1/* Licensed to the Apache Software Foundation (ASF) under one or more 2 * contributor license agreements. See the NOTICE file distributed with 3 * this work for additional information regarding copyright ownership. 4 * The ASF licenses this file to You under the Apache License, Version 2.0 5 * (the "License"); you may not use this file except in compliance with 6 * the License. You may obtain a copy of the License at 7 * 8 * http://www.apache.org/licenses/LICENSE-2.0 9 * 10 * Unless required by applicable law or agreed to in writing, software 11 * distributed under the License is distributed on an "AS IS" BASIS, 12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 * See the License for the specific language governing permissions and 14 * limitations under the License. 15 */ 16 17/* CONNECT method for Apache proxy */ 18 19#include "mod_proxy.h" 20#include "apr_poll.h" 21 22#define CONN_BLKSZ AP_IOBUFSIZE 23 24module AP_MODULE_DECLARE_DATA proxy_connect_module; 25 26/* 27 * This handles Netscape CONNECT method secure proxy requests. 28 * A connection is opened to the specified host and data is 29 * passed through between the WWW site and the browser. 30 * 31 * This code is based on the INTERNET-DRAFT document 32 * "Tunneling SSL Through a WWW Proxy" currently at 33 * http://www.mcom.com/newsref/std/tunneling_ssl.html. 34 * 35 * If proxyhost and proxyport are set, we send a CONNECT to 36 * the specified proxy.. 37 * 38 * FIXME: this doesn't log the number of bytes sent, but 39 * that may be okay, since the data is supposed to 40 * be transparent. In fact, this doesn't log at all 41 * yet. 8^) 42 * FIXME: doesn't check any headers initally sent from the 43 * client. 44 * FIXME: should allow authentication, but hopefully the 45 * generic proxy authentication is good enough. 46 * FIXME: no check for r->assbackwards, whatever that is. 47 */ 48 49typedef struct { 50 apr_array_header_t *allowed_connect_ports; 51} connect_conf; 52 53typedef struct { 54 int first; 55 int last; 56} port_range; 57 58static void *create_config(apr_pool_t *p, server_rec *s) 59{ 60 connect_conf *c = apr_pcalloc(p, sizeof(connect_conf)); 61 c->allowed_connect_ports = apr_array_make(p, 10, sizeof(port_range)); 62 return c; 63} 64 65static void *merge_config(apr_pool_t *p, void *basev, void *overridesv) 66{ 67 connect_conf *c = apr_pcalloc(p, sizeof(connect_conf)); 68 connect_conf *base = (connect_conf *) basev; 69 connect_conf *overrides = (connect_conf *) overridesv; 70 71 c->allowed_connect_ports = apr_array_append(p, 72 base->allowed_connect_ports, 73 overrides->allowed_connect_ports); 74 75 return c; 76} 77 78 79/* 80 * Set the ports CONNECT can use 81 */ 82static const char * 83 set_allowed_ports(cmd_parms *parms, void *dummy, const char *arg) 84{ 85 server_rec *s = parms->server; 86 int first, last; 87 connect_conf *conf = 88 ap_get_module_config(s->module_config, &proxy_connect_module); 89 port_range *New; 90 char *endptr; 91 const char *p = arg; 92 93 if (!apr_isdigit(arg[0])) 94 return "AllowCONNECT: port numbers must be numeric"; 95 96 first = strtol(p, &endptr, 10); 97 if (*endptr == '-') { 98 p = endptr + 1; 99 last = strtol(p, &endptr, 10); 100 } 101 else { 102 last = first; 103 } 104 105 if (endptr == p || *endptr != '\0') { 106 return apr_psprintf(parms->temp_pool, 107 "Cannot parse '%s' as port number", p); 108 } 109 110 New = apr_array_push(conf->allowed_connect_ports); 111 New->first = first; 112 New->last = last; 113 return NULL; 114} 115 116 117static int allowed_port(connect_conf *conf, int port) 118{ 119 int i; 120 port_range *list = (port_range *) conf->allowed_connect_ports->elts; 121 122 if (apr_is_empty_array(conf->allowed_connect_ports)){ 123 return port == APR_URI_HTTPS_DEFAULT_PORT 124 || port == APR_URI_SNEWS_DEFAULT_PORT; 125 } 126 127 for (i = 0; i < conf->allowed_connect_ports->nelts; i++) { 128 if (port >= list[i].first && port <= list[i].last) 129 return 1; 