ssl/nonssl listener в контексте одного server'а

Igor Sysoev is at rambler-co.ru
Fri Aug 29 18:16:42 MSD 2008


On Wed, Aug 27, 2008 at 11:49:43PM +0400, Igor Sysoev wrote:

> On Wed, Aug 27, 2008 at 05:05:33PM +0700, Artem Bokhan wrote:
> 
> > Игорь, а нельзя ли упростить включение ssl до вида, схожего с указанным 
> > ниже? Возможно, я ошибаюсь, и возможность слушать ssl и не-ssl порты в 
> > контексте одного сервера уже реализована?
> > 
> >    server {
> >        listen  80;
> >        listen  443 ssl;
> >        ....
> >    }
> 
> Прилагаемый патч добавляет такую функциональность.
> Если тестирование пройдёт успешно, то патч будет включён в 0.7.14.
> 
>     server {
>         listen  80;
>         listen  443 default ssl;
> 
>         server_name  www.example.com;
> 
>         ssl_certificate       /path/to/cert;
>         ssl_certificate_key   /path/to/key;
> 
>         location / {
>             ...
>         }
> 
>         location /ssl/only/dir/ {
>             if ($scheme = http) {
>                 rewrite  ^(.+)$   https://www.example.com$1;
>             }
>             ...
>         }
> 
>     }

Новая версия.


-- 
Игорь Сысоев
http://sysoev.ru
-------------- next part --------------
Index: src/http/ngx_http_request.c
===================================================================
--- src/http/ngx_http_request.c	(revision 1538)
+++ src/http/ngx_http_request.c	(working copy)
@@ -357,9 +357,20 @@
     ngx_http_ssl_srv_conf_t  *sscf;
 
     sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
-    if (sscf->enable) {
+    if (sscf->enable || hia[i].ssl) {
 
         if (c->ssl == NULL) {
+
+            c->log->action = "SSL handshaking";
+
+            if (hia[i].ssl && sscf->ssl.ctx == NULL) {
+                ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                              "no \"ssl_certificate\" is defined "
+                              "in server listening on SSL port");
+                ngx_http_close_connection(c);
+                return;
+            }
+
             if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER)
                 == NGX_ERROR)
             {
@@ -529,6 +540,8 @@
         }
     }
 
+    c->log->action = "reading client request line";
+
     rev->handler = ngx_http_process_request_line;
     ngx_http_process_request_line(rev);
 }
Index: src/http/ngx_http_core_module.c
===================================================================
--- src/http/ngx_http_core_module.c	(revision 1538)
+++ src/http/ngx_http_core_module.c	(working copy)
@@ -3081,6 +3081,17 @@
             continue;
         }
 
+        if (ngx_strcmp(value[n].data, "ssl") == 0) {
+#if (NGX_HTTP_SSL)
+            ls->conf.ssl = 1;
+#else
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                               "the \"ssl\" parameter requires "
+                               "ngx_http_ssl_module, ignored");
+#endif
+            continue;
+        }
+
         ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                            "the invalid \"%V\" parameter", &value[n]);
         return NGX_CONF_ERROR;
Index: src/http/ngx_http_core_module.h
===================================================================
--- src/http/ngx_http_core_module.h	(revision 1538)
+++ src/http/ngx_http_core_module.h	(working copy)
@@ -35,6 +35,9 @@
 typedef struct {
     unsigned                   default_server:1;
     unsigned                   bind:1;
+#if (NGX_HTTP_SSL)
+    unsigned                   ssl:1;
+#endif
 
     int                        backlog;
     int                        rcvbuf;
@@ -167,6 +170,10 @@
     ngx_http_core_srv_conf_t  *core_srv_conf;
 
     ngx_http_virtual_names_t  *virtual_names;
+
+#if (NGX_HTTP_SSL)
+    ngx_uint_t                 ssl;   /* unsigned  ssl:1; */
+#endif
 } ngx_http_in_addr_t;
 
 
@@ -203,6 +210,9 @@
 
     unsigned                   default_server:1;
     unsigned                   bind:1;
+#if (NGX_HTTP_SSL)
+    unsigned                   ssl:1;
+#endif
 
     ngx_http_listen_conf_t    *listen_conf;
 } ngx_http_conf_in_addr_t;
Index: src/http/modules/ngx_http_ssl_module.c
===================================================================
--- src/http/modules/ngx_http_ssl_module.c	(revision 1538)
+++ src/http/modules/ngx_http_ssl_module.c	(working copy)
@@ -13,8 +13,6 @@
     ngx_pool_t *pool, ngx_str_t *s);
 
 
-#define NGX_DEFAULT_CERTIFICATE      "cert.pem"
-#define NGX_DEFAULT_CERTIFICATE_KEY  "cert.pem"
 #define NGX_DEFAULT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 
 
