| blob | 0364f31f300170b58d21689fdbf54b50c2de3303 |
13 #include <stdlib.h>
14 #include <string.h>
15 #include <errno.h>
19 /**
20 * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
21 * extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
22 * support chained proxies by glen@delfi.ee, #1528
23 *
24 * Config example:
25 *
26 * Trust proxy 10.0.0.232 and 10.0.0.232
27 * extforward.forwarder = ( "10.0.0.232" => "trust",
28 * "10.0.0.233" => "trust" )
29 *
30 * Trust all proxies (NOT RECOMMENDED!)
31 * extforward.forwarder = ( "all" => "trust")
32 *
33 * Note that "all" has precedence over specific entries,
34 * so "all except" setups will not work.
35 *
36 * In case you have chained proxies, you can add all their IP's to the
37 * config. However "all" has effect only on connecting IP, as the
38 * X-Forwarded-For header can not be trusted.
39 *
40 * Note: The effect of this module is variable on $HTTP["remotip"] directives and
41 * other module's remote ip dependent actions.
42 * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
43 * Things done in between these two moments will match on the real client's IP.
44 * The moment things are done by a module depends on in which hook it does things and within the same hook
45 * on whether they are before/after us in the module loading order
46 * (order in the server.modules directive in the config file).
47 *
48 * Tested behaviours:
49 *
50 * mod_access: Will match on the real client.
51 *
52 * mod_accesslog:
53 * In order to see the "real" ip address in access log ,
54 * you'll have to load mod_extforward after mod_accesslog.
55 * like this:
56 *
57 * server.modules = (
58 * .....
59 * mod_accesslog,
60 * mod_extforward
61 * )
62 */
65 /* plugin config for all request/connections */
86 PLUGIN_DATA;
90 plugin_config conf;
97 /* context , used for restore remote ip */
100 /* per-request state */
101 sock_addr saved_remote_addr;
104 /* hap-PROXY protocol prior to receiving first request */
107 /* connection-level state applied to requests in handle_request_env */
117 }
121 }
123 /* init the plugin data */
129 }
131 /* destroy the plugin data */
152 }
154 }
160 }
162 /* handle plugin config and check values */
168 config_values_t cv[] = {
173 { "extforward.hap-PROXY-ssl-client-verify", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
175 };
199 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
201 }
207 }
213 }
215 /* default to "X-Forwarded-For" or "Forwarded-For" if extforward.headers not specified or empty */
216 if (!s->hap_PROXY && 0 == s->headers->used && (0 == i || NULL != array_get_element(config->value, "extforward.headers"))) {
224 }
230 }
232 proxy_forwarded_t param;
240 #endif
243 #if 0
246 #endif
253 }
262 }
270 }
271 }
272 }
274 /* attempt to warn if mod_extforward is not last module loaded to hook
275 * handle_connection_accept. (Nice to have, but remove this check if
276 * it reaches too far into internals and prevents other code changes.)
277 * While it would be nice to check connection_handle_accept plugin slot
278 * to make sure mod_extforward is last, that info is private to plugin.c
279 * so merely warn if mod_openssl is loaded after mod_extforward, though
280 * future modules which hook connection_handle_accept might be missed.*/
289 }
290 }
295 "mod_extforward must be loaded after mod_openssl in server.modules when extforward.hap-PROXY = \"enable\"");
297 }
298 }
300 }
301 }
308 }
309 }
312 }
314 #define PATCH(x) \
315 p->conf.x = s->x;
326 /* skip the first, the global context */
331 /* condition didn't match */
334 /* merge config */
346 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY-ssl-client-verify"))) {
348 }
349 }
350 }
353 }
354 #undef PATCH
358 {
365 }
366 /*
367 extract a forward array from the environment
368 */
370 {
374 /* state variable, 0 means not in string, 1 means in string */
378 if ((*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' && (*curr < 'a' || *curr > 'f') && (*curr < 'A' || *curr > 'F')) {
379 /* found an separator , insert value into result array */
381 /* change state to not in string */
383 }
385 if ((*curr >= '0' && *curr <= '9') || *curr == ':' || (*curr >= 'a' && *curr <= 'f') || (*curr >= 'A' && *curr <= 'F')) {
386 /* found leading char of an IP address, move base pointer and change state */
389 }
390 }
391 }
392 /* if breaking out while in str, we got to the end of string, so add it */
395 }
396 }
398 }
400 #define IP_TRUSTED 1
401 #define IP_UNTRUSTED 0
402 /*
403 * check whether ip is trusted, return 1 for trusted , 0 for untrusted
404 */
406 {
414 }
415 }
417 return (data_string *)array_get_element_klen(p->conf.forwarder, CONST_BUF_LEN(ipstr)) ? IP_TRUSTED : IP_UNTRUSTED;
418 }
420 /*
421 * Return last address of proxy that is not trusted.
422 * Do not accept "all" keyword here.
423 */
425 {
433 }
434 }
436 }
438 static int mod_extforward_set_addr(server *srv, connection *con, plugin_data *p, const char *addr) {
439 sock_addr sock;
444 }
450 /* we found the remote address, modify current connection and save the old address */
456 }
461 }
464 }
465 /* save old address */
467 array_set_key_value(con->environment, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_FOR"), CONST_BUF_LEN(con->dst_addr_buf));
468 }
471 /* patch connection address */
478 }
480 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
484 }
486 static void mod_extforward_set_proto(server *srv, connection *con, const char *proto, size_t protolen) {
488 /* update scheme if X-Forwarded-Proto is set
489 * Limitations:
490 * - Only "http" or "https" are currently accepted since the request to lighttpd currently has to
491 * be HTTP/1.0 or HTTP/1.1 using http or https. If this is changed, then the scheme from this
492 * untrusted header must be checked to contain only alphanumeric characters, and to be a
493 * reasonable length, e.g. < 256 chars.
494 * - con->uri.scheme is not reset in mod_extforward_restore() but is currently not an issues since
495 * con->uri.scheme will be reset by next request. If a new module uses con->uri.scheme in the
496 * handle_request_done hook, then should evaluate if that module should use the forwarded value
497 * (probably) or the original value.
498 */
500 array_set_key_value(con->environment, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_PROTO"), CONST_BUF_LEN(con->uri.scheme));
501 }
508 }
509 }
510 }
512 static handler_t mod_extforward_X_Forwarded_For(server *srv, connection *con, plugin_data *p, buffer *x_forwarded_for) {
513 /* build forward_array from forwarded data_string */
517 /* get scheme if X-Forwarded-Proto is set
518 * Limitations:
519 * - X-Forwarded-Proto may or may not be set by proxies, even if X-Forwarded-For is set
520 * - X-Forwarded-Proto may be a comma-separated list if there are multiple proxies,
521 * but the historical behavior of the code below only honored it if there was exactly one value
522 * (not done: walking backwards in X-Forwarded-Proto the same num of steps
523 * as in X-Forwarded-For to find proto set by last trusted proxy)
524 */
525 data_string *x_forwarded_proto = (data_string *)array_get_element(con->request.headers, "X-Forwarded-Proto");
528 }
529 }
532 }
539 }
546 }
547 }
549 }
556 }
557 }
559 }
562 /* (future: might move to buffer.c) */
573 }
575 }
578 }
580 static handler_t mod_extforward_Forwarded (server *srv, connection *con, plugin_data *p, buffer *forwarded) {
581 /* HTTP list need not consist of param=value tokens,
582 * but this routine expect such for HTTP Forwarded header
583 * Since info in each set of params is only used if from
584 * admin-specified trusted proxy:
585 * - invalid param=value tokens are ignored and skipped
586 * - not checking "for" exists in each set of params
587 * - not checking for duplicated params in each set of params
588 * - not checking canonical form of addr (also might be obfuscated)
589 * - obfuscated tokens permitted in chain, though end of trust is expected
590 * to be non-obfuscated IP for mod_extforward to masquerade as remote IP
591 * future: since (potentially) trusted proxies begin at end of string,
592 * it might be better to parse from end of string rather than parsing from
593 * beginning. Doing so would also allow reducing arbitrary param limit
594 * to number of params permitted per proxy.
595 */
609 }
615 /*(reject IP spoofing if attacker sets improper quoted-string)*/
621 }
627 /*(reject IP spoofing if attacker sets improper quoted-string)*/
633 }
636 /* have k, klen, v, vlen
637 * (might contain quoted string) (contents not validated or decoded)
638 * (might be repeated k)
639 */
647 }
650 /* error processing Forwarded; too many params; fail closed */
656 }
672 /* remove trailing spaces/tabs and double-quotes from string
673 * (note: not unescaping backslash escapes in quoted string) */
681 /* remove "[]" surrounding IPv6, as well as (optional) port
682 * (assumes properly formatted IPv6 addr from trusted proxy) */
691 }
692 }
694 /* remove (optional) port from non-obfuscated IPv4 */
696 }
698 }
701 /* obfuscated ipstr and obfuscated port are also accepted here, as
702 * is path to unix domain socket, but note that backslash escapes
703 * in quoted-string were not unescaped above. Also, if obfuscated
704 * identifiers are rotated by proxies as recommended by RFC, then
705 * maintaining list of trusted identifiers is non-trivial and is not
706 * attempted by this module. */
714 }
717 }
722 }
725 /* C funcs getaddrinfo(), inet_addr() require '\0'-terminated IP str */
733 }
736 }
738 /* parse out params associated with for=<ip> addr set above */
746 #if 0
751 #endif
752 #if 0
753 /*(already handled above to find IP prior to earliest trusted proxy)*/
758 #endif
773 }
774 }
778 /* remove trailing spaces/tabs, and double-quotes from proto
779 * (note: not unescaping backslash escapes in quoted string) */
785 }
788 /* Limitations:
789 * - con->request.http_host is not reset in mod_extforward_restore()
790 * but is currently not an issues since con->request.http_host will be
791 * reset by next request. If a new module uses con->request.http_host
792 * in the handle_request_done hook, then should evaluate if that
793 * module should use the forwarded value (probably) or original value.
794 * - due to need to decode and unescape host=..., some extra work is
795 * done in the case where host matches current Host header.
796 * future: might add code to check if Host has actually changed or not
797 *
798 * note: change host after mod_extforward_set_proto() since that may
799 * affect scheme port used in http_request_host_policy() host
800 * normalization
801 */
803 /* find host param set by earliest trusted proxy in proxy chain
804 * (host might be changed anywhere along the chain) */
811 }
818 }
819 /* remove trailing spaces/tabs, and double-quotes from host */
832 }
833 }
836 }
840 /*(reject invalid chars in Host)*/
846 }
849 }
850 }
853 /* find remote_user param set by closest proxy
854 * (auth may have been handled by any trusted proxy in proxy chain) */
861 }
863 /* ???: should we also support param for auth_type ??? */
864 /* remove trailing spaces/tabs, and double-quotes from remote_user*/
882 }
883 }
887 }
888 }
889 }
891 #if 0
894 /* create X-Forwarded-For if not present
895 * (and at least original connecting IP is a trusted proxy) */
909 /* quoted-string, IPv6 brackets, and :port already removed */
921 }
923 }
924 }
925 /* skip to next group; take first "for=..." in group
926 * (should be 0 or 1 "for=..." per group, but not trusted) */
930 }
932 }
933 }
934 #endif
937 }
949 }
968 }
969 }
972 forwarded = (data_string *) array_get_element_klen(con->request.headers, CONST_BUF_LEN(((data_string *)p->conf.headers->data[k])->value));
973 }
977 }
980 }
982 /* if the remote ip itself is not trusted, then do nothing */
987 }
990 }
994 }
997 }
1006 /* note: replaces values which may have been set by mod_openssl
1007 * (when mod_extforward is listed after mod_openssl in server.modules)*/
1011 }
1013 }
1025 }
1032 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
1034 }
1039 }
1042 }
1046 {
1053 }
1058 }
1061 }
1064 }
1067 }
1070 static int mod_extforward_network_read (server *srv, connection *con, chunkqueue *cq, off_t max_bytes);
1073 {
1082 }
1088 }
1089 }
1091 }
1094 /* this function is called at dlopen() time and inits the callbacks */
1114 }
1119 /* Modified from:
1120 * http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
1121 *
1122 9. Sample code
1124 The code below is an example of how a receiver may deal with both versions of
1125 the protocol header for TCP over IPv4 or IPv6. The function is supposed to be
1126 called upon a read event. Addresses may be directly copied into their final
1127 memory location since they're transported in network byte order. The sending
1128 side is even simpler and can easily be deduced from this sample code.
1129 *
1130 */
1160 };
1162 /*
1163 If the length specified in the PROXY protocol header indicates that additional
1164 bytes are part of the header beyond the address information, a receiver may
1165 choose to skip over and ignore those bytes, or attempt to interpret those
1166 bytes.
1168 The information in those bytes will be arranged in Type-Length-Value (TLV
1169 vectors) in the following format. The first byte is the Type of the vector.
1170 The second two bytes represent the length in bytes of the value (not included
1171 the Type and Length bytes), and following the length field is the number of
1172 bytes specified by the length.
