Mercurial > hg > nginx
comparison src/stream/ngx_stream_proxy_module.c @ 7320:696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time. Therefore we use a callback to save the session
when we know about it. This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.
Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback. To preserve API, the session is
cached in c->ssl->session. It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
| author | Sergey Kandaurov <pluknet@nginx.com> |
|---|---|
| date | Tue, 17 Jul 2018 12:53:23 +0300 |
| parents | d27aa9060c95 |
| children | 8b68d50090e4 |
comparison
equal
deleted
inserted
replaced
| 7319:dcab86115261 | 7320:696df3ac27ac |
|---|---|
| 90 static ngx_int_t ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s); | 90 static ngx_int_t ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s); |
| 91 static char *ngx_stream_proxy_ssl_password_file(ngx_conf_t *cf, | 91 static char *ngx_stream_proxy_ssl_password_file(ngx_conf_t *cf, |
| 92 ngx_command_t *cmd, void *conf); | 92 ngx_command_t *cmd, void *conf); |
| 93 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s); | 93 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s); |
| 94 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc); | 94 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc); |
| 95 static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c); | |
| 95 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s); | 96 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s); |
| 96 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf, | 97 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf, |
| 97 ngx_stream_proxy_srv_conf_t *pscf); | 98 ngx_stream_proxy_srv_conf_t *pscf); |
| 98 | 99 |
| 99 | 100 |
| 1006 return; | 1007 return; |
| 1007 } | 1008 } |
| 1008 } | 1009 } |
| 1009 | 1010 |
| 1010 if (pscf->ssl_session_reuse) { | 1011 if (pscf->ssl_session_reuse) { |
| 1012 pc->ssl->save_session = ngx_stream_proxy_ssl_save_session; | |
| 1013 | |
| 1011 if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { | 1014 if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { |
| 1012 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | 1015 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); |
| 1013 return; | 1016 return; |
| 1014 } | 1017 } |
| 1015 } | 1018 } |
| 1064 &u->ssl_name); | 1067 &u->ssl_name); |
| 1065 goto failed; | 1068 goto failed; |
| 1066 } | 1069 } |
| 1067 } | 1070 } |
| 1068 | 1071 |
| 1069 if (pscf->ssl_session_reuse) { | |
| 1070 u = s->upstream; | |
| 1071 u->peer.save_session(&u->peer, u->peer.data); | |
| 1072 } | |
| 1073 | |
| 1074 if (pc->write->timer_set) { | 1072 if (pc->write->timer_set) { |
| 1075 ngx_del_timer(pc->write); | 1073 ngx_del_timer(pc->write); |
| 1076 } | 1074 } |
| 1077 | 1075 |
| 1078 ngx_stream_proxy_init_upstream(s); | 1076 ngx_stream_proxy_init_upstream(s); |
| 1081 } | 1079 } |
| 1082 | 1080 |
| 1083 failed: | 1081 failed: |
| 1084 | 1082 |
| 1085 ngx_stream_proxy_next_upstream(s); | 1083 ngx_stream_proxy_next_upstream(s); |
| 1084 } | |
| 1085 | |
| 1086 | |
| 1087 static void | |
| 1088 ngx_stream_proxy_ssl_save_session(ngx_connection_t *c) | |
| 1089 { | |
| 1090 ngx_stream_session_t *s; | |
| 1091 ngx_stream_upstream_t *u; | |
| 1092 | |
| 1093 s = c->data; | |
| 1094 u = s->upstream; | |
| 1095 | |
| 1096 u->peer.save_session(&u->peer, u->peer.data); | |
| 1086 } | 1097 } |
| 1087 | 1098 |
| 1088 | 1099 |
| 1089 static ngx_int_t | 1100 static ngx_int_t |
| 1090 ngx_stream_proxy_ssl_name(ngx_stream_session_t *s) | 1101 ngx_stream_proxy_ssl_name(ngx_stream_session_t *s) |
| 2049 if (ngx_ssl_crl(cf, pscf->ssl, &pscf->ssl_crl) != NGX_OK) { | 2060 if (ngx_ssl_crl(cf, pscf->ssl, &pscf->ssl_crl) != NGX_OK) { |
| 2050 return NGX_ERROR; | 2061 return NGX_ERROR; |
| 2051 } | 2062 } |
| 2052 } | 2063 } |
| 2053 | 2064 |
| 2065 if (ngx_ssl_client_session_cache(cf, pscf->ssl, pscf->ssl_session_reuse) | |
| 2066 != NGX_OK) | |
| 2067 { | |
| 2068 return NGX_ERROR; | |
| 2069 } | |
| 2070 | |
| 2054 return NGX_OK; | 2071 return NGX_OK; |
| 2055 } | 2072 } |
| 2056 | 2073 |
| 2057 #endif | 2074 #endif |
| 2058 | 2075 |