change: ssl_session_fetch_by_lua* and ssl_session_store_by_lua* are now only allowed in the http {} context.

Use of these session hooks in the server {} scope did not make much
sense since server name dispatch happens *after* ssl session resumption.

Signed-off-by: Yichun Zhang (agentzh) <[email protected]>

Author: doujiang24

README.markdown

@@ -2485,7 +2485,7 @@ ssl_session_fetch_by_lua_block
 
 **syntax:** *ssl_session_fetch_by_lua_block { lua-script }*
 
-**context:** *server*
+**context:** *http*
 
 **phase:** *right-before-SSL-handshake*
 
@@ -2541,14 +2541,17 @@ apply the following patch to the standard NGINX core 1.11.2 or later:
 
 This directive was first introduced in the `v0.10.6` release.
 
+Note that: this directive is only allowed to used in **http context** from the `v0.10.7` release
+(because SSL session resumption happens before server name dispatch).
+
 [Back to TOC](#directives)
 
 ssl_session_fetch_by_lua_file
 -----------------------------
 
 **syntax:** *ssl_session_fetch_by_lua_file <path-to-lua-script-file>*
 
-**context:** *server*
+**context:** *http*
 
 **phase:** *right-before-SSL-handshake*
 
@@ -2558,14 +2561,17 @@ When a relative path like `foo/bar.lua` is given, they will be turned into the a
 
 This directive was first introduced in the `v0.10.6` release.
 
+Note that: this directive is only allowed to used in **http context** from the `v0.10.7` release
+(because SSL session resumption happens before server name dispatch).
+
 [Back to TOC](#directives)
 
 ssl_session_store_by_lua_block
 ------------------------------
 
 **syntax:** *ssl_session_store_by_lua_block { lua-script }*
 
-**context:** *server*
+**context:** *http*
 
 **phase:** *right-after-SSL-handshake*
 
@@ -2592,14 +2598,17 @@ But do not forget to comment this line out before publishing your site to the wo
 
 This directive was first introduced in the `v0.10.6` release.
 
+Note that: this directive is only allowed to used in **http context** from the `v0.10.7` release
+(because SSL session resumption happens before server name dispatch).
+
 [Back to TOC](#directives)
 
 ssl_session_store_by_lua_file
 -----------------------------
 
 **syntax:** *ssl_session_store_by_lua_file <path-to-lua-script-file>*
 
-**context:** *server*
+**context:** *http*
 
 **phase:** *right-before-SSL-handshake*
 
@@ -2609,6 +2618,9 @@ When a relative path like `foo/bar.lua` is given, they will be turned into the a
 
 This directive was first introduced in the `v0.10.6` release.
 
+Note that: this directive is only allowed to used in **http context** from the `v0.10.7` release
+(because SSL session resumption happens before server name dispatch).
+
 [Back to TOC](#directives)
 
 lua_shared_dict

doc/HttpLuaModule.wiki

@@ -2087,7 +2087,7 @@ This directive was first introduced in the <code>v0.10.0</code> release.
 
 '''syntax:''' ''ssl_session_fetch_by_lua_block { lua-script }''
 
-'''context:''' ''server''
+'''context:''' ''http''
 
 '''phase:''' ''right-before-SSL-handshake''
 
@@ -2143,11 +2143,14 @@ http://openresty.org/download/nginx-1.11.2-nonblocking_ssl_handshake_hooks.patch
 
 This directive was first introduced in the <code>v0.10.6</code> release.
 
+Note that: this directive is only allowed to used in '''http context''' from the <code>v0.10.7</code> release
+(because SSL session resumption happens before server name dispatch).
+
 == ssl_session_fetch_by_lua_file ==
 
 '''syntax:''' ''ssl_session_fetch_by_lua_file <path-to-lua-script-file>''
 
-'''context:''' ''server''
+'''context:''' ''http''
 
 '''phase:''' ''right-before-SSL-handshake''
 
@@ -2157,11 +2160,14 @@ When a relative path like <code>foo/bar.lua</code> is given, they will be turned
 
 This directive was first introduced in the <code>v0.10.6</code> release.
 
