details: https://hg.nginx.org/nginx/rev/681b78a98a52
branches:
changeset: 7638:681b78a98a52
user: Ruslan Ermilov <ru@nginx.com>
date: Wed Apr 08 01:02:17 2020 +0300
description:
The new auth_delay directive for delaying unauthorized requests.

The request processing is delayed by a timer. Since nginx updates
internal time once at the start of each event loop iteration, this
normally ensures constant time delay, adding a mitigation from
time-based attacks.

A notable exception to this is the case when there are no additional
events before the timer expires. To ensure constant-time processing
in this case as well, we trigger an additional event loop iteration
by posting a dummy event for the next event loop iteration.

diffstat:

src/http/ngx_http_core_module.c | 82 ++++++++++++++++++++++++++++++++++++++++-
src/http/ngx_http_core_module.h | 1 +
2 files changed, 82 insertions(+), 1 deletions(-)

diffs (150 lines):

diff -r 0cb942c1c1aa -r 681b78a98a52 src/http/ngx_http_core_module.c
--- a/src/http/ngx_http_core_module.c Fri Mar 13 02:12:10 2020 +0300
+++ b/src/http/ngx_http_core_module.c Wed Apr 08 01:02:17 2020 +0300
@@ -21,6 +21,9 @@ typedef struct {
#define NGX_HTTP_REQUEST_BODY_FILE_CLEAN 2


+static ngx_int_t ngx_http_core_auth_delay(ngx_http_request_t *r);
+static void ngx_http_core_auth_delay_handler(ngx_http_request_t *r);
+
static ngx_int_t ngx_http_core_find_location(ngx_http_request_t *r);
static ngx_int_t ngx_http_core_find_static_location(ngx_http_request_t *r,
ngx_http_location_tree_node_t *node);
@@ -520,6 +523,13 @@ static ngx_command_t ngx_http_core_comm
offsetof(ngx_http_core_loc_conf_t, satisfy),
&ngx_http_core_satisfy },

+ { ngx_string("auth_delay"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_msec_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_core_loc_conf_t, auth_delay),
+ NULL },
+
{ ngx_string("internal"),
NGX_HTTP_LOC_CONF|NGX_CONF_NOARGS,
ngx_http_core_internal,
@@ -1124,6 +1134,10 @@ ngx_http_core_access_phase(ngx_http_requ

/* rc == NGX_ERROR || rc == NGX_HTTP_... */

+ if (rc == NGX_HTTP_UNAUTHORIZED) {
+ return ngx_http_core_auth_delay(r);
+ }
+
ngx_http_finalize_request(r, rc);
return NGX_OK;
}
@@ -1141,12 +1155,17 @@ ngx_http_core_post_access_phase(ngx_http
access_code = r->access_code;

if (access_code) {
+ r->access_code = 0;
+
if (access_code == NGX_HTTP_FORBIDDEN) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
"access forbidden by rule");
}

- r->access_code = 0;
+ if (access_code == NGX_HTTP_UNAUTHORIZED) {
+ return ngx_http_core_auth_delay(r);
+ }
+
ngx_http_finalize_request(r, access_code);
return NGX_OK;
}
@@ -1156,6 +1175,65 @@ ngx_http_core_post_access_phase(ngx_http
}


+static ngx_int_t
+ngx_http_core_auth_delay(ngx_http_request_t *r)
+{
+ ngx_http_core_loc_conf_t *clcf;
+
+ clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+ if (clcf->auth_delay == 0) {
+ ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+ return NGX_OK;
+ }
+
+ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ "delaying unauthorized request");
+
+ if (ngx_handle_read_event(r->connection->read, 0) != NGX_OK) {
+ return NGX_HTTP_INTERNAL_SERVER_ERROR;
+ }
+
+ r->read_event_handler = ngx_http_test_reading;
+ r->write_event_handler = ngx_http_core_auth_delay_handler;
+
+ r->connection->write->delayed = 1;
+ ngx_add_timer(r->connection->write, clcf->auth_delay);
+
+ /*
+ * trigger an additional event loop iteration
+ * to ensure constant-time processing
+ */
+
+ ngx_post_event(r->connection->write, &ngx_posted_next_events);
+
+ return NGX_OK;
+}
+
+
+static void
+ngx_http_core_auth_delay_handler(ngx_http_request_t *r)
+{
+ ngx_event_t *wev;
+
+ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+ "auth delay handler");
+
+ wev = r->connection->write;
+
+ if (wev->delayed) {
+
+ if (ngx_handle_write_event(wev, 0) != NGX_OK) {
+ ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+ }
+
+ return;
+ }
+
+ ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+}
+
+
ngx_int_t
ngx_http_core_content_phase(ngx_http_request_t *r,
ngx_http_phase_handler_t *ph)
@@ -3394,6 +3472,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t
clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE;
clcf->client_body_timeout = NGX_CONF_UNSET_MSEC;
clcf->satisfy = NGX_CONF_UNSET_UINT;
+ clcf->auth_delay = NGX_CONF_UNSET_MSEC;
clcf->if_modified_since = NGX_CONF_UNSET_UINT;
clcf->max_ranges = NGX_CONF_UNSET_UINT;
clcf->client_body_in_file_only = NGX_CONF_UNSET_UINT;
@@ -3609,6 +3688,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t
|NGX_HTTP_KEEPALIVE_DISABLE_MSIE6));
ngx_conf_merge_uint_value(conf->satisfy, prev->satisfy,
NGX_HTTP_SATISFY_ALL);
+ ngx_conf_merge_msec_value(conf->auth_delay, prev->auth_delay, 0);
ngx_conf_merge_uint_value(conf->if_modified_since, prev->if_modified_since,
NGX_HTTP_IMS_EXACT);
ngx_conf_merge_uint_value(conf->max_ranges, prev->max_ranges,
diff -r 0cb942c1c1aa -r 681b78a98a52 src/http/ngx_http_core_module.h
--- a/src/http/ngx_http_core_module.h Fri Mar 13 02:12:10 2020 +0300
+++ b/src/http/ngx_http_core_module.h Wed Apr 08 01:02:17 2020 +0300
@@ -363,6 +363,7 @@ struct ngx_http_core_loc_conf_s {
ngx_msec_t lingering_time; /* lingering_time */
ngx_msec_t lingering_timeout; /* lingering_timeout */
ngx_msec_t resolver_timeout; /* resolver_timeout */
+ ngx_msec_t auth_delay; /* auth_delay */

ngx_resolver_t *resolver; /* resolver */

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel