mod_proxy.c revision 9b4c60b689b8a3f2d48d19c55d857b276d405f85
/* ====================================================================
* The Apache Software License, Version 1.1
*
* Copyright (c) 2000-2002 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* distribution.
*
* 3. The end-user documentation included with the redistribution,
* if any, must include the following acknowledgment:
* "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowledgment may appear in the software itself,
* if and wherever such third-party acknowledgments normally appear.
*
* 4. The names "Apache" and "Apache Software Foundation" must
* not be used to endorse or promote products derived from this
* software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache",
* nor may "Apache" appear in their name, without prior written
* permission of the Apache Software Foundation.
*
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
* WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
* DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
* USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
* ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
* OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
* OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Software Foundation. For more
* information on the Apache Software Foundation, please see
*
* Portions of this software are based upon public domain software
* originally written at the National Center for Supercomputing Applications,
* University of Illinois, Urbana-Champaign.
*/
#define CORE_PRIVATE
#include "mod_proxy.h"
#include "mod_core.h"
#include "apr_optional.h"
#ifndef MAX
#define MAX(x,y) ((x) >= (y) ? (x) : (y))
#endif
/*
* A Web proxy module. Stages:
*
* translate_name: set filename to proxy:<URL>
* map_to_storage: run proxy_walk (rather than directory_walk/file_walk)
* can't trust directory_walk/file_walk since these are
* not in our filesystem. Prevents mod_http from serving
* the TRACE request we will set aside to handle later.
* type_checker: set type to PROXY_MAGIC_TYPE if filename begins proxy:
* fix_ups: convert the URL stored in the filename to the
* canonical form.
* handler: handle proxy requests
*/
/* -------------------------------------------------------------- */
/* Translate the URL into a 'filename' */
{
while (aliasp < end_fakename) {
if (*aliasp == '/') {
/* any number of '/' in the alias matches any number in
* the supplied URI, but there must be at least one...
*/
if (*urip != '/')
return 0;
while (*aliasp == '/')
++aliasp;
while (*urip == '/')
++urip;
}
else {
/* Other characters are compared literally */
return 0;
}
}
/* Check last alias path component matched all the way */
return 0;
/* Return number of characters from URI which matched (may be
* greater than length of alias, since we may have matched
* doubled slashes)
*/
}
/* Detect if an absoluteURI should be proxied or not. Note that we
* have to do this during this phase because later phases are
* "short-circuiting"... i.e. translate_names will end when the first
* module returns OK. So for example, if the request is something like:
*
* GET http://othervhost/cgi-bin/printenv HTTP/1.0
*
* mod_alias will notice the /cgi-bin part and ScriptAlias it and
* short-circuit the proxy... just because of the ordering in the
* configuration file.
*/
static int proxy_detect(request_rec *r)
{
/* Ick... msvc (perhaps others) promotes ternary short results to int */
/* but it might be something vhosted */
if (!(r->parsed_uri.hostname
: ap_default_port(r))))) {
r->proxyreq = PROXYREQ_PROXY;
r->uri = r->unparsed_uri;
r->handler = "proxy-server";
}
}
/* We need special treatment for CONNECT proxying: it has no scheme part */
&& r->parsed_uri.hostname
&& r->parsed_uri.port_str) {
r->proxyreq = PROXYREQ_PROXY;
r->uri = r->unparsed_uri;
r->handler = "proxy-server";
}
return DECLINED;
}
static int proxy_trans(request_rec *r)
{
int i, len;
if (r->proxyreq) {
/* someone has already set up the proxy, it was possibly ourselves
* in proxy_detect
*/
return OK;
}
/* XXX: since r->uri has been manipulated already we're not really
* compliant with RFC1945 at this point. But this probably isn't
*/
if (len > 0) {
return DECLINED;
}
r->handler = "proxy-server";
r->proxyreq = PROXYREQ_REVERSE;
return OK;
}
}
return DECLINED;
}
static int proxy_walk(request_rec *r)
{
&proxy_module);
/* XXX: shouldn't we use URI here? Canonicalize it first?
* Pass over "proxy:" prefix
*/
int j;
for (j = 0; j < num_sec; ++j)
{
entry_config = sec_proxy[j];
/* XXX: What about case insensitive matching ???
* Compare regex, fnmatch or string as appropriate
* If the entry doesn't relate, then continue
*/
if (entry_proxy->r
strlen(entry_proxy->p)))) {
continue;
}
}
return OK;
}
static int proxy_map_location(request_rec *r)
{
int access_status;
return DECLINED;
/* Don't let the core or mod_http map_to_storage hooks handle this,
*/
if ((access_status = proxy_walk(r))) {
ap_die(access_status, r);
return access_status;
}
return OK;
}
/* -------------------------------------------------------------- */
/* Fixup the filename */
/*
* Canonicalise the URL
*/
static int proxy_fixup(request_rec *r)
{
char *url, *p;
int access_status;
return DECLINED;
/* XXX: Shouldn't we try this before we run the proxy_walk? */
/* canonicalise each specific scheme */
return access_status;
}
return HTTP_BAD_REQUEST;
return OK; /* otherwise; we've done the best we can */
}
/* Send a redirection if the request contains a hostname which is not */
/* fully qualified, i.e. doesn't have a domain name appended. Some proxy */
/* servers like Netscape's allow this and access hosts from the local */
/* domain in this case. I think it is better to redirect to a FQDN, since */
/* these will later be found in the bookmarks files. */
/* The "ProxyDomain" directive determines what domain will be appended */
{
char *nuri;
const char *ref;
/* We only want to worry about GETs */
return DECLINED;
/* If host does contain a dot already, or it is "localhost", decline */
return DECLINED; /* host name has a dot already */
/* Reassemble the request, but insert the domain after the host name */
/* Note that the domain name always starts with a dot */
&r->parsed_uri,
"Domain missing: %s sent to %s%s%s", r->uri,
return HTTP_MOVED_PERMANENTLY;
}
/* -------------------------------------------------------------- */
/* Invoke handler */
static int proxy_handler(request_rec *r)
{
const char *p2;
int i, rc, access_status;
int direct_connect = 0;
const char *str;
long maxfwd;
/* is this for us? */
return DECLINED;
/* handle max-forwards / OPTIONS / TRACE */
if (maxfwd < 1) {
switch (r->method_number) {
case M_TRACE: {
int access_status;
r->proxyreq = PROXYREQ_NONE;
if ((access_status = ap_send_http_trace(r)))
ap_die(access_status, r);
else
return OK;
}
case M_OPTIONS: {
int access_status;
r->proxyreq = PROXYREQ_NONE;
if ((access_status = ap_send_http_options(r)))
ap_die(access_status, r);
else
return OK;
}
default: {
return ap_proxyerror(r, HTTP_BAD_GATEWAY,
"Max-Forwards has reached zero - proxy loop?");
}
}
}
}
else {
/* set configured max-forwards */
}
if (p == NULL)
return HTTP_BAD_REQUEST;
/* If the host doesn't have a domain name, add one and redirect. */
if (ap_is_HTTP_REDIRECT(rc))
return HTTP_MOVED_PERMANENTLY;
}
*p = '\0';
*p = ':';
/* Check URI's destination host against NoProxy hosts */
/* Bypass ProxyRemote server lookup if configured as NoProxy */
/* we only know how to handle communication to a proxy via http */
/*if (strcasecmp(scheme, "http") == 0) */
{
int ii;
}
#if DEBUGGING
r->uri);
#endif
}
/* firstly, try a proxy, unless a NoProxy directive is active */
if (!direct_connect) {
/* handle the scheme */
"Trying to run scheme_handler against proxy");
/* an error or success */
return access_status;
}
/* we failed to talk to the upstream proxy */
}
}
}
/* otherwise, try it direct */
/* N.B. what if we're behind a firewall, where we must use a proxy or
* give up??
*/
/* handle the scheme */
"Trying to run scheme_handler");
if (DECLINED == access_status) {
"proxy: No protocol handler was valid for the URL %s. "
"If you are using a DSO version of mod_proxy, make sure "
"the proxy submodules are included in the configuration "
"using LoadModule.", r->uri);
return HTTP_FORBIDDEN;
}
return access_status;
}
/* -------------------------------------------------------------- */
/* Setup configurable data */
{
ps->recv_buffer_size_set = 0;
ps->io_buffer_size_set = 0;
ps->maxfwd_set = 0;
ps->error_override = 0;
ps->error_override_set = 0;
ps->preserve_host_set =0;
ps->preserve_host =0;
ps->timeout_set=0;
return ps;
}
{
ps->allowed_connect_ports = apr_array_append(p, base->allowed_connect_ports, overrides->allowed_connect_ports);
ps->recv_buffer_size = (overrides->recv_buffer_size_set == 0) ? base->recv_buffer_size : overrides->recv_buffer_size;
ps->io_buffer_size = (overrides->io_buffer_size_set == 0) ? base->io_buffer_size : overrides->io_buffer_size;
ps->error_override = (overrides->error_override_set == 0) ? base->error_override : overrides->error_override;
ps->preserve_host = (overrides->preserve_host_set == 0) ? base->preserve_host : overrides->preserve_host;
return ps;
}
{
/* Filled in by proxysection, when applicable */
return (void *) new;
}
{
return new;
}
static const char *
{
struct proxy_remote *new;
char *p, *q;
char *r, *f, *scheme;
int port;
p = strchr(r, ':');
if (regex)
return "ProxyRemoteMatch: Bad syntax for a remote proxy server";
else
return "ProxyRemote: Bad syntax for a remote proxy server";
}
else {
scheme[p-r] = 0;
}
if (q != NULL) {
if (regex)
return "ProxyRemoteMatch: Bad syntax for a remote proxy server (bad port number)";
