Merge branch 'main' of github.com:api7/apisix-nginx-module into 12711

Author: shreemaan-abhishek

.github/workflows/ci.yml

@@ -30,6 +30,7 @@ jobs:
         run: |
           sudo apt install -y cpanminus build-essential libncurses5-dev libreadline-dev libssl-dev perl luarocks libpcre3 libpcre3-dev zlib1g-dev
           sudo luarocks install lua-resty-http > build.log 2>&1 || (cat build.log && exit 1)
+          sudo luarocks install lua-resty-openssl > build.log 2>&1 || (cat build.log && exit 1)
 
       - name: Before install
         run: |

lib/resty/apisix/upstream.lua

@@ -1,17 +1,20 @@
 local ffi = require("ffi")
 local base = require("resty.core.base")
 local get_request = base.get_request
+local get_phase = ngx.get_phase
 local C = ffi.C
 local NGX_ERROR = ngx.ERROR
+local NGX_OK = ngx.OK
 
 
 base.allows_subsystem("http")
 
 
 ffi.cdef([[
 typedef intptr_t        ngx_int_t;
-ngx_int_t
-ngx_http_apisix_upstream_set_cert_and_key(ngx_http_request_t *r, void *cert, void *key);
+ngx_int_t ngx_http_apisix_upstream_set_cert_and_key(ngx_http_request_t *r, void *cert, void *key);
+ngx_int_t ngx_http_apisix_upstream_set_ssl_trusted_store(ngx_http_request_t *r, void *store);
+int ngx_http_apisix_upstream_set_ssl_verify(ngx_http_request_t *r, int verify);
 ]])
 local _M = {}
 
@@ -30,5 +33,77 @@ function _M.set_cert_and_key(cert, key)
     return true
 end
 
+local set_ssl_trusted_store
+do
+    local ALLOWED_PHASES = {
+        ['rewrite'] = true,
+        ['balancer'] = true,
+        ['access'] = true,
+        ['preread'] = true,
+    }
+
+    local openssl_x509_store = require "resty.openssl.x509.store"
+    function set_ssl_trusted_store(store)
+        if not ALLOWED_PHASES[get_phase()] then
+            error("API disabled in the current context", 2)
+        end
+
+        if not openssl_x509_store.istype(store) then
+            error("store expects a resty.openssl.x509.store" ..
+                " object but get " .. type(store), 2)
+        end
+
+        local r = get_request()
+
+        local ret = C.ngx_http_apisix_upstream_set_ssl_trusted_store(
+            r, store.ctx)
+        if ret == NGX_OK then
+            return true
+        end
+
+        if ret == NGX_ERROR then
+            return nil, "error while setting upstream trusted store"
+        end
+
+        error("unknown return code: " .. tostring(ret))
+    end
+end
+_M.set_ssl_trusted_store = set_ssl_trusted_store
+
+
+local set_ssl_verify
+do
+    local ALLOWED_PHASES = {
+        ['rewrite'] = true,
+        ['balancer'] = true,
+        ['access'] = true,
+        ['preread'] = true,
+    }
+    function set_ssl_verify(verify)
+        if not ALLOWED_PHASES[get_phase()] then
+            error("API disabled in the current context", 2)
+        end
+
+        if type(verify) ~= 'boolean' then
+            error("verify expects a boolean but found " .. type(verify), 2)
+        end
+
+        local r = get_request()
+
+        local ret = C.ngx_http_apisix_upstream_set_ssl_verify(
+            r, verify)
+        if ret == NGX_OK then
+            return true
+        end
+
+        if ret == NGX_ERROR then
+            return nil, "error while setting upstream ssl verify mode"
+        end
+
+        error("unknown return code: " .. tostring(ret))
+    end
+end
+_M.set_ssl_verify = set_ssl_verify
+
 
 return _M

patch/1.21.4/nginx-upstream_mtls.patch

@@ -1,5 +1,5 @@
 diff --git src/http/ngx_http_upstream.c src/http/ngx_http_upstream.c
-index 76045c4..cee3e2a 100644
+index 04d813a..c812242 100644
 --- src/http/ngx_http_upstream.c
 +++ src/http/ngx_http_upstream.c
 @@ -8,6 +8,9 @@
@@ -10,9 +10,22 @@ index 76045c4..cee3e2a 100644
 +#include <ngx_http_apisix_module.h>
 +#endif
 
