nghttpx supports multiple certificates using --subcert option.
Previously, SNI hostname is used to select certificate. With this
commit, signature algorithm presented by client is also taken into
consideration. nghttpx now accepts certificates which share the same
hostname (CN, SAN), but have different signature algorithm (e.g.,
ECDSA+SHA256, RSA+SHA256).
Currently, this feature requires OpenSSL >= 1.0.2. BoringSSL, and
LibreSSL do not work since they lack required APIs.
--accesslog-write-early option is analogous to HAProxy's logasap. If
used, nghttpx writes access log when response header fields are
received from backend rather than when request transaction finishes.
Previously, ciphers option sets cipher list for both frontend and
backend TLS connections. With this commit, ciphers option only sets
cipher list for frontend connections. The new client-ciphers option
sets cipher list for backend connection.
This commit adds client-no-http2-cipher-black-list option to disable
enforcement of HTTP/2 cipher black list on backend HTTP/2 connection.
Previously, existing no-http2-cipher-black-list option disables it for
both frontend and backend connections. Now no-http2-cipher-black-list
option only disables it for frontend connection.
Previously, global accept-proxy-protocol option enables PROXY protocol
support for all frontend listeners, but this was inflexible. To fix
this issue, accept-proxy-protocol option is now deprecated, and
instead proxyproto parameter in frontend option enables PROXY protocol
support per frontend.
We have added "dns" parameter to backend option. If specified, name
lookup is done dynamically. If not, name lookup is done at start up,
or configuration reloading. nghttpx caches DNS result including error
case in 30 seconds in this commit. Later commit makes this
configurable.
DNS resolution is done asynchronously using c-ares library.
This option requires OpenSSL >= 1.0.2. With OpenSSL 1.0.2, the
default value is "P-256". With OpenSSL 1.1.0 or later, the default
value is "X25519:P-256".
We added --frontend-http2-window-size,
--frontend-http2-connection-window-size, --backend-http2-window-size,
and --backend-http2-connection-window-size option to replace existing
*-bits options. The old options are not flexible because they only
specify number of bits. Now we can specify integer value, with
possible g, m, and k unit. The old options are still available for
backend compatibility, but are deprecated.
This commit also fixes the bug that old configuration is still used
for worker process. The another bug fix is that inherited, but not
used fd is not closed in worker process. That makes reloading next
configuration fail if it contains the address which are leaked into
worker process.
This commit implements configuration reloading with SIGHUP.
There are rough edges left:
* Rename SignalServer with more meaningful name, say, WorkerProcess.
* We should introduce global configuration object which is not
affected by configuration reloading. It should hold cmdcfgs, argc,
argv, and last worker PID.
* We should close the listener file descriptor when some operation was
failed after that.
For those connections via frontend with api parameter, they use solely
APIDownstreamConnection.
In this commit, APIDownstreamConnection just consumes all request
body, and do nothing. The next few commits implements our first API
endpoint: /v1/api/dynamicconfig.
Write PID in temporary file first. Then rename it as the real
destination. It will avoid the issue that the external process may
read the empty PID file because of race condition.
* don't use CRYPTO_LOCK stuff (they are sorted out by openssl, and no
application intervention is required, just like boringSSL)
* don't use OPENSSL_config
* use provided API to access BIO member
The --backend-tls-sni-field is deprecated in favor of sni keyword.
--backend-tls-sni-field still works, and it overrides all sni keyword
in --backend option. But it will be removed in the future release.
Like frontend and backend options, encryption for memcached
connections is configured using tls keyword in
tls-session-cache-memcached and tls-ticket-key-memcached options.
tls-session-cache-memcached-tls and tls-ticket-key-memcached-tls
options are deprecated.
This change allows user to disable TLS per frontend address using
no-tls keyword in --frontend option. We removed --frontend-no-tls in
favor of this new feature.