<div dir="ltr"><div class="gmail_extra">Looks like the attachment didn't go through. Here is the patch inline:</div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">
# HG changeset patch<br><div class="gmail_extra"># User Rohit Joshi <<a href="mailto:rohit.c.joshi@gmail.com">rohit.c.joshi@gmail.com</a>></div><div class="gmail_extra"># Date 1408406738 14400</div><div class="gmail_extra">
# Mon Aug 18 20:05:38 2014 -0400</div><div class="gmail_extra"># Node ID 61724860610aee50d73a3a0515c17ee09e8eb349</div><div class="gmail_extra"># Parent 8cdec62a7751153117a46acdf46b50dcf8ac24de</div><div class="gmail_extra">
Mail:Support for two way SSL for upstream http proxy </div><div class="gmail_extra"><br></div><div class="gmail_extra">Added support for two way SSL using client certificate/key.</div><div class="gmail_extra"><br></div><div class="gmail_extra">
diff -r 8cdec62a7751 -r 61724860610a src/http/modules/ngx_http_proxy_module.c</div><div class="gmail_extra">--- a/src/http/modules/ngx_http_proxy_module.c<span class="" style="white-space:pre"> </span>Mon Aug 18 12:03:41 2014 +0400</div>
<div class="gmail_extra">+++ b/src/http/modules/ngx_http_proxy_module.c<span class="" style="white-space:pre"> </span>Mon Aug 18 20:05:38 2014 -0400</div><div class="gmail_extra">@@ -84,6 +84,8 @@</div><div class="gmail_extra">
ngx_uint_t ssl_verify_depth;</div><div class="gmail_extra"> ngx_str_t ssl_trusted_certificate;</div><div class="gmail_extra"> ngx_str_t ssl_crl;</div>
<div class="gmail_extra">+ ngx_str_t ssl_client_certificate;</div><div class="gmail_extra">+ ngx_str_t ssl_client_certificate_key;</div><div class="gmail_extra"> #endif</div>
<div class="gmail_extra"> } ngx_http_proxy_loc_conf_t;</div><div class="gmail_extra"> </div><div class="gmail_extra">@@ -598,6 +600,21 @@</div><div class="gmail_extra"> offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),</div>
<div class="gmail_extra"> NULL },</div><div class="gmail_extra"> </div><div class="gmail_extra">+ { ngx_string("proxy_ssl_client_certificate"),</div><div class="gmail_extra">+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,</div>
<div class="gmail_extra">+ ngx_conf_set_str_slot,</div><div class="gmail_extra">+ NGX_HTTP_LOC_CONF_OFFSET,</div><div class="gmail_extra">+ offsetof(ngx_http_proxy_loc_conf_t, ssl_client_certificate),</div>
<div class="gmail_extra">+ NULL },</div><div class="gmail_extra">+</div><div class="gmail_extra">+ { ngx_string("proxy_ssl_client_certificate_key"),</div><div class="gmail_extra">+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,</div>
<div class="gmail_extra">+ ngx_conf_set_str_slot,</div><div class="gmail_extra">+ NGX_HTTP_LOC_CONF_OFFSET,</div><div class="gmail_extra">+ offsetof(ngx_http_proxy_loc_conf_t, ssl_client_certificate_key),</div>
<div class="gmail_extra">+ NULL },</div><div class="gmail_extra">+</div><div class="gmail_extra">+</div><div class="gmail_extra"> #endif</div><div class="gmail_extra"> </div><div class="gmail_extra"> ngx_null_command</div>
<div class="gmail_extra">@@ -2451,6 +2468,8 @@</div><div class="gmail_extra"> * conf->ssl_ciphers = { 0, NULL };</div><div class="gmail_extra"> * conf->ssl_trusted_certificate = { 0, NULL };</div>
<div class="gmail_extra">
* conf->ssl_crl = { 0, NULL };</div><div class="gmail_extra">+ * conf->ssl_client_certificate = { 0, NULL };</div><div class="gmail_extra">+ * conf->ssl_client_certificate_key = { 0, NULL };</div>
<div class="gmail_extra"> */</div><div class="gmail_extra"> </div><div class="gmail_extra"> conf->upstream.store = NGX_CONF_UNSET;</div><div class="gmail_extra">@@ -2795,6 +2814,19 @@</div><div class="gmail_extra">
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {</div><div class="gmail_extra"> return NGX_CONF_ERROR;</div><div class="gmail_extra"> }</div><div class="gmail_extra">+ ngx_conf_merge_str_value(conf->ssl_client_certificate,</div>
<div class="gmail_extra">+ prev->ssl_client_certificate, "");</div><div class="gmail_extra">+ ngx_conf_merge_str_value(conf->ssl_client_certificate_key,</div><div class="gmail_extra">
+ prev->ssl_client_certificate_key, "");</div><div class="gmail_extra">+ if( conf->ssl_trusted_certificate.len != 0 && </div><div class="gmail_extra">+ ( conf->ssl_client_certificate.len != 0 </div>
<div class="gmail_extra">+ || conf->ssl_client_certificate_key.len != 0) ) {</div><div class="gmail_extra">+ </div><div class="gmail_extra">+ ngx_log_error(NGX_LOG_WARN, cf->log, 0,</div><div class="gmail_extra">
+ "proxy_ssl_trusted_certificate is configured "</div><div class="gmail_extra">+ "so proxy_ssl_client_certificate and "</div><div class="gmail_extra">+ "proxy_ssl_client_certificate_key will be ignored");</div>
<div class="gmail_extra">+ }</div><div class="gmail_extra"> </div><div class="gmail_extra"> #endif</div><div class="gmail_extra"> </div><div class="gmail_extra">@@ -3861,22 +3893,42 @@</div><div class="gmail_extra"> }</div>
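Review bot: The two `ngx_conf_merge_str_value` calls for `ssl_client_certificate` and `ssl_client_certificate_key` are placed after `ngx_http_proxy_set_ssl(cf, conf)` has already returned, so a client certificate inherited from an enclosing block is still the `{ 0, NULL }` value from create_loc_conf when `ngx_http_proxy_set_ssl` reads it and is never loaded. Move both merges above the `if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK)` line, presumably next to the merges of the other `ssl_*` strings that this function does earlier (outside the hunk). The WARN that `proxy_ssl_client_certificate` "will be ignored" encodes the either/or design implemented in the later hunk in `ngx_http_proxy_set_ssl`; if that hunk is changed to load the client certificate independently of the trusted CA, this warning should go and an error for setting only one of certificate/key is the check worth having here. Style: `if(` and the trailing whitespace after `&&` / before `||` do not match nginx's `if (` and operator-at-line-start convention. The merge function starts before and ends after this hunk.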
<div class="gmail_extra"> </div><div class="gmail_extra"> if (plcf->upstream.ssl_verify) {</div><div class="gmail_extra">- if (plcf->ssl_trusted_certificate.len == 0) {</div><div class="gmail_extra">- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,</div>
<div class="gmail_extra">- "no proxy_ssl_trusted_certificate for proxy_ssl_verify");</div><div class="gmail_extra">- return NGX_ERROR;</div><div class="gmail_extra">- }</div>
<div class="gmail_extra">-</div><div class="gmail_extra">- if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,</div><div class="gmail_extra">+</div><div class="gmail_extra">+ if (plcf->ssl_trusted_certificate.len != 0) {</div>
<div class="gmail_extra">+</div><div class="gmail_extra">+ if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl,</div><div class="gmail_extra"> &plcf->ssl_trusted_certificate,</div>
<div class="gmail_extra"> plcf->ssl_verify_depth)</div><div class="gmail_extra">- != NGX_OK)</div><div class="gmail_extra">- {</div><div class="gmail_extra">+ != NGX_OK)</div>
<div class="gmail_extra">+ {</div><div class="gmail_extra">+ return NGX_ERROR;</div><div class="gmail_extra">+ }</div><div class="gmail_extra">+</div><div class="gmail_extra">+ if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) {</div>
<div class="gmail_extra">+ return NGX_ERROR;</div><div class="gmail_extra">+ }</div><div class="gmail_extra">+</div><div class="gmail_extra">+ }else if (plcf->ssl_client_certificate_key.len != 0 && </div>
<div class="gmail_extra">+ plcf->ssl_client_certificate.len != 0) {</div><div class="gmail_extra">+ </div><div class="gmail_extra">+ if (ngx_ssl_certificate(cf, plcf->upstream.ssl,</div>
<div class="gmail_extra">+ &plcf->ssl_client_certificate,</div><div class="gmail_extra">+ &plcf->ssl_client_certificate_key,</div><div class="gmail_extra">
+ 0)</div><div class="gmail_extra">+ != NGX_OK)</div><div class="gmail_extra">+ {</div><div class="gmail_extra">+ ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,</div>
<div class="gmail_extra">+ "ngx_ssl_certificate failed.");</div><div class="gmail_extra">+ return NGX_ERROR;</div><div class="gmail_extra">+ }</div><div class="gmail_extra">
+ }else {</div><div class="gmail_extra">+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,</div><div class="gmail_extra">+ "no proxy_ssl_trusted_certificate or "</div><div class="gmail_extra">
+ "(proxy_ssl_client_certificate and "</div><div class="gmail_extra">+ "proxy_ssl_client_certificate_key for "</div><div class="gmail_extra">+ "mutual authentication) for proxy_ssl_verify");</div>
<div class="gmail_extra"> return NGX_ERROR;</div><div class="gmail_extra">- }</div><div class="gmail_extra">-</div><div class="gmail_extra">- if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) {</div>
<div class="gmail_extra">- return NGX_ERROR;</div><div class="gmail_extra">+ </div><div class="gmail_extra"> }</div><div class="gmail_extra"> }</div><div class="gmail_extra"> </div><div><br>
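Review bot: The new `else if` turns the client certificate into an alternative to `proxy_ssl_trusted_certificate` rather than an addition to it: when only the client certificate is configured, `ngx_ssl_trusted_certificate` and `ngx_ssl_crl` are never called, so `proxy_ssl_verify on` installs no CA to check the upstream's certificate against, and what the handshake does in that state is decided by code outside this hunk. Mutual TLS needs both sides — the CA (and CRL) to authenticate the upstream, and the certificate/key to authenticate this proxy to it — so the `proxy_ssl_verify` block should stay as it was before this patch and the client certificate should be loaded in its own block outside `if (plcf->upstream.ssl_verify)`, so it also works when verification is off. A configuration that sets only one of `proxy_ssl_client_certificate` / `proxy_ssl_client_certificate_key` currently drops into the final `else` and gets the misleading "no proxy_ssl_trusted_certificate" message, so check that pair explicitly. The added `ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "ngx_ssl_certificate failed.")` duplicates whatever `ngx_ssl_certificate` itself reports (the unchanged trusted-certificate branch returns without logging), nginx messages do not end with a period, and `}else if` / `}else {` should be `} else if` / `} else {`. `ngx_http_proxy_set_ssl` begins before and ends after this hunk.
```c
    /* … unchanged: the pre-patch proxy_ssl_verify block (trusted certificate + CRL) … */

    if (plcf->ssl_client_certificate.len != 0
        || plcf->ssl_client_certificate_key.len != 0)
    {
        if (plcf->ssl_client_certificate.len == 0
            || plcf->ssl_client_certificate_key.len == 0)
        {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "proxy_ssl_client_certificate and "
                          "proxy_ssl_client_certificate_key "
                          "must be configured together");
            return NGX_ERROR;
        }

        if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
                                &plcf->ssl_client_certificate,
                                &plcf->ssl_client_certificate_key, NULL)
            != NGX_OK)
        {
            return NGX_ERROR;
        }
    }
```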
</div>
</div></div>