annotate src/http/modules/ngx_http_realip_module.c @ 1380:b590a528fd41
ignore meaningless bits in CIDR and warn about them
author | Igor Sysoev <igor@sysoev.ru> |
---|---|
date | Fri, 10 Aug 2007 13:13:28 +0000 |
parents | cec2866f29bd |
children | 2a92804f4109 |
rev | line source |
---|---|
573 | 1 |
2 /* | |
3 * Copyright (C) Igor Sysoev | |
4 */ | |
5 | |
6 | |
7 #include <ngx_config.h> | |
8 #include <ngx_core.h> | |
9 #include <ngx_http.h> | |
10 | |
11 | |
12 /* AF_INET only */ | |
13 | |
/*
 * One trusted-peer entry created by a "set_real_ip_from" directive.
 * The handler accepts a peer when (peer_addr & mask) == addr, so both
 * fields are compared against sin_addr.s_addr as-is.
 */
typedef struct {
    in_addr_t     mask;
    in_addr_t     addr;
} ngx_http_realip_from_t;


/* Per-location configuration of the realip module. */
typedef struct {
    ngx_array_t  *from;     /* array of ngx_http_realip_from_t */

    /* header selector: 1 = X-Forwarded-For, 0 = X-Real-IP */
    ngx_uint_t    xfwd;
} ngx_http_realip_loc_conf_t;
/* Forward declarations for the handlers referenced by the tables below. */
static ngx_int_t ngx_http_realip_handler(ngx_http_request_t *r);
static char *ngx_http_realip_from(ngx_conf_t *cf, ngx_command_t *cmd,
    void *conf);
static void *ngx_http_realip_create_loc_conf(ngx_conf_t *cf);
static char *ngx_http_realip_merge_loc_conf(ngx_conf_t *cf,
    void *parent, void *child);
static ngx_int_t ngx_http_realip_init(ngx_conf_t *cf);
/*
 * Values accepted by the "real_ip_header" directive.  The number is what
 * ends up in ngx_http_realip_loc_conf_t.xfwd; the handler treats 0 as
 * X-Real-IP and any other value as X-Forwarded-For.
 */
static ngx_conf_enum_t  ngx_http_realip_header[] = {
    { ngx_string("X-Forwarded-For"), 1 },
    { ngx_string("X-Real-IP"), 0 },
    { ngx_null_string, 0 }
};
/*
 * Configuration directives.  Both take exactly one argument and are allowed
 * at http, server and location level.
 */
static ngx_command_t  ngx_http_realip_commands[] = {

    /* adds one trusted peer address or CIDR block to the location's list */
    { ngx_string("set_real_ip_from"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
      ngx_http_realip_from,
      NGX_HTTP_LOC_CONF_OFFSET,
      0,
      NULL },

    /* selects the request header the replacement address is read from */
    { ngx_string("real_ip_header"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_realip_loc_conf_t, xfwd),
      &ngx_http_realip_header },

      ngx_null_command
};
/*
 * HTTP module context: only a postconfiguration hook and the location
 * configuration callbacks are provided.
 */
static ngx_http_module_t  ngx_http_realip_module_ctx = {
    NULL,                                  /* preconfiguration */
    ngx_http_realip_init,                  /* postconfiguration */

    NULL,                                  /* create main configuration */
    NULL,                                  /* init main configuration */

    NULL,                                  /* create server configuration */
    NULL,                                  /* merge server configuration */

    ngx_http_realip_create_loc_conf,       /* create location configuration */
    ngx_http_realip_merge_loc_conf         /* merge location configuration */
};
/* Module descriptor; no process or thread lifecycle hooks are used. */
ngx_module_t  ngx_http_realip_module = {
    NGX_MODULE_V1,
    &ngx_http_realip_module_ctx,           /* module context */
    ngx_http_realip_commands,              /* module directives */
    NGX_HTTP_MODULE,                       /* module type */
    NULL,                                  /* init master */
    NULL,                                  /* init module */
    NULL,                                  /* init process */
    NULL,                                  /* init thread */
    NULL,                                  /* exit thread */
    NULL,                                  /* exit process */
    NULL,                                  /* exit master */
    NGX_MODULE_V1_PADDING
};
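/*
 * Phase handler: replaces the connection's client address with the address
 * carried in X-Real-IP or X-Forwarded-For, but only when the TCP peer
 * matches one of the "set_real_ip_from" entries of the current location.
 *
 * Trust model: the header is attacker-controlled unless it was written by
 * the matching peer.  For X-Forwarded-For only the last list element is
 * used; every earlier element may have been supplied by the client.
 *
 * Always returns NGX_DECLINED so that later handlers of the phase run,
 * except NGX_HTTP_INTERNAL_SERVER_ERROR when the pool allocation fails.
 */
static ngx_int_t
ngx_http_realip_handler(ngx_http_request_t *r)
{
    u_char                      *ip, *p;
    size_t                       len;
    in_addr_t                    addr;
    ngx_uint_t                   i;
    struct sockaddr_in          *sin;
    ngx_http_realip_from_t      *from;
    ngx_http_realip_loc_conf_t  *rlcf;

    /* a replacement was already attempted for this request */
    if (r->realip_set) {
        return NGX_DECLINED;
    }

    rlcf = ngx_http_get_module_loc_conf(r, ngx_http_realip_module);

    /* no trusted peers configured: never look at the headers */
    if (rlcf->from == NULL) {
        return NGX_DECLINED;
    }

    if (rlcf->xfwd == 0) {
        if (r->headers_in.x_real_ip == NULL) {
            return NGX_DECLINED;
        }

        len = r->headers_in.x_real_ip->value.len;
        ip = r->headers_in.x_real_ip->value.data;

    } else {
        if (r->headers_in.x_forwarded_for == NULL) {
            return NGX_DECLINED;
        }

        len = r->headers_in.x_forwarded_for->value.len;
        ip = r->headers_in.x_forwarded_for->value.data;

        /*
         * Scan backwards for the last ' ' or ',' and keep what follows it.
         * The guard avoids forming the pointer "ip - 1" for an empty value.
         */
        if (len > 0) {
            for (p = ip + len - 1; p > ip; p--) {
                if (*p == ' ' || *p == ',') {
                    p++;
                    len -= p - ip;
                    ip = p;
                    break;
                }
            }
        }
    }

    /*
     * NOTE(review): "%s" here and inet_addr() below both assume that the
     * header value is NUL-terminated by the header parser - confirm.
     */
    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                   "realip: \"%s\"", ip);

    /* AF_INET only */

    sin = (struct sockaddr_in *) r->connection->sockaddr;

    from = rlcf->from->elts;
    for (i = 0; i < rlcf->from->nelts; i++) {

        ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                       "realip: %08XD %08XD %08XD",
                       sin->sin_addr.s_addr, from[i].mask, from[i].addr);

        if ((sin->sin_addr.s_addr & from[i].mask) == from[i].addr) {

            r->realip_set = 1;

            /*
             * The raw header bytes become addr_text below, so refuse any
             * byte that cannot be part of a dotted-decimal address.
             * Common inet_addr() implementations stop at the first white
             * space and ignore the rest, which would otherwise let
             * arbitrary trailing text be stored as the client address.
             *
             * NOTE(review): inet_addr() still accepts shortened and octal
             * forms built from these characters; a strict dotted-quad
             * parser would close that gap as well.
             */
            for (p = ip; p < ip + len; p++) {
                if ((*p < '0' || *p > '9') && *p != '.') {
                    return NGX_DECLINED;
                }
            }

            addr = inet_addr((char *) ip);

            if (addr == INADDR_NONE) {
                return NGX_DECLINED;
            }

            /* the text is stored on the connection, so use its pool */
            p = ngx_palloc(r->connection->pool, len);
            if (p == NULL) {
                return NGX_HTTP_INTERNAL_SERVER_ERROR;
            }

            ngx_memcpy(p, ip, len);

            sin->sin_addr.s_addr = addr;

            r->connection->addr_text.len = len;
            r->connection->addr_text.data = p;

            return NGX_DECLINED;
        }
    }

    return NGX_DECLINED;
}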
/*
 * Handler of the "set_real_ip_from" directive: appends one trusted peer,
 * given either as a single IPv4 address or as a CIDR block, to the
 * location's list.
 *
 * Every entry widens the set of peers whose X-Real-IP / X-Forwarded-For
 * header is allowed to override the client address, so the list should
 * contain only the proxies that are known to set that header themselves.
 *
 * Returns NGX_CONF_OK, or NGX_CONF_ERROR on allocation failure or when the
 * argument is neither an address nor a CIDR block.
 */
static char *
ngx_http_realip_from(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
    ngx_http_realip_loc_conf_t *rlcf = conf;

    ngx_int_t                rc;
    ngx_str_t               *args;
    ngx_inet_cidr_t          cidr;
    ngx_http_realip_from_t  *entry;

    /* the list is created lazily by the first directive */
    if (rlcf->from == NULL) {
        rlcf->from = ngx_array_create(cf->pool, 2,
                                      sizeof(ngx_http_realip_from_t));
        if (rlcf->from == NULL) {
            return NGX_CONF_ERROR;
        }
    }

    entry = ngx_array_push(rlcf->from);
    if (entry == NULL) {
        return NGX_CONF_ERROR;
    }

    args = cf->args->elts;

    entry->addr = inet_addr((char *) args[1].data);

    if (entry->addr == INADDR_NONE) {

        /* not a plain address: try "address/prefix" */
        rc = ngx_ptocidr(&args[1], &cidr);

        if (rc == NGX_ERROR) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid parameter \"%V\"",
                               &args[1]);
            return NGX_CONF_ERROR;
        }

        /* NGX_DONE is only warned about; the parsed values are still used */
        if (rc == NGX_DONE) {
            ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
                               "low address bits of %V are meaningless",
                               &args[1]);
        }

        entry->mask = cidr.mask;
        entry->addr = cidr.addr;

    } else {
        /* a single host: every bit of the peer address must match */
        entry->mask = 0xffffffff;
    }

    return NGX_CONF_OK;
}
/*
 * Allocates a zeroed location configuration from the configuration pool.
 * Returns the new structure, or NGX_CONF_ERROR when the allocation fails.
 */
static void *
ngx_http_realip_create_loc_conf(ngx_conf_t *cf)
{
    ngx_http_realip_loc_conf_t  *rlcf;

    rlcf = ngx_pcalloc(cf->pool, sizeof(ngx_http_realip_loc_conf_t));

    if (rlcf == NULL) {
        return NGX_CONF_ERROR;
    }

    /*
     * ngx_pcalloc() has already set:
     *
     *     rlcf->from = NULL;
     */

    /* marked unset so that the merge step can tell it from an explicit 0 */
    rlcf->xfwd = NGX_CONF_UNSET_UINT;

    return rlcf;
}
/*
 * Merges a location configuration with its parent.  A location without its
 * own "set_real_ip_from" entries shares the parent's list as a whole (the
 * lists are not combined), and an unset header selector falls back to the
 * parent's value, then to 0 (X-Real-IP).
 */
static char *
ngx_http_realip_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
{
    ngx_http_realip_loc_conf_t  *outer = parent;
    ngx_http_realip_loc_conf_t  *inner = child;

    if (inner->from == NULL) {
        inner->from = outer->from;
    }

    ngx_conf_merge_uint_value(inner->xfwd, outer->xfwd, 0);

    return NGX_CONF_OK;
}
/*
 * Postconfiguration hook: registers ngx_http_realip_handler in the
 * post-read phase and again in the preaccess phase.
 *
 * NOTE(review): the second registration presumably covers the location
 * that is selected after the post-read phase - confirm.  The handler's
 * r->realip_set check turns the later call into a no-op once a
 * replacement has been attempted.
 *
 * Returns NGX_OK, or NGX_ERROR when a handler slot cannot be allocated.
 */
static ngx_int_t
ngx_http_realip_init(ngx_conf_t *cf)
{
    ngx_uint_t                  n;
    ngx_uint_t                  phase[2];
    ngx_http_handler_pt        *slot;
    ngx_http_core_main_conf_t  *cmcf;

    cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);

    /* registration order is kept: post-read first, then preaccess */
    phase[0] = NGX_HTTP_POST_READ_PHASE;
    phase[1] = NGX_HTTP_PREACCESS_PHASE;

    for (n = 0; n < 2; n++) {
        slot = ngx_array_push(&cmcf->phases[phase[n]].handlers);
        if (slot == NULL) {
            return NGX_ERROR;
        }

        *slot = ngx_http_realip_handler;
    }

    return NGX_OK;
}