SSL: disabled renegotiation detection in client mode.
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation). On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.
On the client side the situation is different though. There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems. This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).
Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt. This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.
author | Sergey Kandaurov <pluknet@nginx.com> |
date | Tue, 18 Apr 2017 16:08:44 +0300 |
parents | 54cf51c4f07a |
children | 5a3ab1b5804b |
/*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */


/*
 * Public interface of the stream upstream module: the NGX_STREAM_UPSTREAM_*
 * flag bits, the configuration structures (main/server level), the
 * per-session upstream state (ngx_stream_upstream_t) and the
 * ngx_stream_upstream_add() helper used by modules that reference an
 * upstream{} block.
 */

#ifndef _NGX_STREAM_UPSTREAM_H_INCLUDED_
#define _NGX_STREAM_UPSTREAM_H_INCLUDED_


#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_stream.h>
#include <ngx_event_connect.h>


/*
 * Flag bits passed as "flags" to ngx_stream_upstream_add() (declared at the
 * bottom of this header).  Their names mirror the fields of
 * ngx_stream_upstream_server_t, so they presumably declare which "server"
 * parameters the caller accepts -- confirm in ngx_stream_upstream.c.
 * Note that 0x0040 and 0x0080 are not assigned in this header.
 */

#define NGX_STREAM_UPSTREAM_CREATE        0x0001
#define NGX_STREAM_UPSTREAM_WEIGHT        0x0002
#define NGX_STREAM_UPSTREAM_MAX_FAILS     0x0004
#define NGX_STREAM_UPSTREAM_FAIL_TIMEOUT  0x0008
#define NGX_STREAM_UPSTREAM_DOWN          0x0010
#define NGX_STREAM_UPSTREAM_BACKUP        0x0020
#define NGX_STREAM_UPSTREAM_MAX_CONNS     0x0100


/*
 * Introduced by "Stream: speed up TCP peer recovery".  NOTE(review): the
 * value 0x1 collides with NGX_STREAM_UPSTREAM_CREATE, so this is presumably
 * used with a different flags word than the bits above -- do not OR the two
 * sets together; confirm against the callers.
 */
#define NGX_STREAM_UPSTREAM_NOTIFY_CONNECT  0x1
/*
 * Main-level configuration of the upstream module.  "upstreams" is an array
 * of ngx_stream_upstream_srv_conf_t (per the original comment), presumably
 * one element per upstream{} block.
 */
typedef struct {
    ngx_array_t                      upstreams;
                                         /* ngx_stream_upstream_srv_conf_t */
} ngx_stream_upstream_main_conf_t;


/* forward declaration; the struct body is defined further down */
typedef struct ngx_stream_upstream_srv_conf_s  ngx_stream_upstream_srv_conf_t;


/*
 * Hook types an upstream (load-balancing) implementation provides:
 *
 *   ngx_stream_upstream_init_pt      - configuration-time initialisation,
 *                                      called with the conf context and the
 *                                      upstream's server configuration;
 *   ngx_stream_upstream_init_peer_pt - per-session initialisation, called
 *                                      with the stream session.
 *
 * Both return ngx_int_t, presumably NGX_OK / NGX_ERROR as elsewhere in nginx.
 */
typedef ngx_int_t (*ngx_stream_upstream_init_pt)(ngx_conf_t *cf,
    ngx_stream_upstream_srv_conf_t *us);
typedef ngx_int_t (*ngx_stream_upstream_init_peer_pt)(ngx_stream_session_t *s,
    ngx_stream_upstream_srv_conf_t *us);


/* hooks and private data of the upstream implementation attached to a
 * server configuration (ngx_stream_upstream_srv_conf_t.peer) */
typedef struct {
    ngx_stream_upstream_init_pt      init_upstream;  /* configuration time */
    ngx_stream_upstream_init_peer_pt init;           /* per session */
    void                            *data;           /* opaque; presumably
                                                        owned by the
                                                        implementation */
} ngx_stream_upstream_peer_t;


/*
 * One "server" entry of an upstream{} block; stored in
 * ngx_stream_upstream_srv_conf_t.servers.
 */
typedef struct {
    ngx_str_t                        name;
    ngx_addr_t                      *addrs;
    ngx_uint_t                       naddrs;       /* presumably the number
                                                      of entries in addrs */
    ngx_uint_t                       weight;
    ngx_uint_t                       max_conns;
    ngx_uint_t                       max_fails;
    time_t                           fail_timeout;
    ngx_msec_t                       slow_start;   /* added by "Modules
                                                      compatibility: slow
                                                      start fields" */

    unsigned                         down:1;
    unsigned                         backup:1;

    /* reserved space for third-party module compatibility
     * (see "Introduced the NGX_COMPAT macro") */
    NGX_COMPAT_BEGIN(4)
    NGX_COMPAT_END
} ngx_stream_upstream_server_t;


