summaryrefslogtreecommitdiffhomepage
path: root/src/nxt_http.h
diff options
context:
space:
mode:
authorOisin Canty <o.canty@f5.com>2021-08-12 08:23:16 +0000
committerOisin Canty <o.canty@f5.com>2021-08-12 08:23:16 +0000
commitca373aaccd276fb412e59557a3971a8d06ada0f8 (patch)
tree083d75282d8ae54affbe999cc7894b852a532043 /src/nxt_http.h
parent73ea6a1c3a7a4a7f3ab14230b80e783e57a7d830 (diff)
downloadunit-ca373aaccd276fb412e59557a3971a8d06ada0f8.tar.gz
unit-ca373aaccd276fb412e59557a3971a8d06ada0f8.tar.bz2
Router: client IP address replacement.
This commit introduces the replacement of the client address based on the value of a specified HTTP header. This is intended for use when Unit is placed behind a reverse proxy like nginx or a CDN. You must specify the source addresses of the trusted proxies. This can be accomplished with any valid IP pattern supported by Unit's match block: ["10.0.0.1", "10.4.0.0/16", "!192.168.1.1"] The feature is configured per listener. The client address replacement functionality only operates when there is a source IP match and the specified header is present. Typically this would be an 'X-Forwarded-For' header. { "listeners": { "127.0.0.1:8080": { "client_ip": { "header": "X-Forwarded-For", "source": [ "10.0.0.0/8" ] }, "pass": "applications/my_app" }, } } If a request occurs and Unit receives a header like below: "X-Forwarded-For: 84.123.23.23" By default, Unit trusts the last rightmost IP in the header, so REMOTE_ADDR will be set to 84.123.23.23 if the connection originated from 10.0.0.0/8. If Unit runs behind consecutive reverse proxies and receives a header similar to the following: "X-Forwarded-For: 84.123.23.23, 10.0.0.254" You will need to enable "recursive" checking, which walks the header from last address to first and chooses the first non-trusted address it finds. { "listeners": { "127.0.0.1:8080": { "client_ip": { "header": "X-Forwarded-For", "source": [ "10.0.0.0/8" ] "recursive": true, }, "pass": "applications/my_app" }, } } If a connection from 10.0.0.0/8 occurs, the chain is walked. Here, 10.0.0.254 is also a trusted address so the client address will be replaced with 84.123.23.23. If all IP addresses in the header are trusted, the client address is set to the first address in the header: If 10.0.0.0/8 is trusted and "X-Forwarded-For: 10.0.0.3, 10.0.0.2, 10.0.0.1", the client address will be replaced with 10.0.0.3.
Diffstat (limited to '')
-rw-r--r--src/nxt_http.h17
1 files changed, 15 insertions, 2 deletions
diff --git a/src/nxt_http.h b/src/nxt_http.h
index faba83f2..3bc2fd61 100644
--- a/src/nxt_http.h
+++ b/src/nxt_http.h
@@ -197,8 +197,9 @@ struct nxt_http_request_s {
};
-typedef struct nxt_http_route_s nxt_http_route_t;
-typedef struct nxt_http_route_rule_s nxt_http_route_rule_t;
+typedef struct nxt_http_route_s nxt_http_route_t;
+typedef struct nxt_http_route_rule_s nxt_http_route_rule_t;
+typedef struct nxt_http_route_addr_rule_s nxt_http_route_addr_rule_t;
typedef struct {
@@ -254,6 +255,14 @@ typedef struct {
} nxt_http_proto_table_t;
+struct nxt_http_client_ip_s {
+ nxt_http_route_addr_rule_t *source;
+ nxt_str_t *header;
+ uint32_t header_hash;
+ uint8_t recursive; /* 1 bit */
+};
+
+
#define NXT_HTTP_DATE_LEN nxt_length("Wed, 31 Dec 1986 16:40:00 GMT")
nxt_inline u_char *
@@ -311,6 +320,10 @@ nxt_int_t nxt_http_pass_segments(nxt_mp_t *mp, nxt_str_t *pass,
nxt_str_t *segments, nxt_uint_t n);
nxt_http_action_t *nxt_http_pass_application(nxt_task_t *task,
nxt_router_conf_t *rtcf, nxt_str_t *name);
+nxt_http_route_addr_rule_t *nxt_http_route_addr_rule_create(
+ nxt_task_t *task, nxt_mp_t *mp, nxt_conf_value_t *cv);
+nxt_int_t nxt_http_route_addr_rule(nxt_http_request_t *r,
+ nxt_http_route_addr_rule_t *addr_rule, nxt_sockaddr_t *sockaddr);
nxt_http_route_rule_t *nxt_http_route_types_rule_create(nxt_task_t *task,
nxt_mp_t *mp, nxt_conf_value_t *types);
nxt_int_t nxt_http_route_test_rule(nxt_http_request_t *r,