# HG changeset patch # User Roman Arutyunyan <a...@nginx.com> # Date 1705916128 -14400 # Mon Jan 22 13:35:28 2024 +0400 # Node ID 2f12c929527b2337c15ef99d3a4dc97819b61fbd # Parent ee40e2b1d0833b46128a357fbc84c6e23be9be07 Avoiding mixed socket families in PROXY protocol v1 (ticket #2594).
When using realip module, remote and local addreses of a connection can belong to different address families. This previously resulted in generating PROXY protocol headers like this: PROXY TCP4 127.0.0.1 unix:/tmp/nginx1.sock 55544 0 The PROXY protocol v1 specification does not allow mixed families. The change will generate the unknown PROXY protocol header in this case: PROXY UNKNOWN Also, the above mentioned format for unix socket address is not specified in PROXY protocol v1 and is a by-product of internal nginx representation of it. The change eliminates such addresses from PROXY protocol headers as well. diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c --- a/src/core/ngx_proxy_protocol.c +++ b/src/core/ngx_proxy_protocol.c @@ -291,6 +291,10 @@ ngx_proxy_protocol_write(ngx_connection_ return NULL; } + if (c->sockaddr->sa_family != c->local_sockaddr->sa_family) { + goto unknown; + } + switch (c->sockaddr->sa_family) { case AF_INET: @@ -304,8 +308,7 @@ ngx_proxy_protocol_write(ngx_connection_ #endif default: - return ngx_cpymem(buf, "PROXY UNKNOWN" CRLF, - sizeof("PROXY UNKNOWN" CRLF) - 1); + goto unknown; } buf += ngx_sock_ntop(c->sockaddr, c->socklen, buf, last - buf, 0); @@ -319,6 +322,11 @@ ngx_proxy_protocol_write(ngx_connection_ lport = ngx_inet_get_port(c->local_sockaddr); return ngx_slprintf(buf, last, " %ui %ui" CRLF, port, lport); + +unknown: + + return ngx_cpymem(buf, "PROXY UNKNOWN" CRLF, + sizeof("PROXY UNKNOWN" CRLF) - 1); } _______________________________________________ nginx-devel mailing list nginx-devel@nginx.org https://mailman.nginx.org/mailman/listinfo/nginx-devel
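Review bot: The family check added at the top of the first hunk has no comment explaining why `c->sockaddr` and `c->local_sockaddr` can disagree, and the reason is not visible in the code; per the commit message it happens when the realip module has replaced the remote address. I would add above the `if` something like `/* realip may set c->sockaddr to a family other than the local one; PROXY v1 cannot express mixed families */`. The check also reads `c->local_sockaddr` before the switch, so it depends on the local address having been filled in by code above the hunk. The `return NULL; }` context is presumably that step, but the function starts outside the hunk, so this is worth confirming.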
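Review bot: The shared `unknown:` exit in the third hunk discards the client address without leaving any trace, so an operator cannot tell from logs that a connection was downgraded to `PROXY UNKNOWN`. As I read the v1 specification, a receiver ignores the rest of an UNKNOWN line and falls back to the real connection endpoints, so upstream access rules, rate limits and audit logs keyed on the PROXY-supplied address would see the proxy itself for these connections. A debug line before the return would make this diagnosable, e.g. `ngx_log_debug0(NGX_LOG_DEBUG_CORE, c->log, 0, "PROXY protocol: mixed or unsupported address family, sending UNKNOWN");`. The same label is also reached from the `default:` case in the second hunk, so the message should cover both situations.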