
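--- a/modules/proxy/mod_proxy_connect.c
+++ b/modules/proxy/mod_proxy_connect.c
@@ -252,9 +252,15 @@
     /* check if ProxyBlock directive on this host */
     if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
         return ap_proxyerror(r, HTTP_FORBIDDEN,
-                             "Connect to remote machine blocked");
+                             "Connect to remote machine blocked by block");
     }
 
+    /* check if ProxyAllow directive on this host */
+    if (OK != ap_proxy_checkproxyallow(r, conf, uri_addr)) {
+        return ap_proxyerror(r, HTTP_FORBIDDEN,
+                             "Connect to remote machine blocked by allow");
+    }
+
     /* Check if it is an allowed port */
     if(!allowed_port(c_conf, uri.port)) {
               return ap_proxyerror(r, HTTP_FORBIDDEN,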
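Review bot: The new ProxyAllow check (new lines 259-262) runs even when no ProxyAllow directive is configured, and ap_proxy_checkproxyallow in proxy_util.c falls through to `return HTTP_FORBIDDEN` when `conf->allowproxies` is empty, so an existing configuration would start refusing every CONNECT once this patch is applied. If default-deny is intended it should be stated in the directive's documentation; otherwise guard the call, e.g. `if (conf->allowproxies->nelts && OK != ap_proxy_checkproxyallow(r, conf, uri_addr)) {`. The same unconditional call appears in proxy_util.c at new line 2219 and in mod_proxy_ftp.c at new line 1083. The enclosing function starts and ends outside this hunk.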
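--- a/modules/proxy/proxy_util.c
+++ b/modules/proxy/proxy_util.c
@@ -931,6 +931,47 @@
     return OK;
 }
 
+/* checks whether a host in uri_addr matches proxyallow */
+PROXY_DECLARE(int) ap_proxy_checkproxyallow(request_rec *r, proxy_server_conf *conf,
+                             apr_sockaddr_t *uri_addr)
+{
+    int j;
+    apr_sockaddr_t * src_uri_addr = uri_addr;
+    /* XXX FIXME: conf->noproxies->elts is part of an opaque structure */
+    for (j = 0; j < conf->allowproxies->nelts; j++) {
+        struct noproxy_entry *apent = (struct noproxy_entry *) conf->allowproxies->elts;
+        struct apr_sockaddr_t *conf_addr = apent[j].addr;
+        uri_addr = src_uri_addr;
+        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                     "proxy: checking remote machine [%s] against [%s]", uri_addr->hostname, apent[j].name);
+        if ((apent[j].name && ap_strstr_c(uri_addr->hostname, apent[j].name))
+            || apent[j].name[0] == '*') {
+            ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
+                         "proxy: connect to remote machine %s allowed: name %s matched", uri_addr->hostname, apent[j].name);
+            return OK;
+        }
+        while (conf_addr) {
+            uri_addr = src_uri_addr;
+            while (uri_addr) {
+                char *conf_ip;
+                char *uri_ip;
+                apr_sockaddr_ip_get(&conf_ip, conf_addr);
+                apr_sockaddr_ip_get(&uri_ip, uri_addr);
+                ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
+                             "proxy: ProxyAllow comparing %s and %s", conf_ip, uri_ip);
+                if (!apr_strnatcasecmp(conf_ip, uri_ip)) {
+                    ap_log_error(APLOG_MARK, APLOG_WARNING, 0, r->server,
+                                 "proxy: connect to remote machine %s allow: IP %s matched", uri_addr->hostname, conf_ip);
+                    return OK;
+                }
+                uri_addr = uri_addr->next;
+            }
+            conf_addr = conf_addr->next;
+        }
+    }
+    return HTTP_FORBIDDEN;
+}
+
 /* set up the minimal filter set */
 PROXY_DECLARE(int) ap_proxy_pre_http_request(conn_rec *c, request_rec *r)
 {
@@ -2174,6 +2215,11 @@
         return ap_proxyerror(r, HTTP_FORBIDDEN,
                              "Connect to remote machine blocked");
     }
+    /* check if ProxyAllow directive on this host */
+    if (OK != ap_proxy_checkproxyallow(r, conf, conn->addr)) {
+        return ap_proxyerror(r, HTTP_FORBIDDEN,
+                             "Connect to remote machine blocked");
+    }
     ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                  "proxy: connected %s to %s:%d", *url, conn->hostname,
                  conn->port);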
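Review bot: In ap_proxy_checkproxyallow the name test uses `ap_strstr_c(uri_addr->hostname, apent[j].name)`, a substring match, so an allow entry admits every hostname that merely contains it rather than only that host or its subdomains; for an allow-list this errs on the permissive side. Compare the whole name (or a suffix on a label boundary) instead, e.g. `if (apent[j].name && (apent[j].name[0] == '*' || !strcasecmp(uri_addr->hostname, apent[j].name))) {`, which also moves the `'*'` test inside the NULL guard it currently sits outside of. The two successful-match messages are logged at APLOG_WARNING on every allowed request, where APLOG_DEBUG would fit better, and the `XXX FIXME` comment still names `conf->noproxies`.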
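--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1084,6 +1084,7 @@
     ps->proxies = apr_array_make(p, 10, sizeof(struct proxy_remote));
     ps->aliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
     ps->noproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
+    ps->allowproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
     ps->dirconn = apr_array_make(p, 10, sizeof(struct dirconn_entry));
     ps->workers = apr_array_make(p, 10, sizeof(proxy_worker));
     ps->balancers = apr_array_make(p, 10, sizeof(proxy_balancer));
@@ -1121,6 +1122,7 @@
     ps->sec_proxy = apr_array_append(p, base->sec_proxy, overrides->sec_proxy);
     ps->aliases = apr_array_append(p, base->aliases, overrides->aliases);
     ps->noproxies = apr_array_append(p, base->noproxies, overrides->noproxies);
+    ps->allowproxies = apr_array_append(p, base->allowproxies, overrides->allowproxies);
     ps->dirconn = apr_array_append(p, base->dirconn, overrides->dirconn);
     ps->workers = apr_array_append(p, base->workers, overrides->workers);
     ps->balancers = apr_array_append(p, base->balancers, overrides->balancers);
@@ -2067,6 +2069,8 @@
        RSRC_CONF|ACCESS_CONF, "Domain rewrite rule for proxying cookies"),
     AP_INIT_ITERATE("ProxyBlock", set_proxy_exclude, NULL, RSRC_CONF,
      "A list of names, hosts or domains to which the proxy will not connect"),
+    AP_INIT_ITERATE("ProxyAllow", set_proxy_include, NULL, RSRC_CONF,
+     "A list of names, hosts or domains to which the proxy will connect"),
     AP_INIT_TAKE1("ProxyReceiveBufferSize", set_recv_buffer_size, NULL, RSRC_CONF,
      "Receive buffer size for outgoing HTTP and FTP connections in bytes"),
     AP_INIT_TAKE1("ProxyIOBufferSize", set_io_buffer_size, NULL, RSRC_CONF,
@@ -2157,6 +2161,38 @@
     return OK;
 }
 
+static const char *
+    set_proxy_include(cmd_parms *parms, void *dummy, const char *arg)
+{
+    server_rec *s = parms->server;
+    proxy_server_conf *conf =
+    ap_get_module_config(s->module_config, &proxy_module);
+    struct noproxy_entry *new;
+    struct noproxy_entry *list = (struct noproxy_entry *) conf->allowproxies->elts;
+    struct apr_sockaddr_t *addr;
+    int found = 0;
+    int i;
+
+    /* Don't duplicate entries */
+    for (i = 0; i < conf->allowproxies->nelts; i++) {
+        if (strcasecmp(arg, list[i].name) == 0) { /* ignore case for host names */
+            found = 1;
+        }
+    }
+
+    if (!found) {
+        new = apr_array_push(conf->allowproxies);
+        new->name = arg;
+        if (APR_SUCCESS == apr_sockaddr_info_get(&addr, new->name, APR_UNSPEC, 0, 0, parms->pool)) {
+            new->addr = addr;
+        }
+        else {
+            new->addr = NULL;
+        }
+    }
+    return NULL;
+}
+
 /*
  *  proxy Extension to mod_status
  */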
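Review bot: The merge at new line 1125 builds `ps->allowproxies` with `apr_array_append(p, base->allowproxies, overrides->allowproxies)`, so a virtual host always inherits every destination the main server allows and can only widen the list, never narrow it. That union is the safe direction for ProxyBlock but probably not for an allow-list; consider letting a non-empty override replace the base, `ps->allowproxies = overrides->allowproxies->nelts ? overrides->allowproxies : base->allowproxies;`. In set_proxy_include the name is resolved once with apr_sockaddr_info_get at configuration time and a failed lookup is stored silently as `addr = NULL`; a short comment there should say that IP matches are pinned to the addresses seen at startup.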
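--- a/modules/proxy/mod_proxy.h
+++ b/modules/proxy/mod_proxy.h
@@ -177,6 +177,7 @@
         status_full
     } proxy_status;             /* Status display options */
     char proxy_status_set;
+    apr_array_header_t *allowproxies;
     apr_pool_t *pool;           /* Pool used for allocating this struct */
 } proxy_server_conf;
 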
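Review bot: `allowproxies` is inserted in the middle of `proxy_server_conf`, ahead of `pool`, which shifts the offset of `pool` for any module built against the previous header; appending it as the last member, with the usual module magic number bump, keeps the layout compatible. This is also the only change to mod_proxy.h shown in the patch and it adds no prototype, so unless one exists elsewhere `ap_proxy_checkproxyallow` is called from mod_proxy_connect.c and mod_proxy_ftp.c without a declaration; add `PROXY_DECLARE(int) ap_proxy_checkproxyallow(request_rec *r, proxy_server_conf *conf, apr_sockaddr_t *uri_addr);` next to the ap_proxy_checkproxyblock declaration. The struct definition starts outside the hunk.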
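--- a/modules/proxy/mod_proxy_ftp.c
+++ b/modules/proxy/mod_proxy_ftp.c
@@ -1079,6 +1079,12 @@
                              "Connect to remote machine blocked");
     }
 
+    /* check if ProxyBlock directive on this host */
+    if (OK != ap_proxy_checkproxyallow(r, conf, connect_addr)) {
+        return ap_proxyerror(r, HTTP_FORBIDDEN,
+                             "Connect to remote machine blocked");
+    }
+
     /* create space for state information */
     backend = (proxy_conn_rec *) ap_get_module_config(c->conn_config, &proxy_ftp_module);
     if (!backend) {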
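Review bot: The comment on the new check at new line 1082 still reads "ProxyBlock" although the call is to ap_proxy_checkproxyallow; it should read `/* check if ProxyAllow directive on this host */`. The error text is also the same "Connect to remote machine blocked" as the ProxyBlock branch just above, whereas mod_proxy_connect.c now distinguishes "blocked by block" from "blocked by allow"; using the same wording here would keep the responses consistent across the proxy modules. The enclosing function starts and ends outside the hunk.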
