feat: support set upstream ssl verify (#97)

AlinsRan · web-flow · commit 8ed17e70c16e · 2025-01-21T09:31:12.000+08:00
diff --git a/lib/resty/apisix/upstream.lua b/lib/resty/apisix/upstream.lua
@@ -14,6 +14,7 @@ ffi.cdef([[
 typedef intptr_t        ngx_int_t;
 ngx_int_t ngx_http_apisix_upstream_set_cert_and_key(ngx_http_request_t *r, void *cert, void *key);
 ngx_int_t ngx_http_apisix_upstream_set_ssl_trusted_store(ngx_http_request_t *r, void *store);
+int ngx_http_apisix_upstream_set_ssl_verify(ngx_http_request_t *r, int verify);
 ]])
 local _M = {}
 
@@ -70,4 +71,39 @@ end
 _M.set_ssl_trusted_store = set_ssl_trusted_store
 
 
+local set_ssl_verify
+do
+    local ALLOWED_PHASES = {
+        ['rewrite'] = true,
+        ['balancer'] = true,
+        ['access'] = true,
+        ['preread'] = true,
+    }
+    function set_ssl_verify(verify)
+        if not ALLOWED_PHASES[get_phase()] then
+            error("API disabled in the current context", 2)
+        end
+
+        if type(verify) ~= 'boolean' then
+            error("verify expects a boolean but found " .. type(verify), 2)
+        end
+
+        local r = get_request()
+
+        local ret = C.ngx_http_apisix_upstream_set_ssl_verify(
+            r, verify)
+        if ret == NGX_OK then
+            return true
+        end
+
+        if ret == NGX_ERROR then
+            return nil, "error while setting upstream ssl verify mode"
+        end
+
+        error("unknown return code: " .. tostring(ret))
+    end
+end
+_M.set_ssl_verify = set_ssl_verify
+
+
 return _M
diff --git a/patch/1.21.4/nginx-upstream_mtls.patch b/patch/1.21.4/nginx-upstream_mtls.patch
@@ -1,5 +1,5 @@
 diff --git src/http/ngx_http_upstream.c src/http/ngx_http_upstream.c
-index 76045c4..cee3e2a 100644
+index 04d813a..c812242 100644
 --- src/http/ngx_http_upstream.c
 +++ src/http/ngx_http_upstream.c
 @@ -8,6 +8,9 @@
@@ -10,9 +10,22 @@ index 76045c4..cee3e2a 100644
 +#include <ngx_http_apisix_module.h>
 +#endif
  
- #if (T_NGX_MULTI_UPSTREAM)
- #include <ngx_http_multi_upstream_module.h>
-@@ -1766,6 +1769,10 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
+ 
+ #if (NGX_HTTP_CACHE)
+@@ -1697,8 +1700,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
+                                            NGX_HTTP_INTERNAL_SERVER_ERROR);
+         return;
+     }
+-
++#if (NGX_HTTP_APISIX)
++    if (u->conf->ssl_server_name || ngx_http_apisix_get_upstream_ssl_verify(r, u->conf->ssl_verify)) {
++#else
+     if (u->conf->ssl_server_name || u->conf->ssl_verify) {
++#endif
+         if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) {
+             ngx_http_upstream_finalize_request(r, u,
+                                                NGX_HTTP_INTERNAL_SERVER_ERROR);
+@@ -1738,6 +1744,10 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
  
      r->connection->log->action = "SSL handshaking to upstream";
  
@@ -23,3 +36,15 @@ index 76045c4..cee3e2a 100644
      rc = ngx_ssl_handshake(c);
  
      if (rc == NGX_AGAIN) {
+@@ -1785,7 +1795,11 @@ ngx_http_upstream_ssl_handshake(ngx_http_request_t *r, ngx_http_upstream_t *u,
+ 
+     if (c->ssl->handshaked) {
+ 
++#if (NGX_HTTP_APISIX)
++        if (ngx_http_apisix_get_upstream_ssl_verify(r, u->conf->ssl_verify)) {
++#else
+         if (u->conf->ssl_verify) {
++#endif
+             rc = SSL_get_verify_result(c->ssl->connection);
+ 
+             if (rc != X509_V_OK) {
diff --git a/patch/1.25.3.1/nginx-upstream_mtls.patch b/patch/1.25.3.1/nginx-upstream_mtls.patch
@@ -1,5 +1,5 @@
 diff --git src/http/ngx_http_upstream.c src/http/ngx_http_upstream.c
-index 2be233c..78474f3 100644
+index 2be233c..06bbbb9 100644
 --- src/http/ngx_http_upstream.c
 +++ src/http/ngx_http_upstream.c
 @@ -8,6 +8,9 @@
@@ -12,7 +12,20 @@ index 2be233c..78474f3 100644
  
  
  #if (NGX_HTTP_CACHE)
-@@ -1756,6 +1759,10 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
+@@ -1713,8 +1716,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
+                                            NGX_HTTP_INTERNAL_SERVER_ERROR);
+         return;
+     }
+-
++#if (NGX_HTTP_APISIX)
++    if (u->conf->ssl_server_name || ngx_http_apisix_get_upstream_ssl_verify(r, u->conf->ssl_verify)) {
++#else
+     if (u->conf->ssl_server_name || u->conf->ssl_verify) {
++#endif
+         if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) {
+             ngx_http_upstream_finalize_request(r, u,
+                                                NGX_HTTP_INTERNAL_SERVER_ERROR);
+@@ -1756,6 +1762,10 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
  
      r->connection->log->action = "SSL handshaking to upstream";
  
@@ -23,3 +36,15 @@ index 2be233c..78474f3 100644
      rc = ngx_ssl_handshake(c);
  
      if (rc == NGX_AGAIN) {
+@@ -1803,7 +1813,11 @@ ngx_http_upstream_ssl_handshake(ngx_http_request_t *r, ngx_http_upstream_t *u,
+ 
+     if (c->ssl->handshaked) {
+ 
++#if (NGX_HTTP_APISIX)
++        if (ngx_http_apisix_get_upstream_ssl_verify(r, u->conf->ssl_verify)) {
++#else
+         if (u->conf->ssl_verify) {
++#endif
+             rc = SSL_get_verify_result(c->ssl->connection);
+ 
+             if (rc != X509_V_OK) {
diff --git a/src/ngx_http_apisix_module.c b/src/ngx_http_apisix_module.c
@@ -383,6 +383,42 @@ ngx_http_apisix_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c)
 
     ngx_http_apisix_flush_ssl_error();
 }
+
+
+int
+ngx_http_apisix_upstream_set_ssl_verify(ngx_http_request_t *r, int verify)
+{
+    ngx_http_apisix_ctx_t       *ctx;
+
+    ctx = ngx_http_apisix_get_module_ctx(r);
+
+    if (ctx == NULL) {
+        return NGX_ERROR;
+    }
+    
+    ctx->upstream_ssl_verify_set = 1;
+    ctx->upstream_ssl_verify = verify;
+
+    return NGX_OK;
+}
+
+ngx_flag_t
+ngx_http_apisix_get_upstream_ssl_verify(ngx_http_request_t *r, ngx_flag_t proxy_ssl_verify)
+{
+    ngx_http_apisix_ctx_t       *ctx;
+
+    ctx = ngx_http_apisix_get_module_ctx(r);
+
+    if (ctx == NULL) {
+        return proxy_ssl_verify;
+    }
+
+    if (!ctx->upstream_ssl_verify_set) {
+        return proxy_ssl_verify;
+    }
+
+    return ctx->upstream_ssl_verify;
+}
 #endif
 
 
diff --git a/src/ngx_http_apisix_module.h b/src/ngx_http_apisix_module.h
@@ -35,10 +35,13 @@ typedef struct {
     unsigned             request_header_set:1;
     unsigned             header_filter_by_lua_skipped:1;
     unsigned             body_filter_by_lua_skipped:1;
+    unsigned             upstream_ssl_verify:1;
+    unsigned             upstream_ssl_verify_set:1;
 } ngx_http_apisix_ctx_t;
 
 
 void ngx_http_apisix_set_upstream_ssl(ngx_http_request_t *r, ngx_connection_t *c);
+ngx_flag_t ngx_http_apisix_get_upstream_ssl_verify(ngx_http_request_t *r, ngx_flag_t proxy_ssl_verify);
 
 ngx_flag_t ngx_http_apisix_delay_client_max_body_check(ngx_http_request_t *r);
 off_t ngx_http_apisix_client_max_body_size(ngx_http_request_t *r);
diff --git a/t/upstream_ssl_verify.t b/t/upstream_ssl_verify.t
