[PATCH] New variable: $ssl_sni_host

Christian Marie pingu at anchor.net.au
Tue May 21 03:08:43 UTC 2013


Patch attached adds a new variable, $ssl_sni_host.

I would find this quite useful as there is no other way of knowing for sure
which host a request is directed at (at the SSL layer), as the HTTP HOST header
can be wrong.

Possibly somewhat related to: http://trac.nginx.org/nginx/ticket/229

I should mention that I don't intend for this to be a drop-in replacement for
$http_host, though that could very well work with proxy_pass.
-------------- next part --------------
# HG changeset patch
# User Christian Marie <pingu at anchor.net.au>
# Date 1369104447 -36000
#      Tue May 21 12:47:27 2013 +1000
# Node ID aad7765348785a6e3958ea7594dc77e67a1119f5
# Parent  cfab1e7e4ac2f0d17199ee1d49ac4647b63746d3
Add new $ssl_sni_host ngx_http_ssl_variable.

Useful when using SNI and multiple vhosts or proxy backends, as $http_host can
be entirely arbitrary.

diff -r cfab1e7e4ac2 -r aad776534878 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c	Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl.c	Tue May 21 12:47:27 2013 +1000
@@ -2496,6 +2496,33 @@
 }
 
 
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ngx_int_t
+ngx_ssl_get_sni_host(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+    const char *host;
+
+    host = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+    if (host == NULL) {
+        return NGX_ERROR;
+    }
+
+    s->len = ngx_strlen(host);
+    if (s->len == 0) {
+        return NGX_ERROR;
+    }
+
+    s->data = ngx_pnalloc(pool, s->len);
+    if(s->data == NULL) {
+        return NGX_ERROR;
+    }
+
+    ngx_memcpy(s->data, host, s->len);
+    return NGX_OK;
+}
+#endif
+
+
 static void *
 ngx_openssl_create_conf(ngx_cycle_t *cycle)
 {
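Review bot: In ngx_ssl_get_sni_host the `host == NULL` and `s->len == 0` branches return NGX_ERROR, which reports the ordinary case of a client that sent no server_name extension as a failure. If ngx_http_ssl_variable turns a non-OK result into an evaluation error (its body is not in this patch), any configuration referencing $ssl_sni_host would fail requests from non-SNI clients instead of seeing an empty value. Using `s->len = 0; return NGX_OK;` on those two paths and keeping NGX_ERROR for the ngx_pnalloc failure would avoid that. The copied bytes are also exactly what the client put in its ClientHello: they are not validated or lowercased here and nothing ties them to the Host header, so the function should carry a comment such as `/* client-supplied and unvalidated; not an authenticated identity */`. Style nit: `if(s->data == NULL)` is missing the space after `if`.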
diff -r cfab1e7e4ac2 -r aad776534878 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h	Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl.h	Tue May 21 12:47:27 2013 +1000
@@ -153,6 +153,10 @@
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ngx_int_t ngx_ssl_get_sni_host(ngx_connection_t *c, ngx_pool_t *pool,
+    ngx_str_t *s);
+#endif
 
 
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
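Review bot: Guarding the prototype with `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` here, and the `ssl_sni_host` table entry in ngx_http_ssl_module.c the same way, makes the variable's existence depend on the OpenSSL build. A configuration that references $ssl_sni_host would presumably be rejected as an unknown variable on a build without SNI support, so the same config could load on one host and not on another. Declaring and registering the getter unconditionally and moving the `#ifdef` inside the function body, with the fallback path doing `s->len = 0; return NGX_OK;`, keeps the variable defined everywhere and simply empty when SNI is unavailable.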
diff -r cfab1e7e4ac2 -r aad776534878 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c	Thu May 16 15:37:13 2013 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c	Tue May 21 12:47:27 2013 +1000
@@ -260,6 +260,11 @@
     { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+    { ngx_string("ssl_sni_host"), NULL, ngx_http_ssl_variable,
+      (uintptr_t) ngx_ssl_get_sni_host, NGX_HTTP_VAR_CHANGEABLE, 0 },
+#endif
+
     { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };
 

