add ssl patches to nginx-1.25 image for coroutines to work in lua cli…

…ent hello and cert ssl blocks (#11485) * feat: add ssl patches for coroutines to work in lua ssl blocks Signed-off-by: Jon Carl <[email protected]> * switch to include more patches Signed-off-by: Jon Carl <[email protected]> --------- Signed-off-by: Jon Carl <[email protected]>
kubernetes · Jul 2, 2024 · 7de28cf · 7de28cf
1 parent bcb98c0
commit 7de28cf
Show file tree

Hide file tree

Showing 32 changed files with 2,110 additions and 0 deletions.
diff --git a/...1.25/rootfs/patches/drop-alias-root.patch → ...5/rootfs/patches/00_drop-alias-root.patch b/...1.25/rootfs/patches/drop-alias-root.patch → ...5/rootfs/patches/00_drop-alias-root.patch
diff --git a/images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch b/images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch
@@ -0,0 +1,15 @@
+diff --git a/src/os/win32/ngx_event_log.c b/src/os/win32/ngx_event_log.c
+index e11ed1e8..dce8eddd 100644
+--- a/src/os/win32/ngx_event_log.c
++++ b/src/os/win32/ngx_event_log.c
+@@ -8,7 +8,9 @@
+ #include <ngx_core.h>
+
+
+-#define NGX_MAX_ERROR_STR   2048
++#ifndef NGX_MAX_ERROR_STR
++#define NGX_MAX_ERROR_STR   4096
++#endif
+
+
+ void ngx_cdecl
diff --git a/images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch b/images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch
@@ -0,0 +1,53 @@
+diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
+index 526de3a..b531ce1 100644
+--- a/src/stream/ngx_stream_upstream_round_robin.c
++++ b/src/stream/ngx_stream_upstream_round_robin.c
+@@ -21,10 +21,6 @@ static void ngx_stream_upstream_notify_round_robin_peer(
+
+ #if (NGX_STREAM_SSL)
+
+-static ngx_int_t ngx_stream_upstream_set_round_robin_peer_session(
+-    ngx_peer_connection_t *pc, void *data);
+-static void ngx_stream_upstream_save_round_robin_peer_session(
+-    ngx_peer_connection_t *pc, void *data);
+ static ngx_int_t ngx_stream_upstream_empty_set_session(
+     ngx_peer_connection_t *pc, void *data);
+ static void ngx_stream_upstream_empty_save_session(ngx_peer_connection_t *pc,
+@@ -690,7 +686,7 @@ ngx_stream_upstream_notify_round_robin_peer(ngx_peer_connection_t *pc,
+
+ #if (NGX_STREAM_SSL)
+
+-static ngx_int_t
++ngx_int_t
+ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
+     void *data)
+ {
+@@ -756,7 +752,7 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc,
+ }
+
+
+-static void
++void
+ ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc,
+     void *data)
+ {
+diff --git a/src/stream/ngx_stream_upstream_round_robin.h b/src/stream/ngx_stream_upstream_round_robin.h
+index 35d9fce..75f3e31 100644
+--- a/src/stream/ngx_stream_upstream_round_robin.h
++++ b/src/stream/ngx_stream_upstream_round_robin.h
+@@ -142,5 +142,15 @@ ngx_int_t ngx_stream_upstream_get_round_robin_peer(ngx_peer_connection_t *pc,
+ void ngx_stream_upstream_free_round_robin_peer(ngx_peer_connection_t *pc,
+     void *data, ngx_uint_t state);
+
++#if (NGX_STREAM_SSL)
++ngx_int_t ngx_stream_upstream_set_round_robin_peer_session(
++    ngx_peer_connection_t *pc, void *data);
++void ngx_stream_upstream_save_round_robin_peer_session(
++    ngx_peer_connection_t *pc, void *data);
++#endif
++
++
++#define HAVE_NGX_STREAM_BALANCER_EXPORT_PATCH 1
++
+
+ #endif /* _NGX_STREAM_UPSTREAM_ROUND_ROBIN_H_INCLUDED_ */
diff --git a/images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch b/images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch
@@ -0,0 +1,31 @@
+diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
+index 09d2459..de92724 100644
+--- a/src/stream/ngx_stream.h
++++ b/src/stream/ngx_stream.h
+@@ -303,4 +303,7 @@ typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
+ extern ngx_stream_filter_pt  ngx_stream_top_filter;
+
+
++#define HAS_NGX_STREAM_PROXY_GET_NEXT_UPSTREAM_TRIES_PATCH 1
++
++
+ #endif /* _NGX_STREAM_H_INCLUDED_ */
+diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
+index 0afde1c..3254ce1 100644
+--- a/src/stream/ngx_stream_proxy_module.c
++++ b/src/stream/ngx_stream_proxy_module.c
+@@ -2156,3 +2156,14 @@ ngx_stream_proxy_bind(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
+
+     return NGX_CONF_OK;
+ }
++
++
++ngx_uint_t
++ngx_stream_proxy_get_next_upstream_tries(ngx_stream_session_t *s)
++{
++    ngx_stream_proxy_srv_conf_t      *pscf;
++
++    pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
++
++    return pscf->next_upstream_tries;
++}
diff --git a/images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch b/images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch
@@ -0,0 +1,178 @@
+diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/src/stream/ngx_stream.h
+--- nginx-1.25.3/src/stream/ngx_stream.h	2021-11-04 21:27:55.288708527 +0800
++++ nginx-1.25.3-patched/src/stream/ngx_stream.h	2021-11-04 21:28:50.768035209 +0800
+@@ -254,6 +254,15 @@ typedef struct {
+ } ngx_stream_module_t;
+
+
++typedef struct {
++    ngx_msec_t                       connect_timeout;
++    ngx_msec_t                       timeout;
++} ngx_stream_proxy_ctx_t;
++
++
++#define NGX_STREAM_HAVE_PROXY_TIMEOUT_FIELDS_PATCH 1
++
++
+ #define NGX_STREAM_MODULE       0x4d525453     /* "STRM" */
+
+ #define NGX_STREAM_MAIN_CONF    0x02000000
+@@ -307,6 +316,7 @@ void ngx_stream_finalize_session(ngx_str
+ extern ngx_module_t  ngx_stream_module;
+ extern ngx_uint_t    ngx_stream_max_module;
+ extern ngx_module_t  ngx_stream_core_module;
++extern ngx_module_t  ngx_stream_proxy_module;
+
+
+ typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s,
+diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream_proxy_module.c nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c
+--- nginx-1.25.3/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:27:55.289708533 +0800
++++ nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c	2021-11-04 21:37:03.578936990 +0800
+@@ -400,6 +400,7 @@ ngx_stream_proxy_handler(ngx_stream_sess
+     ngx_stream_proxy_srv_conf_t      *pscf;
+     ngx_stream_upstream_srv_conf_t   *uscf, **uscfp;
+     ngx_stream_upstream_main_conf_t  *umcf;
++    ngx_stream_proxy_ctx_t           *pctx;
+
+     c = s->connection;
+
+@@ -408,6 +409,17 @@ ngx_stream_proxy_handler(ngx_stream_sess
+     ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
+                    "proxy connection handler");
+
++    pctx = ngx_palloc(c->pool, sizeof(ngx_stream_proxy_ctx_t));
++    if (pctx == NULL) {
++        ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
++        return;
++    }
++
++    pctx->connect_timeout = pscf->connect_timeout;
++    pctx->timeout = pscf->timeout;
++
++    ngx_stream_set_ctx(s, pctx, ngx_stream_proxy_module);
++
+     u = ngx_pcalloc(c->pool, sizeof(ngx_stream_upstream_t));
+     if (u == NULL) {
+         ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
+@@ -699,6 +711,7 @@ ngx_stream_proxy_connect(ngx_stream_sess
+     ngx_connection_t             *c, *pc;
+     ngx_stream_upstream_t        *u;
+     ngx_stream_proxy_srv_conf_t  *pscf;
++    ngx_stream_proxy_ctx_t       *ctx;
+
+     c = s->connection;
+
+@@ -706,6 +719,8 @@ ngx_stream_proxy_connect(ngx_stream_sess
+
+     pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
+
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
++
+     u = s->upstream;
+
+     u->connected = 0;
+@@ -774,7 +789,7 @@ ngx_stream_proxy_connect(ngx_stream_sess
+     pc->read->handler = ngx_stream_proxy_connect_handler;
+     pc->write->handler = ngx_stream_proxy_connect_handler;
+
+-    ngx_add_timer(pc->write, pscf->connect_timeout);
++    ngx_add_timer(pc->write, ctx->connect_timeout);
+ }
+
+
+@@ -957,12 +957,14 @@ ngx_stream_proxy_init_upstream(ngx_stream_session_t *s)
