1 /* Licensed to the Apache Software Foundation (ASF) under one or more
2 * contributor license agreements. See the NOTICE file distributed with
3 * this work for additional information regarding copyright ownership.
4 * The ASF licenses this file to You under the Apache License, Version 2.0
5 * (the "License"); you may not use this file except in compliance with
6 * the License. You may obtain a copy of the License at
8 * http://www.apache.org/licenses/LICENSE-2.0
10 * Unless required by applicable law or agreed to in writing, software
11 * distributed under the License is distributed on an "AS IS" BASIS,
12 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
13 * See the License for the specific language governing permissions and
14 * limitations under the License.
17 /* CONNECT method for Apache proxy */
21 #include "mod_proxy.h"
24 module AP_MODULE_DECLARE_DATA proxy_connect_module;
26 int ap_proxy_connect_canon(request_rec *r, char *url);
27 int ap_proxy_connect_handler(request_rec *r, proxy_server_conf *conf,
28 char *url, const char *proxyname,
29 apr_port_t proxyport);
32 * This handles Netscape CONNECT method secure proxy requests.
33 * A connection is opened to the specified host and data is
34 * passed through between the WWW site and the browser.
36 * This code is based on the INTERNET-DRAFT document
37 * "Tunneling SSL Through a WWW Proxy" currently at
38 * http://www.mcom.com/newsref/std/tunneling_ssl.html.
40 * If proxyhost and proxyport are set, we send a CONNECT to
41 * the specified proxy..
43 * FIXME: this doesn't log the number of bytes sent, but
44 * that may be okay, since the data is supposed to
45 * be transparent. In fact, this doesn't log at all
47 * FIXME: doesn't check any headers initally sent from the
49 * FIXME: should allow authentication, but hopefully the
50 * generic proxy authentication is good enough.
51 * FIXME: no check for r->assbackwards, whatever that is.
55 allowed_port(proxy_server_conf *conf, int port)
58 int *list = (int *) conf->allowed_connect_ports->elts;
60 for(i = 0; i < conf->allowed_connect_ports->nelts; i++) {
67 /* canonicalise CONNECT URLs. */
68 int ap_proxy_connect_canon(request_rec *r, char *url)
71 if (r->method_number != M_CONNECT) {
74 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
75 "proxy: CONNECT: canonicalising URL %s", url);
81 int ap_proxy_connect_handler(request_rec *r, proxy_server_conf *conf,
82 char *url, const char *proxyname,
85 apr_pool_t *p = r->pool;
88 apr_size_t i, o, nbytes;
89 char buffer[HUGE_STRING_LEN];
90 apr_socket_t *client_socket = ap_get_module_config(r->connection->conn_config, &core_module);
94 apr_int16_t pollevent;
95 apr_sockaddr_t *uri_addr, *connect_addr;
98 const char *connectname;
101 /* is this for us? */
102 if (r->method_number != M_CONNECT) {
103 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
104 "proxy: CONNECT: declining URL %s", url);
107 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
108 "proxy: CONNECT: serving URL %s", url);
112 * Step One: Determine Who To Connect To
114 * Break up the URL to determine the host to connect to
117 /* we break the URL into host, port, uri */
118 if (APR_SUCCESS != apr_uri_parse_hostinfo(p, url, &uri)) {
119 return ap_proxyerror(r, HTTP_BAD_REQUEST,
120 apr_pstrcat(p, "URI cannot be parsed: ", url, NULL));
123 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
124 "proxy: CONNECT: connecting %s to %s:%d", url, uri.hostname, uri.port);
126 /* do a DNS lookup for the destination host */
127 err = apr_sockaddr_info_get(&uri_addr, uri.hostname, APR_UNSPEC, uri.port, 0, p);
129 /* are we connecting directly, or via a proxy? */
131 connectname = proxyname;
132 connectport = proxyport;
133 err = apr_sockaddr_info_get(&connect_addr, proxyname, APR_UNSPEC, proxyport, 0, p);
136 connectname = uri.hostname;
137 connectport = uri.port;
138 connect_addr = uri_addr;
140 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
141 "proxy: CONNECT: connecting to remote proxy %s on port %d", connectname, connectport);
143 /* check if ProxyBlock directive on this host */
144 if (OK != ap_proxy_checkproxyblock(r, conf, uri_addr)) {
145 return ap_proxyerror(r, HTTP_FORBIDDEN,
146 "Connect to remote machine blocked");
149 /* Check if it is an allowed port */
150 if (conf->allowed_connect_ports->nelts == 0) {
151 /* Default setting if not overridden by AllowCONNECT */
153 case APR_URI_HTTPS_DEFAULT_PORT:
154 case APR_URI_SNEWS_DEFAULT_PORT:
157 /* XXX can we call ap_proxyerror() here to get a nice log message? */
158 return HTTP_FORBIDDEN;
160 } else if(!allowed_port(conf, uri.port)) {
161 /* XXX can we call ap_proxyerror() here to get a nice log message? */
162 return HTTP_FORBIDDEN;
166 * Step Two: Make the Connection
168 * We have determined who to connect to. Now make the connection.
171 /* get all the possible IP addresses for the destname and loop through them
172 * until we get a successful connection
174 if (APR_SUCCESS != err) {
175 return ap_proxyerror(r, HTTP_BAD_GATEWAY, apr_pstrcat(p,
176 "DNS lookup failure for: ",
181 * At this point we have a list of one or more IP addresses of
182 * the machine to connect to. If configured, reorder this
183 * list so that the "best candidate" is first try. "best
184 * candidate" could mean the least loaded server, the fastest
185 * responding server, whatever.
