feature: proxy_ssl_verify_by_lua directives #2436
zhuizhuhaomeng merged 19 commits into openresty:master from
Conversation
working after receiving server certificates, allowing us to control upstream ssl handshake dynamically with Lua
to control whether to skip openssl's default verify function
…ify server certificate
Should this PR be prepared for the grpc and uwsgi modules as well? They also support upstream SSL-related configurations. grpc_ssl_verify_by_lua
Let's first focus on proxy_ssl_verify_by_lua, since grpc/uwsgi are not that commonly used.

@agentzh @zhuizhuhaomeng ping for review... sorry to bother, but please take some time to review the PR, thanks!
phases to upstream phases & its related test case
proxy ssl verify instead of fake request and connection.
**phase:** *right-after-server-certificate-message-was-processed*

Equivalent to [proxy_ssl_verify_by_lua_block](#proxy_ssl_verify_by_lua_block), except that the file specified by `<path-to-lua-script-file>` contains the Lua code, or, as from the `v0.5.0rc32` release, the [LuaJIT bytecode](#luajit-bytecode-support) to be executed.
Copied from other places in this README.markdown, please search it!
cctx->original_request_count = r->main->count;
cctx->done = 0;
cctx->entered_proxy_ssl_verify_handler = 1;
cctx->pool = ngx_create_pool(128, c->log);
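Review bot: the return value of ngx_create_pool() on the last visible line is assigned to cctx->pool without a NULL check, so an allocation failure would be dereferenced later in the verify handler; add `if (cctx->pool == NULL) { return NGX_ERROR; }` (or whatever failure value the handler uses) directly after the assignment, and since this pool is separate from c->pool, document in a comment next to it that ngx_http_lua_proxy_ssl_verify_done is responsible for destroying it.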
should we use c->pool?
Nope! c is the upstream connection, and we will destroy the pool when calling ngx_http_lua_proxy_ssl_verify_done for proxy ssl verify to reenter, but the connection to upstream needs to be maintained, so we create a new pool specially for proxy ssl.
int
ngx_http_lua_ffi_ssl_get_verify_result(ngx_http_request_t *r, char **err)

Suggested change:
ngx_http_lua_ffi_ssl_get_verify_result(ngx_http_request_t *r, char **err)
ngx_http_lua_ffi_get_upstream_ssl_verify_result(ngx_http_request_t *r, char **err)
These functions will be used in the Lua file proxysslverify.lua like this: proxy_ssl_vfy.get_verify_result(23). It seems redundant to add upstream to the function name, or would changing it to ngx_http_lua_ffi_proxy_ssl_get_verify_result be more reasonable?
void
ngx_http_lua_ffi_ssl_free_verify_cert(void *cdata)

Suggested change:
ngx_http_lua_ffi_ssl_free_verify_cert(void *cdata)
ngx_http_lua_ffi_free_upstream_ssl_free_verify_cert(void *cdata)
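Review bot: the suggested name ngx_http_lua_ffi_free_upstream_ssl_free_verify_cert repeats "free", which looks like a typo in the suggestion; the free routine should mirror the getter's naming exactly (for example ngx_http_lua_ffi_free_upstream_ssl_verify_cert alongside ngx_http_lua_ffi_get_upstream_ssl_verify_cert) so the cdata returned by the getter is visibly paired with the function that releases it.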
void *
ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r, char **err)

Suggested change:
ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r, char **err)
ngx_http_lua_ffi_get_upstream_ssl_verify_cert(ngx_http_request_t *r, char **err)
--- request
GET /t
--- response_body
lua_upstream_skip_openssl_default_verify default off
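Review bot: this test only checks the default value of lua_upstream_skip_openssl_default_verify; since the directive decides whether OpenSSL's built-in certificate verification is bypassed, add a second test block that sets the directive to `on` and asserts the corresponding response body, so both values of the switch are covered and an accidental flip of the default would be caught.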
The directive is lua_upstream_skip_openssl_default_verify; the default behavior is NOT to bypass openssl's default verify process, otherwise security problems may be introduced. Notice the semantics!
proxy_ssl_verify_by_lua directives
proxy_ssl_verify_by_lua directives are working after receiving server certificates, allowing us to control upstream ssl handshake dynamically with Lua
a series of related PRs
Some of the docs haven't been finished yet, since the PR has not been merged and some release info can't be added; please review the code first, and the docs may be updated later.