Hello,

Consider the following test case: I, as admin, would like to limit access to certain resources based on client TLS certificate content, fields, etc.

Solution for HTTP: Easy! There is the NGX_HTTP_ACCESS_PHASE phase, where connections have already been accepted and I have access to all $ssl_client_* variables. And I control whatever I want, either using the if directive or by implementing arbitrarily sophisticated logic with some custom module.

Solution for Stream: Simply impossible!

- On NGX_STREAM_ACCESS_PHASE only IP addresses can be checked, as TLS has not taken place yet.
- NGX_STREAM_SSL_PHASE seems to be intended to specify certificates/keys for performing the TLS handshake.
- On NGX_STREAM_PREREAD_PHASE no $ssl_client_* variables are available, as the TLS handshake has not finished yet.
- On NGX_STREAM_CONTENT_PHASE it is too late to do anything, as the connection to the destination server was already established.

Hard way: implement a custom stream filter module which checks access criteria on NGX_STREAM_CONTENT_PHASE. But it looks overcomplicated...

Proposal: Extend the list of Stream phases at least to the following:

    typedef enum {
        NGX_STREAM_POST_ACCEPT_PHASE = 0,
        NGX_STREAM_PREACCESS_PHASE,
        NGX_STREAM_ACCESS_PHASE,
        NGX_STREAM_SSL_PHASE,
        NGX_STREAM_PREREAD_PHASE,
    +   NGX_STREAM_PRE_CONTENT_PHASE, /* Change name to whatever seems suitable. */
        NGX_STREAM_CONTENT_PHASE,
        NGX_STREAM_LOG_PHASE
    } ngx_stream_phases;

Questions:

- Does it look feasible?
- Are there any objections to doing anything like this? (binary compatibility, etc.)
- If I implement a trivial patch to extend the number of phases, will it be considered for review?

-- 
Regards,
Andrey
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
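The contrast Andrey draws above, as an added configuration example that is not part of his post or of nginx itself: in the http block, the $ssl_client_* variables are usable for access decisions before proxying, so a client certificate can be rejected on its subject, while in the stream block the only certificate-based gate that applies before the proxied connection is chain verification during the handshake. All file paths, the upstream addresses and the allowed subject DN are constructed placeholders.

```nginx
# Added example, not from the nginx-devel post. Paths, addresses and the
# DN in the map are placeholders.

http {
    upstream http_backend {
        server 127.0.0.1:8080;  # placeholder backend
    }

    # Per-subject allow list. Only certificates whose subject DN (RFC 2253
    # form) matches get 1; every other subject, or no certificate, gets 0.
    map $ssl_client_s_dn $cert_allowed {
        default                        0;
        "CN=ops-admin,O=Example Corp"  1;   # placeholder subject
    }

    server {
        listen 443 ssl;
        ssl_certificate        /etc/nginx/tls/server.crt;     # placeholder
        ssl_certificate_key    /etc/nginx/tls/server.key;     # placeholder

        # "optional" lets the handshake complete even when no valid client
        # certificate is presented, so the decision can be made per location
        # using $ssl_client_verify and $ssl_client_s_dn instead of failing
        # the whole connection at the TLS layer.
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder CA
        ssl_verify_client      optional;

        location /restricted/ {
            # First gate: the certificate must chain to our CA.
            if ($ssl_client_verify != SUCCESS) { return 403; }
            # Second gate: the verified subject must be on the allow list.
            if ($cert_allowed = 0) { return 403; }
            proxy_pass http://http_backend;
        }

        location / {
            proxy_pass http://http_backend;
        }
    }
}

stream {
    server {
        listen 8443 ssl;
        ssl_certificate        /etc/nginx/tls/server.crt;     # placeholder
        ssl_certificate_key    /etc/nginx/tls/server.key;     # placeholder
        ssl_client_certificate /etc/nginx/tls/client-ca.crt;  # placeholder CA

        # With "on", clients without a certificate chaining to the CA fail
        # the handshake. There is no phase here at which a subject-based
        # decision like the http map above can run before proxy_pass.
        ssl_verify_client      on;

        proxy_pass 127.0.0.1:9443;  # placeholder backend
    }
}
```

The http block separates "no valid certificate" from "valid certificate, wrong subject" so both are logged as distinct 403s rather than as opaque handshake failures; the stream block can only express the first of those two checks.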