Tatsuhiro Tsujikawa
539e27812b
nghttpx: Add tls_client_fingerprint_sha1 to mruby and accesslog
...
Also tls_client_fingerprint is renamed to
tls_client_fingerprint_sha256.
2017-10-31 21:41:40 +09:00
Tatsuhiro Tsujikawa
7008afd40e
nghttpx: Refactor get_x509_fingerprint to accept hash function
2017-10-31 21:28:16 +09:00
Tatsuhiro Tsujikawa
60baca27e4
nghttpx: Add more TLS related attributes to mruby Env object
...
The added attributes are:
* tls_cipher
* tls_protocol
* tls_session_id
* tls_session_reused
* alpn
2017-10-29 22:42:30 +09:00
Tatsuhiro Tsujikawa
cb376bcd80
nghttpx: Add client fingerprint and subject name to accesslog
2017-10-29 21:47:00 +09:00
Tatsuhiro Tsujikawa
f2b8edd1e2
nghttpx: Fix memory leak
2017-10-29 21:46:12 +09:00
Tatsuhiro Tsujikawa
c4f8afcfde
nghttpx: Get TLS info only when it is necessary when writing accesslog
2017-10-29 21:22:33 +09:00
Tatsuhiro Tsujikawa
9f80a82c1a
nghttpx: Add client fingerprint and subject name to mruby env
2017-10-29 19:54:42 +09:00
Tatsuhiro Tsujikawa
c573c80bd3
nghttpx: Pass a pointer to SSL instead of TLSSessionInfo to LogSpec
2017-10-29 19:47:39 +09:00
Tatsuhiro Tsujikawa
3cd6817e21
Fix typos
2017-10-29 16:54:21 +09:00
Tatsuhiro Tsujikawa
aaeeec8f1c
Fix typos
2017-10-28 22:25:42 +09:00
Tatsuhiro Tsujikawa
5119e82b93
src: Fix memory leak in unit test
2017-10-24 21:40:30 +09:00
Tatsuhiro Tsujikawa
3be5856c82
nghttpx: Fix unused function warnings
2017-10-24 21:40:30 +09:00
Tatsuhiro Tsujikawa
a319143901
nghttpx: Fix bug that header fields are missing in HTTP/1.0 response
2017-10-22 01:11:32 +09:00
Tatsuhiro Tsujikawa
f507b5eee4
nghttpx: Use an existing h2 backend connection as much as possible
...
h2load measurement reveals that this strategy is 3 times faster than
the previous implementations.
2017-10-19 21:15:08 +09:00
Tatsuhiro Tsujikawa
aaa0b858e4
Amend some macro comments
2017-10-14 11:50:16 +09:00
Tatsuhiro Tsujikawa
5fa1938691
clang-format
2017-10-14 11:45:41 +09:00
Daniel Evers
c2d9a1ed6f
Support for Windows / MinGW
2017-10-12 18:15:12 +02:00
Tatsuhiro Tsujikawa
8ffe389daa
h2load: Print out h2 header fields with --verbose option
2017-09-22 18:12:20 +09:00
Tatsuhiro Tsujikawa
2576855ded
nghttpx: Send non-final response to HTTP/1.1 or HTTP/2 client only
2017-09-21 21:42:56 +09:00
Tatsuhiro Tsujikawa
cc6f759190
src: Add static to constexpr char[]
2017-09-20 23:54:10 +09:00
Tatsuhiro Tsujikawa
323001238a
clang-format
2017-09-20 22:08:22 +09:00
Tatsuhiro Tsujikawa
91f062f873
src: Fix compile error
2017-09-20 22:08:08 +09:00
Tatsuhiro Tsujikawa
a170023f23
nghttpx: Verify OCSP response using trusted CA certificates
2017-09-01 21:35:38 +09:00
Tatsuhiro Tsujikawa
4be4c0cddc
Revert "nghttpx: Verify OCSP response using trusted CA certificates"
...
This reverts commit 59c78d5809
.
2017-08-30 22:27:02 +09:00
Rick Lei
5996798a34
Fix OCSP related error when building with BoringSSL
...
BoringSSL has no "openssl/ocsp.h" nor most OCSP related APIs used in
shrpx_tls.cc. This commit add ifdefs to disable related code to allow
building nghttp2 with BoringSSL (again).
It's possible to use !defined(OPENSSL_IS_BORINGSSL), but since BoringSSL
defines OPENSSL_NO_OCSP which is more specific, I chose to go with the
latter one.
2017-08-24 11:56:46 -04:00
Tatsuhiro Tsujikawa
6fec532012
Merge pull request #998 from nghttp2/h2load-fix-timing-script-stall
...
Fix bug that timing script stalls with -m1
2017-08-24 21:17:43 +09:00
Tatsuhiro Tsujikawa
15713e0b7c
h2load: Ignore -n for timing-based mode instead of requiring -n=0
2017-08-23 20:35:01 +09:00
Tatsuhiro Tsujikawa
a6a561af47
Fix bug that timing script stalls with -m1
2017-08-23 20:10:23 +09:00
Tatsuhiro Tsujikawa
bcda1c2409
Fix assertion failure
2017-08-23 19:22:23 +09:00
Tatsuhiro Tsujikawa
afcd8d9ab1
clang-format
2017-08-23 19:19:00 +09:00
Tatsuhiro Tsujikawa
c9b1c91944
Fix compile error
2017-08-23 19:18:27 +09:00
Tatsuhiro Tsujikawa
5d9434eb09
Merge branch 'master' of https://github.com/sohamm17/nghttp2 into sohamm17-master
2017-08-23 19:16:40 +09:00
Tatsuhiro Tsujikawa
1a44b5d52a
Merge pull request #984 from nghttp2/h2load-reservoir-sampling
...
h2load: Reservoir sampling
2017-08-23 19:00:28 +09:00
Dmitriy Vetutnev
af926fbe1f
Refactoring include directories for build as CMake subdirectory (add_subdirectory(nghttp2))
2017-08-16 21:28:12 +03:00
Tatsuhiro Tsujikawa
83039ae2d4
h2load: Reservoir sampling
2017-08-14 20:25:02 +09:00
Tatsuhiro Tsujikawa
4d76606fa2
Fix bug that forwarded for is not affected by proxy protocol
2017-08-09 22:44:14 +09:00
Soham Sinha
1baf7d34b3
Duration watcher and warmup watcher is initialised in Worker constructor. Statistic calculation is removed from duration watcher call_back, it's done in free_client.
2017-08-08 17:26:37 -04:00
Soham Sinha
c78159469a
Added a function to free a client from Worker's list of client, if the client is destroyed
2017-08-07 18:58:12 -04:00
Soham Sinha
b72ca0289c
formatting issue
2017-08-04 14:20:00 -04:00
Soham Sinha
46f670f8a2
concurrent connections are created in timing-based mode. Some safety asserts added.
2017-08-03 16:15:14 -04:00
Soham Sinha
4b44362b9f
minor style changes
2017-08-01 20:22:20 -04:00
Soham Sinha
d068a29798
removed unnecessary code
2017-08-01 19:51:47 -04:00
Soham Sinha
0836a51408
Handling requests starting in warm-up phase and ending in MAIN_DURATION
2017-08-01 18:29:00 -04:00
Soham Sinha
566cee8fe7
MAIN_DURATION is initiliazed in Worker constructor, MAIN_DURATION check is removed from two functions because those functions are needed in warm-up phase as well.
2017-08-01 17:45:52 -04:00
Soham Sinha
e85698e131
MAIN_DURATION is initiliazed in Worker constructor, MAIN_DURATION check is removed from two functions because those functions are needed in warm-up phase as well.
2017-08-01 17:45:18 -04:00
Soham Sinha
5f3c541c4c
enabled --duration option.
2017-07-28 17:31:13 -04:00
Soham Sinha
3c43e00d8a
Timing ( #1 )
...
* Adding timing-sensitive load test option in h2load.
* more checks added for parameters
* A worker thread can control its clients' warmup and main duration.
* Changed warmup to an enum variable.
* removed unnecessary call to ev_timer_stop
* assertion is done before starting main measurement phase
* phase variable is implemented only inside the Worker class
* enum to enum class
* else indentation corrected
* check added for timing-based test when duration CB is called explicitly
* New argument is introduced for timing-based benchmarking.
* styling corrections
* duration watcher initialization is pushed back into warmup timeout
* Warmup and Duration timer is moved to Worker instead of clients. Now both timers and phase belongs to the Workers.
* some client functions are modified to return if it's not main_duration phase. client is not destructed but sessions are terminated
* outputs are adjusted for thread.
* Needed to check if a session exist before terminating
* formatting
* more formatting
* formatting
2017-07-28 17:08:20 -04:00
Tatsuhiro Tsujikawa
1002c6da1c
src: Use llround instead of round
2017-07-12 23:23:47 +09:00
Tatsuhiro Tsujikawa
18dd20ce55
nghttp: Fix bug that upgrade fails if reason-phrase is missing
2017-06-28 01:01:39 +09:00
Tatsuhiro Tsujikawa
a18d154e0e
Merge pull request #943 from nghttp2/nghttpx-verify-ocsp-resp-with-cacerts
...
nghttpx: Verify OCSP response using trusted CA certificates
2017-06-15 20:56:44 +09:00
Tatsuhiro Tsujikawa
59c78d5809
nghttpx: Verify OCSP response using trusted CA certificates
2017-06-13 23:00:26 +09:00
Tatsuhiro Tsujikawa
be164fc8f9
nghttpx: Set default minimum TLS version to TLSv1.2
...
Previously, the default minimum TLS version was TLSv1.1, but the
default cipher list didn't include any compatible ciphers with it.
This made handshake fail if TLSv1.1 was negotiated because there was
no shared ciphers. To make the default settings consistent, the
default minimum TLS version is now TLSv1.2.
2017-06-12 23:54:12 +09:00
Tatsuhiro Tsujikawa
6ec7683991
nghttpx: Use nocopy version to send trailer headers to backend
...
It looks like we can use nocopy version here. We use nocopy version
in frontend in day 1.
2017-06-02 22:38:39 +09:00
Tatsuhiro Tsujikawa
8f7fa1b1bf
nghttpx: Fix crash in OCSP response verification
2017-05-30 23:52:38 +09:00
Tatsuhiro Tsujikawa
db7483ef10
Merge branch 'nghttpx-verify-ocsp'
2017-05-25 23:37:34 +09:00
Tatsuhiro Tsujikawa
74c2f1257a
nghttpx: Add --no-verify-ocsp to disable OCSP response verification
2017-05-25 23:14:58 +09:00
Tatsuhiro Tsujikawa
1428a5e3ae
nghttpx: Verify OCSP response
...
At least we should make sure that the OCSP response is targeted to the
expected certificate. This is important because we pass the file path
to the external script, and if the file is replaced because of
renewal, and nghttpx has not reloaded its configuration, the
certificate nghttpx has loaded and the one included in the file
differ. Verifying the OCSP response detects this, and avoids to send
wrong OCSP response.
2017-05-25 23:14:57 +09:00
Tatsuhiro Tsujikawa
c57bf21306
src: memchunks: Don't use std::unique_ptr to avoid potential SO
2017-05-25 00:23:51 +09:00
Tatsuhiro Tsujikawa
8401e16a15
nghttpx: Fix compile error with gcc
2017-05-22 22:10:55 +09:00
Tatsuhiro Tsujikawa
07fb5854f3
nghttpx: Compile with openssl 1.0.2
2017-05-22 22:09:34 +09:00
Tatsuhiro Tsujikawa
796ab87b14
nghttpx: Fix certificate selection based on pub key algorithm
2017-05-21 11:12:47 +09:00
Tatsuhiro Tsujikawa
ed1fad3bd4
nghttpx: Call ERR_clear_error()
...
Call ERR_clear_error() before the OpenSSL function if we use
SSL_get_error() to examine error stack.
2017-05-21 10:32:12 +09:00
Tatsuhiro Tsujikawa
9c1876f542
nghttpx: Fix certificate indexing bug
2017-05-21 00:19:33 +09:00
Tatsuhiro Tsujikawa
7d111d9963
Merge pull request #923 from nghttp2/compile-with-disable-assert
...
Compile with --disable-assert
2017-05-18 23:49:41 +09:00
Tatsuhiro Tsujikawa
1b442cb16f
Compile with --disable-assert
2017-05-18 23:10:44 +09:00
Tatsuhiro Tsujikawa
0d4f0f0db5
nghttpx: Run OCSP at startup
...
With --ocsp-startup option, nghttpx starts accepting connections after
initial attempts to get OCSP responses finish. It does not matter
some of the attempts fail. This feature is useful if OCSP responses
must be available before accepting connections.
2017-05-18 22:33:49 +09:00
Tatsuhiro Tsujikawa
14edd12304
nghttpx: Refactor the code for the anti-replay
2017-05-14 17:45:35 +09:00
Tatsuhiro Tsujikawa
e6ffdb23a4
nghttpx: Share session_cache_ssl_ctx across threads
2017-05-14 17:43:11 +09:00
Tatsuhiro Tsujikawa
b5007d45f7
nghttpx: Wildcard path matching
...
This commit adds wildcard path matching. If path pattern given in
backend option ends with "*", it is considered as wildcard path. "*"
must match at least one character. All paths which include wildcard
path without last "*" as prefix, and are strictly longer than wildcard
path without last "*" are matched.
2017-05-11 22:15:28 +09:00
Tatsuhiro Tsujikawa
a584cf5a4f
Use clang-format-4.0
2017-04-30 15:45:53 +09:00
Tatsuhiro Tsujikawa
196673bbce
nghttp: Remove unused short option 'g'
2017-04-28 22:39:12 +09:00
Tatsuhiro Tsujikawa
794d13082c
Merge branch 'nghttp-no-verify-peer'
2017-04-28 22:36:23 +09:00
Tatsuhiro Tsujikawa
5f5cf4107e
nghttpx: Reseve rcbufs_
2017-04-28 22:31:09 +09:00
Tatsuhiro Tsujikawa
6f3ec54b9f
nghttp: Add -y, --no-verify-peer option to suppress peer verify warn
2017-04-28 09:53:37 +09:00
Tatsuhiro Tsujikawa
58043a6b04
nghttpx: Guard the presence of TLS1_3_VERSION
2017-04-27 23:13:15 +09:00
Tatsuhiro Tsujikawa
a885315ef5
Merge branch 'nghttpx-unrecognized-sni'
2017-04-27 22:57:54 +09:00
Tatsuhiro Tsujikawa
d7581525ac
nghttpx: Update TLSv1.3 TLS record overhead
2017-04-27 22:57:06 +09:00
Tatsuhiro Tsujikawa
1085f68018
nghttpx: Return SSL_TLSEXT_ERR_NOACK if server name is not recognized
...
With this commit, SSL_TLSEXT_ERR_NOACK is returned from
servername_callback, which removes server_name extension from
ServerHello. CertLookupTree is now used even if the number of server
certificate is one. It is better to exercise it regularly.
2017-04-27 22:25:58 +09:00
Tatsuhiro Tsujikawa
d63b4c1034
nghttpx: Forward multiple via, xff, and xfp header fields
...
Previously, for Via, X-Forwarded-For, and X-Forwarded-Proto header
field, nghttpx only forwarded the last header field of each. With
this commit, nghttpx forwards all of them if it is configured to do
so.
2017-04-26 21:23:13 +09:00
Tatsuhiro Tsujikawa
c3f5f5ca36
nghttpx: Clarify --conf option behaviour
2017-04-20 22:25:38 +09:00
Tatsuhiro Tsujikawa
911d12f7c4
nghttpx: Add log when loading configuration file
2017-04-20 22:22:29 +09:00
Tatsuhiro Tsujikawa
17614312e0
Merge pull request #892 from nghttp2/nghttpx-sni-fwd
...
nghttpx: SNI based backend server selection
2017-04-19 21:22:15 +09:00
Tatsuhiro Tsujikawa
a2e35a0757
nghttpx: Add $tls_sni access log variable
2017-04-18 22:44:26 +09:00
Tatsuhiro Tsujikawa
a4a2b6403b
nghttpx: Use SHRPX_LOGF_TLS_* instead of SHRPX_LOGF_SSL_*
2017-04-18 22:34:08 +09:00
Tatsuhiro Tsujikawa
03be97e437
nghttpx: Rename ssl_* log variables as tls_*
...
The exiting ssl_* log variables still work for backward compatibility.
2017-04-18 22:11:05 +09:00
Tatsuhiro Tsujikawa
0a2d1965df
nghttpx: Fix path matching bug
...
Previously, if path is empty or path does not start with "/", nghttpx
did not try to match with wildcard pattern. This commit fixes it.
2017-04-18 21:03:50 +09:00
Tatsuhiro Tsujikawa
c8a5f1e335
nghttpx: SNI based backend server selection
2017-04-16 23:47:10 +09:00
Tatsuhiro Tsujikawa
a1bc83a2ba
Merge pull request #881 from mway/dev/request-priority
...
Support specifying stream priority via session::submit()
2017-04-12 23:36:40 +09:00
Matt Way
bc3949db9e
Support specifying stream priority via session::submit()
2017-04-12 10:07:16 -04:00
Tatsuhiro Tsujikawa
6cfa885207
nghttpx: Remove unused lambda capture
2017-04-12 22:09:44 +09:00
Tatsuhiro Tsujikawa
e61ac4682e
Merge branch 'nghttpx-xfp-take2'
2017-04-09 16:02:53 +09:00
Tatsuhiro Tsujikawa
4d10dce61d
nghttpx: Only send SCT for leaf certificate
2017-04-09 14:38:18 +09:00
Tatsuhiro Tsujikawa
2d9fd87029
nghttpx: Enable signed_certificate_timestamp extension for TLSv1.3
2017-04-09 14:11:49 +09:00
Tatsuhiro Tsujikawa
cc9190ab37
nghttpx: Add options for X-Forwarded-Proto header field
...
This commit adds 2 new options to handle X-Forwarded-Proto header
field. The --no-add-x-forwarded-proto option makes nghttpx not to
append X-Forwarded-Proto value. The
--no-strip-incoming-x-forwarded-proto option prevents nghttpx from
stripping the header field from client.
Previously, nghttpx always strips incoming header field, and set its
own header field. This commit preserves this behaviour, and adds
additional knobs.
2017-04-08 18:46:36 +09:00
Tatsuhiro Tsujikawa
980570de71
Revert "nghttpx: Add options for X-Forwarded-Proto header field"
...
This reverts commit 8c0b2c684a
.
2017-04-08 18:37:54 +09:00
Tatsuhiro Tsujikawa
46ccc4332c
nghttpx: Fix bug that 204 from h1 backend is always treated as error
2017-04-07 21:45:13 +09:00
Tatsuhiro Tsujikawa
4e6bd54dd1
Merge branch 'nghttpx-single-process'
2017-04-06 20:18:33 +09:00
Tatsuhiro Tsujikawa
5c9f46a6b0
Merge branch 'nghttp-verify-server-certificate'
2017-04-06 20:17:29 +09:00
Tatsuhiro Tsujikawa
223e971c7e
nghttpx: Add --single-process option
...
With --single-process option, nghttpx will run in a single process
mode where master and worker are unified into one process. nghttpx
still spawns additional process for neverbleed. In the single process
mode, signal handling is disabled.
2017-04-06 20:02:57 +09:00
Tatsuhiro Tsujikawa
8c0b2c684a
nghttpx: Add options for X-Forwarded-Proto header field
...
This commit adds 2 new options to handle X-Forwarded-Proto header
field. The --add-x-forwarded-proto option makes nghttpx append
X-Forwarded-Proto value. The --strip-incoming-x-forwarded-proto
option makes nghttpx to strip the header field from client.
Previously, nghttpx always strips incoming header field, and set its
own header field. This commit changes this behaviour. Now nghttpx
does not strip, and append X-Forwarded-Proto header field by default.
The X-Forwarded-For, and Forwarded header fields are also handled in
the same way. To recover the old behaviour, use
--add-x-forwarded-proto and --strip-incoming-x-forwarded-proto
options.
2017-04-06 19:17:36 +09:00
Tatsuhiro Tsujikawa
7ae0b2dc09
nghttp: Verify server certificate and show warning if it fails
2017-04-01 17:49:57 +09:00
Tatsuhiro Tsujikawa
058122b804
nghttpx: Rename shrpx_ssl.{h,cc} as shrpx_tls.{h,cc}
...
The namespace shrpx::ssl was also renamed as shrpx::tls.
2017-04-01 15:12:28 +09:00
Tatsuhiro Tsujikawa
69f63c529d
src: Rename ssl.{h,cc} as tls.{h,cc}
...
nghttp2::ssl namespace was also renamed as nghttp2::tls.
2017-04-01 15:12:28 +09:00
Tatsuhiro Tsujikawa
e17a6b29b6
nghttpx: Use 502 as server error code
2017-04-01 14:04:55 +09:00
Tatsuhiro Tsujikawa
b12c2a13c0
nghttpx: Fail handshake if server certificate verification fails
...
Previously, we drop connection if server certificate verification
fails after handshake. With this commit, we fail handshake if that
happens.
2017-04-01 13:41:41 +09:00
Tatsuhiro Tsujikawa
236c835abc
nghttpx: Don't enable SSL_MODE_AUTO_RETRY since we do non-blocking I/O
2017-04-01 12:05:07 +09:00
Tatsuhiro Tsujikawa
ad338bfa44
asio: Fix crash if connect takes longer time than ping interval
2017-03-31 21:17:57 +09:00
Tatsuhiro Tsujikawa
a899522679
asio: Fix compile error
2017-03-31 21:14:08 +09:00
Tatsuhiro Tsujikawa
b9b58c781e
nghttpx: Avoid extra TLS handshake calls
2017-03-30 22:23:55 +09:00
Tatsuhiro Tsujikawa
aa1eec4642
nghttpx: Cache client side session inside openssl callback
2017-03-30 21:07:58 +09:00
Tatsuhiro Tsujikawa
0c8d9469ea
nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl
2017-03-27 23:58:49 +09:00
Tatsuhiro Tsujikawa
079e1bdffc
Revert "nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl"
...
This reverts commit b4337d1b54
.
2017-03-27 23:47:24 +09:00
Tatsuhiro Tsujikawa
b4337d1b54
nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl
2017-03-27 23:29:28 +09:00
Tatsuhiro Tsujikawa
dbe287ff5e
nghttpx: Print version number with -v option
2017-03-27 22:49:53 +09:00
Tatsuhiro Tsujikawa
041531458b
Merge pull request #858 from nghttp2/nghttpx-ai-addrconfig
...
nghttpx: Retry getaddrinfo without AI_ADDRCONFIG
2017-03-27 22:37:07 +09:00
Tatsuhiro Tsujikawa
1374bb81fd
nghttpx: Enable X25519 with boringssl
2017-03-27 21:18:44 +09:00
Tatsuhiro Tsujikawa
f41ac103d3
nghttpx: Retry getaddrinfo without AI_ADDRCONFIG
2017-03-27 00:20:42 +09:00
Tatsuhiro Tsujikawa
f6301714db
nghttpx: Avoid copy of std::mt19937 which is huge
2017-03-26 21:14:34 +09:00
Tatsuhiro Tsujikawa
7dc39b1ee9
nghttpx: Failing to listen on server socket is fatal error
2017-03-26 11:04:45 +09:00
Tatsuhiro Tsujikawa
696a7ce407
Merge pull request #856 from nghttp2/escape-access-log
...
Escape access log
2017-03-25 23:36:02 +09:00
Tatsuhiro Tsujikawa
99122ee7bb
nghttpx: Find illegal character in path for SPDY CONNECT method
2017-03-25 19:18:35 +09:00
Tatsuhiro Tsujikawa
19ee7ec794
nghttpx: Escape certain characters in access log
...
The certain characters coming from client are now escaped with "\xNN"
where NN is the ascii code of the character in hex notation.
