1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* CONNECT method for Apache proxy */
19 #include "mod_proxy.h"
22 #define CONN_BLKSZ AP_IOBUFSIZE
24 module AP_MODULE_DECLARE_DATA proxy_connect_module;
27 * This handles Netscape CONNECT method secure proxy requests.
28 * A connection is opened to the specified host and data is
29 * passed through between the WWW site and the browser.
31 * This code is based on the INTERNET-DRAFT document
32 * "Tunneling SSL Through a WWW Proxy" currently at
33 * http://www.mcom.com/newsref/std/tunneling_ssl.html.
35 * If proxyhost and proxyport are set, we send a CONNECT to
36 * the specified proxy..
38 * FIXME: this doesn't log the number of bytes sent, but
39 * that may be okay, since the data is supposed to
40 * be transparent. In fact, this doesn't log at all
42 * FIXME: doesn't check any headers initally sent from the
44 * FIXME: should allow authentication, but hopefully the
45 * generic proxy authentication is good enough.
46 * FIXME: no check for r->assbackwards, whatever that is.
50 apr_array_header_t *allowed_connect_ports;
58 static void *create_config(apr_pool_t *p, server_rec *s)
60 connect_conf *c = apr_pcalloc(p, sizeof(connect_conf));
61 c->allowed_connect_ports = apr_array_make(p, 10, sizeof(port_range));
65 static void *merge_config(apr_pool_t *p, void *basev, void *overridesv)
67 connect_conf *c = apr_pcalloc(p, sizeof(connect_conf));
68 connect_conf *base = (connect_conf *) basev;
69 connect_conf *overrides = (connect_conf *) overridesv;
71 c->allowed_connect_ports = apr_array_append(p,
72 base->allowed_connect_ports,
73 overrides->allowed_connect_ports);
80 * Set the ports CONNECT can use
83 set_allowed_ports(cmd_parms *parms, void *dummy, const char *arg)
85 server_rec *s = parms->server;
88 ap_get_module_config(s->module_config, &proxy_connect_module);
93 if (!apr_isdigit(arg[0]))
94 return "AllowCONNECT: port numbers must be numeric";
96 first = strtol(p, &endptr, 10);
99 last = strtol(p, &endptr, 10);
105 if (endptr == p || *endptr != '\0') {
106 return apr_psprintf(parms->temp_pool,
107 "Cannot parse '%s' as port number", p);
110 New = apr_array_push(conf->allowed_connect_ports);
117 static int allowed_port(connect_conf *conf, int port)
120 port_range *list = (port_range *) conf->allowed_connect_ports->elts;
122 if (apr_is_empty_array(conf->allowed_connect_ports)){
123 return port == APR_URI_HTTPS_DEFAULT_PORT
124 || port == APR_URI_SNEWS_DEFAULT_PORT;
127 for (i = 0; i < conf->allowed_connect_ports->nelts; i++) {
128 if (port >= list[i].first && port <= list[i].last)
134 /* canonicalise CONNECT URLs. */
135 static int proxy_connect_canon(request_rec *r, char *url)
138 if (r->method_number != M_CONNECT) {
141 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
142 "proxy: CONNECT: canonicalising URL %s", url);
147 /* read available data (in blocks of CONN_BLKSZ) from c_i and copy to c_o */
148 static int proxy_connect_transfer(request_rec *r, conn_rec *c_i, conn_rec *c_o,
149 apr_bucket_brigade *bb, char *name)
157 apr_brigade_cleanup(bb);
158 rv = ap_get_brigade(c_i->input_filters, bb, AP_MODE_READBYTES,
159 APR_NONBLOCK_READ, CONN_BLKSZ);
160 if (rv == APR_SUCCESS) {
163 if (APR_BRIGADE_EMPTY(bb))
167 apr_brigade_length(bb, 0, &len);
168 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
169 "proxy: CONNECT: read %" APR_OFF_T_FMT
170 " bytes from %s", len, name);
172 rv = ap_pass_brigade(c_o->output_filters, bb);
173 if (rv == APR_SUCCESS) {
174 ap_fflush(c_o->output_filters, bb);
177 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
178 "proxy: CONNECT: error on %s - ap_pass_brigade",
181 } else if (!APR_STATUS_IS_EAGAIN(rv)) {
182 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
183 "proxy: CONNECT: error on %s - ap_get_brigade",
186 } while (rv == APR_SUCCESS);
188 if (APR_STATUS_IS_EAGAIN(rv)) {
194 /* CONNECT handler */
195 static int proxy_connect_handler(request_rec *r, proxy_worker *worker,
196 proxy_server_conf *conf,
197 char *url, const char *proxyname,
198 apr_port_t proxyport)
200 connect_conf *c_conf =
201 ap_get_module_config(r->server->module_config, &proxy_connect_module);
203 apr_pool_t *p = r->pool;
205 conn_rec *c = r->connection;
208 apr_bucket_brigade *bb = apr_brigade_create(p, c->bucket_alloc);
209 apr_status_t err, rv;
211 char buffer[HUGE_STRING_LEN];
212 apr_socket_t *client_socket = ap_get_module_config(c->conn_config, &core_module);
214 int client_error = 0;
215 apr_pollset_t *pollset;
217 const apr_pollfd_t *signalled;
