diff --git a/auto/modules b/auto/modules index 878b1c6..2c04cb0 100644 --- a/auto/modules +++ b/auto/modules @@ -210,6 +210,12 @@ if [ $HTTP_LIMIT_ZONE = YES ]; then HTTP_SRCS="$HTTP_SRCS $HTTP_LIMIT_ZONE_SRCS" fi +if [ $HTTP_LIMIT_VAR = YES ]; then + have=NGX_HTTP_LIMIT_VAR . auto/have + HTTP_MODULES="$HTTP_MODULES $HTTP_LIMIT_VAR_MODULE" + HTTP_SRCS="$HTTP_SRCS $HTTP_LIMIT_VAR_SRCS" +fi + if [ $HTTP_LIMIT_REQ = YES ]; then HTTP_MODULES="$HTTP_MODULES $HTTP_LIMIT_REQ_MODULE" HTTP_SRCS="$HTTP_SRCS $HTTP_LIMIT_REQ_SRCS" diff --git a/auto/options b/auto/options index 7cb0754..08c1e56 100644 --- a/auto/options +++ b/auto/options @@ -81,6 +81,7 @@ HTTP_FASTCGI=YES HTTP_PERL=NO HTTP_MEMCACHED=YES HTTP_LIMIT_ZONE=YES +HTTP_LIMIT_VAR=YES HTTP_LIMIT_REQ=YES HTTP_EMPTY_GIF=YES HTTP_BROWSER=YES @@ -214,6 +215,7 @@ do --without-http_fastcgi_module) HTTP_FASTCGI=NO ;; --without-http_memcached_module) HTTP_MEMCACHED=NO ;; --without-http_limit_zone_module) HTTP_LIMIT_ZONE=NO ;; + --without-http_limit_var_module) HTTP_LIMIT_VAR=NO ;; --without-http_limit_req_module) HTTP_LIMIT_REQ=NO ;; --without-http_empty_gif_module) HTTP_EMPTY_GIF=NO ;; --without-http_browser_module) HTTP_BROWSER=NO ;; @@ -344,6 +346,7 @@ cat << END --without-http_fastcgi_module disable ngx_http_fastcgi_module --without-http_memcached_module disable ngx_http_memcached_module --without-http_limit_zone_module disable ngx_http_limit_zone_module + --without-http_limit_var_module disable ngx_http_limit_var_module --without-http_limit_req_module disable ngx_http_limit_req_module --without-http_empty_gif_module disable ngx_http_empty_gif_module --without-http_browser_module disable ngx_http_browser_module diff --git a/auto/sources b/auto/sources index f5cdee7..81f85e2 100644 --- a/auto/sources +++ b/auto/sources @@ -27,6 +27,7 @@ CORE_DEPS="src/core/nginx.h \ src/core/ngx_sha1.h \ src/core/ngx_rbtree.h \ src/core/ngx_rbtreehash.h \ + src/core/ngx_flathash.h \ src/core/ngx_radix_tree.h \ src/core/ngx_slab.h \ src/core/ngx_times.h \ @@ -55,6 +56,7 @@ CORE_SRCS="src/core/nginx.c \ src/core/ngx_lookup3.c \ src/core/ngx_rbtree.c \ src/core/ngx_rbtreehash.c \ + src/core/ngx_flathash.c \ src/core/ngx_radix_tree.c \ src/core/ngx_slab.c \ src/core/ngx_times.c \ @@ -416,6 +418,10 @@ HTTP_LIMIT_ZONE_MODULE=ngx_http_limit_zone_module HTTP_LIMIT_ZONE_SRCS=src/http/modules/ngx_http_limit_zone_module.c +HTTP_LIMIT_VAR_MODULE=ngx_http_limit_var_module +HTTP_LIMIT_VAR_SRCS=src/http/modules/ngx_http_limit_var_module.c + + HTTP_LIMIT_REQ_MODULE=ngx_http_limit_req_module HTTP_LIMIT_REQ_SRCS=src/http/modules/ngx_http_limit_req_module.c diff --git a/src/core/ngx_core.h b/src/core/ngx_core.h index 1a08861..809bd71 100644 --- a/src/core/ngx_core.h +++ b/src/core/ngx_core.h @@ -77,6 +77,7 @@ typedef void (*ngx_connection_handler_pt)(ngx_connection_t *c); #include #include #include +#include #define LF (u_char) 10 diff --git a/src/core/ngx_flathash.c b/src/core/ngx_flathash.c new file mode 100644 index 0000000..899f818 --- /dev/null +++ b/src/core/ngx_flathash.c @@ -0,0 +1,106 @@ + +/* + * Copyright (C) Kirill A. Korinskiy + */ + +#include +#include + + +typedef struct { + u_char data[1]; +} ngx_flathash_node_t; + + +/* + * Credit for primes table: Aaron Krowne + * http://planetmath.org/encyclopedia/GoodHashTablePrimes.html + */ +static const uint32_t ngx_flathash_primes[] = { + 53, 97, 193, 389, 769, 1543, 3079, 6151, + 12289, 24593, 49157, 98317, 