mirror of
https://github.com/nginx/nginx.git
synced 2024-11-27 15:39:01 +08:00
Stream: virtual servers.
Server name is taken either from ngx_stream_ssl_module or ngx_stream_ssl_preread_module. The change adds "default_server" parameter to the "listen" directive, as well as the following directives: "server_names_hash_max_size", "server_names_hash_bucket_size", "server_name" and "ssl_reject_handshake".
This commit is contained in:
Roman Arutyunyan
parent
72e5d6ac19
commit
d21675228a
File diff suppressed because it is too large
Load Diff
@ -45,9 +45,8 @@ typedef struct {
|
||||
socklen_t socklen;
|
||||
ngx_str_t addr_text;
|
||||
|
||||
/* server ctx */
|
||||
ngx_stream_conf_ctx_t *ctx;
|
||||
|
||||
unsigned set:1;
|
||||
unsigned default_server:1;
|
||||
unsigned bind:1;
|
||||
unsigned wildcard:1;
|
||||
unsigned ssl:1;
|
||||
@ -69,50 +68,7 @@ typedef struct {
|
||||
int fastopen;
|
||||
#endif
|
||||
int type;
|
||||
} ngx_stream_listen_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
ngx_stream_conf_ctx_t *ctx;
|
||||
ngx_str_t addr_text;
|
||||
unsigned ssl:1;
|
||||
unsigned proxy_protocol:1;
|
||||
} ngx_stream_addr_conf_t;
|
||||
|
||||
typedef struct {
|
||||
in_addr_t addr;
|
||||
ngx_stream_addr_conf_t conf;
|
||||
} ngx_stream_in_addr_t;
|
||||
|
||||
|
||||
#if (NGX_HAVE_INET6)
|
||||
|
||||
typedef struct {
|
||||
struct in6_addr addr6;
|
||||
ngx_stream_addr_conf_t conf;
|
||||
} ngx_stream_in6_addr_t;
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
typedef struct {
|
||||
/* ngx_stream_in_addr_t or ngx_stream_in6_addr_t */
|
||||
void *addrs;
|
||||
ngx_uint_t naddrs;
|
||||
} ngx_stream_port_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
int family;
|
||||
int type;
|
||||
in_port_t port;
|
||||
ngx_array_t addrs; /* array of ngx_stream_conf_addr_t */
|
||||
} ngx_stream_conf_port_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
ngx_stream_listen_t opt;
|
||||
} ngx_stream_conf_addr_t;
|
||||
} ngx_stream_listen_opt_t;
|
||||
|
||||
|
||||
typedef enum {
|
||||
@ -153,7 +109,6 @@ typedef struct {
|
||||
|
||||
typedef struct {
|
||||
ngx_array_t servers; /* ngx_stream_core_srv_conf_t */
|
||||
ngx_array_t listen; /* ngx_stream_listen_t */
|
||||
|
||||
ngx_stream_phase_engine_t phase_engine;
|
||||
|
||||
@ -163,16 +118,24 @@ typedef struct {
|
||||
ngx_array_t prefix_variables; /* ngx_stream_variable_t */
|
||||
ngx_uint_t ncaptures;
|
||||
|
||||
ngx_uint_t server_names_hash_max_size;
|
||||
ngx_uint_t server_names_hash_bucket_size;
|
||||
|
||||
ngx_uint_t variables_hash_max_size;
|
||||
ngx_uint_t variables_hash_bucket_size;
|
||||
|
||||
ngx_hash_keys_arrays_t *variables_keys;
|
||||
|
||||
ngx_array_t *ports;
|
||||
|
||||
ngx_stream_phase_t phases[NGX_STREAM_LOG_PHASE + 1];
|
||||
} ngx_stream_core_main_conf_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
/* array of the ngx_stream_server_name_t, "server_name" directive */
|
||||
ngx_array_t server_names;
|
||||
|
||||
ngx_stream_content_handler_pt handler;
|
||||
|
||||
ngx_stream_conf_ctx_t *ctx;
|
||||
@ -180,6 +143,8 @@ typedef struct {
|
||||
u_char *file_name;
|
||||
ngx_uint_t line;
|
||||
|
||||
ngx_str_t server_name;
|
||||
|
||||
ngx_flag_t tcp_nodelay;
|
||||
size_t preread_buffer_size;
|
||||
ngx_msec_t preread_timeout;
|
||||
@ -191,10 +156,98 @@ typedef struct {
|
||||
|
||||
ngx_msec_t proxy_protocol_timeout;
|
||||
|
||||
ngx_uint_t listen; /* unsigned listen:1; */
|
||||
unsigned listen:1;
|
||||
#if (NGX_PCRE)
|
||||
unsigned captures:1;
|
||||
#endif
|
||||
} ngx_stream_core_srv_conf_t;
|
||||
|
||||
|
||||
/* list of structures to find core_srv_conf quickly at run time */
|
||||
|
||||
|
||||
typedef struct {
|
||||
#if (NGX_PCRE)
|
||||
ngx_stream_regex_t *regex;
|
||||
#endif
|
||||
ngx_stream_core_srv_conf_t *server; /* virtual name server conf */
|
||||
ngx_str_t name;
|
||||
} ngx_stream_server_name_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
ngx_hash_combined_t names;
|
||||
|
||||
ngx_uint_t nregex;
|
||||
ngx_stream_server_name_t *regex;
|
||||
} ngx_stream_virtual_names_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
/* the default server configuration for this address:port */
|
||||
ngx_stream_core_srv_conf_t *default_server;
|
||||
|
||||
ngx_stream_virtual_names_t *virtual_names;
|
||||
|
||||
unsigned ssl:1;
|
||||
unsigned proxy_protocol:1;
|
||||
} ngx_stream_addr_conf_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
in_addr_t addr;
|
||||
ngx_stream_addr_conf_t conf;
|
||||
} ngx_stream_in_addr_t;
|
||||
|
||||
|
||||
#if (NGX_HAVE_INET6)
|
||||
|
||||
typedef struct {
|
||||
struct in6_addr addr6;
|
||||
ngx_stream_addr_conf_t conf;
|
||||
} ngx_stream_in6_addr_t;
|
||||
|
||||
#endif
|
||||
|
||||
|
||||
typedef struct {
|
||||
/* ngx_stream_in_addr_t or ngx_stream_in6_addr_t */
|
||||
void *addrs;
|
||||
ngx_uint_t naddrs;
|
||||
} ngx_stream_port_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
int family;
|
||||
int type;
|
||||
in_port_t port;
|
||||
ngx_array_t addrs; /* array of ngx_stream_conf_addr_t */
|
||||
} ngx_stream_conf_port_t;
|
||||
|
||||
|
