96af6c
diff --git a/include/http_protocol.h b/include/http_protocol.h
96af6c
index e7abdd9..e1572dc 100644
96af6c
--- a/include/http_protocol.h
96af6c
+++ b/include/http_protocol.h
96af6c
@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r);
96af6c
 AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
96af6c
                                           apr_bucket_brigade *bb);
96af6c
 
96af6c
+/**
96af6c
+ * Run post_read_request hook and validate.
96af6c
+ * @param r The current request
96af6c
+ * @return OK or HTTP_...
96af6c
+ */
96af6c
+AP_DECLARE(int) ap_post_read_request(request_rec *r);
96af6c
+
96af6c
 /* Finish up stuff after a request */
96af6c
 
96af6c
 /**
96af6c
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
96af6c
index 9e7c4db..e873aab 100644
96af6c
--- a/modules/http/http_request.c
96af6c
+++ b/modules/http/http_request.c
96af6c
@@ -681,7 +681,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
96af6c
      * to do their thing on internal redirects as well.  Perhaps this is a
96af6c
      * misnamed function.
96af6c
      */
96af6c
-    if ((access_status = ap_run_post_read_request(new))) {
96af6c
+    if ((access_status = ap_post_read_request(new))) {
96af6c
         ap_die(access_status, new);
96af6c
         return NULL;
96af6c
     }
96af6c
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
96af6c
index 6a9ef55..a6df1b8 100644
96af6c
--- a/modules/proxy/mod_proxy.c
96af6c
+++ b/modules/proxy/mod_proxy.c
96af6c
@@ -584,11 +584,12 @@ static int proxy_detect(request_rec *r)
96af6c
 
96af6c
     if (conf->req && r->parsed_uri.scheme) {
96af6c
         /* but it might be something vhosted */
96af6c
-        if (!(r->parsed_uri.hostname
96af6c
-              && !strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r))
96af6c
-              && ap_matches_request_vhost(r, r->parsed_uri.hostname,
96af6c
-                                          (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
96af6c
-                                                       : ap_default_port(r))))) {
96af6c
+        if (!r->parsed_uri.hostname
96af6c
+            || ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
96af6c
+            || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
96af6c
+                                         (apr_port_t)(r->parsed_uri.port_str
96af6c
+                                                      ? r->parsed_uri.port
96af6c
+                                                      : ap_default_port(r)))) {
96af6c
             r->proxyreq = PROXYREQ_PROXY;
96af6c
             r->uri = r->unparsed_uri;
96af6c
             r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
96af6c
@@ -1750,6 +1751,7 @@ static const char *
96af6c
     struct proxy_alias *new;
96af6c
     char *f = cmd->path;
96af6c
     char *r = NULL;
96af6c
+    const char *real;
96af6c
     char *word;
96af6c
     apr_table_t *params = apr_table_make(cmd->pool, 5);
96af6c
     const apr_array_header_t *arr;
96af6c
@@ -1815,6 +1817,10 @@ static const char *
96af6c
     if (r == NULL) {
96af6c
         return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
96af6c
     }
96af6c
+    if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
96af6c
+        return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
96af6c
+    }
96af6c
+
96af6c
 
96af6c
     /* if per directory, save away the single alias */
96af6c
     if (cmd->path) {
96af6c
@@ -1831,7 +1837,7 @@ static const char *
96af6c
     }
96af6c
 
96af6c
     new->fake = apr_pstrdup(cmd->pool, f);
96af6c
-    new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
96af6c
+    new->real = apr_pstrdup(cmd->pool, real);
96af6c
     new->flags = flags;
96af6c
     if (use_regex) {
96af6c
         new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
96af6c
@@ -2316,6 +2322,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
96af6c
     proxy_worker *worker;
96af6c
     char *path = cmd->path;
96af6c
     char *name = NULL;
96af6c
+    const char *real;
96af6c
     char *word;
96af6c
     apr_table_t *params = apr_table_make(cmd->pool, 5);
96af6c
     const apr_array_header_t *arr;
96af6c
@@ -2356,6 +2363,9 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
96af6c
         return "BalancerMember must define balancer name when outside <Proxy > section";
96af6c
     if (!name)
96af6c
         return "BalancerMember must define remote proxy server";
96af6c
+    if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
96af6c
+        return "BalancerMember uses an invalid \"unix:\" URL";
96af6c
+    }
96af6c
 
96af6c
     ap_str_tolower(path);   /* lowercase scheme://hostname */
96af6c
 
96af6c
@@ -2368,7 +2378,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
96af6c
     }
96af6c
 
96af6c
     /* Try to find existing worker */
96af6c
-    worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, ap_proxy_de_socketfy(cmd->temp_pool, name));
96af6c
+    worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
96af6c
     if (!worker) {
96af6c
         ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
96af6c
                      "Defining worker '%s' for balancer '%s'",
96af6c
@@ -2457,7 +2467,13 @@ static const char *
96af6c
         }
96af6c
     }
96af6c
     else {
96af6c
-        worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, ap_proxy_de_socketfy(cmd->temp_pool, name));
96af6c
+        const char *real;
96af6c
+
96af6c
+        if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
96af6c
+            return "ProxySet uses an invalid \"unix:\" URL";
96af6c
+        }
96af6c
+
96af6c
+        worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, real);
96af6c
         if (!worker) {
96af6c
             if (in_proxy_section) {
96af6c
                 err = ap_proxy_define_worker(cmd->pool, &worker, NULL,
96af6c
@@ -2599,8 +2615,14 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg)
96af6c
             }
96af6c
         }
96af6c
         else {
96af6c
+            const char *real;
96af6c
+
96af6c
+            if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
96af6c
+                return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
96af6c
+            }
96af6c
+
96af6c
             worker = ap_proxy_get_worker(cmd->temp_pool, NULL, sconf,
96af6c
-                                         ap_proxy_de_socketfy(cmd->temp_pool, (char*)conf->p));
96af6c
+                                         real);
96af6c
             if (!worker) {
96af6c
                 err = ap_proxy_define_worker(cmd->pool, &worker, NULL,
96af6c
                                           sconf, conf->p, 0);
96af6c
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
96af6c
index fbbd508..dca6f69 100644
96af6c
--- a/modules/proxy/mod_proxy.h
96af6c
+++ b/modules/proxy/mod_proxy.h
96af6c
@@ -713,6 +713,8 @@ typedef __declspec(dllimport) const char *
96af6c
                proxy_dir_conf *, const char *);
96af6c
 #endif
96af6c
 
96af6c
+#define AP_PROXY_WORKER_NO_UDS      (1u << 3)
96af6c
+
96af6c
 
96af6c
 /* Connection pool API */
96af6c
 /**
96af6c
@@ -725,6 +727,24 @@ typedef __declspec(dllimport) const char *
96af6c
 PROXY_DECLARE(char *) ap_proxy_worker_name(apr_pool_t *p,
96af6c
                                            proxy_worker *worker);
96af6c
 
96af6c
+
96af6c
+/**
96af6c
+ * Get the worker from proxy configuration, looking for either PREFIXED or
96af6c
+ * MATCHED or both types of workers according to given mask
96af6c
+ * @param p        memory pool used for finding worker
96af6c
+ * @param balancer the balancer that the worker belongs to
96af6c
+ * @param conf     current proxy server configuration
96af6c
+ * @param url      url to find the worker from
96af6c
+ * @param mask     bitmask of AP_PROXY_WORKER_IS_*
96af6c
+ * @return         proxy_worker or NULL if not found
96af6c
+ */
96af6c
+PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
96af6c
+                                                     proxy_balancer *balancer,
96af6c
+                                                     proxy_server_conf *conf,
96af6c
+                                                     const char *url,
96af6c
+                                                     unsigned int mask);
96af6c
+
96af6c
+
96af6c
 /**
96af6c
  * Get the worker from proxy configuration
96af6c
  * @param p        memory pool used for finding worker
96af6c
@@ -737,6 +757,8 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
96af6c
                                                   proxy_balancer *balancer,
96af6c
                                                   proxy_server_conf *conf,
96af6c
                                                   const char *url);
96af6c
+
96af6c
+
96af6c
 /**
96af6c
  * Define and Allocate space for the worker to proxy configuration
96af6c
  * @param p         memory pool to allocate worker from
96af6c
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
96af6c
index 032e0c4..3d5b220 100644
96af6c
--- a/modules/proxy/proxy_util.c
96af6c
+++ b/modules/proxy/proxy_util.c
96af6c
@@ -1643,10 +1643,11 @@ PROXY_DECLARE(char *) ap_proxy_worker_name(apr_pool_t *p,
96af6c
     return apr_pstrcat(p, "unix:", worker->s->uds_path, "|", worker->s->name, NULL);
96af6c
 }
96af6c
 
96af6c
-PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
96af6c
-                                                  proxy_balancer *balancer,
96af6c
-                                                  proxy_server_conf *conf,
96af6c
-                                                  const char *url)
96af6c
+PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
96af6c
+                                                     proxy_balancer *balancer,
96af6c
+                                                     proxy_server_conf *conf,
96af6c
+                                                     const char *url,
96af6c
+                                                     unsigned int mask)
96af6c
 {
96af6c
     proxy_worker *worker;
96af6c
     proxy_worker *max_worker = NULL;
96af6c
@@ -1662,7 +1663,12 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
96af6c
         return NULL;
96af6c
     }
96af6c
 
