Compare commits

..

6 Commits

Author SHA1 Message Date
Mario Fetka
dbb649038e Bump 2020-04-01 18:05:31 +02:00
Mario Fetka
86ee4ac9ce Bump 2020-04-01 17:36:25 +02:00
Mario Fetka
8882e698cf Bump 2020-04-01 17:29:03 +02:00
Mario Fetka
55fe1fbbdc Bump 2020-04-01 17:27:16 +02:00
Mario Fetka
24dacdf1a9 Bump 2020-04-01 17:23:34 +02:00
Mario Fetka
867fc3475c Bump 2020-02-12 11:55:27 +01:00
8 changed files with 273 additions and 76 deletions

38
.gitlab-ci.yml Normal file
View File

@ -0,0 +1,38 @@
stages:
- build
- deploy
rpmbuild:
stage: build
image: gitlab-registry.cern.ch/cloud/ciadm
except:
- tags
script:
- if [ -z "$CI_BUILD_TAG" ]; then export CI_BUILD_TAG=$CI_DEFAULT_BUILD_TAG; fi
- export parser=(${CI_BUILD_TAG//-/ })
- sed -i s/CERN_VERSION_PLACEHOLDER/${parser[0]}/g mod_proxy_protocol.spec
- sed -i s/CERN_RELEASE_PLACEHOLDER/${parser[1]}/g mod_proxy_protocol.spec
- curl https://gitlab.cern.ch/cloud-infrastructure/cloud-dev/raw/master/gitlab/rpmbuild.sh | bash
kojicheck:
stage: build
image: gitlab-registry.cern.ch/cloud/ciadm
script:
- if [ -z "$CI_BUILD_TAG" ]; then export CI_BUILD_TAG=$CI_DEFAULT_BUILD_TAG; fi
- export parser=(${CI_BUILD_TAG//-/ })
- sed -i s/CERN_VERSION_PLACEHOLDER/${parser[0]}/g mod_proxy_protocol.spec
- sed -i s/CERN_RELEASE_PLACEHOLDER/${parser[1]}/g mod_proxy_protocol.spec
- curl https://gitlab.cern.ch/cloud-infrastructure/cloud-dev/raw/master/gitlab/kojicheck.sh | bash
kojibuild:
stage: deploy
image: gitlab-registry.cern.ch/cloud/ciadm
only:
- tags
script:
- export DIST='.el7.cern'
- if [ -z "$CI_BUILD_TAG" ]; then export CI_BUILD_TAG=$CI_DEFAULT_BUILD_TAG; fi
- export parser=(${CI_BUILD_TAG//-/ })
- sed -i s/CERN_VERSION_PLACEHOLDER/${parser[0]}/g mod_proxy_protocol.spec
- sed -i s/CERN_RELEASE_PLACEHOLDER/${parser[1]}/g mod_proxy_protocol.spec
- curl https://gitlab.cern.ch/cloud-infrastructure/cloud-dev/raw/master/gitlab/kojibuild.sh | bash

6
debian/changelog vendored
View File

@ -1,3 +1,9 @@
mod-proxy-protocol (0.2-3) UNRELEASED; urgency=medium
* Add patch for CVE-2019-10097
-- Mario Fetka <mario.fetka@gmail.com> Wed, 12 Feb 2020 11:54:28 +0100
mod-proxy-protocol (0.2-1) xenial; urgency=low mod-proxy-protocol (0.2-1) xenial; urgency=low
* Merged patch to fix http/2 issues. * Merged patch to fix http/2 issues.

