walkero
/
nghttp2
1
0
Fork 0
Code Issues Pull Requests Projects Releases 1 Wiki Activity
nghttp2/src/shrpx_config.cc

543 lines
18 KiB
C++
Raw Normal View History

Initial commit of shrpx: SPDY/HTTPS to HTTP reverse proxy Put libhtparse in examples/htparse
2012-06-04 16:48:31 +02:00
/*
* Spdylay - SPDY Library
*
* Copyright (c) 2012 Tatsuhiro Tsujikawa
*
* Permission is hereby granted, free of charge, to any person obtaining
* a copy of this software and associated documentation files (the
* "Software"), to deal in the Software without restriction, including
* without limitation the rights to use, copy, modify, merge, publish,
* distribute, sublicense, and/or sell copies of the Software, and to
* permit persons to whom the Software is furnished to do so, subject to
* the following conditions:
*
* The above copyright notice and this permission notice shall be
* included in all copies or substantial portions of the Software.
*
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
* LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
* OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#include "shrpx_config.h"
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
#include <pwd.h>
#include <netdb.h>
shrpx: Add syslog support
2012-08-01 18:20:18 +02:00
#include <syslog.h>
[shrpx] read private key's passwd from a file This avoids the need to provide the password for your private key interactively. It can be used via --private-key-passwd-file or private-key-passwd-file in the given config file. The first line in the file (without \n) will be treated as the passwd. There isn't any validation and all lines after the first one (if any) are ignored. The security model behind this is a bit simplistic so I am open to better ideas. Basically your password file should be root:root (700) and you *should* drop root and run as an unprivileged user. If the file exists and a line can be read then a callback will be set for the SSL ctxt and it'll feed the passwd when the private key is read (if password is needed). If the file exists with the wrong permisions it'll be logged and ignored.
2012-12-03 07:33:04 +01:00
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
#include <cstring>
#include <cerrno>
#include <limits>
#include <fstream>
shrpx: Add non-TLS SPDY backend connection support Use --backend-spdy-no-tls to disable TLS on backend SPDY connection. The SPDY protocol used there must be configured by --backend-spdy-proto option.
2013-02-22 13:54:07 +01:00
#include <spdylay/spdylay.h>
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
#include "shrpx_log.h"
shrpx: Add --subcert option to add additional certificate/private key This option specifies additional certificate and private key file. Shrpx will choose certificates based on the hostname indicated by client using TLS SNI extension. This option can be used multiple times.
2013-02-06 15:27:05 +01:00
#include "shrpx_ssl.h"
shprx: Add --backend-http-proxy-uri option Specify proxy URI in the form http://[USER:PASS]PROXY:PORT. USER and PASS are optional and if they exist they must be properly percent-encoded. This proxy is used when the backend connection is SPDY. First, make a CONNECT request to the proxy and it connects to the backend on behalf of shrpx. This forms tunnel. After that, shrpx performs SSL/TLS handshake with the downstream through the tunnel. The timeouts when connecting and making CONNECT request can be specified by --backend-read-timeout and --backend-write-timeout options.
2013-02-09 08:42:01 +01:00
#include "shrpx_http.h"
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
#include "util.h"
using namespace spdylay;
Initial commit of shrpx: SPDY/HTTPS to HTTP reverse proxy Put libhtparse in examples/htparse
2012-06-04 16:48:31 +02:00
namespace shrpx {
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
const char SHRPX_OPT_PRIVATE_KEY_FILE[] = "private-key-file";
[shrpx] read private key's passwd from a file This avoids the need to provide the password for your private key interactively. It can be used via --private-key-passwd-file or private-key-passwd-file in the given config file. The first line in the file (without \n) will be treated as the passwd. There isn't any validation and all lines after the first one (if any) are ignored. The security model behind this is a bit simplistic so I am open to better ideas. Basically your password file should be root:root (700) and you *should* drop root and run as an unprivileged user. If the file exists and a line can be read then a callback will be set for the SSL ctxt and it'll feed the passwd when the private key is read (if password is needed). If the file exists with the wrong permisions it'll be logged and ignored.
2012-12-03 07:33:04 +01:00
const char SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE[] = "private-key-passwd-file";
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
const char SHRPX_OPT_CERTIFICATE_FILE[] = "certificate-file";
shrpx: Add --subcert option to add additional certificate/private key This option specifies additional certificate and private key file. Shrpx will choose certificates based on the hostname indicated by client using TLS SNI extension. This option can be used multiple times.
2013-02-06 15:27:05 +01:00
const char SHRPX_OPT_SUBCERT[] = "subcert";
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
const char SHRPX_OPT_BACKEND[] = "backend";
const char SHRPX_OPT_FRONTEND[] = "frontend";
const char SHRPX_OPT_WORKERS[] = "workers";
const char
SHRPX_OPT_SPDY_MAX_CONCURRENT_STREAMS[] = "spdy-max-concurrent-streams";
const char SHRPX_OPT_LOG_LEVEL[] = "log-level";
const char SHRPX_OPT_DAEMON[] = "daemon";
const char SHRPX_OPT_SPDY_PROXY[] = "spdy-proxy";
shrpx: Add --spdy-bridge option With --spdy-bridge option, it listens SPDY/HTTPS connections from front end and forwards them to the backend in SPDY. The usage will be written later. This change fixes the crash when more than 2 outstanding SpdyDownstreamConnection objects are added to SpdySession and establishing connection to SPDY backend is failed.
2013-02-08 13:46:58 +01:00
const char SHRPX_OPT_SPDY_BRIDGE[] = "spdy-bridge";
Rename --client-mode as --client and add --client-proxy With --client-proxy option, shrpx makes sure that the request path is an absolute URI, otherwise it will return 400 status code.
2012-11-21 14:10:35 +01:00
const char SHRPX_OPT_CLIENT_PROXY[] = "client-proxy";
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
const char SHRPX_OPT_ADD_X_FORWARDED_FOR[] = "add-x-forwarded-for";
shrpx: Add --no-via option If --no-via option is given, shrpx does not append to Via header field. If Via header field is received, it is left unaltered.
2013-01-09 14:01:25 +01:00
const char SHRPX_OPT_NO_VIA[] = "no-via";
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
const char
SHRPX_OPT_FRONTEND_SPDY_READ_TIMEOUT[] = "frontend-spdy-read-timeout";
const char SHRPX_OPT_FRONTEND_READ_TIMEOUT[] = "frontend-read-timeout";
const char SHRPX_OPT_FRONTEND_WRITE_TIMEOUT[] = "frontend-write-timeout";
const char SHRPX_OPT_BACKEND_READ_TIMEOUT[] = "backend-read-timeout";
const char SHRPX_OPT_BACKEND_WRITE_TIMEOUT[] = "backend-write-timeout";
const char SHRPX_OPT_ACCESSLOG[] = "accesslog";
const char
SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT[] = "backend-keep-alive-timeout";
const char SHRPX_OPT_FRONTEND_SPDY_WINDOW_BITS[] = "frontend-spdy-window-bits";
shrpx: Implement downstream SPDY flow control
2012-11-21 15:47:48 +01:00
const char SHRPX_OPT_BACKEND_SPDY_WINDOW_BITS[] = "backend-spdy-window-bits";
shrpx: Support non-TLS SPDY in frontend connection
2013-03-24 13:03:39 +01:00
const char SHRPX_OPT_FRONTEND_SPDY_NO_TLS[] = "frontend-spdy-no-tls";
const char SHRPX_OPT_FRONTEND_SPDY_PROTO[] = "frontend-spdy-proto";
shrpx: Add non-TLS SPDY backend connection support Use --backend-spdy-no-tls to disable TLS on backend SPDY connection. The SPDY protocol used there must be configured by --backend-spdy-proto option.
2013-02-22 13:54:07 +01:00
const char SHRPX_OPT_BACKEND_SPDY_NO_TLS[] = "backend-spdy-no-tls";
const char SHRPX_OPT_BACKEND_SPDY_PROTO[] = "backend-spdy-proto";
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
const char SHRPX_OPT_PID_FILE[] = "pid-file";
const char SHRPX_OPT_USER[] = "user";
shrpx: Add syslog support
2012-08-01 18:20:18 +02:00
const char SHRPX_OPT_SYSLOG[] = "syslog";
const char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
shrpx: Added --backlog option
2012-08-01 18:28:59 +02:00
const char SHRPX_OPT_BACKLOG[] = "backlog";
shrpx: add --ciphers option to specify allowed cipher list
2012-08-20 14:50:03 +02:00
const char SHRPX_OPT_CIPHERS[] = "ciphers";
Rename --client-mode as --client and add --client-proxy With --client-proxy option, shrpx makes sure that the request path is an absolute URI, otherwise it will return 400 status code.
