comparison src/http/ngx_http_upstream.c @ 7320:696df3ac27ac
SSL: save sessions for upstream peers using a callback function.
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time. Therefore we use a callback to save the session
when we know about it. This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.
Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback. To preserve API, the session is
cached in c->ssl->session. It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
author | Sergey Kandaurov <pluknet@nginx.com> |
---|---|
date | Tue, 17 Jul 2018 12:53:23 +0300 |
parents | ece9b5454b8a |
children | 70c6b08973a0 |
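--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -185,10 +185,11 @@
 static void ngx_http_upstream_ssl_init_connection(ngx_http_request_t *,
 ngx_http_upstream_t *u, ngx_connection_t *c);
 static void ngx_http_upstream_ssl_handshake_handler(ngx_connection_t *c);
 static void ngx_http_upstream_ssl_handshake(ngx_http_request_t *,
 ngx_http_upstream_t *u, ngx_connection_t *c);
+static void ngx_http_upstream_ssl_save_session(ngx_connection_t *c);
 static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r,
 ngx_http_upstream_t *u, ngx_connection_t *c);
 #endif
 
 
@@ -1673,10 +1674,12 @@
 return;
 }
 }
 
 if (u->conf->ssl_session_reuse) {
+c->ssl->save_session = ngx_http_upstream_ssl_save_session;
+
 if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
 ngx_http_upstream_finalize_request(r, u,
 NGX_HTTP_INTERNAL_SERVER_ERROR);
 return;
 }
@@ -1757,14 +1760,10 @@
 &u->ssl_name);
 goto failed;
 }
 }
 
-if (u->conf->ssl_session_reuse) {
-u->peer.save_session(&u->peer, u->peer.data);
-}
-
 c->write->handler = ngx_http_upstream_handler;
 c->read->handler = ngx_http_upstream_handler;
 
 ngx_http_upstream_send_request(r, u, 1);
 
@@ -1777,10 +1776,31 @@
 }
 
 failed:
 
 ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR);
+}
+
+
+static void
+ngx_http_upstream_ssl_save_session(ngx_connection_t *c)
+{
+ngx_http_request_t *r;
+ngx_http_upstream_t *u;
+
+if (c->idle) {
+return;
+}
+
+r = c->data;
+
+u = r->upstream;
+c = r->connection;
+
+ngx_http_set_log_request(c->log, r);
+
+u->peer.save_session(&u->peer, u->peer.data);
 }
 
 
 static ngx_int_t
 ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u,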
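Review bot: In the new ngx_http_upstream_ssl_save_session the parameter `c` is rebound from the upstream connection to the client connection (`c = r->connection;`) only to reach its log, which makes the function harder to read and invites a later slip if anything added after that line still needs the upstream connection; a separate local such as `ngx_connection_t *cc = r->connection;` followed by `ngx_http_set_log_request(cc->log, r);` keeps the two connections distinct. The `if (c->idle)` early return also deserves a why-comment, e.g. `/* idle (cached keepalive) upstream connection: c->data is not a request here */` — that reasoning is inferred from the commit description's point that NewSessionTicket messages can arrive at any time, not shown in the hunk, so confirm it before committing the wording. The callback additionally assumes `c->data` is an ngx_http_request_t and that `r->upstream` is non-NULL whenever it fires; since it is installed only under `u->conf->ssl_session_reuse` in the second hunk that presumably holds, but a one-line comment stating the invariant next to `r = c->data;` would help the next reader verify it.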