| blob | b75392889bc21e92fc9c7e8c35aa91d05d1ccf87 |
13 #include <stdlib.h>
14 #include <string.h>
15 #include <errno.h>
18 #ifndef _WIN32
19 #include <netdb.h>
20 #endif
22 /**
23 * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com
24 * extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu
25 * support chained proxies by glen@delfi.ee, #1528
26 *
27 * Config example:
28 *
29 * Trust proxy 10.0.0.232 and 10.0.0.232
30 * extforward.forwarder = ( "10.0.0.232" => "trust",
31 * "10.0.0.233" => "trust" )
32 *
33 * Trust all proxies (NOT RECOMMENDED!)
34 * extforward.forwarder = ( "all" => "trust")
35 *
36 * Note that "all" has precedence over specific entries,
37 * so "all except" setups will not work.
38 *
39 * In case you have chained proxies, you can add all their IP's to the
40 * config. However "all" has effect only on connecting IP, as the
41 * X-Forwarded-For header can not be trusted.
42 *
43 * Note: The effect of this module is variable on $HTTP["remotip"] directives and
44 * other module's remote ip dependent actions.
45 * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP.
46 * Things done in between these two moments will match on the real client's IP.
47 * The moment things are done by a module depends on in which hook it does things and within the same hook
48 * on whether they are before/after us in the module loading order
49 * (order in the server.modules directive in the config file).
50 *
51 * Tested behaviours:
52 *
53 * mod_access: Will match on the real client.
54 *
55 * mod_accesslog:
56 * In order to see the "real" ip address in access log ,
57 * you'll have to load mod_extforward after mod_accesslog.
58 * like this:
59 *
60 * server.modules = (
61 * .....
62 * mod_accesslog,
63 * mod_extforward
64 * )
65 */
68 /* plugin config for all request/connections */
88 PLUGIN_DATA;
92 plugin_config conf;
99 /* context , used for restore remote ip */
102 /* per-request state */
103 sock_addr saved_remote_addr;
106 /* hap-PROXY protocol prior to receiving first request */
109 /* connection-level state applied to requests in handle_request_env */
119 }
123 }
125 /* init the plugin data */
131 }
133 /* destroy the plugin data */
154 }
156 }
162 }
164 /* handle plugin config and check values */
170 config_values_t cv[] = {
176 };
199 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) {
201 }
207 }
213 }
215 /* default to "X-Forwarded-For" or "Forwarded-For" if extforward.headers not specified or empty */
216 if (!s->hap_PROXY && 0 == s->headers->used && (0 == i || NULL != array_get_element(config->value, "extforward.headers"))) {
224 }
230 }
232 proxy_forwarded_t param;
240 #endif
243 #if 0
246 #endif
253 }
262 }
270 }
271 }
272 }
274 /* attempt to warn if mod_extforward is not last module loaded to hook
275 * handle_connection_accept. (Nice to have, but remove this check if
276 * it reaches to far into internals and prevents other code changes.)
277 * While it would be nice to check connection_handle_accept plugin slot
278 * to make sure mod_extforward is last, that info is private to plugin.c
279 * so merely warn if mod_openssl is loaded after mod_extforward, though
280 * future modules which hook connection_handle_accept might be missed.*/
289 }
290 }
295 "mod_extforward must be loaded after mod_openssl in server.modules when extforward.hap-PROXY = \"enable\"");
297 }
298 }
300 }
301 }
308 }
309 }
312 }
314 #define PATCH(x) \
315 p->conf.x = s->x;
325 /* skip the first, the global context */
330 /* condition didn't match */
333 /* merge config */
345 }
346 }
347 }
350 }
351 #undef PATCH
355 {
362 }
363 /*
364 extract a forward array from the environment
365 */
367 {
371 /* state variable, 0 means not in string, 1 means in string */
375 if ((*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' && (*curr < 'a' || *curr > 'f') && (*curr < 'A' || *curr > 'F')) {
376 /* found an separator , insert value into result array */
378 /* change state to not in string */
380 }
382 if ((*curr >= '0' && *curr <= '9') || *curr == ':' || (*curr >= 'a' && *curr <= 'f') || (*curr >= 'A' && *curr <= 'F')) {
383 /* found leading char of an IP address, move base pointer and change state */
386 }
387 }
388 }
389 /* if breaking out while in str, we got to the end of string, so add it */
392 }
393 }
395 }
397 #define IP_TRUSTED 1
398 #define IP_UNTRUSTED 0
399 /*
400 * check whether ip is trusted, return 1 for trusted , 0 for untrusted
401 */
403 {
411 }
412 }
414 return (data_string *)array_get_element_klen(p->conf.forwarder, CONST_BUF_LEN(ipstr)) ? IP_TRUSTED : IP_UNTRUSTED;
415 }
417 /*
418 * Return last address of proxy that is not trusted.
