
Support ssl_handshake handler and dynamic certificate change #145

Merged
merged 27 commits into master from support-dynamic-cert
Jan 7, 2016

Conversation

matsumotory
Owner

  • config
    server {
        listen       58082 ssl;
        server_name  localhost;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        # one day cert
        ssl_certificate     /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.crt;
        ssl_certificate_key /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.key;

        #365 days cert
        mruby_ssl_handshake_handler_code '
          ssl = Nginx::SSL.new
          ssl.certificate = "/Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//server.crt"
          ssl.certificate_key = "/Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//server.key"
        ';

        location / {
            mruby_content_handler_code "Nginx.rputs 'ssl test ok'";
        }
    }
  • normal ssl
    server {
        listen       58082 ssl;
        server_name  localhost;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        # one day cert
        ssl_certificate     /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.crt;
        ssl_certificate_key /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.key;

        location / {
            mruby_content_handler_code "Nginx.rputs 'ssl test ok'";
        }
    }

access via browser.

[screenshot: browser access, 2016-01-07 17:53:03]

  • dynamic certificate
    server {
        listen       58082 ssl;
        server_name  localhost;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        # one day cert
        ssl_certificate     /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.crt;
        ssl_certificate_key /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.key;

        #365 days cert
        mruby_ssl_handshake_handler_code '
          ssl = Nginx::SSL.new
          ssl.certificate = "/Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//server.crt"
          ssl.certificate_key = "/Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//server.key"
        ';

        location / {
            mruby_content_handler_code "Nginx.rputs 'ssl test ok'";
        }
    }

access via browser

[screenshot: browser access, 2016-01-07 17:51:53]

@matsumotory matsumotory changed the title [WIP] Support ssl_handshake handler and dynamic certificate change Support ssl_handshake handler and dynamic certificate change Jan 7, 2016
@matsumotory
Owner Author

create certificate and certificate key.

sh -c 'yes "" | openssl req -new -days 365 -x509 -nodes -keyout server.key -out server.crt'
sh -c 'yes "" | openssl req -new -days 1 -x509 -nodes -keyout dummy.key -out dummy.crt' 
  • dynamic certificate
    server {
        listen       58082 ssl;
        server_name  localhost;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_certificate     /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.crt;
        ssl_certificate_key /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.key;

        mruby_ssl_handshake_handler_code '
          ssl = Nginx::SSL.new
          ssl.certificate = "/Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//server.crt"
          ssl.certificate_key = "/Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//server.key"
        ';

        location / {
            mruby_content_handler_code "Nginx.rputs 'ssl test ok'";
        }
    }

access via openssl.

 openssl s_client -servername localhost -connect localhost:58082 < /dev/null 2> /dev/null | openssl x509 -text | grep Not
            Not Before: Jan  7 11:29:51 2016 GMT
            Not After : Jan  6 11:29:51 2017 GMT
  • normal certificate configuration
    server {
        listen       58082 ssl;
        server_name  localhost;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         HIGH:!aNULL:!MD5;
        ssl_certificate     /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.crt;
        ssl_certificate_key /Users/matsumoto_r/DEV/ngx_mruby/build/nginx/html//dummy.key;

        location / {
            mruby_content_handler_code "Nginx.rputs 'ssl test ok'";
        }
    }

access via openssl

 openssl s_client -servername localhost -connect localhost:58082 < /dev/null 2> /dev/null | openssl x509 -text | grep Not
            Not Before: Jan  7 11:29:51 2016 GMT
            Not After : Jan  8 11:29:51 2016 GMT

@matsumotory
Owner Author

Add Nginx::SSL#servername and change certificates more dynamically.

        mruby_ssl_handshake_handler_code '
          ssl = Nginx::SSL.new
          ssl.certificate = "__NGXDOCROOT__/#{ssl.servername}.crt"
          ssl.certificate_key = "__NGXDOCROOT__/#{ssl.servername}.key"
        ';

@kbrock
Contributor

kbrock commented Jan 7, 2016

This PR with documentation is great.

Would it make sense to have a directory (e.g.: examples/ssl_handshake_handler) with the various config files in them?

matsumotory added a commit that referenced this pull request Jan 7, 2016
Support ssl_handshake handler and dynamic certificate change
@matsumotory matsumotory merged commit 606646d into master Jan 7, 2016
@matsumotory matsumotory deleted the support-dynamic-cert branch January 7, 2016 13:04
@matsumotory
Owner Author

latest example

    server {
        listen       443 ssl http2;
        server_name  _;
        ssl_protocols       TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers         AESGCM:HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        ssl_dhparam         /path/to/dhparams.pem;
        ssl_certificate     /path/to/dummy.crt;
        ssl_certificate_key /path/to/dummy.key;
        ssl_session_tickets on;
        # need periodic update
        ssl_session_ticket_key /path/to/ticket.key;

        mruby_ssl_handshake_handler_code '
          ssl = Nginx::SSL.new
          ssl.certificate = "/path/to/#{ssl.servername}.crt"
          ssl.certificate_key = "/path/to/#{ssl.servername}.key"
        ';

        location / {
            mruby_content_handler_code "Nginx.rputs 'ssl test ok'";
        }
    }
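The handler in both the `__NGXDOCROOT__/#{ssl.servername}` comment above and the latest example interpolates `ssl.servername` straight into a file path. That value is the SNI name sent by the client, so the added example below (plain Ruby, not ngx_mruby's own code) shows the check a handler should make first: validate the name as a host name, look up the matching pair, and keep the `ssl_certificate` default when nothing matches. The `/path/to` certificate directory and the `<servername>.crt` / `<servername>.key` layout are assumptions taken from the thread's configs.

```ruby
require 'tmpdir'  # used only by the self-contained demo at the bottom

# RFC 1123 style host name: labels of letters, digits and hyphens joined by
# single dots, at most 253 characters. "/", ".." and empty labels can never
# match, so a name that passes cannot escape the certificate directory.
HOSTNAME_RE = /\A(?=.{1,253}\z)[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)*\z/

def valid_servername?(name)
  name.is_a?(String) && HOSTNAME_RE.match?(name)  # in mruby use (name =~ HOSTNAME_RE)
end

# Returns [crt_path, key_path] when the SNI name is well formed and both files
# exist under cert_dir, otherwise nil so the caller keeps the default certificate.
def cert_pair_for(servername, cert_dir)
  name = servername.to_s.downcase          # nil (client sent no SNI) becomes ""
  return nil unless valid_servername?(name)
  crt = File.join(cert_dir, "#{name}.crt")
  key = File.join(cert_dir, "#{name}.key")
  return nil unless File.file?(crt) && File.file?(key)
  [crt, key]
end

# Inside ngx_mruby the same logic would sit in mruby_ssl_handshake_handler_code
# (hypothetical handler body, not from the project):
#   ssl = Nginx::SSL.new
#   pair = cert_pair_for(ssl.servername, "/path/to")
#   ssl.certificate, ssl.certificate_key = pair if pair   # else dummy.crt stays

if __FILE__ == $0
  Dir.mktmpdir do |dir|
    # constructed stand-in files for example.test
    %w[example.test.crt example.test.key].each { |f| File.write(File.join(dir, f), "constructed") }
    p cert_pair_for("EXAMPLE.test", dir)      # matching pair, name lower-cased
    p cert_pair_for("../etc/passwd", dir)     # nil: rejected before any file access
    p cert_pair_for(nil, dir)                 # nil: no SNI, default cert kept
  end
end
```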

@kbrock
Contributor

kbrock commented Jan 7, 2016

Yea, this is great. Does it make sense to put these examples into the git repo?

@matsumotory
Owner Author

@kbrock Yes, it's a good idea. I'll put these examples later. Also PRs are welcome!!

@kbrock
Contributor

kbrock commented Jan 7, 2016

+1
