Skip to content
Browse files

Merge branch 'develop'

Conflicts:
	README
	doc/README.html
	doc/README.txt
	doc/README.wiki
  • Loading branch information...
2 parents 445f57d + 73087e2 commit a40c99ac943fc93c0ddcdf27a31f39542d7b1915 @yaoweibin committed Jul 5, 2012
Showing with 7,133 additions and 1,054 deletions.
  1. +307 −27 README
  2. +18 −5 config
  3. +38 −0 config_without_ssl
  4. +263 −24 doc/README.html
  5. +307 −27 doc/README.txt
  6. +278 −25 doc/README.wiki
  7. +169 −127 modules/{ngx_tcp_proxy_module.c → ngx_tcp_generic_proxy_module.c}
  8. +508 −0 modules/ngx_tcp_ssl_module.c
  9. +48 −0 modules/ngx_tcp_ssl_module.h
  10. +235 −0 modules/ngx_tcp_upstream_busyness_module.c
  11. +6 −5 modules/ngx_tcp_upstream_ip_hash_module.c
  12. +1,216 −0 modules/ngx_tcp_websocket_proxy_module.c
  13. +77 −11 ngx_tcp.c
  14. +104 −40 ngx_tcp.h
  15. +1 −1 ngx_tcp_access.c
  16. +397 −86 ngx_tcp_core_module.c
  17. +204 −0 ngx_tcp_log.c
  18. +161 −26 ngx_tcp_session.c
  19. +10 −16 ngx_tcp_session.h
  20. +117 −106 ngx_tcp_upstream.c
  21. +13 −12 ngx_tcp_upstream.h
  22. +282 −230 ngx_tcp_upstream_check.c
  23. +40 −92 ngx_tcp_upstream_check.h
  24. +23 −7 ngx_tcp_upstream_round_robin.c
  25. +4 −4 ngx_tcp_upstream_round_robin.h
  26. +4 −0 parsers/gen.shell
  27. +1,231 −0 parsers/http_request_parser.c
  28. +41 −0 parsers/http_request_parser.h
  29. +189 −0 parsers/http_request_parser.rl
  30. +48 −48 http_response_parse.c → parsers/http_response_parser.c
  31. +39 −0 parsers/http_response_parser.h
  32. +12 −12 http_response_parse.rl → parsers/http_response_parser.rl
  33. +13 −0 parsers/parser.h
  34. +76 −76 smtp_response_parse.c → parsers/smtp_response_parser.c
  35. +31 −0 parsers/smtp_response_parser.h
  36. +1 −1 smtp_response_parse.rl → parsers/smtp_response_parser.rl
  37. +4 −4 tcp.patch
  38. +37 −2 test/lib/Test/Nginx/LWP.pm
  39. +60 −5 test/lib/Test/Nginx/Util.pm
  40. +3 −3 test/t/acl.t
  41. +3 −3 test/t/http_check.t
  42. +1 −2 test/t/imap_check.t
  43. +1 −1 test/t/mysql_check.t
  44. +1 −1 test/t/pop3_check.t
  45. +1 −1 test/t/smtp_check.t
  46. +117 −0 test/t/ssl.t
  47. +3 −3 test/t/ssl_hello_check.t
  48. +36 −11 test/t/tcp_check.t
  49. +64 −0 test/t/upstream_busyness.t
  50. +20 −10 test/t/upstream_ip_hash.t
  51. +251 −0 test/t/websocket.t
  52. +20 −0 test/websocket/server.rb
View
334 README
@@ -5,11 +5,6 @@ Installation
Download the latest stable version of the release tarball of this module
from github (<http://github.com/yaoweibin/nginx_tcp_proxy_module>)
- The development version of this module is here
- (<https://github.com/yaoweibin/nginx_tcp_proxy_module/tree/develop>). I
- have added the features of tcp_ssl_proxy, tcp_upstream_busyness,
- access_log.
-
Grab the nginx source code from nginx.org (<http://nginx.org/>), for
example, the version 1.2.1 (see nginx compatibility), and then build the
source with this module:
@@ -40,8 +35,8 @@ Synopsis
upstream cluster {
# simple round-robin
- server 127.0.0.1:3306;
- server 127.0.0.1:1234;
+ server 192.168.0.1:80;
+ server 192.168.0.2:80;
check interval=3000 rise=2 fall=5 timeout=1000;
@@ -62,16 +57,17 @@ Synopsis
Description
This module actually include many modules: ngx_tcp_module,
ngx_tcp_core_module, ngx_tcp_upstream_module, ngx_tcp_proxy_module,
- ngx_tcp_upstream_ip_hash_module. All these modules work togther to add
- the support of TCP proxy with Nginx. I also add other features: ip_hash,
+ ngx_tcp_websocket_module, ngx_tcp_ssl_module,
+ ngx_tcp_upstream_ip_hash_module. All these modules work together to
+ support TCP proxy with Nginx. I also added other features: ip_hash,
upstream server health check, status monitor.
The motivation of writing these modules is Nginx's high performance and
robustness. At first, I developed this module just for general TCP
proxy. And now, this module is frequently used in websocket reverse
proxying.
- You can't use the same listening port with HTTP modules.
+ Note, You can't use the same listening port with HTTP modules.
Directives
ngx_tcp_moodule
@@ -98,14 +94,48 @@ Directives
server block.
listen
- syntax: *listen address:port [ bind ]*
+ syntax: *listen address:port [ bind | ssl | default]*
default: *none*
context: *server*
description: The same as listen
- (<http://wiki.nginx.org/NginxMailCoreModule#listen>).
+ (<http://wiki.nginx.org/NginxMailCoreModule#listen>). The parameter of
+ default means the default server if you have several server blocks with
+ the same port.
+
+ access_log
+ syntax: *access_log path [buffer=size] | off*
+
+ default: *access_log logs/tcp_access.log*
+
+ context: *tcp, server*
+
+ description: Set the access.log. Each record's format is like this:
+
+ log_time worker_process_pid client_ip host_ip accept_time upstream_ip
+ bytes_read bytes_write
+
+ 2011/08/02 06:19:07 [5972] 127.0.0.1 0.0.0.0:1982 2011/08/02 06:18:19
+ 172.19.0.129:80 80 236305
+
+ * *log_time*: The current time when writing this log. The log action
+ is called when the proxy session is closed.
+
+ * *worker_process_pid*: the pid of worker process
+
+ * *client_ip*: the client ip
+
+ * *host_ip*: the server ip and port
+
+ * *accept_time*: the time when the server accepts client's connection
+
+ * *upstream_ip*: the upstream server's ip
+
+ * *bytes_read*: the bytes read from client
+
+ * *bytes_write*: the bytes written to client
allow
syntax: *allow [ address | CIDR | all ]*
@@ -157,14 +187,16 @@ Directives
description: set the timeout value with clients.
server_name
- syntax: *server_name name fqdn_server_host*
+ syntax: *server_name name*
default: *The name of the host, obtained through gethostname()*
context: *tcp, server*
description: The same as server_name
- (<http://wiki.nginx.org/NginxMailCoreModule#server_name>).
+ (<http://wiki.nginx.org/NginxMailCoreModule#server_name>). You can
+ specify several server name in different server block with the same
+ port. They can be used in websocket module.
resolver
syntax: *resolver address*
@@ -237,21 +269,21 @@ Directives
2. *ssl_hello* sends a client ssl hello packet and receives the
server ssl hello packet.
- 3. *http* sends a http requst packet, recvives and parses the http
+ 3. *http* sends a http request packet, receives and parses the http
response to diagnose if the upstream server is alive.
- 4. *smtp* sends a smtp requst packet, recvives and parses the smtp
+ 4. *smtp* sends a smtp request packet, receives and parses the smtp
response to diagnose if the upstream server is alive. The
response begins with '2' should be an OK response.
- 5. *mysql* connects to the mysql server, recvives the greeting
+ 5. *mysql* connects to the mysql server, receives the greeting
response to diagnose if the upstream server is alive.
- 6. *pop3* recvives and parses the pop3 response to diagnose if the
+ 6. *pop3* receives and parses the pop3 response to diagnose if the
upstream server is alive. The response begins with '+' should be
an OK response.
- 7. *imap* connects to the imap server, recvives the greeting
+ 7. *imap* connects to the imap server, receives the greeting
response to diagnose if the upstream server is alive.
check_http_send
@@ -273,7 +305,7 @@ Directives
context: *upstream*
description: These status codes indicate the upstream server's http
- response is ok, the backend is alive.
+ response is OK, the backend is alive.
check_smtp_send
syntax: *check_smtp_send smtp_packet*
@@ -294,7 +326,7 @@ Directives
context: *upstream*
description: These status codes indicate the upstream server's smtp
- response is ok, the backend is alive.
+ response is OK, the backend is alive.
check_shm_size
syntax: *check_shm_size size*
@@ -303,9 +335,9 @@ Directives
context: *tcp*
- description: If you store hundreds of serveres in one upstream block,
- the shared memory for health check may be not enough, you can enlarged
- it by this directive.
+ description: If you store hundreds of servers in one upstream block, the
+ shared memory for health check may be not enough, you can enlarged it by
+ this directive.
check_status
syntax: *check_status*
@@ -336,6 +368,18 @@ Directives
* *Check type*: The type of the check packet
+ ngx_tcp_upstream_busyness_module
+
+ busyness
+ syntax: *busyness*
+
+ default: *none*
+
+ context: *upstream*
+
+ description: the upstream server will be dispatched by backend servers'
+ busyness.
+
ngx_tcp_upstream_ip_hash_module
ip_hash
@@ -394,8 +438,236 @@ Directives
description: set the timeout value of sending to backends.
+ ngx_tcp_websocket_module
+ websocket_pass
+ syntax: *websocket_pass [path] host:port*
+
+ default: *none*
+
+ context: *server*
+
+ description: proxy the websocket request to the backend server. Default
+ port is 80. You can specify several different paths in the same server
+ block.
+
+ websocket_buffer
+ syntax: *websocket_buffer size*
+
+ default: *4k*
+
+ context: *tcp, server*
+
+ description: set the size of proxy buffer.
+
+ websocket_connect_timeout
+ syntax: *websocket_connect_timeout miliseconds*
+
+ default: *60000*
+
+ context: *tcp, server*
+
+ description: set the timeout value of connection to backends.
+
+ websocket_read_timeout
+ syntax: *websocket_read_timeout miliseconds*
+
+ default: *60000*
+
+ context: *tcp, server*
+
+ description: set the timeout value of reading from backends. Your
+ timeout will be the minimum of this and the *timeout* parameter, so if
+ you want a long timeout for your websockets, make sure to set both
+ paramaters.
+
+ websocket_send_timeout
+ syntax: *websocket_send_timeout miliseconds*
+
+ default: *60000*
+
+ context: *tcp, server*
+
+ description: set the timeout value of sending to backends.
+
+ ngx_tcp_ssl_module
+ The default config file includes this ngx_tcp_ssl_module. If you want to
+ just compile nginx without ngx_tcp_ssl_module, copy the
+ ngx_tcp_proxy_module/config_without_ssl to ngx_tcp_proxy_module/config,
+ reconfigrure and compile nginx.
+
+ ssl
+ syntax: *ssl [on|off] *
+
+ default: *ssl off*
+
+ context: *tcp, server*
+
+ Enables SSL for a server.
+
+ ssl_certificate
+ syntax: *ssl_certificate file*
+
+ default: *ssl_certificate cert.pem*
+
+ context: *tcp, server*
+
+ This directive specifies the file containing the certificate, in PEM
+ format. This file can contain also other certificates and the server
+ private key.
+
+ ssl_certificate_key
+ syntax: *ssl_certificate_key file*
+
+ default: *ssl_certificate_key cert.pem*
+
+ context: *tcp, server*
+
+ This directive specifies the file containing the private key, in PEM
+ format.
+
+ ssl_client_certificate
+ syntax: *ssl_client_certificate file*
+
+ default: *none*
+
+ context: *tcp, server*
+
+ This directive specifies the file containing the CA (root) certificate,
+ in PEM format, that is used for validating client certificates.
+
+ ssl_dhparam
+ syntax: *ssl_dhparam file*
+
+ default: *none*
+
+ context: *tcp, server*
+
+ This directive specifies a file containing Diffie-Hellman key agreement
+ protocol cryptographic parameters, in PEM format, utilized for
+ exchanging session keys between server and client.
+
+ ssl_ciphers
+ syntax: *ssl_ciphers openssl_cipherlist_spec*
+
+ default: *ssl_ciphers HIGH:!aNULL:!MD5*
+
+ context: *tcp, server*
+
+ This directive describes the list of cipher suites the server supports
+ for establishing a secure connection. Cipher suites are specified in the
+ OpenSSL (<http://openssl.org/docs/apps/ciphers.html>) cipherlist format,
+ for example:
+
+ ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
+
+ The complete cipherlist supported by the currently installed version of
+ OpenSSL in your platform can be obtained by issuing the command: openssl
+ ciphers
+
+ ssl_crl
+ syntax: *ssl_crl file*
+
+ default: *none*
+
+ context: *tcp, server*
+
+ This directive specifies the filename of a Certificate Revocation List,
+ in PEM format, which is used to check the revocation status of
+ certificates.
+
+ ssl_prefer_server_ciphers
+ syntax: *ssl_prefer_server_ciphers [on|off] *
+
+ default: *ssl_prefer_server_ciphers off*
+
+ context: *tcp, server*
+
+ The server requires that the cipher suite list for protocols SSLv3 and
+ TLSv1 are to be preferred over the client supported cipher suite list.
+
+ ssl_protocols
+ syntax: *ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]*
+
+ default: *ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2*
+
+ context: *tcp, server*
+
+ This directive enables the protocol versions specified.
+
+ ssl_verify_client
+ syntax: *ssl_verify_client on|off|optional*
+
+ default: *ssl_verify_client off*
+
+ context: *tcp, server*
+
+ This directive enables the verification of the client identity.
+ Parameter 'optional' checks the client identity using its certificate in
+ case it was made available to the server.
+
+ ssl_verify_depth
+ syntax: *ssl_verify_depth number*
+
+ default: *ssl_verify_depth 1*
+
+ context: *tcp, server*
+
+ This directive sets how deep the server should go in the client provided
+ certificate chain in order to verify the client identity.
+
+ ssl_session_cache
+ syntax: *ssl_session_cache off|none|builtin:size and/or
+ shared:name:size*
+
+ default: *ssl_session_cache off*
+
+ context: *tcp, server*
+
+ The directive sets the types and sizes of caches to store the SSL
+ sessions.
+
+ The cache types are:
+
+ * off -- Hard off: nginx says explicitly to a client that sessions can
+ not reused.
+
+ * none -- Soft off: nginx says to a client that session can be resued,
+ but nginx actually never reuses them. This is workaround for some
+ mail clients as ssl_session_cache may be used in mail proxy as well
+ as in HTTP server.
+
+ * builtin -- the OpenSSL builtin cache, is used inside one worker
+ process only. The cache size is assigned in the number of the
+ sessions. Note: there appears to be a memory fragmentation issue
+ using this method, please take that into consideration when using
+ this. See "References" below.
+
+ * shared -- the cache is shared between all worker processes. The size
+ of the cache is assigned in bytes: 1 MB cache can contain roughly
+ 4000 sessions. Each shared cache must be given an arbitrary name. A
+ shared cache with a given name can be used in several virtual hosts.
+
+ It's possible to use both types of cache &mdash; builtin and shared
+ &mdash; simultaneously, for example:
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+
+ Bear in mind however, that using only shared cache, i.e., without
+ builtin, should be more effective.
+
+ ssl_session_timeout
+ syntax: *ssl_session_timeout time*
+
+ default: *ssl_session_timeout 5m*
+
+ context: *tcp, server*
+
+ This directive defines the maximum time during which the client can
+ re-use the previously negotiated cryptographic parameters of the secure
+ session that is stored in the SSL cache.
+
Compatibility
- * Nginx 0.7.65+
+ * My test bed is 0.7.65+
Notes
The http_response_parse.rl and smtp_response_parse.rl are ragel
@@ -405,11 +677,19 @@ Notes
$ ragel -G2 http_response_parse.rl
$ ragel -G2 smtp_response_parse.rl
-TODO
Known Issues
* This module can't use the same listening port with the HTTP module.
Changelogs
+ v0.2.0
+ * add ssl proxy module
+
+ * add websocket proxy module
+
+ * add upstream busyness module
+
+ * add tcp access log module
+
v0.19
* add many check methods
@@ -430,7 +710,7 @@ Copyright & License
This module is licensed under the BSD license.
- Copyright (C) 2011 by Weibin Yao <yaoweibin@gmail.com>.
+ Copyright (C) 2012 by Weibin Yao <yaoweibin@gmail.com>.
All rights reserved.
View
23 config
@@ -2,21 +2,34 @@ ngx_feature="nginx_tcp_module"
ngx_feature_name=
ngx_feature_run=no
ngx_feature_incs=
-ngx_feature_path="$ngx_addon_dir/modules $ngx_addon_dir"
+ngx_feature_path="$ngx_addon_dir/modules $ngx_addon_dir/parsers $ngx_addon_dir"
ngx_feature_deps="$ngx_addon_dir/ngx_tcp.h $ngx_addon_dir/ngx_tcp_session.h $ngx_addon_dir/ngx_tcp_upstream.h $ngx_addon_dir/ngx_tcp_upstream_check.h $ngx_addon_dir/ngx_tcp_upstream_round_robin.h"
-ngx_tcp_src="$ngx_addon_dir/ngx_tcp.c $ngx_addon_dir/ngx_tcp_core_module.c $ngx_addon_dir/ngx_tcp_session.c $ngx_addon_dir/ngx_tcp_access.c $ngx_addon_dir/ngx_tcp_upstream.c $ngx_addon_dir/ngx_tcp_upstream_round_robin.c $ngx_addon_dir/modules/ngx_tcp_proxy_module.c $ngx_addon_dir/modules/ngx_tcp_upstream_ip_hash_module.c $ngx_addon_dir/ngx_tcp_upstream_check.c $ngx_addon_dir/http_response_parse.c $ngx_addon_dir/smtp_response_parse.c"
+ngx_tcp_src="$ngx_addon_dir/ngx_tcp.c $ngx_addon_dir/ngx_tcp_core_module.c $ngx_addon_dir/ngx_tcp_session.c $ngx_addon_dir/ngx_tcp_access.c $ngx_addon_dir/ngx_tcp_log.c $ngx_addon_dir/ngx_tcp_upstream.c $ngx_addon_dir/ngx_tcp_upstream_round_robin.c $ngx_addon_dir/modules/ngx_tcp_generic_proxy_module.c $ngx_addon_dir/modules/ngx_tcp_websocket_proxy_module.c $ngx_addon_dir/modules/ngx_tcp_upstream_ip_hash_module.c $ngx_addon_dir/modules/ngx_tcp_upstream_busyness_module.c $ngx_addon_dir/ngx_tcp_upstream_check.c "
+ngx_tcp_ssl_deps="$ngx_addon_dir/modules/ngx_tcp_ssl_module.h"
+ngx_tcp_ssl_src="$ngx_addon_dir/modules/ngx_tcp_ssl_module.c"
+ngx_tcp_parser_deps="$ngx_addon_dir/parsers/parser.h $ngx_addon_dir/parsers/http_request_parser.h $ngx_addon_dir/parsers/http_response_parser.h $ngx_addon_dir/parsers/smtp_response_parser.h"
+ngx_tcp_parser_src="$ngx_addon_dir/parsers/http_request_parser.c $ngx_addon_dir/parsers/http_response_parser.c $ngx_addon_dir/parsers/smtp_response_parser.c"
ngx_feature_test="int a;"
. auto/feature
if [ $ngx_found = yes ]; then
CORE_INCS="$CORE_INCS $ngx_feature_path"
ngx_addon_name=ngx_tcp_module
+
TCP_CORE_MODULES="ngx_tcp_module ngx_tcp_core_module ngx_tcp_upstream_module"
- TCP_MODULES="ngx_tcp_proxy_module ngx_tcp_upstream_ip_hash_module"
+ TCP_MODULES="ngx_tcp_proxy_module ngx_tcp_websocket_module ngx_tcp_upstream_ip_hash_module ngx_tcp_upstream_busyness_module"
+
+ NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_feature_deps $ngx_tcp_parser_deps"
+ NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_tcp_src $ngx_tcp_parser_src"
+
+ have=NGX_TCP_SSL . auto/have
+ USE_OPENSSL=YES
+ TCP_MODULES="$TCP_MODULES ngx_tcp_ssl_module"
+ NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_tcp_ssl_deps"
+ NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_tcp_ssl_src"
+
EVENT_MODULES="$EVENT_MODULES $TCP_CORE_MODULES $TCP_MODULES"
HTTP_MODULES="$HTTP_MODULES ngx_tcp_upstream_check_status_module"
- NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_feature_deps"
- NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_tcp_src"
else
cat << END
$0: error: the ngx_tcp_module addon error.
View
38 config_without_ssl
@@ -0,0 +1,38 @@
+ngx_feature="nginx_tcp_module"
+ngx_feature_name=
+ngx_feature_run=no
+ngx_feature_incs=
+ngx_feature_path="$ngx_addon_dir/modules $ngx_addon_dir/parsers $ngx_addon_dir"
+ngx_feature_deps="$ngx_addon_dir/ngx_tcp.h $ngx_addon_dir/ngx_tcp_session.h $ngx_addon_dir/ngx_tcp_upstream.h $ngx_addon_dir/ngx_tcp_upstream_check.h $ngx_addon_dir/ngx_tcp_upstream_round_robin.h"
+ngx_tcp_src="$ngx_addon_dir/ngx_tcp.c $ngx_addon_dir/ngx_tcp_core_module.c $ngx_addon_dir/ngx_tcp_session.c $ngx_addon_dir/ngx_tcp_access.c $ngx_addon_dir/ngx_tcp_log.c $ngx_addon_dir/ngx_tcp_upstream.c $ngx_addon_dir/ngx_tcp_upstream_round_robin.c $ngx_addon_dir/modules/ngx_tcp_generic_proxy_module.c $ngx_addon_dir/modules/ngx_tcp_websocket_proxy_module.c $ngx_addon_dir/modules/ngx_tcp_upstream_ip_hash_module.c $ngx_addon_dir/modules/ngx_tcp_upstream_busyness_module.c $ngx_addon_dir/ngx_tcp_upstream_check.c "
+ngx_tcp_ssl_deps="$ngx_addon_dir/modules/ngx_tcp_ssl_module.h"
+ngx_tcp_ssl_src="$ngx_addon_dir/modules/ngx_tcp_ssl_module.c"
+ngx_tcp_parser_deps="$ngx_addon_dir/parsers/parser.h $ngx_addon_dir/parsers/http_request_parser.h $ngx_addon_dir/parsers/http_response_parser.h $ngx_addon_dir/parsers/smtp_response_parser.h"
+ngx_tcp_parser_src="$ngx_addon_dir/parsers/http_request_parser.c $ngx_addon_dir/parsers/http_response_parser.c $ngx_addon_dir/parsers/smtp_response_parser.c"
+ngx_feature_test="int a;"
+. auto/feature
+
+if [ $ngx_found = yes ]; then
+ CORE_INCS="$CORE_INCS $ngx_feature_path"
+ ngx_addon_name=ngx_tcp_module
+
+ TCP_CORE_MODULES="ngx_tcp_module ngx_tcp_core_module ngx_tcp_upstream_module"
+ TCP_MODULES="ngx_tcp_proxy_module ngx_tcp_websocket_module ngx_tcp_upstream_ip_hash_module ngx_tcp_upstream_busyness_module"
+
+ NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_feature_deps $ngx_tcp_parser_deps"
+ NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_tcp_src $ngx_tcp_parser_src"
+
+ #have=NGX_TCP_SSL . auto/have
+ #USE_OPENSSL=YES
+ #TCP_MODULES="$TCP_MODULES ngx_tcp_ssl_module"
+ #NGX_ADDON_DEPS="$NGX_ADDON_DEPS $ngx_tcp_ssl_deps"
+ #NGX_ADDON_SRCS="$NGX_ADDON_SRCS $ngx_tcp_ssl_src"
+
+ EVENT_MODULES="$EVENT_MODULES $TCP_CORE_MODULES $TCP_MODULES"
+ HTTP_MODULES="$HTTP_MODULES ngx_tcp_upstream_check_status_module"
+else
+ cat << END
+ $0: error: the ngx_tcp_module addon error.
+END
+ exit 1
+fi
View
287 doc/README.html
@@ -27,6 +27,7 @@
<li><a href="#tcp">tcp</a></li>
<li><a href="#server">server</a></li>
<li><a href="#listen">listen</a></li>
+ <li><a href="#access_log">access_log</a></li>
<li><a href="#allow">allow</a></li>
<li><a href="#deny">deny</a></li>
<li><a href="#so_keepalive">so_keepalive</a></li>
@@ -49,6 +50,7 @@
<li><a href="#check_smtp_expect_alive">check_smtp_expect_alive</a></li>
<li><a href="#check_shm_size">check_shm_size</a></li>
<li><a href="#check_status">check_status</a></li>
+ <li><a href="#busyness">busyness</a></li>
<li><a href="#ip_hash">ip_hash</a></li>
</ul>
@@ -62,15 +64,43 @@
<li><a href="#proxy_send_timeout">proxy_send_timeout</a></li>
</ul>
+ <li><a href="#ngx_tcp_websocket_module">ngx_tcp_websocket_module</a></li>
+ <ul>
+
+ <li><a href="#websocket_pass">websocket_pass</a></li>
+ <li><a href="#websocket_buffer">websocket_buffer</a></li>
+ <li><a href="#websocket_connect_timeout">websocket_connect_timeout</a></li>
+ <li><a href="#websocket_read_timeout">websocket_read_timeout</a></li>
+ <li><a href="#websocket_send_timeout">websocket_send_timeout</a></li>
+ </ul>
+
+ <li><a href="#ngx_tcp_ssl_module">ngx_tcp_ssl_module</a></li>
+ <ul>
+
+ <li><a href="#ssl">ssl</a></li>
+ <li><a href="#ssl_certificate">ssl_certificate</a></li>
+ <li><a href="#ssl_certificate_key">ssl_certificate_key</a></li>
+ <li><a href="#ssl_client_certificate">ssl_client_certificate</a></li>
+ <li><a href="#ssl_dhparam">ssl_dhparam</a></li>
+ <li><a href="#ssl_ciphers">ssl_ciphers</a></li>
+ <li><a href="#ssl_crl">ssl_crl</a></li>
+ <li><a href="#ssl_prefer_server_ciphers">ssl_prefer_server_ciphers</a></li>
+ <li><a href="#ssl_protocols">ssl_protocols</a></li>
+ <li><a href="#ssl_verify_client">ssl_verify_client</a></li>
+ <li><a href="#ssl_verify_depth">ssl_verify_depth</a></li>
+ <li><a href="#ssl_session_cache">ssl_session_cache</a></li>
+ <li><a href="#ssl_session_timeout">ssl_session_timeout</a></li>
+ </ul>
+
</ul>
<li><a href="#compatibility">Compatibility</a></li>
<li><a href="#notes">Notes</a></li>
- <li><a href="#todo">TODO</a></li>
<li><a href="#known_issues">Known Issues</a></li>
<li><a href="#changelogs">Changelogs</a></li>
<ul>
+ <li><a href="#v0_2_0">v0.2.0</a></li>
<li><a href="#v0_19">v0.19</a></li>
<li><a href="#v0_1">v0.1</a></li>
</ul>
@@ -91,7 +121,6 @@
<hr />
<h1><a name="installation">Installation</a></h1>
<p>Download the latest stable version of the release tarball of this module from github (<a href="http://github.com/yaoweibin/nginx_tcp_proxy_module">http://github.com/yaoweibin/nginx_tcp_proxy_module</a>)</p>
-<p>The development version of this module is here (<a href="https://github.com/yaoweibin/nginx_tcp_proxy_module/tree/develop">https://github.com/yaoweibin/nginx_tcp_proxy_module/tree/develop</a>). I have added the features of tcp_ssl_proxy, tcp_upstream_busyness, access_log.</p>
<p>Grab the nginx source code from nginx.org (<a href="http://nginx.org/">http://nginx.org/</a>), for example, the version 1.2.1 (see nginx compatibility), and then build the source with this module:</p>
<pre>
$ wget '<a href="http://nginx.org/download/nginx-1.2.1.tar.gz">http://nginx.org/download/nginx-1.2.1.tar.gz</a>'
@@ -121,8 +150,8 @@
<pre>
upstream cluster {
# simple round-robin
- server 127.0.0.1:3306;
- server 127.0.0.1:1234;</pre>
+ server 192.168.0.1:80;
+ server 192.168.0.2:80;</pre>
<pre>
check interval=3000 rise=2 fall=5 timeout=1000;</pre>
<pre>
@@ -143,9 +172,9 @@
</p>
<hr />
<h1><a name="description">Description</a></h1>
-<p>This module actually include many modules: ngx_tcp_module, ngx_tcp_core_module, ngx_tcp_upstream_module, ngx_tcp_proxy_module, ngx_tcp_upstream_ip_hash_module. All these modules work togther to add the support of TCP proxy with Nginx. I also add other features: ip_hash, upstream server health check, status monitor.</p>
+<p>This module actually include many modules: ngx_tcp_module, ngx_tcp_core_module, ngx_tcp_upstream_module, ngx_tcp_proxy_module, ngx_tcp_websocket_module, ngx_tcp_ssl_module, ngx_tcp_upstream_ip_hash_module. All these modules work together to support TCP proxy with Nginx. I also added other features: ip_hash, upstream server health check, status monitor.</p>
<p>The motivation of writing these modules is Nginx's high performance and robustness. At first, I developed this module just for general TCP proxy. And now, this module is frequently used in websocket reverse proxying.</p>
-<p>You can't use the same listening port with HTTP modules.</p>
+<p>Note, You can't use the same listening port with HTTP modules.</p>
<p>
</p>
<hr />
@@ -171,10 +200,45 @@
<p>
</p>
<h3><a name="listen">listen</a></h3>
-<p><strong>syntax:</strong> <em>listen address:port [ bind ]</em></p>
+<p><strong>syntax:</strong> <em>listen address:port [ bind | ssl | default]</em></p>
<p><strong>default:</strong> <em>none</em></p>
<p><strong>context:</strong> <em>server</em></p>
-<p><strong>description:</strong> The same as listen (<a href="http://wiki.nginx.org/NginxMailCoreModule#listen">http://wiki.nginx.org/NginxMailCoreModule#listen</a>).</p>
+<p><strong>description:</strong> The same as listen (<a href="http://wiki.nginx.org/NginxMailCoreModule#listen">http://wiki.nginx.org/NginxMailCoreModule#listen</a>). The parameter of default means the default server if you have several server blocks with the same port.</p>
+<p>
+</p>
+<h3><a name="access_log">access_log</a></h3>
+<p><strong>syntax:</strong> <em>access_log path [buffer=size] | off</em></p>
+<p><strong>default:</strong> <em>access_log logs/tcp_access.log</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p><strong>description:</strong> Set the access.log. Each record's format is like this:</p>
+<p>log_time worker_process_pid client_ip host_ip accept_time upstream_ip bytes_read bytes_write</p>
+<p>2011/08/02 06:19:07 [5972] 127.0.0.1 0.0.0.0:1982 2011/08/02 06:18:19 172.19.0.129:80 80 236305</p>
+<ul>
+<li>
+<p><em>log_time</em>: The current time when writing this log. The log action is called when the proxy session is closed.</p>
+</li>
+<li>
+<p><em>worker_process_pid</em>: the pid of worker process</p>
+</li>
+<li>
+<p><em>client_ip</em>: the client ip</p>
+</li>
+<li>
+<p><em>host_ip</em>: the server ip and port</p>
+</li>
+<li>
+<p><em>accept_time</em>: the time when the server accepts client's connection</p>
+</li>
+<li>
+<p><em>upstream_ip</em>: the upstream server's ip</p>
+</li>
+<li>
+<p><em>bytes_read</em>: the bytes read from client</p>
+</li>
+<li>
+<p><em>bytes_write</em>: the bytes written to client</p>
+</li>
+</ul>
<p>
</p>
<h3><a name="allow">allow</a></h3>
@@ -213,10 +277,10 @@
<p>
</p>
<h3><a name="server_name">server_name</a></h3>
-<p><strong>syntax:</strong> <em>server_name name fqdn_server_host</em></p>
+<p><strong>syntax:</strong> <em>server_name name</em></p>
<p><strong>default:</strong> <em>The name of the host, obtained through gethostname()</em></p>
<p><strong>context:</strong> <em>tcp, server</em></p>
-<p><strong>description:</strong> The same as server_name (<a href="http://wiki.nginx.org/NginxMailCoreModule#server_name">http://wiki.nginx.org/NginxMailCoreModule#server_name</a>).</p>
+<p><strong>description:</strong> The same as server_name (<a href="http://wiki.nginx.org/NginxMailCoreModule#server_name">http://wiki.nginx.org/NginxMailCoreModule#server_name</a>). You can specify several server name in different server block with the same port. They can be used in websocket module.</p>
<p>
</p>
<h3><a name="resolver">resolver</a></h3>
@@ -279,19 +343,19 @@
<p><em>ssl_hello</em> sends a client ssl hello packet and receives the server ssl hello packet.</p>
</li>
<li>
-<p><em>http</em> sends a http requst packet, recvives and parses the http response to diagnose if the upstream server is alive.</p>
+<p><em>http</em> sends a http request packet, receives and parses the http response to diagnose if the upstream server is alive.</p>
