static void test_singleton_subnets(abts_case *tc, void *data)
{
const char *v4addrs[] = {
"127.0.0.1", "129.42.18.99", "63.161.155.20", "207.46.230.229", "64.208.42.36",
"198.144.203.195", "192.18.97.241", "198.137.240.91", "62.156.179.119",
"204.177.92.181"
};
apr_ipsubnet_t *ipsub;
apr_sockaddr_t *sa;
apr_status_t rv;
int i, j, rc;
for (i = 0; i < sizeof v4addrs / sizeof v4addrs[0]; i++) {
rv = apr_ipsubnet_create(&ipsub, v4addrs[i], NULL, p);
ABTS_TRUE(tc, rv == APR_SUCCESS);
for (j = 0; j < sizeof v4addrs / sizeof v4addrs[0]; j++) {
rv = apr_sockaddr_info_get(&sa, v4addrs[j], APR_INET, 0, 0, p);
ABTS_TRUE(tc, rv == APR_SUCCESS);
rc = apr_ipsubnet_test(ipsub, sa);
if (!strcmp(v4addrs[i], v4addrs[j])) {
ABTS_TRUE(tc, rc != 0);
}
else {
ABTS_TRUE(tc, rc == 0);
}
}
}
/* same for v6? */
}
static authz_status local_check_authorization(request_rec *r,
const char *require_line,
const void *parsed_require_line)
{
if ( apr_sockaddr_equal(r->connection->local_addr,
r->useragent_addr)
|| apr_ipsubnet_test(localhost_v4, r->useragent_addr)
#if APR_HAVE_IPV6
|| apr_ipsubnet_test(localhost_v6, r->useragent_addr)
#endif
)
{
return AUTHZ_GRANTED;
}
return AUTHZ_DENIED;
}
static void test_interesting_subnets(abts_case *tc, void *data)
{
struct {
const char *ipstr, *mask;
int family;
char *in_subnet, *not_in_subnet;
} testcases[] =
{
{"9.67", NULL, APR_INET, "9.67.113.15", "10.1.2.3"}
,{"9.67.0.0", "16", APR_INET, "9.67.113.15", "10.1.2.3"}
,{"9.67.0.0", "255.255.0.0", APR_INET, "9.67.113.15", "10.1.2.3"}
,{"9.67.113.99", "16", APR_INET, "9.67.113.15", "10.1.2.3"}
,{"9.67.113.99", "255.255.255.0", APR_INET, "9.67.113.15", "10.1.2.3"}
,{"127", NULL, APR_INET, "127.0.0.1", "10.1.2.3"}
,{"127.0.0.1", "8", APR_INET, "127.0.0.1", "10.1.2.3"}
#if APR_HAVE_IPV6
,{"fe80::", "8", APR_INET6, "fe80::1", "ff01::1"}
,{"ff01::", "8", APR_INET6, "ff01::1", "fe80::1"}
,{"3FFE:8160::", "28", APR_INET6, "3ffE:816e:abcd:1234::1", "3ffe:8170::1"}
,{"127.0.0.1", NULL, APR_INET6, "::ffff:127.0.0.1", "fe80::1"}
,{"127.0.0.1", "8", APR_INET6, "::ffff:127.0.0.1", "fe80::1"}
#endif
};
apr_ipsubnet_t *ipsub;
apr_sockaddr_t *sa;
apr_status_t rv;
int i, rc;
for (i = 0; i < sizeof testcases / sizeof testcases[0]; i++) {
rv = apr_ipsubnet_create(&ipsub, testcases[i].ipstr, testcases[i].mask, p);
ABTS_TRUE(tc, rv == APR_SUCCESS);
rv = apr_sockaddr_info_get(&sa, testcases[i].in_subnet, testcases[i].family, 0, 0, p);
ABTS_TRUE(tc, rv == APR_SUCCESS);
ABTS_TRUE(tc, sa != NULL);
if (!sa) continue;
rc = apr_ipsubnet_test(ipsub, sa);
ABTS_TRUE(tc, rc != 0);
rv = apr_sockaddr_info_get(&sa, testcases[i].not_in_subnet, testcases[i].family, 0, 0, p);
ABTS_TRUE(tc, rv == APR_SUCCESS);
rc = apr_ipsubnet_test(ipsub, sa);
ABTS_TRUE(tc, rc == 0);
}
}
static int find_allowdeny(request_rec *r, apr_array_header_t *a, int method)
{
allowdeny *ap = (allowdeny *) a->elts;
apr_int64_t mmask = (AP_METHOD_BIT << method);
int i;
