static int rpaf_post_read_request(request_rec *r) {
char *fwdvalue, *val, *mask, *last_val;
int i;
apr_port_t tmpport;
apr_pool_t *tmppool;
const char *header_ip = NULL, *header_host = NULL, *header_https = NULL, *header_port = NULL;
rpaf_server_cfg *cfg = (rpaf_server_cfg *)ap_get_module_config(r->server->module_config,
&rpaf_module);
if (!cfg->enable)
return DECLINED;
/* this overcomes an issue when mod_rewrite causes this to get called again
and the environment value is lost for HTTPS. This is the only thing that
is lost and we do not need to process any further after restoring the
value. Note that this check uses the *per-request* note - otherwise we
would shortcut here for every subsequent request */
const char *rpaf_https = apr_table_get(r->notes, "rpaf_https");
if (rpaf_https) {
apr_table_set(r->subprocess_env, "HTTPS", rpaf_https);
return DECLINED;
}
/* check if the remote_addr is in the allowed proxy IP list */
if (is_in_array(r->DEF_ADDR, cfg->proxy_ips) != 1) {
if (cfg->forbid_if_not_proxy)
return HTTP_FORBIDDEN;
return DECLINED;
}
/* TODO: We should not just assume that we should fallback to
X-Forwarded-For as this could pose a security risk, keeping
this for now to keep our behaviour consistant */
header_ip = cfg->headername;
if (header_ip)
fwdvalue = (char *)apr_table_get(r->headers_in, header_ip);
if (!header_ip || !fwdvalue)
{
header_ip = "X-Forwarded-For";
fwdvalue = (char *)apr_table_get(r->headers_in, header_ip);
}
/* if there was no forwarded for header then we dont do anything */
if (!fwdvalue)
return DECLINED;
/* split up the list of forwarded IPs */
apr_array_header_t *arr = apr_array_make(r->pool, 4, sizeof(char *));
while ((val = strsep(&fwdvalue, ",")) != NULL) {
/* strip leading and trailing whitespace */
while(isspace(*val))
++val;
for (i = strlen(val) - 1; i > 0 && isspace(val[i]); i--)
val[i] = '\0';
if (rpaf_looks_like_ip(val))
*(char **)apr_array_push(arr) = apr_pstrdup(r->pool, val);
}
/* if there were no IPs, then there is nothing to do */
if (apr_is_empty_array(arr))
return DECLINED;
/* get the last IP and check if it is in our list of proxies */
if ((last_val = last_not_in_array(r, arr, cfg->proxy_ips)) == NULL)
return DECLINED;
/* if we are cleaning up the headers then we need to correct the forwarded IP list */
if (cfg->clean_headers)
{
/* pop the proxy's IP from the list */
apr_array_pop(arr);
if (apr_is_empty_array(arr))
apr_table_unset(r->headers_in, header_ip);
else {
char *ip_list = apr_array_pstrcat(r->pool, arr, ',');
apr_table_set(r->headers_in, header_ip, ip_list);
}
}
rpaf_cleanup_rec *rcr = (rpaf_cleanup_rec *)apr_pcalloc(r->pool, sizeof(rpaf_cleanup_rec));
rcr->old_ip = apr_pstrdup(r->DEF_POOL, r->DEF_IP);
rcr->r = r;
apr_pool_cleanup_register(r->pool, (void *)rcr, rpaf_cleanup, apr_pool_cleanup_null);
r->DEF_IP = apr_pstrdup(r->DEF_POOL, last_val);
memcpy(&rcr->old_addr, r->DEF_ADDR, sizeof(apr_sockaddr_t));
tmppool = r->DEF_ADDR->pool;
tmpport = r->DEF_ADDR->port;
apr_sockaddr_t *tmpsa;
int ret = apr_sockaddr_info_get(&tmpsa, r->DEF_IP, APR_UNSPEC, tmpport, 0, tmppool);
if (ret == APR_SUCCESS)
memcpy(r->DEF_ADDR, tmpsa, sizeof(apr_sockaddr_t));
if (cfg->sethostname) {
const char *hostvalue;
header_host = "X-Forwarded-Host";
hostvalue = apr_table_get(r->headers_in, header_host);
if (!hostvalue) {
header_host = "X-Host";
hostvalue = apr_table_get(r->headers_in, header_host);
}
if (!hostvalue) {
header_host = NULL;
} else {
apr_array_header_t *arr = apr_array_make(r->pool, 0, sizeof(char*));
while (*hostvalue && (val = ap_get_token(r->pool, &hostvalue, 1))) {
*(char **)apr_array_push(arr) = apr_pstrdup(r->pool, val);
if (*hostvalue != '\0')
++hostvalue;
}
apr_table_set(r->headers_in, "Host", apr_pstrdup(r->pool, ((char **)arr->elts)[((arr->nelts)-1)]));
r->hostname = apr_pstrdup(r->pool, ((char **)arr->elts)[((arr->nelts)-1)]);
ap_update_vhost_from_headers(r);
}
}
if (cfg->sethttps) {
const char *httpsvalue, *scheme;
header_https = "X-Forwarded-HTTPS";
httpsvalue = apr_table_get(r->headers_in, header_https);
if (!httpsvalue) {
header_https = "X-HTTPS";
httpsvalue = apr_table_get(r->headers_in, header_https);
}
if (!httpsvalue) {
header_https = "X-Forwarded-Proto";
httpsvalue = apr_table_get(r->headers_in, header_https);
if (!httpsvalue) {
header_https = "X-Forwarded-Protocol";
httpsvalue = apr_table_get(r->headers_in, header_https);
}
if (httpsvalue) {
if (strcmp(httpsvalue, cfg->https_scheme) == 0) {
/* set a per-request note to get around an issue with mod_rewrite
(explained in an earlier comment), and a per-connection note
to allow our version of ssl_is_https() to work.
*/
apr_table_set(r->notes, "rpaf_https", "on");
apr_table_set(r->connection->notes, "rpaf_https", "on");
apr_table_set(r->subprocess_env , "HTTPS" , "on");
scheme = cfg->https_scheme;
} else {
scheme = cfg->orig_scheme;
}
} else {
header_https = NULL;
scheme = cfg->orig_scheme;
}
} else {
if(strcmp(httpsvalue, "on") == 0 || strcmp(httpsvalue, "On") == 0) {
apr_table_set(r->notes, "rpaf_https", "on");
apr_table_set(r->connection->notes, "rpaf_https", "on");
apr_table_set(r->subprocess_env , "HTTPS" , "on");
scheme = cfg->https_scheme;
} else {
scheme = cfg->orig_scheme;
}
}
#if AP_SERVER_MINORVERSION_NUMBER > 1 && AP_SERVER_PATCHLEVEL_NUMBER > 2
r->server->server_scheme = scheme;
#endif
}
if (cfg->setport) {
const char *portvalue;
header_port = "X-Forwarded-Port";
portvalue = apr_table_get(r->headers_in, header_port);
if (!portvalue) {
header_port = "X-Port";
portvalue = apr_table_get(r->headers_in, header_port);
}
if (!portvalue) {
header_port = NULL;
r->server->port = cfg->orig_port;
} else {
r->server->port = atoi(portvalue);
r->parsed_uri.port = r->server->port;
}
}
if (cfg->clean_headers) {
if (header_host ) apr_table_unset(r->headers_in, header_host );
if (header_https) apr_table_unset(r->headers_in, header_https);
if (header_port ) apr_table_unset(r->headers_in, header_port );
}
return DECLINED;
}
static int change_remote_ip(request_rec *r) {
const char *fwdvalue;
char *val;
apr_port_t tmpport;
apr_pool_t *tmppool;
rpaf_server_cfg *cfg = (rpaf_server_cfg *)ap_get_module_config(r->server->module_config,
&rpaf_module);
if (!cfg->enable)
return DECLINED;
if (is_in_array(r->pool, r->connection->remote_ip, cfg->proxy_ips) == 1) {
/* check if cfg->headername is set and if it is use
that instead of X-Forwarded-For by default */
if (cfg->headername && (fwdvalue = apr_table_get(r->headers_in, cfg->headername))) {
