Welcome! Log In Create A New Profile

Re: HttpAccessModule and unix domain sockets

Forum List Message List New Topic Print View

Ruslan Ermilov

May 23, 2013 03:54PM

On Wed, May 22, 2013 at 05:49:41PM +0400, Maxim Dounin wrote:
> On Tue, May 21, 2013 at 10:27:21PM +0300, Sorin Manole wrote:
>
> > Hi all,
> >
> > It seems that when using HttpAccessModule directives to deny requests, they
> > don't seem to work if the server is listening on a unix domain socket. Even
> > when using deny all.
> > Can someone confirm and it's not just me making some stupid mistake ?
>
> Yes, access module allow/deny directives currently only able to
> limit ipv4 and ipv6 addresses.
>
> > Now if that is the case, would it be a good idea to add this functionality
> > to the module ? Maybe add a new parameter like "deny unix" or something ?
> > Or was this left out on purpose for a reason or another ?
>
> It probably should be expanded to support "unix:" special address
> like set_real_ip_from does (see http://nginx.org/r/set_real_ip_from).

# HG changeset patch
# User Ruslan Ermilov <ru@nginx.com>
# Date 1369338540 -14400
# Node ID d26c24c812846f2993947a0514efa9556d31f404
# Parent a30ea5c6451dcae3ce1e6d9eabe718c0222e5d9f
Access: support for UNIX-domain client addresses (ticket #359).

diff --git a/src/http/modules/ngx_http_access_module.c b/src/http/modules/ngx_http_access_module.c
--- a/src/http/modules/ngx_http_access_module.c
+++ b/src/http/modules/ngx_http_access_module.c
@@ -26,11 +26,22 @@ typedef struct {

#endif

+#if (NGX_HAVE_UNIX_DOMAIN)
+
+typedef struct {
+ ngx_uint_t deny; /* unsigned deny:1; */
+} ngx_http_access_rule_un_t;
+
+#endif
+
typedef struct {
ngx_array_t *rules; /* array of ngx_http_access_rule_t */
#if (NGX_HAVE_INET6)
ngx_array_t *rules6; /* array of ngx_http_access_rule6_t */
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ ngx_array_t *rules_un; /* array of ngx_http_access_rule_un_t */
+#endif
} ngx_http_access_loc_conf_t;

@@ -41,6 +52,10 @@ static ngx_int_t ngx_http_access_inet(ng
static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r,
ngx_http_access_loc_conf_t *alcf, u_char *p);
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+static ngx_int_t ngx_http_access_unix(ngx_http_request_t *r,
+ ngx_http_access_loc_conf_t *alcf);
+#endif
static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny);
static char *ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
@@ -145,6 +160,15 @@ ngx_http_access_handler(ngx_http_request
}

#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+ case AF_UNIX:
+ if (alcf->rules_un) {
+ return ngx_http_access_unix(r, alcf);
+ }
+
+#endif
}

return NGX_DECLINED;
@@ -221,6 +245,25 @@ ngx_http_access_inet6(ngx_http_request_t
#endif

+#if (NGX_HAVE_UNIX_DOMAIN)
+
+static ngx_int_t
+ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf)
+{
+ ngx_uint_t i;
+ ngx_http_access_rule_un_t *rule_un;
+
+ rule_un = alcf->rules_un->elts;
+ for (i = 0; i < alcf->rules_un->nelts; i++) {
+ return ngx_http_access_found(r, rule_un[i].deny);
+ }
+
+ return NGX_DECLINED;
+}
+
+#endif
+
+
static ngx_int_t
ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny)
{
@@ -246,13 +289,16 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
{
ngx_http_access_loc_conf_t *alcf = conf;

- ngx_int_t rc;
- ngx_uint_t all;
- ngx_str_t *value;
- ngx_cidr_t cidr;
- ngx_http_access_rule_t *rule;
+ ngx_int_t rc;
+ ngx_uint_t all;
+ ngx_str_t *value;
+ ngx_cidr_t cidr;
+ ngx_http_access_rule_t *rule;
#if (NGX_HAVE_INET6)
- ngx_http_access_rule6_t *rule6;
+ ngx_http_access_rule6_t *rule6;
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ ngx_http_access_rule_un_t *rule_un;
#endif

ngx_memzero(&cidr, sizeof(ngx_cidr_t));
@@ -263,7 +309,19 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx

if (!all) {

+#if (NGX_HAVE_UNIX_DOMAIN)
+
+ if (value[1].len == 5 && ngx_strcmp(value[1].data, "unix:") == 0) {
+ cidr.family = AF_UNIX;
+ rc = NGX_OK;
+
+ } else {
+ rc = ngx_ptocidr(&value[1], &cidr);
+ }
+
+#else
rc = ngx_ptocidr(&value[1], &cidr);
+#endif

if (rc == NGX_ERROR) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
@@ -307,6 +365,32 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
/* "all" passes through */
#endif

+#if (NGX_HAVE_UNIX_DOMAIN)
+ case AF_UNIX:
+ case 0: /* all */
+
+ if (alcf->rules_un == NULL) {
+ alcf->rules_un = ngx_array_create(cf->pool, 1,
+ sizeof(ngx_http_access_rule_un_t));
+ if (alcf->rules_un == NULL) {
+ return NGX_CONF_ERROR;
+ }
+ }
+
+ rule_un = ngx_array_push(alcf->rules_un);
+ if (rule_un == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ rule_un->deny = (value[0].data[0] == 'd') ? 1 : 0;
+
+ if (!all) {
+ break;
+ }
+
+ /* "all" passes through */
+#endif
+
default: /* AF_INET */

if (alcf->rules == NULL) {

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Reply Quote

RSS

Subject	Author	Views	Posted
HttpAccessModule and unix domain sockets	Sorin Manole	888	May 21, 2013 03:28PM
Re: HttpAccessModule and unix domain sockets	Maxim Dounin	429	May 22, 2013 09:50AM
Re: HttpAccessModule and unix domain sockets	Sorin Manole	402	May 22, 2013 03:18PM
Re: HttpAccessModule and unix domain sockets	Maxim Dounin	399	May 22, 2013 03:34PM
Re: HttpAccessModule and unix domain sockets	Ruslan Ermilov	456	May 23, 2013 03:54PM

Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 178

Record Number of Users: 8 on April 13, 2023

Record Number of Guests: 421 on December 02, 2018