Re: [PATCH] Support of proxy v2 protocol for NGINX stream module

Maxim Dounin
April 09, 2021 10:18AM
Hello!

On Fri, Apr 09, 2021 at 04:26:52PM +0300, Vasiliy Soshnikov wrote:

[...]

> + /** SSL TLVs */
> +
> +#if (NGX_STREAM_SSL)
> +
> + data = NULL;
> + data_len = 0;
> +
> + tlv = (ngx_tlv_ssl_t *) (buf + len);
> + ngx_memzero(tlv, sizeof(ngx_tlv_ssl_t));
> +
> + tlv->tlv.type = NGX_PROXY_PROTOCOL_V2_TYPE_SSL;
> + pos = buf + len + sizeof(ngx_tlv_ssl_t);
> +
> + tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_SSL;
> +
> + if (c->ssl != NULL) {
> +
> +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
> + SSL_get0_alpn_selected(c->ssl->connection, &data, &data_len);
> +
> +#ifdef TLSEXT_TYPE_next_proto_neg
> + if (data_len == 0) {
> + SSL_get0_next_proto_negotiated(c->ssl->connection,
> + &data, &data_len);
> + }
> +#endif
> +
> +#else /* TLSEXT_TYPE_next_proto_neg */
> + SSL_get0_next_proto_negotiated(c->ssl->connection, &data,
> &data_len);
> +#endif
> +
> + if (data_len) {
> +
> + pos = ngx_copy_tlv(pos, last,
> + NGX_PROXY_PROTOCOL_V2_TYPE_ALPN,
> + (u_char *) data, (uint16_t) data_len);
> + if (pos == NULL) {
> + return NULL;
> + }
> + }
> +
> + value = (u_char *) SSL_get_version(c->ssl->connection);
> + if (value != NULL) {
> +
> + pos = ngx_copy_tlv(pos, last,
> + NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_VERSION,
> + value, ngx_strlen(value));
> + if (pos == NULL) {
> + return NULL;
> + }
> + }
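
Review bot: `tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_SSL;` is executed before the `if (c->ssl != NULL)` check, so the SSL TLV reports a TLS client even when the connection has no SSL context. Set the bit inside the `c->ssl != NULL` branch, or skip the whole TLV when `c->ssl` is NULL, because an upstream may base trust decisions on that flag. The `#else` commented `/* TLSEXT_TYPE_next_proto_neg */` actually pairs with `#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation`, and the `SSL_get0_next_proto_negotiated()` call in that branch is not guarded by `TLSEXT_TYPE_next_proto_neg`; it needs its own `#ifdef` and a corrected comment. The ALPN value is also copied at `pos`, right after the `ngx_tlv_ssl_t` header and ahead of the `NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_VERSION` sub-TLV, although `NGX_PROXY_PROTOCOL_V2_TYPE_ALPN` is named as a type rather than a subtype, so it looks like it belongs in a TLV of its own outside the SSL TLV.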

[...]

Thanks for the patch.

For the record, as discussed privately: this is more or less
proof-of-concept for the ticket #1639[1], used for tests with
RabbitMQ[2]. A committable solution probably needs something similar
to proxy_set_header / fastcgi_param to control TLVs sent to the
upstream server instead of hardcoding them.

[1] https://trac.nginx.org/nginx/ticket/1639
[2] https://www.rabbitmq.com/networking.html#proxy-protocol

--
Maxim Dounin
http://mdounin.ru/