Roman Arutyunyan
January 22, 2024 05:52AM
# HG changeset patch
# User Roman Arutyunyan <arut@nginx.com>
# Date 1705916128 -14400
# Mon Jan 22 13:35:28 2024 +0400
# Node ID 2f12c929527b2337c15ef99d3a4dc97819b61fbd
# Parent ee40e2b1d0833b46128a357fbc84c6e23be9be07
Avoiding mixed socket families in PROXY protocol v1 (ticket #2594).

When using realip module, remote and local addresses of a connection can belong
to different address families. This previously resulted in generating PROXY
protocol headers like this:

PROXY TCP4 127.0.0.1 unix:/tmp/nginx1.sock 55544 0

The PROXY protocol v1 specification does not allow mixed families. The change
will generate the unknown PROXY protocol header in this case:

PROXY UNKNOWN

Also, the above mentioned format for unix socket address is not specified in
PROXY protocol v1 and is a by-product of internal nginx representation of it.
The change eliminates such addresses from PROXY protocol headers as well.

diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
--- a/src/core/ngx_proxy_protocol.c
+++ b/src/core/ngx_proxy_protocol.c
@@ -291,6 +291,10 @@ ngx_proxy_protocol_write(ngx_connection_
return NULL;
}

+ if (c->sockaddr->sa_family != c->local_sockaddr->sa_family) {
+ goto unknown;
+ }
+
switch (c->sockaddr->sa_family) {

case AF_INET:
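Review bot: the family comparison placed before the switch downgrades the header to PROXY UNKNOWN with nothing logged, so the backend loses the client address and an operator gets no hint why. A debug-level log message at this check, plus a one-line comment naming the realip case from the commit message, would make the downgrade diagnosable. Backends that apply address-based rules to the PROXY header should be reviewed for how they treat UNKNOWN.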
@@ -304,8 +308,7 @@ ngx_proxy_protocol_write(ngx_connection_
#endif

default:
- return ngx_cpymem(buf, "PROXY UNKNOWN" CRLF,
- sizeof("PROXY UNKNOWN" CRLF) - 1);
+ goto unknown;
}

buf += ngx_sock_ntop(c->sockaddr, c->socklen, buf, last - buf, 0);
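Review bot: the `default:` branch is now what keeps a connection whose remote and local addresses are both unix sockets out of the header, because such a pair passes the family equality check and only reaches `goto unknown` here. A short comment on `default:` stating that would stop a later added `case` from reintroducing the unspecified `unix:` address form.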
@@ -319,6 +322,11 @@ ngx_proxy_protocol_write(ngx_connection_
lport = ngx_inet_get_port(c->local_sockaddr);

return ngx_slprintf(buf, last, " %ui %ui" CRLF, port, lport);
+
+unknown:
+
+ return ngx_cpymem(buf, "PROXY UNKNOWN" CRLF,
+ sizeof("PROXY UNKNOWN" CRLF) - 1);
}


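Review bot: the copy under `unknown:` is not bounded by `last`, unlike the `ngx_slprintf(buf, last, ...)` return just above it. If the function's entry checks already guarantee room for the literal, a comment at the label saying so is enough; otherwise compare `last - buf` against `sizeof("PROXY UNKNOWN" CRLF) - 1` before `ngx_cpymem`.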
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
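
A receiver-side check for the header format discussed in the commit message, as an added example that is not part of the patch or of nginx. `pp1_check` and `pp1_port` are hypothetical names; the 107-byte limit and CRLF terminator are taken from the PROXY protocol v1 specification, and the check is stricter than nginx's own parser is shown to be on this page.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

enum pp1_result { PP1_INVALID, PP1_UNKNOWN, PP1_TCP4, PP1_TCP6 };

/* Port field: decimal digits only, no leading zeros, 0..65535. */
static int pp1_port(const char *s)
{
    char *end;
    long v;
    if (*s < '0' || *s > '9' || (s[0] == '0' && s[1] != '\0')) return 0;
    v = strtol(s, &end, 10);
    return *end == '\0' && v <= 65535;
}

/* Classify one received v1 line (must end in CRLF, at most 107 bytes). */
enum pp1_result pp1_check(const char *line)
{
    char buf[108], *f[6], *p;
    unsigned char a[16];                 /* large enough for an IPv6 address */
    size_t len = strlen(line);
    int af, n;

    if (len < 15 || len > 107 || strcmp(line + len - 2, "\r\n") != 0) return PP1_INVALID;
    memcpy(buf, line, len - 2);
    buf[len - 2] = '\0';
    if (strncmp(buf, "PROXY UNKNOWN", 13) == 0 && (buf[13] == '\0' || buf[13] == ' '))
        return PP1_UNKNOWN;              /* rest of the line is ignored */
    for (p = buf, n = 0; n < 6 && p != NULL; n++) {  /* split on single spaces */
        f[n] = p;
        if ((p = strchr(p, ' ')) != NULL) *p++ = '\0';
    }
    if (n != 6 || p != NULL || strcmp(f[0], "PROXY") != 0) return PP1_INVALID;
    if (strcmp(f[1], "TCP4") == 0) af = AF_INET;
    else if (strcmp(f[1], "TCP6") == 0) af = AF_INET6;
    else return PP1_INVALID;
    /* Both addresses must parse under the declared family: this rejects
       mixed families and the "unix:" form quoted in the commit message. */
    if (inet_pton(af, f[2], a) != 1 || inet_pton(af, f[3], a) != 1) return PP1_INVALID;
    if (!pp1_port(f[4]) || !pp1_port(f[5])) return PP1_INVALID;
    return af == AF_INET ? PP1_TCP4 : PP1_TCP6;
}

int main(void)
{
    /* The header quoted in the commit message, with its CRLF terminator. */
    printf("%d\n", pp1_check("PROXY TCP4 127.0.0.1 unix:/tmp/nginx1.sock 55544 0\r\n"));
    return 0;
}
```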