Merge branch 'nginx' (nginx-1.21.0).
Change-Id: Ib16bf8d49f050c0fc419ae18a7e970099157034d
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
diff --git a/.hgtags b/.hgtags
index 94734fe..ea345c9 100644
--- a/.hgtags
+++ b/.hgtags
@@ -460,3 +460,4 @@
8c65d21464aaa5923775f80c32474adc7a320068 release-1.19.8
da571b8eaf8f30f36c43b3c9b25e01e31f47149c release-1.19.9
ffcbb9980ee2bad27b4d7b1cd680b14ff47b29aa release-1.19.10
+df34dcc9ac072ffd0945e5a1f3eb7987e8275375 release-1.21.0
diff --git a/BUILD b/BUILD
index abe2cc4..76bfc50 100644
--- a/BUILD
+++ b/BUILD
@@ -1538,5 +1538,5 @@
preinst = "@nginx_pkgoss//:debian_preinst",
prerm = "@nginx_pkgoss//:debian_prerm",
section = "httpd",
- version = "1.19.10",
+ version = "1.21.0",
)
diff --git a/bazel/repositories.bzl b/bazel/repositories.bzl
index 6a0a30a..e1e37ab 100644
--- a/bazel/repositories.bzl
+++ b/bazel/repositories.bzl
@@ -34,9 +34,9 @@
new_git_repository(
name = "nginx_pkgoss",
build_file = "@nginx//bazel/external:nginx_pkgoss.BUILD",
- commit = "f06f134e8080fd8a65201bacd7edfae69f7fa3a9", # nginx-1.19.10
+ commit = "da83706fb54e9719d0bf4930df2109a8138f3d59", # nginx-1.21.0
remote = "https://nginx.googlesource.com/nginx-pkgoss",
- shallow_since = "1618332472 +0300",
+ shallow_since = "1621951952 +0300",
)
http_archive(
diff --git a/conf/mime.types b/conf/mime.types
index 2961256..b53f7f7 100644
--- a/conf/mime.types
+++ b/conf/mime.types
@@ -51,6 +51,7 @@
application/vnd.openxmlformats-officedocument.wordprocessingml.document
docx;
application/vnd.wap.wmlc wmlc;
+ application/wasm wasm;
application/x-7z-compressed 7z;
application/x-cocoa cco;
application/x-java-archive-diff jardiff;
diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
index 3d0637b..ea3551a 100644
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -5,6 +5,100 @@
<change_log title="nginx">
+<changes ver="1.21.0" date="2021-05-25">
+
+<change type="security">
+<para lang="ru">
+при использовании директивы resolver
+во время обработки ответа DNS-сервера
+могла происходить перезапись одного байта памяти,
+что позволяло атакующему,
+имеющему возможность подделывать UDP-пакеты от DNS-сервера,
+вызвать падение рабочего процесса
+или, потенциально, выполнение произвольного кода (CVE-2021-23017).
+</para>
+<para lang="en">
+1-byte memory overwrite might occur
+during DNS server response processing
+if the "resolver" directive was used,
+allowing an attacker
+who is able to forge UDP packets from the DNS server
+to cause worker process crash
+or, potentially, arbitrary code execution (CVE-2021-23017).
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+директивы proxy_ssl_certificate, proxy_ssl_certificate_key,
+grpc_ssl_certificate, grpc_ssl_certificate_key,
+uwsgi_ssl_certificate и uwsgi_ssl_certificate_key
+поддерживают переменные.
+</para>
+<para lang="en">
+variables support
+in the "proxy_ssl_certificate", "proxy_ssl_certificate_key"
+"grpc_ssl_certificate", "grpc_ssl_certificate_key",
+"uwsgi_ssl_certificate", and "uwsgi_ssl_certificate_key" directives.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+директива max_errors в почтовом прокси-сервере.
+</para>
+<para lang="en">
+the "max_errors" directive in the mail proxy module.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+почтовый прокси-сервер поддерживает POP3 и IMAP pipelining.
+</para>
+<para lang="en">
+the mail proxy module supports POP3 and IMAP pipelining.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+параметр fastopen директивы listen в модуле stream.<br/>
+Спасибо Anbang Wen.
+</para>
+<para lang="en">
+the "fastopen" parameter of the "listen" directive in the stream module.<br/>
+Thanks to Anbang Wen.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+специальные символы не экранировались
+при автоматическом перенаправлении с добавлением завершающего слэша.
+</para>
+<para lang="en">
+special characters were not escaped
+during automatic redirect with appended trailing slash.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+при использовании SMTP pipelining
+соединения с клиентами в почтовом прокси-сервере
+могли неожиданно закрываться.
+</para>
+<para lang="en">
+connections with clients in the mail proxy module
+might be closed unexpectedly
+when using SMTP pipelining.
+</para>
+</change>
+
+</changes>
+
+
<changes ver="1.19.10" date="2021-04-13">
<change type="change">
diff --git a/src/core/nginx.h b/src/core/nginx.h
index e4d1bb0..be3ee7c 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -13,8 +13,8 @@
#define NGINX_NAME "nginx"
#endif
-#define nginx_version 1019010
-#define NGINX_VERSION "1.19.10"
+#define nginx_version 1021000
+#define NGINX_VERSION "1.21.0"
#define NGINX_VER NGINX_NAME "/" NGINX_VERSION
#ifdef NGX_BUILD
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index 7939070..58d5f3e 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -1798,6 +1798,12 @@
i = sizeof(ngx_resolver_hdr_t);
while (i < (ngx_uint_t) n) {
+
+ if (buf[i] & 0xc0) {
+ err = "unexpected compression pointer in DNS response";
+ goto done;
+ }
+
if (buf[i] == '\0') {
goto found;
}
@@ -3939,11 +3945,11 @@
{
char *err;
u_char *p, *dst;
- ssize_t len;
+ size_t len;
ngx_uint_t i, n;
p = src;
- len = -1;
+ len = 0;
/*
* compression pointers allow to create endless loop, so we set limit;
@@ -3958,6 +3964,16 @@
}
if (n & 0xc0) {
+ if ((n & 0xc0) != 0xc0) {
+ err = "invalid label type in DNS response";
+ goto invalid;
+ }
+
+ if (p >= last) {
+ err = "name is out of DNS response";
+ goto invalid;
+ }
+
n = ((n & 0x3f) << 8) + *p;
p = &buf[n];
@@ -3986,7 +4002,7 @@
return NGX_OK;
}
- if (len == -1) {
+ if (len == 0) {
ngx_str_null(name);
return NGX_OK;
}
@@ -3998,30 +4014,23 @@
name->data = dst;
- n = *src++;
-
for ( ;; ) {
+ n = *src++;
+
+ if (n == 0) {
+ name->len = dst - name->data - 1;
+ return NGX_OK;
+ }
+
if (n & 0xc0) {
n = ((n & 0x3f) << 8) + *src;
src = &buf[n];
- n = *src++;
-
} else {
ngx_strlow(dst, src, n);
dst += n;
src += n;
-
- n = *src++;
-
- if (n != 0) {
- *dst++ = '.';
- }
- }
-
- if (n == 0) {
- name->len = dst - name->data;
- return NGX_OK;
+ *dst++ = '.';
}
}
}
diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
index 93f32ea..5cc9b26 100644
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -1573,7 +1573,7 @@
0xffffffff /* 1111 1111 1111 1111 1111 1111 1111 1111 */
};
- /* " ", """, "%", "'", %00-%1F, %7F-%FF */
+ /* " ", """, "'", %00-%1F, %7F-%FF */
static uint32_t refresh[] = {
0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */
diff --git a/src/http/modules/ngx_http_auth_basic_module.c b/src/http/modules/ngx_http_auth_basic_module.c
index ed9df34..0693319 100644
--- a/src/http/modules/ngx_http_auth_basic_module.c
+++ b/src/http/modules/ngx_http_auth_basic_module.c
@@ -16,7 +16,7 @@
typedef struct {
ngx_http_complex_value_t *realm;
- ngx_http_complex_value_t user_file;
+ ngx_http_complex_value_t *user_file;
} ngx_http_auth_basic_loc_conf_t;