130 } 131 return 0; 132} 133 134/* canonicalise CONNECT URLs. */ 135static int proxy_connect_canon(request_rec *r, char *url) 136{ 137 138 if (r->method_number != M_CONNECT) { 139 return DECLINED; 140 } 141 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "canonicalising URL %s", url); 142 143 return OK; 144} 145 146/* read available data (in blocks of CONN_BLKSZ) from c_i and copy to c_o */ 147static int proxy_connect_transfer(request_rec *r, conn_rec *c_i, conn_rec *c_o, 148 apr_bucket_brigade *bb, char *name) 149{ 150 int rv; 151#ifdef DEBUGGING 152 apr_off_t len; 153#endif 154 155 do { 156 apr_brigade_cleanup(bb); 157 rv = ap_get_brigade(c_i->input_filters, bb, AP_MODE_READBYTES, 158 APR_NONBLOCK_READ, CONN_BLKSZ); 159 if (rv == APR_SUCCESS) { 160 if (c_o->aborted) 161 return APR_EPIPE; 162 if (APR_BRIGADE_EMPTY(bb)) 163 break; 164#ifdef DEBUGGING 165 len = -1; 166 apr_brigade_length(bb, 0, &len); 167 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01016) 168 "read %" APR_OFF_T_FMT 169 " bytes from %s", len, name); 170#endif 171 rv = ap_pass_brigade(c_o->output_filters, bb); 172 if (rv == APR_SUCCESS) { 173 ap_fflush(c_o->output_filters, bb); 174 } 175 else { 176 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01017) 177 "error on %s - ap_pass_brigade", 178 name); 179 } 180 } else if (!APR_STATUS_IS_EAGAIN(rv)) { 181 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, rv, r, APLOGNO(01018) 182 "error on %s - ap_get_brigade", 183 name); 184 } 185 } while (rv == APR_SUCCESS); 186 187 if (APR_STATUS_IS_EAGAIN(rv)) { 188 rv = APR_SUCCESS; 189 } 190 return rv; 191} 192 193/* CONNECT handler */ 194static int proxy_connect_handler(request_rec *r, proxy_worker *worker, 195 proxy_server_conf *conf, 196 char *url, const char *proxyname, 197 apr_port_t proxyport) 198{ 199 connect_conf *c_conf = 200 ap_get_module_config(r->server->module_config, &proxy_connect_module); 201 202 apr_pool_t *p = r->pool; 203 apr_socket_t *sock; 204 conn_rec *c = r->connection; 205 conn_rec *backconn; 206 207 apr_bucket_brigade *bb = apr_brigade_create(p, c->bucket_alloc); 208 apr_status_t rv; 209 apr_size_t nbytes; 210 char buffer[HUGE_STRING_LEN]; 211 apr_socket_t *client_socket = ap_get_conn_socket(c); 212 int failed, rc; 213 int client_error = 0; 214 apr_pollset_t *pollset; 215 apr_pollfd_t pollfd; 216 const apr_pollfd_t *signalled; 217 apr_int32_t pollcnt, pi; 218 apr_int16_t pollevent; 219 apr_sockaddr_t *nexthop; 220 221 apr_uri_t uri; 222 const char *connectname; 223 apr_port_t connectport = 0; 224 225 /* is this for us? */ 226 if (r->method_number != M_CONNECT) { 227 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "declining URL %s", url); 228 return DECLINED; 229 } 230 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "serving URL %s", url); 231 232 233 /* 234 * Step One: Determine Who To Connect To 235 * 236 * Break up the URL to determine the host to connect to 237 */ 238 239 /* we break the URL into host, port, uri */ 240 if (APR_SUCCESS != apr_uri_parse_hostinfo(p, url, &uri)) { 241 return ap_proxyerror(r, HTTP_BAD_REQUEST, 242 apr_pstrcat(p, "URI cannot be parsed: ", url, 243 NULL)); 244 } 245 246 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01019) 247 "connecting %s to %s:%d", url, uri.hostname, uri.port); 248 249 /* Determine host/port of next hop; from request URI or of a proxy. */ 250 connectname = proxyname ? proxyname : uri.hostname; 251 connectport = proxyname ? proxyport : uri.port; 252 253 /* Do a DNS lookup for the next hop */ 254 rv = apr_sockaddr_info_get(&nexthop, connectname, APR_UNSPEC, 255 connectport, 0, p); 256 if (rv != APR_SUCCESS) { 257 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(02327) 258 "failed to resolve hostname '%s'", connectname); 259 return ap_proxyerror(r, HTTP_BAD_GATEWAY, 260 apr_pstrcat(p, "DNS lookup failure for: ", 261 connectname, NULL)); 262 } 263 264 /* Check ProxyBlock directive on the hostname/address. */ 