improve certificate configuration detection per request

2019-09-24 21:17:02 -04:00 · 2019-09-24 21:17:02 -04:00 · 73e659f5fc
commit 73e659f5fc
parent c5a8357f1d
3 changed files with 21 additions and 12 deletions
--- a/rootfs/etc/nginx/lua/certificate.lua
+++ b/rootfs/etc/nginx/lua/certificate.lua
@ -48,12 +48,14 @@ local function get_pem_cert_key(raw_hostname)
  return pem_cert_key
 end

-function _M.configured_for_server(hostname)
-  if not hostname then
-    return false
+function _M.configured_for_current_request()
+  if ngx.ctx.configured_for_current_request ~= nil then
+    return ngx.ctx.configured_for_current_request
  end

-  return get_pem_cert_key(hostname) ~= nil
+  ngx.ctx.configured_for_current_request = get_pem_cert_key(ngx.var.host) ~= nil
+
+  return ngx.ctx.configured_for_current_request
 end

 function _M.call()
--- a/rootfs/etc/nginx/lua/lua_ingress.lua
+++ b/rootfs/etc/nginx/lua/lua_ingress.lua
@ -1,6 +1,6 @@
 local ngx_re_split = require("ngx.re").split

-local certificate_configured_for_server = require("certificate").configured_for_server
+local certificate_configured_for_current_request = require("certificate").configured_for_current_request

 local original_randomseed = math.randomseed
 local string_format = string.format
@ -69,7 +69,7 @@ local function redirect_to_https(location_config)
    return true
  end

-  return location_config.ssl_redirect and certificate_configured_for_server(ngx.var.host)
+  return location_config.ssl_redirect and certificate_configured_for_current_request()
 end

 local function redirect_host()
@ -143,7 +143,7 @@ function _M.rewrite(location_config)
    ngx_redirect(uri, config.http_redirect_code)
  end

-  if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_server(ngx.var.host) then
+  if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_current_request then
    local value = "max-age=" .. config.hsts_max_age
    if config.hsts_include_subdomains then
      value = value .. "; includeSubDomains"
--- a/rootfs/etc/nginx/lua/test/certificate_test.lua
+++ b/rootfs/etc/nginx/lua/test/certificate_test.lua
@ -130,21 +130,28 @@ describe("Certificate", function()
    end)
  end)

-  describe("configured_for_server", function()
+  describe("configured_for_current_request", function()
    before_each(function()
+      local _ngx = { var = { host = "hostname" } }
+      setmetatable(_ngx, {__index = _G.ngx})
+      _G.ngx = _ngx
+      ngx.ctx.configured_for_current_request = nil
+
      set_certificate("hostname", EXAMPLE_CERT, UUID)
    end)

    it("returns true when certificate exists for given server", function()
-      assert.is_true(certificate.configured_for_server("hostname"))
+      assert.is_true(certificate.configured_for_current_request())
    end)

    it("returns false when certificate does not exist for given server", function()
-      assert.is_false(certificate.configured_for_server("hostname.xyz"))
+      ngx.var.host = "hostname.xyz"
+      assert.is_false(certificate.configured_for_current_request())
    end)

-    it("returns false when no server given", function()
-      assert.is_false(certificate.configured_for_server())
+    it("returns cached value from ngx.ctx", function()
+      ngx.ctx.configured_for_current_request = false
+      assert.is_false(certificate.configured_for_current_request())
    end)
  end)
 end)