projects / platform / upstream / nghttp2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Imported Upstream version 1.46.0
[platform/upstream/nghttp2.git] / src / shrpx_config.h
1 /*
2  * nghttp2 - HTTP/2 C Library
3  *
4  * Copyright (c) 2012 Tatsuhiro Tsujikawa
5  *
6  * Permission is hereby granted, free of charge, to any person obtaining
7  * a copy of this software and associated documentation files (the
8  * "Software"), to deal in the Software without restriction, including
9  * without limitation the rights to use, copy, modify, merge, publish,
10  * distribute, sublicense, and/or sell copies of the Software, and to
11  * permit persons to whom the Software is furnished to do so, subject to
12  * the following conditions:
13  *
14  * The above copyright notice and this permission notice shall be
15  * included in all copies or substantial portions of the Software.
16  *
17  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21  * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22  * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23  * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
24  */
25 #ifndef SHRPX_CONFIG_H
26 #define SHRPX_CONFIG_H
27
28 #include "shrpx.h"
29
30 #include <sys/types.h>
31 #ifdef HAVE_SYS_SOCKET_H
32 #  include <sys/socket.h>
33 #endif // HAVE_SYS_SOCKET_H
34 #include <sys/un.h>
35 #ifdef HAVE_NETINET_IN_H
36 #  include <netinet/in.h>
37 #endif // HAVE_NETINET_IN_H
38 #ifdef HAVE_ARPA_INET_H
39 #  include <arpa/inet.h>
40 #endif // HAVE_ARPA_INET_H
41 #include <cinttypes>
42 #include <cstdio>
43 #include <vector>
44 #include <memory>
45 #include <set>
46
47 #include <openssl/ssl.h>
48
49 #include <ev.h>
50
51 #include <nghttp2/nghttp2.h>
52
53 #include "shrpx_router.h"
54 #if ENABLE_HTTP3
55 #  include "shrpx_quic.h"
56 #endif // ENABLE_HTTP3
57 #include "template.h"
58 #include "http2.h"
59 #include "network.h"
60 #include "allocator.h"
61
62 using namespace nghttp2;
63
64 namespace shrpx {
65
66 struct LogFragment;
67 class ConnectBlocker;
68 class Http2Session;
69
70 namespace tls {
71
72 class CertLookupTree;
73
74 } // namespace tls
75
76 constexpr auto SHRPX_OPT_PRIVATE_KEY_FILE =
77     StringRef::from_lit("private-key-file");
78 constexpr auto SHRPX_OPT_PRIVATE_KEY_PASSWD_FILE =
79     StringRef::from_lit("private-key-passwd-file");
80 constexpr auto SHRPX_OPT_CERTIFICATE_FILE =
81     StringRef::from_lit("certificate-file");
82 constexpr auto SHRPX_OPT_DH_PARAM_FILE = StringRef::from_lit("dh-param-file");
83 constexpr auto SHRPX_OPT_SUBCERT = StringRef::from_lit("subcert");
84 constexpr auto SHRPX_OPT_BACKEND = StringRef::from_lit("backend");
85 constexpr auto SHRPX_OPT_FRONTEND = StringRef::from_lit("frontend");
86 constexpr auto SHRPX_OPT_WORKERS = StringRef::from_lit("workers");
87 constexpr auto SHRPX_OPT_HTTP2_MAX_CONCURRENT_STREAMS =
88     StringRef::from_lit("http2-max-concurrent-streams");
89 constexpr auto SHRPX_OPT_LOG_LEVEL = StringRef::from_lit("log-level");
90 constexpr auto SHRPX_OPT_DAEMON = StringRef::from_lit("daemon");
91 constexpr auto SHRPX_OPT_HTTP2_PROXY = StringRef::from_lit("http2-proxy");
92 constexpr auto SHRPX_OPT_HTTP2_BRIDGE = StringRef::from_lit("http2-bridge");
93 constexpr auto SHRPX_OPT_CLIENT_PROXY = StringRef::from_lit("client-proxy");
94 constexpr auto SHRPX_OPT_ADD_X_FORWARDED_FOR =
95     StringRef::from_lit("add-x-forwarded-for");
96 constexpr auto SHRPX_OPT_STRIP_INCOMING_X_FORWARDED_FOR =
97     StringRef::from_lit("strip-incoming-x-forwarded-for");
98 constexpr auto SHRPX_OPT_NO_VIA = StringRef::from_lit("no-via");
99 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_READ_TIMEOUT =
100     StringRef::from_lit("frontend-http2-read-timeout");
101 constexpr auto SHRPX_OPT_FRONTEND_READ_TIMEOUT =
102     StringRef::from_lit("frontend-read-timeout");
103 constexpr auto SHRPX_OPT_FRONTEND_WRITE_TIMEOUT =
104     StringRef::from_lit("frontend-write-timeout");
105 constexpr auto SHRPX_OPT_BACKEND_READ_TIMEOUT =
106     StringRef::from_lit("backend-read-timeout");
107 constexpr auto SHRPX_OPT_BACKEND_WRITE_TIMEOUT =
108     StringRef::from_lit("backend-write-timeout");
109 constexpr auto SHRPX_OPT_STREAM_READ_TIMEOUT =
110     StringRef::from_lit("stream-read-timeout");
111 constexpr auto SHRPX_OPT_STREAM_WRITE_TIMEOUT =
112     StringRef::from_lit("stream-write-timeout");
113 constexpr auto SHRPX_OPT_ACCESSLOG_FILE = StringRef::from_lit("accesslog-file");
114 constexpr auto SHRPX_OPT_ACCESSLOG_SYSLOG =
115     StringRef::from_lit("accesslog-syslog");
116 constexpr auto SHRPX_OPT_ACCESSLOG_FORMAT =
117     StringRef::from_lit("accesslog-format");
118 constexpr auto SHRPX_OPT_ERRORLOG_FILE = StringRef::from_lit("errorlog-file");
119 constexpr auto SHRPX_OPT_ERRORLOG_SYSLOG =
120     StringRef::from_lit("errorlog-syslog");
121 constexpr auto SHRPX_OPT_BACKEND_KEEP_ALIVE_TIMEOUT =
122     StringRef::from_lit("backend-keep-alive-timeout");
123 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_BITS =
124     StringRef::from_lit("frontend-http2-window-bits");
125 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_BITS =
126     StringRef::from_lit("backend-http2-window-bits");
127 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS =
128     StringRef::from_lit("frontend-http2-connection-window-bits");
129 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_BITS =
130     StringRef::from_lit("backend-http2-connection-window-bits");
131 constexpr auto SHRPX_OPT_FRONTEND_NO_TLS =
132     StringRef::from_lit("frontend-no-tls");
133 constexpr auto SHRPX_OPT_BACKEND_NO_TLS = StringRef::from_lit("backend-no-tls");
134 constexpr auto SHRPX_OPT_BACKEND_TLS_SNI_FIELD =
135     StringRef::from_lit("backend-tls-sni-field");
136 constexpr auto SHRPX_OPT_PID_FILE = StringRef::from_lit("pid-file");
137 constexpr auto SHRPX_OPT_USER = StringRef::from_lit("user");
138 constexpr auto SHRPX_OPT_SYSLOG_FACILITY =
139     StringRef::from_lit("syslog-facility");
140 constexpr auto SHRPX_OPT_BACKLOG = StringRef::from_lit("backlog");
141 constexpr auto SHRPX_OPT_CIPHERS = StringRef::from_lit("ciphers");
142 constexpr auto SHRPX_OPT_CLIENT = StringRef::from_lit("client");
143 constexpr auto SHRPX_OPT_INSECURE = StringRef::from_lit("insecure");
144 constexpr auto SHRPX_OPT_CACERT = StringRef::from_lit("cacert");
145 constexpr auto SHRPX_OPT_BACKEND_IPV4 = StringRef::from_lit("backend-ipv4");
146 constexpr auto SHRPX_OPT_BACKEND_IPV6 = StringRef::from_lit("backend-ipv6");
147 constexpr auto SHRPX_OPT_BACKEND_HTTP_PROXY_URI =
148     StringRef::from_lit("backend-http-proxy-uri");
149 constexpr auto SHRPX_OPT_READ_RATE = StringRef::from_lit("read-rate");
150 constexpr auto SHRPX_OPT_READ_BURST = StringRef::from_lit("read-burst");
151 constexpr auto SHRPX_OPT_WRITE_RATE = StringRef::from_lit("write-rate");
152 constexpr auto SHRPX_OPT_WRITE_BURST = StringRef::from_lit("write-burst");
153 constexpr auto SHRPX_OPT_WORKER_READ_RATE =
154     StringRef::from_lit("worker-read-rate");
155 constexpr auto SHRPX_OPT_WORKER_READ_BURST =
156     StringRef::from_lit("worker-read-burst");
157 constexpr auto SHRPX_OPT_WORKER_WRITE_RATE =
158     StringRef::from_lit("worker-write-rate");
159 constexpr auto SHRPX_OPT_WORKER_WRITE_BURST =
160     StringRef::from_lit("worker-write-burst");
161 constexpr auto SHRPX_OPT_NPN_LIST = StringRef::from_lit("npn-list");
162 constexpr auto SHRPX_OPT_TLS_PROTO_LIST = StringRef::from_lit("tls-proto-list");
163 constexpr auto SHRPX_OPT_VERIFY_CLIENT = StringRef::from_lit("verify-client");
164 constexpr auto SHRPX_OPT_VERIFY_CLIENT_CACERT =
165     StringRef::from_lit("verify-client-cacert");
166 constexpr auto SHRPX_OPT_CLIENT_PRIVATE_KEY_FILE =
167     StringRef::from_lit("client-private-key-file");
168 constexpr auto SHRPX_OPT_CLIENT_CERT_FILE =
169     StringRef::from_lit("client-cert-file");
170 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_REQUEST_HEADER =
171     StringRef::from_lit("frontend-http2-dump-request-header");
172 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER =
173     StringRef::from_lit("frontend-http2-dump-response-header");
174 constexpr auto SHRPX_OPT_HTTP2_NO_COOKIE_CRUMBLING =
175     StringRef::from_lit("http2-no-cookie-crumbling");
176 constexpr auto SHRPX_OPT_FRONTEND_FRAME_DEBUG =
177     StringRef::from_lit("frontend-frame-debug");
178 constexpr auto SHRPX_OPT_PADDING = StringRef::from_lit("padding");
179 constexpr auto SHRPX_OPT_ALTSVC = StringRef::from_lit("altsvc");
180 constexpr auto SHRPX_OPT_ADD_REQUEST_HEADER =
181     StringRef::from_lit("add-request-header");
182 constexpr auto SHRPX_OPT_ADD_RESPONSE_HEADER =
183     StringRef::from_lit("add-response-header");
184 constexpr auto SHRPX_OPT_WORKER_FRONTEND_CONNECTIONS =
185     StringRef::from_lit("worker-frontend-connections");
186 constexpr auto SHRPX_OPT_NO_LOCATION_REWRITE =
187     StringRef::from_lit("no-location-rewrite");
188 constexpr auto SHRPX_OPT_NO_HOST_REWRITE =
189     StringRef::from_lit("no-host-rewrite");
190 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_HOST =
191     StringRef::from_lit("backend-http1-connections-per-host");
192 constexpr auto SHRPX_OPT_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND =
193     StringRef::from_lit("backend-http1-connections-per-frontend");
194 constexpr auto SHRPX_OPT_LISTENER_DISABLE_TIMEOUT =
195     StringRef::from_lit("listener-disable-timeout");
196 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_FILE =
197     StringRef::from_lit("tls-ticket-key-file");
198 constexpr auto SHRPX_OPT_RLIMIT_NOFILE = StringRef::from_lit("rlimit-nofile");
199 constexpr auto SHRPX_OPT_BACKEND_REQUEST_BUFFER =
200     StringRef::from_lit("backend-request-buffer");
201 constexpr auto SHRPX_OPT_BACKEND_RESPONSE_BUFFER =
202     StringRef::from_lit("backend-response-buffer");
203 constexpr auto SHRPX_OPT_NO_SERVER_PUSH = StringRef::from_lit("no-server-push");
204 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTIONS_PER_WORKER =
205     StringRef::from_lit("backend-http2-connections-per-worker");
206 constexpr auto SHRPX_OPT_FETCH_OCSP_RESPONSE_FILE =
207     StringRef::from_lit("fetch-ocsp-response-file");
208 constexpr auto SHRPX_OPT_OCSP_UPDATE_INTERVAL =
209     StringRef::from_lit("ocsp-update-interval");
210 constexpr auto SHRPX_OPT_NO_OCSP = StringRef::from_lit("no-ocsp");
211 constexpr auto SHRPX_OPT_HEADER_FIELD_BUFFER =
212     StringRef::from_lit("header-field-buffer");
213 constexpr auto SHRPX_OPT_MAX_HEADER_FIELDS =
214     StringRef::from_lit("max-header-fields");
215 constexpr auto SHRPX_OPT_INCLUDE = StringRef::from_lit("include");
216 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_CIPHER =
217     StringRef::from_lit("tls-ticket-key-cipher");
218 constexpr auto SHRPX_OPT_HOST_REWRITE = StringRef::from_lit("host-rewrite");
219 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED =
220     StringRef::from_lit("tls-session-cache-memcached");
221 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED =
222     StringRef::from_lit("tls-ticket-key-memcached");
223 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_INTERVAL =
224     StringRef::from_lit("tls-ticket-key-memcached-interval");
225 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY =
226     StringRef::from_lit("tls-ticket-key-memcached-max-retry");
227 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL =
228     StringRef::from_lit("tls-ticket-key-memcached-max-fail");
229 constexpr auto SHRPX_OPT_MRUBY_FILE = StringRef::from_lit("mruby-file");
230 constexpr auto SHRPX_OPT_ACCEPT_PROXY_PROTOCOL =
231     StringRef::from_lit("accept-proxy-protocol");
232 constexpr auto SHRPX_OPT_FASTOPEN = StringRef::from_lit("fastopen");
233 constexpr auto SHRPX_OPT_TLS_DYN_REC_WARMUP_THRESHOLD =
234     StringRef::from_lit("tls-dyn-rec-warmup-threshold");
235 constexpr auto SHRPX_OPT_TLS_DYN_REC_IDLE_TIMEOUT =
236     StringRef::from_lit("tls-dyn-rec-idle-timeout");
237 constexpr auto SHRPX_OPT_ADD_FORWARDED = StringRef::from_lit("add-forwarded");
238 constexpr auto SHRPX_OPT_STRIP_INCOMING_FORWARDED =
239     StringRef::from_lit("strip-incoming-forwarded");
240 constexpr auto SHRPX_OPT_FORWARDED_BY = StringRef::from_lit("forwarded-by");
241 constexpr auto SHRPX_OPT_FORWARDED_FOR = StringRef::from_lit("forwarded-for");
242 constexpr auto SHRPX_OPT_REQUEST_HEADER_FIELD_BUFFER =
243     StringRef::from_lit("request-header-field-buffer");
244 constexpr auto SHRPX_OPT_MAX_REQUEST_HEADER_FIELDS =
245     StringRef::from_lit("max-request-header-fields");
246 constexpr auto SHRPX_OPT_RESPONSE_HEADER_FIELD_BUFFER =
247     StringRef::from_lit("response-header-field-buffer");
248 constexpr auto SHRPX_OPT_MAX_RESPONSE_HEADER_FIELDS =
249     StringRef::from_lit("max-response-header-fields");
250 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLOCK_LIST =
251     StringRef::from_lit("no-http2-cipher-block-list");
