MINOR: proxy/http_ext: introduce proxy forwarded option

Introducing http_ext class for http extension related work that
doesn't fit into existing http classes.

HTTP extension "forwarded", introduced with 7239 RFC is now supported
by haproxy.

The option supports various modes from simple to complex usages involving
custom sample expressions.

  Examples :

    # Those servers want the ip address and protocol of the client request
    # Resulting header would look like this:
    #   forwarded: proto=http;for=127.0.0.1
    backend www_default
        mode http
        option forwarded
        #equivalent to: option forwarded proto for

    # Those servers want the requested host and hashed client ip address
    # as well as client source port (you should use seed for xxh32 if ensuring
    # ip privacy is a concern)
    # Resulting header would look like this:
    #   forwarded: host="haproxy.org";for="_000000007F2F367E:60138"
    backend www_host
        mode http
        option forwarded host for-expr src,xxh32,hex for_port

    # Those servers want custom data in host, for and by parameters
    # Resulting header would look like this:
    #   forwarded: host="host.com";by=_haproxy;for="[::1]:10"
    backend www_custom
        mode http
        option forwarded host-expr str(host.com) by-expr str(_haproxy) for for_port-expr int(10)

    # Those servers want random 'for' obfuscated identifiers for request
    # tracing purposes while protecting sensitive IP information
    # Resulting header would look like this:
    #   forwarded: for=_000000002B1F4D63
    backend www_for_hide
        mode http
        option forwarded for-expr rand,hex

By default (no argument provided), forwarded option will try to mimic
x-forward-for common setups (source client ip address + source protocol)

The option is not available for frontends.
no option forwarded is supported.

More info about 7239 RFC here: https://www.rfc-editor.org/rfc/rfc7239.html

More info about the feature in doc/configuration.txt

This should address feature request GH #575

Depends on:
  - "MINOR: http_htx: add http_append_header() to append value to header"
  - "MINOR: sample: add ARGC_OPT"
  - "MINOR: proxy: introduce http only options"
This commit is contained in:
Aurelien DARRAGON 2022-12-28 15:37:57 +01:00 committed by Christopher Faulet
parent 832e9f4119
commit b2bb9257d2
10 changed files with 1390 additions and 3 deletions

View File

@ -913,7 +913,7 @@ OBJS += src/mux_h2.o src/mux_fcgi.o src/mux_h1.o src/tcpcheck.o \
src/tcp_rules.o src/sink.o src/h1_htx.o src/task.o src/mjson.o \ src/tcp_rules.o src/sink.o src/h1_htx.o src/task.o src/mjson.o \
src/h2.o src/filters.o src/server_state.o src/payload.o \ src/h2.o src/filters.o src/server_state.o src/payload.o \
src/fcgi-app.o src/map.o src/htx.o src/h1.o src/pool.o \ src/fcgi-app.o src/map.o src/htx.o src/h1.o src/pool.o \
src/cfgparse-global.o src/trace.o src/tcp_sample.o \ src/cfgparse-global.o src/trace.o src/tcp_sample.o src/http_ext.o \
src/flt_http_comp.o src/mux_pt.o src/flt_trace.o src/mqtt.o \ src/flt_http_comp.o src/mux_pt.o src/flt_trace.o src/mqtt.o \
src/acl.o src/sock.o src/mworker.o src/tcp_act.o src/ring.o \ src/acl.o src/sock.o src/mworker.o src/tcp_act.o src/ring.o \
src/session.o src/proto_tcp.o src/fd.o src/channel.o src/activity.o \ src/session.o src/proto_tcp.o src/fd.o src/channel.o src/activity.o \

View File

@ -4202,6 +4202,7 @@ option dontlog-normal (*) X X X -
option dontlognull (*) X X X - option dontlognull (*) X X X -
-- keyword -------------------------- defaults - frontend - listen -- backend - -- keyword -------------------------- defaults - frontend - listen -- backend -
option forwardfor X X X X option forwardfor X X X X
option forwarded (*) X - X X
option h1-case-adjust-bogus-client (*) X X X - option h1-case-adjust-bogus-client (*) X X X -
option h1-case-adjust-bogus-server (*) X - X X option h1-case-adjust-bogus-server (*) X - X X
option http-buffer-request (*) X X X X option http-buffer-request (*) X X X X
@ -9059,6 +9060,140 @@ no option dontlognull
See also : "log", "http-ignore-probes", "monitor-uri", and See also : "log", "http-ignore-probes", "monitor-uri", and
section 8 about logging. section 8 about logging.
option forwarded [ proto ]
[ host | host-expr <host_expr> ]
[ by | by-expr <by_expr> ] [ by_port | by_port-expr <by_port_expr>]
[ for | for-expr <for_expr> ] [ for_port | for_port-expr <for_port_expr>]
no option forwarded
Enable insertion of the rfc 7239 forwarded header in requests sent to servers
May be used in sections : defaults | frontend | listen | backend
yes | no | yes | yes
Arguments :
<host_expr> optional argument to specify a custom sample expression
those result will be used as 'host' parameter value
<by_expr> optional argument to specicy a custom sample expression
those result will be used as 'by' parameter nodename value
<for_expr> optional argument to specicy a custom sample expression
those result will be used as 'for' parameter nodename value
<by_port_expr> optional argument to specicy a custom sample expression
those result will be used as 'by' parameter nodeport value
<for_port_expr> optional argument to specicy a custom sample expression
those result will be used as 'for' parameter nodeport value
Since HAProxy works in reverse-proxy mode, servers are loosing some request
context (request origin: client ip address, protocol used...)
A common way to address this limitation is to use the well known
x-forward-for and x-forward-* friends to expose some of this context to the
underlying servers/applications.
While this use to work and is widely deployed, it is not officially supported
by the IETF and can be the root of some interoperability as well as security
issues.
To solve this, a new HTTP extension has been described by the IETF:
forwarded header (RFC7239).
More information here: https://www.rfc-editor.org/rfc/rfc7239.html
The use of this single header allow to convey multiple informations
within the same header, and most importantly, fixes the proxy chaining
issue. (the rfc allows for multiple chained proxies to append their own
values to an already existing header).
This option may be specified in defaults, listen or backend section, but it
will be ignored for frontend sections.
Setting option forwarded without arguments results in using default implicit
behavior.
Default behavior enables proto parameter and injects original client ip.
The equivalent explicit/manual configuration would be:
option forwarded proto for
The keyword 'by' is used to enable 'by' parameter ("nodename") in
forwarded header. It allows to embed request proxy information.
'by' value will be set to proxy ip (destination address)
If not available (ie: UNIX listener), 'by' will be set to
"unknown".
The keyword 'by-expr' is used to enable 'by' parameter ("nodename") in
forwarded header. It allows to embed request proxy information.
'by' value will be set to the result of the sample expression
<by_expr>, if valid, otherwise it will be set to "unknown".
The keyword 'for' is used to enable 'for' parameter ("nodename") in
forwarded header. It allows to embed request client information.
'for' value will be set to client ip (source address)
If not available (ie: UNIX listener), 'for' will be set to
"unknown".
The keyword 'for-expr' is used to enable 'for' parameter ("nodename") in
forwarded header. It allows to embed request client information.
'for' value will be set to the result of the sample expression
<for_expr>, if valid, otherwise it will be set to "unknown".
The keyword 'by_port' is used to provide "nodeport" info to
'by' parameter. 'by_port' requires 'by' or 'by-expr' to be set or
it will be ignored.
"nodeport" will be set to proxy (destination) port if available,
otherwise it will be ignored.
The keyword 'by_port-expr' is used to provide "nodeport" info to
'by' parameter. 'by_port-expr' requires 'by' or 'by-expr' to be set or
it will be ignored.
"nodeport" will be set to the result of the sample expression
<by_port_expr>, if valid, otherwise it will be ignored.
The keyword 'for_port' is used to provide "nodeport" info to
'for' parameter. 'for_port' requires 'for' or 'for-expr' to be set or
it will be ignored.
"nodeport" will be set to client (source) port if available,
otherwise it will be ignored.
The keyword 'for_port-expr' is used to provide "nodeport" info to
'for' parameter. 'for_port-expr' requires 'for' or 'for-expr' to be set or
it will be ignored.
"nodeport" will be set to the result of the sample expression
<for_port_expr>, if valid, otherwise it will be ignored.
Examples :
# Those servers want the ip address and protocol of the client request
# Resulting header would look like this:
# forwarded: proto=http;for=127.0.0.1
backend www_default
mode http
option forwarded
#equivalent to: option forwarded proto for
# Those servers want the requested host and hashed client ip address
# as well as client source port (you should use seed for xxh32 if ensuring
# ip privacy is a concern)
# Resulting header would look like this:
# forwarded: host="haproxy.org";for="_000000007F2F367E:60138"
backend www_host
mode http
option forwarded host for-expr src,xxh32,hex for_port
# Those servers want custom data in host, for and by parameters
# Resulting header would look like this:
# forwarded: host="host.com";by=_haproxy;for="[::1]:10"
backend www_custom
mode http
option forwarded host-expr str(host.com) by-expr str(_haproxy) for for_port-expr int(10)
# Those servers want random 'for' obfuscated identifiers for request
# tracing purposes while protecting sensitive IP information
# Resulting header would look like this:
# forwarded: for=_000000002B1F4D63
backend www_for_hide
mode http
option forwarded for-expr rand,hex
See also : "option forwardfor", "option originalto"
option forwardfor [ except <network> ] [ header <name> ] [ if-none ] option forwardfor [ except <network> ] [ header <name> ] [ if-none ]
Enable insertion of the X-Forwarded-For header to requests sent to servers Enable insertion of the X-Forwarded-For header to requests sent to servers

