Commit Graph

339 Commits

Author SHA1 Message Date
Tatsuhiro Tsujikawa b165775811 nghttpx: Refactor CertLookupTree 2015-02-06 21:25:43 +09:00
Tatsuhiro Tsujikawa 7c75d9db98 nghttpx: Set nghttp2_option_set_peer_max_concurrent_streams for HTTP/2 backend 2015-02-05 03:05:34 +09:00
Tatsuhiro Tsujikawa a68c4c1e3c nghttpx: Add --no-host-rewrite option 2015-02-04 01:42:26 +09:00
Tatsuhiro Tsujikawa d1a4002b22 nghttpx: Remove --accept-delay and --num-accept options 2015-01-29 20:58:47 +09:00
Fabian Möller 3167aa4081 nghttpx: set the supplementary group access list 2015-01-28 20:56:05 +09:00
Tatsuhiro Tsujikawa 402ebb277f nghttpx: Add --num-accept and --accept-delay options 2015-01-27 23:47:56 +09:00
Tatsuhiro Tsujikawa 13a14ecda8 nghttpx: Workaround IRIX's struct sockaddr which contains union 2015-01-17 14:59:24 +09:00
Tatsuhiro Tsujikawa f004361ef2 nghttpx: Add --backend-request-buffer option 2015-01-13 23:30:28 +09:00
Tatsuhiro Tsujikawa c88a5291b7 nghttpx: Add --backend-response-buffer option 2015-01-13 23:20:06 +09:00
Tatsuhiro Tsujikawa 1e4f8f27fd nghttpx: Add --tls-ctx-per-worker option
When same SSL_CTX is used by multiple thread simultaneously we have to
setup some number of mutex locks for it.  We could not check how this
locking affects scalability since we have 4 cores at best in our
development machine.  Good side of sharing SSL_CTX across threads is
we can share session ID pool.

If --tls-ctx-per-worker is enabled, SSL_CTX is created per thread
basis and we can eliminate mutex locks.  The downside is session ID is
no longer shared, which means if session ID generated by one thread
cannot be acceptable by another thread.  But we have now session
ticket enabled and its keys are shared by all threads.
2015-01-13 00:25:02 +09:00
Tatsuhiro Tsujikawa 0ca979b453 nghttpx: Add --rlimit-nofile option 2015-01-10 23:17:48 +09:00
Tatsuhiro Tsujikawa fcddb5c06c nghttpx: Distribute session ticket keys to workers without mutex 2015-01-08 21:15:45 +09:00
Tatsuhiro Tsujikawa 5dce9501a6 Fix compile error with libstdc++ and/or --disable-threads 2015-01-08 01:57:59 +09:00
Tatsuhiro Tsujikawa 08e8cc1915 nghttpx: Add --tls-ticket-key-file option
This option specifies files contains 48 random bytes to construct
session ticket key data.  This option can be used repeatedly to
specify multiple keys, but only the first one is used to encrypt
tickets.
2015-01-08 01:26:30 +09:00
Tatsuhiro Tsujikawa 52f3572d5b nghttpx: Enable TLS session tickets with session key rotation every 12hrs 2015-01-08 00:01:09 +09:00
Tatsuhiro Tsujikawa ba795d86f0 nghttpx: Don't cache time for logging
Update is done by main event loop which is stopped after graceful
shutdown is commenced, which means time is no longer update.  To avoid
this situation, we just avoid caching and get time for each logging.
2015-01-06 23:17:09 +09:00
Tatsuhiro Tsujikawa 7db1864766 nghttpx: Add --backend-http1-connections-per-frontend option 2015-01-03 00:19:41 +09:00
Tatsuhiro Tsujikawa bfac015d61 src: Use libev for rest of the applications 2015-01-03 00:19:41 +09:00
Tatsuhiro Tsujikawa b607a22076 nghttpx: Support multiple HTTP/1 backend address
For HTTP/1 backend, -b option can be used several times to specify
multiple backend address.  HTTP/2 backend does not support multiple
addresses and only uses first address even if multiple addresses are
specified.
2014-12-06 19:30:27 +09:00
Tatsuhiro Tsujikawa 9614611969 nghttpx: Limit # of downstream connections per host when h2 proxy is used
This commit limits the number of concurrent HTTP/1 downstream
connections to same host.  By defualt, it is limited to 8 connections.
--backend-connections-per-frontend option was replaced with
--backend-http1-connections-per-host, which changes the maximum number
of connections per host.  This limitation only kicks in when h2 proxy
is used (-s option).
2014-12-05 01:47:03 +09:00
Tatsuhiro Tsujikawa b1f807abd1 Reformat lines with clang-format-3.5 2014-11-27 23:56:30 +09:00
Tatsuhiro Tsujikawa 1fe50f272b nghttpx: Add $pid to --accesslog-format variable
$pid refers to the PID of the running process.
2014-11-24 14:34:43 +09:00
Tatsuhiro Tsujikawa 958cd0de64 nghttpx: Add configurable access logging format
This commit adds functionality to customize access logging format in
nghttpx.  The format variables are inspired by nginx.  The default
format is combined format.
2014-11-19 01:29:55 +09:00
Lucas Pardue 9ea4905f68 Added X-Forwarded-For header stripping option to nghttpx 2014-10-27 10:23:20 +00:00
Tatsuhiro Tsujikawa 822ec75814 nghttpx: Add --listener-disable-timeout option 2014-08-27 22:34:00 +09:00
Tatsuhiro Tsujikawa 5d2390deba nghttpx: Bring per-connection rate limit back
--read-burst=0 still does not work.  But specifying n > 0 workarounds
this.
2014-08-17 16:17:10 +09:00
Tatsuhiro Tsujikawa 0e8419ac37 nghttpx: Add backend-connections-per-frontend option
This option limits the number of backend connections per frontend.
This is meaningful for the combination of HTTP/2 and SPDY frontend and
HTTP/1 backend.
2014-08-16 22:24:17 +09:00
Tatsuhiro Tsujikawa ca680c16e3 nghttpx: Chown file to effective user 2014-08-13 01:53:44 +09:00
Tatsuhiro Tsujikawa bf13d91264 nghttpx: Add hot deploy feature
nghttpx supports hot deploy feature using signals.  The host deploy in
nghttpx is multi step process.  First send USR2 signal to nghttpx
process.  It will do fork and execute new executable, using same
command-line arguments and environment variables.  At this point, both
current and new processes can accept requests.  To gracefully shutdown
current process, send QUIT signal to current nghttpx process.  When
all existing frontend connections are done, the current process will
exit.  At this point, only new nghttpx process exists and serves
incoming requests.
2014-08-13 00:43:54 +09:00
Tatsuhiro Tsujikawa 24cfb52b5a nghttpx: Add --no-location-rewrite option
--no-location-rewrite option disallows location header rewrite on
--http2-bridge, --client and default mode.  This option is useful when
connecting nghttpx proxy with --http2-bridge to backend nghttpx with
http2-proxy mode.
2014-08-10 12:39:27 +09:00
Tatsuhiro Tsujikawa 76703f79fa nghttpx: Add stream level timeout for HTTP/2 and SPDY upstream/downstream 2014-08-09 22:56:27 +09:00
Tatsuhiro Tsujikawa a02624c9ed nghttpx: Use std::shared_ptr to share cached time
To ensure that cached time buffer is not altered while referencing it,
we rely on inerlocking in std::shared_ptr to acheive this.
2014-07-06 13:27:51 +09:00
Tatsuhiro Tsujikawa 933e24d412 nghttpx: Use std::atomic for Config::cached_time 2014-07-05 23:50:32 +09:00
Tatsuhiro Tsujikawa bf4042ce98 nghttpx: Cache time for logging 2014-07-05 19:40:30 +09:00
Tatsuhiro Tsujikawa 0ce848a611 nghttpx: Rewrite logging system
This change rewrites logging system of nghttpx.  Previously access log
and error log are written to stderr or syslog and there was no option
to change stderr to something else.  With this change, file path of
access log and error log can be configured separately and logging to
regular file is now added.  To support rotating log, if SIGUSR1 signal
is received by nghttpx, it closes the current log files and reopen it
with the same name.  The format of access log is changed and has same
look of apache's.  But not all columns are not supported yet.
2014-07-05 18:43:24 +09:00
Tatsuhiro Tsujikawa 479e15469c nghttpx: Add worker-frontend-connections option 2014-06-26 22:55:22 +09:00
Tatsuhiro Tsujikawa 266a15ccd3 nghttpx: Remove per-connection rate limit
It looks like setting read-rate and read-burst to 0 makes busy loop.
It seems a bug.  On the other hand, we most likely want per-thread
rate limit rather than per-connection.  So we decided to drop them.
2014-06-19 23:19:14 +09:00
Tatsuhiro Tsujikawa 1af9a9cee0 nghttpx: Don't stderr log if syslog is used
This change also reverts previous commits and tty is set to false if
syslog is used.
2014-06-12 21:47:00 +09:00
Tatsuhiro Tsujikawa 6a2950aef0 nghttpx: Make tty to false when daemonized 2014-06-12 00:19:46 +09:00
Tatsuhiro Tsujikawa c204861dec nghttpx: Create NPN prefs only once 2014-06-10 23:22:23 +09:00
Tatsuhiro Tsujikawa 7b0ed5d9bd nghttpx: Only allow DHE, ECDHE + AEAD ciphers for HTTP/2
Cipher suites are chosen by DHE and ECDHE ciphers + GCM (AEAD).  Now
default cipher list is the one recommended by Mozilla web site.  The
--honor-cipher-order option is removed and now it is always assumed.
2014-06-10 22:47:22 +09:00
Tatsuhiro Tsujikawa 0fd5b2aa32 nghttpx: Use std::vector for tls_proto_list and npn_list
Now SSL/TLS option mask to disable particular SSL/TLS protocol
versions are pre-calculated and stored in Config.
2014-06-08 23:09:44 +09:00
Tatsuhiro Tsujikawa 14b818efc8 nghttpx: Use std::unique_ptr<char[]> instead of char* 2014-06-08 21:02:40 +09:00
Tatsuhiro Tsujikawa a8a2236da9 nghttpx: Add --add-response-header option 2014-04-26 14:56:08 +09:00
Tatsuhiro Tsujikawa 6326aec089 nghttpx: Return std::unique_ptr from parse_config_str_list 2014-04-08 22:44:30 +09:00
Tatsuhiro Tsujikawa f9f6cdc93d nghttpx: Specify altsvc info in one option and allow multiple occurrences 2014-04-08 22:28:50 +09:00
Tatsuhiro Tsujikawa d668d2448b Hide session option from public API
To make adding new option easier, we decided to make the details of
option struct private and hide it from public API.  We provide
functions to set individual option value.
2014-04-04 21:57:47 +09:00
Tatsuhiro Tsujikawa db6c41a219 nghttpx: Add altsvc related options
To advertise alternative serive, at least --altsvc-port and
--altsvc-protocol-id must be specified.
2014-04-03 13:20:50 +09:00
Tatsuhiro Tsujikawa ab2dc5967d Replace HTTP/2.0 with HTTP/2 2014-03-30 19:26:37 +09:00
Tatsuhiro Tsujikawa d074cb611f nghttpx: Add rate limit per worker thread
The existing options --{read,write}-{rate,burst} are per connection.
The new options --worker-{read,write}-{rate,burst} are per worker
thread, which is overall rate limit of all connections worker handles.
2014-03-09 14:53:28 +09:00
Tatsuhiro Tsujikawa c280cc7c4d nghttpx: Add --padding option for debugging purpose 2014-02-11 17:23:22 +09:00
Tatsuhiro Tsujikawa c7c283f3a9 nghttpx: Add --frontend-frame-debug option to debug HTTP/2 frame in upstream
The output format is the same one with nghttp/nghttpd. The output
is made into stderr to make it sync with logging.
2014-02-09 18:47:26 +09:00
Tatsuhiro Tsujikawa 7ce3065f32 nghttpx: Add --tls-proto-list option to enable SSL/TLS protocol selectively 2014-01-02 13:08:54 +09:00
Tatsuhiro Tsujikawa 3e21bed4f9 nghttpx: Make parse_config_npn_list generic 2014-01-02 13:08:54 +09:00
Tatsuhiro Tsujikawa 20877b1107 nghttpx: Don't allow application protocol not listed in --npn-list option 2014-01-02 00:53:07 +09:00
Tatsuhiro Tsujikawa 6ea91e57e0 Adjust struct/class alignment 2013-12-06 23:17:38 +09:00
Tatsuhiro Tsujikawa 01f7162be3 nghttpx: Add connection-level flow control window size options
This commit also changes SPDY's flow control size. Previously,
the size for SPDY is the same amount of bytes with HTTP/2.
For example, --frontend-http2-upstream-window-bits=N,
the window size is 2**N - 1. Now SPDY code uses 2**N.
2013-11-21 00:15:17 +09:00
Tatsuhiro Tsujikawa 53b3fba05b nghttpx: Add --http2-no-cookie-crumbling option 2013-11-18 00:03:55 +09:00
Tatsuhiro Tsujikawa faedc4381d nghttpx: Add options to dump HTTP headers in HTTP/2.0 upstream 2013-11-17 23:52:19 +09:00
Tatsuhiro Tsujikawa 0fcd14300a nghttpx: Rename PROTO_SPDY with PROTO_HTTP2 for backend protocol name 2013-11-04 18:15:56 +09:00
Tatsuhiro Tsujikawa ba3db66cec nghttpx: Replace "spdy" in option name with "http2" 2013-11-04 18:14:05 +09:00
Tatsuhiro Tsujikawa 69967aeef8 nghttpx: Add --client-private-key-file and --client-cert-file options 2013-11-02 23:34:25 +09:00
Tatsuhiro Tsujikawa 5bb7066474 nghttpx: Add --verify-client-cacert option
Using --cacert to load certificate for client certificate authentication
is problematic since, --cacert is also used for client mode.
This commit adds --verify-client-cacert option which specify the CA
certficate file used only for client certificate validation.
This change also removes the default certficate load function for
client certificate validation.
2013-11-02 21:41:05 +09:00
Tatsuhiro Tsujikawa 02acfd7d70 nghttpx: Add --verify-client option
This option requires client certificate and successful verification.
Use --cacert option to add CA certificates as necessary.
2013-11-02 01:10:18 +09:00
Tatsuhiro Tsujikawa ab39ae849f nghttpx: Add --npn-list option 2013-09-23 20:55:39 +09:00
Tatsuhiro Tsujikawa c48a1d7516 nghttpx: Add rate limit options 2013-09-13 21:23:55 +09:00
Tatsuhiro Tsujikawa 0f75997839 nghttpx: Share ev_token_bucket_cfg across ClientHandlers 2013-09-13 00:25:24 +09:00
Tatsuhiro Tsujikawa aea036c9d4 nghttpx: Support ECDHE and DHE cipher suites
Use --dh-param-file option to specify a file including DH parameters
in PEM format.

