Commit Graph

51 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 0875e66aab src: Remove streq(const char *) overload 2016-03-25 00:02:07 +09:00
Tatsuhiro Tsujikawa 4dfae3484f nghttpx: Refactor CertLookupTree interface 2016-03-24 23:35:15 +09:00
Tatsuhiro Tsujikawa 372123c178 nghttpx: Remove strieq(const char*, cosnt char*) overload, and fix unittests 2016-03-24 23:34:56 +09:00
Tatsuhiro Tsujikawa eec0b04a33 nghttpx: Enable/disable TLS per frontend address
This change allows user to disable TLS per frontend address using
no-tls keyword in --frontend option.  We removed --frontend-no-tls in
favor of this new feature.
2016-03-23 23:56:09 +09:00
Tatsuhiro Tsujikawa 58b06f32a2 nghttpx: Configure TLS per backend routing pattern
We added "tls" parameter to --backend option to enable TLS on that
backend connection.  --backend-tls options was deprecated, now is
noop.
2016-03-23 22:56:18 +09:00
Tatsuhiro Tsujikawa 1832f78684 nghttpx: Move downstream proto to DownstreamAddrGroup 2016-02-28 16:56:14 +09:00
Tatsuhiro Tsujikawa f2a7275700 nghttpx: Cache TLS session inside DownstreamAddr object 2016-02-21 16:35:43 +09:00
Tatsuhiro Tsujikawa dfc02843b6 src: Rename and rewrite numeric_hostport as to_numeric_addr and support AF_UNIX path 2016-02-21 15:28:11 +09:00
Tatsuhiro Tsujikawa 3297a303bf nghttpx: Add client auth options for session cache memcached TLS connection 2016-02-13 18:46:07 +09:00
Tatsuhiro Tsujikawa f1580f95d4 nghttpx: Add TLS support for session cache memcached connection 2016-02-13 18:46:07 +09:00
Tatsuhiro Tsujikawa 82f942c3a3 nghttpx: Parameterize configuration values for client side TLS context 2016-02-11 18:34:31 +09:00
Tatsuhiro Tsujikawa 6d49110a33 Rename FrontendAddr as UpstreamAddr 2016-02-07 17:51:53 +09:00
Tatsuhiro Tsujikawa aa07fe7fa6 nghttpx: Support multiple frontend addresses
This commit allows nghttpx to listen to multiple address and port pair
by specifying -f option multiple times.
2016-02-01 23:10:29 +09:00
Tatsuhiro Tsujikawa dbbf3a4a10 nghttpx: Refactor TLS hostname match 2016-01-16 23:54:21 +09:00
Tatsuhiro Tsujikawa 566b0476d7 nghttpx: Enable neverbleed for client private key; don't run nb without TLS 2015-09-26 21:28:46 +09:00
Tatsuhiro Tsujikawa 044385ab6e Add neverbleed support
neverbleed is disabled by default.  To enable it, use
--with-neverbleed configure option.
2015-09-26 19:01:31 +09:00
Tatsuhiro Tsujikawa ff44e211ed nghttpx: Fix tls handshake bug
This fixes 2 things:
1. potential busy loop
2. disabling ticket is not working after resumption
2015-08-09 18:33:49 +09:00
Tatsuhiro Tsujikawa d0a37d59a5 nghttpx: Disable TLS session ticket if ticket key is not available 2015-07-29 20:38:49 +09:00
Tatsuhiro Tsujikawa 90b4b48c7e nghttpx: Add shared session cache using memcached 2015-07-26 23:33:06 +09:00
Tatsuhiro Tsujikawa a8574fdef2 nghttpx: Use Use std::string instead of std::unique_ptr<char[]> for tls config 2015-07-20 23:15:01 +09:00
Tatsuhiro Tsujikawa dd8ce1e9d2 nghttpx: Use std::unique_ptr<char[]> instead of raw char pointer 2015-07-20 21:37:23 +09:00
Tatsuhiro Tsujikawa 3119fc259c Select backend based on request host and path by extending -b option
-b option syntax is now <HOST>,<PORT>[;<PATTERN>[:...]].  The optional
<PATTERN>s specify the request host and path it is used for.  The
<PATTERN> can contain path, host + path or host.  The matching rule is
closely designed to ServeMux in Go programming language.
2015-07-11 00:15:52 +09:00
Tatsuhiro Tsujikawa 532bffdb01 nghttpx: Minimize critical section for shared ocsp response 2015-06-12 21:27:12 +09:00
Tatsuhiro Tsujikawa 590a5c3ff3 Fix typo 2015-06-05 00:18:29 +09:00
Tatsuhiro Tsujikawa d247470da2 nghttpx: Rewrite ocsp without thread
Since libev handles SIGCHLD, using waitpid in separate thread to wait
for the completion of fetch-ocsp-response script process is undefined.
This commit rewrite ocsp handling code so that it utilizes libev
ev_child watcher and perform ocsp update without thread.
