nghttpx: Memcached connection encryption with tls keyword

Like frontend and backend options, encryption for memcached
connections is configured using tls keyword in
tls-session-cache-memcached and tls-ticket-key-memcached options.
tls-session-cache-memcached-tls and tls-ticket-key-memcached-tls
options are deprecated.

src/shrpx.cc

@@ -1533,7 +1533,7 @@ SSL/TLS:
               they are  valid for  12 hours.   This is  recommended if
               ticket  key sharing  between  nghttpx  instances is  not
               required.
-  --tls-ticket-key-memcached=<HOST>,<PORT>
+  --tls-ticket-key-memcached=<HOST>,<PORT>[;tls]
               Specify address  of memcached  server to get  TLS ticket
               keys for  session resumption.   This enables  shared TLS
               ticket key between  multiple nghttpx instances.  nghttpx
@@ -1543,7 +1543,9 @@ SSL/TLS:
               replacing current set  of keys.  It is up  to extern TLS
               ticket  key generator  to rotate  keys frequently.   See
               "TLS SESSION  TICKET RESUMPTION" section in  manual page
-              to know the data format in memcached entry.
+              to know the data format in memcached entry.  Optionally,
+              memcached  connection  can  be  encrypted  with  TLS  by
+              specifying "tls" keyword.
   --tls-ticket-key-memcached-address-family=(auto|IPv4|IPv6)
               Specify address  family of memcached connections  to get
               TLS ticket keys.  If "auto" is given, both IPv4 and IPv6
@@ -1571,9 +1573,6 @@ SSL/TLS:
               Specify cipher  to encrypt TLS session  ticket.  Specify
               either   aes-128-cbc   or  aes-256-cbc.    By   default,
               aes-128-cbc is used.
-  --tls-ticket-key-memcached-tls
-              Enable  SSL/TLS  on  memcached connections  to  get  TLS
-              ticket keys.
   --tls-ticket-key-memcached-cert-file=<PATH>
               Path to client certificate  for memcached connections to
               get TLS ticket keys.
@@ -1590,10 +1589,12 @@ SSL/TLS:
               Default: )"
       << util::duration_str(get_config()->tls.ocsp.update_interval) << R"(
   --no-ocsp   Disable OCSP stapling.
-  --tls-session-cache-memcached=<HOST>,<PORT>
+  --tls-session-cache-memcached=<HOST>,<PORT>[;tls]
               Specify  address of  memcached server  to store  session
               cache.   This  enables   shared  session  cache  between
-              multiple nghttpx instances.
+              multiple   nghttpx  instances.    Optionally,  memcached
+              connection can be encrypted with TLS by specifying "tls"
+              keyword.
   --tls-session-cache-memcached-address-family=(auto|IPv4|IPv6)
               Specify address family of memcached connections to store
               session cache.  If  "auto" is given, both  IPv4 and IPv6
@@ -1601,9 +1602,6 @@ SSL/TLS:
               is considered.  If "IPv6" is given, only IPv6 address is
               considered.
               Default: auto
-  --tls-session-cache-memcached-tls
-              Enable SSL/TLS on memcached connections to store session
-              cache.
   --tls-session-cache-memcached-cert-file=<PATH>
               Path to client certificate  for memcached connections to
               store session cache.
@@ -2230,6 +2228,10 @@ void process_options(
       }
       LOG(NOTICE) << "Memcached address for TLS session cache: " << hostport
                   << " -> " << util::to_numeric_addr(&memcachedconf.addr);
+      if (memcachedconf.tls) {
+        LOG(NOTICE) << "Connection to memcached for TLS session cache will be "
+                       "encrypted by TLS";
+      }
     }
   }
 
@@ -2246,6 +2248,10 @@ void process_options(
       }
       LOG(NOTICE) << "Memcached address for TLS ticket key: " << hostport
                   << " -> " << util::to_numeric_addr(&memcachedconf.addr);
+      if (memcachedconf.tls) {
+        LOG(NOTICE) << "Connection to memcached for TLS ticket key will be "
+                       "encrypted by TLS";
+      }
     }
   }
 

src/shrpx_config.cc

@@ -568,6 +568,42 @@ int parse_duration(ev_tstamp *dest, const char *opt, const char *optarg) {
 }
 } // namespace
 
