Re: DTLS patches
> On Feb 21, 2018, at 23:34, Vladimir Homutov wrote:
>
>> On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
>> Hi,
>>
>> I noticed that you have introduced `ngx_event_udp_accept()`, which can
>> create a separate socket for receiving datagrams from a specific client.
>> I understand that it is necessary for DTLS servers. However, I wonder
>> why it is also called for normal udp servers.
>
> For a normal udp server this is beneficial if you need to process a
> bidirectional stream, i.e. proxying DTLS or similar protocols without
> offloading it. Probably this should be at least configurable.
>
>> For udp servers listening on a port below 1024, such a call will fail if
>> the worker processes drop their privilege as a non-root user.
>> The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
>> after worker processes change UID.
>
> Yes, there is an issue in such a case, and retaining (partial) permissions
> is a possible (but ugly) solution.

You can see from the code that it is not the first time that solution has been used.
I wonder if there is a better solution for this issue.

Cheers,

Miao Wang

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
Re: DTLS patches
On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
> Hi,
>
> I noticed that you have introduced `ngx_event_udp_accept()`, which can
> create a separate socket for receiving datagrams from a specific client.
> I understand that it is necessary for DTLS servers. However, I wonder
> why it is also called for normal udp servers.

For a normal udp server this is beneficial if you need to process a
bidirectional stream, i.e. proxying DTLS or similar protocols without
offloading it. Probably this should be at least configurable.

> For udp servers listening on a port below 1024, such a call will fail if
> the worker processes drop their privilege as a non-root user.
> The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
> after worker processes change UID.

Yes, there is an issue in such a case, and retaining (partial) permissions
is a possible (but ugly) solution.
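As an added illustration, not code from the thread or from nginx: the per-client connected UDP socket that `ngx_event_udp_accept()` sets up, reduced to plain C on loopback so the kernel behaviour it relies on can be observed. It assumes Linux, where SO_REUSEADDR on both sockets lets the second `bind()` to the listening address succeed and datagrams from a peer are routed to the socket `connect()`ed to that peer; `udp_accept()` and `demo()` are names invented for this example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <unistd.h>

/* Per-client socket as ngx_event_udp_accept() in the thread's patch builds it:
 * new SOCK_DGRAM socket, SO_REUSEADDR, bind() to the listening address,
 * connect() to the peer. Returns the fd or -1 with errno kept; bind() is the
 * step that fails with EACCES below port 1024 once root has been dropped
 * without CAP_NET_BIND_SERVICE. */
int udp_accept(const struct sockaddr_in *local, const struct sockaddr_in *peer)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0), on = 1, saved;
    if (fd != -1
        && setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == 0
        && bind(fd, (const struct sockaddr *) local, sizeof(*local)) == 0
        && connect(fd, (const struct sockaddr *) peer, sizeof(*peer)) == 0)
        return fd;
    saved = errno; if (fd != -1) close(fd); errno = saved;
    return -1;
}
/* Loopback walk-through (Linux): the listener gets the client's first datagram;
 * after udp_accept() the second one is delivered to the connected socket.
 * Returns the bytes read on that socket, or a negative step number. */
int demo(void)
{
    struct sockaddr_in lsa, from;
    socklen_t len = sizeof(lsa);
    struct timeval tv = { 1, 0 };   /* recv() timeout: a miss must not hang */
    char buf[16];
    int n, afd, on = 1, lfd = socket(AF_INET, SOCK_DGRAM, 0);
    int cfd = socket(AF_INET, SOCK_DGRAM, 0);   /* autobound on first sendto() */
    memset(&lsa, 0, sizeof(lsa)); lsa.sin_family = AF_INET;  /* port 0: kernel picks */
    lsa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (lfd == -1 || cfd == -1
        || setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on))
        || bind(lfd, (struct sockaddr *) &lsa, len)
        || getsockname(lfd, (struct sockaddr *) &lsa, &len))
        return -1;
    if (sendto(cfd, "hello", 5, 0, (struct sockaddr *) &lsa, len) != 5
        || recvfrom(lfd, buf, 16, 0, (struct sockaddr *) &from, &len) != 5)
        return -2;
    if ((afd = udp_accept(&lsa, &from)) == -1) return -3;
    setsockopt(afd, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));
    if (sendto(cfd, "again", 5, 0, (struct sockaddr *) &lsa, len) != 5) return -4;
    n = (int) recv(afd, buf, 16, 0);   /* lands on afd, not on lfd */
    close(afd); close(lfd); close(cfd);
    return n;
}
```

Running `demo()` as an unprivileged user against a listener bound to a port below 1024 instead of port 0 reproduces the failure discussed above: `udp_accept()` returns -1 with errno EACCES at the `bind()` step.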
Re: DTLS patches
Hi,

I noticed that you have introduced `ngx_event_udp_accept()`, which can
create a separate socket for receiving datagrams from a specific client.
I understand that it is necessary for DTLS servers. However, I wonder
why it is also called for normal udp servers.

For udp servers listening on a port below 1024, such a call will fail if
the worker processes drop their privilege as a non-root user.
The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
after worker processes change UID.

Cheers,

Miao Wang

Attachment: 0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch

> On Feb 21, 2018, at 22:30, Wang Shanker wrote:
>
> Hi, of course. I'm implementing RFC8094, which is for transmitting DNS
> queries through DTLS. Nginx is used for offloading DTLS encryption and
> the software behind nginx is bind9.
>
> Cheers,
>
> Miao Wang
>
>> On Feb 21, 2018, at 22:12, Vladimir Homutov wrote:
>>
>> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>>>
>>> I have tested this patch in my environment. Before the patch is applied,
>>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>>> enabled to work around the problem.
>>>
>>
>> Hello,
>> can you please elaborate about your environment? Do you proxy the DTLS
>> stream directly to the backend, or do you perform DTLS offload?
>> What protocol are you using and which server/client software
>> before/behind nginx?
>>
>> I'm attaching a refreshed patch against nginx-1.13.9 for those who are
>> interested in testing.
Re: DTLS patches
Hi, of course. I'm implementing RFC8094, which is for transmitting DNS
queries through DTLS. Nginx is used for offloading DTLS encryption and
the software behind nginx is bind9.

Cheers,

Miao Wang

> On Feb 21, 2018, at 22:12, Vladimir Homutov wrote:
>
> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>>
>> I have tested this patch in my environment. Before the patch is applied,
>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>> enabled to work around the problem.
>>
>
> Hello,
> can you please elaborate about your environment? Do you proxy the DTLS
> stream directly to the backend, or do you perform DTLS offload?
> What protocol are you using and which server/client software
> before/behind nginx?
>
> I'm attaching a refreshed patch against nginx-1.13.9 for those who are
> interested in testing.
Re: DTLS patches
On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>
> I have tested this patch in my environment. Before the patch is applied,
> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
> enabled to work around the problem.
>

Hello,
can you please elaborate about your environment? Do you proxy the DTLS
stream directly to the backend, or do you perform DTLS offload?
What protocol are you using and which server/client software
before/behind nginx?

I'm attaching a refreshed patch against nginx-1.13.9 for those who are
interested in testing.

# HG changeset patch
# User Vladimir Homutov
# Date 1519222093 -10800
#      Wed Feb 21 17:08:13 2018 +0300
# Node ID b4b14f20123598d6c4bdff01e3c421e4f180f526
# Parent  88aad69eccef0422719698b54c82e3a020c0fe93
Stream: experimental DTLS support.

With the patch, the "listen" directive in the "stream" block now accepts
both "udp" and "ssl" directives.

The "ssl_protocols" and "proxy_ssl_protocols" directives now accept
"DTLSv1" and "DTLSv1.2" parameters that enable support of the corresponding
protocols.

DTLS termination:

stream {
    # please enable debug log
    error_log logs/error.log debug;

    server {
        # add 'udp' and 'ssl' simultaneously to the listen directive
        listen 127.0.0.1:4443 udp ssl;

        # enable DTLSv1 or DTLSv1.2 or both protocols
        ssl_protocols DTLSv1;

        # setup other SSL options as usually
        ssl_certificate ...;
        ssl_certificate_key ...;

        proxy_pass ...;
    }
}

DTLS to backends:

stream {
    # please enable debug log
    error_log logs/error.log debug;

    server {
        listen 127.0.0.1: udp;

        # enable SSL to proxy
        proxy_ssl on;

        # enable DTLSv1 or DTLSv1.2 or both protocols
        proxy_ssl_protocols DTLSv1;

        # setup other proxy SSL options as usually
        proxy_ssl_certificate ...;
        proxy_ssl_certificate_key ...;

        # the backend is a DTLS server
        proxy_pass 127.0.0.1:4433;
    }
}

diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -132,4 +132,16 @@ END exit 1 fi +ngx_feature="OpenSSL DTLS support" +ngx_feature_name="NGX_OPENSSL_DTLS" +ngx_feature_run=no +ngx_feature_incs="#include " +ngx_feature_path= +ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL" +ngx_feature_test="DTLSv1_listen(NULL, NULL)" +. auto/feature + +if [ $ngx_found = yes ]; then +have=NGX_SSL_DTLS . auto/have +fi fi diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h --- a/src/event/ngx_event.h +++ b/src/event/ngx_event.h @@ -507,6 +507,7 @@ void ngx_event_accept(ngx_event_t *ev); #if !(NGX_WIN32) void ngx_event_recvmsg(ngx_event_t *ev); #endif +ngx_int_t ngx_event_udp_accept(ngx_connection_t *c); ngx_int_t ngx_trylock_accept_mutex(ngx_cycle_t *cycle); u_char *ngx_accept_log_error(ngx_log_t *log, u_char *buf, size_t len); diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c --- a/src/event/ngx_event_accept.c +++ b/src/event/ngx_event_accept.c 
@@ -644,6 +644,81 @@ ngx_event_recvmsg(ngx_event_t *ev) ngx_int_t +ngx_event_udp_accept(ngx_connection_t *c) +{ +int on, rc; +ngx_socket_t fd; + +fd = ngx_socket(c->listening->sockaddr->sa_family, SOCK_DGRAM, 0); +if (fd == (ngx_socket_t) -1) { +ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno, + ngx_socket_n " failed"); +return NGX_ERROR; +} + +if (ngx_nonblocking(fd) == -1) { +ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno, + ngx_nonblocking_n " failed"); +goto failed; +} + +on = 1; +rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) , sizeof(int)); +if (rc == -1) { +ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno, + "setsockopt(SO_REUSEADDR, 1) failed"); +goto failed; +} + +#if (NGX_HAVE_REUSEPORT && NGX_FREEBSD) +on = 1; +rc = setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char *) , sizeof(int)); +if (rc == -1) { +ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno, + "setsockopt(SO_REUSEPORT, 1) failed"); +goto failed; +} +#endif + +rc = bind(fd, c->listening->sockaddr, c->listening->socklen); +if (-1 == rc) { +ngx_log_error(NGX_LOG_EMERG, c->log, ngx_socket_errno, + "bind() to %V failed", >listening->addr_text); +goto failed; +} + +if (connect(fd, c->sockaddr, c->socklen) == -1) { +ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno, + "connect() failed"); +goto failed; +} + +c->fd = fd; +c->shared = 0; +c->recv = ngx_udp_recv; + +if (ngx_add_conn && (ngx_event_flags & NGX_USE_EPOLL_EVENT) == 0) { +if (ngx_add_conn(c) == NGX_ERROR) { + goto failed; + } +
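Review bot: in the auto/lib/openssl/conf hunk the same feature ends up under two macro names: `ngx_feature_name="NGX_OPENSSL_DTLS"` is what auto/feature defines when the `DTLSv1_listen(NULL, NULL)` link test passes, and the `if [ $ngx_found = yes ]` block then adds `have=NGX_SSL_DTLS . auto/have` on top. Keep one of them (the `have=` form matches how the other SSL features in this file are exposed to the source tree), otherwise the C code will grow inconsistent `#if` guards.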
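Review bot: in the ngx_event.h hunk the new `ngx_event_udp_accept()` prototype is added after the `#endif` that closes the `#if !(NGX_WIN32)` block around `ngx_event_recvmsg()`, while the ngx_event_accept.c hunk places its definition directly after `ngx_event_recvmsg()`. If that definition lands inside the same non-Windows guard, the prototype should carry the guard too, so that a Win32 build fails at compile time rather than at link time when something calls it; if the function is meant to be portable, a short comment saying so would help the next reader.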
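Review bot: in the ngx_event_udp_accept() hunk the `bind(fd, c->listening->sockaddr, c->listening->socklen)` call runs in the worker for every new client, so for a `listen` port below 1024 it fails with EACCES as soon as the worker has switched to its unprivileged user, which is the case Wang Shanker reports in this thread; either the worker keeps CAP_NET_BIND_SERVICE (as his follow-up patch does) or the limitation needs to be documented next to the `udp ssl` listen option. Two smaller points in the same block: that failure is logged at NGX_LOG_EMERG while every other failure in the function uses NGX_LOG_ALERT, so a burst of unsolicited datagrams produces one emergency-level line each, and `if (-1 == rc)` is the only reversed comparison here; nginx style is `if (rc == -1)` as in the surrounding checks.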
Re: DTLS patches
Vladimir Homutov Wrote:
---
> On Wed, Feb 21, 2018 at 12:18:27PM +0800, Wang Shanker wrote:
> > Hi, Vladimir
> >
> > `ngx_stream_ssl_init_connection` tries to set tcp_nodelay on the given
> > connection.
> > The following patch adds a test for the type of connection before setting it.
> >
> > Cheers,
> >
> > Miao Wang
> >
> > diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
> > index f85bbb6..36f7fdd 100644
> > --- a/src/stream/ngx_stream_ssl_module.c
> > +++ b/src/stream/ngx_stream_ssl_module.c
> > @@ -369,7 +369,7 @@ ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c)
> >
> > cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);
> >
> > -if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
> > +if (cscf->tcp_nodelay && c->type == SOCK_STREAM && ngx_tcp_nodelay(c) != NGX_OK) {
> > return NGX_ERROR;
> > }
> >
> >
> Hi, Miao
>
> The change is indeed correct; it is required since
> http://hg.nginx.org/nginx/rev/29c6d66b83ba
>
> Have you tried the patches in work?

I have tested this patch in my environment. Before the patch is applied,
`tcp_nodelay off` needs to be placed in every `server` clause with DTLS
enabled to work around the problem.

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274289,278704#msg-278704
Re: DTLS patches
On Wed, Feb 21, 2018 at 12:18:27PM +0800, Wang Shanker wrote:
> Hi, Vladimir
>
> `ngx_stream_ssl_init_connection` tries to set tcp_nodelay on the given
> connection.
> The following patch adds a test for the type of connection before setting it.
>
> Cheers,
>
> Miao Wang
>
> diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
> index f85bbb6..36f7fdd 100644
> --- a/src/stream/ngx_stream_ssl_module.c
> +++ b/src/stream/ngx_stream_ssl_module.c
> @@ -369,7 +369,7 @@ ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c)
>
> cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);
>
> -if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
> +if (cscf->tcp_nodelay && c->type == SOCK_STREAM && ngx_tcp_nodelay(c) != NGX_OK) {
> return NGX_ERROR;
> }
>

Hi, Miao

The change is indeed correct; it is required since
http://hg.nginx.org/nginx/rev/29c6d66b83ba

Have you tried the patches in work?
Re: DTLS patches
Hi, Vladimir

`ngx_stream_ssl_init_connection` tries to set tcp_nodelay on the given
connection.
The following patch adds a test for the type of connection before setting it.

Cheers,

Miao Wang

diff --git a/src/stream/ngx_stream_ssl_module.c b/src/stream/ngx_stream_ssl_module.c
index f85bbb6..36f7fdd 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -369,7 +369,7 @@ ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, ngx_connection_t *c)

cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);

-if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
+if (cscf->tcp_nodelay && c->type == SOCK_STREAM && ngx_tcp_nodelay(c) != NGX_OK) {
return NGX_ERROR;
}

> Hello all,
>
> For all those interested in testing DTLS support, an experimental patch
> is now available at
> http://nginx.org/patches/dtls/
>
>
> Check the README.txt for details.
>
> If you have any feedback, please report to this thread.
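Review bot: the `+` line of the hunk is now well past nginx's 80-column limit; wrap it as `if (cscf->tcp_nodelay && c->type == SOCK_STREAM` followed by `&& ngx_tcp_nodelay(c) != NGX_OK)` on a continuation line. The check itself is the right fix: `ngx_tcp_nodelay()` sets the TCP_NODELAY socket option, which cannot succeed on a SOCK_DGRAM connection, so without the type test every DTLS `server` block fails at SSL init unless `tcp_nodelay off` is set there, as described in the test report later in this thread.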
Re: DTLS patches
Thanks Vladimir :)

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274289,274312#msg-274312
Re: DTLS patches
On Thu, May 18, 2017 at 10:29:16AM -0400, George wrote:
> Thanks for sharing. Is it necessary to compile with --with-debug?
>

No, it will work without debug as well.
Re: DTLS patches
Thanks for sharing. Is it necessary to compile with --with-debug?

Posted at Nginx Forum: https://forum.nginx.org/read.php?2,274289,274299#msg-274299
DTLS patches
Hello all,

For all those interested in testing DTLS support, an experimental patch
is now available at
http://nginx.org/patches/dtls/

Check the README.txt for details.

If you have any feedback, please report to this thread.