comparison src/http/modules/ngx_http_proxy_module.c @ 7730:1a719ee45526
Upstream: proxy_ssl_conf_command and friends.
Similarly to ssl_conf_command, proxy_ssl_conf_command (grpc_ssl_conf_command,
uwsgi_ssl_conf_command) can be used to set arbitrary OpenSSL configuration
parameters as long as nginx is compiled with OpenSSL 1.0.2 or later,
when connecting to upstream servers with SSL. Full list of available
configuration commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 22 Oct 2020 18:00:23 +0300 |
parents | 485dba3e2a01 |
children | 83c4622053b0 |
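--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -125,10 +125,11 @@
 ngx_str_t ssl_trusted_certificate;
 ngx_str_t ssl_crl;
 ngx_str_t ssl_certificate;
 ngx_str_t ssl_certificate_key;
 ngx_array_t *ssl_passwords;
+ngx_array_t *ssl_conf_commands;
 #endif
 } ngx_http_proxy_loc_conf_t;
 
 
 typedef struct {
@@ -227,10 +228,14 @@
 static char *ngx_http_proxy_ssl_password_file(ngx_conf_t *cf,
 ngx_command_t *cmd, void *conf);
 #endif
 
 static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+void *data);
+#endif
 
 static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
 ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
 
 #if (NGX_HTTP_SSL)
@@ -272,10 +277,13 @@
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
 { ngx_null_string, 0 }
 };
 
+static ngx_conf_post_t ngx_http_proxy_ssl_conf_command_post =
+{ ngx_http_proxy_ssl_conf_command_check };
+
 #endif
 
 
 static ngx_conf_enum_t ngx_http_proxy_http_version[] = {
 { ngx_string("1.0"), NGX_HTTP_VERSION_10 },
@@ -761,10 +769,17 @@
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_http_proxy_ssl_password_file,
 NGX_HTTP_LOC_CONF_OFFSET,
 0,
 NULL },
+
+{ ngx_string("proxy_ssl_conf_command"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
+ngx_conf_set_keyval_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_conf_commands),
+&ngx_http_proxy_ssl_conf_command_post },
 
 #endif
 
 ngx_null_command
 };
@@ -3338,10 +3353,11 @@
 conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
 conf->upstream.ssl_server_name = NGX_CONF_UNSET;
 conf->upstream.ssl_verify = NGX_CONF_UNSET;
 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
 conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
 #endif
 
 /* "proxy_cyclic_temp_file" is disabled */
 conf->upstream.cyclic_temp_file = 0;
 
@@ -3684,10 +3700,13 @@
 ngx_conf_merge_str_value(conf->ssl_certificate,
 prev->ssl_certificate, "");
 ngx_conf_merge_str_value(conf->ssl_certificate_key,
 prev->ssl_certificate_key, "");
 ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+
+ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+prev->ssl_conf_commands, NULL);
 
 if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
@@ -4843,10 +4862,21 @@
 }
 
 
 #if (NGX_HTTP_SSL)
 
+static char *
+ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+return "is not supported on this platform";
+#endif
+
+return NGX_CONF_OK;
+}
+
+
 static ngx_int_t
 ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
 {
 ngx_pool_cleanup_t *cln;
 
@@ -4920,10 +4950,16 @@
 != NGX_OK)
 {
 return NGX_ERROR;
 }
 
+if (ngx_ssl_conf_commands(cf, plcf->upstream.ssl, plcf->ssl_conf_commands)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
 return NGX_OK;
 }
 
 #endif
 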
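Review bot: The merge at new lines 3706-3707 uses `ngx_conf_merge_ptr_value`, so the command array is inherited only when the current level sets no `proxy_ssl_conf_command` at all; a location that adds one command drops every command from the http or server level instead of appending to them. That is easy to miss when an outer level carries hardening options, so I would say so next to the merge, e.g. `/* inherited as a whole, and only if this level sets no proxy_ssl_conf_command */`. In `ngx_http_proxy_set_ssl` (its body is only partly visible here) the `ngx_ssl_conf_commands()` call is the last step before `return NGX_OK`, so these commands presumably run after the module's other SSL settings and can override them; if that ordering is intended, the directive documentation should state it.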