projects / platform / upstream / nghttp2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Apply PIE to nghttpx
[platform/upstream/nghttp2.git] / src / shrpx_config.h
1 /*
2  * nghttp2 - HTTP/2 C Library
3  *
4  * Copyright (c) 2012 Tatsuhiro Tsujikawa
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining
7  * a copy of this software and associated documentation files (the
8  * "Software"), to deal in the Software without restriction, including
9  * without limitation the rights to use, copy, modify, merge, publish,
10  * distribute, sublicense, and/or sell copies of the Software, and to
11  * permit persons to whom the Software is furnished to do so, subject to
12  * the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be
15  * included in all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21  * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22  * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23  * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24  */
25 #ifndef SHRPX_CONFIG_H
26 #define SHRPX_CONFIG_H
27
28 #include "shrpx.h"
29
30 #include <sys/types.h>
31 #ifdef HAVE_SYS_SOCKET_H
32 #  include <sys/socket.h>
33 #endif // HAVE_SYS_SOCKET_H
34 #include <sys/un.h>
35 #ifdef HAVE_NETINET_IN_H
36 #  include <netinet/in.h>
37 #endif // HAVE_NETINET_IN_H
38 #ifdef HAVE_ARPA_INET_H
39 #  include <arpa/inet.h>
40 #endif // HAVE_ARPA_INET_H
41 #include <cinttypes>
42 #include <cstdio>
43 #include <vector>
44 #include <memory>
45 #include <set>
46
47 #include <openssl/ssl.h>
48
49 #include <ev.h>
50
51 #include <nghttp2/nghttp2.h>
52
53 #include "shrpx_router.h"
54 #include "template.h"
55 #include "http2.h"
56 #include "network.h"
57 #include "allocator.h"
58
59 using namespace nghttp2;
60
61 namespace shrpx {
62
63 struct LogFragment;
64 class ConnectBlocker;
65 class Http2Session;
66
67 namespace tls {
68
69 class CertLookupTree;
70
71 } // namespace tls
72
73 constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE =
74     StringRef::from_lit("private-key-file");
75 constexpr auto SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE =
76     StringRef::from_lit("private-key-passwd-file");
77 constexpr auto SHRPX_OPT_CERTIFICATE_FILE =
78     StringRef::from_lit("certificate-file");
79 constexpr auto SHRPX_OPT_DH_PARAM_FILE = StringRef::from_lit("dh-param-file");
80 constexpr auto SHRPX_OPT_SUBCERT = StringRef::from_lit("subcert");
81 constexpr auto SHRPX_OPT_BACKEND = StringRef::from_lit("backend");
82 constexpr auto SHRPX_OPT_FRONTEND = StringRef::from_lit("frontend");
83 constexpr auto SHRPX_OPT_WORKERS = StringRef::from_lit("workers");
84 constexpr auto SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS =
85     StringRef::from_lit("http2-max-concurrent-streams");
86 constexpr auto SHRPX_OPT_LOG_LEVEL = StringRef::from_lit("log-level");
87 constexpr auto SHRPX_OPT_DAEMON = StringRef::from_lit("daemon");
88 constexpr auto SHRPX_OPT_HTTP2_PROXY = StringRef::from_lit("http2-proxy");
89 constexpr auto SHRPX_OPT_HTTP2_BRIDGE = StringRef::from_lit("http2-bridge");
90 constexpr auto SHRPX_OPT_CLIENT_PROXY = StringRef::from_lit("client-proxy");
91 constexpr auto SHRPX_OPT_ADD_X_FORWARDED_FOR =
92     StringRef::from_lit("add-x-forwarded-for");
93 constexpr auto SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR =
94     StringRef::from_lit("strip-incoming-x-forwarded-for");
95 constexpr auto SHRPX_OPT_NO_VIA = StringRef::from_lit("no-via");
96 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT =
97     StringRef::from_lit("frontend-http2-read-timeout");
98 constexpr auto SHRPX_OPT_FRONTEND_READ_TIMEOUT =
99     StringRef::from_lit("frontend-read-timeout");
100 constexpr auto SHRPX_OPT_FRONTEND_WRITE_TIMEOUT =
101     StringRef::from_lit("frontend-write-timeout");
102 constexpr auto SHRPX_OPT_BACKEND_READ_TIMEOUT =
103     StringRef::from_lit("backend-read-timeout");
104 constexpr auto SHRPX_OPT_BACKEND_WRITE_TIMEOUT =
105     StringRef::from_lit("backend-write-timeout");
106 constexpr auto SHRPX_OPT_STREAM_READ_TIMEOUT =
107     StringRef::from_lit("stream-read-timeout");
108 constexpr auto SHRPX_OPT_STREAM_WRITE_TIMEOUT =
109     StringRef::from_lit("stream-write-timeout");
110 constexpr auto SHRPX_OPT_ACCESSLOG_FILE = StringRef::from_lit("accesslog-file");
111 constexpr auto SHRPX_OPT_ACCESSLOG_SYSLOG =
112     StringRef::from_lit("accesslog-syslog");
113 constexpr auto SHRPX_OPT_ACCESSLOG_FORMAT =
114     StringRef::from_lit("accesslog-format");
115 constexpr auto SHRPX_OPT_ERRORLOG_FILE = StringRef::from_lit("errorlog-file");
116 constexpr auto SHRPX_OPT_ERRORLOG_SYSLOG =
117     StringRef::from_lit("errorlog-syslog");
118 constexpr auto SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT =
119     StringRef::from_lit("backend-keep-alive-timeout");
120 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS =
121     StringRef::from_lit("frontend-http2-window-bits");
122 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS =
123     StringRef::from_lit("backend-http2-window-bits");
124 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS =
125     StringRef::from_lit("frontend-http2-connection-window-bits");
126 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS =
127     StringRef::from_lit("backend-http2-connection-window-bits");
128 constexpr auto SHRPX_OPT_FRONTEND_NO_TLS =
129     StringRef::from_lit("frontend-no-tls");
130 constexpr auto SHRPX_OPT_BACKEND_NO_TLS = StringRef::from_lit("backend-no-tls");
131 constexpr auto SHRPX_OPT_BACKEND_TLS_SNI_FIELD =
132     StringRef::from_lit("backend-tls-sni-field");
133 constexpr auto SHRPX_OPT_PID_FILE = StringRef::from_lit("pid-file");
134 constexpr auto SHRPX_OPT_USER = StringRef::from_lit("user");
135 constexpr auto SHRPX_OPT_SYSLOG_FACILITY =
136     StringRef::from_lit("syslog-facility");
137 constexpr auto SHRPX_OPT_BACKLOG = StringRef::from_lit("backlog");
138 constexpr auto SHRPX_OPT_CIPHERS = StringRef::from_lit("ciphers");
139 constexpr auto SHRPX_OPT_CLIENT = StringRef::from_lit("client");
140 constexpr auto SHRPX_OPT_INSECURE = StringRef::from_lit("insecure");
141 constexpr auto SHRPX_OPT_CACERT = StringRef::from_lit("cacert");
142 constexpr auto SHRPX_OPT_BACKEND_IPV4 = StringRef::from_lit("backend-ipv4");
143 constexpr auto SHRPX_OPT_BACKEND_IPV6 = StringRef::from_lit("backend-ipv6");
144 constexpr auto SHRPX_OPT_BACKEND_HTTP_PROXY_URI =
145     StringRef::from_lit("backend-http-proxy-uri");
146 constexpr auto SHRPX_OPT_READ_RATE = StringRef::from_lit("read-rate");
147 constexpr auto SHRPX_OPT_READ_BURST = StringRef::from_lit("read-burst");
148 constexpr auto SHRPX_OPT_WRITE_RATE = StringRef::from_lit("write-rate");
149 constexpr auto SHRPX_OPT_WRITE_BURST = StringRef::from_lit("write-burst");
150 constexpr auto SHRPX_OPT_WORKER_READ_RATE =
151     StringRef::from_lit("worker-read-rate");
152 constexpr auto SHRPX_OPT_WORKER_READ_BURST =
153     StringRef::from_lit("worker-read-burst");
154 constexpr auto SHRPX_OPT_WORKER_WRITE_RATE =
155     StringRef::from_lit("worker-write-rate");
156 constexpr auto SHRPX_OPT_WORKER_WRITE_BURST =
157     StringRef::from_lit("worker-write-burst");
158 constexpr auto SHRPX_OPT_NPN_LIST = StringRef::from_lit("npn-list");
159 constexpr auto SHRPX_OPT_TLS_PROTO_LIST = StringRef::from_lit("tls-proto-list");
160 constexpr auto SHRPX_OPT_VERIFY_CLIENT = StringRef::from_lit("verify-client");
161 constexpr auto SHRPX_OPT_VERIFY_CLIENT_CACERT =
162     StringRef::from_lit("verify-client-cacert");
163 constexpr auto SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE =
164     StringRef::from_lit("client-private-key-file");
165 constexpr auto SHRPX_OPT_CLIENT_CERT_FILE =
166     StringRef::from_lit("client-cert-file");
167 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER =
168     StringRef::from_lit("frontend-http2-dump-request-header");
169 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER =
170     StringRef::from_lit("frontend-http2-dump-response-header");
171 constexpr auto SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING =
172     StringRef::from_lit("http2-no-cookie-crumbling");
173 constexpr auto SHRPX_OPT_FRONTEND_FRAME_DEBUG =
174     StringRef::from_lit("frontend-frame-debug");
175 constexpr auto SHRPX_OPT_PADDING = StringRef::from_lit("padding");
176 constexpr auto SHRPX_OPT_ALTSVC = StringRef::from_lit("altsvc");
177 constexpr auto SHRPX_OPT_ADD_REQUEST_HEADER =
178     StringRef::from_lit("add-request-header");
179 constexpr auto SHRPX_OPT_ADD_RESPONSE_HEADER =
180     StringRef::from_lit("add-response-header");
181 constexpr auto SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS =
182     StringRef::from_lit("worker-frontend-connections");
183 constexpr auto SHRPX_OPT_NO_LOCATION_REWRITE =
184     StringRef::from_lit("no-location-rewrite");
185 constexpr auto SHRPX_OPT_NO_HOST_REWRITE =
186     StringRef::from_lit("no-host-rewrite");
187 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST =
188     StringRef::from_lit("backend-http1-connections-per-host");
189 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND =
190     StringRef::from_lit("backend-http1-connections-per-frontend");
191 constexpr auto SHRPX_OPT_LISTENER_DISABLE_TIMEOUT =
192     StringRef::from_lit("listener-disable-timeout");
193 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_FILE =
194     StringRef::from_lit("tls-ticket-key-file");
195 constexpr auto SHRPX_OPT_RLIMIT_NOFILE = StringRef::from_lit("rlimit-nofile");
196 constexpr auto SHRPX_OPT_BACKEND_REQUEST_BUFFER =
197     StringRef::from_lit("backend-request-buffer");
198 constexpr auto SHRPX_OPT_BACKEND_RESPONSE_BUFFER =
199     StringRef::from_lit("backend-response-buffer");
200 constexpr auto SHRPX_OPT_NO_SERVER_PUSH = StringRef::from_lit("no-server-push");
201 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER =
202     StringRef::from_lit("backend-http2-connections-per-worker");
203 constexpr auto SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE =
204     StringRef::from_lit("fetch-ocsp-response-file");
205 constexpr auto SHRPX_OPT_OCSP_UPDATE_INTERVAL =
206     StringRef::from_lit("ocsp-update-interval");
207 constexpr auto SHRPX_OPT_NO_OCSP = StringRef::from_lit("no-ocsp");
208 constexpr auto SHRPX_OPT_HEADER_FIELD_BUFFER =
209     StringRef::from_lit("header-field-buffer");
210 constexpr auto SHRPX_OPT_MAX_HEADER_FIELDS =
211     StringRef::from_lit("max-header-fields");
212 constexpr auto SHRPX_OPT_INCLUDE = StringRef::from_lit("include");
213 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_CIPHER =
214     StringRef::from_lit("tls-ticket-key-cipher");
215 constexpr auto SHRPX_OPT_HOST_REWRITE = StringRef::from_lit("host-rewrite");
216 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED =
217     StringRef::from_lit("tls-session-cache-memcached");
218 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED =
219     StringRef::from_lit("tls-ticket-key-memcached");
220 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_INTERVAL =
221     StringRef::from_lit("tls-ticket-key-memcached-interval");
222 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY =
223     StringRef::from_lit("tls-ticket-key-memcached-max-retry");
224 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL =
225     StringRef::from_lit("tls-ticket-key-memcached-max-fail");
226 constexpr auto SHRPX_OPT_MRUBY_FILE = StringRef::from_lit("mruby-file");
227 constexpr auto SHRPX_OPT_ACCEPT_PROXY_PROTOCOL =
228     StringRef::from_lit("accept-proxy-protocol");
229 constexpr auto SHRPX_OPT_FASTOPEN = StringRef::from_lit("fastopen");
230 constexpr auto SHRPX_OPT_TLS_DYN_REC_WARMUP_THRESHOLD =
231     StringRef::from_lit("tls-dyn-rec-warmup-threshold");
232 constexpr auto SHRPX_OPT_TLS_DYN_REC_IDLE_TIMEOUT =
233     StringRef::from_lit("tls-dyn-rec-idle-timeout");
234 constexpr auto SHRPX_OPT_ADD_FORWARDED = StringRef::from_lit("add-forwarded");
235 constexpr auto SHRPX_OPT_STRIP_INCOMING_FORWARDED =
236     StringRef::from_lit("strip-incoming-forwarded");
237 constexpr auto SHRPX_OPT_FORWARDED_BY = StringRef::from_lit("forwarded-by");
238 constexpr auto SHRPX_OPT_FORWARDED_FOR = StringRef::from_lit("forwarded-for");
239 constexpr auto SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER =
240     StringRef::from_lit("request-header-field-buffer");
241 constexpr auto SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS =
242     StringRef::from_lit("max-request-header-fields");
243 constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER =
244     StringRef::from_lit("response-header-field-buffer");
245 constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS =
246     StringRef::from_lit("max-response-header-fields");
247 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST =
248     StringRef::from_lit("no-http2-cipher-black-list");
249 constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS =
250     StringRef::from_lit("backend-http1-tls");
251 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_TLS =
252     StringRef::from_lit("tls-session-cache-memcached-tls");
253 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE =
254     StringRef::from_lit("tls-session-cache-memcached-cert-file");
255 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE =
256     StringRef::from_lit("tls-session-cache-memcached-private-key-file");
257 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY =
258     StringRef::from_lit("tls-session-cache-memcached-address-family");
259 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_TLS =
260     StringRef::from_lit("tls-ticket-key-memcached-tls");
261 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_CERT_FILE =
262     StringRef::from_lit("tls-ticket-key-memcached-cert-file");
263 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE =
264     StringRef::from_lit("tls-ticket-key-memcached-private-key-file");
265 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY =
266     StringRef::from_lit("tls-ticket-key-memcached-address-family");
267 constexpr auto SHRPX_OPT_BACKEND_ADDRESS_FAMILY =
268     StringRef::from_lit("backend-address-family");
269 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS =
270     StringRef::from_lit("frontend-http2-max-concurrent-streams");
271 constexpr auto SHRPX_OPT_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS =
272     StringRef::from_lit("backend-http2-max-concurrent-streams");
273 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_FRONTEND =
274     StringRef::from_lit("backend-connections-per-frontend");
275 constexpr auto SHRPX_OPT_BACKEND_TLS = StringRef::from_lit("backend-tls");
276 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_HOST =
277     StringRef::from_lit("backend-connections-per-host");
278 constexpr auto SHRPX_OPT_ERROR_PAGE = StringRef::from_lit("error-page");
279 constexpr auto SHRPX_OPT_NO_KQUEUE = StringRef::from_lit("no-kqueue");
280 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_SETTINGS_TIMEOUT =
281     StringRef::from_lit("frontend-http2-settings-timeout");
282 constexpr auto SHRPX_OPT_BACKEND_HTTP2_SETTINGS_TIMEOUT =
283     StringRef::from_lit("backend-http2-settings-timeout");
284 constexpr auto SHRPX_OPT_API_MAX_REQUEST_BODY =
285     StringRef::from_lit("api-max-request-body");
286 constexpr auto SHRPX_OPT_BACKEND_MAX_BACKOFF =
287     StringRef::from_lit("backend-max-backoff");
288 constexpr auto SHRPX_OPT_SERVER_NAME = StringRef::from_lit("server-name");
289 constexpr auto SHRPX_OPT_NO_SERVER_REWRITE =
290     StringRef::from_lit("no-server-rewrite");
291 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE =
292     StringRef::from_lit("frontend-http2-optimize-write-buffer-size");
293 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE =
294     StringRef::from_lit("frontend-http2-optimize-window-size");
295 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_SIZE =
296     StringRef::from_lit("frontend-http2-window-size");
297 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE =
298     StringRef::from_lit("frontend-http2-connection-window-size");
299 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_SIZE =
300     StringRef::from_lit("backend-http2-window-size");
301 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE =
302     StringRef::from_lit("backend-http2-connection-window-size");
303 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE =
304     StringRef::from_lit("frontend-http2-encoder-dynamic-table-size");
305 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE =
306     StringRef::from_lit("frontend-http2-decoder-dynamic-table-size");
307 constexpr auto SHRPX_OPT_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE =
308     StringRef::from_lit("backend-http2-encoder-dynamic-table-size");
309 constexpr auto SHRPX_OPT_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE =
310     StringRef::from_lit("backend-http2-decoder-dynamic-table-size");
311 constexpr auto SHRPX_OPT_ECDH_CURVES = StringRef::from_lit("ecdh-curves");
312 constexpr auto SHRPX_OPT_TLS_SCT_DIR = StringRef::from_lit("tls-sct-dir");
313 constexpr auto SHRPX_OPT_BACKEND_CONNECT_TIMEOUT =
314     StringRef::from_lit("backend-connect-timeout");
315 constexpr auto SHRPX_OPT_DNS_CACHE_TIMEOUT =
316     StringRef::from_lit("dns-cache-timeout");
317 constexpr auto SHRPX_OPT_DNS_LOOKUP_TIMEOUT =
318     StringRef::from_lit("dns-lookup-timeout");
319 constexpr auto SHRPX_OPT_DNS_MAX_TRY = StringRef::from_lit("dns-max-try");
320 constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT =
321     StringRef::from_lit("frontend-keep-alive-timeout");
322 constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets");
323 constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
324     StringRef::from_lit("client-psk-secrets");
325 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
326     StringRef::from_lit("client-no-http2-cipher-black-list");
327 constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
328 constexpr auto SHRPX_OPT_ACCESSLOG_WRITE_EARLY =
329     StringRef::from_lit("accesslog-write-early");
330 constexpr auto SHRPX_OPT_TLS_MIN_PROTO_VERSION =
331     StringRef::from_lit("tls-min-proto-version");
332 constexpr auto SHRPX_OPT_TLS_MAX_PROTO_VERSION =
333     StringRef::from_lit("tls-max-proto-version");
334 constexpr auto SHRPX_OPT_REDIRECT_HTTPS_PORT =
335     StringRef::from_lit("redirect-https-port");
336 constexpr auto SHRPX_OPT_FRONTEND_MAX_REQUESTS =
337     StringRef::from_lit("frontend-max-requests");
338 constexpr auto SHRPX_OPT_SINGLE_THREAD = StringRef::from_lit("single-thread");
339 constexpr auto SHRPX_OPT_SINGLE_PROCESS = StringRef::from_lit("single-process");
340 constexpr auto SHRPX_OPT_NO_ADD_X_FORWARDED_PROTO =
341     StringRef::from_lit("no-add-x-forwarded-proto");
342 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO =
343     StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
344 constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
345 constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
346 constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
347     StringRef::from_lit("verify-client-tolerate-expired");
348 constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR =
349     StringRef::from_lit("ignore-per-pattern-mruby-error");
350 constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
351     StringRef::from_lit("tls-no-postpone-early-data");
352 constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
353     StringRef::from_lit("tls-max-early-data");
354 constexpr auto SHRPX_OPT_TLS13_CIPHERS = StringRef::from_lit("tls13-ciphers");
355 constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS =
356     StringRef::from_lit("tls13-client-ciphers");
357 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA =
358     StringRef::from_lit("no-strip-incoming-early-data");
359
360 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
361
362 constexpr char DEFAULT_DOWNSTREAM_HOST[] = "127.0.0.1";
363 constexpr int16_t DEFAULT_DOWNSTREAM_PORT = 80;
364
365 enum class Proto {
366   NONE,
367   HTTP1,
368   HTTP2,
369   MEMCACHED,
370 };
371
372 enum class SessionAffinity {
373   // No session affinity
374   NONE,
375   // Client IP affinity
376   IP,
377   // Cookie based affinity
378   COOKIE,
379 };
380
381 enum class SessionAffinityCookieSecure {
382   // Secure attribute of session affinity cookie is determined by the
383   // request scheme.
384   AUTO,
385   // Secure attribute of session affinity cookie is always set.
386   YES,
387   // Secure attribute of session affinity cookie is always unset.
388   NO,
389 };
390
391 struct AffinityConfig {
392   // Type of session affinity.
393   SessionAffinity type;
394   struct {
395     // Name of a cookie to use.
396     StringRef name;
397     // Path which a cookie is applied to.
398     StringRef path;
399     // Secure attribute
400     SessionAffinityCookieSecure secure;
401   } cookie;
402 };
403
404 enum shrpx_forwarded_param {
405   FORWARDED_NONE = 0,
406   FORWARDED_BY = 0x1,
407   FORWARDED_FOR = 0x2,
408   FORWARDED_HOST = 0x4,
409   FORWARDED_PROTO = 0x8,
410 };
411
412 enum class ForwardedNode {
413   OBFUSCATED,
414   IP,
415 };
416
417 struct AltSvc {
418   StringRef protocol_id, host, origin, service;
419
420   uint16_t port;
421 };
422
423 enum class UpstreamAltMode {
424   // No alternative mode
425   NONE,
426   // API processing mode
427   API,
428   // Health monitor mode
429   HEALTHMON,
430 };
431
432 struct UpstreamAddr {
433   // The frontend address (e.g., FQDN, hostname, IP address).  If
434   // |host_unix| is true, this is UNIX domain socket path.  This must
435   // be NULL terminated string.
436   StringRef host;
437   // For TCP socket, this is <IP address>:<PORT>.  For IPv6 address,
438   // address is surrounded by square brackets.  If socket is UNIX
439   // domain socket, this is "localhost".
440   StringRef hostport;
441   // frontend port.  0 if |host_unix| is true.
442   uint16_t port;
443   // For TCP socket, this is either AF_INET or AF_INET6.  For UNIX
444   // domain socket, this is 0.
445   int family;
446   // Alternate mode
447   UpstreamAltMode alt_mode;
448   // true if |host| contains UNIX domain socket path.
449   bool host_unix;
450   // true if TLS is enabled.
451   bool tls;
452   // true if SNI host should be used as a host when selecting backend
453   // server.
454   bool sni_fwd;
455   // true if client is supposed to send PROXY protocol v1 header.
456   bool accept_proxy_protocol;
457   int fd;
458 };
459
460 struct DownstreamAddrConfig {
461   // Resolved address if |dns| is false
462   Address addr;
463   // backend address.  If |host_unix| is true, this is UNIX domain
464   // socket path.  This must be NULL terminated string.
465   StringRef host;
466   // <HOST>:<PORT>.  This does not treat 80 and 443 specially.  If
467   // |host_unix| is true, this is "localhost".
468   StringRef hostport;
469   // hostname sent as SNI field
470   StringRef sni;
471   // name of group which this address belongs to.
472   StringRef group;
473   size_t fall;
474   size_t rise;
475   // weight of this address inside a weight group.  Its range is [1,
476   // 256], inclusive.
477   uint32_t weight;
478   // weight of the weight group.  Its range is [1, 256], inclusive.
479   uint32_t group_weight;
480   // Application protocol used in this group
481   Proto proto;
482   // backend port.  0 if |host_unix| is true.
483   uint16_t port;
484   // true if |host| contains UNIX domain socket path.
485   bool host_unix;
486   bool tls;
487   // true if dynamic DNS is enabled
488   bool dns;
489   // true if :scheme pseudo header field should be upgraded to secure
490   // variant (e.g., "https") when forwarding request to a backend
491   // connected by TLS connection.
492   bool upgrade_scheme;
493 };
494
495 // Mapping hash to idx which is an index into
496 // DownstreamAddrGroupConfig::addrs.
497 struct AffinityHash {
498   AffinityHash(size_t idx, uint32_t hash) : idx(idx), hash(hash) {}
499
500   size_t idx;
501   uint32_t hash;
502 };
503
504 struct DownstreamAddrGroupConfig {
505   DownstreamAddrGroupConfig(const StringRef &pattern)
506       : pattern(pattern),
507         affinity{SessionAffinity::NONE},
508         redirect_if_not_tls(false),
509         timeout{} {}
510
511   StringRef pattern;
512   StringRef mruby_file;
513   std::vector<DownstreamAddrConfig> addrs;
514   // Bunch of session affinity hash.  Only used if affinity ==
515   // SessionAffinity::IP.
516   std::vector<AffinityHash> affinity_hash;
517   // Cookie based session affinity configuration.
518   AffinityConfig affinity;
519   // true if this group requires that client connection must be TLS,
520   // and the request must be redirected to https URI.
521   bool redirect_if_not_tls;
522   // Timeouts for backend connection.
523   struct {
524     ev_tstamp read;
525     ev_tstamp write;
526   } timeout;
527 };
528
529 struct TicketKey {
530   const EVP_CIPHER *cipher;
531   const EVP_MD *hmac;
532   size_t hmac_keylen;
533   struct {
534     // name of this ticket configuration
535     std::array<uint8_t, 16> name;
536     // encryption key for |cipher|
537     std::array<uint8_t, 32> enc_key;
538     // hmac key for |hmac|
539     std::array<uint8_t, 32> hmac_key;
540   } data;
541 };
542
543 struct TicketKeys {
544   ~TicketKeys();
545   std::vector<TicketKey> keys;
546 };
547
548 struct TLSCertificate {
549   TLSCertificate(StringRef private_key_file, StringRef cert_file,
550                  std::vector<uint8_t> sct_data)
551       : private_key_file(std::move(private_key_file)),
552         cert_file(std::move(cert_file)),
553         sct_data(std::move(sct_data)) {}
554
555   StringRef private_key_file;
556   StringRef cert_file;
557   std::vector<uint8_t> sct_data;
558 };
559
560 struct HttpProxy {
561   Address addr;
562   // host in http proxy URI
563   StringRef host;
564   // userinfo in http proxy URI, not percent-encoded form
565   StringRef userinfo;
566   // port in http proxy URI
567   uint16_t port;
568 };
569
570 struct TLSConfig {
571   // RFC 5077 Session ticket related configurations
572   struct {
573     struct {
574       Address addr;
575       uint16_t port;
576       // Hostname of memcached server.  This is also used as SNI field
577       // if TLS is enabled.
578       StringRef host;
579       // Client private key and certificate for authentication
580       StringRef private_key_file;
581       StringRef cert_file;
582       ev_tstamp interval;
583       // Maximum number of retries when getting TLS ticket key from
584       // mamcached, due to network error.
585       size_t max_retry;
586       // Maximum number of consecutive error from memcached, when this
587       // limit reached, TLS ticket is disabled.
588       size_t max_fail;
589       // Address family of memcached connection.  One of either
590       // AF_INET, AF_INET6 or AF_UNSPEC.
591       int family;
592       bool tls;
593     } memcached;
594     std::vector<StringRef> files;
595     const EVP_CIPHER *cipher;
596     // true if --tls-ticket-key-cipher is used
597     bool cipher_given;
598   } ticket;
599
600   // Session cache related configurations
601   struct {
602     struct {
603       Address addr;
604       uint16_t port;
605       // Hostname of memcached server.  This is also used as SNI field
606       // if TLS is enabled.
607       StringRef host;
608       // Client private key and certificate for authentication
609       StringRef private_key_file;
610       StringRef cert_file;
611       // Address family of memcached connection.  One of either
612       // AF_INET, AF_INET6 or AF_UNSPEC.
613       int family;
614       bool tls;
615     } memcached;
616   } session_cache;
617
618   // Dynamic record sizing configurations
619   struct {
620     size_t warmup_threshold;
621     ev_tstamp idle_timeout;
622   } dyn_rec;
623
624   // OCSP realted configurations
625   struct {
626     ev_tstamp update_interval;
627     StringRef fetch_ocsp_response_file;
628     bool disabled;
629     bool startup;
630     bool no_verify;
631   } ocsp;
632
633   // Client verification configurations
634   struct {
635     // Path to file containing CA certificate solely used for client
636     // certificate validation
637     StringRef cacert;
638     bool enabled;
639     // true if we accept an expired client certificate.
640     bool tolerate_expired;
641   } client_verify;
642
643   // Client (backend connection) TLS configuration.
644   struct {
645     // Client PSK configuration
646     struct {
647       // identity must be NULL terminated string.
648       StringRef identity;
649       StringRef secret;
650     } psk;
651     StringRef private_key_file;
652     StringRef cert_file;
653     StringRef ciphers;
654     StringRef tls13_ciphers;
655     bool no_http2_cipher_black_list;
656   } client;
657
658   // PSK secrets.  The key is identity, and the associated value is
659   // its secret.
660   std::map<StringRef, StringRef> psk_secrets;
661   // The list of additional TLS certificate pair
662   std::vector<TLSCertificate> subcerts;
663   std::vector<unsigned char> alpn_prefs;
664   // list of supported NPN/ALPN protocol strings in the order of
665   // preference.
666   std::vector<StringRef> npn_list;
667   // list of supported SSL/TLS protocol strings.
668   std::vector<StringRef> tls_proto_list;
669   std::vector<uint8_t> sct_data;
670   BIO_METHOD *bio_method;
671   // Bit mask to disable SSL/TLS protocol versions.  This will be
672   // passed to SSL_CTX_set_options().
673   long int tls_proto_mask;
674   StringRef backend_sni_name;
675   std::chrono::seconds session_timeout;
676   StringRef private_key_file;
677   StringRef private_key_passwd;
678   StringRef cert_file;
679   StringRef dh_param_file;
680   StringRef ciphers;
681   StringRef tls13_ciphers;
682   StringRef ecdh_curves;
683   StringRef cacert;
684   // The maximum amount of 0-RTT data that server accepts.
685   uint32_t max_early_data;
686   // The minimum and maximum TLS version.  These values are defined in
687   // OpenSSL header file.
688   int min_proto_version;
689   int max_proto_version;
690   bool insecure;
691   bool no_http2_cipher_black_list;
692   // true if forwarding requests included in TLS early data should not
693   // be postponed until TLS handshake finishes.
694   bool no_postpone_early_data;
695 };
696
697 // custom error page
698 struct ErrorPage {
699   // not NULL-terminated
700   std::vector<uint8_t> content;
701   // 0 is special value, and it matches all HTTP status code.
702   unsigned int http_status;
703 };
704
705 struct HttpConfig {
706   struct {
707     // obfuscated value used in "by" parameter of Forwarded header
708     // field.  This is only used when user defined static obfuscated
709     // string is provided.
710     StringRef by_obfuscated;
711     // bitwise-OR of one or more of shrpx_forwarded_param values.
712     uint32_t params;
713     // type of value recorded in "by" parameter of Forwarded header
714     // field.
715     ForwardedNode by_node_type;
716     // type of value recorded in "for" parameter of Forwarded header
717     // field.
718     ForwardedNode for_node_type;
719     bool strip_incoming;
720   } forwarded;
721   struct {
722     bool add;
723     bool strip_incoming;
724   } xff;
725   struct {
726     bool add;
727     bool strip_incoming;
728   } xfp;
729   struct {
730     bool strip_incoming;
731   } early_data;
732   std::vector<AltSvc> altsvcs;
733   std::vector<ErrorPage> error_pages;
734   HeaderRefs add_request_headers;
735   HeaderRefs add_response_headers;
736   StringRef server_name;
737   // Port number which appears in Location header field when https
738   // redirect is made.
739   StringRef redirect_https_port;
740   size_t request_header_field_buffer;
741   size_t max_request_header_fields;
742   size_t response_header_field_buffer;
743   size_t max_response_header_fields;
744   size_t max_requests;
745   bool no_via;
746   bool no_location_rewrite;
747   bool no_host_rewrite;
748   bool no_server_rewrite;
749 };
750
751 struct Http2Config {
752   struct {
753     struct {
754       struct {
755         StringRef request_header_file;
756         StringRef response_header_file;
757         FILE *request_header;
758         FILE *response_header;
759       } dump;
760       bool frame_debug;
761     } debug;
762     struct {
763       ev_tstamp settings;
764     } timeout;
765     nghttp2_option *option;
766     nghttp2_option *alt_mode_option;
767     nghttp2_session_callbacks *callbacks;
768     size_t max_concurrent_streams;
769     size_t encoder_dynamic_table_size;
770     size_t decoder_dynamic_table_size;
771     int32_t window_size;
772     int32_t connection_window_size;
773     bool optimize_write_buffer_size;
774     bool optimize_window_size;
775   } upstream;
776   struct {
777     struct {
778       ev_tstamp settings;
779     } timeout;
780     nghttp2_option *option;
781     nghttp2_session_callbacks *callbacks;
782     size_t encoder_dynamic_table_size;
783     size_t decoder_dynamic_table_size;
784     int32_t window_size;
785     int32_t connection_window_size;
786     size_t max_concurrent_streams;
787   } downstream;
788   struct {
789     ev_tstamp stream_read;
790     ev_tstamp stream_write;
791   } timeout;
792   bool no_cookie_crumbling;
793   bool no_server_push;
794 };
795
796 struct LoggingConfig {
797   struct {
798     std::vector<LogFragment> format;
799     StringRef file;
800     // Send accesslog to syslog, ignoring accesslog_file.
801     bool syslog;
802     // Write accesslog when response headers are received from
803     // backend, rather than response body is received and sent.
804     bool write_early;
805   } access;
806   struct {
807     StringRef file;
808     // Send errorlog to syslog, ignoring errorlog_file.
809     bool syslog;
810   } error;
811   int syslog_facility;
812   int severity;
813 };
814
815 struct RateLimitConfig {
816   size_t rate;
817   size_t burst;
818 };
819
820 // Wildcard host pattern routing.  We strips left most '*' from host
821 // field.  router includes all path patterns sharing the same wildcard
822 // host.
823 struct WildcardPattern {
824   WildcardPattern(const StringRef &host) : host(host) {}
825
826   // This might not be NULL terminated.  Currently it is only used for
827   // comparison.
828   StringRef host;
829   Router router;
830 };
831
832 // Configuration to select backend to forward request
833 struct RouterConfig {
834   Router router;
835   // Router for reversed wildcard hosts.  Since this router has
836   // wildcard hosts reversed without '*', one should call match()
837   // function with reversed host stripping last character.  This is
838   // because we require at least one character must match for '*'.
839   // The index stored in this router is index of wildcard_patterns.
840   Router rev_wildcard_router;
841   std::vector<WildcardPattern> wildcard_patterns;
842 };
843
844 struct DownstreamConfig {
845   DownstreamConfig()
846       : balloc(1024, 1024),
847         timeout{},
848         addr_group_catch_all{0},
849         connections_per_host{0},
850         connections_per_frontend{0},
851         request_buffer_size{0},
852         response_buffer_size{0},
853         family{0} {}
854
855   DownstreamConfig(const DownstreamConfig &) = delete;
856   DownstreamConfig(DownstreamConfig &&) = delete;
857   DownstreamConfig &operator=(const DownstreamConfig &) = delete;
858   DownstreamConfig &operator=(DownstreamConfig &&) = delete;
859
860   // Allocator to allocate memory for Downstream configuration.  Since
861   // we may swap around DownstreamConfig in arbitrary times with API
862   // calls, we should use their own allocator instead of per Config
863   // allocator.
864   BlockAllocator balloc;
865   struct {
866     ev_tstamp read;
867     ev_tstamp write;
868     ev_tstamp idle_read;
869     ev_tstamp connect;
870     // The maximum backoff while checking health check for offline
871     // backend or while detaching failed backend from load balancing
872     // group temporarily.
873     ev_tstamp max_backoff;
874   } timeout;
875   RouterConfig router;
876   std::vector<DownstreamAddrGroupConfig> addr_groups;
877   // The index of catch-all group in downstream_addr_groups.
878   size_t addr_group_catch_all;
879   size_t connections_per_host;
880   size_t connections_per_frontend;
881   size_t request_buffer_size;
882   size_t response_buffer_size;
883   // Address family of backend connection.  One of either AF_INET,
884   // AF_INET6 or AF_UNSPEC.  This is ignored if backend connection
885   // is made via Unix domain socket.
886   int family;
887 };
888
889 struct ConnectionConfig {
890   struct {
891     struct {
892       ev_tstamp sleep;
893     } timeout;
894     // address of frontend acceptors
895     std::vector<UpstreamAddr> addrs;
896     int backlog;
897     // TCP fastopen.  If this is positive, it is passed to
898     // setsockopt() along with TCP_FASTOPEN.
899     int fastopen;
900   } listener;
901
902   struct {
903     struct {
904       ev_tstamp http2_read;
905       ev_tstamp read;
906       ev_tstamp write;
907       ev_tstamp idle_read;
908     } timeout;
909     struct {
910       RateLimitConfig read;
911       RateLimitConfig write;
912     } ratelimit;
913     size_t worker_connections;
914     // Deprecated.  See UpstreamAddr.accept_proxy_protocol.
915     bool accept_proxy_protocol;
916   } upstream;
917
918   std::shared_ptr<DownstreamConfig> downstream;
919 };
920
921 struct APIConfig {
922   // Maximum request body size for one API request
923   size_t max_request_body;
924   // true if at least one of UpstreamAddr has api enabled
925   bool enabled;
926 };
927
928 struct DNSConfig {
929   struct {
930     ev_tstamp cache;
931     ev_tstamp lookup;
932   } timeout;
933   // The number of tries name resolver makes before abandoning
934   // request.
935   size_t max_try;
936 };
937
938 struct Config {
939   Config()
940       : balloc(4096, 4096),
941         downstream_http_proxy{},
942         http{},
943         http2{},
944         tls{},
945         logging{},
946         conn{},
947         api{},
948         dns{},
949         config_revision{0},
950         num_worker{0},
951         padding{0},
952         rlimit_nofile{0},
953         uid{0},
954         gid{0},
955         pid{0},
956         verbose{false},
957         daemon{false},
958         http2_proxy{false},
959         single_process{false},
960         single_thread{false},
961         ignore_per_pattern_mruby_error{false},
962         ev_loop_flags{0} {}
963   ~Config();
964
965   Config(Config &&) = delete;
966   Config(const Config &&) = delete;
967   Config &operator=(Config &&) = delete;
968   Config &operator=(const Config &&) = delete;
969
970   // Allocator to allocate memory for this object except for
971   // DownstreamConfig.  Currently, it is used to allocate memory for
972   // strings.
973   BlockAllocator balloc;
974   HttpProxy downstream_http_proxy;
975   HttpConfig http;
976   Http2Config http2;
977   TLSConfig tls;
978   LoggingConfig logging;
979   ConnectionConfig conn;
980   APIConfig api;
981   DNSConfig dns;
982   StringRef pid_file;
983   StringRef conf_path;
984   StringRef user;
985   StringRef mruby_file;
986   // The revision of configuration which is opaque string, and changes
987   // on each configuration reloading.  This does not change on
988   // backendconfig API call.  This value is returned in health check
989   // as "nghttpx-conf-rev" response header field.  The external
990   // program can check this value to know whether reloading has
991   // completed or not.
992   uint64_t config_revision;
993   size_t num_worker;
994   size_t padding;
995   size_t rlimit_nofile;
996   uid_t uid;
997   gid_t gid;
998   pid_t pid;
999   bool verbose;
1000   bool daemon;
1001   bool http2_proxy;
1002   // Run nghttpx in single process mode.  With this mode, signal
1003   // handling is omitted.
1004   bool single_process;
1005   bool single_thread;
1006   // Ignore mruby compile error for per-pattern mruby script.
