Re: DTLS patches

2018-02-21 Thread Wang Shanker


> On 21 Feb 2018, at 23:34, Vladimir Homutov wrote:
> 
>> On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
>> Hi,
>> 
>> I noticed that you have introduced `ngx_event_udp_accept()`, which can
>> create a separate socket for receiving datagrams from a specific client.
>> I understand that it is necessary for DTLS servers. However I wonder
>> why it is also called for normal udp servers.
> 
> For a normal UDP server this is beneficial if you need to process a
> bidirectional stream, i.e. proxying DTLS or similar protocols without
> offloading it. Probably this should be at least configurable.
> 
>> For UDP servers listening on a port below 1024, such a call will fail if
>> the worker processes drop their privileges as a non-root user.
>> The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
>> after worker processes change UID.
> 
> yes, there is an issue in such case, and retaining (partial) permissions
> is a possible (but ugly) solution.

You can see from the code that it is not the first time that solution has been
used. I wonder if there is a better solution for this issue.

Cheers,

Miao Wang

___
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
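The capability-retention approach discussed in this message, as an added example that is not part of the thread or of nginx's code: it keeps CAP_NET_BIND_SERVICE (and nothing else) across the switch to an unprivileged UID using prctl(PR_SET_KEEPCAPS) and a raw capset(2) call, then probes a privileged port. The target uid/gid 65534 and the choice of port 853 (the port RFC 8094 assigns to DNS over DTLS, the deployment described later in the thread) are assumptions of the demonstration; the mechanism itself is Linux-specific.

```c
/* Added example, not nginx code: keep CAP_NET_BIND_SERVICE across the UID
 * change a worker makes when it drops root, so that bind() to ports below
 * 1024 keeps working. Linux only; raw capset(2), no libcap needed. */
#define _GNU_SOURCE
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#endif

#ifndef CAP_NET_BIND_SERVICE
#define CAP_NET_BIND_SERVICE 10                   /* kernel ABI number */
#endif

/* capset(2) v3 carries each set as two 32-bit words: caps 0..31 in word 0,
 * caps 32..63 in word 1. Out-of-range numbers are ignored. */
typedef struct { uint32_t w[2]; } cap_mask_t;

cap_mask_t cap_mask(const int *caps, size_t n)
{
    cap_mask_t m = { { 0, 0 } };
    size_t i;
    for (i = 0; i < n; i++) {
        if (caps[i] >= 0 && caps[i] < 64) {
            m.w[caps[i] / 32] |= 1u << (caps[i] % 32);
        }
    }
    return m;
}

/* Switch to uid/gid keeping exactly caps[] (permitted and effective, with
 * inheritable cleared). Returns 0 or -errno. Must start as root: an
 * unprivileged caller gets -EPERM because capset() may not raise bits. */
int drop_privileges_keeping(uid_t uid, gid_t gid, const int *caps, size_t n)
{
#ifdef __linux__
    struct __user_cap_header_struct  hdr;
    struct __user_cap_data_struct    data[2];
    cap_mask_t  m = cap_mask(caps, n);
    int         rc = 0;

    /* 1. Without this the kernel clears the permitted set on setuid(). */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1) return -errno;

    /* 2. Change identity, groups first while we still may. */
    if (setgid(gid) == -1 || setuid(uid) == -1) {
        rc = -errno;
    } else {
        /* 3. setuid() emptied the effective set; raise the wanted bits again
         *    and shrink permitted to the same set so nothing else survives. */
        memset(&hdr, 0, sizeof(hdr));
        memset(data, 0, sizeof(data));
        hdr.version = _LINUX_CAPABILITY_VERSION_3;
        hdr.pid = 0;                                  /* calling thread */
        data[0].permitted = data[0].effective = m.w[0];
        data[1].permitted = data[1].effective = m.w[1];
        if (syscall(SYS_capset, &hdr, data) == -1) rc = -errno;
    }

    /* 4. KEEPCAPS is only needed around the UID change; switch it off. */
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return rc;
#else
    (void) uid; (void) gid; (void) caps; (void) n;
    return -ENOTSUP;                                  /* Linux-specific */
#endif
}

/* bind() a UDP socket to 127.0.0.1:port and release it again. 0 on success,
 * -errno otherwise: EACCES below port 1024 without CAP_NET_BIND_SERVICE. */
int try_bind_udp(uint16_t port)
{
    struct sockaddr_in  a;
    int  rc = 0, fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd == -1) return -errno;
    memset(&a, 0, sizeof(a));
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    a.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(fd, (struct sockaddr *) &a, sizeof(a)) == -1) rc = -errno;
    close(fd);
    return rc;
}

int main(void)
{
    int keep[] = { CAP_NET_BIND_SERVICE };
    /* 65534 is "nobody" on many distributions: an assumption of this demo. */
    int rc = geteuid() == 0 ? drop_privileges_keeping(65534, 65534, keep, 1) : -EPERM;

    if (rc != 0) { fprintf(stderr, "need root: %s\n", strerror(-rc)); return 1; }
    rc = try_bind_udp(853);                 /* DNS over DTLS port (RFC 8094) */
    printf("uid %u: bind(853) -> %s\n", (unsigned) getuid(), rc ? strerror(-rc) : "ok");
    return rc ? 1 : 0;
}
```

Run as root: the process switches to uid 65534 and bind(853) still succeeds; run as a normal user it stops with "need root: Operation not permitted", because capset() refuses to raise bits the process does not already hold. The same sequence (PR_SET_KEEPCAPS, setuid, capset) is what a worker has to do between reading its configuration as root and serving traffic unprivileged.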

Re: DTLS patches

2018-02-21 Thread Vladimir Homutov
On Wed, Feb 21, 2018 at 10:44:00PM +0800, Wang Shanker wrote:
> Hi,
>
> I noticed that you have introduced `ngx_event_udp_accept()`, which can
> create a separate socket for receiving datagrams from a specific client.
> I understand that it is necessary for DTLS servers. However I wonder
> why it is also called for normal udp servers.

For a normal UDP server this is beneficial if you need to process a
bidirectional stream, i.e. proxying DTLS or similar protocols without
offloading it. Probably this should be at least configurable.

> For UDP servers listening on a port below 1024, such a call will fail if
> the worker processes drop their privileges as a non-root user.
> The following patch solves this problem by retaining CAP_NET_BIND_SERVICE
> after worker processes change UID.

yes, there is an issue in such case, and retaining (partial) permissions
is a possible (but ugly) solution.


Re: DTLS patches

2018-02-21 Thread Wang Shanker
Hi,

I noticed that you have introduced `ngx_event_udp_accept()`, which can 
create a separate socket for receiving datagrams from a specific client. 
I understand that it is necessary for DTLS servers. However I wonder 
why it is also called for normal udp servers.

For UDP servers listening on a port below 1024, such a call will fail if
the worker processes drop their privileges as a non-root user. The
following patch solves this problem by retaining CAP_NET_BIND_SERVICE
after worker processes change UID.

Cheers,

Miao Wang
 

0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch
Description: Binary data


> On 21 Feb 2018, at 22:30, Wang Shanker wrote:
> 
> Hi, of course. I'm implementing RFC8094, which is for transmitting dns
> queries through DTLS. Nginx is used for offloading DTLS encryption and
> the software behind nginx is bind9.
> 
> Cheers,
> 
> Miao Wang
> 
>> On 21 Feb 2018, at 22:12, Vladimir Homutov wrote:
>> 
>> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>>> 
>>> I have tested this patch in my environment. Before the patch is applied,
>>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>>> enabled to work around the problem.
>>> 
>> 
>> Hello,
>> Can you please elaborate on your environment? Do you proxy the DTLS
>> stream directly to the backend, or do you perform DTLS offload?
>> What protocol are you using and which server/client software
>> before/behind nginx?
>> 
>> I'm attaching a refreshed patch against nginx-1.13.9 for those who are
>> interested in testing.
> 

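The behaviour of a per-peer "accepted" UDP socket that this message describes, as an added example that is not code from the thread or from nginx: a listener on 127.0.0.1 with an ephemeral port (so no privilege is needed), a client that sends two datagrams, and an accept step that binds a second socket to the same local address and connect()s it to the peer, after which the kernel routes that peer's next datagram to the new socket while the listener stays idle. The names udp_accept() and demo_udp_accept() are mine; the SO_REUSEADDR/SO_REUSEPORT split mirrors the one in the patch and assumes, as nginx's own listening sockets guarantee, that the listener was created with SO_REUSEADDR too.

```c
/* Added example, not nginx code: the per-peer "UDP accept" behind
 * ngx_event_udp_accept(), run end to end over loopback on an ephemeral port. */
#include <errno.h>
#include <netinet/in.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* UDP socket bound to addr, prepared so a second socket can bind the same
 * addr:port later. Returns the fd, or -1 with errno set (EACCES for a port
 * below 1024 without CAP_NET_BIND_SERVICE, the case raised in the thread). */
static int udp_bind_shared(const struct sockaddr_in *addr)
{
    int e, on = 1, fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd == -1) return -1;
    /* Linux shares a UDP addr:port between sockets that all set SO_REUSEADDR;
     * BSD kernels need SO_REUSEPORT for that, so set it only there (on Linux
     * SO_REUSEPORT would form a load-balancing group, not what we want). */
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &on, sizeof(on)) == -1) goto fail;
#if defined(SO_REUSEPORT) && !defined(__linux__)
    if (setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, &on, sizeof(on)) == -1) goto fail;
#endif
    if (bind(fd, (const struct sockaddr *) addr, sizeof(*addr)) == -1) goto fail;
    return fd;
fail:
    e = errno;
    close(fd);
    errno = e;
    return -1;
}

/* The "accept": a fresh socket on the listener's local address, connect()ed
 * to the peer. The kernel now delivers that peer's datagrams here; everyone
 * else's still land on the listener. Returns the fd or -1 with errno set. */
int udp_accept(const struct sockaddr_in *local, const struct sockaddr_in *peer)
{
    int e, fd = udp_bind_shared(local);
    if (fd != -1 && connect(fd, (const struct sockaddr *) peer, sizeof(*peer)) == -1) {
        e = errno;
        close(fd);
        errno = e;
        fd = -1;
    }
    return fd;
}

/* 1 if a datagram is waiting on fd within timeout_ms, 0 if not, -errno. */
static int readable(int fd, int timeout_ms)
{
    struct pollfd p = { fd, POLLIN, 0 };
    int rc = poll(&p, 1, timeout_ms);
    return rc == -1 ? -errno : (rc > 0 && (p.revents & POLLIN)) ? 1 : 0;
}

/* One listener, one client, two datagrams. Returns 1 when the second datagram
 * reached the connected socket and the listener stayed idle, 0 when it did
 * not, -errno when a call failed. */
int demo_udp_accept(void)
{
    struct sockaddr_in local, peer;
    socklen_t llen = sizeof(local), plen = sizeof(peer);
    int rc, lfd, cfd = -1, afd = -1;
    char buf[64];

    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_addr.s_addr = htonl(INADDR_LOOPBACK);      /* port 0: kernel picks */
    if ((lfd = udp_bind_shared(&local)) == -1) return -errno;

    /* The listener reads the client's first datagram and learns the peer
     * address, which is all ngx_event_recvmsg() has when it calls the accept
     * step; the second datagram from the same peer must then arrive on afd. */
    if (getsockname(lfd, (struct sockaddr *) &local, &llen) == -1
        || (cfd = socket(AF_INET, SOCK_DGRAM, 0)) == -1
        || sendto(cfd, "hello-1", 7, 0, (struct sockaddr *) &local, llen) == -1
        || recvfrom(lfd, buf, sizeof(buf), 0, (struct sockaddr *) &peer, &plen) == -1
        || (afd = udp_accept(&local, &peer)) == -1
        || sendto(cfd, "hello-2", 7, 0, (struct sockaddr *) &local, llen) == -1)
    {
        rc = -errno;
    } else if ((rc = readable(afd, 500)) == 1) {
        rc = readable(lfd, 0) == 0 ? 1 : 0;   /* ...and nothing left on lfd */
    }
    if (afd != -1) close(afd);
    if (cfd != -1) close(cfd);
    close(lfd);
    return rc;
}

int main(void)
{
    int rc = demo_udp_accept();
    if (rc < 0) fprintf(stderr, "failed: %s\n", strerror(-rc));
    else printf("second datagram reached the %s socket\n", rc ? "connected" : "listening");
    return rc == 1 ? 0 : 1;
}
```

Exit status 0 means the second datagram arrived on the connected socket. The `fail:` path in udp_bind_shared() is exactly where a listener on a port below 1024 reports EACCES once the process is no longer root, and the comment on the accept step marks the window the patch inherits: a datagram from the same peer that reaches the shared socket before connect() returns is still delivered to the listener.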

Re: DTLS patches

2018-02-21 Thread Wang Shanker
Hi, of course. I'm implementing RFC8094, which is for transmitting dns
queries through DTLS. Nginx is used for offloading DTLS encryption and
the software behind nginx is bind9.

Cheers,

Miao Wang

> On 21 Feb 2018, at 22:12, Vladimir Homutov wrote:
> 
> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>> 
>> I have tested this patch in my environment. Before the patch is applied,
>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>> enabled to work around the problem.
>> 
> 
> Hello,
> Can you please elaborate on your environment? Do you proxy the DTLS
> stream directly to the backend, or do you perform DTLS offload?
> What protocol are you using and which server/client software
> before/behind nginx?
> 
> I'm attaching a refreshed patch against nginx-1.13.9 for those who are
> interested in testing.


Re: DTLS patches

2018-02-21 Thread Vladimir Homutov
On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>
> I have tested this patch in my environment. Before the patch is applied,
> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
> enabled to work around the problem.
>

Hello,
Can you please elaborate on your environment? Do you proxy the DTLS
stream directly to the backend, or do you perform DTLS offload?
What protocol are you using and which server/client software
before/behind nginx?

I'm attaching a refreshed patch against nginx-1.13.9 for those who are
interested in testing.
# HG changeset patch
# User Vladimir Homutov 
# Date 1519222093 -10800
#  Wed Feb 21 17:08:13 2018 +0300
# Node ID b4b14f20123598d6c4bdff01e3c421e4f180f526
# Parent  88aad69eccef0422719698b54c82e3a020c0fe93
Stream: experimental DTLS support.

With the patch, the "listen" directive in the "stream" block now accepts
both "udp" and "ssl" directives.

The "ssl_protocols" and "proxy_ssl_protocols" directives now accept "DTLSv1"
and "DTLSv1.2" parameters that enable support of the corresponding protocols.

DTLS termination:

    stream {
        # please enable debug log
        error_log logs/error.log debug;

        server {
            # add 'udp' and 'ssl' simultaneously to the listen directive
            listen 127.0.0.1:4443 udp ssl;

            # enable DTLSv1 or DTLSv1.2 or both protocols
            ssl_protocols DTLSv1;

            # setup other SSL options as usual
            ssl_certificate ...;
            ssl_certificate_key ...;

            proxy_pass ...;
        }
    }

DTLS to backends:

    stream {
        # please enable debug log
        error_log logs/error.log debug;

        server {
            listen 127.0.0.1: udp;

            # enable SSL to proxy
            proxy_ssl on;
            # enable DTLSv1 or DTLSv1.2 or both protocols
            proxy_ssl_protocols DTLSv1;

            # setup other proxy SSL options as usual
            proxy_ssl_certificate ...;
            proxy_ssl_certificate_key ...;

            # the backend is a DTLS server
            proxy_pass 127.0.0.1:4433;
        }
    }

diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf
--- a/auto/lib/openssl/conf
+++ b/auto/lib/openssl/conf
@@ -132,4 +132,16 @@ END
 exit 1
 fi
 
+ngx_feature="OpenSSL DTLS support"
+ngx_feature_name="NGX_OPENSSL_DTLS"
+ngx_feature_run=no
+ngx_feature_incs="#include "
+ngx_feature_path=
+ngx_feature_libs="-lssl -lcrypto $NGX_LIBDL"
+ngx_feature_test="DTLSv1_listen(NULL, NULL)"
+. auto/feature
+
+if [ $ngx_found = yes ]; then
+have=NGX_SSL_DTLS . auto/have
+fi
 fi
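Review bot: this hunk ends up defining two macros for one feature: auto/feature emits NGX_OPENSSL_DTLS from `ngx_feature_name="NGX_OPENSSL_DTLS"` when the probe succeeds, and the explicit `have=NGX_SSL_DTLS . auto/have` adds a second name; keep one of them so that #if checks elsewhere in the patch cannot drift apart. As pasted, `ngx_feature_incs="#include "` names no header, so the probe as shown cannot compile until it includes the OpenSSL SSL header that declares DTLSv1_listen(). Making the probe compile-and-link only (`ngx_feature_run=no`) is the right call: an OpenSSL built with no-dtls has no DTLSv1_listen symbol, the link step fails and the feature is disabled cleanly.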
diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h
--- a/src/event/ngx_event.h
+++ b/src/event/ngx_event.h
@@ -507,6 +507,7 @@ void ngx_event_accept(ngx_event_t *ev);
 #if !(NGX_WIN32)
 void ngx_event_recvmsg(ngx_event_t *ev);
 #endif
+ngx_int_t ngx_event_udp_accept(ngx_connection_t *c);
 ngx_int_t ngx_trylock_accept_mutex(ngx_cycle_t *cycle);
 u_char *ngx_accept_log_error(ngx_log_t *log, u_char *buf, size_t len);
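Review bot: the new prototype `ngx_int_t ngx_event_udp_accept(ngx_connection_t *c);` is declared unconditionally, while its companion ngx_event_recvmsg() two lines above sits inside `#if !(NGX_WIN32)`; the definition is added right after ngx_event_recvmsg() in ngx_event_accept.c, so if it lives under that same guard, mirror the guard here, otherwise the header promises a symbol the Win32 build does not have. A one-line comment saying that the function replaces c->fd with a per-peer connected socket would also help, since nothing in the header says how it differs from ngx_event_accept().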
 
diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
--- a/src/event/ngx_event_accept.c
+++ b/src/event/ngx_event_accept.c
@@ -644,6 +644,81 @@ ngx_event_recvmsg(ngx_event_t *ev)
 
 
 ngx_int_t
+ngx_event_udp_accept(ngx_connection_t *c)
+{
+int  on, rc;
+ngx_socket_t fd;
+
+fd = ngx_socket(c->listening->sockaddr->sa_family, SOCK_DGRAM, 0);
+if (fd == (ngx_socket_t) -1) {
+ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+  ngx_socket_n " failed");
+return NGX_ERROR;
+}
+
+if (ngx_nonblocking(fd) == -1) {
+ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+  ngx_nonblocking_n " failed");
+goto failed;
+}
+
+on = 1;
+rc = setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, (char *) , sizeof(int));
+if (rc == -1) {
+ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+  "setsockopt(SO_REUSEADDR, 1) failed");
+goto failed;
+}
+
+#if (NGX_HAVE_REUSEPORT && NGX_FREEBSD)
+on = 1;
+rc = setsockopt(fd, SOL_SOCKET, SO_REUSEPORT, (char *) , sizeof(int));
+if (rc == -1) {
+ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+  "setsockopt(SO_REUSEPORT, 1) failed");
+goto failed;
+}
+#endif
+
+rc = bind(fd, c->listening->sockaddr, c->listening->socklen);
+if (-1 == rc) {
+ngx_log_error(NGX_LOG_EMERG, c->log, ngx_socket_errno,
+  "bind() to %V failed", >listening->addr_text);
+goto failed;
+}
+
+if (connect(fd, c->sockaddr, c->socklen) == -1) {
+ngx_log_error(NGX_LOG_ALERT, c->log, ngx_socket_errno,
+  "connect() failed");
+goto failed;
+}
+
+c->fd = fd;
+c->shared = 0;
+c->recv = ngx_udp_recv;
+
+if (ngx_add_conn && (ngx_event_flags & NGX_USE_EPOLL_EVENT) == 0) {
+if (ngx_add_conn(c) == NGX_ERROR) {
+ goto failed;
+ }
+ 
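Review bot: the `rc = bind(fd, c->listening->sockaddr, c->listening->socklen);` call runs inside the worker for every new peer, so for a listen address below 1024 it fails with EACCES as soon as the worker has dropped root, which is the failure Wang reports in this thread; either keep CAP_NET_BIND_SERVICE across the setuid() the way the worker already keeps CAP_NET_RAW for transparent proxying, or make the per-peer socket optional for plain udp listeners as suggested above. Two smaller points in the same hunk: the bind() failure is logged at NGX_LOG_EMERG while the neighbouring socket(), setsockopt() and connect() failures use NGX_LOG_ALERT, and a per-connection error should not use the level reserved for unrecoverable startup problems; and `if (-1 == rc)` should read `if (rc == -1)` like the other checks in the function. Also worth a comment in the code: any datagram from the same peer that reaches the shared listening socket before connect() returns is still delivered there and will be handled by ngx_event_recvmsg() as a new connection, so callers (DTLS handshake retransmits in particular) have to tolerate that.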

Re: DTLS patches

2018-02-21 Thread shankerwangmiao
Vladimir Homutov Wrote:
---
> On Wed, Feb 21, 2018 at 12:18:27PM +0800, Wang Shanker wrote:
> > Hi, Vladimir
> >
> > `ngx_stream_ssl_init_connection` tries to set tcp_nodelay on the
> > given connection.
> > The following patch adds a test for the type of connection before
> > setting it.
> >
> > Cheers,
> >
> > Miao Wang
> >
> > diff --git a/src/stream/ngx_stream_ssl_module.c
> b/src/stream/ngx_stream_ssl_module.c
> > index f85bbb6..36f7fdd 100644
> > --- a/src/stream/ngx_stream_ssl_module.c
> > +++ b/src/stream/ngx_stream_ssl_module.c
> > @@ -369,7 +369,7 @@ ngx_stream_ssl_init_connection(ngx_ssl_t *ssl,
> ngx_connection_t *c)
> >
> > cscf = ngx_stream_get_module_srv_conf(s,
> ngx_stream_core_module);
> >
> > -if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
> > +if (cscf->tcp_nodelay && c->type == SOCK_STREAM &&
> ngx_tcp_nodelay(c) != NGX_OK) {
> > return NGX_ERROR;
> > }
> >
> >
> 
> Hi, Miao
> 
> The change is indeed correct, it is required since
> http://hg.nginx.org/nginx/rev/29c6d66b83ba
> 
> Have you tried the patches in practice?

I have tested this patch in my environment. Before the patch is applied,
`tcp_nodelay off` needs to be placed in every `server` clause with DTLS
enabled to work around the problem.

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,274289,278704#msg-278704



Re: DTLS patches

2018-02-21 Thread Vladimir Homutov
On Wed, Feb 21, 2018 at 12:18:27PM +0800, Wang Shanker wrote:
> Hi, Vladimir
>
> `ngx_stream_ssl_init_connection` tries to set tcp_nodelay on the given
> connection.
> The following patch adds a test for the type of connection before setting it.
>
> Cheers,
>
> Miao Wang
>
> diff --git a/src/stream/ngx_stream_ssl_module.c 
> b/src/stream/ngx_stream_ssl_module.c
> index f85bbb6..36f7fdd 100644
> --- a/src/stream/ngx_stream_ssl_module.c
> +++ b/src/stream/ngx_stream_ssl_module.c
> @@ -369,7 +369,7 @@ ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, 
> ngx_connection_t *c)
>
> cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);
>
> -if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
> +if (cscf->tcp_nodelay && c->type == SOCK_STREAM && ngx_tcp_nodelay(c) != 
> NGX_OK) {
> return NGX_ERROR;
> }
>
>

Hi, Miao

The change is indeed correct, it is required since
http://hg.nginx.org/nginx/rev/29c6d66b83ba

Have you tried the patches in practice?


Re: DTLS patches

2018-02-20 Thread Wang Shanker
Hi, Vladimir

`ngx_stream_ssl_init_connection` tries to set tcp_nodelay on the given
connection.
The following patch adds a test for the type of connection before setting it.

Cheers,

Miao Wang

diff --git a/src/stream/ngx_stream_ssl_module.c 
b/src/stream/ngx_stream_ssl_module.c
index f85bbb6..36f7fdd 100644
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@@ -369,7 +369,7 @@ ngx_stream_ssl_init_connection(ngx_ssl_t *ssl, 
ngx_connection_t *c)

cscf = ngx_stream_get_module_srv_conf(s, ngx_stream_core_module);

-if (cscf->tcp_nodelay && ngx_tcp_nodelay(c) != NGX_OK) {
+if (cscf->tcp_nodelay && c->type == SOCK_STREAM && ngx_tcp_nodelay(c) != 
NGX_OK) {
return NGX_ERROR;
}
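Review bot: the changed line `+if (cscf->tcp_nodelay && c->type == SOCK_STREAM && ngx_tcp_nodelay(c) != NGX_OK) {` now runs past nginx's 80-column limit; wrap it after `SOCK_STREAM` with the `&&` starting the continuation line. The SOCK_STREAM test is the right guard for a UDP connection, but any other caller of ngx_tcp_nodelay() in the stream modules would need the same test; moving the type check into ngx_tcp_nodelay() itself, or marking UDP connections as already handled when they are created, fixes every call site at once instead of this one.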



> Hello all,
> 
> For all those interested in testing DTLS support, experimental patch
> is now available at 
> http://nginx.org/patches/dtls/
> 
> 
> Check the README.txt for details.
> 
> If you have any feedback, please report to this thread.
> 



Re: DTLS patches

2017-05-18 Thread George
thanks Vladimir :)

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,274289,274312#msg-274312



Re: DTLS patches

2017-05-18 Thread Vladimir Homutov
On Thu, May 18, 2017 at 10:29:16AM -0400, George wrote:
> Thanks for sharing. Is it necessary to compile with --with-debug?
>
no, it will work without debug as well


Re: DTLS patches

2017-05-18 Thread George
Thanks for sharing. Is it necessary to compile with --with-debug?

Posted at Nginx Forum: 
https://forum.nginx.org/read.php?2,274289,274299#msg-274299



DTLS patches

2017-05-18 Thread Vladimir Homutov
Hello all,

For all those interested in testing DTLS support, experimental patch
is now available at http://nginx.org/patches/dtls/

Check the README.txt for details.

If you have any feedback, please report to this thread.