IntenseWebs/nginx
3
0
Fork 0
mirror of https://github.com/nginx/nginx.git synced 2024-11-24 09:50:18 -06:00
Code Issues Packages Projects Releases Wiki Activity

Stream: OCSP stapling.

Browse Source
This commit is contained in:
Sergey Kandaurov 2024-08-22 14:57:46 +04:00
parent 581cf22673
commit fb89d50eeb
2 changed files with 73 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

60
src/stream/ngx_stream_ssl_module.c
View File

@ -243,6 +243,34 @@ static ngx_command_t ngx_stream_ssl_commands[] = {
0, 0,
NULL }, NULL },
{ ngx_string("ssl_stapling"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_srv_conf_t, stapling),
NULL },
{ ngx_string("ssl_stapling_file"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_srv_conf_t, stapling_file),
NULL },
{ ngx_string("ssl_stapling_responder"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_srv_conf_t, stapling_responder),
NULL },
{ ngx_string("ssl_stapling_verify"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
ngx_conf_set_flag_slot,
NGX_STREAM_SRV_CONF_OFFSET,
offsetof(ngx_stream_ssl_srv_conf_t, stapling_verify),
NULL },
{ ngx_string("ssl_conf_command"), { ngx_string("ssl_conf_command"),
NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2, NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE2,
ngx_conf_set_keyval_slot, ngx_conf_set_keyval_slot,
@ -809,6 +837,8 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_t *cf)
* sscf->ciphers = { 0, NULL }; * sscf->ciphers = { 0, NULL };
* sscf->shm_zone = NULL; * sscf->shm_zone = NULL;
* sscf->ocsp_responder = { 0, NULL }; * sscf->ocsp_responder = { 0, NULL };
* sscf->stapling_file = { 0, NULL };
* sscf->stapling_responder = { 0, NULL };
*/ */
sscf->handshake_timeout = NGX_CONF_UNSET_MSEC; sscf->handshake_timeout = NGX_CONF_UNSET_MSEC;
@ -826,6 +856,8 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_t *cf)
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->ocsp = NGX_CONF_UNSET_UINT; sscf->ocsp = NGX_CONF_UNSET_UINT;
sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR; sscf->ocsp_cache_zone = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
return sscf; return sscf;
} }
@ -885,6 +917,12 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
ngx_conf_merge_ptr_value(conf->ocsp_cache_zone, ngx_conf_merge_ptr_value(conf->ocsp_cache_zone,
prev->ocsp_cache_zone, NULL); prev->ocsp_cache_zone, NULL);
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, "");
conf->ssl.log = cf->log; conf->ssl.log = cf->log;
if (conf->certificates) { if (conf->certificates) {
@ -983,6 +1021,7 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
{ {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
}
if (ngx_ssl_trusted_certificate(cf, &conf->ssl, if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
&conf->trusted_certificate, &conf->trusted_certificate,
@ -995,7 +1034,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) { if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
}
if (conf->ocsp) { if (conf->ocsp) {
@ -1055,6 +1093,17 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
if (conf->stapling) {
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
&conf->stapling_responder, conf->stapling_verify)
!= NGX_OK)
{
return NGX_CONF_ERROR;
}
}
if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) { if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
return NGX_CONF_ERROR; return NGX_CONF_ERROR;
} }
@ -1454,6 +1503,15 @@ ngx_stream_ssl_init(ngx_conf_t *cf)
cscf = cscfp[s]->ctx->srv_conf[ngx_stream_core_module.ctx_index]; cscf = cscfp[s]->ctx->srv_conf[ngx_stream_core_module.ctx_index];
if (sscf->stapling) {
if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, cscf->resolver,
cscf->resolver_timeout)
!= NGX_OK)
{
return NGX_ERROR;
}
}
if (sscf->ocsp) { if (sscf->ocsp) {
if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, cscf->resolver, if (ngx_ssl_ocsp_resolver(cf, &sscf->ssl, cscf->resolver,
cscf->resolver_timeout) cscf->resolver_timeout)

5
src/stream/ngx_stream_ssl_module.h
View File

@ -57,6 +57,11 @@ typedef struct {
ngx_uint_t ocsp; ngx_uint_t ocsp;
ngx_str_t ocsp_responder; ngx_str_t ocsp_responder;
ngx_shm_zone_t *ocsp_cache_zone; ngx_shm_zone_t *ocsp_cache_zone;
ngx_flag_t stapling;
ngx_flag_t stapling_verify;
ngx_str_t stapling_file;
ngx_str_t stapling_responder;
} ngx_stream_ssl_srv_conf_t; } ngx_stream_ssl_srv_conf_t;