187 * For now we do nothing, ie we get DNS round robin.
190 failed = ap_proxy_connect_to_backend(&sock, "CONNECT", connect_addr,
191 connectname, conf, r->server,
194 /* handle a permanent error from the above loop */
200 return HTTP_BAD_GATEWAY;
205 * Step Three: Send the Request
207 * Send the HTTP/1.1 CONNECT request to the remote server
210 /* we are acting as a tunnel - the output filter stack should
211 * be completely empty, because when we are done here we are done completely.
212 * We add the NULL filter to the stack to do this...
214 r->output_filters = NULL;
215 r->connection->output_filters = NULL;
218 /* If we are connecting through a remote proxy, we need to pass
219 * the CONNECT request on to it.
222 /* FIXME: Error checking ignored.
224 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
225 "proxy: CONNECT: sending the CONNECT request to the remote proxy");
226 nbytes = apr_snprintf(buffer, sizeof(buffer),
227 "CONNECT %s HTTP/1.0" CRLF, r->uri);
228 apr_send(sock, buffer, &nbytes);
229 nbytes = apr_snprintf(buffer, sizeof(buffer),
230 "Proxy-agent: %s" CRLF CRLF, ap_get_server_version());
231 apr_send(sock, buffer, &nbytes);
234 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
235 "proxy: CONNECT: Returning 200 OK Status");
236 nbytes = apr_snprintf(buffer, sizeof(buffer),
237 "HTTP/1.0 200 Connection Established" CRLF);
238 ap_xlate_proto_to_ascii(buffer, nbytes);
239 apr_send(client_socket, buffer, &nbytes);
240 nbytes = apr_snprintf(buffer, sizeof(buffer),
241 "Proxy-agent: %s" CRLF CRLF, ap_get_server_version());
242 ap_xlate_proto_to_ascii(buffer, nbytes);
243 apr_send(client_socket, buffer, &nbytes);
245 /* This is safer code, but it doesn't work yet. I'm leaving it
246 * here so that I can fix it later.
250 apr_table_set(r->headers_out, "Proxy-agent: %s", ap_get_server_version());
255 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
256 "proxy: CONNECT: setting up poll()");
259 * Step Four: Handle Data Transfer
261 * Handle two way transfer of data over the socket (this is a tunnel).
264 /* r->sent_bodyct = 1;*/
266 if((rv = apr_poll_setup(&pollfd, 2, r->pool)) != APR_SUCCESS)
268 apr_socket_close(sock);
269 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r,
270 "proxy: CONNECT: error apr_poll_setup()");
271 return HTTP_INTERNAL_SERVER_ERROR;
274 /* Add client side to the poll */
275 apr_poll_socket_add(pollfd, client_socket, APR_POLLIN);
277 /* Add the server side to the poll */
278 apr_poll_socket_add(pollfd, sock, APR_POLLIN);
280 while (1) { /* Infinite loop until error (one side closes the connection) */
281 /* ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server, "proxy: CONNECT: going to sleep (poll)");*/
282 if ((rv = apr_poll(pollfd, 2, &pollcnt, -1)) != APR_SUCCESS)
284 apr_socket_close(sock);
285 ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, "proxy: CONNECT: error apr_poll()");
286 return HTTP_INTERNAL_SERVER_ERROR;
288 /* ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
289 "proxy: CONNECT: woke from select(), i=%d", pollcnt);*/
292 apr_poll_revents_get(&pollevent, sock, pollfd);
293 if (pollevent & APR_POLLIN) {
294 /* ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
295 "proxy: CONNECT: sock was set");*/
296 nbytes = sizeof(buffer);
297 if (apr_recv(sock, buffer, &nbytes) == APR_SUCCESS) {
303 /* This is just plain wrong. No module should ever write directly
304 * to the client. For now, this works, but this is high on my list of
305 * things to fix. The correct line is:
306 * if ((nbytes = ap_rwrite(buffer + o, nbytes, r)) < 0)
309 if (apr_send(client_socket, buffer + o, &nbytes) != APR_SUCCESS)
318 else if ((pollevent & APR_POLLERR) || (pollevent & APR_POLLHUP))
322 apr_poll_revents_get(&pollevent, client_socket, pollfd);
323 if (pollevent & APR_POLLIN) {
324 /* ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
325 "proxy: CONNECT: client was set");*/
326 nbytes = sizeof(buffer);
327 if (apr_recv(client_socket, buffer, &nbytes) == APR_SUCCESS) {
333 if (apr_send(sock, buffer + o, &nbytes) != APR_SUCCESS)
342 else if ((pollevent & APR_POLLERR) || (pollevent & APR_POLLHUP))
349 ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, r->server,
350 "proxy: CONNECT: finished with poll() - cleaning up");
353 * Step Five: Clean Up
355 * Close the socket and clean up
358 apr_socket_close(sock);
363 static void ap_proxy_connect_register_hook(apr_pool_t *p)
365 proxy_hook_scheme_handler(ap_proxy_connect_handler, NULL, NULL, APR_HOOK_MIDDLE);
366 proxy_hook_canon_handler(ap_proxy_connect_canon, NULL, NULL, APR_HOOK_MIDDLE);
369 module AP_MODULE_DECLARE_DATA proxy_connect_module = {
370 STANDARD20_MODULE_STUFF,
371 NULL, /* create per-directory config structure */
372 NULL, /* merge per-directory config structures */
373 NULL, /* create per-server config structure */
374 NULL, /* merge per-server config structures */
375 NULL, /* command apr_table_t */
376 ap_proxy_connect_register_hook /* register hooks */