The attached patch adds a new variable, $ssl_sni_host. I would find this quite useful, as there is no other way of knowing for sure which host a request is directed at (at the SSL layer): the HTTP Host header can be wrong.
Possibly somewhat related to: http://trac.nginx.org/nginx/ticket/229
I should mention that I don't intend this to be a drop-in replacement for $http_host, though that could very well work with proxy_pass.
# HG changeset patch
# User Christian Marie <[email protected]>
# Date 1369104447 -36000
# Tue May 21 12:47:27 2013 +1000
# Node ID aad7765348785a6e3958ea7594dc77e67a1119f5
# Parent cfab1e7e4ac2f0d17199ee1d49ac4647b63746d3
Add new $ssl_sni_host ngx_http_ssl_variable. Useful when using SNI and multiple vhosts or proxy backends, as $http_host can be entirely arbitrary.
diff -r cfab1e7e4ac2 -r aad776534878 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl.c Tue May 21 12:47:27 2013 +1000
@@ -2496,6 +2496,33 @@
 }
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ngx_int_t
+ngx_ssl_get_sni_host(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ const char *host;
+
+ host = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+ if (host == NULL) {
+ return NGX_ERROR;
+ }
+
+ s->len = ngx_strlen(host);
+ if (s->len == 0) {
+ return NGX_ERROR;
+ }
+
+ s->data = ngx_pnalloc(pool, s->len);
+ if(s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(s->data, host, s->len);
+ return NGX_OK;
+}
+#endif
+
+
 static void *
 ngx_openssl_create_conf(ngx_cycle_t *cycle)
 {
diff -r cfab1e7e4ac2 -r aad776534878 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl.h Tue May 21 12:47:27 2013 +1000
@@ -153,6 +153,10 @@
 ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
 ngx_str_t *s);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ngx_int_t ngx_ssl_get_sni_host(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
+#endif
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r cfab1e7e4ac2 -r aad776534878 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu May 16 15:37:13 2013 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c Tue May 21 12:47:27 2013 +1000
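Review bot: ngx_ssl_get_sni_host() in src/event/ngx_event_openssl.c returns NGX_ERROR when the client sent no server name (`host == NULL`) or an empty one, although a handshake without SNI is a normal condition rather than a failure. The caller is not visible in this hunk, but an absent value is presumably better reported as an empty string, so the two early exits would become `s->len = 0; return NGX_OK;` and only the ngx_pnalloc() failure would remain an error; otherwise any client that omits SNI may cause an evaluation error wherever the variable is used. The name is also client-supplied and is copied without validation or case normalisation, so a comment such as `/* SNI name is unauthenticated client input; validate it before using it for routing or access decisions */` would help, given that the description presents it as more reliable than $http_host. The `if(s->data == NULL)` line is missing the space after `if` that the other conditions in the function have.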
@@ -260,6 +260,11 @@
 { ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
 (uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ { ngx_string("ssl_sni_host"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_sni_host, NGX_HTTP_VAR_CHANGEABLE, 0 },
+#endif
+
 { ngx_null_string, NULL, NULL, 0, 0, 0 }
 };
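Review bot: Registering `ssl_sni_host` only under `#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME` makes the variable's existence depend on the OpenSSL build, so a configuration that references `$ssl_sni_host` would presumably be rejected as using an unknown variable on a build without SNI support, instead of seeing an empty value. Consider registering the entry unconditionally and moving the guard inside ngx_ssl_get_sni_host(), so that the function returns an empty value when SNI is unavailable; the matching guards around the definition in ngx_event_openssl.c and the prototype in ngx_event_openssl.h would then go away. The variable table starts outside this hunk, so how other optional variables are handled cannot be checked from here.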
