90
108
ngx_http_access_handler(ngx_http_request_t *r)
93
110
struct sockaddr_in *sin;
94
ngx_http_access_rule_t *rule;
95
ngx_http_core_loc_conf_t *clcf;
96
111
ngx_http_access_loc_conf_t *alcf;
115
struct sockaddr_in6 *sin6;
98
118
alcf = ngx_http_get_module_loc_conf(r, ngx_http_access_module);
100
if (alcf->rules == NULL) {
120
switch (r->connection->sockaddr->sa_family) {
124
sin = (struct sockaddr_in *) r->connection->sockaddr;
125
return ngx_http_access_inet(r, alcf, sin->sin_addr.s_addr);
132
sin6 = (struct sockaddr_in6 *) r->connection->sockaddr;
133
p = sin6->sin6_addr.s6_addr;
135
if (alcf->rules && IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) {
140
return ngx_http_access_inet(r, alcf, htonl(addr));
144
return ngx_http_access_inet6(r, alcf, p);
106
sin = (struct sockaddr_in *) r->connection->sockaddr;
155
ngx_http_access_inet(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf,
159
ngx_http_access_rule_t *rule;
108
161
rule = alcf->rules->elts;
109
162
for (i = 0; i < alcf->rules->nelts; i++) {
111
164
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
112
165
"access: %08XD %08XD %08XD",
113
sin->sin_addr.s_addr, rule[i].mask, rule[i].addr);
115
if ((sin->sin_addr.s_addr & rule[i].mask) == rule[i].addr) {
117
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
119
if (clcf->satisfy == NGX_HTTP_SATISFY_ALL) {
120
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
121
"access forbidden by rule");
124
return NGX_HTTP_FORBIDDEN;
166
addr, rule[i].mask, rule[i].addr);
168
if ((addr & rule[i].mask) == rule[i].addr) {
169
return ngx_http_access_found(r, rule[i].deny);
180
ngx_http_access_inet6(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf,
185
ngx_http_access_rule6_t *rule6;
187
rule6 = alcf->rules6->elts;
188
for (i = 0; i < alcf->rules6->nelts; i++) {
193
u_char ct[NGX_INET6_ADDRSTRLEN];
194
u_char mt[NGX_INET6_ADDRSTRLEN];
195
u_char at[NGX_INET6_ADDRSTRLEN];
197
cl = ngx_inet6_ntop(p, ct, NGX_INET6_ADDRSTRLEN);
198
ml = ngx_inet6_ntop(rule6[i].mask.s6_addr, mt, NGX_INET6_ADDRSTRLEN);
199
al = ngx_inet6_ntop(rule6[i].addr.s6_addr, at, NGX_INET6_ADDRSTRLEN);
201
ngx_log_debug6(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
202
"access: %*s %*s %*s", cl, ct, ml, mt, al, at);
206
for (n = 0; n < 16; n++) {
207
if ((p[n] & rule6[i].mask.s6_addr[n]) != rule6[i].addr.s6_addr[n]) {
212
return ngx_http_access_found(r, rule6[i].deny);
131
218
return NGX_DECLINED;
225
ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny)
227
ngx_http_core_loc_conf_t *clcf;
230
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
232
if (clcf->satisfy == NGX_HTTP_SATISFY_ALL) {
233
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
234
"access forbidden by rule");
237
return NGX_HTTP_FORBIDDEN;
136
245
ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
138
247
ngx_http_access_loc_conf_t *alcf = conf;
142
ngx_inet_cidr_t in_cidr;
143
ngx_http_access_rule_t *rule;
145
if (alcf->rules == NULL) {
146
alcf->rules = ngx_array_create(cf->pool, 4,
147
sizeof(ngx_http_access_rule_t));
253
ngx_http_access_rule_t *rule;
255
ngx_http_access_rule6_t *rule6;
258
ngx_memzero(&cidr, sizeof(ngx_cidr_t));
260
value = cf->args->elts;
262
all = (value[1].len == 3 && ngx_strcmp(value[1].data, "all") == 0);
266
rc = ngx_ptocidr(&value[1], &cidr);
268
if (rc == NGX_ERROR) {
269
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
270
"invalid parameter \"%V\"", &value[1]);
271
return NGX_CONF_ERROR;
274
if (rc == NGX_DONE) {
275
ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
276
"low address bits of %V are meaningless", &value[1]);
280
switch (cidr.family) {
286
if (alcf->rules6 == NULL) {
287
alcf->rules6 = ngx_array_create(cf->pool, 4,
288
sizeof(ngx_http_access_rule6_t));
289
if (alcf->rules6 == NULL) {
290
return NGX_CONF_ERROR;
294
rule6 = ngx_array_push(alcf->rules6);
296
return NGX_CONF_ERROR;
299
rule6->mask = cidr.u.in6.mask;
300
rule6->addr = cidr.u.in6.addr;
301
rule6->deny = (value[0].data[0] == 'd') ? 1 : 0;
307
/* "all" passes through */
310
default: /* AF_INET */
148
312
if (alcf->rules == NULL) {
313
alcf->rules = ngx_array_create(cf->pool, 4,
314
sizeof(ngx_http_access_rule_t));
315
if (alcf->rules == NULL) {
316
return NGX_CONF_ERROR;
320
rule = ngx_array_push(alcf->rules);
149
322
return NGX_CONF_ERROR;
153
rule = ngx_array_push(alcf->rules);
155
return NGX_CONF_ERROR;
158
value = cf->args->elts;
160
rule->deny = (value[0].data[0] == 'd') ? 1 : 0;
162
if (value[1].len == 3 && ngx_strcmp(value[1].data, "all") == 0) {
169
rule->addr = inet_addr((char *) value[1].data);
171
if (rule->addr != INADDR_NONE) {
172
rule->mask = 0xffffffff;
177
rc = ngx_ptocidr(&value[1], &in_cidr);
179
if (rc == NGX_ERROR) {
180
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "invalid parameter \"%V\"",
182
return NGX_CONF_ERROR;
185
if (rc == NGX_DONE) {
186
ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
187
"low address bits of %V are meaningless", &value[1]);
190
rule->mask = in_cidr.mask;
191
rule->addr = in_cidr.addr;
325
rule->mask = cidr.u.in.mask;
326
rule->addr = cidr.u.in.addr;
327
rule->deny = (value[0].data[0] == 'd') ? 1 : 0;
193
330
return NGX_CONF_OK;