| blob | b53e0d52300b52da9b1ff2a1ac6d4d5d3fdcf39f |
14 #include <limits.h>
15 #include <stdlib.h>
16 #include <string.h>
17 #include <errno.h>
21 /**
22 * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
23 * extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
24 * support chained proxies by glen@delfi.ee, #1528
25 *
26 * Config example:
27 *
28 * Trust proxy 10.0.0.232 and 10.0.0.232
29 * extforward.forwarder = ( "10.0.0.232" => "trust",
30 * "10.0.0.233" => "trust" )
31 *
32 * Trust all proxies (NOT RECOMMENDED!)
33 * extforward.forwarder = ( "all" => "trust")
34 *
35 * Note that "all" has precedence over specific entries,
36 * so "all except" setups will not work.
37 *
38 * In case you have chained proxies, you can add all their IP's to the
39 * config. However "all" has effect only on connecting IP, as the
40 * X-Forwarded-For header can not be trusted.
41 *
42 * Note: The effect of this module is variable on $HTTP["remotip"] directives and
43 * other module's remote ip dependent actions.
44 * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
45 * Things done in between these two moments will match on the real client's IP.
46 * The moment things are done by a module depends on in which hook it does things and within the same hook
47 * on whether they are before/after us in the module loading order
48 * (order in the server.modules directive in the config file).
49 *
50 * Tested behaviours:
51 *
52 * mod_access: Will match on the real client.
53 *
54 * mod_accesslog:
55 * In order to see the "real" ip address in access log ,
56 * you'll have to load mod_extforward after mod_accesslog.
57 * like this:
58 *
59 * server.modules = (
60 * .....
61 * mod_accesslog,
62 * mod_extforward
63 * )
64 */
67 /* plugin config for all request/connections */
79 sock_addr addr;
81 };
87 };
101 PLUGIN_DATA;
105 plugin_config conf;
112 /* context , used for restore remote ip */
115 /* per-request state */
116 sock_addr saved_remote_addr;
119 /* hap-PROXY protocol prior to receiving first request */
122 /* connection-level state applied to requests in handle_request_env */
132 }
136 }
138 /* init the plugin data */
144 }
146 /* destroy the plugin data */
169 }
172 }
174 }
180 }
182 /* handle plugin config and check values */
188 config_values_t cv[] = {
193 { "extforward.hap-PROXY-ssl-client-verify", NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION }, /* 4 */
195 };
219 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
221 }
227 }
231 s->forward_all = (NULL == allds) ? 0 : buffer_eq_icase_slen(allds->value, CONST_STR_LEN("trust")) ? 1 : -1;
237 log_error_write(srv, __FILE__, __LINE__, "sbsbs", "ERROR: expect \"trust\", not \"", ds->key, "\" => \"", ds->value, "\"; treating as untrusted");
238 }
240 log_error_write(srv, __FILE__, __LINE__, "sbsbs", "ERROR: untrusted CIDR masks are ignored (\"", ds->key, "\" => \"", ds->value, "\")");
241 }
244 }
253 }
257 }
260 s->forward_masks->addrs = realloc(s->forward_masks->addrs, s->forward_masks->sz * sizeof(struct sock_addr_mask));
262 }
269 buffer_clear(ds->value); /* empty is untrusted, e.g. if subnet (incorrectly) appears in X-Forwarded-For */
270 }
271 }
272 }
278 }
280 /* default to "X-Forwarded-For" or "Forwarded-For" if extforward.headers not specified or empty */
281 if (!s->hap_PROXY && 0 == s->headers->used && (0 == i || NULL != array_get_element(config->value, "extforward.headers"))) {
284 }
290 }
292 proxy_forwarded_t param;
300 #endif
303 #if 0
306 #endif
313 }
322 }
330 }
331 }
332 }
334 /* attempt to warn if mod_extforward is not last module loaded to hook
335 * handle_connection_accept. (Nice to have, but remove this check if
336 * it reaches too far into internals and prevents other code changes.)
