From f1963a51541845741ce8be881a436c1b47372e5d Mon Sep 17 00:00:00 2001
From: James Callahan
Date: Wed, 21 Mar 2018 11:09:35 +1100
Subject: [PATCH 1/3] balancer: Add set_ssl_ctx as binding to ngx_lua_ffi_balancer_set_ssl_ctx
---
 lib/ngx/balancer.lua | 24 ++++++++++++++++++++++++
 1 file changed, 24 insertions(+)
diff --git a/lib/ngx/balancer.lua b/lib/ngx/balancer.lua
index 1c72e1500..716242323 100644
--- a/lib/ngx/balancer.lua
+++ b/lib/ngx/balancer.lua
@@ -21,6 +21,7 @@ local subsystem = ngx.config.subsystem
 local ngx_lua_ffi_balancer_set_current_peer
 local ngx_lua_ffi_balancer_set_more_tries
 local ngx_lua_ffi_balancer_get_last_failure
+local ngx_lua_ffi_balancer_set_ssl_ctx
 local ngx_lua_ffi_balancer_set_timeouts
 -- used by both stream and http
@@ -35,6 +36,9 @@ if subsystem == 'http' then
 int ngx_http_lua_ffi_balancer_get_last_failure(ngx_http_request_t *r, int *status, char **err);
+ int ngx_http_lua_ffi_balancer_set_ssl_ctx(ngx_http_request_t *r,
+ void* ssl_ctx, char **err);
+
 int ngx_http_lua_ffi_balancer_set_timeouts(ngx_http_request_t *r, long connect_timeout, long send_timeout, long read_timeout, char **err);
@@ -49,6 +53,9 @@ if subsystem == 'http' then
 ngx_lua_ffi_balancer_get_last_failure = C.ngx_http_lua_ffi_balancer_get_last_failure
+ ngx_lua_ffi_balancer_set_ssl_ctx =
+ C.ngx_http_lua_ffi_balancer_set_ssl_ctx
+
 ngx_lua_ffi_balancer_set_timeouts = C.ngx_http_lua_ffi_balancer_set_timeouts
@@ -163,6 +170,23 @@ function _M.get_last_failure()
 end
+if subsystem == 'http' then
+ function _M.set_ssl_ctx(ssl_ctx)
+ local r = getfenv(0).__ngx_req
+ if not r then
+ error("no request found")
+ end
+
+ local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg)
+
+ if state == FFI_ERROR then
+ return false, ffi_str(errmsg[0])
+ end
+ return true
+ end
+end
+
+
 function _M.set_timeouts(connect_timeout, send_timeout, read_timeout)
 local r = getfenv(0).__ngx_req
 if not r then
From 4195769af2966ba54deee994a5f4c1b1cac20170 Mon Sep 17 00:00:00 2001
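Review bot: The new cdef line writes the pointer as `void* ssl_ctx`, while every other declaration in this block attaches the star to the name (`ngx_http_request_t *r`, `char **err`); for consistency use `void *ssl_ctx, char **err);`. Because the parameter is an untyped `void *`, LuaJIT will convert any pointer cdata to it without complaint, so the declaration itself gives no type safety and whatever validation exists has to live in the Lua wrapper. The `ffi.cdef` block this hunk sits in starts and ends outside the hunk.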
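Review bot: `_M.set_ssl_ctx` hands `ssl_ctx` straight to the C binding with no comment stating what the caller is responsible for, and the Lua side has no way to confirm the pointer refers to a live `SSL_CTX`; a header comment should spell out that contract, e.g. `-- ssl_ctx: FFI pointer to a live SSL_CTX; the C side takes its own reference (see balancer.md in this series), so the caller may drop its handle afterwards, but a dangling or wrongly typed pointer is undefined behaviour.` Patch 3 of the series documents the reference-count behaviour only in the markdown, so the code carries no hint of it. Since the definition sits inside `if subsystem == 'http' then`, under the stream subsystem `_M.set_ssl_ctx` is simply `nil` and a caller gets a generic "attempt to call a nil value" error; consider an `else` branch with `_M.set_ssl_ctx = function() return false, "set_ssl_ctx is not supported in the stream subsystem" end` so the unsupported case fails with a clear message. `errmsg`, `FFI_ERROR` and `ffi_str` are defined outside this hunk.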
From: James Callahan
Date: Wed, 21 Mar 2018 12:20:06 +1100
Subject: [PATCH 2/3] balancer.set_ssl_ctx: Check that argument is ffi cdata
---
 lib/ngx/balancer.lua | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/ngx/balancer.lua b/lib/ngx/balancer.lua
index 716242323..6fdb33243 100644
--- a/lib/ngx/balancer.lua
+++ b/lib/ngx/balancer.lua
@@ -177,6 +177,10 @@ if subsystem == 'http' then
 error("no request found")
 end
+ if type(ssl_ctx) ~= "cdata" then
+ error("ssl context must be an ffi pointer")
+ end
+
 local state = ngx_lua_ffi_balancer_set_ssl_ctx(r, ssl_ctx, errmsg)
 if state == FFI_ERROR then
From 190e1ed797fcc099be90ebf4a3e73471914ce266 Mon Sep 17 00:00:00 2001
From: James Callahan
Date: Wed, 21 Mar 2018 12:23:51 +1100
Subject: [PATCH 3/3] Document balancer.set_ssl_ctx
---
 lib/ngx/balancer.md | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/lib/ngx/balancer.md b/lib/ngx/balancer.md
index b2f852be1..710888cc4 100644
--- a/lib/ngx/balancer.md
+++ b/lib/ngx/balancer.md
@@ -207,6 +207,18 @@ method always returns a single `nil` value.
 [Back to TOC](#table-of-contents)
+set_ssl_ctx
+----------------
+**syntax:** *ok, err = balancer.set_ssl_ctx(ssl_ctx)*
+
+**context:** *balancer_by_lua**
+
+Set the OpenSSL `SSL_CTX*` used to negotiate with the upstream. `ssl_ctx` should be an FFI pointer to a valid `SSL_CTX`. The reference count of the `SSL_CTX*` is incremented, so it is safe to free your reference to the object.
+
+This function does not exist in the stream module.
+
+[Back to TOC](#table-of-contents)
+
 set_timeouts
 ------------
 **syntax:** `ok, err = balancer.set_timeouts(connect_timeout, send_timeout, read_timeout)`
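Review bot: The added `type(ssl_ctx) ~= "cdata"` guard is weaker than both its error message and the documented contract ("an FFI pointer to a valid `SSL_CTX`"): any pointer cdata, for example a `char *` or a pointer to an unrelated struct, converts implicitly to the binding's `void *` parameter and is passed through, and the C side cannot tell the difference. If an `SSL_CTX` typedef is in scope in this file (not visible from the hunk), `if not ffi.istype("SSL_CTX *", ssl_ctx) then` would enforce the documented type; otherwise the message should describe what is actually checked, e.g. `error("ssl_ctx must be FFI cdata")`. Checking the argument before the `__ngx_req` lookup would also let a bad call fail fast outside a request context, though that is a matter of taste. The enclosing `_M.set_ssl_ctx` function starts and ends outside this hunk.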