feature: proxy_ssl_verify_by_lua* directives

working after receiving server certificates, allowing us
to control upstream ssl handshake dynamically with Lua

Author: willmafh

README.markdown

@@ -1174,6 +1174,8 @@ Directives
 * [ssl_session_fetch_by_lua_file](#ssl_session_fetch_by_lua_file)
 * [ssl_session_store_by_lua_block](#ssl_session_store_by_lua_block)
 * [ssl_session_store_by_lua_file](#ssl_session_store_by_lua_file)
+* [proxy_ssl_certificate_by_lua_block](#proxy_ssl_certificate_by_lua_block)
+* [proxy_ssl_certificate_by_lua_file](#proxy_ssl_certificate_by_lua_file)
 * [proxy_ssl_verify_by_lua_block](#proxy_ssl_verify_by_lua_block)
 * [proxy_ssl_verify_by_lua_file](#proxy_ssl_verify_by_lua_file)
 * [lua_shared_dict](#lua_shared_dict)
@@ -3236,6 +3238,96 @@ Note that: this directive is only allowed to used in **http context** from the `
 
 [Back to TOC](#directives)
 
+proxy_ssl_certificate_by_lua_block
+----------------------------------
+
+**syntax:** *proxy_ssl_certificate_by_lua_block { lua-script }*
+
+**context:** *location*
+
+**phase:** *right-after-server-certificate-request-message-was-processed*
+
+This directive runs user Lua code when Nginx is about to post-process the SSL server certificate request message from upstream. It is particularly useful for setting the SSL certificate chain and the corresponding private key for the upstream SSL (https) connections. It is also useful to load such handshake configurations nonblockingly from the remote (for example, with the [cosocket](#ngxsockettcp) API).
+
+The [ngx.ssl.proxysslcert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl/proxysslcert.md) Lua module provided by the [lua-resty-core](https://github.com/openresty/lua-resty-core/#readme) library are particularly useful in this context.
+
+Below is a trivial example using the [ngx.ssl](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md) module and the [ngx.ssl.proxysslcert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl/proxysslcert.md) module at the same time:
+
+```nginx
+
+ server {
+     listen 443 ssl;
+     server_name   test.com;
+     ssl_certificate /path/to/cert.crt;
+     ssl_certificate_key /path/to/key.key;
+
+     location /t {
+         proxy_pass https://upstream;
+
+         proxy_ssl_certificate_by_lua_block {
+             local ssl = require "ngx.ssl"
+             local proxy_ssl_cert = require "ngx.ssl.proxysslcert"
+
+             -- NOTE: for illustration only, we don't handle error below
+
+             local f = assert(io.open("/path/to/cert.crt"))
+             local cert_data = f:read("*a")
+             f:close()
+
+             local cert, err = ssl.parse_pem_cert(cert_data)
+             local ok, err = proxy_ssl_cert.set_cert(cert)
+
+             local f = assert(io.open("/path/to/key.key"))
+             local pkey_data = f:read("*a")
+             f:close()
+
+             local pkey, err = ssl.parse_pem_priv_key(pkey_data)
+             local ok, err = proxy_ssl_cert.set_priv_key(pkey)
+             -- ...
+        }
+     }
+     ...
+ }
+```
+
+See more information in the [ngx.ssl.proxysslcert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl/proxysslcert.md) Lua module's official documentation.
+
+Uncaught Lua exceptions in the user Lua code immediately abort the current SSL session, so does the
+[ngx.exit](#ngxexit) call with an error code like `ngx.ERROR`.
+
+This Lua code execution context *does* support yielding, so Lua APIs that may yield (like cosockets, sleeping, and "light threads") are enabled in this context.
+
+Note that, unlike the relations between the [ssl_certificate](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate) and [ssl_certificate_key](https://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_certificate_key) directives and [ssl_certificate_by_lua*](#ssl_certificate_by_lua_block), the [proxy_ssl_certificate](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate) and [proxy_ssl_certificate_key](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate_key) directives can be used together with [proxy_ssl_certificate_by_lua*](#proxy_ssl_certificate_by_lua_block).
+
+* When there are only [proxy_ssl_certificate](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate) and [proxy_ssl_certificate_key](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate_key) directives, the original Nginx behavior will obviously remain the same.
+
+* When there is only [proxy_ssl_certificate_by_lua*](#proxy_ssl_certificate_by_lua_block), Nginx will send the certificate and its related private key and chain set by Lua codes.
+
+* When the [proxy_ssl_certificate](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate) and [proxy_ssl_certificate_key](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate_key) directives and [proxy_ssl_certificate_by_lua*](#proxy_ssl_certificate_by_lua_block) are used at the same time, then [proxy_ssl_certificate_by_lua*](#proxy_ssl_certificate_by_lua_block) will take precedence over the [proxy_ssl_certificate](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate) and [proxy_ssl_certificate_key](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate_key) directives.
+
+Please refer to corresponding test case file and [ngx.ssl.proxysslcert](https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl/proxysslcert.md) for more details.
+
+Note also that, it has the same condition as the [proxy_ssl_certificate](https://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_ssl_certificate) directive for [proxy_ssl_certificate_by_lua*](#proxy_ssl_certificate_by_lua_block) to work, that is the upstream server should enable verification of client certificates.
+
+This directive requires OpenSSL 1.0.2e or greater.
+
+[Back to TOC](#directives)
+
+proxy_ssl_certificate_by_lua_file
+---------------------------------
+
+**syntax:** *proxy_ssl_certificate_by_lua_file <path-to-lua-script-file>*
+
+**context:** *location*
+
+**phase:** *right-after-server-certificate-request-message-was-processed*
+
+Equivalent to [proxy_ssl_certificate_by_lua_block](#proxy_ssl_certificate_by_lua_block), except that the file specified by `<path-to-lua-script-file>` contains the Lua code, or, as from the `v0.5.0rc32` release, the [LuaJIT bytecode](#luajit-bytecode-support) to be executed.
+
+When a relative path like `foo/bar.lua` is given, they will be turned into the absolute path relative to the `server prefix` path determined by the `-p PATH` command-line option while starting the Nginx server.
+
+[Back to TOC](#directives)
+
 proxy_ssl_verify_by_lua_block
 -----------------------------
 

config

@@ -297,6 +297,7 @@ HTTP_LUA_SRCS=" \
             $ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.c \
             $ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.c \
             $ngx_addon_dir/src/ngx_http_lua_ssl.c \
+            $ngx_addon_dir/src/ngx_http_lua_proxy_ssl_certby.c \
             $ngx_addon_dir/src/ngx_http_lua_proxy_ssl_verifyby.c \
             $ngx_addon_dir/src/ngx_http_lua_log_ringbuf.c \
             $ngx_addon_dir/src/ngx_http_lua_input_filters.c \
@@ -362,6 +363,7 @@ HTTP_LUA_DEPS=" \
             $ngx_addon_dir/src/ngx_http_lua_ssl_session_storeby.h \
             $ngx_addon_dir/src/ngx_http_lua_ssl_session_fetchby.h \
             $ngx_addon_dir/src/ngx_http_lua_ssl.h \
+            $ngx_addon_dir/src/ngx_http_lua_proxy_ssl_certby.h \
             $ngx_addon_dir/src/ngx_http_lua_proxy_ssl_verifyby.h \
             $ngx_addon_dir/src/ngx_http_lua_log_ringbuf.h \
             $ngx_addon_dir/src/ngx_http_lua_input_filters.h \

src/ngx_http_lua_common.h

@@ -150,7 +150,7 @@ typedef struct {
 #define NGX_HTTP_LUA_CONTEXT_SERVER_REWRITE     0x00008000
 #define NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY   0x00010000
 #define NGX_HTTP_LUA_CONTEXT_PRECONTENT         0x00020000
-
+#define NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT     0x00040000
 
 #define NGX_HTTP_LUA_FFI_NO_REQ_CTX         -100
 #define NGX_HTTP_LUA_FFI_BAD_CONTEXT        -101
@@ -394,6 +394,12 @@ struct ngx_http_lua_loc_conf_s {
 #endif
 
