From 55fe1fbbdc7d4b66cdd1178df9a3e29f48b51b06 Mon Sep 17 00:00:00 2001 From: Mario Fetka Date: Wed, 1 Apr 2020 17:27:16 +0200 Subject: [PATCH] Bump --- Makefile | 4 +- README.md | 4 ++ debian/changelog | 3 -- debian/control | 2 +- debian/docs | 1 - debian/lintian-overrides | 2 + debian/rules | 2 +- mod_proxy_protocol.c | 110 +++++++++++++++++++++++++++------------ 8 files changed, 86 insertions(+), 42 deletions(-) create mode 100644 debian/lintian-overrides diff --git a/Makefile b/Makefile index 0627d7a..c0ff43b 100644 --- a/Makefile +++ b/Makefile @@ -12,11 +12,11 @@ all: .libs/mod_proxy_protocol.so # build the so in the current directory .libs/mod_proxy_protocol.so: mod_proxy_protocol.c - $(APXS) -c mod_proxy_protocol.c + $(APXS) -c -Wc,-Wall mod_proxy_protocol.c # install the so - usually needs root access install: .libs/mod_proxy_protocol.so - $(APXS) -i mod_proxy_protocol.c + $(APXS) -i mod_proxy_protocol.la # generate the html doc docs: mod_proxy_protocol.html diff --git a/README.md b/README.md index cbc25bc..eebeb68 100644 --- a/README.md +++ b/README.md @@ -4,6 +4,10 @@ This is an [Apache](http://httpd.apache.org/) module that implements the server side of HAProxy's [Proxy Protocol](http://blog.haproxy.com/haproxy/proxy-protocol/). +Note: as of Apache 2.4.30 this code has been merged into +[mod_remoteip](https://httpd.apache.org/docs/2.4/mod/mod_remoteip.html), +with the `ProxyProtocol` directive renamed to `RemoteIPProxyProtocol`. + ## Build and Install You'll need the apache development packages installed (typically something diff --git a/debian/changelog b/debian/changelog index aa4c74f..d732ac3 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,4 +1,3 @@ -<<<<<<< HEAD mod-proxy-protocol (0.2-2) UNRELEASED; urgency=medium * Add patch for CVE-2019-10097 @@ -11,8 +10,6 @@ mod-proxy-protocol (0.2-1) xenial; urgency=low -- Roadrunner2 Tue, 20 Mar 2018 02:11:49 -0700 -======= ->>>>>>> upstream/0.1 mod-proxy-protocol (0.1-1) trusty; urgency=low * Initial release diff --git a/debian/control b/debian/control index a0cdc0a..596d88b 100644 --- a/debian/control +++ b/debian/control @@ -8,7 +8,7 @@ Homepage: https://github.com/roadrunner2/mod-proxy-protocol Package: libapache2-mod-proxy-protocol Architecture: amd64 -Depends: ${shlibs:Depends}, ${misc:Depends}, apache2-api-20120211, apache2 (>= 2.4.0) +Depends: ${shlibs:Depends}, ${misc:Depends}, apache2-api-20120211 Description: Apache module for proxy protocol The proxy protocol is a way for upstream proxies and load-balancers to for the ip-address of the client to the server. This package contains diff --git a/debian/docs b/debian/docs index 931c46d..e980146 100644 --- a/debian/docs +++ b/debian/docs @@ -1,5 +1,4 @@ README.md mod_proxy_protocol.xml mod_proxy_protocol.xml.meta -mod_proxy_protocol.html debian/README.Debian diff --git a/debian/lintian-overrides b/debian/lintian-overrides new file mode 100644 index 0000000..48369ea --- /dev/null +++ b/debian/lintian-overrides @@ -0,0 +1,2 @@ +libapache2-mod-proxy-protocol: apache2-module-depends-on-real-apache2-package +libapache2-mod-proxy-protocol: copyright-should-refer-to-common-license-file-for-apache-2 diff --git a/debian/rules b/debian/rules index db2bc2a..f311f7d 100755 --- a/debian/rules +++ b/debian/rules @@ -4,7 +4,7 @@ build: dh_testdir - make all docs + make all # docs clean: dh_testdir diff --git a/mod_proxy_protocol.c b/mod_proxy_protocol.c index 5766b80..e74fdf4 100644 --- a/mod_proxy_protocol.c +++ b/mod_proxy_protocol.c @@ -80,6 +80,37 @@ static int pp_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog, return OK; } +#if !(APR_VERSION_AT_LEAST(1,5,0)) +static APR_DECLARE(int) apr_sockaddr_is_wildcard(const apr_sockaddr_t *addr) +{ + static const char inaddr_any[ +#if APR_HAVE_IPV6 + sizeof(struct in6_addr) +#else + sizeof(struct in_addr) +#endif + ] = {0}; + + if (addr->ipaddr_ptr /* IP address initialized */ + && addr->ipaddr_len <= sizeof inaddr_any) { /* else bug elsewhere? */ + if (!memcmp(inaddr_any, addr->ipaddr_ptr, addr->ipaddr_len)) { + return 1; + } +#if APR_HAVE_IPV6 + if (addr->family == AF_INET6 + && IN6_IS_ADDR_V4MAPPED((struct in6_addr *)addr->ipaddr_ptr)) { + struct in_addr *v4 = (struct in_addr *)&((apr_uint32_t *)addr->ipaddr_ptr)[3]; + + if (!memcmp(inaddr_any, v4, sizeof *v4)) { + return 1; + } + } +#endif + } + return 0; +} +#endif + /* Similar apr_sockaddr_equal, except that it compares ports too. */ static int pp_sockaddr_equal(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) { @@ -92,37 +123,19 @@ static int pp_sockaddr_equal(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) static int pp_sockaddr_compat(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) { /* test exact address equality */ -#if !