|
 |
879b17 |
diff --git a/include/http_protocol.h b/include/http_protocol.h
|
|
|
879b17 |
index 448ca53..8ed77ac 100644
|
|
|
879b17 |
--- a/include/http_protocol.h
|
|
|
879b17 |
+++ b/include/http_protocol.h
|
|
|
879b17 |
@@ -96,6 +96,13 @@ AP_DECLARE(void) ap_get_mime_headers(request_rec *r);
|
|
|
879b17 |
AP_DECLARE(void) ap_get_mime_headers_core(request_rec *r,
|
|
|
879b17 |
apr_bucket_brigade *bb);
|
|
|
879b17 |
|
|
|
879b17 |
+/**
|
|
|
879b17 |
+ * Run post_read_request hook and validate.
|
|
|
879b17 |
+ * @param r The current request
|
|
|
879b17 |
+ * @return OK or HTTP_...
|
|
|
879b17 |
+ */
|
|
|
879b17 |
+AP_DECLARE(int) ap_post_read_request(request_rec *r);
|
|
|
879b17 |
+
|
|
|
879b17 |
/* Finish up stuff after a request */
|
|
|
879b17 |
|
|
|
879b17 |
/**
|
|
|
879b17 |
diff --git a/modules/http/http_request.c b/modules/http/http_request.c
|
|
|
879b17 |
index 9e7c4db..e873aab 100644
|
|
|
879b17 |
--- a/modules/http/http_request.c
|
|
|
879b17 |
+++ b/modules/http/http_request.c
|
|
|
879b17 |
@@ -681,7 +681,7 @@ static request_rec *internal_internal_redirect(const char *new_uri,
|
|
|
879b17 |
* to do their thing on internal redirects as well. Perhaps this is a
|
|
|
879b17 |
* misnamed function.
|
|
|
879b17 |
*/
|
|
|
879b17 |
- if ((access_status = ap_run_post_read_request(new))) {
|
|
|
879b17 |
+ if ((access_status = ap_post_read_request(new))) {
|
|
|
879b17 |
ap_die(access_status, new);
|
|
|
879b17 |
return NULL;
|
|
|
879b17 |
}
|
|
|
879b17 |
diff --git a/modules/http2/h2_request.c b/modules/http2/h2_request.c
|
|
|
879b17 |
index 8899c4f..03141d6 100644
|
|
|
879b17 |
--- a/modules/http2/h2_request.c
|
|
|
879b17 |
+++ b/modules/http2/h2_request.c
|
|
|
879b17 |
@@ -313,7 +313,7 @@ request_rec *h2_request_create_rec(const h2_request *req, conn_rec *c)
|
|
|
879b17 |
NULL, r, r->connection);
|
|
|
879b17 |
|
|
|
879b17 |
if (access_status != HTTP_OK
|
|
|
879b17 |
- || (access_status = ap_run_post_read_request(r))) {
|
|
|
879b17 |
+ || (access_status = ap_post_read_request(r))) {
|
|
|
879b17 |
/* Request check post hooks failed. An example of this would be a
|
|
|
879b17 |
* request for a vhost where h2 is disabled --> 421.
|
|
|
879b17 |
*/
|
|
|
879b17 |
diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c
|
|
|
879b17 |
index 9685e72..8bffc37 100644
|
|
|
879b17 |
--- a/modules/proxy/mod_proxy.c
|
|
|
879b17 |
+++ b/modules/proxy/mod_proxy.c
|
|
|
879b17 |
@@ -584,11 +584,12 @@ static int proxy_detect(request_rec *r)
|
|
|
879b17 |
|
|
|
879b17 |
if (conf->req && r->parsed_uri.scheme) {
|
|
|
879b17 |
/* but it might be something vhosted */
|
|
|
879b17 |
- if (!(r->parsed_uri.hostname
|
|
|
879b17 |
- && !strcasecmp(r->parsed_uri.scheme, ap_http_scheme(r))
|
|
|
879b17 |
- && ap_matches_request_vhost(r, r->parsed_uri.hostname,
|
|
|
879b17 |
- (apr_port_t)(r->parsed_uri.port_str ? r->parsed_uri.port
|
|
|
879b17 |
- : ap_default_port(r))))) {
|
|
|
879b17 |
+ if (!r->parsed_uri.hostname
