From fa9aabd5cf19b3aacc1d3aa1bc870256cd99c675 Mon Sep 17 00:00:00 2001 From: Christophe Jaillet Date: Wed, 22 Aug 2018 21:57:37 +0000 Subject: [PATCH 1/5] When a rewrite to proxy is configured in the server config, a check is made to make sure mod_proxy is active. But the same is not done if a rewrite to proxy is configured in an .htaccess file. Basically this patch is the block of code from hook_uri2file that does the proxy check, copied to hook_fixup. Patch provided by Michael Streeter [mstreeter1 gmail.com], slightly modified to use a new APLOGNO PR 56264 git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1838684 13f79535-47bb-0310-9956-ffa450edef68 (cherry picked from commit d8ba15241607c67b033609a5a7dddbfa13b74c5d) --- modules/mappers/mod_rewrite.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index 0bf44049238..a3039a34221 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -5342,6 +5342,16 @@ static int hook_fixup(request_rec *r) if (to_proxyreq) { /* it should go on as an internal proxy request */ + /* check if the proxy module is enabled, so + * we can actually use it! + */ + if (!proxy_available) { + ap_log_rerror(APLOG_MARK, APLOG_ERR, 0, r, APLOGNO(10160) + "attempt to make remote request from mod_rewrite " + "without proxy enabled: %s", r->filename); + return HTTP_FORBIDDEN; + } + /* make sure the QUERY_STRING and * PATH_INFO parts get incorporated * (r->path_info was already appended by the From 2348d39fedf04eab6caaf8d7903d203d3a4b0edd Mon Sep 17 00:00:00 2001 
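Review bot: The comment added above the `proxy_available` check in hook_fixup says what is tested but not why the request is refused, and the log text gives no hint that the rule came from per-directory context. Per the commit message this block is a copy of the one in hook_uri2file, so apart from the APLOGNO an operator presumably cannot tell the two paths apart in the error log. I would reword the comment to something like `/* per-dir [P] rule but mod_proxy is not loaded: fail closed rather than hand a "proxy:" filename to later hooks */` and add `(per-dir)` to the message text. hook_fixup starts and ends outside this hunk, so what later hooks would do with the filename is inferred rather than visible here.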
From: Yann Ylavic Date: Wed, 11 Sep 2024 15:30:08 +0000 Subject: [PATCH 2/5] mod_rewrite, mod_proxy: mod_proxy to cononicalize rewritten [P] URLs. PR 69235. When mod_rewrite sets a "proxy:" URL with [P], it should be canonicalized by mod_proxy still, notably to handle any "unix:" local socket part. To avoid double encoding in perdir context, a follow up commit should remove the ap_escape_uri() done in mod_rewrite since it's now on mod_proxy to canonicalize, per PR 69260. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920570 13f79535-47bb-0310-9956-ffa450edef68 (cherry picked from commit c9dc4bb61befa4f3772de4aec0b892e728b94145) --- changes-entries/pr69235.txt | 2 ++ modules/mappers/mod_rewrite.c | 13 ++++++------- modules/proxy/mod_proxy.c | 13 ++++++------- 3 files changed, 14 insertions(+), 14 deletions(-) create mode 100644 changes-entries/pr69235.txt diff --git a/changes-entries/pr69235.txt b/changes-entries/pr69235.txt new file mode 100644 index 00000000000..bbd37e2b0fd --- /dev/null +++ b/changes-entries/pr69235.txt @@ -0,0 +1,2 @@ + *) mod_rewrite, mod_proxy: mod_proxy to cononicalize rewritten [P] URLs, + including "unix:" ones. PR 69235. [Yann Ylavic] diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index a3039a34221..d7cb194f742 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -5658,10 +5658,7 @@ static void ap_register_rewrite_mapfunc(char *name, rewrite_mapfunc_t *func) static void register_hooks(apr_pool_t *p) { - /* fixup after mod_proxy, so that the proxied url will not - * escaped accidentally by mod_proxy's fixup. - */ - static const char * const aszPre[]={ "mod_proxy.c", NULL }; + static const char * const aszModProxy[] = { "mod_proxy.c", NULL }; /* make the hashtable before registering the function, so that * other modules are prevented from accessing uninitialized memory. 
@@ -5673,10 +5670,12 @@ static void register_hooks(apr_pool_t *p) ap_hook_pre_config(pre_config, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_post_config(post_config, NULL, NULL, APR_HOOK_MIDDLE); ap_hook_child_init(init_child, NULL, NULL, APR_HOOK_MIDDLE); - - ap_hook_fixups(hook_fixup, aszPre, NULL, APR_HOOK_FIRST); + + /* allow to change the uri before mod_proxy takes over it */ + ap_hook_translate_name(hook_uri2file, NULL, aszModProxy, APR_HOOK_FIRST); + /* fixup before mod_proxy so that a [P] URL gets fixed up there */ + ap_hook_fixups(hook_fixup, NULL, aszModProxy, APR_HOOK_FIRST); ap_hook_fixups(hook_mimetype, NULL, NULL, APR_HOOK_LAST); - ap_hook_translate_name(hook_uri2file, NULL, NULL, APR_HOOK_FIRST); } /* the main config structure */ diff --git a/modules/proxy/mod_proxy.c b/modules/proxy/mod_proxy.c index 756c41c4a1d..ab29c321df8 100644 --- a/modules/proxy/mod_proxy.c +++ b/modules/proxy/mod_proxy.c 
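Review bot: The two new comments in register_hooks describe the ordering but not the invariant it protects: once hook_fixup runs before mod_proxy, the escaping of a per-directory [P] URL depends entirely on mod_proxy's fixup running afterwards. "Gets fixed up there" is too vague for a constraint whose violation would send an unescaped or double-escaped URL to the backend. I would spell it out, e.g. `/* fixup before mod_proxy: a per-dir [P] URL is canonicalized (escaped, "unix:" handled) by mod_proxy's fixup, so this order must be kept */`. The same wording issue applies to the matching comments in the mod_proxy.c hunk of this patch.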
@@ -3347,27 +3347,26 @@ static int proxy_pre_config(apr_pool_t *pconf, apr_pool_t *plog, } static void register_hooks(apr_pool_t *p) { - /* fixup before mod_rewrite, so that the proxied url will not - * escaped accidentally by our fixup. - */ - static const char * const aszSucc[] = { "mod_rewrite.c", NULL}; /* Only the mpm_winnt has child init hook handler. * make sure that we are called after the mpm * initializes. */ static const char *const aszPred[] = { "mpm_winnt.c", "mod_proxy_balancer.c", "mod_proxy_hcheck.c", NULL}; + static const char * const aszModRewrite[] = { "mod_rewrite.c", NULL }; + /* handler */ ap_hook_handler(proxy_handler, NULL, NULL, APR_HOOK_FIRST); /* filename-to-URI translation */ ap_hook_pre_translate_name(proxy_pre_translate_name, NULL, NULL, APR_HOOK_MIDDLE); - ap_hook_translate_name(proxy_translate_name, aszSucc, NULL, + /* mod_rewrite has a say on the uri before proxy translation */ + ap_hook_translate_name(proxy_translate_name, aszModRewrite, NULL, APR_HOOK_FIRST); /* walk entries and suppress default TRACE behavior */ ap_hook_map_to_storage(proxy_map_location, NULL,NULL, APR_HOOK_FIRST); - /* fixups */ - ap_hook_fixups(proxy_fixup, NULL, aszSucc, APR_HOOK_FIRST); + /* fixup after mod_rewrite so that a [P] URL from there gets fixed up */ + ap_hook_fixups(proxy_fixup, aszModRewrite, NULL, APR_HOOK_FIRST); /* post read_request handling */ ap_hook_post_read_request(proxy_detect, NULL, NULL, APR_HOOK_FIRST); /* pre config handling */ From 904afc8bdeb87624c11ec1673daa474bee93d74d Mon Sep 17 00:00:00 2001 
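Review bot: The ordering between the two modules is now declared twice with nothing tying the declarations together: here through `aszModRewrite` as predecessor of proxy_translate_name and proxy_fixup, and in mod_rewrite's register_hooks through `aszModProxy` as successor of its hooks. The two sides agree in this patch, but a later edit to one side alone would leave the other stating a stale constraint, and how the hook sorter treats a contradictory pair is not visible here. A cross-reference in the comment would help, e.g. `/* fixup after mod_rewrite (mirrored by aszModProxy in mod_rewrite.c; change both together) */`.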
From: Ruediger Pluem Date: Wed, 11 Sep 2024 15:56:33 +0000 Subject: [PATCH 3/5] * Leave the proper escaping of the URL and the adding of r->args to the proxy module which runs after us after r1920570. Just take care to add r->args in case the proxy rule has the [NE] flag set and tell the proxy module to not escape in this case. git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920571 13f79535-47bb-0310-9956-ffa450edef68 (cherry picked from commit 4348e8cb7d8c41b1c8019ceb0a1612bb4a3384f7) --- modules/mappers/mod_rewrite.c | 29 ++++++++++------------------- 1 file changed, 10 insertions(+), 19 deletions(-) diff --git a/modules/mappers/mod_rewrite.c b/modules/mappers/mod_rewrite.c index d7cb194f742..93430e5952e 100644 --- a/modules/mappers/mod_rewrite.c +++ b/modules/mappers/mod_rewrite.c @@ -4515,20 +4515,6 @@ static rule_return_type apply_rewrite_rule(rewriterule_entry *p, * ourself). */ if (p->flags & RULEFLAG_PROXY) { - /* For rules evaluated in server context, the mod_proxy fixup - * hook can be relied upon to escape the URI as and when - * necessary, since it occurs later. If in directory context, - * the ordering of the fixup hooks is forced such that - * mod_proxy comes first, so the URI must be escaped here - * instead. See PR 39746, 46428, and other headaches. */ - if (ctx->perdir && (p->flags & RULEFLAG_NOESCAPE) == 0) { - char *old_filename = r->filename; - - r->filename = ap_escape_uri(r->pool, r->filename); - rewritelog(r, 2, ctx->perdir, "escaped URI in per-dir context " - "for proxy, %s -> %s", old_filename, r->filename); - } - fully_qualify_uri(r); rewritelog(r, 2, ctx->perdir, "forcing proxy-throughput with %s", @@ -5051,7 +5037,7 @@ static int hook_uri2file(request_rec *r) } if ((r->args != NULL) && ((r->proxyreq == PROXYREQ_PROXY) - || (rulestatus == ACTION_NOESCAPE))) { + || apr_table_get(r->notes, "proxy-nocanon"))) { /* see proxy_http:proxy_http_canon() */ r->filename = apr_pstrcat(r->pool, r->filename, "?", r->args, NULL); 
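Review bot: In the hook_uri2file hunk the condition now tests for the presence of the `proxy-nocanon` request note instead of this rule's own `rulestatus`, so the query string is appended for any request that already carries the note, whoever set it and whatever its value. The code that sets the note in hook_uri2file is outside the hunk, so this cannot be confirmed from here. If only the [NE] path sets it, a comment such as `/* note set above for [NE]: mod_proxy will neither add nor escape r->args, so append them here */` would make that dependency explicit. The literal `"proxy-nocanon"` is also used twice in the hook_fixup hunk of this patch, and a single `#define` for the key would keep the three uses from drifting.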
@@ -5352,13 +5338,18 @@ static int hook_fixup(request_rec *r) return HTTP_FORBIDDEN; } - /* make sure the QUERY_STRING and - * PATH_INFO parts get incorporated + if (rulestatus == ACTION_NOESCAPE) { + apr_table_setn(r->notes, "proxy-nocanon", "1"); + } + + /* make sure the QUERY_STRING gets incorporated in the case + * [NE] was specified on the Proxy rule. We are preventing + * mod_proxy canon handler from incorporating r->args as well + * as escaping the URL. * (r->path_info was already appended by the * rewriting engine because of the per-dir context!) */ - if (r->args != NULL) { - /* see proxy_http:proxy_http_canon() */ + if ((r->args != NULL) && apr_table_get(r->notes, "proxy-nocanon")) { r->filename = apr_pstrcat(r->pool, r->filename, "?", r->args, NULL); } From 4b3163688ca851c42001d7c2f03f0ed7ccc65f58 Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Wed, 11 Sep 2024 16:06:04 +0000 Subject: [PATCH 4/5] * Mention the additional bug git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1920572 13f79535-47bb-0310-9956-ffa450edef68 (cherry picked from commit 197ed7781662f3d764979df46cf6f2ad15f0b93d) --- changes-entries/pr69235.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/changes-entries/pr69235.txt b/changes-entries/pr69235.txt index bbd37e2b0fd..55a3f77af4b 100644 --- a/changes-entries/pr69235.txt +++ b/changes-entries/pr69235.txt @@ -1,2 +1,2 @@ *) mod_rewrite, mod_proxy: mod_proxy to cononicalize rewritten [P] URLs, - including "unix:" ones. PR 69235. [Yann Ylavic] + including "unix:" ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem] From 3b06b624fd4ce98c1450d595ad4b9f3aa08da4e1 Mon Sep 17 00:00:00 2001 From: Ruediger Pluem Date: Fri, 27 Sep 2024 17:29:43 +0200 Subject: [PATCH 5/5] Add changes entry for PR 56264 --- changes-entries/pr56264.txt | 3 +++ changes-entries/pr69235.txt | 2 +- 2 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 changes-entries/pr56264.txt 
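Review bot: In hook_fixup the new comment explains that mod_proxy will neither escape the URL nor add r->args once `proxy-nocanon` is set, but it does not say that the flag comes from a rule in per-directory context, i.e. possibly from an .htaccess author rather than the server administrator. With the note set, r->filename and the client-supplied query string are concatenated here and handed on without escaping, so any rejection of control characters or spaces has to happen in mod_proxy's nocanon path, which is not visible in this patch. I would add a line such as `* Nothing below escapes r->filename or r->args; mod_proxy's nocanon handling is the only remaining check.` to the comment, after confirming that it holds. hook_fixup starts and ends outside this hunk.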
diff --git a/changes-entries/pr56264.txt b/changes-entries/pr56264.txt
new file mode 100644
index 00000000000..3a95a792420
--- /dev/null
+++ b/changes-entries/pr56264.txt
@@ -0,0 +1,3 @@
+ *) mod_rewrite: Error out in case a RewriteRule in directory context uses the
+ proxy, but mod_proxy is not loaded. PR 56264.
+ [Christophe Jaillet, Michael Streeter ]
diff --git a/changes-entries/pr69235.txt b/changes-entries/pr69235.txt
index 55a3f77af4b..be812e4dc86 100644
--- a/changes-entries/pr69235.txt
+++ b/changes-entries/pr69235.txt
@@ -1,2 +1,2 @@
- *) mod_rewrite, mod_proxy: mod_proxy to cononicalize rewritten [P] URLs,
+ *) mod_rewrite, mod_proxy: mod_proxy to canonicalize rewritten [P] URLs,
 including "unix:" ones. PR 69235, PR 69260. [Yann Ylavic, Ruediger Pluem]