96af6c
-    url = ap_proxy_de_socketfy(p, url);
96af6c
+    if (!(mask & AP_PROXY_WORKER_NO_UDS)) {
96af6c
+        url = ap_proxy_de_socketfy(p, url);
96af6c
+        if (!url) {
96af6c
+            return NULL;
96af6c
+        }
96af6c
+    }
96af6c
 
96af6c
     c = ap_strchr_c(url, ':');
96af6c
     if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
96af6c
@@ -1727,6 +1733,14 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
96af6c
     return max_worker;
96af6c
 }
96af6c
 
96af6c
+PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
96af6c
+                                                  proxy_balancer *balancer,
96af6c
+                                                  proxy_server_conf *conf,
96af6c
+                                                  const char *url)
96af6c
+{
96af6c
+    return ap_proxy_get_worker_ex(p, balancer, conf, url, 0);
96af6c
+}
96af6c
+
96af6c
 /*
96af6c
  * To create a worker from scratch first we define the
96af6c
  * specifics of the worker; this is all local data.
96af6c
@@ -2134,22 +2148,22 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
96af6c
 
96af6c
     access_status = proxy_run_pre_request(worker, balancer, r, conf, url);
96af6c
     if (access_status == DECLINED && *balancer == NULL) {
96af6c
-        *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url);
96af6c
+        const int forward = (r->proxyreq == PROXYREQ_PROXY);
96af6c
+        *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url,
96af6c
+                                         forward ? AP_PROXY_WORKER_NO_UDS : 0);
96af6c
         if (*worker) {
96af6c
             ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
96af6c
                           "%s: found worker %s for %s",
96af6c
                           (*worker)->s->scheme, (*worker)->s->name, *url);
96af6c
-            *balancer = NULL;
96af6c
-            if (!fix_uds_filename(r, url)) {
96af6c
+            if (!forward && !fix_uds_filename(r, url)) {
96af6c
                      return HTTP_INTERNAL_SERVER_ERROR;
96af6c
             }
96af6c
             access_status = OK;
96af6c
         }
96af6c
-        else if (r->proxyreq == PROXYREQ_PROXY) {
96af6c
+        else if (forward) {
96af6c
             if (conf->forward) {
96af6c
                 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
96af6c
                               "*: found forward proxy worker for %s", *url);
96af6c
-                *balancer = NULL;
96af6c
                 *worker = conf->forward;
96af6c
                 access_status = OK;
96af6c
                 /*
96af6c
@@ -2163,8 +2177,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
96af6c
         else if (r->proxyreq == PROXYREQ_REVERSE) {
96af6c
             if (conf->reverse) {
96af6c
                 ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
96af6c
-                              "*: using default reverse proxy worker for %s (no keepalive)", *url);
96af6c
-                *balancer = NULL;
96af6c
+                              "*: using default reverse proxy worker for %s "
96af6c
+                              "(no keepalive)", *url);
96af6c
                 *worker = conf->reverse;
96af6c
                 access_status = OK;
96af6c
                 /*
96af6c
diff --git a/server/protocol.c b/server/protocol.c
96af6c
index 430d91e..a2aa081 100644
96af6c
--- a/server/protocol.c
96af6c
+++ b/server/protocol.c
96af6c
@@ -1525,7 +1525,7 @@ request_rec *ap_read_request(conn_rec *conn)
96af6c
     /* we may have switched to another server */
96af6c
     apply_server_config(r);
96af6c
 
96af6c
-    if ((access_status = ap_run_post_read_request(r))) {
96af6c
+    if ((access_status = ap_post_read_request(r))) {
96af6c
         goto die;
96af6c
     }
96af6c
 
96af6c
@@ -1582,6 +1582,27 @@ ignore:
96af6c
     return NULL;
96af6c
 }
96af6c
 
96af6c
+AP_DECLARE(int) ap_post_read_request(request_rec *r)
96af6c
+{
96af6c
+    int status;
96af6c
+
96af6c
+    if ((status = ap_run_post_read_request(r))) {
96af6c
+        return status;
96af6c
+    }
96af6c
+
96af6c
+    /* Enforce http(s) only scheme for non-forward-proxy requests */
96af6c
+    if (!r->proxyreq
96af6c
+            && r->parsed_uri.scheme
96af6c
+            && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
96af6c
+                || (r->parsed_uri.scheme[4] != '\0'
96af6c
+                    && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
96af6c
+                        || r->parsed_uri.scheme[5] != '\0')))) {
96af6c
+        return HTTP_BAD_REQUEST;
96af6c
+    }
96af6c
+
96af6c
+    return OK;
96af6c
+}
96af6c
+
96af6c
 /* if a request with a body creates a subrequest, remove original request's
96af6c
  * input headers which pertain to the body which has already been read.
96af6c
  * out-of-line helper function for ap_set_sub_req_protocol.