2016-03-19 15:14:35 +00:00
|
|
|
#include "first.h"
|
|
|
|
|
|
2009-10-11 14:31:42 +00:00
|
|
|
#include "base.h"
|
|
|
|
|
#include "log.h"
|
|
|
|
|
#include "buffer.h"
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
#include "request.h"
|
2017-04-04 04:22:32 +00:00
|
|
|
#include "inet_ntop_cache.h"
|
2009-10-11 14:31:42 +00:00
|
|
|
|
|
|
|
|
#include "plugin.h"
|
|
|
|
|
|
|
|
|
|
#include "configfile.h"
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
2010-08-06 21:57:15 +00:00
|
|
|
#include <errno.h>
|
2007-02-19 21:05:59 +00:00
|
|
|
|
2017-03-28 06:08:55 +00:00
|
|
|
#include "sys-socket.h"
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
/**
|
|
|
|
|
* mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
|
|
|
|
|
* extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
|
2008-01-21 08:21:20 +00:00
|
|
|
* support chained proxies by glen@delfi.ee, #1528
|
2007-02-19 21:05:59 +00:00
|
|
|
*
|
|
|
|
|
* Config example:
|
|
|
|
|
*
|
|
|
|
|
* Trust proxy 10.0.0.232 and 10.0.0.232
|
|
|
|
|
* extforward.forwarder = ( "10.0.0.232" => "trust",
|
|
|
|
|
* "10.0.0.233" => "trust" )
|
|
|
|
|
*
|
|
|
|
|
* Trust all proxies (NOT RECOMMENDED!)
|
|
|
|
|
* extforward.forwarder = ( "all" => "trust")
|
|
|
|
|
*
|
|
|
|
|
* Note that "all" has precedence over specific entries,
|
|
|
|
|
* so "all except" setups will not work.
|
|
|
|
|
*
|
2008-01-21 08:21:20 +00:00
|
|
|
* In case you have chained proxies, you can add all their IP's to the
|
|
|
|
|
* config. However "all" has effect only on connecting IP, as the
|
|
|
|
|
* X-Forwarded-For header can not be trusted.
|
|
|
|
|
*
|
2007-02-19 21:05:59 +00:00
|
|
|
* Note: The effect of this module is variable on $HTTP["remotip"] directives and
|
|
|
|
|
* other module's remote ip dependent actions.
|
|
|
|
|
* Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
|
|
|
|
|
* Things done in between these two moments will match on the real client's IP.
|
|
|
|
|
* The moment things are done by a module depends on in which hook it does things and within the same hook
|
|
|
|
|
* on whether they are before/after us in the module loading order
|
|
|
|
|
* (order in the server.modules directive in the config file).
|
|
|
|
|
*
|
|
|
|
|
* Tested behaviours:
|
|
|
|
|
*
|
|
|
|
|
* mod_access: Will match on the real client.
|
|
|
|
|
*
|
|
|
|
|
* mod_accesslog:
|
|
|
|
|
* In order to see the "real" ip address in access log ,
|
|
|
|
|
* you'll have to load mod_extforward after mod_accesslog.
|
|
|
|
|
* like this:
|
|
|
|
|
*
|
|
|
|
|
* server.modules = (
|
|
|
|
|
* .....
|
|
|
|
|
* mod_accesslog,
|
|
|
|
|
* mod_extforward
|
|
|
|
|
* )
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* plugin config for all request/connections */
|
|
|
|
|
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
typedef enum {
|
|
|
|
|
PROXY_FORWARDED_NONE = 0x00,
|
|
|
|
|
PROXY_FORWARDED_FOR = 0x01,
|
|
|
|
|
PROXY_FORWARDED_PROTO = 0x02,
|
|
|
|
|
PROXY_FORWARDED_HOST = 0x04,
|
|
|
|
|
PROXY_FORWARDED_BY = 0x08,
|
|
|
|
|
PROXY_FORWARDED_REMOTE_USER = 0x10
|
|
|
|
|
} proxy_forwarded_t;
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
typedef struct {
|
|
|
|
|
array *forwarder;
|
2009-04-26 19:43:22 +00:00
|
|
|
array *headers;
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
array *opts_params;
|
|
|
|
|
unsigned int opts;
|
2017-08-06 05:49:29 +00:00
|
|
|
unsigned short int hap_PROXY;
|
|
|
|
|
unsigned short int hap_PROXY_ssl_client_verify;
|
2007-02-19 21:05:59 +00:00
|
|
|
} plugin_config;
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
|
|
|
|
PLUGIN_DATA;
|
|
|
|
|
|
|
|
|
|
plugin_config **config_storage;
|
|
|
|
|
|
|
|
|
|
plugin_config conf;
|
|
|
|
|
} plugin_data;
|
|
|
|
|
|
2017-04-04 04:22:32 +00:00
|
|
|
static plugin_data *mod_extforward_plugin_data_singleton;
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
static int extforward_check_proxy;
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
/* context , used for restore remote ip */
|
|
|
|
|
|
|
|
|
|
typedef struct {
|
2017-04-04 04:22:32 +00:00
|
|
|
/* per-request state */
|
2007-02-19 21:05:59 +00:00
|
|
|
sock_addr saved_remote_addr;
|
|
|
|
|
buffer *saved_remote_addr_buf;
|
2017-04-04 04:22:32 +00:00
|
|
|
|
|
|
|
|
/* hap-PROXY protocol prior to receiving first request */
|
|
|
|
|
int(*saved_network_read)(server *, connection *, chunkqueue *, off_t);
|
|
|
|
|
|
|
|
|
|
/* connection-level state applied to requests in handle_request_env */
|
|
|
|
|
array *env;
|
|
|
|
|
int ssl_client_verify;
|
2007-02-19 21:05:59 +00:00
|
|
|
} handler_ctx;
|
|
|
|
|
|
|
|
|
|
|
2017-03-25 18:34:27 +00:00
|
|
|
static handler_ctx * handler_ctx_init(void) {