337 * While it would be nice to check connection_handle_accept plugin slot
338 * to make sure mod_extforward is last, that info is private to plugin.c
339 * so merely warn if mod_openssl is loaded after mod_extforward, though
340 * future modules which hook connection_handle_accept might be missed.*/
349 }
350 }
355 "mod_extforward must be loaded after mod_openssl in server.modules when extforward.hap-PROXY = \"enable\"");
357 }
358 }
360 }
361 }
368 }
369 }
372 }
374 #define PATCH(x) \
375 p->conf.x = s->x;
388 /* skip the first, the global context */
393 /* condition didn't match */
396 /* merge config */
410 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.hap-PROXY-ssl-client-verify"))) {
412 }
413 }
414 }
417 }
418 #undef PATCH
421 /*
422 extract a forward array from the environment
423 */
425 {
429 /* state variable, 0 means not in string, 1 means in string */
433 if ((*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' && (*curr < 'a' || *curr > 'f') && (*curr < 'A' || *curr > 'F')) {
434 /* found an separator , insert value into result array */
436 /* change state to not in string */
438 }
440 if ((*curr >= '0' && *curr <= '9') || *curr == ':' || (*curr >= 'a' && *curr <= 'f') || (*curr >= 'A' && *curr <= 'F')) {
441 /* found leading char of an IP address, move base pointer and change state */
444 }
445 }
446 }
447 /* if breaking out while in str, we got to the end of string, so add it */
450 }
451 }
453 }
455 /*
456 * check whether ip is trusted, return 1 for trusted , 0 for untrusted
457 */
459 {
467 sock_addr addr;
468 /* C funcs inet_aton(), inet_pton() require '\0'-terminated IP str */
480 }
481 }
484 }
487 {
490 }
492 /*
493 * Return last address of proxy that is not trusted.
494 * Do not accept "all" keyword here.
495 */
497 {
504 }
505 }
507 }
509 static int mod_extforward_set_addr(server *srv, connection *con, plugin_data *p, const char *addr) {
510 sock_addr sock;
515 }
521 /* we found the remote address, modify current connection and save the old address */
527 }
532 }
535 }
536 /* save old address */
538 http_header_env_set(con, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_FOR"), CONST_BUF_LEN(con->dst_addr_buf));
539 }
542 /* patch connection address */
549 }
551 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
555 }
557 static void mod_extforward_set_proto(server *srv, connection *con, const char *proto, size_t protolen) {
559 /* update scheme if X-Forwarded-Proto is set
560 * Limitations:
561 * - Only "http" or "https" are currently accepted since the request to lighttpd currently has to
562 * be HTTP/1.0 or HTTP/1.1 using http or https. If this is changed, then the scheme from this
563 * untrusted header must be checked to contain only alphanumeric characters, and to be a
564 * reasonable length, e.g. < 256 chars.
565 * - con->uri.scheme is not reset in mod_extforward_restore() but is currently not an issues since
566 * con->uri.scheme will be reset by next request. If a new module uses con->uri.scheme in the
567 * handle_request_done hook, then should evaluate if that module should use the forwarded value
568 * (probably) or the original value.
