BBlack has submitted this change and it was merged. Change subject: Add ssl_stapling_proxy patch ......................................................................
Add ssl_stapling_proxy patch Usage: ssl_stapling_proxy http://proxy.example.com:8080/; Should work with responder from certificate or fixed ssl_stapling_responder. Bug: T93927 Change-Id: I2ba7473d441d1c66ebd6a0b65755c965c525c179 --- A debian/patches/0600-stapling-proxy.patch M debian/patches/series 2 files changed, 234 insertions(+), 0 deletions(-) Approvals: BBlack: Verified; Looks good to me, approved
diff --git a/debian/patches/0600-stapling-proxy.patch b/debian/patches/0600-stapling-proxy.patch new file mode 100644
index 0000000..436e012
--- /dev/null
+++ b/debian/patches/0600-stapling-proxy.patch
@@ -0,0 +1,233 @@ +ssl_stapling_proxy feature + +Usage: +ssl_stapling_proxy http://proxy.example.com:8080; + +Should work with responder from certificate or fixed +ssl_stapling_responder. + +diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h +index b96dde2..5587237 100644 +--- a/src/event/ngx_event_openssl.h ++++ b/src/event/ngx_event_openssl.h +@@ -165,7 +165,8 @@ ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *cert, ngx_int_t depth); + ngx_int_t ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl); + ngx_int_t ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, +- ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); ++ ngx_str_t *file, ngx_str_t *responder, ngx_str_t *proxy, ++ ngx_uint_t verify); + ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_resolver_t *resolver, ngx_msec_t resolver_timeout); + RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, +diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c +index 09fab76..06ff6e1 100644 +--- a/src/event/ngx_event_openssl_stapling.c ++++ b/src/event/ngx_event_openssl_stapling.c +@@ -25,6 +25,7 @@ typedef struct { + ngx_str_t host; + ngx_str_t uri; + in_port_t port; ++ int using_proxy; + + SSL_CTX *ssl_ctx; + +@@ -51,6 +52,7 @@ struct ngx_ssl_ocsp_ctx_s { + ngx_str_t host; + ngx_str_t uri; + in_port_t port; ++ int using_proxy; + + ngx_resolver_t *resolver; + ngx_msec_t resolver_timeout; +@@ -84,13 +86,14 @@ struct ngx_ssl_ocsp_ctx_s { + + + static ngx_int_t ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, +- X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify); ++ X509 *cert, ngx_str_t *file, ngx_str_t *responder, ngx_str_t* proxy, ++ ngx_uint_t verify); + static ngx_int_t ngx_ssl_stapling_file(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_ssl_stapling_t *staple, ngx_str_t *file); + static ngx_int_t ngx_ssl_stapling_issuer(ngx_conf_t *cf, 
ngx_ssl_t *ssl, + ngx_ssl_stapling_t *staple); + static ngx_int_t ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, +- ngx_ssl_stapling_t *staple, ngx_str_t *responder); ++ ngx_ssl_stapling_t *staple, ngx_str_t *responder, ngx_str_t *proxy); + + static int ngx_ssl_certificate_status_callback(ngx_ssl_conn_t *ssl_conn, + void *data); +@@ -122,7 +125,7 @@ static u_char *ngx_ssl_ocsp_log_error(ngx_log_t *log, u_char *buf, size_t len); + + ngx_int_t + ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, +- ngx_str_t *responder, ngx_uint_t verify) ++ ngx_str_t *responder, ngx_str_t *proxy, ngx_uint_t verify) + { + X509 *cert; + +@@ -130,8 +133,8 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + cert; + cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) + { +- if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, verify) +- != NGX_OK) ++ if (ngx_ssl_stapling_certificate(cf, ssl, cert, file, responder, proxy, ++ verify) != NGX_OK) + { + return NGX_ERROR; + } +@@ -145,7 +148,8 @@ ngx_ssl_stapling(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file, + + static ngx_int_t + ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert, +- ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify) ++ ngx_str_t *file, ngx_str_t *responder, ngx_str_t *proxy, ++ ngx_uint_t verify) + { + ngx_int_t rc; + ngx_pool_cleanup_t *cln; +@@ -194,7 +198,7 @@ ngx_ssl_stapling_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, X509 *cert, + return NGX_ERROR; + } + +- rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder); ++ rc = ngx_ssl_stapling_responder(cf, ssl, staple, responder, proxy); + + if (rc == NGX_DECLINED) { + return NGX_OK; +@@ -372,7 +376,7 @@ ngx_ssl_stapling_issuer(ngx_conf_t *cf, ngx_ssl_t *ssl, + + static ngx_int_t + ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, +- ngx_ssl_stapling_t *staple, ngx_str_t *responder) ++ ngx_ssl_stapling_t *staple, ngx_str_t *responder, ngx_str_t *proxy) + { + 
ngx_url_t u; + char *s; +@@ -419,7 +423,14 @@ ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, + + ngx_memzero(&u, sizeof(ngx_url_t)); + +- u.url = *responder; ++ if (proxy->len != 0) { ++ staple->using_proxy = 1; ++ u.url = *proxy; ++ } else { ++ staple->using_proxy = 0; ++ u.url = *responder; ++ } ++ + u.default_port = 80; + u.uri_part = 1; + +@@ -449,9 +460,14 @@ ngx_ssl_stapling_responder(ngx_conf_t *cf, ngx_ssl_t *ssl, + + staple->addrs = u.addrs; + staple->host = u.host; +- staple->uri = u.uri; + staple->port = u.port; + ++ if (staple->using_proxy) { ++ staple->uri = *responder; ++ } else { ++ staple->uri = u.uri; ++ } ++ + if (staple->uri.len == 0) { + ngx_str_set(&staple->uri, "/"); + } +@@ -552,6 +568,7 @@ ngx_ssl_stapling_update(ngx_ssl_stapling_t *staple) + ctx->host = staple->host; + ctx->uri = staple->uri; + ctx->port = staple->port; ++ ctx->using_proxy = staple->using_proxy; + ctx->timeout = staple->timeout; + + ctx->resolver = staple->resolver; +@@ -1254,9 +1271,12 @@ ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx) + + len = sizeof("GET ") - 1 + ctx->uri.len + sizeof("/") - 1 + + base64.len + 2 * escape + sizeof(" HTTP/1.0" CRLF) - 1 +- + sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1 + + sizeof(CRLF) - 1; + ++ if (!ctx->using_proxy) { ++ len += sizeof("Host: ") - 1 + ctx->host.len + sizeof(CRLF) - 1; ++ } ++ + b = ngx_create_temp_buf(ctx->pool, len); + if (b == NULL) { + goto failed; +@@ -1280,9 +1300,12 @@ ngx_ssl_ocsp_create_request(ngx_ssl_ocsp_ctx_t *ctx) + } + + p = ngx_cpymem(p, " HTTP/1.0" CRLF, sizeof(" HTTP/1.0" CRLF) - 1); +- p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1); +- p = ngx_cpymem(p, ctx->host.data, ctx->host.len); +- *p++ = CR; *p++ = LF; ++ ++ if (!ctx->using_proxy) { ++ p = ngx_cpymem(p, "Host: ", sizeof("Host: ") - 1); ++ p = ngx_cpymem(p, ctx->host.data, ctx->host.len); ++ *p++ = CR; *p++ = LF; ++ } + + /* add "\r\n" at the header end */ + *p++ = CR; *p++ = LF; +diff --git 
a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c +index 2615e68..a1735e5 100644 +--- a/src/http/modules/ngx_http_ssl_module.c ++++ b/src/http/modules/ngx_http_ssl_module.c +@@ -226,6 +226,13 @@ static ngx_command_t ngx_http_ssl_commands[] = { + offsetof(ngx_http_ssl_srv_conf_t, stapling_responder), + NULL }, + ++ { ngx_string("ssl_stapling_proxy"), ++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ++ ngx_conf_set_str_slot, ++ NGX_HTTP_SRV_CONF_OFFSET, ++ offsetof(ngx_http_ssl_srv_conf_t, stapling_proxy), ++ NULL }, ++ + { ngx_string("ssl_stapling_verify"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, +@@ -555,6 +562,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf) + * sscf->shm_zone = NULL; + * sscf->stapling_file = { 0, NULL }; + * sscf->stapling_responder = { 0, NULL }; ++ * sscf->stapling_proxy = { 0, NULL }; + */ + + sscf->enable = NGX_CONF_UNSET; +@@ -640,6 +648,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, ""); + ngx_conf_merge_str_value(conf->stapling_responder, + prev->stapling_responder, ""); ++ ngx_conf_merge_str_value(conf->stapling_proxy, prev->stapling_proxy, ""); + + ngx_conf_merge_value(conf->dyn_rec_enable, prev->dyn_rec_enable, 0); + ngx_conf_merge_msec_value(conf->dyn_rec_timeout, prev->dyn_rec_timeout, +@@ -827,7 +836,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) + if (conf->stapling) { + + if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file, +- &conf->stapling_responder, conf->stapling_verify) ++ &conf->stapling_responder, &conf->stapling_proxy, ++ conf->stapling_verify) + != NGX_OK) + { + return NGX_CONF_ERROR; +diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h +index 309ac00..fe4782a 100644 +--- a/src/http/modules/ngx_http_ssl_module.h ++++ b/src/http/modules/ngx_http_ssl_module.h +@@ -54,6 
+54,7 @@ typedef struct { + ngx_flag_t stapling_verify; + ngx_str_t stapling_file; + ngx_str_t stapling_responder; ++ ngx_str_t stapling_proxy; + + u_char *file; + ngx_uint_t line;
diff --git a/debian/patches/series b/debian/patches/series
index 38343b8..69dc84e 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,4 @@
 0003-define_gnu_source-on-other-glibc-based-platforms.patch
 0100-dynamic-tls-records.patch
 0500-ssl-curve.patch
+0600-stapling-proxy.patch
-- To view, visit https://gerrit.wikimedia.org/r/315982 To unsubscribe, visit https://gerrit.wikimedia.org/r/settings Gerrit-MessageType: merged Gerrit-Change-Id: I2ba7473d441d1c66ebd6a0b65755c965c525c179 Gerrit-PatchSet: 5 Gerrit-Project: operations/software/nginx Gerrit-Branch: wmf-1.11.4 Gerrit-Owner: BBlack <bbl...@wikimedia.org> Gerrit-Reviewer: BBlack <bbl...@wikimedia.org> _______________________________________________ MediaWiki-commits mailing list MediaWiki-commits@lists.wikimedia.org https://lists.wikimedia.org/mailman/listinfo/mediawiki-commits
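Review bot: In the proxy branch of ngx_ssl_stapling_responder (whose body continues outside the hunk) the `http://` prefix check that follows `u.uri_part = 1;` in the unchanged code is applied to `u.url`, which is now the proxy address, so the responder URL — including one pulled from the certificate's AIA extension when ssl_stapling_responder is unset — is copied into `staple->uri` and used as the request-target without the scheme validation the non-proxy path gives it. A scheme check on `responder` before `staple->uri = *responder;` would keep the two modes consistent and let a non-http AIA URL be declined with the existing warning instead of being forwarded to the proxy. In ngx_ssl_ocsp_create_request the Host header is dropped because `ctx->host` now names the proxy rather than the responder; that reasoning deserves a comment such as `/* absolute-form request-target; ctx->host is the proxy, so no Host header */`, and if a proxy in use requires a Host header the responder's authority would have to be parsed and kept separately. Style: `ngx_str_t* proxy` in the ngx_ssl_stapling_certificate prototype puts the star on the type unlike every other declaration in the file, and `int using_proxy` beside the ngx_* typed fields would conventionally be `ngx_uint_t` or a one-bit field.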