9 #include "inet_ntop_cache.h"
10 #include "configfile.h"
17 #include <netinet/in.h>
21 * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
22 * extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
23 * support chained proxies by glen@delfi.ee, #1528
27 * Trust proxy 10.0.0.232 and 10.0.0.232
28 * extforward.forwarder = ( "10.0.0.232" => "trust",
29 * "10.0.0.233" => "trust" )
31 * Trust all proxies (NOT RECOMMENDED!)
32 * extforward.forwarder = ( "all" => "trust")
34 * Note that "all" has precedence over specific entries,
35 * so "all except" setups will not work.
37 * In case you have chained proxies, you can add all their IP's to the
38 * config. However "all" has effect only on connecting IP, as the
39 * X-Forwarded-For header can not be trusted.
41 * Note: The effect of this module is variable on $HTTP["remotip"] directives and
42 * other module's remote ip dependent actions.
43 * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
44 * Things done in between these two moments will match on the real client's IP.
45 * The moment things are done by a module depends on in which hook it does things and within the same hook
46 * on whether they are before/after us in the module loading order
47 * (order in the server.modules directive in the config file).
51 * mod_access: Will match on the real client.
54 * In order to see the "real" ip address in access log ,
55 * you'll have to load mod_extforward after mod_accesslog.
65 * seems causing segfault with mod_ssl and $HTTP{"socket"} directives
66 * LEM 2006.05.26: Fixed segfault $SERVER["socket"] directive. Untested with SSL.
69 * 2005.12.19 Initial Version
70 * 2005.12.19 fixed conflict with conditional directives
71 * 2006.05.26 LEM: IPv6 support
72 * 2006.05.26 LEM: Fix a segfault with $SERVER["socket"] directive.
73 * 2006.05.26 LEM: Run at uri_raw time, as we don't need to see the URI
74 * In this manner, we run before mod_access and $HTTP["remoteip"] directives work!
75 * 2006.05.26 LEM: Clean config_cond cache of tests whose result we probably change.
79 /* plugin config for all request/connections */
89 plugin_config
**config_storage
;
95 /* context , used for restore remote ip */
98 sock_addr saved_remote_addr
;
99 buffer
*saved_remote_addr_buf
;
103 static handler_ctx
* handler_ctx_init(sock_addr oldaddr
, buffer
*oldaddr_buf
) {
105 hctx
= calloc(1, sizeof(*hctx
));
106 hctx
->saved_remote_addr
= oldaddr
;
107 hctx
->saved_remote_addr_buf
= oldaddr_buf
;
111 static void handler_ctx_free(handler_ctx
*hctx
) {
115 /* init the plugin data */
116 INIT_FUNC(mod_extforward_init
) {
118 p
= calloc(1, sizeof(*p
));
122 /* destroy the plugin data */
123 FREE_FUNC(mod_extforward_free
) {
124 plugin_data
*p
= p_d
;
128 if (!p
) return HANDLER_GO_ON
;
130 if (p
->config_storage
) {
133 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
134 plugin_config
*s
= p
->config_storage
[i
];
136 if (NULL
== s
) continue;
138 array_free(s
->forwarder
);
139 array_free(s
->headers
);
143 free(p
->config_storage
);
149 return HANDLER_GO_ON
;
152 /* handle plugin config and check values */
154 SETDEFAULTS_FUNC(mod_extforward_set_defaults
) {
155 plugin_data
*p
= p_d
;
158 config_values_t cv
[] = {
159 { "extforward.forwarder", NULL
, T_CONFIG_ARRAY
, T_CONFIG_SCOPE_CONNECTION
}, /* 0 */
160 { "extforward.headers", NULL
, T_CONFIG_ARRAY
, T_CONFIG_SCOPE_CONNECTION
}, /* 1 */
161 { NULL
, NULL
, T_CONFIG_UNSET
, T_CONFIG_SCOPE_UNSET
}
164 if (!p
) return HANDLER_ERROR
;
166 p
->config_storage
= calloc(1, srv
->config_context
->used
* sizeof(plugin_config
*));
168 for (i
= 0; i
< srv
->config_context
->used
; i
