
--[[
    This file is used to dynamically load the SSL certificate for a domain
--]]

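local ngx = ngx
local ssl = require("ngx.ssl")
local ban = require "lib/o2switch_ban"
local o2debug = require "lib/o2switch_debug"
local ipUtils = require "lib/o2switch_ip_utils"
local tostring = tostring

--
-- Early DROP of bad IP to avoid the SSL handshake and CPU exhaustion
-- The ngx.var API is not available in this context so we must parse the raw IP stuff
-- https://github.com/openresty/lua-resty-core/blob/master/lib/ngx/ssl.md#raw_client_addr
--
-- NOTE(review): only 'inet' (IPv4) peers are checked here; 'inet6' and 'unix'
-- peers skip this early drop. Confirm that ban.isBlacklisted accepts a 16-byte
-- address before widening the condition.
--
local addr, addrtyp, addrErr = ssl.raw_client_addr()

if not addr then
    o2debug.error("failed to fetch raw client addr: " .. tostring(addrErr))
elseif addrtyp == 'inet' and ban.isBlacklisted(addr) == true then
    o2debug.error("Dropping bad IP at the SSL handshake level : " .. ipUtils.binaryToStringIp(addr))
    -- 444 closes the connection without a response, before any handshake work is done
    ngx.exit(444)
end

local o2utils = require "lib/o2switch_utils"
local o2config = require "lib/o2switch_config"
local o2ssl = require "lib/o2switch_ssl"
local o2ocsp = require "lib/o2switch_ocsp"
local cacheWrapper = require "lib/o2switch_cache_wrapper"

--[[
    Begin of the main code
    - Retrieve the SNI name, it will serve as a key for the cache and to retrieve SSL files from the filesystem
    - Get the CRT and CABUNDLE, concatenate those, convert to DER format, get/put from/to cache
    - Get the KEY, convert it to DER format
    - Pass values to Nginx
    - Extra : OCSP
--]]

--- Tell whether a cacheWrapper.get() result is unusable.
-- A lookup counts as missing when it returned nil, returned ngx.null, or
-- reported a non-nil err. The retry paths already applied this rule; applying
-- it to every lookup means a ngx.null CRT/KEY can no longer reach
-- ssl.set_der_cert()/ssl.set_der_priv_key() and abort the handshake instead of
-- falling back to the default certificate.
-- @param value first return of cacheWrapper.get()
-- @param lookupErr second return of cacheWrapper.get()
-- @treturn boolean
local function isMissing(value, lookupErr)
    return value == nil or value == ngx.null or lookupErr ~= nil
end

--- Fetch the DER CRT (+ cabundle) for one candidate name.
-- A nil candidate is reported as a miss instead of being concatenated into the
-- cache key, which would raise a Lua error during the handshake.
-- @param candidate domain name used as cache key and Redis lookup key
-- @return crt, err as returned by cacheWrapper.get()
local function lookupCrt(candidate)
    if not candidate then
        return nil, 'no candidate name'
    end
    return cacheWrapper.get(candidate .. '_crt', o2ssl.getCrtFromRedis, candidate)
end

--
-- Get the TLS (SNI) name
--
local sslname = ssl.server_name()

if not sslname then
    -- Use the default fallback certificate, those are already set by nginx
    return
end

local name = o2utils.extractDomainWww(sslname)
if not name then
    o2debug.error('Cant extract the name/remove www, original sslname is : ' .. tostring(sslname))
    -- Use the default fallback certificate, those are already set by nginx
    return
end

--
-- Get the CRT + cabundle concatenated
--
local crt, err = lookupCrt(name)

if isMissing(crt, err) then
    o2debug.error('Cant retrieve the CRT for ' .. tostring(name) .. ' original sslname ' .. tostring(sslname) .. ' err:' .. tostring(err))
    -- If it's a mutu, we'll check for a wildcard + proxy subdomain before switching to the default SSL
    if o2config.serverType == 'mutu' then
        -- Remove proxy subdomain now
        name = o2utils.extractDomain(sslname)
        crt, err = lookupCrt(name)
        if isMissing(crt, err) then
            -- Can be a wildcard case, try again but we transform the first subdom to a wildcard
            if name then
                name = o2utils.transformSubdomainToWildcard(name)
            end
            crt, err = lookupCrt(name)
        end
    end

    -- No CRT found ? We switch to the default CRT/KEY
    if isMissing(crt, err) then
        o2debug.error('Cant retrieve the CRT for ' .. tostring(name) .. ' original sslname ' .. tostring(sslname) .. ' err:' .. tostring(err))
        return
    end
end

--
-- Get the KEY
--
local key
key, err = cacheWrapper.get(name .. '_key', o2ssl.getKeyFromRedis, name)
if isMissing(key, err) then
    o2debug.error('Cant retrieve the KEY for ' .. name .. ' original sslname ' .. tostring(sslname) .. ' err:' .. tostring(err))
    return
end

--
-- Remove the fallback certificates
-- From here on every failure aborts the handshake with ngx.ERROR rather than
-- returning: presumably because the fallback certs are cleared and a plain
-- return would leave the connection without any certificate.
--
local ok
ok, err = ssl.clear_certs()
if not ok then
    o2debug.debugErr("Failed to clear existing (fallback) certificates : " .. tostring(err))
    ngx.exit(ngx.ERROR)
end

--
-- Pass the values to Nginx / Set the certificates
--
ok, err = ssl.set_der_cert(crt)
if not ok then
    o2debug.debugErr("Unable to set cert for: " .. name .. ' original sslname ' .. tostring(sslname) .. ' : ' .. tostring(err))
    ngx.exit(ngx.ERROR)
end

ok, err = ssl.set_der_priv_key(key)
if not ok then
    o2debug.debugErr("Unable to set key for: " .. name .. ' original sslname ' .. tostring(sslname) .. ' : ' .. tostring(err))
    ngx.exit(ngx.ERROR)
end

--
-- Get the OCSP Response and staple-it.
-- Stapling is best-effort: a missing or unusable response is only logged.
--
local ocsp_resp
ocsp_resp, err = cacheWrapper.get(name .. '_ocsp', o2ocsp.getOcsp, crt, name)
if not isMissing(ocsp_resp, err) then
    local stapled, stapleErr = o2ocsp.stapleOcspResponse(ocsp_resp)
    if not stapled then
        o2debug.debugErr("Cant staple the OSCP for : " .. name .. ':' .. tostring(stapleErr))
    end
end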
