comparison src/http/modules/ngx_http_proxy_module.c @ 8053:9d98d524bd02

Upstream: optimized use of SSL contexts (ticket #1234). To ensure optimal use of memory, SSL contexts for proxying are now inherited from previous levels as long as relevant proxy_ssl_* directives are not redefined. Further, when no proxy_ssl_* directives are redefined in a server block, we now preserve plcf->upstream.ssl in the "http" section configuration to inherit it to all servers. Similar changes made in uwsgi, grpc, and stream proxy.
author Maxim Dounin <mdounin@mdounin.ru>
date Wed, 29 Jun 2022 02:47:45 +0300
parents c7e25324be11
children d1cf09451ae8
8052:e210c8942a54 8053:9d98d524bd02
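--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -234,10 +234,12 @@
 
 static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
 ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
 
 #if (NGX_HTTP_SSL)
+static ngx_int_t ngx_http_proxy_merge_ssl(ngx_conf_t *cf,
+ngx_http_proxy_loc_conf_t *conf, ngx_http_proxy_loc_conf_t *prev);
 static ngx_int_t ngx_http_proxy_set_ssl(ngx_conf_t *cf,
 ngx_http_proxy_loc_conf_t *plcf);
 #endif
 static void ngx_http_proxy_set_vars(ngx_url_t *u, ngx_http_proxy_vars_t *v);
 
@@ -957,11 +959,11 @@
 
 if (plcf->proxy_lengths == NULL) {
 ctx->vars = plcf->vars;
 u->schema = plcf->vars.schema;
 #if (NGX_HTTP_SSL)
-u->ssl = (plcf->upstream.ssl != NULL);
+u->ssl = plcf->ssl;
 #endif
 
 } else {
 if (ngx_http_proxy_eval(r, ctx, plcf) != NGX_OK) {
 return NGX_HTTP_INTERNAL_SERVER_ERROR;
@@ -3722,10 +3724,14 @@
 ngx_conf_merge_value(conf->upstream.intercept_errors,
 prev->upstream.intercept_errors, 0);
 
 #if (NGX_HTTP_SSL)
 
+if (ngx_http_proxy_merge_ssl(cf, conf, prev) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+
 ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
 prev->upstream.ssl_session_reuse, 1);
 
 ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
@@ -3855,11 +3861,11 @@
 
 conf->proxy_lengths = prev->proxy_lengths;
 conf->proxy_values = prev->proxy_values;
 
 #if (NGX_HTTP_SSL)
-conf->upstream.ssl = prev->upstream.ssl;
+conf->ssl = prev->ssl;
 #endif
 }
 
 if (clcf->lmt_excpt && clcf->handler == NULL
 && (conf->upstream.upstream || conf->proxy_lengths))
@@ -4921,20 +4927,66 @@
 #endif
 }
 
 
 static ngx_int_t
+ngx_http_proxy_merge_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf,
+ngx_http_proxy_loc_conf_t *prev)
+{
+ngx_uint_t preserve;
+
+if (conf->ssl_protocols == 0
+&& conf->ssl_ciphers.data == NULL
+&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_verify == NGX_CONF_UNSET
+&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
+&& conf->ssl_trusted_certificate.data == NULL
+&& conf->ssl_crl.data == NULL
+&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
+&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
+{
+if (prev->upstream.ssl) {
+conf->upstream.ssl = prev->upstream.ssl;
+return NGX_OK;
+}
+
+preserve = 1;
+
+} else {
+preserve = 0;
+}
+
+conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
+if (conf->upstream.ssl == NULL) {
+return NGX_ERROR;
+}
+
+conf->upstream.ssl->log = cf->log;
+
+/*
+* special handling to preserve conf->upstream.ssl
+* in the "http" section to inherit it to all servers
+*/
+
+if (preserve) {
+prev->upstream.ssl = conf->upstream.ssl;
+}
+
+return NGX_OK;
+}
+
+
+static ngx_int_t
 ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
 {
 ngx_pool_cleanup_t *cln;
 
-plcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
-if (plcf->upstream.ssl == NULL) {
-return NGX_ERROR;
-}
-
-plcf->upstream.ssl->log = cf->log;
+if (plcf->upstream.ssl->ctx) {
+return NGX_OK;
+}
 
 if (ngx_ssl_create(plcf->upstream.ssl, plcf->ssl_protocols, NULL)
 != NGX_OK)
 {
 return NGX_ERROR;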
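Review bot: The early return `if (plcf->upstream.ssl->ctx) { return NGX_OK; }` in ngx_http_proxy_set_ssl means a level that shares an inherited ngx_ssl_t never applies its own settings, so correctness rests on the unset-check list at the top of ngx_http_proxy_merge_ssl naming every directive that feeds the context. A directive later added to the context setup but left out of that list would presumably be ignored at levels that redefine it, which would matter most for verification and trust settings. I would put a comment above the condition, e.g. `/* must list every proxy_ssl_* setting used to build the SSL context; a missing one lets a level that redefines it reuse the parent's context */`, and say there that the call has to stay ahead of the `ngx_conf_merge_*` calls because the check relies on the fields still being unset. The new dereference of `plcf->upstream.ssl` also assumes ngx_http_proxy_merge_ssl has always run first; the call site of ngx_http_proxy_set_ssl and the rest of its body are outside the visible hunks.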