<div dir="ltr">Hello,<div><br></div><div>Yeah. The proposed design would work well for me.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Apr 9, 2021 at 5:17 PM Maxim Dounin <<a href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-style:solid;border-left-color:rgb(204,204,204);padding-left:1ex">Hello!<br>
<br>
On Fri, Apr 09, 2021 at 04:26:52PM +0300, Vasiliy Soshnikov wrote:<br>
<br>
[...]<br>
<br>
> +    /** SSL TLVs */<br>
> +<br>
> +#if (NGX_STREAM_SSL)<br>
> +<br>
> +    data = NULL;<br>
> +    data_len = 0;<br>
> +<br>
> +    tlv = (ngx_tlv_ssl_t *) (buf + len);<br>
> +    ngx_memzero(tlv, sizeof(ngx_tlv_ssl_t));<br>
> +<br>
> +    tlv->tlv.type = NGX_PROXY_PROTOCOL_V2_TYPE_SSL;<br>
> +    pos = buf + len + sizeof(ngx_tlv_ssl_t);<br>
> +<br>
> +    tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_SSL;<br>
> +<br>
> +    if (c->ssl != NULL) {<br>
> +<br>
> +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation<br>
> +        SSL_get0_alpn_selected(c->ssl->connection, &data, &data_len);<br>
> +<br>
> +#ifdef TLSEXT_TYPE_next_proto_neg<br>
> +        if (data_len == 0) {<br>
> +            SSL_get0_next_proto_negotiated(c->ssl->connection,<br>
> +                    &data, &data_len);<br>
> +        }<br>
> +#endif<br>
> +<br>
> +#else /* TLSEXT_TYPE_next_proto_neg */<br>
> +        SSL_get0_next_proto_negotiated(c->ssl->connection, &data,<br>
> &data_len);<br>
> +#endif<br>
> +<br>
> +        if (data_len) {<br>
> +<br>
> +            pos = ngx_copy_tlv(pos, last,<br>
> +                        NGX_PROXY_PROTOCOL_V2_TYPE_ALPN,<br>
> +                        (u_char *) data, (uint16_t) data_len);<br>
> +            if (pos == NULL) {<br>
> +                return NULL;<br>
> +            }<br>
> +        }<br>
> +<br>
> +        value = (u_char *) SSL_get_version(c->ssl->connection);<br>
> +        if (value != NULL) {<br>
> +<br>
> +            pos = ngx_copy_tlv(pos, last,<br>
> +                    NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_VERSION,<br>
> +                    value, ngx_strlen(value));<br>
> +            if (pos == NULL) {<br>
> +                return NULL;<br>
> +            }<br>
> +        }<br>
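<br>
Review bot: tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_SSL is executed before the if (c->ssl != NULL) test, so the SSL TLV tells the upstream that the client connected over TLS even when the connection has no SSL context. Set the flag inside the c->ssl branch, or skip the SSL TLV entirely when c->ssl is NULL. In the preprocessor block, the #else pairs with #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation although its comment names TLSEXT_TYPE_next_proto_neg, and the SSL_get0_next_proto_negotiated() call in that branch is compiled without a TLSEXT_TYPE_next_proto_neg guard whenever ALPN is missing; guard that call and correct the comment. Also, ngx_memzero(tlv, sizeof(ngx_tlv_ssl_t)) writes at buf + len with no check against last in the visible lines, unlike the ngx_copy_tlv() calls, which take last.<br>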
<br>
[...]<br>
<br>
Thanks for the patch.<br>
<br>
For the record, as discussed privately: this is more or less a <br>
proof-of-concept for the ticket #1639[1], used for tests with <br>
RabbitMQ[2].  A committable solution probably needs something similar <br>
to proxy_set_header / fastcgi_param to control TLVs sent to the <br>
upstream server instead of hardcoding them.<br>
<br>
[1] <a href="https://trac.nginx.org/nginx/ticket/1639" rel="noreferrer" target="_blank">https://trac.nginx.org/nginx/ticket/1639</a><br>
[2] <a href="https://www.rabbitmq.com/networking.html#proxy-protocol" rel="noreferrer" target="_blank">https://www.rabbitmq.com/networking.html#proxy-protocol</a><br>
<br>
-- <br>
Maxim Dounin<br>
<a href="http://mdounin.ru/" rel="noreferrer" target="_blank">http://mdounin.ru/</a><br>
_______________________________________________<br>
nginx-devel mailing list<br>
<a href="mailto:nginx-devel@nginx.org" target="_blank">nginx-devel@nginx.org</a><br>
<a href="http://mailman.nginx.org/mailman/listinfo/nginx-devel" rel="noreferrer" target="_blank">http://mailman.nginx.org/mailman/listinfo/nginx-devel</a><br>
</blockquote></div>