ACME: allow "acme_certificate server_name ...".

The parameter allows fetching the list of identifiers from the
server_name directive in the same server block.

Author: bavshin-f5

README.md

@@ -49,7 +49,6 @@ Add the moduel to the nginx configuration and configure as described below.
 
 ## Example Configuration
 
-
 ```nginx
 resolver 127.0.0.1;
 
@@ -64,7 +63,7 @@ acme_shared_zone 1M;
 server {
     server_name  .example.test;
 
-    acme_certificate .example.test
+    acme_certificate server_name
                      issuer=example;
 
     ssl_certificate     $acme_certificate;
@@ -209,14 +208,22 @@ challenge data for all the configured certificate issuers.
 
 ### acme_certificate
 
-**Syntax:** acme_certificate `identifier` ... `issuer` = `issuer_name` [ `key` = `alg[:size]` | `file` ]
+**Syntax:** acme_certificate `server_name` | `identifier` ... `issuer` = `issuer_name` [ `key` = `alg[:size]` | `file` ]
 
 **Default:** -
 
 **Context:** server
 
 Defines a certificate with the list of `identifier`s requested from
 issuer `issuer_name`.
+
+The `server_name` parameter allows taking the list of identifiers from the
+[server_name] directive in the same `server` block instead of specifying names
+explicitly. Not all the values accepted by [server_name] are valid certificate
+identifiers: regular expressions and wildcards are not supported.
+
+[server_name]: https://nginx.org/en/docs/http/ngx_http_core_module.html#server_name
+
 The `key` parameter sets the type of generated private key or a
 path to an existing file. Supported key algorithms and sizes:
 `ecdsa:256` (default), `ecdsa:384`,

src/conf.rs

@@ -39,6 +39,8 @@ pub struct AcmeServerConfig {
     // A single sertificate per server is supported for now.
     // With multiple certs we will have to implement certificate selection.
     pub order: Option<CertificateOrder<ngx_str_t, Pool>>,
+    /// Read identifiers set by "server_name" in the server block.
+    pub server_name: bool,
 }
 
 pub static mut NGX_HTTP_ACME_COMMANDS: [ngx_command_t; 4] = [
@@ -277,12 +279,17 @@ extern "C" fn cmd_add_certificate(
             continue;
         }
 
+        if value.as_bytes() == b"server_name" {
+            ascf.server_name = true;
+            continue;
+        }
+
         if let Err(err) = order.try_add_identifier(value) {
             return cf.error(args[0], &err);
         }
     }
 
-    if order.identifiers.is_empty() {
+    if order.identifiers.is_empty() && !ascf.server_name {
         return c"no identifiers".as_ptr().cast_mut();
     }
 
@@ -443,6 +450,25 @@ impl AcmeMainConfig {
                 continue;
             };
 
+            // At this point, the server names list should be fully initialized.
+            if ascf.server_name {
+                let server_names = unsafe { cscfp.server_names.as_slice() };
+
+                if let Err(err) = order.add_server_names(cf, server_names) {
+                    ngx_log_error!(NGX_LOG_EMERG, cf.log, "\"acme_certificate\": {err}");
+                    return Err(Status::NGX_ERROR);
+                }
+
+                if order.identifiers.is_empty() {
+                    ngx_log_error!(
+                        NGX_LOG_EMERG,
+                        cf.log,
+                        "\"acme_certificate\": no identifiers found in \"server_name\""
+                    );
+                    return Err(Status::NGX_ERROR);
+                }
+            }
+
             if let Some(issuer) = self.issuer_mut(&ascf.issuer) {
                 issuer.add_certificate_order(cf, order)?;
             } else {

src/conf/order.rs

@@ -3,10 +3,11 @@ use core::hash::{self, Hash, Hasher};
 use core::net::IpAddr;
 use core::str::Utf8Error;
 
-use nginx_sys::ngx_str_t;
+use nginx_sys::{ngx_conf_t, ngx_http_server_name_t, ngx_str_t};
 use ngx::allocator::{AllocError, Allocator, TryCloneIn};
 use ngx::collections::Vec;
 use ngx::core::{NgxString, Pool, Status};
+use ngx::ngx_log_error;
 use siphasher::sip::SipHasher;
 use thiserror::Error;
 
@@ -147,6 +148,34 @@ impl CertificateOrder<ngx_str_t, Pool> {
         Ok(())
     }
 
+    pub fn add_server_names(
+        &mut self,
+        cf: &mut ngx_conf_t,
+        server_names: &[ngx_http_server_name_t],
+    ) -> Result<(), IdentifierError> {
+        for server_name in server_names {
+            if !server_name.regex.is_null() {
+                ngx_log_error!(
+                    nginx_sys::NGX_LOG_WARN,
+                    cf.log,
+                    "\"acme_certificate\": unsupported regular expression in server_name: {}",
+                    server_name.name
+                );
+                continue;
+            }
+
+            // A valid server_name entry that we want to ignore.
+            // We'll fail properly later if that's the only entry.
+            if server_name.name.is_empty() {
+                continue;
+            }
+
+            self.try_add_identifier(&server_name.name)?;
+        }
+
+        Ok(())
+    }
+
     pub fn try_add_identifier(&mut self, value: &ngx_str_t) -> Result<(), IdentifierError> {
         if value.is_empty() {
             return Err(IdentifierError::Empty);