BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/315982

Change subject: [WIP] preliminary ssl_stapling_proxy work
......................................................................

[WIP] preliminary ssl_stapling_proxy work

Bug: T93927
Change-Id: I2ba7473d441d1c66ebd6a0b65755c965c525c179
---
M src/event/ngx_event_openssl.h
M src/event/ngx_event_openssl_stapling.c
M src/http/modules/ngx_http_ssl_module.c
M src/http/modules/ngx_http_ssl_module.h
4 files changed, 29 insertions(+), 9 deletions(-)


  git pull ssh://gerrit.wikimedia.org:29418/operations/software/nginx 
refs/changes/82/315982/1

diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 3367d10..23c22d0 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -152,7 +152,8 @@
     ngx_str_t *cert, ngx_int_t depth);
 ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl);
 ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
+    ngx_str_t *file, ngx_str_t *responder, ngx_str_t *proxy,
+    ngx_uint_t verify);
 ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
 RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
diff --git a/src/event/ngx_event_openssl_stapling.c 
b/src/event/ngx_event_openssl_stapling.c
index 09fab76..8c4a81f 100644
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -84,7 +84,8 @@
 
 
 static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
+    X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_str_t* proxy,
+    ngx_uint_t verify);
 static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_ssl_stapling_t *staple, ngx_str_t *file);
 static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl,
@@ -122,7 +123,7 @@
 
 ngx_int_t
 ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file,
-    ngx_str_t *responder, ngx_uint_t verify)
+    ngx_str_t *responder, ngx_str_t *proxy, ngx_uint_t verify)
 {
     X509  *cert;
 
@@ -130,8 +131,8 @@
          cert;
          cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index))
     {
-        if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, 
verify)
-            != NGX_OK)
+        if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, proxy,
+                                         verify) != NGX_OK)
         {
             return NGX_ERROR;
         }
@@ -145,7 +146,8 @@
 
 static ngx_int_t
 ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert,
-    ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify)
+    ngx_str_t *file, ngx_str_t *responder, ngx_str_t *responder,
+    ngx_uint_t verify)
 {
     ngx_int_t            rc;
     ngx_pool_cleanup_t  *cln;
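Review bot: The new definition line `ngx_str_t *file, ngx_str_t *responder, ngx_str_t *responder,` names the parameter `responder` twice, which is a compile error, and it never declares `proxy` even though the body passes `proxy` to `ngx_ssl_stapling_responder` in the next hunk. The second one should read `ngx_str_t *file, ngx_str_t *responder, ngx_str_t *proxy,` so that it matches the forward declaration and the header. The forward declaration in the earlier hunk of this file writes `ngx_str_t* proxy`; nginx style binds the `*` to the name, so `ngx_str_t *proxy` there as well. The body of `ngx_ssl_stapling_certificate` continues outside the hunk.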
@@ -194,7 +196,7 @@
         return NGX_ERROR;
     }
 
-    rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder);
+    rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder, proxy);
 
     if (rc == NGX_DECLINED) {
         return NGX_OK;
@@ -372,7 +374,7 @@
 
 static ngx_int_t
 ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_ssl_stapling_t *staple, ngx_str_t *responder)
+    ngx_ssl_stapling_t *staple, ngx_str_t *responder, ngx_str_t *proxy)
 {
     ngx_url_t                  u;
     char                      *s;
@@ -419,6 +421,12 @@
 
     ngx_memzero(&u, sizeof(ngx_url_t));
 
+    // XXX
+    if (proxy->len != 0) {
+        // XXX do something different with the staple host/uri/port/etc...
+       // XXX I think basically we want to end up with staple->uri as the full 
URL, addrs/host/port from the proxy string, and some flag for deeper to know 
that no Host: header should be sent (but maybe that's ok)?
+    }
+
     u.url = *responder;
     u.default_port = 80;
     u.uri_part = 1;
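Review bot: The `if (proxy->len != 0)` block is empty, so a configured `ssl_stapling_proxy` is accepted by the config parser and then silently ignored: `u.url = *responder;` on the following line still sends the OCSP fetch directly to the responder, which is a trap for an operator who set the directive precisely so that outbound fetches go through a controlled egress. Until the proxy path exists it is safer to fail loudly, e.g. inside the block `ngx_log_error(NGX_LOG_EMERG, ssl->log, 0, "\"ssl_stapling_proxy\" is not implemented yet"); return NGX_ERROR;`, and when it is implemented the proxy string should go through the same `ngx_parse_url` error handling as the responder so a malformed value is rejected at config time rather than at fetch time. On the question in the placeholder comment: when an HTTP/1.1 request is sent to a proxy with an absolute-URI request-target, RFC 7230 §5.4 still requires a `Host` header carrying the responder's authority, so omitting it is not the right design. nginx sources use `/* */` comments, so the `// XXX` lines should use that form too; the rest of `ngx_ssl_stapling_responder` lies outside the hunk.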
diff --git a/src/http/modules/ngx_http_ssl_module.c 
b/src/http/modules/ngx_http_ssl_module.c
index d685ae9..0f2a7cf 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -226,6 +226,13 @@
       offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
       NULL },
 
+    { ngx_string("ssl_stapling_proxy"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      offsetof(ngx_http_ssl_srv_conf_t, stapling_proxy),
+      NULL },
+
     { ngx_string("ssl_stapling_verify"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
       ngx_conf_set_flag_slot,
@@ -517,6 +524,7 @@
      *     sscf->shm_zone = NULL;
      *     sscf->stapling_file = { 0, NULL };
      *     sscf->stapling_responder = { 0, NULL };
+     *     sscf->stapling_proxy = { 0, NULL };
      */
 
     sscf->enable = NGX_CONF_UNSET;
@@ -597,6 +605,7 @@
     ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
     ngx_conf_merge_str_value(conf->stapling_responder,
                          prev->stapling_responder, "");
+    ngx_conf_merge_str_value(conf->stapling_proxy, prev->stapling_proxy, "");
 
     conf->ssl.log = cf->log;
 
@@ -770,7 +779,8 @@
     if (conf->stapling) {
 
         if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
-                             &conf->stapling_responder, conf->stapling_verify)
+                             &conf->stapling_responder, &conf->stapling_proxy,
+                            conf->stapling_verify)
             != NGX_OK)
         {
             return NGX_CONF_ERROR;
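Review bot: The continuation line `conf->stapling_verify)` is indented one column short of the `&conf->stapling_responder, &conf->stapling_proxy,` line above it, so the arguments no longer line up under the opening parenthesis as nginx's continuation style expects. Indenting it by the same amount as the previous argument line fixes it; the same call shape appears in the `ngx_ssl_stapling` hunk of ngx_event_openssl_stapling.c, where `verify) != NGX_OK)` should likewise align with the argument column. The enclosing merge function starts and ends outside the hunk.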
diff --git a/src/http/modules/ngx_http_ssl_module.h 
b/src/http/modules/ngx_http_ssl_module.h
index 57f5941..7fe429f 100644
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -54,6 +54,7 @@
     ngx_flag_t                      stapling_verify;
     ngx_str_t                       stapling_file;
     ngx_str_t                       stapling_responder;
+    ngx_str_t                       stapling_proxy;
 
     u_char                         *file;
     ngx_uint_t                      line;


Gerrit-MessageType: newchange
Gerrit-Change-Id: I2ba7473d441d1c66ebd6a0b65755c965c525c179
Gerrit-PatchSet: 1
Gerrit-Project: operations/software/nginx
Gerrit-Branch: wmf-1.11.4
Gerrit-Owner: BBlack <bbl...@wikimedia.org>
