view src/http/modules/perl/nginx.pm @ 7732:59e1c73fe02b
SSL: ssl_reject_handshake directive (ticket #195).
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for
this. This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.
With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.
For example, to reject handshake with names other than example.com,
one can use the following configuration:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name example.com;
ssl_certificate example.com.crt;
ssl_certificate_key example.com.key;
}
The following configuration can be used to reject all SSL handshakes
without SNI server name provided:
server {
listen 443 ssl;
ssl_reject_handshake on;
}
server {
listen 443 ssl;
server_name ~^;
ssl_certificate example.crt;
ssl_certificate_key example.key;
}
Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional. If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Thu, 22 Oct 2020 18:02:28 +0300 |
parents | be5cfa918bfc |
children | 985b0bda403c |
package nginx;

use 5.006001;
use strict;
use warnings;

require Exporter;
our @ISA = ('Exporter');

# Every name below is pushed into the caller's namespace unconditionally on
# "use nginx;" (Exporter @EXPORT semantics), so the list must stay in sync with
# the constants defined further down.
our @EXPORT = qw(
    OK
    DECLINED

    HTTP_OK
    HTTP_CREATED
    HTTP_ACCEPTED
    HTTP_NO_CONTENT
    HTTP_PARTIAL_CONTENT

    HTTP_MOVED_PERMANENTLY
    HTTP_MOVED_TEMPORARILY
    HTTP_REDIRECT
    HTTP_SEE_OTHER
    HTTP_NOT_MODIFIED
    HTTP_TEMPORARY_REDIRECT
    HTTP_PERMANENT_REDIRECT

    HTTP_BAD_REQUEST
    HTTP_UNAUTHORIZED
    HTTP_PAYMENT_REQUIRED
    HTTP_FORBIDDEN
    HTTP_NOT_FOUND
    HTTP_NOT_ALLOWED
    HTTP_NOT_ACCEPTABLE
    HTTP_REQUEST_TIME_OUT
    HTTP_CONFLICT
    HTTP_GONE
    HTTP_LENGTH_REQUIRED
    HTTP_REQUEST_ENTITY_TOO_LARGE
    HTTP_REQUEST_URI_TOO_LARGE
    HTTP_UNSUPPORTED_MEDIA_TYPE
    HTTP_RANGE_NOT_SATISFIABLE

    HTTP_INTERNAL_SERVER_ERROR
    HTTP_SERVER_ERROR
    HTTP_NOT_IMPLEMENTED
    HTTP_BAD_GATEWAY
    HTTP_SERVICE_UNAVAILABLE
    HTTP_GATEWAY_TIME_OUT
    HTTP_INSUFFICIENT_STORAGE
);

# Substituted at build time; passed to XSLoader so the XS part must match.
our $VERSION = '%%VERSION%%';

# Bind the compiled XS implementation (request object methods live there).
require XSLoader;
XSLoader::load('nginx', $VERSION);

# Handler return values (see the module documentation referenced in SEE ALSO).
use constant OK       => 0;
use constant DECLINED => -5;

# 2xx: success
use constant HTTP_OK              => 200;
use constant HTTP_CREATED         => 201;
use constant HTTP_ACCEPTED        => 202;
use constant HTTP_NO_CONTENT      => 204;
use constant HTTP_PARTIAL_CONTENT => 206;

# 3xx: redirection (HTTP_REDIRECT is a second name for 302)
use constant HTTP_MOVED_PERMANENTLY  => 301;
use constant HTTP_MOVED_TEMPORARILY  => 302;
use constant HTTP_REDIRECT           => 302;
use constant HTTP_SEE_OTHER          => 303;
use constant HTTP_NOT_MODIFIED       => 304;
use constant HTTP_TEMPORARY_REDIRECT => 307;
use constant HTTP_PERMANENT_REDIRECT => 308;

# 4xx: client error
use constant HTTP_BAD_REQUEST              => 400;
use constant HTTP_UNAUTHORIZED             => 401;
use constant HTTP_PAYMENT_REQUIRED         => 402;
use constant HTTP_FORBIDDEN                => 403;
use constant HTTP_NOT_FOUND                => 404;
use constant HTTP_NOT_ALLOWED              => 405;
use constant HTTP_NOT_ACCEPTABLE           => 406;
use constant HTTP_REQUEST_TIME_OUT         => 408;
use constant HTTP_CONFLICT                 => 409;
use constant HTTP_GONE                     => 410;
use constant HTTP_LENGTH_REQUIRED          => 411;
use constant HTTP_REQUEST_ENTITY_TOO_LARGE => 413;
use constant HTTP_REQUEST_URI_TOO_LARGE    => 414;
use constant HTTP_UNSUPPORTED_MEDIA_TYPE   => 415;
use constant HTTP_RANGE_NOT_SATISFIABLE    => 416;

# 5xx: server error (HTTP_SERVER_ERROR is a second name for 500)
use constant HTTP_INTERNAL_SERVER_ERROR => 500;
use constant HTTP_SERVER_ERROR          => 500;
use constant HTTP_NOT_IMPLEMENTED       => 501;
use constant HTTP_BAD_GATEWAY           => 502;
use constant HTTP_SERVICE_UNAVAILABLE   => 503;
use constant HTTP_GATEWAY_TIME_OUT      => 504;
use constant HTTP_INSUFFICIENT_STORAGE  => 507;

# rflush($r): forward to the request object's flush method and hand back
# whatever it returns.  "flush" is not defined in this file; presumably it is
# supplied by the XS code loaded above -- confirm there before relying on its
# return value.
sub rflush {
    my ($r) = @_;
    return $r->flush;
}

=head1 NAME

nginx - Perl interface to the nginx HTTP server API

=head1 SYNOPSIS

  use nginx;

=head1 DESCRIPTION

This module provides a Perl interface to the nginx HTTP server API.
Loading it exports the handler return values (OK, DECLINED) and the
HTTP_* status code constants defined above into the caller's namespace.

=head1 SEE ALSO

http://nginx.org/en/docs/http/ngx_http_perl_module.html

=head1 AUTHOR

Igor Sysoev

=head1 COPYRIGHT AND LICENSE

Copyright (C) Igor Sysoev
Copyright (C) Nginx, Inc.

=cut

1;