||||
typedef struct {
|
||||
ngx_stream_listen_opt_t opt;
|
||||
|
||||
unsigned protocols:3;
|
||||
unsigned protocols_set:1;
|
||||
unsigned protocols_changed:1;
|
||||
|
||||
ngx_hash_t hash;
|
||||
ngx_hash_wildcard_t *wc_head;
|
||||
ngx_hash_wildcard_t *wc_tail;
|
||||
|
||||
#if (NGX_PCRE)
|
||||
ngx_uint_t nregex;
|
||||
ngx_stream_server_name_t *regex;
|
||||
#endif
|
||||
|
||||
/* the default server configuration for this address:port */
|
||||
ngx_stream_core_srv_conf_t *default_server;
|
||||
ngx_array_t servers;
|
||||
/* array of ngx_stream_core_srv_conf_t */
|
||||
} ngx_stream_conf_addr_t;
|
||||
|
||||
|
||||
struct ngx_stream_session_s {
|
||||
uint32_t signature; /* "STRM" */
|
||||
|
||||
@ -210,6 +263,8 @@ struct ngx_stream_session_s {
|
||||
void **main_conf;
|
||||
void **srv_conf;
|
||||
|
||||
ngx_stream_virtual_names_t *virtual_names;
|
||||
|
||||
ngx_stream_upstream_t *upstream;
|
||||
ngx_array_t *upstream_states;
|
||||
/* of ngx_stream_upstream_state_t */
|
||||
@ -283,6 +338,9 @@ typedef struct {
|
||||
#define NGX_STREAM_WRITE_BUFFERED 0x10
|
||||
|
||||
|
||||
ngx_int_t ngx_stream_add_listen(ngx_conf_t *cf,
|
||||
ngx_stream_core_srv_conf_t *cscf, ngx_stream_listen_opt_t *lsopt);
|
||||
|
||||
void ngx_stream_core_run_phases(ngx_stream_session_t *s);
|
||||
ngx_int_t ngx_stream_core_generic_phase(ngx_stream_session_t *s,
|
||||
ngx_stream_phase_handler_t *ph);
|
||||
@ -291,6 +349,10 @@ ngx_int_t ngx_stream_core_preread_phase(ngx_stream_session_t *s,
|
||||
ngx_int_t ngx_stream_core_content_phase(ngx_stream_session_t *s,
|
||||
ngx_stream_phase_handler_t *ph);
|
||||
|
||||
ngx_int_t ngx_stream_validate_host(ngx_str_t *host, ngx_pool_t *pool,
|
||||
ngx_uint_t alloc);
|
||||
ngx_int_t ngx_stream_find_virtual_server(ngx_stream_session_t *s,
|
||||
ngx_str_t *host, ngx_stream_core_srv_conf_t **cscfp);
|
||||
|
||||
void ngx_stream_init_connection(ngx_connection_t *c);
|
||||
void ngx_stream_session_handler(ngx_event_t *rev);
|
||||
|
||||
@ -27,6 +27,8 @@ static char *ngx_stream_core_server(ngx_conf_t *cf, ngx_command_t *cmd,
|
||||
void *conf);
|
||||
static char *ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd,
|
||||
void *conf);
|
||||
static char *ngx_stream_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd,
|
||||
void *conf);
|
||||
static char *ngx_stream_core_resolver(ngx_conf_t *cf, ngx_command_t *cmd,
|
||||
void *conf);
|
||||
|
||||
@ -47,6 +49,20 @@ static ngx_command_t ngx_stream_core_commands[] = {
|
||||
offsetof(ngx_stream_core_main_conf_t, variables_hash_bucket_size),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("server_names_hash_max_size"),
|
||||
NGX_STREAM_MAIN_CONF|NGX_CONF_TAKE1,
|
||||
ngx_conf_set_num_slot,
|
||||
NGX_STREAM_MAIN_CONF_OFFSET,
|
||||
offsetof(ngx_stream_core_main_conf_t, server_names_hash_max_size),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("server_names_hash_bucket_size"),
|
||||
NGX_STREAM_MAIN_CONF|NGX_CONF_TAKE1,
|
||||
ngx_conf_set_num_slot,
|
||||
NGX_STREAM_MAIN_CONF_OFFSET,
|
||||
offsetof(ngx_stream_core_main_conf_t, server_names_hash_bucket_size),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("server"),
|
||||
NGX_STREAM_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
|
||||
ngx_stream_core_server,
|
||||
@ -61,6 +77,13 @@ static ngx_command_t ngx_stream_core_commands[] = {
|
||||
0,
|
||||
NULL },
|
||||
|
||||
{ ngx_string("server_name"),
|
||||
NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
|
||||
ngx_stream_core_server_name,
|
||||
NGX_STREAM_SRV_CONF_OFFSET,
|
||||
0,
|
||||
NULL },
|
||||
|
||||
{ ngx_string("error_log"),
|
||||
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
|
||||
ngx_stream_core_error_log,
|
||||
@ -441,6 +464,149 @@ ngx_stream_core_content_phase(ngx_stream_session_t *s,
|
||||
}
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_stream_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
|
||||
{
|
||||
u_char *h, ch;
|
||||
size_t i, dot_pos, host_len;
|
||||
|
||||
enum {
|
||||
sw_usual = 0,
|
||||
sw_literal,
|
||||
sw_rest
|
||||
} state;
|
||||
|
||||
dot_pos = host->len;
|
||||
host_len = host->len;
|
||||
|
||||
h = host->data;
|
||||
|
||||
state = sw_usual;
|
||||
|
||||
for (i = 0; i < host->len; i++) {
|
||||
ch = h[i];
|
||||
|
||||
switch (ch) {
|
||||
|
||||
case '.':
|
||||
if (dot_pos == i - 1) {
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
dot_pos = i;
|
||||
break;
|
||||
|
||||
case ':':
|
||||
if (state == sw_usual) {
|
||||
host_len = i;
|
||||
state = sw_rest;
|
||||
}
|
||||
break;
|
||||
|
||||
case '[':
|
||||
if (i == 0) {
|
||||
state = sw_literal;
|
||||
}
|
||||
break;
|
||||
|
||||
case ']':
|
||||
if (state == sw_literal) {
|
||||
host_len = i + 1;
|
||||
state = sw_rest;
|
||||
}
|
||||
break;
|
||||
|
||||
default:
|
||||
|
||||
if (ngx_path_separator(ch)) {
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
if (ch <= 0x20 || ch == 0x7f) {
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
if (ch >= 'A' && ch <= 'Z') {
|
||||
alloc = 1;
|
||||
}
|
||||
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
