| author | Sergey Kandaurov <pluknet@nginx.com> | 2025-02-05 19:16:05 +0400 |
|---|---|---|
| committer | pluknet <pluknet@nginx.com> | 2025-04-10 17:27:45 +0400 |
| commit | 6c3a9d561271ec451f479a84fbe54c81a63dad2e (patch) | |
| tree | ca1adabfd7fd5c54904e0185e3aac70e6825e98a /src/http/ngx_http_upstream.h | |
| parent | a813c639211728a1441945dee149b44a0935f48b (diff) | |
| download | nginx-6c3a9d561271ec451f479a84fbe54c81a63dad2e.tar.gz nginx-6c3a9d561271ec451f479a84fbe54c81a63dad2e.tar.bz2 | |
Upstream: fixed passwords support for dynamic certificates.
Passwords were not preserved in optimized SSL contexts; the bug had
appeared in d791b4aab (1.23.1), as in the following configuration:
```nginx
server {
    proxy_ssl_password_file password;
    proxy_ssl_certificate $ssl_server_name.crt;
    proxy_ssl_certificate_key $ssl_server_name.key;

    location /original/ {
        proxy_pass https://u1/;
    }

    location /optimized/ {
        proxy_pass https://u2/;
    }
}
```
The fix is to always preserve passwords, by copying to the configuration
pool, if dynamic certificates are used. This is done as part of merging
"ssl_passwords" configuration.
To minimize the number of copies, a preserved version is then used for
inheritance. A notable exception is inheritance of preserved empty
passwords to the context with statically configured certificates:
```nginx
server {
    proxy_ssl_certificate $ssl_server_name.crt;
    proxy_ssl_certificate_key $ssl_server_name.key;

    location / {
        proxy_pass ...;
        proxy_ssl_certificate example.com.crt;
        proxy_ssl_certificate_key example.com.key;
    }
}
```
In this case, an unmodified version (NULL) of empty passwords is set,
to allow reading them from the password prompt on nginx startup.
As an additional optimization, a preserved instance of inherited
configured passwords is set to the previous level, to inherit it
to other contexts:
```nginx
server {
    proxy_ssl_password_file password;

    location /1/ {
        proxy_pass https://u1/;
        proxy_ssl_certificate $ssl_server_name.crt;
        proxy_ssl_certificate_key $ssl_server_name.key;
    }

    location /2/ {
        proxy_pass https://u2/;
        proxy_ssl_certificate $ssl_server_name.crt;
        proxy_ssl_certificate_key $ssl_server_name.key;
    }
}
```
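The merge rules the commit message spells out (preserve when certificates are dynamic, inherit the preserved instance, hand it back to the previous level, and the exception for preserved empty passwords meeting a static certificate) can be followed more easily in a small model. The block below is an added illustration and is not nginx code: `pw_list_t`, `conf_t`, `model_merge_ssl_passwords()` and the two `check_*` functions are invented names, "preserved" stands in for "copied to the configuration pool", and the certificate path is assumed to have been merged from the previous level already, as the directive merge does before this step. The two check functions replay the second and third configurations from the commit message on constructed data.

```c
#include <stdlib.h>
#include <string.h>

/* Added illustration, not nginx code: a hypothetical model of the
 * ssl_passwords merge rules described in the commit message. All names are
 * invented; "preserved" stands in for "copied to the configuration pool". */

typedef struct {
    char   **items;     /* password strings from the password file */
    size_t   n;         /* 0 means an empty password list */
    int      preserved; /* 1 once copied to long-lived storage */
} pw_list_t;

typedef struct {
    const char *certificate; /* assumed already merged from the previous level */
    pw_list_t  *passwords;   /* NULL = no password file at this level */
} conf_t;

/* A certificate path containing a variable is loaded per request. */
static int is_dynamic(const char *cert)
{
    return cert != NULL && strchr(cert, '$') != NULL;
}

/* Deep copy into long-lived storage (never freed here, like a configuration
 * pool). NULL is preserved as an empty, non-NULL list, which is what later
 * levels then inherit. */
static pw_list_t *preserve(const pw_list_t *src)
{
    size_t     i, n = src ? src->n : 0;
    pw_list_t *dst = calloc(1, sizeof(*dst));
    dst->items = calloc(n + 1, sizeof(char *));
    for (i = 0; i < n; i++) {
        size_t len = strlen(src->items[i]) + 1;
        dst->items[i] = memcpy(malloc(len), src->items[i], len);
    }
    dst->n = n;
    dst->preserved = 1;
    return dst;
}

/* Merge conf with its previous level; returns 1 if a copy was made. */
int model_merge_ssl_passwords(conf_t *conf, conf_t *prev)
{
    int inherited = 0;
    if (conf->passwords == NULL) {
        inherited = (prev->passwords != NULL);
        conf->passwords = prev->passwords;
        /* Exception: a preserved empty list must not reach a context with a
         * static certificate; keep NULL so the startup password prompt works. */
        if (conf->passwords != NULL && conf->passwords->preserved
            && conf->passwords->n == 0 && !is_dynamic(conf->certificate))
        {
            conf->passwords = NULL;
        }
    }
    if (!is_dynamic(conf->certificate)) {
        return 0;
    }
    if (conf->passwords != NULL && conf->passwords->preserved) {
        return 0; /* already preserved at a previous level, share it */
    }
    conf->passwords = preserve(conf->passwords);
    if (inherited) {
        /* Optimization: hand the copy back to the previous level so sibling
         * contexts inherit it without copying again. */
        prev->passwords = conf->passwords;
    }
    return 1;
}

/* Third configuration above: password file in server, dynamic certificates
 * in two locations. Expect one copy, then sharing. Returns 1 on success. */
int check_copy_once(void)
{
    char     *pw[] = { "constructed-passphrase" }; /* constructed sample */
    pw_list_t file = { pw, 1, 0 };
    conf_t    srv = { "server.crt", &file };
    conf_t    loc1 = { "$ssl_server_name.crt", NULL };
    conf_t    loc2 = { "$ssl_server_name.crt", NULL };
    int       c1 = model_merge_ssl_passwords(&loc1, &srv);
    int       c2 = model_merge_ssl_passwords(&loc2, &srv);
    return c1 == 1 && c2 == 0 && loc1.passwords == loc2.passwords
           && loc1.passwords != &file && loc1.passwords->preserved
           && strcmp(loc1.passwords->items[0], pw[0]) == 0;
}

/* Second configuration above: dynamic certificates and no password file in
 * server, static certificate in a location, which must end up with NULL. */
int check_static_keeps_prompt(void)
{
    conf_t http = { NULL, NULL };
    conf_t srv = { "$ssl_server_name.crt", NULL };
    conf_t loc = { "example.com.crt", NULL };
    model_merge_ssl_passwords(&srv, &http);
    model_merge_ssl_passwords(&loc, &srv);
    return srv.passwords != NULL && srv.passwords->preserved
           && srv.passwords->n == 0 && loc.passwords == NULL;
}
```

The first check shows why the copy is pushed back to the previous level: `/1/` pays for the copy and `/2/` ends up pointing at the same preserved list. The second check shows the exception at work: the server level preserves an empty list because its certificate is dynamic, and the location with a static certificate gets NULL back instead of inheriting that empty list.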
Diffstat (limited to 'src/http/ngx_http_upstream.h')
| -rw-r--r-- | src/http/ngx_http_upstream.h | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h index 069c0f7a4..e0a903669 100644 --- a/src/http/ngx_http_upstream.h +++ b/src/http/ngx_http_upstream.h @@ -437,6 +437,10 @@ char *ngx_http_upstream_param_set_slot(ngx_conf_t *cf, ngx_command_t *cmd, ngx_int_t ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf, ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev, ngx_str_t *default_hide_headers, ngx_hash_init_t *hash); +#if (NGX_HTTP_SSL) +ngx_int_t ngx_http_upstream_merge_ssl_passwords(ngx_conf_t *cf, + ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev); +#endif #define ngx_http_conf_upstream_srv_conf(uscf, module) \ |
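Review bot: the new prototype for ngx_http_upstream_merge_ssl_passwords() gives callers no hint that `prev` is written to, although the commit message says a preserved instance of inherited passwords is set to the previous level. Since the declaration is the only thing other modules see, add a one-line comment above it (next to the `#if (NGX_HTTP_SSL)` guard) stating that `prev->ssl_passwords` may be replaced with the preserved copy as a side effect, so the per-module merge functions that call it do not assume the previous-level configuration stays untouched; callers should also check the `ngx_int_t` result for NGX_ERROR, as with ngx_http_upstream_hide_headers_hash() just above it.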
