modules/proxy/mod_proxy_connect.c

	mod_proxy_connect.c revision d494c1653ea615c65699f1f33b0b01586f1839c4
97a9a944b5887e91042b019776c41d5dd74557aferikabele/* Licensed to the Apache Software Foundation (ASF) under one or more
97a9a944b5887e91042b019776c41d5dd74557aferikabele * contributor license agreements.  See the NOTICE file distributed with
97a9a944b5887e91042b019776c41d5dd74557aferikabele * this work for additional information regarding copyright ownership.
a945f35eff8b6a88009ce73de6d4c862ce58de3cslive * The ASF licenses this file to You under the Apache License, Version 2.0
a945f35eff8b6a88009ce73de6d4c862ce58de3cslive * (the "License"); you may not use this file except in compliance with
a945f35eff8b6a88009ce73de6d4c862ce58de3cslive * the License.  You may obtain a copy of the License at
b686b6a420bde7f78c416b90be11db94cb789979nd *
b686b6a420bde7f78c416b90be11db94cb789979nd *     http://www.apache.org/licenses/LICENSE-2.0
b686b6a420bde7f78c416b90be11db94cb789979nd *
b686b6a420bde7f78c416b90be11db94cb789979nd * Unless required by applicable law or agreed to in writing, software
b686b6a420bde7f78c416b90be11db94cb789979nd * distributed under the License is distributed on an "AS IS" BASIS,
b686b6a420bde7f78c416b90be11db94cb789979nd * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
b686b6a420bde7f78c416b90be11db94cb789979nd * See the License for the specific language governing permissions and
b686b6a420bde7f78c416b90be11db94cb789979nd * limitations under the License.
b686b6a420bde7f78c416b90be11db94cb789979nd */
b686b6a420bde7f78c416b90be11db94cb789979nd
b686b6a420bde7f78c416b90be11db94cb789979nd/* CONNECT method for Apache proxy */
b686b6a420bde7f78c416b90be11db94cb789979nd
b686b6a420bde7f78c416b90be11db94cb789979nd#include "mod_proxy.h"
b686b6a420bde7f78c416b90be11db94cb789979nd#include "apr_poll.h"
b686b6a420bde7f78c416b90be11db94cb789979nd
b686b6a420bde7f78c416b90be11db94cb789979nd#define CONN_BLKSZ AP_IOBUFSIZE
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd
3b3b7fc78d1f5bfc2769903375050048ff41ff26ndmodule AP_MODULE_DECLARE_DATA proxy_connect_module;
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd
b686b6a420bde7f78c416b90be11db94cb789979nd/*
b686b6a420bde7f78c416b90be11db94cb789979nd * This handles Netscape CONNECT method secure proxy requests.
b686b6a420bde7f78c416b90be11db94cb789979nd * A connection is opened to the specified host and data is
b686b6a420bde7f78c416b90be11db94cb789979nd * passed through between the WWW site and the browser.
b686b6a420bde7f78c416b90be11db94cb789979nd *
b686b6a420bde7f78c416b90be11db94cb789979nd * This code is based on the INTERNET-DRAFT document
b686b6a420bde7f78c416b90be11db94cb789979nd * "Tunneling SSL Through a WWW Proxy" currently at
06ba4a61654b3763ad65f52283832ebf058fdf1cslive * http://www.mcom.com/newsref/std/tunneling_ssl.html.
06ba4a61654b3763ad65f52283832ebf058fdf1cslive *
06ba4a61654b3763ad65f52283832ebf058fdf1cslive * If proxyhost and proxyport are set, we send a CONNECT to
06ba4a61654b3763ad65f52283832ebf058fdf1cslive * the specified proxy..
06ba4a61654b3763ad65f52283832ebf058fdf1cslive *
b686b6a420bde7f78c416b90be11db94cb789979nd * FIXME: this doesn't log the number of bytes sent, but
b686b6a420bde7f78c416b90be11db94cb789979nd *        that may be okay, since the data is supposed to
b686b6a420bde7f78c416b90be11db94cb789979nd *        be transparent. In fact, this doesn't log at all
b686b6a420bde7f78c416b90be11db94cb789979nd *        yet. 8^)
117c1f888a14e73cdd821dc6c23eb0411144a41cnd * FIXME: doesn't check any headers initally sent from the
117c1f888a14e73cdd821dc6c23eb0411144a41cnd *        client.
b686b6a420bde7f78c416b90be11db94cb789979nd * FIXME: should allow authentication, but hopefully the
b686b6a420bde7f78c416b90be11db94cb789979nd *        generic proxy authentication is good enough.
b686b6a420bde7f78c416b90be11db94cb789979nd * FIXME: no check for r->assbackwards, whatever that is.
b686b6a420bde7f78c416b90be11db94cb789979nd */
b686b6a420bde7f78c416b90be11db94cb789979nd
b686b6a420bde7f78c416b90be11db94cb789979ndstatic int allowed_port(proxy_server_conf *conf, int port)
b686b6a420bde7f78c416b90be11db94cb789979nd{
b686b6a420bde7f78c416b90be11db94cb789979nd    int i;
b686b6a420bde7f78c416b90be11db94cb789979nd    int *list = (int *) conf->allowed_connect_ports->elts;
