Annotation of embedaddon/nginx/src/http/modules/ngx_http_access_module.c, revision 1.1
1.1 ! misho 1:
! 2: /*
! 3: * Copyright (C) Igor Sysoev
! 4: * Copyright (C) Nginx, Inc.
! 5: */
! 6:
! 7:
! 8: #include <ngx_config.h>
! 9: #include <ngx_core.h>
! 10: #include <ngx_http.h>
! 11:
! 12:
! 13: typedef struct {
! 14: in_addr_t mask;
! 15: in_addr_t addr;
! 16: ngx_uint_t deny; /* unsigned deny:1; */
! 17: } ngx_http_access_rule_t;
! 18:
! 19: #if (NGX_HAVE_INET6)
! 20:
! 21: typedef struct {
! 22: struct in6_addr addr;
! 23: struct in6_addr mask;
! 24: ngx_uint_t deny; /* unsigned deny:1; */
! 25: } ngx_http_access_rule6_t;
! 26:
! 27: #endif
! 28:
! 29: typedef struct {
! 30: ngx_array_t *rules; /* array of ngx_http_access_rule_t */
! 31: #if (NGX_HAVE_INET6)
! 32: ngx_array_t *rules6; /* array of ngx_http_access_rule6_t */
! 33: #endif
! 34: } ngx_http_access_loc_conf_t;
! 35:
! 36:
! 37: static ngx_int_t ngx_http_access_handler(ngx_http_request_t *r);
! 38: static ngx_int_t ngx_http_access_inet(ngx_http_request_t *r,
! 39: ngx_http_access_loc_conf_t *alcf, in_addr_t addr);
! 40: #if (NGX_HAVE_INET6)
! 41: static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r,
! 42: ngx_http_access_loc_conf_t *alcf, u_char *p);
! 43: #endif
! 44: static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny);
! 45: static char *ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd,
! 46: void *conf);
! 47: static void *ngx_http_access_create_loc_conf(ngx_conf_t *cf);
! 48: static char *ngx_http_access_merge_loc_conf(ngx_conf_t *cf,
! 49: void *parent, void *child);
! 50: static ngx_int_t ngx_http_access_init(ngx_conf_t *cf);
! 51:
! 52:
! 53: static ngx_command_t ngx_http_access_commands[] = {
! 54:
! 55: { ngx_string("allow"),
! 56: NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
! 57: |NGX_CONF_TAKE1,
! 58: ngx_http_access_rule,
! 59: NGX_HTTP_LOC_CONF_OFFSET,
! 60: 0,
! 61: NULL },
! 62:
! 63: { ngx_string("deny"),
! 64: NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LMT_CONF
! 65: |NGX_CONF_TAKE1,
! 66: ngx_http_access_rule,
! 67: NGX_HTTP_LOC_CONF_OFFSET,
! 68: 0,
! 69: NULL },
! 70:
! 71: ngx_null_command
! 72: };
! 73:
! 74:
! 75:
! 76: static ngx_http_module_t ngx_http_access_module_ctx = {
! 77: NULL, /* preconfiguration */
! 78: ngx_http_access_init, /* postconfiguration */
! 79:
! 80: NULL, /* create main configuration */
! 81: NULL, /* init main configuration */
! 82:
! 83: NULL, /* create server configuration */
! 84: NULL, /* merge server configuration */
! 85:
! 86: ngx_http_access_create_loc_conf, /* create location configuration */
! 87: ngx_http_access_merge_loc_conf /* merge location configuration */
! 88: };
! 89:
! 90:
! 91: ngx_module_t ngx_http_access_module = {
! 92: NGX_MODULE_V1,
! 93: &ngx_http_access_module_ctx, /* module context */
! 94: ngx_http_access_commands, /* module directives */
! 95: NGX_HTTP_MODULE, /* module type */
! 96: NULL, /* init master */
! 97: NULL, /* init module */
! 98: NULL, /* init process */
! 99: NULL, /* init thread */
! 100: NULL, /* exit thread */
! 101: NULL, /* exit process */
! 102: NULL, /* exit master */
! 103: NGX_MODULE_V1_PADDING
! 104: };
! 105:
! 106:
! 107: static ngx_int_t
! 108: ngx_http_access_handler(ngx_http_request_t *r)
! 109: {
! 110: struct sockaddr_in *sin;
! 111: ngx_http_access_loc_conf_t *alcf;
! 112: #if (NGX_HAVE_INET6)
! 113: u_char *p;
! 114: in_addr_t addr;
! 115: struct sockaddr_in6 *sin6;
! 116: #endif
! 117:
