nginx - get value of the header - x_forwarded_for in Nginx module (Naxsi)
Marcin Kozlowski
marcinguy at gmail.com
Mon Dec 30 21:44:49 UTC 2019
OK, this helped:
https://github.com/yakantosat/nginx-example/blob/master/ngx_hash_test.c
Thanks,
On Mon, Dec 30, 2019 at 4:47 PM Marcin Kozlowski <marcinguy at gmail.com>
wrote:
> I don't work with NGINX and modules and C daily.
>
> Still struggling with it. Feel free to contact me via the list or to avoid
> spamming privately. Help will be greatly appreciated.
>
> Trying to add whitelisting of IP to NAXSI
>
> https://github.com/nbs-system/naxsi
>
>
>
> How can I add simply one entry being IP to headers_ar?
>
>
>
> headers_ar = ngx_array_create(cf->pool, 1, sizeof(ngx_hash_key_t));
>
> ngx_array_t *headers_ar_c;
> headers_ar_c = ngx_array_push(headers_ar);
>
> hash_init.key = &ngx_hash_key_lc;
> hash_init.pool = cf->pool;
> hash_init.temp_pool = NULL;
> hash_init.max_size = 1024;
> hash_init.bucket_size = 512;
>
>
> dlc->passr_headers_hash = (ngx_hash_t*) ngx_pcalloc(cf->pool,
>                                                     sizeof(ngx_hash_t));
> hash_init.hash = dlc->passr_headers_hash;
> hash_init.name = "passr_headers_hash";
>
> if (ngx_hash_init(&hash_init, (ngx_hash_key_t*) headers_ar->elts,
>                   headers_ar->nelts) != NGX_OK) {
>     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "$HEADERS hashtable init failed"); /* LCOV_EXCL_LINE */
>     return (NGX_ERROR); /* LCOV_EXCL_LINE */
> }
>
> else {
>     NX_LOG_DEBUG(_debug_whitelist, NGX_LOG_EMERG, cf, 0,
>                  "$HEADERS hashtable init successed %d !",
>                  dlc->passr_headers_hash->size);
> }
>
>
>
> return (NGX_OK);
>
>
>
>
>
> Later I have a function that looks for it in hash
>
> Find in hash function:
>
> ngx_http_pass_rule_t *
> nx_find_pass_in_hash(
>     ngx_http_request_t *req,
>     ngx_str_t *mstr,
>     ngx_http_dummy_loc_conf_t *cf,
>     enum DUMMY_MATCH_ZONE zone)
> {
>     ngx_http_pass_rule_t *b = NULL;
>
>     ngx_uint_t key;
>
>     ngx_str_t scratch = {.data = mstr->data, .len = mstr->len};
>
>     ngx_str_t k1 = ngx_string("key1");
>     key = ngx_hash_key(scratch.data, scratch.len);
>
>     b = (ngx_http_pass_rule_t*) ngx_hash_find(cf->passr_headers_hash, key,
>                                               k1.data, k1.len);
>     if (b == NULL) {
>         /* key not found */
>         NX_DEBUG(_debug_custom_score, NGX_LOG_DEBUG_HTTP,
>                  req->connection->log, 0,
>                  "find hash 1");
>
>     } else {
>         NX_DEBUG(_debug_custom_score, NGX_LOG_DEBUG_HTTP,
>                  req->connection->log, 0,
>                  "find hash 2");
>
>     }
>
>     return b;
>
> }
>
> Thanks,
>
>
>
>
> On Sun, Dec 29, 2019 at 3:27 AM Hung Nguyen <hungnv at opensource.com.vn>
> wrote:
>
>> Hello,
>>
>> I suggest you read the nginx development guide, which is available on
>> nginx.org.
>>
>> About getting the X-Forwarded-For headers: if you take a look at some built-in
>> modules, there’s already an existing implementation which takes the headers and
>> returns an array.
>>
>> --
>> Hưng
>>
>> On Dec 29, 2019, at 03:49, Robert Paprocki <
>> rpaprocki at fearnothingproductions.net> wrote:
>>
>> The array has 0 nelts because you haven’t added anything to it. nelts is
>> the number of elements in the array, not the size of the array.
>>
>> Add an element to the array with ngx_array_push().
>>
>> On Dec 28, 2019, at 11:35, Marcin Kozlowski <marcinguy at gmail.com> wrote:
>>
>>
>> Still have a few questions. Help would be great
>>
>> Beginner in writing NGINX modules
>>
>> Have this question
>>
>> 1) How do I create an array, add an element to it and then create a hashtable
>> from it.
>>
>> Below I try to achieve it:
>>
>> NX_LOG_DEBUG(_debug_whitelist_heavy,
>>              NGX_LOG_EMERG, cf, 0,
>>              "finalizing hashtables array %i", dlc->pass_rules->nelts);
>>
>> headers_ar = ngx_array_create(cf->pool, dlc->pass_rules->nelts,
>>                               sizeof(ngx_hash_key_t));
>>
>> if (headers_ar) {
>>     NX_LOG_DEBUG(_debug_readconf, NGX_LOG_EMERG, cf, 0,
>>                  "headers array %i", headers_ar->nelts);
>>
>> 2) Why headers_ar has 0 elements
>>
>> nginx: [emerg] finalizing hashtables array 6 in /etc/nginx/nginx.conf:124
>> nginx: [emerg] headers array 0 in /etc/nginx/nginx.conf:124
>>
>>
>>
>> 3) I later want to build hashtable based on this array:
>>
>> dlc->passr_headers_hash = (ngx_hash_t*) ngx_pcalloc(cf->pool,
>>                                                     sizeof(ngx_hash_t));
>> hash_init.hash = dlc->passr_headers_hash;
>> hash_init.name = "passr_headers_hash";
>>
>> if (ngx_hash_init(&hash_init, (ngx_hash_key_t*) headers_ar->elts,
>>                   headers_ar->nelts) != NGX_OK) {
>>     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "$HEADERS hashtable init failed"); /* LCOV_EXCL_LINE */
>>     return (NGX_ERROR); /* LCOV_EXCL_LINE */
>> }
>>
>> else {
>>     NX_LOG_DEBUG(_debug_whitelist, NGX_LOG_EMERG, cf, 0,
>>                  "$HEADERS hashtable init successed %d !",
>>                  dlc->passr_headers_hash->size);
>> }
>>
>>
>>
>> 4) Can somebody post simple code that
>>
>> a) creates array
>> b) pushes one IP
>> c) create hashtable from it
>>
>> Thanks,
>>
>>
>> On Sat, Dec 28, 2019 at 3:36 PM Marcin Kozlowski <marcinguy at gmail.com>
>> wrote:
>>
>>> Ignore my last post.
>>>
>>> My error.
>>>
>>> Thanks,
>>>
>>> On Fri, Dec 27, 2019 at 11:42 PM Marcin Kozlowski <marcinguy at gmail.com>
>>> wrote:
>>>
>>>> Thanks. Almost got my modifications to NAXSI ready.
>>>>
>>>> But currently have a blocker with getting just the X-Forwarded-for IP
>>>>
>>>> The code below:
>>>>
>>>> ngx_uint_t n;
>>>> ngx_table_elt_t **h;
>>>> ngx_array_t a;
>>>> a = req->headers_in.x_forwarded_for;
>>>> n = a.nelts;
>>>> h = a.elts;
>>>>
>>>> for (i = 0; i < n; i++) {
>>>>     ngx_log_error(NGX_LOG_ERR, req->connection->log,
>>>>                   0, "x_forwarded_for: %s", h[i]->value.data);
>>>> }
>>>>
>>>> gets a String with several IPs (i.e. client, server, request etc.)
>>>>
>>>> Tried to parse the string using strtok(), iterating through it ....
>>>> but it segfaults. I guess I am missing some NGINX module knowledge.
>>>>
>>>> How to properly get first string up to first "," from the
>>>> h[i]->value.data using NGINX functions/types or other correct way to do it.
>>>>
>>>> Thanks,
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Wed, Dec 25, 2019 at 12:17 PM Ruslan Ermilov <ru at nginx.com> wrote:
>>>>
>>>>> On Tue, Dec 24, 2019 at 08:00:26PM +0100, Marcin Kozlowski wrote:
>>>>> > Thanks.
>>>>> >
>>>>> > Works. For the reference, this is the code I used:
>>>>> >
>>>>> > ngx_uint_t n;
>>>>> > ngx_table_elt_t **h;
>>>>> > ngx_array_t a;
>>>>> > a = req->headers_in.x_forwarded_for;
>>>>> > n = a.nelts;
>>>>> > h = a.elts;
>>>>> >
>>>>> > for (i = 0; i < n; i++) {
>>>>> >     ngx_log_error(NGX_LOG_ERR, req->connection->log,
>>>>> >                   0, "x_forwarded_for: %s", h[i]->value.data);
>>>>> > }
>>>>> >
>>>>> > BTW What would be the best practice in NGINX NAXSI module or any other
>>>>> > module to load a file with hundreds entries of IPs (hashmap, or what
>>>>> > structure would be best?) which should be whitelisted later for comparison
>>>>> > in NAXSI module logic. Those IP should never be blocked by NAXSI.
>>>>> >
>>>>> > When should I load this file in memory, in which component
>>>>> > /module/function/step?
>>>>> >
>>>>> > Links to some guides/sample code would be also appreciated.
>>>>> >
>>>>> > Thanks,
>>>>>
>>>>> http://nginx.org/en/docs/http/ngx_http_geo_module.html
>>>>> _______________________________________________
>>>>> nginx-devel mailing list
>>>>> nginx-devel at nginx.org
>>>>> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>>>>>
>
>
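
Added example, not part of the original thread and not NAXSI or nginx code: one way to take the first comma-separated entry of an X-Forwarded-For value without strtok(), reading the value as a length-counted buffer (ngx_str_t is not guaranteed to be NUL-terminated, and strtok() writes into the buffer it scans) and accepting the entry only if it parses as an IP address. The str_t type and xff_first_ip() are hypothetical stand-ins so the code builds without nginx headers, and the sample value is constructed. The first entry is whatever the client sent unless a trusted proxy sets the header, which matters when it feeds a whitelist.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for ngx_str_t: length-counted, no NUL assumed. */
typedef struct { size_t len; unsigned char *data; } str_t;

/*
 * Copy the first comma-separated entry of an X-Forwarded-For value into
 * out (NUL-terminated) and check that it parses as an IPv4 or IPv6 address.
 * Returns 0 on success, -1 if the entry is empty, too long, or not an IP.
 * The input buffer is only read, never modified.
 */
int xff_first_ip(const str_t *v, char *out, size_t outlen)
{
    const unsigned char *p = v->data, *end = v->data + v->len, *q;
    unsigned char        addr[sizeof(struct in6_addr)];
    size_t               n;

    while (p < end && (*p == ' ' || *p == '\t')) p++;      /* leading space  */
    for (q = p; q < end && *q != ','; q++) { }             /* first comma    */
    while (q > p && (q[-1] == ' ' || q[-1] == '\t')) q--;  /* trailing space */

    n = (size_t)(q - p);
    if (n == 0 || n >= outlen || n >= INET6_ADDRSTRLEN) return -1;

    memcpy(out, p, n);
    out[n] = '\0';

    if (inet_pton(AF_INET, out, addr) == 1) return 0;
    if (inet_pton(AF_INET6, out, addr) == 1) return 0;
    return -1;
}

int main(void)
{
    /* Constructed sample value: client entry followed by two proxies. */
    static unsigned char raw[] = "203.0.113.7, 10.0.0.1, 10.0.0.2";
    str_t v = { sizeof(raw) - 1, raw };
    char  ip[INET6_ADDRSTRLEN];

    if (xff_first_ip(&v, ip, sizeof(ip)) == 0) printf("first entry: %s\n", ip);
    return 0;
}
```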