yuanbiao
/
emqx
1
0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(ws connection): fix peer_cert_as_username error when ws connect

This commit is contained in:
zhanghongtong 2021-04-15 09:35:07 +08:00 committed by tigercl
parent 054f9907c6
commit 28810b62c8
4 changed files with 69 additions and 15 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

22
etc/emqx.conf
View File

@ -1088,10 +1088,18 @@ listener.tcp.external.access.1 = allow all
## Enable the option for X.509 certificate based authentication. ## Enable the option for X.509 certificate based authentication.
## EMQX will use the common name of certificate as MQTT username. ## EMQX will use the common name of certificate as MQTT username.
## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info
## ##
## Value: cn | dn | crt ## Value: cn | dn | crt
## listener.tcp.external.peer_cert_as_username = cn ## listener.tcp.external.peer_cert_as_username = cn
## Enable the option for X.509 certificate based authentication.
## EMQX will use the common name of certificate as MQTT clientid.
## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info
##
## Value: cn
## listener.tcp.external.peer_cert_as_clientid = cn
## The TCP backlog defines the maximum length that the queue of pending ## The TCP backlog defines the maximum length that the queue of pending
## connections can grow to. ## connections can grow to.
## ##
@ -1567,6 +1575,20 @@ listener.ws.external.verify_protocol_header = on
## Value: Duration ## Value: Duration
## listener.ws.external.proxy_protocol_timeout = 3s ## listener.ws.external.proxy_protocol_timeout = 3s
## Enable the option for X.509 certificate based authentication.
## EMQX will use the common name of certificate as MQTT username.
## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info
##
## Value: cn
## listener.ws.external.peer_cert_as_username = cn
## Enable the option for X.509 certificate based authentication.
## EMQX will use the common name of certificate as MQTT clientid.
## Only support Proxy Protocol V2, the CN is available in Proxy Protocol V2 additional info
##
## Value: cn
## listener.ws.external.peer_cert_as_clientid = cn
## The TCP backlog of external MQTT/WebSocket Listener. ## The TCP backlog of external MQTT/WebSocket Listener.
## ##
## See: listener.ws.$name.backlog ## See: listener.ws.$name.backlog

8
priv/emqx.schema
View File

@ -1572,6 +1572,14 @@ end}.
hidden hidden
]}. ]}.
{mapping, "listener.ws.$name.peer_cert_as_username", "emqx.listeners", [
{datatype, {enum, [cn]}}
]}.
{mapping, "listener.ws.$name.peer_cert_as_clientid", "emqx.listeners", [
{datatype, {enum, [cn]}}
]}.
%%-------------------------------------------------------------------- %%--------------------------------------------------------------------
%% MQTT/WebSocket/SSL Listeners %% MQTT/WebSocket/SSL Listeners

32
src/emqx.appup.src
View File

@ -8,23 +8,29 @@
end, end,
{VSN, {VSN,
[ [
{"4.2.10", [
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]},
{"4.2.9", [ {"4.2.9", [
{load_module, emqx_connection, brutal_purge, soft_purge, []}, {load_module, emqx_connection, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []} {load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]}, ]},
{<<"4.2.[34567]">>, [ {<<"4.2.[34567]">>, [
{load_module, emqx_frame, brutal_purge, soft_purge, []} {load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.2", [ {"4.2.2", [
{load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []} {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.1", [ {"4.2.1", [
{load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []},
{load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_json, brutal_purge, soft_purge, []} {load_module, emqx_json, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.0", [ {"4.2.0", [
{load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_frame, brutal_purge, soft_purge, []},
@ -32,6 +38,7 @@
{load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []},
{load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_json, brutal_purge, soft_purge, []}, {load_module, emqx_json, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
{apply, {application, set_env, {apply, {application, set_env,
[emqx, force_shutdown_policy, [emqx, force_shutdown_policy,
#{message_queue_len => DefaultLen, #{message_queue_len => DefaultLen,
@ -40,26 +47,37 @@
{<<".*">>, []} {<<".*">>, []}
], ],
[ [
{"4.2.10", [
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]},
{"4.2.9", [
{load_module, emqx_connection, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]},
{<<"4.2.[34567]">>, [ {<<"4.2.[34567]">>, [
{load_module, emqx_frame, brutal_purge, soft_purge, []} {load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.2", [ {"4.2.2", [
{load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []} {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.1", [ {"4.2.1", [
{load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []},
{load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_json, brutal_purge, soft_purge, []} {load_module, emqx_json, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]}, ]},
{"4.2.0", [ {"4.2.0", [
{load_module, emqx_frame, brutal_purge, soft_purge, []}, {load_module, emqx_frame, brutal_purge, soft_purge, []},
{load_module, emqx_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_channel, brutal_purge, soft_purge, []}, {load_module, emqx_channel, brutal_purge, soft_purge, []},
{load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []}, {load_module, emqx_mod_topic_metrics, brutal_purge, soft_purge, []},
{load_module, emqx_json, brutal_purge, soft_purge, []} {load_module, emqx_json, brutal_purge, soft_purge, []},
{load_module, emqx_ws_connection, brutal_purge, soft_purge, []}
]}, ]},
{<<".*">>, []} {<<".*">>, []}
] ]

16
src/emqx_ws_connection.erl
View File

@ -196,15 +196,21 @@ init(Req, Opts) ->
end. end.
websocket_init([Req, Opts]) -> websocket_init([Req, Opts]) ->
Peername = case proplists:get_bool(proxy_protocol, Opts) {Peername, Peercert} =
case proplists:get_bool(proxy_protocol, Opts)
andalso maps:get(proxy_header, Req) of andalso maps:get(proxy_header, Req) of
#{src_address := SrcAddr, src_port := SrcPort} -> #{src_address := SrcAddr, src_port := SrcPort, ssl := SSL} ->
{SrcAddr, SrcPort}; ProxyName = {SrcAddr, SrcPort},
%% Notice: Only CN is available in Proxy Protocol V2 additional info
ProxySSL = case maps:get(cn, SSL, undefined) of
undeined -> nossl;
CN -> [{pp2_ssl_cn, CN}]
end,
{ProxyName, ProxySSL};
_ -> _ ->
cowboy_req:peer(Req) {cowboy_req:peer(Req), cowboy_req:cert(Req)}
end, end,
Sockname = cowboy_req:sock(Req), Sockname = cowboy_req:sock(Req),
Peercert = cowboy_req:cert(Req),
WsCookie = try cowboy_req:parse_cookies(Req) WsCookie = try cowboy_req:parse_cookies(Req)
catch catch
error:badarg -> error:badarg ->