diff -urN stunnel-4.31/doc/stunnel.8 stunnel-4.31-xforwardfor/doc/stunnel.8 --- stunnel-4.31/doc/stunnel.8 2010-02-03 13:46:46 +0100 +++ stunnel-4.31-xforwardfor/doc/stunnel.8 2010-03-08 17:58:16 +0100 @@ -500,6 +500,10 @@ .IP "\fBtransparent\fR = yes | no (Unix only)" 4 .IX Item "transparent = yes | no (Unix only)" transparent proxy mode +.IP "\fBxforwardedfor\fR = yes | no" 4 +.IX Item "xforwardedfor = yes | no" +append an 'X-Forwarded-For:' HTTP request header providing the +client's IP address to the server. .Sp Re-write address to appear as if wrapped daemon is connecting from the \s-1SSL\s0 client machine instead of the machine running \fBstunnel\fR. diff -urN stunnel-4.31/doc/stunnel.fr.8 stunnel-4.31-xforwardfor/doc/stunnel.fr.8 --- stunnel-4.31/doc/stunnel.fr.8 2007-09-23 17:31:24 +0200 +++ stunnel-4.31-xforwardfor/doc/stunnel.fr.8 2010-03-08 18:00:52 +0100 @@ -460,6 +460,10 @@ .IP "\fBtransparent\fR = yes | no (Unix seulement)" 4 .IX Item "transparent = yes | no (Unix seulement)" Mode mandataire transparent +.IP "\fBxforwardedfor\fR = yes | no" 4 +.IX Item "xforwardedfor = yes | no" +Ajoute un en-tête 'X-Forwarded-For:' dans la requête HTTP fournissant +au serveur l'adresse IP du client. .Sp Ré\-écrit les adresses pour qu'elles apparaissent provenir de la machine client \s-1SSL\s0 plutôt que de celle qui exécute \fBstunnel\fR. diff -urN stunnel-4.31/src/client.c stunnel-4.31-xforwardfor/src/client.c --- stunnel-4.31/src/client.c 2010-01-29 11:42:16 +0100 +++ stunnel-4.31-xforwardfor/src/client.c 2010-03-08 17:58:16 +0100 @@ -88,6 +88,12 @@ return NULL; } c->opt=opt; + /* some options need space to add some information */ + if (c->opt->option.xforwardedfor) + c->buffsize = BUFFSIZE - BUFF_RESERVED; + else + c->buffsize = BUFFSIZE; + c->crlf_seen=0; c->local_rfd.fd=rfd; c->local_wfd.fd=wfd; return c; @@ -377,6 +383,28 @@ print_cipher(c); } } + +/* Moves all data from the buffer between positions and + * to insert of length . and are updated to their + * new respective values, and the number of characters inserted is returned. + * If is too long, nothing is done and -1 is returned. + * Note that neither nor can be NULL. + */ +static int buffer_insert_with_len(char *buffer, int *start, int *stop, int limit, char *string, int len) { + if (len > limit - *stop) + return -1; + if (*start > *stop) + return -1; + memmove(buffer + *start + len, buffer + *start, *stop - *start); + memcpy(buffer + *start, string, len); + *start += len; + *stop += len; + return len; +} + +static int buffer_insert(char *buffer, int *start, int *stop, int limit, char *string) { + return buffer_insert_with_len(buffer, start, stop, limit, string, strlen(string)); +} /****************************** some defines for transfer() */ /* is socket/SSL open for read/write? */ @@ -412,13 +440,13 @@ check_SSL_pending=0; SSL_read_wants_read= - ssl_rd && c->ssl_ptrssl_ptrbuffsize && !SSL_read_wants_write; SSL_write_wants_write= ssl_wr && c->sock_ptr && !SSL_write_wants_read; /****************************** setup c->fds structure */ s_poll_init(&c->fds); /* initialize the structure */ - if(sock_rd && c->sock_ptrsock_ptrbuffsize) s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0); if(SSL_read_wants_read || SSL_write_wants_read || @@ -517,7 +545,7 @@ break; default: memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num); - if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */ + if(c->ssl_ptr>=c->buffsize) /* buffer was previously full */ check_SSL_pending=1; /* check for data buffered by SSL */ c->ssl_ptr-=num; c->sock_bytes+=num; @@ -577,7 +605,7 @@ /****************************** read from socket */ if(sock_rd && sock_can_rd) { num=readsocket(c->sock_rfd->fd, - c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr); + c->sock_buff+c->sock_ptr, c->buffsize-c->sock_ptr); switch(num) { case -1: parse_socket_error(c, "readsocket"); @@ -597,10 +625,71 @@ (SSL_read_wants_write && ssl_can_wr) || (check_SSL_pending && SSL_pending(c->ssl))) { SSL_read_wants_write=0; - num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr); + num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, c->buffsize-c->ssl_ptr); switch(err=SSL_get_error(c->ssl, num)) { case