Previously, the default minimum TLS version was TLSv1.1, but the
default cipher list didn't include any compatible ciphers with it.
This made handshake fail if TLSv1.1 was negotiated because there was
no shared ciphers. To make the default settings consistent, the
default minimum TLS version is now TLSv1.2.
At least we should make sure that the OCSP response is targeted to the
expected certificate. This is important because we pass the file path
to the external script, and if the file is replaced because of
renewal, and nghttpx has not reloaded its configuration, the
certificate nghttpx has loaded and the one included in the file
differ. Verifying the OCSP response detects this, and avoids to send
wrong OCSP response.
With --ocsp-startup option, nghttpx starts accepting connections after
initial attempts to get OCSP responses finish. It does not matter
some of the attempts fail. This feature is useful if OCSP responses
must be available before accepting connections.
This commit adds wildcard path matching. If path pattern given in
backend option ends with "*", it is considered as wildcard path. "*"
must match at least one character. All paths which include wildcard
path without last "*" as prefix, and are strictly longer than wildcard
path without last "*" are matched.
With this commit, SSL_TLSEXT_ERR_NOACK is returned from
servername_callback, which removes server_name extension from
ServerHello. CertLookupTree is now used even if the number of server
certificate is one. It is better to exercise it regularly.
Previously, for Via, X-Forwarded-For, and X-Forwarded-Proto header
field, nghttpx only forwarded the last header field of each. With
this commit, nghttpx forwards all of them if it is configured to do
so.
This commit adds 2 new options to handle X-Forwarded-Proto header
field. The --no-add-x-forwarded-proto option makes nghttpx not to
append X-Forwarded-Proto value. The
--no-strip-incoming-x-forwarded-proto option prevents nghttpx from
stripping the header field from client.
Previously, nghttpx always strips incoming header field, and set its
own header field. This commit preserves this behaviour, and adds
additional knobs.
With --single-process option, nghttpx will run in a single process
mode where master and worker are unified into one process. nghttpx
still spawns additional process for neverbleed. In the single process
mode, signal handling is disabled.
This commit adds 2 new options to handle X-Forwarded-Proto header
field. The --add-x-forwarded-proto option makes nghttpx append
X-Forwarded-Proto value. The --strip-incoming-x-forwarded-proto
option makes nghttpx to strip the header field from client.
Previously, nghttpx always strips incoming header field, and set its
own header field. This commit changes this behaviour. Now nghttpx
does not strip, and append X-Forwarded-Proto header field by default.
The X-Forwarded-For, and Forwarded header fields are also handled in
the same way. To recover the old behaviour, use
--add-x-forwarded-proto and --strip-incoming-x-forwarded-proto
options.
Previously, nghttpx will use only one single thread inside the worker
process if --workers=1 (this is default). If --workers=N, N > 1, we
use additional threads for accepting connections, or API request
processing, etc.
With this commit, we use the same processing model for N > 1 even if N
== 1. To restore the original single thread execution mode,
--single-worker option is added. If threading is disabled
--single-worker is always true.
This commit adds configuration revision, which is considered opaque
string, and changes after reloading configuration with SIGHUP. This
revision is returned as a response to configrevision API endpoint.
This allows external application to know whether nghttpx has finished
reloading new configuration or not. Note that this revision does not
change on backendconfig API calls.
This commit removes frontend-tls parameter, and adds
redirect-if-not-tls parameter parameter to --backend option. nghttpx
now responds to the request with 308 status code to redirect the
request to https URI if frontend connection is not TLS encrypted, and
redirect-if-no-tls parameter is used in --backend option. The port
number in Location header field is 443 by default (thus omitted), but
it can be configurable using --redirect-https-port option.
If OpenSSL supports TLSv1.3, enable it by default for all applications
under src. BoringSSL can work at the moment although it does not
unlock all the features nghttpx offers. OpenSSL's TLSv1.3 support is
still WIP at the time of writing.
This commit deprecates --tls-proto-list option, and adds 2 new
options: --tls-min-proto-version and --tls-max-proto-version to
specify minimum and maximum protocol version respectively. Versions
between the two are enabled. The deprecated --tls-proto-list has
empty default value, and acts like enabling only specific protocol
versions in the range for now.
Previously, after sending SIGUSR2 to the original master process, and
the new master process gets ready, user has to send SIGQUIT to the
original master process to shut it down gracefully. With this commit,
the new master process sends SIGQUIT to the original master process
when it is ready to serve requests, eliminating for user to send
SIGQUIT manually.
This works nicely with systemd, because now you can replace nghttpx
binary with new one by "systemctl kill -s USR2 --kill-who=main
nghttpx".
Explicit io_service::stop() will prevent running streams from
finishing their task. That means if there are already reposnes
that we have called end(std::string) on them and they have not
finished sending back their data, they will be closed with a
NGHTTP2_INTERNAL_ERROR
Instead, we can stop accepting connections and destroy all
io_service::work objects to signals end of work.
nghttpx supports multiple certificates using --subcert option.
Previously, SNI hostname is used to select certificate. With this
commit, signature algorithm presented by client is also taken into
consideration. nghttpx now accepts certificates which share the same
hostname (CN, SAN), but have different signature algorithm (e.g.,
ECDSA+SHA256, RSA+SHA256).
Currently, this feature requires OpenSSL >= 1.0.2. BoringSSL, and
LibreSSL do not work since they lack required APIs.
Tatsuhiro Tsujikawa
Matt Way
Piotr Sikora
Alexis La Goutte
Amir Pakdel
Tomasz Torcz
clemahieu