翻译自:ngx.ssl - Lua API for controlling NGINX downstream SSL handshakes
# Note: this line is not needed if you are using OpenResty 1.9.7.2+
lua_package_path "/path/to/lua-resty-core/lib/?.lua;;";
server {
listen 443 ssl;
server_name test.com;
# useless placeholders: just to shut up NGINX configuration
# loader errors. The ssl_certificate_by_lua_block below removes them
# again via ssl.clear_certs() before installing the real cert and key:
ssl_certificate /path/to/fallback.crt;
ssl_certificate_key /path/to/fallback.key;
ssl_certificate_by_lua_block {
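local ssl = require "ngx.ssl"

-- Log the failure reason and abort the handshake. Used by every error
-- path below so that no branch can fall through and leave a partially
-- configured (or fallback) certificate in place.
local function abort(...)
    ngx.log(ngx.ERR, ...)
    return ngx.exit(ngx.ERROR)
end

-- Drop the fallback certificate and private key installed by the
-- ssl_certificate / ssl_certificate_key directives above, so that only
-- the certificate chosen in this handler is ever presented to the client.
local ok, err = ssl.clear_certs()
if not ok then
    -- the original omitted `err` here, which made this failure impossible
    -- to diagnose from the error log
    return abort("failed to clear existing (fallback) certificates: ", err)
end

-- my_load_certificate_chain() and my_load_private_key() are assumed to be
-- defined by the user herself and to return PEM-encoded text; assert()
-- turns a missing return value into a Lua error that ends the handshake.
-- NOTE(review): this handler runs for each handshake that reaches it, so
-- these loaders should cache rather than re-read key material every time
-- -- confirm against the real implementations.
local pem_cert_chain = assert(my_load_certificate_chain())

local der_cert_chain
der_cert_chain, err = ssl.cert_pem_to_der(pem_cert_chain)
if not der_cert_chain then
    return abort("failed to convert certificate chain ",
                 "from PEM to DER: ", err)
end

ok, err = ssl.set_der_cert(der_cert_chain)
if not ok then
    return abort("failed to set DER cert: ", err)
end

local pem_pkey = assert(my_load_private_key())

local der_pkey
der_pkey, err = ssl.priv_key_pem_to_der(pem_pkey)
if not der_pkey then
    return abort("failed to convert private key ",
                 "from PEM to DER: ", err)
end

-- the original called ssl.ser_der_priv_key (a typo); the API listed
-- further down this page is ssl.set_der_priv_key
ok, err = ssl.set_der_priv_key(der_pkey)
if not ok then
    return abort("failed to set DER private key: ", err)
end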
}
location / {
# document root for "/": content is served from the "html" directory
root html;
}
}
该 Lua 模块提供 API 函数来控制类似 ssl_certificate_by_lua*(ngx_lua 模块) 等上下文的 SSL 握手过程。
OpenSSL 允许我们动态地设置证书和私钥,因此可以推迟到建立连接时才设置证书和私钥。这样,结合 SNI,就可以针对不同的请求域名动态设置不同的证书和私钥,而无需事先把所有可能用到的证书和私钥都准备好。该 Lua 模块提供的 API 正是用于在 ssl_certificate_by_lua* 指令的上下文中支持这种用法。
在 Lua 中加载 ngx.ssl 模块的方法如下:
local ssl = require "ngx.ssl"
语法:ok, err = ssl.clear_certs()
上下文:ssl_certificate_by_lua*
语法:der_cert_chain, err = ssl.cert_pem_to_der(pem_cert_chain)
上下文:任意
语法:ok, err = ssl.set_der_cert(der_cert_chain)
上下文:ssl_certificate_by_lua*
语法:der_priv_key, err = ssl.priv_key_pem_to_der(pem_priv_key)
上下文:任意
openssl rsa -in key.pem -outform DER -out key.der
语法:ok, err = ssl.set_der_priv_key(der_priv_key)
上下文:ssl_certificate_by_lua*
openssl rsa -in key.pem -outform DER -out key.der
语法:name, err = ssl.server_name()
上下文:任意
语法:addr_data, addr_type, err = ssl.raw_server_addr()
上下文:任意
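local ssl = require "ngx.ssl"
local byte = string.byte

-- Fetch the raw (binary) address of the server side of this connection.
-- `addrtyp` tells how to interpret `addr`; `err` is set only on failure.
local addr, addrtyp, err = ssl.raw_server_addr()
if not addr then
    ngx.log(ngx.ERR, "failed to fetch raw server addr: ", err)
    return
end

if addrtyp == "inet" then -- IPv4
    -- `addr` holds the address as raw bytes; byte(addr, 1, 4) yields the
    -- four octets as four return values for the format string.
    -- Declared local: the original assigned an accidental global `ip`.
    local ip = string.format("%d.%d.%d.%d", byte(addr, 1, 4))
    print("Using IPv4 address: ", ip)
elseif addrtyp == "unix" then -- UNIX
    -- for unix sockets `addr` is the socket path, printed as-is
    print("Using unix socket file ", addr)
else -- IPv6
    -- leave as an exercise for the readers
    -- NOTE(review): the IPv6 byte layout of `addr` is not shown on this
    -- page; check the module's documentation before formatting it.
end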
语法:addr_data, addr_type, err = ssl.raw_client_addr()
上下文:任意
原文:https://www.cnblogs.com/jimodetiantang/p/9260698.html