1 /* 2 * nghttp2 - HTTP/2 C Library 3 * 4 * Copyright (c) 2012 Tatsuhiro Tsujikawa 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining 7 * a copy of this software and associated documentation files (the 8 * "Software"), to deal in the Software without restriction, including 9 * without limitation the rights to use, copy, modify, merge, publish, 10 * distribute, sublicense, and/or sell copies of the Software, and to 11 * permit persons to whom the Software is furnished to do so, subject to 12 * the following conditions: 13 * 14 * The above copyright notice and this permission notice shall be 15 * included in all copies or substantial portions of the Software. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 24 */ 25 #ifndef SHRPX_CONFIG_H 26 #define SHRPX_CONFIG_H 27 28 #include "shrpx.h" 29 30 #include <sys/types.h> 31 #ifdef HAVE_SYS_SOCKET_H 32 # include <sys/socket.h> 33 #endif // HAVE_SYS_SOCKET_H 34 #include <sys/un.h> 35 #ifdef HAVE_NETINET_IN_H 36 # include <netinet/in.h> 37 #endif // HAVE_NETINET_IN_H 38 #ifdef HAVE_ARPA_INET_H 39 # include <arpa/inet.h> 40 #endif // HAVE_ARPA_INET_H 41 #include <cinttypes> 42 #include <cstdio> 43 #include <vector> 44 #include <memory> 45 #include <set> 46 #include <unordered_map> 47 48 #include <openssl/ssl.h> 49 50 #include <ev.h> 51 52 #include <nghttp2/nghttp2.h> 53 54 #include "shrpx_router.h" 55 #if ENABLE_HTTP3 56 # include "shrpx_quic.h" 57 #endif // ENABLE_HTTP3 58 #include "template.h" 59 #include "http2.h" 60 #include "network.h" 61 #include "allocator.h" 62 63 using namespace nghttp2; 64 65 namespace shrpx { 66 67 struct LogFragment; 68 class ConnectBlocker; 69 class Http2Session; 70 71 namespace tls { 72 73 class CertLookupTree; 74 75 } // namespace tls 76 77 constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE = 78 StringRef::from_lit("private-key-file"); 79 constexpr auto SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE = 80 StringRef::from_lit("private-key-passwd-file"); 81 constexpr auto SHRPX_OPT_CERTIFICATE_FILE = 82 StringRef::from_lit("certificate-file"); 83 constexpr auto SHRPX_OPT_DH_PARAM_FILE = StringRef::from_lit("dh-param-file"); 84 constexpr auto SHRPX_OPT_SUBCERT = StringRef::from_lit("subcert"); 85 constexpr auto SHRPX_OPT_BACKEND = StringRef::from_lit("backend"); 86 constexpr auto SHRPX_OPT_FRONTEND = StringRef::from_lit("frontend"); 87 constexpr auto SHRPX_OPT_WORKERS = StringRef::from_lit("workers"); 88 constexpr auto SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS = 89 StringRef::from_lit("http2-max-concurrent-streams"); 90 constexpr auto SHRPX_OPT_LOG_LEVEL = StringRef::from_lit("log-level"); 91 constexpr auto SHRPX_OPT_DAEMON = StringRef::from_lit("daemon"); 92 constexpr auto SHRPX_OPT_HTTP2_PROXY = StringRef::from_lit("http2-proxy"); 93 constexpr auto SHRPX_OPT_HTTP2_BRIDGE = StringRef::from_lit("http2-bridge"); 94 constexpr auto SHRPX_OPT_CLIENT_PROXY = StringRef::from_lit("client-proxy"); 95 constexpr auto SHRPX_OPT_ADD_X_FORWARDED_FOR = 96 StringRef::from_lit("add-x-forwarded-for"); 97 constexpr auto SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR = 98 StringRef::from_lit("strip-incoming-x-forwarded-for"); 99 constexpr auto SHRPX_OPT_NO_VIA = StringRef::from_lit("no-via"); 100 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT = 101 StringRef::from_lit("frontend-http2-read-timeout"); 102 constexpr auto SHRPX_OPT_FRONTEND_READ_TIMEOUT = 103 StringRef::from_lit("frontend-read-timeout"); 104 constexpr auto SHRPX_OPT_FRONTEND_WRITE_TIMEOUT = 105 StringRef::from_lit("frontend-write-timeout"); 106 constexpr auto SHRPX_OPT_BACKEND_READ_TIMEOUT = 107 StringRef::from_lit("backend-read-timeout"); 108 constexpr auto SHRPX_OPT_BACKEND_WRITE_TIMEOUT = 109 StringRef::from_lit("backend-write-timeout"); 110 constexpr auto SHRPX_OPT_STREAM_READ_TIMEOUT = 111 StringRef::from_lit("stream-read-timeout"); 112 constexpr auto SHRPX_OPT_STREAM_WRITE_TIMEOUT = 113 StringRef::from_lit("stream-write-timeout"); 114 constexpr auto SHRPX_OPT_ACCESSLOG_FILE = StringRef::from_lit("accesslog-file"); 115 constexpr auto SHRPX_OPT_ACCESSLOG_SYSLOG = 116 StringRef::from_lit("accesslog-syslog"); 117 constexpr auto SHRPX_OPT_ACCESSLOG_FORMAT = 118 StringRef::from_lit("accesslog-format"); 119 constexpr auto SHRPX_OPT_ERRORLOG_FILE = StringRef::from_lit("errorlog-file"); 120 constexpr auto SHRPX_OPT_ERRORLOG_SYSLOG = 121 StringRef::from_lit("errorlog-syslog"); 122 constexpr auto SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT = 123 StringRef::from_lit("backend-keep-alive-timeout"); 124 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS = 125 StringRef::from_lit("frontend-http2-window-bits"); 126 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS = 127 StringRef::from_lit("backend-http2-window-bits"); 128 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS = 129 StringRef::from_lit("frontend-http2-connection-window-bits"); 130 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS = 131 StringRef::from_lit("backend-http2-connection-window-bits"); 132 constexpr auto SHRPX_OPT_FRONTEND_NO_TLS = 133 StringRef::from_lit("frontend-no-tls"); 134 constexpr auto SHRPX_OPT_BACKEND_NO_TLS = StringRef::from_lit("backend-no-tls"); 135 constexpr auto SHRPX_OPT_BACKEND_TLS_SNI_FIELD = 136 StringRef::from_lit("backend-tls-sni-field"); 137 constexpr auto SHRPX_OPT_PID_FILE = StringRef::from_lit("pid-file"); 138 constexpr auto SHRPX_OPT_USER = StringRef::from_lit("user"); 139 constexpr auto SHRPX_OPT_SYSLOG_FACILITY = 140 StringRef::from_lit("syslog-facility"); 141 constexpr auto SHRPX_OPT_BACKLOG = StringRef::from_lit("backlog"); 142 constexpr auto SHRPX_OPT_CIPHERS = StringRef::from_lit("ciphers"); 143 constexpr auto SHRPX_OPT_CLIENT = StringRef::from_lit("client"); 144 constexpr auto SHRPX_OPT_INSECURE = StringRef::from_lit("insecure"); 145 constexpr auto SHRPX_OPT_CACERT = StringRef::from_lit("cacert"); 146 constexpr auto SHRPX_OPT_BACKEND_IPV4 = StringRef::from_lit("backend-ipv4"); 147 constexpr auto SHRPX_OPT_BACKEND_IPV6 = StringRef::from_lit("backend-ipv6"); 148 constexpr auto SHRPX_OPT_BACKEND_HTTP_PROXY_URI = 149 StringRef::from_lit("backend-http-proxy-uri"); 150 constexpr auto SHRPX_OPT_READ_RATE = StringRef::from_lit("read-rate"); 151 constexpr auto SHRPX_OPT_READ_BURST = StringRef::from_lit("read-burst"); 152 constexpr auto SHRPX_OPT_WRITE_RATE = StringRef::from_lit("write-rate"); 153 constexpr auto SHRPX_OPT_WRITE_BURST = StringRef::from_lit("write-burst"); 154 constexpr auto SHRPX_OPT_WORKER_READ_RATE = 155 StringRef::from_lit("worker-read-rate"); 156 constexpr auto SHRPX_OPT_WORKER_READ_BURST = 157 StringRef::from_lit("worker-read-burst"); 158 constexpr auto SHRPX_OPT_WORKER_WRITE_RATE = 159 StringRef::from_lit("worker-write-rate"); 160 constexpr auto SHRPX_OPT_WORKER_WRITE_BURST = 161 StringRef::from_lit("worker-write-burst"); 162 constexpr auto SHRPX_OPT_NPN_LIST = StringRef::from_lit("npn-list"); 163 constexpr auto SHRPX_OPT_TLS_PROTO_LIST = StringRef::from_lit("tls-proto-list"); 164 constexpr auto SHRPX_OPT_VERIFY_CLIENT = StringRef::from_lit("verify-client"); 165 constexpr auto SHRPX_OPT_VERIFY_CLIENT_CACERT = 166 StringRef::from_lit("verify-client-cacert"); 167 constexpr auto SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE = 168 StringRef::from_lit("client-private-key-file"); 169 constexpr auto SHRPX_OPT_CLIENT_CERT_FILE = 170 StringRef::from_lit("client-cert-file"); 171 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER = 172 StringRef::from_lit("frontend-http2-dump-request-header"); 173 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER = 174 StringRef::from_lit("frontend-http2-dump-response-header"); 175 constexpr auto SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING = 176 StringRef::from_lit("http2-no-cookie-crumbling"); 177 constexpr auto SHRPX_OPT_FRONTEND_FRAME_DEBUG = 178 StringRef::from_lit("frontend-frame-debug"); 179 constexpr auto SHRPX_OPT_PADDING = StringRef::from_lit("padding"); 180 constexpr auto SHRPX_OPT_ALTSVC = StringRef::from_lit("altsvc"); 181 constexpr auto SHRPX_OPT_ADD_REQUEST_HEADER = 182 StringRef::from_lit("add-request-header"); 183 constexpr auto SHRPX_OPT_ADD_RESPONSE_HEADER = 184 StringRef::from_lit("add-response-header"); 185 constexpr auto SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS = 186 StringRef::from_lit("worker-frontend-connections"); 187 constexpr auto SHRPX_OPT_NO_LOCATION_REWRITE = 188 StringRef::from_lit("no-location-rewrite"); 189 constexpr auto SHRPX_OPT_NO_HOST_REWRITE = 190 StringRef::from_lit("no-host-rewrite"); 191 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST = 192 StringRef::from_lit("backend-http1-connections-per-host"); 193 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND = 194 StringRef::from_lit("backend-http1-connections-per-frontend"); 195 constexpr auto SHRPX_OPT_LISTENER_DISABLE_TIMEOUT = 196 StringRef::from_lit("listener-disable-timeout"); 197 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_FILE = 198 StringRef::from_lit("tls-ticket-key-file"); 199 constexpr auto SHRPX_OPT_RLIMIT_NOFILE = StringRef::from_lit("rlimit-nofile"); 200 constexpr auto SHRPX_OPT_BACKEND_REQUEST_BUFFER = 201 StringRef::from_lit("backend-request-buffer"); 202 constexpr auto SHRPX_OPT_BACKEND_RESPONSE_BUFFER = 203 StringRef::from_lit("backend-response-buffer"); 204 constexpr auto SHRPX_OPT_NO_SERVER_PUSH = StringRef::from_lit("no-server-push"); 205 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER = 206 StringRef::from_lit("backend-http2-connections-per-worker"); 207 constexpr auto SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE = 208 StringRef::from_lit("fetch-ocsp-response-file"); 209 constexpr auto SHRPX_OPT_OCSP_UPDATE_INTERVAL = 210 StringRef::from_lit("ocsp-update-interval"); 211 constexpr auto SHRPX_OPT_NO_OCSP = StringRef::from_lit("no-ocsp"); 212 constexpr auto SHRPX_OPT_HEADER_FIELD_BUFFER = 213 StringRef::from_lit("header-field-buffer"); 214 constexpr auto SHRPX_OPT_MAX_HEADER_FIELDS = 215 StringRef::from_lit("max-header-fields"); 216 constexpr auto SHRPX_OPT_INCLUDE = StringRef::from_lit("include"); 217 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_CIPHER = 218 StringRef::from_lit("tls-ticket-key-cipher"); 219 constexpr auto SHRPX_OPT_HOST_REWRITE = StringRef::from_lit("host-rewrite"); 220 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED = 221 StringRef::from_lit("tls-session-cache-memcached"); 222 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED = 223 StringRef::from_lit("tls-ticket-key-memcached"); 224 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_INTERVAL = 225 StringRef::from_lit("tls-ticket-key-memcached-interval"); 226 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY = 227 StringRef::from_lit("tls-ticket-key-memcached-max-retry"); 228 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL = 229 StringRef::from_lit("tls-ticket-key-memcached-max-fail"); 230 constexpr auto SHRPX_OPT_MRUBY_FILE = StringRef::from_lit("mruby-file"); 231 constexpr auto SHRPX_OPT_ACCEPT_PROXY_PROTOCOL = 232 StringRef::from_lit("accept-proxy-protocol"); 233 constexpr auto SHRPX_OPT_FASTOPEN = StringRef::from_lit("fastopen"); 234 constexpr auto SHRPX_OPT_TLS_DYN_REC_WARMUP_THRESHOLD = 235 StringRef::from_lit("tls-dyn-rec-warmup-threshold"); 236 constexpr auto SHRPX_OPT_TLS_DYN_REC_IDLE_TIMEOUT = 237 StringRef::from_lit("tls-dyn-rec-idle-timeout"); 238 constexpr auto SHRPX_OPT_ADD_FORWARDED = StringRef::from_lit("add-forwarded"); 239 constexpr auto SHRPX_OPT_STRIP_INCOMING_FORWARDED = 240 StringRef::from_lit("strip-incoming-forwarded"); 241 constexpr auto SHRPX_OPT_FORWARDED_BY = StringRef::from_lit("forwarded-by"); 242 constexpr auto SHRPX_OPT_FORWARDED_FOR = StringRef::from_lit("forwarded-for"); 243 constexpr auto SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER = 244 StringRef::from_lit("request-header-field-buffer"); 245 constexpr auto SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS = 246 StringRef::from_lit("max-request-header-fields"); 247 constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER = 248 StringRef::from_lit("response-header-field-buffer"); 249 constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS = 250 StringRef::from_lit("max-response-header-fields"); 251 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST = 252 StringRef::from_lit("no-http2-cipher-block-list"); 253 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST = 254 StringRef::from_lit("no-http2-cipher-black-list"); 255 constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS = 256 StringRef::from_lit("backend-http1-tls"); 257 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_TLS = 258 StringRef::from_lit("tls-session-cache-memcached-tls"); 259 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE = 260 StringRef::from_lit("tls-session-cache-memcached-cert-file"); 261 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE = 262 StringRef::from_lit("tls-session-cache-memcached-private-key-file"); 263 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY = 264 StringRef::from_lit("tls-session-cache-memcached-address-family"); 265 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_TLS = 266 StringRef::from_lit("tls-ticket-key-memcached-tls"); 267 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_CERT_FILE = 268 StringRef::from_lit("tls-ticket-key-memcached-cert-file"); 269 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE = 270 StringRef::from_lit("tls-ticket-key-memcached-private-key-file"); 271 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY = 272 StringRef::from_lit("tls-ticket-key-memcached-address-family"); 273 constexpr auto SHRPX_OPT_BACKEND_ADDRESS_FAMILY = 274 StringRef::from_lit("backend-address-family"); 275 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS = 276 StringRef::from_lit("frontend-http2-max-concurrent-streams"); 277 constexpr auto SHRPX_OPT_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS = 278 StringRef::from_lit("backend-http2-max-concurrent-streams"); 279 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_FRONTEND = 280 StringRef::from_lit("backend-connections-per-frontend"); 281 constexpr auto SHRPX_OPT_BACKEND_TLS = StringRef::from_lit("backend-tls"); 282 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_HOST = 283 StringRef::from_lit("backend-connections-per-host"); 284 constexpr auto SHRPX_OPT_ERROR_PAGE = StringRef::from_lit("error-page"); 285 constexpr auto SHRPX_OPT_NO_KQUEUE = StringRef::from_lit("no-kqueue"); 286 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_SETTINGS_TIMEOUT = 287 StringRef::from_lit("frontend-http2-settings-timeout"); 288 constexpr auto SHRPX_OPT_BACKEND_HTTP2_SETTINGS_TIMEOUT = 289 StringRef::from_lit("backend-http2-settings-timeout"); 290 constexpr auto SHRPX_OPT_API_MAX_REQUEST_BODY = 291 StringRef::from_lit("api-max-request-body"); 292 constexpr auto SHRPX_OPT_BACKEND_MAX_BACKOFF = 293 StringRef::from_lit("backend-max-backoff"); 294 constexpr auto SHRPX_OPT_SERVER_NAME = StringRef::from_lit("server-name"); 295 constexpr auto SHRPX_OPT_NO_SERVER_REWRITE = 296 StringRef::from_lit("no-server-rewrite"); 297 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE = 298 StringRef::from_lit("frontend-http2-optimize-write-buffer-size"); 299 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE = 300 StringRef::from_lit("frontend-http2-optimize-window-size"); 301 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_SIZE = 302 StringRef::from_lit("frontend-http2-window-size"); 303 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE = 304 StringRef::from_lit("frontend-http2-connection-window-size"); 305 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_SIZE = 306 StringRef::from_lit("backend-http2-window-size"); 307 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE = 308 StringRef::from_lit("backend-http2-connection-window-size"); 309 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE = 310 StringRef::from_lit("frontend-http2-encoder-dynamic-table-size"); 311 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE = 312 StringRef::from_lit("frontend-http2-decoder-dynamic-table-size"); 313 constexpr auto SHRPX_OPT_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE = 314 StringRef::from_lit("backend-http2-encoder-dynamic-table-size"); 315 constexpr auto SHRPX_OPT_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE = 316 StringRef::from_lit("backend-http2-decoder-dynamic-table-size"); 317 constexpr auto SHRPX_OPT_ECDH_CURVES = StringRef::from_lit("ecdh-curves"); 318 constexpr auto SHRPX_OPT_TLS_SCT_DIR = StringRef::from_lit("tls-sct-dir"); 319 constexpr auto SHRPX_OPT_BACKEND_CONNECT_TIMEOUT = 320 StringRef::from_lit("backend-connect-timeout"); 321 constexpr auto SHRPX_OPT_DNS_CACHE_TIMEOUT = 322 StringRef::from_lit("dns-cache-timeout"); 323 constexpr auto SHRPX_OPT_DNS_LOOKUP_TIMEOUT = 324 StringRef::from_lit("dns-lookup-timeout"); 325 constexpr auto SHRPX_OPT_DNS_MAX_TRY = StringRef::from_lit("dns-max-try"); 326 constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT = 327 StringRef::from_lit("frontend-keep-alive-timeout"); 328 constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets"); 329 constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS = 330 StringRef::from_lit("client-psk-secrets"); 331 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST = 332 StringRef::from_lit("client-no-http2-cipher-block-list"); 333 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST = 334 StringRef::from_lit("client-no-http2-cipher-black-list"); 335 constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers"); 336 constexpr auto SHRPX_OPT_ACCESSLOG_WRITE_EARLY = 337 StringRef::from_lit("accesslog-write-early"); 338 constexpr auto SHRPX_OPT_TLS_MIN_PROTO_VERSION = 339 StringRef::from_lit("tls-min-proto-version"); 340 constexpr auto SHRPX_OPT_TLS_MAX_PROTO_VERSION = 341 StringRef::from_lit("tls-max-proto-version"); 342 constexpr auto SHRPX_OPT_REDIRECT_HTTPS_PORT = 343 StringRef::from_lit("redirect-https-port"); 344 constexpr auto SHRPX_OPT_FRONTEND_MAX_REQUESTS = 345 StringRef::from_lit("frontend-max-requests"); 346 constexpr auto SHRPX_OPT_SINGLE_THREAD = StringRef::from_lit("single-thread"); 347 constexpr auto SHRPX_OPT_SINGLE_PROCESS = StringRef::from_lit("single-process"); 348 constexpr auto SHRPX_OPT_NO_ADD_X_FORWARDED_PROTO = 349 StringRef::from_lit("no-add-x-forwarded-proto"); 350 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO = 351 StringRef::from_lit("no-strip-incoming-x-forwarded-proto"); 352 constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup"); 353 constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp"); 354 constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED = 355 StringRef::from_lit("verify-client-tolerate-expired"); 356 constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR = 357 StringRef::from_lit("ignore-per-pattern-mruby-error"); 358 constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA = 359 StringRef::from_lit("tls-no-postpone-early-data"); 360 constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA = 361 StringRef::from_lit("tls-max-early-data"); 362 constexpr auto SHRPX_OPT_TLS13_CIPHERS = StringRef::from_lit("tls13-ciphers"); 363 constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS = 364 StringRef::from_lit("tls13-client-ciphers"); 365 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA = 366 StringRef::from_lit("no-strip-incoming-early-data"); 367 constexpr auto SHRPX_OPT_QUIC_BPF_PROGRAM_FILE = 368 StringRef::from_lit("quic-bpf-program-file"); 369 constexpr auto SHRPX_OPT_NO_QUIC_BPF = StringRef::from_lit("no-quic-bpf"); 370 constexpr auto SHRPX_OPT_HTTP2_ALTSVC = StringRef::from_lit("http2-altsvc"); 371 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_READ_TIMEOUT = 372 StringRef::from_lit("frontend-http3-read-timeout"); 373 constexpr auto SHRPX_OPT_FRONTEND_QUIC_IDLE_TIMEOUT = 374 StringRef::from_lit("frontend-quic-idle-timeout"); 375 constexpr auto SHRPX_OPT_FRONTEND_QUIC_DEBUG_LOG = 376 StringRef::from_lit("frontend-quic-debug-log"); 377 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_WINDOW_SIZE = 378 StringRef::from_lit("frontend-http3-window-size"); 379 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE = 380 StringRef::from_lit("frontend-http3-connection-window-size"); 381 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_WINDOW_SIZE = 382 StringRef::from_lit("frontend-http3-max-window-size"); 383 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE = 384 StringRef::from_lit("frontend-http3-max-connection-window-size"); 385 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS = 386 StringRef::from_lit("frontend-http3-max-concurrent-streams"); 387 constexpr auto SHRPX_OPT_FRONTEND_QUIC_EARLY_DATA = 388 StringRef::from_lit("frontend-quic-early-data"); 389 constexpr auto SHRPX_OPT_FRONTEND_QUIC_QLOG_DIR = 390 StringRef::from_lit("frontend-quic-qlog-dir"); 391 constexpr auto SHRPX_OPT_FRONTEND_QUIC_REQUIRE_TOKEN = 392 StringRef::from_lit("frontend-quic-require-token"); 393 constexpr auto SHRPX_OPT_FRONTEND_QUIC_CONGESTION_CONTROLLER = 394 StringRef::from_lit("frontend-quic-congestion-controller"); 395 constexpr auto SHRPX_OPT_QUIC_SERVER_ID = StringRef::from_lit("quic-server-id"); 396 constexpr auto SHRPX_OPT_FRONTEND_QUIC_SECRET_FILE = 397 StringRef::from_lit("frontend-quic-secret-file"); 398 constexpr auto SHRPX_OPT_RLIMIT_MEMLOCK = StringRef::from_lit("rlimit-memlock"); 399 constexpr auto SHRPX_OPT_MAX_WORKER_PROCESSES = 400 StringRef::from_lit("max-worker-processes"); 401 constexpr auto SHRPX_OPT_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD = 402 StringRef::from_lit("worker-process-grace-shutdown-period"); 403 constexpr auto SHRPX_OPT_FRONTEND_QUIC_INITIAL_RTT = 404 StringRef::from_lit("frontend-quic-initial-rtt"); 405 constexpr auto SHRPX_OPT_REQUIRE_HTTP_SCHEME = 406 StringRef::from_lit("require-http-scheme"); 407 constexpr auto SHRPX_OPT_TLS_KTLS = StringRef::from_lit("tls-ktls"); 408 409 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8; 410 411 constexpr char DEFAULT_DOWNSTREAM_HOST[] = "127.0.0.1"; 412 constexpr int16_t DEFAULT_DOWNSTREAM_PORT = 80; 413 414 enum class Proto { 415 NONE, 416 HTTP1, 417 HTTP2, 418 HTTP3, 419 MEMCACHED, 420 }; 421 422 enum class SessionAffinity { 423 // No session affinity 424 NONE, 425 // Client IP affinity 426 IP, 427 // Cookie based affinity 428 COOKIE, 429 }; 430 431 enum class SessionAffinityCookieSecure { 432 // Secure attribute of session affinity cookie is determined by the 433 // request scheme. 434 AUTO, 435 // Secure attribute of session affinity cookie is always set. 436 YES, 437 // Secure attribute of session affinity cookie is always unset. 438 NO, 439 }; 440 441 enum class SessionAffinityCookieStickiness { 442 // Backend server might be changed when an existing backend server 443 // is removed, or new backend server is added. 444 LOOSE, 445 // Backend server might be changed when a designated backend server 446 // is removed, but adding new backend server does not cause 447 // breakage. 448 STRICT, 449 }; 450 451 struct AffinityConfig { 452 // Type of session affinity. 453 SessionAffinity type; 454 struct { 455 // Name of a cookie to use. 456 StringRef name; 457 // Path which a cookie is applied to. 458 StringRef path; 459 // Secure attribute 460 SessionAffinityCookieSecure secure; 461 // Affinity Stickiness 462 SessionAffinityCookieStickiness stickiness; 463 } cookie; 464 }; 465 466 enum shrpx_forwarded_param { 467 FORWARDED_NONE = 0, 468 FORWARDED_BY = 0x1, 469 FORWARDED_FOR = 0x2, 470 FORWARDED_HOST = 0x4, 471 FORWARDED_PROTO = 0x8, 472 }; 473 474 enum class ForwardedNode { 475 OBFUSCATED, 476 IP, 477 }; 478 479 struct AltSvc { 480 StringRef protocol_id, host, origin, service, params; 481 482 uint16_t port; 483 }; 484 485 enum class UpstreamAltMode { 486 // No alternative mode 487 NONE, 488 // API processing mode 489 API, 490 // Health monitor mode 491 HEALTHMON, 492 }; 493 494 struct UpstreamAddr { 495 // The unique index of this address. 496 size_t index; 497 // The frontend address (e.g., FQDN, hostname, IP address). If 498 // |host_unix| is true, this is UNIX domain socket path. This must 499 // be NULL terminated string. 500 StringRef host; 501 // For TCP socket, this is <IP address>:<PORT>. For IPv6 address, 502 // address is surrounded by square brackets. If socket is UNIX 503 // domain socket, this is "localhost". 504 StringRef hostport; 505 // frontend port. 0 if |host_unix| is true. 506 uint16_t port; 507 // For TCP socket, this is either AF_INET or AF_INET6. For UNIX 508 // domain socket, this is 0. 509 int family; 510 // Alternate mode 511 UpstreamAltMode alt_mode; 512 // true if |host| contains UNIX domain socket path. 513 bool host_unix; 514 // true if TLS is enabled. 515 bool tls; 516 // true if SNI host should be used as a host when selecting backend 517 // server. 518 bool sni_fwd; 519 // true if client is supposed to send PROXY protocol v1 header. 520 bool accept_proxy_protocol; 521 bool quic; 522 int fd; 523 }; 524 525 struct DownstreamAddrConfig { 526 // Resolved address if |dns| is false 527 Address addr; 528 // backend address. If |host_unix| is true, this is UNIX domain 529 // socket path. This must be NULL terminated string. 530 StringRef host; 531 // <HOST>:<PORT>. This does not treat 80 and 443 specially. If 532 // |host_unix| is true, this is "localhost". 533 StringRef hostport; 534 // hostname sent as SNI field 535 StringRef sni; 536 // name of group which this address belongs to. 537 StringRef group; 538 size_t fall; 539 size_t rise; 540 // weight of this address inside a weight group. Its range is [1, 541 // 256], inclusive. 542 uint32_t weight; 543 // weight of the weight group. Its range is [1, 256], inclusive. 544 uint32_t group_weight; 545 // affinity hash for this address. It is assigned when strict 546 // stickiness is enabled. 547 uint32_t affinity_hash; 548 // Application protocol used in this group 549 Proto proto; 550 // backend port. 0 if |host_unix| is true. 551 uint16_t port; 552 // true if |host| contains UNIX domain socket path. 553 bool host_unix; 554 bool tls; 555 // true if dynamic DNS is enabled 556 bool dns; 557 // true if :scheme pseudo header field should be upgraded to secure 558 // variant (e.g., "https") when forwarding request to a backend 559 // connected by TLS connection. 560 bool upgrade_scheme; 561 // true if a request should not be forwarded to a backend. 562 bool dnf; 563 }; 564 565 // Mapping hash to idx which is an index into 566 // DownstreamAddrGroupConfig::addrs. 567 struct AffinityHash { AffinityHashAffinityHash568 AffinityHash(size_t idx, uint32_t hash) : idx(idx), hash(hash) {} 569 570 size_t idx; 571 uint32_t hash; 572 }; 573 574 struct DownstreamAddrGroupConfig { DownstreamAddrGroupConfigDownstreamAddrGroupConfig575 DownstreamAddrGroupConfig(const StringRef &pattern) 576 : pattern(pattern), 577 affinity{SessionAffinity::NONE}, 578 redirect_if_not_tls(false), 579 dnf{false}, 580 timeout{} {} 581 582 StringRef pattern; 583 StringRef mruby_file; 584 std::vector<DownstreamAddrConfig> addrs; 585 // Bunch of session affinity hash. Only used if affinity == 586 // SessionAffinity::IP. 587 std::vector<AffinityHash> affinity_hash; 588 // Maps affinity hash of each DownstreamAddrConfig to its index in 589 // addrs. It is only assigned when strict stickiness is enabled. 590 std::unordered_map<uint32_t, size_t> affinity_hash_map; 591 // Cookie based session affinity configuration. 592 AffinityConfig affinity; 593 // true if this group requires that client connection must be TLS, 594 // and the request must be redirected to https URI. 595 bool redirect_if_not_tls; 596 // true if a request should not be forwarded to a backend. 597 bool dnf; 598 // Timeouts for backend connection. 599 struct { 600 ev_tstamp read; 601 ev_tstamp write; 602 } timeout; 603 }; 604 605 struct TicketKey { 606 const EVP_CIPHER *cipher; 607 const EVP_MD *hmac; 608 size_t hmac_keylen; 609 struct { 610 // name of this ticket configuration 611 std::array<uint8_t, 16> name; 612 // encryption key for |cipher| 613 std::array<uint8_t, 32> enc_key; 614 // hmac key for |hmac| 615 std::array<uint8_t, 32> hmac_key; 616 } data; 617 }; 618 619 struct TicketKeys { 620 ~TicketKeys(); 621 std::vector<TicketKey> keys; 622 }; 623 624 struct TLSCertificate { TLSCertificateTLSCertificate625 TLSCertificate(StringRef private_key_file, StringRef cert_file, 626 std::vector<uint8_t> sct_data) 627 : private_key_file(std::move(private_key_file)), 628 cert_file(std::move(cert_file)), 629 sct_data(std::move(sct_data)) {} 630 631 StringRef private_key_file; 632 StringRef cert_file; 633 std::vector<uint8_t> sct_data; 634 }; 635 636 #ifdef ENABLE_HTTP3 637 struct QUICKeyingMaterial { 638 std::array<uint8_t, SHRPX_QUIC_SECRET_RESERVEDLEN> reserved; 639 std::array<uint8_t, SHRPX_QUIC_SECRETLEN> secret; 640 std::array<uint8_t, SHRPX_QUIC_SALTLEN> salt; 641 std::array<uint8_t, SHRPX_QUIC_CID_ENCRYPTION_KEYLEN> cid_encryption_key; 642 // Identifier of this keying material. Only the first 2 bits are 643 // used. 644 uint8_t id; 645 }; 646 647 struct QUICKeyingMaterials { 648 std::vector<QUICKeyingMaterial> keying_materials; 649 }; 650 #endif // ENABLE_HTTP3 651 652 struct HttpProxy { 653 Address addr; 654 // host in http proxy URI 655 StringRef host; 656 // userinfo in http proxy URI, not percent-encoded form 657 StringRef userinfo; 658 // port in http proxy URI 659 uint16_t port; 660 }; 661 662 struct TLSConfig { 663 // RFC 5077 Session ticket related configurations 664 struct { 665 struct { 666 Address addr; 667 uint16_t port; 668 // Hostname of memcached server. This is also used as SNI field 669 // if TLS is enabled. 670 StringRef host; 671 // Client private key and certificate for authentication 672 StringRef private_key_file; 673 StringRef cert_file; 674 ev_tstamp interval; 675 // Maximum number of retries when getting TLS ticket key from 676 // mamcached, due to network error. 677 size_t max_retry; 678 // Maximum number of consecutive error from memcached, when this 679 // limit reached, TLS ticket is disabled. 680 size_t max_fail; 681 // Address family of memcached connection. One of either 682 // AF_INET, AF_INET6 or AF_UNSPEC. 683 int family; 684 bool tls; 685 } memcached; 686 std::vector<StringRef> files; 687 const EVP_CIPHER *cipher; 688 // true if --tls-ticket-key-cipher is used 689 bool cipher_given; 690 } ticket; 691 692 // Session cache related configurations 693 struct { 694 struct { 695 Address addr; 696 uint16_t port; 697 // Hostname of memcached server. This is also used as SNI field 698 // if TLS is enabled. 699 StringRef host; 700 // Client private key and certificate for authentication 701 StringRef private_key_file; 702 StringRef cert_file; 703 // Address family of memcached connection. One of either 704 // AF_INET, AF_INET6 or AF_UNSPEC. 705 int family; 706 bool tls; 707 } memcached; 708 } session_cache; 709 710 // Dynamic record sizing configurations 711 struct { 712 size_t warmup_threshold; 713 ev_tstamp idle_timeout; 714 } dyn_rec; 715 716 // OCSP related configurations 717 struct { 718 ev_tstamp update_interval; 719 StringRef fetch_ocsp_response_file; 720 bool disabled; 721 bool startup; 722 bool no_verify; 723 } ocsp; 724 725 // Client verification configurations 726 struct { 727 // Path to file containing CA certificate solely used for client 728 // certificate validation 729 StringRef cacert; 730 bool enabled; 731 // true if we accept an expired client certificate. 732 bool tolerate_expired; 733 } client_verify; 734 735 // Client (backend connection) TLS configuration. 736 struct { 737 // Client PSK configuration 738 struct { 739 // identity must be NULL terminated string. 740 StringRef identity; 741 StringRef secret; 742 } psk; 743 StringRef private_key_file; 744 StringRef cert_file; 745 StringRef ciphers; 746 StringRef tls13_ciphers; 747 bool no_http2_cipher_block_list; 748 } client; 749 750 // PSK secrets. The key is identity, and the associated value is 751 // its secret. 752 std::map<StringRef, StringRef> psk_secrets; 753 // The list of additional TLS certificate pair 754 std::vector<TLSCertificate> subcerts; 755 std::vector<unsigned char> alpn_prefs; 756 // list of supported NPN/ALPN protocol strings in the order of 757 // preference. 758 std::vector<StringRef> npn_list; 759 // list of supported SSL/TLS protocol strings. 760 std::vector<StringRef> tls_proto_list; 761 std::vector<uint8_t> sct_data; 762 BIO_METHOD *bio_method; 763 // Bit mask to disable SSL/TLS protocol versions. This will be 764 // passed to SSL_CTX_set_options(). 765 long int tls_proto_mask; 766 StringRef backend_sni_name; 767 std::chrono::seconds session_timeout; 768 StringRef private_key_file; 769 StringRef private_key_passwd; 770 StringRef cert_file; 771 StringRef dh_param_file; 772 StringRef ciphers; 773 StringRef tls13_ciphers; 774 StringRef ecdh_curves; 775 StringRef cacert; 776 // The maximum amount of 0-RTT data that server accepts. 777 uint32_t max_early_data; 778 // The minimum and maximum TLS version. These values are defined in 779 // OpenSSL header file. 780 int min_proto_version; 781 int max_proto_version; 782 bool insecure; 783 bool no_http2_cipher_block_list; 784 // true if forwarding requests included in TLS early data should not 785 // be postponed until TLS handshake finishes. 786 bool no_postpone_early_data; 787 bool ktls; 788 }; 789 790 #ifdef ENABLE_HTTP3 791 struct QUICConfig { 792 struct { 793 struct { 794 ev_tstamp idle; 795 } timeout; 796 struct { 797 bool log; 798 } debug; 799 struct { 800 StringRef dir; 801 } qlog; 802 ngtcp2_cc_algo congestion_controller; 803 bool early_data; 804 bool require_token; 805 StringRef secret_file; 806 ev_tstamp initial_rtt; 807 } upstream; 808 struct { 809 StringRef prog_file; 810 bool disabled; 811 } bpf; 812 std::array<uint8_t, SHRPX_QUIC_SERVER_IDLEN> server_id; 813 }; 814 815 struct Http3Config { 816 struct { 817 size_t max_concurrent_streams; 818 int32_t window_size; 819 int32_t connection_window_size; 820 int32_t max_window_size; 821 int32_t max_connection_window_size; 822 } upstream; 823 }; 824 #endif // ENABLE_HTTP3 825 826 // custom error page 827 struct ErrorPage { 828 // not NULL-terminated 829 std::vector<uint8_t> content; 830 // 0 is special value, and it matches all HTTP status code. 831 unsigned int http_status; 832 }; 833 834 struct HttpConfig { 835 struct { 836 // obfuscated value used in "by" parameter of Forwarded header 837 // field. This is only used when user defined static obfuscated 838 // string is provided. 839 StringRef by_obfuscated; 840 // bitwise-OR of one or more of shrpx_forwarded_param values. 841 uint32_t params; 842 // type of value recorded in "by" parameter of Forwarded header 843 // field. 844 ForwardedNode by_node_type; 845 // type of value recorded in "for" parameter of Forwarded header 846 // field. 847 ForwardedNode for_node_type; 848 bool strip_incoming; 849 } forwarded; 850 struct { 851 bool add; 852 bool strip_incoming; 853 } xff; 854 struct { 855 bool add; 856 bool strip_incoming; 857 } xfp; 858 struct { 859 bool strip_incoming; 860 } early_data; 861 std::vector<AltSvc> altsvcs; 862 // altsvcs serialized in a wire format. 863 StringRef altsvc_header_value; 864 std::vector<AltSvc> http2_altsvcs; 865 // http2_altsvcs serialized in a wire format. 866 StringRef http2_altsvc_header_value; 867 std::vector<ErrorPage> error_pages; 868 HeaderRefs add_request_headers; 869 HeaderRefs add_response_headers; 870 StringRef server_name; 871 // Port number which appears in Location header field when https 872 // redirect is made. 873 StringRef redirect_https_port; 874 size_t request_header_field_buffer; 875 size_t max_request_header_fields; 876 size_t response_header_field_buffer; 877 size_t max_response_header_fields; 878 size_t max_requests; 879 bool no_via; 880 bool no_location_rewrite; 881 bool no_host_rewrite; 882 bool no_server_rewrite; 883 bool require_http_scheme; 884 }; 885 886 struct Http2Config { 887 struct { 888 struct { 889 struct { 890 StringRef request_header_file; 891 StringRef response_header_file; 892 FILE *request_header; 893 FILE *response_header; 894 } dump; 895 bool frame_debug; 896 } debug; 897 struct { 898 ev_tstamp settings; 899 } timeout; 900 nghttp2_option *option; 901 nghttp2_option *alt_mode_option; 902 nghttp2_session_callbacks *callbacks; 903 size_t max_concurrent_streams; 904 size_t encoder_dynamic_table_size; 905 size_t decoder_dynamic_table_size; 906 int32_t window_size; 907 int32_t connection_window_size; 908 bool optimize_write_buffer_size; 909 bool optimize_window_size; 910 } upstream; 911 struct { 912 struct { 913 ev_tstamp settings; 914 } timeout; 915 nghttp2_option *option; 916 nghttp2_session_callbacks *callbacks; 917 size_t encoder_dynamic_table_size; 918 size_t decoder_dynamic_table_size; 919 int32_t window_size; 920 int32_t connection_window_size; 921 size_t max_concurrent_streams; 922 } downstream; 923 struct { 924 ev_tstamp stream_read; 925 ev_tstamp stream_write; 926 } timeout; 927 bool no_cookie_crumbling; 928 bool no_server_push; 929 }; 930 931 struct LoggingConfig { 932 struct { 933 std::vector<LogFragment> format; 934 StringRef file; 935 // Send accesslog to syslog, ignoring accesslog_file. 936 bool syslog; 937 // Write accesslog when response headers are received from 938 // backend, rather than response body is received and sent. 939 bool write_early; 940 } access; 941 struct { 942 StringRef file; 943 // Send errorlog to syslog, ignoring errorlog_file. 944 bool syslog; 945 } error; 946 int syslog_facility; 947 int severity; 948 }; 949 950 struct RateLimitConfig { 951 size_t rate; 952 size_t burst; 953 }; 954 955 // Wildcard host pattern routing. We strips left most '*' from host 956 // field. router includes all path patterns sharing the same wildcard 957 // host. 958 struct WildcardPattern { WildcardPatternWildcardPattern959 WildcardPattern(const StringRef &host) : host(host) {} 960 961 // This might not be NULL terminated. Currently it is only used for 962 // comparison. 963 StringRef host; 964 Router router; 965 }; 966 967 // Configuration to select backend to forward request 968 struct RouterConfig { 969 Router router; 970 // Router for reversed wildcard hosts. Since this router has 971 // wildcard hosts reversed without '*', one should call match() 972 // function with reversed host stripping last character. This is 973 // because we require at least one character must match for '*'. 974 // The index stored in this router is index of wildcard_patterns. 975 Router rev_wildcard_router; 976 std::vector<WildcardPattern> wildcard_patterns; 977 }; 978 979 struct DownstreamConfig { DownstreamConfigDownstreamConfig980 DownstreamConfig() 981 : balloc(1024, 1024), 982 timeout{}, 983 addr_group_catch_all{0}, 984 connections_per_host{0}, 985 connections_per_frontend{0}, 986 request_buffer_size{0}, 987 response_buffer_size{0}, 988 family{0} {} 989 990 DownstreamConfig(const DownstreamConfig &) = delete; 991 DownstreamConfig(DownstreamConfig &&) = delete; 992 DownstreamConfig &operator=(const DownstreamConfig &) = delete; 993 DownstreamConfig &operator=(DownstreamConfig &&) = delete; 994 995 // Allocator to allocate memory for Downstream configuration. Since 996 // we may swap around DownstreamConfig in arbitrary times with API 997 // calls, we should use their own allocator instead of per Config 998 // allocator. 999 BlockAllocator balloc; 1000 struct { 1001 ev_tstamp read; 1002 ev_tstamp write; 1003 ev_tstamp idle_read; 1004 ev_tstamp connect; 1005 // The maximum backoff while checking health check for offline 1006 // backend or while detaching failed backend from load balancing 1007 // group temporarily. 1008 ev_tstamp max_backoff; 1009 } timeout; 1010 RouterConfig router; 1011 std::vector<DownstreamAddrGroupConfig> addr_groups; 1012 // The index of catch-all group in downstream_addr_groups. 1013 size_t addr_group_catch_all; 1014 size_t connections_per_host; 1015 size_t connections_per_frontend; 1016 size_t request_buffer_size; 1017 size_t response_buffer_size; 1018 // Address family of backend connection. One of either AF_INET, 1019 // AF_INET6 or AF_UNSPEC. This is ignored if backend connection 1020 // is made via Unix domain socket. 1021 int family; 1022 }; 1023 1024 struct ConnectionConfig { 1025 struct { 1026 struct { 1027 ev_tstamp sleep; 1028 } timeout; 1029 // address of frontend acceptors 1030 std::vector<UpstreamAddr> addrs; 1031 int backlog; 1032 // TCP fastopen. If this is positive, it is passed to 1033 // setsockopt() along with TCP_FASTOPEN. 1034 int fastopen; 1035 } listener; 1036 1037 #ifdef ENABLE_HTTP3 1038 struct { 1039 std::vector<UpstreamAddr> addrs; 1040 } quic_listener; 1041 #endif // ENABLE_HTTP3 1042 1043 struct { 1044 struct { 1045 ev_tstamp http2_read; 1046 ev_tstamp http3_read; 1047 ev_tstamp read; 1048 ev_tstamp write; 1049 ev_tstamp idle_read; 1050 } timeout; 1051 struct { 1052 RateLimitConfig read; 1053 RateLimitConfig write; 1054 } ratelimit; 1055 size_t worker_connections; 1056 // Deprecated. See UpstreamAddr.accept_proxy_protocol. 1057 bool accept_proxy_protocol; 1058 } upstream; 1059 1060 std::shared_ptr<DownstreamConfig> downstream; 1061 }; 1062 1063 struct APIConfig { 1064 // Maximum request body size for one API request 1065 size_t max_request_body; 1066 // true if at least one of UpstreamAddr has api enabled 1067 bool enabled; 1068 }; 1069 1070 struct DNSConfig { 1071 struct { 1072 ev_tstamp cache; 1073 ev_tstamp lookup; 1074 } timeout; 1075 // The number of tries name resolver makes before abandoning 1076 // request. 1077 size_t max_try; 1078 }; 1079 1080 struct Config { ConfigConfig1081 Config() 1082 : balloc(4096, 4096), 1083 downstream_http_proxy{}, 1084 http{}, 1085 http2{}, 1086 tls{}, 1087 #ifdef ENABLE_HTTP3 1088 quic{}, 1089 #endif // ENABLE_HTTP3 1090 logging{}, 1091 conn{}, 1092 api{}, 1093 dns{}, 1094 config_revision{0}, 1095 num_worker{0}, 1096 padding{0}, 1097 rlimit_nofile{0}, 1098 rlimit_memlock{0}, 1099 uid{0}, 1100 gid{0}, 1101 pid{0}, 1102 verbose{false}, 1103 daemon{false}, 1104 http2_proxy{false}, 1105 single_process{false}, 1106 single_thread{false}, 1107 ignore_per_pattern_mruby_error{false}, 1108 ev_loop_flags{0}, 1109 max_worker_processes{0}, 1110 worker_process_grace_shutdown_period{0.} { 1111 } 1112 ~Config(); 1113 1114 Config(Config &&) = delete; 1115 Config(const Config &&) = delete; 1116 Config &operator=(Config &&) = delete; 1117 Config &operator=(const Config &&) = delete; 1118 1119 // Allocator to allocate memory for this object except for 1120 // DownstreamConfig. Currently, it is used to allocate memory for 1121 // strings. 1122 BlockAllocator balloc; 1123 HttpProxy downstream_http_proxy; 1124 HttpConfig http; 1125 Http2Config http2; 1126 TLSConfig tls; 1127 #ifdef ENABLE_HTTP3 1128 QUICConfig quic; 1129 Http3Config http3; 1130 #endif // ENABLE_HTTP3 1131 LoggingConfig logging; 1132 ConnectionConfig conn; 1133 APIConfig api; 1134 DNSConfig dns; 1135 StringRef pid_file; 1136 StringRef conf_path; 1137 StringRef user; 1138 StringRef mruby_file; 1139 // The revision of configuration which is opaque string, and changes 1140 // on each configuration reloading. This does not change on 1141 // backendconfig API call. This value is returned in health check 1142 // as "nghttpx-conf-rev" response header field. The external 1143 // program can check this value to know whether reloading has 1144 // completed or not. 1145 uint64_t config_revision; 1146 size_t num_worker; 1147 size_t padding; 1148 size_t rlimit_nofile; 1149 size_t rlimit_memlock; 1150 uid_t uid; 1151 gid_t gid; 1152 pid_t pid; 1153 bool verbose; 1154 bool daemon; 1155 bool http2_proxy; 1156 // Run nghttpx in single process mode. With this mode, signal 1157 // handling is omitted. 1158 bool single_process; 1159 bool single_thread; 1160 // Ignore mruby compile error for per-pattern mruby script. 1161 bool ignore_per_pattern_mruby_error; 1162 // flags passed to ev_default_loop() and ev_loop_new() 1163 int ev_loop_flags; 1164 size_t max_worker_processes; 1165 ev_tstamp worker_process_grace_shutdown_period; 1166 }; 1167 1168 const Config *get_config(); 1169 Config *mod_config(); 1170 // Replaces the current config with given |new_config|. The old config is 1171 // returned. 1172 std::unique_ptr<Config> replace_config(std::unique_ptr<Config> new_config); 1173 void create_config(); 1174 1175 // generated by gennghttpxfun.py 1176 enum { 1177 SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL, 1178 SHRPX_OPTID_ACCESSLOG_FILE, 1179 SHRPX_OPTID_ACCESSLOG_FORMAT, 1180 SHRPX_OPTID_ACCESSLOG_SYSLOG, 1181 SHRPX_OPTID_ACCESSLOG_WRITE_EARLY, 1182 SHRPX_OPTID_ADD_FORWARDED, 1183 SHRPX_OPTID_ADD_REQUEST_HEADER, 1184 SHRPX_OPTID_ADD_RESPONSE_HEADER, 1185 SHRPX_OPTID_ADD_X_FORWARDED_FOR, 1186 SHRPX_OPTID_ALTSVC, 1187 SHRPX_OPTID_API_MAX_REQUEST_BODY, 1188 SHRPX_OPTID_BACKEND, 1189 SHRPX_OPTID_BACKEND_ADDRESS_FAMILY, 1190 SHRPX_OPTID_BACKEND_CONNECT_TIMEOUT, 1191 SHRPX_OPTID_BACKEND_CONNECTIONS_PER_FRONTEND, 1192 SHRPX_OPTID_BACKEND_CONNECTIONS_PER_HOST, 1193 SHRPX_OPTID_BACKEND_HTTP_PROXY_URI, 1194 SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND, 1195 SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_HOST, 1196 SHRPX_OPTID_BACKEND_HTTP1_TLS, 1197 SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_BITS, 1198 SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE, 1199 SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER, 1200 SHRPX_OPTID_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE, 1201 SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE, 1202 SHRPX_OPTID_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS, 1203 SHRPX_OPTID_BACKEND_HTTP2_SETTINGS_TIMEOUT, 1204 SHRPX_OPTID_BACKEND_HTTP2_WINDOW_BITS, 1205 SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE, 1206 SHRPX_OPTID_BACKEND_IPV4, 1207 SHRPX_OPTID_BACKEND_IPV6, 1208 SHRPX_OPTID_BACKEND_KEEP_ALIVE_TIMEOUT, 1209 SHRPX_OPTID_BACKEND_MAX_BACKOFF, 1210 SHRPX_OPTID_BACKEND_NO_TLS, 1211 SHRPX_OPTID_BACKEND_READ_TIMEOUT, 1212 SHRPX_OPTID_BACKEND_REQUEST_BUFFER, 1213 SHRPX_OPTID_BACKEND_RESPONSE_BUFFER, 1214 SHRPX_OPTID_BACKEND_TLS, 1215 SHRPX_OPTID_BACKEND_TLS_SNI_FIELD, 1216 SHRPX_OPTID_BACKEND_WRITE_TIMEOUT, 1217 SHRPX_OPTID_BACKLOG, 1218 SHRPX_OPTID_CACERT, 1219 SHRPX_OPTID_CERTIFICATE_FILE, 1220 SHRPX_OPTID_CIPHERS, 1221 SHRPX_OPTID_CLIENT, 1222 SHRPX_OPTID_CLIENT_CERT_FILE, 1223 SHRPX_OPTID_CLIENT_CIPHERS, 1224 SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST, 1225 SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST, 1226 SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE, 1227 SHRPX_OPTID_CLIENT_PROXY, 1228 SHRPX_OPTID_CLIENT_PSK_SECRETS, 1229 SHRPX_OPTID_CONF, 1230 SHRPX_OPTID_DAEMON, 1231 SHRPX_OPTID_DH_PARAM_FILE, 1232 SHRPX_OPTID_DNS_CACHE_TIMEOUT, 1233 SHRPX_OPTID_DNS_LOOKUP_TIMEOUT, 1234 SHRPX_OPTID_DNS_MAX_TRY, 1235 SHRPX_OPTID_ECDH_CURVES, 1236 SHRPX_OPTID_ERROR_PAGE, 1237 SHRPX_OPTID_ERRORLOG_FILE, 1238 SHRPX_OPTID_ERRORLOG_SYSLOG, 1239 SHRPX_OPTID_FASTOPEN, 1240 SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE, 1241 SHRPX_OPTID_FORWARDED_BY, 1242 SHRPX_OPTID_FORWARDED_FOR, 1243 SHRPX_OPTID_FRONTEND, 1244 SHRPX_OPTID_FRONTEND_FRAME_DEBUG, 1245 SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS, 1246 SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE, 1247 SHRPX_OPTID_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE, 1248 SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER, 1249 SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER, 1250 SHRPX_OPTID_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE, 1251 SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS, 1252 SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE, 1253 SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE, 1254 SHRPX_OPTID_FRONTEND_HTTP2_READ_TIMEOUT, 1255 SHRPX_OPTID_FRONTEND_HTTP2_SETTINGS_TIMEOUT, 1256 SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_BITS, 1257 SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE, 1258 SHRPX_OPTID_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE, 1259 SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS, 1260 SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE, 1261 SHRPX_OPTID_FRONTEND_HTTP3_MAX_WINDOW_SIZE, 1262 SHRPX_OPTID_FRONTEND_HTTP3_READ_TIMEOUT, 1263 SHRPX_OPTID_FRONTEND_HTTP3_WINDOW_SIZE, 1264 SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT, 1265 SHRPX_OPTID_FRONTEND_MAX_REQUESTS, 1266 SHRPX_OPTID_FRONTEND_NO_TLS, 1267 SHRPX_OPTID_FRONTEND_QUIC_CONGESTION_CONTROLLER, 1268 SHRPX_OPTID_FRONTEND_QUIC_DEBUG_LOG, 1269 SHRPX_OPTID_FRONTEND_QUIC_EARLY_DATA, 1270 SHRPX_OPTID_FRONTEND_QUIC_IDLE_TIMEOUT, 1271 SHRPX_OPTID_FRONTEND_QUIC_INITIAL_RTT, 1272 SHRPX_OPTID_FRONTEND_QUIC_QLOG_DIR, 1273 SHRPX_OPTID_FRONTEND_QUIC_REQUIRE_TOKEN, 1274 SHRPX_OPTID_FRONTEND_QUIC_SECRET_FILE, 1275 SHRPX_OPTID_FRONTEND_READ_TIMEOUT, 1276 SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT, 1277 SHRPX_OPTID_HEADER_FIELD_BUFFER, 1278 SHRPX_OPTID_HOST_REWRITE, 1279 SHRPX_OPTID_HTTP2_ALTSVC, 1280 SHRPX_OPTID_HTTP2_BRIDGE, 1281 SHRPX_OPTID_HTTP2_MAX_CONCURRENT_STREAMS, 1282 SHRPX_OPTID_HTTP2_NO_COOKIE_CRUMBLING, 1283 SHRPX_OPTID_HTTP2_PROXY, 1284 SHRPX_OPTID_IGNORE_PER_PATTERN_MRUBY_ERROR, 1285 SHRPX_OPTID_INCLUDE, 1286 SHRPX_OPTID_INSECURE, 1287 SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT, 1288 SHRPX_OPTID_LOG_LEVEL, 1289 SHRPX_OPTID_MAX_HEADER_FIELDS, 1290 SHRPX_OPTID_MAX_REQUEST_HEADER_FIELDS, 1291 SHRPX_OPTID_MAX_RESPONSE_HEADER_FIELDS, 1292 SHRPX_OPTID_MAX_WORKER_PROCESSES, 1293 SHRPX_OPTID_MRUBY_FILE, 1294 SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO, 1295 SHRPX_OPTID_NO_HOST_REWRITE, 1296 SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST, 1297 SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST, 1298 SHRPX_OPTID_NO_KQUEUE, 1299 SHRPX_OPTID_NO_LOCATION_REWRITE, 1300 SHRPX_OPTID_NO_OCSP, 1301 SHRPX_OPTID_NO_QUIC_BPF, 1302 SHRPX_OPTID_NO_SERVER_PUSH, 1303 SHRPX_OPTID_NO_SERVER_REWRITE, 1304 SHRPX_OPTID_NO_STRIP_INCOMING_EARLY_DATA, 1305 SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO, 1306 SHRPX_OPTID_NO_VERIFY_OCSP, 1307 SHRPX_OPTID_NO_VIA, 1308 SHRPX_OPTID_NPN_LIST, 1309 SHRPX_OPTID_OCSP_STARTUP, 1310 SHRPX_OPTID_OCSP_UPDATE_INTERVAL, 1311 SHRPX_OPTID_PADDING, 1312 SHRPX_OPTID_PID_FILE, 1313 SHRPX_OPTID_PRIVATE_KEY_FILE, 1314 SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE, 1315 SHRPX_OPTID_PSK_SECRETS, 1316 SHRPX_OPTID_QUIC_BPF_PROGRAM_FILE, 1317 SHRPX_OPTID_QUIC_SERVER_ID, 1318 SHRPX_OPTID_READ_BURST, 1319 SHRPX_OPTID_READ_RATE, 1320 SHRPX_OPTID_REDIRECT_HTTPS_PORT, 1321 SHRPX_OPTID_REQUEST_HEADER_FIELD_BUFFER, 1322 SHRPX_OPTID_REQUIRE_HTTP_SCHEME, 1323 SHRPX_OPTID_RESPONSE_HEADER_FIELD_BUFFER, 1324 SHRPX_OPTID_RLIMIT_MEMLOCK, 1325 SHRPX_OPTID_RLIMIT_NOFILE, 1326 SHRPX_OPTID_SERVER_NAME, 1327 SHRPX_OPTID_SINGLE_PROCESS, 1328 SHRPX_OPTID_SINGLE_THREAD, 1329 SHRPX_OPTID_STREAM_READ_TIMEOUT, 1330 SHRPX_OPTID_STREAM_WRITE_TIMEOUT, 1331 SHRPX_OPTID_STRIP_INCOMING_FORWARDED, 1332 SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR, 1333 SHRPX_OPTID_SUBCERT, 1334 SHRPX_OPTID_SYSLOG_FACILITY, 1335 SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT, 1336 SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD, 1337 SHRPX_OPTID_TLS_KTLS, 1338 SHRPX_OPTID_TLS_MAX_EARLY_DATA, 1339 SHRPX_OPTID_TLS_MAX_PROTO_VERSION, 1340 SHRPX_OPTID_TLS_MIN_PROTO_VERSION, 1341 SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA, 1342 SHRPX_OPTID_TLS_PROTO_LIST, 1343 SHRPX_OPTID_TLS_SCT_DIR, 1344 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED, 1345 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY, 1346 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE, 1347 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE, 1348 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS, 1349 SHRPX_OPTID_TLS_TICKET_KEY_CIPHER, 1350 SHRPX_OPTID_TLS_TICKET_KEY_FILE, 1351 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED, 1352 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY, 1353 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE, 1354 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL, 1355 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL, 1356 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY, 1357 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE, 1358 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS, 1359 SHRPX_OPTID_TLS13_CIPHERS, 1360 SHRPX_OPTID_TLS13_CLIENT_CIPHERS, 1361 SHRPX_OPTID_USER, 1362 SHRPX_OPTID_VERIFY_CLIENT, 1363 SHRPX_OPTID_VERIFY_CLIENT_CACERT, 1364 SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED, 1365 SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS, 1366 SHRPX_OPTID_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD, 1367 SHRPX_OPTID_WORKER_READ_BURST, 1368 SHRPX_OPTID_WORKER_READ_RATE, 1369 SHRPX_OPTID_WORKER_WRITE_BURST, 1370 SHRPX_OPTID_WORKER_WRITE_RATE, 1371 SHRPX_OPTID_WORKERS, 1372 SHRPX_OPTID_WRITE_BURST, 1373 SHRPX_OPTID_WRITE_RATE, 1374 SHRPX_OPTID_MAXIDX, 1375 }; 1376 1377 // Looks up token for given option name |name| of length |namelen|. 1378 int option_lookup_token(const char *name, size_t namelen); 1379 1380 // Parses option name |opt| and value |optarg|. The results are 1381 // stored into the object pointed by |config|. This function returns 0 1382 // if it succeeds, or -1. The |included_set| contains the all paths 1383 // already included while processing this configuration, to avoid loop 1384 // in --include option. The |pattern_addr_indexer| contains a pair of 1385 // pattern of backend, and its index in DownstreamConfig::addr_groups. 1386 // It is introduced to speed up loading configuration file with lots 1387 // of backends. 1388 int parse_config(Config *config, const StringRef &opt, const StringRef &optarg, 1389 std::set<StringRef> &included_set, 1390 std::map<StringRef, size_t> &pattern_addr_indexer); 1391 1392 // Similar to parse_config() above, but additional |optid| which 1393 // should be the return value of option_lookup_token(opt). 1394 int parse_config(Config *config, int optid, const StringRef &opt, 1395 const StringRef &optarg, std::set<StringRef> &included_set, 1396 std::map<StringRef, size_t> &pattern_addr_indexer); 1397 1398 // Loads configurations from |filename| and stores them in |config|. 1399 // This function returns 0 if it succeeds, or -1. See parse_config() 1400 // for |include_set|. 1401 int load_config(Config *config, const char *filename, 1402 std::set<StringRef> &include_set, 1403 std::map<StringRef, size_t> &pattern_addr_indexer); 1404 1405 // Parses header field in |optarg|. We expect header field is formed 1406 // like "NAME: VALUE". We require that NAME is non empty string. ":" 1407 // is allowed at the start of the NAME, but NAME == ":" is not 1408 // allowed. This function returns pair of NAME and VALUE. 1409 HeaderRefs::value_type parse_header(BlockAllocator &balloc, 1410 const StringRef &optarg); 1411 1412 std::vector<LogFragment> parse_log_format(BlockAllocator &balloc, 1413 const StringRef &optarg); 1414 1415 // Returns string for syslog |facility|. 1416 StringRef str_syslog_facility(int facility); 1417 1418 // Returns integer value of syslog |facility| string. 1419 int int_syslog_facility(const StringRef &strfacility); 1420 1421 FILE *open_file_for_write(const char *filename); 1422 1423 // Reads TLS ticket key file in |files| and returns TicketKey which 1424 // stores read key data. The given |cipher| and |hmac| determine the 1425 // expected file size. This function returns TicketKey if it 1426 // succeeds, or nullptr. 1427 std::unique_ptr<TicketKeys> 1428 read_tls_ticket_key_file(const std::vector<StringRef> &files, 1429 const EVP_CIPHER *cipher, const EVP_MD *hmac); 1430 1431 #ifdef ENABLE_HTTP3 1432 std::shared_ptr<QUICKeyingMaterials> 1433 read_quic_secret_file(const StringRef &path); 1434 #endif // ENABLE_HTTP3 1435 1436 // Returns string representation of |proto|. 1437 StringRef strproto(Proto proto); 1438 1439 int configure_downstream_group(Config *config, bool http2_proxy, 1440 bool numeric_addr_only, 1441 const TLSConfig &tlsconf); 1442 1443 int resolve_hostname(Address *addr, const char *hostname, uint16_t port, 1444 int family, int additional_flags = 0); 1445 1446 } // namespace shrpx 1447 1448 #endif // SHRPX_CONFIG_H 1449