static ngx_int_t
ngx_http_upstream_persistence_cookie_get_peer(ngx_http_request_t *r,
ngx_str_t *data)
{
ngx_str_t index_string;
ngx_int_t n;
n = ngx_http_parse_multi_header_lines(&r->headers_in.cookies,
data, &index_string);
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"cookie_get_peer\n");
if (n == NGX_DECLINED ) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"get peer failed\n");
return -1;
}
if (index_string.len == 0) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"get peer failed, index string len is 0\n");
return -1;
}
return ngx_atoi(index_string.data, index_string.len);
}
static ngx_int_t
ngx_http_variable_cookie(ngx_http_request_t *r, ngx_http_variable_value_t *v,
uintptr_t data)
{
ngx_str_t *name = (ngx_str_t *) data;
ngx_str_t cookie, s;
s.len = name->len - (sizeof("cookie_") - 1);
s.data = name->data + sizeof("cookie_") - 1;
if (ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &s, &cookie)
== NGX_DECLINED)
{
v->not_found = 1;
return NGX_OK;
}
v->len = cookie.len;
v->valid = 1;
v->no_cacheable = 0;
v->not_found = 0;
v->data = cookie.data;
return NGX_OK;
}
/**
* Retorna 1 quando conseguiu ler o valor do cookie, que ficará em *cookie_value
*/
static int le_cookie(ngx_http_request_t *r, ngx_str_t *cookie_name, ngx_str_t *cookie_value) {
ngx_int_t rc;
/*
* Find the cookie
*/
rc = ngx_http_parse_multi_header_lines(&r->headers_in.cookies,
cookie_name, cookie_value);
if(rc == NGX_DECLINED) {
return 0;
}
return 1;
}
static ngx_int_t ngx_upstream_persistence_session_cookie_get(ngx_http_request_t *r,
ngx_http_upstream_persistence_group_t *group)
{
ngx_str_t session_string;
ngx_str_t session_key = ngx_string(NGX_HTTP_SESSION_PERSIST_ID_COOKIE);
ngx_int_t n;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"http_session_cookie_get_peer\n");
n = ngx_http_parse_multi_header_lines (&r->headers_in.cookies,
(ngx_str_t *)group->data, &session_string);
if (n == NGX_DECLINED ) {
return -1;
}
if (session_string.len == 0) {
return -1;
}
return ngx_http_upstream_persistence_cookie_get_peer(r, &session_key);
}
/*
* function called by the upstream module when it inits each peer
* it's called once per request
*/
static ngx_int_t
ngx_http_init_sticky_peer(ngx_http_request_t *r, ngx_http_upstream_srv_conf_t *us)
{
ngx_http_sticky_peer_data_t *iphp;
ngx_str_t route;
ngx_uint_t i;
ngx_int_t n;
/* alloc custom sticky struct */
iphp = ngx_palloc(r->pool, sizeof(ngx_http_sticky_peer_data_t));
if (iphp == NULL) {
return NGX_ERROR;
}
/* attach it to the request upstream data */
r->upstream->peer.data = &iphp->rrp;
/* call the rr module on which the sticky is based on */
if (ngx_http_upstream_init_round_robin_peer(r, us) != NGX_OK) {
return NGX_ERROR;
}
/* set the callback to select the next peer to use */
r->upstream->peer.get = ngx_http_get_sticky_peer;
/* init the custom sticky struct */
iphp->get_rr_peer = ngx_http_upstream_get_round_robin_peer;
iphp->selected_peer = -1;
iphp->no_fallback = 0;
iphp->sticky_conf = ngx_http_conf_upstream_srv_conf(us,
ngx_http_sticky_module);
iphp->request = r;
/* check weather a cookie is present or not and save it */
if (ngx_http_parse_multi_header_lines(&r->headers_in.cookies,
&iphp->sticky_conf->cookie_name,
&route) != NGX_DECLINED)
{
/* a route cookie has been found. Let's give it a try */
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"[sticky/init_sticky_peer] got cookie route=%V, "
"let's try to find a matching peer", &route);
/* hash or hmac, just compare digest */
if (iphp->sticky_conf->hash || iphp->sticky_conf->hmac) {
/* search the digest found in the cookie in the peer digest list */
for (i = 0; i < iphp->rrp.peers->number; i++) {
/* ensure the both len are equal and > 0 */
