From abd5e202ca141988f73af226cc5ce2cc29909556 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 11 Sep 2024 12:38:24 +0800 Subject: [PATCH 1/4] feat(patch): support dynamic disable http2 alpn in ssl client hello phase --- ...x_lua-0.10.26_01-ssl-disable-h2-alpn.patch | 101 ++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch diff --git a/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch b/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch new file mode 100644 index 000000000000..8ef2fa3aa71a --- /dev/null +++ b/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch 
@@ -0,0 +1,101 @@ +diff --git a/bundle/nginx-1.25.3/src/http/ngx_http_request.c b/bundle/nginx-1.25.3/src/http/ngx_http_request.c +index bd2be5e..2084ecd 100644 +--- a/bundle/nginx-1.25.3/src/http/ngx_http_request.c ++++ b/bundle/nginx-1.25.3/src/http/ngx_http_request.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + + static void ngx_http_wait_request_handler(ngx_event_t *ev); +@@ -837,7 +838,7 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c) + + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + +- if (h2scf->enable || hc->addr_conf->http2) { ++ if ((h2scf->enable || hc->addr_conf->http2) && ngx_http_lua_get_ssl_disable_http2(c->ssl)) { + + SSL_get0_alpn_selected(c->ssl->connection, &data, &len); + +diff --git a/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h b/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h +index 193c44e..fec6d61 100644 +--- a/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h ++++ b/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h +@@ -70,6 +70,7 @@ void ngx_http_lua_co_ctx_resume_helper(ngx_http_lua_co_ctx_t *coctx, int nrets); + + int ngx_http_lua_get_lua_http10_buffering(ngx_http_request_t *r); + ++unsigned ngx_http_lua_get_ssl_disable_http2(ngx_ssl_connection_t *ssl); + + #endif /* _NGX_HTTP_LUA_API_H_INCLUDED_ */ + +diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c +index 0d3ec9c..fe030c5 100644 +--- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c ++++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c +@@ -340,5 +340,14 @@ ngx_http_lua_get_lua_http10_buffering(ngx_http_request_t *r) + return llcf->http10_buffering; + } + ++unsigned ngx_http_lua_get_ssl_disable_http2(ngx_ssl_connection_t *ssl) ++{ ++ ngx_http_lua_assert(ssl->connection); ++ ngx_http_lua_ssl_ctx_t *cctx; ++ ++ cctx = ngx_http_lua_ssl_get_ctx(ssl->connection); ++ ngx_http_lua_assert(cctx); ++ return cctx->disable_http2; ++} + + /* vi:set ft=c ts=4 sw=4 et fdm=marker: */ 
+diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h +index 3d577c6..e1b1583 100644 +--- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h ++++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h +@@ -38,6 +38,7 @@ typedef struct { + unsigned entered_client_hello_handler:1; + unsigned entered_cert_handler:1; + unsigned entered_sess_fetch_handler:1; ++ unsigned disable_http2:1; + } ngx_http_lua_ssl_ctx_t; + + +diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c +index 03ac430..cc3e30f 100644 +--- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c ++++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c +@@ -713,4 +713,32 @@ ngx_http_lua_ffi_ssl_set_protocols(ngx_http_request_t *r, + return NGX_OK; + } + ++int ++ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r, char **err) ++{ ++ ngx_ssl_conn_t *ssl_conn; ++ ngx_http_lua_ssl_ctx_t *cctx; ++ ++ if (r->connection == NULL || r->connection->ssl == NULL) { ++ *err = "bad request"; ++ return NGX_ERROR; ++ } ++ ++ ssl_conn = r->connection->ssl->connection; ++ if (ssl_conn == NULL) { ++ *err = "bad ssl conn"; ++ return NGX_ERROR; ++ } ++ ++ cctx = ngx_http_lua_ssl_get_ctx(ssl_conn); ++ if (cctx == NULL) { ++ *err = "bad lua context"; ++ return NGX_ERROR; ++ } ++ ++ cctx->disable_http2 = 1; ++ ++ return NGX_OK; ++} ++ + #endif /* NGX_HTTP_SSL */ From 94c33c987b6b65908f3ede11a6a38e5028dd4cf0 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Wed, 11 Sep 2024 18:03:47 +0800 Subject: [PATCH 2/4] fix: add test for disable http2 patch --- ...x_lua-0.10.26_01-ssl-disable-h2-alpn.patch | 62 +++++++++++++ t/04-patch/04-ngx-ssl-disable-http2-alpn.t | 89 +++++++++++++++++++ 2 files changed, 151 insertions(+) create mode 100644 t/04-patch/04-ngx-ssl-disable-http2-alpn.t 
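Review bot: In `ngx_http_lua_get_ssl_disable_http2` the declaration `ngx_http_lua_ssl_ctx_t *cctx;` comes after the `ngx_http_lua_assert(ssl->connection);` statement; nginx and ngx_lua keep every declaration at the top of the block, so declare `cctx` first, add a blank line, and then run the assert. The same getter also disagrees with the FFI setter added to `ngx_http_lua_ssl_client_helloby.c` in this hunk about what a missing context means: the setter returns `"bad lua context"` when `ngx_http_lua_ssl_get_ctx` yields NULL, while the getter only asserts on it and then reads `cctx->disable_http2`. Decide once whether a NULL context is an error or simply "not disabled" and make both paths follow it; the getter is the one that runs on the nginx side for every handshake, so it should not rely on an assert.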
diff --git a/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch b/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch
index 8ef2fa3aa71a..2e9307f44a5e 100644
--- a/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch
+++ b/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch
@@ -1,3 +1,65 @@ +diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua b/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua +index 8792be0..f4e4832 100644 +--- a/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua ++++ b/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua +@@ -18,6 +18,7 @@ local get_size_ptr = base.get_size_ptr + local FFI_DECLINED = base.FFI_DECLINED + local FFI_OK = base.FFI_OK + local subsystem = ngx.config.subsystem ++local get_phase = ngx.get_phase + + + local ngx_lua_ffi_ssl_set_der_certificate +@@ -37,7 +38,7 @@ local ngx_lua_ffi_set_priv_key + local ngx_lua_ffi_free_cert + local ngx_lua_ffi_free_priv_key + local ngx_lua_ffi_ssl_verify_client +- ++local ngx_lua_ffi_disable_http2 + + if subsystem == 'http' then + ffi.cdef[[ +@@ -87,6 +88,7 @@ if subsystem == 'http' then + + int ngx_http_lua_ffi_ssl_verify_client(void *r, + void *cdata, int depth, char **err); ++ int ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r); + ]] + + ngx_lua_ffi_ssl_set_der_certificate = +@@ -108,6 +110,7 @@ if subsystem == 'http' then + ngx_lua_ffi_free_cert = C.ngx_http_lua_ffi_free_cert + ngx_lua_ffi_free_priv_key = C.ngx_http_lua_ffi_free_priv_key + ngx_lua_ffi_ssl_verify_client = C.ngx_http_lua_ffi_ssl_verify_client ++ ngx_lua_ffi_disable_http2 = C.ngx_http_lua_ffi_ssl_disable_http2 + + elseif subsystem == 'stream' then + ffi.cdef[[ +@@ -436,6 +439,24 @@ function _M.verify_client(ca_certs, depth) + end + + ++function _M.disable_http2() ++ if get_phase() ~= "ssl_client_hello" then ++ error("API disabled in the current context") ++ end ++ ++ local r = get_request() ++ if not r then ++ error("no request found") ++ end ++ local rc = ngx_lua_ffi_disable_http2(r) ++ if rc == FFI_OK then ++ return true ++ end ++ ++ return false ++end ++ ++ + do + _M.SSL3_VERSION = 0x0300 + _M.TLS1_VERSION = 0x0301 diff --git a/bundle/nginx-1.25.3/src/http/ngx_http_request.c b/bundle/nginx-1.25.3/src/http/ngx_http_request.c index bd2be5e..2084ecd 100644 
--- a/bundle/nginx-1.25.3/src/http/ngx_http_request.c
diff --git a/t/04-patch/04-ngx-ssl-disable-http2-alpn.t b/t/04-patch/04-ngx-ssl-disable-http2-alpn.t
new file mode 100644
index 000000000000..6f8e164de461
--- /dev/null
+++ b/t/04-patch/04-ngx-ssl-disable-http2-alpn.t
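Review bot: `_M.disable_http2` in ssl.lua returns a bare `false` on failure, whereas the other failing paths in this module (for example `verify_client` just above it) return `nil, err`, so a caller written as `local ok, err = ssl.disable_http2()` never receives a reason; return `nil, ffi_str(errmsg[0])` on the `rc ~= FFI_OK` path and pass `errmsg` to the FFI call. That in turn requires the cdef to match the C side: this hunk declares `int ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r);` while the C function in the first patch takes `(ngx_http_request_t *r, char **err)`, so LuaJIT would call it with one argument and the C code would write `*err` through whatever happened to be in that register. The third patch in this series adds the `char **err` parameter to the cdef; the return convention is still `false, err` there.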
@@ -0,0 +1,89 @@ +# vim:set ft= ts=4 sw=4 et: + +use Test::Nginx::Socket::Lua; +use Cwd qw(cwd); + +repeat_each(2); + +plan tests => repeat_each() * (blocks() * 7 - 1); + +my $pwd = cwd(); + +$ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); + +log_level('debug'); +no_long_string(); +#no_diff(); + +run_tests(); + +__DATA__ + +=== TEST 1: disable http2 can not failed +--- http_config + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + server_name konghq.com; + ssl_certificate ../../certs/test.crt; + ssl_certificate_key ../../certs/test.key; + ssl_session_cache off; + ssl_session_tickets on; + server_tokens off; + ssl_client_hello_by_lua_block { + local ssl = require "ngx.ssl" + local ok, err = ssl.disable_http2() + if not ok then + ngx.log(ngx.ERR, "failed to disable http2") + end + } + location /foo { + default_type 'text/plain'; + content_by_lua_block {ngx.exit(200)} + more_clear_headers Date; + } + } +--- config + server_tokens off; + location /t { + content_by_lua_block { + local sock = ngx.socket.tcp() + local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") + if not ok then + ngx.say("failed to connect: ", err) + return + end + local session + session, err = sock:sslhandshake(session, "konghq.com") + if not session then + ngx.say("failed to do SSL handshake: ", err) + return + end + local req = "GET /foo HTTP/1.1\r\nHost: konghq.com\r\nConnection: close\r\n\r\n" + local bytes, err = sock:send(req) + if not bytes then + ngx.say("failed to send http request: ", err) + return + end + local line, err = sock:receive() + if not line then + ngx.say("failed to receive response status line: ", err) + return + end + ngx.say("received: ", line) + local ok, err = sock:close() + if not ok then + ngx.say("failed to close: ", err) + return + end + } + } +--- request +GET /t +--- response_body +received: HTTP/1.1 200 OK +--- no_error_log +[error] +[alert] +[warn] +[crit] \ No newline at end of file 
From 3ffb167ff4655cceb901fc9d33e59810a6133ec0 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Tue, 24 Sep 2024 17:29:46 +0800 Subject: [PATCH 3/4] chore: fix code --- ...x_lua-0.10.26_01-ssl-disable-h2-alpn.patch | 43 +++++-- t/04-patch/04-ngx-ssl-disable-http2-alpn.t | 107 ++++++++++++++---- 2 files changed, 117 insertions(+), 33 deletions(-) diff --git a/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch b/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch index 2e9307f44a5e..4f72afe3bcbe 100644 --- a/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch +++ b/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch @@ -1,5 +1,5 @@ diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua b/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua -index 8792be0..f4e4832 100644 +index 8792be0..39279aa 100644 --- a/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua +++ b/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua @@ -18,6 +18,7 @@ local get_size_ptr = base.get_size_ptr @@ -23,7 +23,7 @@ index 8792be0..f4e4832 100644 int ngx_http_lua_ffi_ssl_verify_client(void *r, void *cdata, int depth, char **err); -+ int ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r); ++ int ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r, char **err); ]] ngx_lua_ffi_ssl_set_der_certificate = @@ -35,7 +35,7 @@ index 8792be0..f4e4832 100644 elseif subsystem == 'stream' then ffi.cdef[[ -@@ -436,6 +439,24 @@ function _M.verify_client(ca_certs, depth) +@@ -436,6 +439,25 @@ function _M.verify_client(ca_certs, depth) end 
@@ -48,20 +48,42 @@ index 8792be0..f4e4832 100644 + if not r then + error("no request found") + end -+ local rc = ngx_lua_ffi_disable_http2(r) ++ ++ local rc = ngx_lua_ffi_disable_http2(r, errmsg) + if rc == FFI_OK then + return true + end + -+ return false ++ return false, ffi_str(errmsg[0]) +end + + do _M.SSL3_VERSION = 0x0300 _M.TLS1_VERSION = 0x0301 +diff --git a/bundle/nginx-1.25.3/src/http/modules/ngx_http_ssl_module.c b/bundle/nginx-1.25.3/src/http/modules/ngx_http_ssl_module.c +index 1c92d9f..e9094c5 100644 +--- a/bundle/nginx-1.25.3/src/http/modules/ngx_http_ssl_module.c ++++ b/bundle/nginx-1.25.3/src/http/modules/ngx_http_ssl_module.c +@@ -8,6 +8,7 @@ + #include + #include + #include ++#include + + #if (NGX_QUIC_OPENSSL_COMPAT) + #include +@@ -474,7 +475,7 @@ ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, const unsigned char **out, + #if (NGX_HTTP_V2) + h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); + +- if (h2scf->enable || hc->addr_conf->http2) { ++ if ((h2scf->enable || hc->addr_conf->http2) && !ngx_http_lua_get_ssl_disable_http2(c->ssl)) { + srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS; + srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1; + diff --git a/bundle/nginx-1.25.3/src/http/ngx_http_request.c b/bundle/nginx-1.25.3/src/http/ngx_http_request.c -index bd2be5e..2084ecd 100644 +index bd2be5e..9492551 100644 --- a/bundle/nginx-1.25.3/src/http/ngx_http_request.c +++ b/bundle/nginx-1.25.3/src/http/ngx_http_request.c @@ -8,6 +8,7 @@ @@ -77,7 +99,7 @@ index bd2be5e..2084ecd 100644 h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); - if (h2scf->enable || hc->addr_conf->http2) { -+ if ((h2scf->enable || hc->addr_conf->http2) && ngx_http_lua_get_ssl_disable_http2(c->ssl)) { ++ if ((h2scf->enable || hc->addr_conf->http2) && !ngx_http_lua_get_ssl_disable_http2(c->ssl)) { SSL_get0_alpn_selected(c->ssl->connection, &data, &len); 
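Review bot: The rewritten condition in `ngx_http_ssl_alpn_select` runs well past nginx's 80-column limit on one line; split it the way nginx does, `if ((h2scf->enable || hc->addr_conf->http2)` / `    && !ngx_http_lua_get_ssl_disable_http2(c->ssl))` / `{`, with the brace on its own line. The new `#include` of the ngx_lua API header in core `ngx_http_ssl_module.c` (and in `ngx_http_request.c` in the same hunk) makes nginx core call a symbol defined in ngx_lua, which presumably only links when ngx_lua is compiled in statically as this bundle does; a one-line comment above the include saying that this patched core requires the static ngx_lua build would save the next person a confusing link error. Note that `ngx_http_ssl_alpn_select` is invoked by OpenSSL for every ClientHello that carries ALPN, before any Lua phase has necessarily run, so the getter it now calls must cope with connections on which no Lua SSL context exists.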
@@ -125,10 +147,10 @@ index 3d577c6..e1b1583 100644 diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c -index 03ac430..cc3e30f 100644 +index 03ac430..fe125a2 100644 --- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c +++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c -@@ -713,4 +713,32 @@ ngx_http_lua_ffi_ssl_set_protocols(ngx_http_request_t *r, +@@ -713,4 +713,33 @@ ngx_http_lua_ffi_ssl_set_protocols(ngx_http_request_t *r, return NGX_OK; } @@ -154,7 +176,8 @@ index 03ac430..cc3e30f 100644 + *err = "bad lua context"; + return NGX_ERROR; + } -+ ++ ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, ++ "lua ssl disable http2"); + cctx->disable_http2 = 1; + + return NGX_OK; diff --git a/t/04-patch/04-ngx-ssl-disable-http2-alpn.t b/t/04-patch/04-ngx-ssl-disable-http2-alpn.t index 6f8e164de461..f5bf2c335812 100644 --- a/t/04-patch/04-ngx-ssl-disable-http2-alpn.t +++ b/t/04-patch/04-ngx-ssl-disable-http2-alpn.t @@ -5,13 +5,13 @@ use Cwd qw(cwd); repeat_each(2); -plan tests => repeat_each() * (blocks() * 7 - 1); +plan tests => repeat_each() * (blocks() * 7 - 2); my $pwd = cwd(); $ENV{TEST_NGINX_HTML_DIR} ||= html_dir(); -log_level('debug'); +log_level('info'); no_long_string(); #no_diff(); @@ -19,17 +19,19 @@ run_tests(); __DATA__ -=== TEST 1: disable http2 can not failed +=== TEST 1: normal http2 alpn --- http_config server { listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + listen 60000 ssl; server_name konghq.com; ssl_certificate ../../certs/test.crt; ssl_certificate_key ../../certs/test.key; ssl_session_cache off; ssl_session_tickets on; server_tokens off; + http2 on; ssl_client_hello_by_lua_block { local ssl = require "ngx.ssl" local ok, err = ssl.disable_http2() 
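Review bot: The `ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, "lua ssl disable http2");` added to `ngx_http_lua_ffi_ssl_disable_http2` emits one log line per TLS handshake on every server that calls the API, at a level production configurations usually keep enabled; ngx_lua's other SSL FFI helpers (not visible in this hunk, as far as I recall) trace with `ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "...")`, and that is the right level here. The message also describes something narrower than it says: the flag only removes `h2` from the ALPN offer, so `"lua ssl disable http2 alpn"` is the accurate wording. A blank line between the closing `}` of the context check and the log call would match the spacing used by the rest of the function.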
@@ -47,33 +49,92 @@ __DATA__ server_tokens off; location /t { content_by_lua_block { - local sock = ngx.socket.tcp() - local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock") - if not ok then - ngx.say("failed to connect: ", err) + local ngx_pipe = require "ngx.pipe" + local proc = ngx_pipe.spawn({'curl', '-vk', '--resolve', 'konghq.com:60000:127.0.0.1', 'https://konghq.com:60000'}) + local stdout_data, err = proc:stdout_read_all() + if not stdout_data then + ngx.say(err) return end - local session - session, err = sock:sslhandshake(session, "konghq.com") - if not session then - ngx.say("failed to do SSL handshake: ", err) + + local stderr_data, err = proc:stderr_read_all() + if not stderr_data then + ngx.say(err) return end - local req = "GET /foo HTTP/1.1\r\nHost: konghq.com\r\nConnection: close\r\n\r\n" - local bytes, err = sock:send(req) - if not bytes then - ngx.say("failed to send http request: ", err) + + if string.find(stdout_data, "ALPN: server accepted h2") ~= nil then + ngx.say("alpn server accepted h2") return end - local line, err = sock:receive() - if not line then - ngx.say("failed to receive response status line: ", err) + + if string.find(stderr_data, "ALPN: server accepted http/1.1") ~= nil then + ngx.say("alpn server accepted http/1.1") return end - ngx.say("received: ", line) - local ok, err = sock:close() + } + } +--- request +GET /t +--- response_body +alpn server accepted http/1.1 +--- no_error_log +[error] +[alert] +[warn] +[crit] + +=== TEST 2: disable http2 alpn +--- http_config + + server { + listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl; + listen 60000 ssl; + server_name konghq.com; + ssl_certificate ../../certs/test.crt; + ssl_certificate_key ../../certs/test.key; + ssl_session_cache off; + ssl_session_tickets on; + server_tokens off; + http2 on; + ssl_client_hello_by_lua_block { + local ssl = require "ngx.ssl" + local ok, err = ssl.disable_http2() if not ok then - ngx.say("failed to close: ", err) + ngx.log(ngx.ERR, 
"failed to disable http2") + end + } + location /foo { + default_type 'text/plain'; + content_by_lua_block {ngx.exit(200)} + more_clear_headers Date; + } + } +--- config + server_tokens off; + location /t { + content_by_lua_block { + local ngx_pipe = require "ngx.pipe" + local proc = ngx_pipe.spawn({'curl', '-vk', '--resolve', 'konghq.com:60000:127.0.0.1', 'https://konghq.com:60000'}) + local stdout_data, err = proc:stdout_read_all() + if not stdout_data then + ngx.say(err) + return + end + + local stderr_data, err = proc:stderr_read_all() + if not stderr_data then + ngx.say(err) + return + end + + if string.find(stdout_data, "ALPN: server accepted h2") ~= nil then + ngx.say("alpn server accepted h2") + return + end + + if string.find(stderr_data, "ALPN: server accepted http/1.1") ~= nil then + ngx.say("alpn server accepted http/1.1") return end } @@ -81,9 +142,9 @@ __DATA__ --- request GET /t --- response_body -received: HTTP/1.1 200 OK +alpn server accepted http/1.1 --- no_error_log [error] [alert] [warn] -[crit] \ No newline at end of file +[crit] From 2b64b0748c18c4e6becec3b78d07453a4dc04072 Mon Sep 17 00:00:00 2001 From: Jun Ouyang Date: Tue, 24 Sep 2024 17:43:40 +0800 Subject: [PATCH 4/4] chore: fix code --- ...x_lua-0.10.26_01-ssl-disable-h2-alpn.patch | 43 ++++++++----------- t/04-patch/04-ngx-ssl-disable-http2-alpn.t | 4 +- 2 files changed, 19 insertions(+), 28 deletions(-) diff --git a/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch b/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch index 4f72afe3bcbe..0a5d0f2b9f92 100644 --- a/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch +++ b/build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch @@ -1,5 +1,5 @@ diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua b/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua -index 8792be0..39279aa 100644 +index 8792be0..38cbc51 100644 --- a/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua 
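Review bot: TEST 1 is titled "normal http2 alpn" but its `ssl_client_hello_by_lua_block` (in the previous hunk) still calls `ssl.disable_http2()` and its `--- response_body` expects `alpn server accepted http/1.1`, so the two blocks are identical and the baseline behaviour — `h2` negotiated when `http2 on` is set and the API is not called — is never asserted; drop the Lua call from TEST 1 and expect `alpn server accepted h2` there. The `h2` check also greps `stdout_data`, but `curl -v` writes its `ALPN: server accepted ...` lines to stderr (which is what the http/1.1 check relies on), so that branch can never fire; both `string.find` calls should look at `stderr_data`. `listen 60000 ssl` binds every interface for the duration of the test run; `listen 127.0.0.1:60000 ssl` keeps the fixture loopback-only and still works with the `--resolve` argument.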
+++ b/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua @@ -18,6 +18,7 @@ local get_size_ptr = base.get_size_ptr @@ -23,7 +23,7 @@ index 8792be0..39279aa 100644 int ngx_http_lua_ffi_ssl_verify_client(void *r, void *cdata, int depth, char **err); -+ int ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r, char **err); ++ int ngx_http_lua_ffi_ssl_disable_http2_alpn(ngx_http_request_t *r, char **err); ]] ngx_lua_ffi_ssl_set_der_certificate = @@ -31,7 +31,7 @@ index 8792be0..39279aa 100644 ngx_lua_ffi_free_cert = C.ngx_http_lua_ffi_free_cert ngx_lua_ffi_free_priv_key = C.ngx_http_lua_ffi_free_priv_key ngx_lua_ffi_ssl_verify_client = C.ngx_http_lua_ffi_ssl_verify_client -+ ngx_lua_ffi_disable_http2 = C.ngx_http_lua_ffi_ssl_disable_http2 ++ ngx_lua_ffi_disable_http2 = C.ngx_http_lua_ffi_ssl_disable_http2_alpn elseif subsystem == 'stream' then ffi.cdef[[ @@ -39,7 +39,7 @@ index 8792be0..39279aa 100644 end -+function _M.disable_http2() ++function _M.disable_http2_alpn() + if get_phase() ~= "ssl_client_hello" then + error("API disabled in the current context") + end @@ -62,7 +62,7 @@ index 8792be0..39279aa 100644 _M.SSL3_VERSION = 0x0300 _M.TLS1_VERSION = 0x0301 diff --git a/bundle/nginx-1.25.3/src/http/modules/ngx_http_ssl_module.c b/bundle/nginx-1.25.3/src/http/modules/ngx_http_ssl_module.c -index 1c92d9f..e9094c5 100644 +index 1c92d9f..cab2300 100644 --- a/bundle/nginx-1.25.3/src/http/modules/ngx_http_ssl_module.c +++ b/bundle/nginx-1.25.3/src/http/modules/ngx_http_ssl_module.c @@ -8,6 +8,7 @@ 
@@ -78,12 +78,12 @@ index 1c92d9f..e9094c5 100644 h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); - if (h2scf->enable || hc->addr_conf->http2) { -+ if ((h2scf->enable || hc->addr_conf->http2) && !ngx_http_lua_get_ssl_disable_http2(c->ssl)) { ++ if ((h2scf->enable || hc->addr_conf->http2) && !ngx_http_lua_get_ssl_disable_http2_alpn(c->ssl)) { srv = (unsigned char *) NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS; srvlen = sizeof(NGX_HTTP_V2_ALPN_PROTO NGX_HTTP_ALPN_PROTOS) - 1; diff --git a/bundle/nginx-1.25.3/src/http/ngx_http_request.c b/bundle/nginx-1.25.3/src/http/ngx_http_request.c -index bd2be5e..9492551 100644 +index bd2be5e..022e905 100644 --- a/bundle/nginx-1.25.3/src/http/ngx_http_request.c +++ b/bundle/nginx-1.25.3/src/http/ngx_http_request.c @@ -8,6 +8,7 @@ @@ -94,60 +94,51 @@ index bd2be5e..9492551 100644 static void ngx_http_wait_request_handler(ngx_event_t *ev); -@@ -837,7 +838,7 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c) - - h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); - -- if (h2scf->enable || hc->addr_conf->http2) { -+ if ((h2scf->enable || hc->addr_conf->http2) && !ngx_http_lua_get_ssl_disable_http2(c->ssl)) { - - SSL_get0_alpn_selected(c->ssl->connection, &data, &len); - diff --git a/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h b/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h -index 193c44e..fec6d61 100644 +index 193c44e..b81c73d 100644 --- a/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h +++ b/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h @@ -70,6 +70,7 @@ void ngx_http_lua_co_ctx_resume_helper(ngx_http_lua_co_ctx_t *coctx, int nrets); int ngx_http_lua_get_lua_http10_buffering(ngx_http_request_t *r); -+unsigned ngx_http_lua_get_ssl_disable_http2(ngx_ssl_connection_t *ssl); ++unsigned ngx_http_lua_get_ssl_disable_http2_alpn(ngx_ssl_connection_t *ssl); #endif /* _NGX_HTTP_LUA_API_H_INCLUDED_ */ 
diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c -index 0d3ec9c..fe030c5 100644 +index 0d3ec9c..963bf96 100644 --- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c +++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c @@ -340,5 +340,14 @@ ngx_http_lua_get_lua_http10_buffering(ngx_http_request_t *r) return llcf->http10_buffering; } -+unsigned ngx_http_lua_get_ssl_disable_http2(ngx_ssl_connection_t *ssl) ++unsigned ngx_http_lua_get_ssl_disable_http2_alpn(ngx_ssl_connection_t *ssl) +{ + ngx_http_lua_assert(ssl->connection); + ngx_http_lua_ssl_ctx_t *cctx; + + cctx = ngx_http_lua_ssl_get_ctx(ssl->connection); + ngx_http_lua_assert(cctx); -+ return cctx->disable_http2; ++ return cctx->disable_http2_alpn; +} /* vi:set ft=c ts=4 sw=4 et fdm=marker: */ diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h -index 3d577c6..e1b1583 100644 +index 3d577c6..c6ff1ed 100644 --- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h +++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h @@ -38,6 +38,7 @@ typedef struct { unsigned entered_client_hello_handler:1; unsigned entered_cert_handler:1; unsigned entered_sess_fetch_handler:1; -+ unsigned disable_http2:1; ++ unsigned disable_http2_alpn:1; } ngx_http_lua_ssl_ctx_t; diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c -index 03ac430..fe125a2 100644 +index 03ac430..4f178f8 100644 --- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c +++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c @@ -713,4 +713,33 @@ ngx_http_lua_ffi_ssl_set_protocols(ngx_http_request_t *r, 
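Review bot: `ngx_http_lua_get_ssl_disable_http2_alpn` reads `cctx->disable_http2_alpn` straight after `ngx_http_lua_assert(cctx)`, but `ngx_http_lua_ssl_get_ctx` returns NULL on any connection where no `ssl_client_hello_by_lua*` / `ssl_certificate_by_lua*` handler has installed a context — the setter in the same patch treats exactly that case as `"bad lua context"` — and `ngx_http_lua_assert`, as far as I recall, compiles to nothing outside debug builds. Because the caller is `ngx_http_ssl_alpn_select`, which OpenSSL runs for every ALPN-bearing ClientHello on an `http2 on` server, an unauthenticated client can crash the worker on any such server that has no Lua SSL handler configured; the tests here all configure one, so they would not catch it. Make the getter total: `if (ssl == NULL || ssl->connection == NULL) { return 0; }` then `cctx = ngx_http_lua_ssl_get_ctx(ssl->connection);` and `return cctx != NULL && cctx->disable_http2_alpn;`. This patch also drops the line-837 hunk from `ngx_http_request.c` but keeps the `#include` it had added near the top of that file, which is now unused there and can be removed together with it.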
@@ -155,7 +146,7 @@ index 03ac430..fe125a2 100644 } +int -+ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r, char **err) ++ngx_http_lua_ffi_ssl_disable_http2_alpn(ngx_http_request_t *r, char **err) +{ + ngx_ssl_conn_t *ssl_conn; + ngx_http_lua_ssl_ctx_t *cctx; @@ -178,7 +169,7 @@ index 03ac430..fe125a2 100644 + } + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "lua ssl disable http2"); -+ cctx->disable_http2 = 1; ++ cctx->disable_http2_alpn = 1; + + return NGX_OK; +} diff --git a/t/04-patch/04-ngx-ssl-disable-http2-alpn.t b/t/04-patch/04-ngx-ssl-disable-http2-alpn.t index f5bf2c335812..3607cb7bc011 100644 --- a/t/04-patch/04-ngx-ssl-disable-http2-alpn.t +++ b/t/04-patch/04-ngx-ssl-disable-http2-alpn.t @@ -34,7 +34,7 @@ __DATA__ http2 on; ssl_client_hello_by_lua_block { local ssl = require "ngx.ssl" - local ok, err = ssl.disable_http2() + local ok, err = ssl.disable_http2_alpn() if not ok then ngx.log(ngx.ERR, "failed to disable http2") end @@ -99,7 +99,7 @@ alpn server accepted http/1.1 http2 on; ssl_client_hello_by_lua_block { local ssl = require "ngx.ssl" - local ok, err = ssl.disable_http2() + local ok, err = ssl.disable_http2_alpn() if not ok then ngx.log(ngx.ERR, "failed to disable http2") end