proxy_util.c revision caad2986f81ab263f7af41467dd622dc9add17f3
/* Licensed to the Apache Software Foundation (ASF) under one or more
* contributor license agreements. See the NOTICE file distributed with
* this work for additional information regarding copyright ownership.
* The ASF licenses this file to You under the Apache License, Version 2.0
* (the "License"); you may not use this file except in compliance with
* the License. You may obtain a copy of the License at
*
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
/* Utility routines for Apache proxy */
#include "mod_proxy.h"
#include "ap_mpm.h"
#include "scoreboard.h"
#include "apr_version.h"
#include "apr_hash.h"
#include "proxy_util.h"
#include "ajp.h"
#include "scgi.h"
#include <unistd.h> /* for getpid() */
#endif
#if (APR_MAJOR_VERSION < 1)
#endif
#endif
#if (APR_MAJOR_VERSION < 2)
#include "apr_support.h" /* for apr_wait_for_io_or_timeout() */
#endif
/*
* Opaque structure containing target server info when
* using a forward proxy.
* Up to now only used in combination with HTTP CONNECT.
*/
typedef struct {
int use_http_connect; /* Use SSL Tunneling via HTTP CONNECT */
const char *target_host; /* Target hostname */
const char *proxy_auth; /* Proxy authorization */
} forward_info;
/* Keep synced with mod_proxy.h! */
static struct wstat {
unsigned int bit;
char flag;
const char *name;
} wstat_tbl[] = {
};
/* Global balancer counter */
int PROXY_DECLARE_DATA proxy_lb_workers = 0;
static int lb_workers_limit = 0;
extern apr_global_mutex_t *proxy_mutex;
{
char *thenil;
/* special case handling */
if (!dlen) {
/* XXX: APR_ENOSPACE would be better */
return APR_EGENERAL;
}
if (!src) {
*dst = '\0';
return APR_SUCCESS;
}
return APR_SUCCESS;
}
return APR_EGENERAL;
}
/* already called in the knowledge that the characters are hex digits */
PROXY_DECLARE(int) ap_proxy_hex2c(const char *x)
{
int i;
#if !APR_CHARSET_EBCDIC
int ch = x[0];
if (apr_isdigit(ch)) {
i = ch - '0';
}
else if (apr_isupper(ch)) {
}
else {
}
i <<= 4;
ch = x[1];
if (apr_isdigit(ch)) {
i += ch - '0';
}
else if (apr_isupper(ch)) {
}
else {
}
return i;
#else /*APR_CHARSET_EBCDIC*/
/*
* we assume that the hex value refers to an ASCII character
* so convert to EBCDIC so that it makes sense locally;
*
* example:
*
* client specifies %20 in URL to refer to a space char;
* at this point we're called with EBCDIC "20"; after turning
* EBCDIC "20" into binary 0x20, we then need to assume that 0x20
* represents an ASCII char and convert 0x20 to EBCDIC, yielding
* 0x40
*/
char buf[1];
buf[0] = i & 0xFF;
return buf[0];
}
else {
return 0;
}
#endif /*APR_CHARSET_EBCDIC*/
}
{
#if !APR_CHARSET_EBCDIC
int i;
x[0] = '%';
if (i >= 10) {
x[1] = ('A' - 10) + i;
}
else {
x[1] = '0' + i;
}
i = ch & 0x0F;
if (i >= 10) {
x[2] = ('A' - 10) + i;
}
else {
x[2] = '0' + i;
}
#else /*APR_CHARSET_EBCDIC*/
static const char ntoa[] = { "0123456789ABCDEF" };
char buf[1];
ch &= 0xFF;
x[0] = '%';
x[3] = '\0';
#endif /*APR_CHARSET_EBCDIC*/
}
/*
* canonicalise a URL-encoded string
*/
/*
* Convert a URL-encoded string to canonical form.
* It decodes characters which need not be encoded,
* and encodes those which must be encoded, and does not touch
* those which must not be touched.
*/
int proxyreq)
{
int i, j, ch;
char *y;
char *allowed; /* characters which should not be encoded */
/*
* N.B. in addition to :@&=, this allows ';' in an http path
* and '?' in an ftp path -- this may be revised
*
* Also, it makes a '+' character in a search string reserved, as
* it may be form-encoded. (Although RFC 1738 doesn't allow this -
* it only permits ; / ? : @ = & as reserved chars.)
*/
if (t == enc_path) {
allowed = "~$-_.+!*'(),;:@&=";
}
else if (t == enc_search) {
allowed = "$-_.!*'(),;:@&=";
}
else if (t == enc_user) {
allowed = "$-_.+!*'(),;@&=";
}
else if (t == enc_fpath) {
allowed = "$-_.+!*'(),?:@&=";
}
else { /* if (t == enc_parm) */
allowed = "$-_.+!*'(),?/:@&=";
}
if (t == enc_path) {
reserved = "/";
}
else if (t == enc_search) {
reserved = "+";
}
else {
reserved = "";
}
for (i = 0, j = 0; i < len; i++, j++) {
/* always handle '/' first */
ch = x[i];
y[j] = ch;
continue;
}
/*
* decode it if not already done. do not decode reverse proxied URLs
* unless specifically forced
*/
return NULL;
}
i += 2;
ap_proxy_c2hex(ch, &y[j]);
j += 2;
continue;
}
}
/* recode it, if necessary */
ap_proxy_c2hex(ch, &y[j]);
j += 2;
}
else {
y[j] = ch;
}
}
y[j] = '\0';
return y;
}
/*
* Parses network-location.
* urlp on input the URL; on output the path, after the leading /
* password holder for password
* host holder for host
* port port number; only set if one is supplied.
*
* Returns an error string.
