bw - manage http to https redirection from LUA, use ctx instead of var, replace RSA key from self signed certs and clear existing certs when a plugin sets one

2026-05-24 09:28:37 +00:00 · 2024-02-27 16:59:59 +01:00 · 2024-02-27 16:59:59 +01:00 · fc44c77660
commit fc44c77660
parent d1e157a94c
8 changed files with 18 additions and 34 deletions
--- a/src/common/confs/server-http/ssl-certificate-lua.conf
+++ b/src/common/confs/server-http/ssl-certificate-lua.conf
@ -30,6 +30,7 @@ ssl_certificate_by_lua_block {
 	local is_internal = ngx_req.is_internal
 	local ERR = ngx.ERR
 	local INFO = ngx.INFO
+	local clear_certs = ssl.clear_certs
 	local set_cert = ssl.set_cert
 	local set_priv_key = ssl.set_priv_key
 	local require_plugin = helpers.require_plugin
@ -75,7 +76,11 @@ ssl_certificate_by_lua_block {
 						logger:log(INFO, plugin_id .. ":ssl_certificate() call successful : " .. ret.msg)
 						if ret.status then
 							logger:log(INFO, plugin_id .. " is setting certificate/key : " .. ret.msg)
-							local ok, err = set_cert(ret.status[1])
+							local ok, err = clear_certs()
+							if not ok then
+								logger:log(ERR, "error while clearing certificates : " .. err)
+							end
+							ok, err = set_cert(ret.status[1])
 							if not ok then
 								logger:log(ERR, "error while setting certificate : " .. err)
 							else
--- a/src/common/core/customcert/customcert.lua
+++ b/src/common/core/customcert/customcert.lua
@ -21,10 +21,9 @@ function customcert:initialize(ctx)
 end

 function customcert:set()
-	local ngx_var = ngx.var
 	local https_configured = self.variables["USE_CUSTOM_SSL"]
-	if ngx_var.https_configured == "no" and https_configured == "yes" then
-		ngx_var.https_configured = "yes"
+	if https_configured == "yes" then
+		self.ctx.bw.https_configured = "yes"
 	end
 	return self:ret(true, "set https_configured to " .. https_configured)
 end
--- a/src/common/core/letsencrypt/letsencrypt.lua
+++ b/src/common/core/letsencrypt/letsencrypt.lua
@ -34,10 +34,9 @@ function letsencrypt:initialize(ctx)
 end

 function letsencrypt:set()
-	local ngx_var = ngx.var
 	local https_configured = self.variables["AUTO_LETS_ENCRYPT"]
-	if ngx_var.https_configured == "no" and https_configured == "yes" then
-		ngx_var.https_configured = "yes"
+	if https_configured == "yes" then
+		self.ctx.bw.https_configured = "yes"
 	end
 	return self:ret(true, "set https_configured to " .. https_configured)
 end
--- a/src/common/core/misc/confs/server-http/redirect-http-to-https.conf
+++ b/src/common/core/misc/confs/server-http/redirect-http-to-https.conf
@ -1,12 +0,0 @@
-set $https_configured 'no';
-set $auto_redirect 'no';
-
-{% if REDIRECT_HTTP_TO_HTTPS == "yes" +%}
-if ($scheme = http) {
-	return 301 https://$host$request_uri;
-}
-{% elif AUTO_REDIRECT_HTTP_TO_HTTPS == "yes" +%}
-if ($auto_redirect = yes) {
-	return 301 https://$host$request_uri;
-}
-{% endif +%}
--- a/src/common/core/misc/misc.lua
+++ b/src/common/core/misc/misc.lua
@ -14,17 +14,11 @@ function misc:initialize(ctx)
 	plugin.initialize(self, "misc", ctx)
 end

-function misc:set()
-	local ngx_var = ngx.var
-	local auto_redirect = "no"
-	if ngx_var.scheme == "http" and ngx_var.https_configured == "yes" then
-		auto_redirect = "yes"
-		ngx_var.auto_redirect = auto_redirect
-	end
-	return self:ret(true, "set auto_redirect to " .. auto_redirect)
-end
-
 function misc:access()
+	-- Check if we need to redirect to HTTPS
+	if self.ctx.bw.scheme == "http" and ((self.ctx.bw.https_configured == "yes" and self.variables["AUTO_REDIRECT_HTTP_TO_HTTPS"] == "yes") or self.variables["REDIRECT_HTTP_TO_HTTPS"] == "yes") then
+		return self:ret(true, "redirect to HTTPS", nil, "https://" .. self.ctx.bw.http_host .. self.ctx.bw.request_uri)
+	end
 	-- Check if method is valid
 	local method = self.ctx.bw.request_method
 	if not method or not regex_match(method, "^[A-Z]+$") then
--- a/src/common/core/order.json
+++ b/src/common/core/order.json
@ -15,7 +15,7 @@
    "letsencrypt",
    "selfsigned"
  ],
-  "set": ["sessions", "whitelist", "letsencrypt", "customcert", "selfsigned", "misc"],
+  "set": ["sessions", "whitelist", "letsencrypt", "customcert", "selfsigned"],
  "ssl_certificate": ["customcert", "letsencrypt", "selfsigned"],
  "access": [
    "whitelist",
--- a/src/common/core/selfsigned/jobs/self-signed.py
+++ b/src/common/core/selfsigned/jobs/self-signed.py
@ -75,7 +75,7 @@ def generate_cert(first_server: str, days: str, subj: str, self_signed_path: Pat
                "-nodes",
                "-x509",
                "-newkey",
-                "rsa:4096",
+                "ed25519",
                "-keyout",
                str(self_signed_path.joinpath(f"{first_server}.key")),
                "-out",
--- a/src/common/core/selfsigned/selfsigned.lua
+++ b/src/common/core/selfsigned/selfsigned.lua
@ -21,10 +21,9 @@ function selfsigned:initialize(ctx)
 end

 function selfsigned:set()
-	local ngx_var = ngx.var
 	local https_configured = self.variables["GENERATE_SELF_SIGNED_SSL"]
-	if ngx_var.https_configured == "no" and https_configured == "yes" then
-		ngx_var.https_configured = "yes"
+	if https_configured == "yes" then
+		self.ctx.bw.https_configured = "yes"
 	end
 	return self:ret(true, "set https_configured to " .. https_configured)
 end