3 * Copyright (C) Igor Sysoev
4 * Copyright (C) Nginx, Inc.
8 #include <ngx_config.h>
13 typedef ngx_int_t (*ngx_ssl_variable_handler_pt
)(ngx_connection_t
*c
,
14 ngx_pool_t
*pool
, ngx_str_t
*s
);
17 #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5"
18 #define NGX_DEFAULT_ECDH_CURVE "prime256v1"
21 #ifdef TLSEXT_TYPE_next_proto_neg
22 static int ngx_http_ssl_npn_advertised(ngx_ssl_conn_t
*ssl_conn
,
23 const unsigned char **out
, unsigned int *outlen
, void *arg
);
26 static ngx_int_t
ngx_http_ssl_static_variable(ngx_http_request_t
*r
,
27 ngx_http_variable_value_t
*v
, uintptr_t data
);
28 static ngx_int_t
ngx_http_ssl_variable(ngx_http_request_t
*r
,
29 ngx_http_variable_value_t
*v
, uintptr_t data
);
31 static ngx_int_t
ngx_http_ssl_add_variables(ngx_conf_t
*cf
);
32 static void *ngx_http_ssl_create_srv_conf(ngx_conf_t
*cf
);
33 static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t
*cf
,
34 void *parent
, void *child
);
36 static char *ngx_http_ssl_enable(ngx_conf_t
*cf
, ngx_command_t
*cmd
,
38 static char *ngx_http_ssl_session_cache(ngx_conf_t
*cf
, ngx_command_t
*cmd
,
41 static ngx_int_t
ngx_http_ssl_init(ngx_conf_t
*cf
);
44 static ngx_conf_bitmask_t ngx_http_ssl_protocols
[] = {
45 { ngx_string("SSLv2"), NGX_SSL_SSLv2
},
46 { ngx_string("SSLv3"), NGX_SSL_SSLv3
},
47 { ngx_string("TLSv1"), NGX_SSL_TLSv1
},
48 { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1
},
49 { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2
},
50 { ngx_null_string
, 0 }
54 static ngx_conf_enum_t ngx_http_ssl_verify
[] = {
55 { ngx_string("off"), 0 },
56 { ngx_string("on"), 1 },
57 { ngx_string("optional"), 2 },
58 { ngx_string("optional_no_ca"), 3 },
59 { ngx_null_string
, 0 }
63 static ngx_command_t ngx_http_ssl_commands
[] = {
66 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_FLAG
,
68 NGX_HTTP_SRV_CONF_OFFSET
,
69 offsetof(ngx_http_ssl_srv_conf_t
, enable
),
72 { ngx_string("ssl_certificate"),
73 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
74 ngx_conf_set_str_slot
,
75 NGX_HTTP_SRV_CONF_OFFSET
,
76 offsetof(ngx_http_ssl_srv_conf_t
, certificate
),
79 { ngx_string("ssl_certificate_key"),
80 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
81 ngx_conf_set_str_slot
,
82 NGX_HTTP_SRV_CONF_OFFSET
,
83 offsetof(ngx_http_ssl_srv_conf_t
, certificate_key
),
86 { ngx_string("ssl_dhparam"),
87 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
88 ngx_conf_set_str_slot
,
89 NGX_HTTP_SRV_CONF_OFFSET
,
90 offsetof(ngx_http_ssl_srv_conf_t
, dhparam
),
93 { ngx_string("ssl_ecdh_curve"),
94 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
95 ngx_conf_set_str_slot
,
96 NGX_HTTP_SRV_CONF_OFFSET
,
97 offsetof(ngx_http_ssl_srv_conf_t
