nghttpx: Add --frontend-quic-early-data, disable early data by default

This commit is contained in:
Tatsuhiro Tsujikawa 2021-09-05 21:39:45 +09:00
parent 85347e12de
commit ab16a11aa3
6 changed files with 46 additions and 8 deletions

View File

@ -188,6 +188,7 @@ OPTIONS = [
"frontend-http3-max-window-size",
"frontend-http3-max-connection-window-size",
"frontend-http3-max-concurrent-streams",
"frontend-quic-early-data",
]
LOGVARS = [

View File

@ -2776,12 +2776,13 @@ SSL/TLS:
consider to use --client-no-http2-cipher-block-list
option. But be aware its implications.
--tls-no-postpone-early-data
By default, nghttpx postpones forwarding HTTP requests
sent in early data, including those sent in partially in
it, until TLS handshake finishes. If all backend server
recognizes "Early-Data" header field, using this option
makes nghttpx not postpone forwarding request and get
full potential of 0-RTT data.
By default, except for QUIC connections, nghttpx
postpones forwarding HTTP requests sent in early data,
including those sent in partially in it, until TLS
handshake finishes. If all backend server recognizes
"Early-Data" header field, using this option makes
nghttpx not postpone forwarding request and get full
potential of 0-RTT data.
--tls-max-early-data=<SIZE>
Sets the maximum amount of 0-RTT data that server
accepts.
@ -3209,6 +3210,12 @@ HTTP/3 and QUIC:
socket.
Default: )"
<< config->quic.bpf.prog_file << R"(
--frontend-quic-early-data
Enable early data on frontend QUIC connections. nghttpx
sends "Early-Data" header field to a backend server if a
request is received in early data and handshake has not
finished. All backend servers should deal with possibly
replayed requests.
--no-quic-bpf
Disable eBPF.
--frontend-http3-window-size=<SIZE>
@ -3995,6 +4002,7 @@ int main(int argc, char **argv) {
required_argument, &flag, 178},
{SHRPX_OPT_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS.c_str(),
required_argument, &flag, 179},
{SHRPX_OPT_FRONTEND_QUIC_EARLY_DATA.c_str(), no_argument, &flag, 180},
{nullptr, 0, nullptr, 0}};
int option_index = 0;
@ -4852,6 +4860,11 @@ int main(int argc, char **argv) {
cmdcfgs.emplace_back(SHRPX_OPT_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS,
StringRef{optarg});
break;
case 180:
// --frontend-quic-early-data
cmdcfgs.emplace_back(SHRPX_OPT_FRONTEND_QUIC_EARLY_DATA,
StringRef::from_lit("yes"));
break;
default:
break;
}

View File

@ -2297,6 +2297,11 @@ int option_lookup_token(const char *name, size_t namelen) {
break;
case 24:
switch (name[23]) {
case 'a':
if (util::strieq_l("frontend-quic-early-dat", name, 23)) {
return SHRPX_OPTID_FRONTEND_QUIC_EARLY_DATA;
}
break;
case 'd':
if (util::strieq_l("strip-incoming-forwarde", name, 23)) {
return SHRPX_OPTID_STRIP_INCOMING_FORWARDED;
@ -3967,6 +3972,12 @@ int parse_config(Config *config, int optid, const StringRef &opt,
#else // !ENABLE_HTTP3
return 0;
#endif // !ENABLE_HTTP3
case SHRPX_OPTID_FRONTEND_QUIC_EARLY_DATA:
#ifdef ENABLE_HTTP3
config->quic.upstream.early_data = util::strieq_l("yes", optarg);
#endif // ENABLE_HTTP3
return 0;
case SHRPX_OPTID_CONF:
LOG(WARN) << "conf: ignored";

View File

@ -383,6 +383,8 @@ constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE =
StringRef::from_lit("frontend-http3-max-connection-window-size");
constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS =
StringRef::from_lit("frontend-http3-max-concurrent-streams");
constexpr auto SHRPX_OPT_FRONTEND_QUIC_EARLY_DATA =
StringRef::from_lit("frontend-quic-early-data");
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
@ -746,6 +748,7 @@ struct QUICConfig {
struct {
bool log;
} debug;
bool early_data;
} upstream;
struct {
StringRef prog_file;
@ -1199,6 +1202,7 @@ enum {
SHRPX_OPTID_FRONTEND_MAX_REQUESTS,
SHRPX_OPTID_FRONTEND_NO_TLS,
SHRPX_OPTID_FRONTEND_QUIC_DEBUG_LOG,
SHRPX_OPTID_FRONTEND_QUIC_EARLY_DATA,
SHRPX_OPTID_FRONTEND_QUIC_IDLE_TIMEOUT,
SHRPX_OPTID_FRONTEND_READ_TIMEOUT,
SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT,

View File

@ -259,7 +259,13 @@ ClientHandler *QUICConnectionHandler::handle_new_connection(
assert(SSL_is_quic(ssl));
SSL_set_accept_state(ssl);
auto config = get_config();
auto &quicconf = config->quic;
if (quicconf.upstream.early_data) {
SSL_set_quic_early_data_enabled(ssl, 1);
}
// Disable TLS session ticket if we don't have working ticket
// keys.

View File

@ -1389,7 +1389,10 @@ SSL_CTX *create_quic_ssl_context(const char *private_key_file,
// !defined(OPENSSL_IS_BORINGSSL)
# if OPENSSL_1_1_1_API
if (SSL_CTX_set_max_early_data(ssl_ctx,
auto &quicconf = config->quic;
if (quicconf.upstream.early_data &&
SSL_CTX_set_max_early_data(ssl_ctx,
std::numeric_limits<uint32_t>::max()) != 1) {
LOG(FATAL) << "SSL_CTX_set_max_early_data failed: "
<< ERR_error_string(ERR_get_error(), nullptr);