[nginx] Upstream: fixed passwords support for dynamic certificates.
noreply at nginx.com
noreply at nginx.com
Thu Apr 10 13:28:02 UTC 2025
details: https://github.com/nginx/nginx/commit/6c3a9d561271ec451f479a84fbe54c81a63dad2e
branches: master
commit: 6c3a9d561271ec451f479a84fbe54c81a63dad2e
user: Sergey Kandaurov <pluknet at nginx.com>
date: Wed, 5 Feb 2025 19:16:05 +0400
description:
Upstream: fixed passwords support for dynamic certificates.
Passwords were not preserved in optimized SSL contexts, the bug had
appeared in d791b4aab (1.23.1), as in the following configuration:
server {
proxy_ssl_password_file password;
proxy_ssl_certificate $ssl_server_name.crt;
proxy_ssl_certificate_key $ssl_server_name.key;
location /original/ {
proxy_pass https://u1/;
}
location /optimized/ {
proxy_pass https://u2/;
}
}
The fix is to always preserve passwords, by copying to the configuration
pool, if dynamic certificates are used. This is done as part of merging
"ssl_passwords" configuration.
To minimize the number of copies, a preserved version is then used for
inheritance. A notable exception is inheritance of preserved empty
passwords to the context with statically configured certificates:
server {
proxy_ssl_certificate $ssl_server_name.crt;
proxy_ssl_certificate_key $ssl_server_name.key;
location / {
proxy_pass ...;
proxy_ssl_certificate example.com.crt;
proxy_ssl_certificate_key example.com.key;
}
}
In this case, an unmodified version (NULL) of empty passwords is set,
to allow reading them from the password prompt on nginx startup.
As an additional optimization, a preserved instance of inherited
configured passwords is set to the previous level, to inherit it
to other contexts:
server {
proxy_ssl_password_file password;
location /1/ {
proxy_pass https://u1/;
proxy_ssl_certificate $ssl_server_name.crt;
proxy_ssl_certificate_key $ssl_server_name.key;
}
location /2/ {
proxy_pass https://u2/;
proxy_ssl_certificate $ssl_server_name.crt;
proxy_ssl_certificate_key $ssl_server_name.key;
}
}
---
src/http/modules/ngx_http_grpc_module.c | 20 +++++-----
src/http/modules/ngx_http_proxy_module.c | 20 +++++-----
src/http/modules/ngx_http_uwsgi_module.c | 20 +++++-----
src/http/ngx_http_upstream.c | 55 ++++++++++++++++++++++++++
src/http/ngx_http_upstream.h | 4 ++
src/stream/ngx_stream_proxy_module.c | 68 +++++++++++++++++++++++++++-----
6 files changed, 144 insertions(+), 43 deletions(-)
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 8e246c3cf..80046d6a4 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4509,8 +4509,13 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->upstream.ssl_certificate_key, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
prev->upstream.ssl_certificate_cache, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+
+ if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
+ &prev->upstream)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@@ -5077,16 +5082,9 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
return NGX_ERROR;
}
- if (glcf->upstream.ssl_certificate->lengths
- || glcf->upstream.ssl_certificate_key->lengths)
+ if (glcf->upstream.ssl_certificate->lengths == NULL
+ && glcf->upstream.ssl_certificate_key->lengths == NULL)
{
- glcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
- if (glcf->upstream.ssl_passwords == NULL) {
- return NGX_ERROR;
- }
-
- } else {
if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
&glcf->upstream.ssl_certificate->value,
&glcf->upstream.ssl_certificate_key->value,
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 27c34fef2..d4c5abf62 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -3976,8 +3976,13 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->upstream.ssl_certificate_key, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
prev->upstream.ssl_certificate_cache, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+
+ if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
+ &prev->upstream)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@@ -5337,16 +5342,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
return NGX_ERROR;
}
- if (plcf->upstream.ssl_certificate->lengths
- || plcf->upstream.ssl_certificate_key->lengths)
+ if (plcf->upstream.ssl_certificate->lengths == NULL
+ && plcf->upstream.ssl_certificate_key->lengths == NULL)
{
- plcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
- if (plcf->upstream.ssl_passwords == NULL) {
- return NGX_ERROR;
- }
-
- } else {
if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
&plcf->upstream.ssl_certificate->value,
&plcf->upstream.ssl_certificate_key->value,
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index 14aae5bf1..51a861d9a 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -1933,8 +1933,13 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
prev->upstream.ssl_certificate_key, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_cache,
prev->upstream.ssl_certificate_cache, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+
+ if (ngx_http_upstream_merge_ssl_passwords(cf, &conf->upstream,
+ &prev->upstream)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@@ -2685,16 +2690,9 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
return NGX_ERROR;
}
- if (uwcf->upstream.ssl_certificate->lengths
- || uwcf->upstream.ssl_certificate_key->lengths)
+ if (uwcf->upstream.ssl_certificate->lengths == NULL
+ && uwcf->upstream.ssl_certificate_key->lengths == NULL)
{
- uwcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
- if (uwcf->upstream.ssl_passwords == NULL) {
- return NGX_ERROR;
- }
-
- } else {
if (ngx_ssl_certificate(cf, uwcf->upstream.ssl,
&uwcf->upstream.ssl_certificate->value,
&uwcf->upstream.ssl_certificate_key->value,
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index 77dc032f2..d4cf1b7fe 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -6921,6 +6921,61 @@ ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf,
}
+#if (NGX_HTTP_SSL)
+
+ngx_int_t
+ngx_http_upstream_merge_ssl_passwords(ngx_conf_t *cf,
+ ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev)
+{
+ ngx_uint_t preserve;
+
+ ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+
+ if (conf->ssl_certificate == NULL
+ || conf->ssl_certificate->value.len == 0
+ || conf->ssl_certificate_key == NULL)
+ {
+ return NGX_OK;
+ }
+
+ if (conf->ssl_certificate->lengths == NULL
+ && conf->ssl_certificate_key->lengths == NULL)
+ {
+ if (conf->ssl_passwords && conf->ssl_passwords->pool == NULL) {
+ /* un-preserve empty password list */
+ conf->ssl_passwords = NULL;
+ }
+
+ return NGX_OK;
+ }
+
+ if (conf->ssl_passwords && conf->ssl_passwords->pool != cf->temp_pool) {
+ /* already preserved */
+ return NGX_OK;
+ }
+
+ preserve = (conf->ssl_passwords == prev->ssl_passwords) ? 1 : 0;
+
+ conf->ssl_passwords = ngx_ssl_preserve_passwords(cf, conf->ssl_passwords);
+ if (conf->ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+
+ /*
+ * special handling to keep a preserved ssl_passwords copy
+ * in the previous configuration to inherit it to all children
+ */
+
+ if (preserve) {
+ prev->ssl_passwords = conf->ssl_passwords;
+ }
+
+ return NGX_OK;
+}
+
+#endif
+
+
static void *
ngx_http_upstream_create_main_conf(ngx_conf_t *cf)
{
diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h
index 069c0f7a4..e0a903669 100644
--- a/src/http/ngx_http_upstream.h
+++ b/src/http/ngx_http_upstream.h
@@ -437,6 +437,10 @@ char *ngx_http_upstream_param_set_slot(ngx_conf_t *cf, ngx_command_t *cmd,
ngx_int_t ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf,
ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev,
ngx_str_t *default_hide_headers, ngx_hash_init_t *hash);
+#if (NGX_HTTP_SSL)
+ngx_int_t ngx_http_upstream_merge_ssl_passwords(ngx_conf_t *cf,
+ ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev);
+#endif
#define ngx_http_conf_upstream_srv_conf(uscf, module) \
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 7f8bfc4e0..6e51585f6 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -108,6 +108,8 @@ static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_merge_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
+static ngx_int_t ngx_stream_proxy_merge_ssl_passwords(ngx_conf_t *cf,
+ ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *pscf);
@@ -2315,7 +2317,9 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_ptr_value(conf->ssl_certificate_cache,
prev->ssl_certificate_cache, NULL);
- ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ if (ngx_stream_proxy_merge_ssl_passwords(cf, conf, prev) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@@ -2381,6 +2385,57 @@ ngx_stream_proxy_merge_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *conf,
}
+static ngx_int_t
+ngx_stream_proxy_merge_ssl_passwords(ngx_conf_t *cf,
+ ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev)
+{
+ ngx_uint_t preserve;
+
+ ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+
+ if (conf->ssl_certificate == NULL
+ || conf->ssl_certificate->value.len == 0
+ || conf->ssl_certificate_key == NULL)
+ {
+ return NGX_OK;
+ }
+
+ if (conf->ssl_certificate->lengths == NULL
+ && conf->ssl_certificate_key->lengths == NULL)
+ {
+ if (conf->ssl_passwords && conf->ssl_passwords->pool == NULL) {
+ /* un-preserve empty password list */
+ conf->ssl_passwords = NULL;
+ }
+
+ return NGX_OK;
+ }
+
+ if (conf->ssl_passwords && conf->ssl_passwords->pool != cf->temp_pool) {
+ /* already preserved */
+ return NGX_OK;
+ }
+
+ preserve = (conf->ssl_passwords == prev->ssl_passwords) ? 1 : 0;
+
+ conf->ssl_passwords = ngx_ssl_preserve_passwords(cf, conf->ssl_passwords);
+ if (conf->ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+
+ /*
+ * special handling to keep a preserved ssl_passwords copy
+ * in the previous configuration to inherit it to all children
+ */
+
+ if (preserve) {
+ prev->ssl_passwords = conf->ssl_passwords;
+ }
+
+ return NGX_OK;
+}
+
+
static ngx_int_t
ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
{
@@ -2418,16 +2473,9 @@ ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
return NGX_ERROR;
}
- if (pscf->ssl_certificate->lengths
- || pscf->ssl_certificate_key->lengths)
+ if (pscf->ssl_certificate->lengths == NULL
+ && pscf->ssl_certificate_key->lengths == NULL)
{
- pscf->ssl_passwords =
- ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords);
- if (pscf->ssl_passwords == NULL) {
- return NGX_ERROR;
- }
-
- } else {
if (ngx_ssl_certificate(cf, pscf->ssl,
&pscf->ssl_certificate->value,
&pscf->ssl_certificate_key->value,
More information about the nginx-devel
mailing list