nginx: src/http/modules/ngx_http_proxy

comparison src/http/modules/ngx_http_proxy_module.c @ 7730:1a719ee45526

Upstream: proxy_ssl_conf_command and friends. Similarly to ssl_conf_command, proxy_ssl_conf_command (grpc_ssl_conf_command, uwsgi_ssl_conf_command) can be used to set arbitrary OpenSSL configuration parameters as long as nginx is compiled with OpenSSL 1.0.2 or later, when connecting to upstream servers with SSL. Full list of available configuration commands can be found in the SSL_CONF_cmd manual page (https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

author	Maxim Dounin <mdounin@mdounin.ru>
date	Thu, 22 Oct 2020 18:00:23 +0300
parents	485dba3e2a01
children	83c4622053b0

comparison

equal deleted inserted replaced

-:3bff3f397c05
+:1a719ee45526
 ngx_str_t                      ssl_trusted_certificate;
 ngx_str_t                      ssl_crl;
 ngx_str_t                      ssl_certificate;
 ngx_str_t                      ssl_certificate_key;
 ngx_array_t                   *ssl_passwords;
+ngx_array_t                   *ssl_conf_commands;
 #endif
 } ngx_http_proxy_loc_conf_t;
 typedef struct {
 static char *ngx_http_proxy_ssl_password_file(ngx_conf_t *cf,
 ngx_command_t *cmd, void *conf);
 #endif
 static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+void *data);
+#endif
 static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
 ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
 #if (NGX_HTTP_SSL)
 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
 { ngx_string("TLSv1.3"), NGX_SSL_TLSv1_3 },
 { ngx_null_string, 0 }
 };
+static ngx_conf_post_t  ngx_http_proxy_ssl_conf_command_post =
+{ ngx_http_proxy_ssl_conf_command_check };
 #endif
 static ngx_conf_enum_t  ngx_http_proxy_http_version[] = {
 { ngx_string("1.0"), NGX_HTTP_VERSION_10 },
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_http_proxy_ssl_password_file,
 NGX_HTTP_LOC_CONF_OFFSET,
 0,
 NULL },
+{ ngx_string("proxy_ssl_conf_command"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
+ngx_conf_set_keyval_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_conf_commands),
+&ngx_http_proxy_ssl_conf_command_post },
 #endif
 ngx_null_command
 };
 conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
 conf->upstream.ssl_server_name = NGX_CONF_UNSET;
 conf->upstream.ssl_verify = NGX_CONF_UNSET;
 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
 conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
 #endif
 /* "proxy_cyclic_temp_file" is disabled */
 conf->upstream.cyclic_temp_file = 0;
 ngx_conf_merge_str_value(conf->ssl_certificate,
 prev->ssl_certificate, "");
 ngx_conf_merge_str_value(conf->ssl_certificate_key,
 prev->ssl_certificate_key, "");
 ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+prev->ssl_conf_commands, NULL);
 if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 }
 #if (NGX_HTTP_SSL)
+static char *
+ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+return "is not supported on this platform";
+#endif
+return NGX_CONF_OK;
+}
 static ngx_int_t
 ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
 {
 ngx_pool_cleanup_t  *cln;
 != NGX_OK)
 {
 return NGX_ERROR;
 }
+if (ngx_ssl_conf_commands(cf, plcf->upstream.ssl, plcf->ssl_conf_commands)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
 return NGX_OK;
 }
 #endif

Mercurial > hg > nginx

comparison src/http/modules/ngx_http_proxy_module.c @ 7730:1a719ee45526