Mail Auth Module - Auth-Server local unix socket support
Igor Sysoev
igor at sysoev.ru
Tue Apr 6 22:13:10 MSD 2010
On Tue, Apr 06, 2010 at 03:23:07PM +0200, Simon Lécaille wrote:
> Hi all,
>
> Because I need it, I add the unix socket support to Mail Auth Module.
> Now if nginx mail auth module receives Auth-Server containing a sock
> path e.g :
>
> HTTP/1.0 200 OK
> Auth-Status: OK
> Auth-Server: /tmp/cyrus.sock
> Auth-Port: [SomethingOrNot]
> Auth-User: user at domain.tld
> Auth-Pass: password
>
> Nginx will be able to connect to the socket (e.g /tmp/cyrus.sock)
>
> I'm writting the tests set for prove.
>
> Patch in this mail (nginx-0.8.35)
>
> For people who wonder why :
> Unix sockets allow me to restrict rights and permissions on cyrus.
> By chrooting a lot of services, bad local users could contact cyrus from
> localhost with tcp connections.
> With unix sockets, the problem is now solved.
Thank you for the patch, I will include it in the next release.
> Best regards,
> Simon LECAILLE.
>
> --
> (Logo EmisFr)
> *Simon LECAILLE*
> EmisFR
> /Infogérance totale ou partagée, sur site ou distante, Développements
> sur mesure web 2.0/
> 10 rue Mazagran, 54000 NANCY, France
> http://www.emisfr.com
> Tel/Fax.: +33.3 83 32 25 75
> --- ./src/mail/ngx_mail_auth_http_module.c 2009-12-25 16:43:40.000000000 +0100
> +++ ./src/mail/ngx_mail_auth_http_module.c 2010-04-06 14:55:05.000000000 +0200
> @@ -458,7 +458,6 @@
> size_t len, size;
> ngx_int_t rc, port, n;
> ngx_addr_t *peer;
> - struct sockaddr_in *sin;
>
> ngx_log_debug0(NGX_LOG_DEBUG_MAIL, s->connection->log, 0,
> "mail auth http process headers");
> @@ -744,7 +743,7 @@
> return;
> }
>
> - if (ctx->addr.len == 0 || ctx->port.len == 0) {
> + if ((ctx->addr.len == 0 && ctx->port.len == 0) || (ctx->port.len == 0 && ngx_strncmp(ctx->addr.data,"/",1)!=0)) {
> ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
> "auth http server %V did not send server or port",
> ctx->peer.name);
> @@ -770,9 +769,38 @@
> ngx_mail_session_internal_server_error(s);
> return;
> }
> + /* AF_UNIX or AF_INET*/
> + if(ngx_strncmp(ctx->addr.data,"/",1)==0){
> +
> + /* AF_UNIX */
> + port = 0;
> + struct sockaddr_un *sun;
> + sun = ngx_pcalloc(s->connection->pool, sizeof(struct sockaddr_un));
> + if (sun == NULL) {
> + ngx_destroy_pool(ctx->pool);
> + ngx_mail_session_internal_server_error(s);
> + return;
> + }
>
> - /* AF_INET only */
> + sun->sun_family = AF_UNIX;
> + ngx_memcpy(sun->sun_path, ctx->addr.data, ctx->addr.len);
> + peer->sockaddr = (struct sockaddr *) sun;
> + peer->socklen = sizeof(struct sockaddr_un);
> + len = ctx->addr.len;
> + peer->name.len = len;
> + peer->name.data = ngx_pnalloc(s->connection->pool, len);
> + if (peer->name.data == NULL) {
> + ngx_destroy_pool(ctx->pool);
> + ngx_mail_session_internal_server_error(s);
> + return;
> + }
>
> + len = ctx->addr.len;
> + ngx_memcpy(peer->name.data, ctx->addr.data, len);
> + }
> + else{
> + /* AF_INET */
> + struct sockaddr_in *sin;
> sin = ngx_pcalloc(s->connection->pool, sizeof(struct sockaddr_in));
> if (sin == NULL) {
> ngx_destroy_pool(ctx->pool);
> @@ -823,10 +850,9 @@
> len = ctx->addr.len;
>
> ngx_memcpy(peer->name.data, ctx->addr.data, len);
> -
> peer->name.data[len++] = ':';
> -
> ngx_memcpy(peer->name.data + len, ctx->port.data, ctx->port.len);
> + }
>
> ngx_destroy_pool(ctx->pool);
> ngx_mail_proxy_init(s, peer);
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://nginx.org/mailman/listinfo/nginx-devel
--
Igor Sysoev
http://sysoev.ru/en/
More information about the nginx-devel
mailing list