9 #include "configfile.h"
15 #include "sys-socket.h"
21 * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
22 * extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
23 * support chained proxies by glen@delfi.ee, #1528
27 * Trust proxy 10.0.0.232 and 10.0.0.232
28 * extforward.forwarder = ( "10.0.0.232" => "trust",
29 * "10.0.0.233" => "trust" )
31 * Trust all proxies (NOT RECOMMENDED!)
32 * extforward.forwarder = ( "all" => "trust")
34 * Note that "all" has precedence over specific entries,
35 * so "all except" setups will not work.
37 * In case you have chained proxies, you can add all their IP's to the
38 * config. However "all" has effect only on connecting IP, as the
39 * X-Forwarded-For header can not be trusted.
41 * Note: The effect of this module is variable on $HTTP["remotip"] directives and
42 * other module's remote ip dependent actions.
43 * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
44 * Things done in between these two moments will match on the real client's IP.
45 * The moment things are done by a module depends on in which hook it does things and within the same hook
46 * on whether they are before/after us in the module loading order
47 * (order in the server.modules directive in the config file).
51 * mod_access: Will match on the real client.
54 * In order to see the "real" ip address in access log ,
55 * you'll have to load mod_extforward after mod_accesslog.
65 * seems causing segfault with mod_ssl and $HTTP{"socket"} directives
66 * LEM 2006.05.26: Fixed segfault $SERVER["socket"] directive. Untested with SSL.
69 * 2005.12.19 Initial Version
70 * 2005.12.19 fixed conflict with conditional directives
71 * 2006.05.26 LEM: IPv6 support
72 * 2006.05.26 LEM: Fix a segfault with $SERVER["socket"] directive.
73 * 2006.05.26 LEM: Run at uri_raw time, as we don't need to see the URI
74 * In this manner, we run before mod_access and $HTTP["remoteip"] directives work!
75 * 2006.05.26 LEM: Clean config_cond cache of tests whose result we probably change.
79 /* plugin config for all request/connections */
89 plugin_config
**config_storage
;
95 /* context , used for restore remote ip */
98 sock_addr saved_remote_addr
;
99 buffer
*saved_remote_addr_buf
;
103 static handler_ctx
* handler_ctx_init(sock_addr oldaddr
, buffer
*oldaddr_buf
) {
105 hctx
= calloc(1, sizeof(*hctx
));
106 hctx
->saved_remote_addr
= oldaddr
;
107 hctx
->saved_remote_addr_buf
= oldaddr_buf
;
111 static void handler_ctx_free(handler_ctx
*hctx
) {
115 /* init the plugin data */
116 INIT_FUNC(mod_extforward_init
) {
118 p
= calloc(1, sizeof(*p
));
122 /* destroy the plugin data */
123 FREE_FUNC(mod_extforward_free
) {
124 plugin_data
*p
= p_d
;
128 if (!p
) return HANDLER_GO_ON
;
130 if (p
->config_storage
) {
133 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
134 plugin_config
*s
= p
->config_storage
[i
];
136 if (NULL
== s
) continue;
138 array_free(s
->forwarder
);
139 array_free(s
->headers
);
143 free(p
->config_storage
);
149 return HANDLER_GO_ON
;
152 /* handle plugin config and check values */
154 SETDEFAULTS_FUNC(mod_extforward_set_defaults
) {
155 plugin_data
*p
= p_d
;
158 config_values_t cv
[] = {
159 { "extforward.forwarder", NULL
, T_CONFIG_ARRAY
, T_CONFIG_SCOPE_CONNECTION
}, /* 0 */
160 { "extforward.headers", NULL
, T_CONFIG_ARRAY
, T_CONFIG_SCOPE_CONNECTION
}, /* 1 */
161 { NULL
, NULL
, T_CONFIG_UNSET
, T_CONFIG_SCOPE_UNSET
}
164 if (!p
) return HANDLER_ERROR
;
166 p
->config_storage
= calloc(1, srv
->config_context
->used
* sizeof(plugin_config
*));
168 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
169 data_config
const* config
= (data_config
const*)srv
->config_context
->data
[i
];
172 s
= calloc(1, sizeof(plugin_config
));
173 s
->forwarder
= array_init();
174 s
->headers
= array_init();
176 cv
[0].destination
= s
->forwarder
;
177 cv
[1].destination
= s
->headers
;
179 p
->config_storage
[i
] = s
;
181 if (0 != config_insert_values_global(srv
, config
->value
, cv
, i
== 0 ? T_CONFIG_SCOPE_SERVER
: T_CONFIG_SCOPE_CONNECTION
)) {
182 return HANDLER_ERROR
;
185 if (!array_is_kvstring(s
->forwarder
)) {
186 log_error_write(srv
, __FILE__
, __LINE__
, "s",
187 "unexpected value for extforward.forwarder; expected list of \"IPaddr\" => \"trust\"");
188 return HANDLER_ERROR
;
191 if (!array_is_vlist(s
->headers
)) {
192 log_error_write(srv
, __FILE__
, __LINE__
, "s",
193 "unexpected value for extforward.headers; expected list of \"headername\"");
194 return HANDLER_ERROR
;
197 /* default to "X-Forwarded-For" or "Forwarded-For" if extforward.headers not specified or empty */
198 if (0 == s
->headers
->used
&& (0 == i
|| NULL
!= array_get_element(config
->value
, "extforward.headers"))) {
200 ds
= data_string_init();
201 buffer_copy_string_len(ds
->value
, CONST_STR_LEN("X-Forwarded-For"));
202 array_insert_unique(s
->headers
, (data_unset
*)ds
);
203 ds
= data_string_init();
204 buffer_copy_string_len(ds
->value
, CONST_STR_LEN("Forwarded-For"));
205 array_insert_unique(s
->headers
, (data_unset
*)ds
);
209 return HANDLER_GO_ON
;
214 static int mod_extforward_patch_connection(server
*srv
, connection
*con
, plugin_data
*p
) {
216 plugin_config
*s
= p
->config_storage
[0];
221 /* skip the first, the global context */
222 for (i
= 1; i
< srv
->config_context
->used
; i
++) {
223 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
224 s
= p
->config_storage
[i
];
226 /* condition didn't match */
227 if (!config_check_cond(srv
, con
, dc
)) continue;
230 for (j
= 0; j
< dc
->value
->used
; j
++) {
231 data_unset
*du
= dc
->value
->data
[j
];
233 if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("extforward.forwarder"))) {
235 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("extforward.headers"))) {
246 static void put_string_into_array_len(array
*ary
, const char *str
, int len
)
248 data_string
*tempdata
;
251 tempdata
= data_string_init();
252 buffer_copy_string_len(tempdata
->value
,str
,len
);
253 array_insert_unique(ary
,(data_unset
*)tempdata
);
256 extract a forward array from the environment
258 static array
*extract_forward_array(buffer
*pbuffer
)
260 array
*result
= array_init();
261 if (!buffer_string_is_empty(pbuffer
)) {
263 /* state variable, 0 means not in string, 1 means in string */
265 for (base
= pbuffer
->ptr
, curr
= pbuffer
->ptr
; *curr
; curr
++) {
267 if ((*curr
> '9' || *curr
< '0') && *curr
!= '.' && *curr
!= ':' && (*curr
< 'a' || *curr
> 'f') && (*curr
< 'A' || *curr
> 'F')) {
268 /* found an separator , insert value into result array */
269 put_string_into_array_len(result
, base
, curr
- base
);
270 /* change state to not in string */
274 if ((*curr
>= '0' && *curr
<= '9') || *curr
== ':' || (*curr
>= 'a' && *curr
<= 'f') || (*curr
>= 'A' && *curr
<= 'F')) {
275 /* found leading char of an IP address, move base pointer and change state */
281 /* if breaking out while in str, we got to the end of string, so add it */
283 put_string_into_array_len(result
, base
, curr
- base
);
290 #define IP_UNTRUSTED 0
292 * check whether ip is trusted, return 1 for trusted , 0 for untrusted
294 static int is_proxy_trusted(const char *ipstr
, plugin_data
*p
)
296 data_string
* allds
= (data_string
*)array_get_element(p
->conf
.forwarder
, "all");
299 if (strcasecmp(allds
->value
->ptr
, "trust") == 0) {
306 return (data_string
*)array_get_element(p
->conf
.forwarder
, ipstr
) ? IP_TRUSTED
: IP_UNTRUSTED
;
310 * Return char *ip of last address of proxy that is not trusted.
311 * Do not accept "all" keyword here.
313 static const char *last_not_in_array(array
*a
, plugin_data
*p
)
315 array
*forwarder
= p
->conf
.forwarder
;
318 for (i
= a
->used
- 1; i
>= 0; i
--) {
319 data_string
*ds
= (data_string
*)a
->data
[i
];
320 const char *ip
= ds
->value
->ptr
;
322 if (!array_get_element(forwarder
, ip
)) {
329 static void ipstr_to_sockaddr(server
*srv
, const char *host
, sock_addr
*sock
) {
331 struct addrinfo hints
, *addrlist
= NULL
;
334 memset(&hints
, 0, sizeof(hints
));
335 sock
->plain
.sa_family
= AF_UNSPEC
;
337 #ifndef AI_NUMERICSERV
339 * quoting $ man getaddrinfo
342 * AI_ADDRCONFIG, AI_ALL, and AI_V4MAPPED are available since glibc 2.3.3.
343 * AI_NUMERICSERV is available since glibc 2.3.4.
345 #define AI_NUMERICSERV 0
347 hints
.ai_flags
= AI_NUMERICHOST
| AI_NUMERICSERV
;
350 result
= getaddrinfo(host
, NULL
, &hints
, &addrlist
);
353 log_error_write(srv
, __FILE__
, __LINE__
, "SSSs(S)",
354 "could not parse ip address ", host
, " because ", gai_strerror(result
), strerror(errno
));
355 } else if (addrlist
== NULL
) {
356 log_error_write(srv
, __FILE__
, __LINE__
, "SSS",
357 "Problem in parsing ip address ", host
, ": succeeded, but no information returned");
358 } else switch (addrlist
->ai_family
) {
360 memcpy(&sock
->ipv4
, addrlist
->ai_addr
, sizeof(sock
->ipv4
));
361 force_assert(AF_INET
== sock
->plain
.sa_family
);
364 memcpy(&sock
->ipv6
, addrlist
->ai_addr
, sizeof(sock
->ipv6
));
365 force_assert(AF_INET6
== sock
->plain
.sa_family
);
368 log_error_write(srv
, __FILE__
, __LINE__
, "SSS",
369 "Problem in parsing ip address ", host
, ": succeeded, but unknown family");
372 freeaddrinfo(addrlist
);
375 sock
->ipv4
.sin_addr
.s_addr
= inet_addr(host
);
376 sock
->plain
.sa_family
= (sock
->ipv4
.sin_addr
.s_addr
== 0xFFFFFFFF) ? AF_UNSPEC
: AF_INET
;
380 static void clean_cond_cache(server
*srv
, connection
*con
) {
381 config_cond_cache_reset_item(srv
, con
, COMP_HTTP_REMOTE_IP
);
382 config_cond_cache_reset_item(srv
, con
, COMP_HTTP_SCHEME
);
385 URIHANDLER_FUNC(mod_extforward_uri_handler
) {
386 plugin_data
*p
= p_d
;
387 data_string
*forwarded
= NULL
;
388 array
*forward_array
= NULL
;
389 const char *real_remote_addr
= NULL
;
391 mod_extforward_patch_connection(srv
, con
, p
);
393 if (con
->conf
.log_request_handling
) {
394 log_error_write(srv
, __FILE__
, __LINE__
, "s",
395 "-- mod_extforward_uri_handler called");
398 for (size_t k
= 0; k
< p
->conf
.headers
->used
&& NULL
== forwarded
; ++k
) {
399 forwarded
= (data_string
*) array_get_element(con
->request
.headers
, ((data_string
*)p
->conf
.headers
->data
[k
])->value
->ptr
);
401 if (NULL
== forwarded
) {
402 if (con
->conf
.log_request_handling
) {
403 log_error_write(srv
, __FILE__
, __LINE__
, "s", "no forward header found, skipping");
406 return HANDLER_GO_ON
;
409 /* if the remote ip itself is not trusted, then do nothing */
410 if (IP_UNTRUSTED
== is_proxy_trusted(con
->dst_addr_buf
->ptr
, p
)) {
411 if (con
->conf
.log_request_handling
) {
412 log_error_write(srv
, __FILE__
, __LINE__
, "sbs",
413 "remote address", con
->dst_addr_buf
, "is NOT a trusted proxy, skipping");
416 return HANDLER_GO_ON
;
419 /* build forward_array from forwarded data_string */
420 forward_array
= extract_forward_array(forwarded
->value
);
421 real_remote_addr
= last_not_in_array(forward_array
, p
);
423 if (real_remote_addr
!= NULL
) { /* parsed */
425 sock
.plain
.sa_family
= AF_UNSPEC
;
427 if (con
->conf
.log_request_handling
) {
428 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "using address:", real_remote_addr
);
430 ipstr_to_sockaddr(srv
, real_remote_addr
, &sock
);
431 if (sock
.plain
.sa_family
