mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-12-03 13:09:01 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Upstream: proxy_ssl_name and proxy_ssl_server_name directives.

Browse Source 
These directives allow to switch on Server Name Indication (SNI) while
connecting to upstream servers.

By default, proxy_ssl_server_name is currently off (that is, no SNI) and
proxy_ssl_name is set to a host used in the proxy_pass directive.
This commit is contained in:
Maxim Dounin 2014-04-18 20:13:28 +04:00
parent 93eb94d622
commit 59ef4a3417
3 changed files with 137 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
src/http/modules/ngx_http_proxy_module.c
View File

@ -553,6 +553,20 @@ static ngx_command_t ngx_http_proxy_commands[] = {
offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers),
NULL },
{ ngx_string("proxy_ssl_name"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_http_set_complex_value_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_name),
NULL },
{ ngx_string("proxy_ssl_server_name"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_server_name),
NULL },
#endif
ngx_null_command
@ -2390,6 +2404,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
* conf->upstream.location = NULL;
* conf->upstream.store_lengths = NULL;
* conf->upstream.store_values = NULL;
* conf->upstream.ssl_name = NULL;
*
* conf->method = { 0, NULL };
* conf->headers_source = NULL;
@ -2441,8 +2456,10 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
conf->upstream.pass_headers = NGX_CONF_UNSET_PTR;
conf->upstream.intercept_errors = NGX_CONF_UNSET;
#if (NGX_HTTP_SSL)
conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
#endif
/* "proxy_cyclic_temp_file" is disabled */
@ -2714,6 +2731,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->upstream.intercept_errors, 0);
#if (NGX_HTTP_SSL)
ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
prev->upstream.ssl_session_reuse, 1);
@ -2725,9 +2743,17 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
if (conf->upstream.ssl_name == NULL) {
conf->upstream.ssl_name = prev->upstream.ssl_name;
}
ngx_conf_merge_value(conf->upstream.ssl_server_name,
prev->upstream.ssl_server_name, 0);
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
#endif
ngx_conf_merge_value(conf->redirect, prev->redirect, 1);

104
src/http/ngx_http_upstream.c
View File

@ -156,6 +156,8 @@ static char *ngx_http_upstream_init_main_conf(ngx_conf_t *cf, void *conf);
static void ngx_http_upstream_ssl_init_connection(ngx_http_request_t *,
ngx_http_upstream_t *u, ngx_connection_t *c);
static void ngx_http_upstream_ssl_handshake(ngx_connection_t *c);
static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r,
ngx_http_upstream_t *u, ngx_connection_t *c);
#endif
@ -581,9 +583,16 @@ ngx_http_upstream_init_request(ngx_http_request_t *r)
if (u->resolved == NULL) {
uscf = u->conf->upstream;
#if (NGX_HTTP_SSL)
u->ssl_name = uscf->host;
#endif
} else {
#if (NGX_HTTP_SSL)
u->ssl_name = u->resolved->host;
#endif
if (u->resolved->sockaddr) {
if (ngx_http_upstream_create_round_robin_peer(r, u->resolved)
@ -1355,6 +1364,14 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
c->sendfile = 0;
u->output.sendfile = 0;
if (u->conf->ssl_server_name) {
if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) {
ngx_http_upstream_finalize_request(r, u,
NGX_HTTP_INTERNAL_SERVER_ERROR);
return;
}
}
if (u->conf->ssl_session_reuse) {
if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
ngx_http_upstream_finalize_request(r, u,
@ -1409,6 +1426,93 @@ ngx_http_upstream_ssl_handshake(ngx_connection_t *c)
ngx_http_run_posted_requests(c);
}
static ngx_int_t
ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u,
ngx_connection_t *c)
{
u_char *p, *last;
ngx_str_t name;
if (u->conf->ssl_name) {
if (ngx_http_complex_value(r, u->conf->ssl_name, &name) != NGX_OK) {
return NGX_ERROR;
}
} else {
name = u->ssl_name;
}
if (name.len == 0) {
goto done;
}
/*
* ssl name here may contain port, notably if derived from $proxy_host
* or $http_host; we have to strip it
*/
p = name.data;
last = name.data + name.len;
if (*p == '[') {
p = ngx_strlchr(p, last, ']');
if (p == NULL) {
p = name.data;
}
}
p = ngx_strlchr(p, last, ':');
if (p != NULL) {
name.len = p - name.data;
}
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
/* as per RFC 6066, literal IPv4 and IPv6 addresses are not permitted */
if (name.len == 0 || *name.data == '[') {
goto done;
}
if (ngx_inet_addr(name.data, name.len) != INADDR_NONE) {
goto done;
}
/*
* SSL_set_tlsext_host_name() needs a null-terminated string,
* hence we explicitly null-terminate name here
*/
p = ngx_palloc(r->pool, name.len + 1);
if (p == NULL) {
return NGX_ERROR;
}
(void) ngx_cpystrn(p, name.data, name.len + 1);
name.data = p;
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"upstream SSL server name: \"%s\"", name.data);
if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) {
ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0,
"SSL_set_tlsext_host_name(\"%s\") failed", name.data);
return NGX_ERROR;
}
#endif
done:
u->ssl_name = name;
return NGX_OK;
}
#endif

7
src/http/ngx_http_upstream.h
View File

@ -195,6 +195,9 @@ typedef struct {
#if (NGX_HTTP_SSL)
ngx_ssl_t *ssl;
ngx_flag_t ssl_session_reuse;
ngx_http_complex_value_t *ssl_name;
ngx_flag_t ssl_server_name;
#endif
ngx_str_t module;
@ -323,6 +326,10 @@ struct ngx_http_upstream_s {
ngx_str_t schema;
ngx_str_t uri;
#if (NGX_HTTP_SSL)
ngx_str_t ssl_name;
#endif
ngx_http_cleanup_pt *cleanup;
unsigned store:1;