1 /* 2 * nghttp2 - HTTP/2 C Library 3 * 4 * Copyright (c) 2012 Tatsuhiro Tsujikawa 5 * 6 * Permission is hereby granted, free of charge, to any person obtaining 7 * a copy of this software and associated documentation files (the 8 * "Software"), to deal in the Software without restriction, including 9 * without limitation the rights to use, copy, modify, merge, publish, 10 * distribute, sublicense, and/or sell copies of the Software, and to 11 * permit persons to whom the Software is furnished to do so, subject to 12 * the following conditions: 13 * 14 * The above copyright notice and this permission notice shall be 15 * included in all copies or substantial portions of the Software. 16 * 17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE 21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION 22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION 23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. 24 */ 25 #ifndef SHRPX_CONFIG_H 26 #define SHRPX_CONFIG_H 27 28 #include "shrpx.h" 29 30 #include <sys/types.h> 31 #ifdef HAVE_SYS_SOCKET_H 32 # include <sys/socket.h> 33 #endif // HAVE_SYS_SOCKET_H 34 #include <sys/un.h> 35 #ifdef HAVE_NETINET_IN_H 36 # include <netinet/in.h> 37 #endif // HAVE_NETINET_IN_H 38 #ifdef HAVE_ARPA_INET_H 39 # include <arpa/inet.h> 40 #endif // HAVE_ARPA_INET_H 41 #include <cinttypes> 42 #include <cstdio> 43 #include <vector> 44 #include <memory> 45 #include <set> 46 #include <unordered_map> 47 48 #include "ssl_compat.h" 49 50 #ifdef NGHTTP2_OPENSSL_IS_WOLFSSL 51 # include <wolfssl/options.h> 52 # include <wolfssl/openssl/ssl.h> 53 #else // !NGHTTP2_OPENSSL_IS_WOLFSSL 54 # include <openssl/ssl.h> 55 #endif // !NGHTTP2_OPENSSL_IS_WOLFSSL 56 57 #include <ev.h> 58 59 #include <nghttp2/nghttp2.h> 60 61 #include "shrpx_log.h" 62 #include "shrpx_router.h" 63 #if ENABLE_HTTP3 64 # include "shrpx_quic.h" 65 #endif // ENABLE_HTTP3 66 #include "template.h" 67 #include "http2.h" 68 #include "network.h" 69 #include "allocator.h" 70 71 using namespace nghttp2; 72 73 namespace shrpx { 74 75 struct LogFragment; 76 class ConnectBlocker; 77 class Http2Session; 78 79 namespace tls { 80 81 class CertLookupTree; 82 83 } // namespace tls 84 85 constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE = "private-key-file"_sr; 86 constexpr auto SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE = "private-key-passwd-file"_sr; 87 constexpr auto SHRPX_OPT_CERTIFICATE_FILE = "certificate-file"_sr; 88 constexpr auto SHRPX_OPT_DH_PARAM_FILE = "dh-param-file"_sr; 89 constexpr auto SHRPX_OPT_SUBCERT = "subcert"_sr; 90 constexpr auto SHRPX_OPT_BACKEND = "backend"_sr; 91 constexpr auto SHRPX_OPT_FRONTEND = "frontend"_sr; 92 constexpr auto SHRPX_OPT_WORKERS = "workers"_sr; 93 constexpr auto SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS = 94 "http2-max-concurrent-streams"_sr; 95 constexpr auto SHRPX_OPT_LOG_LEVEL = "log-level"_sr; 96 constexpr auto SHRPX_OPT_DAEMON = "daemon"_sr; 97 constexpr auto SHRPX_OPT_HTTP2_PROXY = "http2-proxy"_sr; 98 constexpr auto SHRPX_OPT_HTTP2_BRIDGE = "http2-bridge"_sr; 99 constexpr auto SHRPX_OPT_CLIENT_PROXY = "client-proxy"_sr; 100 constexpr auto SHRPX_OPT_ADD_X_FORWARDED_FOR = "add-x-forwarded-for"_sr; 101 constexpr auto SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR = 102 "strip-incoming-x-forwarded-for"_sr; 103 constexpr auto SHRPX_OPT_NO_VIA = "no-via"_sr; 104 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT = 105 "frontend-http2-read-timeout"_sr; 106 constexpr auto SHRPX_OPT_FRONTEND_READ_TIMEOUT = "frontend-read-timeout"_sr; 107 constexpr auto SHRPX_OPT_FRONTEND_WRITE_TIMEOUT = "frontend-write-timeout"_sr; 108 constexpr auto SHRPX_OPT_BACKEND_READ_TIMEOUT = "backend-read-timeout"_sr; 109 constexpr auto SHRPX_OPT_BACKEND_WRITE_TIMEOUT = "backend-write-timeout"_sr; 110 constexpr auto SHRPX_OPT_STREAM_READ_TIMEOUT = "stream-read-timeout"_sr; 111 constexpr auto SHRPX_OPT_STREAM_WRITE_TIMEOUT = "stream-write-timeout"_sr; 112 constexpr auto SHRPX_OPT_ACCESSLOG_FILE = "accesslog-file"_sr; 113 constexpr auto SHRPX_OPT_ACCESSLOG_SYSLOG = "accesslog-syslog"_sr; 114 constexpr auto SHRPX_OPT_ACCESSLOG_FORMAT = "accesslog-format"_sr; 115 constexpr auto SHRPX_OPT_ERRORLOG_FILE = "errorlog-file"_sr; 116 constexpr auto SHRPX_OPT_ERRORLOG_SYSLOG = "errorlog-syslog"_sr; 117 constexpr auto SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT = 118 "backend-keep-alive-timeout"_sr; 119 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS = 120 "frontend-http2-window-bits"_sr; 121 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS = 122 "backend-http2-window-bits"_sr; 123 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS = 124 "frontend-http2-connection-window-bits"_sr; 125 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS = 126 "backend-http2-connection-window-bits"_sr; 127 constexpr auto SHRPX_OPT_FRONTEND_NO_TLS = "frontend-no-tls"_sr; 128 constexpr auto SHRPX_OPT_BACKEND_NO_TLS = "backend-no-tls"_sr; 129 constexpr auto SHRPX_OPT_BACKEND_TLS_SNI_FIELD = "backend-tls-sni-field"_sr; 130 constexpr auto SHRPX_OPT_PID_FILE = "pid-file"_sr; 131 constexpr auto SHRPX_OPT_USER = "user"_sr; 132 constexpr auto SHRPX_OPT_SYSLOG_FACILITY = "syslog-facility"_sr; 133 constexpr auto SHRPX_OPT_BACKLOG = "backlog"_sr; 134 constexpr auto SHRPX_OPT_CIPHERS = "ciphers"_sr; 135 constexpr auto SHRPX_OPT_CLIENT = "client"_sr; 136 constexpr auto SHRPX_OPT_INSECURE = "insecure"_sr; 137 constexpr auto SHRPX_OPT_CACERT = "cacert"_sr; 138 constexpr auto SHRPX_OPT_BACKEND_IPV4 = "backend-ipv4"_sr; 139 constexpr auto SHRPX_OPT_BACKEND_IPV6 = "backend-ipv6"_sr; 140 constexpr auto SHRPX_OPT_BACKEND_HTTP_PROXY_URI = "backend-http-proxy-uri"_sr; 141 constexpr auto SHRPX_OPT_READ_RATE = "read-rate"_sr; 142 constexpr auto SHRPX_OPT_READ_BURST = "read-burst"_sr; 143 constexpr auto SHRPX_OPT_WRITE_RATE = "write-rate"_sr; 144 constexpr auto SHRPX_OPT_WRITE_BURST = "write-burst"_sr; 145 constexpr auto SHRPX_OPT_WORKER_READ_RATE = "worker-read-rate"_sr; 146 constexpr auto SHRPX_OPT_WORKER_READ_BURST = "worker-read-burst"_sr; 147 constexpr auto SHRPX_OPT_WORKER_WRITE_RATE = "worker-write-rate"_sr; 148 constexpr auto SHRPX_OPT_WORKER_WRITE_BURST = "worker-write-burst"_sr; 149 constexpr auto SHRPX_OPT_NPN_LIST = "npn-list"_sr; 150 constexpr auto SHRPX_OPT_TLS_PROTO_LIST = "tls-proto-list"_sr; 151 constexpr auto SHRPX_OPT_VERIFY_CLIENT = "verify-client"_sr; 152 constexpr auto SHRPX_OPT_VERIFY_CLIENT_CACERT = "verify-client-cacert"_sr; 153 constexpr auto SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE = "client-private-key-file"_sr; 154 constexpr auto SHRPX_OPT_CLIENT_CERT_FILE = "client-cert-file"_sr; 155 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER = 156 "frontend-http2-dump-request-header"_sr; 157 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER = 158 "frontend-http2-dump-response-header"_sr; 159 constexpr auto SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING = 160 "http2-no-cookie-crumbling"_sr; 161 constexpr auto SHRPX_OPT_FRONTEND_FRAME_DEBUG = "frontend-frame-debug"_sr; 162 constexpr auto SHRPX_OPT_PADDING = "padding"_sr; 163 constexpr auto SHRPX_OPT_ALTSVC = "altsvc"_sr; 164 constexpr auto SHRPX_OPT_ADD_REQUEST_HEADER = "add-request-header"_sr; 165 constexpr auto SHRPX_OPT_ADD_RESPONSE_HEADER = "add-response-header"_sr; 166 constexpr auto SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS = 167 "worker-frontend-connections"_sr; 168 constexpr auto SHRPX_OPT_NO_LOCATION_REWRITE = "no-location-rewrite"_sr; 169 constexpr auto SHRPX_OPT_NO_HOST_REWRITE = "no-host-rewrite"_sr; 170 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST = 171 "backend-http1-connections-per-host"_sr; 172 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND = 173 "backend-http1-connections-per-frontend"_sr; 174 constexpr auto SHRPX_OPT_LISTENER_DISABLE_TIMEOUT = 175 "listener-disable-timeout"_sr; 176 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_FILE = "tls-ticket-key-file"_sr; 177 constexpr auto SHRPX_OPT_RLIMIT_NOFILE = "rlimit-nofile"_sr; 178 constexpr auto SHRPX_OPT_BACKEND_REQUEST_BUFFER = "backend-request-buffer"_sr; 179 constexpr auto SHRPX_OPT_BACKEND_RESPONSE_BUFFER = "backend-response-buffer"_sr; 180 constexpr auto SHRPX_OPT_NO_SERVER_PUSH = "no-server-push"_sr; 181 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER = 182 "backend-http2-connections-per-worker"_sr; 183 constexpr auto SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE = 184 "fetch-ocsp-response-file"_sr; 185 constexpr auto SHRPX_OPT_OCSP_UPDATE_INTERVAL = "ocsp-update-interval"_sr; 186 constexpr auto SHRPX_OPT_NO_OCSP = "no-ocsp"_sr; 187 constexpr auto SHRPX_OPT_HEADER_FIELD_BUFFER = "header-field-buffer"_sr; 188 constexpr auto SHRPX_OPT_MAX_HEADER_FIELDS = "max-header-fields"_sr; 189 constexpr auto SHRPX_OPT_INCLUDE = "include"_sr; 190 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_CIPHER = "tls-ticket-key-cipher"_sr; 191 constexpr auto SHRPX_OPT_HOST_REWRITE = "host-rewrite"_sr; 192 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED = 193 "tls-session-cache-memcached"_sr; 194 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED = 195 "tls-ticket-key-memcached"_sr; 196 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_INTERVAL = 197 "tls-ticket-key-memcached-interval"_sr; 198 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY = 199 "tls-ticket-key-memcached-max-retry"_sr; 200 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL = 201 "tls-ticket-key-memcached-max-fail"_sr; 202 constexpr auto SHRPX_OPT_MRUBY_FILE = "mruby-file"_sr; 203 constexpr auto SHRPX_OPT_ACCEPT_PROXY_PROTOCOL = "accept-proxy-protocol"_sr; 204 constexpr auto SHRPX_OPT_FASTOPEN = "fastopen"_sr; 205 constexpr auto SHRPX_OPT_TLS_DYN_REC_WARMUP_THRESHOLD = 206 "tls-dyn-rec-warmup-threshold"_sr; 207 constexpr auto SHRPX_OPT_TLS_DYN_REC_IDLE_TIMEOUT = 208 "tls-dyn-rec-idle-timeout"_sr; 209 constexpr auto SHRPX_OPT_ADD_FORWARDED = "add-forwarded"_sr; 210 constexpr auto SHRPX_OPT_STRIP_INCOMING_FORWARDED = 211 "strip-incoming-forwarded"_sr; 212 constexpr auto SHRPX_OPT_FORWARDED_BY = "forwarded-by"_sr; 213 constexpr auto SHRPX_OPT_FORWARDED_FOR = "forwarded-for"_sr; 214 constexpr auto SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER = 215 "request-header-field-buffer"_sr; 216 constexpr auto SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS = 217 "max-request-header-fields"_sr; 218 constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER = 219 "response-header-field-buffer"_sr; 220 constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS = 221 "max-response-header-fields"_sr; 222 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST = 223 "no-http2-cipher-block-list"_sr; 224 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST = 225 "no-http2-cipher-black-list"_sr; 226 constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS = "backend-http1-tls"_sr; 227 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_TLS = 228 "tls-session-cache-memcached-tls"_sr; 229 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE = 230 "tls-session-cache-memcached-cert-file"_sr; 231 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE = 232 "tls-session-cache-memcached-private-key-file"_sr; 233 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY = 234 "tls-session-cache-memcached-address-family"_sr; 235 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_TLS = 236 "tls-ticket-key-memcached-tls"_sr; 237 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_CERT_FILE = 238 "tls-ticket-key-memcached-cert-file"_sr; 239 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE = 240 "tls-ticket-key-memcached-private-key-file"_sr; 241 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY = 242 "tls-ticket-key-memcached-address-family"_sr; 243 constexpr auto SHRPX_OPT_BACKEND_ADDRESS_FAMILY = "backend-address-family"_sr; 244 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS = 245 "frontend-http2-max-concurrent-streams"_sr; 246 constexpr auto SHRPX_OPT_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS = 247 "backend-http2-max-concurrent-streams"_sr; 248 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_FRONTEND = 249 "backend-connections-per-frontend"_sr; 250 constexpr auto SHRPX_OPT_BACKEND_TLS = "backend-tls"_sr; 251 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_HOST = 252 "backend-connections-per-host"_sr; 253 constexpr auto SHRPX_OPT_ERROR_PAGE = "error-page"_sr; 254 constexpr auto SHRPX_OPT_NO_KQUEUE = "no-kqueue"_sr; 255 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_SETTINGS_TIMEOUT = 256 "frontend-http2-settings-timeout"_sr; 257 constexpr auto SHRPX_OPT_BACKEND_HTTP2_SETTINGS_TIMEOUT = 258 "backend-http2-settings-timeout"_sr; 259 constexpr auto SHRPX_OPT_API_MAX_REQUEST_BODY = "api-max-request-body"_sr; 260 constexpr auto SHRPX_OPT_BACKEND_MAX_BACKOFF = "backend-max-backoff"_sr; 261 constexpr auto SHRPX_OPT_SERVER_NAME = "server-name"_sr; 262 constexpr auto SHRPX_OPT_NO_SERVER_REWRITE = "no-server-rewrite"_sr; 263 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE = 264 "frontend-http2-optimize-write-buffer-size"_sr; 265 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE = 266 "frontend-http2-optimize-window-size"_sr; 267 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_SIZE = 268 "frontend-http2-window-size"_sr; 269 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE = 270 "frontend-http2-connection-window-size"_sr; 271 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_SIZE = 272 "backend-http2-window-size"_sr; 273 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE = 274 "backend-http2-connection-window-size"_sr; 275 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE = 276 "frontend-http2-encoder-dynamic-table-size"_sr; 277 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE = 278 "frontend-http2-decoder-dynamic-table-size"_sr; 279 constexpr auto SHRPX_OPT_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE = 280 "backend-http2-encoder-dynamic-table-size"_sr; 281 constexpr auto SHRPX_OPT_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE = 282 "backend-http2-decoder-dynamic-table-size"_sr; 283 constexpr auto SHRPX_OPT_ECDH_CURVES = "ecdh-curves"_sr; 284 constexpr auto SHRPX_OPT_TLS_SCT_DIR = "tls-sct-dir"_sr; 285 constexpr auto SHRPX_OPT_BACKEND_CONNECT_TIMEOUT = "backend-connect-timeout"_sr; 286 constexpr auto SHRPX_OPT_DNS_CACHE_TIMEOUT = "dns-cache-timeout"_sr; 287 constexpr auto SHRPX_OPT_DNS_LOOKUP_TIMEOUT = "dns-lookup-timeout"_sr; 288 constexpr auto SHRPX_OPT_DNS_MAX_TRY = "dns-max-try"_sr; 289 constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT = 290 "frontend-keep-alive-timeout"_sr; 291 constexpr auto SHRPX_OPT_PSK_SECRETS = "psk-secrets"_sr; 292 constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS = "client-psk-secrets"_sr; 293 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST = 294 "client-no-http2-cipher-block-list"_sr; 295 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST = 296 "client-no-http2-cipher-black-list"_sr; 297 constexpr auto SHRPX_OPT_CLIENT_CIPHERS = "client-ciphers"_sr; 298 constexpr auto SHRPX_OPT_ACCESSLOG_WRITE_EARLY = "accesslog-write-early"_sr; 299 constexpr auto SHRPX_OPT_TLS_MIN_PROTO_VERSION = "tls-min-proto-version"_sr; 300 constexpr auto SHRPX_OPT_TLS_MAX_PROTO_VERSION = "tls-max-proto-version"_sr; 301 constexpr auto SHRPX_OPT_REDIRECT_HTTPS_PORT = "redirect-https-port"_sr; 302 constexpr auto SHRPX_OPT_FRONTEND_MAX_REQUESTS = "frontend-max-requests"_sr; 303 constexpr auto SHRPX_OPT_SINGLE_THREAD = "single-thread"_sr; 304 constexpr auto SHRPX_OPT_SINGLE_PROCESS = "single-process"_sr; 305 constexpr auto SHRPX_OPT_NO_ADD_X_FORWARDED_PROTO = 306 "no-add-x-forwarded-proto"_sr; 307 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO = 308 "no-strip-incoming-x-forwarded-proto"_sr; 309 constexpr auto SHRPX_OPT_OCSP_STARTUP = "ocsp-startup"_sr; 310 constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = "no-verify-ocsp"_sr; 311 constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED = 312 "verify-client-tolerate-expired"_sr; 313 constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR = 314 "ignore-per-pattern-mruby-error"_sr; 315 constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA = 316 "tls-no-postpone-early-data"_sr; 317 constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA = "tls-max-early-data"_sr; 318 constexpr auto SHRPX_OPT_TLS13_CIPHERS = "tls13-ciphers"_sr; 319 constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS = "tls13-client-ciphers"_sr; 320 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA = 321 "no-strip-incoming-early-data"_sr; 322 constexpr auto SHRPX_OPT_QUIC_BPF_PROGRAM_FILE = "quic-bpf-program-file"_sr; 323 constexpr auto SHRPX_OPT_NO_QUIC_BPF = "no-quic-bpf"_sr; 324 constexpr auto SHRPX_OPT_HTTP2_ALTSVC = "http2-altsvc"_sr; 325 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_READ_TIMEOUT = 326 "frontend-http3-read-timeout"_sr; 327 constexpr auto SHRPX_OPT_FRONTEND_QUIC_IDLE_TIMEOUT = 328 "frontend-quic-idle-timeout"_sr; 329 constexpr auto SHRPX_OPT_FRONTEND_QUIC_DEBUG_LOG = "frontend-quic-debug-log"_sr; 330 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_WINDOW_SIZE = 331 "frontend-http3-window-size"_sr; 332 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE = 333 "frontend-http3-connection-window-size"_sr; 334 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_WINDOW_SIZE = 335 "frontend-http3-max-window-size"_sr; 336 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE = 337 "frontend-http3-max-connection-window-size"_sr; 338 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS = 339 "frontend-http3-max-concurrent-streams"_sr; 340 constexpr auto SHRPX_OPT_FRONTEND_QUIC_EARLY_DATA = 341 "frontend-quic-early-data"_sr; 342 constexpr auto SHRPX_OPT_FRONTEND_QUIC_QLOG_DIR = "frontend-quic-qlog-dir"_sr; 343 constexpr auto SHRPX_OPT_FRONTEND_QUIC_REQUIRE_TOKEN = 344 "frontend-quic-require-token"_sr; 345 constexpr auto SHRPX_OPT_FRONTEND_QUIC_CONGESTION_CONTROLLER = 346 "frontend-quic-congestion-controller"_sr; 347 constexpr auto SHRPX_OPT_QUIC_SERVER_ID = "quic-server-id"_sr; 348 constexpr auto SHRPX_OPT_FRONTEND_QUIC_SECRET_FILE = 349 "frontend-quic-secret-file"_sr; 350 constexpr auto SHRPX_OPT_RLIMIT_MEMLOCK = "rlimit-memlock"_sr; 351 constexpr auto SHRPX_OPT_MAX_WORKER_PROCESSES = "max-worker-processes"_sr; 352 constexpr auto SHRPX_OPT_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD = 353 "worker-process-grace-shutdown-period"_sr; 354 constexpr auto SHRPX_OPT_FRONTEND_QUIC_INITIAL_RTT = 355 "frontend-quic-initial-rtt"_sr; 356 constexpr auto SHRPX_OPT_REQUIRE_HTTP_SCHEME = "require-http-scheme"_sr; 357 constexpr auto SHRPX_OPT_TLS_KTLS = "tls-ktls"_sr; 358 constexpr auto SHRPX_OPT_ALPN_LIST = "alpn-list"_sr; 359 constexpr auto SHRPX_OPT_FRONTEND_HEADER_TIMEOUT = "frontend-header-timeout"_sr; 360 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_IDLE_TIMEOUT = 361 "frontend-http2-idle-timeout"_sr; 362 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_IDLE_TIMEOUT = 363 "frontend-http3-idle-timeout"_sr; 364 365 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8; 366 367 constexpr auto DEFAULT_DOWNSTREAM_HOST = "127.0.0.1"_sr; 368 constexpr int16_t DEFAULT_DOWNSTREAM_PORT = 80; 369 370 enum class Proto { 371 NONE, 372 HTTP1, 373 HTTP2, 374 HTTP3, 375 MEMCACHED, 376 }; 377 378 enum class SessionAffinity { 379 // No session affinity 380 NONE, 381 // Client IP affinity 382 IP, 383 // Cookie based affinity 384 COOKIE, 385 }; 386 387 enum class SessionAffinityCookieSecure { 388 // Secure attribute of session affinity cookie is determined by the 389 // request scheme. 390 AUTO, 391 // Secure attribute of session affinity cookie is always set. 392 YES, 393 // Secure attribute of session affinity cookie is always unset. 394 NO, 395 }; 396 397 enum class SessionAffinityCookieStickiness { 398 // Backend server might be changed when an existing backend server 399 // is removed, or new backend server is added. 400 LOOSE, 401 // Backend server might be changed when a designated backend server 402 // is removed, but adding new backend server does not cause 403 // breakage. 