Upstream: optimized use of SSL contexts (ticket #1234).
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
so that all servers inherit it.

Similar changes made in uwsgi, grpc, and stream proxy.
mdounin committed Jun 28, 2022
1 parent 225a2c1 commit d791b4a
Showing 4 changed files with 235 additions and 27 deletions.
66 changes: 59 additions & 7 deletions src/http/modules/ngx_http_grpc_module.c
Expand Up @@ -209,6 +209,8 @@ static char *ngx_http_grpc_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
static char *ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_http_grpc_merge_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *conf, ngx_http_grpc_loc_conf_t *prev);
static ngx_int_t ngx_http_grpc_set_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *glcf);
#endif
Expand Down Expand Up @@ -562,7 +564,7 @@ ngx_http_grpc_handler(ngx_http_request_t *r)
ctx->host = glcf->host;

#if (NGX_HTTP_SSL)
u->ssl = (glcf->upstream.ssl != NULL);
u->ssl = glcf->ssl;

if (u->ssl) {
ngx_str_set(&u->schema, "grpcs://");
Expand Down Expand Up @@ -4463,6 +4465,10 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)

#if (NGX_HTTP_SSL)

if (ngx_http_grpc_merge_ssl(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}

ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
prev->upstream.ssl_session_reuse, 1);

Expand Down Expand Up @@ -4524,7 +4530,7 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
conf->grpc_values = prev->grpc_values;

#if (NGX_HTTP_SSL)
conf->upstream.ssl = prev->upstream.ssl;
conf->ssl = prev->ssl;
#endif
}

Expand Down Expand Up @@ -4874,16 +4880,62 @@ ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)


static ngx_int_t
ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
ngx_http_grpc_merge_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *conf,
ngx_http_grpc_loc_conf_t *prev)
{
ngx_pool_cleanup_t *cln;
ngx_uint_t preserve;

if (conf->ssl_protocols == 0
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
&& conf->ssl_crl.data == NULL
&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
{
if (prev->upstream.ssl) {
conf->upstream.ssl = prev->upstream.ssl;
return NGX_OK;
}

glcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (glcf->upstream.ssl == NULL) {
preserve = 1;

} else {
preserve = 0;
}

conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (conf->upstream.ssl == NULL) {
return NGX_ERROR;
}

glcf->upstream.ssl->log = cf->log;
conf->upstream.ssl->log = cf->log;

/*
* special handling to preserve conf->upstream.ssl
* in the "http" section to inherit it to all servers
*/

if (preserve) {
prev->upstream.ssl = conf->upstream.ssl;
}

return NGX_OK;
}


static ngx_int_t
ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
{
ngx_pool_cleanup_t *cln;

if (glcf->upstream.ssl->ctx) {
return NGX_OK;
}

if (ngx_ssl_create(glcf->upstream.ssl, glcf->ssl_protocols, NULL)
!= NGX_OK)
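Review bot: The sharing decision in ngx_http_grpc_merge_ssl rests on the directive list at the top of the function mirroring exactly the settings ngx_http_grpc_set_ssl applies to the context, but nothing records that invariant; because set_ssl returns early once upstream.ssl->ctx exists (visible at the end of this section), any future upstream-side SSL setting that is stored in the context but omitted from this list would be silently ignored in a location that redefines it, leaving the parent's certificate, verification or cipher policy in effect instead. I would pin that down with a comment above the condition, e.g. `/* no grpc_ssl_* directive is set at this level: share the parent's context. Keep this list in sync with what ngx_http_grpc_set_ssl() applies, since that function does not touch a context whose ctx already exists */`. The same applies to ngx_http_proxy_merge_ssl and ngx_http_uwsgi_merge_ssl in the next two sections, which are the same function modulo naming. Note also that the function deliberately writes to prev (the parent's upstream.ssl) when preserve is set, which the existing comment covers, and that the body of ngx_http_grpc_set_ssl continues outside this section.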
66 changes: 59 additions & 7 deletions src/http/modules/ngx_http_proxy_module.c
Expand Up @@ -236,6 +236,8 @@ static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);

#if (NGX_HTTP_SSL)
static ngx_int_t ngx_http_proxy_merge_ssl(ngx_conf_t *cf,
ngx_http_proxy_loc_conf_t *conf, ngx_http_proxy_loc_conf_t *prev);
static ngx_int_t ngx_http_proxy_set_ssl(ngx_conf_t *cf,
ngx_http_proxy_loc_conf_t *plcf);
#endif
Expand Down Expand Up @@ -959,7 +961,7 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
ctx->vars = plcf->vars;
u->schema = plcf->vars.schema;
#if (NGX_HTTP_SSL)
u->ssl = (plcf->upstream.ssl != NULL);
u->ssl = plcf->ssl;
#endif

} else {
Expand Down Expand Up @@ -3724,6 +3726,10 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)

#if (NGX_HTTP_SSL)

if (ngx_http_proxy_merge_ssl(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}

ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
prev->upstream.ssl_session_reuse, 1);

Expand Down Expand Up @@ -3857,7 +3863,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
conf->proxy_values = prev->proxy_values;

#if (NGX_HTTP_SSL)
conf->upstream.ssl = prev->upstream.ssl;
conf->ssl = prev->ssl;
#endif
}

Expand Down Expand Up @@ -4923,16 +4929,62 @@ ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)


static ngx_int_t
ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
ngx_http_proxy_merge_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf,
ngx_http_proxy_loc_conf_t *prev)
{
ngx_pool_cleanup_t *cln;
ngx_uint_t preserve;

if (conf->ssl_protocols == 0
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
&& conf->ssl_crl.data == NULL
&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
{
if (prev->upstream.ssl) {
conf->upstream.ssl = prev->upstream.ssl;
return NGX_OK;
}

plcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (plcf->upstream.ssl == NULL) {
preserve = 1;

} else {
preserve = 0;
}

conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (conf->upstream.ssl == NULL) {
return NGX_ERROR;
}

plcf->upstream.ssl->log = cf->log;
conf->upstream.ssl->log = cf->log;

/*
* special handling to preserve conf->upstream.ssl
* in the "http" section to inherit it to all servers
*/

if (preserve) {
prev->upstream.ssl = conf->upstream.ssl;
}

return NGX_OK;
}


static ngx_int_t
ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
{
ngx_pool_cleanup_t *cln;

if (plcf->upstream.ssl->ctx) {
return NGX_OK;
}

if (ngx_ssl_create(plcf->upstream.ssl, plcf->ssl_protocols, NULL)
!= NGX_OK)
66 changes: 59 additions & 7 deletions src/http/modules/ngx_http_uwsgi_module.c
Expand Up @@ -96,6 +96,8 @@ static char *ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
static char *ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf,
ngx_http_uwsgi_loc_conf_t *conf, ngx_http_uwsgi_loc_conf_t *prev);
static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf,
ngx_http_uwsgi_loc_conf_t *uwcf);
#endif
Expand Down Expand Up @@ -668,7 +670,7 @@ ngx_http_uwsgi_handler(ngx_http_request_t *r)
if (uwcf->uwsgi_lengths == NULL) {

#if (NGX_HTTP_SSL)
u->ssl = (uwcf->upstream.ssl != NULL);
u->ssl = uwcf->ssl;

if (u->ssl) {
ngx_str_set(&u->schema, "suwsgi://");
Expand Down Expand Up @@ -1865,6 +1867,10 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)

#if (NGX_HTTP_SSL)

if (ngx_http_uwsgi_merge_ssl(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}

ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
prev->upstream.ssl_session_reuse, 1);

Expand Down Expand Up @@ -1927,7 +1933,7 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
conf->uwsgi_values = prev->uwsgi_values;

#if (NGX_HTTP_SSL)
conf->upstream.ssl = prev->upstream.ssl;
conf->ssl = prev->ssl;
#endif
}

Expand Down Expand Up @@ -2455,16 +2461,62 @@ ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)


static ngx_int_t
ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *conf,
ngx_http_uwsgi_loc_conf_t *prev)
{
ngx_pool_cleanup_t *cln;
ngx_uint_t preserve;

if (conf->ssl_protocols == 0
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
&& conf->ssl_crl.data == NULL
&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
{
if (prev->upstream.ssl) {
conf->upstream.ssl = prev->upstream.ssl;
return NGX_OK;
}

uwcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (uwcf->upstream.ssl == NULL) {
preserve = 1;

} else {
preserve = 0;
}

conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (conf->upstream.ssl == NULL) {
return NGX_ERROR;
}

uwcf->upstream.ssl->log = cf->log;
conf->upstream.ssl->log = cf->log;

/*
* special handling to preserve conf->upstream.ssl
* in the "http" section to inherit it to all servers
*/

if (preserve) {
prev->upstream.ssl = conf->upstream.ssl;
}

return NGX_OK;
}


static ngx_int_t
ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
{
ngx_pool_cleanup_t *cln;

if (uwcf->upstream.ssl->ctx) {
return NGX_OK;
}

if (ngx_ssl_create(uwcf->upstream.ssl, uwcf->ssl_protocols, NULL)
!= NGX_OK)
