|
1 | 1 | diff --git lib/ngx/balancer.lua lib/ngx/balancer.lua |
2 | | -index 7d64d63..781cbd1 100644 |
| 2 | +index 18bdc2c..cc1c61a 100644 |
3 | 3 | --- lib/ngx/balancer.lua |
4 | 4 | +++ lib/ngx/balancer.lua |
5 | | -@@ -3,6 +3,7 @@ |
| 5 | +@@ -3,7 +3,7 @@ |
6 | 6 |
|
7 | 7 | local base = require "resty.core.base" |
8 | 8 | base.allows_subsystem('http', 'stream') |
| 9 | +- |
9 | 10 | +require "resty.core.hash" |
10 | 11 |
|
11 | | - |
12 | 12 | local ffi = require "ffi" |
13 | | -@@ -17,8 +18,10 @@ local error = error |
| 13 | + local C = ffi.C |
| 14 | +@@ -20,6 +20,7 @@ local error = error |
14 | 15 | local type = type |
15 | 16 | local tonumber = tonumber |
16 | 17 | local max = math.max |
17 | 18 | +local ngx_crc32_long = ngx.crc32_long |
| 19 | + |
18 | 20 | local subsystem = ngx.config.subsystem |
19 | 21 | local ngx_lua_ffi_balancer_set_current_peer |
20 | | -+local ngx_lua_ffi_balancer_enable_keepalive |
21 | | - local ngx_lua_ffi_balancer_set_more_tries |
22 | | - local ngx_lua_ffi_balancer_get_last_failure |
23 | | - local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http |
24 | | -@@ -27,7 +30,11 @@ local ngx_lua_ffi_balancer_set_timeouts -- used by both stream and http |
25 | | - if subsystem == 'http' then |
26 | | - ffi.cdef[[ |
| 22 | +@@ -36,7 +37,7 @@ if subsystem == 'http' then |
27 | 23 | int ngx_http_lua_ffi_balancer_set_current_peer(ngx_http_request_t *r, |
28 | | -- const unsigned char *addr, size_t addr_len, int port, char **err); |
29 | | -+ const unsigned char *addr, size_t addr_len, int port, |
| 24 | + const unsigned char *addr, size_t addr_len, int port, |
| 25 | + const unsigned char *host, ssize_t host_len, |
| 26 | +- char **err); |
30 | 27 | + unsigned int cpool_crc32, unsigned int cpool_size, char **err); |
31 | | -+ |
32 | | -+ int ngx_http_lua_ffi_balancer_enable_keepalive(ngx_http_request_t *r, |
33 | | -+ unsigned long timeout, unsigned int max_requests, char **err); |
34 | | - |
35 | | - int ngx_http_lua_ffi_balancer_set_more_tries(ngx_http_request_t *r, |
36 | | - int count, char **err); |
37 | | -@@ -46,6 +53,9 @@ if subsystem == 'http' then |
38 | | - ngx_lua_ffi_balancer_set_current_peer = |
39 | | - C.ngx_http_lua_ffi_balancer_set_current_peer |
40 | 28 |
|
41 | | -+ ngx_lua_ffi_balancer_enable_keepalive = |
42 | | -+ C.ngx_http_lua_ffi_balancer_enable_keepalive |
43 | | -+ |
44 | | - ngx_lua_ffi_balancer_set_more_tries = |
45 | | - C.ngx_http_lua_ffi_balancer_set_more_tries |
46 | | - |
47 | | -@@ -96,6 +106,11 @@ else |
| 29 | + int ngx_http_lua_ffi_balancer_enable_keepalive(ngx_http_request_t *r, |
| 30 | + unsigned long timeout, unsigned int max_requests, char **err); |
| 31 | +@@ -130,6 +131,7 @@ else |
| 32 | + error("unknown subsystem: " .. subsystem) |
48 | 33 | end |
49 | 34 |
|
50 | | - |
51 | 35 | +local DEFAULT_KEEPALIVE_POOL_SIZE = 30 |
52 | | -+local DEFAULT_KEEPALIVE_IDLE_TIMEOUT = 60000 |
53 | | -+local DEFAULT_KEEPALIVE_MAX_REQUESTS = 100 |
54 | | -+ |
55 | | -+ |
56 | | - local peer_state_names = { |
57 | | - [1] = "keepalive", |
58 | | - [2] = "next", |
59 | | -@@ -106,25 +121,147 @@ local peer_state_names = { |
60 | | - local _M = { version = base.version } |
| 36 | + local DEFAULT_KEEPALIVE_IDLE_TIMEOUT = 60000 |
| 37 | + local DEFAULT_KEEPALIVE_MAX_REQUESTS = 100 |
61 | 38 |
|
| 39 | +@@ -143,27 +145,61 @@ local peer_state_names = { |
| 40 | + local _M = { version = base.version } |
62 | 41 |
|
63 | | --function _M.set_current_peer(addr, port) |
64 | | -- local r = get_request() |
65 | | -- if not r then |
66 | | -- error("no request found") |
67 | | -+if subsystem == "http" then |
| 42 | + if subsystem == "http" then |
| 43 | +- function _M.set_current_peer(addr, port, host) |
68 | 44 | + function _M.set_current_peer(addr, port, opts) |
69 | | -+ local r = get_request() |
70 | | -+ if not r then |
71 | | -+ error("no request found") |
72 | | -+ end |
73 | | -+ |
| 45 | + local r = get_request() |
| 46 | + if not r then |
| 47 | + error("no request found") |
| 48 | + end |
| 49 | + |
74 | 50 | + local pool_crc32 |
75 | 51 | + local pool_size |
76 | | -+ |
77 | 52 | + if opts then |
78 | 53 | + if type(opts) ~= "table" then |
79 | 54 | + error("bad argument #3 to 'set_current_peer' " .. |
@@ -104,116 +79,113 @@ index 7d64d63..781cbd1 100644 |
104 | 79 | + end |
105 | 80 | + end |
106 | 81 | + |
107 | | -+ if not port then |
108 | | -+ port = 0 |
109 | | -+ |
110 | | -+ elseif type(port) ~= "number" then |
111 | | -+ port = tonumber(port) |
112 | | -+ end |
| 82 | + if not port then |
| 83 | + port = 0 |
113 | 84 | + |
| 85 | + elseif type(port) ~= "number" then |
| 86 | + port = tonumber(port) |
| 87 | + end |
| 88 | + |
| 89 | +- if host ~= nil and type(host) ~= "string" then |
| 90 | +- error("bad argument #3 to 'set_current_peer' " |
| 91 | +- .. "(string expected, got " .. type(host) .. ")") |
114 | 92 | + if not pool_crc32 then |
115 | 93 | + pool_crc32 = 0 |
116 | | -+ end |
117 | | -+ |
| 94 | + end |
| 95 | + |
| 96 | +- local rc = ngx_lua_ffi_balancer_set_current_peer(r, addr, #addr, |
| 97 | +- port, |
| 98 | +- host, |
| 99 | +- host and #host or 0, |
118 | 100 | + if not pool_size then |
119 | 101 | + pool_size = DEFAULT_KEEPALIVE_POOL_SIZE |
120 | 102 | + end |
121 | 103 | + |
122 | 104 | + local rc = ngx_lua_ffi_balancer_set_current_peer(r, addr, #addr, port, |
123 | 105 | + pool_crc32, pool_size, |
124 | | -+ errmsg) |
125 | | -+ if rc == FFI_OK then |
126 | | -+ return true |
127 | | -+ end |
128 | | -+ |
129 | | -+ return nil, ffi_str(errmsg[0]) |
| 106 | + errmsg) |
| 107 | + if rc == FFI_OK then |
| 108 | + return true |
| 109 | +@@ -172,26 +208,26 @@ if subsystem == "http" then |
| 110 | + return nil, ffi_str(errmsg[0]) |
130 | 111 | end |
131 | | - |
132 | | -- if not port then |
133 | | -- port = 0 |
134 | | -- elseif type(port) ~= "number" then |
135 | | -- port = tonumber(port) |
136 | | -+else |
| 112 | + else |
| 113 | +- function _M.set_current_peer(addr, port, host) |
137 | 114 | + function _M.set_current_peer(addr, port, opts) |
138 | | -+ local r = get_request() |
139 | | -+ if not r then |
140 | | -+ error("no request found") |
141 | | -+ end |
142 | | -+ |
| 115 | + local r = get_request() |
| 116 | + if not r then |
| 117 | + error("no request found") |
| 118 | + end |
| 119 | + |
143 | 120 | + if opts then |
144 | 121 | + error("bad argument #3 to 'set_current_peer' ('opts' not yet " .. |
145 | 122 | + "implemented in " .. subsystem .. " subsystem)", 2) |
146 | 123 | + end |
147 | 124 | + |
148 | | -+ if not port then |
149 | | -+ port = 0 |
150 | | -+ |
151 | | -+ elseif type(port) ~= "number" then |
152 | | -+ port = tonumber(port) |
153 | | -+ end |
| 125 | + if not port then |
| 126 | + port = 0 |
154 | 127 | + |
155 | | -+ local rc = ngx_lua_ffi_balancer_set_current_peer(r, addr, #addr, |
| 128 | + elseif type(port) ~= "number" then |
| 129 | + port = tonumber(port) |
| 130 | + end |
| 131 | + |
| 132 | +- if host ~= nil then |
| 133 | +- error("bad argument #3 to 'set_current_peer' ('host' not yet " .. |
| 134 | +- "implemented in " .. subsystem .. " subsystem)", 2) |
| 135 | +- end |
| 136 | +- |
| 137 | + local rc = ngx_lua_ffi_balancer_set_current_peer(r, addr, #addr, |
| 138 | +- port, |
| 139 | +- errmsg) |
156 | 140 | + port, errmsg) |
157 | | -+ if rc == FFI_OK then |
158 | | -+ return true |
159 | | -+ end |
160 | | -+ |
161 | | -+ return nil, ffi_str(errmsg[0]) |
162 | | - end |
163 | | -+end |
| 141 | + if rc == FFI_OK then |
| 142 | + return true |
| 143 | + end |
| 144 | +diff --git lib/ngx/ssl.lua lib/ngx/ssl.lua |
| 145 | +index b696bea..f3b20e0 100644 |
| 146 | +--- lib/ngx/ssl.lua |
| 147 | ++++ lib/ngx/ssl.lua |
| 148 | +@@ -100,7 +100,7 @@ if subsystem == 'http' then |
| 149 | + void ngx_http_lua_ffi_free_priv_key(void *cdata); |
164 | 150 |
|
165 | | -- local rc = ngx_lua_ffi_balancer_set_current_peer(r, addr, #addr, |
166 | | -- port, errmsg) |
167 | | -- if rc == FFI_OK then |
168 | | -- return true |
169 | | -+ |
170 | | -+if subsystem == "http" then |
171 | | -+ function _M.enable_keepalive(idle_timeout, max_requests) |
172 | | -+ local r = get_request() |
173 | | -+ if not r then |
174 | | -+ error("no request found") |
175 | | -+ end |
176 | | -+ |
177 | | -+ if not idle_timeout then |
178 | | -+ idle_timeout = DEFAULT_KEEPALIVE_IDLE_TIMEOUT |
179 | | -+ |
180 | | -+ elseif type(idle_timeout) ~= "number" then |
181 | | -+ error("bad argument #1 to 'enable_keepalive' " .. |
182 | | -+ "(number expected, got " .. type(idle_timeout) .. ")", 2) |
183 | | -+ |
184 | | -+ elseif idle_timeout < 0 then |
185 | | -+ error("bad argument #1 to 'enable_keepalive' (expected >= 0)", 2) |
186 | | -+ |
187 | | -+ else |
188 | | -+ idle_timeout = idle_timeout * 1000 |
189 | | -+ end |
190 | | -+ |
191 | | -+ if not max_requests then |
192 | | -+ max_requests = DEFAULT_KEEPALIVE_MAX_REQUESTS |
193 | | -+ |
194 | | -+ elseif type(max_requests) ~= "number" then |
195 | | -+ error("bad argument #2 to 'enable_keepalive' " .. |
196 | | -+ "(number expected, got " .. type(max_requests) .. ")", 2) |
197 | | -+ |
198 | | -+ elseif max_requests < 0 then |
199 | | -+ error("bad argument #2 to 'enable_keepalive' (expected >= 0)", 2) |
200 | | -+ end |
201 | | -+ |
202 | | -+ local rc = ngx_lua_ffi_balancer_enable_keepalive(r, idle_timeout, |
203 | | -+ max_requests, errmsg) |
204 | | -+ if rc == FFI_OK then |
205 | | -+ return true |
206 | | -+ end |
207 | | -+ |
208 | | -+ return nil, ffi_str(errmsg[0]) |
209 | | - end |
| 151 | + int ngx_http_lua_ffi_ssl_verify_client(void *r, |
| 152 | +- void *client_certs, void *trusted_certs, int depth, char **err); |
| 153 | ++ void *client_certs, void *trusted_certs, int depth, int reject_in_handshake, char **err); |
210 | 154 |
|
211 | | -- return nil, ffi_str(errmsg[0]) |
212 | | -+else |
213 | | -+ function _M.enable_keepalive() |
214 | | -+ error("'enable_keepalive' not yet implemented in " .. subsystem .. |
215 | | -+ " subsystem", 2) |
216 | | -+ end |
| 155 | + int ngx_http_lua_ffi_ssl_client_random(ngx_http_request_t *r, |
| 156 | + const unsigned char *out, size_t *outlen, char **err); |
| 157 | +@@ -198,7 +198,7 @@ elseif subsystem == 'stream' then |
| 158 | + void ngx_stream_lua_ffi_free_priv_key(void *cdata); |
| 159 | + |
| 160 | + int ngx_stream_lua_ffi_ssl_verify_client(void *r, |
| 161 | +- void *client_certs, void *trusted_certs, int depth, char **err); |
| 162 | ++ void *client_certs, void *trusted_certs, int depth, int reject_in_handshake, char **err); |
| 163 | + |
| 164 | + int ngx_stream_lua_ffi_ssl_client_random(ngx_stream_lua_request_t *r, |
| 165 | + unsigned char *out, size_t *outlen, char **err); |
| 166 | +@@ -484,7 +484,7 @@ function _M.set_priv_key(priv_key) |
217 | 167 | end |
218 | 168 |
|
219 | 169 |
|
| 170 | +-function _M.verify_client(client_certs, depth, trusted_certs) |
| 171 | ++function _M.verify_client(client_certs, depth, trusted_certs, reject_in_handshake) |
| 172 | + local r = get_request() |
| 173 | + if not r then |
| 174 | + error("no request found") |
| 175 | +@@ -494,8 +494,15 @@ function _M.verify_client(client_certs, depth, trusted_certs) |
| 176 | + depth = -1 |
| 177 | + end |
| 178 | + |
| 179 | ++ if reject_in_handshake == nil then |
| 180 | ++ -- reject by default so we can migrate to the new behavior |
| 181 | ++ -- without modifying Lua code |
| 182 | ++ reject_in_handshake = true |
| 183 | ++ end |
| 184 | ++ |
| 185 | ++ local reject_in_handshake_int = reject_in_handshake and 1 or 0 |
| 186 | + local rc = ngx_lua_ffi_ssl_verify_client(r, client_certs, trusted_certs, |
| 187 | +- depth, errmsg) |
| 188 | ++ depth, reject_in_handshake_int, errmsg) |
| 189 | + if rc == FFI_OK then |
| 190 | + return true |
| 191 | + end |
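Review bot: In the http branch of lib/ngx/balancer.lua the patched cdef for `ngx_http_lua_ffi_balancer_set_current_peer` keeps `host` and `host_len` and adds `cpool_crc32` and `cpool_size`, giving nine parameters, but the rewritten call passes only `r, addr, #addr, port, pool_crc32, pool_size, errmsg`. LuaJIT raises on a call to a non-variadic FFI function with the wrong argument count, so as shown every http `set_current_peer` call would error instead of selecting a peer. Either the call keeps the host slots, e.g. `port, nil, 0, pool_crc32, pool_size, errmsg)`, or the two host parameters are dropped from the cdef; which is right depends on the C prototype in the nginx-side patch, which is not visible here. A caller still passing a string `host` as the third argument now fails the `type(opts) ~= "table"` check, so the removal of the host feature deserves a line in the patch description.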