108 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 47c33b8d03 nghttpx: Receive ECN 2021-11-05 20:57:24 +09:00
Tatsuhiro Tsujikawa 7055501efd src: Enable HTTP/3 with boringssl 2021-10-15 22:50:34 +09:00
Tatsuhiro Tsujikawa 3742acaf39 nghttpx: Fix wrong SSL_CTX object usage 2021-10-15 18:19:07 +09:00
Tatsuhiro Tsujikawa df064fa2ba nghttpx: Unload BPF objects on reload to avoid running out of memlock 2021-09-29 19:33:16 +09:00
Tatsuhiro Tsujikawa 308c73bfa2 nghttpx: Read QUIC keying materials from file
Add --frontend-quic-secret-file to read QUIC keying materials from
file.  --frontend-quic-connection-id-encryption-key was removed in
favor of this new option.
2021-09-23 11:18:07 +09:00
Tatsuhiro Tsujikawa 80cc623eb2 nghttpx: Allocate server id in Connection ID 2021-09-21 23:08:55 +09:00
Tatsuhiro Tsujikawa fd060eb9f1 nghttpx: Connection ID encryption 2021-09-15 21:31:03 +09:00
Tatsuhiro Tsujikawa 2b4dc4496f nghttpx: Forward QUIC UDP datagram to lingering worker in graceful shutdown
Forward QUIC UDP datagram to lingering worker process which is in
graceful shutdown.  Both SIGHUP and SIGUSR2 work.  To make this work
correctly, eBPF is required.
2021-08-29 18:35:41 +09:00
Tatsuhiro Tsujikawa 137da6adf6 nghttpx: Generate and set QUIC secrets 2021-08-26 21:34:49 +09:00
Tatsuhiro Tsujikawa 8ac4bee3bc nghttpx: Add eBPF program to steer QUIC datagram to a correct socket 2021-08-26 21:34:49 +09:00
Tatsuhiro Tsujikawa 33c580ebbf Forward QUIC packet to the correct worker 2021-08-23 22:21:48 +09:00
Tatsuhiro Tsujikawa 4eced8a393 Build without HTTP/3 support 2021-08-22 23:54:29 +09:00
Tatsuhiro Tsujikawa 3ed2da562b nghttpx: Add HTTP3 skeleton and minor SSL_CTX fix 2021-08-21 18:34:07 +09:00
Tatsuhiro Tsujikawa 940fdd5573 nghttpx: Read quic packet 2021-08-21 18:34:04 +09:00
Tatsuhiro Tsujikawa ef53db201e nghttpx: Create QUIC SSL_CTX
We choose an easier route to duplicate SSL_CTX for QUIC.
2021-08-21 18:33:39 +09:00
Tatsuhiro Tsujikawa 01da060496 nghttpx: Create quic server socket 2021-08-21 18:33:39 +09:00
Tatsuhiro Tsujikawa f2fde180cd Remove redundant null check before delete
Reported in https://github.com/nghttp2/nghttp2/issues/1384
2019-08-19 22:27:32 +09:00
Tatsuhiro Tsujikawa 1daf9ce8b7 nghttpx: Convert WorkerEventType to enum class 2018-11-02 14:14:48 +09:00
Tatsuhiro Tsujikawa 0963f38935 nghttpx: Convert SerialEventType to enum class 2018-10-17 14:19:58 +09:00
Tatsuhiro Tsujikawa f2159bc2c1 nghttpx: Convert UpstreamAltMode to enum class 2018-10-17 08:38:55 +09:00
Tatsuhiro Tsujikawa ec5729b1fa Use std::make_unique 2018-10-15 23:02:44 +09:00
Tatsuhiro Tsujikawa 9c824b87fe nghttpx: Get rid of std::stringstream from Log 2018-09-14 22:58:48 +09:00
Tatsuhiro Tsujikawa 0422f8a844 nghttpx: Fix worker process crash with neverbleed write error 2018-08-24 22:22:53 +09:00
Tatsuhiro Tsujikawa 880f948684 Enable IndentPPDirectives 2018-06-09 16:21:30 +09:00
Tatsuhiro Tsujikawa 45d76cf501 nghttpx: Close listening socket on graceful shutdown 2018-02-26 22:40:24 +09:00
Tatsuhiro Tsujikawa ff200bfcf3 clang-format-5.0 2017-11-23 14:19:12 +09:00
Tatsuhiro Tsujikawa 74c2f1257a nghttpx: Add --no-verify-ocsp to disable OCSP response verification 2017-05-25 23:14:58 +09:00
Tatsuhiro Tsujikawa 1428a5e3ae nghttpx: Verify OCSP response
At least we should make sure that the OCSP response is targeted to the
expected certificate.  This is important because we pass the file path
to the external script, and if the file is replaced because of
renewal, and nghttpx has not reloaded its configuration, the
certificate nghttpx has loaded and the one included in the file
differ.  Verifying the OCSP response detects this, and avoids sending
a wrong OCSP response.