, ecdh_curve
),
100 { ngx_string("ssl_protocols"),
101 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_1MORE
,
102 ngx_conf_set_bitmask_slot
,
103 NGX_HTTP_SRV_CONF_OFFSET
,
104 offsetof(ngx_http_ssl_srv_conf_t
, protocols
),
105 &ngx_http_ssl_protocols
},
107 { ngx_string("ssl_ciphers"),
108 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
109 ngx_conf_set_str_slot
,
110 NGX_HTTP_SRV_CONF_OFFSET
,
111 offsetof(ngx_http_ssl_srv_conf_t
, ciphers
),
114 { ngx_string("ssl_verify_client"),
115 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
116 ngx_conf_set_enum_slot
,
117 NGX_HTTP_SRV_CONF_OFFSET
,
118 offsetof(ngx_http_ssl_srv_conf_t
, verify
),
119 &ngx_http_ssl_verify
},
121 { ngx_string("ssl_verify_depth"),
122 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_1MORE
,
123 ngx_conf_set_num_slot
,
124 NGX_HTTP_SRV_CONF_OFFSET
,
125 offsetof(ngx_http_ssl_srv_conf_t
, verify_depth
),
128 { ngx_string("ssl_client_certificate"),
129 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
130 ngx_conf_set_str_slot
,
131 NGX_HTTP_SRV_CONF_OFFSET
,
132 offsetof(ngx_http_ssl_srv_conf_t
, client_certificate
),
135 { ngx_string("ssl_trusted_certificate"),
136 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
137 ngx_conf_set_str_slot
,
138 NGX_HTTP_SRV_CONF_OFFSET
,
139 offsetof(ngx_http_ssl_srv_conf_t
, trusted_certificate
),
142 { ngx_string("ssl_prefer_server_ciphers"),
143 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_FLAG
,
144 ngx_conf_set_flag_slot
,
145 NGX_HTTP_SRV_CONF_OFFSET
,
146 offsetof(ngx_http_ssl_srv_conf_t
, prefer_server_ciphers
),
149 { ngx_string("ssl_session_cache"),
150 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE12
,
151 ngx_http_ssl_session_cache
,
152 NGX_HTTP_SRV_CONF_OFFSET
,
156 { ngx_string("ssl_session_timeout"),
157 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
158 ngx_conf_set_sec_slot
,
159 NGX_HTTP_SRV_CONF_OFFSET
,
160 offsetof(ngx_http_ssl_srv_conf_t
, session_timeout
),
163 { ngx_string("ssl_crl"),
164 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
165 ngx_conf_set_str_slot
,
166 NGX_HTTP_SRV_CONF_OFFSET
,
167 offsetof(ngx_http_ssl_srv_conf_t
, crl
),
170 { ngx_string("ssl_stapling"),
171 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_FLAG
,
172 ngx_conf_set_flag_slot
,
173 NGX_HTTP_SRV_CONF_OFFSET
,
174 offsetof(ngx_http_ssl_srv_conf_t
, stapling
),
177 { ngx_string("ssl_stapling_file"),
178 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
179 ngx_conf_set_str_slot
,
180 NGX_HTTP_SRV_CONF_OFFSET
,
181 offsetof(ngx_http_ssl_srv_conf_t
, stapling_file
),
184 { ngx_string("ssl_stapling_responder"),
185 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_TAKE1
,
186 ngx_conf_set_str_slot
,
187 NGX_HTTP_SRV_CONF_OFFSET
,
188 offsetof(ngx_http_ssl_srv_conf_t
, stapling_responder
),
191 { ngx_string("ssl_stapling_verify"),
192 NGX_HTTP_MAIN_CONF
|NGX_HTTP_SRV_CONF
|NGX_CONF_FLAG
,
193 ngx_conf_set_flag_slot
,
194 NGX_HTTP_SRV_CONF_OFFSET
,
195 offsetof(ngx_http_ssl_srv_conf_t
, stapling_verify
),
202 static ngx_http_module_t ngx_http_ssl_module_ctx
= {
203 ngx_http_ssl_add_variables
, /* preconfiguration */
204 ngx_http_ssl_init
, /* postconfiguration */
206 NULL
, /* create main configuration */
207 NULL
, /* init main configuration */
209 ngx_http_ssl_create_srv_conf
, /* create server configuration */
210 ngx_http_ssl_merge_srv_conf
, /* merge server configuration */
212 NULL
, /* create location configuration */
213 NULL
/* merge location configuration */
217 ngx_module_t ngx_http_ssl_module
= {
219 &ngx_http_ssl_module_ctx
, /* module context */
220 ngx_http_ssl_commands
, /* module directives */
221 NGX_HTTP_MODULE
, /* module type */
222 NULL
, /* init master */
223 NULL
, /* init module */
224 NULL
, /* init process */
225 NULL
, /* init thread */
226 NULL
, /* exit thread */
227 NULL
, /* exit process */
228 NULL
, /* exit master */
229 NGX_MODULE_V1_PADDING
233 static ngx_http_variable_t ngx_http_ssl_vars
[] = {
235 { ngx_string("ssl_protocol"), NULL
, ngx_http_ssl_static_variable
,
236 (uintptr_t) ngx_ssl_get_protocol
, NGX_HTTP_VAR_CHANGEABLE
, 0 },
238 { ngx_string("ssl_cipher"), NULL
, ngx_http_ssl_static_variable
,
239 (uintptr_t) ngx_ssl_get_cipher_name
, NGX_HTTP_VAR_CHANGEABLE
, 0 },
241 { ngx_string("ssl_session_id"), NULL
, ngx_http_ssl_variable
,
242 (uintptr_t) ngx_ssl_get_session_id
, NGX_HTTP_VAR_CHANGEABLE
, 0 },
244 { ngx_string("ssl_client_cert"), NULL
, ngx_http_ssl_variable
,
245 (uintptr_t) ngx_ssl_get_certificate
, NGX_HTTP_VAR_CHANGEABLE
, 0 },
247 { ngx_string("ssl_client_raw_cert"), NULL
, ngx_http_ssl_variable
,
248 (uintptr_t) ngx_ssl_get_raw_certificate
,
249 NGX_HTTP_VAR_CHANGEABLE
, 0 },
251 { ngx_string("ssl_client_s_dn"), NULL
, ngx_http_ssl_variable
,
252 (uintptr_t) ngx_ssl_get_subject_dn
, NGX_HTTP_VAR_CHANGEABLE
, 0 },
254 { ngx_string("ssl_client_i_dn"), NULL
, ngx_http_ssl_variable
,
255 (uintptr_t) ngx_ssl_get_issuer_dn
, NGX_HTTP_VAR_CHANGEABLE
, 0 },
257 { ngx_string("ssl_client_serial"), NULL
, ngx_http_ssl_variable
,
258 (uintptr_t) ngx_ssl_get_serial_number
, NGX_HTTP_VAR_CHANGEABLE
, 0 },
260 { ngx_string("ssl_client_verify"), NULL
, ngx_http_ssl_variable
,
261 (uintptr_t) ngx_ssl_get_client_verify
, NGX_HTTP_VAR_CHANGEABLE
, 0 },
263 { ngx_null_string
, NULL
, NULL
, 0, 0, 0 }
267 static ngx_str_t ngx_http_ssl_sess_id_ctx
= ngx_string("HTTP");
