[nginx] Access: support for UNIX-domain client addresses (ticket...

Ruslan Ermilov ru at nginx.com
Thu May 30 14:24:54 UTC 2013


details:   http://hg.nginx.org/nginx/rev/00dbfac67e48
branches:  
changeset: 5233:00dbfac67e48
user:      Ruslan Ermilov <ru at nginx.com>
date:      Thu May 30 18:23:05 2013 +0400
description:
Access: support for UNIX-domain client addresses (ticket #359).

diffstat:

 src/http/modules/ngx_http_access_module.c |  170 +++++++++++++++++++++--------
 1 files changed, 123 insertions(+), 47 deletions(-)

diffs (248 lines):

diff -r 53eb1e67e432 -r 00dbfac67e48 src/http/modules/ngx_http_access_module.c
--- a/src/http/modules/ngx_http_access_module.c	Wed May 29 19:18:22 2013 +0400
+++ b/src/http/modules/ngx_http_access_module.c	Thu May 30 18:23:05 2013 +0400
@@ -26,11 +26,22 @@ typedef struct {
 
 #endif
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+typedef struct {
+    ngx_uint_t        deny;      /* unsigned  deny:1; */
+} ngx_http_access_rule_un_t;
+
+#endif
+
 typedef struct {
     ngx_array_t      *rules;     /* array of ngx_http_access_rule_t */
 #if (NGX_HAVE_INET6)
     ngx_array_t      *rules6;    /* array of ngx_http_access_rule6_t */
 #endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+    ngx_array_t      *rules_un;  /* array of ngx_http_access_rule_un_t */
+#endif
 } ngx_http_access_loc_conf_t;
 
 
@@ -41,6 +52,10 @@ static ngx_int_t ngx_http_access_inet(ng
 static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r,
     ngx_http_access_loc_conf_t *alcf, u_char *p);
 #endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+static ngx_int_t ngx_http_access_unix(ngx_http_request_t *r,
+    ngx_http_access_loc_conf_t *alcf);
+#endif
 static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny);
 static char *ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
@@ -144,6 +159,19 @@ ngx_http_access_handler(ngx_http_request
             return ngx_http_access_inet6(r, alcf, p);
         }
 
+        break;
+
+#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+    case AF_UNIX:
+        if (alcf->rules_un) {
+            return ngx_http_access_unix(r, alcf);
+        }
+
+        break;
+
 #endif
     }
 
@@ -221,6 +249,25 @@ ngx_http_access_inet6(ngx_http_request_t
 #endif
 
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+static ngx_int_t
+ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf)
+{
+    ngx_uint_t                  i;
+    ngx_http_access_rule_un_t  *rule_un;
+
+    rule_un = alcf->rules_un->elts;
+    for (i = 0; i < alcf->rules_un->nelts; i++) {
+        return ngx_http_access_found(r, rule_un[i].deny);
+    }
+
+    return NGX_DECLINED;
+}
+
+#endif
+
+
 static ngx_int_t
 ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny)
 {
@@ -246,13 +293,16 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
 {
     ngx_http_access_loc_conf_t *alcf = conf;
 
-    ngx_int_t                 rc;
-    ngx_uint_t                all;
-    ngx_str_t                *value;
-    ngx_cidr_t                cidr;
-    ngx_http_access_rule_t   *rule;
+    ngx_int_t                   rc;
+    ngx_uint_t                  all;
+    ngx_str_t                  *value;
+    ngx_cidr_t                  cidr;
+    ngx_http_access_rule_t     *rule;
 #if (NGX_HAVE_INET6)
-    ngx_http_access_rule6_t  *rule6;
+    ngx_http_access_rule6_t    *rule6;
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+    ngx_http_access_rule_un_t  *rule_un;
 #endif
 
     ngx_memzero(&cidr, sizeof(ngx_cidr_t));
@@ -263,7 +313,19 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
 
     if (!all) {
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+        if (value[1].len == 5 && ngx_strcmp(value[1].data, "unix:") == 0) {
+            cidr.family = AF_UNIX;
+            rc = NGX_OK;
+
+        } else {
+            rc = ngx_ptocidr(&value[1], &cidr);
+        }
+
+#else
         rc = ngx_ptocidr(&value[1], &cidr);
+#endif
 
         if (rc == NGX_ERROR) {
             ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
@@ -277,37 +339,7 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
         }
     }
 
