Mail Auth Module - Auth-Server local unix socket support

Igor Sysoev igor at sysoev.ru
Tue Apr 6 22:13:10 MSD 2010


On Tue, Apr 06, 2010 at 03:23:07PM +0200, Simon Lécaille wrote:

> Hi all,
> 
> Because I need it, I add the unix socket support to Mail Auth Module.
> Now if nginx mail auth module receives Auth-Server containing a sock 
> path e.g :
> 
> HTTP/1.0 200 OK
> Auth-Status: OK
> Auth-Server: /tmp/cyrus.sock
> Auth-Port: [SomethingOrNot]
> Auth-User: user at domain.tld
> Auth-Pass: password
> 
> Nginx will be able to connect to the socket (e.g /tmp/cyrus.sock)
> 
> I'm writting the tests set for prove.
> 
> Patch in this mail (nginx-0.8.35)
> 
> For people who wonder why :
> Unix sockets allow me to restrict rights and permissions on cyrus.
> Even with a lot of services chrooted, bad local users could still contact cyrus from 
> localhost over TCP connections.
> With unix sockets, that problem is now solved.

Thank you for the patch, I will include it in the next release.

> Best regards,
> Simon LECAILLE.
> 
> -- 
> (Logo EmisFr)
> *Simon LECAILLE*
> EmisFR
> /Infogérance totale ou partagée, sur site ou distante, Développements 
> sur mesure web 2.0/
> 10 rue Mazagran, 54000 NANCY, France
> http://www.emisfr.com
> Tel/Fax.: +33.3 83 32 25 75

> --- ./src/mail/ngx_mail_auth_http_module.c	2009-12-25 16:43:40.000000000 +0100
> +++ ./src/mail/ngx_mail_auth_http_module.c	2010-04-06 14:55:05.000000000 +0200
> @@ -458,7 +458,6 @@
>      size_t               len, size;
>      ngx_int_t            rc, port, n;
>      ngx_addr_t          *peer;
> -    struct sockaddr_in  *sin;
>  
>      ngx_log_debug0(NGX_LOG_DEBUG_MAIL, s->connection->log, 0,
>                     "mail auth http process headers");
> @@ -744,7 +743,7 @@
>                  return;
>              }
>  
> -            if (ctx->addr.len == 0 || ctx->port.len == 0) {
> +			if ((ctx->addr.len == 0 && ctx->port.len == 0) || (ctx->port.len == 0 && ngx_strncmp(ctx->addr.data,"/",1)!=0)) {
>                  ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
>                                "auth http server %V did not send server or port",
>                                ctx->peer.name);
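Review bot: The rewritten condition no longer rejects a response that carries Auth-Port but an empty Auth-Server: with `ctx->addr.len == 0` and `ctx->port.len != 0` both disjuncts are false, so processing continues where the old check stopped. The AF_UNIX test added in the next hunk, `ngx_strncmp(ctx->addr.data,"/",1)`, then reads `addr.data[0]` with no length check, and that pointer is presumably NULL or unset when the header was never parsed. Keeping the empty-address rejection unconditional closes both gaps: `if (ctx->addr.len == 0 || (ctx->port.len == 0 && ctx->addr.data[0] != '/')) {`. The enclosing block starts and ends outside the hunk.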
> @@ -770,9 +769,38 @@
>                  ngx_mail_session_internal_server_error(s);
>                  return;
>              }
> +			/* AF_UNIX or AF_INET*/
> +			if(ngx_strncmp(ctx->addr.data,"/",1)==0){
> +
> +				/* AF_UNIX */
> +				port = 0;
> +				struct sockaddr_un  *sun;
> +				sun = ngx_pcalloc(s->connection->pool, sizeof(struct sockaddr_un));
> +				if (sun == NULL) {
> +					ngx_destroy_pool(ctx->pool);
> +					ngx_mail_session_internal_server_error(s);
> +					return;
> +				}
>  
> -            /* AF_INET only */
> +				sun->sun_family = AF_UNIX;
> +				ngx_memcpy(sun->sun_path, ctx->addr.data, ctx->addr.len);
> +				peer->sockaddr = (struct sockaddr *) sun;
> +				peer->socklen = sizeof(struct sockaddr_un);
> +				len = ctx->addr.len;
> +				peer->name.len = len;
> +				peer->name.data = ngx_pnalloc(s->connection->pool, len);
> +				if (peer->name.data == NULL) {
> +					ngx_destroy_pool(ctx->pool);
> +					ngx_mail_session_internal_server_error(s);
> +					return;
> +				}
>  
> +				len = ctx->addr.len;
> +				ngx_memcpy(peer->name.data, ctx->addr.data, len);
> +			}
> +			else{
> +				/* AF_INET */
> +				struct sockaddr_in  *sin;
>              sin = ngx_pcalloc(s->connection->pool, sizeof(struct sockaddr_in));
>              if (sin == NULL) {
>                  ngx_destroy_pool(ctx->pool);
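Review bot: The AF_UNIX branch copies `ctx->addr.len` bytes into `sun->sun_path` without comparing that length against the fixed size of the field, so a long Auth-Server value from the auth backend writes past the `sockaddr_un` allocated from the connection pool. The length should be rejected before the `ngx_memcpy`, leaving one byte for the terminating NUL that `ngx_pcalloc` already provides, and the failure can take the same error path as the allocation checks. The branch also uses `struct sockaddr_un` unconditionally; nginx normally guards that with `#if (NGX_HAVE_UNIX_DOMAIN)`, so builds on platforms without unix sockets would likely break. The enclosing function continues outside the hunk.

```c
sun->sun_family = AF_UNIX;

/* sun_path is a fixed-size array; keep one byte for the NUL left by ngx_pcalloc() */
if (ctx->addr.len >= sizeof(sun->sun_path)) {
    ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
                  "auth http server %V sent too long unix socket path",
                  ctx->peer.name);
    ngx_destroy_pool(ctx->pool);
    ngx_mail_session_internal_server_error(s);
    return;
}

ngx_memcpy(sun->sun_path, ctx->addr.data, ctx->addr.len);
/* … unchanged: peer->sockaddr / peer->socklen / peer->name setup … */
```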
> @@ -823,10 +850,9 @@
>              len = ctx->addr.len;
>  
>              ngx_memcpy(peer->name.data, ctx->addr.data, len);
> -
>              peer->name.data[len++] = ':';
> -
>              ngx_memcpy(peer->name.data + len, ctx->port.data, ctx->port.len);
> +			}
>  
>              ngx_destroy_pool(ctx->pool);
>              ngx_mail_proxy_init(s, peer);



-- 
Igor Sysoev
http://sysoev.ru/en/


