[nginx] Upstream: fixed passwords usage for certificates with va...
Maxim Dounin
mdounin at mdounin.ru
Mon Apr 14 23:23:45 UTC 2025
details: http://freenginx.org/hg/nginx/rev/4f20c52c5f1b
branches:
changeset: 9343:4f20c52c5f1b
user: Maxim Dounin <mdounin at mdounin.ru>
date: Tue Apr 15 02:20:08 2025 +0300
description:
Upstream: fixed passwords usage for certificates with variables.
SSL certificate passwords are stored separately from the SSL context
created for SSL proxying, yet modified when the context is created
if certificates with variables are used (to ensure passwords will be
available at run time). Optimizations introduced in 8053:9d98d524bd02
(1.23.1) did not take this into account, and might end up using at run
time passwords which weren't preserved to be usable at run time, such as
in the following configuration:
server {
proxy_ssl_certificate $crt;
proxy_ssl_certificate_key $key;
proxy_ssl_password_file foo;
location /1/ {
proxy_pass https://u;
}
location /2/ {
proxy_pass https://u;
}
}
Fix is to preserve passwords if needed when using an inherited SSL
context.
diffstat:
src/http/modules/ngx_http_grpc_module.c | 13 +++++++++++++
src/http/modules/ngx_http_proxy_module.c | 13 +++++++++++++
src/http/modules/ngx_http_uwsgi_module.c | 13 +++++++++++++
3 files changed, 39 insertions(+), 0 deletions(-)
diffs (69 lines):
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4935,6 +4935,19 @@ ngx_http_grpc_set_ssl(ngx_conf_t *cf, ng
ngx_pool_cleanup_t *cln;
if (glcf->upstream.ssl->ctx) {
+
+ if (glcf->upstream.ssl_certificate
+ && glcf->upstream.ssl_certificate->value.len
+ && (glcf->upstream.ssl_certificate->lengths
+ || glcf->upstream.ssl_certificate_key->lengths))
+ {
+ glcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, glcf->upstream.ssl_passwords);
+ if (glcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+ }
+
return NGX_OK;
}
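Review bot: The added condition dereferences `glcf->upstream.ssl_certificate_key->lengths` without first checking that `ssl_certificate_key` is non-NULL, while the only place that presence is validated is the context-creation path, which lies outside this hunk. If the merge handler's inheritance condition guarantees that an inherited ctx was created from the same certificate and key pair this is safe, but that invariant is not visible here, so either extend the guard with `&& glcf->upstream.ssl_certificate_key` before the `->lengths` access, or record the assumption inline with `/* key presence was validated when the inherited ctx was created */`. The same block is repeated verbatim in the proxy and uwsgi hunks, and the "certificate with variables needs preserved passwords" test already exists on the creation path, so a shared helper taking the upstream conf would keep the copies from drifting. ngx_http_grpc_set_ssl continues outside the hunk.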
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -4987,6 +4987,19 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n
ngx_pool_cleanup_t *cln;
if (plcf->upstream.ssl->ctx) {
+
+ if (plcf->upstream.ssl_certificate
+ && plcf->upstream.ssl_certificate->value.len
+ && (plcf->upstream.ssl_certificate->lengths
+ || plcf->upstream.ssl_certificate_key->lengths))
+ {
+ plcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, plcf->upstream.ssl_passwords);
+ if (plcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+ }
+
return NGX_OK;
}
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2519,6 +2519,19 @@ ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, n
ngx_pool_cleanup_t *cln;
if (uwcf->upstream.ssl->ctx) {
+
+ if (uwcf->upstream.ssl_certificate
+ && uwcf->upstream.ssl_certificate->value.len
+ && (uwcf->upstream.ssl_certificate->lengths
+ || uwcf->upstream.ssl_certificate_key->lengths))
+ {
+ uwcf->upstream.ssl_passwords =
+ ngx_ssl_preserve_passwords(cf, uwcf->upstream.ssl_passwords);
+ if (uwcf->upstream.ssl_passwords == NULL) {
+ return NGX_ERROR;
+ }
+ }
+
return NGX_OK;
}