Merge pull request #1828 from drawing/master
xquic: support lua cert cb
lianglli authored Jul 26, 2023
2 parents fb29798 + ca1126b commit 66b9539
Showing 7 changed files with 77 additions and 2 deletions.
2 changes: 2 additions & 0 deletions modules/ngx_http_lua_module/config
Expand Up @@ -514,3 +514,5 @@ CORE_INCS="$CORE_INCS $ngx_addon_dir/src/api"
CFLAGS="$CFLAGS -DNDK_SET_VAR"

echo "/* DO NOT EDIT! This file was automatically generated by config */" > "$ngx_addon_dir/src/ngx_http_lua_autoconf.h"

have=T_NGX_HTTP_HAVE_LUA_MODULE . auto/have
11 changes: 11 additions & 0 deletions modules/ngx_http_lua_module/src/ngx_http_lua_ssl_certby.c
Expand Up @@ -231,6 +231,13 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)

hc = c->data;

#if (T_NGX_XQUIC)
if (c->xquic_conn) {
ngx_http_xquic_connection_t *qc = (ngx_http_xquic_connection_t *)c->data;
hc = qc->http_connection;
}
#endif

fc = ngx_http_lua_create_fake_connection(NULL);
if (fc == NULL) {
goto failed;
Expand All @@ -255,6 +262,10 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
fc->log->log_level = c->log->log_level;
fc->ssl = c->ssl;

#if (T_NGX_XQUIC)
fc->xquic_conn = c->xquic_conn;
#endif

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

#if (nginx_version >= 1009000)
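Review bot: The cast of `c->data` to `ngx_http_xquic_connection_t *` in the first hunk is justified only by the `c->xquic_conn` bit, and no comment says that `c->data` has a different type on QUIC connections; if that bit is ever set or copied onto a connection whose `data` is something else, this becomes a type confusion. I would add `/* QUIC: c->data is the ngx_http_xquic_connection_t; the ngx_http_connection_t hangs off it */` above the `if (c->xquic_conn)` block. `qc->http_connection` is then used as `hc` without a NULL check, and whether it can still be unset when the certificate callback runs is not visible on this page. The second hunk copies the bit onto the fake connection next to `fc->ssl = c->ssl`, presumably so that tearing down the fake connection also leaves the shared SSL object alone, which deserves a comment as well. The body of `ngx_http_lua_ssl_cert_handler` starts and ends outside both hunks.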
4 changes: 3 additions & 1 deletion modules/ngx_http_xquic_module/README.md
Expand Up @@ -100,6 +100,8 @@ http {

# 浏览器使用 HTTP3

**注意:浏览器访问需要确保证书受信。**

浏览器默认不会使用 `HTTP3` 请求,需要服务端响应包头 `Alt-Svc` 进行升级说明,浏览器通过响应包头感知到服务端是支持 `HTTP3` 的,下次请求会尝试使用 `HTTP3`

```nginx
Expand Down Expand Up @@ -190,4 +192,4 @@ http {
app: tengine
```
对用户来讲,还是通过 443 端口访问,通过四层负责均衡设备,转换为 `Tengine` 的 2443 端口。
对用户来讲,还是通过 443 端口访问,通过四层负载均衡设备,转换为 `Tengine` 的 2443 端口。
40 changes: 40 additions & 0 deletions modules/ngx_http_xquic_module/ngx_http_xquic.c
Expand Up @@ -20,6 +20,10 @@
#endif


#ifdef T_NGX_HTTP_HAVE_LUA_MODULE
#include <ngx_http_lua_ssl_certby.h>
extern ngx_module_t ngx_http_lua_module;
#endif

ngx_int_t
ngx_http_v3_conn_check_concurrent_cnt(ngx_http_xquic_main_conf_t *qmcf)
Expand Down Expand Up @@ -187,6 +191,22 @@ ngx_http_v3_cert_cb(const char *sni, void **chain,
hc = qc->http_connection;
c = qc->connection;

#ifdef T_NGX_HTTP_HAVE_LUA_MODULE
ngx_http_lua_srv_conf_t *lscf = NULL;

lscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_lua_module);
if (lscf != NULL && lscf->srv.ssl_cert_src.len) {
ngx_ssl_conn_t *ssl_conn = qc->ssl_conn;

ngx_http_lua_ssl_cert_handler(ssl_conn, NULL);
*chain = NULL;
*cert = NULL;
*key = NULL;

return XQC_OK;
}
#endif

/*
* get the server core conf by sni, this is useful when multiple server
* block listen on the same port. but useless when there is noly a single
Expand Down Expand Up @@ -256,6 +276,8 @@ int
ngx_http_v3_conn_create_notify(xqc_h3_conn_t *h3_conn,
const xqc_cid_t *cid, void *user_data)
{
ngx_connection_t *c;

/* we set alp user_data when accept connection */
ngx_http_xquic_connection_t *user_conn = (ngx_http_xquic_connection_t *) user_data;
user_conn->ssl_conn = (ngx_ssl_conn_t *) xqc_h3_conn_get_ssl(h3_conn);
Expand All @@ -265,6 +287,24 @@ ngx_http_v3_conn_create_notify(xqc_h3_conn_t *h3_conn,

xqc_h3_conn_set_user_data(h3_conn, user_conn);

c = user_conn->connection;

if (SSL_set_ex_data(user_conn->ssl_conn, ngx_ssl_connection_index, c) == 0)
{
ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, "|xquic|SSL_set_ex_data() failed|");
return XQC_ERROR;
}

c->xquic_conn = 1;

ngx_ssl_connection_t *p_ssl = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
if (p_ssl == NULL) {
ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, "|xquic|alloc ngx_ssl_connection_t failed|");
return XQC_ERROR;
}
p_ssl->connection = user_conn->ssl_conn;
c->ssl = p_ssl;

return NGX_OK;
}

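Review bot: The return value of `ngx_http_lua_ssl_cert_handler(ssl_conn, NULL)` in `ngx_http_v3_cert_cb` is discarded and the callback returns `XQC_OK` with `*chain`, `*cert` and `*key` set to NULL, so a Lua certificate handler that fails, or that deliberately rejects the handshake, is reported to xquic as success. The handler has a `failed` exit (visible in the ngx_http_lua_ssl_certby.c section), so its result should be checked, for example `if (ngx_http_lua_ssl_cert_handler(ssl_conn, NULL) != 1) { return XQC_ERROR; }`, assuming it keeps the usual certificate-callback convention of returning 1 on success and that `XQC_ERROR` is what this callback's contract expects. If the handler can also suspend while Lua code yields, that case needs its own handling, since returning `XQC_OK` would let the handshake continue before a certificate has been set. In `ngx_http_v3_conn_create_notify` the pointer from `xqc_h3_conn_get_ssl()` is passed to `SSL_set_ex_data()` without a NULL check, and the function mixes `XQC_ERROR` and `NGX_OK` as return codes. Both functions start outside their hunks.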
12 changes: 11 additions & 1 deletion modules/ngx_http_xquic_module/ngx_http_xquic_filter_module.c
Expand Up @@ -465,8 +465,18 @@ ngx_http_xquic_header_filter(ngx_http_request_t *r)

h->hash = 1;
ngx_str_set(&h->key, NGX_HTTP_XQUIC_NAME_SERVER);
if (clcf->server_tokens) {
if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
#if (T_NGX_SERVER_INFO)
ngx_str_set(&h->value, TENGINE_VER);
#else
ngx_str_set(&h->value, NGINX_VER);
#endif
} else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
#if (T_NGX_SERVER_INFO)
ngx_str_set(&h->value, TENGINE_VER_BUILD);
#else
ngx_str_set(&h->value, NGINX_VER_BUILD);
#endif
} else {
ngx_str_set(&h->value, TENGINE);
}
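Review bot: The final `else` branch still sets the value to `TENGINE` unconditionally, while the two new branches switch between `TENGINE_VER*` and `NGINX_VER*` on `T_NGX_SERVER_INFO`; depending on how those macros are defined, a build without `T_NGX_SERVER_INFO` may advertise a different product name when `server_tokens` is off than when it is on. If that is intended, a short comment on the `else` would say so, e.g. `/* server_tokens off: product name only, no version */`. It is also worth confirming that this header now matches what the HTTP/1.x and HTTP/2 header filters emit for the same `server_tokens` value, so that turning tokens off hides the version on every protocol. `ngx_http_xquic_header_filter` starts and ends outside the hunk.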
4 changes: 4 additions & 0 deletions src/core/ngx_connection.h
Expand Up @@ -264,6 +264,10 @@ struct ngx_connection_s {
#if (T_NGX_HAVE_XUDP)
unsigned xudp_tx:1;
#endif

#if (T_NGX_XQUIC)
unsigned xquic_conn:1;
#endif
};


6 changes: 6 additions & 0 deletions src/event/ngx_event_openssl.c
Expand Up @@ -3898,7 +3898,13 @@ ngx_ssl_shutdown(ngx_connection_t *c)
return rc;
}

#if (T_NGX_XQUIC)
if (!c->xquic_conn) {
SSL_free(c->ssl->connection);
}
#else
SSL_free(c->ssl->connection);
#endif
c->ssl = NULL;
c->recv = ngx_recv;

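Review bot: The `!c->xquic_conn` guard covers only this `SSL_free()` near the end of `ngx_ssl_shutdown`; any earlier exit in the function that frees `c->ssl->connection` (the function starts above the hunk, so this is not visible here) would still free an SSL object that presumably belongs to xquic, leaving the QUIC side with a dangling pointer or a double free. The same question applies to whatever shutdown calls run on `c->ssl->connection` before this point, given that `c->ssl` for a QUIC connection is the zero-filled `ngx_ssl_connection_t` allocated in `ngx_http_v3_conn_create_notify` with only `connection` set. The ownership rule deserves a comment at the guard, e.g. `/* QUIC: the SSL object is owned by xquic, never free it here */`. The `#if`/`#else` duplication of the `SSL_free()` line could be avoided by putting only the condition under the preprocessor guard.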