2012-11-21 14:10:35 +01:00
const char SHRPX_OPT_CLIENT[] = "client";
shrpx: Verify backend server's certificate in client mode The -k, --insecure option is added to skip this verification. The system wide trusted CA certificates will be loaded at startup. The --cacert option is added to specify the trusted CA certificate file.
2012-11-22 13:46:15 +01:00
const char SHRPX_OPT_INSECURE[] = "insecure";
const char SHRPX_OPT_CACERT[] = "cacert";
shrpx: Add --backend-ipv4 and --backend-ipv6 options.
2012-11-23 13:11:01 +01:00
const char SHRPX_OPT_BACKEND_IPV4[] = "backend-ipv4";
const char SHRPX_OPT_BACKEND_IPV6[] = "backend-ipv6";
shprx: Add --backend-http-proxy-uri option Specify proxy URI in the form http://[USER:PASS]PROXY:PORT. USER and PASS are optional and if they exist they must be properly percent-encoded. This proxy is used when the backend connection is SPDY. First, make a CONNECT request to the proxy and it connects to the backend on behalf of shrpx. This forms tunnel. After that, shrpx performs SSL/TLS handshake with the downstream through the tunnel. The timeouts when connecting and making CONNECT request can be specified by --backend-read-timeout and --backend-write-timeout options.
2013-02-09 08:42:01 +01:00
const char SHRPX_OPT_BACKEND_HTTP_PROXY_URI[] = "backend-http-proxy-uri";
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
Initial commit of shrpx: SPDY/HTTPS to HTTP reverse proxy Put libhtparse in examples/htparse
2012-06-04 16:48:31 +02:00
namespace {
Config *config = 0;
} // namespace
const Config* get_config()
{
return config;
}
Config* mod_config()
{
return config;
}
void create_config()
{
config = new Config();
}
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
namespace {
int split_host_port(char *host, size_t hostlen, uint16_t *port_ptr,
const char *hostport)
{
// host and port in |hostport| is separated by single ','.
const char *p = strchr(hostport, ',');
if(!p) {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(ERROR) << "Invalid host, port: " << hostport;
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
size_t len = p-hostport;
if(hostlen < len+1) {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(ERROR) << "Hostname too long: " << hostport;
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
memcpy(host, hostport, len);
host[len] = '\0';
errno = 0;
unsigned long d = strtoul(p+1, 0, 10);
if(errno == 0 && 1 <= d && d <= std::numeric_limits<uint16_t>::max()) {
*port_ptr = d;
return 0;
} else {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(ERROR) << "Port is invalid: " << p+1;
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
}
} // namespace
shrpx: Make is_secure() static
2012-12-07 15:14:20 +01:00
namespace {
[shrpx] read private key's passwd from a file This avoids the need to provide the password for your private key interactively. It can be used via --private-key-passwd-file or private-key-passwd-file in the given config file. The first line in the file (without \n) will be treated as the passwd. There isn't any validation and all lines after the first one (if any) are ignored. The security model behind this is a bit simplistic so I am open to better ideas. Basically your password file should be root:root (700) and you *should* drop root and run as an unprivileged user. If the file exists and a line can be read then a callback will be set for the SSL ctxt and it'll feed the passwd when the private key is read (if password is needed). If the file exists with the wrong permisions it'll be logged and ignored.
2012-12-03 07:33:04 +01:00
bool is_secure(const char *filename)
{
struct stat buf;
int rv = stat(filename, &buf);
if (rv == 0) {
if ((buf.st_mode & S_IRWXU) &&
!(buf.st_mode & S_IRWXG) &&
!(buf.st_mode & S_IRWXO)) {
return true;
}
}
return false;
}
shrpx: Make is_secure() static
2012-12-07 15:14:20 +01:00
} // namespace
[shrpx] read private key's passwd from a file This avoids the need to provide the password for your private key interactively. It can be used via --private-key-passwd-file or private-key-passwd-file in the given config file. The first line in the file (without \n) will be treated as the passwd. There isn't any validation and all lines after the first one (if any) are ignored. The security model behind this is a bit simplistic so I am open to better ideas. Basically your password file should be root:root (700) and you *should* drop root and run as an unprivileged user. If the file exists and a line can be read then a callback will be set for the SSL ctxt and it'll feed the passwd when the private key is read (if password is needed). If the file exists with the wrong permisions it'll be logged and ignored.
