Commit Graph

2657 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 1002c6da1c src: Use llround instead of round 2017-07-12 23:23:47 +09:00
Tatsuhiro Tsujikawa 18dd20ce55 nghttp: Fix bug that upgrade fails if reason-phrase is missing 2017-06-28 01:01:39 +09:00
Tatsuhiro Tsujikawa a18d154e0e Merge pull request #943 from nghttp2/nghttpx-verify-ocsp-resp-with-cacerts
nghttpx: Verify OCSP response using trusted CA certificates
2017-06-15 20:56:44 +09:00
Tatsuhiro Tsujikawa 59c78d5809 nghttpx: Verify OCSP response using trusted CA certificates 2017-06-13 23:00:26 +09:00
Tatsuhiro Tsujikawa be164fc8f9 nghttpx: Set default minimum TLS version to TLSv1.2
Previously, the default minimum TLS version was TLSv1.1, but the
default cipher list didn't include any compatible ciphers with it.
This made handshake fail if TLSv1.1 was negotiated because there was
no shared ciphers.  To make the default settings consistent, the
default minimum TLS version is now TLSv1.2.
2017-06-12 23:54:12 +09:00
Tatsuhiro Tsujikawa 6ec7683991 nghttpx: Use nocopy version to send trailer headers to backend
It looks like we can use nocopy version here.  We use nocopy version
in frontend in day 1.
2017-06-02 22:38:39 +09:00
Tatsuhiro Tsujikawa 8f7fa1b1bf nghttpx: Fix crash in OCSP response verification 2017-05-30 23:52:38 +09:00
Tatsuhiro Tsujikawa db7483ef10 Merge branch 'nghttpx-verify-ocsp' 2017-05-25 23:37:34 +09:00
Tatsuhiro Tsujikawa 74c2f1257a nghttpx: Add --no-verify-ocsp to disable OCSP response verification 2017-05-25 23:14:58 +09:00
Tatsuhiro Tsujikawa 1428a5e3ae nghttpx: Verify OCSP response
At least we should make sure that the OCSP response is targeted to the
expected certificate.  This is important because we pass the file path
to the external script, and if the file is replaced because of
renewal, and nghttpx has not reloaded its configuration, the
certificate nghttpx has loaded and the one included in the file
differ.  Verifying the OCSP response detects this, and avoids to send
wrong OCSP response.
2017-05-25 23:14:57 +09:00
Tatsuhiro Tsujikawa c57bf21306 src: memchunks: Don't use std::unique_ptr to avoid potential SO 2017-05-25 00:23:51 +09:00
Tatsuhiro Tsujikawa 8401e16a15 nghttpx: Fix compile error with gcc 2017-05-22 22:10:55 +09:00
Tatsuhiro Tsujikawa 07fb5854f3 nghttpx: Compile with openssl 1.0.2 2017-05-22 22:09:34 +09:00
Tatsuhiro Tsujikawa 796ab87b14 nghttpx: Fix certificate selection based on pub key algorithm 2017-05-21 11:12:47 +09:00
Tatsuhiro Tsujikawa ed1fad3bd4 nghttpx: Call ERR_clear_error()
Call ERR_clear_error() before the OpenSSL function if we use
SSL_get_error() to examine error stack.
2017-05-21 10:32:12 +09:00
Tatsuhiro Tsujikawa 9c1876f542 nghttpx: Fix certificate indexing bug 2017-05-21 00:19:33 +09:00
Tatsuhiro Tsujikawa 7d111d9963 Merge pull request #923 from nghttp2/compile-with-disable-assert
Compile with --disable-assert
2017-05-18 23:49:41 +09:00
Tatsuhiro Tsujikawa 1b442cb16f Compile with --disable-assert 2017-05-18 23:10:44 +09:00
Tatsuhiro Tsujikawa 0d4f0f0db5 nghttpx: Run OCSP at startup
With --ocsp-startup option, nghttpx starts accepting connections after
initial attempts to get OCSP responses finish.  It does not matter
some of the attempts fail.  This feature is useful if OCSP responses
must be available before accepting connections.
2017-05-18 22:33:49 +09:00
Tatsuhiro Tsujikawa 14edd12304 nghttpx: Refactor the code for the anti-replay 2017-05-14 17:45:35 +09:00
Tatsuhiro Tsujikawa e6ffdb23a4 nghttpx: Share session_cache_ssl_ctx across threads 2017-05-14 17:43:11 +09:00
Tatsuhiro Tsujikawa b5007d45f7 nghttpx: Wildcard path matching
This commit adds wildcard path matching.  If path pattern given in
backend option ends with "*", it is considered as wildcard path.  "*"
must match at least one character.  All paths which include wildcard
path without last "*" as prefix, and are strictly longer than wildcard
path without last "*" are matched.
