버전 - 1.17.10 업데이트

*) 기능 - "auth_delay" 지시문 추가
*) 스크립트 - 업데이트 구문 추가

Author: HanbitGaram

.DS_Store

@@ -1,4 +1,9 @@
 
+Changes with nginx 1.17.10                                       14 Apr 2020
+
+    *) Feature: the "auth_delay" directive.
+
+
 Changes with nginx 1.17.9                                        03 Mar 2020
 
     *) Change: now nginx does not allow several "Host" request header lines.

CHANGES

@@ -1,4 +1,9 @@
 
+Изменения в nginx 1.17.10                                         14.04.2020
+
+    *) Добавление: директива auth_delay.
+
+
 Изменения в nginx 1.17.9                                          03.03.2020
 
     *) Изменение: теперь nginx не разрешает несколько строк "Host" в

CHANGES.ru

@@ -7,11 +7,11 @@
 오픈소스로 개발 된 소스를 HostLSH 서버에 맞게 수정하였으므로,<br>
 HostLSH 서버 외에서는 사용하기에 부적합 할 수 있습니다.
 
-최근 버전 : 1.17.9
+최근 버전 : 1.17.10
 
-# 설치방법
+# 설치방법 및 업데이트 방법
 ```sh
-wget https://raw.githubusercontent.com/HanbitGaram/LSH_Nginx/master/install.sh && sh install.sh
+wget https://raw.githubusercontent.com/HanbitGaram/LSH_Nginx/master/install.sh -O install.sh && sh install.sh
 ```
 
 # 설치되는 경로

README.md

@@ -6,8 +6,11 @@ apt -y update
 apt -y upgrade
 apt-get -y install unzip gcc g++ openssl zlib1g-dev libpcre3 libpcre3-dev make git
 
-git clone https://github.com/HanbitGaram/LSH_Nginx.git
-cd LSH_Nginx
+mkdir /opt/
+git clone https://github.com/HanbitGaram/LSH_Nginx.git /opt/LSH_nginx
+git pull
+
+cd /opt/LSH_nginx
 
 ./configure \
 --prefix=/usr/local/nginx \

install.sh

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1017009
-#define NGINX_VERSION      "1.17.9"
+#define nginx_version      1017010
+#define NGINX_VERSION      "1.17.10"
 #define NGINX_VER          "HostLSH SERVER/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/.DS_Store

@@ -25,7 +25,6 @@ static ngx_int_t ngx_http_auth_basic_crypt_handler(ngx_http_request_t *r,
     ngx_str_t *passwd, ngx_str_t *realm);
 static ngx_int_t ngx_http_auth_basic_set_realm(ngx_http_request_t *r,
     ngx_str_t *realm);
-static void ngx_http_auth_basic_close(ngx_file_t *file);
 static void *ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf);
 static char *ngx_http_auth_basic_merge_loc_conf(ngx_conf_t *cf,
     void *parent, void *child);
@@ -177,8 +176,8 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r)
                           offset);
 
         if (n == NGX_ERROR) {
-            ngx_http_auth_basic_close(&file);
-            return NGX_HTTP_INTERNAL_SERVER_ERROR;
+            rc = NGX_HTTP_INTERNAL_SERVER_ERROR;
+            goto cleanup;
         }
 
         if (n == 0) {
@@ -219,12 +218,11 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r)
                 if (buf[i] == LF || buf[i] == CR || buf[i] == ':') {
                     buf[i] = '\0';
 
-                    ngx_http_auth_basic_close(&file);
-
                     pwd.len = i - passwd;
                     pwd.data = &buf[passwd];
 
-                    return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+                    rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+                    goto cleanup;
                 }
 
                 break;
@@ -251,8 +249,6 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r)
         offset += n;
     }
 
-    ngx_http_auth_basic_close(&file);
-
     if (state == sw_passwd) {
         pwd.len = i - passwd;
         pwd.data = ngx_pnalloc(r->pool, pwd.len + 1);
@@ -262,14 +258,26 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r)
 
         ngx_cpystrn(pwd.data, &buf[passwd], pwd.len + 1);
 
-        return ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+        rc = ngx_http_auth_basic_crypt_handler(r, &pwd, &realm);
+        goto cleanup;
     }
 
     ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                   "user \"%V\" was not found in \"%s\"",
                   &r->headers_in.user, user_file.data);
 
-    return ngx_http_auth_basic_set_realm(r, &realm);
+    rc = ngx_http_auth_basic_set_realm(r, &realm);
+
+cleanup:
+
+    if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+        ngx_log_error(NGX_LOG_ALERT, r->connection->log, ngx_errno,
+                      ngx_close_file_n " \"%s\" failed", user_file.data);
+    }
+
+    ngx_explicit_memzero(buf, NGX_HTTP_AUTH_BUF_SIZE);
+
+    return rc;
 }
 
 
@@ -338,15 +346,6 @@ ngx_http_auth_basic_set_realm(ngx_http_request_t *r, ngx_str_t *realm)
     return NGX_HTTP_UNAUTHORIZED;
 }
 