View File

@ -80,37 +80,6 @@ static int pp_hook_pre_config(apr_pool_t *pconf, apr_pool_t *plog,
return OK; return OK;
} }
#if !(APR_VERSION_AT_LEAST(1,5,0))
static APR_DECLARE(int) apr_sockaddr_is_wildcard(const apr_sockaddr_t *addr)
{
static const char inaddr_any[
#if APR_HAVE_IPV6
sizeof(struct in6_addr)
#else
sizeof(struct in_addr)
#endif
] = {0};
if (addr->ipaddr_ptr /* IP address initialized */
&& addr->ipaddr_len <= sizeof inaddr_any) { /* else bug elsewhere? */
if (!memcmp(inaddr_any, addr->ipaddr_ptr, addr->ipaddr_len)) {
return 1;
}
#if APR_HAVE_IPV6
if (addr->family == AF_INET6
&& IN6_IS_ADDR_V4MAPPED((struct in6_addr *)addr->ipaddr_ptr)) {
struct in_addr *v4 = (struct in_addr *)&((apr_uint32_t *)addr->ipaddr_ptr)[3];
if (!memcmp(inaddr_any, v4, sizeof *v4)) {
return 1;
}
}
#endif
}
return 0;
}
#endif
/* Similar apr_sockaddr_equal, except that it compares ports too. */ /* Similar apr_sockaddr_equal, except that it compares ports too. */
static int pp_sockaddr_equal(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) static int pp_sockaddr_equal(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2)
{ {
@ -123,19 +92,37 @@ static int pp_sockaddr_equal(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2)
static int pp_sockaddr_compat(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2) static int pp_sockaddr_compat(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2)
{ {
/* test exact address equality */ /* test exact address equality */
#if !(APR_VERSION_AT_LEAST(1,5,0))
apr_sockaddr_t addr0;
static const char inaddr_any[ sizeof(struct in_addr) ] = {0};
#endif
if (apr_sockaddr_equal(addr1, addr2) && if (apr_sockaddr_equal(addr1, addr2) &&
(addr1->port == addr2->port || addr1->port == 0 || addr2->port == 0)) { (addr1->port == addr2->port || addr1->port == 0 || addr2->port == 0)) {
return 1; return 1;
} }
#if APR_VERSION_AT_LEAST(1,5,0)
/* test address wildcards */ /* test address wildcards */
if (apr_sockaddr_is_wildcard(addr1) && if (apr_sockaddr_is_wildcard(addr1) &&
(addr1->port == 0 || addr1->port == addr2->port)) { (addr1->port == 0 || addr1->port == addr2->port)) {
#else
addr0.ipaddr_ptr = &inaddr_any;
addr0.ipaddr_len = addr1->ipaddr_len;
if (apr_sockaddr_equal(&addr0, addr1) &&
(addr1->port == 0 || addr1->port == addr2->port)) {
#endif
return 1; return 1;
} }
#if APR_VERSION_AT_LEAST (1,5,0)
if (apr_sockaddr_is_wildcard(addr2) && if (apr_sockaddr_is_wildcard(addr2) &&
(addr2->port == 0 || addr2->port == addr1->port)) { (addr2->port == 0 || addr2->port == addr1->port)) {
#else
addr0.ipaddr_len = addr2->ipaddr_len;
if (apr_sockaddr_equal(&addr0, addr2) &&
(addr2->port == 0 || addr2->port == addr1->port)) {
#endif
return 1; return 1;
} }
@ -333,18 +320,6 @@ static int pp_hook_pre_connection(conn_rec *c, void *csd)
pp_config *conf; pp_config *conf;
pp_conn_config *conn_conf; pp_conn_config *conn_conf;
/* Establish master config in slave connections, so that request
* processing finds it. */
if (c->master != NULL) {
conn_conf = ap_get_module_config(c->master->conn_config,
&proxy_protocol_module);
if (conn_conf) {
ap_set_module_config(c->conn_config, &proxy_protocol_module,
conn_conf);
}
return DECLINED;
}
/* check if we're enabled for this connection */ /* check if we're enabled for this connection */
conf = ap_get_module_config(ap_server_conf->module_config, conf = ap_get_module_config(ap_server_conf->module_config,
&proxy_protocol_module); &proxy_protocol_module);
@ -404,7 +379,7 @@ static pp_parse_status_t pp_process_v1_header(conn_rec *c,
proxy_header *hdr, apr_size_t len, proxy_header *hdr, apr_size_t len,
apr_size_t *hdr_len) apr_size_t *hdr_len)
{ {
char *end, *word, *host, *valid_addr_chars, *saveptr; char *end, *next, *word, *host, *valid_addr_chars, *saveptr;
char buf[sizeof(hdr->v1.line)]; char buf[sizeof(hdr->v1.line)];
apr_port_t port; apr_port_t port;
apr_status_t ret; apr_status_t ret;
@ -513,6 +488,8 @@ static pp_parse_status_t pp_process_v2_header(conn_rec *c,
proxy_header *hdr) proxy_header *hdr)
{ {
apr_status_t ret; apr_status_t ret;
struct in_addr *in_addr;
struct in6_addr *in6_addr;
switch (hdr->v2.ver_cmd & 0xF) { switch (hdr->v2.ver_cmd & 0xF) {
case 0x01: /* PROXY command */ case 0x01: /* PROXY command */
@ -550,17 +527,18 @@ static pp_parse_status_t pp_process_v2_header(conn_rec *c,
break; break;
default: default:
/* unsupported protocol */ /* unsupported protocol, keep local connection address */
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, APLOGNO(10183) return HDR_DONE;
"RemoteIPProxyProtocol: unsupported protocol %.2hx",
(unsigned short)hdr->v2.fam);
return HDR_ERROR;
} }
break; /* we got a sockaddr now */ break; /* we got a sockaddr now */
case 0x00: /* LOCAL command */
/* keep local connection address for LOCAL */
return HDR_DONE;
default: default:
/* not a supported command */ /* not a supported command */
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, c, ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, c,
"ProxyProtocol: unsupported command %.2hx", "ProxyProtocol: unsupported command %.2hx",
hdr->v2.ver_cmd); hdr->v2.ver_cmd);
return HDR_ERROR; return HDR_ERROR;
@ -645,25 +623,12 @@ static apr_status_t pp_input_filter(ap_filter_t *f,
/* try to read a header's worth of data */ /* try to read a header's worth of data */
while (!ctx->done) { while (!ctx->done) {
if (APR_BRIGADE_EMPTY(ctx->bb)) { if (APR_BRIGADE_EMPTY(ctx->bb)) {
apr_off_t got, want = ctx->need - ctx->rcvd; ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block,
ret = ap_get_brigade(f->next, ctx->bb, ctx->mode, block, want); ctx->need - ctx->rcvd);
if (ret != APR_SUCCESS) { if (ret != APR_SUCCESS) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10184)
"failed reading input");
return ret; return ret;
} }
ret = apr_brigade_length(ctx->bb, 1, &got);
if (ret || got > want) {
ap_log_cerror(APLOG_MARK, APLOG_ERR, ret, f->c, APLOGNO(10185)
"RemoteIPProxyProtocol header too long, "
"got %" APR_OFF_T_FMT " expected %" APR_OFF_T_FMT,
got, want);
f->c->aborted = 1;
return APR_ECONNABORTED;
} }
}
if (APR_BRIGADE_EMPTY(ctx->bb)) { if (APR_BRIGADE_EMPTY(ctx->bb)) {
return APR_EOF; return APR_EOF;
} }
@ -707,20 +672,13 @@ static apr_status_t pp_input_filter(ap_filter_t *f,
ctx->rcvd, &ctx->need); ctx->rcvd, &ctx->need);
} }
else if (ctx->version == 2) { else if (ctx->version == 2) {
proxy_header *hdr = (proxy_header *) ctx->header;
if (ctx->rcvd >= MIN_V2_HDR_LEN) { if (ctx->rcvd >= MIN_V2_HDR_LEN) {
ctx->need = MIN_V2_HDR_LEN + ntohs(hdr->v2.len); ctx->need = MIN_V2_HDR_LEN +
if (ctx->need > sizeof(proxy_v2)) { ntohs(((proxy_header *) ctx->header)->v2.len);
ap_log_cerror(APLOG_MARK, APLOG_ERR, 0, f->c, APLOGNO(10186)
"RemoteIPProxyProtocol protocol header length too long");
f->c->aborted = 1;
apr_brigade_destroy(ctx->bb);
return APR_ECONNABORTED;
}
} }
if (ctx->rcvd >= ctx->need) { if (ctx->rcvd >= ctx->need) {
psts = pp_process_v2_header(f->c, conn_conf, hdr); psts = pp_process_v2_header(f->c, conn_conf,
(proxy_header *) ctx->header);
} }
} }
else { else {

