annotate src/stream/ngx_stream_realip_module.c @ 6982:ac9b1df5b246
SSL: disabled renegotiation detection in client mode.
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation). On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.
On the client side the situation is different though. There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems. This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).
Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt. This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 18 Apr 2017 16:08:44 +0300 |
parents | 3908156a51fa |
children | df1a62c83b1b |
573 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4412 | 4 * Copyright (C) Nginx, Inc. |
573 | 5 */ |
6 | |
7 | |
8 #include <ngx_config.h> | |
9 #include <ngx_core.h> | |
10 #include <ngx_stream.h> |
11 |
12 |
/*
 * Per-server configuration of the stream realip module.
 *
 * "from" is filled by the set_real_ip_from directive handler; it stays NULL
 * when no such directive is configured, in which case the session handler
 * declines without touching the connection address.
 */
typedef struct {
    ngx_array_t       *from;     /* array of ngx_cidr_t */
} ngx_stream_realip_srv_conf_t;
573 | 16 |
17 | |
/*
 * Per-session module context.
 *
 * Holds a copy of the connection's address fields as they were before
 * ngx_stream_realip_set_addr() overwrote them; the $realip_remote_addr and
 * $realip_remote_port handlers read these saved values.
 */
typedef struct {
    struct sockaddr   *sockaddr;     /* saved c->sockaddr */
    socklen_t          socklen;      /* saved c->socklen */
    ngx_str_t          addr_text;    /* saved c->addr_text */
} ngx_stream_realip_ctx_t;
573 | 23 |
24 | |
/*
 * Forward declarations: the session handler and its address-replacement
 * helper, the directive and configuration callbacks, and the module
 * registration hooks.
 */
static ngx_int_t ngx_stream_realip_handler(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_realip_set_addr(ngx_stream_session_t *s,
    ngx_addr_t *addr);
static char *ngx_stream_realip_from(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static void *ngx_stream_realip_create_srv_conf(ngx_conf_t *cf);
static char *ngx_stream_realip_merge_srv_conf(ngx_conf_t *cf, void *parent,
    void *child);
static ngx_int_t ngx_stream_realip_add_variables(ngx_conf_t *cf);
static ngx_int_t ngx_stream_realip_init(ngx_conf_t *cf);


/* get handlers for the variables listed in ngx_stream_realip_vars[] */
static ngx_int_t ngx_stream_realip_remote_addr_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_realip_remote_port_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data);
41 |
42 |
/*
 * Directives provided by this module.
 *
 * set_real_ip_from takes one argument, is accepted at the stream main and
 * server levels, and is parsed by ngx_stream_realip_from() into the
 * per-server configuration.
 */
static ngx_command_t  ngx_stream_realip_commands[] = {

    { ngx_string("set_real_ip_from"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_stream_realip_from,
      NGX_STREAM_SRV_CONF_OFFSET,
      0,
      NULL },

      ngx_null_command
};
54 | |
55 | |
/*
 * Stream module context: variables are registered before configuration is
 * parsed, the session handler is installed afterwards, and only per-server
 * configuration is created and merged (no main configuration).
 */
static ngx_stream_module_t  ngx_stream_realip_module_ctx = {
    ngx_stream_realip_add_variables,       /* preconfiguration */
    ngx_stream_realip_init,                /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    ngx_stream_realip_create_srv_conf,     /* create server configuration */
    ngx_stream_realip_merge_srv_conf       /* merge server configuration */
};
66 | |
67 | |
/*
 * Module definition: ties the context and directive table above to the
 * stream module type. No process or thread lifecycle hooks are used.
 */
ngx_module_t  ngx_stream_realip_module = {
    NGX_MODULE_V1,
    &ngx_stream_realip_module_ctx,         /* module context */
    ngx_stream_realip_commands,            /* module directives */
    NGX_STREAM_MODULE,                     /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
82 | |
83 | |
/*
 * Variables exported by this module, terminated by an entry with an empty
 * name. ngx_stream_realip_add_variables() walks this table and copies each
 * entry's get handler and data into the registered variable.
 */
static ngx_stream_variable_t  ngx_stream_realip_vars[] = {

    { ngx_string("realip_remote_addr"), NULL,
      ngx_stream_realip_remote_addr_variable, 0, 0, 0 },

    { ngx_string("realip_remote_port"), NULL,
      ngx_stream_realip_remote_port_variable, 0, 0, 0 },

    { ngx_null_string, NULL, NULL, 0, 0, 0 }
};
94 |
95 |
/*
 * Session handler: replaces the connection's peer address with the address
 * stored in c->proxy_protocol_addr, but only for peers listed by
 * set_real_ip_from.
 *
 * Returns NGX_DECLINED whenever no replacement is attempted (no trusted list
 * configured, no proxy_protocol_addr recorded, peer not in the list, or the
 * recorded address fails to parse); otherwise returns the result of
 * ngx_stream_realip_set_addr().
 */
static ngx_int_t
ngx_stream_realip_handler(ngx_stream_session_t *s)
{
    ngx_addr_t                     real;
    ngx_connection_t              *conn;
    ngx_stream_realip_srv_conf_t  *conf;

    conf = ngx_stream_get_module_srv_conf(s, ngx_stream_realip_module);
    conn = s->connection;

