Commit Graph

482 Commits

Author SHA1 Message Date
moparisthebest 7dfa559bc4 Add --honor-cipher-order option to mitigate BEAST attacks 2013-04-18 14:25:48 -04:00
snnn 4c238c5b36 fix building on mac os x. "error: invalid suffix on literal; C++11 requires a space between literal and identifier" 2013-04-17 14:33:55 +08:00
Tatsuhiro Tsujikawa 34e119fde2 shrpx: Remove useless backend spdy version check
It is unnecessary because spdy version at this point is always valid.
2013-03-29 22:16:50 +09:00
Tatsuhiro Tsujikawa a9f475fb88 spdycat, shrpx: TLS SNI enhancements
shrpx:
* Added an option to set the TLS SNI extension between shrpx and the
  origin on the command line

spdycat:
* If the user set an explicit host header ( using --headers ) use that
  name for the TLS SNI extension.
* Added the handshake completion time to the verbose output
* The gettimeofday call in get_time was using the incorrect structure
  ( I believe )
* In update_html_parser it was submitting the request regardless of
  the return value of add_request.

Patch from Stephen Ludin
2013-03-29 22:06:33 +09:00
Tatsuhiro Tsujikawa 7d709fa3ff shrpx: Support non-TLS SPDY in frontend connection 2013-03-24 21:03:39 +09:00
Tatsuhiro Tsujikawa c487d152b2 shrpx: Add non-TLS SPDY backend connection support
Use --backend-spdy-no-tls to disable TLS on backend SPDY connection.
The SPDY protocol used there must be configured by
--backend-spdy-proto option.
2013-02-22 22:54:54 +09:00
Tatsuhiro Tsujikawa 8b6fbbf3a6 shrpx: Update --backend-http-proxy-uri usage 2013-02-09 19:08:02 +09:00
Tatsuhiro Tsujikawa ceba5539a1 shrpx: Fix client mode does not work 2013-02-09 17:45:57 +09:00
Tatsuhiro Tsujikawa 99b687ceca shrpx: Documented --spdy-bridge 2013-02-09 16:55:49 +09:00
Tatsuhiro Tsujikawa cb8b8050b5 shprx: Add --backend-http-proxy-uri option
Specify proxy URI in the form http://[USER:PASS]PROXY:PORT. USER and
PASS are optional and if they exist they must be properly
percent-encoded. This proxy is used when the backend connection is
SPDY. First, make a CONNECT request to the proxy and it connects to
the backend on behalf of shrpx. This forms tunnel. After that, shrpx
performs SSL/TLS handshake with the downstream through the tunnel. The
timeouts when connecting and making CONNECT request can be specified
by --backend-read-timeout and --backend-write-timeout options.
2013-02-09 16:55:39 +09:00
Tatsuhiro Tsujikawa 9ba19df813 shrpx: Add --spdy-bridge option
With --spdy-bridge option, it listens SPDY/HTTPS connections from
front end and forwards them to the backend in SPDY. The usage will be
written later. This change fixes the crash when more than 2
outstanding SpdyDownstreamConnection objects are added to SpdySession
and establishing connection to SPDY backend is failed.
2013-02-08 21:46:58 +09:00
Tatsuhiro Tsujikawa c707125839 shrpx: Explicitly hold server SSL_CTX and client SSL_CTX 2013-02-07 21:13:36 +09:00
Tatsuhiro Tsujikawa b18af854af shrpx: Add --subcert option to add additional certificate/private key
This option specifies additional certificate and private key
file. Shrpx will choose certificates based on the hostname indicated
by client using TLS SNI extension. This option can be used multiple
times.
2013-02-06 23:41:28 +09:00
Tatsuhiro Tsujikawa 29bec93eb9 shrpx: Don't run expensive INFO log code
INFO log and its surrounding code are now guarded by
LOG_ENABLED(SEVERITY) macro so that they don't run if log level
threshold is higher. This increases performance because log formatting
is somewhat expensive.
2013-01-21 22:48:08 +09:00
Tatsuhiro Tsujikawa dc2fe52e57 shrpx: Add missing \n to help message 2013-01-12 16:42:48 +09:00
Tatsuhiro Tsujikawa c45fa16f94 shrpx: Add --no-via option
If --no-via option is given, shrpx does not append to Via header
field. If Via header field is received, it is left unaltered.
2013-01-09 22:03:49 +09:00
Tatsuhiro Tsujikawa 4d1f1f2395 shrpx: Log IP version number when getaddrinfo failed 2013-01-09 22:03:34 +09:00
Tatsuhiro Tsujikawa 9b1f36d274 shrpx: Color severity level in terminal
Color severity level if stderr refers to a terminal.
2012-12-09 21:02:48 +09:00
Raul Gutierrez Segales cbf8ccf7d1 [shrpx] read private key's passwd from a file
This avoids the need to provide the password for your
private key interactively.