++) {
169 data_config
const* config
= (data_config
const*)srv
->config_context
->data
[i
];
172 s
= calloc(1, sizeof(plugin_config
));
173 s
->forwarder
= array_init();
174 s
->headers
= array_init();
176 cv
[0].destination
= s
->forwarder
;
177 cv
[1].destination
= s
->headers
;
179 p
->config_storage
[i
] = s
;
181 if (0 != config_insert_values_global(srv
, config
->value
, cv
, i
== 0 ? T_CONFIG_SCOPE_SERVER
: T_CONFIG_SCOPE_CONNECTION
)) {
182 return HANDLER_ERROR
;
186 return HANDLER_GO_ON
;
191 static int mod_extforward_patch_connection(server
*srv
, connection
*con
, plugin_data
*p
) {
193 plugin_config
*s
= p
->config_storage
[0];
198 /* skip the first, the global context */
199 for (i
= 1; i
< srv
->config_context
->used
; i
++) {
200 data_config
*dc
= (data_config
*)srv
->config_context
->data
[i
];
201 s
= p
->config_storage
[i
];
203 /* condition didn't match */
204 if (!config_check_cond(srv
, con
, dc
)) continue;
207 for (j
= 0; j
< dc
->value
->used
; j
++) {
208 data_unset
*du
= dc
->value
->data
[j
];
210 if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("extforward.forwarder"))) {
212 } else if (buffer_is_equal_string(du
->key
, CONST_STR_LEN("extforward.headers"))) {
223 static void put_string_into_array_len(array
*ary
, const char *str
, int len
)
225 data_string
*tempdata
;
228 tempdata
= data_string_init();
229 buffer_copy_string_len(tempdata
->value
,str
,len
);
230 array_insert_unique(ary
,(data_unset
*)tempdata
);
233 extract a forward array from the environment
235 static array
*extract_forward_array(buffer
*pbuffer
)
237 array
*result
= array_init();
238 if (!buffer_string_is_empty(pbuffer
)) {
240 /* state variable, 0 means not in string, 1 means in string */
242 for (base
= pbuffer
->ptr
, curr
= pbuffer
->ptr
; *curr
; curr
++) {
244 if ((*curr
> '9' || *curr
< '0') && *curr
!= '.' && *curr
!= ':' && (*curr
< 'a' || *curr
> 'f') && (*curr
< 'A' || *curr
> 'F')) {
245 /* found an separator , insert value into result array */
246 put_string_into_array_len(result
, base
, curr
- base
);
247 /* change state to not in string */
251 if ((*curr
>= '0' && *curr
<= '9') || *curr
== ':' || (*curr
>= 'a' && *curr
<= 'f') || (*curr
>= 'A' && *curr
<= 'F')) {
252 /* found leading char of an IP address, move base pointer and change state */
258 /* if breaking out while in str, we got to the end of string, so add it */
260 put_string_into_array_len(result
, base
, curr
- base
);
267 #define IP_UNTRUSTED 0
269 * check whether ip is trusted, return 1 for trusted , 0 for untrusted
271 static int is_proxy_trusted(const char *ipstr
, plugin_data
*p
)
273 data_string
* allds
= (data_string
*)array_get_element(p
->conf
.forwarder
, "all");
276 if (strcasecmp(allds
->value
->ptr
, "trust") == 0) {
283 return (data_string
*)array_get_element(p
->conf
.forwarder
, ipstr
) ? IP_TRUSTED
: IP_UNTRUSTED
;
287 * Return char *ip of last address of proxy that is not trusted.
288 * Do not accept "all" keyword here.
290 static const char *last_not_in_array(array
*a
, plugin_data
*p
)
292 array
*forwarder
= p
->conf
.forwarder
;
295 for (i
= a
->used
- 1; i
>= 0; i
--) {
296 data_string
*ds
= (data_string
*)a
->data
[i
];
297 const char *ip
= ds
->value
->ptr
;
299 if (!array_get_element(forwarder
, ip
)) {
307 static void ipstr_to_sockaddr(server
*srv
, const char *host
, sock_addr
*sock
) {
308 struct addrinfo hints
, *addrlist
= NULL
;
311 memset(&hints
, 0, sizeof(hints
));
312 sock
->plain
.sa_family
= AF_UNSPEC
;
314 #ifndef AI_NUMERICSERV
316 * quoting $ man getaddrinfo
319 * AI_ADDRCONFIG, AI_ALL, and AI_V4MAPPED are available since glibc 2.3.3.
