Supported recursive ip extraction.

README

@@ -6,6 +6,7 @@ This module was originally written by Thomas Eibner <[email protected]>.
 
 The differences from the original module are:
 * Feature: Support for partial IP address as '10.1.' for RPAFproxy_ips. The author of this patch is unknown.
+* Feature: Recursive ip extraction with RPAFrecursive directive.
 * Bugfix: In the case of APR_HAVE_IPV6-enabled build, access control of Order/Allow/Deny does not work correctly.
 * Support of httpd 1.3 was deleted.
 
@@ -29,6 +30,11 @@ or simply try:
  # Allows you to change which header mod_rpaf looks
  # for when trying to find the ip the that is forwarding
  # our requests
+ RPAFrecursive On
+ # If recursive search is disabled, remote address is replaced by the
+ # last address in RPAFheader directive. If recursive search is
+ # enabled, remote address is replaced by the last non-trusted address
+ # in RPAFheader directive.
 
 ## Author
 * Thomas Eibner <[email protected]>

mod_rpaf-2.0.c

@@ -80,6 +80,7 @@ typedef struct {
     int                sethostname;
     const char         *headername;
     apr_array_header_t *proxy_ips;
+    int                recursive;
 } rpaf_server_cfg;
 
 typedef struct {
@@ -137,6 +138,15 @@ static const char *rpaf_sethostname(cmd_parms *cmd, void *dummy, int flag) {
     return NULL;
 }
 
+static const char *rpaf_set_recursive(cmd_parms *cmd, void *dummy, int flag) {
+    server_rec *s = cmd->server;
+    rpaf_server_cfg *cfg = (rpaf_server_cfg *)ap_get_module_config(s->module_config, 
+                                                                   &rpaf_module);
+
+    cfg->recursive = flag;
+    return NULL;
+}
+
 static int is_in_array(const char *remote_ip, apr_array_header_t *proxy_ips) {
     int i;
     char **list = (char**)proxy_ips->elts;
@@ -147,6 +157,21 @@ static int is_in_array(const char *remote_ip, apr_array_header_t *proxy_ips) {
     return 0;
 }
 
+static char *extract_ip(apr_array_header_t *arr, apr_array_header_t *proxy_ips, int recursive) {
+    int i;
+    char **ips = (char **)arr->elts;
+    int len = arr->nelts;
+    ap_assert(len >= 0);
+
+    if (!recursive) return ips[len-1];
+    for (i = len-1; i >= 0; i--) {
+        if (!is_in_array(ips[i], proxy_ips)) {
+            return ips[i];
+        }
+    }
+    return ips[0];
+}
+
 static apr_status_t rpaf_cleanup(void *data) {
     rpaf_cleanup_rec *rcr = (rpaf_cleanup_rec *)data;
     rcr->r->connection->remote_ip   = apr_pstrdup(rcr->r->connection->pool, rcr->old_ip);
@@ -187,7 +212,7 @@ static int change_remote_ip(request_rec *r) {
             rcr->old_family = r->connection->remote_addr->sa.sin.sin_family;
             rcr->r = r;
             apr_pool_cleanup_register(r->pool, (void *)rcr, rpaf_cleanup, apr_pool_cleanup_null);
-            r->connection->remote_ip = apr_pstrdup(r->connection->pool, ((char **)arr->elts)[((arr->nelts)-1)]);
+            r->connection->remote_ip = apr_pstrdup(r->connection->pool, extract_ip(arr, cfg->proxy_ips, cfg->recursive));
             r->connection->remote_addr->sa.sin.sin_addr.s_addr = apr_inet_addr(r->connection->remote_ip);
             r->connection->remote_addr->sa.sin.sin_family = AF_INET;
             if (cfg->sethostname) {
@@ -239,6 +264,13 @@ static const command_rec rpaf_cmds[] = {
                     RSRC_CONF,
                     "Which header to look for when trying to find the real ip of the client in a proxy setup"
                     ),
+    AP_INIT_FLAG(
+                 "RPAFrecursive",
+                 rpaf_set_recursive,
+                 NULL,
+                 RSRC_CONF,
+                 "Enable to support recursive ip extraction."
+                 ),
     { NULL }
 };
 

mod_rpaf.conf

@@ -3,3 +3,4 @@ RPAFenable On
 RPAFsethostname On
 RPAFproxy_ips 127.0.0.1
 RPAFheader X-Forwarded-For
+RPAFrecursive Off