1007   bool ignore_per_pattern_mruby_error;
1008   // flags passed to ev_default_loop() and ev_loop_new()
1009   int ev_loop_flags;
1010 };
1011
1012 const Config *get_config();
1013 Config *mod_config();
1014 // Replaces the current config with given |new_config|.  The old config is
1015 // returned.
1016 std::unique_ptr<Config> replace_config(std::unique_ptr<Config> new_config);
1017 void create_config();
1018
1019 // generated by gennghttpxfun.py
1020 enum {
1021   SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL,
1022   SHRPX_OPTID_ACCESSLOG_FILE,
1023   SHRPX_OPTID_ACCESSLOG_FORMAT,
1024   SHRPX_OPTID_ACCESSLOG_SYSLOG,
1025   SHRPX_OPTID_ACCESSLOG_WRITE_EARLY,
1026   SHRPX_OPTID_ADD_FORWARDED,
1027   SHRPX_OPTID_ADD_REQUEST_HEADER,
1028   SHRPX_OPTID_ADD_RESPONSE_HEADER,
1029   SHRPX_OPTID_ADD_X_FORWARDED_FOR,
1030   SHRPX_OPTID_ALTSVC,
1031   SHRPX_OPTID_API_MAX_REQUEST_BODY,
1032   SHRPX_OPTID_BACKEND,
1033   SHRPX_OPTID_BACKEND_ADDRESS_FAMILY,
1034   SHRPX_OPTID_BACKEND_CONNECT_TIMEOUT,
1035   SHRPX_OPTID_BACKEND_CONNECTIONS_PER_FRONTEND,
1036   SHRPX_OPTID_BACKEND_CONNECTIONS_PER_HOST,
1037   SHRPX_OPTID_BACKEND_HTTP_PROXY_URI,
1038   SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND,
1039   SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_HOST,
1040   SHRPX_OPTID_BACKEND_HTTP1_TLS,
1041   SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_BITS,
1042   SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE,
1043   SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER,
1044   SHRPX_OPTID_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE,
1045   SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE,
1046   SHRPX_OPTID_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS,
1047   SHRPX_OPTID_BACKEND_HTTP2_SETTINGS_TIMEOUT,
1048   SHRPX_OPTID_BACKEND_HTTP2_WINDOW_BITS,
1049   SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE,
1050   SHRPX_OPTID_BACKEND_IPV4,
1051   SHRPX_OPTID_BACKEND_IPV6,
1052   SHRPX_OPTID_BACKEND_KEEP_ALIVE_TIMEOUT,
1053   SHRPX_OPTID_BACKEND_MAX_BACKOFF,
1054   SHRPX_OPTID_BACKEND_NO_TLS,
1055   SHRPX_OPTID_BACKEND_READ_TIMEOUT,
1056   SHRPX_OPTID_BACKEND_REQUEST_BUFFER,
1057   SHRPX_OPTID_BACKEND_RESPONSE_BUFFER,
1058   SHRPX_OPTID_BACKEND_TLS,
1059   SHRPX_OPTID_BACKEND_TLS_SNI_FIELD,
1060   SHRPX_OPTID_BACKEND_WRITE_TIMEOUT,
1061   SHRPX_OPTID_BACKLOG,
1062   SHRPX_OPTID_CACERT,
1063   SHRPX_OPTID_CERTIFICATE_FILE,
1064   SHRPX_OPTID_CIPHERS,
1065   SHRPX_OPTID_CLIENT,
1066   SHRPX_OPTID_CLIENT_CERT_FILE,
1067   SHRPX_OPTID_CLIENT_CIPHERS,
1068   SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
1069   SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
1070   SHRPX_OPTID_CLIENT_PROXY,
1071   SHRPX_OPTID_CLIENT_PSK_SECRETS,
1072   SHRPX_OPTID_CONF,
1073   SHRPX_OPTID_DAEMON,
1074   SHRPX_OPTID_DH_PARAM_FILE,
1075   SHRPX_OPTID_DNS_CACHE_TIMEOUT,
1076   SHRPX_OPTID_DNS_LOOKUP_TIMEOUT,
1077   SHRPX_OPTID_DNS_MAX_TRY,
1078   SHRPX_OPTID_ECDH_CURVES,
1079   SHRPX_OPTID_ERROR_PAGE,
1080   SHRPX_OPTID_ERRORLOG_FILE,
1081   SHRPX_OPTID_ERRORLOG_SYSLOG,
1082   SHRPX_OPTID_FASTOPEN,
1083   SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE,
1084   SHRPX_OPTID_FORWARDED_BY,
1085   SHRPX_OPTID_FORWARDED_FOR,
1086   SHRPX_OPTID_FRONTEND,
1087   SHRPX_OPTID_FRONTEND_FRAME_DEBUG,
1088   SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS,
1089   SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE,
1090   SHRPX_OPTID_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE,
1091   SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER,
1092   SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER,
1093   SHRPX_OPTID_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE,
1094   SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS,
1095   SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE,
1096   SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE,
1097   SHRPX_OPTID_FRONTEND_HTTP2_READ_TIMEOUT,
1098   SHRPX_OPTID_FRONTEND_HTTP2_SETTINGS_TIMEOUT,
1099   SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_BITS,
1100   SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE,
1101   SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT,
1102   SHRPX_OPTID_FRONTEND_MAX_REQUESTS,
1103   SHRPX_OPTID_FRONTEND_NO_TLS,
1104   SHRPX_OPTID_FRONTEND_READ_TIMEOUT,
1105   SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT,
1106   SHRPX_OPTID_HEADER_FIELD_BUFFER,
1107   SHRPX_OPTID_HOST_REWRITE,
1108   SHRPX_OPTID_HTTP2_BRIDGE,
1109   SHRPX_OPTID_HTTP2_MAX_CONCURRENT_STREAMS,
1110   SHRPX_OPTID_HTTP2_NO_COOKIE_CRUMBLING,
1111   SHRPX_OPTID_HTTP2_PROXY,
1112   SHRPX_OPTID_IGNORE_PER_PATTERN_MRUBY_ERROR,
1113   SHRPX_OPTID_INCLUDE,
1114   SHRPX_OPTID_INSECURE,
1115   SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT,
1116   SHRPX_OPTID_LOG_LEVEL,
1117   SHRPX_OPTID_MAX_HEADER_FIELDS,
1118   SHRPX_OPTID_MAX_REQUEST_HEADER_FIELDS,
1119   SHRPX_OPTID_MAX_RESPONSE_HEADER_FIELDS,
1120   SHRPX_OPTID_MRUBY_FILE,
1121   SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO,
1122   SHRPX_OPTID_NO_HOST_REWRITE,
1123   SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST,
1124   SHRPX_OPTID_NO_KQUEUE,
1125   SHRPX_OPTID_NO_LOCATION_REWRITE,
1126   SHRPX_OPTID_NO_OCSP,
1127   SHRPX_OPTID_NO_SERVER_PUSH,
1128   SHRPX_OPTID_NO_SERVER_REWRITE,
1129   SHRPX_OPTID_NO_STRIP_INCOMING_EARLY_DATA,
1130   SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO,
1131   SHRPX_OPTID_NO_VERIFY_OCSP,
1132   SHRPX_OPTID_NO_VIA,
1133   SHRPX_OPTID_NPN_LIST,
1134   SHRPX_OPTID_OCSP_STARTUP,
1135   SHRPX_OPTID_OCSP_UPDATE_INTERVAL,
1136   SHRPX_OPTID_PADDING,
1137   SHRPX_OPTID_PID_FILE,
1138   SHRPX_OPTID_PRIVATE_KEY_FILE,
1139   SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE,
1140   SHRPX_OPTID_PSK_SECRETS,
1141   SHRPX_OPTID_READ_BURST,
1142   SHRPX_OPTID_READ_RATE,
1143   SHRPX_OPTID_REDIRECT_HTTPS_PORT,
