feature: enable ngx.var at the ssl_certificate_by_lua and ssl_client_hello_by_lua.

zhuizhuhaomeng · zhuizhuhaomeng · commit 7a40a36f7344 · 2025-01-11T10:23:49.000+08:00
diff --git a/src/ngx_stream_lua_variable.c b/src/ngx_stream_lua_variable.c
@@ -32,27 +32,39 @@ ngx_stream_lua_ffi_var_get(ngx_stream_lua_request_t *r, u_char *name_data,
     ngx_uint_t                   hash;
     ngx_str_t                    name;
 
-    ngx_stream_variable_value_t         *vv;
+    ngx_stream_session_t          *session;
+    ngx_stream_lua_ctx_t          *ctx;
+    ngx_stream_lua_ssl_ctx_t      *cctx;
+    ngx_stream_variable_value_t   *vv;
 
     if (r == NULL) {
         *err = "no request object found";
         return NGX_ERROR;
     }
 
+    session = r->session;
     if ((r)->connection->fd == (ngx_socket_t) -1) {
-        *err = "API disabled in the current context";
-        return NGX_ERROR;
+        ctx = ngx_stream_lua_get_module_ctx(r, ngx_stream_lua_module);
+        if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
+                            | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO))
+        {
+            cctx = ngx_stream_lua_ssl_get_ctx(r->connection->ssl->connection);
+            session = cctx->connection->data;
+
+        } else {
+            *err = "API disabled in the current context";
+            return NGX_ERROR;
+        }
     }
 
-
     hash = ngx_hash_strlow(lowcase_buf, name_data, name_len);
 
     name.data = lowcase_buf;
     name.len = name_len;
 
     dd("variable name: %.*s", (int) name_len, lowcase_buf);
 
-    vv = ngx_stream_get_variable(r->session, &name, hash);
+    vv = ngx_stream_get_variable(session, &name, hash);
 
     if (vv == NULL || vv->not_found) {
         return NGX_DECLINED;
diff --git a/t/139-ssl-cert-by.t b/t/139-ssl-cert-by.t
@@ -1787,3 +1787,73 @@ client socket file:
 --- no_error_log
 [error]
 [alert]
+
+
+
+=== TEST 27: call ngx.var
+--- stream_config
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        ssl_certificate_by_lua_block {
+            ngx.log(ngx.INFO, "hostname:", ngx.var.hostname)
+        }
+
+        ssl_certificate ../../cert/test.crt;
+        ssl_certificate_key ../../cert/test.key;
+
+        return 'it works!\n';
+    }
+--- stream_server_config
+    lua_ssl_trusted_certificate ../../cert/test.crt;
+
+    content_by_lua_block {
+        do
+            local sock = ngx.socket.tcp()
+
+            sock:settimeout(2000)
+
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local sess, err = sock:sslhandshake(nil, "test.com", true)
+            if not sess then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+
+            ngx.say("ssl handshake: ", type(sess))
+
+            while true do
+                local line, err = sock:receive()
+                if not line then
+                    -- ngx.say("failed to receive response status line: ", err)
+                    break
+                end
+
+                ngx.say("received: ", line)
+            end
+
+            local ok, err = sock:close()
+            ngx.say("close: ", ok, " ", err)
+        end  -- do
+        -- collectgarbage()
+    }
+
+--- stream_response
+connected: 1
+ssl handshake: userdata
+received: it works!
+close: 1 nil
+
+--- error_log
+lua ssl server name: "test.com"
+
+--- no_error_log
+[error]
+[alert]
+[crit]
diff --git a/t/162-ssl-client-hello-by.t b/t/162-ssl-client-hello-by.t
@@ -1806,3 +1806,74 @@ ssl handshake: userdata
 uthread: hello from f()
 uthread: killed
 uthread: failed to kill: already waited or killed
+
+
+
+=== TEST 27: call ngx.var
+--- stream_config
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        ssl_client_hello_by_lua_block {
+            ngx.log(ngx.INFO, "hostname: ", ngx.var.hostname)
+        }
+
+        ssl_certificate ../../cert/test.crt;
+        ssl_certificate_key ../../cert/test.key;
+
+        return 'it works!\n';
+    }
+
+--- stream_server_config
+    lua_ssl_trusted_certificate ../../cert/test.crt;
+
+    content_by_lua_block {
+        do
+            local sock = ngx.socket.tcp()
+
+            sock:settimeout(2000)
+
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+
+            ngx.say("connected: ", ok)
+
+            local sess, err = sock:sslhandshake(nil, "test.com", true)
+            if not sess then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+
+            ngx.say("ssl handshake: ", type(sess))
+
+            while true do
+                local line, err = sock:receive()
+                if not line then
+                    -- ngx.say("failed to receive response status line: ", err)
+                    break
+                end
+
+                ngx.say("received: ", line)
+            end
+
+            local ok, err = sock:close()
+            ngx.say("close: ", ok, " ", err)
+        end  -- do
+        -- collectgarbage()
+    }
+
+--- stream_response
+connected: 1
+ssl handshake: userdata
+received: it works!
+close: 1 nil
+
+--- error_log
+lua ssl server name: "test.com"
+
+--- no_error_log
+[error]
+[alert]
+[crit]
