From b5aa5b3afadd188564eb3ece9787757140f05914 Mon Sep 17 00:00:00 2001 From: Fabian Franz BSc Date: Mon, 20 May 2019 19:02:39 +0200 Subject: [PATCH] www/nginx: add TLS 1.3 0-RTT handshake support (HTTPS performance) (#1112) * www/nginx: add TLS 1.3 0-RTT handshake support * www/nginx: model bug fix * www/nginx: Release note --- www/nginx/Makefile | 2 +- www/nginx/pkg-descr | 4 ++++ .../app/controllers/OPNsense/Nginx/forms/httpserver.xml | 7 +++++++ .../src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml | 6 +++++- .../opnsense/service/templates/OPNsense/Nginx/http.conf | 3 +++ .../service/templates/OPNsense/Nginx/location.conf | 6 ++++++ 6 files changed, 26 insertions(+), 2 deletions(-) diff --git a/www/nginx/Makefile b/www/nginx/Makefile index 3b3f783f4..03adf3887 100644 --- a/www/nginx/Makefile +++ b/www/nginx/Makefile @@ -1,5 +1,5 @@ PLUGIN_NAME= nginx -PLUGIN_VERSION= 1.12 +PLUGIN_VERSION= 1.13 PLUGIN_COMMENT= Nginx HTTP server and reverse proxy PLUGIN_DEPENDS= nginx PLUGIN_MAINTAINER= franz.fabian.94@gmail.com diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr index d6acc75d7..1c7bb939b 100644 --- a/www/nginx/pkg-descr +++ b/www/nginx/pkg-descr @@ -8,6 +8,10 @@ reuse, SSL offload and HTTP media streaming. Plugin Changelog ================ +1.13 + +* add support for 0-RTT (Early Data in TLS 1.3) + 1.12 * add log to SYSLOG server support diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml index 140949cb7..2ec09b01c 100644 --- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml +++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml @@ -104,6 +104,13 @@ true
  • On: the certificate is requested and validated. Use this option to protect a service with TLS authentication.
  • Off: The certificate is not requested. Choose this option for a normal website.
  • Optional: The certificate is requested and validated if existing. Choose this option for websites, with TLS login support or mixed TLS protected API and web content.
  • Optional, don't verify: Do accept the certificate and let the application choose what to do. Choose this option, for the same reasons as optional but in this case, the request is passed to the backend without rejecting untrusted certificates.
  • ]]>
    + + httpserver.zero_rtt + + checkbox + true + RFC 8446 for more information. The Backend will get a HTTP header "Early-Data" which can be used if a short handshake was used. If a response is too risky, answer with HTTP status code 425.]]> + httpserver.access_log_format diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml index f57dda9a0..c4d108a23 100644 --- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml +++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml @@ -1,6 +1,6 @@ //OPNsense/Nginx - 1.8.0 + 1.13.0 nginx web server, reverse proxy and waf @@ -749,6 +749,10 @@ N + + Y + 0 + diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf index 16643d934..adc6213d0 100644 --- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf +++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf @@ -93,6 +93,9 @@ server { {% if server.ca is defined %} ssl_client_certificate /usr/local/etc/nginx/key/{{ single_servername }}_ca.pem; ssl_verify_client {{ server.verify_client }}; +{% endif %} +{% if server.zero_rtt == '1' %} + ssl_early_data on; {% endif %} ssl_certificate_key /usr/local/etc/nginx/key/{{ single_servername }}.key; ssl_certificate /usr/local/etc/nginx/key/{{ single_servername }}.pem; diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf index 3664795fa..4ed7e97cb 100644 --- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf +++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf 
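Review bot: The help text added for `httpserver.zero_rtt` sends the reader to RFC 8446 for the "Early-Data" header and the 425 status code, but those are defined in RFC 8470 (Using Early Data in HTTP); RFC 8446 only specifies the TLS 1.3 early-data mechanism itself. The sentence "If a response is too risky, answer with HTTP status code 425" also places the risk on the wrong side: it is the request that may be replayed, so the help should say that a request arriving with `Early-Data: 1` can be a replay and that the backend should answer 425 (Too Early) for any request it cannot safely process twice, which makes the client retry after the handshake completes. A wording such as `The backend receives an "Early-Data: 1" header (proxy) or parameter (FastCGI) for requests sent in TLS 1.3 early data; such requests may be replayed, so answer 425 for requests that are not safe to replay (see RFC 8446 and RFC 8470).` would cover both backend types the templates in this change support.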
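Review bot: `ssl_early_data on;` is emitted whenever `server.zero_rtt == '1'`, but the directive only takes effect when TLSv1.3 is among the server's `ssl_protocols` and nginx is built against a TLS library that supports 0-RTT; the hunk does not show how `ssl_protocols` is produced, so if the form lets TLS 1.3 be disabled the new checkbox would silently do nothing. Either gate the block on the TLS 1.3 setting as well, or state the dependency in the help text of the model field. A template comment next to the new block, e.g. `{# 0-RTT needs TLSv1.3 in ssl_protocols; early-data requests are replayable, location.conf passes the Early-Data signal to the backend #}`, would make the coupling visible to the next person editing this file. The enclosing `server {` block starts and ends outside the hunk.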
@@ -87,6 +87,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 fastcgi_param TLS-Protocol $ssl_protocol;
 fastcgi_param TLS-SNI-Host $ssl_server_name;
 fastcgi_param TLS-Client-Intercepted $tls_intercepted;
+{% if server.zero_rtt == '1' %}
+ fastcgi_param Early-Data $ssl_early_data;
+{% endif %}
 fastcgi_intercept_errors off;
 {% if location.upstream is not defined %}
 fastcgi_pass unix:/var/run/php-www.socket;
@@ -134,6 +137,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% endif %}
 {% if server.verify_client == 'optional_no_ca' %}
 proxy_set_header X-Client-Certificate $ssl_client_escaped_cert;
+{% endif %}
+{% if server.zero_rtt == '1' %}
+ proxy_set_header Early-Data $ssl_early_data;
 {% endif %}
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
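Review bot: In the second hunk, `proxy_set_header Early-Data $ssl_early_data;` is only emitted when `server.zero_rtt == '1'`, so with the option switched off a client-supplied `Early-Data` request header is forwarded to the proxied backend untouched and cannot be told apart from a genuine early-data signal. Since `$ssl_early_data` is an empty string when no early data was used and `proxy_set_header` does not pass a field whose value is empty, emitting `proxy_set_header Early-Data $ssl_early_data;` unconditionally (outside the `{% if %}`) both strips the client-supplied header and sets it only for real 0-RTT requests. The first hunk is not affected in the same way, because a bare FastCGI parameter named `Early-Data` is distinct from the `HTTP_EARLY_DATA` parameter nginx derives from a client header, but the application behind FastCGI must read exactly that parameter name rather than the header-derived one, which is worth a comment on the new `fastcgi_param` line. The enclosing `location` block starts and ends outside both hunks.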