feature: implemented the ssl_client_hello_by_lua_block and ssl_client_hello_by_lua_file directives for controlling the NGINX downstream SSL handshake dynamically with Lua.
catbro666 authored and zhuizhuhaomeng committed Sep 20, 2021
1 parent 776f829 commit fef2581
Showing 12 changed files with 3,837 additions and 203 deletions.
314 changes: 222 additions & 92 deletions README.markdown


2 changes: 2 additions & 0 deletions config
Expand Up @@ -286,6 +286,7 @@ HTTP_LUA_SRCS=" \
$ngx_addon_dir/src/ngx_http_lua_timer.c \
$ngx_addon_dir/src/ngx_http_lua_config.c \
$ngx_addon_dir/src/ngx_http_lua_worker.c \
$ngx_addon_dir/src/ngx_http_lua_ssl_client_helloby.c \
$ngx_addon_dir/src/ngx_http_lua_ssl_certby.c \
$ngx_addon_dir/src/ngx_http_lua_ssl_ocsp.c \
$ngx_addon_dir/src/ngx_http_lua_lex.c \
Expand Down Expand Up @@ -347,6 +348,7 @@ HTTP_LUA_DEPS=" \
$ngx_addon_dir/src/ngx_http_lua_uthread.h \
$ngx_addon_dir/src/ngx_http_lua_timer.h \
$ngx_addon_dir/src/ngx_http_lua_config.h \
$ngx_addon_dir/src/ngx_http_lua_ssl_client_helloby.h \
$ngx_addon_dir/src/ngx_http_lua_ssl_certby.h \
$ngx_addon_dir/src/ngx_http_lua_lex.h \
$ngx_addon_dir/src/ngx_http_lua_balancer.h \
305 changes: 213 additions & 92 deletions doc/HttpLuaModule.wiki


34 changes: 20 additions & 14 deletions src/ngx_http_lua_common.h
Expand Up @@ -125,20 +125,21 @@ typedef struct {


/* must be within 16 bit */
#define NGX_HTTP_LUA_CONTEXT_SET 0x0001
#define NGX_HTTP_LUA_CONTEXT_REWRITE 0x0002
#define NGX_HTTP_LUA_CONTEXT_ACCESS 0x0004
#define NGX_HTTP_LUA_CONTEXT_CONTENT 0x0008
#define NGX_HTTP_LUA_CONTEXT_LOG 0x0010
#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER 0x0020
#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER 0x0040
#define NGX_HTTP_LUA_CONTEXT_TIMER 0x0080
#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER 0x0100
#define NGX_HTTP_LUA_CONTEXT_BALANCER 0x0200
#define NGX_HTTP_LUA_CONTEXT_SSL_CERT 0x0400
#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE 0x0800
#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH 0x1000
#define NGX_HTTP_LUA_CONTEXT_EXIT_WORKER 0x2000
#define NGX_HTTP_LUA_CONTEXT_SET 0x0001
#define NGX_HTTP_LUA_CONTEXT_REWRITE 0x0002
#define NGX_HTTP_LUA_CONTEXT_ACCESS 0x0004
#define NGX_HTTP_LUA_CONTEXT_CONTENT 0x0008
#define NGX_HTTP_LUA_CONTEXT_LOG 0x0010
#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER 0x0020
#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER 0x0040
#define NGX_HTTP_LUA_CONTEXT_TIMER 0x0080
#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER 0x0100
#define NGX_HTTP_LUA_CONTEXT_BALANCER 0x0200
#define NGX_HTTP_LUA_CONTEXT_SSL_CERT 0x0400
#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE 0x0800
#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH 0x1000
#define NGX_HTTP_LUA_CONTEXT_EXIT_WORKER 0x2000
#define NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO 0x4000


#define NGX_HTTP_LUA_FFI_NO_REQ_CTX -100
Expand Down Expand Up @@ -318,6 +319,11 @@ union ngx_http_lua_srv_conf_u {
ngx_str_t ssl_sess_fetch_src;
u_char *ssl_sess_fetch_src_key;
int ssl_sess_fetch_src_ref;

ngx_http_lua_srv_conf_handler_pt ssl_client_hello_handler;
ngx_str_t ssl_client_hello_src;
u_char *ssl_client_hello_src_key;
int ssl_client_hello_src_ref;
} srv;
#endif

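Review bot: `NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO 0x4000` occupies the fifteenth bit of a value the comment directly above says `must be within 16 bit`, so after this change only `0x8000` is left; the comment should say so, e.g. `/* must be within 16 bit; 0x8000 is the last free flag */`, so that the next phase added here does not silently exceed the width. The same hunk deletes and re-adds the fourteen existing `#define` lines purely to realign the value column, which inflates the diff and buries the one substantive line; keeping the existing column, or realigning in a separate whitespace-only commit, would make the addition reviewable on its own. The new `ssl_client_hello_*` fields in `srv` mirror the `ssl_sess_fetch_*` quartet above them, which is the consistent choice; the enclosing `union ngx_http_lua_srv_conf_u` and the `#if` that the closing `#endif` belongs to both start outside this hunk.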
2 changes: 2 additions & 0 deletions src/ngx_http_lua_control.c
Expand Up @@ -370,6 +370,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
| NGX_HTTP_LUA_CONTEXT_TIMER
| NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
| NGX_HTTP_LUA_CONTEXT_BALANCER
| NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
| NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH,
Expand All @@ -380,6 +381,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
}

if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))
{
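Review bot: The four-flag mask `NGX_HTTP_LUA_CONTEXT_SSL_CERT | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH` is spelled out by hand in the second hunk here and again twice in src/ngx_http_lua_ctx.c (`ngx_http_lua_ffi_get_ctx_ref` and `ngx_http_lua_ffi_set_ctx_ref`), and each copy had to be patched separately in this commit. A single definition next to the flags in ngx_http_lua_common.h, `#define NGX_HTTP_LUA_CONTEXT_SSL_PHASE (NGX_HTTP_LUA_CONTEXT_SSL_CERT | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH)`, would keep these three sites — the `in_ssl_phase` computation in particular — in step when another SSL phase is added. The body of `ngx_http_lua_ffi_exit` starts and ends outside both hunks, so whether the status value written in the SSL branch is meaningful for the client-hello callback as well as for the cert callback cannot be checked from here.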
2 changes: 2 additions & 0 deletions src/ngx_http_lua_ctx.c
Expand Up @@ -88,6 +88,7 @@ ngx_http_lua_ffi_get_ctx_ref(ngx_http_request_t *r, int *in_ssl_phase,
}

*in_ssl_phase = ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE);
*ssl_ctx_ref = LUA_NOREF;
Expand Down Expand Up @@ -123,6 +124,7 @@ ngx_http_lua_ffi_set_ctx_ref(ngx_http_request_t *r, int ref)

#if (NGX_HTTP_SSL)
if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
| NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH
| NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE))
{
59 changes: 59 additions & 0 deletions src/ngx_http_lua_module.c
Expand Up @@ -26,6 +26,7 @@
#include "ngx_http_lua_probe.h"
#include "ngx_http_lua_semaphore.h"
#include "ngx_http_lua_balancer.h"
#include "ngx_http_lua_ssl_client_helloby.h"
#include "ngx_http_lua_ssl_certby.h"
#include "ngx_http_lua_ssl_session_storeby.h"
#include "ngx_http_lua_ssl_session_fetchby.h"
Expand Down Expand Up @@ -566,6 +567,20 @@ static ngx_command_t ngx_http_lua_cmds[] = {
offsetof(ngx_http_lua_loc_conf_t, ssl_ciphers),
NULL },

{ ngx_string("ssl_client_hello_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
ngx_http_lua_ssl_client_hello_by_lua_block,
NGX_HTTP_SRV_CONF_OFFSET,
0,
(void *) ngx_http_lua_ssl_client_hello_handler_inline },

{ ngx_string("ssl_client_hello_by_lua_file"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_http_lua_ssl_client_hello_by_lua,
NGX_HTTP_SRV_CONF_OFFSET,
0,
(void *) ngx_http_lua_ssl_client_hello_handler_file },

{ ngx_string("ssl_certificate_by_lua_block"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
ngx_http_lua_ssl_cert_by_lua_block,
Expand Down Expand Up @@ -1086,6 +1101,10 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
}

/* set by ngx_pcalloc:
* lscf->srv.ssl_client_hello_handler = NULL;
* lscf->srv.ssl_client_hello_src = { 0, NULL };
* lscf->srv.ssl_client_hello_src_key = NULL;
*
* lscf->srv.ssl_cert_handler = NULL;
* lscf->srv.ssl_cert_src = { 0, NULL };
* lscf->srv.ssl_cert_src_key = NULL;
Expand All @@ -1104,6 +1123,7 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
*/

#if (NGX_HTTP_SSL)
lscf->srv.ssl_client_hello_src_ref = LUA_REFNIL;
lscf->srv.ssl_cert_src_ref = LUA_REFNIL;
lscf->srv.ssl_sess_store_src_ref = LUA_REFNIL;
lscf->srv.ssl_sess_fetch_src_ref = LUA_REFNIL;
Expand All @@ -1126,6 +1146,45 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)

dd("merge srv conf");

if (conf->srv.ssl_client_hello_src.len == 0) {
conf->srv.ssl_client_hello_src = prev->srv.ssl_client_hello_src;
conf->srv.ssl_client_hello_src_ref = prev->srv.ssl_client_hello_src_ref;
conf->srv.ssl_client_hello_src_key = prev->srv.ssl_client_hello_src_key;
conf->srv.ssl_client_hello_handler = prev->srv.ssl_client_hello_handler;
}

if (conf->srv.ssl_client_hello_src.len) {
sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
if (sscf == NULL || sscf->ssl.ctx == NULL) {
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"no ssl configured for the server");

return NGX_CONF_ERROR;
}
#ifdef LIBRESSL_VERSION_NUMBER
ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"LibreSSL does not support by ssl_client_hello_by_lua*");
return NGX_CONF_ERROR;

#else

#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB

SSL_CTX_set_client_hello_cb(sscf->ssl.ctx,
ngx_http_lua_ssl_client_hello_handler,
NULL);

#else

ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
"OpenSSL too old to support "
"ssl_client_hello_by_lua*");
return NGX_CONF_ERROR;

#endif
#endif
}

if (conf->srv.ssl_cert_src.len == 0) {
conf->srv.ssl_cert_src = prev->srv.ssl_cert_src;
conf->srv.ssl_cert_src_ref = prev->srv.ssl_cert_src_ref;
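Review bot: The LibreSSL error message in `ngx_http_lua_merge_srv_conf` reads `"LibreSSL does not support by ssl_client_hello_by_lua*"`, which has a stray `by`; it should be `"LibreSSL does not support ssl_client_hello_by_lua*"` so the string an operator greps for matches the directive name. The nested `#ifdef LIBRESSL_VERSION_NUMBER` / `#else` / `#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB` / `#else` / `#endif` / `#endif` ladder around `SSL_CTX_set_client_hello_cb` is harder to follow than a flat chain and the two `#endif`s are easy to mis-pair; `#if defined(LIBRESSL_VERSION_NUMBER)` / `#elif defined(SSL_ERROR_WANT_CLIENT_HELLO_CB)` / `#else` expresses the same three cases at one level. The `"no ssl configured for the server"` check runs before the callback is installed, so a `server` block that inherits `ssl_client_hello_src` from the `http` level but has no SSL context of its own fails at config time rather than dereferencing a NULL `ssl.ctx`; the function continues past the end of this hunk.
```c
    if (conf->srv.ssl_client_hello_src.len) {
        /* … unchanged: sscf lookup and "no ssl configured" check … */

#if defined(LIBRESSL_VERSION_NUMBER)
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "LibreSSL does not support ssl_client_hello_by_lua*");
        return NGX_CONF_ERROR;

#elif defined(SSL_ERROR_WANT_CLIENT_HELLO_CB)
        SSL_CTX_set_client_hello_cb(sscf->ssl.ctx,
                                    ngx_http_lua_ssl_client_hello_handler,
                                    NULL);

#else
        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                      "OpenSSL too old to support "
                      "ssl_client_hello_by_lua*");
        return NGX_CONF_ERROR;
#endif
    }
```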
2 changes: 2 additions & 0 deletions src/ngx_http_lua_ssl.h
Expand Up @@ -25,6 +25,7 @@ typedef struct {
ngx_str_t session_id;

int exit_code; /* exit code for openssl's
set_client_hello_cb or
set_cert_cb callback */

int ctx_ref; /* reference to anchor
Expand All @@ -34,6 +35,7 @@ typedef struct {
unsigned done:1;
unsigned aborted:1;

unsigned entered_client_hello_handler:1;
unsigned entered_cert_handler:1;
unsigned entered_sess_fetch_handler:1;
} ngx_http_lua_ssl_ctx_t;
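Review bot: The updated comment on `exit_code` says the field serves both OpenSSL's `set_client_hello_cb` and `set_cert_cb` callbacks, but those two callbacks fire in sequence on the same connection (the client-hello callback runs before certificate selection), so one field is now shared by two phases of a single handshake and a value left behind by the client-hello handler would be visible to the cert handler unless something resets it. The comment should name that contract, e.g. `/* exit code for the OpenSSL callback currently running (client hello cb, then cert cb); each handler resets it before its Lua code runs */`, and the two handlers — outside this page — should be checked to confirm the reset actually happens. The new `entered_client_hello_handler:1` bit follows the existing `entered_cert_handler` / `entered_sess_fetch_handler` naming, which is consistent; the `ngx_http_lua_ssl_ctx_t` typedef starts before the first hunk.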