mirror/nginx
1
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2025-08-06 06:46:16 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merged with the default branch.

Browse Source
This commit is contained in:
Sergey Kandaurov 2020-10-29 14:53:58 +00:00
commit 6f73d24061
21 changed files with 583 additions and 71 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.hgtags
View File

@ -453,3 +453,4 @@ cbe6ba650211541310618849168631ce0b788f35 release-1.19.0
062920e2f3bf871ef7a3d8496edec1b3065faf80 release-1.19.1
a7b46539f507e6c64efa0efda69ad60b6f4ffbce release-1.19.2
3cbc2602325f0ac08917a4397d76f5155c34b7b1 release-1.19.3
dc0cc425fa63a80315f6efb68697cadb6626cdf2 release-1.19.4

34
docs/xml/nginx/changes.xml
View File

@ -5,6 +5,40 @@
<change_log title="nginx">
<changes ver="1.19.4" date="2020-10-27">
<change type="feature">
<para lang="ru">
директивы ssl_conf_command, proxy_ssl_conf_command, grpc_ssl_conf_command
и uwsgi_ssl_conf_command.
</para>
<para lang="en">
the "ssl_conf_command", "proxy_ssl_conf_command", "grpc_ssl_conf_command",
and "uwsgi_ssl_conf_command" directives.
</para>
</change>
<change type="feature">
<para lang="ru">
директива ssl_reject_handshake.
</para>
<para lang="en">
the "ssl_reject_handshake" directive.
</para>
</change>
<change type="feature">
<para lang="ru">
директива proxy_smtp_auth в почтовом прокси-сервере.
</para>
<para lang="en">
the "proxy_smtp_auth" directive in mail proxy.
</para>
</change>
</changes>
<changes ver="1.19.3" date="2020-09-29">
<change type="feature">

4
src/core/nginx.h
View File

@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_
#define nginx_version 1019003
#define NGINX_VERSION "1.19.3"
#define nginx_version 1019004
#define NGINX_VERSION "1.19.4"
#define NGINX_VER "nginx/" NGINX_VERSION
#ifdef NGX_BUILD

2
src/core/ngx_conf_file.c
View File

@ -1137,7 +1137,7 @@ ngx_conf_set_keyval_slot(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
a = (ngx_array_t **) (p + cmd->offset);
if (*a == NULL) {
if (*a == NGX_CONF_UNSET_PTR || *a == NULL) {
*a = ngx_array_create(cf->pool, 4, sizeof(ngx_keyval_t));
if (*a == NULL) {
return NGX_CONF_ERROR;

84
src/event/ngx_event_openssl.c
View File

@ -1470,6 +1470,78 @@ ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
}
ngx_int_t
ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *commands)
{
if (commands == NULL) {
return NGX_OK;
}
#ifdef SSL_CONF_FLAG_FILE
{
int type;
u_char *key, *value;
ngx_uint_t i;
ngx_keyval_t *cmd;
SSL_CONF_CTX *cctx;
cctx = SSL_CONF_CTX_new();
if (cctx == NULL) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CONF_CTX_new() failed");
return NGX_ERROR;
}
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
SSL_CONF_CTX_set_ssl_ctx(cctx, ssl->ctx);
cmd = commands->elts;
for (i = 0; i < commands->nelts; i++) {
key = cmd[i].key.data;
type = SSL_CONF_cmd_value_type(cctx, (char *) key);
if (type == SSL_CONF_TYPE_FILE || type == SSL_CONF_TYPE_DIR) {
if (ngx_conf_full_name(cf->cycle, &cmd[i].value, 1) != NGX_OK) {
SSL_CONF_CTX_free(cctx);
return NGX_ERROR;
}
}
value = cmd[i].value.data;
if (SSL_CONF_cmd(cctx, (char *) key, (char *) value) <= 0) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CONF_cmd(\"%s\", \"%s\") failed", key, value);
SSL_CONF_CTX_free(cctx);
return NGX_ERROR;
}
}
if (SSL_CONF_CTX_finish(cctx) != 1) {
ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CONF_finish() failed");
SSL_CONF_CTX_free(cctx);
return NGX_ERROR;
}
SSL_CONF_CTX_free(cctx);
return NGX_OK;
}
#else
ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
"SSL_CONF_cmd() is not available on this platform");
return NGX_ERROR;
#endif
}
ngx_int_t
ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
{
@ -1721,6 +1793,13 @@ ngx_ssl_handshake(ngx_connection_t *c)
return NGX_ERROR;
}
if (c->ssl->handshake_rejected) {
ngx_connection_error(c, err, "handshake rejected");
ERR_clear_error();
return NGX_ERROR;
}
c->read->error = 1;
ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
@ -3289,8 +3368,9 @@ ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
}
}
if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL) {
if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL
&& certificates != NULL)
{
/*
* If certificates are loaded dynamically, we use certificate
* names as specified in the configuration (with variables).

5
src/event/ngx_event_openssl.h
View File

@ -102,6 +102,7 @@ struct ngx_ssl_connection_s {
u_char early_buf;
unsigned handshaked:1;
unsigned handshake_rejected:1;
unsigned renegotiation:1;
unsigned buffer:1;
unsigned no_wait_shutdown:1;
@ -210,6 +211,9 @@ ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_uint_t enable);
ngx_int_t ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *commands);
ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_uint_t enable);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
@ -218,6 +222,7 @@ ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *paths);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
ngx_uint_t flags);

42
src/http/modules/ngx_http_grpc_module.c
View File

@ -40,6 +40,7 @@ typedef struct {
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_grpc_loc_conf_t;
@ -208,6 +209,8 @@ static char *ngx_http_grpc_pass(ngx_conf_t *cf, ngx_command_t *cmd,
#if (NGX_HTTP_SSL)
static char *ngx_http_grpc_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
static char *ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_http_grpc_set_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *glcf);
#endif
@ -242,6 +245,9 @@ static ngx_conf_bitmask_t ngx_http_grpc_ssl_protocols[] = {
{ ngx_null_string, 0 }
};
static ngx_conf_post_t ngx_http_grpc_ssl_conf_command_post =
{ ngx_http_grpc_ssl_conf_command_check };
#endif
@ -438,6 +444,13 @@ static ngx_command_t ngx_http_grpc_commands[] = {
0,
NULL },
{ ngx_string("grpc_ssl_conf_command"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_grpc_loc_conf_t, ssl_conf_commands),
&ngx_http_grpc_ssl_conf_command_post },
#endif
ngx_null_command
@ -4324,7 +4337,6 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t *cf)
* conf->upstream.hide_headers_hash = { NULL, 0 };
* conf->upstream.ssl_name = NULL;
*
* conf->headers_source = NULL;
* conf->headers.lengths = NULL;
* conf->headers.values = NULL;
* conf->headers.hash = { NULL, 0 };
@ -4360,6 +4372,7 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t *cf)
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
/* the hardcoded values */
@ -4377,6 +4390,8 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t *cf)
conf->upstream.pass_trailers = 1;
conf->upstream.preserve_output = 1;
conf->headers_source = NGX_CONF_UNSET_PTR;
ngx_str_set(&conf->upstream.module, "grpc");
return conf;
@ -4468,6 +4483,9 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
if (conf->ssl && ngx_http_grpc_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@ -4507,9 +4525,10 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
clcf->handler = ngx_http_grpc_handler;
}
if (conf->headers_source == NULL) {
ngx_conf_merge_ptr_value(conf->headers_source, prev->headers_source, NULL);
if (conf->headers_source == prev->headers_source) {
conf->headers = prev->headers;
conf->headers_source = prev->headers_source;
conf->host_set = prev->host_set;
}
@ -4834,6 +4853,17 @@ ngx_http_grpc_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
}
static char *
ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifndef SSL_CONF_FLAG_FILE
return "is not supported on this platform";
#endif
return NGX_CONF_OK;
}
static ngx_int_t
ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
{
@ -4924,6 +4954,12 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
#endif
if (ngx_ssl_conf_commands(cf, glcf->upstream.ssl, glcf->ssl_conf_commands)
!= NGX_OK)
{
return NGX_ERROR;
}
return NGX_OK;
}

