comparison src/event/ngx_event_accept.c @ 4668:ba2c7463ce18 stable-1.2
Merge of r4614, r4624-r4629, r4631: proxy recursive changes.
*) Added IPv6 and UNIX-domain socket support in "debug_connection"
directive.
*) New function ngx_http_get_forwarded_addr() to look up real client
address.
On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search. On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED. It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.
*) Realip: chains of trusted proxies and IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2). It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.
Example:
real_ip_header X-Forwarded-For;
set_real_ip_from 127.0.0.0/8;
set_real_ip_from ::1;
set_real_ip_from unix:;
real_ip_recursive on;
*) Geo: chains of trusted proxies and partial IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "proxy_recursive"
directive in the "geo" block. It also gets partial IPv6 support:
now proxies may be specified with IPv6 addresses.
Example:
geo $test {
...
proxy 127.0.0.1;
proxy ::1;
proxy_recursive;
}
There's also a slight change in behavior. When original client
address (as specified by the "geo" directive) is one of the
trusted proxies, and the value of the X-Forwarded-For request
header cannot be parsed as a valid address, an original client
address will be used for lookup. Previously, 255.255.255.255 was
used in this case.
*) Geoip: trusted proxies support and partial IPv6 support.
The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module. Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive. IPv6 is
partially supported: proxies may be specified with IPv6 addresses.
Example:
geoip_country .../GeoIP.dat;
geoip_proxy 127.0.0.1;
geoip_proxy ::1;
geoip_proxy 10.0.0.0/8;
geoip_proxy_recursive on;
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Mon, 04 Jun 2012 11:58:12 +0000 |
parents | 25611746fee7 |
children |
4667:d05ab8793a69 | 4668:ba2c7463ce18 |
---|---|
284 } | 284 } |
285 | 285 |
286 #if (NGX_DEBUG) | 286 #if (NGX_DEBUG) |
287 { | 287 { |
288 | 288 |
289 in_addr_t i; | 289 struct sockaddr_in *sin; |
290 ngx_event_debug_t *dc; | 290 ngx_cidr_t *cidr; |
291 struct sockaddr_in *sin; | 291 ngx_uint_t i; |
292 | 292 #if (NGX_HAVE_INET6) |
293 sin = (struct sockaddr_in *) sa; | 293 struct sockaddr_in6 *sin6; |
294 dc = ecf->debug_connection.elts; | 294 ngx_uint_t n; |
295 #endif | |
296 | |
297 cidr = ecf->debug_connection.elts; | |
295 for (i = 0; i < ecf->debug_connection.nelts; i++) { | 298 for (i = 0; i < ecf->debug_connection.nelts; i++) { |
296 if ((sin->sin_addr.s_addr & dc[i].mask) == dc[i].addr) { | 299 if (cidr[i].family != c->sockaddr->sa_family) { |
297 log->log_level = NGX_LOG_DEBUG_CONNECTION|NGX_LOG_DEBUG_ALL; | 300 goto next; |
301 } | |
302 | |
303 switch (cidr[i].family) { | |
304 | |
305 #if (NGX_HAVE_INET6) | |
306 case AF_INET6: | |
307 sin6 = (struct sockaddr_in6 *) c->sockaddr; | |
308 for (n = 0; n < 16; n++) { | |
309 if ((sin6->sin6_addr.s6_addr[n] | |
310 & cidr[i].u.in6.mask.s6_addr[n]) | |
311 != cidr[i].u.in6.addr.s6_addr[n]) | |
312 { | |
313 goto next; | |
314 } | |
315 } | |
298 break; | 316 break; |
299 } | 317 #endif |
318 | |
319 #if (NGX_HAVE_UNIX_DOMAIN) | |
320 case AF_UNIX: | |
321 break; | |
322 #endif | |
323 | |
324 default: /* AF_INET */ | |
325 sin = (struct sockaddr_in *) c->sockaddr; | |
326 if ((sin->sin_addr.s_addr & cidr[i].u.in.mask) | |
327 != cidr[i].u.in.addr) | |
328 { | |
329 goto next; | |
330 } | |
331 break; | |
332 } | |
333 | |
334 log->log_level = NGX_LOG_DEBUG_CONNECTION|NGX_LOG_DEBUG_ALL; | |
335 break; | |
336 | |
337 next: | |
338 continue; | |
300 } | 339 } |
301 | 340 |
302 } | 341 } |
303 #endif | 342 #endif |
304 | 343 |
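Review bot: The `default: /* AF_INET */` arm at new line 324 casts `c->sockaddr` to `struct sockaddr_in *` for every family not cased above it, so it relies on the configuration parser (not visible here) never storing a `cidr[i].family` other than AF_INET, AF_INET6 or AF_UNIX. The equality test at new line 299 only shows that the entry and the connection agree on a family, not that the family is AF_INET. Making the arm explicit, `case AF_INET:` followed by `default: goto next;`, would keep an unexpected family from being compared as an IPv4 address and mask. The `case AF_UNIX:` arm also deserves a comment such as `/* no address to compare: every UNIX-domain peer matches */`, because it enables `NGX_LOG_DEBUG_ALL` for all such connections and debug-level logs are verbose. The enclosing function begins and ends outside this section.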