2017-05-11 22:15:28 +09:00
Tatsuhiro Tsujikawa a584cf5a4f Use clang-format-4.0 2017-04-30 15:45:53 +09:00
Tatsuhiro Tsujikawa 196673bbce nghttp: Remove unused short option 'g' 2017-04-28 22:39:12 +09:00
Tatsuhiro Tsujikawa 794d13082c Merge branch 'nghttp-no-verify-peer' 2017-04-28 22:36:23 +09:00
Tatsuhiro Tsujikawa 5f5cf4107e nghttpx: Reseve rcbufs_ 2017-04-28 22:31:09 +09:00
Tatsuhiro Tsujikawa 6f3ec54b9f nghttp: Add -y, --no-verify-peer option to suppress peer verify warn 2017-04-28 09:53:37 +09:00
Tatsuhiro Tsujikawa 58043a6b04 nghttpx: Guard the presence of TLS1_3_VERSION 2017-04-27 23:13:15 +09:00
Tatsuhiro Tsujikawa a885315ef5 Merge branch 'nghttpx-unrecognized-sni' 2017-04-27 22:57:54 +09:00
Tatsuhiro Tsujikawa d7581525ac nghttpx: Update TLSv1.3 TLS record overhead 2017-04-27 22:57:06 +09:00
Tatsuhiro Tsujikawa 1085f68018 nghttpx: Return SSL_TLSEXT_ERR_NOACK if server name is not recognized
With this commit, SSL_TLSEXT_ERR_NOACK is returned from
servername_callback, which removes server_name extension from
ServerHello.  CertLookupTree is now used even if the number of server
certificate is one.  It is better to exercise it regularly.
2017-04-27 22:25:58 +09:00
Tatsuhiro Tsujikawa d63b4c1034 nghttpx: Forward multiple via, xff, and xfp header fields
Previously, for Via, X-Forwarded-For, and X-Forwarded-Proto header
field, nghttpx only forwarded the last header field of each.  With
this commit, nghttpx forwards all of them if it is configured to do
so.
2017-04-26 21:23:13 +09:00
Tatsuhiro Tsujikawa c3f5f5ca36 nghttpx: Clarify --conf option behaviour 2017-04-20 22:25:38 +09:00
Tatsuhiro Tsujikawa 911d12f7c4 nghttpx: Add log when loading configuration file 2017-04-20 22:22:29 +09:00
Tatsuhiro Tsujikawa 17614312e0 Merge pull request #892 from nghttp2/nghttpx-sni-fwd
nghttpx: SNI based backend server selection
2017-04-19 21:22:15 +09:00
Tatsuhiro Tsujikawa a2e35a0757 nghttpx: Add $tls_sni access log variable 2017-04-18 22:44:26 +09:00
Tatsuhiro Tsujikawa a4a2b6403b nghttpx: Use SHRPX_LOGF_TLS_* instead of SHRPX_LOGF_SSL_* 2017-04-18 22:34:08 +09:00
Tatsuhiro Tsujikawa 03be97e437 nghttpx: Rename ssl_* log variables as tls_*
The exiting ssl_* log variables still work for backward compatibility.
2017-04-18 22:11:05 +09:00
Tatsuhiro Tsujikawa 0a2d1965df nghttpx: Fix path matching bug
Previously, if path is empty or path does not start with "/", nghttpx
did not try to match with wildcard pattern.  This commit fixes it.
2017-04-18 21:03:50 +09:00
Tatsuhiro Tsujikawa c8a5f1e335 nghttpx: SNI based backend server selection 2017-04-16 23:47:10 +09:00
Tatsuhiro Tsujikawa a1bc83a2ba Merge pull request #881 from mway/dev/request-priority
Support specifying stream priority via session::submit()
2017-04-12 23:36:40 +09:00
Matt Way bc3949db9e Support specifying stream priority via session::submit() 2017-04-12 10:07:16 -04:00
Tatsuhiro Tsujikawa 6cfa885207 nghttpx: Remove unused lambda capture 2017-04-12 22:09:44 +09:00
Tatsuhiro Tsujikawa e61ac4682e Merge branch 'nghttpx-xfp-take2' 2017-04-09 16:02:53 +09:00
Tatsuhiro Tsujikawa 4d10dce61d nghttpx: Only send SCT for leaf certificate 2017-04-09 14:38:18 +09:00
Tatsuhiro Tsujikawa 2d9fd87029 nghttpx: Enable signed_certificate_timestamp extension for TLSv1.3 2017-04-09 14:11:49 +09:00
Tatsuhiro Tsujikawa cc9190ab37 nghttpx: Add options for X-Forwarded-Proto header field
This commit adds 2 new options to handle X-Forwarded-Proto header
field.  The --no-add-x-forwarded-proto option makes nghttpx not to
append X-Forwarded-Proto value.  The
--no-strip-incoming-x-forwarded-proto option prevents nghttpx from
stripping the header field from client.

Previously, nghttpx always strips incoming header field, and set its
own header field.  This commit preserves this behaviour, and adds
additional knobs.
2017-04-08 18:46:36 +09:00
Tatsuhiro Tsujikawa 980570de71 Revert "nghttpx: Add options for X-Forwarded-Proto header field"
This reverts commit 8c0b2c684a.
2017-04-08 18:37:54 +09:00
Tatsuhiro Tsujikawa 46ccc4332c nghttpx: Fix bug that 204 from h1 backend is always treated as error 2017-04-07 21:45:13 +09:00
Tatsuhiro Tsujikawa 4e6bd54dd1 Merge branch 'nghttpx-single-process' 2017-04-06 20:18:33 +09:00