static void test_singleton_subnets(abts_case *tc, void *data) { const char *v4addrs[] = { "127.0.0.1", "129.42.18.99", "63.161.155.20", "207.46.230.229", "64.208.42.36", "198.144.203.195", "192.18.97.241", "198.137.240.91", "62.156.179.119", "204.177.92.181" }; apr_ipsubnet_t *ipsub; apr_sockaddr_t *sa; apr_status_t rv; int i, j, rc; for (i = 0; i < sizeof v4addrs / sizeof v4addrs[0]; i++) { rv = apr_ipsubnet_create(&ipsub, v4addrs[i], NULL, p); ABTS_TRUE(tc, rv == APR_SUCCESS); for (j = 0; j < sizeof v4addrs / sizeof v4addrs[0]; j++) { rv = apr_sockaddr_info_get(&sa, v4addrs[j], APR_INET, 0, 0, p); ABTS_TRUE(tc, rv == APR_SUCCESS); rc = apr_ipsubnet_test(ipsub, sa); if (!strcmp(v4addrs[i], v4addrs[j])) { ABTS_TRUE(tc, rc != 0); } else { ABTS_TRUE(tc, rc == 0); } } } /* same for v6? */ }
static authz_status local_check_authorization(request_rec *r, const char *require_line, const void *parsed_require_line) { if ( apr_sockaddr_equal(r->connection->local_addr, r->useragent_addr) || apr_ipsubnet_test(localhost_v4, r->useragent_addr) #if APR_HAVE_IPV6 || apr_ipsubnet_test(localhost_v6, r->useragent_addr) #endif ) { return AUTHZ_GRANTED; } return AUTHZ_DENIED; }
static void test_interesting_subnets(abts_case *tc, void *data) { struct { const char *ipstr, *mask; int family; char *in_subnet, *not_in_subnet; } testcases[] = { {"9.67", NULL, APR_INET, "9.67.113.15", "10.1.2.3"} ,{"9.67.0.0", "16", APR_INET, "9.67.113.15", "10.1.2.3"} ,{"9.67.0.0", "255.255.0.0", APR_INET, "9.67.113.15", "10.1.2.3"} ,{"9.67.113.99", "16", APR_INET, "9.67.113.15", "10.1.2.3"} ,{"9.67.113.99", "255.255.255.0", APR_INET, "9.67.113.15", "10.1.2.3"} ,{"127", NULL, APR_INET, "127.0.0.1", "10.1.2.3"} ,{"127.0.0.1", "8", APR_INET, "127.0.0.1", "10.1.2.3"} #if APR_HAVE_IPV6 ,{"fe80::", "8", APR_INET6, "fe80::1", "ff01::1"} ,{"ff01::", "8", APR_INET6, "ff01::1", "fe80::1"} ,{"3FFE:8160::", "28", APR_INET6, "3ffE:816e:abcd:1234::1", "3ffe:8170::1"} ,{"127.0.0.1", NULL, APR_INET6, "::ffff:127.0.0.1", "fe80::1"} ,{"127.0.0.1", "8", APR_INET6, "::ffff:127.0.0.1", "fe80::1"} #endif }; apr_ipsubnet_t *ipsub; apr_sockaddr_t *sa; apr_status_t rv; int i, rc; for (i = 0; i < sizeof testcases / sizeof testcases[0]; i++) { rv = apr_ipsubnet_create(&ipsub, testcases[i].ipstr, testcases[i].mask, p); ABTS_TRUE(tc, rv == APR_SUCCESS); rv = apr_sockaddr_info_get(&sa, testcases[i].in_subnet, testcases[i].family, 0, 0, p); ABTS_TRUE(tc, rv == APR_SUCCESS); ABTS_TRUE(tc, sa != NULL); if (!sa) continue; rc = apr_ipsubnet_test(ipsub, sa); ABTS_TRUE(tc, rc != 0); rv = apr_sockaddr_info_get(&sa, testcases[i].not_in_subnet, testcases[i].family, 0, 0, p); ABTS_TRUE(tc, rv == APR_SUCCESS); rc = apr_ipsubnet_test(ipsub, sa); ABTS_TRUE(tc, rc == 0); } }
static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method) { allowdeny *ap = (allowdeny *) a->elts; apr_int64_t mmask = (AP_METHOD_BIT << method); int i; int gothost = 0; const char *remotehost = NULL; for (i = 0; i < a->nelts; ++i) { if (!(mmask & ap[i].limited)) continue; switch (ap[i].type) { case T_ENV: if (apr_table_get(r->subprocess_env, ap[i].x.from)) { return 1; } break; case T_ALL: return 1; case T_IP: if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) { return 1; } break; case T_HOST: if (!gothost) { int remotehost_is_ip; remotehost = ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_DOUBLE_REV, &remotehost_is_ip); if ((remotehost == NULL) || remotehost_is_ip) gothost = 1; else gothost = 2; } if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) return 1; break; case T_FAIL: /* do nothing? */ break; } } return 0; }
static int is_in_array(apr_sockaddr_t *remote_addr, apr_array_header_t *proxy_ips) { int i; apr_ipsubnet_t **subs = (apr_ipsubnet_t **)proxy_ips->elts; for (i = 0; i < proxy_ips->nelts; i++) { if (apr_ipsubnet_test(subs[i], remote_addr)) { return 1; } } return 0; }