2012-12-03 07:33:04 +01:00
std::string read_passwd_from_file(const char *filename)
{
std::string line;
if (!is_secure(filename)) {
LOG(ERROR) << "Private key passwd file " << filename
<< " has insecure mode.";
return line;
}
std::ifstream in(filename, std::ios::binary);
if(!in) {
LOG(ERROR) << "Could not open key passwd file " << filename;
return line;
}
std::getline(in, line);
return line;
}
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
void set_config_str(char **destp, const char *val)
{
if(*destp) {
free(*destp);
}
*destp = strdup(val);
}
shrpx: Support non-TLS SPDY in frontend connection
2013-03-24 13:03:39 +01:00
namespace {
// Parses |optarg| as SPDY NPN protocol string and returns SPDY
// protocol version number. This function returns -1 on error.
int parse_spdy_proto(const char *optarg)
{
size_t len = strlen(optarg);
const unsigned char *proto;
proto = reinterpret_cast<const unsigned char*>(optarg);
uint16_t version = spdylay_npn_get_version(proto, len);
if(!version) {
LOG(ERROR) << "Unsupported SPDY version: " << optarg;
return -1;
}
return version;
}
} // namespace
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
int parse_config(const char *opt, const char *optarg)
{
char host[NI_MAXHOST];
uint16_t port;
if(util::strieq(opt, SHRPX_OPT_BACKEND)) {
if(split_host_port(host, sizeof(host), &port, optarg) == -1) {
return -1;
} else {
set_config_str(&mod_config()->downstream_host, host);
mod_config()->downstream_port = port;
}
} else if(util::strieq(opt, SHRPX_OPT_FRONTEND)) {
if(split_host_port(host, sizeof(host), &port, optarg) == -1) {
return -1;
} else {
set_config_str(&mod_config()->host, host);
mod_config()->port = port;
}
} else if(util::strieq(opt, SHRPX_OPT_WORKERS)) {
mod_config()->num_worker = strtol(optarg, 0, 10);
} else if(util::strieq(opt, SHRPX_OPT_SPDY_MAX_CONCURRENT_STREAMS)) {
mod_config()->spdy_max_concurrent_streams = strtol(optarg, 0, 10);
} else if(util::strieq(opt, SHRPX_OPT_LOG_LEVEL)) {
if(Log::set_severity_level_by_name(optarg) == -1) {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(ERROR) << "Invalid severity level: " << optarg;
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
} else if(util::strieq(opt, SHRPX_OPT_DAEMON)) {
mod_config()->daemon = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_SPDY_PROXY)) {
mod_config()->spdy_proxy = util::strieq(optarg, "yes");
shrpx: Add --spdy-bridge option With --spdy-bridge option, it listens SPDY/HTTPS connections from front end and forwards them to the backend in SPDY. The usage will be written later. This change fixes the crash when more than 2 outstanding SpdyDownstreamConnection objects are added to SpdySession and establishing connection to SPDY backend is failed.
2013-02-08 13:46:58 +01:00
} else if(util::strieq(opt, SHRPX_OPT_SPDY_BRIDGE)) {
mod_config()->spdy_bridge = util::strieq(optarg, "yes");
Rename --client-mode as --client and add --client-proxy With --client-proxy option, shrpx makes sure that the request path is an absolute URI, otherwise it will return 400 status code.
2012-11-21 14:10:35 +01:00
} else if(util::strieq(opt, SHRPX_OPT_CLIENT_PROXY)) {
mod_config()->client_proxy = util::strieq(optarg, "yes");
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
} else if(util::strieq(opt, SHRPX_OPT_ADD_X_FORWARDED_FOR)) {
mod_config()->add_x_forwarded_for = util::strieq(optarg, "yes");
shrpx: Add --no-via option If --no-via option is given, shrpx does not append to Via header field. If Via header field is received, it is left unaltered.
2013-01-09 14:01:25 +01:00
} else if(util::strieq(opt, SHRPX_OPT_NO_VIA)) {
mod_config()->no_via = util::strieq(optarg, "yes");
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
} else if(util::strieq(opt, SHRPX_OPT_FRONTEND_SPDY_READ_TIMEOUT)) {
timeval tv = {strtol(optarg, 0, 10), 0};
mod_config()->spdy_upstream_read_timeout = tv;
} else if(util::strieq(opt, SHRPX_OPT_FRONTEND_READ_TIMEOUT)) {
timeval tv = {strtol(optarg, 0, 10), 0};
mod_config()->upstream_read_timeout = tv;
} else if(util::strieq(opt, SHRPX_OPT_FRONTEND_WRITE_TIMEOUT)) {
timeval tv = {strtol(optarg, 0, 10), 0};
mod_config()->upstream_write_timeout = tv;
} else if(util::strieq(opt, SHRPX_OPT_BACKEND_READ_TIMEOUT)) {
timeval tv = {strtol(optarg, 0, 10), 0};
mod_config()->downstream_read_timeout = tv;
} else if(util::strieq(opt, SHRPX_OPT_BACKEND_WRITE_TIMEOUT)) {
timeval tv = {strtol(optarg, 0, 10), 0};
mod_config()->downstream_write_timeout = tv;
} else if(util::strieq(opt, SHRPX_OPT_ACCESSLOG)) {
mod_config()->accesslog = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT)) {
timeval tv = {strtol(optarg, 0, 10), 0};
mod_config()->downstream_idle_read_timeout = tv;
shrpx: Implement downstream SPDY flow control
2012-11-21 15:47:48 +01:00
} else if(util::strieq(opt, SHRPX_OPT_FRONTEND_SPDY_WINDOW_BITS) ||
util::strieq(opt, SHRPX_OPT_BACKEND_SPDY_WINDOW_BITS)) {
size_t *resp;
const char *optname;
if(util::strieq(opt, SHRPX_OPT_FRONTEND_SPDY_WINDOW_BITS)) {
resp = &mod_config()->spdy_upstream_window_bits;
optname = SHRPX_OPT_FRONTEND_SPDY_WINDOW_BITS;
} else {
resp = &mod_config()->spdy_downstream_window_bits;
optname = SHRPX_OPT_BACKEND_SPDY_WINDOW_BITS;
}
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
errno = 0;
unsigned long int n = strtoul(optarg, 0, 10);
if(errno == 0 && n < 31) {
shrpx: Implement downstream SPDY flow control
2012-11-21 15:47:48 +01:00
*resp = n;
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
} else {
shrpx: Implement downstream SPDY flow control
2012-11-21 15:47:48 +01:00
LOG(ERROR) << "--" << optname
<< " specify the integer in the range [0, 30], inclusive";
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
shrpx: Support non-TLS SPDY in frontend connection
2013-03-24 13:03:39 +01:00
} else if(util::strieq(opt, SHRPX_OPT_FRONTEND_SPDY_NO_TLS)) {
mod_config()->spdy_upstream_no_tls = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_FRONTEND_SPDY_PROTO)) {
int version = parse_spdy_proto(optarg);
if(version == -1) {
return -1;
} else {
mod_config()->spdy_upstream_version = version;
}
shrpx: Add non-TLS SPDY backend connection support Use --backend-spdy-no-tls to disable TLS on backend SPDY connection. The SPDY protocol used there must be configured by --backend-spdy-proto option.
2013-02-22 13:54:07 +01:00
} else if(util::strieq(opt, SHRPX_OPT_BACKEND_SPDY_NO_TLS)) {
mod_config()->spdy_downstream_no_tls = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_BACKEND_SPDY_PROTO)) {
shrpx: Support non-TLS SPDY in frontend connection
2013-03-24 13:03:39 +01:00
int version = parse_spdy_proto(optarg);
if(version == -1) {
shrpx: Add non-TLS SPDY backend connection support Use --backend-spdy-no-tls to disable TLS on backend SPDY connection. The SPDY protocol used there must be configured by --backend-spdy-proto option.
