nginx: src/http/modules/ngx_http_geo

comparison src/http/modules/ngx_http_geo_module.c @ 4668:ba2c7463ce18 stable-1.2

Merge of r4614, r4624-r4629, r4631: proxy recursive changes. *) Added IPv6 and UNIX-domain socket support in "debug_connection" directive. *) New function ngx_http_get_forwarded_addr() to look up real client address. On input it takes an original address, string in the X-Forwarded-For format and its length, list of trusted proxies, and a flag indicating to perform the recursive search. On output it returns NGX_OK and the "deepest" valid address in a chain, or NGX_DECLINED. It supports AF_INET and AF_INET6. Additionally, original address and/or proxy may be specified as AF_UNIX. *) Realip: chains of trusted proxies and IPv6 support. The module now supports recursive search of client address through the chain of trusted proxies, controlled by the "real_ip_recursive" directive (closes #2). It also gets full IPv6 support (closes #44) and canonical value of the $client_addr variable on address change. Example: real_ip_header X-Forwarded-For; set_real_ip_from 127.0.0.0/8; set_real_ip_from ::1; set_real_ip_from unix:; real_ip_recursive on; *) Geo: chains of trusted proxies and partial IPv6 support. The module now supports recursive search of client address through the chain of trusted proxies, controlled by the "proxy_recursive" directive in the "geo" block. It also gets partial IPv6 support: now proxies may be specified with IPv6 addresses. Example: geo $test { ... proxy 127.0.0.1; proxy ::1; proxy_recursive; } There's also a slight change in behavior. When original client address (as specified by the "geo" directive) is one of the trusted proxies, and the value of the X-Forwarded-For request header cannot not be parsed as a valid address, an original client address will be used for lookup. Previously, 255.255.255.255 was used in this case. *) Geoip: trusted proxies support and partial IPv6 support. The module now supports recursive search of client address through the chain of trusted proxies (closes #100), in the same scope as the geo module. Proxies are listed by the "geoip_proxy" directive, recursive search is enabled by the "geoip_proxy_recursive" directive. IPv6 is partially supported: proxies may be specified with IPv6 addresses. Example: geoip_country .../GeoIP.dat; geoip_proxy 127.0.0.1; geoip_proxy ::1; geoip_proxy 10.0.0.0/8; geoip_proxy_recursive on;

author	Maxim Dounin <mdounin@mdounin.ru>
date	Mon, 04 Jun 2012 11:58:12 +0000
parents	834049edae24
children	bb37a9cc08fb

