authorGlenn Strauss <gstrauss@gluelogic.com>2017-03-27 14:00:19 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2017-04-06 00:22:41 -0400
commit371e1bf723ad4b03642189baebc49d684bd9c1e4 (patch)
treeed4a453be22d4d50c9ad71165ea390caf4046ce1 /tests
parent36adf0d9a681df432d5527ea05490819359e447c (diff)
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.: extforward.headers = ( "Forwarded" ) or extforward.headers = ( "Forwarded", "X-Forwarded-For" ) or extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" ) The default remains: extforward.headers = ( "X-Forwarded-For", "Forwarded-For" ) Support for "Forwarded" is not enabled by default since intermediate proxies might not be aware of Forwarded, and might therefore pass spoofed Forwarded header received from client. extforward.params = ( # overwrite "Host" with Forwarded value #"host" => 1 # set REMOTE_USER with Forwarded value #"remote_user" => 1 ) Note: be cautious configuring trusted proxies if enabling these options since Forwarded header may be spoofed and passed along indiscriminately by proxies which do not handle Forwarded. To remove "Forwarded" from incoming requests, do not enable these options and instead use mod_setenv to clear the request header: setenv.set-request-header = ( "Forwarded" => "" ) Other proxy-related headers which admin might evaluate to keep or clear: setenv.set-request-header = ( "X-Forwarded-For" => "", "X-Forwarded-By" => "", "X-Forwarded-Server" => "", "X-Origin-IP" => "", "Via" => "", #... ) x-ref: "Forwarded HTTP Extension" https://tools.ietf.org/html/rfc7239 "Forward authenticated user to proxied requests" https://redmine.lighttpd.net/issues/2703
Diffstat (limited to 'tests')
-rw-r--r--tests/mod-extforward.conf1
-rwxr-xr-xtests/mod-extforward.t11
2 files changed, 11 insertions, 1 deletions
diff --git a/tests/mod-extforward.conf b/tests/mod-extforward.conf
index 673ff689..c8e51017 100644
--- a/tests/mod-extforward.conf
+++ b/tests/mod-extforward.conf
@@ -29,6 +29,7 @@ cgi.assign = (
".pl" => env.PERL,
)
+extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
extforward.forwarder = (
"127.0.0.1" => "trust",
"127.0.30.1" => "trust",
diff --git a/tests/mod-extforward.t b/tests/mod-extforward.t
index 6722234f..737c9147 100755
--- a/tests/mod-extforward.t
+++ b/tests/mod-extforward.t
@@ -8,7 +8,7 @@ BEGIN {
use strict;
use IO::Socket;
-use Test::More tests => 5;
+use Test::More tests => 6;
use LightyTest;
my $tf = LightyTest->new();
@@ -45,4 +45,13 @@ EOF
$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '127.0.20.1' } ];
ok($tf->handle_http($t) == 0, 'expect 127.0.20.1, from chained proxies');
+$t->{REQUEST} = ( <<EOF
+GET /ip.pl HTTP/1.0
+Host: www.example.org
+Forwarded: for=127.0.10.1, for=127.0.20.1;proto=https, for=127.0.30.1;proto=http
+EOF
+);
+$t->{RESPONSE} = [ { 'HTTP-Protocol' => 'HTTP/1.0', 'HTTP-Status' => 200, 'HTTP-Content' => '127.0.20.1' } ];
+ok($tf->handle_http($t) == 0, 'expect 127.0.20.1, from chained proxies');
+
ok($tf->stop_proc == 0, "Stopping lighttpd");
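Review bot: The added Forwarded case reuses the description `'expect 127.0.20.1, from chained proxies'` of the case just before it, so a failing TAP line does not say which request broke; a distinct label such as `'expect 127.0.20.1, from Forwarded with chained proxies'` would separate them. The request also covers only unquoted IPv4 `for=` values, while RFC 7239 additionally allows quoted strings, bracketed IPv6 with a port, `unknown` and obfuscated identifiers, and the header value is client-controlled input. A follow-up case with a quoted or malformed `for=` element, and one sending both Forwarded and X-Forwarded-For with different addresses, would pin down how the parser rejects bad input and which header wins. The commit message describes `extforward.params` overrides for host and remote_user, and nothing in the visible hunks asserts that they stay inactive when the option is not configured.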