feat: nginx-ntlm-modulev2 — full rewrite with security hardening for nginx ≥ 1.25 #11
Draft
- Rewrites ngx_http_upstream_ntlm_module.c with four documented security invariants:
  I1. Atomic item release via ngx_http_upstream_ntlm_item_release() helper
  I2. c->read->data (not c->data) for cache item storage on idle connections
  I3. OOM guard: cleanup-add failure aborts cache insertion (session-hijack fix)
  I4. Stale-credential eviction on re-auth with established session
- Fixes from all open PRs (#3, #6, #7):
- Synchronous cleanup handler (no posted events)
- Session-hijack via cleanup-OOM (critical)
- Stale-credential reuse on established connections (high)
- client_connection NULL in eviction path
- Fault-injection macro NGX_NTLM_TEST_CLEANUP_NULL for testing
- Adds ntlm_time and ntlm_requests directives
- Adds notify peer callback pass-through
- Updates README.md for v2 with security section
- Updates Docker files to nginx 1.28.0 / alpine 3.20
- Adds TEST 5 (stale credential eviction) and TEST 6 (OOM guard, SKIP) to t/001-sanity.t

Agent-Logs-Url: https://github.com/Securepoint/nginx-ntlm-module/sessions/3343cf49-d4a7-4188-89b8-5a89fad4a7fe
Co-authored-by: matthias-lay <163420385+matthias-lay@users.noreply.github.com>
Copilot created this pull request from a session on behalf of matthias-lay, May 7, 2026 08:36
…efix Agent-Logs-Url: https://github.com/Securepoint/nginx-ntlm-module/sessions/54f34666-9396-4585-9866-0afcf7b9caca Co-authored-by: matthias-lay <163420385+matthias-lay@users.noreply.github.com>
Agent-Logs-Url: https://github.com/Securepoint/nginx-ntlm-module/sessions/67d8ce81-c2d8-4386-8de0-1b27bdfb112b Co-authored-by: matthias-lay <163420385+matthias-lay@users.noreply.github.com>
…t wrapping Agent-Logs-Url: https://github.com/Securepoint/nginx-ntlm-module/sessions/7c8dc35d-b81d-44b9-88fc-a881b0b47269 Co-authored-by: matthias-lay <163420385+matthias-lay@users.noreply.github.com>
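
Invariant I3 from the PR description above, as an added stand-alone model (not code from this PR or from the module): if the eviction hook cannot be registered, the upstream connection is never placed in the cache. It assumes a cached item is evicted by a cleanup handler registered on its client; every type and function name and the `fail_cleanup_alloc` switch are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Stand-alone model of invariant I3; all names are hypothetical, not the module's. */
typedef struct cleanup { void (*fn)(void *); void *data; struct cleanup *next; } cleanup_t;
typedef struct { cleanup_t *cleanups; } client_t;
typedef struct { client_t *owner; int upstream_fd; } cache_item_t;

static int fail_cleanup_alloc;  /* fault injection: simulate an allocation failure */

static cleanup_t *cleanup_add(client_t *c) {
    cleanup_t *cl = fail_cleanup_alloc ? NULL : calloc(1, sizeof(*cl));
    if (cl == NULL) return NULL;
    cl->next = c->cleanups;
    c->cleanups = cl;
    return cl;
}

static void evict(void *data) {   /* runs when the owning client goes away */
    cache_item_t *it = data;
    it->owner = NULL;
    it->upstream_fd = -1;
}

/* Returns 0 when the item was cached, -1 when insertion was aborted. */
static int cache_insert(cache_item_t *slot, client_t *c, int fd) {
    cleanup_t *cl = cleanup_add(c);
    if (cl == NULL) return -1;    /* no eviction hook registered: do not cache */
    cl->fn = evict;
    cl->data = slot;
    slot->owner = c;              /* bind only after the hook is in place */
    slot->upstream_fd = fd;
    return 0;
}

static void client_close(client_t *c) {   /* run and free all cleanup handlers */
    while (c->cleanups != NULL) {
        cleanup_t *cl = c->cleanups;
        c->cleanups = cl->next;
        cl->fn(cl->data);
        free(cl);
    }
}

int main(void) {
    client_t c = { NULL };
    cache_item_t slot = { NULL, -1 };
    fail_cleanup_alloc = 1;       /* constructed failure case */
    printf("insert under injected failure: %d\n", cache_insert(&slot, &c, 42));
    return slot.owner != NULL;    /* exit 0: nothing was cached */
}
```
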
get_ntlm_peerandfree_ntlm_peerprove -r t) and report environment limitations