|
|
|
879b17 |
+ || ap_cstr_casecmp(r->parsed_uri.scheme, ap_http_scheme(r)) != 0
|
|
|
879b17 |
+ || !ap_matches_request_vhost(r, r->parsed_uri.hostname,
|
|
|
879b17 |
+ (apr_port_t)(r->parsed_uri.port_str
|
|
|
879b17 |
+ ? r->parsed_uri.port
|
|
|
879b17 |
+ : ap_default_port(r)))) {
|
|
|
879b17 |
r->proxyreq = PROXYREQ_PROXY;
|
|
|
879b17 |
r->uri = r->unparsed_uri;
|
|
|
879b17 |
r->filename = apr_pstrcat(r->pool, "proxy:", r->uri, NULL);
|
|
|
879b17 |
@@ -1743,6 +1744,7 @@ static const char *
|
|
|
879b17 |
struct proxy_alias *new;
|
|
|
879b17 |
char *f = cmd->path;
|
|
|
879b17 |
char *r = NULL;
|
|
|
879b17 |
+ const char *real;
|
|
|
879b17 |
char *word;
|
|
|
879b17 |
apr_table_t *params = apr_table_make(cmd->pool, 5);
|
|
|
879b17 |
const apr_array_header_t *arr;
|
|
|
879b17 |
@@ -1808,6 +1810,10 @@ static const char *
|
|
|
879b17 |
if (r == NULL) {
|
|
|
879b17 |
return "ProxyPass|ProxyPassMatch needs a path when not defined in a location";
|
|
|
879b17 |
}
|
|
|
879b17 |
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, r))) {
|
|
|
879b17 |
+ return "ProxyPass|ProxyPassMatch uses an invalid \"unix:\" URL";
|
|
|
879b17 |
+ }
|
|
|
879b17 |
+
|
|
|
879b17 |
|
|
|
879b17 |
/* if per directory, save away the single alias */
|
|
|
879b17 |
if (cmd->path) {
|
|
|
879b17 |
@@ -1824,7 +1830,7 @@ static const char *
|
|
|
879b17 |
}
|
|
|
879b17 |
|
|
|
879b17 |
new->fake = apr_pstrdup(cmd->pool, f);
|
|
|
879b17 |
- new->real = apr_pstrdup(cmd->pool, ap_proxy_de_socketfy(cmd->pool, r));
|
|
|
879b17 |
+ new->real = apr_pstrdup(cmd->pool, real);
|
|
|
879b17 |
new->flags = flags;
|
|
|
879b17 |
if (use_regex) {
|
|
|
879b17 |
new->regex = ap_pregcomp(cmd->pool, f, AP_REG_EXTENDED);
|
|
|
879b17 |
@@ -2301,6 +2307,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
|
|
|
879b17 |
proxy_worker *worker;
|
|
|
879b17 |
char *path = cmd->path;
|
|
|
879b17 |
char *name = NULL;
|
|
|
879b17 |
+ const char *real;
|
|
|
879b17 |
char *word;
|
|
|
879b17 |
apr_table_t *params = apr_table_make(cmd->pool, 5);
|
|
|
879b17 |
const apr_array_header_t *arr;
|
|
|
879b17 |
@@ -2341,6 +2348,9 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
|
|
|
879b17 |
return "BalancerMember must define balancer name when outside <Proxy > section";
|
|
|
879b17 |
if (!name)
|
|
|
879b17 |
return "BalancerMember must define remote proxy server";
|
|
|
879b17 |
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
|
|
|
879b17 |
+ return "BalancerMember uses an invalid \"unix:\" URL";
|
|
|
879b17 |
+ }
|
|
|
879b17 |
|
|
|
879b17 |
ap_str_tolower(path); /* lowercase scheme://hostname */
|
|
|
879b17 |
|
|
|
879b17 |
@@ -2353,7 +2363,7 @@ static const char *add_member(cmd_parms *cmd, void *dummy, const char *arg)
|
|
|
879b17 |
}
|
|
|
879b17 |
|
|
|
879b17 |
/* Try to find existing worker */
|
|
|
879b17 |
- worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, ap_proxy_de_socketfy(cmd->temp_pool, name));
|
|
|
879b17 |