else
return "ProxyRemote: Bad syntax for a remote proxy server (bad port number)";
}
*q = '\0';
}
else
port = -1;
*p = '\0';
if (regex) {
if (!reg)
return "Regular expression for ProxyRemoteMatch could not be compiled.";
}
else
ap_str_tolower(f); /* lowercase scheme */
if (port == -1) {
}
return NULL;
}
static const char *
{
}
static const char *
{
}
static const char *
{
struct proxy_alias *new;
} else {
if ( r== NULL)
return "ProxyPass needs a path when not defined in a location";
else
return "ProxyPass can not have a path when defined in a location";
}
return NULL;
}
static const char *
{
struct proxy_alias *new;
&proxy_module);
} else {
if ( r == NULL)
return "ProxyPassReverse needs a path when not defined in a location";
else
return "ProxyPassReverse can not have a path when defined in a location";
}
return NULL;
}
static const char *
{
struct noproxy_entry *new;
struct apr_sockaddr_t *addr;
int found = 0;
int i;
/* Don't duplicate entries */
found = 1;
}
}
if (!found) {
}
else {
}
}
return NULL;
}
/*
* Set the ports CONNECT can use
*/
static const char *
{
int *New;
if (!apr_isdigit(arg[0]))
return "AllowCONNECT: port number must be numeric";
return NULL;
}
/* Similar to set_proxy_exclude(), but defining directly connected hosts,
* which should never be accessed via the configured ProxyRemote servers
*/
static const char *
{
struct dirconn_entry *New;
int found = 0;
int i;
/* Don't duplicate entries */
found = 1;
}
if (!found) {
#if DEBUGGING
#endif
}
#if DEBUGGING
#endif
}
#if DEBUGGING
#endif
}
else {
#if DEBUGGING
#endif
}
}
return NULL;
}
static const char *
{
if (arg[0] != '.')
return "ProxyDomain: domain name must start with a dot.";
return NULL;
}
static const char *
{
return NULL;
}
static const char *
{
return NULL;
}
static const char *
{
return NULL;
}
static const char *
{
if (s < 512 && s != 0) {
return "ProxyReceiveBufferSize must be >= 512 bytes, or 0 for system default.";
}
psf->recv_buffer_size = s;
return NULL;
}
static const char *
{
return NULL;
}
static const char *
{
if (s < 0) {
return "ProxyMaxForwards must be greater or equal to zero..";
}
return NULL;
}
static const char*
{
int timeout;
if (timeout<1) {
return "Proxy Timeout must be at least 1 second.";
}
return NULL;
}
static const char*
{
else {
return "ProxyVia must be one of: "
"off | on | full | block";
}
return NULL;
}
{
&proxy_module);
*new_space = dir_config;
}
{
const char *errmsg;
return err;
}
"> directive missing closing '>'", NULL);
}
if (!arg) {
return "<ProxyMatch > block must specify a path";
else
return "<Proxy > block must specify a path";
}
/* XXX Ignore case? What if we proxy a case-insensitive server?!?
* While we are at it, shouldn't we also canonicalize the entire
* scheme? See proxy_fixup()
*/
}
return "<Proxy ~ > block must specify a path";
}
/* initialize our config and fetch it */
return errmsg;
conf->r = r;
if (*arg != '\0') {
"> arguments not (yet) supported.", NULL);
}
return NULL;
}
static const command_rec proxy_cmds[] =
{
"Container for directives affecting resources located in the proxied "
"location"),
"Container for directives affecting resources located in the proxied "
"location, in regular expression syntax"),
"on if the true proxy requests should be accepted"),
"a scheme, partial URL or '*' and a proxy server"),
"a regex pattern and a proxy server"),
"a virtual path and a URL"),
"a virtual path and a URL for reverse proxy behaviour"),
"A list of names, hosts or domains to which the proxy will not connect"),
"Receive buffer size for outgoing HTTP and FTP connections in bytes"),
"IO buffer size for outgoing HTTP and FTP connections in bytes"),
"The maximum number of proxies a request may be forwarded through."),
"A list of domains, hosts, or subnets to which the proxy will connect directly"),
"The default intranet domain name (in absence of a domain in the URL)"),
"A list of ports which CONNECT may connect to"),
"Configure Via: proxy header header to one of: on | off | block | full"),
"use our error handling pages instead of the servers' we are proxying"),
"on if we should preserve host header while proxying"),
"Set the timeout (in seconds) for a proxied connection. "
"This overrides the server timeout"),
{NULL}
};
{
/*
* if c == NULL just check if the optional function was imported
* else run the optional function so ssl filters are inserted
*/
if (proxy_ssl_enable) {
return c ? proxy_ssl_enable(c) : 1;
}
return 0;
}
{
if (proxy_ssl_disable) {
return proxy_ssl_disable(c);
}
return 0;
}
{
return OK;
}
static void register_hooks(apr_pool_t *p)
{
/* handler */
/* filename-to-URI translation */
/* walk <Proxy > entries and suppress default TRACE behavior */
/* fixups */
/* post read_request handling */
/* post config handling */
}
{
create_proxy_dir_config, /* create per-directory config structure */
merge_proxy_dir_config, /* merge per-directory config structures */
create_proxy_config, /* create per-server config structure */
merge_proxy_config, /* merge per-server config structures */
proxy_cmds, /* command table */
};
)
(request_rec *r, char *url),(r,
(request_rec *r), (r),