comparison src/stream/ngx_stream_proxy_module.c @ 7833:3ab8e1e2f0f7
Upstream: variables support in certificates.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 06 May 2021 02:22:09 +0300 |
parents | bdd4d89370a7 |
children | 419c066cb710 |
44 | 44 |
45 ngx_flag_t ssl_verify; | 45 ngx_flag_t ssl_verify; |
46 ngx_uint_t ssl_verify_depth; | 46 ngx_uint_t ssl_verify_depth; |
47 ngx_str_t ssl_trusted_certificate; | 47 ngx_str_t ssl_trusted_certificate; |
48 ngx_str_t ssl_crl; | 48 ngx_str_t ssl_crl; |
49 ngx_str_t ssl_certificate; | 49 ngx_stream_complex_value_t *ssl_certificate; |
50 ngx_str_t ssl_certificate_key; | 50 ngx_stream_complex_value_t *ssl_certificate_key; |
51 ngx_array_t *ssl_passwords; | 51 ngx_array_t *ssl_passwords; |
52 ngx_array_t *ssl_conf_commands; | 52 ngx_array_t *ssl_conf_commands; |
53 | 53 |
54 ngx_ssl_t *ssl; | 54 ngx_ssl_t *ssl; |
55 #endif | 55 #endif |
99 void *data); | 99 void *data); |
100 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s); | 100 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s); |
101 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc); | 101 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc); |
102 static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c); | 102 static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c); |
103 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s); | 103 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s); |
104 static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s); | |
104 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf, | 105 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf, |
105 ngx_stream_proxy_srv_conf_t *pscf); | 106 ngx_stream_proxy_srv_conf_t *pscf); |
106 | 107 |
107 | 108 |
108 static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = { | 109 static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = { |
316 offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl), | 317 offsetof(ngx_stream_proxy_srv_conf_t, ssl_crl), |
317 NULL }, | 318 NULL }, |
318 | 319 |
319 { ngx_string("proxy_ssl_certificate"), | 320 { ngx_string("proxy_ssl_certificate"), |
320 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | 321 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
321 ngx_conf_set_str_slot, | 322 ngx_stream_set_complex_value_zero_slot, |
322 NGX_STREAM_SRV_CONF_OFFSET, | 323 NGX_STREAM_SRV_CONF_OFFSET, |
323 offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate), | 324 offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate), |
324 NULL }, | 325 NULL }, |
325 | 326 |
326 { ngx_string("proxy_ssl_certificate_key"), | 327 { ngx_string("proxy_ssl_certificate_key"), |
327 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, | 328 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
328 ngx_conf_set_str_slot, | 329 ngx_stream_set_complex_value_zero_slot, |
329 NGX_STREAM_SRV_CONF_OFFSET, | 330 NGX_STREAM_SRV_CONF_OFFSET, |
330 offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate_key), | 331 offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate_key), |
331 NULL }, | 332 NULL }, |
332 | 333 |
333 { ngx_string("proxy_ssl_password_file"), | 334 { ngx_string("proxy_ssl_password_file"), |
1058 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | 1059 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); |
1059 return; | 1060 return; |
1060 } | 1061 } |
1061 } | 1062 } |
1062 | 1063 |
1064 if (pscf->ssl_certificate && (pscf->ssl_certificate->lengths | |
1065 || pscf->ssl_certificate_key->lengths)) | |
1066 { | |
1067 if (ngx_stream_proxy_ssl_certificate(s) != NGX_OK) { | |
1068 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | |
1069 return; | |
1070 } | |
1071 } | |
1072 | |
1063 if (pscf->ssl_session_reuse) { | 1073 if (pscf->ssl_session_reuse) { |
1064 pc->ssl->save_session = ngx_stream_proxy_ssl_save_session; | 1074 pc->ssl->save_session = ngx_stream_proxy_ssl_save_session; |
1065 | 1075 |
1066 if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { | 1076 if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { |
1067 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); | 1077 ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); |
1241 #endif | 1251 #endif |
1242 | 1252 |
1243 done: | 1253 done: |
1244 | 1254 |
1245 u->ssl_name = name; | 1255 u->ssl_name = name; |
1256 | |
1257 return NGX_OK; | |
1258 } | |
1259 | |
1260 | |
1261 static ngx_int_t | |
1262 ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s) | |
1263 { | |
1264 ngx_str_t cert, key; | |
1265 ngx_connection_t *c; | |
1266 ngx_stream_proxy_srv_conf_t *pscf; | |
1267 | |
1268 c = s->upstream->peer.connection; | |
1269 | |
1270 pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); | |
1271 | |
1272 if (ngx_stream_complex_value(s, pscf->ssl_certificate, &cert) | |
1273 != NGX_OK) | |
1274 { | |
1275 return NGX_ERROR; | |
1276 } | |
1277 | |
1278 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0, | |
1279 "stream upstream ssl cert: \"%s\"", cert.data); | |
1280 | |
1281 if (*cert.data == '\0') { | |
1282 return NGX_OK; | |
1283 } | |
1284 | |
1285 if (ngx_stream_complex_value(s, pscf->ssl_certificate_key, &key) | |
1286 != NGX_OK) | |
1287 { | |
1288 return NGX_ERROR; | |
1289 } | |
1290 | |
1291 ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0, | |
1292 "stream upstream ssl key: \"%s\"", key.data); | |
1293 | |
1294 if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key, | |
1295 pscf->ssl_passwords) | |
1296 != NGX_OK) | |
1297 { | |
1298 return NGX_ERROR; | |
1299 } | |
1246 | 1300 |
1247 return NGX_OK; | 1301 return NGX_OK; |
1248 } | 1302 } |
1249 | 1303 |
1250 #endif | 1304 #endif |
1977 * | 2031 * |
1978 * conf->ssl_protocols = 0; | 2032 * conf->ssl_protocols = 0; |
1979 * conf->ssl_ciphers = { 0, NULL }; | 2033 * conf->ssl_ciphers = { 0, NULL }; |
1980 * conf->ssl_trusted_certificate = { 0, NULL }; | 2034 * conf->ssl_trusted_certificate = { 0, NULL }; |
1981 * conf->ssl_crl = { 0, NULL }; | 2035 * conf->ssl_crl = { 0, NULL }; |
1982 * conf->ssl_certificate = { 0, NULL }; | |
1983 * conf->ssl_certificate_key = { 0, NULL }; | |
1984 * | 2036 * |
1985 * conf->ssl = NULL; | 2037 * conf->ssl = NULL; |
1986 * conf->upstream = NULL; | 2038 * conf->upstream = NULL; |
1987 * conf->upstream_value = NULL; | 2039 * conf->upstream_value = NULL; |
1988 */ | 2040 */ |
2006 conf->ssl_session_reuse = NGX_CONF_UNSET; | 2058 conf->ssl_session_reuse = NGX_CONF_UNSET; |
2007 conf->ssl_name = NGX_CONF_UNSET_PTR; | 2059 conf->ssl_name = NGX_CONF_UNSET_PTR; |
2008 conf->ssl_server_name = NGX_CONF_UNSET; | 2060 conf->ssl_server_name = NGX_CONF_UNSET; |
2009 conf->ssl_verify = NGX_CONF_UNSET; | 2061 conf->ssl_verify = NGX_CONF_UNSET; |
2010 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; | 2062 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; |
2063 conf->ssl_certificate = NGX_CONF_UNSET_PTR; | |
2064 conf->ssl_certificate_key = NGX_CONF_UNSET_PTR; | |
2011 conf->ssl_passwords = NGX_CONF_UNSET_PTR; | 2065 conf->ssl_passwords = NGX_CONF_UNSET_PTR; |
2012 conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; | 2066 conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; |
2013 #endif | 2067 #endif |
2014 | 2068 |
2015 return conf; | 2069 return conf; |
2081 ngx_conf_merge_str_value(conf->ssl_trusted_certificate, | 2135 ngx_conf_merge_str_value(conf->ssl_trusted_certificate, |
2082 prev->ssl_trusted_certificate, ""); | 2136 prev->ssl_trusted_certificate, ""); |
2083 | 2137 |
2084 ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); | 2138 ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, ""); |
2085 | 2139 |
2086 ngx_conf_merge_str_value(conf->ssl_certificate, | 2140 ngx_conf_merge_ptr_value(conf->ssl_certificate, |
2087 prev->ssl_certificate, ""); | 2141 prev->ssl_certificate, NULL); |
2088 | 2142 |
2089 ngx_conf_merge_str_value(conf->ssl_certificate_key, | 2143 ngx_conf_merge_ptr_value(conf->ssl_certificate_key, |
2090 prev->ssl_certificate_key, ""); | 2144 prev->ssl_certificate_key, NULL); |
2091 | 2145 |
2092 ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL); | 2146 ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL); |
2093 | 2147 |
2094 ngx_conf_merge_ptr_value(conf->ssl_conf_commands, | 2148 ngx_conf_merge_ptr_value(conf->ssl_conf_commands, |
2095 prev->ssl_conf_commands, NULL); | 2149 prev->ssl_conf_commands, NULL); |
2129 } | 2183 } |
2130 | 2184 |
2131 cln->handler = ngx_ssl_cleanup_ctx; | 2185 cln->handler = ngx_ssl_cleanup_ctx; |
2132 cln->data = pscf->ssl; | 2186 cln->data = pscf->ssl; |
2133 | 2187 |
2134 if (pscf->ssl_certificate.len) { | 2188 if (pscf->ssl_certificate) { |
2135 | 2189 |
2136 if (pscf->ssl_certificate_key.len == 0) { | 2190 if (pscf->ssl_certificate_key == NULL) { |
2137 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, | 2191 ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
2138 "no \"proxy_ssl_certificate_key\" is defined " | 2192 "no \"proxy_ssl_certificate_key\" is defined " |
2139 "for certificate \"%V\"", &pscf->ssl_certificate); | 2193 "for certificate \"%V\"", |
2194 &pscf->ssl_certificate->value); | |
2140 return NGX_ERROR; | 2195 return NGX_ERROR; |
2141 } | 2196 } |
2142 | 2197 |
2143 if (ngx_ssl_certificate(cf, pscf->ssl, &pscf->ssl_certificate, | 2198 if (pscf->ssl_certificate->lengths |
2144 &pscf->ssl_certificate_key, pscf->ssl_passwords) | 2199 || pscf->ssl_certificate_key->lengths) |
2145 != NGX_OK) | |
2146 { | 2200 { |
2147 return NGX_ERROR; | 2201 pscf->ssl_passwords = |
2202 ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords); | |
2203 if (pscf->ssl_passwords == NULL) { | |
2204 return NGX_ERROR; | |
2205 } | |
2206 | |
2207 } else { | |
2208 if (ngx_ssl_certificate(cf, pscf->ssl, | |
2209 &pscf->ssl_certificate->value, | |
2210 &pscf->ssl_certificate_key->value, | |
2211 pscf->ssl_passwords) | |
2212 != NGX_OK) | |
2213 { | |
2214 return NGX_ERROR; | |
2215 } | |
2148 } | 2216 } |
2149 } | 2217 } |
2150 | 2218 |
2151 if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) { | 2219 if (ngx_ssl_ciphers(cf, pscf->ssl, &pscf->ssl_ciphers, 0) != NGX_OK) { |
2152 return NGX_ERROR; | 2220 return NGX_ERROR; |
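Review bot: In the new ngx_stream_proxy_ssl_certificate(), the early return on `*cert.data == '\0'` and the two `%s` debug logs read the evaluated value as a C string, which is only safe because both directives are registered with `ngx_stream_set_complex_value_zero_slot`; that dependency is invisible at the point of use and deserves a comment such as `/* cert and key are NUL-terminated: the directives use the _zero_slot variant */` above the check, so a later switch to the plain slot does not silently turn this into an over-read. The same function resolves the certificate path from variables on every upstream connection and hands it to ngx_ssl_connection_certificate(), whereas the static branch in ngx_stream_proxy_set_ssl() validates the files once at configuration time via ngx_ssl_certificate(); a short comment noting that a missing or unreadable file is only detected per session (finalized with NGX_STREAM_INTERNAL_SERVER_ERROR, presumably after ngx_ssl_connection_certificate() logs the cause) would help operators reading the code. It is also worth stating in the same comment that the path is built from variables evaluated in the client's session context, so the configuration author is responsible for using only variables that cannot be steered to unintended files. The enclosing ngx_stream_proxy_ssl_init_connection() body at the runtime call site starts and ends outside the hunk.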