//
} else if ((fwdvalue = apr_table_get(r->headers_in, "X-Forwarded-For"))) {
//
} else {
return DECLINED;
}
if (fwdvalue) {
rpaf_cleanup_rec *rcr = (rpaf_cleanup_rec *)apr_pcalloc(r->pool, sizeof(rpaf_cleanup_rec));
apr_array_header_t *arr = apr_array_make(r->pool, 0, sizeof(char*));
while (*fwdvalue && (val = ap_get_token(r->pool, &fwdvalue, 1))) {
*(char **)apr_array_push(arr) = apr_pstrdup(r->pool, val);
if (*fwdvalue != '\0')
++fwdvalue;
}
rcr->old_ip = apr_pstrdup(r->connection->pool, r->connection->remote_ip);
rcr->r = r;
apr_pool_cleanup_register(r->pool, (void *)rcr, rpaf_cleanup, apr_pool_cleanup_null);
r->connection->remote_ip = apr_pstrdup(r->connection->pool, last_not_in_array(r->pool, arr, cfg->proxy_ips));
tmppool = r->connection->remote_addr->pool;
tmpport = r->connection->remote_addr->port;
memset(r->connection->remote_addr, '\0', sizeof(apr_sockaddr_t));
r->connection->remote_addr = NULL;
apr_sockaddr_info_get(&(r->connection->remote_addr), r->connection->remote_ip, APR_UNSPEC, tmpport, 0, tmppool);
if (cfg->sethostname) {
const char *hostvalue;
if ((hostvalue = apr_table_get(r->headers_in, "X-Forwarded-Host")) ||
(hostvalue = apr_table_get(r->headers_in, "X-Host"))) {
apr_array_header_t *arr = apr_array_make(r->pool, 0, sizeof(char*));
while (*hostvalue && (val = ap_get_token(r->pool, &hostvalue, 1))) {
*(char **)apr_array_push(arr) = apr_pstrdup(r->pool, val);
if (*hostvalue != '\0')
++hostvalue;
}
apr_table_set(r->headers_in, "Host", apr_pstrdup(r->pool, ((char **)arr->elts)[((arr->nelts)-1)]));
r->hostname = apr_pstrdup(r->pool, ((char **)arr->elts)[((arr->nelts)-1)]);
ap_update_vhost_from_headers(r);
}
}
if (cfg->sethttps) {
const char *httpsvalue;
if ((httpsvalue = apr_table_get(r->headers_in, "X-Forwarded-HTTPS")) ||
(httpsvalue = apr_table_get(r->headers_in, "X-HTTPS"))) {
apr_table_set(r->subprocess_env, "HTTPS", apr_pstrdup(r->pool, httpsvalue));
r->server->server_scheme = cfg->https_scheme;
} else {
r->server->server_scheme = cfg->orig_scheme;
}
}
if (cfg->setport) {
const char *portvalue;
if ((portvalue = apr_table_get(r->headers_in, "X-Forwarded-Port")) ||
(portvalue = apr_table_get(r->headers_in, "X-Port"))) {
r->server->port = atoi(portvalue);
r->parsed_uri.port = r->server->port;
} else {
r->server->port = cfg->orig_port;
}
}
}
}
return DECLINED;
}
static int rpaf_post_read_request(request_rec *r) {
char *fwdvalue, *val, *mask, *last_val;
int i;
apr_port_t tmpport;
apr_pool_t *tmppool;
rpaf_server_cfg *cfg = (rpaf_server_cfg *)ap_get_module_config(r->server->module_config,
&rpaf_module);
if (!cfg->enable)
return DECLINED;
/* this overcomes an issue when mod_rewrite causes this to get called again
and the environment value is lost for HTTPS. This is the only thing that
is lost and we do not need to process any further after restoring the
value. */
const char *rpaf_https = apr_table_get(r->connection->notes, "rpaf_https");
if (rpaf_https) {
apr_table_set(r->subprocess_env, "HTTPS", rpaf_https);
return DECLINED;
}
/* check if the client_addr is in the allowed proxy IP list */
if (is_in_array(r->connection->client_addr, cfg->proxy_ips) != 1) {
if (cfg->forbid_if_not_proxy)
return HTTP_FORBIDDEN;
return DECLINED;
}
