a partial match. PR 48401.i
[Dodou Wang <wangdong.08 gmail.com>, Ruediger Pluem]
+ *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
+ mod_proxy_connect. [Takashi Sato]
+
*) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]
*) mod_headers: Ensure that changes to the main request remain valid when
</usage>
</directivesynopsis>
-
-<directivesynopsis>
-<name>AllowCONNECT</name>
-<description>Ports that are allowed to <code>CONNECT</code> through the
-proxy</description>
-<syntax>AllowCONNECT <var>port</var> [<var>port</var>] ...</syntax>
-<default>AllowCONNECT 443 563</default>
-<contextlist><context>server config</context><context>virtual host</context>
-</contextlist>
-
-<usage>
- <p>The <directive>AllowCONNECT</directive> directive specifies a list
- of port numbers to which the proxy <code>CONNECT</code> method may
- connect. Today's browsers use this method when a <code>https</code>
- connection is requested and proxy tunneling over HTTP is in effect.</p>
-
- <p>By default, only the default https port (<code>443</code>) and the
- default snews port (<code>563</code>) are enabled. Use the
- <directive>AllowCONNECT</directive> directive to override this default and
- allow connections to the listed ports only.</p>
-
- <p>Note that you'll need to have <module>mod_proxy_connect</module> present
- in the server in order to get the support for the <code>CONNECT</code> at
- all.</p>
-</usage>
-</directivesynopsis>
-
<directivesynopsis>
<name>ProxyBlock</name>
<description>Words, hosts, or domains that are banned from being
<seealso><directive module="mod_proxy">AllowCONNECT</directive></seealso>
<seealso><module>mod_proxy</module></seealso>
+<directivesynopsis>
+<name>AllowCONNECT</name>
+<description>Ports that are allowed to <code>CONNECT</code> through the
+proxy</description>
+<syntax>AllowCONNECT <var>port</var> [<var>port</var>] ...</syntax>
+<default>AllowCONNECT 443 563</default>
+<contextlist><context>server config</context><context>virtual host</context>
+</contextlist>
+
+<usage>
+ <p>The <directive>AllowCONNECT</directive> directive specifies a list
+ of port numbers to which the proxy <code>CONNECT</code> method may
+ connect. Today's browsers use this method when a <code>https</code>
+ connection is requested and proxy tunneling over HTTP is in effect.</p>
+
+ <p>By default, only the default https port (<code>443</code>) and the
+ default snews port (<code>563</code>) are enabled. Use the
+ <directive>AllowCONNECT</directive> directive to override this default and
+ allow connections to the listed ports only.</p>
+</usage>
+</directivesynopsis>
+
</modulesynopsis>
* 20091031.0 (2.3.3-dev) remove public LDAP referral-related macros
* 20091119.0 (2.3.4-dev) dav_error interface uses apr_status_t parm, not errno
* 20091119.1 (2.3.4-dev) ap_mutex_register(), ap_{proc,global}_mutex_create()
+ * 20091229.0 (2.3.4-dev) Move allowed_connect_ports from proxy_server_conf
+ * to mod_proxy_connect
*
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20091119
+#define MODULE_MAGIC_NUMBER_MAJOR 20091229
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
ps->aliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
ps->noproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
ps->dirconn = apr_array_make(p, 10, sizeof(struct dirconn_entry));
- ps->allowed_connect_ports = apr_array_make(p, 10, sizeof(int));
ps->workers = apr_array_make(p, 10, sizeof(proxy_worker));
ps->balancers = apr_array_make(p, 10, sizeof(proxy_balancer));
ps->forward = NULL;
ps->aliases = apr_array_append(p, base->aliases, overrides->aliases);
ps->noproxies = apr_array_append(p, base->noproxies, overrides->noproxies);
ps->dirconn = apr_array_append(p, base->dirconn, overrides->dirconn);
- ps->allowed_connect_ports = apr_array_append(p, base->allowed_connect_ports, overrides->allowed_connect_ports);
ps->workers = apr_array_append(p, base->workers, overrides->workers);
ps->balancers = apr_array_append(p, base->balancers, overrides->balancers);
ps->forward = overrides->forward ? overrides->forward : base->forward;
return NULL;
}
-/*
- * Set the ports CONNECT can use
- */
-static const char *
- set_allowed_ports(cmd_parms *parms, void *dummy, const char *arg)
-{
- server_rec *s = parms->server;
- proxy_server_conf *conf =
- ap_get_module_config(s->module_config, &proxy_module);
- int *New;
-
- if (!apr_isdigit(arg[0]))
- return "AllowCONNECT: port number must be numeric";
-
- New = apr_array_push(conf->allowed_connect_ports);
- *New = atoi(arg);
- return NULL;
-}
/* Similar to set_proxy_exclude(), but defining directly connected hosts,
* which should never be accessed via the configured ProxyRemote servers
"A list of domains, hosts, or subnets to which the proxy will connect directly"),
AP_INIT_TAKE1("ProxyDomain", set_proxy_domain, NULL, RSRC_CONF,
"The default intranet domain name (in absence of a domain in the URL)"),
- AP_INIT_ITERATE("AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF,
- "A list of ports which CONNECT may connect to"),
AP_INIT_TAKE1("ProxyVia", set_via_opt, NULL, RSRC_CONF,
"Configure Via: proxy header header to one of: on | off | block | full"),
AP_INIT_FLAG("ProxyErrorOverride", set_proxy_error_override, NULL, RSRC_CONF,
apr_array_header_t *aliases;
apr_array_header_t *noproxies;
apr_array_header_t *dirconn;
- apr_array_header_t *allowed_connect_ports;
apr_array_header_t *workers;
apr_array_header_t *balancers;
proxy_worker *forward; /* forward proxy worker */
* FIXME: no check for r->assbackwards, whatever that is.
*/
-static int allowed_port(proxy_server_conf *conf, int port)
+typedef struct {
+ apr_array_header_t *allowed_connect_ports;
+} connect_conf;
+
+static void *create_config(apr_pool_t *p, server_rec *s)
+{
+ connect_conf *c = apr_pcalloc(p, sizeof(connect_conf));
+ c->allowed_connect_ports = apr_array_make(p, 10, sizeof(int));
+ return c;
+}
+
+static void *merge_config(apr_pool_t *p, void *basev, void *overridesv)
+{
+ connect_conf *c = apr_pcalloc(p, sizeof(connect_conf));
+ connect_conf *base = (connect_conf *) basev;
+ connect_conf *overrides = (connect_conf *) overridesv;
+
+ c->allowed_connect_ports = apr_array_append(p,
+ base->allowed_connect_ports,
+ overrides->allowed_connect_ports);
+
+ return c;
+}
+
+
+/*
+ * Set the ports CONNECT can use
+ */
+static const char *
+ set_allowed_ports(cmd_parms *parms, void *dummy, const char *arg)
+{
+ server_rec *s = parms->server;
+ connect_conf *conf =
+ ap_get_module_config(s->module_config, &proxy_connect_module);
+ int *New;
+
+ if (!apr_isdigit(arg[0]))
+ return "AllowCONNECT: port number must be numeric";
+
+ New = apr_array_push(conf->allowed_connect_ports);
+ *New = atoi(arg);
+ return NULL;
+}
+
+
+static int allowed_port(connect_conf *conf, int port)
{
int i;
int *list = (int *) conf->allowed_connect_ports->elts;
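Review bot: set_allowed_ports still accepts any argument whose first character is a digit — `atoi(arg)` silently turns `443x` into 443 and stores values such as 0 or 70000 that can never equal uri.port in allowed_port, so a typo in AllowCONNECT quietly drops or misplaces a port instead of failing at config parse; the move into mod_proxy_connect keeps that gap. Parse with strtol and reject an empty string, trailing characters and anything outside 1..65535 before pushing the value, so the directive's one real input check is complete. allowed_port's body continues outside the hunk.
```c
static const char *
    set_allowed_ports(cmd_parms *parms, void *dummy, const char *arg)
{
    /* … unchanged: server_rec / connect_conf lookup … */
    char *end;
    long port = strtol(arg, &end, 10);
    int *New;

    /* atoi() would silently truncate "443x" or overflow on huge input;
     * a bad port must be a startup error, not a silently ignored entry */
    if (end == arg || *end != '\0' || port < 1 || port > 65535)
        return "AllowCONNECT: port number must be numeric and in the range 1-65535";

    New = apr_array_push(conf->allowed_connect_ports);
    *New = (int) port;
    return NULL;
}
```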
char *url, const char *proxyname,
apr_port_t proxyport)
{
+ connect_conf *c_conf =
+ ap_get_module_config(r->server->module_config, &proxy_connect_module);
+
apr_pool_t *p = r->pool;
apr_socket_t *sock;
conn_rec *c = r->connection;
}
/* Check if it is an allowed port */
- if (conf->allowed_connect_ports->nelts == 0) {
+ if (c_conf->allowed_connect_ports->nelts == 0) {
/* Default setting if not overridden by AllowCONNECT */
switch (uri.port) {
case APR_URI_HTTPS_DEFAULT_PORT:
return ap_proxyerror(r, HTTP_FORBIDDEN,
"Connect to remote machine blocked");
}
- } else if(!allowed_port(conf, uri.port)) {
+ } else if(!allowed_port(c_conf, uri.port)) {
return ap_proxyerror(r, HTTP_FORBIDDEN,
"Connect to remote machine blocked");
}
proxy_hook_canon_handler(proxy_connect_canon, NULL, NULL, APR_HOOK_MIDDLE);
}
+static const command_rec cmds[] =
+{
+ AP_INIT_ITERATE("AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF,
+ "A list of ports which CONNECT may connect to"),
+ {NULL}
+};
+
module AP_MODULE_DECLARE_DATA proxy_connect_module = {
STANDARD20_MODULE_STUFF,
NULL, /* create per-directory config structure */
NULL, /* merge per-directory config structures */
- NULL, /* create per-server config structure */
- NULL, /* merge per-server config structures */
- NULL, /* command apr_table_t */
+ create_config, /* create per-server config structure */
+ merge_config, /* merge per-server config structures */
+ cmds, /* command apr_table_t */
ap_proxy_connect_register_hook /* register hooks */
};