Commit f01f6de

feature: proxy_ssl_verify_by_lua* directives
runs after the upstream server's certificate has been received, allowing the upstream SSL handshake to be controlled dynamically with Lua
1 parent 90c3964 commit f01f6de

15 files changed

+1782
-7
lines changed

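--- a/README.md
+++ b/README.md
@@ -151,6 +151,8 @@ behavior.
 * [ssl_client_hello_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_client_hello_by_lua_file)
 * [ssl_certificate_by_lua_block](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)
 * [ssl_certificate_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_file)
+* [proxy_ssl_verify_by_lua_block](https://github.com/openresty/lua-nginx-module#proxy_ssl_verify_by_lua_block)
+* [proxy_ssl_verify_by_lua_file](https://github.com/openresty/lua-nginx-module#proxy_ssl_verify_by_lua_file)
 * [lua_shared_dict](https://github.com/openresty/lua-nginx-module#lua_shared_dict)
 * [lua_socket_connect_timeout](https://github.com/openresty/lua-nginx-module#lua_socket_connect_timeout)
 * [lua_socket_buffer_size](https://github.com/openresty/lua-nginx-module#lua_socket_buffer_size)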

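--- a/config
+++ b/config
@@ -278,6 +278,7 @@ STREAM_LUA_SRCS=" \
 $ngx_addon_dir/src/ngx_stream_lua_semaphore.c \
 $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.c \
 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.c \
+$ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_verifyby.c \
 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.c \
 $ngx_addon_dir/src/ngx_stream_lua_input_filters.c \
 "
@@ -322,6 +323,7 @@ STREAM_LUA_DEPS=" \
 $ngx_addon_dir/src/ngx_stream_lua_semaphore.h \
 $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.h \
 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.h \
+$ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_verifyby.h \
 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.h \
 $ngx_addon_dir/src/ngx_stream_lua_input_filters.h \
 "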

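--- a/src/ngx_stream_lua_common.h
+++ b/src/ngx_stream_lua_common.h
@@ -135,6 +135,7 @@
 #define NGX_STREAM_LUA_CONTEXT_PREREAD 0x0020
 #define NGX_STREAM_LUA_CONTEXT_SSL_CERT 0x0040
 #define NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO 0x0080
+#define NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY 0x0100
 
 
 #define NGX_STREAM_LUA_FFI_NO_REQ_CTX -100
@@ -269,6 +270,14 @@ struct ngx_stream_lua_srv_conf_s {
 ngx_str_t ssl_client_hello_src;
 u_char *ssl_client_hello_src_key;
 } srv;
+
+struct {
+ngx_stream_lua_srv_conf_handler_pt proxy_ssl_verify_handler;
+ngx_str_t proxy_ssl_verify_src;
+u_char *proxy_ssl_verify_src_key;
+
+ngx_flag_t upstream_skip_openssl_default_verify;
+} ups;
 #endif
 
 ngx_flag_t enable_code_cache; /* whether to enable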
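Review bot: The new `ups` member of `ngx_stream_lua_srv_conf_s` is added without a comment, and its `upstream_skip_openssl_default_verify` flag is the security-sensitive one: judging by its name and by the `lua_upstream_skip_openssl_default_verify` directive that sets it, turning it on makes the Lua handler the only check standing between the proxy and a forged upstream certificate. I would document that at the declaration, e.g. `/* proxy_ssl_verify_by_lua* state for upstream TLS handshakes */` on the struct and `/* NOTE: when on, OpenSSL's own chain-verification result is presumably ignored and the Lua handler alone decides — confirm against ngx_stream_lua_proxy_ssl_verifyby.c */` on the flag, adjusted once the runtime behaviour is confirmed. The enclosing struct begins and ends outside this hunk.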

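--- a/src/ngx_stream_lua_control.c
+++ b/src/ngx_stream_lua_control.c
@@ -116,14 +116,16 @@ ngx_stream_lua_ffi_exit(ngx_stream_lua_request_t *r, int status, u_char *err,
 | NGX_STREAM_LUA_CONTEXT_BALANCER
 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
 | NGX_STREAM_LUA_CONTEXT_SSL_CERT
-| NGX_STREAM_LUA_CONTEXT_PREREAD,
+| NGX_STREAM_LUA_CONTEXT_PREREAD
+| NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY,
 err, errlen) != NGX_OK)
 {
 return NGX_ERROR;
 }
 
 if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
-| NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO ))
+| NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
+| NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY ))
 {
 
 #if (NGX_STREAM_SSL)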

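--- a/src/ngx_stream_lua_coroutine.c
+++ b/src/ngx_stream_lua_coroutine.c
@@ -205,6 +205,7 @@ ngx_stream_lua_coroutine_resume(lua_State *L)
 | NGX_STREAM_LUA_CONTEXT_TIMER
 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
 | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+| NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 | NGX_STREAM_LUA_CONTEXT_PREREAD
 );
 
@@ -266,6 +267,7 @@ ngx_stream_lua_coroutine_yield(lua_State *L)
 | NGX_STREAM_LUA_CONTEXT_TIMER
 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
 | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+| NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 | NGX_STREAM_LUA_CONTEXT_PREREAD
 );
 
@@ -426,6 +428,7 @@ ngx_stream_lua_coroutine_status(lua_State *L)
 | NGX_STREAM_LUA_CONTEXT_TIMER
 | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
 | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+| NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 | NGX_STREAM_LUA_CONTEXT_PREREAD
 );
 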

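--- a/src/ngx_stream_lua_ctx.c
+++ b/src/ngx_stream_lua_ctx.c
@@ -97,7 +97,8 @@ ngx_stream_lua_ffi_get_ctx_ref(ngx_stream_lua_request_t *r, int *in_ssl_phase,
 }
 
 *in_ssl_phase = ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
-| NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO);
+| NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
+| NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY);
 *ssl_ctx_ref = LUA_NOREF;
 
 #if (NGX_STREAM_SSL)
@@ -131,7 +132,8 @@ ngx_stream_lua_ffi_set_ctx_ref(ngx_stream_lua_request_t *r, int ref)
 
 #if (NGX_STREAM_SSL)
 if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
-| NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO))
+| NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
+| NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY))
 {
 ssl_ctx = ngx_stream_lua_ssl_get_ctx(r->connection->ssl->connection);
 if (ssl_ctx == NULL) {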
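Review bot: Adding `NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY` to the test in `ngx_stream_lua_ffi_set_ctx_ref` routes the new phase into `ngx_stream_lua_ssl_get_ctx(r->connection->ssl->connection)`, which dereferences `r->connection->ssl` unconditionally. That was safe for the `ssl_cert` and `ssl_client_hello` phases, where `r->connection` is the client-facing TLS connection, but in an upstream verify callback the handshake under verification belongs to the upstream peer, and if the listener is plaintext `r->connection->ssl` is presumably NULL and this would crash — unless the verify handler runs on a fake request whose connection is the upstream one, which cannot be confirmed from this hunk (ngx_stream_lua_proxy_ssl_verifyby.c is not in view). I would either fetch the SSL object from the upstream connection for this context or guard with `if (r->connection->ssl == NULL) { /* same error return as the ssl_ctx == NULL path below */ }` before the dereference. The same question applies to the `#if (NGX_STREAM_SSL)` branch of `ngx_stream_lua_ffi_get_ctx_ref` in the first hunk, whose body is outside this view, and both functions continue past the hunk.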

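--- a/src/ngx_stream_lua_module.c
+++ b/src/ngx_stream_lua_module.c
@@ -30,6 +30,7 @@
 #include "ngx_stream_lua_semaphore.h"
 #include "ngx_stream_lua_ssl_client_helloby.h"
 #include "ngx_stream_lua_ssl_certby.h"
+#include "ngx_stream_lua_proxy_ssl_verifyby.h"
 
 
 #include "ngx_stream_lua_prereadby.h"
@@ -417,6 +418,28 @@ static ngx_command_t ngx_stream_lua_cmds[] = {
 0,
 (void *) ngx_stream_lua_ssl_cert_handler_file },
 
+/* same context as proxy_pass directive */
+{ ngx_string("proxy_ssl_verify_by_lua_block"),
+NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+ngx_stream_lua_proxy_ssl_verify_by_lua_block,
+NGX_STREAM_SRV_CONF_OFFSET,
+0,
+(void *) ngx_stream_lua_proxy_ssl_verify_handler_inline },
+
+{ ngx_string("proxy_ssl_verify_by_lua_file"),
+NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+ngx_stream_lua_proxy_ssl_verify_by_lua,
+NGX_STREAM_SRV_CONF_OFFSET,
+0,
+(void *) ngx_stream_lua_proxy_ssl_verify_handler_file },
+
+{ ngx_string("lua_upstream_skip_openssl_default_verify"),
+NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
+ngx_conf_set_flag_slot,
+NGX_STREAM_SRV_CONF_OFFSET,
+offsetof(ngx_stream_lua_srv_conf_t,
+ups.upstream_skip_openssl_default_verify),
+NULL },
 
 { ngx_string("lua_ssl_verify_depth"),
 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
@@ -813,6 +836,10 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf)
 * lscf->srv.ssl_client_hello_src = { 0, NULL };
 * lscf->srv.ssl_client_hello_src_key = NULL;
 *
+* lscf->ups.proxy_ssl_verify_handler = NULL;
+* lscf->ups.proxy_ssl_verify_src = { 0, NULL };
+* lscf->ups.proxy_ssl_verify_src_key = NULL;
+*
 * lscf->srv.ssl_cert_handler = NULL;
 * lscf->srv.ssl_cert_src = { 0, NULL };
 * lscf->srv.ssl_cert_src_key = NULL;
@@ -847,6 +874,7 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf)
 conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
 conf->ssl_certificates = NGX_CONF_UNSET_PTR;
 conf->ssl_certificate_keys = NGX_CONF_UNSET_PTR;
+conf->ups.upstream_skip_openssl_default_verify = NGX_CONF_UNSET;
 #endif
 
 return conf;
@@ -980,6 +1008,21 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 NULL);
 #endif
 
+if (conf->ups.proxy_ssl_verify_src.len == 0) {
+conf->ups.proxy_ssl_verify_src = prev->ups.proxy_ssl_verify_src;
+conf->ups.proxy_ssl_verify_handler = prev->ups.proxy_ssl_verify_handler;
+conf->ups.proxy_ssl_verify_src_key = prev->ups.proxy_ssl_verify_src_key;
+}
+
+if (conf->ups.proxy_ssl_verify_src.len) {
+if (ngx_stream_lua_proxy_ssl_verify_set_callback(cf) != NGX_OK) {
+return NGX_CONF_ERROR;
+}
+}
+
+ngx_conf_merge_value(conf->ups.upstream_skip_openssl_default_verify,
+prev->ups.upstream_skip_openssl_default_verify, 0);
+
 if (ngx_stream_lua_set_ssl(cf, conf) != NGX_OK) {
 return NGX_CONF_ERROR;
 }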
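Review bot: The `lua_upstream_skip_openssl_default_verify` entry in `ngx_stream_lua_cmds` has no comment, yet it is the one directive in this hunk that weakens security when misused: the only thing the code shows is that it is an `NGX_CONF_FLAG` merged to `0` by default, and its name implies that switching it on discards OpenSSL's own result for upstream certificate verification, leaving the `proxy_ssl_verify_by_lua*` handler as the sole gate. I would put `/* off by default; when on, the Lua handler alone accepts or rejects the upstream certificate, so it must explicitly fail closed */` above that entry, wording the runtime effect to match ngx_stream_lua_proxy_ssl_verifyby.c, which is not in this view. A second, smaller point in `ngx_stream_lua_merge_srv_conf`: `ngx_stream_lua_proxy_ssl_verify_set_callback(cf)` receives only `cf` and no `conf`, so it presumably re-derives the server conf from `cf` itself — worth a one-line comment at the call site so the next reader does not assume the wrong conf is being registered. `ngx_stream_lua_merge_srv_conf` continues outside the hunk.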

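--- a/src/ngx_stream_lua_phase.c
+++ b/src/ngx_stream_lua_phase.c
@@ -66,6 +66,10 @@ ngx_stream_lua_ngx_get_phase(lua_State *L)
 lua_pushliteral(L, "content");
 break;
 
+case NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY:
+lua_pushliteral(L, "proxy_ssl_verify");
+break;
+
 case NGX_STREAM_LUA_CONTEXT_LOG:
 lua_pushliteral(L, "log");
 break;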