+struct MemcachedConnectionParams {
+  bool tls;
+};
+
+namespace {
+// Parses memcached connection configuration parameter |src_params|,
+// and stores parsed results into |out|.  This function returns 0 if
+// it succeeds, or -1.
+int parse_memcached_connection_params(MemcachedConnectionParams &out,
+                                      const StringRef &src_params,
+                                      const StringRef &opt) {
+  auto last = std::end(src_params);
+  for (auto first = std::begin(src_params); first != last;) {
+    auto end = std::find(first, last, ';');
+    auto param = StringRef{first, end};
+
+    if (util::strieq_l("tls", param)) {
+      out.tls = true;
+    } else if (util::strieq_l("no-tls", param)) {
+      out.tls = false;
+    } else if (!param.empty()) {
+      LOG(ERROR) << opt << ": " << param << ": unknown keyword";
+      return -1;
+    }
+
+    if (end == last) {
+      break;
+    }
+
+    first = end + 1;
+  }
+
+  return 0;
+}
+} // namespace
+
 struct UpstreamParams {
   bool tls;
 };
@@ -2403,27 +2439,39 @@ int parse_config(const char *opt, const char *optarg,
     mod_config()->http.no_host_rewrite = !util::strieq(optarg, "yes");
 
     return 0;
-  case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED: {
-    if (split_host_port(host, sizeof(host), &port, optarg, strlen(optarg)) ==
-        -1) {
-      return -1;
-    }
-
-    auto &memcachedconf = mod_config()->tls.session_cache.memcached;
-    memcachedconf.host = host;
-    memcachedconf.port = port;
-
-    return 0;
-  }
+  case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED:
   case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
-    if (split_host_port(host, sizeof(host), &port, optarg, strlen(optarg)) ==
-        -1) {
+    auto src = StringRef{optarg};
+    auto addr_end = std::find(std::begin(src), std::end(src), ';');
+    auto src_params = StringRef{addr_end, std::end(src)};
+
+    MemcachedConnectionParams params{};
+    if (parse_memcached_connection_params(params, src_params, StringRef{opt}) !=
+        0) {
       return -1;
     }
 
-    auto &memcachedconf = mod_config()->tls.ticket.memcached;
-    memcachedconf.host = host;
-    memcachedconf.port = port;
+    if (split_host_port(host, sizeof(host), &port, src.c_str(),
+                        addr_end - std::begin(src)) == -1) {
+      return -1;
+    }
+
+    switch (optid) {
+    case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED: {
+      auto &memcachedconf = mod_config()->tls.session_cache.memcached;
+      memcachedconf.host = host;
+      memcachedconf.port = port;
+      memcachedconf.tls = params.tls;
+      break;
+    }
+    case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED: {
+      auto &memcachedconf = mod_config()->tls.ticket.memcached;
+      memcachedconf.host = host;
+      memcachedconf.port = port;
+      memcachedconf.tls = params.tls;
+      break;
+    }
+    };
 
     return 0;
   }
@@ -2545,8 +2593,8 @@ int parse_config(const char *opt, const char *optarg,
               << SHRPX_OPT_BACKEND << " instead.";
     return 0;
   case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS:
-    mod_config()->tls.session_cache.memcached.tls = util::strieq(optarg, "yes");
-
+    LOG(WARN) << opt << ": deprecated.  Use tls keyword in "
+              << SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED;
     return 0;
   case SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE:
     mod_config()->tls.session_cache.memcached.cert_file = optarg;
@@ -2557,8 +2605,8 @@ int parse_config(const char *opt, const char *optarg,
 
     return 0;
   case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS:
-    mod_config()->tls.ticket.memcached.tls = util::strieq(optarg, "yes");
-
+    LOG(WARN) << opt << ": deprecated.  Use tls keyword in "
+              << SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED;
     return 0;
   case SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE:
     mod_config()->tls.ticket.memcached.cert_file = optarg;