[PATCH] New variable: $ssl_sni_host
Christian Marie
pingu at anchor.net.au
Tue May 21 03:08:43 UTC 2013
Patch attached adds a new variable, $ssl_sni_host.
I would find this quite useful as there is no other way of knowing for sure
which host a request is directed at (at the SSL layer), as the HTTP HOST header
can be wrong.
Possibly somewhat related to: http://trac.nginx.org/nginx/ticket/229
I should mention that I don't intend for this to be a drop in replacement for
$http_host, though that could very well work with proxy_pass.
-------------- next part --------------
# HG changeset patch
# User Christian Marie <pingu at anchor.net.au>
# Date 1369104447 -36000
# Tue May 21 12:47:27 2013 +1000
# Node ID aad7765348785a6e3958ea7594dc77e67a1119f5
# Parent cfab1e7e4ac2f0d17199ee1d49ac4647b63746d3
Add new $ssl_sni_host ngx_http_ssl_variable.
Useful when using SNI and multiple vhosts or proxy backends, as $http_host can
be entirely arbitrary.
diff -r cfab1e7e4ac2 -r aad776534878 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl.c Tue May 21 12:47:27 2013 +1000
@@ -2496,6 +2496,33 @@
}
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ngx_int_t
+ngx_ssl_get_sni_host(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ const char *host;
+
+ host = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+ if (host == NULL) {
+ return NGX_ERROR;
+ }
+
+ s->len = ngx_strlen(host);
+ if (s->len == 0) {
+ return NGX_ERROR;
+ }
+
+ s->data = ngx_pnalloc(pool, s->len);
+ if(s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(s->data, host, s->len);
+ return NGX_OK;
+}
+#endif
+
+
static void *
ngx_openssl_create_conf(ngx_cycle_t *cycle)
{
diff -r cfab1e7e4ac2 -r aad776534878 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl.h Tue May 21 12:47:27 2013 +1000
@@ -153,6 +153,10 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ngx_int_t ngx_ssl_get_sni_host(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
+#endif
ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r cfab1e7e4ac2 -r aad776534878 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu May 16 15:37:13 2013 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c Tue May 21 12:47:27 2013 +1000
@@ -260,6 +260,11 @@
{ ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ { ngx_string("ssl_sni_host"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_sni_host, NGX_HTTP_VAR_CHANGEABLE, 0 },
+#endif
+
{ ngx_null_string, NULL, NULL, 0, 0, 0 }
};
More information about the nginx-devel
mailing list