authorRoman Arutyunyan <arut@nginx.com>2025-05-20 15:33:20 +0400
committerRoman Arutyunyan <arut@nginx.com>2025-05-25 22:16:04 +0400
commitd76e3d301644cfc6a2d914976b6098eb98b9e5b9 (patch)
treeb3aa4ef70b07d641e9c5b6d0693bb121b389ba7d /src/http/ngx_http_variables.c
parent6a134dfd4888fc3850d22294687cfb3940994c69 (diff)
HTTP CONNECT proxy.tunnel
The HTTP CONNECT method is now supported in HTTP/1 connections. It's disabled in all currently existing standard modules. A new variable $port is added that contains the port passed by the client in HTTP CONNECT. The $host variable contains the host part. A new module, ngx_http_tunnel, is added which establishes a tunnel to a backend. It supports the newly added HTTP CONNECT method and can be used to set up an HTTP CONNECT proxy. As recommended by RFC 9110, the proxy target should be restricted to ensure safe proxying: : Proxies that support CONNECT SHOULD restrict its use to a limited set : of known ports or a configurable list of safe request targets. Example config: server { listen 8000; resolver dns.example.com; map $port $tun_port { 80 1; 443 1; } map $host $tun_host { hostnames; example.com 1; *.example.org 1; } map $tun_port$tun_host $tun { 11 $host:$port; } location / { tunnel_pass $tun; } } Request: $ curl -px 127.0.0.1:8000 http://example.com
Diffstat (limited to 'src/http/ngx_http_variables.c')
-rw-r--r--src/http/ngx_http_variables.c17
1 files changed, 17 insertions, 0 deletions
diff --git a/src/http/ngx_http_variables.c b/src/http/ngx_http_variables.c
index 4f0bd0e4b..8f0946b0d 100644
--- a/src/http/ngx_http_variables.c
+++ b/src/http/ngx_http_variables.c
@@ -51,6 +51,8 @@ static ngx_int_t ngx_http_variable_content_length(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_variable_host(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_variable_port(ngx_http_request_t *r,
+ ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_variable_binary_remote_addr(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_http_variable_remote_addr(ngx_http_request_t *r,
@@ -192,6 +194,7 @@ static ngx_http_variable_t ngx_http_core_variables[] = {
offsetof(ngx_http_request_t, headers_in.content_type), 0, 0 },
{ ngx_string("host"), NULL, ngx_http_variable_host, 0, 0, 0 },
+ { ngx_string("port"), NULL, ngx_http_variable_port, 0, 0, 0 },
{ ngx_string("binary_remote_addr"), NULL,
ngx_http_variable_binary_remote_addr, 0, 0, 0 },
@@ -1245,6 +1248,20 @@ ngx_http_variable_host(ngx_http_request_t *r, ngx_http_variable_value_t *v,
static ngx_int_t
+ngx_http_variable_port(ngx_http_request_t *r, ngx_http_variable_value_t *v,
+ uintptr_t data)
+{
+ v->len = r->headers_in.port.len;
+ v->valid = 1;
+ v->no_cacheable = 0;
+ v->not_found = 0;
+ v->data = r->headers_in.port.data;
+
+ return NGX_OK;
+}
+
+
+static ngx_int_t
ngx_http_variable_binary_remote_addr(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data)
{
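Review bot: ngx_http_variable_port() returns r->headers_in.port unchanged and always sets `valid = 1` and `not_found = 0`, so a request that carried no port yields an empty but "found" value. Nothing in this file shows where the bytes are checked. The commit message has $port feeding both the allow-list `map` and the `$host:$port` tunnel target, so the function should carry a comment naming the trust boundary, for example `/* client-supplied CONNECT port; digits and range are checked by the request parser, empty when absent */`. That assumes the parser, which is outside this diff, really does enforce it. If an absent port should be distinguishable from an empty string, `v->not_found = (r->headers_in.port.len == 0);` would make that explicit, though whether callers want it is a design choice. The trailing context lines belong to ngx_http_variable_binary_remote_addr(), whose body continues outside the hunk.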