ssl/nonssl listener в контексте одного server'а
Igor Sysoev
is at rambler-co.ru
Wed Aug 27 23:49:43 MSD 2008
On Wed, Aug 27, 2008 at 05:05:33PM +0700, Artem Bokhan wrote:
> Игорь, а нельзя ли упростить включение ssl до вида, схожего с указанным
> ниже? Возможно, я ошибаюсь, и возможность слушать ssl и не-ssl порты в
> контексте одного сервера уже реализована?
>
> server {
> listen 80;
> listen 443 ssl;
> ....
> }
Прилагаемый патч добавляет такую функциональность.
Если тестирование пройдёт успешно, то патч будет включён в 0.7.14.
server {
listen 80;
listen 443 default ssl;
server_name www.example.com;
ssl_certificate /path/to/cert;
ssl_certificate_key /path/to/key;
location / {
...
}
location /ssl/only/dir/ {
if ($scheme = http) {
rewrite ^(.+)$ https://www.example.com$1;
}
...
}
}
--
Игорь Сысоев
http://sysoev.ru
-------------- next part --------------
Index: src/http/ngx_http_request.c
===================================================================
--- src/http/ngx_http_request.c (revision 1538)
+++ src/http/ngx_http_request.c (working copy)
@@ -357,9 +357,20 @@
ngx_http_ssl_srv_conf_t *sscf;
sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
- if (sscf->enable) {
+ if (sscf->enable || c->listening->ssl) {
if (c->ssl == NULL) {
+
+ c->log->action = "SSL handshaking";
+
+ if (c->listening->ssl && sscf->ssl.ctx == NULL) {
+ ngx_log_error(NGX_LOG_ERR, c->log, 0,
+ "no \"ssl_certificate\" is defined "
+ "in server listening on SSL port");
+ ngx_http_close_connection(c);
+ return;
+ }
+
if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER)
== NGX_ERROR)
{
@@ -529,6 +540,8 @@
}
}
+ c->log->action = "reading client request line";
+
rev->handler = ngx_http_process_request_line;
ngx_http_process_request_line(rev);
}
Index: src/http/ngx_http_core_module.c
===================================================================
--- src/http/ngx_http_core_module.c (revision 1538)
+++ src/http/ngx_http_core_module.c (working copy)
@@ -3081,6 +3081,18 @@
continue;
}
+ if (ngx_strcmp(value[n].data, "ssl") == 0) {
+#if (NGX_HTTP_SSL)
+ ls->conf.ssl = 1;
+ ls->conf.bind = 1;
+#else
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "the \"ssl\" parameter requires "
+ "ngx_http_ssl_module, ignored");
+#endif
+ continue;
+ }
+
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"the invalid \"%V\" parameter", &value[n]);
return NGX_CONF_ERROR;
Index: src/http/ngx_http_core_module.h
===================================================================
--- src/http/ngx_http_core_module.h (revision 1538)
+++ src/http/ngx_http_core_module.h (working copy)
@@ -35,6 +35,9 @@
typedef struct {
unsigned default_server:1;
unsigned bind:1;
+#if (NGX_HTTP_SSL)
+ unsigned ssl:1;
+#endif
int backlog;
int rcvbuf;
Index: src/http/modules/ngx_http_ssl_module.c
===================================================================
--- src/http/modules/ngx_http_ssl_module.c (revision 1538)
+++ src/http/modules/ngx_http_ssl_module.c (working copy)
@@ -13,8 +13,6 @@
ngx_pool_t *pool, ngx_str_t *s);
-#define NGX_DEFAULT_CERTIFICATE "cert.pem"
-#define NGX_DEFAULT_CERTIFICATE_KEY "cert.pem"
#define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
@@ -28,6 +26,8 @@
static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
void *parent, void *child);
+static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
@@ -61,7 +61,7 @@
{ ngx_string("ssl"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
- ngx_conf_set_flag_slot,
+ ngx_http_ssl_enable,
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, enable),
NULL },
@@ -339,10 +339,6 @@
ngx_conf_merge_value(conf->enable, prev->enable, 0);
- if (conf->enable == 0) {
- return NGX_CONF_OK;
- }
-
ngx_conf_merge_value(conf->session_timeout,
prev->session_timeout, 300);
@@ -356,11 +352,9 @@
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
- ngx_conf_merge_str_value(conf->certificate, prev->certificate,
- NGX_DEFAULT_CERTIFICATE);
+ ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
- ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
- NGX_DEFAULT_CERTIFICATE_KEY);
+ ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@@ -372,6 +366,39 @@
conf->ssl.log = cf->log;
+ if (conf->enable) {
+
+ if (conf->certificate.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "SSL mode is enabled, "
+ "but no \"ssl_certificate\" is defined in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ if (conf->certificate_key.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "SSL mode is enabled, "
+ "but no \"ssl_certificate_key\" is defined in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ } else {
+
+ if (conf->certificate.len == 0) {
+ return NGX_CONF_OK;
+ }
+
+ if (conf->certificate_key.len == 0) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\"",
+ &conf->certificate);
+ return NGX_CONF_ERROR;
+ }
+ }
+
if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -467,6 +494,26 @@
static char *
+ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+{
+ ngx_http_ssl_srv_conf_t *sscf = conf;
+
+ char *rv;
+
+ rv = ngx_conf_set_flag_slot(cf, cmd, conf);
+
+ if (rv != NGX_CONF_OK) {
+ return rv;
+ }
+
+ sscf->file = cf->conf_file->file.name.data;
+ sscf->line = cf->conf_file->line;
+
+ return NGX_CONF_OK;
+}
+
+
+static char *
ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_http_ssl_srv_conf_t *sscf = conf;
Index: src/http/modules/ngx_http_ssl_module.h
===================================================================
--- src/http/modules/ngx_http_ssl_module.h (revision 1538)
+++ src/http/modules/ngx_http_ssl_module.h (working copy)
@@ -37,6 +37,9 @@
ngx_str_t ciphers;
ngx_shm_zone_t *shm_zone;
+
+ u_char *file;
+ ngx_uint_t line;
} ngx_http_ssl_srv_conf_t;
Index: src/http/ngx_http.c
===================================================================
--- src/http/ngx_http.c (revision 1538)
+++ src/http/ngx_http.c (working copy)
@@ -1591,6 +1591,10 @@
}
#endif
+#if (NGX_HTTP_SSL)
+ ls->ssl = in_addr[a].listen_conf->ssl;
+#endif
+
ls->backlog = in_addr[a].listen_conf->backlog;
ls->rcvbuf = in_addr[a].listen_conf->rcvbuf;
ls->sndbuf = in_addr[a].listen_conf->sndbuf;
Index: src/core/ngx_connection.h
===================================================================
--- src/core/ngx_connection.h (revision 1538)
+++ src/core/ngx_connection.h (working copy)
@@ -57,6 +57,10 @@
unsigned shared:1; /* shared between threads or processes */
unsigned addr_ntop:1;
+#if (NGX_SSL)
+ unsigned ssl:1;
+#endif
+
#if (NGX_HAVE_DEFERRED_ACCEPT)
unsigned deferred_accept:1;
unsigned delete_deferred:1;
More information about the nginx-ru
mailing list