if (dot_pos == host_len - 1) {
|
||||
host_len--;
|
||||
}
|
||||
|
||||
if (host_len == 0) {
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
if (alloc) {
|
||||
host->data = ngx_pnalloc(pool, host_len);
|
||||
if (host->data == NULL) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
ngx_strlow(host->data, h, host_len);
|
||||
}
|
||||
|
||||
host->len = host_len;
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
ngx_int_t
|
||||
ngx_stream_find_virtual_server(ngx_stream_session_t *s,
|
||||
ngx_str_t *host, ngx_stream_core_srv_conf_t **cscfp)
|
||||
{
|
||||
ngx_stream_core_srv_conf_t *cscf;
|
||||
|
||||
if (s->virtual_names == NULL) {
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
cscf = ngx_hash_find_combined(&s->virtual_names->names,
|
||||
ngx_hash_key(host->data, host->len),
|
||||
host->data, host->len);
|
||||
|
||||
if (cscf) {
|
||||
*cscfp = cscf;
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
#if (NGX_PCRE)
|
||||
|
||||
if (host->len && s->virtual_names->nregex) {
|
||||
ngx_int_t n;
|
||||
ngx_uint_t i;
|
||||
ngx_stream_server_name_t *sn;
|
||||
|
||||
sn = s->virtual_names->regex;
|
||||
|
||||
for (i = 0; i < s->virtual_names->nregex; i++) {
|
||||
|
||||
n = ngx_stream_regex_exec(s, sn[i].regex, host);
|
||||
|
||||
if (n == NGX_DECLINED) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (n == NGX_OK) {
|
||||
*cscfp = sn[i].server;
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
return NGX_ERROR;
|
||||
}
|
||||
}
|
||||
|
||||
#endif /* NGX_PCRE */
|
||||
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_stream_core_preconfiguration(ngx_conf_t *cf)
|
||||
{
|
||||
@ -465,11 +631,8 @@ ngx_stream_core_create_main_conf(ngx_conf_t *cf)
|
||||
return NULL;
|
||||
}
|
||||
|
||||
if (ngx_array_init(&cmcf->listen, cf->pool, 4, sizeof(ngx_stream_listen_t))
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
cmcf->server_names_hash_max_size = NGX_CONF_UNSET_UINT;
|
||||
cmcf->server_names_hash_bucket_size = NGX_CONF_UNSET_UINT;
|
||||
|
||||
cmcf->variables_hash_max_size = NGX_CONF_UNSET_UINT;
|
||||
cmcf->variables_hash_bucket_size = NGX_CONF_UNSET_UINT;
|
||||
@ -483,6 +646,14 @@ ngx_stream_core_init_main_conf(ngx_conf_t *cf, void *conf)
|
||||
{
|
||||
ngx_stream_core_main_conf_t *cmcf = conf;
|
||||
|
||||
ngx_conf_init_uint_value(cmcf->server_names_hash_max_size, 512);
|
||||
ngx_conf_init_uint_value(cmcf->server_names_hash_bucket_size,
|
||||
ngx_cacheline_size);
|
||||
|
||||
cmcf->server_names_hash_bucket_size =
|
||||
ngx_align(cmcf->server_names_hash_bucket_size, ngx_cacheline_size);
|
||||
|
||||
|
||||
ngx_conf_init_uint_value(cmcf->variables_hash_max_size, 1024);
|
||||
ngx_conf_init_uint_value(cmcf->variables_hash_bucket_size, 64);
|
||||
|
||||
@ -514,6 +685,13 @@ ngx_stream_core_create_srv_conf(ngx_conf_t *cf)
|
||||
* cscf->error_log = NULL;
|
||||
*/
|
||||
|
||||
if (ngx_array_init(&cscf->server_names, cf->temp_pool, 4,
|
||||
sizeof(ngx_stream_server_name_t))
|
||||
!= NGX_OK)
|
||||
{
|
||||
return NULL;
|
||||
}
|
||||
|
||||
cscf->file_name = cf->conf_file->file.name.data;
|
||||
cscf->line = cf->conf_file->line;
|
||||
cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
|
||||
@ -532,6 +710,9 @@ ngx_stream_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
ngx_stream_core_srv_conf_t *prev = parent;
|
||||
ngx_stream_core_srv_conf_t *conf = child;
|
||||
|
||||
ngx_str_t name;
|
||||
ngx_stream_server_name_t *sn;
|
||||
|
||||
ngx_conf_merge_msec_value(conf->resolver_timeout,
|
||||
prev->resolver_timeout, 30000);
|
||||
|
||||
@ -579,6 +760,37 @@ ngx_stream_core_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
ngx_conf_merge_msec_value(conf->preread_timeout,
|
||||
prev->preread_timeout, 30000);
|
||||
|
||||
if (conf->server_names.nelts == 0) {
|
||||
/* the array has 4 empty preallocated elements, so push cannot fail */
|
||||
sn = ngx_array_push(&conf->server_names);
|
||||
#if (NGX_PCRE)
|
||||
sn->regex = NULL;
|
||||
#endif
|
||||
sn->server = conf;
|
||||
ngx_str_set(&sn->name, "");
|
||||
}
|
||||
|
||||
sn = conf->server_names.elts;
|
||||
name = sn[0].name;
|
||||
|
||||
#if (NGX_PCRE)
|
||||
if (sn->regex) {
|
||||
name.len++;
|
||||
name.data--;
|
||||
} else
|
||||
#endif
|
||||
|
||||
if (name.data[0] == '.') {
|
||||
name.len--;
|
||||
name.data++;
|
||||
}
|
||||
|
||||
conf->server_name.len = name.len;
|
||||
conf->server_name.data = ngx_pstrdup(cf->pool, &name);
|
||||
if (conf->server_name.data == NULL) {
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
return NGX_CONF_OK;
|
||||
}
|
||||
|
||||
@ -678,11 +890,10 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
{
|
||||
ngx_stream_core_srv_conf_t *cscf = conf;
|
||||
|
||||
ngx_str_t *value, size;
|
||||
ngx_url_t u;
|
||||
ngx_uint_t i, n, backlog;
|
||||
ngx_stream_listen_t *ls, *als, *nls;
|
||||
ngx_stream_core_main_conf_t *cmcf;
|
||||
ngx_str_t *value, size;
|
||||
ngx_url_t u;
|
||||
ngx_uint_t n, i, backlog;
|
||||
ngx_stream_listen_opt_t lsopt;
|
||||
|
||||
cscf->listen = 1;
|
||||
|
||||
@ -703,51 +914,48 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
