nghttpx: Memcached connection encryption with tls keyword
Like frontend and backend options, encryption for memcached connections is configured using tls keyword in tls-session-cache-memcached and tls-ticket-key-memcached options. tls-session-cache-memcached-tls and tls-ticket-key-memcached-tls options are deprecated.
This commit is contained in:
parent
eec0b04a33
commit
144ae3af9d
26
src/shrpx.cc
26
src/shrpx.cc
|
@ -1533,7 +1533,7 @@ SSL/TLS:
|
||||||
they are valid for 12 hours. This is recommended if
|
they are valid for 12 hours. This is recommended if
|
||||||
ticket key sharing between nghttpx instances is not
|
ticket key sharing between nghttpx instances is not
|
||||||
required.
|
required.
|
||||||
--tls-ticket-key-memcached=<HOST>,<PORT>
|
--tls-ticket-key-memcached=<HOST>,<PORT>[;tls]
|
||||||
Specify address of memcached server to get TLS ticket
|
Specify address of memcached server to get TLS ticket
|
||||||
keys for session resumption. This enables shared TLS
|
keys for session resumption. This enables shared TLS
|
||||||
ticket key between multiple nghttpx instances. nghttpx
|
ticket key between multiple nghttpx instances. nghttpx
|
||||||
|
@ -1543,7 +1543,9 @@ SSL/TLS:
|
||||||
replacing current set of keys. It is up to extern TLS
|
replacing current set of keys. It is up to extern TLS
|
||||||
ticket key generator to rotate keys frequently. See
|
ticket key generator to rotate keys frequently. See
|
||||||
"TLS SESSION TICKET RESUMPTION" section in manual page
|
"TLS SESSION TICKET RESUMPTION" section in manual page
|
||||||
to know the data format in memcached entry.
|
to know the data format in memcached entry. Optionally,
|
||||||
|
memcached connection can be encrypted with TLS by
|
||||||
|
specifying "tls" keyword.
|
||||||
--tls-ticket-key-memcached-address-family=(auto|IPv4|IPv6)
|
--tls-ticket-key-memcached-address-family=(auto|IPv4|IPv6)
|
||||||
Specify address family of memcached connections to get
|
Specify address family of memcached connections to get
|
||||||
TLS ticket keys. If "auto" is given, both IPv4 and IPv6
|
TLS ticket keys. If "auto" is given, both IPv4 and IPv6
|
||||||
|
@ -1571,9 +1573,6 @@ SSL/TLS:
|
||||||
Specify cipher to encrypt TLS session ticket. Specify
|
Specify cipher to encrypt TLS session ticket. Specify
|
||||||
either aes-128-cbc or aes-256-cbc. By default,
|
either aes-128-cbc or aes-256-cbc. By default,
|
||||||
aes-128-cbc is used.
|
aes-128-cbc is used.
|
||||||
--tls-ticket-key-memcached-tls
|
|
||||||
Enable SSL/TLS on memcached connections to get TLS
|
|
||||||
ticket keys.
|
|
||||||
--tls-ticket-key-memcached-cert-file=<PATH>
|
--tls-ticket-key-memcached-cert-file=<PATH>
|
||||||
Path to client certificate for memcached connections to
|
Path to client certificate for memcached connections to
|
||||||
get TLS ticket keys.
|
get TLS ticket keys.
|
||||||
|
@ -1590,10 +1589,12 @@ SSL/TLS:
|
||||||
Default: )"
|
Default: )"
|
||||||
<< util::duration_str(get_config()->tls.ocsp.update_interval) << R"(
|
<< util::duration_str(get_config()->tls.ocsp.update_interval) << R"(
|
||||||
--no-ocsp Disable OCSP stapling.
|
--no-ocsp Disable OCSP stapling.
