{"id":20163495,"url":"https://github.com/sjinks/ngx_tcpwrappers","last_synced_at":"2025-08-01T10:41:36.361Z","repository":{"id":77874279,"uuid":"24215301","full_name":"sjinks/ngx_tcpwrappers","owner":"sjinks","description":"TCP Wrapper support for nginx","archived":false,"fork":false,"pushed_at":"2016-02-25T01:31:53.000Z","size":13,"stargazers_count":9,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"master","last_synced_at":"2025-03-24T02:22:44.928Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sjinks.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null},"funding":{"custom":["https://www.paypal.com/donate/?hosted_button_id=SAG6877JDJ3KU"]}},"created_at":"2014-09-19T03:51:34.000Z","updated_at":"2019-12-03T19:52:10.000Z","dependencies_parsed_at":"2023-02-28T08:00:49.216Z","dependency_job_id":null,"html_url":"https://github.com/sjinks/ngx_tcpwrappers","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fngx_tcpwrappers","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fngx_tcpwrappers/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fngx_tcpwrappers/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sjinks%2Fngx_tcpwrappers/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sjinks","download_url":"https://codeload.github.com/sjinks/ngx_tcpwrappers/tar.gz/refs/heads/master","host":{"na
me":"GitHub","url":"https://github.com","kind":"github","repositories_count":248137997,"owners_count":21053775,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-11-14T00:29:50.655Z","updated_at":"2025-04-10T00:41:05.422Z","avatar_url":"https://github.com/sjinks.png","language":"C","funding_links":["https://www.paypal.com/donate/?hosted_button_id=SAG6877JDJ3KU"],"categories":[],"sub_categories":[],"readme":"# ngx_tcpwrappers [![Build Status](https://travis-ci.org/sjinks/ngx_tcpwrappers.svg?branch=master)](https://travis-ci.org/sjinks/ngx_tcpwrappers)\n\nTCP Wrapper is a host-based networking ACL system, used to filter network access to Internet Protocol servers on\nUnix-like operating systems such as Linux or BSD. It allows host or subnetwork IP addresses, names and/or ident\nquery replies, to be used as tokens on which to filter for access control purposes. Details are [here](http://linux.die.net/man/5/hosts_access).\n\nTCP Wrapper is very convenient to use for anti-worm protection (e.g., in combination with DenyHosts, BlackHosts, fail2ban),\nin particular, to defend against HTTP-based scans.\n\nThe biggest advantages of TCP Wrappers are dynamic ACL configuration (deny rules can be added by the\nWeb Application Firewall and there is no need to restart or reload nginx) and simple configuration files.\n\nUnfortunately, nginx does not support TCP Wrappers out of the box. 
Fortunately, this module fixes this.\n\nIt should be noted that TCP Wrappers have several peculiarities you should know about:\n* the most disappointing thing is that libwrap (library implementing TCP Wrappers functionality) is not a thread-safe library.\nIn other words, if two threads try to simultaneously use libwrap, the results could be weird.\nThis is because libwrap uses non-reentrant functions like `strtok()`, `gethostbyname()`, `gethostbyaddr()` etc.\nIf nginx is built with threading support (does it work yet?), use of libwrap can lead to performance penalties\n(because access to libwrap functions will have to be serialized). If nginx is configured without threading support\n(this is the default for Linux), everything is OK.\n* dynamic ACL configuration comes at a price: libwrap will read and parse `/etc/hosts.allow` and `/etc/hosts.deny`\non every request; this may be an issue for high-load projects.\n\n# Build\n\nBecause nginx does not support dynamic modules, it will have to be rebuilt from the source.\nAssuming that nginx source code is located in `~/nginx` and the source code of ngx_tcpwrappers is in `~/nginx/ngx_tcpwrappers`,\nthe build process will be as follows:\n\n```bash\ncd ~/nginx\n# Add any other ./configure parameters to the list below; a comment line\n# cannot sit inside the continued command, because it would end it early.\n./configure \\\n    --conf-path=/etc/nginx/nginx.conf \\\n    --error-log-path=/var/log/nginx/error.log \\\n    --add-module=./ngx_tcpwrappers\nmake\nsudo make install\n```\n\nAs of [1.9.11](https://www.nginx.com/blog/dynamic-modules-nginx-1-9-11/) nginx supports dynamic modules.\nTo build `ngx_tcpwrappers` as a dynamic module, the build procedure will be as follows:\n\n```bash\ncd ~/nginx\n# Add any other ./configure parameters to the list below; a comment line\n# cannot sit inside the continued command, because it would end it early.\n./configure \\\n    --conf-path=/etc/nginx/nginx.conf \\\n    --error-log-path=/var/log/nginx/error.log \\\n    --add-dynamic-module=./ngx_tcpwrappers/\nmake\nsudo make install\n```\n\n# Module Configuration\n\nConfiguration directives:\n\n* **tcpwrappers**\n  * **Syntax:** 
`tcpwrappers [on|off]`\n  * **Default:** `tcpwrappers off`\n  * **Context:** http, server, location, limit_except\n  * **Description:** allows or disallows the use of TCP Wrappers for the access control.\n`tcpwrappers off` turns off TCP Wrappers completely; this can be useful to avoid performance penalties.\n* **tcpwrappers_daemon**\n  * **Syntax:** `tcpwrappers_daemon name`\n  * **Default:** `tcpwrappers_daemon nginx`\n  * **Context:** http, server, location, limit_except\n  * **Description:** specifies the name of the daemon used in `/etc/hosts.{allow,deny}` to identify the process.\n* **tcpwrappers_thorough**\n  * **Syntax:** `tcpwrappers_thorough [on|off]`\n  * **Default:** `tcpwrappers_thorough off`\n  * **Context:** http, server, location, limit_except\n  * **Description:** controls thoroughness of the verification.\nWith `tcpwrappers_thorough off` [hosts_ctl(3)](http://linux.die.net/man/3/hosts_ctl) is used; access check uses only the IP address.\nWith `tcpwrappers_thorough on` [hosts_access(3)](http://linux.die.net/man/3/hosts_access) is used; access check uses the IP address, user name (if available),\nreverse DNS. This check is more thorough but the price is a DNS query to resolve the IP address.\n\n# Further Reading\n* [hosts_access(5) manual](http://linux.die.net/man/5/hosts_access)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsjinks%2Fngx_tcpwrappers","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsjinks%2Fngx_tcpwrappers","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsjinks%2Fngx_tcpwrappers/lists"}