feat: allow setting TCP over TLS dynamically (#32)

Author: spacewander

.github/workflows/ci.yml

@@ -26,7 +26,8 @@ jobs:
 
       - name: Install
         run: |
-          wget https://raw.githubusercontent.com/api7/apisix-build-tools/master/build-apisix-base.sh
+          # TODO: change it back once we have merged it
+          wget https://raw.githubusercontent.com/api7/apisix-build-tools/stream-apisix/build-apisix-base.sh
           chmod +x build-apisix-base.sh
           OR_PREFIX=$OPENRESTY_PREFIX ./build-apisix-base.sh latest
 

Makefile

@@ -6,3 +6,5 @@ INSTALL ?= install
 install:
 	$(INSTALL) -d $(OPENRESTY_PREFIX)/lualib/resty/apisix/
 	$(INSTALL) -m 664 lib/resty/apisix/*.lua $(OPENRESTY_PREFIX)/lualib/resty/apisix/
+	$(INSTALL) -d $(OPENRESTY_PREFIX)/lualib/resty/apisix/stream
+	$(INSTALL) -m 664 lib/resty/apisix/stream/*.lua $(OPENRESTY_PREFIX)/lualib/resty/apisix/stream

lib/resty/apisix/stream/upstream.lua

@@ -0,0 +1,33 @@
+local ffi = require("ffi")
+local base = require("resty.core.base")
+local get_request = base.get_request
+local C = ffi.C
+local NGX_ERROR = ngx.ERROR
+
+
+base.allows_subsystem("stream")
+
+
+ffi.cdef([[
+typedef intptr_t        ngx_int_t;
+ngx_int_t
+ngx_stream_apisix_upstream_enable_tls(ngx_stream_lua_request_t *r);
+]])
+local _M = {}
+
+
+function _M.set_tls()
+    -- Unlike Kong, we choose to enable TLS instead of disabling it by Lua method.
+    -- This way is more intuitive.
+    -- The side effect is that we need to change Nginx to check `ssl_enable` flag instead.
+    local r = get_request()
+    local rc = C.ngx_stream_apisix_upstream_enable_tls(r)
+    if rc == NGX_ERROR then
+        return nil, "error while setting upstream tls"
+    end
+
+    return true
+end
+
+
+return _M

patch/1.19.9/nginx-tcp_over_tls.patch

@@ -0,0 +1,40 @@
+diff --git src/stream/ngx_stream_proxy_module.c src/stream/ngx_stream_proxy_module.c
+index b3d8a43..424c381 100644
+--- src/stream/ngx_stream_proxy_module.c
++++ src/stream/ngx_stream_proxy_module.c
+@@ -8,6 +8,9 @@
+ #include <ngx_config.h>
+ #include <ngx_core.h>
+ #include <ngx_stream.h>
++#if (NGX_STREAM_APISIX)
++#include <ngx_stream_apisix_module.h>
++#endif
+ 
+ 
+ typedef struct {
+@@ -812,7 +815,13 @@ ngx_stream_proxy_init_upstream(ngx_stream_session_t *s)
+ 
+ #if (NGX_STREAM_SSL)
+ 
++#if (NGX_STREAM_APISIX)
++    if (pc->type == SOCK_STREAM &&
++        (ngx_stream_apisix_is_proxy_ssl_enabled(s) || pscf->ssl_enable))
++    {
++#else
+     if (pc->type == SOCK_STREAM && pscf->ssl) {
++#endif
+ 
+         if (u->proxy_protocol) {
+             if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) {
+@@ -2126,7 +2135,11 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
+     ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+                               prev->ssl_conf_commands, NULL);
+ 
++#if (NGX_STREAM_APISIX)
++    if (ngx_stream_proxy_set_ssl(cf, conf) != NGX_OK) {
++#else
+     if (conf->ssl_enable && ngx_stream_proxy_set_ssl(cf, conf) != NGX_OK) {
++#endif
+         return NGX_CONF_ERROR;
+     }
+ 

patch/1.19.9/ngx_stream_lua-expose_request_struct.patch

@@ -0,0 +1,15 @@
+diff --git src/api/ngx_stream_lua_api.h src/api/ngx_stream_lua_api.h
+index 92f933d..812e0c4 100644
+--- src/api/ngx_stream_lua_api.h
++++ src/api/ngx_stream_lua_api.h
+@@ -20,6 +20,10 @@
+ #include <ngx_core.h>
+ 
+ 
++#if (NGX_STREAM_APISIX)
++#include <ngx_stream.h>
++#include "../ngx_stream_lua_request.h"
++#endif
+ 
+ 
+ #include <lua.h>

patch/README.md

@@ -6,6 +6,9 @@ We have modified them a lot and even changed the API.
 The `*-upstream_mtls` patches originally come from the Kong's kong-build-tools and lua-kong-nginx-module
 projects, which is also under Apache-2.0 License.
 
+The `*-expose_request_struct.patch` patches originally come from the Kong's kong-build-tools
+projects, which is also under Apache-2.0 License.
+
 The `*-ngx_pipe_environ_on_mac` patches support the environ argument of the ngx.pipe.spawn function on macos.
 
 The `*-enable_keepalive` patches originally come from:

src/stream/config

@@ -0,0 +1,11 @@
+ngx_module_type=STREAM
+ngx_module_name=ngx_stream_apisix_module
+ngx_module_srcs="$ngx_addon_dir/ngx_stream_apisix_module.c"
+ngx_module_deps=$ngx_addon_dir/ngx_stream_apisix_module.h
+ngx_module_incs="$ngx_addon_dir/"
+
+. auto/module
+
+ngx_addon_name=$ngx_module_name
+
+have=NGX_STREAM_APISIX . auto/have

src/stream/ngx_stream_apisix_module.c

@@ -0,0 +1,68 @@
+#include <ngx_stream.h>
+#include <ngx_stream_lua_api.h>
+#include "ngx_stream_apisix_module.h"
+
+
+typedef struct {
+    unsigned             proxy_ssl_enabled:1;
+} ngx_stream_apisix_ctx_t;
+
+
+static ngx_stream_module_t ngx_stream_apisix_module_ctx = {
+    NULL,                                    /* preconfiguration */
+    NULL,                                    /* postconfiguration */
+
+    NULL,                                    /* create main configuration */
+    NULL,                                    /* init main configuration */
+
+    NULL,                                    /* create server configuration */
+    NULL,                                    /* merge server configuration */
+};
+
+
+ngx_module_t ngx_stream_apisix_module = {
+    NGX_MODULE_V1,
+    &ngx_stream_apisix_module_ctx,       /* module context */
+    NULL,                                /* module directives */
+    NGX_STREAM_MODULE,                   /* module type */
+    NULL,                                /* init master */
+    NULL,                                /* init module */
+    NULL,                                /* init process */
+    NULL,                                /* init thread */
+    NULL,                                /* exit thread */
+    NULL,                                /* exit process */
+    NULL,                                /* exit master */
+    NGX_MODULE_V1_PADDING
+};
+
+
+ngx_int_t
+ngx_stream_apisix_upstream_enable_tls(ngx_stream_lua_request_t *r)
+{
+    ngx_stream_apisix_ctx_t       *ctx;
+
+    ctx = ngx_stream_lua_get_module_ctx(r, ngx_stream_apisix_module);
+    if (ctx == NULL) {
+        ctx = ngx_pcalloc(r->pool, sizeof(ngx_stream_apisix_ctx_t));
+        if (ctx == NULL) {
+            return NGX_ERROR;
+        }
+
+        ngx_stream_lua_set_ctx(r, ctx, ngx_stream_apisix_module);
+    }
+
+    ctx->proxy_ssl_enabled = 1;
+
+    return NGX_OK;
+}
+
+
+ngx_int_t
+ngx_stream_apisix_is_proxy_ssl_enabled(ngx_stream_session_t *s)
+{
+    ngx_stream_apisix_ctx_t       *ctx;
+
+    ctx = ngx_stream_get_module_ctx(s, ngx_stream_apisix_module);
+
+    return ctx != NULL && ctx->proxy_ssl_enabled;
+}

src/stream/ngx_stream_apisix_module.h

@@ -0,0 +1,11 @@
+#ifndef _NGX_STREAM_APISIX_H_INCLUDED_
+#define _NGX_STREAM_APISIX_H_INCLUDED_
+
+
+#include <ngx_stream.h>
+
+
+ngx_int_t ngx_stream_apisix_is_proxy_ssl_enabled(ngx_stream_session_t *s);
+
+
+#endif /* _NGX_STREAM_APISIX_H_INCLUDED_ */

t/APISIX_NGINX.pm

@@ -18,20 +18,31 @@ $ENV{TEST_NGINX_SERVER_SSL_PORT} = 23456;
 add_block_preprocessor(sub {
     my ($block) = @_;
 
-    if (!$block->request) {
-        $block->set_value("request", "GET /t");
-    }
-
     if (!$block->no_error_log && !$block->error_log) {
         $block->set_value("no_error_log", "[error]\n[alert]");
     }
 
-    my $http_config = $block->http_config // '';
-    $http_config .= <<_EOC_;
-    lua_package_path "lib/?.lua;;";
+    if (defined $block->config) {
+        if (!$block->request) {
+            $block->set_value("request", "GET /t");
+        }
+
+        my $http_config = $block->http_config // '';
+        $http_config .= <<_EOC_;
+        lua_package_path "lib/?.lua;;";
+_EOC_
+
+        $block->set_value("http_config", $http_config);
+    }
+
+    if (defined $block->stream_server_config) {
+        my $stream_config = $block->stream_config // '';
+        $stream_config .= <<_EOC_;
+        lua_package_path "lib/?.lua;;";
 _EOC_
 
-    $block->set_value("http_config", $http_config);
+        $block->set_value("stream_config", $stream_config);
+    }
 });