*/
PROXY_DECLARE(char *)
{
return "Malformed URL";
}
url = "";
}
else {
}
*strp = '\0';
/* find password */
*strp = '\0';
return "Bad %-escape in URL (password)";
}
}
return "Bad %-escape in URL (username)";
}
}
}
}
/*
* Parse the host string to separate host portion from optional port.
* Perform range checking on port.
*/
}
if (tmp_port != 0) { /* only update caller's port if port was specified */
}
return NULL;
}
{
apr_pstrcat(r->pool,
"The proxy server could not handle the request <em><a href=\"",
"</a></em>.<p>\n"
"</strong></p>",
NULL));
/* Allow "error-notes" string to be printed by ap_send_error_response() */
r->uri);
return statuscode;
}
static const char *
{
return r->hostname;
}
/* Set url to the first char after "scheme://" */
return NULL;
}
url = apr_pstrdup(r->pool, &url[1]); /* make it point to "//", which is what proxy_canon_netloc expects */
}
return host; /* ought to return the port, too */
}
/* Return TRUE if addr represents an IP address (or an IP network address) */
{
long ip_addr[4];
int i, quads;
long bits;
/*
* if the address is given with an explicit netmask, use that
* Due to a deficiency in apr_inet_addr(), it is impossible to parse
* "partial" addresses (with less than 4 quads) correctly, i.e.
* 192.168.123 is parsed as 192.168.0.123, which is not what I want.
* I therefore have to parse the IP address manually:
* addr and mask were set by proxy_readmask()
* return 1;
*/
/*
* Parse IP addr manually, optionally allowing
* abbreviated net addresses like 192.168.
*/
/* Iterate over up to 4 (dotted) quads. */
char *tmp;
break;
}
if (!apr_isdigit(*addr)) {
return 0; /* no digit at start of quad */
}
return 0;
}
/* invalid octet */
return 0;
}
++addr; /* after the 4th quad, a dot would be illegal */
}
}
}
char *tmp;
++addr;
return 0;
}
return 0;
}
}
else {
/*
* Determine (i.e., "guess") netmask by counting the
* number of trailing .0's; reduce #quads appropriately
* (so that 192.168.0.0 is equivalent to 192.168.)
*/
--quads;
}
/* "IP Address should be given in dotted-quad form, optionally followed by a netmask (e.g., 192.168.111.0/24)"; */
if (quads < 1) {
return 0;
}
/* every zero-byte counts as 8 zero-bits */
"Warning: NetMask not supplied with IP-Addr; guessing: %s/%ld",
}
}
"Warning: NetMask and IP-Addr disagree in %s/%ld",
}
if (*addr == '\0') {
return 1;
}
else {
}
}
/* Return TRUE if addr represents an IP address (or an IP network address) */
{
int i, ip_addr[4];
const char *host = proxy_get_host_of_request(r);
return 0;
}
/* ap_proxy_is_ipaddr() already confirmed that we have
* a valid octet in ip_addr[i]
*/
}
#if DEBUGGING
#endif
return 1;
}
#if DEBUGGING
else {
}
#endif
}
else {
struct apr_sockaddr_t *reqaddr;
!= APR_SUCCESS) {
#if DEBUGGING
"2)IP-NoMatch: hostname=%s msg=Host not found", host);
#endif
return 0;
}
/* Try to deal with multiple IP addr's for a host */
/* FIXME: This needs to be able to deal with IPv6 */
while (reqaddr) {
#if DEBUGGING
#endif
return 1;
}
#if DEBUGGING
else {
}
#endif
}
}
return 0;
}
/* Return TRUE if addr represents a domain name */
{
int i;
/* Domain name must start with a '.' */
if (addr[0] != '.') {
return 0;
}
/* rfc1035 says DNS names must consist of "[-a-zA-Z0-9]" and '.' */
continue;
}
#if 0
if (addr[i] == ':') {
"@@@@ handle optional port in proxy_is_domainname()");
/* @@@@ handle optional port */
}
#endif
if (addr[i] != '\0') {
return 0;
}
/* Strip trailing dots */
addr[i] = '\0';
}
return 1;
}
/* Return TRUE if host "host" is in domain "domain" */
{
const char *host = proxy_get_host_of_request(r);
return 0;
}
/* @@@ do this within the setup? */
/* Ignore trailing dots in domain comparison: */
--d_len;
}
--h_len;
}
}
/* Return TRUE if host represents a host name */
{
struct apr_sockaddr_t *addr;
int i;
/* Host names must not start with a '.' */
if (host[0] == '.') {
return 0;
}
/* rfc1035 says DNS names must consist of "[-a-zA-Z0-9]" and '.' */
return 0;
}
/* Strip trailing dots */
host[i] = '\0';
}
return 1;
}
/* Return TRUE if host "host" is equal to host2 "host2" */
{
const char *host2 = proxy_get_host_of_request(r);
int h2_len;
int h1_len;
return 0; /* oops! */
}
#if 0
/* Try to deal with multiple IP addr's for a host */
while (addr) {
if (addr->ipaddr_ptr == ? ? ? ? ? ? ? ? ? ? ? ? ?)
return 1;
}
#endif
/* Ignore trailing dots in host2 comparison: */
--h2_len;
}
--h1_len;
}
}
/* Return TRUE if addr is to be matched as a word */
{
return 1;
}
/* Return TRUE if string "str2" occurs literally in "str1" */
{
const char *host = proxy_get_host_of_request(r);
}
#define MAX_IP_STR_LEN (46)
{
int j;
/* XXX FIXME: conf->noproxies->elts is part of an opaque structure */
struct apr_sockaddr_t *conf_addr;
"checking remote machine [%s] against [%s]",
"connect to remote machine %s blocked: name %s "
return HTTP_FORBIDDEN;
}
/* No IP address checks if no IP address was passed in,
* i.e. the forward address proxy case, where this server does
* not resolve the hostname. */
if (!addr)
continue;
continue;
continue;
"connect to remote machine %s blocked: "
return HTTP_FORBIDDEN;
}
}
}
}
return OK;
}
/* set up the minimal filter set */
{
return OK;
}
{
struct proxy_alias *ent;
char *u;
/*
* XXX FIXME: Make sure this handled the ambiguous case of the :<PORT>
* after the hostname
* XXX FIXME: Ensure the /uri component is a case sensitive match
*/
if (r->proxyreq != PROXYREQ_REVERSE) {
return url;
}
}
else {
}
/*
* First check if mapping against a balancer and see
* if we have such a entity. If so, then we need to
* find the particulars of the actual worker which may
* or may not be the right one... basically, we need
* to find which member actually handled this request.
