Upstream: fixed passwords support for dynamic certificates.

Passwords were not preserved in optimized SSL contexts.  The bug was
introduced in d791b4aab (1.23.1) and shows up with the following configuration:

    server {
        proxy_ssl_password_file password;
        proxy_ssl_certificate $ssl_server_name.crt;
        proxy_ssl_certificate_key $ssl_server_name.key;

        location /original/ {
            proxy_pass https://u1/;
        }

        location /optimized/ {
            proxy_pass https://u2/;
        }
    }

The fix is to always preserve passwords, by copying to the configuration
pool, if dynamic certificates are used.  This is done as part of merging
"ssl_passwords" configuration.

To minimize the number of copies, a preserved version is then used for
inheritance.  A notable exception is inheritance of preserved empty
passwords to the context with statically configured certificates:

    server {
        proxy_ssl_certificate $ssl_server_name.crt;
        proxy_ssl_certificate_key $ssl_server_name.key;

        location / {
            proxy_pass ...;

            proxy_ssl_certificate example.com.crt;
            proxy_ssl_certificate_key example.com.key;
        }
    }

In this case, an unmodified version (NULL) of empty passwords is set,
to allow reading them from the password prompt on nginx startup.

As an additional optimization, a preserved instance of inherited
configured passwords is set to the previous level, to inherit it
to other contexts:

    server {
        proxy_ssl_password_file password;

        location /1/ {
            proxy_pass https://u1/;
            proxy_ssl_certificate $ssl_server_name.crt;
            proxy_ssl_certificate_key $ssl_server_name.key;
        }

        location /2/ {
            proxy_pass https://u2/;
            proxy_ssl_certificate $ssl_server_name.crt;
            proxy_ssl_certificate_key $ssl_server_name.key;
        }
    }
This commit is contained in:
Sergey Kandaurov 2025-02-05 19:16:05 +04:00 committed by pluknet
parent a813c63921
commit 6c3a9d5612
6 changed files with 144 additions and 43 deletions


@ -4509,8 +4509,13 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->upstream.ssl_certificate_key, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
prev->upstream.ssl_certificate_cache, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
prev->upstream.ssl_passwords, NULL);
if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
&prev->upstream)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@ -5077,16 +5082,9 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
return NGX_ERROR;
}
if (glcf->upstream.ssl_certificate->lengths
|| glcf->upstream.ssl_certificate_key->lengths)
if (glcf->upstream.ssl_certificate->lengths == NULL
&& glcf->upstream.ssl_certificate_key->lengths == NULL)
{
glcf->upstream.ssl_passwords =
ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
if (glcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
} else {
if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
&glcf->upstream.ssl_certificate->value,
&glcf->upstream.ssl_certificate_key->value,
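Review bot: With the condition in ngx_http_grpc_set_ssl inverted, the dynamic-certificate case is now an empty path — whenever either `lengths` is non-NULL the function just skips ngx_ssl_certificate(), and nothing at this site tells a reader that the passwords such a context needs were already copied during merge. A one-line comment before the `if` would save the hunt, e.g. `/* passwords for dynamic certificates are preserved in ngx_http_upstream_merge_ssl_passwords() */`. The inversion also drops the explicit NULL-return error path the removed preserve call had; that is acceptable only because the merge helper now fails the configuration instead, which the comment could state. ngx_http_grpc_set_ssl starts and ends outside the hunk.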


@ -3976,8 +3976,13 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->upstream.ssl_certificate_key, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
prev->upstream.ssl_certificate_cache, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
prev->upstream.ssl_passwords, NULL);
if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
&prev->upstream)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@ -5337,16 +5342,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
return NGX_ERROR;
}
if (plcf->upstream.ssl_certificate->lengths
|| plcf->upstream.ssl_certificate_key->lengths)
if (plcf->upstream.ssl_certificate->lengths == NULL
&& plcf->upstream.ssl_certificate_key->lengths == NULL)
{
plcf->upstream.ssl_passwords =
ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
if (plcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
} else {
if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
&plcf->upstream.ssl_certificate->value,
&plcf->upstream.ssl_certificate_key->value,
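Review bot: The new ngx_http_upstream_merge_ssl_passwords() call in ngx_http_proxy_merge_loc_conf reads `conf->upstream.ssl_certificate` and `ssl_certificate_key` (per its definition elsewhere in this commit), so it must stay below the ssl_certificate_key merge visible just above it, yet nothing at the call site records that ordering. A reorder of these merges would not fail to compile; it would only leave passwords unpreserved for dynamic certificates, which is exactly the bug this commit fixes. Suggest `/* must follow the ssl_certificate/ssl_certificate_key merges above */` on the line before the call. ngx_http_proxy_merge_loc_conf starts and ends outside the hunk.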


@ -1933,8 +1933,13 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->upstream.ssl_certificate_key, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
prev->upstream.ssl_certificate_cache, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
prev->upstream.ssl_passwords, NULL);
if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
&prev->upstream)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@ -2685,16 +2690,9 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
return NGX_ERROR;
}
if (uwcf->upstream.ssl_certificate->lengths
|| uwcf->upstream.ssl_certificate_key->lengths)
if (uwcf->upstream.ssl_certificate->lengths == NULL
&& uwcf->upstream.ssl_certificate_key->lengths == NULL)
{
uwcf->upstream.ssl_passwords =
ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
if (uwcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
} else {
if (ngx_ssl_certificate(cf, uwcf->upstream.ssl,
&uwcf->upstream.ssl_certificate->value,
&uwcf->upstream.ssl_certificate_key->value,


@ -6921,6 +6921,61 @@ ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf,
}
#if (NGX_HTTP_SSL)
ngx_int_t
ngx_http_upstream_merge_ssl_passwords(ngx_conf_t *cf,
ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev)
{
ngx_uint_t preserve;
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
if (conf->ssl_certificate == NULL
|| conf->ssl_certificate->value.len == 0
|| conf->ssl_certificate_key == NULL)
{
return NGX_OK;
}
if (conf->ssl_certificate->lengths == NULL
&& conf->ssl_certificate_key->lengths == NULL)
{
if (conf->ssl_passwords && conf->ssl_passwords->pool == NULL) {
/* un-preserve empty password list */
conf->ssl_passwords = NULL;
}
return NGX_OK;
}
if (conf->ssl_passwords && conf->ssl_passwords->pool != cf->temp_pool) {
/* already preserved */
return NGX_OK;
}
preserve = (conf->ssl_passwords == prev->ssl_passwords) ? 1 : 0;
conf->ssl_passwords = ngx_ssl_preserve_passwords(cf, conf->ssl_passwords);
if (conf->ssl_passwords == NULL) {
return NGX_ERROR;
}
/*
* special handling to keep a preserved ssl_passwords copy
* in the previous configuration to inherit it to all children
*/
if (preserve) {
prev->ssl_passwords = conf->ssl_passwords;
}
return NGX_OK;
}
#endif
static void *
ngx_http_upstream_create_main_conf(ngx_conf_t *cf)
{
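Review bot: ngx_http_upstream_merge_ssl_passwords encodes its state in two pool sentinels — `pool == NULL` is read as "preserved empty list" and `pool != cf->temp_pool` as "already preserved" — but neither invariant is stated; they appear to depend on what ngx_ssl_preserve_passwords() returns for a NULL input and on the password file being read into cf->temp_pool, neither of which is visible in this commit. A comment above the first check should spell that contract out, e.g. `/* passwords read from a file live in cf->temp_pool; a preserved copy lives in cf->pool, and a preserved empty list is a static array with a NULL pool */`, so a change to either helper cannot silently break the un-preserve path. Worth a caveat as well: the preserved copy lives in cf->pool for the lifetime of the configuration, while the temp_pool original is presumably wiped with that pool — confirm the cf->pool copy receives the same cleanup. The existing comment on the `prev->ssl_passwords` write-back could also note that it only benefits siblings merged after this one.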


@ -437,6 +437,10 @@ char *ngx_http_upstream_param_set_slot(ngx_conf_t *cf, ngx_command_t *cmd,
ngx_int_t ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf,
ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev,
ngx_str_t *default_hide_headers, ngx_hash_init_t *hash);
#if (NGX_HTTP_SSL)
ngx_int_t ngx_http_upstream_merge_ssl_passwords(ngx_conf_t *cf,
ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev);
#endif
#define ngx_http_conf_upstream_srv_conf(uscf, module) \


@ -108,6 +108,8 @@ static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_merge_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
static ngx_int_t ngx_stream_proxy_merge_ssl_passwords(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *pscf);
@ -2315,7 +2317,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_ptr_value(conf->ssl_certificate_cache,
prev->ssl_certificate_cache, NULL);
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
if (ngx_stream_proxy_merge_ssl_passwords(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@ -2381,6 +2385,57 @@ ngx_stream_proxy_merge_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *conf,
}
static ngx_int_t
ngx_stream_proxy_merge_ssl_passwords(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev)
{
ngx_uint_t preserve;
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
if (conf->ssl_certificate == NULL
|| conf->ssl_certificate->value.len == 0
|| conf->ssl_certificate_key == NULL)
{
return NGX_OK;
}
if (conf->ssl_certificate->lengths == NULL
&& conf->ssl_certificate_key->lengths == NULL)
{
if (conf->ssl_passwords && conf->ssl_passwords->pool == NULL) {
/* un-preserve empty password list */
conf->ssl_passwords = NULL;
}
return NGX_OK;
}
if (conf->ssl_passwords && conf->ssl_passwords->pool != cf->temp_pool) {
/* already preserved */
return NGX_OK;
}
preserve = (conf->ssl_passwords == prev->ssl_passwords) ? 1 : 0;
conf->ssl_passwords = ngx_ssl_preserve_passwords(cf, conf->ssl_passwords);
if (conf->ssl_passwords == NULL) {
return NGX_ERROR;
}
/*
* special handling to keep a preserved ssl_passwords copy
* in the previous configuration to inherit it to all children
*/
if (preserve) {
prev->ssl_passwords = conf->ssl_passwords;
}
return NGX_OK;
}
static ngx_int_t
ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
{
@ -2418,16 +2473,9 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
return NGX_ERROR;
}
if (pscf->ssl_certificate->lengths
|| pscf->ssl_certificate_key->lengths)
if (pscf->ssl_certificate->lengths == NULL
&& pscf->ssl_certificate_key->lengths == NULL)
{
pscf->ssl_passwords =
ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords);
if (pscf->ssl_passwords == NULL) {
return NGX_ERROR;
}
} else {
if (ngx_ssl_certificate(cf, pscf->ssl,
&pscf->ssl_certificate->value,
&pscf->ssl_certificate_key->value,
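Review bot: ngx_stream_proxy_merge_ssl_passwords is a line-for-line copy of ngx_http_upstream_merge_ssl_passwords from this same commit; the only type-specific inputs are the two `lengths` checks, so the pool-sentinel logic and the `prev` write-back could live once next to ngx_ssl_preserve_passwords(), taking `ngx_array_t **` for both configurations plus a flag saying whether the certificate is dynamic. Keeping two copies means the sentinel rules (`pool == NULL`, `pool != cf->temp_pool`) must be fixed in two places whenever ngx_ssl_preserve_passwords() changes its return contract. If the duplication is kept, at least a comment in each copy should point at the other, e.g. `/* keep in sync with ngx_http_upstream_merge_ssl_passwords() */`. ngx_stream_proxy_set_ssl in the last hunk starts and ends outside the hunk.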