nghttpx: Memcached connection encryption with tls keyword
Like frontend and backend options, encryption for memcached connections is configured using tls keyword in tls-session-cache-memcached and tls-ticket-key-memcached options. tls-session-cache-memcached-tls and tls-ticket-key-memcached-tls options are deprecated.
This commit is contained in:
parent
eec0b04a33
commit
144ae3af9d
26
src/shrpx.cc
26
src/shrpx.cc
|
@ -1533,7 +1533,7 @@ SSL/TLS:
|
|||
they are valid for 12 hours. This is recommended if
|
||||
ticket key sharing between nghttpx instances is not
|
||||
required.
|
||||
--tls-ticket-key-memcached=<HOST>,<PORT>
|
||||
--tls-ticket-key-memcached=<HOST>,<PORT>[;tls]
|
||||
Specify address of memcached server to get TLS ticket
|
||||
keys for session resumption. This enables shared TLS
|
||||
ticket key between multiple nghttpx instances. nghttpx
|
||||
|
@ -1543,7 +1543,9 @@ SSL/TLS:
|
|||
replacing current set of keys. It is up to extern TLS
|
||||
ticket key generator to rotate keys frequently. See
|
||||
"TLS SESSION TICKET RESUMPTION" section in manual page
|
||||
to know the data format in memcached entry.
|
||||
to know the data format in memcached entry. Optionally,
|
||||
memcached connection can be encrypted with TLS by
|
||||
specifying "tls" keyword.
|
||||
--tls-ticket-key-memcached-address-family=(auto|IPv4|IPv6)
|
||||
Specify address family of memcached connections to get
|
||||
TLS ticket keys. If "auto" is given, both IPv4 and IPv6
|
||||
|
@ -1571,9 +1573,6 @@ SSL/TLS:
|
|||
Specify cipher to encrypt TLS session ticket. Specify
|
||||
either aes-128-cbc or aes-256-cbc. By default,
|
||||
aes-128-cbc is used.
|
||||
--tls-ticket-key-memcached-tls
|
||||
Enable SSL/TLS on memcached connections to get TLS
|
||||
ticket keys.
|
||||
--tls-ticket-key-memcached-cert-file=<PATH>
|
||||
Path to client certificate for memcached connections to
|
||||
get TLS ticket keys.
|
||||
|
@ -1590,10 +1589,12 @@ SSL/TLS:
|
|||
Default: )"
|
||||
<< util::duration_str(get_config()->tls.ocsp.update_interval) << R"(
|
||||
--no-ocsp Disable OCSP stapling.
|
||||
--tls-session-cache-memcached=<HOST>,<PORT>
|
||||
--tls-session-cache-memcached=<HOST>,<PORT>[;tls]
|
||||
Specify address of memcached server to store session
|
||||
cache. This enables shared session cache between
|
||||
multiple nghttpx instances.
|
||||
multiple nghttpx instances. Optionally, memcached
|
||||
connection can be encrypted with TLS by specifying "tls"
|
||||
keyword.
|
||||
--tls-session-cache-memcached-address-family=(auto|IPv4|IPv6)
|
||||
Specify address family of memcached connections to store
|
||||
session cache. If "auto" is given, both IPv4 and IPv6
|
||||
|
@ -1601,9 +1602,6 @@ SSL/TLS:
|
|||
is considered. If "IPv6" is given, only IPv6 address is
|
||||
considered.
|
||||
Default: auto
|
||||
--tls-session-cache-memcached-tls
|
||||
Enable SSL/TLS on memcached connections to store session
|
||||
cache.
|
||||
--tls-session-cache-memcached-cert-file=<PATH>
|
||||
Path to client certificate for memcached connections to
|
||||
store session cache.
|
||||
|
@ -2230,6 +2228,10 @@ void process_options(
|
|||
}
|
||||
LOG(NOTICE) << "Memcached address for TLS session cache: " << hostport
|
||||
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
|
||||
if (memcachedconf.tls) {
|
||||
LOG(NOTICE) << "Connection to memcached for TLS session cache will be "
|
||||
"encrypted by TLS";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -2246,6 +2248,10 @@ void process_options(
|
|||
}
|
||||
LOG(NOTICE) << "Memcached address for TLS ticket key: " << hostport
|
||||
<< " -> " << util::to_numeric_addr(&memcachedconf.addr);
|
||||
if (memcachedconf.tls) {
|
||||
LOG(NOTICE) << "Connection to memcached for TLS ticket key will be "
|
||||
"encrypted by TLS";
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -568,6 +568,42 @@ int parse_duration(ev_tstamp *dest, const char *opt, const char *optarg) {
|
|||
}
|
||||
} // namespace
|
||||
|
||||
struct MemcachedConnectionParams {
|
||||
bool tls;
|
||||
};
|
||||
|
||||
namespace {
|
||||
// Parses memcached connection configuration parameter |src_params|,
|
||||
// and stores parsed results into |out|. This function returns 0 if
|
||||
// it succeeds, or -1.
