Commit Graph

167 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 03a2828fcf src: Disable SSL_MODE_ENABLE_PARTIAL_WRITE for apps which use libevent 2014-11-05 01:15:38 +09:00
Tatsuhiro Tsujikawa c6cfcc3c30 src: Disable insecure SSLv3 2014-10-22 23:14:07 +09:00
Tatsuhiro Tsujikawa 20de432725 nghttpx: Pool http downstream connection per thread 2014-10-13 21:09:00 +09:00
Tatsuhiro Tsujikawa e4751a798a Replace auto_delete* with defer 2014-09-16 23:39:38 +09:00
Tatsuhiro Tsujikawa 8890e593e6 src: Add util::array_size 2014-08-28 00:45:12 +09:00
Tatsuhiro Tsujikawa 0ce848a611 nghttpx: Rewrite logging system
This change rewrites logging system of nghttpx.  Previously access log
and error log are written to stderr or syslog and there was no option
to change stderr to something else.  With this change, file path of
access log and error log can be configured separately and logging to
regular file is now added.  To support rotating log, if SIGUSR1 signal
is received by nghttpx, it closes the current log files and reopen it
with the same name.  The format of access log is changed and has same
look of apache's.  But not all columns are not supported yet.
2014-07-05 18:43:24 +09:00
Tatsuhiro Tsujikawa a3334bb21c nghttpd: Use cipher suites recommended by Mozilla 2014-06-28 15:28:19 +09:00
Tatsuhiro Tsujikawa 479e15469c nghttpx: Add worker-frontend-connections option 2014-06-26 22:55:22 +09:00
Tatsuhiro Tsujikawa 2bfa772472 nghttpx: Update cipher suite list 2014-06-19 23:26:30 +09:00
Tatsuhiro Tsujikawa 87360b4f7d nghttpx: Require TLSv.12 for h2 2014-06-18 12:09:30 +09:00
Tatsuhiro Tsujikawa 041cec2d97 nghttpx: Check error from SSL_set_fd 2014-06-12 23:39:58 +09:00
Tatsuhiro Tsujikawa 21c4931197 nghttpx: Get rid of openssl filter
Libevent Openssl filter is very inconvenient in various respect.  The
most annoying thing is it somehow emits data when SSL_shutdown is
called.  The reason we introduced this filter solution is drop
connection if TLS renegotiation is detected.  This commit implements
renegotiation detection and drop connection without filtering.
2014-06-11 01:16:49 +09:00
Tatsuhiro Tsujikawa d6b5824c9c nghttpx: Don't check TLS requirement in ALPN cb cause cipher obj is nullptr
Also don't compare ALPN identifier with streq, since they are just
byte string.
2014-06-10 23:22:52 +09:00
Tatsuhiro Tsujikawa c204861dec nghttpx: Create NPN prefs only once 2014-06-10 23:22:23 +09:00
Tatsuhiro Tsujikawa 7b0ed5d9bd nghttpx: Only allow DHE, ECDHE + AEAD ciphers for HTTP/2
Cipher suites are chosen by DHE and ECDHE ciphers + GCM (AEAD).  Now
default cipher list is the one recommended by Mozilla web site.  The
--honor-cipher-order option is removed and now it is always assumed.
2014-06-10 22:47:22 +09:00
Tatsuhiro Tsujikawa 0fd5b2aa32 nghttpx: Use std::vector for tls_proto_list and npn_list
Now SSL/TLS option mask to disable particular SSL/TLS protocol
versions are pre-calculated and stored in Config.
2014-06-08 23:09:44 +09:00
Tatsuhiro Tsujikawa 14b818efc8 nghttpx: Use std::unique_ptr<char[]> instead of char* 2014-06-08 21:02:40 +09:00
Tatsuhiro Tsujikawa b8ed74c1ec nghttpx: Disable SSL_CTX_set_ecdh_auto() for now 2014-06-06 23:17:32 +09:00
Tatsuhiro Tsujikawa 896717f5d4 nghttpx: Make --npn-list option work in ALPN
Previously --npn-list option is ignored in ALPN protocol selection
callback.  This change fixes this issue.
2014-05-21 21:16:44 +09:00
Tatsuhiro Tsujikawa 2ae1da113e src: Use C++ style comments for C++ source code 2014-05-14 23:22:23 +09:00
Tatsuhiro Tsujikawa fa8b310cfd nghttpx: Return SSL_TLSEXT_ERR_OK from servername_callback 2014-04-27 23:17:19 +09:00
Tatsuhiro Tsujikawa 6c66bd5c7c ALPN: Do not negotiate HTTP/2 unless TLSv1.2 or TLSv1.1 was used 2014-04-26 22:37:48 +09:00
Tatsuhiro Tsujikawa cd69ed20c3 nghttpx: Select SPDY protocol in ALPN 2014-04-26 19:36:35 +09:00
Tatsuhiro Tsujikawa ab2dc5967d Replace HTTP/2.0 with HTTP/2 2014-03-30 19:26:37 +09:00
Tatsuhiro Tsujikawa a457d2a138 h2load, nghttp: Use SNI field for non-numeric host 2014-03-15 15:32:38 +09:00
Tatsuhiro Tsujikawa d074cb611f nghttpx: Add rate limit per worker thread
The existing options --{read,write}-{rate,burst} are per connection.
The new options --worker-{read,write}-{rate,burst} are per worker
thread, which is overall rate limit of all connections worker handles.
2014-03-09 14:53:28 +09:00
Tatsuhiro Tsujikawa d4ea2418d8 nghttpx: Use LibsslGlobalLock 2014-03-04 21:33:43 +09:00
Tatsuhiro Tsujikawa dfbea797bd src: Use static_cast instead of reinterpret_cast if possible 2014-01-19 21:18:37 +09:00
Tatsuhiro Tsujikawa f59a9c5c58 nghttpx: Disable TLS renegotiation properly
4ed4efc does not disable TLS renegotiation at all, if client keeps
rengotiations without sending application data. In this change,
we intercept the raw incoming data from the client and if it is a
renegotiation, drop the connection immediately.
2014-01-19 17:25:18 +09:00
Tatsuhiro Tsujikawa 4ed4efc241 nghttpx: Disable TLS renegotiation 2014-01-18 19:53:52 +09:00
Tatsuhiro Tsujikawa 8c6f3d1054 nghttpx: Set our own default cipher list 2014-01-13 23:01:22 +09:00
Tatsuhiro Tsujikawa a15fc5fbb4 nghttpx: Send acceptable list of CAs when client cert auth is enabled 2014-01-09 00:07:51 +09:00
Tatsuhiro Tsujikawa 7ce3065f32 nghttpx: Add --tls-proto-list option to enable SSL/TLS protocol selectively 2014-01-02 13:08:54 +09:00
Tatsuhiro Tsujikawa 20877b1107 nghttpx: Don't allow application protocol not listed in --npn-list option 2014-01-02 00:53:07 +09:00
Tatsuhiro Tsujikawa 78e5149495 src: Support ALPN
Requires unreleased OpenSSL >= 1.0.2
2014-01-02 00:15:08 +09:00
Tatsuhiro Tsujikawa f0d7323902 nghttpx: Use SSL_CTX_set_ecdh_auto for OpenSSL >= 1.0.2 2014-01-01 23:26:00 +09:00
Tatsuhiro Tsujikawa 69967aeef8 nghttpx: Add --client-private-key-file and --client-cert-file options 2013-11-02 23:34:25 +09:00
Tatsuhiro Tsujikawa 5bb7066474 nghttpx: Add --verify-client-cacert option
Using --cacert to load certificate for client certificate authentication
is problematic since, --cacert is also used for client mode.
This commit adds --verify-client-cacert option which specify the CA
certficate file used only for client certificate validation.
This change also removes the default certficate load function for
client certificate validation.
2013-11-02 21:41:05 +09:00
Tatsuhiro Tsujikawa 02acfd7d70 nghttpx: Add --verify-client option
This option requires client certificate and successful verification.
Use --cacert option to add CA certificates as necessary.
2013-11-02 01:10:18 +09:00
Tatsuhiro Tsujikawa a0326b3f2b nghttpx: Handle error from bufferevent_socket_new and event_base_new 2013-09-24 23:17:53 +09:00
Tatsuhiro Tsujikawa b459e42ee5 shrpx_ssl.cc: Use std::unique_ptr for ssl_locks 2013-09-24 21:31:48 +09:00
Tatsuhiro Tsujikawa ab39ae849f nghttpx: Add --npn-list option 2013-09-23 20:55:39 +09:00
Tatsuhiro Tsujikawa e5e1e9b76e shrpx_ssl.cc: Another code cleanup 2013-09-23 18:49:39 +09:00
Tatsuhiro Tsujikawa bd55f9cf2a shrxp_ssl.cc: Code cleanup 2013-09-23 18:40:17 +09:00
Tatsuhiro Tsujikawa 10f131c9d8 nghttpx: Guard ecdh use with !OPENSSL_NO_EC 2013-09-07 23:37:17 +09:00
Tatsuhiro Tsujikawa 9e703170cd nghttpx: Enable --honor-cipher-order automatically when --ciphers is used 2013-08-30 23:02:47 +09:00
Tatsuhiro Tsujikawa aea036c9d4 nghttpx: Support ECDHE and DHE cipher suites
Use --dh-param-file option to specify a file including DH parameters
in PEM format.

