# HG changeset patch
# User Roman Arutyunyan <a...@nginx.com>
# Date 1705916128 -14400
# Mon Jan 22 13:35:28 2024 +0400
# Node ID 2f12c929527b2337c15ef99d3a4dc97819b61fbd
# Parent ee40e2b1d0833b46128a357fbc84c6e23be9be07
Avoiding mixed socket families in PROXY protocol v1 (ticket #2594).
When using realip module, remote and local addreses of a connection can belong
to different address families. This previously resulted in generating PROXY
protocol headers like this:
PROXY TCP4 127.0.0.1 unix:/tmp/nginx1.sock 55544 0
The PROXY protocol v1 specification does not allow mixed families. The change
will generate the unknown PROXY protocol header in this case:
PROXY UNKNOWN
Also, the above mentioned format for unix socket address is not specified in
PROXY protocol v1 and is a by-product of internal nginx representation of it.
The change eliminates such addresses from PROXY protocol headers as well.
diff --git a/src/core/ngx_proxy_protocol.c b/src/core/ngx_proxy_protocol.c
--- a/src/core/ngx_proxy_protocol.c
+++ b/src/core/ngx_proxy_protocol.c
@@ -291,6 +291,10 @@ ngx_proxy_protocol_write(ngx_connection_
return NULL;
}
+ if (c->sockaddr->sa_family != c->local_sockaddr->sa_family) {
+ goto unknown;
+ }
+
switch (c->sockaddr->sa_family) {
case AF_INET:
@@ -304,8 +308,7 @@ ngx_proxy_protocol_write(ngx_connection_
#endif
default:
- return ngx_cpymem(buf, "PROXY UNKNOWN" CRLF,
- sizeof("PROXY UNKNOWN" CRLF) - 1);
+ goto unknown;
}
buf += ngx_sock_ntop(c->sockaddr, c->socklen, buf, last - buf, 0);
@@ -319,6 +322,11 @@ ngx_proxy_protocol_write(ngx_connection_
lport = ngx_inet_get_port(c->local_sockaddr);
return ngx_slprintf(buf, last, " %ui %ui" CRLF, port, lport);
+
+unknown:
+
+ return ngx_cpymem(buf, "PROXY UNKNOWN" CRLF,
+ sizeof("PROXY UNKNOWN" CRLF) - 1);
}
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx-devel
