J Carter
February 21, 2024 09:00PM
Hello Roman,

On Wed, 21 Feb 2024 17:29:52 +0400
Roman Arutyunyan <arut@nginx.com> wrote:

> Hi,
>

[...]

> Checking whether the address used in PROXY writer is in fact the address
> that was passed in the PROXY header, is complicated. This will either require
> setting a flag when PROXY address is set by realip, which is ugly.
> Another approach is checking if the client address written to a PROXY header
> matches the client address in the received PROXY header. However since
> currently PROXY protocol addresses are stored as text, and not all addresses
> have unique text repersentations, this approach would require refactoring all
> PROXY protocol code + realip modules to switch from text to sockaddr.
>
> I suggest that we follow the first plan (INADDR_ANY etc).
>
> > [...]
>
> Updated patch attached.
>
> --
> Roman Arutyunyan

> diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
> --- a/src/core/ngx_proxy_protocol.c
> +++ b/src/core/ngx_proxy_protocol.c
> @@ -279,7 +279,10 @@ ngx_proxy_protocol_read_port(u_char *p,
> u_char *
> ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last)
> {
> - ngx_uint_t port, lport;
> + socklen_t local_socklen;
> + ngx_uint_t port, lport;
> + struct sockaddr *local_sockaddr;
> + static ngx_sockaddr_t default_sockaddr;

I understand you are using the fact static variables are zero
initalized - to be both INADDR_ANY and "IN6ADDR_ANY", however is
this defined behavior for a union (specifically for ipv6 case) ?

I was under the impression only the first declared member, along with
padding bits were garunteed to be zero'ed.

https://stackoverflow.com/questions/54160137/what-constitutes-as-padding-in-a-union

>
> if (last - buf < NGX_PROXY_PROTOCOL_V1_MAX_HEADER) {
> ngx_log_error(NGX_LOG_ALERT, c->log, 0,
> @@ -312,11 +315,21 @@ ngx_proxy_protocol_write(ngx_connection_
>
> *buf++ = ' ';
>
> - buf += ngx_sock_ntop(c->local_sockaddr, c->local_socklen, buf, last - buf,
> - 0);
> + if (c->sockaddr->sa_family == c->local_sockaddr->sa_family) {
> + local_sockaddr = c->local_sockaddr;
> + local_socklen = c->local_socklen;
> +
> + } else {
> + default_sockaddr.sockaddr.sa_family = c->sockaddr->sa_family;
> +
> + local_sockaddr = &default_sockaddr.sockaddr;
> + local_socklen = sizeof(ngx_sockaddr_t);
> + }
> +
> + buf += ngx_sock_ntop(local_sockaddr, local_socklen, buf, last - buf, 0);
>
> port = ngx_inet_get_port(c->sockaddr);
> - lport = ngx_inet_get_port(c->local_sockaddr);
> + lport = ngx_inet_get_port(local_sockaddr);
>
> return ngx_slprintf(buf, last, " %ui %ui" CRLF, port, lport);
> }
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Roman Arutyunyan 354 January 22, 2024 05:52AM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Maxim Dounin 73 January 22, 2024 07:00AM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Roman Arutyunyan 67 January 22, 2024 10:50AM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Maxim Dounin 69 January 23, 2024 04:04PM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Roman Arutyunyan 64 February 21, 2024 08:32AM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

J Carter 74 February 21, 2024 09:00PM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Roman Arutyunyan 69 February 22, 2024 10:18AM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Sergey Kandaurov 62 March 06, 2024 09:52AM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Roman Arutyunyan 72 March 11, 2024 08:46AM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Sergey Kandaurov 68 March 13, 2024 01:10PM

Re: [PATCH] Avoiding mixed socket families in PROXY protocol v1 (ticket #2594)

Roman Arutyunyan 83 March 21, 2024 10:58AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 309
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 466 on July 09, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready