2 * nghttp2 - HTTP/2 C Library
4 * Copyright (c) 2012 Tatsuhiro Tsujikawa
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
25 #ifndef SHRPX_CONFIG_H
26 #define SHRPX_CONFIG_H
30 #include <sys/types.h>
31 #ifdef HAVE_SYS_SOCKET_H
32 #include <sys/socket.h>
33 #endif // HAVE_SYS_SOCKET_H
35 #ifdef HAVE_NETINET_IN_H
36 #include <netinet/in.h>
37 #endif // HAVE_NETINET_IN_H
38 #ifdef HAVE_ARPA_INET_H
39 #include <arpa/inet.h>
40 #endif // HAVE_ARPA_INET_H
46 #include <openssl/ssl.h>
50 #include <nghttp2/nghttp2.h>
62 #define SHRPX_UNIX_PATH_PREFIX "unix:"
64 extern const char SHRPX_OPT_PRIVATE_KEY_FILE[];
65 extern const char SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE[];
66 extern const char SHRPX_OPT_CERTIFICATE_FILE[];
67 extern const char SHRPX_OPT_DH_PARAM_FILE[];
68 extern const char SHRPX_OPT_SUBCERT[];
69 extern const char SHRPX_OPT_BACKEND[];
70 extern const char SHRPX_OPT_FRONTEND[];
71 extern const char SHRPX_OPT_WORKERS[];
72 extern const char SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS[];
73 extern const char SHRPX_OPT_LOG_LEVEL[];
74 extern const char SHRPX_OPT_DAEMON[];
75 extern const char SHRPX_OPT_HTTP2_PROXY[];
76 extern const char SHRPX_OPT_HTTP2_BRIDGE[];
77 extern const char SHRPX_OPT_CLIENT_PROXY[];
78 extern const char SHRPX_OPT_ADD_X_FORWARDED_FOR[];
79 extern const char SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR[];
80 extern const char SHRPX_OPT_NO_VIA[];
81 extern const char SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT[];
82 extern const char SHRPX_OPT_FRONTEND_READ_TIMEOUT[];
83 extern const char SHRPX_OPT_FRONTEND_WRITE_TIMEOUT[];
84 extern const char SHRPX_OPT_BACKEND_READ_TIMEOUT[];
85 extern const char SHRPX_OPT_BACKEND_WRITE_TIMEOUT[];
86 extern const char SHRPX_OPT_STREAM_READ_TIMEOUT[];
87 extern const char SHRPX_OPT_STREAM_WRITE_TIMEOUT[];
88 extern const char SHRPX_OPT_ACCESSLOG_FILE[];
89 extern const char SHRPX_OPT_ACCESSLOG_SYSLOG[];
90 extern const char SHRPX_OPT_ACCESSLOG_FORMAT[];
91 extern const char SHRPX_OPT_ERRORLOG_FILE[];
92 extern const char SHRPX_OPT_ERRORLOG_SYSLOG[];
93 extern const char SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT[];
94 extern const char SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS[];
95 extern const char SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS[];
96 extern const char SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS[];
97 extern const char SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS[];
98 extern const char SHRPX_OPT_FRONTEND_NO_TLS[];
99 extern const char SHRPX_OPT_BACKEND_NO_TLS[];
100 extern const char SHRPX_OPT_PID_FILE[];
101 extern const char SHRPX_OPT_USER[];
102 extern const char SHRPX_OPT_SYSLOG_FACILITY[];
103 extern const char SHRPX_OPT_BACKLOG[];
104 extern const char SHRPX_OPT_CIPHERS[];
105 extern const char SHRPX_OPT_CLIENT[];
106 extern const char SHRPX_OPT_INSECURE[];
107 extern const char SHRPX_OPT_CACERT[];
108 extern const char SHRPX_OPT_BACKEND_IPV4[];
109 extern const char SHRPX_OPT_BACKEND_IPV6[];
110 extern const char SHRPX_OPT_BACKEND_HTTP_PROXY_URI[];
111 extern const char SHRPX_OPT_BACKEND_TLS_SNI_FIELD[];
112 extern const char SHRPX_OPT_READ_RATE[];
113 extern const char SHRPX_OPT_READ_BURST[];
114 extern const char SHRPX_OPT_WRITE_RATE[];
115 extern const char SHRPX_OPT_WRITE_BURST[];
116 extern const char SHRPX_OPT_WORKER_READ_RATE[];
117 extern const char SHRPX_OPT_WORKER_READ_BURST[];
118 extern const char SHRPX_OPT_WORKER_WRITE_RATE[];
119 extern const char SHRPX_OPT_WORKER_WRITE_BURST[];
120 extern const char SHRPX_OPT_NPN_LIST[];
121 extern const char SHRPX_OPT_TLS_PROTO_LIST[];
122 extern const char SHRPX_OPT_VERIFY_CLIENT[];
123 extern const char SHRPX_OPT_VERIFY_CLIENT_CACERT[];
124 extern const char SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE[];
125 extern const char SHRPX_OPT_CLIENT_CERT_FILE[];
126 extern const char SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER[];
127 extern const char SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER[];
128 extern const char SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING[];
129 extern const char SHRPX_OPT_FRONTEND_FRAME_DEBUG[];
130 extern const char SHRPX_OPT_PADDING[];
131 extern const char SHRPX_OPT_ALTSVC[];
132 extern const char SHRPX_OPT_ADD_RESPONSE_HEADER[];
133 extern const char SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS[];
134 extern const char SHRPX_OPT_NO_LOCATION_REWRITE[];
135 extern const char SHRPX_OPT_NO_HOST_REWRITE[];
136 extern const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST[];
137 extern const char SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND[];
138 extern const char SHRPX_OPT_LISTENER_DISABLE_TIMEOUT[];
139 extern const char SHRPX_OPT_TLS_TICKET_KEY_FILE[];
140 extern const char SHRPX_OPT_RLIMIT_NOFILE[];
141 extern const char SHRPX_OPT_BACKEND_REQUEST_BUFFER[];
142 extern const char SHRPX_OPT_BACKEND_RESPONSE_BUFFER[];
143 extern const char SHRPX_OPT_NO_SERVER_PUSH[];
144 extern const char SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER[];
145 extern const char SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE[];
146 extern const char SHRPX_OPT_OCSP_UPDATE_INTERVAL[];
147 extern const char SHRPX_OPT_NO_OCSP[];
148 extern const char SHRPX_OPT_HEADER_FIELD_BUFFER[];
149 extern const char SHRPX_OPT_MAX_HEADER_FIELDS[];
151 union sockaddr_union {
152 sockaddr_storage storage;
159 enum shrpx_proto { PROTO_HTTP2, PROTO_HTTP };
163 : protocol_id(nullptr), host(nullptr), origin(nullptr),
164 protocol_id_len(0), host_len(0), origin_len(0), port(0) {}
170 size_t protocol_id_len;
177 struct DownstreamAddr {
178 DownstreamAddr() : addr{{0}}, addrlen(0), port(0), host_unix(false) {}
180 // backend address. If |host_unix| is true, this is UNIX domain
182 std::unique_ptr<char[]> host;
183 std::unique_ptr<char[]> hostport;
185 // backend port. 0 if |host_unix| is true.
187 // true if |host| contains UNIX domain socket path.
194 uint8_t hmac_key[16];
199 std::vector<TicketKey> keys;
203 // The list of (private key file, certificate file) pair
204 std::vector<std::pair<std::string, std::string>> subcerts;
205 std::vector<AltSvc> altsvcs;
206 std::vector<std::pair<std::string, std::string>> add_response_headers;
207 std::vector<unsigned char> alpn_prefs;
208 std::vector<LogFragment> accesslog_format;
209 std::vector<DownstreamAddr> downstream_addrs;
210 std::vector<std::string> tls_ticket_key_files;
211 // binary form of http proxy host and port
212 sockaddr_union downstream_http_proxy_addr;
213 ev_tstamp http2_upstream_read_timeout;
214 ev_tstamp upstream_read_timeout;
215 ev_tstamp upstream_write_timeout;
216 ev_tstamp downstream_read_timeout;
217 ev_tstamp downstream_write_timeout;
218 ev_tstamp stream_read_timeout;
219 ev_tstamp stream_write_timeout;
220 ev_tstamp downstream_idle_read_timeout;
221 ev_tstamp listener_disable_timeout;
222 ev_tstamp ocsp_update_interval;
223 // address of frontend connection. This could be a path to UNIX
224 // domain socket. In this case, |host_unix| must be true.
225 std::unique_ptr<char[]> host;
226 std::unique_ptr<char[]> private_key_file;
227 std::unique_ptr<char[]> private_key_passwd;
228 std::unique_ptr<char[]> cert_file;
229 std::unique_ptr<char[]> dh_param_file;
230 const char *server_name;
231 std::unique_ptr<char[]> backend_tls_sni_name;
232 std::unique_ptr<char[]> pid_file;
233 std::unique_ptr<char[]> conf_path;
234 std::unique_ptr<char[]> ciphers;
235 std::unique_ptr<char[]> cacert;
236 // userinfo in http proxy URI, not percent-encoded form
237 std::unique_ptr<char[]> downstream_http_proxy_userinfo;
238 // host in http proxy URI
239 std::unique_ptr<char[]> downstream_http_proxy_host;
240 std::unique_ptr<char[]> http2_upstream_dump_request_header_file;
241 std::unique_ptr<char[]> http2_upstream_dump_response_header_file;
242 // // Rate limit configuration per connection
243 // ev_token_bucket_cfg *rate_limit_cfg;
244 // // Rate limit configuration per worker (thread)
245 // ev_token_bucket_cfg *worker_rate_limit_cfg;
246 // list of supported NPN/ALPN protocol strings in the order of
247 // preference. The each element of this list is a NULL-terminated
249 std::vector<char *> npn_list;
250 // list of supported SSL/TLS protocol strings. The each element of
251 // this list is a NULL-terminated string.
252 std::vector<char *> tls_proto_list;
253 // Path to file containing CA certificate solely used for client
254 // certificate validation
255 std::unique_ptr<char[]> verify_client_cacert;
256 std::unique_ptr<char[]> client_private_key_file;
257 std::unique_ptr<char[]> client_cert_file;
258 std::unique_ptr<char[]> accesslog_file;
259 std::unique_ptr<char[]> errorlog_file;
260 std::unique_ptr<char[]> fetch_ocsp_response_file;
261 FILE *http2_upstream_dump_request_header;
262 FILE *http2_upstream_dump_response_header;
263 nghttp2_session_callbacks *http2_upstream_callbacks;
264 nghttp2_session_callbacks *http2_downstream_callbacks;
265 nghttp2_option *http2_option;
266 nghttp2_option *http2_client_option;
270 size_t http2_max_concurrent_streams;
271 size_t http2_upstream_window_bits;
272 size_t http2_downstream_window_bits;
273 size_t http2_upstream_connection_window_bits;
274 size_t http2_downstream_connection_window_bits;
275 size_t http2_downstream_connections_per_worker;
276 size_t downstream_connections_per_host;
277 size_t downstream_connections_per_frontend;
278 // actual size of downstream_http_proxy_addr
279 size_t downstream_http_proxy_addrlen;
284 size_t worker_read_rate;
285 size_t worker_read_burst;
286 size_t worker_write_rate;
287 size_t worker_write_burst;
289 size_t worker_frontend_connections;
290 size_t rlimit_nofile;
291 size_t downstream_request_buffer_size;
292 size_t downstream_response_buffer_size;
293 size_t header_field_buffer;
294 size_t max_header_fields;
295 // Bit mask to disable SSL/TLS protocol versions. This will be
296 // passed to SSL_CTX_set_options().