View File

@ -0,0 +1,113 @@
/*
* include/haproxy/http_ext-t.h
* Version-agnostic and implementation-agnostic HTTP extensions definitions
*
* Copyright 2022 HAProxy Technologies
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation, version 2.1
* exclusively.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef _HAPROXY_HTTPEXT_T_H
#define _HAPROXY_HTTPEXT_T_H
#include <arpa/inet.h>
#include <import/ist.h>
#include <haproxy/tools-t.h>
enum forwarded_header_attribute_type {
FORWARDED_HEADER_UNK = 0,
FORWARDED_HEADER_OBFS = 1,
FORWARDED_HEADER_PORT = 2,
FORWARDED_HEADER_IP = 3,
};
struct forwarded_header_nodename {
union {
struct sockaddr_storage ip;
struct ist obfs;
};
enum forwarded_header_attribute_type type;
};
struct forwarded_header_nodeport {
union {
uint16_t port;
struct ist obfs;
};
enum forwarded_header_attribute_type type;
};
struct forwarded_header_node {
struct forwarded_header_nodename nodename;
struct forwarded_header_nodeport nodeport;
struct ist raw;
};
enum forwarded_header_proto {
FORWARDED_HEADER_HTTP = 1,
FORWARDED_HEADER_HTTPS = 2
};
struct forwarded_header_ctx {
struct forwarded_header_node nfor;
struct forwarded_header_node nby;
struct ist host;
enum forwarded_header_proto proto;
};
enum http_ext_7239_forby_mode {
HTTP_7239_FORBY_ORIG = 1,
HTTP_7239_FORBY_SMP = 2
};
struct http_ext_7239_forby {
/* nn = nodename, np = nodeport */
char *nn_expr_s;
struct sample_expr *nn_expr;
char *np_expr_s;
struct sample_expr *np_expr;
enum http_ext_7239_forby_mode nn_mode;
enum http_ext_7239_forby_mode np_mode;
};
enum http_ext_7239_host_mode {
HTTP_7239_HOST_ORIG = 1,
HTTP_7239_HOST_SMP = 2
};
struct http_ext_7239_host {
char *expr_s;
struct sample_expr *expr;
enum http_ext_7239_host_mode mode;
};
struct http_ext_7239 {
/* forwarded header parameters options */
struct http_ext_7239_forby p_for;
struct http_ext_7239_forby p_by;
struct http_ext_7239_host p_host;
uint8_t p_proto;
/* config error hints, used only during configuration parsing */
char *c_file;
int c_line;
};
enum forwarded_header_field {
FORWARDED_HEADER_FOR = 0x01,
FORWARDED_HEADER_BY = 0x02,
FORWARDED_HEADER_HOST = 0x04,
FORWARDED_HEADER_PROTO = 0x08,
FORWARDED_HEADER_ALL = FORWARDED_HEADER_FOR|FORWARDED_HEADER_BY|FORWARDED_HEADER_HOST|FORWARDED_HEADER_PROTO
};
#endif /* !_HAPROXY_HTTPEXT_T_H */

