[nginx] Proxy: added the "proxy_ssl_protocols" directive.

Andrei Belov defan at nginx.com
Thu Sep 19 14:31:56 UTC 2013


details:   http://hg.nginx.org/nginx/rev/7c1f4977d8a0
branches:  
changeset: 5385:7c1f4977d8a0
user:      Andrei Belov <defan at nginx.com>
date:      Thu Sep 19 18:30:33 2013 +0400
description:
Proxy: added the "proxy_ssl_protocols" directive.

diffstat:

 src/http/modules/ngx_http_proxy_module.c |  50 +++++++++++++++++++++++++------
 1 files changed, 40 insertions(+), 10 deletions(-)

diffs (109 lines):

diff -r cfbf1d1cc233 -r 7c1f4977d8a0 src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c	Wed Sep 18 16:51:30 2013 -0700
+++ b/src/http/modules/ngx_http_proxy_module.c	Thu Sep 19 18:30:33 2013 +0400
@@ -76,6 +76,11 @@ typedef struct {
 
     ngx_uint_t                     headers_hash_max_size;
     ngx_uint_t                     headers_hash_bucket_size;
+
+#if (NGX_HTTP_SSL)
+    ngx_uint_t                     ssl;
+    ngx_uint_t                     ssl_protocols;
+#endif
 } ngx_http_proxy_loc_conf_t;
 
 
@@ -186,6 +191,20 @@ static ngx_conf_bitmask_t  ngx_http_prox
 };
 
 
+#if (NGX_HTTP_SSL)
+
+static ngx_conf_bitmask_t  ngx_http_proxy_ssl_protocols[] = {
+    { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+    { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+    { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+    { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
+    { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
+    { ngx_null_string, 0 }
+};
+
+#endif
+
+
 static ngx_conf_enum_t  ngx_http_proxy_http_version[] = {
     { ngx_string("1.0"), NGX_HTTP_VERSION_10 },
     { ngx_string("1.1"), NGX_HTTP_VERSION_11 },
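Review bot: The new ngx_http_proxy_ssl_protocols table has no comment tying it to the NGX_SSL_* bits it maps to, so a future protocol added to the core SSL layer can silently go missing here. A one-line comment above the table would help, e.g. `/* keep in sync with the NGX_SSL_* flags in ngx_event_openssl.h */`. It also includes SSLv2 and SSLv3, which is fine for an explicit opt-in list but worth stating so nobody mistakes it for the default set.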
@@ -512,6 +531,13 @@ static ngx_command_t  ngx_http_proxy_com
       offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_session_reuse),
       NULL },
 
+    { ngx_string("proxy_ssl_protocols"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
+      ngx_conf_set_bitmask_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, ssl_protocols),
+      &ngx_http_proxy_ssl_protocols },
+
 #endif
 
       ngx_null_command
@@ -2386,6 +2412,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
      *     conf->body_set = NULL;
      *     conf->body_source = { 0, NULL };
      *     conf->redirects = NULL;
+     *     conf->ssl = 0;
+     *     conf->ssl_protocols = 0;
      */
 
     conf->upstream.store = NGX_CONF_UNSET;
@@ -2701,6 +2729,15 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
 #if (NGX_HTTP_SSL)
     ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
                               prev->upstream.ssl_session_reuse, 1);
+
+    ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
+                                 (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3
+                                  |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
+                                  |NGX_SSL_TLSv1_2));
+
+    if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
+        return NGX_CONF_ERROR;
+    }
 #endif
 
     ngx_conf_merge_value(conf->redirect, prev->redirect, 1);
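Review bot: The default bitmask here drops SSLv2 relative to the hard-coded set the removed ngx_ssl_create() call used (see the last hunk), so an upstream reachable only over SSLv2 stops working without any configuration change; that is a sensible default but deserves a line in the commit description and a comment at the merge, e.g. `/* default mirrors ssl_protocols; SSLv2 deliberately excluded */`. Separately, conf->ssl itself is never merged from prev, so ngx_http_proxy_set_ssl() runs only for the location whose proxy_pass set it; whether a nested location that inherits the upstream also ends up with a usable upstream.ssl depends on code outside this hunk and should be confirmed. The enclosing ngx_http_proxy_merge_loc_conf body starts and ends outside the hunk.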
@@ -3146,9 +3183,7 @@ ngx_http_proxy_pass(ngx_conf_t *cf, ngx_
         }
 
 #if (NGX_HTTP_SSL)
-        if (ngx_http_proxy_set_ssl(cf, plcf) != NGX_OK) {
-            return NGX_CONF_ERROR;
-        }
+        plcf->ssl = 1;
 #endif
 
         return NGX_CONF_OK;
@@ -3161,9 +3196,7 @@ ngx_http_proxy_pass(ngx_conf_t *cf, ngx_
     } else if (ngx_strncasecmp(url->data, (u_char *) "https://", 8) == 0) {
 
 #if (NGX_HTTP_SSL)
-        if (ngx_http_proxy_set_ssl(cf, plcf) != NGX_OK) {
-            return NGX_CONF_ERROR;
-        }
+        plcf->ssl = 1;
 
         add = 8;
         port = 443;
@@ -3745,10 +3778,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
 
     plcf->upstream.ssl->log = cf->log;
 
-    if (ngx_ssl_create(plcf->upstream.ssl,
-                       NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1
-                                    |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2,
-                       NULL)
+    if (ngx_ssl_create(plcf->upstream.ssl, plcf->ssl_protocols, NULL)
         != NGX_OK)
     {
         return NGX_ERROR;
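Review bot: plcf->ssl_protocols is handed to ngx_ssl_create() with the NGX_CONF_BITMASK_SET flag still set, since the merge in ngx_http_proxy_merge_loc_conf never masks it off. If ngx_ssl_create() tests the NGX_SSL_* bits individually, as its existing server-side caller presumably relies on, the stray bit is harmless, but that assumption should be written down at the call, e.g. `/* NGX_CONF_BITMASK_SET is ignored by ngx_ssl_create() */`, or the flag masked off explicitly. ngx_http_proxy_set_ssl starts and ends outside the hunk.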