b686b6a420bde7f78c416b90be11db94cb789979nd
b686b6a420bde7f78c416b90be11db94cb789979nd    for(i = 0; i < conf->allowed_connect_ports->nelts; i++) {
b686b6a420bde7f78c416b90be11db94cb789979nd    if(port == list[i])
b686b6a420bde7f78c416b90be11db94cb789979nd        return 1;
b686b6a420bde7f78c416b90be11db94cb789979nd    }
b686b6a420bde7f78c416b90be11db94cb789979nd    return 0;
b686b6a420bde7f78c416b90be11db94cb789979nd}
b686b6a420bde7f78c416b90be11db94cb789979nd
06ba4a61654b3763ad65f52283832ebf058fdf1cslive/* canonicalise CONNECT URLs. */
06ba4a61654b3763ad65f52283832ebf058fdf1cslivestatic int proxy_connect_canon(request_rec *r, char *url)
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd{
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd    if (r->method_number != M_CONNECT) {
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd    return DECLINED;
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd    }
b686b6a420bde7f78c416b90be11db94cb789979nd    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
b686b6a420bde7f78c416b90be11db94cb789979nd         "proxy: CONNECT: canonicalising URL %s", url);
b686b6a420bde7f78c416b90be11db94cb789979nd
b686b6a420bde7f78c416b90be11db94cb789979nd    return OK;
b686b6a420bde7f78c416b90be11db94cb789979nd}
b686b6a420bde7f78c416b90be11db94cb789979nd
b686b6a420bde7f78c416b90be11db94cb789979nd/* read available data (in blocks of CONN_BLKSZ) from c_i and copy to c_o */
b686b6a420bde7f78c416b90be11db94cb789979ndstatic int proxy_connect_transfer(request_rec *r, conn_rec *c_i, conn_rec *c_o,
b686b6a420bde7f78c416b90be11db94cb789979nd                  apr_bucket_brigade *bb, char *name)
b686b6a420bde7f78c416b90be11db94cb789979nd{
b686b6a420bde7f78c416b90be11db94cb789979nd    int rv;
b686b6a420bde7f78c416b90be11db94cb789979nd#ifdef DEBUGGING
06ba4a61654b3763ad65f52283832ebf058fdf1cslive    apr_off_t len;
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd#endif
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd    do {
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd    apr_brigade_cleanup(bb);
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd    rv = ap_get_brigade(c_i->input_filters, bb, AP_MODE_READBYTES,
b686b6a420bde7f78c416b90be11db94cb789979nd                APR_NONBLOCK_READ, CONN_BLKSZ);
b686b6a420bde7f78c416b90be11db94cb789979nd    if (rv == APR_SUCCESS) {
b686b6a420bde7f78c416b90be11db94cb789979nd        if (APR_BRIGADE_EMPTY(bb))
b686b6a420bde7f78c416b90be11db94cb789979nd        break;
b686b6a420bde7f78c416b90be11db94cb789979nd#ifdef DEBUGGING
b686b6a420bde7f78c416b90be11db94cb789979nd        len = -1;
b686b6a420bde7f78c416b90be11db94cb789979nd        apr_brigade_length(bb, 0, &len);
b686b6a420bde7f78c416b90be11db94cb789979nd        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
b686b6a420bde7f78c416b90be11db94cb789979nd              "proxy: CONNECT: read %" APR_OFF_T_FMT
b686b6a420bde7f78c416b90be11db94cb789979nd              " bytes from %s", len, name);
b686b6a420bde7f78c416b90be11db94cb789979nd#endif
b686b6a420bde7f78c416b90be11db94cb789979nd        rv = ap_pass_brigade(c_o->output_filters, bb);
b686b6a420bde7f78c416b90be11db94cb789979nd        if (rv == APR_SUCCESS) {
06ba4a61654b3763ad65f52283832ebf058fdf1cslive        ap_fflush(c_o->output_filters, bb);
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd        } else {
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd                  "proxy: CONNECT: error on %s - ap_pass_brigade",
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd                  name);
e55e60efce8a3e2139132c1d6ad9f6f0d2976614nd        }
b686b6a420bde7f78c416b90be11db94cb789979nd    } else if (!APR_STATUS_IS_EAGAIN(rv)) {
b686b6a420bde7f78c416b90be11db94cb789979nd        ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r,
b686b6a420bde7f78c416b90be11db94cb789979nd              "proxy: CONNECT: error on %s - ap_get_brigade",
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd              name);
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd    }
3b3b7fc78d1f5bfc2769903375050048ff41ff26nd    } while (rv == APR_SUCCESS);
b686b6a420bde7f78c416b90be11db94cb789979nd
b686b6a420bde7f78c416b90be11db94cb789979nd    if (APR_STATUS_IS_EAGAIN(rv)) {
b686b6a420bde7f78c416b90be11db94cb789979nd    rv = APR_SUCCESS;
    }
    return rv;
}

