Welcome! Log In Create A New Profile

Advanced

[nginx] Upstream: proxy_ssl_conf_command and friends.

Maxim Dounin
October 22, 2020 11:04AM
details: https://hg.nginx.org/nginx/rev/1a719ee45526
branches:
changeset: 7730:1a719ee45526
user: Maxim Dounin <mdounin@mdounin.ru>
date: Thu Oct 22 18:00:23 2020 +0300
description:
Upstream: proxy_ssl_conf_command and friends.

Similarly to ssl_conf_command, proxy_ssl_conf_command (grpc_ssl_conf_command,
uwsgi_ssl_conf_command) can be used to set arbitrary OpenSSL configuration
parameters as long as nginx is compiled with OpenSSL 1.0.2 or later,
when connecting to upstream servers with SSL. Full list of available
configuration commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

diffstat:

src/http/modules/ngx_http_grpc_module.c | 34 ++++++++++++++++++++++++++++++
src/http/modules/ngx_http_proxy_module.c | 36 ++++++++++++++++++++++++++++++++
src/http/modules/ngx_http_uwsgi_module.c | 34 ++++++++++++++++++++++++++++++
3 files changed, 104 insertions(+), 0 deletions(-)

diffs (281 lines):

diff -r 3bff3f397c05 -r 1a719ee45526 src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c Thu Oct 22 18:00:22 2020 +0300
+++ b/src/http/modules/ngx_http_grpc_module.c Thu Oct 22 18:00:23 2020 +0300
@@ -40,6 +40,7 @@ typedef struct {
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
+ ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_grpc_loc_conf_t;

@@ -208,6 +209,8 @@ static char *ngx_http_grpc_pass(ngx_conf
#if (NGX_HTTP_SSL)
static char *ngx_http_grpc_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
+static char *ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
static ngx_int_t ngx_http_grpc_set_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *glcf);
#endif
@@ -242,6 +245,9 @@ static ngx_conf_bitmask_t ngx_http_grpc
{ ngx_null_string, 0 }
};

+static ngx_conf_post_t ngx_http_grpc_ssl_conf_command_post =
+ { ngx_http_grpc_ssl_conf_command_check };
+
#endif


@@ -438,6 +444,13 @@ static ngx_command_t ngx_http_grpc_comm
0,
NULL },

+ { ngx_string("grpc_ssl_conf_command"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_grpc_loc_conf_t, ssl_conf_commands),
+ &ngx_http_grpc_ssl_conf_command_post },
+
#endif

ngx_null_command
@@ -4359,6 +4372,7 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif

/* the hardcoded values */
@@ -4469,6 +4483,9 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);

+ ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+ prev->ssl_conf_commands, NULL);
+
if (conf->ssl && ngx_http_grpc_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -4836,6 +4853,17 @@ ngx_http_grpc_ssl_password_file(ngx_conf
}


+static char *
+ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
{
@@ -4926,6 +4954,12 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng

#endif

+ if (ngx_ssl_conf_commands(cf, glcf->upstream.ssl, glcf->ssl_conf_commands)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}

diff -r 3bff3f397c05 -r 1a719ee45526 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Thu Oct 22 18:00:22 2020 +0300
+++ b/src/http/modules/ngx_http_proxy_module.c Thu Oct 22 18:00:23 2020 +0300
@@ -127,6 +127,7 @@ typedef struct {
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
+ ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_proxy_loc_conf_t;

@@ -229,6 +230,10 @@ static char *ngx_http_proxy_ssl_password
#endif

static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
+#endif

static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
@@ -274,6 +279,9 @@ static ngx_conf_bitmask_t ngx_http_prox
{ ngx_null_string, 0 }
};

+static ngx_conf_post_t ngx_http_proxy_ssl_conf_command_post =
+ { ngx_http_proxy_ssl_conf_command_check };
+
#endif


@@ -764,6 +772,13 @@ static ngx_command_t ngx_http_proxy_com
0,
NULL },

+ { ngx_string("proxy_ssl_conf_command"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_conf_commands),
+ &ngx_http_proxy_ssl_conf_command_post },
+
#endif

ngx_null_command
@@ -3340,6 +3355,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif

/* "proxy_cyclic_temp_file" is disabled */
@@ -3687,6 +3703,9 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);

+ ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+ prev->ssl_conf_commands, NULL);
+
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -4845,6 +4864,17 @@ ngx_http_proxy_lowat_check(ngx_conf_t *c

#if (NGX_HTTP_SSL)

+static char *
+ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
{
@@ -4922,6 +4952,12 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
return NGX_ERROR;
}

+ if (ngx_ssl_conf_commands(cf, plcf->upstream.ssl, plcf->ssl_conf_commands)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}

diff -r 3bff3f397c05 -r 1a719ee45526 src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c Thu Oct 22 18:00:22 2020 +0300
+++ b/src/http/modules/ngx_http_uwsgi_module.c Thu Oct 22 18:00:23 2020 +0300
@@ -57,6 +57,7 @@ typedef struct {
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
+ ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_uwsgi_loc_conf_t;

@@ -96,6 +97,8 @@ static char *ngx_http_uwsgi_cache_key(ng
#if (NGX_HTTP_SSL)
static char *ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
+static char *ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf,
ngx_http_uwsgi_loc_conf_t *uwcf);
#endif
@@ -134,6 +137,9 @@ static ngx_conf_bitmask_t ngx_http_uwsg
{ ngx_null_string, 0 }
};

+static ngx_conf_post_t ngx_http_uwsgi_ssl_conf_command_post =
+ { ngx_http_uwsgi_ssl_conf_command_check };
+
#endif


@@ -561,6 +567,13 @@ static ngx_command_t ngx_http_uwsgi_comm
0,
NULL },

+ { ngx_string("uwsgi_ssl_conf_command"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_conf_commands),
+ &ngx_http_uwsgi_ssl_conf_command_post },
+
#endif

ngx_null_command
@@ -1500,6 +1513,7 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif

/* "uwsgi_cyclic_temp_file" is disabled */
@@ -1830,6 +1844,9 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);

+ ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+ prev->ssl_conf_commands, NULL);
+
if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -2376,6 +2393,17 @@ ngx_http_uwsgi_ssl_password_file(ngx_con
}


+static char *
+ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
{
@@ -2453,6 +2481,12 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
return NGX_ERROR;
}

+ if (ngx_ssl_conf_commands(cf, uwcf->upstream.ssl, uwcf->ssl_conf_commands)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
Subject Author Views Posted

[nginx] Upstream: proxy_ssl_conf_command and friends.

Maxim Dounin 119 October 22, 2020 11:04AM



Sorry, you do not have permission to post/reply in this forum.

Online Users

Guests: 88
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready