Add SSL Support - completion of PR#5

[ElvinEfendi]

This PR is based on the work done at #5.

It adds SSL support and addresses all the comments(tests and session reuse) made in the original PR.

One significant modification to the original PR is that now, the health check will fail if ssl_verify = true and the certificate verification fails.

/r @agentzh

[ElvinEfendi]

ping

[charlescng]

@agentzh Can you review?

[agentzh]

Is session a global Lua variable? We should declare it as a local.

[agentzh]

Better use the lua-releng script of nginx-devel-utils to check your Lua code. I'm getting the following errors by running this tool against your branch:

$ lua-releng
lib/resty/upstream/healthcheck.lua: 0.03 (0.03)
Checking use of Lua global variables in file lib/resty/upstream/healthcheck.lua...
	op no.	line	instruction	args	; code
	53	[237]	SETGLOBAL	11 -14	; session
	54	[238]	GETGLOBAL	11 -14	; session
	73	[244]	GETGLOBAL	11 -14	; session
Checking line length exceeding 80...

So apparently the session is a misused Lua global variable.

[agentzh]

We should use init_worker_by_lua_block here for newly added tests.

[agentzh]

We should use content_by_lua_block in newly added tests. Please fix other similar places.

[agentzh]

Also, please rebase to the latest git master.

[agentzh]

@ElvinEfendi Thank you for your patch! Please take care of my comments above. Thanks!

[ElvinEfendi]

@agentzh thanks for reviewing, I addressed your comments.

Also, please rebase to the latest git master.

I don't see any conflict with the upstream master(there were some initially but those have been sycned to this branch already). And all the commits from it are already included in this branch. Why do you think this branch is not in sync with the upstream master?

[ElvinEfendi]

@agentzh any more comment on this PR?

[ElvinEfendi]

By default peer.name(an entry defined inside upstream block as <host>:<port>) is being passed to tcpsock:sslhandshake function as server_name which is used to validate the server name specified in the server certificate sent from the remote when ssl_verify is true. Refer to https://github.com/openresty/lua-nginx-module#tcpsocksslhandshake for more information. This is a constraint when we want to share a single server certificate to do SSL health check between multiple peers. Therefore I added TEST 20 and 21 to make ssl_verify option's behaviour more clear and added a new functionality that lets users to override peer.name with a custom name set during the initialization. TEST 21 covers the new functionality. These changes are added in commit: ce88ef0

[solio]

why this pr has not bean merged？
这个ssl support什么时候能合到主干上？

[agentzh]

@solio This is still in my review queue. Sorry for the delay on my side.

[agentzh]

@ElvinEfendi Will you please rebase to the latest git master? I'm seeing merge conflicts while rebasing it myself:

$ git rebase master
First, rewinding head to replay your work on top of it...
Applying: add ssl support
Using index info to reconstruct a base tree...
M	README.markdown
M	lib/resty/upstream/healthcheck.lua
Falling back to patching base and 3-way merge...
Auto-merging lib/resty/upstream/healthcheck.lua
CONFLICT (content): Merge conflict in lib/resty/upstream/healthcheck.lua
Auto-merging README.markdown
error: Failed to merge in the changes.
Patch failed at 0001 add ssl support
The copy of the patch that failed is found in: .git/rebase-apply/patch

Thanks! And sorry for the delay on my side.

[ElvinEfendi]

Will you please rebase to the latest git master? I'm seeing merge conflicts while rebasing it myself:

Hmm I don't know why does it show conflict. There's no commit in the upstream after 69751de which is already in downstream as well Shopify@69751de.

master...Shopify:master also shows "Able to merge":

[ElvinEfendi]

I'd also like to highlight that 6731f95 is not related to this PR, it is just included here because the downstream is Shopify fork's master.

If you don't want to merge that last unrelated commit, here is the PR with only SSL support: #44

[agentzh]

@ElvinEfendi Cool, thanks!

[berlincount]

hmmm, may I ping on this PR? :)

[pavelnemirovsky]

@agentzh when do u plan to merge it? Thx

[agentzh]

Sorry, we haven't had the time to look at this. Been busy with other things with higher priority.

[agentzh]

@dndx @spacewander Please help review this PR once you have a chance. Thanks!

[ricardosantosalves]

Hi,
Is there any update regarding this PR?

[gentle-king]

Dears, any update on this feature?

[TWHOI]

+1 year :-/
Would be nice to have this merged.

[doujiang24]

@rainingmaster do you have time to take a look at this PR?

[leandromoreira]

@agentzh is there any plan to merge this ?

[leandromoreira]

Hi @ElvinEfendi did you publish a rock with these changes? If you didn't, I'm thinking to keep a lua-resty-upstream-healthcheck-ssl repo patching your changes to the main branch of this repo, what do you think?

[leandromoreira]

I copied this PR and released it as a rock https://github.com/globocom/lua-resty-upstream-healthcheck

[xiaocang]

we do not add such a comment in the sample code, here just keep the options related to https, detailed explanation is placed below

[xiaocang]

It is better to point out in the error message what the unsupported type is

[xiaocang]

the "ssl" directive is deprecated, use the "listen ... ssl" directive instead

[xiaocang]

Ditto

[xiaocang]

Ditto

[xiaocang]

Ditto

[xiaocang]

Ditto

[xiaocang]

Ditto

[xiaocang]

Ditto

[xiaocang]

Ditto