|
||||
|
||||
ls = ngx_array_push(&cmcf->listen);
|
||||
if (ls == NULL) {
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
ngx_memzero(ls, sizeof(ngx_stream_listen_t));
|
||||
|
||||
ls->backlog = NGX_LISTEN_BACKLOG;
|
||||
ls->rcvbuf = -1;
|
||||
ls->sndbuf = -1;
|
||||
ls->type = SOCK_STREAM;
|
||||
ls->ctx = cf->ctx;
|
||||
ngx_memzero(&lsopt, sizeof(ngx_stream_listen_opt_t));
|
||||
|
||||
lsopt.backlog = NGX_LISTEN_BACKLOG;
|
||||
lsopt.type = SOCK_STREAM;
|
||||
lsopt.rcvbuf = -1;
|
||||
lsopt.sndbuf = -1;
|
||||
#if (NGX_HAVE_TCP_FASTOPEN)
|
||||
ls->fastopen = -1;
|
||||
lsopt.fastopen = -1;
|
||||
#endif
|
||||
|
||||
#if (NGX_HAVE_INET6)
|
||||
ls->ipv6only = 1;
|
||||
lsopt.ipv6only = 1;
|
||||
#endif
|
||||
|
||||
backlog = 0;
|
||||
|
||||
for (i = 2; i < cf->args->nelts; i++) {
|
||||
|
||||
if (ngx_strcmp(value[i].data, "default_server") == 0) {
|
||||
lsopt.default_server = 1;
|
||||
continue;
|
||||
}
|
||||
|
||||
#if !(NGX_WIN32)
|
||||
if (ngx_strcmp(value[i].data, "udp") == 0) {
|
||||
ls->type = SOCK_DGRAM;
|
||||
lsopt.type = SOCK_DGRAM;
|
||||
continue;
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ngx_strcmp(value[i].data, "bind") == 0) {
|
||||
ls->bind = 1;
|
||||
lsopt.set = 1;
|
||||
lsopt.bind = 1;
|
||||
continue;
|
||||
}
|
||||
|
||||
#if (NGX_HAVE_TCP_FASTOPEN)
|
||||
if (ngx_strncmp(value[i].data, "fastopen=", 9) == 0) {
|
||||
ls->fastopen = ngx_atoi(value[i].data + 9, value[i].len - 9);
|
||||
ls->bind = 1;
|
||||
lsopt.fastopen = ngx_atoi(value[i].data + 9, value[i].len - 9);
|
||||
lsopt.set = 1;
|
||||
lsopt.bind = 1;
|
||||
|
||||
if (ls->fastopen == NGX_ERROR) {
|
||||
if (lsopt.fastopen == NGX_ERROR) {
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"invalid fastopen \"%V\"", &value[i]);
|
||||
return NGX_CONF_ERROR;
|
||||
@ -758,10 +966,11 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
#endif
|
||||
|
||||
if (ngx_strncmp(value[i].data, "backlog=", 8) == 0) {
|
||||
ls->backlog = ngx_atoi(value[i].data + 8, value[i].len - 8);
|
||||
ls->bind = 1;
|
||||
lsopt.backlog = ngx_atoi(value[i].data + 8, value[i].len - 8);
|
||||
lsopt.set = 1;
|
||||
lsopt.bind = 1;
|
||||
|
||||
if (ls->backlog == NGX_ERROR || ls->backlog == 0) {
|
||||
if (lsopt.backlog == NGX_ERROR || lsopt.backlog == 0) {
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"invalid backlog \"%V\"", &value[i]);
|
||||
return NGX_CONF_ERROR;
|
||||
@ -776,10 +985,11 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
size.len = value[i].len - 7;
|
||||
size.data = value[i].data + 7;
|
||||
|
||||
ls->rcvbuf = ngx_parse_size(&size);
|
||||
ls->bind = 1;
|
||||
lsopt.rcvbuf = ngx_parse_size(&size);
|
||||
lsopt.set = 1;
|
||||
lsopt.bind = 1;
|
||||
|
||||
if (ls->rcvbuf == NGX_ERROR) {
|
||||
if (lsopt.rcvbuf == NGX_ERROR) {
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"invalid rcvbuf \"%V\"", &value[i]);
|
||||
return NGX_CONF_ERROR;
|
||||
@ -792,10 +1002,11 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
size.len = value[i].len - 7;
|
||||
size.data = value[i].data + 7;
|
||||
|
||||
ls->sndbuf = ngx_parse_size(&size);
|
||||
ls->bind = 1;
|
||||
lsopt.sndbuf = ngx_parse_size(&size);
|
||||
lsopt.set = 1;
|
||||
lsopt.bind = 1;
|
||||
|
||||
if (ls->sndbuf == NGX_ERROR) {
|
||||
if (lsopt.sndbuf == NGX_ERROR) {
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"invalid sndbuf \"%V\"", &value[i]);
|
||||
return NGX_CONF_ERROR;
|
||||
@ -807,10 +1018,10 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
if (ngx_strncmp(value[i].data, "ipv6only=o", 10) == 0) {
|
||||
#if (NGX_HAVE_INET6 && defined IPV6_V6ONLY)
|
||||
if (ngx_strcmp(&value[i].data[10], "n") == 0) {
|
||||
ls->ipv6only = 1;
|
||||
lsopt.ipv6only = 1;
|
||||
|
||||
} else if (ngx_strcmp(&value[i].data[10], "ff") == 0) {
|
||||
ls->ipv6only = 0;
|
||||
lsopt.ipv6only = 0;
|
||||
|
||||
} else {
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
@ -819,7 +1030,9 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
ls->bind = 1;
|
||||
lsopt.set = 1;
|
||||
lsopt.bind = 1;
|
||||
|
||||
continue;
|
||||
#else
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
@ -831,8 +1044,9 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
|
||||
if (ngx_strcmp(value[i].data, "reuseport") == 0) {
|
||||
#if (NGX_HAVE_REUSEPORT)
|
||||
ls->reuseport = 1;
|
||||
ls->bind = 1;
|
||||
lsopt.reuseport = 1;
|
||||
lsopt.set = 1;
|
||||
lsopt.bind = 1;
|
||||
#else
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"reuseport is not supported "
|
||||
@ -843,17 +1057,7 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
|
||||
if (ngx_strcmp(value[i].data, "ssl") == 0) {
|
||||
#if (NGX_STREAM_SSL)
|
||||
ngx_stream_ssl_conf_t *sslcf;
|
||||
|
||||
sslcf = ngx_stream_conf_get_module_srv_conf(cf,
|
||||
ngx_stream_ssl_module);
|
||||
|
||||
sslcf->listen = 1;
|
||||
sslcf->file = cf->conf_file->file.name.data;
|
||||
sslcf->line = cf->conf_file->line;
|
||||
|
||||
ls->ssl = 1;
|
||||
|
||||
lsopt.ssl = 1;
|
||||
continue;
|
||||
#else
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
