bughz/tinyproxy
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add an option to control the use of X-Forwarded-For header.

Browse Source
This commit is contained in:
Vladimir Belov 2017-04-01 14:19:04 +03:00
parent 2df1e61b51
commit 0fc9d1cd39
5 changed files with 57 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
docs/man5/tinyproxy.conf.txt.in
View File

@ -246,6 +246,14 @@ AddHeader "X-My-Header" "Powered by Tinyproxy"
enabling this option, you break compliance.
Don't disable the `Via` header unless you know what you are doing...
*DisableXffHeader*::
The 'X-Forwarded-For' header isn't required by the HTTP RFC,
but is a common method for identifying the originating IP address
of a client connecting to a web server through an HTTP proxy or
load balancer. Though, using this is a security concern.
So turn this off only for demand.
*Filter*::
Tinyproxy supports filtering of web sites based on URLs or

9
etc/tinyproxy.conf.in
View File

@ -233,6 +233,15 @@ ViaProxyName "tinyproxy"
#
#DisableViaHeader Yes
#
# DisableXffHeader: The 'X-Forwarded-For' header isn't required by the
# HTTP RFC, but is a common method for identifying the originating
# IP address of a client connecting to a web server through an HTTP
# proxy or load balancer. Though, using this is a security concern.
# So we disable it by default.
#
DisableXffHeader Yes
#
# Filter: This allows you to specify the location of the filter file.
#

17
src/conf.c
View File

@ -156,6 +156,7 @@ static HANDLE_FUNC (handle_timeout);
static HANDLE_FUNC (handle_user);
static HANDLE_FUNC (handle_viaproxyname);
static HANDLE_FUNC (handle_disableviaheader);
static HANDLE_FUNC (handle_disablexffheader);
static HANDLE_FUNC (handle_xtinyproxy);
#ifdef UPSTREAM_SUPPORT
@ -205,11 +206,12 @@ struct {
STDCONF ("defaulterrorfile", STR, handle_defaulterrorfile),
STDCONF ("statfile", STR, handle_statfile),
STDCONF ("stathost", STR, handle_stathost),
STDCONF ("xtinyproxy", BOOL, handle_xtinyproxy),
/* boolean arguments */
STDCONF ("syslog", BOOL, handle_syslog),
STDCONF ("bindsame", BOOL, handle_bindsame),
STDCONF ("disableviaheader", BOOL, handle_disableviaheader),
STDCONF ("disablexffheader", BOOL, handle_disablexffheader),
STDCONF ("xtinyproxy", BOOL, handle_xtinyproxy),
/* integer arguments */
STDCONF ("port", INT, handle_port),
STDCONF ("maxclients", INT, handle_maxclients),
@ -736,6 +738,19 @@ static HANDLE_FUNC (handle_disableviaheader)
return 0;
}
static HANDLE_FUNC (handle_disablexffheader)
{
int r = set_bool_arg (&conf->disable_xffheader, line, &match[2]);
if (r) {
return r;
}
log_message (LOG_INFO,
"Disabling transmission of the \"X-Forwarded-For\" header.");
return 0;
}
static HANDLE_FUNC (handle_defaulterrorfile)
{
return set_string_arg (&conf->errorpage_undef, line, &match[2]);

2
src/conf.h
View File

@ -77,6 +77,8 @@ struct config_s {
unsigned int disable_viaheader; /* boolean */
unsigned int disable_xffheader; /* boolean */
/*
* Error page support. Map error numbers to file paths.
*/

6
src/reqs.c
View File

@ -923,6 +923,8 @@ process_client_headers (struct conn_s *connptr, hashmap_t hashofheaders)
NULL);
goto PULL_CLIENT_DATA;
}
if (!config.disable_xffheader) {
/* Send new or appended the 'X-Forwarded-For' header */
ret = write_xff_header(connptr->server_fd, hashofheaders,
connptr->client_ip_addr);
@ -935,6 +937,7 @@ process_client_headers (struct conn_s *connptr, hashmap_t hashofheaders)
NULL);
goto PULL_CLIENT_DATA;
}
}
/*
* Output all the remaining headers to the remote machine.
@ -1096,11 +1099,14 @@ retry:
connptr->protocol.minor);
if (ret < 0)
goto ERROR_EXIT;
if (!config.disable_xffheader) {
/* Send new or appended the 'X-Forwarded-For' header */
ret = write_xff_header(connptr->client_fd, hashofheaders,
connptr->server_ip_addr);
if (ret < 0)
goto ERROR_EXIT;
}
#ifdef REVERSE_SUPPORT
/* Write tracking cookie for the magical reverse proxy path hack */