Home » FreeBSD » stunnel 5.08 X-Forwarded-For patch (Tag: )

X-Forwarded-For patch (stunnel-4.35-xforwarded-for.diff) を適用した stunnel 4.35 を 5.08 にアップデートした際に、stunnel 5.02 X-Forwarded-For patch を一部参考にしつつ 5.08 向け patch を作成しました。

ソースファイルを展開したディレクトリを /usr/appli/ とし、文末に添付した patch を同ディレクトリに stunnel-5.08-xforwarded-for.diff として保存した場合、

cd /usr/appli/stunnel-5.08/
patch -p1 < stunnel-5.08-xforwarded-for.diff

上記を実行することで適用されます。

diff -ru stunnel-5.08.0/doc/stunnel.8 stunnel-5.08/doc/stunnel.8
--- stunnel-5.08.0/doc/stunnel.8    2014-11-16 00:25:48.000000000 +0900
+++ stunnel-5.08/doc/stunnel.8      2015-01-29 16:56:47.000000000 +0900
@@ -751,6 +751,10 @@
 .IP "\fBTIMEOUTidle\fR = \s-1SECONDS\s0" 4
 .IX Item "TIMEOUTidle = SECONDS"
 time to keep an idle connection
+.IP "\fBxforwardedfor\fR = yes | no" 4
+.IX Item "xforwardedfor = yes | no"
+append an 'X-Forwarded-For:' HTTP request header providing the
+client's IP address to the server.
 .IP "\fBtransparent\fR = none | source | destination | both (Unix only)" 4
 .IX Item "transparent = none | source | destination | both (Unix only)"
 enable transparent proxy support on selected platforms
diff -ru stunnel-5.08.0/doc/stunnel.fr.8 stunnel-5.08/doc/stunnel.fr.8
--- stunnel-5.08.0/doc/stunnel.fr.8    2014-09-22 18:47:00.000000000 +0900
+++ stunnel-5.08/doc/stunnel.fr.8      2015-01-29 16:55:36.000000000 +0900
@@ -399,6 +399,10 @@
 .IP "\fBTIMEOUTidle\fR = secondes" 4
 .IX Item "TIMEOUTidle = secondes"
 Durée d'attente sur une connexion inactive
+.IP "\fBxforwardedfor\fR = yes | no" 4
+.IX Item "xforwardedfor = yes | no"
+Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant
+au serveur l'adresse IP du client.
 .IP "\fBtransparent\fR = yes | no (Unix seulement)" 4
 .IX Item "transparent = yes | no (Unix seulement)"
 Mode mandataire transparent
diff -ru stunnel-5.08.0/src/client.c stunnel-5.08/src/client.c
--- stunnel-5.08.0/src/client.c    2014-11-20 16:52:45.000000000 +0900
+++ stunnel-5.08/src/client.c      2015-01-30 07:36:36.000000000 +0900
@@ -73,6 +73,14 @@
     c=str_alloc(sizeof(CLI));
     str_detach(c);
     c->opt=opt;
+
+    /* some options need space to add some information */
+    if (c->opt->option.xforwardedfor)
+        c->buffsize = BUFFSIZE - BUFF_RESERVED;
+    else
+        c->buffsize = BUFFSIZE;
+    c->crlf_seen=0;
+
     c->local_rfd.fd=rfd;
     c->local_wfd.fd=wfd;
     return c;
@@ -504,6 +512,28 @@
     s_log(LOG_DEBUG, "Peer certificate was cached (%d bytes)", len);
 }

+/* Moves all data from the buffer <buffer> between positions <start> and <stop>
+ * to insert <string> of length <len>. <start> and <stop> are updated to their
+ * new respective values, and the number of characters inserted is returned.
+ * If <len> is too long, nothing is done and -1 is returned.
+ * Note that neither <string> nor <buffer> can be NULL.
+ */
+static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) {
+    if (len > limit - *stop)
+        return -1;
+    if (*start > *stop)
+        return -1;
+    memmove(buffer + *start + len, buffer + *start, *stop - *start);
+    memcpy(buffer + *start, string, len);
+    *start += len;
+    *stop += len;
+    return len;
+}
+
+static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) {
+    return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string));
+}
+
 /****************************** transfer data */
 NOEXPORT void transfer(CLI *c) {
     int watchdog=0; /* a counter to detect an infinite loop */
@@ -527,7 +557,7 @@
     do { /* main loop of client data transfer */
         /****************************** initialize *_wants_* */
         read_wants_read|=!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)
-            && c->ssl_ptr<BUFFSIZE && !read_wants_write;
+            && c->ssl_ptr<c->buffsize && !read_wants_write;
         write_wants_write|=!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN)
             && c->sock_ptr && !write_wants_read;

