Merge a875eda618 into cd005a94ce

docs/man5/tinyproxy.conf.txt.in

@@ -227,6 +227,14 @@ AddHeader "X-My-Header" "Powered by Tinyproxy"
     enabling this option, you break compliance.
     Don't disable the `Via` header unless you know what you are doing...
 
+*EnableXffHeader*::
+
+    The 'X-Forwarded-For' header isn't required by the HTTP RFC,
+    but is a common method for identifying the originating IP address
+    of a client connecting to a web server through an HTTP proxy or
+    load balancer. Though, using this is a security concern.
+    So turn this on only for demand.
+
 *Filter*::
 
     Tinyproxy supports filtering of web sites based on URLs or

etc/tinyproxy.conf.in

@@ -229,6 +229,15 @@ ViaProxyName "tinyproxy"
 #
 #DisableViaHeader Yes
 
+#
+# EnableXffHeader: The 'X-Forwarded-For' header isn't required by the
+# HTTP RFC, but is a common method for identifying the originating
+# IP address of a client connecting to a web server through an HTTP
+# proxy or load balancer. Though, using this is a security concern.
+# So we disable it by default.
+#
+#EnableXffHeader No
+
 #
 # Filter: This allows you to specify the location of the filter file.
 #

src/conf.c

@@ -157,6 +157,7 @@ static HANDLE_FUNC (handle_timeout);
 static HANDLE_FUNC (handle_user);
 static HANDLE_FUNC (handle_viaproxyname);
 static HANDLE_FUNC (handle_disableviaheader);
+static HANDLE_FUNC (handle_enablexffheader);
 static HANDLE_FUNC (handle_xtinyproxy);
 
 #ifdef UPSTREAM_SUPPORT
@@ -206,11 +207,12 @@ struct {
         STDCONF ("defaulterrorfile", STR, handle_defaulterrorfile),
         STDCONF ("statfile", STR, handle_statfile),
         STDCONF ("stathost", STR, handle_stathost),
-        STDCONF ("xtinyproxy",  BOOL, handle_xtinyproxy),
         /* boolean arguments */
         STDCONF ("syslog", BOOL, handle_syslog),
         STDCONF ("bindsame", BOOL, handle_bindsame),
         STDCONF ("disableviaheader", BOOL, handle_disableviaheader),
+        STDCONF ("enablexffheader", BOOL, handle_enablexffheader),
+        STDCONF ("xtinyproxy",  BOOL, handle_xtinyproxy),
         /* integer arguments */
         STDCONF ("port", INT, handle_port),
         STDCONF ("maxclients", INT, handle_maxclients),
@@ -531,6 +533,8 @@ static void initialize_with_defaults (struct config_s *conf,
 
         conf->disable_viaheader = defaults->disable_viaheader;
 
+        conf->enable_xffheader = defaults->enable_xffheader;
+
         if (defaults->errorpage_undef) {
                 conf->errorpage_undef = safestrdup (defaults->errorpage_undef);
         }
@@ -742,6 +746,19 @@ static HANDLE_FUNC (handle_disableviaheader)
         return 0;
 }
 
+static HANDLE_FUNC (handle_enablexffheader)
+{
+        int r = set_bool_arg (&conf->enable_xffheader, line, &match[2]);
+
+        if (!r) {
+                return r;
+        }
+
+        log_message (LOG_INFO,
+                     "Enabling transmission of the \"X-Forwarded-For\" header.");
+        return r;
+}
+
 static HANDLE_FUNC (handle_defaulterrorfile)
 {
         return set_string_arg (&conf->errorpage_undef, line, &match[2]);

src/conf.h

@@ -79,6 +79,8 @@ struct config_s {
 
         unsigned int disable_viaheader; /* boolean */
 
+        unsigned int enable_xffheader; /* boolean */
+
         /*
          * Error page support.  Map error numbers to file paths.
          */

src/reqs.c

@@ -837,6 +837,35 @@ done:
         return ret;
 }
 
+/*
+ * Create a 'X-Forwarded-For' header or append to the existing one.
+ * It isn't standard, but is a common method for identifying the originating 
+ * IP address of a client.
+ */
+static int
+write_xff_header(int fd, hashmap_t hashofheaders,
+                     char* client_ip_addr)
+{
+        ssize_t len;
+        char *data;
+        int ret;
+
+        len = hashmap_entry_by_key(hashofheaders, "x-forwarded-for", (void **)&data);
+        if (len > 0) {
+                ret = write_message(fd,
+                                    "X-Forwarded-For: %s, %s\r\n",
+                                    data, client_ip_addr);
+
+                hashmap_remove(hashofheaders, "x-forwarded-for");
+        } else {
+                ret = write_message(fd,
+                                    "X-Forwarded-For: %s\r\n",
+                                    client_ip_addr);
+        }
+
+        return ret;
+}
+
 /*
  * Number of buckets to use internally in the hashmap.
  */
@@ -910,6 +939,21 @@ process_client_headers (struct conn_s *connptr, hashmap_t hashofheaders)
                 goto PULL_CLIENT_DATA;
         }
 
+        if (config.enable_xffheader) {
+                /* Send new or appended the 'X-Forwarded-For' header */
+                ret = write_xff_header(connptr->server_fd, hashofheaders,
+                                       connptr->client_ip_addr);
+                if (ret < 0) {
+                        indicate_http_error(connptr, 503,
+                                            "Could not send data to remote server",
+                                            "detail",
+                                            "A network error occurred while "
+                                            "trying to write data to the remote web server.",
+                                            NULL);
+                        goto PULL_CLIENT_DATA;
+                }
+        }
+
         /*
          * Output all the remaining headers to the remote machine.
          */
@@ -1071,6 +1115,14 @@ retry:
         if (ret < 0)
                 goto ERROR_EXIT;
 
+        if (config.enable_xffheader) {
+                /* Send new or appended the 'X-Forwarded-For' header */
+                ret = write_xff_header(connptr->client_fd, hashofheaders,
+                                       connptr->server_ip_addr);
+                if (ret < 0)
+                        goto ERROR_EXIT;
+        }
+
 #ifdef REVERSE_SUPPORT
         /* Write tracking cookie for the magical reverse proxy path hack */
         if (config.reversemagic && connptr->reversepath) {