From 4a9f3cc14b96777edfc5264e0ec6eec09050336a Mon Sep 17 00:00:00 2001 From: ryokdy Date: Mon, 4 Sep 2017 15:48:44 +0900 Subject: [PATCH 01/18] Store expiry date to the storage --- Makefile | 1 + bin/letsencrypt_hooks | 7 +++- lib/resty/auto-ssl/jobs/renewal.lua | 29 +++++++++++++++++ lib/resty/auto-ssl/servers/hook.lua | 3 +- lib/resty/auto-ssl/ssl_certificate.lua | 7 ++++ lib/resty/auto-ssl/storage.lua | 14 ++++---- lib/resty/auto-ssl/utils/verify_domain.lua | 37 ++++++++++++++++++++++ 7 files changed, 89 insertions(+), 9 deletions(-) create mode 100644 lib/resty/auto-ssl/utils/verify_domain.lua diff --git a/Makefile b/Makefile index 134eb57..a74c686 100644 --- a/Makefile +++ b/Makefile @@ -43,6 +43,7 @@ install: install -m 644 lib/resty/auto-ssl/utils/shell_execute.lua $(INST_LUADIR)/resty/auto-ssl/utils/shell_execute.lua install -m 644 lib/resty/auto-ssl/utils/start_sockproc.lua $(INST_LUADIR)/resty/auto-ssl/utils/start_sockproc.lua install -m 644 lib/resty/auto-ssl/utils/run_command.lua $(INST_LUADIR)/resty/auto-ssl/utils/run_command.lua + install -m 644 lib/resty/auto-ssl/utils/verify_domain.lua $(INST_LUADIR)/resty/auto-ssl/utils/verify_domain.lua install -d $(INST_LUADIR)/resty/auto-ssl/vendor install -m 644 lib/resty/auto-ssl/vendor/shell.lua $(INST_LUADIR)/resty/auto-ssl/vendor/shell.lua install -d $(INST_BINDIR)/resty-auto-ssl diff --git a/bin/letsencrypt_hooks b/bin/letsencrypt_hooks index 914ab1b..17db0b2 100755 --- a/bin/letsencrypt_hooks +++ b/bin/letsencrypt_hooks 
@@ -33,13 +33,18 @@ function clean_challenge { function deploy_cert { local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" - + local EXPIRY=$(date --date="$(openssl x509 -enddate -noout -in "$CERTFILE"|cut -d= -f 2)" +%s) + if [ $? -ne 0 ]; then + echo "failed to get the expiry date." + exit 1 + fi curl --silent --show-error --fail -XPOST \ --header "X-Hook-Secret: $HOOK_SECRET" \ --data-urlencode "domain=$DOMAIN" \ --data-urlencode "privkey@$KEYFILE" \ --data-urlencode "cert@$CERTFILE" \ --data-urlencode "fullchain@$FULLCHAINFILE" \ + --data-urlencode "expiry=$EXPIRY" \ "http://127.0.0.1:$HOOK_SERVER_PORT/deploy-cert" || { echo "hook request (deploy_cert) failed" 1>&2; exit 1; } } diff --git a/lib/resty/auto-ssl/jobs/renewal.lua b/lib/resty/auto-ssl/jobs/renewal.lua index 3347056..afe570f 100644 --- a/lib/resty/auto-ssl/jobs/renewal.lua +++ b/lib/resty/auto-ssl/jobs/renewal.lua @@ -1,6 +1,7 @@ local lock = require "resty.lock" local run_command = require "resty.auto-ssl.utils.run_command" local ssl_provider = require "resty.auto-ssl.ssl_providers.lets_encrypt" +local verify_domain = require "resty.auto-ssl.utils.verify_domain" local _M = {} 
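Review bot: The `if [ $? -ne 0 ]` test in deploy_cert checks the exit status of `local`, which is 0 whether or not `openssl`/`date` in the substitution failed, so the new guard can never fire. Split declaration and assignment so the substitution's status is what gets tested: `local EXPIRY` / `EXPIRY=$(date --date="$(openssl x509 -enddate -noout -in "$CERTFILE"|cut -d= -f 2)" +%s)` / `if [ $? -ne 0 ] || [ -z "$EXPIRY" ]; then`. Even then `$?` is only `date`'s status, and I believe GNU date treats the empty string it receives when `openssl` fails as "today", exiting 0, so a numeric check such as `case "$EXPIRY" in ''|*[!0-9]*) echo "failed to get the expiry date." 1>&2; exit 1;; esac` is what actually catches a bad certificate file. The error message on the failure path should also go to stderr (`1>&2`) like the curl failure below it, and `date --date` is GNU-only, which matters if these hooks are meant to run on BSD/macOS.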
@@ -45,6 +46,34 @@ local function renew_check_cert_unlock(domain, storage, local_lock, distributed_ end local function renew_check_cert(auto_ssl_instance, storage, domain) + -- Check if the expiry date is comming. + local _, _, _, expiry = storage:get_cert(domain) + if not expiry then + ngx.log(ngx.ERR, "auto-ssl: failed to get expiry date: ", domain) + return + end + + local now = ngx.now() + + ngx.log(ngx.NOTICE, "now:" .. tostring(now)) + ngx.log(ngx.NOTICE, "expiry:" .. tostring(expiry)) + if now + (30 * 24 * 60 * 60) < expiry then + return + end + + if now > expiry then + storage:delete_cert(domain) + ngx.log(ngx.ERR, "auto-ssl: this cert is expired and deleted: ", domain) + return + end + + -- Check to ensure the domain is one we allow again. + local valid, verify_domain_err = verify_domain(auto_ssl_instance, domain) + if not valid then + ngx.log(ngx.ERR, "auto-ssl: this domain seems to have been invalid: ", verify_domain_err) + return + end + -- Before issuing a cert, create a local lock to ensure multiple workers -- don't simultaneously try to register the same cert. local local_lock, new_local_lock_err = lock:new("auto_ssl", { exptime = 30, timeout = 30 }) diff --git a/lib/resty/auto-ssl/servers/hook.lua b/lib/resty/auto-ssl/servers/hook.lua index 51823d4..ac3cbf8 100644 --- a/lib/resty/auto-ssl/servers/hook.lua +++ b/lib/resty/auto-ssl/servers/hook.lua @@ -39,7 +39,8 @@ return function(auto_ssl_instance) assert(params["domain"]) assert(params["fullchain"]) assert(params["privkey"]) - local _, err = storage:set_cert(params["domain"], params["fullchain"], params["privkey"], params["cert"]) + assert(params["expiry"]) + local _, err = storage:set_cert(params["domain"], params["fullchain"], params["privkey"], params["cert"], tonumber(params["expiry"])) if err then ngx.log(ngx.ERR, "auto-ssl: failed to set cert: ", err) return ngx.exit(ngx.HTTP_INTERNAL_SERVER_ERROR) 
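Review bot: Certificates stored before this change have no `expiry` field, so `if not expiry then ... return` in renew_check_cert makes every pre-existing certificate permanently un-renewable rather than falling back to the previous behaviour (letting dehydrated decide from the certificate's own dates); I would log at `ngx.WARN` and fall through to the existing renewal path instead of returning. The two `ngx.log(ngx.NOTICE, "now:" ...)` / `"expiry:"` lines run for every domain on every renewal pass and read as leftover debugging output; drop them or demote to `ngx.DEBUG` with a single `"auto-ssl: expiry check for " .. domain` message. In the `now > expiry` branch the certificate is deleted and the function returns, so the renewal job never replaces it and, as far as I can tell, the next TLS handshake for that domain has to issue synchronously; renewing (continuing past this point) seems preferable to deleting. The enclosing function continues below the hunk.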
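Review bot: `assert(params["expiry"])` in the deploy-cert handler only checks presence, while `tonumber(params["expiry"])` returns nil for a non-numeric value, so a malformed `expiry` is silently stored as a missing key and the renewal job then refuses to process that domain (`failed to get expiry date`). Validate the converted value instead: `local expiry = tonumber(params["expiry"])` / `assert(expiry, "expiry must be a numeric unix timestamp")` / `local _, err = storage:set_cert(params["domain"], params["fullchain"], params["privkey"], params["cert"], expiry)`. The enclosing handler function starts outside the hunk.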
diff --git a/lib/resty/auto-ssl/ssl_certificate.lua b/lib/resty/auto-ssl/ssl_certificate.lua index 7930e81..51c7b64 100644 --- a/lib/resty/auto-ssl/ssl_certificate.lua +++ b/lib/resty/auto-ssl/ssl_certificate.lua @@ -3,6 +3,7 @@ local lock = require "resty.lock" local ocsp = require "ngx.ocsp" local ssl = require "ngx.ssl" local ssl_provider = require "resty.auto-ssl.ssl_providers.lets_encrypt" +local verify_domain = require "resty.auto-ssl.utils.verify_domain" local function convert_to_der_and_cache(domain, fullchain_pem, privkey_pem, newly_issued) -- Convert certificate from PEM to DER format. @@ -112,6 +113,12 @@ local function get_cert(auto_ssl_instance, domain) return convert_to_der_and_cache(domain, fullchain_pem, privkey_pem, false) end + -- Next, Check to ensure the domain is one we allow. + local valid, verify_domain_err = verify_domain(auto_ssl_instance, domain) + if not valid then + return nil, nil, nil, verify_domain_err + end + -- Finally, issue a new certificate if one hasn't been found yet. fullchain_pem, privkey_pem = issue_cert(auto_ssl_instance, storage, domain) if fullchain_pem and privkey_pem then diff --git a/lib/resty/auto-ssl/storage.lua b/lib/resty/auto-ssl/storage.lua index cedeb52..478080c 100644 --- a/lib/resty/auto-ssl/storage.lua +++ b/lib/resty/auto-ssl/storage.lua @@ -30,10 +30,14 @@ function _M.get_cert(self, domain) end local data = cjson.decode(json) - return data["fullchain_pem"], data["privkey_pem"], data["cert_pem"] + return data["fullchain_pem"], data["privkey_pem"], data["cert_pem"], data["expiry"] end -function _M.set_cert(self, domain, fullchain_pem, privkey_pem, cert_pem) +function _M.delete_cert(self, domain) + return self.adapter:delete(domain .. ":latest") +end + +function _M.set_cert(self, domain, fullchain_pem, privkey_pem, cert_pem, expiry) -- Store the public certificate and private key as a single JSON string. -- -- We use a single JSON string so that the storage adapter just has to store 
@@ -44,13 +48,9 @@ function _M.set_cert(self, domain, fullchain_pem, privkey_pem, cert_pem) fullchain_pem = fullchain_pem, privkey_pem = privkey_pem, cert_pem = cert_pem, + expiry = expiry, }) - -- Store the cert with the current timestamp, so the old certs are preserved - -- in case something goes wrong. - local time = ngx.now() * 1000 - self.adapter:set(domain .. ":" .. time, data) - -- Store the cert under the "latest" alias, which is what this app will use. return self.adapter:set(domain .. ":latest", data) end diff --git a/lib/resty/auto-ssl/utils/verify_domain.lua b/lib/resty/auto-ssl/utils/verify_domain.lua new file mode 100644 index 0000000..1b54eb5 --- /dev/null +++ b/lib/resty/auto-ssl/utils/verify_domain.lua @@ -0,0 +1,37 @@ +local http = require "resty.http" +local cjson = require "cjson" + +-- Verify the domain name and return its result. +return function(auto_ssl_instance, domain) + local httpc = http.new() + local url = auto_ssl_instance:get("verification_url") + + if not url then + return true, nil + end + + url = url .. "d=" .. domain + httpc:set_timeout(10000) + local res, req_err = httpc:request_uri(url, { + method = "GET" + }) + + if not res then + return false, "Verification failed (" .. (url or "") .. "): " .. (req_err or "") + end + + if res.status ~= 200 then + return false, "Verification returns bad HTTP status code (" .. (url or "") .. "): " .. (res.status or "") + end + + local resp = res.body + if not resp or resp == "" then + return false, "Verification returns bad response body (" .. (url or "") .. "): " .. (resp or "") + end + + local data = cjson.decode(resp) + if not data["valid"] then + return false, "Invalid domain: " .. domain + end + return true, nil +end From 87953af59e720b135abe4f165b2273eb16e62f3c Mon Sep 17 00:00:00 2001 From: ryokdy Date: Mon, 4 Sep 2017 18:26:00 +0900 Subject: [PATCH 02/18] Fix test --- t/file.t | 4 ++-- t/redis.t | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) 
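Review bot: Dropping the `domain .. ":" .. time` write in set_cert removes the "old certs are preserved in case something goes wrong" safety net, which is an unrelated behaviour change for a commit titled "Store expiry date to the storage" and is not mentioned in its message. If intentional, say so in the message and adjust the header comment in the first storage.lua hunk, e.g. `-- Store the public certificate, private key and expiry (unix timestamp) as a single JSON string.`; if not, keep the timestamped write and only add `expiry = expiry`. Note that `expiry = expiry` with a nil value is simply omitted by `cjson.encode`, so callers cannot distinguish "not supplied" from "absent" on read.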
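Review bot: `cjson.decode(resp)` in verify_domain raises on malformed JSON and `data["valid"]` raises when the decoded value is not a table, so an unexpected body from the verification endpoint becomes a Lua error inside the handshake path instead of the `false, err` contract the rest of the function follows. Use the non-raising variant and check the type: `local cjson = require "cjson.safe"` at the top, then `local data, decode_err = cjson.decode(resp)` / `if type(data) ~= "table" then return false, "Verification returns bad JSON (" .. url .. "): " .. tostring(decode_err or resp) end`. `url .. "d=" .. domain` embeds the SNI-supplied hostname without escaping and without the `?` separator (patch 04 in this series adds the `?`); build it as `url .. "?d=" .. ngx.escape_uri(domain)`. The `(url or "")` fallbacks after the `if not url then return true, nil end` guard are dead and can be plain `url`.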
diff --git a/t/file.t b/t/file.t index c413b08..7c831d9 100644 --- a/t/file.t +++ b/t/file.t @@ -263,11 +263,11 @@ received: Connection: close received: received: foo --- error_log -(Longer than 30 days). Skipping -auto-ssl: checking certificate renewals for --- no_error_log [warn] [error] [alert] [emerg] issuing new certificate for +(Longer than 30 days). Skipping +auto-ssl: checking certificate renewals for diff --git a/t/redis.t b/t/redis.t index 5bb94b8..281cbad 100644 --- a/t/redis.t +++ b/t/redis.t @@ -280,14 +280,14 @@ received: Connection: close received: received: foo --- error_log -(Longer than 30 days). Skipping -auto-ssl: checking certificate renewals for --- no_error_log [warn] [error] [alert] [emerg] issuing new certificate for +(Longer than 30 days). Skipping +auto-ssl: checking certificate renewals for === TEST 3: issues a new SSL certificate and stores it in redis with a prefix --- http_config @@ -549,8 +549,6 @@ received: Connection: close received: received: foo --- error_log -(Longer than 30 days). Skipping -auto-ssl: checking certificate renewals for --- no_error_log [warn] [error] @@ -558,4 +556,6 @@ auto-ssl: checking certificate renewals for [emerg] attempting to renew certificate for domain without certificates in storage issuing new certificate for +(Longer than 30 days). Skipping +auto-ssl: checking certificate renewals for From 812f682f75f829be205da627ffe7aee4ea62d208 Mon Sep 17 00:00:00 2001 From: ryokdy Date: Mon, 4 Sep 2017 18:27:55 +0900 Subject: [PATCH 03/18] Change repository --- lua-resty-auto-ssl-0.11.0-1.rockspec | 2 +- lua-resty-auto-ssl-git-1.rockspec | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/lua-resty-auto-ssl-0.11.0-1.rockspec b/lua-resty-auto-ssl-0.11.0-1.rockspec index 378bb35..b79d62a 100644 --- a/lua-resty-auto-ssl-0.11.0-1.rockspec +++ b/lua-resty-auto-ssl-0.11.0-1.rockspec 
@@ -1,7 +1,7 @@ package = "lua-resty-auto-ssl" version = "0.11.0-1" source = { - url = "git://github.com/GUI/lua-resty-auto-ssl.git", + url = "git://github.com/ryokdy/lua-resty-auto-ssl.git", tag = "v0.11.0", } description = { diff --git a/lua-resty-auto-ssl-git-1.rockspec b/lua-resty-auto-ssl-git-1.rockspec index ec64a57..5155cb0 100644 --- a/lua-resty-auto-ssl-git-1.rockspec +++ b/lua-resty-auto-ssl-git-1.rockspec @@ -1,7 +1,7 @@ package = "lua-resty-auto-ssl" version = "git-1" source = { - url = "git://github.com/GUI/lua-resty-auto-ssl.git", + url = "git://github.com/ryokdy/lua-resty-auto-ssl.git", } description = { summary = "Automatic SSL handling for OpenResty", From c48b2024d645ac3be4744594ed6b001cccd58dd0 Mon Sep 17 00:00:00 2001 From: ryokdy Date: Mon, 4 Sep 2017 19:27:46 +0900 Subject: [PATCH 04/18] Do not use ssl verification --- lib/resty/auto-ssl/utils/verify_domain.lua | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/lib/resty/auto-ssl/utils/verify_domain.lua b/lib/resty/auto-ssl/utils/verify_domain.lua index 1b54eb5..8990a2d 100644 --- a/lib/resty/auto-ssl/utils/verify_domain.lua +++ b/lib/resty/auto-ssl/utils/verify_domain.lua @@ -10,11 +10,12 @@ return function(auto_ssl_instance, domain) return true, nil end - url = url .. "d=" .. domain + url = url .. "?d=" .. domain httpc:set_timeout(10000) local res, req_err = httpc:request_uri(url, { - method = "GET" - }) + ssl_verify = false, + method = "GET" + }) if not res then return false, "Verification failed (" .. (url or "") .. "): " .. (req_err or "") From ac034e5ac2bf4596fb69d965bd6dc2e3ed56d0bb Mon Sep 17 00:00:00 2001 From: ryokdy Date: Tue, 8 Sep 2020 21:07:58 +0900 Subject: [PATCH 05/18] Unlock the certificate renewal lock when verify_domain returns false --- lib/resty/auto-ssl/jobs/renewal.lua | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/lib/resty/auto-ssl/jobs/renewal.lua b/lib/resty/auto-ssl/jobs/renewal.lua index 743787a..a60ec25 100644 
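Review bot: `ssl_verify = false` turns off certificate verification on the very request whose answer decides whether a certificate is issued for `domain`, so anyone able to intercept traffic to `verification_url` can answer `{"valid": true}` (or deny) and the policy check is only as trustworthy as that unauthenticated connection. If the endpoint uses a private CA or self-signed certificate, point `lua_ssl_trusted_certificate` at it in the nginx config and leave verification on; if the URL is plain `http://` the option has no effect and should be removed rather than left to suggest TLS is in use. The re-indented `})` is a stray whitespace change in the same hunk.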
--- a/lib/resty/auto-ssl/jobs/renewal.lua +++ b/lib/resty/auto-ssl/jobs/renewal.lua @@ -147,8 +147,9 @@ local function renew_check_cert(auto_ssl_instance, storage, domain) local valid, verify_domain_err = verify_domain(auto_ssl_instance, domain) if not valid then ngx.log(ngx.ERR, "auto-ssl: this domain seems to have been invalid: ", verify_domain_err) + renew_check_cert_unlock(domain, storage, local_lock, distributed_lock_value) return - end + end -- We didn't previously store the cert.pem (since it can be derived from the -- fullchain.pem). So for backwards compatibility, set the cert.pem value to From 666e00657b82374218476561d6b8fc096ed4dd2d Mon Sep 17 00:00:00 2001 From: ryokdy Date: Thu, 22 Oct 2020 16:43:01 +0900 Subject: [PATCH 06/18] Remove wrong return value --- lib/resty/auto-ssl/ssl_certificate.lua | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/resty/auto-ssl/ssl_certificate.lua b/lib/resty/auto-ssl/ssl_certificate.lua index 1bb5111..802ff63 100644 --- a/lib/resty/auto-ssl/ssl_certificate.lua +++ b/lib/resty/auto-ssl/ssl_certificate.lua @@ -144,7 +144,7 @@ local function get_cert_der(auto_ssl_instance, domain, ssl_options) -- Next, Check to ensure the domain is one we allow. local valid, verify_domain_err = verify_domain(auto_ssl_instance, domain) if not valid then - return nil, nil, nil, verify_domain_err + return nil, verify_domain_err end -- Finally, issue a new certificate if one hasn't been found yet. From b591d7654765600745ab1388d00f42167365712c Mon Sep 17 00:00:00 2001 From: ryokdy Date: Thu, 22 Oct 2020 16:49:54 +0900 Subject: [PATCH 07/18] Add test code which uses the original allow_domain function. This forked repo has been obsoleted. --- spec/allow_domain_spec.lua | 63 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 63 insertions(+) create mode 100644 spec/allow_domain_spec.lua diff --git a/spec/allow_domain_spec.lua b/spec/allow_domain_spec.lua new file mode 100644 index 0000000..1a229b2 --- /dev/null 
+++ b/spec/allow_domain_spec.lua @@ -0,0 +1,63 @@ +local cjson = require "cjson.safe" +local file = require "pl.file" +local http = require "resty.http" +local server = require "spec.support.server" + +describe("allow_domain", function() + before_each(server.stop) + after_each(server.stop) + + it("verifies domain from remote server", function() + server.start({ + auto_ssl_pre_new = [[ + options["allow_domain"] = function(domain) + if ngx.re.match(domain, "^([0-9]\\.[0-9]\\.[0-9]\\.[0-9])$", "ijo") then + return false + elseif ngx.re.match(domain, "(amazonaws.com|google-analytics.com)$", "ijo") then + return false + end + + local httpc = (require "resty.http").new() + local cjson = (require "cjson") + + local url = "http://localhost:3000/domains?d=" .. domain + httpc:set_timeout(10000) + local res, req_err = httpc:request_uri(url, { + ssl_verify = false, + method = "GET" + }) + + if not res then + ngx.log(ngx.ERR, "Verification failed (" .. (url or "") .. "): " .. (req_err or "")) + return false + end + + if res.status ~= 200 then + ngx.log(ngx.ERR, "Verification returns bad HTTP status code (" .. (url or "") .. "): " .. (res.status or "")) + return false + end + + local resp = res.body + if not resp or resp == "" then + ngx.log(ngx.ERR, "Verification returns bad response body (" .. (url or "") .. "): " .. (resp or "")) + return false + end + + local data = cjson.decode(resp) + if not data["valid"] then + ngx.log(ngx.ERR, "Invalid domain: " .. domain) + return false + end + return true + end + ]], + }) + + local httpc = http.new() + local _, connect_err = httpc:connect("127.0.0.1", 9443) + assert.equal(nil, connect_err) + + local _, ssl_err = httpc:ssl_handshake(nil, server.ngrok_hostname, true) + assert.equal(nil, ssl_err) + end) +end) \ No newline at end of file From fa52b00476da75bdab8cb1ec6abf9a5acf95545d Mon Sep 17 00:00:00 2001 
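Review bot: The denylist pattern `(amazonaws.com|google-analytics.com)$` in the inlined allow_domain has unescaped dots and no leading anchor, so it also matches any hostname that merely ends in those characters (e.g. a constructed `notamazonaws.com`); it only over-blocks, but `(^|\\.)(amazonaws\\.com|google-analytics\\.com)$` states the intent, and the IPv4 pattern `[0-9]\\.` matches single-digit octets only (patch 08 in this series widens it). Nothing in the spec starts a listener on `localhost:3000`, so `request_uri` presumably fails and allow_domain returns false, which makes the `assert.equal(nil, ssl_err)` expectation of a successful handshake look inconsistent with the path actually exercised (patch 08 changes that assertion). The `cjson.safe` and `pl.file` requires at the top are unused (patch 09 removes them), and the `domain` value should be passed through `ngx.escape_uri` before being appended to the query string.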
From: ryokdy Date: Thu, 22 Oct 2020 17:11:04 +0900 Subject: [PATCH 08/18] Add test code which uses the original allow_domain function. This forked repo has been obsoleted. --- spec/allow_domain_spec.lua | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/spec/allow_domain_spec.lua b/spec/allow_domain_spec.lua index 1a229b2..99c3904 100644 --- a/spec/allow_domain_spec.lua +++ b/spec/allow_domain_spec.lua @@ -11,7 +11,7 @@ describe("allow_domain", function() server.start({ auto_ssl_pre_new = [[ options["allow_domain"] = function(domain) - if ngx.re.match(domain, "^([0-9]\\.[0-9]\\.[0-9]\\.[0-9])$", "ijo") then + if ngx.re.match(domain, "^([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)$", "ijo") then return false elseif ngx.re.match(domain, "(amazonaws.com|google-analytics.com)$", "ijo") then return false @@ -56,8 +56,7 @@ describe("allow_domain", function() local httpc = http.new() local _, connect_err = httpc:connect("127.0.0.1", 9443) assert.equal(nil, connect_err) - local _, ssl_err = httpc:ssl_handshake(nil, server.ngrok_hostname, true) - assert.equal(nil, ssl_err) + assert.equal("18: self signed certificate", ssl_err) end) -end) \ No newline at end of file +end) From 6b440dc6e869ddf8b2935a35c70f06c05e6a5b42 Mon Sep 17 00:00:00 2001 From: ryokdy Date: Thu, 22 Oct 2020 17:15:25 +0900 Subject: [PATCH 09/18] Remove whitespaces --- spec/allow_domain_spec.lua | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/spec/allow_domain_spec.lua b/spec/allow_domain_spec.lua index 99c3904..5e75095 100644 --- a/spec/allow_domain_spec.lua +++ b/spec/allow_domain_spec.lua @@ -1,5 +1,3 @@ -local cjson = require "cjson.safe" -local file = require "pl.file" local http = require "resty.http" local server = require "spec.support.server" 
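Review bot: `assert.equal("18: self signed certificate", ssl_err)` pins the exact OpenSSL error text; OpenSSL 3.x spells this "self-signed certificate", so the assertion will break when the base image's OpenSSL changes (patch 11 in this series bumps the images, and I have not checked which OpenSSL they carry). Match the stable part instead, e.g. `assert.matches("^18: self.signed certificate", ssl_err)`, or compare only the numeric verify code prefix. A one-line comment above the assertion saying that the fallback self-signed certificate is expected because allow_domain rejected the hostname would also make the intent of the test clearer.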
@@ -19,30 +17,30 @@ describe("allow_domain", function() local httpc = (require "resty.http").new() local cjson = (require "cjson") - + local url = "http://localhost:3000/domains?d=" .. domain httpc:set_timeout(10000) local res, req_err = httpc:request_uri(url, { ssl_verify = false, method = "GET" }) - + if not res then ngx.log(ngx.ERR, "Verification failed (" .. (url or "") .. "): " .. (req_err or "")) return false end - + if res.status ~= 200 then ngx.log(ngx.ERR, "Verification returns bad HTTP status code (" .. (url or "") .. "): " .. (res.status or "")) return false end - + local resp = res.body if not resp or resp == "" then ngx.log(ngx.ERR, "Verification returns bad response body (" .. (url or "") .. "): " .. (resp or "")) return false end - + local data = cjson.decode(resp) if not data["valid"] then ngx.log(ngx.ERR, "Invalid domain: " .. domain) From 383637969e727ed6b53c35f91d89d68233bb8764 Mon Sep 17 00:00:00 2001 From: Chris Gunther Date: Fri, 14 Jul 2023 11:08:41 -0400 Subject: [PATCH 10/18] Bump dehydrated to v0.7.1 Notably this includes support for asynchronous order finalization, which was tentatively scheduled to be released in April, however was postponed indefinitely: https://community.letsencrypt.org/t/enabling-asynchronous-order-finalization/193522/8 However, for a brief period between 7/13 and 7/14, I saw errors issuing certifcates looking highly similar to what was initially reported when Let's Encrypt tried the roll out of asychronous order finalization: https://community.letsencrypt.org/t/openresty-with-resty-auto-ssl-failing-with-curl-error-3/195924/1 Fixes #289 --- Makefile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Makefile b/Makefile index 0636d73..78882e8 100644 --- a/Makefile +++ b/Makefile 
@@ -1,7 +1,7 @@ ROOT_DIR:=$(shell dirname $(realpath $(lastword $(MAKEFILE_LIST)))) BUILD_DIR?=$(ROOT_DIR)/build -DEHYDRATED_VERSION:=05eda91a2fbaed1e13c733230238fc68475c535e +DEHYDRATED_VERSION:=ea841998631561543357f032fa7c06598c34d517 LUA_RESTY_SHELL_VERSION:=955243d70506c21e7cc29f61d745d1a8a718994f SOCKPROC_VERSION:=92aba736027bb5d96e190b71555857ac5bb6b2be From 57c0880d36155ae46aba1bb7d69e1f749afdd378 Mon Sep 17 00:00:00 2001 From: ryokdy Date: Tue, 21 Nov 2023 19:55:53 +0900 Subject: [PATCH 11/18] Bump openresty to v1.21.4 --- .github/workflows/main.yml | 2 +- Dockerfile-test | 4 +- Dockerfile-test-alpine | 6 +- Dockerfile-test-lua51 | 4 +- ...resty1.13 => Dockerfile-test-openresty1.21 | 4 +- Dockerfile-test-ubuntu | 8 +-- Makefile | 4 +- docker-compose.yml | 8 +-- spec/certs/letsencrypt-stg-root-x1.pem | 32 +++++++++++ spec/certs/letsencrypt_staging_chain.pem | 56 ------------------- spec/config/busted-nginx.conf | 2 +- spec/proxy_spec.lua | 2 +- spec/support/server.lua | 6 +- 13 files changed, 55 insertions(+), 83 deletions(-) rename Dockerfile-test-openresty1.13 => Dockerfile-test-openresty1.21 (86%) create mode 100644 spec/certs/letsencrypt-stg-root-x1.pem delete mode 100644 spec/certs/letsencrypt_staging_chain.pem diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index 212f443..f61653d 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -20,7 +20,7 @@ jobs: - centos - alpine - ubuntu - - openresty1.13 + - openresty1.21 - lua51 steps: - uses: actions/checkout@v1 diff --git a/Dockerfile-test b/Dockerfile-test index b044892..4086167 100644 --- a/Dockerfile-test +++ b/Dockerfile-test @@ -1,4 +1,4 @@ -FROM openresty/openresty:1.15.8.1-4-centos +FROM openresty/openresty:1.21.4.1-0-centos # Runtime dependencies RUN yum -y install \ 
@@ -26,7 +26,7 @@ RUN yum -y install epel-release && \ procps-ng \ redis \ sudo \ - https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm + https://bin.equinox.io/a/6iuHhJeWypm/ngrok-3.4.0-linux-amd64.rpm RUN mkdir /app WORKDIR /app diff --git a/Dockerfile-test-alpine b/Dockerfile-test-alpine index 0d2d56d..199d6af 100644 --- a/Dockerfile-test-alpine +++ b/Dockerfile-test-alpine @@ -1,4 +1,4 @@ -FROM openresty/openresty:1.15.8.2-1-alpine-fat +FROM openresty/openresty:1.21.4.1-0-alpine-fat RUN mkdir /app WORKDIR /app @@ -28,9 +28,7 @@ RUN apk add --no-cache \ sudo \ tzdata \ wget && \ - curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/a/naDTyS8Kyxv/ngrok-2.3.34-linux-386.tar.gz && \ - tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \ - rm -f /tmp/ngrok.tar.gz && \ + curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.list && sudo apt update && sudo apt install ngrok && \ chmod +x /usr/local/bin/ngrok COPY Makefile /app/Makefile diff --git a/Dockerfile-test-lua51 b/Dockerfile-test-lua51 index 4509620..8e410e1 100644 --- a/Dockerfile-test-lua51 +++ b/Dockerfile-test-lua51 @@ -1,4 +1,4 @@ -FROM openresty/openresty:1.11.2.1-centos +FROM openresty/openresty:1.21.4.1-0-centos # Runtime dependencies RUN yum -y install \ @@ -23,7 +23,7 @@ RUN yum -y install epel-release && \ procps-ng \ redis \ sudo \ - https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm + https://bin.equinox.io/a/6iuHhJeWypm/ngrok-3.4.0-linux-amd64.rpm ENV PATH /usr/local/openresty/luajit/bin:/usr/local/openresty/bin:/usr/local/openresty/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin ENV TEST_NGINX_RESOLVER 127.0.0.11 ipv6=off 
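Review bot: The new rpm URL `https://bin.equinox.io/a/6iuHhJeWypm/ngrok-3.4.0-linux-amd64.rpm` keeps the path token of the 2.3.34 build and only changes the file name; equinox release URLs are, as far as I know, unique per build, so I would expect this download to fail, and the same line is repeated in the Dockerfile-test-lua51 and Dockerfile-test-openresty1.21 hunks. Whatever URL is correct, the binary is installed without any integrity check; pin the version and verify it (e.g. download to a file and `sha256sum -c` against a known digest) so the test image does not run an unverified executable fetched at build time.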
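Review bot: The replacement ngrok install in Dockerfile-test-alpine uses `apt update` / `apt install` and writes to `/etc/apt/...`, but this is an Alpine image with neither apt nor, by default, sudo, and the `deb ... buster main` line targets Debian; the following `chmod +x /usr/local/bin/ngrok` then acts on a path nothing has written. Patch 12 in this series ("Install ngrok from tar ball") appears to rework this, so the apt-based line should not be committed in between; the Dockerfile-test-ubuntu hunk uses the same command, where apt at least exists, but `sudo` is unnecessary since the build already runs as root and `apt` (rather than `apt-get`) is not intended for scripted use. Whichever approach lands, pin the ngrok version and verify the downloaded artifact's checksum rather than installing whatever the remote currently serves.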
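Review bot: Changing Dockerfile-test-lua51's base from `openresty/openresty:1.11.2.1-centos` to `1.21.4.1-0-centos` gives it the same base image as Dockerfile-test, so unless the rest of the file (outside this hunk) installs a separate Lua 5.1 interpreter, the `lua51` CI matrix entry no longer exercises a distinct runtime and duplicates the centos job. If the intent is to keep a Lua 5.1 lane, a comment on the `FROM` line stating how 5.1 is provided would help; otherwise the Dockerfile and its docker-compose/workflow entries could be dropped.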
diff --git a/Dockerfile-test-openresty1.13 b/Dockerfile-test-openresty1.21 similarity index 86% rename from Dockerfile-test-openresty1.13 rename to Dockerfile-test-openresty1.21 index 3a285d3..0afff2d 100644 --- a/Dockerfile-test-openresty1.13 +++ b/Dockerfile-test-openresty1.21 @@ -1,4 +1,4 @@ -FROM openresty/openresty:1.13.6.2-2-centos +FROM openresty/openresty:1.21.4.1-0-centos # Runtime dependencies RUN yum -y install \ @@ -23,7 +23,7 @@ RUN yum -y install epel-release && \ procps-ng \ redis \ sudo \ - https://bin.equinox.io/a/6iuHhJeWypm/ngrok-2.3.34-linux-amd64.rpm + https://bin.equinox.io/a/6iuHhJeWypm/ngrok-3.4.0-linux-amd64.rpm RUN mkdir /app WORKDIR /app diff --git a/Dockerfile-test-ubuntu b/Dockerfile-test-ubuntu index fff7566..e58b58f 100644 --- a/Dockerfile-test-ubuntu +++ b/Dockerfile-test-ubuntu @@ -1,4 +1,4 @@ -FROM openresty/openresty:1.15.8.2-1-bionic +FROM openresty/openresty:1.21.4.1-0-bionic ENV DEBIAN_FRONTEND noninteractive @@ -22,13 +22,11 @@ RUN apt-get update && \ apt-get -y install \ git \ lsof \ - lua5.2 \ + lua5.4 \ redis-server \ sudo \ tzdata && \ - curl -fsSL -o /tmp/ngrok.deb https://bin.equinox.io/a/b2wQezFbsHk/ngrok-2.3.34-linux-amd64.deb && \ - dpkg -i /tmp/ngrok.deb || apt-get -fy install && \ - rm -f /tmp/ngrok.deb + curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.list && sudo apt update && sudo apt install ngrok RUN mkdir /app WORKDIR /app diff --git a/Makefile b/Makefile index 48df607..d223a0f 100644 --- a/Makefile +++ b/Makefile 
@@ -96,11 +96,11 @@ install-test-deps: luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install busted 2.0.0-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install etlua 1.3.0-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install inspect 3.1.1-0 - luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install lua-resty-http 0.15-0 + luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install lua-resty-http 0.17.1-0 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install luacheck 0.23.0-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install luaposix 34.1.1-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install penlight 1.5.4-1 - luarocks install luarocks-fetch-gitrec && luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install process 1.9.0-1 + luarocks install luarocks-fetch-gitrec && luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install process 1.9.1-1 luarocks --tree=/tmp/resty-auto-ssl-test-luarocks install shell-games 1.0.1-1 lint: diff --git a/docker-compose.yml b/docker-compose.yml index abfa231..7942fcb 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -36,13 +36,13 @@ services: - ubuntu_build_cache:/app/build sysctls: net.core.somaxconn: 1024 - openresty1.13: + openresty1.21: build: context: . - dockerfile: Dockerfile-test-openresty1.13 + dockerfile: Dockerfile-test-openresty1.21 volumes: - .:/app - - openresty1.13_build_cache:/app/build + - openresty1.21_build_cache:/app/build sysctls: net.core.somaxconn: 1024 lua51: @@ -59,5 +59,5 @@ volumes: centos_build_cache: alpine_build_cache: ubuntu_build_cache: - openresty1.13_build_cache: + openresty1.21_build_cache: lua51_build_cache: diff --git a/spec/certs/letsencrypt-stg-root-x1.pem b/spec/certs/letsencrypt-stg-root-x1.pem new file mode 100644 index 0000000..37655b2 --- /dev/null +++ b/spec/certs/letsencrypt-stg-root-x1.pem 
@@ -0,0 +1,32 @@ +-----BEGIN CERTIFICATE----- +MIIFmDCCA4CgAwIBAgIQU9C87nMpOIFKYpfvOHFHFDANBgkqhkiG9w0BAQsFADBm +MQswCQYDVQQGEwJVUzEzMDEGA1UEChMqKFNUQUdJTkcpIEludGVybmV0IFNlY3Vy +aXR5IFJlc2VhcmNoIEdyb3VwMSIwIAYDVQQDExkoU1RBR0lORykgUHJldGVuZCBQ +ZWFyIFgxMB4XDTE1MDYwNDExMDQzOFoXDTM1MDYwNDExMDQzOFowZjELMAkGA1UE +BhMCVVMxMzAxBgNVBAoTKihTVEFHSU5HKSBJbnRlcm5ldCBTZWN1cml0eSBSZXNl +YXJjaCBHcm91cDEiMCAGA1UEAxMZKFNUQUdJTkcpIFByZXRlbmQgUGVhciBYMTCC +AiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALbagEdDTa1QgGBWSYkyMhsc +ZXENOBaVRTMX1hceJENgsL0Ma49D3MilI4KS38mtkmdF6cPWnL++fgehT0FbRHZg +jOEr8UAN4jH6omjrbTD++VZneTsMVaGamQmDdFl5g1gYaigkkmx8OiCO68a4QXg4 +wSyn6iDipKP8utsE+x1E28SA75HOYqpdrk4HGxuULvlr03wZGTIf/oRt2/c+dYmD +oaJhge+GOrLAEQByO7+8+vzOwpNAPEx6LW+crEEZ7eBXih6VP19sTGy3yfqK5tPt +TdXXCOQMKAp+gCj/VByhmIr+0iNDC540gtvV303WpcbwnkkLYC0Ft2cYUyHtkstO +fRcRO+K2cZozoSwVPyB8/J9RpcRK3jgnX9lujfwA/pAbP0J2UPQFxmWFRQnFjaq6 +rkqbNEBgLy+kFL1NEsRbvFbKrRi5bYy2lNms2NJPZvdNQbT/2dBZKmJqxHkxCuOQ +FjhJQNeO+Njm1Z1iATS/3rts2yZlqXKsxQUzN6vNbD8KnXRMEeOXUYvbV4lqfCf8 +mS14WEbSiMy87GB5S9ucSV1XUrlTG5UGcMSZOBcEUpisRPEmQWUOTWIoDQ5FOia/ +GI+Ki523r2ruEmbmG37EBSBXdxIdndqrjy+QVAmCebyDx9eVEGOIpn26bW5LKeru +mJxa/CFBaKi4bRvmdJRLAgMBAAGjQjBAMA4GA1UdDwEB/wQEAwIBBjAPBgNVHRMB +Af8EBTADAQH/MB0GA1UdDgQWBBS182Xy/rAKkh/7PH3zRKCsYyXDFDANBgkqhkiG +9w0BAQsFAAOCAgEAncDZNytDbrrVe68UT6py1lfF2h6Tm2p8ro42i87WWyP2LK8Y +nLHC0hvNfWeWmjZQYBQfGC5c7aQRezak+tHLdmrNKHkn5kn+9E9LCjCaEsyIIn2j +qdHlAkepu/C3KnNtVx5tW07e5bvIjJScwkCDbP3akWQixPpRFAsnP+ULx7k0aO1x +qAeaAhQ2rgo1F58hcflgqKTXnpPM02intVfiVVkX5GXpJjK5EoQtLceyGOrkxlM/ +sTPq4UrnypmsqSagWV3HcUlYtDinc+nukFk6eR4XkzXBbwKajl0YjztfrCIHOn5Q +CJL6TERVDbM/aAPly8kJ1sWGLuvvWYzMYgLzDul//rUF10gEMWaXVZV51KpS9DY/ +5CunuvCXmEQJHo7kGcViT7sETn6Jz9KOhvYcXkJ7po6d93A/jy4GKPIPnsKKNEmR +xUuXY4xRdh45tMJnLTUDdC9FIU0flTeO9/vNpVA8OPU1i14vCz+MU8KX1bV3GXm/ +fxlB7VBBjX9v5oUep0o/j68R/iDlCOM4VVfRa8gX6T2FU7fNdatvGro7uQzIvWof +gN9WUwCbEMBy/YhBSrXycKA8crgGg3x1mIsopn88JKwmMBa68oS7EHM9w7C4y71M 
+7DiA+/9Qdp9RBWJpTS9i/mDnJg1xvo8Xz49mrrgfmcAXTCJqXi24NatI3Oc= +-----END CERTIFICATE----- diff --git a/spec/certs/letsencrypt_staging_chain.pem b/spec/certs/letsencrypt_staging_chain.pem deleted file mode 100644 index 1c458f4..0000000 --- a/spec/certs/letsencrypt_staging_chain.pem +++ /dev/null 
@@ -1,56 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIFATCCAumgAwIBAgIRAKc9ZKBASymy5TLOEp57N98wDQYJKoZIhvcNAQELBQAw -GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTM0NloXDTM2 -MDMyMzIyNTM0NlowGjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMIICIjANBgkq -hkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA+pYHvQw5iU3v2b3iNuYNKYgsWD6KU7aJ -diddtZQxSWYzUI3U0I1UsRPTxnhTifs/M9NW4ZlV13ZfB7APwC8oqKOIiwo7IwlP -xg0VKgyz+kT8RJfYr66PPIYP0fpTeu42LpMJ+CKo9sbpgVNDZN2z/qiXrRNX/VtG -TkPV7a44fZ5bHHVruAxvDnylpQxJobtCBWlJSsbIRGFHMc2z88eUz9NmIOWUKGGj -EmP76x8OfRHpIpuxRSCjn0+i9+hR2siIOpcMOGd+40uVJxbRRP5ZXnUFa2fF5FWd -O0u0RPI8HON0ovhrwPJY+4eWKkQzyC611oLPYGQ4EbifRsTsCxUZqyUuStGyp8oa -aoSKfF6X0+KzGgwwnrjRTUpIl19A92KR0Noo6h622OX+4sZiO/JQdkuX5w/HupK0 -A0M0WSMCvU6GOhjGotmh2VTEJwHHY4+TUk0iQYRtv1crONklyZoAQPD76hCrC8Cr -IbgsZLfTMC8TWUoMbyUDgvgYkHKMoPm0VGVVuwpRKJxv7+2wXO+pivrrUl2Q9fPe -Kk055nJLMV9yPUdig8othUKrRfSxli946AEV1eEOhxddfEwBE3Lt2xn0hhiIedbb -Ftf/5kEWFZkXyUmMJK8Ra76Kus2ABueUVEcZ48hrRr1Hf1N9n59VbTUaXgeiZA50 -qXf2bymE6F8CAwEAAaNCMEAwDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMB -Af8wHQYDVR0OBBYEFMEmdKSKRKDm+iAo2FwjmkWIGHngMA0GCSqGSIb3DQEBCwUA -A4ICAQBCPw74M9X/Xx04K1VAES3ypgQYH5bf9FXVDrwhRFSVckria/7dMzoF5wln -uq9NGsjkkkDg17AohcQdr8alH4LvPdxpKr3BjpvEcmbqF8xH+MbbeUEnmbSfLI8H -sefuhXF9AF/9iYvpVNC8FmJ0OhiVv13VgMQw0CRKkbtjZBf8xaEhq/YqxWVsgOjm -dm5CAQ2X0aX7502x8wYRgMnZhA5goC1zVWBVAi8yhhmlhhoDUfg17cXkmaJC5pDd -oenZ9NVhW8eDb03MFCrWNvIh89DDeCGWuWfDltDq0n3owyL0IeSn7RfpSclpxVmV -/53jkYjwIgxIG7Gsv0LKMbsf6QdBcTjhvfZyMIpBRkTe3zuHd2feKzY9lEkbRvRQ -zbh4Ps5YBnG6CKJPTbe2hfi3nhnw/MyEmF3zb0hzvLWNrR9XW3ibb2oL3424XOwc -VjrTSCLzO9Rv6s5wi03qoWvKAQQAElqTYRHhynJ3w6wuvKYF5zcZF3MDnrVGLbh1 -Q9ePRFBCiXOQ6wPLoUhrrbZ8LpFUFYDXHMtYM7P9sc9IAWoONXREJaO08zgFtMp4 -8iyIYUyQAbsvx8oD2M8kRvrIRSrRJSl6L957b4AFiLIQ/GgV2curs0jje7Edx34c -idWw1VrejtwclobqNMVtG3EiPUIpJGpbMcJgbiLSmKkrvQtGng== ------END CERTIFICATE----- ------BEGIN CERTIFICATE----- -MIIEqTCCApGgAwIBAgIRAIvhKg5ZRO08VGQx8JdhT+QwDQYJKoZIhvcNAQELBQAw 
-GjEYMBYGA1UEAwwPRmFrZSBMRSBSb290IFgxMB4XDTE2MDMyMzIyNTkwNFoXDTM2 -MDMyMzIyNTkwNFowIjEgMB4GA1UEAwwXRmFrZSBMRSBJbnRlcm1lZGlhdGUgWDEw -ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWKySDn7rWZc5ggjz3ZB0 -8jO4xti3uzINfD5sQ7Lj7hzetUT+wQob+iXSZkhnvx+IvdbXF5/yt8aWPpUKnPym -oLxsYiI5gQBLxNDzIec0OIaflWqAr29m7J8+NNtApEN8nZFnf3bhehZW7AxmS1m0 -ZnSsdHw0Fw+bgixPg2MQ9k9oefFeqa+7Kqdlz5bbrUYV2volxhDFtnI4Mh8BiWCN -xDH1Hizq+GKCcHsinDZWurCqder/afJBnQs+SBSL6MVApHt+d35zjBD92fO2Je56 -dhMfzCgOKXeJ340WhW3TjD1zqLZXeaCyUNRnfOmWZV8nEhtHOFbUCU7r/KkjMZO9 -AgMBAAGjgeEwgd4wDgYDVR0PAQH/BAQDAgGGMBIGA1UdEwEB/wQIMAYBAf8CAQAw -HQYDVR0OBBYEFMDMA0a5WCDMXHJw8+EuyyCm9Wg6MHgGCCsGAQUFBwEBBGwwajAz -BggrBgEFBQcwAYYnaHR0cDovL29jc3Auc3RnLWludC14MS5sZXRzZW5jcnlwdC5v -cmcvMDMGCCsGAQUFBzAChidodHRwOi8vY2VydC5zdGctaW50LXgxLmxldHNlbmNy -eXB0Lm9yZy8wHwYDVR0jBBgwFoAUwSZ0pIpEoOb6ICjYXCOaRYgYeeAwDQYJKoZI -hvcNAQELBQADggIBAHODDwZVaO5EqEYoVvEPPzaZas5BNVRHUAdc+xNg4oKACBAW -o3mnX1tKr9lsWSDxLrCE7y+mdRq37PKzapEaL1q8KYXgzI1Ua7JeyOvCs4IMmhSZ -HLSJMFgAv77nD28kB6teMlJI+NxmvD5cmsDl+1C2D862DFuiy3R/80c++ZIqfWg3 -CvsQmwx0bategh3cT8mPwQEdRW0LpgomT37kSxZSGn9TzPXQ+NSvD/CpEF0mVQWM -09aiOE3QWg8BpdzxpbbmEhtWv4MNU1U3iyYNjaPzqD1J3R/7IjJmsNbDY5XKoqIB -AeHPisSzP8CdCwQpJC8rBDefUfrbYqvhWuCff+amrUe01nvp9jtWefwUWWSwcjEg -xYwz2vt6TgLNw5wBWk854x6yc323se/Wp7u7F9lguCRIUMPVH9MfBzR1wyUfpbZa -eFVPFkHQsKv5ydKNQlk8fO97xXhpK4yueMNLnjbWEDKnEvJtCsbqlQm3XHWvqhz9 -B/V1c95n8Z9Av2uVZ5HvZKnA9OXi4WF1ES6hkiFzom/exWxBxd+skh6yJuX1edpX -L5TSN5XTa5OPONWh3AQfz7/0aenJNhyPJ4687pwQpGir4ctvT1k3enSRNqO6Vwxv -0BB50f7tpC0k/XzGyQyCVXo6jjDv1057VbZTUB+Y7BzXvcm7aglHPA71K3nW ------END CERTIFICATE----- diff --git a/spec/config/busted-nginx.conf b/spec/config/busted-nginx.conf index c21b5c7..4ff94c1 100644 --- a/spec/config/busted-nginx.conf +++ b/spec/config/busted-nginx.conf 
@@ -1,3 +1,3 @@
-lua_ssl_trusted_certificate /app/spec/certs/letsencrypt_staging_chain.pem;
+lua_ssl_trusted_certificate /app/spec/certs/letsencrypt-stg-root-x1.pem;
 lua_ssl_verify_depth 5;
 lua_shared_dict test_counts 128k;
diff --git a/spec/proxy_spec.lua b/spec/proxy_spec.lua
index 8c7c2b3..726d700 100644
--- a/spec/proxy_spec.lua
+++ b/spec/proxy_spec.lua
@@ -44,7 +44,7 @@ describe("proxy", function()
 local error_log = server.read_error_log()
 assert.matches("auto-ssl: issuing new certificate for " .. server.ngrok_hostname, error_log, nil, true)
 assert.matches("http proxy auth: Basic ZGVtbzp0ZXN0", error_log, nil, true)
- assert.matches("auto-ssl: failed to set ocsp stapling for " .. server.ngrok_hostname .. " - continuing anyway - failed to get ocsp response: OCSP responder returns bad response body (http://ocsp.stg-int-x1.letsencrypt.org): ,", error_log, nil, true)
+ assert.matches("auto-ssl: failed to set ocsp stapling for " .. server.ngrok_hostname .. " - continuing anyway - failed to get ocsp response: OCSP responder returns bad response body (http://stg-e1.o.lencr.org): ,", error_log, nil, true)
 assert.Not.matches("[warn]", error_log, nil, true)
 assert.matches("[error]", error_log, nil, true)
 assert.Not.matches("[alert]", error_log, nil, true)
diff --git a/spec/support/server.lua b/spec/support/server.lua
index d41cc7a..490cdd5 100644
--- a/spec/support/server.lua
+++ b/spec/support/server.lua
@@ -49,12 +49,12 @@ end
 local function start_ngrok()
 if not _M.ngrok_hostname then
 assert(dir.makepath(_M.ngrok_test_dir))
- local ngrok_process, exec_err = process.exec("ngrok", { "http", "9080", "--log", _M.ngrok_test_dir .. "/ngrok.log", "--log-format", "logfmt", "--log-level", "debug" })
+ local ngrok_process, exec_err = process.exec("ngrok", { "http", "9080", "--scheme", "http", "--log", _M.ngrok_test_dir .. "/ngrok.log", "--log-format", "logfmt", "--log-level", "debug" })
 assert(not exec_err, exec_err)
 _M.ngrok_process = ngrok_process
 local log = log_tail.new(_M.ngrok_test_dir .. "/ngrok.log")
- local ok, output = log:read_until("start tunnel listen.*Hostname:[a-z0-9]+.ngrok.io")
+ local ok, output = log:read_until("started tunnel.*url=https?://[a-z0-9-]+.ngrok.io")
 if not ok then
 print(ngrok_process:stdout())
 print(ngrok_process:stderr())
@@ -68,7 +68,7 @@ local function start_ngrok()
 error("ngrok did not startup as expected")
 end
- local matches, match_err = ngx.re.match(output, "Hostname:([a-z0-9]+.ngrok.io)", "jo")
+ local matches, match_err = ngx.re.match(output, "url=https?://([a-z0-9-]+.ngrok.io)", "jo")
 assert(not match_err, match_err)
 _M.ngrok_hostname = matches[1]
 end
From 06030ed41d9ef72b09180396b46578ac87008390 Mon Sep 17 00:00:00 2001
From: ryokdy
Date: Tue, 21 Nov 2023 22:54:32 +0900
Subject: [PATCH 12/18] Install ngrok from tar ball
---
 Dockerfile-test | 7 ++++---
 Dockerfile-test-alpine | 7 ++++---
 Dockerfile-test-lua51 | 7 ++++---
 Dockerfile-test-openresty1.21 | 7 ++++---
 Dockerfile-test-ubuntu | 7 ++++---
 5 files changed, 20 insertions(+), 15 deletions(-)
diff --git a/Dockerfile-test b/Dockerfile-test
index 4086167..a3f5642 100644
--- a/Dockerfile-test
+++ b/Dockerfile-test
@@ -3,7 +3,6 @@ FROM openresty/openresty:1.21.4.1-0-centos
 # Runtime dependencies
 RUN yum -y install \
 bash \
- coreutils \
 curl \
 diffutils \
 grep \
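Review bot: The rewritten `ngx.re.match(output, "url=https?://([a-z0-9-]+.ngrok.io)", "jo")` leaves both dots unescaped, so `.` matches any character and the capture is looser than the hostname it is meant to extract; `"url=https?://([a-z0-9-]+\\.ngrok\\.io)"` pins it (the `read_until` pattern in the preceding hunk has the same unescaped dots and wants the equivalent escape for whatever pattern engine read_until uses). The captured value becomes `_M.ngrok_hostname`, which the specs later use as the domain a certificate is issued for, so a sloppy match would surface as a confusing test failure elsewhere rather than here. start_ngrok's body runs past both hunks.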
@@ -25,8 +24,10 @@ RUN yum -y install epel-release && \
 lua \
 procps-ng \
 redis \
- sudo \
- https://bin.equinox.io/a/6iuHhJeWypm/ngrok-3.4.0-linux-amd64.rpm
+ sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+ tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+ rm -f /tmp/ngrok.tar.gz
 RUN mkdir /app
 WORKDIR /app
diff --git a/Dockerfile-test-alpine b/Dockerfile-test-alpine
index 199d6af..e42de6b 100644
--- a/Dockerfile-test-alpine
+++ b/Dockerfile-test-alpine
@@ -27,9 +27,10 @@ RUN apk add --no-cache \
 redis \
 sudo \
 tzdata \
- wget && \
- curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.list && sudo apt update && sudo apt install ngrok && \
- chmod +x /usr/local/bin/ngrok
+ wget
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-386.tgz && \
+ tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+ rm -f /tmp/ngrok.tar.gz
 COPY Makefile /app/Makefile
 RUN make install-test-deps
diff --git a/Dockerfile-test-lua51 b/Dockerfile-test-lua51
index 8e410e1..bfedf12 100644
--- a/Dockerfile-test-lua51
+++ b/Dockerfile-test-lua51
@@ -3,7 +3,6 @@ FROM openresty/openresty:1.21.4.1-0-centos
 # Runtime dependencies
 RUN yum -y install \
 bash \
- coreutils \
 curl \
 diffutils \
 grep \
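Review bot: The new `RUN curl ... && tar -xvf ... -C /usr/local/bin/` step fetches an unpinned `ngrok-v3-stable` tarball over the network and unpacks whatever it contains straight onto PATH with no integrity check, so the image's contents change silently whenever that URL is republished and a tampered download would be executed unchallenged. Pinning a specific version and checking a digest before extraction, e.g. `echo "<EXPECTED_SHA256>  /tmp/ngrok.tar.gz" | sha256sum -c -` between the curl and the tar, and extracting only the expected member (`tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ ngrok`, assuming the archive's member is named ngrok as the removed chmod line suggests) keeps the build reproducible and bounds what lands in /usr/local/bin. The same pattern appears in the Dockerfile-test-alpine and Dockerfile-test-lua51 hunks below and in the Dockerfile-test-openresty1.21 hunk on the next line; the alpine variant also fetches the linux-386 tarball while every other image fetches amd64, which looks unintentional. The ubuntu .deb download in this commit has the same missing check, though it is replaced by an apt repository in the following commit.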
@@ -22,8 +21,10 @@ RUN yum -y install epel-release && \
 lua \
 procps-ng \
 redis \
- sudo \
- https://bin.equinox.io/a/6iuHhJeWypm/ngrok-3.4.0-linux-amd64.rpm
+ sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+ tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+ rm -f /tmp/ngrok.tar.gz
 ENV PATH /usr/local/openresty/luajit/bin:/usr/local/openresty/bin:/usr/local/openresty/nginx/sbin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 ENV TEST_NGINX_RESOLVER 127.0.0.11 ipv6=off
diff --git a/Dockerfile-test-openresty1.21 b/Dockerfile-test-openresty1.21
index 0afff2d..6c7f3cc 100644
--- a/Dockerfile-test-openresty1.21
+++ b/Dockerfile-test-openresty1.21
@@ -3,7 +3,6 @@ FROM openresty/openresty:1.21.4.1-0-centos
 # Runtime dependencies
 RUN yum -y install \
 bash \
- coreutils \
 curl \
 diffutils \
 grep \
@@ -22,8 +21,10 @@ RUN yum -y install epel-release && \
 lua \
 procps-ng \
 redis \
- sudo \
- https://bin.equinox.io/a/6iuHhJeWypm/ngrok-3.4.0-linux-amd64.rpm
+ sudo
+RUN curl -fsSL -o /tmp/ngrok.tar.gz https://bin.equinox.io/c/bNyj1mQVY4c/ngrok-v3-stable-linux-amd64.tgz && \
+ tar -xvf /tmp/ngrok.tar.gz -C /usr/local/bin/ && \
+ rm -f /tmp/ngrok.tar.gz
 RUN mkdir /app
 WORKDIR /app
diff --git a/Dockerfile-test-ubuntu b/Dockerfile-test-ubuntu
index e58b58f..21d2432 100644
--- a/Dockerfile-test-ubuntu
+++ b/Dockerfile-test-ubuntu
@@ -1,4 +1,4 @@
-FROM openresty/openresty:1.21.4.1-0-bionic
+FROM openresty/openresty:1.21.4.1-0-jammy
 ENV DEBIAN_FRONTEND noninteractive
@@ -6,7 +6,6 @@ ENV DEBIAN_FRONTEND noninteractive
 RUN apt-get update && \
 apt-get -y install \
 bash \
- coreutils \
 curl \
 diffutils \
 grep \
@@ -26,7 +25,9 @@ RUN apt-get update && \
 redis-server \
 sudo \
 tzdata && \
- curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | sudo tee /etc/apt/sources.list.d/ngrok.list && sudo apt update && sudo apt install ngrok
+ curl -fsSL -o /tmp/ngrok.deb https://bin.equinox.io/a/b2wQezFbsHk/ngrok-3.4.0-linux-amd64.deb && \
+ dpkg -i /tmp/ngrok.deb || apt-get -fy install && \
+ rm -f /tmp/ngrok.deb
 RUN mkdir /app
 WORKDIR /app
From 5aabc2b910a6aeaf4ddb2e09c9be9832e99b3b26 Mon Sep 17 00:00:00 2001
From: kadoya
Date: Wed, 22 Nov 2023 12:11:37 +0900
Subject: [PATCH 13/18] Install ngrok via apt for Ubuntu
---
 Dockerfile-test-ubuntu | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/Dockerfile-test-ubuntu b/Dockerfile-test-ubuntu
index 21d2432..e7b612c 100644
--- a/Dockerfile-test-ubuntu
+++ b/Dockerfile-test-ubuntu
@@ -24,10 +24,13 @@ RUN apt-get update && \
 lua5.4 \
 redis-server \
 sudo \
- tzdata && \
- curl -fsSL -o /tmp/ngrok.deb https://bin.equinox.io/a/b2wQezFbsHk/ngrok-3.4.0-linux-amd64.deb && \
- dpkg -i /tmp/ngrok.deb || apt-get -fy install && \
- rm -f /tmp/ngrok.deb
+ tzdata
+RUN curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | \
+ sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && \
+ echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | \
+ sudo tee /etc/apt/sources.list.d/ngrok.list && \
+ sudo apt update && \
+ sudo apt install ngrok
 RUN mkdir /app
 WORKDIR /app
From ee6975bd86f1863c14cb72556b5a664d08b5639a Mon Sep 17 00:00:00 2001
From: kadoya
Date: Wed, 22 Nov 2023 12:32:33 +0900
Subject: [PATCH 14/18] Dehydrated 0.71 needs hexdump
---
 Dockerfile-test-ubuntu | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Dockerfile-test-ubuntu b/Dockerfile-test-ubuntu
index e7b612c..9756af0 100644
--- a/Dockerfile-test-ubuntu
+++ b/Dockerfile-test-ubuntu
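Review bot: The added `curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | sudo tee /etc/apt/trusted.gpg.d/ngrok.asc` in the PATCH 13 hunk has no `--fail`, so an HTTP error body would be written into the trusted keyring directory and the step would carry on as if a signing key had been installed; `curl -fsSL` here matches what the other Dockerfiles in this series already use. Dropping the key into /etc/apt/trusted.gpg.d also makes it trusted for every apt source rather than only the ngrok one; the narrower form is to store it under /usr/share/keyrings and reference it with `[signed-by=...]` in the ngrok.list entry. `sudo` is redundant inside a RUN that already executes as root, and `apt install ngrok` without `-y` may abort in a non-interactive build if apt asks for confirmation — `apt-get install -y ngrok` is the conventional form.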
@@ -24,7 +24,8 @@ RUN apt-get update && \
 lua5.4 \
 redis-server \
 sudo \
- tzdata
+ tzdata \
+ bsdmainutils
 RUN curl -s https://ngrok-agent.s3.amazonaws.com/ngrok.asc | \
 sudo tee /etc/apt/trusted.gpg.d/ngrok.asc >/dev/null && \
 echo "deb https://ngrok-agent.s3.amazonaws.com buster main" | \
From b03f5173c86990eb1cd0dcf4d6c6e61889bf018c Mon Sep 17 00:00:00 2001
From: ryokdy
Date: Wed, 22 Nov 2023 15:41:16 +0900
Subject: [PATCH 15/18] Prevent too many request error due to race conditions
---
 lib/resty/auto-ssl/ssl_certificate.lua | 41 +++++++++++++++++++++++---
 1 file changed, 37 insertions(+), 4 deletions(-)
diff --git a/lib/resty/auto-ssl/ssl_certificate.lua b/lib/resty/auto-ssl/ssl_certificate.lua
index 802ff63..46d5f6c 100644
--- a/lib/resty/auto-ssl/ssl_certificate.lua
+++ b/lib/resty/auto-ssl/ssl_certificate.lua
@@ -214,9 +214,24 @@ local function get_ocsp_response(fullchain_der, auto_ssl_instance)
 return ocsp_resp
 end
-local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
- -- Fetch the OCSP stapling response from the cache, or make the request to
- -- fetch it.
+local function get_ocsp_response_unlock(domain, local_lock)
+ local _, local_unlock_err = local_lock:unlock()
+ if local_unlock_err then
+ ngx.log(ngx.ERR, "auto-ssl: failed to unlock: ", local_unlock_err)
+ end
+end
+
+local function get_ocsp_response_lock(domain, cert_der, auto_ssl_instance)
+ -- Before issuing a cert, create a local lock to ensure multiple workers
+ -- don't simultaneously try to get OCSP response for the same cert.
+ local local_lock, new_local_lock_err = lock:new("auto_ssl", { exptime = 30, timeout = 5 })
+ if new_local_lock_err then
+ return nil, "auto-ssl: failed to create lock: " .. (new_local_lock_err or "")
+ end
+ local _, local_lock_err = local_lock:lock("set_ocsp_stapling:" .. domain)
+ if local_lock_err then
+ return nil, "auto-ssl: failed to obtain lock: " .. (local_lock_err or "")
+ end
 local ocsp_resp = ngx.shared.auto_ssl:get("domain:ocsp:" .. domain)
 if not ocsp_resp then
 -- If the certificate was just issued on the current request, wait 1 second
@@ -229,7 +244,8 @@ local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
 local ocsp_response_err
 ocsp_resp, ocsp_response_err = get_ocsp_response(cert_der["fullchain_der"], auto_ssl_instance)
 if ocsp_response_err then
- return false, "failed to get ocsp response: " .. (ocsp_response_err or "")
+ get_ocsp_response_unlock(domain, local_lock)
+ return nil, "failed to get ocsp response: " .. (ocsp_response_err or "")
 end
 -- Cache the OCSP stapling response for 1 hour (this is what nginx does by
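Review bot: The comment added above `lock:new` says `Before issuing a cert`, but this lock guards an OCSP responder request, not certificate issuance, and the copy-paste will mislead the next reader; `-- Before querying the OCSP responder, take a local lock so multiple workers don't simultaneously fetch the response for the same cert.` describes what the code does. With `timeout = 5`, a handshake that arrives while another worker's fetch is slow blocks on the lock for up to five seconds before set_ocsp_stapling gives up and continues without stapling; if that latency is not acceptable on the TLS handshake path, a `timeout = 0` lock that simply skips stapling when someone else already holds it may be the better trade-off, and the chosen trade-off deserves a sentence in the comment either way. get_ocsp_response_lock continues past the end of this hunk.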
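Review bot: On the error path added in the second hunk the lock is released and `nil, err` returned, but nothing is written to the `domain:ocsp:` cache, so the next handshake for the same domain takes the lock and repeats the identical request to a responder that just failed; under sustained responder errors this serializes every handshake behind a failing fetch rather than preventing the request storm the commit title describes. A short-lived negative marker in the shared dict (for example a separate `domain:ocsp_failed:` key with a bounded TTL, checked before the lock is taken) would let callers fall through to "continue without stapling" cheaply for that interval. This is a suggestion rather than a defect in the hunk itself; the success-path caching lies just past the hunk's end.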
@@ -242,6 +258,23 @@ local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
 end
 end
+ get_ocsp_response_unlock(domain, local_lock)
+
+ return ocsp_resp
+end
+
+local function set_ocsp_stapling(domain, cert_der, auto_ssl_instance)
+ -- Fetch the OCSP stapling response from the cache, or make the request to
+ -- fetch it.
+ local ocsp_resp = ngx.shared.auto_ssl:get("domain:ocsp:" .. domain)
+ if not ocsp_resp then
+ local ocsp_response_err
+ ocsp_resp, ocsp_response_err = get_ocsp_response_lock(domain, cert_der, auto_ssl_instance)
+ if not ocsp_resp then
+ return false, ocsp_response_err
+ end
+ end
+
 -- Set the OCSP stapling response.
 local ok, ocsp_status_err = ocsp.set_ocsp_status_resp(ocsp_resp)
 if not ok then
From c079506db2134a0a70d2baed421916689dd75719 Mon Sep 17 00:00:00 2001
From: ryokdy
Date: Wed, 22 Nov 2023 15:46:54 +0900
Subject: [PATCH 16/18] Remove unused variable
---
 lib/resty/auto-ssl/ssl_certificate.lua | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/lib/resty/auto-ssl/ssl_certificate.lua b/lib/resty/auto-ssl/ssl_certificate.lua
index 46d5f6c..9a53b2b 100644
--- a/lib/resty/auto-ssl/ssl_certificate.lua
+++ b/lib/resty/auto-ssl/ssl_certificate.lua
@@ -214,7 +214,7 @@ local function get_ocsp_response(fullchain_der, auto_ssl_instance)
 return ocsp_resp
 end
-local function get_ocsp_response_unlock(domain, local_lock)
+local function get_ocsp_response_unlock(local_lock)
 local _, local_unlock_err = local_lock:unlock()
 if local_unlock_err then
 ngx.log(ngx.ERR, "auto-ssl: failed to unlock: ", local_unlock_err)
@@ -244,7 +244,7 @@ local function get_ocsp_response_lock(domain, cert_der, auto_ssl_instance)
 local ocsp_response_err
 ocsp_resp, ocsp_response_err = get_ocsp_response(cert_der["fullchain_der"], auto_ssl_instance)
 if ocsp_response_err then
- get_ocsp_response_unlock(domain, local_lock)
+ get_ocsp_response_unlock(local_lock)
 return nil, "failed to get ocsp response: " .. (ocsp_response_err or "")
 end
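Review bot: The comment carried over onto the new `set_ocsp_stapling` (`Fetch the OCSP stapling response from the cache, or make the request to fetch it.`) no longer explains why the cache is probed here and then probed again inside `get_ocsp_response_lock`, so a reader will reasonably take the second lookup for a leftover. Replacing it with `-- Fast path: serve a cached response without taking the lock. On a miss, get_ocsp_response_lock re-checks the cache under a per-domain lock so concurrent handshakes coalesce into one responder request.` records the intent of the double check. set_ocsp_stapling continues past the end of this hunk.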
@@ -258,7 +258,7 @@ local function get_ocsp_response_lock(domain, cert_der, auto_ssl_instance)
 end
 end
- get_ocsp_response_unlock(domain, local_lock)
+ get_ocsp_response_unlock(local_lock)
 return ocsp_resp
 end
From 6b8c217c7b0829ce3cb973def30565cfda1d06e7 Mon Sep 17 00:00:00 2001
From: ryokdy
Date: Wed, 22 Nov 2023 16:04:00 +0900
Subject: [PATCH 17/18] Remove custom code
---
 lib/resty/auto-ssl/jobs/renewal.lua | 9 ----
 lib/resty/auto-ssl/ssl_certificate.lua | 7 ---
 lib/resty/auto-ssl/utils/verify_domain.lua | 38 --------
 lua-resty-auto-ssl-git-1.rockspec | 2 +-
 spec/allow_domain_spec.lua | 60 ----------------------
 5 files changed, 1 insertion(+), 115 deletions(-)
 delete mode 100644 lib/resty/auto-ssl/utils/verify_domain.lua
 delete mode 100644 spec/allow_domain_spec.lua
diff --git a/lib/resty/auto-ssl/jobs/renewal.lua b/lib/resty/auto-ssl/jobs/renewal.lua
index b6859ad..5f4c16a 100644
--- a/lib/resty/auto-ssl/jobs/renewal.lua
+++ b/lib/resty/auto-ssl/jobs/renewal.lua
@@ -3,7 +3,6 @@ local parse_openssl_time = require "resty.auto-ssl.utils.parse_openssl_time"
 local shell_blocking = require "shell-games"
 local shuffle_table = require "resty.auto-ssl.utils.shuffle_table"
 local ssl_provider = require "resty.auto-ssl.ssl_providers.lets_encrypt"
-local verify_domain = require "resty.auto-ssl.utils.verify_domain"
 local _M = {}
@@ -153,14 +152,6 @@ local function renew_check_cert(auto_ssl_instance, storage, domain)
 return
 end
- -- Check to ensure the domain is one we allow again.
- local valid, verify_domain_err = verify_domain(auto_ssl_instance, domain)
- if not valid then
- ngx.log(ngx.ERR, "auto-ssl: this domain seems to have been invalid: ", verify_domain_err)
- renew_check_cert_unlock(domain, storage, local_lock, distributed_lock_value)
- return
- end
-
 -- We didn't previously store the cert.pem (since it can be derived from the
 -- fullchain.pem). So for backwards compatibility, set the cert.pem value to
 -- the fullchain.pem value, since that should work for our date checking
diff --git a/lib/resty/auto-ssl/ssl_certificate.lua b/lib/resty/auto-ssl/ssl_certificate.lua
index 9a53b2b..22a1d29 100644
--- a/lib/resty/auto-ssl/ssl_certificate.lua
+++ b/lib/resty/auto-ssl/ssl_certificate.lua
@@ -3,7 +3,6 @@ local lock = require "resty.lock"
 local ocsp = require "ngx.ocsp"
 local ssl = require "ngx.ssl"
 local ssl_provider = require "resty.auto-ssl.ssl_providers.lets_encrypt"
-local verify_domain = require "resty.auto-ssl.utils.verify_domain"
 local function convert_to_der_and_cache(domain, cert)
 -- Convert certificate from PEM to DER format.
@@ -141,12 +140,6 @@ local function get_cert_der(auto_ssl_instance, domain, ssl_options)
 return cert_der
 end
- -- Next, Check to ensure the domain is one we allow.
- local valid, verify_domain_err = verify_domain(auto_ssl_instance, domain)
- if not valid then
- return nil, verify_domain_err
- end
-
 -- Finally, issue a new certificate if one hasn't been found yet.
 if not ssl_options or ssl_options["generate_certs"] ~= false then
 cert = issue_cert(auto_ssl_instance, storage, domain)
diff --git a/lib/resty/auto-ssl/utils/verify_domain.lua b/lib/resty/auto-ssl/utils/verify_domain.lua
deleted file mode 100644
index 8990a2d..0000000
--- a/lib/resty/auto-ssl/utils/verify_domain.lua
+++ /dev/null
@@ -1,38 +0,0 @@
-local http = require "resty.http"
-local cjson = require "cjson"
--- Verify the domain name and return its result.
-return function(auto_ssl_instance, domain)
- local httpc = http.new()
- local url = auto_ssl_instance:get("verification_url")
- if not url then
- return true, nil
- end
- url = url .. "?d=" .. domain
- httpc:set_timeout(10000)
- local res, req_err = httpc:request_uri(url, {
- ssl_verify = false,
- method = "GET"
- })
- if not res then
- return false, "Verification failed (" .. (url or "") .. "): " .. (req_err or "")
- end
- if res.status ~= 200 then
- return false, "Verification returns bad HTTP status code (" .. (url or "") .. "): " .. (res.status or "")
- end
- local resp = res.body
- if not resp or resp == "" then
- return false, "Verification returns bad response body (" .. (url or "") .. "): " .. (resp or "")
- end
- local data = cjson.decode(resp)
- if not data["valid"] then
- return false, "Invalid domain: " .. domain
- end
- return true, nil
-end
diff --git a/lua-resty-auto-ssl-git-1.rockspec b/lua-resty-auto-ssl-git-1.rockspec
index 969f0c9..b75ecbe 100644
--- a/lua-resty-auto-ssl-git-1.rockspec
+++ b/lua-resty-auto-ssl-git-1.rockspec
@@ -1,7 +1,7 @@
 package = "lua-resty-auto-ssl"
 version = "git-1"
 source = {
- url = "git://github.com/ryokdy/lua-resty-auto-ssl.git",
+ url = "git://github.com/GUI/lua-resty-auto-ssl.git",
 }
 description = {
 summary = "Automatic SSL handling for OpenResty",
diff --git a/spec/allow_domain_spec.lua b/spec/allow_domain_spec.lua
deleted file mode 100644
index 5e75095..0000000
--- a/spec/allow_domain_spec.lua
+++ /dev/null
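Review bot: The rewritten `url` in the rockspec hunk keeps the `git://` scheme, an unencrypted and unauthenticated transport that GitHub discontinued in 2022, so a luarocks install from this rockspec cannot verify the clone and, against GitHub, is unlikely to complete at all; `url = "https://github.com/GUI/lua-resty-auto-ssl.git"` (or the `git+https://` form) resolves both. The old line had the same scheme, but since the line is being rewritten anyway this is the natural place to fix it.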
@@ -1,60 +0,0 @@
-local http = require "resty.http"
-local server = require "spec.support.server"
-describe("allow_domain", function()
- before_each(server.stop)
- after_each(server.stop)
- it("verifies domain from remote server", function()
- server.start({
- auto_ssl_pre_new = [[
- options["allow_domain"] = function(domain)
- if ngx.re.match(domain, "^([0-9]+\\.[0-9]+\\.[0-9]+\\.[0-9]+)$", "ijo") then
- return false
- elseif ngx.re.match(domain, "(amazonaws.com|google-analytics.com)$", "ijo") then
- return false
- end
- local httpc = (require "resty.http").new()
- local cjson = (require "cjson")
- local url = "http://localhost:3000/domains?d=" .. domain
- httpc:set_timeout(10000)
- local res, req_err = httpc:request_uri(url, {
- ssl_verify = false,
- method = "GET"
- })
- if not res then
- ngx.log(ngx.ERR, "Verification failed (" .. (url or "") .. "): " .. (req_err or ""))
- return false
- end
- if res.status ~= 200 then
- ngx.log(ngx.ERR, "Verification returns bad HTTP status code (" .. (url or "") .. "): " .. (res.status or ""))
- return false
- end
- local resp = res.body
- if not resp or resp == "" then
- ngx.log(ngx.ERR, "Verification returns bad response body (" .. (url or "") .. "): " .. (resp or ""))
- return false
- end
- local data = cjson.decode(resp)
- if not data["valid"] then
- ngx.log(ngx.ERR, "Invalid domain: " .. domain)
- return false
- end
- return true
- end
- ]],
- })
- local httpc = http.new()
- local _, connect_err = httpc:connect("127.0.0.1", 9443)
- assert.equal(nil, connect_err)
- local _, ssl_err = httpc:ssl_handshake(nil, server.ngrok_hostname, true)
- assert.equal("18: self signed certificate", ssl_err)
- end)
-end)
From c04dfa7b7a59cb1b8d212d161986c78f541d8bd9 Mon Sep 17 00:00:00 2001
From: ryokdy
Date: Wed, 22 Nov 2023 16:11:22 +0900
Subject: [PATCH 18/18] Remove custom code
---
 Makefile | 1 -
 1 file changed, 1 deletion(-)
diff --git a/Makefile b/Makefile
index d223a0f..4478f34 100644
--- a/Makefile
+++ b/Makefile
@@ -52,7 +52,6 @@ install: check-dependencies
 install -m 644 lib/resty/auto-ssl/utils/shell_execute.lua $(INST_LUADIR)/resty/auto-ssl/utils/shell_execute.lua
 install -m 644 lib/resty/auto-ssl/utils/shuffle_table.lua $(INST_LUADIR)/resty/auto-ssl/utils/shuffle_table.lua
 install -m 644 lib/resty/auto-ssl/utils/start_sockproc.lua $(INST_LUADIR)/resty/auto-ssl/utils/start_sockproc.lua
- install -m 644 lib/resty/auto-ssl/utils/verify_domain.lua $(INST_LUADIR)/resty/auto-ssl/utils/verify_domain.lua
 install -d $(INST_LUADIR)/resty/auto-ssl/vendor
 install -m 644 lib/resty/auto-ssl/vendor/shell.lua $(INST_LUADIR)/resty/auto-ssl/vendor/shell.lua
 install -d $(INST_BINDIR)/resty-auto-ssl