Merge pull request #1828 from drawing/master

lianglli · web-flow · commit 66b9539e5d7e · 2023-07-26T12:58:39.000+08:00
xquic: support lua cert cb
diff --git a/modules/ngx_http_lua_module/config b/modules/ngx_http_lua_module/config
@@ -514,3 +514,5 @@ CORE_INCS="$CORE_INCS $ngx_addon_dir/src/api"
 CFLAGS="$CFLAGS -DNDK_SET_VAR"
 
 echo "/* DO NOT EDIT! This file was automatically generated by config */" > "$ngx_addon_dir/src/ngx_http_lua_autoconf.h"
+
+have=T_NGX_HTTP_HAVE_LUA_MODULE . auto/have
diff --git a/modules/ngx_http_lua_module/src/ngx_http_lua_ssl_certby.c b/modules/ngx_http_lua_module/src/ngx_http_lua_ssl_certby.c
@@ -231,6 +231,13 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
 
     hc = c->data;
 
+#if (T_NGX_XQUIC)
+    if (c->xquic_conn) {
+        ngx_http_xquic_connection_t *qc = (ngx_http_xquic_connection_t *)c->data;
+        hc = qc->http_connection;
+    }
+#endif
+
     fc = ngx_http_lua_create_fake_connection(NULL);
     if (fc == NULL) {
         goto failed;
@@ -255,6 +262,10 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
     fc->log->log_level = c->log->log_level;
     fc->ssl = c->ssl;
 
+#if (T_NGX_XQUIC)
+    fc->xquic_conn = c->xquic_conn;
+#endif
+
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
 #if (nginx_version >= 1009000)
diff --git a/modules/ngx_http_xquic_module/README.md b/modules/ngx_http_xquic_module/README.md
@@ -100,6 +100,8 @@ http {
 
 # 浏览器使用 HTTP3
 
+**注意：浏览器访问需要确保证书受信。**
+
 浏览器默认不会使用 `HTTP3` 请求，需要服务端响应包头 `Alt-Svc` 进行升级说明，浏览器通过响应包头感知到服务端是支持 `HTTP3` 的，下次请求会尝试使用 `HTTP3`。
 
 ```nginx
@@ -190,4 +192,4 @@ http {
     app: tengine
 ```
 
-对用户来讲，还是通过 443 端口访问，通过四层负责均衡设备，转换为 `Tengine` 的 2443 端口。
+对用户来讲，还是通过 443 端口访问，通过四层负载均衡设备，转换为 `Tengine` 的 2443 端口。
diff --git a/modules/ngx_http_xquic_module/ngx_http_xquic.c b/modules/ngx_http_xquic_module/ngx_http_xquic.c
@@ -20,6 +20,10 @@
 #endif
 
 
+#ifdef T_NGX_HTTP_HAVE_LUA_MODULE
+#include <ngx_http_lua_ssl_certby.h>
+extern ngx_module_t ngx_http_lua_module;
+#endif
 
 ngx_int_t
 ngx_http_v3_conn_check_concurrent_cnt(ngx_http_xquic_main_conf_t *qmcf)
@@ -187,6 +191,22 @@ ngx_http_v3_cert_cb(const char *sni, void **chain,
     hc = qc->http_connection;
     c = qc->connection;
 
+#ifdef T_NGX_HTTP_HAVE_LUA_MODULE
+    ngx_http_lua_srv_conf_t *lscf = NULL;
+
+    lscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_lua_module);
+    if (lscf != NULL && lscf->srv.ssl_cert_src.len)  {
+        ngx_ssl_conn_t *ssl_conn = qc->ssl_conn;
+        
+        ngx_http_lua_ssl_cert_handler(ssl_conn, NULL);
+        *chain = NULL;
+        *cert = NULL;
+        *key = NULL;
+
+        return XQC_OK;
+    }
+#endif
+
     /*
      * get the server core conf by sni, this is useful when multiple server
      * block listen on the same port. but useless when there is noly a single
@@ -256,6 +276,8 @@ int
 ngx_http_v3_conn_create_notify(xqc_h3_conn_t *h3_conn, 
     const xqc_cid_t *cid, void *user_data)
 {
+    ngx_connection_t               *c;
+
     /* we set alp user_data when accept connection */
     ngx_http_xquic_connection_t *user_conn = (ngx_http_xquic_connection_t *) user_data;
     user_conn->ssl_conn = (ngx_ssl_conn_t *) xqc_h3_conn_get_ssl(h3_conn);
@@ -265,6 +287,24 @@ ngx_http_v3_conn_create_notify(xqc_h3_conn_t *h3_conn,
 
     xqc_h3_conn_set_user_data(h3_conn, user_conn);
 
+    c = user_conn->connection;
+
+    if (SSL_set_ex_data(user_conn->ssl_conn, ngx_ssl_connection_index, c) == 0)
+    {
+        ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, "|xquic|SSL_set_ex_data() failed|");
+        return XQC_ERROR;
+    }
+    
+    c->xquic_conn = 1;
+
+    ngx_ssl_connection_t *p_ssl = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t));
+    if (p_ssl ==  NULL) {
+        ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, "|xquic|alloc ngx_ssl_connection_t failed|");
+        return XQC_ERROR;
+    }
+    p_ssl->connection = user_conn->ssl_conn;
+    c->ssl = p_ssl;
+
     return NGX_OK;
 }
 
diff --git a/modules/ngx_http_xquic_module/ngx_http_xquic_filter_module.c b/modules/ngx_http_xquic_module/ngx_http_xquic_filter_module.c
@@ -465,8 +465,18 @@ ngx_http_xquic_header_filter(ngx_http_request_t *r)
 
         h->hash = 1;
         ngx_str_set(&h->key, NGX_HTTP_XQUIC_NAME_SERVER);
-        if (clcf->server_tokens) {
+        if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_ON) {
+#if (T_NGX_SERVER_INFO)
+            ngx_str_set(&h->value, TENGINE_VER);
+#else
             ngx_str_set(&h->value, NGINX_VER);
+#endif
+        } else if (clcf->server_tokens == NGX_HTTP_SERVER_TOKENS_BUILD) {
+#if (T_NGX_SERVER_INFO)
+            ngx_str_set(&h->value, TENGINE_VER_BUILD);
+#else
+            ngx_str_set(&h->value, NGINX_VER_BUILD);
+#endif
         } else {
             ngx_str_set(&h->value, TENGINE);
         }
diff --git a/src/core/ngx_connection.h b/src/core/ngx_connection.h
@@ -264,6 +264,10 @@ struct ngx_connection_s {
 #if (T_NGX_HAVE_XUDP)
     unsigned            xudp_tx:1;
 #endif
+
+#if (T_NGX_XQUIC)
+    unsigned            xquic_conn:1;
+#endif
 };
 
 
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
@@ -3898,7 +3898,13 @@ ngx_ssl_shutdown(ngx_connection_t *c)
         return rc;
     }
 
+#if (T_NGX_XQUIC)
+	if (!c->xquic_conn) {
+		SSL_free(c->ssl->connection);
+	}
+#else
     SSL_free(c->ssl->connection);
+#endif
     c->ssl = NULL;
     c->recv = ngx_recv;
 