252 constexpr auto SHRPX_OPT_NO_HTTP2_CIPHER_BLACK_LIST =
253     StringRef::from_lit("no-http2-cipher-black-list");
254 constexpr auto SHRPX_OPT_BACKEND_HTTP1_TLS =
255     StringRef::from_lit("backend-http1-tls");
256 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_TLS =
257     StringRef::from_lit("tls-session-cache-memcached-tls");
258 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE =
259     StringRef::from_lit("tls-session-cache-memcached-cert-file");
260 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE =
261     StringRef::from_lit("tls-session-cache-memcached-private-key-file");
262 constexpr auto SHRPX_OPT_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY =
263     StringRef::from_lit("tls-session-cache-memcached-address-family");
264 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_TLS =
265     StringRef::from_lit("tls-ticket-key-memcached-tls");
266 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_CERT_FILE =
267     StringRef::from_lit("tls-ticket-key-memcached-cert-file");
268 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE =
269     StringRef::from_lit("tls-ticket-key-memcached-private-key-file");
270 constexpr auto SHRPX_OPT_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY =
271     StringRef::from_lit("tls-ticket-key-memcached-address-family");
272 constexpr auto SHRPX_OPT_BACKEND_ADDRESS_FAMILY =
273     StringRef::from_lit("backend-address-family");
274 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS =
275     StringRef::from_lit("frontend-http2-max-concurrent-streams");
276 constexpr auto SHRPX_OPT_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS =
277     StringRef::from_lit("backend-http2-max-concurrent-streams");
278 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_FRONTEND =
279     StringRef::from_lit("backend-connections-per-frontend");
280 constexpr auto SHRPX_OPT_BACKEND_TLS = StringRef::from_lit("backend-tls");
281 constexpr auto SHRPX_OPT_BACKEND_CONNECTIONS_PER_HOST =
282     StringRef::from_lit("backend-connections-per-host");
283 constexpr auto SHRPX_OPT_ERROR_PAGE = StringRef::from_lit("error-page");
284 constexpr auto SHRPX_OPT_NO_KQUEUE = StringRef::from_lit("no-kqueue");
285 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_SETTINGS_TIMEOUT =
286     StringRef::from_lit("frontend-http2-settings-timeout");
287 constexpr auto SHRPX_OPT_BACKEND_HTTP2_SETTINGS_TIMEOUT =
288     StringRef::from_lit("backend-http2-settings-timeout");
289 constexpr auto SHRPX_OPT_API_MAX_REQUEST_BODY =
290     StringRef::from_lit("api-max-request-body");
291 constexpr auto SHRPX_OPT_BACKEND_MAX_BACKOFF =
292     StringRef::from_lit("backend-max-backoff");
293 constexpr auto SHRPX_OPT_SERVER_NAME = StringRef::from_lit("server-name");
294 constexpr auto SHRPX_OPT_NO_SERVER_REWRITE =
295     StringRef::from_lit("no-server-rewrite");
296 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE =
297     StringRef::from_lit("frontend-http2-optimize-write-buffer-size");
298 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE =
299     StringRef::from_lit("frontend-http2-optimize-window-size");
300 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_WINDOW_SIZE =
301     StringRef::from_lit("frontend-http2-window-size");
302 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE =
303     StringRef::from_lit("frontend-http2-connection-window-size");
304 constexpr auto SHRPX_OPT_BACKEND_HTTP2_WINDOW_SIZE =
305     StringRef::from_lit("backend-http2-window-size");
306 constexpr auto SHRPX_OPT_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE =
307     StringRef::from_lit("backend-http2-connection-window-size");
308 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE =
309     StringRef::from_lit("frontend-http2-encoder-dynamic-table-size");
310 constexpr auto SHRPX_OPT_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE =
311     StringRef::from_lit("frontend-http2-decoder-dynamic-table-size");
312 constexpr auto SHRPX_OPT_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE =
313     StringRef::from_lit("backend-http2-encoder-dynamic-table-size");
314 constexpr auto SHRPX_OPT_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE =
315     StringRef::from_lit("backend-http2-decoder-dynamic-table-size");
316 constexpr auto SHRPX_OPT_ECDH_CURVES = StringRef::from_lit("ecdh-curves");
317 constexpr auto SHRPX_OPT_TLS_SCT_DIR = StringRef::from_lit("tls-sct-dir");
318 constexpr auto SHRPX_OPT_BACKEND_CONNECT_TIMEOUT =
319     StringRef::from_lit("backend-connect-timeout");
320 constexpr auto SHRPX_OPT_DNS_CACHE_TIMEOUT =
321     StringRef::from_lit("dns-cache-timeout");
322 constexpr auto SHRPX_OPT_DNS_LOOKUP_TIMEOUT =
323     StringRef::from_lit("dns-lookup-timeout");
324 constexpr auto SHRPX_OPT_DNS_MAX_TRY = StringRef::from_lit("dns-max-try");
325 constexpr auto SHRPX_OPT_FRONTEND_KEEP_ALIVE_TIMEOUT =
326     StringRef::from_lit("frontend-keep-alive-timeout");
327 constexpr auto SHRPX_OPT_PSK_SECRETS = StringRef::from_lit("psk-secrets");
328 constexpr auto SHRPX_OPT_CLIENT_PSK_SECRETS =
329     StringRef::from_lit("client-psk-secrets");
330 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST =
331     StringRef::from_lit("client-no-http2-cipher-block-list");
332 constexpr auto SHRPX_OPT_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST =
333     StringRef::from_lit("client-no-http2-cipher-black-list");
334 constexpr auto SHRPX_OPT_CLIENT_CIPHERS = StringRef::from_lit("client-ciphers");
335 constexpr auto SHRPX_OPT_ACCESSLOG_WRITE_EARLY =
336     StringRef::from_lit("accesslog-write-early");
337 constexpr auto SHRPX_OPT_TLS_MIN_PROTO_VERSION =
338     StringRef::from_lit("tls-min-proto-version");
339 constexpr auto SHRPX_OPT_TLS_MAX_PROTO_VERSION =
340     StringRef::from_lit("tls-max-proto-version");
341 constexpr auto SHRPX_OPT_REDIRECT_HTTPS_PORT =
342     StringRef::from_lit("redirect-https-port");
343 constexpr auto SHRPX_OPT_FRONTEND_MAX_REQUESTS =
344     StringRef::from_lit("frontend-max-requests");
345 constexpr auto SHRPX_OPT_SINGLE_THREAD = StringRef::from_lit("single-thread");
346 constexpr auto SHRPX_OPT_SINGLE_PROCESS = StringRef::from_lit("single-process");
347 constexpr auto SHRPX_OPT_NO_ADD_X_FORWARDED_PROTO =
348     StringRef::from_lit("no-add-x-forwarded-proto");
349 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_X_FORWARDED_PROTO =
350     StringRef::from_lit("no-strip-incoming-x-forwarded-proto");