569 */
571 http_header_env_set(con, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_PROTO"), CONST_BUF_LEN(con->uri.scheme));
572 }
579 }
580 }
581 }
583 static handler_t mod_extforward_X_Forwarded_For(server *srv, connection *con, plugin_data *p, buffer *x_forwarded_for) {
584 /* build forward_array from forwarded data_string */
588 /* get scheme if X-Forwarded-Proto is set
589 * Limitations:
590 * - X-Forwarded-Proto may or may not be set by proxies, even if X-Forwarded-For is set
591 * - X-Forwarded-Proto may be a comma-separated list if there are multiple proxies,
592 * but the historical behavior of the code below only honored it if there was exactly one value
593 * (not done: walking backwards in X-Forwarded-Proto the same num of steps
594 * as in X-Forwarded-For to find proto set by last trusted proxy)
595 */
596 buffer *x_forwarded_proto = http_header_request_get(con, HTTP_HEADER_X_FORWARDED_PROTO, CONST_STR_LEN("X-Forwarded-Proto"));
599 }
600 }
603 }
610 }
617 }
618 }
620 }
627 }
628 }
630 }
633 /* (future: might move to buffer.c) */
644 }
646 }
649 }
651 static handler_t mod_extforward_Forwarded (server *srv, connection *con, plugin_data *p, buffer *forwarded) {
652 /* HTTP list need not consist of param=value tokens,
653 * but this routine expect such for HTTP Forwarded header
654 * Since info in each set of params is only used if from
655 * admin-specified trusted proxy:
656 * - invalid param=value tokens are ignored and skipped
657 * - not checking "for" exists in each set of params
658 * - not checking for duplicated params in each set of params
659 * - not checking canonical form of addr (also might be obfuscated)
660 * - obfuscated tokens permitted in chain, though end of trust is expected
661 * to be non-obfuscated IP for mod_extforward to masquerade as remote IP
662 * future: since (potentially) trusted proxies begin at end of string,
663 * it might be better to parse from end of string rather than parsing from
664 * beginning. Doing so would also allow reducing arbitrary param limit
665 * to number of params permitted per proxy.
666 */
680 }
686 /*(reject IP spoofing if attacker sets improper quoted-string)*/
692 }
698 /*(reject IP spoofing if attacker sets improper quoted-string)*/
704 }
707 /* have k, klen, v, vlen
708 * (might contain quoted string) (contents not validated or decoded)
709 * (might be repeated k)
710 */
718 }
721 /* error processing Forwarded; too many params; fail closed */
727 }
743 /* remove trailing spaces/tabs and double-quotes from string
744 * (note: not unescaping backslash escapes in quoted string) */
752 /* remove "[]" surrounding IPv6, as well as (optional) port
753 * (assumes properly formatted IPv6 addr from trusted proxy) */
762 }
763 }
765 /* remove (optional) port from non-obfuscated IPv4 */
767 }
769 }
772 /* obfuscated ipstr and obfuscated port are also accepted here, as
773 * is path to unix domain socket, but note that backslash escapes
774 * in quoted-string were not unescaped above. Also, if obfuscated
775 * identifiers are rotated by proxies as recommended by RFC, then
776 * maintaining list of trusted identifiers is non-trivial and is not
777 * attempted by this module. */
785 }
788 }
793 }
796 /* C funcs getaddrinfo(), inet_addr() require '\0'-terminated IP str */
804 }
807 }
809 /* parse out params associated with for=<ip> addr set above */
817 #if 0
822 #endif
823 #if 0
824 /*(already handled above to find IP prior to earliest trusted proxy)*/
829 #endif
844 }
845 }
849 /* remove trailing spaces/tabs, and double-quotes from proto
850 * (note: not unescaping backslash escapes in quoted string) */
856 }
859 /* Limitations:
860 * - con->request.http_host is not reset in mod_extforward_restore()
861 * but is currently not an issues since con->request.http_host will be
862 * reset by next request. If a new module uses con->request.http_host
863 * in the handle_request_done hook, then should evaluate if that
864 * module should use the forwarded value (probably) or original value.
865 * - due to need to decode and unescape host=..., some extra work is
866 * done in the case where host matches current Host header.
