[master] 7cd8cca07 vmod_proxy: restrict all $Functions to client context

Nils Goroll nils.goroll at uplex.de
Mon Apr 24 13:46:09 UTC 2023 

commit 7cd8cca07743def39ca16bd47bd86a362eada819
Author: Walid Boudebouda <walid.boudebouda at gmail.com>
Date:   Thu Mar 9 09:51:25 2023 +0100

    vmod_proxy: restrict all $Functions to client context
    
    Since all functions of vmod_proxy use ctx->req, they should then be restricted to client context only

diff --git a/vmod/vmod_proxy.vcc b/vmod/vmod_proxy.vcc
index 603456e1c..46787dc06 100644
--- a/vmod/vmod_proxy.vcc
+++ b/vmod/vmod_proxy.vcc
@@ -45,6 +45,8 @@ Example::
 
 	set req.http.alpn = proxy.alpn();
 
+$Restrict client
+
 $Function STRING authority()
 
 Extract authority attribute. This corresponds to SNI from a TLS
@@ -54,6 +56,8 @@ Example::
 
 	set req.http.authority = proxy.authority();
 
+$Restrict client
+
 $Function BOOL is_ssl()
 
 Report if proxy-protocol-v2 has SSL TLV.
@@ -64,16 +68,22 @@ Example::
 		set req.http.ssl-version = proxy.ssl_version();
 	}
 
+$Restrict client
+
 $Function BOOL client_has_cert_sess()
 
 Report if the client provided a certificate at least once over the TLS
 session this connection belongs to.
 
+$Restrict client
+
 $Function BOOL client_has_cert_conn()
 
 Report if the client provided a certificate over the current
 connection.
 
+$Restrict client
+
 $Function INT ssl_verify_result()
 
 Report the SSL_get_verify_result from a TLS session. It only matters
@@ -86,6 +96,8 @@ Example::
 		set req.http.ssl-verify = "ok";
 	}
 
+$Restrict client
+
 $Function STRING ssl_version()
 
 Extract SSL version attribute.
@@ -94,6 +106,8 @@ Example::
 
 	set req.http.ssl-version = proxy.ssl_version();
 
+$Restrict client
+
 $Function STRING client_cert_cn()
 
 Extract the common name attribute of the client certificate's.
@@ -101,6 +115,8 @@ Extract the common name attribute of the client certificate's.
 Example::
 	set req.http.cert-cn = proxy.client_cert_cn();
 
+$Restrict client
+
 $Function STRING ssl_cipher()
 
 Extract the SSL cipher attribute.
@@ -109,6 +125,8 @@ Example::
 
 	set req.http.ssl-cipher = proxy.ssl_cipher();
 
+$Restrict client
+
 $Function STRING cert_sign()
 
 Extract the certificate signature algorithm attribute.
@@ -117,6 +135,8 @@ Example::
 
 	set req.http.cert-sign = proxy.cert_sign();
 
+$Restrict client
+
 $Function STRING cert_key()
 
 Extract the certificate key algorithm attribute.
@@ -125,6 +145,8 @@ Example::
 
 	set req.http.cert-key = proxy.cert_key();
 
+$Restrict client
+
 SEE ALSO
 ========

More information about the varnish-commit mailing list