|
||||||
--tls-session-cache-memcached=<HOST>,<PORT>
|
--tls-session-cache-memcached=<HOST>,<PORT>[;tls]
|
||||||
Specify address of memcached server to store session
|
Specify address of memcached server to store session
|
||||||
cache. This enables shared session cache between
|
cache. This enables shared session cache between
|
||||||
multiple nghttpx instances.
|
multiple nghttpx instances. Optionally, memcached
|
||||||
|
connection can be encrypted with TLS by specifying "tls"
|
||||||
|
keyword.
|
||||||
--tls-session-cache-memcached-address-family=(auto|IPv4|IPv6)
|
--tls-session-cache-memcached-address-family=(auto|IPv4|IPv6)
|
||||||
Specify address family of memcached connections to store
|
Specify address family of memcached connections to store
|
||||||
session cache. If "auto" is given, both IPv4 and IPv6
|
session cache. If "auto" is given, both IPv4 and IPv6
|
||||||
|
@ -1601,9 +1602,6 @@ SSL/TLS:
|
||||||
is considered. If "IPv6" is given, only IPv6 address is
|
is considered. If "IPv6" is given, only IPv6 address is
|
||||||
considered.
|
considered.
|
||||||
Default: auto
|
Default: auto
|
||||||
--tls-session-cache-memcached-tls
|
|
||||||
Enable SSL/TLS on memcached connections to store session
|
|
||||||
cache.
|
|
||||||
--tls-session-cache-memcached-cert-file=<PATH>
|
--tls-session-cache-memcached-cert-file=<PATH>
|
||||||
Path to client certificate for memcached connections to
|
Path to client certificate for memcached connections to
|
||||||
store session cache.
|
store session cache.
|
||||||
|
@ -2230,6 +2228,10 @@ void process_options(
|
||||||
}
|
}
|
||||||
LOG(NOTICE) << "Memcached address for TLS session cache: " << hostport
|
LOG(NOTICE) << "Memcached address for TLS session cache: " << hostport
|
||||||
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
|
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
|
||||||
|
if (memcachedconf.tls) {
|
||||||
|
LOG(NOTICE) << "Connection to memcached for TLS session cache will be "
|
||||||
|
"encrypted by TLS";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -2246,6 +2248,10 @@ void process_options(
|
||||||
}
|
}
|
||||||
LOG(NOTICE) << "Memcached address for TLS ticket key: " << hostport
|
LOG(NOTICE) << "Memcached address for TLS ticket key: " << hostport
|
||||||
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
|
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
|
||||||
|
if (memcachedconf.tls) {
|
||||||
|
LOG(NOTICE) << "Connection to memcached for TLS ticket key will be "
|
||||||
|
"encrypted by TLS";
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -568,6 +568,42 @@ int parse_duration(ev_tstamp *dest, const char *opt, const char *optarg) {
|
||||||
}
|
}
|
||||||
} // namespace
|
} // namespace
|
||||||
|
|
||||||
|
struct MemcachedConnectionParams {
|
||||||
|
bool tls;
|
||||||
|
};
|
||||||
|
|
||||||
|
namespace {
|
||||||
|
// Parses memcached connection configuration parameter |src_params|,
|
||||||
|
// and stores parsed results into |out|. This function returns 0 if
|
||||||
|
// it succeeds, or -1.