2013-02-22 13:54:07 +01:00
return -1;
shrpx: Support non-TLS SPDY in frontend connection
2013-03-24 13:03:39 +01:00
} else {
mod_config()->spdy_downstream_version = version;
shrpx: Add non-TLS SPDY backend connection support Use --backend-spdy-no-tls to disable TLS on backend SPDY connection. The SPDY protocol used there must be configured by --backend-spdy-proto option.
2013-02-22 13:54:07 +01:00
}
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
} else if(util::strieq(opt, SHRPX_OPT_PID_FILE)) {
set_config_str(&mod_config()->pid_file, optarg);
} else if(util::strieq(opt, SHRPX_OPT_USER)) {
passwd *pwd = getpwnam(optarg);
if(pwd == 0) {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(ERROR) << "--user: failed to get uid from " << optarg
<< ": " << strerror(errno);
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
mod_config()->uid = pwd->pw_uid;
mod_config()->gid = pwd->pw_gid;
} else if(util::strieq(opt, SHRPX_OPT_PRIVATE_KEY_FILE)) {
set_config_str(&mod_config()->private_key_file, optarg);
[shrpx] read private key's passwd from a file This avoids the need to provide the password for your private key interactively. It can be used via --private-key-passwd-file or private-key-passwd-file in the given config file. The first line in the file (without \n) will be treated as the passwd. There isn't any validation and all lines after the first one (if any) are ignored. The security model behind this is a bit simplistic so I am open to better ideas. Basically your password file should be root:root (700) and you *should* drop root and run as an unprivileged user. If the file exists and a line can be read then a callback will be set for the SSL ctxt and it'll feed the passwd when the private key is read (if password is needed). If the file exists with the wrong permisions it'll be logged and ignored.
2012-12-03 07:33:04 +01:00
} else if(util::strieq(opt, SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE)) {
std::string passwd = read_passwd_from_file(optarg);
if (passwd.empty()) {
LOG(ERROR) << "Couldn't read key file's passwd from " << optarg;
return -1;
}
set_config_str(&mod_config()->private_key_passwd, passwd.c_str());
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
} else if(util::strieq(opt, SHRPX_OPT_CERTIFICATE_FILE)) {
set_config_str(&mod_config()->cert_file, optarg);
shrpx: Add --subcert option to add additional certificate/private key This option specifies additional certificate and private key file. Shrpx will choose certificates based on the hostname indicated by client using TLS SNI extension. This option can be used multiple times.
2013-02-06 15:27:05 +01:00
} else if(util::strieq(opt, SHRPX_OPT_SUBCERT)) {
// Private Key file and certificate file separated by ':'.
const char *sp = strchr(optarg, ':');
if(sp) {
std::string keyfile(optarg, sp);
// TODO Do we need private key for subcert?
SSL_CTX *ssl_ctx = ssl::create_ssl_context(keyfile.c_str(), sp+1);
if(!get_config()->cert_tree) {
mod_config()->cert_tree = ssl::cert_lookup_tree_new();
}
if(ssl::cert_lookup_tree_add_cert_from_file(get_config()->cert_tree,
ssl_ctx, sp+1) == -1) {
return -1;
}
}
shrpx: Add syslog support
2012-08-01 18:20:18 +02:00
} else if(util::strieq(opt, SHRPX_OPT_SYSLOG)) {
mod_config()->syslog = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_SYSLOG_FACILITY)) {
int facility = int_syslog_facility(optarg);
if(facility == -1) {
LOG(ERROR) << "Unknown syslog facility: " << optarg;
return -1;
}
mod_config()->syslog_facility = facility;
shrpx: Added --backlog option
2012-08-01 18:28:59 +02:00
} else if(util::strieq(opt, SHRPX_OPT_BACKLOG)) {
mod_config()->backlog = strtol(optarg, 0, 10);
shrpx: add --ciphers option to specify allowed cipher list
2012-08-20 14:50:03 +02:00
} else if(util::strieq(opt, SHRPX_OPT_CIPHERS)) {
set_config_str(&mod_config()->ciphers, optarg);
Rename --client-mode as --client and add --client-proxy With --client-proxy option, shrpx makes sure that the request path is an absolute URI, otherwise it will return 400 status code.
2012-11-21 14:10:35 +01:00
} else if(util::strieq(opt, SHRPX_OPT_CLIENT)) {
mod_config()->client = util::strieq(optarg, "yes");
shrpx: Verify backend server's certificate in client mode The -k, --insecure option is added to skip this verification. The system wide trusted CA certificates will be loaded at startup. The --cacert option is added to specify the trusted CA certificate file.
2012-11-22 13:46:15 +01:00
} else if(util::strieq(opt, SHRPX_OPT_INSECURE)) {
mod_config()->insecure = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_CACERT)) {
set_config_str(&mod_config()->cacert, optarg);
shrpx: Add --backend-ipv4 and --backend-ipv6 options.
2012-11-23 13:11:01 +01:00
} else if(util::strieq(opt, SHRPX_OPT_BACKEND_IPV4)) {
mod_config()->backend_ipv4 = util::strieq(optarg, "yes");
} else if(util::strieq(opt, SHRPX_OPT_BACKEND_IPV6)) {
mod_config()->backend_ipv6 = util::strieq(optarg, "yes");
shprx: Add --backend-http-proxy-uri option Specify proxy URI in the form http://[USER:PASS]PROXY:PORT. USER and PASS are optional and if they exist they must be properly percent-encoded. This proxy is used when the backend connection is SPDY. First, make a CONNECT request to the proxy and it connects to the backend on behalf of shrpx. This forms tunnel. After that, shrpx performs SSL/TLS handshake with the downstream through the tunnel. The timeouts when connecting and making CONNECT request can be specified by --backend-read-timeout and --backend-write-timeout options.
2013-02-09 08:42:01 +01:00
} else if(util::strieq(opt, SHRPX_OPT_BACKEND_HTTP_PROXY_URI)) {
// parse URI and get hostname, port and optionally userinfo.
http_parser_url u;
memset(&u, 0, sizeof(u));
int rv = http_parser_parse_url(optarg, strlen(optarg), 0, &u);
if(rv == 0) {
std::string val;
if(u.field_set & UF_USERINFO) {
http::copy_url_component(val, &u, UF_USERINFO, optarg);
shrpx: Fix Proxy-Authorization is alwasy sent even if userinfo is empty Surprisingly, field_set & UF_USERINFO is nonzero even if userinfo component is empty string.
2013-02-22 13:23:59 +01:00
// Surprisingly, u.field_set & UF_USERINFO is nonzero even if
// userinfo component is empty string.
if(!val.empty()) {
val = util::percentDecode(val.begin(), val.end());
set_config_str(&mod_config()->downstream_http_proxy_userinfo,
val.c_str());
}
shprx: Add --backend-http-proxy-uri option Specify proxy URI in the form http://[USER:PASS]PROXY:PORT. USER and PASS are optional and if they exist they must be properly percent-encoded. This proxy is used when the backend connection is SPDY. First, make a CONNECT request to the proxy and it connects to the backend on behalf of shrpx. This forms tunnel. After that, shrpx performs SSL/TLS handshake with the downstream through the tunnel. The timeouts when connecting and making CONNECT request can be specified by --backend-read-timeout and --backend-write-timeout options.
2013-02-09 08:42:01 +01:00
}
if(u.field_set & UF_HOST) {
http::copy_url_component(val, &u, UF_HOST, optarg);
set_config_str(&mod_config()->downstream_http_proxy_host, val.c_str());
} else {
LOG(ERROR) << "backend-http-proxy-uri does not contain hostname";
return -1;
}
if(u.field_set & UF_PORT) {
mod_config()->downstream_http_proxy_port = u.port;
} else {
LOG(ERROR) << "backend-http-proxy-uri does not contain port";
return -1;
}
} else {
LOG(ERROR) << "Could not parse backend-http-proxy-uri";
return -1;
}
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
} else if(util::strieq(opt, "conf")) {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(WARNING) << "conf is ignored";
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
} else {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(ERROR) << "Unknown option: " << opt;
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
shrpx: Add --subcert option to add additional certificate/private key This option specifies additional certificate and private key file. Shrpx will choose certificates based on the hostname indicated by client using TLS SNI extension. This option can be used multiple times.
