Browse Source

[mod_extforward] CIDR support for trusted proxies (fixes #2860)

x-ref:
  "RFE: mod_extforward CIDR support"
  https://redmine.lighttpd.net/issues/2860
personal/stbuehler/fix-fdevent
Glenn Strauss 3 years ago
parent
commit
fc7edb3946
  1. 104
      src/mod_extforward.c

104
src/mod_extforward.c

@ -73,13 +73,26 @@ typedef enum {
PROXY_FORWARDED_REMOTE_USER = 0x10
} proxy_forwarded_t;
struct sock_addr_mask {
sock_addr addr;
int bits;
};
struct sock_addr_masks {
struct sock_addr_mask *addrs;
size_t used;
size_t sz;
};
typedef struct {
array *forwarder;
struct sock_addr_masks *forward_masks;
array *headers;
array *opts_params;
unsigned int opts;
unsigned short int hap_PROXY;
unsigned short int hap_PROXY_ssl_client_verify;
short int forward_all;
} plugin_config;
typedef struct {
@ -148,6 +161,11 @@ FREE_FUNC(mod_extforward_free) {
array_free(s->headers);
array_free(s->opts_params);
if (s->forward_masks) {
free(s->forward_masks->addrs);
free(s->forward_masks);
}
free(s);
}
free(p->config_storage);
@ -206,6 +224,39 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
return HANDLER_ERROR;
}
if (array_get_element(config->value, "extforward.forwarder")) {
const data_string * const allds = (data_string *)array_get_element(s->forwarder, "all");
s->forward_all = (NULL == allds) ? 0 : (0 == strcasecmp(allds->value->ptr, "trust")) ? 1 : -1;
for (size_t j = 0; j < s->forwarder->used; ++j) {
data_string * const ds = (data_string *)s->forwarder->data[j];
char * const nm_slash = strchr(ds->key->ptr, '/');
if (NULL != nm_slash) {
struct sock_addr_mask *sm;
char *err;
const int nm_bits = strtol(nm_slash + 1, &err, 10);
int rc;
if (*err || nm_bits <= 0) {
log_error_write(srv, __FILE__, __LINE__, "sbs", "ERROR: invalid netmask:", ds->key, err);
return HANDLER_ERROR;
}
if (NULL == s->forward_masks)
s->forward_masks = calloc(1, sizeof(struct sock_addr_masks));
force_assert(s->forward_masks);
if (s->forward_masks->used == s->forward_masks->sz) {
s->forward_masks->sz += 2;
s->forward_masks->addrs = realloc(s->forward_masks->addrs, s->forward_masks->sz * sizeof(struct sock_addr_mask));
force_assert(s->forward_masks->addrs);
}
sm = s->forward_masks->addrs + s->forward_masks->used++;
sm->bits = nm_bits;
*nm_slash = '\0';
rc = sock_addr_from_str_numeric(srv, &sm->addr, ds->key->ptr);
*nm_slash = '/';
if (1 != rc) return HANDLER_ERROR;
}
}
}
if (!array_is_vlist(s->headers)) {
log_error_write(srv, __FILE__, __LINE__, "s",
"unexpected value for extforward.headers; expected list of \"headername\"");
@ -318,10 +369,12 @@ static int mod_extforward_patch_connection(server *srv, connection *con, plugin_
plugin_config *s = p->config_storage[0];
PATCH(forwarder);
PATCH(forward_masks);
PATCH(headers);
PATCH(opts);
PATCH(hap_PROXY);
PATCH(hap_PROXY_ssl_client_verify);
PATCH(forward_all);
/* skip the first, the global context */
for (i = 1; i < srv->config_context->used; i++) {
@ -337,6 +390,8 @@ static int mod_extforward_patch_connection(server *srv, connection *con, plugin_
if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) {
PATCH(forwarder);
PATCH(forward_masks);
PATCH(forward_all);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.headers"))) {
PATCH(headers);
} else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.params"))) {
