访问权限校验 -- ngx_http_core_access_phase

2016-01-29 23:34:31   最后更新: 2016-01-29 23:34:31   访问数量:955




权限验证是服务器提供的最基本的功能之一,nginx 当然也提供了这一功能

在之前的博客中,我们介绍了 nginx 请求处理的 11 个阶段:

HTTP 请求处理的 11 个阶段 -- ngx_http_handler

权限验证就是在 NGX_HTTP_ACCESS_PHASE 阶段完成的

 

NGX_HTTP_ACCESS_PHASE 阶段的 checker 是 ngx_http_core_access_phase 函数

// ngx_int_t // ngx_http_core_access_phase(ngx_http_request_t *r, // ngx_http_phase_handler_t *ph) // NGX_HTTP_POST_ACCESS_PHASE 阶段 checker,判断用户是否有权限访问 {{{ ngx_int_t ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph) { ngx_int_t rc; ngx_http_core_loc_conf_t *clcf; if (r != r->main) { r->phase_handler = ph->next; return NGX_AGAIN; } ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "access phase: %ui", r->phase_handler); // ngx_http_access_handler,访问权限判断 // ngx_http_auth_basic_handler, ngx_http_auth_basic_module 提供密码验证 rc = ph->handler(r); if (rc == NGX_DECLINED) { r->phase_handler++; return NGX_AGAIN; } if (rc == NGX_AGAIN || rc == NGX_DONE) { return NGX_OK; } clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); if (clcf->satisfy == NGX_HTTP_SATISFY_ALL) { if (rc == NGX_OK) { r->phase_handler++; return NGX_AGAIN; } } else { if (rc == NGX_OK) { r->access_code = 0; if (r->headers_out.www_authenticate) { r->headers_out.www_authenticate->hash = 0; } r->phase_handler = ph->next; return NGX_AGAIN; } if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) { if (r->access_code != NGX_HTTP_UNAUTHORIZED) { r->access_code = rc; } r->phase_handler++; return NGX_AGAIN; } } /* rc == NGX_ERROR || rc == NGX_HTTP_... */ ngx_http_finalize_request(r, rc); return NGX_OK; } // }}}

 

 

如注释中缩写,他先后调用了 ngx_http_access_handler 和 ngx_http_auth_basic_handler

ngx_http_access_handler 函数是 nginx 提供的通过配置实现对 IP 封禁的功能

而 ngx_http_auth_basic_handler 函数则是 ngx_http_auth_basic_module 实现的用户名、密码的校验

 

// static ngx_int_t ngx_http_access_handler(ngx_http_request_t *r) // NGX_HTTP_POST_ACCESS_PHASE 阶段 handler,判断用户是否有权限访问 {{{ static ngx_int_t ngx_http_access_handler(ngx_http_request_t *r) { struct sockaddr_in *sin; ngx_http_access_loc_conf_t *alcf; #if (NGX_HAVE_INET6) u_char *p; in_addr_t addr; struct sockaddr_in6 *sin6; #endif alcf = ngx_http_get_module_loc_conf(r, ngx_http_access_module); switch (r->connection->sockaddr->sa_family) { case AF_INET: if (alcf->rules) { sin = (struct sockaddr_in *) r->connection->sockaddr; // 根据地址结构判断是否可以访问 return ngx_http_access_inet(r, alcf, sin->sin_addr.s_addr); } break; #if (NGX_HAVE_INET6) case AF_INET6: sin6 = (struct sockaddr_in6 *) r->connection->sockaddr; p = sin6->sin6_addr.s6_addr; if (alcf->rules && IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr)) { addr = p[12] << 24; addr += p[13] << 16; addr += p[14] << 8; addr += p[15]; // 根据地址结构判断是否可以访问 return ngx_http_access_inet(r, alcf, htonl(addr)); } if (alcf->rules6) { // 根据地址结构判断是否可以访问 return ngx_http_access_inet6(r, alcf, p); } break; #endif #if (NGX_HAVE_UNIX_DOMAIN) case AF_UNIX: if (alcf->rules_un) { // 根据地址结构判断是否可以访问 return ngx_http_access_unix(r, alcf); } break; #endif } return NGX_DECLINED; } // }}}

 

 

这里调用了 ngx_http_access_inet 校验地址的权限:

// static ngx_int_t // ngx_http_access_inet(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf, // in_addr_t addr) // 判断 IP 是否可访问 {{{ static ngx_int_t ngx_http_access_inet(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf, in_addr_t addr) { ngx_uint_t i; ngx_http_access_rule_t *rule; rule = alcf->rules->elts; for (i = 0; i < alcf->rules->nelts; i++) { ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "access: %08XD %08XD %08XD", addr, rule[i].mask, rule[i].addr); if ((addr & rule[i].mask) == rule[i].addr) { return ngx_http_access_found(r, rule[i].deny); } } return NGX_DECLINED; } // }}}