For example, you can create DH parameters with 1024 bit key using
following command:

$ openssl dhparam -outform PEM -out dhparam.pem 1024
2013-08-30 22:07:42 +09:00
Tatsuhiro Tsujikawa 0150312022 nghttpx: Rename spdy_{upstream,downstream}_no_tls as {upstream,downstream}_no_tls 2013-08-03 19:01:57 +09:00
Tatsuhiro Tsujikawa 564e6b9ffc nghttpx: Rename --{front,back}end-spdy-no-tls as --{front,back}end-no-tls 2013-08-03 18:58:14 +09:00
Tatsuhiro Tsujikawa 18f450fd2a Port shrpx to nghttp2 use 2013-07-26 19:33:25 +09:00
Tatsuhiro Tsujikawa 0edce70343 Rebranding nghttp2 2013-07-13 00:43:06 +09:00
moparisthebest 7dfa559bc4 Add --honor-cipher-order option to mitigate BEAST attacks 2013-04-18 14:25:48 -04:00
Tatsuhiro Tsujikawa a9f475fb88 spdycat, shrpx: TLS SNI enhancements
shrpx:
* Added an option to set the TLS SNI extension between shrpx and the
  origin on the command line

spdycat:
* If the user set an explicit host header ( using --headers ) use that
  name for the TLS SNI extension.
* Added the handshake completion time to the verbose output
* The gettimeofday call in get_time was using the incorrect structure
  ( I believe )
* In update_html_parser it was submitting the request regardless of
  the return value of add_request.

