ASF Bugzilla – Attachment 35893 Details for
Bug 37355
Allow to specify Proxy-Authorization in ProxyRemote
[patch]
patch for modules/proxy of httpd-2.4.33
httpd-2.4.x-add-proxy-auth-support-to-mod_proxy.patch (text/plain), 22.32 KB, created by
Chris
on 2018-04-26 08:06:49 UTC
Description:
patch for modules/proxy of httpd-2.4.33
Filename:
MIME Type:
Creator:
Chris
Created:
2018-04-26 08:06:49 UTC
Size:
22.32 KB
>diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
>index e00a82d..9526728 100644
>--- a/modules/proxy/mod_proxy.c
>+++ b/modules/proxy/mod_proxy.c
>@@ -1187,7 +1187,8 @@ static int proxy_handler(request_rec *r)
> access_status = proxy_run_scheme_handler(r, worker,
> conf, url,
> ents[i].hostname,
>- ents[i].port);
>+ ents[i].port,
>+ ents[i].auth);
>
> /* Did the scheme handler process the request? */
> if (access_status != DECLINED) {
>@@ -1239,7 +1240,7 @@ static int proxy_handler(request_rec *r)
> scheme, attempts);
> AP_PROXY_RUN(r, worker, conf, url, attempts);
> access_status = proxy_run_scheme_handler(r, worker, conf,
>- url, NULL, 0);
>+ url, NULL, 0, NULL);
> if (access_status == OK
> || apr_table_get(r->notes, "proxy-error-override"))
> break;
>@@ -1605,7 +1606,7 @@ static const char *
> proxy_server_conf *conf =
> (proxy_server_conf *) ap_get_module_config(s->module_config, &proxy_module);
> struct proxy_remote *new;
>- char *p, *q;
>+ char *p, *q, *a;
> char *r, *f, *scheme;
> ap_regex_t *reg = NULL;
> int port;
>@@ -1613,6 +1614,10 @@ static const char *
> r = apr_pstrdup(cmd->pool, r1);
> scheme = apr_pstrdup(cmd->pool, r1);
> f = apr_pstrdup(cmd->pool, f1);
>+ /* separate different items from remote proxy server configuration
>+ * r = <scheme>://[<auth>@]<host>[:<port>]
>+ */
>+ /* separate scheme (must) */
> p = strchr(r, ':');
> if (p == NULL || p[1] != '/' || p[2] != '/' || p[3] == '\0') {
> if (regex)
>@@ -1621,9 +1626,26 @@ static const char *
> return "ProxyRemote: Bad syntax for a remote proxy server";
> }
> else {
>- scheme[p-r] = 0;
>+ scheme[p-r] = '\0';
>+ }
>+ *p = '\0'; /* terminate r (scheme) */
>+ p+=3;
>+ /* separate authentication string (optional, default = NULL) */
>+ q = strchr(p, '@');
>+ if (q != NULL) {
>+ *q = '\0';
>+ /* missing: syntax check of the auth string
>+ * but do we really need this?
>+ */
>+ a = ap_pbase64encode(cmd->pool, p);
>+ p = q;
>+ p+=1;
>+ }
>+ else {
>+ a = NULL;
> }
>- q = strchr(p + 3, ':');
>+ /* separate port (optional, default = default port of scheme) */
>+ q = strchr(p, ':');
> if (q != NULL) {
> if (sscanf(q + 1, "%u", &port) != 1 || port > 65535) {
> if (regex)
>@@ -1633,18 +1655,20 @@ static const char *
> }
> *q = '\0';
> }
>- else
>+ else {
> port = -1;
>- *p = '\0';
>+ }
>+
> if (regex) {
> reg = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
> if (!reg)
> return "Regular expression for ProxyRemoteMatch could not be compiled.";
> }
>- else
>- if (strchr(f, ':') == NULL)
>- ap_str_tolower(f); /* lowercase scheme */
>- ap_str_tolower(p + 3); /* lowercase hostname */
>+ else
>+ if (strchr(f, ':') == NULL) {
>+ ap_str_tolower(f); /* lowercase scheme */
>+ }
>+ ap_str_tolower(p); /* lowercase hostname */
>
> if (port == -1) {
> port = apr_uri_port_of_scheme(scheme);
>@@ -1653,8 +1677,9 @@ static const char *
> new = apr_array_push(conf->proxies);
> new->scheme = f;
> new->protocol = r;
>- new->hostname = p + 3;
>+ new->hostname = p;
> new->port = port;
>+ new->auth = a;
> new->regexp = reg;
> new->use_regex = regex;
> return NULL;
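Review bot: The userinfo split in the `@@ -1621` hunk takes everything before the first `@` and base64-encodes it unchecked, which the patch's own comment flags as "missing: syntax check of the auth string". An entry such as `http://@host`, or one with no `:` between user and password, is accepted and later yields a malformed `Proxy-Authorization: Basic` value, and a password containing `@` is cut at the wrong place, leaving the rest of the secret in `new->hostname`. I would reject bad input at configuration time, e.g. `if (*p == '\0' || strchr(p, ':') == NULL) return "ProxyRemote: Bad syntax for proxy credentials";` just before the `ap_pbase64encode()` call, and state in the directive's documentation that the credential is stored in clear text in the server configuration, so that file needs restrictive permissions. The enclosing function begins outside these hunks.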
>@@ -2608,7 +2633,7 @@ static const command_rec proxy_cmds[] =
> AP_INIT_FLAG("ProxyRequests", set_proxy_req, NULL, RSRC_CONF,
> "on if the true proxy requests should be accepted"),
> AP_INIT_TAKE2("ProxyRemote", add_proxy_noregex, NULL, RSRC_CONF,
>- "a scheme, partial URL or '*' and a proxy server"),
>+ "a scheme, partial URL or '*' and a proxy server optional with auth"),
> AP_INIT_TAKE2("ProxyRemoteMatch", add_proxy_regex, NULL, RSRC_CONF,
> "a regex pattern and a proxy server"),
> AP_INIT_FLAG("ProxyPassInterpolateEnv", ap_set_flag_slot_char,
>@@ -3047,8 +3072,10 @@ APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(proxy, PROXY, int, scheme_handler,
> (request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf,
> char *url, const char *proxyhost,
>- apr_port_t proxyport),(r,worker,conf,
>- url,proxyhost,proxyport),DECLINED)
>+ apr_port_t proxyport,
>+ const char *proxyauth),
>+ (r,worker,conf,
>+ url,proxyhost,proxyport, proxyauth),DECLINED)
> APR_IMPLEMENT_EXTERNAL_HOOK_RUN_FIRST(proxy, PROXY, int, canon_handler,
> (request_rec *r, char *url),(r,
> url),DECLINED)
>diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
>index bfa5760..7d65a64 100644
>--- a/modules/proxy/mod_proxy.h
>+++ b/modules/proxy/mod_proxy.h
>@@ -115,6 +115,7 @@ struct proxy_remote {
> const char *scheme; /* the schemes handled by this proxy, or '*' */
> const char *protocol; /* the scheme used to talk to this proxy */
> const char *hostname; /* the hostname of this proxy */
>+ const char *auth; /* base64encode(<proxyuser>:<proxypasswd>) */
> ap_regex_t *regexp; /* compiled regex (if any) for the remote */
> int use_regex; /* simple boolean. True if we have a regex pattern */
> apr_port_t port; /* the port for this proxy */
>@@ -595,7 +596,9 @@ APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, section_post_config,
> APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, scheme_handler,
> (request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf, char *url,
>- const char *proxyhost, apr_port_t proxyport))
>+ const char *proxyhost, apr_port_t proxyport,
>+ const char *proxyauth))
>+
> APR_DECLARE_EXTERNAL_HOOK(proxy, PROXY, int, canon_handler,
> (request_rec *r, char *url))
>
>@@ -892,6 +895,7 @@ PROXY_DECLARE(int) ap_proxy_post_request(proxy_worker *worker,
> * @param url request url
> * @param proxyname are we connecting directly or via a proxy
> * @param proxyport proxy host port
>+ * @param proxyauth proxy authentication
> * @param server_portstr Via headers server port, must be non-NULL
> * @param server_portstr_size size of the server_portstr buffer; must
> * be at least one, even if the protocol doesn't use this
>@@ -905,6 +909,7 @@ PROXY_DECLARE(int) ap_proxy_determine_connection(apr_pool_t *p, request_rec *r,
> char **url,
> const char *proxyname,
> apr_port_t proxyport,
>+ const char *proxyauth,
> char *server_portstr,
> int server_portstr_size);
>
>diff --git a/modules/proxy/mod_proxy_ajp.c b/modules/proxy/mod_proxy_ajp.c
>index 8669db6..916c66c 100644
>--- a/modules/proxy/mod_proxy_ajp.c
>+++ b/modules/proxy/mod_proxy_ajp.c
>@@ -721,7 +721,8 @@ static int ap_proxy_ajp_request(apr_pool_t *p, request_rec *r,
> static int proxy_ajp_handler(request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf,
> char *url, const char *proxyname,
>- apr_port_t proxyport)
>+ apr_port_t proxyport,
>+ const char *proxyauth)
> {
> int status;
> char server_portstr[32];
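Review bot: Adding `proxyauth` to the `scheme_handler` hook (`@@ -595` here, `@@ -3047` in mod_proxy.c) and to `ap_proxy_determine_connection()` (`@@ -905`) changes exported mod_proxy interfaces on a 2.4.x base, and the `struct proxy_remote` hunk inserts `auth` in the middle of a public struct. A proxy sub-module built against the current header would register a six-argument handler and be called with seven, so this presumably needs a module magic number bump and is not a drop-in change for a stable branch. A less invasive route is to keep the signatures and carry the value out of band, for example `apr_table_setn(r->notes, "proxy-remote-auth", ents[i].auth);` in `proxy_handler()` (the note key is illustrative) with a lookup where the header is written; at minimum, append `auth` as the last member of the struct instead of inserting it before `regexp`.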
>@@ -761,7 +762,8 @@ static int proxy_ajp_handler(request_rec *r, proxy_worker *worker,
> char *locurl = url;
> /* Step One: Determine Who To Connect To */
> status = ap_proxy_determine_connection(p, r, conf, worker, backend,
>- uri, &locurl, proxyname, proxyport,
>+ uri, &locurl,
>+ proxyname, proxyport, proxyauth,
> server_portstr,
> sizeof(server_portstr));
>
>diff --git a/modules/proxy/mod_proxy_connect.c b/modules/proxy/mod_proxy_connect.c
>index 7be6a6a..7f28783 100644
>--- a/modules/proxy/mod_proxy_connect.c
>+++ b/modules/proxy/mod_proxy_connect.c
>@@ -147,7 +147,8 @@ static int proxy_connect_canon(request_rec *r, char *url)
> static int proxy_connect_handler(request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf,
> char *url, const char *proxyname,
>- apr_port_t proxyport)
>+ apr_port_t proxyport,
>+ const char *proxyauth)
> {
> connect_conf *c_conf =
> ap_get_module_config(r->server->module_config, &proxy_connect_module);
>@@ -328,6 +329,13 @@ static int proxy_connect_handler(request_rec *r, proxy_worker *worker,
> "sending the CONNECT request to the remote proxy");
> ap_fprintf(backconn->output_filters, bb_back,
> "CONNECT %s HTTP/1.0" CRLF, r->uri);
>+ /* add Proxyauth Header if configured
>+ */
>+ if (proxyauth) {
>+ ap_fprintf(backconn->output_filters, bb_back,
>+ "Proxy-Authorization: Basic %s" CRLF,
>+ proxyauth);
>+ }
> ap_fprintf(backconn->output_filters, bb_back,
> "Proxy-agent: %s" CRLF CRLF, ap_get_server_banner());
> ap_fflush(backconn->output_filters, bb_back);
>diff --git a/modules/proxy/mod_proxy_fcgi.c b/modules/proxy/mod_proxy_fcgi.c
>index 2e97408..92d98be 100644
>--- a/modules/proxy/mod_proxy_fcgi.c
>+++ b/modules/proxy/mod_proxy_fcgi.c
>@@ -1002,7 +1002,8 @@ static int fcgi_do_request(apr_pool_t *p, request_rec *r,
> static int proxy_fcgi_handler(request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf,
> char *url, const char *proxyname,
>- apr_port_t proxyport)
>+ apr_port_t proxyport,
>+ const char *proxyauth)
> {
> int status;
> char server_portstr[32];
>@@ -1043,7 +1044,8 @@ static int proxy_fcgi_handler(request_rec *r, proxy_worker *worker,
> /* Step One: Determine Who To Connect To */
> uri = apr_palloc(p, sizeof(*uri));
> status = ap_proxy_determine_connection(p, r, conf, worker, backend,
>- uri, &url, proxyname, proxyport,
>+ uri, &url,
>+ proxyname, proxyport, proxyauth,
> server_portstr,
> sizeof(server_portstr));
> if (status != OK) {
>diff --git a/modules/proxy/mod_proxy_fdpass.c b/modules/proxy/mod_proxy_fdpass.c
>index 195b0fd..b7fd020 100644
>--- a/modules/proxy/mod_proxy_fdpass.c
>+++ b/modules/proxy/mod_proxy_fdpass.c
>@@ -123,7 +123,8 @@ static apr_status_t send_socket(apr_pool_t *p,
> static int proxy_fdpass_handler(request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf,
> char *url, const char *proxyname,
>- apr_port_t proxyport)
>+ apr_port_t proxyport,
>+ const char *proxyauth)
> {
> apr_status_t rv;
> apr_socket_t *sock;
>diff --git a/modules/proxy/mod_proxy_ftp.c b/modules/proxy/mod_proxy_ftp.c
>index 4a10987..5cc31a8 100644
>--- a/modules/proxy/mod_proxy_ftp.c
>+++ b/modules/proxy/mod_proxy_ftp.c
>@@ -959,7 +959,8 @@ int ftp_proxyerror(request_rec *r, proxy_conn_rec *conn, int statuscode, const c
> */
> static int proxy_ftp_handler(request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf, char *url,
>- const char *proxyhost, apr_port_t proxyport)
>+ const char *proxyhost, apr_port_t proxyport,
>+ const char *proxyauth)
> {
> apr_pool_t *p = r->pool;
> conn_rec *c = r->connection;
>diff --git a/modules/proxy/mod_proxy_http.c b/modules/proxy/mod_proxy_http.c
>index 7377a11..8b9f93d 100644
>--- a/modules/proxy/mod_proxy_http.c
>+++ b/modules/proxy/mod_proxy_http.c
>@@ -649,7 +649,8 @@ int ap_proxy_http_request(apr_pool_t *p, request_rec *r,
> proxy_conn_rec *p_conn, proxy_worker *worker,
> proxy_server_conf *conf,
> apr_uri_t *uri,
>- char *url, char *server_portstr)
>+ char *url, char *server_portstr,
>+ const char *proxyauth)
> {
> conn_rec *c = r->connection;
> apr_bucket_alloc_t *bucket_alloc = c->bucket_alloc;
>@@ -685,6 +686,14 @@ int ap_proxy_http_request(apr_pool_t *p, request_rec *r,
> return rv;
> }
>
>+ if (proxyauth) {
>+ buf = apr_pstrcat(p, "Proxy-Authorization: Basic ",
>+ proxyauth, CRLF, NULL);
>+ ap_xlate_proto_to_ascii(buf, strlen(buf));
>+ e = apr_bucket_pool_create(buf, strlen(buf), p, c->bucket_alloc);
>+ APR_BRIGADE_INSERT_TAIL(header_brigade, e);
>+ }
>+
> /* We have headers, let's figure out our request body... */
> input_brigade = apr_brigade_create(p, bucket_alloc);
>
>@@ -1852,7 +1861,7 @@ apr_status_t ap_proxy_http_cleanup(const char *scheme, request_rec *r,
> static int proxy_http_handler(request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf,
> char *url, const char *proxyname,
>- apr_port_t proxyport)
>+ apr_port_t proxyport, const char *proxyauth)
> {
> int status;
> char server_portstr[32];
>@@ -1930,7 +1939,7 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
> /* Step One: Determine Who To Connect To */
> if ((status = ap_proxy_determine_connection(p, r, conf, worker, backend,
> uri, &locurl, proxyname,
>- proxyport, server_portstr,
>+ proxyport, proxyauth, server_portstr,
> sizeof(server_portstr))) != OK)
> break;
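Review bot: The new `if (proxyauth)` block in the `@@ -685` hunk appends a `Proxy-Authorization` header without checking whether the header brigade built just above it already carries one forwarded from the client. The proxy_util.c hunk (`@@ -2301`) gives the request's own header precedence under `Proxy-Chain-Auth`, so the two paths follow different rules and this one may emit two `Proxy-Authorization` lines, which the upstream proxy is free to resolve either way. I would pick one precedence rule and apply it in both places, along the lines of `if (proxyauth && !apr_table_get(r->headers_in, "Proxy-Authorization")) {`, adjusted to however the header is filtered earlier in the function. A comment that this is a Basic credential sent unencrypted to the remote proxy on the non-SSL path would also help; the function body continues outside the hunk.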
>
>@@ -1963,12 +1972,14 @@ static int proxy_http_handler(request_rec *r, proxy_worker *worker,
> }
> }
>
>+
> /* Step Four: Send the Request
> * On the off-chance that we forced a 100-Continue as a
> * kinda HTTP ping test, allow for retries
> */
> if ((status = ap_proxy_http_request(p, r, backend, worker,
>- conf, uri, locurl, server_portstr)) != OK) {
>+ conf, uri, locurl, server_portstr,
>+ (is_ssl ? NULL : proxyauth))) != OK) {
> if ((status == HTTP_SERVICE_UNAVAILABLE) && worker->s->ping_timeout_set) {
> backend->close = 1;
> ap_log_rerror(APLOG_MARK, APLOG_INFO, status, r, APLOGNO(01115)
>diff --git a/modules/proxy/mod_proxy_scgi.c b/modules/proxy/mod_proxy_scgi.c
>index cede817..d6fd7be 100644
>--- a/modules/proxy/mod_proxy_scgi.c
>+++ b/modules/proxy/mod_proxy_scgi.c
>@@ -525,7 +525,8 @@ static int scgi_request_status(int *status, request_rec *r)
> */
> static int scgi_handler(request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf, char *url,
>- const char *proxyname, apr_port_t proxyport)
>+ const char *proxyname, apr_port_t proxyport,
>+ const char *proxyauth)
> {
> int status;
> proxy_conn_rec *backend = NULL;
>@@ -550,7 +551,8 @@ static int scgi_handler(request_rec *r, proxy_worker *worker,
> /* Step One: Determine Who To Connect To */
> uri = apr_palloc(p, sizeof(*uri));
> status = ap_proxy_determine_connection(p, r, conf, worker, backend,
>- uri, &url, proxyname, proxyport,
>+ uri, &url,
>+ proxyname, proxyport, proxyauth,
> &dummy, 1);
> if (status != OK) {
> goto cleanup;
>diff --git a/modules/proxy/mod_proxy_uwsgi.c b/modules/proxy/mod_proxy_uwsgi.c
>index bc7e7f9..fc09a01 100644
>--- a/modules/proxy/mod_proxy_uwsgi.c
>+++ b/modules/proxy/mod_proxy_uwsgi.c
>@@ -443,7 +443,8 @@ static int uwsgi_response(request_rec *r, proxy_conn_rec * backend,
>
> static int uwsgi_handler(request_rec *r, proxy_worker * worker,
> proxy_server_conf * conf, char *url,
>- const char *proxyname, apr_port_t proxyport)
>+ const char *proxyname, apr_port_t proxyport,
>+ const char *proxyauth)
> {
> int status;
> int delta = 0;
>@@ -492,7 +493,7 @@ static int uwsgi_handler(request_rec *r, proxy_worker * worker,
> /* Step One: Determine Who To Connect To */
> status = ap_proxy_determine_connection(p, r, conf, worker, backend,
> uri, &url, proxyname, proxyport,
>- server_portstr,
>+ proxyauth, server_portstr,
> sizeof(server_portstr));
> if (status != OK) {
> goto cleanup;
>diff --git a/modules/proxy/mod_proxy_wstunnel.c b/modules/proxy/mod_proxy_wstunnel.c
>index 9dda010..aaeffb1 100644
>--- a/modules/proxy/mod_proxy_wstunnel.c
>+++ b/modules/proxy/mod_proxy_wstunnel.c
>@@ -278,7 +278,8 @@ static int proxy_wstunnel_request(apr_pool_t *p, request_rec *r,
> static int proxy_wstunnel_handler(request_rec *r, proxy_worker *worker,
> proxy_server_conf *conf,
> char *url, const char *proxyname,
>- apr_port_t proxyport)
>+ apr_port_t proxyport,
>+ const char *proxyauth)
> {
> int status;
> char server_portstr[32];
>@@ -336,7 +337,8 @@ static int proxy_wstunnel_handler(request_rec *r, proxy_worker *worker,
> char *locurl = url;
> /* Step One: Determine Who To Connect To */
> status = ap_proxy_determine_connection(p, r, conf, worker, backend,
>- uri, &locurl, proxyname, proxyport,
>+ uri, &locurl,
>+ proxyname, proxyport, proxyauth,
> server_portstr,
> sizeof(server_portstr));
>
>diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
>index 59f5e30..f9c97c9 100644
>--- a/modules/proxy/proxy_util.c
>+++ b/modules/proxy/proxy_util.c
>@@ -2189,6 +2189,7 @@ ap_proxy_determine_connection(apr_pool_t *p, request_rec *r,
> char **url,
> const char *proxyname,
> apr_port_t proxyport,
>+ const char *proxyauth,
> char *server_portstr,
> int server_portstr_size)
> {
>@@ -2301,7 +2302,11 @@ ap_proxy_determine_connection(apr_pool_t *p, request_rec *r,
> proxy_auth[0] != '\0' &&
> r->user == NULL && /* we haven't yet authenticated */
> apr_table_get(r->subprocess_env, "Proxy-Chain-Auth")) {
>+ /* take ProxyAuth from Request */
> forward->proxy_auth = apr_pstrdup(conn->pool, proxy_auth);
>+ } else if ( proxyauth ) {
>+ /* take ProxyAuth from ProxyRemote */
>+ forward->proxy_auth = apr_pstrcat(conn->pool, "Basic ", proxyauth, NULL);
> }
> }
> }
>@@ -2513,11 +2518,6 @@ static apr_status_t send_http_connect(proxy_conn_rec *backend,
> forward_info *forward = (forward_info *)backend->forward;
> int len = 0;
>
>- ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00948)
>- "CONNECT: sending the CONNECT request for %s:%d "
>- "to the remote proxy %pI (%s)",
>- forward->target_host, forward->target_port,
>- backend->addr, backend->hostname);
> /* Create the CONNECT request */
> nbytes = apr_snprintf(buffer, sizeof(buffer),
> "CONNECT %s:%d HTTP/1.0" CRLF,
>@@ -2527,6 +2527,17 @@ static apr_status_t send_http_connect(proxy_conn_rec *backend,
> nbytes += apr_snprintf(buffer + nbytes, sizeof(buffer) - nbytes,
> "Proxy-Authorization: %s" CRLF,
> forward->proxy_auth);
>+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00948)
>+ "CONNECT: sending the CONNECT request for %s:%d "
>+ "to the remote proxy %pI (%s) with forward auth \"%s\"",
>+ forward->target_host, forward->target_port,
>+ backend->addr, backend->hostname, forward->proxy_auth);
>+ } else {
>+ ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, s, APLOGNO(00948)
>+ "CONNECT: sending the CONNECT request for %s:%d "
>+ "to the remote proxy %pI (%s) without auth",
>+ forward->target_host, forward->target_port,
>+ backend->addr, backend->hostname);
> }
> /* Set a reasonable agent and send everything */
> nbytes += apr_snprintf(buffer + nbytes, sizeof(buffer) - nbytes,
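Review bot: The rewritten debug message in `send_http_connect()` prints `forward->proxy_auth` verbatim, so the Basic credential lands in the error log whenever the log level reaches debug. That covers both the value configured in ProxyRemote and one taken from a client request under `Proxy-Chain-Auth` (see the `@@ -2301` hunk). Base64 is an encoding, not protection, and error logs are often readable by more people than the server configuration. Log only that authentication is attached: end the format string with `"to the remote proxy %pI (%s) with proxy authentication"` and drop the `forward->proxy_auth` argument. The two new calls also share `APLOGNO(00948)` for different messages; each distinct message should get its own number.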