SSL_ERROR_NONE: - c->ssl_ptr+=num; + if (c->buffsize != BUFFSIZE && c->opt->option.xforwardedfor) { /* some work left to do */ + int last = c->ssl_ptr; + c->ssl_ptr += num; + + /* Look for end of HTTP headers between last and ssl_ptr. + * To achieve this reliably, we have to count the number of + * successive [CR]LF and to memorize it in case it's spread + * over multiple segments. --WT. + */ + while (last < c->ssl_ptr) { + if (c->ssl_buff[last] == '\n') { + if (++c->crlf_seen == 2) + break; + } else if (last < c->ssl_ptr - 1 && + c->ssl_buff[last] == '\r' && + c->ssl_buff[last+1] == '\n') { + if (++c->crlf_seen == 2) + break; + last++; + } else if (c->ssl_buff[last] != '\r') + /* don't refuse '\r' because we may get a '\n' on next read */ + c->crlf_seen = 0; + last++; + } + if (c->crlf_seen >= 2) { + /* We have all the HTTP headers now. We don't need to + * reserve any space anymore. points to the + * first byte of unread data, and points to the + * exact location where we want to insert our headers, + * which is right before the empty line. + */ + c->buffsize = BUFFSIZE; + + if (c->opt->option.xforwardedfor) { + /* X-Forwarded-For: xxxx \r\n\0 */ + char xforw[17 + IPLEN + 3]; + + /* We will insert our X-Forwarded-For: header here. + * We need to write the IP address, but if we use + * sprintf, it will pad with the terminating 0. + * So we will pass via a temporary buffer allocated + * on the stack. + */ + memcpy(xforw, "X-Forwarded-For: ", 17); + if (getnameinfo(&c->peer_addr.addr[0].sa, + addr_len(c->peer_addr.addr[0]), + xforw + 17, IPLEN, NULL, 0, + NI_NUMERICHOST) == 0) { + strcat(xforw + 17, "\r\n"); + buffer_insert(c->ssl_buff, &last, &c->ssl_ptr, + c->buffsize, xforw); + } + /* last still points to the \r\n and ssl_ptr to the + * end of the buffer, so we may add as many headers + * as wee need to. + */ + } + } + } + else + c->ssl_ptr+=num; + watchdog=0; /* reset watchdog */ break; case SSL_ERROR_WANT_WRITE: diff -urN stunnel-4.31/src/common.h stunnel-4.31-xforwardfor/src/common.h --- stunnel-4.31/src/common.h 2010-01-29 11:38:20 +0100 +++ stunnel-4.31-xforwardfor/src/common.h 2010-03-08 17:58:53 +0100 @@ -53,6 +53,9 @@ /* I/O buffer size */ #define BUFFSIZE 16384 +/* maximum space reserved for header insertion in BUFFSIZE */ +#define BUFF_RESERVED 1024 + /* length of strings (including the terminating '\0' character) */ /* it can't be lower than 256 bytes or NTLM authentication will break */ #define STRLEN 256 diff -urN stunnel-4.31/src/options.c stunnel-4.31-xforwardfor/src/options.c --- stunnel-4.31/src/options.c 2010-01-29 11:43:23 +0100 +++ stunnel-4.31-xforwardfor/src/options.c 2010-03-08 17:58:16 +0100 @@ -792,6 +792,29 @@ } #endif + /* xforwardedfor */ + switch(cmd) { + case CMD_INIT: + section->option.xforwardedfor=0; + break; + case CMD_EXEC: + if(strcasecmp(opt, "xforwardedfor")) + break; + if(!strcasecmp(arg, "yes")) + section->option.xforwardedfor=1; + else if(!strcasecmp(arg, "no")) + section->option.xforwardedfor=0; + else + return "argument should be either 'yes' or 'no'"; + return NULL; /* OK */ + case CMD_DEFAULT: + break; + case CMD_HELP: + s_log(LOG_NOTICE, "%-15s = yes|no append an HTTP X-Forwarded-For header", + "xforwardedfor"); + break; + } + /* exec */ #ifndef USE_WIN32 switch(cmd) { diff -urN stunnel-4.31/src/prototypes.h stunnel-4.31-xforwardfor/src/prototypes.h --- stunnel-4.31/src/prototypes.h 2010-01-29 11:36:17 +0100 +++ stunnel-4.31-xforwardfor/src/prototypes.h 2010-03-08 17:59:23 +0100 @@ -166,6 +166,7 @@ unsigned int cert:1; unsigned int client:1; unsigned int delayed_lookup:1; + unsigned int xforwardedfor:1; unsigned int accept:1; unsigned int remote:1; unsigned int retry:1; /* loop remote+program */ @@ -337,6 +338,8 @@ FD *ssl_rfd, *ssl_wfd; /* read and write SSL descriptors */ int sock_bytes, ssl_bytes; /* bytes written to socket and ssl */ s_poll_set fds; /* file descriptors */ + int buffsize; /* current buffer size, may be lower than BUFFSIZE */ + int crlf_seen; /* the number of successive CRLF seen */ } CLI; extern int max_fds, max_clients;