Nginx | Lua openresty core SSL FFI embedded luaff bindings


c0nw...@googlemail.com

Apr 7, 2017, 11:47:14 AM
to openresty-en
Hello,

I come from the mystical world / realm of Windows Nginx + Lua.

The error I receive is this.

2017/04/05 20:21:40 [error] 11096#5896: *2 lua entry thread aborted: runtime error: ...0n\Desktop\lerroy jenkins\nginx-test-del\lua\ngx\ssl.lua:77: cannot resolve symbol 'ngx_http_lua_ffi_ssl_clear_certs': The specified procedure could not be found.
stack traceback:
coroutine 0:
    [C]: in function '__index'
    ...0n\Desktop\lerroy jenkins\nginx-test-del\lua\ngx\ssl.lua:77: in function 'clear_certs'
    ssl_certificate_by_lua:7: in function <ssl_certificate_by_lua:1>, context: ssl_certificate_by_lua*, client: 127.0.0.1, server: 0.0.0.0:443
2017/04/05 20:21:40 [crit] 11096#5896: *1 SSL_do_handshake() failed (SSL: error:1408A179:SSL routines:ssl3_get_client_hello:cert cb error) while SSL handshaking, client: 127.0.0.1, server: 0.0.0.0:443



The code I am trying to run is as follows.

ssl_certificate_by_lua_block {
    local ssl = require "ngx.ssl"

    -- clear the fallback certificates and private keys
    -- set by the ssl_certificate and ssl_certificate_key
    -- directives above:
    local ok, err = ssl.clear_certs()
    if not ok then
        ngx.log(ngx.ERR, "failed to clear existing (fallback) certificates")
        return ngx.exit(ngx.ERROR)
    end

    local name, err = ssl.server_name()
    if not name then
        ngx.log(ngx.ERR, "failed to read ssl.server_name() client sent")
        return ngx.exit(ngx.ERROR)
    else
        local ssl_server_name = ssl.server_name()
    end
}



I have installed and got all the paths correctly set up and downloaded the files required for ngx.ssl to work from these two GitHub repos:

https://github.com/openresty/lua-resty-core
https://github.com/openresty/lua-resty-lrucache

The Windows Nginx Lua builds can be obtained from here. http://nginx-win.ecsds.eu/download/nginx%201.11.11.1%20Lion.zip

I have contacted itpp2012 ( https://forum.nginx.org/profile.php?11,7488 ), who is the one who compiles and maintains those builds and is also one of the Nginx mailing list admins, I believe.

In our email conversation about this error on Windows he/she said this.

Ok we got everything now and can reproduce the error.
It looks like some include file is still missing as "ngx_http_lua_ffi_ssl_clear_certs" is not a compile time function but a JIT function.

Openresty allows embedded c++ (luaff bindings) which is treated as Luajit code, it's like adding 'c' code without having to compile anything, but it does need some other includes.

No, ffi means you can use C code without having to compile it.
Any other code needs to be compiled, ffi doesn't, it's pulled in via Luajit and bytecode compiled at runtime.
If ffi complains it's missing something this means some definition file is missing.

We haven't had time yet to sort this out, you can always try google groups.


itpp2012 was also kind enough to provide me with a working example of "ffi" on Windows here.

location = /141t {
    content_by_lua_block {
        local ffi = require "ffi"
        ffi.cdef[[
            void *malloc(size_t size);
            void free(void *p);
        ]]
        local p = ffi.C.malloc(1);
        local num = tonumber(ffi.cast("uintptr_t", p))
        ffi.C.free(p)
        if ffi.abi("64bit") then
            if num < 2^31 then
                ngx.say("fail: ", string.format("p = %#x", num))
                return
            end
        end
        ngx.say("pass on 141t")
    }
}


To anyone who wanted to reproduce the error on Windows in their own live Windows environment, here is my Nginx config folder.

https://www.dropbox.com/s/6p0s841lmesvs4t/conf.zip?dl=1
Inside the zip archive is a "conf" folder and a "lua" folder. The lua folder contains these two GitHub repos: https://github.com/openresty/lua-resty-core | https://github.com/openresty/lua-resty-lrucache

If you download the Nginx builds http://nginx-win.ecsds.eu/download/nginx%201.11.11.1%20Lion.zip

And just extract replace/overwrite the "conf" folder with my "conf" folder you should be able to reproduce the SSL error.

Hopefully someone can help and guide / show me what is wrong. Hopefully it is something easy / simple to fix.

Thanks in advance :) <3

c0nw...@googlemail.com

Apr 11, 2017, 12:19:23 PM
to openresty-en
Can anyone help with this? I can't upgrade / begin using SSL without Lua's dynamic abilities :( currently stuck and http://nginx-win.ecsds.eu/ | sup...@ecsystems.nl

Said they have not had the time to look at this and said it is an include file, but that does not help any of us on Windows get this working :( nobody seems to be able to provide or show a working example of the Lua SSL functions in Windows.

these definitions are written in Lua so they must be in an include file.
We can't find any relation to compile time functions, resty.core are Lua includes and definitions.

Everyone is pushing for secured traffic and to upgrade to HTTPS but it is seeming to be impossible and more hassle than it is worth at this rate. Hope someone can help, every week passes and I am getting nowhere.

James Andrew-Smith

Sep 11, 2017, 6:59:01 PM
to openresty-en
Hello, 

Did you end up finding a solution? 

I've tried everything but the FFI implementation doesn't appear to be aware of any of the nginx C.

Thanks,
James

C0nw0nk

Sep 12, 2017, 2:39:31 AM
to openre...@googlegroups.com
Hello,

Nope, I am still stuck with it too, even after all these months, I am sorry to say. Hopefully someone can point out to us what the issue is, but I am clueless unfortunately :(

Glad to see I am not alone at least.

It is a shame because so much could be achieved with it.





James Andrew-Smith

Sep 12, 2017, 3:12:14 AM
to openresty-en
You are not :) 

I'm sorry to hear that. 

It looks like there is no way to do this with NGINX on windows alone, BUT, I've got a solution. 

I am using https://github.com/fabiolb/fabio to terminate the HTTPS traffic and then "route" requests to my existing NGINX backend locally. Fabio is written in Go, is very fast, and can be configured using static files, and reads all the certificates in a directory (it will even refresh when new ones are added) without restarting the process. 

Obviously it would be nicer if we just needed one thing, but I got this working in less time than working out the FFI solution. 

Good luck :)



Yichun Zhang (agentzh)

Sep 13, 2017, 4:04:13 PM
to openresty-en
Hello!

On Fri, Apr 7, 2017 at 8:47 AM, c0nw0nks via openresty-en
<openre...@googlegroups.com> wrote:
> I come from the mystical world / realm of Windows Nginx + Lua.
>
> The error i receive is this.
>
> 2017/04/05 20:21:40 [error] 11096#5896: *2 lua entry thread aborted: runtime
> error: ...0n\Desktop\lerroy jenkins\nginx-test-del\lua\ngx\ssl.lua:77:
> cannot resolve symbol 'ngx_http_lua_ffi_ssl_clear_certs': The specified
> procedure could not be found.
>

Sorry for the delay on my side. Are you using the official OpenResty
Win32 binary here?

https://openresty.org/en/download.html#win32

I've just tried your ssl_certificate_by_lua_block example on my
Windows 10 and it works fine. I also confirmed that I can indeed get
the SNI name in the server side Lua code on that Windows 10 box by
sending HTTP requests via curl and openssl s_client.

BTW, itpp2012's nginx builds are not official and we do not support them.

Best regards,
Yichun
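
A build can be checked for this failure before any TLS handler depends on it. The following is an added example, not part of the original thread or of OpenResty's code: it probes whether the running nginx binary exports the FFI symbols that ngx.ssl calls, using the symbol name from the error above plus ngx_http_lua_ffi_ssl_server_name, which is assumed here to be the declaration behind ssl.server_name().

```lua
-- Added diagnostic, not from the thread. Place the body inside a
-- content_by_lua_block on a test location and request it over plain HTTP.
local ffi = require "ffi"

-- Loading ngx.ssl only runs its ffi.cdef declarations. LuaJIT resolves each
-- C symbol lazily, on first use, which is why the thread's error surfaces at
-- the clear_certs() call (ssl.lua:77) and not at require time.
local loaded, load_err = pcall(require, "ngx.ssl")

-- Symbols to probe. The first is taken from the error message in the thread;
-- the second is an assumption about what lua-resty-core declares.
local symbols = {
    "ngx_http_lua_ffi_ssl_clear_certs",
    "ngx_http_lua_ffi_ssl_server_name",
}

-- Index ffi.C without calling the function: this forces symbol resolution
-- and raises a catchable Lua error when the host binary lacks the export.
local function probe(name)
    local ok, err = pcall(function() return ffi.C[name] end)
    if ok then
        return "exported"
    end
    err = tostring(err)
    if err:find("missing declaration", 1, true) then
        return "not declared (no ffi.cdef has run for this name)"
    end
    if err:find("cannot resolve symbol", 1, true) then
        return "declared but not exported by this nginx binary"
    end
    return "error: " .. err
end

if not loaded then
    ngx.say("require ngx.ssl failed: ", tostring(load_err))
end
for _, name in ipairs(symbols) do
    ngx.say(name, ": ", probe(name))
end
```

A result of "declared but not exported" means the Lua files are in place and the nginx executable itself lacks the C functions, so no additional include file on the Lua side will change the outcome.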