[nginx] Upstream: add "proxy_ssl_certificate" and friends.
Maxim Dounin
mdounin at mdounin.ru
Tue Nov 11 14:02:26 UTC 2014
details: http://hg.nginx.org/nginx/rev/20d966ad5e89
branches:
changeset: 5900:20d966ad5e89
user: Piotr Sikora <piotr at cloudflare.com>
date: Thu Oct 30 04:30:41 2014 -0700
description:
Upstream: add "proxy_ssl_certificate" and friends.
Signed-off-by: Piotr Sikora <piotr at cloudflare.com>
diffstat:
src/http/modules/ngx_http_proxy_module.c | 81 ++++++++++++++++++++++++++++++++
src/http/modules/ngx_http_uwsgi_module.c | 73 ++++++++++++++++++++++++++++
2 files changed, 154 insertions(+), 0 deletions(-)
diffs (265 lines):
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -84,6 +84,9 @@ typedef struct {
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_str_t ssl_certificate;
+ ngx_str_t ssl_certificate_key;
+ ngx_array_t *ssl_passwords;
#endif
} ngx_http_proxy_loc_conf_t;
@@ -162,6 +165,10 @@ static char *ngx_http_proxy_cache(ngx_co
static char *ngx_http_proxy_cache_key(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
#endif
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_password_file(ngx_conf_t *cf,
+ ngx_command_t *cmd, void *conf);
+#endif
static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
@@ -626,6 +633,27 @@ static ngx_command_t ngx_http_proxy_com
offsetof(ngx_http_proxy_loc_conf_t, ssl_crl),
NULL },
+ { ngx_string("proxy_ssl_certificate"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_certificate),
+ NULL },
+
+ { ngx_string("proxy_ssl_certificate_key"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_certificate_key),
+ NULL },
+
+ { ngx_string("proxy_ssl_password_file"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_http_proxy_ssl_password_file,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ 0,
+ NULL },
+
#endif
ngx_null_command
@@ -2479,6 +2507,8 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
* conf->ssl_ciphers = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
+ * conf->ssl_certificate = { 0, NULL };
+ * conf->ssl_certificate_key = { 0, NULL };
*/
conf->upstream.store = NGX_CONF_UNSET;
@@ -2527,6 +2557,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
+ conf->ssl_passwords = NGX_CONF_UNSET_PTR;
#endif
/* "proxy_cyclic_temp_file" is disabled */
@@ -2836,6 +2867,12 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+ ngx_conf_merge_str_value(conf->ssl_certificate,
+ prev->ssl_certificate, "");
+ ngx_conf_merge_str_value(conf->ssl_certificate_key,
+ prev->ssl_certificate_key, "");
+ ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -3837,6 +3874,33 @@ ngx_http_proxy_cache_key(ngx_conf_t *cf,
#endif
+#if (NGX_HTTP_SSL)
+
+static char *
+ngx_http_proxy_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_http_proxy_loc_conf_t *plcf = conf;
+
+ ngx_str_t *value;
+
+ if (plcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
+ return "is duplicate";
+ }
+
+ value = cf->args->elts;
+
+ plcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+ if (plcf->ssl_passwords == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ return NGX_CONF_OK;
+}
+
+#endif
+
+
static char *
ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data)
{
@@ -3894,6 +3958,23 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = plcf->upstream.ssl;
+ if (plcf->ssl_certificate.len) {
+
+ if (plcf->ssl_certificate_key.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"proxy_ssl_certificate_key\" is defined "
+ "for certificate \"%V\"", &plcf->ssl_certificate);
+ return NGX_ERROR;
+ }
+
+ if (ngx_ssl_certificate(cf, plcf->upstream.ssl, &plcf->ssl_certificate,
+ &plcf->ssl_certificate_key, plcf->ssl_passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+ }
+
if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
(const char *) plcf->ssl_ciphers.data)
== 0)
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -42,6 +42,9 @@ typedef struct {
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_str_t ssl_certificate;
+ ngx_str_t ssl_certificate_key;
+ ngx_array_t *ssl_passwords;
#endif
} ngx_http_uwsgi_loc_conf_t;
@@ -76,6 +79,8 @@ static char *ngx_http_uwsgi_cache_key(ng
#endif
#if (NGX_HTTP_SSL)
+static char *ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf,
+ ngx_command_t *cmd, void *conf);
static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf,
ngx_http_uwsgi_loc_conf_t *uwcf);
#endif
@@ -482,6 +487,27 @@ static ngx_command_t ngx_http_uwsgi_comm
offsetof(ngx_http_uwsgi_loc_conf_t, ssl_crl),
NULL },
+ { ngx_string("uwsgi_ssl_certificate"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_certificate),
+ NULL },
+
+ { ngx_string("uwsgi_ssl_certificate_key"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_certificate_key),
+ NULL },
+
+ { ngx_string("uwsgi_ssl_password_file"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+ ngx_http_uwsgi_ssl_password_file,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ 0,
+ NULL },
+
#endif
ngx_null_command
@@ -1326,6 +1352,7 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
+ conf->ssl_passwords = NGX_CONF_UNSET_PTR;
#endif
/* "uwsgi_cyclic_temp_file" is disabled */
@@ -1619,6 +1646,12 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
+ ngx_conf_merge_str_value(conf->ssl_certificate,
+ prev->ssl_certificate, "");
+ ngx_conf_merge_str_value(conf->ssl_certificate_key,
+ prev->ssl_certificate_key, "");
+ ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+
if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -2109,6 +2142,29 @@ ngx_http_uwsgi_cache_key(ngx_conf_t *cf,
#if (NGX_HTTP_SSL)
+static char *
+ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_http_uwsgi_loc_conf_t *uwcf = conf;
+
+ ngx_str_t *value;
+
+ if (uwcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
+ return "is duplicate";
+ }
+
+ value = cf->args->elts;
+
+ uwcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+ if (uwcf->ssl_passwords == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
{
@@ -2135,6 +2191,23 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = uwcf->upstream.ssl;
+ if (uwcf->ssl_certificate.len) {
+
+ if (uwcf->ssl_certificate_key.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"uwsgi_ssl_certificate_key\" is defined "
+ "for certificate \"%V\"", &uwcf->ssl_certificate);
+ return NGX_ERROR;
+ }
+
+ if (ngx_ssl_certificate(cf, uwcf->upstream.ssl, &uwcf->ssl_certificate,
+ &uwcf->ssl_certificate_key, uwcf->ssl_passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+ }
+
if (SSL_CTX_set_cipher_list(uwcf->upstream.ssl->ctx,
(const char *) uwcf->ssl_ciphers.data)
== 0)
More information about the nginx-devel
mailing list