@@ -107,7 +107,7 @@
alcf = ngx_http_get_module_loc_conf(r, ngx_http_auth_basic_module);
- if (alcf->realm == NULL || alcf->user_file.value.data == NULL) {
+ if (alcf->realm == NULL || alcf->user_file == NULL) {
return NGX_DECLINED;
}
@@ -133,7 +133,7 @@
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
- if (ngx_http_complex_value(r, &alcf->user_file, &user_file) != NGX_OK) {
+ if (ngx_http_complex_value(r, alcf->user_file, &user_file) != NGX_OK) {
return NGX_ERROR;
}
@@ -357,6 +357,9 @@
return NULL;
}
+ conf->realm = NGX_CONF_UNSET_PTR;
+ conf->user_file = NGX_CONF_UNSET_PTR;
+
return conf;
}
@@ -367,13 +370,8 @@
ngx_http_auth_basic_loc_conf_t *prev = parent;
ngx_http_auth_basic_loc_conf_t *conf = child;
- if (conf->realm == NULL) {
- conf->realm = prev->realm;
- }
-
- if (conf->user_file.value.data == NULL) {
- conf->user_file = prev->user_file;
- }
+ ngx_conf_merge_ptr_value(conf->realm, prev->realm, NULL);
+ ngx_conf_merge_ptr_value(conf->user_file, prev->user_file, NULL);
return NGX_CONF_OK;
}
@@ -406,17 +404,22 @@
ngx_str_t *value;
ngx_http_compile_complex_value_t ccv;
- if (alcf->user_file.value.data) {
+ if (alcf->user_file != NGX_CONF_UNSET_PTR) {
return "is duplicate";
}
+ alcf->user_file = ngx_palloc(cf->pool, sizeof(ngx_http_complex_value_t));
+ if (alcf->user_file == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
value = cf->args->elts;
ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
ccv.cf = cf;
ccv.value = &value[1];
- ccv.complex_value = &alcf->user_file;
+ ccv.complex_value = alcf->user_file;
ccv.zero = 1;
ccv.conf_prefix = 1;
diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c
index 8b69e6f..0cc9ae1 100644
--- a/src/http/modules/ngx_http_dav_module.c
+++ b/src/http/modules/ngx_http_dav_module.c
@@ -1072,6 +1072,10 @@
static ngx_int_t
ngx_http_dav_location(ngx_http_request_t *r)
{
+ u_char *p;
+ size_t len;
+ uintptr_t escape;
+
r->headers_out.location = ngx_list_push(&r->headers_out.headers);
if (r->headers_out.location == NULL) {
return NGX_ERROR;
@@ -1079,7 +1083,26 @@
r->headers_out.location->hash = 1;
ngx_str_set(&r->headers_out.location->key, "Location");
- r->headers_out.location->value = r->uri;
+
+ escape = 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
+
+ if (escape) {
+ len = r->uri.len + escape;
+
+ p = ngx_pnalloc(r->pool, len);
+ if (p == NULL) {
+ ngx_http_clear_location(r);
+ return NGX_ERROR;
+ }
+
+ r->headers_out.location->value.len = len;
+ r->headers_out.location->value.data = p;
+
+ ngx_escape_uri(p, r->uri.data, r->uri.len, NGX_ESCAPE_URI);
+
+ } else {
+ r->headers_out.location->value = r->uri;
+ }
return NGX_OK;
}
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 53bc547..2e20e5f 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -37,9 +37,6 @@
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
- ngx_str_t ssl_certificate;
- ngx_str_t ssl_certificate_key;
- ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_grpc_loc_conf_t;
@@ -425,16 +422,16 @@
{ ngx_string("grpc_ssl_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_http_set_complex_value_zero_slot,
NGX_HTTP_LOC_CONF_OFFSET,
- offsetof(ngx_http_grpc_loc_conf_t, ssl_certificate),
+ offsetof(ngx_http_grpc_loc_conf_t, upstream.ssl_certificate),
NULL },
{ ngx_string("grpc_ssl_certificate_key"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_http_set_complex_value_zero_slot,
NGX_HTTP_LOC_CONF_OFFSET,
- offsetof(ngx_http_grpc_loc_conf_t, ssl_certificate_key),
+ offsetof(ngx_http_grpc_loc_conf_t, upstream.ssl_certificate_key),
NULL },
{ ngx_string("grpc_ssl_password_file"),
@@ -4331,7 +4328,6 @@
* conf->upstream.ignore_headers = 0;
* conf->upstream.next_upstream = 0;
* conf->upstream.hide_headers_hash = { NULL, 0 };
- * conf->upstream.ssl_name = NULL;
*
* conf->headers.lengths = NULL;
* conf->headers.values = NULL;
@@ -4343,8 +4339,6 @@
* conf->ssl_ciphers = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
- * conf->ssl_certificate = { 0, NULL };
- * conf->ssl_certificate_key = { 0, NULL };
*/
conf->upstream.local = NGX_CONF_UNSET_PTR;
@@ -4364,10 +4358,13 @@
#if (NGX_HTTP_SSL)
conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
+ conf->upstream.ssl_name = NGX_CONF_UNSET_PTR;
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
- conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
+ conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
+ conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
@@ -4459,10 +4456,8 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
- if (conf->upstream.ssl_name == NULL) {
- conf->upstream.ssl_name = prev->upstream.ssl_name;
- }
-
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_name,
+ prev->upstream.ssl_name, NULL);
ngx_conf_merge_value(conf->upstream.ssl_server_name,
prev->upstream.ssl_server_name, 0);
ngx_conf_merge_value(conf->upstream.ssl_verify,
@@ -4473,11 +4468,12 @@
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
- ngx_conf_merge_str_value(conf->ssl_certificate,
- prev->ssl_certificate, "");
- ngx_conf_merge_str_value(conf->ssl_certificate_key,
- prev->ssl_certificate_key, "");
- ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate,
+ prev->upstream.ssl_certificate, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
+ prev->upstream.ssl_certificate_key, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
+ prev->upstream.ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@@ -4833,15 +4829,15 @@
ngx_str_t *value;
- if (glcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (glcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
return "is duplicate";
}
value = cf->args->elts;
- glcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+ glcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
- if (glcf->ssl_passwords == NULL) {
+ if (glcf->upstream.ssl_passwords == NULL) {
return NGX_CONF_ERROR;
}
@@ -4887,20 +4883,34 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = glcf->upstream.ssl;
- if (glcf->ssl_certificate.len) {
+ if (glcf->upstream.ssl_certificate) {
- if (glcf->ssl_certificate_key.len == 0) {
+ if (glcf->upstream.ssl_certificate_key == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"grpc_ssl_certificate_key\" is defined "
- "for certificate \"%V\"", &glcf->ssl_certificate);
+ "for certificate \"%V\"",
+ &glcf->upstream.ssl_certificate->value);
return NGX_ERROR;
}
- if (ngx_ssl_certificate(cf, glcf->upstream.ssl, &glcf->ssl_certificate,
- &glcf->ssl_certificate_key, glcf->ssl_passwords)
- != NGX_OK)
+ if (glcf->upstream.ssl_certificate->lengths
+ || glcf->upstream.ssl_certificate_key->lengths)
{
- return NGX_ERROR;
+ glcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
+ if (glcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+
+ } else {
+ if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
+ &glcf->upstream.ssl_certificate->value,
+ &glcf->upstream.ssl_certificate_key->value,