+ worker = ap_proxy_get_worker(cmd->temp_pool, balancer, conf, real);
|
|
|
879b17 |
if (!worker) {
|
|
|
879b17 |
ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, cmd->server, APLOGNO(01147)
|
|
|
879b17 |
"Defining worker '%s' for balancer '%s'",
|
|
|
879b17 |
@@ -2442,7 +2452,13 @@ static const char *
|
|
|
879b17 |
}
|
|
|
879b17 |
}
|
|
|
879b17 |
else {
|
|
|
879b17 |
- worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, ap_proxy_de_socketfy(cmd->temp_pool, name));
|
|
|
879b17 |
+ const char *real;
|
|
|
879b17 |
+
|
|
|
879b17 |
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, name))) {
|
|
|
879b17 |
+ return "ProxySet uses an invalid \"unix:\" URL";
|
|
|
879b17 |
+ }
|
|
|
879b17 |
+
|
|
|
879b17 |
+ worker = ap_proxy_get_worker(cmd->temp_pool, NULL, conf, real);
|
|
|
879b17 |
if (!worker) {
|
|
|
879b17 |
if (in_proxy_section) {
|
|
|
879b17 |
err = ap_proxy_define_worker(cmd->pool, &worker, NULL,
|
|
|
879b17 |
@@ -2584,8 +2600,14 @@ static const char *proxysection(cmd_parms *cmd, void *mconfig, const char *arg)
|
|
|
879b17 |
}
|
|
|
879b17 |
}
|
|
|
879b17 |
else {
|
|
|
879b17 |
+ const char *real;
|
|
|
879b17 |
+
|
|
|
879b17 |
+ if (!(real = ap_proxy_de_socketfy(cmd->temp_pool, conf->p))) {
|
|
|
879b17 |
+ return "<Proxy/ProxyMatch > uses an invalid \"unix:\" URL";
|
|
|
879b17 |
+ }
|
|
|
879b17 |
+
|
|
|
879b17 |
worker = ap_proxy_get_worker(cmd->temp_pool, NULL, sconf,
|
|
|
879b17 |
- ap_proxy_de_socketfy(cmd->temp_pool, (char*)conf->p));
|
|
|
879b17 |
+ real);
|
|
|
879b17 |
if (!worker) {
|
|
|
879b17 |
err = ap_proxy_define_worker(cmd->pool, &worker, NULL,
|
|
|
879b17 |
sconf, conf->p, 0);
|
|
|
879b17 |
diff --git a/modules/proxy/mod_proxy.h b/modules/proxy/mod_proxy.h
|
|
|
879b17 |
index 7141473..7164bfe 100644
|
|
|
879b17 |
--- a/modules/proxy/mod_proxy.h
|
|
|
879b17 |
+++ b/modules/proxy/mod_proxy.h
|
|
|
879b17 |
@@ -698,6 +698,8 @@ typedef __declspec(dllimport) const char *
|
|
|
879b17 |
proxy_dir_conf *, const char *);
|
|
|
879b17 |
#endif
|
|
|
879b17 |
|
|
|
879b17 |
+#define AP_PROXY_WORKER_NO_UDS (1u << 3)
|
|
|
879b17 |
+
|
|
|
879b17 |
|
|
|
879b17 |
/* Connection pool API */
|
|
|
879b17 |
/**
|
|
|
879b17 |
@@ -710,6 +712,24 @@ typedef __declspec(dllimport) const char *
|
|
|
879b17 |
PROXY_DECLARE(char *) ap_proxy_worker_name(apr_pool_t *p,
|
|
|
879b17 |
proxy_worker *worker);
|
|
|
879b17 |
|
|
|
879b17 |
+
|
|
|
879b17 |
+/**
|
|
|
879b17 |
+ * Get the worker from proxy configuration, looking for either PREFIXED or
|
|
|
879b17 |
+ * MATCHED or both types of workers according to given mask
|
|
|
879b17 |
+ * @param p memory pool used for finding worker
|
|
|
879b17 |
+ * @param balancer the balancer that the worker belongs to
|
|
|
879b17 |
+ * @param conf current proxy server configuration
|
|
|
879b17 |
+ * @param url url to find the worker from
|
|
|
879b17 |
+ * @param mask bitmask of AP_PROXY_WORKER_IS_*
|
|
|
879b17 |
+ * @return proxy_worker or NULL if not found
|