265 if (ap_proxy_checkproxyblock2(r, conf, uri.hostname, 266 proxyname ? NULL : nexthop) != OK) { 267 return ap_proxyerror(r, HTTP_FORBIDDEN, 268 "Connect to remote machine blocked"); 269 } 270 271 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, 272 "connecting to remote proxy %s on port %d", 273 connectname, connectport); 274 275 /* Check if it is an allowed port */ 276 if(!allowed_port(c_conf, uri.port)) { 277 return ap_proxyerror(r, HTTP_FORBIDDEN, 278 "Connect to remote machine blocked"); 279 } 280 281 /* 282 * Step Two: Make the Connection 283 * 284 * We have determined who to connect to. Now make the connection. 285 */ 286 287 /* 288 * At this point we have a list of one or more IP addresses of 289 * the machine to connect to. If configured, reorder this 290 * list so that the "best candidate" is first try. "best 291 * candidate" could mean the least loaded server, the fastest 292 * responding server, whatever. 293 * 294 * For now we do nothing, ie we get DNS round robin. 295 * XXX FIXME 296 */ 297 failed = ap_proxy_connect_to_backend(&sock, "CONNECT", nexthop, 298 connectname, conf, r); 299 300 /* handle a permanent error from the above loop */ 301 if (failed) { 302 if (proxyname) { 303 return DECLINED; 304 } 305 else { 306 return HTTP_SERVICE_UNAVAILABLE; 307 } 308 } 309 310 /* setup polling for connection */ 311 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "setting up poll()"); 312 313 if ((rv = apr_pollset_create(&pollset, 2, r->pool, 0)) != APR_SUCCESS) { 314 apr_socket_close(sock); 315 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01020) 316 "error apr_pollset_create()"); 317 return HTTP_INTERNAL_SERVER_ERROR; 318 } 319 320 /* Add client side to the poll */ 321 pollfd.p = r->pool; 322 pollfd.desc_type = APR_POLL_SOCKET; 323 pollfd.reqevents = APR_POLLIN; 324 pollfd.desc.s = client_socket; 325 pollfd.client_data = NULL; 326 apr_pollset_add(pollset, &pollfd); 327 328 /* Add the server side to the poll */ 329 pollfd.desc.s = sock; 330 apr_pollset_add(pollset, &pollfd); 331 332 /* 333 * Step Three: Send the Request 334 * 335 * Send the HTTP/1.1 CONNECT request to the remote server 336 */ 337 338 backconn = ap_run_create_connection(c->pool, r->server, sock, 339 c->id, c->sbh, c->bucket_alloc); 340 if (!backconn) { 341 /* peer reset */ 342 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01021) 343 "an error occurred creating a new connection " 344 "to %pI (%s)", nexthop, connectname); 345 apr_socket_close(sock); 346 return HTTP_INTERNAL_SERVER_ERROR; 347 } 348 ap_proxy_ssl_disable(backconn); 349 rc = ap_run_pre_connection(backconn, sock); 350 if (rc != OK && rc != DONE) { 351 backconn->aborted = 1; 352 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01022) 353 "pre_connection setup failed (%d)", rc); 354 return HTTP_INTERNAL_SERVER_ERROR; 355 } 356 357 ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, 358 "connection complete to %pI (%s)", 359 nexthop, connectname); 360 apr_table_setn(r->notes, "proxy-source-port", apr_psprintf(r->pool, "%hu", 361 backconn->local_addr->port)); 362 363 /* If we are connecting through a remote proxy, we need to pass 364 * the CONNECT request on to it. 365 */ 366 if (proxyport) { 367 /* FIXME: Error checking ignored. 368 */ 369 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, 370 "sending the CONNECT request to the remote proxy"); 371 ap_fprintf(backconn->output_filters, bb, 372 "CONNECT %s HTTP/1.0" CRLF, r->uri); 373 ap_fprintf(backconn->output_filters, bb, 374 "Proxy-agent: %s" CRLF CRLF, ap_get_server_banner()); 375 ap_fflush(backconn->output_filters, bb); 376 } 377 else { 378 ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "Returning 200 OK"); 379 nbytes = apr_snprintf(buffer, sizeof(buffer), 380 "HTTP/1.0 200 Connection Established" CRLF); 381 ap_xlate_proto_to_ascii(buffer, nbytes); 382 ap_fwrite(c->output_filters, bb, buffer, nbytes); 383 nbytes = apr_snprintf(buffer, sizeof(buffer), 384 "Proxy-agent: %s" CRLF CRLF, 385 ap_get_server_banner()); 386 ap_xlate_proto_to_ascii(buffer, nbytes); 387 ap_fwrite(c->output_filters, bb, buffer, nbytes); 388 ap_fflush(c->output_filters, bb); 389#if 0 390 /* This is safer code, but it doesn't work yet. I'm leaving it 391 * here so that I can fix it later. 392 */ 393 r->status = HTTP_OK; 394 r->header_only = 1; 395 apr_table_set(r->headers_out, "Proxy-agent: %s", ap_get_server_banner()); 396 ap_rflush(r); 397#endif 398 } 399 400 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "setting up poll()"); 401 402 /* 403 * Step Four: Handle Data Transfer 404 * 405 * Handle two way transfer of data over the socket (this is a tunnel). 406 */ 407 408 /* we are now acting as a tunnel - the input/output filter stacks should 409 * not contain any non-connection filters. 410 */ 411 r->output_filters = c->output_filters; 412 r->proto_output_filters = c->output_filters; 413 r->input_filters = c->input_filters; 414 r->proto_input_filters = c->input_filters; 415/* r->sent_bodyct = 1;*/ 416 417 while (1) { /* Infinite loop until error (one side closes the connection) */ 418 if ((rv = apr_pollset_poll(pollset, -1, &pollcnt, &signalled)) 419 != APR_SUCCESS) { 420 if (APR_STATUS_IS_EINTR(rv)) { 421 continue; 422 } 423 apr_socket_close(sock); 424 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01023) "error apr_poll()"); 425 return HTTP_INTERNAL_SERVER_ERROR; 426 } 427#ifdef DEBUGGING 428 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01024) 429 "woke from poll(), i=%d", pollcnt); 430#endif 431 432 for (pi = 0; pi < pollcnt; pi++) { 433 const apr_pollfd_t *cur = &signalled[pi]; 434 435 if (cur->desc.s == sock) { 436 pollevent = cur->rtnevents; 437 if (pollevent & APR_POLLIN) { 438#ifdef DEBUGGING 439 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01025) 440 "sock was readable"); 441#endif 442 rv = proxy_connect_transfer(r, backconn, c, bb, "sock"); 443 } 444 else if ((pollevent & APR_POLLERR) 445 || (pollevent & APR_POLLHUP)) { 446 rv = APR_EPIPE; 447 ap_log_rerror(APLOG_MARK, APLOG_NOTICE, 0, r, APLOGNO(01026) 448 "err/hup on backconn"); 449 } 450 if (rv != APR_SUCCESS) 451 client_error = 1; 452 } 453 else if (cur->desc.s == client_socket) { 454 pollevent = cur->rtnevents; 455 if (pollevent & APR_POLLIN) { 456#ifdef DEBUGGING 457 ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01027) 458 "client was readable"); 459#endif 460 rv = proxy_connect_transfer(r, c, backconn, bb, "client"); 461 } 462 } 463 else { 464 rv = APR_EBADF; 465 ap_log_rerror(APLOG_MARK, APLOG_INFO, 0, r, APLOGNO(01028) 466 "unknown socket in pollset"); 467 } 468 469 } 470 if (rv != APR_SUCCESS) { 471 break; 472 } 473 } 474 475 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, 476 "finished with poll() - cleaning up"); 477 478 /* 479 * Step Five: Clean Up 480 * 481 * Close the socket and clean up 482 */ 483 484 if (client_error) 485 apr_socket_close(sock); 486 else 487 ap_lingering_close(backconn); 488 489 c->aborted = 1; 490 c->keepalive = AP_CONN_CLOSE; 491 492 return OK; 493} 494 495static void ap_proxy_connect_register_hook(apr_pool_t *p) 496{ 497 proxy_hook_scheme_handler(proxy_connect_handler, NULL, NULL, APR_HOOK_MIDDLE); 498 proxy_hook_canon_handler(proxy_connect_canon, NULL, NULL, APR_HOOK_MIDDLE); 499} 500 501static const command_rec cmds[] = 502{ 503 AP_INIT_ITERATE("AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF, 504 "A list of ports or port ranges which CONNECT may connect to"), 505 {NULL} 506}; 507 508AP_DECLARE_MODULE(proxy_connect) = { 509 STANDARD20_MODULE_STUFF, 510 NULL, /* create per-directory config structure */ 511 NULL, /* merge per-directory config structures */ 512 create_config, /* create per-server config structure */ 513 merge_config, /* merge per-server config structures */ 514 cmds, /* command apr_table_t */ 515 ap_proxy_connect_register_hook /* register hooks */ 516}; 517