*/
if (ap_proxy_valid_balancer_name((char *)real, 0) &&
int n, l3 = 0;
if (urlpart) {
if (!urlpart[1])
else
}
/* The balancer comparison is a bit trickier. Given the context
* BalancerMember balancer://alias http://example.com/foo
* translate url http://example.com/foo/bar/that to /bash/that
*/
if (urlpart) {
/* urlpart (l3) assuredly starts with its own '/' */
--l2;
NULL);
}
}
/* edge case where fake is just "/"... avoid double slash */
} else {
}
}
worker++;
}
}
else {
if (real[0] == '/') {
if (part) {
if (part) {
}
else {
}
}
else {
}
}
}
}
}
return url;
}
/*
* Cookies are a bit trickier to match: we've got two substrings to worry
* about, and we can't just find them with strstr 'cos of case. Regexp
* matching would be an easy fix, but for better consistency with all the
* other matches we'll refrain and use apr_strmatch to find path=/domain=
* and stick to plain strings for the config values.
*/
{
&proxy_module);
struct proxy_alias *ent;
const char *pathp;
const char *domainp;
int i;
int ddiff = 0;
int pdiff = 0;
char *ret;
if (r->proxyreq != PROXYREQ_REVERSE) {
return str;
}
/*
* Find the match and replacement, but save replacing until we've done
* both path and domain so we know the new strlen
*/
pathp += 5;
}
else {
}
break;
}
}
}
domainp += 7;
}
else {
}
break;
}
}
}
if (newpath) {
if (newdomain) {
}
else {
}
}
else {
}
}
else {
if (newdomain) {
}
else {
}
}
return ret;
}
/*
* BALANCER related...
*/
/*
* verifies that the balancer name conforms to standards.
*/
{
if (!i)
i = sizeof(BALANCER_PREFIX)-1;
}
const char *url,
int care)
{
int i;
return NULL;
}
/* remove path from uri */
*c = '\0';
}
return balancer;
}
}
balancer++;
}
return NULL;
}
const char *url)
{
if (!url) {
return NULL;
}
}
return apr_psprintf(p, "balancer %s front-end virtual-path (%s) too long",
}
return apr_psprintf(p, "balancer %s front-end vhost name (%s) too long",
}
return NULL;
}
#define PROXY_UNSET_NONCE '\n'
const char *url,
const char *alias,
int do_malloc)
{
const char *sname;
/* We should never get here without a valid BALANCER_PREFIX... */
return "Bad syntax for a balancer name";
/* remove path from uri */
*q = '\0';
/*
* NOTE: The default method is byrequests - if it doesn't
* exist, that's OK at this time. We check when we share and sync
*/
if (do_malloc)
else
}
/*
* We do the below for verification. The real sname will be
* done post_config
*/
&sname);
}
}
/*
* Create an already defined balancer and free up memory.
*/
int i)
{
char *action = "copying";
return APR_EINVAL;
if (balancer->s->was_malloced)
} else {
action = "re-using";
}
/* the below should always succeed */
if (lbmethod) {
} else {
return APR_EINVAL;
}
/* Retrieve a UUID and store the nonce for the lifetime of
* the process.
*/
apr_uuid_get(&uuid);
}
return rv;
}
PROXY_DECLARE(apr_status_t) ap_proxy_initialize_balancer(proxy_balancer *balancer, server_rec *s, apr_pool_t *p)
{
unsigned int num;
if (!storage) {
return APR_EGENERAL;
}
/*
* for each balancer we need to init the global
* mutex and then attach to the shared worker shm
*/
return APR_EGENERAL;
}
/* Re-open the mutex for the child. */
p);
if (rv != APR_SUCCESS) {
"Failed to reopen mutex %s in child",
return rv;
}
/* now attach */
return APR_EGENERAL;
}
if (rv != APR_SUCCESS) {
"can not create balancer thread mutex");
return rv;
}
}
return APR_SUCCESS;
}
/*
* CONNECTION related...
*/
{
}
return APR_SUCCESS;
}
{
/*
* Create a connection pool's subpool.
* This pool is used for connection recycling.
* Once the worker is added it is never removed but
* it can be disabled.
*/
apr_pool_create(&pool, p);
/*
* Alloc from the same pool as worker.
* proxy_conn_pool is permanently attached to the worker.
*/
}
{
}
{
/*
* If the connection pool is NULL the worker
* cleanup has been run. Just return.
*/
return APR_SUCCESS;
}
if (conn->r) {
}
/* Sanity check: Did we already return the pooled connection? */
"Pooled connection 0x%pp for worker %s has been"
" already returned to the connection pool.", conn,
return APR_SUCCESS;
}
/* determine if the connection need to be closed */
if (!ap_proxy_connection_reusable(conn)) {
apr_pool_clear(p);
}
}
else
{
}
/* Always return the SUCCESS */
return APR_SUCCESS;
}
{
}
request_rec *r)
{
/*
* If we have an existing SSL connection it might be possible that the
* server sent some SSL message we have not read so far (e.g. an SSL
* shutdown message if the server closed the keepalive connection while
* the connection was held unused in our pool).
* So ensure that if present (=> APR_NONBLOCK_READ) it is read and
* processed. We don't expect any data to be in the returned brigade.
*/
}
if (!APR_BRIGADE_EMPTY(bb)) {
"SSL cleanup brigade contained %"
}
}
return APR_SUCCESS;
}
/* reslist constructor */
{
/*
* Create the subpool for each connection
* This keeps the memory consumption constant
* when disconnecting from backend.
*/
/*
* Create another subpool that manages the data for the
* socket and the connection member of the proxy_conn_rec struct as we
* destroy this data more frequently than other data in the proxy_conn_rec
* struct like hostname and addr (at least in the case where we have
* keepalive connections that timed out).
*/
return APR_SUCCESS;
}
/* reslist destructor */
{
/* Destroy the pool only if not called from reslist_destroy */
}
return APR_SUCCESS;
}
/*
* WORKER related...
*/
{
/* just in case */
}
}
/*
* Taken from ap_strcmp_match() :
* Match = 0, NoMatch = 1, Abort = -1, Inval = -2
* Based loosely on sections of wildmat.c by Rich Salz
* Hmmm... shouldn't this really go component by component?
*
* Adds handling of the "\<any>" => "<any>" unescaping.
*/
{
apr_size_t x, y;
for (x = 0, y = 0; expected[y]; ++y, ++x) {
return -1;
y += 2;
if (!expected[y])
return 0;
while (str[x]) {
int ret;
return ret;
}
return -1;
}
else if (expected[y] == '\\') {
/* NUL is an invalid char! */
if (!expected[++y])
return -2;
}
return 1;
}
/* We got all the way through the worker path without a difference */
return 0;
}
const char *url)
{
int max_match = 0;
int url_length;
int min_match;
int worker_name_length;
const char *c;
char *url_copy;
int i;
if (!url) {
return NULL;
}
return NULL;
}
/*
* We need to find the start of the path and
* therefore we know the length of the scheme://hostname/
* part to we can force-lowercase everything up to
* the start of the path.
*/
if (c) {
char *pathstart;
*pathstart = '\0';
*pathstart = '/';
}
else {
}
/*
* Do a "longest match" on the worker name to find the worker that
* fits best to the URL, but keep in mind that we must have at least
* a minimum matching of length min_match such that
* scheme://hostname[:port] matches between worker and url.
*/
if (balancer) {
&& (worker_name_length >= min_match)
&& (worker_name_length > max_match)
&& (worker->s->is_name_matchable
worker_name_length) == 0)
&& (!worker->s->is_name_matchable
max_worker = worker;
}
}
} else {
&& (worker_name_length >= min_match)
&& (worker_name_length > max_match)
&& (worker->s->is_name_matchable
worker_name_length) == 0)
&& (!worker->s->is_name_matchable
max_worker = worker;
}
}
}
return max_worker;
}
/*
* To create a worker from scratch first we define the
* specifics of the worker; this is all local data.
* We then allocate space for it if data needs to be
* shared. This allows for dynamic addition during
* config and runtime.
*/
const char *url,
int do_malloc)
{
int rv;
/*
* Look to see if we are using UDS:
* require format: unix:/path/foo/bar.sock|http://ignored/path2/
*/
if (ptr) {
*ptr = '\0';
}
else {
*ptr = '|';
}
}
if (rv != APR_SUCCESS) {
}
}
/* allow for unix:/path|http: */
if (sockpath) {
}
else {
}
}
else {
}
/*
* Workers can be associated w/ balancers or on their
* own; ie: the generic reverse-proxy or a worker
* in a simple ProxyPass statement. eg:
*
* ProxyPass / http://www.example.com
*
* in which case the worker goes in the conf slot.
*/
if (balancer) {
/* recall that we get a ptr to the ptr here */
/* we've updated the list of workers associated with
* this balancer *locally* */
} else if (conf) {
} else {
/* we need to allocate space here */
}
/* right here we just want to tuck away the worker info.
* if called during config, we don't have shm setup yet,
* so just note the info for later. */
if (do_malloc)
else
}
}
}
}
wshared->is_name_matchable = 0;
if (sockpath) {
}
}
else {
}
if (!balancer) {
}
return NULL;
}
const char *url,
int do_malloc)
{
char *err;
if (err) {
return err;
}
return NULL;
}
/*
* Create an already defined worker and free up memory
*/
int i)
{
char *action = "copying";
return APR_EINVAL;
if (worker->s->was_malloced)
} else {
action = "re-using";
}
{
if (pool) {
}
}
return APR_SUCCESS;
}
PROXY_DECLARE(apr_status_t) ap_proxy_initialize_worker(proxy_worker *worker, server_rec *s, apr_pool_t *p)
{
int mpm_threads;
/* The worker is already initialized */
"worker %s shared already initialized",
ap_proxy_worker_name(p, worker));
}
else {
"initializing worker %s shared",
ap_proxy_worker_name(p, worker));
/* Set default parameters */
}
/* By default address is reusable unless DisableReuse is set */
if (worker->s->disablereuse) {
worker->s->is_address_reusable = 0;
}
else {
}
if (mpm_threads > 1) {
/* Set hard max to no more then mpm_threads */
}
}
/* Set min to be lower then smax */
}
}
else {
/* This will supress the apr_reslist creation */
}
}
/* What if local is init'ed and shm isn't?? Even possible? */
"worker %s local already initialized",
ap_proxy_worker_name(p, worker));
}
else {
"initializing worker %s local",
ap_proxy_worker_name(p, worker));
/* Now init local worker data */
if (rv != APR_SUCCESS) {
"can not create worker thread mutex");
return rv;
}
}
init_conn_pool(p, worker);
"can not create connection pool");
return APR_EGENERAL;
}
/* Set the acquire timeout */
}
}
else {
void *conn;
}
}
if (rv == APR_SUCCESS) {
}
return rv;
}
server_rec *s)
{
"%s: worker for (%s) has been marked for retry",
return OK;
}
else {
"%s: too soon to retry worker for (%s)",
return DECLINED;
}
}
else {
return OK;
}
}
/*
* In the case of the reverse proxy, we need to see if we
* were passed a UDS url (eg: from mod_proxy) and adjust uds_path
* as required.
