annotate auto/os/darwin @ 7732:59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).

In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.

With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.

For example, to reject handshake with names other than example.com,
one can use the following configuration:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;
    }

The following configuration can be used to reject all SSL handshakes
without SNI server name provided:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name ~^;
        ssl_certificate example.crt;
        ssl_certificate_key example.key;
    }

Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 22 Oct 2020 18:02:28 +0300 |
parents | 9fb994513776 |
children |
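
A lint for the certificate rule stated at the end of the commit message, written as an added example (it is not nginx code and not part of this changeset). It assumes a single configuration text with no `include`, certificates set inside each `server` block rather than inherited from the `http` level, and no braces inside `server_name` regexes; the function names and the `nocert.example` block are hypothetical.

```python
import re

def server_blocks(conf):
    """Yield the body of every `server { ... }` block, matched by brace depth."""
    conf = re.sub(r"#[^\n]*", "", conf)                 # strip comments
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body):
    """Map directive name -> list of argument lists, ignoring nested blocks."""
    while re.search(r"\{[^{}]*\}", body):
        body = re.sub(r"\{[^{}]*\}", ";", body)         # drop location {...} bodies
    found = {}
    for stmt in body.split(";"):
        parts = stmt.split()
        if parts:
            found.setdefault(parts[0], []).append(parts[1:])
    return found

def audit(conf):
    """Return (listen, server_index, problem) tuples for the rule in the commit message."""
    sockets = {}
    for idx, body in enumerate(server_blocks(conf)):
        d = directives(body)
        for args in d.get("listen", []):
            if "ssl" in args[1:]:
                sockets.setdefault(args[0], []).append((idx, d, "default_server" in args))
    findings = []
    for addr, servers in sockets.items():
        # The default server is the one marked default_server, else the first listed.
        def_idx, def_d, _ = next((s for s in servers if s[2]), servers[0])
        if "ssl_certificate" in def_d:
            continue
        if ["on"] not in def_d.get("ssl_reject_handshake", []):
            findings.append((addr, def_idx, "default server has no certificate and does not reject handshakes"))
        for idx, d, _ in servers:
            if idx != def_idx and "ssl_certificate" not in d:
                findings.append((addr, idx, "non-default server has no certificate"))
    return findings

# Constructed sample: the commit message's first configuration plus a third block that breaks the rule.
SAMPLE = """
server { listen 443 ssl; ssl_reject_handshake on; }
server { listen 443 ssl; server_name example.com;
         ssl_certificate example.com.crt; ssl_certificate_key example.com.key; }
server { listen 443 ssl; server_name nocert.example; location / { return 204; } }
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```
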
rev | changeset | description | author | parents |
---|---|---|---|---|
2128 | 345a014436d4 | *) move Darwin support to separate files | Igor Sysoev <igor@sysoev.ru> | |
6622 | e393c0bf53d3 | Configure: fix build with -Werror=unused-but-set-variable. | Piotr Sikora <piotrsikora@google.com> | 6383 |
6978 | 9fb994513776 | Enabled IPV6_RECVPKTINFO / IPV6_PKTINFO on macOS. | Sergey Kandaurov <pluknet@nginx.com> | 6622 |

Annotated source of auto/os/darwin (revision, then the line):

```
2128
2128  # Copyright (C) Igor Sysoev
4412  # Copyright (C) Nginx, Inc.
2128
2128
2128  have=NGX_DARWIN . auto/have_headers
2128
2128  CORE_INCS="$UNIX_INCS"
2128  CORE_DEPS="$UNIX_DEPS $DARWIN_DEPS"
2128  CORE_SRCS="$UNIX_SRCS $DARWIN_SRCS"
2128
2128
2128
2128  ngx_spacer='
2128  '
2128
6383  MAIN_LINK=
6383  MODULE_LINK="-shared -Wl,-undefined,dynamic_lookup"
6383
6978  CC_AUX_FLAGS="$CC_AUX_FLAGS -D__APPLE_USE_RFC_3542"
6978
6978
2128  # kqueue
2128
2128  echo " + kqueue found"
2128  have=NGX_HAVE_KQUEUE . auto/have
2128  have=NGX_HAVE_CLEAR_EVENT . auto/have
2128  EVENT_MODULES="$EVENT_MODULES $KQUEUE_MODULE"
2128  CORE_SRCS="$CORE_SRCS $KQUEUE_SRCS"
2128  EVENT_FOUND=YES
2128  NGX_KQUEUE_CHECKED=YES
2128
2128  ngx_feature="kqueue's EVFILT_TIMER"
2128  ngx_feature_name="NGX_HAVE_TIMER_EVENT"
2128  ngx_feature_run=yes
2128  ngx_feature_incs="#include <sys/event.h>
2128                    #include <sys/time.h>"
2128  ngx_feature_path=
2128  ngx_feature_libs=
2128  ngx_feature_test="int      kq;
2128                    struct kevent    kev;
2128                    struct timespec  ts;
2128
2128                    if ((kq = kqueue()) == -1) return 1;
2128
2128                    kev.ident = 0;
2128                    kev.filter = EVFILT_TIMER;
2128                    kev.flags = EV_ADD|EV_ENABLE;
2128                    kev.fflags = 0;
2128                    kev.data = 1000;
2128                    kev.udata = 0;
2128
2128                    ts.tv_sec = 0;
2128                    ts.tv_nsec = 0;
2128
2128                    if (kevent(kq, &kev, 1, &kev, 1, &ts) == -1) return 1;
2128
2128                    if (kev.flags & EV_ERROR) return 1;"
2128
2128  . auto/feature
2128
2128
2128  ngx_feature="Darwin 64-bit kqueue millisecond timeout bug"
2128  ngx_feature_name=NGX_DARWIN_KEVENT_BUG
2128  ngx_feature_run=bug
2128  ngx_feature_incs="#include <sys/event.h>
2128                    #include <sys/time.h>"
2128  ngx_feature_path=
2128  ngx_feature_libs=
2128  ngx_feature_test="int  kq;
2128                    struct kevent    kev;
2128                    struct timespec  ts;
2128                    struct timeval   tv, tv0;
2128
2128                    kq = kqueue();
2128
2128                    ts.tv_sec = 0;
2128                    ts.tv_nsec = 999000000;
2128
2128                    gettimeofday(&tv, 0);
2128                    kevent(kq, NULL, 0, &kev, 1, &ts);
2128                    gettimeofday(&tv0, 0);
2128                    timersub(&tv0, &tv, &tv);
2128
2128                    if (tv.tv_sec * 1000000 + tv.tv_usec < 900000) return 1;"
2128
2128  . auto/feature
2128
2128
2128  # sendfile()
2128
2128  ngx_feature="sendfile()"
2128  ngx_feature_name="NGX_HAVE_SENDFILE"
2128  ngx_feature_run=yes
2128  ngx_feature_incs="#include <sys/types.h>
2128                    #include <sys/socket.h>
2128                    #include <sys/uio.h>
2128                    #include <sys/errno.h>"
2128  ngx_feature_path=
2128  ngx_feature_libs=
2128  ngx_feature_test="int s = 0, fd = 1;
2128                    off_t n; off_t off = 0;
2128                    n = sendfile(s, fd, off, &n, NULL, 0);
2128                    if (n == -1 && errno == ENOSYS) return 1"
2128  . auto/feature
2128
2128  if [ $ngx_found = yes ]; then
2128      CORE_SRCS="$CORE_SRCS $DARWIN_SENDFILE_SRCS"
2128  fi
2128
2128
2128  ngx_feature="atomic(3)"
2128  ngx_feature_name=NGX_DARWIN_ATOMIC
2128  ngx_feature_run=no
2128  ngx_feature_incs="#include <libkern/OSAtomic.h>"
2128  ngx_feature_path=
2128  ngx_feature_libs=
6622  ngx_feature_test="int32_t  lock = 0;
6622                    if (!OSAtomicCompareAndSwap32Barrier(0, 1, &lock)) return 1"
2128  . auto/feature
```