ssl/nonssl listener в контексте одного server'а
Artem Bokhan
artist at academ.org
Mon Sep 1 10:47:32 MSD 2008
Пока что работает ;) Спасибо.
Igor Sysoev пишет:
> On Wed, Aug 27, 2008 at 11:49:43PM +0400, Igor Sysoev wrote:
>
>
>> On Wed, Aug 27, 2008 at 05:05:33PM +0700, Artem Bokhan wrote:
>>
>>
>>> Игорь, а нельзя ли упростить включение ssl до вида, схожего с указанным
>>> ниже? Возможно, я ошибаюсь, и возможность слушать ssl и не-ssl порты в
>>> контексте одного сервера уже реализована?
>>>
>>> server {
>>> listen 80;
>>> listen 443 ssl;
>>> ....
>>> }
>>>
>> Прилагаемый патч добавляет такую функциональность.
>> Если тестирование пройдёт успешно, то патч будет включён в 0.7.14.
>>
>> server {
>> listen 80;
>> listen 443 default ssl;
>>
>> server_name www.example.com;
>>
>> ssl_certificate /path/to/cert;
>> ssl_certificate_key /path/to/key;
>>
>> location / {
>> ...
>> }
>>
>> location /ssl/only/dir/ {
>> if ($scheme = http) {
>> rewrite ^(.+)$ https://www.example.com$1;
>> }
>> ...
>> }
>>
>> }
>>
>
> Новая версия.
>
>
>
> ------------------------------------------------------------------------
>
> Index: src/http/ngx_http_request.c
> ===================================================================
> --- src/http/ngx_http_request.c (revision 1538)
> +++ src/http/ngx_http_request.c (working copy)
> @@ -357,9 +357,20 @@
> ngx_http_ssl_srv_conf_t *sscf;
>
> sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
> - if (sscf->enable) {
> + if (sscf->enable || hia[i].ssl) {
>
> if (c->ssl == NULL) {
> +
> + c->log->action = "SSL handshaking";
> +
> + if (hia[i].ssl && sscf->ssl.ctx == NULL) {
> + ngx_log_error(NGX_LOG_ERR, c->log, 0,
> + "no \"ssl_certificate\" is defined "
> + "in server listening on SSL port");
> + ngx_http_close_connection(c);
> + return;
> + }
> +
> if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER)
> == NGX_ERROR)
> {
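Review bot: A server with `listen ... ssl` but no `ssl_certificate` is only caught here, per connection: the new `hia[i].ssl && sscf->ssl.ctx == NULL` test accepts the TCP connection, logs at NGX_LOG_ERR and closes it for every client, while `nginx -t` reports nothing. Both the per-address `ssl` flag and the default server's `ngx_http_ssl_srv_conf_t` are known once the addresses are built, so the same condition can be rejected at configuration time (for example from a postconfiguration handler of ngx_http_ssl_module) with `no "ssl_certificate" is defined for the "listen ... ssl" directive` and NGX_ERROR, keeping this runtime branch only as a backstop against a stale `ctx`. The log message is also slightly off, since the merge code in this patch also fails on a missing `ssl_certificate_key`; `no "ssl_certificate" or "ssl_certificate_key" is defined` would match. The enclosing function starts and ends outside the hunk.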
> @@ -529,6 +540,8 @@
> }
> }
>
> + c->log->action = "reading client request line";
> +
> rev->handler = ngx_http_process_request_line;
> ngx_http_process_request_line(rev);
> }
> Index: src/http/ngx_http_core_module.c
> ===================================================================
> --- src/http/ngx_http_core_module.c (revision 1538)
> +++ src/http/ngx_http_core_module.c (working copy)
> @@ -3081,6 +3081,17 @@
> continue;
> }
>
> + if (ngx_strcmp(value[n].data, "ssl") == 0) {
> +#if (NGX_HTTP_SSL)
> + ls->conf.ssl = 1;
> +#else
> + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
> + "the \"ssl\" parameter requires "
> + "ngx_http_ssl_module, ignored");
> +#endif
> + continue;
> + }
> +
> ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
> "the invalid \"%V\" parameter", &value[n]);
> return NGX_CONF_ERROR;
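Review bot: When nginx is built without ngx_http_ssl_module, the `ssl` listen parameter is logged at NGX_LOG_EMERG but the loop then `continue`s, so the configuration loads and a port the administrator configured for TLS serves cleartext HTTP. An EMERG message that ends in "ignored" is also self-contradictory. Treat it as fatal like the unknown-parameter case just below: drop ", ignored" from the message and add `return NGX_CONF_ERROR;` inside the `#else` branch.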
> Index: src/http/ngx_http_core_module.h
> ===================================================================
> --- src/http/ngx_http_core_module.h (revision 1538)
> +++ src/http/ngx_http_core_module.h (working copy)
> @@ -35,6 +35,9 @@
> typedef struct {
> unsigned default_server:1;
> unsigned bind:1;
> +#if (NGX_HTTP_SSL)
> + unsigned ssl:1;
> +#endif
>
> int backlog;
> int rcvbuf;
> @@ -167,6 +170,10 @@
> ngx_http_core_srv_conf_t *core_srv_conf;
>
> ngx_http_virtual_names_t *virtual_names;
> +
> +#if (NGX_HTTP_SSL)
> + ngx_uint_t ssl; /* unsigned ssl:1; */
> +#endif
> } ngx_http_in_addr_t;
>
>
> @@ -203,6 +210,9 @@
>
> unsigned default_server:1;
> unsigned bind:1;
> +#if (NGX_HTTP_SSL)
> + unsigned ssl:1;
> +#endif
>
> ngx_http_listen_conf_t *listen_conf;
> } ngx_http_conf_in_addr_t;
> Index: src/http/modules/ngx_http_ssl_module.c
> ===================================================================
> --- src/http/modules/ngx_http_ssl_module.c (revision 1538)
> +++ src/http/modules/ngx_http_ssl_module.c (working copy)
> @@ -13,8 +13,6 @@
> ngx_pool_t *pool, ngx_str_t *s);
>
>
> -#define NGX_DEFAULT_CERTIFICATE "cert.pem"
> -#define NGX_DEFAULT_CERTIFICATE_KEY "cert.pem"
> #define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
>
>
> @@ -28,6 +26,8 @@
> static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
> void *parent, void *child);
>
> +static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
> + void *conf);
> static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
> void *conf);
>
> @@ -61,7 +61,7 @@
>
> { ngx_string("ssl"),
> NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
> - ngx_conf_set_flag_slot,
> + ngx_http_ssl_enable,
> NGX_HTTP_SRV_CONF_OFFSET,
> offsetof(ngx_http_ssl_srv_conf_t, enable),
> NULL },
> @@ -339,10 +339,6 @@
>
> ngx_conf_merge_value(conf->enable, prev->enable, 0);
>
> - if (conf->enable == 0) {
> - return NGX_CONF_OK;
> - }
> -
> ngx_conf_merge_value(conf->session_timeout,
> prev->session_timeout, 300);
>
> @@ -356,12 +352,9 @@
> ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
> ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
>
> - ngx_conf_merge_str_value(conf->certificate, prev->certificate,
> - NGX_DEFAULT_CERTIFICATE);
> + ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
> + ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
>
> - ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
> - NGX_DEFAULT_CERTIFICATE_KEY);
> -
> ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
>
> ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
> @@ -372,6 +365,39 @@
>
> conf->ssl.log = cf->log;
>
> + if (conf->enable) {
> +
> + if (conf->certificate.len == 0) {
> + ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
> + "SSL mode is enabled, "
> + "but no \"ssl_certificate\" is defined in %s:%ui",
> + conf->file, conf->line);
> + return NGX_CONF_ERROR;
> + }
> +
> + if (conf->certificate_key.len == 0) {
> + ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
> + "SSL mode is enabled, "
> + "but no \"ssl_certificate_key\" is defined in %s:%ui",
> + conf->file, conf->line);
> + return NGX_CONF_ERROR;
> + }
> +
> + } else {
> +
> + if (conf->certificate.len == 0) {
> + return NGX_CONF_OK;
> + }
> +
> + if (conf->certificate_key.len == 0) {
> + ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
> + "no \"ssl_certificate_key\" is defined "
> + "for certificate \"%V\"",
> + &conf->certificate);
> + return NGX_CONF_ERROR;
> + }
> + }
> +
> if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
> return NGX_CONF_ERROR;
> }
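Review bot: `conf->file` and `conf->line` are only filled in by the `ssl` directive handler on the level where the directive appears, but `conf->enable` is inherited through `ngx_conf_merge_value`, so with `ssl on;` at http level and a server{} lacking `ssl_certificate`, the new error path formats `%s` with whatever the server-level conf holds — presumably NULL, unless the create_srv_conf function (outside the hunk) initializes it. Inherit the location together with the flag, before the checks: `if (conf->file == NULL) { conf->file = prev->file; conf->line = prev->line; }`. The function's beginning is outside the hunk.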
> @@ -467,6 +493,26 @@
>
>
> static char *
> +ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
> +{
> + ngx_http_ssl_srv_conf_t *sscf = conf;
> +
> + char *rv;
> +
> + rv = ngx_conf_set_flag_slot(cf, cmd, conf);
> +
> + if (rv != NGX_CONF_OK) {
> + return rv;
> + }
> +
> + sscf->file = cf->conf_file->file.name.data;
> + sscf->line = cf->conf_file->line;
> +
> + return NGX_CONF_OK;
> +}
> +
> +
> +static char *
> ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
> {
> ngx_http_ssl_srv_conf_t *sscf = conf;
> Index: src/http/modules/ngx_http_ssl_module.h
> ===================================================================
> --- src/http/modules/ngx_http_ssl_module.h (revision 1538)
> +++ src/http/modules/ngx_http_ssl_module.h (working copy)
> @@ -37,6 +37,9 @@
> ngx_str_t ciphers;
>
> ngx_shm_zone_t *shm_zone;
> +
> + u_char *file;
> + ngx_uint_t line;
> } ngx_http_ssl_srv_conf_t;
>
>
> Index: src/http/ngx_http.c
> ===================================================================
> --- src/http/ngx_http.c (revision 1538)
> +++ src/http/ngx_http.c (working copy)
> @@ -1158,6 +1158,10 @@
>
> in_addr[a].core_srv_conf = cscfp[s];
> in_addr[a].default_server = 1;
> +#if (NGX_HTTP_SSL)
> + in_addr[a].ssl = listen[l].conf.ssl;
> +#endif
> + in_addr[a].listen_conf = &listen[l].conf;
> }
>
> goto found;
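Review bot: `in_addr[a].ssl` is assigned from `listen[l].conf.ssl` only in this branch, which, judging by the neighbouring `default_server = 1`, runs for the listen that carries `default`; a non-default `listen 443 ssl` on an address another server already added without `ssl` therefore leaves the address in plaintext mode, and the reverse silently turns that other server's port into TLS. Since the flag is a per-address property, either combine it from every listen on the address (`in_addr[a].ssl |= listen[l].conf.ssl;` here and in the non-default path) or, safer, reject a mix of `ssl` and non-`ssl` listens for the same address:port with an EMERG at configuration time. Either way the behaviour should be stated in a comment next to the field, since it is not obvious from the code. The enclosing function is outside the hunk.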
> @@ -1241,6 +1245,9 @@
> in_addr->core_srv_conf = cscf;
> in_addr->default_server = listen->conf.default_server;
> in_addr->bind = listen->conf.bind;
> +#if (NGX_HTTP_SSL)
> + in_addr->ssl = listen->conf.ssl;
> +#endif
> in_addr->listen_conf = &listen->conf;
>
> return ngx_http_add_names(cf, cscf, in_addr);
> @@ -1647,6 +1654,10 @@
> hip->addrs[i].addr = in_addr[i].addr;
> hip->addrs[i].core_srv_conf = in_addr[i].core_srv_conf;
>
> +#if (NGX_HTTP_SSL)
> + hip->addrs[i].ssl = in_addr[i].ssl;
> +#endif
> +
> if (in_addr[i].hash.buckets == NULL
> && (in_addr[i].wc_head == NULL
> || in_addr[i].wc_head->hash.buckets == NULL)
> Index: src/mail/ngx_mail.c
> ===================================================================
> --- src/mail/ngx_mail.c (revision 1538)
> +++ src/mail/ngx_mail.c (working copy)
> @@ -261,6 +261,9 @@
> in_addr->addr = imls[l].addr;
> in_addr->ctx = imls[l].ctx;
> in_addr->bind = imls[l].bind;
> +#if (NGX_MAIL_SSL)
> + in_addr->ssl = imls[l].ssl;
> +#endif
> }
>
> /* optimize the lists of ports and addresses */
> @@ -370,6 +373,10 @@
>
> imip->addrs[i].addr_text.len = len;
> imip->addrs[i].addr_text.data = text;
> +
> +#if (NGX_MAIL_SSL)
> + imip->addrs[i].ssl = in_addr[i].ssl;
> +#endif
> }
>
> if (done) {
> Index: src/mail/ngx_mail.h
> ===================================================================
> --- src/mail/ngx_mail.h (revision 1538)
> +++ src/mail/ngx_mail.h (working copy)
> @@ -34,6 +34,9 @@
> ngx_mail_conf_ctx_t *ctx;
>
> unsigned bind:1;
> +#if (NGX_MAIL_SSL)
> + unsigned ssl:1;
> +#endif
> } ngx_mail_listen_t;
>
>
> @@ -41,6 +44,9 @@
> in_addr_t addr;
> ngx_mail_conf_ctx_t *ctx;
> ngx_str_t addr_text;
> +#if (NGX_MAIL_SSL)
> + ngx_uint_t ssl; /* unsigned ssl:1; */
> +#endif
> } ngx_mail_in_addr_t;
>
>
> @@ -60,6 +66,9 @@
> in_addr_t addr;
> ngx_mail_conf_ctx_t *ctx;
> unsigned bind:1;
> +#if (NGX_MAIL_SSL)
> + unsigned ssl:1;
> +#endif
> } ngx_mail_conf_in_addr_t;
>
>
> Index: src/mail/ngx_mail_core_module.c
> ===================================================================
> --- src/mail/ngx_mail_core_module.c (revision 1538)
> +++ src/mail/ngx_mail_core_module.c (working copy)
> @@ -351,18 +351,30 @@
> }
> }
>
> - if (cf->args->nelts == 2) {
> - return NGX_CONF_OK;
> - }
> + for (i = 2; i < cf->args->nelts; i++) {
>
> - if (ngx_strcmp(value[2].data, "bind") == 0) {
> - imls->bind = 1;
> - return NGX_CONF_OK;
> + if (ngx_strcmp(value[i].data, "bind") == 0) {
> + imls->bind = 1;
> + continue;
> + }
> +
> + if (ngx_strcmp(value[i].data, "ssl") == 0) {
> +#if (NGX_MAIL_SSL)
> + imls->ssl = 1;
> +#else
> + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
> + "the \"ssl\" parameter requires "
> + "ngx_mail_ssl_module, ignored");
> +#endif
> + continue;
> + }
> +
> + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
> + "the invalid \"%V\" parameter", &value[i]);
> + return NGX_CONF_ERROR;
> }
>
> - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
> - "the invalid \"%V\" parameter", &value[2]);
> - return NGX_CONF_ERROR;
> + return NGX_CONF_OK;
> }
>
>
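Review bot: When nginx is built without ngx_mail_ssl_module, `listen ... ssl` logs at NGX_LOG_EMERG and then `continue`s, so the configuration is accepted and a port meant for implicit TLS (IMAPS/POP3S/SMTPS) answers in cleartext; an EMERG message that says "ignored" is also contradictory. Reject the configuration like the unknown-parameter case a few lines below: drop ", ignored" and add `return NGX_CONF_ERROR;` inside the `#else` branch. The enclosing directive handler begins outside the hunk.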
> Index: src/mail/ngx_mail_ssl_module.c
> ===================================================================
> --- src/mail/ngx_mail_ssl_module.c (revision 1538)
> +++ src/mail/ngx_mail_ssl_module.c (working copy)
> @@ -9,13 +9,16 @@
> #include <ngx_mail.h>
>
>
> -#define NGX_DEFAULT_CERTIFICATE "cert.pem"
> -#define NGX_DEFAULT_CERTIFICATE_KEY "cert.pem"
> #define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
>
>
> static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
> static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
> +
> +static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
> + void *conf);
> +static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
> + void *conf);
> static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
> void *conf);
>
> @@ -50,14 +53,14 @@
>
> { ngx_string("ssl"),
> NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
> - ngx_conf_set_flag_slot,
> + ngx_mail_ssl_enable,
> NGX_MAIL_SRV_CONF_OFFSET,
> offsetof(ngx_mail_ssl_conf_t, enable),
> NULL },
>
> { ngx_string("starttls"),
> NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
> - ngx_conf_set_enum_slot,
> + ngx_mail_ssl_starttls,
> NGX_MAIL_SRV_CONF_OFFSET,
> offsetof(ngx_mail_ssl_conf_t, starttls),
> ngx_http_starttls_state },
> @@ -197,12 +200,9 @@
> ngx_pool_cleanup_t *cln;
>
> ngx_conf_merge_value(conf->enable, prev->enable, 0);
> - ngx_conf_merge_value(conf->starttls, prev->starttls, NGX_MAIL_STARTTLS_OFF);
> + ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
> + NGX_MAIL_STARTTLS_OFF);
>
> - if (conf->enable == 0 && conf->starttls == NGX_MAIL_STARTTLS_OFF) {
> - return NGX_CONF_OK;
> - }
> -
> ngx_conf_merge_value(conf->session_timeout,
> prev->session_timeout, 300);
>
> @@ -213,12 +213,9 @@
> (NGX_CONF_BITMASK_SET
> |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
>
> - ngx_conf_merge_str_value(conf->certificate, prev->certificate,
> - NGX_DEFAULT_CERTIFICATE);
> + ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
> + ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
>
> - ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
> - NGX_DEFAULT_CERTIFICATE_KEY);
> -
> ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
>
> ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
> @@ -226,6 +223,39 @@
>
> conf->ssl.log = cf->log;
>
> + if (conf->enable || conf->starttls != NGX_MAIL_STARTTLS_OFF) {
> +
> + if (conf->certificate.len == 0) {
> + ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
> + "SSL mode is enabled, "
> + "but no \"ssl_certificate\" is defined in %s:%ui",
> + conf->file, conf->line);
> + return NGX_CONF_ERROR;
> + }
> +
> + if (conf->certificate_key.len == 0) {
> + ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
> + "SSL mode is enabled, "
> + "but no \"ssl_certificate_key\" is defined in %s:%ui",
> + conf->file, conf->line);
> + return NGX_CONF_ERROR;
> + }
> +
> + } else {
> +
> + if (conf->certificate.len == 0) {
> + return NGX_CONF_OK;
> + }
> +
> + if (conf->certificate_key.len == 0) {
> + ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
> + "no \"ssl_certificate_key\" is defined "
> + "for certificate \"%V\"",
> + &conf->certificate);
> + return NGX_CONF_ERROR;
> + }
> + }
> +
> if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
> return NGX_CONF_ERROR;
> }
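Review bot: `conf->file`/`conf->line` are set only by the `ssl` and `starttls` handlers on the level where the directive appears, while `enable` and `starttls` are inherited by the merge calls above, so `ssl on;` in mail{} plus a server{} without `ssl_certificate` reaches the new `%s` error path with the server-level `file` presumably still NULL (unless the create_conf function outside the hunk sets it). Inherit the location before the checks: `if (conf->file == NULL) { conf->file = prev->file; conf->line = prev->line; }`. For the same reason the `ssl`/`starttls` conflict test in the two directive handlers only sees one level, so `ssl on;` in mail{} together with `starttls on;` in a server{} passes both handlers and this merge accepts the combination; repeat `if (conf->enable && conf->starttls != NGX_MAIL_STARTTLS_OFF)` here with an EMERG. The function starts outside the hunk.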
> @@ -292,6 +322,58 @@
>
>
> static char *
> +ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
> +{
> + ngx_mail_ssl_conf_t *scf = conf;
> +
> + char *rv;
> +
> + rv = ngx_conf_set_flag_slot(cf, cmd, conf);
> +
> + if (rv != NGX_CONF_OK) {
> + return rv;
> + }
> +
> + if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
> + ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
> + "\"starttls\" directive conflicts with \"ssl on\"");
> + return NGX_CONF_ERROR;
> + }
> +
> + scf->file = cf->conf_file->file.name.data;
> + scf->line = cf->conf_file->line;
> +
> + return NGX_CONF_OK;
> +}
> +
> +
> +static char *
> +ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
> +{
> + ngx_mail_ssl_conf_t *scf = conf;
> +
> + char *rv;
> +
> + rv = ngx_conf_set_enum_slot(cf, cmd, conf);
> +
> + if (rv != NGX_CONF_OK) {
> + return rv;
> + }
> +
> + if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
> + ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
> + "\"ssl\" directive conflicts with \"starttls\"");
> + return NGX_CONF_ERROR;
> + }
> +
> + scf->file = cf->conf_file->file.name.data;
> + scf->line = cf->conf_file->line;
> +
> + return NGX_CONF_OK;
> +}
> +
> +
> +static char *
> ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
> {
> ngx_mail_ssl_conf_t *scf = conf;
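Review bot: Both ngx_mail_ssl_enable and ngx_mail_ssl_starttls log the `ssl`/`starttls` conflict at NGX_LOG_WARN but then return NGX_CONF_ERROR, so the configuration is rejected with a message that looks like a warning; use `ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ...)` in both, matching the other fatal diagnostics in this patch. The two functions also test the flag differently (`scf->enable` versus `scf->enable == 1`); pick one form, `scf->enable == 1` being the safer since the unset value is negative. A one-line comment on each handler explaining that the location is recorded for the merge-time certificate check would help the next reader.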
> Index: src/mail/ngx_mail_ssl_module.h
> ===================================================================
> --- src/mail/ngx_mail_ssl_module.h (revision 1538)
> +++ src/mail/ngx_mail_ssl_module.h (working copy)
> @@ -20,12 +20,11 @@
>
> typedef struct {
> ngx_flag_t enable;
> + ngx_flag_t prefer_server_ciphers;
>
> ngx_ssl_t ssl;
>
> - ngx_flag_t prefer_server_ciphers;
> - ngx_flag_t starttls;
> -
> + ngx_uint_t starttls;
> ngx_uint_t protocols;
>
> ssize_t builtin_session_cache;
> @@ -39,6 +38,9 @@
> ngx_str_t ciphers;
>
> ngx_shm_zone_t *shm_zone;
> +
> + u_char *file;
> + ngx_uint_t line;
> } ngx_mail_ssl_conf_t;
>
>
> Index: src/mail/ngx_mail_handler.c
> ===================================================================
> --- src/mail/ngx_mail_handler.c (revision 1538)
> +++ src/mail/ngx_mail_handler.c (working copy)
> @@ -118,10 +118,29 @@
> sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
>
> if (sslcf->enable) {
> + c->log->action = "SSL handshaking";
> +
> ngx_mail_ssl_init_connection(&sslcf->ssl, c);
> return;
> }
> +
> + if (imia[i].ssl) {
> +
> + c->log->action = "SSL handshaking";
> +
> + if (sslcf->ssl.ctx == NULL) {
> + ngx_log_error(NGX_LOG_ERR, c->log, 0,
> + "no \"ssl_certificate\" is defined "
> + "in server listening on SSL port");
> + ngx_mail_close_connection(c);
> + return;
> + }
> +
> + ngx_mail_ssl_init_connection(&sslcf->ssl, c);
> + return;
> }
> +
> + }
> #endif
>
> ngx_mail_init_session(c);
>
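Review bot: The `sslcf->enable` branch and the new `imia[i].ssl` branch duplicate the `c->log->action` assignment and the `ngx_mail_ssl_init_connection` call, and the `ssl.ctx == NULL` guard is applied to only one of them, unlike the HTTP side of this patch which folds both cases into `if (sscf->enable || hia[i].ssl)`. Use the same combined condition here so there is a single handshake path and the guard covers both. As with the HTTP side, a `listen ... ssl` server without a certificate is reported only per connection at NGX_LOG_ERR; a configuration-time check would surface it in `nginx -t` instead of flooding the error log. The `#if (NGX_MAIL_SSL)` block closed at the end of the hunk opens outside it.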