[PATCH] SSL support for the mail proxy module

Kunal Pariani kpariani at zimbra.com
Fri Aug 22 21:13:27 UTC 2014


Any comments on this yet ? 

Thanks 
-Kunal 


From: "Kunal Pariani" <kpariani at zimbra.com> 
To: "nginx-devel" <nginx-devel at nginx.org> 
Sent: Tuesday, August 19, 2014 3:58:15 PM 
Subject: [PATCH] SSL support for the mail proxy module 



# HG changeset patch 

# User Kunal Pariani <kpariani at zimbra.com> 

# Date 1408485440 25200 

# Tue Aug 19 14:57:20 2014 -0700 

# Node ID 7858c2a9ac0e83aa779197fc028b4d078612e7e8 

# Parent f25ab24517bb5e45b1b7fa1a1502b907f2cff213 

SSL support for the mail proxy 




diff -r f25ab24517bb -r 7858c2a9ac0e src/mail/ngx_mail_proxy_module.c 

--- a/src/mail/ngx_mail_proxy_module.c Mon Aug 04 16:26:30 2014 -0700 

+++ b/src/mail/ngx_mail_proxy_module.c Tue Aug 19 14:57:20 2014 -0700 

@@ -18,6 +18,8 @@ 

ngx_flag_t xclient; 

size_t buffer_size; 

ngx_msec_t timeout; 

+ ngx_flag_t proxy_ssl; 

+ ngx_ssl_t *ssl; 

} ngx_mail_proxy_conf_t; 





@@ -35,7 +37,13 @@ 

static void *ngx_mail_proxy_create_conf(ngx_conf_t *cf); 

static char *ngx_mail_proxy_merge_conf(ngx_conf_t *cf, void *parent, 

void *child); 

- 

+#if (NGX_MAIL_SSL) 

+static char *ngx_mail_proxy_ssl(ngx_conf_t *cf, ngx_command_t *cmd, 

+ void *conf); 

+static void ngx_mail_proxy_ssl_init_connection(ngx_mail_session_t *s, 

+ ngx_connection_t *c); 

+static void ngx_mail_proxy_ssl_handshake(ngx_connection_t *c); 

+#endif 



static ngx_command_t ngx_mail_proxy_commands[] = { 



@@ -74,6 +82,16 @@ 

offsetof(ngx_mail_proxy_conf_t, xclient), 

NULL }, 



+#if (NGX_MAIL_SSL) 

+ { ngx_string("proxy_ssl"), 

+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG, 

+ ngx_mail_proxy_ssl, 

+ NGX_MAIL_SRV_CONF_OFFSET, 

+ offsetof(ngx_mail_proxy_conf_t, proxy_ssl), 

+ NULL }, 

+ 

+#endif 

+ 

ngx_null_command 

}; 



@@ -174,6 +192,15 @@ 



s->out.len = 0; 



+#if (NGX_MAIL_SSL) 

+ 

+ if (pcf->proxy_ssl && p->upstream.connection->ssl == NULL) { 

+ ngx_mail_proxy_ssl_init_connection(s, p->upstream.connection); 

+ return; 

+ } 

+ 

+#endif 

+ 

switch (s->protocol) { 



case NGX_MAIL_POP3_PROTOCOL: 

@@ -1092,6 +1119,13 @@ 

"close mail proxy connection: %d", 

s->proxy->upstream.connection->fd); 



+#if (NGX_MAIL_SSL) 

+ if (s->proxy->upstream.connection->ssl) { 

+ s->proxy->upstream.connection->ssl->no_wait_shutdown = 1; 

+ ngx_ssl_shutdown(s->proxy->upstream.connection); 

+ } 

+#endif 

+ 

ngx_close_connection(s->proxy->upstream.connection); 

} 



@@ -1114,6 +1148,8 @@ 

pcf->xclient = NGX_CONF_UNSET; 

pcf->buffer_size = NGX_CONF_UNSET_SIZE; 

pcf->timeout = NGX_CONF_UNSET_MSEC; 

+ pcf->proxy_ssl = NGX_CONF_UNSET; 

+ pcf->ssl = NGX_CONF_UNSET_PTR; 



return pcf; 

} 

@@ -1131,6 +1167,118 @@ 

ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size, 

(size_t) ngx_pagesize); 

ngx_conf_merge_msec_value(conf->timeout, prev->timeout, 24 * 60 * 60000); 

+ ngx_conf_merge_value(conf->proxy_ssl, prev->proxy_ssl, 0); 

+ ngx_conf_merge_ptr_value(conf->ssl, prev->ssl, NULL); 



return NGX_CONF_OK; 

} 

+ 

+#if (NGX_MAIL_SSL) 

+ 

+static char * 

+ngx_mail_proxy_ssl(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { 

+ 

+ ngx_pool_cleanup_t *cln; 

+ char *rc; 

+ ngx_mail_proxy_conf_t *pcf; 

+ 

+ rc = ngx_conf_set_flag_slot(cf, cmd, conf); 

+ if (rc != NGX_CONF_OK) { 

+ return rc; 

+ } 

+ 

+ pcf = (ngx_mail_proxy_conf_t *)conf; 

+ 

+ if (!pcf->proxy_ssl) { 

+ return NGX_CONF_OK; 

+ } 

+ 

+ pcf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); 

+ 

+ if (pcf->ssl == NULL) { 

+ return NGX_CONF_ERROR; 

+ } 

+ 

+ pcf->ssl->log = cf->log; 

+ 

+ // don't support SSLv2 anymore 

+ if (ngx_ssl_create(pcf->ssl, NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL) 

+ != NGX_OK) { 

+ return NGX_CONF_ERROR; 

+ } 

+ 

+ cln = ngx_pool_cleanup_add(cf->pool, 0); 

+ if (cln == NULL) { 

+ return NGX_CONF_ERROR; 

+ } 

+ 

+ cln->handler = ngx_ssl_cleanup_ctx; 

+ cln->data = pcf->ssl; 

+ 

+ return NGX_CONF_OK; 

+} 

+ 

+static void 

+ngx_mail_proxy_ssl_init_connection(ngx_mail_session_t *s, ngx_connection_t *c) 

+{ 

+ ngx_int_t rc; 

+ ngx_mail_proxy_conf_t *pcf; 

+ 

+ pcf = ngx_mail_get_module_srv_conf(s, ngx_mail_proxy_module); 

+ 

+ if (ngx_ssl_create_connection(pcf->ssl, c, 

+ NGX_SSL_BUFFER|NGX_SSL_CLIENT) 

+ != NGX_OK) 

+ { 

+ ngx_mail_proxy_internal_server_error(s); 

+ return; 

+ } 

+ 

+ s->connection->log->action = "SSL handshaking to upstream"; 

+ 

+ rc = ngx_ssl_handshake(c); 

+ 

+ if (rc == NGX_AGAIN) { 

+ c->ssl->handler = ngx_mail_proxy_ssl_handshake; 

+ return; 

+ } 

+ 

+ ngx_mail_proxy_ssl_handshake(c); 

+} 

+ 

+ 

+static void 

+ngx_mail_proxy_ssl_handshake(ngx_connection_t *c) 

+{ 

+ ngx_mail_session_t *s; 

+ s = c->data; 

+ 

+ if (c->ssl->handshaked) { 

+ c->write->handler = ngx_mail_proxy_dummy_handler; 

+ switch (s->protocol) { 

+ 

+ case NGX_MAIL_POP3_PROTOCOL: 

+ c->read->handler = ngx_mail_proxy_pop3_handler; 

+ s->mail_state = ngx_pop3_start; 

+ break; 

+ 

+ case NGX_MAIL_IMAP_PROTOCOL: 

+ c->read->handler = ngx_mail_proxy_imap_handler; 

+ s->mail_state = ngx_imap_start; 

+ break; 

+ 

+ default: /* NGX_MAIL_SMTP_PROTOCOL */ 

+ c->read->handler = ngx_mail_proxy_smtp_handler; 

+ s->mail_state = ngx_smtp_start; 

+ break; 

+ } 

+ 

+ /* server might have sent the initial welcome msg */ 

+ c->read->handler(c->read); 

+ } else { 

+ /* when handshake fails, we should close the session */ 

+ ngx_mail_proxy_upstream_error(s); 

+ } 

+} 

+ 

+#endif 

Thanks 
-Kunal 

_______________________________________________ 
nginx-devel mailing list 
nginx-devel at nginx.org 
http://mailman.nginx.org/mailman/listinfo/nginx-devel 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20140822/9791ffa3/attachment-0001.html>


More information about the nginx-devel mailing list