@ -866,10 +1070,10 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
if (ngx_strncmp(value[i].data, "so_keepalive=", 13) == 0) {
|
||||
|
||||
if (ngx_strcmp(&value[i].data[13], "on") == 0) {
|
||||
ls->so_keepalive = 1;
|
||||
lsopt.so_keepalive = 1;
|
||||
|
||||
} else if (ngx_strcmp(&value[i].data[13], "off") == 0) {
|
||||
ls->so_keepalive = 2;
|
||||
lsopt.so_keepalive = 2;
|
||||
|
||||
} else {
|
||||
|
||||
@ -888,8 +1092,8 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
if (p > s.data) {
|
||||
s.len = p - s.data;
|
||||
|
||||
ls->tcp_keepidle = ngx_parse_time(&s, 1);
|
||||
if (ls->tcp_keepidle == (time_t) NGX_ERROR) {
|
||||
lsopt.tcp_keepidle = ngx_parse_time(&s, 1);
|
||||
if (lsopt.tcp_keepidle == (time_t) NGX_ERROR) {
|
||||
goto invalid_so_keepalive;
|
||||
}
|
||||
}
|
||||
@ -904,8 +1108,8 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
if (p > s.data) {
|
||||
s.len = p - s.data;
|
||||
|
||||
ls->tcp_keepintvl = ngx_parse_time(&s, 1);
|
||||
if (ls->tcp_keepintvl == (time_t) NGX_ERROR) {
|
||||
lsopt.tcp_keepintvl = ngx_parse_time(&s, 1);
|
||||
if (lsopt.tcp_keepintvl == (time_t) NGX_ERROR) {
|
||||
goto invalid_so_keepalive;
|
||||
}
|
||||
}
|
||||
@ -915,19 +1119,19 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
if (s.data < end) {
|
||||
s.len = end - s.data;
|
||||
|
||||
ls->tcp_keepcnt = ngx_atoi(s.data, s.len);
|
||||
if (ls->tcp_keepcnt == NGX_ERROR) {
|
||||
lsopt.tcp_keepcnt = ngx_atoi(s.data, s.len);
|
||||
if (lsopt.tcp_keepcnt == NGX_ERROR) {
|
||||
goto invalid_so_keepalive;
|
||||
}
|
||||
}
|
||||
|
||||
if (ls->tcp_keepidle == 0 && ls->tcp_keepintvl == 0
|
||||
&& ls->tcp_keepcnt == 0)
|
||||
if (lsopt.tcp_keepidle == 0 && lsopt.tcp_keepintvl == 0
|
||||
&& lsopt.tcp_keepcnt == 0)
|
||||
{
|
||||
goto invalid_so_keepalive;
|
||||
}
|
||||
|
||||
ls->so_keepalive = 1;
|
||||
lsopt.so_keepalive = 1;
|
||||
|
||||
#else
|
||||
|
||||
@ -939,7 +1143,8 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
#endif
|
||||
}
|
||||
|
||||
ls->bind = 1;
|
||||
lsopt.set = 1;
|
||||
lsopt.bind = 1;
|
||||
|
||||
continue;
|
||||
|
||||
@ -954,7 +1159,7 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
}
|
||||
|
||||
if (ngx_strcmp(value[i].data, "proxy_protocol") == 0) {
|
||||
ls->proxy_protocol = 1;
|
||||
lsopt.proxy_protocol = 1;
|
||||
continue;
|
||||
}
|
||||
|
||||
@ -963,27 +1168,27 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (ls->type == SOCK_DGRAM) {
|
||||
if (lsopt.type == SOCK_DGRAM) {
|
||||
if (backlog) {
|
||||
return "\"backlog\" parameter is incompatible with \"udp\"";
|
||||
}
|
||||
|
||||
#if (NGX_STREAM_SSL)
|
||||
if (ls->ssl) {
|
||||
if (lsopt.ssl) {
|
||||
return "\"ssl\" parameter is incompatible with \"udp\"";
|
||||
}
|
||||
#endif
|
||||
|
||||
if (ls->so_keepalive) {
|
||||
if (lsopt.so_keepalive) {
|
||||
return "\"so_keepalive\" parameter is incompatible with \"udp\"";
|
||||
}
|
||||
|
||||
if (ls->proxy_protocol) {
|
||||
if (lsopt.proxy_protocol) {
|
||||
return "\"proxy_protocol\" parameter is incompatible with \"udp\"";
|
||||
}
|
||||
|
||||
#if (NGX_HAVE_TCP_FASTOPEN)
|
||||
if (ls->fastopen != -1) {
|
||||
if (lsopt.fastopen != -1) {
|
||||
return "\"fastopen\" parameter is incompatible with \"udp\"";
|
||||
}
|
||||
#endif
|
||||
@ -1000,40 +1205,12 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
}
|
||||
}
|
||||
|
||||
if (n != 0) {
|
||||
nls = ngx_array_push(&cmcf->listen);
|
||||
if (nls == NULL) {
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
lsopt.sockaddr = u.addrs[n].sockaddr;
|
||||
lsopt.socklen = u.addrs[n].socklen;
|
||||
lsopt.addr_text = u.addrs[n].name;
|
||||
lsopt.wildcard = ngx_inet_wildcard(lsopt.sockaddr);
|
||||
|
||||
*nls = *ls;
|
||||
|
||||
} else {
|
||||
nls = ls;
|
||||
}
|
||||
|
||||
nls->sockaddr = u.addrs[n].sockaddr;
|
||||
nls->socklen = u.addrs[n].socklen;
|
||||
nls->addr_text = u.addrs[n].name;
|
||||
nls->wildcard = ngx_inet_wildcard(nls->sockaddr);
|
||||
|
||||
als = cmcf->listen.elts;
|
||||
|
||||
for (i = 0; i < cmcf->listen.nelts - 1; i++) {
|
||||
if (nls->type != als[i].type) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (ngx_cmp_sockaddr(als[i].sockaddr, als[i].socklen,
|
||||
nls->sockaddr, nls->socklen, 1)
|
||||
!= NGX_OK)
|
||||
{
|
||||
continue;
|
||||
}
|
||||
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"duplicate \"%V\" address and port pair",
|
||||
&nls->addr_text);
|
||||
if (ngx_stream_add_listen(cf, cscf, &lsopt) != NGX_OK) {
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
@ -1045,6 +1222,107 @@ ngx_stream_core_listen(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
}
|
||||
|
||||
|
||||
static char *
|
||||
ngx_stream_core_server_name(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
{
|
||||
ngx_stream_core_srv_conf_t *cscf = conf;
|
||||
|
||||
u_char ch;
|
||||
ngx_str_t *value;
|
||||
ngx_uint_t i;
|
||||
ngx_stream_server_name_t *sn;
|
||||
|
||||
value = cf->args->elts;
|
||||
|
||||
for (i = 1; i < cf->args->nelts; i++) {
|
||||
|
||||
ch = value[i].data[0];
|
||||
|
||||
if ((ch == '*' && (value[i].len < 3 || value[i].data[1] != '.'))
