1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
|
local get_req_ssl, get_req_ssl_ctx
local get_socket_ssl, get_socket_ssl_ctx
local pok, nginx_c = pcall(require, "resty.openssl.auxiliary.nginx_c")
if pok and not os.getenv("CI_SKIP_NGINX_C") then
get_req_ssl = nginx_c.get_req_ssl
get_req_ssl_ctx = nginx_c.get_req_ssl_ctx
get_socket_ssl = nginx_c.get_socket_ssl
get_socket_ssl_ctx = nginx_c.get_socket_ssl
else
local ffi = require "ffi"
ffi.cdef [[
// Nginx seems to always config _FILE_OFFSET_BITS=64, this should always be 8 byte
typedef long long off_t;
typedef unsigned int socklen_t; // windows uses int, same size
typedef unsigned short in_port_t;
typedef struct ssl_st SSL;
typedef struct ssl_ctx_st SSL_CTX;
typedef long (*ngx_recv_pt)(void *c, void *buf, size_t size);
typedef long (*ngx_recv_chain_pt)(void *c, void *in,
off_t limit);
typedef long (*ngx_send_pt)(void *c, void *buf, size_t size);
typedef void *(*ngx_send_chain_pt)(void *c, void *in,
off_t limit);
typedef struct {
size_t len;
void *data;
} ngx_str_t;
typedef struct {
SSL *connection;
SSL_CTX *session_ctx;
// trimmed
} ngx_ssl_connection_s;
]]
local ngx_version = ngx.config.nginx_version
if ngx_version == 1017008 or ngx_version == 1019003 or ngx_version == 1019009
or ngx_version == 1021004 then
-- 1.17.8, 1.19.3, 1.19.9, 1.21.4
-- https://github.com/nginx/nginx/blob/master/src/core/ngx_connection.h
ffi.cdef [[
typedef struct {
ngx_str_t src_addr;
ngx_str_t dst_addr;
in_port_t src_port;
in_port_t dst_port;
} ngx_proxy_protocol_t;
typedef struct {
void *data;
void *read;
void *write;
int fd;
ngx_recv_pt recv;
ngx_send_pt send;
ngx_recv_chain_pt recv_chain;
ngx_send_chain_pt send_chain;
void *listening;
off_t sent;
void *log;
void *pool;
int type;
void *sockaddr;
socklen_t socklen;
ngx_str_t addr_text;
// https://github.com/nginx/nginx/commit/be932e81a1531a3ba032febad968fc2006c4fa48
ngx_proxy_protocol_t *proxy_protocol;
ngx_ssl_connection_s *ssl;
// trimmed
} ngx_connection_s;
]]
else
error("resty.openssl.auxiliary.nginx doesn't support Nginx version " .. ngx_version, 2)
end
ffi.cdef [[
typedef struct {
ngx_connection_s *connection;
// trimmed
} ngx_stream_lua_request_s;
typedef struct {
unsigned int signature; /* "HTTP" */
ngx_connection_s *connection;
// trimmed
} ngx_http_request_s;
]]
local get_request
do
local ok, exdata = pcall(require, "thread.exdata")
if ok and exdata then
function get_request()
local r = exdata()
if r ~= nil then
return r
end
end
else
local getfenv = getfenv
function get_request()
return getfenv(0).__ngx_req
end
end
end
local SOCKET_CTX_INDEX = 1
local NO_C_MODULE_WARNING_MSG_SHOWN = false
local NO_C_MODULE_WARNING_MSG = "note resty.openssl.auxiliary.nginx is using plain FFI " ..
"and it's only intended to be used in development, " ..
"consider using lua-resty-openssl.aux-module in production."