Patch from Stephen Ludin
2013-03-29 22:06:33 +09:00
Tatsuhiro Tsujikawa 7d709fa3ff shrpx: Support non-TLS SPDY in frontend connection 2013-03-24 21:03:39 +09:00
Tatsuhiro Tsujikawa c487d152b2 shrpx: Add non-TLS SPDY backend connection support
Use --backend-spdy-no-tls to disable TLS on backend SPDY connection.
The SPDY protocol used there must be configured by
--backend-spdy-proto option.
2013-02-22 22:54:54 +09:00
Tatsuhiro Tsujikawa cb8b8050b5 shprx: Add --backend-http-proxy-uri option
Specify proxy URI in the form http://[USER:PASS]PROXY:PORT. USER and
PASS are optional and if they exist they must be properly
percent-encoded. This proxy is used when the backend connection is
SPDY. First, make a CONNECT request to the proxy and it connects to
the backend on behalf of shrpx. This forms tunnel. After that, shrpx
performs SSL/TLS handshake with the downstream through the tunnel. The
timeouts when connecting and making CONNECT request can be specified
by --backend-read-timeout and --backend-write-timeout options.
2013-02-09 16:55:39 +09:00
Tatsuhiro Tsujikawa 9ba19df813 shrpx: Add --spdy-bridge option
With --spdy-bridge option, it listens SPDY/HTTPS connections from
front end and forwards them to the backend in SPDY. The usage will be
written later. This change fixes the crash when more than 2
outstanding SpdyDownstreamConnection objects are added to SpdySession
and establishing connection to SPDY backend is failed.
2013-02-08 21:46:58 +09:00
Tatsuhiro Tsujikawa b18af854af shrpx: Add --subcert option to add additional certificate/private key
This option specifies additional certificate and private key
file. Shrpx will choose certificates based on the hostname indicated
by client using TLS SNI extension. This option can be used multiple
times.
2013-02-06 23:41:28 +09:00
Tatsuhiro Tsujikawa c45fa16f94 shrpx: Add --no-via option
If --no-via option is given, shrpx does not append to Via header
field. If Via header field is received, it is left unaltered.
2013-01-09 22:03:49 +09:00
Tatsuhiro Tsujikawa 9b1f36d274 shrpx: Color severity level in terminal
Color severity level if stderr refers to a terminal.
2012-12-09 21:02:48 +09:00
Raul Gutierrez Segales cbf8ccf7d1 [shrpx] read private key's passwd from a file
This avoids the need to provide the password for your
private key interactively.

It can be used via --private-key-passwd-file or private-key-passwd-file
in the given config file. The first line in the file
(without \n) will be treated as the passwd. There isn't
any validation and all lines after the first one (if any)
are ignored.

The security model behind this is a bit simplistic so I
am open to better ideas. Basically your password file
should be root:root (700) and you *should* drop root
and run as an unprivileged user.

If the file exists and a line can be read then a callback
will be set for the SSL ctxt and it'll feed the passwd
when the private key is read (if password is needed).

If the file exists with the wrong permisions it'll be
logged and ignored.
2012-12-03 21:55:32 -08:00
Tatsuhiro Tsujikawa baf2dc3ddf shrpx: Add --backend-ipv4 and --backend-ipv6 options. 2012-11-23 21:11:01 +09:00
Tatsuhiro Tsujikawa 7a21905312 shrpx: Remove Config ctor and fill all initial values in fill_default_config() 2012-11-22 23:35:10 +09:00
Tatsuhiro Tsujikawa d589f4c74c shrpx: Verify backend server's certificate in client mode
The -k, --insecure option is added to skip this verification.  The
system wide trusted CA certificates will be loaded at startup. The
--cacert option is added to specify the trusted CA certificate file.
2012-11-22 21:46:15 +09:00
Tatsuhiro Tsujikawa 81adb6bc7f shrpx: Implement downstream SPDY flow control 2012-11-21 23:47:48 +09:00
Tatsuhiro Tsujikawa 0bf15a7694 Rename --client-mode as --client and add --client-proxy
With --client-proxy option, shrpx makes sure that the request path is
an absolute URI, otherwise it will return 400 status code.
2012-11-21 22:10:35 +09:00
Tatsuhiro Tsujikawa 026f4ca3a2 Add --client-mode option
With --client-mode option, shrpx now accepts unencrypted HTTP
connections and communicates with backend server in SPDY.  In short,
this is the "reversed" operation mode against normal mode.  This may
be useful for testing purpose because it can sit between HTTP client
and shrpx "normal" mode.
2012-11-18 21:46:07 +09:00
Tatsuhiro Tsujikawa b0fcd68783 Move spdycat, spdyd and shrpx from examples to src
To distinguish the to-be-installed programs and non-installable
example source code, the former programs, spdycat, spdydyd and shrpx,
were moved to src directory. spdynative was removed from Makefile
because it does not appeal to any users much.
2012-09-10 21:39:51 +09:00