72
mod_proxy_protocol.spec Normal file
View File

@ -0,0 +1,72 @@
%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo missing-httpd-devel)}}
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
%global cern_version CERN_VERSION_PLACEHOLDER
%global cern_release CERN_RELEASE_PLACEHOLDER
Name: mod_proxy_protocol
Summary: Apache module that implements the downstream server side of HAProxy's Proxy Protocol.
Version: %{cern_version}
Release: %{cern_release}%{?dist}
License: ASL 2.0
Group: System Environment/Daemons
Source0: %{name}-%{version}.tar.gz
BuildRequires: httpd-devel
BuildRequires: gcc
BuildRequires: libtool
Requires: httpd
Requires: httpd-mmn = %{_httpd_mmn}
# Suppress auto-provides for module DSO per
# https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Summary
%{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$}
%{?filter_setup}
%description
HAProxy's Proxy Protocol is a way for upstream proxies and load balancers to
report the IP address of the original remote client to the downstream server,
without having to modify things like HTTP headers in the actual payload.
This package contains an Apache module that implements the downstream (i.e. the
receiving) server side of this protocol, thereby allowing other modules to see
and use the actual client's IP address instead of that of the upstream proxy or
load balancer.
%prep
#%setup -q -n mod_proxy_protocol-%{version}
%setup -q -n %{name}-%{version}
%build
%{_httpd_apxs} -c mod_proxy_protocol.c
%install
rm -rf $RPM_BUILD_ROOT
install -Dm 755 .libs/mod_proxy_protocol.so $RPM_BUILD_ROOT%{_httpd_moddir}/mod_proxy_protocol.so
%if "%{_httpd_modconfdir}" == "%{_httpd_confdir}"
# httpd <= 2.2.x
cat redhat/proxy_protocol.module > unified.conf
echo >> unified.conf
cat redhat/proxy_protocol.conf >> unified.conf
touch -c -r redhat/proxy_protocol.conf unified.conf
install -Dp -m 644 unified.conf $RPM_BUILD_ROOT%{_httpd_confdir}/proxy_protocol.conf
%else
# httpd >= 2.4.x
install -Dp -m 644 redhat/proxy_protocol.module $RPM_BUILD_ROOT%{_httpd_modconfdir}/10-proxy_protocol.conf
install -Dp -m 644 redhat/proxy_protocol.conf $RPM_BUILD_ROOT%{_httpd_confdir}/proxy_protocol.conf
%endif
%files
%doc README.md LICENSE
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
%config(noreplace) %{_httpd_modconfdir}/10-proxy_protocol.conf
%endif
%config(noreplace) %{_httpd_confdir}/proxy_protocol.conf
%{_httpd_moddir}/*.so
%changelog
* Fri Dec 09 2016 Jose Castro Leon <jose.castro.leon@cern.ch> 0.1-1
- First package release.

View File

@ -0,0 +1,48 @@
--- mod_proxy_protocol.c-orig 2016-05-19 12:58:26.902187400 +0000
+++ mod_proxy_protocol.c 2016-05-19 13:24:25.417638197 +0000
@@ -44,6 +44,7 @@
#include "ap_config.h"
#include "ap_listen.h"
#include "apr_strings.h"
+#include "apr_version.h"
module AP_MODULE_DECLARE_DATA proxy_protocol_module;
@@ -91,19 +92,37 @@
static int pp_sockaddr_compat(apr_sockaddr_t *addr1, apr_sockaddr_t *addr2)
{
/* test exact address equality */
+#if !(APR_VERSION_AT_LEAST(1,5,0))
+ apr_sockaddr_t addr0;
+ static const char inaddr_any[ sizeof(struct in_addr) ] = {0};
+#endif
+
if (apr_sockaddr_equal(addr1, addr2) &&
(addr1->port == addr2->port || addr1->port == 0 || addr2->port == 0)) {
return 1;
}
+#if APR_VERSION_AT_LEAST(1,5,0)
/* test address wildcards */
if (apr_sockaddr_is_wildcard(addr1) &&
(addr1->port == 0 || addr1->port == addr2->port)) {
+#else
+ addr0.ipaddr_ptr = &inaddr_any;
+ addr0.ipaddr_len = addr1->ipaddr_len;
+ if (apr_sockaddr_equal(&addr0, addr1) &&
+ (addr1->port == 0 || addr1->port == addr2->port)) {
+#endif
return 1;
}
+#if APR_VERSION_AT_LEAST (1,5,0)
if (apr_sockaddr_is_wildcard(addr2) &&
(addr2->port == 0 || addr2->port == addr1->port)) {
+#else
+ addr0.ipaddr_len = addr2->ipaddr_len;
+ if (apr_sockaddr_equal(&addr0, addr2) &&
+ (addr2->port == 0 || addr2->port == addr1->port)) {
+#endif
return 1;
}