if (iphp->sticky_conf->peers[i].digest.len != route.len
|| route.len <= 0) {
continue;
}
if (!ngx_strncmp(iphp->sticky_conf->peers[i].digest.data,
route.data, route.len)) {
/* we found a match */
iphp->selected_peer = i;
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"[sticky/init_sticky_peer] the route "
"\"%V\"matches peer at index %ui",
&route, i);
return NGX_OK;
}
}
} else {
/*
* switch back to index, just convert to integer and ensure it
* corresponds to a valid peer
*/
n = ngx_atoi(route.data, route.len);
if (n == NGX_ERROR) {
ngx_log_error(NGX_LOG_WARN, r->connection->log, 0,
"[sticky/init_sticky_peer] unable to convert "
"the route \"%V\" to an integer value", &route);
} else if (n >= 0 && n < (ngx_int_t) iphp->rrp.peers->number) {
/* found one */
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"[sticky/init_sticky_peer] the route \"%V\" "
"matches peer at index %i", &route, n);
iphp->selected_peer = n;
return NGX_OK;
}
}
/* nothing was found, just continue with rr */
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"[sticky/init_sticky_peer] the route \"%V\""
"does not match any peer. Just ignoring it ...", &route);
return NGX_OK;
}
/* nothing found */
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"[sticky/init_sticky_peer] route cookie not found");
return NGX_OK; /* return OK, in order to continue */
}
static ngx_int_t
ngx_apikey_access_filter_handler( ngx_http_request_t *r ) {
ngx_apikey_access_filter_loc_conf_t *lcf = NULL;
ngx_int_t rc;
u_char *last = NULL;
ngx_str_t auth_header_key = ngx_string("X-AuthAPI");
ngx_str_t auth_header_value = ngx_null_string;
ngx_str_t client_id = ngx_null_string;
ngx_str_t issued_time = ngx_null_string;
ngx_str_t client_digest = ngx_null_string;
/* If the module isn't enabled..let's the request go! */
lcf = ngx_http_get_module_loc_conf(r, ngx_apikey_access_filter_module);
if ( !lcf->enable ) {
return NGX_OK;
}
// ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "uri = %V", &r->uri );
/* Let's look for the request token in the cookies */
rc = ngx_http_parse_multi_header_lines(&r->headers_in.cookies, &auth_header_key, &auth_header_value);
if ( rc != NGX_DECLINED ) {
ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"found auth token in cookie with value ( %s )", auth_header_value.data );
} else {
/* Nothing in the cookies ? let's search the request headers */
ngx_table_elt_t *token_header = ngx_apikey_find_request_header( r, auth_header_key.data, auth_header_key.len );
if ( token_header ) {
u_char *last = NULL;
auth_header_value.len = ngx_strlen( token_header->value.data );
auth_header_value.data = ngx_pcalloc( r->pool, auth_header_value.len + 1 );
last = ngx_copy( auth_header_value.data, token_header->value.data, auth_header_value.len );
*last = (u_char)'\0';
//ngx_str_set( &auth_token_value, token_header->value.data );
ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"found auth token in header with value ( %s ) - (%d)", auth_header_value.data, auth_header_value.len );
}
}
/* Nothing found? Access Denied! */
if ( auth_header_value.data == NULL ) {
ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "auth token not found neither in request header or cookie" );
return NGX_HTTP_FORBIDDEN;
}
/* Let's parse plain token */
last = (u_char *)ngx_strchr( auth_header_value.data, '|' );
if ( last == NULL ) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) while parsing auth token", __func__ );
return NGX_HTTP_FORBIDDEN;
}
/* Token parsing: client_id */
client_id.len = (last - auth_header_value.data);
client_id.data = ngx_pcalloc( r->pool, client_id.len + 1 );
if ( client_id.data == NULL ) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) failed allocating memory", __func__ );
