Mercurial > hg > nginx-quic
comparison src/http/ngx_http_core_module.c @ 4668:ba2c7463ce18 stable-1.2
Merge of r4614, r4624-r4629, r4631: proxy recursive changes.
*) Added IPv6 and UNIX-domain socket support in "debug_connection"
directive.
*) New function ngx_http_get_forwarded_addr() to look up real client
address.
On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search. On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED. It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.
*) Realip: chains of trusted proxies and IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2). It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.
Example:
real_ip_header X-Forwarded-For;
set_real_ip_from 127.0.0.0/8;
set_real_ip_from ::1;
set_real_ip_from unix:;
real_ip_recursive on;
*) Geo: chains of trusted proxies and partial IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "proxy_recursive"
directive in the "geo" block. It also gets partial IPv6 support:
now proxies may be specified with IPv6 addresses.
Example:
geo $test {
...
proxy 127.0.0.1;
proxy ::1;
proxy_recursive;
}
There's also a slight change in behavior. When original client
address (as specified by the "geo" directive) is one of the
trusted proxies, and the value of the X-Forwarded-For request
header cannot not be parsed as a valid address, an original client
address will be used for lookup. Previously, 255.255.255.255 was
used in this case.
*) Geoip: trusted proxies support and partial IPv6 support.
The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module. Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive. IPv6 is
partially supported: proxies may be specified with IPv6 addresses.
Example:
geoip_country .../GeoIP.dat;
geoip_proxy 127.0.0.1;
geoip_proxy ::1;
geoip_proxy 10.0.0.0/8;
geoip_proxy_recursive on;
| author | Maxim Dounin <mdounin@mdounin.ru> |
|---|---|
| date | Mon, 04 Jun 2012 11:58:12 +0000 |
| parents | eb565752dd8e |
| children | 5a4666d4b6cb |
comparison
equal
deleted
inserted
replaced
| 4667:d05ab8793a69 | 4668:ba2c7463ce18 |
|---|---|
| 2694 of->disable_symlinks_from = from.len - 1; | 2694 of->disable_symlinks_from = from.len - 1; |
| 2695 } | 2695 } |
| 2696 #endif | 2696 #endif |
| 2697 | 2697 |
| 2698 return NGX_OK; | 2698 return NGX_OK; |
| 2699 } | |
| 2700 | |
| 2701 | |
| 2702 ngx_int_t | |
| 2703 ngx_http_get_forwarded_addr(ngx_http_request_t *r, ngx_addr_t *addr, | |
| 2704 u_char *xff, size_t xfflen, ngx_array_t *proxies, int recursive) | |
| 2705 { | |
| 2706 u_char *p; | |
| 2707 in_addr_t inaddr; | |
| 2708 ngx_addr_t paddr; | |
| 2709 ngx_cidr_t *cidr; | |
| 2710 ngx_uint_t family, i; | |
| 2711 #if (NGX_HAVE_INET6) | |
| 2712 ngx_uint_t n; | |
| 2713 struct in6_addr *inaddr6; | |
| 2714 #endif | |
| 2715 | |
| 2716 #if (NGX_SUPPRESS_WARN) | |
| 2717 inaddr = 0; | |
| 2718 #if (NGX_HAVE_INET6) | |
| 2719 inaddr6 = NULL; | |
| 2720 #endif | |
| 2721 #endif | |
| 2722 | |
| 2723 family = addr->sockaddr->sa_family; | |
| 2724 | |
| 2725 if (family == AF_INET) { | |
| 2726 inaddr = ((struct sockaddr_in *) addr->sockaddr)->sin_addr.s_addr; | |
| 2727 } | |
| 2728 | |
| 2729 #if (NGX_HAVE_INET6) | |
| 2730 else if (family == AF_INET6) { | |
| 2731 inaddr6 = &((struct sockaddr_in6 *) addr->sockaddr)->sin6_addr; | |
| 2732 | |
| 2733 if (IN6_IS_ADDR_V4MAPPED(inaddr6)) { | |
| 2734 family = AF_INET; | |
| 2735 inaddr = *(in_addr_t *) &inaddr6->s6_addr[12]; | |
| 2736 } | |
| 2737 } | |
| 2738 #endif | |
| 2739 | |
| 2740 for (cidr = proxies->elts, i = 0; i < proxies->nelts; i++) { | |
| 2741 if (cidr[i].family != family) { | |
| 2742 goto next; | |
| 2743 } | |
| 2744 | |
| 2745 switch (family) { | |
| 2746 | |
| 2747 #if (NGX_HAVE_INET6) | |
| 2748 case AF_INET6: | |
| 2749 for (n = 0; n < 16; n++) { | |
| 2750 if ((inaddr6->s6_addr[n] & cidr[i].u.in6.mask.s6_addr[n]) | |
| 2751 != cidr[i].u.in6.addr.s6_addr[n]) | |
| 2752 { | |
| 2753 goto next; | |
| 2754 } | |
| 2755 } | |
| 2756 break; | |
| 2757 #endif | |
| 2758 | |
| 2759 #if (NGX_HAVE_UNIX_DOMAIN) | |
| 2760 case AF_UNIX: | |
| 2761 break; | |
| 2762 #endif | |
| 2763 | |
| 2764 default: /* AF_INET */ | |
| 2765 if ((inaddr & cidr[i].u.in.mask) != cidr[i].u.in.addr) { | |
| 2766 goto next; | |
| 2767 } | |
| 2768 break; | |
| 2769 } | |
| 2770 | |
| 2771 for (p = xff + xfflen - 1; p > xff; p--, xfflen--) { | |
| 2772 if (*p != ' ' && *p != ',') { | |
| 2773 break; | |
| 2774 } | |
| 2775 } | |
| 2776 | |
| 2777 for ( /* void */ ; p > xff; p--) { | |
| 2778 if (*p == ' ' || *p == ',') { | |
| 2779 p++; | |
| 2780 break; | |
| 2781 } | |
| 2782 } | |
| 2783 | |
| 2784 if (ngx_parse_addr(r->pool, &paddr, p, xfflen - (p - xff)) != NGX_OK) { | |
| 2785 return NGX_DECLINED; | |
| 2786 } | |
| 2787 | |
| 2788 *addr = paddr; | |
| 2789 | |
| 2790 if (recursive && p > xff) { | |
| 2791 (void) ngx_http_get_forwarded_addr(r, addr, xff, p - 1 - xff, | |
| 2792 proxies, 1); | |
| 2793 } | |
| 2794 | |
| 2795 return NGX_OK; | |
| 2796 | |
| 2797 next: | |
| 2798 continue; | |
| 2799 } | |
| 2800 | |
| 2801 return NGX_DECLINED; | |
| 2699 } | 2802 } |
| 2700 | 2803 |
| 2701 | 2804 |
| 2702 static char * | 2805 static char * |
| 2703 ngx_http_core_server(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) | 2806 ngx_http_core_server(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) |