Commit Graph

348 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 7417fd71a4 nghttpx: Per-pattern not per-backend 2018-08-28 17:50:01 +09:00
Tatsuhiro Tsujikawa fb97f596e1 nghttpx: Allocate mruby file because fopen requires NULL terminated string 2018-08-24 23:08:15 +09:00
Tatsuhiro Tsujikawa b574ae6aa2 nghttpx: Support per-backend mruby script 2018-08-23 18:13:29 +09:00
Tatsuhiro Tsujikawa 880f948684 Enable IndentPPDirectives 2018-06-09 16:21:30 +09:00
Tatsuhiro Tsujikawa 1bf69b5662 Define LIBRESSL_LEGACY_API and LIBRESSL_2_7_API
LIBRESSL_LEGACY_API is drop-in replacement for LIBRESSL_IN_USE.  In
the upcoming commits, we will add changes to support libressl 2.7.
2018-04-14 18:09:47 +09:00
Tatsuhiro Tsujikawa e8af7afc65 nghttpx: Add an option to accept expired client certificate 2018-02-08 16:51:23 +09:00
Tatsuhiro Tsujikawa 5cc3d159e1 nghttpx: Add upgrade-scheme parameter to backend option
If "upgrade-scheme" parameter is present in backend option along with
"tls" paramter, HTTP/2 :scheme pseudo header field is changed to
"https" from "http" when forwarding a request to this particular
backend.  This is a workaround for a server which requests "https"
scheme on HTTP/2 connection encrypted by TLS.
2018-01-08 18:08:01 +09:00
Tatsuhiro Tsujikawa 4d1139f653 Remove SPDY 2017-12-17 13:28:44 +09:00
Tatsuhiro Tsujikawa 1ebb6810a1 nghttpx: Faster configuration loading with lots of backends 2017-12-01 23:06:06 +09:00
Tatsuhiro Tsujikawa ff200bfcf3 clang-format-5.0 2017-11-23 14:19:12 +09:00
Tatsuhiro Tsujikawa 0028275d7b nghttpx: Add affinity-cookie-secure parameter to backend option 2017-11-21 22:29:22 +09:00
Tatsuhiro Tsujikawa eca0a3025b nghttpx: Add $tls_client_serial log variable 2017-11-16 22:53:54 +09:00
Tatsuhiro Tsujikawa 22502182d0 Add tls_client_issuer_name log variable and expose it to mruby 2017-11-15 23:41:47 +09:00
Tatsuhiro Tsujikawa b8fda6808b nghttpx: Cookie based session affinity 2017-11-01 22:18:03 +09:00
Tatsuhiro Tsujikawa 539e27812b nghttpx: Add tls_client_fingerprint_sha1 to mruby and accesslog
Also tls_client_fingerprint is renamed to
tls_client_fingerprint_sha256.
2017-10-31 21:41:40 +09:00
Tatsuhiro Tsujikawa cb376bcd80 nghttpx: Add client fingerprint and subject name to accesslog 2017-10-29 21:47:00 +09:00
Tatsuhiro Tsujikawa 74c2f1257a nghttpx: Add --no-verify-ocsp to disable OCSP response verification 2017-05-25 23:14:58 +09:00
Tatsuhiro Tsujikawa 7d111d9963 Merge pull request #923 from nghttp2/compile-with-disable-assert
Compile with --disable-assert
2017-05-18 23:49:41 +09:00
Tatsuhiro Tsujikawa 1b442cb16f Compile with --disable-assert 2017-05-18 23:10:44 +09:00
Tatsuhiro Tsujikawa 0d4f0f0db5 nghttpx: Run OCSP at startup
With --ocsp-startup option, nghttpx starts accepting connections after
initial attempts to get OCSP responses finish.  It does not matter
some of the attempts fail.  This feature is useful if OCSP responses
must be available before accepting connections.
2017-05-18 22:33:49 +09:00
Tatsuhiro Tsujikawa b5007d45f7 nghttpx: Wildcard path matching
This commit adds wildcard path matching.  If path pattern given in
backend option ends with "*", it is considered as wildcard path.  "*"
must match at least one character.  All paths which include wildcard
path without last "*" as prefix, and are strictly longer than wildcard
path without last "*" are matched.
2017-05-11 22:15:28 +09:00
Tatsuhiro Tsujikawa 17614312e0 Merge pull request #892 from nghttp2/nghttpx-sni-fwd
nghttpx: SNI based backend server selection
2017-04-19 21:22:15 +09:00
Tatsuhiro Tsujikawa a2e35a0757 nghttpx: Add $tls_sni access log variable 2017-04-18 22:44:26 +09:00
Tatsuhiro Tsujikawa 03be97e437 nghttpx: Rename ssl_* log variables as tls_*
The exiting ssl_* log variables still work for backward compatibility.
2017-04-18 22:11:05 +09:00
Tatsuhiro Tsujikawa c8a5f1e335 nghttpx: SNI based backend server selection 2017-04-16 23:47:10 +09:00
Tatsuhiro Tsujikawa cc9190ab37 nghttpx: Add options for X-Forwarded-Proto header field
This commit adds 2 new options to handle X-Forwarded-Proto header
field.  The --no-add-x-forwarded-proto option makes nghttpx not to
append X-Forwarded-Proto value.  The
--no-strip-incoming-x-forwarded-proto option prevents nghttpx from
stripping the header field from client.

