2 * nghttp2 - HTTP/2 C Library
4 * Copyright (c) 2012 Tatsuhiro Tsujikawa
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
25 #ifndef SHRPX_CONFIG_H
26 #define SHRPX_CONFIG_H
30 #include <sys/types.h>
31 #ifdef HAVE_SYS_SOCKET_H
32 # include <sys/socket.h>
33 #endif // HAVE_SYS_SOCKET_H
35 #ifdef HAVE_NETINET_IN_H
36 # include <netinet/in.h>
37 #endif // HAVE_NETINET_IN_H
38 #ifdef HAVE_ARPA_INET_H
39 # include <arpa/inet.h>
40 #endif // HAVE_ARPA_INET_H
47 #include <openssl/ssl.h>
51 #include <nghttp2/nghttp2.h>
53 #include "shrpx_router.h"
55 # include "shrpx_quic.h"
56 #endif // ENABLE_HTTP3
60 #include "allocator.h"
62 using namespace nghttp2;
76 constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE =
77 StringRef::from_lit("private-key-file");
78 constexpr auto SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE =
79 StringRef::from_lit("private-key-passwd-file");
80 constexpr auto SHRPX_OPT_CERTIFICATE_FILE =
81 StringRef::from_lit("certificate-file");
82 constexpr auto SHRPX_OPT_DH_PARAM_FILE = StringRef::from_lit("dh-param-file");
83 constexpr auto SHRPX_OPT_SUBCERT = StringRef::from_lit("subcert");
84 constexpr auto SHRPX_OPT_BACKEND = StringRef::from_lit("backend");
85 constexpr auto SHRPX_OPT_FRONTEND = StringRef::from_lit("frontend");
86 constexpr auto SHRPX_OPT_WORKERS = StringRef::from_lit("workers");
87 constexpr auto SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS =
88 StringRef::from_lit("http2-max-concurrent-streams");
89 constexpr auto SHRPX_OPT_LOG_LEVEL = StringRef::from_lit("log-level");
90 constexpr auto SHRPX_OPT_DAEMON = StringRef::from_lit("daemon");
91 constexpr auto SHRPX_OPT_HTTP2_PROXY = StringRef::from_lit("http2-proxy");
92 constexpr auto SHRPX_OPT_HTTP2_BRIDGE = StringRef::from_lit("http2-bridge");
93 constexpr auto SHRPX_OPT_CLIENT_PROXY = StringRef::from_lit("client-proxy");
94 constexpr auto SHRPX_OPT_ADD_X_FORWARDED_FOR =
95 StringRef::from_lit("add-x-forwarded-for");
96 constexpr auto SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR =
97 StringRef::from_lit("strip-incoming-x-forwarded-for");
98 constexpr auto SHRPX_OPT_NO_VIA = StringRef::from_lit("no-via");
99 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT =
100 StringRef::from_lit("frontend-http2-read-timeout");
101 constexpr auto SHRPX_OPT_FRONTEND_READ_TIMEOUT =
102 StringRef::from_lit("frontend-read-timeout");
103 constexpr auto SHRPX_OPT_FRONTEND_WRITE_TIMEOUT =
104 StringRef::from_lit("frontend-write-timeout");
105 constexpr auto SHRPX_OPT_BACKEND_READ_TIMEOUT =
106 StringRef::from_lit("backend-read-timeout");
107 constexpr auto SHRPX_OPT_BACKEND_WRITE_TIMEOUT =
108 StringRef::from_lit("backend-write-timeout");
109 constexpr auto SHRPX_OPT_STREAM_READ_TIMEOUT =
110 StringRef::from_lit("stream-read-timeout");
111 constexpr auto SHRPX_OPT_STREAM_WRITE_TIMEOUT =
112 StringRef::from_lit("stream-write-timeout");
113 constexpr auto SHRPX_OPT_ACCESSLOG_FILE = StringRef::from_lit("accesslog-file");
114 constexpr auto SHRPX_OPT_ACCESSLOG_SYSLOG =
115 StringRef::from_lit("accesslog-syslog");
116 constexpr auto SHRPX_OPT_ACCESSLOG_FORMAT =
117 StringRef::from_lit("accesslog-format");
118 constexpr auto SHRPX_OPT_ERRORLOG_FILE = StringRef::from_lit("errorlog-file");
119 constexpr auto SHRPX_OPT_ERRORLOG_SYSLOG =
120 StringRef::from_lit("errorlog-syslog");
121 constexpr auto SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT =
122 StringRef::from_lit("backend-keep-alive-timeout");
123 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS =
124 StringRef::from_lit("frontend-http2-window-bits");
125 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS =
126 StringRef::from_lit("backend-http2-window-bits");
127 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS =
128 StringRef::from_lit("frontend-http2-connection-window-bits");
129 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS =
130 StringRef::from_lit("backend-http2-connection-window-bits");
131 constexpr auto SHRPX_OPT_FRONTEND_NO_TLS =
132 StringRef::from_lit("frontend-no-tls");
133 constexpr auto SHRPX_OPT_BACKEND_NO_TLS = StringRef::from_lit("backend-no-tls");
134 constexpr auto SHRPX_OPT_BACKEND_TLS_SNI_FIELD =
135 StringRef::from_lit("backend-tls-sni-field");
136 constexpr auto SHRPX_OPT_PID_FILE = StringRef::from_lit("pid-file");
137 constexpr auto SHRPX_OPT_USER = StringRef::from_lit("user");
138 constexpr auto SHRPX_OPT_SYSLOG_FACILITY =
139 StringRef::from_lit("syslog-facility");
140 constexpr auto SHRPX_OPT_BACKLOG = StringRef::from_lit("backlog");
141 constexpr auto SHRPX_OPT_CIPHERS = StringRef::from_lit("ciphers");
142 constexpr auto SHRPX_OPT_CLIENT = StringRef::from_lit("client");
143 constexpr auto SHRPX_OPT_INSECURE = StringRef::from_lit("insecure");
144 constexpr auto SHRPX_OPT_CACERT = StringRef::from_lit("cacert");
145 constexpr auto SHRPX_OPT_BACKEND_IPV4 = StringRef::from_lit("backend-ipv4");
146 constexpr auto SHRPX_OPT_BACKEND_IPV6 = StringRef::from_lit("backend-ipv6");
147 constexpr auto SHRPX_OPT_BACKEND_HTTP_PROXY_URI =
148 StringRef::from_lit("backend-http-proxy-uri");
149 constexpr auto SHRPX_OPT_READ_RATE = StringRef::from_lit("read-rate");
150 constexpr auto SHRPX_OPT_READ_BURST = StringRef::from_lit("read-burst");
151 constexpr auto SHRPX_OPT_WRITE_RATE = StringRef::from_lit("write-rate");
152 constexpr auto SHRPX_OPT_WRITE_BURST = StringRef::from_lit("write-burst");
153 constexpr auto SHRPX_OPT_WORKER_READ_RATE =
154 StringRef::from_lit("worker-read-rate");
155 constexpr auto SHRPX_OPT_WORKER_READ_BURST =
156 StringRef::from_lit("worker-read-burst");
157 constexpr auto SHRPX_OPT_WORKER_WRITE_RATE =
158 StringRef::from_lit("worker-write-rate");
159 constexpr auto SHRPX_OPT_WORKER_WRITE_BURST =
160 StringRef::from_lit("worker-write-burst");
161 constexpr auto SHRPX_OPT_NPN_LIST = StringRef::from_lit("npn-list");
162 constexpr auto SHRPX_OPT_TLS_PROTO_LIST = StringRef::from_lit("tls-proto-list");
163 constexpr auto SHRPX_OPT_VERIFY_CLIENT = StringRef::from_lit("verify-client");
164 constexpr auto SHRPX_OPT_VERIFY_CLIENT_CACERT =
165 StringRef::from_lit("verify-client-cacert");
166 constexpr auto SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE =
167 StringRef::from_lit("client-private-key-file");
168 constexpr auto SHRPX_OPT_CLIENT_CERT_FILE =
169 StringRef::from_lit("client-cert-file");
170 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER =
171 StringRef::from_lit("frontend-http2-dump-request-header");
172 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER =
173 StringRef::from_lit("frontend-http2-dump-response-header");
174 constexpr auto SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING =
175 StringRef::from_lit("http2-no-cookie-crumbling");
176 constexpr auto SHRPX_OPT_FRONTEND_FRAME_DEBUG =
177 StringRef::from_lit("frontend-frame-debug");
178 constexpr auto SHRPX_OPT_PADDING = StringRef::from_lit("padding");
179 constexpr auto SHRPX_OPT_ALTSVC = StringRef::from_lit("altsvc");
180 constexpr auto SHRPX_OPT_ADD_REQUEST_HEADER =
181 StringRef::from_lit("add-request-header");
182 constexpr auto SHRPX_OPT_ADD_RESPONSE_HEADER =
183 StringRef::from_lit("add-response-header");
184 constexpr auto SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS =
185 StringRef::from_lit("worker-frontend-connections");
186 constexpr auto SHRPX_OPT_NO_LOCATION_REWRITE =
187 StringRef::from_lit("no-location-rewrite");
188 constexpr auto SHRPX_OPT_NO_HOST_REWRITE =
189 StringRef::from_lit("no-host-rewrite");
190 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST =
191 StringRef::from_lit("backend-http1-connections-per-host");
192 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND =
193 StringRef::from_lit("backend-http1-connections-per-frontend");
194 constexpr auto SHRPX_OPT_LISTENER_DISABLE_TIMEOUT =
195 StringRef::from_lit("listener-disable-timeout");
196 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_FILE =
197 StringRef::from_lit("tls-ticket-key-file");
198 constexpr auto SHRPX_OPT_RLIMIT_NOFILE = StringRef::from_lit("rlimit-nofile");
199 constexpr auto SHRPX_OPT_BACKEND_REQUEST_BUFFER =
200 StringRef::from_lit("backend-request-buffer");
201 constexpr auto SHRPX_OPT_BACKEND_RESPONSE_BUFFER =
202 StringRef::from_lit("backend-response-buffer");
203 constexpr auto SHRPX_OPT_NO_SERVER_PUSH = StringRef::from_lit("no-server-push");
204 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER =
205 StringRef::from_lit("backend-http2-connections-per-worker");
206 constexpr auto SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE =
207 StringRef::from_lit("fetch-ocsp-response-file");
208 constexpr auto SHRPX_OPT_OCSP_UPDATE_INTERVAL =
209 StringRef::from_lit("ocsp-update-interval");
210 constexpr auto SHRPX_OPT_NO_OCSP = StringRef::from_lit("no-ocsp");
211 constexpr auto SHRPX_OPT_HEADER_FIELD_BUFFER =
212 StringRef::from_lit("header-field-buffer");
213 constexpr auto SHRPX_OPT_MAX_HEADER_FIELDS =
214 StringRef::from_lit("max-header-fields");
215 constexpr auto SHRPX_OPT_INCLUDE = StringRef::from_lit("include");
216 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_CIPHER =
217 StringRef::from_lit("tls-ticket-key-cipher");
218 constexpr auto SHRPX_OPT_HOST_REWRITE = StringRef::from_lit("host-rewrite");
219 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED =
220 StringRef::from_lit("tls-session-cache-memcached");
221 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED =
222 StringRef::from_lit("tls-ticket-key-memcached");
223 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_INTERVAL =
224 StringRef::from_lit("tls-ticket-key-memcached-interval");
225 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY =
226 StringRef::from_lit("tls-ticket-key-memcached-max-retry");
227 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL =
228 StringRef::from_lit("tls-ticket-key-memcached-max-fail");
229 constexpr auto SHRPX_OPT_MRUBY_FILE = StringRef::from_lit("mruby-file");
230 constexpr auto SHRPX_OPT_ACCEPT_PROXY_PROTOCOL =
231 StringRef::from_lit("accept-proxy-protocol");
232 constexpr auto SHRPX_OPT_FASTOPEN = StringRef::from_lit("fastopen");
233 constexpr auto SHRPX_OPT_TLS_DYN_REC_WARMUP_THRESHOLD =
234 StringRef::from_lit("tls-dyn-rec-warmup-threshold");
235 constexpr auto SHRPX_OPT_TLS_DYN_REC_IDLE_TIMEOUT =
236 StringRef::from_lit("tls-dyn-rec-idle-timeout");
237 constexpr auto SHRPX_OPT_ADD_FORWARDED = StringRef::from_lit("add-forwarded");
238 constexpr auto SHRPX_OPT_STRIP_INCOMING_FORWARDED =
239 StringRef::from_lit("strip-incoming-forwarded");
240 constexpr auto SHRPX_OPT_FORWARDED_BY = StringRef::from_lit("forwarded-by");
241 constexpr auto SHRPX_OPT_FORWARDED_FOR = StringRef::from_lit("forwarded-for");
242 constexpr auto SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER =
243 StringRef::from_lit("request-header-field-buffer");
244 constexpr auto SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS =
245 StringRef::from_lit("max-request-header-fields");
246 constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER =
247 StringRef::from_lit("response-header-field-buffer");
248 constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS =
249 StringRef::from_lit("max-response-header-fields");
250 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST =
251 StringRef::from_lit("no-http2-cipher-block-list");
252 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST =
253 StringRef::from_lit("no-http2-cipher-black-list");
254 constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS =
255 StringRef::from_lit("backend-http1-tls");
256 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_TLS =
257 StringRef::from_lit("tls-session-cache-memcached-tls");
258 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE =
259 StringRef::from_lit("tls-session-cache-memcached-cert-file");
260 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE =
261 StringRef::from_lit("tls-session-cache-memcached-private-key-file");
262 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY =
263 StringRef::from_lit("tls-session-cache-memcached-address-family");
264 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_TLS =
265 StringRef::from_lit("tls-ticket-key-memcached-tls");
266 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_CERT_FILE =
267 StringRef::from_lit("tls-ticket-key-memcached-cert-file");
268 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE =
269 StringRef::from_lit("tls-ticket-key-memcached-private-key-file");
270 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY =
271 StringRef::from_lit("tls-ticket-key-memcached-address-family");
272 constexpr auto SHRPX_OPT_BACKEND_ADDRESS_FAMILY =
273 StringRef::from_lit("backend-address-family");
274 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS =
275 StringRef::from_lit("frontend-http2-max-concurrent-streams");
276 constexpr auto SHRPX_OPT_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS =
277 StringRef::from_lit("backend-http2-max-concurrent-streams");
278 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_FRONTEND =
279 StringRef::from_lit("backend-connections-per-frontend");
280 constexpr auto SHRPX_OPT_BACKEND_TLS = StringRef::from_lit("backend-tls");
281 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_HOST =
282 StringRef::from_lit("backend-connections-per-host");
283 constexpr auto SHRPX_OPT_ERROR_PAGE = StringRef::from_lit("error-page");
284 constexpr auto SHRPX_OPT_NO_KQUEUE = StringRef::from_lit("no-kqueue");
285 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_SETTINGS_TIMEOUT =
286 StringRef::from_lit("frontend-http2-settings-timeout");
287 constexpr auto SHRPX_OPT_BACKEND_HTTP2_SETTINGS_TIMEOUT =
288 StringRef::from_lit("backend-http2-settings-timeout");
289 constexpr auto SHRPX_OPT_API_MAX_REQUEST_BODY =
290 StringRef::from_lit("api-max-request-body");
291 constexpr auto SHRPX_OPT_BACKEND_MAX_BACKOFF =
292 StringRef::from_lit("backend-max-backoff");
293 constexpr auto SHRPX_OPT_SERVER_NAME = StringRef::from_lit("server-name");
294 constexpr auto SHRPX_OPT_NO_SERVER_REWRITE =
295 StringRef::from_lit("no-server-rewrite");
296 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE =
297 StringRef::from_lit("frontend-http2-optimize-write-buffer-size");
298 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE =
299 StringRef::from_lit("frontend-http2-optimize-window-size");
300 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_SIZE =
301 StringRef::from_lit("frontend-http2-window-size");
302 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE =
303 StringRef::from_lit("frontend-http2-connection-window-size");
304 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_SIZE =
305 StringRef::from_lit("backend-http2-window-size");
306 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE =
307 StringRef::from_lit("backend-http2-connection-window-size");
308 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE =
309 StringRef::from_lit("frontend-http2-encoder-dynamic-table-size");
310 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE =
311 StringRef::from_lit("frontend-http2-decoder-dynamic-table-size");
312 constexpr auto SHRPX_OPT_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE =
313 StringRef::from_lit("backend-http2-encoder-dynamic-table-size");
314 constexpr auto SHRPX_OPT_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE =
315 StringRef::from_lit("backend-http2-decoder-dynamic-table-size");
316 constexpr auto SHRPX_OPT_ECDH_CURVES = StringRef::from_lit("ecdh-curves");
317 constexpr auto SHRPX_OPT_TLS_SCT_DIR = StringRef::from_lit("tls-sct-dir");
318 constexpr auto SHRPX_OPT_BACKEND_CONNECT_TIMEOUT =
319 StringRef::from_lit("backend-connect-timeout");
320 constexpr auto SHRPX_OPT_DNS_CACHE_TIMEOUT =
321 StringRef::from_lit("dns-cache-timeout");
322 constexpr auto SHRPX_OPT_DNS_LOOKUP_TIMEOUT =
323 StringRef::from_lit("dns-lookup-timeout");
324 constexpr auto SHRPX_OPT_DNS_MAX_TRY = StringRef::from_lit("dns-max-try");
325 constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT =
326 StringRef::from_lit("frontend-keep-alive-timeout");
327 constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets");
328 constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
329 StringRef::from_lit("client-psk-secrets");
330 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST =
331 StringRef::from_lit("client-no-http2-cipher-block-list");
332 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
333 StringRef::from_lit("client-no-http2-cipher-black-list");
334 constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
335 constexpr auto SHRPX_OPT_ACCESSLOG_WRITE_EARLY =
336 StringRef::from_lit("accesslog-write-early");
337 constexpr auto SHRPX_OPT_TLS_MIN_PROTO_VERSION =
338 StringRef::from_lit("tls-min-proto-version");
339 constexpr auto SHRPX_OPT_TLS_MAX_PROTO_VERSION =
340 StringRef::from_lit("tls-max-proto-version");
341 constexpr auto SHRPX_OPT_REDIRECT_HTTPS_PORT =
342 StringRef::from_lit("redirect-https-port");
343 constexpr auto SHRPX_OPT_FRONTEND_MAX_REQUESTS =
344 StringRef::from_lit("frontend-max-requests");
345 constexpr auto SHRPX_OPT_SINGLE_THREAD = StringRef::from_lit("single-thread");
346 constexpr auto SHRPX_OPT_SINGLE_PROCESS = StringRef::from_lit("single-process");
347 constexpr auto SHRPX_OPT_NO_ADD_X_FORWARDED_PROTO =
348 StringRef::from_lit("no-add-x-forwarded-proto");
349 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO =
350 StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
351 constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
352 constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
353 constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
354 StringRef::from_lit("verify-client-tolerate-expired");
355 constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR =
356 StringRef::from_lit("ignore-per-pattern-mruby-error");
357 constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
358 StringRef::from_lit("tls-no-postpone-early-data");
359 constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
360 StringRef::from_lit("tls-max-early-data");
361 constexpr auto SHRPX_OPT_TLS13_CIPHERS = StringRef::from_lit("tls13-ciphers");
362 constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS =
363 StringRef::from_lit("tls13-client-ciphers");
364 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA =
365 StringRef::from_lit("no-strip-incoming-early-data");
