Mercurial > hg > nginx
view src/stream/ngx_stream_ssl_preread_module.c @ 8045:aa28c802409f
Resolver: make TCP write timer event cancelable.
Similar to 70e65bf8dfd7, the change is made to ensure that the ability to
cancel resolver tasks is fully controlled by the caller. As mentioned in the
referenced commit, it is safe to make this timer cancelable because resolve
tasks can have their own timeouts that are not cancelable.
The scenario where this may become a problem is a periodic background resolve
task (not tied to a specific request or a client connection), which receives a
response with short TTL, large enough to warrant fallback to a TCP query.
With each event loop wakeup, we either have a previously set write timer
instance or schedule a new one. The non-cancelable write timer can delay or
block graceful shutdown of a worker even if the ngx_resolver_ctx_t->cancelable
flag is set by the API user, and there are no other tasks or connections.
We use the resolver API in this way to maintain the list of upstream server
addresses specified with the 'resolve' parameter, and there could be third-party
modules implementing similar logic.
author | Aleksei Bavshin <a.bavshin@f5.com> |
---|---|
date | Wed, 01 Jun 2022 20:17:23 -0700 |
parents | 6649d4433266 |
children |
line wrap: on
line source
/* * Copyright (C) Nginx, Inc. */ #include <ngx_config.h> #include <ngx_core.h> #include <ngx_stream.h> typedef struct { ngx_flag_t enabled; } ngx_stream_ssl_preread_srv_conf_t; typedef struct { size_t left; size_t size; size_t ext; u_char *pos; u_char *dst; u_char buf[4]; u_char version[2]; ngx_str_t host; ngx_str_t alpn; ngx_log_t *log; ngx_pool_t *pool; ngx_uint_t state; } ngx_stream_ssl_preread_ctx_t; static ngx_int_t ngx_stream_ssl_preread_handler(ngx_stream_session_t *s); static ngx_int_t ngx_stream_ssl_preread_parse_record( ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last); static ngx_int_t ngx_stream_ssl_preread_protocol_variable( ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_stream_ssl_preread_server_name_variable( ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable( ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_stream_ssl_preread_add_variables(ngx_conf_t *cf); static void *ngx_stream_ssl_preread_create_srv_conf(ngx_conf_t *cf); static char *ngx_stream_ssl_preread_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child); static ngx_int_t ngx_stream_ssl_preread_init(ngx_conf_t *cf); static ngx_command_t ngx_stream_ssl_preread_commands[] = { { ngx_string("ssl_preread"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG, ngx_conf_set_flag_slot, NGX_STREAM_SRV_CONF_OFFSET, offsetof(ngx_stream_ssl_preread_srv_conf_t, enabled), NULL }, ngx_null_command }; static ngx_stream_module_t ngx_stream_ssl_preread_module_ctx = { ngx_stream_ssl_preread_add_variables, /* preconfiguration */ ngx_stream_ssl_preread_init, /* postconfiguration */ NULL, /* create main configuration */ NULL, /* init main configuration */ ngx_stream_ssl_preread_create_srv_conf, /* create server configuration */ ngx_stream_ssl_preread_merge_srv_conf /* merge server configuration */ }; ngx_module_t ngx_stream_ssl_preread_module = { NGX_MODULE_V1, &ngx_stream_ssl_preread_module_ctx, /* module context */ ngx_stream_ssl_preread_commands, /* module directives */ NGX_STREAM_MODULE, /* module type */ NULL, /* init master */ NULL, /* init module */ NULL, /* init process */ NULL, /* init thread */ NULL, /* exit thread */ NULL, /* exit process */ NULL, /* exit master */ NGX_MODULE_V1_PADDING }; static ngx_stream_variable_t ngx_stream_ssl_preread_vars[] = { { ngx_string("ssl_preread_protocol"), NULL, ngx_stream_ssl_preread_protocol_variable, 0, 0, 0 }, { ngx_string("ssl_preread_server_name"), NULL, ngx_stream_ssl_preread_server_name_variable, 0, 0, 0 }, { ngx_string("ssl_preread_alpn_protocols"), NULL, ngx_stream_ssl_preread_alpn_protocols_variable, 0, 0, 0 }, ngx_stream_null_variable }; static ngx_int_t ngx_stream_ssl_preread_handler(ngx_stream_session_t *s) { u_char *last, *p; size_t len; ngx_int_t rc; ngx_connection_t *c; ngx_stream_ssl_preread_ctx_t *ctx; ngx_stream_ssl_preread_srv_conf_t *sscf; c = s->connection; ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, "ssl preread handler"); sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_preread_module); if (!sscf->enabled) { return NGX_DECLINED; } if (c->type != SOCK_STREAM) { return NGX_DECLINED; } if (c->buffer == NULL) { return NGX_AGAIN; } ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module); if (ctx == NULL) { ctx = ngx_pcalloc(c->pool, sizeof(ngx_stream_ssl_preread_ctx_t)); if (ctx == NULL) { return NGX_ERROR; } ngx_stream_set_ctx(s, ctx, ngx_stream_ssl_preread_module); ctx->pool = c->pool; ctx->log = c->log; ctx->pos = c->buffer->pos; } p = ctx->pos; last = c->buffer->last; while (last - p >= 5) { if ((p[0] & 0x80) && p[2] == 1 && (p[3] == 0 || p[3] == 3)) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: version 2 ClientHello"); ctx->version[0] = p[3]; ctx->version[1] = p[4]; return NGX_OK; } if (p[0] != 0x16) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: not a handshake"); ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module); return NGX_DECLINED; } if (p[1] != 3) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: unsupported SSL version"); ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module); return NGX_DECLINED; } len = (p[3] << 8) + p[4]; /* read the whole record before parsing */ if ((size_t) (last - p) < len + 5) { break; } p += 5; rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len); if (rc == NGX_DECLINED) { ngx_stream_set_ctx(s, NULL, ngx_stream_ssl_preread_module); return NGX_DECLINED; } if (rc != NGX_AGAIN) { return rc; } p += len; } ctx->pos = p; return NGX_AGAIN; } static ngx_int_t ngx_stream_ssl_preread_parse_record(ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last) { size_t left, n, size, ext; u_char *dst, *p; enum { sw_start = 0, sw_header, /* handshake msg_type, length */ sw_version, /* client_version */ sw_random, /* random */ sw_sid_len, /* session_id length */ sw_sid, /* session_id */ sw_cs_len, /* cipher_suites length */ sw_cs, /* cipher_suites */ sw_cm_len, /* compression_methods length */ sw_cm, /* compression_methods */ sw_ext, /* extension */ sw_ext_header, /* extension_type, extension_data length */ sw_sni_len, /* SNI length */ sw_sni_host_head, /* SNI name_type, host_name length */ sw_sni_host, /* SNI host_name */ sw_alpn_len, /* ALPN length */ sw_alpn_proto_len, /* ALPN protocol_name length */ sw_alpn_proto_data, /* ALPN protocol_name */ sw_supver_len /* supported_versions length */ } state; ngx_log_debug2(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: state %ui left %z", ctx->state, ctx->left); state = ctx->state; size = ctx->size; left = ctx->left; ext = ctx->ext; dst = ctx->dst; p = ctx->buf; for ( ;; ) { n = ngx_min((size_t) (last - pos), size); if (dst) { dst = ngx_cpymem(dst, pos, n); } pos += n; size -= n; left -= n; if (size != 0) { break; } switch (state) { case sw_start: state = sw_header; dst = p; size = 4; left = size; break; case sw_header: if (p[0] != 1) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: not a client hello"); return NGX_DECLINED; } state = sw_version; dst = ctx->version; size = 2; left = (p[1] << 16) + (p[2] << 8) + p[3]; break; case sw_version: state = sw_random; dst = NULL; size = 32; break; case sw_random: state = sw_sid_len; dst = p; size = 1; break; case sw_sid_len: state = sw_sid; dst = NULL; size = p[0]; break; case sw_sid: state = sw_cs_len; dst = p; size = 2; break; case sw_cs_len: state = sw_cs; dst = NULL; size = (p[0] << 8) + p[1]; break; case sw_cs: state = sw_cm_len; dst = p; size = 1; break; case sw_cm_len: state = sw_cm; dst = NULL; size = p[0]; break; case sw_cm: if (left == 0) { /* no extensions */ return NGX_OK; } state = sw_ext; dst = p; size = 2; break; case sw_ext: if (left == 0) { return NGX_OK; } state = sw_ext_header; dst = p; size = 4; break; case sw_ext_header: if (p[0] == 0 && p[1] == 0 && ctx->host.data == NULL) { /* SNI extension */ state = sw_sni_len; dst = p; size = 2; break; } if (p[0] == 0 && p[1] == 16 && ctx->alpn.data == NULL) { /* ALPN extension */ state = sw_alpn_len; dst = p; size = 2; break; } if (p[0] == 0 && p[1] == 43) { /* supported_versions extension */ state = sw_supver_len; dst = p; size = 1; break; } state = sw_ext; dst = NULL; size = (p[2] << 8) + p[3]; break; case sw_sni_len: ext = (p[0] << 8) + p[1]; state = sw_sni_host_head; dst = p; size = 3; break; case sw_sni_host_head: if (p[0] != 0) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: SNI hostname type is not DNS"); return NGX_DECLINED; } size = (p[1] << 8) + p[2]; if (ext < 3 + size) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: SNI format error"); return NGX_DECLINED; } ext -= 3 + size; ctx->host.data = ngx_pnalloc(ctx->pool, size); if (ctx->host.data == NULL) { return