1 #include "first.h" 2 3 #include "base.h" 4 #include "log.h" 5 #include "buffer.h" 6 7 #include "plugin.h" 8 9 #include "inet_ntop_cache.h" 10 #include "configfile.h" 11 12 #include <assert.h> 13 #include <ctype.h> 14 #include <stdlib.h> 15 #include <string.h> 16 #include <stdio.h> 17 #include <netinet/in.h> 18 #include <errno.h> 19 20 /** 21 * mod_extforward.c for lighttpd, by comman.kang <at> gmail <dot> com 22 * extended, modified by Lionel Elie Mamane (LEM), lionel <at> mamane <dot> lu 23 * support chained proxies by [email protected], #1528 24 * 25 * Config example: 26 * 27 * Trust proxy 10.0.0.232 and 10.0.0.232 28 * extforward.forwarder = ( "10.0.0.232" => "trust", 29 * "10.0.0.233" => "trust" ) 30 * 31 * Trust all proxies (NOT RECOMMENDED!) 32 * extforward.forwarder = ( "all" => "trust") 33 * 34 * Note that "all" has precedence over specific entries, 35 * so "all except" setups will not work. 36 * 37 * In case you have chained proxies, you can add all their IP's to the 38 * config. However "all" has effect only on connecting IP, as the 39 * X-Forwarded-For header can not be trusted. 40 * 41 * Note: The effect of this module is variable on $HTTP["remotip"] directives and 42 * other module's remote ip dependent actions. 43 * Things done by modules before we change the remoteip or after we reset it will match on the proxy's IP. 44 * Things done in between these two moments will match on the real client's IP. 45 * The moment things are done by a module depends on in which hook it does things and within the same hook 46 * on whether they are before/after us in the module loading order 47 * (order in the server.modules directive in the config file). 48 * 49 * Tested behaviours: 50 * 51 * mod_access: Will match on the real client. 52 * 53 * mod_accesslog: 54 * In order to see the "real" ip address in access log , 55 * you'll have to load mod_extforward after mod_accesslog. 56 * like this: 57 * 58 * server.modules = ( 59 * ..... 60 * mod_accesslog, 61 * mod_extforward 62 * ) 63 * 64 * Known issues: 65 * seems causing segfault with mod_ssl and $HTTP{"socket"} directives 66 * LEM 2006.05.26: Fixed segfault $SERVER["socket"] directive. Untested with SSL. 67 * 68 * ChangeLog: 69 * 2005.12.19 Initial Version 70 * 2005.12.19 fixed conflict with conditional directives 71 * 2006.05.26 LEM: IPv6 support 72 * 2006.05.26 LEM: Fix a segfault with $SERVER["socket"] directive. 73 * 2006.05.26 LEM: Run at uri_raw time, as we don't need to see the URI 74 * In this manner, we run before mod_access and $HTTP["remoteip"] directives work! 75 * 2006.05.26 LEM: Clean config_cond cache of tests whose result we probably change. 76 */ 77 78 79 /* plugin config for all request/connections */ 80 81 typedef struct { 82 array *forwarder; 83 array *headers; 84 } plugin_config; 85 86 typedef struct { 87 PLUGIN_DATA; 88 89 plugin_config **config_storage; 90 91 plugin_config conf; 92 } plugin_data; 93 94 95 /* context , used for restore remote ip */ 96 97 typedef struct { 98 sock_addr saved_remote_addr; 99 buffer *saved_remote_addr_buf; 100 } handler_ctx; 101 102 103 static handler_ctx * handler_ctx_init(sock_addr oldaddr, buffer *oldaddr_buf) { 104 handler_ctx * hctx; 105 hctx = calloc(1, sizeof(*hctx)); 106 hctx->saved_remote_addr = oldaddr; 107 hctx->saved_remote_addr_buf = oldaddr_buf; 108 return hctx; 109 } 110 111 static void handler_ctx_free(handler_ctx *hctx) { 112 free(hctx); 113 } 114 115 /* init the plugin data */ 116 INIT_FUNC(mod_extforward_init) { 117 plugin_data *p; 118 p = calloc(1, sizeof(*p)); 119 return p; 120 } 121 122 /* destroy the plugin data */ 123 FREE_FUNC(mod_extforward_free) { 124 plugin_data *p = p_d; 125 126 UNUSED(srv); 127 128 if (!p) return HANDLER_GO_ON; 129 130 if (p->config_storage) { 131 size_t i; 132 133 for (i = 0; i < srv->config_context->used; i++) { 134 plugin_config *s = p->config_storage[i]; 135 136 if (NULL == s) continue; 137 138 array_free(s->forwarder); 139 array_free(s->headers); 140 141 free(s); 142 } 143 free(p->config_storage); 144 } 145 146 147 free(p); 148 149 return HANDLER_GO_ON; 150 } 151 152 /* handle plugin config and check values */ 153 154 SETDEFAULTS_FUNC(mod_extforward_set_defaults) { 155 plugin_data *p = p_d; 156 size_t i = 0; 157 158 config_values_t cv[] = { 159 { "extforward.forwarder", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 0 */ 160 { "extforward.headers", NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION }, /* 1 */ 161 { NULL, NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET } 162 }; 163 164 if (!p) return HANDLER_ERROR; 165 166 p->config_storage = calloc(1, srv->config_context->used * sizeof(plugin_config *)); 167 168 for (i = 0; i < srv->config_context->used; i++) { 169 data_config const* config = (data_config const*)srv->config_context->data[i]; 170 plugin_config *s; 171 172 s = calloc(1, sizeof(plugin_config)); 173 s->forwarder = array_init(); 174 s->headers = array_init(); 175 176 cv[0].destination = s->forwarder; 177 cv[1].destination = s->headers; 178 179 p->config_storage[i] = s; 180 181 if (0 != config_insert_values_global(srv, config->value, cv, i == 0 ? T_CONFIG_SCOPE_SERVER : T_CONFIG_SCOPE_CONNECTION)) { 182 return HANDLER_ERROR; 183 } 184 } 185 186 return HANDLER_GO_ON; 187 } 188 189 #define PATCH(x) \ 190 p->conf.x = s->x; 191 static int mod_extforward_patch_connection(server *srv, connection *con, plugin_data *p) { 192 size_t i, j; 193 plugin_config *s = p->config_storage[0]; 194 195 PATCH(forwarder); 196 PATCH(headers); 197 198 /* skip the first, the global context */ 199 for (i = 1; i < srv->config_context->used; i++) { 200 data_config *dc = (data_config *)srv->config_context->data[i]; 201 s = p->config_storage[i]; 202 203 /* condition didn't match */ 204 if (!config_check_cond(srv, con, dc)) continue; 205 206 /* merge config */ 207 for (j = 0; j < dc->value->used; j++) { 208 data_unset *du = dc->value->data[j]; 209 210 if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.forwarder"))) { 211 PATCH(forwarder); 212 } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("extforward.headers"))) { 213 PATCH(headers); 214 } 215 } 216 } 217 218 return 0; 219 } 220 #undef PATCH 221 222 223 static void put_string_into_array_len(array *ary, const char *str, int len) 224 { 225 data_string *tempdata; 226 if (len == 0) 227 return; 228 tempdata = data_string_init(); 229 buffer_copy_string_len(tempdata->value,str,len); 230 array_insert_unique(ary,(data_unset *)tempdata); 231 } 232 /* 233 extract a forward array from the environment 234 */ 235 static array *extract_forward_array(buffer *pbuffer) 236 { 237 array *result = array_init(); 238 if (!buffer_string_is_empty(pbuffer)) { 239 char *base, *curr; 240 /* state variable, 0 means not in string, 1 means in string */ 241 int in_str = 0; 242 for (base = pbuffer->ptr, curr = pbuffer->ptr; *curr; curr++) { 243 if (in_str) { 244 if ((*curr > '9' || *curr < '0') && *curr != '.' && *curr != ':' && (*curr < 'a' || *curr > 'f') && (*curr < 'A' || *curr > 'F')) { 245 /* found an separator , insert value into result array */ 246 put_string_into_array_len(result, base, curr - base); 247 /* change state to not in string */ 248 in_str = 0; 249 } 250 } else { 251 if ((*curr >= '0' && *curr <= '9') || *curr == ':' || (*curr >= 'a' && *curr <= 'f') || (*curr >= 'A' && *curr <= 'F')) { 252 /* found leading char of an IP address, move base pointer and change state */ 253 base = curr; 254 in_str = 1; 255 } 256 } 257 } 258 /* if breaking out while in str, we got to the end of string, so add it */ 259 if (in_str) { 260 put_string_into_array_len(result, base, curr - base); 261 } 262 } 263 return result; 264 } 265 266 #define IP_TRUSTED 1 267 #define IP_UNTRUSTED 0 268 /* 269 * check whether ip is trusted, return 1 for trusted , 0 for untrusted 270 */ 271 static int is_proxy_trusted(const char *ipstr, plugin_data *p) 272 { 273 data_string* allds = (data_string *)array_get_element(p->conf.forwarder, "all"); 274 275 if (allds) { 276 if (strcasecmp(allds->value->ptr, "trust") == 0) { 277 return IP_TRUSTED; 278 } else { 279 return IP_UNTRUSTED; 280 } 281 } 282 283 return (data_string *)array_get_element(p->conf.forwarder, ipstr) ? IP_TRUSTED : IP_UNTRUSTED; 284 } 285 286 /* 287 * Return char *ip of last address of proxy that is not trusted. 