Lines 55-60
typedef struct {
|
55 |
* from the proxy-via IP header value list) |
55 |
* from the proxy-via IP header value list) |
56 |
*/ |
56 |
*/ |
57 |
const char *proxies_header_name; |
57 |
const char *proxies_header_name; |
|
|
58 |
/** A header that may indicate user is using a |
59 |
* HTTPS connection to the reverse-proxy, and |
60 |
* the value that it must match for it to do so. |
61 |
*/ |
62 |
const char *secure_header_name; |
63 |
const char *secure_header_value; |
64 |
unsigned short secure_port; |
58 |
/** A list of trusted proxies, ideally configured |
65 |
/** A list of trusted proxies, ideally configured |
59 |
* with the most commonly encountered listed first |
66 |
* with the most commonly encountered listed first |
60 |
*/ |
67 |
*/ |
Lines 168-173
static void *create_remoteip_server_config(apr_pool_t *p, server_rec *s)
|
168 |
config->proxy_protocol_disabled = NULL; |
175 |
config->proxy_protocol_disabled = NULL; |
169 |
config->pp_optional = 0; |
176 |
config->pp_optional = 0; |
170 |
config->pool = p; |
177 |
config->pool = p; |
|
|
178 |
config->secure_port = 443; |
171 |
return config; |
179 |
return config; |
172 |
} |
180 |
} |
173 |
|
181 |
|
Lines 191-196
static void *merge_remoteip_server_config(apr_pool_t *p, void *globalv,
|
191 |
config->pp_optional = server->pp_optional |
199 |
config->pp_optional = server->pp_optional |
192 |
? server->pp_optional |
200 |
? server->pp_optional |
193 |
: global->pp_optional; |
201 |
: global->pp_optional; |
|
|
202 |
config->secure_header_name = server->secure_header_name |
203 |
? server->secure_header_name |
204 |
: global->secure_header_name; |
205 |
config->secure_header_value = server->secure_header_value |
206 |
? server->secure_header_value |
207 |
: global->secure_header_value; |
208 |
config->secure_port = server->secure_port |
209 |
? server->secure_port |
210 |
: global->secure_port; |
194 |
return config; |
211 |
return config; |
195 |
} |
212 |
} |
196 |
|
213 |
|
Lines 212-217
static const char *proxies_header_name_set(cmd_parms *cmd, void *dummy,
|
212 |
return NULL; |
229 |
return NULL; |
213 |
} |
230 |
} |
214 |
|
231 |
|
|
|
232 |
static const char *secure_header_set(cmd_parms *cmd, void *dummy, |
233 |
const char *name, const char *value) |
234 |
{ |
235 |
remoteip_config_t *config = ap_get_module_config(cmd->server->module_config, |
236 |
&remoteip_module); |
237 |
if (!name || !value) |
238 |
return "SecureIndicatorHeader requires header name and valid value"; |
239 |
|
240 |
config->secure_header_name = name; |
241 |
config->secure_header_value = value; |
242 |
return NULL; |
243 |
} |
244 |
|
245 |
static const char *secure_port_set(cmd_parms *cmd, void *dummy, const char *value) |
246 |
{ |
247 |
remoteip_config_t *config = ap_get_module_config(cmd->server->module_config, |
248 |
&remoteip_module); |
249 |
if (value) { |
250 |
char *tail; |
251 |
int intval; |
252 |
intval = apr_strtoi64(value, &tail, 0); |
253 |
if (errno == 0 && *tail == '\0' && intval > 0 && intval < 65536) { |
254 |
config->secure_port = (unsigned short) intval; |
255 |
return NULL; /* no error */ |
256 |
} |
257 |
} |
258 |
return "SecureIndicatorSSLPort must be an integer between 0 and 65536"; |
259 |
} |
260 |
|
215 |
/* Would be quite nice if APR exported this */ |
261 |
/* Would be quite nice if APR exported this */ |
216 |
/* apr:network_io/unix/sockaddr.c */ |
262 |
/* apr:network_io/unix/sockaddr.c */ |
217 |
static int looks_like_ip(const char *ipstr) |
263 |
static int looks_like_ip(const char *ipstr) |
Lines 506-511
static int remoteip_modify_request(request_rec *r)
|
506 |
char *proxy_ips = NULL; |
552 |
char *proxy_ips = NULL; |
507 |
char *parse_remote; |
553 |
char *parse_remote; |
508 |
char *eos; |
554 |
char *eos; |
|
|
555 |
char *secure = NULL; |
509 |
unsigned char *addrbyte; |
556 |
unsigned char *addrbyte; |
510 |
|
557 |
|
511 |
/* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy |
558 |
/* If no RemoteIPInternalProxy, RemoteIPInternalProxyList, RemoteIPTrustedProxy |
Lines 698-703
static int remoteip_modify_request(request_rec *r)
|
698 |
return OK; |
745 |
return OK; |
699 |
} |
746 |
} |
700 |
|
747 |
|
|
|
748 |
if (config->secure_header_name) { |
749 |
secure = (char *) apr_table_get(r->headers_in, config->secure_header_name); |
750 |
} |
751 |
|
752 |
if (secure) { |
753 |
if (!strcmp(secure, config->secure_header_value)) { |
754 |
apr_table_setn(r->subprocess_env, "HTTPS", "on"); |
755 |
} |
756 |
/* Header is available. Unset even if no match. */ |
757 |
apr_table_unset(r->headers_in, config->secure_header_name); |
758 |
} |
759 |
else { |
760 |
secure = NULL; |
761 |
} |
762 |
|
701 |
/* Port is not known so set it to zero; otherwise it can be misleading */ |
763 |
/* Port is not known so set it to zero; otherwise it can be misleading */ |
702 |
req->useragent_addr->port = 0; |
764 |
req->useragent_addr->port = 0; |
703 |
|
765 |
|
Lines 724-736
static int remoteip_modify_request(request_rec *r)
|
724 |
|
786 |
|
725 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, |
787 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, |
726 |
req->proxy_ips |
788 |
req->proxy_ips |
727 |
? "Using %s as client's IP by proxies %s" |
789 |
? "Using %s as client's IP by %s proxies %s via" |
728 |
: "Using %s as client's IP by internal proxies%s", |
790 |
: "Using %s as client's IP by %s internal proxies %s", |
729 |
req->useragent_ip, |
791 |
req->useragent_ip, |
|
|
792 |
secure ? "HTTPS" : "HTTP", |
730 |
(req->proxy_ips ? req->proxy_ips : "")); |
793 |
(req->proxy_ips ? req->proxy_ips : "")); |
731 |
return OK; |
794 |
return OK; |
732 |
} |
795 |
} |
733 |
|
796 |
|
|
|
797 |
static const char* remoteip_read_scheme(const request_rec *r) |
798 |
{ |
799 |
const char* secure = (const char *) apr_table_get(r->subprocess_env, "HTTPS"); |
800 |
if (secure && !strcmp(secure, "on")) |
801 |
return "https"; |
802 |
return NULL; |
803 |
} |
804 |
|
805 |
static unsigned short remoteip_read_port(const request_rec *r) |
806 |
{ |
807 |
const char* secure = (const char *) apr_table_get(r->subprocess_env, "HTTPS"); |
808 |
if (secure && !strcmp(secure, "on")) { |
809 |
remoteip_config_t *config = (remoteip_config_t *) |
810 |
ap_get_module_config(r->server->module_config, &remoteip_module); |
811 |
return config->secure_port; |
812 |
} |
813 |
return 0; |
814 |
} |
815 |
|
734 |
static int remoteip_is_server_port(apr_port_t port) |
816 |
static int remoteip_is_server_port(apr_port_t port) |
735 |
{ |
817 |
{ |
736 |
ap_listen_rec *lr; |
818 |
ap_listen_rec *lr; |
Lines 1223-1228
static const command_rec remoteip_cmds[] =
|
1223 |
RSRC_CONF | EXEC_ON_READ, |
1305 |
RSRC_CONF | EXEC_ON_READ, |
1224 |
"The filename to read the list of internal proxies, " |
1306 |
"The filename to read the list of internal proxies, " |
1225 |
"see the RemoteIPInternalProxy directive"), |
1307 |
"see the RemoteIPInternalProxy directive"), |
|
|
1308 |
AP_INIT_TAKE2("SecureIndicatorHeader", secure_header_set, NULL, RSRC_CONF, |
1309 |
"Specifies a request header and value that indicates a secure connection, " |
1310 |
"e.g. \"X-Forwarded-Proto https\" or \"X-Secure-Connection on\""), |
1311 |
AP_INIT_TAKE1("SecureIndicatorSSLPort", secure_port_set, NULL, RSRC_CONF, |
1312 |
"Port to be used for redirections if SecureIndicatorHeader is set, " |
1313 |
"Default is \"SecureInidcatorSSLPort 443\" "), |
1226 |
AP_INIT_TAKE1("RemoteIPProxyProtocol", remoteip_enable_proxy_protocol, NULL, |
1314 |
AP_INIT_TAKE1("RemoteIPProxyProtocol", remoteip_enable_proxy_protocol, NULL, |
1227 |
RSRC_CONF, "Enable proxy-protocol handling (`on', `off')"), |
1315 |
RSRC_CONF, "Enable proxy-protocol handling (`on', `off')"), |
1228 |
{ NULL } |
1316 |
{ NULL } |
Lines 1240-1245
static void register_hooks(apr_pool_t *p)
|
1240 |
ap_hook_post_config(remoteip_hook_post_config, NULL, NULL, APR_HOOK_MIDDLE); |
1328 |
ap_hook_post_config(remoteip_hook_post_config, NULL, NULL, APR_HOOK_MIDDLE); |
1241 |
ap_hook_pre_connection(remoteip_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE); |
1329 |
ap_hook_pre_connection(remoteip_hook_pre_connection, NULL, NULL, APR_HOOK_MIDDLE); |
1242 |
ap_hook_post_read_request(remoteip_modify_request, NULL, NULL, APR_HOOK_FIRST); |
1330 |
ap_hook_post_read_request(remoteip_modify_request, NULL, NULL, APR_HOOK_FIRST); |
|
|
1331 |
ap_hook_http_scheme(remoteip_read_scheme, NULL, NULL, APR_HOOK_FIRST); |
1332 |
ap_hook_default_port(remoteip_read_port, NULL, NULL, APR_HOOK_FIRST); |
1243 |
} |
1333 |
} |
1244 |
|
1334 |
|
1245 |
AP_DECLARE_MODULE(remoteip) = { |
1335 |
AP_DECLARE_MODULE(remoteip) = { |
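Review bot: remoteip_read_scheme and remoteip_read_port (new lines 797-814) decide from the shared `HTTPS` entry in `r->subprocess_env`, so they cannot tell whether this module set it after matching `SecureIndicatorHeader` or whether something else in the configuration put it there. Because register_hooks installs both at `APR_HOOK_FIRST`, they answer "https" and `config->secure_port` ahead of hooks registered later in the order, including for requests this module never vetted. The header check itself appears to sit after the early `return OK` in remoteip_modify_request, which looks like the no-trusted-proxy exit, but that function starts and ends outside the visible hunks, so this is inferred. I would record the decision in the module's own per-request state and have both hooks read that, treating the `HTTPS` variable as an output only. If the environment variable has to remain the source, say so on both hooks, e.g. `/* Trusts HTTPS=on in subprocess_env regardless of which module set it. */`.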