[PROPOSAL]: Extend list of Stream phases

Roman Arutyunyan arut at nginx.com
Thu Apr 25 13:06:33 UTC 2024 

Hi Andrey,

> On 11 Apr 2024, at 3:27 AM, Andrey Kulikov <amdeich at gmail.com> wrote:
> 
> Hello,
> 
> Consider the following test-case:
> I, as admin, would like to limit access to certain resources, based on Client TLS certificate content, fields, etc...
> 
> Solution for HTTP: Easy!
> There is NGX_HTTP_ACCESS_PHASE phase, where connections have been already accepted, and I have access to all $ssl_client_* variables.
> And I control whatever I want, either using the if directive, or by implementing arbitrary sophisticated logic with some custom module.
> 
> Solution for Stream: Simply impossible!
> On NGX_STREAM_ACCESS_PHASE only IP-addresses can be checked, as TLS has not taken place yet.
> NGX_STREAM_SSL_PHASE seems to be intended to specify certificates/keys for performing TLS handshake.
> On NGX_STREAM_PREREAD_PHASE no $ssl_client_* variables available, as TLS handshake has not finished yet.
> On NGX_STREAM_CONTENT_PHASE it is too late to do anything, as connection to the destination server was already established.
> Hard way: implement a custom stream filter module, which checks access criteria on  NGX_STREAM_CONTENT_PHASE. But it looks overcomplicated...
> 
> Proposal:
> Extend list of Stream phases at least to following:
> 
> typedef enum {
>     NGX_STREAM_POST_ACCEPT_PHASE = 0,
>     NGX_STREAM_PREACCESS_PHASE,
>     NGX_STREAM_ACCESS_PHASE,
>     NGX_STREAM_SSL_PHASE,
>     NGX_STREAM_PREREAD_PHASE,
> +  NGX_STREAM_PRE_CONTENT_PHASE, // Change name to whatever seems suitable.
>     NGX_STREAM_CONTENT_PHASE,
>     NGX_STREAM_LOG_PHASE
> } ngx_stream_phases;
> 
> Questions:
> Does it look feasible?
> Are there any objectives NOT to do anything like this? (binary compatibility, etc...)
> If I implement a trivial patch to extend the number of phases, will it be considered for review?

While the problem does exist, precontent phase is not the right place for access control anyway.

There's another solution. With the introduction of ngx_stream_pass_module, you can terminate TLS in one server and then switch to another server for access control.

server {
    listen 9000 ssl;
    ...
    pass 127.0.0.1:9001;
}

server {
    listen 127.0.0.1:9001;
    # access control in access phase
    ...
}

----
Roman Arutyunyan
arut at nginx.com




-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20240425/e8fadae7/attachment.htm>

More information about the nginx-devel mailing list