|
28 | 28 | #include "ngx_stream_lua_balancer.h" |
29 | 29 | #include "ngx_stream_lua_logby.h" |
30 | 30 | #include "ngx_stream_lua_semaphore.h" |
| 31 | +#include "ngx_stream_lua_ssl_client_helloby.h" |
31 | 32 | #include "ngx_stream_lua_ssl_certby.h" |
32 | 33 |
|
33 | 34 |
|
@@ -385,6 +386,20 @@ static ngx_command_t ngx_stream_lua_cmds[] = { |
385 | 386 | offsetof(ngx_stream_lua_srv_conf_t, ssl_ciphers), |
386 | 387 | NULL }, |
387 | 388 |
|
| 389 | + { ngx_string("ssl_client_hello_by_lua_block"), |
| 390 | + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, |
| 391 | + ngx_stream_lua_ssl_client_hello_by_lua_block, |
| 392 | + NGX_STREAM_SRV_CONF_OFFSET, |
| 393 | + 0, |
| 394 | + (void *) ngx_stream_lua_ssl_client_hello_handler_inline }, |
| 395 | + |
| 396 | + { ngx_string("ssl_client_hello_by_lua_file"), |
| 397 | + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, |
| 398 | + ngx_stream_lua_ssl_client_hello_by_lua, |
| 399 | + NGX_STREAM_SRV_CONF_OFFSET, |
| 400 | + 0, |
| 401 | + (void *) ngx_stream_lua_ssl_client_hello_handler_file }, |
| 402 | + |
388 | 403 | { ngx_string("ssl_certificate_by_lua_block"), |
389 | 404 | NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, |
390 | 405 | ngx_stream_lua_ssl_cert_by_lua_block, |
@@ -763,6 +778,10 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf) |
763 | 778 | } |
764 | 779 |
|
765 | 780 | /* set by ngx_pcalloc: |
| 781 | + * lscf->srv.ssl_client_hello_handler = NULL; |
| 782 | + * lscf->srv.ssl_client_hello_src = { 0, NULL }; |
| 783 | + * lscf->srv.ssl_client_hello_src_key = NULL; |
| 784 | + * |
766 | 785 | * lscf->srv.ssl_cert_handler = NULL; |
767 | 786 | * lscf->srv.ssl_cert_src = { 0, NULL }; |
768 | 787 | * lscf->srv.ssl_cert_src_key = NULL; |
@@ -814,14 +833,53 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) |
814 | 833 |
|
815 | 834 | sscf = ngx_stream_conf_get_module_srv_conf(cf, ngx_stream_ssl_module); |
816 | 835 | if (sscf && sscf->listen) { |
| 836 | + if (conf->srv.ssl_client_hello_src.len == 0) { |
| 837 | + conf->srv.ssl_client_hello_src = prev->srv.ssl_client_hello_src; |
| 838 | + conf->srv.ssl_client_hello_src_key = |
| 839 | + prev->srv.ssl_client_hello_src_key; |
| 840 | + conf->srv.ssl_client_hello_handler = |
| 841 | + prev->srv.ssl_client_hello_handler; |
| 842 | + } |
| 843 | + |
| 844 | + if (conf->srv.ssl_client_hello_src.len) { |
| 845 | + if (sscf->ssl.ctx == NULL) { |
| 846 | + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 847 | + "no ssl configured for the server"); |
| 848 | + |
| 849 | + return NGX_CONF_ERROR; |
| 850 | + } |
| 851 | +#ifdef LIBRESSL_VERSION_NUMBER |
| 852 | + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 853 | + "LibreSSL does not support by " |
| 854 | + "ssl_client_hello_by_lua*"); |
| 855 | + return NGX_CONF_ERROR; |
| 856 | + |
| 857 | +#else |
| 858 | + |
| 859 | +# ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB |
| 860 | + |
| 861 | + SSL_CTX_set_client_hello_cb(sscf->ssl.ctx, |
| 862 | + ngx_stream_lua_ssl_client_hello_handler, |
| 863 | + NULL); |
| 864 | + |
| 865 | +# else |
| 866 | + |
| 867 | + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
| 868 | + "OpenSSL too old to support " |
| 869 | + "ssl_client_hello_by_lua*"); |
| 870 | + return NGX_CONF_ERROR; |
| 871 | + |
| 872 | +# endif |
| 873 | +#endif |
| 874 | + } |
| 875 | + |
817 | 876 | if (conf->srv.ssl_cert_src.len == 0) { |
818 | 877 | conf->srv.ssl_cert_src = prev->srv.ssl_cert_src; |
819 | 878 | conf->srv.ssl_cert_src_key = prev->srv.ssl_cert_src_key; |
820 | 879 | conf->srv.ssl_cert_handler = prev->srv.ssl_cert_handler; |
821 | 880 | } |
822 | 881 |
|
823 | 882 | if (conf->srv.ssl_cert_src.len) { |
824 | | - sscf = ngx_stream_conf_get_module_srv_conf(cf, ngx_stream_ssl_module); |
825 | 883 | if (sscf->ssl.ctx == NULL) { |
826 | 884 | ngx_log_error(NGX_LOG_EMERG, cf->log, 0, |
827 | 885 | "no ssl configured for the server"); |
|