+Note that: this directive is only allowed to used in '''http context''' from the <code>v0.10.7</code> release
+(because SSL session resumption happens before server name dispatch).
+
 == ssl_session_store_by_lua_block ==
 
 '''syntax:''' ''ssl_session_store_by_lua_block { lua-script }''
 
-'''context:''' ''server''
+'''context:''' ''http''
 
 '''phase:''' ''right-after-SSL-handshake''
 
@@ -2188,11 +2194,14 @@ But do not forget to comment this line out before publishing your site to the wo
 
 This directive was first introduced in the <code>v0.10.6</code> release.
 
+Note that: this directive is only allowed to used in '''http context''' from the <code>v0.10.7</code> release
+(because SSL session resumption happens before server name dispatch).
+
 == ssl_session_store_by_lua_file ==
 
 '''syntax:''' ''ssl_session_store_by_lua_file <path-to-lua-script-file>''
 
-'''context:''' ''server''
+'''context:''' ''http''
 
 '''phase:''' ''right-before-SSL-handshake''
 
@@ -2202,6 +2211,9 @@ When a relative path like <code>foo/bar.lua</code> is given, they will be turned
 
 This directive was first introduced in the <code>v0.10.6</code> release.
 
+Note that: this directive is only allowed to used in '''http context''' from the <code>v0.10.7</code> release
+(because SSL session resumption happens before server name dispatch).
+
 == lua_shared_dict ==
 
 '''syntax:''' ''lua_shared_dict <name> <size>''

src/ngx_http_lua_module.c

@@ -530,28 +530,28 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       (void *) ngx_http_lua_ssl_cert_handler_file },
 
     { ngx_string("ssl_session_store_by_lua_block"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_http_lua_ssl_sess_store_by_lua_block,
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_ssl_sess_store_handler_inline },
 
     { ngx_string("ssl_session_store_by_lua_file"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
       ngx_http_lua_ssl_sess_store_by_lua,
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_ssl_sess_store_handler_file },
 
     { ngx_string("ssl_session_fetch_by_lua_block"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_http_lua_ssl_sess_fetch_by_lua_block,
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
       (void *) ngx_http_lua_ssl_sess_fetch_handler_inline },
 
     { ngx_string("ssl_session_fetch_by_lua_file"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      NGX_HTTP_MAIN_CONF|NGX_CONF_TAKE1,
       ngx_http_lua_ssl_sess_fetch_by_lua,
       NGX_HTTP_SRV_CONF_OFFSET,
       0,
@@ -983,21 +983,18 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     if (conf->srv.ssl_sess_store_src.len) {
         sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
-        if (sscf == NULL || sscf->ssl.ctx == NULL) {
+        if (sscf && sscf->ssl.ctx) {
+#ifdef LIBRESSL_VERSION_NUMBER
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no ssl configured for the server");
+                          "LibreSSL does not support "
+                          "ssl_session_store_by_lua*");
 
             return NGX_CONF_ERROR;
-        }
-
-#ifdef LIBRESSL_VERSION_NUMBER
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                      "LibreSSL does not support ssl_session_store_by_lua*");
-        return NGX_CONF_ERROR;
 #else
-        SSL_CTX_sess_set_new_cb(sscf->ssl.ctx,
-                                ngx_http_lua_ssl_sess_store_handler);
+            SSL_CTX_sess_set_new_cb(sscf->ssl.ctx,
+                                    ngx_http_lua_ssl_sess_store_handler);
 #endif
+        }
     }
 
     if (conf->srv.ssl_sess_fetch_src.len == 0) {
@@ -1008,21 +1005,18 @@ ngx_http_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     if (conf->srv.ssl_sess_fetch_src.len) {
         sscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_ssl_module);
-        if (sscf == NULL || sscf->ssl.ctx == NULL) {
+        if (sscf && sscf->ssl.ctx) {
+#ifdef LIBRESSL_VERSION_NUMBER
             ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "no ssl configured for the server");
+                          "LibreSSL does not support "
+                          "ssl_session_fetch_by_lua*");
 
             return NGX_CONF_ERROR;
-        }
-
-#ifdef LIBRESSL_VERSION_NUMBER
-        ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                      "LibreSSL does not support ssl_session_fetch_by_lua*");
-        return NGX_CONF_ERROR;
 #else
-        SSL_CTX_sess_set_get_cb(sscf->ssl.ctx,
-                                ngx_http_lua_ssl_sess_fetch_handler);
+            SSL_CTX_sess_set_get_cb(sscf->ssl.ctx,
+                                    ngx_http_lua_ssl_sess_fetch_handler);
 #endif
+        }
     }
 
 #endif  /* NGX_HTTP_SSL */