static void set_socket_vars(apr_socket_t *sock, int family, int type, int protocol)
{
sock->type = type;
sock->protocol = protocol;
apr_sockaddr_vars_set(sock->local_addr, family, 0);
apr_sockaddr_vars_set(sock->remote_addr, family, 0);
}
static void set_socket_vars(apr_socket_t *sock, int family, int type, int protocol)
{
sock->type = type;
sock->protocol = protocol;
apr_sockaddr_vars_set(sock->local_addr, family, 0);
apr_sockaddr_vars_set(sock->remote_addr, family, 0);
#if APR_HAVE_IPV6
/* hard-coded behavior for older Windows IPv6 */
if (apr_os_level < APR_WIN_VISTA && family == AF_INET6) {
apr_set_option(sock, APR_IPV6_V6ONLY, 1);
}
#endif
}
static void set_socket_vars(apr_socket_t *sock, int family, int type, int protocol)
{
sock->type = type;
sock->protocol = protocol;
apr_sockaddr_vars_set(sock->local_addr, family, 0);
apr_sockaddr_vars_set(sock->remote_addr, family, 0);
sock->options = 0;
#if defined(BEOS) && !defined(BEOS_BONE)
/* BeOS pre-BONE has TCP_NODELAY on by default and it can't be
* switched off!
*/
sock->options |= APR_TCP_NODELAY;
#endif
}
APR_DECLARE(apr_status_t) apr_socket_recvfrom(apr_sockaddr_t *from,
apr_socket_t *sock,
apr_int32_t flags,
char *buf, apr_size_t *len)
{
apr_ssize_t rv;
from->salen = sizeof(from->sa);
rv = recvfrom(sock->socketdes, buf, (int)*len, flags,
(struct sockaddr*)&from->sa, &from->salen);
if (rv == SOCKET_ERROR) {
(*len) = 0;
return apr_get_netos_error();
}
apr_sockaddr_vars_set(from, from->sa.sin.sin_family,
ntohs(from->sa.sin.sin_port));
(*len) = rv;
if (rv == 0 && sock->type == SOCK_STREAM)
return APR_EOF;
return APR_SUCCESS;
}
static apr_status_t find_addresses(apr_sockaddr_t **sa,
const char *hostname, apr_int32_t family,
apr_port_t port, apr_int32_t flags,
apr_pool_t *p)
{
struct hostent *hp;
apr_sockaddr_t *prev_sa;
int curaddr;
#if APR_HAS_THREADS && !defined(GETHOSTBYNAME_IS_THREAD_SAFE) && \
defined(HAVE_GETHOSTBYNAME_R) && !defined(BEOS)
#ifdef GETHOSTBYNAME_R_HOSTENT_DATA
struct hostent_data hd;
#else
/* If you see ERANGE, that means GETHOSBYNAME_BUFLEN needs to be
* bumped. */
char tmp[GETHOSTBYNAME_BUFLEN];
#endif
int hosterror;
#endif
struct hostent hs;
struct in_addr ipaddr;
char *addr_list[2];
const char *orig_hostname = hostname;
if (hostname == NULL) {
/* if we are given a NULL hostname, assume '0.0.0.0' */
hostname = "0.0.0.0";
}
if (*hostname >= '0' && *hostname <= '9' &&
strspn(hostname, "0123456789.") == strlen(hostname)) {
ipaddr.s_addr = inet_addr(hostname);
addr_list[0] = (char *)&ipaddr;
addr_list[1] = NULL; /* just one IP in list */
hs.h_addr_list = (char **)addr_list;
hp = &hs;
}
else {
#if APR_HAS_THREADS && !defined(GETHOSTBYNAME_IS_THREAD_SAFE) && \
defined(HAVE_GETHOSTBYNAME_R) && !defined(BEOS)
#if defined(GETHOSTBYNAME_R_HOSTENT_DATA)
/* AIX, HP/UX, D/UX et alia */
gethostbyname_r(hostname, &hs, &hd);
hp = &hs;
#else
#if defined(GETHOSTBYNAME_R_GLIBC2)
/* Linux glibc2+ */
gethostbyname_r(hostname, &hs, tmp, GETHOSTBYNAME_BUFLEN - 1,
&hp, &hosterror);
#else
/* Solaris, Irix et alia */
hp = gethostbyname_r(hostname, &hs, tmp, GETHOSTBYNAME_BUFLEN - 1,
&hosterror);
#endif /* !defined(GETHOSTBYNAME_R_GLIBC2) */
if (!hp) {
return (hosterror + APR_OS_START_SYSERR);
}
#endif /* !defined(GETHOSTBYNAME_R_HOSTENT_DATA) */
#else
hp = gethostbyname(hostname);
#endif
if (!hp) {
#ifdef WIN32
return apr_get_netos_error();
#else
return (h_errno + APR_OS_START_SYSERR);
#endif
}
}
prev_sa = NULL;
curaddr = 0;
while (hp->h_addr_list[curaddr]) {
apr_sockaddr_t *new_sa = apr_pcalloc(p, sizeof(apr_sockaddr_t));
new_sa->pool = p;
new_sa->sa.sin.sin_addr = *(struct in_addr *)hp->h_addr_list[curaddr];
apr_sockaddr_vars_set(new_sa, AF_INET, port);
if (!prev_sa) { /* first element in new list */
if (orig_hostname) {
new_sa->hostname = apr_pstrdup(p, orig_hostname);
}
*sa = new_sa;
}
else {
new_sa->hostname = prev_sa->hostname;
prev_sa->next = new_sa;
}
prev_sa = new_sa;
++curaddr;
}
return APR_SUCCESS;
}
static apr_status_t call_resolver(apr_sockaddr_t **sa,
const char *hostname, apr_int32_t family,
apr_port_t port, apr_int32_t flags,
apr_pool_t *p)
{
struct addrinfo hints, *ai, *ai_list;
apr_sockaddr_t *prev_sa;
int error;
char *servname = NULL;
memset(&hints, 0, sizeof(hints));
hints.ai_family = family;
hints.ai_socktype = SOCK_STREAM;
#ifdef HAVE_GAI_ADDRCONFIG
if (family == APR_UNSPEC) {
/* By default, only look up addresses using address types for
* which a local interface is configured, i.e. no IPv6 if no
* IPv6 interfaces configured. */
hints.ai_flags = AI_ADDRCONFIG;
}
#endif
if(hostname == NULL) {
#ifdef AI_PASSIVE
/* If hostname is NULL, assume we are trying to bind to all
* interfaces. */
hints.ai_flags |= AI_PASSIVE;
#endif
/* getaddrinfo according to RFC 2553 must have either hostname
* or servname non-NULL.
*/
#ifdef OSF1
/* The Tru64 5.0 getaddrinfo() can only resolve services given
* by the name listed in /etc/services; a numeric or unknown
* servname gets an EAI_SERVICE error. So just resolve the
* appropriate anyaddr and fill in the port later. */
hostname = family == AF_INET6 ? "::" : "0.0.0.0";
servname = NULL;
#ifdef AI_NUMERICHOST
hints.ai_flags |= AI_NUMERICHOST;
#endif
#else
#ifdef _AIX
/* But current AIX getaddrinfo() doesn't like servname = "0";
* the "1" won't hurt since we use the port parameter to fill
* in the returned socket addresses later
*/
if (!port) {
servname = "1";
}
else
#endif /* _AIX */
servname = apr_itoa(p, port);
#endif /* OSF1 */
}
error = getaddrinfo(hostname, servname, &hints, &ai_list);
#ifdef HAVE_GAI_ADDRCONFIG
if (error == EAI_BADFLAGS && family == APR_UNSPEC) {
/* Retry with no flags if AI_ADDRCONFIG was rejected. */
hints.ai_flags = 0;
error = getaddrinfo(hostname, servname, &hints, &ai_list);
}
#endif
if (error) {
#ifndef WIN32
if (error == EAI_SYSTEM) {
return errno;
}
else
#endif
{
/* issues with representing this with APR's error scheme:
* glibc uses negative values for these numbers, perhaps so
* they don't conflict with h_errno values... Tru64 uses
