[PROPOSAL]: Extend list of Stream phases

Andrey Kulikov amdeich at gmail.com
Wed Apr 10 23:27:39 UTC 2024


Hello,

Consider the following test-case:
I, as admin, would like to limit access to certain resources, based on
Client TLS certificate content, fields, etc...

Solution for HTTP: Easy!
There is NGX_HTTP_ACCESS_PHASE phase, where connections have been already
accepted, and I have access to all $ssl_client_* variables.
And I control whatever I want, either using the if directive, or by
implementing arbitrary sophisticated logic with some custom module.

Solution for Stream: Simply impossible!
On NGX_STREAM_ACCESS_PHASE only IP-addresses can be checked, as TLS has not
taken place yet.
NGX_STREAM_SSL_PHASE seems to be intended to specify certificates/keys for
performing TLS handshake.
On NGX_STREAM_PREREAD_PHASE no $ssl_client_* variables are available, as the
TLS handshake has not finished yet.
On NGX_STREAM_CONTENT_PHASE it is too late to do anything, as connection to
the destination server was already established.
Hard way: implement a custom stream filter module, which checks access
criteria on NGX_STREAM_CONTENT_PHASE. But it looks overcomplicated...

Proposal:
Extend list of Stream phases at least to following:

typedef enum {
    NGX_STREAM_POST_ACCEPT_PHASE = 0,
    NGX_STREAM_PREACCESS_PHASE,
    NGX_STREAM_ACCESS_PHASE,
    NGX_STREAM_SSL_PHASE,
    NGX_STREAM_PREREAD_PHASE,
+   NGX_STREAM_PRE_CONTENT_PHASE, // Change name to whatever seems suitable.
    NGX_STREAM_CONTENT_PHASE,
    NGX_STREAM_LOG_PHASE
} ngx_stream_phases;

Questions:
Does it look feasible?
Are there any objectives NOT to do anything like this? (binary
compatibility, etc...)
If I implement a trivial patch to extend the number of phases, will it be
considered for review?


--
Regards,
Andrey
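To make the contrast in the post concrete, the following is an added configuration example (not part of the original message and not nginx project code) showing the HTTP-side check the author describes beside the only certificate-based restriction the stream module offers today: CA-based verification during the handshake itself. Paths, the port numbers and the CN pattern are constructed placeholders.

```nginx
# HTTP: the client certificate is available after the handshake, so a
# per-field decision on $ssl_client_s_dn can reject the request before
# it is proxied. (Constructed example; paths and names are placeholders.)
http {
    map $ssl_client_s_dn $client_allowed {
        default          0;
        "~CN=deploy-bot" 1;   # constructed DN pattern, adjust to your PKI
    }

    server {
        listen 8443 ssl;
        ssl_certificate        /etc/nginx/server.crt;      # placeholder
        ssl_certificate_key    /etc/nginx/server.key;      # placeholder
        ssl_client_certificate /etc/nginx/clients-ca.crt;  # placeholder
        ssl_verify_client      on;   # handshake fails unless the chain verifies

        location / {
            # Reject certificates that verified but do not match the policy.
            if ($client_allowed = 0) {
                return 403;
            }
            proxy_pass http://127.0.0.1:8080;
        }
    }
}

# Stream: ssl_verify_client restricts clients to certificates issued by the
# configured CA, enforced by the TLS handshake; there is no phase in which a
# handler could inspect $ssl_client_s_dn before proxy_pass connects upstream.
stream {
    server {
        listen 9443 ssl;
        ssl_certificate        /etc/nginx/server.crt;      # placeholder
        ssl_certificate_key    /etc/nginx/server.key;      # placeholder
        ssl_client_certificate /etc/nginx/clients-ca.crt;  # placeholder
        ssl_verify_client      on;

        proxy_pass 127.0.0.1:9000;
    }
}
```

Operationally, the stream block still gives a defender a hard boundary (only certificates chaining to the configured CA complete the handshake), and failed handshakes surface in the error log; finer per-field policy in stream needs either a dedicated issuing CA per trust level or the kind of phase the proposal asks for.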