/*
 * Initialise the bookkeeping fields of a freshly created socket.
 *
 * Records the socket type and protocol on the socket object and resets both
 * of its address records (local and remote) to the given family with a port
 * value of 0, since nothing has been bound or connected yet.
 *
 * @param sock     socket whose type/protocol and address records are set;
 *                 sock->local_addr and sock->remote_addr are handed straight
 *                 to apr_sockaddr_vars_set
 * @param family   address family recorded on both address records
 * @param type     value stored in sock->type
 * @param protocol value stored in sock->protocol
 */
static void set_socket_vars(apr_socket_t *sock, int family, int type, int protocol)
{
    apr_sockaddr_t *ends[2];
    int i;

    sock->protocol = protocol;
    sock->type = type;

    /* Local end first, then remote end. */
    ends[0] = sock->local_addr;
    ends[1] = sock->remote_addr;
    for (i = 0; i < 2; i++) {
        apr_sockaddr_vars_set(ends[i], family, 0);
    }
}
/*
 * Initialise the bookkeeping fields of a freshly created socket (Windows).
 *
 * Records the socket type and protocol, resets both address records to the
 * given family with port 0, and on Windows releases older than Vista forces
 * an AF_INET6 socket into IPv6-only mode so it does not also carry IPv4
 * traffic through the v6 socket.
 *
 * @param sock     socket whose type/protocol and address records are set
 * @param family   address family recorded on both address records
 * @param type     value stored in sock->type
 * @param protocol value stored in sock->protocol
 */
static void set_socket_vars(apr_socket_t *sock, int family, int type, int protocol)
{
    apr_sockaddr_t *ends[2];
    int i;
#if APR_HAVE_IPV6
    int force_v6only;
#endif

    sock->protocol = protocol;
    sock->type = type;

    /* Local end first, then remote end. */
    ends[0] = sock->local_addr;
    ends[1] = sock->remote_addr;
    for (i = 0; i < 2; i++) {
        apr_sockaddr_vars_set(ends[i], family, 0);
    }

#if APR_HAVE_IPV6
    /* Pre-Vista Windows: the IPv6-only behaviour is hard-coded rather than
     * left to the caller, so set the option here for every AF_INET6 socket. */
    force_v6only = (apr_os_level < APR_WIN_VISTA) && (family == AF_INET6);
    if (force_v6only) {
        apr_set_option(sock, APR_IPV6_V6ONLY, 1);
    }
#endif
}
/*
 * Initialise the bookkeeping fields of a freshly created socket (Unix).
 *
 * Records the socket type and protocol, resets both address records to the
 * given family with port 0, and starts the option bitmask from a clean slate.
 * On BeOS builds without BONE the bitmask starts with APR_TCP_NODELAY already
 * set, because that platform has the option on and cannot switch it off.
 *
 * @param sock     socket whose type/protocol, address records and options are set
 * @param family   address family recorded on both address records
 * @param type     value stored in sock->type
 * @param protocol value stored in sock->protocol
 */
static void set_socket_vars(apr_socket_t *sock, int family, int type, int protocol)
{
    apr_sockaddr_t *ends[2];
    int i;

    sock->protocol = protocol;
    sock->type = type;

    /* Local end first, then remote end. */
    ends[0] = sock->local_addr;
    ends[1] = sock->remote_addr;
    for (i = 0; i < 2; i++) {
        apr_sockaddr_vars_set(ends[i], family, 0);
    }

#if defined(BEOS) && !defined(BEOS_BONE)
    /* BeOS pre-BONE has TCP_NODELAY on by default and it can't be switched
     * off, so record it as already set instead of starting from 0. */
    sock->options = APR_TCP_NODELAY;
#else
    sock->options = 0;
#endif
}
/*
 * Receive one message on a socket and report the peer address it came from.
 *
 * @param from  address record filled in with the sender's address; its
 *              family/port bookkeeping is refreshed via apr_sockaddr_vars_set
 * @param sock  socket to read from
 * @param flags flags passed through to recvfrom()
 * @param buf   destination buffer
 * @param len   in: capacity of buf; out: bytes received (0 on error)
 * @return APR_SUCCESS, the network OS error when recvfrom() fails, or APR_EOF
 *         when a stream socket returns a zero-length read
 */
APR_DECLARE(apr_status_t) apr_socket_recvfrom(apr_sockaddr_t *from, apr_socket_t *sock, apr_int32_t flags, char *buf, apr_size_t *len)
{
    apr_ssize_t got;

    /* Tell recvfrom() how much room the caller's address record offers. */
    from->salen = sizeof(from->sa);

    /* NOTE(review): *len is narrowed to int for the underlying call; a value
     * above INT_MAX would be passed through truncated — confirm callers never
     * exceed that. */
    got = recvfrom(sock->socketdes, buf, (int)*len, flags, (struct sockaddr *)&from->sa, &from->salen);

    if (got == SOCKET_ERROR) {
        *len = 0;
        return apr_get_netos_error();
    }

    /* Refresh the family/port bookkeeping from the address just filled in. */
    apr_sockaddr_vars_set(from, from->sa.sin.sin_family, ntohs(from->sa.sin.sin_port));
    *len = got;

    /* Only a stream socket treats a zero-length read as end of stream. */
    return (got == 0 && sock->type == SOCK_STREAM) ? APR_EOF : APR_SUCCESS;
}
/*
 * Resolve a hostname with the legacy gethostbyname() family of calls and
 * build a pool-allocated, singly linked list of apr_sockaddr_t records, one
 * per IPv4 address returned (every record is tagged AF_INET).
 *
 * A NULL hostname is treated as "0.0.0.0".  A purely numeric dotted string
 * is converted with inet_addr() and never hits the resolver.
 *
 * @param sa       out: head of the new list (only written when at least one
 *                 address is produced)
 * @param hostname name or dotted-quad to resolve; NULL means "0.0.0.0"
 * @param family   accepted for interface symmetry; not read by this function
 * @param port     port stored on every record via apr_sockaddr_vars_set
 * @param flags    accepted for interface symmetry; not read by this function
 * @param p        pool the records and the hostname copy are allocated from
 * @return APR_SUCCESS, or the resolver's error translated into the
 *         APR_OS_START_SYSERR range (apr_get_netos_error() on WIN32)
 */
static apr_status_t find_addresses(apr_sockaddr_t **sa, const char *hostname, apr_int32_t family, apr_port_t port, apr_int32_t flags, apr_pool_t *p)
{
    struct hostent *hp;
    apr_sockaddr_t *prev_sa;
    int curaddr;
#if APR_HAS_THREADS && !defined(GETHOSTBYNAME_IS_THREAD_SAFE) && \
    defined(HAVE_GETHOSTBYNAME_R) && !defined(BEOS)
#ifdef GETHOSTBYNAME_R_HOSTENT_DATA
    struct hostent_data hd;
#else
    /* If you see ERANGE, that means GETHOSTBYNAME_BUFLEN needs to be
     * bumped. */
    char tmp[GETHOSTBYNAME_BUFLEN];
#endif
    int hosterror;
#endif
    struct hostent hs;
    struct in_addr ipaddr;
    char *addr_list[2];
    /* Kept so the caller's spelling (and a NULL) can be recorded on the
     * first list element below; the substituted "0.0.0.0" is never stored. */
    const char *orig_hostname = hostname;

    if (hostname == NULL) {
        /* if we are given a NULL hostname, assume '0.0.0.0' */
        hostname = "0.0.0.0";
    }

    /* Fast path: a string made only of digits and dots is parsed locally
     * instead of being handed to the resolver. */
    if (*hostname >= '0' && *hostname <= '9' && strspn(hostname, "0123456789.") == strlen(hostname)) {
        /* NOTE(review): inet_addr()'s failure value is not checked here, so a
         * malformed numeric string (e.g. an octet above 255) is still turned
         * into a single-entry list — confirm whether callers rely on this. */
        ipaddr.s_addr = inet_addr(hostname);
        addr_list[0] = (char *)&ipaddr;
        addr_list[1] = NULL; /* just one IP in list */
        /* Fake up a hostent so the list-building loop below needs no
         * special case for the numeric path. */
        hs.h_addr_list = (char **)addr_list;
        hp = &hs;
    }
    else {
#if APR_HAS_THREADS && !defined(GETHOSTBYNAME_IS_THREAD_SAFE) && \
    defined(HAVE_GETHOSTBYNAME_R) && !defined(BEOS)
#if defined(GETHOSTBYNAME_R_HOSTENT_DATA)
        /* AIX, HP/UX, D/UX et alia */
        /* This variant's return value is not examined; hp is always set to
         * &hs, so the !hp check further down never fires on this path. */
        gethostbyname_r(hostname, &hs, &hd);
        hp = &hs;
#else
#if defined(GETHOSTBYNAME_R_GLIBC2)
        /* Linux glibc2+ */
        gethostbyname_r(hostname, &hs, tmp, GETHOSTBYNAME_BUFLEN - 1, &hp, &hosterror);
#else
        /* Solaris, Irix et alia */
        hp = gethostbyname_r(hostname, &hs, tmp, GETHOSTBYNAME_BUFLEN - 1, &hosterror);
#endif /* !defined(GETHOSTBYNAME_R_GLIBC2) */
        if (!hp) {
            return (hosterror + APR_OS_START_SYSERR);
        }
#endif /* !defined(GETHOSTBYNAME_R_HOSTENT_DATA) */
#else
        /* Non-reentrant fallback: used when the build has no usable
         * gethostbyname_r() or does not need thread safety. */
        hp = gethostbyname(hostname);
#endif
        if (!hp) {
#ifdef WIN32
            return apr_get_netos_error();
#else
            return (h_errno + APR_OS_START_SYSERR);
#endif
        }
    }

    /* Walk the NULL-terminated h_addr_list and chain one record per entry. */
    prev_sa = NULL;
    curaddr = 0;
    while (hp->h_addr_list[curaddr]) {
        apr_sockaddr_t *new_sa = apr_pcalloc(p, sizeof(apr_sockaddr_t));
        new_sa->pool = p;
        /* Each h_addr_list entry is copied as a struct in_addr; this path
         * only ever produces AF_INET records. */
        new_sa->sa.sin.sin_addr = *(struct in_addr *)hp->h_addr_list[curaddr];
        apr_sockaddr_vars_set(new_sa, AF_INET, port);
        if (!prev_sa) { /* first element in new list */
            if (orig_hostname) {
                new_sa->hostname = apr_pstrdup(p, orig_hostname);
            }
            *sa = new_sa;
        }
        else {
            /* Later elements share the first element's hostname string. */
            new_sa->hostname = prev_sa->hostname;
            prev_sa->next = new_sa;
        }
        prev_sa = new_sa;
        ++curaddr;
    }
    return APR_SUCCESS;
}
/*
 * Resolve a hostname with getaddrinfo() and build a pool-allocated, singly
 * linked list of apr_sockaddr_t records, one per AF_INET/AF_INET6 result.
 *
 * A NULL hostname is turned into a passive ("bind to all interfaces")
 * lookup, with platform workarounds for Tru64 and AIX.  When the build has
 * AI_ADDRCONFIG, an APR_UNSPEC lookup first restricts results to families
 * for which a local interface is configured and retries without the flag
 * if the resolver rejects it.
 *
 * @param sa       out: head of the new list (only written when at least one
 *                 usable address is produced)
 * @param hostname name or literal to resolve; NULL means all local interfaces
 * @param family   address family placed in hints.ai_family
 * @param port     port stored on every record via apr_sockaddr_vars_set
 * @param flags    accepted for interface symmetry; not read by this function
 * @param p        pool the records, servname and hostname copy come from
 * @return APR_SUCCESS; errno when getaddrinfo() reports EAI_SYSTEM (non-WIN32);
 *         otherwise the EAI code translated into the APR_OS_START_EAIERR range
 */
static apr_status_t call_resolver(apr_sockaddr_t **sa, const char *hostname, apr_int32_t family, apr_port_t port, apr_int32_t flags, apr_pool_t *p)
{
    struct addrinfo hints, *ai, *ai_list;
    apr_sockaddr_t *prev_sa;
    int error;
    char *servname = NULL;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;
#ifdef HAVE_GAI_ADDRCONFIG
    if (family == APR_UNSPEC) {
        /* By default, only look up addresses using address types for
         * which a local interface is configured, i.e. no IPv6 if no
         * IPv6 interfaces configured. */
        hints.ai_flags = AI_ADDRCONFIG;
    }
#endif
    if(hostname == NULL) {
#ifdef AI_PASSIVE
        /* If hostname is NULL, assume we are trying to bind to all
         * interfaces. */
        hints.ai_flags |= AI_PASSIVE;
#endif
        /* getaddrinfo according to RFC 2553 must have either hostname
         * or servname non-NULL.
         */
#ifdef OSF1
        /* The Tru64 5.0 getaddrinfo() can only resolve services given
         * by the name listed in /etc/services; a numeric or unknown
         * servname gets an EAI_SERVICE error.  So just resolve the
         * appropriate anyaddr and fill in the port later. */
        /* Note this makes hostname non-NULL, so on Tru64 the anyaddr
         * literal is what gets recorded as the first element's hostname. */
        hostname = family == AF_INET6 ? "::" : "0.0.0.0";
        servname = NULL;
#ifdef AI_NUMERICHOST
        hints.ai_flags |= AI_NUMERICHOST;
#endif
#else
#ifdef _AIX
        /* But current AIX getaddrinfo() doesn't like servname = "0";
         * the "1" won't hurt since we use the port parameter to fill
         * in the returned socket addresses later */
        if (!port) {
            servname = "1";
        }
        else
#endif /* _AIX */
        servname = apr_itoa(p, port);
#endif /* OSF1 */
    }
    error = getaddrinfo(hostname, servname, &hints, &ai_list);
#ifdef HAVE_GAI_ADDRCONFIG
    if (error == EAI_BADFLAGS && family == APR_UNSPEC) {
        /* Retry with no flags if AI_ADDRCONFIG was rejected. */
        hints.ai_flags = 0;
        error = getaddrinfo(hostname, servname, &hints, &ai_list);
    }
#endif
    if (error) {
#ifndef WIN32
        if (error == EAI_SYSTEM) {
            return errno;
        }
        else
#endif
        {
            /* issues with representing this with APR's error scheme:
             * glibc uses negative values for these numbers, perhaps so
             * they don't conflict with h_errno values...  Tru64 uses
             * positive values which conflict with h_errno values
             */
#if defined(NEGATIVE_EAI)
            error = -error;
#endif
            return error + APR_OS_START_EAIERR;
        }
    }

    prev_sa = NULL;
    ai = ai_list;
    while (ai) { /* while more addresses to report */
        apr_sockaddr_t *new_sa;

        /* Ignore anything bogus: getaddrinfo in some old versions of
         * glibc will return AF_UNIX entries for APR_UNSPEC+AI_PASSIVE
         * lookups. */
        if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) {
            ai = ai->ai_next;
            continue;
        }

        new_sa = apr_pcalloc(p, sizeof(apr_sockaddr_t));
        new_sa->pool = p;
        /* NOTE(review): copies ai_addrlen bytes into new_sa->sa; this relies
         * on the family filter above admitting only address sizes that fit
         * the union — confirm against the apr_sockaddr_t definition. */
        memcpy(&new_sa->sa, ai->ai_addr, ai->ai_addrlen);
        apr_sockaddr_vars_set(new_sa, ai->ai_family, port);

        if (!prev_sa) { /* first element in new list */
            if (hostname) {
                new_sa->hostname = apr_pstrdup(p, hostname);
            }
            *sa = new_sa;
        }
        else {
            /* Later elements share the first element's hostname string. */
            new_sa->hostname = prev_sa->hostname;
            prev_sa->next = new_sa;
        }

        prev_sa = new_sa;
        ai = ai->ai_next;
    }
    /* NOTE(review): if every entry was filtered out above, *sa is left
     * untouched while APR_SUCCESS is still returned — callers should
     * initialise their pointer before calling. */
    freeaddrinfo(ai_list);
    return APR_SUCCESS;
}
/*
 * post_read_request hook: replace the connection's client address with the
 * address carried in the configured proxy header (config->header_name).
 *
 * The header value is consumed right-to-left, one comma-separated entry per
 * loop iteration.  Before each entry is accepted, the address that is
 * currently considered the client (the real peer on the first iteration,
 * the previously accepted entry afterwards) is looked up in the trusted
 * proxy list to decide whether it is an "internal" proxy; non-internal
 * hops are then only accepted when they carry a public address.  Per
 * connection state (reverseproxy_conn_t in c->pool) remembers the original
 * peer so it can be restored, and the last header value so an identical
 * header on a keepalive request is not parsed again.
 *
 * @param r the request; r->connection is modified in place
 * @return DECLINED when the module is disabled, otherwise OK
 */
static int reverseproxy_modify_connection(request_rec *r)
{
    conn_rec *c = r->connection;
    reverseproxy_config_t *config = (reverseproxy_config_t *) ap_get_module_config(r->server->module_config, &reverseproxy_module);
    if (!config->enable_module)
        return DECLINED;
    reverseproxy_conn_t *conn;
#ifdef REMOTEIP_OPTIMIZED
    /* Stack copy of the address so parsing never allocates per entry. */
    apr_sockaddr_t temp_sa_buff;
    apr_sockaddr_t *temp_sa = &temp_sa_buff;
#else
    apr_sockaddr_t *temp_sa;
#endif
    apr_status_t rv;
    char *remote = (char *) apr_table_get(r->headers_in, config->header_name);
    char *proxy_ips = NULL;
    char *parse_remote;
    char *eos;
    unsigned char *addrbyte;
    /* Non-NULL once the current hop matched a trusted-proxy entry flagged
     * internal; that switches off the private-range filtering below. */
    void *internal = NULL;

    apr_pool_userdata_get((void*)&conn, "mod_reverseproxy-conn", c->pool);
    if (conn) {
        if (remote && (strcmp(remote, conn->prior_remote) == 0)) {
            /* TODO: Recycle r-> overrides from previous request */
            goto ditto_request_rec;
        }
        else {
            /* TODO: Revert connection from previous request */
            /* A different (or absent) header on a keepalive connection
             * starts again from the real peer address. */
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
            c->client_addr = conn->orig_addr;
            c->client_ip = (char *) conn->orig_ip;
#else
            c->remote_addr = conn->orig_addr;
            c->remote_ip = (char *) conn->orig_ip;
#endif
        }
    }
    /* Request-scoped copy: the parser writes NULs into it. */
    remote = apr_pstrdup(r->pool, remote);
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
#ifdef REMOTEIP_OPTIMIZED
    memcpy(temp_sa, c->client_addr, sizeof(*temp_sa));
    temp_sa->pool = r->pool;
#else
    temp_sa = c->client_addr;
#endif
#else
#ifdef REMOTEIP_OPTIMIZED
    memcpy(temp_sa, c->remote_addr, sizeof(*temp_sa));
    temp_sa->pool = r->pool;
#else
    temp_sa = c->remote_addr;
#endif
#endif

    while (remote) {
        /* verify c->client_addr is trusted if there is a trusted proxy list */
        /* NOTE(review): with no proxy list configured this whole check is
         * skipped and every header value is accepted from any peer; and even
         * with a list, a client_addr that matches no entry only leaves
         * `internal` NULL — the loop still goes on to accept the entry.  The
         * cloudflare variant on this page breaks out (or returns 403) when
         * `i >= nelts`; confirm whether the same is intended here, since
         * without it an untrusted peer can supply any public address. */
        if (config->proxymatch_ip) {
            int i;
            reverseproxy_proxymatch_t *match;
            match = (reverseproxy_proxymatch_t *)config->proxymatch_ip->elts;
            for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
                if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
                    internal = match[i].internal;
                    break;
                }
#else
                if (apr_ipsubnet_test(match[i].ip, c->remote_addr)) {
                    internal = match[i].internal;
                    break;
                }
#endif
            }
        }
        /* Split off the right-most entry; the comma is overwritten with a
         * NUL so `remote` now ends just before it. */
        if ((parse_remote = strrchr(remote, ',')) == NULL) {
            parse_remote = remote;
            remote = NULL;
        }
        else {
            *(parse_remote++) = '\0';
        }
        /* Trim leading and trailing spaces from the entry. */
        while (*parse_remote == ' ')
            ++parse_remote;
        eos = parse_remote + strlen(parse_remote) - 1;
        while (eos >= parse_remote && *eos == ' ')
            *(eos--) = '\0';
        if (eos < parse_remote) {
            /* Empty entry: put the comma back so the unparsed remainder
             * (`remote`) is a complete header value again, then stop. */
            if (remote)
                *(remote + strlen(remote)) = ',';
            else
                remote = parse_remote;
            break;
        }
#ifdef REMOTEIP_OPTIMIZED
        /* Decode client_addr - sucks; apr_sockaddr_vars_set isn't 'public' */
        /* NOTE(review): temp_sa is a pointer here, so `temp_sa.port` looks
         * like it would not compile; this branch appears to be untested. */
        if (inet_pton(AF_INET, parse_remote, &temp_sa->sa.sin.sin_addr) > 0) {
            apr_sockaddr_vars_set(temp_sa, APR_INET, temp_sa.port);
        }
#if APR_HAVE_IPV6
        else if (inet_pton(AF_INET6, parse_remote, &temp_sa->sa.sin6.sin6_addr) > 0) {
            apr_sockaddr_vars_set(temp_sa, APR_INET6, temp_sa.port);
        }
#endif
        else {
            rv = apr_get_netos_error();
#else /* !REMOTEIP_OPTIMIZED */
        /* We map as IPv4 rather than IPv6 for equivilant host names
         * or IPV4OVERIPV6 */
        /* Allocates a fresh apr_sockaddr_t in r->pool on every entry. */
        rv = apr_sockaddr_info_get(&temp_sa, parse_remote, APR_UNSPEC, temp_sa->port, APR_IPV4_ADDR_OK, r->pool);
        if (rv != APR_SUCCESS) {
#endif
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s cannot be parsed " "as a client IP", config->header_name, parse_remote);
            /* Unparsable entry: restore the comma and leave the rest of the
             * header unconsumed. */
            if (remote)
                *(remote + strlen(remote)) = ',';
            else
                remote = parse_remote;
            break;
        }
        addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr;
        /* For intranet (Internal proxies) ignore all restrictions below */
        if (!internal && ((temp_sa->family == APR_INET
                           /* For internet (non-Internal proxies) deny all
                            * RFC3330 designated local/private subnets:
                            * 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16
                            * 127.0.0.0/8 172.16.0.0/12 */
                           && (addrbyte[0] == 10 || addrbyte[0] == 127 || (addrbyte[0] == 169 && addrbyte[1] == 254) || (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16) || (addrbyte[0] == 192 && addrbyte[1] == 168)))
#if APR_HAVE_IPV6
                          || (temp_sa->family == APR_INET6
                              /* For internet (non-Internal proxies) we translated
                               * IPv4-over-IPv6-mapped addresses as IPv4, above.
                               * Accept only Global Unicast 2000::/3 defined by RFC4291 */
                              && ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20))
#endif
                          )) {
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s appears to be " "a private IP or nonsensical. Ignored", config->header_name, parse_remote);
            /* Private/non-global address from a non-internal hop: restore
             * the comma and stop here. */
            if (remote)
                *(remote + strlen(remote)) = ',';
            else
                remote = parse_remote;
            break;
        }
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
        /* First accepted entry on this connection: remember the real peer so
         * later requests can be reverted to it. */
        if (!conn) {
            conn = (reverseproxy_conn_t *) apr_palloc(c->pool, sizeof(*conn));
            apr_pool_userdata_set(conn, "mod_reverseproxy-conn", NULL, c->pool);
            conn->orig_addr = c->client_addr;
            conn->orig_ip = c->client_ip;
        }
        /* Set remote_ip string */
        /* Accumulate the non-internal hops we passed through, oldest last. */
        if (!internal) {
            if (proxy_ips)
                proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ", c->client_ip, NULL);
            else
                proxy_ips = c->client_ip;
        }
        /* The accepted entry becomes "the client" for the next iteration's
         * trust check. */
        c->client_addr = temp_sa;
        apr_sockaddr_ip_get(&c->client_ip, c->client_addr);
    }
    /* Nothing happened? */
    if (!conn || (c->client_addr == conn->orig_addr))
        return OK;
    /* Fixups here, remote becomes the new Via header value, etc
     * In the heavy operations above we used request scope, to limit
     * conn pool memory growth on keepalives, so here we must scope
     * the final results to the connection pool lifetime.
     * To limit memory growth, we keep recycling the same buffer
     * for the final apr_sockaddr_t in the remoteip conn rec.
     */
    c->client_ip = apr_pstrdup(c->pool, c->client_ip);
    conn->proxied_ip = c->client_ip;
    r->useragent_ip = c->client_ip;
    r->useragent_addr = c->client_addr;
    memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa));
    conn->proxied_addr.pool = c->pool;
    c->client_addr = &conn->proxied_addr;
#else
    /* First accepted entry on this connection: remember the real peer so
     * later requests can be reverted to it. */
        if (!conn) {
            conn = (reverseproxy_conn_t *) apr_palloc(c->pool, sizeof(*conn));
            apr_pool_userdata_set(conn, "mod_reverseproxy-conn", NULL, c->pool);
            conn->orig_addr = c->remote_addr;
            conn->orig_ip = c->remote_ip;
        }
        /* Set remote_ip string */
        /* Accumulate the non-internal hops we passed through, oldest last. */
        if (!internal) {
            if (proxy_ips)
                proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ", c->remote_ip, NULL);
            else
                proxy_ips = c->remote_ip;
        }
        /* The accepted entry becomes "the client" for the next iteration's
         * trust check. */
        c->remote_addr = temp_sa;
        apr_sockaddr_ip_get(&c->remote_ip, c->remote_addr);
    }
    /* Nothing happened? */
    if (!conn || (c->remote_addr == conn->orig_addr))
        return OK;
    /* Fixups here, remote becomes the new Via header value, etc
     * In the heavy operations above we used request scope, to limit
     * conn pool memory growth on keepalives, so here we must scope
     * the final results to the connection pool lifetime.
     * To limit memory growth, we keep recycling the same buffer
     * for the final apr_sockaddr_t in the remoteip conn rec.
     */
    c->remote_ip = apr_pstrdup(c->pool, c->remote_ip);
    conn->proxied_ip = c->remote_ip;
    memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa));
    conn->proxied_addr.pool = c->pool;
    c->remote_addr = &conn->proxied_addr;
#endif
    /* Whatever part of the header was not consumed is kept for reuse. */
    if (remote)
        remote = apr_pstrdup(c->pool, remote);
    conn->proxied_remote = remote;
    /* Remember the raw header so an identical value on the next request on
     * this connection short-circuits to ditto_request_rec. */
    conn->prior_remote = apr_pstrdup(c->pool, apr_table_get(r->headers_in, config->header_name));
    if (proxy_ips)
        proxy_ips = apr_pstrdup(c->pool, proxy_ips);
    conn->proxy_ips = proxy_ips;
    /* Unset remote_host string DNS lookups */
    c->remote_host = NULL;
    c->remote_logname = NULL;
ditto_request_rec:
    /* Publish the proxy chain in r->notes and, if configured, as a header. */
    if (conn->proxy_ips) {
        apr_table_setn(r->notes, "reverseproxy-proxy-ip-list", conn->proxy_ips);
        if (config->proxies_header_name)
            apr_table_setn(r->headers_in, config->proxies_header_name, conn->proxy_ips);
    }
    ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, conn->proxy_ips ? "Using %s as client's IP by proxies %s" : "Using %s as client's IP by internal proxies", conn->proxied_ip, conn->proxy_ips);
    return OK;
}
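/*
 * Create, configure and bind a listening socket for a network server.
 *
 * @param context   pool the socket and its address are allocated from
 * @param ofamily   address family requested by the caller; overridden by the
 *                  family of bind_addr when one is given
 * @param type      socket type passed to apr_socket_create
 * @param port      port to bind
 * @param bind_addr optional address string to bind to; NULL binds the
 *                  socket's own local address on the given port
 * @param blocking  zero to switch the socket into non-blocking mode
 * @return the bound socket, or NULL on any failure.  Once the socket has
 *         been created it is closed before NULL is returned.
 */
static apr_socket_t * create_net_server(apr_pool_t *context, int32_t ofamily, int type, apr_port_t port, char *bind_addr, int blocking)
{
    apr_sockaddr_t *localsa = NULL;
    apr_socket_t *sock = NULL;
    apr_status_t stat;
    int32_t family = ofamily;

    /* We set family to the family specified in the option. If however a bind address
     * is also specified, it's family will take precedence.
     * e.g. ofamily = APR_INET6 but the bind address is "127.0.0.1" which is IPv4
     * the family will be set to the bind address family */
    if (bind_addr) {
        stat = apr_sockaddr_info_get(&localsa, bind_addr, APR_UNSPEC, port, 0, context);
        if (stat != APR_SUCCESS)
            return NULL;
        family = localsa->sa.sin.sin_family;
    }

    stat = apr_socket_create(&sock, family, type, 0, context);
    if (stat != APR_SUCCESS)
        return NULL;

    if (!blocking) {
        /* This is a non-blocking server */
        stat = apr_socket_opt_set(sock, APR_SO_NONBLOCK, 1);
        if (stat != APR_SUCCESS)
            goto fail;
    }

    stat = apr_socket_opt_set(sock, APR_SO_REUSEADDR, 1);
    if (stat != APR_SUCCESS)
        goto fail;

    if (!localsa) {
        /* No bind address given: take the socket's own local address and
         * stamp the requested port on it.  The lookup's result used to be
         * ignored and localsa dereferenced regardless; a failed lookup now
         * closes the socket instead of dereferencing an unset pointer. */
        stat = apr_socket_addr_get(&localsa, APR_LOCAL, sock);
        if (stat != APR_SUCCESS || localsa == NULL)
            goto fail;
        apr_sockaddr_vars_set(localsa, localsa->family, port);
    }

#if APR_HAVE_IPV6
    if (localsa->family == APR_INET6) {
        int one = 1;
        /* Don't accept IPv4 connections on an IPv6 listening socket */
        stat = apr_socket_opt_set(sock, APR_IPV6_V6ONLY, one);
        /* Only the "not implemented" outcome is reported; any other failure
         * to set the option is not treated as fatal, as before. */
        if (stat == APR_ENOTIMPL) {
            err_msg("Warning: your operating system does not support IPV6_V6ONLY!\n");
            err_msg("This means that you are also listening to IPv4 traffic on port %d\n", port);
            err_msg("This IPv6=>IPv4 mapping may be a security risk.\n");
        }
    }
#endif

    stat = apr_socket_bind(sock, localsa);
    if (stat != APR_SUCCESS)
        goto fail;
    return sock;

fail:
    /* Single cleanup path for every failure after the socket exists. */
    apr_socket_close(sock);
    return NULL;
}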
/*
 * Resolve a hostname with getaddrinfo() and build a pool-allocated, singly
 * linked list of apr_sockaddr_t records, one per AF_INET/AF_INET6 result.
 *
 * A NULL hostname is turned into a passive ("bind to all interfaces")
 * lookup, with a servname workaround for AIX.  Unlike the other
 * call_resolver variant on this page, this one never sets AI_ADDRCONFIG.
 *
 * @param sa       out: head of the new list (only written when at least one
 *                 usable address is produced)
 * @param hostname name or literal to resolve; NULL means all local interfaces
 * @param family   address family placed in hints.ai_family
 * @param port     port stored on every record via apr_sockaddr_vars_set
 * @param flags    accepted for interface symmetry; not read by this function
 * @param p        pool the records, servname and hostname copy come from
 * @return APR_SUCCESS; errno when getaddrinfo() reports EAI_SYSTEM (non-WIN32);
 *         otherwise the EAI code translated into the APR_OS_START_EAIERR range
 */
static apr_status_t call_resolver(apr_sockaddr_t **sa, const char *hostname, apr_int32_t family, apr_port_t port, apr_int32_t flags, apr_pool_t *p)
{
    struct addrinfo hints, *ai, *ai_list;
    apr_sockaddr_t *prev_sa;
    int error;
    char *servname = NULL;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = family;
    hints.ai_socktype = SOCK_STREAM;
    if(hostname == NULL) {
#ifdef AI_PASSIVE
        /* If hostname is NULL, assume we are trying to bind to all
         * interfaces. */
        hints.ai_flags |= AI_PASSIVE;
#endif
        /* getaddrinfo according to RFC 2553 must have either hostname
         * or servname non-NULL.
         */
#ifdef _AIX
        /* But current AIX getaddrinfo() doesn't like servname = "0";
         * the "1" won't hurt since we use the port parameter to fill
         * in the returned socket addresses later */
        if (!port) {
            servname = "1";
        }
        else
#endif
        servname = apr_itoa(p, port);
    }
    error = getaddrinfo(hostname, servname, &hints, &ai_list);
    if (error) {
#ifndef WIN32
        if (error == EAI_SYSTEM) {
            return errno;
        }
        else
#endif
        {
            /* issues with representing this with APR's error scheme:
             * glibc uses negative values for these numbers, perhaps so
             * they don't conflict with h_errno values...  Tru64 uses
             * positive values which conflict with h_errno values
             */
#if defined(NEGATIVE_EAI)
            error = -error;
#endif
            return error + APR_OS_START_EAIERR;
        }
    }

    prev_sa = NULL;
    ai = ai_list;
    while (ai) { /* while more addresses to report */
        apr_sockaddr_t *new_sa;

        /* Ignore anything bogus: getaddrinfo in some old versions of
         * glibc will return AF_UNIX entries for AF_UNSPEC+AI_PASSIVE
         * lookups.
         */
        if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) {
            ai = ai->ai_next;
            continue;
        }

        new_sa = apr_pcalloc(p, sizeof(apr_sockaddr_t));
        new_sa->pool = p;
        /* NOTE(review): copies ai_addrlen bytes into new_sa->sa; this relies
         * on the family filter above admitting only address sizes that fit
         * the union — confirm against the apr_sockaddr_t definition. */
        memcpy(&new_sa->sa, ai->ai_addr, ai->ai_addrlen);
        apr_sockaddr_vars_set(new_sa, ai->ai_family, port);

        if (!prev_sa) { /* first element in new list */
            if (hostname) {
                new_sa->hostname = apr_pstrdup(p, hostname);
            }
            *sa = new_sa;
        }
        else {
            /* Later elements share the first element's hostname string. */
            new_sa->hostname = prev_sa->hostname;
            prev_sa->next = new_sa;
        }

        prev_sa = new_sa;
        ai = ai->ai_next;
    }
    /* NOTE(review): if every entry was filtered out above, *sa is left
     * untouched while APR_SUCCESS is still returned — callers should
     * initialise their pointer before calling. */
    freeaddrinfo(ai_list);
    return APR_SUCCESS;
}
/*
 * post_read_request hook: replace the connection's client address with the
 * address carried in the configured header (config->header_name).
 *
 * The header value is consumed right-to-left, one comma-separated entry per
 * loop iteration.  Before each entry is accepted, the address currently
 * considered the client (the real peer on the first iteration, the
 * previously accepted entry afterwards) is checked against the trusted
 * proxy list; when a list is configured and the address matches no entry
 * the request is either rejected with 403 (config->deny_all) or the rest of
 * the header is ignored.  Per-connection state (cloudflare_conn_t in
 * c->pool) remembers the original peer so it can be restored, and the last
 * header value so an identical header on a keepalive request is not parsed
 * again.
 *
 * @param r the request; r->connection is modified in place
 * @return OK, or 403 when config->deny_all is set and either the header is
 *         missing or the peer is not in the trusted proxy list
 */
static int cloudflare_modify_connection(request_rec *r)
{
    conn_rec *c = r->connection;
    cloudflare_config_t *config = (cloudflare_config_t *) ap_get_module_config(r->server->module_config, &cloudflare_module);
    cloudflare_conn_t *conn;
#ifdef REMOTEIP_OPTIMIZED
    /* Stack copy of the address so parsing never allocates per entry. */
    apr_sockaddr_t temp_sa_buff;
    apr_sockaddr_t *temp_sa = &temp_sa_buff;
#else
    apr_sockaddr_t *temp_sa;
#endif
    apr_status_t rv;
    char *remote = (char *) apr_table_get(r->headers_in, config->header_name);
    char *proxy_ips = NULL;
    char *parse_remote;
    char *eos;
    unsigned char *addrbyte;
    /* Non-NULL once the current hop matched a trusted-proxy entry flagged
     * internal; that switches off the private-range filtering below. */
    void *internal = NULL;

    apr_pool_userdata_get((void*)&conn, "mod_cloudflare-conn", c->pool);
    if (conn) {
        if (remote && (strcmp(remote, conn->prior_remote) == 0)) {
            /* TODO: Recycle r-> overrides from previous request */
            goto ditto_request_rec;
        }
        else {
            /* TODO: Revert connection from previous request */
            /* A different (or absent) header on a keepalive connection
             * starts again from the real peer address. */
            c->client_addr = conn->orig_addr;
            c->client_ip = (char *) conn->orig_ip;
        }
    }
    /* No header at all: reject when deny_all is on, otherwise leave the
     * connection's real peer address in place. */
    if (!remote) {
        if (config->deny_all) {
            return 403;
        }
        return OK;
    }
    /* Request-scoped copy: the parser writes NULs into it. */
    remote = apr_pstrdup(r->pool, remote);
#ifdef REMOTEIP_OPTIMIZED
    /* NOTE(review): this copies sizeof(pointer) bytes over the pointer
     * variable itself rather than the struct it points at (compare the
     * reverseproxy variant's memcpy(temp_sa, ..., sizeof(*temp_sa))); the
     * OPTIMIZED build appears to be untested. */
    memcpy(&temp_sa, c->client_addr, sizeof(temp_sa));
    temp_sa->pool = r->pool;
#else
    temp_sa = c->client_addr;
#endif
    while (remote) {
        /* verify c->client_addr is trusted if there is a trusted proxy list */
        /* NOTE(review): with no proxy list configured this whole check,
         * including the deny_all rejection, is skipped and every header
         * value is accepted from any peer — confirm the defaults always
         * populate proxymatch_ip. */
        if (config->proxymatch_ip) {
            int i;
            cloudflare_proxymatch_t *match;
            match = (cloudflare_proxymatch_t *)config->proxymatch_ip->elts;
            for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
                if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
                    internal = match[i].internal;
                    break;
                }
            }
            /* Fell off the end of the list without a match (the `i &&`
             * guard means an empty list never rejects): deny or stop. */
            if (i && i >= config->proxymatch_ip->nelts) {
                if (config->deny_all) {
                    return 403;
                }
                else {
                    break;
                }
            }
        }
        /* Split off the right-most entry; the comma is overwritten with a
         * NUL so `remote` now ends just before it. */
        if ((parse_remote = strrchr(remote, ',')) == NULL) {
            parse_remote = remote;
            remote = NULL;
        }
        else {
            *(parse_remote++) = '\0';
        }
        /* Trim leading and trailing spaces from the entry. */
        while (*parse_remote == ' ')
            ++parse_remote;
        eos = parse_remote + strlen(parse_remote) - 1;
        while (eos >= parse_remote && *eos == ' ')
            *(eos--) = '\0';
        if (eos < parse_remote) {
            /* Empty entry: put the comma back so the unparsed remainder
             * (`remote`) is a complete header value again, then stop. */
            if (remote)
                *(remote + strlen(remote)) = ',';
            else
                remote = parse_remote;
            break;
        }
#ifdef REMOTEIP_OPTIMIZED
        /* Decode client_addr - sucks; apr_sockaddr_vars_set isn't 'public' */
        /* NOTE(review): temp_sa_buff is a struct and temp_sa a pointer, so
         * `temp_sa_buff->` and `temp_sa.port` look like they would not
         * compile; see the note on the memcpy above. */
        if (inet_pton(AF_INET, parse_remote, &temp_sa_buff->sa.sin.sin_addr) > 0) {
            apr_sockaddr_vars_set(temp_sa, APR_INET, temp_sa.port);
        }
#if APR_HAVE_IPV6
        else if (inet_pton(AF_INET6, parse_remote, &temp_sa->sa.sin6.sin6_addr) > 0) {
            apr_sockaddr_vars_set(temp_sa, APR_INET6, temp_sa.port);
        }
#endif
        else {
            rv = apr_get_netos_error();
#else /* !REMOTEIP_OPTIMIZED */
        /* We map as IPv4 rather than IPv6 for equivilant host names
         * or IPV4OVERIPV6 */
        /* Allocates a fresh apr_sockaddr_t in r->pool on every entry. */
        rv = apr_sockaddr_info_get(&temp_sa, parse_remote, APR_UNSPEC, temp_sa->port, APR_IPV4_ADDR_OK, r->pool);
        if (rv != APR_SUCCESS) {
#endif
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s cannot be parsed " "as a client IP", config->header_name, parse_remote);
            /* Unparsable entry: restore the comma and leave the rest of the
             * header unconsumed. */
            if (remote)
                *(remote + strlen(remote)) = ',';
            else
                remote = parse_remote;
            break;
        }
        addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr;
        /* For intranet (Internal proxies) ignore all restrictions below */
        if (!internal && ((temp_sa->family == APR_INET
                           /* For internet (non-Internal proxies) deny all
                            * RFC3330 designated local/private subnets:
                            * 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16
                            * 127.0.0.0/8 172.16.0.0/12 */
                           && (addrbyte[0] == 10 || addrbyte[0] == 127 || (addrbyte[0] == 169 && addrbyte[1] == 254) || (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16) || (addrbyte[0] == 192 && addrbyte[1] == 168)))
#if APR_HAVE_IPV6
                          || (temp_sa->family == APR_INET6
                              /* For internet (non-Internal proxies) we translated
                               * IPv4-over-IPv6-mapped addresses as IPv4, above.
                               * Accept only Global Unicast 2000::/3 defined by RFC4291 */
                              && ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20))
#endif
                          )) {
            ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, "RemoteIP: Header %s value of %s appears to be " "a private IP or nonsensical. Ignored", config->header_name, parse_remote);
            /* Private/non-global address from a non-internal hop: restore
             * the comma and stop here. */
            if (remote)
                *(remote + strlen(remote)) = ',';
            else
                remote = parse_remote;
            break;
        }
        /* First accepted entry on this connection: remember the real peer so
         * later requests can be reverted to it. */
        if (!conn) {
            conn = (cloudflare_conn_t *) apr_palloc(c->pool, sizeof(*conn));
            apr_pool_userdata_set(conn, "mod_cloudflare-conn", NULL, c->pool);
            conn->orig_addr = c->client_addr;
            conn->orig_ip = c->client_ip;
        }
        /* Set client_ip string */
        /* Accumulate the non-internal hops we passed through, oldest last. */
        if (!internal) {
            if (proxy_ips)
                proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ", c->client_ip, NULL);
            else
                proxy_ips = c->client_ip;
        }
        /* The accepted entry becomes "the client" for the next iteration's
         * trust check. */
        c->client_addr = temp_sa;
        apr_sockaddr_ip_get(&c->client_ip, c->client_addr);
    }
    /* Nothing happened? */
    if (!conn || (c->client_addr == conn->orig_addr))
        return OK;
    /* Fixups here, remote becomes the new Via header value, etc
     * In the heavy operations above we used request scope, to limit
     * conn pool memory growth on keepalives, so here we must scope
     * the final results to the connection pool lifetime.
     * To limit memory growth, we keep recycling the same buffer
     * for the final apr_sockaddr_t in the remoteip conn rec.
     */
    c->client_ip = apr_pstrdup(c->pool, c->client_ip);
    conn->proxied_ip = c->client_ip;
    r->useragent_ip = c->client_ip;
    r->useragent_addr = c->client_addr;
    /* NOTE(review): this copies the pointer value (sizeof(temp_sa) bytes of
     * &temp_sa), not the apr_sockaddr_t it points at; the reverseproxy
     * variant uses memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa)).
     * Because the assignment below is commented out, proxied_addr is never
     * consumed here, but c->client_addr keeps pointing at request-pool
     * memory — confirm nothing reads it after r->pool is cleared. */
    memcpy(&conn->proxied_addr, &temp_sa, sizeof(temp_sa));
    conn->proxied_addr.pool = c->pool;
    // Causing an error with mod_authz_host
    // c->client_addr = &conn->proxied_addr;
    /* Whatever part of the header was not consumed is kept for reuse. */
    if (remote)
        remote = apr_pstrdup(c->pool, remote);
    conn->proxied_remote = remote;
    /* Remember the raw header so an identical value on the next request on
     * this connection short-circuits to ditto_request_rec. */
    conn->prior_remote = apr_pstrdup(c->pool, apr_table_get(r->headers_in, config->header_name));
    if (proxy_ips)
        proxy_ips = apr_pstrdup(c->pool, proxy_ips);
    conn->proxy_ips = proxy_ips;
    /* Unset remote_host string DNS lookups */
    c->remote_host = NULL;
    c->remote_logname = NULL;
ditto_request_rec:
    // Why do we unset the headers here?
    //if (conn->proxied_remote) {
    //    apr_table_setn(r->headers_in, config->header_name, conn->proxied_remote);
    //} else {
    //    apr_table_unset(r->headers_in, config->header_name);
    // }
    /* Publish the proxy chain in r->notes and, if configured, as a header. */
    if (conn->proxy_ips) {
        apr_table_setn(r->notes, "cloudflare-proxy-ip-list", conn->proxy_ips);
        if (config->proxies_header_name)
            apr_table_setn(r->headers_in, config->proxies_header_name, conn->proxy_ips);
    }
    ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r, conn->proxy_ips ? "Using %s as client's IP by proxies %s" : "Using %s as client's IP by internal proxies", conn->proxied_ip, conn->proxy_ips);
    return OK;
}

/* Configuration directives; each handler (header_name_set, proxies_set,
 * deny_all_set) is defined elsewhere in this module. */
static const command_rec cloudflare_cmds[] = {
    AP_INIT_TAKE1("CloudFlareRemoteIPHeader", header_name_set, NULL, RSRC_CONF, "Specifies a request header to trust as the client IP, " "Overrides the default of CF-Connecting-IP"),
    AP_INIT_ITERATE("CloudFlareRemoteIPTrustedProxy", proxies_set, 0, RSRC_CONF, "Specifies one or more proxies which are trusted " "to present IP headers. Overrides the defaults."),
    AP_INIT_NO_ARGS("DenyAllButCloudFlare", deny_all_set, NULL, RSRC_CONF, "Return a 403 status to all requests which do not originate from " "a CloudFlareRemoteIPTrustedProxy."),
    { NULL }
};

/*
 * Register cloudflare_modify_connection as a post_read_request hook.
 *
 * @param p pool passed by httpd to hook registration; unused here
 */
static void register_hooks(apr_pool_t *p)
{
    // We need to run very early so as to not trip up mod_security.
    // Hence, this little trick, as mod_security runs at APR_HOOK_REALLY_FIRST.
    ap_hook_post_read_request(cloudflare_modify_connection, NULL, NULL, APR_HOOK_REALLY_FIRST - 10);
}