297 long int tls_proto_mask;
298 // downstream protocol; this will be determined by given options.
299 shrpx_proto downstream_proto;
303 std::unique_ptr<char[]> user;
307 // frontend listening port. 0 if frontend listens on UNIX domain
308 // socket, in this case |host_unix| must be true.
310 // port in http proxy URI
311 uint16_t downstream_http_proxy_port;
318 bool add_x_forwarded_for;
319 bool strip_incoming_x_forwarded_for;
321 bool upstream_no_tls;
322 bool downstream_no_tls;
323 // Send accesslog to syslog, ignoring accesslog_file.
324 bool accesslog_syslog;
325 // Send errorlog to syslog, ignoring errorlog_file.
326 bool errorlog_syslog;
328 // true if --client or --client-proxy are enabled.
333 bool http2_no_cookie_crumbling;
334 bool upstream_frame_debug;
335 bool no_location_rewrite;
336 bool no_host_rewrite;
338 // true if host contains UNIX domain socket path
343 const Config *get_config();
344 Config *mod_config();
345 void create_config();
347 // Parses option name |opt| and value |optarg|. The results are
348 // stored into statically allocated Config object. This function
349 // returns 0 if it succeeds, or -1.
350 int parse_config(const char *opt, const char *optarg);
352 // Loads configurations from |filename| and stores them in statically
353 // allocated Config object. This function returns 0 if it succeeds, or
355 int load_config(const char *filename);
357 // Read passwd from |filename|
358 std::string read_passwd_from_file(const char *filename);
360 // Parses comma delimited strings in |s| and returns the array of
361 // pointers, each element points to the each substring in |s|. The
362 // |s| must be comma delimited list of strings. The strings must be
363 // delimited by a single comma and any white spaces around it are
364 // treated as a part of protocol strings. This function may modify
365 // |s| and the caller must leave it as is after this call. This
366 // function copies |s| and first element in the return value points to
367 // it. It is caller's responsibility to deallocate its memory.
368 std::vector<char *> parse_config_str_list(const char *s);
370 // Clears all elements of |list|, which is returned by
371 // parse_config_str_list(). If list is not empty, list[0] is freed by
372 // free(2). After this call, list.empty() must be true.
373 void clear_config_str_list(std::vector<char *> &list);
375 // Parses header field in |optarg|. We expect header field is formed
376 // like "NAME: VALUE". We require that NAME is non empty string. ":"
377 // is allowed at the start of the NAME, but NAME == ":" is not
378 // allowed. This function returns pair of NAME and VALUE.
379 std::pair<std::string, std::string> parse_header(const char *optarg);
381 std::vector<LogFragment> parse_log_format(const char *optarg);
383 // Returns a copy of NULL-terminated string |val|.
384 std::unique_ptr<char[]> strcopy(const char *val);
386 // Returns a copy of string |val| of length |n|. The returned string
387 // will be NULL-terminated.
388 std::unique_ptr<char[]> strcopy(const char *val, size_t n);
390 // Returns a copy of val.c_str().
391 std::unique_ptr<char[]> strcopy(const std::string &val);
393 // Returns string for syslog |facility|.
394 const char *str_syslog_facility(int facility);
396 // Returns integer value of syslog |facility| string.
397 int int_syslog_facility(const char *strfacility);
399 FILE *open_file_for_write(const char *filename);
401 // Reads TLS ticket key file in |files| and returns TicketKey which
402 // stores read key data. This function returns TicketKey if it
403 // succeeds, or nullptr.
404 std::unique_ptr<TicketKeys>
405 read_tls_ticket_key_file(const std::vector<std::string> &files);
409 #endif // SHRPX_CONFIG_H