feature: proxy_ssl_certificate_by_lua directives

Author: willmafh

README.md

@@ -151,6 +151,8 @@ behavior.
 * [ssl_client_hello_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_client_hello_by_lua_file)
 * [ssl_certificate_by_lua_block](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)
 * [ssl_certificate_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_file)
+* [proxy_ssl_certificate_by_lua_block](https://github.com/openresty/lua-nginx-module#proxy_ssl_certificate_by_lua_block)
+* [proxy_ssl_certificate_by_lua_file](https://github.com/openresty/lua-nginx-module#proxy_ssl_certificate_by_lua_file)
 * [proxy_ssl_verify_by_lua_block](https://github.com/openresty/lua-nginx-module#proxy_ssl_verify_by_lua_block)
 * [proxy_ssl_verify_by_lua_file](https://github.com/openresty/lua-nginx-module#proxy_ssl_verify_by_lua_file)
 * [lua_shared_dict](https://github.com/openresty/lua-nginx-module#lua_shared_dict)

config

@@ -278,6 +278,7 @@ STREAM_LUA_SRCS=" \
                 $ngx_addon_dir/src/ngx_stream_lua_semaphore.c \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.c \
+                $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_certby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_verifyby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.c \
                 $ngx_addon_dir/src/ngx_stream_lua_input_filters.c \
@@ -323,6 +324,7 @@ STREAM_LUA_DEPS=" \
                 $ngx_addon_dir/src/ngx_stream_lua_semaphore.h \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.h \
+                $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_certby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_verifyby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.h \
                 $ngx_addon_dir/src/ngx_stream_lua_input_filters.h \

src/ngx_stream_lua_common.h

@@ -135,10 +135,8 @@
 #define NGX_STREAM_LUA_CONTEXT_PREREAD                              0x0020
 #define NGX_STREAM_LUA_CONTEXT_SSL_CERT                             0x0040
 #define NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO                     0x0080
-
-#ifdef HAVE_PROXY_SSL_PATCH
 #define NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY                     0x0100
-#endif
+#define NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT                       0x0200
 
 
 #define NGX_STREAM_LUA_FFI_NO_REQ_CTX         -100
@@ -277,6 +275,10 @@ struct ngx_stream_lua_srv_conf_s {
 
 #ifdef HAVE_PROXY_SSL_PATCH
     struct {
+        ngx_stream_lua_srv_conf_handler_pt           proxy_ssl_cert_handler;
+        ngx_str_t                                    proxy_ssl_cert_src;
+        u_char                                      *proxy_ssl_cert_src_key;
+
         ngx_stream_lua_srv_conf_handler_pt           proxy_ssl_verify_handler;
         ngx_str_t                                    proxy_ssl_verify_src;
         u_char                                      *proxy_ssl_verify_src_key;

src/ngx_stream_lua_control.c

@@ -117,6 +117,7 @@ ngx_stream_lua_ffi_exit(ngx_stream_lua_request_t *r, int status, u_char *err,
         | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
         | NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
         | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
         | NGX_STREAM_LUA_CONTEXT_PREREAD,
@@ -127,6 +128,7 @@ ngx_stream_lua_ffi_exit(ngx_stream_lua_request_t *r, int status, u_char *err,
 
     if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
                         | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                         | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO ))

src/ngx_stream_lua_coroutine.c

@@ -206,6 +206,7 @@ ngx_stream_lua_coroutine_resume(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
@@ -270,6 +271,7 @@ ngx_stream_lua_coroutine_yield(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
@@ -433,6 +435,7 @@ ngx_stream_lua_coroutine_status(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD

src/ngx_stream_lua_module.c

@@ -30,7 +30,11 @@
 #include "ngx_stream_lua_semaphore.h"
 #include "ngx_stream_lua_ssl_client_helloby.h"
 #include "ngx_stream_lua_ssl_certby.h"
+
+#ifdef HAVE_PROXY_SSL_PATCH
+#include "ngx_stream_lua_proxy_ssl_certby.h"
 #include "ngx_stream_lua_proxy_ssl_verifyby.h"
+#endif
 
 #include "ngx_stream_lua_prereadby.h"
 
@@ -429,8 +433,22 @@ static ngx_command_t ngx_stream_lua_cmds[] = {
       0,
       (void *) ngx_stream_lua_ssl_cert_handler_file },
 
-#if HAVE_LUA_PROXY_SSL_VERIFY
+#if HAVE_PROXY_SSL_PATCH
     /* same context as proxy_pass directive */
+    { ngx_string("proxy_ssl_certificate_by_lua_block"),
+      NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_stream_lua_proxy_ssl_cert_by_lua_block,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_stream_lua_proxy_ssl_cert_handler_inline },
+
+    { ngx_string("proxy_ssl_certificate_by_lua_file"),
+      NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_stream_lua_proxy_ssl_cert_by_lua,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_stream_lua_proxy_ssl_cert_handler_file },
+
     { ngx_string("proxy_ssl_verify_by_lua_block"),
       NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_stream_lua_proxy_ssl_verify_by_lua_block,
@@ -858,6 +876,10 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf)
      *      lscf->srv.ssl_client_hello_src = { 0, NULL };
      *      lscf->srv.ssl_client_hello_src_key = NULL;
      *
+     *      lscf->ups.proxy_ssl_cert_handler = NULL;
+     *      lscf->ups.proxy_ssl_cert_src = { 0, NULL };
+     *      lscf->ups.proxy_ssl_cert_src_key = NULL;
+     *
      *      lscf->ups.proxy_ssl_verify_handler = NULL;
      *      lscf->ups.proxy_ssl_verify_src = { 0, NULL };
      *      lscf->ups.proxy_ssl_verify_src_key = NULL;
@@ -1039,7 +1061,19 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
                              NULL);
 #endif
 
-#if HAVE_LUA_PROXY_SSL_VERIFY
+#ifdef HAVE_PROXY_SSL_PATCH
+    if (conf->ups.proxy_ssl_cert_src.len == 0) {
+        conf->ups.proxy_ssl_cert_src = prev->ups.proxy_ssl_cert_src;
+        conf->ups.proxy_ssl_cert_handler = prev->ups.proxy_ssl_cert_handler;
+        conf->ups.proxy_ssl_cert_src_key = prev->ups.proxy_ssl_cert_src_key;
+    }
+
+    if (conf->ups.proxy_ssl_cert_src.len) {
+        if (ngx_stream_lua_proxy_ssl_cert_set_callback(cf) != NGX_OK) {
+            return NGX_CONF_ERROR;
+        }
+    }
+
     if (conf->ups.proxy_ssl_verify_src.len == 0) {
         conf->ups.proxy_ssl_verify_src = prev->ups.proxy_ssl_verify_src;
         conf->ups.proxy_ssl_verify_handler = prev->ups.proxy_ssl_verify_handler;

src/ngx_stream_lua_phase.c

@@ -67,6 +67,10 @@ ngx_stream_lua_ngx_get_phase(lua_State *L)
         break;
 
 #ifdef HAVE_PROXY_SSL_PATCH
+    case NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT:
+        lua_pushliteral(L, "proxy_ssl_cert");
+        break;
+
     case NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY:
         lua_pushliteral(L, "proxy_ssl_verify");
         break;