MINOR: http-ana: Rely on addresses at stream level to set xff and xot headers

Client source and destination addresses at stream level are now used to emit
X-Forwarded-For and X-Original-To headers. For now, stream-interface addresses
are never set. So, thanks to the fallback mechanism, no changes are expected
with this patch. But its purpose is to rely on addresses at the stream level,
when set, instead of those at the connection level.
This commit is contained in:
Christopher Faulet 2021-10-25 07:41:30 +02:00
parent c269f664bd
commit 8a104ba3e0

View File

@ -654,6 +654,7 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
* asks for it. * asks for it.
*/ */
if ((sess->fe->options | s->be->options) & PR_O_FWDFOR) { if ((sess->fe->options | s->be->options) & PR_O_FWDFOR) {
const struct sockaddr_storage *src = si_src(&s->si[0]);
struct http_hdr_ctx ctx = { .blk = NULL }; struct http_hdr_ctx ctx = { .blk = NULL };
struct ist hdr = ist2(s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_name : sess->fe->fwdfor_hdr_name, struct ist hdr = ist2(s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_name : sess->fe->fwdfor_hdr_name,
s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_len : sess->fe->fwdfor_hdr_len); s->be->fwdfor_hdr_len ? s->be->fwdfor_hdr_len : sess->fe->fwdfor_hdr_len);
@ -664,13 +665,13 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
* and we found it, so don't do anything. * and we found it, so don't do anything.
*/ */
} }
else if (cli_conn && conn_get_src(cli_conn) && cli_conn->src->ss_family == AF_INET) { else if (src && src->ss_family == AF_INET) {
/* Add an X-Forwarded-For header unless the source IP is /* Add an X-Forwarded-For header unless the source IP is
* in the 'except' network range. * in the 'except' network range.
*/ */
if (ipcmp2net(cli_conn->src, &sess->fe->except_xff_net) && if (ipcmp2net(src, &sess->fe->except_xff_net) &&
ipcmp2net(cli_conn->src, &s->be->except_xff_net)) { ipcmp2net(src, &s->be->except_xff_net)) {
unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)cli_conn->src)->sin_addr; unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)src)->sin_addr;
/* Note: we rely on the backend to get the header name to be used for /* Note: we rely on the backend to get the header name to be used for
* x-forwarded-for, because the header is really meant for the backends. * x-forwarded-for, because the header is really meant for the backends.
@ -682,16 +683,16 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
goto return_int_err; goto return_int_err;
} }
} }
else if (cli_conn && conn_get_src(cli_conn) && cli_conn->src->ss_family == AF_INET6) { else if (src && src->ss_family == AF_INET6) {
/* Add an X-Forwarded-For header unless the source IP is /* Add an X-Forwarded-For header unless the source IP is
* in the 'except' network range. * in the 'except' network range.
*/ */
if (ipcmp2net(cli_conn->src, &sess->fe->except_xff_net) && if (ipcmp2net(src, &sess->fe->except_xff_net) &&
ipcmp2net(cli_conn->src, &s->be->except_xff_net)) { ipcmp2net(src, &s->be->except_xff_net)) {
char pn[INET6_ADDRSTRLEN]; char pn[INET6_ADDRSTRLEN];
inet_ntop(AF_INET6, inet_ntop(AF_INET6,
(const void *)&((struct sockaddr_in6 *)(cli_conn->src))->sin6_addr, (const void *)&((struct sockaddr_in6 *)(src))->sin6_addr,
pn, sizeof(pn)); pn, sizeof(pn));
/* Note: we rely on the backend to get the header name to be used for /* Note: we rely on the backend to get the header name to be used for
@ -711,16 +712,17 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
* asks for it. * asks for it.
*/ */
if ((sess->fe->options | s->be->options) & PR_O_ORGTO) { if ((sess->fe->options | s->be->options) & PR_O_ORGTO) {
const struct sockaddr_storage *dst = si_dst(&s->si[0]);
struct ist hdr = ist2(s->be->orgto_hdr_len ? s->be->orgto_hdr_name : sess->fe->orgto_hdr_name, struct ist hdr = ist2(s->be->orgto_hdr_len ? s->be->orgto_hdr_name : sess->fe->orgto_hdr_name,
s->be->orgto_hdr_len ? s->be->orgto_hdr_len : sess->fe->orgto_hdr_len); s->be->orgto_hdr_len ? s->be->orgto_hdr_len : sess->fe->orgto_hdr_len);
if (cli_conn && conn_get_dst(cli_conn) && cli_conn->dst->ss_family == AF_INET) { if (dst && dst->ss_family == AF_INET) {
/* Add an X-Original-To header unless the destination IP is /* Add an X-Original-To header unless the destination IP is
* in the 'except' network range. * in the 'except' network range.
*/ */
if (ipcmp2net(cli_conn->dst, &sess->fe->except_xot_net) && if (ipcmp2net(dst, &sess->fe->except_xot_net) &&
ipcmp2net(cli_conn->dst, &s->be->except_xot_net)) { ipcmp2net(dst, &s->be->except_xot_net)) {
unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)cli_conn->dst)->sin_addr; unsigned char *pn = (unsigned char *)&((struct sockaddr_in *)dst)->sin_addr;
/* Note: we rely on the backend to get the header name to be used for /* Note: we rely on the backend to get the header name to be used for
* x-original-to, because the header is really meant for the backends. * x-original-to, because the header is really meant for the backends.
@ -732,16 +734,16 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
goto return_int_err; goto return_int_err;
} }
} }
else if (cli_conn && conn_get_dst(cli_conn) && cli_conn->dst->ss_family == AF_INET6) { else if (dst && dst->ss_family == AF_INET6) {
/* Add an X-Original-To header unless the source IP is /* Add an X-Original-To header unless the source IP is
* in the 'except' network range. * in the 'except' network range.
*/ */
if (ipcmp2net(cli_conn->dst, &sess->fe->except_xot_net) && if (ipcmp2net(dst, &sess->fe->except_xot_net) &&
ipcmp2net(cli_conn->dst, &s->be->except_xot_net)) { ipcmp2net(dst, &s->be->except_xot_net)) {
char pn[INET6_ADDRSTRLEN]; char pn[INET6_ADDRSTRLEN];
inet_ntop(AF_INET6, inet_ntop(AF_INET6,
(const void *)&((struct sockaddr_in6 *)(cli_conn->dst))->sin6_addr, (const void *)&((struct sockaddr_in6 *)dst)->sin6_addr,
pn, sizeof(pn)); pn, sizeof(pn));
/* Note: we rely on the backend to get the header name to be used for /* Note: we rely on the backend to get the header name to be used for