local function get_ngx_ssl_from_req()
if not NO_C_MODULE_WARNING_MSG_SHOWN then
ngx.log(ngx.WARN, NO_C_MODULE_WARNING_MSG)
NO_C_MODULE_WARNING_MSG_SHOWN = true
end
local c = get_request()
if ngx.config.subsystem == "stream" then
c = ffi.cast("ngx_stream_lua_request_s*", c)
else -- http
c = ffi.cast("ngx_http_request_s*", c)
end
local ngx_ssl = c.connection.ssl
if ngx_ssl == nil then
return nil, "c.connection.ssl is nil"
end
return ngx_ssl
end
get_req_ssl = function()
local ssl, err = get_ngx_ssl_from_req()
if err then
return nil, err
end
return ssl.connection
end
get_req_ssl_ctx = function()
local ssl, err = get_ngx_ssl_from_req()
if err then
return nil, err
end
return ssl.session_ctx
end
ffi.cdef[[
typedef struct ngx_http_lua_socket_tcp_upstream_s
ngx_http_lua_socket_tcp_upstream_t;
typedef struct {
ngx_connection_s *connection;
// trimmed
} ngx_peer_connection_s;
typedef
int (*ngx_http_lua_socket_tcp_retval_handler_masked)(void *r,
void *u, void *L);
typedef void (*ngx_http_lua_socket_tcp_upstream_handler_pt_masked)
(void *r, void *u);
typedef
int (*ngx_stream_lua_socket_tcp_retval_handler)(void *r,
void *u, void *L);
typedef void (*ngx_stream_lua_socket_tcp_upstream_handler_pt)
(void *r, void *u);
typedef struct {
ngx_stream_lua_socket_tcp_retval_handler read_prepare_retvals;
ngx_stream_lua_socket_tcp_retval_handler write_prepare_retvals;
ngx_stream_lua_socket_tcp_upstream_handler_pt read_event_handler;
ngx_stream_lua_socket_tcp_upstream_handler_pt write_event_handler;
void *socket_pool;
void *conf;
void *cleanup;
void *request;
ngx_peer_connection_s peer;
// trimmed
} ngx_stream_lua_socket_tcp_upstream_s;
]]
local ngx_lua_version = ngx.config and
ngx.config.ngx_lua_version and
ngx.config.ngx_lua_version
if ngx_lua_version >= 10019 and ngx_lua_version <= 10021 then
-- https://github.com/openresty/lua-nginx-module/blob/master/src/ngx_http_lua_socket_tcp.h
ffi.cdef[[
typedef struct {
ngx_http_lua_socket_tcp_retval_handler_masked read_prepare_retvals;
ngx_http_lua_socket_tcp_retval_handler_masked write_prepare_retvals;
ngx_http_lua_socket_tcp_upstream_handler_pt_masked read_event_handler;
ngx_http_lua_socket_tcp_upstream_handler_pt_masked write_event_handler;
void *udata_queue; // 0.10.19
void *socket_pool;
void *conf;
void *cleanup;
void *request;
ngx_peer_connection_s peer;
// trimmed
} ngx_http_lua_socket_tcp_upstream_s;
]]
elseif ngx_lua_version < 10019 then
-- the struct doesn't seem to get changed a long time since birth
ffi.cdef[[
typedef struct {
ngx_http_lua_socket_tcp_retval_handler_masked read_prepare_retvals;
ngx_http_lua_socket_tcp_retval_handler_masked write_prepare_retvals;
ngx_http_lua_socket_tcp_upstream_handler_pt_masked read_event_handler;
ngx_http_lua_socket_tcp_upstream_handler_pt_masked write_event_handler;
void *socket_pool;
void *conf;
void *cleanup;
void *request;
ngx_peer_connection_s peer;
// trimmed
} ngx_http_lua_socket_tcp_upstream_s;
]]
else
error("resty.openssl.auxiliary.nginx doesn't support lua-nginx-module version " .. (ngx_lua_version or "nil"), 2)
end
local function get_ngx_ssl_from_socket_ctx(sock)
if not NO_C_MODULE_WARNING_MSG_SHOWN then
ngx.log(ngx.WARN, NO_C_MODULE_WARNING_MSG)
NO_C_MODULE_WARNING_MSG_SHOWN = true
end
local u = sock[SOCKET_CTX_INDEX]
if u == nil then
return nil, "lua_socket_tcp_upstream_t not found"
end
if ngx.config.subsystem == "stream" then
u = ffi.cast("ngx_stream_lua_socket_tcp_upstream_s*", u)
else -- http
u = ffi.cast("ngx_http_lua_socket_tcp_upstream_s*", u)
end
local p = u.peer
if p == nil then
return nil, "u.peer is nil"
end
local uc = p.connection
if uc == nil then
return nil, "u.peer.connection is nil"
end
local ngx_ssl = uc.ssl
if ngx_ssl == nil then
return nil, "u.peer.connection.ssl is nil"
end
return ngx_ssl
end
get_socket_ssl = function(sock)
local ssl, err = get_ngx_ssl_from_socket_ctx(sock)
if err then
return nil, err
end
return ssl.connection
end
get_socket_ssl_ctx = function(sock)
local ssl, err = get_ngx_ssl_from_socket_ctx(sock)
if err then
return nil, err
end
return ssl.session_ctx
end
end
return {
get_req_ssl = get_req_ssl,
get_req_ssl_ctx = get_req_ssl_ctx,
get_socket_ssl = get_socket_ssl,
get_socket_ssl_ctx = get_socket_ssl_ctx,
}
|
