/*
 * nghttp2 - HTTP/2 C Library
 *
 * Copyright (c) 2012 Tatsuhiro Tsujikawa
 *
 * Permission is hereby granted, free of charge, to any person obtaining
 * a copy of this software and associated documentation files (the
 * "Software"), to deal in the Software without restriction, including
 * without limitation the rights to use, copy, modify, merge, publish,
 * distribute, sublicense, and/or sell copies of the Software, and to
 * permit persons to whom the Software is furnished to do so, subject to
 * the following conditions:
 *
 * The above copyright notice and this permission notice shall be
 * included in all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
 */
#ifndef SHRPX_CONFIG_H
#define SHRPX_CONFIG_H
#include "shrpx.h"

#include <sys/types.h>
#ifdef HAVE_SYS_SOCKET_H
#include <sys/socket.h>
#endif // HAVE_SYS_SOCKET_H
#include <sys/un.h>
#ifdef HAVE_NETINET_IN_H
#include <netinet/in.h>
#endif // HAVE_NETINET_IN_H
#ifdef HAVE_ARPA_INET_H
#include <arpa/inet.h>
#endif // HAVE_ARPA_INET_H

#include <array>
#include <chrono>
#include <cinttypes>
#include <cstdio>
#include <memory>
#include <set>
#include <string>
#include <utility>
#include <vector>

#include <openssl/ssl.h>

#include <ev.h>

#include <nghttp2/nghttp2.h>

#include "shrpx_router.h"
#include "template.h"
using namespace nghttp2;
namespace shrpx {
// Forward declarations.  The full definitions live in other shrpx
// headers; this header only needs the names to declare members and
// function signatures that mention them.
struct LogFragment;

namespace ssl {
class CertLookupTree;
} // namespace ssl
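// Prefix that marks an address value as a UNIX domain socket path
// (see the |host_unix| members below).
constexpr char SHRPX_UNIX_PATH_PREFIX[] = "unix:";

// Option names understood by parse_config().  Each string is the
// long option / configuration file key.  All of these are plain
// `constexpr` (namespace-scope constexpr already has internal
// linkage); SHRPX_OPT_FORWARDED_BY previously carried a redundant
// `static` that made it inconsistent with its neighbours.
constexpr char SHRPX_OPT_PRIVATE_KEY_FILE[] = "private-key-file";
constexpr char SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE[] = "private-key-passwd-file";
constexpr char SHRPX_OPT_CERTIFICATE_FILE[] = "certificate-file";
constexpr char SHRPX_OPT_DH_PARAM_FILE[] = "dh-param-file";
constexpr char SHRPX_OPT_SUBCERT[] = "subcert";
constexpr char SHRPX_OPT_BACKEND[] = "backend";
constexpr char SHRPX_OPT_FRONTEND[] = "frontend";
constexpr char SHRPX_OPT_WORKERS[] = "workers";
constexpr char SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS[] =
    "http2-max-concurrent-streams";
constexpr char SHRPX_OPT_LOG_LEVEL[] = "log-level";
constexpr char SHRPX_OPT_DAEMON[] = "daemon";
constexpr char SHRPX_OPT_HTTP2_PROXY[] = "http2-proxy";
constexpr char SHRPX_OPT_HTTP2_BRIDGE[] = "http2-bridge";
constexpr char SHRPX_OPT_CLIENT_PROXY[] = "client-proxy";
constexpr char SHRPX_OPT_ADD_X_FORWARDED_FOR[] = "add-x-forwarded-for";
constexpr char SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR[] =
    "strip-incoming-x-forwarded-for";
constexpr char SHRPX_OPT_NO_VIA[] = "no-via";

// Timeouts.
constexpr char SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT[] =
    "frontend-http2-read-timeout";
constexpr char SHRPX_OPT_FRONTEND_READ_TIMEOUT[] = "frontend-read-timeout";
constexpr char SHRPX_OPT_FRONTEND_WRITE_TIMEOUT[] = "frontend-write-timeout";
constexpr char SHRPX_OPT_BACKEND_READ_TIMEOUT[] = "backend-read-timeout";
constexpr char SHRPX_OPT_BACKEND_WRITE_TIMEOUT[] = "backend-write-timeout";
constexpr char SHRPX_OPT_STREAM_READ_TIMEOUT[] = "stream-read-timeout";
constexpr char SHRPX_OPT_STREAM_WRITE_TIMEOUT[] = "stream-write-timeout";

// Logging.
constexpr char SHRPX_OPT_ACCESSLOG_FILE[] = "accesslog-file";
constexpr char SHRPX_OPT_ACCESSLOG_SYSLOG[] = "accesslog-syslog";
constexpr char SHRPX_OPT_ACCESSLOG_FORMAT[] = "accesslog-format";
constexpr char SHRPX_OPT_ERRORLOG_FILE[] = "errorlog-file";
constexpr char SHRPX_OPT_ERRORLOG_SYSLOG[] = "errorlog-syslog";

constexpr char SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT[] =
    "backend-keep-alive-timeout";

// HTTP/2 flow-control window sizes.
constexpr char SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS[] =
    "frontend-http2-window-bits";
constexpr char SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS[] =
    "backend-http2-window-bits";
constexpr char SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS[] =
    "frontend-http2-connection-window-bits";
constexpr char SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS[] =
    "backend-http2-connection-window-bits";

// TLS on either side.
constexpr char SHRPX_OPT_FRONTEND_NO_TLS[] = "frontend-no-tls";
constexpr char SHRPX_OPT_BACKEND_NO_TLS[] = "backend-no-tls";
constexpr char SHRPX_OPT_BACKEND_TLS_SNI_FIELD[] = "backend-tls-sni-field";

// Process / privilege settings.
constexpr char SHRPX_OPT_PID_FILE[] = "pid-file";
constexpr char SHRPX_OPT_USER[] = "user";
constexpr char SHRPX_OPT_SYSLOG_FACILITY[] = "syslog-facility";
constexpr char SHRPX_OPT_BACKLOG[] = "backlog";
constexpr char SHRPX_OPT_CIPHERS[] = "ciphers";
constexpr char SHRPX_OPT_CLIENT[] = "client";
constexpr char SHRPX_OPT_INSECURE[] = "insecure";
constexpr char SHRPX_OPT_CACERT[] = "cacert";
constexpr char SHRPX_OPT_BACKEND_IPV4[] = "backend-ipv4";
constexpr char SHRPX_OPT_BACKEND_IPV6[] = "backend-ipv6";
constexpr char SHRPX_OPT_BACKEND_HTTP_PROXY_URI[] = "backend-http-proxy-uri";

// Rate limiting.
constexpr char SHRPX_OPT_READ_RATE[] = "read-rate";
constexpr char SHRPX_OPT_READ_BURST[] = "read-burst";
constexpr char SHRPX_OPT_WRITE_RATE[] = "write-rate";
constexpr char SHRPX_OPT_WRITE_BURST[] = "write-burst";
constexpr char SHRPX_OPT_WORKER_READ_RATE[] = "worker-read-rate";
constexpr char SHRPX_OPT_WORKER_READ_BURST[] = "worker-read-burst";
constexpr char SHRPX_OPT_WORKER_WRITE_RATE[] = "worker-write-rate";
constexpr char SHRPX_OPT_WORKER_WRITE_BURST[] = "worker-write-burst";

// Protocol negotiation and client certificates.
constexpr char SHRPX_OPT_NPN_LIST[] = "npn-list";
constexpr char SHRPX_OPT_TLS_PROTO_LIST[] = "tls-proto-list";
constexpr char SHRPX_OPT_VERIFY_CLIENT[] = "verify-client";
constexpr char SHRPX_OPT_VERIFY_CLIENT_CACERT[] = "verify-client-cacert";
constexpr char SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE[] = "client-private-key-file";
constexpr char SHRPX_OPT_CLIENT_CERT_FILE[] = "client-cert-file";

// Debugging aids.
constexpr char SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER[] =
    "frontend-http2-dump-request-header";
constexpr char SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER[] =
    "frontend-http2-dump-response-header";
constexpr char SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING[] =
    "http2-no-cookie-crumbling";
constexpr char SHRPX_OPT_FRONTEND_FRAME_DEBUG[] = "frontend-frame-debug";
constexpr char SHRPX_OPT_PADDING[] = "padding";
constexpr char SHRPX_OPT_ALTSVC[] = "altsvc";
constexpr char SHRPX_OPT_ADD_REQUEST_HEADER[] = "add-request-header";
constexpr char SHRPX_OPT_ADD_RESPONSE_HEADER[] = "add-response-header";
constexpr char SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS[] =
    "worker-frontend-connections";
constexpr char SHRPX_OPT_NO_LOCATION_REWRITE[] = "no-location-rewrite";
constexpr char SHRPX_OPT_NO_HOST_REWRITE[] = "no-host-rewrite";
constexpr char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST[] =
    "backend-http1-connections-per-host";
constexpr char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[] =
    "backend-http1-connections-per-frontend";
constexpr char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[] =
    "listener-disable-timeout";
constexpr char SHRPX_OPT_TLS_TICKET_KEY_FILE[] = "tls-ticket-key-file";
constexpr char SHRPX_OPT_RLIMIT_NOFILE[] = "rlimit-nofile";
constexpr char SHRPX_OPT_BACKEND_REQUEST_BUFFER[] = "backend-request-buffer";
constexpr char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[] = "backend-response-buffer";
constexpr char SHRPX_OPT_NO_SERVER_PUSH[] = "no-server-push";
constexpr char SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER[] =
    "backend-http2-connections-per-worker";

// OCSP stapling.
constexpr char SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE[] =
    "fetch-ocsp-response-file";
constexpr char SHRPX_OPT_OCSP_UPDATE_INTERVAL[] = "ocsp-update-interval";
constexpr char SHRPX_OPT_NO_OCSP[] = "no-ocsp";

// Request header limits.
constexpr char SHRPX_OPT_HEADER_FIELD_BUFFER[] = "header-field-buffer";
constexpr char SHRPX_OPT_MAX_HEADER_FIELDS[] = "max-header-fields";
constexpr char SHRPX_OPT_INCLUDE[] = "include";

// TLS session ticket / session cache handling.
constexpr char SHRPX_OPT_TLS_TICKET_KEY_CIPHER[] = "tls-ticket-key-cipher";
constexpr char SHRPX_OPT_HOST_REWRITE[] = "host-rewrite";
constexpr char SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED[] =
    "tls-session-cache-memcached";
constexpr char SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED[] =
    "tls-ticket-key-memcached";
constexpr char SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_INTERVAL[] =
    "tls-ticket-key-memcached-interval";
constexpr char SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY[] =
    "tls-ticket-key-memcached-max-retry";
constexpr char SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL[] =
    "tls-ticket-key-memcached-max-fail";
constexpr char SHRPX_OPT_MRUBY_FILE[] = "mruby-file";
constexpr char SHRPX_OPT_ACCEPT_PROXY_PROTOCOL[] = "accept-proxy-protocol";
constexpr char SHRPX_OPT_FASTOPEN[] = "fastopen";
constexpr char SHRPX_OPT_TLS_DYN_REC_WARMUP_THRESHOLD[] =
    "tls-dyn-rec-warmup-threshold";
constexpr char SHRPX_OPT_TLS_DYN_REC_IDLE_TIMEOUT[] =
    "tls-dyn-rec-idle-timeout";

// RFC 7239 Forwarded header field handling.
constexpr char SHRPX_OPT_ADD_FORWARDED[] = "add-forwarded";
constexpr char SHRPX_OPT_STRIP_INCOMING_FORWARDED[] =
    "strip-incoming-forwarded";
constexpr char SHRPX_OPT_FORWARDED_BY[] = "forwarded-by";
constexpr char SHRPX_OPT_FORWARDED_FOR[] = "forwarded-for";

// Length of the obfuscated identifier used for Forwarded "by"/"for"
// parameters (see Config::forwarded_by_obfuscated).  NOTE(review):
// presumably the number of generated characters — confirm in the
// generator in shrpx_config.cc.
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;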
// Storage that can hold any supported socket address family.  The
// active member is whichever matches the family that was written
// into it; |storage| (sockaddr_storage is defined to be large enough
// for every family) guarantees the union is big enough for all of
// them, including UNIX domain paths in |un|.
union sockaddr_union {
  sockaddr_storage storage;
  sockaddr sa;
  sockaddr_in6 in6;
  sockaddr_in in;
  sockaddr_un un;
};
// A resolved socket address together with its length.
struct Address {
  // Number of valid bytes in |su| (the addrlen for the active
  // member) — NOTE(review): inferred from the pairing; confirm at
  // the bind()/connect() call sites.
  size_t len;
  union sockaddr_union su;
};
// Protocol spoken on a connection; see Config::downstream_proto.
enum shrpx_proto {
  PROTO_HTTP2 = 0,
  PROTO_HTTP = 1,
};
// Bit flags selecting which parameters are emitted in the Forwarded
// header field; combined with bitwise-OR into Config::forwarded_params.
enum shrpx_forwarded_param {
  FORWARDED_NONE = 0,
  FORWARDED_BY = 1 << 0,
  FORWARDED_FOR = 1 << 1,
  FORWARDED_HOST = 1 << 2,
  FORWARDED_PROTO = 1 << 3,
};
// How a node is identified in the Forwarded "by"/"for" parameters:
// either an obfuscated token or the actual IP address.
enum shrpx_forwarded_node_type {
  FORWARDED_NODE_OBFUSCATED = 0,
  FORWARDED_NODE_IP = 1,
};
// One Alt-Svc entry as parsed from the --altsvc option.
struct AltSvc {
  AltSvc() {}

  std::string protocol_id;
  std::string host;
  std::string origin;
  std::string service;
  // Default-constructed entries advertise port 0 until set.
  uint16_t port = 0;
};
// One backend (downstream) endpoint.  Copying is user-defined
// (out of line) because |host| and |hostport| are owning C strings;
// moves are the compiler defaults.
struct DownstreamAddr {
  DownstreamAddr() {}
  DownstreamAddr(const DownstreamAddr &other);
  DownstreamAddr(DownstreamAddr &&) = default;
  DownstreamAddr &operator=(const DownstreamAddr &other);
  DownstreamAddr &operator=(DownstreamAddr &&other) = default;

  // Resolved address; zero-initialised until filled in.
  Address addr{};
  // backend address. If |host_unix| is true, this is UNIX domain
  // socket path.
  std::unique_ptr<char[]> host;
  std::unique_ptr<char[]> hostport;
  // backend port. 0 if |host_unix| is true.
  uint16_t port = 0;
  // true if |host| contains UNIX domain socket path.
  bool host_unix = false;
};
// A routing pattern and the set of backends that serve it.
struct DownstreamAddrGroup {
  // |pattern| is copied into an owned C string via strcopy().
  DownstreamAddrGroup(const std::string &pattern) {
    this->pattern = strcopy(pattern);
  }
  DownstreamAddrGroup(const DownstreamAddrGroup &other);
  DownstreamAddrGroup(DownstreamAddrGroup &&) = default;
  DownstreamAddrGroup &operator=(const DownstreamAddrGroup &other);
  DownstreamAddrGroup &operator=(DownstreamAddrGroup &&) = default;

  std::unique_ptr<char[]> pattern;
  std::vector<DownstreamAddr> addrs;
};
// One TLS session ticket key: the algorithms plus the raw key
// material.  Holds secret bytes — see TicketKeys for lifetime.
struct TicketKey {
  // Cipher used for ticket encryption; non-owning (EVP_CIPHER objects
  // are managed by OpenSSL).
  const EVP_CIPHER *cipher;
  // Digest used for the ticket MAC; non-owning.
  const EVP_MD *hmac;
  // Number of bytes of |data.hmac_key| that are used with |hmac| —
  // NOTE(review): inferred from the names; the array below is fixed
  // at 32 bytes, so confirm in shrpx_config.cc how this is derived.
  size_t hmac_keylen;
  // Raw key material.  NOTE(review): read_tls_ticket_key_file()
  // documents that |cipher|/|hmac| fix the expected file size, so the
  // member order here presumably mirrors the on-disk layout; do not
  // reorder without checking that reader.
  struct {
    // name of this ticket configuration
    std::array<uint8_t, 16> name;
    // encryption key for |cipher|
    std::array<uint8_t, 32> enc_key;
    // hmac key for |hmac|
    std::array<uint8_t, 32> hmac_key;
  } data;
};
// Owning set of ticket keys, returned by read_tls_ticket_key_file().
struct TicketKeys {
  // Defined out of line.  A user-provided destructor on an otherwise
  // trivial holder suggests the key bytes in |keys| are scrubbed
  // before release — NOTE(review): confirm in shrpx_config.cc.
  ~TicketKeys();
  // NOTE(review): which entry encrypts new tickets versus only
  // decrypting old ones is not visible from this header.
  std::vector<TicketKey> keys;
};
// Process-wide shrpx configuration.  Filled in by parse_config() /
// load_config() into a statically allocated object and read through
// get_config().  Plain aggregate with no constructor: nothing here
// initialises the scalar members, so the allocation site (see
// create_config()) must value-initialise.  NOTE(review): the raw
// pointers below carry no ownership information in this header —
// confirm who releases them in shrpx_config.cc.
struct Config {
  // The list of (private key file, certificate file) pair
  std::vector<std::pair<std::string, std::string>> subcerts;
  // Alt-Svc entries from --altsvc.
  std::vector<AltSvc> altsvcs;
  // (name, value) pairs as produced by parse_header(), from
  // --add-request-header / --add-response-header.
  std::vector<std::pair<std::string, std::string>> add_request_headers;
  std::vector<std::pair<std::string, std::string>> add_response_headers;
  // ALPN protocol list in wire format — NOTE(review): presumably the
  // length-prefixed encoding derived from |npn_list|; confirm.
  std::vector<unsigned char> alpn_prefs;
  // Compiled --accesslog-format, see parse_log_format().
  std::vector<LogFragment> accesslog_format;
  // Backend groups; |downstream_addr_group_catch_all| indexes into this.
  std::vector<DownstreamAddrGroup> downstream_addr_groups;
  // Paths given with --tls-ticket-key-file, consumed by
  // read_tls_ticket_key_file().
  std::vector<std::string> tls_ticket_key_files;
  // list of supported NPN/ALPN protocol strings in the order of
  // preference.
  std::vector<std::string> npn_list;
  // list of supported SSL/TLS protocol strings.
  std::vector<std::string> tls_proto_list;
  // binary form of http proxy host and port
  Address downstream_http_proxy_addr;
  Address session_cache_memcached_addr;
  Address tls_ticket_key_memcached_addr;
  // Request router over the patterns in |downstream_addr_groups|;
  // see match_downstream_addr_group().
  Router router;
  // obfuscated value used in "by" parameter of Forwarded header
  // field.
  std::string forwarded_by_obfuscated;
  // obfuscated value used in "for" parameter of Forwarded header
  // field. This is only used when user defined static obfuscated
  // string is provided.
  std::string forwarded_for_obfuscated;
  std::chrono::seconds tls_session_timeout;
  // Timeouts and intervals as libev timestamps (seconds).
  ev_tstamp http2_upstream_read_timeout;
  ev_tstamp upstream_read_timeout;
  ev_tstamp upstream_write_timeout;
  ev_tstamp downstream_read_timeout;
  ev_tstamp downstream_write_timeout;
  ev_tstamp stream_read_timeout;
  ev_tstamp stream_write_timeout;
  ev_tstamp downstream_idle_read_timeout;
  ev_tstamp listener_disable_timeout;
  ev_tstamp ocsp_update_interval;
  ev_tstamp tls_ticket_key_memcached_interval;
  // address of frontend connection. This could be a path to UNIX
  // domain socket. In this case, |host_unix| must be true.
  std::unique_ptr<char[]> host;
  // Server credentials.
  std::unique_ptr<char[]> private_key_file;
  // Passphrase for |private_key_file| (see read_passwd_from_file()).
  // NOTE(review): kept in plaintext for the lifetime of Config —
  // confirm whether it is still needed after the SSL_CTX is built.
  std::unique_ptr<char[]> private_key_passwd;
  std::unique_ptr<char[]> cert_file;
  std::unique_ptr<char[]> dh_param_file;
  std::unique_ptr<char[]> backend_tls_sni_name;
  std::unique_ptr<char[]> pid_file;
  // Path of the configuration file being processed (--include
  // handling relies on it — presumably; confirm).
  std::unique_ptr<char[]> conf_path;
  std::unique_ptr<char[]> ciphers;
  // Trust anchors for verifying backend certificates (--cacert).
  std::unique_ptr<char[]> cacert;
  // userinfo in http proxy URI, not percent-encoded form
  std::unique_ptr<char[]> downstream_http_proxy_userinfo;
  // host in http proxy URI
  std::unique_ptr<char[]> downstream_http_proxy_host;
  std::unique_ptr<char[]> http2_upstream_dump_request_header_file;
  std::unique_ptr<char[]> http2_upstream_dump_response_header_file;
  // // Rate limit configuration per connection
  // ev_token_bucket_cfg *rate_limit_cfg;
  // // Rate limit configuration per worker (thread)
  // ev_token_bucket_cfg *worker_rate_limit_cfg;
  // Path to file containing CA certificate solely used for client
  // certificate validation
  std::unique_ptr<char[]> verify_client_cacert;
  // Client credentials presented to backends (--client-private-key-file,
  // --client-cert-file).
  std::unique_ptr<char[]> client_private_key_file;
  std::unique_ptr<char[]> client_cert_file;
  std::unique_ptr<char[]> accesslog_file;
  std::unique_ptr<char[]> errorlog_file;
  // External command used to fetch an OCSP response
  // (--fetch-ocsp-response-file) — presumably executed by shrpx;
  // confirm how its path and arguments are handled.
  std::unique_ptr<char[]> fetch_ocsp_response_file;
  // Account to drop privileges to (--user); resolved into |uid|/|gid|.
  std::unique_ptr<char[]> user;
  std::unique_ptr<char[]> session_cache_memcached_host;
  std::unique_ptr<char[]> tls_ticket_key_memcached_host;
  std::unique_ptr<char[]> mruby_file;
  // Open handles for the *_dump_*_header_file options; see
  // open_file_for_write().
  FILE *http2_upstream_dump_request_header;
  FILE *http2_upstream_dump_response_header;
  // nghttp2 callback/option objects shared by all sessions.
  nghttp2_session_callbacks *http2_upstream_callbacks;
  nghttp2_session_callbacks *http2_downstream_callbacks;
  nghttp2_option *http2_option;
  nghttp2_option *http2_client_option;
  // Cipher selected by --tls-ticket-key-cipher (see
  // |tls_ticket_key_cipher_given|); non-owning.
  const EVP_CIPHER *tls_ticket_key_cipher;
  const char *server_name;
  // Command line and working directory as started — NOTE(review):
  // presumably retained for re-exec on reload; confirm.
  char **original_argv;
  char **argv;
  char *cwd;
  size_t num_worker;
  size_t http2_max_concurrent_streams;
  // HTTP/2 flow-control window sizes, expressed as bit widths.
  size_t http2_upstream_window_bits;
  size_t http2_downstream_window_bits;
  size_t http2_upstream_connection_window_bits;
  size_t http2_downstream_connection_window_bits;
  size_t http2_downstream_connections_per_worker;
  size_t downstream_connections_per_host;
  size_t downstream_connections_per_frontend;
  // Per-connection and per-worker rate limits (bytes and burst).
  size_t read_rate;
  size_t read_burst;
  size_t write_rate;
  size_t write_burst;
  size_t worker_read_rate;
  size_t worker_read_burst;
  size_t worker_write_rate;
  size_t worker_write_burst;
  size_t padding;
  size_t worker_frontend_connections;
  size_t rlimit_nofile;
  size_t downstream_request_buffer_size;
  size_t downstream_response_buffer_size;
  // Limits on incoming header fields (--header-field-buffer,
  // --max-header-fields).
  size_t header_field_buffer;
  size_t max_header_fields;
  // The index of catch-all group in downstream_addr_groups.
  size_t downstream_addr_group_catch_all;
  // Maximum number of retries when getting TLS ticket key from
  // memcached, due to network error.
  size_t tls_ticket_key_memcached_max_retry;
  // Maximum number of consecutive error from memcached, when this
  // limit reached, TLS ticket is disabled.
  size_t tls_ticket_key_memcached_max_fail;
  // Bit mask to disable SSL/TLS protocol versions. This will be
  // passed to SSL_CTX_set_options().
  long int tls_proto_mask;
  // downstream protocol; this will be determined by given options.
  shrpx_proto downstream_proto;
  // bitwise-OR of one or more of shrpx_forwarded_param values.
  uint32_t forwarded_params;
  // type of value recorded in "by" parameter of Forwarded header
  // field.
  shrpx_forwarded_node_type forwarded_by_node_type;
  // type of value recorded in "for" parameter of Forwarded header
  // field.
  shrpx_forwarded_node_type forwarded_for_node_type;
  // See str_syslog_facility() / int_syslog_facility().
  int syslog_facility;
  int backlog;
  int argc;
  int fastopen;
  // Credentials to switch to after start-up (from |user|).
  uid_t uid;
  gid_t gid;
  pid_t pid;
  // frontend listening port. 0 if frontend listens on UNIX domain
  // socket, in this case |host_unix| must be true.
  uint16_t port;
  // port in http proxy URI
  uint16_t downstream_http_proxy_port;
  uint16_t session_cache_memcached_port;
  uint16_t tls_ticket_key_memcached_port;
  // Boolean switches; each mirrors the SHRPX_OPT_* option of the
  // same name unless commented otherwise.
  bool verbose;
  bool daemon;
  // Require and verify a client certificate on the frontend, using
  // |verify_client_cacert| as the trust anchor.
  bool verify_client;
  bool http2_proxy;
  bool http2_bridge;
  bool client_proxy;
  bool add_x_forwarded_for;
  bool strip_incoming_x_forwarded_for;
  bool strip_incoming_forwarded;
  bool no_via;
  bool upstream_no_tls;
  bool downstream_no_tls;
  // Send accesslog to syslog, ignoring accesslog_file.
  bool accesslog_syslog;
  // Send errorlog to syslog, ignoring errorlog_file.
  bool errorlog_syslog;
  bool client;
  // true if --client or --client-proxy are enabled.
  bool client_mode;
  // --insecure.  NOTE(review): presumably disables verification of
  // backend server certificates — confirm; intended for testing only.
  bool insecure;
  bool backend_ipv4;
  bool backend_ipv6;
  bool http2_no_cookie_crumbling;
  bool upstream_frame_debug;
  bool no_location_rewrite;
  bool no_host_rewrite;
  bool no_server_push;
  // true if host contains UNIX domain socket path
  bool host_unix;
  bool no_ocsp;
  // true if --tls-ticket-key-cipher is used
  bool tls_ticket_key_cipher_given;
  // Accept PROXY protocol on the frontend; trust of the proxied
  // address is therefore delegated to the upstream load balancer.
  bool accept_proxy_protocol;
  // TLS dynamic record sizing tunables.
  size_t tls_dyn_rec_warmup_threshold;
  ev_tstamp tls_dyn_rec_idle_timeout;
};
// Read-only access to the statically allocated Config object that
// parse_config()/load_config() fill in.
const Config *get_config();
// Mutable access to the same object.
Config *mod_config();
// Creates the static Config object — NOTE(review): presumably must run
// before any of the accessors above; confirm in shrpx_config.cc.
void create_config();

// Parses option name |opt| and value |optarg|. The results are
// stored into statically allocated Config object. This function
// returns 0 if it succeeds, or -1. The |included_set| contains the
// all paths already included while processing this configuration, to
// avoid loop in --include option.
int parse_config(const char *opt, const char *optarg,
                 std::set<std::string> &included_set);

// Loads configurations from |filename| and stores them in statically
// allocated Config object. This function returns 0 if it succeeds, or
// -1. |include_set| is the same set described as |included_set| in
// parse_config().
int load_config(const char *filename, std::set<std::string> &include_set);

// Read passwd from |filename|
std::string read_passwd_from_file(const char *filename);

// Parses header field in |optarg|. We expect header field is formed
// like "NAME: VALUE". We require that NAME is non empty string. ":"
// is allowed at the start of the NAME, but NAME == ":" is not
// allowed. This function returns pair of NAME and VALUE.
std::pair<std::string, std::string> parse_header(const char *optarg);

// Parses an --accesslog-format specification in |optarg| into the
// LogFragment sequence stored in Config::accesslog_format.
std::vector<LogFragment> parse_log_format(const char *optarg);

// Returns string for syslog |facility|.
const char *str_syslog_facility(int facility);

// Returns integer value of syslog |facility| string.
int int_syslog_facility(const char *strfacility);

// Opens |filename| for writing and returns the stream — NOTE(review):
// the failure return value is not visible from this header; confirm
// whether callers must check for nullptr.
FILE *open_file_for_write(const char *filename);

// Reads TLS ticket key file in |files| and returns TicketKeys which
// stores read key data. The given |cipher| and |hmac| determine the
// expected file size. This function returns TicketKeys if it
// succeeds, or nullptr.
std::unique_ptr<TicketKeys>
read_tls_ticket_key_file(const std::vector<std::string> &files,
                         const EVP_CIPHER *cipher, const EVP_MD *hmac);

// Selects group based on request's |hostport| and |path|. |hostport|
// is the value taken from :authority or host header field, and may
// contain port. The |path| may contain query part. We require the
// catch-all pattern in place, so this function always selects one
// group. The catch-all group index is given in |catch_all|. All
// patterns are given in |groups|; |router| is the matcher built over
// those patterns (presumably Config::router — confirm).
size_t match_downstream_addr_group(
    const Router &router, const std::string &hostport, const std::string &path,
    const std::vector<DownstreamAddrGroup> &groups, size_t catch_all);
} // namespace shrpx
#endif // SHRPX_CONFIG_H