|
|
879b17 |
+ */
|
|
|
879b17 |
+PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
|
|
|
879b17 |
+ proxy_balancer *balancer,
|
|
|
879b17 |
+ proxy_server_conf *conf,
|
|
|
879b17 |
+ const char *url,
|
|
|
879b17 |
+ unsigned int mask);
|
|
|
879b17 |
+
|
|
|
879b17 |
+
|
|
|
879b17 |
/**
|
|
|
879b17 |
* Get the worker from proxy configuration
|
|
|
879b17 |
* @param p memory pool used for finding worker
|
|
|
879b17 |
@@ -722,6 +742,8 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
|
|
|
879b17 |
proxy_balancer *balancer,
|
|
|
879b17 |
proxy_server_conf *conf,
|
|
|
879b17 |
const char *url);
|
|
|
879b17 |
+
|
|
|
879b17 |
+
|
|
|
879b17 |
/**
|
|
|
879b17 |
* Define and Allocate space for the worker to proxy configuration
|
|
|
879b17 |
* @param p memory pool to allocate worker from
|
|
|
879b17 |
diff --git a/modules/proxy/proxy_util.c b/modules/proxy/proxy_util.c
|
|
|
879b17 |
index fdb3a6d..a0556dd 100644
|
|
|
879b17 |
--- a/modules/proxy/proxy_util.c
|
|
|
879b17 |
+++ b/modules/proxy/proxy_util.c
|
|
|
879b17 |
@@ -1626,10 +1626,11 @@ PROXY_DECLARE(char *) ap_proxy_worker_name(apr_pool_t *p,
|
|
|
879b17 |
return apr_pstrcat(p, "unix:", worker->s->uds_path, "|", worker->s->name, NULL);
|
|
|
879b17 |
}
|
|
|
879b17 |
|
|
|
879b17 |
-PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
|
|
|
879b17 |
- proxy_balancer *balancer,
|
|
|
879b17 |
- proxy_server_conf *conf,
|
|
|
879b17 |
- const char *url)
|
|
|
879b17 |
+PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker_ex(apr_pool_t *p,
|
|
|
879b17 |
+ proxy_balancer *balancer,
|
|
|
879b17 |
+ proxy_server_conf *conf,
|
|
|
879b17 |
+ const char *url,
|
|
|
879b17 |
+ unsigned int mask)
|
|
|
879b17 |
{
|
|
|
879b17 |
proxy_worker *worker;
|
|
|
879b17 |
proxy_worker *max_worker = NULL;
|
|
|
879b17 |
@@ -1645,7 +1646,12 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
|
|
|
879b17 |
return NULL;
|
|
|
879b17 |
}
|
|
|
879b17 |
|
|
|
879b17 |
- url = ap_proxy_de_socketfy(p, url);
|
|
|
879b17 |
+ if (!(mask & AP_PROXY_WORKER_NO_UDS)) {
|
|
|
879b17 |
+ url = ap_proxy_de_socketfy(p, url);
|
|
|
879b17 |
+ if (!url) {
|
|
|
879b17 |
+ return NULL;
|
|
|
879b17 |
+ }
|
|
|
879b17 |
+ }
|
|
|
879b17 |
|
|
|
879b17 |
c = ap_strchr_c(url, ':');
|
|
|
879b17 |
if (c == NULL || c[1] != '/' || c[2] != '/' || c[3] == '\0') {
|
|
|
879b17 |
@@ -1710,6 +1716,14 @@ PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
|
|
|
879b17 |
return max_worker;
|
|
|
879b17 |
}
|
|
|
879b17 |
|
|
|
879b17 |
+PROXY_DECLARE(proxy_worker *) ap_proxy_get_worker(apr_pool_t *p,
|
|
|
879b17 |
+ proxy_balancer *balancer,
|
|
|
879b17 |
+ proxy_server_conf *conf,
|
|
|
879b17 |
+ const char *url)
|
|
|
879b17 |
+{
|
|
|
879b17 |
+ return ap_proxy_get_worker_ex(p, balancer, conf, url, 0);
|
|
|
879b17 |
+}
|
|
|
879b17 |
+
|
|
|
879b17 |
/*
|
|
|
879b17 |
* To create a worker from scratch first we define the
|
|
|
879b17 |
* specifics of the worker; this is all local data.
