comparison src/http/modules/ngx_http_proxy_module.c @ 5661:060c2e692b96
Upstream: proxy_ssl_verify and friends.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Fri, 18 Apr 2014 20:13:30 +0400 |
parents | 7022564a9e0e |
children | fbfdf8017748 |
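--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -79,10 +79,13 @@
 
 #if (NGX_HTTP_SSL)
 ngx_uint_t ssl;
 ngx_uint_t ssl_protocols;
 ngx_str_t ssl_ciphers;
+ngx_uint_t ssl_verify_depth;
+ngx_str_t ssl_trusted_certificate;
+ngx_str_t ssl_crl;
 #endif
 } ngx_http_proxy_loc_conf_t;
 
 
 typedef struct {
@@ -563,10 +566,38 @@
 { ngx_string("proxy_ssl_server_name"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 NGX_HTTP_LOC_CONF_OFFSET,
 offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name),
+NULL },
+
+{ ngx_string("proxy_ssl_verify"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ngx_conf_set_flag_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify),
+NULL },
+
+{ ngx_string("proxy_ssl_verify_depth"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_num_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_verify_depth),
+NULL },
+
+{ ngx_string("proxy_ssl_trusted_certificate"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_trusted_certificate),
+NULL },
+
+{ ngx_string("proxy_ssl_crl"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
 NULL },
 
 #endif
 
 ngx_null_command
@@ -2416,10 +2447,12 @@
 * conf->body_source = { 0, NULL };
 * conf->redirects = NULL;
 * conf->ssl = 0;
 * conf->ssl_protocols = 0;
 * conf->ssl_ciphers = { 0, NULL };
+* conf->ssl_trusted_certificate = { 0, NULL };
+* conf->ssl_crl = { 0, NULL };
 */
 
 conf->upstream.store = NGX_CONF_UNSET;
 conf->upstream.store_access = NGX_CONF_UNSET_UINT;
 conf->upstream.buffering = NGX_CONF_UNSET;
@@ -2458,10 +2491,12 @@
 conf->upstream.intercept_errors = NGX_CONF_UNSET;
 
 #if (NGX_HTTP_SSL)
 conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
 conf->upstream.ssl_server_name = NGX_CONF_UNSET;
+conf->upstream.ssl_verify = NGX_CONF_UNSET;
+conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
 #endif
 
 /* "proxy_cyclic_temp_file" is disabled */
 conf->upstream.cyclic_temp_file = 0;
 
@@ -2747,10 +2782,17 @@
 conf->upstream.ssl_name = prev->upstream.ssl_name;
 }
 
 ngx_conf_merge_value(conf->upstream.ssl_server_name,
 prev->upstream.ssl_server_name, 0);
+ngx_conf_merge_value(conf->upstream.ssl_verify,
+prev->upstream.ssl_verify, 0);
+ngx_conf_merge_uint_value(conf->ssl_verify_depth,
+prev->ssl_verify_depth, 1);
+ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
+prev->ssl_trusted_certificate, "");
+ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
 
 if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
@@ -3816,10 +3858,30 @@
 "SSL_CTX_set_cipher_list(\"%V\") failed",
 &plcf->ssl_ciphers);
 return NGX_ERROR;
 }
 
+if (plcf->upstream.ssl_verify) {
+if (plcf->ssl_trusted_certificate.len == 0) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
+return NGX_ERROR;
+}
+
+if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+&plcf->ssl_trusted_certificate,
+plcf->ssl_verify_depth)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
+if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) {
+return NGX_ERROR;
+}
+}
+
 return NGX_OK;
 }
 
 #endif
 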
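Review bot: The trust store and CRL are loaded only inside `if (plcf->upstream.ssl_verify)` (new lines 3863–3881), and that flag merges to 0 by default (new lines 2787–2788), so a location that sets `proxy_ssl_trusted_certificate` or `proxy_ssl_crl` without `proxy_ssl_verify on` still talks to an unauthenticated upstream and gets no diagnostic at configuration time. I would add a branch `else if (plcf->ssl_trusted_certificate.len || plcf->ssl_crl.len)` that logs at `NGX_LOG_WARN` through the same `ngx_log_error(..., cf->log, 0, ...)` call used for the EMERG case, or at least a comment above the guard stating that both settings are ignored unless verification is enabled. The merged `ssl_verify_depth` default of 1 (new lines 2789–2790) also deserves a comment where it is set, since it is the value passed to `ngx_ssl_trusted_certificate()` and operators with intermediate CAs will likely need to raise it. The enclosing function starts outside this hunk, and whether the upstream's name is checked against the presented certificate is not visible in this file section, so that should be confirmed in the companion upstream change.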