!= AF_UNSPEC
) {
432 /* we found the remote address, modify current connection and save the old address */
433 if (con
->plugin_ctx
[p
->id
]) {
434 if (con
->conf
.log_request_handling
) {
435 log_error_write(srv
, __FILE__
, __LINE__
, "s",
436 "-- mod_extforward_uri_handler already patched this connection, resetting state");
438 handler_ctx_free(con
->plugin_ctx
[p
->id
]);
439 con
->plugin_ctx
[p
->id
] = NULL
;
441 /* save old address */
442 con
->plugin_ctx
[p
->id
] = handler_ctx_init(con
->dst_addr
, con
->dst_addr_buf
);
443 /* patch connection address */
444 con
->dst_addr
= sock
;
445 con
->dst_addr_buf
= buffer_init();
446 buffer_copy_string(con
->dst_addr_buf
, real_remote_addr
);
448 if (con
->conf
.log_request_handling
) {
449 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
450 "patching con->dst_addr_buf for the accesslog:", real_remote_addr
);
454 /* update scheme if X-Forwarded-Proto is set
456 * - X-Forwarded-Proto may or may not be set by proxies, even if X-Forwarded-For is set
457 * - X-Forwarded-Proto may be a comma-separated list if there are multiple proxies,
458 * but the historical behavior of the code below only honored it if there was exactly one value
459 * - Only "http" or "https" are currently accepted since the request to lighttpd currently has to
460 * be HTTP/1.0 or HTTP/1.1 using http or https. If this is changed, then the scheme from this
461 * untrusted header must be checked to contain only alphanumeric characters, and to be a
462 * reasonable length, e.g. < 256 chars.
463 * - con->uri.scheme is not reset in mod_extforward_restore() but is currently not an issues since
464 * con->uri.scheme will be reset by next request. If a new module uses con->uri.scheme in the
465 * handle_request_done hook, then should evaluate if that module should use the forwarded value
466 * (probably) or the original value.
468 data_string
*forwarded_proto
= (data_string
*)array_get_element(con
->request
.headers
, "X-Forwarded-Proto");
469 if (NULL
!= forwarded_proto
&& !buffer_is_equal_caseless_string(forwarded_proto
->value
, CONST_BUF_LEN(con
->uri
.scheme
))) {
470 if (buffer_is_equal_caseless_string(forwarded_proto
->value
, CONST_STR_LEN("https"))) {
471 buffer_copy_string_len(con
->uri
.scheme
, CONST_STR_LEN("https"));
472 } else if (buffer_is_equal_caseless_string(forwarded_proto
->value
, CONST_STR_LEN("http"))) {
473 buffer_copy_string_len(con
->uri
.scheme
, CONST_STR_LEN("http"));
478 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
479 clean_cond_cache(srv
, con
);
482 array_free(forward_array
);
485 return HANDLER_GO_ON
;
488 CONNECTION_FUNC(mod_extforward_restore
) {
489 plugin_data
*p
= p_d
;
490 handler_ctx
*hctx
= con
->plugin_ctx
[p
->id
];
492 if (!hctx
) return HANDLER_GO_ON
;
494 con
->dst_addr
= hctx
->saved_remote_addr
;
495 buffer_free(con
->dst_addr_buf
);
497 con
->dst_addr_buf
= hctx
->saved_remote_addr_buf
;
499 handler_ctx_free(hctx
);
501 con
->plugin_ctx
[p
->id
] = NULL
;
503 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
504 clean_cond_cache(srv
, con
);
506 return HANDLER_GO_ON
;
510 /* this function is called at dlopen() time and inits the callbacks */
512 int mod_extforward_plugin_init(plugin
*p
);
513 int mod_extforward_plugin_init(plugin
*p
) {
514 p
->version
= LIGHTTPD_VERSION_ID
;
515 p
->name
= buffer_init_string("extforward");
517 p
->init
= mod_extforward_init
;
518 p
->handle_uri_raw
= mod_extforward_uri_handler
;
519 p
->handle_request_done
= mod_extforward_restore
;
520 p
->connection_reset
= mod_extforward_restore
;
521 p
->set_defaults
= mod_extforward_set_defaults
;
522 p
->cleanup
= mod_extforward_free
;