Commit Graph

2756 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 18dd20ce55 nghttp: Fix bug that upgrade fails if reason-phrase is missing 2017-06-28 01:01:39 +09:00
Tatsuhiro Tsujikawa a18d154e0e Merge pull request #943 from nghttp2/nghttpx-verify-ocsp-resp-with-cacerts
nghttpx: Verify OCSP response using trusted CA certificates
2017-06-15 20:56:44 +09:00
Tatsuhiro Tsujikawa 59c78d5809 nghttpx: Verify OCSP response using trusted CA certificates 2017-06-13 23:00:26 +09:00
Tatsuhiro Tsujikawa be164fc8f9 nghttpx: Set default minimum TLS version to TLSv1.2
Previously, the default minimum TLS version was TLSv1.1, but the
default cipher list didn't include any compatible ciphers with it.
This made handshake fail if TLSv1.1 was negotiated because there was
no shared ciphers.  To make the default settings consistent, the
default minimum TLS version is now TLSv1.2.
2017-06-12 23:54:12 +09:00
Tatsuhiro Tsujikawa 6ec7683991 nghttpx: Use nocopy version to send trailer headers to backend
It looks like we can use nocopy version here.  We use nocopy version
in frontend in day 1.
2017-06-02 22:38:39 +09:00
Tatsuhiro Tsujikawa 8f7fa1b1bf nghttpx: Fix crash in OCSP response verification 2017-05-30 23:52:38 +09:00
Tatsuhiro Tsujikawa db7483ef10 Merge branch 'nghttpx-verify-ocsp' 2017-05-25 23:37:34 +09:00
Tatsuhiro Tsujikawa 74c2f1257a nghttpx: Add --no-verify-ocsp to disable OCSP response verification 2017-05-25 23:14:58 +09:00
Tatsuhiro Tsujikawa 1428a5e3ae nghttpx: Verify OCSP response
At least we should make sure that the OCSP response is targeted to the
expected certificate.  This is important because we pass the file path
to the external script, and if the file is replaced because of
renewal, and nghttpx has not reloaded its configuration, the
certificate nghttpx has loaded and the one included in the file
differ.  Verifying the OCSP response detects this, and avoids to send
wrong OCSP response.
2017-05-25 23:14:57 +09:00
Tatsuhiro Tsujikawa c57bf21306 src: memchunks: Don't use std::unique_ptr to avoid potential SO 2017-05-25 00:23:51 +09:00
Tatsuhiro Tsujikawa 8401e16a15 nghttpx: Fix compile error with gcc 2017-05-22 22:10:55 +09:00
Tatsuhiro Tsujikawa 07fb5854f3 nghttpx: Compile with openssl 1.0.2 2017-05-22 22:09:34 +09:00
Tatsuhiro Tsujikawa 796ab87b14 nghttpx: Fix certificate selection based on pub key algorithm 2017-05-21 11:12:47 +09:00
Tatsuhiro Tsujikawa ed1fad3bd4 nghttpx: Call ERR_clear_error()
Call ERR_clear_error() before the OpenSSL function if we use
SSL_get_error() to examine error stack.
2017-05-21 10:32:12 +09:00
Tatsuhiro Tsujikawa 9c1876f542 nghttpx: Fix certificate indexing bug 2017-05-21 00:19:33 +09:00
Tatsuhiro Tsujikawa 7d111d9963 Merge pull request #923 from nghttp2/compile-with-disable-assert
Compile with --disable-assert
2017-05-18 23:49:41 +09:00
Tatsuhiro Tsujikawa 1b442cb16f Compile with --disable-assert 2017-05-18 23:10:44 +09:00
Tatsuhiro Tsujikawa 0d4f0f0db5 nghttpx: Run OCSP at startup
With --ocsp-startup option, nghttpx starts accepting connections after
initial attempts to get OCSP responses finish.  It does not matter
some of the attempts fail.  This feature is useful if OCSP responses
must be available before accepting connections.
2017-05-18 22:33:49 +09:00
Tatsuhiro Tsujikawa 14edd12304 nghttpx: Refactor the code for the anti-replay 2017-05-14 17:45:35 +09:00
Tatsuhiro Tsujikawa e6ffdb23a4 nghttpx: Share session_cache_ssl_ctx across threads 2017-05-14 17:43:11 +09:00
Tatsuhiro Tsujikawa b5007d45f7 nghttpx: Wildcard path matching
This commit adds wildcard path matching.  If path pattern given in
backend option ends with "*", it is considered as wildcard path.  "*"
must match at least one character.  All paths which include wildcard
path without last "*" as prefix, and are strictly longer than wildcard
path without last "*" are matched.
