Newer
Older
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816
1817
1818
1819
1820
1821
1822
1823
1824
1825
1826
1827
1828
1829
1830
1831
1832
1833
1834
1835
1836
1837
1838
1839
1840
1841
1842
1843
1844
1845
1846
1847
1848
1849
1850
1851
1852
1853
1854
1855
1856
1857
1858
1859
1860
1861
1862
1863
1864
1865
1866
1867
1868
1869
1870
1871
1872
1873
1874
1875
1876
1877
1878
1879
1880
1881
1882
1883
1884
1885
1886
1887
1888
1889
1890
1891
1892
1893
1894
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908
1909
1910
1911
1912
1913
1914
1915
1916
1917
1918
1919
1920
1921
1922
1923
1924
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939
1940
1941
1942
1943
1944
1945
1946
1947
1948
1949
1950
1951
1952
1953
1954
1955
1956
1957
1958
1959
1960
1961
1962
1963
1964
1965
1966
1967
1968
1969
1970
1971
1972
1973
1974
1975
1976
1977
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987
1988
1989
1990
1991
1992
1993
1994
1995
1996
1997
1998
1999
2000
if (!strcasecmp(date_hdrs[i], key)) {
apr_table_add(r->headers_out, key,
date_canon(r->pool, value));
return;
}
}
for (i = 0; transform_hdrs[i].name; ++i) {
if (!strcasecmp(transform_hdrs[i].name, key)) {
apr_table_add(r->headers_out, key,
(*transform_hdrs[i].func)(r, c, value));
return;
}
}
apr_table_add(r->headers_out, key, value);
}
/*
* Note: pread_len is the length of the response that we've mistakenly
* read (assuming that we don't consider that an error via
* ProxyBadHeader StartBody). This depends on buffer actually being
* local storage to the calling code in order for pread_len to make
* any sense at all, since we depend on buffer still containing
* what was read by ap_getline() upon return.
*/
static void ap_proxy_read_headers(request_rec *r, request_rec *rr,
char *buffer, int size,
conn_rec *c, int *pread_len)
{
int len;
char *value, *end;
char field[MAX_STRING_LEN];
int saw_headers = 0;
void *sconf = r->server->module_config;
proxy_server_conf *psc;
proxy_dir_conf *dconf;
dconf = ap_get_module_config(r->per_dir_config, &proxy_module);
psc = (proxy_server_conf *) ap_get_module_config(sconf, &proxy_module);
r->headers_out = apr_table_make(r->pool, 20);
r->trailers_out = apr_table_make(r->pool, 5);
*pread_len = 0;
/*
* Read header lines until we get the empty separator line, a read error,
* the connection closes (EOF), or we timeout.
*/
ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r,
"Headers received from backend:");
while ((len = ap_getline(buffer, size, rr, 1)) > 0) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE4, 0, r, "%s", buffer);
if (!(value = strchr(buffer, ':'))) { /* Find the colon separator */
/* We may encounter invalid headers, usually from buggy
* MS IIS servers, so we need to determine just how to handle
* them. We can either ignore them, assume that they mark the
* start-of-body (eg: a missing CRLF) or (the default) mark
* the headers as totally bogus and return a 500. The sole
* exception is an extra "HTTP/1.0 200, OK" line sprinkled
* in between the usual MIME headers, which is a favorite
* IIS bug.
*/
/* XXX: The mask check is buggy if we ever see an HTTP/1.10 */
if (!apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
if (psc->badopt == bad_error) {
/* Nope, it wasn't even an extra HTTP header. Give up. */
r->headers_out = NULL;
return;
}
else if (psc->badopt == bad_body) {
/* if we've already started loading headers_out, then
* return what we've accumulated so far, in the hopes
* that they are useful; also note that we likely pre-read
* the first line of the response.
*/
if (saw_headers) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01098)
"Starting body due to bogus non-header "
"in headers returned by %s (%s)",
r->uri, r->method);
*pread_len = len;
return;
}
else {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01099)
"No HTTP headers returned by %s (%s)",
r->uri, r->method);
return;
}
}
}
/* this is the psc->badopt == bad_ignore case */
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01100)
"Ignoring bogus HTTP header returned by %s (%s)",
r->uri, r->method);
continue;
}
*value = '\0';
++value;
/* XXX: RFC2068 defines only SP and HT as whitespace, this test is
* wrong... and so are many others probably.
*/
while (apr_isspace(*value))
++value; /* Skip to start of value */
/* should strip trailing whitespace as well */
for (end = &value[strlen(value)-1]; end > value && apr_isspace(*end); --end)
*end = '\0';
/* make sure we add so as not to destroy duplicated headers
* Modify headers requiring canonicalisation and/or affected
* by ProxyPassReverse and family with process_proxy_header
*/
process_proxy_header(r, dconf, buffer, value);
saw_headers = 1;
/* the header was too long; at the least we should skip extra data */
if (len >= size - 1) {
while ((len = ap_getline(field, MAX_STRING_LEN, rr, 1))
>= MAX_STRING_LEN - 1) {
/* soak up the extra data */
}
if (len == 0) /* time to exit the larger loop as well */
break;
}
}
}
static int addit_dammit(void *v, const char *key, const char *val)
{
apr_table_addn(v, key, val);
return 1;
}
static
apr_status_t ap_proxygetline(apr_bucket_brigade *bb, char *s, int n, request_rec *r,
int fold, int *writen)
{
char *tmp_s = s;
apr_status_t rv;
apr_size_t len;
rv = ap_rgetline(&tmp_s, n, &len, r, fold, bb);
apr_brigade_cleanup(bb);
if (rv == APR_SUCCESS) {
*writen = (int) len;
} else if (APR_STATUS_IS_ENOSPC(rv)) {
*writen = n;
} else {
*writen = -1;
}
return rv;
}
/*
* Limit the number of interim responses we sent back to the client. Otherwise
* we suffer from a memory build up. Besides there is NO sense in sending back
* an unlimited number of interim responses to the client. Thus if we cross
* this limit send back a 502 (Bad Gateway).
*/
#ifndef AP_MAX_INTERIM_RESPONSES
#define AP_MAX_INTERIM_RESPONSES 10
#endif
static int add_trailers(void *data, const char *key, const char *val)
{
if (val) {
apr_table_add((apr_table_t*)data, key, val);
}
return 1;
}
static
apr_status_t ap_proxy_http_process_response(apr_pool_t * p, request_rec *r,
proxy_conn_rec **backend_ptr,
proxy_worker *worker,
proxy_server_conf *conf,
char *server_portstr) {
conn_rec *c = r->connection;
char buffer[HUGE_STRING_LEN];
const char *buf;
char keepchar;
apr_bucket *e;
apr_bucket_brigade *bb;
apr_bucket_brigade *pass_bb;
int len, backasswards;
int interim_response = 0; /* non-zero whilst interim 1xx responses
* are being read. */
int pread_len = 0;
apr_table_t *save_table;
int backend_broke = 0;
static const char *hop_by_hop_hdrs[] =
{"Keep-Alive", "Proxy-Authenticate", "TE", "Trailer", "Upgrade", NULL};
int i;
const char *te = NULL;
int original_status = r->status;
int proxy_status = OK;
const char *original_status_line = r->status_line;
const char *proxy_status_line = NULL;
proxy_conn_rec *backend = *backend_ptr;
conn_rec *origin = backend->connection;
apr_interval_time_t old_timeout = 0;
proxy_dir_conf *dconf;
int do_100_continue;
dconf = ap_get_module_config(r->per_dir_config, &proxy_module);
do_100_continue = (worker->s->ping_timeout_set
&& ap_request_has_body(r)
&& (PROXYREQ_REVERSE == r->proxyreq)
&& !(apr_table_get(r->subprocess_env, "force-proxy-request-1.0")));
bb = apr_brigade_create(p, c->bucket_alloc);
pass_bb = apr_brigade_create(p, c->bucket_alloc);
/* Setup for 100-Continue timeout if appropriate */
if (do_100_continue) {
apr_socket_timeout_get(backend->sock, &old_timeout);
if (worker->s->ping_timeout != old_timeout) {
apr_status_t rc;
rc = apr_socket_timeout_set(backend->sock, worker->s->ping_timeout);
if (rc != APR_SUCCESS) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r, APLOGNO(01101)
"could not set 100-Continue timeout");
}
}
}
/* Get response from the remote server, and pass it up the
* filter chain
*/
backend->r = make_fake_req(origin, r);
/* In case anyone needs to know, this is a fake request that is really a
* response.
