diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c index d1bcdbbe0..5bd987266 100644 --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -28,7 +28,20 @@ static ngx_int_t ngx_http_upstream_cache_last_modified(ngx_http_request_t *r, static ngx_int_t ngx_http_upstream_cache_etag(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); #endif +static u_char *last_ssl_cipher = NULL; +static u_char *last_ssl_protocol = NULL; +static ngx_int_t ssl_protocol_index = NGX_ERROR; +static ngx_int_t ssl_cipher_index = NGX_ERROR; +u_char *ngx_ssl_get_backend_protocol(ngx_connection_t *c); +u_char *ngx_ssl_get_backend_cipher(ngx_connection_t *c); +static ngx_int_t ngx_http_variable_backend_ssl_cipher(ngx_http_request_t *r, + ngx_http_variable_value_t *v, + uintptr_t data); + +static ngx_int_t ngx_http_variable_backend_ssl_protocol(ngx_http_request_t *r, + ngx_http_variable_value_t *v, + uintptr_t data); static void ngx_http_upstream_init_request(ngx_http_request_t *r); static void ngx_http_upstream_resolve_handler(ngx_resolver_ctx_t *ctx); static void ngx_http_upstream_rd_check_broken_connection(ngx_http_request_t *r); @@ -404,6 +417,14 @@ static ngx_http_variable_t ngx_http_upstream_vars[] = { { ngx_string("upstream_addr"), NULL, ngx_http_upstream_addr_variable, 0, NGX_HTTP_VAR_NOCACHEABLE, 0 }, + + { ngx_string("backend_ssl_protocol"), NULL, + ngx_http_variable_backend_ssl_protocol, 0, + NGX_HTTP_VAR_NOCACHEABLE, 0 }, + + { ngx_string("backend_ssl_cipher"), NULL, + ngx_http_variable_backend_ssl_cipher, 0, + NGX_HTTP_VAR_NOCACHEABLE, 0 }, { ngx_string("upstream_status"), NULL, ngx_http_upstream_status_variable, 0, 
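Review bot: `last_ssl_protocol` and `last_ssl_cipher` are worker-wide statics, so `$backend_ssl_protocol`/`$backend_ssl_cipher` report whichever upstream handshake finished most recently in the worker rather than the handshake of the request being logged, and under concurrent requests the logged TLS parameters are attributed to the wrong request. The same pattern recurs in the -1835 and -2868 hunks and, as `last_stream_ssl_*`, in the stream hunks at -84, -1239 and -202, where the global additionally points into a per-session pool. Keep the value on the request instead: the -2576 hunk already fills `r->variables[ssl_*_index]` from the request's own `u->peer.connection`, so the statics can go. The two `ngx_ssl_get_backend_*` prototypes are non-static, declared in a `.c` file with no header, use the `ngx_ssl_` prefix of `ngx_event_openssl`, and nothing in this change calls them; make them `static` or drop them.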
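Review bot: The two handlers are named `ngx_http_variable_backend_ssl_protocol`/`_cipher`, while every other entry in `ngx_http_upstream_vars` uses the file's `ngx_http_upstream_<name>_variable` form; `ngx_http_upstream_ssl_protocol_variable` and `ngx_http_upstream_ssl_cipher_variable` would match, and the entries would sit more naturally after the existing upstream variables than wedged between `upstream_addr` and `upstream_status`. Both carry `NGX_HTTP_VAR_NOCACHEABLE`, which the -2576 hunk then contradicts by writing `no_cacheable = 0` into the same slots.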
@@ -1835,6 +1856,11 @@ ngx_http_upstream_ssl_handshake(ngx_http_request_t *r, ngx_http_upstream_t *u, long rc; if (c->ssl->handshaked) { + if (c->ssl && c->ssl->connection) { + last_ssl_protocol = (u_char *) SSL_get_version(c->ssl->connection); + last_ssl_cipher = (u_char *) SSL_get_cipher_name(c->ssl->connection); +} + if (u->conf->ssl_verify) { rc = SSL_get_verify_result(c->ssl->connection); @@ -2576,10 +2602,33 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) } } - if (ngx_http_upstream_process_headers(r, u) != NGX_OK) { - return; +if (u->peer.connection && u->peer.connection->ssl && u->peer.connection->ssl->connection) { + SSL *ssl_conn = u->peer.connection->ssl->connection; + + const char *proto = SSL_get_version(ssl_conn); + const char *cipher = SSL_get_cipher_name(ssl_conn); + + if (ssl_protocol_index != NGX_ERROR) { + r->variables[ssl_protocol_index].data = (u_char *) proto; + r->variables[ssl_protocol_index].len = ngx_strlen(proto); + r->variables[ssl_protocol_index].valid = 1; + r->variables[ssl_protocol_index].no_cacheable = 0; + r->variables[ssl_protocol_index].not_found = 0; } + if (ssl_cipher_index != NGX_ERROR) { + r->variables[ssl_cipher_index].data = (u_char *) cipher; + r->variables[ssl_cipher_index].len = ngx_strlen(cipher); + r->variables[ssl_cipher_index].valid = 1; + r->variables[ssl_cipher_index].no_cacheable = 0; + r->variables[ssl_cipher_index].not_found = 0; + } +} + +if (ngx_http_upstream_process_headers(r, u) != NGX_OK) { + return; +} + ngx_http_upstream_send_response(r, u); } 
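Review bot: The new `if (c->ssl && c->ssl->connection)` guard is nested inside `if (c->ssl->handshaked)`, which has already dereferenced `c->ssl`, so the `c->ssl` half is dead, and the closing brace is at column 0 against the function's four-space body. The two assignments only feed the worker-global `last_ssl_*` pointers (see the note on the -28 hunk); the -2576 hunk captures the same values per request from `u->peer.connection`, so this block can be removed rather than tidied. `ngx_http_upstream_ssl_handshake` begins and ends outside the hunk.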
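Review bot: The new block reads `u->peer.connection->ssl->connection` and calls `SSL_get_version`/`SSL_get_cipher_name` with no `#if (NGX_HTTP_SSL)` around it, but `ngx_connection_t.ssl` and the OpenSSL API exist only in SSL-enabled builds, so a non-SSL build of `ngx_http_upstream.c` no longer compiles; the `SSL_CIPHER` helpers added at -2868 have the same problem. Wrap the block in `#if (NGX_HTTP_SSL)` … `#endif`. It also sets `no_cacheable = 0` on slots whose table entries carry `NGX_HTTP_VAR_NOCACHEABLE` and whose getters set `no_cacheable = 1`, so whether a later read re-fetches depends on which path ran first; pick one. The re-added `if (ngx_http_upstream_process_headers(r, u) != NGX_OK)` and the surrounding `if` are at column 0 inside the function body and need the file's four-space indent.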
@@ -2868,7 +2917,74 @@ ngx_http_upstream_test_next(ngx_http_request_t *r, ngx_http_upstream_t *u) return NGX_DECLINED; } +static ngx_int_t +ngx_http_variable_backend_ssl_protocol(ngx_http_request_t *r, + ngx_http_variable_value_t *v, + uintptr_t data) +{ + if (last_ssl_protocol == NULL) { + v->not_found = 1; + return NGX_OK; + } + v->data = last_ssl_protocol; + v->len = ngx_strlen(last_ssl_protocol); + v->valid = 1; + v->no_cacheable = 1; + v->not_found = 0; + return NGX_OK; +} + +static ngx_int_t +ngx_http_variable_backend_ssl_cipher(ngx_http_request_t *r, + ngx_http_variable_value_t *v, + uintptr_t data) +{ + if (last_ssl_cipher == NULL) { + v->not_found = 1; + return NGX_OK; + } + + v->data = last_ssl_cipher; + v->len = ngx_strlen(last_ssl_cipher); + v->valid = 1; + v->no_cacheable = 1; + v->not_found = 0; + return NGX_OK; +} + + +u_char * +ngx_ssl_get_backend_cipher(ngx_connection_t *c) +{ + const SSL_CIPHER *cipher; + const char *cipher_name; + + if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) { + return NULL; + } + + cipher = SSL_get_current_cipher(c->ssl->connection); + if (cipher == NULL) { + return NULL; + } + + cipher_name = SSL_CIPHER_get_name(cipher); + return (u_char *) cipher_name; +} + +u_char * +ngx_ssl_get_backend_protocol(ngx_connection_t *c) +{ + const char *proto; + + if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) { + return NULL; + } + + proto = SSL_get_version(c->ssl->connection); + return (u_char *) proto; +} static ngx_int_t ngx_http_upstream_intercept_errors(ngx_http_request_t *r, ngx_http_upstream_t *u) @@ -5808,7 +5924,6 @@ ngx_http_upstream_copy_allow_ranges(ngx_http_request_t *r, return NGX_OK; } - static ngx_int_t ngx_http_upstream_add_variables(ngx_conf_t *cf) { 
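Review bot: `ngx_ssl_get_backend_cipher` and `ngx_ssl_get_backend_protocol` are exported, unguarded by `#if (NGX_HTTP_SSL)` despite using `SSL_CIPHER` and `SSL_get_current_cipher`, and nothing in this change calls them — the two getters above them read the `last_ssl_*` statics instead. Either delete the helpers or make them `static`, guard them, and have the getters use them on the request's own upstream connection; note, though, that by log time `r->upstream->peer.connection` may already have been closed, so a value captured at header time into the request (as the -2576 hunk does) is the safer source. The getters also set `no_cacheable = 1` while their stream twins at -202 set `0`; the two modules should agree. `ngx_http_upstream_intercept_errors` starts at the end of the hunk and continues outside it.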
@@ -5823,6 +5938,17 @@ ngx_http_upstream_add_variables(ngx_conf_t *cf) var->get_handler = v->get_handler; var->data = v->data; } +ngx_str_t proto_name = ngx_string("backend_ssl_protocol"); +ssl_protocol_index = ngx_http_get_variable_index(cf, &proto_name); +if (ssl_protocol_index == NGX_ERROR) { + return NGX_ERROR; +} + +ngx_str_t cipher_name = ngx_string("backend_ssl_cipher"); +ssl_cipher_index = ngx_http_get_variable_index(cf, &cipher_name); +if (ssl_cipher_index == NGX_ERROR) { + return NGX_ERROR; +} return NGX_OK; } diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c index 6e51585f6..1b1358537 100644 --- a/src/stream/ngx_stream_proxy_module.c +++ b/src/stream/ngx_stream_proxy_module.c @@ -18,6 +18,10 @@ typedef struct { #endif } ngx_stream_upstream_local_t; +typedef struct { + u_char *protocol; + u_char *cipher; +} ngx_stream_proxy_ssl_ctx_t; typedef struct { ngx_msec_t connect_timeout; @@ -84,6 +88,11 @@ static void ngx_stream_proxy_finalize(ngx_stream_session_t *s, ngx_uint_t rc); static u_char *ngx_stream_proxy_log_error(ngx_log_t *log, u_char *buf, size_t len); +//static u_char ssl_proto_buf[32]; +//static u_char ssl_cipher_buf[64]; +u_char *last_stream_ssl_protocol = NULL; +u_char *last_stream_ssl_cipher = NULL; + static void *ngx_stream_proxy_create_srv_conf(ngx_conf_t *cf); static char *ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child); 
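Review bot: The two index lookups are written at column 0 with `ngx_str_t proto_name = ngx_string(...)` declared mid-block, while `ngx_http_upstream_add_variables` (and the rest of the file) declares locals at the top of the block and indents the body by four spaces; `ngx_str_t name;` at the top followed by `ngx_str_set(&name, "backend_ssl_protocol");` before each `ngx_http_get_variable_index(cf, &name)` keeps the file's style. Storing the indices in file-scope statics works because this function runs once per configuration, but a comment saying so, e.g. `/* indexed at preconfiguration; consumed by ngx_http_upstream_process_header */`, would save the next reader from checking.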
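Review bot: The `//static u_char ssl_proto_buf[32];` and `//static u_char ssl_cipher_buf[64];` lines are commented-out code and should be deleted rather than committed. `last_stream_ssl_protocol`/`last_stream_ssl_cipher` are non-static globals defined in a `.c` file and reached by an `extern` in `ngx_stream_upstream.c`; if they stay, the declaration belongs in a header both files include, and they and the `ngx_stream_proxy_ssl_ctx_t` typedef at -18 should sit under `#if (NGX_STREAM_SSL)` as the `extern` at -30 already does. The cross-session aliasing these globals introduce is covered in the note on the -28 hunk.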
@@ -1239,17 +1248,56 @@ ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s) static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc) { + if (pc->ssl && pc->ssl->connection) { + ngx_log_error(NGX_LOG_ERR, pc->log, 0, + "[stream-debug] handshake function called, handshaked=%d", + pc->ssl->handshaked); + } long rc; ngx_stream_session_t *s; ngx_stream_upstream_t *u; ngx_stream_proxy_srv_conf_t *pscf; s = pc->data; + ngx_stream_proxy_ssl_ctx_t *ctx; + +ctx = ngx_pcalloc(s->connection->pool, sizeof(ngx_stream_proxy_ssl_ctx_t)); +if (ctx == NULL) { + goto failed; +} +ngx_stream_set_ctx(s, ctx, ngx_stream_proxy_module); + pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); if (pc->ssl->handshaked) { +#if (NGX_STREAM_SSL) +if (pc->ssl && pc->ssl->connection) { + const char *proto = SSL_get_version(pc->ssl->connection); + if (proto) { + ngx_str_t proto_str = ngx_string(proto); +ctx->protocol = ngx_pstrdup(s->connection->pool, &proto_str); +last_stream_ssl_protocol = ctx->protocol; + } + const SSL_CIPHER *cipher = SSL_get_current_cipher(pc->ssl->connection); + if (cipher) { + const char *name = SSL_CIPHER_get_name(cipher); + ngx_str_t cipher_str = ngx_string(name); +ctx->cipher = ngx_pstrdup(s->connection->pool, &cipher_str); +last_stream_ssl_cipher = ctx->cipher; + } + + ngx_log_error(NGX_LOG_ERR, pc->log, 0, + "[stream-ssl] protocol='%s' cipher='%s'", + ctx->protocol ? (char *)ctx->protocol : "(null)", + ctx->cipher ? (char *)ctx->cipher : "(null)"); +} +#endif + + } + + if (pc->ssl && pc->ssl->handshaked) { if (pscf->ssl_verify) { rc = SSL_get_verify_result(pc->ssl->connection); @@ -1275,14 +1323,12 @@ ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc) } ngx_stream_proxy_init_upstream(s); - return; } failed: - ngx_stream_proxy_next_upstream(s); -} +} static void diff --git a/src/stream/ngx_stream_upstream.c b/src/stream/ngx_stream_upstream.c index 6526d3c22..4ec09b12f 100644 --- a/src/stream/ngx_stream_upstream.c 
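Review bot: `ngx_str_t proto_str = ngx_string(proto);` expands to `sizeof(proto) - 1`, which for a `const char *` is the pointer width minus one rather than the string length, and `ngx_pstrdup` copies exactly `len` bytes with no terminator, so `ctx->protocol`/`ctx->cipher` hold a truncated or over-read, unterminated copy and the later `ngx_strlen` on them reads past the allocation. `ngx_string()` is for literals only; measure with `ngx_strlen` and copy with `ngx_cpystrn` into `len + 1` bytes as below (OpenSSL returns these names from static tables, so storing the pointer without any copy would also be valid). Publishing `ctx->protocol` into `last_stream_ssl_protocol` makes a worker-global point into this session's pool, which is freed when the session ends; drop the two `last_stream_ssl_* = ...` lines and have the variable getters read the session ctx. The `[stream-debug]`/`[stream-ssl]` messages go out at `NGX_LOG_ERR` on every handshake and should be `ngx_log_debug` at `NGX_LOG_DEBUG_STREAM` or removed, the `ngx_log_error` call precedes the local declarations, and the second `if (pc->ssl && pc->ssl->handshaked)` repeats the `if (pc->ssl->handshaked)` just above it. `ngx_stream_proxy_ssl_handshake` continues outside the hunk.
```c
    if (pc->ssl->handshaked) {
        const char        *proto, *name;
        const SSL_CIPHER  *cipher;
        size_t             len;

        proto = SSL_get_version(pc->ssl->connection);
        if (proto) {
            len = ngx_strlen(proto);
            ctx->protocol = ngx_pnalloc(s->connection->pool, len + 1);
            if (ctx->protocol == NULL) {
                goto failed;
            }
            ngx_cpystrn(ctx->protocol, (u_char *) proto, len + 1);
        }

        cipher = SSL_get_current_cipher(pc->ssl->connection);
        if (cipher) {
            name = SSL_CIPHER_get_name(cipher);
            len = ngx_strlen(name);
            ctx->cipher = ngx_pnalloc(s->connection->pool, len + 1);
            if (ctx->cipher == NULL) {
                goto failed;
            }
            ngx_cpystrn(ctx->cipher, (u_char *) name, len + 1);
        }

        /* … unchanged: ssl_verify handling and the rest of the function … */
```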
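Review bot: Removing `ngx_stream_proxy_next_upstream(s);` under `failed:` (and the `return;` after `ngx_stream_proxy_init_upstream(s)`) leaves every `goto failed` in the function — the verification-failure paths above the hunk, which presumably jump here, and the new `ctx == NULL` path at -1239 — returning with the session in limbo: no retry against the next upstream and no finalize, so the client and upstream connections sit until a timeout. Restore the original tail, `failed:` followed by `ngx_stream_proxy_next_upstream(s);`, and keep the `return;` so the success path does not fall into it. `ngx_stream_proxy_ssl_handshake` begins outside the hunk.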
+++ b/src/stream/ngx_stream_upstream.c @@ -8,7 +8,9 @@ #include #include #include - +#if (NGX_STREAM_SSL) +#include +#endif static ngx_int_t ngx_stream_upstream_add_variables(ngx_conf_t *cf); static ngx_int_t ngx_stream_upstream_addr_variable(ngx_stream_session_t *s, @@ -30,6 +32,47 @@ static char *ngx_stream_upstream_resolver(ngx_conf_t *cf, ngx_command_t *cmd, static void *ngx_stream_upstream_create_main_conf(ngx_conf_t *cf); static char *ngx_stream_upstream_init_main_conf(ngx_conf_t *cf, void *conf); +#if (NGX_STREAM_SSL) +extern u_char *last_stream_ssl_protocol; +extern u_char *last_stream_ssl_cipher; + +#endif +#if (NGX_STREAM_SSL) +u_char * +ngx_stream_ssl_get_backend_cipher(ngx_connection_t *c) +{ + const SSL_CIPHER *cipher; + const char *cipher_name; + + if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) { + return NULL; + } + + cipher = SSL_get_current_cipher(c->ssl->connection); + if (cipher == NULL) { + return NULL; + } + + cipher_name = SSL_CIPHER_get_name(cipher); + return (u_char *) cipher_name; +} +#endif + +#if (NGX_STREAM_SSL) +u_char * +ngx_stream_ssl_get_backend_protocol(ngx_connection_t *c) +{ + const char *proto; + + if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) { + return NULL; + } + + proto = SSL_get_version(c->ssl->connection); + return (u_char *) proto; +} + +#endif /* NGX_HTTP_SSL */ static ngx_command_t ngx_stream_upstream_commands[] = { @@ -70,9 +113,11 @@ static ngx_command_t ngx_stream_upstream_commands[] = { static ngx_stream_module_t ngx_stream_upstream_module_ctx = { - ngx_stream_upstream_add_variables, /* preconfiguration */ - NULL, /* postconfiguration */ + ngx_stream_upstream_add_variables, /* preconfiguration */ + + NULL, /* postconfiguration */ + ngx_stream_upstream_create_main_conf, /* create main configuration */ ngx_stream_upstream_init_main_conf, /* init main configuration */ 
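Review bot: `ngx_stream_ssl_get_backend_cipher` and `ngx_stream_ssl_get_backend_protocol` are byte-for-byte copies of the HTTP helpers from -2868, exported, never called, and placed between the prototypes and `ngx_stream_upstream_commands[]` where the file otherwise keeps only declarations; the closing comment `#endif /* NGX_HTTP_SSL */` also names the wrong macro and should read `#endif /* NGX_STREAM_SSL */`. Either drop them or keep one `static` copy next to its caller. The two `extern u_char *last_stream_ssl_*` declarations reach into `ngx_stream_proxy_module.c` for the globals discussed on the -28 hunk; if they stay, they belong in a shared header, and the three consecutive `#if (NGX_STREAM_SSL)` blocks can be merged into one.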
@@ -81,6 +126,7 @@ static ngx_stream_module_t ngx_stream_upstream_module_ctx = { }; + ngx_module_t ngx_stream_upstream_module = { NGX_MODULE_V1, &ngx_stream_upstream_module_ctx, /* module context */ @@ -96,12 +142,28 @@ ngx_module_t ngx_stream_upstream_module = { NGX_MODULE_V1_PADDING }; +static ngx_int_t +ngx_stream_variable_backend_ssl_protocol(ngx_stream_session_t *s, + ngx_stream_variable_value_t *v, + uintptr_t data); +static ngx_int_t +ngx_stream_variable_backend_ssl_cipher(ngx_stream_session_t *s, + ngx_stream_variable_value_t *v, + uintptr_t data); static ngx_stream_variable_t ngx_stream_upstream_vars[] = { { ngx_string("upstream_addr"), NULL, ngx_stream_upstream_addr_variable, 0, NGX_STREAM_VAR_NOCACHEABLE, 0 }, + + { ngx_string("backend_ssl_protocol"), NULL, + ngx_stream_variable_backend_ssl_protocol, 0, + NGX_STREAM_VAR_NOCACHEABLE, 0 }, + + { ngx_string("backend_ssl_cipher"), NULL, + ngx_stream_variable_backend_ssl_cipher, 0, + NGX_STREAM_VAR_NOCACHEABLE, 0 }, { ngx_string("upstream_bytes_sent"), NULL, ngx_stream_upstream_bytes_variable, 0, 
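Review bot: The two prototypes are added between `ngx_stream_upstream_module` and `ngx_stream_upstream_vars[]`, while the file collects its `static` prototypes at the top (the -30 hunk context shows `ngx_stream_upstream_addr_variable` declared there); move them up beside it. They also follow the `ngx_stream_variable_backend_ssl_*` naming rather than the file's `ngx_stream_upstream_<name>_variable` form, and the two table entries are unguarded although their getters at -202 depend on symbols declared only under `#if (NGX_STREAM_SSL)`.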
@@ -202,6 +264,43 @@ ngx_stream_upstream_addr_variable(ngx_stream_session_t *s, return NGX_OK; } +static ngx_int_t +ngx_stream_variable_backend_ssl_protocol(ngx_stream_session_t *s, + ngx_stream_variable_value_t *v, + uintptr_t data) +{ + if (last_stream_ssl_protocol == NULL) { + v->not_found = 1; + return NGX_OK; + } + + v->len = ngx_strlen(last_stream_ssl_protocol); + v->valid = 1; + v->no_cacheable = 0; + v->not_found = 0; + v->data = last_stream_ssl_protocol; + + return NGX_OK; +} + +static ngx_int_t +ngx_stream_variable_backend_ssl_cipher(ngx_stream_session_t *s, + ngx_stream_variable_value_t *v, + uintptr_t data) +{ + if (last_stream_ssl_cipher == NULL) { + v->not_found = 1; + return NGX_OK; + } + + v->len = ngx_strlen(last_stream_ssl_cipher); + v->valid = 1; + v->no_cacheable = 0; + v->not_found = 0; + v->data = last_stream_ssl_cipher; + + return NGX_OK; +} static ngx_int_t ngx_stream_upstream_bytes_variable(ngx_stream_session_t *s, @@ -865,4 +964,4 @@ ngx_stream_upstream_init_main_conf(ngx_conf_t *cf, void *conf) } return NGX_CONF_OK; -} +} \ No newline at end of file
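Review bot: Both getters read `last_stream_ssl_protocol`/`last_stream_ssl_cipher`, which the -30 hunk declares only under `#if (NGX_STREAM_SSL)`, so a stream build without SSL fails here on an undeclared identifier; and in SSL builds the pointer was assigned at -1239 from a copy in another session's pool, so once that session is freed the getter hands out released pool memory and `ngx_strlen` walks it. Read the per-session snapshot instead — fetch the proxy module's ctx with `ngx_stream_get_module_ctx(s, ngx_stream_proxy_module)` (with the ctx type and module declared in a shared header) and set `v->not_found = 1` when it or the field is NULL — and guard the handlers and their table entries with `#if (NGX_STREAM_SSL)`. `v->no_cacheable = 0` here disagrees with the HTTP twins at -2868, which set `1`; the two modules should agree. The file separates functions with two blank lines, and there is none before `ngx_stream_upstream_bytes_variable`.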