From 445082f11a20f11584bf8a839a20044adef8e83d Mon Sep 17 00:00:00 2001 From: lijunlong Date: Mon, 19 Jan 2026 22:23:36 +0800 Subject: [PATCH 1/8] bugfix: failed to build proxy_ssl*. --- src/ngx_http_lua_common.h | 23 +++- src/ngx_http_lua_control.c | 6 +- src/ngx_http_lua_module.c | 8 +- src/ngx_http_lua_proxy_ssl_certby.c | 155 +------------------------- src/ngx_http_lua_proxy_ssl_certby.h | 7 +- src/ngx_http_lua_proxy_ssl_verifyby.c | 4 +- src/ngx_http_lua_proxy_ssl_verifyby.h | 15 +-- src/ngx_http_lua_ssl.h | 6 +- src/ngx_http_lua_util.c | 8 +- 9 files changed, 45 insertions(+), 187 deletions(-) diff --git a/src/ngx_http_lua_common.h b/src/ngx_http_lua_common.h index 262f71feab..59d7d3b416 100644 --- a/src/ngx_http_lua_common.h +++ b/src/ngx_http_lua_common.h @@ -24,6 +24,25 @@ #include + +#if (NGX_HTTP_SSL) +#ifdef HAVE_PROXY_SSL_PATCH + +#if defined(LIBRESSL_VERSION_NUMBER) +#define HAVE_LUA_PROXY_SSL 0 +#elif defined(OPENSSL_IS_BORINGSSL) +#define HAVE_LUA_PROXY_SSL 0 +#elif defined(SSL_ERROR_WANT_RETRY_VERIFY) && \ + OPENSSL_VERSION_NUMBER >= 0x30000020uL +#define HAVE_LUA_PROXY_SSL 1 +#else +#define HAVE_LUA_PROXY_SSL 0 +#endif + +#endif /* HAVE_PROXY_SSL_PATCH */ +#endif /* NGX_HTTP_SSL */ + + #if defined(NDK) && NDK #include @@ -393,13 +412,15 @@ struct ngx_http_lua_loc_conf_s { ngx_array_t *ssl_conf_commands; #endif -#ifdef HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL ngx_http_lua_loc_conf_handler_pt proxy_ssl_cert_handler; ngx_str_t proxy_ssl_cert_src; u_char *proxy_ssl_cert_src_key; u_char *proxy_ssl_cert_chunkname; int proxy_ssl_cert_src_ref; +#endif +#if HAVE_LUA_PROXY_SSL ngx_http_lua_loc_conf_handler_pt proxy_ssl_verify_handler; ngx_str_t proxy_ssl_verify_src; u_char *proxy_ssl_verify_src_key; diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c index c3febe3094..63d0b7f56f 100644 --- a/src/ngx_http_lua_control.c +++ b/src/ngx_http_lua_control.c @@ -387,8 +387,10 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err, | NGX_HTTP_LUA_CONTEXT_TIMER | NGX_HTTP_LUA_CONTEXT_HEADER_FILTER | NGX_HTTP_LUA_CONTEXT_BALANCER -#ifdef HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT +#endif +#if HAVE_LUA_PROXY_SSL | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY #endif | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO @@ -402,7 +404,7 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err, } if (ctx->context & (NGX_HTTP_LUA_CONTEXT_SSL_CERT -#ifdef HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY #endif diff --git a/src/ngx_http_lua_module.c b/src/ngx_http_lua_module.c index 638c6ac28d..19880ff599 100644 --- a/src/ngx_http_lua_module.c +++ b/src/ngx_http_lua_module.c @@ -33,10 +33,8 @@ #include "ngx_http_lua_ssl_session_storeby.h" #include "ngx_http_lua_ssl_session_fetchby.h" -#ifdef HAVE_PROXY_SSL_PATCH #include "ngx_http_lua_proxy_ssl_certby.h" #include "ngx_http_lua_proxy_ssl_verifyby.h" -#endif #include "ngx_http_lua_headers.h" #include "ngx_http_lua_headers_out.h" @@ -698,7 +696,7 @@ static ngx_command_t ngx_http_lua_cmds[] = { 0, (void *) ngx_http_lua_ssl_sess_fetch_handler_file }, -#if HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL /* same context as proxy_pass directive */ { ngx_string("proxy_ssl_certificate_by_lua_block"), NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF|NGX_CONF_BLOCK|NGX_CONF_NOARGS, @@ -1586,7 +1584,7 @@ ngx_http_lua_create_loc_conf(ngx_conf_t *cf) #if (nginx_version >= 1019004) conf->ssl_conf_commands = NGX_CONF_UNSET_PTR; #endif -#ifdef HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL conf->proxy_ssl_cert_src_ref = LUA_REFNIL; conf->proxy_ssl_verify_src_ref = LUA_REFNIL; conf->upstream_skip_openssl_default_verify = NGX_CONF_UNSET; @@ -1693,7 +1691,7 @@ ngx_http_lua_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) NULL); #endif -#if HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL if (conf->proxy_ssl_cert_src.len == 0) { conf->proxy_ssl_cert_src = prev->proxy_ssl_cert_src; conf->proxy_ssl_cert_handler = prev->proxy_ssl_cert_handler; diff --git a/src/ngx_http_lua_proxy_ssl_certby.c b/src/ngx_http_lua_proxy_ssl_certby.c index e38d2f72bb..ee86211eb2 100644 --- a/src/ngx_http_lua_proxy_ssl_certby.c +++ b/src/ngx_http_lua_proxy_ssl_certby.c @@ -10,7 +10,6 @@ #if (NGX_HTTP_SSL) - #include "ngx_http_lua_cache.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_util.h" @@ -18,10 +17,10 @@ #include "ngx_http_lua_contentby.h" #include "ngx_http_lua_directive.h" #include "ngx_http_lua_ssl.h" - -#ifdef HAVE_PROXY_SSL_PATCH #include "ngx_http_lua_proxy_ssl_certby.h" +#if HAVE_LUA_PROXY_SSL + static void ngx_http_lua_proxy_ssl_cert_done(void *data); static void ngx_http_lua_proxy_ssl_cert_aborted(void *data); @@ -32,16 +31,6 @@ static ngx_int_t ngx_http_lua_proxy_ssl_cert_by_chunk(lua_State *L, ngx_int_t ngx_http_lua_proxy_ssl_cert_set_callback(ngx_conf_t *cf) { - -#ifdef LIBRESSL_VERSION_NUMBER - - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "LibreSSL does not support by proxy_ssl_certificate_by_lua*"); - - return NGX_ERROR; - -#else - void *plcf; ngx_http_upstream_conf_t *ucf; ngx_ssl_t *ssl; @@ -63,22 +52,9 @@ ngx_http_lua_proxy_ssl_cert_set_callback(ngx_conf_t *cf) return NGX_ERROR; } -#if OPENSSL_VERSION_NUMBER >= 0x1000205fL - SSL_CTX_set_cert_cb(ssl->ctx, ngx_http_lua_proxy_ssl_cert_handler, NULL); return NGX_OK; - -#else - - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "OpenSSL too old to support " - "proxy_ssl_certificate_by_lua*"); - - return NGX_ERROR; - -#endif - -#endif } @@ -149,16 +125,6 @@ char * ngx_http_lua_proxy_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) { -#if OPENSSL_VERSION_NUMBER < 0x1000205fL - - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "at least OpenSSL 1.0.2e required but found " - OPENSSL_VERSION_TEXT); - - return NGX_CONF_ERROR; - -#else - size_t chunkname_len; u_char *chunkname; u_char *cache_key = NULL; @@ -227,8 +193,6 @@ ngx_http_lua_proxy_ssl_cert_by_lua(ngx_conf_t *cf, ngx_command_t *cmd, llcf->proxy_ssl_cert_src_key = cache_key; return NGX_CONF_OK; - -#endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ } @@ -561,20 +525,6 @@ ngx_http_lua_ffi_proxy_ssl_get_tls1_version(ngx_http_request_t *r, char **err) int ngx_http_lua_ffi_proxy_ssl_clear_certs(ngx_http_request_t *r, char **err) { -#ifdef LIBRESSL_VERSION_NUMBER - - *err = "LibreSSL not supported"; - return NGX_ERROR; - -#else - -# if OPENSSL_VERSION_NUMBER < 0x1000205fL - - *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; - return NGX_ERROR; - -# else - ngx_http_upstream_t *u; ngx_ssl_conn_t *ssl_conn; ngx_connection_t *c; @@ -599,9 +549,6 @@ ngx_http_lua_ffi_proxy_ssl_clear_certs(ngx_http_request_t *r, char **err) SSL_certs_clear(ssl_conn); return NGX_OK; - -# endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ -#endif } @@ -609,20 +556,6 @@ int ngx_http_lua_ffi_proxy_ssl_set_der_certificate(ngx_http_request_t *r, const char *data, size_t len, char **err) { -#ifdef LIBRESSL_VERSION_NUMBER - - *err = "LibreSSL not supported"; - return NGX_ERROR; - -#else - -# if OPENSSL_VERSION_NUMBER < 0x1000205fL - - *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; - return NGX_ERROR; - -# else - ngx_http_upstream_t *u; ngx_ssl_conn_t *ssl_conn; ngx_connection_t *c; @@ -701,9 +634,6 @@ ngx_http_lua_ffi_proxy_ssl_set_der_certificate(ngx_http_request_t *r, ERR_clear_error(); return NGX_ERROR; - -# endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ -#endif } @@ -777,20 +707,6 @@ int ngx_http_lua_ffi_proxy_ssl_set_cert(ngx_http_request_t *r, void *cdata, char **err) { -#ifdef LIBRESSL_VERSION_NUMBER - - *err = "LibreSSL not supported"; - return NGX_ERROR; - -#else - -# if OPENSSL_VERSION_NUMBER < 0x1000205fL - - *err = "at least OpenSSL 1.0.2e required but found " OPENSSL_VERSION_TEXT; - return NGX_ERROR; - -# else - #ifdef OPENSSL_IS_BORINGSSL size_t i; #else @@ -862,9 +778,6 @@ ngx_http_lua_ffi_proxy_ssl_set_cert(ngx_http_request_t *r, ERR_clear_error(); return NGX_ERROR; - -# endif /* OPENSSL_VERSION_NUMBER < 0x1000205fL */ -#endif } @@ -915,67 +828,5 @@ ngx_http_lua_ffi_proxy_ssl_set_priv_key(ngx_http_request_t *r, return NGX_ERROR; } - -#else /* HAVE_PROXY_SSL_PATCH */ - - -int -ngx_http_lua_ffi_proxy_ssl_get_tls1_version(ngx_http_request_t *r, char **err) -{ - *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function"; - - return NGX_ERROR; -} - - -int -ngx_http_lua_ffi_proxy_ssl_clear_certs(ngx_http_request_t *r, char **err) -{ - *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function"; - - return NGX_ERROR; -} - - -int -ngx_http_lua_ffi_proxy_ssl_set_der_certificate(ngx_http_request_t *r, - const char *data, size_t len, char **err) -{ - *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function"; - - return NGX_ERROR; -} - - -int -ngx_http_lua_ffi_proxy_ssl_set_der_private_key(ngx_http_request_t *r, - const char *data, size_t len, char **err) -{ - *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function"; - - return NGX_ERROR; -} - - -int -ngx_http_lua_ffi_proxy_ssl_set_cert(ngx_http_request_t *r, - void *cdata, char **err) -{ - *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function"; - - return NGX_ERROR; -} - - -int -ngx_http_lua_ffi_proxy_ssl_set_priv_key(ngx_http_request_t *r, - void *cdata, char **err) -{ - *err = "Does not have HAVE_PROXY_SSL_PATCH to support this function"; - - return NGX_ERROR; -} - - -#endif /* HAVE_PROXY_SSL_PATCH */ +#endif /* HAVE_LUA_PROXY_SSL */ #endif /* NGX_HTTP_SSL */ diff --git a/src/ngx_http_lua_proxy_ssl_certby.h b/src/ngx_http_lua_proxy_ssl_certby.h index 0e3905b87a..d72ff5ed82 100644 --- a/src/ngx_http_lua_proxy_ssl_certby.h +++ b/src/ngx_http_lua_proxy_ssl_certby.h @@ -8,9 +8,7 @@ #include "ngx_http_lua_common.h" - -#if (NGX_HTTP_SSL) -#ifdef HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL /* do not introduce ngx_http_proxy_module to pollute ngx_http_lua_module.c */ extern ngx_module_t ngx_http_proxy_module; @@ -31,8 +29,7 @@ int ngx_http_lua_proxy_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data); ngx_int_t ngx_http_lua_proxy_ssl_cert_set_callback(ngx_conf_t *cf); -#endif /* HAVE_PROXY_SSL_PATCH */ -#endif /* NGX_HTTP_SSL */ +#endif /* HAVE_LUA_PROXY_SSL */ #endif /* _NGX_HTTP_LUA_PROXY_SSL_CERTBY_H_INCLUDED_ */ diff --git a/src/ngx_http_lua_proxy_ssl_verifyby.c b/src/ngx_http_lua_proxy_ssl_verifyby.c index ace9e9bcc5..db3ec2689f 100644 --- a/src/ngx_http_lua_proxy_ssl_verifyby.c +++ b/src/ngx_http_lua_proxy_ssl_verifyby.c @@ -20,7 +20,7 @@ #include "ngx_http_lua_proxy_ssl_verifyby.h" -#if HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL static void ngx_http_lua_proxy_ssl_verify_done(void *data); static void ngx_http_lua_proxy_ssl_verify_aborted(void *data); @@ -658,5 +658,5 @@ ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err) return x509; } -#endif /* HAVE_PROXY_SSL_PATCH */ +#endif /* HAVE_LUA_PROXY_SSL */ #endif /* NGX_HTTP_SSL */ diff --git a/src/ngx_http_lua_proxy_ssl_verifyby.h b/src/ngx_http_lua_proxy_ssl_verifyby.h index bba0ecbeab..4e8a8b2dc8 100644 --- a/src/ngx_http_lua_proxy_ssl_verifyby.h +++ b/src/ngx_http_lua_proxy_ssl_verifyby.h @@ -10,18 +10,7 @@ #if (NGX_HTTP_SSL) -#ifdef HAVE_PROXY_SSL_PATCH - -#if defined(LIBRESSL_VERSION_NUMBER) -#define HAVE_PROXY_SSL_PATCH 0 -#elif defined(OPENSSL_IS_BORINGSSL) -#define HAVE_PROXY_SSL_PATCH 0 -#elif defined(SSL_ERROR_WANT_RETRY_VERIFY) && \ - OPENSSL_VERSION_NUMBER >= 0x30000020uL -#define HAVE_PROXY_SSL_PATCH 1 -#else -#define HAVE_PROXY_SSL_PATCH 0 -#endif +#if HAVE_LUA_PROXY_SSL /* do not introduce ngx_http_proxy_module to pollute ngx_http_lua_module.c */ @@ -44,7 +33,7 @@ int ngx_http_lua_proxy_ssl_verify_handler(X509_STORE_CTX *x509_store, ngx_int_t ngx_http_lua_proxy_ssl_verify_set_callback(ngx_conf_t *cf); -#endif /* HAVE_PROXY_SSL_PATCH */ +#endif /* HAVE_LUA_PROXY_SSL */ #endif /* NGX_HTTP_SSL */ diff --git a/src/ngx_http_lua_ssl.h b/src/ngx_http_lua_ssl.h index 173e2dc762..a7cdc6e633 100644 --- a/src/ngx_http_lua_ssl.h +++ b/src/ngx_http_lua_ssl.h @@ -24,7 +24,7 @@ typedef struct { ngx_str_t session_id; -#ifdef HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL X509_STORE_CTX *x509_store; ngx_pool_t *pool; #endif @@ -38,7 +38,7 @@ typedef struct { request ctx data in lua registry */ -#ifdef HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL /* same size as count field of ngx_http_request_t */ unsigned original_request_count:16; #endif @@ -48,7 +48,7 @@ typedef struct { unsigned entered_client_hello_handler:1; unsigned entered_cert_handler:1; unsigned entered_sess_fetch_handler:1; -#ifdef HAVE_PROXY_SSL_PATCH +#if HAVE_LUA_PROXY_SSL unsigned entered_proxy_ssl_cert_handler:1; unsigned entered_proxy_ssl_verify_handler:1; #endif diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c index d7e697888b..be0b7c5fa2 100644 --- a/src/ngx_http_lua_util.c +++ b/src/ngx_http_lua_util.c @@ -1684,7 +1684,7 @@ ngx_http_lua_run_thread(lua_State *L, ngx_http_request_t *r, done: -#ifdef HAVE_PROXY_SSL_PATCH +#ifdef HAVE_LUA_PROXY_SSL if (ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT || ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY) { @@ -2447,7 +2447,7 @@ ngx_http_lua_handle_exit(lua_State *L, ngx_http_request_t *r, return ctx->exit_code; } -#ifdef HAVE_PROXY_SSL_PATCH +#ifdef HAVE_LUA_PROXY_SSL if (ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT || ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY) { @@ -3691,7 +3691,7 @@ ngx_http_lua_finalize_request(ngx_http_request_t *r, ngx_int_t rc) { ngx_http_lua_ctx_t *ctx; #if (NGX_HTTP_SSL) -#ifdef HAVE_PROXY_SSL_PATCH +#ifdef HAVE_LUA_PROXY_SSL ngx_http_upstream_t *u; ngx_connection_t *c; ngx_http_lua_ssl_ctx_t *cctx; @@ -3704,7 +3704,7 @@ ngx_http_lua_finalize_request(ngx_http_request_t *r, ngx_int_t rc) } #if (NGX_HTTP_SSL) -#ifdef HAVE_PROXY_SSL_PATCH +#ifdef HAVE_LUA_PROXY_SSL u = r->upstream; if (u) { c = u->peer.connection; From 376d31cc75cb01725f91d6792911588b3525f3ef Mon Sep 17 00:00:00 2001 From: lijunlong Date: Mon, 19 Jan 2026 22:28:27 +0800 Subject: [PATCH 2/8] more fixes --- src/ngx_http_lua_common.h | 2 -- src/ngx_http_lua_control.c | 2 -- src/ngx_http_lua_proxy_ssl_certby.c | 3 ++- 3 files changed, 2 insertions(+), 5 deletions(-) diff --git a/src/ngx_http_lua_common.h b/src/ngx_http_lua_common.h index 59d7d3b416..09212f8b07 100644 --- a/src/ngx_http_lua_common.h +++ b/src/ngx_http_lua_common.h @@ -418,9 +418,7 @@ struct ngx_http_lua_loc_conf_s { u_char *proxy_ssl_cert_src_key; u_char *proxy_ssl_cert_chunkname; int proxy_ssl_cert_src_ref; -#endif -#if HAVE_LUA_PROXY_SSL ngx_http_lua_loc_conf_handler_pt proxy_ssl_verify_handler; ngx_str_t proxy_ssl_verify_src; u_char *proxy_ssl_verify_src_key; diff --git a/src/ngx_http_lua_control.c b/src/ngx_http_lua_control.c index 63d0b7f56f..895604c42c 100644 --- a/src/ngx_http_lua_control.c +++ b/src/ngx_http_lua_control.c @@ -389,8 +389,6 @@ ngx_http_lua_ffi_exit(ngx_http_request_t *r, int status, u_char *err, | NGX_HTTP_LUA_CONTEXT_BALANCER #if HAVE_LUA_PROXY_SSL | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT -#endif -#if HAVE_LUA_PROXY_SSL | NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY #endif | NGX_HTTP_LUA_CONTEXT_SSL_CLIENT_HELLO diff --git a/src/ngx_http_lua_proxy_ssl_certby.c b/src/ngx_http_lua_proxy_ssl_certby.c index ee86211eb2..3fdf38ea95 100644 --- a/src/ngx_http_lua_proxy_ssl_certby.c +++ b/src/ngx_http_lua_proxy_ssl_certby.c @@ -10,6 +10,7 @@ #if (NGX_HTTP_SSL) + #include "ngx_http_lua_cache.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_util.h" @@ -19,8 +20,8 @@ #include "ngx_http_lua_ssl.h" #include "ngx_http_lua_proxy_ssl_certby.h" -#if HAVE_LUA_PROXY_SSL +#if HAVE_LUA_PROXY_SSL static void ngx_http_lua_proxy_ssl_cert_done(void *data); static void ngx_http_lua_proxy_ssl_cert_aborted(void *data); From e5f0fd012d3794c2e5c16ca12d59be4a9890537e Mon Sep 17 00:00:00 2001 From: lijunlong Date: Tue, 20 Jan 2026 10:11:24 +0800 Subject: [PATCH 3/8] feature: fixed typo. --- src/ngx_http_lua_util.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c index be0b7c5fa2..1420560818 100644 --- a/src/ngx_http_lua_util.c +++ b/src/ngx_http_lua_util.c @@ -3704,7 +3704,7 @@ ngx_http_lua_finalize_request(ngx_http_request_t *r, ngx_int_t rc) } #if (NGX_HTTP_SSL) -#ifdef HAVE_LUA_PROXY_SSL +#if HAVE_LUA_PROXY_SSL u = r->upstream; if (u) { c = u->peer.connection; From 49f4722eae582a4acc7a3f859db78d34f0e21968 Mon Sep 17 00:00:00 2001 From: lijunlong Date: Tue, 20 Jan 2026 10:16:27 +0800 Subject: [PATCH 4/8] use the same directory. --- .travis.yml | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/.travis.yml b/.travis.yml index bb3400f5a8..9be036238e 100644 --- a/.travis.yml +++ b/.travis.yml @@ -45,12 +45,10 @@ env: - LUAJIT_LIB=$LUAJIT_PREFIX/lib - LUAJIT_INC=$LUAJIT_PREFIX/include/luajit-2.1 - LUA_INCLUDE_DIR=$LUAJIT_INC - #- PCRE2_PREFIX=/usr/local/openresty/pcre2 - - PCRE2_PREFIX=/opt/pcre2 + - PCRE2_PREFIX=/usr/local/openresty/pcre2 - PCRE2_LIB=$PCRE2_PREFIX/lib - PCRE2_INC=$PCRE2_PREFIX/include - #- OPENSSL_PREFIX=/usr/local/openresty/openssl3 - - OPENSSL_PREFIX=/opt/openssl3 + - OPENSSL_PREFIX=/usr/local/openresty/openssl3 - OPENSSL_LIB=$OPENSSL_PREFIX/lib - OPENSSL_INC=$OPENSSL_PREFIX/include - LIBDRIZZLE_PREFIX=/opt/drizzle @@ -84,8 +82,8 @@ before_install: install: - if [ ! -f download-cache/drizzle7-$DRIZZLE_VER.tar.gz ]; then wget -P download-cache https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/drizzle7-$DRIZZLE_VER.tar.gz; fi - - if [ -n "$PCRE2_VER" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi - - if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VER/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi + #- if [ -n "$PCRE2_VER" ] && [ ! -f download-cache/pcre2-$PCRE2_VER.tar.gz ]; then wget -P download-cache https://github.com/PCRE2Project/pcre2/releases/download/pcre2-${PCRE2_VER}/pcre2-${PCRE2_VER}.tar.gz; fi + #- if [ -n "$OPENSSL_VER" ] && [ ! -f download-cache/openssl-$OPENSSL_VER.tar.gz ]; then wget -P download-cache https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VER/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/openssl-$OPENSSL_VER.tar.gz || wget -P download-cache https://www.openssl.org/source/old/${OPENSSL_VER//[a-z]/}/openssl-$OPENSSL_VER.tar.gz; fi - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/boringssl-20230902-x64-focal.tar.gz - wget https://github.com/openresty/openresty-deps-prebuild/releases/download/v20230902/curl-h3-x64-focal.tar.gz - git clone https://github.com/openresty/test-nginx.git @@ -137,8 +135,8 @@ script: - sudo make install-libdrizzle-1.0 > build.log 2>&1 || (cat build.log && exit 1) - cd ../mockeagain/ && make CC=$CC -j$JOBS && cd .. - cd lua-cjson/ && make -j$JOBS && sudo make install && cd .. - - if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi - - if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi + #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi + #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi - if [ -n "$BORINGSSL" ]; then sudo rm -fr /usr/local/openresty/openssl3/ && sudo mkdir -p /usr/local/openresty/openssl3 && sudo tar -C /usr/local/openresty/openssl3 -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi - export NGX_BUILD_CC=$CC - sh util/build-without-ssl.