+ glcf->upstream.ssl_passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
}
}
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index c309ab9..ac21451 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -124,9 +124,6 @@
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
- ngx_str_t ssl_certificate;
- ngx_str_t ssl_certificate_key;
- ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_proxy_loc_conf_t;
@@ -760,16 +757,16 @@
{ ngx_string("proxy_ssl_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_http_set_complex_value_zero_slot,
NGX_HTTP_LOC_CONF_OFFSET,
- offsetof(ngx_http_proxy_loc_conf_t, ssl_certificate),
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate),
NULL },
{ ngx_string("proxy_ssl_certificate_key"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_http_set_complex_value_zero_slot,
NGX_HTTP_LOC_CONF_OFFSET,
- offsetof(ngx_http_proxy_loc_conf_t, ssl_certificate_key),
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_certificate_key),
NULL },
{ ngx_string("proxy_ssl_password_file"),
@@ -3334,9 +3331,7 @@
* conf->upstream.hide_headers_hash = { NULL, 0 };
* conf->upstream.store_lengths = NULL;
* conf->upstream.store_values = NULL;
- * conf->upstream.ssl_name = NULL;
*
- * conf->method = NULL;
* conf->location = NULL;
* conf->url = { 0, NULL };
* conf->headers.lengths = NULL;
@@ -3354,8 +3349,6 @@
* conf->ssl_ciphers = { 0, NULL };
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
- * conf->ssl_certificate = { 0, NULL };
- * conf->ssl_certificate_key = { 0, NULL };
*/
conf->upstream.store = NGX_CONF_UNSET;
@@ -3408,20 +3401,26 @@
#if (NGX_HTTP_SSL)
conf->upstream.ssl_alpn = NGX_CONF_UNSET;
conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
+ conf->upstream.ssl_name = NGX_CONF_UNSET_PTR;
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
conf->upstream.ssl_verify = NGX_CONF_UNSET;
+ conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
+ conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
+ conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
- conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
/* "proxy_cyclic_temp_file" is disabled */
conf->upstream.cyclic_temp_file = 0;
+ conf->upstream.change_buffering = 1;
+
conf->headers_source = NGX_CONF_UNSET_PTR;
+ conf->method = NGX_CONF_UNSET_PTR;
+
conf->redirect = NGX_CONF_UNSET;
- conf->upstream.change_buffering = 1;
conf->cookie_domains = NGX_CONF_UNSET_PTR;
conf->cookie_paths = NGX_CONF_UNSET_PTR;
@@ -3716,10 +3715,6 @@
#endif
- if (conf->method == NULL) {
- conf->method = prev->method;
- }
-
ngx_conf_merge_value(conf->upstream.pass_request_headers,
prev->upstream.pass_request_headers, 1);
ngx_conf_merge_value(conf->upstream.pass_request_body,
@@ -3740,12 +3735,10 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
- if (conf->upstream.ssl_name == NULL) {
- conf->upstream.ssl_name = prev->upstream.ssl_name;
- }
-
ngx_conf_merge_value(conf->upstream.ssl_alpn,
prev->upstream.ssl_alpn, 0);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_name,
+ prev->upstream.ssl_name, NULL);
ngx_conf_merge_value(conf->upstream.ssl_server_name,
prev->upstream.ssl_server_name, 0);
ngx_conf_merge_value(conf->upstream.ssl_verify,
@@ -3756,11 +3749,12 @@
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
- ngx_conf_merge_str_value(conf->ssl_certificate,
- prev->ssl_certificate, "");
- ngx_conf_merge_str_value(conf->ssl_certificate_key,
- prev->ssl_certificate_key, "");
- ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate,
+ prev->upstream.ssl_certificate, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
+ prev->upstream.ssl_certificate_key, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
+ prev->upstream.ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@@ -3771,6 +3765,8 @@
#endif
+ ngx_conf_merge_ptr_value(conf->method, prev->method, NULL);
+
ngx_conf_merge_value(conf->redirect, prev->redirect, 1);
if (conf->redirect) {
@@ -4889,15 +4885,15 @@
ngx_str_t *value;
- if (plcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (plcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
return "is duplicate";
}
value = cf->args->elts;
- plcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+ plcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
- if (plcf->ssl_passwords == NULL) {
+ if (plcf->upstream.ssl_passwords == NULL) {
return NGX_CONF_ERROR;
}
@@ -4977,20 +4973,34 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = plcf->upstream.ssl;
- if (plcf->ssl_certificate.len) {
+ if (plcf->upstream.ssl_certificate) {
- if (plcf->ssl_certificate_key.len == 0) {
+ if (plcf->upstream.ssl_certificate_key == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"proxy_ssl_certificate_key\" is defined "
- "for certificate \"%V\"", &plcf->ssl_certificate);
+ "for certificate \"%V\"",
+ &plcf->upstream.ssl_certificate->value);
return NGX_ERROR;
}
- if (ngx_ssl_certificate(cf, plcf->upstream.ssl, &plcf->ssl_certificate,
- &plcf->ssl_certificate_key, plcf->ssl_passwords)
- != NGX_OK)
+ if (plcf->upstream.ssl_certificate->lengths
+ || plcf->upstream.ssl_certificate_key->lengths)
{
- return NGX_ERROR;
+ plcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
+ if (plcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+
+ } else {
+ if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
+ &plcf->upstream.ssl_certificate->value,
+ &plcf->upstream.ssl_certificate_key->value,
+ plcf->upstream.ssl_passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
}
}
diff --git a/src/http/modules/ngx_http_secure_link_module.c b/src/http/modules/ngx_http_secure_link_module.c
index 536e09a..4d4ce6a 100644
--- a/src/http/modules/ngx_http_secure_link_module.c
+++ b/src/http/modules/ngx_http_secure_link_module.c
@@ -302,11 +302,12 @@
/*
* set by ngx_pcalloc():
*
- * conf->variable = NULL;
- * conf->md5 = NULL;
* conf->secret = { 0, NULL };
*/
+ conf->variable = NGX_CONF_UNSET_PTR;
+ conf->md5 = NGX_CONF_UNSET_PTR;
+
return conf;
}
@@ -318,6 +319,9 @@
ngx_http_secure_link_conf_t *conf = child;
if (conf->secret.data) {
+ ngx_conf_init_ptr_value(conf->variable, NULL);
+ ngx_conf_init_ptr_value(conf->md5, NULL);
+
if (conf->variable || conf->md5) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"\"secure_link_secret\" cannot be mixed with "
@@ -328,13 +332,8 @@
return NGX_CONF_OK;
}
- if (conf->variable == NULL) {
- conf->variable = prev->variable;
- }
-
- if (conf->md5 == NULL) {
- conf->md5 = prev->md5;
- }
+ ngx_conf_merge_ptr_value(conf->variable, prev->variable, NULL);
+ ngx_conf_merge_ptr_value(conf->md5, prev->md5, NULL);
if (conf->variable == NULL && conf->md5 == NULL) {
conf->secret = prev->secret;
diff --git a/src/http/modules/ngx_http_static_module.c b/src/http/modules/ngx_http_static_module.c
index 282d6ee..cf29d5a 100644
--- a/src/http/modules/ngx_http_static_module.c
+++ b/src/http/modules/ngx_http_static_module.c
@@ -50,6 +50,7 @@
{
u_char *last, *location;
size_t root, len;
+ uintptr_t escape;
ngx_str_t path;
ngx_int_t rc;
ngx_uint_t level;
@@ -155,14 +156,18 @@
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
- len = r->uri.len + 1;
+ escape = 2 * ngx_escape_uri(NULL, r->uri.data, r->uri.len,
+ NGX_ESCAPE_URI);
- if (!clcf->alias && r->args.len == 0) {
+ if (!clcf->alias && r->args.len == 0 && escape == 0) {
+ len = r->uri.len + 1;
location = path.data + root;
*last = '/';
} else {
+ len = r->uri.len + escape + 1;
+
if (r->args.len) {
len += r->args.len + 1;
}
@@ -173,7 +178,13 @@
return NGX_HTTP_INTERNAL_SERVER_ERROR;
}
- last = ngx_copy(location, r->uri.data, r->uri.len);
+ if (escape) {
+ last = (u_char *) ngx_escape_uri(location, r->uri.data,
+ r->uri.len, NGX_ESCAPE_URI);
+
+ } else {
+ last = ngx_copy(location, r->uri.data, r->uri.len);
+ }
*last = '/';
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index 1334f44..655be98 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -54,9 +54,6 @@
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
- ngx_str_t ssl_certificate;
- ngx_str_t ssl_certificate_key;
- ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_uwsgi_loc_conf_t;
@@ -548,16 +545,16 @@
{ ngx_string("uwsgi_ssl_certificate"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_http_set_complex_value_zero_slot,
NGX_HTTP_LOC_CONF_OFFSET,
- offsetof(ngx_http_uwsgi_loc_conf_t, ssl_certificate),
+ offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_certificate),
NULL },
{ ngx_string("uwsgi_ssl_certificate_key"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_http_set_complex_value_zero_slot,
NGX_HTTP_LOC_CONF_OFFSET,
- offsetof(ngx_http_uwsgi_loc_conf_t, ssl_certificate_key),
+ offsetof(ngx_http_uwsgi_loc_conf_t, upstream.ssl_certificate_key),
NULL },
{ ngx_string("uwsgi_ssl_password_file"),
@@ -1509,10 +1506,13 @@
#if (NGX_HTTP_SSL)
conf->upstream.ssl_session_reuse = NGX_CONF_UNSET;
+ conf->upstream.ssl_name = NGX_CONF_UNSET_PTR;
conf->upstream.ssl_server_name = NGX_CONF_UNSET;
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
- conf->ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
+ conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
+ conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
@@ -1824,10 +1824,8 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
"DEFAULT");
- if (conf->upstream.ssl_name == NULL) {
- conf->upstream.ssl_name = prev->upstream.ssl_name;
- }
-
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_name,
+ prev->upstream.ssl_name, NULL);
ngx_conf_merge_value(conf->upstream.ssl_server_name,
prev->upstream.ssl_server_name, 0);
ngx_conf_merge_value(conf->upstream.ssl_verify,
@@ -1838,11 +1836,12 @@
prev->ssl_trusted_certificate, "");
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
- ngx_conf_merge_str_value(conf->ssl_certificate,
- prev->ssl_certificate, "");
- ngx_conf_merge_str_value(conf->ssl_certificate_key,
- prev->ssl_certificate_key, "");
- ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate,
+ prev->upstream.ssl_certificate, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
+ prev->upstream.ssl_certificate_key, NULL);
+ ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
+ prev->upstream.ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
@@ -2377,15 +2376,15 @@
ngx_str_t *value;
- if (uwcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (uwcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
return "is duplicate";
}
value = cf->args->elts;
- uwcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+ uwcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
- if (uwcf->ssl_passwords == NULL) {
+ if (uwcf->upstream.ssl_passwords == NULL) {
return NGX_CONF_ERROR;
}
@@ -2431,20 +2430,34 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = uwcf->upstream.ssl;
- if (uwcf->ssl_certificate.len) {
+ if (uwcf->upstream.ssl_certificate) {
- if (uwcf->ssl_certificate_key.len == 0) {
+ if (uwcf->upstream.ssl_certificate_key == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"uwsgi_ssl_certificate_key\" is defined "
- "for certificate \"%V\"", &uwcf->ssl_certificate);
+ "for certificate \"%V\"",
+ &uwcf->upstream.ssl_certificate->value);
return NGX_ERROR;
}
- if (ngx_ssl_certificate(cf, uwcf->upstream.ssl, &uwcf->ssl_certificate,
- &uwcf->ssl_certificate_key, uwcf->ssl_passwords)
- != NGX_OK)
+ if (uwcf->upstream.ssl_certificate->lengths
+ || uwcf->upstream.ssl_certificate_key->lengths)
{
- return NGX_ERROR;
+ uwcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
+ if (uwcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+
+ } else {
+ if (ngx_ssl_certificate(cf, uwcf->upstream.ssl,
+ &uwcf->upstream.ssl_certificate->value,
+ &uwcf->upstream.ssl_certificate_key->value,
+ uwcf->upstream.ssl_passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
}
}
diff --git a/src/http/ngx_http.c b/src/http/ngx_http.c
index e1d3d00..3d5c4ac 100644
--- a/src/http/ngx_http.c
+++ b/src/http/ngx_http.c
@@ -37,6 +37,8 @@
ngx_http_core_srv_conf_t *cscf, ngx_http_core_loc_conf_t *pclcf);
static ngx_int_t ngx_http_init_static_location_trees(ngx_conf_t *cf,
ngx_http_core_loc_conf_t *pclcf);
+static ngx_int_t ngx_http_escape_location_name(ngx_conf_t *cf,
+ ngx_http_core_loc_conf_t *clcf);
static ngx_int_t ngx_http_cmp_locations(const ngx_queue_t *one,
const ngx_queue_t *two);
static ngx_int_t ngx_http_join_exact_locations(ngx_conf_t *cf,
@@ -882,6 +884,41 @@
ngx_queue_insert_tail(*locations, &lq->queue);
+ if (ngx_http_escape_location_name(cf, clcf) != NGX_OK) {
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
+
+
+static ngx_int_t
+ngx_http_escape_location_name(ngx_conf_t *cf, ngx_http_core_loc_conf_t *clcf)
+{
+ u_char *p;
+ size_t len;
+ uintptr_t escape;
+
+ escape = 2 * ngx_escape_uri(NULL, clcf->name.data, clcf->name.len,
+ NGX_ESCAPE_URI);
+
+ if (escape) {
+ len = clcf->name.len + escape;
+
+ p = ngx_pnalloc(cf->pool, len);
+ if (p == NULL) {
+ return NGX_ERROR;
+ }
+
+ clcf->escaped_name.len = len;
+ clcf->escaped_name.data = p;
+
+ ngx_escape_uri(p, clcf->name.data, clcf->name.len, NGX_ESCAPE_URI);
+
+ } else {
+ clcf->escaped_name = clcf->name;
+ }
+
return NGX_OK;
}
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index 14327cc..127a35c 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1010,10 +1010,10 @@
ngx_str_set(&r->headers_out.location->key, "Location");
if (r->args.len == 0) {
- r->headers_out.location->value = clcf->name;
+ r->headers_out.location->value = clcf->escaped_name;
} else {
- len = clcf->name.len + 1 + r->args.len;
+ len = clcf->escaped_name.len + 1 + r->args.len;
p = ngx_pnalloc(r->pool, len);
if (p == NULL) {
@@ -1025,7 +1025,7 @@
r->headers_out.location->value.len = len;
r->headers_out.location->value.data = p;
- p = ngx_cpymem(p, clcf->name.data, clcf->name.len);
+ p = ngx_cpymem(p, clcf->escaped_name.data, clcf->escaped_name.len);
*p++ = '?';
ngx_memcpy(p, r->args.data, r->args.len);
}
@@ -3467,6 +3467,7 @@
/*
* set by ngx_pcalloc():
*
+ * clcf->escaped_name = { 0, NULL };
* clcf->root = { 0, NULL };
* clcf->limit_except = 0;
* clcf->post_action = { 0, NULL };
@@ -3479,8 +3480,6 @@
* clcf->exact_match = 0;
* clcf->auto_redirect = 0;
* clcf->alias = 0;
- * clcf->limit_rate = NULL;
- * clcf->limit_rate_after = NULL;
* clcf->gzip_proxied = 0;
* clcf->keepalive_disable = 0;
*/
@@ -3512,6 +3511,8 @@
clcf->send_timeout = NGX_CONF_UNSET_MSEC;
clcf->send_lowat = NGX_CONF_UNSET_SIZE;
clcf->postpone_output = NGX_CONF_UNSET_SIZE;
+ clcf->limit_rate = NGX_CONF_UNSET_PTR;
+ clcf->limit_rate_after = NGX_CONF_UNSET_PTR;
clcf->keepalive_time = NGX_CONF_UNSET_MSEC;
clcf->keepalive_timeout = NGX_CONF_UNSET_MSEC;
clcf->keepalive_header = NGX_CONF_UNSET;
@@ -3743,13 +3744,9 @@
ngx_conf_merge_size_value(conf->postpone_output, prev->postpone_output,
1460);
- if (conf->limit_rate == NULL) {
- conf->limit_rate = prev->limit_rate;
- }
-
- if (conf->limit_rate_after == NULL) {
- conf->limit_rate_after = prev->limit_rate_after;
- }
+ ngx_conf_merge_ptr_value(conf->limit_rate, prev->limit_rate, NULL);
+ ngx_conf_merge_ptr_value(conf->limit_rate_after,
+ prev->limit_rate_after, NULL);
ngx_conf_merge_msec_value(conf->keepalive_time,
prev->keepalive_time, 3600000);
diff --git a/src/http/ngx_http_core_module.h b/src/http/ngx_http_core_module.h
index 97e0ede..c9a6109 100644
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@@ -299,6 +299,7 @@
struct ngx_http_core_loc_conf_s {
ngx_str_t name; /* location name */
+ ngx_str_t escaped_name;
#if (NGX_PCRE)
ngx_http_regex_t *regex;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 4fe51b7..eae56c6 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1207,12 +1207,14 @@
}
ngx_http_free_request(r, 0);
+ c->log->action = "SSL handshaking";
c->destroyed = 0;
return 1;
failed:
ngx_http_free_request(r, 0);
+ c->log->action = "SSL handshaking";
c->destroyed = 0;
return 0;
}
diff --git a/src/http/ngx_http_script.c b/src/http/ngx_http_script.c
index 13c57d6..bebdbd9 100644
--- a/src/http/ngx_http_script.c
+++ b/src/http/ngx_http_script.c
@@ -250,7 +250,7 @@
cv = (ngx_http_complex_value_t **) (p + cmd->offset);
- if (*cv != NULL) {
+ if (*cv != NGX_CONF_UNSET_PTR && *cv != NULL) {
return "is duplicate";
}
@@ -276,6 +276,44 @@
char *
+ngx_http_set_complex_value_zero_slot(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf)
+{
+ char *p = conf;
+
+ ngx_str_t *value;
+ ngx_http_complex_value_t **cv;
+ ngx_http_compile_complex_value_t ccv;
+
+ cv = (ngx_http_complex_value_t **) (p + cmd->offset);
+
+ if (*cv != NGX_CONF_UNSET_PTR) {
+ return "is duplicate";
+ }
+
+ *cv = ngx_palloc(cf->pool, sizeof(ngx_http_complex_value_t));
+ if (*cv == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ value = cf->args->elts;
+
+ ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t));
+
+ ccv.cf = cf;
+ ccv.value = &value[1];
+ ccv.complex_value = *cv;
+ ccv.zero = 1;
+
+ if (ngx_http_compile_complex_value(&ccv) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
+ return NGX_CONF_OK;
+}
+
+
+char *
ngx_http_set_complex_value_size_slot(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf)
{
diff --git a/src/http/ngx_http_script.h b/src/http/ngx_http_script.h
index a6b345e..4360038 100644
--- a/src/http/ngx_http_script.h
+++ b/src/http/ngx_http_script.h
@@ -216,6 +216,8 @@
ngx_int_t ngx_http_compile_complex_value(ngx_http_compile_complex_value_t *ccv);
char *ngx_http_set_complex_value_slot(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
+char *ngx_http_set_complex_value_zero_slot(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
char *ngx_http_set_complex_value_size_slot(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index e2e6930..8522ffa 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -187,6 +187,8 @@
static void ngx_http_upstream_ssl_save_session(ngx_connection_t *c);
static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r,
ngx_http_upstream_t *u, ngx_connection_t *c);
+static ngx_int_t ngx_http_upstream_ssl_certificate(ngx_http_request_t *r,
+ ngx_http_upstream_t *u, ngx_connection_t *c);
#endif
@@ -1692,6 +1694,16 @@
}
}
+ if (u->conf->ssl_certificate && (u->conf->ssl_certificate->lengths
+ || u->conf->ssl_certificate_key->lengths))
+ {
+ if (ngx_http_upstream_ssl_certificate(r, u, c) != NGX_OK) {
+ ngx_http_upstream_finalize_request(r, u,
+ NGX_HTTP_INTERNAL_SERVER_ERROR);
+ return;
+ }
+ }
+
if (u->conf->ssl_session_reuse) {
c->ssl->save_session = ngx_http_upstream_ssl_save_session;
@@ -1912,6 +1924,45 @@
return NGX_OK;
}
+
+static ngx_int_t
+ngx_http_upstream_ssl_certificate(ngx_http_request_t *r,
+ ngx_http_upstream_t *u, ngx_connection_t *c)
+{
+ ngx_str_t cert, key;
+
+ if (ngx_http_complex_value(r, u->conf->ssl_certificate, &cert)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+ "http upstream ssl cert: \"%s\"", cert.data);
+
+ if (*cert.data == '\0') {
+ return NGX_OK;
+ }
+
+ if (ngx_http_complex_value(r, u->conf->ssl_certificate_key, &key)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
+ "http upstream ssl key: \"%s\"", key.data);
+
+ if (ngx_ssl_connection_certificate(c, r->pool, &cert, &key,
+ u->conf->ssl_passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
+
#endif
diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h
index a568899..b6cef95 100644
--- a/src/http/ngx_http_upstream.h
+++ b/src/http/ngx_http_upstream.h
@@ -235,6 +235,10 @@
ngx_http_complex_value_t *ssl_name;
ngx_flag_t ssl_server_name;
ngx_flag_t ssl_verify;
+
+ ngx_http_complex_value_t *ssl_certificate;
+ ngx_http_complex_value_t *ssl_certificate_key;
+ ngx_array_t *ssl_passwords;
#endif
ngx_str_t module;
diff --git a/src/mail/ngx_mail.h b/src/mail/ngx_mail.h
index b865a3b..21178c3 100644
--- a/src/mail/ngx_mail.h
+++ b/src/mail/ngx_mail.h
@@ -115,6 +115,8 @@
ngx_msec_t timeout;
ngx_msec_t resolver_timeout;
+ ngx_uint_t max_errors;
+
ngx_str_t server_name;
u_char *file_name;
@@ -231,14 +233,15 @@
ngx_uint_t command;
ngx_array_t args;
+ ngx_uint_t errors;
ngx_uint_t login_attempt;
/* used to parse POP3/IMAP/SMTP command */
ngx_uint_t state;
+ u_char *tag_start;
u_char *cmd_start;
u_char *arg_start;
- u_char *arg_end;
ngx_uint_t literal_len;
} ngx_mail_session_t;
diff --git a/src/mail/ngx_mail_core_module.c b/src/mail/ngx_mail_core_module.c
index 4083124..115671c 100644
--- a/src/mail/ngx_mail_core_module.c
+++ b/src/mail/ngx_mail_core_module.c
@@ -85,6 +85,13 @@
offsetof(ngx_mail_core_srv_conf_t, resolver_timeout),
NULL },
+ { ngx_string("max_errors"),
+ NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_MAIL_SRV_CONF_OFFSET,
+ offsetof(ngx_mail_core_srv_conf_t, max_errors),
+ NULL },
+
ngx_null_command
};
@@ -163,6 +170,8 @@
cscf->timeout = NGX_CONF_UNSET_MSEC;
cscf->resolver_timeout = NGX_CONF_UNSET_MSEC;
+ cscf->max_errors = NGX_CONF_UNSET_UINT;
+
cscf->resolver = NGX_CONF_UNSET_PTR;
