Klaus Demo nginx / f100c78
*) listen ssl *) no default ssl_cetificate and ssl_cetificate_key Igor Sysoev 13 years ago
12 changed file(s) with 278 addition(s) and 42 deletion(s). Raw diff Collapse all Expand all
1212 ngx_pool_t *pool, ngx_str_t *s);
1313
1414
15 #define NGX_DEFAULT_CERTIFICATE "cert.pem"
16 #define NGX_DEFAULT_CERTIFICATE_KEY "cert.pem"
1715 #define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
1816
1917
2725 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf,
2826 void *parent, void *child);
2927
28 static char *ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
29 void *conf);
3030 static char *ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
3131 void *conf);
3232
6060
6161 { ngx_string("ssl"),
6262 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
63 ngx_conf_set_flag_slot,
63 ngx_http_ssl_enable,
6464 NGX_HTTP_SRV_CONF_OFFSET,
6565 offsetof(ngx_http_ssl_srv_conf_t, enable),
6666 NULL },
338338
339339 ngx_conf_merge_value(conf->enable, prev->enable, 0);
340340
341 if (conf->enable == 0) {
342 return NGX_CONF_OK;
343 }
344
345341 ngx_conf_merge_value(conf->session_timeout,
346342 prev->session_timeout, 300);
347343
355351 ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
356352 ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);
357353
358 ngx_conf_merge_str_value(conf->certificate, prev->certificate,
359 NGX_DEFAULT_CERTIFICATE);
360
361 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
362 NGX_DEFAULT_CERTIFICATE_KEY);
354 ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
355 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
363356
364357 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
365358
370363
371364
372365 conf->ssl.log = cf->log;
366
367 if (conf->enable) {
368
369 if (conf->certificate.len == 0) {
370 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
371 "no \"ssl_certificate\" is defined for "
372 "the \"ssl\" directive in %s:%ui",
373 conf->file, conf->line);
374 return NGX_CONF_ERROR;
375 }
376
377 if (conf->certificate_key.len == 0) {
378 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
379 "no \"ssl_certificate_key\" is defined for "
380 "the \"ssl\" directive in %s:%ui",
381 conf->file, conf->line);
382 return NGX_CONF_ERROR;
383 }
384
385 } else {
386
387 if (conf->certificate.len == 0) {
388 return NGX_CONF_OK;
389 }
390
391 if (conf->certificate_key.len == 0) {
392 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
393 "no \"ssl_certificate_key\" is defined "
394 "for certificate \"%V\"", &conf->certificate);
395 return NGX_CONF_ERROR;
396 }
397 }
373398
374399 if (ngx_ssl_create(&conf->ssl, conf->protocols, conf) != NGX_OK) {
375400 return NGX_CONF_ERROR;
466491
467492
468493 static char *
494 ngx_http_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
495 {
496 ngx_http_ssl_srv_conf_t *sscf = conf;
497
498 char *rv;
499
500 rv = ngx_conf_set_flag_slot(cf, cmd, conf);
501
502 if (rv != NGX_CONF_OK) {
503 return rv;
504 }
505
506 sscf->file = cf->conf_file->file.name.data;
507 sscf->line = cf->conf_file->line;
508
509 return NGX_CONF_OK;
510 }
511
512
513 static char *
469514 ngx_http_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
470515 {
471516 ngx_http_ssl_srv_conf_t *sscf = conf;
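Review bot: In ngx_http_ssl_merge_srv_conf, `conf->file` and `conf->line` used by the `%s:%ui` messages at new lines 373 and 381 are only assigned by ngx_http_ssl_enable, i.e. when the `ssl` directive appears in this server's own block; when `enable` is inherited from `prev` at new line 339 the child's `file` presumably still holds its zeroed default, so the `%s` would be formatted from a NULL pointer. Unless the two fields are merged in a part of the function outside the hunk, carry them over next to the enable merge: `if (conf->file == NULL) { conf->file = prev->file; conf->line = prev->line; }`. ngx_mail_ssl_merge_conf (new lines 238–252) has the same pattern and would need the same line. ngx_http_ssl_merge_srv_conf starts and ends outside the hunks shown.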
3636 ngx_str_t ciphers;
3737
3838 ngx_shm_zone_t *shm_zone;
39
40 u_char *file;
41 ngx_uint_t line;
3942 } ngx_http_ssl_srv_conf_t;
4043
4144
11571157
11581158 in_addr[a].core_srv_conf = cscfp[s];
11591159 in_addr[a].default_server = 1;
1160 #if (NGX_HTTP_SSL)
1161 in_addr[a].ssl = listen[l].conf.ssl;
1162 #endif
11601163 in_addr[a].listen_conf = &listen[l].conf;
11611164 }
11621165
12411244 in_addr->core_srv_conf = cscf;
12421245 in_addr->default_server = listen->conf.default_server;
12431246 in_addr->bind = listen->conf.bind;
1247 #if (NGX_HTTP_SSL)
1248 in_addr->ssl = listen->conf.ssl;
1249 #endif
12441250 in_addr->listen_conf = &listen->conf;
12451251
12461252 return ngx_http_add_names(cf, cscf, in_addr);
16471653 hip->addrs[i].addr = in_addr[i].addr;
16481654 hip->addrs[i].core_srv_conf = in_addr[i].core_srv_conf;
16491655
1656 #if (NGX_HTTP_SSL)
1657 hip->addrs[i].ssl = in_addr[i].ssl;
1658 #endif
1659
16501660 if (in_addr[i].hash.buckets == NULL
16511661 && (in_addr[i].wc_head == NULL
16521662 || in_addr[i].wc_head->hash.buckets == NULL)
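Review bot: At new line 1161 the `ssl` flag of an already-known address is overwritten from the default server's listen only, so a `listen ... ssl` on a non-default server sharing the same address:port appears to be dropped silently, while at new line 1248 a freshly added address takes the flag from whichever listen created it. If the intent is that a port is SSL whenever any listen on it says so, OR the flags instead of assigning, `in_addr[a].ssl = in_addr[a].ssl || listen[l].conf.ssl;`, and apply it for every listen on the address rather than only inside the default-server branch; if only the default server's listen parameters are meant to count, a comment saying so would spare the next reader the question. The surrounding code that decides which listens reach this branch is outside the hunk, so this is inferred from the visible lines. Both enclosing functions start and end outside the hunks.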
30803080 continue;
30813081 }
30823082
3083 if (ngx_strcmp(value[n].data, "ssl") == 0) {
3084 #if (NGX_HTTP_SSL)
3085 ls->conf.ssl = 1;
3086 continue;
3087 #else
3088 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
3089 "the \"ssl\" parameter requires "
3090 "ngx_http_ssl_module");
3091 return NGX_CONF_ERROR;
3092 #endif
3093 }
3094
30833095 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
30843096 "the invalid \"%V\" parameter", &value[n]);
30853097 return NGX_CONF_ERROR;
3434 typedef struct {
3535 unsigned default_server:1;
3636 unsigned bind:1;
37 #if (NGX_HTTP_SSL)
38 unsigned ssl:1;
39 #endif
3740
3841 int backlog;
3942 int rcvbuf;
166169 ngx_http_core_srv_conf_t *core_srv_conf;
167170
168171 ngx_http_virtual_names_t *virtual_names;
172
173 #if (NGX_HTTP_SSL)
174 ngx_uint_t ssl; /* unsigned ssl:1; */
175 #endif
169176 } ngx_http_in_addr_t;
170177
171178
202209
203210 unsigned default_server:1;
204211 unsigned bind:1;
212 #if (NGX_HTTP_SSL)
213 unsigned ssl:1;
214 #endif
205215
206216 ngx_http_listen_conf_t *listen_conf;
207217 } ngx_http_conf_in_addr_t;
356356 ngx_http_ssl_srv_conf_t *sscf;
357357
358358 sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module);
359 if (sscf->enable) {
359 if (sscf->enable || hia[i].ssl) {
360360
361361 if (c->ssl == NULL) {
362
363 c->log->action = "SSL handshaking";
364
365 if (hia[i].ssl && sscf->ssl.ctx == NULL) {
366 ngx_log_error(NGX_LOG_ERR, c->log, 0,
367 "no \"ssl_certificate\" is defined "
368 "in server listening on SSL port");
369 ngx_http_close_connection(c);
370 return;
371 }
372
362373 if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER)
363374 == NGX_ERROR)
364375 {
527538 r->plain_http = 1;
528539 }
529540 }
541
542 c->log->action = "reading client request line";
530543
531544 rev->handler = ngx_http_process_request_line;
532545 ngx_http_process_request_line(rev);
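Review bot: The `sscf->ssl.ctx == NULL` check at new lines 365–371 turns a configuration error (a `listen ... ssl` port whose default server has no certificate) into a per-connection NGX_LOG_ERR plus connection close, so a misconfigured SSL port keeps accepting TCP connections and logs one line for each of them; detecting the condition where the listening addresses are initialized (where `in_addr[i].ssl` is set, new line 1657) would refuse the configuration up front instead. If the runtime guard is kept as a backstop, a comment such as `/* listen ssl without ssl_certificate in the default server: refuse rather than talk plain HTTP on an SSL port */` would record why it is here. The enclosing function starts and ends outside the hunk.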
260260 in_addr->addr = imls[l].addr;
261261 in_addr->ctx = imls[l].ctx;
262262 in_addr->bind = imls[l].bind;
263 #if (NGX_MAIL_SSL)
264 in_addr->ssl = imls[l].ssl;
265 #endif
263266 }
264267
265268 /* optimize the lists of ports and addresses */
369372
370373 imip->addrs[i].addr_text.len = len;
371374 imip->addrs[i].addr_text.data = text;
375
376 #if (NGX_MAIL_SSL)
377 imip->addrs[i].ssl = in_addr[i].ssl;
378 #endif
372379 }
373380
374381 if (done) {
3333 ngx_mail_conf_ctx_t *ctx;
3434
3535 unsigned bind:1;
36 #if (NGX_MAIL_SSL)
37 unsigned ssl:1;
38 #endif
3639 } ngx_mail_listen_t;
3740
3841
4043 in_addr_t addr;
4144 ngx_mail_conf_ctx_t *ctx;
4245 ngx_str_t addr_text;
46 #if (NGX_MAIL_SSL)
47 ngx_uint_t ssl; /* unsigned ssl:1; */
48 #endif
4349 } ngx_mail_in_addr_t;
4450
4551
5965 in_addr_t addr;
6066 ngx_mail_conf_ctx_t *ctx;
6167 unsigned bind:1;
68 #if (NGX_MAIL_SSL)
69 unsigned ssl:1;
70 #endif
6271 } ngx_mail_conf_in_addr_t;
6372
6473
350350 }
351351 }
352352
353 if (cf->args->nelts == 2) {
354 return NGX_CONF_OK;
355 }
356
357 if (ngx_strcmp(value[2].data, "bind") == 0) {
358 imls->bind = 1;
359 return NGX_CONF_OK;
360 }
361
362 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
363 "the invalid \"%V\" parameter", &value[2]);
364 return NGX_CONF_ERROR;
353 for (i = 2; i < cf->args->nelts; i++) {
354
355 if (ngx_strcmp(value[i].data, "bind") == 0) {
356 imls->bind = 1;
357 continue;
358 }
359
360 if (ngx_strcmp(value[i].data, "ssl") == 0) {
361 #if (NGX_MAIL_SSL)
362 imls->ssl = 1;
363 continue;
364 #else
365 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
366 "the \"ssl\" parameter requires "
367 "ngx_mail_ssl_module");
368 return NGX_CONF_ERROR;
369 #endif
370 }
371
372 ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
373 "the invalid \"%V\" parameter", &value[i]);
374 return NGX_CONF_ERROR;
375 }
376
377 return NGX_CONF_OK;
365378 }
366379
367380
117117 sslcf = ngx_mail_get_module_srv_conf(s, ngx_mail_ssl_module);
118118
119119 if (sslcf->enable) {
120 c->log->action = "SSL handshaking";
121
120122 ngx_mail_ssl_init_connection(&sslcf->ssl, c);
121123 return;
122124 }
125
126 if (imia[i].ssl) {
127
128 c->log->action = "SSL handshaking";
129
130 if (sslcf->ssl.ctx == NULL) {
131 ngx_log_error(NGX_LOG_ERR, c->log, 0,
132 "no \"ssl_certificate\" is defined "
133 "in server listening on SSL port");
134 ngx_mail_close_connection(c);
135 return;
136 }
137
138 ngx_mail_ssl_init_connection(&sslcf->ssl, c);
139 return;
140 }
141
123142 }
124143 #endif
125144
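Review bot: The new `if (imia[i].ssl)` block at new lines 126–140 duplicates the `sslcf->enable` branch above it (set the log action, init the connection, return), while the http counterpart at old line 359 folds the two cases into `if (sscf->enable || hia[i].ssl)`; doing the same here keeps the two modules parallel: `if (sslcf->enable || imia[i].ssl) {` followed by the `ssl.ctx == NULL` guard and a single ngx_mail_ssl_init_connection call. Running the guard in the `enable` case too appears harmless, since ngx_mail_ssl_merge_conf rejects the configuration when `enable` is set without a certificate (new lines 236–252). The enclosing function starts and ends outside the hunk.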
88 #include <ngx_mail.h>
99
1010
11 #define NGX_DEFAULT_CERTIFICATE "cert.pem"
12 #define NGX_DEFAULT_CERTIFICATE_KEY "cert.pem"
1311 #define NGX_DEFAULT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
1412
1513
1614 static void *ngx_mail_ssl_create_conf(ngx_conf_t *cf);
1715 static char *ngx_mail_ssl_merge_conf(ngx_conf_t *cf, void *parent, void *child);
16
17 static char *ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd,
18 void *conf);
19 static char *ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd,
20 void *conf);
1821 static char *ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd,
1922 void *conf);
2023
4952
5053 { ngx_string("ssl"),
5154 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_FLAG,
52 ngx_conf_set_flag_slot,
55 ngx_mail_ssl_enable,
5356 NGX_MAIL_SRV_CONF_OFFSET,
5457 offsetof(ngx_mail_ssl_conf_t, enable),
5558 NULL },
5659
5760 { ngx_string("starttls"),
5861 NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
59 ngx_conf_set_enum_slot,
62 ngx_mail_ssl_starttls,
6063 NGX_MAIL_SRV_CONF_OFFSET,
6164 offsetof(ngx_mail_ssl_conf_t, starttls),
6265 ngx_http_starttls_state },
193196 ngx_mail_ssl_conf_t *prev = parent;
194197 ngx_mail_ssl_conf_t *conf = child;
195198
199 char *mode;
196200 ngx_pool_cleanup_t *cln;
197201
198202 ngx_conf_merge_value(conf->enable, prev->enable, 0);
199 ngx_conf_merge_value(conf->starttls, prev->starttls, NGX_MAIL_STARTTLS_OFF);
200
201 if (conf->enable == 0 && conf->starttls == NGX_MAIL_STARTTLS_OFF) {
202 return NGX_CONF_OK;
203 }
203 ngx_conf_merge_uint_value(conf->starttls, prev->starttls,
204 NGX_MAIL_STARTTLS_OFF);
204205
205206 ngx_conf_merge_value(conf->session_timeout,
206207 prev->session_timeout, 300);
212213 (NGX_CONF_BITMASK_SET
213214 |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
214215
215 ngx_conf_merge_str_value(conf->certificate, prev->certificate,
216 NGX_DEFAULT_CERTIFICATE);
217
218 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
219 NGX_DEFAULT_CERTIFICATE_KEY);
216 ngx_conf_merge_str_value(conf->certificate, prev->certificate, "");
217 ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, "");
220218
221219 ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
222220
224222
225223
226224 conf->ssl.log = cf->log;
225
226 if (conf->enable) {
227 mode = "ssl";
228
229 } else if (conf->starttls != NGX_MAIL_STARTTLS_OFF) {
230 mode = "starttls";
231
232 } else {
233 mode = "";
234 }
235
236 if (*mode) {
237
238 if (conf->certificate.len == 0) {
239 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
240 "no \"ssl_certificate\" is defined for "
241 "the \"%s\" directive in %s:%ui",
242 mode, conf->file, conf->line);
243 return NGX_CONF_ERROR;
244 }
245
246 if (conf->certificate_key.len == 0) {
247 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
248 "no \"ssl_certificate_key\" is defined for "
249 "the \"%s\" directive in %s:%ui",
250 mode, conf->file, conf->line);
251 return NGX_CONF_ERROR;
252 }
253
254 } else {
255
256 if (conf->certificate.len == 0) {
257 return NGX_CONF_OK;
258 }
259
260 if (conf->certificate_key.len == 0) {
261 ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
262 "no \"ssl_certificate_key\" is defined "
263 "for certificate \"%V\"",
264 &conf->certificate);
265 return NGX_CONF_ERROR;
266 }
267 }
227268
228269 if (ngx_ssl_create(&conf->ssl, conf->protocols, NULL) != NGX_OK) {
229270 return NGX_CONF_ERROR;
291332
292333
293334 static char *
335 ngx_mail_ssl_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
336 {
337 ngx_mail_ssl_conf_t *scf = conf;
338
339 char *rv;
340
341 rv = ngx_conf_set_flag_slot(cf, cmd, conf);
342
343 if (rv != NGX_CONF_OK) {
344 return rv;
345 }
346
347 if (scf->enable && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
348 ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
349 "\"starttls\" directive conflicts with \"ssl on\"");
350 return NGX_CONF_ERROR;
351 }
352
353 scf->file = cf->conf_file->file.name.data;
354 scf->line = cf->conf_file->line;
355
356 return NGX_CONF_OK;
357 }
358
359
360 static char *
361 ngx_mail_ssl_starttls(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
362 {
363 ngx_mail_ssl_conf_t *scf = conf;
364
365 char *rv;
366
367 rv = ngx_conf_set_enum_slot(cf, cmd, conf);
368
369 if (rv != NGX_CONF_OK) {
370 return rv;
371 }
372
373 if (scf->enable == 1 && (ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF) {
374 ngx_conf_log_error(NGX_LOG_WARN, cf, 0,
375 "\"ssl\" directive conflicts with \"starttls\"");
376 return NGX_CONF_ERROR;
377 }
378
379 scf->file = cf->conf_file->file.name.data;
380 scf->line = cf->conf_file->line;
381
382 return NGX_CONF_OK;
383 }
384
385
386 static char *
294387 ngx_mail_ssl_session_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
295388 {
296389 ngx_mail_ssl_conf_t *scf = conf;
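Review bot: ngx_mail_ssl_enable and ngx_mail_ssl_starttls (new lines 348–351 and 374–377) log the ssl/starttls conflict at NGX_LOG_WARN but then return NGX_CONF_ERROR, so a fatal configuration rejection is reported at warning severity; the rest of the hunk (new lines 239 and 247) and the http module use NGX_LOG_EMERG for rejected configurations, so change both calls to `ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,`. The `(ngx_int_t) scf->starttls > NGX_MAIL_STARTTLS_OFF` comparison presumably relies on the not-yet-set value casting to a negative number; a comment `/* starttls is still unset (-1 as ngx_int_t) until the directive is seen */` would make that explicit. The check also only fires when both directives appear in the same block: `ssl on` inherited from the mail block combined with `starttls` in a server seems to pass both handlers and is then resolved silently in favour of `ssl` by the `mode` selection at new lines 226–234, so a re-check after the merges at new lines 202–204 may be worth adding. ngx_mail_ssl_merge_conf starts and ends outside the hunks shown.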
1919
2020 typedef struct {
2121 ngx_flag_t enable;
22 ngx_flag_t prefer_server_ciphers;
2223
2324 ngx_ssl_t ssl;
2425
25 ngx_flag_t prefer_server_ciphers;
26 ngx_flag_t starttls;
27
26 ngx_uint_t starttls;
2827 ngx_uint_t protocols;
2928
3029 ssize_t builtin_session_cache;
3837 ngx_str_t ciphers;
3938
4039 ngx_shm_zone_t *shm_zone;
40
41 u_char *file;
42 ngx_uint_t line;
4143 } ngx_mail_ssl_conf_t;
4244
4345