comparison src/stream/ngx_stream_proxy_module.c @ 8053:9d98d524bd02

Upstream: optimized use of SSL contexts (ticket #1234). To ensure optimal use of memory, SSL contexts for proxying are now inherited from previous levels as long as relevant proxy_ssl_* directives are not redefined. Further, when no proxy_ssl_* directives are redefined in a server block, we now preserve plcf->upstream.ssl in the "http" section configuration to inherit it to all servers. Similar changes made in uwsgi, grpc, and stream proxy.
author Maxim Dounin <mdounin@mdounin.ru>
date Wed, 29 Jun 2022 02:47:45 +0300
parents 457afc332c67
children 17d6a537fb1b b30bec3d71d6
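--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -101,10 +101,12 @@
 static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
 static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
 static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
 static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
 static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s);
+static ngx_int_t ngx_stream_proxy_merge_ssl(ngx_conf_t *cf,
+ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
 static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
 ngx_stream_proxy_srv_conf_t *pscf);
 
 
 static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = {
@@ -799,11 +801,11 @@
 
 pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
 
 #if (NGX_STREAM_SSL)
 
-if (pc->type == SOCK_STREAM && pscf->ssl) {
+if (pc->type == SOCK_STREAM && pscf->ssl_enable) {
 
 if (u->proxy_protocol) {
 if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) {
 return;
 }
@@ -2148,10 +2150,14 @@
 
 ngx_conf_merge_value(conf->half_close, prev->half_close, 0);
 
 #if (NGX_STREAM_SSL)
 
+if (ngx_stream_proxy_merge_ssl(cf, conf, prev) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+
 ngx_conf_merge_value(conf->ssl_enable, prev->ssl_enable, 0);
 
 ngx_conf_merge_value(conf->ssl_session_reuse,
 prev->ssl_session_reuse, 1);
 
@@ -2197,20 +2203,66 @@
 
 
 #if (NGX_STREAM_SSL)
 
 static ngx_int_t
+ngx_stream_proxy_merge_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *conf,
+ngx_stream_proxy_srv_conf_t *prev)
+{
+ngx_uint_t preserve;
+
+if (conf->ssl_protocols == 0
+&& conf->ssl_ciphers.data == NULL
+&& conf->ssl_certificate == NGX_CONF_UNSET_PTR
+&& conf->ssl_certificate_key == NGX_CONF_UNSET_PTR
+&& conf->ssl_passwords == NGX_CONF_UNSET_PTR
+&& conf->ssl_verify == NGX_CONF_UNSET
+&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
+&& conf->ssl_trusted_certificate.data == NULL
+&& conf->ssl_crl.data == NULL
+&& conf->ssl_session_reuse == NGX_CONF_UNSET
+&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
+{
+if (prev->ssl) {
+conf->ssl = prev->ssl;
+return NGX_OK;
+}
+
+preserve = 1;
+
+} else {
+preserve = 0;
+}
+
+conf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
+if (conf->ssl == NULL) {
+return NGX_ERROR;
+}
+
+conf->ssl->log = cf->log;
+
+/*
+* special handling to preserve conf->ssl
+* in the "stream" section to inherit it to all servers
+*/
+
+if (preserve) {
+prev->ssl = conf->ssl;
+}
+
+return NGX_OK;
+}
+
+
+static ngx_int_t
 ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
 {
 ngx_pool_cleanup_t *cln;
 
-pscf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
-if (pscf->ssl == NULL) {
-return NGX_ERROR;
-}
-
-pscf->ssl->log = cf->log;
+if (pscf->ssl->ctx) {
+return NGX_OK;
+}
 
 if (ngx_ssl_create(pscf->ssl, pscf->ssl_protocols, NULL) != NGX_OK) {
 return NGX_ERROR;
 }
 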
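Review bot: The condition at the top of ngx_stream_proxy_merge_ssl() is the only thing that decides whether a server block gets its own SSL context, and nothing documents that every setting applied to the context has to be listed in it. A proxy_ssl_* directive added later and left out of this list would be accepted in a server block but never take effect there, because `conf->ssl = prev->ssl` hands back the parent's context; for verification or trust settings that failure is silent. I would put `/* every directive applied to the SSL context must be tested here, otherwise it is ignored when the context is inherited */` above the `if`. In ngx_stream_proxy_set_ssl(), whose body continues outside the hunk, the new `if (pscf->ssl->ctx)` dereferences `pscf->ssl` with no NULL check, which appears safe only because the merge step now always allocates it; a comment such as `/* pscf->ssl is always set by ngx_stream_proxy_merge_ssl() */` would record that, and it also means `pscf->ssl` can no longer serve as a "TLS enabled" test, as the switch to `pscf->ssl_enable` in the connect path shows.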