feature: proxy_ssl_verify_by_lua directives

README.md

@@ -151,6 +151,8 @@ behavior.
 * [ssl_client_hello_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_client_hello_by_lua_file)
 * [ssl_certificate_by_lua_block](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)
 * [ssl_certificate_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_file)
+* [proxy_ssl_verify_by_lua_block](https://github.com/openresty/lua-nginx-module#proxy_ssl_verify_by_lua_block)
+* [proxy_ssl_verify_by_lua_file](https://github.com/openresty/lua-nginx-module#proxy_ssl_verify_by_lua_file)
 * [lua_shared_dict](https://github.com/openresty/lua-nginx-module#lua_shared_dict)
 * [lua_socket_connect_timeout](https://github.com/openresty/lua-nginx-module#lua_socket_connect_timeout)
 * [lua_socket_buffer_size](https://github.com/openresty/lua-nginx-module#lua_socket_buffer_size)
@@ -166,6 +168,7 @@ behavior.
 * [lua_ssl_verify_depth](https://github.com/openresty/lua-nginx-module#lua_ssl_verify_depth)
 * [lua_ssl_key_log](https://github.com/openresty/lua-nginx-module#lua_ssl_key_log)
 * [lua_ssl_conf_command](https://github.com/openresty/lua-nginx-module#lua_ssl_conf_command)
+* [lua_upstream_skip_openssl_default_verify](https://github.com/openresty/lua-nginx-module#lua_upstream_skip_openssl_default_verify)
 * [lua_check_client_abort](https://github.com/openresty/lua-nginx-module#lua_check_client_abort)
 * [lua_max_pending_timers](https://github.com/openresty/lua-nginx-module#lua_max_pending_timers)
 * [lua_max_running_timers](https://github.com/openresty/lua-nginx-module#lua_max_running_timers)

config

@@ -278,6 +278,7 @@ STREAM_LUA_SRCS=" \
                 $ngx_addon_dir/src/ngx_stream_lua_semaphore.c \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.c \
+                $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_verifyby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.c \
                 $ngx_addon_dir/src/ngx_stream_lua_input_filters.c \
                 "
@@ -322,6 +323,7 @@ STREAM_LUA_DEPS=" \
                 $ngx_addon_dir/src/ngx_stream_lua_semaphore.h \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.h \
+                $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_verifyby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.h \
                 $ngx_addon_dir/src/ngx_stream_lua_input_filters.h \
                 "

src/ngx_stream_lua_common.h

@@ -136,6 +136,10 @@
 #define NGX_STREAM_LUA_CONTEXT_SSL_CERT                             0x0040
 #define NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO                     0x0080
 
+#ifdef HAVE_PROXY_SSL_PATCH
+#define NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY                     0x0100
+#endif
+
 
 #define NGX_STREAM_LUA_FFI_NO_REQ_CTX         -100
 #define NGX_STREAM_LUA_FFI_BAD_CONTEXT        -101
@@ -270,6 +274,17 @@ struct ngx_stream_lua_srv_conf_s {
         ngx_str_t                                    ssl_client_hello_src;
         u_char                                      *ssl_client_hello_src_key;
     } srv;
+
+#ifdef HAVE_PROXY_SSL_PATCH
+    struct {
+        ngx_stream_lua_srv_conf_handler_pt           proxy_ssl_verify_handler;
+        ngx_str_t                                    proxy_ssl_verify_src;
+        u_char                                      *proxy_ssl_verify_src_key;
+
+        ngx_flag_t  upstream_skip_openssl_default_verify;
+    } ups;
+#endif
+
 #endif
 
     ngx_flag_t              enable_code_cache; /* whether to enable

src/ngx_stream_lua_control.c

@@ -116,13 +116,19 @@ ngx_stream_lua_ffi_exit(ngx_stream_lua_request_t *r, int status, u_char *err,
         | NGX_STREAM_LUA_CONTEXT_BALANCER
         | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
         | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
+        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
         | NGX_STREAM_LUA_CONTEXT_PREREAD,
         err, errlen) != NGX_OK)
     {
         return NGX_ERROR;
     }
 
     if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
+                        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                         | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO ))
     {
 

src/ngx_stream_lua_coroutine.c

@@ -205,6 +205,9 @@ ngx_stream_lua_coroutine_resume(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
 
@@ -266,6 +269,9 @@ ngx_stream_lua_coroutine_yield(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
 
@@ -426,6 +432,9 @@ ngx_stream_lua_coroutine_status(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_TIMER
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
                                  );
 

src/ngx_stream_lua_ctx.c

@@ -131,6 +131,9 @@ ngx_stream_lua_ffi_set_ctx_ref(ngx_stream_lua_request_t *r, int ref)
 
 #if (NGX_STREAM_SSL)
     if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
+#ifdef HAVE_PROXY_SSL_PATCH
+                        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
+#endif
                         | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO))
     {
         ssl_ctx = ngx_stream_lua_ssl_get_ctx(r->connection->ssl->connection);

src/ngx_stream_lua_module.c

@@ -31,6 +31,10 @@
 #include "ngx_stream_lua_ssl_client_helloby.h"
 #include "ngx_stream_lua_ssl_certby.h"
 
+#ifdef HAVE_PROXY_SSL_PATCH
+#include "ngx_stream_lua_proxy_ssl_verifyby.h"
+#endif
+
 
 #include "ngx_stream_lua_prereadby.h"
 
@@ -422,6 +426,30 @@ static ngx_command_t ngx_stream_lua_cmds[] = {
       0,
       (void *) ngx_stream_lua_ssl_cert_handler_file },
 
+#ifdef HAVE_PROXY_SSL_PATCH
+    /* same context as proxy_pass directive */
+    { ngx_string("proxy_ssl_verify_by_lua_block"),
+      NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_stream_lua_proxy_ssl_verify_by_lua_block,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_stream_lua_proxy_ssl_verify_handler_inline },
+
+    { ngx_string("proxy_ssl_verify_by_lua_file"),
+      NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_stream_lua_proxy_ssl_verify_by_lua,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_stream_lua_proxy_ssl_verify_handler_file },
+
+    { ngx_string("lua_upstream_skip_openssl_default_verify"),
+      NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
+      ngx_conf_set_flag_slot,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      offsetof(ngx_stream_lua_srv_conf_t,
+               ups.upstream_skip_openssl_default_verify),
+      NULL },
+#endif
 
     { ngx_string("lua_ssl_verify_depth"),
       NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
@@ -827,6 +855,10 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf)
      *      lscf->srv.ssl_client_hello_src = { 0, NULL };
      *      lscf->srv.ssl_client_hello_src_key = NULL;
      *
+     *      lscf->ups.proxy_ssl_verify_handler = NULL;
+     *      lscf->ups.proxy_ssl_verify_src = { 0, NULL };
+     *      lscf->ups.proxy_ssl_verify_src_key = NULL;
+     *
      *      lscf->srv.ssl_cert_handler = NULL;
      *      lscf->srv.ssl_cert_src = { 0, NULL };
      *      lscf->srv.ssl_cert_src_key = NULL;
@@ -868,6 +900,9 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf)
     conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
     conf->ssl_certificates = NGX_CONF_UNSET_PTR;
     conf->ssl_certificate_keys = NGX_CONF_UNSET_PTR;
+#ifdef HAVE_PROXY_SSL_PATCH
+    conf->ups.upstream_skip_openssl_default_verify = NGX_CONF_UNSET;
+#endif
 #endif
 
     return conf;
@@ -1002,6 +1037,23 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
                              NULL);
 #endif
 
+#ifdef HAVE_PROXY_SSL_PATCH
+    if (conf->ups.proxy_ssl_verify_src.len == 0) {
+        conf->ups.proxy_ssl_verify_src = prev->ups.proxy_ssl_verify_src;
+        conf->ups.proxy_ssl_verify_handler = prev->ups.proxy_ssl_verify_handler;
+        conf->ups.proxy_ssl_verify_src_key = prev->ups.proxy_ssl_verify_src_key;
+    }
+
+    if (conf->ups.proxy_ssl_verify_src.len) {
+        if (ngx_stream_lua_proxy_ssl_verify_set_callback(cf) != NGX_OK) {
+            return NGX_CONF_ERROR;
+        }
+    }
+
+    ngx_conf_merge_value(conf->ups.upstream_skip_openssl_default_verify,
+                         prev->ups.upstream_skip_openssl_default_verify, 0);
+#endif
+
     if (ngx_stream_lua_set_ssl(cf, conf) != NGX_OK) {
         return NGX_CONF_ERROR;
     }

src/ngx_stream_lua_phase.c

@@ -66,6 +66,12 @@ ngx_stream_lua_ngx_get_phase(lua_State *L)
         lua_pushliteral(L, "content");
         break;
 
+#ifdef HAVE_PROXY_SSL_PATCH
+    case NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY:
+        lua_pushliteral(L, "proxy_ssl_verify");
+        break;
+#endif
+
     case NGX_STREAM_LUA_CONTEXT_LOG:
         lua_pushliteral(L, "log");
         break;