Tatsuhiro Tsujikawa
35ebdd35bc
nghttpx: Use ImmutableString for private_key_file
2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa
ac81003669
nghttpx: Use ImmutableString for cert_file
2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa
c999987baf
nghttpx: Use ImmutableString for private_key_file
2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa
529a59d309
nghttpx: Use ImmutableString for tls.client_verify.cacert
2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa
52f6417813
nghttpx: Use ImmutableString for tls.cacert
2016-02-14 22:17:00 +09:00
Tatsuhiro Tsujikawa
bfc26e8299
nghttpx: Use ImmutableString to store memcached server host
2016-02-14 20:59:10 +09:00
Tatsuhiro Tsujikawa
3297a303bf
nghttpx: Add client auth options for session cache memcached TLS connection
2016-02-13 18:46:07 +09:00
Tatsuhiro Tsujikawa
f1580f95d4
nghttpx: Add TLS support for session cache memcached connection
2016-02-13 18:46:07 +09:00
Tatsuhiro Tsujikawa
82f942c3a3
nghttpx: Parameterize configuration values for client side TLS context
2016-02-11 18:34:31 +09:00
Tatsuhiro Tsujikawa
6d49110a33
Rename FrontendAddr as UpstreamAddr
2016-02-07 17:51:53 +09:00
Tatsuhiro Tsujikawa
2e38208d74
nghttpx: Fixups for HTTP/1 backend TLS support
2016-02-07 17:43:30 +09:00
Tatsuhiro Tsujikawa
bb4e2f6a24
nghttpx: Add TLS support for HTTP/1 backend
2016-02-07 17:43:30 +09:00
Tatsuhiro Tsujikawa
5e9bcbec9a
nghttpx: Fix bug that IPv6 address in Forwarded "for" is not quoted-string
2016-02-01 23:29:17 +09:00
Tatsuhiro Tsujikawa
aa07fe7fa6
nghttpx: Support multiple frontend addresses
This commit allows nghttpx to listen on multiple address and port pairs
by specifying the -f option multiple times.
2016-02-01 23:10:29 +09:00
Tatsuhiro Tsujikawa
9ac3e643d8
Revert "nghttpx: Add --curves option to specify supported elliptic curves"
This reverts commit e278893b64.
SSL_CONF_CTX functions are not working correctly with OpenSSL 1.0.2.
It requires 1.1.0 to make it work.
2016-01-21 19:50:38 +09:00
Tatsuhiro Tsujikawa
e278893b64
nghttpx: Add --curves option to specify supported elliptic curves
2016-01-21 18:23:13 +09:00
Tatsuhiro Tsujikawa
db8de490a0
nghttpx: Omit Forwarded for and by parameter if UNIX domain socket is used
2016-01-19 23:26:04 +09:00
Tatsuhiro Tsujikawa
0402481be4
nghttpx: Organize connection related configuration into struct
2016-01-19 16:56:12 +09:00
Tatsuhiro Tsujikawa
f3e1dc7a4f
nghttpx: Structured TLS related configurations
2016-01-18 14:21:09 +09:00
Tatsuhiro Tsujikawa
3d5f5b6a28
nghttpx: Fix compiler warning
2016-01-17 18:27:25 +09:00
Tatsuhiro Tsujikawa
4f07db8bcb
src: Rename our new string classes
2016-01-17 11:33:45 +09:00
Tatsuhiro Tsujikawa
2c7ed01f0c
nghttpx: Use std::string for Downstream::backend_tls_sni_name
2016-01-17 01:00:15 +09:00
Tatsuhiro Tsujikawa
34d5382d66
nghttpx: Use VString for DownstreamAddr::host and hostport to remember size
2016-01-17 00:52:41 +09:00
Tatsuhiro Tsujikawa
dbbf3a4a10
nghttpx: Refactor TLS hostname match
2016-01-16 23:54:21 +09:00
Tatsuhiro Tsujikawa
248a64f0b2
Compile with OpenSSL 1.1.0-pre1
2015-12-14 21:12:25 +09:00
Tatsuhiro Tsujikawa
d867fe64e3
src: Rename endsWith as ends_with
2015-11-28 00:42:51 +09:00
Tatsuhiro Tsujikawa
de247f7d33
src: Rename startsWith as starts_with
2015-11-28 00:42:51 +09:00
Tatsuhiro Tsujikawa
c6ef1c02b9
Switch to clang-format-3.6
2015-11-13 00:53:29 +09:00
Tatsuhiro Tsujikawa
9b18e47671
nghttpx: Use --backend-tls-sni-field to verify certificate hostname
2015-11-08 00:22:44 +09:00
Tatsuhiro Tsujikawa
f0d2c9f94b
Compile with BoringSSL
Compile with BoringSSL except for neverbleed and libnghttp2_asio. The
former uses ENGINE and RSA_METHOD, and they are quite different
between OpenSSL and BoringSSL. The latter uses boost::asio, which
calls OpenSSL functions deleted in BoringSSL.