2017-03-25 19:17:24 +09:00
Piotr Sikora
cd9ec0d20f
src: BoringSSL supports SSL_CTX_set_{min,max}_proto_version.
...
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-23 19:26:49 -07:00
Tatsuhiro Tsujikawa
e77883e980
nghttpx: Fix typo
2017-03-22 22:53:46 +09:00
Tatsuhiro Tsujikawa
0994c92550
nghttpx: Don't cache session server side if TLS version is 1.3
2017-03-22 21:34:13 +09:00
Tatsuhiro Tsujikawa
465c7208cc
nghttpx: Don't look up session ID if length is 0
2017-03-22 21:33:31 +09:00
Tatsuhiro Tsujikawa
b7e7a4bf26
asio: client: Send PING after 30 seconds idle
2017-03-20 18:37:56 +09:00
Tatsuhiro Tsujikawa
c7df65309b
nghttpx: Ignore further input if connection is going to close
2017-03-19 13:24:12 +09:00
Tatsuhiro Tsujikawa
26900262f3
Revert "nghttpx: Attempt to avoid TCP RST on socket closure on Linux"
...
This reverts commit f69b52b1aa
.
2017-03-18 22:43:30 +09:00
Tatsuhiro Tsujikawa
9b5ce36368
nghttpx: Reset write timer on write
2017-03-18 21:33:00 +09:00
Tatsuhiro Tsujikawa
f69b52b1aa
nghttpx: Attempt to avoid TCP RST on socket closure on Linux
2017-03-18 00:59:26 +09:00
Tatsuhiro Tsujikawa
1e1d908c12
nghttpx: Eliminate global std::random_device
2017-03-17 22:25:10 +09:00
Tatsuhiro Tsujikawa
6c69d675da
nghttpx: Should take reference
2017-03-17 22:24:32 +09:00
Tatsuhiro Tsujikawa
feabd6f739
nghttpx: Delete unused delete_bio_method
2017-03-15 23:37:39 +09:00
Tatsuhiro Tsujikawa
1ea590c364
nghttpx: Return new BIO_METHOD object with OpenSSL < 1.1.0
2017-03-15 23:36:38 +09:00
Tatsuhiro Tsujikawa
b21779e685
nghttpx: Use raw pointer for apis
2017-03-15 23:33:07 +09:00
Tatsuhiro Tsujikawa
12a4e7c3a2
src: Use raw pointer for ssl_global_locks
2017-03-15 23:24:28 +09:00
Tatsuhiro Tsujikawa
799a76de74
nghttpx: Lesser usage of DIE
2017-03-15 23:14:07 +09:00
Tatsuhiro Tsujikawa
b1fee8ff63
nghttpx: Use raw pointer for config
2017-03-15 23:13:14 +09:00
Tatsuhiro Tsujikawa
9cc223d419
nghttpx: Use constexpr
2017-03-15 23:12:50 +09:00
Tatsuhiro Tsujikawa
20edd64301
nghttpx: Handle return value of write(2)
2017-03-15 21:28:53 +09:00
Tatsuhiro Tsujikawa
9aee518352
nghttpx: Effectively revert ff64f64e1d
2017-03-15 00:07:57 +09:00
Tatsuhiro Tsujikawa
51b933c5f0
src: Use "Modern compatibility" ciphers by default
2017-03-11 23:58:52 +09:00
Tatsuhiro Tsujikawa
3e0e3f5459
src: Fix typo
2017-03-10 23:10:13 +09:00
Tatsuhiro Tsujikawa
fa074145a4
Merge pull request #788 from nghttp2/nghttpx-h2-proxy-pattern-match
...
nghttpx: Enable backend pattern matching with http2-proxy
2017-03-06 21:22:34 +09:00
Tatsuhiro Tsujikawa
b2d6550179
src: BoringSSL only requires CRYPTO_library_init
2017-03-05 21:36:52 +09:00
Tatsuhiro Tsujikawa
62dd1f5177
src: OpenSSL 1.1.0 does not require explicit initialization
2017-03-05 19:57:06 +09:00
Tatsuhiro Tsujikawa
a6dda5f91c
nghttpx: Log rstatus in hex
2017-03-01 23:21:11 +09:00
Tatsuhiro Tsujikawa
c1f7795dd6
nghttpx: Set close-on-exec flag on listener in worker process
2017-03-01 23:20:36 +09:00
Tatsuhiro Tsujikawa
4989e6e419
nghttpx: Don't call functions which are not async-signal-safe
...
.. after fork but before execv in multithreaded process.
2017-03-01 22:42:30 +09:00
Alexis La Goutte
d725255784
nghttp2_gzip: fix this statement may fall through [-Werror=implicit-fallthrough=] found by gcc7
2017-02-27 21:38:55 +01:00
Tatsuhiro Tsujikawa
373be22d7e
nghttpx: Simpler
2017-02-23 22:32:04 +09:00
Tatsuhiro Tsujikawa
b647a7c5b7
nghttpx: Simplify code using parse_uint
2017-02-23 22:22:49 +09:00
Tatsuhiro Tsujikawa
e1b8317ae8
nghttpx: Strip version number from server header field
2017-02-22 20:56:40 +09:00
Tatsuhiro Tsujikawa
2af57c3cfc
nghttpx: Add --single-worker option
...
Previously, nghttpx will use only one single thread inside the worker
process if --workers=1 (this is default). If --workers=N, N > 1, we
use additional threads for accepting connections, or API request
processing, etc.
With this commit, we use the same processing model for N > 1 even if N
== 1. To restore the original single thread execution mode,
--single-worker option is added. If threading is disabled
--single-worker is always true.
2017-02-21 22:19:34 +09:00
Tatsuhiro Tsujikawa
0c8b1a4f74
nghttpx: Fix bug that send_reply does not participate graceful shutdown
2017-02-21 21:27:57 +09:00
Tatsuhiro Tsujikawa
9d16292fe4
nghttpx: Add --frontend-max-requests option
2017-02-20 23:36:50 +09:00
Tatsuhiro Tsujikawa
e2b9590c0f
nghttpx: Enable stream-write-timeout by default
2017-02-20 22:18:49 +09:00
Tatsuhiro Tsujikawa
24fb640a55
nghttpx: Fix stream wtimer handling
2017-02-20 22:08:39 +09:00
Tatsuhiro Tsujikawa
450ffaa6f0
nghttpx: Add configrevision API endpoint
...
This commit adds configuration revision, which is considered opaque
string, and changes after reloading configuration with SIGHUP. This
revision is returned as a response to configrevision API endpoint.
This allows external application to know whether nghttpx has finished
reloading new configuration or not. Note that this revision does not
change on backendconfig API calls.
2017-02-19 23:40:06 +09:00
Tatsuhiro Tsujikawa
dc15832030
nghttpx: Refactor API downstream connection to allow more endpoints
2017-02-19 22:49:53 +09:00
Tatsuhiro Tsujikawa
a7c780a732
nghttpx: Redirect to HTTPS URI with redirect-if-not-tls param
...
This commit removes frontend-tls parameter, and adds
redirect-if-not-tls parameter parameter to --backend option. nghttpx
now responds to the request with 308 status code to redirect the
request to https URI if frontend connection is not TLS encrypted, and
redirect-if-no-tls parameter is used in --backend option. The port
number in Location header field is 443 by default (thus omitted), but
it can be configurable using --redirect-https-port option.
2017-02-18 22:32:27 +09:00
Tatsuhiro Tsujikawa
e06ed85747
nghttpx: Fix travis gcc compile error
2017-02-17 00:42:25 +09:00
Tatsuhiro Tsujikawa
83fd72c97e
nghttpx: Use std::chrono::duration_cast
2017-02-17 00:33:26 +09:00
Tatsuhiro Tsujikawa
ace40f298d
nghttpx: Update log time stamp in millisecond interval
2017-02-17 00:18:07 +09:00
Tatsuhiro Tsujikawa
1133cc0bbc
nghttpx: Don't call get_config() repeatedly
2017-02-16 23:41:23 +09:00
Tatsuhiro Tsujikawa
6960039aee
nghttpx: C++ style cast
2017-02-16 23:02:19 +09:00
Tatsuhiro Tsujikawa
bf5eeb831b
nghttpx: Better error message when private key and certificate are missing
2017-02-16 23:00:25 +09:00
Tatsuhiro Tsujikawa
e5b84fad09
nghttpx: Fix bug that old config is used during reloading config
2017-02-16 22:46:22 +09:00
Tatsuhiro Tsujikawa
cfb39171a7
nghttpx: Remove redundant StringRef ctor invocation
2017-02-16 22:45:55 +09:00
Tatsuhiro Tsujikawa
9e8d9d658a
src: Enable TLSv1.3 if OpenSSL supports it
...
If OpenSSL supports TLSv1.3, enable it by default for all applications
under src. BoringSSL can work at the moment although it does not
unlock all the features nghttpx offers. OpenSSL's TLSv1.3 support is
still WIP at the time of writing.
2017-02-15 22:34:53 +09:00
Tatsuhiro Tsujikawa
6ecfac6954
nghttpx: Parse default TLS min and max versions from string
2017-02-15 21:28:40 +09:00
Tatsuhiro Tsujikawa
56e86cd944
src: h2 requires >= TLSv1.2
2017-02-14 22:21:35 +09:00
Tatsuhiro Tsujikawa
b36e53cccd
nghttpx: Specify TLS protocol by version range
...
This commit deprecates --tls-proto-list option, and adds 2 new
options: --tls-min-proto-version and --tls-max-proto-version to
specify minimum and maximum protocol version respectively. Versions
between the two are enabled. The deprecated --tls-proto-list has
empty default value, and acts like enabling only specific protocol
versions in the range for now.
2017-02-14 00:01:09 +09:00
Tatsuhiro Tsujikawa
001d45efad
Merge branch 'nghttpx-graceful-sigusr2'
2017-02-12 23:52:03 +09:00
Tatsuhiro Tsujikawa
56c455bca4
nghttpx: Send SIGQUIT to the original master process
...
Previously, after sending SIGUSR2 to the original master process, and
the new master process gets ready, user has to send SIGQUIT to the
original master process to shut it down gracefully. With this commit,
the new master process sends SIGQUIT to the original master process
when it is ready to serve requests, eliminating for user to send
SIGQUIT manually.
This works nicely with systemd, because now you can replace nghttpx
binary with new one by "systemctl kill -s USR2 --kill-who=main
nghttpx".
2017-02-12 23:29:44 +09:00
Tatsuhiro Tsujikawa
4bf3cb2cc0
Revert "nghttpx: Don't capitalize h1 header fields"
...
This reverts commit f994664934
.
2017-02-12 23:27:38 +09:00
Tatsuhiro Tsujikawa
c78528d54b
nghttpx: Restrict HTTP major and minor in 0 or 1
2017-02-11 18:42:29 +09:00
Tatsuhiro Tsujikawa
f994664934
nghttpx: Don't capitalize h1 header fields
2017-02-11 18:41:52 +09:00
Tatsuhiro Tsujikawa
44e290da66
clang-format
2017-02-11 13:08:08 +09:00
Tatsuhiro Tsujikawa
8aed101585
Merge pull request #805 from pakdel/graceful_stop
...
graceful stop of nghttp2::asio_http2::server::http2
2017-02-11 13:07:10 +09:00
Tatsuhiro Tsujikawa
e44c58282e
Drop privilege of neverbleed daemon first
2017-02-10 17:43:19 +09:00
Tatsuhiro Tsujikawa
c02b1041d9
nghttpx: Use nullptr instead of NULL
2017-02-10 17:14:47 +09:00
Tatsuhiro Tsujikawa
23209baaf5
clang-format
2017-02-10 17:02:46 +09:00
Tatsuhiro Tsujikawa
9d2503f9c0
Merge pull request #802 from zdzichu/master
...
nghttpx: add systemd support
2017-02-10 16:17:01 +09:00
Amir Pakdel
1c31213aef
More graceful stop of nghttp2::asio_http2::server::http2
...
Explicit io_service::stop() will prevent running streams from
finishing their task. That means if there are already reposnes
that we have called end(std::string) on them and they have not
finished sending back their data, they will be closed with a
NGHTTP2_INTERNAL_ERROR
Instead, we can stop accepting connections and destroy all
io_service::work objects to signals end of work.
