|
|
|
@ -107,8 +107,8 @@ typedef struct { |
|
|
|
typedef struct { |
|
|
|
typedef struct { |
|
|
|
ngx_array_t *servers; /* array of ngx_http_auth_ldap_server_t */ |
|
|
|
ngx_array_t *servers; /* array of ngx_http_auth_ldap_server_t */ |
|
|
|
ngx_flag_t cache_enabled; |
|
|
|
ngx_flag_t cache_enabled; |
|
|
|
ngx_msec_t cache_expiration_time; |
|
|
|
size_t cache_expiration_no_use_seconds; |
|
|
|
ngx_msec_t cache_limit_time; |
|
|
|
size_t cache_expiration_seconds; |
|
|
|
size_t cache_size; |
|
|
|
size_t cache_size; |
|
|
|
ngx_int_t servers_size; |
|
|
|
ngx_int_t servers_size; |
|
|
|
#if (NGX_OPENSSL) |
|
|
|
#if (NGX_OPENSSL) |
|
|
|
@ -124,8 +124,8 @@ typedef struct { |
|
|
|
typedef struct { |
|
|
|
typedef struct { |
|
|
|
uint32_t small_hash; /* murmur2 hash of username ^ &server */ |
|
|
|
uint32_t small_hash; /* murmur2 hash of username ^ &server */ |
|
|
|
uint32_t outcome; /* OUTCOME_DENY or OUTCOME_ALLOW */ |
|
|
|
uint32_t outcome; /* OUTCOME_DENY or OUTCOME_ALLOW */ |
|
|
|
ngx_msec_t used_time; /* ngx_current_msec when used */ |
|
|
|
size_t used_time; /* seconds when used */ |
|
|
|
ngx_msec_t created_time; /* ngx_current_msec when created */ |
|
|
|
size_t created_time; /* seconds when created */ |
|
|
|
u_char big_hash[16]; /* md5 hash of (username, server, password) */ |
|
|
|
u_char big_hash[16]; /* md5 hash of (username, server, password) */ |
|
|
|
} ngx_http_auth_ldap_cache_elt_t; |
|
|
|
} ngx_http_auth_ldap_cache_elt_t; |
|
|
|
|
|
|
|
|
|
|
|
@ -133,8 +133,8 @@ typedef struct { |
|
|
|
ngx_http_auth_ldap_cache_elt_t *buckets; |
|
|
|
ngx_http_auth_ldap_cache_elt_t *buckets; |
|
|
|
ngx_uint_t num_buckets; |
|
|
|
ngx_uint_t num_buckets; |
|
|
|
ngx_uint_t elts_per_bucket; |
|
|
|
ngx_uint_t elts_per_bucket; |
|
|
|
ngx_msec_t expiration_time; |
|
|
|
size_t expiration_no_use_seconds; |
|
|
|
ngx_msec_t limit_time; |
|
|
|
size_t expiration_seconds; |
|
|
|
} ngx_http_auth_ldap_cache_t; |
|
|
|
} ngx_http_auth_ldap_cache_t; |
|
|
|
|
|
|
|
|
|
|
|
typedef enum { |
|
|
|
typedef enum { |
|
|
|
@ -249,19 +249,19 @@ static ngx_command_t ngx_http_auth_ldap_commands[] = { |
|
|
|
NULL |
|
|
|
NULL |
|
|
|
}, |
|
|
|
}, |
|
|
|
{ |
|
|
|
{ |
|
|
|
ngx_string("auth_ldap_cache_expiration_time"), |
|
|
|
ngx_string("auth_ldap_cache_expiration_no_use_seconds"), |
|
|
|
NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, |
|
|
|
NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, |
|
|
|
ngx_conf_set_msec_slot, |
|
|
|
ngx_conf_set_size_slot, |
|
|
|
NGX_HTTP_MAIN_CONF_OFFSET, |
|
|
|
NGX_HTTP_MAIN_CONF_OFFSET, |
|
|
|
offsetof(ngx_http_auth_ldap_main_conf_t, cache_expiration_time), |
|
|
|
offsetof(ngx_http_auth_ldap_main_conf_t, cache_expiration_no_use_seconds), |
|
|
|
NULL |
|
|
|
NULL |
|
|
|
}, |
|
|
|
}, |
|
|
|
{ |
|
|
|
{ |
|
|
|
ngx_string("auth_ldap_cache_limit_time"), |
|
|
|
ngx_string("auth_ldap_cache_expiration_seconds"), |
|
|
|
NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, |
|
|
|
NGX_HTTP_MAIN_CONF | NGX_CONF_TAKE1, |
|
|
|
ngx_conf_set_msec_slot, |
|
|
|
ngx_conf_set_size_slot, |
|
|
|
NGX_HTTP_MAIN_CONF_OFFSET, |
|
|
|
NGX_HTTP_MAIN_CONF_OFFSET, |
|
|
|
offsetof(ngx_http_auth_ldap_main_conf_t, cache_limit_time), |
|
|
|
offsetof(ngx_http_auth_ldap_main_conf_t, cache_expiration_seconds), |
|
|
|
NULL |
|
|
|
NULL |
|
|
|
}, |
|
|
|
}, |
|
|
|
{ |
|
|
|
{ |
|
|
|