* positive values which conflict with h_errno values
*/
#if defined(NEGATIVE_EAI)
error = -error;
#endif
return error + APR_OS_START_EAIERR;
}
}
prev_sa = NULL;
ai = ai_list;
while (ai) { /* while more addresses to report */
apr_sockaddr_t *new_sa;
/* Ignore anything bogus: getaddrinfo in some old versions of
* glibc will return AF_UNIX entries for APR_UNSPEC+AI_PASSIVE
* lookups. */
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) {
ai = ai->ai_next;
continue;
}
new_sa = apr_pcalloc(p, sizeof(apr_sockaddr_t));
new_sa->pool = p;
memcpy(&new_sa->sa, ai->ai_addr, ai->ai_addrlen);
apr_sockaddr_vars_set(new_sa, ai->ai_family, port);
if (!prev_sa) { /* first element in new list */
if (hostname) {
new_sa->hostname = apr_pstrdup(p, hostname);
}
*sa = new_sa;
}
else {
new_sa->hostname = prev_sa->hostname;
prev_sa->next = new_sa;
}
prev_sa = new_sa;
ai = ai->ai_next;
}
freeaddrinfo(ai_list);
return APR_SUCCESS;
}
static int reverseproxy_modify_connection(request_rec *r)
{
conn_rec *c = r->connection;
reverseproxy_config_t *config = (reverseproxy_config_t *)
ap_get_module_config(r->server->module_config, &reverseproxy_module);
if (!config->enable_module)
return DECLINED;
reverseproxy_conn_t *conn;
#ifdef REMOTEIP_OPTIMIZED
apr_sockaddr_t temp_sa_buff;
apr_sockaddr_t *temp_sa = &temp_sa_buff;
#else
apr_sockaddr_t *temp_sa;
#endif
apr_status_t rv;
char *remote = (char *) apr_table_get(r->headers_in, config->header_name);
char *proxy_ips = NULL;
char *parse_remote;
char *eos;
unsigned char *addrbyte;
void *internal = NULL;
apr_pool_userdata_get((void*)&conn, "mod_reverseproxy-conn", c->pool);
if (conn) {
if (remote && (strcmp(remote, conn->prior_remote) == 0)) {
/* TODO: Recycle r-> overrides from previous request
*/
goto ditto_request_rec;
}
else {
/* TODO: Revert connection from previous request
*/
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
c->client_addr = conn->orig_addr;
c->client_ip = (char *) conn->orig_ip;
#else
c->remote_addr = conn->orig_addr;
c->remote_ip = (char *) conn->orig_ip;
#endif
}
}
remote = apr_pstrdup(r->pool, remote);
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
#ifdef REMOTEIP_OPTIMIZED
memcpy(temp_sa, c->client_addr, sizeof(*temp_sa));
temp_sa->pool = r->pool;
#else
temp_sa = c->client_addr;
#endif
#else
#ifdef REMOTEIP_OPTIMIZED
memcpy(temp_sa, c->remote_addr, sizeof(*temp_sa));
temp_sa->pool = r->pool;
#else
temp_sa = c->remote_addr;
#endif
#endif
while (remote) {
/* verify c->client_addr is trusted if there is a trusted proxy list
*/
if (config->proxymatch_ip) {
int i;
reverseproxy_proxymatch_t *match;
match = (reverseproxy_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
internal = match[i].internal;
break;
}
#else
if (apr_ipsubnet_test(match[i].ip, c->remote_addr)) {
internal = match[i].internal;
break;
}
#endif
}
}
if ((parse_remote = strrchr(remote, ',')) == NULL) {
parse_remote = remote;
remote = NULL;
}
else {
*(parse_remote++) = '\0';
}
while (*parse_remote == ' ')
