| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
This commit introduces the replacement of the client address based on the value
of a specified HTTP header. This is intended for use when Unit is placed
behind a reverse proxy like nginx or a CDN.
You must specify the source addresses of the trusted proxies. This can be
accomplished with any valid IP pattern supported by Unit's match block:
["10.0.0.1", "10.4.0.0/16", "!192.168.1.1"]
The feature is configured per listener.
The client address replacement functionality only operates when there is a
source IP match and the specified header is present. Typically this would be
an 'X-Forwarded-For' header.
{
"listeners": {
"127.0.0.1:8080": {
"client_ip": {
"header": "X-Forwarded-For",
"source": [
"10.0.0.0/8"
]
},
"pass": "applications/my_app"
},
}
}
If a request occurs and Unit receives a header like below:
"X-Forwarded-For: 84.123.23.23"
By default, Unit trusts the last rightmost IP in the header, so REMOTE_ADDR
will be set to 84.123.23.23 if the connection originated from 10.0.0.0/8.
If Unit runs behind consecutive reverse proxies and receives a header similar
to the following:
"X-Forwarded-For: 84.123.23.23, 10.0.0.254"
You will need to enable "recursive" checking, which walks the header from
last address to first and chooses the first non-trusted address it finds.
{
"listeners": {
"127.0.0.1:8080": {
"client_ip": {
"header": "X-Forwarded-For",
"source": [
"10.0.0.0/8"
]
"recursive": true,
},
"pass": "applications/my_app"
},
}
}
If a connection from 10.0.0.0/8 occurs, the chain is walked. Here, 10.0.0.254
is also a trusted address so the client address will be replaced with
84.123.23.23.
If all IP addresses in the header are trusted, the client address is set to
the first address in the header:
If 10.0.0.0/8 is trusted and "X-Forwarded-For: 10.0.0.3, 10.0.0.2, 10.0.0.1",
the client address will be replaced with 10.0.0.3.
|
|
A crash would occur when the router tried to match an
against an empty address pattern array.
The following configuration was used to reproduce the
issue:
{
"listeners": {
"127.0.0.1:8082": {
"pass": "routes"
}
},
"routes": [
{
"match": {
"source": []
},
"action": {
"return": 200
}
}
]
}
|
|
In the case that routes or upstreams is empty and the pass option is a variable.
If the resolved pass is routes or upstreams, a segment error occurred.
|
|
No functional changes.
|
|
No functional changes.
|
|
No functional changes.
|
|
No functional changes.
|
|
|
|
Support for chrooting, rejecting symlinks, and rejecting crossing mounting
points on a per-request basis during static file serving.
|
|
This is a prerequisite for further introduction of openat2() features.
No functional changes.
|
|
This closes #467 issue on GitHub.
|
|
|
|
The "!" pattern should be opposite to "", i.e. match only non-empty values.
But after 3c00af54b937 it was equal to "!*", which is wrong.
|
|
Messed up return values in nxt_upstream_find() caused error in applying any
configuration with a valid "pass" value in router configuration pointing to
upstream. That wasn't the case in "listeners" objects, where the return value
wasn't checked.
Also, it caused segfault in cases where the "pass" option was configured with
variables and resulting value was pointing to a non-existent upstream.
Added missing return checks as well to catch possible memory allocation errors.
The bug was introduced in d32bc428f46b.
This closes #472 issue on GitHub.
|
|
Found by Coverity (CID 361277).
|
|
|
|
This is partially related to #434 issue on Github.
Thanks to 洪志道 (Hong Zhi Dao).
|
|
Matching 'start' and 'end' position now adjusted to avoid false matching.
This is related to #434 issue on Github.
Thanks to 洪志道 (Hong Zhi Dao).
|
|
|
|
This should resolve some static analyzers warnings.
|
|
|
|
This allows to specify multiple subsequent targets inside PHP applications.
For example:
{
"listeners": {
"*:80": {
"pass": "routes"
}
},
"routes": [
{
"match": {
"uri": "/info"
},
"action": {
"pass": "applications/my_app/phpinfo"
}
},
{
"match": {
"uri": "/hello"
},
"action": {
"pass": "applications/my_app/hello"
}
},
{
"action": {
"pass": "applications/my_app/rest"
}
}
],
"applications": {
"my_app": {
"type": "php",
"targets": {
"phpinfo": {
"script": "phpinfo.php",
"root": "/www/data/admin",
},
"hello": {
"script": "hello.php",
"root": "/www/data/test",
},
"rest": {
"root": "/www/data/example.com",
"index": "index.php"
},
}
}
}
}
|
|
This is useful to escape "/" in path fragments. For example, in order
to reference the application named "foo/bar":
{
"pass": "applications/foo%2Fbar"
}
|
|
|
|
This allows to specify redirects:
{
"action": {
"return": 301,
"location": "https://www.example.com/"
}
}
|
|
The "return" action can be used to immediately generate a simple HTTP response
with an arbitrary status:
{
"action": {
"return": 404
}
}
This is especially useful for denying access to specific resources.
|
|
|
|
|
|
|
|
|
|
It allows proceeding to another action if a file isn't available.
An example:
{
"share": "/data/www/",
"fallback": {
"pass": "applications/php"
}
}
In the example above, an attempt is made first to serve a request with
a file from the "/data/www/" directory. If there's no such file, the
request is passed to the "php" application.
Fallback actions may be nested:
{
"share": "/data/www/",
"fallback": {
"share": "/data/cache/",
"fallback": {
"proxy": "http://127.0.0.1:9000"
}
}
}
|
|
|
|
|
|
|
|
|
|
|
|
Scheme matches exact string “http” or “https”.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
