From 5adab8730a91136d0e3cc838403f18e0e8ac22fc Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 13:05:19 +0800 Subject: [PATCH 01/15] feat: introduce tls.disable_alpn() function --- lualib/resty/kong/tls.lua | 24 +++++- src/ngx_http_lua_kong_module.h | 3 + src/ngx_http_lua_kong_ssl.c | 42 +++++++++ t/012-tls_disable_http2_alpn.t | 152 +++++++++++++++++++++++++++++++++ 4 files changed, 220 insertions(+), 1 deletion(-) create mode 100644 t/012-tls_disable_http2_alpn.t diff --git a/lualib/resty/kong/tls.lua b/lualib/resty/kong/tls.lua index 648d5342..eeec5d88 100644 --- a/lualib/resty/kong/tls.lua +++ b/lualib/resty/kong/tls.lua @@ -31,6 +31,8 @@ local get_string_buf = base.get_string_buf local size_ptr = base.get_size_ptr() local orig_get_request = base.get_request local subsystem = ngx.config.subsystem +local errmsg = base.get_errmsg_ptr() +local FFI_OK = base.FFI_OK base.allows_subsystem('http', 'stream') local kong_lua_kong_ffi_get_full_client_certificate_chain @@ -41,6 +43,7 @@ local kong_lua_kong_ffi_set_upstream_ssl_verify local kong_lua_kong_ffi_set_upstream_ssl_verify_depth local kong_lua_kong_ffi_get_socket_ssl local kong_lua_kong_ffi_get_request_ssl +local kong_lua_kong_ffi_disable_http2_alpn if subsystem == "http" then ffi.cdef([[ typedef struct ssl_st SSL; @@ -61,6 +64,7 @@ if subsystem == "http" then void **ssl_conn); int ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r, void **ssl_conn); + int ngx_http_lua_ffi_ssl_disable_http2_alpn(ngx_http_request_t *r, char **err); ]]) kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_http_lua_kong_ffi_get_full_client_certificate_chain 
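Review bot: The FFI symbol added to the cdef, `ngx_http_lua_ffi_ssl_disable_http2_alpn`, drops the `kong` segment that every other declaration in this block carries (`ngx_http_lua_kong_ffi_*`), although the function is defined in this module's `src/ngx_http_lua_kong_ssl.c`. The unprefixed `ngx_http_lua_ffi_ssl_*` form looks like a name from the upstream Lua module's namespace, which obscures where the code lives and risks a symbol clash. Naming it `ngx_http_lua_kong_ffi_disable_http2_alpn` here, in the `C.` binding added by the next hunk, and in the C definition would keep the namespace consistent. The cdef block starts outside the hunk.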
@@ -71,7 +75,7 @@ if subsystem == "http" then kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth kong_lua_kong_ffi_get_socket_ssl = C.ngx_http_lua_kong_ffi_get_socket_ssl kong_lua_kong_ffi_get_request_ssl = C.ngx_http_lua_kong_ffi_get_request_ssl - + kong_lua_kong_ffi_disable_http2_alpn = C.ngx_http_lua_ffi_ssl_disable_http2_alpn elseif subsystem == 'stream' then ffi.cdef([[ @@ -333,6 +337,24 @@ do error("unknown return code: " .. tostring(ret)) end + + function _M.disable_http2_alpn() + if get_phase() ~= "ssl_client_hello" then + error("API disabled in the current context") + end + + local r = get_request() + if not r then + error("no request found") + end + + local rc = kong_lua_kong_ffi_disable_http2_alpn(r, errmsg) + if rc == FFI_OK then + return true + end + + return false, ffi_string(errmsg[0]) + end end if ngx.config.subsystem == "stream" then diff --git a/src/ngx_http_lua_kong_module.h b/src/ngx_http_lua_kong_module.h index 0996262b..2f27821e 100644 --- a/src/ngx_http_lua_kong_module.h +++ b/src/ngx_http_lua_kong_module.h @@ -36,5 +36,8 @@ ngx_flag_t ngx_http_lua_kong_get_upstream_ssl_verify(ngx_http_request_t *r, ngx_flag_t proxy_ssl_verify); +ngx_flag_t +ngx_lua_kong_ssl_enable_http2_alpn(ngx_ssl_connection_t *ssl, + ngx_flag_t enable_http2); #endif /* _NGX_HTTP_LUA_KONG_MODULE_H_INCLUDED_ */ diff --git a/src/ngx_http_lua_kong_ssl.c b/src/ngx_http_lua_kong_ssl.c index 7e56501b..2de48ecb 100644 --- a/src/ngx_http_lua_kong_ssl.c +++ b/src/ngx_http_lua_kong_ssl.c 
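Review bot: `_M.disable_http2_alpn` calls `kong_lua_kong_ffi_disable_http2_alpn` unconditionally, but that upvalue is assigned only in the `if subsystem == "http"` branch and stays nil under the stream subsystem. The enclosing `do` block starts outside the hunk, so whether it is http-only cannot be seen here. If it is not, a stream caller gets "attempt to call a nil value" instead of a clear refusal. A guard at the top of the function, `if subsystem ~= "http" then error("API not supported in the stream subsystem") end`, would make the limit explicit. A one-line header comment stating the contract (returns `true`, or `false` plus an error string, and raises outside the `ssl_client_hello` phase) would also help callers who must not ignore a failed disable.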
@@ -198,6 +198,48 @@ ngx_http_lua_kong_get_upstream_ssl_verify(ngx_http_request_t *r, return ngx_lua_kong_ssl_get_upstream_ssl_verify(&ctx->ssl_ctx, proxy_ssl_verify); } +ngx_flag_t +ngx_lua_kong_ssl_enable_http2_alpn(ngx_ssl_connection_t *ssl, + ngx_flag_t enable_http2) +{ + ngx_http_lua_ssl_ctx_t *cctx; + + cctx = ngx_http_lua_ssl_get_ctx(ssl->connection); + if (cctx->disable_http2_alpn) { + return 0; + } + + return enable_http2; +} + +int +ngx_http_lua_ffi_ssl_disable_http2_alpn(ngx_http_request_t *r, char **err) +{ + ngx_ssl_conn_t *ssl_conn; + ngx_http_lua_ssl_ctx_t *cctx; + + if (r->connection == NULL || r->connection->ssl == NULL) { + *err = "bad request"; + return NGX_ERROR; + } + + ssl_conn = r->connection->ssl->connection; + if (ssl_conn == NULL) { + *err = "bad ssl conn"; + return NGX_ERROR; + } + + cctx = ngx_http_lua_ssl_get_ctx(ssl_conn); + if (cctx == NULL) { + *err = "bad lua context"; + return NGX_ERROR; + } + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "lua ssl disable http2"); + cctx->disable_http2_alpn = 1; + + return NGX_OK; +} #endif diff --git a/t/012-tls_disable_http2_alpn.t b/t/012-tls_disable_http2_alpn.t new file mode 100644 index 00000000..f5fdc1dd --- /dev/null +++ b/t/012-tls_disable_http2_alpn.t 
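Review bot: `ngx_lua_kong_ssl_enable_http2_alpn` dereferences `cctx` without a NULL check, while `ngx_http_lua_ffi_ssl_disable_http2_alpn` just below treats a NULL result from the same `ngx_http_lua_ssl_get_ctx()` call as an error. The call site is not visible here, but if this helper runs for connections where no Lua SSL handler created a context, a client could crash the worker during the TLS handshake. The guard should read `if (cctx && cctx->disable_http2_alpn) {`. PATCH 11/15 further down makes exactly that change, so folding it into this commit would keep every commit in the series safe to build and bisect. A short comment above each function stating what it returns would also help.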
@@ -0,0 +1,152 @@ +# vim:set ft= ts=4 sw=4 et: + +use Test::Nginx::Socket::Lua; +use Cwd qw(cwd); + +repeat_each(2); + +plan tests => repeat_each() * (blocks() * 7 - 2); + +my $pwd = cwd(); + +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + +log_level('info'); +no_long_string(); +#no_diff(); + +run_tests(); + +__DATA__ + +=== TEST 1: normal http2 alpn +--- http_config + lua_package_path "../lua-resty-core/lib/?.lua;lualib/?.lua;;"; + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + listen 60000 ssl; + server_name konghq.com; + ssl_certificate ../../certs/test.crt; + ssl_certificate_key ../../certs/test.key; + ssl_session_cache off; + ssl_session_tickets on; + server_tokens off; + http2 on; + ssl_client_hello_by_lua_block { + local tls = require("resty.kong.tls") + local ok, err = tls.disable_http2_alpn() + if not ok then + ngx.log(ngx.ERR, "failed to disable http2") + end + } + location /foo { + default_type 'text/plain'; + content_by_lua_block {ngx.exit(200)} + more_clear_headers Date; + } + } +--- config + server_tokens off; + location /t { + content_by_lua_block { + local ngx_pipe = require "ngx.pipe" + local proc = ngx_pipe.spawn({'curl', '-vk', '--resolve', 'konghq.com:60000:127.0.0.1', 'https://konghq.com:60000'}) + local stdout_data, err = proc:stdout_read_all() + if not stdout_data then + ngx.say(err) + return + end + + local stderr_data, err = proc:stderr_read_all() + if not stderr_data then + ngx.say(err) + return + end + + if string.find(stdout_data, "ALPN: server accepted h2") ~= nil then + ngx.say("alpn server accepted h2") + return + end + + if string.find(stderr_data, "ALPN: server accepted http/1.1") ~= nil then + ngx.say("alpn server accepted http/1.1") + return + end + } + } +--- request +GET /t +--- response_body +alpn server accepted http/1.1 +--- no_error_log +[error] +[alert] +[warn] +[crit] + +=== TEST 2: disable http2 alpn +--- http_config + lua_package_path "../lua-resty-core/lib/?.lua;lualib/?.lua;;"; + + server { + listen 
unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + listen 60000 ssl; + server_name konghq.com; + ssl_certificate ../../certs/test.crt; + ssl_certificate_key ../../certs/test.key; + ssl_session_cache off; + ssl_session_tickets on; + server_tokens off; + http2 on; + ssl_client_hello_by_lua_block { + local tls = require("resty.kong.tls") + local ok, err = tls.disable_http2_alpn() + if not ok then + ngx.log(ngx.ERR, "failed to disable http2") + end + } + location /foo { + default_type 'text/plain'; + content_by_lua_block {ngx.exit(200)} + more_clear_headers Date; + } + } +--- config + server_tokens off; + location /t { + content_by_lua_block { + local ngx_pipe = require "ngx.pipe" + local proc = ngx_pipe.spawn({'curl', '-vk', '--resolve', 'konghq.com:60000:127.0.0.1', 'https://konghq.com:60000'}) + local stdout_data, err = proc:stdout_read_all() + if not stdout_data then + ngx.say(err) + return + end + + local stderr_data, err = proc:stderr_read_all() + if not stderr_data then + ngx.say(err) + return + end + + if string.find(stdout_data, "ALPN: server accepted h2") ~= nil then + ngx.say("alpn server accepted h2") + return + end + + if string.find(stderr_data, "ALPN: server accepted http/1.1") ~= nil then + ngx.say("alpn server accepted http/1.1") + return + end + } + } +--- request +GET /t +--- response_body +alpn server accepted http/1.1 +--- no_error_log +[error] +[alert] +[warn] +[crit] \ No newline at end of file From bb9b4bcbaa8da071d744ddefad88bee18e128b51 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 14:07:45 +0800 Subject: [PATCH 02/15] feat(patch): support dynamic disable http2 alpn in ssl client hello phase --- src/ngx_http_lua_kong_ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_http_lua_kong_ssl.c b/src/ngx_http_lua_kong_ssl.c index 2de48ecb..47fd456a 100644 --- a/src/ngx_http_lua_kong_ssl.c +++ b/src/ngx_http_lua_kong_ssl.c 
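Review bot: Both `ssl_client_hello_by_lua_block` handlers discard the error string. `ngx.log(ngx.ERR, "failed to disable http2")` never uses `err`, so a failing run does not show which C-side check ("bad request", "bad ssl conn", "bad lua context") rejected the call. Logging it costs nothing: `ngx.log(ngx.ERR, "failed to disable http2: ", err)`. The `/t` handler also prints nothing when no ALPN line matches, so a negotiation failure appears only as an empty body; a final `ngx.say("no ALPN result: ", stderr_data)` after the last `if` would make that case readable.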
@@ -17,7 +17,7 @@ #include "ngx_http_lua_kong_common.h" #include "ngx_http_lua_socket_tcp.h" - +#include "ngx_http_lua_ssl.h" /* * disables session reuse for the current TLS connection, must be called From 3f8774a1dbddc179585bac6e149a184878af6029 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 14:12:03 +0800 Subject: [PATCH 03/15] feat(patch): support dynamic disable http2 alpn in ssl client hello phase --- src/ngx_http_lua_kong_ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_http_lua_kong_ssl.c b/src/ngx_http_lua_kong_ssl.c index 47fd456a..7be6ba6a 100644 --- a/src/ngx_http_lua_kong_ssl.c +++ b/src/ngx_http_lua_kong_ssl.c @@ -18,7 +18,7 @@ #include "ngx_http_lua_kong_common.h" #include "ngx_http_lua_socket_tcp.h" #include "ngx_http_lua_ssl.h" - +#include "ngx_http_lua_util.h" /* * disables session reuse for the current TLS connection, must be called * in ssl_certby_lua* phase From ac8092aa3acfdab18f602be2b4f88d1c166cc107 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 14:27:08 +0800 Subject: [PATCH 04/15] fix code --- src/ngx_http_lua_kong_ssl.c | 1 + t/012-tls_disable_http2_alpn.t | 16 ++++++++-------- 2 files changed, 9 insertions(+), 8 deletions(-) diff --git a/src/ngx_http_lua_kong_ssl.c b/src/ngx_http_lua_kong_ssl.c index 7be6ba6a..22353240 100644 --- a/src/ngx_http_lua_kong_ssl.c +++ b/src/ngx_http_lua_kong_ssl.c @@ -19,6 +19,7 @@ #include "ngx_http_lua_socket_tcp.h" #include "ngx_http_lua_ssl.h" #include "ngx_http_lua_util.h" + /* * disables session reuse for the current TLS connection, must be called * in ssl_certby_lua* phase diff --git a/t/012-tls_disable_http2_alpn.t b/t/012-tls_disable_http2_alpn.t index f5fdc1dd..d5c37640 100644 --- a/t/012-tls_disable_http2_alpn.t +++ b/t/012-tls_disable_http2_alpn.t 
@@ -26,9 +26,9 @@ __DATA__ server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; listen 60000 ssl; - server_name konghq.com; - ssl_certificate ../../certs/test.crt; - ssl_certificate_key ../../certs/test.key; + server_name example.com; + ssl_certificate ../../cert/example.com.crt; + ssl_certificate_key ../../cert/example.com.key; ssl_session_cache off; ssl_session_tickets on; server_tokens off; @@ -51,7 +51,7 @@ __DATA__ location /t { content_by_lua_block { local ngx_pipe = require "ngx.pipe" - local proc = ngx_pipe.spawn({'curl', '-vk', '--resolve', 'konghq.com:60000:127.0.0.1', 'https://konghq.com:60000'}) + local proc = ngx_pipe.spawn({'curl', '-vk', '--resolve', 'example.com:60000:127.0.0.1', 'https://example.com:60000'}) local stdout_data, err = proc:stdout_read_all() if not stdout_data then ngx.say(err) @@ -92,9 +92,9 @@ alpn server accepted http/1.1 server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; listen 60000 ssl; - server_name konghq.com; - ssl_certificate ../../certs/test.crt; - ssl_certificate_key ../../certs/test.key; + server_name example.com; + ssl_certificate ../../cert/example.com.crt; + ssl_certificate_key ../../cert/example.com.key; ssl_session_cache off; ssl_session_tickets on; server_tokens off; @@ -117,7 +117,7 @@ alpn server accepted http/1.1 location /t { content_by_lua_block { local ngx_pipe = require "ngx.pipe" - local proc = ngx_pipe.spawn({'curl', '-vk', '--resolve', 'konghq.com:60000:127.0.0.1', 'https://konghq.com:60000'}) + local proc = ngx_pipe.spawn({'curl', '-vk', '--resolve', 'example.com:60000:127.0.0.1', 'https://example.com:60000'}) local stdout_data, err = proc:stdout_read_all() if not stdout_data then ngx.say(err) From 19144dcab80b2151f49bc1444e44e94409a327da Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 14:34:30 +0800 Subject: [PATCH 05/15] fix code --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 10d24289..546769a8 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -5,7 +5,7 @@ on: push: env: - KONG_VERSION: master + KONG_VERSION: disable-h2-alpn-re BUILD_ROOT: ${{ github.workspace }}/kong/bazel-bin/build concurrency: From bc158b5d948904988349288e9a187783451243fa Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 15:18:19 +0800 Subject: [PATCH 06/15] fix code --- t/012-tls_disable_http2_alpn.t | 3 +++ 1 file changed, 3 insertions(+) diff --git a/t/012-tls_disable_http2_alpn.t b/t/012-tls_disable_http2_alpn.t index d5c37640..ba044bfb 100644 --- a/t/012-tls_disable_http2_alpn.t +++ b/t/012-tls_disable_http2_alpn.t @@ -64,6 +64,9 @@ __DATA__ return end + ngx.log(ngx.ERR, stdout_data) + ngx.log(ngx.ERR, stderr_data) + if string.find(stdout_data, "ALPN: server accepted h2") ~= nil then ngx.say("alpn server accepted h2") return From bdcc55b2caf0e9277ce39a363e3a9e94625b1239 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 15:22:14 +0800 Subject: [PATCH 07/15] fix code --- .github/workflows/tests.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 546769a8..f7c4bdaf 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -135,7 +135,8 @@ jobs: openssl version prove -r t - + - name: Setup tmate session + uses: mxschmitt/action-tmate@v3 - name: Run Test with Valgrind run: | source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh From 115e101f3348c3e07e897793e985a26d4fd00f46 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 15:32:45 +0800 Subject: [PATCH 08/15] fix code --- .github/workflows/tests.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index f7c4bdaf..3036caca 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml 
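Review bot: `KONG_VERSION: disable-h2-alpn-re` points the whole test workflow at a mutable feature branch instead of `master`, and none of the later patches on this page changes it back. Once that branch is rebased or deleted, CI either tests code other than what was reviewed or stops building. Restore `KONG_VERSION: master` before merge. If the tests really depend on the Kong-side change for now, mark the line with a comment such as `# temporary: requires the Kong branch carrying the ALPN patch; revert to master before merge`.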
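Review bot: The added `Setup tmate session` step opens an interactive remote shell on the runner on every run of this push-triggered workflow, and it pulls a third-party action by the movable tag `@v3`. Unless access is restricted, the session address printed in the job log is enough to connect, and the shell sees the checkout and whatever credentials the job holds. If it is needed for debugging at all, keep it on a throwaway branch, pin the action to a full commit SHA, and add `with:` / `limit-access-to-actor: true` plus a `timeout-minutes:` on the step. PATCH 08/15 only gates it with `if: ${{ failure() }}` and PATCH 09/15 deletes it, so squashing those three commits would keep the step out of the merged history.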
@@ -136,6 +136,7 @@ jobs: prove -r t - name: Setup tmate session + if: ${{ failure() }} uses: mxschmitt/action-tmate@v3 - name: Run Test with Valgrind run: | From 69f9a08e7f2a30410c3ec4797bb97fb8d6fb9e5a Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 25 Sep 2024 15:55:27 +0800 Subject: [PATCH 09/15] fix code --- .github/workflows/tests.yml | 3 --- t/012-tls_disable_http2_alpn.t | 22 +++++++++++++++++++--- 2 files changed, 19 insertions(+), 6 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 3036caca..e758d258 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -135,9 +135,6 @@ jobs: openssl version prove -r t - - name: Setup tmate session - if: ${{ failure() }} - uses: mxschmitt/action-tmate@v3 - name: Run Test with Valgrind run: | source ${{ env.BUILD_ROOT }}/kong-dev-venv.sh diff --git a/t/012-tls_disable_http2_alpn.t b/t/012-tls_disable_http2_alpn.t index ba044bfb..527b63d2 100644 --- a/t/012-tls_disable_http2_alpn.t +++ b/t/012-tls_disable_http2_alpn.t @@ -64,9 +64,6 @@ __DATA__ return end - ngx.log(ngx.ERR, stdout_data) - ngx.log(ngx.ERR, stderr_data) - if string.find(stdout_data, "ALPN: server accepted h2") ~= nil then ngx.say("alpn server accepted h2") return @@ -76,6 +73,15 @@ __DATA__ ngx.say("alpn server accepted http/1.1") return end + if string.find(stdout_data, "ALPN, server accepted to use h2") ~= nil then + ngx.say("alpn server accepted h2") + return + end + + if string.find(stderr_data, " ALPN, server accepted to use http/1.1") ~= nil then + ngx.say("alpn server accepted http/1.1") + return + end } } --- request 
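Review bot: The `string.find` calls added in the `t/012-tls_disable_http2_alpn.t` hunk treat the curl messages as Lua patterns, so the `.` in `http/1.1` matches any character. The second string also starts with a stray space (`" ALPN, server accepted to use http/1.1"`) that the other three lack. Plain matching states the intent: `string.find(stderr_data, "ALPN, server accepted to use http/1.1", 1, true)`. The h2 checks here read `stdout_data` while the http/1.1 checks read `stderr_data`; curl writes its verbose output to stderr, so the h2 branch cannot fire as written (PATCH 10/15 switches it). The same lines are added again in the following hunk for TEST 2, and the enclosing `content_by_lua_block` starts outside the hunk.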
@@ -142,6 +148,16 @@ alpn server accepted http/1.1 ngx.say("alpn server accepted http/1.1") return end + + if string.find(stdout_data, "ALPN, server accepted to use h2") ~= nil then + ngx.say("alpn server accepted h2") + return + end + + if string.find(stderr_data, " ALPN, server accepted to use http/1.1") ~= nil then + ngx.say("alpn server accepted http/1.1") + return + end } } --- request From 8e2c7967a8442e7d00f2fe13c81147329de22a8a Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Thu, 26 Sep 2024 15:43:03 +0800 Subject: [PATCH 10/15] fix code --- t/012-tls_disable_http2_alpn.t | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/t/012-tls_disable_http2_alpn.t b/t/012-tls_disable_http2_alpn.t index 527b63d2..89a9d95f 100644 --- a/t/012-tls_disable_http2_alpn.t +++ b/t/012-tls_disable_http2_alpn.t @@ -35,10 +35,6 @@ __DATA__ http2 on; ssl_client_hello_by_lua_block { local tls = require("resty.kong.tls") - local ok, err = tls.disable_http2_alpn() - if not ok then - ngx.log(ngx.ERR, "failed to disable http2") - end } location /foo { default_type 'text/plain'; @@ -64,7 +60,7 @@ __DATA__ return end - if string.find(stdout_data, "ALPN: server accepted h2") ~= nil then + if string.find(stderr_data, "ALPN: server accepted h2") ~= nil then ngx.say("alpn server accepted h2") return end @@ -73,7 +69,7 @@ __DATA__ ngx.say("alpn server accepted http/1.1") return end - if string.find(stdout_data, "ALPN, server accepted to use h2") ~= nil then + if string.find(stderr_data, "ALPN, server accepted to use h2") ~= nil then ngx.say("alpn server accepted h2") return end @@ -87,7 +83,7 @@ __DATA__ --- request GET /t --- response_body -alpn server accepted http/1.1 +alpn server accepted h2 --- no_error_log [error] [alert] 
@@ -139,7 +135,7 @@ alpn server accepted http/1.1 return end - if string.find(stdout_data, "ALPN: server accepted h2") ~= nil then + if string.find(stderr_data, "ALPN: server accepted h2") ~= nil then ngx.say("alpn server accepted h2") return end @@ -149,7 +145,7 @@ alpn server accepted http/1.1 return end - if string.find(stdout_data, "ALPN, server accepted to use h2") ~= nil then + if string.find(stderr_data, "ALPN, server accepted to use h2") ~= nil then ngx.say("alpn server accepted h2") return end From c2f1b74577a896520aab6fd3b20c1e6890a84941 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Thu, 26 Sep 2024 16:04:58 +0800 Subject: [PATCH 11/15] fix code --- src/ngx_http_lua_kong_ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_http_lua_kong_ssl.c b/src/ngx_http_lua_kong_ssl.c index 22353240..04ac9a31 100644 --- a/src/ngx_http_lua_kong_ssl.c +++ b/src/ngx_http_lua_kong_ssl.c @@ -206,7 +206,7 @@ ngx_lua_kong_ssl_enable_http2_alpn(ngx_ssl_connection_t *ssl, ngx_http_lua_ssl_ctx_t *cctx; cctx = ngx_http_lua_ssl_get_ctx(ssl->connection); - if (cctx->disable_http2_alpn) { + if (cctx && cctx->disable_http2_alpn) { return 0; } From 6f31fb971ff94f42436487d3230934139bc54b76 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Sun, 29 Sep 2024 18:08:45 +0800 Subject: [PATCH 12/15] fix code --- src/ngx_http_lua_kong_ssl.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_http_lua_kong_ssl.c b/src/ngx_http_lua_kong_ssl.c index 04ac9a31..3196b891 100644 --- a/src/ngx_http_lua_kong_ssl.c +++ b/src/ngx_http_lua_kong_ssl.c @@ -200,7 +200,7 @@ ngx_http_lua_kong_get_upstream_ssl_verify(ngx_http_request_t *r, } ngx_flag_t -ngx_lua_kong_ssl_enable_http2_alpn(ngx_ssl_connection_t *ssl, +ngx_http_lua_kong_ssl_get_http2_alpn_enabled(ngx_ssl_connection_t *ssl, ngx_flag_t enable_http2) { ngx_http_lua_ssl_ctx_t *cctx; From f3db2dc95beaebf91cf5c338260930b1ac2b4fa5 Mon Sep 17 00:00:00 2001 
From: Jun Ouyang Date: Sun, 29 Sep 2024 18:18:39 +0800 Subject: [PATCH 13/15] fix code --- README.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/README.md b/README.md index a576fdde..b8d84f8d 100644 --- a/README.md +++ b/README.md @@ -380,6 +380,18 @@ Retrieves the OpenSSL `SSL*` object for the current HTTP request. On success, this function returns the pointer of type `SSL`. Otherwise `nil` and a string describing the error will be returned. +resty.kong.tls.disable\_http2\_alpn +---------------------------------------------------- +**syntax:** *ok, err = resty.kong.tls.disable\_http2\_alpn()* + +**context:** *client_hello_by_lua* + +**subsystems:** *http* + +Disables HTTP/2 ALPN negotiation for the current TLS connection. When called, the +connection will not negotiate HTTP/2 using ALPN and will fallback to HTTP/1.1 even though [`http2`](https://nginx.org/en/docs/http/ngx_http_v2_module.html#http2) directive is enabled. + +This function returns `true` when the call is successful. Otherwise it returns `false` and a string describing the error. [Back to TOC](#table-of-contents) From 1d0b70d8c1496fdd65d30fb61e8138cdec64827c Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Sun, 29 Sep 2024 18:19:26 +0800 Subject: [PATCH 14/15] fix code --- src/ngx_http_lua_kong_module.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_http_lua_kong_module.h b/src/ngx_http_lua_kong_module.h index 2f27821e..528b3318 100644 --- a/src/ngx_http_lua_kong_module.h +++ b/src/ngx_http_lua_kong_module.h @@ -37,7 +37,7 @@ ngx_http_lua_kong_get_upstream_ssl_verify(ngx_http_request_t *r, ngx_flag_t proxy_ssl_verify); ngx_flag_t -ngx_lua_kong_ssl_enable_http2_alpn(ngx_ssl_connection_t *ssl, +ngx_http_lua_kong_ssl_get_http2_alpn_enabled(ngx_ssl_connection_t *ssl, ngx_flag_t enable_http2); #endif /* _NGX_HTTP_LUA_KONG_MODULE_H_INCLUDED_ */ From c50352b6bd4b982d163d15eb5e9493c8288582fe Mon Sep 17 00:00:00 2001 
From: Jun Ouyang Date: Mon, 21 Oct 2024 14:42:09 +0800 Subject: [PATCH 15/15] fix code --- lualib/resty/kong/tls.lua | 4 ++-- src/ngx_http_lua_kong_ssl.c | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/lualib/resty/kong/tls.lua b/lualib/resty/kong/tls.lua index eeec5d88..1cb9edc2 100644 --- a/lualib/resty/kong/tls.lua +++ b/lualib/resty/kong/tls.lua @@ -64,7 +64,7 @@ if subsystem == "http" then void **ssl_conn); int ngx_http_lua_kong_ffi_get_request_ssl(ngx_http_request_t *r, void **ssl_conn); - int ngx_http_lua_ffi_ssl_disable_http2_alpn(ngx_http_request_t *r, char **err); + int ngx_http_lua_ffi_disable_http2_alpn(ngx_http_request_t *r, char **err); ]]) kong_lua_kong_ffi_get_full_client_certificate_chain = C.ngx_http_lua_kong_ffi_get_full_client_certificate_chain @@ -75,7 +75,7 @@ if subsystem == "http" then kong_lua_kong_ffi_set_upstream_ssl_verify_depth = C.ngx_http_lua_kong_ffi_set_upstream_ssl_verify_depth kong_lua_kong_ffi_get_socket_ssl = C.ngx_http_lua_kong_ffi_get_socket_ssl kong_lua_kong_ffi_get_request_ssl = C.ngx_http_lua_kong_ffi_get_request_ssl - kong_lua_kong_ffi_disable_http2_alpn = C.ngx_http_lua_ffi_ssl_disable_http2_alpn + kong_lua_kong_ffi_disable_http2_alpn = C.ngx_http_lua_ffi_disable_http2_alpn elseif subsystem == 'stream' then ffi.cdef([[ diff --git a/src/ngx_http_lua_kong_ssl.c b/src/ngx_http_lua_kong_ssl.c index 3196b891..9f819363 100644 --- a/src/ngx_http_lua_kong_ssl.c +++ b/src/ngx_http_lua_kong_ssl.c @@ -214,7 +214,7 @@ ngx_http_lua_kong_ssl_get_http2_alpn_enabled(ngx_ssl_connection_t *ssl, } int -ngx_http_lua_ffi_ssl_disable_http2_alpn(ngx_http_request_t *r, char **err) +ngx_http_lua_ffi_disable_http2_alpn(ngx_http_request_t *r, char **err) { ngx_ssl_conn_t *ssl_conn; ngx_http_lua_ssl_ctx_t *cctx;