*/
backend->r->proxyreq = PROXYREQ_RESPONSE;
apr_table_setn(r->notes, "proxy-source-port", apr_psprintf(r->pool, "%hu",
origin->local_addr->port));
do {
apr_status_t rc;
apr_brigade_cleanup(bb);
rc = ap_proxygetline(backend->tmp_bb, buffer, sizeof(buffer),
backend->r, 0, &len);
if (len == 0) {
/* handle one potential stray CRLF */
rc = ap_proxygetline(backend->tmp_bb, buffer, sizeof(buffer),
backend->r, 0, &len);
}
if (len <= 0) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, rc, r, APLOGNO(01102)
"error reading status line from remote "
"server %s:%d", backend->hostname, backend->port);
if (APR_STATUS_IS_TIMEUP(rc)) {
apr_table_setn(r->notes, "proxy_timedout", "1");
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01103) "read timeout");
if (do_100_continue) {
return ap_proxyerror(r, HTTP_SERVICE_UNAVAILABLE, "Timeout on 100-Continue");
}
}
/*
* If we are a reverse proxy request shutdown the connection
* WITHOUT ANY response to trigger a retry by the client
* if allowed (as for idempotent requests).
* BUT currently we should not do this if the request is the
* first request on a keepalive connection as browsers like
* seamonkey only display an empty page in this case and do
* not do a retry. We should also not do this on a
* connection which times out; instead handle as
* we normally would handle timeouts
*/
if (r->proxyreq == PROXYREQ_REVERSE && c->keepalives &&
!APR_STATUS_IS_TIMEUP(rc)) {
apr_bucket *eos;
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01104)
"Closing connection to client because"
" reading from backend server %s:%d failed."
" Number of keepalives %i", backend->hostname,
backend->port, c->keepalives);
ap_proxy_backend_broke(r, bb);
/*
* Add an EOC bucket to signal the ap_http_header_filter
* that it should get out of our way, BUT ensure that the
* EOC bucket is inserted BEFORE an EOS bucket in bb as
* some resource filters like mod_deflate pass everything
* up to the EOS down the chain immediately and sent the
* remainder of the brigade later (or even never). But in
* this case the ap_http_header_filter does not get out of
* our way soon enough.
*/
e = ap_bucket_eoc_create(c->bucket_alloc);
eos = APR_BRIGADE_LAST(bb);
while ((APR_BRIGADE_SENTINEL(bb) != eos)
&& !APR_BUCKET_IS_EOS(eos)) {
eos = APR_BUCKET_PREV(eos);
}
if (eos == APR_BRIGADE_SENTINEL(bb)) {
APR_BRIGADE_INSERT_TAIL(bb, e);
}
else {
APR_BUCKET_INSERT_BEFORE(eos, e);
}
ap_pass_brigade(r->output_filters, bb);
/* Mark the backend connection for closing */
backend->close = 1;
/* Need to return OK to avoid sending an error message */
return OK;
}
else if (!c->keepalives) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01105)
"NOT Closing connection to client"
" although reading from backend server %s:%d"
" failed.",
backend->hostname, backend->port);
}
return ap_proxyerror(r, HTTP_BAD_GATEWAY,
"Error reading from remote server");
}
/* XXX: Is this a real headers length send from remote? */
backend->worker->s->read += len;
/* Is it an HTTP/1 response?
* This is buggy if we ever see an HTTP/1.10
*/
if (apr_date_checkmask(buffer, "HTTP/#.# ###*")) {
int major, minor;
int toclose;
major = buffer[5] - '0';
minor = buffer[7] - '0';
/* If not an HTTP/1 message or
* if the status line was > 8192 bytes
*/
if ((major != 1) || (len >= sizeof(buffer)-1)) {
return ap_proxyerror(r, HTTP_BAD_GATEWAY,
apr_pstrcat(p, "Corrupt status line returned by remote "
"server: ", buffer, NULL));
}
backasswards = 0;
keepchar = buffer[12];
buffer[12] = '\0';
proxy_status = atoi(&buffer[9]);
apr_table_setn(r->notes, "proxy-status",
apr_pstrdup(r->pool, &buffer[9]));
if (keepchar != '\0') {
buffer[12] = keepchar;
} else {
/* 2616 requires the space in Status-Line; the origin
* server may have sent one but ap_rgetline_core will
* have stripped it. */
buffer[12] = ' ';
buffer[13] = '\0';
}
proxy_status_line = apr_pstrdup(p, &buffer[9]);
/* The status out of the front is the same as the status coming in
* from the back, until further notice.