 

 

相较之上面的校验,通过用户名、密码校验要显得复杂一些

// static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r) // ngx_http_auth_basic_module 提供密码验证 {{{ static ngx_int_t ngx_http_auth_basic_handler(ngx_http_request_t *r) { off_t offset; ssize_t n; ngx_fd_t fd; ngx_int_t rc; ngx_err_t err; ngx_str_t pwd, realm, user_file; ngx_uint_t i, level, login, left, passwd; ngx_file_t file; ngx_http_auth_basic_ctx_t *ctx; ngx_http_auth_basic_loc_conf_t *alcf; u_char buf[NGX_HTTP_AUTH_BUF_SIZE]; enum { sw_login, sw_passwd, sw_skip } state; alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module); if (alcf->realm == NULL || alcf->user_file.value.data == NULL) { return NGX_DECLINED; } if (ngx_http_complex_value(r, alcf->realm, &realm) != NGX_OK) { return NGX_ERROR; } if (realm.len == 3 && ngx_strncmp(realm.data, "off", 3) == 0) { return NGX_DECLINED; } ctx = ngx_http_get_module_ctx(r, ngx_http_auth_basic_module); if (ctx) { return ngx_http_auth_basic_crypt_handler(r, ctx, &ctx->passwd, &realm); } // 获取请求中的用户名、密码 rc = ngx_http_auth_basic_user(r); if (rc == NGX_DECLINED) { ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "no user/password was provided for basic authentication"); return ngx_http_auth_basic_set_realm(r, &realm); } if (rc == NGX_ERROR) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } // 获取用户配置的密码文件 if (ngx_http_complex_value(r, &alcf->user_file, &user_file) != NGX_OK) { return NGX_ERROR; } // 打开密码文件 fd = ngx_open_file(user_file.data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); if (fd == NGX_INVALID_FILE) { err = ngx_errno; if (err == NGX_ENOENT) { level = NGX_LOG_ERR; rc = NGX_HTTP_FORBIDDEN; } else { level = NGX_LOG_CRIT; rc = NGX_HTTP_INTERNAL_SERVER_ERROR; } ngx_log_error(level, r->connection->log, err, ngx_open_file_n " \"%s\" failed", user_file.data); return rc; } ngx_memzero(&file, sizeof(ngx_file_t)); file.fd = fd; file.name = user_file; file.log = r->connection->log; state = sw_login; passwd = 0; login = 0; left = 0; offset = 0; for ( ;; ) { i = left; // 将文件内容载入内存 n = ngx_read_file(&file, buf + left, NGX_HTTP_AUTH_BUF_SIZE - left, offset); if (n == NGX_ERROR) { ngx_http_auth_basic_close(&file); return NGX_HTTP_INTERNAL_SERVER_ERROR; } if (n == 0) { break; } // 解析密码文件内容 for (i = left; i < left + n; i++) { switch (state) { case sw_login: if (login == 0) { if (buf[i] == '#' || buf[i] == CR) { state = sw_skip; break; } if (buf[i] == LF) { break; } } if (buf[i] != r->headers_in.user.data[login]) { state = sw_skip; break; } if (login == r->headers_in.user.len) { state = sw_passwd; passwd = i + 1; } login++; break; case sw_passwd: if (buf[i] == LF || buf[i] == CR || buf[i] == ':') { buf[i] = '\0'; ngx_http_auth_basic_close(&file); pwd.len = i - passwd; pwd.data = &buf[passwd]; // 用户名、密码校验 return ngx_http_auth_basic_crypt_handler(r, NULL, &pwd, &realm); } break; case sw_skip: if (buf[i] == LF) { state = sw_login; login = 0; } break; } } if (state == sw_passwd) { left = left + n - passwd; ngx_memmove(buf, &buf[passwd], left); passwd = 0; } else { left = 0; } offset += n; } ngx_http_auth_basic_close(&file); if (state == sw_passwd) { pwd.len = i - passwd; pwd.data = ngx_pnalloc(r->pool, pwd.len + 1); if (pwd.data == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1); return ngx_http_auth_basic_crypt_handler(r, NULL, &pwd, &realm); } ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "user \"%V\" was not found in \"%V\"", &r->headers_in.user, &user_file); return ngx_http_auth_basic_set_realm(r, &realm); } // }}}

 

 

首先,调用 ngx_http_auth_basic_user 函数获取了请求 header 中的用户名、密码信息,并保存在请求结构中:

