diff -uNr ffproxy-1.5.1/ChangeLog ffproxy-1.6-RC1/ChangeLog --- ffproxy-1.5.1/ChangeLog Sun Aug 17 19:42:46 2003 +++ ffproxy-1.6-RC1/ChangeLog Mon Jun 7 23:33:16 2004 @@ -1,3 +1,17 @@ +Version 1.6 +============ + +* added CONNECT request method to + support HTTPS proxying + (see section HTTPS OPERATION + in ffproxy(8)) + +* new configuration options + unrestriced_connect and + timeout_connect + +* updated documentation accordingly + Version 1.5.1 ============= diff -uNr ffproxy-1.5.1/README ffproxy-1.6-RC1/README --- ffproxy-1.5.1/README Sun Aug 17 20:35:26 2003 +++ ffproxy-1.6-RC1/README Mon Jun 7 23:34:00 2004 @@ -1,7 +1,7 @@ Description =========== -ffproxy is a filtering HTTP proxy server. It is able to filter by host, +ffproxy is a filtering HTTP(S) proxy server. It is able to filter by host, url, and header. Custom header entries can be filtered and added. It can even drop its privileges and chroot(2) to some directory. Logging to syslogd(8) is supported, as is using another auxiliary proxy server. diff -uNr ffproxy-1.5.1/access.c ffproxy-1.6-RC1/access.c --- ffproxy-1.5.1/access.c Fri Aug 8 14:10:28 2003 +++ ffproxy-1.6-RC1/access.c Tue Jun 8 08:07:12 2004 @@ -1,9 +1,8 @@ /* * ffproxy (c) 2002, 2003 Niklas Olmes - * * http://faith.eu.org * - * $Id: access.c,v 1.7 2003/08/08 14:10:28 niklas Exp $ + * $Id: access.c,v 2.0 2004/06/08 06:39:51 niklas Exp $ * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free diff -uNr ffproxy-1.5.1/alloc.c ffproxy-1.6-RC1/alloc.c --- ffproxy-1.5.1/alloc.c Fri Aug 8 14:10:28 2003 +++ ffproxy-1.6-RC1/alloc.c Tue Jun 8 08:07:12 2004 
@@ -1,9 +1,8 @@
 /*
 * ffproxy (c) 2002, 2003 Niklas Olmes
- *
 * http://faith.eu.org
 *
- * $Id: alloc.c,v 1.5 2003/08/08 14:10:28 niklas Exp $
+ * $Id: alloc.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
diff -uNr ffproxy-1.5.1/cfg.h ffproxy-1.6-RC1/cfg.h
--- ffproxy-1.5.1/cfg.h Sun Aug 17 19:11:07 2003
+++ ffproxy-1.6-RC1/cfg.h Mon Jun 7 22:42:34 2004
@@ -34,6 +34,9 @@
 int kalive;
+ int unr_con;
+ int to_con;
+
 int nowarn;
 int first;
 };
diff -uNr ffproxy-1.5.1/db.c ffproxy-1.6-RC1/db.c
--- ffproxy-1.5.1/db.c Sun Aug 17 19:57:52 2003
+++ ffproxy-1.6-RC1/db.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
- * ffproxy (c) 2002, 2003 Niklas Olmes
- *
+ * ffproxy (c) 2002-2004 Niklas Olmes
 * http://faith.eu.org
 *
- * $Id: db.c,v 1.23.2.1 2003/08/17 19:57:52 niklas Exp $
+ * $Id: db.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
@@ -357,6 +356,15 @@
 config.kalive = 1;
 else
 config.kalive = 0;
+ continue;
+ } else if (strcmp("unrestricted_connect", obuf) == 0) {
+ if (strcmp(abuf, "yes") == 0)
+ config.unr_con = 1;
+ else
+ config.unr_con = 0;
+ continue;
+ } else if (strcmp("timeout_connect", obuf) == 0) {
+ config.to_con = atoi(abuf);
 continue;
 } else if (!config.first) {
 continue;
diff -uNr ffproxy-1.5.1/dns.c ffproxy-1.6-RC1/dns.c
--- ffproxy-1.5.1/dns.c Fri Aug 8 14:10:28 2003
+++ ffproxy-1.6-RC1/dns.c Tue Jun 8 08:07:12 2004
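Review bot: `config.to_con = atoi(abuf);` in the new `timeout_connect` branch of db.c stores whatever atoi() produces, so a mistyped value, `0` or a negative number is accepted silently; that value later becomes `tv_sec` of the select(2) timeout in request.c's CONNECT relay, where zero or a negative value ends the relay loop on the first idle or failing select() and the tunnel is closed as soon as no data is pending. Parse it with strtol and keep the default on bad input, e.g. `char *end; long v = strtol(abuf, &end, 10);` followed by `if (end != abuf && *end == '\0' && v > 0 && v <= INT_MAX) config.to_con = (int) v;`. The `unrestricted_connect` branch above it is fine as written. The enclosing configuration parser starts and ends outside the hunk.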
@@ -1,9 +1,8 @@ /* * ffproxy (c) 2002, 2003 Niklas Olmes - * * http://faith.eu.org * - * $Id: dns.c,v 1.7 2003/08/08 14:10:28 niklas Exp $ + * $Id: dns.c,v 2.0 2004/06/08 06:39:51 niklas Exp $ * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free diff -uNr ffproxy-1.5.1/ffproxy.8 ffproxy-1.6-RC1/ffproxy.8 --- ffproxy-1.5.1/ffproxy.8 Sun Aug 17 20:10:22 2003 +++ ffproxy-1.6-RC1/ffproxy.8 Mon Jun 7 23:19:03 2004 @@ -1,12 +1,12 @@ .\" $Id: ffproxy.8,v 1.8.2.2 2003/08/17 20:10:22 niklas Exp $ -.\" Copyright (c) 2002, 2003 Niklas Olmes +.\" Copyright (c) 2002-2004 Niklas Olmes .\" See COPYING for license (GNU GPL) .\" http://faith.eu.org -.Dd August 18, 2003 +.Dd June 8, 2004 .Dt ffproxy 8 .Sh NAME .Nm ffproxy -.Nd filtering HTTP proxy server +.Nd filtering HTTP(S) proxy server .Sh SYNOPSIS .Nm ffproxy .Op Fl p Ar port @@ -23,7 +23,7 @@ .Op Fl ds4bBhv .Sh DESCRIPTION .Nm ffproxy -is a filtering HTTP proxy server. It is able to filter +is a filtering HTTP(S) proxy server. It is able to filter by host, url, and header. Custom header entries can be filtered and added. It can even drop its privileges and .Xr chroot 2 @@ -256,7 +256,7 @@ (`Host:' hast to be removed from default .Pa filter.header.entry , of course). To change this, use `accel_user_host no' -in configuration file. ``Host: accel_host:accel_port'' +in the configuration file. ``Host: accel_host:accel_port'' will be used then. .Sh TRANSPARENT OPERATION It is possible to redirect all HTTP traffic, that is, 
@@ -280,6 +280,12 @@ The program supports keep alive on client to proxy connections. This is used automatically by default and may be disabled by setting `use_keep_alive no' in the configuration file. +.Sh HTTPS OPERATION +The proxy allows HTTPS proxying via implementation of the +CONNECT request method. By default, only port 443 is +allowed for CONNECT. This may be changed by using +`unrestricted_connect yes' in the configuration file. +Timeout may also be tuned by `timeout_connect seconds'. .Sh RELOADING CONFIGURATION Send a SIGHUP to the pid of the ffproxy master process to let it reload db/ files, html/ files, *and* configuration file. @@ -348,7 +354,7 @@ Dobrica Pavlinusic provided patches for http accelerator feature .Sh VERSION -This manual documents ffproxy 1.5.1 (2003-08-18). +This manual documents ffproxy 1.6 (2004-06-08). .Pp Send bug reports, comments, suggestions to .Sh AUTHOR diff -uNr ffproxy-1.5.1/ffproxy.conf.5 ffproxy-1.6-RC1/ffproxy.conf.5 --- ffproxy-1.5.1/ffproxy.conf.5 Sun Aug 17 19:57:52 2003 +++ ffproxy-1.6-RC1/ffproxy.conf.5 Mon Jun 7 23:13:34 2004 @@ -1,15 +1,15 @@ .\" $Id: ffproxy.conf.5,v 1.9.2.1 2003/08/17 19:57:52 niklas Exp $ -.\" Copyright (c) 2002, 2003 Niklas Olmes +.\" Copyright (c) 2002-2004 Niklas Olmes .\" See COPYING for license (GNU GPL) .\" http://faith.eu.org -.Dd August 18, 2003 +.Dd June 8, 2004 .Dt ffproxy.conf 5 .Sh NAME .Nm ffproxy.conf -.Nd filtering HTTP proxy server configuration file +.Nd filtering HTTP(S) proxy server configuration file .Sh DESCRIPTION .Nm ffproxy -is a filtering HTTP proxy server. It is able to filter +is a filtering HTTP(S) proxy server. It is able to filter by host, url, and header. Custom header entries can be filtered and added. It can even drop its privileges and .Xr chroot 2 @@ -56,6 +56,8 @@ accel_port accel_user_host use_keep_alive +unrestricted_connect +timeout_connect backlog_size .Ed .Pp 
@@ -187,13 +189,24 @@ #use_keep_alive no #use_keep_alive yes +# allow CONNECT request to other than port 443 (HTTPS) +# (CONNECT enables HTTPS proxying) +# (disabled by default for security) +#unrestricted_connect yes +#unrestricted_connect no + +# timeout for CONNECT requests in seconds +# (default: 5) +#timeout_connect 20 +#timeout_connect 5 + # backlog size for accept() # (default: 4) #backlog_size 16 #backlog_size 4 .Ed .Sh VERSION -This manual documents ffproxy 1.5.1 (2003-08-18). +This manual documents ffproxy 1.6 (2004-06-08). .Sh FILES .Pa /etc/ffproxy.conf default configuration file diff -uNr ffproxy-1.5.1/ffproxy.quick.7 ffproxy-1.6-RC1/ffproxy.quick.7 --- ffproxy-1.5.1/ffproxy.quick.7 Sun Aug 17 19:57:52 2003 +++ ffproxy-1.6-RC1/ffproxy.quick.7 Mon Jun 7 23:13:19 2004 @@ -1,15 +1,15 @@ .\" $Id: ffproxy.quick.7,v 1.5.2.1 2003/08/17 19:57:52 niklas Exp $ -.\" Copyright (c) 2002, 2003 Niklas Olmes +.\" Copyright (c) 2002-2004 Niklas Olmes .\" See COPYING for license (GNU GPL) .\" http://faith.eu.org -.Dd August 18, 2003 +.Dd June 8, 2004 .Dt ffproxy.quick 7 .Sh NAME .Nm ffproxy.quick -.Nd filtering HTTP proxy server quick introduction +.Nd filtering HTTP(S) proxy server quick introduction .Sh DESCRIPTION .Nm ffproxy -is a filtering HTTP proxy server. It is able to filter +is a filtering HTTP(S) proxy server. It is able to filter by host, url, and header. Custom header entries can be filtered and added. It can even drop its privileges and .Xr chroot 2 @@ -138,7 +138,7 @@ .Pa /etc/pf.conf . See your NAT's documentation for details on how to do this. .Sh VERSION -This manual documents ffproxy 1.5.1 (2003-08-18). +This manual documents ffproxy 1.6 (2004-06-08). .Sh SEE ALSO .Xr ffproxy 8 , .Xr ffproxy.conf 5 , diff -uNr ffproxy-1.5.1/file.c ffproxy-1.6-RC1/file.c --- ffproxy-1.5.1/file.c Sun Jul 20 10:38:23 2003 +++ ffproxy-1.6-RC1/file.c Tue Jun 8 08:07:12 2004 
@@ -1,9 +1,8 @@
 /*
 * ffproxy (c) 2002, 2003 Niklas Olmes
- *
 * http://faith.eu.org
 *
- * $Id: file.c,v 1.4 2003/07/20 10:38:23 niklas Exp $
+ * $Id: file.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
diff -uNr ffproxy-1.5.1/filter.c ffproxy-1.6-RC1/filter.c
--- ffproxy-1.5.1/filter.c Sun Aug 17 19:57:52 2003
+++ ffproxy-1.6-RC1/filter.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
 * ffproxy (c) 2002, 2003 Niklas Olmes
- *
 * http://faith.eu.org
 *
- * $Id: filter.c,v 1.10.2.1 2003/08/17 19:57:52 niklas Exp $
+ * $Id: filter.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
diff -uNr ffproxy-1.5.1/http.c ffproxy-1.6-RC1/http.c
--- ffproxy-1.5.1/http.c Sun Aug 17 19:57:52 2003
+++ ffproxy-1.6-RC1/http.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
- * ffproxy (c) 2002, 2003 Niklas Olmes
- *
+ * ffproxy (c) 2002-2004 Niklas Olmes
 * http://faith.eu.org
 *
- * $Id: http.c,v 1.7.2.1 2003/08/17 19:57:52 niklas Exp $
+ * $Id: http.c,v 2.0 2004/06/08 08:07:06 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
@@ -34,6 +33,7 @@
 static const char http_get[] = "GET ";
 static const char http_post[] = "POST ";
 static const char http_head[] = "HEAD ";
+static const char http_connect[] = "CONNECT ";
 static const char http[] = "http://";
 static const char httpv[] = "HTTP/";
@@ -53,6 +53,9 @@
 } else if (strncmp(http_head, s, strlen(http_head)) == 0) {
 r->type = HEAD;
 s += strlen(http_head);
+ } else if (strncmp(http_connect, s, strlen(http_connect)) == 0) {
+ r->type = CONNECT;
+ s += strlen(http_connect);
 } else {
 r->type = UNKNOWN;
 return -1;
@@ -112,6 +115,9 @@
 return -1;
 }
+ if (r->type == CONNECT)
+ *r->url = '\0';
+
 DEBUG(("http_url() => extracted urlpath (%s)", r->urlpath));
 DEBUG(("http_url() => extracted url (%s)", r->url));
@@ -143,7 +149,7 @@
 p = r->url;
 p += strlen(http);
- if(r->relative)
+ if(r->relative || r->type == CONNECT)
 return 0;
 i = 0;
@@ -218,7 +224,10 @@
 }
 DEBUG(("http_rel() => extracted port %d", r->port));
 } else {
- r->port = 80;
+ if (r->type == CONNECT)
+ r->port = 443;
+ else
+ r->port = 80;
 }
 if (strlen(r->url) + strlen(http) + strlen(r->host) + 7 >= sizeof(r->url)) {
 DEBUG(("http_rel() => URL will get too long"));
diff -uNr ffproxy-1.5.1/main.c ffproxy-1.6-RC1/main.c
--- ffproxy-1.5.1/main.c Sun Aug 17 19:57:52 2003
+++ ffproxy-1.6-RC1/main.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
- * ffproxy (c) 2002, 2003 Niklas Olmes
- *
+ * ffproxy (c) 2002-2004 Niklas Olmes
 * http://faith.eu.org
 *
- * $Id: main.c,v 1.26.2.2 2003/08/17 19:57:52 niklas Exp $
+ * $Id: main.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
@@ -60,8 +59,8 @@
 static void usage(void);
 static void drop_privileges(void);
-static const char version[] = "1.5.1";
-static const char rcsid[] = "$Id: main.c,v 1.26.2.2 2003/08/17 19:57:52 niklas Exp $";
+static const char version[] = "1.6-RC1";
+static const char rcsid[] = "$Id: main.c,v 2.0 2004/06/08 06:39:51 niklas Exp $";
 char loop_header[100];
 struct cfg config;
@@ -103,6 +102,8 @@
 *config.accelhost = '\0';
 config.accelport = 80;
 config.kalive = 1;
+ config.unr_con = 0;
+ config.to_con = 5;
 config.first = 1;
 while ((c = getopt(argc, argv, "vdbBc:C:p:x:X:l:u:g:r:D:F:f:s4a:A:h")) != -1) {
@@ -261,7 +262,7 @@ (void) fprintf(fp, "%ld", (long) getpid()); (void) fclose(fp); } - (void) snprintf(loop_header, sizeof(loop_header), "X-Loop-%d-%d: true", getpid(), time(NULL)); + (void) snprintf(loop_header, sizeof(loop_header), "X-Loop-%d-%d: true", getpid(), (int) time(NULL)); init_sighandlers(); open_socket(); @@ -273,7 +274,7 @@ static void usage(void) { - (void) fprintf(stderr, "ffproxy %s -- (c) 2002, 2003 Niklas Olmes \n", version); + (void) fprintf(stderr, "ffproxy %s -- (c) 2002-2004 Niklas Olmes \n", version); (void) fprintf(stderr, " GNU GPL. Website: http://faith.eu.org/programs.html\n"); (void) fprintf(stderr, "usage: ffproxy [-vhds4bB] [-c host|ip] [-C host|ip] [-p port]\n" @@ -284,7 +285,8 @@ " -4 use IPv4 only. don't try contacting via IPv6.\n" " -b do *not* bind to IPv4\n" " -B do *not* bind to IPv6\n" - " -c host|ip bind to IPv4 address (default is any)\n" + " -c host|ip bind to IPv4 address (default is any)\n"); + (void) fprintf(stderr, " -C host|ip bind to IPv6 address (default is any)\n" " -p port bind to port\n" " -x host|ip auxiliary forward proxy\n" diff -uNr ffproxy-1.5.1/msg.c ffproxy-1.6-RC1/msg.c --- ffproxy-1.5.1/msg.c Fri Aug 8 14:10:28 2003 +++ ffproxy-1.6-RC1/msg.c Tue Jun 8 08:07:12 2004 @@ -1,9 +1,8 @@ /* * ffproxy (c) 2002, 2003 Niklas Olmes - * * http://faith.eu.org * - * $Id: msg.c,v 1.9 2003/08/08 14:10:28 niklas Exp $ + * $Id: msg.c,v 2.0 2004/06/08 06:39:51 niklas Exp $ * * This program is free software; you can redistribute it and/or modify it under * the terms of the GNU General Public License as published by the Free diff -uNr ffproxy-1.5.1/poll.c ffproxy-1.6-RC1/poll.c --- ffproxy-1.5.1/poll.c Sun Jul 20 10:38:23 2003 +++ ffproxy-1.6-RC1/poll.c Tue Jun 8 08:07:12 2004 
@@ -1,9 +1,8 @@
 /*
 * ffproxy (c) 2002, 2003 Niklas Olmes
- *
 * http://faith.eu.org
 *
- * $Id: poll.c,v 1.4 2003/07/20 10:38:23 niklas Exp $
+ * $Id: poll.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
diff -uNr ffproxy-1.5.1/print.c ffproxy-1.6-RC1/print.c
--- ffproxy-1.5.1/print.c Fri Aug 8 14:10:28 2003
+++ ffproxy-1.6-RC1/print.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
 * ffproxy (c) 2002, 2003 Niklas Olmes
- *
 * http://faith.eu.org
 *
- * $Id: print.c,v 1.11 2003/08/08 14:10:28 niklas Exp $
+ * $Id: print.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
@@ -22,6 +21,7 @@
 #include
 #include
+#include
 #include
 #include "cfg.h"
diff -uNr ffproxy-1.5.1/regex.c ffproxy-1.6-RC1/regex.c
--- ffproxy-1.5.1/regex.c Sun Jul 20 10:38:23 2003
+++ ffproxy-1.6-RC1/regex.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
 * ffproxy (c) 2002, 2003 Niklas Olmes
- *
 * http://faith.eu.org
 *
- * $Id: regex.c,v 1.4 2003/07/20 10:38:23 niklas Exp $
+ * $Id: regex.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
diff -uNr ffproxy-1.5.1/req.h ffproxy-1.6-RC1/req.h
--- ffproxy-1.5.1/req.h Sun Aug 17 04:46:50 2003
+++ ffproxy-1.6-RC1/req.h Mon Jun 7 12:11:55 2004
@@ -32,5 +32,5 @@
 };
 enum {
- GET = 0, POST, HEAD, UNKNOWN
+ GET = 0, POST, HEAD, CONNECT, UNKNOWN
 };
diff -uNr ffproxy-1.5.1/request.c ffproxy-1.6-RC1/request.c
--- ffproxy-1.5.1/request.c Sun Aug 17 19:57:52 2003
+++ ffproxy-1.6-RC1/request.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
- * ffproxy (c) 2002, 2003 Niklas Olmes
- *
+ * ffproxy (c) 2002-2004 Niklas Olmes
 * http://faith.eu.org
 *
- * $Id: request.c,v 1.25.2.1 2003/08/17 19:57:52 niklas Exp $
+ * $Id: request.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
@@ -62,7 +61,52 @@
 r.loop = 0;
- if (read_header(cl, &r) != 0) {
+ if (r.type == CONNECT) {
+ DEBUG(("handle_request => CONNECT request detected"));
+ if (read_header(cl, &r) != 0) {
+ info("invalid CONNECT header from (%s) [%s]",
+ clinfo->name, clinfo->ip);
+ err_msg(cl, &r, E_INV);
+ } else if (r.port != 443 && ! config.unr_con) {
+ info("invalid CONNECT port (%d) for host (%s) from (%s) [%s]",
+ r.port, r.host, clinfo->name, clinfo->ip);
+ err_msg(cl, &r, E_INV);
+ } else if (filter_request(&r) != 0) {
+ info("filtered CONNECT request for (%s:%d) from (%s) [%s]",
+ r.host, r.port, clinfo->name, clinfo->ip);
+ } else {
+ if (config.logrequests) {
+ if (r.port == 443)
+ info("HTTPS CONNECT to (%s) from (%s) [%s]",
+ r.host, clinfo->name, clinfo->ip);
+ else
+ info("CONNECT to host (%s:%d) from (%s) [%s]",
+ r.host, r.port, clinfo->ip);
+ }
+ i = do_request(cl, &r);
+ switch (i) {
+ case E_INV:
+ info("invalid CONNECT request for (%s:%d) from (%s) [%s]", r.host, r.port, clinfo->name, clinfo->ip);
+ break;
+ case E_RES:
+ info("resolve failure for host (%s) from (%s) [%s]", r.host, clinfo->name, clinfo->ip);
+ break;
+ case E_CON:
+ info("connection failure for host (%s) from (%s) [%s]", r.host, clinfo->name, clinfo->ip);
+ break;
+ default:
+ i = 0;
+ }
+ if (i != 0) {
+ err_msg(cl, &r, i);
+ r.kalive = 0;
+ }
+ }
+ i = 0;
+ while (r.header[i] != NULL)
+ free(r.header[i++]);
+ r.header[0] = NULL;
+ } else if (read_header(cl, &r) != 0) {
 info("invalid header from (%s) [%s]",
 clinfo->name, clinfo->ip);
 err_msg(cl, &r, E_INV);
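Review bot: `info("CONNECT to host (%s:%d) from (%s) [%s]", r.host, r.port, clinfo->ip);` in the `config.logrequests` branch passes three arguments for four conversions, so the final `%s` reads an indeterminate pointer — undefined behaviour that can crash the handling process or put stack garbage into the log whenever a non-443 CONNECT is logged under `unrestricted_connect yes`. The sibling call just above it has the intended list; change the argument line to `r.host, r.port, clinfo->name, clinfo->ip);`. Separately, the `default: i = 0;` arm turns every do_request() result other than E_INV/E_RES/E_CON into success without sending anything to the client; if that is deliberate it should say so in a comment, since the non-CONNECT path outside the hunk presumably handles more codes. The enclosing function starts before the hunk and continues after it.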
@@ -197,6 +241,7 @@
 #include
 #include
+#include
 #include
 #include
@@ -332,7 +377,10 @@
 (*config.proxyhost && config.proxyport) != '\0' ? r->url : r->urlpath, r->vmajor, r->vminor, r->host);
- else
+ else if (r->port == 443 || r->type == CONNECT) {
+ *buf = '\0';
+ len = 0;
+ } else
 len = snprintf(buf, sizeof(buf),
 "%s %s HTTP/%d.%d\r\n"
 "Host: %s:%d\r\n",
@@ -342,20 +390,22 @@
 r->vmajor, r->vminor, r->host, r->port);
- i = 0;
- while (r->header[i] != NULL) {
- len += strlen(r->header[i]) + strlen("\r\n");
- if (len < sizeof(buf)) {
- (void) strncat(buf, r->header[i++], len);
- (void) strncat(buf, "\r\n", strlen("\r\n"));
- } else {
- DEBUG(("do_request() => header too big"));
- (void) close(s);
- i = 0;
- while (r->header[i] != NULL)
- free(r->header[i++]);
- r->header[0] = NULL;
- return E_INV;
+ if (r->type != CONNECT) {
+ i = 0;
+ while (r->header[i] != NULL) {
+ len += strlen(r->header[i]) + strlen("\r\n");
+ if (len < sizeof(buf)) {
+ (void) strncat(buf, r->header[i++], len);
+ (void) strncat(buf, "\r\n", strlen("\r\n"));
+ } else {
+ DEBUG(("do_request() => header too big"));
+ (void) close(s);
+ i = 0;
+ while (r->header[i] != NULL)
+ free(r->header[i++]);
+ r->header[0] = NULL;
+ return E_INV;
+ }
 }
 }
 i = 0;
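Review bot: The new `else if (r->port == 443 || r->type == CONNECT)` branch empties `buf` for any request whose destination port is 443, not only for CONNECT, so a plain `GET http://host:443/...` now gets no request line while the `if (r->type != CONNECT)` guards in this and the following hunks still append its headers and send them — the origin server receives a header block with no request line, unless something outside the hunk already rejects port 443 for non-CONNECT requests. Testing the method is enough: `} else if (r->type == CONNECT) {`. In the moved loop the bound passed to `strncat(buf, r->header[i++], len)` is the running total, not the space left in `buf`; it is only safe because of the `len < sizeof(buf)` check right before it, which deserves a comment such as `/* len already counts this header; the check above guarantees it fits */`. The enclosing function do_request starts before the hunk and continues past it.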
@@ -363,23 +413,25 @@
 free(r->header[i++]);
 r->header[0] = NULL;
- len += strlen("\r\n");
- if (len >= sizeof(buf) - 1) {
- DEBUG(("do_request() => header too big"));
- (void) close(s);
- return E_INV;
- }
- (void) strncat(buf, "\r\n", strlen("\r\n"));
+ if (r->type != CONNECT) {
+ len += strlen("\r\n");
+ if (len >= sizeof(buf) - 1) {
+ DEBUG(("do_request() => header too big"));
+ (void) close(s);
+ return E_INV;
+ }
+ (void) strncat(buf, "\r\n", strlen("\r\n"));
- DEBUG(("do_request() => request ready: type %d url (%s) host (%s) port %d",
- r->type, r->url, r->host, r->port));
- DEBUG(("=> version maj %d min %d", r->vmajor, r->vminor));
- DEBUG(("=> header: (%s)", buf));
+ DEBUG(("do_request() => request ready: type %d url (%s) host (%s) port %d",
+ r->type, r->url, r->host, r->port));
+ DEBUG(("=> version maj %d min %d", r->vmajor, r->vminor));
+ DEBUG(("=> header: (%s)", buf));
- if (my_poll(s, OUT) <= 0 || write(s, buf, len) < 1) {
- DEBUG(("do_request() => sending request failed"));
- (void) close(s);
- return E_CON;
+ if (my_poll(s, OUT) <= 0 || write(s, buf, len) < 1) {
+ DEBUG(("do_request() => sending request failed"));
+ (void) close(s);
+ return E_CON;
+ }
 }
 if (r->type == POST) {
 long rest;
@@ -410,70 +462,109 @@
 }
 DEBUG(("do_request() => post done"));
 }
- i = 0;
- while ((len = getline(s, buf, sizeof(buf))) > 0 && i < sizeof(r->header) - 1) {
- DEBUG(("do_request() => got remote header line: (%s)", buf));
- r->header[i] = (char *) my_alloc(len + 1);
- (void) strcpy(r->header[i++], buf);
- }
- r->header[i] = NULL;
-
- if (len > 0) {
- DEBUG(("do_request() => remote header too big"));
- (void) close(s);
+ if (r->type != CONNECT) {
 i = 0;
- while (r->header[i] != NULL)
- free(r->header[i++]);
- r->header[0] = NULL;
- return E_FIL;
- }
- if (filter_remote(r) != 0) {
- DEBUG(("do_request() => response was filtered"));
- (void) close(s);
- i = 0;
- while (r->header[i] != NULL)
- free(r->header[i++]);
- r->header[0] = NULL;
- return E_FIL;
- }
- *buf = '\0';
- len = 0;
- i = 0;
- while (r->header[i] != NULL) {
- len += strlen(r->header[i]) + strlen("\r\n");
- if (len < sizeof(buf) - 1) {
- (void) strcat(buf, r->header[i++]);
- (void) strcat(buf, "\r\n");
- } else {
- DEBUG(("do_request() => remote header too big (at concatenation)"));
+ while ((len = getline(s, buf, sizeof(buf))) > 0 && i < sizeof(r->header) - 1) {
+ DEBUG(("do_request() => got remote header line: (%s)", buf));
+ r->header[i] = (char *) my_alloc(len + 1);
+ (void) strcpy(r->header[i++], buf);
+ }
+ r->header[i] = NULL;
+
+ if (len > 0) {
+ DEBUG(("do_request() => remote header too big"));
+ (void) close(s);
 i = 0;
 while (r->header[i] != NULL)
 free(r->header[i++]);
 r->header[0] = NULL;
+ return E_FIL;
+ }
+ if (filter_remote(r) != 0) {
+ DEBUG(("do_request() => response was filtered"));
 (void) close(s);
+ i = 0;
+ while (r->header[i] != NULL)
+ free(r->header[i++]);
+ r->header[0] = NULL;
 return E_FIL;
 }
- }
- i = 0;
- while (r->header[i] != NULL)
- free(r->header[i++]);
- r->header[0] = NULL;
+ *buf = '\0';
+ len = 0;
+ i = 0;
+ while (r->header[i] != NULL) {
+ len += strlen(r->header[i]) + strlen("\r\n");
+ if (len < sizeof(buf) - 1) {
+ (void) strcat(buf, r->header[i++]);
+ (void) strcat(buf, "\r\n");
+ } else {
+ DEBUG(("do_request() => remote header too big (at concatenation)"));
+ i = 0;
+ while (r->header[i] != NULL)
+ free(r->header[i++]);
+ r->header[0] = NULL;
+ (void) close(s);
+ return E_FIL;
+ }
+ }
+ i = 0;
+ while (r->header[i] != NULL)
+ free(r->header[i++]);
+ r->header[0] = NULL;
- len += strlen("\r\n");
- if (len >= sizeof(buf) - 1) {
- DEBUG(("do_request() => remote header too big (at final)"));
- (void) close(s);
- return E_FIL;
- }
- (void) strcat(buf, "\r\n");
+ len += strlen("\r\n");
+ if (len >= sizeof(buf) - 1) {
+ DEBUG(("do_request() => remote header too big (at final)"));
+ (void) close(s);
+ return E_FIL;
+ }
+ (void) strcat(buf, "\r\n");
- DEBUG(("do_request() => remote header ready: (%s)", buf));
+ DEBUG(("do_request() => remote header ready: (%s)", buf));
- if (my_poll(cl, OUT) <= 0 || write(cl, buf, len) < 1) {
- (void) close(s);
- return -1;
+ if (my_poll(cl, OUT) <= 0 || write(cl, buf, len) < 1) {
+ (void) close(s);
+ return -1;
+ }
 }
- if (r->type != HEAD) {
+ if (r->type == CONNECT) {
+ char *con_est = "HTTP/1.0 200 Connection established\r\n\r\n";
+ int max, sel;
+ struct timeval to;
+ fd_set fdset;
+
+ to.tv_sec = config.to_con;
+ to.tv_usec = 0;
+
+ if (write(cl, con_est, strlen(con_est)) < 1)
+ goto c_break;
+
+ if(cl >= s)
+ max = cl + 1;
+ else
+ max = s + 1;
+
+ i = 1;
+ sel = 1;
+ len = 1;
+ while (len > 0 && sel > 0 && i > 0) {
+ FD_ZERO(&fdset);
+ FD_SET(cl, &fdset);
+ FD_SET(s, &fdset);
+ sel = select(max, &fdset, (fd_set*) 0, (fd_set*) 0, &to);
+ if (FD_ISSET(cl, &fdset)) {
+ len = read(cl, buf, sizeof(buf));
+ i = write(s, buf, len);
+ }
+ if (FD_ISSET(s, &fdset)) {
+ len = read(s, buf, sizeof(buf));
+ i = write(cl, buf, len);
+ }
+ }
+c_break:
+ (void) close(s);
+ return 0;
+ } else if (r->type != HEAD) {
 while (my_poll(s, IN) > 0 && (len = read(s, buf, sizeof(buf))) > 0) {
 if (my_poll(cl, OUT) <= 0 || write(cl, buf, len) < 1) {
 (void) close(s);
diff -uNr ffproxy-1.5.1/sample.config
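Review bot: In the CONNECT relay loop `len = read(cl, buf, sizeof(buf));` is followed unconditionally by `i = write(s, buf, len);`, so a read() error (-1) is converted to an enormous size_t and write() is asked to send memory far beyond `buf`; the server-side pair two lines below has the same problem. The loop also evaluates FD_ISSET on a set that select() did not fill in when `sel <= 0` (timeout or EINTR), never notices short writes (`i` is only tested for `> 0`), and hands the same `to` to select() every iteration without re-arming it, which on platforms that update the timeval (Linux) turns `timeout_connect` into a cap on total tunnel lifetime rather than an idle timeout. The version below re-arms the timeout, stops on any select/read/write failure or short write, and makes the `i = 1; sel = 1; len = 1;` priming unnecessary; it assumes `len` is a signed type, as the existing `len > 0` condition already does. The enclosing function do_request continues past the hunk.
```c
    /* … unchanged: con_est reply, max = highest fd + 1 … */
    for (;;) {
        FD_ZERO(&fdset);
        FD_SET(cl, &fdset);
        FD_SET(s, &fdset);
        to.tv_sec = config.to_con;      /* re-arm: select(2) may modify it */
        to.tv_usec = 0;
        sel = select(max, &fdset, (fd_set *) 0, (fd_set *) 0, &to);
        if (sel <= 0)
            break;                      /* idle timeout or error: drop the tunnel */
        if (FD_ISSET(cl, &fdset)) {
            len = read(cl, buf, sizeof(buf));
            if (len <= 0 || write(s, buf, len) != len)
                break;
        }
        if (FD_ISSET(s, &fdset)) {
            len = read(s, buf, sizeof(buf));
            if (len <= 0 || write(cl, buf, len) != len)
                break;
        }
    }
c_break:
    /* … unchanged: close(s); return 0; … */
```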
ffproxy-1.6-RC1/sample.config
--- ffproxy-1.5.1/sample.config Sun Aug 17 19:53:25 2003
+++ ffproxy-1.6-RC1/sample.config Mon Jun 7 22:53:48 2004
@@ -1,6 +1,6 @@
 #
 # sample configuration file for ffproxy(8)
-# (version 1.5.1)
+# (version 1.6)
 #
 # lines starting with '#' are comments
@@ -120,6 +120,17 @@
 # (enabled by default)
 #use_keep_alive no
 #use_keep_alive yes
+
+# allow CONNECT request to other than port 443 (HTTPS)
+# (CONNECT enables HTTPS proxying)
+# (disabled by default for security)
+#unrestricted_connect yes
+#unrestricted_connect no
+
+# timeout for CONNECT requests in seconds
+# (default: 5)
+#timeout_connect 20
+#timeout_connect 5
 # backlog size for accept()
 # (default: 4)
diff -uNr ffproxy-1.5.1/signals.c ffproxy-1.6-RC1/signals.c
--- ffproxy-1.5.1/signals.c Fri Aug 8 14:10:28 2003
+++ ffproxy-1.6-RC1/signals.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
 * ffproxy (c) 2002, 2003 Niklas Olmes
- *
 * http://faith.eu.org
 *
- * $Id: signals.c,v 1.6 2003/08/08 14:10:28 niklas Exp $
+ * $Id: signals.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
diff -uNr ffproxy-1.5.1/socket.c ffproxy-1.6-RC1/socket.c
--- ffproxy-1.5.1/socket.c Sat Aug 9 14:32:00 2003
+++ ffproxy-1.6-RC1/socket.c Tue Jun 8 08:07:12 2004
@@ -1,9 +1,8 @@
 /*
 * ffproxy (c) 2002, 2003 Niklas Olmes
- *
 * http://faith.eu.org
 *
- * $Id: socket.c,v 1.19 2003/08/09 14:32:00 niklas Exp $
+ * $Id: socket.c,v 2.0 2004/06/08 06:39:51 niklas Exp $
 *
 * This program is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free