288 * Do not accept "all" keyword here. 289 */ 290 static const char *last_not_in_array(array *a, plugin_data *p) 291 { 292 array *forwarder = p->conf.forwarder; 293 int i; 294 295 for (i = a->used - 1; i >= 0; i--) { 296 data_string *ds = (data_string *)a->data[i]; 297 const char *ip = ds->value->ptr; 298 299 if (!array_get_element(forwarder, ip)) { 300 return ip; 301 } 302 } 303 return NULL; 304 } 305 306 #ifdef HAVE_IPV6 307 static void ipstr_to_sockaddr(server *srv, const char *host, sock_addr *sock) { 308 struct addrinfo hints, *addrlist = NULL; 309 int result; 310 311 memset(&hints, 0, sizeof(hints)); 312 sock->plain.sa_family = AF_UNSPEC; 313 314 #ifndef AI_NUMERICSERV 315 /** 316 * quoting $ man getaddrinfo 317 * 318 * NOTES 319 * AI_ADDRCONFIG, AI_ALL, and AI_V4MAPPED are available since glibc 2.3.3. 320 * AI_NUMERICSERV is available since glibc 2.3.4. 321 */ 322 #define AI_NUMERICSERV 0 323 #endif 324 hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV; 325 326 errno = 0; 327 result = getaddrinfo(host, NULL, &hints, &addrlist); 328 329 if (result != 0) { 330 log_error_write(srv, __FILE__, __LINE__, "SSSs(S)", 331 "could not parse ip address ", host, " because ", gai_strerror(result), strerror(errno)); 332 } else if (addrlist == NULL) { 333 log_error_write(srv, __FILE__, __LINE__, "SSS", 334 "Problem in parsing ip address ", host, ": succeeded, but no information returned"); 335 } else switch (addrlist->ai_family) { 336 case AF_INET: 337 memcpy(&sock->ipv4, addrlist->ai_addr, sizeof(sock->ipv4)); 338 force_assert(AF_INET == sock->plain.sa_family); 339 break; 340 case AF_INET6: 341 memcpy(&sock->ipv6, addrlist->ai_addr, sizeof(sock->ipv6)); 342 force_assert(AF_INET6 == sock->plain.sa_family); 343 break; 344 default: 345 log_error_write(srv, __FILE__, __LINE__, "SSS", 346 "Problem in parsing ip address ", host, ": succeeded, but unknown family"); 347 } 348 349 freeaddrinfo(addrlist); 350 } 351 #endif 352 353 static void clean_cond_cache(server *srv, connection *con) { 354 config_cond_cache_reset_item(srv, con, COMP_HTTP_REMOTE_IP); 355 config_cond_cache_reset_item(srv, con, COMP_HTTP_SCHEME); 356 } 357 358 URIHANDLER_FUNC(mod_extforward_uri_handler) { 359 plugin_data *p = p_d; 360 data_string *forwarded = NULL; 361 #ifdef HAVE_IPV6 362 char b2[INET6_ADDRSTRLEN + 1]; 363 #endif 364 const char *dst_addr_str = NULL; 365 array *forward_array = NULL; 366 const char *real_remote_addr = NULL; 367 #ifdef HAVE_IPV6 368 #endif 369 370 if (!con->request.headers) return HANDLER_GO_ON; 371 372 mod_extforward_patch_connection(srv, con, p); 373 374 if (con->conf.log_request_handling) { 375 log_error_write(srv, __FILE__, __LINE__, "s", 376 "-- mod_extforward_uri_handler called"); 377 } 378 379 if (p->conf.headers->used) { 380 data_string *ds; 381 size_t k; 382 383 for(k = 0; k < p->conf.headers->used; k++) { 384 ds = (data_string *) p->conf.headers->data[k]; 385 if (NULL != (forwarded = (data_string*) array_get_element(con->request.headers, ds->value->ptr))) break; 386 } 387 } else { 388 forwarded = (data_string *) array_get_element(con->request.headers,"X-Forwarded-For"); 389 if (NULL == forwarded) forwarded = (data_string *) array_get_element(con->request.headers, "Forwarded-For"); 390 } 391 392 if (NULL == forwarded) { 393 if (con->conf.log_request_handling) { 394 log_error_write(srv, __FILE__, __LINE__, "s", "no forward header found, skipping"); 395 } 396 397 return HANDLER_GO_ON; 398 } 399 400 #ifdef HAVE_IPV6 401 dst_addr_str = inet_ntop(con->dst_addr.plain.sa_family, 402 con->dst_addr.plain.sa_family == AF_INET6 ? 