[nginx] Access: support for UNIX-domain client addresses (ticket...
Ruslan Ermilov
ru at nginx.com
Thu May 30 14:24:54 UTC 2013
details: http://hg.nginx.org/nginx/rev/00dbfac67e48
branches:
changeset: 5233:00dbfac67e48
user: Ruslan Ermilov <ru at nginx.com>
date: Thu May 30 18:23:05 2013 +0400
description:
Access: support for UNIX-domain client addresses (ticket #359).
diffstat:
src/http/modules/ngx_http_access_module.c | 170 +++++++++++++++++++++--------
1 files changed, 123 insertions(+), 47 deletions(-)
diffs (248 lines):
diff -r 53eb1e67e432 -r 00dbfac67e48 src/http/modules/ngx_http_access_module.c
--- a/src/http/modules/ngx_http_access_module.c Wed May 29 19:18:22 2013 +0400
+++ b/src/http/modules/ngx_http_access_module.c Thu May 30 18:23:05 2013 +0400
@@ -26,11 +26,22 @@ typedef struct {
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+typedef struct {
+ ngx_uint_t deny; /* unsigned deny:1; */
+} ngx_http_access_rule_un_t;
+
+#endif
+
typedef struct {
ngx_array_t *rules; /* array of ngx_http_access_rule_t */
#if (NGX_HAVE_INET6)
ngx_array_t *rules6; /* array of ngx_http_access_rule6_t */
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ ngx_array_t *rules_un; /* array of ngx_http_access_rule_un_t */
+#endif
} ngx_http_access_loc_conf_t;
@@ -41,6 +52,10 @@ static ngx_int_t ngx_http_access_inet(ng
static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r,
ngx_http_access_loc_conf_t *alcf, u_char *p);
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+static ngx_int_t ngx_http_access_unix(ngx_http_request_t *r,
+ ngx_http_access_loc_conf_t *alcf);
+#endif
static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny);
static char *ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
@@ -144,6 +159,19 @@ ngx_http_access_handler(ngx_http_request
return ngx_http_access_inet6(r, alcf, p);
}
+ break;
+
+#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+ case AF_UNIX:
+ if (alcf->rules_un) {
+ return ngx_http_access_unix(r, alcf);
+ }
+
+ break;
+
#endif
}
@@ -221,6 +249,25 @@ ngx_http_access_inet6(ngx_http_request_t
#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+static ngx_int_t
+ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf)
+{
+ ngx_uint_t i;
+ ngx_http_access_rule_un_t *rule_un;
+
+ rule_un = alcf->rules_un->elts;
+ for (i = 0; i < alcf->rules_un->nelts; i++) {
+ return ngx_http_access_found(r, rule_un[i].deny);
+ }
+
+ return NGX_DECLINED;
+}
+
+#endif
+
+
static ngx_int_t
ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny)
{
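Review bot: The `for` loop in `ngx_http_access_unix()` returns on its first iteration, so only `rule_un[0]` is ever consulted and every UNIX-domain client is treated as matching it, whatever the socket path. That looks intended, since `ngx_http_access_rule_un_t` carries only `deny`, but the loop shape hides it. Either add a comment above the `return`, such as `/* no path matching yet: the first rule applies to every UNIX-domain client */`, or write the test directly as `if (alcf->rules_un->nelts) { return ngx_http_access_found(r, rule_un[0].deny); }`. The configuration hunk further down still pushes one element per `unix:` or `all` directive, so later entries are stored but never read.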
@@ -246,13 +293,16 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
{
ngx_http_access_loc_conf_t *alcf = conf;
- ngx_int_t rc;
- ngx_uint_t all;
- ngx_str_t *value;
- ngx_cidr_t cidr;
- ngx_http_access_rule_t *rule;
+ ngx_int_t rc;
+ ngx_uint_t all;
+ ngx_str_t *value;
+ ngx_cidr_t cidr;
+ ngx_http_access_rule_t *rule;
#if (NGX_HAVE_INET6)
- ngx_http_access_rule6_t *rule6;
+ ngx_http_access_rule6_t *rule6;
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ ngx_http_access_rule_un_t *rule_un;
#endif
ngx_memzero(&cidr, sizeof(ngx_cidr_t));
@@ -263,7 +313,19 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
if (!all) {
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+ if (value[1].len == 5 && ngx_strcmp(value[1].data, "unix:") == 0) {
+ cidr.family = AF_UNIX;
+ rc = NGX_OK;
+
+ } else {
+ rc = ngx_ptocidr(&value[1], &cidr);
+ }
+
+#else
rc = ngx_ptocidr(&value[1], &cidr);
+#endif
if (rc == NGX_ERROR) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
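Review bot: The `unix:` test relies on `value[1].data` being NUL-terminated, because `ngx_strcmp()` is unbounded and the `len == 5` check does not limit it. Writing `ngx_strncmp(value[1].data, "unix:", 5) == 0` next to the length check would make the comparison self-contained. Only the bare literal is accepted, so a parameter such as `unix:/path` is handed to `ngx_ptocidr()` and presumably ends in the invalid-parameter error just below. A one-line comment saying that per-path rules are not supported would save an operator from assuming they are. `ngx_http_access_rule()` starts and ends outside this hunk.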
@@ -277,37 +339,7 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
}
}
- switch (cidr.family) {
-
-#if (NGX_HAVE_INET6)
- case AF_INET6:
- case 0: /* all */
-
- if (alcf->rules6 == NULL) {
- alcf->rules6 = ngx_array_create(cf->pool, 4,
- sizeof(ngx_http_access_rule6_t));
- if (alcf->rules6 == NULL) {
- return NGX_CONF_ERROR;
- }
- }
-
- rule6 = ngx_array_push(alcf->rules6);
- if (rule6 == NULL) {
- return NGX_CONF_ERROR;
- }
-
- rule6->mask = cidr.u.in6.mask;
- rule6->addr = cidr.u.in6.addr;
- rule6->deny = (value[0].data[0] == 'd') ? 1 : 0;
-
- if (!all) {
- break;
- }
-
- /* "all" passes through */
-#endif
-
- default: /* AF_INET */
+ if (cidr.family == AF_INET || all) {
if (alcf->rules == NULL) {
alcf->rules = ngx_array_create(cf->pool, 4,
@@ -327,6 +359,48 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
rule->deny = (value[0].data[0] == 'd') ? 1 : 0;
}
+#if (NGX_HAVE_INET6)
+ if (cidr.family == AF_INET6 || all) {
+
+ if (alcf->rules6 == NULL) {
+ alcf->rules6 = ngx_array_create(cf->pool, 4,
+ sizeof(ngx_http_access_rule6_t));
+ if (alcf->rules6 == NULL) {
+ return NGX_CONF_ERROR;
+ }
+ }
+
+ rule6 = ngx_array_push(alcf->rules6);
+ if (rule6 == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ rule6->mask = cidr.u.in6.mask;
+ rule6->addr = cidr.u.in6.addr;
+ rule6->deny = (value[0].data[0] == 'd') ? 1 : 0;
+ }
+#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+ if (cidr.family == AF_UNIX || all) {
+
+ if (alcf->rules_un == NULL) {
+ alcf->rules_un = ngx_array_create(cf->pool, 1,
+ sizeof(ngx_http_access_rule_un_t));
+ if (alcf->rules_un == NULL) {
+ return NGX_CONF_ERROR;
+ }
+ }
+
+ rule_un = ngx_array_push(alcf->rules_un);
+ if (rule_un == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ rule_un->deny = (value[0].data[0] == 'd') ? 1 : 0;
+ }
+#endif
+
return NGX_CONF_OK;
}
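Review bot: The `|| all` in the `AF_UNIX` branch means `allow all` and `deny all` now append a rule to `rules_un` too, and nothing in the code says so. Judging by the handler hunk, `AF_UNIX` had no case before, so a `deny all` that previously left requests on a UNIX-domain listener untouched will start rejecting them after an upgrade. A comment such as `/* "all" also applies to UNIX-domain clients */` on this branch, plus a line in the change log, would make that visible to operators. As a smaller style point, `(value[0].data[0] == 'd') ? 1 : 0` is now written three times and could be computed once before the three `if` blocks. The function begins outside this hunk.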
@@ -351,21 +425,23 @@ ngx_http_access_merge_loc_conf(ngx_conf_
ngx_http_access_loc_conf_t *prev = parent;
ngx_http_access_loc_conf_t *conf = child;
+ if (conf->rules == NULL
#if (NGX_HAVE_INET6)
-
- if (conf->rules == NULL && conf->rules6 == NULL) {
+ && conf->rules6 == NULL
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ && conf->rules_un == NULL
+#endif
+ ) {
conf->rules = prev->rules;
+#if (NGX_HAVE_INET6)
conf->rules6 = prev->rules6;
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+ conf->rules_un = prev->rules_un;
+#endif
}
-#else
-
- if (conf->rules == NULL) {
- conf->rules = prev->rules;
- }
-
-#endif
-
return NGX_CONF_OK;
}
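Review bot: Inheritance in `ngx_http_access_merge_loc_conf()` stays all-or-nothing, which has a consequence for the new array that deserves a comment. Once a level defines any rule, `rules_un` is not taken from `prev`, so a level that lists only IP rules without `all` ends up with `rules_un == NULL`. With the handler's `if (alcf->rules_un)` guard, UNIX-domain clients then reach `break` and are presumably declined by this module, that is, not restricted at that level even if the parent had `deny unix:`. This matches how `rules6` already behaves, but a comment above the condition would help, for example `/* rules are inherited only when this level defines none for any address family */`. The function's opening lines are outside the hunk.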