351 constexpr auto SHRPX_OPT_OCSP_STARTUP = StringRef::from_lit("ocsp-startup");
352 constexpr auto SHRPX_OPT_NO_VERIFY_OCSP = StringRef::from_lit("no-verify-ocsp");
353 constexpr auto SHRPX_OPT_VERIFY_CLIENT_TOLERATE_EXPIRED =
354     StringRef::from_lit("verify-client-tolerate-expired");
355 constexpr auto SHRPX_OPT_IGNORE_PER_PATTERN_MRUBY_ERROR =
356     StringRef::from_lit("ignore-per-pattern-mruby-error");
357 constexpr auto SHRPX_OPT_TLS_NO_POSTPONE_EARLY_DATA =
358     StringRef::from_lit("tls-no-postpone-early-data");
359 constexpr auto SHRPX_OPT_TLS_MAX_EARLY_DATA =
360     StringRef::from_lit("tls-max-early-data");
361 constexpr auto SHRPX_OPT_TLS13_CIPHERS = StringRef::from_lit("tls13-ciphers");
362 constexpr auto SHRPX_OPT_TLS13_CLIENT_CIPHERS =
363     StringRef::from_lit("tls13-client-ciphers");
364 constexpr auto SHRPX_OPT_NO_STRIP_INCOMING_EARLY_DATA =
365     StringRef::from_lit("no-strip-incoming-early-data");
366 constexpr auto SHRPX_OPT_QUIC_BPF_PROGRAM_FILE =
367     StringRef::from_lit("quic-bpf-program-file");
368 constexpr auto SHRPX_OPT_NO_QUIC_BPF = StringRef::from_lit("no-quic-bpf");
369 constexpr auto SHRPX_OPT_HTTP2_ALTSVC = StringRef::from_lit("http2-altsvc");
370 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_READ_TIMEOUT =
371     StringRef::from_lit("frontend-http3-read-timeout");
372 constexpr auto SHRPX_OPT_FRONTEND_QUIC_IDLE_TIMEOUT =
373     StringRef::from_lit("frontend-quic-idle-timeout");
374 constexpr auto SHRPX_OPT_FRONTEND_QUIC_DEBUG_LOG =
375     StringRef::from_lit("frontend-quic-debug-log");
376 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_WINDOW_SIZE =
377     StringRef::from_lit("frontend-http3-window-size");
378 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE =
379     StringRef::from_lit("frontend-http3-connection-window-size");
380 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_WINDOW_SIZE =
381     StringRef::from_lit("frontend-http3-max-window-size");
382 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE =
383     StringRef::from_lit("frontend-http3-max-connection-window-size");
384 constexpr auto SHRPX_OPT_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS =
385     StringRef::from_lit("frontend-http3-max-concurrent-streams");
386 constexpr auto SHRPX_OPT_FRONTEND_QUIC_EARLY_DATA =
387     StringRef::from_lit("frontend-quic-early-data");
388 constexpr auto SHRPX_OPT_FRONTEND_QUIC_QLOG_DIR =
389     StringRef::from_lit("frontend-quic-qlog-dir");
390 constexpr auto SHRPX_OPT_FRONTEND_QUIC_REQUIRE_TOKEN =
391     StringRef::from_lit("frontend-quic-require-token");
392 constexpr auto SHRPX_OPT_FRONTEND_QUIC_CONGESTION_CONTROLLER =
393     StringRef::from_lit("frontend-quic-congestion-controller");
394 constexpr auto SHRPX_OPT_QUIC_SERVER_ID = StringRef::from_lit("quic-server-id");
395 constexpr auto SHRPX_OPT_FRONTEND_QUIC_SECRET_FILE =
396     StringRef::from_lit("frontend-quic-secret-file");
397 constexpr auto SHRPX_OPT_RLIMIT_MEMLOCK = StringRef::from_lit("rlimit-memlock");
398 constexpr auto SHRPX_OPT_MAX_WORKER_PROCESSES =
399     StringRef::from_lit("max-worker-processes");
400 constexpr auto SHRPX_OPT_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD =
401     StringRef::from_lit("worker-process-grace-shutdown-period");
402 constexpr auto SHRPX_OPT_FRONTEND_QUIC_INITIAL_RTT =
403     StringRef::from_lit("frontend-quic-initial-rtt");
404
405 constexpr size_t SHRPX_OBFUSCATED_NODE_LENGTH = 8;
406
407 constexpr char DEFAULT_DOWNSTREAM_HOST[] = "127.0.0.1";
408 constexpr int16_t DEFAULT_DOWNSTREAM_PORT = 80;
409
410 enum class Proto {
411   NONE,
412   HTTP1,
413   HTTP2,
414   HTTP3,
415   MEMCACHED,
416 };
417
418 enum class SessionAffinity {
419   // No session affinity
420   NONE,
421   // Client IP affinity
422   IP,
423   // Cookie based affinity
424   COOKIE,
425 };
426
427 enum class SessionAffinityCookieSecure {
428   // Secure attribute of session affinity cookie is determined by the
429   // request scheme.
430   AUTO,
431   // Secure attribute of session affinity cookie is always set.
432   YES,
433   // Secure attribute of session affinity cookie is always unset.
434   NO,
435 };
436
437 struct AffinityConfig {
438   // Type of session affinity.
439   SessionAffinity type;
440   struct {
441     // Name of a cookie to use.
442     StringRef name;
443     // Path which a cookie is applied to.
444     StringRef path;
445     // Secure attribute
446     SessionAffinityCookieSecure secure;
447   } cookie;
448 };
449
450 enum shrpx_forwarded_param {
451   FORWARDED_NONE = 0,
452   FORWARDED_BY = 0x1,
453   FORWARDED_FOR = 0x2,
454   FORWARDED_HOST = 0x4,
455   FORWARDED_PROTO = 0x8,
456 };
457
458 enum class ForwardedNode {
459   OBFUSCATED,
460   IP,
461 };
462
463 struct AltSvc {
464   StringRef protocol_id, host, origin, service, params;
465
466   uint16_t port;
467 };
468
469 enum class UpstreamAltMode {
470   // No alternative mode
471   NONE,
472   // API processing mode
473   API,
474   // Health monitor mode
475   HEALTHMON,
476 };
477
478 struct UpstreamAddr {
479   // The unique index of this address.
480   size_t index;
481   // The frontend address (e.g., FQDN, hostname, IP address).  If
482   // |host_unix| is true, this is UNIX domain socket path.  This must
483   // be NULL terminated string.
484   StringRef host;
485   // For TCP socket, this is <IP address>:<PORT>.  For IPv6 address,
486   // address is surrounded by square brackets.  If socket is UNIX
487   // domain socket, this is "localhost".
488   StringRef hostport;
489   // frontend port.  0 if |host_unix| is true.
490   uint16_t port;
491   // For TCP socket, this is either AF_INET or AF_INET6.  For UNIX
492   // domain socket, this is 0.
493   int family;
494   // Alternate mode
495   UpstreamAltMode alt_mode;
496   // true if |host| contains UNIX domain socket path.
497   bool host_unix;
498   // true if TLS is enabled.
499   bool tls;
500   // true if SNI host should be used as a host when selecting backend
501   // server.
502   bool sni_fwd;
503   // true if client is supposed to send PROXY protocol v1 header.
504   bool accept_proxy_protocol;
505   bool quic;
506   int fd;
507 };
508
509 struct DownstreamAddrConfig {
510   // Resolved address if |dns| is false
511   Address addr;
512   // backend address.  If |host_unix| is true, this is UNIX domain
513   // socket path.  This must be NULL terminated string.
514   StringRef host;
515   // <HOST>:<PORT>.  This does not treat 80 and 443 specially.  If
516   // |host_unix| is true, this is "localhost".
517   StringRef hostport;
518   // hostname sent as SNI field
519   StringRef sni;
520   // name of group which this address belongs to.
521   StringRef group;
522   size_t fall;
523   size_t rise;
524   // weight of this address inside a weight group.  Its range is [1,
525   // 256], inclusive.
526   uint32_t weight;
527   // weight of the weight group.  Its range is [1, 256], inclusive.
528   uint32_t group_weight;
529   // Application protocol used in this group
530   Proto proto;
531   // backend port.  0 if |host_unix| is true.
532   uint16_t port;
533   // true if |host| contains UNIX domain socket path.
534   bool host_unix;
535   bool tls;
536   // true if dynamic DNS is enabled
537   bool dns;
538   // true if :scheme pseudo header field should be upgraded to secure
539   // variant (e.g., "https") when forwarding request to a backend
540   // connected by TLS connection.
541   bool upgrade_scheme;
542   // true if a request should not be forwarded to a backend.
543   bool dnf;
544 };
545
546 // Mapping hash to idx which is an index into
547 // DownstreamAddrGroupConfig::addrs.
548 struct AffinityHash {
549   AffinityHash(size_t idx, uint32_t hash) : idx(idx), hash(hash) {}
550
551   size_t idx;
552   uint32_t hash;
553 };
554
555 struct DownstreamAddrGroupConfig {
556   DownstreamAddrGroupConfig(const StringRef &pattern)
557       : pattern(pattern),
558         affinity{SessionAffinity::NONE},
559         redirect_if_not_tls(false),
560         dnf{false},
561         timeout{} {}
562
563   StringRef pattern;
564   StringRef mruby_file;
565   std::vector<DownstreamAddrConfig> addrs;
566   // Bunch of session affinity hash.  Only used if affinity ==
567   // SessionAffinity::IP.
568   std::vector<AffinityHash> affinity_hash;
569   // Cookie based session affinity configuration.
570   AffinityConfig affinity;
571   // true if this group requires that client connection must be TLS,
572   // and the request must be redirected to https URI.
573   bool redirect_if_not_tls;
574   // true if a request should not be forwarded to a backend.
575   bool dnf;
576   // Timeouts for backend connection.
577   struct {
578     ev_tstamp read;
579     ev_tstamp write;
580   } timeout;
581 };
582
583 struct TicketKey {
584   const EVP_CIPHER *cipher;
585   const EVP_MD *hmac;
586   size_t hmac_keylen;
587   struct {
588     // name of this ticket configuration
589     std::array<uint8_t, 16> name;
590     // encryption key for |cipher|
591     std::array<uint8_t, 32> enc_key;
592     // hmac key for |hmac|
593     std::array<uint8_t, 32> hmac_key;
594   } data;
595 };
596
597 struct TicketKeys {
598   ~TicketKeys();
599   std::vector<TicketKey> keys;
600 };
601
602 struct TLSCertificate {
603   TLSCertificate(StringRef private_key_file, StringRef cert_file,
604                  std::vector<uint8_t> sct_data)
605       : private_key_file(std::move(private_key_file)),
606         cert_file(std::move(cert_file)),
607         sct_data(std::move(sct_data)) {}
608
609   StringRef private_key_file;
610   StringRef cert_file;
611   std::vector<uint8_t> sct_data;
612 };
613
614 #ifdef ENABLE_HTTP3
615 struct QUICKeyingMaterial {
616   std::array<uint8_t, SHRPX_QUIC_SECRET_RESERVEDLEN> reserved;
617   std::array<uint8_t, SHRPX_QUIC_SECRETLEN> secret;
618   std::array<uint8_t, SHRPX_QUIC_SALTLEN> salt;
619   std::array<uint8_t, SHRPX_QUIC_CID_ENCRYPTION_KEYLEN> cid_encryption_key;
620   // Identifier of this keying material.  Only the first 2 bits are
621   // used.
622   uint8_t id;
623 };
624
625 struct QUICKeyingMaterials {
626   std::vector<QUICKeyingMaterial> keying_materials;
627 };
628 #endif // ENABLE_HTTP3
629
630 struct HttpProxy {
631   Address addr;
632   // host in http proxy URI
633   StringRef host;
634   // userinfo in http proxy URI, not percent-encoded form
635   StringRef userinfo;
636   // port in http proxy URI
637   uint16_t port;
638 };
639
640 struct TLSConfig {
641   // RFC 5077 Session ticket related configurations
642   struct {
643     struct {
644       Address addr;
645       uint16_t port;
646       // Hostname of memcached server.  This is also used as SNI field
647       // if TLS is enabled.
648       StringRef host;
649       // Client private key and certificate for authentication
650       StringRef private_key_file;
651       StringRef cert_file;
652       ev_tstamp interval;
653       // Maximum number of retries when getting TLS ticket key from
654       // mamcached, due to network error.
655       size_t max_retry;
656       // Maximum number of consecutive error from memcached, when this
657       // limit reached, TLS ticket is disabled.
658       size_t max_fail;
659       // Address family of memcached connection.  One of either
660       // AF_INET, AF_INET6 or AF_UNSPEC.
661       int family;
662       bool tls;
663     } memcached;
664     std::vector<StringRef> files;
665     const EVP_CIPHER *cipher;
666     // true if --tls-ticket-key-cipher is used
667     bool cipher_given;
668   } ticket;
669
670   // Session cache related configurations
671   struct {
672     struct {
673       Address addr;
674       uint16_t port;
675       // Hostname of memcached server.  This is also used as SNI field
676       // if TLS is enabled.
677       StringRef host;
678       // Client private key and certificate for authentication
679       StringRef private_key_file;
680       StringRef cert_file;
681       // Address family of memcached connection.  One of either
682       // AF_INET, AF_INET6 or AF_UNSPEC.
683       int family;
684       bool tls;
685     } memcached;
686   } session_cache;
687
688   // Dynamic record sizing configurations
689   struct {
690     size_t warmup_threshold;
691     ev_tstamp idle_timeout;
692   } dyn_rec;
693
694   // OCSP realted configurations
695   struct {
696     ev_tstamp update_interval;
697     StringRef fetch_ocsp_response_file;
698     bool disabled;
699     bool startup;
700     bool no_verify;
701   } ocsp;
702
703   // Client verification configurations
704   struct {
705     // Path to file containing CA certificate solely used for client
706     // certificate validation
707     StringRef cacert;
708     bool enabled;
709     // true if we accept an expired client certificate.
710     bool tolerate_expired;
711   } client_verify;
712
713   // Client (backend connection) TLS configuration.
714   struct {
715     // Client PSK configuration
716     struct {
717       // identity must be NULL terminated string.
718       StringRef identity;
719       StringRef secret;
720     } psk;
721     StringRef private_key_file;
722     StringRef cert_file;
723     StringRef ciphers;
724     StringRef tls13_ciphers;
725     bool no_http2_cipher_block_list;
726   } client;
727
728   // PSK secrets.  The key is identity, and the associated value is
729   // its secret.
730   std::map<StringRef, StringRef> psk_secrets;
731   // The list of additional TLS certificate pair
732   std::vector<TLSCertificate> subcerts;
733   std::vector<unsigned char> alpn_prefs;
734   // list of supported NPN/ALPN protocol strings in the order of
735   // preference.