cscf->file_name = cf->conf_file->file.name.data;
@@ -182,6 +191,7 @@
ngx_conf_merge_msec_value(conf->resolver_timeout, prev->resolver_timeout,
30000);
+ ngx_conf_merge_uint_value(conf->max_errors, prev->max_errors, 5);
ngx_conf_merge_str_value(conf->server_name, prev->server_name, "");
diff --git a/src/mail/ngx_mail_handler.c b/src/mail/ngx_mail_handler.c
index 0aaa0e7..246ba97 100644
--- a/src/mail/ngx_mail_handler.c
+++ b/src/mail/ngx_mail_handler.c
@@ -833,20 +833,23 @@
ngx_str_t l;
ngx_mail_core_srv_conf_t *cscf;
- n = c->recv(c, s->buffer->last, s->buffer->end - s->buffer->last);
+ if (s->buffer->last < s->buffer->end) {
- if (n == NGX_ERROR || n == 0) {
- ngx_mail_close_connection(c);
- return NGX_ERROR;
- }
+ n = c->recv(c, s->buffer->last, s->buffer->end - s->buffer->last);
- if (n > 0) {
- s->buffer->last += n;
- }
+ if (n == NGX_ERROR || n == 0) {
+ ngx_mail_close_connection(c);
+ return NGX_ERROR;
+ }
- if (n == NGX_AGAIN) {
- if (s->buffer->pos == s->buffer->last) {
- return NGX_AGAIN;
+ if (n > 0) {
+ s->buffer->last += n;
+ }
+
+ if (n == NGX_AGAIN) {
+ if (s->buffer->pos == s->buffer->last) {
+ return NGX_AGAIN;
+ }
}
}
@@ -871,7 +874,20 @@
return NGX_MAIL_PARSE_INVALID_COMMAND;
}
- if (rc == NGX_IMAP_NEXT || rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+ if (rc == NGX_MAIL_PARSE_INVALID_COMMAND) {
+
+ s->errors++;
+
+ if (s->errors >= cscf->max_errors) {
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
+ "client sent too many invalid commands");
+ s->quit = 1;
+ }
+
+ return rc;
+ }
+
+ if (rc == NGX_IMAP_NEXT) {
return rc;
}
diff --git a/src/mail/ngx_mail_imap_handler.c b/src/mail/ngx_mail_imap_handler.c
index 5dfdd76..291e87a 100644
--- a/src/mail/ngx_mail_imap_handler.c
+++ b/src/mail/ngx_mail_imap_handler.c
@@ -101,10 +101,9 @@
void
ngx_mail_imap_auth_state(ngx_event_t *rev)
{
- u_char *p, *dst, *src, *end;
- ngx_str_t *arg;
+ u_char *p;
ngx_int_t rc;
- ngx_uint_t tag, i;
+ ngx_uint_t tag;
ngx_connection_t *c;
ngx_mail_session_t *s;
@@ -158,27 +157,6 @@
ngx_log_debug1(NGX_LOG_DEBUG_MAIL, c->log, 0, "imap auth command: %i",
s->command);
- if (s->backslash) {
-
- arg = s->args.elts;
-
- for (i = 0; i < s->args.nelts; i++) {
- dst = arg[i].data;
- end = dst + arg[i].len;
-
- for (src = dst; src < end; dst++) {
- *dst = *src;
- if (*src++ == '\\') {
- *dst = *src++;
- }
- }
-
- arg[i].len = dst - arg[i].data;
- }
-
- s->backslash = 0;
- }
-
switch (s->mail_state) {
case ngx_imap_start:
@@ -248,6 +226,10 @@
ngx_str_set(&s->out, imap_next);
}
+ if (s->buffer->pos < s->buffer->last) {
+ s->blocked = 1;
+ }
+
switch (rc) {
case NGX_DONE:
@@ -297,13 +279,14 @@
if (s->state) {
/* preserve tag */
- s->arg_start = s->buffer->start + s->tag.len;
- s->buffer->pos = s->arg_start;
- s->buffer->last = s->arg_start;
+ s->arg_start = s->buffer->pos;
} else {
- s->buffer->pos = s->buffer->start;
- s->buffer->last = s->buffer->start;
+ if (s->buffer->pos == s->buffer->last) {
+ s->buffer->pos = s->buffer->start;
+ s->buffer->last = s->buffer->start;
+ }
+
s->tag.len = 0;
}
}
@@ -481,6 +464,8 @@
if (c->ssl == NULL) {
sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
if (sslcf->starttls) {
+ s->buffer->pos = s->buffer->start;
+ s->buffer->last = s->buffer->start;
c->read->handler = ngx_mail_starttls_handler;
return NGX_OK;
}
diff --git a/src/mail/ngx_mail_parse.c b/src/mail/ngx_mail_parse.c
index 2c2cdff..4db1f18 100644
--- a/src/mail/ngx_mail_parse.c
+++ b/src/mail/ngx_mail_parse.c
@@ -21,6 +21,8 @@
ngx_str_t *arg;
enum {
sw_start = 0,
+ sw_command,
+ sw_invalid,
sw_spaces_before_argument,
sw_argument,
sw_almost_done
@@ -35,8 +37,14 @@
/* POP3 command */
case sw_start:
+ s->cmd_start = p;
+ state = sw_command;
+
+ /* fall through */
+
+ case sw_command:
if (ch == ' ' || ch == CR || ch == LF) {
- c = s->buffer->start;
+ c = s->cmd_start;
if (p - c == 4) {
@@ -85,6 +93,9 @@
goto invalid;
}
+ s->cmd.data = s->cmd_start;
+ s->cmd.len = p - s->cmd_start;
+
switch (ch) {
case ' ':
state = sw_spaces_before_argument;
@@ -104,16 +115,17 @@
break;
+ case sw_invalid:
+ goto invalid;
+
case sw_spaces_before_argument:
switch (ch) {
case ' ':
break;
case CR:
state = sw_almost_done;
- s->arg_end = p;
break;
case LF:
- s->arg_end = p;
goto done;
default:
if (s->args.nelts <= 2) {
@@ -188,37 +200,39 @@
done:
s->buffer->pos = p + 1;
-
- if (s->arg_start) {
- arg = ngx_array_push(&s->args);
- if (arg == NULL) {
- return NGX_ERROR;
- }
- arg->len = s->arg_end - s->arg_start;
- arg->data = s->arg_start;
- s->arg_start = NULL;
- }
-
s->state = (s->command != NGX_POP3_AUTH) ? sw_start : sw_argument;
return NGX_OK;
invalid:
- s->state = sw_start;
- s->arg_start = NULL;
+ s->state = sw_invalid;
- return NGX_MAIL_PARSE_INVALID_COMMAND;
+ /* skip invalid command till LF */
+
+ for ( /* void */ ; p < s->buffer->last; p++) {
+ if (*p == LF) {
+ s->state = sw_start;
+ s->buffer->pos = p + 1;
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+ }
+
+ s->buffer->pos = p;
+
+ return NGX_AGAIN;
}
ngx_int_t
ngx_mail_imap_parse_command(ngx_mail_session_t *s)
{
- u_char ch, *p, *c;
+ u_char ch, *p, *c, *dst, *src, *end;
ngx_str_t *arg;
enum {
sw_start = 0,
+ sw_tag,
+ sw_invalid,
sw_spaces_before_command,
sw_command,
sw_spaces_before_argument,
@@ -241,31 +255,45 @@
/* IMAP tag */
case sw_start:
+ s->tag_start = p;
+ state = sw_tag;
+
+ /* fall through */
+
+ case sw_tag:
switch (ch) {
case ' ':
- s->tag.len = p - s->buffer->start + 1;
- s->tag.data = s->buffer->start;
+ s->tag.len = p - s->tag_start + 1;
+ s->tag.data = s->tag_start;
state = sw_spaces_before_command;
break;
case CR:
- s->state = sw_start;
- return NGX_MAIL_PARSE_INVALID_COMMAND;
case LF:
- s->state = sw_start;
- return NGX_MAIL_PARSE_INVALID_COMMAND;
+ goto invalid;
+ default:
+ if ((ch < 'A' || ch > 'Z') && (ch < 'a' || ch > 'z')
+ && (ch < '0' || ch > '9') && ch != '-' && ch != '.'
+ && ch != '_')
+ {
+ goto invalid;
+ }
+ if (p - s->tag_start > 31) {
+ goto invalid;
+ }
+ break;
}
break;
+ case sw_invalid:
+ goto invalid;
+
case sw_spaces_before_command:
switch (ch) {
case ' ':
break;
case CR:
- s->state = sw_start;
- return NGX_MAIL_PARSE_INVALID_COMMAND;
case LF:
- s->state = sw_start;
- return NGX_MAIL_PARSE_INVALID_COMMAND;
+ goto invalid;
default:
s->cmd_start = p;
state = sw_command;
@@ -385,6 +413,9 @@
goto invalid;
}
+ s->cmd.data = s->cmd_start;
+ s->cmd.len = p - s->cmd_start;
+
switch (ch) {
case ' ':
state = sw_spaces_before_argument;
@@ -410,10 +441,8 @@
break;
case CR:
state = sw_almost_done;
- s->arg_end = p;
break;
case LF:
- s->arg_end = p;
goto done;
case '"':
if (s->args.nelts <= 2) {
@@ -460,6 +489,22 @@
}
arg->len = p - s->arg_start;
arg->data = s->arg_start;
+
+ if (s->backslash) {
+ dst = s->arg_start;
+ end = p;
+
+ for (src = dst; src < end; dst++) {
+ *dst = *src;
+ if (*src++ == '\\') {
+ *dst = *src++;
+ }
+ }
+
+ arg->len = dst - s->arg_start;
+ s->backslash = 0;
+ }
+
s->arg_start = NULL;
