Add support for blocking access to our handlers.

Nginx side of the fix for https://github.com/pagespeed/mod_pagespeed/issues/1088
Jeff Kaufman
2015-06-03 15:42:57 -04:00
parent e42f61e263
commit fe47eeb4f3
3 changed files with 105 additions and 6 deletions
+12 -6
@@ -1650,23 +1650,29 @@ RequestRouting::Response ps_route_request(ngx_http_request_t* r) {
const NgxRewriteOptions* global_options = cfg_s->server_context->config(); const NgxRewriteOptions* global_options = cfg_s->server_context->config();
StringPiece path = url.PathSansQuery(); StringPiece path = url.PathSansQuery();
if (StringCaseEqual(path, global_options->statistics_path())) { if (StringCaseEqual(path, global_options->statistics_path()) &&
global_options->StatisticsAccessAllowed(url)) {
return RequestRouting::kStatistics; return RequestRouting::kStatistics;
} else if (StringCaseEqual(path, global_options->global_statistics_path())) { } else if (StringCaseEqual(path, global_options->global_statistics_path()) &&
global_options->GlobalStatisticsAccessAllowed(url)) {
return RequestRouting::kGlobalStatistics; return RequestRouting::kGlobalStatistics;
} else if (StringCaseEqual(path, global_options->console_path())) { } else if (StringCaseEqual(path, global_options->console_path()) &&
global_options->ConsoleAccessAllowed(url)) {
return RequestRouting::kConsole; return RequestRouting::kConsole;
} else if (StringCaseEqual(path, global_options->messages_path())) { } else if (StringCaseEqual(path, global_options->messages_path()) &&
global_options->MessagesAccessAllowed(url)) {
return RequestRouting::kMessages; return RequestRouting::kMessages;
} else if ( } else if (
// The admin handlers get everything under a path (/path/*) while all the // The admin handlers get everything under a path (/path/*) while all the
// other handlers only get exact matches (/path). So match all paths // other handlers only get exact matches (/path). So match all paths
// starting with the handler path. // starting with the handler path.
!global_options->admin_path().empty() && !global_options->admin_path().empty() &&
StringCaseStartsWith(path, global_options->admin_path())) { StringCaseStartsWith(path, global_options->admin_path()) &&
global_options->AdminAccessAllowed(url)) {
return RequestRouting::kAdmin; return RequestRouting::kAdmin;
} else if (!global_options->global_admin_path().empty() && } else if (!global_options->global_admin_path().empty() &&
StringCaseStartsWith(path, global_options->global_admin_path())) { StringCaseStartsWith(path, global_options->global_admin_path()) &&
global_options->GlobalAdminAccessAllowed(url)) {
return RequestRouting::kGlobalAdmin; return RequestRouting::kGlobalAdmin;
} else if (global_options->enable_cache_purge() && } else if (global_options->enable_cache_purge() &&
!global_options->purge_method().empty() && !global_options->purge_method().empty() &&
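Review bot: The six new `*AccessAllowed(url)` guards in ps_route_request are folded into the path-match conditions, so a denied request does not stop at its handler branch but falls through to the later ones (the cache-purge test that follows, and whatever comes after the hunk), and nothing in the hunk records the denial. Each check receives only `url`, so it presumably decides on the request's hostname, which the client supplies; if that is right, the `*Domains` lists limit which virtual hosts expose a handler and say nothing about who the client is. I would state that above the chain, e.g. `// *AccessAllowed() matches the request host only; restrict by client address with nginx allow/deny.` The function starts before and continues after this hunk, so where a denied request finally ends up cannot be confirmed from here.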
+3
@@ -298,6 +298,9 @@ fi
PSA_JS_LIBRARY_URL_PREFIX="pagespeed_custom_static" PSA_JS_LIBRARY_URL_PREFIX="pagespeed_custom_static"
BEACON_HANDLER="ngx_pagespeed_beacon" BEACON_HANDLER="ngx_pagespeed_beacon"
STATISTICS_HANDLER="ngx_pagespeed_statistics"
GLOBAL_STATISTICS_HANDLER="ngx_pagespeed_global_statistics"
MESSAGES_HANDLER="ngx_pagespeed_message"
STATISTICS_URL=http://$PRIMARY_HOSTNAME/ngx_pagespeed_statistics STATISTICS_URL=http://$PRIMARY_HOSTNAME/ngx_pagespeed_statistics
# An expected failure can be indicated like: "~In-place resource optimization~" # An expected failure can be indicated like: "~In-place resource optimization~"
+90
@@ -24,6 +24,9 @@ http {
'"$http_user_agent"'; '"$http_user_agent"';
access_log "@@ACCESS_LOG@@" cache; access_log "@@ACCESS_LOG@@" cache;
# Don't put entries in the error log for 403s and 404s.
log_not_found off;
proxy_cache_path "@@PROXY_CACHE@@" levels=1:2 keys_zone=htmlcache:60m inactive=90m max_size=50m; proxy_cache_path "@@PROXY_CACHE@@" levels=1:2 keys_zone=htmlcache:60m inactive=90m max_size=50m;
proxy_temp_path "@@TMP_PROXY_CACHE@@"; proxy_temp_path "@@TMP_PROXY_CACHE@@";
@@ -816,6 +819,13 @@ http {
pagespeed ConsolePath /custom_pagespeed_console; pagespeed ConsolePath /custom_pagespeed_console;
pagespeed MessagesPath /custom_pagespeed_message; pagespeed MessagesPath /custom_pagespeed_message;
pagespeed AdminPath /custom_pagespeed_admin; pagespeed AdminPath /custom_pagespeed_admin;
pagespeed StatisticsDomains Allow *;
pagespeed GlobalStatisticsDomains Allow *;
pagespeed MessagesDomains Allow *;
pagespeed ConsoleDomains Allow *;
pagespeed AdminDomains Allow *;
pagespeed GlobalAdminDomains Allow *;
} }
server { server {
@@ -823,6 +833,13 @@ http {
listen [::]:@@SECONDARY_PORT@@; listen [::]:@@SECONDARY_PORT@@;
server_name inherit-paths.example.com; server_name inherit-paths.example.com;
pagespeed FileCachePath "@@FILE_CACHE@@"; pagespeed FileCachePath "@@FILE_CACHE@@";
pagespeed StatisticsDomains Allow *;
pagespeed GlobalStatisticsDomains Allow *;
pagespeed MessagesDomains Allow *;
pagespeed ConsoleDomains Allow *;
pagespeed AdminDomains Allow *;
pagespeed GlobalAdminDomains Allow *;
} }
server { server {
@@ -1336,6 +1353,79 @@ http {
} }
} }
pagespeed MessagesDomains Allow messages-allowed.example.com;
pagespeed MessagesDomains Allow cleared-inherited.example.com;
pagespeed MessagesDomains Allow cleared-inherited-reallowed.example.com;
pagespeed MessagesDomains Allow more-messages-allowed.example.com;
pagespeed MessagesDomains Allow anything-*-wildcard.example.com;
pagespeed MessagesDomains Allow localhost;
server {
listen @@SECONDARY_PORT@@;
listen [::]:@@SECONDARY_PORT@@;
server_name messages-allowed.example.com
messages-not-allowed.example.com
more-messages-allowed.example.com
anything-a-wildcard.example.com
anything-b-wildcard.example.com;
pagespeed FileCachePath "@@FILE_CACHE@@";
}
server {
listen @@SECONDARY_PORT@@;
listen [::]:@@SECONDARY_PORT@@;
server_name messages-still-not-allowed.example.com
but-this-message-allowed.example.com
and-this-one.example.com;
pagespeed MessagesDomains Allow but-this-message-allowed.example.com;
pagespeed MessagesDomains Allow and-this-one.example.com;
pagespeed FileCachePath "@@FILE_CACHE@@";
}
server {
listen @@SECONDARY_PORT@@;
listen [::]:@@SECONDARY_PORT@@;
server_name cleared-inherited.example.com
cleared-inherited-reallowed.example.com
messages-allowed-at-vhost.example.com
messages-not-allowed-at-vhost.example.com
anything-c-wildcard.example.com;
pagespeed MessagesDomains Disallow *;
pagespeed MessagesDomains Allow cleared-inherited-reallowed.example.com;
pagespeed MessagesDomains Allow messages-allowed-at-vhost.example.com;
pagespeed FileCachePath "@@FILE_CACHE@@";
}
server {
listen @@SECONDARY_PORT@@;
listen [::]:@@SECONDARY_PORT@@;
server_name cleared-inherited-unlisted.example.com;
pagespeed MessagesDomains Allow *;
pagespeed FileCachePath "@@FILE_CACHE@@";
}
server {
server_name nothing-allowed.example.com;
pagespeed MessagesDomains Disallow *;
pagespeed FileCachePath "@@FILE_CACHE@@";
}
server {
server_name nothing-explicitly-allowed.example.com;
pagespeed FileCachePath "@@FILE_CACHE@@";
}
server {
listen @@SECONDARY_PORT@@;
listen [::]:@@SECONDARY_PORT@@;
server_name everything-explicitly-allowed.example.com
everything-explicitly-allowed-but-aliased.example.com;
pagespeed FileCachePath "@@FILE_CACHE@@";
pagespeed StatisticsDomains Allow everything-explicitly-allowed.example.com;
pagespeed GlobalStatisticsDomains
Allow everything-explicitly-allowed.example.com;
pagespeed MessagesDomains Allow everything-explicitly-allowed.example.com;
pagespeed ConsoleDomains Allow everything-explicitly-allowed.example.com;
pagespeed AdminDomains Allow everything-explicitly-allowed.example.com;
pagespeed GlobalAdminDomains
Allow everything-explicitly-allowed.example.com;
}
server { server {
listen @@PRIMARY_PORT@@; listen @@PRIMARY_PORT@@;
listen [::]:@@PRIMARY_PORT@@; listen [::]:@@PRIMARY_PORT@@;
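Review bot: The `nothing-allowed.example.com` and `nothing-explicitly-allowed.example.com` server blocks in the last hunk have no `listen` directive, unlike every other block added there, so nginx binds them to its default listen address rather than `@@SECONDARY_PORT@@`. A test that sends those Host names to the secondary port would be served by that port's default server and would be decided by the inherited http-level `MessagesDomains` list, not by the `Disallow *` (or the absence of any allow) the blocks are meant to exercise. The test script's requests are not visible here; if they target the secondary port, add `listen @@SECONDARY_PORT@@;` and `listen [::]:@@SECONDARY_PORT@@;` to both blocks so the deny cases are really covered.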