NGX_ERROR; } state = sw_sni_host; dst = ctx->host.data; break; case sw_sni_host: ctx->host.len = (p[1] << 8) + p[2]; ngx_log_debug1(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: SNI hostname \"%V\"", &ctx->host); state = sw_ext; dst = NULL; size = ext; break; case sw_alpn_len: ext = (p[0] << 8) + p[1]; ctx->alpn.data = ngx_pnalloc(ctx->pool, ext); if (ctx->alpn.data == NULL) { return NGX_ERROR; } state = sw_alpn_proto_len; dst = p; size = 1; break; case sw_alpn_proto_len: size = p[0]; if (size == 0) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: ALPN empty protocol"); return NGX_DECLINED; } if (ext < 1 + size) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: ALPN format error"); return NGX_DECLINED; } ext -= 1 + size; state = sw_alpn_proto_data; dst = ctx->alpn.data + ctx->alpn.len; break; case sw_alpn_proto_data: ctx->alpn.len += p[0]; ngx_log_debug1(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: ALPN protocols \"%V\"", &ctx->alpn); if (ext) { ctx->alpn.data[ctx->alpn.len++] = ','; state = sw_alpn_proto_len; dst = p; size = 1; break; } state = sw_ext; dst = NULL; size = 0; break; case sw_supver_len: ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: supported_versions"); /* set TLSv1.3 */ ctx->version[0] = 3; ctx->version[1] = 4; state = sw_ext; dst = NULL; size = p[0]; break; } if (left < size) { ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0, "ssl preread: failed to parse handshake"); return NGX_DECLINED; } } ctx->state = state; ctx->size = size; ctx->left = left; ctx->ext = ext; ctx->dst = dst; return NGX_AGAIN; } static ngx_int_t ngx_stream_ssl_preread_protocol_variable(ngx_stream_session_t *s, ngx_variable_value_t *v, uintptr_t data) { ngx_str_t version; ngx_stream_ssl_preread_ctx_t *ctx; ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module); if (ctx == NULL) { v->not_found = 1; return NGX_OK; } /* SSL_get_version() format */ ngx_str_null(&version); switch (ctx->version[0]) { case 0: switch (ctx->version[1]) { case 2: ngx_str_set(&version, "SSLv2"); break; } break; case 3: switch (ctx->version[1]) { case 0: ngx_str_set(&version, "SSLv3"); break; case 1: ngx_str_set(&version, "TLSv1"); break; case 2: ngx_str_set(&version, "TLSv1.1"); break; case 3: ngx_str_set(&version, "TLSv1.2"); break; case 4: ngx_str_set(&version, "TLSv1.3"); break; } } v->valid = 1; v->no_cacheable = 0; v->not_found = 0; v->len = version.len; v->data = version.data; return NGX_OK; } static ngx_int_t ngx_stream_ssl_preread_server_name_variable(ngx_stream_session_t *s, ngx_variable_value_t *v, uintptr_t data) { ngx_stream_ssl_preread_ctx_t *ctx; ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module); if (ctx == NULL) { v->not_found = 1; return NGX_OK; } v->valid = 1; v->no_cacheable = 0; v->not_found = 0; v->len = ctx->host.len; v->data = ctx->host.data; return NGX_OK; } static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable(ngx_stream_session_t *s, ngx_variable_value_t *v, uintptr_t data) { ngx_stream_ssl_preread_ctx_t *ctx; ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module); if (ctx == NULL) { v->not_found = 1; return NGX_OK; } v->valid = 1; v->no_cacheable = 0; v->not_found = 0; v->len = ctx->alpn.len; v->data = ctx->alpn.data; return NGX_OK; } static ngx_int_t ngx_stream_ssl_preread_add_variables(ngx_conf_t *cf) { ngx_stream_variable_t *var, *v; for (v = ngx_stream_ssl_preread_vars; v->name.len; v++) { var = ngx_stream_add_variable(cf, &v->name, v->flags); if (var == NULL) { return NGX_ERROR; } var->get_handler = v->get_handler; var->data = v->data; } return NGX_OK; } static void * ngx_stream_ssl_preread_create_srv_conf(ngx_conf_t *cf) { ngx_stream_ssl_preread_srv_conf_t *conf; conf = ngx_pcalloc(cf->pool, sizeof(ngx_stream_ssl_preread_srv_conf_t)); if (conf == NULL) { return NULL; } conf->enabled = NGX_CONF_UNSET; return conf; } static char * ngx_stream_ssl_preread_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) { ngx_stream_ssl_preread_srv_conf_t *prev = parent; ngx_stream_ssl_preread_srv_conf_t *conf = child; ngx_conf_merge_value(conf->enabled, prev->enabled, 0); return NGX_CONF_OK; } static ngx_int_t ngx_stream_ssl_preread_init(ngx_conf_t *cf) { ngx_stream_handler_pt *h; ngx_stream_core_main_conf_t *cmcf; cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module); h = ngx_array_push(&cmcf->phases[NGX_STREAM_PREREAD_PHASE].handlers); if (h == NULL) { return NGX_ERROR; } *h = ngx_stream_ssl_preread_handler; return NGX_OK; }