switch (ch) {
@@ -588,34 +633,46 @@
done:
s->buffer->pos = p + 1;
-
- if (s->arg_start) {
- arg = ngx_array_push(&s->args);
- if (arg == NULL) {
- return NGX_ERROR;
- }
- arg->len = s->arg_end - s->arg_start;
- arg->data = s->arg_start;
-
- s->arg_start = NULL;
- s->cmd_start = NULL;
- s->quoted = 0;
- s->no_sync_literal = 0;
- s->literal_len = 0;
- }
-
s->state = (s->command != NGX_IMAP_AUTHENTICATE) ? sw_start : sw_argument;
return NGX_OK;
invalid:
- s->state = sw_start;
+ s->state = sw_invalid;
s->quoted = 0;
+ s->backslash = 0;
s->no_sync_literal = 0;
s->literal_len = 0;
- return NGX_MAIL_PARSE_INVALID_COMMAND;
+ /* skip invalid command till LF */
+
+ for ( /* void */ ; p < s->buffer->last; p++) {
+ if (*p == LF) {
+ s->state = sw_start;
+ s->buffer->pos = p + 1;
+
+ /* detect non-synchronizing literals */
+
+ if ((size_t) (p - s->buffer->start) > sizeof("{1+}") - 1) {
+ p--;
+
+ if (*p == CR) {
+ p--;
+ }
+
+ if (*p == '}' && *(p - 1) == '+') {
+ s->quit = 1;
+ }
+ }
+
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
+ }
+ }
+
+ s->buffer->pos = p;
+
+ return NGX_AGAIN;
}
@@ -758,10 +815,8 @@
break;
case CR:
state = sw_almost_done;
- s->arg_end = p;
break;
case LF:
- s->arg_end = p;
goto done;
default:
if (s->args.nelts <= 10) {
@@ -821,17 +876,6 @@
done:
s->buffer->pos = p + 1;
-
- if (s->arg_start) {
- arg = ngx_array_push(&s->args);
- if (arg == NULL) {
- return NGX_ERROR;
- }
- arg->len = s->arg_end - s->arg_start;
- arg->data = s->arg_start;
- s->arg_start = NULL;
- }
-
s->state = (s->command != NGX_SMTP_AUTH) ? sw_start : sw_argument;
return NGX_OK;
@@ -839,21 +883,20 @@
invalid:
s->state = sw_invalid;
- s->arg_start = NULL;
/* skip invalid command till LF */
- for (p = s->buffer->pos; p < s->buffer->last; p++) {
+ for ( /* void */ ; p < s->buffer->last; p++) {
if (*p == LF) {
s->state = sw_start;
- p++;
- break;
+ s->buffer->pos = p + 1;
+ return NGX_MAIL_PARSE_INVALID_COMMAND;
}
}
s->buffer->pos = p;
- return NGX_MAIL_PARSE_INVALID_COMMAND;
+ return NGX_AGAIN;
}
diff --git a/src/mail/ngx_mail_pop3_handler.c b/src/mail/ngx_mail_pop3_handler.c
index edfd986..226e741 100644
--- a/src/mail/ngx_mail_pop3_handler.c
+++ b/src/mail/ngx_mail_pop3_handler.c
@@ -262,6 +262,10 @@
}
}
+ if (s->buffer->pos < s->buffer->last) {
+ s->blocked = 1;
+ }
+
switch (rc) {
case NGX_DONE:
@@ -283,11 +287,14 @@
case NGX_OK:
s->args.nelts = 0;
- s->buffer->pos = s->buffer->start;
- s->buffer->last = s->buffer->start;
+
+ if (s->buffer->pos == s->buffer->last) {
+ s->buffer->pos = s->buffer->start;
+ s->buffer->last = s->buffer->start;
+ }
if (s->state) {
- s->arg_start = s->buffer->start;
+ s->arg_start = s->buffer->pos;
}
if (ngx_handle_read_event(c->read, 0) != NGX_OK) {
@@ -400,6 +407,8 @@
if (c->ssl == NULL) {
sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
if (sslcf->starttls) {
+ s->buffer->pos = s->buffer->start;
+ s->buffer->last = s->buffer->start;
c->read->handler = ngx_mail_starttls_handler;
return NGX_OK;
}
diff --git a/src/mail/ngx_mail_proxy_module.c b/src/mail/ngx_mail_proxy_module.c
index 66aa0ba..a7ab077 100644
--- a/src/mail/ngx_mail_proxy_module.c
+++ b/src/mail/ngx_mail_proxy_module.c
@@ -327,6 +327,10 @@
c->log->action = NULL;
ngx_log_error(NGX_LOG_INFO, c->log, 0, "client logged in");
+ if (s->buffer->pos < s->buffer->last) {
+ ngx_post_event(c->write, &ngx_posted_events);
+ }
+
ngx_mail_proxy_handler(s->connection->write);
return;
@@ -482,6 +486,10 @@
c->log->action = NULL;
ngx_log_error(NGX_LOG_INFO, c->log, 0, "client logged in");
+ if (s->buffer->pos < s->buffer->last) {
+ ngx_post_event(c->write, &ngx_posted_events);
+ }
+
ngx_mail_proxy_handler(s->connection->write);
return;
@@ -813,13 +821,12 @@
c->log->action = NULL;
ngx_log_error(NGX_LOG_INFO, c->log, 0, "client logged in");
- if (s->buffer->pos == s->buffer->last) {
- ngx_mail_proxy_handler(s->connection->write);
-
- } else {
- ngx_mail_proxy_handler(c->write);
+ if (s->buffer->pos < s->buffer->last) {
+ ngx_post_event(c->write, &ngx_posted_events);
}
+ ngx_mail_proxy_handler(s->connection->write);
+
return;
default:
diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c
index b31485f..07cd05e 100644
--- a/src/os/unix/ngx_process_cycle.c
+++ b/src/os/unix/ngx_process_cycle.c
@@ -398,6 +398,8 @@
ngx_int_t i;
ngx_channel_t ch;
+ ngx_memzero(&ch, sizeof(ngx_channel_t));
+
ch.command = NGX_CMD_OPEN_CHANNEL;
ch.pid = ngx_processes[ngx_process_slot].pid;
ch.slot = ngx_process_slot;
diff --git a/src/stream/ngx_stream.c b/src/stream/ngx_stream.c
index 7835675..3304c84 100644
--- a/src/stream/ngx_stream.c
+++ b/src/stream/ngx_stream.c
@@ -510,6 +510,10 @@
ls->ipv6only = addr[i].opt.ipv6only;
#endif
+#if (NGX_HAVE_TCP_FASTOPEN)
+ ls->fastopen = addr[i].opt.fastopen;
+#endif
+
#if (NGX_HAVE_REUSEPORT)
ls->reuseport = addr[i].opt.reuseport;
#endif
diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
index 9e35832..46c3622 100644
--- a/src/stream/ngx_stream.h
+++ b/src/stream/ngx_stream.h
@@ -65,6 +65,9 @@
int backlog;
int rcvbuf;
int sndbuf;
+#if (NGX_HAVE_TCP_FASTOPEN)
+ int fastopen;
+#endif
int type;
} ngx_stream_listen_t;
diff --git a/src/stream/ngx_stream_core_module.c b/src/stream/ngx_stream_core_module.c
index 9b6afe9..d96d27a 100644
--- a/src/stream/ngx_stream_core_module.c
+++ b/src/stream/ngx_stream_core_module.c
@@ -615,6 +615,10 @@
ls->type = SOCK_STREAM;
ls->ctx = cf->ctx;
+#if (NGX_HAVE_TCP_FASTOPEN)
+ ls->fastopen = -1;
+#endif
+
#if (NGX_HAVE_INET6)
ls->ipv6only = 1;
#endif
@@ -635,6 +639,21 @@
continue;
}
+#if (NGX_HAVE_TCP_FASTOPEN)
+ if (ngx_strncmp(value[i].data, "fastopen=", 9) == 0) {
+ ls->fastopen = ngx_atoi(value[i].data + 9, value[i].len - 9);
+ ls->bind = 1;
+
+ if (ls->fastopen == NGX_ERROR) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid fastopen \"%V\"", &value[i]);
+ return NGX_CONF_ERROR;
+ }
+
+ continue;
+ }
+#endif
+
if (ngx_strncmp(value[i].data, "backlog=", 8) == 0) {
ls->backlog = ngx_atoi(value[i].data + 8, value[i].len - 8);
ls->bind = 1;
@@ -859,6 +878,12 @@
if (ls->proxy_protocol) {
return "\"proxy_protocol\" parameter is incompatible with \"udp\"";
}
+
+#if (NGX_HAVE_TCP_FASTOPEN)
+ if (ls->fastopen != -1) {
+ return "\"fastopen\" parameter is incompatible with \"udp\"";
+ }
+#endif
}
als = cmcf->listen.elts;
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 01cda7a..8c686ab 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -46,8 +46,8 @@
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
- ngx_str_t ssl_certificate;
- ngx_str_t ssl_certificate_key;
+ ngx_stream_complex_value_t *ssl_certificate;
+ ngx_stream_complex_value_t *ssl_certificate_key;
ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
@@ -101,6 +101,7 @@
static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
+static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *pscf);
@@ -318,14 +319,14 @@
