Hi Andrey,
> On 11 Apr 2024, at 3:27 AM, Andrey Kulikov <[email protected]> wrote:
>
> Hello,
>
> Consider the following test-case:
> I, as admin, would like to limit access to certain resources, based on Client
> TLS certificate content, fields, etc...
>
> Solution for HTTP: Easy!
> There is NGX_HTTP_ACCESS_PHASE phase, where connections have been already
> accepted, and I have access to all $ssl_client_* variables.
> And I control whatever I want, either using the if directive, or by
> implementing arbitrary sophisticated logic with some custom module.
>
> Solution for Stream: Simply impossible!
> On NGX_STREAM_ACCESS_PHASE only IP-addresses can be checked, as TLS has not
> taken place yet.
> NGX_STREAM_SSL_PHASE seems to be intended to specify certificates/keys for
> performing TLS handshake.
> On NGX_STREAM_PREREAD_PHASE no $ssl_client_* variables available, as TLS
> handshake has not finished yet.
> On NGX_STREAM_CONTENT_PHASE it is too late to do anything, as connection to
> the destination server was already established.
> Hard way: implement a custom stream filter module, which checks access
> criteria on NGX_STREAM_CONTENT_PHASE. But it looks overcomplicated...
>
> Proposal:
> Extend list of Stream phases at least to following:
>
> typedef enum {
> NGX_STREAM_POST_ACCEPT_PHASE = 0,
> NGX_STREAM_PREACCESS_PHASE,
> NGX_STREAM_ACCESS_PHASE,
> NGX_STREAM_SSL_PHASE,
> NGX_STREAM_PREREAD_PHASE,
> + NGX_STREAM_PRE_CONTENT_PHASE, // Change name to whatever seems suitable.
> NGX_STREAM_CONTENT_PHASE,
> NGX_STREAM_LOG_PHASE
> } ngx_stream_phases;
>
> Questions:
> Does it look feasible?
> Are there any objectives NOT to do anything like this? (binary compatibility,
> etc...)
> If I implement a trivial patch to extend the number of phases, will it be
> considered for review?
While the problem does exist, the precontent phase is not the right place for
access control anyway.
There's another solution. With the introduction of ngx_stream_pass_module, you
can terminate TLS in one server and then switch to another server for access
control.
server {
    listen 9000 ssl;
    ...
    pass 127.0.0.1:9001;
}

server {
    listen 127.0.0.1:9001;
    # access control in access phase
    ...
}
----
Roman Arutyunyan
[email protected]
_______________________________________________
nginx-devel mailing list
[email protected]
https://mailman.nginx.org/mailman/listinfo/nginx-devel
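As an added example (not from Roman's reply or from nginx's own code), the two-server pattern above with the access-phase check filled in: the first stream server terminates TLS with client-certificate verification and passes the decrypted connection to a second server on 127.0.0.1:9001, whose access phase runs an njs js_access handler that inspects the client certificate subject. The nginx configuration is shown in the header comment; the handler assumes njs is available, that $ssl_client_verify and $ssl_client_s_dn remain readable after "pass" because the TLS state stays on the connection, and the file paths, the upstream and the allowed OU value "ops" are constructed placeholders.

```javascript
// Assumed nginx configuration (constructed for this example, placeholder paths):
//
// stream {
//     js_import access.js;                        # this file
//     server {
//         listen 9000 ssl;
//         ssl_certificate        /etc/nginx/server.crt;
//         ssl_certificate_key    /etc/nginx/server.key;
//         ssl_client_certificate /etc/nginx/client-ca.crt;
//         ssl_verify_client      on;   # handshake already rejects untrusted certs
//         pass 127.0.0.1:9001;         # hand the decrypted connection over
//     }
//     server {
//         listen 127.0.0.1:9001;
//         js_access access.checkClientCert;   # runs in NGX_STREAM_ACCESS_PHASE
//         proxy_pass backend:5432;            # placeholder upstream
//     }
// }
// Allowed organizational-unit values (constructed placeholder policy).
const ALLOWED_OU = new Set(['ops']);
// Parse an RFC 2253 subject DN such as "CN=alice,OU=ops,O=Example" into a map of
// attribute -> value (names upper-cased, first value wins).  Escaped commas inside
// values are not handled; keep the policy on attributes that cannot contain them.
function parseDN(dn) {
    const out = {};
    for (const part of String(dn || '').split(',')) {
        const i = part.indexOf('=');
        if (i > 0) {
            const k = part.slice(0, i).trim().toUpperCase();
            if (!(k in out)) out[k] = part.slice(i + 1).trim();
        }
    }
    return out;
}
// Allow only a successfully verified certificate whose OU is on the list.  A direct
// plaintext connection to 127.0.0.1:9001 has no TLS session, so $ssl_client_verify
// is empty there and the connection is denied as well.
function isAllowed(verify, dn) {
    if (verify !== 'SUCCESS') return false;
    const ou = parseDN(dn).OU;
    return ou !== undefined && ALLOWED_OU.has(ou);
}
// njs js_access handler: the variables come from the TLS session established in the
// first server.  In the njs module file, end with: export default { checkClientCert };
function checkClientCert(s) {
    isAllowed(s.variables.ssl_client_verify, s.variables.ssl_client_s_dn)
        ? s.allow()
        : s.deny();
}
```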