2017-05-11 22:15:28 +09:00
Tatsuhiro Tsujikawa a584cf5a4f Use clang-format-4.0 2017-04-30 15:45:53 +09:00
Tatsuhiro Tsujikawa 196673bbce nghttp: Remove unused short option 'g' 2017-04-28 22:39:12 +09:00
Tatsuhiro Tsujikawa 794d13082c Merge branch 'nghttp-no-verify-peer' 2017-04-28 22:36:23 +09:00
Tatsuhiro Tsujikawa 5f5cf4107e nghttpx: Reseve rcbufs_ 2017-04-28 22:31:09 +09:00
Tatsuhiro Tsujikawa 6f3ec54b9f nghttp: Add -y, --no-verify-peer option to suppress peer verify warn 2017-04-28 09:53:37 +09:00
Tatsuhiro Tsujikawa 58043a6b04 nghttpx: Guard the presence of TLS1_3_VERSION 2017-04-27 23:13:15 +09:00
Tatsuhiro Tsujikawa a885315ef5 Merge branch 'nghttpx-unrecognized-sni' 2017-04-27 22:57:54 +09:00
Tatsuhiro Tsujikawa d7581525ac nghttpx: Update TLSv1.3 TLS record overhead 2017-04-27 22:57:06 +09:00
Tatsuhiro Tsujikawa 1085f68018 nghttpx: Return SSL_TLSEXT_ERR_NOACK if server name is not recognized
With this commit, SSL_TLSEXT_ERR_NOACK is returned from
servername_callback, which removes server_name extension from
ServerHello.  CertLookupTree is now used even if the number of server
certificate is one.  It is better to exercise it regularly.
2017-04-27 22:25:58 +09:00
Tatsuhiro Tsujikawa d63b4c1034 nghttpx: Forward multiple via, xff, and xfp header fields
Previously, for Via, X-Forwarded-For, and X-Forwarded-Proto header
field, nghttpx only forwarded the last header field of each.  With
this commit, nghttpx forwards all of them if it is configured to do
so.
2017-04-26 21:23:13 +09:00
Tatsuhiro Tsujikawa c3f5f5ca36 nghttpx: Clarify --conf option behaviour 2017-04-20 22:25:38 +09:00
Tatsuhiro Tsujikawa 911d12f7c4 nghttpx: Add log when loading configuration file 2017-04-20 22:22:29 +09:00
Tatsuhiro Tsujikawa 17614312e0 Merge pull request #892 from nghttp2/nghttpx-sni-fwd
nghttpx: SNI based backend server selection
2017-04-19 21:22:15 +09:00
Tatsuhiro Tsujikawa a2e35a0757 nghttpx: Add $tls_sni access log variable 2017-04-18 22:44:26 +09:00
Tatsuhiro Tsujikawa a4a2b6403b nghttpx: Use SHRPX_LOGF_TLS_* instead of SHRPX_LOGF_SSL_* 2017-04-18 22:34:08 +09:00
Tatsuhiro Tsujikawa 03be97e437 nghttpx: Rename ssl_* log variables as tls_*
The exiting ssl_* log variables still work for backward compatibility.
2017-04-18 22:11:05 +09:00
Tatsuhiro Tsujikawa 0a2d1965df nghttpx: Fix path matching bug
Previously, if path is empty or path does not start with "/", nghttpx
did not try to match with wildcard pattern.  This commit fixes it.