/* CONNECT handler */
static int proxy_connect_handler(request_rec *r, proxy_worker *worker,
                                 proxy_server_conf *conf,
                                 char *url, const char *proxyname,
                                 apr_port_t proxyport)
{
    apr_pool_t *p = r->pool;
    apr_socket_t *sock;
    conn_rec *c = r->connection;
    conn_rec *backconn;

    apr_bucket_brigade *bb = apr_brigade_create(p, c->bucket_alloc);
    apr_status_t err, rv;
    apr_size_t nbytes;
    char buffer[HUGE_STRING_LEN];
    apr_socket_t *client_socket = ap_get_module_config(c->conn_config, &core_module);
    int failed, rc;
    apr_pollset_t *pollset;
    apr_pollfd_t pollfd;
    const apr_pollfd_t *signalled;
    apr_int32_t pollcnt, pi;
    apr_int16_t pollevent;
    apr_sockaddr_t *uri_addr, *connect_addr;

    apr_uri_t uri;
    const char *connectname;
    int connectport = 0;

    /* is this for us? */
    if (r->method_number != M_CONNECT) {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
             "proxy: CONNECT: declining URL %s", url);
    return DECLINED;
    }
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
         "proxy: CONNECT: serving URL %s", url);


    /*
     * Step One: Determine Who To Connect To
     *
     * Break up the URL to determine the host to connect to
     */

    /* we break the URL into host, port, uri */
    if (APR_SUCCESS != apr_uri_parse_hostinfo(p, url, &uri)) {
        return ap_proxyerror(r, HTTP_BAD_REQUEST,
                             apr_pstrcat(p, "URI cannot be parsed: ", url,
                                         NULL));
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
         "proxy: CONNECT: connecting %s to %s:%d", url, uri.hostname, uri.port);

    /* do a DNS lookup for the destination host */
    err = apr_sockaddr_info_get(&uri_addr, uri.hostname, APR_UNSPEC, uri.port,
                                0, p);
    if (APR_SUCCESS != err) {
        return ap_proxyerror(r, HTTP_BAD_GATEWAY,
                             apr_pstrcat(p, "DNS lookup failure for: ",
                                         uri.hostname, NULL));
    }

    /* are we connecting directly, or via a proxy? */
    if (proxyname) {
        connectname = proxyname;
        connectport = proxyport;
        err = apr_sockaddr_info_get(&connect_addr, proxyname, APR_UNSPEC, proxyport, 0, p);
    }
    else {
        connectname = uri.hostname;
        connectport = uri.port;
        connect_addr = uri_addr;
    }
    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
         "proxy: CONNECT: connecting to remote proxy %s on port %d", connectname, connectport);

    /* check if ProxyBlock directive on this host */
    if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
        return ap_proxyerror(r, HTTP_FORBIDDEN,
                             "Connect to remote machine blocked");
    }

    /* Check if it is an allowed port */
    if (conf->allowed_connect_ports->nelts == 0) {
    /* Default setting if not overridden by AllowCONNECT */
        switch (uri.port) {
            case APR_URI_HTTPS_DEFAULT_PORT:
            case APR_URI_SNEWS_DEFAULT_PORT:
                break;
            default:
        return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine blocked");
        }
    } else if(!allowed_port(conf, uri.port)) {
    return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine blocked");
    }

    /*
     * Step Two: Make the Connection
     *
     * We have determined who to connect to. Now make the connection.
     */

    /* get all the possible IP addresses for the destname and loop through them
     * until we get a successful connection
     */
    if (APR_SUCCESS != err) {
        return ap_proxyerror(r, HTTP_BAD_GATEWAY,
                             apr_pstrcat(p, "DNS lookup failure for: ",
                                         connectname, NULL));
    }

    /*
     * At this point we have a list of one or more IP addresses of
     * the machine to connect to. If configured, reorder this
     * list so that the "best candidate" is first try. "best
     * candidate" could mean the least loaded server, the fastest
     * responding server, whatever.
     *
     * For now we do nothing, ie we get DNS round robin.
     * XXX FIXME
     */
    failed = ap_proxy_connect_to_backend(&sock, "CONNECT", connect_addr,
                                         connectname, conf, r->server,
                                         r->pool);

    /* handle a permanent error from the above loop */
    if (failed) {
        if (proxyname) {
            return DECLINED;
        }
        else {
            return HTTP_SERVICE_UNAVAILABLE;
        }
    }

    /* setup polling for connection */
    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
          "proxy: CONNECT: setting up poll()");

    if ((rv = apr_pollset_create(&pollset, 2, r->pool, 0)) != APR_SUCCESS) {
    apr_socket_close(sock);
        ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
            "proxy: CONNECT: error apr_pollset_create()");
        return HTTP_INTERNAL_SERVER_ERROR;
    }

    /* Add client side to the poll */
    pollfd.p = r->pool;
    pollfd.desc_type = APR_POLL_SOCKET;
    pollfd.reqevents = APR_POLLIN;
    pollfd.desc.s = client_socket;
    pollfd.client_data = NULL;
    apr_pollset_add(pollset, &pollfd);

    /* Add the server side to the poll */
    pollfd.desc.s = sock;
    apr_pollset_add(pollset, &pollfd);

    /*
     * Step Three: Send the Request
     *
     * Send the HTTP/1.1 CONNECT request to the remote server
     */

    backconn = ap_run_create_connection(c->pool, r->server, sock,
                    c->id, c->sbh, c->bucket_alloc);
    if (!backconn) {
    /* peer reset */
    ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
              "proxy: an error occurred creating a new connection "
              "to %pI (%s)", connect_addr, connectname);
    apr_socket_close(sock);
    return HTTP_INTERNAL_SERVER_ERROR;
    }
    ap_proxy_ssl_disable(backconn);
    rc = ap_run_pre_connection(backconn, sock);
    if (rc != OK && rc != DONE) {
    backconn->aborted = 1;
    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
              "proxy: CONNECT: pre_connection setup failed (%d)", rc);
    return HTTP_INTERNAL_SERVER_ERROR;
    }

    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
          "proxy: CONNECT: connection complete to %pI (%s)",
          connect_addr, connectname);