2017-02-09 23:34:19 -05:00
Tomasz Torcz
fdb75ba5fe
nghttpx: add systemd support
...
Add systemd's Type=notify support by sending information about
master process PID around forks.
Add some hardening option to service unit.
2017-02-09 18:58:00 +01:00
Tatsuhiro Tsujikawa
8f888b29bd
clang-format
2017-02-09 21:00:47 +09:00
clemahieu
298808f276
Holding more shared_ptrs instead of raw ptrs to make sure called objects don't get deleted.
2017-02-09 21:00:11 +09:00
Tatsuhiro Tsujikawa
a231874e1e
Merge branch 'nghttpx-certs-per-sigalg'
2017-02-08 23:36:23 +09:00
Tatsuhiro Tsujikawa
2101f4ae3f
Merge branch 'mruby-send-1xx'
2017-02-08 22:18:11 +09:00
Tatsuhiro Tsujikawa
4a06f9684f
nghttpx: Fix crash on SIGHUP with multi thread configuration
2017-02-08 22:14:23 +09:00
Tatsuhiro Tsujikawa
9a85c5264a
nghttpx: Send 1xx non-final response using mruby script
2017-02-08 00:30:03 +09:00
Tatsuhiro Tsujikawa
68a724cf7b
nghttpx: Select certificate by client's supported signature algo
...
nghttpx supports multiple certificates using --subcert option.
Previously, SNI hostname is used to select certificate. With this
commit, signature algorithm presented by client is also taken into
consideration. nghttpx now accepts certificates which share the same
hostname (CN, SAN), but have different signature algorithm (e.g.,
ECDSA+SHA256, RSA+SHA256).
Currently, this feature requires OpenSSL >= 1.0.2. BoringSSL, and
LibreSSL do not work since they lack required APIs.
2017-02-04 23:37:24 +09:00
Tatsuhiro Tsujikawa
779ec50e73
Merge pull request #795 from clemahieu/close_stream_iterator
...
close_stream erases from streams_ while it's being iterated over.
2017-02-04 11:37:43 +09:00
Tatsuhiro Tsujikawa
1649948e78
asio: Add curly brackets to avoid possible well known issue
2017-02-04 11:33:21 +09:00
clemahieu
6d3e010ae7
Infinite loop in acceptor handler.
2017-02-04 11:31:12 +09:00
Tatsuhiro Tsujikawa
7dddac081e
clang-format
2017-02-04 11:29:10 +09:00
clemahieu
f0b6b9508d
close_stream erases from streams_ while it's being iterated over.
...
The destructor will already clean this structure up.
2017-02-03 01:36:18 -06:00
Benedikt Christoph Wolters
14ccb24be5
add support for link rel="preload" for --get-assets
2017-02-01 15:54:15 +01:00
Tatsuhiro Tsujikawa
025ec85144
Merge pull request #790 from nghttp2/nghttpx-backend-frontend-tls-parameter
...
nghttpx: Add frontend-tls parameter to backend to require client TLS
2017-01-31 21:49:51 +09:00
Tatsuhiro Tsujikawa
bd97886d8e
nghttpx: Use stack allocated buffer instead of making std::string
2017-01-29 22:11:33 +09:00
Tatsuhiro Tsujikawa
0b1ddad62b
nghttpx: Add frontend-tls parameter to backend to require client TLS
2017-01-28 22:19:14 +09:00
Tatsuhiro Tsujikawa
540853bde8
nghttpx: Fix typo
2017-01-28 22:18:17 +09:00
Tatsuhiro Tsujikawa
1cc08c0a51
nghttpx: Show warning if PSK options are used but not supported
2017-01-26 20:34:58 +09:00
Bernard Spil
16be89f9cc
nghttpx: Don't build PSK features with LibreSSL
...
LibreSSL removed PSK
Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2017-01-26 20:21:55 +09:00
Tatsuhiro Tsujikawa
3ddc446ba2
nghttpx: Enable backend pattern matching with http2-proxy
2017-01-26 01:04:27 +09:00
Tatsuhiro Tsujikawa
b72c5f104e
h2load: Fix wrong req_stat updates
2017-01-26 00:26:35 +09:00
Tatsuhiro Tsujikawa
7e6eb7e02a
h2load: Explicitly count the number of requests left and inflight
2017-01-26 00:16:12 +09:00
Tatsuhiro Tsujikawa
ba9f2c3ae2
Compile with Android NDK r13b using clang
2017-01-23 00:32:51 +09:00
Tatsuhiro Tsujikawa
5311185333
nghttpx: Define the maximum number of digits in uint64_t
2017-01-22 22:33:52 +09:00
Tatsuhiro Tsujikawa
2fc2a27ac1
nghttpx: Use char instead of char[] if possible
2017-01-22 22:28:14 +09:00
Tatsuhiro Tsujikawa
db938afd66
nghttpx: Increase default backlog
2017-01-20 23:06:24 +09:00
Tatsuhiro Tsujikawa
89ddc47616
nghttpx: More constexpr
2017-01-20 23:04:48 +09:00
Tatsuhiro Tsujikawa
3176e872b3
nghttpx: Efficient access.log writer
...
Write integer to log buffer directly to improve efficiency. Remove
unused function templates. Use [first, last) style arguments for
copy() function templates.
2017-01-20 22:42:41 +09:00
Tatsuhiro Tsujikawa
16206d5f67
nghttp: Use std::unique_ptr for html_parser
2017-01-18 00:34:39 +09:00
Tatsuhiro Tsujikawa
0f33749790
nghttp: Take into account scheme and port when parsing HTML links
...
Previously, when parsing HTML links, we only take into account
overridden host. But we actually need more variables to consider. In
this commit, we take into account overridden scheme, host, and port to
parse HTML links.
2017-01-18 00:29:51 +09:00
Tatsuhiro Tsujikawa
5e7e4c0cc0
nghttp: config.headers should be inspected rather than req->req_nva
2017-01-17 23:00:37 +09:00
Benedikt Christoph Wolters
8f513fceca
Fix authority for --get-assets if IP adress is used in conjunction with user-defined :authority header
2017-01-17 21:14:36 +09:00
Tatsuhiro Tsujikawa
685e926494
nghttpx: Add --accesslog-write-early option
...
--accesslog-write-early option is analogous to HAProxy's logasap. If
used, nghttpx writes access log when response header fields are
received from backend rather than when request transaction finishes.
2017-01-13 22:12:21 +09:00
Tatsuhiro Tsujikawa
a2afd393ed
nghttpx: Remove field from LogSpec which can be got from Downstream
2017-01-11 22:30:12 +09:00
Tatsuhiro Tsujikawa
33aa327ef5
nghttpx: Fix access.log timestamp
...
access.log timestamp is now when request header fields are received,
rather than when access log is written.
2017-01-11 20:47:17 +09:00
Tatsuhiro Tsujikawa
9067ff5eee
nghttp: Use nghttp2::ssl::DEFAULT_CIPHER_LIST
2017-01-09 23:50:38 +09:00
Tatsuhiro Tsujikawa
efeede4192
nghttpx: Fix typo
2017-01-09 23:49:10 +09:00
Tatsuhiro Tsujikawa
6a8749873f
nghttpx: Add detailed TLS connection logging
2017-01-09 23:32:35 +09:00
Tatsuhiro Tsujikawa
9b574a5a76
nghttpx: Fix typo
2017-01-09 22:19:19 +09:00
Tatsuhiro Tsujikawa
0567f1f038
Add constexpr to StringRef(const CharT *, size_t)
2017-01-09 21:15:53 +09:00
Tatsuhiro Tsujikawa
4be5de1163
src: Move log related functions from util.cc to shrpx_log.cc
2017-01-09 19:34:40 +09:00
Tatsuhiro Tsujikawa
9db1c9467c
src: Add constexpr to long_options
2017-01-09 19:28:00 +09:00
Tatsuhiro Tsujikawa
3444b42d44
src: Add more constexpr
2017-01-09 17:17:48 +09:00
Tatsuhiro Tsujikawa
6595ae26ea
src: Add constexpr to const objects
2017-01-09 17:11:37 +09:00
Tatsuhiro Tsujikawa
7e1a0d204b
h2load: Show default cipher list in -h
2017-01-09 14:47:32 +09:00
Tatsuhiro Tsujikawa
cbca2e35b5
nghttpx: Show default cipher list in -h
2017-01-09 14:43:13 +09:00
Tatsuhiro Tsujikawa
fc9bdf024f
src: Make DEFAULT_CIPHER_LIST constexpr char[]
2017-01-09 14:42:40 +09:00
Tatsuhiro Tsujikawa
4fa150c494
nghttpx: Use Memchunk based read buffer for frontend connection
...
Previously, we have dedicated read buffer for each frontend
connection. With this commit, the buffer spaces are only used when
needed, and pooled if they are not used. This reduces memory usage
for idle client connections.
2017-01-08 23:20:14 +09:00
Tatsuhiro Tsujikawa
e8b2508036
nghttpx: Rename confusing names in HttpDownstreamConnection
2017-01-08 23:09:00 +09:00
Tatsuhiro Tsujikawa
ac399e41ac
nghttpx: Update doc
...
Mention client-ciphers, and no-http2-cipher-black-list options in
psk-secrets and client-psk-secrets options.
2017-01-08 23:04:07 +09:00
Tatsuhiro Tsujikawa
9c7e54d9b5
nghttpx: Add client-ciphers option
...
Previously, ciphers option sets cipher list for both frontend and
backend TLS connections. With this commit, ciphers option only sets
cipher list for frontend connections. The new client-ciphers option
sets cipher list for backend connection.
2017-01-08 22:40:58 +09:00
Tatsuhiro Tsujikawa
3c03024881
nghttpx: Add client-no-http2-cipher-black-list option
...
This commit adds client-no-http2-cipher-black-list option to disable
enforcement of HTTP/2 cipher black list on backend HTTP/2 connection.
Previously, existing no-http2-cipher-black-list option disables it for
both frontend and backend connections. Now no-http2-cipher-black-list
option only disables it for frontend connection.
2017-01-08 22:33:19 +09:00
Tatsuhiro Tsujikawa
36dfc0a56a
nghttpx: Reorganize client side TLS configuration
2017-01-08 22:25:30 +09:00
Tatsuhiro Tsujikawa
55bf6cdb15
Merge branch 'nghttpx-psk'
2017-01-08 21:10:07 +09:00
Tatsuhiro Tsujikawa
0abc220013
nghttpx: Fix the bug that no-http2-cipher-black-list does not work
...
Because of the redundant check in backend HTTP/2 session,
no-http2-cipher-black-list does not work on backend HTTP/2 connection.
This commit fixes it.
2017-01-08 19:43:24 +09:00
Tatsuhiro Tsujikawa
c28900990a
h2load: Show custom server temp key such as X25519
2017-01-08 17:58:19 +09:00
Tatsuhiro Tsujikawa
5108193d7b
h2load: Fix incorrect return value from spdylay_send_callback
2017-01-08 17:32:35 +09:00
Tatsuhiro Tsujikawa
79a24f5dd9
nghttpx: Add --client-psk-secret option to enable PSK in backend
2017-01-08 00:35:55 +09:00
Tatsuhiro Tsujikawa
83c759572c
nghttpx: Add --psk-secret option to enable PSK in frontend connection
2017-01-08 00:35:54 +09:00
Tatsuhiro Tsujikawa
1a07fb000b
nghttpx: Enable SCT with OpenSSL 1.1.0
2017-01-06 21:29:04 +09:00
Tatsuhiro Tsujikawa
b064d8a9ff
Merge branch 'nghttpx-fronend-proxyproto'
2017-01-03 17:28:20 +09:00
Tatsuhiro Tsujikawa
c6827a7dac
nghttpx: Fix assertion error in libev ev_io_start
2017-01-03 16:43:49 +09:00
Tatsuhiro Tsujikawa
55ecb082ee
nghttpx: Handle c-ares success without result
2017-01-03 14:35:05 +09:00