|
||||
int parse_memcached_connection_params(MemcachedConnectionParams &out,
|
||||
const StringRef &src_params,
|
||||
const StringRef &opt) {
|
||||
auto last = std::end(src_params);
|
||||
for (auto first = std::begin(src_params); first != last;) {
|
||||
auto end = std::find(first, last, ';');
|
||||
auto param = StringRef{first, end};
|
||||
|
||||
if (util::strieq_l("tls", param)) {
|
||||
out.tls = true;
|
||||
} else if (util::strieq_l("no-tls", param)) {
|
||||
out.tls = false;
|
||||
} else if (!param.empty()) {
|
||||
LOG(ERROR) << opt << ": " << param << ": unknown keyword";
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (end == last) {
|
||||
break;
|
||||
}
|
||||
|
||||
first = end + 1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
} // namespace
|
||||
|
||||
struct UpstreamParams {
|
||||
bool tls;
|
||||
};
|
||||
|
@ -2403,27 +2439,39 @@ int parse_config(const char *opt, const char *optarg,
|
|||
mod_config()->http.no_host_rewrite = !util::strieq(optarg, "yes");
|
||||
|
||||
return 0;
|
||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED: {
|
||||
if (split_host_port(host, sizeof(host), &port, optarg, strlen(optarg)) ==
|
||||
-1) {
|
||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED:
|
||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
|
||||
auto src = StringRef{optarg};
|
||||
auto addr_end = std::find(std::begin(src), std::end(src), ';');
|
||||
auto src_params = StringRef{addr_end, std::end(src)};
|
||||
|
||||
MemcachedConnectionParams params{};
|
||||
if (parse_memcached_connection_params(params, src_params, StringRef{opt}) !=
|
||||
0) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (split_host_port(host, sizeof(host), &port, src.c_str(),
|
||||
addr_end - std::begin(src)) == -1) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
switch (optid) {
|
||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED: {
|
||||
auto &memcachedconf = mod_config()->tls.session_cache.memcached;
|
||||
memcachedconf.host = host;
|
||||
memcachedconf.port = port;
|
||||
|
||||
return 0;
|
||||
memcachedconf.tls = params.tls;
|
||||
break;
|
||||
}
|
||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
|
||||
if (split_host_port(host, sizeof(host), &port, optarg, strlen(optarg)) ==
|
||||
-1) {
|
||||
return -1;
|
||||
}
|
||||
|
||||
auto &memcachedconf = mod_config()->tls.ticket.memcached;
|
||||
memcachedconf.host = host;
|
||||
memcachedconf.port = port;
|
||||
memcachedconf.tls = params.tls;
|
||||
break;
|
||||
}
|
||||
};
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -2545,8 +2593,8 @@ int parse_config(const char *opt, const char *optarg,
|
|||
<< SHRPX_OPT_BACKEND << " instead.";
|
||||
return 0;
|
||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS:
|
||||
mod_config()->tls.session_cache.memcached.tls = util::strieq(optarg, "yes");
|
||||
|
||||
LOG(WARN) << opt << ": deprecated. Use tls keyword in "
|
||||
<< SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED;
|
||||
return 0;
|
||||
case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE:
|
||||
mod_config()->tls.session_cache.memcached.cert_file = optarg;
|
||||
|
@ -2557,8 +2605,8 @@ int parse_config(const char *opt, const char *optarg,
|
|||
|
||||
return 0;
|
||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS:
|
||||
mod_config()->tls.ticket.memcached.tls = util::strieq(optarg, "yes");
|
||||
|
||||
LOG(WARN) << opt << ": deprecated. Use tls keyword in "
|
||||
<< SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED;
|
||||
return 0;
|
||||
case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE:
|
||||
mod_config()->tls.ticket.memcached.cert_file = optarg;
|
||||
|
|
Loading…
Reference in New Issue