comparison src/stream/ngx_stream_proxy_module.c @ 7833:3ab8e1e2f0f7

Upstream: variables support in certificates.
author Maxim Dounin <mdounin@mdounin.ru>
date Thu, 06 May 2021 02:22:09 +0300
parents bdd4d89370a7
children 419c066cb710
7832:be82e72c9af8 7833:3ab8e1e2f0f7
44 44
45 ngx_flag_t ssl_verify; 45 ngx_flag_t ssl_verify;
46 ngx_uint_t ssl_verify_depth; 46 ngx_uint_t ssl_verify_depth;
47 ngx_str_t ssl_trusted_certificate; 47 ngx_str_t ssl_trusted_certificate;
48 ngx_str_t ssl_crl; 48 ngx_str_t ssl_crl;
49 ngx_str_t ssl_certificate; 49 ngx_stream_complex_value_t *ssl_certificate;
50 ngx_str_t ssl_certificate_key; 50 ngx_stream_complex_value_t *ssl_certificate_key;
51 ngx_array_t *ssl_passwords; 51 ngx_array_t *ssl_passwords;
52 ngx_array_t *ssl_conf_commands; 52 ngx_array_t *ssl_conf_commands;
53 53
54 ngx_ssl_t *ssl; 54 ngx_ssl_t *ssl;
55 #endif 55 #endif
99 void *data); 99 void *data);
100 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s); 100 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
101 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc); 101 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
102 static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c); 102 static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
103 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s); 103 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
104 static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s);
104 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf, 105 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
105 ngx_stream_proxy_srv_conf_t *pscf); 106 ngx_stream_proxy_srv_conf_t *pscf);
106 107
107 108
108 static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = { 109 static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = {
316 offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl), 317 offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl),
317 NULL }, 318 NULL },
318 319
319 { ngx_string("proxy_ssl_certificate"), 320 { ngx_string("proxy_ssl_certificate"),
320 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, 321 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
321 ngx_conf_set_str_slot, 322 ngx_stream_set_complex_value_zero_slot,
322 NGX_STREAM_SRV_CONF_OFFSET, 323 NGX_STREAM_SRV_CONF_OFFSET,
323 offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate), 324 offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate),
324 NULL }, 325 NULL },
325 326
326 { ngx_string("proxy_ssl_certificate_key"), 327 { ngx_string("proxy_ssl_certificate_key"),
327 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, 328 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
328 ngx_conf_set_str_slot, 329 ngx_stream_set_complex_value_zero_slot,
329 NGX_STREAM_SRV_CONF_OFFSET, 330 NGX_STREAM_SRV_CONF_OFFSET,
330 offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate_key), 331 offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate_key),
331 NULL }, 332 NULL },
332 333
333 { ngx_string("proxy_ssl_password_file"), 334 { ngx_string("proxy_ssl_password_file"),
1058 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); 1059 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
1059 return; 1060 return;
1060 } 1061 }
1061 } 1062 }
1062 1063
1064 if (pscf->ssl_certificate && (pscf->ssl_certificate->lengths
1065 || pscf->ssl_certificate_key->lengths))
1066 {
1067 if (ngx_stream_proxy_ssl_certificate(s) != NGX_OK) {
1068 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
1069 return;
1070 }
1071 }
1072
1063 if (pscf->ssl_session_reuse) { 1073 if (pscf->ssl_session_reuse) {
1064 pc->ssl->save_session = ngx_stream_proxy_ssl_save_session; 1074 pc->ssl->save_session = ngx_stream_proxy_ssl_save_session;
1065 1075
1066 if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { 1076 if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
1067 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); 1077 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
1241 #endif 1251 #endif
1242 1252
1243 done: 1253 done:
1244 1254
1245 u->ssl_name = name; 1255 u->ssl_name = name;
1256
1257 return NGX_OK;
1258 }
1259
1260
1261 static ngx_int_t
1262 ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s)
1263 {
1264 ngx_str_t cert, key;
1265 ngx_connection_t *c;
1266 ngx_stream_proxy_srv_conf_t *pscf;
1267
1268 c = s->upstream->peer.connection;
1269
1270 pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
1271
1272 if (ngx_stream_complex_value(s, pscf->ssl_certificate, &cert)
1273 != NGX_OK)
1274 {
1275 return NGX_ERROR;
1276 }
1277
1278 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
1279 "stream upstream ssl cert: \"%s\"", cert.data);
1280
1281 if (*cert.data == '\0') {
1282 return NGX_OK;
1283 }
1284
1285 if (ngx_stream_complex_value(s, pscf->ssl_certificate_key, &key)
1286 != NGX_OK)
1287 {
1288 return NGX_ERROR;
1289 }
1290
1291 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
1292 "stream upstream ssl key: \"%s\"", key.data);
1293
1294 if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key,
1295 pscf->ssl_passwords)
1296 != NGX_OK)
1297 {
1298 return NGX_ERROR;
1299 }
1246 1300
1247 return NGX_OK; 1301 return NGX_OK;
1248 } 1302 }
1249 1303
1250 #endif 1304 #endif
1977 * 2031 *
1978 * conf->ssl_protocols = 0; 2032 * conf->ssl_protocols = 0;
1979 * conf->ssl_ciphers = { 0, NULL }; 2033 * conf->ssl_ciphers = { 0, NULL };
1980 * conf->ssl_trusted_certificate = { 0, NULL }; 2034 * conf->ssl_trusted_certificate = { 0, NULL };
1981 * conf->ssl_crl = { 0, NULL }; 2035 * conf->ssl_crl = { 0, NULL };
1982 * conf->ssl_certificate = { 0, NULL };
1983 * conf->ssl_certificate_key = { 0, NULL };
1984 * 2036 *
1985 * conf->ssl = NULL; 2037 * conf->ssl = NULL;
1986 * conf->upstream = NULL; 2038 * conf->upstream = NULL;
1987 * conf->upstream_value = NULL; 2039 * conf->upstream_value = NULL;
1988 */ 2040 */
2006 conf->ssl_session_reuse = NGX_CONF_UNSET; 2058 conf->ssl_session_reuse = NGX_CONF_UNSET;
2007 conf->ssl_name = NGX_CONF_UNSET_PTR; 2059 conf->ssl_name = NGX_CONF_UNSET_PTR;
2008 conf->ssl_server_name = NGX_CONF_UNSET; 2060 conf->ssl_server_name = NGX_CONF_UNSET;
2009 conf->ssl_verify = NGX_CONF_UNSET; 2061 conf->ssl_verify = NGX_CONF_UNSET;
2010 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; 2062 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
2063 conf->ssl_certificate = NGX_CONF_UNSET_PTR;
2064 conf->ssl_certificate_key = NGX_CONF_UNSET_PTR;
2011 conf->ssl_passwords = NGX_CONF_UNSET_PTR; 2065 conf->ssl_passwords = NGX_CONF_UNSET_PTR;
2012 conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; 2066 conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
2013 #endif 2067 #endif
2014 2068
2015 return conf; 2069 return conf;
2081 ngx_conf_merge_str_value(conf->ssl_trusted_certificate, 2135 ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
2082 prev->ssl_trusted_certificate, ""); 2136 prev->ssl_trusted_certificate, "");
2083 2137
2084 ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); 2138 ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
2085 2139
2086 ngx_conf_merge_str_value(conf->ssl_certificate, 2140 ngx_conf_merge_ptr_value(conf->ssl_certificate,
2087 prev->ssl_certificate, ""); 2141 prev->ssl_certificate, NULL);
2088 2142
2089 ngx_conf_merge_str_value(conf->ssl_certificate_key, 2143 ngx_conf_merge_ptr_value(conf->ssl_certificate_key,
2090 prev->ssl_certificate_key, ""); 2144 prev->ssl_certificate_key, NULL);
2091 2145
2092 ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL); 2146 ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
2093 2147
2094 ngx_conf_merge_ptr_value(conf->ssl_conf_commands, 2148 ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
2095 prev->ssl_conf_commands, NULL); 2149 prev->ssl_conf_commands, NULL);
2129 } 2183 }
2130 2184
2131 cln->handler = ngx_ssl_cleanup_ctx; 2185 cln->handler = ngx_ssl_cleanup_ctx;
2132 cln->data = pscf->ssl; 2186 cln->data = pscf->ssl;
2133 2187
2134 if (pscf->ssl_certificate.len) { 2188 if (pscf->ssl_certificate) {
2135 2189
2136 if (pscf->ssl_certificate_key.len == 0) { 2190 if (pscf->ssl_certificate_key == NULL) {
2137 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, 2191 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
2138 "no \"proxy_ssl_certificate_key\" is defined " 2192 "no \"proxy_ssl_certificate_key\" is defined "
2139 "for certificate \"%V\"", &pscf->ssl_certificate); 2193 "for certificate \"%V\"",
2194 &pscf->ssl_certificate->value);
2140 return NGX_ERROR; 2195 return NGX_ERROR;
2141 } 2196 }
2142 2197
2143 if (ngx_ssl_certificate(cf, pscf->ssl, &pscf->ssl_certificate, 2198 if (pscf->ssl_certificate->lengths
2144 &pscf->ssl_certificate_key, pscf->ssl_passwords) 2199 || pscf->ssl_certificate_key->lengths)
2145 != NGX_OK)
2146 { 2200 {
2147 return NGX_ERROR; 2201 pscf->ssl_passwords =
2202 ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords);
2203 if (pscf->ssl_passwords == NULL) {
2204 return NGX_ERROR;
2205 }
2206
2207 } else {
2208 if (ngx_ssl_certificate(cf, pscf->ssl,
2209 &pscf->ssl_certificate->value,
2210 &pscf->ssl_certificate_key->value,
2211 pscf->ssl_passwords)
2212 != NGX_OK)
2213 {
2214 return NGX_ERROR;
2215 }
2148 } 2216 }
2149 } 2217 }
2150 2218
2151 if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) { 2219 if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) {
2152 return NGX_ERROR; 2220 return NGX_ERROR;
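Review bot: In the new ngx_stream_proxy_ssl_certificate (new lines 1262-1302) the `*cert.data == '\0'` test and the `%s` debug logging of cert.data/key.data are only safe because the two directives now use ngx_stream_set_complex_value_zero_slot, which NUL-terminates the evaluated value; nothing in the function says so, and a later switch to the plain complex-value slot would silently break both. A comment above the empty check, `/* evaluated values are NUL-terminated: the directives use the _zero_slot handler */`, would pin that dependency. The variables path also changes when key material is read: with lengths set, the certificate and key files (and, via ngx_ssl_preserve_passwords at new line 2202, the retained password list) are loaded per upstream connection by the process handling it rather than once at configuration time, so presumably they must be readable by the worker user, and a connection-derived variable in the path would choose which key file is opened; a short note on the proxy_ssl_certificate_key directive to that effect seems worthwhile. Finally, the runtime branch at new lines 1064-1071 dereferences pscf->ssl_certificate_key->lengths without a NULL check, which is sound only because ngx_stream_proxy_set_ssl rejects a certificate without a key at new line 2190; that function starts and ends outside the hunk.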