View File

@ -0,0 +1,41 @@
/*
* include/haproxy/http_ext.h
* Functions for Version-agnostic and implementation-agnostic HTTP extensions
*
* Copyright 2022 HAProxy Technologies
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation, version 2.1
* exclusively.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
*/
#ifndef _HAPROXY_HTTPEXT_H
#define _HAPROXY_HTTPEXT_H
#include <haproxy/http_ext-t.h>
#include <haproxy/channel-t.h>
#include <haproxy/proxy-t.h>
#include <haproxy/stream-t.h>
int http_validate_7239_header(struct ist hdr, int required_steps, struct forwarded_header_ctx *ctx);
int http_handle_7239_header(struct stream *s, struct channel *req);
void http_ext_7239_clean(struct http_ext_7239 *);
void http_ext_7239_copy(struct http_ext_7239 *dest, const struct http_ext_7239 *orig);
int proxy_http_parse_7239(char **args, int cur_arg, struct proxy *curproxy, const struct proxy *defpx, const char *file, int linenum);
int proxy_http_compile_7239(struct proxy *curproxy);
#endif /* !_HAPROXY_HTTPEXT_H */

View File

@ -43,6 +43,7 @@
#include <haproxy/thread-t.h> #include <haproxy/thread-t.h>
#include <haproxy/tools-t.h> #include <haproxy/tools-t.h>
#include <haproxy/uri_auth-t.h> #include <haproxy/uri_auth-t.h>
#include <haproxy/http_ext-t.h>
/* values for proxy->mode */ /* values for proxy->mode */
enum pr_mode { enum pr_mode {
@ -100,7 +101,7 @@ enum PR_SRV_STATE_FILE {
#define PR_O_TCP_CLI_KA 0x00040000 /* enable TCP keep-alive on client-side streams */ #define PR_O_TCP_CLI_KA 0x00040000 /* enable TCP keep-alive on client-side streams */
#define PR_O_TCP_SRV_KA 0x00080000 /* enable TCP keep-alive on server-side streams */ #define PR_O_TCP_SRV_KA 0x00080000 /* enable TCP keep-alive on server-side streams */
#define PR_O_USE_ALL_BK 0x00100000 /* load-balance between backup servers */ #define PR_O_USE_ALL_BK 0x00100000 /* load-balance between backup servers */
/* unused: 0x00020000 */ #define PR_O_HTTP_7239 0x00200000 /* insert 7239 forwarded header */
#define PR_O_TCP_NOLING 0x00400000 /* disable lingering on client and server connections */ #define PR_O_TCP_NOLING 0x00400000 /* disable lingering on client and server connections */
#define PR_O_ABRT_CLOSE 0x00800000 /* immediately abort request when client closes */ #define PR_O_ABRT_CLOSE 0x00800000 /* immediately abort request when client closes */
@ -268,6 +269,8 @@ struct error_snapshot {
/* http options */ /* http options */
struct proxy_http { struct proxy_http {
/* forwarded header (RFC 7239) */
struct http_ext_7239 fwd;
}; };
struct proxy { struct proxy {