 #ifdef HAVE_PROXY_SSL_PATCH
+    ngx_http_lua_loc_conf_handler_pt       proxy_ssl_cert_handler;
+    ngx_str_t                              proxy_ssl_cert_src;
+    u_char                                *proxy_ssl_cert_src_key;
+    u_char                                *proxy_ssl_cert_chunkname;
+    int                                    proxy_ssl_cert_src_ref;
+
     ngx_http_lua_loc_conf_handler_pt       proxy_ssl_verify_handler;
     ngx_str_t                              proxy_ssl_verify_src;
     u_char                                *proxy_ssl_verify_src_key;

src/ngx_http_lua_control.c

@@ -388,6 +388,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
                                        | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER
                                        | NGX_HTTP_LUA_CONTEXT_BALANCER
 #ifdef HAVE_PROXY_SSL_PATCH
+                                       | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT
                                        | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                                        | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO
@@ -402,6 +403,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err,
 
     if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                        | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT
                         | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                         | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO

src/ngx_http_lua_module.c

@@ -32,7 +32,11 @@
 #include "ngx_http_lua_ssl_certby.h"
 #include "ngx_http_lua_ssl_session_storeby.h"
 #include "ngx_http_lua_ssl_session_fetchby.h"
+
+#ifdef HAVE_PROXY_SSL_PATCH
+#include "ngx_http_lua_proxy_ssl_certby.h"
 #include "ngx_http_lua_proxy_ssl_verifyby.h"
+#endif
 
 #include "ngx_http_lua_headers.h"
 #include "ngx_http_lua_headers_out.h"
@@ -695,6 +699,21 @@ static ngx_command_t ngx_http_lua_cmds[] = {
       (void *) ngx_http_lua_ssl_sess_fetch_handler_file },
 
 #if HAVE_LUA_PROXY_SSL_VERIFY
+    /* same context as proxy_pass directive */
+    { ngx_string("proxy_ssl_certificate_by_lua_block"),
+      NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_http_lua_proxy_ssl_cert_by_lua_block,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_proxy_ssl_cert_handler_inline },
+
+    { ngx_string("proxy_ssl_certificate_by_lua_file"),
+      NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_TAKE1,
+      ngx_http_lua_proxy_ssl_cert_by_lua,
+      NGX_HTTP_LOC_CONF_OFFSET,
+      0,
+      (void *) ngx_http_lua_proxy_ssl_cert_handler_file },
+
     /* same context as proxy_pass directive */
     { ngx_string("proxy_ssl_verify_by_lua_block"),
       NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
@@ -1524,6 +1543,11 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
      *      conf->ssl_crl = { 0, NULL };
      *      conf->ssl_key_log = { 0, NULL };
      *
+     *      conf->proxy_ssl_cert_handler = NULL;
+     *      conf->proxy_ssl_cert_src = { 0, NULL };
+     *      conf->proxy_ssl_cert_chunkname = NULL;
+     *      conf->proxy_ssl_cert_src_key = NULL;
+     *
      *      conf->proxy_ssl_verify_handler = NULL;
      *      conf->proxy_ssl_verify_src = { 0, NULL };
      *      conf->proxy_ssl_verify_chunkname = NULL;
@@ -1563,6 +1587,7 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf)
     conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
 #endif
 #ifdef HAVE_PROXY_SSL_PATCH
+    conf->proxy_ssl_cert_src_ref = LUA_REFNIL;
     conf->proxy_ssl_verify_src_ref = LUA_REFNIL;
     conf->upstream_skip_openssl_default_verify = NGX_CONF_UNSET;
 #endif
@@ -1669,6 +1694,20 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #endif
 
 #if HAVE_LUA_PROXY_SSL_VERIFY
+    if (conf->proxy_ssl_cert_src.len == 0) {
+        conf->proxy_ssl_cert_src = prev->proxy_ssl_cert_src;
+        conf->proxy_ssl_cert_handler = prev->proxy_ssl_cert_handler;
+        conf->proxy_ssl_cert_src_ref = prev->proxy_ssl_cert_src_ref;
+        conf->proxy_ssl_cert_src_key = prev->proxy_ssl_cert_src_key;
+        conf->proxy_ssl_cert_chunkname = prev->proxy_ssl_cert_chunkname;
+    }
+
+    if (conf->proxy_ssl_cert_src.len) {
+        if (ngx_http_lua_proxy_ssl_cert_set_callback(cf) != NGX_OK) {
+            return NGX_CONF_ERROR;
+        }
+    }
+
     if (conf->proxy_ssl_verify_src.len == 0) {
         conf->proxy_ssl_verify_src = prev->proxy_ssl_verify_src;
         conf->proxy_ssl_verify_handler = prev->proxy_ssl_verify_handler;