196613, 393241, + 786433, 1572869, 3145739, 6291469, 12582917, + 25165843, 50331653, 100663319, 201326611, + 402653189, 805306457, 1610612741 +}; + +static const uint32_t ngx_flathash_primes_length = + sizeof(ngx_flathash_primes) / sizeof(uint32_t); + + +/* + * Really simple index for "good hash table" + */ +static inline ngx_flathash_node_t * +ngx_flathash_index(ngx_flathash_t *hashtable, uint32_t hash) { + return (ngx_flathash_node_t *)(hashtable->data + + ((offsetof(ngx_flathash_node_t, data) + + hashtable->value_len) + * (hash % hashtable->length))); +}; + + +void * +ngx_flathash_get(ngx_flathash_t *hashtable, ngx_str_t *key) +{ + uint32_t hash; + ngx_flathash_node_t *rn; + + hash = ngx_lookup3_hashlittle(key->data, key->len, 0); + + rn = ngx_flathash_index(hashtable, hash); + + return rn->data; +} + + +size_t +ngx_flathash_need_memory(size_t length, size_t size) +{ + uint32_t prime; + ngx_uint_t pindex; + + /* enforce size as prime */ + for (pindex=0, prime = 0; + pindex < ngx_flathash_primes_length; pindex++) { + if (ngx_flathash_primes[pindex] > size) { + prime = ngx_flathash_primes[pindex]; + break; + } + } + + /* a table so large */ + if (prime == 0) { + return 0; + } + + return offsetof(ngx_flathash_t, data) + + ((offsetof(ngx_flathash_node_t, data) + + length) + * prime); +} + + +ngx_int_t +ngx_flathash_init(ngx_flathash_t *hashtable, size_t length, size_t size) +{ + ngx_uint_t pindex; + + hashtable->value_len = length; + + hashtable->mutex.lock = 0; + + /* enforce size as prime */ + for (pindex=0, hashtable->length = 0; + pindex < ngx_flathash_primes_length; pindex++) { + if (ngx_flathash_primes[pindex] > size) { + hashtable->length = ngx_flathash_primes[pindex]; + + ngx_memzero(hashtable->data, hashtable->length); + + return NGX_OK; + } + } + + return NGX_ERROR; +} diff --git a/src/core/ngx_flathash.h b/src/core/ngx_flathash.h new file mode 100644 index 0000000..8b3c3c0 --- /dev/null +++ b/src/core/ngx_flathash.h @@ -0,0 +1,26 @@ + +/* + * Copyright (C) Kirill A. Korinskiy + */ + +#ifndef _NGX_FLATHASH_H_INCLUDED_ +#define _NGX_FLATHASH_H_INCLUDED_ + +#include +#include + +typedef struct { + size_t value_len; + size_t length; + ngx_shmtx_t mutex; + u_char data[1]; +} ngx_flathash_t; + +void *ngx_flathash_get(ngx_flathash_t *hashtable, ngx_str_t *key); + +size_t ngx_flathash_need_memory(size_t length, size_t size); + +ngx_int_t ngx_flathash_init(ngx_flathash_t *hashtable, size_t length, size_t size); + + +#endif /* _NGX_FLATHASH_H_INCLUDED_ */ diff --git a/src/http/modules/ngx_http_auth_basic_module.c b/src/http/modules/ngx_http_auth_basic_module.c index 64a62eb..cf0fb80 100644 --- a/src/http/modules/ngx_http_auth_basic_module.c +++ b/src/http/modules/ngx_http_auth_basic_module.c @@ -131,10 +131,7 @@ ngx_http_auth_basic_handler(ngx_http_request_t *r) ngx_str_t pwd, user_file; ngx_uint_t i, level, login, left, passwd; ngx_file_t file; - ngx_http_script_code_pt code; - ngx_http_script_engine_t e; ngx_http_auth_basic_ctx_t *ctx; - ngx_http_script_len_code_pt lcode; ngx_http_auth_basic_loc_conf_t *alcf; u_char buf[NGX_HTTP_AUTH_BUF_SIZE]; enum { diff --git a/src/http/modules/ngx_http_limit_var_module.c b/src/http/modules/ngx_http_limit_var_module.c new file mode 100644 index 0000000..fa77207 --- /dev/null +++ b/src/http/modules/ngx_http_limit_var_module.c @@ -0,0 +1,318 @@ + +/* + * Copyright (C) Kirill A. Korinskiy + */ + + +#include +#include +#include + + +typedef struct { + ngx_flathash_t *hash; + ngx_uint_t size; + ngx_uint_t rate; + ngx_http_complex_value_t key; +} ngx_http_limit_var_ctx_t; + + +static void *ngx_http_limit_var_create_conf(ngx_conf_t *cf); +static char *ngx_http_limit_var_merge_conf(ngx_conf_t *cf, void *parent, + void *child); +static char *ngx_http_limit_var(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + + +static ngx_command_t ngx_http_limit_var_commands[] = { + + { ngx_string("limit_var"), + NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE3, + ngx_http_limit_var, + 0, + 0, + NULL }, + + ngx_null_command +}; + + +static ngx_http_module_t ngx_http_limit_var_module_ctx = { + NULL, /* preconfiguration */ + NULL, /* postconfiguration */ + + NULL, /* create main configuration */ + NULL, /* init main configuration */ + + NULL, /* create server configuration */ + NULL, /* merge server configuration */ + + NULL, /* create location configration */ + NULL /* merge location configration */ +}; + + +ngx_module_t ngx_http_limit_var_module = { + NGX_MODULE_V1, + &ngx_http_limit_var_module_ctx, /* module context */ + ngx_http_limit_var_commands, /* module directives */ + NGX_HTTP_MODULE, /* module type */ + NULL, /* init master */ + NULL, /* init module */ + NULL, /* init process */ + NULL, /* init thread */ + NULL, /* exit thread */ + NULL, /* exit process */ + NULL, /* exit master */ + NGX_MODULE_V1_PADDING +}; + + +static ngx_int_t +ngx_http_limit_var_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v, + uintptr_t data) +{ + ngx_http_limit_var_ctx_t *ctx = (ngx_http_limit_var_ctx_t *)data; + + + ngx_str_t key; + + uint32_t *value, cached; + + if (r->main->limit_var_set) { + goto calc; + } + + if (ngx_http_complex_value(r, &ctx->key, &key) != NGX_OK) { + return NGX_ERROR; + } + + if (key.len == 0) { + v->not_found = 1; + return NGX_OK; + } + + r->main->limit_var_set = 1; + + value = ngx_flathash_get(ctx->hash, &key); + + ngx_shmtx_lock(&ctx->hash->mutex); + if (*value > (uint32_t)ngx_time()) { + (*value)++; + } else { + *value = ngx_time() + 1; + } + ngx_shmtx_unlock(&ctx->hash->mutex); + +calc: + cached = *(uint32_t *)ngx_flathash_get(ctx->hash, &key); + + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "limit_req: %d:%d", ngx_time(), cached); + + if ((cached - (uint32_t)ngx_time()) > ctx->rate) { + ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, + "limiting requests, excess %d", + cached - ngx_time()); + + v->len = sizeof(uint32_t); + v->valid = 1; + v->no_cacheable = 0; + v->not_found = 0; + v->data = (u_char *)(&cached); + + return NGX_OK; + } else { + v->not_found = 1; + } + + return NGX_OK; +} + + +static ngx_int_t +ngx_http_limit_var_init_zone(ngx_shm_zone_t *shm_zone, void *data) +{ + ngx_http_limit_var_ctx_t *octx = data; + + ngx_http_limit_var_ctx_t *ctx; + + ctx = shm_zone->data; + + if (octx) { + if (ngx_strcmp(ctx->key.value.data, octx->key.value.data) != 0) { + ngx_log_error(NGX_LOG_EMERG, shm_zone->shm.log, 0, + "limit_req \"%V\" uses the \"%V\" key " + "while previously it used the \"%V\" key", + &shm_zone->name, &ctx->key.value, &octx->key.value); + return NGX_ERROR; + } + + ctx->hash = octx->hash; + + return NGX_OK; + } + + ctx->hash = (ngx_flathash_t *) shm_zone->shm.addr; + + if (ngx_flathash_init(ctx->hash, sizeof(uint32_t), ctx->size) != NGX_OK) { + return NGX_ERROR; + } + + return NGX_OK; +} + + +static char * +ngx_http_limit_var(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + u_char *p; + size_t size, len; + ngx_str_t *value, name, s; + ngx_int_t rate; + ngx_uint_t i; + ngx_shm_zone_t *shm_zone; + ngx_http_variable_t *var; + ngx_http_limit_var_ctx_t *ctx; + + ngx_http_compile_complex_value_t ccv; + + value = cf->args->elts; + + ctx = NULL; + size = 0; + rate = 1; + name.len = 0; + + for (i = 1; i < cf->args->nelts; i++) { + + if (ngx_strncmp(value[i].data, "zone=", 5) == 0) { + + name.data = value[i].data + 5; + + p = (u_char *) ngx_strchr(name.data, ':'); + + if (p) { + name.len = p - name.data; + + p++; + + s.len = value[i].data + value[i].len - p; + s.data = p; + + size = ngx_atoi(s.data, s.len); + if ((ngx_int_t)size != NGX_ERROR && size > 769) { + continue; + } + } + + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid zone size \"%V\"", &value[i]); + return NGX_CONF_ERROR; + } + + if (ngx_strncmp(value[i].data, "rate=", 5) == 0) { + + len = value[i].len; + p = value[i].data + len - 3; + + if (ngx_strncmp(p, "r/s", 3) == 0) { + len -= 3; + } + + rate = ngx_atoi(value[i].data + 5, len - 5); + if (rate <= NGX_ERROR) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid rate \"%V\"", &value[i]); + return NGX_CONF_ERROR; + } + + continue; + } + + if (value[i].data[0] == '$') { + + value[i].len--; + value[i].data++; + + ctx = ngx_pcalloc(cf->pool, sizeof(ngx_http_limit_var_ctx_t)); + if (ctx == NULL) { + return NGX_CONF_ERROR; + } + + ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t)); + + ccv.cf = cf; + ccv.value = &value[1]; + ccv.complex_value = &ctx->key; + ccv.zero = 1; + ccv.conf_prefix = 1; + + if (ngx_http_compile_complex_value(&ccv) != NGX_OK) { + return NGX_CONF_ERROR; + } + + continue; + } + + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid parameter \"%V\"", &value[i]); + return NGX_CONF_ERROR; + } + + if (name.len == 0 || size == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "\"%V\" must have \"zone\" parameter", + &cmd->name); + return NGX_CONF_ERROR; + } + + if (ctx == NULL) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "no var is defined for limit_var_zone \"%V\"", + &cmd->name); + return NGX_CONF_ERROR; + } + + ctx->rate = rate; + + ctx->size = size; + + size = ngx_flathash_need_memory(sizeof(uint32_t), size); + + shm_zone = ngx_shared_memory_add(cf, &name, size, + &ngx_http_limit_var_module); + if (shm_zone == NULL) { + return NGX_CONF_ERROR; + } + + if (shm_zone->data) { + ctx = shm_zone->data; + + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "limit_var_zone \"%V\" is already bound to var \"%V\"", + &value[1], &ctx->key.value); + return NGX_CONF_ERROR; + } + + shm_zone->init = ngx_http_limit_var_init_zone; + shm_zone->data = ctx; + + s.len = sizeof("limit_var_") - 1 + name.len; + s.data = ngx_palloc(cf->pool, s.len); + if (s.data == NULL) { + return NGX_CONF_ERROR; + } + + ngx_sprintf(s.data, "limit_var_%V", &name); + + var = ngx_http_add_variable(cf, &s, NGX_HTTP_VAR_NOCACHEABLE); + if (var == NULL) { + return NGX_CONF_ERROR; + } + + var->get_handler = ngx_http_limit_var_variable; + var->data = (uintptr_t) ctx; + + return NGX_CONF_OK; +} diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h index a8d1b85..2663b55 100644 --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -465,6 +465,7 @@ struct ngx_http_request_s { * we use the single bits in the request structure */ unsigned limit_zone_set:1; + unsigned limit_var_set:1; unsigned limit_req_set:1; #if 0