419 * Do not accept "all" keyword here.
420 */
422 {
430 }
431 }
433 }
436 #ifdef HAVE_IPV6
443 #ifndef AI_NUMERICSERV
444 /**
445 * quoting $ man getaddrinfo
446 *
447 * NOTES
448 * AI_ADDRCONFIG, AI_ALL, and AI_V4MAPPED are available since glibc 2.3.3.
449 * AI_NUMERICSERV is available since glibc 2.3.4.
450 */
451 #define AI_NUMERICSERV 0
452 #endif
476 }
479 #else
483 #endif
484 }
486 static int mod_extforward_set_addr(server *srv, connection *con, plugin_data *p, const char *addr) {
487 sock_addr sock;
492 }
498 /* we found the remote address, modify current connection and save the old address */
504 }
509 }
512 }
513 /* save old address */
515 array_set_key_value(con->environment, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_FOR"), CONST_BUF_LEN(con->dst_addr_buf));
516 }
519 /* patch connection address */
526 }
528 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
532 }
534 static void mod_extforward_set_proto(server *srv, connection *con, const char *proto, size_t protolen) {
536 /* update scheme if X-Forwarded-Proto is set
537 * Limitations:
538 * - Only "http" or "https" are currently accepted since the request to lighttpd currently has to
539 * be HTTP/1.0 or HTTP/1.1 using http or https. If this is changed, then the scheme from this
540 * untrusted header must be checked to contain only alphanumeric characters, and to be a
541 * reasonable length, e.g. < 256 chars.
542 * - con->uri.scheme is not reset in mod_extforward_restore() but is currently not an issues since
543 * con->uri.scheme will be reset by next request. If a new module uses con->uri.scheme in the
544 * handle_request_done hook, then should evaluate if that module should use the forwarded value
545 * (probably) or the original value.
546 */
548 array_set_key_value(con->environment, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_PROTO"), CONST_BUF_LEN(con->uri.scheme));
549 }
556 }
557 }
558 }
560 static handler_t mod_extforward_X_Forwarded_For(server *srv, connection *con, plugin_data *p, buffer *x_forwarded_for) {
561 /* build forward_array from forwarded data_string */
565 /* get scheme if X-Forwarded-Proto is set
566 * Limitations:
567 * - X-Forwarded-Proto may or may not be set by proxies, even if X-Forwarded-For is set
568 * - X-Forwarded-Proto may be a comma-separated list if there are multiple proxies,
569 * but the historical behavior of the code below only honored it if there was exactly one value
570 * (not done: walking backwards in X-Forwarded-Proto the same num of steps
571 * as in X-Forwarded-For to find proto set by last trusted proxy)
572 */
573 data_string *x_forwarded_proto = (data_string *)array_get_element(con->request.headers, "X-Forwarded-Proto");
576 }
577 }
580 }
587 }
594 }
595 }
597 }
604 }
605 }
607 }
610 /* (future: might move to buffer.c) */
621 }
623 }
626 }
628 static handler_t mod_extforward_Forwarded (server *srv, connection *con, plugin_data *p, buffer *forwarded) {
629 /* HTTP list need not consist of param=value tokens,
630 * but this routine expect such for HTTP Forwarded header
631 * Since info in each set of params is only used if from
632 * admin-specified trusted proxy:
633 * - invalid param=value tokens are ignored and skipped
634 * - not checking "for" exists in each set of params
635 * - not checking for duplicated params in each set of params
636 * - not checking canonical form of addr (also might be obfuscated)
637 * - obfuscated tokens permitted in chain, though end of trust is expected
638 * to be non-obfuscated IP for mod_extforward to masquerade as remote IP
639 * future: since (potentially) trusted proxies begin at end of string,
640 * it might be better to parse from end of string rather than parsing from
641 * beginning. Doing so would also allow reducing arbitrary param limit
642 * to number of params permitted per proxy.