+ static ngx_int_t
+ ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s)
+ {
+-    u_char                       *p;
+-    ssize_t                       n, size;
+-    ngx_connection_t             *c, *pc;
+-    ngx_stream_upstream_t        *u;
+-    ngx_stream_proxy_srv_conf_t  *pscf;
+-    u_char                        buf[NGX_PROXY_PROTOCOL_V1_MAX_HEADER];
++    u_char                  *p;
++    u_char                   buf[NGX_PROXY_PROTOCOL_V1_MAX_HEADER];
++    ssize_t                  n, size;
++    ngx_connection_t        *c, *pc;
++    ngx_stream_upstream_t   *u;
++    ngx_stream_proxy_ctx_t  *ctx;
++
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
+
+     c = s->connection;
+
+@@ -976,9 +993,7 @@ ngx_stream_proxy_send_proxy_protocol(ngx
+             return NGX_ERROR;
+         }
+
+-        pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module);
+-
+-        ngx_add_timer(pc->write, pscf->timeout);
++        ngx_add_timer(pc->write, ctx->timeout);
+
+         pc->write->handler = ngx_stream_proxy_connect_handler;
+
+@@ -1053,6 +1068,9 @@ ngx_stream_proxy_ssl_init_connection(ngx
+     ngx_connection_t             *pc;
+     ngx_stream_upstream_t        *u;
+     ngx_stream_proxy_srv_conf_t  *pscf;
++    ngx_stream_proxy_ctx_t       *ctx;
++
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
+
+     u = s->upstream;
+
+@@ -1099,7 +1117,7 @@ ngx_stream_proxy_ssl_init_connection(ngx
+     if (rc == NGX_AGAIN) {
+
+         if (!pc->write->timer_set) {
+-            ngx_add_timer(pc->write, pscf->connect_timeout);
++            ngx_add_timer(pc->write, ctx->connect_timeout);
+         }
+
+         pc->ssl->handler = ngx_stream_proxy_ssl_handshake;
+@@ -1408,6 +1426,7 @@ ngx_stream_proxy_process_connection(ngx_
+     ngx_stream_session_t         *s;
+     ngx_stream_upstream_t        *u;
+     ngx_stream_proxy_srv_conf_t  *pscf;
++    ngx_stream_proxy_ctx_t       *ctx;
+
+     c = ev->data;
+     s = c->data;
+@@ -1419,6 +1438,8 @@ ngx_stream_proxy_process_connection(ngx_
+         return;
+     }
+
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
++
+     c = s->connection;
+     pc = u->peer.connection;
+
+@@ -1438,7 +1459,7 @@ ngx_stream_proxy_process_connection(ngx_
+                 }
+
+                 if (u->connected && !c->read->delayed && !pc->read->delayed) {
+-                    ngx_add_timer(c->write, pscf->timeout);
++                    ngx_add_timer(c->write, ctx->timeout);
+                 }
+
+                 return;
+@@ -1600,6 +1621,9 @@ ngx_stream_proxy_process(ngx_stream_sess
+     ngx_log_handler_pt            handler;
+     ngx_stream_upstream_t        *u;
+     ngx_stream_proxy_srv_conf_t  *pscf;
++    ngx_stream_proxy_ctx_t       *ctx;
++
++    ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module);
+
+     u = s->upstream;
+
+@@ -1807,7 +1831,7 @@ ngx_stream_proxy_process(ngx_stream_sess
+         }
+
+         if (!c->read->delayed && !pc->read->delayed) {
+-            ngx_add_timer(c->write, pscf->timeout);
++            ngx_add_timer(c->write, ctx->timeout);
+
+         } else if (c->write->timer_set) {
+             ngx_del_timer(c->write);
diff --git a/images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch b/images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch
@@ -0,0 +1,13 @@
+diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
+index e3d11fd9..3717b5fe 100644
+--- a/src/stream/ngx_stream_ssl_preread_module.c
++++ b/src/stream/ngx_stream_ssl_preread_module.c
+@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
+
+         rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
+         if (rc != NGX_AGAIN) {
+-            return rc;
++            return rc == NGX_OK ? NGX_DECLINED : rc;
+         }
+
+         p += len;