</li>
<li>
-<p><em>smtp</em> sends a smtp requst packet, recvives and parses the smtp response to diagnose if the upstream server is alive. The response begins with '2' should be an OK response.</p>
+<p><em>smtp</em> sends a smtp request packet, receives and parses the smtp response to diagnose if the upstream server is alive. The response begins with '2' should be an OK response.</p>
</li>
<li>
-<p><em>mysql</em> connects to the mysql server, recvives the greeting response to diagnose if the upstream server is alive.</p>
+<p><em>mysql</em> connects to the mysql server, receives the greeting response to diagnose if the upstream server is alive.</p>
</li>
<li>
-<p><em>pop3</em> recvives and parses the pop3 response to diagnose if the upstream server is alive. The response begins with '+' should be an OK response.</p>
+<p><em>pop3</em> receives and parses the pop3 response to diagnose if the upstream server is alive. The response begins with '+' should be an OK response.</p>
</li>
<li>
-<p><em>imap</em> connects to the imap server, recvives the greeting response to diagnose if the upstream server is alive.</p>
+<p><em>imap</em> connects to the imap server, receives the greeting response to diagnose if the upstream server is alive.</p>
</li>
</ol>
</ul>
@@ -308,7 +372,7 @@
<p><strong>syntax:</strong> <em>check_http_expect_alive [ http_2xx | http_3xx | http_4xx | http_5xx ]</em></p>
<p><strong>default:</strong> <em>http_2xx | http_3xx</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
-<p><strong>description:</strong> These status codes indicate the upstream server's http response is ok, the backend is alive.</p>
+<p><strong>description:</strong> These status codes indicate the upstream server's http response is OK, the backend is alive.</p>
<p>
</p>
<h3><a name="check_smtp_send">check_smtp_send</a></h3>
@@ -322,14 +386,14 @@
<p><strong>syntax:</strong> <em>check_smtp_expect_alive [smtp_2xx | smtp_3xx | smtp_4xx | smtp_5xx]</em></p>
<p><strong>default:</strong> <em>smtp_2xx</em></p>
<p><strong>context:</strong> <em>upstream</em></p>
-<p><strong>description:</strong> These status codes indicate the upstream server's smtp response is ok, the backend is alive.</p>
+<p><strong>description:</strong> These status codes indicate the upstream server's smtp response is OK, the backend is alive.</p>
<p>
</p>
<h3><a name="check_shm_size">check_shm_size</a></h3>
<p><strong>syntax:</strong> <em>check_shm_size size</em></p>
<p><strong>default:</strong> <em>(number_of_checked_upstream_blocks + 1) * pagesize</em></p>
<p><strong>context:</strong> <em>tcp</em></p>
-<p><strong>description:</strong> If you store hundreds of serveres in one upstream block, the shared memory for health check may be not enough, you can enlarged it by this directive.</p>
+<p><strong>description:</strong> If you store hundreds of servers in one upstream block, the shared memory for health check may be not enough, you can enlarged it by this directive.</p>
<p>
</p>
<h3><a name="check_status">check_status</a></h3>
@@ -364,6 +428,14 @@
<p><em>Check type</em>: The type of the check packet</p>
</li>
</ul>
+<p><strong>ngx_tcp_upstream_busyness_module</strong></p>
+<p>
+</p>
+<h3><a name="busyness">busyness</a></h3>
+<p><strong>syntax:</strong> <em>busyness</em></p>
+<p><strong>default:</strong> <em>none</em></p>
+<p><strong>context:</strong> <em>upstream</em></p>
+<p><strong>description:</strong> the upstream server will be dispatched by backend servers' busyness.</p>
<p><strong>ngx_tcp_upstream_ip_hash_module</strong></p>
<p>
</p>
@@ -412,11 +484,165 @@
<p><strong>description:</strong> set the timeout value of sending to backends.</p>
<p>
</p>
+<h2><a name="ngx_tcp_websocket_module">ngx_tcp_websocket_module</a></h2>
+<p>
+</p>
+<h3><a name="websocket_pass">websocket_pass</a></h3>
+<p><strong>syntax:</strong> <em>websocket_pass [path] host:port</em></p>
+<p><strong>default:</strong> <em>none</em></p>
+<p><strong>context:</strong> <em>server</em></p>
+<p><strong>description:</strong> proxy the websocket request to the backend server. Default port is 80. You can specify several different paths in the same server block.</p>
+<p>
+</p>
+<h3><a name="websocket_buffer">websocket_buffer</a></h3>
+<p><strong>syntax:</strong> <em>websocket_buffer size</em></p>
+<p><strong>default:</strong> <em>4k</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p><strong>description:</strong> set the size of proxy buffer.</p>
+<p>
+</p>
+<h3><a name="websocket_connect_timeout">websocket_connect_timeout</a></h3>
+<p><strong>syntax:</strong> <em>websocket_connect_timeout miliseconds</em></p>
+<p><strong>default:</strong> <em>60000</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p><strong>description:</strong> set the timeout value of connection to backends.</p>
+<p>
+</p>
+<h3><a name="websocket_read_timeout">websocket_read_timeout</a></h3>
+<p><strong>syntax:</strong> <em>websocket_read_timeout miliseconds</em></p>
+<p><strong>default:</strong> <em>60000</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p><strong>description:</strong> set the timeout value of reading from backends. Your timeout will be the minimum of this and the *timeout* parameter, so if you want a long timeout for your websockets, make sure to set both paramaters.</p>
+<p>
+</p>
+<h3><a name="websocket_send_timeout">websocket_send_timeout</a></h3>
+<p><strong>syntax:</strong> <em>websocket_send_timeout miliseconds</em></p>
+<p><strong>default:</strong> <em>60000</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p><strong>description:</strong> set the timeout value of sending to backends.</p>
+<p>
+</p>
+<h2><a name="ngx_tcp_ssl_module">ngx_tcp_ssl_module</a></h2>
+<p>The default config file includes this ngx_tcp_ssl_module. If you want to just compile nginx without ngx_tcp_ssl_module, copy the ngx_tcp_proxy_module/config_without_ssl to ngx_tcp_proxy_module/config, reconfigrure and compile nginx.</p>
+<p>
+</p>
+<h3><a name="ssl">ssl</a></h3>
+<p><strong>syntax:</strong> <em>ssl [on|off] </em></p>
+<p><strong>default:</strong> <em>ssl off</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>Enables SSL for a server.</p>
+<p>
+</p>
+<h3><a name="ssl_certificate">ssl_certificate</a></h3>
+<p><strong>syntax:</strong> <em>ssl_certificate file</em></p>
+<p><strong>default:</strong> <em>ssl_certificate cert.pem</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive specifies the file containing the certificate, in PEM format. This file can contain also other certificates and the server private key.</p>
+<p>
+</p>
+<h3><a name="ssl_certificate_key">ssl_certificate_key</a></h3>
+<p><strong>syntax:</strong> <em>ssl_certificate_key file</em></p>
+<p><strong>default:</strong> <em>ssl_certificate_key cert.pem</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive specifies the file containing the private key, in PEM format.</p>
+<p>
+</p>
+<h3><a name="ssl_client_certificate">ssl_client_certificate</a></h3>
+<p><strong>syntax:</strong> <em>ssl_client_certificate file</em></p>
+<p><strong>default:</strong> <em>none</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive specifies the file containing the CA (root) certificate, in PEM format, that is used for validating client certificates.</p>
+<p>
+</p>
+<h3><a name="ssl_dhparam">ssl_dhparam</a></h3>
+<p><strong>syntax:</strong> <em>ssl_dhparam file</em></p>
+<p><strong>default:</strong> <em>none</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM format, utilized for exchanging session keys between server and client.</p>
+<p>
+</p>
+<h3><a name="ssl_ciphers">ssl_ciphers</a></h3>
+<p><strong>syntax:</strong> <em>ssl_ciphers openssl_cipherlist_spec</em></p>
+<p><strong>default:</strong> <em>ssl_ciphers HIGH:!aNULL:!MD5</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive describes the list of cipher suites the server supports for establishing a secure connection. Cipher suites are specified in the OpenSSL (<a href="http://openssl.org/docs/apps/ciphers.html">http://openssl.org/docs/apps/ciphers.html</a>) cipherlist format, for example:</p>
+<p>ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;</p>
+<p>The complete cipherlist supported by the currently installed version of OpenSSL in your platform can be obtained by issuing the command:
+openssl ciphers</p>
+<p>
+</p>
+<h3><a name="ssl_crl">ssl_crl</a></h3>
+<p><strong>syntax:</strong> <em>ssl_crl file</em></p>
+<p><strong>default:</strong> <em>none</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive specifies the filename of a Certificate Revocation List, in PEM format, which is used to check the revocation status of certificates.</p>
+<p>
+</p>
+<h3><a name="ssl_prefer_server_ciphers">ssl_prefer_server_ciphers</a></h3>
+<p><strong>syntax:</strong> <em>ssl_prefer_server_ciphers [on|off] </em></p>
+<p><strong>default:</strong> <em>ssl_prefer_server_ciphers off</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>The server requires that the cipher suite list for protocols SSLv3 and TLSv1 are to be preferred over the client supported cipher suite list.</p>
+<p>
+</p>
+<h3><a name="ssl_protocols">ssl_protocols</a></h3>
+<p><strong>syntax:</strong> <em>ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]</em></p>
+<p><strong>default:</strong> <em>ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive enables the protocol versions specified.</p>
+<p>
+</p>
+<h3><a name="ssl_verify_client">ssl_verify_client</a></h3>
+<p><strong>syntax:</strong> <em>ssl_verify_client on|off|optional</em></p>
+<p><strong>default:</strong> <em>ssl_verify_client off</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive enables the verification of the client identity. Parameter 'optional' checks the client identity using its certificate in case it was made available to the server.</p>
+<p>
+</p>
+<h3><a name="ssl_verify_depth">ssl_verify_depth</a></h3>
+<p><strong>syntax:</strong> <em>ssl_verify_depth number</em></p>
+<p><strong>default:</strong> <em>ssl_verify_depth 1</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive sets how deep the server should go in the client provided certificate chain in order to verify the client identity.</p>
+<p>
+</p>
+<h3><a name="ssl_session_cache">ssl_session_cache</a></h3>
+<p><strong>syntax:</strong> <em>ssl_session_cache off|none|builtin:size and/or shared:name:size</em></p>
+<p><strong>default:</strong> <em>ssl_session_cache off</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>The directive sets the types and sizes of caches to store the SSL sessions.</p>
+<p>The cache types are:</p>
+<ul>
+<li>
+<p>off -- Hard off: nginx says explicitly to a client that sessions can not reused.</p>
+</li>
+<li>
+<p>none -- Soft off: nginx says to a client that session can be resued, but nginx actually never reuses them. This is workaround for some mail clients as ssl_session_cache may be used in mail proxy as well as in HTTP server.</p>
+</li>
+<li>
+<p>builtin -- the OpenSSL builtin cache, is used inside one worker process only. The cache size is assigned in the number of the sessions. Note: there appears to be a memory fragmentation issue using this method, please take that into consideration when using this. See ``References'' below.</p>
+</li>
+<li>
+<p>shared -- the cache is shared between all worker processes. The size of the cache is assigned in bytes: 1 MB cache can contain roughly 4000 sessions. Each shared cache must be given an arbitrary name. A shared cache with a given name can be used in several virtual hosts.</p>
+</li>
+</ul>
+<p>It's possible to use both types of cache &amp;mdash; builtin and shared &amp;mdash; simultaneously, for example:</p>
+<p>ssl_session_cache builtin:1000 shared:SSL:10m;</p>
+<p>Bear in mind however, that using only shared cache, i.e., without builtin, should be more effective.</p>
+<p>
+</p>
+<h3><a name="ssl_session_timeout">ssl_session_timeout</a></h3>
+<p><strong>syntax:</strong> <em>ssl_session_timeout time</em></p>
+<p><strong>default:</strong> <em>ssl_session_timeout 5m</em></p>
+<p><strong>context:</strong> <em>tcp, server</em></p>
+<p>This directive defines the maximum time during which the client can re-use the previously negotiated cryptographic parameters of the secure session that is stored in the SSL cache.</p>
+<p>
+</p>
<hr />
<h1><a name="compatibility">Compatibility</a></h1>
<ul>
<li>
-<p>Nginx 0.7.65+</p>
+<p>My test bed is 0.7.65+</p>
</li>
</ul>
<p>
@@ -430,10 +656,6 @@
<p>
</p>
<hr />
-<h1><a name="todo">TODO</a></h1>
-<p>
-</p>
-<hr />
<h1><a name="known_issues">Known Issues</a></h1>
<ul>
<li>
@@ -446,6 +668,23 @@
<h1><a name="changelogs">Changelogs</a></h1>
<p>
</p>
+<h2><a name="v0_2_0">v0.2.0</a></h2>
+<ul>
+<li>
+<p>add ssl proxy module</p>
+</li>
+<li>
+<p>add websocket proxy module</p>
+</li>
+<li>
+<p>add upstream busyness module</p>
+</li>
+<li>
+<p>add tcp access log module</p>
+</li>
+</ul>
+<p>
+</p>
<h2><a name="v0_19">v0.19</a></h2>
<ul>
<li>
@@ -472,7 +711,7 @@
<p>This README template copy from agentzh (<a href="http://github.com/agentzh">http://github.com/agentzh</a>).</p>
<p>I borrowed a lot of code from upstream and mail module from the nginx 0.7.* core. This part of code is copyrighted by Igor Sysoev. And the health check part is borrowed the design of Jack Lindamood's healthcheck module healthcheck_nginx_upstreams (<a href="http://github.com/cep21/healthcheck_nginx_upstreams">http://github.com/cep21/healthcheck_nginx_upstreams</a>);</p>
<p>This module is licensed under the BSD license.</p>
-<p>Copyright (C) 2011 by Weibin Yao &lt;<a href="mailto:yaoweibin@gmail.com">yaoweibin@gmail.com</a>&gt;.</p>
+<p>Copyright (C) 2012 by Weibin Yao &lt;<a href="mailto:yaoweibin@gmail.com">yaoweibin@gmail.com</a>&gt;.</p>
<p>All rights reserved.</p>
<p>Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:</p>
<ul>
View
334 doc/README.txt
@@ -5,11 +5,6 @@ Installation
Download the latest stable version of the release tarball of this module
from github (<http://github.com/yaoweibin/nginx_tcp_proxy_module>)
- The development version of this module is here
- (<https://github.com/yaoweibin/nginx_tcp_proxy_module/tree/develop>). I
- have added the features of tcp_ssl_proxy, tcp_upstream_busyness,
- access_log.
-
Grab the nginx source code from nginx.org (<http://nginx.org/>), for
example, the version 1.2.1 (see nginx compatibility), and then build the
source with this module:
@@ -40,8 +35,8 @@ Synopsis
upstream cluster {
# simple round-robin
- server 127.0.0.1:3306;
- server 127.0.0.1:1234;
+ server 192.168.0.1:80;
+ server 192.168.0.2:80;
check interval=3000 rise=2 fall=5 timeout=1000;
@@ -62,16 +57,17 @@ Synopsis
Description
This module actually include many modules: ngx_tcp_module,
ngx_tcp_core_module, ngx_tcp_upstream_module, ngx_tcp_proxy_module,
- ngx_tcp_upstream_ip_hash_module. All these modules work togther to add
- the support of TCP proxy with Nginx. I also add other features: ip_hash,
+ ngx_tcp_websocket_module, ngx_tcp_ssl_module,
+ ngx_tcp_upstream_ip_hash_module. All these modules work together to
+ support TCP proxy with Nginx. I also added other features: ip_hash,
upstream server health check, status monitor.
The motivation of writing these modules is Nginx's high performance and
robustness. At first, I developed this module just for general TCP
proxy. And now, this module is frequently used in websocket reverse
proxying.
- You can't use the same listening port with HTTP modules.
+ Note, You can't use the same listening port with HTTP modules.
Directives
ngx_tcp_moodule
@@ -98,14 +94,48 @@ Directives
server block.
listen
- syntax: *listen address:port [ bind ]*
+ syntax: *listen address:port [ bind | ssl | default]*
default: *none*
context: *server*
description: The same as listen
- (<http://wiki.nginx.org/NginxMailCoreModule#listen>).
+ (<http://wiki.nginx.org/NginxMailCoreModule#listen>). The parameter of
+ default means the default server if you have several server blocks with
+ the same port.
+
+ access_log
+ syntax: *access_log path [buffer=size] | off*
+
+ default: *access_log logs/tcp_access.log*
+
+ context: *tcp, server*
+
+ description: Set the access.log. Each record's format is like this:
+
+ log_time worker_process_pid client_ip host_ip accept_time upstream_ip
+ bytes_read bytes_write
+
+ 2011/08/02 06:19:07 [5972] 127.0.0.1 0.0.0.0:1982 2011/08/02 06:18:19
+ 172.19.0.129:80 80 236305
+
+ * *log_time*: The current time when writing this log. The log action
+ is called when the proxy session is closed.
+
+ * *worker_process_pid*: the pid of worker process
+
+ * *client_ip*: the client ip
+
+ * *host_ip*: the server ip and port
+
+ * *accept_time*: the time when the server accepts client's connection
+
+ * *upstream_ip*: the upstream server's ip
+
+ * *bytes_read*: the bytes read from client
+
+ * *bytes_write*: the bytes written to client
allow
syntax: *allow [ address | CIDR | all ]*
@@ -157,14 +187,16 @@ Directives
description: set the timeout value with clients.
server_name
- syntax: *server_name name fqdn_server_host*
+ syntax: *server_name name*
default: *The name of the host, obtained through gethostname()*
context: *tcp, server*
description: The same as server_name
- (<http://wiki.nginx.org/NginxMailCoreModule#server_name>).
+ (<http://wiki.nginx.org/NginxMailCoreModule#server_name>). You can
+ specify several server name in different server block with the same
+ port. They can be used in websocket module.
resolver
syntax: *resolver address*
@@ -237,21 +269,21 @@ Directives
2. *ssl_hello* sends a client ssl hello packet and receives the
server ssl hello packet.
- 3. *http* sends a http requst packet, recvives and parses the http
+ 3. *http* sends a http request packet, receives and parses the http
response to diagnose if the upstream server is alive.
- 4. *smtp* sends a smtp requst packet, recvives and parses the smtp
+ 4. *smtp* sends a smtp request packet, receives and parses the smtp
response to diagnose if the upstream server is alive. The
response begins with '2' should be an OK response.
- 5. *mysql* connects to the mysql server, recvives the greeting
+ 5. *mysql* connects to the mysql server, receives the greeting
response to diagnose if the upstream server is alive.
- 6. *pop3* recvives and parses the pop3 response to diagnose if the
+ 6. *pop3* receives and parses the pop3 response to diagnose if the
upstream server is alive. The response begins with '+' should be
an OK response.
- 7. *imap* connects to the imap server, recvives the greeting
+ 7. *imap* connects to the imap server, receives the greeting
response to diagnose if the upstream server is alive.
check_http_send
@@ -273,7 +305,7 @@ Directives
context: *upstream*
description: These status codes indicate the upstream server's http
- response is ok, the backend is alive.
+ response is OK, the backend is alive.
check_smtp_send
syntax: *check_smtp_send smtp_packet*
@@ -294,7 +326,7 @@ Directives
context: *upstream*
description: These status codes indicate the upstream server's smtp
- response is ok, the backend is alive.
+ response is OK, the backend is alive.
check_shm_size
syntax: *check_shm_size size*
@@ -303,9 +335,9 @@ Directives
context: *tcp*
- description: If you store hundreds of serveres in one upstream block,
- the shared memory for health check may be not enough, you can enlarged
- it by this directive.
+ description: If you store hundreds of servers in one upstream block, the
+ shared memory for health check may be not enough, you can enlarged it by
+ this directive.
check_status
syntax: *check_status*
@@ -336,6 +368,18 @@ Directives
* *Check type*: The type of the check packet
+ ngx_tcp_upstream_busyness_module
+
+ busyness
+ syntax: *busyness*
+
+ default: *none*
+
+ context: *upstream*
+
+ description: the upstream server will be dispatched by backend servers'
+ busyness.
+
ngx_tcp_upstream_ip_hash_module
ip_hash
@@ -394,8 +438,236 @@ Directives
description: set the timeout value of sending to backends.
+ ngx_tcp_websocket_module
+ websocket_pass
+ syntax: *websocket_pass [path] host:port*
+
+ default: *none*
+
+ context: *server*
+
+ description: proxy the websocket request to the backend server. Default
+ port is 80. You can specify several different paths in the same server
+ block.
+
+ websocket_buffer
+ syntax: *websocket_buffer size*
+
+ default: *4k*
+
+ context: *tcp, server*
+
+ description: set the size of proxy buffer.
+
+ websocket_connect_timeout
+ syntax: *websocket_connect_timeout miliseconds*
+
+ default: *60000*
+
+ context: *tcp, server*
+
+ description: set the timeout value of connection to backends.
+
+ websocket_read_timeout
+ syntax: *websocket_read_timeout miliseconds*
+
+ default: *60000*
+
+ context: *tcp, server*
+
+ description: set the timeout value of reading from backends. Your
+ timeout will be the minimum of this and the *timeout* parameter, so if
+ you want a long timeout for your websockets, make sure to set both
+ paramaters.
+
+ websocket_send_timeout
+ syntax: *websocket_send_timeout miliseconds*
+
+ default: *60000*
+
+ context: *tcp, server*
+
+ description: set the timeout value of sending to backends.
+
+ ngx_tcp_ssl_module
+ The default config file includes this ngx_tcp_ssl_module. If you want to
+ just compile nginx without ngx_tcp_ssl_module, copy the
+ ngx_tcp_proxy_module/config_without_ssl to ngx_tcp_proxy_module/config,
+ reconfigrure and compile nginx.
+
+ ssl
+ syntax: *ssl [on|off] *
+
+ default: *ssl off*
+
+ context: *tcp, server*
+
+ Enables SSL for a server.
+
+ ssl_certificate
+ syntax: *ssl_certificate file*
+
+ default: *ssl_certificate cert.pem*
+
+ context: *tcp, server*
+
+ This directive specifies the file containing the certificate, in PEM
+ format. This file can contain also other certificates and the server
+ private key.
+
+ ssl_certificate_key
+ syntax: *ssl_certificate_key file*
+
+ default: *ssl_certificate_key cert.pem*
+
+ context: *tcp, server*
+
+ This directive specifies the file containing the private key, in PEM
+ format.
+
+ ssl_client_certificate
+ syntax: *ssl_client_certificate file*
+
+ default: *none*
+
+ context: *tcp, server*
+
+ This directive specifies the file containing the CA (root) certificate,
+ in PEM format, that is used for validating client certificates.
+
+ ssl_dhparam
+ syntax: *ssl_dhparam file*
+
+ default: *none*
+
+ context: *tcp, server*
+
+ This directive specifies a file containing Diffie-Hellman key agreement
+ protocol cryptographic parameters, in PEM format, utilized for
+ exchanging session keys between server and client.
+
+ ssl_ciphers
+ syntax: *ssl_ciphers openssl_cipherlist_spec*
+
+ default: *ssl_ciphers HIGH:!aNULL:!MD5*
+
+ context: *tcp, server*
+
+ This directive describes the list of cipher suites the server supports
+ for establishing a secure connection. Cipher suites are specified in the
+ OpenSSL (<http://openssl.org/docs/apps/ciphers.html>) cipherlist format,
+ for example:
+
+ ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
+
+ The complete cipherlist supported by the currently installed version of
+ OpenSSL in your platform can be obtained by issuing the command: openssl
+ ciphers
+
+ ssl_crl
+ syntax: *ssl_crl file*
+
+ default: *none*
+
+ context: *tcp, server*
+
+ This directive specifies the filename of a Certificate Revocation List,
+ in PEM format, which is used to check the revocation status of
+ certificates.
+
+ ssl_prefer_server_ciphers
+ syntax: *ssl_prefer_server_ciphers [on|off] *
+
+ default: *ssl_prefer_server_ciphers off*
+
+ context: *tcp, server*
+
+ The server requires that the cipher suite list for protocols SSLv3 and
+ TLSv1 are to be preferred over the client supported cipher suite list.
+
+ ssl_protocols
+ syntax: *ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]*
+
+ default: *ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2*
+
+ context: *tcp, server*
+
+ This directive enables the protocol versions specified.
+
+ ssl_verify_client
+ syntax: *ssl_verify_client on|off|optional*
+
+ default: *ssl_verify_client off*
+
+ context: *tcp, server*
+
+ This directive enables the verification of the client identity.
+ Parameter 'optional' checks the client identity using its certificate in
+ case it was made available to the server.
+
+ ssl_verify_depth
+ syntax: *ssl_verify_depth number*
+
+ default: *ssl_verify_depth 1*
+
+ context: *tcp, server*
+
+ This directive sets how deep the server should go in the client provided
+ certificate chain in order to verify the client identity.
+
+ ssl_session_cache
+ syntax: *ssl_session_cache off|none|builtin:size and/or
+ shared:name:size*
+
+ default: *ssl_session_cache off*
+
+ context: *tcp, server*
+
+ The directive sets the types and sizes of caches to store the SSL
+ sessions.
+
+ The cache types are:
+
+ * off -- Hard off: nginx says explicitly to a client that sessions can
+ not reused.
+
+ * none -- Soft off: nginx says to a client that session can be resued,
+ but nginx actually never reuses them. This is workaround for some
+ mail clients as ssl_session_cache may be used in mail proxy as well
+ as in HTTP server.
+
+ * builtin -- the OpenSSL builtin cache, is used inside one worker
+ process only. The cache size is assigned in the number of the
+ sessions. Note: there appears to be a memory fragmentation issue
+ using this method, please take that into consideration when using
+ this. See "References" below.
+
+ * shared -- the cache is shared between all worker processes. The size
+ of the cache is assigned in bytes: 1 MB cache can contain roughly
+ 4000 sessions. Each shared cache must be given an arbitrary name. A
+ shared cache with a given name can be used in several virtual hosts.
+
+ It's possible to use both types of cache &mdash; builtin and shared
+ &mdash; simultaneously, for example:
+
+ ssl_session_cache builtin:1000 shared:SSL:10m;
+
+ Bear in mind however, that using only shared cache, i.e., without
+ builtin, should be more effective.
+
+ ssl_session_timeout
+ syntax: *ssl_session_timeout time*
+
+ default: *ssl_session_timeout 5m*
+
+ context: *tcp, server*
+
+ This directive defines the maximum time during which the client can
+ re-use the previously negotiated cryptographic parameters of the secure
+ session that is stored in the SSL cache.
+
Compatibility
- * Nginx 0.7.65+
+ * My test bed is 0.7.65+
Notes
The http_response_parse.rl and smtp_response_parse.rl are ragel
@@ -405,11 +677,19 @@ Notes
$ ragel -G2 http_response_parse.rl
$ ragel -G2 smtp_response_parse.rl
-TODO
Known Issues
* This module can't use the same listening port with the HTTP module.
Changelogs
+ v0.2.0
+ * add ssl proxy module
+
+ * add websocket proxy module
+
+ * add upstream busyness module
+
+ * add tcp access log module
+
v0.19
* add many check methods
@@ -430,7 +710,7 @@ Copyright & License
This module is licensed under the BSD license.
- Copyright (C) 2011 by Weibin Yao <yaoweibin@gmail.com>.
+ Copyright (C) 2012 by Weibin Yao <yaoweibin@gmail.com>.
All rights reserved.
View
303 doc/README.wiki
@@ -1,13 +1,11 @@
-= Name =
+= Name =
'''nginx_tcp_proxy_module''' - support TCP proxy with Nginx
= Installation =
Download the latest stable version of the release tarball of this module from [http://github.com/yaoweibin/nginx_tcp_proxy_module github]
-The development version of this module is [https://github.com/yaoweibin/nginx_tcp_proxy_module/tree/develop here]. I have added the features of tcp_ssl_proxy, tcp_upstream_busyness, access_log.
-
Grab the nginx source code from [http://nginx.org/ nginx.org], for example, the version 1.2.1 (see nginx compatibility), and then build the source with this module:
<geshi lang="bash">
@@ -43,8 +41,8 @@ tcp {
upstream cluster {
# simple round-robin
- server 127.0.0.1:3306;
- server 127.0.0.1:1234;
+ server 192.168.0.1:80;
+ server 192.168.0.2:80;
check interval=3000 rise=2 fall=5 timeout=1000;
@@ -65,11 +63,11 @@ tcp {
= Description =
-This module actually include many modules: ngx_tcp_module, ngx_tcp_core_module, ngx_tcp_upstream_module, ngx_tcp_proxy_module, ngx_tcp_upstream_ip_hash_module. All these modules work togther to add the support of TCP proxy with Nginx. I also add other features: ip_hash, upstream server health check, status monitor.
+This module actually include many modules: ngx_tcp_module, ngx_tcp_core_module, ngx_tcp_upstream_module, ngx_tcp_proxy_module, ngx_tcp_websocket_module, ngx_tcp_ssl_module, ngx_tcp_upstream_ip_hash_module. All these modules work together to support TCP proxy with Nginx. I also added other features: ip_hash, upstream server health check, status monitor.
The motivation of writing these modules is Nginx's high performance and robustness. At first, I developed this module just for general TCP proxy. And now, this module is frequently used in websocket reverse proxying.
-You can't use the same listening port with HTTP modules.
+Note, You can't use the same listening port with HTTP modules.
= Directives =
@@ -100,13 +98,40 @@ You can't use the same listening port with HTTP modules.
=== listen ===
-'''syntax:''' ''listen address:port [ bind ]''
+'''syntax:''' ''listen address:port [ bind | ssl | default]''
'''default:''' ''none''
'''context:''' ''server''
-'''description:''' The same as [http://wiki.nginx.org/NginxMailCoreModule#listen listen].
+'''description:''' The same as [http://wiki.nginx.org/NginxMailCoreModule#listen listen]. The parameter of default means the default server if you have several server blocks with the same port.
+
+=== access_log ===
+
+'''syntax:''' ''access_log path [buffer=size] | off''
+
+'''default:''' ''access_log logs/tcp_access.log''
+
+'''context:''' ''tcp, server''
+
+'''description:''' Set the access.log. Each record's format is like this:
+
+<pre>
+
+log_time worker_process_pid client_ip host_ip accept_time upstream_ip bytes_read bytes_write
+
+2011/08/02 06:19:07 [5972] 127.0.0.1 0.0.0.0:1982 2011/08/02 06:18:19 172.19.0.129:80 80 236305
+
+</pre>
+
+* ''log_time'': The current time when writing this log. The log action is called when the proxy session is closed.
+* ''worker_process_pid'': the pid of worker process
+* ''client_ip'': the client ip
+* ''host_ip'': the server ip and port
+* ''accept_time'': the time when the server accepts client's connection
+* ''upstream_ip'': the upstream server's ip
+* ''bytes_read'': the bytes read from client
+* ''bytes_write'': the bytes written to client
=== allow ===
@@ -160,13 +185,13 @@ You can't use the same listening port with HTTP modules.
=== server_name ===
-'''syntax:''' ''server_name name fqdn_server_host''
+'''syntax:''' ''server_name name''
'''default:''' ''The name of the host, obtained through gethostname()''
'''context:''' ''tcp, server''
-'''description:''' The same as [http://wiki.nginx.org/NginxMailCoreModule#server_name server_name].
+'''description:''' The same as [http://wiki.nginx.org/NginxMailCoreModule#server_name server_name]. You can specify several server name in different server block with the same port. They can be used in websocket module.