/*
 * Server-level configuration of one upstream{} block.
 */
struct ngx_stream_upstream_srv_conf_s {
    ngx_stream_upstream_peer_t       peer;
    void                           **srv_conf;     /* per-module server
                                                      configs, indexed by
                                                      module.ctx_index via
                                                      ngx_stream_conf_upstream_srv_conf() */

    ngx_array_t                     *servers;
                                         /* ngx_stream_upstream_server_t */

    ngx_uint_t                       flags;        /* NGX_STREAM_UPSTREAM_*
                                                      bits, presumably as
                                                      given to
                                                      ngx_stream_upstream_add() */
    ngx_str_t                        host;
    u_char                          *file_name;    /* configuration file and
                                                      line of the declaration
                                                      (presumably used for
                                                      diagnostics) */
    ngx_uint_t                       line;
    in_port_t                        port;
    ngx_uint_t                       no_port;  /* unsigned no_port:1 */

#if (NGX_STREAM_UPSTREAM_ZONE)
    ngx_shm_zone_t                  *shm_zone;     /* only when built with
                                                      the upstream zone
                                                      feature */
#endif
};


/*
 * Per-upstream-connection accounting.  According to the changesets that
 * added the fields, these back the $upstream_* variables: the response,
 * connect and first-byte times, $upstream_bytes_sent /
 * $upstream_bytes_received, and $upstream_addr (peer).
 * Presumably one record per peer attempt -- confirm in the proxy module.
 */
typedef struct {
    ngx_msec_t                       response_time;
    ngx_msec_t                       connect_time;
    ngx_msec_t                       first_byte_time;
    off_t                            bytes_sent;
    off_t                            bytes_received;

    ngx_str_t                       *peer;         /* address text reported
                                                      as $upstream_addr */
} ngx_stream_upstream_state_t;


/*
 * Run-time resolved target, introduced with "Stream: variables in proxy_pass
 * and proxy_ssl_name", i.e. for the case where the target host is not known
 * at configuration time and has to go through the resolver.
 */
typedef struct {
    ngx_str_t                        host;
    in_port_t                        port;
    ngx_uint_t                       no_port; /* unsigned no_port:1 */

    ngx_uint_t                       naddrs;       /* presumably the number
                                                      of entries in addrs */
    ngx_resolver_addr_t             *addrs;

    struct sockaddr                 *sockaddr;
    socklen_t                        socklen;
    ngx_str_t                        name;         /* added alongside
                                                      ngx_http_upstream_resolved_t.name */

    ngx_resolver_ctx_t              *ctx;          /* resolver context;
                                                      presumably NULL when no
                                                      lookup is in flight */
} ngx_stream_upstream_resolved_t;


/*
 * Per-session upstream state, presumably owned by ngx_stream_proxy_module.
 */
typedef struct {
    ngx_peer_connection_t            peer;

    ngx_buf_t                        downstream_buf;
    ngx_buf_t                        upstream_buf;

    /* buffer chains per direction; presumably the usual nginx
     * out/busy pairing with a shared free list */
    ngx_chain_t                     *free;
    ngx_chain_t                     *upstream_out;
    ngx_chain_t                     *upstream_busy;
    ngx_chain_t                     *downstream_out;
    ngx_chain_t                     *downstream_busy;

    off_t                            received;
    time_t                           start_sec;    /* added by "Stream:
                                                      upstream and downstream
                                                      limit rates" */
    ngx_uint_t                       responses;

    /* NOTE(review): server name for the upstream TLS connection; when it is
     * derived from variables (proxy_ssl_name), confirm in the proxy module
     * that this is the name certificate verification is checked against */
    ngx_str_t                        ssl_name;

    ngx_stream_upstream_srv_conf_t  *upstream;
    ngx_stream_upstream_resolved_t  *resolved;     /* set when the target is
                                                      resolved at run time */
    ngx_stream_upstream_state_t     *state;        /* accounting for the
                                                      $upstream_* variables */

    unsigned                         connected:1;  /* see "Stream: upstream
                                                      "connected" flag" */
    unsigned                         proxy_protocol:1;
} ngx_stream_upstream_t;


/*
 * Returns the upstream server configuration for the URL u, creating it when
 * allowed by flags (NGX_STREAM_UPSTREAM_* bits; see the top of this header).
 * Presumably returns NULL on error, as nginx configuration-time helpers
 * usually do -- confirm in ngx_stream_upstream.c.
 */
ngx_stream_upstream_srv_conf_t *ngx_stream_upstream_add(ngx_conf_t *cf,
    ngx_url_t *u, ngx_uint_t flags);


/*
 * Fetches module's server-level configuration from an upstream's srv_conf
 * array.  Note that "uscf" is not parenthesized in the expansion: pass a
 * plain identifier, or parenthesize any pointer expression at the call site.
 */
#define ngx_stream_conf_upstream_srv_conf(uscf, module)                       \
    uscf->srv_conf[module.ctx_index]


/* module object, defined in ngx_stream_upstream.c */
extern ngx_module_t  ngx_stream_upstream_module;


#endif /* _NGX_STREAM_UPSTREAM_H_INCLUDED_ */