@@ -536,7 +566,7 @@
         /* for plain socket open data strem = open file descriptor */
         /* make sure to add each open socket to receive exceptions! */
         if(sock_open_rd) /* only poll if the read file descriptor is open */
-            s_poll_add(c->fds, c->sock_rfd->fd, c->sock_ptr<BUFFSIZE, 0);
+            s_poll_add(c->fds, c->sock_rfd->fd, c->sock_ptr<c->buffsize, 0);
         if(sock_open_wr) /* only poll if the write file descriptor is open */
             s_poll_add(c->fds, c->sock_wfd->fd, 0, c->ssl_ptr);
         /* poll SSL file descriptors unless SSL shutdown was completed */
@@ -680,7 +710,7 @@
         /****************************** read from socket */
         if(sock_open_rd && sock_can_rd) {
             num=readsocket(c->sock_rfd->fd,
-                c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
+                c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr);
             switch(num) {
             case -1:
                 if(parse_socket_error(c, "readsocket"))
@@ -700,7 +730,7 @@
         /****************************** update *_wants_* based on new *_ptr */
         /* this update is also required for SSL_pending() to be used */
         read_wants_read|=!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)
-            && c->ssl_ptr<BUFFSIZE && !read_wants_write;
+            && c->ssl_ptr<c->buffsize && !read_wants_write;
         write_wants_write|=!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN)
             && c->sock_ptr && !write_wants_read;

@@ -767,12 +797,73 @@
                 (read_wants_write && ssl_can_wr)) {
             read_wants_read=0;
             read_wants_write=0;
-            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
+            num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr);
             switch(err=SSL_get_error(c->ssl, num)) {
             case SSL_ERROR_NONE:
                 if(num==0)
                     s_log(LOG_DEBUG, "SSL_read returned 0");
-                c->ssl_ptr+=num;
+                if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */
+                    int last = c->ssl_ptr;
+                    c->ssl_ptr += num;
+
+                    /* Look for end of HTTP headers between last and ssl_ptr.
+                    * To achieve this reliably, we have to count the number of
+                    * successive [CR]LF and to memorize it in case it's spread
+                    * over multiple segments. --WT.
+                    */
+                    while (last < c->ssl_ptr) {
+                        if (c->ssl_buff[last] == '\n') {
+                            if (++c->crlf_seen == 2)
+                                break;
+                        } else if (last < c->ssl_ptr - 1 &&
+                                    c->ssl_buff[last] == '\r' &&
+                                    c->ssl_buff[last+1] == '\n') {
+                            if (++c->crlf_seen == 2)
+                                break;
+                            last++;
+                        } else if (c->ssl_buff[last] != '\r')
+                            /* don't refuse '\r' because we may get a '\n' on next read */
+                            c->crlf_seen = 0;
+                        last++;
+                    }
+                    if (c->crlf_seen >= 2) {
+                        /* We have all the HTTP headers now. We don't need to
+                        * reserve any space anymore. <ssl_ptr> points to the
+                        * first byte of unread data, and <last> points to the
+                        * exact location where we want to insert our headers,
+                        * which is right before the empty line.
+                        */
+                        c->buffsize = BUFFSIZE;
+
+                        if (c->opt->option.xforwardedfor) {
+                            /* X-Forwarded-For: xxxx \r\n\0 */
+                            char xforw[17 + IPLEN + 3];
+
+                            /* We will insert our X-Forwarded-For: header here.
+                            * We need to write the IP address, but if we use
+                            * sprintf, it will pad with the terminating 0.
+                            * So we will pass via a temporary buffer allocated
+                            * on the stack.
+                            */
+                            memcpy(xforw, "X-Forwarded-For: ", 17);
+                            if (getnameinfo(&c->peer_addr.sa,
+                                    c->peer_addr_len,
+                                    xforw + 17, IPLEN, NULL, 0,
+                                    NI_NUMERICHOST) == 0) {
+                                strcat(xforw + 17, "\r\n");
+                                buffer_insert(c->ssl_buff, &last, &c->ssl_ptr,
+                                            c->buffsize, xforw);
+                            }
+                            /* last still points to the \r\n and ssl_ptr to the
+                            * end of the buffer, so we may add as many headers
+                            * as wee need to.
+                            */
+                        }
+                    }
+                }
+                else
+                   c->ssl_ptr+=num;
+
                 watchdog=0; /* reset watchdog */
                 break;
             case SSL_ERROR_WANT_WRITE:
diff -ru stunnel-5.08.0/src/common.h stunnel-5.08/src/common.h
--- stunnel-5.08.0/src/common.h    2014-10-28 22:10:39.000000000 +0900
+++ stunnel-5.08/src/common.h      2015-01-29 18:33:24.000000000 +0900
@@ -52,6 +52,12 @@
 /* I/O buffer size: 18432 (0x4800) is the maximum size of SSL record payload */
 #define BUFFSIZE 18432