42
src/http/modules/ngx_http_limit_req_module.c
View File

@ -69,6 +69,8 @@ static ngx_int_t ngx_http_limit_req_lookup(ngx_http_limit_req_limit_t *limit,
ngx_uint_t hash, ngx_str_t *key, ngx_uint_t *ep, ngx_uint_t account);
static ngx_msec_t ngx_http_limit_req_account(ngx_http_limit_req_limit_t *limits,
ngx_uint_t n, ngx_uint_t *ep, ngx_http_limit_req_limit_t **limit);
static void ngx_http_limit_req_unlock(ngx_http_limit_req_limit_t *limits,
ngx_uint_t n);
static void ngx_http_limit_req_expire(ngx_http_limit_req_ctx_t *ctx,
ngx_uint_t n);
@ -223,6 +225,7 @@ ngx_http_limit_req_handler(ngx_http_request_t *r)
ctx = limit->shm_zone->data;
if (ngx_http_complex_value(r, &ctx->key, &key) != NGX_OK) {
ngx_http_limit_req_unlock(limits, n);
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
@ -270,21 +273,7 @@ ngx_http_limit_req_handler(ngx_http_request_t *r)
&limit->shm_zone->shm.name);
}
while (n--) {
ctx = limits[n].shm_zone->data;
if (ctx->node == NULL) {
continue;
}
ngx_shmtx_lock(&ctx->shpool->mutex);
ctx->node->count--;
ngx_shmtx_unlock(&ctx->shpool->mutex);
ctx->node = NULL;
}
ngx_http_limit_req_unlock(limits, n);
if (lrcf->dry_run) {
r->main->limit_req_status = NGX_HTTP_LIMIT_REQ_REJECTED_DRY_RUN;
@ -612,6 +601,29 @@ ngx_http_limit_req_account(ngx_http_limit_req_limit_t *limits, ngx_uint_t n,
}
static void
ngx_http_limit_req_unlock(ngx_http_limit_req_limit_t *limits, ngx_uint_t n)
{
ngx_http_limit_req_ctx_t *ctx;
while (n--) {
ctx = limits[n].shm_zone->data;
if (ctx->node == NULL) {
continue;
}
ngx_shmtx_lock(&ctx->shpool->mutex);
ctx->node->count--;
ngx_shmtx_unlock(&ctx->shpool->mutex);
ctx->node = NULL;
}
}
static void
ngx_http_limit_req_expire(ngx_http_limit_req_ctx_t *ctx, ngx_uint_t n)
{

44
src/http/modules/ngx_http_proxy_module.c
View File

@ -127,6 +127,7 @@ typedef struct {
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_proxy_loc_conf_t;
@ -229,6 +230,10 @@ static char *ngx_http_proxy_ssl_password_file(ngx_conf_t *cf,
#endif
static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
#if (NGX_HTTP_SSL)
static char *ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
#endif
static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
@ -274,6 +279,9 @@ static ngx_conf_bitmask_t ngx_http_proxy_ssl_protocols[] = {
{ ngx_null_string, 0 }
};
static ngx_conf_post_t ngx_http_proxy_ssl_conf_command_post =
{ ngx_http_proxy_ssl_conf_command_check };
#endif
@ -764,6 +772,13 @@ static ngx_command_t ngx_http_proxy_commands[] = {
0,
NULL },
{ ngx_string("proxy_ssl_conf_command"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_proxy_loc_conf_t, ssl_conf_commands),
&ngx_http_proxy_ssl_conf_command_post },
#endif
ngx_null_command
@ -3268,7 +3283,6 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
* conf->method = NULL;
* conf->location = NULL;
* conf->url = { 0, NULL };
* conf->headers_source = NULL;
* conf->headers.lengths = NULL;
* conf->headers.values = NULL;
* conf->headers.hash = { NULL, 0 };
@ -3341,11 +3355,14 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
/* "proxy_cyclic_temp_file" is disabled */
conf->upstream.cyclic_temp_file = 0;
conf->headers_source = NGX_CONF_UNSET_PTR;
conf->redirect = NGX_CONF_UNSET;
conf->upstream.change_buffering = 1;
@ -3686,6 +3703,9 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@ -3819,12 +3839,13 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
}
}
if (conf->headers_source == NULL) {
ngx_conf_merge_ptr_value(conf->headers_source, prev->headers_source, NULL);
if (conf->headers_source == prev->headers_source) {
conf->headers = prev->headers;
#if (NGX_HTTP_CACHE)
conf->headers_cache = prev->headers_cache;
#endif
conf->headers_source = prev->headers_source;
}
rc = ngx_http_proxy_init_headers(cf, conf, &conf->headers,
@ -4843,6 +4864,17 @@ ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data)
#if (NGX_HTTP_SSL)
static char *
ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifndef SSL_CONF_FLAG_FILE
return "is not supported on this platform";
#endif
return NGX_CONF_OK;
}
static ngx_int_t
ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
{
@ -4920,6 +4952,12 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
return NGX_ERROR;
}
if (ngx_ssl_conf_commands(cf, plcf->upstream.ssl, plcf->ssl_conf_commands)
!= NGX_OK)
{
return NGX_ERROR;
}
return NGX_OK;
}

125
src/http/modules/ngx_http_ssl_module.c
View File

@ -53,6 +53,9 @@ static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
@ -89,6 +92,10 @@ static ngx_conf_deprecated_t ngx_http_ssl_deprecated = {
};
static ngx_conf_post_t ngx_http_ssl_conf_command_post =
{ ngx_http_ssl_conf_command_check };
static ngx_command_t ngx_http_ssl_commands[] = {
{ ngx_string("ssl"),
@ -280,6 +287,20 @@ static ngx_command_t ngx_http_ssl_commands[] = {
offsetof(ngx_http_ssl_srv_conf_t, early_data),
NULL },
{ ngx_string("ssl_conf_command"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot,
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
&ngx_http_ssl_conf_command_post },
{ ngx_string("ssl_reject_handshake"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
NULL },
ngx_null_command
};
@ -614,12 +635,14 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
sscf->enable = NGX_CONF_UNSET;
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
sscf->early_data = NGX_CONF_UNSET;
sscf->reject_handshake = NGX_CONF_UNSET;
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
sscf->verify = NGX_CONF_UNSET_UINT;
sscf->verify_depth = NGX_CONF_UNSET_UINT;
sscf->certificates = NGX_CONF_UNSET_PTR;
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
sscf->conf_commands = NGX_CONF_UNSET_PTR;
sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET;
sscf->session_tickets = NGX_CONF_UNSET;
@ -659,6 +682,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
prev->prefer_server_ciphers, 0);
ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
@ -689,6 +713,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
@ -704,7 +730,27 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
if (conf->enable) {
if (conf->certificates == NULL) {
if (conf->certificates) {
if (conf->certificate_keys == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for "
"the \"ssl\" directive in %s:%ui",
conf->file, conf->line);
return NGX_CONF_ERROR;
}
if (conf->certificate_keys->nelts < conf->certificates->nelts) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
"for certificate \"%V\" and "
"the \"ssl\" directive in %s:%ui",
((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1,
conf->file, conf->line);
return NGX_CONF_ERROR;
}
} else if (!conf->reject_handshake) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"ssl\" directive in %s:%ui",
@ -712,30 +758,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
if (conf->certificate_keys == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined for "
"the \"ssl\" directive in %s:%ui",
conf->file, conf->line);
return NGX_CONF_ERROR;
}
if (conf->certificate_keys->nelts < conf->certificates->nelts) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate_key\" is defined "
"for certificate \"%V\" and "
"the \"ssl\" directive in %s:%ui",
((ngx_str_t *) conf->certificates->elts)
+ conf->certificates->nelts - 1,
conf->file, conf->line);
return NGX_CONF_ERROR;
}
} else {
if (conf->certificates == NULL) {
return NGX_CONF_OK;
}
} else if (conf->certificates) {
if (conf->certificate_keys == NULL
|| conf->certificate_keys->nelts < conf->certificates->nelts)
@ -747,6 +770,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+ conf->certificates->nelts - 1);
return NGX_CONF_ERROR;
}
} else if (!conf->reject_handshake) {
return NGX_CONF_OK;
}
if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
@ -805,7 +831,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
#endif
} else {
} else if (conf->certificates) {
/* configure certificates */
@ -927,6 +953,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
return NGX_CONF_ERROR;
}
return NGX_CONF_OK;
}
@ -940,6 +970,10 @@ ngx_http_ssl_compile_certificates(ngx_conf_t *cf,
ngx_http_complex_value_t *cv;
ngx_http_compile_complex_value_t ccv;
if (conf->certificates == NULL) {
return NGX_OK;
}
cert = conf->certificates->elts;
key = conf->certificate_keys->elts;
nelts = conf->certificates->nelts;
@ -1249,6 +1283,17 @@ invalid:
}
static char *
ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifndef SSL_CONF_FLAG_FILE
return "is not supported on this platform";
#endif
return NGX_CONF_OK;
}
static ngx_int_t
ngx_http_ssl_init(ngx_conf_t *cf)
{
@ -1320,7 +1365,33 @@ ngx_http_ssl_init(ngx_conf_t *cf)
cscf = addr[a].default_server;
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
if (sscf->certificates == NULL) {
if (sscf->certificates) {
continue;
}
if (!sscf->reject_handshake) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"listen ... ssl\" directive in %s:%ui",
cscf->file_name, cscf->line);
return NGX_ERROR;
}
/*
* if no certificates are defined in the default server,
* check all non-default server blocks
*/
cscfp = addr[a].servers.elts;
for (s = 0; s < addr[a].servers.nelts; s++) {
cscf = cscfp[s];
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
if (sscf->certificates || sscf->reject_handshake) {
continue;
}
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"listen ... %s\" directive in %s:%ui",