@@ -28,6 +26,8 @@
 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
     void *parent, void *child);
 
+static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 
@@ -61,7 +61,7 @@
 
     { ngx_string("ssl"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
-      ngx_conf_set_flag_slot,
+      ngx_http_ssl_enable,
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, enable),
       NULL },
@@ -339,10 +339,6 @@
 
     ngx_conf_merge_value(conf->enable, prev->enable, 0);
 
-    if (conf->enable == 0) {
-        return NGX_CONF_OK;
-    }
-
     ngx_conf_merge_value(conf->session_timeout,
                          prev->session_timeout, 300);
 
@@ -356,12 +352,9 @@
     ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
     ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
 
-    ngx_conf_merge_str_value(conf->certificate, prev->certificate,
-                         NGX_DEFAULT_CERTIFICATE);
+    ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
+    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
 
-    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
-                         NGX_DEFAULT_CERTIFICATE_KEY);
-
     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
     ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
@@ -372,6 +365,39 @@
 
     conf->ssl.log = cf->log;
 
+    if (conf->enable) {
+
+        if (conf->certificate.len == 0) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "SSL mode is enabled, "
+                          "but no \"ssl_certificate\" is defined in %s:%ui",
+                          conf->file, conf->line);
+            return NGX_CONF_ERROR;
+        }
+
+        if (conf->certificate_key.len == 0) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "SSL mode is enabled, "
+                          "but no \"ssl_certificate_key\" is defined in %s:%ui",
+                          conf->file, conf->line);
+            return NGX_CONF_ERROR;
+        }
+
+    } else {
+
+        if (conf->certificate.len == 0) {
+            return NGX_CONF_OK;
+        }
+
+        if (conf->certificate_key.len == 0) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no \"ssl_certificate_key\" is defined "
+                          "for certificate \"%V\"",
+                          &conf->certificate);
+            return NGX_CONF_ERROR;
+        }
+    }
+
     if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
@@ -467,6 +493,26 @@
 
 
 static char *
+ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    ngx_http_ssl_srv_conf_t *sscf = conf;
+
+    char  *rv;
+
+    rv = ngx_conf_set_flag_slot(cf, cmd, conf);
+
+    if (rv != NGX_CONF_OK) {
+        return rv;
+    }
+
+    sscf->file = cf->conf_file->file.name.data;
+    sscf->line = cf->conf_file->line;
+
+    return NGX_CONF_OK;
+}
+
+
+static char *
 ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {
     ngx_http_ssl_srv_conf_t *sscf = conf;
Index: src/http/modules/ngx_http_ssl_module.h
===================================================================
--- src/http/modules/ngx_http_ssl_module.h	(revision 1538)
+++ src/http/modules/ngx_http_ssl_module.h	(working copy)
@@ -37,6 +37,9 @@
     ngx_str_t                       ciphers;
 
     ngx_shm_zone_t                 *shm_zone;
+
+    u_char                         *file;
+    ngx_uint_t                      line;
 } ngx_http_ssl_srv_conf_t;
 
 
Index: src/http/ngx_http.c
===================================================================
--- src/http/ngx_http.c	(revision 1538)
+++ src/http/ngx_http.c	(working copy)
@@ -1158,6 +1158,10 @@
 
                         in_addr[a].core_srv_conf = cscfp[s];
                         in_addr[a].default_server = 1;
+#if (NGX_HTTP_SSL)
+                        in_addr[a].ssl = listen[l].conf.ssl;
+#endif
+                        in_addr[a].listen_conf = &listen[l].conf;
                     }
 
                     goto found;
@@ -1241,6 +1245,9 @@
     in_addr->core_srv_conf = cscf;
     in_addr->default_server = listen->conf.default_server;
     in_addr->bind = listen->conf.bind;
+#if (NGX_HTTP_SSL)
+    in_addr->ssl = listen->conf.ssl;
+#endif
     in_addr->listen_conf = &listen->conf;
 
     return ngx_http_add_names(cf, cscf, in_addr);
@@ -1647,6 +1654,10 @@
             hip->addrs[i].addr = in_addr[i].addr;
             hip->addrs[i].core_srv_conf = in_addr[i].core_srv_conf;
 
+#if (NGX_HTTP_SSL)
+            hip->addrs[i].ssl = in_addr[i].ssl;
+#endif
+
             if (in_addr[i].hash.buckets == NULL
                 && (in_addr[i].wc_head == NULL
                     || in_addr[i].wc_head->hash.buckets == NULL)
Index: src/mail/ngx_mail.c
===================================================================
--- src/mail/ngx_mail.c	(revision 1538)
+++ src/mail/ngx_mail.c	(working copy)
@@ -261,6 +261,9 @@
         in_addr->addr = imls[l].addr;
         in_addr->ctx = imls[l].ctx;
         in_addr->bind = imls[l].bind;
+#if (NGX_MAIL_SSL)
+        in_addr->ssl = imls[l].ssl;
+#endif
     }
 