643 */
657 }
663 /*(reject IP spoofing if attacker sets improper quoted-string)*/
669 }
675 /*(reject IP spoofing if attacker sets improper quoted-string)*/
681 }
684 /* have k, klen, v, vlen
685 * (might contain quoted string) (contents not validated or decoded)
686 * (might be repeated k)
687 */
695 }
698 /* error processing Forwarded; too many params; fail closed */
704 }
720 /* remove trailing spaces/tabs and double-quotes from string
721 * (note: not unescaping backslash escapes in quoted string) */
729 /* remove "[]" surrounding IPv6, as well as (optional) port
730 * (assumes properly formatted IPv6 addr from trusted proxy) */
739 }
740 }
742 /* remove (optional) port from non-obfuscated IPv4 */
744 }
746 }
749 /* obfuscated ipstr and obfuscated port are also accepted here, as
750 * is path to unix domain socket, but note that backslash escapes
751 * in quoted-string were not unescaped above. Also, if obfuscated
752 * identifiers are rotated by proxies as recommended by RFC, then
753 * maintaining list of trusted identifiers is non-trivial and is not
754 * attempted by this module. */
762 }
765 }
770 }
773 /* C funcs getaddrinfo(), inet_addr() require '\0'-terminated IP str */
781 }
784 }
786 /* parse out params associated with for=<ip> addr set above */
794 #if 0
799 #endif
800 #if 0
801 /*(already handled above to find IP prior to earliest trusted proxy)*/
806 #endif
821 }
822 }
826 /* remove trailing spaces/tabs, and double-quotes from proto
827 * (note: not unescaping backslash escapes in quoted string) */
833 }
836 /* Limitations:
837 * - con->request.http_host is not reset in mod_extforward_restore()
838 * but is currently not an issues since con->request.http_host will be
839 * reset by next request. If a new module uses con->request.http_host
840 * in the handle_request_done hook, then should evaluate if that
841 * module should use the forwarded value (probably) or original value.
842 * - due to need to decode and unescape host=..., some extra work is
843 * done in the case where host matches current Host header.
844 * future: might add code to check if Host has actually changed or not
845 *
846 * note: change host after mod_extforward_set_proto() since that may
847 * affect scheme port used in http_request_host_policy() host
848 * normalization
849 */
851 /* find host param set by earliest trusted proxy in proxy chain
852 * (host might be changed anywhere along the chain) */
859 }
866 }
867 /* remove trailing spaces/tabs, and double-quotes from host */
880 }
881 }
884 }
888 /*(reject invalid chars in Host)*/
894 }
897 }
898 }
901 /* find remote_user param set by closest proxy
902 * (auth may have been handled by any trusted proxy in proxy chain) */
909 }
911 /* ???: should we also support param for auth_type ??? */
912 /* remove trailing spaces/tabs, and double-quotes from remote_user*/
930 }
931 }
935 }
936 }
937 }
939 #if 0
942 /* create X-Forwarded-For if not present
943 * (and at least original connecting IP is a trusted proxy) */
957 /* quoted-string, IPv6 brackets, and :port already removed */
969 }
971 }
972 }
973 /* skip to next group; take first "for=..." in group
974 * (should be 0 or 1 "for=..." per group, but not trusted) */
978 }
980 }
981 }
982 #endif
985 }
997 }
1000 /* XXX: future: add config option to enable
1001 * and replace above with: if (p->conf.???)
