[nginx] SSL: cache revalidation of file based dynamic certificates.

noreply at nginx.com noreply at nginx.com
Fri Jan 17 00:38:02 UTC 2025


details:   https://github.com/nginx/nginx/commit/4b96ad14f3607ab39b160715aeba721097ac4da4
branches:  master
commit:    4b96ad14f3607ab39b160715aeba721097ac4da4
user:      Sergey Kandaurov <pluknet at nginx.com>
date:      Mon, 13 Jan 2025 21:40:04 +0400
description:
SSL: cache revalidation of file based dynamic certificates.

Revalidation is based on file modification time and uniq file index,
and happens after the cache object validity time has expired.

---
 src/event/ngx_event_openssl_cache.c | 44 +++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

diff --git a/src/event/ngx_event_openssl_cache.c b/src/event/ngx_event_openssl_cache.c
index 7589e6c90..eb03e16b2 100644
--- a/src/event/ngx_event_openssl_cache.c
+++ b/src/event/ngx_event_openssl_cache.c
@@ -289,6 +289,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
     void                  *value;
     time_t                 now;
     uint32_t               hash;
+    ngx_file_info_t        fi;
     ngx_ssl_cache_key_t    id;
     ngx_ssl_cache_type_t  *type;
     ngx_ssl_cache_node_t  *cn;
@@ -318,7 +319,33 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
             goto found;
         }
 
-        if (now - cn->created > cache->valid) {
+        if (now - cn->created <= cache->valid) {
+            goto found;
+        }
+
+        switch (id.type) {
+
+        case NGX_SSL_CACHE_PATH:
+
+            if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) {
+
+                if (ngx_file_uniq(&fi) == cn->uniq
+                    && ngx_file_mtime(&fi) == cn->mtime)
+                {
+                    break;
+                }
+
+                cn->mtime = ngx_file_mtime(&fi);
+                cn->uniq = ngx_file_uniq(&fi);
+
+            } else {
+                cn->mtime = 0;
+                cn->uniq = 0;
+            }
+
+            /* fall through */
+
+        default:
             ngx_log_debug1(NGX_LOG_DEBUG_CORE, pool->log, 0,
                            "update cached ssl object: %s", cn->id.data);
 
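Review bot: The unchanged-file test at L49-L50 compares only uniq and a one-second-granularity mtime, so a certificate or key rewritten in place (same inode) within the same second as the cached stamp is not detected until a later modification, and nothing in the hunk records that; a comment on the `if`, such as `/* same inode and mtime: treated as unchanged; in-place rewrites within the same second are not seen */`, would document the accepted limitation. The `else` branch that zeroes `cn->mtime` and `cn->uniq` when the stat fails also deserves a line, e.g. `/* stat failed: zeroed stamps force a reload on the next successful stat */`, since as written the reset reads like an error path rather than a deliberate invalidation. The `default:` label makes every non-path key type reload unconditionally once `valid` is exceeded, which appears to match the previous behaviour but is worth a short note at the label. ngx_ssl_cache_connection_fetch begins before and continues after this hunk.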
@@ -337,9 +364,10 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
             }
 
             cn->value = value;
-            cn->created = now;
         }
 
+        cn->created = now;
+
         goto found;
     }
 
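Review bot: `cn->created = now;` now runs after the closing brace at L70 regardless of how the reload went, but the handling of the `create` result between L68 and L70 is outside the hunk, so I cannot tell whether a failed reload still reaches this line; if it does, a node whose stat failed (stamps zeroed in the previous hunk) and whose reload then failed would keep the stale value and be treated as fresh for another `valid` period. Please confirm that the failure path leaves the function before this line, or keep `cn->created = now;` under the two success paths only (the `break` for an unchanged file and a successful reload). The enclosing function continues outside the hunk.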
@@ -365,6 +393,18 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool,
 
     ngx_cpystrn(cn->id.data, id.data, id.len + 1);
 
+    if (id.type == NGX_SSL_CACHE_PATH) {
+
+        if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) {
+            cn->mtime = ngx_file_mtime(&fi);
+            cn->uniq = ngx_file_uniq(&fi);
+
+        } else {
+            cn->mtime = 0;
+            cn->uniq = 0;
+        }
+    }
+
     ngx_ssl_cache_expire(cache, 1, pool->log);
 
     if (cache->current >= cache->max) {
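Review bot: The stat at L87 records mtime and uniq after the object has already been loaded, as `cn->id` is being filled in at L83 for an entry whose value was, as far as the surrounding code suggests, created earlier in the function outside this hunk; a file replaced between that load and this stat is then cached with the newer stamps but the older contents, and the revalidation added in the second hunk will not notice until the file changes again. Taking `fi` before the load, or comparing a pre- and post-load stat and not caching on mismatch, closes that window; at minimum a comment such as `/* stamps are taken after the load: a change in between is masked until the next one */` should mark the assumption. The enclosing function ends outside the hunk.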

