comparison src/http/modules/ngx_http_proxy_module.c @ 5900:20d966ad5e89

Upstream: add "proxy_ssl_certificate" and friends. Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
author Piotr Sikora <piotr@cloudflare.com>
date Thu, 30 Oct 2014 04:30:41 -0700
parents 973ee2276300
children 2f7e557eab5b
5899:234c5ecb00c0 5900:20d966ad5e89
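--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -82,10 +82,13 @@
 ngx_uint_t ssl_protocols;
 ngx_str_t ssl_ciphers;
 ngx_uint_t ssl_verify_depth;
 ngx_str_t ssl_trusted_certificate;
 ngx_str_t ssl_crl;
+ngx_str_t ssl_certificate;
+ngx_str_t ssl_certificate_key;
+ngx_array_t *ssl_passwords;
 #endif
 } ngx_http_proxy_loc_conf_t;
 
 
 typedef struct {
@@ -160,10 +163,14 @@
 static char *ngx_http_proxy_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 static char *ngx_http_proxy_cache_key(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 #endif
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_password_file(ngx_conf_t *cf,
+ngx_command_t *cmd, void *conf);
+#endif
 
 static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
 
 static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
 ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
@@ -622,10 +629,31 @@
 { ngx_string("proxy_ssl_crl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_HTTP_LOC_CONF_OFFSET,
 offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
+NULL },
+
+{ ngx_string("proxy_ssl_certificate"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_certificate),
+NULL },
+
+{ ngx_string("proxy_ssl_certificate_key"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_certificate_key),
+NULL },
+
+{ ngx_string("proxy_ssl_password_file"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_http_proxy_ssl_password_file,
+NGX_HTTP_LOC_CONF_OFFSET,
+0,
 NULL },
 
 #endif
 
 ngx_null_command
@@ -2477,10 +2505,12 @@
 * conf->ssl = 0;
 * conf->ssl_protocols = 0;
 * conf->ssl_ciphers = { 0, NULL };
 * conf->ssl_trusted_certificate = { 0, NULL };
 * conf->ssl_crl = { 0, NULL };
+* conf->ssl_certificate = { 0, NULL };
+* conf->ssl_certificate_key = { 0, NULL };
 */
 
 conf->upstream.store = NGX_CONF_UNSET;
 conf->upstream.store_access = NGX_CONF_UNSET_UINT;
 conf->upstream.next_upstream_tries = NGX_CONF_UNSET_UINT;
@@ -2525,10 +2555,11 @@
 #if (NGX_HTTP_SSL)
 conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
 conf->upstream.ssl_server_name = NGX_CONF_UNSET;
 conf->upstream.ssl_verify = NGX_CONF_UNSET;
 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
+conf->ssl_passwords = NGX_CONF_UNSET_PTR;
 #endif
 
 /* "proxy_cyclic_temp_file" is disabled */
 conf->upstream.cyclic_temp_file = 0;
 
@@ -2833,10 +2864,16 @@
 ngx_conf_merge_uint_value(conf->ssl_verify_depth,
 prev->ssl_verify_depth, 1);
 ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
 prev->ssl_trusted_certificate, "");
 ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+
+ngx_conf_merge_str_value(conf->ssl_certificate,
+prev->ssl_certificate, "");
+ngx_conf_merge_str_value(conf->ssl_certificate_key,
+prev->ssl_certificate_key, "");
+ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
 
 if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
@@ -3835,10 +3872,37 @@
 }
 
 #endif
 
 
+#if (NGX_HTTP_SSL)
+
+static char *
+ngx_http_proxy_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ngx_http_proxy_loc_conf_t *plcf = conf;
+
+ngx_str_t *value;
+
+if (plcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
+return "is duplicate";
+}
+
+value = cf->args->elts;
+
+plcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+if (plcf->ssl_passwords == NULL) {
+return NGX_CONF_ERROR;
+}
+
+return NGX_CONF_OK;
+}
+
+#endif
+
+
 static char *
 ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data)
 {
 #if (NGX_FREEBSD)
 ssize_t *np = data;
@@ -3891,10 +3955,27 @@
 return NGX_ERROR;
 }
 
 cln->handler = ngx_ssl_cleanup_ctx;
 cln->data = plcf->upstream.ssl;
+
+if (plcf->ssl_certificate.len) {
+
+if (plcf->ssl_certificate_key.len == 0) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no \"proxy_ssl_certificate_key\" is defined "
+"for certificate \"%V\"", &plcf->ssl_certificate);
+return NGX_ERROR;
+}
+
+if (ngx_ssl_certificate(cf, plcf->upstream.ssl, &plcf->ssl_certificate,
+&plcf->ssl_certificate_key, plcf->ssl_passwords)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+}
 
 if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
 (const char *) plcf->ssl_ciphers.data)
 == 0)
 {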
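Review bot: The new block in ngx_http_proxy_set_ssl rejects a certificate without a key, but the reverse case passes silently: when `proxy_ssl_certificate_key` is set and `proxy_ssl_certificate` is empty, the whole `if (plcf->ssl_certificate.len)` block is skipped and no client certificate is loaded. An operator who mistyped or forgot the certificate directive gets a configuration that loads cleanly, and if the upstream treats client certificates as optional the proxied requests would presumably go out unauthenticated with nothing in the log to show it. Consider closing the block with `} else if (plcf->ssl_certificate_key.len) { ngx_log_error(NGX_LOG_WARN, cf->log, 0, "\"proxy_ssl_certificate_key\" is ignored without \"proxy_ssl_certificate\""); }`, or returning NGX_ERROR there to match the existing check. The function body starts and ends outside this hunk.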