=== resolver ===
@@ -230,11 +255,11 @@ The parameters' meanings are:
* ''type'': the check protocol type:
# ''tcp'' is a simple tcp socket connect and peek one byte.
# ''ssl_hello'' sends a client ssl hello packet and receives the server ssl hello packet.
-# ''http'' sends a http requst packet, recvives and parses the http response to diagnose if the upstream server is alive.
-# ''smtp'' sends a smtp requst packet, recvives and parses the smtp response to diagnose if the upstream server is alive. The response begins with '2' should be an OK response.
-# ''mysql'' connects to the mysql server, recvives the greeting response to diagnose if the upstream server is alive.
-# ''pop3'' recvives and parses the pop3 response to diagnose if the upstream server is alive. The response begins with '+' should be an OK response.
-# ''imap'' connects to the imap server, recvives the greeting response to diagnose if the upstream server is alive.
+# ''http'' sends a http request packet, receives and parses the http response to diagnose if the upstream server is alive.
+# ''smtp'' sends a smtp request packet, receives and parses the smtp response to diagnose if the upstream server is alive. The response begins with '2' should be an OK response.
+# ''mysql'' connects to the mysql server, receives the greeting response to diagnose if the upstream server is alive.
+# ''pop3'' receives and parses the pop3 response to diagnose if the upstream server is alive. The response begins with '+' should be an OK response.
+# ''imap'' connects to the imap server, receives the greeting response to diagnose if the upstream server is alive.
=== check_http_send ===
@@ -254,7 +279,7 @@ The parameters' meanings are:
'''context:''' ''upstream''
-'''description:''' These status codes indicate the upstream server's http response is ok, the backend is alive.
+'''description:''' These status codes indicate the upstream server's http response is OK, the backend is alive.
=== check_smtp_send ===
@@ -274,8 +299,7 @@ The parameters' meanings are:
'''context:''' ''upstream''
-'''description:''' These status codes indicate the upstream server's smtp response is ok, the backend is alive.
-
+'''description:''' These status codes indicate the upstream server's smtp response is OK, the backend is alive.
=== check_shm_size ===
@@ -285,7 +309,7 @@ The parameters' meanings are:
'''context:''' ''tcp''
-'''description:''' If you store hundreds of serveres in one upstream block, the shared memory for health check may be not enough, you can enlarged it by this directive.
+'''description:''' If you store hundreds of servers in one upstream block, the shared memory for health check may be not enough, you can enlarged it by this directive.
=== check_status ===
@@ -309,6 +333,19 @@ The table field meanings are:
* ''Check type'': The type of the check packet
+'''ngx_tcp_upstream_busyness_module'''
+
+=== busyness ===
+
+'''syntax:''' ''busyness''
+
+'''default:''' ''none''
+
+'''context:''' ''upstream''
+
+'''description:''' the upstream server will be dispatched by backend servers' busyness.
+
+
'''ngx_tcp_upstream_ip_hash_module'''
=== ip_hash ===
@@ -375,9 +412,219 @@ The table field meanings are:
'''description:''' set the timeout value of sending to backends.
+== ngx_tcp_websocket_module ==
+
+=== websocket_pass ===
+
+'''syntax:''' ''websocket_pass [path] host:port''
+
+'''default:''' ''none''
+
+'''context:''' ''server''
+
+'''description:''' proxy the websocket request to the backend server. Default port is 80. You can specify several different paths in the same server block.
+
+=== websocket_buffer ===
+
+'''syntax:''' ''websocket_buffer size''
+
+'''default:''' ''4k''
+
+'''context:''' ''tcp, server''
+
+'''description:''' set the size of proxy buffer.
+
+=== websocket_connect_timeout ===
+
+'''syntax:''' ''websocket_connect_timeout miliseconds''
+
+'''default:''' ''60000''
+
+'''context:''' ''tcp, server''
+
+'''description:''' set the timeout value of connection to backends.
+
+=== websocket_read_timeout ===
+
+'''syntax:''' ''websocket_read_timeout miliseconds''
+
+'''default:''' ''60000''
+
+'''context:''' ''tcp, server''
+
+'''description:''' set the timeout value of reading from backends. Your timeout will be the minimum of this and the *timeout* parameter, so if you want a long timeout for your websockets, make sure to set both paramaters.
+
+=== websocket_send_timeout ===
+
+'''syntax:''' ''websocket_send_timeout miliseconds''
+
+'''default:''' ''60000''
+
+'''context:''' ''tcp, server''
+
+'''description:''' set the timeout value of sending to backends.
+
+
+== ngx_tcp_ssl_module ==
+
+The default config file includes this ngx_tcp_ssl_module. If you want to just compile nginx without ngx_tcp_ssl_module, copy the ngx_tcp_proxy_module/config_without_ssl to ngx_tcp_proxy_module/config, reconfigrure and compile nginx.
+
+=== ssl ===
+
+'''syntax:''' ''ssl [on|off] ''
+
+'''default:''' ''ssl off''
+
+'''context:''' ''tcp, server''
+
+Enables SSL for a server.
+
+=== ssl_certificate ===
+
+'''syntax:''' ''ssl_certificate file''
+
+'''default:''' ''ssl_certificate cert.pem''
+
+'''context:''' ''tcp, server''
+
+This directive specifies the file containing the certificate, in PEM format. This file can contain also other certificates and the server private key.
+
+=== ssl_certificate_key ===
+
+'''syntax:''' ''ssl_certificate_key file''
+
+'''default:''' ''ssl_certificate_key cert.pem''
+
+'''context:''' ''tcp, server''
+
+This directive specifies the file containing the private key, in PEM format.
+
+=== ssl_client_certificate ===
+
+'''syntax:''' ''ssl_client_certificate file''
+
+'''default:''' ''none''
+
+'''context:''' ''tcp, server''
+
+This directive specifies the file containing the CA (root) certificate, in PEM format, that is used for validating client certificates.
+
+=== ssl_dhparam ===
+
+'''syntax:''' ''ssl_dhparam file''
+
+'''default:''' ''none''
+
+'''context:''' ''tcp, server''
+
+This directive specifies a file containing Diffie-Hellman key agreement protocol cryptographic parameters, in PEM format, utilized for exchanging session keys between server and client.
+
+=== ssl_ciphers ===
+
+'''syntax:''' ''ssl_ciphers openssl_cipherlist_spec''
+
+'''default:''' ''ssl_ciphers HIGH:!aNULL:!MD5''
+
+'''context:''' ''tcp, server''
+
+This directive describes the list of cipher suites the server supports for establishing a secure connection. Cipher suites are specified in the [http://openssl.org/docs/apps/ciphers.html OpenSSL] cipherlist format, for example:
+
+<geshi lang="nginx">
+ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
+</geshi>
+
+The complete cipherlist supported by the currently installed version of OpenSSL in your platform can be obtained by issuing the command:
+<pre>
+openssl ciphers
+</pre>
+
+=== ssl_crl ===
+
+'''syntax:''' ''ssl_crl file''
+
+'''default:''' ''none''
+
+'''context:''' ''tcp, server''
+
+This directive specifies the filename of a Certificate Revocation List, in PEM format, which is used to check the revocation status of certificates.
+
+=== ssl_prefer_server_ciphers ===
+
+'''syntax:''' ''ssl_prefer_server_ciphers [on|off] ''
+
+'''default:''' ''ssl_prefer_server_ciphers off''
+
+'''context:''' ''tcp, server''
+
+The server requires that the cipher suite list for protocols SSLv3 and TLSv1 are to be preferred over the client supported cipher suite list.
+
+=== ssl_protocols ===
+
+'''syntax:''' ''ssl_protocols [SSLv2] [SSLv3] [TLSv1] [TLSv1.1] [TLSv1.2]''
+
+'''default:''' ''ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2''
+
+'''context:''' ''tcp, server''
+
+This directive enables the protocol versions specified.
+
+=== ssl_verify_client ===
+
+'''syntax:''' ''ssl_verify_client on|off|optional''
+
+'''default:''' ''ssl_verify_client off''
+
+'''context:''' ''tcp, server''
+
+This directive enables the verification of the client identity. Parameter 'optional' checks the client identity using its certificate in case it was made available to the server.
+
+=== ssl_verify_depth ===
+
+'''syntax:''' ''ssl_verify_depth number''
+
+'''default:''' ''ssl_verify_depth 1''
+
+'''context:''' ''tcp, server''
+
+This directive sets how deep the server should go in the client provided certificate chain in order to verify the client identity.
+
+=== ssl_session_cache ===
+
+'''syntax:''' ''ssl_session_cache off|none|builtin:size and/or shared:name:size''
+
+'''default:''' ''ssl_session_cache off''
+
+'''context:''' ''tcp, server''
+
+The directive sets the types and sizes of caches to store the SSL sessions.
+
+The cache types are:
+
+* off -- Hard off: nginx says explicitly to a client that sessions can not reused.
+* none -- Soft off: nginx says to a client that session can be resued, but nginx actually never reuses them. This is workaround for some mail clients as ssl_session_cache may be used in mail proxy as well as in HTTP server.
+* builtin -- the OpenSSL builtin cache, is used inside one worker process only. The cache size is assigned in the number of the sessions. Note: there appears to be a memory fragmentation issue using this method, please take that into consideration when using this. See "References" below.
+* shared -- the cache is shared between all worker processes. The size of the cache is assigned in bytes: 1 MB cache can contain roughly 4000 sessions. Each shared cache must be given an arbitrary name. A shared cache with a given name can be used in several virtual hosts.
+It's possible to use both types of cache &mdash; builtin and shared &mdash; simultaneously, for example:
+
+<geshi lang="nginx">
+ssl_session_cache builtin:1000 shared:SSL:10m;
+</geshi>
+
+Bear in mind however, that using only shared cache, i.e., without builtin, should be more effective.
+
+=== ssl_session_timeout ===
+
+'''syntax:''' ''ssl_session_timeout time''
+
+'''default:''' ''ssl_session_timeout 5m''
+
+'''context:''' ''tcp, server''
+
+This directive defines the maximum time during which the client can re-use the previously negotiated cryptographic parameters of the secure session that is stored in the SSL cache.
+
= Compatibility =
-* Nginx 0.7.65+
+* My test bed is 0.7.65+
= Notes =
@@ -388,18 +635,25 @@ The http_response_parse.rl and smtp_response_parse.rl are [http://www.complang.o
$ ragel -G2 smtp_response_parse.rl
</geshi>
-= TODO =
-
= Known Issues =
* This module can't use the same listening port with the HTTP module.
= Changelogs =
+== v0.2.0 ==
+
+* add ssl proxy module
+* add websocket proxy module
+* add upstream busyness module
+* add tcp access log module
+
== v0.19 ==
+
* add many check methods
== v0.1 ==
+
* first release
= Authors =
@@ -414,7 +668,7 @@ I borrowed a lot of code from upstream and mail module from the nginx 0.7.* core
This module is licensed under the BSD license.
-Copyright (C) 2011 by Weibin Yao <yaoweibin@gmail.com>.
+Copyright (C) 2012 by Weibin Yao <yaoweibin@gmail.com>.
All rights reserved.