int gothost = 0;
const char *remotehost = NULL;
for (i = 0; i < a->nelts; ++i) {
if (!(mmask & ap[i].limited))
continue;
switch (ap[i].type) {
case T_ENV:
if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
return 1;
}
break;
case T_ALL:
return 1;
case T_IP:
if (apr_ipsubnet_test(ap[i].x.ip, r->connection->remote_addr)) {
return 1;
}
break;
case T_HOST:
if (!gothost) {
int remotehost_is_ip;
remotehost = ap_get_remote_host(r->connection, r->per_dir_config,
REMOTE_DOUBLE_REV, &remotehost_is_ip);
if ((remotehost == NULL) || remotehost_is_ip)
gothost = 1;
else
gothost = 2;
}
if ((gothost == 2) && in_domain(ap[i].x.from, remotehost))
return 1;
break;
case T_FAIL:
/* do nothing? */
break;
}
}
return 0;
}
static int is_in_array(apr_sockaddr_t *remote_addr, apr_array_header_t *proxy_ips) {
int i;
apr_ipsubnet_t **subs = (apr_ipsubnet_t **)proxy_ips->elts;
for (i = 0; i < proxy_ips->nelts; i++) {
if (apr_ipsubnet_test(subs[i], remote_addr)) {
return 1;
}
}
return 0;
}
/* return 1 means match, 0 means error or unmatch */
static int ip_in_ipsubnet_list_test (apr_sockaddr_t *ip_to_be_test,
apr_array_header_t *p_ipsubnet_list)
{
if (!p_ipsubnet_list)
return 0;
int i, len = p_ipsubnet_list->nelts;
apr_ipsubnet_t **p_ipsubnet = (apr_ipsubnet_t **) p_ipsubnet_list->elts;
for (i = 0; i < len; i++) {
if (apr_ipsubnet_test (p_ipsubnet[i], ip_to_be_test))
return 1;
}
return 0;
}
/**
* Find remote_addr in ACL
*/
static int find_accesslist(apr_array_header_t *a, apr_sockaddr_t *remote_addr)
{
accesslist *ap = (accesslist *) a->elts;
int i;
for (i = 0; i < a->nelts; ++i) {
if (apr_ipsubnet_test(ap[i].ip, remote_addr)) {
return 1;
}
}
return 0;
}
static authz_status ip_check_authorization(request_rec *r,
const char *require_line,
const void *parsed_require_line)
{
/* apr_ipsubnet_test should accept const but doesn't */
apr_ipsubnet_t **ip = (apr_ipsubnet_t **)parsed_require_line;
while (*ip) {
if (apr_ipsubnet_test(*ip, r->useragent_addr))
return AUTHZ_GRANTED;
ip++;
}
/* authz_core will log the require line and the result at DEBUG */
return AUTHZ_DENIED;
}
static int reverseproxy_modify_connection(request_rec *r)
{
conn_rec *c = r->connection;
reverseproxy_config_t *config = (reverseproxy_config_t *)
ap_get_module_config(r->server->module_config, &reverseproxy_module);
if (!config->enable_module)
return DECLINED;
reverseproxy_conn_t *conn;
#ifdef REMOTEIP_OPTIMIZED
apr_sockaddr_t temp_sa_buff;
apr_sockaddr_t *temp_sa = &temp_sa_buff;
#else
apr_sockaddr_t *temp_sa;
#endif
apr_status_t rv;
char *remote = (char *) apr_table_get(r->headers_in, config->header_name);
char *proxy_ips = NULL;
char *parse_remote;
char *eos;
unsigned char *addrbyte;
void *internal = NULL;
apr_pool_userdata_get((void*)&conn, "mod_reverseproxy-conn", c->pool);
if (conn) {
if (remote && (strcmp(remote, conn->prior_remote) == 0)) {
/* TODO: Recycle r-> overrides from previous request
*/
goto ditto_request_rec;
}
