Retain CAP_NET_RAW capability for transparent proxying.

The capability is retained automatically in unprivileged worker processes after changing UID if transparent proxying is enabled at least once in nginx configuration. The feature is only available in Linux.
author: Roman Arutyunyan <arut@nginx.com> 2017-12-13 20:40:53 +0300
committer: Roman Arutyunyan <arut@nginx.com> 2017-12-13 20:40:53 +0300
commit: 752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5 (patch)
tree: 78fc3bcc2f52d8fc71fa4ec12080fdf891e0a113 /src/http
parent: d2d737e70b46429ef9ed71b99402a9151f3c2e1f (diff)
download: nginx-752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5.tar.gz
nginx-752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5.tar.bz2
1 files changed, 6 insertions, 0 deletions
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 6d0f4ee52..f8d5707d3 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -6078,6 +6078,12 @@ ngx_http_upstream_bind_set_slot(ngx_conf_t *cf, ngx_command_t *cmd,
     if (cf->args->nelts > 2) {
         if (ngx_strcmp(value[2].data, "transparent") == 0) {
 #if (NGX_HAVE_TRANSPARENT_PROXY)
+            ngx_core_conf_t  *ccf;
+
+            ccf = (ngx_core_conf_t *) ngx_get_conf(cf->cycle->conf_ctx,
+                                                   ngx_core_module);
+
+            ccf->transparent = 1;
             local->transparent = 1;
 #else
             ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
author	Roman Arutyunyan <arut@nginx.com>	2017-12-13 20:40:53 +0300
committer	Roman Arutyunyan <arut@nginx.com>	2017-12-13 20:40:53 +0300
commit	752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5 (patch)
tree	78fc3bcc2f52d8fc71fa4ec12080fdf891e0a113 /src/http
parent	d2d737e70b46429ef9ed71b99402a9151f3c2e1f (diff)
download	nginx-752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5.tar.gz nginx-752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5.tar.bz2