270 #ifdef TLSEXT_TYPE_next_proto_neg
272 #define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1"
275 ngx_http_ssl_npn_advertised(ngx_ssl_conn_t
*ssl_conn
,
276 const unsigned char **out
, unsigned int *outlen
, void *arg
)
278 #if (NGX_HTTP_SPDY || NGX_DEBUG)
281 c
= ngx_ssl_get_connection(ssl_conn
);
282 ngx_log_debug0(NGX_LOG_DEBUG_HTTP
, c
->log
, 0, "SSL NPN advertised");
287 ngx_http_connection_t
*hc
;
291 if (hc
->addr_conf
->spdy
) {
292 *out
= (unsigned char *) NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE
;
293 *outlen
= sizeof(NGX_SPDY_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE
) - 1;
295 return SSL_TLSEXT_ERR_OK
;
300 *out
= (unsigned char *) NGX_HTTP_NPN_ADVERTISE
;
301 *outlen
= sizeof(NGX_HTTP_NPN_ADVERTISE
) - 1;
303 return SSL_TLSEXT_ERR_OK
;
310 ngx_http_ssl_static_variable(ngx_http_request_t
*r
,
311 ngx_http_variable_value_t
*v
, uintptr_t data
)
313 ngx_ssl_variable_handler_pt handler
= (ngx_ssl_variable_handler_pt
) data
;
318 if (r
->connection
->ssl
) {
320 (void) handler(r
->connection
, NULL
, &s
);
324 for (len
= 0; v
->data
[len
]; len
++) { /* void */ }
341 ngx_http_ssl_variable(ngx_http_request_t
*r
, ngx_http_variable_value_t
*v
,
344 ngx_ssl_variable_handler_pt handler
= (ngx_ssl_variable_handler_pt
) data
;
348 if (r
->connection
->ssl
) {
350 if (handler(r
->connection
, r
->pool
, &s
) != NGX_OK
) {
373 ngx_http_ssl_add_variables(ngx_conf_t
*cf
)
375 ngx_http_variable_t
*var
, *v
;
377 for (v
= ngx_http_ssl_vars
; v
->name
.len
; v
++) {
378 var
= ngx_http_add_variable(cf
, &v
->name
, v
->flags
);
383 var
->get_handler
= v
->get_handler
;
392 ngx_http_ssl_create_srv_conf(ngx_conf_t
*cf
)
394 ngx_http_ssl_srv_conf_t
*sscf
;
396 sscf
= ngx_pcalloc(cf
->pool
, sizeof(ngx_http_ssl_srv_conf_t
));
402 * set by ngx_pcalloc():
404 * sscf->protocols = 0;
405 * sscf->certificate = { 0, NULL };
406 * sscf->certificate_key = { 0, NULL };
407 * sscf->dhparam = { 0, NULL };
408 * sscf->ecdh_curve = { 0, NULL };
409 * sscf->client_certificate = { 0, NULL };
410 * sscf->trusted_certificate = { 0, NULL };
411 * sscf->crl = { 0, NULL };
412 * sscf->ciphers = { 0, NULL };
413 * sscf->shm_zone = NULL;
414 * sscf->stapling_file = { 0, NULL };
415 * sscf->stapling_responder = { 0, NULL };
418 sscf
->enable
= NGX_CONF_UNSET
;
419 sscf
->prefer_server_ciphers
= NGX_CONF_UNSET
;
420 sscf
->verify
= NGX_CONF_UNSET_UINT
;
421 sscf
->verify_depth
= NGX_CONF_UNSET_UINT
;
422 sscf
->builtin_session_cache
= NGX_CONF_UNSET
;
423 sscf
->session_timeout
= NGX_CONF_UNSET
;
424 sscf
->stapling
= NGX_CONF_UNSET
;
425 sscf
->stapling_verify
= NGX_CONF_UNSET
;
432 ngx_http_ssl_merge_srv_conf(ngx_conf_t
*cf
, void *parent
, void *child
)
434 ngx_http_ssl_srv_conf_t
*prev
= parent
;
435 ngx_http_ssl_srv_conf_t
*conf
= child
;
437 ngx_pool_cleanup_t
*cln
;
439 if (conf
->enable
== NGX_CONF_UNSET
) {
440 if (prev
->enable
== NGX_CONF_UNSET
) {
444 conf
->enable
= prev
->enable
;
445 conf
->file
= prev
->file
;
446 conf
->line
= prev
->line
;
450 ngx_conf_merge_value(conf
->session_timeout
,
451 prev
->session_timeout
, 300);
453 ngx_conf_merge_value(conf
->prefer_server_ciphers
,
454 prev
->prefer_server_ciphers
, 0);
456 ngx_conf_merge_bitmask_value(conf
->protocols
, prev
->protocols
,
457 (NGX_CONF_BITMASK_SET
|NGX_SSL_SSLv3
|NGX_SSL_TLSv1
458 |NGX_SSL_TLSv1_1
|NGX_SSL_TLSv1_2
));
460 ngx_conf_merge_uint_value(conf
->verify
, prev
->verify
, 0);
461 ngx_conf_merge_uint_value(conf
->verify_depth
, prev
->verify_depth
, 1);
463 ngx_conf_merge_str_value(conf
->certificate
, prev
->certificate
, "");
464 ngx_conf_merge_str_value(conf
->certificate_key
, prev
->certificate_key
, "");
466 ngx_conf_merge_str_value(conf
->dhparam
, prev
->dhparam
, "");
468 ngx_conf_merge_str_value(conf
->client_certificate
, prev
->client_certificate
,
470 ngx_conf_merge_str_value(conf
->trusted_certificate
,
471 prev
->trusted_certificate
, "");
472 ngx_conf_merge_str_value(conf
->crl
, prev
->crl
, "");
474 ngx_conf_merge_str_value(conf
->ecdh_curve
, prev
->ecdh_curve
,
475 NGX_DEFAULT_ECDH_CURVE
);
477 ngx_conf_merge_str_value(conf
->ciphers
, prev
->ciphers
, NGX_DEFAULT_CIPHERS
);
479 ngx_conf_merge_value(conf
->stapling
, prev
->stapling
, 0);
480 ngx_conf_merge_value(conf
->stapling_verify
, prev
->stapling_verify
, 0);
481 ngx_conf_merge_str_value(conf
->stapling_file
, prev
->stapling_file
, "");
482 ngx_conf_merge_str_value(conf
->stapling_responder
,
483 prev
->stapling_responder
, "");
485 conf
->ssl
.log
= cf
->log
;
489 if (conf
->certificate
.len
== 0) {
490 ngx_log_error(NGX_LOG_EMERG
, cf
->log
, 0,
491 "no \"ssl_certificate\" is defined for "
492 "the \"ssl\" directive in %s:%ui",
493 conf
->file
, conf
->line
);
494 return NGX_CONF_ERROR
;
497 if (conf
->certificate_key
.len
== 0) {
498 ngx_log_error(NGX_LOG_EMERG
, cf
->log
, 0,
499 "no \"ssl_certificate_key\" is defined for "
500 "the \"ssl\" directive in %s:%ui",
501 conf
->file
, conf
->line
);
502 return NGX_CONF_ERROR
;
507 if (conf
->certificate
.len
== 0) {
511 if (conf
->certificate_key
.len
== 0) {
512 ngx_log_error(NGX_LOG_EMERG
, cf
->log
, 0,
513 "no \"ssl_certificate_key\" is defined "
514 "for certificate \"%V\"", &conf
->certificate
);
515 return NGX_CONF_ERROR
;
519 if (ngx_ssl_create(&conf
->ssl
, conf
->protocols
, conf
) != NGX_OK
) {
520 return NGX_CONF_ERROR
;
523 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