comparison

equal deleted inserted replaced

-:d05ab8793a69
+:ba2c7463ce18
 unsigned                         ranges:1;
 unsigned                         outside_entries:1;
 unsigned                         allow_binary_include:1;
 unsigned                         binary_include:1;
+unsigned                         proxy_recursive:1;
 } ngx_http_geo_conf_ctx_t;
 typedef struct {
 union {
 ngx_radix_tree_t            *tree;
 ngx_http_geo_high_ranges_t   high;
 } u;
 ngx_array_t                     *proxies;
+unsigned                         proxy_recursive:1;
 ngx_int_t                        index;
 } ngx_http_geo_ctx_t;
 static in_addr_t ngx_http_geo_addr(ngx_http_request_t *r,
 ngx_http_geo_ctx_t *ctx);
-static in_addr_t ngx_http_geo_real_addr(ngx_http_request_t *r,
+static ngx_int_t ngx_http_geo_real_addr(ngx_http_request_t *r,
-ngx_http_geo_ctx_t *ctx);
+ngx_http_geo_ctx_t *ctx, ngx_addr_t *addr);
 static char *ngx_http_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
 static char *ngx_http_geo(ngx_conf_t *cf, ngx_command_t *dummy, void *conf);
 static char *ngx_http_geo_range(ngx_conf_t *cf, ngx_http_geo_conf_ctx_t *ctx,
 ngx_str_t *value);
 static char *ngx_http_geo_add_range(ngx_conf_t *cf,
 static in_addr_t
 ngx_http_geo_addr(ngx_http_request_t *r, ngx_http_geo_ctx_t *ctx)
 {
-u_char           *p, *ip;
+ngx_addr_t           addr;
-size_t            len;
+ngx_table_elt_t     *xfwd;
-in_addr_t         addr;
+struct sockaddr_in  *sin;
-ngx_uint_t        i, n;
-ngx_in_cidr_t    *proxies;
+if (ngx_http_geo_real_addr(r, ctx, &addr) != NGX_OK) {
-ngx_table_elt_t  *xfwd;
+return INADDR_NONE;
+}
-addr = ngx_http_geo_real_addr(r, ctx);
 xfwd = r->headers_in.x_forwarded_for;
-if (xfwd == NULL || ctx->proxies == NULL) {
+if (xfwd != NULL && ctx->proxies != NULL) {
-return addr;
+(void) ngx_http_get_forwarded_addr(r, &addr, xfwd->value.data,
-}
+xfwd->value.len, ctx->proxies,
+ctx->proxy_recursive);
-proxies = ctx->proxies->elts;
+}
-n = ctx->proxies->nelts;
+#if (NGX_HAVE_INET6)
-for (i = 0; i < n; i++) {
-if ((addr & proxies[i].mask) == proxies[i].addr) {
+if (addr.sockaddr->sa_family == AF_INET6) {
+struct in6_addr  *inaddr6;
-len = xfwd->value.len;
-ip = xfwd->value.data;
+inaddr6 = &((struct sockaddr_in6 *) addr.sockaddr)->sin6_addr;
-for (p = ip + len - 1; p > ip; p--) {
+if (IN6_IS_ADDR_V4MAPPED(inaddr6)) {
-if (*p == ' ' || *p == ',') {
+return ntohl(*(in_addr_t *) &inaddr6->s6_addr[12]);
-p++;
+}
-len -= p - ip;
+}
-ip = p;
-break;
+#endif
-}
-}
+if (addr.sockaddr->sa_family != AF_INET) {
+return INADDR_NONE;
-return ntohl(ngx_inet_addr(ip, len));
+}
-}
-}
+sin = (struct sockaddr_in *) addr.sockaddr;
+return ntohl(sin->sin_addr.s_addr);
-return addr;
+}
-}
+static ngx_int_t
-static in_addr_t
+ngx_http_geo_real_addr(ngx_http_request_t *r, ngx_http_geo_ctx_t *ctx,
-ngx_http_geo_real_addr(ngx_http_request_t *r, ngx_http_geo_ctx_t *ctx)
+ngx_addr_t *addr)
 {
-struct sockaddr_in         *sin;
 ngx_http_variable_value_t  *v;
-#if (NGX_HAVE_INET6)
-u_char                     *p;
-in_addr_t                   addr;
-struct sockaddr_in6        *sin6;
-#endif
 if (ctx->index == -1) {
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "http geo started: %V", &r->connection->addr_text);
-switch (r->connection->sockaddr->sa_family) {
+addr->sockaddr = r->connection->sockaddr;
+addr->socklen = r->connection->socklen;
-case AF_INET:
+/* addr->name = r->connection->addr_text; */
