details: https://hg.nginx.org/nginx/rev/fd0b2226919b
branches:
changeset: 7731:fd0b2226919b
user: Maxim Dounin <mdounin@mdounin.ru>
date: Thu Oct 22 18:00:27 2020 +0300
description:
Stream: proxy_ssl_conf_command directive.

Similarly to ssl_conf_command, proxy_ssl_conf_command can be used to
set arbitrary OpenSSL configuration parameters as long as nginx is
compiled with OpenSSL 1.0.2 or later, when connecting to upstream
servers with SSL. Full list of available configuration commands
can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

diffstat:

src/stream/ngx_stream_proxy_module.c | 34 ++++++++++++++++++++++++++++++++++
1 files changed, 34 insertions(+), 0 deletions(-)

diffs (93 lines):

diff -r 1a719ee45526 -r fd0b2226919b src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c Thu Oct 22 18:00:23 2020 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Thu Oct 22 18:00:27 2020 +0300
@@ -49,6 +49,7 @@ typedef struct {
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
+ ngx_array_t *ssl_conf_commands;

ngx_ssl_t *ssl;
#endif
@@ -94,6 +95,8 @@ static char *ngx_stream_proxy_bind(ngx_c
static ngx_int_t ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s);
static char *ngx_stream_proxy_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
+static char *ngx_stream_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
@@ -112,6 +115,9 @@ static ngx_conf_bitmask_t ngx_stream_pr
{ ngx_null_string, 0 }
};

+static ngx_conf_post_t ngx_stream_proxy_ssl_conf_command_post =
+ { ngx_stream_proxy_ssl_conf_command_check };
+
#endif


@@ -331,6 +337,13 @@ static ngx_command_t ngx_stream_proxy_c
0,
NULL },

+ { ngx_string("proxy_ssl_conf_command"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_proxy_srv_conf_t, ssl_conf_commands),
+ &ngx_stream_proxy_ssl_conf_command_post },
+
#endif

ngx_null_command
@@ -1008,6 +1021,17 @@ ngx_stream_proxy_ssl_password_file(ngx_c
}


+static char *
+ngx_stream_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static void
ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
{
@@ -1985,6 +2009,7 @@ ngx_stream_proxy_create_srv_conf(ngx_con
conf->ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif

return conf;
@@ -2072,6 +2097,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf

ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);

+ ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+ prev->ssl_conf_commands, NULL);
+
if (conf->ssl_enable && ngx_stream_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -2156,6 +2184,12 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
return NGX_ERROR;
}

+ if (ngx_ssl_conf_commands(cf, pscf->ssl, pscf->ssl_conf_commands)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel