diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c index 43fcafd50..ca1c3c402 100644 --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -39,7 +39,7 @@ static ngx_int_t ngx_http_ssl_add_variables(ngx_conf_t *cf); static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf); static char *ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child); - + static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf, ngx_http_ssl_srv_conf_t *conf); @@ -347,7 +347,6 @@ ngx_module_t ngx_http_ssl_module = { NGX_MODULE_V1_PADDING }; - static ngx_http_variable_t ngx_http_ssl_vars[] = { { ngx_string("ssl_protocol"), NULL, ngx_http_ssl_static_variable, @@ -965,6 +964,37 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child) return NGX_CONF_OK; } +u_char * +ngx_ssl_get_backend_cipher(ngx_connection_t *c) +{ + const SSL_CIPHER *cipher; + const char *name; + + if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) { + return NULL; + } + + cipher = SSL_get_current_cipher(c->ssl->connection); + if (cipher == NULL) { + return NULL; + } + + name = SSL_CIPHER_get_name(cipher); + return (u_char *) name; +} + +u_char * +ngx_ssl_get_backend_protocol(ngx_connection_t *c) +{ + const char *proto; + + if (c == NULL || c->ssl == NULL || c->ssl->connection == NULL) { + return NULL; + } + + proto = SSL_get_version(c->ssl->connection); + return (u_char *) proto; +} static ngx_int_t ngx_http_ssl_compile_certificates(ngx_conf_t *cf, diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c index bb8964add..c12040d2e 100644 --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -173,6 +173,10 @@ static ngx_int_t ngx_http_upstream_trailer_variable(ngx_http_request_t *r, static ngx_int_t ngx_http_upstream_cookie_variable(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); +static ngx_int_t ngx_http_upstream_backend_ssl_cipher(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data); +static ngx_int_t ngx_http_upstream_backend_ssl_protocol(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data); static char *ngx_http_upstream(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy); static char *ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); @@ -412,6 +416,14 @@ static ngx_http_variable_t ngx_http_upstream_vars[] = { { ngx_string("upstream_status"), NULL, ngx_http_upstream_status_variable, 0, NGX_HTTP_VAR_NOCACHEABLE, 0 }, + + { ngx_string("backend_ssl_protocol"), NULL, + ngx_http_upstream_backend_ssl_protocol, 0, + NGX_HTTP_VAR_NOCACHEABLE, 0 }, + + { ngx_string("backend_ssl_cipher"), NULL, + ngx_http_upstream_backend_ssl_cipher, 0, + NGX_HTTP_VAR_NOCACHEABLE, 0 }, { ngx_string("upstream_connect_time"), NULL, ngx_http_upstream_response_time_variable, 2, @@ -1834,18 +1846,32 @@ ngx_http_upstream_ssl_handshake_handler(ngx_connection_t *c) ngx_http_upstream_t *u; r = c->data; - + u = r->upstream; - c = r->connection; + + if (c->ssl && c->ssl->handshaked) { + SSL *ssl_conn = c->ssl->connection; - ngx_http_set_log_request(c->log, r); + const char *proto = SSL_get_version(ssl_conn); + const char *cipher = SSL_get_cipher_name(ssl_conn); - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream ssl handshake: \"%V?%V\"", - &r->uri, &r->args); + if (r->upstream_states && r->upstream_states->nelts > 0) { + ngx_http_upstream_state_t *state = r->upstream_states->elts; - ngx_http_upstream_ssl_handshake(r, u, u->peer.connection); + state->backend_ssl_protocol.len = ngx_strlen(proto); + state->backend_ssl_protocol.data = ngx_pnalloc(r->pool, state->backend_ssl_protocol.len); + if (state->backend_ssl_protocol.data) { + ngx_memcpy(state->backend_ssl_protocol.data, proto, state->backend_ssl_protocol.len); + } + state->backend_ssl_cipher.len = ngx_strlen(cipher); + state->backend_ssl_cipher.data = ngx_pnalloc(r->pool, state->backend_ssl_cipher.len); + if (state->backend_ssl_cipher.data) { + ngx_memcpy(state->backend_ssl_cipher.data, cipher, state->backend_ssl_cipher.len); + } + } + ngx_http_upstream_ssl_handshake(r, u, c); + } ngx_http_run_posted_requests(c); } @@ -1899,6 +1925,57 @@ failed: ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); } +static ngx_int_t +ngx_http_upstream_backend_ssl_cipher(ngx_http_request_t *r, + ngx_http_variable_value_t *v, + uintptr_t data) +{ + if (r == NULL || r->upstream_states == NULL || r->upstream_states->nelts == 0) { + v->not_found = 1; + return NGX_OK; + } + + ngx_http_upstream_state_t *state = r->upstream_states->elts; + + if (state->backend_ssl_cipher.data == NULL) { + v->not_found = 1; + return NGX_OK; + } + + v->data = state->backend_ssl_cipher.data; + v->len = state->backend_ssl_cipher.len; + v->valid = 1; + v->no_cacheable = 0; + v->not_found = 0; + + return NGX_OK; +} + +static ngx_int_t +ngx_http_upstream_backend_ssl_protocol(ngx_http_request_t *r, + ngx_http_variable_value_t *v, + uintptr_t data) +{ + if (r == NULL || r->upstream_states == NULL || r->upstream_states->nelts == 0) { + v->not_found = 1; + return NGX_OK; + } + + ngx_http_upstream_state_t *state = r->upstream_states->elts; + + if (state->backend_ssl_protocol.data == NULL) { + v->not_found = 1; + return NGX_OK; + } + + v->data = state->backend_ssl_protocol.data; + v->len = state->backend_ssl_protocol.len; + v->valid = 1; + v->no_cacheable = 0; + v->not_found = 0; + + return NGX_OK; +} static void ngx_http_upstream_ssl_save_session(ngx_connection_t *c) @@ -2625,7 +2702,6 @@ done: if (ngx_http_upstream_process_headers(r, u) != NGX_OK) { return; } - ngx_http_upstream_send_response(r, u); } diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h index 4560bbe9a..520a5144c 100644 --- a/src/http/ngx_http_upstream.h +++ b/src/http/ngx_http_upstream.h @@ -64,6 +64,8 @@ typedef struct { ngx_uint_t status; ngx_msec_t response_time; ngx_msec_t connect_time; + ngx_str_t backend_ssl_protocol; + ngx_str_t backend_ssl_cipher; ngx_msec_t header_time; ngx_msec_t queue_time; off_t response_length;