add a directive to proxied client's ip address

thekief · thekief · commit 8c8d2d4d95b0 · 2025-02-13T11:52:00.000+01:00
diff --git a/src/ngx_http_modsecurity_common.h b/src/ngx_http_modsecurity_common.h
@@ -126,6 +126,7 @@ typedef struct {
 #endif
 
     ngx_http_complex_value_t  *transaction_id;
+    ngx_flag_t                 proxy_protocol_ip;
 } ngx_http_modsecurity_conf_t;
 
 
diff --git a/src/ngx_http_modsecurity_module.c b/src/ngx_http_modsecurity_module.c
@@ -514,6 +514,14 @@ static ngx_command_t ngx_http_modsecurity_commands[] =  {
     0,
     NULL
   },
+  {
+    ngx_string("modsecurity_proxy_protocol_ip"),
+    NGX_HTTP_LOC_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG,
+    ngx_conf_set_flag_slot,
+    NGX_HTTP_LOC_CONF_OFFSET,
+    offsetof(ngx_http_modsecurity_conf_t, proxy_protocol_ip),
+    NULL
+  },
   ngx_null_command
 };
 
@@ -725,6 +733,7 @@ ngx_http_modsecurity_create_conf(ngx_conf_t *cf)
     conf->rules_set = msc_create_rules_set();
     conf->pool = cf->pool;
     conf->transaction_id = NGX_CONF_UNSET_PTR;
+    conf->proxy_protocol_ip = NGX_CONF_UNSET;
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     conf->sanity_checks_enabled = NGX_CONF_UNSET;
 #endif
@@ -764,6 +773,7 @@ ngx_http_modsecurity_merge_conf(ngx_conf_t *cf, void *parent, void *child)
 
     ngx_conf_merge_value(c->enable, p->enable, 0);
     ngx_conf_merge_ptr_value(c->transaction_id, p->transaction_id, NULL);
+    ngx_conf_merge_value(c->proxy_protocol_ip, p->proxy_protocol_ip, 0);
 #if defined(MODSECURITY_SANITY_CHECKS) && (MODSECURITY_SANITY_CHECKS)
     ngx_conf_merge_value(c->sanity_checks_enabled, p->sanity_checks_enabled, 0);
 #endif
diff --git a/src/ngx_http_modsecurity_rewrite.c b/src/ngx_http_modsecurity_rewrite.c
@@ -78,10 +78,23 @@ ngx_http_modsecurity_rewrite_handler(ngx_http_request_t *r)
          * erliest phase that nginx allow us to attach those kind of hooks.
          *
          */
-        int client_port = ngx_inet_get_port(connection->sockaddr);
+        int client_port;
+
+        if (mcf->proxy_protocol_ip && connection->proxy_protocol) {
+          client_port = connection->proxy_protocol->src_port;
+        } else {
+          client_port = ngx_inet_get_port(connection->sockaddr);
+        }
         int server_port = ngx_inet_get_port(connection->local_sockaddr);
 
-        const char *client_addr = ngx_str_to_char(addr_text, r->pool);
+        const char *client_addr;
+
+        if (mcf->proxy_protocol_ip && connection->proxy_protocol) {
+          client_addr =  ngx_str_to_char(connection->proxy_protocol->src_addr, r->pool);
+        } else {
+          client_addr = ngx_str_to_char(addr_text, r->pool);
+        }
+
         if (client_addr == (char*)-1) {
             return NGX_HTTP_INTERNAL_SERVER_ERROR;
         }
