feature: enabled HTTP2 and supported to set ssl_protocols. (#663)

* feature: enabled HTTP2 and supported to set `ssl_protocols`. * bugfix: used default certificate if failed to load certificate by SNI. Fix #595.
apache · Oct 10, 2019 · 0e10fa6 · 0e10fa6
1 parent 7434ea9
commit 0e10fa6
Show file tree

Hide file tree

Showing 9 changed files with 42 additions and 24 deletions.
diff --git a/bin/apisix b/bin/apisix
@@ -235,15 +235,24 @@ http {
 
     server {
         listen {* node_listen *};
-        listen {* node_ssl_listen *} ssl;
+        {% if ssl.enable then %}
+        listen {* ssl.listen_port *} ssl {% if ssl.enable_http2 then %} http2 {% end %};
+        {% end %}
+
         {% if enable_ipv6 then %}
         listen [::]:{* node_listen *};
-        listen [::]:{* node_ssl_listen *} ssl;
+        {% if ssl.enable then %}
+        listen [::]:{* node_ssl_listen *} ssl {% if ssl.enable_http2 then %} http2 {% end %};
         {% end %}
+        {% end %} {% -- if enable_ipv6 %}
+
         ssl_certificate      cert/apisix.crt;
         ssl_certificate_key  cert/apisix.key;
         ssl_session_cache    shared:SSL:1m;
 
+        ssl_protocols {* ssl.ssl_protocols *};
+        ssl_ciphers {* ssl.ssl_ciphers *};
+
         {% if with_module_status then %}
         location = /apisix/nginx_status {
             allow 127.0.0.0/24;

diff --git a/conf/config.yaml b/conf/config.yaml
@@ -1,6 +1,5 @@
 apisix:
   node_listen: 9080              # APISIX listening port
-  node_ssl_listen: 9443
   enable_heartbeat: true
   enable_admin: true
   enable_debug: false
@@ -33,6 +32,12 @@ apisix:
     - 114.114.114.114
   error_log:
     level: warn
+  ssl:
+    enable: true
+    enable_http2: true
+    listen_port: 9443
+    ssl_protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
+    ssl_ciphers: "TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5"
 
 etcd:
   host: "http://127.0.0.1:2379"   # etcd address

diff --git a/conf/nginx.conf b/conf/nginx.conf
@@ -17,6 +17,7 @@ working_directory   /tmp/apisix_cores/;
 
 worker_shutdown_timeout 3;
 
+
 http {
     lua_package_path  "$prefix/deps/share/lua/5.1/?.lua;$prefix/lua/?.lua;/usr/share/lua/5.1/?.lua;;";
     lua_package_cpath "$prefix/deps/lib64/lua/5.1/?.so;$prefix/deps/lib/lua/5.1/?.so;/usr/lib64/lua/5.1/?.so;;";
@@ -83,11 +84,15 @@ http {
 
     server {
         listen 9080;
-        listen 9443 ssl;
+        listen 9443 ssl http2;
+
         ssl_certificate      cert/apisix.crt;
         ssl_certificate_key  cert/apisix.key;
         ssl_session_cache    shared:SSL:1m;
 
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-CCM-SHA256:EECDH+CHACHA20:EECDH+CHACHA20-draft:EECDH+ECDSA+AES128:EECDH+aRSA+AES128:RSA+AES128:EECDH+ECDSA+AES256:EECDH+aRSA+AES256:RSA+AES256:EECDH+ECDSA+3DES:EECDH+aRSA+3DES:RSA+3DES:!MD5;
+
         location = /apisix/nginx_status {
             allow 127.0.0.0/24;
             deny all;
@@ -102,10 +107,6 @@ http {
             }
         }
 
-        ssl_certificate_by_lua_block {
-            apisix.http_ssl_phase()
-        }
-
         location /apisix/dashboard {
             index index.html;
 
@@ -118,6 +119,10 @@ http {
             try_files $uri $uri/ /index.html;
         }
 
+        ssl_certificate_by_lua_block {
+            apisix.http_ssl_phase()
+        }
+
         location / {
             set $upstream_scheme             'http';
             set $upstream_host               $host;

diff --git a/lua/apisix.lua b/lua/apisix.lua
@@ -11,7 +11,6 @@ local ipmatcher     = require("resty.ipmatcher")
 local ngx           = ngx
 local get_method    = ngx.req.get_method
 local ngx_exit      = ngx.exit
-local ngx_ERROR     = ngx.ERROR
 local math          = math
 local error         = error
 local ipairs        = ipairs
@@ -142,12 +141,11 @@ function _M.http_ssl_phase()
         ngx_ctx.api_ctx = api_ctx
     end
 
-    local ok, err = router.router_ssl.match(api_ctx)
+    local ok, err = router.router_ssl.match_and_set(api_ctx)
     if not ok then
         if err then
-            core.log.error("failed to fetch ssl config: ", err)
+            core.log.warn("failed to fetch ssl config: ", err)
         end
-        return ngx_exit(ngx_ERROR)
     end
 end
 

diff --git a/lua/apisix/http/router/r3_sni.lua b/lua/apisix/http/router/r3_sni.lua
@@ -66,6 +66,8 @@ local function set_pem_ssl_key(cert, pkey)
         return false, "no request found"
     end
 
+    ngx_ssl.clear_certs()
+
     local out = ffi.new("char [?]", #cert)
     local rc = C.ngx_http_lua_ffi_cert_pem_to_der(cert, #cert, out, errmsg)
     if rc < 1 then
@@ -97,9 +99,7 @@ local function set_pem_ssl_key(cert, pkey)
 end
 
 
-function _M.match(api_ctx)
-    ngx_ssl.clear_certs()
-
+function _M.match_and_set(api_ctx)
     local r3, err = core.lrucache.global("/ssl", ssl.conf_version,
                         create_r3_router, ssl.values)
     if not r3 then

diff --git a/lua/apisix/http/router/radixtree_sni.lua b/lua/apisix/http/router/radixtree_sni.lua
@@ -68,6 +68,8 @@ local function set_pem_ssl_key(cert, pkey)
         return false, "no request found"
     end
 
+    ngx_ssl.clear_certs()
+
     local out = ffi.new("char [?]", #cert)
     local rc = C.ngx_http_lua_ffi_cert_pem_to_der(cert, #cert, out, errmsg)
     if rc < 1 then
@@ -99,9 +101,7 @@ local function set_pem_ssl_key(cert, pkey)
 end
 
 
-function _M.match(api_ctx)
-    ngx_ssl.clear_certs()
-
+function _M.match_and_set(api_ctx)
     local err
     if not radixtree_router or
        radixtree_router_ver ~= ssl_certificates.conf_version then

diff --git a/t/plugin/proxy-rewrite.t b/t/plugin/proxy-rewrite.t
@@ -623,7 +623,7 @@ a: iresty
 
 
 
-=== TEST 16: set route(rewrite uri empty args)
+=== TEST 22: set route(rewrite uri empty args)
 --- config
     location /t {
         content_by_lua_block {
@@ -661,7 +661,8 @@ passed
 [error]
 
 
-=== TEST 22: rewrite uri empty args
+
+=== TEST 23: rewrite uri empty args
 --- request
 GET /hello HTTP/1.1
 --- response_body

diff --git a/t/router/r3-sni.t b/t/router/r3-sni.t
@@ -203,9 +203,9 @@ GET /t
 --- yaml_config eval: $::yaml_config
 --- response_body
 connected: 1
-failed to do SSL handshake: handshake failed
+failed to do SSL handshake: certificate host mismatch
 --- error_log
-SSL_do_handshake() failed (SSL: error:
+not found any valid sni configuration
 
 
 

diff --git a/t/router/radixtree-sni.t b/t/router/radixtree-sni.t
@@ -185,9 +185,9 @@ location /t {
 GET /t
 --- response_body
 connected: 1
-failed to do SSL handshake: handshake failed
+failed to do SSL handshake: certificate host mismatch
 --- error_log
-SSL_do_handshake() failed (SSL: error:
+not found any valid sni configuration