Forum: NGINX Is it ok to call header filters twice for the same response

95763e65fd1ff9f48963e8973d054db9?d=identicon&s=25 Rv Rv (Guest)
on 2014-06-29 06:56
(Received via mailing list)
Hello

When we configure nginx without modsecurity body filter, then the
response is processed in two stages. First the headers are processed
followed by the body filters
If however, modsecurity is configured, then modsecurity body filter may
*once again* call the entire chain of headers filter via a call to
 rc = ngx_http_next_header_filter(r); in the routine
ngx_http_modsecurity_body_filter.

This means that any header filter that is configured will end up
processing the same response header twice. This means that header filter
should be stateful in that it should know if it is invoked multiple
times and allocate ctx only once.

Is this the way the design of body and header filters expected to be?
Thanks for any answers
A8108a0961c6087c43cda32c8616dcba?d=identicon&s=25 Maxim Dounin (Guest)
on 2014-07-01 01:39
(Received via mailing list)
Hello!

On Sun, Jun 29, 2014 at 12:56:02PM +0800, Rv Rv wrote:

> This means that any header filter that is configured will end up
> processing the same response header twice. This means that
> header filter should be stateful in that it should know if it is
> invoked multiple times and allocate ctx only once.
>
> Is this the way the design of body and header filters expected
> to be?
> Thanks for any answers

No.  Header filters chain is expected to be called once per
request.

You are probably looking into the 'master' branch of mod_security
nginx module.  It is known to be completely unusable.  Try looking
into nginx_refactoring branch instead, it should be a bit better.

--
Maxim Dounin
http://nginx.org/
Please log in before posting. Registration is free and takes only a minute.
Existing account

NEW: Do you have a Google/GoogleMail, Yahoo or Facebook account? No registration required!
Log in with Google account | Log in with Yahoo account | Log in with Facebook account
No account? Register here.