/* ==================================================================== * The Apache Software License, Version 1.1 * * Copyright (c) 2000-2001 The Apache Software Foundation. All rights * reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in * the documentation and/or other materials provided with the * distribution. * * 3. The end-user documentation included with the redistribution, * if any, must include the following acknowledgment: * "This product includes software developed by the * Apache Software Foundation (http://www.apache.org/)." * Alternately, this acknowledgment may appear in the software itself, * if and wherever such third-party acknowledgments normally appear. * * 4. The names "Apache" and "Apache Software Foundation" must * not be used to endorse or promote products derived from this * software without prior written permission. For written * permission, please contact apache@apache.org. * * 5. Products derived from this software may not be called "Apache", * nor may "Apache" appear in their name, without prior written * permission of the Apache Software Foundation. * * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESSED OR IMPLIED * WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE * DISCLAIMED. IN NO EVENT SHALL THE APACHE SOFTWARE FOUNDATION OR * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * ==================================================================== * * This software consists of voluntary contributions made by many * individuals on behalf of the Apache Software Foundation. For more * information on the Apache Software Foundation, please see * . * * Portions of this software are based upon public domain software * originally written at the National Center for Supercomputing Applications, * University of Illinois, Urbana-Champaign. */ /* CONNECT method for Apache proxy */ #define CORE_PRIVATE #include "mod_proxy.h" module AP_MODULE_DECLARE_DATA proxy_connect_module; int ap_proxy_connect_canon(request_rec *r, char *url); int ap_proxy_connect_handler(request_rec *r, proxy_server_conf *conf, char *url, const char *proxyname, apr_port_t proxyport); /* * This handles Netscape CONNECT method secure proxy requests. * A connection is opened to the specified host and data is * passed through between the WWW site and the browser. * * This code is based on the INTERNET-DRAFT document * "Tunneling SSL Through a WWW Proxy" currently at * http://www.mcom.com/newsref/std/tunneling_ssl.html. * * If proxyhost and proxyport are set, we send a CONNECT to * the specified proxy.. * * FIXME: this doesn't log the number of bytes sent, but * that may be okay, since the data is supposed to * be transparent. In fact, this doesn't log at all * yet. 8^) * FIXME: doesn't check any headers initally sent from the * client. * FIXME: should allow authentication, but hopefully the * generic proxy authentication is good enough. * FIXME: no check for r->assbackwards, whatever that is. */ static int allowed_port(proxy_server_conf *conf, int port) { int i; int *list = (int *) conf->allowed_connect_ports->elts; for(i = 0; i < conf->allowed_connect_ports->nelts; i++) { if(port == list[i]) return 1; } return 0; } /* canonicalise CONNECT URLs. */ int ap_proxy_connect_canon(request_rec *r, char *url) { if (r->method_number != M_CONNECT) { return DECLINED; } ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: canonicalising URL %s", url); return OK; } /* CONNECT handler */ int ap_proxy_connect_handler(request_rec *r, proxy_server_conf *conf, char *url, const char *proxyname, apr_port_t proxyport) { apr_pool_t *p = r->pool; apr_socket_t *sock; apr_status_t err, rv; apr_size_t i, o, nbytes; char buffer[HUGE_STRING_LEN]; apr_pollfd_t *pollfd; apr_int32_t pollcnt; apr_int16_t pollevent; apr_sockaddr_t *uri_addr, *connect_addr; apr_uri_components uri; const char *connectname; int connectport = 0; /* is this for us? */ if (r->method_number != M_CONNECT) { ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: rejecting URL %s", url); return DECLINED; } ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: serving URL %s", url); /* * Step One: Determine Who To Connect To * * Break up the URL to determine the host to connect to */ /* we break the URL into host, port, uri */ if (APR_SUCCESS != apr_uri_parse_hostinfo_components(p, url, &uri)) { return ap_proxyerror(r, HTTP_BAD_REQUEST, apr_pstrcat(p, "URI cannot be parsed: ", url, NULL)); } ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: connecting %s to %s:%d", url, uri.hostname, uri.port); /* do a DNS lookup for the destination host */ err = apr_sockaddr_info_get(&uri_addr, uri.hostname, APR_UNSPEC, uri.port, 0, p); /* are we connecting directly, or via a proxy? */ if (proxyname) { connectname = proxyname; connectport = proxyport; err = apr_sockaddr_info_get(&connect_addr, proxyname, APR_UNSPEC, proxyport, 0, p); } else { connectname = uri.hostname; connectport = uri.port; connect_addr = uri_addr; } ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, NULL, "proxy: CONNECT: connecting to remote proxy %s on port %d", connectname, connectport); /* check if ProxyBlock directive on this host */ if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) { return ap_proxyerror(r, HTTP_FORBIDDEN, "Connect to remote machine blocked"); } /* Check if it is an allowed port */ if (conf->allowed_connect_ports->nelts == 0) { /* Default setting if not overridden by AllowCONNECT */ switch (uri.port) { case APU_URI_HTTPS_DEFAULT_PORT: case APU_URI_SNEWS_DEFAULT_PORT: break; default: return HTTP_FORBIDDEN; } } else if(!allowed_port(conf, uri.port)) return HTTP_FORBIDDEN; /* * Step Two: Make the Connection * * We have determined who to connect to. Now