    /* If we are connecting through a remote proxy, we need to pass
     * the CONNECT request on to it.
     */
    if (proxyport) {
    /* FIXME: Error checking ignored.
     */
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
             "proxy: CONNECT: sending the CONNECT request to the remote proxy");
        ap_fprintf(backconn->output_filters, bb,
             "CONNECT %s HTTP/1.0" CRLF, r->uri);
        ap_fprintf(backconn->output_filters, bb,
             "Proxy-agent: %s" CRLF CRLF, ap_get_server_banner());
        ap_fflush(backconn->output_filters, bb);
    }
    else {
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
             "proxy: CONNECT: Returning 200 OK Status");
        nbytes = apr_snprintf(buffer, sizeof(buffer),
                  "HTTP/1.0 200 Connection Established" CRLF);
        ap_xlate_proto_to_ascii(buffer, nbytes);
       ap_fwrite(c->output_filters, bb, buffer, nbytes);
        nbytes = apr_snprintf(buffer, sizeof(buffer),
                  "Proxy-agent: %s" CRLF CRLF, ap_get_server_banner());
        ap_xlate_proto_to_ascii(buffer, nbytes);
        ap_fwrite(c->output_filters, bb, buffer, nbytes);
    ap_fflush(c->output_filters, bb);
#if 0
        /* This is safer code, but it doesn't work yet.  I'm leaving it
         * here so that I can fix it later.
         */
        r->status = HTTP_OK;
        r->header_only = 1;
        apr_table_set(r->headers_out, "Proxy-agent: %s", ap_get_server_banner());
        ap_rflush(r);
#endif
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
         "proxy: CONNECT: setting up poll()");

    /*
     * Step Four: Handle Data Transfer
     *
     * Handle two way transfer of data over the socket (this is a tunnel).
     */

    /* we are now acting as a tunnel - the input/output filter stacks should
     * not contain any non-connection filters.
     */
    r->output_filters = c->output_filters;
    r->proto_output_filters = c->output_filters;
    r->input_filters = c->input_filters;
    r->proto_input_filters = c->input_filters;
/*    r->sent_bodyct = 1;*/

    while (1) { /* Infinite loop until error (one side closes the connection) */
        if ((rv = apr_pollset_poll(pollset, -1, &pollcnt, &signalled)) != APR_SUCCESS) {
            apr_socket_close(sock);
            ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "proxy: CONNECT: error apr_poll()");
            return HTTP_INTERNAL_SERVER_ERROR;
        }
#ifdef DEBUGGING
        ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
                     "proxy: CONNECT: woke from poll(), i=%d", pollcnt);
#endif

        for (pi = 0; pi < pollcnt; pi++) {
            const apr_pollfd_t *cur = &signalled[pi];

            if (cur->desc.s == sock) {
                pollevent = cur->rtnevents;
                if (pollevent & APR_POLLIN) {
#ifdef DEBUGGING
                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                                 "proxy: CONNECT: sock was readable");
#endif
                    rv = proxy_connect_transfer(r, backconn, c, bb, "sock");
                    }
                else if ((pollevent & APR_POLLERR) || (pollevent & APR_POLLHUP)) {
            rv = APR_EPIPE;
                    ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, "proxy: CONNECT: err/hup on backconn");
                }
            }
            else if (cur->desc.s == client_socket) {
                pollevent = cur->rtnevents;
                if (pollevent & APR_POLLIN) {
#ifdef DEBUGGING
                    ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r,
                                 "proxy: CONNECT: client was readable");
#endif
                    rv = proxy_connect_transfer(r, c, backconn, bb, "client");
                }
                }
            else {
                rv = APR_EBADF;
                ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r,
                  "proxy: CONNECT: unknown socket in pollset");
            }

        }
        if (rv != APR_SUCCESS) {
            break;
        }
    }

    ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
         "proxy: CONNECT: finished with poll() - cleaning up");

    /*
     * Step Five: Clean Up
     *
     * Close the socket and clean up
     */

    ap_lingering_close(backconn);

    c->aborted = 1;

    return OK;
}

static void ap_proxy_connect_register_hook(apr_pool_t *p)
{
    proxy_hook_scheme_handler(proxy_connect_handler, NULL, NULL, APR_HOOK_MIDDLE);
    proxy_hook_canon_handler(proxy_connect_canon, NULL, NULL, APR_HOOK_MIDDLE);
}

module AP_MODULE_DECLARE_DATA proxy_connect_module = {
    STANDARD20_MODULE_STUFF,
    NULL,       /* create per-directory config structure */
    NULL,       /* merge per-directory config structures */
    NULL,       /* create per-server config structure */
    NULL,       /* merge per-server config structures */
    NULL,       /* command apr_table_t */
    ap_proxy_connect_register_hook  /* register hooks */
};