-static void
-ngx_http_auth_basic_close(ngx_file_t *file)
-{
-    if (ngx_close_file(file->fd) == NGX_FILE_ERROR) {
-        ngx_log_error(NGX_LOG_ALERT, file->log, ngx_errno,
-                      ngx_close_file_n " \"%s\" failed", file->name.data);
-    }
-}
-
 
 static void *
 ngx_http_auth_basic_create_loc_conf(ngx_conf_t *cf)

src/core/nginx.h

@@ -21,6 +21,9 @@ typedef struct {
 #define NGX_HTTP_REQUEST_BODY_FILE_CLEAN  2
 
 
+static ngx_int_t ngx_http_core_auth_delay(ngx_http_request_t *r);
+static void ngx_http_core_auth_delay_handler(ngx_http_request_t *r);
+
 static ngx_int_t ngx_http_core_find_location(ngx_http_request_t *r);
 static ngx_int_t ngx_http_core_find_static_location(ngx_http_request_t *r,
     ngx_http_location_tree_node_t *node);
@@ -520,6 +523,13 @@ static ngx_command_t  ngx_http_core_commands[] = {
       offsetof(ngx_http_core_loc_conf_t, satisfy),
       &ngx_http_core_satisfy },
 
+    { ngx_string("auth_delay"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_msec_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_core_loc_conf_t, auth_delay),
+      NULL },
+
     { ngx_string("internal"),
       NGX_HTTP_LOC_CONF|NGX_CONF_NOARGS,
       ngx_http_core_internal,
@@ -1124,6 +1134,10 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
 
     /* rc == NGX_ERROR || rc == NGX_HTTP_...  */
 
+    if (rc == NGX_HTTP_UNAUTHORIZED) {
+        return ngx_http_core_auth_delay(r);
+    }
+
     ngx_http_finalize_request(r, rc);
     return NGX_OK;
 }
@@ -1141,12 +1155,17 @@ ngx_http_core_post_access_phase(ngx_http_request_t *r,
     access_code = r->access_code;
 
     if (access_code) {
+        r->access_code = 0;
+
         if (access_code == NGX_HTTP_FORBIDDEN) {
             ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                           "access forbidden by rule");
         }
 
-        r->access_code = 0;
+        if (access_code == NGX_HTTP_UNAUTHORIZED) {
+            return ngx_http_core_auth_delay(r);
+        }
+
         ngx_http_finalize_request(r, access_code);
         return NGX_OK;
     }
@@ -1156,6 +1175,65 @@ ngx_http_core_post_access_phase(ngx_http_request_t *r,
 }
 
 
+static ngx_int_t
+ngx_http_core_auth_delay(ngx_http_request_t *r)
+{
+    ngx_http_core_loc_conf_t  *clcf;
+
+    clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
+
+    if (clcf->auth_delay == 0) {
+        ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+        return NGX_OK;
+    }
+
+    ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+                  "delaying unauthorized request");
+
+    if (ngx_handle_read_event(r->connection->read, 0) != NGX_OK) {
+        return NGX_HTTP_INTERNAL_SERVER_ERROR;
+    }
+
+    r->read_event_handler = ngx_http_test_reading;
+    r->write_event_handler = ngx_http_core_auth_delay_handler;
+
+    r->connection->write->delayed = 1;
+    ngx_add_timer(r->connection->write, clcf->auth_delay);
+
+    /*
+     * trigger an additional event loop iteration
+     * to ensure constant-time processing
+     */
+
+    ngx_post_event(r->connection->write, &ngx_posted_next_events);
+
+    return NGX_OK;
+}
+
+
+static void
+ngx_http_core_auth_delay_handler(ngx_http_request_t *r)
+{
+    ngx_event_t  *wev;
+
+    ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
+                   "auth delay handler");
+
+    wev = r->connection->write;
+
+    if (wev->delayed) {
+
+        if (ngx_handle_write_event(wev, 0) != NGX_OK) {
+            ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+        }
+
+        return;
+    }
+
+    ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+}
+
+
 ngx_int_t
 ngx_http_core_content_phase(ngx_http_request_t *r,
     ngx_http_phase_handler_t *ph)
@@ -3394,6 +3472,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf)
     clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE;
     clcf->client_body_timeout = NGX_CONF_UNSET_MSEC;
     clcf->satisfy = NGX_CONF_UNSET_UINT;
+    clcf->auth_delay = NGX_CONF_UNSET_MSEC;
     clcf->if_modified_since = NGX_CONF_UNSET_UINT;
     clcf->max_ranges = NGX_CONF_UNSET_UINT;
     clcf->client_body_in_file_only = NGX_CONF_UNSET_UINT;
@@ -3609,6 +3688,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
                                |NGX_HTTP_KEEPALIVE_DISABLE_MSIE6));
     ngx_conf_merge_uint_value(conf->satisfy, prev->satisfy,
                               NGX_HTTP_SATISFY_ALL);
+    ngx_conf_merge_msec_value(conf->auth_delay, prev->auth_delay, 0);
     ngx_conf_merge_uint_value(conf->if_modified_since, prev->if_modified_since,
                               NGX_HTTP_IMS_EXACT);
     ngx_conf_merge_uint_value(conf->max_ranges, prev->max_ranges,

src/http/modules/ngx_http_auth_basic_module.c

@@ -363,6 +363,7 @@ struct ngx_http_core_loc_conf_s {
     ngx_msec_t    lingering_time;          /* lingering_time */
     ngx_msec_t    lingering_timeout;       /* lingering_timeout */
     ngx_msec_t    resolver_timeout;        /* resolver_timeout */
+    ngx_msec_t    auth_delay;              /* auth_delay */
 
     ngx_resolver_t  *resolver;             /* resolver */