736   std::vector<StringRef> npn_list;
737   // list of supported SSL/TLS protocol strings.
738   std::vector<StringRef> tls_proto_list;
739   std::vector<uint8_t> sct_data;
740   BIO_METHOD *bio_method;
741   // Bit mask to disable SSL/TLS protocol versions.  This will be
742   // passed to SSL_CTX_set_options().
743   long int tls_proto_mask;
744   StringRef backend_sni_name;
745   std::chrono::seconds session_timeout;
746   StringRef private_key_file;
747   StringRef private_key_passwd;
748   StringRef cert_file;
749   StringRef dh_param_file;
750   StringRef ciphers;
751   StringRef tls13_ciphers;
752   StringRef ecdh_curves;
753   StringRef cacert;
754   // The maximum amount of 0-RTT data that server accepts.
755   uint32_t max_early_data;
756   // The minimum and maximum TLS version.  These values are defined in
757   // OpenSSL header file.
758   int min_proto_version;
759   int max_proto_version;
760   bool insecure;
761   bool no_http2_cipher_block_list;
762   // true if forwarding requests included in TLS early data should not
763   // be postponed until TLS handshake finishes.
764   bool no_postpone_early_data;
765 };
766
767 #ifdef ENABLE_HTTP3
768 struct QUICConfig {
769   struct {
770     struct {
771       ev_tstamp idle;
772     } timeout;
773     struct {
774       bool log;
775     } debug;
776     struct {
777       StringRef dir;
778     } qlog;
779     ngtcp2_cc_algo congestion_controller;
780     bool early_data;
781     bool require_token;
782     StringRef secret_file;
783     ev_tstamp initial_rtt;
784   } upstream;
785   struct {
786     StringRef prog_file;
787     bool disabled;
788   } bpf;
789   std::array<uint8_t, SHRPX_QUIC_SERVER_IDLEN> server_id;
790 };
791
792 struct Http3Config {
793   struct {
794     size_t max_concurrent_streams;
795     int32_t window_size;
796     int32_t connection_window_size;
797     int32_t max_window_size;
798     int32_t max_connection_window_size;
799   } upstream;
800 };
801 #endif // ENABLE_HTTP3
802
803 // custom error page
804 struct ErrorPage {
805   // not NULL-terminated
806   std::vector<uint8_t> content;
807   // 0 is special value, and it matches all HTTP status code.
808   unsigned int http_status;
809 };
810
811 struct HttpConfig {
812   struct {
813     // obfuscated value used in "by" parameter of Forwarded header
814     // field.  This is only used when user defined static obfuscated
815     // string is provided.
816     StringRef by_obfuscated;
817     // bitwise-OR of one or more of shrpx_forwarded_param values.
818     uint32_t params;
819     // type of value recorded in "by" parameter of Forwarded header
820     // field.
821     ForwardedNode by_node_type;
822     // type of value recorded in "for" parameter of Forwarded header
823     // field.
824     ForwardedNode for_node_type;
825     bool strip_incoming;
826   } forwarded;
827   struct {
828     bool add;
829     bool strip_incoming;
830   } xff;
831   struct {
832     bool add;
833     bool strip_incoming;
834   } xfp;
835   struct {
836     bool strip_incoming;
837   } early_data;
838   std::vector<AltSvc> altsvcs;
839   // altsvcs serialized in a wire format.
840   StringRef altsvc_header_value;
841   std::vector<AltSvc> http2_altsvcs;
842   // http2_altsvcs serialized in a wire format.
843   StringRef http2_altsvc_header_value;
844   std::vector<ErrorPage> error_pages;
845   HeaderRefs add_request_headers;
846   HeaderRefs add_response_headers;
847   StringRef server_name;
848   // Port number which appears in Location header field when https
849   // redirect is made.
850   StringRef redirect_https_port;
851   size_t request_header_field_buffer;
852   size_t max_request_header_fields;
853   size_t response_header_field_buffer;
854   size_t max_response_header_fields;
855   size_t max_requests;
856   bool no_via;
857   bool no_location_rewrite;
858   bool no_host_rewrite;
859   bool no_server_rewrite;
860 };
861
862 struct Http2Config {
863   struct {
864     struct {
865       struct {
866         StringRef request_header_file;
867         StringRef response_header_file;
868         FILE *request_header;
869         FILE *response_header;
870       } dump;
871       bool frame_debug;
872     } debug;
873     struct {
874       ev_tstamp settings;
875     } timeout;
876     nghttp2_option *option;
877     nghttp2_option *alt_mode_option;
878     nghttp2_session_callbacks *callbacks;
879     size_t max_concurrent_streams;
880     size_t encoder_dynamic_table_size;
881     size_t decoder_dynamic_table_size;
882     int32_t window_size;
883     int32_t connection_window_size;
884     bool optimize_write_buffer_size;
885     bool optimize_window_size;
886   } upstream;
887   struct {
888     struct {
889       ev_tstamp settings;
890     } timeout;
891     nghttp2_option *option;
892     nghttp2_session_callbacks *callbacks;
893     size_t encoder_dynamic_table_size;
894     size_t decoder_dynamic_table_size;
895     int32_t window_size;
896     int32_t connection_window_size;
897     size_t max_concurrent_streams;
898   } downstream;
899   struct {
900     ev_tstamp stream_read;
901     ev_tstamp stream_write;
902   } timeout;
903   bool no_cookie_crumbling;
904   bool no_server_push;
905 };
906
907 struct LoggingConfig {
908   struct {
909     std::vector<LogFragment> format;
910     StringRef file;
911     // Send accesslog to syslog, ignoring accesslog_file.
912     bool syslog;
913     // Write accesslog when response headers are received from
914     // backend, rather than response body is received and sent.
915     bool write_early;
916   } access;
917   struct {
918     StringRef file;
919     // Send errorlog to syslog, ignoring errorlog_file.
920     bool syslog;
921   } error;
922   int syslog_facility;
923   int severity;
924 };
925
926 struct RateLimitConfig {
927   size_t rate;
928   size_t burst;
929 };
930
931 // Wildcard host pattern routing.  We strips left most '*' from host
932 // field.  router includes all path patterns sharing the same wildcard
933 // host.
934 struct WildcardPattern {
935   WildcardPattern(const StringRef &host) : host(host) {}
936
937   // This might not be NULL terminated.  Currently it is only used for
938   // comparison.
939   StringRef host;
940   Router router;
941 };
942
943 // Configuration to select backend to forward request
944 struct RouterConfig {
945   Router router;
946   // Router for reversed wildcard hosts.  Since this router has
947   // wildcard hosts reversed without '*', one should call match()
948   // function with reversed host stripping last character.  This is
949   // because we require at least one character must match for '*'.
950   // The index stored in this router is index of wildcard_patterns.
951   Router rev_wildcard_router;
952   std::vector<WildcardPattern> wildcard_patterns;
953 };
954
955 struct DownstreamConfig {
956   DownstreamConfig()
957       : balloc(1024, 1024),
958         timeout{},
959         addr_group_catch_all{0},
960         connections_per_host{0},
961         connections_per_frontend{0},
962         request_buffer_size{0},
963         response_buffer_size{0},
964         family{0} {}
965
966   DownstreamConfig(const DownstreamConfig &) = delete;
967   DownstreamConfig(DownstreamConfig &&) = delete;
968   DownstreamConfig &operator=(const DownstreamConfig &) = delete;
969   DownstreamConfig &operator=(DownstreamConfig &&) = delete;
970
971   // Allocator to allocate memory for Downstream configuration.  Since
972   // we may swap around DownstreamConfig in arbitrary times with API
973   // calls, we should use their own allocator instead of per Config
974   // allocator.