else {
/* TODO: Revert connection from previous request
*/
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
c->client_addr = conn->orig_addr;
c->client_ip = (char *) conn->orig_ip;
#else
c->remote_addr = conn->orig_addr;
c->remote_ip = (char *) conn->orig_ip;
#endif
}
}
remote = apr_pstrdup(r->pool, remote);
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
#ifdef REMOTEIP_OPTIMIZED
memcpy(temp_sa, c->client_addr, sizeof(*temp_sa));
temp_sa->pool = r->pool;
#else
temp_sa = c->client_addr;
#endif
#else
#ifdef REMOTEIP_OPTIMIZED
memcpy(temp_sa, c->remote_addr, sizeof(*temp_sa));
temp_sa->pool = r->pool;
#else
temp_sa = c->remote_addr;
#endif
#endif
while (remote) {
/* verify c->client_addr is trusted if there is a trusted proxy list
*/
if (config->proxymatch_ip) {
int i;
reverseproxy_proxymatch_t *match;
match = (reverseproxy_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
internal = match[i].internal;
break;
}
#else
if (apr_ipsubnet_test(match[i].ip, c->remote_addr)) {
internal = match[i].internal;
break;
}
#endif
}
}
if ((parse_remote = strrchr(remote, ',')) == NULL) {
parse_remote = remote;
remote = NULL;
}
else {
*(parse_remote++) = '\0';
}
while (*parse_remote == ' ')
++parse_remote;
eos = parse_remote + strlen(parse_remote) - 1;
while (eos >= parse_remote && *eos == ' ')
*(eos--) = '\0';
if (eos < parse_remote) {
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
#ifdef REMOTEIP_OPTIMIZED
/* Decode client_addr - sucks; apr_sockaddr_vars_set isn't 'public' */
if (inet_pton(AF_INET, parse_remote,
&temp_sa->sa.sin.sin_addr) > 0) {
apr_sockaddr_vars_set(temp_sa, APR_INET, temp_sa.port);
}
#if APR_HAVE_IPV6
else if (inet_pton(AF_INET6, parse_remote,
&temp_sa->sa.sin6.sin6_addr) > 0) {
apr_sockaddr_vars_set(temp_sa, APR_INET6, temp_sa.port);
}
#endif
else {
rv = apr_get_netos_error();
#else /* !REMOTEIP_OPTIMIZED */
/* We map as IPv4 rather than IPv6 for equivilant host names
* or IPV4OVERIPV6
*/
rv = apr_sockaddr_info_get(&temp_sa, parse_remote,
APR_UNSPEC, temp_sa->port,
APR_IPV4_ADDR_OK, r->pool);
if (rv != APR_SUCCESS) {
#endif
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s cannot be parsed "
"as a client IP",
config->header_name, parse_remote);
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr;
/* For intranet (Internal proxies) ignore all restrictions below */
if (!internal
&& ((temp_sa->family == APR_INET
/* For internet (non-Internal proxies) deny all
* RFC3330 designated local/private subnets:
* 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16
* 127.0.0.0/8 172.16.0.0/12
*/
&& (addrbyte[0] == 10
|| addrbyte[0] == 127
|| (addrbyte[0] == 169 && addrbyte[1] == 254)
|| (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16)
|| (addrbyte[0] == 192 && addrbyte[1] == 168)))
#if APR_HAVE_IPV6
|| (temp_sa->family == APR_INET6
/* For internet (non-Internal proxies) we translated
* IPv4-over-IPv6-mapped addresses as IPv4, above.
