At 09:50 PM 1/30/99 -0000, you wrote:
>Thank you very much for your problem report.
>It has the internal identification `mod_proxy/3801'.
>The individual assigned to look at your
>report is: apache.
>
>>Category: mod_proxy
>>Responsible: apache
>>Synopsis: Using proxy tunneling fails (tested with port 443)
>>Arrival-Date: Sat Jan 30 13:50:01 PST 1999
>
>
i'm including the fix,
thank you.
[EMAIL PROTECTED]
/* ====================================================================
* Copyright (c) 1996-1999 The Apache Group. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* 4. The names "Apache Server" and "Apache Group" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* [EMAIL PROTECTED]
*
* 5. Products derived from this software may not be called "Apache"
* nor may "Apache" appear in their names without prior written
* permission of the Apache Group.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the Apache Group
* for use in the Apache HTTP server project (http://www.apache.org/)."
*
* THIS SOFTWARE IS PROVIDED BY THE APACHE GROUP ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE APACHE GROUP OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This software consists of voluntary contributions made by many
* individuals on behalf of the Apache Group and was originally based
* on public domain software written at the National Center for
* Supercomputing Applications, University of Illinois, Urbana-Champaign.
* For more information on the Apache Group and the Apache HTTP server
* project, please see <http://www.apache.org/>.
*
*/
/* CONNECT method for Apache proxy */
#include "mod_proxy.h"
#include "http_log.h"
#include "http_main.h"
#ifdef HAVE_BSTRING_H
#include <bstring.h> /* for IRIX, FD_SET calls bzero() */
#endif
DEF_Explain
/*
* This handles Netscape CONNECT method secure proxy requests.
* A connection is opened to the specified host and data is
* passed through between the WWW site and the browser.
*
* This code is based on the INTERNET-DRAFT document
* "Tunneling SSL Through a WWW Proxy" currently at
* http://www.mcom.com/newsref/std/tunneling_ssl.html.
*
* If proxyhost and proxyport are set, we send a CONNECT to
* the specified proxy..
*
* FIXME: this is bad, because it does its own socket I/O
* instead of using the I/O in buff.c. However,
* the I/O in buff.c blocks on reads, and because
* this function doesn't know how much data will
* be sent either way (or when) it can't use blocking
* I/O. This may be very implementation-specific
* (to Linux). Any suggestions?
* FIXME: this doesn't log the number of bytes sent, but
* that may be okay, since the data is supposed to
* be transparent. In fact, this doesn't log at all
* yet. 8^)
* FIXME: doesn't check any headers initally sent from the
* client.
* FIXME: should allow authentication, but hopefully the
* generic proxy authentication is good enough.
* FIXME: no check for r->assbackwards, whatever that is.
*/
static int
allowed_port(proxy_server_conf *conf, int port)
{
int i;
int *list = (int *) conf->allowed_connect_ports->elts;
for(i = 0; i < conf->allowed_connect_ports->nelts; i++) {
if(port == list[i])
return 1;
}
return 0;
}
int ap_proxy_connect_handler(request_rec *r, cache_req *c, char *url,
const char *proxyhost, int proxyport)
{
struct sockaddr_in server;
struct in_addr destaddr;
struct hostent server_hp;
const char *host, *err;
char *p;
int port, sock;
char buffer[HUGE_STRING_LEN];
int nbytes, i, j;
fd_set fds;
void *sconf = r->server->module_config;
proxy_server_conf *conf =
(proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
struct noproxy_entry *npent = (struct noproxy_entry *)
conf->noproxies->elts;
memset(&server, '\0', sizeof(server));
server.sin_family = AF_INET;
/* Break the URL into host:port pairs */
host = url;
p = strchr(url, ':');
if (p == NULL)
port = DEFAULT_HTTPS_PORT;
else {
port = atoi(p + 1);
*p = '\0';
}
/* check if ProxyBlock directive on this host */
destaddr.s_addr = ap_inet_addr(host);
for (i = 0; i < conf->noproxies->nelts; i++) {
if ((npent[i].name != NULL && strstr(host, npent[i].name) != NULL)
|| destaddr.s_addr == npent[i].addr.s_addr || npent[i].name[0] ==
'*')
return ap_proxyerror(r, "Connect to remote machine blocked");