1002 * similar to ssl.verifyclient.username */
1003 #if 0
1020 }
1021 #endif
1022 }
1025 forwarded = (data_string *) array_get_element_klen(con->request.headers, CONST_BUF_LEN(((data_string *)p->conf.headers->data[k])->value));
1026 }
1030 }
1033 }
1035 /* if the remote ip itself is not trusted, then do nothing */
1040 }
1043 }
1047 }
1050 }
1059 /* note: replaces values which may have been set by mod_openssl
1060 * (when mod_extforward is listed after mod_openssl in server.modules)*/
1064 }
1066 }
1078 }
1085 /* Now, clean the conf_cond cache, because we may have changed the results of tests */
1087 }
1092 }
1095 }
1099 {
1106 }
1111 }
1114 }
1117 }
1120 }
1123 static int mod_extforward_network_read (server *srv, connection *con, chunkqueue *cq, off_t max_bytes);
1126 {
1135 }
1141 }
1142 }
1144 }
1147 /* this function is called at dlopen() time and inits the callbacks */
1167 }
1172 /* Modified from:
1173 * http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt
1174 *
1175 9. Sample code
1177 The code below is an example of how a receiver may deal with both versions of
1178 the protocol header for TCP over IPv4 or IPv6. The function is supposed to be
1179 called upon a read event. Addresses may be directly copied into their final
1180 memory location since they're transported in network byte order. The sending
1181 side is even simpler and can easily be deduced from this sample code.
1182 *
1183 */
1213 };
1215 /*
1216 If the length specified in the PROXY protocol header indicates that additional
1217 bytes are part of the header beyond the address information, a receiver may
1218 choose to skip over and ignore those bytes, or attempt to interpret those
1219 bytes.
1221 The information in those bytes will be arranged in Type-Length-Value (TLV
1222 vectors) in the following format. The first byte is the Type of the vector.
1223 The second two bytes represent the length in bytes of the value (not included
1224 the Type and Length bytes), and following the length field is the number of
1225 bytes specified by the length.
1226 */
1232 };
1234 /*
1235 The following types have already been registered for the <type> field :
1236 */
1238 #define PP2_TYPE_ALPN 0x01
1239 #define PP2_TYPE_AUTHORITY 0x02
1240 #define PP2_TYPE_CRC32C 0x03
1241 #define PP2_TYPE_NOOP 0x04
1242 #define PP2_TYPE_SSL 0x20
1243 #define PP2_SUBTYPE_SSL_VERSION 0x21
1244 #define PP2_SUBTYPE_SSL_CN 0x22
1245 #define PP2_SUBTYPE_SSL_CIPHER 0x23
1246 #define PP2_SUBTYPE_SSL_SIG_ALG 0x24
1247 #define PP2_SUBTYPE_SSL_KEY_ALG 0x25
1248 #define PP2_TYPE_NETNS 0x30
1250 /*
1251 For the type PP2_TYPE_SSL, the value is itselv a defined like this :
1252 */
1258 };
1260 /*
1261 And the <client> field is made of a bit field from the following values,
1262 indicating which element is present :
1263 */
1265 #define PP2_CLIENT_SSL 0x01
1266 #define PP2_CLIENT_CERT_CONN 0x02
1267 #define PP2_CLIENT_CERT_SESS 0x04
1272 #ifndef MSG_DONTWAIT
1273 #define MSG_DONTWAIT 0
1274 #endif
1275 #ifndef MSG_NOSIGNAL
1276 #define MSG_NOSIGNAL 0
1277 #endif
1279 /* returns 0 if needs to poll, <0 upon error or >0 is protocol vers (success) */
1281 {
1285 ssize_t ret;
1295 #ifdef EWOULDBLOCK
1296 #if EAGAIN != EWOULDBLOCK
1298 #endif
1299 #endif
1313 }
1314 }
1321 }
1323 /* Wrong protocol */
1325 }
1327 /* we need to consume the appropriate amount of data from the socket
1328 * (overwrites existing contents of hdr with same data) */
1335 }
1340 {
1341 /* samples
1342 * "PROXY TCP4 255.255.255.255 255.255.255.255 65535 65535\r\n"
1343 * "PROXY TCP6 ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
1344 * "PROXY UNKNOWN\r\n"
1345 * "PROXY UNKNOWN ffff:f...f:ffff ffff:f...f:ffff 65535 65535\r\n"
1346 */
1358 }
1361 }
1363 }
1367 }
1370 }
1372 /*(strsep() should be fairly portable, but is not standard)*/
1392 /* Forwarded by=... could be saved here.
