SSL support, completion of bb498ffb459b88cc9889d30f68a1e267bec102bb #44

wants to merge 24 commits into
base: master
3f077a0
add ssl support
sitano Aug 24, 2015
e9a373d
reuse ctx.type to allow https
sitano Aug 25, 2015
282f5b8
Merge branch 'master' into ssl_support
ElvinEfendi Jan 18, 2017
0ee70dd
a blank line before the else line
ElvinEfendi Jan 18, 2017
212b25a
session reuse
ElvinEfendi Jan 18, 2017
19a0b13
initial ssl testing
ElvinEfendi Jan 19, 2017
20e6ba3
when ssl_verify, fail if certificate missmatch
ElvinEfendi Jan 23, 2017
a63f03f
added tests for SSL health check
ElvinEfendi Jan 23, 2017
6819ea7
removed trailing whitespace
ElvinEfendi Jan 23, 2017
3034363
assert that ssl session is reused
ElvinEfendi Jan 23, 2017
e568b74
make ssl session reuse optional
ElvinEfendi Jan 23, 2017
44fcbef
document ssl_reuse_session flag
ElvinEfendi Jan 23, 2017
9eaa01c
return test plan back with the adjusted number
ElvinEfendi Jan 23, 2017
0623e89
Merge pull request #1 from Shopify/ssl_support
ElvinEfendi Jan 27, 2017
ba4bdf3
avoid permission requirement by using port > 1024
ElvinEfendi Jan 27, 2017
62ff3e1
Merge pull request #2 from Shopify/use-different-port
ElvinEfendi Jan 27, 2017
683b771
make sure session is declared as local variable
ElvinEfendi Feb 15, 2017
63eaad5
make sure line lengths do not exceed 80
ElvinEfendi Feb 15, 2017
ec633a8
use new *_by_lua_block directive
ElvinEfendi Feb 15, 2017
109526c
Merge pull request #3 from Shopify/comply-with-lua-releng-requirements
ElvinEfendi Feb 15, 2017
e09b29e
bump version
ElvinEfendi Feb 15, 2017
6227b39
add missing comma
ElvinEfendi Feb 22, 2017
ce88ef0
let users to pass custom server_name to tcpsock:sslhandshake function
ElvinEfendi Feb 22, 2017
bb498ff
Merge pull request #5 from Shopify/custom-server-name-option
ElvinEfendi Feb 22, 2017
7 changes: 6 additions & 1 deletion README.markdown
Expand Up @@ -54,8 +54,13 @@ http {
local ok, err = hc.spawn_checker{
shm = "healthcheck", -- defined by "lua_shared_dict"
upstream = "foo.com", -- defined by "upstream"

type = "http",

-- type = "https",
-- ssl_verify = true, -- verify SSL certs
-- ssl_server_name = "custom_server_name" -- if given, will be passed to tcpsock:sslhandshake as server_name instead of peer.name
-- ssl_reuse_session = true, -- this makes sure SSL session will be reused

http_req = "GET /status HTTP/1.0\r\nHost: foo.com\r\n\r\n",
-- raw HTTP request for checking

49 changes: 35 additions & 14 deletions lib/resty/upstream/healthcheck.lua
Expand Up @@ -20,7 +20,7 @@ local wait = ngx.thread.wait
local pcall = pcall

local _M = {
_VERSION = '0.03'
_VERSION = '0.04'
}

if not ngx.config
Expand Down Expand Up @@ -230,16 +230,29 @@ local function check_peer(ctx, id, peer, is_backup)
ok, err = sock:connect(name)
end
if not ok then
if not peer.down then
errlog("failed to connect to ", name, ": ", err)
return peer_error(ctx, is_backup, id, peer,
"failed to connect to ", name, ": ", err)
end

if ctx.type == "https" then
local session, err = sock:sslhandshake(ctx.session,
ctx.ssl_server_name or name,
ctx.ssl_verify)
if not session then
peer_error(ctx, is_backup, id, peer,
"failed to do SSL handshake: ", name, ": ", err)
return sock:close()
end
if ctx.ssl_reuse_session then
ctx.session = session
end
return peer_fail(ctx, is_backup, id, peer)
end

local bytes, err = sock:send(req)
if not bytes then
return peer_error(ctx, is_backup, id, peer,
"failed to send request to ", name, ": ", err)
peer_error(ctx, is_backup, id, peer,
"failed to send request to ", name, ": ", err)
return sock:close()
end

local status_line, err = sock:receive()
Expand All @@ -260,16 +273,15 @@ local function check_peer(ctx, id, peer, is_backup)
peer_error(ctx, is_backup, id, peer,
"bad status line from ", name, ": ",
status_line)
sock:close()
return
return sock:close()
end

local status = tonumber(sub(status_line, from, to))
if not statuses[status] then
peer_error(ctx, is_backup, id, peer, "bad status code from ",
name, ": ", status)
sock:close()
return
peer_error(ctx, is_backup, id, peer,
"bad status code from ", name, ": ",
status)
return sock:close()
end
end

Expand Down Expand Up @@ -530,10 +542,14 @@ function _M.spawn_checker(opts)
return nil, "\"type\" option required"
end

if typ ~= "http" then
return nil, "only \"http\" type is supported right now"
if typ ~= "http" and typ ~= "https" then
return nil, "no support for this protocol type"
end

local ssl_verify = opts.ssl_verify and true

local ssl_reuse_session = opts.ssl_reuse_session and true

local http_req = opts.http_req
if not http_req then
return nil, "\"http_req\" option required"
Expand Down Expand Up @@ -611,6 +627,10 @@ function _M.spawn_checker(opts)
upstream = u,
primary_peers = preprocess_peers(ppeers),
backup_peers = preprocess_peers(bpeers),
type = typ,
ssl_verify = ssl_verify,
ssl_reuse_session = ssl_reuse_session,
ssl_server_name = opts.ssl_server_name,
http_req = http_req,
timeout = timeout,
interval = interval,
Expand All @@ -620,6 +640,7 @@ function _M.spawn_checker(opts)
statuses = statuses,
version = 0,
concurrency = concur,
session = nil,
}

local ok, err = new_timer(0, check, ctx)
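Review bot: In the sslhandshake hunk the resumed session is cached on `ctx`, which is one table per upstream, so a session negotiated with one peer is passed as the first argument to the handshake with every other peer of that upstream and is overwritten by whichever concurrent checker thread finishes last; at best that is a wasted resumption attempt, at worst it resumes state obtained from a different host. Keeping it on the peer table, e.g. `peer.ssl_session = session` and passing `peer.ssl_session` instead of `ctx.session`, scopes reuse to the host that issued it. `name` is assigned before the hunk (check_peer starts outside it); if it is the upstream peer name in `host:port` form, the default server_name given to sslhandshake carries the port and for IP peers is not a hostname at all, so `ssl_verify = true` will presumably only pass with an explicit `ssl_server_name`, which the README line for `ssl_verify` should state together with the fact that `opts.ssl_verify and true` leaves verification off unless the caller opts in. The `session = nil,` entry in the ctx constructor of the last hunk is a no-op in Lua (the key is simply absent) and can be dropped.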