@ -397,24 +452,40 @@ static array *extract_forward_array(buffer *pbuffer)
return result;
}
#define IP_TRUSTED 1
#define IP_UNTRUSTED 0
/*
* check whether ip is trusted, return 1 for trusted , 0 for untrusted
*/
static int is_proxy_trusted(const buffer *ipstr, plugin_data *p)
static int is_proxy_trusted(plugin_data *p, const char * const ip, size_t iplen)
{
data_string* allds = (data_string *)array_get_element(p->conf.forwarder, "all");
if (NULL != array_get_element_klen(p->conf.forwarder, ip, iplen))
return 1;
if (p->conf.forward_masks) {
const struct sock_addr_mask * const addrs =p->conf.forward_masks->addrs;
const size_t aused = p->conf.forward_masks->used;
sock_addr addr;
/* C funcs inet_aton(), inet_pton() require '\0'-terminated IP str */
char addrstr[64]; /*(larger than INET_ADDRSTRLEN and INET6_ADDRSTRLEN)*/
if (iplen >= sizeof(addrstr)) return 0;
memcpy(addrstr, ip, iplen);
addrstr[iplen] = '\0';
if (1 != sock_addr_inet_pton(&addr, addrstr, AF_INET, 0)
&& 1 != sock_addr_inet_pton(&addr, addrstr, AF_INET6, 0)) return 0;
for (size_t i = 0; i < aused; ++i) {
if (sock_addr_is_addr_eq_bits(&addr, &addrs[i].addr, addrs[i].bits))
return 1;
}
}
if (allds) {
if (strcasecmp(allds->value->ptr, "trust") == 0) {
return IP_TRUSTED;
} else {
return IP_UNTRUSTED;
}
}
return 0;
}
return (data_string *)array_get_element_klen(p->conf.forwarder, CONST_BUF_LEN(ipstr)) ? IP_TRUSTED : IP_UNTRUSTED;
static int is_connection_trusted(connection * const con, plugin_data *p)
{
if (p->conf.forward_all) return (1 == p->conf.forward_all);
return is_proxy_trusted(p, CONST_BUF_LEN(con->dst_addr_buf));
}
/*
@ -423,12 +494,11 @@ static int is_proxy_trusted(const buffer *ipstr, plugin_data *p)
*/
static const char *last_not_in_array(array *a, plugin_data *p)
{
array *forwarder = p->conf.forwarder;
int i;
for (i = a->used - 1; i >= 0; i--) {
data_string *ds = (data_string *)a->data[i];
if (!array_get_element_klen(forwarder, CONST_BUF_LEN(ds->value))) {
if (!is_proxy_trusted(p, CONST_BUF_LEN(ds->value))) {
return ds->value->ptr;
}
}
@ -706,7 +776,7 @@ static handler_t mod_extforward_Forwarded (server *srv, connection *con, plugin_
* attempted by this module. */
if (v != vlen) {
int trusted = (NULL != array_get_element_klen(p->conf.forwarder, s+v, vlen-v));
int trusted = is_proxy_trusted(p, s+v, vlen-v);
if (s[v] != '_' && s[v] != '/'
&& (7 != (vlen - v) || 0 != memcmp(s+v, "unknown", 7))) {
@ -980,7 +1050,7 @@ URIHANDLER_FUNC(mod_extforward_uri_handler) {
}
/* if the remote ip itself is not trusted, then do nothing */
if (IP_UNTRUSTED == is_proxy_trusted(con->dst_addr_buf, p)) {
if (!is_connection_trusted(con, p)) {
if (con->conf.log_request_handling) {
log_error_write(srv, __FILE__, __LINE__, "sbs",
"remote address", con->dst_addr_buf, "is NOT a trusted proxy, skipping");
@ -1074,7 +1144,7 @@ CONNECTION_FUNC(mod_extforward_handle_con_accept)
plugin_data *p = p_d;
mod_extforward_patch_connection(srv, con, p);
if (!p->conf.hap_PROXY) return HANDLER_GO_ON;
if (IP_TRUSTED == is_proxy_trusted(con->dst_addr_buf, p)) {
if (is_connection_trusted(con, p)) {
handler_ctx *hctx = handler_ctx_init();
con->plugin_ctx[p->id] = hctx;
hctx->saved_network_read = con->network_read;

Loading…
Cancel
Save