From c2e9288043904f5adb279c8d932ebe3205408615 Mon Sep 17 00:00:00 2001 From: Yann Ylavic Date: Wed, 14 Feb 2018 15:20:58 +0000 Subject: [PATCH] Revert r1824221: wrong backport. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1824246 13f79535-47bb-0310-9956-ffa450edef68 --- CHANGES | 5 - STATUS | 29 ++ docs/manual/mod/mod_remoteip.xml | 71 --- modules/metadata/mod_remoteip.c | 772 +------------------------------ 4 files changed, 31 insertions(+), 846 deletions(-) diff --git a/CHANGES b/CHANGES index a06f95cba3..28fcfc9629 100644 --- a/CHANGES +++ b/CHANGES @@ -1,11 +1,6 @@ -*- coding: utf-8 -*- Changes with Apache 2.4.30 - *) mod_remoteip: Add support for PROXY protocol (code donated by Cloudzilla). - Add ability for PROXY protocol processing to be optional to donated code. - See also: http://www.haproxy.org/download/1.5/doc/proxy-protocol.txt - [Cloudzilla/roadrunner2@GitHub, Jim Jagielski, Daniel Ruggeri] - *) mod_proxy, mod_ssl: Handle SSLProxy* directives in sections, allowing per backend TLS configuration. [Yann Ylavic] diff --git a/STATUS b/STATUS index b75935cbd5..6a4df39d6f 100644 --- a/STATUS +++ b/STATUS @@ -118,6 +118,35 @@ RELEASE SHOWSTOPPERS: PATCHES ACCEPTED TO BACKPORT FROM TRUNK: [ start all new proposals below, under PATCHES PROPOSED. ] + *) mod_remoteip: Add PROXY protocol support + trunk patch: http://svn.apache.org/r1776575 + http://svn.apache.org/r1776578 (doc fix) + http://svn.apache.org/r1776624 + http://svn.apache.org/r1776627 (shortened name + doc fix) + http://svn.apache.org/r1776674 (attribution moved to CHANGES) + http://svn.apache.org/r1776734 + http://svn.apache.org/r1776740 (attribution updated in mod_remotip.c) + http://svn.apache.org/r1778268 (fix compiler warning) + http://svn.apache.org/r1780725 (set buckets aside) + http://svn.apache.org/r1781030 (fix strict GCC warning) + http://svn.apache.org/r1781031 (reference the filter by handle) + http://svn.apache.org/r1781701 (rework optional processing case) + http://svn.apache.org/r1788674 (final edge cases/ignore slave conns) + http://svn.apache.org/r1789800 (remove optional processing) + http://svn.apache.org/r1790169 (rename "exception" directive) + http://svn.apache.org/r1790457 (Update directive name in err message) + http://svn.apache.org/r1790691 + http://svn.apache.org/r1806985 + http://svn.apache.org/r1818279 + 2.4 convenience patch (includes CHANGES): + http://home.apache.org/~ylavic/patches/RemoteIPProxyProtocol.2.4-v3.patch + +1: druggeri, jim, minfrin + ylavic: RemoteIPProxyProtocol* are documented as scoped to server config + and virtual host, though using ap_server_conf makes them global + only (thus less useful too...). + jim: Can docco patch be post-backport? + minfrin: The docs seem correct, and there is a long explanation in the docs of + why the scoping is as it is. PATCHES PROPOSED TO BACKPORT FROM TRUNK: diff --git a/docs/manual/mod/mod_remoteip.xml b/docs/manual/mod/mod_remoteip.xml index eb01dc7c5e..7edf995b00 100644 --- a/docs/manual/mod/mod_remoteip.xml +++ b/docs/manual/mod/mod_remoteip.xml @@ -42,12 +42,6 @@ via the request headers. with the useragent IP address reported in the request header configured with the RemoteIPHeader directive.

-

Additionally, this module implements the server side of - HAProxy's - Proxy Protocol when - using the RemoteIPProxyProtocolEnable - directive.

-

Once replaced as instructed, this overridden useragent IP address is then used for the mod_authz_host Require ip @@ -65,7 +59,6 @@ via the request headers. mod_authz_host mod_status mod_log_config -Proxy Protocol Spec

Remote IP Processing @@ -218,70 +211,6 @@ RemoteIPProxiesHeader X-Forwarded-By - -RemoteIPProxyProtocol -Enable, optionally enable or disable the proxy protocol handling -ProxyProtocol On|Optional|Off -server configvirtual host - - - -

The RemoteIPProxyProtocolEnable enables or - disables the reading and handling of the proxy protocol connection header. - If enabled with the On flag, the upstream client must - send the header every time it opens a connection or the connection will - be aborted. If enabled with the Optional flag, the upstream - client may send the header.