|
||||
|| (ch == '.' && value[i].len < 2))
|
||||
{
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"server name \"%V\" is invalid", &value[i]);
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_strchr(value[i].data, '/')) {
|
||||
ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
|
||||
"server name \"%V\" has suspicious symbols",
|
||||
&value[i]);
|
||||
}
|
||||
|
||||
sn = ngx_array_push(&cscf->server_names);
|
||||
if (sn == NULL) {
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
#if (NGX_PCRE)
|
||||
sn->regex = NULL;
|
||||
#endif
|
||||
sn->server = cscf;
|
||||
|
||||
if (ngx_strcasecmp(value[i].data, (u_char *) "$hostname") == 0) {
|
||||
sn->name = cf->cycle->hostname;
|
||||
|
||||
} else {
|
||||
sn->name = value[i];
|
||||
}
|
||||
|
||||
if (value[i].data[0] != '~') {
|
||||
ngx_strlow(sn->name.data, sn->name.data, sn->name.len);
|
||||
continue;
|
||||
}
|
||||
|
||||
#if (NGX_PCRE)
|
||||
{
|
||||
u_char *p;
|
||||
ngx_regex_compile_t rc;
|
||||
u_char errstr[NGX_MAX_CONF_ERRSTR];
|
||||
|
||||
if (value[i].len == 1) {
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"empty regex in server name \"%V\"", &value[i]);
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
value[i].len--;
|
||||
value[i].data++;
|
||||
|
||||
ngx_memzero(&rc, sizeof(ngx_regex_compile_t));
|
||||
|
||||
rc.pattern = value[i];
|
||||
rc.err.len = NGX_MAX_CONF_ERRSTR;
|
||||
rc.err.data = errstr;
|
||||
|
||||
for (p = value[i].data; p < value[i].data + value[i].len; p++) {
|
||||
if (*p >= 'A' && *p <= 'Z') {
|
||||
rc.options = NGX_REGEX_CASELESS;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
sn->regex = ngx_stream_regex_compile(cf, &rc);
|
||||
if (sn->regex == NULL) {
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
sn->name = value[i];
|
||||
cscf->captures = (rc.captures > 0);
|
||||
}
|
||||
#else
|
||||
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
|
||||
"using regex \"%V\" "
|
||||
"requires PCRE library", &value[i]);
|
||||
|
||||
return NGX_CONF_ERROR;
|
||||
#endif
|
||||
}
|
||||
|
||||
return NGX_CONF_OK;
|
||||
}
|
||||
|
||||
|
||||
static char *
|
||||
ngx_stream_core_resolver(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
|
||||
{
|
||||
|
||||
@ -30,6 +30,7 @@ ngx_stream_init_connection(ngx_connection_t *c)
|
||||
struct sockaddr_in *sin;
|
||||
ngx_stream_in_addr_t *addr;
|
||||
ngx_stream_session_t *s;
|
||||
ngx_stream_conf_ctx_t *ctx;
|
||||
ngx_stream_addr_conf_t *addr_conf;
|
||||
#if (NGX_HAVE_INET6)
|
||||
struct sockaddr_in6 *sin6;
|
||||
@ -121,9 +122,12 @@ ngx_stream_init_connection(ngx_connection_t *c)
|
||||
return;
|
||||
}
|
||||
|
||||
ctx = addr_conf->default_server->ctx;
|
||||
|
||||
s->signature = NGX_STREAM_MODULE;
|
||||
s->main_conf = addr_conf->ctx->main_conf;
|
||||
s->srv_conf = addr_conf->ctx->srv_conf;
|
||||
s->main_conf = ctx->main_conf;
|
||||
s->srv_conf = ctx->srv_conf;
|
||||
s->virtual_names = addr_conf->virtual_names;
|
||||
|
||||
#if (NGX_STREAM_SSL)
|
||||
s->ssl = addr_conf->ssl;
|
||||
@ -144,7 +148,7 @@ ngx_stream_init_connection(ngx_connection_t *c)
|
||||
|
||||
ngx_log_error(NGX_LOG_INFO, c->log, 0, "*%uA %sclient %*s connected to %V",
|
||||
c->number, c->type == SOCK_DGRAM ? "udp " : "",
|
||||
len, text, &addr_conf->addr_text);
|
||||
len, text, &c->listening->addr_text);
|
||||
|
||||
c->log->connection = c->number;
|
||||
c->log->handler = ngx_stream_log_error;
|
||||
|
||||
@ -219,6 +219,13 @@ static ngx_command_t ngx_stream_ssl_commands[] = {
|
||||
offsetof(ngx_stream_ssl_conf_t, conf_commands),
|
||||
&ngx_stream_ssl_conf_command_post },
|
||||
|
||||
{ ngx_string("ssl_reject_handshake"),
|
||||
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
|
||||
ngx_conf_set_flag_slot,
|
||||
NGX_STREAM_SRV_CONF_OFFSET,
|
||||
offsetof(ngx_stream_ssl_conf_t, reject_handshake),
|
||||
NULL },
|
||||
|
||||
{ ngx_string("ssl_alpn"),
|
||||
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_1MORE,
|
||||
ngx_stream_ssl_alpn,
|
||||
@ -458,7 +465,112 @@ ngx_stream_ssl_handshake_handler(ngx_connection_t *c)
|
||||
static int
|
||||
ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
|
||||
{
|
||||
ngx_int_t rc;
|
||||
ngx_str_t host;
|
||||
const char *servername;
|
||||
ngx_connection_t *c;
|
||||
ngx_stream_session_t *s;
|
||||
ngx_stream_ssl_conf_t *sscf;
|
||||
ngx_stream_core_srv_conf_t *cscf;
|
||||
|
||||
c = ngx_ssl_get_connection(ssl_conn);
|
||||
|
||||
if (c->ssl->handshaked) {
|
||||
*ad = SSL_AD_NO_RENEGOTIATION;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
s = c->data;
|
||||
|
||||
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
|
||||
|
||||
if (servername == NULL) {
|
||||
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
|
||||
"SSL server name: null");
|
||||
goto done;
|
||||
}
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
|
||||
"SSL server name: \"%s\"", servername);
|
||||
|
||||
host.len = ngx_strlen(servername);
|
||||
|
||||
if (host.len == 0) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
host.data = (u_char *) servername;
|
||||
|
||||
rc = ngx_stream_validate_host(&host, c->pool, 1);
|
||||
|
||||
if (rc == NGX_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (rc == NGX_DECLINED) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