* Accept only Global Unicast 2000::/3 defined by RFC4291
*/
&& ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20))
#endif
)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s appears to be "
"a private IP or nonsensical. Ignored",
config->header_name, parse_remote);
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
if (!conn) {
conn = (reverseproxy_conn_t *) apr_palloc(c->pool, sizeof(*conn));
apr_pool_userdata_set(conn, "mod_reverseproxy-conn", NULL, c->pool);
conn->orig_addr = c->client_addr;
conn->orig_ip = c->client_ip;
}
/* Set remote_ip string */
if (!internal) {
if (proxy_ips)
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
c->client_ip, NULL);
else
proxy_ips = c->client_ip;
}
c->client_addr = temp_sa;
apr_sockaddr_ip_get(&c->client_ip, c->client_addr);
}
/* Nothing happened? */
if (!conn || (c->client_addr == conn->orig_addr))
return OK;
/* Fixups here, remote becomes the new Via header value, etc
* In the heavy operations above we used request scope, to limit
* conn pool memory growth on keepalives, so here we must scope
* the final results to the connection pool lifetime.
* To limit memory growth, we keep recycling the same buffer
* for the final apr_sockaddr_t in the remoteip conn rec.
*/
c->client_ip = apr_pstrdup(c->pool, c->client_ip);
conn->proxied_ip = c->client_ip;
r->useragent_ip = c->client_ip;
r->useragent_addr = c->client_addr;
memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa));
conn->proxied_addr.pool = c->pool;
c->client_addr = &conn->proxied_addr;
#else
if (!conn) {
conn = (reverseproxy_conn_t *) apr_palloc(c->pool, sizeof(*conn));
apr_pool_userdata_set(conn, "mod_reverseproxy-conn", NULL, c->pool);
conn->orig_addr = c->remote_addr;
conn->orig_ip = c->remote_ip;
}
/* Set remote_ip string */
if (!internal) {
if (proxy_ips)
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
c->remote_ip, NULL);
else
proxy_ips = c->remote_ip;
}
c->remote_addr = temp_sa;
apr_sockaddr_ip_get(&c->remote_ip, c->remote_addr);
}
/* Nothing happened? */
if (!conn || (c->remote_addr == conn->orig_addr))
return OK;
/* Fixups here, remote becomes the new Via header value, etc
* In the heavy operations above we used request scope, to limit
* conn pool memory growth on keepalives, so here we must scope
* the final results to the connection pool lifetime.
* To limit memory growth, we keep recycling the same buffer
* for the final apr_sockaddr_t in the remoteip conn rec.
*/
c->remote_ip = apr_pstrdup(c->pool, c->remote_ip);
conn->proxied_ip = c->remote_ip;
memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa));
conn->proxied_addr.pool = c->pool;
c->remote_addr = &conn->proxied_addr;
#endif
if (remote)
remote = apr_pstrdup(c->pool, remote);
conn->proxied_remote = remote;
conn->prior_remote = apr_pstrdup(c->pool, apr_table_get(r->headers_in,
config->header_name));
if (proxy_ips)
proxy_ips = apr_pstrdup(c->pool, proxy_ips);
conn->proxy_ips = proxy_ips;
/* Unset remote_host string DNS lookups */
c->remote_host = NULL;
c->remote_logname = NULL;
ditto_request_rec:
if (conn->proxy_ips) {
apr_table_setn(r->notes, "reverseproxy-proxy-ip-list", conn->proxy_ips);
if (config->proxies_header_name)
apr_table_setn(r->headers_in, config->proxies_header_name,
conn->proxy_ips);
}
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
conn->proxy_ips
? "Using %s as client's IP by proxies %s"
: "Using %s as client's IP by internal proxies",
conn->proxied_ip, conn->proxy_ips);
return OK;
}
static int find_allowdeny(request_rec *r, apr_array_header_t *a,
int method, apr_time_t expire_time)
{
allowdeny *ap = (allowdeny *) a->elts;
apr_int64_t mmask = (AP_METHOD_BIT << method);
int i;
int gothost = 0;
const char *remotehost = NULL;
char errmsg_buf[120];
apr_status_t rv;
auth_remote_svr_conf *svr_conf =
ap_get_module_config(r->server->module_config, &auth_remote_module);
for (i = 0; i < a->nelts; ++i) {
if (!(mmask & ap[i].limited)) {
continue;
}
switch (ap[i].type) {
case T_ENV:
if (apr_table_get(r->subprocess_env, ap[i].x.from)) {
return 1;
}
break;
case T_NENV:
if (!apr_table_get(r->subprocess_env, ap[i].x.from)) {
return 1;
}
break;
case T_ALL:
return 1;
case T_IP:
if (apr_ipsubnet_test(ap[i].x.ip,
r->connection->remote_addr)) {
return 1;
}
break;
case T_URL:
#if APR_HAS_THREADS
rv = apr_thread_mutex_lock (svr_conf->mutex);
if (rv != APR_SUCCESS) {
apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf));
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"fail to obtain mutex: %s", errmsg_buf);
break;
}
if (init_per_url_directive_data (r, &ap[i].x.remote_info)
== -1) {
rv = apr_thread_mutex_unlock (svr_conf->mutex);
if (rv != APR_SUCCESS) {
apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf));
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"fail to release mutex: %s",
errmsg_buf);
break;
}
break;
}
rv = apr_thread_mutex_unlock (svr_conf->mutex);
if (rv != APR_SUCCESS) {
apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf));
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"fail to release mutex: %s", errmsg_buf);
break;
}
#else
if (init_per_url_directive_data (&ap[i].x.remote_info) == -1)
break;
#endif
if (ip_in_url_test (r, r->connection->remote_addr,
&ap[i].x.remote_info, expire_time)
== 1) {
return 1;
}
break;
case T_FILE:
#if APR_HAS_THREADS
rv = apr_thread_mutex_lock (svr_conf->mutex);
if (rv != APR_SUCCESS) {
apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf));
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"fail to obtain mutex: %s", errmsg_buf);
break;
}
if (init_per_local_file_directive_data
(r, &ap[i].x.local_file_info)
== -1) {
rv = apr_thread_mutex_unlock (svr_conf->mutex);
if (rv != APR_SUCCESS) {
apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf));
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"fail to release mutex: %s", errmsg_buf);
break;
}
break;
}
rv = apr_thread_mutex_unlock (svr_conf->mutex);
if (rv != APR_SUCCESS) {
apr_strerror (rv, errmsg_buf, sizeof (errmsg_buf));
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r,
"fail to release mutex: %s", errmsg_buf);
break;
}
#else
if (init_per_local_file_directive_data (&ap[i].x.local_file_info) == -1)
break;
#endif
if (ip_in_local_file_test
(r, r->connection->remote_addr, &ap[i].x.local_file_info) == 1) {
return 1;
}
break;
case T_HOST:
if (!gothost) {
int remotehost_is_ip;
remotehost = ap_get_remote_host(r->connection,
r->per_dir_config,
REMOTE_DOUBLE_REV,
&remotehost_is_ip);
if ((remotehost == NULL) || remotehost_is_ip) {
gothost = 1;
}
else {
gothost = 2;
}
}
if ((gothost == 2) && in_domain(ap[i].x.from, remotehost)) {
return 1;
}
break;
case T_FAIL:
/* do nothing? */
break;
}
}
return 0;
}
static int remoteip_modify_request(request_rec *r)
{
conn_rec *c = r->connection;
remoteip_config_t *config = (remoteip_config_t *)
ap_get_module_config(r->server->module_config, &remoteip_module);
remoteip_req_t *req = NULL;
apr_sockaddr_t *temp_sa;
apr_status_t rv;
char *remote;
char *proxy_ips = NULL;
char *parse_remote;
char *eos;
unsigned char *addrbyte;
void *internal = NULL;
if (!config->header_name) {
return DECLINED;
}
remote = (char *) apr_table_get(r->headers_in, config->header_name);
if (!remote) {
return OK;
}
remote = apr_pstrdup(r->pool, remote);
temp_sa = c->remote_addr;
while (remote) {
/* verify c->remote_addr is trusted if there is a trusted proxy list
*/
if (config->proxymatch_ip) {
int i;
remoteip_proxymatch_t *match;
match = (remoteip_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
if (apr_ipsubnet_test(match[i].ip, c->remote_addr)) {
internal = match[i].internal;
break;
}
}
if (i && i >= config->proxymatch_ip->nelts) {
break;
}
}
if ((parse_remote = strrchr(remote, ',')) == NULL) {
parse_remote = remote;
remote = NULL;
}
else {
*(parse_remote++) = '\0';
}
while (*parse_remote == ' ') {
++parse_remote;
}
eos = parse_remote + strlen(parse_remote) - 1;
while (eos >= parse_remote && *eos == ' ') {
*(eos--) = '\0';
}
if (eos < parse_remote) {
if (remote) {
*(remote + strlen(remote)) = ',';
}
else {
remote = parse_remote;
}
break;
}
/* We map as IPv4 rather than IPv6 for equivilant host names
* or IPV4OVERIPV6
*/
rv = apr_sockaddr_info_get(&temp_sa, parse_remote,
APR_UNSPEC, temp_sa->port,
APR_IPV4_ADDR_OK, r->pool);
if (rv != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s cannot be parsed "
"as a client IP",
config->header_name, parse_remote);
if (remote) {
*(remote + strlen(remote)) = ',';
}
else {
remote = parse_remote;
}
break;
}
addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr;
/* For intranet (Internal proxies) ignore all restrictions below */
if (!internal
&& ((temp_sa->family == APR_INET
/* For internet (non-Internal proxies) deny all
* RFC3330 designated local/private subnets:
* 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16
* 127.0.0.0/8 172.16.0.0/12
*/
&& (addrbyte[0] == 10
|| addrbyte[0] == 127
|| (addrbyte[0] == 169 && addrbyte[1] == 254)
|| (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16)
|| (addrbyte[0] == 192 && addrbyte[1] == 168)))
#if APR_HAVE_IPV6
|| (temp_sa->family == APR_INET6
/* For internet (non-Internal proxies) we translated
* IPv4-over-IPv6-mapped addresses as IPv4, above.
* Accept only Global Unicast 2000::/3 defined by RFC4291
*/
&& ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20))
#endif
)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s appears to be "
"a private IP or nonsensical. Ignored",
config->header_name, parse_remote);
if (remote) {
*(remote + strlen(remote)) = ',';
}
else {
remote = parse_remote;
}
break;
}
/* save away our results */
if (!req) {
req = (remoteip_req_t *) apr_palloc(r->pool, sizeof(remoteip_req_t));
}
/* Set remote_ip string */
if (!internal) {
if (proxy_ips) {
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
c->remote_ip, NULL);
}
else {
proxy_ips = c->remote_ip;
}
}
req->remote_addr = temp_sa;
apr_sockaddr_ip_get(&req->remote_ip, req->remote_addr);
}
/* Nothing happened? */
if (!req) {
return OK;
}
req->proxied_remote = remote;
req->proxy_ips = proxy_ips;
if (req->proxied_remote) {
apr_table_setn(r->headers_in, config->header_name,
req->proxied_remote);
}
else {
apr_table_unset(r->headers_in, config->header_name);
}
if (req->proxy_ips) {
apr_table_setn(r->notes, "remoteip-proxy-ip-list", req->proxy_ips);
if (config->proxies_header_name) {
apr_table_setn(r->headers_in, config->proxies_header_name,
req->proxy_ips);
}
}
c->remote_addr = req->remote_addr;
c->remote_ip = req->remote_ip;
ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
req->proxy_ips
? "Using %s as client's IP by proxies %s"
: "Using %s as client's IP by internal proxies",
req->remote_ip, req->proxy_ips);
return OK;
}
static int cloudflare_modify_connection(request_rec *r)
{
conn_rec *c = r->connection;
cloudflare_config_t *config = (cloudflare_config_t *)
ap_get_module_config(r->server->module_config, &cloudflare_module);
cloudflare_conn_t *conn;
#ifdef REMOTEIP_OPTIMIZED
apr_sockaddr_t temp_sa_buff;
apr_sockaddr_t *temp_sa = &temp_sa_buff;
#else
apr_sockaddr_t *temp_sa;
#endif
apr_status_t rv;
char *remote = (char *) apr_table_get(r->headers_in, config->header_name);
char *proxy_ips = NULL;
char *parse_remote;
char *eos;
unsigned char *addrbyte;
void *internal = NULL;
apr_pool_userdata_get((void*)&conn, "mod_cloudflare-conn", c->pool);
if (conn) {
if (remote && (strcmp(remote, conn->prior_remote) == 0)) {
/* TODO: Recycle r-> overrides from previous request
*/
goto ditto_request_rec;
}
else {
/* TODO: Revert connection from previous request
*/
c->client_addr = conn->orig_addr;
c->client_ip = (char *) conn->orig_ip;
}
}
if (!remote) {
if (config->deny_all) {
return 403;
}
return OK;
}
remote = apr_pstrdup(r->pool, remote);
#ifdef REMOTEIP_OPTIMIZED
memcpy(&temp_sa, c->client_addr, sizeof(temp_sa));
temp_sa->pool = r->pool;
#else
temp_sa = c->client_addr;
#endif
while (remote) {
/* verify c->client_addr is trusted if there is a trusted proxy list
*/
if (config->proxymatch_ip) {
int i;
cloudflare_proxymatch_t *match;
match = (cloudflare_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
internal = match[i].internal;
break;
}
}
if (i && i >= config->proxymatch_ip->nelts) {
if (config->deny_all) {
return 403;
} else {
break;
}
}
}
if ((parse_remote = strrchr(remote, ',')) == NULL) {
parse_remote = remote;
remote = NULL;
}
else {
*(parse_remote++) = '\0';
}
while (*parse_remote == ' ')
++parse_remote;
eos = parse_remote + strlen(parse_remote) - 1;
while (eos >= parse_remote && *eos == ' ')
*(eos--) = '\0';
if (eos < parse_remote) {
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
#ifdef REMOTEIP_OPTIMIZED
/* Decode client_addr - sucks; apr_sockaddr_vars_set isn't 'public' */
if (inet_pton(AF_INET, parse_remote,
&temp_sa_buff->sa.sin.sin_addr) > 0) {
apr_sockaddr_vars_set(temp_sa, APR_INET, temp_sa.port);
}
#if APR_HAVE_IPV6
else if (inet_pton(AF_INET6, parse_remote,
&temp_sa->sa.sin6.sin6_addr) > 0) {
apr_sockaddr_vars_set(temp_sa, APR_INET6, temp_sa.port);
}
#endif
else {
rv = apr_get_netos_error();
#else /* !REMOTEIP_OPTIMIZED */
/* We map as IPv4 rather than IPv6 for equivilant host names
* or IPV4OVERIPV6
*/
rv = apr_sockaddr_info_get(&temp_sa, parse_remote,
APR_UNSPEC, temp_sa->port,
APR_IPV4_ADDR_OK, r->pool);
if (rv != APR_SUCCESS) {
#endif
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s cannot be parsed "
"as a client IP",
config->header_name, parse_remote);
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr;
/* For intranet (Internal proxies) ignore all restrictions below */
if (!internal
&& ((temp_sa->family == APR_INET
/* For internet (non-Internal proxies) deny all
* RFC3330 designated local/private subnets:
* 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16
* 127.0.0.0/8 172.16.0.0/12
*/
&& (addrbyte[0] == 10
|| addrbyte[0] == 127
|| (addrbyte[0] == 169 && addrbyte[1] == 254)
|| (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16)
|| (addrbyte[0] == 192 && addrbyte[1] == 168)))
#if APR_HAVE_IPV6
|| (temp_sa->family == APR_INET6
/* For internet (non-Internal proxies) we translated
* IPv4-over-IPv6-mapped addresses as IPv4, above.
* Accept only Global Unicast 2000::/3 defined by RFC4291
*/
&& ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20))
#endif
)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s appears to be "
"a private IP or nonsensical. Ignored",
config->header_name, parse_remote);
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
if (!conn) {
conn = (cloudflare_conn_t *) apr_palloc(c->pool, sizeof(*conn));
apr_pool_userdata_set(conn, "mod_cloudflare-conn", NULL, c->pool);
conn->orig_addr = c->client_addr;
conn->orig_ip = c->client_ip;
}
/* Set client_ip string */
if (!internal) {
if (proxy_ips)
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
c->client_ip, NULL);
else
proxy_ips = c->client_ip;
}
c->client_addr = temp_sa;
apr_sockaddr_ip_get(&c->client_ip, c->client_addr);
}
/* Nothing happened? */
if (!conn || (c->client_addr == conn->orig_addr))
return OK;
/* Fixups here, remote becomes the new Via header value, etc
* In the heavy operations above we used request scope, to limit
* conn pool memory growth on keepalives, so here we must scope
* the final results to the connection pool lifetime.
* To limit memory growth, we keep recycling the same buffer
* for the final apr_sockaddr_t in the remoteip conn rec.
*/
c->client_ip = apr_pstrdup(c->pool, c->client_ip);
conn->proxied_ip = c->client_ip;
r->useragent_ip = c->client_ip;
r->useragent_addr = c->client_addr;
memcpy(&conn->proxied_addr, &temp_sa, sizeof(temp_sa));
conn->proxied_addr.pool = c->pool;
// Causing an error with mod_authz_host
// c->client_addr = &conn->proxied_addr;
if (remote)
remote = apr_pstrdup(c->pool, remote);
conn->proxied_remote = remote;
conn->prior_remote = apr_pstrdup(c->pool, apr_table_get(r->headers_in,
config->header_name));
if (proxy_ips)
proxy_ips = apr_pstrdup(c->pool, proxy_ips);
conn->proxy_ips = proxy_ips;
/* Unset remote_host string DNS lookups */
c->remote_host = NULL;
c->remote_logname = NULL;
ditto_request_rec:
// Why do we unset the headers here?
//if (conn->proxied_remote) {
// apr_table_setn(r->headers_in, config->header_name, conn->proxied_remote);
//} else {
// apr_table_unset(r->headers_in, config->header_name);
// }
if (conn->proxy_ips) {
apr_table_setn(r->notes, "cloudflare-proxy-ip-list", conn->proxy_ips);
if (config->proxies_header_name)
apr_table_setn(r->headers_in, config->proxies_header_name,
conn->proxy_ips);
}
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
conn->proxy_ips
? "Using %s as client's IP by proxies %s"
: "Using %s as client's IP by internal proxies",
conn->proxied_ip, conn->proxy_ips);
return OK;
}
static const command_rec cloudflare_cmds[] =
{
AP_INIT_TAKE1("CloudFlareRemoteIPHeader", header_name_set, NULL, RSRC_CONF,
"Specifies a request header to trust as the client IP, "
"Overrides the default of CF-Connecting-IP"),
AP_INIT_ITERATE("CloudFlareRemoteIPTrustedProxy", proxies_set, 0, RSRC_CONF,
"Specifies one or more proxies which are trusted "
"to present IP headers. Overrides the defaults."),
AP_INIT_NO_ARGS("DenyAllButCloudFlare", deny_all_set, NULL, RSRC_CONF,
"Return a 403 status to all requests which do not originate from "
"a CloudFlareRemoteIPTrustedProxy."),
{ NULL }
};
static void register_hooks(apr_pool_t *p)
{
// We need to run very early so as to not trip up mod_security.
// Hence, this little trick, as mod_security runs at APR_HOOK_REALLY_FIRST.
ap_hook_post_read_request(cloudflare_modify_connection, NULL, NULL, APR_HOOK_REALLY_FIRST - 10);
}
