comparison src/http/modules/ngx_http_ssl_module.c @ 272:29a6403156b0 NGINX_0_5_6
nginx 0.5.6
*) Change: now the ngx_http_index_module ignores all methods except the
GET, HEAD, and POST methods.
*) Feature: the ngx_http_limit_zone_module.
*) Feature: the $binary_remote_addr variable.
*) Feature: the "ssl_session_cache" directives of the
ngx_http_ssl_module and ngx_imap_ssl_module.
*) Feature: the DELETE method supports recursive removal.
*) Bugfix: the byte-ranges were transferred incorrectly if the
$r->sendfile() was used.
author | Igor Sysoev <http://sysoev.ru> |
---|---|
date | Tue, 09 Jan 2007 00:00:00 +0300 |
parents | 559bc7ec214e |
children | 55328d69b335 |
271:fcbee7dacf2b | 272:29a6403156b0 |
---|---|
25 | 25 |
26 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf); | 26 static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf); |
27 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); | 27 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); |
28 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, | 28 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, |
29 void *parent, void *child); | 29 void *parent, void *child); |
30 | |
31 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, | |
32 void *conf); | |
30 | 33 |
31 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) | 34 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) |
32 | 35 |
33 static char *ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, | 36 static char *ngx_http_ssl_nosupported(ngx_conf_t *cf, ngx_command_t *cmd, |
34 void *conf); | 37 void *conf); |
112 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), | 115 offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers), |
113 NULL }, | 116 NULL }, |
114 #else | 117 #else |
115 ngx_http_ssl_nosupported, 0, 0, ngx_http_ssl_openssl097 }, | 118 ngx_http_ssl_nosupported, 0, 0, ngx_http_ssl_openssl097 }, |
116 #endif | 119 #endif |
120 | |
121 { ngx_string("ssl_session_cache"), | |
122 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE12, | |
123 ngx_http_ssl_session_cache, | |
124 NGX_HTTP_SRV_CONF_OFFSET, | |
125 0, | |
126 NULL }, | |
117 | 127 |
118 { ngx_string("ssl_session_timeout"), | 128 { ngx_string("ssl_session_timeout"), |
119 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, | 129 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, |
120 ngx_conf_set_sec_slot, | 130 ngx_conf_set_sec_slot, |
121 NGX_HTTP_SRV_CONF_OFFSET, | 131 NGX_HTTP_SRV_CONF_OFFSET, |
176 | 186 |
177 { ngx_null_string, NULL, NULL, 0, 0, 0 } | 187 { ngx_null_string, NULL, NULL, 0, 0, 0 } |
178 }; | 188 }; |
179 | 189 |
180 | 190 |
181 static u_char ngx_http_session_id_ctx[] = "HTTP"; | 191 static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP"); |
182 | 192 |
183 | 193 |
184 static ngx_int_t | 194 static ngx_int_t |
185 ngx_http_ssl_static_variable(ngx_http_request_t *r, | 195 ngx_http_ssl_static_variable(ngx_http_request_t *r, |
186 ngx_http_variable_value_t *v, uintptr_t data) | 196 ngx_http_variable_value_t *v, uintptr_t data) |
255 | 265 |
256 | 266 |
257 static void * | 267 static void * |
258 ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) | 268 ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) |
259 { | 269 { |
260 ngx_http_ssl_srv_conf_t *scf; | 270 ngx_http_ssl_srv_conf_t *sscf; |
261 | 271 |
262 scf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t)); | 272 sscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_ssl_srv_conf_t)); |
263 if (scf == NULL) { | 273 if (sscf == NULL) { |
264 return NGX_CONF_ERROR; | 274 return NGX_CONF_ERROR; |
265 } | 275 } |
266 | 276 |
267 /* | 277 /* |
268 * set by ngx_pcalloc(): | 278 * set by ngx_pcalloc(): |
269 * | 279 * |
270 * scf->protocols = 0; | 280 * sscf->protocols = 0; |
271 | 281 * sscf->certificate.len = 0; |
272 * scf->certificate.len = 0; | 282 * sscf->certificate.data = NULL; |
273 * scf->certificate.data = NULL; | 283 * sscf->certificate_key.len = 0; |
274 * scf->certificate_key.len = 0; | 284 * sscf->certificate_key.data = NULL; |
275 * scf->certificate_key.data = NULL; | 285 * sscf->client_certificate.len = 0; |
276 * scf->client_certificate.len = 0; | 286 * sscf->client_certificate.data = NULL; |
277 * scf->client_certificate.data = NULL; | 287 * sscf->ciphers.len = 0; |
278 * scf->ciphers.len = 0; | 288 * sscf->ciphers.data = NULL; |
279 * scf->ciphers.data = NULL; | 289 * sscf->shm_zone = NULL; |
280 */ | 290 */ |
281 | 291 |
282 scf->enable = NGX_CONF_UNSET; | 292 sscf->enable = NGX_CONF_UNSET; |
283 scf->session_timeout = NGX_CONF_UNSET; | 293 sscf->verify = NGX_CONF_UNSET; |
284 scf->verify = NGX_CONF_UNSET; | 294 sscf->verify_depth = NGX_CONF_UNSET; |
285 scf->verify_depth = NGX_CONF_UNSET; | 295 sscf->prefer_server_ciphers = NGX_CONF_UNSET; |
286 scf->prefer_server_ciphers = NGX_CONF_UNSET; | 296 sscf->builtin_session_cache = NGX_CONF_UNSET; |
287 | 297 sscf->session_timeout = NGX_CONF_UNSET; |
288 return scf; | 298 |
299 return sscf; | |
289 } | 300 } |
290 | 301 |
291 | 302 |
292 static char * | 303 static char * |
293 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) | 304 ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) |
328 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS); | 339 ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS); |
329 | 340 |
330 | 341 |
331 conf->ssl.log = cf->log; | 342 conf->ssl.log = cf->log; |
332 | 343 |
333 if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) { | 344 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) { |
334 return NGX_CONF_ERROR; | 345 return NGX_CONF_ERROR; |
335 } | 346 } |
336 | 347 |
337 cln = ngx_pool_cleanup_add(cf->pool, 0); | 348 cln = ngx_pool_cleanup_add(cf->pool, 0); |
338 if (cln == NULL) { | 349 if (cln == NULL) { |
341 | 352 |
342 cln->handler = ngx_ssl_cleanup_ctx; | 353 cln->handler = ngx_ssl_cleanup_ctx; |
343 cln->data = &conf->ssl; | 354 cln->data = &conf->ssl; |
344 | 355 |
345 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, | 356 if (ngx_ssl_certificate(cf, &conf->ssl, &conf->certificate, |
346 &conf->certificate_key) != NGX_OK) | 357 &conf->certificate_key) |
358 != NGX_OK) | |
347 { | 359 { |
348 return NGX_CONF_ERROR; | 360 return NGX_CONF_ERROR; |
349 } | 361 } |
350 | 362 |
351 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, | 363 if (SSL_CTX_set_cipher_list(conf->ssl.ctx, |
357 &conf->ciphers); | 369 &conf->ciphers); |
358 } | 370 } |
359 | 371 |
360 if (conf->verify) { | 372 if (conf->verify) { |
361 if (ngx_ssl_client_certificate(cf, &conf->ssl, | 373 if (ngx_ssl_client_certificate(cf, &conf->ssl, |
362 &conf->client_certificate, conf->verify_depth) | 374 &conf->client_certificate, |
375 conf->verify_depth) | |
363 != NGX_OK) | 376 != NGX_OK) |
364 { | 377 { |
365 return NGX_CONF_ERROR; | 378 return NGX_CONF_ERROR; |
366 } | 379 } |
367 } | 380 } |
377 /* a temporary 512-bit RSA key is required for export versions of MSIE */ | 390 /* a temporary 512-bit RSA key is required for export versions of MSIE */ |
378 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { | 391 if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) { |
379 return NGX_CONF_ERROR; | 392 return NGX_CONF_ERROR; |
380 } | 393 } |
381 | 394 |
382 SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER); | 395 ngx_conf_merge_value(conf->builtin_session_cache, |
383 | 396 prev->builtin_session_cache, |
384 SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx, | 397 NGX_SSL_DFLT_BUILTIN_SCACHE); |
385 sizeof(ngx_http_session_id_ctx) - 1); | 398 |
386 | 399 if (conf->shm_zone == NULL) { |
387 SSL_CTX_set_timeout(conf->ssl.ctx, conf->session_timeout); | 400 conf->shm_zone = prev->shm_zone; |
401 } | |
402 | |
403 if (ngx_ssl_session_cache(&conf->ssl, &ngx_http_ssl_sess_id_ctx, | |
404 conf->builtin_session_cache, | |
405 conf->shm_zone, conf->session_timeout) | |
406 != NGX_OK) | |
407 { | |
408 return NGX_CONF_ERROR; | |
409 } | |
388 | 410 |
389 return NGX_CONF_OK; | 411 return NGX_CONF_OK; |
412 } | |
413 | |
414 | |
415 static char * | |
416 ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) | |
417 { | |
418 ngx_http_ssl_srv_conf_t *sscf = conf; | |
419 | |
420 size_t len; | |
421 ngx_str_t *value, name, size; | |
422 ngx_int_t n; | |
423 ngx_uint_t i, j; | |
424 | |
425 value = cf->args->elts; | |
426 | |
427 for (i = 1; i < cf->args->nelts; i++) { | |
428 | |
429 if (ngx_strcmp(value[i].data, "builtin") == 0) { | |
430 sscf->builtin_session_cache = NGX_SSL_DFLT_BUILTIN_SCACHE; | |
431 continue; | |
432 } | |
433 | |
434 if (value[i].len > sizeof("builtin:") - 1 | |
435 && ngx_strncmp(value[i].data, "builtin:", sizeof("builtin:") - 1) | |
436 == 0) | |
437 { | |
438 n = ngx_atoi(value[i].data + sizeof("builtin:") - 1, | |
439 value[i].len - (sizeof("builtin:") - 1)); | |
440 | |
441 if (n == NGX_ERROR) { | |
442 goto invalid; | |
443 } | |
444 | |
445 sscf->builtin_session_cache = n; | |
446 | |
447 continue; | |
448 } | |
449 | |
450 if (value[i].len > sizeof("shared:") - 1 | |
451 && ngx_strncmp(value[i].data, "shared:", sizeof("shared:") - 1) | |
452 == 0) | |
453 { | |
454 len = 0; | |
455 | |
456 for (j = sizeof("shared:") - 1; j < value[i].len; j++) { | |
457 if (value[i].data[j] == ':') { | |
458 break; | |
459 } | |
460 | |
461 len++; | |
462 } | |
463 | |
464 if (len == 0) { | |
465 goto invalid; | |
466 } | |
467 | |
468 name.len = len; | |
469 name.data = value[i].data + sizeof("shared:") - 1; | |
470 | |
471 size.len = value[i].len - j - 1; | |
472 size.data = name.data + len + 1; | |
473 | |
474 n = ngx_parse_size(&size); | |
475 | |
476 if (n == NGX_ERROR) { | |
477 goto invalid; | |
478 } | |
479 | |
480 if (n < (ngx_int_t) (8 * ngx_pagesize)) { | |
481 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
482 "session cache \"%V\" is too small", | |
483 &value[i]); | |
484 | |
485 return NGX_CONF_ERROR; | |
486 } | |
487 | |
488 sscf->shm_zone = ngx_shared_memory_add(cf, &name, n, | |
489 &ngx_http_ssl_module); | |
490 if (sscf->shm_zone == NULL) { | |
491 return NGX_CONF_ERROR; | |
492 } | |
493 | |
494 continue; | |
495 } | |
496 | |
497 goto invalid; | |
498 } | |
499 | |
500 if (sscf->shm_zone && sscf->builtin_session_cache == NGX_CONF_UNSET) { | |
501 sscf->builtin_session_cache = NGX_SSL_NO_BUILTIN_SCACHE; | |
502 } | |
503 | |
504 return NGX_CONF_OK; | |
505 | |
506 invalid: | |
507 | |
508 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, | |
509 "invalid session cache \"%V\"", &value[i]); | |
510 | |
511 return NGX_CONF_ERROR; | |
390 } | 512 } |
391 | 513 |
392 | 514 |
393 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) | 515 #if !defined (SSL_OP_CIPHER_SERVER_PREFERENCE) |
394 | 516 |
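Review bot: In the new ngx_http_ssl_session_cache, the `shared:` branch never checks that a second ':' was actually found after the zone name. For an argument such as `shared:name` with no size part, the inner loop runs `j` up to `value[i].len`, so `size.len = value[i].len - j - 1` wraps (len is size_t) and `size.data = name.data + len + 1` points one past the end of the argument before `ngx_parse_size(&size)` reads it. The guard a few lines earlier should cover this case too: `if (len == 0 || j == value[i].len) { goto invalid; }`. The value comes from nginx.conf, so the impact is an out-of-bounds read on a misconfigured directive rather than anything remotely reachable, but the parser should still reject it explicitly instead of relying on ngx_parse_size to stop at a byte it does not own.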