2017-04-18 21:03:50 +09:00
Tatsuhiro Tsujikawa c8a5f1e335 nghttpx: SNI based backend server selection 2017-04-16 23:47:10 +09:00
Tatsuhiro Tsujikawa a1bc83a2ba Merge pull request #881 from mway/dev/request-priority
Support specifying stream priority via session::submit()
2017-04-12 23:36:40 +09:00
Matt Way bc3949db9e Support specifying stream priority via session::submit() 2017-04-12 10:07:16 -04:00
Tatsuhiro Tsujikawa 6cfa885207 nghttpx: Remove unused lambda capture 2017-04-12 22:09:44 +09:00
Tatsuhiro Tsujikawa e61ac4682e Merge branch 'nghttpx-xfp-take2' 2017-04-09 16:02:53 +09:00
Tatsuhiro Tsujikawa 4d10dce61d nghttpx: Only send SCT for leaf certificate 2017-04-09 14:38:18 +09:00
Tatsuhiro Tsujikawa 2d9fd87029 nghttpx: Enable signed_certificate_timestamp extension for TLSv1.3 2017-04-09 14:11:49 +09:00
Tatsuhiro Tsujikawa cc9190ab37 nghttpx: Add options for X-Forwarded-Proto header field
This commit adds 2 new options to handle X-Forwarded-Proto header
field.  The --no-add-x-forwarded-proto option makes nghttpx not to
append X-Forwarded-Proto value.  The
--no-strip-incoming-x-forwarded-proto option prevents nghttpx from
stripping the header field from client.

Previously, nghttpx always strips incoming header field, and set its
own header field.  This commit preserves this behaviour, and adds
additional knobs.
2017-04-08 18:46:36 +09:00
Tatsuhiro Tsujikawa 980570de71 Revert "nghttpx: Add options for X-Forwarded-Proto header field"
This reverts commit 8c0b2c684a.
2017-04-08 18:37:54 +09:00
Tatsuhiro Tsujikawa 46ccc4332c nghttpx: Fix bug that 204 from h1 backend is always treated as error 2017-04-07 21:45:13 +09:00
Tatsuhiro Tsujikawa 4e6bd54dd1 Merge branch 'nghttpx-single-process' 2017-04-06 20:18:33 +09:00
Tatsuhiro Tsujikawa 5c9f46a6b0 Merge branch 'nghttp-verify-server-certificate' 2017-04-06 20:17:29 +09:00
Tatsuhiro Tsujikawa 223e971c7e nghttpx: Add --single-process option
With --single-process option, nghttpx will run in a single process
mode where master and worker are unified into one process.  nghttpx
still spawns additional process for neverbleed.  In the single process
mode, signal handling is disabled.
2017-04-06 20:02:57 +09:00
Tatsuhiro Tsujikawa 8c0b2c684a nghttpx: Add options for X-Forwarded-Proto header field
This commit adds 2 new options to handle X-Forwarded-Proto header
field.  The --add-x-forwarded-proto option makes nghttpx append
X-Forwarded-Proto value.  The --strip-incoming-x-forwarded-proto
option makes nghttpx to strip the header field from client.

Previously, nghttpx always strips incoming header field, and set its
own header field.  This commit changes this behaviour.  Now nghttpx
does not strip, and append X-Forwarded-Proto header field by default.
The X-Forwarded-For, and Forwarded header fields are also handled in
the same way.  To recover the old behaviour, use
--add-x-forwarded-proto and --strip-incoming-x-forwarded-proto
options.
2017-04-06 19:17:36 +09:00
Tatsuhiro Tsujikawa 7ae0b2dc09 nghttp: Verify server certificate and show warning if it fails 2017-04-01 17:49:57 +09:00
Tatsuhiro Tsujikawa 058122b804 nghttpx: Rename shrpx_ssl.{h,cc} as shrpx_tls.{h,cc}
The namespace shrpx::ssl was also renamed as shrpx::tls.
2017-04-01 15:12:28 +09:00
Tatsuhiro Tsujikawa 69f63c529d src: Rename ssl.{h,cc} as tls.{h,cc}
nghttp2::ssl namespace was also renamed as nghttp2::tls.
2017-04-01 15:12:28 +09:00
Tatsuhiro Tsujikawa e17a6b29b6 nghttpx: Use 502 as server error code 2017-04-01 14:04:55 +09:00
Tatsuhiro Tsujikawa b12c2a13c0 nghttpx: Fail handshake if server certificate verification fails
Previously, we drop connection if server certificate verification
fails after handshake.  With this commit, we fail handshake if that
happens.
2017-04-01 13:41:41 +09:00
Tatsuhiro Tsujikawa 236c835abc nghttpx: Don't enable SSL_MODE_AUTO_RETRY since we do non-blocking I/O 2017-04-01 12:05:07 +09:00
Tatsuhiro Tsujikawa ad338bfa44 asio: Fix crash if connect takes longer time than ping interval 2017-03-31 21:17:57 +09:00
Tatsuhiro Tsujikawa a899522679 asio: Fix compile error 2017-03-31 21:14:08 +09:00
Tatsuhiro Tsujikawa b9b58c781e nghttpx: Avoid extra TLS handshake calls 2017-03-30 22:23:55 +09:00
Tatsuhiro Tsujikawa aa1eec4642 nghttpx: Cache client side session inside openssl callback 2017-03-30 21:07:58 +09:00
Tatsuhiro Tsujikawa 0c8d9469ea nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl 2017-03-27 23:58:49 +09:00
Tatsuhiro Tsujikawa 079e1bdffc Revert "nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl"
This reverts commit b4337d1b54.
2017-03-27 23:47:24 +09:00
Tatsuhiro Tsujikawa b4337d1b54 nghttpx: Use SSL_CTX_set_early_data_enabled with boringssl 2017-03-27 23:29:28 +09:00
Tatsuhiro Tsujikawa dbe287ff5e nghttpx: Print version number with -v option 2017-03-27 22:49:53 +09:00
Tatsuhiro Tsujikawa 041531458b Merge pull request #858 from nghttp2/nghttpx-ai-addrconfig
nghttpx: Retry getaddrinfo without AI_ADDRCONFIG
2017-03-27 22:37:07 +09:00
Tatsuhiro Tsujikawa 1374bb81fd nghttpx: Enable X25519 with boringssl 2017-03-27 21:18:44 +09:00
Tatsuhiro Tsujikawa f41ac103d3 nghttpx: Retry getaddrinfo without AI_ADDRCONFIG 2017-03-27 00:20:42 +09:00
Tatsuhiro Tsujikawa f6301714db nghttpx: Avoid copy of std::mt19937 which is huge 2017-03-26 21:14:34 +09:00
Tatsuhiro Tsujikawa 7dc39b1ee9 nghttpx: Failing to listen on server socket is fatal error 2017-03-26 11:04:45 +09:00
Tatsuhiro Tsujikawa 696a7ce407 Merge pull request #856 from nghttp2/escape-access-log
Escape access log
2017-03-25 23:36:02 +09:00
Tatsuhiro Tsujikawa 99122ee7bb nghttpx: Find illegal character in path for SPDY CONNECT method 2017-03-25 19:18:35 +09:00
Tatsuhiro Tsujikawa 19ee7ec794 nghttpx: Escape certain characters in access log
The certain characters coming from client are now escaped with "\xNN"
where NN is the ascii code of the character in hex notation.
2017-03-25 19:17:24 +09:00
Piotr Sikora cd9ec0d20f src: BoringSSL supports SSL_CTX_set_{min,max}_proto_version.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-23 19:26:49 -07:00
Tatsuhiro Tsujikawa e77883e980 nghttpx: Fix typo 2017-03-22 22:53:46 +09:00
Tatsuhiro Tsujikawa 0994c92550 nghttpx: Don't cache session server side if TLS version is 1.3 2017-03-22 21:34:13 +09:00
Tatsuhiro Tsujikawa 465c7208cc nghttpx: Don't look up session ID if length is 0 2017-03-22 21:33:31 +09:00
Tatsuhiro Tsujikawa b7e7a4bf26 asio: client: Send PING after 30 seconds idle 2017-03-20 18:37:56 +09:00
Tatsuhiro Tsujikawa c7df65309b nghttpx: Ignore further input if connection is going to close 2017-03-19 13:24:12 +09:00
Tatsuhiro Tsujikawa 26900262f3 Revert "nghttpx: Attempt to avoid TCP RST on socket closure on Linux"
This reverts commit f69b52b1aa.
