Mercurial > hg > nginx
view auto/sources @ 5095:4fbef397c753
SNI: added restriction on requesting host other than negotiated.
According to RFC 6066, client is not supposed to request a different server
name at the application layer. Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request. Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.
There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection. Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.
An example of configuration that might not work as expected:
server {
listen 433 ssl default;
return 404;
}
server {
listen 433 ssl;
server_name example.org;
ssl_client_certificate org.cert;
ssl_verify_client on;
}
server {
listen 433 ssl;
server_name example.com;
ssl_client_certificate com.cert;
ssl_verify_client on;
}
Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.
| author | Valentin Bartenev <vbart@nginx.com> |
|---|---|
| date | Wed, 27 Feb 2013 17:41:34 +0000 |
| parents | dd74fd35ceb5 |
| children | c0f7b94e88ba |
line wrap: on
line source
# Copyright (C) Igor Sysoev # Copyright (C) Nginx, Inc. CORE_MODULES="ngx_core_module ngx_errlog_module ngx_conf_module" CORE_INCS="src/core" CORE_DEPS="src/core/nginx.h \ src/core/ngx_config.h \ src/core/ngx_core.h \ src/core/ngx_log.h \ src/core/ngx_palloc.h \ src/core/ngx_array.h \ src/core/ngx_list.h \ src/core/ngx_hash.h \ src/core/ngx_buf.h \ src/core/ngx_queue.h \ src/core/ngx_string.h \ src/core/ngx_parse.h \ src/core/ngx_inet.h \ src/core/ngx_file.h \ src/core/ngx_crc.h \ src/core/ngx_crc32.h \ src/core/ngx_murmurhash.h \ src/core/ngx_md5.h \ src/core/ngx_sha1.h \ src/core/ngx_rbtree.h \ src/core/ngx_radix_tree.h \ src/core/ngx_slab.h \ src/core/ngx_times.h \ src/core/ngx_shmtx.h \ src/core/ngx_connection.h \ src/core/ngx_cycle.h \ src/core/ngx_conf_file.h \ src/core/ngx_resolver.h \ src/core/ngx_open_file_cache.h \ src/core/ngx_crypt.h" CORE_SRCS="src/core/nginx.c \ src/core/ngx_log.c \ src/core/ngx_palloc.c \ src/core/ngx_array.c \ src/core/ngx_list.c \ src/core/ngx_hash.c \ src/core/ngx_buf.c \ src/core/ngx_queue.c \ src/core/ngx_output_chain.c \ src/core/ngx_string.c \ src/core/ngx_parse.c \ src/core/ngx_inet.c \ src/core/ngx_file.c \ src/core/ngx_crc32.c \ src/core/ngx_murmurhash.c \ src/core/ngx_md5.c \ src/core/ngx_rbtree.c \ src/core/ngx_radix_tree.c \ src/core/ngx_slab.c \ src/core/ngx_times.c \ src/core/ngx_shmtx.c \ src/core/ngx_connection.c \ src/core/ngx_cycle.c \ src/core/ngx_spinlock.c \ src/core/ngx_cpuinfo.c \ src/core/ngx_conf_file.c \ src/core/ngx_resolver.c \ src/core/ngx_open_file_cache.c \ src/core/ngx_crypt.c" REGEX_MODULE=ngx_regex_module REGEX_DEPS=src/core/ngx_regex.h REGEX_SRCS=src/core/ngx_regex.c