It can be used via --private-key-passwd-file or private-key-passwd-file
in the given config file. The first line in the file
(without \n) will be treated as the passwd. There isn't
any validation and all lines after the first one (if any)
are ignored.

The security model behind this is a bit simplistic so I
am open to better ideas. Basically your password file
should be root:root (700) and you *should* drop root
and run as an unprivileged user.

If the file exists and a line can be read then a callback
will be set for the SSL ctxt and it'll feed the passwd
when the private key is read (if password is needed).

If the file exists with the wrong permisions it'll be
logged and ignored.
2012-12-03 21:55:32 -08:00
Tatsuhiro Tsujikawa baf2dc3ddf shrpx: Add --backend-ipv4 and --backend-ipv6 options. 2012-11-23 21:11:01 +09:00
Tatsuhiro Tsujikawa 7a21905312 shrpx: Remove Config ctor and fill all initial values in fill_default_config() 2012-11-22 23:35:10 +09:00
Tatsuhiro Tsujikawa c1332a35a5 shrpx: Add -v, --version option 2012-11-22 23:08:36 +09:00
Tatsuhiro Tsujikawa 774e64d2b4 shrpx: Group up options in -h output 2012-11-22 23:04:27 +09:00
Tatsuhiro Tsujikawa 9c70c1b867 shrpx: Code cleanup 2012-11-22 22:05:52 +09:00
Tatsuhiro Tsujikawa 4349d42988 shrpx: Add usage for <PRIVATE_KEY> <CERT> 2012-11-22 22:00:38 +09:00
Tatsuhiro Tsujikawa d589f4c74c shrpx: Verify backend server's certificate in client mode
The -k, --insecure option is added to skip this verification.  The
system wide trusted CA certificates will be loaded at startup. The
--cacert option is added to specify the trusted CA certificate file.
2012-11-22 21:46:15 +09:00
Tatsuhiro Tsujikawa 81adb6bc7f shrpx: Implement downstream SPDY flow control 2012-11-21 23:47:48 +09:00
Tatsuhiro Tsujikawa 0bf15a7694 Rename --client-mode as --client and add --client-proxy
With --client-proxy option, shrpx makes sure that the request path is
an absolute URI, otherwise it will return 400 status code.
2012-11-21 22:10:35 +09:00
Tatsuhiro Tsujikawa fa552c6788 shrpx: Share SPDY session among multiple frontend connections per thread
In client mode, now SPDY connection to the backend server is
established per thread.  The frontend connections which belong to the
same thread share the SPDY connection.
2012-11-21 01:29:39 +09:00
Tatsuhiro Tsujikawa 026f4ca3a2 Add --client-mode option
With --client-mode option, shrpx now accepts unencrypted HTTP
connections and communicates with backend server in SPDY.  In short,
this is the "reversed" operation mode against normal mode.  This may
be useful for testing purpose because it can sit between HTTP client
and shrpx "normal" mode.
2012-11-18 21:46:07 +09:00
Raul Gutierrez Segales 6f6f6ffc41 [shrpx] fix password handling for certs keys
We should only call daemon() after ListenHandler is
instantiated, where  SSL_CTX_use_PrivateKey_file is called,
otherwise we have no stdin/stdout to get the password for
keyfile.
2012-10-27 22:29:27 -07:00
Tatsuhiro Tsujikawa b0fcd68783 Move spdycat, spdyd and shrpx from examples to src
To distinguish the to-be-installed programs and non-installable
example source code, the former programs, spdycat, spdydyd and shrpx,
were moved to src directory. spdynative was removed from Makefile
because it does not appeal to any users much.
2012-09-10 21:39:51 +09:00