2017-03-18 22:43:30 +09:00
Tatsuhiro Tsujikawa 9b5ce36368 nghttpx: Reset write timer on write 2017-03-18 21:33:00 +09:00
Tatsuhiro Tsujikawa f69b52b1aa nghttpx: Attempt to avoid TCP RST on socket closure on Linux 2017-03-18 00:59:26 +09:00
Tatsuhiro Tsujikawa 1e1d908c12 nghttpx: Eliminate global std::random_device 2017-03-17 22:25:10 +09:00
Tatsuhiro Tsujikawa 6c69d675da nghttpx: Should take reference 2017-03-17 22:24:32 +09:00
Tatsuhiro Tsujikawa feabd6f739 nghttpx: Delete unused delete_bio_method 2017-03-15 23:37:39 +09:00
Tatsuhiro Tsujikawa 1ea590c364 nghttpx: Return new BIO_METHOD object with OpenSSL < 1.1.0 2017-03-15 23:36:38 +09:00
Tatsuhiro Tsujikawa b21779e685 nghttpx: Use raw pointer for apis 2017-03-15 23:33:07 +09:00
Tatsuhiro Tsujikawa 12a4e7c3a2 src: Use raw pointer for ssl_global_locks 2017-03-15 23:24:28 +09:00
Tatsuhiro Tsujikawa 799a76de74 nghttpx: Lesser usage of DIE 2017-03-15 23:14:07 +09:00
Tatsuhiro Tsujikawa b1fee8ff63 nghttpx: Use raw pointer for config 2017-03-15 23:13:14 +09:00
Tatsuhiro Tsujikawa 9cc223d419 nghttpx: Use constexpr 2017-03-15 23:12:50 +09:00
Tatsuhiro Tsujikawa 20edd64301 nghttpx: Handle return value of write(2) 2017-03-15 21:28:53 +09:00
Tatsuhiro Tsujikawa 9aee518352 nghttpx: Effectively revert ff64f64e1d 2017-03-15 00:07:57 +09:00
Tatsuhiro Tsujikawa 51b933c5f0 src: Use "Modern compatibility" ciphers by default 2017-03-11 23:58:52 +09:00
Tatsuhiro Tsujikawa 3e0e3f5459 src: Fix typo 2017-03-10 23:10:13 +09:00
Tatsuhiro Tsujikawa fa074145a4 Merge pull request #788 from nghttp2/nghttpx-h2-proxy-pattern-match
nghttpx: Enable backend pattern matching with http2-proxy
2017-03-06 21:22:34 +09:00
Tatsuhiro Tsujikawa b2d6550179 src: BoringSSL only requires CRYPTO_library_init 2017-03-05 21:36:52 +09:00
Tatsuhiro Tsujikawa 62dd1f5177 src: OpenSSL 1.1.0 does not require explicit initialization 2017-03-05 19:57:06 +09:00
Tatsuhiro Tsujikawa a6dda5f91c nghttpx: Log rstatus in hex 2017-03-01 23:21:11 +09:00
Tatsuhiro Tsujikawa c1f7795dd6 nghttpx: Set close-on-exec flag on listener in worker process 2017-03-01 23:20:36 +09:00
Tatsuhiro Tsujikawa 4989e6e419 nghttpx: Don't call functions which are not async-signal-safe
.. after fork but before execv in multithreaded process.
2017-03-01 22:42:30 +09:00
Alexis La Goutte d725255784 nghttp2_gzip: fix this statement may fall through [-Werror=implicit-fallthrough=] found by gcc7 2017-02-27 21:38:55 +01:00
Tatsuhiro Tsujikawa 373be22d7e nghttpx: Simpler 2017-02-23 22:32:04 +09:00
Tatsuhiro Tsujikawa b647a7c5b7 nghttpx: Simplify code using parse_uint 2017-02-23 22:22:49 +09:00
Tatsuhiro Tsujikawa e1b8317ae8 nghttpx: Strip version number from server header field 2017-02-22 20:56:40 +09:00
Tatsuhiro Tsujikawa 2af57c3cfc nghttpx: Add --single-worker option
Previously, nghttpx will use only one single thread inside the worker
process if --workers=1 (this is default).  If --workers=N, N > 1, we
use additional threads for accepting connections, or API request
processing, etc.

With this commit, we use the same processing model for N > 1 even if N
== 1.  To restore the original single thread execution mode,
--single-worker option is added.  If threading is disabled
--single-worker is always true.
2017-02-21 22:19:34 +09:00
Tatsuhiro Tsujikawa 0c8b1a4f74 nghttpx: Fix bug that send_reply does not participate graceful shutdown 2017-02-21 21:27:57 +09:00
Tatsuhiro Tsujikawa 9d16292fe4 nghttpx: Add --frontend-max-requests option 2017-02-20 23:36:50 +09:00
Tatsuhiro Tsujikawa e2b9590c0f nghttpx: Enable stream-write-timeout by default 2017-02-20 22:18:49 +09:00
Tatsuhiro Tsujikawa 24fb640a55 nghttpx: Fix stream wtimer handling 2017-02-20 22:08:39 +09:00
Tatsuhiro Tsujikawa 450ffaa6f0 nghttpx: Add configrevision API endpoint
This commit adds configuration revision, which is considered opaque
string, and changes after reloading configuration with SIGHUP.  This
revision is returned as a response to configrevision API endpoint.