975   BlockAllocator balloc;
976   struct {
977     ev_tstamp read;
978     ev_tstamp write;
979     ev_tstamp idle_read;
980     ev_tstamp connect;
981     // The maximum backoff while checking health check for offline
982     // backend or while detaching failed backend from load balancing
983     // group temporarily.
984     ev_tstamp max_backoff;
985   } timeout;
986   RouterConfig router;
987   std::vector<DownstreamAddrGroupConfig> addr_groups;
988   // The index of catch-all group in downstream_addr_groups.
989   size_t addr_group_catch_all;
990   size_t connections_per_host;
991   size_t connections_per_frontend;
992   size_t request_buffer_size;
993   size_t response_buffer_size;
994   // Address family of backend connection.  One of either AF_INET,
995   // AF_INET6 or AF_UNSPEC.  This is ignored if backend connection
996   // is made via Unix domain socket.
997   int family;
998 };
999
1000 struct ConnectionConfig {
1001   struct {
1002     struct {
1003       ev_tstamp sleep;
1004     } timeout;
1005     // address of frontend acceptors
1006     std::vector<UpstreamAddr> addrs;
1007     int backlog;
1008     // TCP fastopen.  If this is positive, it is passed to
1009     // setsockopt() along with TCP_FASTOPEN.
1010     int fastopen;
1011   } listener;
1012
1013 #ifdef ENABLE_HTTP3
1014   struct {
1015     std::vector<UpstreamAddr> addrs;
1016   } quic_listener;
1017 #endif // ENABLE_HTTP3
1018
1019   struct {
1020     struct {
1021       ev_tstamp http2_read;
1022       ev_tstamp http3_read;
1023       ev_tstamp read;
1024       ev_tstamp write;
1025       ev_tstamp idle_read;
1026     } timeout;
1027     struct {
1028       RateLimitConfig read;
1029       RateLimitConfig write;
1030     } ratelimit;
1031     size_t worker_connections;
1032     // Deprecated.  See UpstreamAddr.accept_proxy_protocol.
1033     bool accept_proxy_protocol;
1034   } upstream;
1035
1036   std::shared_ptr<DownstreamConfig> downstream;
1037 };
1038
1039 struct APIConfig {
1040   // Maximum request body size for one API request
1041   size_t max_request_body;
1042   // true if at least one of UpstreamAddr has api enabled
1043   bool enabled;
1044 };
1045
1046 struct DNSConfig {
1047   struct {
1048     ev_tstamp cache;
1049     ev_tstamp lookup;
1050   } timeout;
1051   // The number of tries name resolver makes before abandoning
1052   // request.
1053   size_t max_try;
1054 };
1055
1056 struct Config {
1057   Config()
1058       : balloc(4096, 4096),
1059         downstream_http_proxy{},
1060         http{},
1061         http2{},
1062         tls{},
1063 #ifdef ENABLE_HTTP3
1064         quic{},
1065 #endif // ENABLE_HTTP3
1066         logging{},
1067         conn{},
1068         api{},
1069         dns{},
1070         config_revision{0},
1071         num_worker{0},
1072         padding{0},
1073         rlimit_nofile{0},
1074         rlimit_memlock{0},
1075         uid{0},
1076         gid{0},
1077         pid{0},
1078         verbose{false},
1079         daemon{false},
1080         http2_proxy{false},
1081         single_process{false},
1082         single_thread{false},
1083         ignore_per_pattern_mruby_error{false},
1084         ev_loop_flags{0},
1085         max_worker_processes{0},
1086         worker_process_grace_shutdown_period{0.} {
1087   }
1088   ~Config();
1089
1090   Config(Config &&) = delete;
1091   Config(const Config &&) = delete;
1092   Config &operator=(Config &&) = delete;
1093   Config &operator=(const Config &&) = delete;
1094
1095   // Allocator to allocate memory for this object except for
1096   // DownstreamConfig.  Currently, it is used to allocate memory for
1097   // strings.
1098   BlockAllocator balloc;
1099   HttpProxy downstream_http_proxy;
1100   HttpConfig http;
1101   Http2Config http2;
1102   TLSConfig tls;
1103 #ifdef ENABLE_HTTP3
1104   QUICConfig quic;
1105   Http3Config http3;
1106 #endif // ENABLE_HTTP3
1107   LoggingConfig logging;
1108   ConnectionConfig conn;
1109   APIConfig api;
1110   DNSConfig dns;
1111   StringRef pid_file;
1112   StringRef conf_path;
1113   StringRef user;
1114   StringRef mruby_file;
1115   // The revision of configuration which is opaque string, and changes
1116   // on each configuration reloading.  This does not change on
1117   // backendconfig API call.  This value is returned in health check
1118   // as "nghttpx-conf-rev" response header field.  The external
1119   // program can check this value to know whether reloading has
1120   // completed or not.
1121   uint64_t config_revision;
1122   size_t num_worker;
1123   size_t padding;
1124   size_t rlimit_nofile;
1125   size_t rlimit_memlock;
1126   uid_t uid;
1127   gid_t gid;
1128   pid_t pid;
1129   bool verbose;
1130   bool daemon;
1131   bool http2_proxy;
1132   // Run nghttpx in single process mode.  With this mode, signal
1133   // handling is omitted.
1134   bool single_process;
1135   bool single_thread;
1136   // Ignore mruby compile error for per-pattern mruby script.
1137   bool ignore_per_pattern_mruby_error;
1138   // flags passed to ev_default_loop() and ev_loop_new()
1139   int ev_loop_flags;
1140   size_t max_worker_processes;
1141   ev_tstamp worker_process_grace_shutdown_period;
1142 };
1143
1144 const Config *get_config();
1145 Config *mod_config();
1146 // Replaces the current config with given |new_config|.  The old config is
1147 // returned.