|
2007-02-19 21:05:59 +00:00
|
|
|
handler_ctx * hctx;
|
|
|
|
|
hctx = calloc(1, sizeof(*hctx));
|
|
|
|
|
return hctx;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void handler_ctx_free(handler_ctx *hctx) {
|
|
|
|
|
free(hctx);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* init the plugin data */
|
|
|
|
|
INIT_FUNC(mod_extforward_init) {
|
|
|
|
|
plugin_data *p;
|
|
|
|
|
p = calloc(1, sizeof(*p));
|
2017-04-04 04:22:32 +00:00
|
|
|
mod_extforward_plugin_data_singleton = p;
|
2007-02-19 21:05:59 +00:00
|
|
|
return p;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* destroy the plugin data */
|
|
|
|
|
FREE_FUNC(mod_extforward_free) {
|
|
|
|
|
plugin_data *p = p_d;
|
|
|
|
|
|
|
|
|
|
UNUSED(srv);
|
|
|
|
|
|
|
|
|
|
if (!p) return HANDLER_GO_ON;
|
|
|
|
|
|
|
|
|
|
if (p->config_storage) {
|
|
|
|
|
size_t i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < srv->config_context->used; i++) {
|
|
|
|
|
plugin_config *s = p->config_storage[i];
|
|
|
|
|
|
2015-05-14 09:38:33 +00:00
|
|
|
if (NULL == s) continue;
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
array_free(s->forwarder);
|
2009-04-26 19:43:22 +00:00
|
|
|
array_free(s->headers);
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
array_free(s->opts_params);
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
free(s);
|
|
|
|
|
}
|
|
|
|
|
free(p->config_storage);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
free(p);
|
|
|
|
|
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* handle plugin config and check values */
|
|
|
|
|
|
|
|
|
|
SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
|
|
|
|
|
plugin_data *p = p_d;
|
|
|
|
|
size_t i = 0;
|
|
|
|
|
|
|
|
|
|
config_values_t cv[] = {
|
2009-04-26 19:43:22 +00:00
|
|
|
{ "extforward.forwarder", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */
|
|
|
|
|
{ "extforward.headers", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 1 */
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
{ "extforward.params", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 2 */
|
2017-04-04 04:22:32 +00:00
|
|
|
{ "extforward.hap-PROXY", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 3 */
|
2017-08-06 05:49:29 +00:00
|
|
|
{ "extforward.hap-PROXY-ssl-client-verify", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
|
2007-02-19 21:05:59 +00:00
|
|
|
{ NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
if (!p) return HANDLER_ERROR;
|
|
|
|
|
|
2013-11-13 11:43:26 +00:00
|
|
|
p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *));
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
for (i = 0; i < srv->config_context->used; i++) {
|
2015-11-07 12:51:11 +00:00
|
|
|
data_config const* config = (data_config const*)srv->config_context->data[i];
|
2007-02-19 21:05:59 +00:00
|
|
|
plugin_config *s;
|
|
|
|
|
|
|
|
|
|
s = calloc(1, sizeof(plugin_config));
|
|
|
|
|
s->forwarder = array_init();
|
2009-04-26 19:43:22 +00:00
|
|
|
s->headers = array_init();
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
s->opts_params = array_init();
|
|
|
|
|
s->opts = PROXY_FORWARDED_NONE;
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
cv[0].destination = s->forwarder;
|
2009-04-26 19:43:22 +00:00
|
|
|
cv[1].destination = s->headers;
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
cv[2].destination = s->opts_params;
|
2017-04-04 04:22:32 +00:00
|
|
|
cv[3].destination = &s->hap_PROXY;
|
2017-08-06 05:49:29 +00:00
|
|
|
cv[4].destination = &s->hap_PROXY_ssl_client_verify;
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
p->config_storage[i] = s;
|
|
|
|
|
|
2015-11-07 12:51:11 +00:00
|
|
|
if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
|
2007-02-19 21:05:59 +00:00
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
2017-03-05 20:39:45 +00:00
|
|
|
|
|
|
|
|
if (!array_is_kvstring(s->forwarder)) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"unexpected value for extforward.forwarder; expected list of \"IPaddr\" => \"trust\"");
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!array_is_vlist(s->headers)) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"unexpected value for extforward.headers; expected list of \"headername\"");
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
2017-03-24 04:15:12 +00:00
|
|
|
|
|
|
|
|
/* default to "X-Forwarded-For" or "Forwarded-For" if extforward.headers not specified or empty */
|
2017-04-04 04:22:32 +00:00
|
|
|
if (!s->hap_PROXY && 0 == s->headers->used && (0 == i || NULL != array_get_element(config->value, "extforward.headers"))) {
|
2017-03-24 04:15:12 +00:00
|
|
|
data_string *ds;
|
|
|
|
|
ds = data_string_init();
|
|
