Commit 9ea4905f authored by Lucas Pardue's avatar Lucas Pardue

Added X-Forwarded-For header stripping option to nghttpx

parent c6cfcc3c
......@@ -750,6 +750,7 @@ void fill_default_config()
mod_config()->num_worker = 1;
mod_config()->http2_max_concurrent_streams = 100;
mod_config()->add_x_forwarded_for = false;
mod_config()->strip_incoming_x_forwarded_for = false;
mod_config()->no_via = false;
mod_config()->accesslog_file = nullptr;
mod_config()->accesslog_syslog = false;
......@@ -1156,6 +1157,9 @@ Misc:
--add-x-forwarded-for
Append X-Forwarded-For header field to the
downstream request.
--strip-incoming-x-forwarded-for
Strip X-Forwarded-For header field from inbound
client requests.
--no-via Don't append to Via header field. If Via header
field is received, it is left unaltered.
--no-location-rewrite
......@@ -1308,6 +1312,7 @@ int main(int argc, char **argv)
{"no-location-rewrite", no_argument, &flag, 62},
{"backend-connections-per-frontend", required_argument, &flag, 63},
{"listener-disable-timeout", required_argument, &flag, 64},
{"strip-incoming-x-forwarded-for", no_argument, &flag, 65},
{nullptr, 0, nullptr, 0 }
};
......@@ -1605,6 +1610,10 @@ int main(int argc, char **argv)
// --listener-disable-timeout
cmdcfgs.emplace_back(SHRPX_OPT_LISTENER_DISABLE_TIMEOUT, optarg);
break;
case 65:
// --strip-incoming-x-forwarded-for
cmdcfgs.emplace_back(SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR, "yes");
break;
default:
break;
}
......
......@@ -67,6 +67,7 @@ const char SHRPX_OPT_HTTP2_PROXY[] = "http2-proxy";
const char SHRPX_OPT_HTTP2_BRIDGE[] = "http2-bridge";
const char SHRPX_OPT_CLIENT_PROXY[] = "client-proxy";
const char SHRPX_OPT_ADD_X_FORWARDED_FOR[] = "add-x-forwarded-for";
const char SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR[] = "strip-incoming-x-forwarded-for";
const char SHRPX_OPT_NO_VIA[] = "no-via";
const char
SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT[] = "frontend-http2-read-timeout";
......@@ -425,6 +426,12 @@ int parse_config(const char *opt, const char *optarg)
return 0;
}
if(util::strieq(opt, SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR)) {
mod_config()->strip_incoming_x_forwarded_for = util::strieq(optarg, "yes");
return 0;
}
if(util::strieq(opt, SHRPX_OPT_NO_VIA)) {
mod_config()->no_via = util::strieq(optarg, "yes");
......
......@@ -65,6 +65,7 @@ extern const char SHRPX_OPT_HTTP2_PROXY[];
extern const char SHRPX_OPT_HTTP2_BRIDGE[];
extern const char SHRPX_OPT_CLIENT_PROXY[];
extern const char SHRPX_OPT_ADD_X_FORWARDED_FOR[];
extern const char SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR[];
extern const char SHRPX_OPT_NO_VIA[];
extern const char SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT[];
extern const char SHRPX_OPT_FRONTEND_READ_TIMEOUT[];
......@@ -260,6 +261,7 @@ struct Config {
bool http2_bridge;
bool client_proxy;
bool add_x_forwarded_for;
bool strip_incoming_x_forwarded_for;
bool no_via;
bool upstream_no_tls;
bool downstream_no_tls;
......
......@@ -394,14 +394,16 @@ int Http2DownstreamConnection::push_request_headers()
auto xff = downstream_->get_norm_request_header("x-forwarded-for");
if(get_config()->add_x_forwarded_for) {
if(xff != end_headers) {
if(xff != end_headers &&
!get_config()->strip_incoming_x_forwarded_for) {
xff_value = (*xff).value;
xff_value += ", ";
}
xff_value += downstream_->get_upstream()->get_client_handler()->
get_ipaddr();
nva.push_back(http2::make_nv_ls("x-forwarded-for", xff_value));
} else if(xff != end_headers) {
} else if(xff != end_headers &&
!get_config()->strip_incoming_x_forwarded_for) {
nva.push_back(http2::make_nv_ls("x-forwarded-for", (*xff).value));
}
......
......@@ -209,14 +209,16 @@ int HttpDownstreamConnection::push_request_headers()
auto xff = downstream_->get_norm_request_header("x-forwarded-for");
if(get_config()->add_x_forwarded_for) {
hdrs += "X-Forwarded-For: ";
if(xff != end_headers) {
if(xff != end_headers &&
!get_config()->strip_incoming_x_forwarded_for) {
hdrs += (*xff).value;
http2::sanitize_header_value(hdrs, hdrs.size() - (*xff).value.size());
hdrs += ", ";
}
hdrs += client_handler_->get_ipaddr();
hdrs += "\r\n";
} else if(xff != end_headers) {
} else if(xff != end_headers &&
!get_config()->strip_incoming_x_forwarded_for) {
hdrs += "X-Forwarded-For: ";
hdrs += (*xff).value;
http2::sanitize_header_value(hdrs, hdrs.size() - (*xff).value.size());
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment