Proxy: added the "proxy_ssl_ciphers" directive.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2024-12-19 21:53:31 -06:00 · 2013-09-23 15:58:28 -07:00 · 2013-09-23 15:58:28 -07:00 · 43736b12de
commit 43736b12de
parent e11584164f
1 changed files with 22 additions and 0 deletions
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@ -80,6 +80,7 @@ typedef struct {
 #if (NGX_HTTP_SSL)
    ngx_uint_t                     ssl;
    ngx_uint_t                     ssl_protocols;
+    ngx_str_t                      ssl_ciphers;
 #endif
 } ngx_http_proxy_loc_conf_t;

@ -538,6 +539,13 @@ static ngx_command_t  ngx_http_proxy_commands[] = {
      offsetof(ngx_http_proxy_loc_conf_t, ssl_protocols),
      &ngx_http_proxy_ssl_protocols },

+    { ngx_string("proxy_ssl_ciphers"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
+      ngx_conf_set_str_slot,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers),
+      NULL },
+
 #endif

      ngx_null_command
@ -2414,6 +2422,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
     *     conf->redirects = NULL;
     *     conf->ssl = 0;
     *     conf->ssl_protocols = 0;
+     *     conf->ssl_ciphers = { 0, NULL };
     */

    conf->upstream.store = NGX_CONF_UNSET;
@ -2735,6 +2744,9 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
                                  |NGX_SSL_TLSv1|NGX_SSL_TLSv1_1
                                  |NGX_SSL_TLSv1_2));

+    ngx_conf_merge_str_value(conf->ssl_ciphers, prev->ssl_ciphers,
+                             "DEFAULT");
+
    if (conf->ssl && ngx_http_proxy_set_ssl(cf, conf) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
@ -3784,6 +3796,16 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
        return NGX_ERROR;
    }

+    if (SSL_CTX_set_cipher_list(plcf->upstream.ssl->ctx,
+                                (const char *) plcf->ssl_ciphers.data)
+        == 0)
+    {
+        ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
+                      "SSL_CTX_set_cipher_list(\"%V\") failed",
+                      &plcf->ssl_ciphers);
+        return NGX_ERROR;
+    }
+
    cln = ngx_pool_cleanup_add(cf->pool, 0);
    if (cln == NULL) {
        return NGX_ERROR;