2015-04-09 01:03:28 +09:00
Tatsuhiro Tsujikawa 4bc9afe20a nghttpx: Add OCSP stapling feature 2015-03-30 23:58:28 +09:00
Tatsuhiro Tsujikawa ae0100a9ab nghttpx: Refactor worker interface 2015-02-11 22:49:03 +09:00
Tatsuhiro Tsujikawa b165775811 nghttpx: Refactor CertLookupTree 2015-02-06 21:25:43 +09:00
Tatsuhiro Tsujikawa 1e4f8f27fd nghttpx: Add --tls-ctx-per-worker option
When same SSL_CTX is used by multiple thread simultaneously we have to
setup some number of mutex locks for it.  We could not check how this
locking affects scalability since we have 4 cores at best in our
development machine.  Good side of sharing SSL_CTX across threads is
we can share session ID pool.

If --tls-ctx-per-worker is enabled, SSL_CTX is created per thread
basis and we can eliminate mutex locks.  The downside is session ID is
no longer shared, which means if session ID generated by one thread
cannot be acceptable by another thread.  But we have now session
ticket enabled and its keys are shared by all threads.
2015-01-13 00:25:02 +09:00
Tatsuhiro Tsujikawa 0ea041e8cb nghttpx: Add doc and clean up 2015-01-12 22:47:30 +09:00
Tatsuhiro Tsujikawa bfac015d61 src: Use libev for rest of the applications 2015-01-03 00:19:41 +09:00
Tatsuhiro Tsujikawa b607a22076 nghttpx: Support multiple HTTP/1 backend address
For HTTP/1 backend, -b option can be used several times to specify
multiple backend address.  HTTP/2 backend does not support multiple
addresses and only uses first address even if multiple addresses are
specified.
2014-12-06 19:30:27 +09:00
Tatsuhiro Tsujikawa b1f807abd1 Reformat lines with clang-format-3.5 2014-11-27 23:56:30 +09:00
Tatsuhiro Tsujikawa 20de432725 nghttpx: Pool http downstream connection per thread 2014-10-13 21:09:00 +09:00
Tatsuhiro Tsujikawa 479e15469c nghttpx: Add worker-frontend-connections option 2014-06-26 22:55:22 +09:00
Tatsuhiro Tsujikawa c204861dec nghttpx: Create NPN prefs only once 2014-06-10 23:22:23 +09:00
Tatsuhiro Tsujikawa 0fd5b2aa32 nghttpx: Use std::vector for tls_proto_list and npn_list
Now SSL/TLS option mask to disable particular SSL/TLS protocol
versions are pre-calculated and stored in Config.
2014-06-08 23:09:44 +09:00
Tatsuhiro Tsujikawa 6c66bd5c7c ALPN: Do not negotiate HTTP/2 unless TLSv1.2 or TLSv1.1 was used 2014-04-26 22:37:48 +09:00
Tatsuhiro Tsujikawa ab2dc5967d Replace HTTP/2.0 with HTTP/2 2014-03-30 19:26:37 +09:00
Tatsuhiro Tsujikawa a457d2a138 h2load, nghttp: Use SNI field for non-numeric host 2014-03-15 15:32:38 +09:00
Tatsuhiro Tsujikawa d074cb611f nghttpx: Add rate limit per worker thread
The existing options --{read,write}-{rate,burst} are per connection.
The new options --worker-{read,write}-{rate,burst} are per worker
thread, which is overall rate limit of all connections worker handles.
2014-03-09 14:53:28 +09:00
Tatsuhiro Tsujikawa d4ea2418d8 nghttpx: Use LibsslGlobalLock 2014-03-04 21:33:43 +09:00
Tatsuhiro Tsujikawa 20877b1107 nghttpx: Don't allow application protocol not listed in --npn-list option 2014-01-02 00:53:07 +09:00
Tatsuhiro Tsujikawa 0edce70343 Rebranding nghttp2 2013-07-13 00:43:06 +09:00
Tatsuhiro Tsujikawa 291cbc639b shrpx: Use patricia trie for cert lookup 2013-02-14 00:28:55 +09:00
Tatsuhiro Tsujikawa c707125839 shrpx: Explicitly hold server SSL_CTX and client SSL_CTX 2013-02-07 21:13:36 +09:00
Tatsuhiro Tsujikawa b18af854af shrpx: Add --subcert option to add additional certificate/private key
This option specifies additional certificate and private key
file. Shrpx will choose certificates based on the hostname indicated
by client using TLS SNI extension. This option can be used multiple
times.
2013-02-06 23:41:28 +09:00
Tatsuhiro Tsujikawa 9aa7af2c7f shrpx: Use SNI TLS extension in client mode 2012-11-22 21:51:11 +09:00
Tatsuhiro Tsujikawa d589f4c74c shrpx: Verify backend server's certificate in client mode
The -k, --insecure option is added to skip this verification.  The
system wide trusted CA certificates will be loaded at startup. The
--cacert option is added to specify the trusted CA certificate file.
2012-11-22 21:46:15 +09:00
Tatsuhiro Tsujikawa 026f4ca3a2 Add --client-mode option
With --client-mode option, shrpx now accepts unencrypted HTTP
connections and communicates with backend server in SPDY.  In short,
this is the "reversed" operation mode against normal mode.  This may
be useful for testing purpose because it can sit between HTTP client
and shrpx "normal" mode.
2012-11-18 21:46:07 +09:00