|
|
|
buffer_copy_string_len(ds->value, CONST_STR_LEN("X-Forwarded-For"));
|
|
|
|
|
array_insert_unique(s->headers, (data_unset *)ds);
|
|
|
|
|
ds = data_string_init();
|
|
|
|
|
buffer_copy_string_len(ds->value, CONST_STR_LEN("Forwarded-For"));
|
|
|
|
|
array_insert_unique(s->headers, (data_unset *)ds);
|
|
|
|
|
}
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
|
|
|
|
|
if (!array_is_kvany(s->opts_params)) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"unexpected value for extforward.params; expected ( \"param\" => \"value\" )");
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
for (size_t j = 0, used = s->opts_params->used; j < used; ++j) {
|
|
|
|
|
proxy_forwarded_t param;
|
|
|
|
|
data_unset *du = s->opts_params->data[j];
|
|
|
|
|
#if 0 /*("for" and "proto" historical behavior: always enabled)*/
|
|
|
|
|
if (buffer_is_equal_string(du->key, CONST_STR_LEN("by"))) {
|
|
|
|
|
param = PROXY_FORWARDED_BY;
|
|
|
|
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("for"))) {
|
|
|
|
|
param = PROXY_FORWARDED_FOR;
|
|
|
|
|
} else
|
|
|
|
|
#endif
|
|
|
|
|
if (buffer_is_equal_string(du->key, CONST_STR_LEN("host"))) {
|
|
|
|
|
param = PROXY_FORWARDED_HOST;
|
|
|
|
|
#if 0
|
|
|
|
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("proto"))) {
|
|
|
|
|
param = PROXY_FORWARDED_PROTO;
|
|
|
|
|
#endif
|
|
|
|
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("remote_user"))) {
|
|
|
|
|
param = PROXY_FORWARDED_REMOTE_USER;
|
|
|
|
|
} else {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sb",
|
|
|
|
|
"extforward.params keys must be one of: host, remote_user, but not:", du->key);
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
if (du->type == TYPE_STRING) {
|
|
|
|
|
data_string *ds = (data_string *)du;
|
|
|
|
|
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("enable"))) {
|
|
|
|
|
s->opts |= param;
|
|
|
|
|
} else if (!buffer_is_equal_string(ds->value, CONST_STR_LEN("disable"))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sb",
|
|
|
|
|
"extforward.params values must be one of: 0, 1, enable, disable; error for key:", du->key);
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
} else if (du->type == TYPE_INTEGER) {
|
|
|
|
|
data_integer *di = (data_integer *)du;
|
|
|
|
|
if (di->value) s->opts |= param;
|
|
|
|
|
} else {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sb",
|
|
|
|
|
"extforward.params values must be one of: 0, 1, enable, disable; error for key:", du->key);
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-04 04:22:32 +00:00
|
|
|
/* attempt to warn if mod_extforward is not last module loaded to hook
|
|
|
|
|
* handle_connection_accept. (Nice to have, but remove this check if
|
2017-07-30 16:24:01 +00:00
|
|
|
* it reaches too far into internals and prevents other code changes.)
|
2017-04-04 04:22:32 +00:00
|
|
|
* While it would be nice to check connection_handle_accept plugin slot
|
|
|
|
|
* to make sure mod_extforward is last, that info is private to plugin.c
|
|
|
|
|
* so merely warn if mod_openssl is loaded after mod_extforward, though
|
|
|
|
|
* future modules which hook connection_handle_accept might be missed.*/
|
|
|
|
|
for (i = 0; i < srv->config_context->used; ++i) {
|
|
|
|
|
plugin_config *s = p->config_storage[i];
|
|
|
|
|
if (s->hap_PROXY) {
|
|
|
|
|
size_t j;
|
|
|
|
|
for (j = 0; j < srv->srvconf.modules->used; ++j) {
|
|
|
|
|
data_string *ds = (data_string *)srv->srvconf.modules->data[j];
|
|
|
|
|
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_extforward"))) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
for (; j < srv->srvconf.modules->used; ++j) {
|
|
|
|
|
data_string *ds = (data_string *)srv->srvconf.modules->data[j];
|
|
|
|
|
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_openssl"))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"mod_extforward must be loaded after mod_openssl in server.modules when extforward.hap-PROXY = \"enable\"");
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
for (i = 0; i < srv->srvconf.modules->used; i++) {
|
|
|
|
|
data_string *ds = (data_string *)srv->srvconf.modules->data[i];
|
|
|
|
|
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_proxy"))) {
|
|
|
|
|
extforward_check_proxy = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define PATCH(x) \
|
|
|
|
|
p->conf.x = s->x;
|
|
|
|
|
static int mod_extforward_patch_connection(server *srv, connection *con, plugin_data *p) {
|
|
|
|
|
size_t i, j;
|
|
|
|
|
plugin_config *s = p->config_storage[0];
|
|
|
|
|
|
|
|
|
|
PATCH(forwarder);
|
2009-04-26 19:43:22 +00:00
|
|
|
PATCH(headers);
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
PATCH(opts);
|
2017-04-04 04:22:32 +00:00
|
|
|
PATCH(hap_PROXY);
|
2017-08-06 05:49:29 +00:00
|
|
|
PATCH(hap_PROXY_ssl_client_verify);
|
2007-02-19 21:05:59 +00:00
|
|
|
|
|
|
|
|
/* skip the first, the global context */
|
|
|
|
|
for (i = 1; i < srv->config_context->used; i++) {
|
|
|
|
|
data_config *dc = (data_config *)srv->config_context->data[i];
|
|
|
|
|
s = p->config_storage[i];
|
|
|
|
|
|
|
|
|
|
/* condition didn't match */
|
|
|
|
|
if (!config_check_cond(srv, con, dc)) continue;
|
|
|
|
|
|
|
|
|
|
/* merge config */
|
|
|
|
|
for (j = 0; j < dc->value->used; j++) {
|
|
|
|
|
data_unset *du = dc->value->data[j];
|
|
|
|
|
|
|
|
|
|
if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) {
|
|
|
|
|
PATCH(forwarder);
|
2009-04-26 19:43:22 +00:00
|
|
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.headers"))) {
|
|
|
|
|
PATCH(headers);
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.params"))) {
|
|
|
|
|
PATCH(opts);
|
2017-04-04 04:22:32 +00:00
|
|
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY"))) {
|
|
|
|
|
PATCH(hap_PROXY);
|
2017-08-06 05:49:29 +00:00
|
|
|
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY-ssl-client-verify"))) {
|
|
|
|
|
PATCH(hap_PROXY_ssl_client_verify);
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
#undef PATCH
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
static void put_string_into_array_len(array *ary, const char *str, int len)
|
|
|
|
|
{
|
|
|
|
|
data_string *tempdata;
|
|
|
|
|
if (len == 0)
|
|
|
|
|
return;
|
|
|
|
|
tempdata = data_string_init();
|
|
|
|
|
buffer_copy_string_len(tempdata->value,str,len);
|
|
|
|
|
array_insert_unique(ary,(data_unset *)tempdata);
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
extract a forward array from the environment
|
|
|
|
|
*/
|
|
|
|
|
static array *extract_forward_array(buffer *pbuffer)
|
|
|
|
|
{
|
|
|
|
|
array *result = array_init();
|
2015-02-08 19:10:44 +00:00
|
|
|
if (!buffer_string_is_empty(pbuffer)) {
|
2007-02-19 21:05:59 +00:00
|
|
|
char *base, *curr;
|
|
|
|
|
/* state variable, 0 means not in string, 1 means in string */
|
|
|
|
|
int in_str = 0;
|
2008-01-21 08:21:20 +00:00
|
|
|
for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++) {
|
2007-02-19 21:05:59 +00:00
|
|
|
if (in_str) {
|
2012-05-18 13:28:00 +00:00
|
|
|
if ((*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' && (*curr < 'a' || *curr > 'f') && (*curr < 'A' || *curr > 'F')) {
|
2007-02-19 21:05:59 +00:00
|
|
|
/* found an separator , insert value into result array */
|
2008-01-21 08:21:20 +00:00
|
|
|
put_string_into_array_len(result, base, curr - base);
|
2007-02-19 21:05:59 +00:00
|
|
|
/* change state to not in string */
|
|
|
|
|
in_str = 0;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2012-05-18 13:28:00 +00:00
|
|
|
if ((*curr >= '0' && *curr <= '9') || *curr == ':' || (*curr >= 'a' && *curr <= 'f') || (*curr >= 'A' && *curr <= 'F')) {
|
2007-02-19 21:05:59 +00:00
|
|
|
/* found leading char of an IP address, move base pointer and change state */
|
|
|
|
|
base = curr;
|
|
|
|
|
in_str = 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* if breaking out while in str, we got to the end of string, so add it */
|
2008-01-21 08:21:20 +00:00
|
|
|
if (in_str) {
|
|
|
|
|
put_string_into_array_len(result, base, curr - base);
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return result;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define IP_TRUSTED 1
|
|
|
|
|
#define IP_UNTRUSTED 0
|
|
|
|
|
/*
|
2008-01-21 08:21:20 +00:00
|
|
|
* check whether ip is trusted, return 1 for trusted , 0 for untrusted
|
|
|
|
|
*/
|
2017-05-12 03:15:29 +00:00
|
|
|
static int is_proxy_trusted(const buffer *ipstr, plugin_data *p)
|
2007-02-19 21:05:59 +00:00
|
|
|
{
|
2008-01-21 08:21:20 +00:00
|
|
|
data_string* allds = (data_string *)array_get_element(p->conf.forwarder, "all");
|
|
|
|
|
|
2007-02-19 21:05:59 +00:00
|
|
|
if (allds) {
|
2008-01-21 08:21:20 +00:00
|
|
|
if (strcasecmp(allds->value->ptr, "trust") == 0) {
|
2007-02-19 21:05:59 +00:00
|
|
|
return IP_TRUSTED;
|
2008-01-21 08:21:20 +00:00
|
|
|
} else {
|
2007-02-19 21:05:59 +00:00
|
|
|
return IP_UNTRUSTED;
|
2008-01-21 08:21:20 +00:00
|
|
|
}
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
2008-01-21 08:21:20 +00:00
|
|
|
|
2017-05-12 03:15:29 +00:00
|
|
|
return (data_string *)array_get_element_klen(p->conf.forwarder, CONST_BUF_LEN(ipstr)) ? IP_TRUSTED : IP_UNTRUSTED;
|
2008-01-21 08:21:20 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
2017-05-12 03:15:29 +00:00
|
|
|
* Return last address of proxy that is not trusted.
|
2008-01-21 08:21:20 +00:00
|
|
|
* Do not accept "all" keyword here.
