Merge branch 'nginx' (nginx-1.19.4).
Change-Id: If817abb58eba1453da6784134afb5b39eb8774cb
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
diff --git a/.hgtags b/.hgtags
index 713fa4a..da0a246 100644
--- a/.hgtags
+++ b/.hgtags
@@ -453,3 +453,4 @@
062920e2f3bf871ef7a3d8496edec1b3065faf80 release-1.19.1
a7b46539f507e6c64efa0efda69ad60b6f4ffbce release-1.19.2
3cbc2602325f0ac08917a4397d76f5155c34b7b1 release-1.19.3
+dc0cc425fa63a80315f6efb68697cadb6626cdf2 release-1.19.4
diff --git a/BUILD b/BUILD
index 6350360..b93a856 100644
--- a/BUILD
+++ b/BUILD
@@ -1536,5 +1536,5 @@
preinst = "@nginx_pkgoss//:debian_preinst",
prerm = "@nginx_pkgoss//:debian_prerm",
section = "httpd",
- version = "1.19.3",
+ version = "1.19.4",
)
diff --git a/build.bzl b/build.bzl
index a0361a1..4ef0d9f 100644
--- a/build.bzl
+++ b/build.bzl
@@ -673,9 +673,9 @@
name = "nginx_pkgoss",
build_file_content = _PKGOSS_BUILD_FILE.format(nginx = nginx) +
_PKGOSS_BUILD_FILE_TAIL,
- commit = "e2f55198a552a62e81759264645d0d3219db8611", # nginx-1.19.3
+ commit = "0d4cbab8a8ee0c010bface3e0b16945ffbdc0658", # nginx-1.19.4
remote = "https://nginx.googlesource.com/nginx-pkgoss",
- shallow_since = "1601388760 +0300",
+ shallow_since = "1603812347 +0300",
)
def nginx_repositories_zlib(bind):
diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
index 976c9de..a7417f5 100644
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -5,6 +5,40 @@
<change_log title="nginx">
+<changes ver="1.19.4" date="2020-10-27">
+
+<change type="feature">
+<para lang="ru">
+директивы ssl_conf_command, proxy_ssl_conf_command, grpc_ssl_conf_command
+и uwsgi_ssl_conf_command.
+</para>
+<para lang="en">
+the "ssl_conf_command", "proxy_ssl_conf_command", "grpc_ssl_conf_command",
+and "uwsgi_ssl_conf_command" directives.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+директива ssl_reject_handshake.
+</para>
+<para lang="en">
+the "ssl_reject_handshake" directive.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+директива proxy_smtp_auth в почтовом прокси-сервере.
+</para>
+<para lang="en">
+the "proxy_smtp_auth" directive in mail proxy.
+</para>
+</change>
+
+</changes>
+
+
<changes ver="1.19.3" date="2020-09-29">
<change type="feature">
diff --git a/src/core/nginx.h b/src/core/nginx.h
index 0964302..d84fe5b 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -13,8 +13,8 @@
#define NGINX_NAME "nginx"
#endif
-#define nginx_version 1019003
-#define NGINX_VERSION "1.19.3"
+#define nginx_version 1019004
+#define NGINX_VERSION "1.19.4"
#define NGINX_VER NGINX_NAME "/" NGINX_VERSION
#ifdef NGX_BUILD
diff --git a/src/core/ngx_conf_file.c b/src/core/ngx_conf_file.c
index 6d1629e..fec7bb8 100644
--- a/src/core/ngx_conf_file.c
+++ b/src/core/ngx_conf_file.c
@@ -1137,7 +1137,7 @@
a = (ngx_array_t **) (p + cmd->offset);
- if (*a == NULL) {
+ if (*a == NGX_CONF_UNSET_PTR || *a == NULL) {
*a = ngx_array_create(cf->pool, 4, sizeof(ngx_keyval_t));
if (*a == NULL) {
return NGX_CONF_ERROR;
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index c186b9b..d32aba0 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1494,6 +1494,78 @@
ngx_int_t
+ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *commands)
+{
+ if (commands == NULL) {
+ return NGX_OK;
+ }
+
+#ifdef SSL_CONF_FLAG_FILE
+ {
+ int type;
+ u_char *key, *value;
+ ngx_uint_t i;
+ ngx_keyval_t *cmd;
+ SSL_CONF_CTX *cctx;
+
+ cctx = SSL_CONF_CTX_new();
+ if (cctx == NULL) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CONF_CTX_new() failed");
+ return NGX_ERROR;
+ }
+
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_FILE);
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT);
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CERTIFICATE);
+ SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SHOW_ERRORS);
+
+ SSL_CONF_CTX_set_ssl_ctx(cctx, ssl->ctx);
+
+ cmd = commands->elts;
+ for (i = 0; i < commands->nelts; i++) {
+
+ key = cmd[i].key.data;
+ type = SSL_CONF_cmd_value_type(cctx, (char *) key);
+
+ if (type == SSL_CONF_TYPE_FILE || type == SSL_CONF_TYPE_DIR) {
+ if (ngx_conf_full_name(cf->cycle, &cmd[i].value, 1) != NGX_OK) {
+ SSL_CONF_CTX_free(cctx);
+ return NGX_ERROR;
+ }
+ }
+
+ value = cmd[i].value.data;
+
+ if (SSL_CONF_cmd(cctx, (char *) key, (char *) value) <= 0) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CONF_cmd(\"%s\", \"%s\") failed", key, value);
+ SSL_CONF_CTX_free(cctx);
+ return NGX_ERROR;
+ }
+ }
+
+ if (SSL_CONF_CTX_finish(cctx) != 1) {
+ ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CONF_finish() failed");
+ SSL_CONF_CTX_free(cctx);
+ return NGX_ERROR;
+ }
+
+ SSL_CONF_CTX_free(cctx);
+
+ return NGX_OK;
+ }
+#else
+ ngx_log_error(NGX_LOG_EMERG, ssl->log, 0,
+ "SSL_CONF_cmd() is not available on this platform");
+ return NGX_ERROR;
+#endif
+}
+
+
+ngx_int_t
ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
{
if (!enable) {
@@ -1744,6 +1816,13 @@
return NGX_ERROR;
}
+ if (c->ssl->handshake_rejected) {
+ ngx_connection_error(c, err, "handshake rejected");
+ ERR_clear_error();
+
+ return NGX_ERROR;
+ }
+
c->read->error = 1;
ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed");
@@ -3308,8 +3387,9 @@
}
}
- if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL) {
-
+ if (SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index) == NULL
+ && certificates != NULL)
+ {
/*
* If certificates are loaded dynamically, we use certificate
* names as specified in the configuration (with variables).
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 84e4947..49888d5 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -95,6 +95,7 @@
u_char early_buf;
unsigned handshaked:1;
+ unsigned handshake_rejected:1;
unsigned renegotiation:1;
unsigned buffer:1;
unsigned no_wait_shutdown:1;
@@ -205,6 +206,9 @@
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_uint_t enable);
+ngx_int_t ngx_ssl_conf_commands(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_array_t *commands);
+
ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_uint_t enable);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
@@ -213,6 +217,7 @@
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *paths);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
+
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
ngx_uint_t flags);
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index ab4ad6b..7e14af8 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -40,6 +40,7 @@
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
+ ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_grpc_loc_conf_t;
@@ -208,6 +209,8 @@
#if (NGX_HTTP_SSL)
static char *ngx_http_grpc_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
+static char *ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
static ngx_int_t ngx_http_grpc_set_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *glcf);
#endif
@@ -242,6 +245,9 @@
{ ngx_null_string, 0 }
};
+static ngx_conf_post_t ngx_http_grpc_ssl_conf_command_post =
+ { ngx_http_grpc_ssl_conf_command_check };
+
#endif
@@ -438,6 +444,13 @@
0,
NULL },
+ { ngx_string("grpc_ssl_conf_command"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_grpc_loc_conf_t, ssl_conf_commands),
+ &ngx_http_grpc_ssl_conf_command_post },
+
#endif
ngx_null_command
@@ -4324,7 +4337,6 @@
* conf->upstream.hide_headers_hash = { NULL, 0 };
* conf->upstream.ssl_name = NULL;
*
- * conf->headers_source = NULL;
* conf->headers.lengths = NULL;
* conf->headers.values = NULL;
* conf->headers.hash = { NULL, 0 };
@@ -4360,6 +4372,7 @@
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
/* the hardcoded values */
@@ -4377,6 +4390,8 @@
conf->upstream.pass_trailers = 1;
conf->upstream.preserve_output = 1;
+ conf->headers_source = NGX_CONF_UNSET_PTR;
+
ngx_str_set(&conf->upstream.module, "grpc");
return conf;
@@ -4468,6 +4483,9 @@
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+ prev->ssl_conf_commands, NULL);
+
if (conf->ssl && ngx_http_grpc_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -4507,9 +4525,10 @@
clcf->handler = ngx_http_grpc_handler;
}
- if (conf->headers_source == NULL) {
+ ngx_conf_merge_ptr_value(conf->headers_source, prev->headers_source, NULL);
+
+ if (conf->headers_source == prev->headers_source) {
conf->headers = prev->headers;
- conf->headers_source = prev->headers_source;
conf->host_set = prev->host_set;
}
@@ -4834,6 +4853,17 @@
}
+static char *
+ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
{
@@ -4924,6 +4954,12 @@
#endif
+ if (ngx_ssl_conf_commands(cf, glcf->upstream.ssl, glcf->ssl_conf_commands)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff --git a/src/http/modules/ngx_http_limit_req_module.c b/src/http/modules/ngx_http_limit_req_module.c
index 6bd3e6a..dad5edb 100644
--- a/src/http/modules/ngx_http_limit_req_module.c
+++ b/src/http/modules/ngx_http_limit_req_module.c
@@ -69,6 +69,8 @@
ngx_uint_t hash, ngx_str_t *key, ngx_uint_t *ep, ngx_uint_t account);
static ngx_msec_t ngx_http_limit_req_account(ngx_http_limit_req_limit_t *limits,
ngx_uint_t n, ngx_uint_t *ep, ngx_http_limit_req_limit_t **limit);
+static void ngx_http_limit_req_unlock(ngx_http_limit_req_limit_t *limits,
+ ngx_uint_t n);
static void ngx_http_limit_req_expire(ngx_http_limit_req_ctx_t *ctx,
ngx_uint_t n);
@@ -223,6 +225,7 @@
ctx = limit->shm_zone->data;
if (ngx_http_complex_value(r, &ctx->key, &key) != NGX_OK) {
+ ngx_http_limit_req_unlock(limits, n);
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
@@ -270,21 +273,7 @@
&limit->shm_zone->shm.name);
}
- while (n--) {
- ctx = limits[n].shm_zone->data;
-
- if (ctx->node == NULL) {
- continue;
- }
-
- ngx_shmtx_lock(&ctx->shpool->mutex);
-
- ctx->node->count--;
-
- ngx_shmtx_unlock(&ctx->shpool->mutex);
-
- ctx->node = NULL;
- }
+ ngx_http_limit_req_unlock(limits, n);
if (lrcf->dry_run) {
r->main->limit_req_status = NGX_HTTP_LIMIT_REQ_REJECTED_DRY_RUN;
@@ -613,6 +602,29 @@
static void
+ngx_http_limit_req_unlock(ngx_http_limit_req_limit_t *limits, ngx_uint_t n)
+{
+ ngx_http_limit_req_ctx_t *ctx;
+
+ while (n--) {
+ ctx = limits[n].shm_zone->data;
+
+ if (ctx->node == NULL) {
+ continue;
+ }
+
+ ngx_shmtx_lock(&ctx->shpool->mutex);
+
+ ctx->node->count--;
+
+ ngx_shmtx_unlock(&ctx->shpool->mutex);
+
+ ctx->node = NULL;
+ }
+}
+
+
+static void
ngx_http_limit_req_expire(ngx_http_limit_req_ctx_t *ctx, ngx_uint_t n)
{
ngx_int_t excess;
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 64393dc..060f2c7 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -127,6 +127,7 @@
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
+ ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_proxy_loc_conf_t;
@@ -229,6 +230,10 @@
#endif
static char *ngx_http_proxy_lowat_check(ngx_conf_t *cf, void *post, void *data);
+#if (NGX_HTTP_SSL)
+static char *ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
+#endif
static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
@@ -274,6 +279,9 @@
{ ngx_null_string, 0 }
};
+static ngx_conf_post_t ngx_http_proxy_ssl_conf_command_post =
+ { ngx_http_proxy_ssl_conf_command_check };
+
#endif
@@ -771,6 +779,13 @@
0,
NULL },
+ { ngx_string("proxy_ssl_conf_command"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, ssl_conf_commands),
+ &ngx_http_proxy_ssl_conf_command_post },
+
#endif
ngx_null_command
@@ -3275,7 +3290,6 @@
* conf->method = NULL;
* conf->location = NULL;
* conf->url = { 0, NULL };
- * conf->headers_source = NULL;
* conf->headers.lengths = NULL;
* conf->headers.values = NULL;
* conf->headers.hash = { NULL, 0 };
@@ -3349,11 +3363,14 @@
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
/* "proxy_cyclic_temp_file" is disabled */
conf->upstream.cyclic_temp_file = 0;
+ conf->headers_source = NGX_CONF_UNSET_PTR;
+
conf->redirect = NGX_CONF_UNSET;
conf->upstream.change_buffering = 1;
@@ -3696,6 +3713,9 @@
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+ prev->ssl_conf_commands, NULL);
+
if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -3829,12 +3849,13 @@
}
}
- if (conf->headers_source == NULL) {
+ ngx_conf_merge_ptr_value(conf->headers_source, prev->headers_source, NULL);
+
+ if (conf->headers_source == prev->headers_source) {
conf->headers = prev->headers;
#if (NGX_HTTP_CACHE)
conf->headers_cache = prev->headers_cache;
#endif
- conf->headers_source = prev->headers_source;
}
rc = ngx_http_proxy_init_headers(cf, conf, &conf->headers,
@@ -4873,6 +4894,17 @@
#if (NGX_HTTP_SSL)
+static char *
+ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
{
@@ -4969,6 +5001,12 @@
return NGX_ERROR;
}
+ if (ngx_ssl_conf_commands(cf, plcf->upstream.ssl, plcf->ssl_conf_commands)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 7b1f1d7..b8ea065 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -51,6 +51,9 @@
static char *ngx_http_ssl_ocsp_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
+static char *ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
+
static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
@@ -87,6 +90,10 @@
};
+static ngx_conf_post_t ngx_http_ssl_conf_command_post =
+ { ngx_http_ssl_conf_command_check };
+
+
static ngx_command_t ngx_http_ssl_commands[] = {
{ ngx_string("ssl"),
@@ -278,6 +285,20 @@
offsetof(ngx_http_ssl_srv_conf_t, early_data),
NULL },
+ { ngx_string("ssl_conf_command"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, conf_commands),
+ &ngx_http_ssl_conf_command_post },
+
+ { ngx_string("ssl_reject_handshake"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, reject_handshake),
+ NULL },
+
ngx_null_command
};
@@ -598,12 +619,14 @@
sscf->enable = NGX_CONF_UNSET;
sscf->prefer_server_ciphers = NGX_CONF_UNSET;
sscf->early_data = NGX_CONF_UNSET;
+ sscf->reject_handshake = NGX_CONF_UNSET;
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
sscf->verify = NGX_CONF_UNSET_UINT;
sscf->verify_depth = NGX_CONF_UNSET_UINT;
sscf->certificates = NGX_CONF_UNSET_PTR;
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
+ sscf->conf_commands = NGX_CONF_UNSET_PTR;
sscf->builtin_session_cache = NGX_CONF_UNSET;
sscf->session_timeout = NGX_CONF_UNSET;
sscf->session_tickets = NGX_CONF_UNSET;
@@ -643,6 +666,7 @@
prev->prefer_server_ciphers, 0);
ngx_conf_merge_value(conf->early_data, prev->early_data, 0);
+ ngx_conf_merge_value(conf->reject_handshake, prev->reject_handshake, 0);
ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
(NGX_CONF_BITMASK_SET|NGX_SSL_TLSv1
@@ -673,6 +697,8 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
+
ngx_conf_merge_uint_value(conf->ocsp, prev->ocsp, 0);
ngx_conf_merge_str_value(conf->ocsp_responder, prev->ocsp_responder, "");
ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
@@ -688,7 +714,27 @@
if (conf->enable) {
- if (conf->certificates == NULL) {
+ if (conf->certificates) {
+ if (conf->certificate_keys == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined for "
+ "the \"ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\" and "
+ "the \"ssl\" directive in %s:%ui",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1,
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }
+
+ } else if (!conf->reject_handshake) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"ssl\" directive in %s:%ui",
@@ -696,30 +742,7 @@
return NGX_CONF_ERROR;
}
- if (conf->certificate_keys == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined for "
- "the \"ssl\" directive in %s:%ui",
- conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
-
- if (conf->certificate_keys->nelts < conf->certificates->nelts) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\" and "
- "the \"ssl\" directive in %s:%ui",
- ((ngx_str_t *) conf->certificates->elts)
- + conf->certificates->nelts - 1,
- conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
-
- } else {
-
- if (conf->certificates == NULL) {
- return NGX_CONF_OK;
- }
+ } else if (conf->certificates) {
if (conf->certificate_keys == NULL
|| conf->certificate_keys->nelts < conf->certificates->nelts)
@@ -731,6 +754,9 @@
+ conf->certificates->nelts - 1);
return NGX_CONF_ERROR;
}
+
+ } else if (!conf->reject_handshake) {
+ return NGX_CONF_OK;
}
if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
@@ -804,7 +830,7 @@
return NGX_CONF_ERROR;
#endif
- } else {
+ } else if (conf->certificates) {
/* configure certificates */
@@ -926,6 +952,10 @@
return NGX_CONF_ERROR;
}
+ if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
return NGX_CONF_OK;
}
@@ -939,6 +969,10 @@
ngx_http_complex_value_t *cv;
ngx_http_compile_complex_value_t ccv;
+ if (conf->certificates == NULL) {
+ return NGX_OK;
+ }
+
cert = conf->certificates->elts;
key = conf->certificate_keys->elts;
nelts = conf->certificates->nelts;
@@ -1248,6 +1282,17 @@
}
+static char *
+ngx_http_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_ssl_init(ngx_conf_t *cf)
{
@@ -1308,7 +1353,33 @@
cscf = addr[a].default_server;
sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
- if (sscf->certificates == NULL) {
+ if (sscf->certificates) {
+ continue;
+ }
+
+ if (!sscf->reject_handshake) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined for "
+ "the \"listen ... ssl\" directive in %s:%ui",
+ cscf->file_name, cscf->line);
+ return NGX_ERROR;
+ }
+
+ /*
+ * if no certificates are defined in the default server,
+ * check all non-default server blocks
+ */
+
+ cscfp = addr[a].servers.elts;
+ for (s = 0; s < addr[a].servers.nelts; s++) {
+
+ cscf = cscfp[s];
+ sscf = cscf->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
+
+ if (sscf->certificates || sscf->reject_handshake) {
+ continue;
+ }
+
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"ssl_certificate\" is defined for "
"the \"listen ... ssl\" directive in %s:%ui",
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
index 98aa1be..7ab0f7e 100644
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -21,6 +21,7 @@
ngx_flag_t prefer_server_ciphers;
ngx_flag_t early_data;
+ ngx_flag_t reject_handshake;
ngx_uint_t protocols;
@@ -48,6 +49,7 @@
ngx_str_t ciphers;
ngx_array_t *passwords;
+ ngx_array_t *conf_commands;
ngx_shm_zone_t *shm_zone;
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index fe15ee8..bf27326 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -57,6 +57,7 @@
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
+ ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_uwsgi_loc_conf_t;
@@ -96,6 +97,8 @@
#if (NGX_HTTP_SSL)
static char *ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
+static char *ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf,
ngx_http_uwsgi_loc_conf_t *uwcf);
#endif
@@ -134,6 +137,9 @@
{ ngx_null_string, 0 }
};
+static ngx_conf_post_t ngx_http_uwsgi_ssl_conf_command_post =
+ { ngx_http_uwsgi_ssl_conf_command_check };
+
#endif
@@ -561,6 +567,13 @@
0,
NULL },
+ { ngx_string("uwsgi_ssl_conf_command"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, ssl_conf_commands),
+ &ngx_http_uwsgi_ssl_conf_command_post },
+
#endif
ngx_null_command
@@ -1500,6 +1513,7 @@
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
/* "uwsgi_cyclic_temp_file" is disabled */
@@ -1830,6 +1844,9 @@
prev->ssl_certificate_key, "");
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+ prev->ssl_conf_commands, NULL);
+
if (conf->ssl && ngx_http_uwsgi_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -2376,6 +2393,17 @@
}
+static char *
+ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
{
@@ -2453,6 +2481,12 @@
return NGX_ERROR;
}
+ if (ngx_ssl_conf_commands(cf, uwcf->upstream.ssl, uwcf->ssl_conf_commands)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 0c8104b..35ef12d 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -858,6 +858,7 @@
ngx_http_ssl_client_hello(const SSL_CLIENT_HELLO *client_hello)
{
CBS extension, list, name;
+ int alert, rc;
size_t len;
uint8_t type;
ngx_str_t hostname;
@@ -893,12 +894,7 @@
return ssl_select_cert_error;
}
- /*
- * Store requested server name and call the regular callback, but ignore
- * its response, since it returns SSL_TLSEXT_ERRO_NOACK for both: errors
- * and when no server matching requested server name was found (in which
- * case the default server is used).
- */
+ /* Store requested server name and call the regular callback. */
c = ngx_ssl_get_connection(client_hello->ssl);
@@ -911,16 +907,28 @@
ngx_memcpy(hostname.data, CBS_data(&name), hostname.len);
hostname.data[hostname.len] = '\0';
- (void) ngx_http_ssl_servername(client_hello->ssl, 0, hostname.data);
+ rc = ngx_http_ssl_servername(client_hello->ssl, &alert, hostname.data);
- return ssl_select_cert_success;
+ /*
+ * BoringSSL cannot send a specific alert from the early callback, so
+ * don't error out here if we need to send one (e.g. unrecognized name),
+ * and continue processing the handshake, so that the desired alert can
+ * be sent from the regular callback.
+ */
+
+ if (rc == SSL_TLSEXT_ERR_ALERT_FATAL && alert == SSL_AD_INTERNAL_ERROR) {
+ return ssl_select_cert_error;
+ } else {
+ return ssl_select_cert_success;
+ }
}
#elif defined(SSL_CLIENT_HELLO_CB)
int
-ngx_http_ssl_client_hello(ngx_ssl_conn_t *ssl_conn, int *al, void *arg)
+ngx_http_ssl_client_hello(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
{
+ int rc;
size_t len, remaining;
ngx_str_t hostname;
ngx_connection_t *c;
@@ -977,12 +985,7 @@
return SSL_CLIENT_HELLO_ERROR;
}
- /*
- * Store requested server name and call the regular callback, but ignore
- * its response, since it returns SSL_TLSEXT_ERRO_NOACK for both: errors
- * and when no server matching requested server name was found (in which
- * case the default server is used).
- */
+ /* Store requested server name and call the regular callback. */
c = ngx_ssl_get_connection(ssl_conn);
@@ -995,9 +998,10 @@
ngx_memcpy(hostname.data, p, hostname.len);
hostname.data[hostname.len] = '\0';