/* return 1 means match, 0 means error or unmatch */ static int ip_in_ipsubnet_list_test (apr_sockaddr_t *ip_to_be_test, apr_array_header_t *p_ipsubnet_list) { if (!p_ipsubnet_list) return 0; int i, len = p_ipsubnet_list->nelts; apr_ipsubnet_t **p_ipsubnet = (apr_ipsubnet_t **) p_ipsubnet_list->elts; for (i = 0; i < len; i++) { if (apr_ipsubnet_test (p_ipsubnet[i], ip_to_be_test)) return 1; } return 0; }
/** * Find remote_addr in ACL */ static int find_accesslist(apr_array_header_t *a, apr_sockaddr_t *remote_addr) { accesslist *ap = (accesslist *) a->elts; int i; for (i = 0; i < a->nelts; ++i) { if (apr_ipsubnet_test(ap[i].ip, remote_addr)) { return 1; } } return 0; }
static authz_status ip_check_authorization(request_rec *r, const char *require_line, const void *parsed_require_line) { /* apr_ipsubnet_test should accept const but doesn't */ apr_ipsubnet_t **ip = (apr_ipsubnet_t **)parsed_require_line; while (*ip) { if (apr_ipsubnet_test(*ip, r->useragent_addr)) return AUTHZ_GRANTED; ip++; } /* authz_core will log the require line and the result at DEBUG */ return AUTHZ_DENIED; }
static int reverseproxy_modify_connection(request_rec *r) { conn_rec *c = r->connection; reverseproxy_config_t *config = (reverseproxy_config_t *) ap_get_module_config(r->server->module_config, &reverseproxy_module); if (!config->enable_module) return DECLINED; reverseproxy_conn_t *conn; #ifdef REMOTEIP_OPTIMIZED apr_sockaddr_t temp_sa_buff; apr_sockaddr_t *temp_sa = &temp_sa_buff; #else apr_sockaddr_t *temp_sa; #endif apr_status_t rv; char *remote = (char *) apr_table_get(r->headers_in, config->header_name); char *proxy_ips = NULL; char *parse_remote; char *eos; unsigned char *addrbyte; void *internal = NULL; apr_pool_userdata_get((void*)&conn, "mod_reverseproxy-conn", c->pool); if (conn) { if (remote && (strcmp(remote, conn->prior_remote) == 0)) { /* TODO: Recycle r-> overrides from previous request */ goto ditto_request_rec; } else { /* TODO: Revert connection from previous request */ #if AP_MODULE_MAGIC_AT_LEAST(20111130,0) c->client_addr = conn->orig_addr; c->client_ip = (char *) conn->orig_ip; #else c->remote_addr = conn->orig_addr; c->remote_ip = (char *) conn->orig_ip; #endif } } remote = apr_pstrdup(r->pool, remote); #if AP_MODULE_MAGIC_AT_LEAST(20111130,0) #ifdef REMOTEIP_OPTIMIZED memcpy(temp_sa, c->client_addr, sizeof(*temp_sa)); temp_sa->pool = r->pool; #else temp_sa = c->client_addr; #endif #else #ifdef REMOTEIP_OPTIMIZED memcpy(temp_sa, c->remote_addr, sizeof(*temp_sa)); temp_sa->pool = r->pool; #else temp_sa = c->remote_addr; #endif #endif while (remote) { /* verify c->client_addr is trusted if there is a trusted proxy list */ if (config->proxymatch_ip) { int i; reverseproxy_proxymatch_t *match; match = (reverseproxy_proxymatch_t *)config->proxymatch_ip->elts; for (i = 0; i < config->proxymatch_ip->nelts; ++i) { #if AP_MODULE_MAGIC_AT_LEAST(20111130,0) if (apr_ipsubnet_test(match[i].ip, c->client_addr)) { internal = match[i].internal; break; } #else if (apr_ipsubnet_test(match[i].ip, c->remote_addr)) { internal = match[i].internal; break; } #endif } } if ((parse_remote = strrchr(remote, ',')) == NULL) { parse_remote = remote; remote = NULL; } else { *(parse_remote++) = '\0'; } while (*parse_remote == ' ') ++parse_remote; eos = parse_remote + strlen(parse_remote) - 1; while (eos >= parse_remote && *eos == ' ') *(eos--) = '\0'; if (eos < parse_remote) { if (remote) *(remote + strlen(remote)) = ','; else remote = parse_remote; break; } #ifdef REMOTEIP_OPTIMIZED /* Decode client_addr - sucks; apr_sockaddr_vars_set isn't 'public' */ if (inet_pton(AF_INET, parse_remote, &temp_sa->sa.sin.sin_addr) > 0) { apr_sockaddr_vars_set(temp_sa, APR_INET, temp_sa.port); } #if APR_HAVE_IPV6 else if (inet_pton(AF_INET6, parse_remote, &temp_sa->sa.sin6.sin6_addr) > 0) { apr_sockaddr_vars_set(temp_sa, APR_INET6, temp_sa.port); } #endif else { rv = apr_get_netos_error(); #else /* !REMOTEIP_OPTIMIZED */ /* We map as IPv4 rather than IPv6 for equivilant host names * or IPV4OVERIPV6 */ rv = apr_sockaddr_info_get(&temp_sa, parse_remote, APR_UNSPEC, temp_sa->port, APR_IPV4_ADDR_OK, r->pool); if (rv != APR_SUCCESS) { #endif ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s cannot be parsed " "as a client IP", config->header_name, parse_remote); if (remote) *(remote + strlen(remote)) = ','; else remote = parse_remote; break; } addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr; /* For intranet (Internal proxies) ignore all restrictions below */ if (!internal && ((temp_sa->family == APR_INET /* For internet (non-Internal proxies) deny all * RFC3330 designated local/private subnets: * 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16 * 127.0.0.0/8 172.16.0.0/12 */ && (addrbyte[0] == 10 || addrbyte[0] == 127 || (addrbyte[0] == 169 && addrbyte[1] == 254) || (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16) || (addrbyte[0] == 192 && addrbyte[1] == 168))) #if APR_HAVE_IPV6 || (temp_sa->family == APR_INET6 /* For internet (non-Internal proxies) we translated * IPv4-over-IPv6-mapped addresses as IPv4, above. * Accept only Global Unicast 2000::/3 defined by RFC4291 */ && ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20)) #endif )) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s appears to be " "a private IP or nonsensical. Ignored", config->header_name, parse_remote); if (remote) *(remote + strlen(remote)) = ','; else remote = parse_remote; break; } #if AP_MODULE_MAGIC_AT_LEAST(20111130,0) if (!conn) { conn = (reverseproxy_conn_t *) apr_palloc(c->pool, sizeof(*conn)); apr_pool_userdata_set(conn, "mod_reverseproxy-conn", NULL, c->pool); conn->orig_addr = c->client_addr; conn->orig_ip = c->client_ip; } /* Set remote_ip string */ if (!internal) { if (proxy_ips) proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ", c->client_ip, NULL); else proxy_ips = c->client_ip; } c->client_addr = temp_sa; apr_sockaddr_ip_get(&c->client_ip, c->client_addr); } /* Nothing happened? */ if (!conn || (c->client_addr == conn->orig_addr)) return OK; /* Fixups here, remote becomes the new Via header value, etc * In the heavy operations above we used request scope, to limit * conn pool memory growth on keepalives, so here we must scope * the final results to the connection pool lifetime. * To limit memory growth, we keep recycling the same buffer * for the final apr_sockaddr_t in the remoteip conn rec. */ c->client_ip = apr_pstrdup(c->pool, c->client_ip); conn->proxied_ip = c->client_ip; r->useragent_ip = c->client_ip; r->useragent_addr = c->client_addr; memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa)); conn->proxied_addr.pool = c->pool; c->client_addr = &conn->proxied_addr; #else if (!conn) { conn = (reverseproxy_conn_t *) apr_palloc(c->pool, sizeof(*conn)); apr_pool_userdata_set(conn, "mod_reverseproxy-conn", NULL, c->pool); conn->orig_addr = c->remote_addr; conn->orig_ip = c->remote_ip; } /* Set remote_ip string */ if (!internal) { if (proxy_ips) proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ", c->remote_ip, NULL); else proxy_ips = c->remote_ip; } c->remote_addr = temp_sa; apr_sockaddr_ip_get(&c->remote_ip, c->remote_addr); } /* Nothing happened? */ if (!conn || (c->remote_addr == conn->orig_addr)) return OK; /* Fixups here, remote becomes the new Via header value, etc * In the heavy operations above we used request scope, to limit * conn pool memory growth on keepalives, so here we must scope * the final results to the connection pool lifetime. * To limit memory growth, we keep recycling the same buffer * for the final apr_sockaddr_t in the remoteip conn rec. */ c->remote_ip = apr_pstrdup(c->pool, c->remote_ip); conn->proxied_ip = c->remote_ip; memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa)); conn->proxied_addr.pool = c->pool; c->remote_addr = &conn->proxied_addr; #endif if (remote) remote = apr_pstrdup(c->pool, remote); conn->proxied_remote = remote; conn->prior_remote = apr_pstrdup(c->pool, apr_table_get(r->headers_in, config->header_name)); if (proxy_ips) proxy_ips = apr_pstrdup(c->pool, proxy_ips); conn->proxy_ips = proxy_ips; /* Unset remote_host string DNS lookups */ c->remote_host = NULL; c->remote_logname = NULL; ditto_request_rec: if (conn->proxy_ips) { apr_table_setn(r->notes, "reverseproxy-proxy-ip-list", conn->proxy_ips); if (config->proxies_header_name) apr_table_setn(r->headers_in, config->proxies_header_name, conn->proxy_ips); } ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, conn->proxy_ips ? "Using %s as client's IP by proxies %s" : "Using %s as client's IP by internal proxies", conn->proxied_ip, conn->proxy_ips); return OK; }
static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method, apr_time_t expire_time) { allowdeny *ap = (allowdeny *) a->elts; apr_int64_t mmask = (AP_METHOD_BIT << method); int i; int gothost = 0; const char *remotehost = NULL; char errmsg_buf[120]; apr_status_t rv; auth_remote_svr_conf *svr_conf = ap_get_module_config(r->server->module_config, &auth_remote_module); for (i = 0; i < a->nelts; ++i) { if (!(mmask & ap[i].limited)) { continue; } switch (ap[i].type) { case T_ENV: if (apr_table_get(r->subprocess_env, ap[i].x.from)) { return 1; } break; case T_NENV: if (!apr_table_get(r->subprocess_env, ap[i].x.from)) { return 1; } break; case T_ALL: return 1; case T_IP: if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) { return 1; } break; case T_URL: #if APR_HAS_THREADS rv = apr_thread_mutex_lock (svr_conf->mutex); if (rv != APR_SUCCESS) { apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf)); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "fail to obtain mutex: %s", errmsg_buf); break; } if (init_per_url_directive_data (r, &ap[i].x.remote_info) == -1) { rv = apr_thread_mutex_unlock (svr_conf->mutex); if (rv != APR_SUCCESS) { apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf)); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "fail to release mutex: %s", errmsg_buf); break; } break; } rv = apr_thread_mutex_unlock (svr_conf->mutex); if (rv != APR_SUCCESS) { apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf)); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "fail to release mutex: %s", errmsg_buf); break; } #else if (init_per_url_directive_data (&ap[i].x.remote_info) == -1) break; #endif if (ip_in_url_test (r, r->connection->remote_addr, &ap[i].x.remote_info, expire_time) == 1) { return 1; } break; case T_FILE: #if APR_HAS_THREADS rv = apr_thread_mutex_lock (svr_conf->mutex); if (rv != APR_SUCCESS) { apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf)); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "fail to obtain mutex: %s", errmsg_buf); break; } if (init_per_local_file_directive_data (r, &ap[i].x.local_file_info) == -1) { rv = apr_thread_mutex_unlock (svr_conf->mutex); if (rv != APR_SUCCESS) { apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf)); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "fail to release mutex: %s", errmsg_buf); break; } break; } rv = apr_thread_mutex_unlock (svr_conf->mutex); if (rv != APR_SUCCESS) { apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf)); ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, "fail to release mutex: %s", errmsg_buf); break; } #else if (init_per_local_file_directive_data (&ap[i].x.local_file_info) == -1) break; #endif if (ip_in_local_file_test (r, r->connection->remote_addr, &ap[i].x.local_file_info) == 1) { return 1; } break; case T_HOST: if (!gothost) { int remotehost_is_ip; remotehost = ap_get_remote_host(r->connection, r->per_dir_config, REMOTE_DOUBLE_REV, &remotehost_is_ip); if ((remotehost == NULL) || remotehost_is_ip) { gothost = 1; } else { gothost = 2; } } if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) { return 1; } break; case T_FAIL: /* do nothing? */ break; } } return 0; }
static int remoteip_modify_request(request_rec *r) { conn_rec *c = r->connection; remoteip_config_t *config = (remoteip_config_t *) ap_get_module_config(r->server->module_config, &remoteip_module); remoteip_req_t *req = NULL; apr_sockaddr_t *temp_sa; apr_status_t rv; char *remote; char *proxy_ips = NULL; char *parse_remote; char *eos; unsigned char *addrbyte; void *internal = NULL; if (!config->header_name) { return DECLINED; } remote = (char *) apr_table_get(r->headers_in, config->header_name); if (!remote) { return OK; } remote = apr_pstrdup(r->pool, remote); temp_sa = c->remote_addr; while (remote) { /* verify c->remote_addr is trusted if there is a trusted proxy list */ if (config->proxymatch_ip) { int i; remoteip_proxymatch_t *match; match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts; for (i = 0; i < config->proxymatch_ip->nelts; ++i) { if (apr_ipsubnet_test(match[i].ip, c->remote_addr)) { internal = match[i].internal; break; } } if (i && i >= config->proxymatch_ip->nelts) { break; } } if ((parse_remote = strrchr(remote, ',')) == NULL) { parse_remote = remote; remote = NULL; } else { *(parse_remote++) = '\0'; } while (*parse_remote == ' ') { ++parse_remote; } eos = parse_remote + strlen(parse_remote) - 1; while (eos >= parse_remote && *eos == ' ') { *(eos--) = '\0'; } if (eos < parse_remote) { if (remote) { *(remote + strlen(remote)) = ','; } else { remote = parse_remote; } break; } /* We map as IPv4 rather than IPv6 for equivilant host names * or IPV4OVERIPV6 */ rv = apr_sockaddr_info_get(&temp_sa, parse_remote, APR_UNSPEC, temp_sa->port, APR_IPV4_ADDR_OK, r->pool); if (rv != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s cannot be parsed " "as a client IP", config->header_name, parse_remote); if (remote) { *(remote + strlen(remote)) = ','; } else { remote = parse_remote; } break; } addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr; /* For intranet (Internal proxies) ignore all restrictions below */ if (!internal && ((temp_sa->family == APR_INET /* For internet (non-Internal proxies) deny all * RFC3330 designated local/private subnets: * 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16 * 127.0.0.0/8 172.16.0.0/12 */ && (addrbyte[0] == 10 || addrbyte[0] == 127 || (addrbyte[0] == 169 && addrbyte[1] == 254) || (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16) || (addrbyte[0] == 192 && addrbyte[1] == 168))) #if APR_HAVE_IPV6 || (temp_sa->family == APR_INET6 /* For internet (non-Internal proxies) we translated * IPv4-over-IPv6-mapped addresses as IPv4, above. * Accept only Global Unicast 2000::/3 defined by RFC4291 */ && ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20)) #endif )) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s appears to be " "a private IP or nonsensical. Ignored", config->header_name, parse_remote); if (remote) { *(remote + strlen(remote)) = ','; } else { remote = parse_remote; } break; } /* save away our results */ if (!req) { req = (remoteip_req_t *) apr_palloc(r->pool, sizeof(remoteip_req_t)); } /* Set remote_ip string */ if (!internal) { if (proxy_ips) { proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ", c->remote_ip, NULL); } else { proxy_ips = c->remote_ip; } } req->remote_addr = temp_sa; apr_sockaddr_ip_get(&req->remote_ip, req->remote_addr); } /* Nothing happened? */ if (!req) { return OK; } req->proxied_remote = remote; req->proxy_ips = proxy_ips; if (req->proxied_remote) { apr_table_setn(r->headers_in, config->header_name, req->proxied_remote); } else { apr_table_unset(r->headers_in, config->header_name); } if (req->proxy_ips) { apr_table_setn(r->notes, "remoteip-proxy-ip-list", req->proxy_ips); if (config->proxies_header_name) { apr_table_setn(r->headers_in, config->proxies_header_name, req->proxy_ips); } } c->remote_addr = req->remote_addr; c->remote_ip = req->remote_ip; ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, req->proxy_ips ? "Using %s as client's IP by proxies %s" : "Using %s as client's IP by internal proxies", req->remote_ip, req->proxy_ips); return OK; }