- -

While this directive may be specified in any virtual host, it is - important to understand that because the proxy protocol is connection - based and protocol agnostic, the enabling and disabling is actually based - on ip-address and port. This means that if you have multiple name-based - virtual hosts for the same host and port, and you enable it any one of - them, then it is enabled for all them (with that host and port). It also - means that if you attempt to enable the proxy protocol in one and disable - in the other, that won't work; in such a case the last one wins and a - notice will be logged indicating which setting was being overridden.

- - When multiple virtual hosts on the same IP and port are - configured with a combination of On and Optional - flags, connections will not be aborted if the header is not sent. - Instead, enforcement will happen after the request is read so virtual - hosts configured with On will return a 400 Bad Request. - Virtual hosts configured with Optional will continue as - usual but without replacing the client IP information - - -Listen 80 -<VirtualHost *:80> - ServerName www.example.com - RemoteIPProxyProtocolEnable Optional - - #Requests to this virtual host may optionally not have - # a proxy protocol header provided -</VirtualHost> - -<VirtualHost *:80> - ServerName www.example.com - RemoteIPProxyProtocolEnable On - - #Requests to this virtual host must have a proxy protocol - # header provided. If it is missing, a 400 will result -</VirtualHost> - -Listen 8080 -<VirtualHost *:8080> - ServerName www.example.com - RemoteIPProxyProtocolEnable On - - #Requests to this virtual host must have a proxy protocol - # header provided. If it is missing, the connection will - # be aborted -</VirtualHost> - - - - RemoteIPTrustedProxy Declare client intranet IP addresses trusted to present the RemoteIPHeader value diff --git a/modules/metadata/mod_remoteip.c b/modules/metadata/mod_remoteip.c index 8604d6b95e..28e01df297 100644 --- a/modules/metadata/mod_remoteip.c +++ b/modules/metadata/mod_remoteip.c @@ -16,13 +16,11 @@ #include "ap_config.h" #include "ap_mmn.h" -#include "ap_listen.h" #include "httpd.h" #include "http_config.h" #include "http_connection.h" #include "http_protocol.h" #include "http_log.h" -#include "http_main.h" #include "apr_strings.h" #include "apr_lib.h" #define APR_WANT_BYTEFUNC @@ -38,12 +36,6 @@ typedef struct { void *internal; } remoteip_proxymatch_t; -typedef struct remoteip_addr_info { - struct remoteip_addr_info *next; - apr_sockaddr_t *addr; - server_rec *source; -} remoteip_addr_info; - typedef struct { /** The header to retrieve a proxy-via IP list */ const char *header_name; @@ -56,17 +48,6 @@ typedef struct { * with the most commonly encountered listed first */ apr_array_header_t *proxymatch_ip; - - remoteip_addr_info *proxy_protocol_enabled; - remoteip_addr_info *proxy_protocol_optional; - remoteip_addr_info *proxy_protocol_disabled; - - /** A flag indicating whether or not proxyprotocol - * is optoinal for this specific server - */ - int pp_optional; - - apr_pool_t *pool; } remoteip_config_t; typedef struct { @@ -78,92 +59,12 @@ typedef struct { const char *proxied_remote; } remoteip_req_t; -/* For PROXY protocol processing */ -static const char *remoteip_filter_name = "REMOTEIP_INPUT"; - -typedef struct { - char line[108]; -} proxy_v1; - -typedef union { - struct { /* for TCP/UDP over IPv4, len = 12 */ - apr_uint32_t src_addr; - apr_uint32_t dst_addr; - apr_uint16_t src_port; - apr_uint16_t dst_port; - } ip4; - struct { /* for TCP/UDP over IPv6, len = 36 */ - apr_byte_t src_addr[16]; - apr_byte_t dst_addr[16]; - apr_uint16_t src_port; - apr_uint16_t dst_port; - } ip6; - struct { /* for AF_UNIX sockets, len = 216 */ - apr_byte_t src_addr[108]; - apr_byte_t dst_addr[108]; - } unx; -} proxy_v2_addr; - -typedef struct { - apr_byte_t sig[12]; /* hex 0D 