+/* maximum space reserved for header insertion in BUFFSIZE */
+#define BUFF_RESERVED 1024
+
+/* IP address and TCP port textual representation length */
+#define IPLEN 128
+
 /* how many bytes of random input to read from files for PRNG */
 /* OpenSSL likes at least 128 bits, so 64 bytes seems plenty. */
 #define RANDOM_BYTES 64
diff -ru stunnel-5.08.0/src/options.c stunnel-5.08/src/options.c
--- stunnel-5.08.0/src/options.c    2014-11-20 16:52:45.000000000 +0900
+++ stunnel-5.08/src/options.c      2015-01-29 18:50:04.000000000 +0900
@@ -1439,6 +1439,33 @@

 #endif

+    /* xforwardedfor */
+    switch(cmd) {
+    case CMD_BEGIN:
+        section->option.xforwardedfor=0;
+        break;
+    case CMD_EXEC:
+        if(strcasecmp(opt, "xforwardedfor"))
+            break;
+        if(!strcasecmp(arg, "yes"))
+            section->option.xforwardedfor=1;
+        else if(!strcasecmp(arg, "no"))
+            section->option.xforwardedfor=0;
+        else
+            return "argument should be either 'yes' or 'no'";
+        return NULL; /* OK */
+    case CMD_END:
+        break;
+    case CMD_FREE:
+        break;
+    case CMD_DEFAULT:
+        break;
+    case CMD_HELP:
+        s_log(LOG_NOTICE, "%-22s = yes|no append an HTTP X-Forwarded-For header",
+            "xforwardedfor");
+        break;
+    }
+
     /* exec */
     switch(cmd) {
     case CMD_BEGIN:
diff -ru stunnel-5.08.0/src/prototypes.h stunnel-5.08/src/prototypes.h
--- stunnel-5.08.0/src/prototypes.h    2014-11-20 16:52:45.000000000 +0900
+++ stunnel-5.08/src/prototypes.h      2015-01-29 17:20:28.000000000 +0900
@@ -229,6 +229,7 @@
         unsigned int accept:1;          /* endpoint: accept */
         unsigned int client:1;
         unsigned int delayed_lookup:1;
+        unsigned int xforwardedfor:1;
 #ifdef USE_LIBWRAP
         unsigned int libwrap:1;
 #endif
@@ -467,6 +468,8 @@
     FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */
     int sock_bytes, ssl_bytes; /* bytes written to socket and SSL */
     s_poll_set *fds; /* file descriptors */
+    int buffsize;  /* current buffer size, may be lower than BUFFSIZE */
+    int crlf_seen; /* the number of successive CRLF seen */
 } CLI;

 CLI *alloc_client_session(SERVICE_OPTIONS *, int, int);

Random Select

サーモン 14 貫セット
板前寿司 というチェーン店は知らなかったのですが、"サーモンフェア" があるので行ってみようという誘いに乗ってみました。サーモンはフライも好きですが、回転寿司では甘エビと同じくらい
DRY ZERO (1)
ここ最近、アルコール自体の摂取を控えて 3 週間程経過しています。健康に気を使っているという訳ではありません。が、冷奴・生野菜サラダ程度の晩御飯時にシュワーと炭酸の効いたビールを飲むクセも結構根強くつ
R&D ファクトリー (4)
富山出張 (No. 1 – 株式会社エーティーワークス) の続きです。富山本社・データセンターの内部にも興味がありましたが、実際の組立現場にはもっと興味がありました。建物の 2F の入口か
hp dv5
2014/02 頃、5 年以上使って来たノート PC (hp dv5 has broken again and again) に 5 度目の故障が発生しました。hp のサポートセンターに問い合わせても
Becky Logo
Windows 環境ではメールソフトに Becky! を使用しています。普段は FreeBSD で作業していますが、場合によっては同じメールを Becky! 側で開く方が効率が良い場合があるからです。
WS-C2960S-48TS-L (1)
Cisco Catalyst 2960S (ip device tracking Part 1) の続きです。現在ネットワーク内で使用している L2 スイッチは、すべて WS-C2960S-48TS-
Drive Network Philosophy
Drive Network "こだわり" シリーズ第 5 弾は、"1 クリックインストール" です。これは、Movable Type, WordPress, E
ソーキそばセット
うちなぁ料理と古酒家 ニライカナイ (やさいそばセット) から 2 日と空けずに再訪しました。今回も過去 2 回同様 13:30 頃に訪れましたが、今日はほぼ満席でした。雨上がりでしたので、普段程には
ビーフ + 野菜カレー (ルー大盛り, 辛さ 70 倍)
カリーライス専門店 エチオピア 本店 (No. 13 – 辛さ 70 倍メドレー 1) を投稿した時は、まさか全メニューを辛さ 70 倍で横断するとは思っていませんでしたが、我ながら凝り性
古瀬戸ブレンド
沖縄から東京に訪れた友達を カリーライス専門店 エチオピア に連れて行った後、まだ時間に余裕がある様でしたので、3 件程となりの 古瀬戸珈琲店 (コセトコーヒーテン) を訪れました。このお店はかねてか
Valid HTML5 Valid CSS3 Another HTML Lint