    /*
     * The address in proxy_protocol_addr is supplied by the peer, so it is
     * honoured only when the directly connected socket address matches one
     * of the configured set_real_ip_from entries. Without this check any
     * client could claim an arbitrary source address.
     */
    if (conf->from == NULL
        || conn->proxy_protocol_addr.len == 0
        || ngx_cidr_match(conn->sockaddr, conf->from) != NGX_OK)
    {
        return NGX_DECLINED;
    }

    /* any parse result other than NGX_OK leaves the connection untouched */
    if (ngx_parse_addr(conn->pool, &real, conn->proxy_protocol_addr.data,
                       conn->proxy_protocol_addr.len)
        != NGX_OK)
    {
        return NGX_DECLINED;
    }

    ngx_inet_set_port(real.sockaddr, conn->proxy_protocol_port);

    return ngx_stream_realip_set_addr(s, &real);
}
130 | |
573 | 131 |
/*
 * Installs "addr" as the connection's peer address and remembers the
 * previous one in the module context.
 *
 * The textual form of the new address is copied into the connection pool.
 * The connection is modified only after every allocation has succeeded.
 *
 * Returns NGX_ERROR on allocation or formatting failure, NGX_DECLINED on
 * success.
 */
static ngx_int_t
ngx_stream_realip_set_addr(ngx_stream_session_t *s, ngx_addr_t *addr)
{
    size_t                    n;
    u_char                   *copy;
    u_char                    buf[NGX_SOCKADDR_STRLEN];
    ngx_connection_t         *conn;
    ngx_stream_realip_ctx_t  *saved;

    conn = s->connection;

    saved = ngx_palloc(conn->pool, sizeof(ngx_stream_realip_ctx_t));
    if (saved == NULL) {
        return NGX_ERROR;
    }

    /* format without the port (last argument is 0) */
    n = ngx_sock_ntop(addr->sockaddr, addr->socklen, buf,
                      NGX_SOCKADDR_STRLEN, 0);
    if (n == 0) {
        return NGX_ERROR;
    }

    copy = ngx_pnalloc(conn->pool, n);
    if (copy == NULL) {
        return NGX_ERROR;
    }

    ngx_memcpy(copy, buf, n);

    ngx_stream_set_ctx(s, saved, ngx_stream_realip_module);

    /* keep the original peer address for the $realip_remote_* variables */
    saved->sockaddr = conn->sockaddr;
    saved->socklen = conn->socklen;
    saved->addr_text = conn->addr_text;

    /* from here on the connection reports the substituted address */
    conn->sockaddr = addr->sockaddr;
    conn->socklen = addr->socklen;
    conn->addr_text.len = n;
    conn->addr_text.data = copy;

    return NGX_DECLINED;
}
174 | |
175 | |
/*
 * Handler of the set_real_ip_from directive: appends one trusted-peer entry
 * to the per-server "from" array, creating the array on first use.
 *
 * The argument is either the literal "unix:" (when UNIX-domain sockets are
 * available) or an address/CIDR accepted by ngx_ptocidr().
 *
 * Returns NGX_CONF_OK on success and NGX_CONF_ERROR on allocation failure or
 * an unparsable argument.
 */
static char *
ngx_stream_realip_from(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_stream_realip_srv_conf_t *rscf = conf;

    ngx_str_t   *arg;
    ngx_cidr_t  *entry;

    /* element 0 is the directive name, element 1 its single argument */
    arg = (ngx_str_t *) cf->args->elts + 1;

    if (rscf->from == NULL) {
        rscf->from = ngx_array_create(cf->pool, 2, sizeof(ngx_cidr_t));

        if (rscf->from == NULL) {
            return NGX_CONF_ERROR;
        }
    }

    entry = ngx_array_push(rscf->from);
    if (entry == NULL) {
        return NGX_CONF_ERROR;
    }

#if (NGX_HAVE_UNIX_DOMAIN)

    /*
     * Only the family is recorded for "unix:"; presumably such an entry
     * matches every UNIX-domain peer - confirm against ngx_cidr_match().
     */
    if (ngx_strcmp(arg->data, "unix:") == 0) {
        entry->family = AF_UNIX;
        return NGX_CONF_OK;
    }