@@ -424,4 +678,3 @@ Redistribution and use in source and binary forms, with or without modification,
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
View
296 modules/ngx_tcp_proxy_module.c → modules/ngx_tcp_generic_proxy_module.c
@@ -1,81 +1,94 @@
+
#include <ngx_config.h>
#include <ngx_core.h>
-#include <ngx_event.h>
-#include <ngx_event_connect.h>
#include <ngx_tcp.h>
-#define _GNU_SOURCE
-#include <fcntl.h>
+typedef struct ngx_tcp_proxy_s {
+ ngx_peer_connection_t *upstream;
+ ngx_buf_t *buffer;
+} ngx_tcp_proxy_ctx_t;
-typedef struct ngx_tcp_proxy_conf_s {
- ngx_tcp_upstream_conf_t upstream;
- ngx_str_t url;
- size_t buffer_size;
+typedef struct ngx_tcp_proxy_conf_s {
+ ngx_tcp_upstream_conf_t upstream;
- /*TODO: support for the variable in the proxy_pass*/
- ngx_array_t *proxy_lengths;
- ngx_array_t *proxy_values;
+ ngx_str_t url;
+ size_t buffer_size;
} ngx_tcp_proxy_conf_t;
-static void ngx_tcp_set_session_socket(ngx_tcp_session_t *s);
-static void ngx_tcp_proxy_init(ngx_connection_t *c, ngx_tcp_session_t *s);
-static void ngx_tcp_upstream_proxy_generic_handler(ngx_tcp_session_t *s,
- ngx_tcp_upstream_t *u);
+static void ngx_tcp_proxy_init_session(ngx_tcp_session_t *s);
+static void ngx_tcp_proxy_init_upstream(ngx_connection_t *c,
+ ngx_tcp_session_t *s);
+static void ngx_tcp_upstream_init_proxy_handler(ngx_tcp_session_t *s,
+ ngx_tcp_upstream_t *u);
static char *ngx_tcp_proxy_pass(ngx_conf_t *cf, ngx_command_t *cmd, void *conf);
static void ngx_tcp_proxy_dummy_read_handler(ngx_event_t *ev);
static void ngx_tcp_proxy_dummy_write_handler(ngx_event_t *ev);
static void ngx_tcp_proxy_handler(ngx_event_t *ev);
static void *ngx_tcp_proxy_create_conf(ngx_conf_t *cf);
static char *ngx_tcp_proxy_merge_conf(ngx_conf_t *cf, void *parent,
- void *child);
+ void *child);
+
+
+static ngx_tcp_protocol_t ngx_tcp_generic_protocol = {
+
+ ngx_string("tcp_generic"),
+ { 0, 0, 0, 0 },
+ NGX_TCP_GENERIC_PROTOCOL,
+ ngx_tcp_proxy_init_session,
+ NULL,
+ NULL,
+ ngx_string("500 Internal server error" CRLF)
+
+};
+
static ngx_command_t ngx_tcp_proxy_commands[] = {
{ ngx_string("proxy_pass"),
- NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_tcp_proxy_pass,
- NGX_TCP_SRV_CONF_OFFSET,
- 0,
- NULL },
+ NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_tcp_proxy_pass,
+ NGX_TCP_SRV_CONF_OFFSET,
+ 0,
+ NULL },
{ ngx_string("proxy_buffer"),
- NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_size_slot,
- NGX_TCP_SRV_CONF_OFFSET,
- offsetof(ngx_tcp_proxy_conf_t, buffer_size),
- NULL },
+ NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_size_slot,
+ NGX_TCP_SRV_CONF_OFFSET,
+ offsetof(ngx_tcp_proxy_conf_t, buffer_size),
+ NULL },
{ ngx_string("proxy_connect_timeout"),
- NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_msec_slot,
- NGX_TCP_SRV_CONF_OFFSET,
- offsetof(ngx_tcp_proxy_conf_t, upstream.connect_timeout),
- NULL },
+ NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_msec_slot,
+ NGX_TCP_SRV_CONF_OFFSET,
+ offsetof(ngx_tcp_proxy_conf_t, upstream.connect_timeout),
+ NULL },
{ ngx_string("proxy_read_timeout"),
- NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_msec_slot,
- NGX_TCP_SRV_CONF_OFFSET,
- offsetof(ngx_tcp_proxy_conf_t, upstream.read_timeout),
- NULL },
+ NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_msec_slot,
+ NGX_TCP_SRV_CONF_OFFSET,
+ offsetof(ngx_tcp_proxy_conf_t, upstream.read_timeout),
+ NULL },
{ ngx_string("proxy_send_timeout"),
- NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
- ngx_conf_set_msec_slot,
- NGX_TCP_SRV_CONF_OFFSET,
- offsetof(ngx_tcp_proxy_conf_t, upstream.send_timeout),
- NULL },
+ NGX_TCP_MAIN_CONF|NGX_TCP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_msec_slot,
+ NGX_TCP_SRV_CONF_OFFSET,
+ offsetof(ngx_tcp_proxy_conf_t, upstream.send_timeout),
+ NULL },
ngx_null_command
};
static ngx_tcp_module_t ngx_tcp_proxy_module_ctx = {
- NULL, /* protocol */
+ &ngx_tcp_generic_protocol, /* protocol */
NULL, /* create main configuration */
NULL, /* init main configuration */
@@ -101,10 +114,18 @@ ngx_module_t ngx_tcp_proxy_module = {
};
-void
-ngx_tcp_proxy_init_session(ngx_connection_t *c, ngx_tcp_session_t *s)
+static void
+ngx_tcp_proxy_init_session(ngx_tcp_session_t *s)
{
+ ngx_connection_t *c;
ngx_tcp_proxy_conf_t *pcf;
+ ngx_tcp_core_srv_conf_t *cscf;
+
+ c = s->connection;
+
+ ngx_log_debug0(NGX_LOG_DEBUG_TCP, c->log, 0, "tcp proxy init session");
+
+ cscf = ngx_tcp_get_module_srv_conf(s, ngx_tcp_core_module);
pcf = ngx_tcp_get_module_srv_conf(s, ngx_tcp_proxy_module);
@@ -114,19 +135,14 @@ ngx_tcp_proxy_init_session(ngx_connection_t *c, ngx_tcp_session_t *s)
return;
}
+ s->out.len = 0;
+
c->write->handler = ngx_tcp_proxy_dummy_write_handler;
c->read->handler = ngx_tcp_proxy_dummy_read_handler;
- if (ngx_tcp_upstream_create(s) != NGX_OK) {
- ngx_tcp_finalize_session(s);
- return;
- }
-
- /*do something about the proxy related part in the session struct*/
+ ngx_add_timer(c->read, cscf->timeout);
- ngx_tcp_set_session_socket(s);
-
- ngx_tcp_proxy_init(c, s);
+ ngx_tcp_proxy_init_upstream(c, s);
return;
}
@@ -141,7 +157,8 @@ ngx_tcp_proxy_dummy_write_handler(ngx_event_t *wev)
c = wev->data;
s = c->data;
- ngx_log_debug1(NGX_LOG_DEBUG_TCP, wev->log, 0, "tcp proxy dummy write handler: %d", c->fd);
+ ngx_log_debug1(NGX_LOG_DEBUG_TCP, wev->log, 0,
+ "tcp proxy dummy write handler: %d", c->fd);
if (ngx_handle_write_event(wev, 0) != NGX_OK) {
ngx_tcp_finalize_session(s);
@@ -158,59 +175,29 @@ ngx_tcp_proxy_dummy_read_handler(ngx_event_t *rev)
c = rev->data;
s = c->data;
- ngx_log_debug1(NGX_LOG_DEBUG_TCP, rev->log, 0, "tcp proxy dummy read handler: %d", c->fd);
+ ngx_log_debug1(NGX_LOG_DEBUG_TCP, rev->log, 0,
+ "tcp proxy dummy read handler: %d", c->fd);
if (ngx_handle_read_event(rev, 0) != NGX_OK) {
ngx_tcp_finalize_session(s);
}
}
-static void
-ngx_tcp_set_session_socket(ngx_tcp_session_t *s)
-{
- int keepalive;
- int tcp_nodelay;
- ngx_tcp_core_srv_conf_t *cscf;
-
- cscf = ngx_tcp_get_module_srv_conf(s, ngx_tcp_core_module);
-
- if (cscf->so_keepalive) {
- keepalive = 1;
-
- if (setsockopt(s->connection->fd, SOL_SOCKET, SO_KEEPALIVE,
- (const void *) &keepalive, sizeof(int)) == -1)
- {
- ngx_log_error(NGX_LOG_ALERT, s->connection->log, ngx_socket_errno,
- "setsockopt(SO_KEEPALIVE) failed");
- }
- }
-
- if (cscf->tcp_nodelay) {
- tcp_nodelay = 1;
- if (setsockopt(s->connection->fd, IPPROTO_TCP, TCP_NODELAY,
- (const void *) &tcp_nodelay, sizeof(int))
- == -1)
- {
- ngx_log_error(NGX_LOG_ALERT, s->connection->log, ngx_socket_errno,
- "setsockopt(TCP_NODELAY) failed");
- }
-
- s->connection->tcp_nodelay = NGX_TCP_NODELAY_SET;
- }
-}
-
-
static void
-ngx_tcp_proxy_init(ngx_connection_t *c, ngx_tcp_session_t *s)
+ngx_tcp_proxy_init_upstream(ngx_connection_t *c, ngx_tcp_session_t *s)
{
ngx_tcp_upstream_t *u;
ngx_tcp_proxy_ctx_t *p;
ngx_tcp_proxy_conf_t *pcf;
- s->connection->log->action = "ngx_tcp_proxy_init";
+ s->connection->log->action = "ngx_tcp_proxy_init_upstream";
pcf = ngx_tcp_get_module_srv_conf(s, ngx_tcp_proxy_module);
+ if (pcf->upstream.upstream == NULL) {
+ ngx_tcp_finalize_session(s);
+ return;
+ }
p = ngx_pcalloc(s->connection->pool, sizeof(ngx_tcp_proxy_ctx_t));
if (p == NULL) {
@@ -220,12 +207,17 @@ ngx_tcp_proxy_init(ngx_connection_t *c, ngx_tcp_session_t *s)
ngx_tcp_set_ctx(s, p, ngx_tcp_proxy_module);
+ if (ngx_tcp_upstream_create(s) != NGX_OK) {
+ ngx_tcp_finalize_session(s);
+ return;
+ }
+
u = s->upstream;
u->conf = &pcf->upstream;
- u->write_event_handler = ngx_tcp_upstream_proxy_generic_handler;
- u->read_event_handler = ngx_tcp_upstream_proxy_generic_handler;
+ u->write_event_handler = ngx_tcp_upstream_init_proxy_handler;
+ u->read_event_handler = ngx_tcp_upstream_init_proxy_handler;
p->upstream = &u->peer;
@@ -235,28 +227,24 @@ ngx_tcp_proxy_init(ngx_connection_t *c, ngx_tcp_session_t *s)
return;
}
- s->out.len = 0;
-
ngx_tcp_upstream_init(s);
return;
}