Mercurial > hg > nginx-quic
comparison src/http/ngx_http_core_module.c @ 4623:ed3d0cc6de5a
New function ngx_http_get_forwarded_addr() to look up real client address.
On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search. On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED. It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.
author | Ruslan Ermilov <ru@nginx.com> |
---|---|
date | Mon, 14 May 2012 12:27:41 +0000 |
parents | 347a54b2cb14 |
children | 3709ce127763 |
comparison
equal
deleted
inserted
replaced
4622:0dfdc3f732cb | 4623:ed3d0cc6de5a |
---|---|
2694 of->disable_symlinks_from = from.len - 1; | 2694 of->disable_symlinks_from = from.len - 1; |
2695 } | 2695 } |
2696 #endif | 2696 #endif |
2697 | 2697 |
2698 return NGX_OK; | 2698 return NGX_OK; |
2699 } | |
2700 | |
2701 | |
2702 ngx_int_t | |
2703 ngx_http_get_forwarded_addr(ngx_http_request_t *r, ngx_addr_t *addr, | |
2704 u_char *xff, size_t xfflen, ngx_array_t *proxies, int recursive) | |
2705 { | |
2706 u_char *p; | |
2707 in_addr_t *inaddr; | |
2708 ngx_addr_t paddr; | |
2709 ngx_cidr_t *cidr; | |
2710 ngx_uint_t family, i; | |
2711 #if (NGX_HAVE_INET6) | |
2712 ngx_uint_t n; | |
2713 struct in6_addr *inaddr6; | |
2714 #endif | |
2715 | |
2716 family = addr->sockaddr->sa_family; | |
2717 | |
2718 if (family == AF_INET) { | |
2719 inaddr = &((struct sockaddr_in *) addr->sockaddr)->sin_addr.s_addr; | |
2720 } | |
2721 | |
2722 #if (NGX_HAVE_INET6) | |
2723 else if (family == AF_INET6) { | |
2724 inaddr6 = &((struct sockaddr_in6 *) addr->sockaddr)->sin6_addr; | |
2725 | |
2726 if (IN6_IS_ADDR_V4MAPPED(inaddr6)) { | |
2727 family = AF_INET; | |
2728 inaddr = (in_addr_t *) &inaddr6->s6_addr[12]; | |
2729 } | |
2730 } | |
2731 #endif | |
2732 | |
2733 for (cidr = proxies->elts, i = 0; i < proxies->nelts; i++) { | |
2734 if (cidr[i].family != family) { | |
2735 goto next; | |
2736 } | |
2737 | |
2738 switch (family) { | |
2739 | |
2740 #if (NGX_HAVE_INET6) | |
2741 case AF_INET6: | |
2742 for (n = 0; n < 16; n++) { | |
2743 if ((inaddr6->s6_addr[n] & cidr[i].u.in6.mask.s6_addr[n]) | |
2744 != cidr[i].u.in6.addr.s6_addr[n]) | |
2745 { | |
2746 goto next; | |
2747 } | |
2748 } | |
2749 break; | |
2750 #endif | |
2751 | |
2752 #if (NGX_HAVE_UNIX_DOMAIN) | |
2753 case AF_UNIX: | |
2754 break; | |
2755 #endif | |
2756 | |
2757 default: /* AF_INET */ | |
2758 if ((*inaddr & cidr[i].u.in.mask) != cidr[i].u.in.addr) { | |
2759 goto next; | |
2760 } | |
2761 break; | |
2762 } | |
2763 | |
2764 for (p = xff + xfflen - 1; p > xff; p--, xfflen--) { | |
2765 if (*p != ' ' && *p != ',') { | |
2766 break; | |
2767 } | |
2768 } | |
2769 | |
2770 for ( /* void */ ; p > xff; p--) { | |
2771 if (*p == ' ' || *p == ',') { | |
2772 p++; | |
2773 break; | |
2774 } | |
2775 } | |
2776 | |
2777 if (ngx_parse_addr(r->pool, &paddr, p, xfflen - (p - xff)) != NGX_OK) { | |
2778 return NGX_DECLINED; | |
2779 } | |
2780 | |
2781 *addr = paddr; | |
2782 | |
2783 if (recursive && p > xff) { | |
2784 (void) ngx_http_get_forwarded_addr(r, addr, xff, p - 1 - xff, | |
2785 proxies, 1); | |
2786 } | |
2787 | |
2788 return NGX_OK; | |
2789 | |
2790 next: | |
2791 continue; | |
2792 } | |
2793 | |
2794 return NGX_DECLINED; | |
2699 } | 2795 } |
2700 | 2796 |
2701 | 2797 |
2702 static char * | 2798 static char * |
2703 ngx_http_core_server(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) | 2799 ngx_http_core_server(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) |