Attachment 36337 Details for Bug 61355 – get the proxied protocol from header with mod_remoteip

[patch] get the proxied protocol from header with mod_remoteip

pat (text/plain), 5.33 KB, created by Axel Reinhold on 2018-12-19 11:08:22 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Axel Reinhold

Created: 2018-12-19 11:08:22 UTC

Size: 5.33 KB

patch

obsolete

>--- modules/metadata/mod_remoteip.c	Wed Jun  6 21:04:45 2018
>+++ modules/metadata/mod_remoteip.c	Mon Dec 17 17:50:13 2018
>@@ -55,6 +55,11 @@
>      * (removed as the physical connection and
>      * from the proxy-via IP header value list)
>      */
>+    const char *header_scheme;
>+    /** A header to record the proxied scheme
>+     * (removed as the physical connection and
>+     * from the proxy-via IP header value list)
>+     */
>     const char *proxies_header_name;
>     /** A list of trusted proxies, ideally configured
>      *  with the most commonly encountered listed first
>@@ -154,6 +159,7 @@
>     remoteip_config_t *config = apr_pcalloc(p, sizeof(*config));
>     config->disabled_subnets = apr_array_make(p, 1, sizeof(apr_ipsubnet_t *));
>     /* config->header_name = NULL;
>+     * config->header_scheme = NULL;
>      * config->proxies_header_name = NULL;
>      * config->proxy_protocol_enabled = NULL;
>      * config->proxy_protocol_disabled = NULL;
>@@ -173,6 +179,9 @@
>     config->header_name = server->header_name
>                         ? server->header_name
>                         : global->header_name;
>+    config->header_scheme = server->header_scheme
>+                          ? server->header_scheme
>+                          : global->header_scheme;
>     config->proxies_header_name = server->proxies_header_name
>                                 ? server->proxies_header_name
>                                 : global->proxies_header_name;
>@@ -191,6 +200,15 @@
>     return NULL;
> }
> 
>+static const char *scheme_name_set(cmd_parms *cmd, void *dummy,
>+                                   const char *arg)
>+{
>+    remoteip_config_t *config = ap_get_module_config(cmd->server->module_config,
>+                                                     &remoteip_module);
>+    config->header_scheme = arg;
>+    return NULL;
>+}
>+
> static const char *proxies_header_name_set(cmd_parms *cmd, void *dummy,
>                                            const char *arg)
> {
>@@ -529,6 +547,7 @@
> 
>     apr_status_t rv;
>     char *remote;
>+    char *scheme;
>     char *proxy_ips = NULL;
>     char *parse_remote;
>     char *eos;
>@@ -739,6 +758,11 @@
> 
>     r->useragent_addr = req->useragent_addr;
>     r->useragent_ip = req->useragent_ip;
>+    if (config->header_name) {
>+        scheme = (char *) apr_table_get(r->headers_in, config->header_scheme);
>+        if (scheme && strcmp(scheme, "https") == 0)
>+            r->server->server_scheme = scheme;
>+    }
> 
>     ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r,
>                   req->proxy_ips
>@@ -1199,6 +1223,9 @@
>     AP_INIT_TAKE1("RemoteIPHeader", header_name_set, NULL, RSRC_CONF,
>                   "Specifies a request header to trust as the client IP, "
>                   "e.g. X-Forwarded-For"),
>+    AP_INIT_TAKE1("RemoteIPProtoHeader", scheme_name_set, NULL, RSRC_CONF,
>+                  "Specifies a request header to trust as the client scheme, "
>+                  "e.g. X-Forwarded-Proto"),
>     AP_INIT_TAKE1("RemoteIPProxiesHeader", proxies_header_name_set,
>                   NULL, RSRC_CONF,
>                   "Specifies a request header to record proxy IP's, "
>EOF
>: patch -b -p0 <<'EOF'
>--- docs/manual/mod/mod_remoteip.xml	(revision 1849285)
>+++ docs/manual/mod/mod_remoteip.xml	(working copy)
>@@ -123,7 +123,6 @@
>     <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> directives.  Unless these
>     other directives are used, <module>mod_remoteip</module> will trust all
>     hosts presenting a <directive module="mod_remoteip">RemoteIPHeader</directive> IP value.</p>
>-
>     <example><title>Internal (Load Balancer) Example</title>
>     <highlight language="config">
>         RemoteIPHeader X-Client-IP
>@@ -139,6 +138,36 @@
> </directivesynopsis>
> 
> <directivesynopsis>
>+<name>RemoteIPProtoHeader</name>
>+<description>Declare the header field which should be parsed for useragent protocol used</description>
>+<syntax>RemoteIPProtoHeader <var>scheme-header-field</var></syntax>
>+<contextlist><context>server config</context><context>virtual host</context></contextlist>
>+
>+<usage>
>+    <p>The <directive module="mod_remoteip">RemoteIPProtoHeader</directive> directive triggers
>+    <module>mod_remoteip</module> to treat the value of the specified
>+    <var>scheme-header-field</var> header as the useragent protocol used,
>+    subject to further configuration
>+    of the <directive module="mod_remoteip">RemoteIPInternalProxy</directive> and
>+    <directive module="mod_remoteip">RemoteIPTrustedProxy</directive> directives.  Unless these
>+    other directives are used, <module>mod_remoteip</module> will trust all
>+    hosts presenting a <directive module="mod_remoteip">RemoteIPProtoHeader</directive> protocol value.
>+    The only valid value for the RemoteIPProtoHeader header is "https".</p>
>+    <example><title>Internal (Load Balancer) Example</title>
>+    <highlight language="config">
>+        RemoteIPProtoHeader X-Client-Proto
>+        </highlight>
>+    </example>
>+
>+    <example><title>Proxy Example</title>
>+    <highlight language="config">
>+        RemoteIPProtoHeader X-Forwarded-Proto
>+        </highlight>
>+    </example>
>+</usage>
>+</directivesynopsis>
>+
>+<directivesynopsis>
> <name>RemoteIPInternalProxy</name>
> <description>Declare client intranet IP addresses trusted to present the RemoteIPHeader value</description>
> <syntax>RemoteIPInternalProxy <var>proxy-ip</var>|<var>proxy-ip/subnet</var>|<var>hostname</var> ...</syntax>

Actions: View | Diff

Attachments on bug 61355: 36295 | 36337