MINOR: http-ana: Rely on addresses at stream level to set xff and xot headers
Client source and destination addresses at stream level are now used to emit X-Forwarded-For and X-Original-To headers. For now, stream-interface addresses are never set, so, thanks to the fallback mechanism, no behavior change is expected from this patch. Its purpose is to rely on addresses at the stream level, when set, instead of those at the connection level.
parent
c269f664bd
commit
8a104ba3e0
@ -654,6 +654,7 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
|
|||||||
* asks for it.
|
* asks for it.
|
||||||
*/
|
*/
|
||||||
if ((sess->fe->options | s->be->options) & PR_O_FWDFOR) {
|
if ((sess->fe->options | s->be->options) & PR_O_FWDFOR) {
|
||||||
|
const struct sockaddr_storage *src = si_src(&s->si[0]);
|
||||||
struct http_hdr_ctx ctx = { .blk = NULL };
|
struct http_hdr_ctx ctx = { .blk = NULL };
|
||||||
struct ist hdr = ist2(s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_name : sess->fe->fwdfor_hdr_name,
|
struct ist hdr = ist2(s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_name : sess->fe->fwdfor_hdr_name,
|
||||||
s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_len : sess->fe->fwdfor_hdr_len);
|
s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_len : sess->fe->fwdfor_hdr_len);
|
||||||
@ -664,13 +665,13 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
|
|||||||
* and we found it, so don't do anything.
|
* and we found it, so don't do anything.
|
||||||
*/
|
*/
|
||||||
}
|
}
|
||||||
else if (cli_conn && conn_get_src(cli_conn) && cli_conn->src->ss_family == AF_INET) {
|
else if (src && src->ss_family == AF_INET) {
|
||||||
/* Add an X-Forwarded-For header unless the source IP is
|
/* Add an X-Forwarded-For header unless the source IP is
|
||||||
* in the 'except' network range.
|
* in the 'except' network range.
|
||||||
*/
|
*/
|
||||||
if (ipcmp2net(cli_conn->src, &sess->fe->except_xff_net) &&
|
if (ipcmp2net(src, &sess->fe->except_xff_net) &&
|
||||||
ipcmp2net(cli_conn->src, &s->be->except_xff_net)) {
|
ipcmp2net(src, &s->be->except_xff_net)) {
|
||||||
unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)cli_conn->src)->sin_addr;
|
unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)src)->sin_addr;
|
||||||
|
|
||||||
/* Note: we rely on the backend to get the header name to be used for
|
/* Note: we rely on the backend to get the header name to be used for
|
||||||
* x-forwarded-for, because the header is really meant for the backends.
|
* x-forwarded-for, because the header is really meant for the backends.
|
||||||
@ -682,16 +683,16 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
|
|||||||
goto return_int_err;
|
goto return_int_err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (cli_conn && conn_get_src(cli_conn) && cli_conn->src->ss_family == AF_INET6) {
|
else if (src && src->ss_family == AF_INET6) {
|
||||||
/* Add an X-Forwarded-For header unless the source IP is
|
/* Add an X-Forwarded-For header unless the source IP is
|
||||||
* in the 'except' network range.
|
* in the 'except' network range.
|
||||||
*/
|
*/
|
||||||
if (ipcmp2net(cli_conn->src, &sess->fe->except_xff_net) &&
|
if (ipcmp2net(src, &sess->fe->except_xff_net) &&
|
||||||
ipcmp2net(cli_conn->src, &s->be->except_xff_net)) {
|
ipcmp2net(src, &s->be->except_xff_net)) {
|
||||||
char pn[INET6_ADDRSTRLEN];
|
char pn[INET6_ADDRSTRLEN];
|
||||||
|
|
||||||
inet_ntop(AF_INET6,
|
inet_ntop(AF_INET6,
|
||||||
(const void *)&((struct sockaddr_in6 *)(cli_conn->src))->sin6_addr,
|
(const void *)&((struct sockaddr_in6 *)(src))->sin6_addr,
|
||||||
pn, sizeof(pn));
|
pn, sizeof(pn));
|
||||||
|
|
||||||
/* Note: we rely on the backend to get the header name to be used for
|
/* Note: we rely on the backend to get the header name to be used for
|
||||||
@ -711,16 +712,17 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
|
|||||||
* asks for it.
|
* asks for it.
|
||||||
*/
|
*/
|
||||||
if ((sess->fe->options | s->be->options) & PR_O_ORGTO) {
|
if ((sess->fe->options | s->be->options) & PR_O_ORGTO) {
|
||||||
|
const struct sockaddr_storage *dst = si_dst(&s->si[0]);
|
||||||
struct ist hdr = ist2(s->be->orgto_hdr_len ? s->be->orgto_hdr_name : sess->fe->orgto_hdr_name,
|
struct ist hdr = ist2(s->be->orgto_hdr_len ? s->be->orgto_hdr_name : sess->fe->orgto_hdr_name,
|
||||||
s->be->orgto_hdr_len ? s->be->orgto_hdr_len : sess->fe->orgto_hdr_len);
|
s->be->orgto_hdr_len ? s->be->orgto_hdr_len : sess->fe->orgto_hdr_len);
|
||||||
|
|
||||||
if (cli_conn && conn_get_dst(cli_conn) && cli_conn->dst->ss_family == AF_INET) {
|
if (dst && dst->ss_family == AF_INET) {
|
||||||
/* Add an X-Original-To header unless the destination IP is
|
/* Add an X-Original-To header unless the destination IP is
|
||||||
* in the 'except' network range.
|
* in the 'except' network range.
|
||||||
*/
|
*/
|
||||||
if (ipcmp2net(cli_conn->dst, &sess->fe->except_xot_net) &&
|
if (ipcmp2net(dst, &sess->fe->except_xot_net) &&
|
||||||
ipcmp2net(cli_conn->dst, &s->be->except_xot_net)) {
|
ipcmp2net(dst, &s->be->except_xot_net)) {
|
||||||
unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)cli_conn->dst)->sin_addr;
|
unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)dst)->sin_addr;
|
||||||
|
|
||||||
/* Note: we rely on the backend to get the header name to be used for
|
/* Note: we rely on the backend to get the header name to be used for
|
||||||
* x-original-to, because the header is really meant for the backends.
|
* x-original-to, because the header is really meant for the backends.
|
||||||
@ -732,16 +734,16 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
|
|||||||
goto return_int_err;
|
goto return_int_err;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
else if (cli_conn && conn_get_dst(cli_conn) && cli_conn->dst->ss_family == AF_INET6) {
|
else if (dst && dst->ss_family == AF_INET6) {
|
||||||
/* Add an X-Original-To header unless the source IP is
|
/* Add an X-Original-To header unless the source IP is
|
||||||
* in the 'except' network range.
|
* in the 'except' network range.
|
||||||
*/
|
*/
|
||||||
if (ipcmp2net(cli_conn->dst, &sess->fe->except_xot_net) &&
|
if (ipcmp2net(dst, &sess->fe->except_xot_net) &&
|
||||||
ipcmp2net(cli_conn->dst, &s->be->except_xot_net)) {
|
ipcmp2net(dst, &s->be->except_xot_net)) {
|
||||||
char pn[INET6_ADDRSTRLEN];
|
char pn[INET6_ADDRSTRLEN];
|
||||||
|
|
||||||
inet_ntop(AF_INET6,
|
inet_ntop(AF_INET6,
|
||||||
(const void *)&((struct sockaddr_in6 *)(cli_conn->dst))->sin6_addr,
|
(const void *)&((struct sockaddr_in6 *)dst)->sin6_addr,
|
||||||
pn, sizeof(pn));
|
pn, sizeof(pn));
|
||||||
|
|
||||||
/* Note: we rely on the backend to get the header name to be used for
|
/* Note: we rely on the backend to get the header name to be used for
|
||||||
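Review bot: In the X-Original-To IPv4 branch, `dst` is now declared `const struct sockaddr_storage *`, yet `unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)dst)->sin_addr;` casts the qualifier away, and the same happens with `src` in the X-Forwarded-For branch and in the `(struct sockaddr_in6 *)(src)` / `(struct sockaddr_in6 *)dst` casts feeding inet_ntop; the old code cast `cli_conn->src`/`cli_conn->dst`, which were presumably not const-qualified, so this is introduced by the change. The address bytes appear to be only read here (the use of `pn` lies past the hunk), so keep the qualifier all the way through: `const unsigned char *pn = (const unsigned char *)&((const struct sockaddr_in *)dst)->sin_addr;` and `(const void *)&((const struct sockaddr_in6 *)dst)->sin6_addr`. Separately, the removed `conn_get_src()`/`conn_get_dst()` calls performed a lazy retrieval of the peer address before it was used; if `si_src()`/`si_dst()` do not trigger the same retrieval when falling back to the connection, an address that has not been fetched yet would now silently result in no header being emitted rather than a lookup, which is worth confirming in those helpers since backends may treat a missing X-Forwarded-For as "direct client". `http_process_request` starts and ends outside these hunks.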
|