*/
{
if (!r || !r->filename) return;
*ptr = '\0';
if (rv == APR_SUCCESS) {
/* r->filename starts w/ "proxy:", so add after that */
"*: rewrite of url due to UDS(%s): %s (%s)",
}
else {
*ptr = '|';
}
}
}
request_rec *r,
{
int access_status;
if (*worker) {
"%s: found worker %s for %s",
fix_uds_filename(r, url);
access_status = OK;
}
else if (r->proxyreq == PROXYREQ_PROXY) {
"*: found forward proxy worker for %s", *url);
access_status = OK;
/*
* The forward worker does not keep connections alive, so
* ensure that mod_proxy_http does the correct thing
* regarding the Connection header in the request.
*/
}
}
else if (r->proxyreq == PROXYREQ_REVERSE) {
"*: using default reverse proxy worker for %s (no keepalive)", *url);
access_status = OK;
/*
* The reverse worker does not keep connections alive, so
* ensure that mod_proxy_http does the correct thing
* regarding the Connection header in the request.
*/
fix_uds_filename(r, url);
}
}
}
/* All the workers are busy */
"all workers are busy. Unable to serve %s", *url);
}
return access_status;
}
request_rec *r,
{
int access_status = OK;
if (balancer) {
if (access_status == DECLINED) {
/* TODO: recycle direct worker */
}
}
return access_status;
}
/* DEPRECATED */
const char *proxy_function,
const char *backend_name,
request_rec *r)
{
int connected = 0;
int loglevel;
while (backend_addr && !connected) {
"%s: error creating fam %d socket for target %s",
/*
* this could be an IPv6 address from the DNS but the
* local machine won't give us an IPv6 socket; hopefully the
* DNS returned an additional address to try
*/
continue;
}
if (conf->recv_buffer_size > 0 &&
conf->recv_buffer_size))) {
"apr_socket_opt_set(SO_RCVBUF): Failed to set "
"ProxyReceiveBufferSize, using default");
}
"apr_socket_opt_set(APR_TCP_NODELAY): "
"Failed to set");
}
/* Set a timeout on the socket */
if (conf->timeout_set) {
}
else {
}
"%s: fam %d socket created to connect to %s",
if (conf->source_address) {
if (rv != APR_SUCCESS) {
"%s: failed to bind socket to local address",
}
}
/* make the connection out of the socket */
/* if an error occurred, loop round and try again */
if (rv != APR_SUCCESS) {
"%s: attempt to connect to %pI (%s) failed",
continue;
}
connected = 1;
}
return connected ? 0 : 1;
}
server_rec *s)
{
if (!PROXY_WORKER_IS_USABLE(worker)) {
/* Retry the worker */
if (!PROXY_WORKER_IS_USABLE(worker)) {
"%s: disabled connection for (%s)",
return HTTP_SERVICE_UNAVAILABLE;
}
}
}
else {
/* create the new connection if the previous was destroyed */
}
else {
}
rv = APR_SUCCESS;
}
if (rv != APR_SUCCESS) {
"%s: failed to acquire connection for (%s)",
return HTTP_SERVICE_UNAVAILABLE;
}
"%s: has acquired connection for (%s)",
return OK;
}
server_rec *s)
{
"%s: has released connection for (%s)",
return OK;
}
PROXY_DECLARE(int)
char **url,
const char *proxyname,
char *server_portstr,
int server_portstr_size)
{
int server_port;
const char *uds_path;
/*
* Break up the URL to determine the host to connect to
*/
/* we break the URL into host, port, uri */
return ap_proxyerror(r, HTTP_BAD_REQUEST,
NULL));
}
}
/*
* allocate these out of the specified connection pool
* The scheme handler decides if this is permanent or
* short living pool.
*/
/* are we connecting directly, or via a proxy? */
if (!proxyname) {
}
/*
* Figure out if our passed in proxy_conn_rec has a usable
* address cached.
*
* TODO: Handle this much better...
*
* XXX: If generic workers are ever address-reusable, we need
* to check host and port on the conn and be careful about
* spilling the cached addr from the worker.
*/
if (uds_path) {
/* use (*conn)->pool instead of worker->cp->pool to match lifetime */
}
"%s: has determined UDS as %s",
}
else {
/* should never happen */
"%s: cannot determine UDS (%s)",
}
/*
* In UDS cases, some structs are NULL. Protect from de-refs
* and provide info for logging at the same time.
*/
}
}
else {
if (proxyname) {
/*
* If we have a forward proxy and the protocol is HTTPS,
* then we need to prepend a HTTP CONNECT request before
* sending our actual HTTPS requests.
* Save our real backend data for using it later during HTTP CONNECT.
*/
const char *proxy_auth;
/* Do we want to pass Proxy-Authorization along?
* If we haven't used it, then YES
* If we have used it then MAYBE: RFC2616 says we MAY propagate it.
* So let's make it configurable by env.
* The logic here is the same used in mod_proxy_http.
*/
if (proxy_auth != NULL &&
proxy_auth[0] != '\0' &&
}
}
}
else {
}
if (!will_reuse) {
/*
* Only do a lookup if we should not reuse the backend address.
* Otherwise we will look it up once for the worker.
*/
}
}
if (will_reuse) {
/*
* Looking up the backend address for the worker only makes sense if
* we can reuse the address.
*/
return HTTP_INTERNAL_SERVER_ERROR;
}
/*
* Worker can have the single constant backend adress.
