comparison src/http/modules/ngx_http_proxy_module.c @ 5661:060c2e692b96

Upstream: proxy_ssl_verify and friends.
author Maxim Dounin <mdounin@mdounin.ru>
date Fri, 18 Apr 2014 20:13:30 +0400
parents 7022564a9e0e
children fbfdf8017748
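--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -79,10 +79,13 @@
 
 #if (NGX_HTTP_SSL)
 ngx_uint_t ssl;
 ngx_uint_t ssl_protocols;
 ngx_str_t ssl_ciphers;
+ngx_uint_t ssl_verify_depth;
+ngx_str_t ssl_trusted_certificate;
+ngx_str_t ssl_crl;
 #endif
 } ngx_http_proxy_loc_conf_t;
 
 
 typedef struct {
@@ -563,10 +566,38 @@
 { ngx_string("proxy_ssl_server_name"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
 ngx_conf_set_flag_slot,
 NGX_HTTP_LOC_CONF_OFFSET,
 offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name),
+NULL },
+
+{ ngx_string("proxy_ssl_verify"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ngx_conf_set_flag_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify),
+NULL },
+
+{ ngx_string("proxy_ssl_verify_depth"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_num_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_verify_depth),
+NULL },
+
+{ ngx_string("proxy_ssl_trusted_certificate"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_trusted_certificate),
+NULL },
+
+{ ngx_string("proxy_ssl_crl"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
 NULL },
 
 #endif
 
 ngx_null_command
@@ -2416,10 +2447,12 @@
 * conf->body_source = { 0, NULL };
 * conf->redirects = NULL;
 * conf->ssl = 0;
 * conf->ssl_protocols = 0;
 * conf->ssl_ciphers = { 0, NULL };
+* conf->ssl_trusted_certificate = { 0, NULL };
+* conf->ssl_crl = { 0, NULL };
 */
 
 conf->upstream.store = NGX_CONF_UNSET;
 conf->upstream.store_access = NGX_CONF_UNSET_UINT;
 conf->upstream.buffering = NGX_CONF_UNSET;
@@ -2458,10 +2491,12 @@
 conf->upstream.intercept_errors = NGX_CONF_UNSET;
 
 #if (NGX_HTTP_SSL)
 conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
 conf->upstream.ssl_server_name = NGX_CONF_UNSET;
+conf->upstream.ssl_verify = NGX_CONF_UNSET;
+conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
 #endif
 
 /* "proxy_cyclic_temp_file" is disabled */
 conf->upstream.cyclic_temp_file = 0;
 
@@ -2747,10 +2782,17 @@
 conf->upstream.ssl_name = prev->upstream.ssl_name;
 }
 
 ngx_conf_merge_value(conf->upstream.ssl_server_name,
 prev->upstream.ssl_server_name, 0);
+ngx_conf_merge_value(conf->upstream.ssl_verify,
+prev->upstream.ssl_verify, 0);
+ngx_conf_merge_uint_value(conf->ssl_verify_depth,
+prev->ssl_verify_depth, 1);
+ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
+prev->ssl_trusted_certificate, "");
+ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
 
 if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
@@ -3816,10 +3858,30 @@
 "SSL_CTX_set_cipher_list(\"%V\") failed",
 &plcf->ssl_ciphers);
 return NGX_ERROR;
 }
 
+if (plcf->upstream.ssl_verify) {
+if (plcf->ssl_trusted_certificate.len == 0) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no proxy_ssl_trusted_certificate for proxy_ssl_verify");
+return NGX_ERROR;
+}
+
+if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,
+&plcf->ssl_trusted_certificate,
+plcf->ssl_verify_depth)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+
+if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) {
+return NGX_ERROR;
+}
+}
+
 return NGX_OK;
 }
 
 #endif
 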
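Review bot: The merge at new lines 2787-2788 defaults `proxy_ssl_verify` to 0, and the `if (plcf->upstream.ssl_verify)` block at new lines 3863-3881 is skipped in that case, so a configured `proxy_ssl_trusted_certificate` or `proxy_ssl_crl` is silently unused and the https upstream's certificate is never checked. Consider documenting this at the merge, e.g. `/* verification is opt-in: trusted certificate and CRL are loaded only when proxy_ssl_verify is on */`, or logging a warning when a trusted certificate is set while verification is off. The new block loads only the CA bundle, verify depth and CRL; matching the certificate against the upstream name is not visible in this file, so presumably it happens in the upstream module, which is worth confirming. The function holding that block (presumably `ngx_http_proxy_set_ssl`) begins outside the shown lines.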