Hello, Yeah. The proposed design would work well for me.
On Fri, Apr 9, 2021 at 5:17 PM Maxim Dounin <mdou...@mdounin.ru> wrote: > Hello! > > On Fri, Apr 09, 2021 at 04:26:52PM +0300, Vasiliy Soshnikov wrote: > > [...] > > > + /** SSL TLVs */ > > + > > +#if (NGX_STREAM_SSL) > > + > > + data = NULL; > > + data_len = 0; > > + > > + tlv = (ngx_tlv_ssl_t *) (buf + len); > > + ngx_memzero(tlv, sizeof(ngx_tlv_ssl_t)); > > + > > + tlv->tlv.type = NGX_PROXY_PROTOCOL_V2_TYPE_SSL; > > + pos = buf + len + sizeof(ngx_tlv_ssl_t); > > + > > + tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_SSL; > > + > > + if (c->ssl != NULL) { > > + > > +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation > > + SSL_get0_alpn_selected(c->ssl->connection, &data, &data_len); > > + > > +#ifdef TLSEXT_TYPE_next_proto_neg > > + if (data_len == 0) { > > + SSL_get0_next_proto_negotiated(c->ssl->connection, > > + &data, &data_len); > > + } > > +#endif > > + > > +#else /* TLSEXT_TYPE_next_proto_neg */ > > + SSL_get0_next_proto_negotiated(c->ssl->connection, &data, > > &data_len); > > +#endif > > + > > + if (data_len) { > > + > > + pos = ngx_copy_tlv(pos, last, > > + NGX_PROXY_PROTOCOL_V2_TYPE_ALPN, > > + (u_char *) data, (uint16_t) data_len); > > + if (pos == NULL) { > > + return NULL; > > + } > > + } > > + > > + value = (u_char *) SSL_get_version(c->ssl->connection); > > + if (value != NULL) { > > + > > + pos = ngx_copy_tlv(pos, last, > > + NGX_PROXY_PROTOCOL_V2_SUBTYPE_SSL_VERSION, > > + value, ngx_strlen(value)); > > + if (pos == NULL) { > > + return NULL; > > + } > > + } > > [...] > > Thanks for the patch. > > For the record, as discussed privately: this is more or less > proof-of-concept for the ticket #1639[1], used for tests with > RabbitMQ[2]. A committable solution probably needs something similar > to proxy_set_header / fastcgi_param to control TLVs sent to the > upstream server instead of hardcoding them. 
> > [1] https://trac.nginx.org/nginx/ticket/1639 > [2] https://www.rabbitmq.com/networking.html#proxy-protocol > > -- > Maxim Dounin > http://mdounin.ru/ > _______________________________________________ > nginx-devel mailing list > nginx-devel@nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel >
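Review bot: tlv->client |= NGX_PROXY_PROTOCOL_V2_CLIENT_SSL is set before the if (c->ssl != NULL) check, so in the lines shown a plaintext client connection on an NGX_STREAM_SSL build is still reported to the upstream as having connected over SSL. Move the assignment inside the c->ssl != NULL block, so that a backend which makes trust decisions on this flag is not misled. Separately, the #else branch of the TLSEXT_TYPE_application_layer_protocol_negotiation guard calls SSL_get0_next_proto_negotiated() with no TLSEXT_TYPE_next_proto_neg check visible in the hunk; unless an enclosing guard in the elided lines covers it, a build against a library with neither ALPN nor NPN would fail to compile, so the fallback call should get its own #ifdef.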