! 118: alcf = ngx_http_get_module_loc_conf(r, ngx_http_access_module);
! 119:
! 120: switch (r->connection->sockaddr->sa_family) {
! 121:
! 122: case AF_INET:
! 123: if (alcf->rules) {
! 124: sin = (struct sockaddr_in *) r->connection->sockaddr;
! 125: return ngx_http_access_inet(r, alcf, sin->sin_addr.s_addr);
! 126: }
! 127: break;
! 128:
! 129: #if (NGX_HAVE_INET6)
! 130:
! 131: case AF_INET6:
! 132: sin6 = (struct sockaddr_in6 *) r->connection->sockaddr;
! 133: p = sin6->sin6_addr.s6_addr;
! 134:
! 135: if (alcf->rules && IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
! 136: addr = p[12] << 24;
! 137: addr += p[13] << 16;
! 138: addr += p[14] << 8;
! 139: addr += p[15];
! 140: return ngx_http_access_inet(r, alcf, htonl(addr));
! 141: }
! 142:
! 143: if (alcf->rules6) {
! 144: return ngx_http_access_inet6(r, alcf, p);
! 145: }
! 146:
! 147: #endif
! 148: }
! 149:
! 150: return NGX_DECLINED;
! 151: }
! 152:
! 153:
! 154: static ngx_int_t
! 155: ngx_http_access_inet(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf,
! 156: in_addr_t addr)
! 157: {
! 158: ngx_uint_t i;
! 159: ngx_http_access_rule_t *rule;
! 160:
! 161: rule = alcf->rules->elts;
! 162: for (i = 0; i < alcf->rules->nelts; i++) {
! 163:
! 164: ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
! 165: "access: %08XD %08XD %08XD",
! 166: addr, rule[i].mask, rule[i].addr);
! 167:
! 168: if ((addr & rule[i].mask) == rule[i].addr) {
! 169: return ngx_http_access_found(r, rule[i].deny);
! 170: }
! 171: }
! 172:
! 173: return NGX_DECLINED;
! 174: }
! 175:
! 176:
! 177: #if (NGX_HAVE_INET6)
! 178:
! 179: static ngx_int_t
! 180: ngx_http_access_inet6(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf,
! 181: u_char *p)
! 182: {
! 183: ngx_uint_t n;
! 184: ngx_uint_t i;
! 185: ngx_http_access_rule6_t *rule6;
! 186:
! 187: rule6 = alcf->rules6->elts;
! 188: for (i = 0; i < alcf->rules6->nelts; i++) {
! 189:
! 190: #if (NGX_DEBUG)
! 191: {
! 192: size_t cl, ml, al;
! 193: u_char ct[NGX_INET6_ADDRSTRLEN];
! 194: u_char mt[NGX_INET6_ADDRSTRLEN];
! 195: u_char at[NGX_INET6_ADDRSTRLEN];
! 196:
! 197: cl = ngx_inet6_ntop(p, ct, NGX_INET6_ADDRSTRLEN);
! 198: ml = ngx_inet6_ntop(rule6[i].mask.s6_addr, mt, NGX_INET6_ADDRSTRLEN);
! 199: al = ngx_inet6_ntop(rule6[i].addr.s6_addr, at, NGX_INET6_ADDRSTRLEN);
! 200:
! 201: ngx_log_debug6(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
! 202: "access: %*s %*s %*s", cl, ct, ml, mt, al, at);
! 203: }
! 204: #endif
! 205:
! 206: for (n = 0; n < 16; n++) {
! 207: if ((p[n] & rule6[i].mask.s6_addr[n]) != rule6[i].addr.s6_addr[n]) {
! 208: goto next;
! 209: }
! 210: }
! 211:
! 212: return ngx_http_access_found(r, rule6[i].deny);
! 213:
! 214: next:
! 215: continue;
! 216: }
! 217:
! 218: return NGX_DECLINED;
! 219: }
! 220:
! 221: #endif
! 222:
! 223:
! 224: static ngx_int_t
! 225: ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny)
! 226: {
! 227: ngx_http_core_loc_conf_t *clcf;
! 228:
! 229: if (deny) {
! 230: clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
! 231:
! 232: if (clcf->satisfy == NGX_HTTP_SATISFY_ALL) {
! 233: ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
! 234: "access forbidden by rule");
! 235: }
! 236:
! 237: return NGX_HTTP_FORBIDDEN;
! 238: }
! 239:
! 240: return NGX_OK;
! 241: }
! 242:
! 243:
! 244: static char *
! 245: ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
! 246: {
! 247: ngx_http_access_loc_conf_t *alcf = conf;
! 248:
! 249: ngx_int_t rc;
! 250: ngx_uint_t all;
! 251: ngx_str_t *value;