(APR_VERSION_AT_LEAST(1,5,0)) - apr_sockaddr_t addr0; - static const char inaddr_any[ sizeof(struct in_addr) ] = {0}; -#endif - if (apr_sockaddr_equal(addr1, addr2) && (addr1->port == addr2->port || addr1->port == 0 || addr2->port == 0)) { return 1; } -#if APR_VERSION_AT_LEAST(1,5,0) /* test address wildcards */ if (apr_sockaddr_is_wildcard(addr1) && (addr1->port == 0 || addr1->port == addr2->port)) { -#else - addr0.ipaddr_ptr = &inaddr_any; - addr0.ipaddr_len = addr1->ipaddr_len; - if (apr_sockaddr_equal(&addr0, addr1) && - (addr1->port == 0 || addr1->port == addr2->port)) { -#endif return 1; } -#if APR_VERSION_AT_LEAST (1,5,0) if (apr_sockaddr_is_wildcard(addr2) && (addr2->port == 0 || addr2->port == addr1->port)) { -#else - addr0.ipaddr_len = addr2->ipaddr_len; - if (apr_sockaddr_equal(&addr0, addr2) && - (addr2->port == 0 || addr2->port == addr1->port)) { -#endif return 1; } @@ -320,6 +333,18 @@ static int pp_hook_pre_connection(conn_rec *c, void *csd) pp_config *conf; pp_conn_config *conn_conf; + /* Establish master config in slave connections, so that request + * processing finds it. */ + if (c->master != NULL) { + conn_conf = ap_get_module_config(c->master->conn_config, + &proxy_protocol_module); + if (conn_conf) { + ap_set_module_config(c->conn_config, &proxy_protocol_module, + conn_conf); + } + return DECLINED; + } + /* check if we're enabled for this connection */ conf = ap_get_module_config(ap_server_conf->module_config, &proxy_protocol_module); @@ -379,7 +404,7 @@ static pp_parse_status_t pp_process_v1_header(conn_rec *c, proxy_header *hdr, apr_size_t len, apr_size_t *hdr_len) { - char *end, *next, *word, *host, *valid_addr_chars, *saveptr; + char *end, *word, *host, *valid_addr_chars, *saveptr; char buf[sizeof(hdr->v1.line)]; apr_port_t port; apr_status_t ret; @@ -488,8 +513,6 @@ static pp_parse_status_t pp_process_v2_header(conn_rec *c, proxy_header *hdr) { apr_status_t ret; - struct in_addr *in_addr; - struct in6_addr *in6_addr; switch (hdr->v2.ver_cmd & 0xF) { case 0x01: /* PROXY command */ @@ -527,18 +550,17 @@ static pp_parse_status_t pp_process_v2_header(conn_rec *c, break; default: - /* unsupported protocol, keep local connection address */ - return HDR_DONE; + /* unsupported protocol */ + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(10183) + "RemoteIPProxyProtocol: unsupported protocol %.2hx", + (unsigned short)hdr->v2.fam); + return HDR_ERROR; } break; /* we got a sockaddr now */ - case 0x00: /* LOCAL command */ - /* keep local connection address for LOCAL */ - return HDR_DONE; - default: /* not a supported command */ - ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, c, + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, "ProxyProtocol: unsupported command %.2hx", hdr->v2.ver_cmd); return HDR_ERROR; @@ -623,12 +645,25 @@ static apr_status_t pp_input_filter(ap_filter_t *f, /* try to read a header's worth of data */ while (!ctx->done) { if (APR_BRIGADE_EMPTY(ctx->bb)) { - ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, - ctx->need - ctx->rcvd); + apr_off_t got, want = ctx->need - ctx->rcvd; + ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, want); if (ret != APR_SUCCESS) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10184) + "failed reading input"); return ret; } + + ret = apr_brigade_length(ctx->bb, 1, &got); + if (ret || got > want) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10185) + "RemoteIPProxyProtocol header too long, " + "got %" APR_OFF_T_FMT " expected %" APR_OFF_T_FMT, + got, want); + f->c->aborted = 1; + return APR_ECONNABORTED; + } } + if (APR_BRIGADE_EMPTY(ctx->bb)) { return APR_EOF; } @@ -672,13 +707,20 @@ static apr_status_t pp_input_filter(ap_filter_t *f, ctx->rcvd, &ctx->need); } else if (ctx->version == 2) { + proxy_header *hdr = (proxy_header *) ctx->header; + if (ctx->rcvd >= MIN_V2_HDR_LEN) { - ctx->need = MIN_V2_HDR_LEN + - ntohs(((proxy_header *) ctx->header)->v2.len); + ctx->need = MIN_V2_HDR_LEN + ntohs(hdr->v2.len); + if (ctx->need > sizeof(proxy_v2)) { + ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(10186) + "RemoteIPProxyProtocol protocol header length too long"); + f->c->aborted = 1; + apr_brigade_destroy(ctx->bb); + return APR_ECONNABORTED; + } } if (ctx->rcvd >= ctx->need) { - psts = pp_process_v2_header(f->c, conn_conf, - (proxy_header *) ctx->header); + psts = pp_process_v2_header(f->c, conn_conf, hdr); } } else {