// ngx_int_t ngx_http_auth_basic_user(ngx_http_request_t *r) // 获取 header 中的用户名密码 {{{ ngx_int_t ngx_http_auth_basic_user(ngx_http_request_t *r) { ngx_str_t auth, encoded; ngx_uint_t len; if (r->headers_in.user.len == 0 && r->headers_in.user.data != NULL) { return NGX_DECLINED; } if (r->headers_in.authorization == NULL) { r->headers_in.user.data = (u_char *) ""; return NGX_DECLINED; } // 获取 header encoded = r->headers_in.authorization->value; // HEADER 错误 if (encoded.len < sizeof("Basic ") - 1 || ngx_strncasecmp(encoded.data, (u_char *) "Basic ", sizeof("Basic ") - 1) != 0) { r->headers_in.user.data = (u_char *) ""; return NGX_DECLINED; } // 只保留密码全文 encoded.len -= sizeof("Basic ") - 1; encoded.data += sizeof("Basic ") - 1; while (encoded.len && encoded.data[0] == ' ') { encoded.len--; encoded.data++; } if (encoded.len == 0) { r->headers_in.user.data = (u_char *) ""; return NGX_DECLINED; } // 获取密码长度 auth.len = ngx_base64_decoded_length(encoded.len); auth.data = ngx_pnalloc(r->pool, auth.len + 1); if (auth.data == NULL) { return NGX_ERROR; } // base64_decode if (ngx_decode_base64(&auth, &encoded) != NGX_OK) { r->headers_in.user.data = (u_char *) ""; return NGX_DECLINED; } auth.data[auth.len] = '\0'; // 将用户名、密码保存在请求体 headers_in 结构中 for (len = 0; len < auth.len; len++) { if (auth.data[len] == ':') { break; } } if (len == 0 || len == auth.len) { r->headers_in.user.data = (u_char *) ""; return NGX_DECLINED; } r->headers_in.user.len = len; r->headers_in.user.data = auth.data; r->headers_in.passwd.len = auth.len - len - 1; r->headers_in.passwd.data = &auth.data[len + 1]; return NGX_OK; } // }}}

 

 

然后通过解析用户配置文件获取配置的用户名密码,最后调用 ngx_http_auth_basic_crypt_handler 进行校验

// static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, // ngx_http_auth_basic_ctx_t *ctx, ngx_str_t *passwd, ngx_str_t *realm) // 密码校验 {{{ static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r, ngx_http_auth_basic_ctx_t *ctx, ngx_str_t *passwd, ngx_str_t *realm) { ngx_int_t rc; u_char *encrypted; rc = ngx_crypt(r->pool, r->headers_in.passwd.data, passwd->data, &encrypted); ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "rc: %d user: \"%V\" salt: \"%s\"", rc, &r->headers_in.user, passwd->data); if (rc == NGX_OK) { if (ngx_strcmp(encrypted, passwd->data) == 0) { return NGX_OK; } ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "encrypted: \"%s\"", encrypted); ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "user \"%V\": password mismatch", &r->headers_in.user); // 设置 401 返回头 return ngx_http_auth_basic_set_realm(r, realm); } if (rc == NGX_ERROR) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } /* rc == NGX_AGAIN */ if (ctx == NULL) { ctx = ngx_palloc(r->pool, sizeof(ngx_http_auth_basic_ctx_t)); if (ctx == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } ngx_http_set_ctx(r, ctx, ngx_http_auth_basic_module); ctx->passwd.len = passwd->len; passwd->len++; ctx->passwd.data = ngx_pstrdup(r->pool, passwd); if (ctx->passwd.data == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } } /* TODO: add mutex event */ return rc; } // }}}

 

 

对于校验错误的情况,就会返回 401,这里调用了 ngx_http_auth_basic_set_realm 设置 401 返回头

// static ngx_int_t // ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm) // 设置 401 返回头 {{{ static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm) { size_t len; u_char *basic, *p; r->headers_out.www_authenticate = ngx_list_push(&r->headers_out.headers); if (r->headers_out.www_authenticate == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } len = sizeof("Basic realm=\"\"") - 1 + realm->len; basic = ngx_pnalloc(r->pool, len); if (basic == NULL) { return NGX_HTTP_INTERNAL_SERVER_ERROR; } p = ngx_cpymem(basic, "Basic realm=\"", sizeof("Basic realm=\"") - 1); p = ngx_cpymem(p, realm->data, realm->len); *p = '"'; r->headers_out.www_authenticate->hash = 1; ngx_str_set(&r->headers_out.www_authenticate->key, "WWW-Authenticate"); r->headers_out.www_authenticate->value.data = basic; r->headers_out.www_authenticate->value.len = len; return NGX_HTTP_UNAUTHORIZED; } // }}}

 

 






技术帖      龙潭书斋      nginx      源码      opensource      sourcecode      开源      source      校验      ngx_http_core_access_phase      ngx_http_auth_basic_module     


京ICP备15018585号