++parse_remote;
eos = parse_remote + strlen(parse_remote) - 1;
while (eos >= parse_remote && *eos == ' ')
*(eos--) = '\0';
if (eos < parse_remote) {
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
#ifdef REMOTEIP_OPTIMIZED
/* Decode client_addr - sucks; apr_sockaddr_vars_set isn't 'public' */
if (inet_pton(AF_INET, parse_remote,
&temp_sa->sa.sin.sin_addr) > 0) {
apr_sockaddr_vars_set(temp_sa, APR_INET, temp_sa.port);
}
#if APR_HAVE_IPV6
else if (inet_pton(AF_INET6, parse_remote,
&temp_sa->sa.sin6.sin6_addr) > 0) {
apr_sockaddr_vars_set(temp_sa, APR_INET6, temp_sa.port);
}
#endif
else {
rv = apr_get_netos_error();
#else /* !REMOTEIP_OPTIMIZED */
/* We map as IPv4 rather than IPv6 for equivilant host names
* or IPV4OVERIPV6
*/
rv = apr_sockaddr_info_get(&temp_sa, parse_remote,
APR_UNSPEC, temp_sa->port,
APR_IPV4_ADDR_OK, r->pool);
if (rv != APR_SUCCESS) {
#endif
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s cannot be parsed "
"as a client IP",
config->header_name, parse_remote);
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr;
/* For intranet (Internal proxies) ignore all restrictions below */
if (!internal
&& ((temp_sa->family == APR_INET
/* For internet (non-Internal proxies) deny all
* RFC3330 designated local/private subnets:
* 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16
* 127.0.0.0/8 172.16.0.0/12
*/
&& (addrbyte[0] == 10
|| addrbyte[0] == 127
|| (addrbyte[0] == 169 && addrbyte[1] == 254)
|| (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16)
|| (addrbyte[0] == 192 && addrbyte[1] == 168)))
#if APR_HAVE_IPV6
|| (temp_sa->family == APR_INET6
/* For internet (non-Internal proxies) we translated
* IPv4-over-IPv6-mapped addresses as IPv4, above.
* Accept only Global Unicast 2000::/3 defined by RFC4291
*/
&& ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20))
#endif
)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s appears to be "
"a private IP or nonsensical. Ignored",
config->header_name, parse_remote);
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
#if AP_MODULE_MAGIC_AT_LEAST(20111130,0)
if (!conn) {
conn = (reverseproxy_conn_t *) apr_palloc(c->pool, sizeof(*conn));
apr_pool_userdata_set(conn, "mod_reverseproxy-conn", NULL, c->pool);
conn->orig_addr = c->client_addr;
conn->orig_ip = c->client_ip;
}
/* Set remote_ip string */
if (!internal) {
if (proxy_ips)
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
c->client_ip, NULL);
else
proxy_ips = c->client_ip;
}
c->client_addr = temp_sa;
apr_sockaddr_ip_get(&c->client_ip, c->client_addr);
}
/* Nothing happened? */
if (!conn || (c->client_addr == conn->orig_addr))
return OK;
/* Fixups here, remote becomes the new Via header value, etc
* In the heavy operations above we used request scope, to limit
* conn pool memory growth on keepalives, so here we must scope
* the final results to the connection pool lifetime.
* To limit memory growth, we keep recycling the same buffer
* for the final apr_sockaddr_t in the remoteip conn rec.
*/
c->client_ip = apr_pstrdup(c->pool, c->client_ip);
conn->proxied_ip = c->client_ip;
r->useragent_ip = c->client_ip;
r->useragent_addr = c->client_addr;
memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa));
conn->proxied_addr.pool = c->pool;
c->client_addr = &conn->proxied_addr;
#else
if (!conn) {
conn = (reverseproxy_conn_t *) apr_palloc(c->pool, sizeof(*conn));
apr_pool_userdata_set(conn, "mod_reverseproxy-conn", NULL, c->pool);
conn->orig_addr = c->remote_addr;
conn->orig_ip = c->remote_ip;
}
/* Set remote_ip string */
if (!internal) {
if (proxy_ips)
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
c->remote_ip, NULL);
else
proxy_ips = c->remote_ip;
}
c->remote_addr = temp_sa;
apr_sockaddr_ip_get(&c->remote_ip, c->remote_addr);
}
/* Nothing happened? */
if (!conn || (c->remote_addr == conn->orig_addr))
return OK;
/* Fixups here, remote becomes the new Via header value, etc
* In the heavy operations above we used request scope, to limit
* conn pool memory growth on keepalives, so here we must scope
* the final results to the connection pool lifetime.
* To limit memory growth, we keep recycling the same buffer
* for the final apr_sockaddr_t in the remoteip conn rec.
*/
c->remote_ip = apr_pstrdup(c->pool, c->remote_ip);
conn->proxied_ip = c->remote_ip;
memcpy(&conn->proxied_addr, temp_sa, sizeof(*temp_sa));
conn->proxied_addr.pool = c->pool;
c->remote_addr = &conn->proxied_addr;
#endif
if (remote)
remote = apr_pstrdup(c->pool, remote);
conn->proxied_remote = remote;
conn->prior_remote = apr_pstrdup(c->pool, apr_table_get(r->headers_in,
config->header_name));
if (proxy_ips)
proxy_ips = apr_pstrdup(c->pool, proxy_ips);
conn->proxy_ips = proxy_ips;
/* Unset remote_host string DNS lookups */
c->remote_host = NULL;
c->remote_logname = NULL;
ditto_request_rec:
if (conn->proxy_ips) {
apr_table_setn(r->notes, "reverseproxy-proxy-ip-list", conn->proxy_ips);
if (config->proxies_header_name)
apr_table_setn(r->headers_in, config->proxies_header_name,
conn->proxy_ips);
}
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
conn->proxy_ips
? "Using %s as client's IP by proxies %s"
: "Using %s as client's IP by internal proxies",
conn->proxied_ip, conn->proxy_ips);
return OK;
}
static apr_socket_t *
create_net_server(apr_pool_t *context, int32_t ofamily, int type, apr_port_t port,
char *bind_addr, int blocking)
{
apr_sockaddr_t *localsa = NULL;
apr_socket_t *sock = NULL;
apr_status_t stat;
int32_t family = ofamily;
/* We set family to the family specified in the option. If however a bind address
* is also specified, it's family will take precedence.
* e.g. ofamily = APR_INET6 but the bind address is "127.0.0.1" which is IPv4
* the family will be set to the bind address family */
if(bind_addr)
{
stat = apr_sockaddr_info_get(&localsa, bind_addr, APR_UNSPEC, port, 0, context);
if (stat != APR_SUCCESS)
return NULL;
family = localsa->sa.sin.sin_family;
}
stat = apr_socket_create(&sock, family, type, 0, context);
if( stat != APR_SUCCESS )
return NULL;
if(!blocking){
/* This is a non-blocking server */
stat = apr_socket_opt_set(sock, APR_SO_NONBLOCK, 1);
if (stat != APR_SUCCESS)
{
apr_socket_close(sock);
return NULL;
}
}
stat = apr_socket_opt_set(sock, APR_SO_REUSEADDR, 1);
if (stat != APR_SUCCESS)
{
apr_socket_close(sock);
return NULL;
}
if(!localsa)
{
apr_socket_addr_get(&localsa, APR_LOCAL, sock);
apr_sockaddr_vars_set(localsa, localsa->family, port);
}
#if APR_HAVE_IPV6
if (localsa->family == APR_INET6)
{
int one = 1;
/* Don't accept IPv4 connections on an IPv6 listening socket */
stat = apr_socket_opt_set(sock, APR_IPV6_V6ONLY, one);
if(stat == APR_ENOTIMPL)
{
err_msg("Warning: your operating system does not support IPV6_V6ONLY!\n");
err_msg("This means that you are also listening to IPv4 traffic on port %d\n",
port);
err_msg("This IPv6=>IPv4 mapping may be a security risk.\n");
}
}
#endif
stat = apr_socket_bind(sock, localsa);
if( stat != APR_SUCCESS)
{
apr_socket_close(sock);
return NULL;
}
return sock;
}
static apr_status_t call_resolver(apr_sockaddr_t **sa,
const char *hostname, apr_int32_t family,
apr_port_t port, apr_int32_t flags,
apr_pool_t *p)
{
struct addrinfo hints, *ai, *ai_list;
apr_sockaddr_t *prev_sa;
int error;
char *servname = NULL;
memset(&hints, 0, sizeof(hints));
hints.ai_family = family;
hints.ai_socktype = SOCK_STREAM;
if(hostname == NULL) {
#ifdef AI_PASSIVE
/* If hostname is NULL, assume we are trying to bind to all
* interfaces. */
hints.ai_flags |= AI_PASSIVE;
#endif
/* getaddrinfo according to RFC 2553 must have either hostname
* or servname non-NULL.