OPENSSL_MODULE=ngx_openssl_module OPENSSL_DEPS=src/event/ngx_event_openssl.h OPENSSL_SRCS="src/event/ngx_event_openssl.c \ src/event/ngx_event_openssl_stapling.c" EVENT_MODULES="ngx_events_module ngx_event_core_module" EVENT_INCS="src/event src/event/modules" EVENT_DEPS="src/event/ngx_event.h \ src/event/ngx_event_timer.h \ src/event/ngx_event_posted.h \ src/event/ngx_event_busy_lock.h \ src/event/ngx_event_connect.h \ src/event/ngx_event_pipe.h" EVENT_SRCS="src/event/ngx_event.c \ src/event/ngx_event_timer.c \ src/event/ngx_event_posted.c \ src/event/ngx_event_busy_lock.c \ src/event/ngx_event_accept.c \ src/event/ngx_event_connect.c \ src/event/ngx_event_pipe.c" SELECT_MODULE=ngx_select_module SELECT_SRCS=src/event/modules/ngx_select_module.c WIN32_SELECT_SRCS=src/event/modules/ngx_win32_select_module.c POLL_MODULE=ngx_poll_module POLL_SRCS=src/event/modules/ngx_poll_module.c KQUEUE_MODULE=ngx_kqueue_module KQUEUE_SRCS=src/event/modules/ngx_kqueue_module.c DEVPOLL_MODULE=ngx_devpoll_module DEVPOLL_SRCS=src/event/modules/ngx_devpoll_module.c EVENTPORT_MODULE=ngx_eventport_module EVENTPORT_SRCS=src/event/modules/ngx_eventport_module.c EPOLL_MODULE=ngx_epoll_module EPOLL_SRCS=src/event/modules/ngx_epoll_module.c RTSIG_MODULE=ngx_rtsig_module RTSIG_SRCS=src/event/modules/ngx_rtsig_module.c IOCP_MODULE=ngx_iocp_module IOCP_SRCS=src/event/modules/ngx_iocp_module.c AIO_MODULE=ngx_aio_module AIO_SRCS="src/event/modules/ngx_aio_module.c \ src/os/unix/ngx_aio_read.c \ src/os/unix/ngx_aio_write.c \ src/os/unix/ngx_aio_read_chain.c \ src/os/unix/ngx_aio_write_chain.c" FILE_AIO_SRCS="src/os/unix/ngx_file_aio_read.c" LINUX_AIO_SRCS="src/os/unix/ngx_linux_aio_read.c" UNIX_INCS="$CORE_INCS $EVENT_INCS src/os/unix" UNIX_DEPS="$CORE_DEPS $EVENT_DEPS \ src/os/unix/ngx_time.h \ src/os/unix/ngx_errno.h \ src/os/unix/ngx_alloc.h \ src/os/unix/ngx_files.h \ src/os/unix/ngx_channel.h \ src/os/unix/ngx_shmem.h \ src/os/unix/ngx_process.h \ src/os/unix/ngx_setaffinity.h \ src/os/unix/ngx_setproctitle.h \ src/os/unix/ngx_atomic.h \ src/os/unix/ngx_gcc_atomic_x86.h \ src/os/unix/ngx_thread.h \ src/os/unix/ngx_socket.h \ src/os/unix/ngx_os.h \ src/os/unix/ngx_user.h \ src/os/unix/ngx_process_cycle.h" # add to UNIX_DEPS # src/os/unix/ngx_gcc_atomic_amd64.h \ # src/os/unix/ngx_gcc_atomic_sparc64.h \ # src/os/unix/ngx_gcc_atomic_ppc.h \ # src/os/unix/ngx_sunpro_atomic_sparc64.h \ # src/os/unix/ngx_sunpro_x86.il \ # src/os/unix/ngx_sunpro_amd64.il \ # src/os/unix/ngx_sunpro_sparc64.il \ UNIX_SRCS="$CORE_SRCS $EVENT_SRCS \ src/os/unix/ngx_time.c \ src/os/unix/ngx_errno.c \ src/os/unix/ngx_alloc.c \ src/os/unix/ngx_files.c \ src/os/unix/ngx_socket.c \ src/os/unix/ngx_recv.c \ src/os/unix/ngx_readv_chain.c \ src/os/unix/ngx_udp_recv.c \ src/os/unix/ngx_send.c \ src/os/unix/ngx_writev_chain.c \ src/os/unix/ngx_channel.c \ src/os/unix/ngx_shmem.c \ src/os/unix/ngx_process.c \ src/os/unix/ngx_daemon.c \ src/os/unix/ngx_setaffinity.c \ src/os/unix/ngx_setproctitle.c \ src/os/unix/ngx_posix_init.c \ src/os/unix/ngx_user.c \ src/os/unix/ngx_process_cycle.c" POSIX_DEPS=src/os/unix/ngx_posix_config.h FREEBSD_DEPS="src/os/unix/ngx_freebsd_config.h src/os/unix/ngx_freebsd.h" FREEBSD_SRCS=src/os/unix/ngx_freebsd_init.c FREEBSD_SENDFILE_SRCS=src/os/unix/ngx_freebsd_sendfile_chain.c FREEBSD_RFORK_DEPS="src/os/unix/ngx_freebsd_rfork_thread.h" FREEBSD_RFORK_SRCS="src/os/unix/ngx_freebsd_rfork_thread.c" FREEBSD_RFORK_THREAD_SRCS="src/os/unix/rfork_thread.S" PTHREAD_SRCS="src/os/unix/ngx_pthread_thread.c" LINUX_DEPS="src/os/unix/ngx_linux_config.h src/os/unix/ngx_linux.h" LINUX_SRCS=src/os/unix/ngx_linux_init.c LINUX_SENDFILE_SRCS=src/os/unix/ngx_linux_sendfile_chain.c SOLARIS_DEPS="src/os/unix/ngx_solaris_config.h src/os/unix/ngx_solaris.h" SOLARIS_SRCS=src/os/unix/ngx_solaris_init.c SOLARIS_SENDFILEV_SRCS=src/os/unix/ngx_solaris_sendfilev_chain.c DARWIN_DEPS="src/os/unix/ngx_darwin_config.h src/os/unix/ngx_darwin.h" DARWIN_SRCS=src/os/unix/ngx_darwin_init.c DARWIN_SENDFILE_SRCS=src/os/unix/ngx_darwin_sendfile_chain.c WIN32_INCS="$CORE_INCS $EVENT_INCS src/os/win32" WIN32_DEPS="$CORE_DEPS $EVENT_DEPS \ src/os/win32/ngx_win32_config.h \ src/os/win32/ngx_time.h \ src/os/win32/ngx_errno.h \ src/os/win32/ngx_alloc.h \ src/os/win32/ngx_files.h \ src/os/win32/ngx_shmem.h \ src/os/win32/ngx_process.h \ src/os/win32/ngx_atomic.h \ src/os/win32/ngx_thread.h \ src/os/win32/ngx_socket.h \ src/os/win32/ngx_os.h \ src/os/win32/ngx_user.h \ src/os/win32/ngx_process_cycle.h" WIN32_CONFIG=src/os/win32/ngx_win32_config.h WIN32_SRCS="$CORE_SRCS $EVENT_SRCS \ src/os/win32/ngx_errno.c \ src/os/win32/ngx_alloc.c \ src/os/win32/ngx_files.c \ src/os/win32/ngx_shmem.c \ src/os/win32/ngx_time.c \ src/os/win32/ngx_process.c \ src/os/win32/ngx_thread.c \ src/os/win32/ngx_socket.c \ src/os/win32/ngx_wsarecv.c \ src/os/win32/ngx_wsarecv_chain.c \ src/os/win32/ngx_udp_wsarecv.c \ src/os/win32/ngx_wsasend.c \ src/os/win32/ngx_wsasend_chain.c \ src/os/win32/ngx_win32_init.c \ src/os/win32/ngx_user.c \ src/os/win32/ngx_event_log.c \ src/os/win32/ngx_process_cycle.c \ src/event/ngx_event_acceptex.c" NGX_WIN32_ICONS="src/os/win32/nginx.ico" NGX_WIN32_RC="src/os/win32/nginx.rc" # the http modules that have their logging formats # must be after ngx_http_log_module HTTP_MODULES="ngx_http_module \ ngx_http_core_module \ ngx_http_log_module \ ngx_http_upstream_module" HTTP_WRITE_FILTER_MODULE="ngx_http_write_filter_module" HTTP_HEADER_FILTER_MODULE="ngx_http_header_filter_module" HTTP_POSTPONE_FILTER_MODULE=ngx_http_postpone_filter_module HTTP_COPY_FILTER_MODULE=ngx_http_copy_filter_module HTTP_CHUNKED_FILTER_MODULE=ngx_http_chunked_filter_module HTTP_HEADERS_FILTER_MODULE=ngx_http_headers_filter_module HTTP_RANGE_HEADER_FILTER_MODULE=ngx_http_range_header_filter_module HTTP_RANGE_BODY_FILTER_MODULE=ngx_http_range_body_filter_module HTTP_NOT_MODIFIED_FILTER_MODULE=ngx_http_not_modified_filter_module HTTP_STATIC_MODULE=ngx_http_static_module HTTP_INDEX_MODULE=ngx_http_index_module HTTP_INCS="src/http src/http/modules" HTTP_DEPS="src/http/ngx_http.h \ src/http/ngx_http_request.h \ src/http/ngx_http_config.h \ src/http/ngx_http_core_module.h \ src/http/ngx_http_cache.h \ src/http/ngx_http_variables.h \ src/http/ngx_http_script.h \ src/http/ngx_http_upstream.h \ src/http/ngx_http_upstream_round_robin.h \ src/http/ngx_http_busy_lock.h" HTTP_SRCS="src/http/ngx_http.c \ src/http/ngx_http_core_module.c \ src/http/ngx_http_special_response.c \ src/http/ngx_http_request.c \ src/http/ngx_http_parse.c \ src/http/ngx_http_header_filter_module.c \ src/http/ngx_http_write_filter_module.c \ src/http/ngx_http_copy_filter_module.c \ src/http/modules/ngx_http_log_module.c \ src/http/ngx_http_request_body.c \ src/http/ngx_http_variables.c \ src/http/ngx_http_script.c \ src/http/ngx_http_upstream.c \ src/http/ngx_http_upstream_round_robin.c \ src/http/ngx_http_parse_time.c \ src/http/modules/ngx_http_static_module.c \ src/http/modules/ngx_http_index_module.c \ src/http/modules/ngx_http_chunked_filter_module.c \ src/http/modules/ngx_http_range_filter_module.c \ src/http/modules/ngx_http_headers_filter_module.c \ src/http/modules/ngx_http_not_modified_filter_module.c" # STUB HTTP_SRCS="$HTTP_SRCS src/http/ngx_http_busy_lock.c" HTTP_POSTPONE_FILTER_SRCS=src/http/ngx_http_postpone_filter_module.c HTTP_FILE_CACHE_SRCS=src/http/ngx_http_file_cache.c HTTP_CHARSET_FILTER_MODULE=ngx_http_charset_filter_module HTTP_CHARSET_SRCS=src/http/modules/ngx_http_charset_filter_module.c HTTP_GZIP_FILTER_MODULE=ngx_http_gzip_filter_module HTTP_GZIP_SRCS=src/http/modules/ngx_http_gzip_filter_module.c HTTP_GUNZIP_FILTER_MODULE=ngx_http_gunzip_filter_module HTTP_GUNZIP_SRCS=src/http/modules/ngx_http_gunzip_filter_module.c HTTP_SSI_FILTER_MODULE=ngx_http_ssi_filter_module HTTP_SSI_DEPS=src/http/modules/ngx_http_ssi_filter_module.h HTTP_SSI_SRCS=src/http/modules/ngx_http_ssi_filter_module.c HTTP_XSLT_FILTER_MODULE=ngx_http_xslt_filter_module HTTP_XSLT_SRCS=src/http/modules/ngx_http_xslt_filter_module.c