320 * AI_NUMERICSERV is available since glibc 2.3.4.
322 #define AI_NUMERICSERV 0
324 hints
.ai_flags
= AI_NUMERICHOST
| AI_NUMERICSERV
;
327 result
= getaddrinfo(host
, NULL
, &hints
, &addrlist
);
330 log_error_write(srv
, __FILE__
, __LINE__
, "SSSs(S)",
331 "could not parse ip address ", host
, " because ", gai_strerror(result
), strerror(errno
));
332 } else if (addrlist
== NULL
) {
333 log_error_write(srv
, __FILE__
, __LINE__
, "SSS",
334 "Problem in parsing ip address ", host
, ": succeeded, but no information returned");
335 } else switch (addrlist
->ai_family
) {
337 memcpy(&sock
->ipv4
, addrlist
->ai_addr
, sizeof(sock
->ipv4
));
338 force_assert(AF_INET
== sock
->plain
.sa_family
);
341 memcpy(&sock
->ipv6
, addrlist
->ai_addr
, sizeof(sock
->ipv6
));
342 force_assert(AF_INET6
== sock
->plain
.sa_family
);
345 log_error_write(srv
, __FILE__
, __LINE__
, "SSS",
346 "Problem in parsing ip address ", host
, ": succeeded, but unknown family");
349 freeaddrinfo(addrlist
);
353 static void clean_cond_cache(server
*srv
, connection
*con
) {
354 config_cond_cache_reset_item(srv
, con
, COMP_HTTP_REMOTE_IP
);
355 config_cond_cache_reset_item(srv
, con
, COMP_HTTP_SCHEME
);
358 URIHANDLER_FUNC(mod_extforward_uri_handler
) {
359 plugin_data
*p
= p_d
;
360 data_string
*forwarded
= NULL
;
362 char b2
[INET6_ADDRSTRLEN
+ 1];
364 const char *dst_addr_str
= NULL
;
365 array
*forward_array
= NULL
;
366 const char *real_remote_addr
= NULL
;
370 if (!con
->request
.headers
) return HANDLER_GO_ON
;
372 mod_extforward_patch_connection(srv
, con
, p
);
374 if (con
->conf
.log_request_handling
) {
375 log_error_write(srv
, __FILE__
, __LINE__
, "s",
376 "-- mod_extforward_uri_handler called");
379 if (p
->conf
.headers
->used
) {
383 for(k
= 0; k
< p
->conf
.headers
->used
; k
++) {
384 ds
= (data_string
*) p
->conf
.headers
->data
[k
];
385 if (NULL
!= (forwarded
= (data_string
*) array_get_element(con
->request
.headers
, ds
->value
->ptr
))) break;
388 forwarded
= (data_string
*) array_get_element(con
->request
.headers
,"X-Forwarded-For");
389 if (NULL
== forwarded
) forwarded
= (data_string
*) array_get_element(con
->request
.headers
, "Forwarded-For");
392 if (NULL
== forwarded
) {
393 if (con
->conf
.log_request_handling
) {
394 log_error_write(srv
, __FILE__
, __LINE__
, "s", "no forward header found, skipping");
397 return HANDLER_GO_ON
;
401 dst_addr_str
= inet_ntop(con
->dst_addr
.plain
.sa_family
,
402 con
->dst_addr
.plain
.sa_family
== AF_INET6
?