make the connection. */ /* get all the possible IP addresses for the destname and loop through them * until we get a successful connection */ if (APR_SUCCESS != err) { return ap_proxyerror(r, HTTP_BAD_GATEWAY, apr_pstrcat(p, "DNS lookup failure for: ", connectname, NULL)); } /* create a new socket */ if ((rv = apr_socket_create(&sock, APR_INET, SOCK_STREAM,APR_INHERIT, r->pool)) != APR_SUCCESS) { ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "proxy: error creating socket"); return HTTP_INTERNAL_SERVER_ERROR; } /* * At this point we have a list of one or more IP addresses of * the machine to connect to. If configured, reorder this * list so that the "best candidate" is first try. "best * candidate" could mean the least loaded server, the fastest * responding server, whatever. * * For now we do nothing, ie we get DNS round robin. * XXX FIXME */ /* try each IP address until we connect successfully */ { int failed = 1; while (connect_addr) { /* make the connection out of the socket */ rv = apr_connect(sock, connect_addr); /* if an error occurred, loop round and try again */ if (rv != APR_SUCCESS) { ap_log_error(APLOG_MARK, APLOG_ERR, rv, r->server, "proxy: CONNECT: attempt to connect to %pI (%s) failed", connect_addr, connectname); connect_addr = connect_addr->next; continue; } /* if we get here, all is well */ failed = 0; break; } /* handle a permanent error from the above loop */ if (failed) { apr_socket_close(sock); if (proxyname) { return DECLINED; } else { return HTTP_BAD_GATEWAY; } } } /* * Step Three: Send the Request * * Send the HTTP/1.1 CONNECT request to the remote server */ /* we are acting as a tunnel - the output filter stack should * be completely empty, because when we are done here we are done completely. * We add the NULL filter to the stack to do this... */ r->output_filters = NULL; r->connection->output_filters = NULL; /* If we are connecting through a remote proxy, we need to pass * the CONNECT request on to it. */ if (proxyport) { /* FIXME: Error checking ignored. */ ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: sending the CONNECT request to the remote proxy"); nbytes = apr_snprintf(buffer, sizeof(buffer), "CONNECT %s HTTP/1.0" CRLF, r->uri); apr_send(sock, buffer, &nbytes); nbytes = apr_snprintf(buffer, sizeof(buffer), "Proxy-agent: %s" CRLF CRLF, ap_get_server_version()); apr_send(sock, buffer, &nbytes); } else { ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: Returning 200 OK Status"); nbytes = apr_snprintf(buffer, sizeof(buffer), "HTTP/1.0 200 Connection Established" CRLF); apr_send(r->connection->client_socket, buffer, &nbytes); nbytes = apr_snprintf(buffer, sizeof(buffer), "Proxy-agent: %s" CRLF CRLF, ap_get_server_version()); apr_send(r->connection->client_socket, buffer, &nbytes); } ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: setting up poll()"); /* * Step Four: Handle Data Transfer * * Handle two way transfer of data over the socket (this is a tunnel). */ /* r->sent_bodyct = 1;*/ if((rv = apr_poll_setup(&pollfd, 2, r->pool)) != APR_SUCCESS) { apr_socket_close(sock); ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "proxy: CONNECT: error apr_poll_setup()"); return HTTP_INTERNAL_SERVER_ERROR; } /* Add client side to the poll */ apr_poll_socket_add(pollfd, r->connection->client_socket, APR_POLLIN); /* Add the server side to the poll */ apr_poll_socket_add(pollfd, sock, APR_POLLIN); while (1) { /* Infinite loop until error (one side closes the connection) */ /* ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: going to sleep (poll)");*/ if ((rv = apr_poll(pollfd, &pollcnt, -1)) != APR_SUCCESS) { apr_socket_close(sock); ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "proxy: CONNECT: error apr_poll()"); return HTTP_INTERNAL_SERVER_ERROR; } /* ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: woke from select(), i=%d", pollcnt);*/ if (pollcnt) { apr_poll_revents_get(&pollevent, sock, pollfd); if (pollevent & APR_POLLIN) { /* ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: sock was set");*/ nbytes = sizeof(buffer); if (apr_recv(sock, buffer, &nbytes) == APR_SUCCESS) { o = 0; i = nbytes; while(i > 0) { nbytes = i; if (apr_send(r->connection->client_socket, buffer + o, &nbytes) != APR_SUCCESS) break; o += nbytes; i -= nbytes; } } else break; } else if ((pollevent & APR_POLLERR) || (pollevent & APR_POLLHUP)) break; apr_poll_revents_get(&pollevent, r->connection->client_socket, pollfd); if (pollevent & APR_POLLIN) { /* ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: client was set");*/ nbytes = sizeof(buffer); if (apr_recv(r->connection->client_socket, buffer, &nbytes) == APR_SUCCESS) { o = 0; i = nbytes; while(i > 0) { nbytes = i; if (apr_send(sock, buffer + o, &nbytes) != APR_SUCCESS) break; o += nbytes; i -= nbytes; } } else break; } else if ((pollevent & APR_POLLERR) || (pollevent & APR_POLLHUP)) break; } else break; } ap_log_error(APLOG_MARK, APLOG_DEBUG|APLOG_NOERRNO, 0, r->server, "proxy: CONNECT: finished with poll() - cleaning up"); /* * Step Five: Clean Up * * Close the socket and clean up */ apr_socket_close(sock); return OK; } static void ap_proxy_connect_register_hook(apr_pool_t *p) { proxy_hook_scheme_handler(ap_proxy_connect_handler, NULL, NULL, APR_HOOK_MIDDLE); proxy_hook_canon_handler(ap_proxy_connect_canon, NULL, NULL, APR_HOOK_MIDDLE); } module AP_MODULE_DECLARE_DATA proxy_connect_module = { STANDARD20_MODULE_STUFF, NULL, /* create per-directory config structure */ NULL, /* merge per-directory config structures */ NULL, /* create per-server config structure */ NULL, /* merge per-server config structures */ NULL, /* command apr_table_t */ ap_proxy_connect_register_hook /* register hooks */ };