nghttpx: Enable neverbleed for client private key; don't run nb without TLS
This commit is contained in:
parent
8dd5f7585e
commit
566b0476d7
|
@ -165,7 +165,11 @@ int ConnectionHandler::create_single_worker() {
|
||||||
nb_.get()
|
nb_.get()
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
);
|
);
|
||||||
auto cl_ssl_ctx = ssl::setup_client_ssl_context();
|
auto cl_ssl_ctx = ssl::setup_client_ssl_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
nb_.get()
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
);
|
||||||
|
|
||||||
if (cl_ssl_ctx) {
|
if (cl_ssl_ctx) {
|
||||||
all_ssl_ctx_.push_back(cl_ssl_ctx);
|
all_ssl_ctx_.push_back(cl_ssl_ctx);
|
||||||
|
@ -193,7 +197,11 @@ int ConnectionHandler::create_worker_thread(size_t num) {
|
||||||
nb_.get()
|
nb_.get()
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
);
|
);
|
||||||
auto cl_ssl_ctx = ssl::setup_client_ssl_context();
|
auto cl_ssl_ctx = ssl::setup_client_ssl_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
nb_.get()
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
);
|
||||||
|
|
||||||
if (cl_ssl_ctx) {
|
if (cl_ssl_ctx) {
|
||||||
all_ssl_ctx_.push_back(cl_ssl_ctx);
|
all_ssl_ctx_.push_back(cl_ssl_ctx);
|
||||||
|
|
|
@ -635,7 +635,11 @@ int select_next_proto_cb(SSL *ssl, unsigned char **out, unsigned char *outlen,
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
SSL_CTX *create_ssl_client_context() {
|
SSL_CTX *create_ssl_client_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
neverbleed_t *nb
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
) {
|
||||||
auto ssl_ctx = SSL_CTX_new(SSLv23_client_method());
|
auto ssl_ctx = SSL_CTX_new(SSLv23_client_method());
|
||||||
if (!ssl_ctx) {
|
if (!ssl_ctx) {
|
||||||
LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
|
LOG(FATAL) << ERR_error_string(ERR_get_error(), nullptr);
|
||||||
|
@ -681,6 +685,7 @@ SSL_CTX *create_ssl_client_context() {
|
||||||
}
|
}
|
||||||
|
|
||||||
if (get_config()->client_private_key_file) {
|
if (get_config()->client_private_key_file) {
|
||||||
|
#ifndef HAVE_NEVERBLEED
|
||||||
if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
|
if (SSL_CTX_use_PrivateKey_file(ssl_ctx,
|
||||||
get_config()->client_private_key_file.get(),
|
get_config()->client_private_key_file.get(),
|
||||||
SSL_FILETYPE_PEM) != 1) {
|
SSL_FILETYPE_PEM) != 1) {
|
||||||
|
@ -689,6 +694,16 @@ SSL_CTX *create_ssl_client_context() {
|
||||||
<< ERR_error_string(ERR_get_error(), nullptr);
|
<< ERR_error_string(ERR_get_error(), nullptr);
|
||||||
DIE();
|
DIE();
|
||||||
}
|
}
|
||||||
|
#else // HAVE_NEVERBLEED
|
||||||
|
std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
|
||||||
|
if (neverbleed_load_private_key_file(
|
||||||
|
nb, ssl_ctx, get_config()->client_private_key_file.get(),
|
||||||
|
errbuf.data()) != 1) {
|
||||||
|
LOG(FATAL) << "neverbleed_load_private_key_file failed: "
|
||||||
|
<< errbuf.data();
|
||||||
|
DIE();
|
||||||
|
}
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
}
|
}
|
||||||
if (get_config()->client_cert_file) {
|
if (get_config()->client_cert_file) {
|
||||||
if (SSL_CTX_use_certificate_chain_file(
|
if (SSL_CTX_use_certificate_chain_file(
|
||||||
|
@ -1165,15 +1180,28 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
|
||||||
return ssl_ctx;
|
return ssl_ctx;
|
||||||
}
|
}
|
||||||
|
|
||||||
SSL_CTX *setup_client_ssl_context() {
|
bool downstream_tls_enabled() {
|
||||||
if (get_config()->client_mode) {
|
if (get_config()->client_mode) {
|
||||||
return get_config()->downstream_no_tls ? nullptr
|
return !get_config()->downstream_no_tls;
|
||||||
: ssl::create_ssl_client_context();
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return get_config()->http2_bridge && !get_config()->downstream_no_tls
|
return get_config()->http2_bridge && !get_config()->downstream_no_tls;
|
||||||
? ssl::create_ssl_client_context()
|
}
|
||||||
: nullptr;
|
|
||||||
|
SSL_CTX *setup_client_ssl_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
neverbleed_t *nb
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
) {
|
||||||
|
if (!downstream_tls_enabled()) {
|
||||||
|
return nullptr;
|
||||||
|
}
|
||||||
|
|
||||||
|
return ssl::create_ssl_client_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
nb
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
CertLookupTree *create_cert_lookup_tree() {
|
CertLookupTree *create_cert_lookup_tree() {
|
||||||
|
|
|
@ -69,7 +69,11 @@ SSL_CTX *create_ssl_context(const char *private_key_file, const char *cert_file
|
||||||
);
|
);
|
||||||
|
|
||||||
// Create client side SSL_CTX
|
// Create client side SSL_CTX
|
||||||
SSL_CTX *create_ssl_client_context();
|
SSL_CTX *create_ssl_client_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
neverbleed_t *nb
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
);
|
||||||
|
|
||||||
ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
|
ClientHandler *accept_connection(Worker *worker, int fd, sockaddr *addr,
|
||||||
int addrlen);
|
int addrlen);
|
||||||
|
@ -179,7 +183,11 @@ SSL_CTX *setup_server_ssl_context(std::vector<SSL_CTX *> &all_ssl_ctx,
|
||||||
// Setups client side SSL_CTX. This function inspects get_config()
|
// Setups client side SSL_CTX. This function inspects get_config()
|
||||||
// and if downstream_no_tls is true, returns nullptr. Otherwise, only
|
// and if downstream_no_tls is true, returns nullptr. Otherwise, only
|
||||||
// construct SSL_CTX if either client_mode or http2_bridge is true.
|
// construct SSL_CTX if either client_mode or http2_bridge is true.
|
||||||
SSL_CTX *setup_client_ssl_context();
|
SSL_CTX *setup_client_ssl_context(
|
||||||
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
neverbleed_t *nb
|
||||||
|
#endif // HAVE_NEVERBLEED
|
||||||
|
);
|
||||||
|
|
||||||
// Creates CertLookupTree. If frontend is configured not to use TLS,
|
// Creates CertLookupTree. If frontend is configured not to use TLS,
|
||||||
// this function returns nullptr.
|
// this function returns nullptr.
|
||||||
|
@ -187,6 +195,9 @@ CertLookupTree *create_cert_lookup_tree();
|
||||||
|
|
||||||
SSL *create_ssl(SSL_CTX *ssl_ctx);
|
SSL *create_ssl(SSL_CTX *ssl_ctx);
|
||||||
|
|
||||||
|
// Returns true if SSL/TLS is enabled on downstream
|
||||||
|
bool downstream_tls_enabled();
|
||||||
|
|
||||||
} // namespace ssl
|
} // namespace ssl
|
||||||
|
|
||||||
} // namespace shrpx
|
} // namespace shrpx
|
||||||
|
|
|
@ -48,6 +48,7 @@
|
||||||
#include "shrpx_memcached_dispatcher.h"
|
#include "shrpx_memcached_dispatcher.h"
|
||||||
#include "shrpx_memcached_request.h"
|
#include "shrpx_memcached_request.h"
|
||||||
#include "shrpx_process.h"
|
#include "shrpx_process.h"
|
||||||
|
#include "shrpx_ssl.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
#include "app_helper.h"
|
#include "app_helper.h"
|
||||||
#include "template.h"
|
#include "template.h"
|
||||||
|
@ -84,7 +85,9 @@ void drop_privileges(
|
||||||
exit(EXIT_FAILURE);
|
exit(EXIT_FAILURE);
|
||||||
}
|
}
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
if (nb) {
|
||||||
neverbleed_setuidgid(nb, get_config()->user.get(), 1);
|
neverbleed_setuidgid(nb, get_config()->user.get(), 1);
|
||||||
|
}
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
@ -400,8 +403,8 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
|
||||||
}
|
}
|
||||||
|
|
||||||
#ifdef HAVE_NEVERBLEED
|
#ifdef HAVE_NEVERBLEED
|
||||||
|
if (!get_config()->upstream_no_tls || ssl::downstream_tls_enabled()) {
|
||||||
std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
|
std::array<char, NEVERBLEED_ERRBUF_SIZE> errbuf;
|
||||||
{
|
|
||||||
auto nb = make_unique<neverbleed_t>();
|
auto nb = make_unique<neverbleed_t>();
|
||||||
if (neverbleed_init(nb.get(), errbuf.data()) != 0) {
|
if (neverbleed_init(nb.get(), errbuf.data()) != 0) {
|
||||||
LOG(FATAL) << "neverbleed_init failed: " << errbuf.data();
|
LOG(FATAL) << "neverbleed_init failed: " << errbuf.data();
|
||||||
|
@ -416,9 +419,11 @@ int worker_process_event_loop(WorkerProcessConfig *wpconf) {
|
||||||
auto nb = conn_handler.get_neverbleed();
|
auto nb = conn_handler.get_neverbleed();
|
||||||
|
|
||||||
ev_child nb_childev;
|
ev_child nb_childev;
|
||||||
|
if (nb) {
|
||||||
ev_child_init(&nb_childev, nb_child_cb, nb->daemon_pid, 0);
|
ev_child_init(&nb_childev, nb_child_cb, nb->daemon_pid, 0);
|
||||||
nb_childev.data = nullptr;
|
nb_childev.data = nullptr;
|
||||||
ev_child_start(loop, &nb_childev);
|
ev_child_start(loop, &nb_childev);
|
||||||
|
}
|
||||||
|
|
||||||
#endif // HAVE_NEVERBLEED
|
#endif // HAVE_NEVERBLEED
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue