From c7071258391eda73bb40fc583364ae73d0dfe875 Mon Sep 17 00:00:00 2001 From: Tatsuhiro Tsujikawa Date: Thu, 7 Feb 2013 21:13:36 +0900 Subject: [PATCH] shrpx: Explicitly hold server SSL_CTX and client SSL_CTX --- src/shrpx.cc | 11 ++++++----- src/shrpx_client_handler.cc | 2 +- src/shrpx_client_handler.h | 4 ++-- src/shrpx_listen_handler.cc | 19 ++++++++++--------- src/shrpx_listen_handler.h | 16 +++++++++------- src/shrpx_ssl.cc | 12 ++++++------ src/shrpx_ssl.h | 6 +++--- src/shrpx_thread_event_receiver.cc | 8 ++++---- src/shrpx_worker.cc | 9 +++++---- src/shrpx_worker.h | 3 ++- 10 files changed, 48 insertions(+), 42 deletions(-) diff --git a/src/shrpx.cc b/src/shrpx.cc index 3cbb94ff..73a3a254 100644 --- a/src/shrpx.cc +++ b/src/shrpx.cc @@ -242,11 +242,12 @@ int event_loop() { event_base *evbase = event_base_new(); - SSL_CTX *ssl_ctx = get_config()->client_mode ? - ssl::create_ssl_client_context() : get_config()->default_ssl_ctx; - - ListenHandler *listener_handler = new ListenHandler(evbase, ssl_ctx); + SSL_CTX *sv_ssl_ctx = get_config()->default_ssl_ctx; + SSL_CTX *cl_ssl_ctx = get_config()->client_mode ? + ssl::create_ssl_client_context() : 0; + ListenHandler *listener_handler = new ListenHandler(evbase, sv_ssl_ctx, + cl_ssl_ctx); if(get_config()->daemon) { if(daemon(0, 0) == -1) { LOG(FATAL) << "Failed to daemonize: " << strerror(errno); @@ -269,7 +270,7 @@ int event_loop() if(get_config()->num_worker > 1) { listener_handler->create_worker_thread(get_config()->num_worker); - } else if(get_config()->client_mode) { + } else if(cl_ssl_ctx) { listener_handler->create_spdy_session(); } diff --git a/src/shrpx_client_handler.cc b/src/shrpx_client_handler.cc index fa5ae7a8..914a815d 100644 --- a/src/shrpx_client_handler.cc +++ b/src/shrpx_client_handler.cc @@ -272,7 +272,7 @@ DownstreamConnection* ClientHandler::get_downstream_connection() CLOG(INFO, this) << "Downstream connection pool is empty." << " Create new one"; } - if(get_config()->client_mode) { + if(spdy_) { return new SpdyDownstreamConnection(this); } else { return new HttpDownstreamConnection(this); diff --git a/src/shrpx_client_handler.h b/src/shrpx_client_handler.h index 0cb843b7..18bd24df 100644 --- a/src/shrpx_client_handler.h +++ b/src/shrpx_client_handler.h @@ -71,8 +71,8 @@ private: std::string ipaddr_; bool should_close_after_write_; std::set dconn_pool_; - // Shared SPDY session for each thread. NULL if not client mode. Not - // deleted by this object. + // Shared SPDY session for each thread. NULL if backend is not + // SPDY. Not deleted by this object. SpdySession *spdy_; }; diff --git a/src/shrpx_listen_handler.cc b/src/shrpx_listen_handler.cc index d617a7af..3e876966 100644 --- a/src/shrpx_listen_handler.cc +++ b/src/shrpx_listen_handler.cc @@ -40,9 +40,11 @@ namespace shrpx { -ListenHandler::ListenHandler(event_base *evbase, SSL_CTX *ssl_ctx) +ListenHandler::ListenHandler(event_base *evbase, SSL_CTX *sv_ssl_ctx, + SSL_CTX *cl_ssl_ctx) : evbase_(evbase), - ssl_ctx_(ssl_ctx), + sv_ssl_ctx_(sv_ssl_ctx), + cl_ssl_ctx_(cl_ssl_ctx), worker_round_robin_cnt_(0), workers_(0), num_worker_(0), @@ -68,7 +70,8 @@ void ListenHandler::create_worker_thread(size_t num) LLOG(ERROR, this) << "socketpair() failed: " << strerror(errno); continue; } - info->ssl_ctx = ssl_ctx_; + info->sv_ssl_ctx = sv_ssl_ctx_; + info->cl_ssl_ctx = cl_ssl_ctx_; rv = pthread_create(&thread, &attr, start_threaded_worker, info); if(rv != 0) { LLOG(ERROR, this) << "pthread_create() failed: " << strerror(rv); @@ -94,11 +97,9 @@ int ListenHandler::accept_connection(evutil_socket_t fd, LLOG(INFO, this) << "Accepted connection. fd=" << fd; } if(num_worker_ == 0) { - ClientHandler* client = - ssl::accept_ssl_connection(evbase_, ssl_ctx_, fd, addr, addrlen); - if(get_config()->client_mode) { - client->set_spdy_session(spdy_); - } + ClientHandler* client = ssl::accept_connection(evbase_, sv_ssl_ctx_, + fd, addr, addrlen); + client->set_spdy_session(spdy_); } else { size_t idx = worker_round_robin_cnt_ % num_worker_; ++worker_round_robin_cnt_; @@ -124,7 +125,7 @@ event_base* ListenHandler::get_evbase() const int ListenHandler::create_spdy_session() { int rv; - spdy_ = new SpdySession(evbase_, ssl_ctx_); + spdy_ = new SpdySession(evbase_, cl_ssl_ctx_); rv = spdy_->init_notification(); return rv; } diff --git a/src/shrpx_listen_handler.h b/src/shrpx_listen_handler.h index cbfc02df..adde44e5 100644 --- a/src/shrpx_listen_handler.h +++ b/src/shrpx_listen_handler.h @@ -38,7 +38,8 @@ namespace shrpx { struct WorkerInfo { int sv[2]; - SSL_CTX *ssl_ctx; + SSL_CTX *sv_ssl_ctx; + SSL_CTX *cl_ssl_ctx; bufferevent *bev; }; @@ -46,7 +47,7 @@ class SpdySession; class ListenHandler { public: - ListenHandler(event_base *evbase, SSL_CTX *ssl_ctx); + ListenHandler(event_base *evbase, SSL_CTX *sv_ssl_ctx, SSL_CTX *cl_ssl_ctx); ~ListenHandler(); int accept_connection(evutil_socket_t fd, sockaddr *addr, int addrlen); void create_worker_thread(size_t num); @@ -54,14 +55,15 @@ public: int create_spdy_session(); private: event_base *evbase_; - // In client-mode, this is for backend SPDY connection. Otherwise, - // for frontend. - SSL_CTX *ssl_ctx_; + // The frontend server SSL_CTX + SSL_CTX *sv_ssl_ctx_; + // The backend server SSL_CTX + SSL_CTX *cl_ssl_ctx_; unsigned int worker_round_robin_cnt_; WorkerInfo *workers_; size_t num_worker_; - // Shared SPDY session. NULL if not client mode or - // multi-threaded. In multi-threaded case, see shrpx_worker.cc. + // Shared backend SPDY session. NULL if multi-threaded. In + // multi-threaded case, see shrpx_worker.cc. SpdySession *spdy_; }; diff --git a/src/shrpx_ssl.cc b/src/shrpx_ssl.cc index 5929118c..1fd3e079 100644 --- a/src/shrpx_ssl.cc +++ b/src/shrpx_ssl.cc @@ -245,9 +245,9 @@ SSL_CTX* create_ssl_client_context() return ssl_ctx; } -ClientHandler* accept_ssl_connection(event_base *evbase, SSL_CTX *ssl_ctx, - evutil_socket_t fd, - sockaddr *addr, int addrlen) +ClientHandler* accept_connection(event_base *evbase, SSL_CTX *ssl_ctx, + evutil_socket_t fd, + sockaddr *addr, int addrlen) { char host[NI_MAXHOST]; int rv; @@ -266,9 +266,7 @@ ClientHandler* accept_ssl_connection(event_base *evbase, SSL_CTX *ssl_ctx, } SSL *ssl = 0; bufferevent *bev; - if(get_config()->client_mode) { - bev = bufferevent_socket_new(evbase, fd, BEV_OPT_DEFER_CALLBACKS); - } else { + if(ssl_ctx) { ssl = SSL_new(ssl_ctx); if(!ssl) { LOG(ERROR) << "SSL_new() failed: " @@ -278,6 +276,8 @@ ClientHandler* accept_ssl_connection(event_base *evbase, SSL_CTX *ssl_ctx, bev = bufferevent_openssl_socket_new (evbase, fd, ssl, BUFFEREVENT_SSL_ACCEPTING, BEV_OPT_DEFER_CALLBACKS); + } else { + bev = bufferevent_socket_new(evbase, fd, BEV_OPT_DEFER_CALLBACKS); } ClientHandler *client_handler = new ClientHandler(bev, fd, ssl, host); return client_handler; diff --git a/src/shrpx_ssl.h b/src/shrpx_ssl.h index 0f3b60b5..56665b82 100644 --- a/src/shrpx_ssl.h +++ b/src/shrpx_ssl.h @@ -45,9 +45,9 @@ SSL_CTX* create_ssl_context(const char *private_key_file, SSL_CTX* create_ssl_client_context(); -ClientHandler* accept_ssl_connection(event_base *evbase, SSL_CTX *ssl_ctx, - evutil_socket_t fd, - sockaddr *addr, int addrlen); +ClientHandler* accept_connection(event_base *evbase, SSL_CTX *ssl_ctx, + evutil_socket_t fd, + sockaddr *addr, int addrlen); bool numeric_host(const char *hostname); diff --git a/src/shrpx_thread_event_receiver.cc b/src/shrpx_thread_event_receiver.cc index f29a169d..8d5c2c35 100644 --- a/src/shrpx_thread_event_receiver.cc +++ b/src/shrpx_thread_event_receiver.cc @@ -58,10 +58,10 @@ void ThreadEventReceiver::on_read(bufferevent *bev) } event_base *evbase = bufferevent_get_base(bev); ClientHandler *client_handler; - client_handler = ssl::accept_ssl_connection(evbase, ssl_ctx_, - wev.client_fd, - &wev.client_addr.sa, - wev.client_addrlen); + client_handler = ssl::accept_connection(evbase, ssl_ctx_, + wev.client_fd, + &wev.client_addr.sa, + wev.client_addrlen); if(client_handler) { client_handler->set_spdy_session(spdy_); if(LOG_ENABLED(INFO)) { diff --git a/src/shrpx_worker.cc b/src/shrpx_worker.cc index f9d12da4..43d2b16c 100644 --- a/src/shrpx_worker.cc +++ b/src/shrpx_worker.cc @@ -39,7 +39,8 @@ namespace shrpx { Worker::Worker(WorkerInfo *info) : fd_(info->sv[1]), - ssl_ctx_(info->ssl_ctx) + sv_ssl_ctx_(info->sv_ssl_ctx), + cl_ssl_ctx_(info->cl_ssl_ctx) {} Worker::~Worker() @@ -74,13 +75,13 @@ void Worker::run() bufferevent *bev = bufferevent_socket_new(evbase, fd_, BEV_OPT_DEFER_CALLBACKS); SpdySession *spdy = 0; - if(get_config()->client_mode) { - spdy = new SpdySession(evbase, ssl_ctx_); + if(cl_ssl_ctx_) { + spdy = new SpdySession(evbase, cl_ssl_ctx_); if(spdy->init_notification() == -1) { DIE(); } } - ThreadEventReceiver *receiver = new ThreadEventReceiver(ssl_ctx_, spdy); + ThreadEventReceiver *receiver = new ThreadEventReceiver(sv_ssl_ctx_, spdy); bufferevent_enable(bev, EV_READ); bufferevent_setcb(bev, readcb, 0, eventcb, receiver); diff --git a/src/shrpx_worker.h b/src/shrpx_worker.h index e9451d2c..e0c2d8f1 100644 --- a/src/shrpx_worker.h +++ b/src/shrpx_worker.h @@ -42,7 +42,8 @@ public: private: // Channel to the main thread int fd_; - SSL_CTX *ssl_ctx_; + SSL_CTX *sv_ssl_ctx_; + SSL_CTX *cl_ssl_ctx_; }; void* start_threaded_worker(void *arg);