* The single DNS lookup is used once per worker.
* If dynamic change is needed then set the addr to NULL
* inside dynamic config to force the lookup.
*/
}
}
else {
}
}
}
/* Close a possible existing socket if we are told to do so */
}
if (err != APR_SUCCESS) {
return ap_proxyerror(r, HTTP_GATEWAY_TIME_OUT,
apr_pstrcat(p, "DNS lookup failure for: ",
}
/* Get the server port for the Via headers */
if (ap_is_default_port(server_port, r)) {
server_portstr[0] = '\0';
}
else {
}
/* check if ProxyBlock directive on this host */
return ap_proxyerror(r, HTTP_FORBIDDEN,
"Connect to remote machine blocked");
}
/*
* When SSL is configured, determine the hostname (SNI) for the request
* and save it in conn->ssl_hostname. Close any reused connection whose
* SNI differs.
*/
const char *ssl_hostname;
/*
* In the case of ProxyPreserveHost on use the hostname of
* the request if present otherwise use the one from the
* backend request URI.
*/
if (dconf->preserve_host) {
ssl_hostname = r->hostname;
}
}
else {
}
/*
* Close if a SNI is in use but this request requires no or
* a different one, or no SNI is in use but one is required.
*/
ssl_hostname) != 0)) ||
}
}
}
return OK;
}
#define USE_ALTERNATE_IS_CONNECTED 1
#if !defined(APR_MSG_PEEK) && defined(MSG_PEEK)
#define APR_MSG_PEEK MSG_PEEK
#endif
#if USE_ALTERNATE_IS_CONNECTED && defined(APR_MSG_PEEK)
{
do {
} while (APR_STATUS_IS_EINTR(status));
char buf[1];
/* The socket might be closed in which case
* the poll will return POLLIN.
* If there is no data available the socket
* is closed.
*/
return 1;
else
return 0;
}
return 1;
}
return 0;
}
#else
{
char test_buffer[1];
/* save timeout */
/* set no timeout */
/* put back old timeout */
return 0;
}
else {
return 1;
}
}
#endif /* USE_ALTERNATE_IS_CONNECTED */
/*
* Send a HTTP CONNECT request to a forward proxy.
* The proxy is given by "backend", the target server
* is contained in the "forward" member of "backend".
*/
server_rec *s)
{
int status;
int complete = 0;
char buffer[HUGE_STRING_LEN];
char drain_buffer[HUGE_STRING_LEN];
int len = 0;
"CONNECT: sending the CONNECT request for %s:%d "
"to the remote proxy %pI (%s)",
/* Create the CONNECT request */
"CONNECT %s:%d HTTP/1.0" CRLF,
/* Add proxy authorization from the initial request if necessary */
"Proxy-Authorization: %s" CRLF,
}
/* Set a reasonable agent and send everything */
/* Receive the whole CONNECT response */
/* Read until we find the end of the headers or run out of buffer */
do {
complete = 1;
break;
}
/* Drain what's left */
if (!complete) {
break;
}
}
}
/* Check for HTTP_OK response status */
if (status == APR_SUCCESS) {
/* Only scan for three character status code */
char code_str[4];
"send_http_connect: response from the forward proxy: %s",
buffer);
/* Extract the returned code */
}
else {
"send_http_connect: the forward proxy returned code is '%s'",
code_str);
}
}
}
return(status);
}
/* TODO: In APR 2.x: Extend apr_sockaddr_t to possibly be a path !!! */
const char *uds_path,
apr_pool_t *p)
{
struct sockaddr_un *sa;
if (rv != APR_SUCCESS) {
return rv;
}
if (rv != APR_SUCCESS) {
return rv;
}
/* copy the UDS path (including NUL) to the sockaddr_un */
do {
#if APR_MAJOR_VERSION < 2
#else
#endif
}
if (rv != APR_SUCCESS) {
return rv;
}
}
return APR_SUCCESS;
}
#endif
server_rec *s)
{
int connected = 0;
int loglevel;
/* the local address to use for the outgoing connection */
void *sconf = s->module_config;
"%s: backend socket is disconnected.",
}
}
{
if (rv != APR_SUCCESS) {
"%s: error creating Unix domain socket for "
"target %s",
break;
}
if (rv != APR_SUCCESS) {
"%s: attempt to connect to Unix domain socket "
"%s (%s) failed",
break;
}
"%s: connection established with Unix domain socket "
"%s (%s)",
}
else
#endif
{
"%s: error creating fam %d socket for "
"target %s",
/*
* this could be an IPv6 address from the DNS but the
* local machine won't give us an IPv6 socket; hopefully the
* DNS returned an additional address to try
*/
continue;
}
if (worker->s->recv_buffer_size > 0 &&
worker->s->recv_buffer_size))) {
"apr_socket_opt_set(SO_RCVBUF): Failed to set "
"ProxyReceiveBufferSize, using default");
}
"apr_socket_opt_set(APR_TCP_NODELAY): "
"Failed to set");
}
/* Set a timeout for connecting to the backend on the socket */
if (worker->s->conn_timeout_set) {
}
else if (worker->s->timeout_set) {
}
else if (conf->timeout_set) {
}
else {
}
/* Set a keepalive option */
"apr_socket_opt_set(SO_KEEPALIVE): Failed to set"
" Keepalive");
}
}
"%s: fam %d socket created to connect to %s",
if (conf->source_address_set) {
sizeof(apr_sockaddr_t));
if (rv != APR_SUCCESS) {
"%s: failed to bind socket to local address",
}
}
/* make the connection out of the socket */
/* if an error occurred, loop round and try again */
if (rv != APR_SUCCESS) {
"%s: attempt to connect to %pI (%s) failed",
continue;
}
"%s: connection established with %pI (%s)",
}
/* Set a timeout on the socket */
if (worker->s->timeout_set) {
}
else if (conf->timeout_set) {
}
else {
}
/*
* For HTTP CONNECT we need to prepend CONNECT request before
* sending our actual HTTPS requests.
