nginx: src/stream/ngx_stream_proxy

comparison src/stream/ngx_stream_proxy_module.c @ 6530:1d0e03db9f8e

Upstream: the "transparent" parameter of proxy_bind and friends. This parameter lets binding the proxy connection to a non-local address. Upstream will see the connection as coming from that address. When used with $remote_addr, upstream will accept the connection from real client address. Example: proxy_bind $remote_addr transparent;

author	Roman Arutyunyan <arut@nginx.com>
date	Fri, 18 Dec 2015 19:05:27 +0300
parents	cb8177ca0990
children	04d8d1f85649

comparison

equal deleted inserted replaced

-:cb8177ca0990
+:1d0e03db9f8e
 #include <ngx_stream.h>
 typedef struct {
 ngx_addr_t                      *addr;
+#if (NGX_HAVE_TRANSPARENT_PROXY)
+ngx_uint_t                       transparent; /* unsigned  transparent:1; */
+#endif
 } ngx_stream_upstream_local_t;
 typedef struct {
 ngx_msec_t                       connect_timeout;
 NGX_STREAM_SRV_CONF_OFFSET,
 0,
 NULL },
 { ngx_string("proxy_bind"),
-NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE12,
 ngx_stream_proxy_bind,
 NGX_STREAM_SRV_CONF_OFFSET,
 0,
 NULL },
 static ngx_int_t
 ngx_stream_proxy_set_local(ngx_stream_session_t *s, ngx_stream_upstream_t *u,
 ngx_stream_upstream_local_t *local)
 {
+ngx_addr_t           *addr;
+ngx_connection_t     *c;
+struct sockaddr_in   *sin;
+#if (NGX_HAVE_INET6)
+struct sockaddr_in6  *sin6;
+#endif
 if (local == NULL) {
 u->peer.local = NULL;
 return NGX_OK;
 }
+#if (NGX_HAVE_TRANSPARENT_PROXY)
+u->peer.transparent = local->transparent;
+#endif
 if (local->addr) {
 u->peer.local = local->addr;
 return NGX_OK;
 }
+/* $remote_addr */
+c = s->connection;
+addr = ngx_palloc(c->pool, sizeof(ngx_addr_t));
+if (addr == NULL) {
+return NGX_ERROR;
+}
+addr->socklen = c->socklen;
+addr->sockaddr = ngx_palloc(c->pool, addr->socklen);
+if (addr->sockaddr == NULL) {
+return NGX_ERROR;
+}
+ngx_memcpy(addr->sockaddr, c->sockaddr, c->socklen);
+switch (addr->sockaddr->sa_family) {
+case AF_INET:
+sin = (struct sockaddr_in *) addr->sockaddr;
+sin->sin_port = 0;
+break;
+#if (NGX_HAVE_INET6)
+case AF_INET6:
+sin6 = (struct sockaddr_in6 *) addr->sockaddr;
+sin6->sin6_port = 0;
+break;
+#endif
+}
+addr->name = c->addr_text;
+u->peer.local = addr;
 return NGX_OK;
 }
 return "is duplicate";
 }
 value = cf->args->elts;
-if (ngx_strcmp(value[1].data, "off") == 0) {
+if (cf->args->nelts == 2 && ngx_strcmp(value[1].data, "off") == 0) {
 pscf->local = NULL;
 return NGX_CONF_OK;
 }
 local = ngx_palloc(cf->pool, sizeof(ngx_stream_upstream_local_t));
 return NGX_CONF_ERROR;
 }
 pscf->local = local;
-local->addr = ngx_palloc(cf->pool, sizeof(ngx_addr_t));
+if (ngx_strcmp(value[1].data, "$remote_addr") != 0) {
-if (local->addr == NULL) {
+local->addr = ngx_palloc(cf->pool, sizeof(ngx_addr_t));
-return NGX_CONF_ERROR;
+if (local->addr == NULL) {
-}
+return NGX_CONF_ERROR;
+}
-rc = ngx_parse_addr(cf->pool, local->addr, value[1].data, value[1].len);
+rc = ngx_parse_addr(cf->pool, local->addr, value[1].data, value[1].len);
-switch (rc) {
-case NGX_OK:
+switch (rc) {
-local->addr->name = value[1];
+case NGX_OK:
-break;
+local->addr->name = value[1];
+break;
-case NGX_DECLINED:
-ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+case NGX_DECLINED:
-"invalid address \"%V\"", &value[1]);
+ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-/* fall through */
+"invalid address \"%V\"", &value[1]);
+/* fall through */
-default:
-return NGX_CONF_ERROR;
+default:
+return NGX_CONF_ERROR;
+}
+}
+if (cf->args->nelts > 2) {
+if (ngx_strcmp(value[2].data, "transparent") == 0) {
+#if (NGX_HAVE_TRANSPARENT_PROXY)
+local->transparent = 1;
+#else
+ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+"transparent proxying is not supported "
+"on this platform, ignored");
+#endif
+} else {
+ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+"invalid parameter \"%V\"", &value[2]);
+return NGX_CONF_ERROR;
+}
 }
 return NGX_CONF_OK;
 }

Mercurial > hg > nginx

comparison src/stream/ngx_stream_proxy_module.c @ 6530:1d0e03db9f8e