404 STRICT, 405 }; 406 407 struct AffinityConfig { 408 // Type of session affinity. 409 SessionAffinity type; 410 struct { 411 // Name of a cookie to use. 412 StringRef name; 413 // Path which a cookie is applied to. 414 StringRef path; 415 // Secure attribute 416 SessionAffinityCookieSecure secure; 417 // Affinity Stickiness 418 SessionAffinityCookieStickiness stickiness; 419 } cookie; 420 }; 421 422 enum shrpx_forwarded_param { 423 FORWARDED_NONE = 0, 424 FORWARDED_BY = 0x1, 425 FORWARDED_FOR = 0x2, 426 FORWARDED_HOST = 0x4, 427 FORWARDED_PROTO = 0x8, 428 }; 429 430 enum class ForwardedNode { 431 OBFUSCATED, 432 IP, 433 }; 434 435 struct AltSvc { 436 StringRef protocol_id, host, origin, service, params; 437 438 uint16_t port; 439 }; 440 441 enum class UpstreamAltMode { 442 // No alternative mode 443 NONE, 444 // API processing mode 445 API, 446 // Health monitor mode 447 HEALTHMON, 448 }; 449 450 struct UpstreamAddr { 451 // The unique index of this address. 452 size_t index; 453 // The frontend address (e.g., FQDN, hostname, IP address). If 454 // |host_unix| is true, this is UNIX domain socket path. This must 455 // be NULL terminated string. 456 StringRef host; 457 // For TCP socket, this is <IP address>:<PORT>. For IPv6 address, 458 // address is surrounded by square brackets. If socket is UNIX 459 // domain socket, this is "localhost". 460 StringRef hostport; 461 // frontend port. 0 if |host_unix| is true. 462 uint16_t port; 463 // For TCP socket, this is either AF_INET or AF_INET6. For UNIX 464 // domain socket, this is 0. 465 int family; 466 // Alternate mode 467 UpstreamAltMode alt_mode; 468 // true if |host| contains UNIX domain socket path. 469 bool host_unix; 470 // true if TLS is enabled. 471 bool tls; 472 // true if SNI host should be used as a host when selecting backend 473 // server. 474 bool sni_fwd; 475 // true if client is supposed to send PROXY protocol v1 header. 476 bool accept_proxy_protocol; 477 bool quic; 478 int fd; 479 }; 480 481 struct DownstreamAddrConfig { 482 // Resolved address if |dns| is false 483 Address addr; 484 // backend address. If |host_unix| is true, this is UNIX domain 485 // socket path. This must be NULL terminated string. 486 StringRef host; 487 // <HOST>:<PORT>. This does not treat 80 and 443 specially. If 488 // |host_unix| is true, this is "localhost". 489 StringRef hostport; 490 // hostname sent as SNI field 491 StringRef sni; 492 // name of group which this address belongs to. 493 StringRef group; 494 size_t fall; 495 size_t rise; 496 // weight of this address inside a weight group. Its range is [1, 497 // 256], inclusive. 498 uint32_t weight; 499 // weight of the weight group. Its range is [1, 256], inclusive. 500 uint32_t group_weight; 501 // affinity hash for this address. It is assigned when strict 502 // stickiness is enabled. 503 uint32_t affinity_hash; 504 // Application protocol used in this group 505 Proto proto; 506 // backend port. 0 if |host_unix| is true. 507 uint16_t port; 508 // true if |host| contains UNIX domain socket path. 509 bool host_unix; 510 bool tls; 511 // true if dynamic DNS is enabled 512 bool dns; 513 // true if :scheme pseudo header field should be upgraded to secure 514 // variant (e.g., "https") when forwarding request to a backend 515 // connected by TLS connection. 516 bool upgrade_scheme; 517 // true if a request should not be forwarded to a backend. 518 bool dnf; 519 }; 520 521 // Mapping hash to idx which is an index into 522 // DownstreamAddrGroupConfig::addrs. 523 struct AffinityHash { AffinityHashAffinityHash524 AffinityHash(size_t idx, uint32_t hash) : idx(idx), hash(hash) {} 525 526 size_t idx; 527 uint32_t hash; 528 }; 529 530 struct DownstreamAddrGroupConfig { DownstreamAddrGroupConfigDownstreamAddrGroupConfig531 DownstreamAddrGroupConfig(const StringRef &pattern) 532 : pattern(pattern), 533 affinity{SessionAffinity::NONE}, 534 redirect_if_not_tls(false), 535 dnf{false}, 536 timeout{} {} 537 538 StringRef pattern; 539 StringRef mruby_file; 540 std::vector<DownstreamAddrConfig> addrs; 541 // Bunch of session affinity hash. Only used if affinity == 542 // SessionAffinity::IP. 543 std::vector<AffinityHash> affinity_hash; 544 // Maps affinity hash of each DownstreamAddrConfig to its index in 545 // addrs. It is only assigned when strict stickiness is enabled. 546 std::unordered_map<uint32_t, size_t> affinity_hash_map; 547 // Cookie based session affinity configuration. 548 AffinityConfig affinity; 549 // true if this group requires that client connection must be TLS, 550 // and the request must be redirected to https URI. 551 bool redirect_if_not_tls; 552 // true if a request should not be forwarded to a backend. 553 bool dnf; 554 // Timeouts for backend connection. 555 struct { 556 ev_tstamp read; 557 ev_tstamp write; 558 } timeout; 559 }; 560 561 struct TicketKey { 562 const EVP_CIPHER *cipher; 563 const EVP_MD *hmac; 564 size_t hmac_keylen; 565 struct { 566 // name of this ticket configuration 567 std::array<uint8_t, 16> name; 568 // encryption key for |cipher| 569 std::array<uint8_t, 32> enc_key; 570 // hmac key for |hmac| 571 std::array<uint8_t, 32> hmac_key; 572 } data; 573 }; 574 575 struct TicketKeys { 576 ~TicketKeys(); 577 std::vector<TicketKey> keys; 578 }; 579 580 struct TLSCertificate { TLSCertificateTLSCertificate581 TLSCertificate(StringRef private_key_file, StringRef cert_file, 582 std::vector<uint8_t> sct_data) 583 : private_key_file(std::move(private_key_file)), 584 cert_file(std::move(cert_file)), 585 sct_data(std::move(sct_data)) {} 586 587 StringRef private_key_file; 588 StringRef cert_file; 589 std::vector<uint8_t> sct_data; 590 }; 591 592 #ifdef ENABLE_HTTP3 593 struct QUICKeyingMaterial { 594 QUICKeyingMaterial() noexcept = default; 595 QUICKeyingMaterial(QUICKeyingMaterial &&other) noexcept; 596 ~QUICKeyingMaterial() noexcept; 597 QUICKeyingMaterial &operator=(QUICKeyingMaterial &&other) noexcept; 598 EVP_CIPHER_CTX *cid_encryption_ctx; 599 EVP_CIPHER_CTX *cid_decryption_ctx; 600 std::array<uint8_t, SHRPX_QUIC_SECRET_RESERVEDLEN> reserved; 601 std::array<uint8_t, SHRPX_QUIC_SECRETLEN> secret; 602 std::array<uint8_t, SHRPX_QUIC_SALTLEN> salt; 603 std::array<uint8_t, SHRPX_QUIC_CID_ENCRYPTION_KEYLEN> cid_encryption_key; 604 // Identifier of this keying material. Only the first 2 bits are 605 // used. 606 uint8_t id; 607 }; 608 609 struct QUICKeyingMaterials { 610 std::vector<QUICKeyingMaterial> keying_materials; 611 }; 612 #endif // ENABLE_HTTP3 613 614 struct HttpProxy { 615 Address addr; 616 // host in http proxy URI 617 StringRef host; 618 // userinfo in http proxy URI, not percent-encoded form 619 StringRef userinfo; 620 // port in http proxy URI 621 uint16_t port; 622 }; 623 624 struct TLSConfig { 625 // RFC 5077 Session ticket related configurations 626 struct { 627 struct { 628 Address addr; 629 uint16_t port; 630 // Hostname of memcached server. This is also used as SNI field 631 // if TLS is enabled. 