comparison src/stream/ngx_stream_proxy_module.c @ 8905:9d98d524bd02
Upstream: optimized use of SSL contexts (ticket #1234).
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.
Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.
Similar changes made in uwsgi, grpc, and stream proxy.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 29 Jun 2022 02:47:45 +0300 |
parents | 457afc332c67 |
children | b30bec3d71d6 17d6a537fb1b |
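--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -101,10 +101,12 @@
 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
 static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
 static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s);
+static ngx_int_t ngx_stream_proxy_merge_ssl(ngx_conf_t *cf,
+ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
 ngx_stream_proxy_srv_conf_t *pscf);
 
 
 static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = {
@@ -799,11 +801,11 @@
 
 pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
 
 #if (NGX_STREAM_SSL)
 
-if (pc->type == SOCK_STREAM && pscf->ssl) {
+if (pc->type == SOCK_STREAM && pscf->ssl_enable) {
 
 if (u->proxy_protocol) {
 if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) {
 return;
 }
@@ -2148,10 +2150,14 @@
 
 ngx_conf_merge_value(conf->half_close, prev->half_close, 0);
 
 #if (NGX_STREAM_SSL)
 
+if (ngx_stream_proxy_merge_ssl(cf, conf, prev) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+
 ngx_conf_merge_value(conf->ssl_enable, prev->ssl_enable, 0);
 
 ngx_conf_merge_value(conf->ssl_session_reuse,
 prev->ssl_session_reuse, 1);
 
@@ -2197,20 +2203,66 @@
 
 
 #if (NGX_STREAM_SSL)
 
 static ngx_int_t
+ngx_stream_proxy_merge_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *conf,
+ngx_stream_proxy_srv_conf_t *prev)
+{
+ngx_uint_t preserve;
+
+if (conf->ssl_protocols == 0
+&& conf->ssl_ciphers.data == NULL
+&& conf->ssl_certificate == NGX_CONF_UNSET_PTR
+&& conf->ssl_certificate_key == NGX_CONF_UNSET_PTR
+&& conf->ssl_passwords == NGX_CONF_UNSET_PTR
+&& conf->ssl_verify == NGX_CONF_UNSET
+&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
+&& conf->ssl_trusted_certificate.data == NULL
+&& conf->ssl_crl.data == NULL
+&& conf->ssl_session_reuse == NGX_CONF_UNSET
+&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
+{
+if (prev->ssl) {
+conf->ssl = prev->ssl;
+return NGX_OK;
+}
+
+preserve = 1;
+
+} else {
+preserve = 0;
+}
+
+conf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
+if (conf->ssl == NULL) {
+return NGX_ERROR;
+}
+
+conf->ssl->log = cf->log;
+
+/*
+* special handling to preserve conf->ssl
+* in the "stream" section to inherit it to all servers
+*/
+
+if (preserve) {
+prev->ssl = conf->ssl;
+}
+
+return NGX_OK;
+}
+
+
+static ngx_int_t
 ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
 {
 ngx_pool_cleanup_t *cln;
 
-pscf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
-if (pscf->ssl == NULL) {
-return NGX_ERROR;
-}
-
-pscf->ssl->log = cf->log;
+if (pscf->ssl->ctx) {
+return NGX_OK;
+}
 
 if (ngx_ssl_create(pscf->ssl, pscf->ssl_protocols, NULL) != NGX_OK) {
 return NGX_ERROR;
 }
 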
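Review bot: The condition at the top of ngx_stream_proxy_merge_ssl is a hand-maintained list of the proxy_ssl_* settings that feed the SSL context, and nothing in the visible code ties it to the directive set. When every listed field is unset the server takes `conf->ssl = prev->ssl`, and ngx_stream_proxy_set_ssl returns early once `ctx` exists, so a context-affecting setting added later but left out of this list would presumably not be applied for a server that overrides only that setting; for verification-related options that means silently running with the parent's policy. I would add a comment above the condition such as `/* must list every proxy_ssl_* setting used to build the SSL context; evaluated before the ngx_conf_merge_*() calls, while unset values are still distinguishable */`, which also records why the call in the merge function sits ahead of the `ssl_enable` and `ssl_session_reuse` merges. ngx_stream_proxy_set_ssl now dereferences `pscf->ssl` without a NULL check and so relies on merge_ssl having run first; a one-line comment stating that invariant would help, and the function's body continues past the end of the page.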