From: Takashi Sato
Date: Tue, 29 Dec 2009 15:39:54 +0000 (+0000)
Subject: Move AllowCONNECT from mod_proxy to mod_proxy_connect.
X-Git-Tag: 2.3.5~45
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=255f44600cd466d26423e0a74f74cd07a728593a;p=thirdparty%2Fapache%2Fhttpd.git
Move AllowCONNECT from mod_proxy to mod_proxy_connect.
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@894425 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index c1e486a4210..1d23a11e61b 100644
--- a/CHANGES
+++ b/CHANGES
@@ -7,6 +7,9 @@ Changes with Apache 2.3.5
a partial match. PR 48401.i
[Dodou Wang , Ruediger Pluem]
+ *) mod_proxy, mod_proxy_connect: Move AllowCONNECT from mod_proxy to
+ mod_proxy_connect. [Takashi Sato]
+
*) mod_proxy_balancer: Fix crash in balancer-manager. [Rainer Jung]
*) mod_headers: Ensure that changes to the main request remain valid when
diff --git a/docs/manual/mod/mod_proxy.xml b/docs/manual/mod/mod_proxy.xml
index 9b70efa8f31..bff8168c0b0 100644
--- a/docs/manual/mod/mod_proxy.xml
+++ b/docs/manual/mod/mod_proxy.xml
@@ -1085,33 +1085,6 @@ string in Set-Cookie headers.
-
-
-AllowCONNECT
-Ports that are allowed to CONNECT through the
-proxy
-AllowCONNECT port [port] ...
-AllowCONNECT 443 563
-server configvirtual host
-
-
-
- The AllowCONNECT directive specifies a list
- of port numbers to which the proxy CONNECT method may
- connect. Today's browsers use this method when a https
- connection is requested and proxy tunneling over HTTP is in effect.
-
- By default, only the default https port (443) and the
- default snews port (563) are enabled. Use the
- AllowCONNECT directive to override this default and
- allow connections to the listed ports only.
-
- Note that you'll need to have mod_proxy_connect present
- in the server in order to get the support for the CONNECT at
- all.
-
-
-
ProxyBlock
Words, hosts, or domains that are banned from being
diff --git a/docs/manual/mod/mod_proxy_connect.xml b/docs/manual/mod/mod_proxy_connect.xml
index ed8f07d8454..b442008ea36 100644
--- a/docs/manual/mod/mod_proxy_connect.xml
+++ b/docs/manual/mod/mod_proxy_connect.xml
@@ -49,4 +49,26 @@
AllowCONNECT
mod_proxy
+
+AllowCONNECT
+Ports that are allowed to CONNECT through the
+proxy
+AllowCONNECT port [port] ...
+AllowCONNECT 443 563
+server configvirtual host
+
+
+
+ The AllowCONNECT directive specifies a list
+ of port numbers to which the proxy CONNECT method may
+ connect. Today's browsers use this method when a https
+ connection is requested and proxy tunneling over HTTP is in effect.
+
+ By default, only the default https port (443) and the
+ default snews port (563) are enabled. Use the
+ AllowCONNECT directive to override this default and
+ allow connections to the listed ports only.
+
+
+
diff --git a/include/ap_mmn.h b/include/ap_mmn.h
index 96fe1d147dc..e53717d2247 100644
--- a/include/ap_mmn.h
+++ b/include/ap_mmn.h
@@ -206,15 +206,17 @@
* 20091031.0 (2.3.3-dev) remove public LDAP referral-related macros
* 20091119.0 (2.3.4-dev) dav_error interface uses apr_status_t parm, not errno
* 20091119.1 (2.3.4-dev) ap_mutex_register(), ap_{proc,global}_mutex_create()
+ * 20091229.0 (2.3.4-dev) Move allowed_connect_ports from proxy_server_conf
+ * to mod_proxy_connect
*
*/
#define MODULE_MAGIC_COOKIE 0x41503234UL /* "AP24" */
#ifndef MODULE_MAGIC_NUMBER_MAJOR
-#define MODULE_MAGIC_NUMBER_MAJOR 20091119
+#define MODULE_MAGIC_NUMBER_MAJOR 20091229
#endif
-#define MODULE_MAGIC_NUMBER_MINOR 1 /* 0...n */
+#define MODULE_MAGIC_NUMBER_MINOR 0 /* 0...n */
/**
* Determine if the server's current MODULE_MAGIC_NUMBER is at least a
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
index 584c385b8f9..fd7431d0ec3 100644
--- a/modules/proxy/mod_proxy.c
+++ b/modules/proxy/mod_proxy.c
@@ -1085,7 +1085,6 @@ static void * create_proxy_config(apr_pool_t *p, server_rec *s)
ps->aliases = apr_array_make(p, 10, sizeof(struct proxy_alias));
ps->noproxies = apr_array_make(p, 10, sizeof(struct noproxy_entry));
ps->dirconn = apr_array_make(p, 10, sizeof(struct dirconn_entry));
- ps->allowed_connect_ports = apr_array_make(p, 10, sizeof(int));
ps->workers = apr_array_make(p, 10, sizeof(proxy_worker));
ps->balancers = apr_array_make(p, 10, sizeof(proxy_balancer));
ps->forward = NULL;
@@ -1123,7 +1122,6 @@ static void * merge_proxy_config(apr_pool_t *p, void *basev, void *overridesv)
ps->aliases = apr_array_append(p, base->aliases, overrides->aliases);
ps->noproxies = apr_array_append(p, base->noproxies, overrides->noproxies);
ps->dirconn = apr_array_append(p, base->dirconn, overrides->dirconn);
- ps->allowed_connect_ports = apr_array_append(p, base->allowed_connect_ports, overrides->allowed_connect_ports);
ps->workers = apr_array_append(p, base->workers, overrides->workers);
ps->balancers = apr_array_append(p, base->balancers, overrides->balancers);
ps->forward = overrides->forward ? overrides->forward : base->forward;
@@ -1502,24 +1500,6 @@ static const char *
return NULL;
}
-/*
- * Set the ports CONNECT can use
- */
-static const char *
- set_allowed_ports(cmd_parms *parms, void *dummy, const char *arg)
-{
- server_rec *s = parms->server;
- proxy_server_conf *conf =
- ap_get_module_config(s->module_config, &proxy_module);
- int *New;
-
- if (!apr_isdigit(arg[0]))
- return "AllowCONNECT: port number must be numeric";
-
- New = apr_array_push(conf->allowed_connect_ports);
- *New = atoi(arg);
- return NULL;
-}
/* Similar to set_proxy_exclude(), but defining directly connected hosts,
* which should never be accessed via the configured ProxyRemote servers
@@ -2109,8 +2089,6 @@ static const command_rec proxy_cmds[] =
"A list of domains, hosts, or subnets to which the proxy will connect directly"),
AP_INIT_TAKE1("ProxyDomain", set_proxy_domain, NULL, RSRC_CONF,
"The default intranet domain name (in absence of a domain in the URL)"),
- AP_INIT_ITERATE("AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF,
- "A list of ports which CONNECT may connect to"),
AP_INIT_TAKE1("ProxyVia", set_via_opt, NULL, RSRC_CONF,
"Configure Via: proxy header header to one of: on | off | block | full"),
AP_INIT_FLAG("ProxyErrorOverride", set_proxy_error_override, NULL, RSRC_CONF,
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
index aebfb12a043..0dee2402b90 100644
--- a/modules/proxy/mod_proxy.h
+++ b/modules/proxy/mod_proxy.h
@@ -129,7 +129,6 @@ typedef struct {
apr_array_header_t *aliases;
apr_array_header_t *noproxies;
apr_array_header_t *dirconn;
- apr_array_header_t *allowed_connect_ports;
apr_array_header_t *workers;
apr_array_header_t *balancers;
proxy_worker *forward; /* forward proxy worker */
diff --git a/modules/proxy/mod_proxy_connect.c b/modules/proxy/mod_proxy_connect.c
index 5a99da7161a..8fa2f756b2c 100644
--- a/modules/proxy/mod_proxy_connect.c
+++ b/modules/proxy/mod_proxy_connect.c
@@ -46,7 +46,52 @@ module AP_MODULE_DECLARE_DATA proxy_connect_module;
* FIXME: no check for r->assbackwards, whatever that is.
*/
-static int allowed_port(proxy_server_conf *conf, int port)
+typedef struct {
+ apr_array_header_t *allowed_connect_ports;
+} connect_conf;
+
+static void *create_config(apr_pool_t *p, server_rec *s)
+{
+ connect_conf *c = apr_pcalloc(p, sizeof(connect_conf));
+ c->allowed_connect_ports = apr_array_make(p, 10, sizeof(int));
+ return c;
+}
+
+static void *merge_config(apr_pool_t *p, void *basev, void *overridesv)
+{
+ connect_conf *c = apr_pcalloc(p, sizeof(connect_conf));
+ connect_conf *base = (connect_conf *) basev;
+ connect_conf *overrides = (connect_conf *) overridesv;
+
+ c->allowed_connect_ports = apr_array_append(p,
+ base->allowed_connect_ports,
+ overrides->allowed_connect_ports);
+
+ return c;
+}
+
+
+/*
+ * Set the ports CONNECT can use
+ */
+static const char *
+ set_allowed_ports(cmd_parms *parms, void *dummy, const char *arg)
+{
+ server_rec *s = parms->server;
+ connect_conf *conf =
+ ap_get_module_config(s->module_config, &proxy_connect_module);
+ int *New;
+
+ if (!apr_isdigit(arg[0]))
+ return "AllowCONNECT: port number must be numeric";
+
+ New = apr_array_push(conf->allowed_connect_ports);
+ *New = atoi(arg);
+ return NULL;
+}
+
+
+static int allowed_port(connect_conf *conf, int port)
{
int i;
int *list = (int *) conf->allowed_connect_ports->elts;
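Review bot: set_allowed_ports in this hunk still checks only the first character of `arg` with apr_isdigit() and then hands the whole string to atoi(), so a directive argument such as `AllowCONNECT 443x` or `AllowCONNECT 99999` is accepted without complaint and either a truncated or an out-of-range value lands in the allow-list that proxy_connect_handler later enforces. Since the directive is being relocated anyway, this is a good moment to parse with strtol() and reject trailing characters and values outside 1..65535, as below; atoi() is already in use here so the header is in scope. The old copy of the same parser is deleted from mod_proxy.c earlier in this patch, so only this one needs the change. The body of allowed_port continues past the end of the hunk.
```c
static const char *
    set_allowed_ports(cmd_parms *parms, void *dummy, const char *arg)
{
    /* … unchanged: conf lookup via ap_get_module_config … */
    int *New;
    char *end;
    long port;

    /* Reject a non-numeric string, trailing garbage ("443x") and values
     * outside the TCP port range, all of which atoi() silently accepted. */
    port = strtol(arg, &end, 10);
    if (end == arg || *end != '\0' || port < 1 || port > 65535)
        return "AllowCONNECT: port number must be numeric (1-65535)";

    New = apr_array_push(conf->allowed_connect_ports);
    *New = (int) port;
    return NULL;
}
```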
@@ -122,6 +167,9 @@ static int proxy_connect_handler(request_rec *r, proxy_worker *worker,
char *url, const char *proxyname,
apr_port_t proxyport)
{
+ connect_conf *c_conf =
+ ap_get_module_config(r->server->module_config, &proxy_connect_module);
+
apr_pool_t *p = r->pool;
apr_socket_t *sock;
conn_rec *c = r->connection;
@@ -203,7 +251,7 @@ static int proxy_connect_handler(request_rec *r, proxy_worker *worker,
}
/* Check if it is an allowed port */
- if (conf->allowed_connect_ports->nelts == 0) {
+ if (c_conf->allowed_connect_ports->nelts == 0) {
/* Default setting if not overridden by AllowCONNECT */
switch (uri.port) {
case APR_URI_HTTPS_DEFAULT_PORT:
@@ -213,7 +261,7 @@ static int proxy_connect_handler(request_rec *r, proxy_worker *worker,
return ap_proxyerror(r, HTTP_FORBIDDEN,
"Connect to remote machine blocked");
}
- } else if(!allowed_port(conf, uri.port)) {
+ } else if(!allowed_port(c_conf, uri.port)) {
return ap_proxyerror(r, HTTP_FORBIDDEN,
"Connect to remote machine blocked");
}
@@ -442,12 +490,19 @@ static void ap_proxy_connect_register_hook(apr_pool_t *p)
proxy_hook_canon_handler(proxy_connect_canon, NULL, NULL, APR_HOOK_MIDDLE);
}
+static const command_rec cmds[] =
+{
+ AP_INIT_ITERATE("AllowCONNECT", set_allowed_ports, NULL, RSRC_CONF,
+ "A list of ports which CONNECT may connect to"),
+ {NULL}
+};
+
module AP_MODULE_DECLARE_DATA proxy_connect_module = {
STANDARD20_MODULE_STUFF,
NULL, /* create per-directory config structure */
NULL, /* merge per-directory config structures */
- NULL, /* create per-server config structure */
- NULL, /* merge per-server config structures */
- NULL, /* command apr_table_t */
+ create_config, /* create per-server config structure */
+ merge_config, /* merge per-server config structures */
+ cmds, /* command apr_table_t */
ap_proxy_connect_register_hook /* register hooks */
};