1 /* 2 * nghttp2 - HTTP/2 C Library 3 * 4 * Copyright (c) 2012 Tatsuhiro Tsujikawa 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining 7 * a copy of this software and associated documentation files (the 8 * "Software"), to deal in the Software without restriction, including 9 * without limitation the rights to use, copy, modify, merge, publish, 10 * distribute, sublicense, and/or sell copies of the Software, and to 11 * permit persons to whom the Software is furnished to do so, subject to 12 * the following conditions: 13 * 14 * The above copyright notice and this permission notice shall be 15 * included in all copies or substantial portions of the Software. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 24 */ 25 #ifndef SHRPX_CONFIG_H 26 #define SHRPX_CONFIG_H 27 28 #include "shrpx.h" 29 30 #include <sys/types.h> 31 #ifdef HAVE_SYS_SOCKET_H 32 # include <sys/socket.h> 33 #endif // HAVE_SYS_SOCKET_H 34 #include <sys/un.h> 35 #ifdef HAVE_NETINET_IN_H 36 # include <netinet/in.h> 37 #endif // HAVE_NETINET_IN_H 38 #ifdef HAVE_ARPA_INET_H 39 # include <arpa/inet.h> 40 #endif // HAVE_ARPA_INET_H 41 #include <cinttypes> 42 #include <cstdio> 43 #include <vector> 44 #include <memory> 45 #include <set> 46 #include <unordered_map> 47 48 #include <openssl/ssl.h> 49 50 #include <ev.h> 51 52 #include <nghttp2/nghttp2.h> 53 54 #include "shrpx_log.h" 55 #include "shrpx_router.h" 56 #if ENABLE_HTTP3 57 # include "shrpx_quic.h" 58 #endif // ENABLE_HTTP3 59 #include "template.h" 60 #include "http2.h" 61 #include "network.h" 62 #include "allocator.h" 63 64 using namespace nghttp2; 65 66 namespace shrpx { 67 68 struct LogFragment; 69 class ConnectBlocker; 70 class Http2Session; 71 72 namespace tls { 73 74 class CertLookupTree; 75 76 } // namespace tls 77 78 constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE = "private-key-file"_sr; 79 constexpr auto SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE = "private-key-passwd-file"_sr; 80 constexpr auto SHRPX_OPT_CERTIFICATE_FILE = "certificate-file"_sr; 81 constexpr auto SHRPX_OPT_DH_PARAM_FILE = "dh-param-file"_sr; 82 constexpr auto SHRPX_OPT_SUBCERT = "subcert"_sr; 83 constexpr auto SHRPX_OPT_BACKEND = "backend"_sr; 84 constexpr auto SHRPX_OPT_FRONTEND = "frontend"_sr; 85 constexpr auto SHRPX_OPT_WORKERS = "workers"_sr; 86 constexpr auto SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS = 87 "http2-max-concurrent-streams"_sr; 88 constexpr auto SHRPX_OPT_LOG_LEVEL = "log-level"_sr; 89 constexpr auto SHRPX_OPT_DAEMON = "daemon"_sr; 90 constexpr auto SHRPX_OPT_HTTP2_PROXY = "http2-proxy"_sr; 91 constexpr auto SHRPX_OPT_HTTP2_BRIDGE = "http2-bridge"_sr; 92 constexpr auto SHRPX_OPT_CLIENT_PROXY = "client-proxy"_sr; 93 constexpr auto SHRPX_OPT_ADD_X_FORWARDED_FOR = "add-x-forwarded-for"_sr; 94 constexpr auto SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR = 95 "strip-incoming-x-forwarded-for"_sr; 96 constexpr auto SHRPX_OPT_NO_VIA = "no-via"_sr; 97 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT = 98 "frontend-http2-read-timeout"_sr; 99 constexpr auto SHRPX_OPT_FRONTEND_READ_TIMEOUT = "frontend-read-timeout"_sr; 100 constexpr auto SHRPX_OPT_FRONTEND_WRITE_TIMEOUT = "frontend-write-timeout"_sr; 101 constexpr auto SHRPX_OPT_BACKEND_READ_TIMEOUT = "backend-read-timeout"_sr; 102 constexpr auto SHRPX_OPT_BACKEND_WRITE_TIMEOUT = "backend-write-timeout"_sr; 103 constexpr auto SHRPX_OPT_STREAM_READ_TIMEOUT = "stream-read-timeout"_sr; 104 constexpr auto SHRPX_OPT_STREAM_WRITE_TIMEOUT = "stream-write-timeout"_sr; 105 constexpr auto SHRPX_OPT_ACCESSLOG_FILE = "accesslog-file"_sr; 106 constexpr auto SHRPX_OPT_ACCESSLOG_SYSLOG = "accesslog-syslog"_sr; 107 constexpr auto SHRPX_OPT_ACCESSLOG_FORMAT = "accesslog-format"_sr; 108 constexpr auto SHRPX_OPT_ERRORLOG_FILE = "errorlog-file"_sr; 109 constexpr auto SHRPX_OPT_ERRORLOG_SYSLOG = "errorlog-syslog"_sr; 110 constexpr auto SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT = 111 "backend-keep-alive-timeout"_sr; 112 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS = 113 "frontend-http2-window-bits"_sr; 114 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS = 115 "backend-http2-window-bits"_sr; 116 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS = 117 "frontend-http2-connection-window-bits"_sr; 118 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS = 119 "backend-http2-connection-window-bits"_sr; 120 constexpr auto SHRPX_OPT_FRONTEND_NO_TLS = "frontend-no-tls"_sr; 121 constexpr auto SHRPX_OPT_BACKEND_NO_TLS = "backend-no-tls"_sr; 122 constexpr auto SHRPX_OPT_BACKEND_TLS_SNI_FIELD = "backend-tls-sni-field"_sr; 123 constexpr auto SHRPX_OPT_PID_FILE = "pid-file"_sr; 124 constexpr auto SHRPX_OPT_USER = "user"_sr; 125 constexpr auto SHRPX_OPT_SYSLOG_FACILITY = "syslog-facility"_sr; 126 constexpr auto SHRPX_OPT_BACKLOG = "backlog"_sr; 127 constexpr auto SHRPX_OPT_CIPHERS = "ciphers"_sr; 128 constexpr auto SHRPX_OPT_CLIENT = "client"_sr; 129 constexpr auto SHRPX_OPT_INSECURE = "insecure"_sr; 130 constexpr auto SHRPX_OPT_CACERT = "cacert"_sr; 131 constexpr auto SHRPX_OPT_BACKEND_IPV4 = "backend-ipv4"_sr; 132 constexpr auto SHRPX_OPT_BACKEND_IPV6 = "backend-ipv6"_sr; 133 constexpr auto SHRPX_OPT_BACKEND_HTTP_PROXY_URI = "backend-http-proxy-uri"_sr; 134 constexpr auto SHRPX_OPT_READ_RATE = "read-rate"_sr; 135 constexpr auto SHRPX_OPT_READ_BURST = "read-burst"_sr; 136 constexpr auto SHRPX_OPT_WRITE_RATE = "write-rate"_sr; 137 constexpr auto SHRPX_OPT_WRITE_BURST = "write-burst"_sr; 138 constexpr auto SHRPX_OPT_WORKER_READ_RATE = "worker-read-rate"_sr; 139 constexpr auto SHRPX_OPT_WORKER_READ_BURST = "worker-read-burst"_sr; 140 constexpr auto SHRPX_OPT_WORKER_WRITE_RATE = "worker-write-rate"_sr; 141 constexpr auto SHRPX_OPT_WORKER_WRITE_BURST = "worker-write-burst"_sr; 142 constexpr auto SHRPX_OPT_NPN_LIST = "npn-list"_sr; 143 constexpr auto SHRPX_OPT_TLS_PROTO_LIST = "tls-proto-list"_sr; 144 constexpr auto SHRPX_OPT_VERIFY_CLIENT = "verify-client"_sr; 145 constexpr auto SHRPX_OPT_VERIFY_CLIENT_CACERT = "verify-client-cacert"_sr; 146 constexpr auto SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE = "client-private-key-file"_sr; 147 constexpr auto SHRPX_OPT_CLIENT_CERT_FILE = "client-cert-file"_sr; 148 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER = 149 "frontend-http2-dump-request-header"_sr; 150 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER = 151 "frontend-http2-dump-response-header"_sr; 152 constexpr auto SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING = 153 "http2-no-cookie-crumbling"_sr; 154 constexpr auto SHRPX_OPT_FRONTEND_FRAME_DEBUG = "frontend-frame-debug"_sr; 155 constexpr auto SHRPX_OPT_PADDING = "padding"_sr; 156 constexpr auto SHRPX_OPT_ALTSVC = "altsvc"_sr; 157 constexpr auto SHRPX_OPT_ADD_REQUEST_HEADER = "add-request-header"_sr; 158 constexpr auto SHRPX_OPT_ADD_RESPONSE_HEADER = "add-response-header"_sr; 159 constexpr auto SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS = 160 "worker-frontend-connections"_sr; 161 constexpr auto SHRPX_OPT_NO_LOCATION_REWRITE = "no-location-rewrite"_sr; 162 constexpr auto SHRPX_OPT_NO_HOST_REWRITE = "no-host-rewrite"_sr; 163 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST = 164 "backend-http1-connections-per-host"_sr; 165 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND = 166 "backend-http1-connections-per-frontend"_sr; 167 constexpr auto SHRPX_OPT_LISTENER_DISABLE_TIMEOUT = 168 "listener-disable-timeout"_sr; 169 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_FILE = "tls-ticket-key-file"_sr; 170 constexpr auto SHRPX_OPT_RLIMIT_NOFILE = "rlimit-nofile"_sr; 171 constexpr auto SHRPX_OPT_BACKEND_REQUEST_BUFFER = "backend-request-buffer"_sr; 172 constexpr auto SHRPX_OPT_BACKEND_RESPONSE_BUFFER = "backend-response-buffer"_sr; 173 constexpr auto SHRPX_OPT_NO_SERVER_PUSH = "no-server-push"_sr; 174 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER = 175 "backend-http2-connections-per-worker"_sr; 176 constexpr auto SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE = 177 "fetch-ocsp-response-file"_sr; 178 constexpr auto SHRPX_OPT_OCSP_UPDATE_INTERVAL = "ocsp-update-interval"_sr; 179 constexpr auto SHRPX_OPT_NO_OCSP = "no-ocsp"_sr; 180 constexpr auto SHRPX_OPT_HEADER_FIELD_BUFFER = "header-field-buffer"_sr; 181 constexpr auto SHRPX_OPT_MAX_HEADER_FIELDS = "max-header-fields"_sr; 182 constexpr auto SHRPX_OPT_INCLUDE = "include"_sr; 183 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_CIPHER = "tls-ticket-key-cipher"_sr; 184 constexpr auto SHRPX_OPT_HOST_REWRITE = "host-rewrite"_sr; 185 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED = 186 "tls-session-cache-memcached"_sr; 187 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED = 188 "tls-ticket-key-memcached"_sr; 189 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_INTERVAL = 190 "tls-ticket-key-memcached-interval"_sr; 191 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY = 192 "tls-ticket-key-memcached-max-retry"_sr; 193 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL = 194 "tls-ticket-key-memcached-max-fail"_sr; 195 constexpr auto SHRPX_OPT_MRUBY_FILE = "mruby-file"_sr; 196 constexpr auto SHRPX_OPT_ACCEPT_PROXY_PROTOCOL = "accept-proxy-protocol"_sr; 197 constexpr auto SHRPX_OPT_FASTOPEN = "fastopen"_sr; 198 constexpr auto SHRPX_OPT_TLS_DYN_REC_WARMUP_THRESHOLD = 199 "tls-dyn-rec-warmup-threshold"_sr; 200 constexpr auto SHRPX_OPT_TLS_DYN_REC_IDLE_TIMEOUT = 201 "tls-dyn-rec-idle-timeout"_sr; 202 constexpr auto SHRPX_OPT_ADD_FORWARDED = "add-forwarded"_sr; 203 constexpr auto SHRPX_OPT_STRIP_INCOMING_FORWARDED = 204 "strip-incoming-forwarded"_sr; 205 constexpr auto SHRPX_OPT_FORWARDED_BY = "forwarded-by"_sr; 206 constexpr auto SHRPX_OPT_FORWARDED_FOR = "forwarded-for"_sr; 207 constexpr auto SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER = 208 "request-header-field-buffer"_sr; 209 constexpr auto SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS = 210 "max-request-header-fields"_sr; 211 constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER = 212 "response-header-field-buffer"_sr; 213 constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS = 214 "max-response-header-fields"_sr; 215 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST = 216 "no-http2-cipher-block-list"_sr; 217 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST = 218 "no-http2-cipher-black-list"_sr; 219 constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS = "backend-http1-tls"_sr; 220 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_TLS = 221 "tls-session-cache-memcached-tls"_sr; 222 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE = 223 "tls-session-cache-memcached-cert-file"_sr; 224 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE = 225 "tls-session-cache-memcached-private-key-file"_sr; 226 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY = 227 "tls-session-cache-memcached-address-family"_sr; 228 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_TLS = 229 "tls-ticket-key-memcached-tls"_sr; 230 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_CERT_FILE = 231 "tls-ticket-key-memcached-cert-file"_sr; 232 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE = 233 "tls-ticket-key-memcached-private-key-file"_sr; 234 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY = 235 "tls-ticket-key-memcached-address-family"_sr; 236 constexpr auto SHRPX_OPT_BACKEND_ADDRESS_FAMILY = "backend-address-family"_sr; 237 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS = 238 "frontend-http2-max-concurrent-streams"_sr; 239 constexpr auto SHRPX_OPT_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS = 240 "backend-http2-max-concurrent-streams"_sr; 241 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_FRONTEND = 242 "backend-connections-per-frontend"_sr; 243 constexpr auto SHRPX_OPT_BACKEND_TLS = "backend-tls"_sr; 244 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_HOST = 245 "backend-connections-per-host"_sr; 246 constexpr auto SHRPX_OPT_ERROR_PAGE = "error-page"_sr; 247 constexpr auto SHRPX_OPT_NO_KQUEUE = "no-kqueue"_sr; 248 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_SETTINGS_TIMEOUT = 249 "frontend-http2-settings-timeout"_sr; 250 constexpr auto SHRPX_OPT_BACKEND_HTTP2_SETTINGS_TIMEOUT = 251 "backend-http2-settings-timeout"_sr; 252 constexpr auto SHRPX_OPT_API_MAX_REQUEST_BODY = "api-max-request-body"_sr; 253 constexpr auto SHRPX_OPT_BACKEND_MAX_BACKOFF = "backend-max-backoff"_sr; 254 constexpr auto SHRPX_OPT_SERVER_NAME = "server-name"_sr; 255 constexpr auto SHRPX_OPT_NO_SERVER_REWRITE = "no-server-rewrite"_sr; 256 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE = 257 "frontend-http2-optimize-write-buffer-size"_sr; 258 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE = 259 "frontend-http2-optimize-window-size"_sr; 260 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_SIZE = 261 "frontend-http2-window-size"_sr; 262 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE = 263 "frontend-http2-connection-window-size"_sr; 264 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_SIZE = 265 "backend-http2-window-size"_sr; 266 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE = 267 "backend-http2-connection-window-size"_sr; 268 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE = 269 "frontend-http2-encoder-dynamic-table-size"_sr; 