authorGlenn Strauss <gstrauss@gluelogic.com>2017-08-06 01:49:29 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2017-08-06 23:32:33 -0400
commitb6bd4d3d9452e6d2de9e382452b864080be7a0f8 (patch)
tree58bfa2f45699a4db380caab4a04770022bf2f58f
parent7ec74fe7b1502c7ffc970dd5a6171afac2508cf8 (diff)
downloadlighttpd1.4-b6bd4d3d9452e6d2de9e382452b864080be7a0f8.tar.gz
lighttpd1.4-b6bd4d3d9452e6d2de9e382452b864080be7a0f8.zip
[mod_extforward] PROXY proto and SSL_CLIENT_VERIFY
Use config directive extforward.hap-PROXY-ssl-client-verify = "enable" to enable setting SSL_CLIENT_VERIFY, REMOTE_USER, and AUTH_TYPE using information provided by HAProxy PROXY protocol.
-rw-r--r--src/mod_extforward.c15
1 files changed, 8 insertions, 7 deletions
diff --git a/src/mod_extforward.c b/src/mod_extforward.c
index b4614410..a3f23697 100644
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@@ -78,7 +78,8 @@ typedef struct {
array *headers;
array *opts_params;
unsigned int opts;
- unsigned int hap_PROXY;
+ unsigned short int hap_PROXY;
+ unsigned short int hap_PROXY_ssl_client_verify;
} plugin_config;
typedef struct {
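Review bot: The narrowing of `hap_PROXY` from `unsigned int` to `unsigned short int` is not mentioned in the commit description, and nothing in the struct says why these two fields must have that width. Presumably the config parser stores `T_CONFIG_BOOLEAN` values through an `unsigned short *` (its code is not on this page), in which case the old declaration was a latent type mismatch worth calling out. I would add a comment above the two fields, e.g. `/* T_CONFIG_BOOLEAN destinations: type must match what the config parser writes */`. The struct begins above the hunk.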
@@ -169,6 +170,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
{ "extforward.headers", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
{ "extforward.params", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
{ "extforward.hap-PROXY", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
+ { "extforward.hap-PROXY-ssl-client-verify", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
};
@@ -190,6 +192,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
cv[1].destination = s->headers;
cv[2].destination = s->opts_params;
cv[3].destination = &s->hap_PROXY;
+ cv[4].destination = &s->hap_PROXY_ssl_client_verify;
p->config_storage[i] = s;
@@ -318,6 +321,7 @@ static int mod_extforward_patch_connection(server *srv, connection *con, plugin_
PATCH(headers);
PATCH(opts);
PATCH(hap_PROXY);
+ PATCH(hap_PROXY_ssl_client_verify);
/* skip the first, the global context */
for (i = 1; i < srv->config_context->used; i++) {
@@ -339,6 +343,8 @@ static int mod_extforward_patch_connection(server *srv, connection *con, plugin_
PATCH(opts);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY"))) {
PATCH(hap_PROXY);
+ } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY-ssl-client-verify"))) {
+ PATCH(hap_PROXY_ssl_client_verify);
}
}
}
@@ -942,11 +948,7 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
"-- mod_extforward_uri_handler called");
}
- if (NULL != hctx) {
- /* XXX: future: add config option to enable
- * and replace above with: if (p->conf.???)
- * similar to ssl.verifyclient.username */
- #if 0
+ if (p->conf.hap_PROXY_ssl_client_verify) {
data_string *ds;
if (NULL != hctx && hctx->ssl_client_verify && NULL != hctx->env
&& NULL != (ds = (data_string *)array_get_element(hctx->env, "SSL_CLIENT_S_DN_CN"))) {
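Review bot: The removed XXX comment is not replaced, so nothing at `if (p->conf.hap_PROXY_ssl_client_verify)` records the trust assumption behind this block. Per the commit description the block sets `REMOTE_USER` and `AUTH_TYPE` from values carried in the PROXY protocol header, so the identity is asserted by the upstream proxy rather than verified by this server. It is only as trustworthy as the check that decides which peers may send a PROXY header, and that check is outside this hunk. I would add a comment such as `/* client identity here is asserted by the PROXY peer; enable only where extforward.hap-PROXY is limited to trusted forwarders */` and repeat the caveat in the directive's documentation.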
@@ -964,7 +966,6 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
CONST_STR_LEN("SSL_CLIENT_VERIFY"),
CONST_STR_LEN("NONE"));
}
- #endif
}
for (size_t k = 0; k < p->conf.headers->used && NULL == forwarded; ++k) {
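Review bot: With the outer `if (NULL != hctx)` replaced by the config test, the `SSL_CLIENT_VERIFY` = `NONE` assignment at the top of this hunk appears to be reached for every request once the directive is enabled, including requests on connections with no PROXY context at all (`hctx` is NULL). The `else` that leads here is outside the hunk, so this is inferred from the inner condition in the preceding hunk. If failing closed like this is intended, say so in a comment, e.g. `/* no verified client cert reported via PROXY (or no PROXY context): report NONE */`. If the server can also terminate TLS itself on other sockets, it is worth confirming that this does not mask a locally verified result.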