@ -774,8 +774,8 @@ ngx_http_auth_ldap_create_main_conf(ngx_conf_t *cf) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
conf->cache_enabled = NGX_CONF_UNSET; |
|
|
|
conf->cache_enabled = NGX_CONF_UNSET; |
|
|
|
conf->cache_expiration_time = NGX_CONF_UNSET_MSEC; |
|
|
|
conf->cache_expiration_no_use_seconds = NGX_CONF_UNSET_SIZE; |
|
|
|
conf->cache_limit_time = NGX_CONF_UNSET_MSEC; |
|
|
|
conf->cache_expiration_seconds = NGX_CONF_UNSET_SIZE; |
|
|
|
conf->cache_size = NGX_CONF_UNSET_SIZE; |
|
|
|
conf->cache_size = NGX_CONF_UNSET_SIZE; |
|
|
|
conf->servers_size = NGX_CONF_UNSET; |
|
|
|
conf->servers_size = NGX_CONF_UNSET; |
|
|
|
|
|
|
|
|
|
|
|
@ -802,17 +802,17 @@ ngx_http_auth_ldap_init_main_conf(ngx_conf_t *cf, void *parent) |
|
|
|
return NGX_CONF_ERROR; |
|
|
|
return NGX_CONF_ERROR; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
if (conf->cache_expiration_time == NGX_CONF_UNSET_MSEC) { |
|
|
|
if (conf->cache_expiration_no_use_seconds == NGX_CONF_UNSET_SIZE) { |
|
|
|
conf->cache_expiration_time = 10000; |
|
|
|
conf->cache_expiration_no_use_seconds = 300; |
|
|
|
} |
|
|
|
} |
|
|
|
if (conf->cache_limit_time == NGX_CONF_UNSET_MSEC) { |
|
|
|
if (conf->cache_expiration_seconds == NGX_CONF_UNSET_SIZE) { |
|
|
|
conf->cache_limit_time = 10000; |
|
|
|
conf->cache_expiration_seconds = 600; |
|
|
|
} |
|
|
|
} |
|
|
|
if (conf->cache_expiration_time < 1000) { |
|
|
|
if (conf->cache_expiration_no_use_seconds < 1) { |
|
|
|
ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_expiration_time cannot be smaller than 1000 ms."); |
|
|
|
ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_expiration_no_use_seconds cannot be smaller than 1000 ms."); |
|
|
|
return NGX_CONF_ERROR; |
|
|
|
return NGX_CONF_ERROR; |
|
|
|
} |
|
|
|
} |
|
|
|
if (conf->cache_limit_time < 1000) { |
|
|
|
if (conf->cache_expiration_seconds < 1) { |
|
|
|
ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_limit_time cannot be smaller than 1000 ms."); |
|
|
|
ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "http_auth_ldap: auth_ldap_cache_limit_time cannot be smaller than 1000 ms."); |
|
|
|
return NGX_CONF_ERROR; |
|
|
|
return NGX_CONF_ERROR; |
|
|
|
} |
|
|
|
} |
|
|
|
@ -924,8 +924,8 @@ ngx_http_auth_ldap_init_cache(ngx_cycle_t *cycle) |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
cache = &ngx_http_auth_ldap_cache; |
|
|
|
cache = &ngx_http_auth_ldap_cache; |
|
|
|
cache->expiration_time = conf->cache_expiration_time; |
|
|
|
cache->expiration_no_use_seconds = conf->cache_expiration_no_use_seconds; |
|
|
|
cache->limit_time = conf->cache_limit_time; |
|
|
|
cache->expiration_seconds = conf->cache_expiration_seconds; |
|
|
|
cache->num_buckets = count; |
|
|
|
cache->num_buckets = count; |
|
|
|
cache->elts_per_bucket = 8; |
|
|
|
cache->elts_per_bucket = 8; |
|
|
|
|
|
|
|
|
|
|
|
@ -947,8 +947,9 @@ ngx_http_auth_ldap_check_cache_and_update(ngx_http_request_t *r, ngx_http_auth_l |
|
|
|
{ |
|
|
|
{ |
|
|
|
ngx_http_auth_ldap_cache_elt_t *elt; |
|
|
|
ngx_http_auth_ldap_cache_elt_t *elt; |
|
|
|
ngx_md5_t md5ctx; |
|
|
|
ngx_md5_t md5ctx; |
|
|
|
ngx_msec_t used_time_when_expired; |
|
|
|
size_t current_seconds; |
|
|
|
ngx_msec_t created_time_when_expired; |
|
|
|
size_t used_time_valid_after; |
|
|
|
|
|
|
|
size_t created_time_valid_after; |
|
|
|
ngx_uint_t i; |
|
|
|
ngx_uint_t i; |
|
|
|
|
|
|
|
|
|
|
|