This allows external application to know whether nghttpx has finished
reloading new configuration or not.  Note that this revision does not
change on backendconfig API calls.
2017-02-19 23:40:06 +09:00
Tatsuhiro Tsujikawa dc15832030 nghttpx: Refactor API downstream connection to allow more endpoints 2017-02-19 22:49:53 +09:00
Tatsuhiro Tsujikawa a7c780a732 nghttpx: Redirect to HTTPS URI with redirect-if-not-tls param
This commit removes frontend-tls parameter, and adds
redirect-if-not-tls parameter parameter to --backend option.  nghttpx
now responds to the request with 308 status code to redirect the
request to https URI if frontend connection is not TLS encrypted, and
redirect-if-no-tls parameter is used in --backend option.  The port
number in Location header field is 443 by default (thus omitted), but
it can be configurable using --redirect-https-port option.
2017-02-18 22:32:27 +09:00
Tatsuhiro Tsujikawa e06ed85747 nghttpx: Fix travis gcc compile error 2017-02-17 00:42:25 +09:00
Tatsuhiro Tsujikawa 83fd72c97e nghttpx: Use std::chrono::duration_cast 2017-02-17 00:33:26 +09:00
Tatsuhiro Tsujikawa ace40f298d nghttpx: Update log time stamp in millisecond interval 2017-02-17 00:18:07 +09:00
Tatsuhiro Tsujikawa 1133cc0bbc nghttpx: Don't call get_config() repeatedly 2017-02-16 23:41:23 +09:00
Tatsuhiro Tsujikawa 6960039aee nghttpx: C++ style cast 2017-02-16 23:02:19 +09:00
Tatsuhiro Tsujikawa bf5eeb831b nghttpx: Better error message when private key and certificate are missing 2017-02-16 23:00:25 +09:00
Tatsuhiro Tsujikawa e5b84fad09 nghttpx: Fix bug that old config is used during reloading config 2017-02-16 22:46:22 +09:00
Tatsuhiro Tsujikawa cfb39171a7 nghttpx: Remove redundant StringRef ctor invocation 2017-02-16 22:45:55 +09:00
Tatsuhiro Tsujikawa 9e8d9d658a src: Enable TLSv1.3 if OpenSSL supports it
If OpenSSL supports TLSv1.3, enable it by default for all applications
under src.  BoringSSL can work at the moment although it does not
unlock all the features nghttpx offers.  OpenSSL's TLSv1.3 support is
still WIP at the time of writing.
2017-02-15 22:34:53 +09:00
Tatsuhiro Tsujikawa 6ecfac6954 nghttpx: Parse default TLS min and max versions from string 2017-02-15 21:28:40 +09:00
Tatsuhiro Tsujikawa 56e86cd944 src: h2 requires >= TLSv1.2 2017-02-14 22:21:35 +09:00
Tatsuhiro Tsujikawa b36e53cccd nghttpx: Specify TLS protocol by version range
This commit deprecates --tls-proto-list option, and adds 2 new
options: --tls-min-proto-version and --tls-max-proto-version to
specify minimum and maximum protocol version respectively.  Versions
between the two are enabled.  The deprecated --tls-proto-list has
empty default value, and acts like enabling only specific protocol
versions in the range for now.
2017-02-14 00:01:09 +09:00
Tatsuhiro Tsujikawa 001d45efad Merge branch 'nghttpx-graceful-sigusr2' 2017-02-12 23:52:03 +09:00
Tatsuhiro Tsujikawa 56c455bca4 nghttpx: Send SIGQUIT to the original master process
Previously, after sending SIGUSR2 to the original master process, and
the new master process gets ready, user has to send SIGQUIT to the
original master process to shut it down gracefully.  With this commit,
the new master process sends SIGQUIT to the original master process
when it is ready to serve requests, eliminating for user to send
SIGQUIT manually.

This works nicely with systemd, because now you can replace nghttpx
binary with new one by "systemctl kill -s USR2 --kill-who=main
nghttpx".