218 apr_int32_t pollcnt, pi;
219 apr_int16_t pollevent;
220 apr_sockaddr_t *uri_addr, *connect_addr;
223 const char *connectname;
226 /* is this for us? */
227 if (r->method_number != M_CONNECT) {
228 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
229 "proxy: CONNECT: declining URL %s", url);
232 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
233 "proxy: CONNECT: serving URL %s", url);
237 * Step One: Determine Who To Connect To
239 * Break up the URL to determine the host to connect to
242 /* we break the URL into host, port, uri */
243 if (APR_SUCCESS != apr_uri_parse_hostinfo(p, url, &uri)) {
244 return ap_proxyerror(r, HTTP_BAD_REQUEST,
245 apr_pstrcat(p, "URI cannot be parsed: ", url,
249 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
250 "proxy: CONNECT: connecting %s to %s:%d", url, uri.hostname,
253 /* do a DNS lookup for the destination host */
254 err = apr_sockaddr_info_get(&uri_addr, uri.hostname, APR_UNSPEC, uri.port,
256 if (APR_SUCCESS != err) {
257 return ap_proxyerror(r, HTTP_BAD_GATEWAY,
258 apr_pstrcat(p, "DNS lookup failure for: ",
259 uri.hostname, NULL));
262 /* are we connecting directly, or via a proxy? */
264 connectname = proxyname;
265 connectport = proxyport;
266 err = apr_sockaddr_info_get(&connect_addr, proxyname, APR_UNSPEC,
270 connectname = uri.hostname;
271 connectport = uri.port;
272 connect_addr = uri_addr;
274 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
275 "proxy: CONNECT: connecting to remote proxy %s on port %d",
276 connectname, connectport);
278 /* check if ProxyBlock directive on this host */
279 if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
280 return ap_proxyerror(r, HTTP_FORBIDDEN,
281 "Connect to remote machine blocked");
284 /* Check if it is an allowed port */
285 if(!allowed_port(c_conf, uri.port)) {
286 return ap_proxyerror(r, HTTP_FORBIDDEN,
287 "Connect to remote machine blocked");
291 * Step Two: Make the Connection
293 * We have determined who to connect to. Now make the connection.
296 /* get all the possible IP addresses for the destname and loop through them
297 * until we get a successful connection
299 if (APR_SUCCESS != err) {
300 return ap_proxyerror(r, HTTP_BAD_GATEWAY,
301 apr_pstrcat(p, "DNS lookup failure for: ",
306 * At this point we have a list of one or more IP addresses of
307 * the machine to connect to. If configured, reorder this
308 * list so that the "best candidate" is first try. "best
309 * candidate" could mean the least loaded server, the fastest
310 * responding server, whatever.
312 * For now we do nothing, ie we get DNS round robin.
315 failed = ap_proxy_connect_to_backend(&sock, "CONNECT", connect_addr,
316 connectname, conf, r->server,
319 /* handle a permanent error from the above loop */
325 return HTTP_SERVICE_UNAVAILABLE;
329 /* setup polling for connection */
330 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
331 "proxy: CONNECT: setting up poll()");
333 if ((rv = apr_pollset_create(&pollset, 2, r->pool, 0)) != APR_SUCCESS) {
334 apr_socket_close(sock);
335 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
336 "proxy: CONNECT: error apr_pollset_create()");
337 return HTTP_INTERNAL_SERVER_ERROR;
340 /* Add client side to the poll */
342 pollfd.desc_type = APR_POLL_SOCKET;
343 pollfd.reqevents = APR_POLLIN;
344 pollfd.desc.s = client_socket;
345 pollfd.client_data = NULL;
346 apr_pollset_add(pollset, &pollfd);
348 /* Add the server side to the poll */
349 pollfd.desc.s = sock;
350 apr_pollset_add(pollset, &pollfd);
353 * Step Three: Send the Request
355 * Send the HTTP/1.1 CONNECT request to the remote server
358 backconn = ap_run_create_connection(c->pool, r->server, sock,
359 c->id, c->sbh, c->bucket_alloc);
362 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
363 "proxy: an error occurred creating a new connection "
364 "to %pI (%s)", connect_addr, connectname);
365 apr_socket_close(sock);
366 return HTTP_INTERNAL_SERVER_ERROR;
368 ap_proxy_ssl_disable(backconn);
369 rc = ap_run_pre_connection(backconn, sock);
370 if (rc != OK && rc != DONE) {
371 backconn->aborted = 1;
372 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
373 "proxy: CONNECT: pre_connection setup failed (%d)", rc);
374 return HTTP_INTERNAL_SERVER_ERROR;
377 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
378 "proxy: CONNECT: connection complete to %pI (%s)",
379 connect_addr, connectname);
382 /* If we are connecting through a remote proxy, we need to pass
383 * the CONNECT request on to it.