#endif

    switch (ngx_ptocidr(arg, entry)) {

    case NGX_ERROR:
        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid parameter \"%V\"",
                           arg);
        return NGX_CONF_ERROR;

    case NGX_DONE:
        /* the entry is still accepted; the operator is only warned */
        ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
                           "low address bits of %V are meaningless", arg);
        break;

    default:
        break;
    }

    return NGX_CONF_OK;
}
224 | |
225 | |
/*
 * Allocates the per-server configuration from the configuration pool.
 *
 * Returns the new structure, or NULL when the allocation fails.
 */
static void *
ngx_stream_realip_create_srv_conf(ngx_conf_t *cf)
{
    /*
     * ngx_pcalloc() leaves the structure zeroed, so
     *
     *     conf->from = NULL;
     *
     * needs no explicit assignment, and a failed allocation is passed to
     * the caller as NULL unchanged.
     */

    return ngx_pcalloc(cf->pool, sizeof(ngx_stream_realip_srv_conf_t));
}
244 | |
245 | |
/*
 * Merges the enclosing level's configuration into a server's: a server with
 * no set_real_ip_from entries of its own shares the parent's array (which
 * may itself be NULL). A server that has its own entries keeps only those.
 *
 * Always returns NGX_CONF_OK.
 */
static char *
ngx_stream_realip_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_stream_realip_srv_conf_t  *outer = parent;
    ngx_stream_realip_srv_conf_t  *inner = child;

    if (inner->from != NULL) {
        return NGX_CONF_OK;
    }

    inner->from = outer->from;

    return NGX_CONF_OK;
}
258 | |
259 | |
/*
 * Preconfiguration hook: registers every entry of ngx_stream_realip_vars[]
 * and attaches its get handler and data.
 *
 * Returns NGX_ERROR as soon as one registration fails, NGX_OK otherwise.
 */
static ngx_int_t
ngx_stream_realip_add_variables(ngx_conf_t *cf)
{
    ngx_stream_variable_t  *def, *added;

    def = ngx_stream_realip_vars;

    /* the table ends with an entry whose name is empty */
    while (def->name.len != 0) {

        added = ngx_stream_add_variable(cf, &def->name, def->flags);
        if (added == NULL) {
            return NGX_ERROR;
        }

        added->get_handler = def->get_handler;
        added->data = def->data;

        def++;
    }

    return NGX_OK;
}
277 |
278 |
/*
 * Postconfiguration hook: appends ngx_stream_realip_handler to the handler
 * list of the post-accept phase.
 *
 * Returns NGX_ERROR when the handler slot cannot be allocated, NGX_OK
 * otherwise.
 */
static ngx_int_t
ngx_stream_realip_init(ngx_conf_t *cf)
{
    ngx_stream_handler_pt        *slot;
    ngx_stream_core_main_conf_t  *core;

    core = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);

    slot = ngx_array_push(&core->phases[NGX_STREAM_POST_ACCEPT_PHASE].handlers);

    if (slot != NULL) {
        *slot = ngx_stream_realip_handler;
        return NGX_OK;
    }

    return NGX_ERROR;
}
296 |
297 |
/*
 * Get handler of $realip_remote_addr.
 *
 * Yields the address text saved in the module context when the address was
 * replaced for this session, and the connection's current address text
 * otherwise. The value points at existing storage; nothing is copied.
 *
 * Always returns NGX_OK.
 */
static ngx_int_t
ngx_stream_realip_remote_addr_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data)
{
    ngx_str_t                *text;
    ngx_stream_realip_ctx_t  *saved;

    saved = ngx_stream_get_module_ctx(s, ngx_stream_realip_module);

    if (saved != NULL) {
        /* context exists only after ngx_stream_realip_set_addr() ran */
        text = &saved->addr_text;

    } else {
        text = &s->connection->addr_text;
    }

    v->data = text->data;
    v->len = text->len;

    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    return NGX_OK;
}
317 |
318 |
/*
 * Get handler of $realip_remote_port.
 *
 * Takes the port from the socket address saved in the module context when
 * the address was replaced for this session, and from the connection's
 * current socket address otherwise. The value is empty (length 0) when the
 * port is outside 1..65535.
 *
 * Returns NGX_ERROR when the value buffer cannot be allocated, NGX_OK
 * otherwise.
 */
static ngx_int_t
ngx_stream_realip_remote_port_variable(ngx_stream_session_t *s,
    ngx_stream_variable_value_t *v, uintptr_t data)
{
    u_char                   *end;
    ngx_uint_t                port;
    struct sockaddr          *sa;
    ngx_stream_realip_ctx_t  *saved;

    saved = ngx_stream_get_module_ctx(s, ngx_stream_realip_module);

    if (saved != NULL) {
        sa = saved->sockaddr;

    } else {
        sa = s->connection->sockaddr;
    }

    v->len = 0;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;

    /* room for at most five digits, no terminator */
    v->data = ngx_pnalloc(s->connection->pool, sizeof("65535") - 1);
    if (v->data == NULL) {
        return NGX_ERROR;
    }

    port = ngx_inet_get_port(sa);

    /*
     * The upper bound is what keeps the formatted number within the
     * five-byte buffer allocated above.
     */
    if (port > 0 && port < 65536) {
        end = ngx_sprintf(v->data, "%ui", port);
        v->len = end - v->data;
    }

    return NGX_OK;
}