867 * future: might add code to check if Host has actually changed or not
868 *
869 * note: change host after mod_extforward_set_proto() since that may
870 * affect scheme port used in http_request_host_policy() host
871 * normalization
872 */
874 /* find host param set by earliest trusted proxy in proxy chain
875 * (host might be changed anywhere along the chain) */
882 }
889 }
890 /* remove trailing spaces/tabs, and double-quotes from host */
903 }
904 }
907 }
911 /*(reject invalid chars in Host)*/
917 }
920 }
921 }
924 /* find remote_user param set by closest proxy
925 * (auth may have been handled by any trusted proxy in proxy chain) */
932 }
934 /* ???: should we also support param for auth_type ??? */
935 /* remove trailing spaces/tabs, and double-quotes from remote_user*/
952 }
953 }
957 }
958 }
959 }
961 #if 0
963 && NULL == http_header_request_get(con, HTTP_HEADER_X_FORWARDED_FOR, CONST_STR_LEN("X-Forwarded-For"))) {
964 /* create X-Forwarded-For if not present
965 * (and at least original connecting IP is a trusted proxy) */
974 /* quoted-string, IPv6 brackets, and :port already removed */
986 }
988 }
989 }
990 /* skip to next group; take first "for=..." in group
991 * (should be 0 or 1 "for=..." per group, but not trusted) */
995 }
997 }
998 http_header_request_set(con, HTTP_HEADER_X_FORWARDED_FOR, CONST_STR_LEN("X-Forwarded-For"), CONST_BUF_LEN(xff));
999 }
1000 #endif
1003 }
1016 }
1035 }
1036 }
1044 }
1045 }
1049 }
1052 }
1054 /* if the remote ip itself is not trusted, then do nothing */
1059 }
1062 }
1066 }
1069 }
1078 /* note: replaces values which may have been set by mod_openssl
1079 * (when mod_extforward is listed after mod_openssl in server.modules)*/
1083 }
1085 }
1097 }
1104 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
1106 }
1111 }
1114 }
1118 {
1125 }
1130 }
1133 }
1136 }
1139 }
1142 static int mod_extforward_network_read (server *srv, connection *con, chunkqueue *cq, off_t max_bytes);
1145 {
1154 }
1160 }
1161 }
1163 }
1166 /* this function is called at dlopen() time and inits the callbacks */
1186 }
1191 /* Modified from:
1192 * http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
1193 *
1194 9. Sample code
1196 The code below is an example of how a receiver may deal with both versions of
1197 the protocol header for TCP over IPv4 or IPv6. The function is supposed to be
1198 called upon a read event. Addresses may be directly copied into their final
1199 memory location since they're transported in network byte order. The sending
1200 side is even simpler and can easily be deduced from this sample code.
1201 *
1202 */
1232 };
1234 /*
1235 If the length specified in the PROXY protocol header indicates that additional
1236 bytes are part of the header beyond the address information, a receiver may
1237 choose to skip over and ignore those bytes, or attempt to interpret those
1238 bytes.
1240 The information in those bytes will be arranged in Type-Length-Value (TLV
1241 vectors) in the following format. The first byte is the Type of the vector.
1242 The second two bytes represent the length in bytes of the value (not included
1243 the Type and Length bytes), and following the length field is the number of
1244 bytes specified by the length.
1245 */
1251 };
1253 /*
1254 The following types have already been registered for the <type> field :
1255 */
1257 #define PP2_TYPE_ALPN 0x01
1258 #define PP2_TYPE_AUTHORITY 0x02
1259 #define PP2_TYPE_CRC32C 0x03
1260 #define PP2_TYPE_NOOP 0x04
1261 #define PP2_TYPE_SSL 0x20
1262 #define PP2_SUBTYPE_SSL_VERSION 0x21
1263 #define PP2_SUBTYPE_SSL_CN 0x22
1264 #define PP2_SUBTYPE_SSL_CIPHER 0x23
1265 #define PP2_SUBTYPE_SSL_SIG_ALG 0x24
1266 #define PP2_SUBTYPE_SSL_KEY_ALG 0x25
1267 #define PP2_TYPE_NETNS 0x30
1269 /*
1270 For the type PP2_TYPE_SSL, the value is itselv a defined like this :
1271 */
1277 };
1279 /*
1280 And the <client> field is made of a bit field from the following values,
1281 indicating which element is present :
1282 */
1284 #define PP2_CLIENT_SSL 0x01
1285 #define PP2_CLIENT_CERT_CONN 0x02
1286 #define PP2_CLIENT_CERT_SESS 0x04
1291 #ifndef MSG_DONTWAIT
1292 #define MSG_DONTWAIT 0
1293 #endif
1294 #ifndef MSG_NOSIGNAL
1295 #define MSG_NOSIGNAL 0
1296 #endif
1298 /* returns 0 if needs to poll, <0 upon error or >0 is protocol vers (success) */
1299 static int hap_PROXY_recv (const int fd, union hap_PROXY_hdr * const hdr, const int family, const int so_type)
1300 {
1304 ssize_t ret;
1314 #ifdef EWOULDBLOCK
1315 #if EAGAIN != EWOULDBLOCK
1317 #endif
1318 #endif
1332 }
1333 }
1340 }
1342 /* Wrong protocol */
1344 }
1346 /* we need to consume the appropriate amount of data from the socket
1347 * (overwrites existing contents of hdr with same data) */
1351 #if defined(MSG_TRUNC) && defined(__linux__)
1355 }
1356 #endif
1363 }
1366 }
1371 {
1372 #ifdef __COVERITY__
1374 #endif
1376 /* samples
1377 * "PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\n"
1378 * "PROXY TCP6 ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
1379 * "PROXY UNKNOWN\r\n"
1380 * "PROXY UNKNOWN ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
1381 */
1393 }
1396 }
1398 }
1402 }
1405 }
1407 /*(strsep() should be fairly portable, but is not standard)*/
1427 /* Forwarded by=... could be saved here.
