Added X-Forwarded-For header stripping option to nghttpx
This commit is contained in:
parent
c6cfcc3c30
commit
9ea4905f68
|
@ -750,6 +750,7 @@ void fill_default_config()
|
|||
mod_config()->num_worker = 1;
|
||||
mod_config()->http2_max_concurrent_streams = 100;
|
||||
mod_config()->add_x_forwarded_for = false;
|
||||
mod_config()->strip_incoming_x_forwarded_for = false;
|
||||
mod_config()->no_via = false;
|
||||
mod_config()->accesslog_file = nullptr;
|
||||
mod_config()->accesslog_syslog = false;
|
||||
|
@ -1156,6 +1157,9 @@ Misc:
|
|||
--add-x-forwarded-for
|
||||
Append X-Forwarded-For header field to the
|
||||
downstream request.
|
||||
--strip-incoming-x-forwarded-for
|
||||
Strip X-Forwarded-For header field from inbound
|
||||
client requests.
|
||||
--no-via Don't append to Via header field. If Via header
|
||||
field is received, it is left unaltered.
|
||||
--no-location-rewrite
|
||||
|
@ -1308,6 +1312,7 @@ int main(int argc, char **argv)
|
|||
{"no-location-rewrite", no_argument, &flag, 62},
|
||||
{"backend-connections-per-frontend", required_argument, &flag, 63},
|
||||
{"listener-disable-timeout", required_argument, &flag, 64},
|
||||
{"strip-incoming-x-forwarded-for", no_argument, &flag, 65},
|
||||
{nullptr, 0, nullptr, 0 }
|
||||
};
|
||||
|
||||
|
@ -1605,6 +1610,10 @@ int main(int argc, char **argv)
|
|||
// --listener-disable-timeout
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_LISTENER_DISABLE_TIMEOUT, optarg);
|
||||
break;
|
||||
case 65:
|
||||
// --strip-incoming-x-forwarded-for
|
||||
cmdcfgs.emplace_back(SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR, "yes");
|
||||
break;
|
||||
default:
|
||||
break;
|
||||
}
|
||||
|
|
|
@ -67,6 +67,7 @@ const char SHRPX_OPT_HTTP2_PROXY[] = "http2-proxy";
|
|||
const char SHRPX_OPT_HTTP2_BRIDGE[] = "http2-bridge";
|
||||
const char SHRPX_OPT_CLIENT_PROXY[] = "client-proxy";
|
||||
const char SHRPX_OPT_ADD_X_FORWARDED_FOR[] = "add-x-forwarded-for";
|
||||
const char SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR[] = "strip-incoming-x-forwarded-for";
|
||||
const char SHRPX_OPT_NO_VIA[] = "no-via";
|
||||
const char
|
||||
SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT[] = "frontend-http2-read-timeout";
|
||||
|
@ -425,6 +426,12 @@ int parse_config(const char *opt, const char *optarg)
|
|||
return 0;
|
||||
}
|
||||
|
||||
if(util::strieq(opt, SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR)) {
|
||||
mod_config()->strip_incoming_x_forwarded_for = util::strieq(optarg, "yes");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
if(util::strieq(opt, SHRPX_OPT_NO_VIA)) {
|
||||
mod_config()->no_via = util::strieq(optarg, "yes");
|
||||
|
||||
|
|
|
@ -65,6 +65,7 @@ extern const char SHRPX_OPT_HTTP2_PROXY[];
|
|||
extern const char SHRPX_OPT_HTTP2_BRIDGE[];
|
||||
extern const char SHRPX_OPT_CLIENT_PROXY[];
|
||||
extern const char SHRPX_OPT_ADD_X_FORWARDED_FOR[];
|
||||
extern const char SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR[];
|
||||
extern const char SHRPX_OPT_NO_VIA[];
|
||||
extern const char SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT[];
|
||||
extern const char SHRPX_OPT_FRONTEND_READ_TIMEOUT[];
|
||||
|
@ -260,6 +261,7 @@ struct Config {
|
|||
bool http2_bridge;
|
||||
bool client_proxy;
|
||||
bool add_x_forwarded_for;
|
||||
bool strip_incoming_x_forwarded_for;
|
||||
bool no_via;
|
||||
bool upstream_no_tls;
|
||||
bool downstream_no_tls;
|
||||
|
|
|
@ -394,14 +394,16 @@ int Http2DownstreamConnection::push_request_headers()
|
|||
|
||||
auto xff = downstream_->get_norm_request_header("x-forwarded-for");
|
||||
if(get_config()->add_x_forwarded_for) {
|
||||
if(xff != end_headers) {
|
||||
if(xff != end_headers &&
|
||||
!get_config()->strip_incoming_x_forwarded_for) {
|
||||
xff_value = (*xff).value;
|
||||
xff_value += ", ";
|
||||
}
|
||||
xff_value += downstream_->get_upstream()->get_client_handler()->
|
||||
get_ipaddr();
|
||||
nva.push_back(http2::make_nv_ls("x-forwarded-for", xff_value));
|
||||
} else if(xff != end_headers) {
|
||||
} else if(xff != end_headers &&
|
||||
!get_config()->strip_incoming_x_forwarded_for) {
|
||||
nva.push_back(http2::make_nv_ls("x-forwarded-for", (*xff).value));
|
||||
}
|
||||
|
||||
|
|
|
@ -209,14 +209,16 @@ int HttpDownstreamConnection::push_request_headers()
|
|||
auto xff = downstream_->get_norm_request_header("x-forwarded-for");
|
||||
if(get_config()->add_x_forwarded_for) {
|
||||
hdrs += "X-Forwarded-For: ";
|
||||
if(xff != end_headers) {
|
||||
if(xff != end_headers &&
|
||||
!get_config()->strip_incoming_x_forwarded_for) {
|
||||
hdrs += (*xff).value;
|
||||
http2::sanitize_header_value(hdrs, hdrs.size() - (*xff).value.size());
|
||||
hdrs += ", ";
|
||||
}
|
||||
hdrs += client_handler_->get_ipaddr();
|
||||
hdrs += "\r\n";
|
||||
} else if(xff != end_headers) {
|
||||
} else if(xff != end_headers &&
|
||||
!get_config()->strip_incoming_x_forwarded_for) {
|
||||
hdrs += "X-Forwarded-For: ";
|
||||
hdrs += (*xff).value;
|
||||
http2::sanitize_header_value(hdrs, hdrs.size() - (*xff).value.size());
|
||||
|
|
Loading…
Reference in New Issue