The new auth_delay directive for delaying unauthorized requests.
The request processing is delayed by a timer. Since nginx updates internal time once at the start of each event loop iteration, this normally ensures constant time delay, adding a mitigation from time-based attacks. A notable exception to this is the case when there are no additional events before the timer expires. To ensure constant-time processing in this case as well, we trigger an additional event loop iteration by posting a dummy event for the next event loop iteration.
This commit is contained in:
parent
a52fc791ad
commit
814df8f412
2 changed files with 82 additions and 1 deletions
|
@ -21,6 +21,9 @@ typedef struct {
|
|||
#define NGX_HTTP_REQUEST_BODY_FILE_CLEAN 2
|
||||
|
||||
|
||||
static ngx_int_t ngx_http_core_auth_delay(ngx_http_request_t *r);
|
||||
static void ngx_http_core_auth_delay_handler(ngx_http_request_t *r);
|
||||
|
||||
static ngx_int_t ngx_http_core_find_location(ngx_http_request_t *r);
|
||||
static ngx_int_t ngx_http_core_find_static_location(ngx_http_request_t *r,
|
||||
ngx_http_location_tree_node_t *node);
|
||||
|
@ -520,6 +523,13 @@ static ngx_command_t ngx_http_core_commands[] = {
|
|||
offsetof(ngx_http_core_loc_conf_t, satisfy),
|
||||
&ngx_http_core_satisfy },
|
||||
|
||||
{ ngx_string("auth_delay"),
|
||||
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
|
||||
ngx_conf_set_msec_slot,
|
||||
NGX_HTTP_LOC_CONF_OFFSET,
|
||||
offsetof(ngx_http_core_loc_conf_t, auth_delay),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("internal"),
|
||||
NGX_HTTP_LOC_CONF|NGX_CONF_NOARGS,
|
||||
ngx_http_core_internal,
|
||||
|
@ -1124,6 +1134,10 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
|
|||
|
||||
/* rc == NGX_ERROR || rc == NGX_HTTP_... */
|
||||
|
||||
if (rc == NGX_HTTP_UNAUTHORIZED) {
|
||||
return ngx_http_core_auth_delay(r);
|
||||
}
|
||||
|
||||
ngx_http_finalize_request(r, rc);
|
||||
return NGX_OK;
|
||||
}
|
||||
|
@ -1141,12 +1155,17 @@ ngx_http_core_post_access_phase(ngx_http_request_t *r,
|
|||
access_code = r->access_code;
|
||||
|
||||
if (access_code) {
|
||||
r->access_code = 0;
|
||||
|
||||
if (access_code == NGX_HTTP_FORBIDDEN) {
|
||||
ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
|
||||
"access forbidden by rule");
|
||||
}
|
||||
|
||||
r->access_code = 0;
|
||||
if (access_code == NGX_HTTP_UNAUTHORIZED) {
|
||||
return ngx_http_core_auth_delay(r);
|
||||
}
|
||||
|
||||
ngx_http_finalize_request(r, access_code);
|
||||
return NGX_OK;
|
||||
}
|
||||
|
@ -1156,6 +1175,65 @@ ngx_http_core_post_access_phase(ngx_http_request_t *r,
|
|||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_http_core_auth_delay(ngx_http_request_t *r)
|
||||
{
|
||||
ngx_http_core_loc_conf_t *clcf;
|
||||
|
||||
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
|
||||
|
||||
if (clcf->auth_delay == 0) {
|
||||
ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
|
||||
"delaying unauthorized request");
|
||||
|
||||
if (ngx_handle_read_event(r->connection->read, 0) != NGX_OK) {
|
||||
return NGX_HTTP_INTERNAL_SERVER_ERROR;
|
||||
}
|
||||
|
||||
r->read_event_handler = ngx_http_test_reading;
|
||||
r->write_event_handler = ngx_http_core_auth_delay_handler;
|
||||
|
||||
r->connection->write->delayed = 1;
|
||||
ngx_add_timer(r->connection->write, clcf->auth_delay);
|
||||
|
||||
/*
|
||||
* trigger an additional event loop iteration
|
||||
* to ensure constant-time processing
|
||||
*/
|
||||
|
||||
ngx_post_event(r->connection->write, &ngx_posted_next_events);
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
static void
|
||||
ngx_http_core_auth_delay_handler(ngx_http_request_t *r)
|
||||
{
|
||||
ngx_event_t *wev;
|
||||
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
||||
"auth delay handler");
|
||||
|
||||
wev = r->connection->write;
|
||||
|
||||
if (wev->delayed) {
|
||||
|
||||
if (ngx_handle_write_event(wev, 0) != NGX_OK) {
|
||||
ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
|
||||
}
|
||||
|
||||
return;
|
||||
}
|
||||
|
||||
ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
|
||||
}
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_http_core_content_phase(ngx_http_request_t *r,
|
||||
ngx_http_phase_handler_t *ph)
|
||||
|
@ -3394,6 +3472,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
|
|||
clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE;
|
||||
clcf->client_body_timeout = NGX_CONF_UNSET_MSEC;
|
||||
clcf->satisfy = NGX_CONF_UNSET_UINT;
|
||||
clcf->auth_delay = NGX_CONF_UNSET_MSEC;
|
||||
clcf->if_modified_since = NGX_CONF_UNSET_UINT;
|
||||
clcf->max_ranges = NGX_CONF_UNSET_UINT;
|
||||
clcf->client_body_in_file_only = NGX_CONF_UNSET_UINT;
|
||||
|
@ -3609,6 +3688,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|||
|NGX_HTTP_KEEPALIVE_DISABLE_MSIE6));
|
||||
ngx_conf_merge_uint_value(conf->satisfy, prev->satisfy,
|
||||
NGX_HTTP_SATISFY_ALL);
|
||||
ngx_conf_merge_msec_value(conf->auth_delay, prev->auth_delay, 0);
|
||||
ngx_conf_merge_uint_value(conf->if_modified_since, prev->if_modified_since,
|
||||
NGX_HTTP_IMS_EXACT);
|
||||
ngx_conf_merge_uint_value(conf->max_ranges, prev->max_ranges,
|
||||
|
|
|
@ -363,6 +363,7 @@ struct ngx_http_core_loc_conf_s {
|
|||
ngx_msec_t lingering_time; /* lingering_time */
|
||||
ngx_msec_t lingering_timeout; /* lingering_timeout */
|
||||
ngx_msec_t resolver_timeout; /* resolver_timeout */
|
||||
ngx_msec_t auth_delay; /* auth_delay */
|
||||
|
||||
ngx_resolver_t *resolver; /* resolver */
|
||||
|
||||
|
|
Loading…
Reference in a new issue