1 /* 2 * nghttp2 - HTTP/2 C Library 3 * 4 * Copyright (c) 2012 Tatsuhiro Tsujikawa 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining 7 * a copy of this software and associated documentation files (the 8 * "Software"), to deal in the Software without restriction, including 9 * without limitation the rights to use, copy, modify, merge, publish, 10 * distribute, sublicense, and/or sell copies of the Software, and to 11 * permit persons to whom the Software is furnished to do so, subject to 12 * the following conditions: 13 * 14 * The above copyright notice and this permission notice shall be 15 * included in all copies or substantial portions of the Software. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 
*/
#ifndef SHRPX_CONFIG_H
#define SHRPX_CONFIG_H

#include "shrpx.h"

#include <sys/types.h>
#ifdef HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#endif // HAVE_SYS_SOCKET_H
#include <sys/un.h>
#ifdef HAVE_NETINET_IN_H
# include <netinet/in.h>
#endif // HAVE_NETINET_IN_H
#ifdef HAVE_ARPA_INET_H
# include <arpa/inet.h>
#endif // HAVE_ARPA_INET_H
#include <cinttypes>
#include <cstdio>
#include <vector>
#include <memory>
#include <set>
// NOTE(review): std::array (TicketKey), std::map (TLSConfig::psk_secrets)
// and std::chrono::seconds (TLSConfig::session_timeout) are used further
// down but <array>, <map> and <chrono> are not included here; presumably
// they arrive transitively through the project headers below -- confirm
// before relying on it.

#include <openssl/ssl.h>

#include <ev.h>

#include <nghttp2/nghttp2.h>

#include "shrpx_router.h"
#include "template.h"
#include "http2.h"
#include "network.h"
#include "allocator.h"

// NOTE(review): a using-directive at header scope pulls every nghttp2
// name into each translation unit that includes this header.
using namespace nghttp2;

namespace shrpx {

struct LogFragment;
class ConnectBlocker;
class Http2Session;

namespace tls {

class CertLookupTree;

