feature: implemented ssl_session_fetch_by_lua* and ssl_session_store_by_lua* config directives for doing (distributed) caching of SSL sessions (via SSL session IDs) for downstream connections.

thanks Zi Lin for the patches.

Author: agentzh

.gitignore

@@ -154,6 +154,9 @@ src/timer.[ch]
 src/config.[ch]
 src/worker.[ch]
 src/certby.[ch]
+src/storeby.[ch]
+src/fetchby.[ch]
+src/ssl.[ch]
 src/ocsp.c
 src/lex.[ch]
 src/balancer.[ch]

.travis.yml

@@ -107,6 +107,8 @@ script:
   - cd ..
   - tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz
   - cd openssl-$OPENSSL_VER/
+  - wget https://raw.githubusercontent.com/openresty/openresty/master/patches/openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch
+  - patch -p1 < openssl-$OPENSSL_VER-sess_set_get_cb_yield.patch
   - ./config shared --prefix=$OPENSSL_PREFIX -DPURIFY > build.log 2>&1 || (cat build.log && exit 1)
   - make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1)
   - sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1)

README.markdown

@@ -357,6 +357,9 @@ HTTP_LUA_SRCS=" \
             $ngx_addon_dir/src/ngx_http_lua_ssl_ocsp.c \
             $ngx_addon_dir/src/ngx_http_lua_lex.c \
             $ngx_addon_dir/src/ngx_http_lua_balancer.c \
+            $ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.c \
+            $ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.c \
+            $ngx_addon_dir/src/ngx_http_lua_ssl.c \
             "
 
 HTTP_LUA_DEPS=" \
@@ -414,6 +417,9 @@ HTTP_LUA_DEPS=" \
             $ngx_addon_dir/src/ngx_http_lua_ssl_certby.h \
             $ngx_addon_dir/src/ngx_http_lua_lex.h \
             $ngx_addon_dir/src/ngx_http_lua_balancer.h \
+            $ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.h \
+            $ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.h \
+            $ngx_addon_dir/src/ngx_http_lua_ssl.h \
             "
 
 CFLAGS="$CFLAGS -DNDK_SET_VAR"

config

@@ -103,17 +103,19 @@ typedef struct {
 
 
 /* must be within 16 bit */
-#define NGX_HTTP_LUA_CONTEXT_SET            0x001
-#define NGX_HTTP_LUA_CONTEXT_REWRITE        0x002
-#define NGX_HTTP_LUA_CONTEXT_ACCESS         0x004
-#define NGX_HTTP_LUA_CONTEXT_CONTENT        0x008
-#define NGX_HTTP_LUA_CONTEXT_LOG            0x010
-#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER  0x020
-#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER    0x040
-#define NGX_HTTP_LUA_CONTEXT_TIMER          0x080
-#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER    0x100
-#define NGX_HTTP_LUA_CONTEXT_BALANCER       0x200
-#define NGX_HTTP_LUA_CONTEXT_SSL_CERT       0x400
+#define NGX_HTTP_LUA_CONTEXT_SET            0x0001
+#define NGX_HTTP_LUA_CONTEXT_REWRITE        0x0002
+#define NGX_HTTP_LUA_CONTEXT_ACCESS         0x0004
+#define NGX_HTTP_LUA_CONTEXT_CONTENT        0x0008
+#define NGX_HTTP_LUA_CONTEXT_LOG            0x0010
+#define NGX_HTTP_LUA_CONTEXT_HEADER_FILTER  0x0020
+#define NGX_HTTP_LUA_CONTEXT_BODY_FILTER    0x0040
+#define NGX_HTTP_LUA_CONTEXT_TIMER          0x0080
+#define NGX_HTTP_LUA_CONTEXT_INIT_WORKER    0x0100
+#define NGX_HTTP_LUA_CONTEXT_BALANCER       0x0200
+#define NGX_HTTP_LUA_CONTEXT_SSL_CERT       0x0400
+#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE 0x0800
+#define NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH 0x1000
 
