[PATCH] SNI: store server name in the ngx_ssl_connection_t structure.

Piotr Sikora piotr at cloudflare.com
Tue May 21 23:12:07 UTC 2013


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1369177330 25200
# Node ID 8646199ded31a725bea599aeafc581f9c969872d
# Parent  4b277448dfd56751c7c88477e78b2ba3cf6ae472
SNI: store server name in the ngx_ssl_connection_t structure.

SNI server name is a property of the SSL connection and there is
no good reason to store it elsewhere.

Also, this makes the stored value accessible by non-HTTP modules.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 4b277448dfd5 -r 8646199ded31 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h     Tue May 21 16:01:59 2013 -0700
+++ b/src/event/ngx_event_openssl.h     Tue May 21 16:02:10 2013 -0700
@@ -43,6 +43,13 @@
     ngx_event_handler_pt        saved_read_handler;
     ngx_event_handler_pt        saved_write_handler;

+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+    ngx_str_t                  *servername;
+#if (NGX_PCRE)
+    void                       *servername_regex;
+#endif
+#endif
+
     unsigned                    handshaked:1;
     unsigned                    renegotiation:1;
     unsigned                    buffer:1;
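Review bot: `servername_regex` is declared as a bare `void *` with no comment, while the field it replaces in ngx_http_connection_t was a typed `ngx_http_regex_t *`, so the compiler can no longer catch a mismatched store or read on either side of the implicit cast. The erasure is presumably needed because the event layer cannot include HTTP headers, but that contract should be stated at the declaration, e.g. `void *servername_regex;  /* ngx_http_regex_t *, opaque: event layer must not depend on ngx_http */`. A similar one-liner on `servername` saying it holds the client-supplied SNI name allocated from the connection pool would tell readers outside ngx_http both its lifetime and its trust level.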
diff -r 4b277448dfd5 -r 8646199ded31 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c       Tue May 21 16:01:59 2013 -0700
+++ b/src/http/ngx_http_request.c       Tue May 21 16:02:10 2013 -0700
@@ -807,12 +807,12 @@
         return SSL_TLSEXT_ERR_NOACK;
     }

-    hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
-    if (hc->ssl_servername == NULL) {
+    c->ssl->servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+    if (c->ssl->servername == NULL) {
         return SSL_TLSEXT_ERR_NOACK;
     }

-    *hc->ssl_servername = host;
+    *c->ssl->servername = host;

     if (rc == NGX_DECLINED || hc->conf_ctx == cscf->ctx) {
         return SSL_TLSEXT_ERR_OK;
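Review bot: `*c->ssl->servername = host;` now publishes a client-supplied value to every module that can reach ngx_ssl_connection_t, and the hunk does not show how `host` was derived; the `rc == NGX_DECLINED` test suggests a validation step above the hunk, but a non-HTTP reader of the field has no way to know that. A comment on the store, such as `/* client-supplied SNI name, presumably validated above -- confirm; not guaranteed to match any configured server */`, would pin the contract. The per-callback `ngx_palloc` of an ngx_str_t header could also be avoided by embedding `ngx_str_t servername` by value and using `servername.len` as the presence test, which would remove the `SSL_TLSEXT_ERR_NOACK` failure path here. The enclosing callback starts outside the hunk.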
@@ -1954,23 +1954,24 @@
 ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
 {
     ngx_int_t                  rc;
+    ngx_connection_t          *c;
     ngx_http_connection_t     *hc;
     ngx_http_core_loc_conf_t  *clcf;
     ngx_http_core_srv_conf_t  *cscf;

-    hc = r->http_connection;
+    c = r->connection;

 #if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)

-    if (hc->ssl_servername) {
-        if (hc->ssl_servername->len == host->len
-            && ngx_strncmp(hc->ssl_servername->data,
+    if (c->ssl && c->ssl->servername) {
+        if (c->ssl->servername->len == host->len
+            && ngx_strncmp(c->ssl->servername->data,
                            host->data, host->len) == 0)
         {
 #if (NGX_PCRE)
-            if (hc->ssl_servername_regex
-                && ngx_http_regex_exec(r, hc->ssl_servername_regex,
-                                          hc->ssl_servername) != NGX_OK)
+            if (c->ssl->servername_regex
+                && ngx_http_regex_exec(r, c->ssl->servername_regex,
+                                          c->ssl->servername) != NGX_OK)
             {
                 ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
                 return NGX_ERROR;
@@ -1982,8 +1983,9 @@

 #endif

-    rc = ngx_http_find_virtual_server(r->connection,
-                                      hc->addr_conf->virtual_names,
+    hc = r->http_connection;
+
+    rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names,
                                       host, r, &cscf);

     if (rc == NGX_ERROR) {
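Review bot: `hc` is now assigned only after the `#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)` block, so inside that block it is an uninitialized local; nothing there reads it today, but any future use in the SSL branch would be undefined behaviour that the compiler may or may not warn about depending on configuration. Keeping the assignment next to the connection lookup at the top of the function, `c = r->connection;` followed by `hc = r->http_connection;`, costs nothing and removes the trap. The function's prologue is in the preceding hunk.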
@@ -1993,7 +1995,7 @@

 #if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)

-    if (hc->ssl_servername) {
+    if (c->ssl && c->ssl->servername) {
         ngx_http_ssl_srv_conf_t  *sscf;

         if (rc == NGX_DECLINED) {
@@ -2004,7 +2006,7 @@
         sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);

         if (sscf->verify) {
-            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+            ngx_log_error(NGX_LOG_INFO, c->log, 0,
                           "client attempted to request the server name "
                           "different from that one was negotiated");
             ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
@@ -2023,7 +2025,7 @@

     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

-    ngx_http_set_connection_log(r->connection, clcf->error_log);
+    ngx_http_set_connection_log(c, clcf->error_log);

     return NGX_OK;
 }
@@ -2060,8 +2062,7 @@

 #if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)

-        if (r == NULL) {
-            ngx_http_connection_t  *hc;
+        if (r == NULL && c->ssl) {

             for (i = 0; i < virtual_names->nregex; i++) {

@@ -2072,8 +2073,7 @@
                 }

                 if (n >= 0) {
-                    hc = c->data;
-                    hc->ssl_servername_regex = sn[i].regex;
+                    c->ssl->servername_regex = sn[i].regex;

                     *cscfp = sn[i].server;
                     return NGX_OK;
diff -r 4b277448dfd5 -r 8646199ded31 src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h       Tue May 21 16:01:59 2013 -0700
+++ b/src/http/ngx_http_request.h       Tue May 21 16:02:10 2013 -0700
@@ -295,13 +295,6 @@
     ngx_http_addr_conf_t             *addr_conf;
     ngx_http_conf_ctx_t              *conf_ctx;

-#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
-    ngx_str_t                        *ssl_servername;
-#if (NGX_PCRE)
-    ngx_http_regex_t                 *ssl_servername_regex;
-#endif
-#endif
-
     ngx_buf_t                       **busy;
     ngx_int_t                         nbusy;