2015-09-29 23:38:17 +09:00
Tatsuhiro Tsujikawa
566b0476d7
nghttpx: Enable neverbleed for client private key; don't run nb without TLS
2015-09-26 21:28:46 +09:00
Tatsuhiro Tsujikawa
044385ab6e
Add neverbleed support
neverbleed is disabled by default. To enable it, use
--with-neverbleed configure option.
2015-09-26 19:01:31 +09:00
Tatsuhiro Tsujikawa
c44587a70c
nghttpx: Use _Exit when exiting from child process
2015-09-24 23:57:24 +09:00
Janusz Dziemidowicz
84f96a2fd5
Do not try to set TCP_NODELAY when frontend is a UNIX socket
This silences a warning log that otherwise spams the logs on every accepted
connection.
2015-09-23 12:22:34 +02:00
Tatsuhiro Tsujikawa
36d562927f
nghttpx: Use nghttp2::ssl::DEFAULT_CIPHER_LIST for backend TLS connection
2015-08-23 23:03:29 +09:00
Tatsuhiro Tsujikawa
1c12606e70
nghttpx: Don't allow blacklisted cipher suites for HTTP/2 connection
2015-08-19 23:42:43 +09:00
Tatsuhiro Tsujikawa
b8f05c89bd
nghttpx: App data in SSL is Connection, not ClientHandler
2015-08-13 00:42:59 +09:00
Tatsuhiro Tsujikawa
ff44e211ed
nghttpx: Fix tls handshake bug
This fixes 2 things:
1. potential busy loop
2. disabling ticket is not working after resumption
2015-08-09 18:33:49 +09:00
Tatsuhiro Tsujikawa
d0a37d59a5
nghttpx: Disable TLS session ticket if ticket key is not available
2015-07-29 20:38:49 +09:00
Tatsuhiro Tsujikawa
a1288a5826
nghttpx: Rename --tls-ticket-cipher as --tls-ticket-key-cipher
2015-07-28 23:49:37 +09:00
Tatsuhiro Tsujikawa
a4a9cfd650
nghttpx: Change session cache key prefix
2015-07-27 21:18:12 +09:00
Tatsuhiro Tsujikawa
bb228c27de
Merge branch 'master' into memcached
Conflicts:
src/shrpx_ssl.cc
2015-07-27 21:16:02 +09:00
Tatsuhiro Tsujikawa
7152e0f6b8
nghttpx: Fix bug that decrypt only key is not considered
2015-07-27 21:13:02 +09:00
Tatsuhiro Tsujikawa
e3cdfd12ea
nghttpx: Use std::array for TicketKey
2015-07-27 02:12:07 +09:00
Tatsuhiro Tsujikawa
cd25c6846e
nghttpx: Create struct Address which holds struct sockaddr_union and length
2015-07-27 01:41:10 +09:00
Tatsuhiro Tsujikawa
90b4b48c7e
nghttpx: Add shared session cache using memcached
2015-07-26 23:33:06 +09:00
Tatsuhiro Tsujikawa
adec2c06bf
nghttpx: Set SSL/TLS session timeout to 12 hours
2015-07-24 23:59:19 +09:00
Tatsuhiro Tsujikawa
04bd25d468
nghttpx: Simplify ticket handling between workers just using mutex
2015-07-23 23:13:29 +09:00
Tatsuhiro Tsujikawa
a8574fdef2
nghttpx: Use std::string instead of std::unique_ptr<char[]> for tls config