|
|
|
|
|
*/
|
|
|
|
|
static const char *last_not_in_array(array *a, plugin_data *p)
|
|
|
|
|
{
|
|
|
|
|
array *forwarder = p->conf.forwarder;
|
2008-03-13 15:34:28 +00:00
|
|
|
int i;
|
2008-01-21 08:21:20 +00:00
|
|
|
|
2008-03-13 15:34:28 +00:00
|
|
|
for (i = a->used - 1; i >= 0; i--) {
|
2008-01-21 08:21:20 +00:00
|
|
|
data_string *ds = (data_string *)a->data[i];
|
2017-05-12 03:15:29 +00:00
|
|
|
if (!array_get_element_klen(forwarder, CONST_BUF_LEN(ds->value))) {
|
|
|
|
|
return ds->value->ptr;
|
2008-01-21 08:21:20 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return NULL;
|
2007-02-19 21:05:59 +00:00
|
|
|
}
|
|
|
|
|
|
2017-03-25 18:34:27 +00:00
|
|
|
static int mod_extforward_set_addr(server *srv, connection *con, plugin_data *p, const char *addr) {
|
|
|
|
|
sock_addr sock;
|
2017-04-04 04:22:32 +00:00
|
|
|
handler_ctx *hctx = con->plugin_ctx[p->id];
|
2017-03-25 18:34:27 +00:00
|
|
|
|
|
|
|
|
if (con->conf.log_request_handling) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss", "using address:", addr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
sock.plain.sa_family = AF_UNSPEC;
|
2017-06-24 15:28:33 +00:00
|
|
|
if (1 != sock_addr_from_str_numeric(srv, &sock, addr)) return 0;
|
2017-03-25 18:34:27 +00:00
|
|
|
if (sock.plain.sa_family == AF_UNSPEC) return 0;
|
|
|
|
|
|
|
|
|
|
/* we found the remote address, modify current connection and save the old address */
|
2017-04-04 04:22:32 +00:00
|
|
|
if (hctx) {
|
|
|
|
|
if (hctx->saved_remote_addr_buf) {
|
|
|
|
|
if (con->conf.log_request_handling) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"-- mod_extforward_uri_handler already patched this connection, resetting state");
|
|
|
|
|
}
|
|
|
|
|
con->dst_addr = hctx->saved_remote_addr;
|
|
|
|
|
buffer_free(con->dst_addr_buf);
|
|
|
|
|
con->dst_addr_buf = hctx->saved_remote_addr_buf;
|
|
|
|
|
hctx->saved_remote_addr_buf = NULL;
|
2017-03-25 18:34:27 +00:00
|
|
|
}
|
2017-04-04 04:22:32 +00:00
|
|
|
} else {
|
|
|
|
|
con->plugin_ctx[p->id] = hctx = handler_ctx_init();
|
2017-03-25 18:34:27 +00:00
|
|
|
}
|
|
|
|
|
/* save old address */
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
if (extforward_check_proxy) {
|
|
|
|
|
array_set_key_value(con->environment, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_FOR"), CONST_BUF_LEN(con->dst_addr_buf));
|
|
|
|
|
}
|
2017-03-25 18:34:27 +00:00
|
|
|
hctx->saved_remote_addr = con->dst_addr;
|
|
|
|
|
hctx->saved_remote_addr_buf = con->dst_addr_buf;
|
|
|
|
|
/* patch connection address */
|
|
|
|
|
con->dst_addr = sock;
|
|
|
|
|
con->dst_addr_buf = buffer_init_string(addr);
|
|
|
|
|
|
|
|
|
|
if (con->conf.log_request_handling) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "ss",
|
|
|
|
|
"patching con->dst_addr_buf for the accesslog:", addr);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Now, clean the conf_cond cache, because we may have changed the results of tests */
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTE_IP);
|
2017-03-25 18:34:27 +00:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
static void mod_extforward_set_proto(server *srv, connection *con, const char *proto, size_t protolen) {
|
2017-03-25 18:34:27 +00:00
|
|
|
if (0 != protolen && !buffer_is_equal_caseless_string(con->uri.scheme, proto, protolen)) {
|
|
|
|
|
/* update scheme if X-Forwarded-Proto is set
|
|
|
|
|
* Limitations:
|
|
|
|
|
* - Only "http" or "https" are currently accepted since the request to lighttpd currently has to
|
|
|
|
|
* be HTTP/1.0 or HTTP/1.1 using http or https. If this is changed, then the scheme from this
|
|
|
|
|
* untrusted header must be checked to contain only alphanumeric characters, and to be a
|
|
|
|
|
* reasonable length, e.g. < 256 chars.
|
|
|
|
|
* - con->uri.scheme is not reset in mod_extforward_restore() but is currently not an issues since
|
|
|
|
|
* con->uri.scheme will be reset by next request. If a new module uses con->uri.scheme in the
|
|
|
|
|
* handle_request_done hook, then should evaluate if that module should use the forwarded value
|
|
|
|
|
* (probably) or the original value.
|
|
|
|
|
*/
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
if (extforward_check_proxy) {
|
|
|
|
|
array_set_key_value(con->environment, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_PROTO"), CONST_BUF_LEN(con->uri.scheme));
|
|
|
|
|
}
|
2017-03-25 18:34:27 +00:00
|
|
|
if (0 == buffer_caseless_compare(proto, protolen, CONST_STR_LEN("https"))) {
|
|
|
|
|
buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("https"));
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
config_cond_cache_reset_item(srv, con, COMP_HTTP_SCHEME);
|
2017-03-25 18:34:27 +00:00
|
|
|
} else if (0 == buffer_caseless_compare(proto, protolen, CONST_STR_LEN("http"))) {
|
|
|
|
|
buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("http"));
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
config_cond_cache_reset_item(srv, con, COMP_HTTP_SCHEME);
|
2017-03-25 18:34:27 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static handler_t mod_extforward_X_Forwarded_For(server *srv, connection *con, plugin_data *p, buffer *x_forwarded_for) {
|
|
|
|
|
/* build forward_array from forwarded data_string */
|
|
|
|
|
array *forward_array = extract_forward_array(x_forwarded_for);
|
|
|
|
|
const char *real_remote_addr = last_not_in_array(forward_array, p);
|
|
|
|
|
if (real_remote_addr != NULL) { /* parsed */
|
|
|
|
|
/* get scheme if X-Forwarded-Proto is set
|
|
|
|
|
* Limitations:
|
|
|
|
|
* - X-Forwarded-Proto may or may not be set by proxies, even if X-Forwarded-For is set
|
|
|
|
|
* - X-Forwarded-Proto may be a comma-separated list if there are multiple proxies,
|
|
|
|
|
* but the historical behavior of the code below only honored it if there was exactly one value
|
|
|
|
|
* (not done: walking backwards in X-Forwarded-Proto the same num of steps
|
|
|
|
|
* as in X-Forwarded-For to find proto set by last trusted proxy)
|
|
|
|
|
*/
|
|
|
|
|
data_string *x_forwarded_proto = (data_string *)array_get_element(con->request.headers, "X-Forwarded-Proto");
|
|
|
|
|
if (mod_extforward_set_addr(srv, con, p, real_remote_addr) && NULL != x_forwarded_proto) {
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
mod_extforward_set_proto(srv, con, CONST_BUF_LEN(x_forwarded_proto->value));
|
2017-03-25 18:34:27 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
array_free(forward_array);
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
static int find_end_quoted_string (const char * const s, int i) {
|
|
|
|
|
do {
|
|
|
|
|
++i;
|
|
|
|
|
} while (s[i] != '"' && s[i] != '\0' && (s[i] != '\\' || s[++i] != '\0'));
|
|
|
|
|
return i;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int find_next_semicolon_or_comma_or_eq (const char * const s, int i) {
|
|
|
|
|
for (; s[i] != '=' && s[i] != ';' && s[i] != ',' && s[i] != '\0'; ++i) {
|
|
|
|
|
if (s[i] == '"') {
|
|
|
|
|
i = find_end_quoted_string(s, i);
|
|
|
|
|
if (s[i] == '\0') return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return i;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int find_next_semicolon_or_comma (const char * const s, int i) {
|
|
|
|
|
for (; s[i] != ';' && s[i] != ',' && s[i] != '\0'; ++i) {
|
|
|
|
|
if (s[i] == '"') {
|
|
|
|
|
i = find_end_quoted_string(s, i);
|
|
|
|
|
if (s[i] == '\0') return -1;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return i;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int buffer_backslash_unescape (buffer * const b) {
|
|
|
|
|
/* (future: might move to buffer.c) */
|
|
|
|
|
size_t j = 0;
|
|
|
|
|
size_t len = buffer_string_length(b);
|
|
|
|
|
char *p = memchr(b->ptr, '\\', len);
|
|
|
|
|
|
|
|
|
|
if (NULL == p) return 1; /*(nothing to do)*/
|
|
|
|
|
|
|
|
|
|
len -= (size_t)(p - b->ptr);
|
|
|
|
|
for (size_t i = 0; i < len; ++i) {
|
|
|
|
|
if (p[i] == '\\') {
|
|
|
|
|
if (++i == len) return 0; /*(invalid trailing backslash)*/
|
|
|
|
|
}
|
|
|
|
|
p[j++] = p[i];
|
|
|
|
|
}
|
|
|
|
|
buffer_string_set_length(b, (size_t)(p+j - b->ptr));
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static handler_t mod_extforward_Forwarded (server *srv, connection *con, plugin_data *p, buffer *forwarded) {
|
|
|
|
|
/* HTTP list need not consist of param=value tokens,
|
|
|
|
|
* but this routine expect such for HTTP Forwarded header
|
|
|
|
|
* Since info in each set of params is only used if from
|
|
|
|
|
* admin-specified trusted proxy:
|
|
|
|
|
* - invalid param=value tokens are ignored and skipped
|
|
|
|
|
* - not checking "for" exists in each set of params
|
|
|
|
|
* - not checking for duplicated params in each set of params
|
|
|
|
|
* - not checking canonical form of addr (also might be obfuscated)
|
|
|
|
|
* - obfuscated tokens permitted in chain, though end of trust is expected
|
|
|
|
|
* to be non-obfuscated IP for mod_extforward to masquerade as remote IP
|
|
|
|
|
* future: since (potentially) trusted proxies begin at end of string,
|
|
|
|
|
* it might be better to parse from end of string rather than parsing from
|
|
|
|
|
* beginning. Doing so would also allow reducing arbitrary param limit
|
|
|
|
|
* to number of params permitted per proxy.
|
|
|
|
|
*/
|
|
|
|
|
char * const s = forwarded->ptr;
|
|
|
|
|
int i = 0, j = -1, v, vlen, k, klen;
|
|
|
|
|
int used = (int)buffer_string_length(forwarded);
|
|
|
|
|
int ofor = -1, oproto, ohost, oby, oremote_user;
|
|
|
|
|
int offsets[256];/*(~50 params is more than reasonably expected to handle)*/
|
|
|
|
|
while (i < used) {
|
|
|
|
|
while (s[i] == ' ' || s[i] == '\t') ++i;
|
|
|
|
|