ctx->cache_small_hash = ngx_murmur_hash2(r->headers_in.user.data, r->headers_in.user.len) ^ (uint32_t) (ngx_uint_t) server; |
|
|
|
ctx->cache_small_hash = ngx_murmur_hash2(r->headers_in.user.data, r->headers_in.user.len) ^ (uint32_t) (ngx_uint_t) server; |
|
|
|
@ -962,14 +963,21 @@ ngx_http_auth_ldap_check_cache_and_update(ngx_http_request_t *r, ngx_http_auth_l |
|
|
|
ctx->cache_bucket = &cache->buckets[ctx->cache_small_hash % cache->num_buckets]; |
|
|
|
ctx->cache_bucket = &cache->buckets[ctx->cache_small_hash % cache->num_buckets]; |
|
|
|
|
|
|
|
|
|
|
|
elt = ctx->cache_bucket; |
|
|
|
elt = ctx->cache_bucket; |
|
|
|
used_time_when_expired = ngx_current_msec - cache->expiration_time; |
|
|
|
|
|
|
|
created_time_when_expired = ngx_current_msec - cache->limit_time; |
|
|
|
current_seconds = (size_t)ngx_cached_time->sec; |
|
|
|
|
|
|
|
used_time_valid_after = current_seconds - cache->expiration_no_use_seconds; |
|
|
|
|
|
|
|
created_time_valid_after = current_seconds - cache->expiration_seconds; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "> current_seconds=%d", current_seconds); |
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "> used_time_valid_after=%d", used_time_valid_after); |
|
|
|
|
|
|
|
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ctx->r->connection->log, 0, "> created_time_valid_after=%d", created_time_valid_after); |
|
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < cache->elts_per_bucket; i++, elt++) { |
|
|
|
for (i = 0; i < cache->elts_per_bucket; i++, elt++) { |
|
|
|
if (elt->small_hash == ctx->cache_small_hash && |
|
|
|
if (elt->small_hash == ctx->cache_small_hash && |
|
|
|
elt->used_time > used_time_when_expired && |
|
|
|
elt->used_time > used_time_valid_after && |
|
|
|
elt->created_time > created_time_when_expired && |
|
|
|
elt->created_time > created_time_valid_after && |
|
|
|
memcmp(elt->big_hash, ctx->cache_big_hash, 16) == 0) { |
|
|
|
memcmp(elt->big_hash, ctx->cache_big_hash, 16) == 0) { |
|
|
|
elt->used_time = ngx_current_msec; // update time as we've just used this entry
|
|
|
|
elt->used_time = current_seconds; // update time as we've just used this entry
|
|
|
|
return elt->outcome; |
|
|
|
return elt->outcome; |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
@ -983,6 +991,7 @@ ngx_http_auth_ldap_set_cache(ngx_http_auth_ldap_ctx_t *ctx, |
|
|
|
{ |
|
|
|
{ |
|
|
|
ngx_http_auth_ldap_cache_elt_t *elt, *oldest_elt; |
|
|
|
ngx_http_auth_ldap_cache_elt_t *elt, *oldest_elt; |
|
|
|
ngx_uint_t i; |
|
|
|
ngx_uint_t i; |
|
|
|
|
|
|
|
size_t current_seconds; |
|
|
|
|
|
|
|
|
|
|
|
elt = ctx->cache_bucket; |
|
|
|
elt = ctx->cache_bucket; |
|
|
|
oldest_elt = elt; |
|
|
|
oldest_elt = elt; |
|
|
|
@ -992,8 +1001,10 @@ ngx_http_auth_ldap_set_cache(ngx_http_auth_ldap_ctx_t *ctx, |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
oldest_elt->created_time = ngx_current_msec; |
|
|
|
current_seconds = (size_t)ngx_cached_time->sec; |
|
|
|
oldest_elt->used_time = ngx_current_msec; |
|
|
|
|
|
|
|
|
|
|
|
oldest_elt->created_time = current_seconds; |
|
|
|
|
|
|
|
oldest_elt->used_time = current_seconds; |
|
|
|
oldest_elt->outcome = outcome; |
|
|
|
oldest_elt->outcome = outcome; |
|
|
|
oldest_elt->small_hash = ctx->cache_small_hash; |
|
|
|
oldest_elt->small_hash = ctx->cache_small_hash; |
|
|
|
ngx_memcpy(oldest_elt->big_hash, ctx->cache_big_hash, 16); |
|
|
|
ngx_memcpy(oldest_elt->big_hash, ctx->cache_big_hash, 16); |
|
|
|
|
