# HG changeset patch
# User Andrei Belov
# Date 1379601033 -14400
# Node ID 7c1f4977d8a0bf49075139c4b8ac4fbd7bef4a63
# Parent cfbf1d1cc233639251cc92ed9c6cac2379d03644
Proxy: added the "proxy_ssl_protocols" directive.
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -76,6 +76,11 @@ typedef struct {
 ngx_uint_t headers_hash_max_size;
 ngx_uint_t headers_hash_bucket_size;
+
+#if (NGX_HTTP_SSL)
+ ngx_uint_t ssl;
+ ngx_uint_t ssl_protocols;
+#endif
 } ngx_http_proxy_loc_conf_t;
@@ -186,6 +191,20 @@ static ngx_conf_bitmask_t ngx_http_prox
 };
+#if (NGX_HTTP_SSL)
+
+static ngx_conf_bitmask_t ngx_http_proxy_ssl_protocols[] = {
+ { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+ { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+ { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+ { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
+ { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+ { ngx_null_string, 0 }
+};
+
+#endif
+
+
 static ngx_conf_enum_t ngx_http_proxy_http_version[] = {
 { ngx_string("1.0"), NGX_HTTP_VERSION_10 },
 { ngx_string("1.1"), NGX_HTTP_VERSION_11 },
@@ -512,6 +531,13 @@ static ngx_command_t ngx_http_proxy_com
 offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_session_reuse), NULL },
+ { ngx_string("proxy_ssl_protocols"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
+ ngx_conf_set_bitmask_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_protocols),
+ &ngx_http_proxy_ssl_protocols },
+
 #endif
 ngx_null_command
@@ -2386,6 +2412,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
 * conf->body_set = NULL;
 * conf->body_source = { 0, NULL };
 * conf->redirects = NULL;
+ * conf->ssl = 0;
+ * conf->ssl_protocols = 0;
 */
 conf->upstream.store = NGX_CONF_UNSET;
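Review bot: The new `ssl` field in the `@@ -76` hunk is undocumented and easy to confuse with `upstream.ssl`; in this patch it is only a marker that proxy_pass sets and that ngx_http_proxy_merge_loc_conf tests before calling ngx_http_proxy_set_ssl. A one-line comment would make that role explicit, e.g. `/* set by proxy_pass; SSL context is created at merge time */`. `ssl_protocols` could likewise carry `/* NGX_SSL_* bitmask passed to ngx_ssl_create() */`. The struct begins outside the hunk.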
@@ -2701,6 +2729,15 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
 #if (NGX_HTTP_SSL)
 ngx_conf_merge_value(conf->upstream.ssl_session_reuse, prev->upstream.ssl_session_reuse, 1);
+
+ ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
+ (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3
+ |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+ |NGX_SSL_TLSv1_2));
+
+ if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
 #endif
 ngx_conf_merge_value(conf->redirect, prev->redirect, 1);
@@ -3146,9 +3183,7 @@ ngx_http_proxy_pass(ngx_conf_t *cf, ngx_
 }
 #if (NGX_HTTP_SSL)
- if (ngx_http_proxy_set_ssl(cf, plcf) != NGX_OK) {
- return NGX_CONF_ERROR;
- }
+ plcf->ssl = 1;
 #endif
 return NGX_CONF_OK;
@@ -3161,9 +3196,7 @@ ngx_http_proxy_pass(ngx_conf_t *cf, ngx_
 } else if (ngx_strncasecmp(url->data, (u_char *) "https://", 8) == 0) {
 #if (NGX_HTTP_SSL)
- if (ngx_http_proxy_set_ssl(cf, plcf) != NGX_OK) {
- return NGX_CONF_ERROR;
- }
+ plcf->ssl = 1;
 add = 8;
 port = 443;
@@ -3745,10 +3778,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
 plcf->upstream.ssl->log = cf->log;
- if (ngx_ssl_create(plcf->upstream.ssl,
- NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
- |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
- NULL)
+ if (ngx_ssl_create(plcf->upstream.ssl, plcf->ssl_protocols, NULL)
 != NGX_OK) {
 return NGX_ERROR;
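Review bot: The default mask in the `@@ -2701` hunk still turns on `NGX_SSL_SSLv3` for every https upstream that does not set proxy_ssl_protocols. The patch already drops SSLv2 from the default; SSLv3 is a legacy protocol with known weaknesses and is better left as an explicit opt-in through the directive, which the name table in the `@@ -186` hunk still allows: `(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)`. Upstreams that only speak SSLv3 would then need `proxy_ssl_protocols SSLv3;` set, so this is a compatibility trade-off to call out in the change notes. The function body continues outside the hunk.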
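Review bot: `plcf->ssl = 1` in the `@@ -3146` hunk (and again at `@@ -3161`) marks only the configuration that contains proxy_pass, and the merge hunk propagates neither `ssl` nor `upstream.ssl` from `prev`. If ngx_http_proxy_merge_loc_conf lets a nested block inherit the upstream without its own proxy_pass (that code is outside this patch, so this needs confirming), such a block would reach request time with `upstream.ssl` still NULL for an https upstream. If that path exists, inherit the parent's context where the upstream is inherited, e.g. `conf->upstream.ssl = prev->upstream.ssl;`. ngx_http_proxy_pass begins and ends outside both hunks.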
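Review bot: ngx_http_proxy_set_ssl in the `@@ -3745` hunk now passes `plcf->ssl_protocols` straight to ngx_ssl_create and so relies on the mask having been merged first. The only call site this patch leaves visible, in ngx_http_proxy_merge_loc_conf, runs after ngx_conf_merge_bitmask_value, but nothing in the function states that ordering requirement. A short comment above the call would do, e.g. `/* ssl_protocols must already be merged; see ngx_http_proxy_merge_loc_conf() */`. The function starts and ends outside the hunk.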