View File

@ -20,6 +20,7 @@
#include <haproxy/extcheck.h> #include <haproxy/extcheck.h>
#include <haproxy/http_ana.h> #include <haproxy/http_ana.h>
#include <haproxy/http_htx.h> #include <haproxy/http_htx.h>
#include <haproxy/http_ext.h>
#include <haproxy/http_rules.h> #include <haproxy/http_rules.h>
#include <haproxy/listener.h> #include <haproxy/listener.h>
#include <haproxy/log.h> #include <haproxy/log.h>
@ -61,7 +62,7 @@ static const char *common_options[] = {
"redispatch", "httplog", "tcplog", "tcpka", "httpchk", "redispatch", "httplog", "tcplog", "tcpka", "httpchk",
"ssl-hello-chk", "smtpchk", "pgsql-check", "redis-check", "ssl-hello-chk", "smtpchk", "pgsql-check", "redis-check",
"mysql-check", "ldap-check", "spop-check", "tcp-check", "mysql-check", "ldap-check", "spop-check", "tcp-check",
"external-check", "forwardfor", "original-to", "external-check", "forwardfor", "original-to", "forwarded",
NULL /* must be last */ NULL /* must be last */
}; };
@ -2031,6 +2032,16 @@ stats_error_parsing:
err_code |= ERR_ALERT | ERR_FATAL; err_code |= ERR_ALERT | ERR_FATAL;
goto out; goto out;
} }
else if (strcmp(args[1], "forwarded") == 0) {
if (kwm == KWM_STD) {
err_code |= proxy_http_parse_7239(args, 0, curproxy, curr_defproxy, file, linenum);
goto out;
}
else if (kwm == KWM_NO) {
curproxy->options &= ~PR_O_HTTP_7239;
goto out;
}
}
/* Redispatch can take an integer argument that control when the /* Redispatch can take an integer argument that control when the
* resispatch occurs. All values are relative to the retries option. * resispatch occurs. All values are relative to the retries option.

View File

@ -59,6 +59,7 @@
#include <haproxy/global.h> #include <haproxy/global.h>
#include <haproxy/http_ana.h> #include <haproxy/http_ana.h>
#include <haproxy/http_rules.h> #include <haproxy/http_rules.h>
#include <haproxy/http_ext.h>
#include <haproxy/lb_chash.h> #include <haproxy/lb_chash.h>
#include <haproxy/lb_fas.h> #include <haproxy/lb_fas.h>
#include <haproxy/lb_fwlc.h> #include <haproxy/lb_fwlc.h>
@ -3669,6 +3670,9 @@ out_uri_auth_compat:
else else
curproxy->http_needed |= !!(curproxy->lbprm.expr->fetch->use & SMP_USE_HTTP_ANY); curproxy->http_needed |= !!(curproxy->lbprm.expr->fetch->use & SMP_USE_HTTP_ANY);
} }
/* option "forwarded" may need to compile its expressions */
if ((curproxy->mode == PR_MODE_HTTP) && curproxy->options & PR_O_HTTP_7239)
cfgerr += proxy_http_compile_7239(curproxy);
/* only now we can check if some args remain unresolved. /* only now we can check if some args remain unresolved.
* This must be done after the users and groups resolution. * This must be done after the users and groups resolution.
@ -3964,6 +3968,13 @@ out_uri_auth_compat:
err_code |= ERR_WARN; err_code |= ERR_WARN;
} }
if (curproxy->options & PR_O_HTTP_7239) {
ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
"forwarded", proxy_type_str(curproxy), curproxy->id);
err_code |= ERR_WARN;
curproxy->options &= ~PR_O_HTTP_7239;
}
if (curproxy->options & (PR_O_FWDFOR | PR_O_FF_ALWAYS)) { if (curproxy->options & (PR_O_FWDFOR | PR_O_FF_ALWAYS)) {
ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n", ha_warning("'option %s' ignored for %s '%s' as it requires HTTP mode.\n",
"forwardfor", proxy_type_str(curproxy), curproxy->id); "forwardfor", proxy_type_str(curproxy), curproxy->id);