366 constexpr auto SHRPX_OPT_QUIC_BPF_PROGRAM_FILE =
367 StringRef::from_lit("quic-bpf-program-file");
368 constexpr auto SHRPX_OPT_NO_QUIC_BPF = StringRef::from_lit("no-quic-bpf");
369 constexpr auto SHRPX_OPT_HTTP2_ALTSVC = StringRef::from_lit("http2-altsvc");
370 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_READ_TIMEOUT =
371 StringRef::from_lit("frontend-http3-read-timeout");
372 constexpr auto SHRPX_OPT_FRONTEND_QUIC_IDLE_TIMEOUT =
373 StringRef::from_lit("frontend-quic-idle-timeout");
374 constexpr auto SHRPX_OPT_FRONTEND_QUIC_DEBUG_LOG =
375 StringRef::from_lit("frontend-quic-debug-log");
376 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_WINDOW_SIZE =
377 StringRef::from_lit("frontend-http3-window-size");
378 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE =
379 StringRef::from_lit("frontend-http3-connection-window-size");
380 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_WINDOW_SIZE =
381 StringRef::from_lit("frontend-http3-max-window-size");
382 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE =
383 StringRef::from_lit("frontend-http3-max-connection-window-size");
384 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS =
385 StringRef::from_lit("frontend-http3-max-concurrent-streams");
386 constexpr auto SHRPX_OPT_FRONTEND_QUIC_EARLY_DATA =
387 StringRef::from_lit("frontend-quic-early-data");
388 constexpr auto SHRPX_OPT_FRONTEND_QUIC_QLOG_DIR =
389 StringRef::from_lit("frontend-quic-qlog-dir");
390 constexpr auto SHRPX_OPT_FRONTEND_QUIC_REQUIRE_TOKEN =
391 StringRef::from_lit("frontend-quic-require-token");
392 constexpr auto SHRPX_OPT_FRONTEND_QUIC_CONGESTION_CONTROLLER =
393 StringRef::from_lit("frontend-quic-congestion-controller");
394 constexpr auto SHRPX_OPT_QUIC_SERVER_ID = StringRef::from_lit("quic-server-id");
395 constexpr auto SHRPX_OPT_FRONTEND_QUIC_SECRET_FILE =
396 StringRef::from_lit("frontend-quic-secret-file");
397 constexpr auto SHRPX_OPT_RLIMIT_MEMLOCK = StringRef::from_lit("rlimit-memlock");
398 constexpr auto SHRPX_OPT_MAX_WORKER_PROCESSES =
399 StringRef::from_lit("max-worker-processes");
400 constexpr auto SHRPX_OPT_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD =
401 StringRef::from_lit("worker-process-grace-shutdown-period");
402 constexpr auto SHRPX_OPT_FRONTEND_QUIC_INITIAL_RTT =
403 StringRef::from_lit("frontend-quic-initial-rtt");
405 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
407 constexpr char DEFAULT_DOWNSTREAM_HOST[] = "127.0.0.1";
408 constexpr int16_t DEFAULT_DOWNSTREAM_PORT = 80;
418 enum class SessionAffinity {
419 // No session affinity
421 // Client IP affinity
423 // Cookie based affinity
427 enum class SessionAffinityCookieSecure {
428 // Secure attribute of session affinity cookie is determined by the
431 // Secure attribute of session affinity cookie is always set.
433 // Secure attribute of session affinity cookie is always unset.
437 struct AffinityConfig {
438 // Type of session affinity.
439 SessionAffinity type;
441 // Name of a cookie to use.
443 // Path which a cookie is applied to.
446 SessionAffinityCookieSecure secure;
450 enum shrpx_forwarded_param {
454 FORWARDED_HOST = 0x4,
455 FORWARDED_PROTO = 0x8,
458 enum class ForwardedNode {
464 StringRef protocol_id, host, origin, service, params;
469 enum class UpstreamAltMode {
470 // No alternative mode
472 // API processing mode
474 // Health monitor mode
478 struct UpstreamAddr {
479 // The unique index of this address.
481 // The frontend address (e.g., FQDN, hostname, IP address). If
482 // |host_unix| is true, this is UNIX domain socket path. This must
483 // be NULL terminated string.
485 // For TCP socket, this is <IP address>:<PORT>. For IPv6 address,
486 // address is surrounded by square brackets. If socket is UNIX
487 // domain socket, this is "localhost".
489 // frontend port. 0 if |host_unix| is true.
491 // For TCP socket, this is either AF_INET or AF_INET6. For UNIX
492 // domain socket, this is 0.
495 UpstreamAltMode alt_mode;
496 // true if |host| contains UNIX domain socket path.
498 // true if TLS is enabled.
500 // true if SNI host should be used as a host when selecting backend
503 // true if client is supposed to send PROXY protocol v1 header.
504 bool accept_proxy_protocol;
509 struct DownstreamAddrConfig {
510 // Resolved address if |dns| is false
512 // backend address. If |host_unix| is true, this is UNIX domain
513 // socket path. This must be NULL terminated string.
515 // <HOST>:<PORT>. This does not treat 80 and 443 specially. If
516 // |host_unix| is true, this is "localhost".
518 // hostname sent as SNI field
520 // name of group which this address belongs to.
524 // weight of this address inside a weight group. Its range is [1,
527 // weight of the weight group. Its range is [1, 256], inclusive.
528 uint32_t group_weight;
529 // Application protocol used in this group
531 // backend port. 0 if |host_unix| is true.
533 // true if |host| contains UNIX domain socket path.
536 // true if dynamic DNS is enabled
538 // true if :scheme pseudo header field should be upgraded to secure
539 // variant (e.g., "https") when forwarding request to a backend
540 // connected by TLS connection.
542 // true if a request should not be forwarded to a backend.
546 // Mapping hash to idx which is an index into
547 // DownstreamAddrGroupConfig::addrs.
548 struct AffinityHash {
549 AffinityHash(size_t idx, uint32_t hash) : idx(idx), hash(hash) {}
555 struct DownstreamAddrGroupConfig {
556 DownstreamAddrGroupConfig(const StringRef &pattern)
558 affinity{SessionAffinity::NONE},
559 redirect_if_not_tls(false),
564 StringRef mruby_file;
565 std::vector<DownstreamAddrConfig> addrs;
566 // Bunch of session affinity hash. Only used if affinity ==
567 // SessionAffinity::IP.
568 std::vector<AffinityHash> affinity_hash;
569 // Cookie based session affinity configuration.
570 AffinityConfig affinity;
571 // true if this group requires that client connection must be TLS,
572 // and the request must be redirected to https URI.
573 bool redirect_if_not_tls;
574 // true if a request should not be forwarded to a backend.
576 // Timeouts for backend connection.
584 const EVP_CIPHER *cipher;
588 // name of this ticket configuration
589 std::array<uint8_t, 16> name;
590 // encryption key for |cipher|
591 std::array<uint8_t, 32> enc_key;
592 // hmac key for |hmac|
593 std::array<uint8_t, 32> hmac_key;
599 std::vector<TicketKey> keys;
602 struct TLSCertificate {
603 TLSCertificate(StringRef private_key_file, StringRef cert_file,
604 std::vector<uint8_t> sct_data)
605 : private_key_file(std::move(private_key_file)),
606 cert_file(std::move(cert_file)),
607 sct_data(std::move(sct_data)) {}
609 StringRef private_key_file;
611 std::vector<uint8_t> sct_data;
615 struct QUICKeyingMaterial {
616 std::array<uint8_t, SHRPX_QUIC_SECRET_RESERVEDLEN> reserved;
617 std::array<uint8_t, SHRPX_QUIC_SECRETLEN> secret;
618 std::array<uint8_t, SHRPX_QUIC_SALTLEN> salt;
619 std::array<uint8_t, SHRPX_QUIC_CID_ENCRYPTION_KEYLEN> cid_encryption_key;
620 // Identifier of this keying material. Only the first 2 bits are
625 struct QUICKeyingMaterials {
626 std::vector<QUICKeyingMaterial> keying_materials;
628 #endif // ENABLE_HTTP3
632 // host in http proxy URI
634 // userinfo in http proxy URI, not percent-encoded form
636 // port in http proxy URI
641 // RFC 5077 Session ticket related configurations
646 // Hostname of memcached server. This is also used as SNI field
647 // if TLS is enabled.
649 // Client private key and certificate for authentication
650 StringRef private_key_file;
653 // Maximum number of retries when getting TLS ticket key from
654 // mamcached, due to network error.
656 // Maximum number of consecutive error from memcached, when this
657 // limit reached, TLS ticket is disabled.
659 // Address family of memcached connection. One of either
660 // AF_INET, AF_INET6 or AF_UNSPEC.
664 std::vector<StringRef> files;
665 const EVP_CIPHER *cipher;
666 // true if --tls-ticket-key-cipher is used
670 // Session cache related configurations
675 // Hostname of memcached server. This is also used as SNI field
676 // if TLS is enabled.
678 // Client private key and certificate for authentication
679 StringRef private_key_file;
681 // Address family of memcached connection. One of either
682 // AF_INET, AF_INET6 or AF_UNSPEC.
688 // Dynamic record sizing configurations
690 size_t warmup_threshold;
691 ev_tstamp idle_timeout;
694 // OCSP realted configurations
696 ev_tstamp update_interval;
697 StringRef fetch_ocsp_response_file;
703 // Client verification configurations
705 // Path to file containing CA certificate solely used for client
706 // certificate validation
709 // true if we accept an expired client certificate.
710 bool tolerate_expired;
713 // Client (backend connection) TLS configuration.
715 // Client PSK configuration
717 // identity must be NULL terminated string.
721 StringRef private_key_file;
724 StringRef tls13_ciphers;
725 bool no_http2_cipher_block_list;
728 // PSK secrets. The key is identity, and the associated value is
730 std::map<StringRef, StringRef> psk_secrets;
731 // The list of additional TLS certificate pair
732 std::vector<TLSCertificate> subcerts;
733 std::vector<unsigned char> alpn_prefs;
734 // list of supported NPN/ALPN protocol strings in the order of
736 std::vector<StringRef> npn_list;
737 // list of supported SSL/TLS protocol strings.
738 std::vector<StringRef> tls_proto_list;
739 std::vector<uint8_t> sct_data;
740 BIO_METHOD *bio_method;
741 // Bit mask to disable SSL/TLS protocol versions. This will be
742 // passed to SSL_CTX_set_options().
743 long int tls_proto_mask;
744 StringRef backend_sni_name;
745 std::chrono::seconds session_timeout;
746 StringRef private_key_file;
747 StringRef private_key_passwd;
749 StringRef dh_param_file;
751 StringRef tls13_ciphers;
752 StringRef ecdh_curves;
754 // The maximum amount of 0-RTT data that server accepts.
755 uint32_t max_early_data;
756 // The minimum and maximum TLS version. These values are defined in
757 // OpenSSL header file.
758 int min_proto_version;
759 int max_proto_version;
761 bool no_http2_cipher_block_list;
762 // true if forwarding requests included in TLS early data should not
763 // be postponed until TLS handshake finishes.
764 bool no_postpone_early_data;
779 ngtcp2_cc_algo congestion_controller;
782 StringRef secret_file;
783 ev_tstamp initial_rtt;
789 std::array<uint8_t, SHRPX_QUIC_SERVER_IDLEN> server_id;
794 size_t max_concurrent_streams;
796 int32_t connection_window_size;
797 int32_t max_window_size;
798 int32_t max_connection_window_size;
801 #endif // ENABLE_HTTP3
805 // not NULL-terminated
806 std::vector<uint8_t> content;
807 // 0 is special value, and it matches all HTTP status code.
808 unsigned int http_status;
813 // obfuscated value used in "by" parameter of Forwarded header
814 // field. This is only used when user defined static obfuscated
815 // string is provided.
816 StringRef by_obfuscated;
817 // bitwise-OR of one or more of shrpx_forwarded_param values.
819 // type of value recorded in "by" parameter of Forwarded header
821 ForwardedNode by_node_type;
822 // type of value recorded in "for" parameter of Forwarded header
824 ForwardedNode for_node_type;
838 std::vector<AltSvc> altsvcs;
839 // altsvcs serialized in a wire format.
840 StringRef altsvc_header_value;
841 std::vector<AltSvc> http2_altsvcs;
842 // http2_altsvcs serialized in a wire format.
843 StringRef http2_altsvc_header_value;
844 std::vector<ErrorPage> error_pages;
845 HeaderRefs add_request_headers;
846 HeaderRefs add_response_headers;
847 StringRef server_name;
848 // Port number which appears in Location header field when https
850 StringRef redirect_https_port;
851 size_t request_header_field_buffer;
852 size_t max_request_header_fields;
853 size_t response_header_field_buffer;
854 size_t max_response_header_fields;
857 bool no_location_rewrite;
858 bool no_host_rewrite;
859 bool no_server_rewrite;
866 StringRef request_header_file;
867 StringRef response_header_file;
868 FILE *request_header;
869 FILE *response_header;
876 nghttp2_option *option;
877 nghttp2_option *alt_mode_option;
878 nghttp2_session_callbacks *callbacks;
879 size_t max_concurrent_streams;
880 size_t encoder_dynamic_table_size;
881 size_t decoder_dynamic_table_size;
883 int32_t connection_window_size;
884 bool optimize_write_buffer_size;
885 bool optimize_window_size;
891 nghttp2_option *option;
892 nghttp2_session_callbacks *callbacks;
893 size_t encoder_dynamic_table_size;
894 size_t decoder_dynamic_table_size;
896 int32_t connection_window_size;
897 size_t max_concurrent_streams;
900 ev_tstamp stream_read;
901 ev_tstamp stream_write;
903 bool no_cookie_crumbling;
907 struct LoggingConfig {
909 std::vector<LogFragment> format;
911 // Send accesslog to syslog, ignoring accesslog_file.
913 // Write accesslog when response headers are received from
914 // backend, rather than response body is received and sent.
919 // Send errorlog to syslog, ignoring errorlog_file.
926 struct RateLimitConfig {
931 // Wildcard host pattern routing. We strips left most '*' from host
932 // field. router includes all path patterns sharing the same wildcard
934 struct WildcardPattern {
935 WildcardPattern(const StringRef &host) : host(host) {}
937 // This might not be NULL terminated. Currently it is only used for
943 // Configuration to select backend to forward request
944 struct RouterConfig {
946 // Router for reversed wildcard hosts. Since this router has
947 // wildcard hosts reversed without '*', one should call match()
948 // function with reversed host stripping last character. This is
949 // because we require at least one character must match for '*'.
950 // The index stored in this router is index of wildcard_patterns.
951 Router rev_wildcard_router;
952 std::vector<WildcardPattern> wildcard_patterns;
955 struct DownstreamConfig {
957 : balloc(1024, 1024),
959 addr_group_catch_all{0},
960 connections_per_host{0},
961 connections_per_frontend{0},
962 request_buffer_size{0},
963 response_buffer_size{0},
966 DownstreamConfig(const DownstreamConfig &) = delete;
967 DownstreamConfig(DownstreamConfig &&) = delete;
968 DownstreamConfig &operator=(const DownstreamConfig &) = delete;
969 DownstreamConfig &operator=(DownstreamConfig &&) = delete;
971 // Allocator to allocate memory for Downstream configuration. Since
972 // we may swap around DownstreamConfig in arbitrary times with API
973 // calls, we should use their own allocator instead of per Config
975 BlockAllocator balloc;
981 // The maximum backoff while checking health check for offline
982 // backend or while detaching failed backend from load balancing
983 // group temporarily.
984 ev_tstamp max_backoff;
987 std::vector<DownstreamAddrGroupConfig> addr_groups;
988 // The index of catch-all group in downstream_addr_groups.
989 size_t addr_group_catch_all;
990 size_t connections_per_host;
991 size_t connections_per_frontend;
992 size_t request_buffer_size;
993 size_t response_buffer_size;
994 // Address family of backend connection. One of either AF_INET,
995 // AF_INET6 or AF_UNSPEC. This is ignored if backend connection
996 // is made via Unix domain socket.
1000 struct ConnectionConfig {
1005 // address of frontend acceptors
1006 std::vector<UpstreamAddr> addrs;
1008 // TCP fastopen. If this is positive, it is passed to
1009 // setsockopt() along with TCP_FASTOPEN.
1015 std::vector<UpstreamAddr> addrs;
1017 #endif // ENABLE_HTTP3
1021 ev_tstamp http2_read;
1022 ev_tstamp http3_read;
1025 ev_tstamp idle_read;
1028 RateLimitConfig read;
1029 RateLimitConfig write;
1031 size_t worker_connections;
1032 // Deprecated. See UpstreamAddr.accept_proxy_protocol.
1033 bool accept_proxy_protocol;
1036 std::shared_ptr<DownstreamConfig> downstream;
1040 // Maximum request body size for one API request
1041 size_t max_request_body;
1042 // true if at least one of UpstreamAddr has api enabled
1051 // The number of tries name resolver makes before abandoning
1058 : balloc(4096, 4096),
1059 downstream_http_proxy{},
1065 #endif // ENABLE_HTTP3
1081 single_process{false},
1082 single_thread{false},
1083 ignore_per_pattern_mruby_error{false},
1085 max_worker_processes{0},
1086 worker_process_grace_shutdown_period{0.} {
1090 Config(Config &&) = delete;
1091 Config(const Config &&) = delete;
1092 Config &operator=(Config &&) = delete;
1093 Config &operator=(const Config &&) = delete;
1095 // Allocator to allocate memory for this object except for
1096 // DownstreamConfig. Currently, it is used to allocate memory for
1098 BlockAllocator balloc;
1099 HttpProxy downstream_http_proxy;
1106 #endif // ENABLE_HTTP3
1107 LoggingConfig logging;
1108 ConnectionConfig conn;
1112 StringRef conf_path;
1114 StringRef mruby_file;
1115 // The revision of configuration which is opaque string, and changes
1116 // on each configuration reloading. This does not change on
1117 // backendconfig API call. This value is returned in health check
1118 // as "nghttpx-conf-rev" response header field. The external
1119 // program can check this value to know whether reloading has
1120 // completed or not.
1121 uint64_t config_revision;
1124 size_t rlimit_nofile;
1125 size_t rlimit_memlock;
1132 // Run nghttpx in single process mode. With this mode, signal
1133 // handling is omitted.
1134 bool single_process;
1136 // Ignore mruby compile error for per-pattern mruby script.
1137 bool ignore_per_pattern_mruby_error;
1138 // flags passed to ev_default_loop() and ev_loop_new()
1140 size_t max_worker_processes;
1141 ev_tstamp worker_process_grace_shutdown_period;
1144 const Config *get_config();
1145 Config *mod_config();
1146 // Replaces the current config with given |new_config|. The old config is
1148 std::unique_ptr<Config> replace_config(std::unique_ptr<Config> new_config);
1149 void create_config();
1151 // generated by gennghttpxfun.py
1153 SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL,
1154 SHRPX_OPTID_ACCESSLOG_FILE,
1155 SHRPX_OPTID_ACCESSLOG_FORMAT,
1156 SHRPX_OPTID_ACCESSLOG_SYSLOG,
1157 SHRPX_OPTID_ACCESSLOG_WRITE_EARLY,
1158 SHRPX_OPTID_ADD_FORWARDED,
1159 SHRPX_OPTID_ADD_REQUEST_HEADER,
1160 SHRPX_OPTID_ADD_RESPONSE_HEADER,
1161 SHRPX_OPTID_ADD_X_FORWARDED_FOR,
1163 SHRPX_OPTID_API_MAX_REQUEST_BODY,
1164 SHRPX_OPTID_BACKEND,
1165 SHRPX_OPTID_BACKEND_ADDRESS_FAMILY,
1166 SHRPX_OPTID_BACKEND_CONNECT_TIMEOUT,
1167 SHRPX_OPTID_BACKEND_CONNECTIONS_PER_FRONTEND,
1168 SHRPX_OPTID_BACKEND_CONNECTIONS_PER_HOST,
1169 SHRPX_OPTID_BACKEND_HTTP_PROXY_URI,
1170 SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND,
1171 SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_HOST,
1172 SHRPX_OPTID_BACKEND_HTTP1_TLS,
1173 SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_BITS,
1174 SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE,
1175 SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER,
1176 SHRPX_OPTID_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE,
1177 SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE,
1178 SHRPX_OPTID_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS,
1179 SHRPX_OPTID_BACKEND_HTTP2_SETTINGS_TIMEOUT,
1180 SHRPX_OPTID_BACKEND_HTTP2_WINDOW_BITS,
1181 SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE,
1182 SHRPX_OPTID_BACKEND_IPV4,
1183 SHRPX_OPTID_BACKEND_IPV6,
1184 SHRPX_OPTID_BACKEND_KEEP_ALIVE_TIMEOUT,
1185 SHRPX_OPTID_BACKEND_MAX_BACKOFF,
1186 SHRPX_OPTID_BACKEND_NO_TLS,
1187 SHRPX_OPTID_BACKEND_READ_TIMEOUT,
1188 SHRPX_OPTID_BACKEND_REQUEST_BUFFER,
1189 SHRPX_OPTID_BACKEND_RESPONSE_BUFFER,
1190 SHRPX_OPTID_BACKEND_TLS,
1191 SHRPX_OPTID_BACKEND_TLS_SNI_FIELD,
1192 SHRPX_OPTID_BACKEND_WRITE_TIMEOUT,
1193 SHRPX_OPTID_BACKLOG,
1195 SHRPX_OPTID_CERTIFICATE_FILE,
1196 SHRPX_OPTID_CIPHERS,
1198 SHRPX_OPTID_CLIENT_CERT_FILE,
1199 SHRPX_OPTID_CLIENT_CIPHERS,
1200 SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
1201 SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST,
1202 SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
1203 SHRPX_OPTID_CLIENT_PROXY,
1204 SHRPX_OPTID_CLIENT_PSK_SECRETS,
1207 SHRPX_OPTID_DH_PARAM_FILE,
1208 SHRPX_OPTID_DNS_CACHE_TIMEOUT,
1209 SHRPX_OPTID_DNS_LOOKUP_TIMEOUT,
1210 SHRPX_OPTID_DNS_MAX_TRY,
1211 SHRPX_OPTID_ECDH_CURVES,
1212 SHRPX_OPTID_ERROR_PAGE,
1213 SHRPX_OPTID_ERRORLOG_FILE,
1214 SHRPX_OPTID_ERRORLOG_SYSLOG,
1215 SHRPX_OPTID_FASTOPEN,
1216 SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE,
1217 SHRPX_OPTID_FORWARDED_BY,
1218 SHRPX_OPTID_FORWARDED_FOR,
1219 SHRPX_OPTID_FRONTEND,
1220 SHRPX_OPTID_FRONTEND_FRAME_DEBUG,
1221 SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS,
1222 SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE,
1223 SHRPX_OPTID_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE,
1224 SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER,
1225 SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER,
1226 SHRPX_OPTID_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE,
1227 SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS,
1228 SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE,
1229 SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE,
1230 SHRPX_OPTID_FRONTEND_HTTP2_READ_TIMEOUT,
1231 SHRPX_OPTID_FRONTEND_HTTP2_SETTINGS_TIMEOUT,
1232 SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_BITS,
1233 SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE,
1234 SHRPX_OPTID_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE,
1235 SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS,
1236 SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE,
1237 SHRPX_OPTID_FRONTEND_HTTP3_MAX_WINDOW_SIZE,
1238 SHRPX_OPTID_FRONTEND_HTTP3_READ_TIMEOUT,
1239 SHRPX_OPTID_FRONTEND_HTTP3_WINDOW_SIZE,
1240 SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT,
1241 SHRPX_OPTID_FRONTEND_MAX_REQUESTS,
1242 SHRPX_OPTID_FRONTEND_NO_TLS,
1243 SHRPX_OPTID_FRONTEND_QUIC_CONGESTION_CONTROLLER,
1244 SHRPX_OPTID_FRONTEND_QUIC_DEBUG_LOG,
1245 SHRPX_OPTID_FRONTEND_QUIC_EARLY_DATA,
1246 SHRPX_OPTID_FRONTEND_QUIC_IDLE_TIMEOUT,
1247 SHRPX_OPTID_FRONTEND_QUIC_INITIAL_RTT,
1248 SHRPX_OPTID_FRONTEND_QUIC_QLOG_DIR,
1249 SHRPX_OPTID_FRONTEND_QUIC_REQUIRE_TOKEN,
1250 SHRPX_OPTID_FRONTEND_QUIC_SECRET_FILE,
1251 SHRPX_OPTID_FRONTEND_READ_TIMEOUT,
1252 SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT,
1253 SHRPX_OPTID_HEADER_FIELD_BUFFER,
1254 SHRPX_OPTID_HOST_REWRITE,
1255 SHRPX_OPTID_HTTP2_ALTSVC,
1256 SHRPX_OPTID_HTTP2_BRIDGE,
1257 SHRPX_OPTID_HTTP2_MAX_CONCURRENT_STREAMS,
1258 SHRPX_OPTID_HTTP2_NO_COOKIE_CRUMBLING,
1259 SHRPX_OPTID_HTTP2_PROXY,
1260 SHRPX_OPTID_IGNORE_PER_PATTERN_MRUBY_ERROR,
1261 SHRPX_OPTID_INCLUDE,
1262 SHRPX_OPTID_INSECURE,
1263 SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT,
1264 SHRPX_OPTID_LOG_LEVEL,
1265 SHRPX_OPTID_MAX_HEADER_FIELDS,
1266 SHRPX_OPTID_MAX_REQUEST_HEADER_FIELDS,
1267 SHRPX_OPTID_MAX_RESPONSE_HEADER_FIELDS,
1268 SHRPX_OPTID_MAX_WORKER_PROCESSES,
1269 SHRPX_OPTID_MRUBY_FILE,
1270 SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO,
1271 SHRPX_OPTID_NO_HOST_REWRITE,
1272 SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST,
1273 SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST,
1274 SHRPX_OPTID_NO_KQUEUE,
1275 SHRPX_OPTID_NO_LOCATION_REWRITE,
1276 SHRPX_OPTID_NO_OCSP,
1277 SHRPX_OPTID_NO_QUIC_BPF,
1278 SHRPX_OPTID_NO_SERVER_PUSH,
1279 SHRPX_OPTID_NO_SERVER_REWRITE,
1280 SHRPX_OPTID_NO_STRIP_INCOMING_EARLY_DATA,
1281 SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO,
