

feature: SSL/TLS cosocket API
* added new method sslhandshake() to the stream-typed cosocket objects.
* added new configuration directives lua_ssl_trusted_certificate,
  lua_ssl_verify_depth, lua_ssl_crl, lua_ssl_protocols, and
  lua_ssl_ciphers.

Thanks aviramc for the original patch in #290.
agentzh committed Jul 22, 2014
1 parent 6ef9481 commit 5aed196
Showing 10 changed files with 2,869 additions and 11 deletions.
9 changes: 9 additions & 0 deletions src/ngx_http_lua_common.h
Expand Up @@ -164,6 +164,15 @@ struct ngx_http_lua_main_conf_s {


typedef struct {
#if (NGX_HTTP_SSL)
ngx_ssl_t *ssl; /* shared by SSL cosockets */
ngx_uint_t ssl_protocols;
ngx_str_t ssl_ciphers;
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
#endif

ngx_flag_t force_read_body; /* whether force request body to
be read */

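Review bot: Only `ssl` carries a comment; the five configuration fields added beneath it are read by the merge code in ngx_http_lua_module.c, and a reader of this header cannot tell that `ssl_protocols` is an NGX_SSL_* bitmask (it is filled by ngx_conf_set_bitmask_slot) or that `ssl_verify_depth` is the certificate-chain depth rather than a flag. Suggest `ngx_uint_t ssl_protocols; /* NGX_SSL_* bitmask, lua_ssl_protocols */` and `ngx_uint_t ssl_verify_depth; /* lua_ssl_verify_depth */`, with the matching directive name on each of the three ngx_str_t fields. The typedef name that closes this struct is outside the hunk.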
166 changes: 166 additions & 0 deletions src/ngx_http_lua_module.c
Expand Up @@ -37,6 +37,10 @@ static char *ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent,
void *child);
static ngx_int_t ngx_http_lua_init(ngx_conf_t *cf);
static char *ngx_http_lua_lowat_check(ngx_conf_t *cf, void *post, void *data);
#if (NGX_HTTP_SSL)
static ngx_int_t ngx_http_lua_set_ssl(ngx_conf_t *cf,
ngx_http_lua_loc_conf_t *llcf);
#endif


static ngx_conf_post_t ngx_http_lua_lowat_post =
Expand All @@ -46,6 +50,20 @@ static ngx_conf_post_t ngx_http_lua_lowat_post =
static volatile ngx_cycle_t *ngx_http_lua_prev_cycle = NULL;


#if (NGX_HTTP_SSL) && defined(nginx_version) && nginx_version >= 1001013

static ngx_conf_bitmask_t ngx_http_lua_ssl_protocols[] = {
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
{ ngx_string("SSLv3"), NGX_SSL_SSLv3 },
{ ngx_string("TLSv1"), NGX_SSL_TLSv1 },
{ ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 },
{ ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 },
{ ngx_null_string, 0 }
};

#endif


static ngx_command_t ngx_http_lua_cmds[] = {

{ ngx_string("lua_max_running_timers"),
Expand Down Expand Up @@ -366,6 +384,49 @@ static ngx_command_t ngx_http_lua_cmds[] = {
offsetof(ngx_http_lua_loc_conf_t, use_default_type),
NULL },

#if (NGX_HTTP_SSL)

# if defined(nginx_version) && nginx_version >= 1001013

{ ngx_string("lua_ssl_protocols"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_lua_loc_conf_t, ssl_protocols),
&ngx_http_lua_ssl_protocols },

# endif

{ ngx_string("lua_ssl_ciphers"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers),
NULL },

{ ngx_string("lua_ssl_verify_depth"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_num_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_lua_loc_conf_t, ssl_verify_depth),
NULL },

{ ngx_string("lua_ssl_trusted_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_lua_loc_conf_t, ssl_trusted_certificate),
NULL },

{ ngx_string("lua_ssl_crl"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_lua_loc_conf_t, ssl_crl),
NULL },

#endif /* NGX_HTTP_SSL */

ngx_null_command
};

Expand Down Expand Up @@ -650,6 +711,12 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
* conf->body_filter_src = {{ 0, NULL }, NULL, NULL, NULL};
* conf->body_filter_src_key = NULL
* conf->body_filter_handler = NULL;
*
* conf->ssl = 0;
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
*/

conf->force_read_body = NGX_CONF_UNSET;
Expand All @@ -669,6 +736,9 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
conf->transform_underscores_in_resp_headers = NGX_CONF_UNSET;
conf->log_socket_errors = NGX_CONF_UNSET;

#if (NGX_HTTP_SSL)
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
#endif

return conf;
}
Expand Down Expand Up @@ -716,6 +786,32 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
conf->body_filter_src_key = prev->body_filter_src_key;
}

#if (NGX_HTTP_SSL)

# if defined(nginx_version) && nginx_version >= 1001013

ngx_conf_merge_bitmask_value(conf->ssl_protocols, prev->ssl_protocols,
(NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3
|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
|NGX_SSL_TLSv1_2));

# endif

ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");

ngx_conf_merge_uint_value(conf->ssl_verify_depth,
prev->ssl_verify_depth, 1);
ngx_conf_merge_str_value(conf->ssl_trusted_certificate,
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");

if (ngx_http_lua_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}

#endif

ngx_conf_merge_value(conf->force_read_body, prev->force_read_body, 0);
ngx_conf_merge_value(conf->enable_code_cache, prev->enable_code_cache, 1);
ngx_conf_merge_value(conf->http10_buffering, prev->http10_buffering, 1);
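Review bot: The default protocol mask merged by `ngx_conf_merge_bitmask_value` enables SSLv3 alongside TLSv1–TLSv1.2, and the directive table two hunks up still accepts `SSLv2`; since this default applies to every outbound cosocket TLS connection, `(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1|NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)` would make operators opt into the legacy protocol explicitly rather than out of it. On nginx older than 1.1.13 the `# if` guard skips the merge entirely, so `ssl_protocols` keeps the zero value left by ngx_pcalloc and that zero mask is what ngx_http_lua_set_ssl hands to `ngx_ssl_create`; if that nginx version treats a cleared bit as a disabled protocol, SSL cosockets would have no usable protocol there, so an `#else` branch assigning an explicit fallback mask would be safer than relying on zero. `ngx_http_lua_set_ssl(cf, conf)` is also called unconditionally, so every location that reaches this merge allocates and configures its own SSL_CTX whether or not it ever uses SSL cosockets; a one-line comment stating that this is intended would help the next reader. ngx_http_lua_merge_loc_conf begins and ends outside the hunk.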
Expand Down Expand Up @@ -751,4 +847,74 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_OK;
}


#if (NGX_HTTP_SSL)

static ngx_int_t
ngx_http_lua_set_ssl(ngx_conf_t *cf, ngx_http_lua_loc_conf_t *llcf)
{
ngx_pool_cleanup_t *cln;

llcf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (llcf->ssl == NULL) {
return NGX_ERROR;
}

llcf->ssl->log = cf->log;

if (ngx_ssl_create(llcf->ssl, llcf->ssl_protocols, NULL) != NGX_OK) {
return NGX_ERROR;
}

cln = ngx_pool_cleanup_add(cf->pool, 0);
if (cln == NULL) {
return NGX_ERROR;
}

cln->handler = ngx_ssl_cleanup_ctx;
cln->data = llcf->ssl;

if (SSL_CTX_set_cipher_list(llcf->ssl->ctx,
(const char *) llcf->ssl_ciphers.data)
== 0)
{
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
"SSL_CTX_set_cipher_list(\"%V\") failed",
&llcf->ssl_ciphers);
return NGX_ERROR;
}

if (llcf->ssl_trusted_certificate.len) {

#if defined(nginx_version) && nginx_version >= 1003007

if (ngx_ssl_trusted_certificate(cf, llcf->ssl,
&llcf->ssl_trusted_certificate,
llcf->ssl_verify_depth)
!= NGX_OK)
{
return NGX_ERROR;
}

#else

ngx_log_error(NGX_LOG_CRIT, cf->log, 0, "at least nginx 1.3.7 is "
"required for the \"lua_ssl_trusted_certificate\" "
"directive");
return NGX_ERROR;

#endif
}

dd("ssl crl: %.*s", (int) llcf->ssl_crl.len, llcf->ssl_crl.data);

if (ngx_ssl_crl(cf, llcf->ssl, &llcf->ssl_crl) != NGX_OK) {
return NGX_ERROR;
}

return NGX_OK;
}

#endif /* NGX_HTTP_SSL */

/* vi:set ft=c ts=4 sw=4 et fdm=marker: */