*/
if (forward->use_http_connect) {
/* If an error occurred, loop round and try again */
if (rv != APR_SUCCESS) {
"%s: attempt to connect to %s:%d "
"via http CONNECT through %pI (%s) failed",
continue;
}
}
}
connected = 1;
}
/*
* Put the entire worker to error state if
* the PROXY_WORKER_IGNORE_ERRORS flag is not set.
* Altrough some connections may be alive
* no further connections to the worker could be made
*/
"ap_proxy_connect_backend disabling worker for (%s) for %"
APR_TIME_T_FMT "s",
}
else {
/*
* A worker came back. So here is where we need to
* either reset all params to initial conditions or
* apply some sort of aging
*/
}
worker->s->error_time = 0;
}
}
{
if (c) {
if (!c->aborted) {
if (saved_timeout) {
}
(void)ap_shutdown_conn(c, 0);
c->aborted = 1;
if (saved_timeout) {
}
}
"proxy: connection shutdown");
}
return APR_SUCCESS;
}
conn_rec *c,
server_rec *s)
{
int rc;
if (conn->connection) {
return OK;
}
/*
* The socket is now open, create a new backend server connection
*/
0, NULL,
if (!conn->connection) {
/*
* the peer reset the connection already; ap_run_create_connection()
* closed the socket
*/
"new connection to %pI (%s)", proxy_function,
/* XXX: Will be closed when proxy_conn is closed */
return HTTP_INTERNAL_SERVER_ERROR;
}
/* For ssl connection to backend */
"for %pI (%s)", proxy_function,
return HTTP_INTERNAL_SERVER_ERROR;
}
}
else {
/* TODO: See if this will break FTP */
}
"%s: connection complete to %pI (%s)",
/*
* save the timeout of the socket because core_pre_connection
* will set it to base_server->timeout
* (core TimeOut directive).
*/
/* set up the connection filters */
"%s: pre_connection setup failed (%d)",
proxy_function, rc);
return rc;
}
/* Shutdown the connection before closing it (eg. SSL connections
* need to be close-notify-ed).
*/
return OK;
}
int ap_proxy_lb_workers(void)
{
/*
* Since we can't resize the scoreboard when reconfiguring, we
* have to impose a limit on the number of workers, we are
* able to reconfigure to.
*/
if (!lb_workers_limit)
return lb_workers_limit;
}
/* deprecated - to be removed in v2.6 */
{
apr_bucket *e;
conn_rec *c = r->connection;
r->no_cache = 1;
/*
* If this is a subrequest, then prevent also caching of the main
* request.
*/
if (r->main)
c->bucket_alloc);
e = apr_bucket_eos_create(c->bucket_alloc);
}
/*
* Provide a string hashing function for the proxy.
* We offer 2 methods: one is the APR model but we
* also provide our own, based on either FNV or SDBM.
* The reason is in case we want to use both to ensure no
* collisions.
*/
PROXY_DECLARE(unsigned int)
{
if (method == PROXY_HASHFUNC_APR) {
}
else if (method == PROXY_HASHFUNC_FNV) {
/* FNV model */
unsigned int hash;
const unsigned int fnv_prime = 0x811C9DC5;
}
return hash;
}
else { /* method == PROXY_HASHFUNC_DEFAULT */
/* SDBM model */
unsigned int hash;
}
return hash;
}
}
{
if (set)
else
return APR_SUCCESS;
}
pwt++;
}
return APR_EINVAL;
}
{
char *ret = "";
pwt++;
}
if (PROXY_WORKER_IS_USABLE(w))
return ret;
}
{
int i;
int index;
return APR_SUCCESS;
/* balancer sync */
if (lbmethod) {
} else {
"Cannot find LB Method: %s", b->s->lbpname);
return APR_EINVAL;
}
/* worker sync */
/*
* Look thru the list of workers in shm
* and see which one(s) we are lacking...
* again, the cast to unsigned int is safe
* since our upper limit is always max_workers
* which is int.
*/
int found;
return APR_EGENERAL;
}
/* account for possible "holes" in the slotmem
* (eg: slots 0-2 are used, but 3 isn't, but 4-5 is)
*/
continue;
found = 0;
found = 1;
"re-grabbing shm[%d] (0x%pp) for worker: %s", i, (void *)shm,
break;
}
}
if (!found) {
if (rv != APR_SUCCESS) {
return rv;
}
"grabbing shm[%d] (0x%pp) for worker: %s", i, (void *)shm,
}
}
if (b->s->need_reset) {
b->s->need_reset = 0;
}
return APR_SUCCESS;
}
unsigned int *index)
{
unsigned int i, limit;
for (i = 0; i < limit; i++) {
return NULL;
}
*index = i;
return shm;
}
}
return NULL;
}
unsigned int *index)
{
unsigned int i, limit;
for (i = 0; i < limit; i++) {
return NULL;
}
*index = i;
return shm;
}
}
return NULL;
}
typedef struct header_connection {
const char *error;
int is_req;
{
header_connection *x = data;
return !x->error;
}
/**
* Remove all headers referred to by the Connection header.
* Returns -1 on error. Otherwise, returns 1 if 'Close' was seen in
* the Connection header tokens, and 0 if not.
*/
{
int closed = 0;
if (x.error) {
"Error parsing Connection header: %s", x.error);
return -1;
}
if (x.array) {
int i;
"Removing header '%s' listed in Connection header",
name);
closed = 1;
}
}
}
return closed;
}
request_rec *r,
char *url, char *server_portstr,
char **old_cl_val,
char **old_te_val)
{
conn_rec *c = r->connection;
int counter;
char *buf;
const apr_array_header_t *headers_in_array;
const apr_table_entry_t *headers_in;
apr_bucket *e;
int do_100_continue;
const char *fpr1;
/*
* HTTP "Ping" test? Easiest is 100-Continue. However:
* To be compliant, we only use 100-Continue for requests with bodies.