525 if (SSL_CTX_set_tlsext_servername_callback(conf
->ssl
.ctx
,
526 ngx_http_ssl_servername
)
529 ngx_log_error(NGX_LOG_WARN
, cf
->log
, 0,
530 "nginx was built with SNI support, however, now it is linked "
531 "dynamically to an OpenSSL library which has no tlsext support, "
532 "therefore SNI is not available");
537 #ifdef TLSEXT_TYPE_next_proto_neg
538 SSL_CTX_set_next_protos_advertised_cb(conf
->ssl
.ctx
,
539 ngx_http_ssl_npn_advertised
, NULL
);
542 cln
= ngx_pool_cleanup_add(cf
->pool
, 0);
544 return NGX_CONF_ERROR
;
547 cln
->handler
= ngx_ssl_cleanup_ctx
;
548 cln
->data
= &conf
->ssl
;
550 if (ngx_ssl_certificate(cf
, &conf
->ssl
, &conf
->certificate
,
551 &conf
->certificate_key
)
554 return NGX_CONF_ERROR
;
557 if (SSL_CTX_set_cipher_list(conf
->ssl
.ctx
,
558 (const char *) conf
->ciphers
.data
)
561 ngx_ssl_error(NGX_LOG_EMERG
, cf
->log
, 0,
562 "SSL_CTX_set_cipher_list(\"%V\") failed",
568 if (conf
->client_certificate
.len
== 0 && conf
->verify
!= 3) {
569 ngx_log_error(NGX_LOG_EMERG
, cf
->log
, 0,
570 "no ssl_client_certificate for ssl_client_verify");
571 return NGX_CONF_ERROR
;
574 if (ngx_ssl_client_certificate(cf
, &conf
->ssl
,
575 &conf
->client_certificate
,
579 return NGX_CONF_ERROR
;
583 if (ngx_ssl_trusted_certificate(cf
, &conf
->ssl
,
584 &conf
->trusted_certificate
,
588 return NGX_CONF_ERROR
;
591 if (ngx_ssl_crl(cf
, &conf
->ssl
, &conf
->crl
) != NGX_OK
) {
592 return NGX_CONF_ERROR
;
595 if (conf
->prefer_server_ciphers
) {
596 SSL_CTX_set_options(conf
->ssl
.ctx
, SSL_OP_CIPHER_SERVER_PREFERENCE
);
599 /* a temporary 512-bit RSA key is required for export versions of MSIE */
600 SSL_CTX_set_tmp_rsa_callback(conf
->ssl
.ctx
, ngx_ssl_rsa512_key_callback
);
602 if (ngx_ssl_dhparam(cf
, &conf
->ssl
, &conf
->dhparam
) != NGX_OK
) {
603 return NGX_CONF_ERROR
;
606 if (ngx_ssl_ecdh_curve(cf
, &conf
->ssl
, &conf
->ecdh_curve
) != NGX_OK
) {
607 return NGX_CONF_ERROR
;
610 ngx_conf_merge_value(conf
->builtin_session_cache
,
611 prev
->builtin_session_cache
, NGX_SSL_NONE_SCACHE
);
613 if (conf
->shm_zone
== NULL
) {
614 conf
->shm_zone
= prev
->shm_zone
;
617 if (ngx_ssl_session_cache(&conf
->ssl
, &ngx_http_ssl_sess_id_ctx
,
618 conf
->builtin_session_cache
,
619 conf
->shm_zone
, conf
->session_timeout
)
622 return NGX_CONF_ERROR
;
625 if (conf
->stapling
) {
627 if (ngx_ssl_stapling(cf
, &conf
->ssl
, &conf
->stapling_file
,
628 &conf
->stapling_responder
, conf
->stapling_verify
)
631 return NGX_CONF_ERROR
;
641 ngx_http_ssl_enable(ngx_conf_t
*cf
, ngx_command_t
*cmd
, void *conf
)
643 ngx_http_ssl_srv_conf_t
*sscf
= conf
;
647 rv
= ngx_conf_set_flag_slot(cf
, cmd
, conf
);
649 if (rv
