comparison src/http/modules/ngx_http_uwsgi_module.c @ 8053:9d98d524bd02
Upstream: optimized use of SSL contexts (ticket #1234).
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.
Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.
Similar changes made in uwsgi, grpc, and stream proxy.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Wed, 29 Jun 2022 02:47:45 +0300 |
parents | c7e25324be11 |
children | d1cf09451ae8 |
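--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -94,10 +94,12 @@
 #if (NGX_HTTP_SSL)
 static char *ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf,
 ngx_command_t *cmd, void *conf);
 static char *ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post,
 void *data);
+static ngx_int_t ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf,
+ngx_http_uwsgi_loc_conf_t *conf, ngx_http_uwsgi_loc_conf_t *prev);
 static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf,
 ngx_http_uwsgi_loc_conf_t *uwcf);
 #endif
 
 
@@ -666,11 +668,11 @@
 u = r->upstream;
 
 if (uwcf->uwsgi_lengths == NULL) {
 
 #if (NGX_HTTP_SSL)
-u->ssl = (uwcf->upstream.ssl != NULL);
+u->ssl = uwcf->ssl;
 
 if (u->ssl) {
 ngx_str_set(&u->schema, "suwsgi://");
 
 } else {
@@ -1863,10 +1865,14 @@
 ngx_conf_merge_value(conf->upstream.intercept_errors,
 prev->upstream.intercept_errors, 0);
 
 #if (NGX_HTTP_SSL)
 
+if (ngx_http_uwsgi_merge_ssl(cf, conf, prev) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+
 ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
 prev->upstream.ssl_session_reuse, 1);
 
 ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
 (NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
@@ -1925,11 +1931,11 @@
 
 conf->uwsgi_lengths = prev->uwsgi_lengths;
 conf->uwsgi_values = prev->uwsgi_values;
 
 #if (NGX_HTTP_SSL)
-conf->upstream.ssl = prev->upstream.ssl;
+conf->ssl = prev->ssl;
 #endif
 }
 
 if (clcf->lmt_excpt && clcf->handler == NULL
 && (conf->upstream.upstream || conf->uwsgi_lengths))
@@ -2453,20 +2459,66 @@
 #endif
 }
 
 
 static ngx_int_t
+ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *conf,
+ngx_http_uwsgi_loc_conf_t *prev)
+{
+ngx_uint_t preserve;
+
+if (conf->ssl_protocols == 0
+&& conf->ssl_ciphers.data == NULL
+&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+&& conf->upstream.ssl_verify == NGX_CONF_UNSET
+&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
+&& conf->ssl_trusted_certificate.data == NULL
+&& conf->ssl_crl.data == NULL
+&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
+&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
+{
+if (prev->upstream.ssl) {
+conf->upstream.ssl = prev->upstream.ssl;
+return NGX_OK;
+}
+
+preserve = 1;
+
+} else {
+preserve = 0;
+}
+
+conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
+if (conf->upstream.ssl == NULL) {
+return NGX_ERROR;
+}
+
+conf->upstream.ssl->log = cf->log;
+
+/*
+* special handling to preserve conf->upstream.ssl
+* in the "http" section to inherit it to all servers
+*/
+
+if (preserve) {
+prev->upstream.ssl = conf->upstream.ssl;
+}
+
+return NGX_OK;
+}
+
+
+static ngx_int_t
 ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
 {
 ngx_pool_cleanup_t *cln;
 
-uwcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
-if (uwcf->upstream.ssl == NULL) {
-return NGX_ERROR;
-}
-
-uwcf->upstream.ssl->log = cf->log;
+if (uwcf->upstream.ssl->ctx) {
+return NGX_OK;
+}
 
 if (ngx_ssl_create(uwcf->upstream.ssl, uwcf->ssl_protocols, NULL)
 != NGX_OK)
 {
 return NGX_ERROR;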
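Review bot: The inheritance test at the top of `ngx_http_uwsgi_merge_ssl()` is a hand-maintained list of eleven "unset" checks, and nothing in the new code ties it to the settings applied when the context is built in `ngx_http_uwsgi_set_ssl()`, most of which lies outside the visible lines. If a context-affecting directive is ever missing from that list, a location that redefines it would silently reuse `prev->upstream.ssl`, so its own verification, trust or protocol settings would not take effect on upstream connections. The test also depends on call order: it works only because the call in the merge function sits ahead of the `ngx_conf_merge_value()` calls for these fields, after which none of them is unset any more. I would add a comment above the condition, for example `/* must cover every directive applied in ngx_http_uwsgi_set_ssl(); call before these fields are merged */`. Separately, `ngx_http_uwsgi_set_ssl()` now reads `uwcf->upstream.ssl->ctx` without allocating or checking for NULL, so it relies on the merge helper having run first; its call site is not visible here, and that precondition deserves a one-line comment as well.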