* We also make sure we won't be talking HTTP/1.0 as well.
*/
&& (worker->s->ping_timeout >= 0)
&& (PROXYREQ_REVERSE == r->proxyreq)
&& !(fpr1)
&& ap_request_has_body(r));
if (fpr1) {
/*
* According to RFC 2616 8.2.3 we are not allowed to forward an
* Expect: 100-continue to an HTTP/1.0 server. Instead we MUST return
* a HTTP_EXPECTATION_FAILED
*/
if (r->expecting_100) {
return HTTP_EXPECTATION_FAILED;
}
} else {
}
}
if (dconf->preserve_host == 0) {
} else {
}
} else {
} else {
}
}
}
else {
/* don't want to use r->hostname, as the incoming header might have a
* port attached
*/
if (!hostname) {
"no HTTP 0.9 request (with no host line) "
"on incoming request and preserve host set "
"forcing hostname to be %s for uri %s",
}
}
/*
* Save the original headers in here and restore them when leaving, since
* we will apply proxy purpose only modifications (eg. clearing hop-by-hop
* headers, add Via or X-Forwarded-* or Expect...), whereas the originals
* will be needed later to prepare the correct response and logging.
*
* Note: We need to take r->pool for apr_table_copy as the key / value
* pairs in r->headers_in have been created out of r->pool and
* p might be (and actually is) a longer living pool.
* This would trigger the bad pool ancestry abort in apr_table_copy if
* apr is compiled with APR_POOL_DEBUG.
*/
saved_headers_in = r->headers_in;
/* handle Via */
/* Block all outgoing Via: headers */
const char *server_name = ap_get_server_name(r);
/* If USE_CANONICAL_NAME_OFF was configured for the proxy virtual host,
* then the server name returned by ap_get_server_name() is the
* origin server name (which does make too much sense with Via: headers)
* so we use the proxy vhost's name instead.
*/
if (server_name == r->hostname)
/* Create a "Via:" request header entry and merge it */
? apr_psprintf(p, "%d.%d %s%s (%s)",
: apr_psprintf(p, "%d.%d %s%s",
);
}
/* Use HTTP/1.1 100-Continue as quick "HTTP ping" test
* to backend
*/
if (do_100_continue) {
const char *val;
if (!r->expecting_100) {
/* Don't forward any "100 Continue" response if the client is
* not expecting it.
*/
"Suppress");
}
/* Add the Expect header if not already there. */
}
}
/* X-Forwarded-*: handling
*
* XXX Privacy Note:
* -----------------
*
* These request headers are only really useful when the mod_proxy
* is used in a reverse proxy configuration, so that useful info
* about the client can be passed through the reverse proxy and on
* to the backend server, which may require the information to
* function properly.
*
* In a forward proxy situation, these options are a potential
* privacy violation, as information about clients behind the proxy
* are revealed to arbitrary servers out there on the internet.
*
* The HTTP/1.1 Via: header is designed for passing client
* information through proxies to a server, and should be used in
* a forward proxy configuation instead of X-Forwarded-*. See the
* ProxyVia option for details.
*/
if (dconf->add_forwarded_headers) {
if (PROXYREQ_REVERSE == r->proxyreq) {
const char *buf;
/* Add X-Forwarded-For: so that the upstream has a chance to
* determine, where the original request came from.
*/
r->useragent_ip);
/* Add X-Forwarded-Host: so that upstream knows what the
* original request hostname was.
*/
}
/* Add X-Forwarded-Server: so that upstream knows what the
* name of this proxy server is (if there are more than one)
* XXX: This duplicates Via: - do we strictly need it?
*/
r->server->server_hostname);
}
}
proxy_run_fixups(r);
if (ap_proxy_clear_connection(r, r->headers_in) < 0) {
return HTTP_BAD_REQUEST;
}
/* send request headers */
/* Already sent */
/* Clear out hop-by-hop request headers not to send
* RFC2616 13.5.1 says we should strip these headers
*/
) {
continue;
}
/* Do we want to strip Proxy-Authorization ?
* If we haven't used it, then NO
* If we have used it then MAYBE: RFC2616 says we MAY propagate it.
* So let's make it configurable by env.
*/
continue;
}
}
}
/* Skip Transfer-Encoding and Content-Length for now.
*/
continue;
}
continue;
}
if (r->main) {
continue;
}
}
NULL);
}
/* Restore the original headers in (see comment above),
* we won't modify them anymore.
*/
r->headers_in = saved_headers_in;
return OK;
}
int flush)
{
if (flush) {
}
if (transferred != -1)
/* Cleanup the brigade now to avoid buckets lifetime
* issues in case of error returned below. */
if (status != APR_SUCCESS) {
"pass request body failed to %pI (%s)",
const char *ssl_note;
return ap_proxyerror(r, HTTP_INTERNAL_SERVER_ERROR,
"Error during SSL Handshake with"
" remote server");
}
return HTTP_GATEWAY_TIME_OUT;
}
else {
return HTTP_BAD_REQUEST;
}
}
return OK;
}
/* Fill in unknown schemes from apr_uri_port_of_scheme() */
typedef struct proxy_schemes_t {
const char *name;
} proxy_schemes_t ;
static proxy_schemes_t pschemes[] =
{
{"fcgi", 8000},
{"ajp", AJP13_DEF_PORT},
{"scgi", SCGI_DEF_PORT},
};
{
if (scheme) {
return port;
} else {
return pscheme->default_port;
}
}
}
}
return 0;
}
void proxy_util_register_hooks(apr_pool_t *p)
{
}