Guard websites with a secret handshake [ngx_http_knock_module]

Phillip Taylor (nginx) nginx at philliptaylor.net
Mon Sep 15 09:47:44 UTC 2014


Hi everyone,

Firstly I want to thank SplitIce for their feedback on my work. I've 
taken it all on board. Last night, I updated the git repo for this 
module to use a red-black tree instead of a statically sized array.

I still need to:

a) implement the shared memory feature so that workers > 1 will work.
b) fix the log statements which don't appear to log anywhere.

Can someone guide me on how to allocate memory that is shared between 
the workers and lasts for the lifetime of the web server, please? 
Perhaps point me to some examples? For non connection-oriented requests, 
I need my memory to last longer than the connection. Would I choose an 
ngx_pool that had a lifetime of forever, or how would I achieve this 
please?

https://github.com/PhillipTaylor/ngx_http_knock_module/commits/master

Any other code review feedback is still welcome at this point. Hopefully 
I can get everything fixed in the next month.

Thanks

Phill

On 2014-08-19 03:54, SplitIce wrote:
> Is it just me or would access_records be per worker and hence this 
> module not work with workers > 1?
> 
> Additionally
> for (i = 0; i < NGX_HTTP_KNOCK__IP_DB_SIZE && i <
> ngx_http_knock_next_free_slot; i++) {
> if (access_records[i].ip_addr == ip_addr)
> 
> Perhaps using the nginx Red-Black tree here would lead to better 
> performance (in place of O(n)) and remove the limitation on number of IPs.
> 
> 
> On Tue, Aug 19, 2014 at 9:50 AM, Phillip Taylor (nginx) 
> <nginx at philliptaylor.net> wrote:
> 
>> Hello everyone,
>> 
>> I've written a module for nginx that takes the concept of "Port 
>> Knocking" and applies it to websites. When you visit a configured nginx 
>> website, it returns a 404 "page not found" error. However, if you go to 
>> secret URLs, even though they all, on the surface, appear to return 404, 
>> you are secretly handshaking with nginx. After you've hit the magic 
>> combination your IP is logged server side, and you're allowed to visit 
>> the site (that is, it returns content instead of 404).
>> 
>> The benefits include:
>> * private websites
>> * protect login pages against bots and scripts
>> * protect against zero day exploits
>> * protect against known exploits if you're slow to defend the site.
>> 
>> The code, documentation and even a link to a demonstration YouTube video 
>> are available here:
>> 
>> https://github.com/PhillipTaylor/ngx_http_knock_module
>> 
>> I am contacting this mailing list:
>> 
>> * to raise awareness that I have developed it.
>> * for possible inclusion on the 3rd Party Modules page for nginx 
>> (http://wiki.nginx.org/3rdPartyModules)
>> * to ask if you would be so kind as to provide some code review 
>> feedback and advice regarding its quality.
>> * and any other thoughts.
>> 
>> Thank you
>> 
>> Phillip Taylor
>> 
>> _______________________________________________
>> nginx-devel mailing list
>> nginx-devel at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>> 
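The handshake described in the original post, as an added stand-alone C model that is not the module's own code: every request gets 404 until a client IP has requested the configured knock paths in order, after which that IP is remembered and served. It assumes a fixed-size open-addressing table in place of the nginx red-black tree and shared-memory zone discussed above, and that a wrong path resets a client's progress (a policy choice the thread does not state).

```c
#include <stdint.h>
#include <string.h>
/* Added example, not the module's code. Requests get 404 until the client
 * IP has hit the knock paths in order; then the IP is remembered and served.
 * Assumptions: a fixed open-addressing table stands in for the nginx
 * red-black tree / shared-memory zone; a wrong path resets progress. */
enum { KNOCK_MAX_PATHS = 8, KNOCK_TABLE_SIZE = 1024 };   /* size: power of two */
typedef struct {
    uint32_t ip;            /* client IPv4 address; 0 marks an empty slot */
    unsigned stage;         /* number of knock paths hit in order so far */
    unsigned allowed;       /* 1 once the whole sequence has been hit */
} knock_record;

typedef struct {
    const char *paths[KNOCK_MAX_PATHS];
    unsigned npaths;
    knock_record records[KNOCK_TABLE_SIZE];
} knock_db;

void knock_init(knock_db *db, const char **paths, unsigned npaths)
{
    memset(db, 0, sizeof(*db));
    db->npaths = npaths > KNOCK_MAX_PATHS ? KNOCK_MAX_PATHS : npaths;
    memcpy(db->paths, paths, db->npaths * sizeof(*paths));
}
/* Find or create the record for ip (linear probing); NULL when full. */
static knock_record *knock_lookup(knock_db *db, uint32_t ip)
{
    unsigned i, h = (ip * 2654435761u) & (KNOCK_TABLE_SIZE - 1);
    for (i = 0; i < KNOCK_TABLE_SIZE; i++) {
        knock_record *r = &db->records[(h + i) & (KNOCK_TABLE_SIZE - 1)];
        if (r->ip == ip) return r;
        if (r->ip == 0) { r->ip = ip; return r; }
    }
    return NULL;
}

/* Status to send: 404 until the handshake completes (knock URLs included). */
int knock_request(knock_db *db, uint32_t ip, const char *path)
{
    knock_record *r = knock_lookup(db, ip);
    if (r == NULL) return 404;                  /* table full: fail closed */
    if (r->allowed || db->npaths == 0) return 200;
    if (strcmp(path, db->paths[r->stage]) == 0) {
        if (++r->stage == db->npaths) r->allowed = 1;
    } else {
        r->stage = 0;                           /* wrong path: start over */
    }
    return 404;
}
```

The sequence of knock paths and client addresses used to exercise it are constructed values; in the real module the per-IP records would have to live in a shared zone for them to survive across workers, which is the open question in the thread.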