2015-07-20 23:15:01 +09:00
Tatsuhiro Tsujikawa
dd8ce1e9d2
nghttpx: Use std::unique_ptr<char[]> instead of raw char pointer
2015-07-20 21:37:23 +09:00
Tatsuhiro Tsujikawa
e8167ceea7
nghttpx: Add AES-256-CBC encryption for TLS session ticket
2015-07-18 02:02:33 +09:00
Tatsuhiro Tsujikawa
6307f96fb3
nghttpx: Enable host-path backend routing in HTTP/2 backend
To achieve host-path backend routing, we changed the behaviour of
--backend-http2-connections-per-worker. It now sets the number of
HTTP/2 physical connections per pattern group if a pattern is used in the -b
option.
Fixes GH-292
2015-07-12 23:02:30 +09:00
Tatsuhiro Tsujikawa
3119fc259c
Select backend based on request host and path by extending -b option
-b option syntax is now <HOST>,<PORT>[;<PATTERN>[:...]]. The optional
<PATTERN>s specify the request host and path it is used for. The
<PATTERN> can contain path, host + path or host. The matching rule is
closely designed to ServeMux in Go programming language.
2015-07-11 00:15:52 +09:00
Tatsuhiro Tsujikawa
301df2a856
src: Disable SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS
2015-06-22 23:26:45 +09:00
Tatsuhiro Tsujikawa
532bffdb01
nghttpx: Minimize critical section for shared ocsp response
2015-06-12 21:27:12 +09:00
Tatsuhiro Tsujikawa
34efc6b7a4
More constexpr
2015-05-29 22:36:05 +09:00
Tatsuhiro Tsujikawa
0479f833fc
Revert "nghttpx: Remove last write/read fields for TLS"
This reverts commit 585af93828.
2015-05-15 22:20:15 +09:00
Tatsuhiro Tsujikawa
38cfc5c47c
Check more headers and funcs
2015-05-13 23:29:20 +09:00
Tatsuhiro Tsujikawa
d247470da2
nghttpx: Rewrite ocsp without thread
Since libev handles SIGCHLD, using waitpid in a separate thread to wait
for the completion of the fetch-ocsp-response script process is undefined.
This commit rewrites the ocsp handling code so that it utilizes the libev
ev_child watcher and performs the ocsp update without a thread.
2015-04-09 01:03:28 +09:00
Tatsuhiro Tsujikawa
4bc9afe20a
nghttpx: Add OCSP stapling feature
2015-03-30 23:58:28 +09:00
Tatsuhiro Tsujikawa
585af93828
nghttpx: Remove last write/read fields for TLS
It seems that we don't care about this since we don't change buffer
pointer between would-block write/read and next write/read. Somehow
we decided we need these fields. As a precaution, we set
SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER in SSL_set_mode() for both server
and client contexts.