632 StringRef host; 633 // Client private key and certificate for authentication 634 StringRef private_key_file; 635 StringRef cert_file; 636 ev_tstamp interval; 637 // Maximum number of retries when getting TLS ticket key from 638 // mamcached, due to network error. 639 size_t max_retry; 640 // Maximum number of consecutive error from memcached, when this 641 // limit reached, TLS ticket is disabled. 642 size_t max_fail; 643 // Address family of memcached connection. One of either 644 // AF_INET, AF_INET6 or AF_UNSPEC. 645 int family; 646 bool tls; 647 } memcached; 648 std::vector<StringRef> files; 649 const EVP_CIPHER *cipher; 650 // true if --tls-ticket-key-cipher is used 651 bool cipher_given; 652 } ticket; 653 654 // Session cache related configurations 655 struct { 656 struct { 657 Address addr; 658 uint16_t port; 659 // Hostname of memcached server. This is also used as SNI field 660 // if TLS is enabled. 661 StringRef host; 662 // Client private key and certificate for authentication 663 StringRef private_key_file; 664 StringRef cert_file; 665 // Address family of memcached connection. One of either 666 // AF_INET, AF_INET6 or AF_UNSPEC. 667 int family; 668 bool tls; 669 } memcached; 670 } session_cache; 671 672 // Dynamic record sizing configurations 673 struct { 674 size_t warmup_threshold; 675 ev_tstamp idle_timeout; 676 } dyn_rec; 677 678 // OCSP related configurations 679 struct { 680 ev_tstamp update_interval; 681 StringRef fetch_ocsp_response_file; 682 bool disabled; 683 bool startup; 684 bool no_verify; 685 } ocsp; 686 687 // Client verification configurations 688 struct { 689 // Path to file containing CA certificate solely used for client 690 // certificate validation 691 StringRef cacert; 692 bool enabled; 693 // true if we accept an expired client certificate. 694 bool tolerate_expired; 695 } client_verify; 696 697 // Client (backend connection) TLS configuration. 698 struct { 699 // Client PSK configuration 700 struct { 701 // identity must be NULL terminated string. 702 StringRef identity; 703 StringRef secret; 704 } psk; 705 StringRef private_key_file; 706 StringRef cert_file; 707 StringRef ciphers; 708 StringRef tls13_ciphers; 709 bool no_http2_cipher_block_list; 710 } client; 711 712 // PSK secrets. The key is identity, and the associated value is 713 // its secret. 714 std::map<StringRef, StringRef> psk_secrets; 715 // The list of additional TLS certificate pair 716 std::vector<TLSCertificate> subcerts; 717 std::vector<unsigned char> alpn_prefs; 718 // list of supported ALPN protocol strings in the order of 719 // preference. 720 std::vector<StringRef> alpn_list; 721 // list of supported SSL/TLS protocol strings. 722 std::vector<StringRef> tls_proto_list; 723 std::vector<uint8_t> sct_data; 724 BIO_METHOD *bio_method; 725 // Bit mask to disable SSL/TLS protocol versions. This will be 726 // passed to SSL_CTX_set_options(). 727 long int tls_proto_mask; 728 StringRef backend_sni_name; 729 std::chrono::seconds session_timeout; 730 StringRef private_key_file; 731 StringRef private_key_passwd; 732 StringRef cert_file; 733 StringRef dh_param_file; 734 StringRef ciphers; 735 StringRef tls13_ciphers; 736 StringRef ecdh_curves; 737 StringRef cacert; 738 // The maximum amount of 0-RTT data that server accepts. 739 uint32_t max_early_data; 740 // The minimum and maximum TLS version. These values are defined in 741 // OpenSSL header file. 742 int min_proto_version; 743 int max_proto_version; 744 bool insecure; 745 bool no_http2_cipher_block_list; 746 // true if forwarding requests included in TLS early data should not 747 // be postponed until TLS handshake finishes. 748 bool no_postpone_early_data; 749 bool ktls; 750 }; 751 752 #ifdef ENABLE_HTTP3 753 struct QUICConfig { 754 struct { 755 struct { 756 ev_tstamp idle; 757 } timeout; 758 struct { 759 bool log; 760 } debug; 761 struct { 762 StringRef dir; 763 } qlog; 764 ngtcp2_cc_algo congestion_controller; 765 bool early_data; 766 bool require_token; 767 StringRef secret_file; 768 ev_tstamp initial_rtt; 769 } upstream; 770 struct { 771 StringRef prog_file; 772 bool disabled; 773 } bpf; 774 uint32_t server_id; 775 }; 776 777 struct Http3Config { 778 struct { 779 size_t max_concurrent_streams; 780 int32_t window_size; 781 int32_t connection_window_size; 782 int32_t max_window_size; 783 int32_t max_connection_window_size; 784 } upstream; 785 }; 786 #endif // ENABLE_HTTP3 787 788 // custom error page 789 struct ErrorPage { 790 // not NULL-terminated 791 std::vector<uint8_t> content; 792 // 0 is special value, and it matches all HTTP status code. 793 unsigned int http_status; 794 }; 795 796 struct HttpConfig { 797 struct { 798 // obfuscated value used in "by" parameter of Forwarded header 799 // field. This is only used when user defined static obfuscated 800 // string is provided. 801 StringRef by_obfuscated; 802 // bitwise-OR of one or more of shrpx_forwarded_param values. 803 uint32_t params; 804 // type of value recorded in "by" parameter of Forwarded header 805 // field. 806 ForwardedNode by_node_type; 807 // type of value recorded in "for" parameter of Forwarded header 808 // field. 809 ForwardedNode for_node_type; 810 bool strip_incoming; 811 } forwarded; 812 struct { 813 bool add; 814 bool strip_incoming; 815 } xff; 816 struct { 817 bool add; 818 bool strip_incoming; 819 } xfp; 820 struct { 821 bool strip_incoming; 822 } early_data; 823 struct { 824 ev_tstamp header; 825 } timeout; 826 std::vector<AltSvc> altsvcs; 827 // altsvcs serialized in a wire format. 828 StringRef altsvc_header_value; 829 std::vector<AltSvc> http2_altsvcs; 830 // http2_altsvcs serialized in a wire format. 831 StringRef http2_altsvc_header_value; 832 std::vector<ErrorPage> error_pages; 833 HeaderRefs add_request_headers; 834 HeaderRefs add_response_headers; 835 StringRef server_name; 836 // Port number which appears in Location header field when https 837 // redirect is made. 838 StringRef redirect_https_port; 839 size_t request_header_field_buffer; 840 size_t max_request_header_fields; 841 size_t response_header_field_buffer; 842 size_t max_response_header_fields; 843 size_t max_requests; 844 bool no_via; 845 bool no_location_rewrite; 846 bool no_host_rewrite; 847 bool no_server_rewrite; 848 bool require_http_scheme; 849 }; 850 851 struct Http2Config { 852 struct { 853 struct { 854 struct { 855 StringRef request_header_file; 856 StringRef response_header_file; 857 FILE *request_header; 858 FILE *response_header; 859 } dump; 860 bool frame_debug; 861 } debug; 862 struct { 863 ev_tstamp settings; 864 } timeout; 865 nghttp2_option *option; 866 nghttp2_option *alt_mode_option; 867 nghttp2_session_callbacks *callbacks; 868 size_t max_concurrent_streams; 869 size_t encoder_dynamic_table_size; 870 size_t decoder_dynamic_table_size; 871 int32_t window_size; 872 int32_t connection_window_size; 873 bool optimize_write_buffer_size; 874 bool optimize_window_size; 875 } upstream; 876 struct { 877 struct { 878 ev_tstamp settings; 879 } timeout; 880 nghttp2_option *option; 881 nghttp2_session_callbacks *callbacks; 882 size_t encoder_dynamic_table_size; 883 size_t decoder_dynamic_table_size; 884 int32_t window_size; 885 int32_t connection_window_size; 886 size_t max_concurrent_streams; 887 } downstream; 888 struct { 889 ev_tstamp stream_read; 890 ev_tstamp stream_write; 891 } timeout; 892 bool no_cookie_crumbling; 893 bool no_server_push; 894 }; 895 896 struct LoggingConfig { 897 struct { 898 std::vector<LogFragment> format; 899 StringRef file; 900 // Send accesslog to syslog, ignoring accesslog_file. 901 bool syslog; 902 // Write accesslog when response headers are received from 903 // backend, rather than response body is received and sent. 904 bool write_early; 905 } access; 906 struct { 907 StringRef file; 908 // Send errorlog to syslog, ignoring errorlog_file. 909 bool syslog; 910 } error; 911 int syslog_facility; 912 int severity; 913 }; 914 915 struct RateLimitConfig { 916 size_t rate; 917 size_t burst; 918 }; 919 920 // Wildcard host pattern routing. We strips left most '*' from host 921 // field. router includes all path patterns sharing the same wildcard 922 // host. 923 struct WildcardPattern { WildcardPatternWildcardPattern924 WildcardPattern(const StringRef &host) : host(host) {} 925 926 // This might not be NULL terminated. Currently it is only used for 927 // comparison. 928 StringRef host; 929 Router router; 930 }; 931 932 // Configuration to select backend to forward request 933 struct RouterConfig { 934 Router router; 935 // Router for reversed wildcard hosts. Since this router has 936 // wildcard hosts reversed without '*', one should call match() 937 // function with reversed host stripping last character. This is 938 // because we require at least one character must match for '*'. 939 // The index stored in this router is index of wildcard_patterns. 940 Router rev_wildcard_router; 941 std::vector<WildcardPattern> wildcard_patterns; 942 }; 943 944 struct DownstreamConfig { DownstreamConfigDownstreamConfig945 DownstreamConfig() 946 : balloc(1024, 1024), 947 timeout{}, 948 addr_group_catch_all{0}, 949 connections_per_host{0}, 950 connections_per_frontend{0}, 951 request_buffer_size{0}, 952 response_buffer_size{0}, 953 family{0} {} 954 955 DownstreamConfig(const DownstreamConfig &) = delete; 956 DownstreamConfig(DownstreamConfig &&) = delete; 957 DownstreamConfig &operator=(const DownstreamConfig &) = delete; 958 DownstreamConfig &operator=(DownstreamConfig &&) = delete; 959 960 // Allocator to allocate memory for Downstream configuration. Since 961 // we may swap around DownstreamConfig in arbitrary times with API 962 // calls, we should use their own allocator instead of per Config 963 // allocator. 964 BlockAllocator balloc; 965 struct { 966 ev_tstamp read; 967 ev_tstamp write; 968 ev_tstamp idle_read; 969 ev_tstamp connect; 970 // The maximum backoff while checking health check for offline 971 // backend or while detaching failed backend from load balancing 972 // group temporarily. 973 ev_tstamp max_backoff; 974 } timeout; 975 RouterConfig router; 976 std::vector<DownstreamAddrGroupConfig> addr_groups; 977 // The index of catch-all group in downstream_addr_groups. 978 size_t addr_group_catch_all; 979 size_t connections_per_host; 980 size_t connections_per_frontend; 981 size_t request_buffer_size; 982 size_t response_buffer_size; 983 // Address family of backend connection. One of either AF_INET, 984 // AF_INET6 or AF_UNSPEC. This is ignored if backend connection 985 // is made via Unix domain socket. 986 int family; 987 }; 988 989 struct ConnectionConfig { 990 struct { 991 struct { 992 ev_tstamp sleep; 993 } timeout; 994 // address of frontend acceptors 995 std::vector<UpstreamAddr> addrs; 996 int backlog; 997 // TCP fastopen. If this is positive, it is passed to 998 // setsockopt() along with TCP_FASTOPEN. 999 int fastopen; 1000 } listener; 1001 1002 #ifdef ENABLE_HTTP3 1003 struct { 1004 std::vector<UpstreamAddr> addrs; 1005 } quic_listener; 1006 #endif // ENABLE_HTTP3 1007 1008 struct { 1009 struct { 1010 ev_tstamp http2_idle; 1011 ev_tstamp http3_idle; 1012 ev_tstamp write; 1013 ev_tstamp idle; 1014 } timeout; 1015 struct { 1016 RateLimitConfig read; 1017 RateLimitConfig write; 1018 } ratelimit; 1019 size_t worker_connections; 1020 // Deprecated. See UpstreamAddr.accept_proxy_protocol. 1021 bool accept_proxy_protocol; 1022 } upstream; 1023 1024 std::shared_ptr<DownstreamConfig> downstream; 1025 }; 1026 1027 struct APIConfig { 1028 // Maximum request body size for one API request 1029 size_t max_request_body; 1030 // true if at least one of UpstreamAddr has api enabled 1031 bool enabled; 1032 }; 1033 1034 struct DNSConfig { 1035 struct { 1036 ev_tstamp cache; 1037 ev_tstamp lookup; 1038 } timeout; 1039 // The number of tries name resolver makes before abandoning 1040 // request. 1041 size_t max_try; 1042 }; 1043 1044 struct Config { ConfigConfig1045 Config() 1046 : balloc(4096, 4096), 1047 downstream_http_proxy{}, 1048 http{}, 1049 http2{}, 1050 tls{}, 1051 #ifdef ENABLE_HTTP3 1052 quic{}, 1053 #endif // ENABLE_HTTP3 1054 logging{}, 1055 conn{}, 1056 api{}, 1057 dns{}, 1058 config_revision{0}, 1059 num_worker{0}, 1060 padding{0}, 1061 rlimit_nofile{0}, 1062 rlimit_memlock{0}, 1063 uid{0}, 1064 gid{0}, 1065 pid{0}, 1066 verbose{false}, 1067 daemon{false}, 1068 http2_proxy{false}, 1069 single_process{false}, 1070 single_thread{false}, 1071 ignore_per_pattern_mruby_error{false}, 1072 ev_loop_flags{0}, 1073 max_worker_processes{0}, 1074 worker_process_grace_shutdown_period{0.} { 1075 } 1076 ~Config(); 1077 1078 Config(Config &&) = delete; 1079 Config(const Config &&) = delete; 1080 Config &operator=(Config &&) = delete; 1081 Config &operator=(const Config &&) = delete; 1082 1083 // Allocator to allocate memory for this object except for 1084 // DownstreamConfig. Currently, it is used to allocate memory for 1085 // strings. 