proxy_connect.c revision 7aeac3e3e334cb421641c1a317b5d926e9dbd44c
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd/* ====================================================================
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * The Apache Software License, Version 1.1
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd * Copyright (c) 2000-2001 The Apache Software Foundation. All rights
fd9abdda70912b99b24e3bf1a38f26fde908a74cnd * reserved.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * Redistribution and use in source and binary forms, with or without
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * modification, are permitted provided that the following conditions
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * are met:
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * 1. Redistributions of source code must retain the above copyright
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * notice, this list of conditions and the following disclaimer.
2e545ce2450a9953665f701bb05350f0d3f26275nd * 2. Redistributions in binary form must reproduce the above copyright
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen * notice, this list of conditions and the following disclaimer in
d29d9ab4614ff992b0e8de6e2b88d52b6f1f153erbowen * the documentation and/or other materials provided with the
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * distribution.
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen * 3. The end-user documentation included with the redistribution,
3f08db06526d6901aa08c110b5bc7dde6bc39905nd * if any, must include the following acknowledgment:
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * "This product includes software developed by the
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * Apache Software Foundation (http://www.apache.org/)."
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * Alternately, this acknowledgment may appear in the software itself,
3f08db06526d6901aa08c110b5bc7dde6bc39905nd * if and wherever such third-party acknowledgments normally appear.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * 4. The names "Apache" and "Apache Software Foundation" must
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * not be used to endorse or promote products derived from this
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * software without prior written permission. For written
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * permission, please contact apache@apache.org.
f086b4b402fa9a2fefc7dda85de2a3cc1cd0a654rjung * 5. Products derived from this software may not be called "Apache",
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * nor may "Apache" appear in their name, without prior written
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * permission of the Apache Software Foundation.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
d1636bdc2e674b84ee46f534b51be18ecac6bef5rbowen * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
30471a4650391f57975f60bbb6e4a90be7b284bfhumbedooh * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
d1636bdc2e674b84ee46f534b51be18ecac6bef5rbowen * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * SUCH DAMAGE.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * ====================================================================
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * This software consists of voluntary contributions made by many
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * individuals on behalf of the Apache Software Foundation. For more
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * information on the Apache Software Foundation, please see
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * Portions of this software are based upon public domain software
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * originally written at the National Center for Supercomputing Applications,
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * University of Illinois, Urbana-Champaign.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd/* CONNECT method for Apache proxy */
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * This handles Netscape CONNECT method secure proxy requests.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * A connection is opened to the specified host and data is
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * passed through between the WWW site and the browser.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * This code is based on the INTERNET-DRAFT document
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * "Tunneling SSL Through a WWW Proxy" currently at
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * If proxyhost and proxyport are set, we send a CONNECT to
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * the specified proxy..
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * FIXME: this doesn't log the number of bytes sent, but
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * that may be okay, since the data is supposed to
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * be transparent. In fact, this doesn't log at all
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * yet. 8^)
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * FIXME: doesn't check any headers initally sent from the
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * FIXME: should allow authentication, but hopefully the
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * generic proxy authentication is good enough.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd * FIXME: no check for r->assbackwards, whatever that is.
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd for(i = 0; i < conf->allowed_connect_ports->nelts; i++) {
d1636bdc2e674b84ee46f534b51be18ecac6bef5rbowen (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
d1636bdc2e674b84ee46f534b51be18ecac6bef5rbowen * Step One: Determine Who To Connect To
d1636bdc2e674b84ee46f534b51be18ecac6bef5rbowen * Break up the URL to determine the host to connect to
d1636bdc2e674b84ee46f534b51be18ecac6bef5rbowen /* we break the URL into host, port, uri */
d1636bdc2e674b84ee46f534b51be18ecac6bef5rbowen if (HTTP_OK != ap_parse_hostinfo_components(p, url, &uri)) {
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server,
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd "proxy: CONNECT: connecting %s to %s:%d", url, uri.hostname, uri.port);
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd /* do a DNS lookup for the destination host */
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd err = apr_sockaddr_info_get(&uri_addr, uri.hostname, APR_UNSPEC, uri.port, 0, p);
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd /* are we connecting directly, or via a proxy? */
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd err = apr_sockaddr_info_get(&connect_addr, proxyname, APR_UNSPEC, proxyport, 0, p);
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, NULL,
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd "proxy: CONNECT: connecting to remote proxy %s on port %d", connectname, connectport);
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd /* check if ProxyBlock directive on this host */
d1636bdc2e674b84ee46f534b51be18ecac6bef5rbowen if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd "Connect to remote machine blocked");
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd /* Check if it is an allowed port */
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd /* Default setting if not overridden by AllowCONNECT */
0d0ba3a410038e179b695446bb149cce6264e0abnd * Step Two: Make the Connection
0d0ba3a410038e179b695446bb149cce6264e0abnd * We have determined who to connect to. Now make the connection.
727872d18412fc021f03969b8641810d8896820bhumbedooh /* get all the possible IP addresses for the destname and loop through them
0d0ba3a410038e179b695446bb149cce6264e0abnd * until we get a successful connection
205f749042ed530040a4f0080dbcb47ceae8a374rjung return ap_proxyerror(r, HTTP_BAD_GATEWAY, apr_pstrcat(p,
af33a4994ae2ff15bc67d19ff1a7feb906745bf8rbowen "DNS lookup failure for: ",
7fec19672a491661b2fe4b29f685bc7f4efa64d4nd /* create a new socket */
1ac39787115a288f5e848344b1b1e8dccb1c58f1nd if ((apr_socket_create(&sock, APR_INET, SOCK_STREAM, r->pool)) != APR_SUCCESS) {
return HTTP_INTERNAL_SERVER_ERROR;
while (connect_addr) {
failed = 0;
if (failed) {
if (proxyname) {
return DECLINED;
return HTTP_BAD_GATEWAY;
if (proxyport) {
return HTTP_INTERNAL_SERVER_ERROR;
/* ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: going to sleep (poll)");*/
return HTTP_INTERNAL_SERVER_ERROR;
if (pollcnt) {
while(nbytes)
i = nbytes;
nbytes -= i;
while(nbytes)
i = nbytes;
nbytes -= i;
return OK;