ASF Bugzilla – Attachment 18996 Details for
Bug 40746
Feature request: ProxyAllow directive
[patch] patch to create a new ProxyAllow directive in mod_proxy
httpd-2.0.59-proxyallow.patch (text/plain), 14.19 KB, created by Trevin Beattie on 2006-10-12 11:52:29 UTC
>--- httpd-2.0.59/docs/manual/mod/directives.html.en.proxyallow 2006-07-12 00:22:22.000000000 -0700 >+++ httpd-2.0.59/docs/manual/mod/directives.html.en 2006-08-30 13:47:22.000000000 -0700 >@@ -272,6 +272,7 @@ > <li><a href="mpm_common.html#pidfile">PidFile</a></li> > <li><a href="mod_echo.html#protocolecho">ProtocolEcho</a></li> > <li><a href="mod_proxy.html#proxy"><Proxy></a></li> >+<li><a href="mod_proxy.html#proxyallow">ProxyAllow</a></li> > <li><a href="mod_proxy.html#proxybadheader">ProxyBadHeader</a></li> > <li><a href="mod_proxy.html#proxyblock">ProxyBlock</a></li> > <li><a href="mod_proxy.html#proxydomain">ProxyDomain</a></li> >--- httpd-2.0.59/docs/manual/mod/mod_proxy.html.en.proxyallow 2006-07-12 00:22:22.000000000 -0700 >+++ httpd-2.0.59/docs/manual/mod/mod_proxy.html.en 2006-08-30 13:47:22.000000000 -0700 >@@ -62,6 +62,7 @@ > <li><img alt="" src="../images/down.gif" /> <a href="#allowconnect">AllowCONNECT</a></li> > <li><img alt="" src="../images/down.gif" /> <a href="#noproxy">NoProxy</a></li> > <li><img alt="" src="../images/down.gif" /> <a href="#proxy"><Proxy></a></li> >+<li><img alt="" src="../images/down.gif" /> <a href="#proxyallow">ProxyAllow</a></li> > <li><img alt="" src="../images/down.gif" /> <a href="#proxybadheader">ProxyBadHeader</a></li> > <li><img alt="" src="../images/down.gif" /> <a href="#proxyblock">ProxyBlock</a></li> > <li><img alt="" src="../images/down.gif" /> <a href="#proxydomain">ProxyDomain</a></li> 
>@@ -299,7 +300,8 @@ > </div><div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> > <div class="section"> > <h2><a name="startup" id="startup">Slow Startup</a></h2> >- <p>If you're using the <code class="directive"><a href="#proxyblock">ProxyBlock</a></code> directive, hostnames' IP addresses are looked up >+ <p>If you're using the <code class="directive"><a href="#proxyallow">ProxyAllow</a></code> or >+ <code class="directive"><a href="#proxyblock">ProxyBlock</a></code> directive, hostnames' IP addresses are looked up > and cached during startup for later match test. This may take a few > seconds (or more) depending on the speed with which the hostname lookups > occur.</p> 
>@@ -537,6 +539,48 @@ > > </div> > <div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> >+<div class="directive-section"><h2><a name="ProxyAllow" id="ProxyAllow">ProxyAllow</a> <a name="proxyallow" id="proxyallow">Directive</a></h2> >+<table class="directive"> >+<tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Words, hosts, or domains that are banned from being >+proxied</td></tr> >+<tr><th><a href="directive-dict.html#Syntax">Syntax:</a></th><td><code>ProxyAllow *|<var>word</var>|<var>host</var>|<var>domain</var> >+[<var>word</var>|<var>host</var>|<var>domain</var>] ...</code></td></tr> >+<tr><th><a href="directive-dict.html#Context">Context:</a></th><td>server config, virtual host</td></tr> >+<tr><th><a href="directive-dict.html#Status">Status:</a></th><td>Extension</td></tr> >+<tr><th><a href="directive-dict.html#Module">Module:</a></th><td>mod_proxy</td></tr> >+</table> >+ <p>The <code class="directive">ProxyAllow</code> directive specifies a list of >+ words, hosts and/or domains, separated by spaces. HTTP, HTTPS, and >+ FTP document requests to sites whose names contain matched words, >+ hosts or domains are <em>allowed</em> by the proxy server. The proxy >+ module will also attempt to determine IP addresses of list items which >+ may be hostnames during startup, and cache them for match test as >+ well. 
That may slow down the startup time of the server.</p> >+ >+ <div class="example"><h3>Example</h3><p><code> >+ ProxyAllow joes-garage.com some-host.co.uk rocky.wotsamattau.edu >+ </code></p></div> >+ >+ <p><code>rocky.wotsamattau.edu</code> would also be matched if referenced by >+ IP address.</p> >+ >+ <p>Note that <code>wotsamattau</code> would also be sufficient to match >+ <code>wotsamattau.edu</code>.</p> >+ >+ <p>Note also that</p> >+ >+ <div class="example"><p><code> >+ ProxyAllow * >+ </code></p></div> >+ >+ <p>allows connections to all sites.</p> >+ >+ <p>If the <code class="directive">ProxyAllow</code> is not present, >+ the default is to allow all sites (except those blocked by >+ <a href="#proxyblock"><code class="directive">ProxyBlock</code></a>).</p> >+ >+</div> >+<div class="top"><a href="#page-header"><img alt="top" src="../images/up.gif" /></a></div> > <div class="directive-section"><h2><a name="ProxyBadHeader" id="ProxyBadHeader">ProxyBadHeader</a> <a name="proxybadheader" id="proxybadheader">Directive</a></h2> > <table class="directive"> > <tr><th><a href="directive-dict.html#Description">Description:</a></th><td>Determines how to handle bad header lines in a >--- httpd-2.0.59/docs/manual/mod/quickreference.html.en.proxyallow 2006-07-12 00:22:22.000000000 -0700 >+++ httpd-2.0.59/docs/manual/mod/quickreference.html.en 2006-08-30 13:47:22.000000000 -0700 
>@@ -476,6 +476,9 @@ > of the daemon</td></tr> > <tr><td><a href="mod_echo.html#protocolecho">ProtocolEcho On|Off</a></td><td></td><td>sv</td><td>X</td></tr><tr><td class="descr" colspan="4">Turn the echo server on or off</td></tr> > <tr class="odd"><td><a href="mod_proxy.html#proxy"><Proxy <var>wildcard-url</var>> ...</Proxy></a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Container for directives applied to proxied resources</td></tr> >+<tr class="odd"><td><a href="mod_proxy.html#proxyallow">ProxyAllow *|<var>word</var>|<var>host</var>|<var>domain</var> >+[<var>word</var>|<var>host</var>|<var>domain</var>] ...</a></td><td></td><td>sv</td><td>E</td></tr><tr class="odd"><td class="descr" colspan="4">Words, hosts, or domains that are exclusively allowed to be >+proxied</td></tr> > <tr><td><a href="mod_proxy.html#proxybadheader">ProxyBadHeader IsError|Ignore|StartBody</a></td><td> IsError </td><td>sv</td><td>E</td></tr><tr><td class="descr" colspan="4">Determines how to handle bad header lines in a > response</td></tr> > <tr class="odd"><td><a href="mod_proxy.html#proxyblock">ProxyBlock *|<var>word</var>|<var>host</var>|<var>domain</var> >--- httpd-2.0.59/modules/proxy/mod_proxy.c.proxyallow 2006-07-12 00:40:55.000000000 -0700 >+++ httpd-2.0.59/modules/proxy/mod_proxy.c 2006-08-30 14:06:47.000000000 -0700 >@@ -477,6 +477,7 @@ > ps->aliases = apr_array_make(p, 10, sizeof(struct proxy_alias)); > ps->raliases = apr_array_make(p, 10, sizeof(struct proxy_alias)); > ps->noproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry)); >+ ps->onlyproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry)); > ps->dirconn = apr_array_make(p, 10, sizeof(struct dirconn_entry)); > ps->allowed_connect_ports = apr_array_make(p, 10, sizeof(int)); > ps->domain = NULL; 
>@@ -512,6 +513,7 @@ > ps->aliases = apr_array_append(p, base->aliases, overrides->aliases); > ps->raliases = apr_array_append(p, base->raliases, overrides->raliases); > ps->noproxies = apr_array_append(p, base->noproxies, overrides->noproxies); >+ ps->onlyproxies = apr_array_append(p, base->onlyproxies, overrides->onlyproxies); > ps->dirconn = apr_array_append(p, base->dirconn, overrides->dirconn); > ps->allowed_connect_ports = apr_array_append(p, base->allowed_connect_ports, overrides->allowed_connect_ports); > >@@ -709,6 +711,38 @@ > return NULL; > } > >+static const char * >+ set_proxy_include(cmd_parms *parms, void *dummy, const char *arg) >+{ >+ server_rec *s = parms->server; >+ proxy_server_conf *conf = >+ ap_get_module_config(s->module_config, &proxy_module); >+ struct noproxy_entry *new; >+ struct noproxy_entry *list = (struct noproxy_entry *) conf->onlyproxies->elts; >+ struct apr_sockaddr_t *addr; >+ int found = 0; >+ int i; >+ >+ /* Don't duplicate entries */ >+ for (i = 0; i < conf->onlyproxies->nelts; i++) { >+ if (apr_strnatcasecmp(arg, list[i].name) == 0) { /* ignore case for host names */ >+ found = 1; >+ } >+ } >+ >+ if (!found) { >+ new = apr_array_push(conf->onlyproxies); >+ new->name = arg; >+ if (APR_SUCCESS == apr_sockaddr_info_get(&addr, new->name, APR_UNSPEC, 0, 0, parms->pool)) { >+ new->addr = addr; >+ } >+ else { >+ new->addr = NULL; >+ } >+ } >+ return NULL; >+} >+ > /* > * Set the ports CONNECT can use > */ 
>@@ -1042,6 +1076,8 @@ > "a virtual path and a URL"), > AP_INIT_TAKE12("ProxyPassReverse", add_pass_reverse, NULL, RSRC_CONF|ACCESS_CONF, > "a virtual path and a URL for reverse proxy behaviour"), >+ AP_INIT_ITERATE("ProxyAllow", set_proxy_include, NULL, RSRC_CONF, >+ "A list of names, hosts or domains to which the proxy may connect"), > AP_INIT_ITERATE("ProxyBlock", set_proxy_exclude, NULL, RSRC_CONF, > "A list of names, hosts or domains to which the proxy will not connect"), > AP_INIT_TAKE1("ProxyReceiveBufferSize", set_recv_buffer_size, NULL, RSRC_CONF, >--- httpd-2.0.59/modules/proxy/mod_proxy.h.proxyallow 2006-07-12 00:40:55.000000000 -0700 >+++ httpd-2.0.59/modules/proxy/mod_proxy.h 2006-08-30 13:47:22.000000000 -0700 >@@ -121,6 +121,7 @@ > apr_array_header_t *aliases; > apr_array_header_t *raliases; > apr_array_header_t *noproxies; >+ apr_array_header_t *onlyproxies; > apr_array_header_t *dirconn; > apr_array_header_t *allowed_connect_ports; > const char *domain; /* domain name to use in absence of a domain name in the request */ >@@ -240,6 +241,7 @@ > PROXY_DECLARE(int) ap_proxy_is_domainname(struct dirconn_entry *This, apr_pool_t *p); > PROXY_DECLARE(int) ap_proxy_is_hostname(struct dirconn_entry *This, apr_pool_t *p); > PROXY_DECLARE(int) ap_proxy_is_word(struct dirconn_entry *This, apr_pool_t *p); >+PROXY_DECLARE(int) ap_proxy_checkproxyallow(request_rec *r, proxy_server_conf *conf, apr_sockaddr_t *uri_addr); > PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, apr_sockaddr_t *uri_addr); > PROXY_DECLARE(int) ap_proxy_pre_http_request(conn_rec *c, request_rec *r); > PROXY_DECLARE(apr_status_t) ap_proxy_string_read(conn_rec *c, apr_bucket_brigade *bb, char *buff, size_t bufflen, int *eos); >--- httpd-2.0.59/modules/proxy/proxy_connect.c.proxyallow 2006-07-12 00:40:55.000000000 -0700 >+++ httpd-2.0.59/modules/proxy/proxy_connect.c 2006-08-30 13:47:22.000000000 -0700 
>@@ -146,6 +146,12 @@ > "Connect to remote machine blocked"); > } > >+ /* check if ProxyAllow directive on this host */ >+ if (OK != ap_proxy_checkproxyallow(r, conf, uri_addr)) { >+ return ap_proxyerror(r, HTTP_FORBIDDEN, >+ "Connect to remote machine blocked"); >+ } >+ > /* Check if it is an allowed port */ > if (conf->allowed_connect_ports->nelts == 0) { > /* Default setting if not overridden by AllowCONNECT */ >--- httpd-2.0.59/modules/proxy/proxy_ftp.c.proxyallow 2006-07-12 00:40:55.000000000 -0700 >+++ httpd-2.0.59/modules/proxy/proxy_ftp.c 2006-08-30 13:47:22.000000000 -0700 >@@ -899,6 +899,12 @@ > "Connect to remote machine blocked"); > } > >+ /* check if ProxyAllow directive on this host */ >+ if (OK != ap_proxy_checkproxyallow(r, conf, connect_addr)) { >+ return ap_proxyerror(r, HTTP_FORBIDDEN, >+ "Connect to remote machine blocked"); >+ } >+ > > /* > * II: Make the Connection ----------------------- >--- httpd-2.0.59/modules/proxy/proxy_http.c.proxyallow 2006-08-30 13:47:22.000000000 -0700 >+++ httpd-2.0.59/modules/proxy/proxy_http.c 2006-08-30 13:47:22.000000000 -0700 >@@ -234,6 +234,11 @@ > return ap_proxyerror(r, HTTP_FORBIDDEN, > "Connect to remote machine blocked"); > } >+ /* check if ProxyAllow directive on this host */ >+ if (OK != ap_proxy_checkproxyallow(r, conf, uri_addr)) { >+ return ap_proxyerror(r, HTTP_FORBIDDEN, >+ "Connect to remote machine blocked"); >+ } > return OK; > } > >--- httpd-2.0.59/modules/proxy/proxy_util.c.proxyallow 2006-07-12 00:40:55.000000000 -0700 >+++ httpd-2.0.59/modules/proxy/proxy_util.c 2006-08-30 14:08:58.000000000 -0700 
>@@ -946,6 +946,47 @@ > return host != NULL && ap_strstr_c(host, This->name) != NULL; > } > >+/* checks whether a host in uri_addr matches proxyallow */ >+PROXY_DECLARE(int) ap_proxy_checkproxyallow(request_rec *r, proxy_server_conf *conf, >+ apr_sockaddr_t *uri_addr) >+{ >+ int j; >+ apr_sockaddr_t * src_uri_addr = uri_addr; >+ /* XXX FIXME: conf->onlyproxies->elts is part of an opaque structure */ >+ for (j = 0; j < conf->onlyproxies->nelts; j++) { >+ struct noproxy_entry *opent = (struct noproxy_entry *) conf->onlyproxies->elts; >+ struct apr_sockaddr_t *conf_addr = opent[j].addr; >+ uri_addr = src_uri_addr; >+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, >+ "proxy: checking remote machine [%s] against [%s]", uri_addr->hostname, opent[j].name); >+ if ((opent[j].name && ap_strstr_c(uri_addr->hostname, opent[j].name)) >+ || opent[j].name[0] == '*') { >+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, >+ "proxy: connect to remote machine %s allowed: name %s matched", uri_addr->hostname, opent[j].name); >+ return OK; >+ } >+ while (conf_addr) { >+ while (uri_addr) { >+ char *conf_ip; >+ char *uri_ip; >+ apr_sockaddr_ip_get(&conf_ip, conf_addr); >+ apr_sockaddr_ip_get(&uri_ip, uri_addr); >+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, >+ "proxy: ProxyAllow comparing %s and %s", conf_ip, uri_ip); >+ if (!apr_strnatcasecmp(conf_ip, uri_ip)) { >+ ap_log_error(APLOG_MARK, APLOG_INFO, 0, r->server, >+ "proxy: connect to remote machine %s allowed: IP %s matched", uri_addr->hostname, conf_ip); >+ return OK; >+ } >+ uri_addr = uri_addr->next; >+ } >+ conf_addr = conf_addr->next; >+ } >+ } >+ /* Default to OK if no hosts were listed in ProxyAllow */ >+ return conf->onlyproxies->nelts ? HTTP_FORBIDDEN : OK; >+} >+ > /* checks whether a host in uri_addr matches proxyblock */ > PROXY_DECLARE(int) ap_proxy_checkproxyblock(request_rec *r, proxy_server_conf *conf, > apr_sockaddr_t *uri_addr)
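Review bot: the Description cell of the new ProxyAllow table in the mod_proxy.html.en hunk still reads "Words, hosts, or domains that are banned from being proxied", which is the ProxyBlock wording; the quickreference.html.en hunk has the intended text, "Words, hosts, or domains that are exclusively allowed to be proxied", and the two should agree. The directive text should also say plainly that the match is a substring test on the hostname (its own "wotsamattau would also be sufficient to match wotsamattau.edu" example shows this), so an entry matches any hostname that merely contains it in any position and an allow list is looser than it looks unless entries are full host or domain names. Since the runtime check is inserted directly beside the existing ProxyBlock check in every handler, the docs should also state that ProxyAllow gates exactly the connections ProxyBlock already gates, not only forward-proxy requests.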
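Review bot: in the mod_proxy.c merge hunk, "ps->onlyproxies = apr_array_append(p, base->onlyproxies, overrides->onlyproxies);" makes a virtual host's ProxyAllow list the union of the main-server list and its own, so a vhost can widen the inherited allow list but never narrow it. That mirrors noproxies, but for an allow list it is the opposite of what an admin configuring a stricter vhost will expect; either document it in the Context row or merge so that a vhost list, when present, replaces the base list.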
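Review bot: set_proxy_include is a line-for-line copy of set_proxy_exclude with only the target array changed; factor the body into a static helper that takes the apr_array_header_t so fixes to one do not drift from the other. Two small points in the copied body: the duplicate-detection loop keeps iterating after "found = 1;" where a break would do, and when apr_sockaddr_info_get fails the entry is silently stored with "new->addr = NULL;", which means that name will only ever match by hostname substring and never by IP; a startup-time warning for the failed lookup would tell the admin that the IP half of the match is missing for that entry.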
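Review bot: the proxy_connect.c hunk (and likewise the proxy_ftp.c and proxy_http.c hunks) rejects with the same string the ProxyBlock check uses, "Connect to remote machine blocked", so a 403 logged by ap_proxyerror cannot be attributed to one directive or the other when troubleshooting; use a distinct message for the ProxyAllow path, for example "Connect to remote machine not in ProxyAllow list". The proxy_ftp.c hunk also leaves two consecutive blank lines after the inserted block.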
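Review bot: in ap_proxy_checkproxyallow the name test "ap_strstr_c(uri_addr->hostname, opent[j].name)" is an unanchored substring search and the wildcard test "opent[j].name[0] == '*'" only inspects the first character, so any entry that begins with an asterisk, whatever follows it, allows every destination; anchor the comparison at the end of the hostname (domain-suffix match) or at least reject entries that start with "*" and are longer than one character at configuration time. The IP loop has the same property the docs already note for ProxyBlock: any hostname that resolves to an address cached for a listed entry is allowed, so on shared hosting the effective allow list is wider than the names written down, and the directive text should say so. The "/* XXX FIXME: conf->onlyproxies->elts is part of an opaque structure */" comment was carried over from the block check and does not describe this code, which casts and uses elts directly. Finally, the per-entry APLOG_DEBUG line runs for every entry on every proxied request; on a long allow list that is considerable log I/O at debug level, so log once per decision instead.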