270 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE = 271 "frontend-http2-decoder-dynamic-table-size"_sr; 272 constexpr auto SHRPX_OPT_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE = 273 "backend-http2-encoder-dynamic-table-size"_sr; 274 constexpr auto SHRPX_OPT_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE = 275 "backend-http2-decoder-dynamic-table-size"_sr; 276 constexpr auto SHRPX_OPT_ECDH_CURVES = "ecdh-curves"_sr; 277 constexpr auto SHRPX_OPT_TLS_SCT_DIR = "tls-sct-dir"_sr; 278 constexpr auto SHRPX_OPT_BACKEND_CONNECT_TIMEOUT = "backend-connect-timeout"_sr; 279 constexpr auto SHRPX_OPT_DNS_CACHE_TIMEOUT = "dns-cache-timeout"_sr; 280 constexpr auto SHRPX_OPT_DNS_LOOKUP_TIMEOUT = "dns-lookup-timeout"_sr; 281 constexpr auto SHRPX_OPT_DNS_MAX_TRY = "dns-max-try"_sr; 282 constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT = 283 "frontend-keep-alive-timeout"_sr; 284 constexpr auto SHRPX_OPT_PSK_SECRETS = "psk-secrets"_sr; 285 constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS = "client-psk-secrets"_sr; 286 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST = 287 "client-no-http2-cipher-block-list"_sr; 288 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST = 289 "client-no-http2-cipher-black-list"_sr; 290 constexpr auto SHRPX_OPT_CLIENT_CIPHERS = "client-ciphers"_sr; 291 constexpr auto SHRPX_OPT_ACCESSLOG_WRITE_EARLY = "accesslog-write-early"_sr; 292 constexpr auto SHRPX_OPT_TLS_MIN_PROTO_VERSION = "tls-min-proto-version"_sr; 293 constexpr auto SHRPX_OPT_TLS_MAX_PROTO_VERSION = "tls-max-proto-version"_sr; 294 constexpr auto SHRPX_OPT_REDIRECT_HTTPS_PORT = "redirect-https-port"_sr; 295 constexpr auto SHRPX_OPT_FRONTEND_MAX_REQUESTS = "frontend-max-requests"_sr; 296 constexpr auto SHRPX_OPT_SINGLE_THREAD = "single-thread"_sr; 297 constexpr auto SHRPX_OPT_SINGLE_PROCESS = "single-process"_sr; 298 constexpr auto SHRPX_OPT_NO_ADD_X_FORWARDED_PROTO = 299 "no-add-x-forwarded-proto"_sr; 300 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO = 301 "no-strip-incoming-x-forwarded-proto"_sr; 302 constexpr auto SHRPX_OPT_OCSP_STARTUP = "ocsp-startup"_sr; 303 constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = "no-verify-ocsp"_sr; 304 constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED = 305 "verify-client-tolerate-expired"_sr; 306 constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR = 307 "ignore-per-pattern-mruby-error"_sr; 308 constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA = 309 "tls-no-postpone-early-data"_sr; 310 constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA = "tls-max-early-data"_sr; 311 constexpr auto SHRPX_OPT_TLS13_CIPHERS = "tls13-ciphers"_sr; 312 constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS = "tls13-client-ciphers"_sr; 313 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA = 314 "no-strip-incoming-early-data"_sr; 315 constexpr auto SHRPX_OPT_QUIC_BPF_PROGRAM_FILE = "quic-bpf-program-file"_sr; 316 constexpr auto SHRPX_OPT_NO_QUIC_BPF = "no-quic-bpf"_sr; 317 constexpr auto SHRPX_OPT_HTTP2_ALTSVC = "http2-altsvc"_sr; 318 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_READ_TIMEOUT = 319 "frontend-http3-read-timeout"_sr; 320 constexpr auto SHRPX_OPT_FRONTEND_QUIC_IDLE_TIMEOUT = 321 "frontend-quic-idle-timeout"_sr; 322 constexpr auto SHRPX_OPT_FRONTEND_QUIC_DEBUG_LOG = "frontend-quic-debug-log"_sr; 323 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_WINDOW_SIZE = 324 "frontend-http3-window-size"_sr; 325 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE = 326 "frontend-http3-connection-window-size"_sr; 327 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_WINDOW_SIZE = 328 "frontend-http3-max-window-size"_sr; 329 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE = 330 "frontend-http3-max-connection-window-size"_sr; 331 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS = 332 "frontend-http3-max-concurrent-streams"_sr; 333 constexpr auto SHRPX_OPT_FRONTEND_QUIC_EARLY_DATA = 334 "frontend-quic-early-data"_sr; 335 constexpr auto SHRPX_OPT_FRONTEND_QUIC_QLOG_DIR = "frontend-quic-qlog-dir"_sr; 336 constexpr auto SHRPX_OPT_FRONTEND_QUIC_REQUIRE_TOKEN = 337 "frontend-quic-require-token"_sr; 338 constexpr auto SHRPX_OPT_FRONTEND_QUIC_CONGESTION_CONTROLLER = 339 "frontend-quic-congestion-controller"_sr; 340 constexpr auto SHRPX_OPT_QUIC_SERVER_ID = "quic-server-id"_sr; 341 constexpr auto SHRPX_OPT_FRONTEND_QUIC_SECRET_FILE = 342 "frontend-quic-secret-file"_sr; 343 constexpr auto SHRPX_OPT_RLIMIT_MEMLOCK = "rlimit-memlock"_sr; 344 constexpr auto SHRPX_OPT_MAX_WORKER_PROCESSES = "max-worker-processes"_sr; 345 constexpr auto SHRPX_OPT_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD = 346 "worker-process-grace-shutdown-period"_sr; 347 constexpr auto SHRPX_OPT_FRONTEND_QUIC_INITIAL_RTT = 348 "frontend-quic-initial-rtt"_sr; 349 constexpr auto SHRPX_OPT_REQUIRE_HTTP_SCHEME = "require-http-scheme"_sr; 350 constexpr auto SHRPX_OPT_TLS_KTLS = "tls-ktls"_sr; 351 constexpr auto SHRPX_OPT_ALPN_LIST = "alpn-list"_sr; 352 constexpr auto SHRPX_OPT_FRONTEND_HEADER_TIMEOUT = "frontend-header-timeout"_sr; 353 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_IDLE_TIMEOUT = 354 "frontend-http2-idle-timeout"_sr; 355 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_IDLE_TIMEOUT = 356 "frontend-http3-idle-timeout"_sr; 357 358 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8; 359 360 constexpr auto DEFAULT_DOWNSTREAM_HOST = "127.0.0.1"_sr; 361 constexpr int16_t DEFAULT_DOWNSTREAM_PORT = 80; 362 363 enum class Proto { 364 NONE, 365 HTTP1, 366 HTTP2, 367 HTTP3, 368 MEMCACHED, 369 }; 370 371 enum class SessionAffinity { 372 // No session affinity 373 NONE, 374 // Client IP affinity 375 IP, 376 // Cookie based affinity 377 COOKIE, 378 }; 379 380 enum class SessionAffinityCookieSecure { 381 // Secure attribute of session affinity cookie is determined by the 382 // request scheme. 383 AUTO, 384 // Secure attribute of session affinity cookie is always set. 385 YES, 386 // Secure attribute of session affinity cookie is always unset. 387 NO, 388 }; 389 390 enum class SessionAffinityCookieStickiness { 391 // Backend server might be changed when an existing backend server 392 // is removed, or new backend server is added. 393 LOOSE, 394 // Backend server might be changed when a designated backend server 395 // is removed, but adding new backend server does not cause 396 // breakage. 397 STRICT, 398 }; 399 400 struct AffinityConfig { 401 // Type of session affinity. 402 SessionAffinity type; 403 struct { 404 // Name of a cookie to use. 405 StringRef name; 406 // Path which a cookie is applied to. 407 StringRef path; 408 // Secure attribute 409 SessionAffinityCookieSecure secure; 410 // Affinity Stickiness 411 SessionAffinityCookieStickiness stickiness; 412 } cookie; 413 }; 414 415 enum shrpx_forwarded_param { 416 FORWARDED_NONE = 0, 417 FORWARDED_BY = 0x1, 418 FORWARDED_FOR = 0x2, 419 FORWARDED_HOST = 0x4, 420 FORWARDED_PROTO = 0x8, 421 }; 422 423 enum class ForwardedNode { 424 OBFUSCATED, 425 IP, 426 }; 427 428 struct AltSvc { 429 StringRef protocol_id, host, origin, service, params; 430 431 uint16_t port; 432 }; 433 434 enum class UpstreamAltMode { 435 // No alternative mode 436 NONE, 437 // API processing mode 438 API, 439 // Health monitor mode 440 HEALTHMON, 441 }; 442 443 struct UpstreamAddr { 444 // The unique index of this address. 445 size_t index; 446 // The frontend address (e.g., FQDN, hostname, IP address). If 447 // |host_unix| is true, this is UNIX domain socket path. This must 448 // be NULL terminated string. 449 StringRef host; 450 // For TCP socket, this is <IP address>:<PORT>. For IPv6 address, 451 // address is surrounded by square brackets. If socket is UNIX 452 // domain socket, this is "localhost". 453 StringRef hostport; 454 // frontend port. 0 if |host_unix| is true. 455 uint16_t port; 456 // For TCP socket, this is either AF_INET or AF_INET6. For UNIX 457 // domain socket, this is 0. 458 int family; 459 // Alternate mode 460 UpstreamAltMode alt_mode; 461 // true if |host| contains UNIX domain socket path. 462 bool host_unix; 463 // true if TLS is enabled. 464 bool tls; 465 // true if SNI host should be used as a host when selecting backend 466 // server. 467 bool sni_fwd; 468 // true if client is supposed to send PROXY protocol v1 header. 469 bool accept_proxy_protocol; 470 bool quic; 471 int fd; 472 }; 473 474 struct DownstreamAddrConfig { 475 // Resolved address if |dns| is false 476 Address addr; 477 // backend address. If |host_unix| is true, this is UNIX domain 478 // socket path. This must be NULL terminated string. 479 StringRef host; 480 // <HOST>:<PORT>. This does not treat 80 and 443 specially. If 481 // |host_unix| is true, this is "localhost". 482 StringRef hostport; 483 // hostname sent as SNI field 484 StringRef sni; 485 // name of group which this address belongs to. 486 StringRef group; 487 size_t fall; 488 size_t rise; 489 // weight of this address inside a weight group. Its range is [1, 490 // 256], inclusive. 491 uint32_t weight; 492 // weight of the weight group. Its range is [1, 256], inclusive. 493 uint32_t group_weight; 494 // affinity hash for this address. It is assigned when strict 495 // stickiness is enabled. 496 uint32_t affinity_hash; 497 // Application protocol used in this group 498 Proto proto; 499 // backend port. 0 if |host_unix| is true. 500 uint16_t port; 501 // true if |host| contains UNIX domain socket path. 502 bool host_unix; 503 bool tls; 504 // true if dynamic DNS is enabled 505 bool dns; 506 // true if :scheme pseudo header field should be upgraded to secure 507 // variant (e.g., "https") when forwarding request to a backend 508 // connected by TLS connection. 509 bool upgrade_scheme; 510 // true if a request should not be forwarded to a backend. 511 bool dnf; 512 }; 513 514 // Mapping hash to idx which is an index into 515 // DownstreamAddrGroupConfig::addrs. 516 struct AffinityHash { AffinityHashAffinityHash517 AffinityHash(size_t idx, uint32_t hash) : idx(idx), hash(hash) {} 518 519 size_t idx; 520 uint32_t hash; 521 }; 522 523 struct DownstreamAddrGroupConfig { DownstreamAddrGroupConfigDownstreamAddrGroupConfig524 DownstreamAddrGroupConfig(const StringRef &pattern) 525 : pattern(pattern), 526 affinity{SessionAffinity::NONE}, 527 redirect_if_not_tls(false), 528 dnf{false}, 529 timeout{} {} 530 531 StringRef pattern; 532 StringRef mruby_file; 533 std::vector<DownstreamAddrConfig> addrs; 534 // Bunch of session affinity hash. Only used if affinity == 535 // SessionAffinity::IP. 536 std::vector<AffinityHash> affinity_hash; 537 // Maps affinity hash of each DownstreamAddrConfig to its index in 538 // addrs. It is only assigned when strict stickiness is enabled. 539 std::unordered_map<uint32_t, size_t> affinity_hash_map; 540 // Cookie based session affinity configuration. 541 AffinityConfig affinity; 542 // true if this group requires that client connection must be TLS, 543 // and the request must be redirected to https URI. 544 bool redirect_if_not_tls; 545 // true if a request should not be forwarded to a backend. 546 bool dnf; 547 // Timeouts for backend connection. 548 struct { 549 ev_tstamp read; 550 ev_tstamp write; 551 } timeout; 552 }; 553 554 struct TicketKey { 555 const EVP_CIPHER *cipher; 556 const EVP_MD *hmac; 557 size_t hmac_keylen; 558 struct { 559 // name of this ticket configuration 560 std::array<uint8_t, 16> name; 561 // encryption key for |cipher| 562 std::array<uint8_t, 32> enc_key; 563 // hmac key for |hmac| 564 std::array<uint8_t, 32> hmac_key; 565 } data; 566 }; 567 568 struct TicketKeys { 569 ~TicketKeys(); 570 std::vector<TicketKey> keys; 571 }; 572 573 struct TLSCertificate { TLSCertificateTLSCertificate574 TLSCertificate(StringRef private_key_file, StringRef cert_file, 575 std::vector<uint8_t> sct_data) 576 : private_key_file(std::move(private_key_file)), 577 cert_file(std::move(cert_file)), 578 sct_data(std::move(sct_data)) {} 579 580 StringRef private_key_file; 581 StringRef cert_file; 582 std::vector<uint8_t> sct_data; 583 }; 584 585 #ifdef ENABLE_HTTP3 586 struct QUICKeyingMaterial { 587 QUICKeyingMaterial() noexcept = default; 588 QUICKeyingMaterial(QUICKeyingMaterial &&other) noexcept; 589 ~QUICKeyingMaterial() noexcept; 590 QUICKeyingMaterial &operator=(QUICKeyingMaterial &&other) noexcept; 591 EVP_CIPHER_CTX *cid_encryption_ctx; 592 EVP_CIPHER_CTX *cid_decryption_ctx; 593 std::array<uint8_t, SHRPX_QUIC_SECRET_RESERVEDLEN> reserved; 594 std::array<uint8_t, SHRPX_QUIC_SECRETLEN> secret; 595 std::array<uint8_t, SHRPX_QUIC_SALTLEN> salt; 596 std::array<uint8_t, SHRPX_QUIC_CID_ENCRYPTION_KEYLEN> cid_encryption_key; 597 // Identifier of this keying material. Only the first 2 bits are 598 // used. 599 uint8_t id; 600 }; 601 602 struct QUICKeyingMaterials { 603 std::vector<QUICKeyingMaterial> keying_materials; 604 }; 605 #endif // ENABLE_HTTP3 606 607 struct HttpProxy { 608 Address addr; 609 // host in http proxy URI 610 StringRef host; 611 // userinfo in http proxy URI, not percent-encoded form 612 StringRef userinfo; 613 // port in http proxy URI 614 uint16_t port; 615 }; 616 617 struct TLSConfig { 618 // RFC 5077 Session ticket related configurations 619 struct { 620 struct { 621 Address addr; 622 uint16_t port; 623 // Hostname of memcached server. This is also used as SNI field 624 // if TLS is enabled. 625 StringRef host; 626 // Client private key and certificate for authentication 627 StringRef private_key_file; 628 StringRef cert_file; 629 ev_tstamp interval; 630 // Maximum number of retries when getting TLS ticket key from 631 // mamcached, due to network error. 632 size_t max_retry; 633 // Maximum number of consecutive error from memcached, when this 634 // limit reached, TLS ticket is disabled. 635 size_t max_fail; 636 // Address family of memcached connection. One of either 637 // AF_INET, AF_INET6 or AF_UNSPEC. 638 int family; 639 bool tls; 640 } memcached; 641 std::vector<StringRef> files; 642 const EVP_CIPHER *cipher; 643 // true if --tls-ticket-key-cipher is used 644 bool cipher_given; 645 } ticket; 646 647 // Session cache related configurations 648 struct { 649 struct { 650 Address addr; 651 uint16_t port; 652 // Hostname of memcached server. This is also used as SNI field 653 // if TLS is enabled. 654 StringRef host; 655 // Client private key and certificate for authentication 656 StringRef private_key_file; 657 StringRef cert_file; 658 // Address family of memcached connection. One of either 659 // AF_INET, AF_INET6 or AF_UNSPEC. 660 int family; 661 bool tls; 662 } memcached; 663 } session_cache; 664 665 // Dynamic record sizing configurations 666 struct { 667 size_t warmup_threshold; 668 ev_tstamp idle_timeout; 669 } dyn_rec; 670 671 // OCSP related configurations 672 struct { 673 ev_tstamp update_interval; 674 StringRef fetch_ocsp_response_file; 675 bool disabled; 676 bool startup; 677 bool no_verify; 678 } ocsp; 679 680 // Client verification configurations 681 struct { 682 // Path to file containing CA certificate solely used for client 683 // certificate validation 684 StringRef cacert; 685 bool enabled; 686 // true if we accept an expired client certificate. 687 bool tolerate_expired; 688 } client_verify; 689 690 // Client (backend connection) TLS configuration. 691 struct { 692 // Client PSK configuration 693 struct { 694 // identity must be NULL terminated string. 695 StringRef identity; 696 StringRef secret; 697 } psk; 698 StringRef private_key_file; 699 StringRef cert_file; 700 StringRef ciphers; 701 StringRef tls13_ciphers; 702 bool no_http2_cipher_block_list; 703 } client; 704 705 // PSK secrets. The key is identity, and the associated value is 706 // its secret. 707 std::map<StringRef, StringRef> psk_secrets; 708 // The list of additional TLS certificate pair 709 std::vector<TLSCertificate> subcerts; 710 std::vector<unsigned char> alpn_prefs; 711 // list of supported ALPN protocol strings in the order of 712 // preference. 713 std::vector<StringRef> alpn_list; 714 // list of supported SSL/TLS protocol strings. 715 std::vector<StringRef> tls_proto_list; 716 std::vector<uint8_t> sct_data; 717 BIO_METHOD *bio_method; 718 // Bit mask to disable SSL/TLS protocol versions. This will be 719 // passed to SSL_CTX_set_options(). 720 long int tls_proto_mask; 721 StringRef backend_sni_name; 722 std::chrono::seconds session_timeout; 723 StringRef private_key_file; 724 StringRef private_key_passwd; 725 StringRef cert_file; 726 StringRef dh_param_file; 727 StringRef ciphers; 728 StringRef tls13_ciphers; 729 StringRef ecdh_curves; 730 StringRef cacert; 731 // The maximum amount of 0-RTT data that server accepts. 732 uint32_t max_early_data; 733 // The minimum and maximum TLS version. These values are defined in 734 // OpenSSL header file. 735 int min_proto_version; 736 int max_proto_version; 737 bool insecure; 738 bool no_http2_cipher_block_list; 739 // true if forwarding requests included in TLS early data should not 740 // be postponed until TLS handshake finishes. 741 bool no_postpone_early_data; 742 bool ktls; 743 }; 744 745 #ifdef ENABLE_HTTP3 746 struct QUICConfig { 747 struct { 748 struct { 749 ev_tstamp idle; 750 } timeout; 751 struct { 752 bool log; 753 } debug; 754 struct { 755 StringRef dir; 756 } qlog; 757 ngtcp2_cc_algo congestion_controller; 758 bool early_data; 759 bool require_token; 760 StringRef secret_file; 761 ev_tstamp initial_rtt; 762 } upstream; 763 struct { 764 StringRef prog_file; 765 bool disabled; 766 } bpf; 767 uint32_t server_id; 768 }; 769 770 struct Http3Config { 771 struct { 772 size_t max_concurrent_streams; 773 int32_t window_size; 774 int32_t connection_window_size; 775 int32_t max_window_size; 776 int32_t max_connection_window_size; 777 } upstream; 778 }; 779 #endif // ENABLE_HTTP3 780 781 // custom error page 782 struct ErrorPage { 783 // not NULL-terminated 784 std::vector<uint8_t> content; 785 // 0 is special value, and it matches all HTTP status code. 786 unsigned int http_status; 787 }; 788 789 struct HttpConfig { 790 struct { 791 // obfuscated value used in "by" parameter of Forwarded header 792 // field. This is only used when user defined static obfuscated 793 // string is provided. 794 StringRef by_obfuscated; 795 // bitwise-OR of one or more of shrpx_forwarded_param values. 796 uint32_t params; 797 // type of value recorded in "by" parameter of Forwarded header 798 // field. 799 ForwardedNode by_node_type; 800 // type of value recorded in "for" parameter of Forwarded header 801 // field. 802 ForwardedNode for_node_type; 803 bool strip_incoming; 804 } forwarded; 805 struct { 806 bool add; 807 bool strip_incoming; 808 } xff; 809 struct { 810 bool add; 811 bool strip_incoming; 812 } xfp; 813 struct { 814 bool strip_incoming; 815 } early_data; 816 struct { 817 ev_tstamp header; 818 } timeout; 819 std::vector<AltSvc> altsvcs; 820 // altsvcs serialized in a wire format. 821 StringRef altsvc_header_value; 822 std::vector<AltSvc> http2_altsvcs; 823 // http2_altsvcs serialized in a wire format. 824 StringRef http2_altsvc_header_value; 825 std::vector<ErrorPage> error_pages; 826 HeaderRefs add_request_headers; 827 HeaderRefs add_response_headers; 828 StringRef server_name; 829 // Port number which appears in Location header field when https 830 // redirect is made. 831 StringRef redirect_https_port; 832 size_t request_header_field_buffer; 833 size_t max_request_header_fields; 834 size_t response_header_field_buffer; 835 size_t max_response_header_fields; 836 size_t max_requests; 837 bool no_via; 838 bool no_location_rewrite; 839 bool no_host_rewrite; 840 bool no_server_rewrite; 841 bool require_http_scheme; 842 }; 843 844 struct Http2Config { 845 struct { 846 struct { 847 struct { 848 StringRef request_header_file; 849 StringRef response_header_file; 850 FILE *request_header; 851 FILE *response_header; 852 } dump; 853 bool frame_debug; 854 } debug; 855 struct { 856 ev_tstamp settings; 857 } timeout; 858 nghttp2_option *option; 859 nghttp2_option *alt_mode_option; 860 nghttp2_session_callbacks *callbacks; 861 size_t max_concurrent_streams; 862 size_t encoder_dynamic_table_size; 863 size_t decoder_dynamic_table_size; 864 int32_t window_size; 865 int32_t connection_window_size; 866 bool optimize_write_buffer_size; 867 bool optimize_window_size; 868 } upstream; 869 struct { 870 struct { 871 ev_tstamp settings; 872 } timeout; 873 nghttp2_option *option; 874 nghttp2_session_callbacks *callbacks; 875 size_t encoder_dynamic_table_size; 876 size_t decoder_dynamic_table_size; 877 int32_t window_size; 878 int32_t connection_window_size; 879 size_t max_concurrent_streams; 880 } downstream; 881 struct { 882 ev_tstamp stream_read; 883 ev_tstamp stream_write; 884 } timeout; 885 bool no_cookie_crumbling; 886 bool no_server_push; 887 }; 888 889 struct LoggingConfig { 890 struct { 891 std::vector<LogFragment> format; 892 StringRef file; 893 // Send accesslog to syslog, ignoring accesslog_file. 894 bool syslog; 895 // Write accesslog when response headers are received from 896 // backend, rather than response body is received and sent. 897 bool write_early; 898 } access; 899 struct { 900 StringRef file; 901 // Send errorlog to syslog, ignoring errorlog_file. 902 bool syslog; 903 } error; 904 int syslog_facility; 905 int severity; 906 }; 907 908 struct RateLimitConfig { 909 size_t rate; 910 size_t burst; 911 }; 912 913 // Wildcard host pattern routing. We strips left most '*' from host 914 // field. router includes all path patterns sharing the same wildcard 915 // host. 916 struct WildcardPattern { WildcardPatternWildcardPattern917 WildcardPattern(const StringRef &host) : host(host) {} 918 919 // This might not be NULL terminated. Currently it is only used for 920 // comparison. 921 StringRef host; 922 Router router; 923 }; 924 925 // Configuration to select backend to forward request 926 struct RouterConfig { 927 Router router; 928 // Router for reversed wildcard hosts. Since this router has 929 // wildcard hosts reversed without '*', one should call match() 930 // function with reversed host stripping last character. This is 931 // because we require at least one character must match for '*'. 932 // The index stored in this router is index of wildcard_patterns. 933 Router rev_wildcard_router; 934 std::vector<WildcardPattern> wildcard_patterns; 935 }; 936 937 struct DownstreamConfig { DownstreamConfigDownstreamConfig938 DownstreamConfig() 939 : balloc(1024, 1024), 940 timeout{}, 941 addr_group_catch_all{0}, 942 connections_per_host{0}, 943 connections_per_frontend{0}, 944 request_buffer_size{0}, 945 response_buffer_size{0}, 946 family{0} {} 947 948 DownstreamConfig(const DownstreamConfig &) = delete; 949 DownstreamConfig(DownstreamConfig &&) = delete; 950 DownstreamConfig &operator=(const DownstreamConfig &) = delete; 951 DownstreamConfig &operator=(DownstreamConfig &&) = delete; 952 953 // Allocator to allocate memory for Downstream configuration. Since 954 // we may swap around DownstreamConfig in arbitrary times with API 955 // calls, we should use their own allocator instead of per Config 956 // allocator. 957 BlockAllocator balloc; 958 struct { 959 ev_tstamp read; 960 ev_tstamp write; 961 ev_tstamp idle_read; 962 ev_tstamp connect; 963 // The maximum backoff while checking health check for offline 964 // backend or while detaching failed backend from load balancing 965 // group temporarily. 966 ev_tstamp max_backoff; 967 } timeout; 968 RouterConfig router; 969 std::vector<DownstreamAddrGroupConfig> addr_groups; 970 // The index of catch-all group in downstream_addr_groups. 971 size_t addr_group_catch_all; 972 size_t connections_per_host; 973 size_t connections_per_frontend; 974 size_t request_buffer_size; 975 size_t response_buffer_size; 976 // Address family of backend connection. One of either AF_INET, 977 // AF_INET6 or AF_UNSPEC. This is ignored if backend connection 978 // is made via Unix domain socket. 979 int family; 980 }; 981 982 struct ConnectionConfig { 983 struct { 984 struct { 985 ev_tstamp sleep; 986 } timeout; 987 // address of frontend acceptors 988 std::vector<UpstreamAddr> addrs; 989 int backlog; 990 // TCP fastopen. If this is positive, it is passed to 991 // setsockopt() along with TCP_FASTOPEN. 992 int fastopen; 993 } listener; 994 995 #ifdef ENABLE_HTTP3 996 struct { 997 std::vector<UpstreamAddr> addrs; 998 } quic_listener; 999 #endif // ENABLE_HTTP3 1000 1001 struct { 1002 struct { 1003 ev_tstamp http2_idle; 1004 ev_tstamp http3_idle; 1005 ev_tstamp write; 1006 ev_tstamp idle; 1007 } timeout; 1008 struct { 1009 RateLimitConfig read; 1010 RateLimitConfig write; 1011 } ratelimit; 1012 size_t worker_connections; 1013 // Deprecated. See UpstreamAddr.accept_proxy_protocol. 1014 bool accept_proxy_protocol; 1015 } upstream; 1016 1017 std::shared_ptr<DownstreamConfig> downstream; 1018 }; 1019 1020 struct APIConfig { 1021 // Maximum request body size for one API request 1022 size_t max_request_body; 1023 // true if at least one of UpstreamAddr has api enabled 1024 bool enabled; 1025 }; 1026 1027 struct DNSConfig { 1028 struct { 1029 ev_tstamp cache; 1030 ev_tstamp lookup; 1031 } timeout; 1032 // The number of tries name resolver makes before abandoning 1033 // request. 1034 size_t max_try; 1035 }; 1036 1037 struct Config { ConfigConfig1038 Config() 1039 : balloc(4096, 4096), 1040 downstream_http_proxy{}, 1041 http{}, 1042 http2{}, 1043 tls{}, 1044 #ifdef ENABLE_HTTP3 1045 quic{}, 1046 #endif // ENABLE_HTTP3 1047 logging{}, 1048 conn{}, 1049 api{}, 1050 dns{}, 1051 config_revision{0}, 1052 num_worker{0}, 1053 padding{0}, 1054 rlimit_nofile{0}, 1055 rlimit_memlock{0}, 1056 uid{0}, 1057 gid{0}, 1058 pid{0}, 1059 verbose{false}, 1060 daemon{false}, 1061 http2_proxy{false}, 1062 single_process{false}, 1063 single_thread{false}, 1064 ignore_per_pattern_mruby_error{false}, 1065 ev_loop_flags{0}, 1066 max_worker_processes{0}, 1067 worker_process_grace_shutdown_period{0.} { 1068 } 1069 ~Config(); 1070 1071 Config(Config &&) = delete; 1072 Config(const Config &&) = delete; 1073 Config &operator=(Config &&) = delete; 1074 Config &operator=(const Config &&) = delete; 1075 1076 // Allocator to allocate memory for this object except for 1077 // DownstreamConfig. Currently, it is used to allocate memory for 1078 // strings. 1079 BlockAllocator balloc; 1080 HttpProxy downstream_http_proxy; 1081 HttpConfig http; 1082 Http2Config http2; 1083 TLSConfig tls; 1084 #ifdef ENABLE_HTTP3 1085 QUICConfig quic; 1086 Http3Config http3; 1087 #endif // ENABLE_HTTP3 1088 LoggingConfig logging; 1089 ConnectionConfig conn; 1090 APIConfig api; 1091 DNSConfig dns; 1092 StringRef pid_file; 1093 StringRef conf_path; 1094 StringRef user; 1095 StringRef mruby_file; 1096 // The revision of configuration which is opaque string, and changes 1097 // on each configuration reloading. This does not change on 1098 // backendconfig API call. This value is returned in health check 1099 // as "nghttpx-conf-rev" response header field. The external 1100 // program can check this value to know whether reloading has 1101 // completed or not. 1102 uint64_t config_revision; 1103 size_t num_worker; 1104 size_t padding; 1105 size_t rlimit_nofile; 1106 size_t rlimit_memlock; 1107 uid_t uid; 1108 gid_t gid; 1109 pid_t pid; 1110 bool verbose; 1111 bool daemon; 1112 bool http2_proxy; 1113 // Run nghttpx in single process mode. With this mode, signal 1114 // handling is omitted. 1115 bool single_process; 1116 bool single_thread; 1117 // Ignore mruby compile error for per-pattern mruby script. 1118 bool ignore_per_pattern_mruby_error; 1119 // flags passed to ev_default_loop() and ev_loop_new() 1120 int ev_loop_flags; 1121 size_t max_worker_processes; 1122 ev_tstamp worker_process_grace_shutdown_period; 1123 }; 1124 1125 const Config *get_config(); 1126 Config *mod_config(); 1127 // Replaces the current config with given |new_config|. The old config is 1128 // returned. 1129 std::unique_ptr<Config> replace_config(std::unique_ptr<Config> new_config); 1130 void create_config(); 1131 1132 // generated by gennghttpxfun.py 1133 enum { 1134 SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL, 1135 SHRPX_OPTID_ACCESSLOG_FILE, 1136 SHRPX_OPTID_ACCESSLOG_FORMAT, 1137 SHRPX_OPTID_ACCESSLOG_SYSLOG, 1138 SHRPX_OPTID_ACCESSLOG_WRITE_EARLY, 1139 SHRPX_OPTID_ADD_FORWARDED, 1140 SHRPX_OPTID_ADD_REQUEST_HEADER, 1141 SHRPX_OPTID_ADD_RESPONSE_HEADER, 1142 SHRPX_OPTID_ADD_X_FORWARDED_FOR, 1143 SHRPX_OPTID_ALPN_LIST, 1144 SHRPX_OPTID_ALTSVC, 1145 SHRPX_OPTID_API_MAX_REQUEST_BODY, 1146 SHRPX_OPTID_BACKEND, 1147 SHRPX_OPTID_BACKEND_ADDRESS_FAMILY, 1148 SHRPX_OPTID_BACKEND_CONNECT_TIMEOUT, 1149 SHRPX_OPTID_BACKEND_CONNECTIONS_PER_FRONTEND, 1150 SHRPX_OPTID_BACKEND_CONNECTIONS_PER_HOST, 1151 SHRPX_OPTID_BACKEND_HTTP_PROXY_URI, 1152 SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND, 1153 SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_HOST, 1154 SHRPX_OPTID_BACKEND_HTTP1_TLS, 1155 SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_BITS, 1156 SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE, 1157 SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER, 1158 SHRPX_OPTID_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE, 1159 SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE, 1160 SHRPX_OPTID_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS, 1161 SHRPX_OPTID_BACKEND_HTTP2_SETTINGS_TIMEOUT, 1162 SHRPX_OPTID_BACKEND_HTTP2_WINDOW_BITS, 1163 SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE, 1164 SHRPX_OPTID_BACKEND_IPV4, 1165 SHRPX_OPTID_BACKEND_IPV6, 1166 SHRPX_OPTID_BACKEND_KEEP_ALIVE_TIMEOUT, 1167 SHRPX_OPTID_BACKEND_MAX_BACKOFF, 1168 SHRPX_OPTID_BACKEND_NO_TLS, 1169 SHRPX_OPTID_BACKEND_READ_TIMEOUT, 1170 SHRPX_OPTID_BACKEND_REQUEST_BUFFER, 1171 SHRPX_OPTID_BACKEND_RESPONSE_BUFFER, 1172 SHRPX_OPTID_BACKEND_TLS, 1173 SHRPX_OPTID_BACKEND_TLS_SNI_FIELD, 1174 SHRPX_OPTID_BACKEND_WRITE_TIMEOUT, 1175 SHRPX_OPTID_BACKLOG, 1176 SHRPX_OPTID_CACERT, 1177 SHRPX_OPTID_CERTIFICATE_FILE, 1178 SHRPX_OPTID_CIPHERS, 1179 SHRPX_OPTID_CLIENT, 1180 SHRPX_OPTID_CLIENT_CERT_FILE, 1181 SHRPX_OPTID_CLIENT_CIPHERS, 1182 SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST, 1183 SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST, 1184 SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE, 1185 SHRPX_OPTID_CLIENT_PROXY, 1186 SHRPX_OPTID_CLIENT_PSK_SECRETS, 1187 SHRPX_OPTID_CONF, 1188 SHRPX_OPTID_DAEMON, 1189 SHRPX_OPTID_DH_PARAM_FILE, 1190 SHRPX_OPTID_DNS_CACHE_TIMEOUT, 1191 SHRPX_OPTID_DNS_LOOKUP_TIMEOUT, 1192 SHRPX_OPTID_DNS_MAX_TRY, 1193 SHRPX_OPTID_ECDH_CURVES, 1194 SHRPX_OPTID_ERROR_PAGE, 1195 SHRPX_OPTID_ERRORLOG_FILE, 1196 SHRPX_OPTID_ERRORLOG_SYSLOG, 1197 SHRPX_OPTID_FASTOPEN, 1198 SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE, 1199 SHRPX_OPTID_FORWARDED_BY, 1200 SHRPX_OPTID_FORWARDED_FOR, 1201 SHRPX_OPTID_FRONTEND, 1202 SHRPX_OPTID_FRONTEND_FRAME_DEBUG, 1203 SHRPX_OPTID_FRONTEND_HEADER_TIMEOUT, 1204 SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS, 1205 SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE, 1206 SHRPX_OPTID_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE, 1207 SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER, 1208 SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER, 1209 SHRPX_OPTID_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE, 1210 SHRPX_OPTID_FRONTEND_HTTP2_IDLE_TIMEOUT, 1211 SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS, 1212 SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE, 1213 SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE, 1214 SHRPX_OPTID_FRONTEND_HTTP2_READ_TIMEOUT, 1215 SHRPX_OPTID_FRONTEND_HTTP2_SETTINGS_TIMEOUT, 1216 SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_BITS, 1217 SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE, 1218 SHRPX_OPTID_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE, 1219 SHRPX_OPTID_FRONTEND_HTTP3_IDLE_TIMEOUT, 1220 SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS, 1221 SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE, 1222 SHRPX_OPTID_FRONTEND_HTTP3_MAX_WINDOW_SIZE, 1223 SHRPX_OPTID_FRONTEND_HTTP3_READ_TIMEOUT, 1224 SHRPX_OPTID_FRONTEND_HTTP3_WINDOW_SIZE, 1225 SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT, 1226 SHRPX_OPTID_FRONTEND_MAX_REQUESTS, 1227 SHRPX_OPTID_FRONTEND_NO_TLS, 1228 SHRPX_OPTID_FRONTEND_QUIC_CONGESTION_CONTROLLER, 1229 SHRPX_OPTID_FRONTEND_QUIC_DEBUG_LOG, 1230 SHRPX_OPTID_FRONTEND_QUIC_EARLY_DATA, 1231 SHRPX_OPTID_FRONTEND_QUIC_IDLE_TIMEOUT, 1232 SHRPX_OPTID_FRONTEND_QUIC_INITIAL_RTT, 1233 SHRPX_OPTID_FRONTEND_QUIC_QLOG_DIR, 1234 SHRPX_OPTID_FRONTEND_QUIC_REQUIRE_TOKEN, 1235 SHRPX_OPTID_FRONTEND_QUIC_SECRET_FILE, 1236 SHRPX_OPTID_FRONTEND_READ_TIMEOUT, 1237 SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT, 1238 SHRPX_OPTID_HEADER_FIELD_BUFFER, 1239 SHRPX_OPTID_HOST_REWRITE, 1240 SHRPX_OPTID_HTTP2_ALTSVC, 1241 SHRPX_OPTID_HTTP2_BRIDGE, 1242 SHRPX_OPTID_HTTP2_MAX_CONCURRENT_STREAMS, 1243 SHRPX_OPTID_HTTP2_NO_COOKIE_CRUMBLING, 1244 SHRPX_OPTID_HTTP2_PROXY, 1245 SHRPX_OPTID_IGNORE_PER_PATTERN_MRUBY_ERROR, 1246 SHRPX_OPTID_INCLUDE, 1247 SHRPX_OPTID_INSECURE, 1248 SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT, 1249 SHRPX_OPTID_LOG_LEVEL, 1250 SHRPX_OPTID_MAX_HEADER_FIELDS, 1251 SHRPX_OPTID_MAX_REQUEST_HEADER_FIELDS, 1252 SHRPX_OPTID_MAX_RESPONSE_HEADER_FIELDS, 1253 SHRPX_OPTID_MAX_WORKER_PROCESSES, 1254 SHRPX_OPTID_MRUBY_FILE, 1255 SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO, 1256 SHRPX_OPTID_NO_HOST_REWRITE, 1257 SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST, 1258 SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST, 1259 SHRPX_OPTID_NO_KQUEUE, 1260 SHRPX_OPTID_NO_LOCATION_REWRITE, 1261 SHRPX_OPTID_NO_OCSP, 1262 SHRPX_OPTID_NO_QUIC_BPF, 1263 SHRPX_OPTID_NO_SERVER_PUSH, 1264 SHRPX_OPTID_NO_SERVER_REWRITE, 1265 SHRPX_OPTID_NO_STRIP_INCOMING_EARLY_DATA, 1266 SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO, 1267 SHRPX_OPTID_NO_VERIFY_OCSP, 1268 SHRPX_OPTID_NO_VIA, 1269 SHRPX_OPTID_NPN_LIST, 1270 SHRPX_OPTID_OCSP_STARTUP, 1271 SHRPX_OPTID_OCSP_UPDATE_INTERVAL, 1272 SHRPX_OPTID_PADDING, 1273 SHRPX_OPTID_PID_FILE, 1274 SHRPX_OPTID_PRIVATE_KEY_FILE, 1275 SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE, 1276 SHRPX_OPTID_PSK_SECRETS, 1277 SHRPX_OPTID_QUIC_BPF_PROGRAM_FILE, 1278 SHRPX_OPTID_QUIC_SERVER_ID, 1279 SHRPX_OPTID_READ_BURST, 1280 SHRPX_OPTID_READ_RATE, 1281 SHRPX_OPTID_REDIRECT_HTTPS_PORT, 1282 SHRPX_OPTID_REQUEST_HEADER_FIELD_BUFFER, 1283 SHRPX_OPTID_REQUIRE_HTTP_SCHEME, 1284 SHRPX_OPTID_RESPONSE_HEADER_FIELD_BUFFER, 1285 SHRPX_OPTID_RLIMIT_MEMLOCK, 1286 SHRPX_OPTID_RLIMIT_NOFILE, 1287 SHRPX_OPTID_SERVER_NAME, 1288 SHRPX_OPTID_SINGLE_PROCESS, 1289 SHRPX_OPTID_SINGLE_THREAD, 1290 SHRPX_OPTID_STREAM_READ_TIMEOUT, 1291 SHRPX_OPTID_STREAM_WRITE_TIMEOUT, 1292 SHRPX_OPTID_STRIP_INCOMING_FORWARDED, 1293 SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR, 1294 SHRPX_OPTID_SUBCERT, 1295 SHRPX_OPTID_SYSLOG_FACILITY, 1296 SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT, 1297 SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD, 1298 SHRPX_OPTID_TLS_KTLS, 1299 SHRPX_OPTID_TLS_MAX_EARLY_DATA, 1300 SHRPX_OPTID_TLS_MAX_PROTO_VERSION, 1301 SHRPX_OPTID_TLS_MIN_PROTO_VERSION, 1302 SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA, 1303 SHRPX_OPTID_TLS_PROTO_LIST, 1304 SHRPX_OPTID_TLS_SCT_DIR, 1305 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED, 1306 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY, 1307 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE, 1308 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE, 1309 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS, 1310 SHRPX_OPTID_TLS_TICKET_KEY_CIPHER, 1311 SHRPX_OPTID_TLS_TICKET_KEY_FILE, 1312 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED, 1313 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY, 1314 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE, 1315 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL, 1316 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL, 1317 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY, 1318 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE, 1319 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS, 1320 SHRPX_OPTID_TLS13_CIPHERS, 1321 SHRPX_OPTID_TLS13_CLIENT_CIPHERS, 1322 SHRPX_OPTID_USER, 1323 SHRPX_OPTID_VERIFY_CLIENT, 1324 SHRPX_OPTID_VERIFY_CLIENT_CACERT, 1325 SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED, 1326 SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS, 1327 SHRPX_OPTID_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD, 1328 SHRPX_OPTID_WORKER_READ_BURST, 1329 SHRPX_OPTID_WORKER_READ_RATE, 1330 SHRPX_OPTID_WORKER_WRITE_BURST, 1331 SHRPX_OPTID_WORKER_WRITE_RATE, 1332 SHRPX_OPTID_WORKERS, 1333 SHRPX_OPTID_WRITE_BURST, 1334 SHRPX_OPTID_WRITE_RATE, 1335 SHRPX_OPTID_MAXIDX, 1336 }; 1337 1338 // Looks up token for given option name |name|. 1339 int option_lookup_token(const StringRef &name); 1340 1341 // Parses option name |opt| and value |optarg|. The results are 1342 // stored into the object pointed by |config|. This function returns 0 1343 // if it succeeds, or -1. The |included_set| contains the all paths 1344 // already included while processing this configuration, to avoid loop 1345 // in --include option. The |pattern_addr_indexer| contains a pair of 1346 // pattern of backend, and its index in DownstreamConfig::addr_groups. 1347 // It is introduced to speed up loading configuration file with lots 1348 // of backends. 1349 int parse_config(Config *config, const StringRef &opt, const StringRef &optarg, 1350 std::set<StringRef> &included_set, 1351 std::map<StringRef, size_t> &pattern_addr_indexer); 1352 1353 // Similar to parse_config() above, but additional |optid| which 1354 // should be the return value of option_lookup_token(opt). 1355 int parse_config(Config *config, int optid, const StringRef &opt, 1356 const StringRef &optarg, std::set<StringRef> &included_set, 1357 std::map<StringRef, size_t> &pattern_addr_indexer); 1358 1359 // Loads configurations from |filename| and stores them in |config|. 1360 // This function returns 0 if it succeeds, or -1. See parse_config() 1361 // for |include_set|. 1362 int load_config(Config *config, const char *filename, 1363 std::set<StringRef> &include_set, 1364 std::map<StringRef, size_t> &pattern_addr_indexer); 1365 1366 // Parses header field in |optarg|. We expect header field is formed 1367 // like "NAME: VALUE". We require that NAME is non empty string. ":" 1368 // is allowed at the start of the NAME, but NAME == ":" is not 1369 // allowed. This function returns pair of NAME and VALUE. 1370 HeaderRefs::value_type parse_header(BlockAllocator &balloc, 1371 const StringRef &optarg); 1372 1373 std::vector<LogFragment> parse_log_format(BlockAllocator &balloc, 1374 const StringRef &optarg); 1375 1376 // Returns string for syslog |facility|. 1377 StringRef str_syslog_facility(int facility); 1378 1379 // Returns integer value of syslog |facility| string. 1380 int int_syslog_facility(const StringRef &strfacility); 1381 1382 FILE *open_file_for_write(const char *filename); 1383 1384 // Reads TLS ticket key file in |files| and returns TicketKey which 1385 // stores read key data. The given |cipher| and |hmac| determine the 1386 // expected file size. This function returns TicketKey if it 1387 // succeeds, or nullptr. 1388 std::unique_ptr<TicketKeys> 1389 read_tls_ticket_key_file(const std::vector<StringRef> &files, 1390 const EVP_CIPHER *cipher, const EVP_MD *hmac); 1391 1392 #ifdef ENABLE_HTTP3 1393 std::shared_ptr<QUICKeyingMaterials> 1394 read_quic_secret_file(const StringRef &path); 1395 #endif // ENABLE_HTTP3 1396 1397 // Returns string representation of |proto|. 1398 StringRef strproto(Proto proto); 1399 1400 int configure_downstream_group(Config *config, bool http2_proxy, 1401 bool numeric_addr_only, 1402 const TLSConfig &tlsconf); 1403 1404 int resolve_hostname(Address *addr, const char *hostname, uint16_t port, 1405 int family, int additional_flags = 0); 1406 1407 } // namespace shrpx 1408 1409 #endif // SHRPX_CONFIG_H 1410