/* check if cfg->headername is set and if it is use
that instead of X-Forwarded-For by default */
if (cfg->headername && (fwdvalue = (char *)apr_table_get(r->headers_in, cfg->headername))) {
//
} else if (cfg->headername == NULL && (fwdvalue = (char *)apr_table_get(r->headers_in, "X-Forwarded-For"))) {
//
} else {
return DECLINED;
}
/* if there was no forwarded for header then we dont do anything */
if (!fwdvalue)
return DECLINED;
apr_array_header_t *arr = apr_array_make(r->pool, 4, sizeof(char *));
while ((val = strsep(&fwdvalue, ",")) != NULL) {
/* strip leading and trailing whitespace */
while(isspace(*val))
++val;
for (i = strlen(val) - 1; i > 0 && isspace(val[i]); i--)
val[i] = '\0';
if (rpaf_looks_like_ip(val))
*(char **)apr_array_push(arr) = apr_pstrdup(r->pool, val);
}
if (arr->nelts == 0)
return DECLINED;
if ((last_val = last_not_in_array(r, arr, cfg->proxy_ips)) == NULL)
return DECLINED;
rpaf_cleanup_rec *rcr = (rpaf_cleanup_rec *)apr_pcalloc(r->pool, sizeof(rpaf_cleanup_rec));
rcr->old_ip = apr_pstrdup(r->connection->pool, r->connection->client_ip);
rcr->r = r;
apr_pool_cleanup_register(r->pool, (void *)rcr, rpaf_cleanup, apr_pool_cleanup_null);
r->connection->client_ip = apr_pstrdup(r->connection->pool, last_val);
tmppool = r->connection->client_addr->pool;
tmpport = r->connection->client_addr->port;
apr_sockaddr_t *tmpsa;
int ret = apr_sockaddr_info_get(&tmpsa, r->connection->client_ip, APR_UNSPEC, tmpport, 0, tmppool);
if (ret == APR_SUCCESS)
memcpy(r->connection->client_addr, tmpsa, sizeof(apr_sockaddr_t));
if (cfg->sethostname) {
const char *hostvalue;
if ((hostvalue = apr_table_get(r->headers_in, "X-Forwarded-Host")) ||
(hostvalue = apr_table_get(r->headers_in, "X-Host"))) {
apr_array_header_t *arr = apr_array_make(r->pool, 0, sizeof(char*));
while (*hostvalue && (val = ap_get_token(r->pool, &hostvalue, 1))) {
*(char **)apr_array_push(arr) = apr_pstrdup(r->pool, val);
if (*hostvalue != '\0')
++hostvalue;
}
apr_table_set(r->headers_in, "Host", apr_pstrdup(r->pool, ((char **)arr->elts)[((arr->nelts)-1)]));
r->hostname = apr_pstrdup(r->pool, ((char **)arr->elts)[((arr->nelts)-1)]);
ap_update_vhost_from_headers(r);
}
}
if (cfg->sethttps) {
const char *httpsvalue, *scheme;
if ((httpsvalue = apr_table_get(r->headers_in, "X-Forwarded-HTTPS")) ||
(httpsvalue = apr_table_get(r->headers_in, "X-HTTPS"))) {
apr_table_set(r->connection->notes, "rpaf_https", httpsvalue);
apr_table_set(r->subprocess_env , "HTTPS" , httpsvalue);
scheme = cfg->https_scheme;
} else if ((httpsvalue = apr_table_get(r->headers_in, "X-Forwarded-Proto"))
&& (strcmp(httpsvalue, cfg->https_scheme) == 0)) {
apr_table_set(r->connection->notes, "rpaf_https", "on");
apr_table_set(r->subprocess_env , "HTTPS" , "on");
scheme = cfg->https_scheme;
} else {
scheme = cfg->orig_scheme;
}
#if AP_SERVER_MINORVERSION_NUMBER > 1 && AP_SERVER_PATCHLEVEL_NUMBER > 2
r->server->server_scheme = scheme;
#endif
}
if (cfg->setport) {
const char *portvalue;
if ((portvalue = apr_table_get(r->headers_in, "X-Forwarded-Port")) ||
(portvalue = apr_table_get(r->headers_in, "X-Port"))) {
r->server->port = atoi(portvalue);
r->parsed_uri.port = r->server->port;
} else {
r->server->port = cfg->orig_port;
}
}
return DECLINED;
}