403 (struct sockaddr
*)&(con
->dst_addr
.ipv6
.sin6_addr
) :
404 (struct sockaddr
*)&(con
->dst_addr
.ipv4
.sin_addr
),
405 b2
, (sizeof b2
) - 1);
407 dst_addr_str
= inet_ntoa(con
->dst_addr
.ipv4
.sin_addr
);
410 /* if the remote ip itself is not trusted, then do nothing */
411 if (IP_UNTRUSTED
== is_proxy_trusted(dst_addr_str
, p
)) {
412 if (con
->conf
.log_request_handling
) {
413 log_error_write(srv
, __FILE__
, __LINE__
, "sss",
414 "remote address", dst_addr_str
, "is NOT a trusted proxy, skipping");
417 return HANDLER_GO_ON
;
420 /* build forward_array from forwarded data_string */
421 forward_array
= extract_forward_array(forwarded
->value
);
422 real_remote_addr
= last_not_in_array(forward_array
, p
);
424 if (real_remote_addr
!= NULL
) { /* parsed */
426 data_string
*forwarded_proto
= (data_string
*)array_get_element(con
->request
.headers
, "X-Forwarded-Proto");
427 sock
.plain
.sa_family
= AF_UNSPEC
;
429 if (NULL
!= forwarded_proto
) {
430 if (buffer_is_equal_caseless_string(forwarded_proto
->value
, CONST_STR_LEN("https"))) {
431 buffer_copy_string_len(con
->uri
.scheme
, CONST_STR_LEN("https"));
432 } else if (buffer_is_equal_caseless_string(forwarded_proto
->value
, CONST_STR_LEN("http"))) {
433 buffer_copy_string_len(con
->uri
.scheme
, CONST_STR_LEN("http"));
437 if (con
->conf
.log_request_handling
) {
438 log_error_write(srv
, __FILE__
, __LINE__
, "ss", "using address:", real_remote_addr
);
441 ipstr_to_sockaddr(srv
, real_remote_addr
, &sock
);
443 sock
.ipv4
.sin_addr
.s_addr
= inet_addr(real_remote_addr
);
444 sock
.plain
.sa_family
= (sock
.ipv4
.sin_addr
.s_addr
== 0xFFFFFFFF) ? AF_UNSPEC
: AF_INET
;
446 if (sock
.plain
.sa_family
!= AF_UNSPEC
) {
447 /* we found the remote address, modify current connection and save the old address */
448 if (con
->plugin_ctx
[p
->id
]) {
449 if (con
->conf
.log_request_handling
) {
450 log_error_write(srv
, __FILE__
, __LINE__
, "s",
451 "-- mod_extforward_uri_handler already patched this connection, resetting state");
453 handler_ctx_free(con
->plugin_ctx
[p
->id
]);
454 con
->plugin_ctx
[p
->id
] = NULL
;
456 /* save old address */
457 con
->plugin_ctx
[p
->id
] = handler_ctx_init(con
->dst_addr
, con
->dst_addr_buf
);
458 /* patch connection address */
459 con
->dst_addr
= sock
;
460 con
->dst_addr_buf
= buffer_init();
461 buffer_copy_string(con
->dst_addr_buf
, real_remote_addr
);
463 if (con
->conf
.log_request_handling
) {
464 log_error_write(srv
, __FILE__
, __LINE__
, "ss",
465 "patching con->dst_addr_buf for the accesslog:", real_remote_addr
);
467 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
468 clean_cond_cache(srv
, con
);
471 array_free(forward_array
);
474 return HANDLER_GO_ON
;
477 CONNECTION_FUNC(mod_extforward_restore
) {
478 plugin_data
*p
= p_d
;
479 handler_ctx
*hctx
= con
->plugin_ctx
[p
->id
];
481 if (!hctx
) return HANDLER_GO_ON
;
483 con
->dst_addr
= hctx
->saved_remote_addr
;
484 buffer_free(con
->dst_addr_buf
);
486 con
->dst_addr_buf
= hctx
->saved_remote_addr_buf
;
488 handler_ctx_free(hctx
);
490 con
->plugin_ctx
[p
->id
] = NULL
;
492 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
493 clean_cond_cache(srv
, con
);
495 return HANDLER_GO_ON
;
499 /* this function is called at dlopen() time and inits the callbacks */
501 int mod_extforward_plugin_init(plugin
*p
);
502 int mod_extforward_plugin_init(plugin
*p
) {
503 p
->version
= LIGHTTPD_VERSION_ID
;
504 p
->name
= buffer_init_string("extforward");
506 p
->init
= mod_extforward_init
;
507 p
->handle_uri_raw
= mod_extforward_uri_handler
;
508 p
->handle_request_done
= mod_extforward_restore
;
509 p
->connection_reset
= mod_extforward_restore
;
510 p
->set_defaults
= mod_extforward_set_defaults
;
511 p
->cleanup
= mod_extforward_free
;