proxy_connect: use the default_server or SNI selected server block #1797
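Problem description
This patch causes problems when TLS is not enabled. For example, with the following configuration:
Run the command:
As you can see, even if
Cause of the problem
With HTTPS, during the TLS negotiation phase, Nginx uses SNI to look up the corresponding location configuration, in the function
Discussion of the problems with Host in CONNECT
The problems we currently face are as follows:
My thoughts on the problems above:
Revised temporary patch
There is currently no good solution. For this patch there are the following two temporary fixes: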
static ngx_int_t
ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
{
    ngx_int_t                  rc;
    ngx_http_connection_t     *hc;
    ngx_http_core_loc_conf_t  *clcf;
    ngx_http_core_srv_conf_t  *cscf;

#if (NGX_SUPPRESS_WARN)
    cscf = NULL;
#endif

    hc = r->http_connection;

#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)

    if (hc->ssl_servername) {
#if (NGX_HTTP_PROXY_CONNECT)
        /* CONNECT on a connection that sent SNI: keep the server block
         * already selected, do not re-select by host */
        if (r->method == NGX_HTTP_CONNECT) {
            return NGX_OK;
        }
#endif // if (NGX_HTTP_PROXY_CONNECT)
        if (hc->ssl_servername->len == host->len
            && ngx_strncmp(hc->ssl_servername->data,
                           host->data, host->len) == 0)
        {
#if (NGX_PCRE)
            if (hc->ssl_servername_regex
                && ngx_http_regex_exec(r, hc->ssl_servername_regex,
                                       hc->ssl_servername) != NGX_OK)
            {
                ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
                return NGX_ERROR;
            }
#endif
            return NGX_OK;
        }
    }

#endif

    /* rest of the function omitted... */
}
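Sorry, I re-read unlike(http_connect_request('sKip-this-server.com', '8081', '/'), qr/500 Internal Server Error/, 'skip ngx_http_set_virtual_server()'); From this test case it looks like you deliberately intend to skip location matching, that is, to do away with virtual servers. So let me add a reminder here: if you apply this patch, please do not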
It's a trade-off: if you use this patch, only default_server can serve the CONNECT request and its established tunnel.
try to fix #1794.
In the CONNECT request, the host field is used to specify the backend server, rather than for selecting a server block.
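The selection rule from the title and description above, modelled as an added C example (not code from this PR or from the project): the server block is fixed by SNI or default_server, and the CONNECT host never re-selects it. The `struct server` table, the `.example` names and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model of one listener (assumption; not nginx data structures). */
struct server { const char *name; int is_default; int proxy_connect; };
/* Constructed sample: a default block with tunnelling and a plain vhost. */
static const struct server servers[] = {
    { "proxy.example",  1, 1 },
    { "static.example", 0, 0 },
};
#define NSERVERS ((int) (sizeof(servers) / sizeof(servers[0])))

static int find_by_name(const char *name)
{
    for (int i = 0; name != NULL && i < NSERVERS; i++)
        if (strcmp(servers[i].name, name) == 0) return i;
    return -1;
}

/* Block fixed at connection setup: SNI match if any, else default_server. */
static int connection_server(const char *sni)
{
    int i = find_by_name(sni);
    for (int d = 0; i < 0 && d < NSERVERS; d++)
        if (servers[d].is_default) i = d;
    return i;
}

/* Block that handles a request. In CONNECT the host names the tunnel
 * target, so it is never used to re-select the server block. */
static int request_server(const char *method, const char *sni, const char *host)
{
    int chosen = connection_server(sni);
    if (strcmp(method, "CONNECT") == 0) return chosen;
    int by_host = find_by_name(host);
    return by_host >= 0 ? by_host : chosen;
}

/* A tunnel opens only if the selected block enables proxy_connect. */
static int tunnel_allowed(const char *sni, const char *host)
{
    return servers[request_server("CONNECT", sni, host)].proxy_connect;
}

int main(void)
{
    printf("plain CONNECT static.example -> %d\n", tunnel_allowed(NULL, "static.example"));
    printf("SNI static.example CONNECT   -> %d\n", tunnel_allowed("static.example", "backend.example"));
    return 0;
}
```

In this model a plain-text CONNECT is always governed by the default block's settings, while a TLS client whose SNI selects a block without tunnelling is refused whatever host it asks for.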