[PATCH] SSL: add "{proxy,uwsgi}_ssl_server_name" directives

Piotr Sikora
February 04, 2014 09:32PM
# HG changeset patch
# User Piotr Sikora <piotr@cloudflare.com>
# Date 1391566491 28800
# Tue Feb 04 18:14:51 2014 -0800
# Node ID 92b99bb6851da6c2c72bb7b3e14bae059b6d5db0
# Parent 3abb7076b3ecc27d970183c4d0238cefaa7a7c78
SSL: add "{proxy,uwsgi}_ssl_server_name" directives.

Send TLS Server Name Indication (SNI) when connecting to
an SSL upstream, provided the configured value isn't an empty string.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>

diff -r 3abb7076b3ec -r 92b99bb6851d src/event/ngx_event_connect.h
--- a/src/event/ngx_event_connect.h Tue Feb 04 16:26:46 2014 +0400
+++ b/src/event/ngx_event_connect.h Tue Feb 04 18:14:51 2014 -0800
@@ -50,6 +50,8 @@ struct ngx_peer_connection_s {
#if (NGX_SSL)
ngx_event_set_peer_session_pt set_session;
ngx_event_save_peer_session_pt save_session;
+
+ ngx_str_t server_name;
#endif

#if (NGX_THREADS)
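Review bot: The new `server_name` member is undocumented, and the convention the rest of the patch relies on (a zero `len` means "send no SNI", see the `if (u->peer.server_name.len)` guard in ngx_http_upstream.c) is not visible from the header. I would add `/* TLS SNI host name for this peer; len == 0 disables SNI */` above the field so readers of ngx_peer_connection_s know it is optional. The struct definition begins outside the hunk.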
diff -r 3abb7076b3ec -r 92b99bb6851d src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 16:26:46 2014 +0400
+++ b/src/http/modules/ngx_http_proxy_module.c Tue Feb 04 18:14:51 2014 -0800
@@ -553,6 +553,13 @@ static ngx_command_t ngx_http_proxy_com
offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers),
NULL },

+ { ngx_string("proxy_ssl_server_name"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_http_set_complex_value_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name),
+ NULL },
+
#endif

ngx_null_command
@@ -2390,6 +2397,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
* conf->upstream.location = NULL;
* conf->upstream.store_lengths = NULL;
* conf->upstream.store_values = NULL;
+ * conf->upstream.ssl_server_name = NULL;
*
* conf->method = { 0, NULL };
* conf->headers_source = NULL;
@@ -2725,6 +2733,10 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");

+ if (conf->upstream.ssl_server_name == NULL) {
+ conf->upstream.ssl_server_name = prev->upstream.ssl_server_name;
+ }
+
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
diff -r 3abb7076b3ec -r 92b99bb6851d src/http/modules/ngx_http_upstream_keepalive_module.c
--- a/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 16:26:46 2014 +0400
+++ b/src/http/modules/ngx_http_upstream_keepalive_module.c Tue Feb 04 18:14:51 2014 -0800
@@ -49,6 +49,10 @@ typedef struct {
socklen_t socklen;
u_char sockaddr[NGX_SOCKADDRLEN];

+#if (NGX_HTTP_SSL)
+ ngx_str_t server_name;
+#endif
+
} ngx_http_upstream_keepalive_cache_t;


@@ -237,9 +241,17 @@ ngx_http_upstream_get_keepalive_peer(ngx
item = ngx_queue_data(q, ngx_http_upstream_keepalive_cache_t, queue);
c = item->connection;

- if (ngx_memn2cmp((u_char *) &item->sockaddr, (u_char *) pc->sockaddr,
- item->socklen, pc->socklen)
- == 0)
+ if ((ngx_memn2cmp((u_char *) &item->sockaddr, (u_char *) pc->sockaddr,
+ item->socklen, pc->socklen)
+ == 0)
+#if (NGX_HTTP_SSL)
+ && (pc->server_name.len == item->server_name.len)
+ && (pc->server_name.len == 0
+ || ngx_strncmp(pc->server_name.data, item->server_name.data,
+ pc->server_name.len)
+ == 0)
+#endif
+ )
{
ngx_queue_remove(q);
ngx_queue_insert_head(&kp->conf->free, q);
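Review bot: The extended match condition has no comment explaining why the SNI name participates in cache lookup, which is the security-relevant part of this hunk: a cached connection already completed a TLS handshake (and received a certificate) for one name, so handing it out for a request that wants a different name would silently serve that request over the wrong TLS session. I would add, above the `if`, `/* a cached connection did its handshake for one SNI name; only reuse it for the same name (len == 0 matches "no SNI") */`. The comparison is case-sensitive via ngx_strncmp; that is safe (a case difference merely misses the cache), but worth noting in the comment since DNS names are case-insensitive. The enclosing function starts and ends outside the hunk.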
@@ -346,6 +358,24 @@ ngx_http_upstream_free_keepalive_peer(ng
item->socklen = pc->socklen;
ngx_memcpy(&item->sockaddr, pc->sockaddr, pc->socklen);

+#if (NGX_HTTP_SSL)
+
+ item->server_name.len = pc->server_name.len;
+
+ if (item->server_name.len) {
+
+ item->server_name.data = ngx_pnalloc(c->pool, pc->server_name.len + 1);
+ if (item->server_name.data == NULL) {
+ goto invalid;
+ }
+
+ ngx_memcpy(item->server_name.data, pc->server_name.data,
+ pc->server_name.len);
+ item->server_name.data[pc->server_name.len] = '\0';
+ }
+
+#endif
+
if (c->read->ready) {
ngx_http_upstream_keepalive_close_handler(c->read);
}
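Review bot: `ngx_pnalloc(c->pool, ...)` at the top of the new block runs every time a connection is returned to the cache, and nothing frees the previous copy, so a long-lived keepalive connection grows its pool by `len + 1` bytes on each reuse; the connection pool is only released when the connection closes. Since the get side only hands out a cached connection whose stored name equals the request's name, the copy made on the first return is still correct on later returns, so the copy could be kept per connection and reallocated only when the length changes rather than unconditionally here. The `goto invalid` on allocation failure targets a label outside the hunk; I assume it closes the connection, which is the right outcome. The enclosing function starts and ends outside the hunk.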
diff -r 3abb7076b3ec -r 92b99bb6851d src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 16:26:46 2014 +0400
+++ b/src/http/modules/ngx_http_uwsgi_module.c Tue Feb 04 18:14:51 2014 -0800
@@ -409,6 +409,13 @@ static ngx_command_t ngx_http_uwsgi_comm
offsetof(ngx_http_uwsgi_loc_conf_t, ssl_ciphers),
NULL },

+ { ngx_string("uwsgi_ssl_server_name"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_http_set_complex_value_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_server_name),
+ NULL },
+
#endif

ngx_null_command
@@ -1505,6 +1512,10 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");

+ if (conf->upstream.ssl_server_name == NULL) {
+ conf->upstream.ssl_server_name = prev->upstream.ssl_server_name;
+ }
+
if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
diff -r 3abb7076b3ec -r 92b99bb6851d src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c Tue Feb 04 16:26:46 2014 +0400
+++ b/src/http/ngx_http_upstream.c Tue Feb 04 18:14:51 2014 -0800
@@ -478,6 +478,9 @@ static void
ngx_http_upstream_init_request(ngx_http_request_t *r)
{
ngx_str_t *host;
+#if (NGX_HTTP_SSL)
+ ngx_str_t name;
+#endif
ngx_uint_t i;
ngx_resolver_ctx_t *ctx, temp;
ngx_http_cleanup_t *cln;
@@ -536,6 +539,31 @@ ngx_http_upstream_init_request(ngx_http_

u->peer.local = ngx_http_upstream_get_local(r, u->conf->local);

+#if (NGX_HTTP_SSL)
+
+ if (u->ssl && u->conf->ssl_server_name) {
+
+ if (ngx_http_complex_value(r, u->conf->ssl_server_name, &name)
+ != NGX_OK)
+ {
+ ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+ return;
+ }
+
+ u->peer.server_name.data = ngx_pnalloc(r->pool, name.len + 1);
+ if (u->peer.server_name.data == NULL) {
+ ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
+ return;
+ }
+
+ u->peer.server_name.len = name.len;
+
+ ngx_memcpy(u->peer.server_name.data, name.data, name.len);
+ u->peer.server_name.data[name.len] = '\0';
+ }
+
+#endif
+
clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

u->output.alignment = clcf->directio_alignment;
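Review bot: The expanded complex value is copied into `u->peer.server_name` without any validation, yet it can come straight from the client (a configuration such as `proxy_ssl_server_name $http_host;` is allowed by the TAKE1 complex-value slot). Two cases matter: OpenSSL's SSL_set_tlsext_host_name takes a C string, so an embedded NUL in the variable silently truncates the name and sends a different SNI than the one compared by the keepalive cache; and RFC 6066 forbids literal IP addresses in server_name, which a `$host`-derived value will frequently be. I would reject the NUL case and skip SNI for an IPv4 literal right after ngx_http_complex_value succeeds; whether a `host:port` value should also be stripped of its port before use depends on intended semantics and is worth a comment. The enclosing function starts and ends outside the hunk.
```c
        if (ngx_http_complex_value(r, u->conf->ssl_server_name, &name)
            != NGX_OK)
        {
            ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
            return;
        }

        /* SSL_set_tlsext_host_name() takes a C string: an embedded NUL
         * would silently truncate the name, so refuse it */
        if (ngx_strlchr(name.data, name.data + name.len, '\0') != NULL) {
            ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
            return;
        }

        /* RFC 6066: literal IP addresses are not valid SNI names */
        if (ngx_inet_addr(name.data, name.len) != INADDR_NONE) {
            name.len = 0;
        }

        /* … unchanged: copy into u->peer.server_name … */
```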
@@ -1363,6 +1391,18 @@ ngx_http_upstream_ssl_init_connection(ng
}
}

+ if (u->peer.server_name.len) {
+
+ if (SSL_set_tlsext_host_name(c->ssl->connection,
+ u->peer.server_name.data)
+ == 0)
+ {
+ ngx_http_upstream_finalize_request(r, u,
+ NGX_HTTP_INTERNAL_SERVER_ERROR);
+ return;
+ }
+ }
+
r->connection->log->action = "SSL handshaking to upstream";

rc = ngx_ssl_handshake(c);
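Review bot: A failed SSL_set_tlsext_host_name() is turned into a 500 with no log entry, so an operator cannot tell why the upstream connection was abandoned; every other SSL failure path in nginx reports through ngx_ssl_error. I would add, before the finalize call, `ngx_ssl_error(NGX_LOG_ERR, c->log, 0, "SSL_set_tlsext_host_name(\"%s\") failed", u->peer.server_name.data);`. Note also that sending SNI only selects the upstream's certificate; nothing in this hunk ties the certificate the upstream presents to the name sent, so this should not be read as hostname verification. The enclosing function starts outside the hunk, and it is not visible here whether a keepalive connection that already has `c->ssl` re-enters this block.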
diff -r 3abb7076b3ec -r 92b99bb6851d src/http/ngx_http_upstream.h
--- a/src/http/ngx_http_upstream.h Tue Feb 04 16:26:46 2014 +0400
+++ b/src/http/ngx_http_upstream.h Tue Feb 04 18:14:51 2014 -0800
@@ -195,6 +195,7 @@ typedef struct {
#if (NGX_HTTP_SSL)
ngx_ssl_t *ssl;
ngx_flag_t ssl_session_reuse;
+ ngx_http_complex_value_t *ssl_server_name;
#endif

ngx_str_t module;