2
src/http/modules/ngx_http_ssl_module.h
View File

@ -21,6 +21,7 @@ typedef struct {
ngx_flag_t prefer_server_ciphers;
ngx_flag_t early_data;
ngx_flag_t reject_handshake;
ngx_uint_t protocols;
@ -48,6 +49,7 @@ typedef struct {
ngx_str_t ciphers;
ngx_array_t *passwords;
ngx_array_t *conf_commands;
ngx_shm_zone_t *shm_zone;

34
src/http/modules/ngx_http_uwsgi_module.c
View File

@ -57,6 +57,7 @@ typedef struct {
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_uwsgi_loc_conf_t;
@ -96,6 +97,8 @@ static char *ngx_http_uwsgi_cache_key(ngx_conf_t *cf, ngx_command_t *cmd,
#if (NGX_HTTP_SSL)
static char *ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
static char *ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf,
ngx_http_uwsgi_loc_conf_t *uwcf);
#endif
@ -134,6 +137,9 @@ static ngx_conf_bitmask_t ngx_http_uwsgi_ssl_protocols[] = {
{ ngx_null_string, 0 }
};
static ngx_conf_post_t ngx_http_uwsgi_ssl_conf_command_post =
{ ngx_http_uwsgi_ssl_conf_command_check };
#endif
@ -561,6 +567,13 @@ static ngx_command_t ngx_http_uwsgi_commands[] = {
0,
NULL },
{ ngx_string("uwsgi_ssl_conf_command"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_uwsgi_loc_conf_t, ssl_conf_commands),
&ngx_http_uwsgi_ssl_conf_command_post },
#endif
ngx_null_command
@ -1500,6 +1513,7 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_t *cf)
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
/* "uwsgi_cyclic_temp_file" is disabled */
@ -1830,6 +1844,9 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@ -2376,6 +2393,17 @@ ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
}
static char *
ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifndef SSL_CONF_FLAG_FILE
return "is not supported on this platform";
#endif
return NGX_CONF_OK;
}
static ngx_int_t
ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
{
@ -2453,6 +2481,12 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
return NGX_ERROR;
}
if (ngx_ssl_conf_commands(cf, uwcf->upstream.ssl, uwcf->ssl_conf_commands)
!= NGX_OK)
{
return NGX_ERROR;
}
return NGX_OK;
}

41
src/http/ngx_http_request.c
View File

@ -927,10 +927,14 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
hc = c->data;
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
return SSL_TLSEXT_ERR_OK;
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
"SSL server name: null");
goto done;
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@ -939,7 +943,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
host.len = ngx_strlen(servername);
if (host.len == 0) {
return SSL_TLSEXT_ERR_OK;
goto done;
}
host.data = (u_char *) servername;
@ -947,32 +951,27 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
rc = ngx_http_validate_host(&host, c->pool, 1);
if (rc == NGX_ERROR) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
goto error;
}
if (rc == NGX_DECLINED) {
return SSL_TLSEXT_ERR_OK;
goto done;
}
hc = c->data;
rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
NULL, &cscf);
if (rc == NGX_ERROR) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
goto error;
}
if (rc == NGX_DECLINED) {
return SSL_TLSEXT_ERR_OK;
goto done;
}
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
if (hc->ssl_servername == NULL) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
goto error;
}
*hc->ssl_servername = host;
@ -989,8 +988,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
if (sscf->ssl.ctx) {
if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
*ad = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
goto error;
}
/*
@ -1016,7 +1014,22 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
#endif
}
done:
sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
if (sscf->reject_handshake) {
c->ssl->handshake_rejected = 1;
*ad = SSL_AD_UNRECOGNIZED_NAME;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
return SSL_TLSEXT_ERR_OK;
error:
*ad = SSL_AD_INTERNAL_ERROR;
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
#endif

2
src/mail/ngx_mail.h
View File

@ -162,10 +162,12 @@ typedef enum {
ngx_smtp_auth_external,
ngx_smtp_helo,
ngx_smtp_helo_xclient,
ngx_smtp_helo_auth,
ngx_smtp_helo_from,
ngx_smtp_xclient,
ngx_smtp_xclient_from,
ngx_smtp_xclient_helo,
ngx_smtp_xclient_auth,
ngx_smtp_from,
ngx_smtp_to
} ngx_smtp_state_e;

89
src/mail/ngx_mail_proxy_module.c
View File

@ -16,6 +16,7 @@ typedef struct {
ngx_flag_t enable;
ngx_flag_t pass_error_message;
ngx_flag_t xclient;
ngx_flag_t smtp_auth;
size_t buffer_size;
ngx_msec_t timeout;
} ngx_mail_proxy_conf_t;
@ -74,6 +75,13 @@ static ngx_command_t ngx_mail_proxy_commands[] = {
offsetof(ngx_mail_proxy_conf_t, xclient),
NULL },
{ ngx_string("proxy_smtp_auth"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_MAIL_SRV_CONF_OFFSET,
offsetof(ngx_mail_proxy_conf_t, smtp_auth),
NULL },
ngx_null_command
};
@ -450,7 +458,7 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
{
u_char *p;
ngx_int_t rc;
ngx_str_t line;
ngx_str_t line, auth, encoded;
ngx_buf_t *b;
ngx_connection_t *c;
ngx_mail_session_t *s;
@ -513,6 +521,9 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
} else if (s->auth_method == NGX_MAIL_AUTH_NONE) {
s->mail_state = ngx_smtp_helo_from;
} else if (pcf->smtp_auth) {
s->mail_state = ngx_smtp_helo_auth;
} else {
s->mail_state = ngx_smtp_helo;
}
@ -552,7 +563,9 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
p = ngx_copy(p, s->connection->addr_text.data,
s->connection->addr_text.len);
if (s->login.len) {
pcf = ngx_mail_get_module_srv_conf(s, ngx_mail_proxy_module);
if (s->login.len && !pcf->smtp_auth) {
p = ngx_cpymem(p, " LOGIN=", sizeof(" LOGIN=") - 1);
p = ngx_copy(p, s->login.data, s->login.len);
}
@ -570,6 +583,9 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
} else if (s->auth_method == NGX_MAIL_AUTH_NONE) {
s->mail_state = ngx_smtp_xclient_from;
} else if (pcf->smtp_auth) {
s->mail_state = ngx_smtp_xclient_auth;
} else {
s->mail_state = ngx_smtp_xclient;
}
@ -595,8 +611,62 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
&s->smtp_helo)
- line.data;
s->mail_state = (s->auth_method == NGX_MAIL_AUTH_NONE) ?
ngx_smtp_helo_from : ngx_smtp_helo;
pcf = ngx_mail_get_module_srv_conf(s, ngx_mail_proxy_module);
if (s->auth_method == NGX_MAIL_AUTH_NONE) {
s->mail_state = ngx_smtp_helo_from;
} else if (pcf->smtp_auth) {
s->mail_state = ngx_smtp_helo_auth;
} else {
s->mail_state = ngx_smtp_helo;
}
break;
case ngx_smtp_helo_auth:
case ngx_smtp_xclient_auth:
ngx_log_debug0(NGX_LOG_DEBUG_MAIL, rev->log, 0,
"mail proxy send auth");
s->connection->log->action = "sending AUTH to upstream";
if (s->passwd.data == NULL) {
ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
"no password available");
ngx_mail_proxy_internal_server_error(s);
return;
}
auth.len = 1 + s->login.len + 1 + s->passwd.len;
auth.data = ngx_pnalloc(c->pool, auth.len);
if (auth.data == NULL) {
ngx_mail_proxy_internal_server_error(s);
return;
}
auth.len = ngx_sprintf(auth.data, "%Z%V%Z%V", &s->login, &s->passwd)
- auth.data;
line.len = sizeof("AUTH PLAIN " CRLF) - 1
+ ngx_base64_encoded_length(auth.len);
line.data = ngx_pnalloc(c->pool, line.len);
if (line.data == NULL) {
ngx_mail_proxy_internal_server_error(s);
return;
}
encoded.data = ngx_cpymem(line.data, "AUTH PLAIN ",
sizeof("AUTH PLAIN ") - 1);
ngx_encode_base64(&encoded, &auth);
p = encoded.data + encoded.len;
*p++ = CR; *p = LF;
s->mail_state = ngx_smtp_auth_plain;
break;
@ -643,6 +713,7 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
case ngx_smtp_helo:
case ngx_smtp_xclient:
case ngx_smtp_auth_plain:
case ngx_smtp_to:
b = s->proxy->buffer;
@ -824,6 +895,7 @@ ngx_mail_proxy_read_response(ngx_mail_session_t *s, ngx_uint_t state)
case ngx_smtp_helo:
case ngx_smtp_helo_xclient:
case ngx_smtp_helo_from:
case ngx_smtp_helo_auth:
case ngx_smtp_from:
if (p[0] == '2' && p[1] == '5' && p[2] == '0') {
return NGX_OK;
@ -833,11 +905,18 @@ ngx_mail_proxy_read_response(ngx_mail_session_t *s, ngx_uint_t state)
case ngx_smtp_xclient:
case ngx_smtp_xclient_from:
case ngx_smtp_xclient_helo:
case ngx_smtp_xclient_auth:
if (p[0] == '2' && (p[1] == '2' || p[1] == '5') && p[2] == '0') {
return NGX_OK;
}
break;
case ngx_smtp_auth_plain:
if (p[0] == '2' && p[1] == '3' && p[2] == '5') {
return NGX_OK;
}
break;
case ngx_smtp_to:
return NGX_OK;
}
@ -1102,6 +1181,7 @@ ngx_mail_proxy_create_conf(ngx_conf_t *cf)
pcf->enable = NGX_CONF_UNSET;
pcf->pass_error_message = NGX_CONF_UNSET;
pcf->xclient = NGX_CONF_UNSET;
pcf->smtp_auth = NGX_CONF_UNSET;
pcf->buffer_size = NGX_CONF_UNSET_SIZE;
pcf->timeout = NGX_CONF_UNSET_MSEC;
@ -1118,6 +1198,7 @@ ngx_mail_proxy_merge_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_value(conf->enable, prev->enable, 0);
ngx_conf_merge_value(conf->pass_error_message, prev->pass_error_message, 0);
ngx_conf_merge_value(conf->xclient, prev->xclient, 1);
ngx_conf_merge_value(conf->smtp_auth, prev->smtp_auth, 0);
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
(size_t) ngx_pagesize);
ngx_conf_merge_msec_value(conf->timeout, prev->timeout, 24 * 60 * 60000);

32
src/mail/ngx_mail_ssl_module.c
View File

@ -26,6 +26,9 @@ static char *ngx_mail_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_conf_enum_t ngx_mail_starttls_state[] = {
{ ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
@ -61,6 +64,10 @@ static ngx_conf_deprecated_t ngx_mail_ssl_deprecated = {
};
static ngx_conf_post_t ngx_mail_ssl_conf_command_post =
{ ngx_mail_ssl_conf_command_check };
static ngx_command_t ngx_mail_ssl_commands[] = {
{ ngx_string("ssl"),
@ -196,6 +203,13 @@ static ngx_command_t ngx_mail_ssl_commands[] = {
offsetof(ngx_mail_ssl_conf_t, crl),
NULL },
{ ngx_string("ssl_conf_command"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot,
NGX_MAIL_SRV_CONF_OFFSET,
offsetof(ngx_mail_ssl_conf_t, conf_commands),
&ngx_mail_ssl_conf_command_post },
ngx_null_command
};
@ -259,6 +273,7 @@ ngx_mail_ssl_create_conf(ngx_conf_t *cf)
scf->certificates = NGX_CONF_UNSET_PTR;
scf->certificate_keys = NGX_CONF_UNSET_PTR;
scf->passwords = NGX_CONF_UNSET_PTR;
scf->conf_commands = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->verify = NGX_CONF_UNSET_UINT;
scf->verify_depth = NGX_CONF_UNSET_UINT;
@ -316,6 +331,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
conf->ssl.log = cf->log;
@ -461,6 +478,10 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
return NGX_CONF_ERROR;
}
return NGX_CONF_OK;
}
@ -654,3 +675,14 @@ invalid:
return NGX_CONF_ERROR;
}
static char *
ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifndef SSL_CONF_FLAG_FILE
return "is not supported on this platform";
#endif
return NGX_CONF_OK;
}