2013-02-06 15:27:05 +01:00
if(get_config()->cert_file && get_config()->private_key_file) {
mod_config()->default_ssl_ctx =
ssl::create_ssl_context(get_config()->private_key_file,
get_config()->cert_file);
if(get_config()->cert_tree) {
if(ssl::cert_lookup_tree_add_cert_from_file(get_config()->cert_tree,
get_config()->default_ssl_ctx,
get_config()->cert_file)
== -1) {
return -1;
}
}
}
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return 0;
}
int load_config(const char *filename)
{
std::ifstream in(filename, std::ios::binary);
if(!in) {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(ERROR) << "Could not open config file " << filename;
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
std::string line;
int linenum = 0;
while(std::getline(in, line)) {
++linenum;
if(line.empty() || line[0] == '#') {
continue;
}
size_t i;
size_t size = line.size();
for(i = 0; i < size && line[i] != '='; ++i);
if(i == size) {
shrpx:: Use LOG() instead of std::cerr
2012-08-01 17:26:24 +02:00
LOG(ERROR) << "Bad configuration format at line " << linenum;
shrpx: Support configuration file By default, configuration file is /etc/shrpx/shrpx.conf. It can be overridden using --conf option. See shrpx.conf.sample to know how to write shrpx.conf. The configurations given in shrpx.conf will be overridden by the options specified in cmmand-line.
2012-08-01 17:06:41 +02:00
return -1;
}
line[i] = '\0';
const char *s = line.c_str();
if(parse_config(s, s+i+1) == -1) {
return -1;
}
}
return 0;
}
shrpx: Add syslog support
2012-08-01 18:20:18 +02:00
const char* str_syslog_facility(int facility)
{
switch(facility) {
case(LOG_AUTH):
return "auth";
case(LOG_AUTHPRIV):
return "authpriv";
case(LOG_CRON):
return "cron";
case(LOG_DAEMON):
return "daemon";
case(LOG_FTP):
return "ftp";
case(LOG_KERN):
return "kern";
case(LOG_LOCAL0):
return "local0";
case(LOG_LOCAL1):
return "local1";
case(LOG_LOCAL2):
return "local2";
case(LOG_LOCAL3):
return "local3";
case(LOG_LOCAL4):
return "local4";
case(LOG_LOCAL5):
return "local5";
case(LOG_LOCAL6):
return "local6";
case(LOG_LOCAL7):
return "local7";
case(LOG_LPR):
return "lpr";
case(LOG_MAIL):
return "mail";
case(LOG_SYSLOG):
return "syslog";
case(LOG_USER):
return "user";
case(LOG_UUCP):
return "uucp";
default:
return "(unknown)";
}
}
int int_syslog_facility(const char *strfacility)
{
if(util::strieq(strfacility, "auth")) {
return LOG_AUTH;
} else if(util::strieq(strfacility, "authpriv")) {
return LOG_AUTHPRIV;
} else if(util::strieq(strfacility, "cron")) {
return LOG_CRON;
} else if(util::strieq(strfacility, "daemon")) {
return LOG_DAEMON;
} else if(util::strieq(strfacility, "ftp")) {
return LOG_FTP;
} else if(util::strieq(strfacility, "kern")) {
return LOG_KERN;
} else if(util::strieq(strfacility, "local0")) {
return LOG_LOCAL0;
} else if(util::strieq(strfacility, "local1")) {
return LOG_LOCAL1;
} else if(util::strieq(strfacility, "local2")) {
return LOG_LOCAL2;
} else if(util::strieq(strfacility, "local3")) {
return LOG_LOCAL3;
} else if(util::strieq(strfacility, "local4")) {
return LOG_LOCAL4;
} else if(util::strieq(strfacility, "local5")) {
return LOG_LOCAL5;
} else if(util::strieq(strfacility, "local6")) {
return LOG_LOCAL6;
} else if(util::strieq(strfacility, "local7")) {
return LOG_LOCAL7;
} else if(util::strieq(strfacility, "lpr")) {
return LOG_LPR;
} else if(util::strieq(strfacility, "mail")) {
return LOG_MAIL;
} else if(util::strieq(strfacility, "news")) {
return LOG_NEWS;
} else if(util::strieq(strfacility, "syslog")) {
return LOG_SYSLOG;
} else if(util::strieq(strfacility, "user")) {
return LOG_USER;
} else if(util::strieq(strfacility, "uucp")) {
return LOG_UUCP;
} else {
return -1;
}
}
Initial commit of shrpx: SPDY/HTTPS to HTTP reverse proxy Put libhtparse in examples/htparse
2012-06-04 16:48:31 +02:00
} // namespace shrpx