Attachment 34495 Details for Bug 59829 – like previous patch, but also setting r->server->port for correct redirections

[patch] like previous patch, but also setting r->server->port for correct redirections

mod_remoteip.patch (text/plain), 4.66 KB, created by Peter H. on 2016-12-01 13:57:32 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Peter H.

Created: 2016-12-01 13:57:32 UTC

Size: 4.66 KB

patch

obsolete

>--- mod_remoteip.c
>+++ mod_remoteip.c
>@@ -44,10 +44,18 @@
>      * from the proxy-via IP header value list)
>      */
>     const char *proxies_header_name;
>+    /** A header that may indicate user is using a
>+     * HTTPS connection to the reverse-proxy, and
>+     * the value that it must match for it to do so.
>+     */
>+    const char *secure_header_name;
>+    const char *secure_header_value;
>     /** A list of trusted proxies, ideally configured
>      *  with the most commonly encountered listed first
>      */
>     apr_array_header_t *proxymatch_ip;
>+    /** Port to use if secure header is set */
>+    const char *secure_port;
> } remoteip_config_t;
> 
> typedef struct {
>@@ -65,6 +73,7 @@
>     /* config->header_name = NULL;
>      * config->proxies_header_name = NULL;
>      */
>+    config->secure_port="443"; /* Set default value */
>     return config;
> }
> 
>@@ -85,6 +94,16 @@
>     config->proxymatch_ip = server->proxymatch_ip
>                           ? server->proxymatch_ip
>                           : global->proxymatch_ip;
>+    config->secure_header_name = server->secure_header_name
>+                                ? server->secure_header_name
>+                                : global->secure_header_name;
>+    config->secure_header_value = server->secure_header_value
>+                                ? server->secure_header_value
>+                                : global->secure_header_value;
>+    config->secure_port = server->secure_port
>+                         ? server->secure_port
>+                         : global->secure_port;
>+    
>     return config;
> }
> 
>@@ -106,6 +125,25 @@
>     return NULL;
> }
> 
>+static const char *secure_header_set(cmd_parms *cmd, void *dummy,
>+                                           const char *name, const char *value)
>+{
>+    remoteip_config_t *config = ap_get_module_config(cmd->server->module_config,
>+                                                     &remoteip_module);
>+    config->secure_header_name = name;
>+    config->secure_header_value = value;
>+    return NULL;
>+}
>+
>+static const char *secure_port_set(cmd_parms *cmd, void *dummy, const char *value)
>+{
>+    remoteip_config_t *config = ap_get_module_config(cmd->server->module_config,
>+                                                     &remoteip_module);
>+    config->secure_port = value;
>+    return NULL;
>+}
>+
>+
> /* Would be quite nice if APR exported this */
> /* apr:network_io/unix/sockaddr.c */
> static int looks_like_ip(const char *ipstr)
>@@ -229,6 +267,7 @@
>     char *proxy_ips = NULL;
>     char *parse_remote;
>     char *eos;
>+    char *secure = NULL;
>     unsigned char *addrbyte;
> 
>     /* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
>@@ -394,6 +433,25 @@
>         return OK;
>     }
> 
>+    if (config->secure_header_name) {
>+        secure = (char *) apr_table_get(r->headers_in, config->secure_header_name);
>+    }
>+
>+    if (secure) {
>+
>+        if (!strcmp(secure, config->secure_header_value)) {
>+            apr_table_setn(r->subprocess_env, "HTTPS", "on");
>+	    r->server->server_scheme = config->secure_header_value;
>+	    apr_table_set(r->subprocess_env, "SERVER_PORT", config->secure_port); 
>+            r->server->port = atoi(config->secure_port);
>+        }
>+        /* Header is available. Unset even if no match. */
>+        apr_table_unset(r->headers_in, config->secure_header_name);
>+    }
>+    else {
>+        secure = NULL;
>+    }
>+
>     req->proxied_remote = remote;
>     req->proxy_ips = proxy_ips;
> 
>@@ -417,9 +475,10 @@
> 
>     ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
>                   req->proxy_ips
>-                      ? "Using %s as client's IP by proxies %s"
>-                      : "Using %s as client's IP by internal proxies%s",
>+                      ? "Using %s as client's IP by %s proxies %s via"
>+                      : "Using %s as client's IP by %s internal proxies%s",
>                   req->useragent_ip,
>+                  secure ? "HTTPS" : "HTTP",
>                   (req->proxy_ips ? req->proxy_ips : ""));
>     return OK;
> }
>@@ -447,6 +506,12 @@
>                   RSRC_CONF | EXEC_ON_READ,
>                   "The filename to read the list of internal proxies, "
>                   "see the RemoteIPInternalProxy directive"),
>+    AP_INIT_TAKE2("SecureIndicatorHeader", secure_header_set, NULL, RSRC_CONF,
>+                  "Specifies a request header and value that indicates a secure connection, "
>+                  "e.g. \"X-Forwarded-Proto https\" or \"X-Secure-Connection on\""),
>+    AP_INIT_TAKE1("SecureIndicatorSSLPort", secure_port_set, NULL, RSRC_CONF,
>+                  "Port to be used for redirections if SecureIndicatorHeader is set, "
>+                  "Default is \"SecureInidcatorSSLPort 443\" "),
>     { NULL }
> };
>

Actions: View | Diff

Attachments on bug 59829: 34024 | 34249 | 34495 | 34496 | 34504 | 34506 | 34507 | 34518 | 34709 | 34711 | 34741 | 34774 | 34781