} // namespace tls

// Names of the configuration options understood by shrpx.  Each StringRef
// holds the option's spelling in the configuration file; judging by the
// kebab-case form these are also the long command-line option names
// (confirm against the option table that consumes them).
constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE =
    StringRef::from_lit("private-key-file");
constexpr auto SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE =
    StringRef::from_lit("private-key-passwd-file");
constexpr auto SHRPX_OPT_CERTIFICATE_FILE =
    StringRef::from_lit("certificate-file");
constexpr auto SHRPX_OPT_DH_PARAM_FILE = StringRef::from_lit("dh-param-file");
constexpr auto SHRPX_OPT_SUBCERT = StringRef::from_lit("subcert");
constexpr auto SHRPX_OPT_BACKEND = StringRef::from_lit("backend");
constexpr auto SHRPX_OPT_FRONTEND = StringRef::from_lit("frontend");
constexpr auto SHRPX_OPT_WORKERS = StringRef::from_lit("workers");
constexpr auto SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS =
    StringRef::from_lit("http2-max-concurrent-streams");
constexpr auto SHRPX_OPT_LOG_LEVEL = StringRef::from_lit("log-level");
constexpr auto SHRPX_OPT_DAEMON = StringRef::from_lit("daemon");
constexpr auto SHRPX_OPT_HTTP2_PROXY = StringRef::from_lit("http2-proxy");
constexpr auto SHRPX_OPT_HTTP2_BRIDGE = StringRef::from_lit("http2-bridge");
constexpr auto SHRPX_OPT_CLIENT_PROXY = StringRef::from_lit("client-proxy");
// X-Forwarded-For handling; see HttpConfig::xff.  Whether incoming values
// are stripped decides if a client-supplied chain is kept or replaced.
constexpr auto SHRPX_OPT_ADD_X_FORWARDED_FOR =
    StringRef::from_lit("add-x-forwarded-for");
constexpr auto SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR =
    StringRef::from_lit("strip-incoming-x-forwarded-for");
constexpr auto SHRPX_OPT_NO_VIA = StringRef::from_lit("no-via");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT =
    StringRef::from_lit("frontend-http2-read-timeout");
constexpr auto SHRPX_OPT_FRONTEND_READ_TIMEOUT =
    StringRef::from_lit("frontend-read-timeout");
constexpr auto SHRPX_OPT_FRONTEND_WRITE_TIMEOUT =
    StringRef::from_lit("frontend-write-timeout");
constexpr auto SHRPX_OPT_BACKEND_READ_TIMEOUT =
    StringRef::from_lit("backend-read-timeout");
constexpr auto SHRPX_OPT_BACKEND_WRITE_TIMEOUT =
    StringRef::from_lit("backend-write-timeout");
constexpr auto SHRPX_OPT_STREAM_READ_TIMEOUT =
    StringRef::from_lit("stream-read-timeout");
constexpr auto SHRPX_OPT_STREAM_WRITE_TIMEOUT =
    StringRef::from_lit("stream-write-timeout");
constexpr auto SHRPX_OPT_ACCESSLOG_FILE = StringRef::from_lit("accesslog-file");
constexpr auto SHRPX_OPT_ACCESSLOG_SYSLOG =
    StringRef::from_lit("accesslog-syslog");
constexpr auto SHRPX_OPT_ACCESSLOG_FORMAT =
    StringRef::from_lit("accesslog-format");
constexpr auto SHRPX_OPT_ERRORLOG_FILE = StringRef::from_lit("errorlog-file");
constexpr auto SHRPX_OPT_ERRORLOG_SYSLOG =
    StringRef::from_lit("errorlog-syslog");
constexpr auto SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT =
    StringRef::from_lit("backend-keep-alive-timeout");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS =
    StringRef::from_lit("frontend-http2-window-bits");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS =
    StringRef::from_lit("backend-http2-window-bits");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS =
    StringRef::from_lit("frontend-http2-connection-window-bits");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS =
    StringRef::from_lit("backend-http2-connection-window-bits");
constexpr auto SHRPX_OPT_FRONTEND_NO_TLS =
    StringRef::from_lit("frontend-no-tls");
constexpr auto SHRPX_OPT_BACKEND_NO_TLS = StringRef::from_lit("backend-no-tls");
constexpr auto SHRPX_OPT_BACKEND_TLS_SNI_FIELD =
    StringRef::from_lit("backend-tls-sni-field");
constexpr auto SHRPX_OPT_PID_FILE = StringRef::from_lit("pid-file");
constexpr auto SHRPX_OPT_USER = StringRef::from_lit("user");
constexpr auto SHRPX_OPT_SYSLOG_FACILITY =
    StringRef::from_lit("syslog-facility");
constexpr auto SHRPX_OPT_BACKLOG = StringRef::from_lit("backlog");
constexpr auto SHRPX_OPT_CIPHERS = StringRef::from_lit("ciphers");
constexpr auto SHRPX_OPT_CLIENT = StringRef::from_lit("client");
// Maps to TLSConfig::insecure.  Presumably relaxes verification of the
// backend's TLS certificate; confirm in the option handler before
// documenting it further.
constexpr auto SHRPX_OPT_INSECURE = StringRef::from_lit("insecure");
constexpr auto SHRPX_OPT_CACERT = StringRef::from_lit("cacert");
constexpr auto SHRPX_OPT_BACKEND_IPV4 = StringRef::from_lit("backend-ipv4");
constexpr auto SHRPX_OPT_BACKEND_IPV6 = StringRef::from_lit("backend-ipv6");
constexpr auto SHRPX_OPT_BACKEND_HTTP_PROXY_URI =
    StringRef::from_lit("backend-http-proxy-uri");
constexpr auto SHRPX_OPT_READ_RATE = StringRef::from_lit("read-rate");
constexpr auto SHRPX_OPT_READ_BURST = StringRef::from_lit("read-burst");
constexpr auto SHRPX_OPT_WRITE_RATE = StringRef::from_lit("write-rate");
constexpr auto SHRPX_OPT_WRITE_BURST = StringRef::from_lit("write-burst");
constexpr auto SHRPX_OPT_WORKER_READ_RATE =
    StringRef::from_lit("worker-read-rate");
constexpr auto SHRPX_OPT_WORKER_READ_BURST =
    StringRef::from_lit("worker-read-burst");
constexpr auto SHRPX_OPT_WORKER_WRITE_RATE =
    StringRef::from_lit("worker-write-rate");
constexpr auto SHRPX_OPT_WORKER_WRITE_BURST =
    StringRef::from_lit("worker-write-burst");
constexpr auto SHRPX_OPT_NPN_LIST = StringRef::from_lit("npn-list");
constexpr auto SHRPX_OPT_TLS_PROTO_LIST = StringRef::from_lit("tls-proto-list");
// Client certificate verification; see TLSConfig::client_verify.
constexpr auto SHRPX_OPT_VERIFY_CLIENT = StringRef::from_lit("verify-client");
constexpr auto SHRPX_OPT_VERIFY_CLIENT_CACERT =
    StringRef::from_lit("verify-client-cacert");
constexpr auto SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE =
    StringRef::from_lit("client-private-key-file");
constexpr auto SHRPX_OPT_CLIENT_CERT_FILE =
    StringRef::from_lit("client-cert-file");
// Debug-only header dumps; see Http2Config::upstream.debug.dump.  The
// dumped headers include whatever the client sent (cookies, credentials),
// so the dump files need the same protection as the access log.
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER =
    StringRef::from_lit("frontend-http2-dump-request-header");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER =
    StringRef::from_lit("frontend-http2-dump-response-header");
constexpr auto SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING =
    StringRef::from_lit("http2-no-cookie-crumbling");
constexpr auto SHRPX_OPT_FRONTEND_FRAME_DEBUG =
    StringRef::from_lit("frontend-frame-debug");
constexpr auto SHRPX_OPT_PADDING = StringRef::from_lit("padding");
constexpr auto SHRPX_OPT_ALTSVC = StringRef::from_lit("altsvc");
constexpr auto SHRPX_OPT_ADD_REQUEST_HEADER =
    StringRef::from_lit("add-request-header");
constexpr auto SHRPX_OPT_ADD_RESPONSE_HEADER =
    StringRef::from_lit("add-response-header");
constexpr auto SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS =
    StringRef::from_lit("worker-frontend-connections");
constexpr auto SHRPX_OPT_NO_LOCATION_REWRITE =
    StringRef::from_lit("no-location-rewrite");
constexpr auto SHRPX_OPT_NO_HOST_REWRITE =
    StringRef::from_lit("no-host-rewrite");
constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST =
    StringRef::from_lit("backend-http1-connections-per-host");
constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND =
    StringRef::from_lit("backend-http1-connections-per-frontend");
constexpr auto SHRPX_OPT_LISTENER_DISABLE_TIMEOUT =
    StringRef::from_lit("listener-disable-timeout");
// TLS session ticket keys; see TLSConfig::ticket.
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_FILE =
    StringRef::from_lit("tls-ticket-key-file");
constexpr auto SHRPX_OPT_RLIMIT_NOFILE = StringRef::from_lit("rlimit-nofile");
constexpr auto SHRPX_OPT_BACKEND_REQUEST_BUFFER =
    StringRef::from_lit("backend-request-buffer");
constexpr auto SHRPX_OPT_BACKEND_RESPONSE_BUFFER =
    StringRef::from_lit("backend-response-buffer");
constexpr auto SHRPX_OPT_NO_SERVER_PUSH = StringRef::from_lit("no-server-push");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER =
    StringRef::from_lit("backend-http2-connections-per-worker");
constexpr auto SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE =
    StringRef::from_lit("fetch-ocsp-response-file");
constexpr auto SHRPX_OPT_OCSP_UPDATE_INTERVAL =
    StringRef::from_lit("ocsp-update-interval");
constexpr auto SHRPX_OPT_NO_OCSP = StringRef::from_lit("no-ocsp");
// NOTE(review): these two sit next to the request-/response- prefixed
// variants below; presumably the older, un-prefixed spellings kept for
// compatibility -- confirm in the option handler.
constexpr auto SHRPX_OPT_HEADER_FIELD_BUFFER =
    StringRef::from_lit("header-field-buffer");
constexpr auto SHRPX_OPT_MAX_HEADER_FIELDS =
    StringRef::from_lit("max-header-fields");
constexpr auto SHRPX_OPT_INCLUDE = StringRef::from_lit("include");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_CIPHER =
    StringRef::from_lit("tls-ticket-key-cipher");
constexpr auto SHRPX_OPT_HOST_REWRITE = StringRef::from_lit("host-rewrite");
// memcached-backed TLS session cache and ticket-key distribution; see
