diff --git a/build/test-lua.sh b/build/test-lua.sh
index 22d257154..c9b3ec53e 100755
--- a/build/test-lua.sh
+++ b/build/test-lua.sh
@@ -30,6 +30,7 @@ resty \
 --shdict "configuration_data 5M" \
 --shdict "certificate_data 16M" \
 --shdict "certificate_servers 1M" \
+ --shdict "ocsp_response_cache 1M" \
 --shdict "balancer_ewma 1M" \
 --shdict "balancer_ewma_last_touched_at 1M" \
 --shdict "balancer_ewma_locks 512k" \
diff --git a/rootfs/etc/nginx/lua/certificate.lua b/rootfs/etc/nginx/lua/certificate.lua
index aab994c5e..42b605e1e 100644
--- a/rootfs/etc/nginx/lua/certificate.lua
+++ b/rootfs/etc/nginx/lua/certificate.lua
@@ -182,7 +182,7 @@ local function fetch_and_cache_ocsp_response(uid, der_cert)
 end
 if forcible then
 ngx.log(ngx.NOTICE, "removed an existing item when saving OCSP response, ",
- "consider increasing shared dictionary size for 'ocsp_reponse_cache'")
+ "consider increasing shared dictionary size for 'ocsp_response_cache'")
 end
 end
diff --git a/rootfs/etc/nginx/lua/configuration.lua b/rootfs/etc/nginx/lua/configuration.lua
index 84076c406..2a0762383 100644
--- a/rootfs/etc/nginx/lua/configuration.lua
+++ b/rootfs/etc/nginx/lua/configuration.lua
@@ -11,6 +11,7 @@ local pairs = pairs
 local configuration_data = ngx.shared.configuration_data
 local certificate_data = ngx.shared.certificate_data
 local certificate_servers = ngx.shared.certificate_servers
+local ocsp_response_cache = ngx.shared.ocsp_response_cache
 local EMPTY_UID = "-1"
@@ -100,6 +101,11 @@ local function handle_servers()
 end
 for uid, cert in pairs(configuration.certificates) do
+ local old_cert = certificate_data:get(uid)
+ if old_cert ~= cert then
+ ocsp_response_cache:delete(uid)
+ end
+
 local success, set_err, forcible = certificate_data:set(uid, cert)
 if not success then
 local err_msg = string.format("error setting certificate for %s: %s\n",
diff --git a/rootfs/etc/nginx/lua/test/configuration_test.lua b/rootfs/etc/nginx/lua/test/configuration_test.lua
index aa4ba38b3..cb301ba61 100644
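Review bot: The invalidation added to handle_servers only covers uids present in the new configuration.certificates, so if the function later prunes certificate_data entries that disappeared from the configuration (the rest of handle_servers is outside this hunk), the matching ocsp_response_cache entry is not removed and a response cached for a retired certificate lingers until its TTL; that prune path should also call `ocsp_response_cache:delete(uid)`. The `old_cert ~= cert` comparison also fires for a first-seen uid, since `certificate_data:get` returns nil there; that is harmless but worth a comment above the check, e.g. `-- a new or changed certificate must never be stapled with the OCSP response cached for its predecessor`. Deleting before `certificate_data:set` is the safe order: if the set fails, the old certificate stays and its OCSP response is simply refetched on next use.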
--- a/rootfs/etc/nginx/lua/test/configuration_test.lua
+++ b/rootfs/etc/nginx/lua/test/configuration_test.lua
@@ -4,6 +4,7 @@ local configuration = require("configuration")
 local unmocked_ngx = _G.ngx
 local certificate_data = ngx.shared.certificate_data
 local certificate_servers = ngx.shared.certificate_servers
+local ocsp_response_cache = ngx.shared.ocsp_response_cache
 function get_backends()
 return {
@@ -184,6 +185,56 @@ describe("Configuration", function()
 assert.same(ngx.status, ngx.HTTP_BAD_REQUEST)
 end)
+ it("should not delete ocsp_response_cache if certificate remain the same", function()
+ ngx.shared.certificate_data.get = function(self, uid)
+ return "pemCertKey"
+ end
+
+ mock_ssl_configuration({
+ servers = { ["hostname"] = UUID },
+ certificates = { [UUID] = "pemCertKey" }
+ })
+
+ local s = spy.on(ngx.shared.ocsp_response_cache, "delete")
+ assert.has_no.errors(configuration.handle_servers)
+ assert.spy(s).was_not_called_with(UUID)
+ end)
+
+ it("should not delete ocsp_response_cache if certificate is empty", function()
+ ngx.shared.certificate_data.get = function(self, uid)
+ return nil
+ end
+
+ mock_ssl_configuration({
+ servers = { ["hostname"] = UUID },
+ certificates = { [UUID] = "pemCertKey" }
+ })
+
+ local s = spy.on(ngx.shared.ocsp_response_cache, "delete")
+ assert.has_no.errors(configuration.handle_servers)
+ assert.spy(s).was_not_called_with(UUID)
+ end)
+
+ it("should delete ocsp_response_cache if certificate changed", function()
+ local stored_entries = {
+ [UUID] = "pemCertKey"
+ }
+
+ ngx.shared.certificate_data.get = function(self, uid)
+ return stored_entries[uid]
+ end
+
+ mock_ssl_configuration({
+ servers = { ["hostname"] = UUID },
+ certificates = { [UUID] = "pemCertKey2" }
+ })
+
+ local s = spy.on(ngx.shared.ocsp_response_cache, "delete")
+
+ assert.has_no.errors(configuration.handle_servers)
+ assert.spy(s).was.called_with(ocsp_response_cache, UUID)
+ end)
+
 it("deletes server with empty UID without touching the corresponding certificate", function()
 mock_ssl_configuration({
 servers = { ["hostname"] = UUID },
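Review bot: The negative assertions in the first two new tests are vacuous: delete is invoked as a method in configuration.lua, so the spy records the arguments `(ocsp_response_cache, UUID)`, and `was_not_called_with(UUID)` passes whether or not delete ran — the third test gets it right with `was.called_with(ocsp_response_cache, UUID)`. In the "certificate is empty" case `certificate_data:get` returns nil, so `old_cert ~= cert` is true and handle_servers does call delete; once the assertion is corrected to `assert.spy(s).was_not_called_with(ocsp_response_cache, UUID)` that test fails, so either its expectation should become `was.called_with(...)` or the invalidation in configuration.lua should be guarded with `if old_cert and old_cert ~= cert then`. Each test also overwrites `ngx.shared.certificate_data.get` on the shared mock without restoring it, which may leak into later cases unless an after_each resets it; the enclosing describe block starts and ends outside this hunk.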