|
|
|
879b17 |
@@ -2110,22 +2124,24 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
|
|
|
879b17 |
|
|
|
879b17 |
access_status = proxy_run_pre_request(worker, balancer, r, conf, url);
|
|
|
879b17 |
if (access_status == DECLINED && *balancer == NULL) {
|
|
|
879b17 |
- *worker = ap_proxy_get_worker(r->pool, NULL, conf, *url);
|
|
|
879b17 |
+ const int forward = (r->proxyreq == PROXYREQ_PROXY);
|
|
|
879b17 |
+ *worker = ap_proxy_get_worker_ex(r->pool, NULL, conf, *url,
|
|
|
879b17 |
+ forward ? AP_PROXY_WORKER_NO_UDS : 0);
|
|
|
879b17 |
if (*worker) {
|
|
|
879b17 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
|
|
879b17 |
"%s: found worker %s for %s",
|
|
|
879b17 |
(*worker)->s->scheme, (*worker)->s->name, *url);
|
|
|
879b17 |
- *balancer = NULL;
|
|
|
879b17 |
- if (!fix_uds_filename(r, url)) {
|
|
|
879b17 |
+
|
|
|
879b17 |
+ if (!forward && !fix_uds_filename(r, url)) {
|
|
|
879b17 |
return HTTP_INTERNAL_SERVER_ERROR;
|
|
|
879b17 |
}
|
|
|
879b17 |
+
|
|
|
879b17 |
access_status = OK;
|
|
|
879b17 |
}
|
|
|
879b17 |
- else if (r->proxyreq == PROXYREQ_PROXY) {
|
|
|
879b17 |
+ else if (forward) {
|
|
|
879b17 |
if (conf->forward) {
|
|
|
879b17 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
|
|
879b17 |
"*: found forward proxy worker for %s", *url);
|
|
|
879b17 |
- *balancer = NULL;
|
|
|
879b17 |
*worker = conf->forward;
|
|
|
879b17 |
access_status = OK;
|
|
|
879b17 |
/*
|
|
|
879b17 |
@@ -2139,8 +2155,8 @@ PROXY_DECLARE(int) ap_proxy_pre_request(proxy_worker **worker,
|
|
|
879b17 |
else if (r->proxyreq == PROXYREQ_REVERSE) {
|
|
|
879b17 |
if (conf->reverse) {
|
|
|
879b17 |
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
|
|
|
879b17 |
- "*: using default reverse proxy worker for %s (no keepalive)", *url);
|
|
|
879b17 |
- *balancer = NULL;
|
|
|
879b17 |
+ "*: using default reverse proxy worker for %s "
|
|
|
879b17 |
+ "(no keepalive)", *url);
|
|
|
879b17 |
*worker = conf->reverse;
|
|
|
879b17 |
access_status = OK;
|
|
|
879b17 |
/*
|
|
|
879b17 |
diff --git a/server/protocol.c b/server/protocol.c
|
|
|
879b17 |
index ab1e316..a78eff6 100644
|
|
|
879b17 |
--- a/server/protocol.c
|
|
|
879b17 |
+++ b/server/protocol.c
|
|
|
879b17 |
@@ -1525,7 +1525,7 @@ request_rec *ap_read_request(conn_rec *conn)
|
|
|
879b17 |
/* we may have switched to another server */
|
|
|
879b17 |
apply_server_config(r);
|
|
|
879b17 |
|
|
|
879b17 |
- if ((access_status = ap_run_post_read_request(r))) {
|
|
|
879b17 |
+ if ((access_status = ap_post_read_request(r))) {
|
|
|
879b17 |
goto die;
|
|
|
879b17 |
}
|
|
|
879b17 |
|
|
|
879b17 |
@@ -1582,6 +1582,27 @@ ignore:
|
|
|
879b17 |
return NULL;
|
|
|
879b17 |
}
|
|
|
879b17 |
|
|
|
879b17 |
+AP_DECLARE(int) ap_post_read_request(request_rec *r)
|
|
|
879b17 |
+{
|
|
|
879b17 |
+ int status;
|
|
|
879b17 |
+
|
|
|
879b17 |
+ if ((status = ap_run_post_read_request(r))) {
|
|
|
879b17 |
+ return status;
|
|
|
879b17 |
+ }
|
|
|
879b17 |
+
|
|
|
879b17 |
+ /* Enforce http(s) only scheme for non-forward-proxy requests */
|
|
|
879b17 |
+ if (!r->proxyreq
|
|
|
879b17 |
+ && r->parsed_uri.scheme
|
|
|
879b17 |
+ && (ap_cstr_casecmpn(r->parsed_uri.scheme, "http", 4) != 0
|
|
|
879b17 |
+ || (r->parsed_uri.scheme[4] != '\0'
|
|
|
879b17 |
+ && (apr_tolower(r->parsed_uri.scheme[4]) != 's'
|
|
|
879b17 |
+ || r->parsed_uri.scheme[5] != '\0')))) {
|
|
|
879b17 |
+ return HTTP_BAD_REQUEST;
|
|
|
879b17 |
+ }
|
|
|
879b17 |
+
|
|
|
879b17 |
+ return OK;
|
|
|
879b17 |
+}
|
|
|
879b17 |
+
|
|
|
879b17 |
/* if a request with a body creates a subrequest, remove original request's
|
|
|
879b17 |
* input headers which pertain to the body which has already been read.
|
|
|
879b17 |
* out-of-line helper function for ap_set_sub_req_protocol.
|