httpd-bugs mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 45405] Allow binding port to be set for individual workers for proxy requests
Date Thu, 17 Jul 2008 21:11:06 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=45405

--- Comment #4 from D. Stussy <apache+bugreports@kd6lvw.ampr.org>  2008-07-17 14:11:04 PST ---
Generally, looks good.  I like your solution to the configuration issue I
raised - with no need to copy conf->bind* to worker->bind*.  I see we got rid
of "bindopt_set" as redundant (I hated that too).

Parsing: "if (range) ..." - closing brace.  Should
"if((apr_parse_addr_port()..." be inside the closing brace?  If we have ONLY a
hostname, we don't have a range, so we never set "host" - and thus
apr_sockaddr_info_get() will fail.  Yet it seems as if "ip/hostname" with NO
port or range should work.  Moving the "if((apr_parse..." outside of the "if
(range) ..." closing brace appears to restore what syntax we defined.

Parsing:  Range can be set to zero INTERNALLY.  We lost the "r+1" bump-up
("conf-> or worker->bind_range = r + 1;") from the original patch before we
converted the parser to a separate subroutine.  Fix:

Change comparison in apr_status_t bind_to_addr() from "<" to "<=", i.e.
+    for(i = 0; i <= range; ++i) { /* loop until we can bind correctly*/
(line 2277 after patch applied).

Additional comment:  "apr_pcalloc(p, sizeof(proxy_bind_addr))"
Do we know that this will never return NULL (i.e. "out of memory")?  If we
can't guarantee that, then we need to check the value and abort parsing.
Assumption:  Allocated memory is zeroed.  Therefore, variables referenced but
not set are zero (pointers NULL), especially the parameters to
parse_bind_address().


Documentation:
-------------------------------------------------------------------------
Command: ProxyBindAddress   [<hostname/address-literal>][:<port>+<range>]
Command: ProxyPass ... bind=[<hostname/address-literal>][:<port>+<range>]
Command: ProxySet  ... bind=[<hostname/address-literal>][:<port>+<range>]
Context: server config, virtual host (Should <PROXY> sections be allowed too?)
Default: Address: unspecified address ("0.0.0.0" for IPv4; "::/128" for IPv6)
         Port: unspecified port (0 => use any port available - OS choice)
         Range:  0 (use only the port specified, if any)
Status:  Extension

This command is useful in order to restrict outbound proxy server requests to
use the specified IP address(es) and/or (TCP) port range.  Such limits may be
imposed by server firewall design as a security measure or for statistical data
collection.  The ProxyPass and ProxySet versions of the command override the
general declaration for a particular proxy worker or balancer.

Specifying a hostname or an address-literal shall bind all outbound proxy
requests to the IP address(es) specified or resolved.  DNS resolution is
used to translate hostnames at configuration time, so if a hostname maps to
multiple addresses, the address used may vary across requests. (Internally, all
resolved addresses are stored.)  Should the DNS data for the hostname change,
Apache will ignore any such changes until it reloads its configuration or is
stopped and restarted.  If DNS resolution fails, no source binding takes place
and an error is issued.  As noted elsewhere in the Apache documentation, IPv6
address literals that contain colons must appear in brackets.

Specifying a non-zero port locks in that port as the one used, or if a non-zero
range is specified, the first one used.  Specifying a range indicates how many
additional consecutive ports beyond the first may be used.  Specifying a range
of "+0" means that only the specified port is used, thus causing serialization
of requests.  This may deny additional requests made in parallel.  A warning
may be issued to the system log for a range less than 8.  Explicitly specifying
port 0, thus allowing the operating system to choose a random port, does not
permit a range value and is equivalent to omitting the port value.

Examples:
  ProxyBindAddress 192.0.2.1:10000+10

This sets the IP address to the IPv4 address of 192.0.2.1
There are 11 valid ports for this range:  10000-10010
IPv6-only sites will not be reachable.  Only IPv4 sites will be contacted.

  ProxyBindAddress [2001:df8::1]:49151+9

This sets the IP address to the IPv6 address of 2001:df8::1
There are 10 valid ports for this range:  49151-49160
IPv4-only sites will not be reachable.  Only IPv6 sites will be contacted.

  ProxyBindAddress localhost

This sets the IP address to the IPv6 address of ::1 and the IPv4 address to
127.0.0.1 (assuming DNS records are set for both IP versions).  The operating
system chooses the outbound port to use.  Both IPv4 and IPv6 sites are
reachable.  However, as the loopback address is restricted, only sites on the
same physical host can be reached.

Notes:
In the current implementation, it is not possible to specify separate port
ranges for different addresses or address families.  It is also considered an
error to specify an interface with an IPv6 address literal ("%" parameter).
Specifying port 0 with a range is invalid.  Specifying an address literal also
locks the proxy server into the address family the literal belongs to.
Therefore, only a hostname produces an address family independent assignment
assuming that both DNS A (IPv4) and AAAA (IPv6) records exist for the name.
Internally, not specifying the command at all actually skips any attempt to
bind the source address and port of the outbound request (the default behavior
before this command was added).  However, explicitly using the command with the
unspecified address will cause address and port binding, even if the result
turns out to be the same action as if the command were unspecified (i.e. port
also 0).  Using the IPv4 unspecified address ("0.0.0.0") will force IPv4-only
connections, and similarly with IPv6 ("::" forces IPv6 only).

Where a non-zero port value is specified, a range value less than the number of
available workers (or child processes for non-threaded servers) may yield
connection failures when all ports in the range are in use, even when there are
available worker threads/processes.  Therefore, the range value should equal or
exceed the maximum possible number of proxy workers.

Apache Hackers' note:
This code appears to be address family independent.  Therefore, if address
family data other than IPv4 and IPv6 are returned from apr_parse_addr_port(),
and such other address family data are accepted by bind_to_addr(), other
address families may work.  The code only attempts binding where both the
source and destination have the SAME address family.  If the source and
destination have no common address family, "DECLINED" is returned.


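As an added example (not code from the patch or from httpd itself), the following stand-alone C reimplements the draft syntax `[<hostname/address-literal>][:<port>+<range>]` with the validity rules the notes state, and the bind loop with the inclusive `<=` bound that comment #4 asks for. The `bind_spec` struct, `parse_bind_spec`, `first_bindable_port` and the `busy_below_10003` callback are constructed for this example; no DNS lookup or real bind() is performed.

```c
#include <stdlib.h>
#include <string.h>
/* Hypothetical parsed form of "[host][:port+range]"; not the patch's proxy_bind_addr. */
typedef struct {
    char host[128];  /* "" = unspecified address */
    int  port;       /* 0 = let the OS choose */
    int  range;      /* additional consecutive ports beyond "port" */
} bind_spec;
/* Parse one ProxyBindAddress argument. Returns 0 on success, -1 on the errors the draft
 * notes name: unbalanced brackets, "%" scope id, port 0 with a range, a range running
 * past 65535, or trailing garbage. IPv6 literals must be bracketed, as documented. */
int parse_bind_spec(const char *spec, bind_spec *out)
{
    const char *p = spec, *end;
    char *num;
    size_t hlen;
    memset(out, 0, sizeof(*out));
    if (*p == '[') {                                   /* bracketed IPv6 literal */
        if (!(end = strchr(++p, ']'))) return -1;
    } else {                                           /* hostname or IPv4 literal */
        end = strchr(p, ':');
        if (!end) end = p + strlen(p);
    }
    hlen = (size_t)(end - p);
    if (hlen >= sizeof(out->host) || memchr(p, '%', hlen)) return -1;
    memcpy(out->host, p, hlen);
    p = (*end == ']') ? end + 1 : end;
    if (*p == '\0') return 0;                          /* address only: port and range stay 0 */
    if (*p++ != ':') return -1;
    out->port = (int)strtol(p, &num, 10);
    if (num == p || out->port < 0 || out->port > 65535) return -1;
    if (*num == '+') {                                 /* optional "+<range>" */
        p = num + 1;
        out->range = (int)strtol(p, &num, 10);
        if (num == p || out->range < 0 || out->port == 0) return -1;
        if (out->port + out->range > 65535) return -1;
    }
    return (*num == '\0') ? 0 : -1;
}
/* Bind loop as corrected in comment #4: try first..first+range inclusive ("<=").
 * in_use() stands in for a bind() failure; returns the port bound, or -1 if all busy. */
int first_bindable_port(const bind_spec *b, int (*in_use)(int port))
{
    if (b->port == 0) return 0;                        /* OS picks; nothing to iterate */
    for (int i = 0; i <= b->range; ++i)
        if (!in_use(b->port + i)) return b->port + i;
    return -1;
}
/* Constructed stand-in for "is this local port already taken?": everything below 10003. */
int busy_below_10003(int port) { return port < 10003; }
```

With `192.0.2.1:10000+3` the loop only reaches the free port 10003 because the upper bound is inclusive; with `+2` every candidate is busy and the bind fails, which is the behaviour the range-versus-worker-count note warns about.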


