httpd-cvs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From wr...@apache.org
Subject svn commit: r748690 - in /httpd/sandbox/mod_remoteip: README mod_remoteip.c
Date Fri, 27 Feb 2009 20:48:01 GMT
Author: wrowe
Date: Fri Feb 27 20:48:01 2009
New Revision: 748690

URL: http://svn.apache.org/viewvc?rev=748690&view=rev
Log:
Initial import of mod_remoteip.c as demonstrated at people.apache.org/~wrowe

Added:
    httpd/sandbox/mod_remoteip/README   (with props)
    httpd/sandbox/mod_remoteip/mod_remoteip.c   (with props)

Added: httpd/sandbox/mod_remoteip/README
URL: http://svn.apache.org/viewvc/httpd/sandbox/mod_remoteip/README?rev=748690&view=auto
==============================================================================
--- httpd/sandbox/mod_remoteip/README (added)
+++ httpd/sandbox/mod_remoteip/README Fri Feb 27 20:48:01 2009
@@ -0,0 +1,59 @@
+The X-Forwarded-For header (or really, any arbitrary header) can be passed
+by a proxy server to provide the backend application server the identity of
+the remote (origin) client.
+
+Apache identifies the client by the conn_rec->remote_ip header, with the
+conn_rec->remote_host and conn_rec->remote_logname derived from this value.
+These fields play a role in authentication, authorization and logging.
+
+mod_remoteip replaces the true remote_ip with the advertised remote_ip as
+provided by a proxy, for every evaluation of the client that occurs in the
+server.  Therefore, it's critical to only enable this behavior when the
+immediate client (proxy) is trusted by this server.
+
+In the case of a gateway/reverse proxy under the control of the same admin,
+this is a simple case provided that all previous X-Forwarded-For headers
+are stripped at the gateway and replaced by the immediate apparent client
+IP address to that gateway.  However, context is lost in doing so.  The
+obvious alternative is to have the gateway/reverse proxy use another header
+field name, such as X-Client-IP, and trust this header, preserving the 
+advertised X-Forwarded-For value to the application for its evalution.
+
+
+TODO: the immediate improvement in this module on my plate is to add the
+following processing...
+
+Because the proxy may aggregate requests; the connection remote_ip values 
+should be reset between keep-alive requests.
+
+The convention is for proxies to append to this header, such that;
+
+  X-Forwarded-For: origin-client, proxy1, proxy2
+
+offers a list of these proxies.  So starting from the true remote IP address
+reading from R-T-L, for each trusted proxy IP address, we will present the
+immediate parent IP address to the application.
+
+The context of the trusted IP should be preserved, and the untrusted IP
+address preserved in the X-Forwarded-For header.  If we treat the true
+remote client IP at the backend server as the 'gateway', and both gateway
+and proxy2 are known/trusted, then we should transform
+
+  X-Forwarded-For: origin-client, proxy1, proxy2
+
+into an apparent client IP address of 'proxy1', a new value that applies
+to X-Forwarded-For (note proxy1 wasn't trusted to resolve origin-client);
+
+  X-Forwarded-For: origin-client
+
+and a request notes field value of;
+
+  resolved-forwarded-by: proxy2, gateway
+
+However, when using the advertised client IP address, there is absolutely
+no trust that the origin of that data.  It becomes necessary to build a list
+of trust for a particular application.  Public, maintained lists have been
+developed by the following projects;
+
+ * http://meta.wikimedia.org/wiki/XFF_project
+

Propchange: httpd/sandbox/mod_remoteip/README
------------------------------------------------------------------------------
    svn:eol-style = native

