diff --git a/docs/man5/tinyproxy.conf.txt.in b/docs/man5/tinyproxy.conf.txt.in index 3e24852..a728400 100644 --- a/docs/man5/tinyproxy.conf.txt.in +++ b/docs/man5/tinyproxy.conf.txt.in @@ -227,6 +227,14 @@ AddHeader "X-My-Header" "Powered by Tinyproxy" enabling this option, you break compliance. Don't disable the `Via` header unless you know what you are doing... +*EnableXffHeader*:: + + The 'X-Forwarded-For' header isn't required by the HTTP RFC, + but is a common method for identifying the originating IP address + of a client connecting to a web server through an HTTP proxy or + load balancer. Though, using this is a security concern. + So turn this on only for demand. + *Filter*:: Tinyproxy supports filtering of web sites based on URLs or diff --git a/etc/tinyproxy.conf.in b/etc/tinyproxy.conf.in index 06f5480..f3891a7 100644 --- a/etc/tinyproxy.conf.in +++ b/etc/tinyproxy.conf.in @@ -229,6 +229,15 @@ ViaProxyName "tinyproxy" # #DisableViaHeader Yes +# +# EnableXffHeader: The 'X-Forwarded-For' header isn't required by the +# HTTP RFC, but is a common method for identifying the originating +# IP address of a client connecting to a web server through an HTTP +# proxy or load balancer. Though, using this is a security concern. +# So we disable it by default. +# +#EnableXffHeader No + # # Filter: This allows you to specify the location of the filter file. # diff --git a/src/conf.c b/src/conf.c index eded11a..05b243a 100644 --- a/src/conf.c +++ b/src/conf.c @@ -157,6 +157,7 @@ static HANDLE_FUNC (handle_timeout); static HANDLE_FUNC (handle_user); static HANDLE_FUNC (handle_viaproxyname); static HANDLE_FUNC (handle_disableviaheader); +static HANDLE_FUNC (handle_enablexffheader); static HANDLE_FUNC (handle_xtinyproxy); #ifdef UPSTREAM_SUPPORT @@ -206,11 +207,12 @@ struct { STDCONF ("defaulterrorfile", STR, handle_defaulterrorfile), STDCONF ("statfile", STR, handle_statfile), STDCONF ("stathost", STR, handle_stathost), - STDCONF ("xtinyproxy", BOOL, handle_xtinyproxy), /* boolean arguments */ STDCONF ("syslog", BOOL, handle_syslog), STDCONF ("bindsame", BOOL, handle_bindsame), STDCONF ("disableviaheader", BOOL, handle_disableviaheader), + STDCONF ("enablexffheader", BOOL, handle_enablexffheader), + STDCONF ("xtinyproxy", BOOL, handle_xtinyproxy), /* integer arguments */ STDCONF ("port", INT, handle_port), STDCONF ("maxclients", INT, handle_maxclients), @@ -531,6 +533,8 @@ static void initialize_with_defaults (struct config_s *conf, conf->disable_viaheader = defaults->disable_viaheader; + conf->enable_xffheader = defaults->enable_xffheader; + if (defaults->errorpage_undef) { conf->errorpage_undef = safestrdup (defaults->errorpage_undef); } @@ -742,6 +746,19 @@ static HANDLE_FUNC (handle_disableviaheader) return 0; } +static HANDLE_FUNC (handle_enablexffheader) +{ + int r = set_bool_arg (&conf->enable_xffheader, line, &match[2]); + + if (!r) { + return r; + } + + log_message (LOG_INFO, + "Enabling transmission of the \"X-Forwarded-For\" header."); + return r; +} + static HANDLE_FUNC (handle_defaulterrorfile) { return set_string_arg (&conf->errorpage_undef, line, &match[2]); diff --git a/src/conf.h b/src/conf.h index 44f12d7..69aa61a 100644 --- a/src/conf.h +++ b/src/conf.h @@ -79,6 +79,8 @@ struct config_s { unsigned int disable_viaheader; /* boolean */ + unsigned int enable_xffheader; /* boolean */ + /* * Error page support. Map error numbers to file paths. */ diff --git a/src/reqs.c b/src/reqs.c index 3adc473..62d2fa3 100644 --- a/src/reqs.c +++ b/src/reqs.c @@ -837,6 +837,35 @@ done: return ret; } +/* + * Create a 'X-Forwarded-For' header or append to the existing one. + * It isn't standard, but is a common method for identifying the originating + * IP address of a client. + */ +static int +write_xff_header(int fd, hashmap_t hashofheaders, + char* client_ip_addr) +{ + ssize_t len; + char *data; + int ret; + + len = hashmap_entry_by_key(hashofheaders, "x-forwarded-for", (void **)&data); + if (len > 0) { + ret = write_message(fd, + "X-Forwarded-For: %s, %s\r\n", + data, client_ip_addr); + + hashmap_remove(hashofheaders, "x-forwarded-for"); + } else { + ret = write_message(fd, + "X-Forwarded-For: %s\r\n", + client_ip_addr); + } + + return ret; +} + /* * Number of buckets to use internally in the hashmap. */ @@ -910,6 +939,21 @@ process_client_headers (struct conn_s *connptr, hashmap_t hashofheaders) goto PULL_CLIENT_DATA; } + if (config.enable_xffheader) { + /* Send new or appended the 'X-Forwarded-For' header */ + ret = write_xff_header(connptr->server_fd, hashofheaders, + connptr->client_ip_addr); + if (ret < 0) { + indicate_http_error(connptr, 503, + "Could not send data to remote server", + "detail", + "A network error occurred while " + "trying to write data to the remote web server.", + NULL); + goto PULL_CLIENT_DATA; + } + } + /* * Output all the remaining headers to the remote machine. */ @@ -1071,6 +1115,14 @@ retry: if (ret < 0) goto ERROR_EXIT; + if (config.enable_xffheader) { + /* Send new or appended the 'X-Forwarded-For' header */ + ret = write_xff_header(connptr->client_fd, hashofheaders, + connptr->server_ip_addr); + if (ret < 0) + goto ERROR_EXIT; + } + #ifdef REVERSE_SUPPORT /* Write tracking cookie for the magical reverse proxy path hack */ if (config.reversemagic && connptr->reversepath) {