- (void) ngx_http_ssl_servername(ssl_conn, 0, hostname.data);
+ rc = ngx_http_ssl_servername(ssl_conn, ad, hostname.data);
- return SSL_CLIENT_HELLO_SUCCESS;
+ return rc == SSL_TLSEXT_ERR_OK ? SSL_CLIENT_HELLO_SUCCESS
+ : SSL_CLIENT_HELLO_ERROR;
}
#endif
@@ -1021,7 +1025,14 @@
return SSL_TLSEXT_ERR_ALERT_FATAL;
}
+ hc = c->data;
+
#if defined(OPENSSL_IS_BORINGSSL) || defined(SSL_CLIENT_HELLO_CB)
+ if (hc->ssl_servername) {
+ /* This function was already called from the early callback. */
+ goto done;
+ }
+
if (arg != NULL) {
servername = (const char *) arg;
} else
@@ -1029,7 +1040,9 @@
servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
if (servername == NULL) {
- return SSL_TLSEXT_ERR_OK;
+ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+ "SSL server name: null");
+ goto done;
}
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
@@ -1038,7 +1051,7 @@
host.len = ngx_strlen(servername);
if (host.len == 0) {
- return SSL_TLSEXT_ERR_OK;
+ goto done;
}
host.data = (u_char *) servername;
@@ -1046,32 +1059,27 @@
rc = ngx_http_validate_host(&host, c->pool, 1);
if (rc == NGX_ERROR) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+ goto error;
}
if (rc == NGX_DECLINED) {
- return SSL_TLSEXT_ERR_OK;
+ goto done;
}
- hc = c->data;
-
rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
NULL, &cscf);
if (rc == NGX_ERROR) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+ goto error;
}
if (rc == NGX_DECLINED) {
- return SSL_TLSEXT_ERR_OK;
+ goto done;
}
hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
if (hc->ssl_servername == NULL) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+ goto error;
}
*hc->ssl_servername = host;
@@ -1088,8 +1096,7 @@
if (sscf->ssl.ctx && sscf->ssl.ctx != SSL_get_SSL_CTX(ssl_conn)) {
if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
- *ad = SSL_AD_INTERNAL_ERROR;
- return SSL_TLSEXT_ERR_ALERT_FATAL;
+ goto error;
}
/*
@@ -1115,7 +1122,22 @@
#endif
}
+done:
+
+ sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module);
+
+ if (sscf->reject_handshake) {
+ c->ssl->handshake_rejected = 1;
+ *ad = SSL_AD_UNRECOGNIZED_NAME;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
+ }
+
return SSL_TLSEXT_ERR_OK;
+
+error:
+
+ *ad = SSL_AD_INTERNAL_ERROR;
+ return SSL_TLSEXT_ERR_ALERT_FATAL;
}
#endif
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
index d904f25..25ac432 100644
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -162,10 +162,12 @@
ngx_smtp_auth_external,
ngx_smtp_helo,
ngx_smtp_helo_xclient,
+ ngx_smtp_helo_auth,
ngx_smtp_helo_from,
ngx_smtp_xclient,
ngx_smtp_xclient_from,
ngx_smtp_xclient_helo,
+ ngx_smtp_xclient_auth,
ngx_smtp_from,
ngx_smtp_to
} ngx_smtp_state_e;
diff --git a/src/mail/ngx_mail_proxy_module.c b/src/mail/ngx_mail_proxy_module.c
index 1c86e54..610f547 100644
--- a/src/mail/ngx_mail_proxy_module.c
+++ b/src/mail/ngx_mail_proxy_module.c
@@ -16,6 +16,7 @@
ngx_flag_t enable;
ngx_flag_t pass_error_message;
ngx_flag_t xclient;
+ ngx_flag_t smtp_auth;
size_t buffer_size;
ngx_msec_t timeout;
} ngx_mail_proxy_conf_t;
@@ -74,6 +75,13 @@
offsetof(ngx_mail_proxy_conf_t, xclient),
NULL },
+ { ngx_string("proxy_smtp_auth"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_proxy_conf_t, smtp_auth),
+ NULL },
+
ngx_null_command
};
@@ -450,7 +458,7 @@
{
u_char *p;
ngx_int_t rc;
- ngx_str_t line;
+ ngx_str_t line, auth, encoded;
ngx_buf_t *b;
ngx_connection_t *c;
ngx_mail_session_t *s;
@@ -513,6 +521,9 @@
} else if (s->auth_method == NGX_MAIL_AUTH_NONE) {
s->mail_state = ngx_smtp_helo_from;
+ } else if (pcf->smtp_auth) {
+ s->mail_state = ngx_smtp_helo_auth;
+
} else {
s->mail_state = ngx_smtp_helo;
}
@@ -552,7 +563,9 @@
p = ngx_copy(p, s->connection->addr_text.data,
s->connection->addr_text.len);
- if (s->login.len) {
+ pcf = ngx_mail_get_module_srv_conf(s, ngx_mail_proxy_module);
+
+ if (s->login.len && !pcf->smtp_auth) {
p = ngx_cpymem(p, " LOGIN=", sizeof(" LOGIN=") - 1);
p = ngx_copy(p, s->login.data, s->login.len);
}
@@ -570,6 +583,9 @@
} else if (s->auth_method == NGX_MAIL_AUTH_NONE) {
s->mail_state = ngx_smtp_xclient_from;
+ } else if (pcf->smtp_auth) {
+ s->mail_state = ngx_smtp_xclient_auth;
+
} else {
s->mail_state = ngx_smtp_xclient;
}
@@ -595,8 +611,62 @@
&s->smtp_helo)
- line.data;
- s->mail_state = (s->auth_method == NGX_MAIL_AUTH_NONE) ?