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1) From afc3972f2a4e4c949639d422755c5a29805743e6 Mon Sep 17 00:00:00 2001 From: lijunlong Date: Tue, 20 Jan 2026 10:18:22 +0800 Subject: [PATCH 5/8] update openssldir. --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index 9be036238e..ee5f43d1c7 100644 --- a/.travis.yml +++ b/.travis.yml @@ -137,7 +137,7 @@ script: - cd lua-cjson/ && make -j$JOBS && sudo make install && cd .. #- if [ -n "$PCRE2_VER" ]; then tar zxf download-cache/pcre2-$PCRE2_VER.tar.gz; cd pcre2-$PCRE2_VER/; ./configure --prefix=$PCRE2_PREFIX --enable-jit --enable-utf > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo PATH=$PATH make install > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi #- if [ -n "$OPENSSL_VER" ]; then tar zxf download-cache/openssl-$OPENSSL_VER.tar.gz; cd openssl-$OPENSSL_VER/; patch -p1 < ../../openresty/patches/openssl-$OPENSSL_PATCH_VER-sess_set_get_cb_yield.patch; ./config shared enable-ssl3 enable-ssl3-method -g --prefix=$OPENSSL_PREFIX --libdir=lib -DPURIFY > build.log 2>&1 || (cat build.log && exit 1); make -j$JOBS > build.log 2>&1 || (cat build.log && exit 1); sudo make PATH=$PATH install_sw > build.log 2>&1 || (cat build.log && exit 1); cd ..; fi - - if [ -n "$BORINGSSL" ]; then sudo rm -fr /usr/local/openresty/openssl3/ && sudo mkdir -p /usr/local/openresty/openssl3 && sudo tar -C /usr/local/openresty/openssl3 -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi + - if [ -n "$BORINGSSL" ]; then sudo rm -fr $OPENSSL_PREFIX && sudo mkdir -p $OPENSSL_PREFIX && sudo tar -C $OPENSSL_PREFIX -xf boringssl-20230902-x64-focal.tar.gz --strip-components=1; fi - export NGX_BUILD_CC=$CC - sh util/build-without-ssl.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1) - sh util/build-with-dd.sh $NGINX_VERSION > build.log 2>&1 || (cat build.log && exit 1) From 5597714ad149d4efa422105ad69b1b12ed5dfd1d Mon Sep 17 00:00:00 2001 From: lijunlong Date: Tue, 20 Jan 2026 11:02:45 +0800 Subject: [PATCH 6/8] more fixes. --- src/ngx_http_lua_common.h | 3 +++ 1 file changed, 3 insertions(+) diff --git a/src/ngx_http_lua_common.h b/src/ngx_http_lua_common.h index 09212f8b07..28538cc224 100644 --- a/src/ngx_http_lua_common.h +++ b/src/ngx_http_lua_common.h @@ -26,6 +26,9 @@ #if (NGX_HTTP_SSL) +/* introduce OPENSSL_IS_BORINGSSL and LIBRESSL_VERSION_NUMBER */ +#include + #ifdef HAVE_PROXY_SSL_PATCH #if defined(LIBRESSL_VERSION_NUMBER) From 965938649389726ad8c4762768487b0c4343cb1b Mon Sep 17 00:00:00 2001 From: lijunlong Date: Tue, 20 Jan 2026 18:13:06 +0800 Subject: [PATCH 7/8] more fixes. --- src/ngx_http_lua_util.