1428 * (see additional comments in mod_extforward_hap_PROXY_v2()) */
1430 /* re-parse addr to string to normalize
1431 * (instead of trusting PROXY to provide canonicalized src_addr string)
1432 * (should prefer PROXY v2 protocol if concerned about performance) */
1436 }
1441 {
1442 #ifdef __COVERITY__
1444 #endif
1446 /* If HAProxy-PROXY protocol used, then lighttpd acts as transparent proxy,
1447 * masquerading as servicing the client IP provided in by HAProxy-PROXY hdr.
1448 * The connecting con->dst_addr and con->dst_addr_buf are not saved here,
1449 * so that info is lost unless getsockname() and getpeername() are used.
1450 * One result is that mod_proxy will use the masqueraded IP instead of the
1451 * actual IP when updated Forwarded and X-Forwarded-For (but if actual
1452 * connection IPs needed, better to save the info here rather than use
1453 * syscalls to retrieve the info later).
1454 * (Exception: con->dst_addr can be further changed if mod_extforward parses
1455 * Forwaded or X-Forwarded-For request headers later, after request headers
1456 * have been received.)
1457 */
1459 /* Forwarded by=... could be saved here. The by param is for backends to be
1460 * able to construct URIs for that interface (interface on server which
1461 * received request and made PROXY connection here), though that server
1462 * should provide that information in updated Forwarded or X-Forwarded-For
1463 * HTTP headers */
1464 /*struct sockaddr_storage by;*/
1466 /* Addresses provided by HAProxy-PROXY protocol are in network byte order.
1467 * Note: addr info is not validated, so do not accept HAProxy-PROXY
1468 * protocol from untrusted servers. For example, untrusted servers from
1469 * which HAProxy-PROXY protocol is accepted (don't do that) could pretend
1470 * to be from the internal network and might thereby bypass security policy.
1471 */
1473 /* (Clear con->dst_addr with memset() in case actual and proxies IPs
1474 * are different domains, e.g. one is IPv4 and the other is IPv6) */
1484 }
1486 /* PROXY command */
1493 #if 0
1499 #endif
1502 #ifdef HAVE_IPV6
1507 #if 0
1513 #endif
1516 #endif
1517 #ifdef HAVE_SYS_UN_H
1519 {
1526 }
1531 #endif
1534 #endif
1537 }
1539 /* (optional) Type-Length-Value (TLV vectors) follow addresses */
1551 #endif
1561 }
1565 }
1578 /* (tlv_ssl->client & PP2_CLIENT_CERT_CONN)
1579 * or
1580 * (tlv_ssl->client & PP2_CLIENT_CERT_SESS) */
1602 }
1603 }
1605 }
1608 #endif
1612 }
1613 }
1616 }
1621 {
1622 /* XXX: when using hap-PROXY protocol, currently avoid overhead of setting
1623 * _L_ environment variables for mod_proxy to accurately set Forwarded hdr
1624 * In the future, might add config switch to enable doing this extra work */
1637 "hap-PROXY proto received "
1639 /* fall through */
1641 }
1645 }