Merge pull request #4356 from aledbf/only-dynamic-mode

Only support SSL dynamic mode
2019-08-14 17:08:35 -07:00 · 2019-08-14 17:08:35 -07:00 · 0d690fba1a
commit 0d690fba1a
parent e5b766e8ed 80bd481abb
40 changed files with 415 additions and 709 deletions
--- a/rootfs/etc/nginx/lua/test/balancer_test.lua
+++ b/rootfs/etc/nginx/lua/test/balancer_test.lua
@ -33,7 +33,7 @@ local function reset_backends()
  backends = {
    {
      name = "access-router-production-web-80", port = "80", secure = false,
-      secureCACert = { secret = "", caFilename = "", pemSha = "" },
+      secureCACert = { secret = "", caFilename = "", caSha = "" },
      sslPassthrough = false,
      endpoints = {
        { address = "10.184.7.40", port = "8080", maxFails = 0, failTimeout = 0 },
@ -49,7 +49,7 @@ local function reset_backends()
      },
    },
    { name = "my-dummy-app-1", ["load-balance"] = "round_robin", },
-    { 
+    {
      name = "my-dummy-app-2", ["load-balance"] = "chash",
      upstreamHashByConfig = { ["upstream-hash-by"] = "$request_uri", },
    },
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@ -95,14 +95,12 @@ http {
        end
        {{ end }}

-        {{ if $all.EnableDynamicCertificates }}
        ok, res = pcall(require, "certificate")
        if not ok then
          error("require failed: " .. tostring(res))
        else
          certificate = res
        end
-        {{ end }}

        ok, res = pcall(require, "plugins")
        if not ok then
@ -382,6 +380,10 @@ http {

    ssl_ecdh_curve {{ $cfg.SSLECDHCurve }};

+    # PEM sha: {{ $cfg.DefaultSSLCertificate.PemSHA }}
+    ssl_certificate     {{ $cfg.DefaultSSLCertificate.PemFileName }};
+    ssl_certificate_key {{ $cfg.DefaultSSLCertificate.PemFileName }};
+
    {{ if gt (len $cfg.CustomHTTPErrors) 0 }}
    proxy_intercept_errors on;
    {{ end }}
@ -473,18 +475,9 @@ http {
        {{ buildHTTPListener  $all $redirect.From }}
        {{ buildHTTPSListener $all $redirect.From }}

-        {{ if not (empty $redirect.SSLCert.PemFileName) }}
-        {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
-        # PEM sha: {{ $redirect.SSLCert.PemSHA }}
-        ssl_certificate                         {{ $redirect.SSLCert.PemFileName }};
-        ssl_certificate_key                     {{ $redirect.SSLCert.PemFileName }};
-
-        {{ if $all.EnableDynamicCertificates}}
        ssl_certificate_by_lua_block {
            certificate.call()
        }
-        {{ end }}
-        {{ end }}

        {{ if gt (len $cfg.BlockUserAgents) 0 }}
        if ($block_ua) {
@ -746,7 +739,7 @@ stream {
            proxy_set_header       X-Request-ID       $req_id;
            proxy_set_header       Host               $best_http_host;

-            set $proxy_upstream_name {{ $upstreamName }};
+            set $proxy_upstream_name {{ $upstreamName | quote }};

            rewrite                (.*) / break;

@ -792,18 +785,9 @@ stream {

        set $proxy_upstream_name "-";

-        {{ if not (empty $server.SSLCert.PemFileName) }}
-        {{/* comment PEM sha is required to detect changes in the generated configuration and force a reload */}}
-        # PEM sha: {{ $server.SSLCert.PemSHA }}
-        ssl_certificate                         {{ $server.SSLCert.PemFileName }};
-        ssl_certificate_key                     {{ $server.SSLCert.PemFileName }};
-
-        {{ if $all.EnableDynamicCertificates}}
        ssl_certificate_by_lua_block {
            certificate.call()
        }
-        {{ end }}
-        {{ end }}

        {{ if not (empty $server.AuthTLSError) }}
        # {{ $server.AuthTLSError }}
@ -811,7 +795,7 @@ stream {
        {{ else }}

        {{ if not (empty $server.CertificateAuth.CAFileName) }}
-        # PEM sha: {{ $server.CertificateAuth.PemSHA }}
+        # PEM sha: {{ $server.CertificateAuth.CASHA }}
        ssl_client_certificate                  {{ $server.CertificateAuth.CAFileName }};
        ssl_verify_client                       {{ $server.CertificateAuth.VerifyClient }};
        ssl_verify_depth                        {{ $server.CertificateAuth.ValidationDepth }};
@ -1046,7 +1030,7 @@ stream {
                plugins.run()
            }

-            {{ if (and (not (empty $server.SSLCert.PemFileName)) $all.Cfg.HSTS) }}
+            {{ if (and $server.SSLCert $all.Cfg.HSTS) }}
            if ($scheme = https) {
            more_set_headers                        "Strict-Transport-Security: max-age={{ $all.Cfg.HSTSMaxAge }}{{ if $all.Cfg.HSTSIncludeSubdomains }}; includeSubDomains{{ end }}{{ if $all.Cfg.HSTSPreload }}; preload{{ end }}";
            }
@ -1067,12 +1051,12 @@ stream {
            port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};

            set $balancer_ewma_score -1;
-            set $proxy_upstream_name    {{ buildUpstreamName $location | quote }};
-            set $proxy_host             $proxy_upstream_name;
-            set $pass_access_scheme $scheme;
-            set $pass_server_port $server_port;
-            set $best_http_host $http_host;
-            set $pass_port $pass_server_port;
+            set $proxy_upstream_name {{ buildUpstreamName $location | quote }};
+            set $proxy_host          $proxy_upstream_name;
+            set $pass_access_scheme  $scheme;
+            set $pass_server_port    $server_port;
+            set $best_http_host      $http_host;
+            set $pass_port           $pass_server_port;

            set $proxy_alternative_upstream_name "";