This commit removes frontend-tls parameter, and adds
redirect-if-not-tls parameter parameter to --backend option. nghttpx
now responds to the request with 308 status code to redirect the
request to https URI if frontend connection is not TLS encrypted, and
redirect-if-no-tls parameter is used in --backend option. The port
number in Location header field is 443 by default (thus omitted), but
it can be configurable using --redirect-https-port option.
If OpenSSL supports TLSv1.3, enable it by default for all applications
under src. BoringSSL can work at the moment although it does not
unlock all the features nghttpx offers. OpenSSL's TLSv1.3 support is
still WIP at the time of writing.
This commit deprecates --tls-proto-list option, and adds 2 new
options: --tls-min-proto-version and --tls-max-proto-version to
specify minimum and maximum protocol version respectively. Versions
between the two are enabled. The deprecated --tls-proto-list has
empty default value, and acts like enabling only specific protocol
versions in the range for now.
Previously, after sending SIGUSR2 to the original master process, and
the new master process gets ready, user has to send SIGQUIT to the
original master process to shut it down gracefully. With this commit,
the new master process sends SIGQUIT to the original master process
when it is ready to serve requests, eliminating for user to send
SIGQUIT manually.
This works nicely with systemd, because now you can replace nghttpx
binary with new one by "systemctl kill -s USR2 --kill-who=main
nghttpx".
Explicit io_service::stop() will prevent running streams from
finishing their task. That means if there are already reposnes
that we have called end(std::string) on them and they have not
finished sending back their data, they will be closed with a
NGHTTP2_INTERNAL_ERROR
Instead, we can stop accepting connections and destroy all
io_service::work objects to signals end of work.
nghttpx supports multiple certificates using --subcert option.
Previously, SNI hostname is used to select certificate. With this
commit, signature algorithm presented by client is also taken into
consideration. nghttpx now accepts certificates which share the same
hostname (CN, SAN), but have different signature algorithm (e.g.,
ECDSA+SHA256, RSA+SHA256).
Currently, this feature requires OpenSSL >= 1.0.2. BoringSSL, and
LibreSSL do not work since they lack required APIs.
Write integer to log buffer directly to improve efficiency. Remove
unused function templates. Use [first, last) style arguments for
copy() function templates.
Previously, when parsing HTML links, we only take into account
overridden host. But we actually need more variables to consider. In
this commit, we take into account overridden scheme, host, and port to
parse HTML links.
--accesslog-write-early option is analogous to HAProxy's logasap. If
used, nghttpx writes access log when response header fields are
received from backend rather than when request transaction finishes.
Previously, we have dedicated read buffer for each frontend
connection. With this commit, the buffer spaces are only used when
needed, and pooled if they are not used. This reduces memory usage
for idle client connections.
Previously, ciphers option sets cipher list for both frontend and
backend TLS connections. With this commit, ciphers option only sets
cipher list for frontend connections. The new client-ciphers option
sets cipher list for backend connection.
This commit adds client-no-http2-cipher-black-list option to disable
enforcement of HTTP/2 cipher black list on backend HTTP/2 connection.
Previously, existing no-http2-cipher-black-list option disables it for
both frontend and backend connections. Now no-http2-cipher-black-list
option only disables it for frontend connection.
Previously, global accept-proxy-protocol option enables PROXY protocol
support for all frontend listeners, but this was inflexible. To fix
this issue, accept-proxy-protocol option is now deprecated, and
instead proxyproto parameter in frontend option enables PROXY protocol
support per frontend.
boringssl says:
/* It is an error to clear any bits that have already been set. (We can't try
* to get a second close_notify or send two.) */
assert((SSL_get_shutdown(ssl) & mode) == SSL_get_shutdown(ssl));
on_read may fail, but we failed to check its return value most of the
places. This is because failure means deletion of ClientHandler, but
because of architecture, we cannot delete it. Feeding read event is
better since we can move call on_read from libev callback. We can
delete ClientHandler form there.
Tatsuhiro Tsujikawa
Amir Pakdel
Tomasz Torcz
clemahieu
Benedikt Christoph Wolters
Bernard Spil