{ ngx_string("proxy_ssl_certificate"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_stream_set_complex_value_zero_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate),
NULL },
{ ngx_string("proxy_ssl_certificate_key"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_str_slot,
+ ngx_stream_set_complex_value_zero_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_proxy_srv_conf_t, ssl_certificate_key),
NULL },
@@ -1060,6 +1061,15 @@
}
}
+ if (pscf->ssl_certificate && (pscf->ssl_certificate->lengths
+ || pscf->ssl_certificate_key->lengths))
+ {
+ if (ngx_stream_proxy_ssl_certificate(s) != NGX_OK) {
+ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+ return;
+ }
+ }
+
if (pscf->ssl_session_reuse) {
pc->ssl->save_session = ngx_stream_proxy_ssl_save_session;
@@ -1247,6 +1257,50 @@
return NGX_OK;
}
+
+static ngx_int_t
+ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s)
+{
+ ngx_str_t cert, key;
+ ngx_connection_t *c;
+ ngx_stream_proxy_srv_conf_t *pscf;
+
+ c = s->upstream->peer.connection;
+
+ pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
+
+ if (ngx_stream_complex_value(s, pscf->ssl_certificate, &cert)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
+ "stream upstream ssl cert: \"%s\"", cert.data);
+
+ if (*cert.data == '\0') {
+ return NGX_OK;
+ }
+
+ if (ngx_stream_complex_value(s, pscf->ssl_certificate_key, &key)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
+ "stream upstream ssl key: \"%s\"", key.data);
+
+ if (ngx_ssl_connection_certificate(c, c->pool, &cert, &key,
+ pscf->ssl_passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
+
#endif
@@ -1977,14 +2031,9 @@
*
* conf->ssl_protocols = 0;
* conf->ssl_ciphers = { 0, NULL };
- * conf->ssl_name = NULL;
* conf->ssl_trusted_certificate = { 0, NULL };
* conf->ssl_crl = { 0, NULL };
- * conf->ssl_certificate = { 0, NULL };
- * conf->ssl_certificate_key = { 0, NULL };
*
- * conf->upload_rate = NULL;
- * conf->download_rate = NULL;
* conf->ssl = NULL;
* conf->upstream = NULL;
* conf->upstream_value = NULL;
@@ -1994,6 +2043,8 @@
conf->timeout = NGX_CONF_UNSET_MSEC;
conf->next_upstream_timeout = NGX_CONF_UNSET_MSEC;
conf->buffer_size = NGX_CONF_UNSET_SIZE;
+ conf->upload_rate = NGX_CONF_UNSET_PTR;
+ conf->download_rate = NGX_CONF_UNSET_PTR;
conf->requests = NGX_CONF_UNSET_UINT;
conf->responses = NGX_CONF_UNSET_UINT;
conf->next_upstream_tries = NGX_CONF_UNSET_UINT;
@@ -2005,9 +2056,12 @@
#if (NGX_STREAM_SSL)
conf->ssl_enable = NGX_CONF_UNSET;
conf->ssl_session_reuse = NGX_CONF_UNSET;
+ conf->ssl_name = NGX_CONF_UNSET_PTR;
conf->ssl_server_name = NGX_CONF_UNSET;
conf->ssl_verify = NGX_CONF_UNSET;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
+ conf->ssl_certificate = NGX_CONF_UNSET_PTR;
+ conf->ssl_certificate_key = NGX_CONF_UNSET_PTR;
conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
@@ -2034,13 +2088,9 @@
ngx_conf_merge_size_value(conf->buffer_size,
prev->buffer_size, 16384);
- if (conf->upload_rate == NULL) {
- conf->upload_rate = prev->upload_rate;
- }
+ ngx_conf_merge_ptr_value(conf->upload_rate, prev->upload_rate, NULL);
- if (conf->download_rate == NULL) {
- conf->download_rate = prev->download_rate;
- }
+ ngx_conf_merge_ptr_value(conf->download_rate, prev->download_rate, NULL);
ngx_conf_merge_uint_value(conf->requests,
prev->requests, 0);
@@ -2073,9 +2123,7 @@
ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers, "DEFAULT");
- if (conf->ssl_name == NULL) {
- conf->ssl_name = prev->ssl_name;
- }
+ ngx_conf_merge_ptr_value(conf->ssl_name, prev->ssl_name, NULL);
ngx_conf_merge_value(conf->ssl_server_name, prev->ssl_server_name, 0);
@@ -2089,11 +2137,11 @@
ngx_conf_merge_str_value(conf->ssl_crl, prev->ssl_crl, "");
- ngx_conf_merge_str_value(conf->ssl_certificate,
- prev->ssl_certificate, "");
+ ngx_conf_merge_ptr_value(conf->ssl_certificate,
+ prev->ssl_certificate, NULL);
- ngx_conf_merge_str_value(conf->ssl_certificate_key,
- prev->ssl_certificate_key, "");
+ ngx_conf_merge_ptr_value(conf->ssl_certificate_key,
+ prev->ssl_certificate_key, NULL);
ngx_conf_merge_ptr_value(conf->ssl_passwords, prev->ssl_passwords, NULL);
@@ -2137,20 +2185,34 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = pscf->ssl;
- if (pscf->ssl_certificate.len) {
+ if (pscf->ssl_certificate) {
- if (pscf->ssl_certificate_key.len == 0) {
+ if (pscf->ssl_certificate_key == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no \"proxy_ssl_certificate_key\" is defined "
- "for certificate \"%V\"", &pscf->ssl_certificate);
+ "for certificate \"%V\"",
+ &pscf->ssl_certificate->value);
return NGX_ERROR;
}
- if (ngx_ssl_certificate(cf, pscf->ssl, &pscf->ssl_certificate,
- &pscf->ssl_certificate_key, pscf->ssl_passwords)
- != NGX_OK)
+ if (pscf->ssl_certificate->lengths
+ || pscf->ssl_certificate_key->lengths)
{
- return NGX_ERROR;
+ pscf->ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, pscf->ssl_passwords);
+ if (pscf->ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+
+ } else {
+ if (ngx_ssl_certificate(cf, pscf->ssl,
+ &pscf->ssl_certificate->value,
+ &pscf->ssl_certificate_key->value,
+ pscf->ssl_passwords)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
}
}
diff --git a/src/stream/ngx_stream_script.c b/src/stream/ngx_stream_script.c
index a15f772..c447e15 100644
--- a/src/stream/ngx_stream_script.c
+++ b/src/stream/ngx_stream_script.c
@@ -252,7 +252,7 @@
cv = (ngx_stream_complex_value_t **) (p + cmd->offset);
- if (*cv != NULL) {
+ if (*cv != NGX_CONF_UNSET_PTR && *cv != NULL) {
return "is duplicate";
}
@@ -278,6 +278,44 @@
char *
+ngx_stream_set_complex_value_zero_slot(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf)
+{
+ char *p = conf;
+
+ ngx_str_t *value;
+ ngx_stream_complex_value_t **cv;
+ ngx_stream_compile_complex_value_t ccv;
+
+ cv = (ngx_stream_complex_value_t **) (p + cmd->offset);
+
+ if (*cv != NGX_CONF_UNSET_PTR) {
+ return "is duplicate";
+ }
+
+ *cv = ngx_palloc(cf->pool, sizeof(ngx_stream_complex_value_t));
+ if (*cv == NULL) {
+ return NGX_CONF_ERROR;
+ }
+
+ value = cf->args->elts;
+
+ ngx_memzero(&ccv, sizeof(ngx_stream_compile_complex_value_t));
+
+ ccv.cf = cf;
+ ccv.value = &value[1];
+ ccv.complex_value = *cv;
+ ccv.zero = 1;
+
+ if (ngx_stream_compile_complex_value(&ccv) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
+ return NGX_CONF_OK;
+}
+
+
+char *
ngx_stream_set_complex_value_size_slot(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf)
{
diff --git a/src/stream/ngx_stream_script.h b/src/stream/ngx_stream_script.h
index a481ca3..d8f3740 100644
--- a/src/stream/ngx_stream_script.h
+++ b/src/stream/ngx_stream_script.h
@@ -112,6 +112,8 @@
ngx_stream_compile_complex_value_t *ccv);
char *ngx_stream_set_complex_value_slot(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);
+char *ngx_stream_set_complex_value_zero_slot(ngx_conf_t *cf, ngx_command_t *cmd,
+ void *conf);
char *ngx_stream_set_complex_value_size_slot(ngx_conf_t *cf, ngx_command_t *cmd,
void *conf);