if (s[i] == ';') { ++i; continue; }
|
|
|
|
|
if (s[i] == ',') {
|
|
|
|
|
if (j >= (int)(sizeof(offsets)/sizeof(int))) break;
|
|
|
|
|
offsets[++j] = -1; /*("offset" separating params from next proxy)*/
|
|
|
|
|
++i;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (s[i] == '\0') break;
|
|
|
|
|
|
|
|
|
|
k = i;
|
|
|
|
|
i = find_next_semicolon_or_comma_or_eq(s, i);
|
|
|
|
|
if (i < 0) {
|
|
|
|
|
/*(reject IP spoofing if attacker sets improper quoted-string)*/
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"invalid quoted-string in Forwarded header");
|
|
|
|
|
con->http_status = 400; /* Bad Request */
|
|
|
|
|
con->mode = DIRECT;
|
|
|
|
|
return HANDLER_FINISHED;
|
|
|
|
|
}
|
|
|
|
|
if (s[i] != '=') continue;
|
|
|
|
|
klen = i - k;
|
|
|
|
|
v = ++i;
|
|
|
|
|
i = find_next_semicolon_or_comma(s, i);
|
|
|
|
|
if (i < 0) {
|
|
|
|
|
/*(reject IP spoofing if attacker sets improper quoted-string)*/
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"invalid quoted-string in Forwarded header");
|
|
|
|
|
con->http_status = 400; /* Bad Request */
|
|
|
|
|
con->mode = DIRECT;
|
|
|
|
|
return HANDLER_FINISHED;
|
|
|
|
|
}
|
|
|
|
|
vlen = i - v; /* might be 0 */
|
|
|
|
|
|
|
|
|
|
/* have k, klen, v, vlen
|
|
|
|
|
* (might contain quoted string) (contents not validated or decoded)
|
|
|
|
|
* (might be repeated k)
|
|
|
|
|
*/
|
|
|
|
|
if (0 == klen) continue; /* invalid k */
|
|
|
|
|
if (j >= (int)(sizeof(offsets)/sizeof(int))-4) break;
|
|
|
|
|
offsets[j+1] = k;
|
|
|
|
|
offsets[j+2] = klen;
|
|
|
|
|
offsets[j+3] = v;
|
|
|
|
|
offsets[j+4] = vlen;
|
|
|
|
|
j += 4;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (j >= (int)(sizeof(offsets)/sizeof(int))-4) {
|
|
|
|
|
/* error processing Forwarded; too many params; fail closed */
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"Too many params in Forwarded header");
|
|
|
|
|
con->http_status = 400; /* Bad Request */
|
|
|
|
|
con->mode = DIRECT;
|
|
|
|
|
return HANDLER_FINISHED;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (-1 == j) return HANDLER_GO_ON; /* make no changes */
|
|
|
|
|
used = j+1;
|
|
|
|
|
offsets[used] = -1; /* mark end of last set of params */
|
|
|
|
|
|
|
|
|
|
while (j > 0) { /*(param=value pairs, so j > 0, not j >= 0)*/
|
|
|
|
|
if (-1 == offsets[j]) { --j; continue; }
|
|
|
|
|
do {
|
|
|
|
|
j -= 3; /*(k, klen, v, vlen come in sets of 4)*/
|
|
|
|
|
} while ((3 != offsets[j+1] /* 3 == sizeof("for")-1 */
|
|
|
|
|
|| 0 != buffer_caseless_compare(s+offsets[j], 3, "for", 3))
|
|
|
|
|
&& 0 != j-- && -1 != offsets[j]);
|
|
|
|
|
if (j < 0) break;
|
|
|
|
|
if (-1 == offsets[j]) { --j; continue; }
|
|
|
|
|
|
|
|
|
|
/* remove trailing spaces/tabs and double-quotes from string
|
|
|
|
|
* (note: not unescaping backslash escapes in quoted string) */
|
|
|
|
|
v = offsets[j+2];
|
|
|
|
|
vlen = v + offsets[j+3];
|
|
|
|
|
while (vlen > v && (s[vlen-1] == ' ' || s[vlen-1] == '\t')) --vlen;
|
|
|
|
|
if (vlen > v+1 && s[v] == '"' && s[vlen-1] == '"') {
|
|
|
|
|
offsets[j+2] = ++v;
|
|
|
|
|
--vlen;
|
|
|
|
|
if (s[v] == '[') {
|
|
|
|
|
/* remove "[]" surrounding IPv6, as well as (optional) port
|
|
|
|
|
* (assumes properly formatted IPv6 addr from trusted proxy) */
|
|
|
|
|
++v;
|
|
|
|
|
do { --vlen; } while (vlen > v && s[vlen] != ']');
|
|
|
|
|
if (v == vlen) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"Invalid IPv6 addr in Forwarded header");
|
|
|
|
|
con->http_status = 400; /* Bad Request */
|
|
|
|
|
con->mode = DIRECT;
|
|
|
|
|
return HANDLER_FINISHED;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
else if (s[v] != '_' && s[v] != '/' && s[v] != 'u') {
|
|
|
|
|
/* remove (optional) port from non-obfuscated IPv4 */
|
|
|
|
|
for (klen=vlen, vlen=v; vlen < klen && s[vlen] != ':'; ++vlen) ;
|
|
|
|
|
}
|
|
|
|
|
offsets[j+2] = v;
|
|
|
|
|
}
|
|
|
|
|
offsets[j+3] = vlen - v;
|
|
|
|
|
|
|
|
|
|
/* obfuscated ipstr and obfuscated port are also accepted here, as
|
|
|
|
|
* is path to unix domain socket, but note that backslash escapes
|
|
|
|
|
* in quoted-string were not unescaped above. Also, if obfuscated
|
|
|
|
|
* identifiers are rotated by proxies as recommended by RFC, then
|
|
|
|
|
* maintaining list of trusted identifiers is non-trivial and is not
|
|
|
|
|
* attempted by this module. */
|
|
|
|
|
|
|
|
|
|
if (v != vlen) {
|
2017-05-12 03:15:29 +00:00
|
|
|
int trusted = (NULL != array_get_element_klen(p->conf.forwarder, s+v, vlen-v));
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
|
|
|
|
|
if (s[v] != '_' && s[v] != '/'
|
|
|
|
|
&& (7 != (vlen - v) || 0 != memcmp(s+v, "unknown", 7))) {
|
|
|
|
|
ofor = j; /* save most recent non-obfuscated ipstr */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!trusted) break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