 
 #ifndef NGX_LUA_NO_FFI_API
@@ -204,10 +206,18 @@ struct ngx_http_lua_main_conf_s {
 union ngx_http_lua_srv_conf_u {
 #if (NGX_HTTP_SSL)
     struct {
-        ngx_http_lua_srv_conf_handler_pt     cert_handler;
-        ngx_str_t                            cert_src;
-        u_char                              *cert_src_key;
-    } ssl;
+        ngx_http_lua_srv_conf_handler_pt     ssl_cert_handler;
+        ngx_str_t                            ssl_cert_src;
+        u_char                              *ssl_cert_src_key;
+
+        ngx_http_lua_srv_conf_handler_pt     ssl_sess_store_handler;
+        ngx_str_t                            ssl_sess_store_src;
+        u_char                              *ssl_sess_store_src_key;
+
+        ngx_http_lua_srv_conf_handler_pt     ssl_sess_fetch_handler;
+        ngx_str_t                            ssl_sess_fetch_src;
+        u_char                              *ssl_sess_fetch_src_key;
+    } srv;
 #endif
 
     struct {

doc/HttpLuaModule.wiki

@@ -318,11 +318,16 @@ ngx_http_lua_ngx_exit(lua_State *L)
                                | NGX_HTTP_LUA_CONTEXT_TIMER
                                | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
                                | NGX_HTTP_LUA_CONTEXT_BALANCER
-                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                               | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
+                               | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
 
     rc = (ngx_int_t) luaL_checkinteger(L, 1);
 
-    if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_CERT) {
+    if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE
+                        | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH))
+    {
 
 #if (NGX_HTTP_SSL)
 
@@ -332,6 +337,10 @@ ngx_http_lua_ngx_exit(lua_State *L)
         ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                        "lua exit with code %i", rc);
 
+        if (ctx->context == NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE) {
+            return 0;
+        }
+
         return lua_yield(L, 0);
 
 #else

src/ngx_http_lua_common.h

@@ -77,7 +77,8 @@ ngx_http_lua_coroutine_create_helper(lua_State *L, ngx_http_request_t *r,
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
                                | NGX_HTTP_LUA_CONTEXT_TIMER
-                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                               | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
 
     vm = ngx_http_lua_get_lua_vm(r, ctx);
 
@@ -153,7 +154,8 @@ ngx_http_lua_coroutine_resume(lua_State *L)
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
                                | NGX_HTTP_LUA_CONTEXT_TIMER
-                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                               | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
 
     p_coctx = ctx->cur_co_ctx;
     if (p_coctx == NULL) {
@@ -213,7 +215,8 @@ ngx_http_lua_coroutine_yield(lua_State *L)
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
                                | NGX_HTTP_LUA_CONTEXT_TIMER
-                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                               | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
 
     coctx = ctx->cur_co_ctx;
 
@@ -362,7 +365,8 @@ ngx_http_lua_coroutine_status(lua_State *L)
                                | NGX_HTTP_LUA_CONTEXT_ACCESS
                                | NGX_HTTP_LUA_CONTEXT_CONTENT
                                | NGX_HTTP_LUA_CONTEXT_TIMER
-                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT);
+                               | NGX_HTTP_LUA_CONTEXT_SSL_CERT
+                               | NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH);
 
     coctx = ngx_http_lua_get_co_ctx(co, ctx);
     if (coctx == NULL) {

src/ngx_http_lua_control.c

@@ -26,6 +26,8 @@
 #include "ngx_http_lua_semaphore.h"
 #include "ngx_http_lua_balancer.h"
 #include "ngx_http_lua_ssl_certby.h"
+#include "ngx_http_lua_ssl_session_storeby.h"
+#include "ngx_http_lua_ssl_session_fetchby.h"
 
 
 static void *ngx_http_lua_create_main_conf(ngx_conf_t *cf);
@@ -525,6 +527,34 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       0,
       (void *) ngx_http_lua_ssl_cert_handler_file },
 
+    { ngx_string("ssl_session_store_by_lua_block"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_http_lua_ssl_sess_store_by_lua_block,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_ssl_sess_store_handler_inline },
+
+    { ngx_string("ssl_session_store_by_lua_file"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_http_lua_ssl_sess_store_by_lua,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_ssl_sess_store_handler_file },
+
+    { ngx_string("ssl_session_fetch_by_lua_block"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_http_lua_ssl_sess_fetch_by_lua_block,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_ssl_sess_fetch_handler_inline },
+
+    { ngx_string("ssl_session_fetch_by_lua_file"),
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_http_lua_ssl_sess_fetch_by_lua,
+      NGX_HTTP_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_ssl_sess_fetch_handler_file },
+
     { ngx_string("lua_ssl_verify_depth"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
       ngx_conf_set_num_slot,
@@ -855,9 +885,18 @@ ngx_http_lua_create_srv_conf(ngx_conf_t *cf)
     }
 