2015-03-10 00:11:11 +09:00
Tatsuhiro Tsujikawa
ae0100a9ab
nghttpx: Refactor worker interface
2015-02-11 22:49:03 +09:00
Tatsuhiro Tsujikawa
b4b2ddad3b
src: Rewrite defer function template
2015-02-06 23:27:15 +09:00
Tatsuhiro Tsujikawa
6ff67ae869
src: Move array_size to nghttp2 namespace
2015-02-06 22:44:09 +09:00
Tatsuhiro Tsujikawa
b165775811
nghttpx: Refactor CertLookupTree
2015-02-06 21:25:43 +09:00
Tatsuhiro Tsujikawa
b2fb888363
Share I/O code with all upstreams/downstream objects
2015-02-05 03:05:34 +09:00
Tatsuhiro Tsujikawa
4b58b25c19
nghttpx: Refactor code to build cert_tree, add SNI test
2015-01-25 15:36:14 +09:00
Tatsuhiro Tsujikawa
0f4b0966ef
nghttpx: Merge all options settings in one SSL_CTX_set_options
2015-01-23 23:32:01 +09:00
Tatsuhiro Tsujikawa
1e4f8f27fd
nghttpx: Add --tls-ctx-per-worker option
When the same SSL_CTX is used by multiple threads simultaneously we have to
set up some number of mutex locks for it. We could not check how this
locking affects scalability since we have 4 cores at best in our
development machine. The good side of sharing SSL_CTX across threads is
that we can share the session ID pool.
If --tls-ctx-per-worker is enabled, SSL_CTX is created on a per-thread
basis and we can eliminate mutex locks. The downside is that the session ID is
no longer shared, which means a session ID generated by one thread
cannot be accepted by another thread. But we now have session
tickets enabled and their keys are shared by all threads.
2015-01-13 00:25:02 +09:00
Tatsuhiro Tsujikawa
0ea041e8cb
nghttpx: Add doc and clean up
2015-01-12 22:47:30 +09:00
Tatsuhiro Tsujikawa
689e8c0ee3
nghttpx: Don't copy ticket_keys std::shared_ptr
2015-01-08 21:49:19 +09:00
Tatsuhiro Tsujikawa
fcddb5c06c
nghttpx: Distribute session ticket keys to workers without mutex
2015-01-08 21:15:45 +09:00
Tatsuhiro Tsujikawa
5d3544185c
nghttpx: Fix crash in SSL_CTX_set_tlsext_ticket_key_cb
It seems that returning 0 when enc == 0 crashes OpenSSL.
2015-01-08 20:46:35 +09:00
Tatsuhiro Tsujikawa
5dce9501a6
Fix compile error with libstdc++ and/or --disable-threads
2015-01-08 01:57:59 +09:00
Tatsuhiro Tsujikawa
08e8cc1915
nghttpx: Add --tls-ticket-key-file option
This option specifies files containing 48 random bytes to construct
session ticket key data. This option can be used repeatedly to
specify multiple keys, but only the first one is used to encrypt
tickets.
2015-01-08 01:26:30 +09:00
Tatsuhiro Tsujikawa
52f3572d5b
nghttpx: Enable TLS session tickets with session key rotation every 12hrs
2015-01-08 00:01:09 +09:00
Tatsuhiro Tsujikawa
bfac015d61
src: Use libev for rest of the applications
2015-01-03 00:19:41 +09:00
Tatsuhiro Tsujikawa
d695d2ccc0
nghttp, nghttpx, nghttpd, h2load: Support h2-16 in NPN/ALPN
The nghttp2 library itself is still h2-14. To experiment with the
implementations to require h2-16 to test new features (e.g.,
prioritization), nghttp, nghttpx, nghttpd and h2load now support h2-16
as well as h2-14. Cleartext HTTP Upgrade is still limited to h2-14
however.
2014-12-16 22:57:58 +09:00
Tatsuhiro Tsujikawa
b607a22076
nghttpx: Support multiple HTTP/1 backend address
For HTTP/1 backend, the -b option can be used several times to specify
multiple backend addresses. HTTP/2 backend does not support multiple
addresses and only uses the first address even if multiple addresses are
specified.
2014-12-06 19:30:27 +09:00
Tatsuhiro Tsujikawa
b8dafbdf5e
nghttpx: Pass NI_NUMERICSERV to getnameinfo to get numeric service name
2014-12-06 01:07:05 +09:00
Tatsuhiro Tsujikawa
dcc7b23980
nghttpx: Remove cipher suite requirement
This makes the library h2-16 compatible now.