HTTP_IMAGE_FILTER_MODULE=ngx_http_image_filter_module HTTP_IMAGE_SRCS=src/http/modules/ngx_http_image_filter_module.c HTTP_SUB_FILTER_MODULE=ngx_http_sub_filter_module HTTP_SUB_SRCS=src/http/modules/ngx_http_sub_filter_module.c HTTP_USERID_FILTER_MODULE=ngx_http_userid_filter_module HTTP_USERID_SRCS=src/http/modules/ngx_http_userid_filter_module.c HTTP_REALIP_MODULE=ngx_http_realip_module HTTP_REALIP_SRCS=src/http/modules/ngx_http_realip_module.c HTTP_ADDITION_FILTER_MODULE=ngx_http_addition_filter_module HTTP_ADDITION_SRCS=src/http/modules/ngx_http_addition_filter_module.c HTTP_DAV_MODULE=ngx_http_dav_module HTTP_DAV_SRCS=src/http/modules/ngx_http_dav_module.c HTTP_ACCESS_MODULE=ngx_http_access_module HTTP_ACCESS_SRCS=src/http/modules/ngx_http_access_module.c HTTP_AUTH_BASIC_MODULE=ngx_http_auth_basic_module HTTP_AUTH_BASIC_SRCS=src/http/modules/ngx_http_auth_basic_module.c HTTP_AUTOINDEX_MODULE=ngx_http_autoindex_module HTTP_AUTOINDEX_SRCS=src/http/modules/ngx_http_autoindex_module.c HTTP_RANDOM_INDEX_MODULE=ngx_http_random_index_module HTTP_RANDOM_INDEX_SRCS=src/http/modules/ngx_http_random_index_module.c HTTP_STATUS_MODULE=ngx_http_status_module HTTP_STATUS_SRCS=src/http/modules/ngx_http_status_module.c HTTP_GEO_MODULE=ngx_http_geo_module HTTP_GEO_SRCS=src/http/modules/ngx_http_geo_module.c HTTP_GEOIP_MODULE=ngx_http_geoip_module HTTP_GEOIP_SRCS=src/http/modules/ngx_http_geoip_module.c HTTP_MAP_MODULE=ngx_http_map_module HTTP_MAP_SRCS=src/http/modules/ngx_http_map_module.c HTTP_SPLIT_CLIENTS_MODULE=ngx_http_split_clients_module HTTP_SPLIT_CLIENTS_SRCS=src/http/modules/ngx_http_split_clients_module.c HTTP_REFERER_MODULE=ngx_http_referer_module HTTP_REFERER_SRCS=src/http/modules/ngx_http_referer_module.c HTTP_REWRITE_MODULE=ngx_http_rewrite_module HTTP_REWRITE_SRCS=src/http/modules/ngx_http_rewrite_module.c HTTP_SSL_MODULE=ngx_http_ssl_module HTTP_SSL_DEPS=src/http/modules/ngx_http_ssl_module.h HTTP_SSL_SRCS=src/http/modules/ngx_http_ssl_module.c HTTP_PROXY_MODULE=ngx_http_proxy_module HTTP_PROXY_SRCS=src/http/modules/ngx_http_proxy_module.c HTTP_FASTCGI_MODULE=ngx_http_fastcgi_module HTTP_FASTCGI_SRCS=src/http/modules/ngx_http_fastcgi_module.c HTTP_UWSGI_MODULE=ngx_http_uwsgi_module HTTP_UWSGI_SRCS=src/http/modules/ngx_http_uwsgi_module.c HTTP_SCGI_MODULE=ngx_http_scgi_module HTTP_SCGI_SRCS=src/http/modules/ngx_http_scgi_module.c HTTP_PERL_MODULE=ngx_http_perl_module HTTP_PERL_INCS=src/http/modules/perl HTTP_PERL_DEPS=src/http/modules/perl/ngx_http_perl_module.h HTTP_PERL_SRCS=src/http/modules/perl/ngx_http_perl_module.c HTTP_MEMCACHED_MODULE=ngx_http_memcached_module HTTP_MEMCACHED_SRCS=src/http/modules/ngx_http_memcached_module.c HTTP_LIMIT_CONN_MODULE=ngx_http_limit_conn_module HTTP_LIMIT_CONN_SRCS=src/http/modules/ngx_http_limit_conn_module.c HTTP_LIMIT_REQ_MODULE=ngx_http_limit_req_module HTTP_LIMIT_REQ_SRCS=src/http/modules/ngx_http_limit_req_module.c HTTP_EMPTY_GIF_MODULE=ngx_http_empty_gif_module HTTP_EMPTY_GIF_SRCS=src/http/modules/ngx_http_empty_gif_module.c HTTP_BROWSER_MODULE=ngx_http_browser_module HTTP_BROWSER_SRCS=src/http/modules/ngx_http_browser_module.c HTTP_SECURE_LINK_MODULE=ngx_http_secure_link_module HTTP_SECURE_LINK_SRCS=src/http/modules/ngx_http_secure_link_module.c HTTP_DEGRADATION_MODULE=ngx_http_degradation_module HTTP_DEGRADATION_SRCS=src/http/modules/ngx_http_degradation_module.c HTTP_FLV_MODULE=ngx_http_flv_module HTTP_FLV_SRCS=src/http/modules/ngx_http_flv_module.c HTTP_MP4_MODULE=ngx_http_mp4_module HTTP_MP4_SRCS=src/http/modules/ngx_http_mp4_module.c HTTP_GZIP_STATIC_MODULE=ngx_http_gzip_static_module HTTP_GZIP_STATIC_SRCS=src/http/modules/ngx_http_gzip_static_module.c HTTP_UPSTREAM_IP_HASH_MODULE=ngx_http_upstream_ip_hash_module HTTP_UPSTREAM_IP_HASH_SRCS=src/http/modules/ngx_http_upstream_ip_hash_module.c HTTP_UPSTREAM_LEAST_CONN_MODULE=ngx_http_upstream_least_conn_module HTTP_UPSTREAM_LEAST_CONN_SRCS=" \ src/http/modules/ngx_http_upstream_least_conn_module.c" HTTP_UPSTREAM_KEEPALIVE_MODULE=ngx_http_upstream_keepalive_module HTTP_UPSTREAM_KEEPALIVE_SRCS=" \ src/http/modules/ngx_http_upstream_keepalive_module.c" MAIL_INCS="src/mail" MAIL_DEPS="src/mail/ngx_mail.h" MAIL_MODULES="ngx_mail_module ngx_mail_core_module" MAIL_SRCS="src/mail/ngx_mail.c \ src/mail/ngx_mail_core_module.c \ src/mail/ngx_mail_handler.c \ src/mail/ngx_mail_parse.c" MAIL_POP3_MODULE="ngx_mail_pop3_module" MAIL_POP3_DEPS="src/mail/ngx_mail_pop3_module.h" MAIL_POP3_SRCS="src/mail/ngx_mail_pop3_module.c \ src/mail/ngx_mail_pop3_handler.c" MAIL_IMAP_MODULE="ngx_mail_imap_module" MAIL_IMAP_DEPS="src/mail/ngx_mail_imap_module.h" MAIL_IMAP_SRCS="src/mail/ngx_mail_imap_module.c \ src/mail/ngx_mail_imap_handler.c" MAIL_SMTP_MODULE="ngx_mail_smtp_module" MAIL_SMTP_DEPS="src/mail/ngx_mail_smtp_module.h" MAIL_SMTP_SRCS="src/mail/ngx_mail_smtp_module.c \ src/mail/ngx_mail_smtp_handler.c" MAIL_SSL_MODULE="ngx_mail_ssl_module" MAIL_SSL_DEPS="src/mail/ngx_mail_ssl_module.h" MAIL_SSL_SRCS="src/mail/ngx_mail_ssl_module.c" MAIL_AUTH_HTTP_MODULE="ngx_mail_auth_http_module" MAIL_AUTH_HTTP_SRCS="src/mail/ngx_mail_auth_http_module.c" MAIL_PROXY_MODULE="ngx_mail_proxy_module" MAIL_PROXY_SRCS="src/mail/ngx_mail_proxy_module.c" NGX_GOOGLE_PERFTOOLS_MODULE=ngx_google_perftools_module NGX_GOOGLE_PERFTOOLS_SRCS=src/misc/ngx_google_perftools_module.c NGX_CPP_TEST_SRCS=src/misc/ngx_cpp_test_module.cpp