[PATCH] Proxy: added the "proxy_ssl_ciphers" directive.

Piotr Sikora piotr at cloudflare.com
Mon Sep 23 05:40:23 UTC 2013


# HG changeset patch
# User Piotr Sikora <piotr at cloudflare.com>
# Date 1379914582 25200
#      Sun Sep 22 22:36:22 2013 -0700
# Node ID 1039d5b5365dd553a5cc3fbca95a6f3aa9ff6dc2
# Parent  0fbcfab0bfd72dbc40c3ee75665e81a08ed2fa0b
Proxy: added the "proxy_ssl_ciphers" directive.

Signed-off-by: Piotr Sikora <piotr at cloudflare.com>

diff -r 0fbcfab0bfd7 -r 1039d5b5365d src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c  Sun Sep 22 22:36:11 2013 -0700
+++ b/src/http/modules/ngx_http_proxy_module.c  Sun Sep 22 22:36:22 2013 -0700
@@ -10,6 +10,9 @@
 #include <ngx_http.h>


+#define NGX_DEFAULT_CIPHERS  "HIGH:!aNULL:!MD5"
+
+
 typedef struct ngx_http_proxy_rewrite_s  ngx_http_proxy_rewrite_t;

 typedef ngx_int_t (*ngx_http_proxy_rewrite_pt)(ngx_http_request_t *r,
@@ -80,6 +83,7 @@ typedef struct {
 #if (NGX_HTTP_SSL)
     ngx_uint_t                     ssl;
     ngx_uint_t                     ssl_protocols;
+    ngx_str_t                      ssl_ciphers;
 #endif
 } ngx_http_proxy_loc_conf_t;

@@ -538,6 +542,13 @@ static ngx_command_t  ngx_http_proxy_com
       offsetof(ngx_http_proxy_loc_conf_t, ssl_protocols),
       &ngx_http_proxy_ssl_protocols },

+    { ngx_string("proxy_ssl_ciphers"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers),
+      NULL },
+
 #endif

       ngx_null_command
@@ -2414,6 +2425,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
      *     conf->redirects = NULL;
      *     conf->ssl = 0;
      *     conf->ssl_protocols = 0;
+     *     conf->ssl_ciphers = { 0, NULL };
      */

     conf->upstream.store = NGX_CONF_UNSET;
@@ -2735,6 +2747,9 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
                                   |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
                                   |NGX_SSL_TLSv1_2));

+    ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
+                             NGX_DEFAULT_CIPHERS);
+
     if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
@@ -3784,6 +3799,16 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
         return NGX_ERROR;
     }

+    if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
+                                (const char *) plcf->ssl_ciphers.data)
+        == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
+                      "SSL_CTX_set_cipher_list(\"%V\") failed",
+                      &plcf->ssl_ciphers);
+        return NGX_ERROR;
+    }
+
     cln = ngx_pool_cleanup_add(cf->pool, 0);
     if (cln == NULL) {
         return NGX_ERROR;



More information about the nginx-devel mailing list