- #if (T_NGX_MULTI_UPSTREAM)
- #include <ngx_http_multi_upstream_module.h>
-@@ -1766,6 +1769,10 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
+ 
+ #if (NGX_HTTP_CACHE)
+@@ -1697,8 +1700,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
+                                            NGX_HTTP_INTERNAL_SERVER_ERROR);
+         return;
+     }
+-
++#if (NGX_HTTP_APISIX)
++    if (u->conf->ssl_server_name || ngx_http_apisix_get_upstream_ssl_verify(r, u->conf->ssl_verify)) {
++#else
+     if (u->conf->ssl_server_name || u->conf->ssl_verify) {
++#endif
+         if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) {
+             ngx_http_upstream_finalize_request(r, u,
+                                                NGX_HTTP_INTERNAL_SERVER_ERROR);
+@@ -1738,6 +1744,10 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
 
      r->connection->log->action = "SSL handshaking to upstream";
 
@@ -23,3 +36,15 @@ index 76045c4..cee3e2a 100644
      rc = ngx_ssl_handshake(c);
 
      if (rc == NGX_AGAIN) {
+@@ -1785,7 +1795,11 @@ ngx_http_upstream_ssl_handshake(ngx_http_request_t *r, ngx_http_upstream_t *u,
+ 
+     if (c->ssl->handshaked) {
+ 
++#if (NGX_HTTP_APISIX)
++        if (ngx_http_apisix_get_upstream_ssl_verify(r, u->conf->ssl_verify)) {
++#else
+         if (u->conf->ssl_verify) {
++#endif
+             rc = SSL_get_verify_result(c->ssl->connection);
+ 
+             if (rc != X509_V_OK) {

patch/1.25.3.1/nginx-upstream_mtls.patch

@@ -1,5 +1,5 @@
 diff --git src/http/ngx_http_upstream.c src/http/ngx_http_upstream.c
-index 2be233c..78474f3 100644
+index 2be233c..06bbbb9 100644
 --- src/http/ngx_http_upstream.c
 +++ src/http/ngx_http_upstream.c
 @@ -8,6 +8,9 @@
@@ -12,7 +12,20 @@ index 2be233c..78474f3 100644
 
 
  #if (NGX_HTTP_CACHE)
-@@ -1756,6 +1759,10 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
+@@ -1713,8 +1716,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
+                                            NGX_HTTP_INTERNAL_SERVER_ERROR);
+         return;
+     }
+-
++#if (NGX_HTTP_APISIX)
++    if (u->conf->ssl_server_name || ngx_http_apisix_get_upstream_ssl_verify(r, u->conf->ssl_verify)) {
++#else
+     if (u->conf->ssl_server_name || u->conf->ssl_verify) {
++#endif
+         if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) {
+             ngx_http_upstream_finalize_request(r, u,
+                                                NGX_HTTP_INTERNAL_SERVER_ERROR);
+@@ -1756,6 +1762,10 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
 
      r->connection->log->action = "SSL handshaking to upstream";
 
@@ -23,3 +36,15 @@ index 2be233c..78474f3 100644
      rc = ngx_ssl_handshake(c);
 
      if (rc == NGX_AGAIN) {
+@@ -1803,7 +1813,11 @@ ngx_http_upstream_ssl_handshake(ngx_http_request_t *r, ngx_http_upstream_t *u,
+ 
+     if (c->ssl->handshaked) {
+ 
++#if (NGX_HTTP_APISIX)
++        if (ngx_http_apisix_get_upstream_ssl_verify(r, u->conf->ssl_verify)) {
++#else
+         if (u->conf->ssl_verify) {
++#endif
+             rc = SSL_get_verify_result(c->ssl->connection);
+ 
+             if (rc != X509_V_OK) {

src/ngx_http_apisix_module.c

@@ -158,6 +158,15 @@ ngx_http_apisix_cleanup_cert_and_key(ngx_http_apisix_ctx_t *ctx)
         ctx->upstream_pkey = NULL;
     }
 }
+
+static void
+ngx_http_apisix_cleanup_trusted_store(ngx_http_apisix_ctx_t *ctx)
+{
+    if (ctx->upstream_trusted_store != NULL) {
+        X509_STORE_free(ctx->upstream_trusted_store);
+        ctx->upstream_trusted_store = NULL;
+    }
+}
 #endif
 
 
@@ -168,6 +177,7 @@ ngx_http_apisix_cleanup(void *data)
 
 #if (NGX_HTTP_SSL)
     ngx_http_apisix_cleanup_cert_and_key(ctx);
+    ngx_http_apisix_cleanup_trusted_store(ctx);
 #endif
 }
 
