From 73e659f5fc8cc36df628299a4f1aa8d7824285d6 Mon Sep 17 00:00:00 2001
From: Elvin Efendi
Date: Tue, 24 Sep 2019 21:17:02 -0400
Subject: [PATCH] improve certificate configuration detection per request
---
 rootfs/etc/nginx/lua/certificate.lua | 10 ++++++----
 rootfs/etc/nginx/lua/lua_ingress.lua | 6 +++---
 rootfs/etc/nginx/lua/test/certificate_test.lua | 17 ++++++++++++-----
 3 files changed, 21 insertions(+), 12 deletions(-)
diff --git a/rootfs/etc/nginx/lua/certificate.lua b/rootfs/etc/nginx/lua/certificate.lua
index 03d177669..eb7feabd3 100644
--- a/rootfs/etc/nginx/lua/certificate.lua
+++ b/rootfs/etc/nginx/lua/certificate.lua
@@ -48,12 +48,14 @@ local function get_pem_cert_key(raw_hostname)
 return pem_cert_key
 end
 
-function _M.configured_for_server(hostname)
- if not hostname then
- return false
+function _M.configured_for_current_request()
+ if ngx.ctx.configured_for_current_request ~= nil then
+ return ngx.ctx.configured_for_current_request
 end
 
- return get_pem_cert_key(hostname) ~= nil
+ ngx.ctx.configured_for_current_request = get_pem_cert_key(ngx.var.host) ~= nil
+
+ return ngx.ctx.configured_for_current_request
 end
 
 function _M.call()
diff --git a/rootfs/etc/nginx/lua/lua_ingress.lua b/rootfs/etc/nginx/lua/lua_ingress.lua
index e3ea01b75..463924792 100644
--- a/rootfs/etc/nginx/lua/lua_ingress.lua
+++ b/rootfs/etc/nginx/lua/lua_ingress.lua
@@ -1,6 +1,6 @@
 local ngx_re_split = require("ngx.re").split
-local certificate_configured_for_server = require("certificate").configured_for_server
+local certificate_configured_for_current_request = require("certificate").configured_for_current_request
 local original_randomseed = math.randomseed
 local string_format = string.format
@@ -69,7 +69,7 @@ local function redirect_to_https(location_config)
 return true
 end
 
- return location_config.ssl_redirect and certificate_configured_for_server(ngx.var.host)
+ return location_config.ssl_redirect and certificate_configured_for_current_request()
 end
 
 local function redirect_host()
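Review bot: The `if not hostname then return false` guard that the removed `configured_for_server` carried has no counterpart in `configured_for_current_request`; the new `ngx.ctx.configured_for_current_request = get_pem_cert_key(ngx.var.host) ~= nil` line hands `ngx.var.host` straight to the helper, and whether `get_pem_cert_key` tolerates a nil host is not visible here because its body starts above this hunk. If it does not, a request without a usable host would raise where the old code returned false, so consider `local host = ngx.var.host` followed by `if not host then ngx.ctx.configured_for_current_request = false; return false end` ahead of the lookup. The function also lost the explicit parameter that documented its input; a header comment such as `-- Memoized per request in ngx.ctx; the lookup is keyed on ngx.var.host, so this must run in a request context.` would record the dependency the signature no longer shows.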
@@ -143,7 +143,7 @@ function _M.rewrite(location_config)
 ngx_redirect(uri, config.http_redirect_code)
 end
 
- if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_server(ngx.var.host) then
+ if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_current_request then
 local value = "max-age=" .. config.hsts_max_age
 if config.hsts_include_subdomains then
 value = value .. "; includeSubDomains"
diff --git a/rootfs/etc/nginx/lua/test/certificate_test.lua b/rootfs/etc/nginx/lua/test/certificate_test.lua
index 3d9e44e66..dc9b3dcfd 100644
--- a/rootfs/etc/nginx/lua/test/certificate_test.lua
+++ b/rootfs/etc/nginx/lua/test/certificate_test.lua
@@ -130,21 +130,28 @@ describe("Certificate", function()
 end)
 end)
 
- describe("configured_for_server", function()
+ describe("configured_for_current_request", function()
 before_each(function()
+ local _ngx = { var = { host = "hostname" } }
+ setmetatable(_ngx, {__index = _G.ngx})
+ _G.ngx = _ngx
+ ngx.ctx.configured_for_current_request = nil
+
 set_certificate("hostname", EXAMPLE_CERT, UUID)
 end)
 
 it("returns true when certificate exists for given server", function()
- assert.is_true(certificate.configured_for_server("hostname"))
+ assert.is_true(certificate.configured_for_current_request())
 end)
 
 it("returns false when certificate does not exist for given server", function()
- assert.is_false(certificate.configured_for_server("hostname.xyz"))
+ ngx.var.host = "hostname.xyz"
+ assert.is_false(certificate.configured_for_current_request())
 end)
 
- it("returns false when no server given", function()
- assert.is_false(certificate.configured_for_server())
+ it("returns cached value from ngx.ctx", function()
+ ngx.ctx.configured_for_current_request = false
+ assert.is_false(certificate.configured_for_current_request())
 end)
 end)
 end)
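Review bot: The rewritten condition `if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_current_request then` tests the function value instead of calling it, so the third operand is always truthy and the Strict-Transport-Security header is now emitted on every HTTPS response regardless of whether a certificate is configured for the host; the sibling hunk in `redirect_to_https` gets the call right. The line should read `if config.hsts and ngx.var.scheme == "https" and certificate_configured_for_current_request() then`. None of the test changes in this commit exercise this HSTS branch, so a case asserting that the header is absent when no certificate is configured for the host would have caught the missing parentheses. `_M.rewrite` starts above this hunk and continues below it.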
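Review bot: The `before_each` installs a fresh wrapper on the `_G.ngx = _ngx` line around whatever `_G.ngx` currently is, but nothing restores the previous value, so each test in this block wraps the wrapper left by the one before and the `var.host = "hostname"` override remains in `_G.ngx` once the block ends, unless the harness resets `ngx` between blocks (not visible here). Capture `local original_ngx = _G.ngx` at the top of the describe body and add `after_each(function() _G.ngx = original_ngx end)`. Note also that `ngx.ctx.configured_for_current_request = nil` resolves through the metatable to the shared mock's `ctx` table, so the cached flag is file-level state in these tests rather than the per-request state it is under nginx; the explicit reset is what keeps the three cases independent.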