ACME: remove per-issuer resolver configuration.

bavshin-f5 · bavshin-f5 · commit 2557fb599a14 · 2025-07-31T13:24:31.000-07:00
The resolver configuration is an implementation detail that might become
unneeded in the future, thus we should avoid exposing it unless
absolutely necessary.
diff --git a/README.md b/README.md
@@ -46,6 +46,9 @@ the linker to perform LTO and dead code elimination.
 ## How to Use
 
 Add the module to the nginx configuration and configure as described below.
+Note that this module requires a [resolver] configuration in the `http` block.
+
+[resolver]: https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver
 
 ## Example Configuration
 
@@ -139,35 +142,6 @@ explicitly.
 
 Can be specified multiple times.
 
-### resolver
-
-**Syntax:** resolver `address` ... [ `valid` = `time` ] [ `ipv4` = `on` | `off` ] [ `ipv6` = `on` | `off` ] [ `status_zone` = `zone` ]
-
-**Default:** -
-
-**Context:** acme_issuer
-
-Configures name servers used to resolve names of upstream servers into
-addresses.
-See [resolver](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver)
-for the parameter reference.
-
-Required, but can be inherited from the `http` block.
-### resolver_timeout
-
-**Syntax:** resolver_timeout `time`
-
-**Default:** 30s
-
-**Context:** acme_issuer
-
-Sets a timeout for name resolution, for example:
-
-```nginx
-resolver_timeout 5s;
-
-```
-
 ### ssl_trusted_certificate
 
 **Syntax:** ssl_trusted_certificate `file`
diff --git a/src/conf.rs b/src/conf.rs
@@ -74,7 +74,7 @@ pub static mut NGX_HTTP_ACME_COMMANDS: [ngx_command_t; 4] = [
     ngx_command_t::empty(),
 ];
 
-static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 10] = [
+static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 8] = [
     ngx_command_t {
         name: ngx_string!("uri"),
         type_: NGX_CONF_TAKE1 as ngx_uint_t,
@@ -99,22 +99,6 @@ static mut NGX_HTTP_ACME_ISSUER_COMMANDS: [ngx_command_t; 10] = [
         offset: 0,
         post: ptr::null_mut(),
     },
-    ngx_command_t {
-        name: ngx_string!("resolver"),
-        type_: NGX_CONF_TAKE1 as ngx_uint_t,
-        set: Some(cmd_issuer_set_resolver),
-        conf: 0,
-        offset: 0,
-        post: ptr::null_mut(),
-    },
-    ngx_command_t {
-        name: ngx_string!("resolver_timeout"),
-        type_: NGX_CONF_TAKE1 as ngx_uint_t,
-        set: Some(nginx_sys::ngx_conf_set_msec_slot),
-        conf: 0,
-        offset: mem::offset_of!(Issuer, resolver_timeout),
-        post: ptr::null_mut(),
-    },
     ngx_command_t {
         name: ngx_string!("ssl_trusted_certificate"),
         type_: NGX_CONF_TAKE1 as ngx_uint_t,
@@ -394,32 +378,6 @@ extern "C" fn cmd_issuer_set_account_key(
     NGX_CONF_OK
 }
 
-extern "C" fn cmd_issuer_set_resolver(
-    cf: *mut ngx_conf_t,
-    _cmd: *mut ngx_command_t,
-    conf: *mut c_void,
-) -> *mut c_char {
-    let cf = unsafe { cf.as_mut().expect("cf") };
-    let issuer = unsafe { conf.cast::<Issuer>().as_mut().expect("issuer conf") };
-
-    if issuer.resolver.is_some() {
-        return NGX_CONF_DUPLICATE;
-    }
-
-    let args = unsafe { &mut *cf.args };
-    let value: *mut ngx_str_t = args.elts.cast();
-
-    issuer.resolver = ptr::NonNull::new(unsafe {
-        nginx_sys::ngx_resolver_create(cf, value.add(1), args.nelts - 1)
-    });
-
-    if issuer.resolver.is_none() {
-        return NGX_CONF_ERROR;
-    }
-
-    NGX_CONF_OK
-}
-
 extern "C" fn cmd_issuer_set_uri(
     cf: *mut ngx_conf_t,
     _cmd: *mut ngx_command_t,
diff --git a/src/conf/issuer.rs b/src/conf/issuer.rs
@@ -59,7 +59,7 @@ pub enum IssuerError {
     AccountKey(super::ssl::CertificateFetchError),
     #[error("cannot generate account key: {0}")]
     AccountKeyGen(#[from] super::pkey::PKeyGenError),
-    #[error("resolver is not configured")]
+    #[error("\"resolver\" is not configured")]
     Resolver,
     #[error("memory allocation failed")]
     Alloc(#[from] AllocError),
diff --git a/t/acme_conf_certificate.t b/t/acme_conf_certificate.t
@@ -54,9 +54,10 @@ http {
 
     acme_issuer example {
         uri https://localhost:%%PORT_9000%%/dir;
-        resolver 127.0.0.1:%%PORT_8980_UDP%%;
-	ssl_verify off;
+        ssl_verify off;
     }
+
+    resolver 127.0.0.1:%%PORT_8980_UDP%%;
 }
 