1086 BlockAllocator balloc; 1087 HttpProxy downstream_http_proxy; 1088 HttpConfig http; 1089 Http2Config http2; 1090 TLSConfig tls; 1091 #ifdef ENABLE_HTTP3 1092 QUICConfig quic; 1093 Http3Config http3; 1094 #endif // ENABLE_HTTP3 1095 LoggingConfig logging; 1096 ConnectionConfig conn; 1097 APIConfig api; 1098 DNSConfig dns; 1099 StringRef pid_file; 1100 StringRef conf_path; 1101 StringRef user; 1102 StringRef mruby_file; 1103 // The revision of configuration which is opaque string, and changes 1104 // on each configuration reloading. This does not change on 1105 // backendconfig API call. This value is returned in health check 1106 // as "nghttpx-conf-rev" response header field. The external 1107 // program can check this value to know whether reloading has 1108 // completed or not. 1109 uint64_t config_revision; 1110 size_t num_worker; 1111 size_t padding; 1112 size_t rlimit_nofile; 1113 size_t rlimit_memlock; 1114 uid_t uid; 1115 gid_t gid; 1116 pid_t pid; 1117 bool verbose; 1118 bool daemon; 1119 bool http2_proxy; 1120 // Run nghttpx in single process mode. With this mode, signal 1121 // handling is omitted. 1122 bool single_process; 1123 bool single_thread; 1124 // Ignore mruby compile error for per-pattern mruby script. 1125 bool ignore_per_pattern_mruby_error; 1126 // flags passed to ev_default_loop() and ev_loop_new() 1127 int ev_loop_flags; 1128 size_t max_worker_processes; 1129 ev_tstamp worker_process_grace_shutdown_period; 1130 }; 1131 1132 const Config *get_config(); 1133 Config *mod_config(); 1134 // Replaces the current config with given |new_config|. The old config is 1135 // returned. 1136 std::unique_ptr<Config> replace_config(std::unique_ptr<Config> new_config); 1137 void create_config(); 1138 1139 // generated by gennghttpxfun.py 1140 enum { 1141 SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL, 1142 SHRPX_OPTID_ACCESSLOG_FILE, 1143 SHRPX_OPTID_ACCESSLOG_FORMAT, 1144 SHRPX_OPTID_ACCESSLOG_SYSLOG, 1145 SHRPX_OPTID_ACCESSLOG_WRITE_EARLY, 1146 SHRPX_OPTID_ADD_FORWARDED, 1147 SHRPX_OPTID_ADD_REQUEST_HEADER, 1148 SHRPX_OPTID_ADD_RESPONSE_HEADER, 1149 SHRPX_OPTID_ADD_X_FORWARDED_FOR, 1150 SHRPX_OPTID_ALPN_LIST, 1151 SHRPX_OPTID_ALTSVC, 1152 SHRPX_OPTID_API_MAX_REQUEST_BODY, 1153 SHRPX_OPTID_BACKEND, 1154 SHRPX_OPTID_BACKEND_ADDRESS_FAMILY, 1155 SHRPX_OPTID_BACKEND_CONNECT_TIMEOUT, 1156 SHRPX_OPTID_BACKEND_CONNECTIONS_PER_FRONTEND, 1157 SHRPX_OPTID_BACKEND_CONNECTIONS_PER_HOST, 1158 SHRPX_OPTID_BACKEND_HTTP_PROXY_URI, 1159 SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND, 1160 SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_HOST, 1161 SHRPX_OPTID_BACKEND_HTTP1_TLS, 1162 SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_BITS, 1163 SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE, 1164 SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER, 1165 SHRPX_OPTID_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE, 1166 SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE, 1167 SHRPX_OPTID_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS, 1168 SHRPX_OPTID_BACKEND_HTTP2_SETTINGS_TIMEOUT, 1169 SHRPX_OPTID_BACKEND_HTTP2_WINDOW_BITS, 1170 SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE, 1171 SHRPX_OPTID_BACKEND_IPV4, 1172 SHRPX_OPTID_BACKEND_IPV6, 1173 SHRPX_OPTID_BACKEND_KEEP_ALIVE_TIMEOUT, 1174 SHRPX_OPTID_BACKEND_MAX_BACKOFF, 1175 SHRPX_OPTID_BACKEND_NO_TLS, 1176 SHRPX_OPTID_BACKEND_READ_TIMEOUT, 1177 SHRPX_OPTID_BACKEND_REQUEST_BUFFER, 1178 SHRPX_OPTID_BACKEND_RESPONSE_BUFFER, 1179 SHRPX_OPTID_BACKEND_TLS, 1180 SHRPX_OPTID_BACKEND_TLS_SNI_FIELD, 1181 SHRPX_OPTID_BACKEND_WRITE_TIMEOUT, 1182 SHRPX_OPTID_BACKLOG, 1183 SHRPX_OPTID_CACERT, 1184 SHRPX_OPTID_CERTIFICATE_FILE, 1185 SHRPX_OPTID_CIPHERS, 1186 SHRPX_OPTID_CLIENT, 1187 SHRPX_OPTID_CLIENT_CERT_FILE, 1188 SHRPX_OPTID_CLIENT_CIPHERS, 1189 SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST, 1190 SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST, 1191 SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE, 1192 SHRPX_OPTID_CLIENT_PROXY, 1193 SHRPX_OPTID_CLIENT_PSK_SECRETS, 1194 SHRPX_OPTID_CONF, 1195 SHRPX_OPTID_DAEMON, 1196 SHRPX_OPTID_DH_PARAM_FILE, 1197 SHRPX_OPTID_DNS_CACHE_TIMEOUT, 1198 SHRPX_OPTID_DNS_LOOKUP_TIMEOUT, 1199 SHRPX_OPTID_DNS_MAX_TRY, 1200 SHRPX_OPTID_ECDH_CURVES, 1201 SHRPX_OPTID_ERROR_PAGE, 1202 SHRPX_OPTID_ERRORLOG_FILE, 1203 SHRPX_OPTID_ERRORLOG_SYSLOG, 1204 SHRPX_OPTID_FASTOPEN, 1205 SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE, 1206 SHRPX_OPTID_FORWARDED_BY, 1207 SHRPX_OPTID_FORWARDED_FOR, 1208 SHRPX_OPTID_FRONTEND, 1209 SHRPX_OPTID_FRONTEND_FRAME_DEBUG, 1210 SHRPX_OPTID_FRONTEND_HEADER_TIMEOUT, 1211 SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS, 1212 SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE, 1213 SHRPX_OPTID_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE, 1214 SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER, 1215 SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER, 1216 SHRPX_OPTID_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE, 1217 SHRPX_OPTID_FRONTEND_HTTP2_IDLE_TIMEOUT, 1218 SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS, 1219 SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE, 1220 SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE, 1221 SHRPX_OPTID_FRONTEND_HTTP2_READ_TIMEOUT, 1222 SHRPX_OPTID_FRONTEND_HTTP2_SETTINGS_TIMEOUT, 1223 SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_BITS, 1224 SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE, 1225 SHRPX_OPTID_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE, 1226 SHRPX_OPTID_FRONTEND_HTTP3_IDLE_TIMEOUT, 1227 SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS, 1228 SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE, 1229 SHRPX_OPTID_FRONTEND_HTTP3_MAX_WINDOW_SIZE, 1230 SHRPX_OPTID_FRONTEND_HTTP3_READ_TIMEOUT, 1231 SHRPX_OPTID_FRONTEND_HTTP3_WINDOW_SIZE, 1232 SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT, 1233 SHRPX_OPTID_FRONTEND_MAX_REQUESTS, 1234 SHRPX_OPTID_FRONTEND_NO_TLS, 1235 SHRPX_OPTID_FRONTEND_QUIC_CONGESTION_CONTROLLER, 1236 SHRPX_OPTID_FRONTEND_QUIC_DEBUG_LOG, 1237 SHRPX_OPTID_FRONTEND_QUIC_EARLY_DATA, 1238 SHRPX_OPTID_FRONTEND_QUIC_IDLE_TIMEOUT, 1239 SHRPX_OPTID_FRONTEND_QUIC_INITIAL_RTT, 1240 SHRPX_OPTID_FRONTEND_QUIC_QLOG_DIR, 1241 SHRPX_OPTID_FRONTEND_QUIC_REQUIRE_TOKEN, 1242 SHRPX_OPTID_FRONTEND_QUIC_SECRET_FILE, 1243 SHRPX_OPTID_FRONTEND_READ_TIMEOUT, 1244 SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT, 1245 SHRPX_OPTID_HEADER_FIELD_BUFFER, 1246 SHRPX_OPTID_HOST_REWRITE, 1247 SHRPX_OPTID_HTTP2_ALTSVC, 1248 SHRPX_OPTID_HTTP2_BRIDGE, 1249 SHRPX_OPTID_HTTP2_MAX_CONCURRENT_STREAMS, 1250 SHRPX_OPTID_HTTP2_NO_COOKIE_CRUMBLING, 1251 SHRPX_OPTID_HTTP2_PROXY, 1252 SHRPX_OPTID_IGNORE_PER_PATTERN_MRUBY_ERROR, 1253 SHRPX_OPTID_INCLUDE, 1254 SHRPX_OPTID_INSECURE, 1255 SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT, 1256 SHRPX_OPTID_LOG_LEVEL, 1257 SHRPX_OPTID_MAX_HEADER_FIELDS, 1258 SHRPX_OPTID_MAX_REQUEST_HEADER_FIELDS, 1259 SHRPX_OPTID_MAX_RESPONSE_HEADER_FIELDS, 1260 SHRPX_OPTID_MAX_WORKER_PROCESSES, 1261 SHRPX_OPTID_MRUBY_FILE, 1262 SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO, 1263 SHRPX_OPTID_NO_HOST_REWRITE, 1264 SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST, 1265 SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST, 1266 SHRPX_OPTID_NO_KQUEUE, 1267 SHRPX_OPTID_NO_LOCATION_REWRITE, 1268 SHRPX_OPTID_NO_OCSP, 1269 SHRPX_OPTID_NO_QUIC_BPF, 1270 SHRPX_OPTID_NO_SERVER_PUSH, 1271 SHRPX_OPTID_NO_SERVER_REWRITE, 1272 SHRPX_OPTID_NO_STRIP_INCOMING_EARLY_DATA, 1273 SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO, 1274 SHRPX_OPTID_NO_VERIFY_OCSP, 1275 SHRPX_OPTID_NO_VIA, 1276 SHRPX_OPTID_NPN_LIST, 1277 SHRPX_OPTID_OCSP_STARTUP, 1278 SHRPX_OPTID_OCSP_UPDATE_INTERVAL, 1279 SHRPX_OPTID_PADDING, 1280 SHRPX_OPTID_PID_FILE, 1281 SHRPX_OPTID_PRIVATE_KEY_FILE, 1282 SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE, 1283 SHRPX_OPTID_PSK_SECRETS, 1284 SHRPX_OPTID_QUIC_BPF_PROGRAM_FILE, 1285 SHRPX_OPTID_QUIC_SERVER_ID, 1286 SHRPX_OPTID_READ_BURST, 1287 SHRPX_OPTID_READ_RATE, 1288 SHRPX_OPTID_REDIRECT_HTTPS_PORT, 1289 SHRPX_OPTID_REQUEST_HEADER_FIELD_BUFFER, 1290 SHRPX_OPTID_REQUIRE_HTTP_SCHEME, 1291 SHRPX_OPTID_RESPONSE_HEADER_FIELD_BUFFER, 1292 SHRPX_OPTID_RLIMIT_MEMLOCK, 1293 SHRPX_OPTID_RLIMIT_NOFILE, 1294 SHRPX_OPTID_SERVER_NAME, 1295 SHRPX_OPTID_SINGLE_PROCESS, 1296 SHRPX_OPTID_SINGLE_THREAD, 1297 SHRPX_OPTID_STREAM_READ_TIMEOUT, 1298 SHRPX_OPTID_STREAM_WRITE_TIMEOUT, 1299 SHRPX_OPTID_STRIP_INCOMING_FORWARDED, 1300 SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR, 1301 SHRPX_OPTID_SUBCERT, 1302 SHRPX_OPTID_SYSLOG_FACILITY, 1303 SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT, 1304 SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD, 1305 SHRPX_OPTID_TLS_KTLS, 1306 SHRPX_OPTID_TLS_MAX_EARLY_DATA, 1307 SHRPX_OPTID_TLS_MAX_PROTO_VERSION, 1308 SHRPX_OPTID_TLS_MIN_PROTO_VERSION, 1309 SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA, 1310 SHRPX_OPTID_TLS_PROTO_LIST, 1311 SHRPX_OPTID_TLS_SCT_DIR, 1312 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED, 1313 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY, 1314 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE, 1315 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE, 1316 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS, 1317 SHRPX_OPTID_TLS_TICKET_KEY_CIPHER, 1318 SHRPX_OPTID_TLS_TICKET_KEY_FILE, 1319 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED, 1320 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY, 1321 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE, 1322 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL, 1323 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL, 1324 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY, 1325 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE, 1326 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS, 1327 SHRPX_OPTID_TLS13_CIPHERS, 1328 SHRPX_OPTID_TLS13_CLIENT_CIPHERS, 1329 SHRPX_OPTID_USER, 1330 SHRPX_OPTID_VERIFY_CLIENT, 1331 SHRPX_OPTID_VERIFY_CLIENT_CACERT, 1332 SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED, 1333 SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS, 1334 SHRPX_OPTID_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD, 1335 SHRPX_OPTID_WORKER_READ_BURST, 1336 SHRPX_OPTID_WORKER_READ_RATE, 1337 SHRPX_OPTID_WORKER_WRITE_BURST, 1338 SHRPX_OPTID_WORKER_WRITE_RATE, 1339 SHRPX_OPTID_WORKERS, 1340 SHRPX_OPTID_WRITE_BURST, 1341 SHRPX_OPTID_WRITE_RATE, 1342 SHRPX_OPTID_MAXIDX, 1343 }; 1344 1345 // Looks up token for given option name |name|. 1346 int option_lookup_token(const StringRef &name); 1347 1348 // Parses option name |opt| and value |optarg|. The results are 1349 // stored into the object pointed by |config|. This function returns 0 1350 // if it succeeds, or -1. The |included_set| contains the all paths 1351 // already included while processing this configuration, to avoid loop 1352 // in --include option. The |pattern_addr_indexer| contains a pair of 1353 // pattern of backend, and its index in DownstreamConfig::addr_groups. 1354 // It is introduced to speed up loading configuration file with lots 1355 // of backends. 1356 int parse_config(Config *config, const StringRef &opt, const StringRef &optarg, 1357 std::set<StringRef> &included_set, 1358 std::map<StringRef, size_t> &pattern_addr_indexer); 1359 1360 // Similar to parse_config() above, but additional |optid| which 1361 // should be the return value of option_lookup_token(opt). 1362 int parse_config(Config *config, int optid, const StringRef &opt, 1363 const StringRef &optarg, std::set<StringRef> &included_set, 1364 std::map<StringRef, size_t> &pattern_addr_indexer); 1365 1366 // Loads configurations from |filename| and stores them in |config|. 1367 // This function returns 0 if it succeeds, or -1. See parse_config() 1368 // for |include_set|. 1369 int load_config(Config *config, const char *filename, 1370 std::set<StringRef> &include_set, 1371 std::map<StringRef, size_t> &pattern_addr_indexer); 1372 1373 // Parses header field in |optarg|. We expect header field is formed 1374 // like "NAME: VALUE". We require that NAME is non empty string. ":" 1375 // is allowed at the start of the NAME, but NAME == ":" is not 1376 // allowed. This function returns pair of NAME and VALUE. 1377 HeaderRefs::value_type parse_header(BlockAllocator &balloc, 1378 const StringRef &optarg); 1379 1380 std::vector<LogFragment> parse_log_format(BlockAllocator &balloc, 1381 const StringRef &optarg); 1382 1383 // Returns string for syslog |facility|. 1384 StringRef str_syslog_facility(int facility); 1385 1386 // Returns integer value of syslog |facility| string. 1387 int int_syslog_facility(const StringRef &strfacility); 1388 1389 FILE *open_file_for_write(const char *filename); 1390 1391 // Reads TLS ticket key file in |files| and returns TicketKey which 1392 // stores read key data. The given |cipher| and |hmac| determine the 1393 // expected file size. This function returns TicketKey if it 1394 // succeeds, or nullptr. 1395 std::unique_ptr<TicketKeys> 1396 read_tls_ticket_key_file(const std::vector<StringRef> &files, 1397 const EVP_CIPHER *cipher, const EVP_MD *hmac); 1398 1399 #ifdef ENABLE_HTTP3 1400 std::shared_ptr<QUICKeyingMaterials> 1401 read_quic_secret_file(const StringRef &path); 1402 #endif // ENABLE_HTTP3 1403 1404 // Returns string representation of |proto|. 1405 StringRef strproto(Proto proto); 1406 1407 int configure_downstream_group(Config *config, bool http2_proxy, 1408 bool numeric_addr_only, 1409 const TLSConfig &tlsconf); 1410 1411 int resolve_hostname(Address *addr, const char *hostname, uint16_t port, 1412 int family, int additional_flags = 0); 1413 1414 } // namespace shrpx 1415 1416 #endif // SHRPX_CONFIG_H 1417