Welcome! Log In Create A New Profile

Advanced

Re: [PROPOSAL]: Extend list of Stream phases

Roman Arutyunyan
April 25, 2024 09:08AM
Hi Andrey,

> On 11 Apr 2024, at 3:27 AM, Andrey Kulikov <amdeich@gmail.com> wrote:
>
> Hello,
>
> Consider the following test-case:
> I, as admin, would like to limit access to certain resources, based on Client TLS certificate content, fields, etc...
>
> Solution for HTTP: Easy!
> There is NGX_HTTP_ACCESS_PHASE phase, where connections have been already accepted, and I have access to all $ssl_client_* variables.
> And I control whatever I want, either using the if directive, or by implementing arbitrary sophisticated logic with some custom module.
>
> Solution for Stream: Simply impossible!
> On NGX_STREAM_ACCESS_PHASE only IP-addresses can be checked, as TLS has not taken place yet.
> NGX_STREAM_SSL_PHASE seems to be intended to specify certificates/keys for performing TLS handshake.
> On NGX_STREAM_PREREAD_PHASE no $ssl_client_* variables available, as TLS handshake has not finished yet.
> On NGX_STREAM_CONTENT_PHASE it is too late to do anything, as connection to the destination server was already established.
> Hard way: implement a custom stream filter module, which checks access criteria on NGX_STREAM_CONTENT_PHASE. But it looks overcomplicated...
>
> Proposal:
> Extend list of Stream phases at least to following:
>
> typedef enum {
> NGX_STREAM_POST_ACCEPT_PHASE = 0,
> NGX_STREAM_PREACCESS_PHASE,
> NGX_STREAM_ACCESS_PHASE,
> NGX_STREAM_SSL_PHASE,
> NGX_STREAM_PREREAD_PHASE,
> + NGX_STREAM_PRE_CONTENT_PHASE, // Change name to whatever seems suitable.
> NGX_STREAM_CONTENT_PHASE,
> NGX_STREAM_LOG_PHASE
> } ngx_stream_phases;
>
> Questions:
> Does it look feasible?
> Are there any objectives NOT to do anything like this? (binary compatibility, etc...)
> If I implement a trivial patch to extend the number of phases, will it be considered for review?

While the problem does exist, precontent phase is not the right place for access control anyway.

There's another solution. With the introduction of ngx_stream_pass_module, you can terminate TLS in one server and then switch to another server for access control.

server {
listen 9000 ssl;
...
pass 127.0.0.1:9001;
}

server {
listen 127.0.0.1:9001;
# access control in access phase
...
}

----
Roman Arutyunyan
arut@nginx.com




_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[PROPOSAL]: Extend list of Stream phases

Andrey Kulikov 368 April 10, 2024 07:30PM

Re: [PROPOSAL]: Extend list of Stream phases

Roman Arutyunyan 98 April 25, 2024 09:08AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 198
Record Number of Users: 8 on April 13, 2023
Record Number of Guests: 500 on July 15, 2024
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready