Looks like the attachment didn't go through. Here is the patch inline:
# HG changeset patch
# User Rohit Joshi <[email protected]>
# Date 1408406738 14400
# Mon Aug 18 20:05:38 2014 -0400
# Node ID 61724860610aee50d73a3a0515c17ee09e8eb349
# Parent 8cdec62a7751153117a46acdf46b50dcf8ac24de
Mail:Support for two way SSL for upstream http proxy
Added support for two way SSL using client certificate/key.
diff -r 8cdec62a7751 -r 61724860610a src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c Mon Aug 18 12:03:41 2014 +0400
+++ b/src/http/modules/ngx_http_proxy_module.c Mon Aug 18 20:05:38 2014 -0400
@@ -84,6 +84,8 @@ ngx_uint_t ssl_verify_depth; ngx_str_t ssl_trusted_certificate; ngx_str_t ssl_crl; + ngx_str_t ssl_client_certificate; + ngx_str_t ssl_client_certificate_key; #endif } ngx_http_proxy_loc_conf_t;
@@ -598,6 +600,21 @@ offsetof(ngx_http_proxy_loc_conf_t, ssl_crl), NULL }, + { ngx_string("proxy_ssl_client_certificate"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_client_certificate), + NULL }, + + { ngx_string("proxy_ssl_client_certificate_key"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_client_certificate_key), + NULL }, + + #endif ngx_null_command
@@ -2451,6 +2468,8 @@ * conf->ssl_ciphers = { 0, NULL }; * conf->ssl_trusted_certificate = { 0, NULL }; * conf->ssl_crl = { 0, NULL }; + * conf->ssl_client_certificate = { 0, NULL }; + * conf->ssl_client_certificate_key = { 0, NULL }; */ conf->upstream.store = NGX_CONF_UNSET;
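Review bot: The directive names `proxy_ssl_client_certificate` / `proxy_ssl_client_certificate_key` added in the -598 hunk mirror the server-side `ssl_client_certificate`, which in ngx_http_ssl_module names a CA bundle used to verify clients, whereas here the file is the certificate nginx itself presents to the upstream; `proxy_ssl_certificate` and `proxy_ssl_certificate_key`, paralleling `ssl_certificate` / `ssl_certificate_key`, would say what they do and avoid that confusion. The two consecutive added blank lines (`+ +`) before `#endif` also leave an extra empty line in the command table. The ngx_http_proxy_commands array continues outside this hunk.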
@@ -2795,6 +2814,19 @@ if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) { return NGX_CONF_ERROR; } + ngx_conf_merge_str_value(conf->ssl_client_certificate, + prev->ssl_client_certificate, ""); + ngx_conf_merge_str_value(conf->ssl_client_certificate_key, + prev->ssl_client_certificate_key, ""); + if( conf->ssl_trusted_certificate.len != 0 && + ( conf->ssl_client_certificate.len != 0 + || conf->ssl_client_certificate_key.len != 0) ) { + + ngx_log_error(NGX_LOG_WARN, cf->log, 0, + "proxy_ssl_trusted_certificate is configured " + "so proxy_ssl_client_certificate and " + "proxy_ssl_client_certificate_key will be ignored"); + } #endif
@@ -3861,22 +3893,42 @@ } if (plcf->upstream.ssl_verify) { - if (plcf->ssl_trusted_certificate.len == 0) { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "no proxy_ssl_trusted_certificate for proxy_ssl_verify"); - return NGX_ERROR; - } - - if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, + + if (plcf->ssl_trusted_certificate.len != 0) { + + if (ngx_ssl_trusted_certificate(cf, plcf->upstream.ssl, &plcf->ssl_trusted_certificate, plcf->ssl_verify_depth) - != NGX_OK) - { + != NGX_OK) + { + return NGX_ERROR; + } + + if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) { + return NGX_ERROR; + } + + }else if (plcf->ssl_client_certificate_key.len != 0 && + plcf->ssl_client_certificate.len != 0) { + + if (ngx_ssl_certificate(cf, plcf->upstream.ssl, + &plcf->ssl_client_certificate, + &plcf->ssl_client_certificate_key, + 0) + != NGX_OK) + { + ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, + "ngx_ssl_certificate failed."); + return NGX_ERROR; + } + }else { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no proxy_ssl_trusted_certificate or " + "(proxy_ssl_client_certificate and " + "proxy_ssl_client_certificate_key for " + "mutual authentication) for proxy_ssl_verify"); return NGX_ERROR; - } - - if (ngx_ssl_crl(cf, plcf->upstream.ssl, &plcf->ssl_crl) != NGX_OK) { - return NGX_ERROR; + } }
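Review bot: The two new `ngx_conf_merge_str_value()` calls in the -2795 hunk sit below the `if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK)` line kept as context, so the SSL context is built before the inherited values are merged; `ngx_http_proxy_set_ssl` reads `plcf->ssl_client_certificate` (see the -3861 hunk), so a directive set in an enclosing `server` or `http` block is never loaded for the locations that inherit it. Move the two merge calls above that `if`, next to the existing merges for `ssl_trusted_certificate` / `ssl_crl` that presumably precede this hunk. The added WARN only announces that the client certificate is ignored whenever a trusted certificate is configured; that follows from the branch structure in the other hunk rather than from any real conflict, and should disappear once the two settings are independent — what does deserve an EMERG here is a certificate given without its key or vice versa. Style: `if( conf->... && ( conf->...) )` does not follow the surrounding nginx layout, `if (conf->ssl_trusted_certificate.len != 0 && (...)) {`. ngx_http_proxy_merge_loc_conf starts and ends outside the hunk.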
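Review bot: The new `if / else if / else` chain in the -3861 hunk makes server verification and the client certificate mutually exclusive: with `proxy_ssl_trusted_certificate` set the client certificate is never loaded, and with only the client certificate set the `else if` branch skips `ngx_ssl_trusted_certificate()` and `ngx_ssl_crl()`, so `proxy_ssl_verify on` is left with nothing to verify against (the removed EMERG for a missing trusted certificate was the right check). Mutual TLS needs both halves, and presenting a client certificate does not depend on verification at all, yet the whole chain lives inside `if (plcf->upstream.ssl_verify) {`, so with verification off the two directives are silently ignored. Keep the verify block as it was and load the certificate in its own block that also rejects a certificate without a key (and vice versa), as sketched below. Style: `}else if` / `}else {` and the trailing period in `"ngx_ssl_certificate failed."` do not match the file, and the neighbouring `ngx_ssl_trusted_certificate` / `ngx_ssl_crl` calls are checked without an extra `ngx_ssl_error`, so presumably the helper logs its own failure and that call is redundant. ngx_http_proxy_set_ssl starts and ends outside this hunk.
```c
    if (plcf->upstream.ssl_verify) {
        if (plcf->ssl_trusted_certificate.len == 0) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "no proxy_ssl_trusted_certificate for proxy_ssl_verify");
            return NGX_ERROR;
        }

        /* … unchanged: ngx_ssl_trusted_certificate() and ngx_ssl_crl() calls … */
    }

    /* the certificate we present is independent of whether we verify the peer */

    if (plcf->ssl_client_certificate.len != 0
        || plcf->ssl_client_certificate_key.len != 0)
    {
        if (plcf->ssl_client_certificate.len == 0
            || plcf->ssl_client_certificate_key.len == 0)
        {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "proxy_ssl_client_certificate and "
                          "proxy_ssl_client_certificate_key must be set together");
            return NGX_ERROR;
        }

        if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
                                &plcf->ssl_client_certificate,
                                &plcf->ssl_client_certificate_key, NULL)
            != NGX_OK)
        {
            return NGX_ERROR;
        }
    }
```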
