|
|
|
@ -228,18 +228,18 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
|
|
|
|
|
|
|
|
|
|
if (array_get_element_klen(config->value, CONST_STR_LEN("extforward.forwarder"))) {
|
|
|
|
|
const data_string * const allds = (const data_string *)array_get_element_klen(s->forwarder, CONST_STR_LEN("all"));
|
|
|
|
|
s->forward_all = (NULL == allds) ? 0 : buffer_eq_icase_slen(allds->value, CONST_STR_LEN("trust")) ? 1 : -1;
|
|
|
|
|
s->forward_all = (NULL == allds) ? 0 : buffer_eq_icase_slen(&allds->value, CONST_STR_LEN("trust")) ? 1 : -1;
|
|
|
|
|
for (size_t j = 0; j < s->forwarder->used; ++j) {
|
|
|
|
|
data_string * const ds = (data_string *)s->forwarder->data[j];
|
|
|
|
|
char * const nm_slash = strchr(ds->key.ptr, '/');
|
|
|
|
|
if (!buffer_eq_icase_slen(ds->value, CONST_STR_LEN("trust"))) {
|
|
|
|
|
if (!buffer_eq_icase_slen(ds->value, CONST_STR_LEN("untrusted"))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sbsbs", "ERROR: expect \"trust\", not \"", &ds->key, "\" => \"", ds->value, "\"; treating as untrusted");
|
|
|
|
|
if (!buffer_eq_icase_slen(&ds->value, CONST_STR_LEN("trust"))) {
|
|
|
|
|
if (!buffer_eq_icase_slen(&ds->value, CONST_STR_LEN("untrusted"))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sbsbs", "ERROR: expect \"trust\", not \"", &ds->key, "\" => \"", &ds->value, "\"; treating as untrusted");
|
|
|
|
|
}
|
|
|
|
|
if (NULL != nm_slash) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sbsbs", "ERROR: untrusted CIDR masks are ignored (\"", &ds->key, "\" => \"", ds->value, "\")");
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sbsbs", "ERROR: untrusted CIDR masks are ignored (\"", &ds->key, "\" => \"", &ds->value, "\")");
|
|
|
|
|
}
|
|
|
|
|
buffer_clear(ds->value); /* empty is untrusted */
|
|
|
|
|
buffer_clear(&ds->value); /* empty is untrusted */
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
if (NULL != nm_slash) {
|
|
|
|
@ -266,7 +266,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
|
|
|
|
|
rc = sock_addr_from_str_numeric(srv, &sm->addr, ds->key.ptr);
|
|
|
|
|
*nm_slash = '/';
|
|
|
|
|
if (1 != rc) return HANDLER_ERROR;
|
|
|
|
|
buffer_clear(ds->value); /* empty is untrusted, e.g. if subnet (incorrectly) appears in X-Forwarded-For */
|
|
|
|
|
buffer_clear(&ds->value); /* empty is untrusted, e.g. if subnet (incorrectly) appears in X-Forwarded-For */
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
@ -313,9 +313,9 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
|
|
|
|
|
}
|
|
|
|
|
if (du->type == TYPE_STRING) {
|
|
|
|
|
data_string *ds = (data_string *)du;
|
|
|
|
|
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("enable"))) {
|
|
|
|
|
if (buffer_is_equal_string(&ds->value, CONST_STR_LEN("enable"))) {
|
|
|
|
|
s->opts |= param;
|
|
|
|
|
} else if (!buffer_is_equal_string(ds->value, CONST_STR_LEN("disable"))) {
|
|
|
|
|
} else if (!buffer_is_equal_string(&ds->value, CONST_STR_LEN("disable"))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "sb",
|
|
|
|
|
"extforward.params values must be one of: 0, 1, enable, disable; error for key:", &du->key);
|
|
|
|
|
return HANDLER_ERROR;
|
|
|
|
@ -344,13 +344,13 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
|
|
|
|
|
size_t j;
|
|
|
|
|
for (j = 0; j < srv->srvconf.modules->used; ++j) {
|
|
|
|
|
data_string *ds = (data_string *)srv->srvconf.modules->data[j];
|
|
|
|
|
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_extforward"))) {
|
|
|
|
|
if (buffer_is_equal_string(&ds->value, CONST_STR_LEN("mod_extforward"))) {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
for (; j < srv->srvconf.modules->used; ++j) {
|
|
|
|
|
data_string *ds = (data_string *)srv->srvconf.modules->data[j];
|
|
|
|
|
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_openssl"))) {
|
|
|
|
|
if (buffer_is_equal_string(&ds->value, CONST_STR_LEN("mod_openssl"))) {
|
|
|
|
|
log_error_write(srv, __FILE__, __LINE__, "s",
|
|
|
|
|
"mod_extforward must be loaded after mod_openssl in server.modules when extforward.hap-PROXY = \"enable\"");
|
|
|
|
|
break;
|
|
|
|
@ -362,7 +362,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < srv->srvconf.modules->used; i++) {
|
|
|
|
|
data_string *ds = (data_string *)srv->srvconf.modules->data[i];
|
|
|
|
|
if (buffer_is_equal_string(ds->value, CONST_STR_LEN("mod_proxy"))) {
|
|
|
|
|
if (buffer_is_equal_string(&ds->value, CONST_STR_LEN("mod_proxy"))) {
|
|
|
|
|
extforward_check_proxy = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
@ -460,7 +460,7 @@ static int is_proxy_trusted(plugin_data *p, const char * const ip, size_t iplen)
|
|
|
|
|
{
|
|
|
|
|
const data_string *ds =
|
|
|
|
|
(const data_string *)array_get_element_klen(p->conf.forwarder, ip, iplen);
|
|
|
|
|
if (NULL != ds) return !buffer_string_is_empty(ds->value);
|
|
|
|
|
if (NULL != ds) return !buffer_string_is_empty(&ds->value);
|
|
|
|
|
|
|
|
|
|
if (p->conf.forward_masks) {
|
|
|
|
|
const struct sock_addr_mask * const addrs =p->conf.forward_masks->addrs;
|
|
|
|
@ -500,8 +500,8 @@ static const char *last_not_in_array(array *a, plugin_data *p)
|
|
|
|
|
|
|
|
|
|
for (i = a->used - 1; i >= 0; i--) {
|
|
|
|
|
data_string *ds = (data_string *)a->data[i];
|
|
|
|
|
if (!is_proxy_trusted(p, CONST_BUF_LEN(ds->value))) {
|
|
|
|
|
return ds->value->ptr;
|
|
|
|
|
if (!is_proxy_trusted(p, CONST_BUF_LEN(&ds->value))) {
|
|
|
|
|
return ds->value.ptr;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return NULL;
|
|
|
|
@ -1025,7 +1025,7 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
|
|
|
|
|
CONST_STR_LEN("SUCCESS"));
|
|
|
|
|
http_header_env_set(con,
|
|
|
|
|
CONST_STR_LEN("REMOTE_USER"),
|
|
|
|
|
CONST_BUF_LEN(ds->value));
|
|
|
|
|
CONST_BUF_LEN(&ds->value));
|
|
|
|
|
http_header_env_set(con,
|
|
|
|
|
CONST_STR_LEN("AUTH_TYPE"),
|
|
|
|
|
CONST_STR_LEN("SSL_CLIENT_VERIFY"));
|
|
|
|
@ -1037,7 +1037,7 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
for (size_t k = 0; k < p->conf.headers->used && NULL == forwarded; ++k) {
|
|
|
|
|
buffer *hdr = ((data_string *)p->conf.headers->data[k])->value;
|
|
|
|
|
buffer *hdr = &((data_string *)p->conf.headers->data[k])->value;
|
|
|
|
|
forwarded = http_header_request_get(con, HTTP_HEADER_UNSPECIFIED, CONST_BUF_LEN(hdr));
|
|
|
|
|
if (forwarded) {
|
|
|
|
|
is_forwarded_header = buffer_is_equal_caseless_string(hdr, CONST_STR_LEN("Forwarded"));
|
|
|
|
@ -1080,7 +1080,7 @@ CONNECTION_FUNC(mod_extforward_handle_request_env) {
|
|
|
|
|
* (when mod_extforward is listed after mod_openssl in server.modules)*/
|
|
|
|
|
data_string *ds = (data_string *)hctx->env->data[i];
|
|
|
|
|
http_header_env_set(con,
|
|
|
|
|
CONST_BUF_LEN(&ds->key), CONST_BUF_LEN(ds->value));
|
|
|
|
|
CONST_BUF_LEN(&ds->key), CONST_BUF_LEN(&ds->value));
|
|
|
|
|
}
|
|
|
|
|
return HANDLER_GO_ON;
|
|
|
|
|
}
|
|
|
|
|
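Review bot: In `is_proxy_trusted` (the -460 hunk) the new `return !buffer_string_is_empty(&ds->value);` treats any non-empty value as trusted, so accepting a forwarded client address depends on `mod_extforward_set_defaults` having cleared every value that is not "trust". That invariant is only hinted at by the `/* empty is untrusted */` comments at the clearing sites; I would state it where the decision is made, e.g. `/* non-empty value == "trust"; set_defaults clears every other value */` above that return. Separately, the forwarder loop and the `allds` lookup cast elements to `data_string` with no type check visible in the hunk, unlike the `du->type == TYPE_STRING` test in the extforward.params hunk. If the array is not validated as string-valued earlier in the function (outside the hunk), `&ds->value` addresses whatever a mistyped element stores at that offset, and a guard such as `if (ds->type != TYPE_STRING) return HANDLER_ERROR;` belongs before the first use. Both function bodies start and end outside the hunks shown.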