!= NGX_CONF_OK
) {
653 sscf
->file
= cf
->conf_file
->file
.name
.data
;
654 sscf
->line
= cf
->conf_file
->line
;
661 ngx_http_ssl_session_cache(ngx_conf_t
*cf
, ngx_command_t
*cmd
, void *conf
)
663 ngx_http_ssl_srv_conf_t
*sscf
= conf
;
666 ngx_str_t
*value
, name
, size
;
670 value
= cf
->args
->elts
;
672 for (i
= 1; i
< cf
->args
->nelts
; i
++) {
674 if (ngx_strcmp(value
[i
].data
, "off") == 0) {
675 sscf
->builtin_session_cache
= NGX_SSL_NO_SCACHE
;
679 if (ngx_strcmp(value
[i
].data
, "none") == 0) {
680 sscf
->builtin_session_cache
= NGX_SSL_NONE_SCACHE
;
684 if (ngx_strcmp(value
[i
].data
, "builtin") == 0) {
685 sscf
->builtin_session_cache
= NGX_SSL_DFLT_BUILTIN_SCACHE
;
689 if (value
[i
].len
> sizeof("builtin:") - 1
690 && ngx_strncmp(value
[i
].data
, "builtin:", sizeof("builtin:") - 1)
693 n
= ngx_atoi(value
[i
].data
+ sizeof("builtin:") - 1,
694 value
[i
].len
- (sizeof("builtin:") - 1));
696 if (n
== NGX_ERROR
) {
700 sscf
->builtin_session_cache
= n
;
705 if (value
[i
].len
> sizeof("shared:") - 1
706 && ngx_strncmp(value
[i
].data
, "shared:", sizeof("shared:") - 1)
711 for (j
= sizeof("shared:") - 1; j
< value
[i
].len
; j
++) {
712 if (value
[i
].data
[j
] == ':') {
724 name
.data
= value
[i
].data
+ sizeof("shared:") - 1;
726 size
.len
= value
[i
].len
- j
- 1;
727 size
.data
= name
.data
+ len
+ 1;
729 n
= ngx_parse_size(&size
);
731 if (n
== NGX_ERROR
) {
735 if (n
< (ngx_int_t
) (8 * ngx_pagesize
)) {
736 ngx_conf_log_error(NGX_LOG_EMERG
, cf
, 0,
737 "session cache \"%V\" is too small",
740 return NGX_CONF_ERROR
;
743 sscf
->shm_zone
= ngx_shared_memory_add(cf
, &name
, n
,
744 &ngx_http_ssl_module
);
745 if (sscf
->shm_zone
== NULL
) {
746 return NGX_CONF_ERROR
;
749 sscf
->shm_zone
->init
= ngx_ssl_session_cache_init
;
757 if (sscf
->shm_zone
&& sscf
->builtin_session_cache
== NGX_CONF_UNSET
) {
758 sscf
->builtin_session_cache
= NGX_SSL_NO_BUILTIN_SCACHE
;
765 ngx_conf_log_error(NGX_LOG_EMERG
, cf
, 0,
766 "invalid session cache \"%V\"", &value
[i
]);
768 return NGX_CONF_ERROR
;
773 ngx_http_ssl_init(ngx_conf_t
*cf
)
776 ngx_http_ssl_srv_conf_t
*sscf
;
777 ngx_http_core_loc_conf_t
*clcf
;
778 ngx_http_core_srv_conf_t
**cscfp
;
779 ngx_http_core_main_conf_t
*cmcf
;
781 cmcf
= ngx_http_conf_get_module_main_conf(cf
, ngx_http_core_module
);
782 cscfp
= cmcf
->servers
.elts
;
784 for (s
= 0; s
< cmcf
->servers
.nelts
; s
++) {
786 sscf
= cscfp
[s
]->ctx
->srv_conf
[ngx_http_ssl_module
.ctx_index
];
788 if (sscf
->ssl
.ctx
== NULL
|| !sscf
->stapling
) {
792 clcf
= cscfp
[s
]->ctx
->loc_conf
[ngx_http_core_module
.ctx_index
];
794 if (ngx_ssl_stapling_resolver(cf
, &sscf
->ssl
, clcf
->resolver
,
795 clcf
->resolver_timeout
)