Previously, nghttpx always strips incoming header field, and set its
own header field.  This commit preserves this behaviour, and adds
additional knobs.
2017-04-08 18:46:36 +09:00
Tatsuhiro Tsujikawa 980570de71 Revert "nghttpx: Add options for X-Forwarded-Proto header field"
This reverts commit 8c0b2c684a.
2017-04-08 18:37:54 +09:00
Tatsuhiro Tsujikawa 223e971c7e nghttpx: Add --single-process option
With --single-process option, nghttpx will run in a single process
mode where master and worker are unified into one process.  nghttpx
still spawns additional process for neverbleed.  In the single process
mode, signal handling is disabled.
2017-04-06 20:02:57 +09:00
Tatsuhiro Tsujikawa 8c0b2c684a nghttpx: Add options for X-Forwarded-Proto header field
This commit adds 2 new options to handle X-Forwarded-Proto header
field.  The --add-x-forwarded-proto option makes nghttpx append
X-Forwarded-Proto value.  The --strip-incoming-x-forwarded-proto
option makes nghttpx to strip the header field from client.

Previously, nghttpx always strips incoming header field, and set its
own header field.  This commit changes this behaviour.  Now nghttpx
does not strip, and append X-Forwarded-Proto header field by default.
The X-Forwarded-For, and Forwarded header fields are also handled in
the same way.  To recover the old behaviour, use
--add-x-forwarded-proto and --strip-incoming-x-forwarded-proto
options.
2017-04-06 19:17:36 +09:00
Tatsuhiro Tsujikawa 058122b804 nghttpx: Rename shrpx_ssl.{h,cc} as shrpx_tls.{h,cc}
The namespace shrpx::ssl was also renamed as shrpx::tls.
2017-04-01 15:12:28 +09:00
Tatsuhiro Tsujikawa f41ac103d3 nghttpx: Retry getaddrinfo without AI_ADDRCONFIG 2017-03-27 00:20:42 +09:00
Tatsuhiro Tsujikawa b1fee8ff63 nghttpx: Use raw pointer for config 2017-03-15 23:13:14 +09:00
Tatsuhiro Tsujikawa fa074145a4 Merge pull request #788 from nghttp2/nghttpx-h2-proxy-pattern-match
nghttpx: Enable backend pattern matching with http2-proxy
2017-03-06 21:22:34 +09:00
Tatsuhiro Tsujikawa 373be22d7e nghttpx: Simpler 2017-02-23 22:32:04 +09:00
Tatsuhiro Tsujikawa b647a7c5b7 nghttpx: Simplify code using parse_uint 2017-02-23 22:22:49 +09:00
Tatsuhiro Tsujikawa 2af57c3cfc nghttpx: Add --single-worker option
Previously, nghttpx will use only one single thread inside the worker
process if --workers=1 (this is default).  If --workers=N, N > 1, we
use additional threads for accepting connections, or API request
processing, etc.

With this commit, we use the same processing model for N > 1 even if N
== 1.  To restore the original single thread execution mode,
--single-worker option is added.  If threading is disabled
--single-worker is always true.
2017-02-21 22:19:34 +09:00
Tatsuhiro Tsujikawa 9d16292fe4 nghttpx: Add --frontend-max-requests option 2017-02-20 23:36:50 +09:00
Tatsuhiro Tsujikawa a7c780a732 nghttpx: Redirect to HTTPS URI with redirect-if-not-tls param
This commit removes frontend-tls parameter, and adds
redirect-if-not-tls parameter parameter to --backend option.  nghttpx
now responds to the request with 308 status code to redirect the
request to https URI if frontend connection is not TLS encrypted, and
redirect-if-no-tls parameter is used in --backend option.  The port
number in Location header field is 443 by default (thus omitted), but
it can be configurable using --redirect-https-port option.
2017-02-18 22:32:27 +09:00
Tatsuhiro Tsujikawa cfb39171a7 nghttpx: Remove redundant StringRef ctor invocation 2017-02-16 22:45:55 +09:00
Tatsuhiro Tsujikawa b36e53cccd nghttpx: Specify TLS protocol by version range
This commit deprecates --tls-proto-list option, and adds 2 new
options: --tls-min-proto-version and --tls-max-proto-version to
specify minimum and maximum protocol version respectively.  Versions
between the two are enabled.  The deprecated --tls-proto-list has
empty default value, and acts like enabling only specific protocol
versions in the range for now.
2017-02-14 00:01:09 +09:00
Tatsuhiro Tsujikawa 0b1ddad62b nghttpx: Add frontend-tls parameter to backend to require client TLS 2017-01-28 22:19:14 +09:00
Tatsuhiro Tsujikawa 1cc08c0a51 nghttpx: Show warning if PSK options are used but not supported 2017-01-26 20:34:58 +09:00
Bernard Spil 16be89f9cc nghttpx: Don't build PSK features with LibreSSL
LibreSSL removed PSK

Signed-off-by: Bernard Spil <brnrd@FreeBSD.org>
2017-01-26 20:21:55 +09:00
Tatsuhiro Tsujikawa 3ddc446ba2 nghttpx: Enable backend pattern matching with http2-proxy 2017-01-26 01:04:27 +09:00
Tatsuhiro Tsujikawa 685e926494 nghttpx: Add --accesslog-write-early option
--accesslog-write-early option is analogous to HAProxy's logasap.  If
used, nghttpx writes access log when response header fields are
received from backend rather than when request transaction finishes.
2017-01-13 22:12:21 +09:00
Tatsuhiro Tsujikawa 9b574a5a76 nghttpx: Fix typo 2017-01-09 22:19:19 +09:00
Tatsuhiro Tsujikawa 9c7e54d9b5 nghttpx: Add client-ciphers option
Previously, ciphers option sets cipher list for both frontend and
backend TLS connections.  With this commit, ciphers option only sets
cipher list for frontend connections.  The new client-ciphers option
sets cipher list for backend connection.
2017-01-08 22:40:58 +09:00
Tatsuhiro Tsujikawa 3c03024881 nghttpx: Add client-no-http2-cipher-black-list option
This commit adds client-no-http2-cipher-black-list option to disable
enforcement of HTTP/2 cipher black list on backend HTTP/2 connection.
Previously, existing no-http2-cipher-black-list option disables it for
both frontend and backend connections.  Now no-http2-cipher-black-list
option only disables it for frontend connection.
2017-01-08 22:33:19 +09:00
Tatsuhiro Tsujikawa 36dfc0a56a nghttpx: Reorganize client side TLS configuration 2017-01-08 22:25:30 +09:00
Tatsuhiro Tsujikawa 79a24f5dd9 nghttpx: Add --client-psk-secret option to enable PSK in backend 2017-01-08 00:35:55 +09:00