feat: add support for wildcard on SNIs for SSL #12668
Changes from 5 commits
d58bc66
2591308
51b294c
5485fae
bc67323
2ac6d23
7f42da0
|
|
@@ -55,24 +55,30 @@ local function create_router(ssl_items) | |
| if type(ssl.value.snis) == "table" and #ssl.value.snis > 0 then | ||
| sni = core.table.new(0, #ssl.value.snis) | ||
| for _, s in ipairs(ssl.value.snis) do | ||
| j = j + 1 | ||
| sni[j] = s:reverse() | ||
| if s ~= "*" then | ||
| j = j + 1 | ||
| sni[j] = s:reverse() | ||
| end | ||
|
||
| end | ||
| else | ||
| sni = ssl.value.sni:reverse() | ||
| if ssl.value.sni ~= "*" then | ||
| sni = ssl.value.sni:reverse() | ||
| end | ||
|
||
| end | ||
|
|
||
| idx = idx + 1 | ||
| route_items[idx] = { | ||
| paths = sni, | ||
| handler = function (api_ctx) | ||
| if not api_ctx then | ||
| return | ||
| if sni and (type(sni) == "table" and #sni > 0 or type(sni) == "string") then | ||
|
||
| idx = idx + 1 | ||
| route_items[idx] = { | ||
| paths = sni, | ||
| handler = function (api_ctx) | ||
| if not api_ctx then | ||
| return | ||
| end | ||
| api_ctx.matched_ssl = ssl | ||
| api_ctx.matched_sni = sni | ||
| end | ||
| api_ctx.matched_ssl = ssl | ||
| api_ctx.matched_sni = sni | ||
| end | ||
| } | ||
| } | ||
| end | ||
|
||
| end | ||
| end | ||
|
|
||
|
|
@@ -89,7 +95,6 @@ local function create_router(ssl_items) | |
| return router | ||
| end | ||
|
|
||
|
|
||
| local function set_pem_ssl_key(sni, cert, pkey) | ||
| local r = get_request() | ||
| if r == nil then | ||
|
|
@@ -171,6 +176,33 @@ function _M.match_and_set(api_ctx, match_only, alt_sni) | |
|
|
||
| local sni_rev = sni:reverse() | ||
| local ok = radixtree_router:dispatch(sni_rev, nil, api_ctx) | ||
|
|
||
| -- if no SSL matched, try to find a wildcard SSL | ||
|
||
| if not ok then | ||
| for _, ssl in config_util.iterate_values(ssl_certificates.values) do | ||
| if ssl.value and ssl.value.type == "server" and | ||
| (ssl.value.status == nil or ssl.value.status == 1) then | ||
| local has_wildcard = false | ||
| if ssl.value.sni == "*" then | ||
| has_wildcard = true | ||
| elseif type(ssl.value.snis) == "table" then | ||
| for _, s in ipairs(ssl.value.snis) do | ||
| if s == "*" then | ||
| has_wildcard = true | ||
| break | ||
| end | ||
| end | ||
| end | ||
| if has_wildcard then | ||
| api_ctx.matched_ssl = ssl | ||
| api_ctx.matched_sni = "*" | ||
| ok = true | ||
| break | ||
| end | ||
| end | ||
| end | ||
| end | ||
|
|
||
| if not ok then | ||
| if not alt_sni then | ||
| -- it is expected that alternative SNI doesn't have a SSL certificate associated | ||
|
|
@@ -180,8 +212,10 @@ function _M.match_and_set(api_ctx, match_only, alt_sni) | |
| return false | ||
| end | ||
|
|
||
|
|
||
| if type(api_ctx.matched_sni) == "table" then | ||
| if api_ctx.matched_sni == "*" then | ||
| -- wildcard matches everything, no need for further validation | ||
| core.log.info("matched wildcard SSL for SNI: ", sni) | ||
| elseif type(api_ctx.matched_sni) == "table" then | ||
| local matched = false | ||
| for _, msni in ipairs(api_ctx.matched_sni) do | ||
| if sni_rev == msni or not str_find(sni_rev, ".", #msni) then | ||
|
|
@@ -221,7 +255,6 @@ function _M.match_and_set(api_ctx, match_only, alt_sni) | |
| return true | ||
| end | ||
|
|
||
|
|
||
| function _M.set(matched_ssl, sni) | ||
| if not matched_ssl then | ||
| return false, "failed to match ssl certificate" | ||
|
|
||
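Review bot: The wildcard fallback added in the match_and_set hunk re-walks every entry of `ssl_certificates.values` on each call that misses the radix tree, and since match_and_set appears to run once per TLS handshake, any client presenting an unknown SNI now costs a linear scan over all configured certificates, with the first `"*"` certificate encountered in `config_util.iterate_values` order winning when several carry a wildcard. Because create_router already walks each certificate's `sni`/`snis` and now explicitly skips the `"*"` entries, the wildcard certificate could be resolved there once (a module-level `local wildcard_ssl`, set to the first `ssl` seen with `s == "*"` or `ssl.value.sni == "*"`) and the fallback reduced to the lines below. The fallback filters on `type == "server"` and `status`, while the router is built from whatever `ssl_items` holds; whether those are the same set is not visible here, so that filtering would have to move along with the lookup. The comment on the new branch would also be clearer about precedence, e.g. `-- exact and suffix matches in the radixtree always win; "*" is only consulted when nothing else matched`. Both create_router and match_and_set begin before their hunks, and in the create_router hunk the `else` branch leaves `sni` unassigned for `"*"`, which is only safe if `sni` is declared fresh per iteration in the part of the loop outside the hunk.
```lua
-- if no SSL matched, fall back to the wildcard certificate resolved in create_router
if not ok and wildcard_ssl then
    api_ctx.matched_ssl = wildcard_ssl
    api_ctx.matched_sni = "*"
    ok = true
end
-- … unchanged: alt_sni handling …
```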
To me, it seems we can keep the old code; it appears to work fine too, right?
The main point of contention lies in #12668 (comment), which determines whether we must handle the * case separately.
Okay, I was wrong. Due to an initial mistake in my code I got that failure and falsely assumed it was because radixtree couldn't handle it. I have modified the PR. Apologies for the mistake.