2014-11-30 22:52:34 +09:00
Tatsuhiro Tsujikawa
b1f807abd1
Reformat lines with clang-format-3.5
2014-11-27 23:56:30 +09:00
Lucas Pardue
9cf1a0c77c
Add features to logging, client and server port,
time_iso8601 and request_time.
2014-11-23 20:37:51 +00:00
Tatsuhiro Tsujikawa
a2bc88f6db
nghttpx: Check max length of ALPN field
2014-11-14 23:19:16 +09:00
Tatsuhiro Tsujikawa
d98e9a63d0
src: Refactor code around ALPN setup
2014-11-14 23:14:39 +09:00
Tatsuhiro Tsujikawa
ce71e65aee
nghttpx: Replace WARNING with WARN for consistency
2014-11-08 10:51:56 +09:00
Lucas Pardue
a067eb02a5
Add LOG_NOTICE level logging for application lifecycle events
2014-11-06 14:32:56 +00:00
Tatsuhiro Tsujikawa
03a2828fcf
src: Disable SSL_MODE_ENABLE_PARTIAL_WRITE for apps which use libevent
2014-11-05 01:15:38 +09:00
Tatsuhiro Tsujikawa
c6cfcc3c30
src: Disable insecure SSLv3
2014-10-22 23:14:07 +09:00
Tatsuhiro Tsujikawa
20de432725
nghttpx: Pool http downstream connection per thread
2014-10-13 21:09:00 +09:00
Tatsuhiro Tsujikawa
e4751a798a
Replace auto_delete* with defer
2014-09-16 23:39:38 +09:00
Tatsuhiro Tsujikawa
8890e593e6
src: Add util::array_size
2014-08-28 00:45:12 +09:00
Tatsuhiro Tsujikawa
0ce848a611
nghttpx: Rewrite logging system
This change rewrites the logging system of nghttpx. Previously access log
and error log were written to stderr or syslog and there was no option
to change stderr to something else. With this change, the file paths of
access log and error log can be configured separately and logging to a
regular file is now added. To support rotating logs, if the SIGUSR1 signal
is received by nghttpx, it closes the current log files and reopens them
with the same names. The format of the access log is changed and has the same
look as apache's, but not all columns are supported yet.
2014-07-05 18:43:24 +09:00
Tatsuhiro Tsujikawa
a3334bb21c
nghttpd: Use cipher suites recommended by Mozilla
2014-06-28 15:28:19 +09:00
Tatsuhiro Tsujikawa
479e15469c
nghttpx: Add worker-frontend-connections option
2014-06-26 22:55:22 +09:00
Tatsuhiro Tsujikawa
2bfa772472
nghttpx: Update cipher suite list
2014-06-19 23:26:30 +09:00
Tatsuhiro Tsujikawa
87360b4f7d
nghttpx: Require TLSv1.2 for h2
2014-06-18 12:09:30 +09:00
Tatsuhiro Tsujikawa
041cec2d97
nghttpx: Check error from SSL_set_fd
2014-06-12 23:39:58 +09:00
Tatsuhiro Tsujikawa
21c4931197
nghttpx: Get rid of openssl filter
The libevent OpenSSL filter is very inconvenient in various respects. The
most annoying thing is that it somehow emits data when SSL_shutdown is
called. The reason we introduced this filter solution was to drop the
connection if TLS renegotiation is detected. This commit implements
renegotiation detection and drops the connection without filtering.
2014-06-11 01:16:49 +09:00
Tatsuhiro Tsujikawa
d6b5824c9c
nghttpx: Don't check TLS requirement in ALPN cb cause cipher obj is nullptr
Also don't compare ALPN identifiers with streq, since they are just
byte strings.
2014-06-10 23:22:52 +09:00