1173 */
1179 };
1181 /*
1182 The following types have already been registered for the <type> field :
1183 */
1185 #define PP2_TYPE_ALPN 0x01
1186 #define PP2_TYPE_AUTHORITY 0x02
1187 #define PP2_TYPE_CRC32C 0x03
1188 #define PP2_TYPE_NOOP 0x04
1189 #define PP2_TYPE_SSL 0x20
1190 #define PP2_SUBTYPE_SSL_VERSION 0x21
1191 #define PP2_SUBTYPE_SSL_CN 0x22
1192 #define PP2_SUBTYPE_SSL_CIPHER 0x23
1193 #define PP2_SUBTYPE_SSL_SIG_ALG 0x24
1194 #define PP2_SUBTYPE_SSL_KEY_ALG 0x25
1195 #define PP2_TYPE_NETNS 0x30
1197 /*
1198 For the type PP2_TYPE_SSL, the value is itselv a defined like this :
1199 */
1205 };
1207 /*
1208 And the <client> field is made of a bit field from the following values,
1209 indicating which element is present :
1210 */
1212 #define PP2_CLIENT_SSL 0x01
1213 #define PP2_CLIENT_CERT_CONN 0x02
1214 #define PP2_CLIENT_CERT_SESS 0x04
1219 #ifndef MSG_DONTWAIT
1220 #define MSG_DONTWAIT 0
1221 #endif
1222 #ifndef MSG_NOSIGNAL
1223 #define MSG_NOSIGNAL 0
1224 #endif
1226 /* returns 0 if needs to poll, <0 upon error or >0 is protocol vers (success) */
1228 {
1232 ssize_t ret;
1242 #ifdef EWOULDBLOCK
1243 #if EAGAIN != EWOULDBLOCK
1245 #endif
1246 #endif
1260 }
1261 }
1268 }
1270 /* Wrong protocol */
1272 }
1274 /* we need to consume the appropriate amount of data from the socket
1275 * (overwrites existing contents of hdr with same data) */
1282 }
1287 {
1288 #ifdef __COVERITY__
1290 #endif
1292 /* samples
1293 * "PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\n"
1294 * "PROXY TCP6 ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
1295 * "PROXY UNKNOWN\r\n"
1296 * "PROXY UNKNOWN ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
1297 */
1309 }
1312 }
1314 }
1318 }
1321 }
1323 /*(strsep() should be fairly portable, but is not standard)*/
1343 /* Forwarded by=... could be saved here.
1344 * (see additional comments in mod_extforward_hap_PROXY_v2()) */
1346 /* re-parse addr to string to normalize
1347 * (instead of trusting PROXY to provide canonicalized src_addr string)
1348 * (should prefer PROXY v2 protocol if concerned about performance) */
1352 }
1357 {
1358 #ifdef __COVERITY__
1360 #endif
1362 /* If HAProxy-PROXY protocol used, then lighttpd acts as transparent proxy,
1363 * masquerading as servicing the client IP provided in by HAProxy-PROXY hdr.
1364 * The connecting con->dst_addr and con->dst_addr_buf are not saved here,
1365 * so that info is lost unless getsockname() and getpeername() are used.
1366 * One result is that mod_proxy will use the masqueraded IP instead of the
1367 * actual IP when updated Forwarded and X-Forwarded-For (but if actual
1368 * connection IPs needed, better to save the info here rather than use
1369 * syscalls to retrieve the info later).
1370 * (Exception: con->dst_addr can be further changed if mod_extforward parses
1371 * Forwaded or X-Forwarded-For request headers later, after request headers
1372 * have been received.)
1373 */
1375 /* Forwarded by=... could be saved here. The by param is for backends to be
1376 * able to construct URIs for that interface (interface on server which
1377 * received request and made PROXY connection here), though that server
1378 * should provide that information in updated Forwarded or X-Forwarded-For
1379 * HTTP headers */
1380 /*struct sockaddr_storage by;*/
1382 /* Addresses provided by HAProxy-PROXY protocol are in network byte order.
1383 * Note: addr info is not validated, so do not accept HAProxy-PROXY
1384 * protocol from untrusted servers. For example, untrusted servers from
1385 * which HAProxy-PROXY protocol is accepted (don't do that) could pretend
1386 * to be from the internal network and might thereby bypass security policy.
1387 */
1389 /* (Clear con->dst_addr with memset() in case actual and proxies IPs
1390 * are different domains, e.g. one is IPv4 and the other is IPv6) */
1400 }
1402 /* PROXY command */
1411 #if 0
1417 #endif
1420 #ifdef HAVE_IPV6
1427 #if 0
1433 #endif
1436 #endif
1437 #ifdef HAVE_SYS_UN_H
1439 {
1448 }
1453 #endif
1456 #endif
1459 }
1461 /* (optional) Type-Length-Value (TLV vectors) follow addresses */
1473 #endif
1483 }
1487 }
1500 /* (tlv_ssl->client & PP2_CLIENT_CERT_CONN)
1501 * or
1502 * (tlv_ssl->client & PP2_CLIENT_CERT_SESS) */
1524 }
1525 }
1527 }
1530 #endif
1534 }
1535 }
1538 }
1543 {
1544 /* XXX: when using hap-PROXY protocol, currently avoid overhead of setting
1545 * _L_ environment variables for mod_proxy to accurately set Forwarded hdr
1546 * In the future, might add config switch to enable doing this extra work */
1558 "hap-PROXY proto received "
1560 /* fall through */
1562 }
1566 }