feature: proxy_ssl_verify_by_lua directives #2436
Conversation
working after receiving server certificates, allowing us to control upstream ssl handshake dynamically with Lua
to control whether to skip openssl's default verify function
…ify server certificate
|
Should this pr be prepared for grpc and uwsgi module as well? They also support upstream SSL related configurations. grpc_ssl_verify_by_lua |
Let's first focus on proxy_ssl_verify_by_lua, since grpc/uwsgi are not that commonly used |
|
@agentzh @zhuizhuhaomeng ping for review...sorry to bother, but please take some time to review the PR, thanks! |
phases to upstream phases & its related test case
proxy ssl verify instead of fake request and connection.
|
|
||
| **phase:** *right-after-server-certificate-message-was-processed* | ||
|
|
||
| Equivalent to [proxy_ssl_verify_by_lua_block](#proxy_ssl_verify_by_lua_block), except that the file specified by `<path-to-lua-script-file>` contains the Lua code, or, as from the `v0.5.0rc32` release, the [LuaJIT bytecode](#luajit-bytecode-support) to be executed. |
There was a problem hiding this comment.
Copied from other places in this README.markdown, please search it!
| cctx->original_request_count = r->main->count; | ||
| cctx->done = 0; | ||
| cctx->entered_proxy_ssl_verify_handler = 1; | ||
| cctx->pool = ngx_create_pool(128, c->log); |
There was a problem hiding this comment.
should we use c->pool?
There was a problem hiding this comment.
Nope! c is upstream connection and we will destroy the pool when calling ngx_http_lua_proxy_ssl_verify_done for proxy ssl verify to reenter, but the connection to upstream need to maintain, so we create a new pool specially for proxy ssl.
|
|
||
| c->log->action = "loading proxy ssl verify by lua"; | ||
|
|
||
| if (llcf->proxy_ssl_verify_handler == NULL) { |
There was a problem hiding this comment.
Is this needed? Do you have test case to cover this code path?
There was a problem hiding this comment.
Original code structure was copied from ngx_http_lua_ssl_certby.c, but it seems unnecessary, so I will delete it.
|
|
||
|
|
||
| int | ||
| ngx_http_lua_ffi_ssl_get_verify_result(ngx_http_request_t *r, char **err) |
There was a problem hiding this comment.
| ngx_http_lua_ffi_ssl_get_verify_result(ngx_http_request_t *r, char **err) | |
| ngx_http_lua_ffi_get_upstream_ssl_verify_result(ngx_http_request_t *r, char **err) |
There was a problem hiding this comment.
These functions will be used in lua file proxysslverify.lua like this proxy_ssl_vfy.get_verify_result(23), it seems redundant to add upstream in the function name, or change it to ngx_http_lua_ffi_proxy_ssl_get_verify_result seems more reasonable?
|
|
||
|
|
||
| void | ||
| ngx_http_lua_ffi_ssl_free_verify_cert(void *cdata) |
There was a problem hiding this comment.
| ngx_http_lua_ffi_ssl_free_verify_cert(void *cdata) | |
| ngx_http_lua_ffi_free_upstream_ssl_free_verify_cert(void *cdata) |
|
|
||
|
|
||
| void * | ||
| ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r, char **err) |
There was a problem hiding this comment.
| ngx_http_lua_ffi_ssl_get_verify_cert(ngx_http_request_t *r, char **err) | |
| ngx_http_lua_ffi_get_upstream_ssl_verify_cert(ngx_http_request_t *r, char **err) |
| --- request | ||
| GET /t | ||
| --- response_body | ||
| lua_upstream_skip_openssl_default_verify default off |
There was a problem hiding this comment.
The directive is lua_upstream_skip_openssl_default_verify, the default behavior is NOT to bypass openssl's default verify process, otherwise security problems maybe introduced, notice the semantic!
| plan tests => repeat_each() * (blocks() * 6 + 6); | ||
| } else { | ||
| plan tests => repeat_each() * (blocks() * 5 + 10); | ||
| } |
There was a problem hiding this comment.
We should add a test to test the client abort during the upstream ssl verify.
| conf->proxy_ssl_verify_chunkname = prev->proxy_ssl_verify_chunkname; | ||
| } | ||
|
|
||
| if (conf->proxy_ssl_verify_src.len) { |
There was a problem hiding this comment.
We should add a macro in th patch to test if the patch has been applied.
willmafh
force-pushed
the
proxy_ssl_verify_by_lua
branch
from
143af2b to
c4888f8
Compare
proxy_ssl_verify_by_lua directives
proxy_ssl_verify_by_lua directives are working after receiving server certificates, allowing us to control upstream ssl handshake dynamically with Lua
a series of related PRs
some of the docs hasn't finished yet, since the PR has not been merged, and some release infos can't be added, please review the codes first and docs may be updated later