Hello Roman,
On Wed, 21 Feb 2024 17:29:52 +0400
Roman Arutyunyan <a...@nginx.com> wrote:
> Hi,
>
[...]
> Checking whether the address used in PROXY writer is in fact the address
> that was passed in the PROXY header, is complicated. This will either require
> setting a flag when PROXY address is set by realip, which is ugly.
> Another approach is checking if the client address written to a PROXY header
> matches the client address in the received PROXY header. However since
> currently PROXY protocol addresses are stored as text, and not all addresses
> have unique text repersentations, this approach would require refactoring all
> PROXY protocol code + realip modules to switch from text to sockaddr.
>
> I suggest that we follow the first plan (INADDR_ANY etc).
>
> > [...]
>
> Updated patch attached.
>
> --
> Roman Arutyunyan
> diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
> --- a/src/core/ngx_proxy_protocol.c
> +++ b/src/core/ngx_proxy_protocol.c
> @@ -279,7 +279,10 @@ ngx_proxy_protocol_read_port(u_char *p,
> u_char *
> ngx_proxy_protocol_write(ngx_connection_t *c, u_char *buf, u_char *last)
> {
> - ngx_uint_t port, lport;
> + socklen_t local_socklen;
> + ngx_uint_t port, lport;
> + struct sockaddr *local_sockaddr;
> + static ngx_sockaddr_t default_sockaddr;
I understand you are using the fact static variables are zero
initalized - to be both INADDR_ANY and "IN6ADDR_ANY", however is
this defined behavior for a union (specifically for ipv6 case) ?
I was under the impression only the first declared member, along with
padding bits were garunteed to be zero'ed.
https://stackoverflow.com/questions/54160137/what-constitutes-as-padding-in-a-union
>
> if (last - buf < NGX_PROXY_PROTOCOL_V1_MAX_HEADER) {
> ngx_log_error(NGX_LOG_ALERT, c->log, 0,
> @@ -312,11 +315,21 @@ ngx_proxy_protocol_write(ngx_connection_
>
> *buf++ = ' ';
>
> - buf += ngx_sock_ntop(c->local_sockaddr, c->local_socklen, buf, last -
> buf,
> - 0);
> + if (c->sockaddr->sa_family == c->local_sockaddr->sa_family) {
> + local_sockaddr = c->local_sockaddr;
> + local_socklen = c->local_socklen;
> +
> + } else {
> + default_sockaddr.sockaddr.sa_family = c->sockaddr->sa_family;
> +
> + local_sockaddr = &default_sockaddr.sockaddr;
> + local_socklen = sizeof(ngx_sockaddr_t);
> + }
> +
> + buf += ngx_sock_ntop(local_sockaddr, local_socklen, buf, last - buf, 0);
>
> port = ngx_inet_get_port(c->sockaddr);
> - lport = ngx_inet_get_port(c->local_sockaddr);
> + lport = ngx_inet_get_port(local_sockaddr);
>
> return ngx_slprintf(buf, last, " %ui %ui" CRLF, port, lport);
> }
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
