/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */
8 #include <ngx_config.h>
9 #include <ngx_core.h>
10 #include <ngx_http.h>
/*
 * Values stored in ngx_http_realip_loc_conf_t.type by the "real_ip_header"
 * directive: which request header carries the client address.
 */
#define NGX_HTTP_REALIP_XREALIP  0    /* "X-Real-IP" */
#define NGX_HTTP_REALIP_XFWD     1    /* "X-Forwarded-For" */
#define NGX_HTTP_REALIP_HEADER   2    /* any other header name */
/*
 * One trusted peer network configured with "set_real_ip_from" (IPv4 only).
 * The request handler treats a peer as trusted when
 * (peer_address & mask) == addr.
 */
typedef struct {
    in_addr_t  mask;    /* network mask, copied from the parsed CIDR */
    in_addr_t  addr;    /* network address, copied from the parsed CIDR */
} ngx_http_realip_from_t;
/*
 * Per-location configuration of the realip module.
 *
 * "from" (and "unixsock") decide which directly connected peers are allowed
 * to override the client address; "type", "hash" and "header" decide which
 * request header the replacement address is read from.
 */
typedef struct {
    /* trusted networks: array of ngx_http_realip_from_t, NULL if none set */
    ngx_array_t       *from;

    /* one of the NGX_HTTP_REALIP_* constants */
    ngx_uint_t         type;

    /* hash and name of the header, used for NGX_HTTP_REALIP_HEADER lookups */
    ngx_uint_t         hash;
    ngx_str_t          header;

#if (NGX_HAVE_UNIX_DOMAIN)
    /*
     * unsigned  unixsock:2;
     * 1 - "set_real_ip_from unix:" is configured, 0 - it is not,
     * 2 - not set at this level yet (resolved when configurations merge)
     */
    ngx_uint_t         unixsock;
#endif
} ngx_http_realip_loc_conf_t;
/*
 * Per-request context: the connection whose address was replaced and the
 * original address fields, kept so that ngx_http_realip_cleanup() can put
 * them back.
 */
typedef struct {
    ngx_connection_t  *connection;    /* connection that was modified */
    struct sockaddr   *sockaddr;      /* original c->sockaddr */
    socklen_t          socklen;       /* original c->socklen */
    ngx_str_t          addr_text;     /* original c->addr_text */
} ngx_http_realip_ctx_t;
/* request-time functions */
static ngx_int_t ngx_http_realip_handler(ngx_http_request_t *r);
static ngx_int_t ngx_http_realip_set_addr(ngx_http_request_t *r, u_char *ip,
    size_t len);
static void ngx_http_realip_cleanup(void *data);

/* directive handlers */
static char *ngx_http_realip_from(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static char *ngx_http_realip(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);

/* configuration life cycle */
static void *ngx_http_realip_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_realip_merge_loc_conf(ngx_conf_t *cf,
    void *parent, void *child);
static ngx_int_t ngx_http_realip_init(ngx_conf_t *cf);
/*
 * Directives of the module.  Both take exactly one argument and are
 * accepted at the http, server and location levels.
 */
static ngx_command_t  ngx_http_realip_commands[] = {

    /*
     * set_real_ip_from: adds one trusted peer (an IPv4 address or CIDR, or
     * "unix:").  Every peer listed here can make the server adopt an
     * arbitrary client address, so only proxies under the operator's
     * control belong in this list.
     */
    { ngx_string("set_real_ip_from"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
      ngx_http_realip_from,
      NGX_HTTP_LOC_CONF_OFFSET,
      0,
      NULL },

    /* real_ip_header: names the request header that carries the address */
    { ngx_string("real_ip_header"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
      ngx_http_realip,
      NGX_HTTP_LOC_CONF_OFFSET,
      0,
      NULL },

      ngx_null_command
};
/*
 * HTTP module hooks.  Only the postconfiguration step (which registers the
 * phase handler) and the location-level configuration callbacks are used.
 */
static ngx_http_module_t  ngx_http_realip_module_ctx = {
    NULL,                                  /* preconfiguration */
    ngx_http_realip_init,                  /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    NULL,                                  /* create server configuration */
    NULL,                                  /* merge server configuration */

    ngx_http_realip_create_loc_conf,       /* create location configuration */
    ngx_http_realip_merge_loc_conf         /* merge location configuration */
};
/*
 * Module definition: ties the HTTP hooks and the directive table together.
 * No process or thread life-cycle callbacks are installed.
 */
ngx_module_t  ngx_http_realip_module = {
    NGX_MODULE_V1,
    &ngx_http_realip_module_ctx,           /* module context */
    ngx_http_realip_commands,              /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
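/*
 * Phase handler: reads the client address from the configured request
 * header and, if the directly connected peer is trusted, installs it on
 * the connection through ngx_http_realip_set_addr().
 *
 * The header value is whatever the peer sent, so it is honoured only when
 * the peer's IPv4 address matches a "set_real_ip_from" network, or the peer
 * is a unix domain socket and "set_real_ip_from unix:" is configured.
 * Peers of any other address family are never trusted.
 *
 * Returns NGX_DECLINED when nothing was replaced; otherwise returns what
 * ngx_http_realip_set_addr() returns (NGX_DECLINED or
 * NGX_HTTP_INTERNAL_SERVER_ERROR).
 */
static ngx_int_t
ngx_http_realip_handler(ngx_http_request_t *r)
{
    u_char                      *ip, *p;
    size_t                       len;
    ngx_uint_t                   i, hash;
    ngx_list_part_t             *part;
    ngx_table_elt_t             *header;
    struct sockaddr_in          *sin;
    ngx_connection_t            *c;
    ngx_http_realip_ctx_t       *ctx;
    ngx_http_realip_from_t      *from;
    ngx_http_realip_loc_conf_t  *rlcf;

    /* a context means the address was already handled for this request */

    ctx = ngx_http_get_module_ctx(r, ngx_http_realip_module);

    if (ctx) {
        return NGX_DECLINED;
    }

    rlcf = ngx_http_get_module_loc_conf(r, ngx_http_realip_module);

    /* no trusted peers configured at all: nothing to do */

    if (rlcf->from == NULL
#if (NGX_HAVE_UNIX_DOMAIN)
        && !rlcf->unixsock
#endif
       )
    {
        return NGX_DECLINED;
    }

    switch (rlcf->type) {

    case NGX_HTTP_REALIP_XREALIP:

        if (r->headers_in.x_real_ip == NULL) {
            return NGX_DECLINED;
        }

        len = r->headers_in.x_real_ip->value.len;
        ip = r->headers_in.x_real_ip->value.data;

        break;

    case NGX_HTTP_REALIP_XFWD:

        if (r->headers_in.x_forwarded_for == NULL) {
            return NGX_DECLINED;
        }

        len = r->headers_in.x_forwarded_for->value.len;
        ip = r->headers_in.x_forwarded_for->value.data;

        /*
         * Only the last list element is used: scan backwards for the last
         * ' ' or ',' and keep what follows it.  Earlier elements are not
         * examined, so a client-supplied prefix of the list has no effect.
         */

        for (p = ip + len - 1; p > ip; p--) {
            if (*p == ' ' || *p == ',') {
                p++;
                len -= p - ip;
                ip = p;
                break;
            }
        }

        break;

    default: /* NGX_HTTP_REALIP_HEADER */

        /* walk the parts of the request header list, matching by hash+name */

        part = &r->headers_in.headers.part;
        header = part->elts;

        hash = rlcf->hash;
        len = rlcf->header.len;
        p = rlcf->header.data;

        for (i = 0; /* void */ ; i++) {

            if (i >= part->nelts) {
                if (part->next == NULL) {
                    break;
                }

                part = part->next;
                header = part->elts;
                i = 0;
            }

            if (hash == header[i].hash
                && len == header[i].key.len
                && ngx_strncmp(p, header[i].lowcase_key, len) == 0)
            {
                len = header[i].value.len;
                ip = header[i].value.data;

                goto found;
            }
        }

        return NGX_DECLINED;
    }

found:

    c = r->connection;

    /*
     * NOTE(review): "%s" ignores len and relies on the header value being
     * NUL-terminated - confirm against the header parser.
     */

    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "realip: \"%s\"", ip);

    /* AF_INET only */

    /*
     * rlcf->from is still NULL here when only "set_real_ip_from unix:" is
     * configured (the check at the top lets that case through), so it must
     * be tested before it is dereferenced for a TCP peer.
     */

    if (c->sockaddr->sa_family == AF_INET && rlcf->from != NULL) {
        sin = (struct sockaddr_in *) c->sockaddr;

        from = rlcf->from->elts;
        for (i = 0; i < rlcf->from->nelts; i++) {

            ngx_log_debug3(NGX_LOG_DEBUG_HTTP, c->log, 0,
                           "realip: %08XD %08XD %08XD",
                           sin->sin_addr.s_addr, from[i].mask, from[i].addr);

            if ((sin->sin_addr.s_addr & from[i].mask) == from[i].addr) {
                return ngx_http_realip_set_addr(r, ip, len);
            }
        }
    }

#if (NGX_HAVE_UNIX_DOMAIN)

    /* every unix domain socket peer is trusted once "unix:" is configured */

    if (c->sockaddr->sa_family == AF_UNIX && rlcf->unixsock) {
        return ngx_http_realip_set_addr(r, ip, len);
    }

#endif

    return NGX_DECLINED;
}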
/*
 * Replaces the connection's peer address with the address given as text in
 * ip[0 .. len).
 *
 * A module context is attached to the request before the text is parsed,
 * so the handler will not try again for this request even if parsing
 * fails.  The original sockaddr, socklen and addr_text are saved in that
 * context and restored by ngx_http_realip_cleanup(), which is registered
 * as a cleanup of the request pool.  The parsed address and the copy of
 * its text are allocated from the connection pool, not the request pool.
 *
 * Everything that later reads c->sockaddr or c->addr_text for this request
 * sees the replaced value.
 *
 * Returns NGX_DECLINED both on success and when the text is not an address
 * ngx_parse_addr() accepts (the connection is left untouched in that
 * case); returns NGX_HTTP_INTERNAL_SERVER_ERROR on allocation or parser
 * failure.
 */
static ngx_int_t
ngx_http_realip_set_addr(ngx_http_request_t *r, u_char *ip, size_t len)
{
    u_char                 *text;
    ngx_int_t               rc;
    ngx_addr_t              addr;
    ngx_connection_t       *c;
    ngx_pool_cleanup_t     *cln;
    ngx_http_realip_ctx_t  *ctx;

    c = r->connection;

    /* the cleanup's data area doubles as the module context */

    cln = ngx_pool_cleanup_add(r->pool, sizeof(ngx_http_realip_ctx_t));
    if (cln == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    ctx = cln->data;
    ngx_http_set_ctx(r, ctx, ngx_http_realip_module);

    rc = ngx_parse_addr(c->pool, &addr, ip, len);

    if (rc == NGX_DECLINED) {
        return NGX_DECLINED;
    }

    if (rc == NGX_ERROR) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    /* NGX_OK */

    text = ngx_pnalloc(c->pool, len);
    if (text == NULL) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }

    ngx_memcpy(text, ip, len);

    /* remember the original address for the cleanup handler */

    ctx->connection = c;
    ctx->sockaddr = c->sockaddr;
    ctx->socklen = c->socklen;
    ctx->addr_text = c->addr_text;

    cln->handler = ngx_http_realip_cleanup;

    /* switch the connection over to the address from the header */

    c->sockaddr = addr.sockaddr;
    c->socklen = addr.socklen;
    c->addr_text.data = text;
    c->addr_text.len = len;

    return NGX_DECLINED;
}
/*
 * Pool cleanup handler: puts back the connection address fields that
 * ngx_http_realip_set_addr() saved in the context before replacing them.
 *
 * data - the ngx_http_realip_ctx_t filled in by ngx_http_realip_set_addr()
 */
static void
ngx_http_realip_cleanup(void *data)
{
    ngx_http_realip_ctx_t *saved = data;

    ngx_connection_t  *conn;

    conn = saved->connection;

    conn->addr_text = saved->addr_text;
    conn->socklen = saved->socklen;
    conn->sockaddr = saved->sockaddr;
}
/*
 * Handler of the "set_real_ip_from" directive.
 *
 * With unix domain socket support compiled in, the literal argument
 * "unix:" marks unix socket peers as trusted.  Any other argument is parsed
 * as an address or CIDR block and appended to the list of trusted
 * networks; only IPv4 is accepted.
 *
 * Returns NGX_CONF_OK on success and NGX_CONF_ERROR on allocation failure,
 * on an argument ngx_ptocidr() rejects, or on a non-IPv4 argument.  A CIDR
 * whose low address bits are set beyond the mask only produces a warning.
 */
static char *
ngx_http_realip_from(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_realip_loc_conf_t *rlcf = conf;

    ngx_int_t                rc;
    ngx_str_t               *value, *arg;
    ngx_cidr_t               cidr;
    ngx_http_realip_from_t  *from;

    value = cf->args->elts;
    arg = &value[1];

#if (NGX_HAVE_UNIX_DOMAIN)

    if (ngx_strcmp(arg->data, "unix:") == 0) {
        rlcf->unixsock = 1;
        return NGX_CONF_OK;
    }

#endif

    /* the array is created by the first address given at this level */

    if (rlcf->from == NULL) {
        rlcf->from = ngx_array_create(cf->pool, 2,
                                      sizeof(ngx_http_realip_from_t));
        if (rlcf->from == NULL) {
            return NGX_CONF_ERROR;
        }
    }

    /* the slot is taken before parsing; every parse failure returns an error */

    from = ngx_array_push(rlcf->from);
    if (from == NULL) {
        return NGX_CONF_ERROR;
    }

    rc = ngx_ptocidr(arg, &cidr);

    if (rc == NGX_ERROR) {
        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid parameter \"%V\"",
                           arg);
        return NGX_CONF_ERROR;
    }

    if (cidr.family != AF_INET) {
        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                           "\"set_real_ip_from\" supports IPv4 only");
        return NGX_CONF_ERROR;
    }

    if (rc == NGX_DONE) {
        ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
                           "low address bits of %V are meaningless", arg);
    }

    from->addr = cidr.u.in.addr;
    from->mask = cidr.u.in.mask;

    return NGX_CONF_OK;
}
/*
 * Handler of the "real_ip_header" directive.
 *
 * The exact spellings "X-Real-IP" and "X-Forwarded-For" select the
 * dedicated header slots of the request.  Any other name is lowercased in
 * place, hashed, and stored together with its hash, to be looked up in the
 * request's header list by the phase handler.
 *
 * Always returns NGX_CONF_OK.
 */
static char *
ngx_http_realip(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_realip_loc_conf_t *rlcf = conf;

    ngx_str_t  *value, *name;

    value = cf->args->elts;
    name = &value[1];

    /* the two comparisons are case-sensitive */

    if (ngx_strcmp(name->data, "X-Real-IP") == 0) {
        rlcf->type = NGX_HTTP_REALIP_XREALIP;
        return NGX_CONF_OK;
    }

    if (ngx_strcmp(name->data, "X-Forwarded-For") == 0) {
        rlcf->type = NGX_HTTP_REALIP_XFWD;
        return NGX_CONF_OK;
    }

    rlcf->type = NGX_HTTP_REALIP_HEADER;

    /* source and destination are the same buffer: lowercase in place */
    rlcf->hash = ngx_hash_strlow(name->data, name->data, name->len);
    rlcf->header = *name;

    return NGX_CONF_OK;
}
/*
 * Allocates a location configuration with every setting marked as unset,
 * so that ngx_http_realip_merge_loc_conf() can tell an inherited value
 * from an explicit one.
 *
 * Returns the new configuration, or NULL if the allocation fails.
 */
static void *
ngx_http_realip_create_loc_conf(ngx_conf_t *cf)
{
    ngx_http_realip_loc_conf_t  *rlcf;

    rlcf = ngx_pcalloc(cf->pool, sizeof(ngx_http_realip_loc_conf_t));
    if (rlcf == NULL) {
        return NULL;
    }

    /*
     * zeroed by ngx_pcalloc():
     *
     *     rlcf->from = NULL;
     *     rlcf->hash = 0;
     *     rlcf->header = { 0, NULL };
     */

#if (NGX_HAVE_UNIX_DOMAIN)
    /* 2 stands for "unset"; the merge step turns it into 0 or 1 */
    rlcf->unixsock = 2;
#endif
    rlcf->type = NGX_CONF_UNSET_UINT;

    return rlcf;
}
/*
 * Fills the settings a child configuration left unset from its parent.
 *
 * The list of trusted networks is inherited as a whole: a level with its
 * own "set_real_ip_from" addresses keeps only those and does not add the
 * parent's.  The header type defaults to X-Real-IP.
 *
 * Always returns NGX_CONF_OK.
 */
static char *
ngx_http_realip_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_http_realip_loc_conf_t  *prev = parent;
    ngx_http_realip_loc_conf_t  *conf = child;

    if (conf->from == NULL) {
        conf->from = prev->from;
    }

#if (NGX_HAVE_UNIX_DOMAIN)
    /* 2 is the "unset" marker; unset at both levels resolves to 0 */
    if (conf->unixsock == 2) {
        if (prev->unixsock == 2) {
            conf->unixsock = 0;

        } else {
            conf->unixsock = prev->unixsock;
        }
    }
#endif

    ngx_conf_merge_uint_value(conf->type, prev->type, NGX_HTTP_REALIP_XREALIP);

    /* header name and hash travel together */
    if (conf->header.len == 0) {
        conf->header = prev->header;
        conf->hash = prev->hash;
    }

    return NGX_CONF_OK;
}
/*
 * Postconfiguration hook: registers ngx_http_realip_handler() in the
 * post-read phase and again in the preaccess phase.  The handler attaches
 * a request context on its first attempt to set the address and declines
 * when it finds one, so at most one replacement is made per request.
 *
 * Returns NGX_OK, or NGX_ERROR if a handler slot cannot be allocated.
 */
static ngx_int_t
ngx_http_realip_init(ngx_conf_t *cf)
{
    ngx_uint_t                  n;
    ngx_http_handler_pt        *h;
    ngx_http_core_main_conf_t  *cmcf;

    static const ngx_uint_t  phases[] = {
        NGX_HTTP_POST_READ_PHASE,
        NGX_HTTP_PREACCESS_PHASE
    };

    cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);

    for (n = 0; n < sizeof(phases) / sizeof(phases[0]); n++) {

        h = ngx_array_push(&cmcf->phases[phases[n]].handlers);
        if (h == NULL) {
            return NGX_ERROR;
        }

        *h = ngx_http_realip_handler;
    }

    return NGX_OK;
}