-sin = (struct sockaddr_in *) r->connection->sockaddr;
-return ntohl(sin->sin_addr.s_addr);
+return NGX_OK;
-#if (NGX_HAVE_INET6)
-case AF_INET6:
-sin6 = (struct sockaddr_in6 *) r->connection->sockaddr;
-if (IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
-p = sin6->sin6_addr.s6_addr;
-addr = p[12] << 24;
-addr += p[13] << 16;
-addr += p[14] << 8;
-addr += p[15];
-return addr;
-}
-#endif
-}
-return INADDR_NONE;
 }
 v = ngx_http_get_flushed_variable(r, ctx->index);
 if (v == NULL || v->not_found) {
 ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "http geo not found");
-return 0;
+return NGX_ERROR;
 }
 ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
 "http geo started: %v", v);
-return ntohl(ngx_inet_addr(v->data, v->len));
+if (ngx_parse_addr(r->pool, addr, v->data, v->len) == NGX_OK) {
+return NGX_OK;
+}
+return NGX_ERROR;
 }
 static char *
 ngx_http_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 rv = ngx_conf_parse(cf, NULL);
 *cf = save;
 geo->proxies = ctx.proxies;
+geo->proxy_recursive = ctx.proxy_recursive;
 if (ctx.high.low) {
 if (!ctx.binary_include) {
 for (i = 0; i < 0x10000; i++) {
 rv = NGX_CONF_OK;
 goto done;
 }
+else if (ngx_strcmp(value[0].data, "proxy_recursive") == 0) {
+ctx->proxy_recursive = 1;
+rv = NGX_CONF_OK;
+goto done;
+}
 }
 if (cf->args->nelts != 2) {
 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
 "invalid number of the geo parameters");
 return NGX_CONF_ERROR;
 }
 }
 if (ngx_strcmp(value[0].data, "default") == 0) {
+/* cidr.family = AF_INET; */
 cidr.u.in.addr = 0;
 cidr.u.in.mask = 0;
 net = &value[0];
 } else {
 }
 if (ngx_http_geo_cidr_value(cf, net, &cidr) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
+if (cidr.family != AF_INET) {
+ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+"\"geo\" supports IPv4 only");
+return NGX_CONF_ERROR;
+}
+cidr.u.in.addr = ntohl(cidr.u.in.addr);
+cidr.u.in.mask = ntohl(cidr.u.in.mask);
 if (del) {
 if (ngx_radix32tree_delete(ctx->tree, cidr.u.in.addr,
 cidr.u.in.mask)
 != NGX_OK)
 static char *
 ngx_http_geo_add_proxy(ngx_conf_t *cf, ngx_http_geo_conf_ctx_t *ctx,
 ngx_cidr_t *cidr)
 {
-ngx_in_cidr_t  *c;
+ngx_cidr_t  *c;
 if (ctx->proxies == NULL) {
-ctx->proxies = ngx_array_create(ctx->pool, 4, sizeof(ngx_in_cidr_t));
+ctx->proxies = ngx_array_create(ctx->pool, 4, sizeof(ngx_cidr_t));
 if (ctx->proxies == NULL) {
 return NGX_CONF_ERROR;
 }
 }
 c = ngx_array_push(ctx->proxies);
 if (c == NULL) {
 return NGX_CONF_ERROR;
 }
-c->addr = cidr->u.in.addr;
+*c = *cidr;
-c->mask = cidr->u.in.mask;
 return NGX_CONF_OK;
 }
 ngx_http_geo_cidr_value(ngx_conf_t *cf, ngx_str_t *net, ngx_cidr_t *cidr)
 {
 ngx_int_t  rc;
 if (ngx_strcmp(net->data, "255.255.255.255") == 0) {
+cidr->family = AF_INET;
 cidr->u.in.addr = 0xffffffff;
 cidr->u.in.mask = 0xffffffff;
 return NGX_OK;
 }
 if (rc == NGX_ERROR) {
 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid network \"%V\"", net);
 return NGX_ERROR;
 }
-if (cidr->family != AF_INET) {
-ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "\"geo\" supports IPv4 only");
-return NGX_ERROR;
-}
 if (rc == NGX_DONE) {
 ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
 "low address bits of %V are meaningless", net);
 }
-cidr->u.in.addr = ntohl(cidr->u.in.addr);
-cidr->u.in.mask = ntohl(cidr->u.in.mask);
 return NGX_OK;
 }

Mercurial > hg > nginx

comparison src/http/modules/ngx_http_geo_module.c @ 4668:ba2c7463ce18 stable-1.2