-    switch (cidr.family) {
-
-#if (NGX_HAVE_INET6)
-    case AF_INET6:
-    case 0: /* all */
-
-        if (alcf->rules6 == NULL) {
-            alcf->rules6 = ngx_array_create(cf->pool, 4,
-                                            sizeof(ngx_http_access_rule6_t));
-            if (alcf->rules6 == NULL) {
-                return NGX_CONF_ERROR;
-            }
-        }
-
-        rule6 = ngx_array_push(alcf->rules6);
-        if (rule6 == NULL) {
-            return NGX_CONF_ERROR;
-        }
-
-        rule6->mask = cidr.u.in6.mask;
-        rule6->addr = cidr.u.in6.addr;
-        rule6->deny = (value[0].data[0] == 'd') ? 1 : 0;
-
-        if (!all) {
-            break;
-        }
-
-        /* "all" passes through */
-#endif
-
-    default: /* AF_INET */
+    if (cidr.family == AF_INET || all) {
 
         if (alcf->rules == NULL) {
             alcf->rules = ngx_array_create(cf->pool, 4,
@@ -327,6 +359,48 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx
         rule->deny = (value[0].data[0] == 'd') ? 1 : 0;
     }
 
+#if (NGX_HAVE_INET6)
+    if (cidr.family == AF_INET6 || all) {
+
+        if (alcf->rules6 == NULL) {
+            alcf->rules6 = ngx_array_create(cf->pool, 4,
+                                            sizeof(ngx_http_access_rule6_t));
+            if (alcf->rules6 == NULL) {
+                return NGX_CONF_ERROR;
+            }
+        }
+
+        rule6 = ngx_array_push(alcf->rules6);
+        if (rule6 == NULL) {
+            return NGX_CONF_ERROR;
+        }
+
+        rule6->mask = cidr.u.in6.mask;
+        rule6->addr = cidr.u.in6.addr;
+        rule6->deny = (value[0].data[0] == 'd') ? 1 : 0;
+    }
+#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+    if (cidr.family == AF_UNIX || all) {
+
+        if (alcf->rules_un == NULL) {
+            alcf->rules_un = ngx_array_create(cf->pool, 1,
+                                            sizeof(ngx_http_access_rule_un_t));
+            if (alcf->rules_un == NULL) {
+                return NGX_CONF_ERROR;
+            }
+        }
+
+        rule_un = ngx_array_push(alcf->rules_un);
+        if (rule_un == NULL) {
+            return NGX_CONF_ERROR;
+        }
+
+        rule_un->deny = (value[0].data[0] == 'd') ? 1 : 0;
+    }
+#endif
+
     return NGX_CONF_OK;
 }
 
@@ -351,21 +425,23 @@ ngx_http_access_merge_loc_conf(ngx_conf_
     ngx_http_access_loc_conf_t  *prev = parent;
     ngx_http_access_loc_conf_t  *conf = child;
 
+    if (conf->rules == NULL
 #if (NGX_HAVE_INET6)
-
-    if (conf->rules == NULL && conf->rules6 == NULL) {
+        && conf->rules6 == NULL
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+        && conf->rules_un == NULL
+#endif
+    ) {
         conf->rules = prev->rules;
+#if (NGX_HAVE_INET6)
         conf->rules6 = prev->rules6;
+#endif
+#if (NGX_HAVE_UNIX_DOMAIN)
+        conf->rules_un = prev->rules_un;
+#endif
     }
 
-#else
-
-    if (conf->rules == NULL) {
-        conf->rules = prev->rules;
-    }
-
-#endif
-
     return NGX_CONF_OK;
 }
 



More information about the nginx-devel mailing list