 EOF
diff --git a/t/acme_conf_issuer.t b/t/acme_conf_issuer.t
@@ -24,7 +24,7 @@ use Test::Nginx;
 select STDERR; $| = 1;
 select STDOUT; $| = 1;
 
-my $t = Test::Nginx->new()->has(qw/http http_ssl/)->plan(8);
+my $t = Test::Nginx->new()->has(qw/http http_ssl/)->plan(7);
 
 use constant TEMPLATE_CONF => <<'EOF';
 
@@ -68,29 +68,18 @@ acme_issuer example {
     uri https://localhost:%%PORT_9000%%/dir;
     account_key ecdsa:256;
     contact admin@example.test;
-    resolver 127.0.0.1:%%PORT_8980_UDP%%;
-    resolver_timeout 5s;
     ssl_verify off;
     state_path %%TESTDIR%%;
     accept_terms_of_service;
 }
 
-EOF
-
-
-is(check($t, <<'EOF' ), undef, 'valid - resolver in server');
-
-acme_issuer example {
-    uri https://localhost:%%PORT_9000%%/dir;
-    ssl_verify off;
-}
-
 resolver 127.0.0.1:%%PORT_8980_UDP%%;
+resolver_timeout 5s;
 
 EOF
 
 
-like(check($t, <<'EOF' ), qr/\[emerg].*resolver is not/, 'no resolver');
+like(check($t, <<'EOF' ), qr/\[emerg].*"resolver" is not/, 'no resolver');
 
 acme_issuer example {
     uri https://localhost:%%PORT_9000%%/dir;
@@ -106,10 +95,11 @@ acme_shared_zone bad-value;
 
 acme_issuer example {
     uri https://localhost:%%PORT_9000%%/dir;
-    resolver 127.0.0.1:%%PORT_8980_UDP%%;
     ssl_verify off;
 }
 
+resolver 127.0.0.1:%%PORT_8980_UDP%%;
+
 EOF
 
 
@@ -119,10 +109,11 @@ acme_shared_zone zone=test:bad-size;
 
 acme_issuer example {
     uri https://localhost:%%PORT_9000%%/dir;
-    resolver 127.0.0.1:%%PORT_8980_UDP%%;
     ssl_verify off;
 }
 
+resolver 127.0.0.1:%%PORT_8980_UDP%%;
+
 EOF
 
 
@@ -131,10 +122,11 @@ like(check($t, <<'EOF' ), qr/\[emerg].*cannot load/, 'bad key file');
 acme_issuer example {
     uri https://localhost:%%PORT_9000%%/dir;
     account_key no-such-file.key;
-    resolver 127.0.0.1:%%PORT_8980_UDP%%;
     ssl_verify off;
 }
 
+resolver 127.0.0.1:%%PORT_8980_UDP%%;
+
 EOF
 
 
@@ -143,10 +135,11 @@ like(check($t, <<'EOF' ), qr/\[emerg].*unsupported curve/, 'bad key curve');
 acme_issuer example {
     uri https://localhost:%%PORT_9000%%/dir;
     account_key ecdsa:234;
-    resolver 127.0.0.1:%%PORT_8980_UDP%%;
     ssl_verify off;
 }
 
+resolver 127.0.0.1:%%PORT_8980_UDP%%;
+
 EOF
 
 
@@ -155,10 +148,11 @@ like(check($t, <<'EOF' ), qr/\[emerg].*unsupported key size/, 'bad key size');
 acme_issuer example {
     uri https://localhost:%%PORT_9000%%/dir;
     account_key rsa:1024;
-    resolver 127.0.0.1:%%PORT_8980_UDP%%;
     ssl_verify off;
 }
 
+resolver 127.0.0.1:%%PORT_8980_UDP%%;
+
 EOF
 
 # stop and clear the log to avoid triggering sanitizer checks

Original file line number	Diff line number	Diff line change
`@@ -54,9 +54,10 @@ http {`
`54`	`54`
`55`	`55`	`acme_issuer example {`
`56`	`56`	`uri https://localhost:%%PORT_9000%%/dir;`
`57`		`- resolver 127.0.0.1:%%PORT_8980_UDP%%;`
`58`		`- ssl_verify off;`
	`57`	`+ ssl_verify off;`
`59`	`58`	`}`
	`59`	`+`
	`60`	`+ resolver 127.0.0.1:%%PORT_8980_UDP%%;`
`60`	`61`	`}`
`61`	`62`
`62`	`63`	`EOF`