*/
r->status = proxy_status;
r->status_line = proxy_status_line;
ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r,
"Status from backend: %d", proxy_status);
/* read the headers. */
/* N.B. for HTTP/1.0 clients, we have to fold line-wrapped headers*/
/* Also, take care with headers with multiple occurences. */
/* First, tuck away all already existing cookies */
save_table = apr_table_make(r->pool, 2);
apr_table_do(addit_dammit, save_table, r->headers_out,
"Set-Cookie", NULL);
/* shove the headers direct into r->headers_out */
ap_proxy_read_headers(r, backend->r, buffer, sizeof(buffer), origin,
&pread_len);
if (r->headers_out == NULL) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01106)
"bad HTTP/%d.%d header returned by %s (%s)",
major, minor, r->uri, r->method);
backend->close = 1;
/*
* ap_send_error relies on a headers_out to be present. we
* are in a bad position here.. so force everything we send out
* to have nothing to do with the incoming packet
*/
r->headers_out = apr_table_make(r->pool,1);
r->status = HTTP_BAD_GATEWAY;
r->status_line = "bad gateway";
return r->status;
}
/* Now, add in the just read cookies */
apr_table_do(addit_dammit, save_table, r->headers_out,
"Set-Cookie", NULL);
/* and now load 'em all in */
if (!apr_is_empty_table(save_table)) {
apr_table_unset(r->headers_out, "Set-Cookie");
r->headers_out = apr_table_overlay(r->pool,
r->headers_out,
save_table);
}
/* can't have both Content-Length and Transfer-Encoding */
if (apr_table_get(r->headers_out, "Transfer-Encoding")
&& apr_table_get(r->headers_out, "Content-Length")) {
/*
* 2616 section 4.4, point 3: "if both Transfer-Encoding
* and Content-Length are received, the latter MUST be
* ignored";
*
* To help mitigate HTTP Splitting, unset Content-Length
* and shut down the backend server connection
* XXX: We aught to treat such a response as uncachable
*/
apr_table_unset(r->headers_out, "Content-Length");
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01107)
"server %s:%d returned Transfer-Encoding"
" and Content-Length",
backend->hostname, backend->port);
backend->close = 1;
}
/*
* Save a possible Transfer-Encoding header as we need it later for
* ap_http_filter to know where to end.
*/
te = apr_table_get(r->headers_out, "Transfer-Encoding");
/* strip connection listed hop-by-hop headers from response */
toclose = ap_proxy_clear_connection_fn(r, r->headers_out);
if (toclose) {
backend->close = 1;
}
if ((buf = apr_table_get(r->headers_out, "Content-Type"))) {
ap_set_content_type(r, apr_pstrdup(p, buf));
}
if (!ap_is_HTTP_INFO(proxy_status)) {
ap_proxy_pre_http_request(origin, backend->r);
}
/* Clear hop-by-hop headers */
for (i=0; hop_by_hop_hdrs[i]; ++i) {
apr_table_unset(r->headers_out, hop_by_hop_hdrs[i]);
}
/* Delete warnings with wrong date */
r->headers_out = ap_proxy_clean_warnings(p, r->headers_out);
/* handle Via header in response */
if (conf->viaopt != via_off && conf->viaopt != via_block) {
const char *server_name = ap_get_server_name(r);
/* If USE_CANONICAL_NAME_OFF was configured for the proxy virtual host,
* then the server name returned by ap_get_server_name() is the
* origin server name (which does make too much sense with Via: headers)
* so we use the proxy vhost's name instead.
*/
if (server_name == r->hostname)
server_name = r->server->server_hostname;
/* create a "Via:" response header entry and merge it */
apr_table_addn(r->headers_out, "Via",
(conf->viaopt == via_full)
? apr_psprintf(p, "%d.%d %s%s (%s)",
HTTP_VERSION_MAJOR(r->proto_num),
HTTP_VERSION_MINOR(r->proto_num),
server_name,
server_portstr,
AP_SERVER_BASEVERSION)
: apr_psprintf(p, "%d.%d %s%s",
HTTP_VERSION_MAJOR(r->proto_num),
HTTP_VERSION_MINOR(r->proto_num),
server_name,
server_portstr)
);
}
/* cancel keepalive if HTTP/1.0 or less */
if ((major < 1) || (minor < 1)) {
backend->close = 1;
origin->keepalive = AP_CONN_CLOSE;
}
} else {
/* an http/0.9 response */
backasswards = 1;
r->status = 200;
r->status_line = "200 OK";
backend->close = 1;
}
if (ap_is_HTTP_INFO(proxy_status)) {
interim_response++;
/* Reset to old timeout iff we've adjusted it */
if (do_100_continue
&& (r->status == HTTP_CONTINUE)
&& (worker->s->ping_timeout != old_timeout)) {
apr_socket_timeout_set(backend->sock, old_timeout);
}
}
else {
interim_response = 0;
}
if (interim_response) {
/* RFC2616 tells us to forward this.
*
* OTOH, an interim response here may mean the backend
* is playing sillybuggers. The Client didn't ask for
* it within the defined HTTP/1.1 mechanisms, and if
* it's an extension, it may also be unsupported by us.
*
* There's also the possibility that changing existing
* behaviour here might break something.
*
* So let's make it configurable.
*
* We need to set "r->expecting_100 = 1" otherwise origin
* server behaviour will apply.
*/
const char *policy = apr_table_get(r->subprocess_env,
"proxy-interim-response");
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r,
"HTTP: received interim %d response", r->status);
if (!policy
|| (!strcasecmp(policy, "RFC") && ((r->expecting_100 = 1)))) {
ap_send_interim_response(r, 1);
}
/* FIXME: refine this to be able to specify per-response-status
* policies and maybe also add option to bail out with 502
*/
else if (strcasecmp(policy, "Suppress")) {
ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO(01108)
"undefined proxy interim response policy");
}
}
/* Moved the fixups of Date headers and those affected by
* ProxyPassReverse/etc from here to ap_proxy_read_headers
*/
if ((proxy_status == 401) && (dconf->error_override)) {
const char *buf;
const char *wa = "WWW-Authenticate";
if ((buf = apr_table_get(r->headers_out, wa))) {
apr_table_set(r->err_headers_out, wa, buf);
} else {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01109)
"origin server sent 401 without "
"WWW-Authenticate header");
}
}
r->sent_bodyct = 1;
/*
* Is it an HTTP/0.9 response or did we maybe preread the 1st line of
* the response? If so, load the extra data. These are 2 mutually
* exclusive possibilities, that just happen to require very
* similar behavior.
*/
if (backasswards || pread_len) {
apr_ssize_t cntr = (apr_ssize_t)pread_len;
if (backasswards) {
/*@@@FIXME:
* At this point in response processing of a 0.9 response,
* we don't know yet whether data is binary or not.
* mod_charset_lite will get control later on, so it cannot
* decide on the conversion of this buffer full of data.
* However, chances are that we are not really talking to an
* HTTP/0.9 server, but to some different protocol, therefore
* the best guess IMHO is to always treat the buffer as "text/x":
*/
ap_xlate_proto_to_ascii(buffer, len);
cntr = (apr_ssize_t)len;
}
e = apr_bucket_heap_create(buffer, cntr, NULL, c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, e);
}
/* PR 41646: get HEAD right with ProxyErrorOverride */
if (ap_is_HTTP_ERROR(r->status) && dconf->error_override) {
/* clear r->status for override error, otherwise ErrorDocument
* thinks that this is a recursive error, and doesn't find the
* custom error page
*/
r->status = HTTP_OK;
/* Discard body, if one is expected */
if (!r->header_only && /* not HEAD request */
(proxy_status != HTTP_NO_CONTENT) && /* not 204 */
(proxy_status != HTTP_NOT_MODIFIED)) { /* not 304 */
const char *tmp;
/* Add minimal headers needed to allow http_in filter
* detecting end of body without waiting for a timeout. */
if ((tmp = apr_table_get(r->headers_out, "Transfer-Encoding"))) {
apr_table_set(backend->r->headers_in, "Transfer-Encoding", tmp);
}
else if ((tmp = apr_table_get(r->headers_out, "Content-Length"))) {
apr_table_set(backend->r->headers_in, "Content-Length", tmp);
}
else if (te) {
apr_table_set(backend->r->headers_in, "Transfer-Encoding", te);
}
ap_discard_request_body(backend->r);
}
/*
* prevent proxy_handler() from treating this as an
* internal error.
