feature: proxy_ssl_certificate_by_lua directives

README.md

@@ -151,6 +151,8 @@ behavior.
 * [ssl_client_hello_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_client_hello_by_lua_file)
 * [ssl_certificate_by_lua_block](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_block)
 * [ssl_certificate_by_lua_file](https://github.com/openresty/lua-nginx-module#ssl_certificate_by_lua_file)
+* [proxy_ssl_certificate_by_lua_block](https://github.com/openresty/lua-nginx-module#proxy_ssl_certificate_by_lua_block)
+* [proxy_ssl_certificate_by_lua_file](https://github.com/openresty/lua-nginx-module#proxy_ssl_certificate_by_lua_file)
 * [proxy_ssl_verify_by_lua_block](https://github.com/openresty/lua-nginx-module#proxy_ssl_verify_by_lua_block)
 * [proxy_ssl_verify_by_lua_file](https://github.com/openresty/lua-nginx-module#proxy_ssl_verify_by_lua_file)
 * [lua_shared_dict](https://github.com/openresty/lua-nginx-module#lua_shared_dict)

config

@@ -278,6 +278,7 @@ STREAM_LUA_SRCS=" \
                 $ngx_addon_dir/src/ngx_stream_lua_semaphore.c \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.c \
+                $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_certby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_verifyby.c \
                 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.c \
                 $ngx_addon_dir/src/ngx_stream_lua_input_filters.c \
@@ -323,6 +324,7 @@ STREAM_LUA_DEPS=" \
                 $ngx_addon_dir/src/ngx_stream_lua_semaphore.h \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_client_helloby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_ssl_certby.h \
+                $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_certby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_proxy_ssl_verifyby.h \
                 $ngx_addon_dir/src/ngx_stream_lua_log_ringbuf.h \
                 $ngx_addon_dir/src/ngx_stream_lua_input_filters.h \

src/ngx_stream_lua_common.h

@@ -138,6 +138,7 @@
 
 #ifdef HAVE_PROXY_SSL_PATCH
 #define NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY                     0x0100
+#define NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT                       0x0200
 #endif
 
 
@@ -277,6 +278,10 @@ struct ngx_stream_lua_srv_conf_s {
 
 #ifdef HAVE_PROXY_SSL_PATCH
     struct {
+        ngx_stream_lua_srv_conf_handler_pt           proxy_ssl_cert_handler;
+        ngx_str_t                                    proxy_ssl_cert_src;
+        u_char                                      *proxy_ssl_cert_src_key;
+
         ngx_stream_lua_srv_conf_handler_pt           proxy_ssl_verify_handler;
         ngx_str_t                                    proxy_ssl_verify_src;
         u_char                                      *proxy_ssl_verify_src_key;

src/ngx_stream_lua_control.c

@@ -117,6 +117,7 @@ ngx_stream_lua_ffi_exit(ngx_stream_lua_request_t *r, int status, u_char *err,
         | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
         | NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
         | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
         | NGX_STREAM_LUA_CONTEXT_PREREAD,
@@ -127,6 +128,7 @@ ngx_stream_lua_ffi_exit(ngx_stream_lua_request_t *r, int status, u_char *err,
 
     if (ctx->context & (NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                        | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
                         | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                         | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO ))

src/ngx_stream_lua_coroutine.c

@@ -206,6 +206,7 @@ ngx_stream_lua_coroutine_resume(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
@@ -270,6 +271,7 @@ ngx_stream_lua_coroutine_yield(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD
@@ -433,6 +435,7 @@ ngx_stream_lua_coroutine_status(lua_State *L)
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CLIENT_HELLO
                                  | NGX_STREAM_LUA_CONTEXT_SSL_CERT
 #ifdef HAVE_PROXY_SSL_PATCH
+                                 | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT
                                  | NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY
 #endif
                                  | NGX_STREAM_LUA_CONTEXT_PREREAD

src/ngx_stream_lua_module.c

@@ -32,6 +32,7 @@
 #include "ngx_stream_lua_ssl_certby.h"
 
 #ifdef HAVE_PROXY_SSL_PATCH
+#include "ngx_stream_lua_proxy_ssl_certby.h"
 #include "ngx_stream_lua_proxy_ssl_verifyby.h"
 #endif
 
@@ -428,6 +429,20 @@ static ngx_command_t ngx_stream_lua_cmds[] = {
 
 #ifdef HAVE_PROXY_SSL_PATCH
     /* same context as proxy_pass directive */
+    { ngx_string("proxy_ssl_certificate_by_lua_block"),
+      NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
+      ngx_stream_lua_proxy_ssl_cert_by_lua_block,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_stream_lua_proxy_ssl_cert_handler_inline },
+
+    { ngx_string("proxy_ssl_certificate_by_lua_file"),
+      NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+      ngx_stream_lua_proxy_ssl_cert_by_lua,
+      NGX_STREAM_SRV_CONF_OFFSET,
+      0,
+      (void *) ngx_stream_lua_proxy_ssl_cert_handler_file },
+
     { ngx_string("proxy_ssl_verify_by_lua_block"),
       NGX_STREAM_SRV_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS,
       ngx_stream_lua_proxy_ssl_verify_by_lua_block,
@@ -855,6 +870,10 @@ ngx_stream_lua_create_srv_conf(ngx_conf_t *cf)
      *      lscf->srv.ssl_client_hello_src = { 0, NULL };
      *      lscf->srv.ssl_client_hello_src_key = NULL;
      *
+     *      lscf->ups.proxy_ssl_cert_handler = NULL;
+     *      lscf->ups.proxy_ssl_cert_src = { 0, NULL };
+     *      lscf->ups.proxy_ssl_cert_src_key = NULL;
+     *
      *      lscf->ups.proxy_ssl_verify_handler = NULL;
      *      lscf->ups.proxy_ssl_verify_src = { 0, NULL };
      *      lscf->ups.proxy_ssl_verify_src_key = NULL;
@@ -1038,6 +1057,18 @@ ngx_stream_lua_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 #endif
 
 #ifdef HAVE_PROXY_SSL_PATCH
+    if (conf->ups.proxy_ssl_cert_src.len == 0) {
+        conf->ups.proxy_ssl_cert_src = prev->ups.proxy_ssl_cert_src;
+        conf->ups.proxy_ssl_cert_handler = prev->ups.proxy_ssl_cert_handler;
+        conf->ups.proxy_ssl_cert_src_key = prev->ups.proxy_ssl_cert_src_key;
+    }
+
+    if (conf->ups.proxy_ssl_cert_src.len) {
+        if (ngx_stream_lua_proxy_ssl_cert_set_callback(cf) != NGX_OK) {
+            return NGX_CONF_ERROR;
+        }
+    }
+
     if (conf->ups.proxy_ssl_verify_src.len == 0) {
         conf->ups.proxy_ssl_verify_src = prev->ups.proxy_ssl_verify_src;
         conf->ups.proxy_ssl_verify_handler = prev->ups.proxy_ssl_verify_handler;

src/ngx_stream_lua_phase.c

@@ -67,6 +67,10 @@ ngx_stream_lua_ngx_get_phase(lua_State *L)
         break;
 
 #ifdef HAVE_PROXY_SSL_PATCH
+    case NGX_STREAM_LUA_CONTEXT_PROXY_SSL_CERT:
+        lua_pushliteral(L, "proxy_ssl_cert");
+        break;
+
     case NGX_STREAM_LUA_CONTEXT_PROXY_SSL_VERIFY:
         lua_pushliteral(L, "proxy_ssl_verify");
         break;