Merge branch 'hamishforbes-ssl-cosocket'

calio · calio · commit 0a77946ab155 · 2015-02-09T14:41:42.000-08:00
diff --git a/README.md b/README.md
@@ -131,6 +131,18 @@ Available user configurations are listed as follows:
 
     Periodic flush interval (in seconds). Set to `nil` to turn off this feature.
 
+* `ssl`
+
+    Boolean, enable or disable connecting via SSL. Default to false.
+
+* `ssl_verify`
+
+    Boolean, enable or disable verifying host and certificate match. Default to true.
+
+* `sni_host`
+
+    Set the hostname to send in SNI and to use when verifying certificate match.
+
 [Back to TOC](#table-of-contents)
 
 initted
diff --git a/lib/resty/logger/socket.lua b/lib/resty/logger/socket.lua
@@ -49,6 +49,9 @@ local drop_limit            = 1048576      -- 1MB
 local timeout               = 1000         -- 1 sec
 local host
 local port
+local ssl                   = false
+local ssl_verify            = true
+local sni_host
 local path
 local max_buffer_reuse      = 10000        -- reuse buffer for at most 10000
                                            -- times
@@ -77,7 +80,7 @@ local pool_size             = 10
 local flushing
 local logger_initted
 local counter               = 0
-
+local ssl_session
 
 local function _write_error(msg)
     last_error = msg
@@ -110,6 +113,21 @@ local function _do_connect()
     return sock
 end
 
+local function _do_handshake(sock)
+    if not ssl then
+        return sock
+    end
+
+    local session, err = sock:sslhandshake(ssl_session, sni_host or host,
+                                           ssl_verify)
+    if not session then
+        return nil, err
+    end
+
+    ssl_session = session
+    return sock
+end
+
 local function _connect()
     local err, sock
 
@@ -129,8 +147,11 @@ local function _connect()
         sock, err = _do_connect()
 
         if sock then
-            connected = true
-            break
+            sock, err = _do_handshake(sock)
+            if sock then
+                connected = true
+                break
+            end
         end
 
         if debug then
@@ -360,6 +381,12 @@ function _M.init(user_config)
             max_buffer_reuse = v
         elseif k == "periodic_flush" then
             periodic_flush = v
+        elseif k == "ssl" then
+            ssl = v
+        elseif k == "ssl_verify" then
+            ssl_verify = v
+        elseif k == "sni_host" then
+            sni_host = v
         end
     end
 
diff --git a/t/cert/test.crt b/t/cert/test.crt
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgzCCAmugAwIBAgIJALyCyaxg9zbFMA0GCSqGSIb3DQEBBQUAMFgxCzAJBgNV
+BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
+aWRnaXRzIFB0eSBMdGQxETAPBgNVBAMMCHRlc3QuY29tMB4XDTE1MDIwOTIwMDEy
+M1oXDTE2MDIwOTIwMDEyM1owWDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUt
+U3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDERMA8GA1UE
+AwwIdGVzdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDtWTKs
+uFmcJcwQizcCHQXWXZO62h1IOuuE2+lygpJTjHgVeFniH7hRiXWLviza0RdvBx1j
+eTy1/OVGPOZo/mFNVkAQ4h3YBNphQxwlXIj+tzLH6/OPozKj+JsKXJU9VrBSyw2W
+KR1G+F+9NmEuteH361YR3O1WUrWuihCgXGc3VXevEyS4rjvu4pV8x73LUQJ7Hphm
+/rm9mAuLSXIDIZMewgg5lQKbVTEYKJppdLv0GztLztXmuNzD7ohmbksHfzCwPJ7b
+d4kdDeivVj+mw//TShWgDGSs/VkUbGrLjJ6wJBM84jbnlJuMEQezlFsCQbgv+AK5
+ypR6ZpcPkhfeaimHAgMBAAGjUDBOMB0GA1UdDgQWBBT07/1maBvi4l1OsOtj/pow
+F91UhzAfBgNVHSMEGDAWgBT07/1maBvi4l1OsOtj/powF91UhzAMBgNVHRMEBTAD
+AQH/MA0GCSqGSIb3DQEBBQUAA4IBAQBSQKKiuE9zAb3QsCPAgqW+XmPVSoMcAdfV
+/cJCLkGWnEUsiCX+D7M4+BqDxj4tnWXfwUD8kk86w1KCMTCyVSZXT9ru99RFaPF/
+/VGXXxXAQGcck3RqoURct4vcK1M5JJI7+89bu2gP9SbeFebPN+eaVaSdVyEAU3WU
+IA+2Oa1GDrVMG/ilJvG2g7ON0R21L5CggiPleYPEf9ACqN+QgCq3ms+6jwTs4L2n
+DPzRmgjvnEU8XOnt30SiEzWsBlOf54kIsyypBGEeHOqJhbIPpp2N7CDkz4Hzjh4S
+pwjA69Xy5W+MfiL/Swd+uzatmylAswM/Tuw4P7Levd7QdT8HLvt+
+-----END CERTIFICATE-----
diff --git a/t/cert/test.key b/t/cert/test.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDtWTKsuFmcJcwQ
+izcCHQXWXZO62h1IOuuE2+lygpJTjHgVeFniH7hRiXWLviza0RdvBx1jeTy1/OVG
+POZo/mFNVkAQ4h3YBNphQxwlXIj+tzLH6/OPozKj+JsKXJU9VrBSyw2WKR1G+F+9
+NmEuteH361YR3O1WUrWuihCgXGc3VXevEyS4rjvu4pV8x73LUQJ7Hphm/rm9mAuL
+SXIDIZMewgg5lQKbVTEYKJppdLv0GztLztXmuNzD7ohmbksHfzCwPJ7bd4kdDeiv
+Vj+mw//TShWgDGSs/VkUbGrLjJ6wJBM84jbnlJuMEQezlFsCQbgv+AK5ypR6ZpcP
+khfeaimHAgMBAAECggEACY3Dmmw5Py3OTwQrjKw6ZeySW70X3KZygICRnwhed3p6
+AvM7Ovzn4HBWCO/4wj4UYWW56x0gMnshh3hAFg3XQNOt9IAFj4Jyf+PBqEdXRFl/
+c8itnySEj1EcfIhJgZSRuGNwApFZGlg5Ela0BrtPgzk317Q64XSm14W7MZlGllWI
+iZZEh1q1TTA1CfroLjK0XOQqK+EQwkNuKca4T8YytcJVG6eSJApoYf0pKNVgRTnW
+tFAa3TrzxqhEEfw4dlIce6kTrGrNxhb2QZ2OeoYzsO140bn+yXs80a8reIxSWpzK
+lag6rMkonKCmKi8cU1HQbKbLPskteXs+Fx+PzJKlMQKBgQD3Jn/GN/S4TRpEw6R7
+CgsVZ/rhBGaYB2lEyYOb72Ex7BQFFAiqDes9EEssvd+0baRnVxkd0GCGtbF0laor
+ogDTDLuYv8VCaBmWZAy8aFhZbT8ygLjAjhOU1p5PWXgngyj+cPo5K0Hj1W/xCDcv
+0bmjhFguHlx1M6hhPO7ABYYjewKBgQD12NlsUdRttdIxEaV6KA2WKcvi2zIspUdi
+TBIaiq1P7a2KO2oDMStqlDvWSIvM2kyGHM6kWuAZWC5zSBndjHMH3+hXrHBEreVX
+3dcvx2El/3O36zuGSEBMye/EIlSe323dPohGObgW1iSaLdw+8dP+TiaJV6coh03g
+MffgFTVeZQKBgQD1a196P9pcoQOywOu12jVDXmt7wlj2InXf/pMX508GubzvhgNM
+imHL00Ay/6ECk9WrYIvqVR9k5Ut/z5aZmVdkO8KVXejNln3CHzueY6dHtfoJdlT/
+sJW1OKEffmKYKeAtOZbf6hqV2T49hMD4VTQYMbU2pqN9JnzPgig6ucGHvQKBgDpn
+TpeWBQIfLJTtnUMc2sVunnoBGrVSelfWvIJDqZKQYyawoKmrd6X1GxX33AZJYd6G
+X2zaDdzXfwlx+nsQT49yWM7jLzSRnyc1k1ZNZj3RptrtbhGjfmr/mg8dHL81UvM5
+VMRiF+KM8tsRw/3ME1GZnTwJb7OIGS8Gj91TDH+lAoGBAO/noqWfPpKlWB3gjj5q
+mUZXyHiqo7Rze5cLCif2CBt3GIhT/XS97kCJZLbWRUC/Hy7ncTtq/aATmqKkhr2U
+Uov2oz0B64/L89Ymy0KsAJczdoKWEd5A+Wg1uW+yju01Ds0sO3uW1HQJlqxPTTDE
+cMyz91ugbaoCZV877haZMklH
+-----END PRIVATE KEY-----
diff --git a/t/sanity.t b/t/sanity.t
@@ -5,10 +5,10 @@ use Cwd qw(cwd);
 
 repeat_each(2);
 
-plan tests => repeat_each() * (blocks() * 4 + 5);
+plan tests => repeat_each() * (blocks() * 4 + 4);
 our $HtmlDir = html_dir;
 
-my $pwd = cwd();
+our $pwd = cwd();
 
 our $HttpConfig = qq{
     lua_package_path "$pwd/lib/?.lua;;";
@@ -699,3 +699,183 @@ GET /t
 foo
 wrote bytes: 3
 wrote bytes: 3
+
+
+
+=== TEST 17: SSL logging
+--- http_config eval
+"
+    lua_package_path '$::pwd/lib/?.lua;;';
+    server {
+        listen unix:$::HtmlDir/ssl.sock ssl;
+        server_name test.com;
+        ssl_certificate $::pwd/t/cert/test.crt;
+        ssl_certificate_key $::pwd/t/cert/test.key;
+
+        location /test {
+            lua_need_request_body on;
+            default_type 'text/plain';
+            # 204 No content
+            content_by_lua '
+                ngx.log(ngx.WARN, \"Message received: \", ngx.var.http_message)
+                ngx.log(ngx.WARN, \"SNI Host: \", ngx.var.ssl_server_name)
+                ngx.exit(204)
+            ';
+        }
+    }
+"
+--- config
+    location /t {
+        content_by_lua '
+            ngx.say("foo")
+            local logger = require "resty.logger.socket"
+            if not logger.initted() then
+                local ok, err = logger.init{
+                    path = "$TEST_NGINX_HTML_DIR/ssl.sock",
+                    flush_limit = 1,
+                    drop_limit = 10000,
+                    retry_interval = 1,
+                    timeout = 50,
+                    ssl = true,
+                    ssl_verify = false,
+                    sni_host = "test.com",
+                }
+            end
+
+            local bytes, err
+            bytes, err = logger.log("GET /test HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\nMessage: Hello SSL\\r\\n\\r\\n")
+            if err then
+                ngx.log(ngx.ERR, err)
+            end
+            ngx.say("wrote bytes: ", bytes)
+
+            ngx.sleep(0.05)
+        ';
+    }
+--- request
+GET /t
+--- wait: 0.1
+--- response_body
+foo
+wrote bytes: 77
+--- error_log
+Message received: Hello SSL
+SNI Host: test.com
+
+
+
+=== TEST 18: SSL logging - Verify
+--- http_config eval
+"
+    lua_package_path '$::pwd/lib/?.lua;;';
+    server {
+        listen unix:$::HtmlDir/ssl.sock ssl;
+        server_name test.com;
+        ssl_certificate $::pwd/t/cert/test.crt;
+        ssl_certificate_key $::pwd/t/cert/test.key;
+
+        location /test {
+            lua_need_request_body on;
+            default_type 'text/plain';
+            # 204 No content
+            content_by_lua 'ngx.log(ngx.WARN, \"Message received: \", ngx.var.http_message) ngx.exit(204)';
+        }
+    }
+"
+--- config
+    location /t {
+        content_by_lua '
+            ngx.say("foo")
+            local logger = require "resty.logger.socket"
+            if not logger.initted() then
+                local ok, err = logger.init{
+                    path = "$TEST_NGINX_HTML_DIR/ssl.sock",
+                    flush_limit = 1,
+                    drop_limit = 10000,
+                    retry_interval = 1,
+                    timeout = 50,
+                    ssl = true,
+                    ssl_verify = true,
+                    sni_host = "test.com",
+                }
+            end
+
+            local bytes, err
+            bytes, err = logger.log("GET /test HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\nMessage: Hello SSL\\r\\n\\r\\n")
+            if err then
+                ngx.log(ngx.ERR, err)
+            end
+            ngx.say("wrote bytes: ", bytes)
+
+            ngx.sleep(0.05)
+        ';
+    }
+--- request
+GET /t
+--- wait: 0.1
+--- response_body
+foo
+wrote bytes: 77
+--- error_log
+lua ssl certificate verify error
+
+
+
+=== TEST 19: SSL logging - No SNI
+--- http_config eval
+"
+    lua_package_path '$::pwd/lib/?.lua;;';
+    server {
+        listen unix:$::HtmlDir/ssl.sock ssl;
+        server_name test.com;
+        ssl_certificate $::pwd/t/cert/test.crt;
+        ssl_certificate_key $::pwd/t/cert/test.key;
+
+        location /test {
+            lua_need_request_body on;
+            default_type 'text/plain';
+            # 204 No content
+            content_by_lua '
+                ngx.log(ngx.WARN, \"Message received: \", ngx.var.http_message)
+                ngx.log(ngx.WARN, \"SNI Host: \", ngx.var.ssl_server_name)
+                ngx.exit(204)
+            ';
+        }
+    }
+"
+--- config
+    location /t {
+        content_by_lua '
+            ngx.say("foo")
+            local logger = require "resty.logger.socket"
+            if not logger.initted() then
+                local ok, err = logger.init{
+                    path = "$TEST_NGINX_HTML_DIR/ssl.sock",
+                    flush_limit = 1,
+                    drop_limit = 10000,
+                    retry_interval = 1,
+                    timeout = 50,
+                    ssl = true,
+                    ssl_verify = false,
+                }
+            end
+
+            local bytes, err
+            bytes, err = logger.log("GET /test HTTP/1.0\\r\\nHost: test.com\\r\\nConnection: close\\r\\nMessage: Hello SSL\\r\\n\\r\\n")
+            if err then
+                ngx.log(ngx.ERR, err)
+            end
+            ngx.say("wrote bytes: ", bytes)
+
+            ngx.sleep(0.05)
+        ';
+    }
+--- request
+GET /t
+--- wait: 0.1
+--- response_body
+foo
+wrote bytes: 77
+--- error_log
+Message received: Hello SSL
+SNI Host: nil