*/
apr_table_setn(r->notes, "proxy-error-override", "1");
return proxy_status;
}
/* send body - but only if a body is expected */
if ((!r->header_only) && /* not HEAD request */
!interim_response && /* not any 1xx response */
(proxy_status != HTTP_NO_CONTENT) && /* not 204 */
(proxy_status != HTTP_NOT_MODIFIED)) { /* not 304 */
/* We need to copy the output headers and treat them as input
* headers as well. BUT, we need to do this before we remove
* TE, so that they are preserved accordingly for
* ap_http_filter to know where to end.
*/
backend->r->headers_in = apr_table_clone(backend->r->pool, r->headers_out);
/*
* Restore Transfer-Encoding header from response if we saved
* one before and there is none left. We need it for the
* ap_http_filter. See above.
*/
if (te && !apr_table_get(backend->r->headers_in, "Transfer-Encoding")) {
apr_table_add(backend->r->headers_in, "Transfer-Encoding", te);
}
apr_table_unset(r->headers_out,"Transfer-Encoding");
ap_log_rerror(APLOG_MARK, APLOG_TRACE3, 0, r, "start body send");
/*
* if we are overriding the errors, we can't put the content
* of the page into the brigade
*/
if (!dconf->error_override || !ap_is_HTTP_ERROR(proxy_status)) {
/* read the body, pass it to the output filters */
apr_read_type_e mode = APR_NONBLOCK_READ;
int finish = FALSE;
/* Handle the case where the error document is itself reverse
* proxied and was successful. We must maintain any previous
* error status so that an underlying error (eg HTTP_NOT_FOUND)
* doesn't become an HTTP_OK.
*/
if (dconf->error_override && !ap_is_HTTP_ERROR(proxy_status)
&& ap_is_HTTP_ERROR(original_status)) {
r->status = original_status;
r->status_line = original_status_line;
}
do {
apr_off_t readbytes;
apr_status_t rv;
rv = ap_get_brigade(backend->r->input_filters, bb,
AP_MODE_READBYTES, mode,
conf->io_buffer_size);
/* ap_get_brigade will return success with an empty brigade
* for a non-blocking read which would block: */
if (mode == APR_NONBLOCK_READ
&& (APR_STATUS_IS_EAGAIN(rv)
|| (rv == APR_SUCCESS && APR_BRIGADE_EMPTY(bb)))) {
/* flush to the client and switch to blocking mode */
e = apr_bucket_flush_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, e);
if (ap_pass_brigade(r->output_filters, bb)
|| c->aborted) {
backend->close = 1;
break;
}
apr_brigade_cleanup(bb);
mode = APR_BLOCK_READ;
continue;
}
else if (rv == APR_EOF) {
backend->close = 1;
break;
}
else if (rv != APR_SUCCESS) {
/* In this case, we are in real trouble because
* our backend bailed on us. Pass along a 502 error
* error bucket
*/
ap_log_rerror(APLOG_MARK, APLOG_ERR, rv, r, APLOGNO(01110)
"error reading response");
ap_proxy_backend_broke(r, bb);
ap_pass_brigade(r->output_filters, bb);
backend_broke = 1;
backend->close = 1;
break;
}
/* next time try a non-blocking read */
mode = APR_NONBLOCK_READ;
if (!apr_is_empty_table(backend->r->trailers_in)) {
apr_table_do(add_trailers, r->trailers_out,
backend->r->trailers_in, NULL);
apr_table_clear(backend->r->trailers_in);
}
apr_brigade_length(bb, 0, &readbytes);
backend->worker->s->read += readbytes;
#if DEBUGGING
{
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01111)
"readbytes: %#x", readbytes);
}
#endif
/* sanity check */
if (APR_BRIGADE_EMPTY(bb)) {
break;
}
/* Switch the allocator lifetime of the buckets */
ap_proxy_buckets_lifetime_transform(r, bb, pass_bb);
/* found the last brigade? */
if (APR_BUCKET_IS_EOS(APR_BRIGADE_LAST(pass_bb))) {
/* signal that we must leave */
finish = TRUE;
/* the brigade may contain transient buckets that contain
* data that lives only as long as the backend connection.
* Force a setaside so these transient buckets become heap
* buckets that live as long as the request.
*/
for (e = APR_BRIGADE_FIRST(pass_bb); e
!= APR_BRIGADE_SENTINEL(pass_bb); e
= APR_BUCKET_NEXT(e)) {
apr_bucket_setaside(e, r->pool);
}
/* finally it is safe to clean up the brigade from the
* connection pool, as we have forced a setaside on all
* buckets.
*/
apr_brigade_cleanup(bb);
/* make sure we release the backend connection as soon
* as we know we are done, so that the backend isn't
* left waiting for a slow client to eventually
* acknowledge the data.
*/
ap_proxy_release_connection(backend->worker->s->scheme,
backend, r->server);
/* Ensure that the backend is not reused */
*backend_ptr = NULL;
}
/* try send what we read */
if (ap_pass_brigade(r->output_filters, pass_bb) != APR_SUCCESS
|| c->aborted) {
/* Ack! Phbtt! Die! User aborted! */
/* Only close backend if we haven't got all from the
* backend. Furthermore if *backend_ptr is NULL it is no
* longer safe to fiddle around with backend as it might
* be already in use by another thread.
*/
if (*backend_ptr) {
backend->close = 1; /* this causes socket close below */
}
finish = TRUE;
}
/* make sure we always clean up after ourselves */
apr_brigade_cleanup(pass_bb);
apr_brigade_cleanup(bb);
} while (!finish);
}
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "end body send");
}
else if (!interim_response) {
ap_log_rerror(APLOG_MARK, APLOG_TRACE2, 0, r, "header only");
/* make sure we release the backend connection as soon
* as we know we are done, so that the backend isn't
* left waiting for a slow client to eventually
* acknowledge the data.
*/
ap_proxy_release_connection(backend->worker->s->scheme,
backend, r->server);
*backend_ptr = NULL;
/* Pass EOS bucket down the filter chain. */
e = apr_bucket_eos_create(c->bucket_alloc);
APR_BRIGADE_INSERT_TAIL(bb, e);
ap_pass_brigade(r->output_filters, bb);
apr_brigade_cleanup(bb);
}
} while (interim_response && (interim_response < AP_MAX_INTERIM_RESPONSES));
/* We have to cleanup bb brigade, because buckets inserted to it could be
* created from scpool and this pool can be freed before this brigade. */
apr_brigade_cleanup(bb);
/* See define of AP_MAX_INTERIM_RESPONSES for why */
if (interim_response >= AP_MAX_INTERIM_RESPONSES) {
return ap_proxyerror(r, HTTP_BAD_GATEWAY,
apr_psprintf(p,
"Too many (%d) interim responses from origin server",
interim_response));
}
/* If our connection with the client is to be aborted, return DONE. */
if (c->aborted || backend_broke) {
return DONE;
}
return OK;
}
static
apr_status_t ap_proxy_http_cleanup(const char *scheme, request_rec *r,
proxy_conn_rec *backend)
{
ap_proxy_release_connection(scheme, backend, r->server);
return OK;
}
/*
* This handles http:// URLs, and other URLs using a remote proxy over http
* If proxyhost is NULL, then contact the server directly, otherwise
* go via the proxy.
* Note that if a proxy is used, then URLs other than http: can be accessed,
* also, if we have trouble which is clearly specific to the proxy, then
* we return DECLINED so that we can try another proxy. (Or the direct
* route.)
*/
static int proxy_http_handler(request_rec *r, proxy_worker *worker,
proxy_server_conf *conf,
char *url, const char *proxyname,
apr_port_t proxyport)
{
int status;
char server_portstr[32];
char *scheme;
const char *proxy_function;
const char *u;
proxy_conn_rec *backend = NULL;
int is_ssl = 0;
conn_rec *c = r->connection;
int retry = 0;
/*
* Use a shorter-lived pool to reduce memory usage
* and avoid a memory leak
*/
apr_pool_t *p = r->pool;
apr_uri_t *uri = apr_palloc(p, sizeof(*uri));
/* find the scheme */
u = strchr(url, ':');
if (u == NULL || u[1] != '/' || u[2] != '/' || u[3] == '\0')
return DECLINED;
if ((u - url) > 14)
return HTTP_BAD_REQUEST;
scheme = apr_pstrmemdup(p, url, u - url);
/* scheme is lowercase */
ap_str_tolower(scheme);
/* is it for us? */
if (strcmp(scheme, "https") == 0) {
if (!ap_proxy_ssl_enable(NULL)) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01112)
"HTTPS: declining URL %s (mod_ssl not configured?)",
url);
return DECLINED;
}
is_ssl = 1;
proxy_function = "HTTPS";
}
else if (!(strcmp(scheme, "http") == 0 || (strcmp(scheme, "ftp") == 0 && proxyname))) {
ap_log_rerror(APLOG_MARK, APLOG_DEBUG, 0, r, APLOGNO(01113) "HTTP: declining URL %s",
url);
return DECLINED; /* only interested in HTTP, or FTP via proxy */
}
else {
if (*scheme == 'h')
proxy_function = "HTTP";
else
proxy_function = "FTP";
}
ap_log_rerror(APLOG_MARK, APLOG_TRACE1, 0, r, "HTTP: serving URL %s", url);
/* create space for state information */
if ((status = ap_proxy_acquire_connection(proxy_function, &backend,
worker, r->server)) != OK)
goto cleanup;
backend->is_ssl = is_ssl;
/*
* In the case that we are handling a reverse proxy connection and this
* is not a request that is coming over an already kept alive connection
* with the client, do NOT reuse the connection to the backend, because
* we cannot forward a failure to the client in this case as the client
* does NOT expect this in this situation.
* Yes, this creates a performance penalty.
*/
if ((r->proxyreq == PROXYREQ_REVERSE) && (!c->keepalives)
&& (apr_table_get(r->subprocess_env, "proxy-initial-not-pooled"))) {
backend->close = 1;
}
while (retry < 2) {
char *locurl = url;
/* Step One: Determine Who To Connect To */
if ((status = ap_proxy_determine_connection(p, r, conf, worker, backend,
uri, &locurl, proxyname,
proxyport, server_portstr,
sizeof(server_portstr))) != OK)
break;
/* Step Two: Make the Connection */
if (ap_proxy_check_connection(proxy_function, backend, r->server, 1,
PROXY_CHECK_CONN_EMPTY)
&& ap_proxy_connect_backend(proxy_function, backend, worker,
r->server)) {
ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(01114)
"HTTP: failed to make connection to backend: %s",
backend->hostname);
status = HTTP_SERVICE_UNAVAILABLE;
break;
}
/* Step Three: Create conn_rec */
if (!backend->connection) {
if ((status = ap_proxy_connection_create(proxy_function, backend,
c, r->server)) != OK)
break;
/*
* On SSL connections set a note on the connection what CN is
* requested, such that mod_ssl can check if it is requested to do
* so.
*/
if (backend->ssl_hostname) {
apr_table_setn(backend->connection->notes,
"proxy-request-hostname",
backend->ssl_hostname);
}
}
/* Step Four: Send the Request
* On the off-chance that we forced a 100-Continue as a
* kinda HTTP ping test, allow for retries
*/
if ((status = ap_proxy_http_request(p, r, backend, worker,
conf, uri, locurl, server_portstr)) != OK) {
if ((status == HTTP_SERVICE_UNAVAILABLE) && worker->s->ping_timeout_set) {
backend->close = 1;
ap_log_rerror(APLOG_MARK, APLOG_INFO, status, r, APLOGNO(01115)
"HTTP: 100-Continue failed to %pI (%s)",
worker->cp->addr, worker->s->hostname);
retry++;
continue;
} else {
break;
}
}
/* Step Five: Receive the Response... Fall thru to cleanup */
status = ap_proxy_http_process_response(p, r, &backend, worker,
conf, server_portstr);
break;
}
/* Step Six: Clean Up */
cleanup:
if (backend) {
if (status != OK)
backend->close = 1;
ap_proxy_http_cleanup(proxy_function, r, backend);
}
return status;
}