Minimal patch: only protocol and cipher exposure

This commit is contained in:
Kanaga Vasantharaj (WIPRO LIMITED) 2025-07-01 15:13:55 +05:30
parent 4eaecc5e8a
commit 33aff6e406
3 changed files with 281 additions and 10 deletions


@ -28,7 +28,20 @@ static ngx_int_t ngx_http_upstream_cache_last_modified(ngx_http_request_t *r,
static ngx_int_t ngx_http_upstream_cache_etag(ngx_http_request_t *r,
ngx_http_variable_value_t *v, uintptr_t data);
#endif
static u_char *last_ssl_cipher = NULL;
static u_char *last_ssl_protocol = NULL;
static ngx_int_t ssl_protocol_index = NGX_ERROR;
static ngx_int_t ssl_cipher_index = NGX_ERROR;
u_char *ngx_ssl_get_backend_protocol(ngx_connection_t *c);
u_char *ngx_ssl_get_backend_cipher(ngx_connection_t *c);
static ngx_int_t ngx_http_variable_backend_ssl_cipher(ngx_http_request_t *r,
ngx_http_variable_value_t *v,
uintptr_t data);
static ngx_int_t ngx_http_variable_backend_ssl_protocol(ngx_http_request_t *r,
ngx_http_variable_value_t *v,
uintptr_t data);
static void ngx_http_upstream_init_request(ngx_http_request_t *r);
static void ngx_http_upstream_resolve_handler(ngx_resolver_ctx_t *ctx);
static void ngx_http_upstream_rd_check_broken_connection(ngx_http_request_t *r);
@ -405,6 +418,14 @@ static ngx_http_variable_t ngx_http_upstream_vars[] = {
ngx_http_upstream_addr_variable, 0,
NGX_HTTP_VAR_NOCACHEABLE, 0 },
{ ngx_string("backend_ssl_protocol"), NULL,
ngx_http_variable_backend_ssl_protocol, 0,
NGX_HTTP_VAR_NOCACHEABLE, 0 },
{ ngx_string("backend_ssl_cipher"), NULL,
ngx_http_variable_backend_ssl_cipher, 0,
NGX_HTTP_VAR_NOCACHEABLE, 0 },
{ ngx_string("upstream_status"), NULL,
ngx_http_upstream_status_variable, 0,
NGX_HTTP_VAR_NOCACHEABLE, 0 },
@ -1835,6 +1856,11 @@ ngx_http_upstream_ssl_handshake(ngx_http_request_t *r, ngx_http_upstream_t *u,
long rc;
if (c->ssl->handshaked) {
if (c->ssl && c->ssl->connection) {
last_ssl_protocol = (u_char *) SSL_get_version(c->ssl->connection);
last_ssl_cipher = (u_char *) SSL_get_cipher_name(c->ssl->connection);
}
if (u->conf->ssl_verify) {
rc = SSL_get_verify_result(c->ssl->connection);
@ -2576,10 +2602,33 @@ ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u)
}
}
if (ngx_http_upstream_process_headers(r, u) != NGX_OK) {
return;
if (u->peer.connection && u->peer.connection->ssl && u->peer.connection->ssl->connection) {
SSL *ssl_conn = u->peer.connection->ssl->connection;
const char *proto = SSL_get_version(ssl_conn);
const char *cipher = SSL_get_cipher_name(ssl_conn);
if (ssl_protocol_index != NGX_ERROR) {
r->variables[ssl_protocol_index].data = (u_char *) proto;
r->variables[ssl_protocol_index].len = ngx_strlen(proto);
r->variables[ssl_protocol_index].valid = 1;
r->variables[ssl_protocol_index].no_cacheable = 0;
r->variables[ssl_protocol_index].not_found = 0;
}
if (ssl_cipher_index != NGX_ERROR) {
r->variables[ssl_cipher_index].data = (u_char *) cipher;
r->variables[ssl_cipher_index].len = ngx_strlen(cipher);
r->variables[ssl_cipher_index].valid = 1;
r->variables[ssl_cipher_index].no_cacheable = 0;
r->variables[ssl_cipher_index].not_found = 0;
}
}
if (ngx_http_upstream_process_headers(r, u) != NGX_OK) {
return;
}
ngx_http_upstream_send_response(r, u);
}
@ -2868,7 +2917,74 @@ ngx_http_upstream_test_next(ngx_http_request_t *r, ngx_http_upstream_t *u)
return NGX_DECLINED;
}
static ngx_int_t
ngx_http_variable_backend_ssl_protocol(ngx_http_request_t *r,
ngx_http_variable_value_t *v,
uintptr_t data)
{
if (last_ssl_protocol == NULL) {
v->not_found = 1;
return NGX_OK;
}
v->data = last_ssl_protocol;
v->len = ngx_strlen(last_ssl_protocol);
v->valid = 1;
v->no_cacheable = 1;
v->not_found = 0;
return NGX_OK;
}
static ngx_int_t
ngx_http_variable_backend_ssl_cipher(ngx_http_request_t *r,
ngx_http_variable_value_t *v,
uintptr_t data)
{
if (last_ssl_cipher == NULL) {
v->not_found = 1;
return NGX_OK;
}
v->data = last_ssl_cipher;
v->len = ngx_strlen(last_ssl_cipher);
v->valid = 1;
v->no_cacheable = 1;
v->not_found = 0;
return NGX_OK;
}
u_char *
ngx_ssl_get_backend_cipher(ngx_connection_t *c)
{
const SSL_CIPHER *cipher;
const char *cipher_name;
if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) {
return NULL;
}
cipher = SSL_get_current_cipher(c->ssl->connection);
if (cipher == NULL) {
return NULL;
}
cipher_name = SSL_CIPHER_get_name(cipher);
return (u_char *) cipher_name;
}
u_char *
ngx_ssl_get_backend_protocol(ngx_connection_t *c)
{
const char *proto;
if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) {
return NULL;
}
proto = SSL_get_version(c->ssl->connection);
return (u_char *) proto;
}
static ngx_int_t
ngx_http_upstream_intercept_errors(ngx_http_request_t *r,
ngx_http_upstream_t *u)
@ -5808,7 +5924,6 @@ ngx_http_upstream_copy_allow_ranges(ngx_http_request_t *r,
return NGX_OK;
}
static ngx_int_t
ngx_http_upstream_add_variables(ngx_conf_t *cf)
{
@ -5823,6 +5938,17 @@ ngx_http_upstream_add_variables(ngx_conf_t *cf)
var->get_handler = v->get_handler;
var->data = v->data;
}
ngx_str_t proto_name = ngx_string("backend_ssl_protocol");
ssl_protocol_index = ngx_http_get_variable_index(cf, &proto_name);
if (ssl_protocol_index == NGX_ERROR) {
return NGX_ERROR;
}
ngx_str_t cipher_name = ngx_string("backend_ssl_cipher");
ssl_cipher_index = ngx_http_get_variable_index(cf, &cipher_name);
if (ssl_cipher_index == NGX_ERROR) {
return NGX_ERROR;
}
return NGX_OK;
}
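Review bot: The fallback handlers `ngx_http_variable_backend_ssl_protocol` and `ngx_http_variable_backend_ssl_cipher` return whatever `last_ssl_protocol`/`last_ssl_cipher` the worker's most recent upstream handshake left in the two file-scope statics, so a request whose upstream was plaintext, or whose `r->variables[]` slot was not filled by the new block in `ngx_http_upstream_process_header`, reports another request's TLS protocol and cipher in its logs. That `process_header` block already shows the correct per-request source; keep the value on the request instead (for example a field on `ngx_http_upstream_t`, assigned in `ngx_http_upstream_ssl_handshake` where the statics are written today) and drop the statics, as sketched below for the protocol handler (the cipher handler mirrors it). In the handshake hunk, `if (c->ssl->handshaked) { if (c->ssl && c->ssl->connection)` dereferences `c->ssl` before the inner test, so the null check is either redundant or belongs outside; the rest of that function is not shown. `ngx_ssl_get_backend_cipher`/`ngx_ssl_get_backend_protocol` are given external linkage but nothing in these hunks calls them, and the `SSL_*` calls added to `ngx_http_upstream_process_header` and the new handlers will not build without SSL unless they sit inside an `#if (NGX_HTTP_SSL)` region that is not visible here.
```c
static ngx_int_t
ngx_http_variable_backend_ssl_protocol(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
{
    ngx_http_upstream_t  *u = r->upstream;

    /* ssl_protocol: proposed NEW per-request member of ngx_http_upstream_t,
     * set in ngx_http_upstream_ssl_handshake in place of the file-scope static */
    if (u == NULL || u->ssl_protocol == NULL) {
        v->not_found = 1;
        return NGX_OK;
    }

    v->data = u->ssl_protocol;
    v->len = ngx_strlen(u->ssl_protocol);
    v->valid = 1;
    v->no_cacheable = 1;
    v->not_found = 0;

    return NGX_OK;
}
```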


@ -18,6 +18,10 @@ typedef struct {
#endif
} ngx_stream_upstream_local_t;
typedef struct {
u_char *protocol;
u_char *cipher;
} ngx_stream_proxy_ssl_ctx_t;
typedef struct {
ngx_msec_t connect_timeout;
@ -84,6 +88,11 @@ static void ngx_stream_proxy_finalize(ngx_stream_session_t *s, ngx_uint_t rc);
static u_char *ngx_stream_proxy_log_error(ngx_log_t *log, u_char *buf,
size_t len);
//static u_char ssl_proto_buf[32];
//static u_char ssl_cipher_buf[64];
u_char *last_stream_ssl_protocol = NULL;
u_char *last_stream_ssl_cipher = NULL;
static void *ngx_stream_proxy_create_srv_conf(ngx_conf_t *cf);
static char *ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent,
void *child);
@ -1239,17 +1248,56 @@ ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
static void
ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc)
{
if (pc->ssl && pc->ssl->connection) {
ngx_log_error(NGX_LOG_ERR, pc->log, 0,
"[stream-debug] handshake function called, handshaked=%d",
pc->ssl->handshaked);
}
long rc;
ngx_stream_session_t *s;
ngx_stream_upstream_t *u;
ngx_stream_proxy_srv_conf_t *pscf;
s = pc->data;
ngx_stream_proxy_ssl_ctx_t *ctx;
ctx = ngx_pcalloc(s->connection->pool, sizeof(ngx_stream_proxy_ssl_ctx_t));
if (ctx == NULL) {
goto failed;
}
ngx_stream_set_ctx(s, ctx, ngx_stream_proxy_module);
pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
if (pc->ssl->handshaked) {
#if (NGX_STREAM_SSL)
if (pc->ssl && pc->ssl->connection) {
const char *proto = SSL_get_version(pc->ssl->connection);
if (proto) {
ngx_str_t proto_str = ngx_string(proto);
ctx->protocol = ngx_pstrdup(s->connection->pool, &proto_str);
last_stream_ssl_protocol = ctx->protocol;
}
const SSL_CIPHER *cipher = SSL_get_current_cipher(pc->ssl->connection);
if (cipher) {
const char *name = SSL_CIPHER_get_name(cipher);
ngx_str_t cipher_str = ngx_string(name);
ctx->cipher = ngx_pstrdup(s->connection->pool, &cipher_str);
last_stream_ssl_cipher = ctx->cipher;
}
ngx_log_error(NGX_LOG_ERR, pc->log, 0,
"[stream-ssl] protocol='%s' cipher='%s'",
ctx->protocol ? (char *)ctx->protocol : "(null)",
ctx->cipher ? (char *)ctx->cipher : "(null)");
}
#endif
}
if (pc->ssl && pc->ssl->handshaked) {
if (pscf->ssl_verify) {
rc = SSL_get_verify_result(pc->ssl->connection);
@ -1275,12 +1323,10 @@ ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc)
}
ngx_stream_proxy_init_upstream(s);
return;
}
failed:
ngx_stream_proxy_next_upstream(s);
}
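Review bot: `ngx_string(proto)` and `ngx_string(name)` in `ngx_stream_proxy_ssl_handshake` are applied to `const char *` pointers, and that macro expands to `sizeof(str) - 1`, so `proto_str.len`/`cipher_str.len` become the pointer size minus one rather than the string length; `ngx_pstrdup` then copies exactly that many bytes with no terminator, so cipher names are truncated and `ngx_strlen(ctx->cipher)` (and the `%s` in the log line right after) read past the pool allocation. Copy with an explicit length and terminator instead, as in the helper below (the middle of this function, between the two hunks, is not shown). Separately, `last_stream_ssl_protocol`/`last_stream_ssl_cipher` are process-wide pointers into one session's `s->connection->pool`, so they dangle once that session's pool is freed, and `ngx_stream_variable_backend_ssl_protocol`/`ngx_stream_variable_backend_ssl_cipher` in ngx_stream_upstream.c dereference them for every later session with no ownership check; the values already live in the per-session `ctx`, so the handlers should read that and the `extern` declarations can go. `ngx_stream_set_ctx(s, ctx, ngx_stream_proxy_module)` replaces whatever the proxy module already keeps as its session context, which is worth confirming against the module's other `ngx_stream_get_module_ctx` uses. The `[stream-debug]`/`[stream-ssl]` messages are emitted at `NGX_LOG_ERR` on every upstream handshake and should be `ngx_log_debug*` at `NGX_LOG_DEBUG_STREAM` or removed, along with the commented-out `ssl_proto_buf`/`ssl_cipher_buf` declarations.
```c
/* Copy a NUL-terminated OpenSSL string into the session pool.
 * ngx_string() is for literals only; on a pointer it yields sizeof(ptr) - 1. */
static u_char *
ngx_stream_proxy_ssl_strdup(ngx_pool_t *pool, const char *src)
{
    size_t   len;
    u_char  *dst;

    len = ngx_strlen(src);

    dst = ngx_pnalloc(pool, len + 1);
    if (dst == NULL) {
        return NULL;
    }

    ngx_cpystrn(dst, (u_char *) src, len + 1);

    return dst;
}

/* … in ngx_stream_proxy_ssl_handshake, replacing the ngx_string()/ngx_pstrdup pairs … */
        if (proto) {
            ctx->protocol = ngx_stream_proxy_ssl_strdup(s->connection->pool, proto);
        }
        /* … same for the cipher name via SSL_CIPHER_get_name() … */
```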


@ -8,7 +8,9 @@
#include <ngx_config.h>
#include <ngx_core.h>
#include <ngx_stream.h>
#if (NGX_STREAM_SSL)
#include <openssl/ssl.h>
#endif
static ngx_int_t ngx_stream_upstream_add_variables(ngx_conf_t *cf);
static ngx_int_t ngx_stream_upstream_addr_variable(ngx_stream_session_t *s,
@ -30,6 +32,47 @@ static char *ngx_stream_upstream_resolver(ngx_conf_t *cf, ngx_command_t *cmd,
static void *ngx_stream_upstream_create_main_conf(ngx_conf_t *cf);
static char *ngx_stream_upstream_init_main_conf(ngx_conf_t *cf, void *conf);
#if (NGX_STREAM_SSL)
extern u_char *last_stream_ssl_protocol;
extern u_char *last_stream_ssl_cipher;
#endif
#if (NGX_STREAM_SSL)
u_char *
ngx_stream_ssl_get_backend_cipher(ngx_connection_t *c)
{
const SSL_CIPHER *cipher;
const char *cipher_name;
if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) {
return NULL;
}
cipher = SSL_get_current_cipher(c->ssl->connection);
if (cipher == NULL) {
return NULL;
}
cipher_name = SSL_CIPHER_get_name(cipher);
return (u_char *) cipher_name;
}
#endif
#if (NGX_STREAM_SSL)
u_char *
ngx_stream_ssl_get_backend_protocol(ngx_connection_t *c)
{
const char *proto;
if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) {
return NULL;
}
proto = SSL_get_version(c->ssl->connection);
return (u_char *) proto;
}
#endif /* NGX_HTTP_SSL */
static ngx_command_t ngx_stream_upstream_commands[] = {
@ -70,7 +113,9 @@ static ngx_command_t ngx_stream_upstream_commands[] = {
static ngx_stream_module_t ngx_stream_upstream_module_ctx = {
ngx_stream_upstream_add_variables, /* preconfiguration */
NULL, /* postconfiguration */
ngx_stream_upstream_create_main_conf, /* create main configuration */
@ -81,6 +126,7 @@ static ngx_stream_module_t ngx_stream_upstream_module_ctx = {
};
ngx_module_t ngx_stream_upstream_module = {
NGX_MODULE_V1,
&ngx_stream_upstream_module_ctx, /* module context */
@ -96,13 +142,29 @@ ngx_module_t ngx_stream_upstream_module = {
NGX_MODULE_V1_PADDING
};
static ngx_int_t
ngx_stream_variable_backend_ssl_protocol(ngx_stream_session_t *s,
ngx_stream_variable_value_t *v,
uintptr_t data);
static ngx_int_t
ngx_stream_variable_backend_ssl_cipher(ngx_stream_session_t *s,
ngx_stream_variable_value_t *v,
uintptr_t data);
static ngx_stream_variable_t ngx_stream_upstream_vars[] = {
{ ngx_string("upstream_addr"), NULL,
ngx_stream_upstream_addr_variable, 0,
NGX_STREAM_VAR_NOCACHEABLE, 0 },
{ ngx_string("backend_ssl_protocol"), NULL,
ngx_stream_variable_backend_ssl_protocol, 0,
NGX_STREAM_VAR_NOCACHEABLE, 0 },
{ ngx_string("backend_ssl_cipher"), NULL,
ngx_stream_variable_backend_ssl_cipher, 0,
NGX_STREAM_VAR_NOCACHEABLE, 0 },
{ ngx_string("upstream_bytes_sent"), NULL,
ngx_stream_upstream_bytes_variable, 0,
NGX_STREAM_VAR_NOCACHEABLE, 0 },
@ -202,6 +264,43 @@ ngx_stream_upstream_addr_variable(ngx_stream_session_t *s,
return NGX_OK;
}
static ngx_int_t
ngx_stream_variable_backend_ssl_protocol(ngx_stream_session_t *s,
ngx_stream_variable_value_t *v,
uintptr_t data)
{
if (last_stream_ssl_protocol == NULL) {
v->not_found = 1;
return NGX_OK;
}
v->len = ngx_strlen(last_stream_ssl_protocol);
v->valid = 1;
v->no_cacheable = 0;
v->not_found = 0;
v->data = last_stream_ssl_protocol;
return NGX_OK;
}
static ngx_int_t
ngx_stream_variable_backend_ssl_cipher(ngx_stream_session_t *s,
ngx_stream_variable_value_t *v,
uintptr_t data)
{
if (last_stream_ssl_cipher == NULL) {
v->not_found = 1;
return NGX_OK;
}
v->len = ngx_strlen(last_stream_ssl_cipher);
v->valid = 1;
v->no_cacheable = 0;
v->not_found = 0;
v->data = last_stream_ssl_cipher;
return NGX_OK;
}
static ngx_int_t
ngx_stream_upstream_bytes_variable(ngx_stream_session_t *s,