1282 SHRPX_OPTID_NO_VERIFY_OCSP,
1284 SHRPX_OPTID_NPN_LIST,
1285 SHRPX_OPTID_OCSP_STARTUP,
1286 SHRPX_OPTID_OCSP_UPDATE_INTERVAL,
1287 SHRPX_OPTID_PADDING,
1288 SHRPX_OPTID_PID_FILE,
1289 SHRPX_OPTID_PRIVATE_KEY_FILE,
1290 SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE,
1291 SHRPX_OPTID_PSK_SECRETS,
1292 SHRPX_OPTID_QUIC_BPF_PROGRAM_FILE,
1293 SHRPX_OPTID_QUIC_SERVER_ID,
1294 SHRPX_OPTID_READ_BURST,
1295 SHRPX_OPTID_READ_RATE,
1296 SHRPX_OPTID_REDIRECT_HTTPS_PORT,
1297 SHRPX_OPTID_REQUEST_HEADER_FIELD_BUFFER,
1298 SHRPX_OPTID_RESPONSE_HEADER_FIELD_BUFFER,
1299 SHRPX_OPTID_RLIMIT_MEMLOCK,
1300 SHRPX_OPTID_RLIMIT_NOFILE,
1301 SHRPX_OPTID_SERVER_NAME,
1302 SHRPX_OPTID_SINGLE_PROCESS,
1303 SHRPX_OPTID_SINGLE_THREAD,
1304 SHRPX_OPTID_STREAM_READ_TIMEOUT,
1305 SHRPX_OPTID_STREAM_WRITE_TIMEOUT,
1306 SHRPX_OPTID_STRIP_INCOMING_FORWARDED,
1307 SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR,
1308 SHRPX_OPTID_SUBCERT,
1309 SHRPX_OPTID_SYSLOG_FACILITY,
1310 SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT,
1311 SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD,
1312 SHRPX_OPTID_TLS_MAX_EARLY_DATA,
1313 SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
1314 SHRPX_OPTID_TLS_MIN_PROTO_VERSION,
1315 SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA,
1316 SHRPX_OPTID_TLS_PROTO_LIST,
1317 SHRPX_OPTID_TLS_SCT_DIR,
1318 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
1319 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY,
1320 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE,
1321 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE,
1322 SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS,
1323 SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
1324 SHRPX_OPTID_TLS_TICKET_KEY_FILE,
1325 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
1326 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY,
1327 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE,
1328 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
1329 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL,
1330 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY,
1331 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE,
1332 SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS,
1333 SHRPX_OPTID_TLS13_CIPHERS,
1334 SHRPX_OPTID_TLS13_CLIENT_CIPHERS,
1336 SHRPX_OPTID_VERIFY_CLIENT,
1337 SHRPX_OPTID_VERIFY_CLIENT_CACERT,
1338 SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED,
1339 SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS,
1340 SHRPX_OPTID_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD,
1341 SHRPX_OPTID_WORKER_READ_BURST,
1342 SHRPX_OPTID_WORKER_READ_RATE,
1343 SHRPX_OPTID_WORKER_WRITE_BURST,
1344 SHRPX_OPTID_WORKER_WRITE_RATE,
1345 SHRPX_OPTID_WORKERS,
1346 SHRPX_OPTID_WRITE_BURST,
1347 SHRPX_OPTID_WRITE_RATE,
1351 // Looks up token for given option name |name| of length |namelen|.
1352 int option_lookup_token(const char *name, size_t namelen);
1354 // Parses option name |opt| and value |optarg|. The results are
1355 // stored into the object pointed by |config|. This function returns 0
1356 // if it succeeds, or -1. The |included_set| contains the all paths
1357 // already included while processing this configuration, to avoid loop
1358 // in --include option. The |pattern_addr_indexer| contains a pair of
1359 // pattern of backend, and its index in DownstreamConfig::addr_groups.
1360 // It is introduced to speed up loading configuration file with lots
1362 int parse_config(Config *config, const StringRef &opt, const StringRef &optarg,
1363 std::set<StringRef> &included_set,
1364 std::map<StringRef, size_t> &pattern_addr_indexer);
1366 // Similar to parse_config() above, but additional |optid| which
1367 // should be the return value of option_lookup_token(opt).
1368 int parse_config(Config *config, int optid, const StringRef &opt,
1369 const StringRef &optarg, std::set<StringRef> &included_set,
1370 std::map<StringRef, size_t> &pattern_addr_indexer);
1372 // Loads configurations from |filename| and stores them in |config|.
1373 // This function returns 0 if it succeeds, or -1. See parse_config()
1374 // for |include_set|.
1375 int load_config(Config *config, const char *filename,
1376 std::set<StringRef> &include_set,
1377 std::map<StringRef, size_t> &pattern_addr_indexer);
1379 // Parses header field in |optarg|. We expect header field is formed
1380 // like "NAME: VALUE". We require that NAME is non empty string. ":"
1381 // is allowed at the start of the NAME, but NAME == ":" is not
1382 // allowed. This function returns pair of NAME and VALUE.
1383 HeaderRefs::value_type parse_header(BlockAllocator &balloc,
1384 const StringRef &optarg);
1386 std::vector<LogFragment> parse_log_format(BlockAllocator &balloc,
1387 const StringRef &optarg);
1389 // Returns string for syslog |facility|.
1390 StringRef str_syslog_facility(int facility);
1392 // Returns integer value of syslog |facility| string.
1393 int int_syslog_facility(const StringRef &strfacility);
1395 FILE *open_file_for_write(const char *filename);
1397 // Reads TLS ticket key file in |files| and returns TicketKey which
1398 // stores read key data. The given |cipher| and |hmac| determine the
1399 // expected file size. This function returns TicketKey if it
1400 // succeeds, or nullptr.
1401 std::unique_ptr<TicketKeys>
1402 read_tls_ticket_key_file(const std::vector<StringRef> &files,
1403 const EVP_CIPHER *cipher, const EVP_MD *hmac);
1406 std::shared_ptr<QUICKeyingMaterials>
1407 read_quic_secret_file(const StringRef &path);
1408 #endif // ENABLE_HTTP3
1410 // Returns string representation of |proto|.
1411 StringRef strproto(Proto proto);
1413 int configure_downstream_group(Config *config, bool http2_proxy,
1414 bool numeric_addr_only,
1415 const TLSConfig &tlsconf);
1417 int resolve_hostname(Address *addr, const char *hostname, uint16_t port,
1418 int family, int additional_flags = 0);
1420 } // namespace shrpx
1422 #endif // SHRPX_CONFIG_H