return NGX_ERROR;
}
last = (u_char *)ngx_copy( client_id.data, auth_header_value.data, client_id.len );
*last = (u_char)'\0';
ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "client id: %s - (%d)", client_id.data, client_id.len );
/* Token parsing: client_issued_time */
last = (u_char *)ngx_strchr( auth_header_value.data + (client_id.len + 1), (u_char)'|' );
if ( last == NULL ) {
ngx_pfree( r->pool, client_id.data );
ngx_pfree( r->pool, auth_header_value.data );
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) while parsing auth token", __func__ );
return NGX_HTTP_FORBIDDEN;
}
issued_time.len = ( last - auth_header_value.data - (client_id.len + 1) );
issued_time.data = ngx_pcalloc( r->pool, issued_time.len + 1 );
if ( issued_time.data == NULL ) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) failed allocating memory", __func__ );
return NGX_ERROR;
}
last = ngx_copy( issued_time.data, auth_header_value.data + client_id.len + 1, issued_time.len );
*last = (u_char)'\0';
ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "request time: %V", &issued_time );
/* Token parsing: digest */
client_digest.len = (auth_header_value.len - (client_id.len + 1) - (issued_time.len + 1) );
if ( client_digest.len <= 1 ) {
ngx_pfree( r->pool, client_id.data );
ngx_pfree( r->pool, auth_header_value.data );
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) while parsing auth token", __func__ );
return NGX_HTTP_FORBIDDEN;
}
client_digest.data = ngx_pcalloc( r->pool, client_digest.len + 1 );
if ( client_digest.data == NULL ) {
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "(%s) failed allocating memory", __func__ );
return NGX_ERROR;
}
last = ngx_copy( client_digest.data, auth_header_value.data + (client_id.len + 1) + (issued_time.len + 1), client_digest.len );
*last = (u_char)'\0';
ngx_log_debug( NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "client digest: %V", &client_digest );
/* Verify the token digest */
rc = ngx_apikey_verify( r, &client_id, &issued_time, &client_digest );
return (rc != NGX_OK) ? NGX_HTTP_FORBIDDEN : NGX_OK;
}
static ngx_int_t
ngx_http_cp_handler(ngx_http_request_t *r)
{
ngx_http_cp_loc_conf_t *cplcf;
ngx_str_t cookie, cookie_name;
ngx_str_t neteye_cookie;
#if (NGX_DEBUG)
ngx_str_t cookie_magic;
#endif
ngx_int_t ret;
ngx_uint_t i, j;
ngx_table_elt_t **h;
u_char *start, *end, *p;
ngx_http_cp_monitored_cookie_t *m_cookie;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"cookie poison handler begin");
if (ngx_http_session_test_bypass(r)) {
return NGX_DECLINED;
}
cplcf = ngx_http_get_module_loc_conf(r, ngx_http_cookie_poisoning_module);
if (!cplcf->enabled) {
return NGX_DECLINED;
}
if (ngx_http_ns_test_bypass_all(r)) {
return NGX_DECLINED;
}
memset(&cookie, 0, sizeof(ngx_str_t));
memset(&cookie_name, 0, sizeof(ngx_str_t));
memset(&neteye_cookie, 0, sizeof(ngx_str_t));
h = r->headers_in.cookies.elts;
for (i = 0; i < r->headers_in.cookies.nelts; i++) {
start = p = h[i]->value.data;
end = start + h[i]->value.len;
/* skip the spaces at head */
for (; start < end && *start == ' '; start++) { }
if (start == end) {
/* no more in this value */
continue;
}
for (j = 0; j < h[i]->value.len; j++, p++) {
if (*p == '=') {
cookie_name.data = start;
cookie_name.len = p - start;
if (cookie_name.len == strlen(NGX_HTTP_SESSION_DEFAULT_COOKIE)) {
if (!memcmp(cookie_name.data,
NGX_HTTP_SESSION_DEFAULT_COOKIE,
strlen(NGX_HTTP_SESSION_DEFAULT_COOKIE))) {
goto next;
}
}
/* store this cookie's value to cookie */
ret = ngx_http_parse_multi_header_lines(&r->headers_in.cookies,
&cookie_name, &cookie);
if (ret == NGX_DECLINED
|| cookie.len == 0) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"BIG ERROR!");
goto next;
}
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"cookie_name: %V, cookie_data: %V",
&cookie_name, &cookie);
m_cookie = ngx_http_cp_check_cookie(r, &cookie_name);
if (m_cookie != NULL) {
/* this cookie is monitored */
if (ngx_http_cp_gen_cookie_data(r, &cookie,
&neteye_cookie, m_cookie->magic) != NGX_OK) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
#if (NGX_DEBUG)
cookie_magic.data = m_cookie->cookie_magic;
cookie_magic.len = NGX_HTTP_CP_MD5_LEN;
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"neteye_cookie_data: %V, expected: %V",
&neteye_cookie, &cookie_magic);
#endif
if (memcmp(m_cookie->cookie_magic, neteye_cookie.data,
NGX_HTTP_CP_MD5_LEN)) {
/* not matched, do action */
ret = ngx_http_cp_do_action(r, &cookie_name, &cookie);
if (ret != NGX_OK) {
return ret;
}
}
} else {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"cookie is not monitored");
}
next:
for (; start < end && *start != ';'; start++) { }
if (start == end) {
/* no more in this value */
break;
}
/* *start == ';' */
start++;
for (; start < end && *start == ' '; start++) { }
if (start == end) {
/* no more in this value */
break;
}
p = start;
}
}
}
return NGX_DECLINED;
}
static ngx_int_t
ngx_http_session_handler(ngx_http_request_t *r)
{
ngx_http_session_conf_t *sscf;
ngx_http_session_t *session;
ngx_http_session_list_t *session_list;
ngx_str_t cookie;
ngx_int_t ret;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"session handler begin");
sscf = ngx_http_get_module_loc_conf(r, ngx_http_session_module);
if (!sscf->enabled) {
return NGX_DECLINED;
}
if (ngx_http_session_request_cleanup_init(r) == NGX_ERROR) {
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
if (sscf->session_show_enabled
|| ngx_http_session_is_favico(r)) {
ngx_http_session_set_bypass(r);
ngx_http_session_clr_found(r);
ngx_http_session_clr_create(r);
return NGX_DECLINED;
}
memset(&cookie, 0, sizeof(ngx_str_t));
ret = ngx_http_parse_multi_header_lines(&r->headers_in.cookies,
&sscf->keyword, &cookie);
if (ret == NGX_DECLINED
|| cookie.len == 0) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"new session, create one when response");
ngx_http_session_clr_found(r);
ngx_http_session_set_create(r);
ngx_http_session_set_location_handler(r);
/* return NGX_OK to jump over other modules in NS layer */
return NGX_OK;
}
session_list = ngx_http_session_shm_zone->data;
ngx_shmtx_lock(&session_list->shpool->mutex);
session = __ngx_http_session_search(r, &cookie);
if (!session) {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"session time out!");
ngx_http_session_clr_found(r);
ngx_http_session_set_create(r);
ngx_http_session_set_location_handler(r);
ngx_shmtx_unlock(&session_list->shpool->mutex);
return NGX_OK;
} else {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"find a session");
ngx_http_session_set_found(r);
ngx_http_session_clr_create(r);
ngx_http_session_set_request_session(r, session);
__ngx_http_session_get_ref(r);
/* reset timer */
ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"reset timer: %p, timeout: %d, ref: %d\n",
session, session->timeout, session->ref);
session->reset = 1;
session->timeout = sscf->timeout;
session->est = ngx_time();
if (!ngx_queue_empty(&session->redirect_queue_node)) {
ngx_queue_remove(&session->redirect_queue_node);
ngx_queue_init(&session->redirect_queue_node);
session_list->redirect_num--;
if (session->ev.timer_set) {
ngx_del_timer(&session->ev);
}
}
__ngx_http_session_insert_to_new_chain(session_list, session);
}
ngx_shmtx_unlock(&session_list->shpool->mutex);
/*In blacklist*/
if (!ngx_http_session_test_bypass(r) && session->bl_timeout > ngx_time()) {
return NGX_ERROR;
}
return NGX_DECLINED;
}
