
Re: svn commit: r1838055 - in /httpd/httpd/trunk: CHANGES docs/manual/mod/core.xml include/http_core.h include/http_vhost.h server/core.c server/protocol.c server/vhost.c


Today I learned that ServerAlias is not permitted in global scope, while
writing tests in a different framework for $bigco.

I would like to allow them in trunk. They are normally not needed as
aliases are really only a way to pick the best NVH from a set of
virtual hosts sharing a TCP address specification -- and if the global
config is the best TCP match, there is only one.  But this would allow
the StrictHostCheck "don't respond to unknown hostnames" to add stuff
when NVHs are not (totally) used.

I plan to keep it in trunk.  Any concerns?


On Tue, Aug 14, 2018 at 5:47 PM <covener@xxxxxxxxxx> wrote:
>
> Author: covener
> Date: Tue Aug 14 21:47:22 2018
> New Revision: 1838055
>
> URL: http://svn.apache.org/viewvc?rev=1838055&view=rev
> Log:
> Add StrictHostCheck
>
> .. to allow unconfigured hostnames to be rejected.
>
> The checks happen during NVH mapping and check that the
> mapped VH itself has the host as a name or alias.
>
>
> Modified:
>     httpd/httpd/trunk/CHANGES
>     httpd/httpd/trunk/docs/manual/mod/core.xml
>     httpd/httpd/trunk/include/http_core.h
>     httpd/httpd/trunk/include/http_vhost.h
>     httpd/httpd/trunk/server/core.c
>     httpd/httpd/trunk/server/protocol.c
>     httpd/httpd/trunk/server/vhost.c
>
> Modified: httpd/httpd/trunk/CHANGES
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/CHANGES?rev=1838055&r1=1838054&r2=1838055&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/CHANGES [utf-8] (original)
> +++ httpd/httpd/trunk/CHANGES [utf-8] Tue Aug 14 21:47:22 2018
> @@ -1,6 +1,9 @@
>                                                           -*- coding: utf-8 -*-
>  Changes with Apache 2.5.1
>
> +  *) core: Add StrictHostCheck to allow ucnonfigured hostnames to be
> +     rejected. [Eric Covener]
> +
>    *) mod_status: Cumulate CPU time of exited child processes in the
>       "cu" and "cs" values. Add CPU time of the parent process to the
>       "c" and "s" values.
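Review bot: typo in the new CHANGES entry, "ucnonfigured" should be "unconfigured" (the commit log carries the same typo).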
>
> Modified: httpd/httpd/trunk/docs/manual/mod/core.xml
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/manual/mod/core.xml?rev=1838055&r1=1838054&r2=1838055&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/docs/manual/mod/core.xml (original)
> +++ httpd/httpd/trunk/docs/manual/mod/core.xml Tue Aug 14 21:47:22 2018
> @@ -5240,6 +5240,40 @@ as if 'QualifyRedirectURL ON' was config
>  </usage>
>  </directivesynopsis>
>
> +<directivesynopsis>
> +<name>StrictHostCheck</name>
> +<description>Controls whether the server requires the requested hostname be
> +             listed enumerated in the virtual host handling the request
> +             </description>
> +<syntax>StrictHostCheck ON|OFF</syntax>
> +<default>StrictHostCheck OFF</default>
> +<contextlist><context>server config</context><context>virtual host</context>
> +</contextlist>
> +<compatibility>Added in 2.5.1</compatibility>
>
> +<usage>
> +    <p>By default, the server will respond to requests for any hostname,
> +    including requests addressed to unexpected or unconfigured hostnames.
> +    While this is convenient, it is sometimes desirable to limit what hostnames
> +    a backend application handles since it will often generate self-referential
> +    responses.</p>
> +
> +    <p>By setting <directive>StrictHostCheck</directive> to <em>ON</em>,
> +    the server will return an HTTP 400 error if the requested hostname
> +    hasn't been explicitly listed by either <directive module="core"
> +    >ServerName</directive> or <directive module="core"
> +    >ServerAlias</directive> in the virtual host that best matches the
> +    details of the incoming connection.</p>
> +
> +   <p>This directive also allows matching of the requested hostname to hostnames
> +   specified within the opening <directive module="core">VirtualHost</directive>
> +   tag, which is a relatively obscure configuration mechanism that acts like
> +   additional <directive module="core">ServerAlias</directive> entries.</p>
> +
> +   <p>This directive has no affect in non-default virtual hosts. The value
> +   inherited from the global server configuration, or the default virtualhost
> +   for the ip:port the underlying connection, determine the effective value.</p>
> +</usage>
> +</directivesynopsis>
>
>  </modulesynopsis>
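Review bot: the new directive text has a few wording slips to fix before it lands in the manual: the description says "listed enumerated" (one of the two will do), the last paragraph says "has no affect" where "no effect" is meant, and "the default virtualhost for the ip:port the underlying connection" is missing "of" and should read "virtual host". That last paragraph is also the one administrators most need, since the directive is accepted in virtual host context but only the global or default-vhost value counts; stating that in the description, or moving the paragraph up, would make a misplaced setting less surprising.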
>
> Modified: httpd/httpd/trunk/include/http_core.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_core.h?rev=1838055&r1=1838054&r2=1838055&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/include/http_core.h (original)
> +++ httpd/httpd/trunk/include/http_core.h Tue Aug 14 21:47:22 2018
> @@ -770,6 +770,7 @@ typedef struct {
>
>      apr_size_t   flush_max_threshold;
>      apr_int32_t  flush_max_pipelined;
> +    unsigned int strict_host_check;
>  } core_server_config;
>
>  /* for AddOutputFiltersByType in core.c */
>
> Modified: httpd/httpd/trunk/include/http_vhost.h
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/include/http_vhost.h?rev=1838055&r1=1838054&r2=1838055&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/include/http_vhost.h (original)
> +++ httpd/httpd/trunk/include/http_vhost.h Tue Aug 14 21:47:22 2018
> @@ -100,6 +100,19 @@ AP_DECLARE(void) ap_update_vhost_given_i
>  AP_DECLARE(void) ap_update_vhost_from_headers(request_rec *r);
>
>  /**
> + * Updates r->server with the best name-based virtual host match, within
> + * the chain of matching virtual hosts selected by ap_update_vhost_given_ip.
> + * @param r The current request
> + * @param require_match 1 to return an HTTP error if the requested hostname is
> + * not explicitly matched to a VirtualHost.
> + * @return return HTTP_OK unless require_match was specified and the requested
> + * hostname did not match any ServerName, ServerAlias, or VirtualHost
> + * address-spec.
> + */
> +AP_DECLARE(int) ap_update_vhost_from_headers_ex(request_rec *r, int require_match);
> +
> +
> +/**
>   * Match the host in the header with the hostname of the server for this
>   * request.
>   * @param r The current request
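Review bot: the @return line reads "@return return HTTP_OK", and it promises "an HTTP error" where the vhost.c change in this commit returns HTTP_BAD_REQUEST specifically; naming the status here lets callers rely on it. The two consecutive blank lines added before the following comment block can be one.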
>
> Modified: httpd/httpd/trunk/server/core.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/core.c?rev=1838055&r1=1838054&r2=1838055&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/core.c (original)
> +++ httpd/httpd/trunk/server/core.c Tue Aug 14 21:47:22 2018
> @@ -525,6 +525,7 @@ static void *create_core_server_config(a
>      conf->protocols = apr_array_make(a, 5, sizeof(const char *));
>      conf->protocols_honor_order = -1;
>      conf->async_filter = 0;
> +    conf->strict_host_check= AP_CORE_CONFIG_UNSET;
>
>      return (void *)conf;
>  }
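Review bot: style, "conf->strict_host_check= AP_CORE_CONFIG_UNSET;" is missing the space before "=".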
> @@ -620,6 +621,12 @@ static void *merge_core_server_configs(a
>                                    ? virt->flush_max_pipelined
>                                    : base->flush_max_pipelined;
>
> +    conf->strict_host_check = (virt->strict_host_check != AP_CORE_CONFIG_UNSET)
> +                              ? virt->strict_host_check
> +                              : base->strict_host_check;
> +
> +    AP_CORE_MERGE_FLAG(strict_host_check, conf, base, virt);
> +
>      return conf;
>  }
>
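Review bot: the field is merged twice: the explicit ternary assigns conf->strict_host_check from virt or base, and AP_CORE_MERGE_FLAG(strict_host_check, conf, base, virt) directly below it merges the same field again. Keep one of the two; the macro is the shorter form.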
> @@ -1962,7 +1969,12 @@ static const char *set_qualify_redirect_
>
>      return NULL;
>  }
> -
> +static const char *set_core_server_flag(cmd_parms *cmd, void *s_, int flag)
> +{
> +    core_server_config *conf =
> +        ap_get_core_module_config(cmd->server->module_config);
> +    return ap_set_flag_slot(cmd, conf, flag);
> +}
>  static const char *set_override_list(cmd_parms *cmd, void *d_, int argc, char *const argv[])
>  {
>      core_dir_config *d = d_;
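Review bot: set_core_server_flag() is inserted with the separating blank lines removed, so it now abuts the closing brace of set_qualify_redirect_url() above and set_override_list() below; restore a blank line on each side. The s_ parameter is unused because the per-server config is taken from cmd->server, which is fine for a server-scope directive, but a one-line comment saying so would stop the next reader from wondering.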
> @@ -4816,7 +4828,10 @@ AP_INIT_TAKE2("CGIVar", set_cgi_var, NUL
>  AP_INIT_FLAG("QualifyRedirectURL", set_qualify_redirect_url, NULL, OR_FILEINFO,
>               "Controls whether the REDIRECT_URL environment variable is fully "
>               "qualified"),
> -
> +AP_INIT_FLAG("StrictHostCheck", set_core_server_flag,
> +             (void *)APR_OFFSETOF(core_server_config, strict_host_check),
> +             RSRC_CONF,
> +             "Controls whether a hostname match is required"),
>  AP_INIT_TAKE1("ForceType", ap_set_string_slot_lower,
>         (void *)APR_OFFSETOF(core_dir_config, mime_type), OR_FILEINFO,
>       "a mime type that overrides other configured type"),
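Review bot: with RSRC_CONF the directive is accepted inside any VirtualHost block, yet the manual text in this commit says it has no effect in non-default virtual hosts, so a setting in the wrong place is silently inert. The help string could say where it is effective ("in the global server or the default vhost for the connection's address") so the limitation is visible in httpd -L output too. Also, the blank line that separated QualifyRedirectURL from the next entry was dropped rather than kept after the new entry.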
> @@ -5891,4 +5906,3 @@ AP_DECLARE_MODULE(core) = {
>      core_cmds,                    /* command apr_table_t */
>      register_hooks                /* register hooks */
>  };
> -
>
> Modified: httpd/httpd/trunk/server/protocol.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/protocol.c?rev=1838055&r1=1838054&r2=1838055&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/protocol.c (original)
> +++ httpd/httpd/trunk/server/protocol.c Tue Aug 14 21:47:22 2018
> @@ -1348,10 +1348,11 @@ request_rec *ap_read_request(conn_rec *c
>      apr_bucket_brigade *tmp_bb;
>      apr_socket_t *csd;
>      apr_interval_time_t cur_timeout;
> -
> +    core_server_config *conf = NULL;
>
>      request_rec *r = ap_create_request(conn);
>
> +    conf = ap_get_core_module_config(r->server->module_config);
>      tmp_bb = apr_brigade_create(r->pool, r->connection->bucket_alloc);
>
>      ap_run_pre_read_request(r, conn);
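Review bot: conf is read from r->server immediately after ap_create_request(), i.e. from the connection's default server before any Host header has been seen. That is the intended semantics per the manual text in this commit (the global or default-vhost value wins), but it is not obvious at this spot; a short comment such as "strict_host_check is deliberately taken from the connection-level default server, not the Host-selected vhost" would save the next reader a trip to the docs. The "= NULL" initializer is redundant given the assignment a few lines below.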
> @@ -1455,7 +1456,23 @@ request_rec *ap_read_request(conn_rec *c
>      /* update what we think the virtual host is based on the headers we've
>       * now read. may update status.
>       */
> -    ap_update_vhost_from_headers(r);
> +
> +    access_status = ap_update_vhost_from_headers_ex(r, conf->strict_host_check == AP_CORE_CONFIG_ON);
> +    if (conf->strict_host_check == AP_CORE_CONFIG_ON && access_status != HTTP_OK) {
> +         if (r->server == ap_server_conf) {
> +             ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO()
> +                           "Requested hostname '%s' did not match any ServerName/ServerAlias "
> +                           "in the global server configuration ", r->hostname);
> +         } else {
> +             ap_log_rerror(APLOG_MARK, APLOG_WARNING, 0, r, APLOGNO()
> +                           "Requested hostname '%s' did not match any ServerName/ServerAlias "
> +                           "in the matching virtual host (default vhost for "
> +                           "current connection is  %s:%u)",
> +                           r->hostname, r->server->defn_name, r->server->defn_line_number);
> +         }
> +         r->status = access_status;
> +    }
> +
>      access_status = r->status;
>
>      /* Toggle to the Host:-based vhost's timeout mode to fetch the
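Review bot: both new ap_log_rerror() calls use an empty APLOGNO(); each needs a log-message number before this is committed. Two further points in the same block: the messages are at APLOG_WARNING and are emitted once per rejected request, and because the Host value is entirely client-controlled the volume of warnings in the error log is not under the administrator's control; INFO or DEBUG seems the better level for a condition the client can trigger at will. Formatting: "in the global server configuration " carries a trailing space inside the string, "current connection is  %s:%u" has a double space, and the body of the if is indented nine columns rather than eight.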
>
> Modified: httpd/httpd/trunk/server/vhost.c
> URL: http://svn.apache.org/viewvc/httpd/httpd/trunk/server/vhost.c?rev=1838055&r1=1838054&r2=1838055&view=diff
> ==============================================================================
> --- httpd/httpd/trunk/server/vhost.c (original)
> +++ httpd/httpd/trunk/server/vhost.c Tue Aug 14 21:47:22 2018
> @@ -35,6 +35,7 @@
>  #include "http_vhost.h"
>  #include "http_protocol.h"
>  #include "http_core.h"
> +#include "http_main.h"
>
>  #if APR_HAVE_ARPA_INET_H
>  #include <arpa/inet.h>
> @@ -976,7 +977,13 @@ AP_DECLARE(int) ap_matches_request_vhost
>  }
>
>
> -static void check_hostalias(request_rec *r)
> +/*
> + * Updates r->server from ServerName/ServerAlias. Per the interaction
> + * of ip and name-based vhosts, it only looks in the best match from the
> + * connection-level ip-based matching.
> + * Returns HTTP_BAD_REQUEST if there was no match.
> + */
> +static int update_server_from_aliases(request_rec *r)
>  {
>      /*
>       * Even if the request has a Host: header containing a port we ignore
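Review bot: the new comment says "Returns HTTP_BAD_REQUEST if there was no match"; since that value now travels up through ap_update_vhost_from_headers_ex() and is discarded by the legacy wrapper, it is worth adding here that a no-match return leaves r->server untouched (the assignment happens only at the found: label), so callers know the request still sits on the connection's default server.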
> @@ -1053,11 +1060,18 @@ static void check_hostalias(request_rec
>          goto found;
>      }
>
> -    return;
> +    if (r->server == ap_server_conf) {
> +        if (matches_aliases(ap_server_conf, host)) {
> +            s = ap_server_conf;
> +            goto found;
> +        }
> +    }
> +    return HTTP_BAD_REQUEST;
>
>  found:
>      /* s is the first matching server, we're done */
>      r->server = s;
> +    return HTTP_OK;
>  }
>
>
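Review bot: the added block only runs when r->server is already ap_server_conf, and on a match it sets s = ap_server_conf and jumps to found:, which assigns r->server the value it already has; "if (r->server == ap_server_conf && matches_aliases(ap_server_conf, host)) return HTTP_OK;" expresses the same thing without the nested ifs or the goto. As the covering mail notes, ServerAlias is not accepted in global scope today, so for the global server this can only match ServerName until that is allowed.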
> @@ -1074,7 +1088,7 @@ static void check_serverpath(request_rec
>       * This is in conjunction with the ServerPath code in http_core, so we
>       * get the right host attached to a non- Host-sending request.
>       *
> -     * See the comment in check_hostalias about how each vhost can be
> +     * See the comment in update_server_from_aliases about how each vhost can be
>       * listed multiple times.
>       */
>
> @@ -1138,10 +1152,16 @@ static APR_INLINE const char *construct_
>
>  AP_DECLARE(void) ap_update_vhost_from_headers(request_rec *r)
>  {
> +    ap_update_vhost_from_headers_ex(r, 0);
> +}
> +
> +AP_DECLARE(int) ap_update_vhost_from_headers_ex(request_rec *r, int require_match)
> +{
>      core_server_config *conf = ap_get_core_module_config(r->server->module_config);
>      const char *host_header = apr_table_get(r->headers_in, "Host");
>      int is_v6literal = 0;
>      int have_hostname_from_url = 0;
> +    int rc = HTTP_OK;
>
>      if (r->hostname) {
>          /*
> @@ -1154,8 +1174,8 @@ AP_DECLARE(void) ap_update_vhost_from_he
>      else if (host_header != NULL) {
>          is_v6literal = fix_hostname(r, host_header, conf->http_conformance);
>      }
> -    if (r->status != HTTP_OK)
> -        return;
> +    if (!require_match && r->status != HTTP_OK)
> +        return HTTP_OK;
>
>      if (conf->http_conformance != AP_HTTP_CONFORMANCE_UNSAFE) {
>          /*
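Review bot: the early return is now skipped when require_match is set, so a request whose Host header already failed fix_hostname() (r->status != HTTP_OK) continues into ServerName/ServerAlias matching with that rejected hostname. The earlier r->status is still honoured by ap_read_request() afterwards, so returning r->status here (or keeping the early return) would give the same outcome without matching on a hostname that did not validate; if the vhost update is wanted even for the failed request, a comment saying why would help.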
> @@ -1176,10 +1196,16 @@ AP_DECLARE(void) ap_update_vhost_from_he
>      /* check if we tucked away a name_chain */
>      if (r->connection->vhost_lookup_data) {
>          if (r->hostname)
> -            check_hostalias(r);
> +            rc = update_server_from_aliases(r);
>          else
>              check_serverpath(r);
>      }
> +    else if (require_match) {
> +        /* check the base server config */
> +        rc = update_server_from_aliases(r);
> +    }
> +
> +    return rc;
>  }
>
>  /**
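Review bot: the new "else if (require_match)" branch calls update_server_from_aliases(r) without the "if (r->hostname)" guard that the name-chain branch keeps, so a request with no Host header and no host in the request-URI (r->hostname NULL) reaches the alias comparison with a NULL hostname. Either guard it the same way, or decide explicitly what a strict check should do when no hostname was supplied at all (HTTP/1.0 clients may legitimately omit Host) and return that status rather than passing a NULL name into the matching code.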
>
>


-- 
Eric Covener
covener@xxxxxxxxx
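An added configuration example, not part of the commit or the mail, showing how the semantics documented in the core.xml hunk play out for the global server versus name-based vhosts; the Listen ports and hostnames are constructed:

```apache
# Constructed example: port 80 is covered by name-based vhosts,
# port 8080 is served by the global (default) server.
Listen 80
Listen 8080

# Global server. ServerAlias is not accepted here today (see the
# covering mail), so only ServerName can satisfy a strict check.
ServerName www.example.test
StrictHostCheck ON
# Connection to :8080, Host: www.example.test   -> served
# Connection to :8080, Host: bogus.example.test -> HTTP 400

# First vhost listed for *:80 is the default vhost for that address.
# strict_host_check is UNSET here, so merge_core_server_configs
# inherits ON from the global server; that inherited value governs
# every connection to *:80.
<VirtualHost *:80>
    ServerName  app.example.test
    ServerAlias app-alias.example.test
    # Host: app.example.test / app-alias.example.test -> served here
    # Host: other.example.test -> served by the second vhost (matched)
    # Host: bogus.example.test -> HTTP 400 (no ServerName/ServerAlias
    #                             in the *:80 chain lists it)
</VirtualHost>

<VirtualHost *:80>
    ServerName other.example.test
    # Accepted by the parser but inert: the manual text in this commit
    # says only the default vhost's value for the ip:port counts.
    StrictHostCheck OFF
</VirtualHost>
```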