rc = ngx_stream_find_virtual_server(s, &host, &cscf);
|
||||
|
||||
if (rc == NGX_ERROR) {
|
||||
goto error;
|
||||
}
|
||||
|
||||
if (rc == NGX_DECLINED) {
|
||||
goto done;
|
||||
}
|
||||
|
||||
s->srv_conf = cscf->ctx->srv_conf;
|
||||
|
||||
ngx_set_connection_log(c, cscf->error_log);
|
||||
|
||||
sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
|
||||
|
||||
if (sscf->ssl.ctx) {
|
||||
if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
|
||||
goto error;
|
||||
}
|
||||
|
||||
/*
|
||||
* SSL_set_SSL_CTX() only changes certs as of 1.0.0d
|
||||
* adjust other things we care about
|
||||
*/
|
||||
|
||||
SSL_set_verify(ssl_conn, SSL_CTX_get_verify_mode(sscf->ssl.ctx),
|
||||
SSL_CTX_get_verify_callback(sscf->ssl.ctx));
|
||||
|
||||
SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));
|
||||
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
|
||||
/* only in 0.9.8m+ */
|
||||
SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
|
||||
~SSL_CTX_get_options(sscf->ssl.ctx));
|
||||
#endif
|
||||
|
||||
SSL_set_options(ssl_conn, SSL_CTX_get_options(sscf->ssl.ctx));
|
||||
|
||||
#ifdef SSL_OP_NO_RENEGOTIATION
|
||||
SSL_set_options(ssl_conn, SSL_OP_NO_RENEGOTIATION);
|
||||
#endif
|
||||
}
|
||||
|
||||
done:
|
||||
|
||||
sscf = ngx_stream_get_module_srv_conf(s, ngx_stream_ssl_module);
|
||||
|
||||
if (sscf->reject_handshake) {
|
||||
c->ssl->handshake_rejected = 1;
|
||||
*ad = SSL_AD_UNRECOGNIZED_NAME;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
return SSL_TLSEXT_ERR_OK;
|
||||
|
||||
error:
|
||||
|
||||
*ad = SSL_AD_INTERNAL_ERROR;
|
||||
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
||||
}
|
||||
|
||||
#endif
|
||||
@ -655,7 +767,6 @@ ngx_stream_ssl_create_conf(ngx_conf_t *cf)
|
||||
/*
|
||||
* set by ngx_pcalloc():
|
||||
*
|
||||
* scf->listen = 0;
|
||||
* scf->protocols = 0;
|
||||
* scf->certificate_values = NULL;
|
||||
* scf->dhparam = { 0, NULL };
|
||||
@ -674,6 +785,7 @@ ngx_stream_ssl_create_conf(ngx_conf_t *cf)
|
||||
scf->passwords = NGX_CONF_UNSET_PTR;
|
||||
scf->conf_commands = NGX_CONF_UNSET_PTR;
|
||||
scf->prefer_server_ciphers = NGX_CONF_UNSET;
|
||||
scf->reject_handshake = NGX_CONF_UNSET;
|
||||
scf->verify = NGX_CONF_UNSET_UINT;
|
||||
scf->verify_depth = NGX_CONF_UNSET_UINT;
|
||||
scf->builtin_session_cache = NGX_CONF_UNSET;
|
||||
@ -702,6 +814,8 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
ngx_conf_merge_value(conf->prefer_server_ciphers,
|
||||
prev->prefer_server_ciphers, 0);
|
||||
|
||||
ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
|
||||
|
||||
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
|
||||
(NGX_CONF_BITMASK_SET
|
||||
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|
||||
@ -735,37 +849,23 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
|
||||
conf->ssl.log = cf->log;
|
||||
|
||||
if (!conf->listen) {
|
||||
if (conf->certificates) {
|
||||
|
||||
if (conf->certificate_keys == NULL
|
||||
|| conf->certificate_keys->nelts < conf->certificates->nelts)
|
||||
{
|
||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||
"no \"ssl_certificate_key\" is defined "
|
||||
"for certificate \"%V\"",
|
||||
((ngx_str_t *) conf->certificates->elts)
|
||||
+ conf->certificates->nelts - 1);
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
} else if (!conf->reject_handshake) {
|
||||
return NGX_CONF_OK;
|
||||
}
|
||||
|
||||
if (conf->certificates == NULL) {
|
||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||
"no \"ssl_certificate\" is defined for "
|
||||
"the \"listen ... ssl\" directive in %s:%ui",
|
||||
conf->file, conf->line);
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (conf->certificate_keys == NULL) {
|
||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||
"no \"ssl_certificate_key\" is defined for "
|
||||
"the \"listen ... ssl\" directive in %s:%ui",
|
||||
conf->file, conf->line);
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (conf->certificate_keys->nelts < conf->certificates->nelts) {
|
||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||
"no \"ssl_certificate_key\" is defined "
|
||||
"for certificate \"%V\" and "
|
||||
"the \"listen ... ssl\" directive in %s:%ui",
|
||||
((ngx_str_t *) conf->certificates->elts)
|
||||
+ conf->certificates->nelts - 1,
|
||||
conf->file, conf->line);
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
|
||||
if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
|
||||
return NGX_CONF_ERROR;
|
||||
}
|
||||
@ -818,7 +918,7 @@ ngx_stream_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child)
|
||||
return NGX_CONF_ERROR;
|
||||
#endif
|
||||
|
||||
} else {
|
||||
} else if (conf->certificates) {
|
||||
|
||||
/* configure certificates */
|
||||
|
||||
@ -917,6 +1017,10 @@ ngx_stream_ssl_compile_certificates(ngx_conf_t *cf,
|
||||
ngx_stream_complex_value_t *cv;
|
||||
ngx_stream_compile_complex_value_t ccv;
|
||||
|
||||
if (conf->certificates == NULL) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
cert = conf->certificates->elts;
|
||||
key = conf->certificate_keys->elts;
|
||||
nelts = conf->certificates->nelts;
|
||||
@ -1195,8 +1299,13 @@ ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
