Comments on: A Mechanism to Help Write Web Application Firewalls for Nginx http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/ Sat, 19 May 2012 14:02:14 +0000 http://wordpress.org/?v=2.7.1 hourly 1 By: Jasmine http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2063 Jasmine Sun, 19 Feb 2012 23:32:30 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2063 You'd also have to egnarle your limits in /etc/limits.conf (or where ever it is on your distro of choice), if you'd have 1000s of users simultaneous, you could have a bottleneck if there are too many files open. You’d also have to egnarle your limits in /etc/limits.conf (or where ever it is on your distro of choice), if you’d have 1000s of users simultaneous, you could have a bottleneck if there are too many files open.

]]> By: Anders http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2062 Anders Sat, 18 Feb 2012 21:47:16 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2062 sorry for posting unrelated question here: First of all, your blog has been very helpful for nginx newbies. Thanks a lot! I am playing with your hello world module and attached it with NGX_HTTP_ACCESS_PHASE. As you may know, if you apply the basic auth on a uri that is backed by a remote resource through reversed proxy, the authentication header is carried over and hit the remote resource. For lots of cases, this will invoke the auth mechanism of the remote resource, say tomcat. I understand you can bypass it by proxy_set_header Authorization ""; in the config file. But I am wondering if there is a way to suppress/remove it from the header_in in my module? I tried: r->headers_in.authorization->value.len=0; It appears to work. But I don't know this could lead any memory leak since the authorization is a pointer and probably the memory is dynamically allocated for the request. Could you shed some light here? Thxs! Anders sorry for posting unrelated question here:

First of all, your blog has been very helpful for nginx newbies. Thanks a lot!

I am playing with your hello world module and attached it with NGX_HTTP_ACCESS_PHASE. As you may know, if you apply the basic auth on a uri that is backed by a remote resource through reversed proxy, the authentication header is carried over and hit the remote resource. For lots of cases, this will invoke the auth mechanism of the remote resource, say tomcat.

I understand you can bypass it by proxy_set_header Authorization “”; in the config file. But I am wondering if there is a way to suppress/remove it from the header_in in my module?

I tried: r->headers_in.authorization->value.len=0;

It appears to work. But I don’t know this could lead any memory leak since the authorization is a pointer and probably the memory is dynamically allocated for the request.

Could you shed some light here?

Thxs!

Anders

]]> By: Joshua http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2058 Joshua Sun, 12 Feb 2012 07:05:13 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2058 @Abioy: 是的。在Nginx的phase里是无法完美处理body的,所以我们把input body filter加上了 :) @Abioy:
是的。在Nginx的phase里是无法完美处理body的,所以我们把input body filter加上了 :)

]]> By: Abioy http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2057 Abioy Sun, 12 Feb 2012 02:21:33 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2057 Cool! Tengine把input filter给做了?我们某个服务由于已经在ACCESS PHASE中处理body,便直接在该PHASE加入了防御。 Cool! Tengine把input filter给做了?我们某个服务由于已经在ACCESS PHASE中处理body,便直接在该PHASE加入了防御。

]]> By: tricky1997 http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2055 tricky1997 Thu, 19 Jan 2012 10:15:33 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2055 请问,为什么不通过入侵检测工具(例如snort)来防止hash Dos,而要在nginx里加功能呢? 请问,为什么不通过入侵检测工具(例如snort)来防止hash Dos,而要在nginx里加功能呢?

]]> By: Jason.Lee http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2054 Jason.Lee Wed, 18 Jan 2012 06:20:50 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2054 不仅仅是佩服 不仅仅是佩服

]]> By: Joshua http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2053 Joshua Wed, 18 Jan 2012 03:25:51 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2053 @james, >= PAGE_SIZE的内存回收更有意义 @james,
>= PAGE_SIZE的内存回收更有意义

]]> By: james http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2052 james Wed, 18 Jan 2012 02:57:45 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2052 我的意思是 比如linux的pagesize是 4k ,它为什么是4k-1 我的意思是 比如linux的pagesize是 4k ,它为什么是4k-1

]]> By: Joshua http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2051 Joshua Wed, 18 Jan 2012 01:50:47 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2051 @james, 大于PAGE_SIZE或pool的内存nginx会单独存放一个链表,这个是可能被回收的,以节约内存。请阅读src/core/ngx_palloc.c和我之前写的nginx internals文档中讲内存池实现部分 @james,
大于PAGE_SIZE或pool的内存nginx会单独存放一个链表,这个是可能被回收的,以节约内存。请阅读src/core/ngx_palloc.c和我之前写的nginx internals文档中讲内存池实现部分

]]> By: james http://blog.zhuzhaoyuan.com/2012/01/a-mechanism-to-help-write-web-application-firewalls-for-nginx/comment-page-1/#comment-2050 james Wed, 18 Jan 2012 01:20:32 +0000 http://blog.zhuzhaoyuan.com/?p=210#comment-2050 #define NGX_MAX_ALLOC_FROM_POOL (ngx_pagesize - 1) 请教,为什么是这样 #define NGX_MAX_ALLOC_FROM_POOL (ngx_pagesize - 1)

请教,为什么是这样

]]>