nginxtra 1.2.8.8 → 1.4.0.8
- data/bin/nginxtra +1 -1
- data/bin/nginxtra_rails +1 -1
- data/lib/nginxtra/version.rb +1 -1
- data/vendor/nginx/CHANGES +202 -63
- data/vendor/nginx/CHANGES.ru +208 -66
- data/vendor/nginx/auto/lib/md5/conf +3 -3
- data/vendor/nginx/auto/lib/perl/conf +3 -1
- data/vendor/nginx/auto/lib/perl/make +21 -16
- data/vendor/nginx/auto/lib/sha1/conf +1 -1
- data/vendor/nginx/auto/modules +25 -4
- data/vendor/nginx/auto/options +7 -1
- data/vendor/nginx/auto/sources +15 -1
- data/vendor/nginx/auto/unix +14 -0
- data/vendor/nginx/src/core/nginx.h +2 -2
- data/vendor/nginx/src/core/ngx_array.c +1 -7
- data/vendor/nginx/src/core/ngx_array.h +2 -2
- data/vendor/nginx/src/core/ngx_connection.c +13 -7
- data/vendor/nginx/src/core/ngx_connection.h +1 -2
- data/vendor/nginx/src/core/ngx_core.h +1 -2
- data/vendor/nginx/src/core/ngx_crypt.c +37 -0
- data/vendor/nginx/src/core/ngx_cycle.h +1 -1
- data/vendor/nginx/src/core/ngx_inet.c +219 -48
- data/vendor/nginx/src/core/ngx_inet.h +1 -1
- data/vendor/nginx/src/event/modules/ngx_devpoll_module.c +7 -1
- data/vendor/nginx/src/event/modules/ngx_eventport_module.c +1 -1
- data/vendor/nginx/src/event/ngx_event.c +5 -1
- data/vendor/nginx/src/event/ngx_event.h +1 -0
- data/vendor/nginx/src/event/ngx_event_connect.c +1 -1
- data/vendor/nginx/src/event/ngx_event_openssl.c +135 -9
- data/vendor/nginx/src/event/ngx_event_openssl.h +9 -0
- data/vendor/nginx/src/event/ngx_event_openssl_stapling.c +1749 -0
- data/vendor/nginx/src/http/modules/ngx_http_addition_filter_module.c +1 -0
- data/vendor/nginx/src/http/modules/ngx_http_chunked_filter_module.c +1 -0
- data/vendor/nginx/src/http/modules/ngx_http_fastcgi_module.c +5 -0
- data/vendor/nginx/src/http/modules/ngx_http_flv_module.c +4 -0
- data/vendor/nginx/src/http/modules/ngx_http_geo_module.c +7 -8
- data/vendor/nginx/src/http/modules/ngx_http_geoip_module.c +10 -12
- data/vendor/nginx/src/http/modules/ngx_http_gunzip_filter_module.c +677 -0
- data/vendor/nginx/src/http/modules/ngx_http_gzip_filter_module.c +3 -0
- data/vendor/nginx/src/http/modules/ngx_http_gzip_static_module.c +36 -10
- data/vendor/nginx/src/http/modules/ngx_http_headers_filter_module.c +31 -13
- data/vendor/nginx/src/http/modules/ngx_http_image_filter_module.c +13 -0
- data/vendor/nginx/src/http/modules/ngx_http_limit_conn_module.c +18 -2
- data/vendor/nginx/src/http/modules/ngx_http_limit_req_module.c +19 -2
- data/vendor/nginx/src/http/modules/ngx_http_map_module.c +1 -1
- data/vendor/nginx/src/http/modules/ngx_http_memcached_module.c +60 -8
- data/vendor/nginx/src/http/modules/ngx_http_mp4_module.c +4 -8
- data/vendor/nginx/src/http/modules/ngx_http_not_modified_filter_module.c +126 -29
- data/vendor/nginx/src/http/modules/ngx_http_proxy_module.c +59 -301
- data/vendor/nginx/src/http/modules/ngx_http_range_filter_module.c +34 -6
- data/vendor/nginx/src/http/modules/ngx_http_realip_module.c +13 -12
- data/vendor/nginx/src/http/modules/ngx_http_scgi_module.c +30 -11
- data/vendor/nginx/src/http/modules/ngx_http_ssi_filter_module.c +1 -0
- data/vendor/nginx/src/http/modules/ngx_http_ssl_module.c +155 -4
- data/vendor/nginx/src/http/modules/ngx_http_ssl_module.h +6 -0
- data/vendor/nginx/src/http/modules/ngx_http_static_module.c +4 -0
- data/vendor/nginx/src/http/modules/ngx_http_stub_status_module.c +90 -3
- data/vendor/nginx/src/http/modules/ngx_http_sub_filter_module.c +1 -0
- data/vendor/nginx/src/http/modules/ngx_http_upstream_ip_hash_module.c +5 -0
- data/vendor/nginx/src/http/modules/ngx_http_upstream_least_conn_module.c +5 -0
- data/vendor/nginx/src/http/modules/ngx_http_uwsgi_module.c +14 -1
- data/vendor/nginx/src/http/modules/ngx_http_xslt_filter_module.c +1 -0
- data/vendor/nginx/src/http/modules/perl/Makefile.PL +4 -2
- data/vendor/nginx/src/http/modules/perl/nginx.pm +1 -1
- data/vendor/nginx/src/http/modules/perl/nginx.xs +36 -3
- data/vendor/nginx/src/http/ngx_http.c +24 -1
- data/vendor/nginx/src/http/ngx_http.h +26 -2
- data/vendor/nginx/src/http/ngx_http_core_module.c +136 -10
- data/vendor/nginx/src/http/ngx_http_core_module.h +37 -13
- data/vendor/nginx/src/http/ngx_http_header_filter_module.c +9 -2
- data/vendor/nginx/src/http/ngx_http_parse.c +404 -0
- data/vendor/nginx/src/http/ngx_http_request.c +840 -517
- data/vendor/nginx/src/http/ngx_http_request.h +37 -25
- data/vendor/nginx/src/http/ngx_http_request_body.c +585 -156
- data/vendor/nginx/src/http/ngx_http_spdy.c +2882 -0
- data/vendor/nginx/src/http/ngx_http_spdy.h +235 -0
- data/vendor/nginx/src/http/ngx_http_spdy_filter_module.c +999 -0
- data/vendor/nginx/src/http/ngx_http_spdy_module.c +351 -0
- data/vendor/nginx/src/http/ngx_http_spdy_module.h +36 -0
- data/vendor/nginx/src/http/ngx_http_special_response.c +3 -1
- data/vendor/nginx/src/http/ngx_http_upstream.c +415 -26
- data/vendor/nginx/src/http/ngx_http_upstream.h +11 -1
- data/vendor/nginx/src/http/ngx_http_upstream_round_robin.c +2 -45
- data/vendor/nginx/src/http/ngx_http_upstream_round_robin.h +0 -2
- data/vendor/nginx/src/http/ngx_http_variables.c +72 -12
- data/vendor/nginx/src/mail/ngx_mail.h +2 -2
- data/vendor/nginx/src/mail/ngx_mail_auth_http_module.c +35 -25
- data/vendor/nginx/src/mail/ngx_mail_core_module.c +5 -1
- metadata +9 -2
@@ -146,7 +146,8 @@ static ngx_http_output_body_filter_pt ngx_http_next_body_filter;
|
|
146
146
|
static ngx_int_t
|
147
147
|
ngx_http_range_header_filter(ngx_http_request_t *r)
|
148
148
|
{
|
149
|
-
time_t
|
149
|
+
time_t if_range_time;
|
150
|
+
ngx_str_t *if_range, *etag;
|
150
151
|
ngx_http_core_loc_conf_t *clcf;
|
151
152
|
ngx_http_range_filter_ctx_t *ctx;
|
152
153
|
|
@@ -174,20 +175,47 @@ ngx_http_range_header_filter(ngx_http_request_t *r)
|
|
174
175
|
goto next_filter;
|
175
176
|
}
|
176
177
|
|
177
|
-
if (r->headers_in.if_range
|
178
|
+
if (r->headers_in.if_range) {
|
178
179
|
|
179
|
-
if_range =
|
180
|
-
|
180
|
+
if_range = &r->headers_in.if_range->value;
|
181
|
+
|
182
|
+
if (if_range->len >= 2 && if_range->data[if_range->len - 1] == '"') {
|
183
|
+
|
184
|
+
if (r->headers_out.etag == NULL) {
|
185
|
+
goto next_filter;
|
186
|
+
}
|
187
|
+
|
188
|
+
etag = &r->headers_out.etag->value;
|
189
|
+
|
190
|
+
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
191
|
+
"http ir:%V etag:%V", if_range, etag);
|
192
|
+
|
193
|
+
if (if_range->len != etag->len
|
194
|
+
|| ngx_strncmp(if_range->data, etag->data, etag->len) != 0)
|
195
|
+
{
|
196
|
+
goto next_filter;
|
197
|
+
}
|
198
|
+
|
199
|
+
goto parse;
|
200
|
+
}
|
201
|
+
|
202
|
+
if (r->headers_out.last_modified_time == (time_t) -1) {
|
203
|
+
goto next_filter;
|
204
|
+
}
|
205
|
+
|
206
|
+
if_range_time = ngx_http_parse_time(if_range->data, if_range->len);
|
181
207
|
|
182
208
|
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
|
183
209
|
"http ir:%d lm:%d",
|
184
|
-
|
210
|
+
if_range_time, r->headers_out.last_modified_time);
|
185
211
|
|
186
|
-
if (
|
212
|
+
if (if_range_time != r->headers_out.last_modified_time) {
|
187
213
|
goto next_filter;
|
188
214
|
}
|
189
215
|
}
|
190
216
|
|
217
|
+
parse:
|
218
|
+
|
191
219
|
ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_range_filter_ctx_t));
|
192
220
|
if (ctx == NULL) {
|
193
221
|
return NGX_ERROR;
|
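Review bot: The entity-tag branch of the If-Range check compares the header byte-for-byte with `r->headers_out.etag->value`, so a weak validator (`W/"..."`) that happens to equal the response ETag is accepted, whereas If-Range calls for a strong comparison. Whether a weak ETag can reach `headers_out.etag` is not visible here (an upstream-supplied one presumably could), so I would reject it before the compare: `if (if_range->len > 2 && if_range->data[0] == 'W' && if_range->data[1] == '/') { goto next_filter; }`. Separately, the debug line `"http ir:%d lm:%d"` is given two `time_t` arguments; `%T` is the ngx_sprintf conversion for `time_t`. The body of `ngx_http_range_header_filter` continues outside both hunks.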
@@ -107,10 +107,12 @@ ngx_module_t ngx_http_realip_module = {
|
|
107
107
|
static ngx_int_t
|
108
108
|
ngx_http_realip_handler(ngx_http_request_t *r)
|
109
109
|
{
|
110
|
-
u_char *
|
110
|
+
u_char *p;
|
111
111
|
size_t len;
|
112
|
+
ngx_str_t *value;
|
112
113
|
ngx_uint_t i, hash;
|
113
114
|
ngx_addr_t addr;
|
115
|
+
ngx_array_t *xfwd;
|
114
116
|
ngx_list_part_t *part;
|
115
117
|
ngx_table_elt_t *header;
|
116
118
|
ngx_connection_t *c;
|
@@ -137,19 +139,20 @@ ngx_http_realip_handler(ngx_http_request_t *r)
|
|
137
139
|
return NGX_DECLINED;
|
138
140
|
}
|
139
141
|
|
140
|
-
|
141
|
-
|
142
|
+
value = &r->headers_in.x_real_ip->value;
|
143
|
+
xfwd = NULL;
|
142
144
|
|
143
145
|
break;
|
144
146
|
|
145
147
|
case NGX_HTTP_REALIP_XFWD:
|
146
148
|
|
147
|
-
|
149
|
+
xfwd = &r->headers_in.x_forwarded_for;
|
150
|
+
|
151
|
+
if (xfwd->elts == NULL) {
|
148
152
|
return NGX_DECLINED;
|
149
153
|
}
|
150
154
|
|
151
|
-
|
152
|
-
ip = r->headers_in.x_forwarded_for->value.data;
|
155
|
+
value = NULL;
|
153
156
|
|
154
157
|
break;
|
155
158
|
|
@@ -178,8 +181,8 @@ ngx_http_realip_handler(ngx_http_request_t *r)
|
|
178
181
|
&& len == header[i].key.len
|
179
182
|
&& ngx_strncmp(p, header[i].lowcase_key, len) == 0)
|
180
183
|
{
|
181
|
-
|
182
|
-
|
184
|
+
value = &header[i].value;
|
185
|
+
xfwd = NULL;
|
183
186
|
|
184
187
|
goto found;
|
185
188
|
}
|
@@ -192,15 +195,13 @@ found:
|
|
192
195
|
|
193
196
|
c = r->connection;
|
194
197
|
|
195
|
-
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, "realip: \"%s\"", ip);
|
196
|
-
|
197
198
|
addr.sockaddr = c->sockaddr;
|
198
199
|
addr.socklen = c->socklen;
|
199
200
|
/* addr.name = c->addr_text; */
|
200
201
|
|
201
|
-
if (ngx_http_get_forwarded_addr(r, &addr,
|
202
|
+
if (ngx_http_get_forwarded_addr(r, &addr, xfwd, value, rlcf->from,
|
202
203
|
rlcf->recursive)
|
203
|
-
|
204
|
+
!= NGX_DECLINED)
|
204
205
|
{
|
205
206
|
return ngx_http_realip_set_addr(r, &addr);
|
206
207
|
}
|
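Review bot: After this change `value` and `xfwd` are alternatives, since each of the three paths in these hunks sets one and NULLs the other, but nothing at the `found:` label says so and `ngx_http_get_forwarded_addr()` receives both. I would add a comment above the call, for example `/* exactly one of xfwd (X-Forwarded-For list) or value (single header) is non-NULL */`. Both inputs are request headers, so the comment should also state that the client address is replaced only subject to the `rlcf->from` list passed along. That check is presumably inside `ngx_http_get_forwarded_addr()`, which is not shown. The handler's body starts and ends outside these hunks.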
@@ -533,10 +533,11 @@ ngx_http_scgi_create_key(ngx_http_request_t *r)
|
|
533
533
|
static ngx_int_t
|
534
534
|
ngx_http_scgi_create_request(ngx_http_request_t *r)
|
535
535
|
{
|
536
|
+
off_t content_length_n;
|
536
537
|
u_char ch, *key, *val, *lowcase_key;
|
537
538
|
size_t len, key_len, val_len, allocated;
|
538
539
|
ngx_buf_t *b;
|
539
|
-
ngx_str_t
|
540
|
+
ngx_str_t content_length;
|
540
541
|
ngx_uint_t i, n, hash, skip_empty, header_params;
|
541
542
|
ngx_chain_t *cl, *body;
|
542
543
|
ngx_list_part_t *part;
|
@@ -545,12 +546,20 @@ ngx_http_scgi_create_request(ngx_http_request_t *r)
|
|
545
546
|
ngx_http_script_engine_t e, le;
|
546
547
|
ngx_http_scgi_loc_conf_t *scf;
|
547
548
|
ngx_http_script_len_code_pt lcode;
|
548
|
-
|
549
|
+
u_char buffer[NGX_OFF_T_LEN];
|
549
550
|
|
550
|
-
|
551
|
-
|
551
|
+
content_length_n = 0;
|
552
|
+
body = r->upstream->request_bufs;
|
552
553
|
|
553
|
-
|
554
|
+
while (body) {
|
555
|
+
content_length_n += ngx_buf_size(body->buf);
|
556
|
+
body = body->next;
|
557
|
+
}
|
558
|
+
|
559
|
+
content_length.data = buffer;
|
560
|
+
content_length.len = ngx_sprintf(buffer, "%O", content_length_n) - buffer;
|
561
|
+
|
562
|
+
len = sizeof("CONTENT_LENGTH") + content_length.len + 1;
|
554
563
|
|
555
564
|
header_params = 0;
|
556
565
|
ignored = NULL;
|
@@ -672,11 +681,8 @@ ngx_http_scgi_create_request(ngx_http_request_t *r)
|
|
672
681
|
|
673
682
|
cl->buf = b;
|
674
683
|
|
675
|
-
b->last =
|
676
|
-
|
677
|
-
+ NGX_OFF_T_LEN + 1,
|
678
|
-
"%ui:CONTENT_LENGTH%Z%V%Z",
|
679
|
-
len, content_length);
|
684
|
+
b->last = ngx_sprintf(b->last, "%ui:CONTENT_LENGTH%Z%V%Z",
|
685
|
+
len, &content_length);
|
680
686
|
|
681
687
|
if (scf->params_len) {
|
682
688
|
ngx_memzero(&e, sizeof(ngx_http_script_engine_t));
|
@@ -978,7 +984,7 @@ ngx_http_scgi_process_header(ngx_http_request_t *r)
|
|
978
984
|
u = r->upstream;
|
979
985
|
|
980
986
|
if (u->headers_in.status_n) {
|
981
|
-
|
987
|
+
goto done;
|
982
988
|
}
|
983
989
|
|
984
990
|
if (u->headers_in.status) {
|
@@ -1009,6 +1015,14 @@ ngx_http_scgi_process_header(ngx_http_request_t *r)
|
|
1009
1015
|
u->state->status = u->headers_in.status_n;
|
1010
1016
|
}
|
1011
1017
|
|
1018
|
+
done:
|
1019
|
+
|
1020
|
+
if (u->headers_in.status_n == NGX_HTTP_SWITCHING_PROTOCOLS
|
1021
|
+
&& r->headers_in.upgrade)
|
1022
|
+
{
|
1023
|
+
u->upgrade = 1;
|
1024
|
+
}
|
1025
|
+
|
1012
1026
|
return NGX_OK;
|
1013
1027
|
}
|
1014
1028
|
|
@@ -1061,6 +1075,8 @@ ngx_http_scgi_create_loc_conf(ngx_conf_t *cf)
|
|
1061
1075
|
conf->upstream.buffering = NGX_CONF_UNSET;
|
1062
1076
|
conf->upstream.ignore_client_abort = NGX_CONF_UNSET;
|
1063
1077
|
|
1078
|
+
conf->upstream.local = NGX_CONF_UNSET_PTR;
|
1079
|
+
|
1064
1080
|
conf->upstream.connect_timeout = NGX_CONF_UNSET_MSEC;
|
1065
1081
|
conf->upstream.send_timeout = NGX_CONF_UNSET_MSEC;
|
1066
1082
|
conf->upstream.read_timeout = NGX_CONF_UNSET_MSEC;
|
@@ -1129,6 +1145,9 @@ ngx_http_scgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
1129
1145
|
ngx_conf_merge_value(conf->upstream.ignore_client_abort,
|
1130
1146
|
prev->upstream.ignore_client_abort, 0);
|
1131
1147
|
|
1148
|
+
ngx_conf_merge_ptr_value(conf->upstream.local,
|
1149
|
+
prev->upstream.local, NULL);
|
1150
|
+
|
1132
1151
|
ngx_conf_merge_msec_value(conf->upstream.connect_timeout,
|
1133
1152
|
prev->upstream.connect_timeout, 60000);
|
1134
1153
|
|
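Review bot: The CONTENT_LENGTH header is now written with an unbounded `ngx_sprintf(b->last, ...)`, where the removed lines appear to have carried a size bound (`+ NGX_OFF_T_LEN + 1`). The write is only safe if the buffer allocated earlier in `ngx_http_scgi_create_request` accounts for the new `len`, and that allocation is outside the hunks. Keeping a bound makes the invariant local: `b->last = ngx_snprintf(b->last, b->end - b->last, "%ui:CONTENT_LENGTH%Z%V%Z", len, &content_length);`. The same reasoning applies to `ngx_sprintf(buffer, "%O", content_length_n)`, which relies on `NGX_OFF_T_LEN` covering the longest `off_t` rendering.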
@@ -18,6 +18,11 @@ typedef ngx_int_t (*ngx_ssl_variable_handler_pt)(ngx_connection_t *c,
|
|
18
18
|
#define NGX_DEFAULT_ECDH_CURVE "prime256v1"
|
19
19
|
|
20
20
|
|
21
|
+
#ifdef TLSEXT_TYPE_next_proto_neg
|
22
|
+
static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
|
23
|
+
const unsigned char **out, unsigned int *outlen, void *arg);
|
24
|
+
#endif
|
25
|
+
|
21
26
|
static ngx_int_t ngx_http_ssl_static_variable(ngx_http_request_t *r,
|
22
27
|
ngx_http_variable_value_t *v, uintptr_t data);
|
23
28
|
static ngx_int_t ngx_http_ssl_variable(ngx_http_request_t *r,
|
@@ -33,6 +38,8 @@ static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
|
|
33
38
|
static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
|
34
39
|
void *conf);
|
35
40
|
|
41
|
+
static ngx_int_t ngx_http_ssl_init(ngx_conf_t *cf);
|
42
|
+
|
36
43
|
|
37
44
|
static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
|
38
45
|
{ ngx_string("SSLv2"), NGX_SSL_SSLv2 },
|
@@ -125,6 +132,13 @@ static ngx_command_t ngx_http_ssl_commands[] = {
|
|
125
132
|
offsetof(ngx_http_ssl_srv_conf_t, client_certificate),
|
126
133
|
NULL },
|
127
134
|
|
135
|
+
{ ngx_string("ssl_trusted_certificate"),
|
136
|
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
137
|
+
ngx_conf_set_str_slot,
|
138
|
+
NGX_HTTP_SRV_CONF_OFFSET,
|
139
|
+
offsetof(ngx_http_ssl_srv_conf_t, trusted_certificate),
|
140
|
+
NULL },
|
141
|
+
|
128
142
|
{ ngx_string("ssl_prefer_server_ciphers"),
|
129
143
|
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
130
144
|
ngx_conf_set_flag_slot,
|
@@ -153,13 +167,41 @@ static ngx_command_t ngx_http_ssl_commands[] = {
|
|
153
167
|
offsetof(ngx_http_ssl_srv_conf_t, crl),
|
154
168
|
NULL },
|
155
169
|
|
170
|
+
{ ngx_string("ssl_stapling"),
|
171
|
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
172
|
+
ngx_conf_set_flag_slot,
|
173
|
+
NGX_HTTP_SRV_CONF_OFFSET,
|
174
|
+
offsetof(ngx_http_ssl_srv_conf_t, stapling),
|
175
|
+
NULL },
|
176
|
+
|
177
|
+
{ ngx_string("ssl_stapling_file"),
|
178
|
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
179
|
+
ngx_conf_set_str_slot,
|
180
|
+
NGX_HTTP_SRV_CONF_OFFSET,
|
181
|
+
offsetof(ngx_http_ssl_srv_conf_t, stapling_file),
|
182
|
+
NULL },
|
183
|
+
|
184
|
+
{ ngx_string("ssl_stapling_responder"),
|
185
|
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
|
186
|
+
ngx_conf_set_str_slot,
|
187
|
+
NGX_HTTP_SRV_CONF_OFFSET,
|
188
|
+
offsetof(ngx_http_ssl_srv_conf_t, stapling_responder),
|
189
|
+
NULL },
|
190
|
+
|
191
|
+
{ ngx_string("ssl_stapling_verify"),
|
192
|
+
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
|
193
|
+
ngx_conf_set_flag_slot,
|
194
|
+
NGX_HTTP_SRV_CONF_OFFSET,
|
195
|
+
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
|
196
|
+
NULL },
|
197
|
+
|
156
198
|
ngx_null_command
|
157
199
|
};
|
158
200
|
|
159
201
|
|
160
202
|
static ngx_http_module_t ngx_http_ssl_module_ctx = {
|
161
203
|
ngx_http_ssl_add_variables, /* preconfiguration */
|
162
|
-
|
204
|
+
ngx_http_ssl_init, /* postconfiguration */
|
163
205
|
|
164
206
|
NULL, /* create main configuration */
|
165
207
|
NULL, /* init main configuration */
|
@@ -225,6 +267,45 @@ static ngx_http_variable_t ngx_http_ssl_vars[] = {
|
|
225
267
|
static ngx_str_t ngx_http_ssl_sess_id_ctx = ngx_string("HTTP");
|
226
268
|
|
227
269
|
|
270
|
+
#ifdef TLSEXT_TYPE_next_proto_neg
|
271
|
+
|
272
|
+
#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
|
273
|
+
|
274
|
+
static int
|
275
|
+
ngx_http_ssl_npn_advertised(ngx_ssl_conn_t *ssl_conn,
|
276
|
+
const unsigned char **out, unsigned int *outlen, void *arg)
|
277
|
+
{
|
278
|
+
#if (NGX_HTTP_SPDY || NGX_DEBUG)
|
279
|
+
ngx_connection_t *c;
|
280
|
+
|
281
|
+
c = ngx_ssl_get_connection(ssl_conn);
|
282
|
+
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "SSL NPN advertised");
|
283
|
+
#endif
|
284
|
+
|
285
|
+
#if (NGX_HTTP_SPDY)
|
286
|
+
{
|
287
|
+
ngx_http_connection_t *hc;
|
288
|
+
|
289
|
+
hc = c->data;
|
290
|
+
|
291
|
+
if (hc->addr_conf->spdy) {
|
292
|
+
*out = (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE;
|
293
|
+
*outlen = sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1;
|
294
|
+
|
295
|
+
return SSL_TLSEXT_ERR_OK;
|
296
|
+
}
|
297
|
+
}
|
298
|
+
#endif
|
299
|
+
|
300
|
+
*out = (unsigned char *) NGX_HTTP_NPN_ADVERTISE;
|
301
|
+
*outlen = sizeof(NGX_HTTP_NPN_ADVERTISE) - 1;
|
302
|
+
|
303
|
+
return SSL_TLSEXT_ERR_OK;
|
304
|
+
}
|
305
|
+
|
306
|
+
#endif
|
307
|
+
|
308
|
+
|
228
309
|
static ngx_int_t
|
229
310
|
ngx_http_ssl_static_variable(ngx_http_request_t *r,
|
230
311
|
ngx_http_variable_value_t *v, uintptr_t data)
|
@@ -326,9 +407,12 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
|
326
407
|
* sscf->dhparam = { 0, NULL };
|
327
408
|
* sscf->ecdh_curve = { 0, NULL };
|
328
409
|
* sscf->client_certificate = { 0, NULL };
|
410
|
+
* sscf->trusted_certificate = { 0, NULL };
|
329
411
|
* sscf->crl = { 0, NULL };
|
330
412
|
* sscf->ciphers = { 0, NULL };
|
331
413
|
* sscf->shm_zone = NULL;
|
414
|
+
* sscf->stapling_file = { 0, NULL };
|
415
|
+
* sscf->stapling_responder = { 0, NULL };
|
332
416
|
*/
|
333
417
|
|
334
418
|
sscf->enable = NGX_CONF_UNSET;
|
@@ -337,6 +421,8 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
|
|
337
421
|
sscf->verify_depth = NGX_CONF_UNSET_UINT;
|
338
422
|
sscf->builtin_session_cache = NGX_CONF_UNSET;
|
339
423
|
sscf->session_timeout = NGX_CONF_UNSET;
|
424
|
+
sscf->stapling = NGX_CONF_UNSET;
|
425
|
+
sscf->stapling_verify = NGX_CONF_UNSET;
|
340
426
|
|
341
427
|
return sscf;
|
342
428
|
}
|
@@ -381,6 +467,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
381
467
|
|
382
468
|
ngx_conf_merge_str_value(conf->client_certificate, prev->client_certificate,
|
383
469
|
"");
|
470
|
+
ngx_conf_merge_str_value(conf->trusted_certificate,
|
471
|
+
prev->trusted_certificate, "");
|
384
472
|
ngx_conf_merge_str_value(conf->crl, prev->crl, "");
|
385
473
|
|
386
474
|
ngx_conf_merge_str_value(conf->ecdh_curve, prev->ecdh_curve,
|
@@ -388,6 +476,11 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
388
476
|
|
389
477
|
ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFAULT_CIPHERS);
|
390
478
|
|
479
|
+
ngx_conf_merge_value(conf->stapling, prev->stapling, 0);
|
480
|
+
ngx_conf_merge_value(conf->stapling_verify, prev->stapling_verify, 0);
|
481
|
+
ngx_conf_merge_str_value(conf->stapling_file, prev->stapling_file, "");
|
482
|
+
ngx_conf_merge_str_value(conf->stapling_responder,
|
483
|
+
prev->stapling_responder, "");
|
391
484
|
|
392
485
|
conf->ssl.log = cf->log;
|
393
486
|
|
@@ -441,6 +534,11 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
441
534
|
|
442
535
|
#endif
|
443
536
|
|
537
|
+
#ifdef TLSEXT_TYPE_next_proto_neg
|
538
|
+
SSL_CTX_set_next_protos_advertised_cb(conf->ssl.ctx,
|
539
|
+
ngx_http_ssl_npn_advertised, NULL);
|
540
|
+
#endif
|
541
|
+
|
444
542
|
cln = ngx_pool_cleanup_add(cf->pool, 0);
|
445
543
|
if (cln == NULL) {
|
446
544
|
return NGX_CONF_ERROR;
|
@@ -480,10 +578,18 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
480
578
|
{
|
481
579
|
return NGX_CONF_ERROR;
|
482
580
|
}
|
581
|
+
}
|
483
582
|
|
484
|
-
|
485
|
-
|
486
|
-
|
583
|
+
if (ngx_ssl_trusted_certificate(cf, &conf->ssl,
|
584
|
+
&conf->trusted_certificate,
|
585
|
+
conf->verify_depth)
|
586
|
+
!= NGX_OK)
|
587
|
+
{
|
588
|
+
return NGX_CONF_ERROR;
|
589
|
+
}
|
590
|
+
|
591
|
+
if (ngx_ssl_crl(cf, &conf->ssl, &conf->crl) != NGX_OK) {
|
592
|
+
return NGX_CONF_ERROR;
|
487
593
|
}
|
488
594
|
|
489
595
|
if (conf->prefer_server_ciphers) {
|
@@ -516,6 +622,17 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
|
|
516
622
|
return NGX_CONF_ERROR;
|
517
623
|
}
|
518
624
|
|
625
|
+
if (conf->stapling) {
|
626
|
+
|
627
|
+
if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
|
628
|
+
&conf->stapling_responder, conf->stapling_verify)
|
629
|
+
!= NGX_OK)
|
630
|
+
{
|
631
|
+
return NGX_CONF_ERROR;
|
632
|
+
}
|
633
|
+
|
634
|
+
}
|
635
|
+
|
519
636
|
return NGX_CONF_OK;
|
520
637
|
}
|
521
638
|
|
@@ -650,3 +767,37 @@ invalid:
|
|
650
767
|
|
651
768
|
return NGX_CONF_ERROR;
|
652
769
|
}
|
770
|
+
|
771
|
+
|
772
|
+
static ngx_int_t
|
773
|
+
ngx_http_ssl_init(ngx_conf_t *cf)
|
774
|
+
{
|
775
|
+
ngx_uint_t s;
|
776
|
+
ngx_http_ssl_srv_conf_t *sscf;
|
777
|
+
ngx_http_core_loc_conf_t *clcf;
|
778
|
+
ngx_http_core_srv_conf_t **cscfp;
|
779
|
+
ngx_http_core_main_conf_t *cmcf;
|
780
|
+
|
781
|
+
cmcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_core_module);
|
782
|
+
cscfp = cmcf->servers.elts;
|
783
|
+
|
784
|
+
for (s = 0; s < cmcf->servers.nelts; s++) {
|
785
|
+
|
786
|
+
sscf = cscfp[s]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
|
787
|
+
|
788
|
+
if (sscf->ssl.ctx == NULL || !sscf->stapling) {
|
789
|
+
continue;
|
790
|
+
}
|
791
|
+
|
792
|
+
clcf = cscfp[s]->ctx->loc_conf[ngx_http_core_module.ctx_index];
|
793
|
+
|
794
|
+
if (ngx_ssl_stapling_resolver(cf, &sscf->ssl, clcf->resolver,
|
795
|
+
clcf->resolver_timeout)
|
796
|
+
!= NGX_OK)
|
797
|
+
{
|
798
|
+
return NGX_ERROR;
|
799
|
+
}
|
800
|
+
}
|
801
|
+
|
802
|
+
return NGX_OK;
|
803
|
+
}
|
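Review bot: `stapling_verify` is merged with a default of 0 and handed to `ngx_ssl_stapling()` unchanged, so unless the operator opts in, the OCSP responder's answer is presumably stapled without server-side verification (the body of `ngx_ssl_stapling` is not shown). That default deserves a comment where it is set, for example `/* stapling_verify is off by default: responder answers are not checked against ssl_trusted_certificate unless enabled */` above the `ngx_conf_merge_value(conf->stapling_verify, ...)` line. `ngx_http_ssl_init()` also has no header comment; one line stating that it runs at postconfiguration and hands each stapling-enabled server its `clcf->resolver` and `clcf->resolver_timeout` would help the next reader. `ngx_http_ssl_merge_srv_conf` continues outside the hunks.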