386 /* FIXME: Error checking ignored.
388 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
389 "proxy: CONNECT: sending the CONNECT request"
390 " to the remote proxy");
391 ap_fprintf(backconn->output_filters, bb,
392 "CONNECT %s HTTP/1.0" CRLF, r->uri);
393 ap_fprintf(backconn->output_filters, bb,
394 "Proxy-agent: %s" CRLF CRLF, ap_get_server_banner());
395 ap_fflush(backconn->output_filters, bb);
398 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
399 "proxy: CONNECT: Returning 200 OK Status");
400 nbytes = apr_snprintf(buffer, sizeof(buffer),
401 "HTTP/1.0 200 Connection Established" CRLF);
402 ap_xlate_proto_to_ascii(buffer, nbytes);
403 ap_fwrite(c->output_filters, bb, buffer, nbytes);
404 nbytes = apr_snprintf(buffer, sizeof(buffer),
405 "Proxy-agent: %s" CRLF CRLF,
406 ap_get_server_banner());
407 ap_xlate_proto_to_ascii(buffer, nbytes);
408 ap_fwrite(c->output_filters, bb, buffer, nbytes);
409 ap_fflush(c->output_filters, bb);
411 /* This is safer code, but it doesn't work yet. I'm leaving it
412 * here so that I can fix it later.
416 apr_table_set(r->headers_out, "Proxy-agent: %s", ap_get_server_banner());
421 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
422 "proxy: CONNECT: setting up poll()");
425 * Step Four: Handle Data Transfer
427 * Handle two way transfer of data over the socket (this is a tunnel).
430 /* we are now acting as a tunnel - the input/output filter stacks should
431 * not contain any non-connection filters.
433 r->output_filters = c->output_filters;
434 r->proto_output_filters = c->output_filters;
435 r->input_filters = c->input_filters;
436 r->proto_input_filters = c->input_filters;
437 /* r->sent_bodyct = 1;*/
439 while (1) { /* Infinite loop until error (one side closes the connection) */
440 if ((rv = apr_pollset_poll(pollset, -1, &pollcnt, &signalled))
442 apr_socket_close(sock);
443 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "proxy: CONNECT: error apr_poll()");
444 return HTTP_INTERNAL_SERVER_ERROR;
447 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
448 "proxy: CONNECT: woke from poll(), i=%d", pollcnt);
451 for (pi = 0; pi < pollcnt; pi++) {
452 const apr_pollfd_t *cur = &signalled[pi];
454 if (cur->desc.s == sock) {
455 pollevent = cur->rtnevents;
456 if (pollevent & APR_POLLIN) {
458 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
459 "proxy: CONNECT: sock was readable");
461 rv = proxy_connect_transfer(r, backconn, c, bb, "sock");
463 else if ((pollevent & APR_POLLERR)
464 || (pollevent & APR_POLLHUP)) {
466 ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r,
467 "proxy: CONNECT: err/hup on backconn");
469 if (rv != APR_SUCCESS)
472 else if (cur->desc.s == client_socket) {
473 pollevent = cur->rtnevents;
474 if (pollevent & APR_POLLIN) {
476 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
477 "proxy: CONNECT: client was readable");
479 rv = proxy_connect_transfer(r, c, backconn, bb, "client");
484 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
485 "proxy: CONNECT: unknown socket in pollset");
489 if (rv != APR_SUCCESS) {
494 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
495 "proxy: CONNECT: finished with poll() - cleaning up");
498 * Step Five: Clean Up
500 * Close the socket and clean up
504 apr_socket_close(sock);
506 ap_lingering_close(backconn);
513 static void ap_proxy_connect_register_hook(apr_pool_t *p)
515 proxy_hook_scheme_handler(proxy_connect_handler, NULL, NULL, APR_HOOK_MIDDLE);
516 proxy_hook_canon_handler(proxy_connect_canon, NULL, NULL, APR_HOOK_MIDDLE);
519 static const command_rec cmds[] =
521 AP_INIT_ITERATE("AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF,
522 "A list of ports or port ranges which CONNECT may connect to"),
526 module AP_MODULE_DECLARE_DATA proxy_connect_module = {
527 STANDARD20_MODULE_STUFF,
528 NULL, /* create per-directory config structure */
529 NULL, /* merge per-directory config structures */
530 create_config, /* create per-server config structure */
531 merge_config, /* merge per-server config structures */
532 cmds, /* command apr_table_t */
533 ap_proxy_connect_register_hook /* register hooks */