0A 0D 0A 00 0D 0A 51 55 49 54 0A */ - apr_byte_t ver_cmd; /* protocol version and command */ - apr_byte_t fam; /* protocol family and address */ - apr_uint16_t len; /* number of following bytes part of the header */ - proxy_v2_addr addr; -} proxy_v2; - -typedef union { - proxy_v1 v1; - proxy_v2 v2; -} proxy_header; - -static const char v2sig[12] = "\x0D\x0A\x0D\x0A\x00\x0D\x0A\x51\x55\x49\x54\x0A"; -#define MIN_V1_HDR_LEN 15 -#define MIN_V2_HDR_LEN 16 -#define MIN_HDR_LEN MIN_V1_HDR_LEN - -/* XXX: Unsure if this is needed if v6 support is not available on - this platform */ -#ifndef INET6_ADDRSTRLEN -#define INET6_ADDRSTRLEN 46 -#endif - -typedef struct { - char header[sizeof(proxy_header)]; - apr_size_t rcvd; - apr_size_t need; - int version; - ap_input_mode_t mode; - apr_bucket_brigade *bb; - int done; -} remoteip_filter_context; - -/** Holds the resolved proxy info for this connection and any addition - configurable parameters -*/ -typedef struct { - /** The parsed client address in native format */ - apr_sockaddr_t *client_addr; - /** Character representation of the client */ - char *client_ip; - /** Flag indicating that the PROXY header may be omitted on this - connection (do not abort if it is missing). */ - int proxy_protocol_optional; -} remoteip_conn_config_t; - -typedef enum { HDR_DONE, HDR_ERROR, HDR_MISSING, HDR_NEED_MORE } remoteip_parse_status_t; - static void *create_remoteip_server_config(apr_pool_t *p, server_rec *s) { remoteip_config_t *config = apr_pcalloc(p, sizeof *config); /* config->header_name = NULL; * config->proxies_header_name = NULL; */ - config->proxy_protocol_enabled = NULL; - config->proxy_protocol_optional = NULL; - config->proxy_protocol_disabled = NULL; - config->pp_optional = 0; - config->pool = p; return config; } @@ -184,9 +85,6 @@ static void *merge_remoteip_server_config(apr_pool_t *p, void *globalv, config->proxymatch_ip = server->proxymatch_ip ? server->proxymatch_ip : global->proxymatch_ip; - config->pp_optional = server->pp_optional - ? server->pp_optional - : global->pp_optional; return config; } @@ -317,184 +215,13 @@ static const char *proxylist_read(cmd_parms *cmd, void *cfg, return NULL; } -/** Similar apr_sockaddr_equal, except that it compares ports too. */ -static int remoteip_sockaddr_equal(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) -{ - return (addr1->port == addr2->port && apr_sockaddr_equal(addr1, addr2)); -} - -/** Similar remoteip_sockaddr_equal, except that it handles wildcard addresses - * and ports too. - */ -static int remoteip_sockaddr_compat(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) -{ - /* test exact address equality */ - if (apr_sockaddr_equal(addr1, addr2) && - (addr1->port == addr2->port || addr1->port == 0 || addr2->port == 0)) { - return 1; - } - - /* test address wildcards */ - if (apr_sockaddr_is_wildcard(addr1) && - (addr1->port == 0 || addr1->port == addr2->port)) { - return 1; - } - - if (apr_sockaddr_is_wildcard(addr2) && - (addr2->port == 0 || addr2->port == addr1->port)) { - return 1; - } - - return 0; -} - -static int remoteip_addr_in_list(remoteip_addr_info *list, apr_sockaddr_t *addr) -{ - for (; list; list = list->next) { - if (remoteip_sockaddr_compat(list->addr, addr)) { - return 1; - } - } - - return 0; -} - -static void remoteip_warn_enable_conflict(remoteip_addr_info *prev, server_rec *new, const char* arg) -{ - char buf[INET6_ADDRSTRLEN]; - - apr_sockaddr_ip_getbuf(buf, sizeof(buf), prev->addr); - - ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, new, APLOGNO(03491) - "RemoteIPProxyProtocolEnable: previous setting for %s:%hu from virtual " - "host {%s:%hu in %s} is being overriden by virtual host " - "{%s:%hu in %s}; new setting is '%s'", - buf, prev->addr->port, prev->source->server_hostname, - prev->source->addrs->host_port, prev->source->defn_name, - new->server_hostname, new->addrs->host_port, new->defn_name, - arg); -} - -static