403 (struct sockaddr *)&(con->dst_addr.ipv6.sin6_addr) : 404 (struct sockaddr *)&(con->dst_addr.ipv4.sin_addr), 405 b2, (sizeof b2) - 1); 406 #else 407 dst_addr_str = inet_ntoa(con->dst_addr.ipv4.sin_addr); 408 #endif 409 410 /* if the remote ip itself is not trusted, then do nothing */ 411 if (IP_UNTRUSTED == is_proxy_trusted(dst_addr_str, p)) { 412 if (con->conf.log_request_handling) { 413 log_error_write(srv, __FILE__, __LINE__, "sss", 414 "remote address", dst_addr_str, "is NOT a trusted proxy, skipping"); 415 } 416 417 return HANDLER_GO_ON; 418 } 419 420 /* build forward_array from forwarded data_string */ 421 forward_array = extract_forward_array(forwarded->value); 422 real_remote_addr = last_not_in_array(forward_array, p); 423 424 if (real_remote_addr != NULL) { /* parsed */ 425 sock_addr sock; 426 data_string *forwarded_proto = (data_string *)array_get_element(con->request.headers, "X-Forwarded-Proto"); 427 428 if (NULL != forwarded_proto) { 429 if (buffer_is_equal_caseless_string(forwarded_proto->value, CONST_STR_LEN("https"))) { 430 buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("https")); 431 } else if (buffer_is_equal_caseless_string(forwarded_proto->value, CONST_STR_LEN("http"))) { 432 buffer_copy_string_len(con->uri.scheme, CONST_STR_LEN("http")); 433 } 434 } 435 436 if (con->conf.log_request_handling) { 437 log_error_write(srv, __FILE__, __LINE__, "ss", "using address:", real_remote_addr); 438 } 439 #ifdef HAVE_IPV6 440 ipstr_to_sockaddr(srv, real_remote_addr, &sock); 441 #else 442 sock.ipv4.sin_addr.s_addr = inet_addr(real_remote_addr); 443 sock.plain.sa_family = (sock.ipv4.sin_addr.s_addr == 0xFFFFFFFF) ? AF_UNSPEC : AF_INET; 444 #endif 445 if (sock.plain.sa_family != AF_UNSPEC) { 446 /* we found the remote address, modify current connection and save the old address */ 447 if (con->plugin_ctx[p->id]) { 448 if (con->conf.log_request_handling) { 449 log_error_write(srv, __FILE__, __LINE__, "s", 450 "-- mod_extforward_uri_handler already patched this connection, resetting state"); 451 } 452 handler_ctx_free(con->plugin_ctx[p->id]); 453 con->plugin_ctx[p->id] = NULL; 454 } 455 /* save old address */ 456 con->plugin_ctx[p->id] = handler_ctx_init(con->dst_addr, con->dst_addr_buf); 457 /* patch connection address */ 458 con->dst_addr = sock; 459 con->dst_addr_buf = buffer_init(); 460 buffer_copy_string(con->dst_addr_buf, real_remote_addr); 461 462 if (con->conf.log_request_handling) { 463 log_error_write(srv, __FILE__, __LINE__, "ss", 464 "patching con->dst_addr_buf for the accesslog:", real_remote_addr); 465 } 466 /* Now, clean the conf_cond cache, because we may have changed the results of tests */ 467 clean_cond_cache(srv, con); 468 } 469 } 470 array_free(forward_array); 471 472 /* not found */ 473 return HANDLER_GO_ON; 474 } 475 476 CONNECTION_FUNC(mod_extforward_restore) { 477 plugin_data *p = p_d; 478 handler_ctx *hctx = con->plugin_ctx[p->id]; 479 480 if (!hctx) return HANDLER_GO_ON; 481 482 con->dst_addr = hctx->saved_remote_addr; 483 buffer_free(con->dst_addr_buf); 484 485 con->dst_addr_buf = hctx->saved_remote_addr_buf; 486 487 handler_ctx_free(hctx); 488 489 con->plugin_ctx[p->id] = NULL; 490 491 /* Now, clean the conf_cond cache, because we may have changed the results of tests */ 492 clean_cond_cache(srv, con); 493 494 return HANDLER_GO_ON; 495 } 496 497 498 /* this function is called at dlopen() time and inits the callbacks */ 499 500 int mod_extforward_plugin_init(plugin *p); 501 int mod_extforward_plugin_init(plugin *p) { 502 p->version = LIGHTTPD_VERSION_ID; 503 p->name = buffer_init_string("extforward"); 504 505 p->init = mod_extforward_init; 506 p->handle_uri_raw = mod_extforward_uri_handler; 507 p->handle_request_done = mod_extforward_restore; 508 p->connection_reset = mod_extforward_restore; 509 p->set_defaults = mod_extforward_set_defaults; 510 p->cleanup = mod_extforward_free; 511 512 p->data = NULL; 513 514 return 0; 515 } 516 517