
feature: implemented ssl_session_fetch_by_lua* and ssl_session_store_…

…by_lua* config directives for doing (distributed) caching of SSL sessions (via SSL session IDs) for downstream connections.

thanks Zi Lin for the patches.
1 parent a5ac9fa commit 5bcc53cab6a178bd75a6da1113f1bcda1b70077b @agentzh agentzh committed Jul 19, 2016
@@ -154,6 +154,9 @@ src/timer.[ch]
src/config.[ch]
src/worker.[ch]
src/certby.[ch]
+src/storeby.[ch]
+src/fetchby.[ch]
+src/ssl.[ch]
src/ocsp.c
src/lex.[ch]
src/balancer.[ch]
@@ -107,6 +107,8 @@ script:
- cd ..
- tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz
- cd openssl-$OPENSSL_VER/
+ - wget https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch
+ - patch -p1 < openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch
- ./config shared --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
- make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
- sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)
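Review bot: The added `wget` step pulls the OpenSSL patch from the `master` branch of another repository and the next line applies it with no integrity check, so the CI build of OpenSSL depends on whatever that URL serves at run time rather than on a reviewed artifact. Pin the URL to a fixed revision, e.g. `.../openresty/openresty/<pinned-commit-sha>/patches/openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch`, and verify it before applying: `- echo "<expected-sha256>  openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch" | sha256sum -c -`. The two new steps also differ in style from the surrounding ones, which redirect their output to build.log and dump it on failure; `patch -p1 < ... > build.log 2>&1 || (cat build.log && exit 1)` would keep the log handling uniform.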
@@ -357,6 +357,9 @@ HTTP_LUA_SRCS=" \
$ngx_addon_dir/src/ngx_http_lua_ssl_ocsp.c \
$ngx_addon_dir/src/ngx_http_lua_lex.c \
$ngx_addon_dir/src/ngx_http_lua_balancer.c \
+ $ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.c \
+ $ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.c \
+ $ngx_addon_dir/src/ngx_http_lua_ssl.c \
"
HTTP_LUA_DEPS=" \
@@ -414,6 +417,9 @@ HTTP_LUA_DEPS=" \
$ngx_addon_dir/src/ngx_http_lua_ssl_certby.h \
$ngx_addon_dir/src/ngx_http_lua_lex.h \
$ngx_addon_dir/src/ngx_http_lua_balancer.h \
+ $ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.h \
+ $ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.h \
+ $ngx_addon_dir/src/ngx_http_lua_ssl.h \
"
CFLAGS="$CFLAGS -DNDK_SET_VAR"
@@ -103,17 +103,19 @@ typedef struct {
/* must be within 16 bit */
-#define NGX_HTTP_LUA_CONTEXT_SET 0x001
-#define NGX_HTTP_LUA_CONTEXT_REWRITE 0x002
-#define NGX_HTTP_LUA_CONTEXT_ACCESS 0x004
-#define NGX_HTTP_LUA_CONTEXT_CONTENT 0x008
-#define NGX_HTTP_LUA_CONTEXT_LOG 0x010
-#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER 0x020
-#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER 0x040
-#define NGX_HTTP_LUA_CONTEXT_TIMER 0x080
-#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER 0x100
-#define NGX_HTTP_LUA_CONTEXT_BALANCER 0x200
-#define NGX_HTTP_LUA_CONTEXT_SSL_CERT 0x400
+#define NGX_HTTP_LUA_CONTEXT_SET 0x0001
+#define NGX_HTTP_LUA_CONTEXT_REWRITE 0x0002
+#define NGX_HTTP_LUA_CONTEXT_ACCESS 0x0004
+#define NGX_HTTP_LUA_CONTEXT_CONTENT 0x0008
+#define NGX_HTTP_LUA_CONTEXT_LOG 0x0010
+#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER 0x0020
+#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER 0x0040
+#define NGX_HTTP_LUA_CONTEXT_TIMER 0x0080
+#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER 0x0100
+#define NGX_HTTP_LUA_CONTEXT_BALANCER 0x0200
+#define NGX_HTTP_LUA_CONTEXT_SSL_CERT 0x0400
+#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE 0x0800
+#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH 0x1000
#ifndef NGX_LUA_NO_FFI_API
@@ -204,10 +206,18 @@ struct ngx_http_lua_main_conf_s {
union ngx_http_lua_srv_conf_u {
#if (NGX_HTTP_SSL)
struct {
- ngx_http_lua_srv_conf_handler_pt cert_handler;
- ngx_str_t cert_src;
- u_char *cert_src_key;
- } ssl;
+ ngx_http_lua_srv_conf_handler_pt ssl_cert_handler;
+ ngx_str_t ssl_cert_src;
+ u_char *ssl_cert_src_key;
+
+ ngx_http_lua_srv_conf_handler_pt ssl_sess_store_handler;
+ ngx_str_t ssl_sess_store_src;
+ u_char *ssl_sess_store_src_key;
+
+ ngx_http_lua_srv_conf_handler_pt ssl_sess_fetch_handler;
+ ngx_str_t ssl_sess_fetch_src;
+ u_char *ssl_sess_fetch_src_key;
+ } srv;
#endif
struct {
@@ -318,11 +318,16 @@ ngx_http_lua_ngx_exit(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
| NGX_HTTP_LUA_CONTEXT_BALANCER
- | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
rc = (ngx_int_t) luaL_checkinteger(L, 1);
- if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_CERT) {
+ if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))
+ {
#if (NGX_HTTP_SSL)
@@ -332,6 +337,10 @@ ngx_http_lua_ngx_exit(lua_State *L)
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
"lua exit with code %i", rc);
+ if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE) {
+ return 0;
+ }
+
return lua_yield(L, 0);
#else
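Review bot: The new early `return 0;` for NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE makes ngx.exit() behave differently from the other two SSL contexts, which fall through to `lua_yield`, and the hunk gives no reason for the asymmetry. Presumably the store handler runs synchronously inside the `SSL_CTX_sess_set_new_cb` callback that ngx_http_lua_merge_srv_conf registers and so cannot yield, but that should be confirmed and recorded next to the check, e.g. `/* ssl_session_store_by_lua* runs synchronously inside the OpenSSL new-session callback; it cannot yield, so just return */`. It is also worth stating in that comment what happens to `rc` on this path, since the exit code is recorded in code outside the hunk. ngx_http_lua_ngx_exit starts before the first hunk and continues after this one.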
@@ -77,7 +77,8 @@ ngx_http_lua_coroutine_create_helper(lua_State *L, ngx_http_request_t *r,
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
- | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
vm = ngx_http_lua_get_lua_vm(r, ctx);
@@ -153,7 +154,8 @@ ngx_http_lua_coroutine_resume(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
- | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
p_coctx = ctx->cur_co_ctx;
if (p_coctx == NULL) {
@@ -213,7 +215,8 @@ ngx_http_lua_coroutine_yield(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
- | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
coctx = ctx->cur_co_ctx;
@@ -362,7 +365,8 @@ ngx_http_lua_coroutine_status(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
- | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
coctx = ngx_http_lua_get_co_ctx(co, ctx);
if (coctx == NULL) {
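Review bot: All four context masks in this file (ngx_http_lua_coroutine_create_helper, ngx_http_lua_coroutine_resume, ngx_http_lua_coroutine_yield and ngx_http_lua_coroutine_status) gain only NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH, while NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE is left out, and nothing records whether that is intentional. If the store hook cannot yield, as the `return 0` added for it in ngx_http_lua_ngx_exit suggests, a comment at the first mask such as `/* SSL_SESS_STORE is excluded: the store hook cannot yield, so coroutines are not usable there */` would keep the next person from "fixing" the omission. Each of the four functions starts before its hunk and continues after it.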
@@ -26,6 +26,8 @@
#include "ngx_http_lua_semaphore.h"
#include "ngx_http_lua_balancer.h"
#include "ngx_http_lua_ssl_certby.h"
+#include "ngx_http_lua_ssl_session_storeby.h"
+#include "ngx_http_lua_ssl_session_fetchby.h"
static void *ngx_http_lua_create_main_conf(ngx_conf_t *cf);
@@ -525,6 +527,34 @@ static ngx_command_t ngx_http_lua_cmds[] = {
0,
(void *) ngx_http_lua_ssl_cert_handler_file },
+ { ngx_string("ssl_session_store_by_lua_block"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+ ngx_http_lua_ssl_sess_store_by_lua_block,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ 0,
+ (void *) ngx_http_lua_ssl_sess_store_handler_inline },
+
+ { ngx_string("ssl_session_store_by_lua_file"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_http_lua_ssl_sess_store_by_lua,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ 0,
+ (void *) ngx_http_lua_ssl_sess_store_handler_file },
+
+ { ngx_string("ssl_session_fetch_by_lua_block"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+ ngx_http_lua_ssl_sess_fetch_by_lua_block,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ 0,
+ (void *) ngx_http_lua_ssl_sess_fetch_handler_inline },
+
+ { ngx_string("ssl_session_fetch_by_lua_file"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_http_lua_ssl_sess_fetch_by_lua,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ 0,
+ (void *) ngx_http_lua_ssl_sess_fetch_handler_file },
+
{ ngx_string("lua_ssl_verify_depth"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
ngx_conf_set_num_slot,
@@ -855,9 +885,18 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
}
/* set by ngx_pcalloc:
- * lscf->ssl.cert_handler = NULL;
- * lscf->ssl.cert_src = { 0, NULL };
- * lscf->ssl.cert_src_key = NULL;
+ * lscf->srv.ssl_cert_handler = NULL;
+ * lscf->srv.ssl_cert_src = { 0, NULL };
+ * lscf->srv.ssl_cert_src_key = NULL;
+ *
+ * lscf->srv.ssl_session_store_handler = NULL;
+ * lscf->srv.ssl_session_store_src = { 0, NULL };
+ * lscf->srv.ssl_session_store_src_key = NULL;
+ *
+ * lscf->srv.ssl_session_fetch_handler = NULL;
+ * lscf->srv.ssl_session_fetch_src = { 0, NULL };
+ * lscf->srv.ssl_session_fetch_src_key = NULL;
+ *
* lscf->balancer.handler = NULL;
* lscf->balancer.src = { 0, NULL };
* lscf->balancer.src_key = NULL;
@@ -878,13 +917,13 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
dd("merge srv conf");
- if (conf->ssl.cert_src.len == 0) {
- conf->ssl.cert_src = prev->ssl.cert_src;
- conf->ssl.cert_src_key = prev->ssl.cert_src_key;
- conf->ssl.cert_handler = prev->ssl.cert_handler;
+ if (conf->srv.ssl_cert_src.len == 0) {
+ conf->srv.ssl_cert_src = prev->srv.ssl_cert_src;
+ conf->srv.ssl_cert_src_key = prev->srv.ssl_cert_src_key;
+ conf->srv.ssl_cert_handler = prev->srv.ssl_cert_handler;
}
- if (conf->ssl.cert_src.len) {
+ if (conf->srv.ssl_cert_src.len) {
sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
if (sscf == NULL || sscf->ssl.ctx == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
@@ -916,6 +955,56 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
#endif
}
+ if (conf->srv.ssl_sess_store_src.len == 0) {
+ conf->srv.ssl_sess_store_src = prev->srv.ssl_sess_store_src;
+ conf->srv.ssl_sess_store_src_key = prev->srv.ssl_sess_store_src_key;
+ conf->srv.ssl_sess_store_handler = prev->srv.ssl_sess_store_handler;
+ }
+
+ if (conf->srv.ssl_sess_store_src.len) {
+ sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
+ if (sscf == NULL || sscf->ssl.ctx == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no ssl configured for the server");
+
+ return NGX_CONF_ERROR;
+ }
+
+#ifdef LIBRESSL_VERSION_NUMBER
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "LibreSSL does not support ssl_session_store_by_lua*");
+ return NGX_CONF_ERROR;
+#else
+ SSL_CTX_sess_set_new_cb(sscf->ssl.ctx,
+ ngx_http_lua_ssl_sess_store_handler);
+#endif
+ }
+
+ if (conf->srv.ssl_sess_fetch_src.len == 0) {
+ conf->srv.ssl_sess_fetch_src = prev->srv.ssl_sess_fetch_src;
+ conf->srv.ssl_sess_fetch_src_key = prev->srv.ssl_sess_fetch_src_key;
+ conf->srv.ssl_sess_fetch_handler = prev->srv.ssl_sess_fetch_handler;
+ }
+
+ if (conf->srv.ssl_sess_fetch_src.len) {
+ sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
+ if (sscf == NULL || sscf->ssl.ctx == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no ssl configured for the server");
+
+ return NGX_CONF_ERROR;
+ }
+
+#ifdef LIBRESSL_VERSION_NUMBER
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "LibreSSL does not support ssl_session_fetch_by_lua*");
+ return NGX_CONF_ERROR;
+#else
+ SSL_CTX_sess_set_get_cb(sscf->ssl.ctx,
+ ngx_http_lua_ssl_sess_fetch_handler);
+#endif
+ }
+
#endif /* NGX_HTTP_SSL */
return NGX_CONF_OK;
}
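Review bot: The "set by ngx_pcalloc" comment added in ngx_http_lua_create_srv_conf names fields that do not exist: it lists `lscf->srv.ssl_session_store_handler`, `ssl_session_store_src`, `ssl_session_store_src_key` and the matching `ssl_session_fetch_*` names, whereas the struct in ngx_http_lua_common.h declares `ssl_sess_store_handler`, `ssl_sess_store_src`, `ssl_sess_store_src_key`, `ssl_sess_fetch_handler`, `ssl_sess_fetch_src` and `ssl_sess_fetch_src_key`, which is also what ngx_http_lua_merge_srv_conf reads. The six comment lines should be renamed to the `ssl_sess_*` spellings so the comment can be trusted as an inventory of the zeroed fields. Separately, the two new merge blocks in ngx_http_lua_merge_srv_conf repeat the cert block nearly verbatim (inherit from `prev`, look up `sscf`, reject a server without an SSL ctx, reject LibreSSL, register a callback); that is a style point rather than a defect, but a small static helper taking the src/src_key/handler triple plus the callback would remove the triplication. ngx_http_lua_merge_srv_conf starts before its first hunk.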
@@ -84,8 +84,16 @@ ngx_http_lua_ngx_get_phase(lua_State *L)
lua_pushliteral(L, "ssl_cert");
break;
+ case NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE:
+ lua_pushliteral(L, "ssl_session_store");
+ break;
+
+ case NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH:
+ lua_pushliteral(L, "ssl_session_fetch");
+ break;
+
default:
- return luaL_error(L, "unknown phase: %d", (int) ctx->context);
+ return luaL_error(L, "unknown phase: %#x", (int) ctx->context);
}
return 1;
@@ -56,7 +56,8 @@ ngx_http_lua_ngx_sleep(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
- | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
coctx = ctx->cur_co_ctx;
if (coctx == NULL) {
@@ -386,7 +386,8 @@ ngx_http_lua_socket_tcp(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
- | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
lua_createtable(L, 3 /* narr */, 1 /* nrec */);
lua_pushlightuserdata(L, &ngx_http_lua_tcp_socket_metatable_key);
@@ -444,7 +445,8 @@ ngx_http_lua_socket_tcp_connect(lua_State *L)
| NGX_HTTP_LUA_CONTEXT_ACCESS
| NGX_HTTP_LUA_CONTEXT_CONTENT
| NGX_HTTP_LUA_CONTEXT_TIMER
- | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+ | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+ | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
luaL_checktype(L, 1, LUA_TTABLE);
@@ -0,0 +1,37 @@
+
+/*
+ * Copyright (C) Yichun Zhang (agentzh)
+ */
+
+
+#ifndef DDEBUG
+#define DDEBUG 0
+#endif
+#include "ddebug.h"
+
+
+#if (NGX_HTTP_SSL)
+
+
+int ngx_http_lua_ssl_ctx_index = -1;
+
+
+ngx_int_t
+ngx_http_lua_ssl_init(ngx_log_t *log)
+{
+ if (ngx_http_lua_ssl_ctx_index == -1) {
+ ngx_http_lua_ssl_ctx_index = SSL_get_ex_new_index(0, NULL, NULL,
+ NULL, NULL);
+
+ if (ngx_http_lua_ssl_ctx_index == -1) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0,
+ "lua: SSL_get_ex_new_index() for ctx failed");
+ return NGX_ERROR;
+ }
+ }
+
+ return NGX_OK;
+}
+
+
+#endif /* NGX_HTTP_SSL */
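Review bot: The new translation unit includes only "ddebug.h" yet uses ngx_int_t, ngx_log_t, ngx_ssl_error, NGX_OK/NGX_ERROR and SSL_get_ex_new_index, so it only compiles because ddebug.h happens to pull in the nginx headers; since this commit also adds ngx_http_lua_ssl.h, the file should include its own header first, `#include "ngx_http_lua_ssl.h"`, so the header is proven self-contained and the declaration of `ngx_http_lua_ssl_ctx_index` is checked against the definition here. ngx_http_lua_ssl_init also has no header comment: a short one such as `/* reserve the SSL ex_data slot used to attach per-connection lua context; idempotent, returns NGX_ERROR if OpenSSL refuses a new index */` would document the -1 sentinel and the fact that the index is allocated once for the process lifetime and never released.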
