From 37912aee331d2a43eea052a877491a27cc3a7033 Mon Sep 17 00:00:00 2001
From: unbeatablekb
Date: Mon, 21 Dec 2020 10:46:09 +0800
Subject: [PATCH 1/3] feature: add proxy_ssl_server_name

---
 apisix/cli/ngx_tpl.lua | 4 ++++
 conf/config-default.yaml | 2 ++
 2 files changed, 6 insertions(+)

diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index dab32d02083d..78693439dead 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -176,6 +176,10 @@ http {
 lua_ssl_verify_depth 5;
 ssl_session_timeout 86400;
 
+ {% if http.proxy_ssl_server_name then %}
+ proxy_ssl_server_name on;
+ {% end %}
+
 {% if http.underscores_in_headers then %}
 underscores_in_headers {* http.underscores_in_headers *};
 {%end%}
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index ed8ec4c07402..d0f58201ecac 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -180,6 +180,8 @@ nginx_config: # config for render the template to generate n
 # lua_shared_dicts: # add custom shared cache to nginx.conf
 # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size`
 
+ proxy_ssl_server_name: true # Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server.
+
 etcd:
 host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
 - "http://127.0.0.1:2379" # multiple etcd address, if your etcd cluster enables TLS, please use https scheme,

From 16e243e6ce407567c7d16e280595fd8df5618e0f Mon Sep 17 00:00:00 2001
From: unbeatablekb
Date: Mon, 25 Jan 2021 21:49:57 +0800
Subject: [PATCH 2/3] feature: add test case for proxy_ssl_server_name

---
 t/APISIX.pm | 18 ++++++++++++
 t/core/proxy_ssl.t | 71 ++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+)
 create mode 100644 t/core/proxy_ssl.t

diff --git a/t/APISIX.pm b/t/APISIX.pm
index 220745e778de..5612efb32a7a 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -384,6 +384,24 @@ _EOC_
 }
 }
 
+ server {
+ listen 1985 ssl;
+ server_name www.wrong.com;
+ ssl_certificate cert/apisix.crt;
+ ssl_certificate_key cert/apisix.key;
+ lua_ssl_trusted_certificate cert/apisix.crt;
+
+ server_tokens off;
+
+ location / {
+ content_by_lua_block {
+ require("lib.server").go()
+ }
+
+ more_clear_headers Date;
+ }
+ }
+
 _EOC_
 $block->set_value("http_config", $http_config);
diff --git a/t/core/proxy_ssl.t b/t/core/proxy_ssl.t
new file mode 100644
index 000000000000..ae04f3081402
--- /dev/null
+++ b/t/core/proxy_ssl.t
@@ -0,0 +1,71 @@
+#
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+use t::APISIX 'no_plan';
+
+repeat_each(1);
+no_long_string();
+no_root_location();
+log_level("info");
+
+run_tests;
+
+__DATA__
+
+=== TEST 1: add route
+--- config
+ location /t {
+ content_by_lua_block {
+ local t = require("lib.test_admin").test
+ local code, body = t('/apisix/admin/routes/1',
+ ngx.HTTP_PUT,
+ [[{
+ "methods": ["GET"],
+ "upstream": {
+ "type": "roundrobin",
+ "nodes": {
+ "127.0.0.1:1985": 1
+ }
+ },
+ "uri": "/hello"
+ }]]
+ )
+
+ if code >= 300 then
+ ngx.status = code
+ end
+ ngx.say(body)
+ }
+ }
+--- request
+GET /t
+--- response_body
+passed
+--- no_error_log
+[error]
+
+
+
+=== TEST 2: get upstream carrying host
+--- http_config
+proxy_ssl_server_name on;
+--- request
+GET /hello
+--- more_headers
+host: www.wrong.com
+--- error_code: 502
+--- error_log
+ssl

From c3879e9dfa7b6c0ad72a9b5b0807a0c2f4ef8c32 Mon Sep 17 00:00:00 2001
From: spacewander
Date: Tue, 26 Jan 2021 13:35:33 +0800
Subject: [PATCH 3/3] also enable proxy_ssl_name & rewrite the test
Signed-off-by: spacewander

---
 apisix/cli/ngx_tpl.lua | 9 ++++----
 conf/config-default.yaml | 4 +++-
 t/APISIX.pm | 24 +++++++---------------
 t/{core/proxy_ssl.t => node/proxy_https.t} | 14 +++++++------
 4 files changed, 23 insertions(+), 28 deletions(-)
 rename t/{core/proxy_ssl.t => node/proxy_https.t} (86%)

diff --git a/apisix/cli/ngx_tpl.lua b/apisix/cli/ngx_tpl.lua
index 78693439dead..d5fe05fd68ae 100644
--- a/apisix/cli/ngx_tpl.lua
+++ b/apisix/cli/ngx_tpl.lua
@@ -176,10 +176,6 @@ http {
 lua_ssl_verify_depth 5;
 ssl_session_timeout 86400;
 
- {% if http.proxy_ssl_server_name then %}
- proxy_ssl_server_name on;
- {% end %}
-
 {% if http.underscores_in_headers then %}
 underscores_in_headers {* http.underscores_in_headers *};
 {%end%}
@@ -487,6 +483,11 @@ http {
 proxy_set_header X-Real-IP $remote_addr;
 proxy_pass_header Date;
 
+ {% if http.proxy_ssl_server_name then %}
+ proxy_ssl_name $host;
+ proxy_ssl_server_name on;
+ {% end %}
+
 ### the following x-forwarded-* headers is to send to upstream server
 set $var_x_forwarded_for $remote_addr;
diff --git a/conf/config-default.yaml b/conf/config-default.yaml
index d0f58201ecac..9fa47b62e378 100644
--- a/conf/config-default.yaml
+++ b/conf/config-default.yaml
@@ -180,7 +180,9 @@ nginx_config: # config for render the template to generate n
 # lua_shared_dicts: # add custom shared cache to nginx.conf
 # ipc_shared_dict: 100m # custom shared cache, format: `cache-key: cache-size`
 
- proxy_ssl_server_name: true # Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066) when establishing a connection with the proxied HTTPS server.
+ # Enables or disables passing of the server name through TLS Server Name Indication extension (SNI, RFC 6066)
+ # when establishing a connection with the proxied HTTPS server.
+ proxy_ssl_server_name: true
 
 etcd:
 host: # it's possible to define multiple etcd hosts addresses of the same etcd cluster.
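Review bot: `proxy_ssl_name $host;` in the second ngx_tpl.lua hunk makes the SNI sent to the upstream follow the client's request host instead of nginx's default of the proxied host, and neither the template nor the reworded comment in this patch's config-default.yaml hunk says so. `$host` is taken from the request line or the Host header, so the name presented to the upstream — and, should `proxy_ssl_verify` ever be enabled, the name the upstream certificate is checked against — is chosen by the client, which matters because the YAML default is `true`. A template comment above the `{% if %}` such as `# SNI (and any later certificate name check) follows the request $host, not the upstream address` plus a matching sentence in the YAML comment would make that behaviour explicit to operators. The enclosing `location` block of the template starts and ends outside the hunk.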
diff --git a/t/APISIX.pm b/t/APISIX.pm
index 5612efb32a7a..044e7fae3f6c 100644
--- a/t/APISIX.pm
+++ b/t/APISIX.pm
@@ -299,6 +299,9 @@ _EOC_
 lua_shared_dict plugin-api-breaker 10m;
 lua_capture_error_log 1m; # plugin error-log-logger
 
+ proxy_ssl_name \$host;
+ proxy_ssl_server_name on;
+
 resolver $dns_addrs_str;
 resolver_timeout 5;
@@ -375,29 +378,16 @@ _EOC_
 
 server_tokens off;
 
- location / {
- content_by_lua_block {
- require("lib.server").go()
- }
-
- more_clear_headers Date;
+ ssl_certificate_by_lua_block {
+ local ngx_ssl = require "ngx.ssl"
+ ngx.log(ngx.WARN, "Receive SNI: ", ngx_ssl.server_name())
 }
- }
- server {
- listen 1985 ssl;
- server_name www.wrong.com;
- ssl_certificate cert/apisix.crt;
- ssl_certificate_key cert/apisix.key;
- lua_ssl_trusted_certificate cert/apisix.crt;
-
- server_tokens off;
-
 location / {
 content_by_lua_block {
 require("lib.server").go()
 }
-
+
 more_clear_headers Date;
 }
 }
diff --git a/t/core/proxy_ssl.t b/t/node/proxy_https.t
similarity index 86%
rename from t/core/proxy_ssl.t
rename to t/node/proxy_https.t
index ae04f3081402..0c3daf0e3815 100644
--- a/t/core/proxy_ssl.t
+++ b/t/node/proxy_https.t
@@ -34,10 +34,15 @@ __DATA__
 ngx.HTTP_PUT,
 [[{
 "methods": ["GET"],
+ "plugins": {
+ "proxy-rewrite": {
+ "scheme": "https"
+ }
+ },
 "upstream": {
 "type": "roundrobin",
 "nodes": {
- "127.0.0.1:1985": 1
+ "127.0.0.1:1983": 1
 }
 },
 "uri": "/hello"
@@ -60,12 +65,9 @@ passed
 
 
 === TEST 2: get upstream carrying host
---- http_config
-proxy_ssl_server_name on;
 --- request
 GET /hello
 --- more_headers
-host: www.wrong.com
---- error_code: 502
+host: www.sni.com
 --- error_log
-ssl
+Receive SNI: www.sni.com
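Review bot: The first t/APISIX.pm hunk hard-codes `proxy_ssl_name \$host;` and `proxy_ssl_server_name on;` into the harness's own http block, so the SNI assertion in proxy_https.t exercises the raw nginx directives rather than the `{% if http.proxy_ssl_server_name then %}` branch added to apisix/cli/ngx_tpl.lua in this patch. If the harness assembles its config from this heredoc instead of rendering the template, a typo in the template key or a broken `{% if %}` would not be caught by this test. A comment on the two lines, e.g. `# mirrors the proxy_ssl_server_name branch of apisix/cli/ngx_tpl.lua; keep in sync`, would at least tie them together, and a CLI-level check that the rendered nginx.conf contains `proxy_ssl_server_name on` would cover the template path. The heredoc these lines belong to starts outside the hunk.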
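Review bot: In the second proxy_https.t hunk, TEST 2 now asserts only that the upstream logged `Receive SNI: www.sni.com`; with `--- error_code: 502` removed and no `--- response_body` or `--- error_code` added, the proxied request itself could fail and the test would still pass as long as the log line appears. Adding a response expectation, e.g. `--- error_code: 200` or the body that `lib.server` returns for `/hello`, would pin the end-to-end HTTPS path rather than only the handshake. The exact log line is a clear improvement over the earlier `ssl` substring match, which almost any TLS-related log entry would have satisfied.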