Mercurial > hg > nginx
comparison src/http/ngx_http_core_module.c @ 4623:ed3d0cc6de5a
New function ngx_http_get_forwarded_addr() to look up real client address.
On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search. On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED. It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.
| author | Ruslan Ermilov <ru@nginx.com> |
|---|---|
| date | Mon, 14 May 2012 12:27:41 +0000 |
| parents | 347a54b2cb14 |
| children | 3709ce127763 |
comparison
equal
deleted
inserted
replaced
| 4622:0dfdc3f732cb | 4623:ed3d0cc6de5a |
|---|---|
| 2694 of->disable_symlinks_from = from.len - 1; | 2694 of->disable_symlinks_from = from.len - 1; |
| 2695 } | 2695 } |
| 2696 #endif | 2696 #endif |
| 2697 | 2697 |
| 2698 return NGX_OK; | 2698 return NGX_OK; |
| 2699 } | |
| 2700 | |
| 2701 | |
| 2702 ngx_int_t | |
| 2703 ngx_http_get_forwarded_addr(ngx_http_request_t *r, ngx_addr_t *addr, | |
| 2704 u_char *xff, size_t xfflen, ngx_array_t *proxies, int recursive) | |
| 2705 { | |
| 2706 u_char *p; | |
| 2707 in_addr_t *inaddr; | |
| 2708 ngx_addr_t paddr; | |
| 2709 ngx_cidr_t *cidr; | |
| 2710 ngx_uint_t family, i; | |
| 2711 #if (NGX_HAVE_INET6) | |
| 2712 ngx_uint_t n; | |
| 2713 struct in6_addr *inaddr6; | |
| 2714 #endif | |
| 2715 | |
| 2716 family = addr->sockaddr->sa_family; | |
| 2717 | |
| 2718 if (family == AF_INET) { | |
| 2719 inaddr = &((struct sockaddr_in *) addr->sockaddr)->sin_addr.s_addr; | |
| 2720 } | |
| 2721 | |
| 2722 #if (NGX_HAVE_INET6) | |
| 2723 else if (family == AF_INET6) { | |
| 2724 inaddr6 = &((struct sockaddr_in6 *) addr->sockaddr)->sin6_addr; | |
| 2725 | |
| 2726 if (IN6_IS_ADDR_V4MAPPED(inaddr6)) { | |
| 2727 family = AF_INET; | |
| 2728 inaddr = (in_addr_t *) &inaddr6->s6_addr[12]; | |
| 2729 } | |
| 2730 } | |
| 2731 #endif | |
| 2732 | |
| 2733 for (cidr = proxies->elts, i = 0; i < proxies->nelts; i++) { | |
| 2734 if (cidr[i].family != family) { | |
| 2735 goto next; | |
| 2736 } | |
| 2737 | |
| 2738 switch (family) { | |
| 2739 | |
| 2740 #if (NGX_HAVE_INET6) | |
| 2741 case AF_INET6: | |
| 2742 for (n = 0; n < 16; n++) { | |
| 2743 if ((inaddr6->s6_addr[n] & cidr[i].u.in6.mask.s6_addr[n]) | |
| 2744 != cidr[i].u.in6.addr.s6_addr[n]) | |
| 2745 { | |
| 2746 goto next; | |
| 2747 } | |
| 2748 } | |
| 2749 break; | |
| 2750 #endif | |
| 2751 | |
| 2752 #if (NGX_HAVE_UNIX_DOMAIN) | |
| 2753 case AF_UNIX: | |
| 2754 break; | |
| 2755 #endif | |
| 2756 | |
| 2757 default: /* AF_INET */ | |
| 2758 if ((*inaddr & cidr[i].u.in.mask) != cidr[i].u.in.addr) { | |
| 2759 goto next; | |
| 2760 } | |
| 2761 break; | |
| 2762 } | |
| 2763 | |
| 2764 for (p = xff + xfflen - 1; p > xff; p--, xfflen--) { | |
| 2765 if (*p != ' ' && *p != ',') { | |
| 2766 break; | |
| 2767 } | |
| 2768 } | |
| 2769 | |
| 2770 for ( /* void */ ; p > xff; p--) { | |
| 2771 if (*p == ' ' || *p == ',') { | |
| 2772 p++; | |
| 2773 break; | |
| 2774 } | |
| 2775 } | |
| 2776 | |
| 2777 if (ngx_parse_addr(r->pool, &paddr, p, xfflen - (p - xff)) != NGX_OK) { | |
| 2778 return NGX_DECLINED; | |
| 2779 } | |
| 2780 | |
| 2781 *addr = paddr; | |
| 2782 | |
| 2783 if (recursive && p > xff) { | |
| 2784 (void) ngx_http_get_forwarded_addr(r, addr, xff, p - 1 - xff, | |
| 2785 proxies, 1); | |
| 2786 } | |
| 2787 | |
| 2788 return NGX_OK; | |
| 2789 | |
| 2790 next: | |
| 2791 continue; | |
| 2792 } | |
| 2793 | |
| 2794 return NGX_DECLINED; | |
| 2699 } | 2795 } |
| 2700 | 2796 |
| 2701 | 2797 |
| 2702 static char * | 2798 static char * |
| 2703 ngx_http_core_server(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) | 2799 ngx_http_core_server(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) |