2017-02-12 23:29:44 +09:00
Tatsuhiro Tsujikawa 4bf3cb2cc0 Revert "nghttpx: Don't capitalize h1 header fields"
This reverts commit f994664934.
2017-02-12 23:27:38 +09:00
Tatsuhiro Tsujikawa c78528d54b nghttpx: Restrict HTTP major and minor in 0 or 1 2017-02-11 18:42:29 +09:00
Tatsuhiro Tsujikawa f994664934 nghttpx: Don't capitalize h1 header fields 2017-02-11 18:41:52 +09:00
Tatsuhiro Tsujikawa 44e290da66 clang-format 2017-02-11 13:08:08 +09:00
Tatsuhiro Tsujikawa 8aed101585 Merge pull request #805 from pakdel/graceful_stop
graceful stop of nghttp2::asio_http2::server::http2
2017-02-11 13:07:10 +09:00
Tatsuhiro Tsujikawa e44c58282e Drop privilege of neverbleed daemon first 2017-02-10 17:43:19 +09:00
Tatsuhiro Tsujikawa c02b1041d9 nghttpx: Use nullptr instead of NULL 2017-02-10 17:14:47 +09:00
Tatsuhiro Tsujikawa 23209baaf5 clang-format 2017-02-10 17:02:46 +09:00
Tatsuhiro Tsujikawa 9d2503f9c0 Merge pull request #802 from zdzichu/master
nghttpx: add systemd support
2017-02-10 16:17:01 +09:00
Amir Pakdel 1c31213aef More graceful stop of nghttp2::asio_http2::server::http2
Explicit io_service::stop() will prevent running streams from
finishing their task. That means if there are already reposnes
that we have called end(std::string) on them and they have not
finished sending back their data, they will be closed with a
NGHTTP2_INTERNAL_ERROR
Instead, we can stop accepting connections and destroy all
io_service::work objects to signals end of work.
2017-02-09 23:34:19 -05:00
Tomasz Torcz fdb75ba5fe nghttpx: add systemd support
Add systemd's Type=notify support by sending information about
 master process PID around forks.
  Add some hardening option to service unit.
2017-02-09 18:58:00 +01:00
Tatsuhiro Tsujikawa 8f888b29bd clang-format 2017-02-09 21:00:47 +09:00
clemahieu 298808f276 Holding more shared_ptrs instead of raw ptrs to make sure called objects don't get deleted. 2017-02-09 21:00:11 +09:00
Tatsuhiro Tsujikawa a231874e1e Merge branch 'nghttpx-certs-per-sigalg' 2017-02-08 23:36:23 +09:00
Tatsuhiro Tsujikawa 2101f4ae3f Merge branch 'mruby-send-1xx' 2017-02-08 22:18:11 +09:00
Tatsuhiro Tsujikawa 4a06f9684f nghttpx: Fix crash on SIGHUP with multi thread configuration 2017-02-08 22:14:23 +09:00
Tatsuhiro Tsujikawa 9a85c5264a nghttpx: Send 1xx non-final response using mruby script 2017-02-08 00:30:03 +09:00
Tatsuhiro Tsujikawa 68a724cf7b nghttpx: Select certificate by client's supported signature algo
nghttpx supports multiple certificates using --subcert option.
Previously, SNI hostname is used to select certificate.  With this
commit, signature algorithm presented by client is also taken into
consideration.  nghttpx now accepts certificates which share the same
hostname (CN, SAN), but have different signature algorithm (e.g.,
ECDSA+SHA256, RSA+SHA256).

Currently, this feature requires OpenSSL >= 1.0.2.  BoringSSL, and
LibreSSL do not work since they lack required APIs.
2017-02-04 23:37:24 +09:00
Tatsuhiro Tsujikawa 779ec50e73 Merge pull request #795 from clemahieu/close_stream_iterator
close_stream erases from streams_ while it's being iterated over.
2017-02-04 11:37:43 +09:00
Tatsuhiro Tsujikawa 1649948e78 asio: Add curly brackets to avoid possible well known issue 2017-02-04 11:33:21 +09:00
clemahieu 6d3e010ae7 Infinite loop in acceptor handler. 2017-02-04 11:31:12 +09:00
Tatsuhiro Tsujikawa 7dddac081e clang-format 2017-02-04 11:29:10 +09:00