author | Sergey Kandaurov <pluknet@nginx.com> | 2025-01-13 21:40:04 +0400 |
---|---|---|
committer | pluknet <pluknet@nginx.com> | 2025-01-17 04:37:46 +0400 |
commit | 4b96ad14f3607ab39b160715aeba721097ac4da4 (patch) | |
tree | 97ed697efcb569164ff2bd8e0e9ecc025de62944 /src | |
parent | 0e756d67aa1e42e3b1b360936eb4d6c06bced2c1 (diff) | |
SSL: cache revalidation of file based dynamic certificates.
Revalidation is based on file modification time and uniq file index,
and happens after the cache object validity time is expired.
Diffstat (limited to 'src')
-rw-r--r-- | src/event/ngx_event_openssl_cache.c | 44 |
1 files changed, 42 insertions, 2 deletions
diff --git a/src/event/ngx_event_openssl_cache.c b/src/event/ngx_event_openssl_cache.c index 7589e6c90..eb03e16b2 100644 --- a/src/event/ngx_event_openssl_cache.c +++ b/src/event/ngx_event_openssl_cache.c @@ -289,6 +289,7 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool, void *value; time_t now; uint32_t hash; + ngx_file_info_t fi; ngx_ssl_cache_key_t id; ngx_ssl_cache_type_t *type; ngx_ssl_cache_node_t *cn; @@ -318,7 +319,33 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool, goto found; } - if (now - cn->created > cache->valid) { + if (now - cn->created <= cache->valid) { + goto found; + } + + switch (id.type) { + + case NGX_SSL_CACHE_PATH: + + if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) { + + if (ngx_file_uniq(&fi) == cn->uniq + && ngx_file_mtime(&fi) == cn->mtime) + { + break; + } + + cn->mtime = ngx_file_mtime(&fi); + cn->uniq = ngx_file_uniq(&fi); + + } else { + cn->mtime = 0; + cn->uniq = 0; + } + + /* fall through */ + + default: ngx_log_debug1(NGX_LOG_DEBUG_CORE, pool->log, 0, "update cached ssl object: %s", cn->id.data); @@ -337,9 +364,10 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool, } cn->value = value; - cn->created = now; } + cn->created = now; + goto found; } @@ -365,6 +393,18 @@ ngx_ssl_cache_connection_fetch(ngx_ssl_cache_t *cache, ngx_pool_t *pool, ngx_cpystrn(cn->id.data, id.data, id.len + 1); + if (id.type == NGX_SSL_CACHE_PATH) { + + if (ngx_file_info(id.data, &fi) != NGX_FILE_ERROR) { + cn->mtime = ngx_file_mtime(&fi); + cn->uniq = ngx_file_uniq(&fi); + + } else { + cn->mtime = 0; + cn->uniq = 0; + } + } + ngx_ssl_cache_expire(cache, 1, pool->log); if (cache->current >= cache->max) { |
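Review bot: In the `NGX_SSL_CACHE_PATH` case of the second hunk, an unchanged `ngx_file_uniq()` and `ngx_file_mtime()` is the only evidence that the cached certificate or key is still current. A file rewritten in place (same inode) within one tick of the timestamp would therefore pass revalidation and keep being served; this assumes `ngx_file_mtime()` has one-second resolution, as I believe it does on Unix builds. At minimum I would state this above the comparison, e.g. `/* same uniq and mtime is taken as same content; an in-place rewrite within one mtime tick is not detected, so rotate by rename */`. Comparing `ngx_file_size(&fi)` as well would narrow the gap, but it needs a new field in the cache node, which is declared outside this hunk. The function body starts and ends outside the hunk.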
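Review bot: In the last hunk the new node's `mtime`/`uniq` come from a separate `ngx_file_info(id.data, &fi)` on the path, not from the file the object was actually read from. The load is outside this hunk; if it runs before this stat, a file replaced in between leaves the node holding the old certificate or key under the new file's identity, and later revalidation treats it as current until the file changes again. Sampling the metadata before the object is created makes a racing replace show up as a mismatch on the next revalidation instead. The same stat-and-record sequence appears in the second hunk and could share one small static helper. The failure branch stores `0`/`0` without a trace, so a debug line such as `ngx_log_debug1(NGX_LOG_DEBUG_CORE, pool->log, ngx_errno, ngx_file_info_n " \"%s\" failed", id.data);` would help when diagnosing why an object is reloaded on every expiry.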