diff -Npru nginx-1.4.1/src/http/modules/ngx_http_proxy_module.c nginx-1.4.1-proxy-ssl-verification/src/http/modules/ngx_http_proxy_module.c --- nginx-1.4.1/src/http/modules/ngx_http_proxy_module.c 2013-05-06 13:26:50.000000000 +0300 +++ nginx-1.4.1-proxy-ssl-verification/src/http/modules/ngx_http_proxy_module.c 2013-09-03 15:23:15.607874155 +0300 @@ -74,6 +74,11 @@ typedef struct { ngx_uint_t http_version; +#if (NGX_HTTP_SSL) + ngx_uint_t ssl_verify_depth; + ngx_str_t ssl_trusted_certificate; +#endif + ngx_uint_t headers_hash_max_size; ngx_uint_t headers_hash_bucket_size; } ngx_http_proxy_loc_conf_t; @@ -510,6 +515,27 @@ static ngx_command_t ngx_http_proxy_com NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_session_reuse), NULL }, + + { ngx_string("proxy_ssl_verify"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_flag_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_verify), + NULL }, + + { ngx_string("proxy_ssl_verify_depth"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_verify_depth), + NULL }, + + { ngx_string("proxy_ssl_trusted_certificate"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, ssl_trusted_certificate), + NULL }, #endif @@ -2382,6 +2408,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ * conf->body_set = NULL; * conf->body_source = { 0, NULL }; * conf->redirects = NULL; + * conf->ssl_trusted_certificate = NULL; */ conf->upstream.store = NGX_CONF_UNSET; @@ -2419,8 +2446,11 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ conf->upstream.pass_headers = NGX_CONF_UNSET_PTR; conf->upstream.intercept_errors = NGX_CONF_UNSET; + #if (NGX_HTTP_SSL) conf->upstream.ssl_session_reuse = NGX_CONF_UNSET; + conf->upstream.ssl_verify = NGX_CONF_UNSET; + conf->ssl_verify_depth = NGX_CONF_UNSET_UINT; #endif /* "proxy_cyclic_temp_file" is disabled */ @@ -2695,8 +2725,36 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t prev->upstream.intercept_errors, 0); #if (NGX_HTTP_SSL) + ngx_conf_merge_value(conf->upstream.ssl_session_reuse, prev->upstream.ssl_session_reuse, 1); + ngx_conf_merge_value(conf->upstream.ssl_verify, + prev->upstream.ssl_verify, 0); + ngx_conf_merge_uint_value(conf->ssl_verify_depth, + prev->ssl_verify_depth, 1); + ngx_conf_merge_str_value(conf->ssl_trusted_certificate, + prev->ssl_trusted_certificate, ""); + + if (conf->upstream.ssl && conf->upstream.ssl_verify) { + if (conf->ssl_trusted_certificate.len == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "no \"proxy_ssl_trusted_certificate\" is " + " defined for the \"proxy_ssl_verify\" " + "directive"); + + return NGX_CONF_ERROR; + } + } + + if (conf->upstream.ssl + && ngx_ssl_trusted_certificate(cf, conf->upstream.ssl, + &conf->ssl_trusted_certificate, + conf->ssl_verify_depth) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + #endif ngx_conf_merge_value(conf->redirect, prev->redirect, 1); diff -Npru nginx-1.4.1/src/http/ngx_http_upstream.c nginx-1.4.1-proxy-ssl-verification/src/http/ngx_http_upstream.c --- nginx-1.4.1/src/http/ngx_http_upstream.c 2013-05-06 13:26:50.000000000 +0300 +++ nginx-1.4.1-proxy-ssl-verification/src/http/ngx_http_upstream.c 2013-09-03 15:23:15.611874377 +0300 @@ -1319,12 +1319,30 @@ ngx_http_upstream_ssl_handshake(ngx_conn { ngx_http_request_t *r; ngx_http_upstream_t *u; - + X509 *cert; + r = c->data; u = r->upstream; if (c->ssl->handshaked) { - + if (u->conf->ssl_verify) { + if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "upstream ssl certificate validation failed"); + goto fail; + } + + cert = SSL_get_peer_certificate(c->ssl->connection); + + if (cert == NULL) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "upstream sent no required SSL certificate"); + goto fail; + } + + X509_free(cert); + } + if (u->conf->ssl_session_reuse) { u->peer.save_session(&u->peer, u->peer.data); } @@ -1332,13 +1350,21 @@ ngx_http_upstream_ssl_handshake(ngx_conn c->write->handler = ngx_http_upstream_handler; c->read->handler = ngx_http_upstream_handler; + c = r->connection; + ngx_http_upstream_send_request(r, u); + ngx_http_run_posted_requests(c); + return; } +fail: + c = r->connection; + ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); + ngx_http_run_posted_requests(c); } #endif diff -Npru nginx-1.4.1/src/http/ngx_http_upstream.h nginx-1.4.1-proxy-ssl-verification/src/http/ngx_http_upstream.h --- nginx-1.4.1/src/http/ngx_http_upstream.h 2013-05-06 13:26:50.000000000 +0300 +++ nginx-1.4.1-proxy-ssl-verification/src/http/ngx_http_upstream.h 2013-09-03 15:23:15.611874377 +0300 @@ -191,6 +191,7 @@ typedef struct { #if (NGX_HTTP_SSL) ngx_ssl_t *ssl; ngx_flag_t ssl_session_reuse; + ngx_flag_t ssl_verify; #endif ngx_str_t module;