*/
#ifdef _AIX
/* But current AIX getaddrinfo() doesn't like servname = "0";
* the "1" won't hurt since we use the port parameter to fill
* in the returned socket addresses later
*/
if (!port) {
servname = "1";
}
else
#endif
servname = apr_itoa(p, port);
}
error = getaddrinfo(hostname, servname, &hints, &ai_list);
if (error) {
#ifndef WIN32
if (error == EAI_SYSTEM) {
return errno;
}
else
#endif
{
/* issues with representing this with APR's error scheme:
* glibc uses negative values for these numbers, perhaps so
* they don't conflict with h_errno values... Tru64 uses
* positive values which conflict with h_errno values
*/
#if defined(NEGATIVE_EAI)
error = -error;
#endif
return error + APR_OS_START_EAIERR;
}
}
prev_sa = NULL;
ai = ai_list;
while (ai) { /* while more addresses to report */
apr_sockaddr_t *new_sa;
/* Ignore anything bogus: getaddrinfo in some old versions of
* glibc will return AF_UNIX entries for AF_UNSPEC+AI_PASSIVE
* lookups. */
if (ai->ai_family != AF_INET && ai->ai_family != AF_INET6) {
ai = ai->ai_next;
continue;
}
new_sa = apr_pcalloc(p, sizeof(apr_sockaddr_t));
new_sa->pool = p;
memcpy(&new_sa->sa, ai->ai_addr, ai->ai_addrlen);
apr_sockaddr_vars_set(new_sa, ai->ai_family, port);
if (!prev_sa) { /* first element in new list */
if (hostname) {
new_sa->hostname = apr_pstrdup(p, hostname);
}
*sa = new_sa;
}
else {
new_sa->hostname = prev_sa->hostname;
prev_sa->next = new_sa;
}
prev_sa = new_sa;
ai = ai->ai_next;
}
freeaddrinfo(ai_list);
return APR_SUCCESS;
}
static int cloudflare_modify_connection(request_rec *r)
{
conn_rec *c = r->connection;
cloudflare_config_t *config = (cloudflare_config_t *)
ap_get_module_config(r->server->module_config, &cloudflare_module);
cloudflare_conn_t *conn;
#ifdef REMOTEIP_OPTIMIZED
apr_sockaddr_t temp_sa_buff;
apr_sockaddr_t *temp_sa = &temp_sa_buff;
#else
apr_sockaddr_t *temp_sa;
#endif
apr_status_t rv;
char *remote = (char *) apr_table_get(r->headers_in, config->header_name);
char *proxy_ips = NULL;
char *parse_remote;
char *eos;
unsigned char *addrbyte;
void *internal = NULL;
apr_pool_userdata_get((void*)&conn, "mod_cloudflare-conn", c->pool);
if (conn) {
if (remote && (strcmp(remote, conn->prior_remote) == 0)) {
/* TODO: Recycle r-> overrides from previous request
*/
goto ditto_request_rec;
}
else {
/* TODO: Revert connection from previous request
*/
c->client_addr = conn->orig_addr;
c->client_ip = (char *) conn->orig_ip;
}
}
if (!remote) {
if (config->deny_all) {
return 403;
}
return OK;
}
remote = apr_pstrdup(r->pool, remote);
#ifdef REMOTEIP_OPTIMIZED
memcpy(&temp_sa, c->client_addr, sizeof(temp_sa));
temp_sa->pool = r->pool;
#else
temp_sa = c->client_addr;
#endif
while (remote) {
/* verify c->client_addr is trusted if there is a trusted proxy list
*/
if (config->proxymatch_ip) {
int i;
cloudflare_proxymatch_t *match;
match = (cloudflare_proxymatch_t *)config->proxymatch_ip->elts;
for (i = 0; i < config->proxymatch_ip->nelts; ++i) {
if (apr_ipsubnet_test(match[i].ip, c->client_addr)) {
internal = match[i].internal;
break;
}
}
if (i && i >= config->proxymatch_ip->nelts) {
if (config->deny_all) {
return 403;
} else {
break;
}
}
}
if ((parse_remote = strrchr(remote, ',')) == NULL) {
parse_remote = remote;
remote = NULL;
}
else {
*(parse_remote++) = '\0';
}
while (*parse_remote == ' ')
++parse_remote;
eos = parse_remote + strlen(parse_remote) - 1;
while (eos >= parse_remote && *eos == ' ')
*(eos--) = '\0';
if (eos < parse_remote) {
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
#ifdef REMOTEIP_OPTIMIZED
/* Decode client_addr - sucks; apr_sockaddr_vars_set isn't 'public' */
if (inet_pton(AF_INET, parse_remote,
&temp_sa_buff->sa.sin.sin_addr) > 0) {
apr_sockaddr_vars_set(temp_sa, APR_INET, temp_sa.port);
}
#if APR_HAVE_IPV6
else if (inet_pton(AF_INET6, parse_remote,
&temp_sa->sa.sin6.sin6_addr) > 0) {
apr_sockaddr_vars_set(temp_sa, APR_INET6, temp_sa.port);
}
#endif
else {
rv = apr_get_netos_error();
#else /* !REMOTEIP_OPTIMIZED */
/* We map as IPv4 rather than IPv6 for equivilant host names
* or IPV4OVERIPV6
*/
rv = apr_sockaddr_info_get(&temp_sa, parse_remote,
APR_UNSPEC, temp_sa->port,
APR_IPV4_ADDR_OK, r->pool);
if (rv != APR_SUCCESS) {
#endif
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s cannot be parsed "
"as a client IP",
config->header_name, parse_remote);
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
addrbyte = (unsigned char *) &temp_sa->sa.sin.sin_addr;
/* For intranet (Internal proxies) ignore all restrictions below */
if (!internal
&& ((temp_sa->family == APR_INET
/* For internet (non-Internal proxies) deny all
* RFC3330 designated local/private subnets:
* 10.0.0.0/8 169.254.0.0/16 192.168.0.0/16
* 127.0.0.0/8 172.16.0.0/12
*/
&& (addrbyte[0] == 10
|| addrbyte[0] == 127
|| (addrbyte[0] == 169 && addrbyte[1] == 254)
|| (addrbyte[0] == 172 && (addrbyte[1] & 0xf0) == 16)
|| (addrbyte[0] == 192 && addrbyte[1] == 168)))
#if APR_HAVE_IPV6
|| (temp_sa->family == APR_INET6
/* For internet (non-Internal proxies) we translated
* IPv4-over-IPv6-mapped addresses as IPv4, above.