     /* optimize the lists of ports and addresses */
@@ -370,6 +373,10 @@
 
                 imip->addrs[i].addr_text.len = len;
                 imip->addrs[i].addr_text.data = text;
+
+#if (NGX_MAIL_SSL)
+                imip->addrs[i].ssl = in_addr[i].ssl;
+#endif
             }
 
             if (done) {
Index: src/mail/ngx_mail.h
===================================================================
--- src/mail/ngx_mail.h	(revision 1538)
+++ src/mail/ngx_mail.h	(working copy)
@@ -34,6 +34,9 @@
     ngx_mail_conf_ctx_t    *ctx;
 
     unsigned                bind:1;
+#if (NGX_MAIL_SSL)
+    unsigned                ssl:1;
+#endif
 } ngx_mail_listen_t;
 
 
@@ -41,6 +44,9 @@
     in_addr_t               addr;
     ngx_mail_conf_ctx_t    *ctx;
     ngx_str_t               addr_text;
+#if (NGX_MAIL_SSL)
+    ngx_uint_t              ssl;    /* unsigned   ssl:1; */
+#endif
 } ngx_mail_in_addr_t;
 
 
@@ -60,6 +66,9 @@
     in_addr_t               addr;
     ngx_mail_conf_ctx_t    *ctx;
     unsigned                bind:1;
+#if (NGX_MAIL_SSL)
+    unsigned                ssl:1;
+#endif
 } ngx_mail_conf_in_addr_t;
 
 
Index: src/mail/ngx_mail_core_module.c
===================================================================
--- src/mail/ngx_mail_core_module.c	(revision 1538)
+++ src/mail/ngx_mail_core_module.c	(working copy)
@@ -351,18 +351,30 @@
         }
     }
 
-    if (cf->args->nelts == 2) {
-        return NGX_CONF_OK;
-    }
+    for (i = 2; i < cf->args->nelts; i++) {
 
-    if (ngx_strcmp(value[2].data, "bind") == 0) {
-        imls->bind = 1;
-        return NGX_CONF_OK;
+        if (ngx_strcmp(value[i].data, "bind") == 0) {
+            imls->bind = 1;
+            continue;
+        }
+
+        if (ngx_strcmp(value[i].data, "ssl") == 0) {
+#if (NGX_MAIL_SSL)
+            imls->ssl = 1;
+#else
+            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                               "the \"ssl\" parameter requires "
+                               "ngx_mail_ssl_module, ignored");
+#endif
+            continue;
+        }
+
+        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+                           "the invalid \"%V\" parameter", &value[i]);
+        return NGX_CONF_ERROR;
     }
 
-    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-                       "the invalid \"%V\" parameter", &value[2]);
-    return NGX_CONF_ERROR;
+    return NGX_CONF_OK;
 }
 
 
Index: src/mail/ngx_mail_ssl_module.c
===================================================================
--- src/mail/ngx_mail_ssl_module.c	(revision 1538)
+++ src/mail/ngx_mail_ssl_module.c	(working copy)
@@ -9,13 +9,16 @@
 #include <ngx_mail.h>
 
 
-#define NGX_DEFAULT_CERTIFICATE      "cert.pem"
-#define NGX_DEFAULT_CERTIFICATE_KEY  "cert.pem"
 #define NGX_DEFAULT_CIPHERS  "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
 
 
 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
+
+static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
+static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
+    void *conf);
 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
     void *conf);
 
@@ -50,14 +53,14 @@
 
     { ngx_string("ssl"),
       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
-      ngx_conf_set_flag_slot,
+      ngx_mail_ssl_enable,
       NGX_MAIL_SRV_CONF_OFFSET,
       offsetof(ngx_mail_ssl_conf_t, enable),
       NULL },
 
     { ngx_string("starttls"),
       NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
-      ngx_conf_set_enum_slot,
+      ngx_mail_ssl_starttls,
       NGX_MAIL_SRV_CONF_OFFSET,
       offsetof(ngx_mail_ssl_conf_t, starttls),
       ngx_http_starttls_state },
@@ -197,12 +200,9 @@
     ngx_pool_cleanup_t  *cln;
 
     ngx_conf_merge_value(conf->enable, prev->enable, 0);
-    ngx_conf_merge_value(conf->starttls, prev->starttls, NGX_MAIL_STARTTLS_OFF);
+    ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
+                         NGX_MAIL_STARTTLS_OFF);
 
-    if (conf->enable == 0 && conf->starttls == NGX_MAIL_STARTTLS_OFF) {
-        return NGX_CONF_OK;
-    }
-
     ngx_conf_merge_value(conf->session_timeout,
                          prev->session_timeout, 300);
 