static int cloudflare_modify_connection(request_rec *r) { conn_rec *c = r->connection; cloudflare_config_t *config = (cloudflare_config_t *) ap_get_module_config(r->server->module_config, &cloudflare_module); cloudflare_conn_t *conn; #ifdef REMOTEIP_OPTIMIZED apr_sockaddr_t temp_sa_buff; apr_sockaddr_t *temp_sa = &temp_sa_buff; #else apr_sockaddr_t *temp_sa; #endif apr_status_t rv; char *remote = (char *) apr_table_get(r->headers_in, config->header_name); char *proxy_ips = NULL; char *parse_remote; char *eos; unsigned char *addrbyte; void *internal = NULL; apr_pool_userdata_get((void*)&conn, "mod_cloudflare-conn", c->pool); if (conn) { if (remote && (strcmp(remote, conn->prior_remote) == 0)) { /* TODO: Recycle r-> overrides from previous request */ goto ditto_request_rec; } else { /* TODO: Revert connection from previous request */ c->client_addr = conn->orig_addr; c->client_ip = (char *) conn->orig_ip; } } if (!remote) { if (config->deny_all) { return 403; } return OK; } remote = apr_pstrdup(r->pool, remote); #ifdef REMOTEIP_OPTIMIZED memcpy(&temp_sa, c->client_addr, sizeof(temp_sa)); temp_sa->pool = r->pool; #else temp_sa = c->client_addr; #endif while (remote) { /* verify c->client_addr is trusted if there is a trusted proxy list */ if (config->proxymatch_ip) { int i; cloudflare_proxymatch_t *match; match = (cloudflare_proxymatch_t *)config->proxymatch_ip->elts; for (i = 0; i < config->proxymatch_ip->nelts; ++i) { if (apr_ipsubnet_test(match[i].ip, c->client_addr)) { internal = match[i].internal; break; } } if (i && i >= config->proxymatch_ip->nelts) { if (config->deny_all) { return 403; } else { break; } } } if ((parse_remote = strrchr(remote, ',')) == NULL) { parse_remote = remote; remote = NULL; } else { *(parse_remote++) = '\0'; } while (*parse_remote == ' ') ++parse_remote; eos = parse_remote + strlen(parse_remote) - 1; while (eos >= parse_remote && *eos == ' ') *(eos--) = '\0'; if (eos < parse_remote) { if (remote) *(remote + strlen(remote)) = ','; else remote = parse_remote; break; } #ifdef REMOTEIP_OPTIMIZED /* Decode client_addr - sucks; apr_sockaddr_vars_set isn't 'public' */ if (inet_pton(AF_INET, parse_remote, &temp_sa_buff->sa.sin.sin_addr) > 0) { apr_sockaddr_vars_set(temp_sa, APR_INET, temp_sa.port); } #if APR_HAVE_IPV6 else if (inet_pton(AF_INET6, parse_remote, &temp_sa->sa.sin6.sin6_addr) > 0) { apr_sockaddr_vars_set(temp_sa, APR_INET6, temp_sa.port); } #endif else { rv = apr_get_netos_error(); #else /* !REMOTEIP_OPTIMIZED */ /* We map as IPv4 rather than IPv6 for equivilant host names * or IPV4OVERIPV6 */ rv = apr_sockaddr_info_get(&temp_sa, parse_remote, APR_UNSPEC, temp_sa->port, APR_IPV4_ADDR_OK, r->pool); if (rv != APR_SUCCESS) { #endif ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s cannot be parsed " "as a client IP", config->header_name, parse_remote); if (remote) *(remote + strlen(remote)) = ','; else remote = parse_remote; break; } addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr; /* For intranet (Internal proxies) ignore all restrictions below */ if (!internal && ((temp_sa->family == APR_INET /* For internet (non-Internal proxies) deny all * RFC3330 designated local/private subnets: * 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16 * 127.0.0.0/8 172.16.0.0/12 */ && (addrbyte[0] == 10 || addrbyte[0] == 127 || (addrbyte[0] == 169 && addrbyte[1] == 254) || (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16) || (addrbyte[0] == 192 && addrbyte[1] == 168))) #if APR_HAVE_IPV6 || (temp_sa->family == APR_INET6 /* For internet (non-Internal proxies) we translated * IPv4-over-IPv6-mapped addresses as IPv4, above. * Accept only Global Unicast 2000::/3 defined by RFC4291 */ && ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20)) #endif )) { ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s appears to be " "a private IP or nonsensical. Ignored", config->header_name, parse_remote); if (remote) *(remote + strlen(remote)) = ','; else remote = parse_remote; break; } if (!conn) { conn = (cloudflare_conn_t *) apr_palloc(c->pool, sizeof(*conn)); apr_pool_userdata_set(conn, "mod_cloudflare-conn", NULL, c->pool); conn->orig_addr = c->client_addr; conn->orig_ip = c->client_ip; } /* Set client_ip string */ if (!internal) { if (proxy_ips) proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ", c->client_ip, NULL); else proxy_ips = c->client_ip; } c->client_addr = temp_sa; apr_sockaddr_ip_get(&c->client_ip, c->client_addr); } /* Nothing happened? */ if (!conn || (c->client_addr == conn->orig_addr)) return OK; /* Fixups here, remote becomes the new Via header value, etc * In the heavy operations above we used request scope, to limit * conn pool memory growth on keepalives, so here we must scope * the final results to the connection pool lifetime. * To limit memory growth, we keep recycling the same buffer * for the final apr_sockaddr_t in the remoteip conn rec. */ c->client_ip = apr_pstrdup(c->pool, c->client_ip); conn->proxied_ip = c->client_ip; r->useragent_ip = c->client_ip; r->useragent_addr = c->client_addr; memcpy(&conn->proxied_addr, &temp_sa, sizeof(temp_sa)); conn->proxied_addr.pool = c->pool; // Causing an error with mod_authz_host // c->client_addr = &conn->proxied_addr; if (remote) remote = apr_pstrdup(c->pool, remote); conn->proxied_remote = remote; conn->prior_remote = apr_pstrdup(c->pool, apr_table_get(r->headers_in, config->header_name)); if (proxy_ips) proxy_ips = apr_pstrdup(c->pool, proxy_ips); conn->proxy_ips = proxy_ips; /* Unset remote_host string DNS lookups */ c->remote_host = NULL; c->remote_logname = NULL; ditto_request_rec: // Why do we unset the headers here? //if (conn->proxied_remote) { // apr_table_setn(r->headers_in, config->header_name, conn->proxied_remote); //} else { // apr_table_unset(r->headers_in, config->header_name); // } if (conn->proxy_ips) { apr_table_setn(r->notes, "cloudflare-proxy-ip-list", conn->proxy_ips); if (config->proxies_header_name) apr_table_setn(r->headers_in, config->proxies_header_name, conn->proxy_ips); } ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, conn->proxy_ips ? "Using %s as client's IP by proxies %s" : "Using %s as client's IP by internal proxies", conn->proxied_ip, conn->proxy_ips); return OK; } static const command_rec cloudflare_cmds[] = { AP_INIT_TAKE1("CloudFlareRemoteIPHeader", header_name_set, NULL, RSRC_CONF, "Specifies a request header to trust as the client IP, " "Overrides the default of CF-Connecting-IP"), AP_INIT_ITERATE("CloudFlareRemoteIPTrustedProxy", proxies_set, 0, RSRC_CONF, "Specifies one or more proxies which are trusted " "to present IP headers. Overrides the defaults."), AP_INIT_NO_ARGS("DenyAllButCloudFlare", deny_all_set, NULL, RSRC_CONF, "Return a 403 status to all requests which do not originate from " "a CloudFlareRemoteIPTrustedProxy."), { NULL } }; static void register_hooks(apr_pool_t *p) { // We need to run very early so as to not trip up mod_security. // Hence, this little trick, as mod_security runs at APR_HOOK_REALLY_FIRST. ap_hook_post_read_request(cloudflare_modify_connection, NULL, NULL, APR_HOOK_REALLY_FIRST - 10); }