Commit Graph

105 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 7271537a15 nghttpx: Add --rlimit-memlock option 2021-09-24 18:13:38 +09:00
Tatsuhiro Tsujikawa 308c73bfa2 nghttpx: Read QUIC keying materials from file
Add --frontend-quic-secret-file to read QUIC keying materials from
file.  --frontend-quic-connection-id-encryption-key was removed in
favor of this new option.
2021-09-23 11:18:07 +09:00
Tatsuhiro Tsujikawa 80cc623eb2 nghttpx: Allocate server id in Connection ID 2021-09-21 23:08:55 +09:00
Tatsuhiro Tsujikawa fd060eb9f1 nghttpx: Connection ID encryption 2021-09-15 21:31:03 +09:00
Tatsuhiro Tsujikawa 8f419a4869 nghttpx: Add --frontend-quic-congestion-controller option 2021-09-13 21:35:46 +09:00
Tatsuhiro Tsujikawa f74b6d9a43 nghttpx: Add --frontend-quic-require-token option 2021-09-12 15:04:54 +09:00
Tatsuhiro Tsujikawa addd614e94 nghttpx: Add qlog support 2021-09-06 20:06:38 +09:00
Tatsuhiro Tsujikawa ab16a11aa3 nghttpx: Add --frontend-quic-early-data, disable early data by default 2021-09-05 21:39:45 +09:00
Tatsuhiro Tsujikawa 7d13891066 nghttpx: Rename eBPF options 2021-08-27 21:34:18 +09:00
Tatsuhiro Tsujikawa d2729193c7 nghttpx: Add --frontend-http3-max-concurrent-streams option 2021-08-27 21:11:03 +09:00
Tatsuhiro Tsujikawa 87fb325357 nghttpx: Add window size options for HTTP/3 connection 2021-08-27 21:02:45 +09:00
Tatsuhiro Tsujikawa 5aeae7444f nghttpx: Add --frontend-quic-debug-log option 2021-08-27 19:16:25 +09:00
Tatsuhiro Tsujikawa c9b11e9fbf nghttpx: Rename --quic-idle-timeout to --frontend-quic-idle-timeout 2021-08-27 19:03:06 +09:00
Tatsuhiro Tsujikawa 6931cb9d65 nghttpx: Add --quic-idle-timeout option 2021-08-27 18:44:33 +09:00
Tatsuhiro Tsujikawa 717e7ae8b2 nghttpx: Add --frontend-http3-read-timeout option
Add --frontend-http3-read-timeout option.  QUIC idle timeout option
will be added later.
2021-08-27 18:29:06 +09:00
Tatsuhiro Tsujikawa 51bf79bb8c nghttpx: Add --http2-altsvc option 2021-08-26 21:34:49 +09:00
Tatsuhiro Tsujikawa 8563ec5a7a nghttpx: Add options to specify eBPF program file path and disable eBPF 2021-08-26 21:34:49 +09:00
Tatsuhiro Tsujikawa cef458c31c Replace black-list with block-list
nghttpx --no-http2-cipher-black-list and
--client-no-http2-cipher-black-list are deprecated and replaced with
--no-http2-cipher-block-list and --client-no-http2-cipher-block-list
respectively.
2021-04-02 22:35:37 +09:00
Tatsuhiro Tsujikawa 6b7ade9f3f Require python3 for python scripts 2020-12-29 17:35:55 +09:00
Tatsuhiro Tsujikawa 4e3c61ef4d nghttpx: Add accesslog variables to record request path without query
This commit adds the following variables to construct request line without
including query component:

* $method
* $path
* $path_without_query
* $protocol_version
2020-09-19 23:58:37 +09:00
Tatsuhiro Tsujikawa 4d562b773b nghttpx: Convert LogFragmentType to enum class 2018-11-02 14:14:48 +09:00
Tatsuhiro Tsujikawa 5b42815afb nghttpx: Strip incoming Early-Data header field by default 2018-09-09 22:37:22 +09:00
Tatsuhiro Tsujikawa cfe7fa9a75 nghttpx: Add --tls13-ciphers and --tls-client-ciphers options 2018-09-09 16:35:47 +09:00
Tatsuhiro Tsujikawa 9b03c64f68 nghttpx: Should postpone early data by default 2018-09-08 19:22:30 +09:00
Tatsuhiro Tsujikawa 9f21258720 Specify SSL_CTX_set_max_early_data and add an option to change max value 2018-09-08 17:59:28 +09:00
Tatsuhiro Tsujikawa 47f6012407 nghttpx: Add an option to postpone early data processing 2018-09-08 17:57:21 +09:00
Tatsuhiro Tsujikawa 7417fd71a4 nghttpx: Per-pattern not per-backend 2018-08-28 17:50:01 +09:00
Tatsuhiro Tsujikawa b574ae6aa2 nghttpx: Support per-backend mruby script 2018-08-23 18:13:29 +09:00
Tatsuhiro Tsujikawa e8af7afc65 nghttpx: Add an option to accept expired client certificate 2018-02-08 16:51:23 +09:00
Tatsuhiro Tsujikawa eca0a3025b nghttpx: Add $tls_client_serial log variable 2017-11-16 22:53:54 +09:00
Tatsuhiro Tsujikawa 22502182d0 Add tls_client_issuer_name log variable and expose it to mruby 2017-11-15 23:41:47 +09:00
Tatsuhiro Tsujikawa 539e27812b nghttpx: Add tls_client_fingerprint_sha1 to mruby and accesslog
Also tls_client_fingerprint is renamed to
tls_client_fingerprint_sha256.
2017-10-31 21:41:40 +09:00
Tatsuhiro Tsujikawa cb376bcd80 nghttpx: Add client fingerprint and subject name to accesslog 2017-10-29 21:47:00 +09:00
Tatsuhiro Tsujikawa 74c2f1257a nghttpx: Add --no-verify-ocsp to disable OCSP response verification 2017-05-25 23:14:58 +09:00
Tatsuhiro Tsujikawa 0d4f0f0db5 nghttpx: Run OCSP at startup
With --ocsp-startup option, nghttpx starts accepting connections after
initial attempts to get OCSP responses finish.  It does not matter if
some of the attempts fail.  This feature is useful if OCSP responses
must be available before accepting connections.
2017-05-18 22:33:49 +09:00
Tatsuhiro Tsujikawa a2e35a0757 nghttpx: Add $tls_sni access log variable 2017-04-18 22:44:26 +09:00
Tatsuhiro Tsujikawa 03be97e437 nghttpx: Rename ssl_* log variables as tls_*
The existing ssl_* log variables still work for backward compatibility.
2017-04-18 22:11:05 +09:00
Tatsuhiro Tsujikawa cc9190ab37 nghttpx: Add options for X-Forwarded-Proto header field
This commit adds 2 new options to handle X-Forwarded-Proto header
field.  The --no-add-x-forwarded-proto option makes nghttpx not
append X-Forwarded-Proto value.  The
--no-strip-incoming-x-forwarded-proto option prevents nghttpx from
stripping the header field from client.

Previously, nghttpx always strips incoming header field, and sets its
own header field.  This commit preserves this behaviour, and adds
additional knobs.
2017-04-08 18:46:36 +09:00
Tatsuhiro Tsujikawa 980570de71 Revert "nghttpx: Add options for X-Forwarded-Proto header field"
This reverts commit 8c0b2c684a.
2017-04-08 18:37:54 +09:00
Tatsuhiro Tsujikawa ef92b54db3 Revert "integration: Add tests for X-Forwarded-Proto handling"
This reverts commit 6aa581d2f0.
2017-04-08 18:34:10 +09:00
Tatsuhiro Tsujikawa 223e971c7e nghttpx: Add --single-process option
With --single-process option, nghttpx will run in a single process
mode where master and worker are unified into one process.  nghttpx
still spawns additional process for neverbleed.  In the single process
mode, signal handling is disabled.
2017-04-06 20:02:57 +09:00
Tatsuhiro Tsujikawa 6aa581d2f0 integration: Add tests for X-Forwarded-Proto handling 2017-04-06 19:20:08 +09:00
Tatsuhiro Tsujikawa 8c0b2c684a nghttpx: Add options for X-Forwarded-Proto header field
This commit adds 2 new options to handle X-Forwarded-Proto header
field.  The --add-x-forwarded-proto option makes nghttpx append
X-Forwarded-Proto value.  The --strip-incoming-x-forwarded-proto
option makes nghttpx strip the header field from client.

Previously, nghttpx always strips incoming header field, and sets its
own header field.  This commit changes this behaviour.  Now nghttpx
does not strip, and append X-Forwarded-Proto header field by default.
The X-Forwarded-For, and Forwarded header fields are also handled in
the same way.  To recover the old behaviour, use
--add-x-forwarded-proto and --strip-incoming-x-forwarded-proto
options.
2017-04-06 19:17:36 +09:00
Tatsuhiro Tsujikawa 2af57c3cfc nghttpx: Add --single-worker option
Previously, nghttpx will use only one single thread inside the worker
process if --workers=1 (this is default).  If --workers=N, N > 1, we
use additional threads for accepting connections, or API request
processing, etc.

With this commit, we use the same processing model for N > 1 even if N
== 1.  To restore the original single thread execution mode,
--single-worker option is added.  If threading is disabled
--single-worker is always true.
2017-02-21 22:19:34 +09:00
Tatsuhiro Tsujikawa 9d16292fe4 nghttpx: Add --frontend-max-requests option 2017-02-20 23:36:50 +09:00
Tatsuhiro Tsujikawa a7c780a732 nghttpx: Redirect to HTTPS URI with redirect-if-not-tls param
This commit removes frontend-tls parameter, and adds
redirect-if-not-tls parameter to --backend option.  nghttpx
now responds to the request with 308 status code to redirect the
request to https URI if frontend connection is not TLS encrypted, and
redirect-if-no-tls parameter is used in --backend option.  The port
number in Location header field is 443 by default (thus omitted), but
it can be configurable using --redirect-https-port option.
2017-02-18 22:32:27 +09:00
Tatsuhiro Tsujikawa b36e53cccd nghttpx: Specify TLS protocol by version range
This commit deprecates --tls-proto-list option, and adds 2 new
options: --tls-min-proto-version and --tls-max-proto-version to
specify minimum and maximum protocol version respectively.  Versions
between the two are enabled.  The deprecated --tls-proto-list has
empty default value, and acts like enabling only specific protocol
versions in the range for now.
2017-02-14 00:01:09 +09:00
Tatsuhiro Tsujikawa 685e926494 nghttpx: Add --accesslog-write-early option
--accesslog-write-early option is analogous to HAProxy's logasap.  If
used, nghttpx writes access log when response header fields are
received from backend rather than when request transaction finishes.
2017-01-13 22:12:21 +09:00
Tatsuhiro Tsujikawa 9c7e54d9b5 nghttpx: Add client-ciphers option
Previously, ciphers option sets cipher list for both frontend and
backend TLS connections.  With this commit, ciphers option only sets
cipher list for frontend connections.  The new client-ciphers option
sets cipher list for backend connection.
2017-01-08 22:40:58 +09:00
Tatsuhiro Tsujikawa 3c03024881 nghttpx: Add client-no-http2-cipher-black-list option
This commit adds client-no-http2-cipher-black-list option to disable
enforcement of HTTP/2 cipher black list on backend HTTP/2 connection.
Previously, existing no-http2-cipher-black-list option disables it for
both frontend and backend connections.  Now no-http2-cipher-black-list
option only disables it for frontend connection.
2017-01-08 22:33:19 +09:00