Commit Graph

446 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa 144ae3af9d nghttpx: Memcached connection encryption with tls keyword
Like frontend and backend options, encryption for memcached
connections is configured using tls keyword in
tls-session-cache-memcached and tls-ticket-key-memcached options.
tls-session-cache-memcached-tls and tls-ticket-key-memcached-tls
options are deprecated.
2016-03-24 00:22:13 +09:00
Tatsuhiro Tsujikawa eec0b04a33 nghttpx: Enable/disable TLS per frontend address
This change allows user to disable TLS per frontend address using
no-tls keyword in --frontend option.  We removed --frontend-no-tls in
favor of this new feature.
2016-03-23 23:56:09 +09:00
Tatsuhiro Tsujikawa 58b06f32a2 nghttpx: Configure TLS per backend routing pattern
We added "tls" parameter to --backend option to enable TLS on that
backend connection.  --backend-tls options was deprecated, now is
noop.
2016-03-23 22:56:18 +09:00
Tatsuhiro Tsujikawa 4bb88b35ec nghttpx: "*" must match at least one character 2016-03-22 22:40:23 +09:00
Tatsuhiro Tsujikawa 04145e22a2 Revert "nghttpx: Call setsid after executing new binary"
This reverts commit 6680d8b792.
2016-03-22 00:21:32 +09:00
Tatsuhiro Tsujikawa d2b55ad1a2 nghttpx: Allow '*' in --error-page to be used as wildcard 2016-03-19 23:49:15 +09:00
Tatsuhiro Tsujikawa d7051f5207 nghttpx: Add custom error pages 2016-03-19 23:41:21 +09:00
Tatsuhiro Tsujikawa 34d209b30b nghttpx: Add wildcard host routing
This change allows host pattern in --backend to include '*' to
indicate wildcard match.  The wildcard match is made in suffix match
only.
2016-03-13 01:01:34 +09:00
Tatsuhiro Tsujikawa df6466cfbd nghttpx: Update doc 2016-02-28 23:15:57 +09:00
Tatsuhiro Tsujikawa 2326337d32 nghttpx: Deprecate backend-http1-connections-per-host in favor of backend-connections-per-host 2016-02-28 22:15:49 +09:00
Tatsuhiro Tsujikawa 06921f35f3 nghttpx: Restructure mode settings
It is very hard to support multiple protocols in backend while
retaining multiple mode settings.  Therefore, we dropped modes except
for default and HTTP/2 proxy mode.  The other removed modes can be
emulated using combinations of options.  Now the backend connection is
not encrypted by default.  To enable encryption on backend connection,
use --backend-tls option.
2016-02-28 21:35:26 +09:00
Tatsuhiro Tsujikawa 44d3801760 nghttpx: Deprecate backend-http1-connections-per-frontend in favor of backend-connections-per-frontend 2016-02-28 17:11:12 +09:00
Tatsuhiro Tsujikawa 1832f78684 nghttpx: Move downstream proto to DownstreamAddrGroup 2016-02-28 16:56:14 +09:00
Tatsuhiro Tsujikawa 36f6a009b8 nghttpx: Effectively disable backend HTTP/2 connection flow control
This is required to avoid session stall because of too slow frontend
connection.
2016-02-28 00:19:18 +09:00
Tatsuhiro Tsujikawa aafcc55006 nghttpx: Deprecate --http2-max-concurrent-streams option
We added 2 new option instead: --frontend-http2-max-concurrent-streams
and --backend-http2-max-concurrent-streams.
