[PATCH 2 of 2] Upstream: fixed SSL certificate password prompt in complex configs
Maxim Dounin
mdounin at mdounin.ru
Sun Apr 13 02:16:48 UTC 2025
# HG changeset patch
# User Maxim Dounin <mdounin at mdounin.ru>
# Date 1744509743 -10800
# Sun Apr 13 05:02:23 2025 +0300
# Node ID 0a8083b7093e88a56b6b06d534b52c367728d005
# Parent d154c555af30dc07a5a5d9bffa559fb1be0da019
Upstream: fixed SSL certificate password prompt in complex configs.
Variables support in certificates introduced in 7833:3ab8e1e2f0f7 (1.21.0)
inadvertently broke password prompt for static SSL certificates, such
as in the following configuration:
location / {
proxy_ssl_certificate $foo.crt;
proxy_ssl_certificate_key $foo.key;
proxy_pass https://u;
location /static/ {
proxy_ssl_certificate static.crt;
proxy_ssl_certificate_key static.key;
proxy_pass https://u;
}
}
Fix is to restore the conf->ssl_passwords field, as previously used for
initial password reading and configuration inheritance, and to use the
conf->upstream.ssl_passwords field only for passwords preserved for
run-time usage.
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -37,6 +37,7 @@ typedef struct {
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_grpc_loc_conf_t;
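Review bot: The new `ssl_passwords` member is added right next to a struct that also carries `upstream.ssl_passwords`, and nothing in the declaration says which one holds what; the split is only explained in the commit message. A one-line comment on the added field would spare the next reader a trip through ngx_http_grpc_set_ssl: `ngx_array_t *ssl_passwords; /* as read from grpc_ssl_password_file; upstream.ssl_passwords is the copy preserved for run time */`. The struct is what people read first when they meet the two fields, so this is where the distinction should live.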
@@ -4383,7 +4384,7 @@ ngx_http_grpc_create_loc_conf(ngx_conf_t
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
- conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
@@ -4496,8 +4497,8 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t
prev->upstream.ssl_certificate, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
prev->upstream.ssl_certificate_key, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_passwords,
+ prev->ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
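Review bot: A nested location that sets no SSL directive of its own, and therefore takes the all-unset path in ngx_http_grpc_merge_ssl and shares the parent's `upstream.ssl`, no longer inherits the parent's preserved password array, because this hunk replaces the merge of `upstream.ssl_passwords` with a merge of `ssl_passwords` and the create_loc_conf hunk drops the field's NGX_CONF_UNSET_PTR initialisation. Such a location still inherits a variable-based `upstream.ssl_certificate`, while its `upstream.ssl_passwords` presumably stays NULL from allocation; if ngx_http_grpc_set_ssl returns early for an already-initialised shared context (its start is outside this diff, so this is inferred), the run-time certificate load would then proceed without passwords, a regression for encrypted keys configured via grpc_ssl_password_file at server level with grpc_pass in a plain location. Keeping `conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;` in create_loc_conf and adding `ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, prev->upstream.ssl_passwords, NULL);` next to the new merge would restore the previous inheritance without affecting the static-certificate fix, since ngx_ssl_certificate now reads `ssl_passwords`. ngx_http_grpc_merge_loc_conf continues on both sides of this hunk.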
@@ -4853,15 +4854,15 @@ ngx_http_grpc_ssl_password_file(ngx_conf
ngx_str_t *value;
- if (glcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (glcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
return "is duplicate";
}
value = cf->args->elts;
- glcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
-
- if (glcf->upstream.ssl_passwords == NULL) {
+ glcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+ if (glcf->ssl_passwords == NULL) {
return NGX_CONF_ERROR;
}
@@ -4890,7 +4891,7 @@ ngx_http_grpc_merge_ssl(ngx_conf_t *cf,
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
- && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+ && conf->ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
@@ -4942,7 +4943,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
|| glcf->upstream.ssl_certificate_key->lengths))
{
glcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, glcf->ssl_passwords);
if (glcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
@@ -4987,7 +4988,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
|| glcf->upstream.ssl_certificate_key->lengths)
{
glcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, glcf->ssl_passwords);
if (glcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
@@ -4996,7 +4997,7 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
if (ngx_ssl_certificate(cf, glcf->upstream.ssl,
&glcf->upstream.ssl_certificate->value,
&glcf->upstream.ssl_certificate_key->value,
- glcf->upstream.ssl_passwords)
+ glcf->ssl_passwords)
!= NGX_OK)
{
return NGX_ERROR;
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -124,6 +124,7 @@ typedef struct {
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_proxy_loc_conf_t;
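Review bot: The added `ssl_passwords` field has no comment distinguishing it from `upstream.ssl_passwords`, which the same struct still carries through its embedded upstream conf, so a reader has to reconstruct the config-time versus run-time split from ngx_http_proxy_set_ssl. Suggest annotating the new line: `ngx_array_t *ssl_passwords; /* as read from proxy_ssl_password_file; upstream.ssl_passwords is the copy preserved for run time */`. That mirrors what the commit message says and keeps the two fields from being mistaken for duplicates.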
@@ -3410,7 +3411,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_
conf->upstream.ssl_verify = NGX_CONF_UNSET;
conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
- conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
@@ -3760,8 +3761,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t
prev->upstream.ssl_certificate, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
prev->upstream.ssl_certificate_key, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_passwords,
+ prev->ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
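Review bot: Dropping the merge of `upstream.ssl_passwords` here, together with its NGX_CONF_UNSET_PTR initialisation in the create_loc_conf hunk, leaves a child location that shares the parent's `upstream.ssl` (the all-unset case checked in ngx_http_proxy_merge_ssl) with `upstream.ssl_passwords` presumably NULL while it still inherits the parent's variable-based `upstream.ssl_certificate`. The preserved array is only assigned inside ngx_http_proxy_set_ssl, and if that function returns early for a shared, already-created context — not visible in this diff, so inferred — the common layout of `proxy_ssl_certificate $var` plus `proxy_ssl_password_file` at server level with `proxy_pass` in a location would load the key at run time without passwords. Restoring `conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;` in create_loc_conf and re-adding `ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, prev->upstream.ssl_passwords, NULL);` beside the new merge keeps the old inheritance and does not interfere with the static-certificate case, which now reads `ssl_passwords`. ngx_http_proxy_merge_loc_conf starts and ends outside this hunk.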
@@ -4872,15 +4873,15 @@ ngx_http_proxy_ssl_password_file(ngx_con
ngx_str_t *value;
- if (plcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (plcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
return "is duplicate";
}
value = cf->args->elts;
- plcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
-
- if (plcf->upstream.ssl_passwords == NULL) {
+ plcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+ if (plcf->ssl_passwords == NULL) {
return NGX_CONF_ERROR;
}
@@ -4942,7 +4943,7 @@ ngx_http_proxy_merge_ssl(ngx_conf_t *cf,
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
- && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+ && conf->ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
@@ -4994,7 +4995,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
|| plcf->upstream.ssl_certificate_key->lengths))
{
plcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, plcf->ssl_passwords);
if (plcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
@@ -5039,7 +5040,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
|| plcf->upstream.ssl_certificate_key->lengths)
{
plcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, plcf->ssl_passwords);
if (plcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
@@ -5048,7 +5049,7 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
if (ngx_ssl_certificate(cf, plcf->upstream.ssl,
&plcf->upstream.ssl_certificate->value,
&plcf->upstream.ssl_certificate_key->value,
- plcf->upstream.ssl_passwords)
+ plcf->ssl_passwords)
!= NGX_OK)
{
return NGX_ERROR;
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -54,6 +54,7 @@ typedef struct {
ngx_uint_t ssl_verify_depth;
ngx_str_t ssl_trusted_certificate;
ngx_str_t ssl_crl;
+ ngx_array_t *ssl_passwords;
ngx_array_t *ssl_conf_commands;
#endif
} ngx_http_uwsgi_loc_conf_t;
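Review bot: The new `ssl_passwords` member lacks a comment saying how it differs from `upstream.ssl_passwords`, which this struct also reaches through its upstream conf, so the two look like duplicates at the declaration site. Suggest `ngx_array_t *ssl_passwords; /* as read from uwsgi_ssl_password_file; upstream.ssl_passwords is the copy preserved for run time */` on the added line. The same wording on the grpc and proxy structs would keep the three modules consistent.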
@@ -1568,7 +1569,7 @@ ngx_http_uwsgi_create_loc_conf(ngx_conf_
conf->ssl_verify_depth = NGX_CONF_UNSET_UINT;
conf->upstream.ssl_certificate = NGX_CONF_UNSET_PTR;
conf->upstream.ssl_certificate_key = NGX_CONF_UNSET_PTR;
- conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;
+ conf->ssl_passwords = NGX_CONF_UNSET_PTR;
conf->ssl_conf_commands = NGX_CONF_UNSET_PTR;
#endif
@@ -1901,8 +1902,8 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t
prev->upstream.ssl_certificate, NULL);
ngx_conf_merge_ptr_value(conf->upstream.ssl_certificate_key,
prev->upstream.ssl_certificate_key, NULL);
- ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords,
- prev->upstream.ssl_passwords, NULL);
+ ngx_conf_merge_ptr_value(conf->ssl_passwords,
+ prev->ssl_passwords, NULL);
ngx_conf_merge_ptr_value(conf->ssl_conf_commands,
prev->ssl_conf_commands, NULL);
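Review bot: With this hunk no longer merging `upstream.ssl_passwords` from prev, and the create_loc_conf hunk no longer initialising it to NGX_CONF_UNSET_PTR, a nested location without SSL directives that shares the parent's `upstream.ssl` via ngx_http_uwsgi_merge_ssl keeps whatever allocation left in `upstream.ssl_passwords` — presumably NULL — even though it inherits a variable-based `upstream.ssl_certificate`. Unless ngx_http_uwsgi_set_ssl re-runs the preserve step for a shared context (its beginning is outside this diff, so this is inferred rather than observed), an encrypted key configured through uwsgi_ssl_password_file above such a location would be loaded at run time with no passwords, which the pre-patch merge of `upstream.ssl_passwords` avoided. Keeping `conf->upstream.ssl_passwords = NGX_CONF_UNSET_PTR;` in create_loc_conf and adding `ngx_conf_merge_ptr_value(conf->upstream.ssl_passwords, prev->upstream.ssl_passwords, NULL);` alongside the new `ssl_passwords` merge would close that gap while leaving the static-certificate fix intact. ngx_http_uwsgi_merge_loc_conf continues outside this hunk.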
@@ -2437,15 +2438,15 @@ ngx_http_uwsgi_ssl_password_file(ngx_con
ngx_str_t *value;
- if (uwcf->upstream.ssl_passwords != NGX_CONF_UNSET_PTR) {
+ if (uwcf->ssl_passwords != NGX_CONF_UNSET_PTR) {
return "is duplicate";
}
value = cf->args->elts;
- uwcf->upstream.ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
-
- if (uwcf->upstream.ssl_passwords == NULL) {
+ uwcf->ssl_passwords = ngx_ssl_read_password_file(cf, &value[1]);
+
+ if (uwcf->ssl_passwords == NULL) {
return NGX_CONF_ERROR;
}
@@ -2474,7 +2475,7 @@ ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf,
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
- && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
+ && conf->ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
@@ -2526,7 +2527,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
|| uwcf->upstream.ssl_certificate_key->lengths))
{
uwcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, uwcf->ssl_passwords);
if (uwcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
@@ -2571,7 +2572,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
|| uwcf->upstream.ssl_certificate_key->lengths)
{
uwcf->upstream.ssl_passwords =
- ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
+ ngx_ssl_preserve_passwords(cf, uwcf->ssl_passwords);
if (uwcf->upstream.ssl_passwords == NULL) {
return NGX_ERROR;
}
@@ -2580,7 +2581,7 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
if (ngx_ssl_certificate(cf, uwcf->upstream.ssl,
&uwcf->upstream.ssl_certificate->value,
&uwcf->upstream.ssl_certificate_key->value,
- uwcf->upstream.ssl_passwords)
+ uwcf->ssl_passwords)
!= NGX_OK)
{
return NGX_ERROR;