Merge of r4614, r4624-r4629, r4631: proxy recursive changes.

   
*) Added IPv6 and UNIX-domain socket support in "debug_connection"
   directive.
   
*) New function ngx_http_get_forwarded_addr() to look up real client
   address.

   On input it takes an original address, string in the X-Forwarded-For format
   and its length, list of trusted proxies, and a flag indicating to perform
   the recursive search.  On output it returns NGX_OK and the "deepest" valid
   address in a chain, or NGX_DECLINED.  It supports AF_INET and AF_INET6.
   Additionally, original address and/or proxy may be specified as AF_UNIX.
   
*) Realip: chains of trusted proxies and IPv6 support.
   
   The module now supports recursive search of client address through
   the chain of trusted proxies, controlled by the "real_ip_recursive"
   directive (closes git-mirror#2).  It also gets full IPv6 support (closes #44)
   and canonical value of the $client_addr variable on address change.
        
   Example:

       real_ip_header X-Forwarded-For;   
       set_real_ip_from 127.0.0.0/8;
       set_real_ip_from ::1;
       set_real_ip_from unix:;
       real_ip_recursive on;

*) Geo: chains of trusted proxies and partial IPv6 support.

   The module now supports recursive search of client address through
   the chain of trusted proxies, controlled by the "proxy_recursive"
   directive in the "geo" block.  It also gets partial IPv6 support:
   now proxies may be specified with IPv6 addresses.

   Example:

       geo $test {
           ...
           proxy 127.0.0.1;
           proxy ::1;
           proxy_recursive;
       }

   There's also a slight change in behavior.  When original client
   address (as specified by the "geo" directive) is one of the
   trusted proxies, and the value of the X-Forwarded-For request
   header cannot not be parsed as a valid address, an original client
   address will be used for lookup.  Previously, 255.255.255.255 was
   used in this case.

*) Geoip: trusted proxies support and partial IPv6 support.

   The module now supports recursive search of client address through the
   chain of trusted proxies (closes #100), in the same scope as the geo
   module.  Proxies are listed by the "geoip_proxy" directive, recursive
   search is enabled by the "geoip_proxy_recursive" directive.  IPv6 is
   partially supported: proxies may be specified with IPv6 addresses.

   Example:

        geoip_country .../GeoIP.dat;
        geoip_proxy 127.0.0.1;
        geoip_proxy ::1;
        geoip_proxy 10.0.0.0/8;
        geoip_proxy_recursive on;

Author: mdounin

src/event/ngx_event.c

@@ -1064,38 +1064,34 @@ ngx_event_debug_connection(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 
     ngx_int_t           rc;
     ngx_str_t          *value;
-    ngx_event_debug_t  *dc;
     struct hostent     *h;
-    ngx_cidr_t          cidr;
+    ngx_cidr_t         *cidr;
 
     value = cf->args->elts;
 
-    dc = ngx_array_push(&ecf->debug_connection);
-    if (dc == NULL) {
+    cidr = ngx_array_push(&ecf->debug_connection);
+    if (cidr == NULL) {
         return NGX_CONF_ERROR;
     }
 
-    rc = ngx_ptocidr(&value[1], &cidr);
+#if (NGX_HAVE_UNIX_DOMAIN)
+
+    if (ngx_strcmp(value[1].data, "unix:") == 0) {
+         cidr->family = AF_UNIX;
+         return NGX_CONF_OK;
+    }
+
+#endif
+
+    rc = ngx_ptocidr(&value[1], cidr);
 
     if (rc == NGX_DONE) {
         ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
                            "low address bits of %V are meaningless", &value[1]);
-        rc = NGX_OK;
+        return NGX_CONF_OK;
     }
 
     if (rc == NGX_OK) {
-
-        /* AF_INET only */
-
-        if (cidr.family != AF_INET) {
-            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-                               "\"debug_connection\" supports IPv4 only");
-            return NGX_CONF_ERROR;
-        }
-
-        dc->mask = cidr.u.in.mask;
-        dc->addr = cidr.u.in.addr;
-
         return NGX_CONF_OK;
     }
 
@@ -1107,8 +1103,9 @@ ngx_event_debug_connection(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         return NGX_CONF_ERROR;
     }
 
-    dc->mask = 0xffffffff;
-    dc->addr = *(in_addr_t *)(h->h_addr_list[0]);
+    cidr->family = AF_INET;
+    cidr->u.in.mask = 0xffffffff;
+    cidr->u.in.addr = *(in_addr_t *)(h->h_addr_list[0]);
 
 #else
 
@@ -1142,7 +1139,7 @@ ngx_event_core_create_conf(ngx_cycle_t *cycle)
 #if (NGX_DEBUG)
 
     if (ngx_array_init(&ecf->debug_connection, cycle->pool, 4,
-                       sizeof(ngx_event_debug_t)) == NGX_ERROR)
+                       sizeof(ngx_cidr_t)) == NGX_ERROR)
     {
         return NULL;
     }

src/event/ngx_event.h

@@ -221,12 +221,6 @@ struct ngx_event_aio_s {
 #endif
 
 
-typedef struct {
-    in_addr_t  mask;
-    in_addr_t  addr;
-} ngx_event_debug_t;
-
-
 typedef struct {
     ngx_int_t  (*add)(ngx_event_t *ev, ngx_int_t event, ngx_uint_t flags);
     ngx_int_t  (*del)(ngx_event_t *ev, ngx_int_t event, ngx_uint_t flags);

src/event/ngx_event_accept.c

@@ -286,17 +286,56 @@ ngx_event_accept(ngx_event_t *ev)
 #if (NGX_DEBUG)
         {
 
-        in_addr_t            i;
-        ngx_event_debug_t   *dc;
-        struct sockaddr_in  *sin;
+        struct sockaddr_in   *sin;
+        ngx_cidr_t           *cidr;
+        ngx_uint_t            i;
+#if (NGX_HAVE_INET6)
+        struct sockaddr_in6  *sin6;
+        ngx_uint_t            n;
+#endif
 
-        sin = (struct sockaddr_in *) sa;
-        dc = ecf->debug_connection.elts;
+        cidr = ecf->debug_connection.elts;
         for (i = 0; i < ecf->debug_connection.nelts; i++) {
-            if ((sin->sin_addr.s_addr & dc[i].mask) == dc[i].addr) {
-                log->log_level = NGX_LOG_DEBUG_CONNECTION|NGX_LOG_DEBUG_ALL;
+            if (cidr[i].family != c->sockaddr->sa_family) {
+                goto next;
+            }
+
+            switch (cidr[i].family) {
+
+#if (NGX_HAVE_INET6)
+            case AF_INET6:
+                sin6 = (struct sockaddr_in6 *) c->sockaddr;
+                for (n = 0; n < 16; n++) {
+                    if ((sin6->sin6_addr.s6_addr[n]
+                        & cidr[i].u.in6.mask.s6_addr[n])
+                        != cidr[i].u.in6.addr.s6_addr[n])
+                    {
+                        goto next;
+                    }
+                }
+                break;
+#endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+            case AF_UNIX:
+                break;
+#endif
+
+            default: /* AF_INET */
+                sin = (struct sockaddr_in *) c->sockaddr;
+                if ((sin->sin_addr.s_addr & cidr[i].u.in.mask)
+                    != cidr[i].u.in.addr)
+                {
+                    goto next;
+                }
                 break;
             }
+
+            log->log_level = NGX_LOG_DEBUG_CONNECTION|NGX_LOG_DEBUG_ALL;
+            break;
+
+        next:
+            continue;
         }
 
         }