}
/* Check if it is an allowed port */
if (conf->allowed_connect_ports->nelts == 0) {
/* Default setting if not overridden by AllowCONNECT */
switch (port) {
case DEFAULT_HTTPS_PORT:
case DEFAULT_SNEWS_PORT:
break;
default:
return HTTP_FORBIDDEN;
}
} else if(!allowed_port(conf, port))
return HTTP_FORBIDDEN;
if (proxyhost) {
Explain2("CONNECT to remote proxy %s on port %d", proxyhost, proxyport);
}
else {
Explain2("CONNECT to %s on port %d", host, port);
}
server.sin_port = (proxyport ? htons(proxyport) : htons(port));
err = ap_proxy_host2addr(proxyhost ? proxyhost : host, &server_hp);
if (err != NULL)
return ap_proxyerror(r, err); /* give up */
sock = ap_psocket(r->pool, PF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock == -1) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, r,
"proxy: error creating socket");
return HTTP_INTERNAL_SERVER_ERROR;
}
#ifndef WIN32
if (sock >= FD_SETSIZE) {
ap_log_error(APLOG_MARK, APLOG_NOERRNO|APLOG_WARNING, NULL,
"proxy_connect_handler: filedescriptor (%u) "
"larger than FD_SETSIZE (%u) "
"found, you probably need to rebuild Apache with a "
"larger FD_SETSIZE", sock, FD_SETSIZE);
ap_pclosesocket(r->pool, sock);
return HTTP_INTERNAL_SERVER_ERROR;
}
#endif
j = 0;
while (server_hp.h_addr_list[j] != NULL) {
memcpy(&server.sin_addr, server_hp.h_addr_list[j],
sizeof(struct in_addr));
i = ap_proxy_doconnect(sock, &server, r);
if (i == 0)
break;
j++;
}
if (i == -1) {
ap_pclosesocket(r->pool, sock);
return ap_proxyerror(r, ap_pstrcat(r->pool,
"Could not connect to remote
machine:<br>",
strerror(errno), NULL));
}
/* If we are connecting through a remote proxy, we need to pass
* the CONNECT request on to it.
*/
if (proxyport) {
/* FIXME: We should not be calling write() directly, but we currently
* have no alternative. Error checking ignored. Also, we force
* a HTTP/1.0 request to keep things simple.
*/
Explain0("Sending the CONNECT request to the remote proxy");
ap_snprintf(buffer, sizeof(buffer), "CONNECT %s HTTP/1.0" CRLF,
r->uri);
#if defined(WIN32)
send(sock, buffer, strlen(buffer), 0 );
#else
write(sock, buffer, strlen(buffer));
#endif
ap_snprintf(buffer, sizeof(buffer),
"Proxy-agent: %s" CRLF CRLF, ap_get_server_version());
#if defined(WIN32)
send(sock, buffer, strlen(buffer), 0);
#else
write(sock, buffer, strlen(buffer));
#endif
}
else {
Explain0("Returning 200 OK Status");
#if defined(WIN32)
sprintf( buffer, "%s\x0d\x0a%s %s\x0d\x0a\x0d\x0a",
"HTTP/1.0 200 Connection established",
"Proxy-agent:",
ap_get_server_version() );
send(r->connection->client->fd, buffer, strlen(buffer), 0);
#else
ap_rvputs(r, "HTTP/1.0 200 Connection established" CRLF, NULL);
ap_rvputs(r, "Proxy-agent: ", ap_get_server_version(), CRLF CRLF, NULL);
ap_bflush(r->connection->client);
#endif
}
while (1) { /* Infinite loop until error (one side closes
the connection) */
FD_ZERO(&fds);
FD_SET(sock, &fds);
FD_SET(r->connection->client->fd, &fds);
Explain0("Going to sleep (select)");
i = ap_select((r->connection->client->fd > sock ?
r->connection->client->fd + 1 :
sock + 1), &fds, NULL, NULL, NULL);
Explain1("Woke from select(), i=%d", i);
if (i) {
if (FD_ISSET(sock, &fds)) {
Explain0("sock was set");
#if defined(WIN32)
if ((nbytes = recv(sock, buffer, HUGE_STRING_LEN, 0)) != 0) {
#else
if ((nbytes = read(sock, buffer, HUGE_STRING_LEN)) != 0) {
#endif
if (nbytes == -1)
break;
#if defined(WIN32)
if (send(r->connection->client->fd, buffer, nbytes, 0) ==
EOF)
#else
if (write(r->connection->client->fd, buffer, nbytes) == EOF)
#endif
break;
Explain1("Wrote %d bytes to client", nbytes);
}
else
break;
}
else if (FD_ISSET(r->connection->client->fd, &fds)) {
Explain0("client->fd was set");
#if defined(WIN32)
if ((nbytes = recv(r->connection->client->fd, buffer,
HUGE_STRING_LEN, 0)) != 0) {
#else
if ((nbytes = read(r->connection->client->fd, buffer,
HUGE_STRING_LEN)) != 0) {
#endif
if (nbytes == -1)
break;
#if defined(WIN32)
if (send(sock, buffer, nbytes, 0) == EOF)
#else
if (write(sock, buffer, nbytes) == EOF)
#endif
break;
Explain1("Wrote %d bytes to server", nbytes);
}
else
break;
}
else
break; /* Must be done waiting */
}
else
break;
}
ap_pclosesocket(r->pool, sock);
return OK;
}
