[mod_extforward] PROXY proto and SSL_CLIENT_VERIFY

Use config directive extforward.hap-PROXY-ssl-client-verify = "enable" to enable setting SSL_CLIENT_VERIFY, REMOTE_USER, and AUTH_TYPE using information provided by HAProxy PROXY protocol.
6 years ago · b6bd4d3d94
parent 7ec74fe7b1
commit b6bd4d3d94
1 changed files with 8 additions and 7 deletions
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@ -78,7 +78,8 @@ typedef struct {
 	array *headers;
 	array *opts_params;
 	unsigned int opts;
-	unsigned int hap_PROXY;
+	unsigned short int hap_PROXY;
+	unsigned short int hap_PROXY_ssl_client_verify;
 } plugin_config;

 typedef struct {
@ -169,6 +170,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
 		{ "extforward.headers",         NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },       /* 1 */
 		{ "extforward.params",          NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },       /* 2 */
 		{ "extforward.hap-PROXY",       NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },     /* 3 */
+		{ "extforward.hap-PROXY-ssl-client-verify", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
 		{ NULL,                         NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }
 	};

@ -190,6 +192,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
 		cv[1].destination = s->headers;
 		cv[2].destination = s->opts_params;
 		cv[3].destination = &s->hap_PROXY;
+		cv[4].destination = &s->hap_PROXY_ssl_client_verify;

 		p->config_storage[i] = s;

@ -318,6 +321,7 @@ static int mod_extforward_patch_connection(server *srv, connection *con, plugin_
 	PATCH(headers);
 	PATCH(opts);
 	PATCH(hap_PROXY);
+	PATCH(hap_PROXY_ssl_client_verify);

 	/* skip the first, the global context */
 	for (i = 1; i < srv->config_context->used; i++) {
@ -339,6 +343,8 @@ static int mod_extforward_patch_connection(server *srv, connection *con, plugin_
 				PATCH(opts);
 			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY"))) {
 				PATCH(hap_PROXY);
+			} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY-ssl-client-verify"))) {
+				PATCH(hap_PROXY_ssl_client_verify);
 			}
 		}
 	}
@ -942,11 +948,7 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
 			"-- mod_extforward_uri_handler called");
 	}

-	if (NULL != hctx) {
-		/* XXX: future: add config option to enable
-		 *      and replace above with: if (p->conf.???)
-		 *      similar to ssl.verifyclient.username */
-	      #if 0
+	if (p->conf.hap_PROXY_ssl_client_verify) {
 		data_string *ds;
 		if (NULL != hctx && hctx->ssl_client_verify && NULL != hctx->env
 		    && NULL != (ds = (data_string *)array_get_element(hctx->env, "SSL_CLIENT_S_DN_CN"))) {
@ -964,7 +966,6 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
 					    CONST_STR_LEN("SSL_CLIENT_VERIFY"),
 					    CONST_STR_LEN("NONE"));
 		}
-	      #endif
 	}

 	for (size_t k = 0; k < p->conf.headers->used && NULL == forwarded; ++k) {