@@ -250,6 +260,41 @@ ngx_http_apisix_upstream_set_cert_and_key(ngx_http_request_t *r,
     return NGX_ERROR;
 }
 
+ngx_int_t
+ngx_http_apisix_upstream_set_ssl_trusted_store(ngx_http_request_t *r, void *data)
+{
+    X509_STORE                  *store = data;
+    ngx_http_apisix_ctx_t       *ctx;
+
+    if (store == NULL) {
+        return NGX_ERROR;
+    }
+
+    ctx = ngx_http_apisix_get_module_ctx(r);
+
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+
+    if (ctx->upstream_trusted_store != NULL) {
+        ngx_http_apisix_cleanup_trusted_store(ctx);
+    }
+    
+    if (X509_STORE_up_ref(store) == 0) {
+        goto failed;
+    }
+
+    ctx->upstream_trusted_store = store;
+
+    return NGX_OK;
+
+failed:
+
+    ngx_http_apisix_flush_ssl_error();
+
+    return NGX_ERROR;
+}
+
 
 void
 ngx_http_apisix_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c)
@@ -258,6 +303,7 @@ ngx_http_apisix_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c)
     ngx_http_apisix_ctx_t       *ctx;
     STACK_OF(X509)              *cert;
     EVP_PKEY                    *pkey;
+    X509_STORE                  *store;
     X509                        *x509;
 #ifdef OPENSSL_IS_BORINGSSL
     size_t                       i;
@@ -275,8 +321,9 @@ ngx_http_apisix_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c)
     }
 
     if (ctx->upstream_cert != NULL) {
-        cert = ctx->upstream_cert;
-        pkey = ctx->upstream_pkey;
+        cert  = ctx->upstream_cert;
+        pkey  = ctx->upstream_pkey;
+        store = ctx->upstream_trusted_store;
 
         if (sk_X509_num(cert) < 1) {
             ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
@@ -317,6 +364,17 @@ ngx_http_apisix_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c)
                           "SSL_use_PrivateKey() failed");
             goto failed;
         }
+
+        if (store != NULL) {
+            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+                           "overriding upstream SSL trusted store");
+        
+            if (SSL_set1_verify_cert_store(sc, store) == 0) {
+                ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
+                              "SSL_set1_verify_cert_store() failed");
+                goto failed;
+            }
+        }
     }
 
     return;
@@ -325,6 +383,42 @@ ngx_http_apisix_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c)
 
     ngx_http_apisix_flush_ssl_error();
 }
+
+
+int
+ngx_http_apisix_upstream_set_ssl_verify(ngx_http_request_t *r, int verify)
+{
+    ngx_http_apisix_ctx_t       *ctx;
+
+    ctx = ngx_http_apisix_get_module_ctx(r);
+
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+    
+    ctx->upstream_ssl_verify_set = 1;
+    ctx->upstream_ssl_verify = verify;
+
+    return NGX_OK;
+}
+
+ngx_flag_t
+ngx_http_apisix_get_upstream_ssl_verify(ngx_http_request_t *r, ngx_flag_t proxy_ssl_verify)
+{
+    ngx_http_apisix_ctx_t       *ctx;
+
+    ctx = ngx_http_apisix_get_module_ctx(r);
+
+    if (ctx == NULL) {
+        return proxy_ssl_verify;
+    }
+
+    if (!ctx->upstream_ssl_verify_set) {
+        return proxy_ssl_verify;
+    }
+
+    return ctx->upstream_ssl_verify;
+}
 #endif
 
 

src/ngx_http_apisix_module.h

@@ -22,6 +22,7 @@ typedef struct {
 typedef struct {
     STACK_OF(X509)      *upstream_cert;
     EVP_PKEY            *upstream_pkey;
+    X509_STORE          *upstream_trusted_store;
 
     off_t                client_max_body_size;
 
@@ -34,10 +35,13 @@ typedef struct {
     unsigned             request_header_set:1;
     unsigned             header_filter_by_lua_skipped:1;
     unsigned             body_filter_by_lua_skipped:1;
+    unsigned             upstream_ssl_verify:1;
+    unsigned             upstream_ssl_verify_set:1;
 } ngx_http_apisix_ctx_t;
 
 
 void ngx_http_apisix_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c);
+ngx_flag_t ngx_http_apisix_get_upstream_ssl_verify(ngx_http_request_t *r, ngx_flag_t proxy_ssl_verify);
 
 ngx_flag_t ngx_http_apisix_delay_client_max_body_check(ngx_http_request_t *r);
 off_t ngx_http_apisix_client_max_body_size(ngx_http_request_t *r);