Added: httpd/sandbox/mod_remoteip/mod_remoteip.c
URL: http://svn.apache.org/viewvc/httpd/sandbox/mod_remoteip/mod_remoteip.c?rev=748690&view=auto
==============================================================================
--- httpd/sandbox/mod_remoteip/mod_remoteip.c (added)
+++ httpd/sandbox/mod_remoteip/mod_remoteip.c Fri Feb 27 20:48:01 2009
@@ -0,0 +1,132 @@
+/* Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#include "ap_config.h"
+#include "ap_mmn.h"
+#include "httpd.h"
+#include "http_config.h"
+#include "http_connection.h"
+#include "http_protocol.h"
+#include "http_log.h"
+#include "apr_strings.h"
+#define APR_WANT_BYTEFUNC
+#include "apr_want.h"
+#include "apr_network_io.h"
+
+module AP_MODULE_DECLARE_DATA remoteip_module;
+
+typedef struct {
+    const char *remoteip_header;
+} remoteip_config_t;
+
+static void *create_remoteip_server_config(apr_pool_t *p, server_rec *s)
+{
+    remoteip_config_t *config = apr_palloc(p, sizeof *config);
+    config->remoteip_header = NULL;
+    return config;
+}
+
+static void *merge_remoteip_server_config(apr_pool_t *p, void *globalv,
+                                          void *serverv)
+{
+    remoteip_config_t *global = (remoteip_config_t *) globalv;
+    remoteip_config_t *server = (remoteip_config_t *) serverv;
+    remoteip_config_t *config;
+
+    config = (remoteip_config_t *) apr_palloc(p, sizeof(*config));
+    if (server->remoteip_header)
+        config->remoteip_header = server->remoteip_header;
+    else
+        config->remoteip_header = global->remoteip_header;
+    return config;
+}
+ 
+static const char *remoteip_header_set(cmd_parms *cmd, void *dummy,
+                                       const char *arg)
+{
+    remoteip_config_t *config = ap_get_module_config(cmd->server->module_config,
+                                                     &remoteip_module);
+    config->remoteip_header = apr_pstrdup(cmd->pool, arg);
+    return NULL;
+}
+
+static int modify_connection(request_rec *r)
+{
+    conn_rec *c = r->connection;
+    remoteip_config_t *config = ap_get_module_config(r->server->module_config,
+                                                     &remoteip_module);
+    char *remote;
+
+    if (!config->remoteip_header) 
+        return OK;
+
+    remote = (char*)apr_table_get(r->headers_in, config->remoteip_header);
+    if (!remote)
+        return OK;
+
+    /* Decode remote_addr - sucks; apr_sockaddr_vars_set isn't 'public' */
+    if (inet_pton(AF_INET, remote, 
+                  &c->remote_addr->sa.sin.sin_addr) > 0) {
+        apr_sockaddr_vars_set(c->remote_addr, APR_INET, 0);
+    }
+#if APR_HAVE_IPV6
+    else if (inet_pton(AF_INET6, remote, 
+                       &c->remote_addr->sa.sin6.sin6_addr) > 0) {
+        apr_sockaddr_vars_set(c->remote_addr, APR_INET6, 0);
+    }
+#endif
+    else {
+        ap_log_rerror(APLOG_MARK, APLOG_DEBUG,  apr_get_netos_error(), r,
+                      "Header %s value of %s doesn't appear to be a client IP",
+                      config->remoteip_header, remote);
+        return OK;
+    }
+
+    /* Set remote_ip string */
+    remote = apr_pstrdup(c->pool, remote);
+    c->remote_ip = remote;
+
+    /* Unset remote_host string DNS lookups */
+    c->remote_host = NULL;
+    c->remote_logname = NULL;
+
+    ap_log_rerror(APLOG_MARK, APLOG_INFO|APLOG_NOERRNO, 0, r,
+                  "Using header %s value %s as client's IP",
+                  config->remoteip_header, remote);
+    return OK;
+}
+
+static const command_rec remoteip_cmds[] =
+{
+    AP_INIT_TAKE1("RemoteIPHeader", remoteip_header_set, NULL, RSRC_CONF,
+                  "Specifies a request header to trust as the client IP, e.g. X-Forwarded-For."),
+    { NULL }
+};
+
+static void register_hooks(apr_pool_t *p)
+{
+    ap_hook_post_read_request(modify_connection, NULL, NULL, APR_HOOK_FIRST);
+}
+
+module AP_MODULE_DECLARE_DATA remoteip_module = {
+    STANDARD20_MODULE_STUFF,
+    NULL,                          /* create per-directory config structure */
+    NULL,                          /* merge per-directory config structures */
+    create_remoteip_server_config, /* create per-server config structure */
+    merge_remoteip_server_config,  /* merge per-server config structures */
+    remoteip_cmds,                 /* command apr_table_t */
+    register_hooks                 /* register hooks */
+};

Propchange: httpd/sandbox/mod_remoteip/mod_remoteip.c
------------------------------------------------------------------------------
    svn:eol-style = native



Mime
View raw message