const char *remoteip_enable_proxy_protocol(cmd_parms *cmd, void *config, - const char *arg) -{ - remoteip_config_t *global_conf; - remoteip_config_t *server_conf; - server_addr_rec *addr; - remoteip_addr_info **add; - int list_len = 2; - remoteip_addr_info **rem_list[list_len]; - remoteip_addr_info *list; - int i; - - global_conf = ap_get_module_config(ap_server_conf->module_config, - &remoteip_module); - server_conf = ap_get_module_config(cmd->server->module_config, - &remoteip_module); - - if (strcasecmp(arg, "On") == 0) { - add = &global_conf->proxy_protocol_enabled; - rem_list[0] = &global_conf->proxy_protocol_optional; - rem_list[1] = &global_conf->proxy_protocol_disabled; - } - else if (strcasecmp(arg, "Optional") == 0) { - add = &global_conf->proxy_protocol_optional; - rem_list[0] = &global_conf->proxy_protocol_enabled; - rem_list[1] = &global_conf->proxy_protocol_disabled; - server_conf->pp_optional = 1; - } - else if (strcasecmp(arg, "Off") == 0 ) { - add = &global_conf->proxy_protocol_disabled; - rem_list[0] = &global_conf->proxy_protocol_enabled; - rem_list[1] = &global_conf->proxy_protocol_optional; - } - else { - return apr_pstrcat(cmd->pool, "Unrecognized option for ProxyProtocolEnable `%s'", arg, NULL); - } - - for (addr = cmd->server->addrs; addr; addr = addr->next) { - /* remove address from other lists */ - for (i = 0; i < list_len ; i++) { - remoteip_addr_info **rem = rem_list[i]; - if (*rem) { - if (remoteip_sockaddr_equal((*rem)->addr, addr->host_addr)) { - remoteip_warn_enable_conflict(*rem, cmd->server, arg); - *rem = (*rem)->next; - } - else { - for (list = *rem; list->next; list = list->next) { - if (remoteip_sockaddr_equal(list->next->addr, addr->host_addr)) { - remoteip_warn_enable_conflict(list->next, cmd->server, arg); - list->next = list->next->next; - break; - } - } - } - } - } - - /* add address to desired list */ - if (!remoteip_addr_in_list(*add, addr->host_addr)) { - remoteip_addr_info *info = apr_palloc(global_conf->pool, sizeof(*info)); - info->addr = addr->host_addr; - info->source = cmd->server; - info->next = *add; - *add = info; - } - } - - return NULL; -} - -static int remoteip_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog, - apr_pool_t *ptemp) -{ - remoteip_config_t *config = (remoteip_config_t *) - create_remoteip_server_config(pconf, NULL); - ap_set_module_config(ap_server_conf->module_config, &remoteip_module, - config); - - return OK; -} - -static int remoteip_hook_post_config(apr_pool_t *pconf, apr_pool_t *plog, - apr_pool_t *ptemp, server_rec *s) -{ - remoteip_config_t *conf; - remoteip_addr_info *info; - char buf[INET6_ADDRSTRLEN]; - - conf = ap_get_module_config(ap_server_conf->module_config, - &remoteip_module); - - for (info = conf->proxy_protocol_enabled; info; info = info->next) { - apr_sockaddr_ip_getbuf(buf, sizeof(buf), info->addr); - ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(03492) - "RemoteIPProxyProtocol: enabled on %s:%hu", buf, info->addr->port); - } - for (info = conf->proxy_protocol_optional; info; info = info->next) { - apr_sockaddr_ip_getbuf(buf, sizeof(buf), info->addr); - ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(03493) - "RemoteIPProxyProtocol: optional on %s:%hu", buf, info->addr->port); - } - for (info = conf->proxy_protocol_disabled; info; info = info->next) { - apr_sockaddr_ip_getbuf(buf, sizeof(buf), info->addr); - ap_log_error(APLOG_MARK, APLOG_NOTICE, 0, s, APLOGNO(03494) - "RemoteIPProxyProtocol: disabled on %s:%hu", buf, info->addr->port); - } - - return OK; -} - static int remoteip_modify_request(request_rec *r) { conn_rec *c = r->connection; remoteip_config_t *config = (remoteip_config_t *) ap_get_module_config(r->server->module_config, &remoteip_module); - remoteip_conn_config_t *conn_config = (remoteip_conn_config_t *) - ap_get_module_config(r->connection->conn_config, &remoteip_module); - remoteip_req_t *req = NULL; + apr_sockaddr_t *temp_sa; apr_status_t rv; @@ -510,37 +237,10 @@ static int remoteip_modify_request(request_rec *r) */ void *internal = NULL; - /* No header defined or results from our input filter */ - if (!config->header_name && !conn_config) { + if (!config->header_name) { return DECLINED; } - /* Easy parsing case - just position the data we already have from PROXY - protocol handling allowing it to take precedence and return - */ - if (conn_config) { - /* We may have gotten here if processing was optional - check for that */ - if (!conn_config->client_addr) { - if (config->pp_optional) { - ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(03495) - "RemoteIPProxyProtocol data is missing, but was optional. Allowing request."); - return OK; - } - else { - ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(03496) - "RemoteIPProxyProtocol data is missing, but required! Aborting request."); - return HTTP_BAD_REQUEST; - } - } - - r->useragent_addr = conn_config->client_addr; - r->useragent_ip = conn_config->client_ip; - - ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, - "Using %s as client's IP from PROXY protocol", r->useragent_ip); - return OK; - } - if (config->proxymatch_ip) { /* This indicates that a RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy or RemoteIPTrustedProxyList directive is configured. @@ -724,464 +424,6 @@ static int remoteip_modify_request(request_rec *r) return OK; } -static int remoteip_is_server_port(apr_port_t port) -{ - ap_listen_rec *lr; - - for (lr = ap_listeners; lr; lr = lr->next) { - if (lr->bind_addr && lr->bind_addr->port == port) { - return 1; - } - } - - return 0; -} - -/* - * Human readable format: - * PROXY {TCP4|TCP6|UNKNOWN} - */ -static remoteip_parse_status_t remoteip_process_v1_header(conn_rec *c, - remoteip_conn_config_t *conn_conf, - proxy_header *hdr, apr_size_t len, - apr_size_t *hdr_len) -{ - char *end, *word, *host, *valid_addr_chars, *saveptr; - char buf[sizeof(hdr->v1.line)]; - apr_port_t port; - apr_status_t ret; - apr_int32_t family; - -#define GET_NEXT_WORD(field) \ - word = apr_strtok(NULL, " ", &saveptr); \ - if (!word) { \ - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03497) \ - "RemoteIPProxyProtocol: no " field " found in header '%s'", \ - hdr->v1.line); \ - return HDR_ERROR; \ - } - - end = memchr(hdr->v1.line, '\r', len - 1); - if (!end || end[1] != '\n') { - return HDR_NEED_MORE; /* partial or invalid header */ - } - - *end = '\0'; - *hdr_len = end + 2 - hdr->v1.line; /* skip header + CRLF */ - - /* parse in separate buffer so have the original for error messages */ - strcpy(buf, hdr->v1.line); - - apr_strtok(buf, " ", &saveptr); - - /* parse family */ - GET_NEXT_WORD("family") - if (strcmp(word, "UNKNOWN") == 0) { - conn_conf->client_addr = c->client_addr; - conn_conf->client_ip = c->client_ip; - return HDR_DONE; - } - else if (strcmp(word, "TCP4") == 0) { - family = APR_INET; - valid_addr_chars = "0123456789."; - } - else if (strcmp(word, "TCP6") == 0) { -#if APR_HAVE_IPV6 - family = APR_INET6; - valid_addr_chars = "0123456789abcdefABCDEF:"; -#else - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03498) - "RemoteIPProxyProtocol: Unable to parse v6 address - APR is not compiled with IPv6 support", - word, hdr->v1.line); - return HDR_ERROR; -#endif - } - else { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03499) - "RemoteIPProxyProtocol: unknown family '%s' in header '%s'", - word, hdr->v1.line); - return HDR_ERROR; - } - - /* parse client-addr */ - GET_NEXT_WORD("client-address") - - if (strspn(word, valid_addr_chars) != strlen(word)) { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03500) - "RemoteIPProxyProtocol: invalid client-address '%s' found in " - "header '%s'", word, hdr->v1.line); - return HDR_ERROR; - } - - host = word; - - /* parse dest-addr */ - GET_NEXT_WORD("destination-address") - - /* parse client-port */ - GET_NEXT_WORD("client-port") - if (sscanf(word, "%hu", &port) != 1) { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03501) - "RemoteIPProxyProtocol: error parsing port '%s' in header '%s'", - word, hdr->v1.line); - return HDR_ERROR; - } - - /* parse dest-port */ - /* GET_NEXT_WORD("destination-port") - no-op since we don't care about it */ - - /* create a socketaddr from the info */ - ret = apr_sockaddr_info_get(&conn_conf->client_addr, host, family, port, 0, - c->pool); - if (ret != APR_SUCCESS) { - conn_conf->client_addr = NULL; - ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, c, APLOGNO(03502) - "RemoteIPProxyProtocol: error converting family '%d', host '%s'," - " and port '%hu' to sockaddr; header was '%s'", - family, host, port, hdr->v1.line); - return HDR_ERROR; - } - - conn_conf->client_ip = apr_pstrdup(c->pool, host); - - return HDR_DONE; -} - -/** Add our filter to the connection if it is requested - */ -static int remoteip_hook_pre_connection(conn_rec *c, void *csd) -{ - remoteip_config_t *conf; - remoteip_conn_config_t *conn_conf; - int optional; - - conf = ap_get_module_config(ap_server_conf->module_config, - &remoteip_module); - - /* Used twice - do the check only once */ - optional = remoteip_addr_in_list(conf->proxy_protocol_optional, c->local_addr); - - /* check if we're enabled for this connection */ - if ((!remoteip_addr_in_list(conf->proxy_protocol_enabled, c->local_addr) - && !optional ) - || remoteip_addr_in_list(conf->proxy_protocol_disabled, c->local_addr)) { - return DECLINED; - } - - /* mod_proxy creates outgoing connections - we don't want those */ - if (!remoteip_is_server_port(c->local_addr->port)) { - return DECLINED; - } - - /* add our filter */ - if (!ap_add_input_filter(remoteip_filter_name, NULL, NULL, c)) { - /* XXX: Shouldn't this WARN in log? */ - return DECLINED; - } - - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, c, APLOGNO(03503) - "RemoteIPProxyProtocol: enabled on connection to %s:%hu", - c->local_ip, c->local_addr->port); - - /* this holds the resolved proxy info for this connection */ - conn_conf = apr_pcalloc(c->pool, sizeof(*conn_conf)); - - /* Propagate the optional flag so the connection handler knows not to - abort if the header is mising. NOTE: This means we must check after - we read the request that the header was NOT optional, too. - */ - conn_conf->proxy_protocol_optional = optional; - - ap_set_module_config(c->conn_config, &remoteip_module, conn_conf); - - return OK; -} - -/* Binary format: - * - * sig = \x0D \x0A \x0D \x0A \x00 \x0D \x0A \x51 \x55 \x49 \x54 \x0A - * cmd = <4-bits-version><4-bits-command> - * 4-bits-version = \x02 - * 4-bits-command = {\x00|\x01} (\x00 = LOCAL: discard con info; \x01 = PROXY) - * proto = <4-bits-family><4-bits-protocol> - * 4-bits-family = {\x00|\x01|\x02|\x03} (AF_UNSPEC, AF_INET, AF_INET6, AF_UNIX) - * 4-bits-protocol = {\x00|\x01|\x02} (UNSPEC, STREAM, DGRAM) - */ -static remoteip_parse_status_t remoteip_process_v2_header(conn_rec *c, - remoteip_conn_config_t *conn_conf, - proxy_header *hdr) -{ - apr_status_t ret; - - switch (hdr->v2.ver_cmd & 0xF) { - case 0x01: /* PROXY command */ - switch (hdr->v2.fam) { - case 0x11: /* TCPv4 */ - ret = apr_sockaddr_info_get(&conn_conf->client_addr, NULL, - APR_INET, - ntohs(hdr->v2.addr.ip4.src_port), - 0, c->pool); - if (ret != APR_SUCCESS) { - conn_conf->client_addr = NULL; - ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, c, APLOGNO(03504) - "RemoteIPPProxyProtocol: error creating sockaddr"); - return HDR_ERROR; - } - - conn_conf->client_addr->sa.sin.sin_addr.s_addr = - hdr->v2.addr.ip4.src_addr; - break; - - case 0x21: /* TCPv6 */ -#if APR_HAVE_IPV6 - ret = apr_sockaddr_info_get(&conn_conf->client_addr, NULL, - APR_INET6, - ntohs(hdr->v2.addr.ip6.src_port), - 0, c->pool); - if (ret != APR_SUCCESS) { - conn_conf->client_addr = NULL; - ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, c, APLOGNO(03505) - "RemoteIPProxyProtocol: error creating sockaddr"); - return HDR_ERROR; - } - memcpy(&conn_conf->client_addr->sa.sin6.sin6_addr.s6_addr, - hdr->v2.addr.ip6.src_addr, 16); - break; -#else - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03506) - "RemoteIPProxyProtocol: APR is not compiled with IPv6 support"); - return HDR_ERROR; -#endif - default: - /* unsupported protocol, keep local connection address */ - return HDR_DONE; - } - break; /* we got a sockaddr now */ - - case 0x00: /* LOCAL command */ - /* keep local connection address for LOCAL */ - return HDR_DONE; - - default: - /* not a supported command */ - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(03507) - "RemoteIPProxyProtocol: unsupported command %.2hx", - (unsigned short)hdr->v2.ver_cmd); - return HDR_ERROR; - } - - /* got address - compute the client_ip from it */ - ret = apr_sockaddr_ip_get(&conn_conf->client_ip, conn_conf->client_addr); - if (ret != APR_SUCCESS) { - conn_conf->client_addr = NULL; - ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, c, APLOGNO(03508) - "RemoteIPProxyProtocol: error converting address to string"); - return HDR_ERROR; - } - - return HDR_DONE; -} - -/** Determine if this is a v1 or v2 PROXY header. - */ -static int remoteip_determine_version(conn_rec *c, const char *ptr) -{ - proxy_header *hdr = (proxy_header *) ptr; - - /* assert len >= 14 */ - - if (memcmp(&hdr->v2, v2sig, sizeof(v2sig)) == 0 && - (hdr->v2.ver_cmd & 0xF0) == 0x20) { - return 2; - } - else if (memcmp(hdr->v1.line, "PROXY ", 6) == 0) { - return 1; - } - else { - return -1; - } -} - -/* Capture the first bytes on the protocol and parse the proxy protocol header. - * Removes itself when the header is complete. - */ -static apr_status_t remoteip_input_filter(ap_filter_t *f, - apr_bucket_brigade *bb_out, - ap_input_mode_t mode, - apr_read_type_e block, - apr_off_t readbytes) -{ - apr_status_t ret; - remoteip_filter_context *ctx = f->ctx; - remoteip_conn_config_t *conn_conf; - apr_bucket *b; - remoteip_parse_status_t psts; - const char *ptr; - apr_size_t len; - - if (f->c->aborted) { - return APR_ECONNABORTED; - } - - /* allocate/retrieve the context that holds our header */ - if (!ctx) { - ctx = f->ctx = apr_palloc(f->c->pool, sizeof(*ctx)); - ctx->rcvd = 0; - ctx->need = MIN_HDR_LEN; - ctx->version = 0; - ctx->mode = AP_MODE_READBYTES; - ctx->bb = apr_brigade_create(f->c->pool, f->c->bucket_alloc); - ctx->done = 0; - } - - if (ctx->done) { - /* Note: because we're a connection filter we can't remove ourselves - * when we're done, so we have to stay in the chain and just go into - * passthrough mode. - */ - return ap_get_brigade(f->next, bb_out, mode, block, readbytes); - } - - conn_conf = ap_get_module_config(f->c->conn_config, &remoteip_module); - - /* try to read a header's worth of data */ - while (!ctx->done) { - if (APR_BRIGADE_EMPTY(ctx->bb)) { - ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, - ctx->need - ctx->rcvd); - if (ret != APR_SUCCESS) { - return ret; - } - } - if (APR_BRIGADE_EMPTY(ctx->bb)) { - return APR_EOF; - } - - while (!ctx->done && !APR_BRIGADE_EMPTY(ctx->bb)) { - b = APR_BRIGADE_FIRST(ctx->bb); - - ret = apr_bucket_read(b, &ptr, &len, block); - if (APR_STATUS_IS_EAGAIN(ret) && block == APR_NONBLOCK_READ) { - return APR_SUCCESS; - } - if (ret != APR_SUCCESS) { - return ret; - } - - memcpy(ctx->header + ctx->rcvd, ptr, len); - ctx->rcvd += len; - - /* Remove instead of delete - we may put this bucket - back into bb_out if the header was optional and we - pass down the chain */ - APR_BUCKET_REMOVE(b); - psts = HDR_NEED_MORE; - - if (ctx->version == 0) { - /* reading initial chunk */ - if (ctx->rcvd >= MIN_HDR_LEN) { - ctx->version = remoteip_determine_version(f->c, ctx->header); - if (ctx->version < 0) { - psts = HDR_MISSING; - } - else if (ctx->version == 1) { - ctx->mode = AP_MODE_GETLINE; - ctx->need = sizeof(proxy_v1); - } - else if (ctx->version == 2) { - ctx->need = MIN_V2_HDR_LEN; - } - } - } - else if (ctx->version == 1) { - psts = remoteip_process_v1_header(f->c, conn_conf, - (proxy_header *) ctx->header, - ctx->rcvd, &ctx->need); - } - else if (ctx->version == 2) { - if (ctx->rcvd >= MIN_V2_HDR_LEN) { - ctx->need = MIN_V2_HDR_LEN + - ntohs(((proxy_header *) ctx->header)->v2.len); - } - if (ctx->rcvd >= ctx->need) { - psts = remoteip_process_v2_header(f->c, conn_conf, - (proxy_header *) ctx->header); - } - } - else { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(03509) - "RemoteIPProxyProtocol: internal error: unknown version " - "%d", ctx->version); - f->c->aborted = 1; - apr_bucket_delete(b); - apr_brigade_destroy(ctx->bb); - return APR_ECONNABORTED; - } - - switch (psts) { - case HDR_MISSING: - if (conn_conf->proxy_protocol_optional) { - /* Same as DONE, but don't delete the bucket. Rather, put it - back into the brigade and move the request along the stack */ - ctx->done = 1; - APR_BRIGADE_INSERT_HEAD(bb_out, b); - return ap_pass_brigade(f->next, ctx->bb); - } - else { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(03510) - "RemoteIPProxyProtocol: no valid PROXY header found"); - /* fall through to error case */ - } - case HDR_ERROR: - f->c->aborted = 1; - apr_bucket_delete(b); - apr_brigade_destroy(ctx->bb); - return APR_ECONNABORTED; - - case HDR_DONE: - apr_bucket_delete(b); - ctx->done = 1; - break; - - case HDR_NEED_MORE: - /* It is safe to delete this bucket if we get here since we know - that we are definitely processing a header (we've read enough to - know if the signatures exist on the line) */ - apr_bucket_delete(b); - break; - } - } - } - - /* we only get here when done == 1 */ - if (psts == HDR_DONE) { - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, f->c, APLOGNO(03511) - "RemoteIPProxyProtocol: received valid PROXY header: %s:%hu", - conn_conf->client_ip, conn_conf->client_addr->port); - } - else { - ap_log_cerror(APLOG_MARK, APLOG_DEBUG, 0, f->c, APLOGNO(03512) - "RemoteIPProxyProtocol: PROXY header was missing"); - } - - if (ctx->rcvd > ctx->need || !APR_BRIGADE_EMPTY(ctx->bb)) { - ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(03513) - "RemoteIPProxyProtocol: internal error: have data left over; " - " need=%lu, rcvd=%lu, brigade-empty=%d", ctx->need, - ctx->rcvd, APR_BRIGADE_EMPTY(ctx->bb)); - f->c->aborted = 1; - apr_brigade_destroy(ctx->bb); - return APR_ECONNABORTED; - } - - /* clean up */ - apr_brigade_destroy(ctx->bb); - ctx->bb = NULL; - - /* now do the real read for the upper layer */ - return ap_get_brigade(f->next, bb_out, mode, block, readbytes); -} - static const command_rec remoteip_cmds[] = { AP_INIT_TAKE1("RemoteIPHeader", header_name_set, NULL, RSRC_CONF, @@ -1205,21 +447,11 @@ static const command_rec remoteip_cmds[] = RSRC_CONF | EXEC_ON_READ, "The filename to read the list of internal proxies, " "see the RemoteIPInternalProxy directive"), - AP_INIT_TAKE1("RemoteIPProxyProtocolEnable", remoteip_enable_proxy_protocol, NULL, - RSRC_CONF, "Enable proxy-protocol handling (`on', `off')"), { NULL } }; static void register_hooks(apr_pool_t *p) { - /* mod_ssl is CONNECTION + 5, so we want something higher (earlier); - * mod_reqtimeout is CONNECTION + 8, so we want something lower (later) */ - ap_register_input_filter(remoteip_filter_name, remoteip_input_filter, NULL, - AP_FTYPE_CONNECTION + 7); - - ap_hook_pre_config(remoteip_hook_pre_config, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_post_config(remoteip_hook_post_config, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_pre_connection(remoteip_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_post_read_request(remoteip_modify_request, NULL, NULL, APR_HOOK_FIRST); } -- 2.40.0