|
||||
static ngx_int_t
|
||||
ngx_stream_ssl_init(ngx_conf_t *cf)
|
||||
{
|
||||
ngx_stream_handler_pt *h;
|
||||
ngx_stream_core_main_conf_t *cmcf;
|
||||
ngx_uint_t a, p, s;
|
||||
ngx_stream_handler_pt *h;
|
||||
ngx_stream_ssl_conf_t *sscf;
|
||||
ngx_stream_conf_addr_t *addr;
|
||||
ngx_stream_conf_port_t *port;
|
||||
ngx_stream_core_srv_conf_t **cscfp, *cscf;
|
||||
ngx_stream_core_main_conf_t *cmcf;
|
||||
|
||||
cmcf = ngx_stream_conf_get_module_main_conf(cf, ngx_stream_core_module);
|
||||
|
||||
@ -1207,5 +1316,58 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
|
||||
|
||||
*h = ngx_stream_ssl_handler;
|
||||
|
||||
if (cmcf->ports == NULL) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
port = cmcf->ports->elts;
|
||||
for (p = 0; p < cmcf->ports->nelts; p++) {
|
||||
|
||||
addr = port[p].addrs.elts;
|
||||
for (a = 0; a < port[p].addrs.nelts; a++) {
|
||||
|
||||
if (!addr[a].opt.ssl) {
|
||||
continue;
|
||||
}
|
||||
|
||||
cscf = addr[a].default_server;
|
||||
sscf = cscf->ctx->srv_conf[ngx_stream_ssl_module.ctx_index];
|
||||
|
||||
if (sscf->certificates) {
|
||||
continue;
|
||||
}
|
||||
|
||||
if (!sscf->reject_handshake) {
|
||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||
"no \"ssl_certificate\" is defined for "
|
||||
"the \"listen ... ssl\" directive in %s:%ui",
|
||||
cscf->file_name, cscf->line);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
/*
|
||||
* if no certificates are defined in the default server,
|
||||
* check all non-default server blocks
|
||||
*/
|
||||
|
||||
cscfp = addr[a].servers.elts;
|
||||
for (s = 0; s < addr[a].servers.nelts; s++) {
|
||||
|
||||
cscf = cscfp[s];
|
||||
sscf = cscf->ctx->srv_conf[ngx_stream_ssl_module.ctx_index];
|
||||
|
||||
if (sscf->certificates || sscf->reject_handshake) {
|
||||
continue;
|
||||
}
|
||||
|
||||
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
|
||||
"no \"ssl_certificate\" is defined for "
|
||||
"the \"listen ... ssl\" directive in %s:%ui",
|
||||
cscf->file_name, cscf->line);
|
||||
return NGX_ERROR;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
@ -18,10 +18,10 @@ typedef struct {
|
||||
ngx_msec_t handshake_timeout;
|
||||
|
||||
ngx_flag_t prefer_server_ciphers;
|
||||
ngx_flag_t reject_handshake;
|
||||
|
||||
ngx_ssl_t ssl;
|
||||
|
||||
ngx_uint_t listen;
|
||||
ngx_uint_t protocols;
|
||||
|
||||
ngx_uint_t verify;
|
||||
@ -53,9 +53,6 @@ typedef struct {
|
||||
|
||||
ngx_flag_t session_tickets;
|
||||
ngx_array_t *session_ticket_keys;
|
||||
|
||||
u_char *file;
|
||||
ngx_uint_t line;
|
||||
} ngx_stream_ssl_conf_t;
|
||||
|
||||
|
||||
|
||||
@ -33,6 +33,8 @@ typedef struct {
|
||||
static ngx_int_t ngx_stream_ssl_preread_handler(ngx_stream_session_t *s);
|
||||
static ngx_int_t ngx_stream_ssl_preread_parse_record(
|
||||
ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last);
|
||||
static ngx_int_t ngx_stream_ssl_preread_servername(ngx_stream_session_t *s,
|
||||
ngx_str_t *servername);
|
||||
static ngx_int_t ngx_stream_ssl_preread_protocol_variable(
|
||||
ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
|
||||
static ngx_int_t ngx_stream_ssl_preread_server_name_variable(
|
||||
@ -187,6 +189,10 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
|
||||
return NGX_DECLINED;
|
||||
}
|
||||
|
||||
if (rc == NGX_OK) {
|
||||
return ngx_stream_ssl_preread_servername(s, &ctx->host);
|
||||
}
|
||||
|
||||
if (rc != NGX_AGAIN) {
|
||||
return rc;
|
||||
}
|
||||
@ -404,9 +410,6 @@ ngx_stream_ssl_preread_parse_record(ngx_stream_ssl_preread_ctx_t *ctx,
|
||||
case sw_sni_host:
|
||||
ctx->host.len = (p[1] << 8) + p[2];
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
|
||||
"ssl preread: SNI hostname \"%V\"", &ctx->host);
|
||||
|
||||
state = sw_ext;
|
||||
dst = NULL;
|
||||
size = ext;
|
||||
@ -496,6 +499,54 @@ ngx_stream_ssl_preread_parse_record(ngx_stream_ssl_preread_ctx_t *ctx,
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_stream_ssl_preread_servername(ngx_stream_session_t *s,
|
||||
ngx_str_t *servername)
|
||||
{
|
||||
ngx_int_t rc;
|
||||
ngx_str_t host;
|
||||
ngx_connection_t *c;
|
||||
ngx_stream_core_srv_conf_t *cscf;
|
||||
|
||||
c = s->connection;
|
||||
|
||||
ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
|
||||
"SSL preread server name: \"%V\"", servername);
|
||||
|
||||
if (servername->len == 0) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
host = *servername;
|
||||
|
||||
rc = ngx_stream_validate_host(&host, c->pool, 1);
|
||||
|
||||
if (rc == NGX_ERROR) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (rc == NGX_DECLINED) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
rc = ngx_stream_find_virtual_server(s, &host, &cscf);
|
||||
|
||||
if (rc == NGX_ERROR) {
|
||||
return NGX_ERROR;
|
||||
}
|
||||
|
||||
if (rc == NGX_DECLINED) {
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
s->srv_conf = cscf->ctx->srv_conf;
|
||||
|
||||
ngx_set_connection_log(c, cscf->error_log);
|
||||
|
||||
return NGX_OK;
|
||||
}
|
||||
|
||||
|
||||
static ngx_int_t
|
||||
ngx_stream_ssl_preread_protocol_variable(ngx_stream_session_t *s,
|
||||
ngx_variable_value_t *v, uintptr_t data)
|
||||
|
||||
Loading…
Reference in New Issue
Block a user