nghttpx: Memcached connection encryption with tls keyword

Like frontend and backend options, encryption for memcached
connections is configured using tls keyword in
tls-session-cache-memcached and tls-ticket-key-memcached options.
tls-session-cache-memcached-tls and tls-ticket-key-memcached-tls
options are deprecated.
This commit is contained in:
Tatsuhiro Tsujikawa 2016-03-24 00:22:13 +09:00
parent eec0b04a33
commit 144ae3af9d
2 changed files with 85 additions and 31 deletions

View File

@ -1533,7 +1533,7 @@ SSL/TLS:
they are valid for 12 hours. This is recommended if
ticket key sharing between nghttpx instances is not
required.
--tls-ticket-key-memcached=<HOST>,<PORT>
--tls-ticket-key-memcached=<HOST>,<PORT>[;tls]
Specify address of memcached server to get TLS ticket
keys for session resumption. This enables shared TLS
ticket key between multiple nghttpx instances. nghttpx
@ -1543,7 +1543,9 @@ SSL/TLS:
replacing current set of keys. It is up to extern TLS
ticket key generator to rotate keys frequently. See
"TLS SESSION TICKET RESUMPTION" section in manual page
to know the data format in memcached entry.
to know the data format in memcached entry. Optionally,
memcached connection can be encrypted with TLS by
specifying "tls" keyword.
--tls-ticket-key-memcached-address-family=(auto|IPv4|IPv6)
Specify address family of memcached connections to get
TLS ticket keys. If "auto" is given, both IPv4 and IPv6
@ -1571,9 +1573,6 @@ SSL/TLS:
Specify cipher to encrypt TLS session ticket. Specify
either aes-128-cbc or aes-256-cbc. By default,
aes-128-cbc is used.
--tls-ticket-key-memcached-tls
Enable SSL/TLS on memcached connections to get TLS
ticket keys.
--tls-ticket-key-memcached-cert-file=<PATH>
Path to client certificate for memcached connections to
get TLS ticket keys.
@ -1590,10 +1589,12 @@ SSL/TLS:
Default: )"
<< util::duration_str(get_config()->tls.ocsp.update_interval) << R"(
--no-ocsp Disable OCSP stapling.
--tls-session-cache-memcached=<HOST>,<PORT>
--tls-session-cache-memcached=<HOST>,<PORT>[;tls]
Specify address of memcached server to store session
cache. This enables shared session cache between
multiple nghttpx instances.
multiple nghttpx instances. Optionally, memcached
connection can be encrypted with TLS by specifying "tls"
keyword.
--tls-session-cache-memcached-address-family=(auto|IPv4|IPv6)
Specify address family of memcached connections to store
session cache. If "auto" is given, both IPv4 and IPv6
@ -1601,9 +1602,6 @@ SSL/TLS:
is considered. If "IPv6" is given, only IPv6 address is
considered.
Default: auto
--tls-session-cache-memcached-tls
Enable SSL/TLS on memcached connections to store session
cache.
--tls-session-cache-memcached-cert-file=<PATH>
Path to client certificate for memcached connections to
store session cache.
@ -2230,6 +2228,10 @@ void process_options(
}
LOG(NOTICE) << "Memcached address for TLS session cache: " << hostport
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
if (memcachedconf.tls) {
LOG(NOTICE) << "Connection to memcached for TLS session cache will be "
"encrypted by TLS";
}
}
}
@ -2246,6 +2248,10 @@ void process_options(
}
LOG(NOTICE) << "Memcached address for TLS ticket key: " << hostport
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
if (memcachedconf.tls) {
LOG(NOTICE) << "Connection to memcached for TLS ticket key will be "
"encrypted by TLS";
}
}
}

View File

@ -568,6 +568,42 @@ int parse_duration(ev_tstamp *dest, const char *opt, const char *optarg) {
}
} // namespace
struct MemcachedConnectionParams {
bool tls;
};
namespace {
// Parses memcached connection configuration parameter |src_params|,
// and stores parsed results into |out|. This function returns 0 if
// it succeeds, or -1.
int parse_memcached_connection_params(MemcachedConnectionParams &out,
const StringRef &src_params,
const StringRef &opt) {
auto last = std::end(src_params);
for (auto first = std::begin(src_params); first != last;) {
auto end = std::find(first, last, ';');
auto param = StringRef{first, end};
if (util::strieq_l("tls", param)) {
out.tls = true;
} else if (util::strieq_l("no-tls", param)) {
out.tls = false;
} else if (!param.empty()) {
LOG(ERROR) << opt << ": " << param << ": unknown keyword";
return -1;
}
if (end == last) {
break;
}
first = end + 1;
}
return 0;
}
} // namespace
struct UpstreamParams {
bool tls;
};
@ -2403,27 +2439,39 @@ int parse_config(const char *opt, const char *optarg,
mod_config()->http.no_host_rewrite = !util::strieq(optarg, "yes");
return 0;
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED: {
if (split_host_port(host, sizeof(host), &port, optarg, strlen(optarg)) ==
-1) {
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED:
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
auto src = StringRef{optarg};
auto addr_end = std::find(std::begin(src), std::end(src), ';');
auto src_params = StringRef{addr_end, std::end(src)};
MemcachedConnectionParams params{};
if (parse_memcached_connection_params(params, src_params, StringRef{opt}) !=
0) {
return -1;
}
if (split_host_port(host, sizeof(host), &port, src.c_str(),
addr_end - std::begin(src)) == -1) {
return -1;
}
switch (optid) {
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED: {
auto &memcachedconf = mod_config()->tls.session_cache.memcached;
memcachedconf.host = host;
memcachedconf.port = port;
return 0;
memcachedconf.tls = params.tls;
break;
}
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
if (split_host_port(host, sizeof(host), &port, optarg, strlen(optarg)) ==
-1) {
return -1;
}
auto &memcachedconf = mod_config()->tls.ticket.memcached;
memcachedconf.host = host;
memcachedconf.port = port;
memcachedconf.tls = params.tls;
break;
}
};
return 0;
}
@ -2545,8 +2593,8 @@ int parse_config(const char *opt, const char *optarg,
<< SHRPX_OPT_BACKEND << " instead.";
return 0;
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS:
mod_config()->tls.session_cache.memcached.tls = util::strieq(optarg, "yes");
LOG(WARN) << opt << ": deprecated. Use tls keyword in "
<< SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED;
return 0;
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE:
mod_config()->tls.session_cache.memcached.cert_file = optarg;
@ -2557,8 +2605,8 @@ int parse_config(const char *opt, const char *optarg,
return 0;
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS:
mod_config()->tls.ticket.memcached.tls = util::strieq(optarg, "yes");
LOG(WARN) << opt << ": deprecated. Use tls keyword in "
<< SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED;
return 0;
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE:
mod_config()->tls.ticket.memcached.cert_file = optarg;