View File

@ -0,0 +1,71 @@
%{!?_httpd_mmn: %{expand: %%global _httpd_mmn %%(cat %{_includedir}/httpd/.mmn || echo 0-0)}}
%{!?_httpd_apxs: %{expand: %%global _httpd_apxs %%{_sbindir}/apxs}}
%{!?_httpd_confdir: %{expand: %%global _httpd_confdir %%{_sysconfdir}/httpd/conf.d}}
# /etc/httpd/conf.d with httpd < 2.4 and defined as /etc/httpd/conf.modules.d with httpd >= 2.4
%{!?_httpd_modconfdir: %{expand: %%global _httpd_modconfdir %%{_sysconfdir}/httpd/conf.d}}
%{!?_httpd_moddir: %{expand: %%global _httpd_moddir %%{_libdir}/httpd/modules}}
Name: mod_proxy_protocol
Summary: Apache module that implements the downstream server side of HAProxy's Proxy Protocol.
Version: 0.1
Release: 1.20141031git62d2df6%{?dist}
License: ASL 2.0
Group: System Environment/Daemons
Source0: https://github.com/roadrunner2/mod-proxy-protocol/archive/62d2df6c94eb0a18605e47f6236c08130d7e120d.tar.gz
Source1: proxy_protocol.module
Source2: proxy_protocol.conf
Patch0: mod_proxy_protocol.c-fix-apr14-compat.patch
BuildRequires: httpd-devel
Requires: httpd
URL: https://github.com/roadrunner2/mod-proxy-protocol
# Suppress auto-provides for module DSO per
# https://fedoraproject.org/wiki/Packaging:AutoProvidesAndRequiresFiltering#Summary
%{?filter_provides_in: %filter_provides_in %{_libdir}/httpd/modules/.*\.so$}
%{?filter_setup}
%description
HAProxy's Proxy Protocol is a way for upstream proxies and load balancers to
report the IP address of the original remote client to the downstream server,
without having to modify things like HTTP headers in the actual payload.
This package contains an Apache module that implements the downstream (i.e. the
receiving) server side of this protocol, thereby allowing other modules to see
and use the actual client's IP address instead of that of the upstream proxy or
load balancer.
%prep
#%setup -q -n mod_proxy_protocol-%{version}
%setup -q -n mod-proxy-protocol-62d2df6c94eb0a18605e47f6236c08130d7e120d
%patch0 -p0 -F1
%build
%{_httpd_apxs} -c mod_proxy_protocol.c
%install
rm -rf $RPM_BUILD_ROOT
install -Dm 755 .libs/mod_proxy_protocol.so $RPM_BUILD_ROOT%{_httpd_moddir}/mod_proxy_protocol.so
%if "%{_httpd_modconfdir}" == "%{_httpd_confdir}"
# httpd <= 2.2.x
cat %{SOURCE1} > unified.conf
echo >> unified.conf
cat %{SOURCE2} >> unified.conf
touch -c -r %{SOURCE1} unified.conf
install -Dp -m 644 unified.conf $RPM_BUILD_ROOT%{_httpd_confdir}/proxy_protocol.conf
%else
# httpd >= 2.4.x
install -Dp -m 644 %{SOURCE1} $RPM_BUILD_ROOT%{_httpd_modconfdir}/10-proxy_protocol.conf
install -Dp -m 644 %{SOURCE2} $RPM_BUILD_ROOT%{_httpd_confdir}/proxy_protocol.conf
%endif
%files
%doc README.md LICENSE
%if "%{_httpd_modconfdir}" != "%{_httpd_confdir}"
%config(noreplace) %{_httpd_modconfdir}/10-proxy_protocol.conf
%endif
%config(noreplace) %{_httpd_confdir}/proxy_protocol.conf
%{_httpd_moddir}/*.so
%changelog
* Fri May 20 2016 earsdown <earsdown@github.com> 0.1-1.20141031git62d2df6
- First package release. Includes mamanguy patch to fix APR 1.4.x compatibility.

View File

@ -0,0 +1,3 @@
<IfModule mod_proxy_protocol.c>
#ProxyProtocol On
</IfModule>

View File

@ -0,0 +1 @@
LoadModule proxy_protocol_module modules/mod_proxy_protocol.so