
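--- a/modules/metadata/mod_remoteip.c
+++ b/modules/metadata/mod_remoteip.c
@@ -55,6 +55,13 @@ typedef struct {
      * from the proxy-via IP header value list)
      */
     const char *proxies_header_name;
+    /** A header that may indicate user is using a
+     * HTTPS connection to the reverse-proxy, and
+     * the value that it must match for it to do so.
+     */
+    const char *secure_header_name;
+    const char *secure_header_value;
+    unsigned short secure_port;
     /** A list of trusted proxies, ideally configured
      *  with the most commonly encountered listed first
      */
@@ -168,6 +175,7 @@ static void *create_remoteip_server_config(apr_pool_t *p, server_rec *s)
     config->proxy_protocol_disabled = NULL;
     config->pp_optional = 0;
     config->pool = p;
+    config->secure_port = 443;
     return config;
 }
 
@@ -191,6 +199,15 @@ static void *merge_remoteip_server_config(apr_pool_t *p, void *globalv,
     config->pp_optional = server->pp_optional
                           ? server->pp_optional
                           : global->pp_optional;
+    config->secure_header_name = server->secure_header_name
+                                ? server->secure_header_name
+                                : global->secure_header_name;
+    config->secure_header_value = server->secure_header_value
+                                ? server->secure_header_value
+                                : global->secure_header_value;
+    config->secure_port = server->secure_port
+                                ? server->secure_port
+                                : global->secure_port;
     return config;
 }
 
@@ -212,6 +229,35 @@ static const char *proxies_header_name_set(cmd_parms *cmd, void *dummy,
     return NULL;
 }
 
+static const char *secure_header_set(cmd_parms *cmd, void *dummy,
+                                           const char *name, const char *value)
+{
+    remoteip_config_t *config = ap_get_module_config(cmd->server->module_config,
+                                                     &remoteip_module);
+    if (!name || !value)
+        return "SecureIndicatorHeader requires header name and valid value";
+
+    config->secure_header_name = name;
+    config->secure_header_value = value;
+    return NULL;
+}
+
+static const char *secure_port_set(cmd_parms *cmd, void *dummy, const char *value)
+{
+    remoteip_config_t *config = ap_get_module_config(cmd->server->module_config,
+                                                     &remoteip_module);
+    if (value) {
+        char *tail;
+        int intval;
+        intval = apr_strtoi64(value, &tail, 0);
+        if (errno == 0 && *tail == '\0' && intval > 0 && intval < 65536) {
+            config->secure_port = (unsigned short) intval;
+            return NULL; /* no error */
+        }
+    }
+    return "SecureIndicatorSSLPort must be an integer between 0 and 65536";
+}
+
 /* Would be quite nice if APR exported this */
 /* apr:network_io/unix/sockaddr.c */
 static int looks_like_ip(const char *ipstr)
@@ -506,6 +552,7 @@ static int remoteip_modify_request(request_rec *r)
     char *proxy_ips = NULL;
     char *parse_remote;
     char *eos;
+    char *secure = NULL;
     unsigned char *addrbyte;
 
     /* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy
@@ -698,6 +745,21 @@ static int remoteip_modify_request(request_rec *r)
         return OK;
     }
 
+    if (config->secure_header_name) {
+        secure = (char *) apr_table_get(r->headers_in, config->secure_header_name);
+    }
+
+    if (secure) {
+        if (!strcmp(secure, config->secure_header_value)) {
+            apr_table_setn(r->subprocess_env, "HTTPS", "on");
+        }
+        /* Header is available. Unset even if no match. */
+        apr_table_unset(r->headers_in, config->secure_header_name);
+    }
+    else {
+        secure = NULL;
+    }
+
     /* Port is not known so set it to zero; otherwise it can be misleading */
     req->useragent_addr->port = 0;
 
@@ -724,13 +786,33 @@ static int remoteip_modify_request(request_rec *r)
 
     ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
                   req->proxy_ips
-                      ? "Using %s as client's IP by proxies %s"
-                      : "Using %s as client's IP by internal proxies%s",
+                      ? "Using %s as client's IP by %s proxies %s via"
+                      : "Using %s as client's IP by %s internal proxies %s",
                   req->useragent_ip,
+                  secure ? "HTTPS" : "HTTP",
                   (req->proxy_ips ? req->proxy_ips : ""));
     return OK;
 }
 
+static const char* remoteip_read_scheme(const request_rec *r)
+{
+    const char* secure = (const char *) apr_table_get(r->subprocess_env, "HTTPS");
+    if (secure && !strcmp(secure, "on"))
+        return "https";
+    return NULL;
+}
+
+static unsigned short remoteip_read_port(const request_rec *r)
+{
+    const char* secure = (const char *) apr_table_get(r->subprocess_env, "HTTPS");
+    if (secure && !strcmp(secure, "on")) {
+        remoteip_config_t *config = (remoteip_config_t *)
+            ap_get_module_config(r->server->module_config, &remoteip_module);
+        return config->secure_port;
+    }
+    return 0;
+}
+
 static int remoteip_is_server_port(apr_port_t port)
 {
     ap_listen_rec *lr;
@@ -1223,6 +1305,12 @@ static const command_rec remoteip_cmds[] =
                   RSRC_CONF | EXEC_ON_READ,
                   "The filename to read the list of internal proxies, "
                   "see the RemoteIPInternalProxy directive"),
+    AP_INIT_TAKE2("SecureIndicatorHeader", secure_header_set, NULL, RSRC_CONF,
+                  "Specifies a request header and value that indicates a secure connection, "
+                  "e.g. \"X-Forwarded-Proto https\" or \"X-Secure-Connection on\""),
+    AP_INIT_TAKE1("SecureIndicatorSSLPort", secure_port_set, NULL, RSRC_CONF,
+                  "Port to be used for redirections if SecureIndicatorHeader is set, "
+                  "Default is \"SecureInidcatorSSLPort 443\" "),
     AP_INIT_TAKE1("RemoteIPProxyProtocol", remoteip_enable_proxy_protocol, NULL,
                   RSRC_CONF, "Enable proxy-protocol handling (`on', `off')"),
     { NULL }
@@ -1240,6 +1328,8 @@ static void register_hooks(apr_pool_t *p)
     ap_hook_post_config(remoteip_hook_post_config, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_pre_connection(remoteip_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE);
     ap_hook_post_read_request(remoteip_modify_request, NULL, NULL, APR_HOOK_FIRST);
+    ap_hook_http_scheme(remoteip_read_scheme, NULL, NULL, APR_HOOK_FIRST);
+    ap_hook_default_port(remoteip_read_port, NULL, NULL, APR_HOOK_FIRST);
 }
 
 AP_DECLARE_MODULE(remoteip) = {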
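Review bot: In `remoteip_modify_request` the block added at new lines 748-761 turns a request header into `HTTPS=on`, and the hunk does not show that it is reached only after the peer was accepted as a configured proxy; the function's earlier checks lie outside the visible lines, so this needs confirming and is worth pinning with a comment such as `/* reached only for requests relayed by a configured proxy; the header is client-controlled otherwise */`. The header is removed from `r->headers_in` only on this path, so on the earlier `return OK` paths a client-supplied copy presumably still reaches CGI scripts and backends. `remoteip_read_scheme` and `remoteip_read_port` are registered at `APR_HOOK_FIRST` and test only `subprocess_env["HTTPS"]`, which other modules or directives can also set, so the configured `secure_port` can be returned for requests this module never marked; a flag kept in the module's own per-request state would tie both hooks to this decision. `secure` also stays non-NULL when the header value does not match, so the trace message reports `HTTPS` for a request that was left as HTTP; the `secure = NULL;` assignment belongs in the non-matching branch rather than in the `else`.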