View File

@ -26,6 +26,7 @@
#include <haproxy/http.h> #include <haproxy/http.h>
#include <haproxy/http_ana.h> #include <haproxy/http_ana.h>
#include <haproxy/http_htx.h> #include <haproxy/http_htx.h>
#include <haproxy/http_ext.h>
#include <haproxy/htx.h> #include <haproxy/htx.h>
#include <haproxy/log.h> #include <haproxy/log.h>
#include <haproxy/net_helper.h> #include <haproxy/net_helper.h>
@ -661,6 +662,12 @@ int http_process_request(struct stream *s, struct channel *req, int an_bit)
goto return_fail_rewrite; goto return_fail_rewrite;
} }
/* add forwarded header (RFC 7239) (ignored for frontends) */
if (s->be->options & PR_O_HTTP_7239) {
if (unlikely(!http_handle_7239_header(s, req)))
goto return_fail_rewrite;
}
/* /*
* 9: add X-Forwarded-For if either the frontend or the backend * 9: add X-Forwarded-For if either the frontend or the backend
* asks for it. * asks for it.

1059
src/http_ext.c Normal file

File diff suppressed because it is too large Load Diff

View File

@ -31,6 +31,7 @@
#include <haproxy/global.h> #include <haproxy/global.h>
#include <haproxy/http_ana.h> #include <haproxy/http_ana.h>
#include <haproxy/http_htx.h> #include <haproxy/http_htx.h>
#include <haproxy/http_ext.h>
#include <haproxy/listener.h> #include <haproxy/listener.h>
#include <haproxy/log.h> #include <haproxy/log.h>
#include <haproxy/obj_type-t.h> #include <haproxy/obj_type-t.h>
@ -353,6 +354,7 @@ void free_proxy(struct proxy *p)
free(p->desc); free(p->desc);
istfree(&p->fwdfor_hdr_name); istfree(&p->fwdfor_hdr_name);
istfree(&p->orgto_hdr_name); istfree(&p->orgto_hdr_name);
http_ext_7239_clean(&p->http.fwd);
task_destroy(p->task); task_destroy(p->task);
@ -1467,6 +1469,8 @@ void proxy_free_defaults(struct proxy *defproxy)
istfree(&defproxy->orgto_hdr_name); istfree(&defproxy->orgto_hdr_name);
istfree(&defproxy->server_id_hdr_name); istfree(&defproxy->server_id_hdr_name);
http_ext_7239_clean(&defproxy->http.fwd);
list_for_each_entry_safe(acl, aclb, &defproxy->acl, list) { list_for_each_entry_safe(acl, aclb, &defproxy->acl, list) {
LIST_DELETE(&acl->list); LIST_DELETE(&acl->list);
prune_acl(acl); prune_acl(acl);
@ -1696,6 +1700,9 @@ static int proxy_defproxy_cpy(struct proxy *curproxy, const struct proxy *defpro
} }
curproxy->ck_opts = defproxy->ck_opts; curproxy->ck_opts = defproxy->ck_opts;
if (defproxy->options & PR_O_HTTP_7239)
http_ext_7239_copy(&curproxy->http.fwd, &defproxy->http.fwd);
if (defproxy->cookie_name) if (defproxy->cookie_name)
curproxy->cookie_name = strdup(defproxy->cookie_name); curproxy->cookie_name = strdup(defproxy->cookie_name);
curproxy->cookie_len = defproxy->cookie_len; curproxy->cookie_len = defproxy->cookie_len;