authorGlenn Strauss <gstrauss@gluelogic.com>2020-08-12 19:12:20 -0400
committerGlenn Strauss <gstrauss@gluelogic.com>2020-08-13 13:05:12 -0400
commit0c7d250034bb2353c10382ff05b0b44dfdf27956 (patch)
tree8498647ef036ffcef0ca043b1dc15b6ea2e1e3e8 /src/mod_extforward.c
parentb600b75f2075aa64f3a6f280cd18455934c5d56f (diff)
downloadlighttpd-git-0c7d250034bb2353c10382ff05b0b44dfdf27956.tar.gz
[mod_extforward] save proto per connection
Even though request headers are per-request, update the proto on the connection level for trusted (proxy) clients. Note: the proxy must use each connection only for a single connection from a single client (typically true in practice), and not for multiple clients. proto was previously saved on connection level for mod_extforward with HAProxy PROXY protocol, but did not occur with X-Forwarded-Proto or the Forwarded request header with proto=... Before this change, modules which returned HANDLER_COMEBACK could lose HTTPS=on if the resulting request was for a backend such as mod_fastcgi. This was reported in mod_rewrite, but could also affect mod_magnet if MAGNET_RESTART_REQUEST, or mod_cgi with cgi.local-redir = "enable" x-ref: "FastCGI behavior different when using rewrite?" https://redmine.lighttpd.net/boards/2/topics/9293
Diffstat (limited to 'src/mod_extforward.c')
-rw-r--r--src/mod_extforward.c6
1 files changed, 3 insertions, 3 deletions
diff --git a/src/mod_extforward.c b/src/mod_extforward.c
index 550c5a16..d2786d04 100644
--- a/src/mod_extforward.c
+++ b/src/mod_extforward.c
@@ -606,9 +606,11 @@ static void mod_extforward_set_proto(request_st * const r, const char * const pr
http_header_env_set(r, CONST_STR_LEN("_L_EXTFORWARD_ACTUAL_PROTO"), CONST_BUF_LEN(&r->uri.scheme));
}
if (buffer_eq_icase_ss(proto, protolen, CONST_STR_LEN("https"))) {
+ r->con->proto_default_port = 443; /* "https" */
buffer_copy_string_len(&r->uri.scheme, CONST_STR_LEN("https"));
config_cond_cache_reset_item(r, COMP_HTTP_SCHEME);
} else if (buffer_eq_icase_ss(proto, protolen, CONST_STR_LEN("http"))) {
+ r->con->proto_default_port = 80; /* "http" */
buffer_copy_string_len(&r->uri.scheme, CONST_STR_LEN("http"));
config_cond_cache_reset_item(r, COMP_HTTP_SCHEME);
}
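Review bot: The two added assignments to `r->con->proto_default_port` store a value taken from a request header in connection-scoped state, so it outlives the request that carried the header, and the inline comments (`/* "https" */`, `/* "http" */`) do not say so. The commit message states the assumption that a trusted proxy does not carry several clients over one connection, but the code does not record it; a later keep-alive request that omits the proto header would presumably still be handled with the earlier value. I would put a comment above the first assignment, for example `/* connection-level: persists for later requests on this connection; relies on the trusted proxy not multiplexing clients */`. Nothing visible here saves the previous port the way `_L_EXTFORWARD_ACTUAL_PROTO` saves the previous scheme, so it is worth confirming that any restore path outside this hunk does not need it. mod_extforward_set_proto begins before the hunk and may continue after it.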
@@ -942,11 +944,9 @@ static handler_t mod_extforward_Forwarded (request_st * const r, plugin_data * c
buffer_copy_string_len(r->http_host, s+v, vlen-v);
}
- int scheme_port =
- buffer_eq_slen(&r->uri.scheme,CONST_STR_LEN("https")) ? 443 : 80;
if (0 != http_request_host_policy(r->http_host,
r->conf.http_parseopts,
- scheme_port)) {
+ r->con->proto_default_port)) {
/*(reject invalid chars in Host)*/
log_error(r->conf.errh, __FILE__, __LINE__,
"invalid host= value in Forwarded header");
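Review bot: The host policy call now reads `r->con->proto_default_port`, which matches the current request only if the `proto=` parameter of the same Forwarded header has already been applied when this line runs; that ordering is not visible in the hunk. When the header carries `host=` without `proto=`, the port is whatever an earlier request on the connection left behind, whereas the removed lines derived it from the current request's `r->uri.scheme`. A short comment such as `/*(con->proto_default_port already reflects proto= from this header, if present)*/` above the call would pin that dependency, once checked against the rest of mod_extforward_Forwarded, which starts and ends outside the hunk.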