@@ -213,12 +213,9 @@
                          (NGX_CONF_BITMASK_SET
                           |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
 
-    ngx_conf_merge_str_value(conf->certificate, prev->certificate,
-                         NGX_DEFAULT_CERTIFICATE);
+    ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
+    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
 
-    ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
-                         NGX_DEFAULT_CERTIFICATE_KEY);
-
     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
 
     ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
@@ -226,6 +223,39 @@
 
     conf->ssl.log = cf->log;
 
+    if (conf->enable || conf->starttls != NGX_MAIL_STARTTLS_OFF) {
+
+        if (conf->certificate.len == 0) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "SSL mode is enabled, "
+                          "but no \"ssl_certificate\" is defined in %s:%ui",
+                          conf->file, conf->line);
+            return NGX_CONF_ERROR;
+        }
+
+        if (conf->certificate_key.len == 0) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "SSL mode is enabled, "
+                          "but no \"ssl_certificate_key\" is defined in %s:%ui",
+                          conf->file, conf->line);
+            return NGX_CONF_ERROR;
+        }
+
+    } else {
+
+        if (conf->certificate.len == 0) {
+            return NGX_CONF_OK;
+        }
+
+        if (conf->certificate_key.len == 0) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no \"ssl_certificate_key\" is defined "
+                          "for certificate \"%V\"",
+                          &conf->certificate);
+            return NGX_CONF_ERROR;
+        }
+    }
+
     if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
@@ -292,6 +322,58 @@
 
 
 static char *
+ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    ngx_mail_ssl_conf_t  *scf = conf;
+
+    char  *rv;
+
+    rv = ngx_conf_set_flag_slot(cf, cmd, conf);
+
+    if (rv != NGX_CONF_OK) {
+        return rv;
+    }
+
+    if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
+        ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
+                           "\"starttls\" directive conflicts with \"ssl on\"");
+        return NGX_CONF_ERROR;
+    }
+
+    scf->file = cf->conf_file->file.name.data;
+    scf->line = cf->conf_file->line;
+
+    return NGX_CONF_OK;
+}
+
+
+static char *
+ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+    ngx_mail_ssl_conf_t  *scf = conf;
+
+    char  *rv;
+
+    rv = ngx_conf_set_enum_slot(cf, cmd, conf);
+
+    if (rv != NGX_CONF_OK) {
+        return rv;
+    }
+
+    if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
+        ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
+                           "\"ssl\" directive conflicts with \"starttls\"");
+        return NGX_CONF_ERROR;
+    }
+
+    scf->file = cf->conf_file->file.name.data;
+    scf->line = cf->conf_file->line;
+
+    return NGX_CONF_OK;
+}
+
+
+static char *
 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
 {
     ngx_mail_ssl_conf_t  *scf = conf;
Index: src/mail/ngx_mail_ssl_module.h
===================================================================
--- src/mail/ngx_mail_ssl_module.h	(revision 1538)
+++ src/mail/ngx_mail_ssl_module.h	(working copy)
@@ -20,12 +20,11 @@
 
 typedef struct {
     ngx_flag_t       enable;
+    ngx_flag_t       prefer_server_ciphers;
 
     ngx_ssl_t        ssl;
 
-    ngx_flag_t       prefer_server_ciphers;
-    ngx_flag_t       starttls;
-
+    ngx_uint_t       starttls;
     ngx_uint_t       protocols;
 
     ssize_t          builtin_session_cache;
@@ -39,6 +38,9 @@
     ngx_str_t        ciphers;
 
     ngx_shm_zone_t  *shm_zone;
+
+    u_char          *file;
+    ngx_uint_t       line;
 } ngx_mail_ssl_conf_t;
 
 
Index: src/mail/ngx_mail_handler.c
===================================================================
--- src/mail/ngx_mail_handler.c	(revision 1538)
+++ src/mail/ngx_mail_handler.c	(working copy)
@@ -118,10 +118,29 @@
     sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
 
     if (sslcf->enable) {
+        c->log->action = "SSL handshaking";
+
         ngx_mail_ssl_init_connection(&sslcf->ssl, c);
         return;
     }
+
+    if (imia[i].ssl) {
+
+        c->log->action = "SSL handshaking";
+
+        if (sslcf->ssl.ctx == NULL) {
+            ngx_log_error(NGX_LOG_ERR, c->log, 0,
+                          "no \"ssl_certificate\" is defined "
+                          "in server listening on SSL port");
+            ngx_mail_close_connection(c);
+            return;
+        }
+
+        ngx_mail_ssl_init_connection(&sslcf->ssl, c);
+        return;
     }
+
+    }
 #endif
 
     ngx_mail_init_session(c);


More information about the nginx-ru mailing list