static ngx_int_t ngx_http_upstream_persistence_cookie_get_peer(ngx_http_request_t *r, ngx_str_t *data) { ngx_str_t index_string; ngx_int_t n; n = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, data, &index_string); ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "cookie_get_peer\n"); if (n == NGX_DECLINED ) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "get peer failed\n"); return -1; } if (index_string.len == 0) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "get peer failed, index string len is 0\n"); return -1; } return ngx_atoi(index_string.data, index_string.len); }
static ngx_int_t ngx_http_variable_cookie(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data) { ngx_str_t *name = (ngx_str_t *) data; ngx_str_t cookie, s; s.len = name->len - (sizeof("cookie_") - 1); s.data = name->data + sizeof("cookie_") - 1; if (ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &s, &cookie) == NGX_DECLINED) { v->not_found = 1; return NGX_OK; } v->len = cookie.len; v->valid = 1; v->no_cacheable = 0; v->not_found = 0; v->data = cookie.data; return NGX_OK; }
/** * Retorna 1 quando conseguiu ler o valor do cookie, que ficará em *cookie_value */ static int le_cookie(ngx_http_request_t *r, ngx_str_t *cookie_name, ngx_str_t *cookie_value) { ngx_int_t rc; /* * Find the cookie */ rc = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, cookie_name, cookie_value); if(rc == NGX_DECLINED) { return 0; } return 1; }
static ngx_int_t ngx_upstream_persistence_session_cookie_get(ngx_http_request_t *r, ngx_http_upstream_persistence_group_t *group) { ngx_str_t session_string; ngx_str_t session_key = ngx_string(NGX_HTTP_SESSION_PERSIST_ID_COOKIE); ngx_int_t n; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http_session_cookie_get_peer\n"); n = ngx_http_parse_multi_header_lines (&r->headers_in.cookies, (ngx_str_t *)group->data, &session_string); if (n == NGX_DECLINED ) { return -1; } if (session_string.len == 0) { return -1; } return ngx_http_upstream_persistence_cookie_get_peer(r, &session_key); }
/* * function called by the upstream module when it inits each peer * it's called once per request */ static ngx_int_t ngx_http_init_sticky_peer(ngx_http_request_t *r, ngx_http_upstream_srv_conf_t *us) { ngx_http_sticky_peer_data_t *iphp; ngx_str_t route; ngx_uint_t i; ngx_int_t n; /* alloc custom sticky struct */ iphp = ngx_palloc(r->pool, sizeof(ngx_http_sticky_peer_data_t)); if (iphp == NULL) { return NGX_ERROR; } /* attach it to the request upstream data */ r->upstream->peer.data = &iphp->rrp; /* call the rr module on which the sticky is based on */ if (ngx_http_upstream_init_round_robin_peer(r, us) != NGX_OK) { return NGX_ERROR; } /* set the callback to select the next peer to use */ r->upstream->peer.get = ngx_http_get_sticky_peer; /* init the custom sticky struct */ iphp->get_rr_peer = ngx_http_upstream_get_round_robin_peer; iphp->selected_peer = -1; iphp->no_fallback = 0; iphp->sticky_conf = ngx_http_conf_upstream_srv_conf(us, ngx_http_sticky_module); iphp->request = r; /* check weather a cookie is present or not and save it */ if (ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &iphp->sticky_conf->cookie_name, &route) != NGX_DECLINED) { /* a route cookie has been found. Let's give it a try */ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] got cookie route=%V, " "let's try to find a matching peer", &route); /* hash or hmac, just compare digest */ if (iphp->sticky_conf->hash || iphp->sticky_conf->hmac) { /* search the digest found in the cookie in the peer digest list */ for (i = 0; i < iphp->rrp.peers->number; i++) { /* ensure the both len are equal and > 0 */ if (iphp->sticky_conf->peers[i].digest.len != route.len || route.len <= 0) { continue; } if (!ngx_strncmp(iphp->sticky_conf->peers[i].digest.data, route.data, route.len)) { /* we found a match */ iphp->selected_peer = i; ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] the route " "\"%V\"matches peer at index %ui", &route, i); return NGX_OK; } } } else { /* * switch back to index, just convert to integer and ensure it * corresponds to a valid peer */ n = ngx_atoi(route.data, route.len); if (n == NGX_ERROR) { ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, "[sticky/init_sticky_peer] unable to convert " "the route \"%V\" to an integer value", &route); } else if (n >= 0 && n < (ngx_int_t) iphp->rrp.peers->number) { /* found one */ ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] the route \"%V\" " "matches peer at index %i", &route, n); iphp->selected_peer = n; return NGX_OK; } } /* nothing was found, just continue with rr */ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] the route \"%V\"" "does not match any peer. Just ignoring it ...", &route); return NGX_OK; } /* nothing found */ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "[sticky/init_sticky_peer] route cookie not found"); return NGX_OK; /* return OK, in order to continue */ }
static ngx_int_t ngx_apikey_access_filter_handler( ngx_http_request_t *r ) { ngx_apikey_access_filter_loc_conf_t *lcf = NULL; ngx_int_t rc; u_char *last = NULL; ngx_str_t auth_header_key = ngx_string("X-AuthAPI"); ngx_str_t auth_header_value = ngx_null_string; ngx_str_t client_id = ngx_null_string; ngx_str_t issued_time = ngx_null_string; ngx_str_t client_digest = ngx_null_string; /* If the module isn't enabled..let's the request go! */ lcf = ngx_http_get_module_loc_conf(r, ngx_apikey_access_filter_module); if ( !lcf->enable ) { return NGX_OK; } // ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "uri = %V", &r->uri ); /* Let's look for the request token in the cookies */ rc = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &auth_header_key, &auth_header_value); if ( rc != NGX_DECLINED ) { ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "found auth token in cookie with value ( %s )", auth_header_value.data ); } else { /* Nothing in the cookies ? let's search the request headers */ ngx_table_elt_t *token_header = ngx_apikey_find_request_header( r, auth_header_key.data, auth_header_key.len ); if ( token_header ) { u_char *last = NULL; auth_header_value.len = ngx_strlen( token_header->value.data ); auth_header_value.data = ngx_pcalloc( r->pool, auth_header_value.len + 1 ); last = ngx_copy( auth_header_value.data, token_header->value.data, auth_header_value.len ); *last = (u_char)'\0'; //ngx_str_set( &auth_token_value, token_header->value.data ); ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "found auth token in header with value ( %s ) - (%d)", auth_header_value.data, auth_header_value.len ); } } /* Nothing found? Access Denied! */ if ( auth_header_value.data == NULL ) { ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "auth token not found neither in request header or cookie" ); return NGX_HTTP_FORBIDDEN; } /* Let's parse plain token */ last = (u_char *)ngx_strchr( auth_header_value.data, '|' ); if ( last == NULL ) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) while parsing auth token", __func__ ); return NGX_HTTP_FORBIDDEN; } /* Token parsing: client_id */ client_id.len = (last - auth_header_value.data); client_id.data = ngx_pcalloc( r->pool, client_id.len + 1 ); if ( client_id.data == NULL ) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) failed allocating memory", __func__ ); return NGX_ERROR; } last = (u_char *)ngx_copy( client_id.data, auth_header_value.data, client_id.len ); *last = (u_char)'\0'; ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "client id: %s - (%d)", client_id.data, client_id.len ); /* Token parsing: client_issued_time */ last = (u_char *)ngx_strchr( auth_header_value.data + (client_id.len + 1), (u_char)'|' ); if ( last == NULL ) { ngx_pfree( r->pool, client_id.data ); ngx_pfree( r->pool, auth_header_value.data ); ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) while parsing auth token", __func__ ); return NGX_HTTP_FORBIDDEN; } issued_time.len = ( last - auth_header_value.data - (client_id.len + 1) ); issued_time.data = ngx_pcalloc( r->pool, issued_time.len + 1 ); if ( issued_time.data == NULL ) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) failed allocating memory", __func__ ); return NGX_ERROR; } last = ngx_copy( issued_time.data, auth_header_value.data + client_id.len + 1, issued_time.len ); *last = (u_char)'\0'; ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "request time: %V", &issued_time ); /* Token parsing: digest */ client_digest.len = (auth_header_value.len - (client_id.len + 1) - (issued_time.len + 1) ); if ( client_digest.len <= 1 ) { ngx_pfree( r->pool, client_id.data ); ngx_pfree( r->pool, auth_header_value.data ); ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) while parsing auth token", __func__ ); return NGX_HTTP_FORBIDDEN; } client_digest.data = ngx_pcalloc( r->pool, client_digest.len + 1 ); if ( client_digest.data == NULL ) { ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) failed allocating memory", __func__ ); return NGX_ERROR; } last = ngx_copy( client_digest.data, auth_header_value.data + (client_id.len + 1) + (issued_time.len + 1), client_digest.len ); *last = (u_char)'\0'; ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "client digest: %V", &client_digest ); /* Verify the token digest */ rc = ngx_apikey_verify( r, &client_id, &issued_time, &client_digest ); return (rc != NGX_OK) ? NGX_HTTP_FORBIDDEN : NGX_OK; }