! 252: ngx_cidr_t cidr;
! 253: ngx_http_access_rule_t *rule;
! 254: #if (NGX_HAVE_INET6)
! 255: ngx_http_access_rule6_t *rule6;
! 256: #endif
! 257:
! 258: ngx_memzero(&cidr, sizeof(ngx_cidr_t));
! 259:
! 260: value = cf->args->elts;
! 261:
! 262: all = (value[1].len == 3 && ngx_strcmp(value[1].data, "all") == 0);
! 263:
! 264: if (!all) {
! 265:
! 266: rc = ngx_ptocidr(&value[1], &cidr);
! 267:
! 268: if (rc == NGX_ERROR) {
! 269: ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
! 270: "invalid parameter \"%V\"", &value[1]);
! 271: return NGX_CONF_ERROR;
! 272: }
! 273:
! 274: if (rc == NGX_DONE) {
! 275: ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
! 276: "low address bits of %V are meaningless", &value[1]);
! 277: }
! 278: }
! 279:
! 280: switch (cidr.family) {
! 281:
! 282: #if (NGX_HAVE_INET6)
! 283: case AF_INET6:
! 284: case 0: /* all */
! 285:
! 286: if (alcf->rules6 == NULL) {
! 287: alcf->rules6 = ngx_array_create(cf->pool, 4,
! 288: sizeof(ngx_http_access_rule6_t));
! 289: if (alcf->rules6 == NULL) {
! 290: return NGX_CONF_ERROR;
! 291: }
! 292: }
! 293:
! 294: rule6 = ngx_array_push(alcf->rules6);
! 295: if (rule6 == NULL) {
! 296: return NGX_CONF_ERROR;
! 297: }
! 298:
! 299: rule6->mask = cidr.u.in6.mask;
! 300: rule6->addr = cidr.u.in6.addr;
! 301: rule6->deny = (value[0].data[0] == 'd') ? 1 : 0;
! 302:
! 303: if (!all) {
! 304: break;
! 305: }
! 306:
! 307: /* "all" passes through */
! 308: #endif
! 309:
! 310: default: /* AF_INET */
! 311:
! 312: if (alcf->rules == NULL) {
! 313: alcf->rules = ngx_array_create(cf->pool, 4,
! 314: sizeof(ngx_http_access_rule_t));
! 315: if (alcf->rules == NULL) {
! 316: return NGX_CONF_ERROR;
! 317: }
! 318: }
! 319:
! 320: rule = ngx_array_push(alcf->rules);
! 321: if (rule == NULL) {
! 322: return NGX_CONF_ERROR;
! 323: }
! 324:
! 325: rule->mask = cidr.u.in.mask;
! 326: rule->addr = cidr.u.in.addr;
! 327: rule->deny = (value[0].data[0] == 'd') ? 1 : 0;
! 328: }
! 329:
! 330: return NGX_CONF_OK;
! 331: }
! 332:
! 333:
! 334: static void *
! 335: ngx_http_access_create_loc_conf(ngx_conf_t *cf)
! 336: {
! 337: ngx_http_access_loc_conf_t *conf;
! 338:
! 339: conf = ngx_pcalloc(cf->pool, sizeof(ngx_http_access_loc_conf_t));
! 340: if (conf == NULL) {
! 341: return NULL;
! 342: }
! 343:
! 344: return conf;
! 345: }
! 346:
! 347:
! 348: static char *
! 349: ngx_http_access_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
! 350: {
! 351: ngx_http_access_loc_conf_t *prev = parent;
! 352: ngx_http_access_loc_conf_t *conf = child;
! 353:
! 354: #if (NGX_HAVE_INET6)
! 355:
! 356: if (conf->rules == NULL && conf->rules6 == NULL) {
! 357: conf->rules = prev->rules;
! 358: conf->rules6 = prev->rules6;
! 359: }
! 360:
! 361: #else
! 362:
! 363: if (conf->rules == NULL) {
! 364: conf->rules = prev->rules;
! 365: }
! 366:
! 367: #endif
! 368:
! 369: return NGX_CONF_OK;
! 370: }
! 371:
! 372:
! 373: static ngx_int_t
! 374: ngx_http_access_init(ngx_conf_t *cf)
! 375: {
! 376: ngx_http_handler_pt *h;
! 377: ngx_http_core_main_conf_t *cmcf;
! 378:
! 379: cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
! 380:
! 381: h = ngx_array_push(&cmcf->phases[NGX_HTTP_ACCESS_PHASE].handlers);
! 382: if (h == NULL) {
! 383: return NGX_ERROR;
! 384: }
! 385:
! 386: *h = ngx_http_access_handler;
! 387:
! 388: return NGX_OK;
! 389: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ngx_http_access_module.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / nginx / src / http / modules