feat(patch): support dynamic disable http2 alpn in ssl client hello p…

build/openresty/patches/ngx_lua-0.10.26_01-ssl-disable-h2-alpn.patch

@@ -0,0 +1,163 @@
+diff --git a/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua b/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua
+index 8792be0..f4e4832 100644
+--- a/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua
++++ b/bundle/lua-resty-core-0.1.28/lib/ngx/ssl.lua
+@@ -18,6 +18,7 @@ local get_size_ptr = base.get_size_ptr
+ local FFI_DECLINED = base.FFI_DECLINED
+ local FFI_OK = base.FFI_OK
+ local subsystem = ngx.config.subsystem
++local get_phase = ngx.get_phase
+
+
+ local ngx_lua_ffi_ssl_set_der_certificate
+@@ -37,7 +38,7 @@ local ngx_lua_ffi_set_priv_key
+ local ngx_lua_ffi_free_cert
+ local ngx_lua_ffi_free_priv_key
+ local ngx_lua_ffi_ssl_verify_client
+-
++local ngx_lua_ffi_disable_http2
+
+ if subsystem == 'http' then
+     ffi.cdef[[
+@@ -87,6 +88,7 @@ if subsystem == 'http' then
+
+     int ngx_http_lua_ffi_ssl_verify_client(void *r,
+         void *cdata, int depth, char **err);
++    int ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r);
+     ]]
+
+     ngx_lua_ffi_ssl_set_der_certificate =
+@@ -108,6 +110,7 @@ if subsystem == 'http' then
+     ngx_lua_ffi_free_cert = C.ngx_http_lua_ffi_free_cert
+     ngx_lua_ffi_free_priv_key = C.ngx_http_lua_ffi_free_priv_key
+     ngx_lua_ffi_ssl_verify_client = C.ngx_http_lua_ffi_ssl_verify_client
++    ngx_lua_ffi_disable_http2 = C.ngx_http_lua_ffi_ssl_disable_http2
+
+ elseif subsystem == 'stream' then
+     ffi.cdef[[
+@@ -436,6 +439,24 @@ function _M.verify_client(ca_certs, depth)
+ end
+
+
++function _M.disable_http2()
++    if get_phase() ~= "ssl_client_hello" then
++        error("API disabled in the current context")
++    end
++
++    local r = get_request()
++    if not r then
++        error("no request found")
++    end
++    local rc = ngx_lua_ffi_disable_http2(r)
++    if rc == FFI_OK then
++        return true
++    end
++
++    return false
++end
++
++
+ do
+     _M.SSL3_VERSION = 0x0300
+     _M.TLS1_VERSION = 0x0301
+diff --git a/bundle/nginx-1.25.3/src/http/ngx_http_request.c b/bundle/nginx-1.25.3/src/http/ngx_http_request.c
+index bd2be5e..2084ecd 100644
+--- a/bundle/nginx-1.25.3/src/http/ngx_http_request.c
++++ b/bundle/nginx-1.25.3/src/http/ngx_http_request.c
+@@ -8,6 +8,7 @@
+ #include <ngx_config.h>
+ #include <ngx_core.h>
+ #include <ngx_http.h>
++#include <ngx_http_lua_api.h>
+
+
+ static void ngx_http_wait_request_handler(ngx_event_t *ev);
+@@ -837,7 +838,7 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
+
+         h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module);
+
+-        if (h2scf->enable || hc->addr_conf->http2) {
++        if ((h2scf->enable || hc->addr_conf->http2) && ngx_http_lua_get_ssl_disable_http2(c->ssl)) {
+
+             SSL_get0_alpn_selected(c->ssl->connection, &data, &len);
+
+diff --git a/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h b/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h
+index 193c44e..fec6d61 100644
+--- a/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h
++++ b/bundle/ngx_lua-0.10.26/src/api/ngx_http_lua_api.h
+@@ -70,6 +70,7 @@ void ngx_http_lua_co_ctx_resume_helper(ngx_http_lua_co_ctx_t *coctx, int nrets);
+
+ int ngx_http_lua_get_lua_http10_buffering(ngx_http_request_t *r);
+
++unsigned ngx_http_lua_get_ssl_disable_http2(ngx_ssl_connection_t *ssl);
+
+ #endif /* _NGX_HTTP_LUA_API_H_INCLUDED_ */
+
+diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c
+index 0d3ec9c..fe030c5 100644
+--- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c
++++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_api.c
+@@ -340,5 +340,14 @@ ngx_http_lua_get_lua_http10_buffering(ngx_http_request_t *r)
+     return llcf->http10_buffering;
+ }
+
++unsigned ngx_http_lua_get_ssl_disable_http2(ngx_ssl_connection_t *ssl)
++{
++    ngx_http_lua_assert(ssl->connection);
++    ngx_http_lua_ssl_ctx_t *cctx;
++    
++    cctx = ngx_http_lua_ssl_get_ctx(ssl->connection);
++    ngx_http_lua_assert(cctx);
++    return cctx->disable_http2;
++}
+
+ /* vi:set ft=c ts=4 sw=4 et fdm=marker: */
+diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h
+index 3d577c6..e1b1583 100644
+--- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h
++++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl.h
+@@ -38,6 +38,7 @@ typedef struct {
+     unsigned                 entered_client_hello_handler:1;
+     unsigned                 entered_cert_handler:1;
+     unsigned                 entered_sess_fetch_handler:1;
++    unsigned                 disable_http2:1;
+ } ngx_http_lua_ssl_ctx_t;
+
+
+diff --git a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c
+index 03ac430..cc3e30f 100644
+--- a/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c
++++ b/bundle/ngx_lua-0.10.26/src/ngx_http_lua_ssl_client_helloby.c
+@@ -713,4 +713,32 @@ ngx_http_lua_ffi_ssl_set_protocols(ngx_http_request_t *r,
+     return NGX_OK;
+ }
+
++int
++ngx_http_lua_ffi_ssl_disable_http2(ngx_http_request_t *r, char **err)
++{
++    ngx_ssl_conn_t    *ssl_conn;
++    ngx_http_lua_ssl_ctx_t *cctx;
++
++    if (r->connection == NULL || r->connection->ssl == NULL) {
++        *err = "bad request";
++        return NGX_ERROR;
++    }
++
++    ssl_conn = r->connection->ssl->connection;
++    if (ssl_conn == NULL) {
++        *err = "bad ssl conn";
++        return NGX_ERROR;
++    }
++
++    cctx = ngx_http_lua_ssl_get_ctx(ssl_conn);
++    if (cctx == NULL) {
++        *err = "bad lua context";
++        return NGX_ERROR;
++    }
++
++    cctx->disable_http2 = 1;
++
++    return NGX_OK;
++}
++
+ #endif /* NGX_HTTP_SSL */

t/04-patch/04-ngx-ssl-disable-http2-alpn.t

@@ -0,0 +1,89 @@
+# vim:set ft= ts=4 sw=4 et:
+
+use Test::Nginx::Socket::Lua;
+use Cwd qw(cwd);
+
+repeat_each(2);
+
+plan tests => repeat_each() * (blocks() * 7 - 1);
+
+my $pwd = cwd();
+
+$ENV{TEST_NGINX_HTML_DIR} ||= html_dir();
+
+log_level('debug');
+no_long_string();
+#no_diff();
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: disable http2 can not failed
+--- http_config
+
+    server {
+        listen unix:$TEST_NGINX_HTML_DIR/nginx.sock ssl;
+        server_name   konghq.com;
+        ssl_certificate ../../certs/test.crt;
+        ssl_certificate_key ../../certs/test.key;
+        ssl_session_cache off;
+        ssl_session_tickets on;
+        server_tokens off;
+        ssl_client_hello_by_lua_block {
+            local ssl = require "ngx.ssl"
+            local ok, err = ssl.disable_http2()
+            if not ok then
+                ngx.log(ngx.ERR, "failed to disable http2")
+            end
+        }
+        location /foo {
+            default_type 'text/plain';
+            content_by_lua_block {ngx.exit(200)}
+            more_clear_headers Date;
+        }
+    }
+--- config
+    server_tokens off;
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("unix:$TEST_NGINX_HTML_DIR/nginx.sock")
+            if not ok then
+                ngx.say("failed to connect: ", err)
+                return
+            end
+            local session
+            session, err = sock:sslhandshake(session, "konghq.com")
+            if not session then
+                ngx.say("failed to do SSL handshake: ", err)
+                return
+            end
+            local req = "GET /foo HTTP/1.1\r\nHost: konghq.com\r\nConnection: close\r\n\r\n"
+            local bytes, err = sock:send(req)
+            if not bytes then
+                ngx.say("failed to send http request: ", err)
+                return
+            end
+            local line, err = sock:receive()
+            if not line then
+                ngx.say("failed to receive response status line: ", err)
+                return
+            end
+            ngx.say("received: ", line)
+            local ok, err = sock:close()
+            if not ok then
+                ngx.say("failed to close: ", err)
+                return
+            end
+        }
+    }
+--- request
+GET /t
+--- response_body
+received: HTTP/1.1 200 OK
+--- no_error_log
+[error]
+[alert]
+[warn]
+[crit]