1144   SHRPX_OPTID_REQUEST_HEADER_FIELD_BUFFER,
1145   SHRPX_OPTID_RESPONSE_HEADER_FIELD_BUFFER,
1146   SHRPX_OPTID_RLIMIT_NOFILE,
1147   SHRPX_OPTID_SERVER_NAME,
1148   SHRPX_OPTID_SINGLE_PROCESS,
1149   SHRPX_OPTID_SINGLE_THREAD,
1150   SHRPX_OPTID_STREAM_READ_TIMEOUT,
1151   SHRPX_OPTID_STREAM_WRITE_TIMEOUT,
1152   SHRPX_OPTID_STRIP_INCOMING_FORWARDED,
1153   SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR,
1154   SHRPX_OPTID_SUBCERT,
1155   SHRPX_OPTID_SYSLOG_FACILITY,
1156   SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT,
1157   SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD,
1158   SHRPX_OPTID_TLS_MAX_EARLY_DATA,
1159   SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
1160   SHRPX_OPTID_TLS_MIN_PROTO_VERSION,
1161   SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA,
1162   SHRPX_OPTID_TLS_PROTO_LIST,
1163   SHRPX_OPTID_TLS_SCT_DIR,
1164   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
1165   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY,
1166   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE,
1167   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE,
1168   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS,
1169   SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
1170   SHRPX_OPTID_TLS_TICKET_KEY_FILE,
1171   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
1172   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY,
1173   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE,
1174   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
1175   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL,
1176   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY,
1177   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE,
1178   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS,
1179   SHRPX_OPTID_TLS13_CIPHERS,
1180   SHRPX_OPTID_TLS13_CLIENT_CIPHERS,
1181   SHRPX_OPTID_USER,
1182   SHRPX_OPTID_VERIFY_CLIENT,
1183   SHRPX_OPTID_VERIFY_CLIENT_CACERT,
1184   SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED,
1185   SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS,
1186   SHRPX_OPTID_WORKER_READ_BURST,
1187   SHRPX_OPTID_WORKER_READ_RATE,
1188   SHRPX_OPTID_WORKER_WRITE_BURST,
1189   SHRPX_OPTID_WORKER_WRITE_RATE,
1190   SHRPX_OPTID_WORKERS,
1191   SHRPX_OPTID_WRITE_BURST,
1192   SHRPX_OPTID_WRITE_RATE,
1193   SHRPX_OPTID_MAXIDX,
1194 };
1195
1196 // Looks up token for given option name |name| of length |namelen|.
1197 int option_lookup_token(const char *name, size_t namelen);
1198
1199 // Parses option name |opt| and value |optarg|.  The results are
1200 // stored into the object pointed by |config|. This function returns 0
1201 // if it succeeds, or -1.  The |included_set| contains the all paths
1202 // already included while processing this configuration, to avoid loop
1203 // in --include option.  The |pattern_addr_indexer| contains a pair of
1204 // pattern of backend, and its index in DownstreamConfig::addr_groups.
1205 // It is introduced to speed up loading configuration file with lots
1206 // of backends.
1207 int parse_config(Config *config, const StringRef &opt, const StringRef &optarg,
1208                  std::set<StringRef> &included_set,
1209                  std::map<StringRef, size_t> &pattern_addr_indexer);
1210
1211 // Similar to parse_config() above, but additional |optid| which
1212 // should be the return value of option_lookup_token(opt).
1213 int parse_config(Config *config, int optid, const StringRef &opt,
1214                  const StringRef &optarg, std::set<StringRef> &included_set,
1215                  std::map<StringRef, size_t> &pattern_addr_indexer);
1216
1217 // Loads configurations from |filename| and stores them in |config|.
1218 // This function returns 0 if it succeeds, or -1.  See parse_config()
1219 // for |include_set|.
1220 int load_config(Config *config, const char *filename,
1221                 std::set<StringRef> &include_set,
1222                 std::map<StringRef, size_t> &pattern_addr_indexer);
1223
1224 // Parses header field in |optarg|.  We expect header field is formed
1225 // like "NAME: VALUE".  We require that NAME is non empty string.  ":"
1226 // is allowed at the start of the NAME, but NAME == ":" is not
1227 // allowed.  This function returns pair of NAME and VALUE.
1228 HeaderRefs::value_type parse_header(BlockAllocator &balloc,
1229                                     const StringRef &optarg);
1230
1231 std::vector<LogFragment> parse_log_format(BlockAllocator &balloc,
1232                                           const StringRef &optarg);
1233
1234 // Returns string for syslog |facility|.
1235 StringRef str_syslog_facility(int facility);
1236
1237 // Returns integer value of syslog |facility| string.
1238 int int_syslog_facility(const StringRef &strfacility);
1239
1240 FILE *open_file_for_write(const char *filename);
1241
1242 // Reads TLS ticket key file in |files| and returns TicketKey which
1243 // stores read key data.  The given |cipher| and |hmac| determine the
1244 // expected file size.  This function returns TicketKey if it
1245 // succeeds, or nullptr.
1246 std::unique_ptr<TicketKeys>
1247 read_tls_ticket_key_file(const std::vector<StringRef> &files,
1248                          const EVP_CIPHER *cipher, const EVP_MD *hmac);
1249
1250 // Returns string representation of |proto|.
1251 StringRef strproto(Proto proto);
1252
1253 int configure_downstream_group(Config *config, bool http2_proxy,
1254                                bool numeric_addr_only,
1255                                const TLSConfig &tlsconf);
1256
1257 int resolve_hostname(Address *addr, const char *hostname, uint16_t port,
1258                      int family, int additional_flags = 0);
1259
1260 } // namespace shrpx
1261
1262 #endif // SHRPX_CONFIG_H
Domain: Network & Connectivity / Data Network;