- ngx_smtp_helo_from : ngx_smtp_helo;
+ pcf = ngx_mail_get_module_srv_conf(s, ngx_mail_proxy_module);
+
+ if (s->auth_method == NGX_MAIL_AUTH_NONE) {
+ s->mail_state = ngx_smtp_helo_from;
+
+ } else if (pcf->smtp_auth) {
+ s->mail_state = ngx_smtp_helo_auth;
+
+ } else {
+ s->mail_state = ngx_smtp_helo;
+ }
+
+ break;
+
+ case ngx_smtp_helo_auth:
+ case ngx_smtp_xclient_auth:
+ ngx_log_debug0(NGX_LOG_DEBUG_MAIL, rev->log, 0,
+ "mail proxy send auth");
+
+ s->connection->log->action = "sending AUTH to upstream";
+
+ if (s->passwd.data == NULL) {
+ ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
+ "no password available");
+ ngx_mail_proxy_internal_server_error(s);
+ return;
+ }
+
+ auth.len = 1 + s->login.len + 1 + s->passwd.len;
+ auth.data = ngx_pnalloc(c->pool, auth.len);
+ if (auth.data == NULL) {
+ ngx_mail_proxy_internal_server_error(s);
+ return;
+ }
+
+ auth.len = ngx_sprintf(auth.data, "%Z%V%Z%V", &s->login, &s->passwd)
+ - auth.data;
+
+ line.len = sizeof("AUTH PLAIN " CRLF) - 1
+ + ngx_base64_encoded_length(auth.len);
+
+ line.data = ngx_pnalloc(c->pool, line.len);
+ if (line.data == NULL) {
+ ngx_mail_proxy_internal_server_error(s);
+ return;
+ }
+
+ encoded.data = ngx_cpymem(line.data, "AUTH PLAIN ",
+ sizeof("AUTH PLAIN ") - 1);
+
+ ngx_encode_base64(&encoded, &auth);
+
+ p = encoded.data + encoded.len;
+ *p++ = CR; *p = LF;
+
+ s->mail_state = ngx_smtp_auth_plain;
break;
@@ -643,6 +713,7 @@
case ngx_smtp_helo:
case ngx_smtp_xclient:
+ case ngx_smtp_auth_plain:
case ngx_smtp_to:
b = s->proxy->buffer;
@@ -824,6 +895,7 @@
case ngx_smtp_helo:
case ngx_smtp_helo_xclient:
case ngx_smtp_helo_from:
+ case ngx_smtp_helo_auth:
case ngx_smtp_from:
if (p[0] == '2' && p[1] == '5' && p[2] == '0') {
return NGX_OK;
@@ -833,11 +905,18 @@
case ngx_smtp_xclient:
case ngx_smtp_xclient_from:
case ngx_smtp_xclient_helo:
+ case ngx_smtp_xclient_auth:
if (p[0] == '2' && (p[1] == '2' || p[1] == '5') && p[2] == '0') {
return NGX_OK;
}
break;
+ case ngx_smtp_auth_plain:
+ if (p[0] == '2' && p[1] == '3' && p[2] == '5') {
+ return NGX_OK;
+ }
+ break;
+
case ngx_smtp_to:
return NGX_OK;
}
@@ -1102,6 +1181,7 @@
pcf->enable = NGX_CONF_UNSET;
pcf->pass_error_message = NGX_CONF_UNSET;
pcf->xclient = NGX_CONF_UNSET;
+ pcf->smtp_auth = NGX_CONF_UNSET;
pcf->buffer_size = NGX_CONF_UNSET_SIZE;
pcf->timeout = NGX_CONF_UNSET_MSEC;
@@ -1118,6 +1198,7 @@
ngx_conf_merge_value(conf->enable, prev->enable, 0);
ngx_conf_merge_value(conf->pass_error_message, prev->pass_error_message, 0);
ngx_conf_merge_value(conf->xclient, prev->xclient, 1);
+ ngx_conf_merge_value(conf->smtp_auth, prev->smtp_auth, 0);
ngx_conf_merge_size_value(conf->buffer_size, prev->buffer_size,
(size_t) ngx_pagesize);
ngx_conf_merge_msec_value(conf->timeout, prev->timeout, 24 * 60 * 60000);
diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
index e193b29..d560bd6 100644
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -26,6 +26,9 @@
static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
+static char *ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
+
static ngx_conf_enum_t ngx_mail_starttls_state[] = {
{ ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
@@ -61,6 +64,10 @@
};
+static ngx_conf_post_t ngx_mail_ssl_conf_command_post =
+ { ngx_mail_ssl_conf_command_check };
+
+
static ngx_command_t ngx_mail_ssl_commands[] = {
{ ngx_string("ssl"),
@@ -196,6 +203,13 @@
offsetof(ngx_mail_ssl_conf_t, crl),
NULL },
+ { ngx_string("ssl_conf_command"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_ssl_conf_t, conf_commands),
+ &ngx_mail_ssl_conf_command_post },
+
ngx_null_command
};
@@ -259,6 +273,7 @@
scf->certificates = NGX_CONF_UNSET_PTR;
scf->certificate_keys = NGX_CONF_UNSET_PTR;
scf->passwords = NGX_CONF_UNSET_PTR;
+ scf->conf_commands = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->verify = NGX_CONF_UNSET_UINT;
scf->verify_depth = NGX_CONF_UNSET_UINT;
@@ -316,6 +331,8 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
+
conf->ssl.log = cf->log;
@@ -461,6 +478,10 @@
return NGX_CONF_ERROR;
}
+ if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
return NGX_CONF_OK;
}
@@ -654,3 +675,14 @@
return NGX_CONF_ERROR;
}
+
+
+static char *
+ngx_mail_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
diff --git a/src/mail/ngx_mail_ssl_module.h b/src/mail/ngx_mail_ssl_module.h
