HttpAccessModule and unix domain sockets

Ruslan Ermilov ru at nginx.com
Thu May 23 19:52:24 UTC 2013


On Wed, May 22, 2013 at 05:49:41PM +0400, Maxim Dounin wrote:
> On Tue, May 21, 2013 at 10:27:21PM +0300, Sorin Manole wrote:
> 
> > Hi all,
> > 
> > It seems that when using HttpAccessModule directives to deny requests, they
> > don't seem to work if the server is listening on a unix domain socket. Even
> > when using deny all.
> > Can someone confirm and it's not just me making some stupid mistake ?
> 
> Yes, access module allow/deny directives currently only able to 
> limit ipv4 and ipv6 addresses.
> 
> > Now if that is the case, would it be a good idea to add this functionality
> > to the module ? Maybe add a new parameter like "deny unix" or something ?
> > Or was this left out on purpose for a reason or another ?
> 
> It probably should be expanded to support "unix:" special address 
> like set_real_ip_from does (see http://nginx.org/r/set_real_ip_from).

# HG changeset patch
# User Ruslan Ermilov <ru at nginx.com>
# Date 1369338540 -14400
# Node ID d26c24c812846f2993947a0514efa9556d31f404
# Parent  a30ea5c6451dcae3ce1e6d9eabe718c0222e5d9f
Access: support for UNIX-domain client addresses (ticket #359).

diff --git a/src/http/modules/ngx_http_access_module.c b/src/http/modules/ngx_http_access_module.c
--- a/src/http/modules/ngx_http_access_module.c
+++ b/src/http/modules/ngx_http_access_module.c
@@ -26,11 +26,22 @@ typedef struct {
 
 #endif
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+typedef struct {
+    ngx_uint_t        deny;      /* unsigned  deny:1; */
+} ngx_http_access_rule_un_t;
+
+#endif
+
 typedef struct {
     ngx_array_t      *rules;     /* array of ngx_http_access_rule_t */
 #if (NGX_HAVE_INET6)
     ngx_array_t      *rules6;    /* array of ngx_http_access_rule6_t */
 #endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+    ngx_array_t      *rules_un;  /* array of ngx_http_access_rule_un_t */
+#endif
 } ngx_http_access_loc_conf_t;
 
 
@@ -41,6 +52,10 @@ static ngx_int_t ngx_http_access_inet(ng
 static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r,
     ngx_http_access_loc_conf_t *alcf, u_char *p);
 #endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+static ngx_int_t ngx_http_access_unix(ngx_http_request_t *r,
+    ngx_http_access_loc_conf_t *alcf);
+#endif
 static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny);
 static char *ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
@@ -145,6 +160,15 @@ ngx_http_access_handler(ngx_http_request
         }
 
 #endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+    case AF_UNIX:
+        if (alcf->rules_un) {
+            return ngx_http_access_unix(r, alcf);
+        }
+
+#endif
     }
 
     return NGX_DECLINED;
@@ -221,6 +245,25 @@ ngx_http_access_inet6(ngx_http_request_t
 #endif
 
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+static ngx_int_t
+ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf)
+{
+    ngx_uint_t                  i;
+    ngx_http_access_rule_un_t  *rule_un;
+
+    rule_un = alcf->rules_un->elts;
+    for (i = 0; i < alcf->rules_un->nelts; i++) {
+        return ngx_http_access_found(r, rule_un[i].deny);
+    }
+
+    return NGX_DECLINED;
+}
+
+#endif
+
+
 static ngx_int_t
 ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny)
 {
@@ -246,13 +289,16 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
 {
     ngx_http_access_loc_conf_t *alcf = conf;
 
-    ngx_int_t                 rc;
-    ngx_uint_t                all;
-    ngx_str_t                *value;
-    ngx_cidr_t                cidr;
-    ngx_http_access_rule_t   *rule;
+    ngx_int_t                   rc;
+    ngx_uint_t                  all;
+    ngx_str_t                  *value;
+    ngx_cidr_t                  cidr;
+    ngx_http_access_rule_t     *rule;
 #if (NGX_HAVE_INET6)
-    ngx_http_access_rule6_t  *rule6;
+    ngx_http_access_rule6_t    *rule6;
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+    ngx_http_access_rule_un_t  *rule_un;
 #endif
 
     ngx_memzero(&cidr, sizeof(ngx_cidr_t));
@@ -263,7 +309,19 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
 
     if (!all) {
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+        if (value[1].len == 5 && ngx_strcmp(value[1].data, "unix:") == 0) {
+            cidr.family = AF_UNIX;
+            rc = NGX_OK;
+
+        } else {
+            rc = ngx_ptocidr(&value[1], &cidr);
+        }
+
+#else
         rc = ngx_ptocidr(&value[1], &cidr);
+#endif
 
         if (rc == NGX_ERROR) {
             ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
@@ -307,6 +365,32 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
         /* "all" passes through */
 #endif
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+    case AF_UNIX:
+    case 0: /* all */
+
+        if (alcf->rules_un == NULL) {
+            alcf->rules_un = ngx_array_create(cf->pool, 1,
+                                            sizeof(ngx_http_access_rule_un_t));
+            if (alcf->rules_un == NULL) {
+                return NGX_CONF_ERROR;
+            }
+        }
+
+        rule_un = ngx_array_push(alcf->rules_un);
+        if (rule_un == NULL) {
+            return NGX_CONF_ERROR;
+        }
+
+        rule_un->deny = (value[0].data[0] == 'd') ? 1 : 0;
+
+        if (!all) {
+            break;
+        }
+
+        /* "all" passes through */
+#endif
+
     default: /* AF_INET */
 
         if (alcf->rules == NULL) {



More information about the nginx-devel mailing list