* Accept only Global Unicast 2000::/3 defined by RFC4291
*/
&& ((temp_sa->sa.sin6.sin6_addr.s6_addr[0] & 0xe0) != 0x20))
#endif
)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
"RemoteIP: Header %s value of %s appears to be "
"a private IP or nonsensical. Ignored",
config->header_name, parse_remote);
if (remote)
*(remote + strlen(remote)) = ',';
else
remote = parse_remote;
break;
}
if (!conn) {
conn = (cloudflare_conn_t *) apr_palloc(c->pool, sizeof(*conn));
apr_pool_userdata_set(conn, "mod_cloudflare-conn", NULL, c->pool);
conn->orig_addr = c->client_addr;
conn->orig_ip = c->client_ip;
}
/* Set client_ip string */
if (!internal) {
if (proxy_ips)
proxy_ips = apr_pstrcat(r->pool, proxy_ips, ", ",
c->client_ip, NULL);
else
proxy_ips = c->client_ip;
}
c->client_addr = temp_sa;
apr_sockaddr_ip_get(&c->client_ip, c->client_addr);
}
/* Nothing happened? */
if (!conn || (c->client_addr == conn->orig_addr))
return OK;
/* Fixups here, remote becomes the new Via header value, etc
* In the heavy operations above we used request scope, to limit
* conn pool memory growth on keepalives, so here we must scope
* the final results to the connection pool lifetime.
* To limit memory growth, we keep recycling the same buffer
* for the final apr_sockaddr_t in the remoteip conn rec.
*/
c->client_ip = apr_pstrdup(c->pool, c->client_ip);
conn->proxied_ip = c->client_ip;
r->useragent_ip = c->client_ip;
r->useragent_addr = c->client_addr;
memcpy(&conn->proxied_addr, &temp_sa, sizeof(temp_sa));
conn->proxied_addr.pool = c->pool;
// Causing an error with mod_authz_host
// c->client_addr = &conn->proxied_addr;
if (remote)
remote = apr_pstrdup(c->pool, remote);
conn->proxied_remote = remote;
conn->prior_remote = apr_pstrdup(c->pool, apr_table_get(r->headers_in,
config->header_name));
if (proxy_ips)
proxy_ips = apr_pstrdup(c->pool, proxy_ips);
conn->proxy_ips = proxy_ips;
/* Unset remote_host string DNS lookups */
c->remote_host = NULL;
c->remote_logname = NULL;
ditto_request_rec:
// Why do we unset the headers here?
//if (conn->proxied_remote) {
// apr_table_setn(r->headers_in, config->header_name, conn->proxied_remote);
//} else {
// apr_table_unset(r->headers_in, config->header_name);
// }
if (conn->proxy_ips) {
apr_table_setn(r->notes, "cloudflare-proxy-ip-list", conn->proxy_ips);
if (config->proxies_header_name)
apr_table_setn(r->headers_in, config->proxies_header_name,
conn->proxy_ips);
}
ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
conn->proxy_ips
? "Using %s as client's IP by proxies %s"
: "Using %s as client's IP by internal proxies",
conn->proxied_ip, conn->proxy_ips);
return OK;
}
static const command_rec cloudflare_cmds[] =
{
AP_INIT_TAKE1("CloudFlareRemoteIPHeader", header_name_set, NULL, RSRC_CONF,
"Specifies a request header to trust as the client IP, "
"Overrides the default of CF-Connecting-IP"),
AP_INIT_ITERATE("CloudFlareRemoteIPTrustedProxy", proxies_set, 0, RSRC_CONF,
"Specifies one or more proxies which are trusted "
"to present IP headers. Overrides the defaults."),
AP_INIT_NO_ARGS("DenyAllButCloudFlare", deny_all_set, NULL, RSRC_CONF,
"Return a 403 status to all requests which do not originate from "
"a CloudFlareRemoteIPTrustedProxy."),
{ NULL }
};
static void register_hooks(apr_pool_t *p)
{
// We need to run very early so as to not trip up mod_security.
// Hence, this little trick, as mod_security runs at APR_HOOK_REALLY_FIRST.
ap_hook_post_read_request(cloudflare_modify_connection, NULL, NULL, APR_HOOK_REALLY_FIRST - 10);
}
