[master] 7cd8cca07 vmod_proxy: restrict all $Functions to client context
Nils Goroll
nils.goroll at uplex.de
Mon Apr 24 13:46:09 UTC 2023
commit 7cd8cca07743def39ca16bd47bd86a362eada819
Author: Walid Boudebouda <walid.boudebouda at gmail.com>
Date: Thu Mar 9 09:51:25 2023 +0100
vmod_proxy: restrict all $Functions to client context
Since all functions of vmod_proxy use ctx->req, they should then be restricted to client context only
diff --git a/vmod/vmod_proxy.vcc b/vmod/vmod_proxy.vcc
index 603456e1c..46787dc06 100644
--- a/vmod/vmod_proxy.vcc
+++ b/vmod/vmod_proxy.vcc
@@ -45,6 +45,8 @@ Example::
set req.http.alpn = proxy.alpn();
+$Restrict client
+
$Function STRING authority()
Extract authority attribute. This corresponds to SNI from a TLS
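Review bot: the `$Restrict client` added just above `$Function STRING authority()` reads as if it restricts authority(), while its position after the `proxy.alpn()` Example suggests it belongs to alpn(). The last hunk, where the directive follows the cert_key() Example and precedes SEE ALSO, indicates it binds to the preceding function. Say so in the commit message so the placement is not mistaken for an off-by-one.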
@@ -54,6 +56,8 @@ Example::
set req.http.authority = proxy.authority();
+$Restrict client
+
$Function BOOL is_ssl()
Report if proxy-protocol-v2 has SSL TLV.
@@ -64,16 +68,22 @@ Example::
set req.http.ssl-version = proxy.ssl_version();
}
+$Restrict client
+
$Function BOOL client_has_cert_sess()
Report if the client provided a certificate at least once over the TLS
session this connection belongs to.
+$Restrict client
+
$Function BOOL client_has_cert_conn()
Report if the client provided a certificate over the current
connection.
+$Restrict client
+
$Function INT ssl_verify_result()
Report the SSL_get_verify_result from a TLS session. It only matters
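Review bot: missing documentation in the descriptions of client_has_cert_sess() and client_has_cert_conn(), which still say nothing about where the functions may be called even though each now gets a `$Restrict client`. Unless the generated documentation already renders the restriction, add a sentence to each description stating that the function is only available in client context.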
@@ -86,6 +96,8 @@ Example::
set req.http.ssl-verify = "ok";
}
+$Restrict client
+
$Function STRING ssl_version()
Extract SSL version attribute.
@@ -94,6 +106,8 @@ Example::
set req.http.ssl-version = proxy.ssl_version();
+$Restrict client
+
$Function STRING client_cert_cn()
Extract the common name attribute of the client certificate's.
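Review bot: style point on the context line under `$Function STRING client_cert_cn()`, which reads "Extract the common name attribute of the client certificate's." with a dangling possessive. Since the neighbouring lines are being edited anyway, change it to "of the client certificate." in this patch or a follow-up.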
@@ -101,6 +115,8 @@ Extract the common name attribute of the client certificate's.
Example::
set req.http.cert-cn = proxy.client_cert_cn();
+$Restrict client
+
$Function STRING ssl_cipher()
Extract the SSL cipher attribute.
@@ -109,6 +125,8 @@ Example::
set req.http.ssl-cipher = proxy.ssl_cipher();
+$Restrict client
+
$Function STRING cert_sign()
Extract the certificate signature algorithm attribute.
@@ -117,6 +135,8 @@ Example::
set req.http.cert-sign = proxy.cert_sign();
+$Restrict client
+
$Function STRING cert_key()
Extract the certificate key algorithm attribute.
@@ -125,6 +145,8 @@ Example::
set req.http.cert-key = proxy.cert_key();
+$Restrict client
+
SEE ALSO
========
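Review bot: missing test coverage and release note for the restriction, ending with the final `$Restrict client` before SEE ALSO: the diff touches only vmod/vmod_proxy.vcc. Add a test case showing that VCL calling a proxy.* function outside client context is rejected, and a changes entry, since VCL that called these functions from other contexts was accepted before this patch and will not be afterwards.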