do { --j; } while (j > 0 && -1 != offsets[j]);
|
|
|
|
|
if (j <= 0) break;
|
|
|
|
|
--j;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (-1 != ofor) {
|
|
|
|
|
/* C funcs getaddrinfo(), inet_addr() require '\0'-terminated IP str */
|
|
|
|
|
char *ipend = s+offsets[ofor+2]+offsets[ofor+3];
|
|
|
|
|
char c = *ipend;
|
|
|
|
|
int rc;
|
|
|
|
|
*ipend = '\0';
|
|
|
|
|
rc = mod_extforward_set_addr(srv, con, p, s+offsets[ofor+2]);
|
|
|
|
|
*ipend = c;
|
|
|
|
|
if (!rc) return HANDLER_GO_ON; /* invalid addr; make no changes */
|
|
|
|
|
}
|
|
|
|
|
else {
|
|
|
|
|
return HANDLER_GO_ON; /* make no changes */
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* parse out params associated with for=<ip> addr set above */
|
|
|
|
|
oproto = ohost = oby = oremote_user = -1;
|
|
|
|
|
j = ofor;
|
|
|
|
|
if (j > 0) { do { --j; } while (j > 0 && -1 != offsets[j]); }
|
|
|
|
|
if (-1 == offsets[j]) ++j;
|
|
|
|
|
if (j == ofor) j += 4;
|
|
|
|
|
for (; -1 != offsets[j]; j+=4) { /*(k, klen, v, vlen come in sets of 4)*/
|
|
|
|
|
switch (offsets[j+1]) {
|
|
|
|
|
#if 0
|
|
|
|
|
case 2:
|
|
|
|
|
if (0 == buffer_caseless_compare(s+offsets[j],2,"by",2))
|
2017-04-09 16:57:56 +00:00
|
|
|
oby = j;
|
[mod_extforward] support Forwarded HTTP Extension (#2703)
enable with, e.g.:
extforward.headers = ( "Forwarded" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For" )
or
extforward.headers = ( "Forwarded", "X-Forwarded-For", "Forwarded-For" )
The default remains:
extforward.headers = ( "X-Forwarded-For", "Forwarded-For" )
Support for "Forwarded" is not enabled by default since intermediate
proxies might not be aware of Forwarded, and might therefore pass
spoofed Forwarded header received from client.
extforward.params = ( # overwrite "Host" with Forwarded value
#"host" => 1
# set REMOTE_USER with Forwarded value
#"remote_user" => 1
)
Note: be cautious configuring trusted proxies if enabling these options
since Forwarded header may be spoofed and passed along indescriminantly
by proxies which do not handle Forwarded.
To remove "Forwarded" from incoming requests, do not enable these
options and instead use mod_setenv to clear the request header:
setenv.set-request-header = ( "Forwarded" => "" )
Other proxy-related headers which admin might evaluate to keep or clear:
setenv.set-request-header = ( "X-Forwarded-For" => "",
"X-Forwarded-By" => "",
"X-Forwarded-Server" => "",
"X-Origin-IP" => "",
"Via" => "",
#...
)
x-ref:
"Forwarded HTTP Extension"
https://tools.ietf.org/html/rfc7239
"Forward authenticated user to proxied requests"
https://redmine.lighttpd.net/issues/2703
2017-03-27 18:00:19 +00:00
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
#if 0
|
|
|
|
|
/*(already handled above to find IP prior to earliest trusted proxy)*/
|
|
|
|
|
case 3:
|
|
|
|
|
if (0 == buffer_caseless_compare(s+offsets[j],3,"for",3))
|
|
|
|
|
ofor = j;
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
|
|
|
|
case 4:
|
|
|
|
|
if (0 == buffer_caseless_compare(s+offsets[j],4,"host",4))
|
|
|
|
|
ohost = j;
|
|
|
|
|
break;
|
|
|
|
|
case 5:
|
|
|
|
|
if (0 == buffer_caseless_compare(s+offsets[j],5,"proto",5))
|
|
|
|
|
oproto = j;
|
|
|
|
|
break;
|
|
|
|
|
case 11:
|
|
|
|
|
if (0 == buffer_caseless_compare(s+offsets[j],11,"remote_user",11))
|
|
|
|
|
oremote_user = j;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
i = ++j;
|
|
|
|
|
|
|
|
|
|
if (-1 != oproto) {
|
|
|
|
|
/* remove trailing spaces/tabs, and double-quotes from proto
|
|
|
|
|
* (note: not unescaping backslash escapes in quoted string) */
|
|
|
|
|
v = offsets[oproto+2];
|
|
|
|
|
vlen = v + offsets[oproto+3];
|
|
|
|
|
while (vlen > v && (s[vlen-1] == ' ' || s[vlen-1] == '\t')) --vlen;
|
|
|
|
|
if (vlen > v+1 && s[v] == '"' && s[vlen-1] == '"') { ++v; --vlen; }
|
|
|
|
|
mod_extforward_set_proto(srv, con, s+v, vlen-v);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (p->conf.opts & PROXY_FORWARDED_HOST) {
|
|
|
|
|
/* Limitations:
|
|
|
|
|
* - con->request.http_host is not reset in mod_extforward_restore()
|
|
|
|
|
* but is currently not an issues since con->request.http_host will be
|
|
|
|
|
* reset by next request. If a new module uses con->request.http_host
|
|
|
|
|
* in the handle_request_done hook, then should evaluate if that
|
|
|
|
|
* module should use the forwarded value (probably) or original value.
|
|
|
|
|
* - due to need to decode and unescape host=..., some extra work is
|
|
|
|
|
* done in the case where host matches current Host header.
|
|
|
|
|
* future: might add code to check if Host has actually changed or not
|
2017-04-25 15:12:53 +00:00
|
|
|
*
|
|
|
|
|
* note: change host after mod_extforward_set_proto() since that may
|
|
|
|
|
* affect scheme port used in http_request_host_policy() host
|
|
|
|
|
* normalization
|
|
|