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/src/ngx_http_lua_util.c b/src/ngx_http_lua_util.c index 1420560818..2dc4f84902 100644 --- a/src/ngx_http_lua_util.c +++ b/src/ngx_http_lua_util.c @@ -1684,7 +1684,7 @@ ngx_http_lua_run_thread(lua_State *L, ngx_http_request_t *r, done: -#ifdef HAVE_LUA_PROXY_SSL +#if HAVE_LUA_PROXY_SSL if (ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT || ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY) { @@ -2447,7 +2447,7 @@ ngx_http_lua_handle_exit(lua_State *L, ngx_http_request_t *r, return ctx->exit_code; } -#ifdef HAVE_LUA_PROXY_SSL +#if HAVE_LUA_PROXY_SSL if (ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_CERT || ctx->context == NGX_HTTP_LUA_CONTEXT_PROXY_SSL_VERIFY) { @@ -3691,7 +3691,7 @@ ngx_http_lua_finalize_request(ngx_http_request_t *r, ngx_int_t rc) { ngx_http_lua_ctx_t *ctx; #if (NGX_HTTP_SSL) -#ifdef HAVE_LUA_PROXY_SSL +#if HAVE_LUA_PROXY_SSL ngx_http_upstream_t *u; ngx_connection_t *c; ngx_http_lua_ssl_ctx_t *cctx; From 62d0efab3cbd3e61b859139764222347a627d196 Mon Sep 17 00:00:00 2001 From: lijunlong Date: Tue, 20 Jan 2026 22:16:01 +0800 Subject: [PATCH 8/8] more fixes. --- src/ngx_http_lua_proxy_ssl_certby.c | 9 +++------ src/ngx_http_lua_proxy_ssl_verifyby.c | 9 +++------ 2 files changed, 6 insertions(+), 12 deletions(-) diff --git a/src/ngx_http_lua_proxy_ssl_certby.c b/src/ngx_http_lua_proxy_ssl_certby.c index 3fdf38ea95..4be90de007 100644 --- a/src/ngx_http_lua_proxy_ssl_certby.c +++ b/src/ngx_http_lua_proxy_ssl_certby.c @@ -5,12 +5,12 @@ #ifndef DDEBUG #define DDEBUG 0 #endif -#include "ddebug.h" - -#if (NGX_HTTP_SSL) +#include "ddebug.h" +#include "ngx_http_lua_proxy_ssl_certby.h" +#if HAVE_LUA_PROXY_SSL #include "ngx_http_lua_cache.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_util.h" @@ -18,10 +18,8 @@ #include "ngx_http_lua_contentby.h" #include "ngx_http_lua_directive.h" #include "ngx_http_lua_ssl.h" -#include "ngx_http_lua_proxy_ssl_certby.h" -#if HAVE_LUA_PROXY_SSL static void ngx_http_lua_proxy_ssl_cert_done(void *data); static void ngx_http_lua_proxy_ssl_cert_aborted(void *data); @@ -830,4 +828,3 @@ ngx_http_lua_ffi_proxy_ssl_set_priv_key(ngx_http_request_t *r, } #endif /* HAVE_LUA_PROXY_SSL */ -#endif /* NGX_HTTP_SSL */ diff --git a/src/ngx_http_lua_proxy_ssl_verifyby.c b/src/ngx_http_lua_proxy_ssl_verifyby.c index db3ec2689f..0eced5e380 100644 --- a/src/ngx_http_lua_proxy_ssl_verifyby.c +++ b/src/ngx_http_lua_proxy_ssl_verifyby.c @@ -5,11 +5,12 @@ #ifndef DDEBUG #define DDEBUG 0 #endif -#include "ddebug.h" +#include "ddebug.h" +#include "ngx_http_lua_proxy_ssl_verifyby.h" -#if (NGX_HTTP_SSL) +#if HAVE_LUA_PROXY_SSL #include "ngx_http_lua_cache.h" #include "ngx_http_lua_initworkerby.h" #include "ngx_http_lua_util.h" @@ -17,10 +18,7 @@ #include "ngx_http_lua_contentby.h" #include "ngx_http_lua_directive.h" #include "ngx_http_lua_ssl.h" -#include "ngx_http_lua_proxy_ssl_verifyby.h" - -#if HAVE_LUA_PROXY_SSL static void ngx_http_lua_proxy_ssl_verify_done(void *data); static void ngx_http_lua_proxy_ssl_verify_aborted(void *data); @@ -659,4 +657,3 @@ ngx_http_lua_ffi_proxy_ssl_get_verify_cert(ngx_http_request_t *r, char **err) } #endif /* HAVE_LUA_PROXY_SSL */ -#endif /* NGX_HTTP_SSL */