2016-02-28 00:19:18 +09:00
Tatsuhiro Tsujikawa c731d1fea5 nghttpx: Deprecate --backend-http2-connections-per-worker option 2016-02-28 00:19:18 +09:00
Tatsuhiro Tsujikawa 8ca3e5f6ba nghttpx: Separate Downstream address group from config to runtime 2016-02-28 00:19:18 +09:00
Tatsuhiro Tsujikawa c098b4ac70 nghttpx: Remove --backend-tls-session-cache-per-worker option 2016-02-25 22:46:25 +09:00
Tatsuhiro Tsujikawa dfc02843b6 src: Rename and rewrite numeric_hostport as to_numeric_addr and support AF_UNIX path 2016-02-21 15:28:11 +09:00
Tatsuhiro Tsujikawa 466e4b7a1e nghttpx: Use ImmutableString for conf_path 2016-02-14 22:20:10 +09:00
Tatsuhiro Tsujikawa 76a425226f nghttpx: Use ImmutableString for pid_file 2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa 2b707bff27 nghttpx: Use ImmutableString for log file 2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa 9055323b67 nghttpx: Use ImmutableString for request_header_file and response_header_file 2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa ac81003669 nghttpx: Use ImmutableString for cert_file 2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa c999987baf nghttpx: Use ImmutableString for private_key_file 2016-02-14 22:17:10 +09:00
Tatsuhiro Tsujikawa 660bc389e6 nghttpx: Use ImmutableString for fetch_ocsp_response_file 2016-02-14 21:01:54 +09:00
Tatsuhiro Tsujikawa bfc26e8299 nghttpx: Use ImmutableString to store memcached server host 2016-02-14 20:59:10 +09:00
Tatsuhiro Tsujikawa 2d273f8237 nghttpx: Use StringRef for pattern paramter in Router::add_route 2016-02-14 18:55:53 +09:00
Tatsuhiro Tsujikawa a53f0f0a17 nghttpx: Refactor DownstreamAddrGroup and router API 2016-02-14 18:47:24 +09:00
Tatsuhiro Tsujikawa 1bd98dcf4f nghttpx: Remove user defined ctor/assignment op from DownstreamAddr 2016-02-14 18:31:08 +09:00
Tatsuhiro Tsujikawa eb0c82d91f nghttpx: More log output when resolving addresses for better debugging 2016-02-13 23:21:32 +09:00
Tatsuhiro Tsujikawa 72877379ec nghttpx: Deprecate --backend-ipv4 and --backend-ipv6 in favor of --backend-address-family 2016-02-13 19:09:39 +09:00
Tatsuhiro Tsujikawa c0078ab45a nghttpx: Add options to specify address family of memcached connections 2016-02-13 18:46:07 +09:00
Tatsuhiro Tsujikawa 3a41e4dd1a nghttpx: Add encryption support for TLS ticket key retrieval 2016-02-13 18:46:07 +09:00
Tatsuhiro Tsujikawa 3297a303bf nghttpx: Add client auth options for session cache memcached TLS connection 2016-02-13 18:46:07 +09:00
Tatsuhiro Tsujikawa f1580f95d4 nghttpx: Add TLS support for session cache memcached connection 2016-02-13 18:46:07 +09:00
Tatsuhiro Tsujikawa 60c0c2dd56 src: Code cleanup 2016-02-07 18:41:38 +09:00
Tatsuhiro Tsujikawa 6d49110a33 Rename FrontendAddr as UpstreamAddr 2016-02-07 17:51:53 +09:00
Tatsuhiro Tsujikawa 15fa38c72f nghttpx: Rename backend_session_cache_per_worker as downstream_session_cache_per_worker 2016-02-07 17:43:30 +09:00
Tatsuhiro Tsujikawa 6806196404 nghttpx: Update doc for HTTP/1 TLS backend connections 2016-02-07 17:43:30 +09:00
Tatsuhiro Tsujikawa e763770f3e nghttpx: Add option to specify maximum number of session cache 2016-02-07 17:43:30 +09:00
Tatsuhiro Tsujikawa bb4e2f6a24 nghttpx: Add TLS support for HTTP/1 backend 2016-02-07 17:43:30 +09:00
Tatsuhiro Tsujikawa 024d0d09ee nghttpx: Fix unexpected failure due to missing address family 2016-02-06 23:28:04 +09:00
Tatsuhiro Tsujikawa ee07694783 nghttpx: Add request-header-field-buffer and max-request-header-fields options
This commit adds request-header-field-buffer and
max-request-header-fields, and deprecates header-field-buffer and
max-header-fields options.
2016-02-06 17:22:23 +09:00
Tatsuhiro Tsujikawa 8741503db1 nghttpx: Add --no-http2-cipher-black-list to allow black listed cipher suite 2016-02-06 17:05:14 +09:00
Tatsuhiro Tsujikawa eec409dba7 nghttpx: Limit header fields from backend 2016-02-06 12:27:01 +09:00
Tatsuhiro Tsujikawa 35c3b36549 nghttpx: Document special value localhost in Forwarded "by" and "for" params 2016-02-01 23:34:07 +09:00
Tatsuhiro Tsujikawa aa07fe7fa6 nghttpx: Support multiple frontend addresses
This commit allows nghttpx to listen to multiple address and port pair
by specifying -f option multiple times.
2016-02-01 23:10:29 +09:00
Tatsuhiro Tsujikawa 85bb37ab7c Enable ConstructorInitializerAllOnOneLineOrOnePerLine for better diff 2016-01-27 21:14:07 +09:00
Tatsuhiro Tsujikawa efc3206ae0 nghttpx: Revert accidental change 2016-01-21 22:14:10 +09:00
Tatsuhiro Tsujikawa 497ffc6387 nghttpx: Change pushed stream's priority
By default, as RFC 7540 calls for, pushed stream depends on its
associated (parent) stream.  There are some situations that this is
sub-optimal.  For example, if associated stream is HTML, and server is
configured to push css and javascript files which are in critical
rendering path.  Then the default priority scheme is sub-optimal,
since browser typically blocks rendering while waiting for critical
resources.  In this case, it is better to at least give pushed stream
the same priority of associated stream, and interleave these streams.

This change gives pushed stream the same priority of associated stream
if pushed stream has content-type "application/javascript" or
"text/css".  The pushed stream now depends on the stream which
associated stream depends on.  We use the same weight of associated
stream.
2016-01-21 21:11:57 +09:00
Tatsuhiro Tsujikawa 5a3ca7e700 nghttpx: Disallow user defined static obfuscated string for "for" parameter 2016-01-21 21:05:07 +09:00
Tatsuhiro Tsujikawa 9ac3e643d8 Revert "nghttpx: Add --curves option to specify supported elliptic curves"
This reverts commit e278893b64.

SSL_CONF_CTX functions are not working correctly with OpenSSL 1.0.2.
It requires 1.1.0 to make it work.
2016-01-21 19:50:38 +09:00
Tatsuhiro Tsujikawa e278893b64 nghttpx: Add --curves option to specify supported elliptic curves 2016-01-21 18:23:13 +09:00
Tatsuhiro Tsujikawa 03f7f8cb9c nghttpx: About implicit conversion from ImmutableString and std::string to StringRef
This is required to avoid creation of temporary ImmutableString
like so:

std::string x;
ImmutableString y = ...;
StringRef ref = !x.empty() ? x : y;

First, temporary ImmutableString is created with x since
ImmutableString has constructor to accept std::string.  After
StringRef gets this, the temporary ImmutableString is destroyed, and
ref has dangling pointer.
2016-01-21 17:12:40 +09:00
Tatsuhiro Tsujikawa f44128774c nghttpx: Update doc 2016-01-19 21:01:34 +09:00
Tatsuhiro Tsujikawa f3946ae314 nghttpx: Remove assignment of zero values
Because of zero initialization, these assignments are unnecessary.
2016-01-19 17:27:56 +09:00
Tatsuhiro Tsujikawa 2f9946327a nghttpx: Fix bug that --listener-disable-timeout option is not used 2016-01-19 17:03:01 +09:00
Tatsuhiro Tsujikawa 0402481be4 nghttpx: Organize connection related configuration into struct 2016-01-19 16:56:12 +09:00
Tatsuhiro Tsujikawa 35feae3b0c nghttpx: Group up logging related options 2016-01-18 17:26:27 +09:00
Tatsuhiro Tsujikawa a053d10839 nghttpx: Move option handling code to separate function 2016-01-18 17:08:28 +09:00
Tatsuhiro Tsujikawa 16549bb276 nghttpx: Structured configurations for http and http2 2016-01-18 17:00:20 +09:00
Tatsuhiro Tsujikawa f3e1dc7a4f nghttpx: Structured TLS related configurations 2016-01-18 14:21:09 +09:00
Tatsuhiro Tsujikawa b12af8c410 nghttpx: Refactor backend proxy configuration 2016-01-17 22:51:40 +09:00
Tatsuhiro Tsujikawa 4f07db8bcb src: Rename our new string classes 2016-01-17 11:33:45 +09:00
Tatsuhiro Tsujikawa d16ff1f519 nghttpx: Use StringAdaptor for Config::server_name 2016-01-17 01:15:11 +09:00
Tatsuhiro Tsujikawa 34d5382d66 nghttpx: Use VString for DownstreamAddr::host and hostport to remember size 2016-01-17 00:52:41 +09:00
Tatsuhiro Tsujikawa 25570367b3 nghttpx: Document Forwarded related options 2016-01-16 11:58:02 +09:00
Tatsuhiro Tsujikawa d678c07ddf nghttpx: Allow user to specify static obfuscated value via command-line 2016-01-16 11:32:26 +09:00
Tatsuhiro Tsujikawa 5c3f74b424 nghttpx: Add RFC 7239 Forwarded header field support 2016-01-16 11:32:14 +09:00
Tatsuhiro Tsujikawa fe8005327a src: Make util::utos_with_unit and utos_with_funit names shorter 2016-01-11 18:12:31 +09:00
Tatsuhiro Tsujikawa 848f8fbe54 nghttpx: Don't apply max_header_fields and header_field_buffer limit to response
We modeled max_header_fields and header_field_buffer limit from Apache
configuration directives.  In Apache, they are only applied to request
header fields, while we applied both request and response.  Since
nghttpx is used as reverse proxy and backend server is relatively
"trusted", this commit removes the application to response header
fields.
2016-01-05 16:44:44 +09:00
Tatsuhiro Tsujikawa de247f7d33 src: Rename startsWith as starts_with 2015-11-28 00:42:51 +09:00
Tatsuhiro Tsujikawa 1753bea692 nghttpx: Support server push from HTTP/2 backend
This commits enables HTTP/2 server push from HTTP/2 backend to be
relayed to HTTP/2 frontend.  To use this feature, --http2-bridge or
--client is required.  Server push via Link header field contiues to
work.
2015-11-16 23:12:25 +09:00
Tatsuhiro Tsujikawa c711a80411 src: Fix typo
Apply typo fixes to the original source files in the previous commit
which were done in generated text.
2015-11-09 21:43:25 +09:00
Tatsuhiro Tsujikawa 6b0bde6c31 Update doc so that we can use hyperlink to referred options 2015-10-25 17:10:41 +09:00
Tatsuhiro Tsujikawa 9231a4ba57 nghttpx: Replace old script file options with --mruby-file 2015-10-25 17:05:15 +09:00
Tatsuhiro Tsujikawa 0b2c139eaa clang-format-3.5 2015-10-25 17:04:54 +09:00
Lucas Pardue dcc9aaaa24 Add TLS dynamic record size behaviour command line options 2015-10-22 14:07:18 +00:00
Tatsuhiro Tsujikawa 48edbc8687 nghttpx: Reduce default timeouts for read sockets to 1m 2015-10-18 00:15:58 +09:00
Tatsuhiro Tsujikawa eff3dfd50b src: Move exception handling code to one function 2015-10-17 23:34:05 +09:00
Tatsuhiro Tsujikawa 5594e3df25 src: Handle exception in main 2015-10-17 11:52:33 +09:00
Tatsuhiro Tsujikawa 85bc696c38 nghttpx: Add error handling for strdup and sigaction 2015-10-16 22:33:48 +09:00
Tatsuhiro Tsujikawa 338b4ba739 nghttpx: Don't use units to display fastopen default 2015-10-14 23:45:56 +09:00
Tatsuhiro Tsujikawa 41710bfc7e nghttpx: Add description about error message when TLS protocols do not overlap 2015-10-14 23:23:43 +09:00
Tatsuhiro Tsujikawa 0e87d464a2 clang-format 2015-10-14 23:23:34 +09:00
Tatsuhiro Tsujikawa f1eb7638d1 nghttpx: Change mruby script handling
This commit changes nghttpx's mruby script handling.  Previously we
have 2 options to specify the mruby script file to be run on request
and on response.  Now they are merged into 1 option, namely
--mruby-file.  It now must return object.  On request, the object's
on_req(env) method is invoked with env object.  Similarly, on
response, the object's on_resp(env) method is invoked.  The
specification of Env object has not changed.
2015-10-08 23:32:15 +09:00
Peeyush Aggarwal 349f3e2c7b Added support for RFC 7413 (TCP Fast Open) on nghttpx proxy listening connections.
Fixed code as per PR comments
2015-10-05 13:40:45 -07:00
Tatsuhiro Tsujikawa 0155c9115a nghttpx: Fix so that --padding option works again 2015-10-04 10:36:20 +09:00
Tatsuhiro Tsujikawa 2aa8d9642c nghttpx: Fix crash on http2/client proxy mode 2015-09-30 23:45:43 +09:00
Tatsuhiro Tsujikawa f150f9aec4 Fix compile error without BoringSSL 2015-09-29 23:45:13 +09:00
Tatsuhiro Tsujikawa f0d2c9f94b Compile with BoringSSL
Compile with BoringSSL except for neverbleed and libnghttp2_asio.  The
former uses ENGINE and RSA_METHOD, and they are quite different
between OpenSSL and BoringSSL.  The latter uses boost::asio, which
calls OpenSSL functions deleted in BoringSSL.
2015-09-29 23:38:17 +09:00
Tatsuhiro Tsujikawa a28aee058f nghttpx: Don't need to trap SIGTERM and SIGINT signals 2015-09-29 00:07:29 +09:00
Tatsuhiro Tsujikawa 8acf9a2802 nghttpx: Trie based routing 2015-09-26 22:19:10 +09:00
Tatsuhiro Tsujikawa 044385ab6e Add neverbleed support
neverbleed is disabled by default.  To enable it, use
--with-neverbleed configure option.
2015-09-26 19:01:31 +09:00
Tatsuhiro Tsujikawa 6680d8b792 nghttpx: Call setsid after executing new binary 2015-09-25 00:55:08 +09:00
Tatsuhiro Tsujikawa 0b32df94a5 nghttpx: Log when worker process exits 2015-09-25 00:11:35 +09:00
Tatsuhiro Tsujikawa c44587a70c nghttpx: Use _Exit when exiting from child process 2015-09-24 23:57:24 +09:00
Tatsuhiro Tsujikawa 389a96483a nghttpx: Fix improper signal handling 2015-09-24 23:43:24 +09:00
Tatsuhiro Tsujikawa a54062bd5e nghttpx: Fix output glitch 2015-09-24 00:11:02 +09:00