static ngx_int_t ngx_http_cp_handler(ngx_http_request_t *r) { ngx_http_cp_loc_conf_t *cplcf; ngx_str_t cookie, cookie_name; ngx_str_t neteye_cookie; #if (NGX_DEBUG) ngx_str_t cookie_magic; #endif ngx_int_t ret; ngx_uint_t i, j; ngx_table_elt_t **h; u_char *start, *end, *p; ngx_http_cp_monitored_cookie_t *m_cookie; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "cookie poison handler begin"); if (ngx_http_session_test_bypass(r)) { return NGX_DECLINED; } cplcf = ngx_http_get_module_loc_conf(r, ngx_http_cookie_poisoning_module); if (!cplcf->enabled) { return NGX_DECLINED; } if (ngx_http_ns_test_bypass_all(r)) { return NGX_DECLINED; } memset(&cookie, 0, sizeof(ngx_str_t)); memset(&cookie_name, 0, sizeof(ngx_str_t)); memset(&neteye_cookie, 0, sizeof(ngx_str_t)); h = r->headers_in.cookies.elts; for (i = 0; i < r->headers_in.cookies.nelts; i++) { start = p = h[i]->value.data; end = start + h[i]->value.len; /* skip the spaces at head */ for (; start < end && *start == ' '; start++) { } if (start == end) { /* no more in this value */ continue; } for (j = 0; j < h[i]->value.len; j++, p++) { if (*p == '=') { cookie_name.data = start; cookie_name.len = p - start; if (cookie_name.len == strlen(NGX_HTTP_SESSION_DEFAULT_COOKIE)) { if (!memcmp(cookie_name.data, NGX_HTTP_SESSION_DEFAULT_COOKIE, strlen(NGX_HTTP_SESSION_DEFAULT_COOKIE))) { goto next; } } /* store this cookie's value to cookie */ ret = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &cookie_name, &cookie); if (ret == NGX_DECLINED || cookie.len == 0) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "BIG ERROR!"); goto next; } ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "cookie_name: %V, cookie_data: %V", &cookie_name, &cookie); m_cookie = ngx_http_cp_check_cookie(r, &cookie_name); if (m_cookie != NULL) { /* this cookie is monitored */ if (ngx_http_cp_gen_cookie_data(r, &cookie, &neteye_cookie, m_cookie->magic) != NGX_OK) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } #if (NGX_DEBUG) cookie_magic.data = m_cookie->cookie_magic; cookie_magic.len = NGX_HTTP_CP_MD5_LEN; ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "neteye_cookie_data: %V, expected: %V", &neteye_cookie, &cookie_magic); #endif if (memcmp(m_cookie->cookie_magic, neteye_cookie.data, NGX_HTTP_CP_MD5_LEN)) { /* not matched, do action */ ret = ngx_http_cp_do_action(r, &cookie_name, &cookie); if (ret != NGX_OK) { return ret; } } } else { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "cookie is not monitored"); } next: for (; start < end && *start != ';'; start++) { } if (start == end) { /* no more in this value */ break; } /* *start == ';' */ start++; for (; start < end && *start == ' '; start++) { } if (start == end) { /* no more in this value */ break; } p = start; } } } return NGX_DECLINED; }
static ngx_int_t ngx_http_session_handler(ngx_http_request_t *r) { ngx_http_session_conf_t *sscf; ngx_http_session_t *session; ngx_http_session_list_t *session_list; ngx_str_t cookie; ngx_int_t ret; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "session handler begin"); sscf = ngx_http_get_module_loc_conf(r, ngx_http_session_module); if (!sscf->enabled) { return NGX_DECLINED; } if (ngx_http_session_request_cleanup_init(r) == NGX_ERROR) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } if (sscf->session_show_enabled || ngx_http_session_is_favico(r)) { ngx_http_session_set_bypass(r); ngx_http_session_clr_found(r); ngx_http_session_clr_create(r); return NGX_DECLINED; } memset(&cookie, 0, sizeof(ngx_str_t)); ret = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &sscf->keyword, &cookie); if (ret == NGX_DECLINED || cookie.len == 0) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "new session, create one when response"); ngx_http_session_clr_found(r); ngx_http_session_set_create(r); ngx_http_session_set_location_handler(r); /* return NGX_OK to jump over other modules in NS layer */ return NGX_OK; } session_list = ngx_http_session_shm_zone->data; ngx_shmtx_lock(&session_list->shpool->mutex); session = __ngx_http_session_search(r, &cookie); if (!session) { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "session time out!"); ngx_http_session_clr_found(r); ngx_http_session_set_create(r); ngx_http_session_set_location_handler(r); ngx_shmtx_unlock(&session_list->shpool->mutex); return NGX_OK; } else { ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "find a session"); ngx_http_session_set_found(r); ngx_http_session_clr_create(r); ngx_http_session_set_request_session(r, session); __ngx_http_session_get_ref(r); /* reset timer */ ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "reset timer: %p, timeout: %d, ref: %d\n", session, session->timeout, session->ref); session->reset = 1; session->timeout = sscf->timeout; session->est = ngx_time(); if (!ngx_queue_empty(&session->redirect_queue_node)) { ngx_queue_remove(&session->redirect_queue_node); ngx_queue_init(&session->redirect_queue_node); session_list->redirect_num--; if (session->ev.timer_set) { ngx_del_timer(&session->ev); } } __ngx_http_session_insert_to_new_chain(session_list, session); } ngx_shmtx_unlock(&session_list->shpool->mutex); /*In blacklist*/ if (!ngx_http_session_test_bypass(r) && session->bl_timeout > ngx_time()) { return NGX_ERROR; } return NGX_DECLINED; }