     /* set by ngx_pcalloc:
-     *      lscf->ssl.cert_handler = NULL;
-     *      lscf->ssl.cert_src = { 0, NULL };
-     *      lscf->ssl.cert_src_key = NULL;
+     *      lscf->srv.ssl_cert_handler = NULL;
+     *      lscf->srv.ssl_cert_src = { 0, NULL };
+     *      lscf->srv.ssl_cert_src_key = NULL;
+     *
+     *      lscf->srv.ssl_session_store_handler = NULL;
+     *      lscf->srv.ssl_session_store_src = { 0, NULL };
+     *      lscf->srv.ssl_session_store_src_key = NULL;
+     *
+     *      lscf->srv.ssl_session_fetch_handler = NULL;
+     *      lscf->srv.ssl_session_fetch_src = { 0, NULL };
+     *      lscf->srv.ssl_session_fetch_src_key = NULL;
+     *
      *      lscf->balancer.handler = NULL;
      *      lscf->balancer.src = { 0, NULL };
      *      lscf->balancer.src_key = NULL;
@@ -878,13 +917,13 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     dd("merge srv conf");
 
-    if (conf->ssl.cert_src.len == 0) {
-        conf->ssl.cert_src = prev->ssl.cert_src;
-        conf->ssl.cert_src_key = prev->ssl.cert_src_key;
-        conf->ssl.cert_handler = prev->ssl.cert_handler;
+    if (conf->srv.ssl_cert_src.len == 0) {
+        conf->srv.ssl_cert_src = prev->srv.ssl_cert_src;
+        conf->srv.ssl_cert_src_key = prev->srv.ssl_cert_src_key;
+        conf->srv.ssl_cert_handler = prev->srv.ssl_cert_handler;
     }
 
-    if (conf->ssl.cert_src.len) {
+    if (conf->srv.ssl_cert_src.len) {
         sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
         if (sscf == NULL || sscf->ssl.ctx == NULL) {
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
@@ -913,6 +952,56 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
 #   endif
 
+#endif
+    }
+
+    if (conf->srv.ssl_sess_store_src.len == 0) {
+        conf->srv.ssl_sess_store_src = prev->srv.ssl_sess_store_src;
+        conf->srv.ssl_sess_store_src_key = prev->srv.ssl_sess_store_src_key;
+        conf->srv.ssl_sess_store_handler = prev->srv.ssl_sess_store_handler;
+    }
+
+    if (conf->srv.ssl_sess_store_src.len) {
+        sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
+        if (sscf == NULL || sscf->ssl.ctx == NULL) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no ssl configured for the server");
+
+            return NGX_CONF_ERROR;
+        }
+
+#ifdef LIBRESSL_VERSION_NUMBER
+        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                      "LibreSSL does not support ssl_session_store_by_lua*");
+        return NGX_CONF_ERROR;
+#else
+        SSL_CTX_sess_set_new_cb(sscf->ssl.ctx,
+                                ngx_http_lua_ssl_sess_store_handler);
+#endif
+    }
+
+    if (conf->srv.ssl_sess_fetch_src.len == 0) {
+        conf->srv.ssl_sess_fetch_src = prev->srv.ssl_sess_fetch_src;
+        conf->srv.ssl_sess_fetch_src_key = prev->srv.ssl_sess_fetch_src_key;
+        conf->srv.ssl_sess_fetch_handler = prev->srv.ssl_sess_fetch_handler;
+    }
+
+    if (conf->srv.ssl_sess_fetch_src.len) {
+        sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
+        if (sscf == NULL || sscf->ssl.ctx == NULL) {
+            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                          "no ssl configured for the server");
+
+            return NGX_CONF_ERROR;
+        }
+
+#ifdef LIBRESSL_VERSION_NUMBER
+        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+                      "LibreSSL does not support ssl_session_fetch_by_lua*");
+        return NGX_CONF_ERROR;
+#else
+        SSL_CTX_sess_set_get_cb(sscf->ssl.ctx,
+                                ngx_http_lua_ssl_sess_fetch_handler);
 #endif
     }
 

src/ngx_http_lua_coroutine.c

@@ -84,8 +84,16 @@ ngx_http_lua_ngx_get_phase(lua_State *L)
         lua_pushliteral(L, "ssl_cert");
         break;
 
+    case NGX_HTTP_LUA_CONTEXT_SSL_SESS_STORE:
+        lua_pushliteral(L, "ssl_session_store");
+        break;
+
+    case NGX_HTTP_LUA_CONTEXT_SSL_SESS_FETCH:
+        lua_pushliteral(L, "ssl_session_fetch");
+        break;
+
     default:
-        return luaL_error(L, "unknown phase: %d", (int) ctx->context);
+        return luaL_error(L, "unknown phase: %#x", (int) ctx->context);
     }
 
     return 1;