For example, you can create DH parameters with 1024 bit key using
following command:

$ openssl dhparam -outform PEM -out dhparam.pem 1024
2013-08-30 22:07:42 +09:00
Tatsuhiro Tsujikawa 32bd1425b4 shrpx: SPDY support in upstream connection 2013-07-26 20:12:55 +09:00
Tatsuhiro Tsujikawa 0edce70343 Rebranding nghttp2 2013-07-13 00:43:06 +09:00
moparisthebest 7dfa559bc4 Add --honor-cipher-order option to mitigate BEAST attacks 2013-04-18 14:25:48 -04:00
Tatsuhiro Tsujikawa dbb0df5c5b Remove strerror(3) from code which may run in multi-thread 2013-02-25 22:43:44 +09:00
Tatsuhiro Tsujikawa 64fcac48b7 shrpx: Fix bug in building certificate lookup tree 2013-02-16 17:51:38 +09:00
Tatsuhiro Tsujikawa c8167234fa shrpx: Fix bug in certificate lookup 2013-02-16 02:33:16 +09:00
Tatsuhiro Tsujikawa 291cbc639b shrpx: Use patricia trie for cert lookup 2013-02-14 00:28:55 +09:00
Tatsuhiro Tsujikawa c707125839 shrpx: Explicitly hold server SSL_CTX and client SSL_CTX 2013-02-07 21:13:36 +09:00
Tatsuhiro Tsujikawa b18af854af shrpx: Add --subcert option to add additional certificate/private key
This option specifies additional certificate and private key
file. Shrpx will choose certificates based on the hostname indicated
by client using TLS SNI extension. This option can be used multiple
times.
2013-02-06 23:41:28 +09:00
Tatsuhiro Tsujikawa 65e965791f shrpx: Replace strncpy + putting null with memcpy in ssl_pem_passwd_cb 2012-12-07 23:42:58 +09:00
Raul Gutierrez Segales cbf8ccf7d1 [shrpx] read private key's passwd from a file
This avoids the need to provide the password for your
private key interactively.

It can be used via --private-key-passwd-file or private-key-passwd-file
in the given config file. The first line in the file
(without \n) will be treated as the passwd. There isn't
any validation and all lines after the first one (if any)
are ignored.

The security model behind this is a bit simplistic so I
am open to better ideas. Basically your password file
should be root:root (700) and you *should* drop root
and run as an unprivileged user.

If the file exists and a line can be read then a callback
will be set for the SSL ctxt and it'll feed the passwd
when the private key is read (if password is needed).

If the file exists with the wrong permisions it'll be
logged and ignored.
2012-12-03 21:55:32 -08:00
Tatsuhiro Tsujikawa 9aa7af2c7f shrpx: Use SNI TLS extension in client mode 2012-11-22 21:51:11 +09:00
Tatsuhiro Tsujikawa d589f4c74c shrpx: Verify backend server's certificate in client mode
The -k, --insecure option is added to skip this verification.  The
system wide trusted CA certificates will be loaded at startup. The
--cacert option is added to specify the trusted CA certificate file.
2012-11-22 21:46:15 +09:00
Tatsuhiro Tsujikawa fa552c6788 shrpx: Share SPDY session among multiple frontend connections per thread
In client mode, now SPDY connection to the backend server is
established per thread.  The frontend connections which belong to the
same thread share the SPDY connection.
2012-11-21 01:29:39 +09:00
Tatsuhiro Tsujikawa ae30e7f71b shrpx: Split request path into SPDY specific headers 2012-11-19 21:40:59 +09:00
Tatsuhiro Tsujikawa 077275e783 Fix typo SPDY/3 2012-11-19 02:10:58 +09:00
Tatsuhiro Tsujikawa 026f4ca3a2 Add --client-mode option
With --client-mode option, shrpx now accepts unencrypted HTTP
connections and communicates with backend server in SPDY.  In short,
this is the "reversed" operation mode against normal mode.  This may
be useful for testing purpose because it can sit between HTTP client
and shrpx "normal" mode.
2012-11-18 21:46:07 +09:00
Tatsuhiro Tsujikawa 4748443899 shrpx: Log detailed error description in SSL code 2012-11-14 21:14:11 +09:00
Tatsuhiro Tsujikawa c0577602d1 shrpx: Made SPDY/3 default protocol in SPDY proxy mode
The reason why we choose SPDY/2 as default for SPDY prxy was due to
Chrome's window update bug. Now its fix is available in Chrome stable,
we make SPDY/3 as default.
2012-10-01 23:01:44 +09:00
Tatsuhiro Tsujikawa b0fcd68783 Move spdycat, spdyd and shrpx from examples to src
To distinguish the to-be-installed programs and non-installable
example source code, the former programs, spdycat, spdydyd and shrpx,
were moved to src directory. spdynative was removed from Makefile
because it does not appeal to any users much.
2012-09-10 21:39:51 +09:00