1393 * (see additional comments in mod_extforward_hap_PROXY_v2()) */
1395 /* re-parse addr to string to normalize
1396 * (instead of trusting PROXY to provide canonicalized src_addr string)
1397 * (should prefer PROXY v2 protocol if concerned about performance) */
1401 }
1406 {
1407 /* If HAProxy-PROXY protocol used, then lighttpd acts as transparent proxy,
1408 * masquerading as servicing the client IP provided in by HAProxy-PROXY hdr.
1409 * The connecting con->dst_addr and con->dst_addr_buf are not saved here,
1410 * so that info is lost unless getsockname() and getpeername() are used.
1411 * One result is that mod_proxy will use the masqueraded IP instead of the
1412 * actual IP when updated Forwarded and X-Forwarded-For (but if actual
1413 * connection IPs needed, better to save the info here rather than use
1414 * syscalls to retrieve the info later).
1415 * (Exception: con->dst_addr can be further changed if mod_extforward parses
1416 * Forwaded or X-Forwarded-For request headers later, after request headers
1417 * have been received.)
1418 */
1420 /* Forwarded by=... could be saved here. The by param is for backends to be
1421 * able to construct URIs for that interface (interface on server which
1422 * received request and made PROXY connection here), though that server
1423 * should provide that information in updated Forwarded or X-Forwarded-For
1424 * HTTP headers */
1425 /*struct sockaddr_storage by;*/
1427 /* Addresses provided by HAProxy-PROXY protocol are in network byte order.
1428 * Note: addr info is not validated, so do not accept HAProxy-PROXY
1429 * protocol from untrusted servers. For example, untrusted servers from
1430 * which HAProxy-PROXY protocol is accepted (don't do that) could pretend
1431 * to be from the internal network and might thereby bypass security policy.
1432 */
1434 /* (Clear con->dst_addr with memset() in case actual and proxies IPs
1435 * are different domains, e.g. one is IPv4 and the other is IPv6) */
1445 }
1447 /* PROXY command */
1456 #if 0
1462 #endif
1465 #ifdef HAVE_IPV6
1472 #if 0
1478 #endif
1481 #endif
1482 #ifdef HAVE_SYS_UN_H
1484 {
1493 }
1498 #endif
1501 #endif
1504 }
1506 /* (optional) Type-Length-Value (TLV vectors) follow addresses */
1518 #endif
1528 }
1532 }
1545 /* (tlv_ssl->client & PP2_CLIENT_CERT_CONN)
1546 * or
1547 * (tlv_ssl->client & PP2_CLIENT_CERT_SESS) */
1569 }
1570 }
1572 }
1575 #endif
1579 }
1580 }
1583 }
1588 {
1589 /* XXX: when using hap-PROXY protocol, currently avoid overhead of setting
1590 * _L_ environment variables for mod_proxy to accurately set Forwarded hdr
1591 * In the future, might add config switch to enable doing this extra work */
1603 "hap-PROXY proto received "
1605 /* fall through */
1607 }
1611 }