2017-05-25 23:14:57 +09:00
Tatsuhiro Tsujikawa 0d4f0f0db5 nghttpx: Run OCSP at startup
With --ocsp-startup option, nghttpx starts accepting connections after
initial attempts to get OCSP responses finish.  It does not matter if
some of the attempts fail.  This feature is useful if OCSP responses
must be available before accepting connections.
2017-05-18 22:33:49 +09:00
Tatsuhiro Tsujikawa 14edd12304 nghttpx: Refactor the code for the anti-replay 2017-05-14 17:45:35 +09:00
Tatsuhiro Tsujikawa e6ffdb23a4 nghttpx: Share session_cache_ssl_ctx across threads 2017-05-14 17:43:11 +09:00
Tatsuhiro Tsujikawa 058122b804 nghttpx: Rename shrpx_ssl.{h,cc} as shrpx_tls.{h,cc}
The namespace shrpx::ssl was also renamed as shrpx::tls.
2017-04-01 15:12:28 +09:00
Tatsuhiro Tsujikawa f6301714db nghttpx: Avoid copy of std::mt19937 which is huge 2017-03-26 21:14:34 +09:00
Tatsuhiro Tsujikawa 1e1d908c12 nghttpx: Eliminate global std::random_device 2017-03-17 22:25:10 +09:00
Tatsuhiro Tsujikawa a6dda5f91c nghttpx: Log rstatus in hex 2017-03-01 23:21:11 +09:00
Tatsuhiro Tsujikawa 2af57c3cfc nghttpx: Add --single-worker option
Previously, nghttpx used only one single thread inside the worker
process if --workers=1 (this is default).  If --workers=N, N > 1, we
use additional threads for accepting connections, or API request
processing, etc.

With this commit, we use the same processing model for N > 1 even if N
== 1.  To restore the original single thread execution mode,
--single-worker option is added.  If threading is disabled
--single-worker is always true.
2017-02-21 22:19:34 +09:00
Tatsuhiro Tsujikawa e5b84fad09 nghttpx: Fix bug that old config is used during reloading config 2017-02-16 22:46:22 +09:00
Tatsuhiro Tsujikawa a231874e1e Merge branch 'nghttpx-certs-per-sigalg' 2017-02-08 23:36:23 +09:00
Tatsuhiro Tsujikawa 4a06f9684f nghttpx: Fix crash on SIGHUP with multi thread configuration 2017-02-08 22:14:23 +09:00
Tatsuhiro Tsujikawa 68a724cf7b nghttpx: Select certificate by client's supported signature algo
nghttpx supports multiple certificates using --subcert option.
Previously, SNI hostname was used to select certificate.  With this
commit, signature algorithm presented by client is also taken into
consideration.  nghttpx now accepts certificates which share the same
hostname (CN, SAN), but have different signature algorithm (e.g.,
ECDSA+SHA256, RSA+SHA256).

Currently, this feature requires OpenSSL >= 1.0.2.  BoringSSL, and
LibreSSL do not work since they lack required APIs.
2017-02-04 23:37:24 +09:00
Tatsuhiro Tsujikawa 85ba33c08f nghttpx: Wait for child process to exit
Normally, we don't have to wait for child process to exit, since init can
take care of them.  But in containerized environment, pid 0 init might
not be available, and defunct processes can be piled up.  This commit
ensures that OCSP and neverbleed processes are waited for before
worker process exits.
2016-11-30 22:59:02 +09:00
Tatsuhiro Tsujikawa 4a4b2cf538 nghttpx: Embed Process into OCSPUpdateContext 2016-10-08 15:26:13 +09:00
Tatsuhiro Tsujikawa 2c2188c09d nghttpx: Refactor ocsp command execution
We have now generic read-only command execution in shrpx_exec.{h,cc}.
2016-10-08 15:22:11 +09:00
Tatsuhiro Tsujikawa 1b4ccd0d51 nghttpx: Don't call get_config() repeatedly 2016-10-08 11:37:18 +09:00
Tatsuhiro Tsujikawa 99a91e3172 nghttpx: Add BlockAllocator to Config object 2016-10-03 22:09:45 +09:00
Tatsuhiro Tsujikawa e1dfff8929 Use std::atomic_* overloads for std::shared_ptr if available 2016-09-20 22:39:01 +09:00
Tatsuhiro Tsujikawa d9bc6d04f7 nghttpx: Log client address 2016-09-11 23:30:33 +09:00
Tatsuhiro Tsujikawa 33153010c5 nghttpx: Retry memcached connection
Previously, we didn't retry request on connection failure.  Sometimes
we hit the edge case where connection is about to be lost just when we
write request.  To avoid this situation, we now retry request to
failed attempt.  We also add ConnectBlocker to MemcachedConnection not
to attempt to connect to memcached if connection could not be made
previously.
2016-07-08 23:41:53 +09:00
Tatsuhiro Tsujikawa aced5b3b6c nghttpx: Fix memory leak from CertLookupTree 2016-06-25 23:47:22 +09:00
Tatsuhiro Tsujikawa f7c0d48152 nghttpx: Rewrite CertLookupTree using Router 2016-06-25 22:52:01 +09:00