comparison src/http/modules/ngx_http_proxy_module.c @ 5900:20d966ad5e89
Upstream: add "proxy_ssl_certificate" and friends.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
author | Piotr Sikora <piotr@cloudflare.com> |
---|---|
date | Thu, 30 Oct 2014 04:30:41 -0700 |
parents | 973ee2276300 |
children | 2f7e557eab5b |
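--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -82,10 +82,13 @@
 ngx_uint_t ssl_protocols;
 ngx_str_t ssl_ciphers;
 ngx_uint_t ssl_verify_depth;
 ngx_str_t ssl_trusted_certificate;
 ngx_str_t ssl_crl;
+ngx_str_t ssl_certificate;
+ngx_str_t ssl_certificate_key;
+ngx_array_t *ssl_passwords;
 #endif
 } ngx_http_proxy_loc_conf_t;
 
 
 typedef struct {
@@ -160,10 +163,14 @@
 static char *ngx_http_proxy_cache(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 static char *ngx_http_proxy_cache_key(ngx_conf_t *cf, ngx_command_t *cmd,
 void *conf);
 #endif
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_password_file(ngx_conf_t *cf,
+ngx_command_t *cmd, void *conf);
+#endif
 
 static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
 
 static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
 ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
@@ -622,10 +629,31 @@
 { ngx_string("proxy_ssl_crl"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_str_slot,
 NGX_HTTP_LOC_CONF_OFFSET,
 offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
+NULL },
+
+{ ngx_string("proxy_ssl_certificate"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_certificate),
+NULL },
+
+{ ngx_string("proxy_ssl_certificate_key"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_conf_set_str_slot,
+NGX_HTTP_LOC_CONF_OFFSET,
+offsetof(ngx_http_proxy_loc_conf_t, ssl_certificate_key),
+NULL },
+
+{ ngx_string("proxy_ssl_password_file"),
+NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ngx_http_proxy_ssl_password_file,
+NGX_HTTP_LOC_CONF_OFFSET,
+0,
 NULL },
 
 #endif
 
 ngx_null_command
@@ -2477,10 +2505,12 @@
 * conf->ssl = 0;
 * conf->ssl_protocols = 0;
 * conf->ssl_ciphers = { 0, NULL };
 * conf->ssl_trusted_certificate = { 0, NULL };
 * conf->ssl_crl = { 0, NULL };
+* conf->ssl_certificate = { 0, NULL };
+* conf->ssl_certificate_key = { 0, NULL };
 */
 
 conf->upstream.store = NGX_CONF_UNSET;
 conf->upstream.store_access = NGX_CONF_UNSET_UINT;
 conf->upstream.next_upstream_tries = NGX_CONF_UNSET_UINT;
@@ -2525,10 +2555,11 @@
 #if (NGX_HTTP_SSL)
 conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
 conf->upstream.ssl_server_name = NGX_CONF_UNSET;
 conf->upstream.ssl_verify = NGX_CONF_UNSET;
 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
+conf->ssl_passwords = NGX_CONF_UNSET_PTR;
 #endif
 
 /* "proxy_cyclic_temp_file" is disabled */
 conf->upstream.cyclic_temp_file = 0;
 
@@ -2833,10 +2864,16 @@
 ngx_conf_merge_uint_value(conf->ssl_verify_depth,
 prev->ssl_verify_depth, 1);
 ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
 prev->ssl_trusted_certificate, "");
 ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+
+ngx_conf_merge_str_value(conf->ssl_certificate,
+prev->ssl_certificate, "");
+ngx_conf_merge_str_value(conf->ssl_certificate_key,
+prev->ssl_certificate_key, "");
+ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
 
 if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }
 
@@ -3835,10 +3872,37 @@
 }
 
 #endif
 
 
+#if (NGX_HTTP_SSL)
+
+static char *
+ngx_http_proxy_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ngx_http_proxy_loc_conf_t *plcf = conf;
+
+ngx_str_t *value;
+
+if (plcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
+return "is duplicate";
+}
+
+value = cf->args->elts;
+
+plcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+if (plcf->ssl_passwords == NULL) {
+return NGX_CONF_ERROR;
+}
+
+return NGX_CONF_OK;
+}
+
+#endif
+
+
 static char *
 ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data)
 {
 #if (NGX_FREEBSD)
 ssize_t *np = data;
@@ -3891,10 +3955,27 @@
 return NGX_ERROR;
 }
 
 cln->handler = ngx_ssl_cleanup_ctx;
 cln->data = plcf->upstream.ssl;
+
+if (plcf->ssl_certificate.len) {
+
+if (plcf->ssl_certificate_key.len == 0) {
+ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+"no \"proxy_ssl_certificate_key\" is defined "
+"for certificate \"%V\"", &plcf->ssl_certificate);
+return NGX_ERROR;
+}
+
+if (ngx_ssl_certificate(cf, plcf->upstream.ssl, &plcf->ssl_certificate,
+&plcf->ssl_certificate_key, plcf->ssl_passwords)
+!= NGX_OK)
+{
+return NGX_ERROR;
+}
+}
 
 if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
 (const char *) plcf->ssl_ciphers.data)
 == 0)
 {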