1
src/mail/ngx_mail_ssl_module.h
View File

@ -48,6 +48,7 @@ typedef struct {
ngx_str_t ciphers;
ngx_array_t *passwords;
ngx_array_t *conf_commands;
ngx_shm_zone_t *shm_zone;

2
src/misc/ngx_cpp_test_module.cpp
View File

@ -14,6 +14,8 @@ extern "C" {
#include <ngx_mail_pop3_module.h>
#include <ngx_mail_imap_module.h>
#include <ngx_mail_smtp_module.h>
#include <ngx_stream.h>
}
// nginx header files should go before other, because they define 64-bit off_t

34
src/stream/ngx_stream_proxy_module.c
View File

@ -49,6 +49,7 @@ typedef struct {
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
ngx_ssl_t *ssl;
#endif
@ -94,6 +95,8 @@ static char *ngx_stream_proxy_bind(ngx_conf_t *cf, ngx_command_t *cmd,
static ngx_int_t ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s);
static char *ngx_stream_proxy_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
static char *ngx_stream_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
@ -112,6 +115,9 @@ static ngx_conf_bitmask_t ngx_stream_proxy_ssl_protocols[] = {
{ ngx_null_string, 0 }
};
static ngx_conf_post_t ngx_stream_proxy_ssl_conf_command_post =
{ ngx_stream_proxy_ssl_conf_command_check };
#endif
@ -331,6 +337,13 @@ static ngx_command_t ngx_stream_proxy_commands[] = {
0,
NULL },
{ ngx_string("proxy_ssl_conf_command"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_proxy_srv_conf_t, ssl_conf_commands),
&ngx_stream_proxy_ssl_conf_command_post },
#endif
ngx_null_command
@ -1008,6 +1021,17 @@ ngx_stream_proxy_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
}
static char *
ngx_stream_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifndef SSL_CONF_FLAG_FILE
return "is not supported on this platform";
#endif
return NGX_CONF_OK;
}
static void
ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
{
@ -1985,6 +2009,7 @@ ngx_stream_proxy_create_srv_conf(ngx_conf_t *cf)
conf->ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
return conf;
@ -2072,6 +2097,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
if (conf->ssl_enable && ngx_stream_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@ -2156,6 +2184,12 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
return NGX_ERROR;
}
if (ngx_ssl_conf_commands(cf, pscf->ssl, pscf->ssl_conf_commands)
!= NGX_OK)
{
return NGX_ERROR;
}
return NGX_OK;
}

33
src/stream/ngx_stream_ssl_module.c
View File

@ -45,6 +45,10 @@ static char *ngx_stream_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);
@ -68,6 +72,10 @@ static ngx_conf_enum_t ngx_stream_ssl_verify[] = {
};
static ngx_conf_post_t ngx_stream_ssl_conf_command_post =
{ ngx_stream_ssl_conf_command_check };
static ngx_command_t ngx_stream_ssl_commands[] = {
{ ngx_string("ssl_handshake_timeout"),
@ -196,6 +204,13 @@ static ngx_command_t ngx_stream_ssl_commands[] = {
offsetof(ngx_stream_ssl_conf_t, crl),
NULL },
{ ngx_string("ssl_conf_command"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_conf_t, conf_commands),
&ngx_stream_ssl_conf_command_post },
ngx_null_command
};
@ -595,6 +610,7 @@ ngx_stream_ssl_create_conf(ngx_conf_t *cf)
scf->certificates = NGX_CONF_UNSET_PTR;
scf->certificate_keys = NGX_CONF_UNSET_PTR;
scf->passwords = NGX_CONF_UNSET_PTR;
scf->conf_commands = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->verify = NGX_CONF_UNSET_UINT;
scf->verify_depth = NGX_CONF_UNSET_UINT;
@ -650,6 +666,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
conf->ssl.log = cf->log;
@ -811,6 +829,10 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR;
}
if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
return NGX_CONF_ERROR;
}
return NGX_CONF_OK;
}
@ -1034,6 +1056,17 @@ invalid:
}
static char *
ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
{
#ifndef SSL_CONF_FLAG_FILE
return "is not supported on this platform";
#endif
return NGX_CONF_OK;
}
static ngx_int_t
ngx_stream_ssl_init(ngx_conf_t *cf)
{

1
src/stream/ngx_stream_ssl_module.h
View File

@ -46,6 +46,7 @@ typedef struct {
ngx_str_t ciphers;
ngx_array_t *passwords;
ngx_array_t *conf_commands;
ngx_shm_zone_t *shm_zone;