|
||||||
|
int parse_memcached_connection_params(MemcachedConnectionParams &out,
|
||||||
|
const StringRef &src_params,
|
||||||
|
const StringRef &opt) {
|
||||||
|
auto last = std::end(src_params);
|
||||||
|
for (auto first = std::begin(src_params); first != last;) {
|
||||||
|
auto end = std::find(first, last, ';');
|
||||||
|
auto param = StringRef{first, end};
|
||||||
|
|
||||||
|
if (util::strieq_l("tls", param)) {
|
||||||
|
out.tls = true;
|
||||||
|
} else if (util::strieq_l("no-tls", param)) {
|
||||||
|
out.tls = false;
|
||||||
|
} else if (!param.empty()) {
|
||||||
|
LOG(ERROR) << opt << ": " << param << ": unknown keyword";
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (end == last) {
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
first = end + 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
} // namespace
|
||||||
|
|
||||||
struct UpstreamParams {
|
struct UpstreamParams {
|
||||||
bool tls;
|
bool tls;
|
||||||
};
|
};
|
||||||
|
@ -2403,27 +2439,39 @@ int parse_config(const char *opt, const char *optarg,
|
||||||
mod_config()->http.no_host_rewrite = !util::strieq(optarg, "yes");
|
mod_config()->http.no_host_rewrite = !util::strieq(optarg, "yes");
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED: {
|
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED:
|
||||||
if (split_host_port(host, sizeof(host), &port, optarg, strlen(optarg)) ==
|
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
|
||||||
-1) {
|
auto src = StringRef{optarg};
|
||||||
|
auto addr_end = std::find(std::begin(src), std::end(src), ';');
|
||||||
|
auto src_params = StringRef{addr_end, std::end(src)};
|
||||||
|
|
||||||
|
MemcachedConnectionParams params{};
|
||||||
|
if (parse_memcached_connection_params(params, src_params, StringRef{opt}) !=
|
||||||
|
0) {
|
||||||
return -1;
|
return -1;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (split_host_port(host, sizeof(host), &port, src.c_str(),
|
||||||
|
addr_end - std::begin(src)) == -1) {
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (optid) {
|
||||||
|
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED: {
|
||||||
auto &memcachedconf = mod_config()->tls.session_cache.memcached;
|
auto &memcachedconf = mod_config()->tls.session_cache.memcached;
|
||||||
memcachedconf.host = host;
|
memcachedconf.host = host;
|
||||||
memcachedconf.port = port;
|
memcachedconf.port = port;
|
||||||
|
memcachedconf.tls = params.tls;
|
||||||
return 0;
|
break;
|
||||||
}
|
}
|
||||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
|
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
|
||||||
if (split_host_port(host, sizeof(host), &port, optarg, strlen(optarg)) ==
|
|
||||||
-1) {
|
|
||||||
return -1;
|
|
||||||
}
|
|
||||||
|
|
||||||
auto &memcachedconf = mod_config()->tls.ticket.memcached;
|
auto &memcachedconf = mod_config()->tls.ticket.memcached;
|
||||||
memcachedconf.host = host;
|
memcachedconf.host = host;
|
||||||
memcachedconf.port = port;
|
memcachedconf.port = port;
|
||||||
|
memcachedconf.tls = params.tls;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
};
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -2545,8 +2593,8 @@ int parse_config(const char *opt, const char *optarg,
|
||||||
<< SHRPX_OPT_BACKEND << " instead.";
|
<< SHRPX_OPT_BACKEND << " instead.";
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS:
|
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS:
|
||||||
mod_config()->tls.session_cache.memcached.tls = util::strieq(optarg, "yes");
|
LOG(WARN) << opt << ": deprecated. Use tls keyword in "
|
||||||
|
<< SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED;
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE:
|
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE:
|
||||||
mod_config()->tls.session_cache.memcached.cert_file = optarg;
|
mod_config()->tls.session_cache.memcached.cert_file = optarg;
|
||||||
|
@ -2557,8 +2605,8 @@ int parse_config(const char *opt, const char *optarg,
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS:
|
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS:
|
||||||
mod_config()->tls.ticket.memcached.tls = util::strieq(optarg, "yes");
|
LOG(WARN) << opt << ": deprecated. Use tls keyword in "
|
||||||
|
<< SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED;
|
||||||
return 0;
|
return 0;
|
||||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE:
|
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE:
|
||||||
mod_config()->tls.ticket.memcached.cert_file = optarg;
|
mod_config()->tls.ticket.memcached.cert_file = optarg;
|
||||||
|
|
Loading…
Reference in New Issue