Add support for 'X-Forwarded-For' header #87

Open
wants to merge 5 commits into
base: master
8 changes: 8 additions & 0 deletions docs/man5/tinyproxy.conf.txt.in
Expand Up @@ -250,6 +250,14 @@ AddHeader "X-My-Header" "Powered by Tinyproxy"
enabling this option, you break compliance.
Don't disable the `Via` header unless you know what you are doing...

*EnableXffHeader*::

The 'X-Forwarded-For' header isn't required by the HTTP RFC,
but is a common method for identifying the originating IP address
of a client connecting to a web server through an HTTP proxy or
load balancer. Though, using this is a security concern.
So turn this on only for demand.

*Filter*::

Tinyproxy supports filtering of web sites based on URLs or
9 changes: 9 additions & 0 deletions etc/tinyproxy.conf.in
Expand Up @@ -252,6 +252,15 @@ ViaProxyName "tinyproxy"
#
#DisableViaHeader Yes

#
# EnableXffHeader: The 'X-Forwarded-For' header isn't required by the
# HTTP RFC, but is a common method for identifying the originating
# IP address of a client connecting to a web server through an HTTP
# proxy or load balancer. Though, using this is a security concern.
# So we disable it by default.
#
#EnableXffHeader No

#
# Filter: This allows you to specify the location of the filter file.
#
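Review bot: The new comment for `EnableXffHeader` calls the header "a security concern" without naming the risk, so an operator reading the sample config cannot judge when enabling it is acceptable. State what is disclosed and what is not verified, for example `# Enabling this reveals each client's IP address to every upstream server;` followed by `# any X-Forwarded-For value received from the client is passed on unverified.` The same wording would fit the man page entry in docs/man5/tinyproxy.conf.txt.in.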
19 changes: 18 additions & 1 deletion src/conf.c
Expand Up @@ -160,6 +160,7 @@ static HANDLE_FUNC (handle_timeout);
static HANDLE_FUNC (handle_user);
static HANDLE_FUNC (handle_viaproxyname);
static HANDLE_FUNC (handle_disableviaheader);
static HANDLE_FUNC (handle_enablexffheader);
static HANDLE_FUNC (handle_xtinyproxy);

#ifdef UPSTREAM_SUPPORT
Expand Down Expand Up @@ -209,11 +210,12 @@ struct {
STDCONF ("defaulterrorfile", STR, handle_defaulterrorfile),
STDCONF ("statfile", STR, handle_statfile),
STDCONF ("stathost", STR, handle_stathost),
STDCONF ("xtinyproxy", BOOL, handle_xtinyproxy),
/* boolean arguments */
STDCONF ("syslog", BOOL, handle_syslog),
STDCONF ("bindsame", BOOL, handle_bindsame),
STDCONF ("disableviaheader", BOOL, handle_disableviaheader),
STDCONF ("enablexffheader", BOOL, handle_enablexffheader),
STDCONF ("xtinyproxy", BOOL, handle_xtinyproxy),
/* integer arguments */
STDCONF ("port", INT, handle_port),
STDCONF ("maxclients", INT, handle_maxclients),
Expand Down Expand Up @@ -533,6 +535,8 @@ static void initialize_with_defaults (struct config_s *conf,

conf->disable_viaheader = defaults->disable_viaheader;

conf->enable_xffheader = defaults->enable_xffheader;

if (defaults->errorpage_undef) {
conf->errorpage_undef = safestrdup (defaults->errorpage_undef);
}
Expand Down Expand Up @@ -744,6 +748,19 @@ static HANDLE_FUNC (handle_disableviaheader)
return 0;
}

static HANDLE_FUNC (handle_enablexffheader)
{
int r = set_bool_arg (&conf->enable_xffheader, line, &match[2]);

if (!r) {
return r;
}

log_message (LOG_INFO,
"Enabling transmission of the \"X-Forwarded-For\" header.");
return r;
}

static HANDLE_FUNC (handle_defaulterrorfile)
{
return set_string_arg (&conf->errorpage_undef, line, &match[2]);
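Review bot: The early return in `handle_enablexffheader` tests `if (!r)`, which looks inverted compared with the `return 0;` success path of the neighbouring `handle_disableviaheader`. If `set_bool_arg` returns 0 on success (its definition is not in this diff), a valid setting returns silently and only a failed parse logs "Enabling transmission…"; use `if (r) return r;` instead. The message is also independent of the parsed value, so `EnableXffHeader No` would still log that the header is being enabled. Guard it with `if (conf->enable_xffheader)` so the log reflects the effective setting, which is what someone auditing client-address disclosure will rely on.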
2 changes: 2 additions & 0 deletions src/conf.h
Expand Up @@ -78,6 +78,8 @@ struct config_s {

unsigned int disable_viaheader; /* boolean */

unsigned int enable_xffheader; /* boolean */

/*
* Error page support. Map error numbers to file paths.
*/
52 changes: 52 additions & 0 deletions src/reqs.c
Expand Up @@ -836,6 +836,35 @@ write_via_header (int fd, hashmap_t hashofheaders,
return ret;
}

/*
* Create a 'X-Forwarded-For' header or append to the existing one.
* It isn't standard, but is a common method for identifying the originating
* IP address of a client.
*/
static int
write_xff_header(int fd, hashmap_t hashofheaders,
char* client_ip_addr)
{
ssize_t len;
char *data;
int ret;

len = hashmap_entry_by_key(hashofheaders, "x-forwarded-for", (void **)&data);
if (len > 0) {
ret = write_message(fd,
"X-Forwarded-For: %s, %s\r\n",
data, client_ip_addr);

hashmap_remove(hashofheaders, "x-forwarded-for");
} else {
ret = write_message(fd,
"X-Forwarded-For: %s\r\n",
client_ip_addr);
}

return ret;
}

/*
* Number of buckets to use internally in the hashmap.
*/
Expand Down Expand Up @@ -909,6 +938,21 @@ process_client_headers (struct conn_s *connptr, hashmap_t hashofheaders)
goto PULL_CLIENT_DATA;
}

if (config.enable_xffheader) {
/* Send new or appended the 'X-Forwarded-For' header */
ret = write_xff_header(connptr->server_fd, hashofheaders,
connptr->client_ip_addr);
if (ret < 0) {
indicate_http_error(connptr, 503,
"Could not send data to remote server",
"detail",
"A network error occurred while "
"trying to write data to the remote web server.",
NULL);
goto PULL_CLIENT_DATA;
}
}

/*
* Output all the remaining headers to the remote machine.
*/
Expand Down Expand Up @@ -1070,6 +1114,14 @@ static int process_server_headers (struct conn_s *connptr)
if (ret < 0)
goto ERROR_EXIT;

if (config.enable_xffheader) {
/* Send new or appended the 'X-Forwarded-For' header */
ret = write_xff_header(connptr->client_fd, hashofheaders,
connptr->server_ip_addr);
if (ret < 0)
goto ERROR_EXIT;
}

#ifdef REVERSE_SUPPORT
/* Write tracking cookie for the magical reverse proxy path hack */
if (config.reversemagic && connptr->reversepath) {
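Review bot: The block added to `process_server_headers` writes `X-Forwarded-For` to `connptr->client_fd` using `connptr->server_ip_addr`, so with the option on, every response sent to the client carries the upstream server's address. X-Forwarded-For is a request header that tells the origin which client a request came from; on the response path it has no consumer and discloses backend addresses, which matters most for the reverse-proxy path just below. I would drop this block and keep only the one in `process_client_headers`. Separately, the existing value `data` in `write_xff_header` is client-supplied and forwarded unverified, and its doc comment should say so, e.g. `/* Any existing value comes from the client and is forwarded as-is; only the address appended here is known to this proxy. */`. The bodies of both `process_*` functions extend outside the hunks shown.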