[LON-CAPA-cvs] cvs: loncom / lontrans.pm

raeburn raeburn at source.lon-capa.org
Wed Dec 23 17:03:42 EST 2020


raeburn		Wed Dec 23 22:03:42 2020 EDT

  Modified files:              
    /loncom	lontrans.pm 
  Log:
  - Bug 6914. Support selective use of a WAF/reverse proxy, e.g., VPN users
    connect directly (bypassing the WAF), whereas non-VPN users must connect via the WAF.
  
  
Index: loncom/lontrans.pm
diff -u loncom/lontrans.pm:1.27 loncom/lontrans.pm:1.28
--- loncom/lontrans.pm:1.27	Fri Dec 18 15:23:04 2020
+++ loncom/lontrans.pm	Wed Dec 23 22:03:42 2020
@@ -1,7 +1,7 @@
 # The LearningOnline Network
 # URL translation for User Files
 #
-# $Id: lontrans.pm,v 1.27 2020/12/18 15:23:04 raeburn Exp $
+# $Id: lontrans.pm,v 1.28 2020/12/23 22:03:42 raeburn Exp $
 #
 # Copyright Michigan State University Board of Trustees
 #
@@ -38,14 +38,14 @@
     my $r = shift;
     # FIXME line remove when mod_perl fixes BUG#4948
     $r->notes->set('error-notes' => '');
-    my $actualhost = $r->headers_in->get('Host');
+    my $hdrhost = $r->headers_in->get('Host');
     if ($r->uri=~m{^/raw/}) {
-        if ($actualhost) {
-            unless ($host =~ /^internal\-/) {
+        if ($hdrhost) {
+            unless ($hdrhost =~ /^internal\-/) {
                 my $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
                 my $lonhost = $r->dir_config('lonHostID');
                 if (&redirect_raw($remote_ip,$lonhost)) {
-                    my $location = 'https://internal-'.$host.$r->uri;
+                    my $location = 'https://internal-'.$hdrhost.$r->uri;
                     $r->headers_out->set(Location => $location);
                     return REDIRECT;
                 }
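Review bot: The Location at `my $location = 'https://internal-'.$hdrhost.$r->uri;` is built from the client-supplied Host header, so unless the Apache vhost configuration already rejects unexpected Host values, a request with a forged Host receives a 302 to an attacker-chosen host merely prefixed with `internal-`. The redirect is only issued after `redirect_raw()` approves the requestor IP, which narrows the exposure, but the header value should still be validated before it is used as a redirect target, e.g. `return FORBIDDEN unless ($hdrhost eq &Apache::lonnet::hostname($lonhost));` placed before the Location is built (assuming that constant is imported alongside REDIRECT), or the Location built from the configured hostname instead of the header. Note also that `$hdrhost` may carry a `:port` suffix, which both the `/^internal\-/` test and the concatenation pass through unchanged. The enclosing handler starts before this hunk (its first visible statement is `my $r = shift;`).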
@@ -55,31 +55,49 @@
     my $alias = &Apache::lonnet::get_proxy_alias();
     if ($alias) {
         my $lonhost = $r->dir_config('lonHostID');
-        my $expected_host = &Apache::lonnet::hostname($lonhost);
-        if (($actualhost eq $expected_host) && ($actualhost ne $alias)) {
-            my $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
-            unless ($remote_ip eq '127.0.0.1') {
-                my $hostip = &Apache::lonnet::get_host_ip($lonhost);
-                unless ($remote_ip eq $hostip) {
-                    my $do_redirect = 1;
+        my $hostname = &Apache::lonnet::hostname($lonhost);
+        if (($hdrhost eq $alias) || ($hdrhost eq $hostname)) {
+            my $proxyinfo = &Apache::lonnet::get_proxy_settings($r->dir_config('lonDefDomain'));
+            my ($vpnpriv,$vpnnat);
+            if (ref($proxyinfo) eq 'HASH') {
+                $vpnpriv = $proxyinfo->{'exempt'};
+                $vpnnat = '35.12.16.96-35.12.16.111';
+            }
+            my $redirect;
+            if ($hdrhost eq $alias) {
+                my $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP);
+                if ($vpnnat && &Apache::lonnet::ip_match($remote_ip,$vpnnat)) {
+                    $redirect = $hostname;
+                    if ($redirect eq $hdrhost) {
+                        undef($redirect);
+                    }
+                }
+            } elsif ($hdrhost eq $hostname) {
+                my $remote_ip = &Apache::lonnet::get_requestor_ip($r,REMOTE_NOLOOKUP,1);
+                unless (($remote_ip eq '127.0.0.1') ||
+                        ($remote_ip eq &Apache::lonnet::get_host_ip($lonhost)) ||
+                        ($vpnpriv && &Apache::lonnet::ip_match($remote_ip,$vpnpriv))) {
+                    $redirect = $alias;
                     if ($r->uri=~m{^/raw/}){
                         my %iphost = &Apache::lonnet::get_iphost();
                         if (exists($iphost{$remote_ip})) {
-                            undef($do_redirect);
+                            undef($redirect);
                         }
                     }
-                    if ($do_redirect) {
-                        my $uri = $r->uri;
-                        my $protocol = 'http';
-                        my $port = $r->get_server_port();
-                        if ($port eq '443') {
-                            $protocol = 'https';
-                        }
-                        $r->header_out(Location => $protocol.'://'.$alias.$uri);
-                        return REDIRECT;
-                    }
                 }
             }
+            if ($redirect) {
+                my $uri = $r->uri;
+                my $protocol = 'http';
+                my $port = $r->get_server_port();
+                if ($port eq '443') {
+                    $protocol = 'https';
+                }
+# FIXME should check if logged in, and if so use switchserver/migrateuser approach,
+# possibly moved to Access Handler?
+                $r->header_out(Location => $protocol.'://'.$redirect.$uri);
+                return REDIRECT;
+            }
         }
     }
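Review bot: The NAT range `$vpnnat = '35.12.16.96-35.12.16.111';` is a site-specific constant hard-coded into a shared module, and it sits inside the `ref($proxyinfo) eq 'HASH'` check without reading anything from `$proxyinfo`, so every deployment that configures a proxy inherits this range whether or not it applies to them. Since the exempt range already comes from `get_proxy_settings()`, the NAT range should be read from the same place, e.g. `$vpnnat = $proxyinfo->{'vpnnat'};` (key name to be confirmed against the settings schema). Two smaller points: the alias branch calls `get_requestor_ip($r,REMOTE_NOLOOKUP)` without the third argument that the hostname branch passes, which looks deliberate but deserves a one-line comment stating why, and the final Location is built from `$r->uri` alone, so any query string is dropped on redirect unless something upstream restores it (`$r->args` is the usual addition). The enclosing handler starts before this hunk and continues past it.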
     if ($r->uri=~m|^(/raw)?/uploaded/|) {