// TLSConfig::session_cache and TLSConfig::ticket.memcached.
constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED =
    StringRef::from_lit("tls-session-cache-memcached");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED =
    StringRef::from_lit("tls-ticket-key-memcached");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_INTERVAL =
    StringRef::from_lit("tls-ticket-key-memcached-interval");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY =
    StringRef::from_lit("tls-ticket-key-memcached-max-retry");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL =
    StringRef::from_lit("tls-ticket-key-memcached-max-fail");
constexpr auto SHRPX_OPT_MRUBY_FILE = StringRef::from_lit("mruby-file");
// PROXY protocol acceptance; see UpstreamAddr::accept_proxy_protocol.
constexpr auto SHRPX_OPT_ACCEPT_PROXY_PROTOCOL =
    StringRef::from_lit("accept-proxy-protocol");
constexpr auto SHRPX_OPT_FASTOPEN = StringRef::from_lit("fastopen");
constexpr auto SHRPX_OPT_TLS_DYN_REC_WARMUP_THRESHOLD =
    StringRef::from_lit("tls-dyn-rec-warmup-threshold");
constexpr auto SHRPX_OPT_TLS_DYN_REC_IDLE_TIMEOUT =
    StringRef::from_lit("tls-dyn-rec-idle-timeout");
// Forwarded header field handling; see HttpConfig::forwarded.
constexpr auto SHRPX_OPT_ADD_FORWARDED = StringRef::from_lit("add-forwarded");
constexpr auto SHRPX_OPT_STRIP_INCOMING_FORWARDED =
    StringRef::from_lit("strip-incoming-forwarded");
constexpr auto SHRPX_OPT_FORWARDED_BY = StringRef::from_lit("forwarded-by");
constexpr auto SHRPX_OPT_FORWARDED_FOR = StringRef::from_lit("forwarded-for");
constexpr auto SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER =
    StringRef::from_lit("request-header-field-buffer");
constexpr auto SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS =
    StringRef::from_lit("max-request-header-fields");
constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER =
    StringRef::from_lit("response-header-field-buffer");
constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS =
    StringRef::from_lit("max-response-header-fields");
// RFC 7540 Appendix A lists TLS 1.2 cipher suites that HTTP/2 must not
// use; this option presumably disables that check (confirm in the TLS
// setup code).
constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST =
    StringRef::from_lit("no-http2-cipher-black-list");
constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS =
    StringRef::from_lit("backend-http1-tls");
constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_TLS =
    StringRef::from_lit("tls-session-cache-memcached-tls");
constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE =
    StringRef::from_lit("tls-session-cache-memcached-cert-file");
constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE =
    StringRef::from_lit("tls-session-cache-memcached-private-key-file");
constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY =
    StringRef::from_lit("tls-session-cache-memcached-address-family");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_TLS =
    StringRef::from_lit("tls-ticket-key-memcached-tls");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_CERT_FILE =
    StringRef::from_lit("tls-ticket-key-memcached-cert-file");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE =
    StringRef::from_lit("tls-ticket-key-memcached-private-key-file");
constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY =
    StringRef::from_lit("tls-ticket-key-memcached-address-family");
constexpr auto SHRPX_OPT_BACKEND_ADDRESS_FAMILY =
    StringRef::from_lit("backend-address-family");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS =
    StringRef::from_lit("frontend-http2-max-concurrent-streams");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS =
    StringRef::from_lit("backend-http2-max-concurrent-streams");
constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_FRONTEND =
    StringRef::from_lit("backend-connections-per-frontend");
constexpr auto SHRPX_OPT_BACKEND_TLS = StringRef::from_lit("backend-tls");
constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_HOST =
    StringRef::from_lit("backend-connections-per-host");
constexpr auto SHRPX_OPT_ERROR_PAGE = StringRef::from_lit("error-page");
constexpr auto SHRPX_OPT_NO_KQUEUE = StringRef::from_lit("no-kqueue");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_SETTINGS_TIMEOUT =
    StringRef::from_lit("frontend-http2-settings-timeout");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_SETTINGS_TIMEOUT =
    StringRef::from_lit("backend-http2-settings-timeout");
// Upper bound on an API request body; see APIConfig::max_request_body.
constexpr auto SHRPX_OPT_API_MAX_REQUEST_BODY =
    StringRef::from_lit("api-max-request-body");
constexpr auto SHRPX_OPT_BACKEND_MAX_BACKOFF =
    StringRef::from_lit("backend-max-backoff");
constexpr auto SHRPX_OPT_SERVER_NAME = StringRef::from_lit("server-name");
constexpr auto SHRPX_OPT_NO_SERVER_REWRITE =
    StringRef::from_lit("no-server-rewrite");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE =
    StringRef::from_lit("frontend-http2-optimize-write-buffer-size");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE =
    StringRef::from_lit("frontend-http2-optimize-window-size");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_SIZE =
    StringRef::from_lit("frontend-http2-window-size");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE =
    StringRef::from_lit("frontend-http2-connection-window-size");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_SIZE =
    StringRef::from_lit("backend-http2-window-size");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE =
    StringRef::from_lit("backend-http2-connection-window-size");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE =
    StringRef::from_lit("frontend-http2-encoder-dynamic-table-size");
constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE =
    StringRef::from_lit("frontend-http2-decoder-dynamic-table-size");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE =
    StringRef::from_lit("backend-http2-encoder-dynamic-table-size");
constexpr auto SHRPX_OPT_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE =
    StringRef::from_lit("backend-http2-decoder-dynamic-table-size");
constexpr auto SHRPX_OPT_ECDH_CURVES = StringRef::from_lit("ecdh-curves");
constexpr auto SHRPX_OPT_TLS_SCT_DIR = StringRef::from_lit("tls-sct-dir");
constexpr auto SHRPX_OPT_BACKEND_CONNECT_TIMEOUT =
    StringRef::from_lit("backend-connect-timeout");
constexpr auto SHRPX_OPT_DNS_CACHE_TIMEOUT =
    StringRef::from_lit("dns-cache-timeout");
constexpr auto SHRPX_OPT_DNS_LOOKUP_TIMEOUT =
    StringRef::from_lit("dns-lookup-timeout");
constexpr auto SHRPX_OPT_DNS_MAX_TRY = StringRef::from_lit("dns-max-try");
constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT =
    StringRef::from_lit("frontend-keep-alive-timeout");
// TLS-PSK identities and secrets; see TLSConfig::psk_secrets and
// TLSConfig::client.psk.
constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets");
constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
    StringRef::from_lit("client-psk-secrets");
constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
    StringRef::from_lit("client-no-http2-cipher-black-list");
constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
constexpr auto SHRPX_OPT_ACCESSLOG_WRITE_EARLY =
    StringRef::from_lit("accesslog-write-early");
// Protocol version floor/ceiling; see TLSConfig::min_proto_version and
// TLSConfig::max_proto_version.
constexpr auto SHRPX_OPT_TLS_MIN_PROTO_VERSION =
    StringRef::from_lit("tls-min-proto-version");
constexpr auto SHRPX_OPT_TLS_MAX_PROTO_VERSION =
    StringRef::from_lit("tls-max-proto-version");
constexpr auto SHRPX_OPT_REDIRECT_HTTPS_PORT =
    StringRef::from_lit("redirect-https-port");
constexpr auto SHRPX_OPT_FRONTEND_MAX_REQUESTS =
    StringRef::from_lit("frontend-max-requests");
constexpr auto SHRPX_OPT_SINGLE_THREAD = StringRef::from_lit("single-thread");
constexpr auto SHRPX_OPT_SINGLE_PROCESS = StringRef::from_lit("single-process");
constexpr auto SHRPX_OPT_NO_ADD_X_FORWARDED_PROTO =
    StringRef::from_lit("no-add-x-forwarded-proto");
constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO =
    StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
// The next two relax a verification step (OCSP response / client
// certificate expiry); see TLSConfig::ocsp.no_verify and
// TLSConfig::client_verify.tolerate_expired.
constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
    StringRef::from_lit("verify-client-tolerate-expired");
constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR =
    StringRef::from_lit("ignore-per-pattern-mruby-error");
// TLS 1.3 early data (0-RTT) handling; see TLSConfig::no_postpone_early_data
// and TLSConfig::max_early_data.
constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
    StringRef::from_lit("tls-no-postpone-early-data");
constexpr auto
SHRPX_OPT_TLS_MAX_EARLY_DATA = StringRef::from_lit("tls-max-early-data");
constexpr auto SHRPX_OPT_TLS13_CIPHERS = StringRef::from_lit("tls13-ciphers");
constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS =
    StringRef::from_lit("tls13-client-ciphers");
// See HttpConfig::early_data.strip_incoming.
constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA =
    StringRef::from_lit("no-strip-incoming-early-data");

// Length of an obfuscated node identifier.  Presumably the size of the
// identifier generated for the "by"/"for" parameters of the Forwarded
// header field when ForwardedNode::OBFUSCATED is selected -- confirm
// where it is consumed.
constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;

// Backend host and port used when none is configured.
constexpr char DEFAULT_DOWNSTREAM_HOST[] = "127.0.0.1";
// NOTE(review): declared int16_t while every port field in this header
// (UpstreamAddr::port, DownstreamAddrConfig::port, ...) is uint16_t.  80
// fits either way, but the signed type invites a narrowing warning at
// the assignment site -- TODO confirm whether uint16_t was intended.
constexpr int16_t DEFAULT_DOWNSTREAM_PORT = 80;

// Application protocol spoken on a backend connection.
enum class Proto {
  NONE,
  HTTP1,
  HTTP2,
  MEMCACHED,
};

enum class SessionAffinity {
  // No session affinity
  NONE,
  // Client IP affinity
  IP,
  // Cookie based affinity
  COOKIE,
};

enum class SessionAffinityCookieSecure {
  // Secure attribute of session affinity cookie is determined by the
  // request scheme.  NOTE(review): a cookie issued on a plaintext
  // request therefore carries no Secure attribute; YES is the
  // conservative choice when the frontend is only ever reached over
  // TLS.
  AUTO,
  // Secure attribute of session affinity cookie is always set.
  YES,
  // Secure attribute of session affinity cookie is always unset.
  NO,
};

// Session affinity settings of one backend group: the affinity type and,
// for SessionAffinity::COOKIE, the cookie attributes.
struct AffinityConfig {
  // Type of session affinity.
  SessionAffinity type;
  struct {
    // Name of a cookie to use.
    StringRef name;
    // Path which a cookie is applied to.
    StringRef path;
    // Secure attribute
    SessionAffinityCookieSecure secure;
  } cookie;
};

// Bit flags selecting which parameters are emitted in the Forwarded
// header field; combined by bitwise-OR into HttpConfig::forwarded.params.
enum shrpx_forwarded_param {
  FORWARDED_NONE = 0,
  FORWARDED_BY = 0x1,
  FORWARDED_FOR = 0x2,
  FORWARDED_HOST = 0x4,
  FORWARDED_PROTO = 0x8,
};

// How a node is represented in the "by"/"for" parameters of the
// Forwarded header field: an obfuscated identifier or the real IP
// address.  Emitting real addresses discloses the internal or client
// address to the backend; pick per deployment.
enum class ForwardedNode {
  OBFUSCATED,
  IP,
};

// One Alt-Svc advertisement.  The four strings presumably map onto the
// protocol-id, host, origin and alternative-service parts of the
// Alt-Svc value -- confirm in the code that serializes it.
struct AltSvc {
  StringRef protocol_id, host, origin, service;

  uint16_t port;
};

enum class UpstreamAltMode {
  // No alternative mode
  NONE,
  // API processing mode
  API,
  // Health monitor mode
  HEALTHMON,
};

// One configured frontend (listening) address.
struct UpstreamAddr {
  // The frontend address (e.g., FQDN, hostname, IP address).  If
  // |host_unix| is true, this is UNIX domain socket path. This must
  // be NULL terminated string.
  StringRef host;
  // For TCP socket, this is <IP address>:<PORT>. For IPv6 address,
  // address is surrounded by square brackets. If socket is UNIX
  // domain socket, this is "localhost".
  StringRef hostport;
  // frontend port. 0 if |host_unix| is true.
  uint16_t port;
  // For TCP socket, this is either AF_INET or AF_INET6. For UNIX
  // domain socket, this is 0.
  int family;
  // Alternate mode.  UpstreamAltMode::API exposes the management API on
  // this address, so it should only be bound where the API is meant to
  // be reachable.
  UpstreamAltMode alt_mode;
  // true if |host| contains UNIX domain socket path.
  bool host_unix;
  // true if TLS is enabled.
  bool tls;
  // true if SNI host should be used as a host when selecting backend
  // server.
  bool sni_fwd;
  // true if client is supposed to send PROXY protocol v1 header.
  // NOTE(review): the addresses carried in that header are presumably
  // taken on trust, so this should only be enabled on frontends that
  // are reached exclusively through the proxy that adds it -- confirm
  // in the acceptor code.
  bool accept_proxy_protocol;
  // Socket descriptor of this frontend (presumably the listening socket
  // once bound; -1 or 0 before that -- confirm in the listener code).
  int fd;
};

// One backend address inside a DownstreamAddrGroupConfig.
struct DownstreamAddrConfig {
  // Resolved address if |dns| is false
  Address addr;
  // backend address. If |host_unix| is true, this is UNIX domain
  // socket path. This must be NULL terminated string.
  StringRef host;
  // <HOST>:<PORT>. This does not treat 80 and 443 specially. If
  // |host_unix| is true, this is "localhost".
  StringRef hostport;
  // hostname sent as SNI field
  StringRef sni;
  // name of group which this address belongs to.
  StringRef group;
  // Health-check thresholds: presumably the number of consecutive
  // failures before the address is taken out of rotation (fall) and the
  // number of consecutive successes before it is put back (rise) --
  // confirm in the health-check code.
  size_t fall;
  size_t rise;
  // weight of this address inside a weight group. Its range is [1,
  // 256], inclusive.
  uint32_t weight;
  // weight of the weight group. Its range is [1, 256], inclusive.
  uint32_t group_weight;
  // Application protocol used in this group
  Proto proto;
  // backend port. 0 if |host_unix| is true.
  uint16_t port;
  // true if |host| contains UNIX domain socket path.
  bool host_unix;
  // true if the connection to this backend uses TLS.
  bool tls;
  // true if dynamic DNS is enabled
  bool dns;
  // true if :scheme pseudo header field should be upgraded to secure
  // variant (e.g., "https") when forwarding request to a backend
  // connected by TLS connection.
  bool upgrade_scheme;
};

// Mapping hash to idx which is an index into
// DownstreamAddrGroupConfig::addrs.
struct AffinityHash {
  AffinityHash(size_t idx, uint32_t hash) : idx(idx), hash(hash) {}

  size_t idx;
  uint32_t hash;
};

// A group of backend addresses selected by a routing pattern.
struct DownstreamAddrGroupConfig {
  // NOTE(review): single-argument constructor is not explicit, so a
  // StringRef converts implicitly to a group; consider `explicit` if no
  // caller relies on the conversion.
  DownstreamAddrGroupConfig(const StringRef &pattern)
      : pattern(pattern),
        affinity{SessionAffinity::NONE},
        redirect_if_not_tls(false),
        timeout{} {}

  // Routing pattern (host/path) this group is registered under.
  StringRef pattern;
  // Per-pattern mruby script path; empty when none is configured.
  StringRef mruby_file;
  std::vector<DownstreamAddrConfig> addrs;
  // Bunch of session affinity hash. Only used if affinity.type ==
  // SessionAffinity::IP.
  std::vector<AffinityHash> affinity_hash;
  // Session affinity configuration (type, plus cookie attributes for
  // cookie based affinity).
  AffinityConfig affinity;
  // true if this group requires that client connection must be TLS,
  // and the request must be redirected to https URI.
  bool redirect_if_not_tls;
  // Timeouts for backend connection.
struct {
    ev_tstamp read;
    ev_tstamp write;
  } timeout;
};

// One TLS session ticket key set (RFC 5077).  Holds raw key material;
// instances should not be logged or copied more than necessary.
struct TicketKey {
  const EVP_CIPHER *cipher;
  const EVP_MD *hmac;
  // Number of bytes of |data.hmac_key| that are in use -- presumably
  // derived from |hmac|; confirm where the key is loaded.
  size_t hmac_keylen;
  struct {
    // name of this ticket configuration
    std::array<uint8_t, 16> name;
    // encryption key for |cipher|
    std::array<uint8_t, 32> enc_key;
    // hmac key for |hmac|
    std::array<uint8_t, 32> hmac_key;
  } data;
};

// Owning list of ticket keys.  The destructor is defined out of line;
// presumably it scrubs the key material before release -- confirm in
// shrpx_config.cc.
struct TicketKeys {
  ~TicketKeys();
  std::vector<TicketKey> keys;
};

// An additional certificate/private-key pair (see TLSConfig::subcerts)
// together with its Signed Certificate Timestamp data.
struct TLSCertificate {
  TLSCertificate(StringRef private_key_file, StringRef cert_file,
                 std::vector<uint8_t> sct_data)
      : private_key_file(std::move(private_key_file)),
        cert_file(std::move(cert_file)),
        sct_data(std::move(sct_data)) {}

  StringRef private_key_file;
  StringRef cert_file;
  std::vector<uint8_t> sct_data;
};

// Forward proxy used for backend connections.
struct HttpProxy {
  Address addr;
  // host in http proxy URI
  StringRef host;
  // userinfo in http proxy URI, not percent-encoded form.  Holds
  // credentials in clear; keep it out of logs.
  StringRef userinfo;
  // port in http proxy URI
  uint16_t port;
};

// Everything TLS related: server-side (frontend) settings, backend client
// settings, session resumption, OCSP and client verification.
struct TLSConfig {
  // RFC 5077 Session ticket related configurations
  struct {
    struct {
      Address addr;
      uint16_t port;
      // Hostname of memcached server. This is also used as SNI field
      // if TLS is enabled.
      StringRef host;
      // Client private key and certificate for authentication
      StringRef private_key_file;
      StringRef cert_file;
      ev_tstamp interval;
      // Maximum number of retries when getting TLS ticket key from
      // memcached, due to network error.
      size_t max_retry;
      // Maximum number of consecutive error from memcached, when this
      // limit reached, TLS ticket is disabled.
      size_t max_fail;
      // Address family of memcached connection. One of either
      // AF_INET, AF_INET6 or AF_UNSPEC.
      int family;
      // true if the memcached connection itself uses TLS.  When false
      // the ticket keys fetched from memcached travel in clear, so the
      // network path to memcached must be trusted.
      bool tls;
    } memcached;
    // Ticket key files (see SHRPX_OPT_TLS_TICKET_KEY_FILE).
    std::vector<StringRef> files;
    const EVP_CIPHER *cipher;
    // true if --tls-ticket-key-cipher is used
    bool cipher_given;
  } ticket;

  // Session cache related configurations
  struct {
    struct {
      Address addr;
      uint16_t port;
      // Hostname of memcached server. This is also used as SNI field
      // if TLS is enabled.
      StringRef host;
      // Client private key and certificate for authentication
      StringRef private_key_file;
      StringRef cert_file;
      // Address family of memcached connection. One of either
      // AF_INET, AF_INET6 or AF_UNSPEC.
      int family;
      // true if the memcached connection itself uses TLS.  Cached TLS
      // sessions contain resumption secrets; same trust consideration
      // as ticket.memcached.tls.
      bool tls;
    } memcached;
  } session_cache;

  // Dynamic record sizing configurations
  struct {
    size_t warmup_threshold;
    ev_tstamp idle_timeout;
  } dyn_rec;

  // OCSP related configurations
  struct {
    ev_tstamp update_interval;
    StringRef fetch_ocsp_response_file;
    bool disabled;
    bool startup;
    // true if the fetched OCSP response is used without being verified
    // (see SHRPX_OPT_NO_VERIFY_OCSP); presumably intended for
    // deployments where the fetching script already validates it --
    // confirm in the OCSP code.
    bool no_verify;
  } ocsp;

  // Client verification configurations
  struct {
    // Path to file containing CA certificate solely used for client
    // certificate validation
    StringRef cacert;
    bool enabled;
    // true if we accept an expired client certificate.  This weakens
    // client authentication; leave false unless the deployment has a
    // specific reason.
    bool tolerate_expired;
  } client_verify;

  // Client (backend connection) TLS configuration.
  struct {
    // Client PSK configuration
    struct {
      // identity must be NULL terminated string.
      StringRef identity;
      // Pre-shared secret in clear; not to be logged.
      StringRef secret;
    } psk;
    StringRef private_key_file;
    StringRef cert_file;
    StringRef ciphers;
    StringRef tls13_ciphers;
    bool no_http2_cipher_black_list;
  } client;

  // PSK secrets. The key is identity, and the associated value is
  // its secret.  Secrets are held in clear for the process lifetime.
  std::map<StringRef, StringRef> psk_secrets;
  // The list of additional TLS certificate pair
  std::vector<TLSCertificate> subcerts;
  // ALPN protocol list in wire format (length-prefixed names).
  std::vector<unsigned char> alpn_prefs;
  // list of supported NPN/ALPN protocol strings in the order of
  // preference.
  std::vector<StringRef> npn_list;
  // list of supported SSL/TLS protocol strings.
  std::vector<StringRef> tls_proto_list;
  std::vector<uint8_t> sct_data;
  BIO_METHOD *bio_method;
  // Bit mask to disable SSL/TLS protocol versions. This will be
  // passed to SSL_CTX_set_options().
  long int tls_proto_mask;
  StringRef backend_sni_name;
  std::chrono::seconds session_timeout;
  StringRef private_key_file;
  // Passphrase for |private_key_file|, kept in memory in clear.
  StringRef private_key_passwd;
  StringRef cert_file;
  StringRef dh_param_file;
  StringRef ciphers;
  StringRef tls13_ciphers;
  StringRef ecdh_curves;
  StringRef cacert;
  // The maximum amount of 0-RTT data that server accepts.  0-RTT data
  // is replayable by design (RFC 8446 section 8), so the size only
  // bounds exposure; see |no_postpone_early_data| for when it is acted
  // upon.
  uint32_t max_early_data;
  // The minimum and maximum TLS version. These values are defined in
  // OpenSSL header file.
  int min_proto_version;
  int max_proto_version;
  // Set by SHRPX_OPT_INSECURE.  Presumably disables verification of the
  // backend server certificate -- confirm in the backend TLS code.
  bool insecure;
  bool no_http2_cipher_black_list;
  // true if forwarding requests included in TLS early data should not
  // be postponed until TLS handshake finishes.  When true a replayed
  // 0-RTT request can reach the backend before the handshake confirms
  // the client; RFC 8470 describes how a backend can tell (Early-Data
  // header field, 425 Too Early).
  bool no_postpone_early_data;
};

// custom error page
struct ErrorPage {
  // not NULL-terminated
  std::vector<uint8_t> content;
  // 0 is special value, and it matches all HTTP status code.
  unsigned int http_status;
};

// HTTP-level (protocol independent) request/response handling options.
struct HttpConfig {
  // Forwarded header field (RFC 7239) handling.
  struct {
    // obfuscated value used in "by" parameter of Forwarded header
    // field. This is only used when user defined static obfuscated
    // string is provided.
    StringRef by_obfuscated;
    // bitwise-OR of one or more of shrpx_forwarded_param values.
    uint32_t params;
    // type of value recorded in "by" parameter of Forwarded header
    // field.
ForwardedNode by_node_type;
    // type of value recorded in "for" parameter of Forwarded header
    // field.
    ForwardedNode for_node_type;
    // true if an incoming Forwarded header field is dropped before our
    // own is added.  When false, whatever the client sent is passed on
    // to the backend, so the backend cannot treat the field as
    // trustworthy.
    bool strip_incoming;
  } forwarded;
  // X-Forwarded-For handling; |strip_incoming| has the same trust
  // implication as forwarded.strip_incoming.
  struct {
    bool add;
    bool strip_incoming;
  } xff;
  // X-Forwarded-Proto handling.
  struct {
    bool add;
    bool strip_incoming;
  } xfp;
  // Early-Data header field (RFC 8470) handling.  With strip_incoming
  // false, a client-supplied Early-Data header is forwarded as-is.
  struct {
    bool strip_incoming;
  } early_data;
  std::vector<AltSvc> altsvcs;
  std::vector<ErrorPage> error_pages;
  HeaderRefs add_request_headers;
  HeaderRefs add_response_headers;
  StringRef server_name;
  // Port number which appears in Location header field when https
  // redirect is made.
  StringRef redirect_https_port;
  // Bounds on header block size and field count, per direction.  These
  // are the limits that keep a single peer from forcing unbounded
  // header memory.
  size_t request_header_field_buffer;
  size_t max_request_header_fields;
  size_t response_header_field_buffer;
  size_t max_response_header_fields;
  // Maximum number of requests served on one frontend connection.
  size_t max_requests;
  bool no_via;
  bool no_location_rewrite;
  bool no_host_rewrite;
  bool no_server_rewrite;
};

// HTTP/2 specific options for the frontend (upstream) and backend
// (downstream) sessions.
struct Http2Config {
  struct {
    struct {
      // Debug header dumps.  The dump files receive complete request
      // and response header blocks, credentials and cookies included.
      struct {
        StringRef request_header_file;
        StringRef response_header_file;
        FILE *request_header;
        FILE *response_header;
      } dump;
      bool frame_debug;
    } debug;
    struct {
      // Time allowed for the peer's SETTINGS acknowledgement.
      ev_tstamp settings;
    } timeout;
    nghttp2_option *option;
    nghttp2_option *alt_mode_option;
    nghttp2_session_callbacks *callbacks;
    size_t max_concurrent_streams;
    size_t encoder_dynamic_table_size;
    size_t decoder_dynamic_table_size;
    int32_t window_size;
    int32_t connection_window_size;
    bool optimize_write_buffer_size;
    bool optimize_window_size;
  } upstream;
  struct {
    struct {
      ev_tstamp settings;
    } timeout;
    nghttp2_option *option;
    nghttp2_session_callbacks *callbacks;
    size_t encoder_dynamic_table_size;
    size_t decoder_dynamic_table_size;
    int32_t window_size;
    int32_t connection_window_size;
    size_t max_concurrent_streams;
  } downstream;
  // Per-stream inactivity timeouts.
  struct {
    ev_tstamp stream_read;
    ev_tstamp stream_write;
  } timeout;
  // true if Cookie header fields are not split into separate fields
  // for HPACK (see SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING).
  bool no_cookie_crumbling;
  bool no_server_push;
};

// Access and error log destinations and verbosity.
struct LoggingConfig {
  struct {
    // LogFragment is only forward-declared above; the vector member is
    // fine as long as the type is complete where the vector is used.
    std::vector<LogFragment> format;
    StringRef file;
    // Send accesslog to syslog, ignoring accesslog_file.
    bool syslog;
    // Write accesslog when response headers are received from
    // backend, rather than response body is received and sent.
    bool write_early;
  } access;
  struct {
    StringRef file;
    // Send errorlog to syslog, ignoring errorlog_file.
    bool syslog;
  } error;
  int syslog_facility;
  int severity;
};

// Token-bucket style limit: sustained |rate| with a |burst| allowance
// (units are whatever the consumer applies -- see the rate limiter).
struct RateLimitConfig {
  size_t rate;
  size_t burst;
};

// Wildcard host pattern routing. We strip the left most '*' from host
// field. router includes all path patterns sharing the same wildcard
// host.
struct WildcardPattern {
  // NOTE(review): single-argument constructor is not explicit.
  WildcardPattern(const StringRef &host) : host(host) {}

  // This might not be NULL terminated. Currently it is only used for
  // comparison.
  StringRef host;
  Router router;
};

// Configuration to select backend to forward request
struct RouterConfig {
  Router router;
  // Router for reversed wildcard hosts. Since this router has
  // wildcard hosts reversed without '*', one should call match()
  // function with reversed host stripping last character. This is
  // because we require at least one character must match for '*'.
  // The index stored in this router is index of wildcard_patterns.
840 Router rev_wildcard_router; 841 std::vector<WildcardPattern> wildcard_patterns; 842 }; 843 844 struct DownstreamConfig { DownstreamConfigDownstreamConfig845 DownstreamConfig() 846 : balloc(1024, 1024), 847 timeout{}, 848 addr_group_catch_all{0}, 849 connections_per_host{0}, 850 connections_per_frontend{0}, 851 request_buffer_size{0}, 852 response_buffer_size{0}, 853 family{0} {} 854 855 DownstreamConfig(const DownstreamConfig &) = delete; 856 DownstreamConfig(DownstreamConfig &&) = delete; 857 DownstreamConfig &operator=(const DownstreamConfig &) = delete; 858 DownstreamConfig &operator=(DownstreamConfig &&) = delete; 859 860 // Allocator to allocate memory for Downstream configuration. Since 861 // we may swap around DownstreamConfig in arbitrary times with API 862 // calls, we should use their own allocator instead of per Config 863 // allocator. 864 BlockAllocator balloc; 865 struct { 866 ev_tstamp read; 867 ev_tstamp write; 868 ev_tstamp idle_read; 869 ev_tstamp connect; 870 // The maximum backoff while checking health check for offline 871 // backend or while detaching failed backend from load balancing 872 // group temporarily. 873 ev_tstamp max_backoff; 874 } timeout; 875 RouterConfig router; 876 std::vector<DownstreamAddrGroupConfig> addr_groups; 877 // The index of catch-all group in downstream_addr_groups. 878 size_t addr_group_catch_all; 879 size_t connections_per_host; 880 size_t connections_per_frontend; 881 size_t request_buffer_size; 882 size_t response_buffer_size; 883 // Address family of backend connection. One of either AF_INET, 884 // AF_INET6 or AF_UNSPEC. This is ignored if backend connection 885 // is made via Unix domain socket. 886 int family; 887 }; 888 889 struct ConnectionConfig { 890 struct { 891 struct { 892 ev_tstamp sleep; 893 } timeout; 894 // address of frontend acceptors 895 std::vector<UpstreamAddr> addrs; 896 int backlog; 897 // TCP fastopen. If this is positive, it is passed to 898 // setsockopt() along with TCP_FASTOPEN. 
899 int fastopen; 900 } listener; 901 902 struct { 903 struct { 904 ev_tstamp http2_read; 905 ev_tstamp read; 906 ev_tstamp write; 907 ev_tstamp idle_read; 908 } timeout; 909 struct { 910 RateLimitConfig read; 911 RateLimitConfig write; 912 } ratelimit; 913 size_t worker_connections; 914 // Deprecated. See UpstreamAddr.accept_proxy_protocol. 915 bool accept_proxy_protocol; 916 } upstream; 917 918 std::shared_ptr<DownstreamConfig> downstream; 919 }; 920 921 struct APIConfig { 922 // Maximum request body size for one API request 923 size_t max_request_body; 924 // true if at least one of UpstreamAddr has api enabled 925 bool enabled; 926 }; 927 928 struct DNSConfig { 929 struct { 930 ev_tstamp cache; 931 ev_tstamp lookup; 932 } timeout; 933 // The number of tries name resolver makes before abandoning 934 // request. 935 size_t max_try; 936 }; 937 938 struct Config { ConfigConfig939 Config() 940 : balloc(4096, 4096), 941 downstream_http_proxy{}, 942 http{}, 943 http2{}, 944 tls{}, 945 logging{}, 946 conn{}, 947 api{}, 948 dns{}, 949 config_revision{0}, 950 num_worker{0}, 951 padding{0}, 952 rlimit_nofile{0}, 953 uid{0}, 954 gid{0}, 955 pid{0}, 956 verbose{false}, 957 daemon{false}, 958 http2_proxy{false}, 959 single_process{false}, 960 single_thread{false}, 961 ignore_per_pattern_mruby_error{false}, 962 ev_loop_flags{0} {} 963 ~Config(); 964 965 Config(Config &&) = delete; 966 Config(const Config &&) = delete; 967 Config &operator=(Config &&) = delete; 968 Config &operator=(const Config &&) = delete; 969 970 // Allocator to allocate memory for this object except for 971 // DownstreamConfig. Currently, it is used to allocate memory for 972 // strings. 
973 BlockAllocator balloc; 974 HttpProxy downstream_http_proxy; 975 HttpConfig http; 976 Http2Config http2; 977 TLSConfig tls; 978 LoggingConfig logging; 979 ConnectionConfig conn; 980 APIConfig api; 981 DNSConfig dns; 982 StringRef pid_file; 983 StringRef conf_path; 984 StringRef user; 985 StringRef mruby_file; 986 // The revision of configuration which is opaque string, and changes 987 // on each configuration reloading. This does not change on 988 // backendconfig API call. This value is returned in health check 989 // as "nghttpx-conf-rev" response header field. The external 990 // program can check this value to know whether reloading has 991 // completed or not. 992 uint64_t config_revision; 993 size_t num_worker; 994 size_t padding; 995 size_t rlimit_nofile; 996 uid_t uid; 997 gid_t gid; 998 pid_t pid; 999 bool verbose; 1000 bool daemon; 1001 bool http2_proxy; 1002 // Run nghttpx in single process mode. With this mode, signal 1003 // handling is omitted. 1004 bool single_process; 1005 bool single_thread; 1006 // Ignore mruby compile error for per-pattern mruby script. 1007 bool ignore_per_pattern_mruby_error; 1008 // flags passed to ev_default_loop() and ev_loop_new() 1009 int ev_loop_flags; 1010 }; 1011 1012 const Config *get_config(); 1013 Config *mod_config(); 1014 // Replaces the current config with given |new_config|. The old config is 1015 // returned. 
std::unique_ptr<Config> replace_config(std::unique_ptr<Config> new_config);
// Presumably creates the global Config instance that get_config() /
// mod_config() return — confirm in the implementation.
void create_config();

// generated by gennghttpxfun.py
// Option identifiers returned by option_lookup_token() below.  Values
// are implicit (0, 1, 2, ...) in declaration order.
enum {
  SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL,
  SHRPX_OPTID_ACCESSLOG_FILE,
  SHRPX_OPTID_ACCESSLOG_FORMAT,
  SHRPX_OPTID_ACCESSLOG_SYSLOG,
  SHRPX_OPTID_ACCESSLOG_WRITE_EARLY,
  SHRPX_OPTID_ADD_FORWARDED,
  SHRPX_OPTID_ADD_REQUEST_HEADER,
  SHRPX_OPTID_ADD_RESPONSE_HEADER,
  SHRPX_OPTID_ADD_X_FORWARDED_FOR,
  SHRPX_OPTID_ALTSVC,
  SHRPX_OPTID_API_MAX_REQUEST_BODY,
  SHRPX_OPTID_BACKEND,
  SHRPX_OPTID_BACKEND_ADDRESS_FAMILY,
  SHRPX_OPTID_BACKEND_CONNECT_TIMEOUT,
  SHRPX_OPTID_BACKEND_CONNECTIONS_PER_FRONTEND,
  SHRPX_OPTID_BACKEND_CONNECTIONS_PER_HOST,
  SHRPX_OPTID_BACKEND_HTTP_PROXY_URI,
  SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND,
  SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_HOST,
  SHRPX_OPTID_BACKEND_HTTP1_TLS,
  SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_BITS,
  SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE,
  SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER,
  SHRPX_OPTID_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE,
  SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE,
  SHRPX_OPTID_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS,
  SHRPX_OPTID_BACKEND_HTTP2_SETTINGS_TIMEOUT,
  SHRPX_OPTID_BACKEND_HTTP2_WINDOW_BITS,
  SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE,
  SHRPX_OPTID_BACKEND_IPV4,
  SHRPX_OPTID_BACKEND_IPV6,
  SHRPX_OPTID_BACKEND_KEEP_ALIVE_TIMEOUT,
  SHRPX_OPTID_BACKEND_MAX_BACKOFF,
  SHRPX_OPTID_BACKEND_NO_TLS,
  SHRPX_OPTID_BACKEND_READ_TIMEOUT,
  SHRPX_OPTID_BACKEND_REQUEST_BUFFER,
  SHRPX_OPTID_BACKEND_RESPONSE_BUFFER,
  SHRPX_OPTID_BACKEND_TLS,
  SHRPX_OPTID_BACKEND_TLS_SNI_FIELD,
  SHRPX_OPTID_BACKEND_WRITE_TIMEOUT,
  SHRPX_OPTID_BACKLOG,
  SHRPX_OPTID_CACERT,
  SHRPX_OPTID_CERTIFICATE_FILE,
  SHRPX_OPTID_CIPHERS,
  SHRPX_OPTID_CLIENT,
  SHRPX_OPTID_CLIENT_CERT_FILE,
  SHRPX_OPTID_CLIENT_CIPHERS,
  SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
  SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
  SHRPX_OPTID_CLIENT_PROXY,
  SHRPX_OPTID_CLIENT_PSK_SECRETS,
  SHRPX_OPTID_CONF,
  SHRPX_OPTID_DAEMON,
  SHRPX_OPTID_DH_PARAM_FILE,
  SHRPX_OPTID_DNS_CACHE_TIMEOUT,
  SHRPX_OPTID_DNS_LOOKUP_TIMEOUT,
  SHRPX_OPTID_DNS_MAX_TRY,
  SHRPX_OPTID_ECDH_CURVES,
  SHRPX_OPTID_ERROR_PAGE,
  SHRPX_OPTID_ERRORLOG_FILE,
  SHRPX_OPTID_ERRORLOG_SYSLOG,
  SHRPX_OPTID_FASTOPEN,
  SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE,
  SHRPX_OPTID_FORWARDED_BY,
  SHRPX_OPTID_FORWARDED_FOR,
  SHRPX_OPTID_FRONTEND,
  SHRPX_OPTID_FRONTEND_FRAME_DEBUG,
  SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS,
  SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE,
  SHRPX_OPTID_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE,
  SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER,
  SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER,
  SHRPX_OPTID_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE,
  SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS,
  SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE,
  SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE,
  SHRPX_OPTID_FRONTEND_HTTP2_READ_TIMEOUT,
  SHRPX_OPTID_FRONTEND_HTTP2_SETTINGS_TIMEOUT,
  SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_BITS,
  SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE,
  SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT,
  SHRPX_OPTID_FRONTEND_MAX_REQUESTS,
  SHRPX_OPTID_FRONTEND_NO_TLS,
  SHRPX_OPTID_FRONTEND_READ_TIMEOUT,
  SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT,
  SHRPX_OPTID_HEADER_FIELD_BUFFER,
  SHRPX_OPTID_HOST_REWRITE,
  SHRPX_OPTID_HTTP2_BRIDGE,
  SHRPX_OPTID_HTTP2_MAX_CONCURRENT_STREAMS,
  SHRPX_OPTID_HTTP2_NO_COOKIE_CRUMBLING,
  SHRPX_OPTID_HTTP2_PROXY,
  SHRPX_OPTID_IGNORE_PER_PATTERN_MRUBY_ERROR,
  SHRPX_OPTID_INCLUDE,
  SHRPX_OPTID_INSECURE,
  SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT,
  SHRPX_OPTID_LOG_LEVEL,
  SHRPX_OPTID_MAX_HEADER_FIELDS,
  SHRPX_OPTID_MAX_REQUEST_HEADER_FIELDS,
  SHRPX_OPTID_MAX_RESPONSE_HEADER_FIELDS,
  SHRPX_OPTID_MRUBY_FILE,
  SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO,
  SHRPX_OPTID_NO_HOST_REWRITE,
  SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST,
  SHRPX_OPTID_NO_KQUEUE,
  SHRPX_OPTID_NO_LOCATION_REWRITE,
  SHRPX_OPTID_NO_OCSP,
  SHRPX_OPTID_NO_SERVER_PUSH,
  SHRPX_OPTID_NO_SERVER_REWRITE,
  SHRPX_OPTID_NO_STRIP_INCOMING_EARLY_DATA,
  SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO,
  SHRPX_OPTID_NO_VERIFY_OCSP,
  SHRPX_OPTID_NO_VIA,
  SHRPX_OPTID_NPN_LIST,
  SHRPX_OPTID_OCSP_STARTUP,
  SHRPX_OPTID_OCSP_UPDATE_INTERVAL,
  SHRPX_OPTID_PADDING,
  SHRPX_OPTID_PID_FILE,
  SHRPX_OPTID_PRIVATE_KEY_FILE,
  SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE,
  SHRPX_OPTID_PSK_SECRETS,
  SHRPX_OPTID_READ_BURST,
  SHRPX_OPTID_READ_RATE,
  SHRPX_OPTID_REDIRECT_HTTPS_PORT,
  SHRPX_OPTID_REQUEST_HEADER_FIELD_BUFFER,
  SHRPX_OPTID_RESPONSE_HEADER_FIELD_BUFFER,
  SHRPX_OPTID_RLIMIT_NOFILE,
  SHRPX_OPTID_SERVER_NAME,
  SHRPX_OPTID_SINGLE_PROCESS,
  SHRPX_OPTID_SINGLE_THREAD,
  SHRPX_OPTID_STREAM_READ_TIMEOUT,
  SHRPX_OPTID_STREAM_WRITE_TIMEOUT,
  SHRPX_OPTID_STRIP_INCOMING_FORWARDED,
  SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR,
  SHRPX_OPTID_SUBCERT,
  SHRPX_OPTID_SYSLOG_FACILITY,
  SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT,
  SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD,
  SHRPX_OPTID_TLS_MAX_EARLY_DATA,
  SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
  SHRPX_OPTID_TLS_MIN_PROTO_VERSION,
  SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA,
  SHRPX_OPTID_TLS_PROTO_LIST,
  SHRPX_OPTID_TLS_SCT_DIR,
  SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
  SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY,
  SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE,
  SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE,
  SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS,
  SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
  SHRPX_OPTID_TLS_TICKET_KEY_FILE,
  SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
  SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY,
  SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE,
  SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
  SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL,
  SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY,
  SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE,
  SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS,
  SHRPX_OPTID_TLS13_CIPHERS,
  SHRPX_OPTID_TLS13_CLIENT_CIPHERS,
  SHRPX_OPTID_USER,
  SHRPX_OPTID_VERIFY_CLIENT,
  SHRPX_OPTID_VERIFY_CLIENT_CACERT,
  SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED,
  SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS,
  SHRPX_OPTID_WORKER_READ_BURST,
  SHRPX_OPTID_WORKER_READ_RATE,
  SHRPX_OPTID_WORKER_WRITE_BURST,
  SHRPX_OPTID_WORKER_WRITE_RATE,
  SHRPX_OPTID_WORKERS,
  SHRPX_OPTID_WRITE_BURST,
  SHRPX_OPTID_WRITE_RATE,
  // Sentinel; its value equals the number of option IDs above.
  SHRPX_OPTID_MAXIDX,
};

// Looks up token for given option name |name| of length |namelen|.
// The result is one of the SHRPX_OPTID_* values above; the value used
// for an unknown name is defined by the implementation, not here.
int option_lookup_token(const char *name, size_t namelen);

// Parses option name |opt| and value |optarg|. The results are
// stored into the object pointed by |config|. This function returns 0
// if it succeeds, or -1. The |included_set| contains the all paths
// already included while processing this configuration, to avoid loop
// in --include option. The |pattern_addr_indexer| contains a pair of
// pattern of backend, and its index in DownstreamConfig::addr_groups.
// It is introduced to speed up loading configuration file with lots
// of backends.
// NOTE(review): std::map is used in the declarations below; confirm
// that <map> is included directly by this header rather than relied on
// transitively.
int parse_config(Config *config, const StringRef &opt, const StringRef &optarg,
                 std::set<StringRef> &included_set,
                 std::map<StringRef, size_t> &pattern_addr_indexer);

// Similar to parse_config() above, but additional |optid| which
// should be the return value of option_lookup_token(opt).
int parse_config(Config *config, int optid, const StringRef &opt,
                 const StringRef &optarg, std::set<StringRef> &included_set,
                 std::map<StringRef, size_t> &pattern_addr_indexer);

// Loads configurations from |filename| and stores them in |config|.
// This function returns 0 if it succeeds, or -1. See parse_config()
// for |include_set| (called |included_set| there) and
// |pattern_addr_indexer|.
int load_config(Config *config, const char *filename,
                std::set<StringRef> &include_set,
                std::map<StringRef, size_t> &pattern_addr_indexer);

// Parses header field in |optarg|. We expect header field is formed
// like "NAME: VALUE". We require that NAME is non empty string. ":"
// is allowed at the start of the NAME, but NAME == ":" is not
// allowed. This function returns pair of NAME and VALUE.
HeaderRefs::value_type parse_header(BlockAllocator &balloc,
                                    const StringRef &optarg);

// Parses the access log format string |optarg| into LogFragments;
// |balloc| presumably backs any strings the fragments refer to — confirm
// in the implementation.
std::vector<LogFragment> parse_log_format(BlockAllocator &balloc,
                                          const StringRef &optarg);

// Returns string for syslog |facility|.
StringRef str_syslog_facility(int facility);

// Returns integer value of syslog |facility| string.
int int_syslog_facility(const StringRef &strfacility);

// Opens |filename| for writing and returns the raw FILE*.  Error
// reporting (nullptr vs. abort) and the mode/permissions used are not
// visible here — confirm before relying on either.
FILE *open_file_for_write(const char *filename);

// Reads TLS ticket key file in |files| and returns TicketKeys which
// stores read key data. The given |cipher| and |hmac| determine the
// expected file size. This function returns TicketKeys if it
// succeeds, or nullptr.
std::unique_ptr<TicketKeys>
read_tls_ticket_key_file(const std::vector<StringRef> &files,
                         const EVP_CIPHER *cipher, const EVP_MD *hmac);

// Returns string representation of |proto|.
StringRef strproto(Proto proto);

// Finalizes the backend address groups in |config| (presumably
// resolving addresses and applying |tlsconf| to TLS backends — confirm
// in the implementation).  Returns an int status; by convention in this
// header 0 is success and -1 failure, but verify for this function.
int configure_downstream_group(Config *config, bool http2_proxy,
                               bool numeric_addr_only,
                               const TLSConfig &tlsconf);

// Resolves |hostname|:|port| for address family |family| into |addr|.
// |additional_flags| is presumably OR-ed into the resolver hints —
// confirm in the implementation.
int resolve_hostname(Address *addr, const char *hostname, uint16_t port,
                     int family, int additional_flags = 0);

} // namespace shrpx

#endif // SHRPX_CONFIG_H