Mercurial > hg > nginx
view auto/modules @ 5095:4fbef397c753
SNI: added restriction on requesting host other than negotiated.
According to RFC 6066, client is not supposed to request a different server
name at the application layer. Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request. Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.
There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection. Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.
An example of configuration that might not work as expected:
server {
listen 433 ssl default;
return 404;
}
server {
listen 433 ssl;
server_name example.org;
ssl_client_certificate org.cert;
ssl_verify_client on;
}
server {
listen 433 ssl;
server_name example.com;
ssl_client_certificate com.cert;
ssl_verify_client on;
}
Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.
author | Valentin Bartenev <vbart@nginx.com> |
---|---|
date | Wed, 27 Feb 2013 17:41:34 +0000 |
parents | f9ae534ebf4b |
children | c0f7b94e88ba |
line wrap: on
line source
# Copyright (C) Igor Sysoev # Copyright (C) Nginx, Inc. if [ $EVENT_SELECT = NO -a $EVENT_FOUND = NO ]; then EVENT_SELECT=YES fi if [ $EVENT_SELECT = YES ]; then have=NGX_HAVE_SELECT . auto/have CORE_SRCS="$CORE_SRCS $SELECT_SRCS" EVENT_MODULES="$EVENT_MODULES $SELECT_MODULE" fi if [ $EVENT_POLL = NO -a $EVENT_FOUND = NO ]; then EVENT_POLL=YES fi if [ $EVENT_POLL = YES ]; then have=NGX_HAVE_POLL . auto/have CORE_SRCS="$CORE_SRCS $POLL_SRCS" EVENT_MODULES="$EVENT_MODULES $POLL_MODULE" fi if [ $NGX_TEST_BUILD_DEVPOLL = YES ]; then have=NGX_HAVE_DEVPOLL . auto/have have=NGX_TEST_BUILD_DEVPOLL . auto/have EVENT_MODULES="$EVENT_MODULES $DEVPOLL_MODULE" CORE_SRCS="$CORE_SRCS $DEVPOLL_SRCS" fi if [ $NGX_TEST_BUILD_EVENTPORT = YES ]; then have=NGX_HAVE_EVENTPORT . auto/have have=NGX_TEST_BUILD_EVENTPORT . auto/have EVENT_MODULES="$EVENT_MODULES $EVENTPORT_MODULE" CORE_SRCS="$CORE_SRCS $EVENTPORT_SRCS" fi if [ $NGX_TEST_BUILD_EPOLL = YES ]; then have=NGX_HAVE_EPOLL . auto/have have=NGX_HAVE_EVENTFD . auto/have have=NGX_TEST_BUILD_EPOLL . auto/have EVENT_MODULES="$EVENT_MODULES $EPOLL_MODULE" CORE_SRCS="$CORE_SRCS $EPOLL_SRCS" fi if [ $NGX_TEST_BUILD_RTSIG = YES ]; then have=NGX_HAVE_RTSIG . auto/have have=NGX_TEST_BUILD_RTSIG . auto/have EVENT_MODULES="$EVENT_MODULES $RTSIG_MODULE" CORE_SRCS="$CORE_SRCS $RTSIG_SRCS" fi if [ $NGX_TEST_BUILD_SOLARIS_SENDFILEV = YES ]; then have=NGX_TEST_BUILD_SOLARIS_SENDFILEV . auto/have CORE_SRCS="$CORE_SRCS $SOLARIS_SENDFILEV_SRCS" fi if [ $HTTP != YES ]; then have=NGX_CRYPT . auto/nohave CRYPT_LIB= fi if [ $HTTP_CACHE = YES ]; then USE_MD5=YES have=NGX_HTTP_CACHE . auto/have HTTP_SRCS="$HTTP_SRCS $HTTP_FILE_CACHE_SRCS" fi if [ $HTTP_SSI = YES ]; then HTTP_POSTPONE=YES fi if [ $HTTP_ADDITION = YES ]; then HTTP_POSTPONE=YES fi # the module order is important # ngx_http_static_module # ngx_http_gzip_static_module # ngx_http_dav_module # ngx_http_autoindex_module # ngx_http_index_module # ngx_http_random_index_module # # ngx_http_access_module # ngx_http_realip_module # # # the filter order is important # ngx_http_write_filter # ngx_http_header_filter # ngx_http_chunked_filter # ngx_http_range_header_filter # ngx_http_gzip_filter # ngx_http_postpone_filter # ngx_http_ssi_filter # ngx_http_charset_filter # ngx_http_xslt_filter # ngx_http_image_filter # ngx_http_sub_filter # ngx_http_addition_filter # ngx_http_gunzip_filter # ngx_http_userid_filter # ngx_http_headers_filter # ngx_http_copy_filter # ngx_http_range_body_filter # ngx_http_not_modified_filter HTTP_FILTER_MODULES="$HTTP_WRITE_FILTER_MODULE \ $HTTP_HEADER_FILTER_MODULE \ $HTTP_CHUNKED_FILTER_MODULE \ $HTTP_RANGE_HEADER_FILTER_MODULE" if [ $HTTP_GZIP = YES ]; then have=NGX_HTTP_GZIP . auto/have USE_ZLIB=YES HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_GZIP_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_GZIP_SRCS" fi if [ $HTTP_POSTPONE = YES ]; then HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_POSTPONE_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_POSTPONE_FILTER_SRCS" fi if [ $HTTP_SSI = YES ]; then have=NGX_HTTP_SSI . auto/have HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_SSI_FILTER_MODULE" HTTP_DEPS="$HTTP_DEPS $HTTP_SSI_DEPS" HTTP_SRCS="$HTTP_SRCS $HTTP_SSI_SRCS" fi if [ $HTTP_CHARSET = YES ]; then HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_CHARSET_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_CHARSET_SRCS" fi if [ $HTTP_XSLT = YES ]; then USE_LIBXSLT=YES HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_XSLT_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_XSLT_SRCS" fi if [ $HTTP_IMAGE_FILTER = YES ]; then USE_LIBGD=YES HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_IMAGE_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_IMAGE_SRCS" fi if [ $HTTP_SUB = YES ]; then HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_SUB_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_SUB_SRCS" fi if [ $HTTP_ADDITION = YES ]; then HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_ADDITION_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_ADDITION_SRCS" fi if [ $HTTP_GUNZIP = YES ]; then have=NGX_HTTP_GZIP . auto/have USE_ZLIB=YES HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_GUNZIP_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_GUNZIP_SRCS" fi if [ $HTTP_USERID = YES ]; then HTTP_FILTER_MODULES="$HTTP_FILTER_MODULES $HTTP_USERID_FILTER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_USERID_SRCS" fi HTTP_MODULES="$HTTP_MODULES $HTTP_STATIC_MODULE" if [ $HTTP_GZIP_STATIC = YES ]; then have=NGX_HTTP_GZIP . auto/have HTTP_MODULES="$HTTP_MODULES $HTTP_GZIP_STATIC_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_GZIP_STATIC_SRCS" fi if [ $HTTP_DAV = YES ]; then have=NGX_HTTP_DAV . auto/have HTTP_MODULES="$HTTP_MODULES $HTTP_DAV_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_DAV_SRCS" fi if [ $HTTP_AUTOINDEX = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_AUTOINDEX_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_AUTOINDEX_SRCS" fi HTTP_MODULES="$HTTP_MODULES $HTTP_INDEX_MODULE" if [ $HTTP_RANDOM_INDEX = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_RANDOM_INDEX_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_RANDOM_INDEX_SRCS" fi if [ $HTTP_AUTH_BASIC = YES ]; then USE_MD5=YES USE_SHA1=YES have=NGX_CRYPT . auto/have HTTP_MODULES="$HTTP_MODULES $HTTP_AUTH_BASIC_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_AUTH_BASIC_SRCS" CORE_LIBS="$CORE_LIBS $CRYPT_LIB" fi if [ $HTTP_ACCESS = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_ACCESS_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_ACCESS_SRCS" fi if [ $HTTP_LIMIT_CONN = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_LIMIT_CONN_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_LIMIT_CONN_SRCS" fi if [ $HTTP_LIMIT_REQ = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_LIMIT_REQ_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_LIMIT_REQ_SRCS" fi if [ $HTTP_REALIP = YES ]; then have=NGX_HTTP_REALIP . auto/have have=NGX_HTTP_X_FORWARDED_FOR . auto/have HTTP_MODULES="$HTTP_MODULES $HTTP_REALIP_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_REALIP_SRCS" fi if [ $HTTP_STATUS = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_STATUS_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_STATUS_SRCS" fi if [ $HTTP_GEO = YES ]; then have=NGX_HTTP_X_FORWARDED_FOR . auto/have HTTP_MODULES="$HTTP_MODULES $HTTP_GEO_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_GEO_SRCS" fi if [ $HTTP_GEOIP = YES ]; then have=NGX_HTTP_X_FORWARDED_FOR . auto/have HTTP_MODULES="$HTTP_MODULES $HTTP_GEOIP_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_GEOIP_SRCS" fi if [ $HTTP_MAP = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_MAP_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_MAP_SRCS" fi if [ $HTTP_SPLIT_CLIENTS = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_SPLIT_CLIENTS_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_SPLIT_CLIENTS_SRCS" fi if [ $HTTP_REFERER = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_REFERER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_REFERER_SRCS" fi if [ $HTTP_REWRITE = YES -a $USE_PCRE != DISABLED ]; then USE_PCRE=YES HTTP_MODULES="$HTTP_MODULES $HTTP_REWRITE_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_REWRITE_SRCS" fi if [ $HTTP_SSL = YES ]; then USE_OPENSSL=YES have=NGX_HTTP_SSL . auto/have HTTP_MODULES="$HTTP_MODULES $HTTP_SSL_MODULE" HTTP_DEPS="$HTTP_DEPS $HTTP_SSL_DEPS" HTTP_SRCS="$HTTP_SRCS $HTTP_SSL_SRCS" fi if [ $HTTP_PROXY = YES ]; then have=NGX_HTTP_X_FORWARDED_FOR . auto/have #USE_MD5=YES HTTP_MODULES="$HTTP_MODULES $HTTP_PROXY_MODULE" HTTP_DEPS="$HTTP_DEPS $HTTP_PROXY_DEPS" HTTP_SRCS="$HTTP_SRCS $HTTP_PROXY_SRCS" fi if [ $HTTP_FASTCGI = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_FASTCGI_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_FASTCGI_SRCS" fi if [ $HTTP_UWSGI = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_UWSGI_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_UWSGI_SRCS" fi if [ $HTTP_SCGI = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_SCGI_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_SCGI_SRCS" fi if [ $HTTP_PERL = YES ]; then USE_PERL=YES HTTP_MODULES="$HTTP_MODULES $HTTP_PERL_MODULE" HTTP_INCS="$HTTP_INCS $HTTP_PERL_INCS" HTTP_DEPS="$HTTP_DEPS $HTTP_PERL_DEPS" HTTP_SRCS="$HTTP_SRCS $HTTP_PERL_SRCS" fi if [ $HTTP_MEMCACHED = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_MEMCACHED_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_MEMCACHED_SRCS" fi if [ $HTTP_EMPTY_GIF = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_EMPTY_GIF_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_EMPTY_GIF_SRCS" fi if [ $HTTP_BROWSER = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_BROWSER_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_BROWSER_SRCS" fi if [ $HTTP_SECURE_LINK = YES ]; then USE_MD5=YES HTTP_MODULES="$HTTP_MODULES $HTTP_SECURE_LINK_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_SECURE_LINK_SRCS" fi if [ $HTTP_DEGRADATION = YES ]; then have=NGX_HTTP_DEGRADATION . auto/have HTTP_MODULES="$HTTP_MODULES $HTTP_DEGRADATION_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_DEGRADATION_SRCS" fi if [ $HTTP_FLV = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_FLV_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_FLV_SRCS" fi if [ $HTTP_MP4 = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_MP4_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_MP4_SRCS" fi if [ $HTTP_UPSTREAM_IP_HASH = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_UPSTREAM_IP_HASH_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_UPSTREAM_IP_HASH_SRCS" fi if [ $HTTP_UPSTREAM_LEAST_CONN = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_UPSTREAM_LEAST_CONN_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_UPSTREAM_LEAST_CONN_SRCS" fi if [ $HTTP_UPSTREAM_KEEPALIVE = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_UPSTREAM_KEEPALIVE_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_UPSTREAM_KEEPALIVE_SRCS" fi if [ $HTTP_STUB_STATUS = YES ]; then have=NGX_STAT_STUB . auto/have HTTP_MODULES="$HTTP_MODULES ngx_http_stub_status_module" HTTP_SRCS="$HTTP_SRCS src/http/modules/ngx_http_stub_status_module.c" fi #if [ -r $NGX_OBJS/auto ]; then # . $NGX_OBJS/auto #fi if test -n "$NGX_ADDONS"; then echo configuring additional modules for ngx_addon_dir in $NGX_ADDONS do echo "adding module in $ngx_addon_dir" if test -f $ngx_addon_dir/config; then . $ngx_addon_dir/config echo " + $ngx_addon_name was configured" else echo "$0: error: no $ngx_addon_dir/config was found" exit 1 fi done fi if [ $MAIL_SSL = YES ]; then have=NGX_MAIL_SSL . auto/have USE_OPENSSL=YES fi modules="$CORE_MODULES $EVENT_MODULES" if [ $USE_OPENSSL = YES ]; then modules="$modules $OPENSSL_MODULE" CORE_DEPS="$CORE_DEPS $OPENSSL_DEPS" CORE_SRCS="$CORE_SRCS $OPENSSL_SRCS" fi if [ $USE_PCRE = YES ]; then modules="$modules $REGEX_MODULE" CORE_DEPS="$CORE_DEPS $REGEX_DEPS" CORE_SRCS="$CORE_SRCS $REGEX_SRCS" fi if [ $HTTP = YES ]; then modules="$modules $HTTP_MODULES $HTTP_FILTER_MODULES \ $HTTP_HEADERS_FILTER_MODULE \ $HTTP_AUX_FILTER_MODULES \ $HTTP_COPY_FILTER_MODULE \ $HTTP_RANGE_BODY_FILTER_MODULE \ $HTTP_NOT_MODIFIED_FILTER_MODULE" NGX_ADDON_DEPS="$NGX_ADDON_DEPS \$(HTTP_DEPS)" fi if [ $MAIL = YES ]; then modules="$modules $MAIL_MODULES" if [ $MAIL_SSL = YES ]; then modules="$modules $MAIL_SSL_MODULE" MAIL_DEPS="$MAIL_DEPS $MAIL_SSL_DEPS" MAIL_SRCS="$MAIL_SRCS $MAIL_SSL_SRCS" fi if [ $MAIL_POP3 = YES ]; then modules="$modules $MAIL_POP3_MODULE" MAIL_DEPS="$MAIL_DEPS $MAIL_POP3_DEPS" MAIL_SRCS="$MAIL_SRCS $MAIL_POP3_SRCS" fi if [ $MAIL_IMAP = YES ]; then modules="$modules $MAIL_IMAP_MODULE" MAIL_DEPS="$MAIL_DEPS $MAIL_IMAP_DEPS" MAIL_SRCS="$MAIL_SRCS $MAIL_IMAP_SRCS" fi if [ $MAIL_SMTP = YES ]; then modules="$modules $MAIL_SMTP_MODULE" MAIL_DEPS="$MAIL_DEPS $MAIL_SMTP_DEPS" MAIL_SRCS="$MAIL_SRCS $MAIL_SMTP_SRCS" fi modules="$modules $MAIL_AUTH_HTTP_MODULE" MAIL_SRCS="$MAIL_SRCS $MAIL_AUTH_HTTP_SRCS" modules="$modules $MAIL_PROXY_MODULE" MAIL_SRCS="$MAIL_SRCS $MAIL_PROXY_SRCS" fi if [ $NGX_GOOGLE_PERFTOOLS = YES ]; then modules="$modules $NGX_GOOGLE_PERFTOOLS_MODULE" NGX_MISC_SRCS="$NGX_MISC_SRCS $NGX_GOOGLE_PERFTOOLS_SRCS" fi if [ $NGX_CPP_TEST = YES ]; then NGX_MISC_SRCS="$NGX_MISC_SRCS $NGX_CPP_TEST_SRCS" CORE_LIBS="$CORE_LIBS -lstdc++" fi cat << END > $NGX_MODULES_C #include <ngx_config.h> #include <ngx_core.h> $NGX_PRAGMA END for mod in $modules do echo "extern ngx_module_t $mod;" >> $NGX_MODULES_C done echo >> $NGX_MODULES_C echo 'ngx_module_t *ngx_modules[] = {' >> $NGX_MODULES_C for mod in $modules do echo " &$mod," >> $NGX_MODULES_C done cat << END >> $NGX_MODULES_C NULL }; END