comparison src/http/modules/ngx_http_proxy_module.c @ 8053:9d98d524bd02
Upstream: optimized use of SSL contexts (ticket #1234).
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.
Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.
Similar changes made in uwsgi, grpc, and stream proxy.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 29 Jun 2022 02:47:45 +0300 |
parents | c7e25324be11 |
children | d1cf09451ae8 |
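--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -234,10 +234,12 @@
 
 static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
 ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
 
 #if (NGX_HTTP_SSL)
+static ngx_int_t ngx_http_proxy_merge_ssl(ngx_conf_t *cf,
+ngx_http_proxy_loc_conf_t *conf, ngx_http_proxy_loc_conf_t *prev);
 static ngx_int_t ngx_http_proxy_set_ssl(ngx_conf_t *cf,
 ngx_http_proxy_loc_conf_t *plcf);
 #endif
 static void ngx_http_proxy_set_vars(ngx_url_t *u, ngx_http_proxy_vars_t *v);
 
@@ -957,11 +959,11 @@
 
 if (plcf->proxy_lengths == NULL) {
 ctx->vars = plcf->vars;
 u->schema = plcf->vars.schema;
 #if (NGX_HTTP_SSL)
-u->ssl = (plcf->upstream.ssl != NULL);
+u->ssl = plcf->ssl;
 #endif
 
 } else {
 if (ngx_http_proxy_eval(r, ctx, plcf) != NGX_OK) {
 return NGX_HTTP_INTERNAL_SERVER_ERROR;
@@ -3722,10 +3724,14 @@
 ngx_conf_merge_value(conf->upstream.intercept_errors,
 prev->upstream.intercept_errors, 0);
 
 #if (NGX_HTTP_SSL)
 
+if (ngx_http_proxy_merge_ssl(cf, conf, prev) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+
 ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
 prev->upstream.ssl_session_reuse, 1);
 
 ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
@@ -3855,11 +3861,11 @@
 
 conf->proxy_lengths = prev->proxy_lengths;
 conf->proxy_values = prev->proxy_values;
 
 #if (NGX_HTTP_SSL)
-conf->upstream.ssl = prev->upstream.ssl;
+conf->ssl = prev->ssl;
 #endif
 }
 
 if (clcf->lmt_excpt && clcf->handler == NULL
 && (conf->upstream.upstream || conf->proxy_lengths))
@@ -4921,20 +4927,66 @@
 #endif
 }
 
 
 static ngx_int_t
+ngx_http_proxy_merge_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf,
+ngx_http_proxy_loc_conf_t *prev)
+{
+ngx_uint_t preserve;
+
+if (conf->ssl_protocols == 0
+&& conf->ssl_ciphers.data == NULL
+&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_verify == NGX_CONF_UNSET
+&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
+&& conf->ssl_trusted_certificate.data == NULL
+&& conf->ssl_crl.data == NULL
+&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
+&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
+{
+if (prev->upstream.ssl) {
+conf->upstream.ssl = prev->upstream.ssl;
+return NGX_OK;
+}
+
+preserve = 1;
+
+} else {
+preserve = 0;
+}
+
+conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
+if (conf->upstream.ssl == NULL) {
+return NGX_ERROR;
+}
+
+conf->upstream.ssl->log = cf->log;
+
+/*
+* special handling to preserve conf->upstream.ssl
+* in the "http" section to inherit it to all servers
+*/
+
+if (preserve) {
+prev->upstream.ssl = conf->upstream.ssl;
+}
+
+return NGX_OK;
+}
+
+
+static ngx_int_t
 ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
 {
 ngx_pool_cleanup_t *cln;
 
-plcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
-if (plcf->upstream.ssl == NULL) {
-return NGX_ERROR;
-}
-
-plcf->upstream.ssl->log = cf->log;
+if (plcf->upstream.ssl->ctx) {
+return NGX_OK;
+}
 
 if (ngx_ssl_create(plcf->upstream.ssl, plcf->ssl_protocols, NULL)
 != NGX_OK)
 {
 return NGX_ERROR;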
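Review bot: The long `if` at the top of `ngx_http_proxy_merge_ssl()` now decides whether a configuration level builds its own SSL context or shares its parent's, yet nothing states that it has to test every setting the context is built from. A `proxy_ssl_*` directive that feeds the context but is missing from this list would leave a block that redefines only that directive on the shared context, so its certificate or verification settings may not be the ones actually applied to upstream connections. I would put a comment above the condition such as `/* must cover every directive used by ngx_http_proxy_set_ssl(), and must run before those fields are merged */`; the ordering half matters because the test relies on unset values, and the call in the merge hunk (new line 3729) sits ahead of the `ngx_conf_merge_*` calls for that reason. In `ngx_http_proxy_set_ssl()` the new `plcf->upstream.ssl->ctx` test dereferences a pointer the function no longer allocates, so it depends on the merge step having run; the callers and the rest of the body are outside the visible hunks, so a one-line comment recording that precondition would help.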