This option specifies additional certificate and private key
file. Shrpx will choose certificates based on the hostname indicated
by client using TLS SNI extension. This option can be used multiple
times.
INFO log and its surrounding code are now guarded by
LOG_ENABLED(SEVERITY) macro so that they don't run if log level
threshold is higher. This increases performance because log formatting
is somewhat expensive.
Added macros which log messages from the following components are
prefixed with their component name + object pointer address:
ListenHandler: LISTEN
ThreadEventReceiver: THREAD_RECV
Upstream: UPSTREAM
Downstream: DOWNSTREAM
DownstreamConnection: DCONN
SpdySession: DSPDY
This avoids the need to provide the password for your
private key interactively.
It can be used via --private-key-passwd-file or private-key-passwd-file
in the given config file. The first line in the file
(without \n) will be treated as the passwd. There isn't
any validation and all lines after the first one (if any)
are ignored.
The security model behind this is a bit simplistic so I
am open to better ideas. Basically your password file
should be root:root (700) and you *should* drop root
and run as an unprivileged user.
If the file exists and a line can be read then a callback
will be set for the SSL ctxt and it'll feed the passwd
when the private key is read (if password is needed).
If the file exists with the wrong permisions it'll be
logged and ignored.
The -k, --insecure option is added to skip this verification. The
system wide trusted CA certificates will be loaded at startup. The
--cacert option is added to specify the trusted CA certificate file.
In client mode, now SPDY connection to the backend server is
established per thread. The frontend connections which belong to the
same thread share the SPDY connection.
With --client-mode option, shrpx now accepts unencrypted HTTP
connections and communicates with backend server in SPDY. In short,
this is the "reversed" operation mode against normal mode. This may
be useful for testing purpose because it can sit between HTTP client
and shrpx "normal" mode.
We should only call daemon() after ListenHandler is
instantiated, where SSL_CTX_use_PrivateKey_file is called,
otherwise we have no stdin/stdout to get the password for
keyfile.
The reason why we choose SPDY/2 as default for SPDY prxy was due to
Chrome's window update bug. Now its fix is available in Chrome stable,
we make SPDY/3 as default.
The on_ctrl_not_send_callback, on_ctrl_recv_parse_error_callback and
on_unknown_ctrl_recv_callback were added. The latter 2 callbacks are
purely debugging purpose. In on_ctrl_not_send_callback, If sending
SYN_REPLY failed, issue RST_STREAM to avoid a stream hanging around.
When deciding whether to close the client connection, check
request_connection_close_ of Downstream in addition of
response_connection_close_. Also we only add "Connection: Keep-Alive"
header to the HTTP/1.0 or HTTP/0.9 clients.
When --enable-src is given, the programs in src directory will be
built. If --disable-src is given, those programs will not be built. If
none of them are given, --enable-src is assumed.
To distinguish the to-be-installed programs and non-installable
example source code, the former programs, spdycat, spdydyd and shrpx,
were moved to src directory. spdynative was removed from Makefile
because it does not appeal to any users much.
Tatsuhiro Tsujikawa
Raul Gutierrez Segales