index d6b0b8e..a0a6113 100644
--- a/src/mail/ngx_mail_ssl_module.h
+++ b/src/mail/ngx_mail_ssl_module.h
@@ -48,6 +48,7 @@
ngx_str_t ciphers;
ngx_array_t *passwords;
+ ngx_array_t *conf_commands;
ngx_shm_zone_t *shm_zone;
diff --git a/src/misc/ngx_cpp_test_module.cpp b/src/misc/ngx_cpp_test_module.cpp
index 5d2f08d..0026409 100644
--- a/src/misc/ngx_cpp_test_module.cpp
+++ b/src/misc/ngx_cpp_test_module.cpp
@@ -14,6 +14,8 @@
#include <ngx_mail_pop3_module.h>
#include <ngx_mail_imap_module.h>
#include <ngx_mail_smtp_module.h>
+
+ #include <ngx_stream.h>
}
// nginx header files should go before other, because they define 64-bit off_t
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index db11dd8..0c86083 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -49,6 +49,7 @@
ngx_str_t ssl_certificate;
ngx_str_t ssl_certificate_key;
ngx_array_t *ssl_passwords;
+ ngx_array_t *ssl_conf_commands;
ngx_ssl_t *ssl;
#endif
@@ -94,6 +95,8 @@
static ngx_int_t ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s);
static char *ngx_stream_proxy_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
+static char *ngx_stream_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
@@ -112,6 +115,9 @@
{ ngx_null_string, 0 }
};
+static ngx_conf_post_t ngx_stream_proxy_ssl_conf_command_post =
+ { ngx_stream_proxy_ssl_conf_command_check };
+
#endif
@@ -331,6 +337,13 @@
0,
NULL },
+ { ngx_string("proxy_ssl_conf_command"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_proxy_srv_conf_t, ssl_conf_commands),
+ &ngx_stream_proxy_ssl_conf_command_post },
+
#endif
ngx_null_command
@@ -1008,6 +1021,17 @@
}
+static char *
+ngx_stream_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static void
ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s)
{
@@ -1985,6 +2009,7 @@
conf->ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
return conf;
@@ -2072,6 +2097,9 @@
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
+ prev->ssl_conf_commands, NULL);
+
if (conf->ssl_enable && ngx_stream_proxy_set_ssl(cf, conf) != NGX_OK) {
return NGX_CONF_ERROR;
}
@@ -2156,6 +2184,12 @@
return NGX_ERROR;
}
+ if (ngx_ssl_conf_commands(cf, pscf->ssl, pscf->ssl_conf_commands)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index 79f30a8..ccd359f 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -45,6 +45,10 @@
void *conf);
static char *ngx_stream_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
+
+static char *ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post,
+ void *data);
+
static ngx_int_t ngx_stream_ssl_init(ngx_conf_t *cf);
@@ -68,6 +72,10 @@
};
+static ngx_conf_post_t ngx_stream_ssl_conf_command_post =
+ { ngx_stream_ssl_conf_command_check };
+
+
static ngx_command_t ngx_stream_ssl_commands[] = {
{ ngx_string("ssl_handshake_timeout"),
@@ -196,6 +204,13 @@
offsetof(ngx_stream_ssl_conf_t, crl),
NULL },
+ { ngx_string("ssl_conf_command"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
+ ngx_conf_set_keyval_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_ssl_conf_t, conf_commands),
+ &ngx_stream_ssl_conf_command_post },
+
ngx_null_command
};
@@ -595,6 +610,7 @@
scf->certificates = NGX_CONF_UNSET_PTR;
scf->certificate_keys = NGX_CONF_UNSET_PTR;
scf->passwords = NGX_CONF_UNSET_PTR;
+ scf->conf_commands = NGX_CONF_UNSET_PTR;
scf->prefer_server_ciphers = NGX_CONF_UNSET;
scf->verify = NGX_CONF_UNSET_UINT;
scf->verify_depth = NGX_CONF_UNSET_UINT;
@@ -650,6 +666,8 @@
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
+ ngx_conf_merge_ptr_value(conf->conf_commands, prev->conf_commands, NULL);
+
conf->ssl.log = cf->log;
@@ -811,6 +829,10 @@
return NGX_CONF_ERROR;
}
+ if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
return NGX_CONF_OK;
}
@@ -1034,6 +1056,17 @@
}
+static char *
+ngx_stream_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
+{
+#ifndef SSL_CONF_FLAG_FILE
+ return "is not supported on this platform";
+#endif
+
+ return NGX_CONF_OK;
+}
+
+
static ngx_int_t
ngx_stream_ssl_init(ngx_conf_t *cf)
{
diff --git a/src/stream/ngx_stream_ssl_module.h b/src/stream/ngx_stream_ssl_module.h
index 6cb4140..c6e24be 100644
--- a/src/stream/ngx_stream_ssl_module.h
+++ b/src/stream/ngx_stream_ssl_module.h
@@ -46,6 +46,7 @@
ngx_str_t ciphers;
ngx_array_t *passwords;
+ ngx_array_t *conf_commands;
ngx_shm_zone_t *shm_zone;