1148 std::unique_ptr<Config> replace_config(std::unique_ptr<Config> new_config);
1149 void create_config();
1150
1151 // generated by gennghttpxfun.py
1152 enum {
1153   SHRPX_OPTID_ACCEPT_PROXY_PROTOCOL,
1154   SHRPX_OPTID_ACCESSLOG_FILE,
1155   SHRPX_OPTID_ACCESSLOG_FORMAT,
1156   SHRPX_OPTID_ACCESSLOG_SYSLOG,
1157   SHRPX_OPTID_ACCESSLOG_WRITE_EARLY,
1158   SHRPX_OPTID_ADD_FORWARDED,
1159   SHRPX_OPTID_ADD_REQUEST_HEADER,
1160   SHRPX_OPTID_ADD_RESPONSE_HEADER,
1161   SHRPX_OPTID_ADD_X_FORWARDED_FOR,
1162   SHRPX_OPTID_ALTSVC,
1163   SHRPX_OPTID_API_MAX_REQUEST_BODY,
1164   SHRPX_OPTID_BACKEND,
1165   SHRPX_OPTID_BACKEND_ADDRESS_FAMILY,
1166   SHRPX_OPTID_BACKEND_CONNECT_TIMEOUT,
1167   SHRPX_OPTID_BACKEND_CONNECTIONS_PER_FRONTEND,
1168   SHRPX_OPTID_BACKEND_CONNECTIONS_PER_HOST,
1169   SHRPX_OPTID_BACKEND_HTTP_PROXY_URI,
1170   SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_FRONTEND,
1171   SHRPX_OPTID_BACKEND_HTTP1_CONNECTIONS_PER_HOST,
1172   SHRPX_OPTID_BACKEND_HTTP1_TLS,
1173   SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_BITS,
1174   SHRPX_OPTID_BACKEND_HTTP2_CONNECTION_WINDOW_SIZE,
1175   SHRPX_OPTID_BACKEND_HTTP2_CONNECTIONS_PER_WORKER,
1176   SHRPX_OPTID_BACKEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE,
1177   SHRPX_OPTID_BACKEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE,
1178   SHRPX_OPTID_BACKEND_HTTP2_MAX_CONCURRENT_STREAMS,
1179   SHRPX_OPTID_BACKEND_HTTP2_SETTINGS_TIMEOUT,
1180   SHRPX_OPTID_BACKEND_HTTP2_WINDOW_BITS,
1181   SHRPX_OPTID_BACKEND_HTTP2_WINDOW_SIZE,
1182   SHRPX_OPTID_BACKEND_IPV4,
1183   SHRPX_OPTID_BACKEND_IPV6,
1184   SHRPX_OPTID_BACKEND_KEEP_ALIVE_TIMEOUT,
1185   SHRPX_OPTID_BACKEND_MAX_BACKOFF,
1186   SHRPX_OPTID_BACKEND_NO_TLS,
1187   SHRPX_OPTID_BACKEND_READ_TIMEOUT,
1188   SHRPX_OPTID_BACKEND_REQUEST_BUFFER,
1189   SHRPX_OPTID_BACKEND_RESPONSE_BUFFER,
1190   SHRPX_OPTID_BACKEND_TLS,
1191   SHRPX_OPTID_BACKEND_TLS_SNI_FIELD,
1192   SHRPX_OPTID_BACKEND_WRITE_TIMEOUT,
1193   SHRPX_OPTID_BACKLOG,
1194   SHRPX_OPTID_CACERT,
1195   SHRPX_OPTID_CERTIFICATE_FILE,
1196   SHRPX_OPTID_CIPHERS,
1197   SHRPX_OPTID_CLIENT,
1198   SHRPX_OPTID_CLIENT_CERT_FILE,
1199   SHRPX_OPTID_CLIENT_CIPHERS,
1200   SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLACK_LIST,
1201   SHRPX_OPTID_CLIENT_NO_HTTP2_CIPHER_BLOCK_LIST,
1202   SHRPX_OPTID_CLIENT_PRIVATE_KEY_FILE,
1203   SHRPX_OPTID_CLIENT_PROXY,
1204   SHRPX_OPTID_CLIENT_PSK_SECRETS,
1205   SHRPX_OPTID_CONF,
1206   SHRPX_OPTID_DAEMON,
1207   SHRPX_OPTID_DH_PARAM_FILE,
1208   SHRPX_OPTID_DNS_CACHE_TIMEOUT,
1209   SHRPX_OPTID_DNS_LOOKUP_TIMEOUT,
1210   SHRPX_OPTID_DNS_MAX_TRY,
1211   SHRPX_OPTID_ECDH_CURVES,
1212   SHRPX_OPTID_ERROR_PAGE,
1213   SHRPX_OPTID_ERRORLOG_FILE,
1214   SHRPX_OPTID_ERRORLOG_SYSLOG,
1215   SHRPX_OPTID_FASTOPEN,
1216   SHRPX_OPTID_FETCH_OCSP_RESPONSE_FILE,
1217   SHRPX_OPTID_FORWARDED_BY,
1218   SHRPX_OPTID_FORWARDED_FOR,
1219   SHRPX_OPTID_FRONTEND,
1220   SHRPX_OPTID_FRONTEND_FRAME_DEBUG,
1221   SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_BITS,
1222   SHRPX_OPTID_FRONTEND_HTTP2_CONNECTION_WINDOW_SIZE,
1223   SHRPX_OPTID_FRONTEND_HTTP2_DECODER_DYNAMIC_TABLE_SIZE,
1224   SHRPX_OPTID_FRONTEND_HTTP2_DUMP_REQUEST_HEADER,
1225   SHRPX_OPTID_FRONTEND_HTTP2_DUMP_RESPONSE_HEADER,
1226   SHRPX_OPTID_FRONTEND_HTTP2_ENCODER_DYNAMIC_TABLE_SIZE,
1227   SHRPX_OPTID_FRONTEND_HTTP2_MAX_CONCURRENT_STREAMS,
1228   SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WINDOW_SIZE,
1229   SHRPX_OPTID_FRONTEND_HTTP2_OPTIMIZE_WRITE_BUFFER_SIZE,
1230   SHRPX_OPTID_FRONTEND_HTTP2_READ_TIMEOUT,
1231   SHRPX_OPTID_FRONTEND_HTTP2_SETTINGS_TIMEOUT,
1232   SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_BITS,
1233   SHRPX_OPTID_FRONTEND_HTTP2_WINDOW_SIZE,
1234   SHRPX_OPTID_FRONTEND_HTTP3_CONNECTION_WINDOW_SIZE,
1235   SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONCURRENT_STREAMS,
1236   SHRPX_OPTID_FRONTEND_HTTP3_MAX_CONNECTION_WINDOW_SIZE,
1237   SHRPX_OPTID_FRONTEND_HTTP3_MAX_WINDOW_SIZE,
1238   SHRPX_OPTID_FRONTEND_HTTP3_READ_TIMEOUT,
1239   SHRPX_OPTID_FRONTEND_HTTP3_WINDOW_SIZE,
1240   SHRPX_OPTID_FRONTEND_KEEP_ALIVE_TIMEOUT,
1241   SHRPX_OPTID_FRONTEND_MAX_REQUESTS,
1242   SHRPX_OPTID_FRONTEND_NO_TLS,
1243   SHRPX_OPTID_FRONTEND_QUIC_CONGESTION_CONTROLLER,
1244   SHRPX_OPTID_FRONTEND_QUIC_DEBUG_LOG,
1245   SHRPX_OPTID_FRONTEND_QUIC_EARLY_DATA,
1246   SHRPX_OPTID_FRONTEND_QUIC_IDLE_TIMEOUT,
1247   SHRPX_OPTID_FRONTEND_QUIC_INITIAL_RTT,
1248   SHRPX_OPTID_FRONTEND_QUIC_QLOG_DIR,
1249   SHRPX_OPTID_FRONTEND_QUIC_REQUIRE_TOKEN,
1250   SHRPX_OPTID_FRONTEND_QUIC_SECRET_FILE,
1251   SHRPX_OPTID_FRONTEND_READ_TIMEOUT,
1252   SHRPX_OPTID_FRONTEND_WRITE_TIMEOUT,
1253   SHRPX_OPTID_HEADER_FIELD_BUFFER,
1254   SHRPX_OPTID_HOST_REWRITE,
1255   SHRPX_OPTID_HTTP2_ALTSVC,
1256   SHRPX_OPTID_HTTP2_BRIDGE,
1257   SHRPX_OPTID_HTTP2_MAX_CONCURRENT_STREAMS,
1258   SHRPX_OPTID_HTTP2_NO_COOKIE_CRUMBLING,
1259   SHRPX_OPTID_HTTP2_PROXY,
1260   SHRPX_OPTID_IGNORE_PER_PATTERN_MRUBY_ERROR,
1261   SHRPX_OPTID_INCLUDE,
1262   SHRPX_OPTID_INSECURE,
1263   SHRPX_OPTID_LISTENER_DISABLE_TIMEOUT,
1264   SHRPX_OPTID_LOG_LEVEL,
1265   SHRPX_OPTID_MAX_HEADER_FIELDS,
1266   SHRPX_OPTID_MAX_REQUEST_HEADER_FIELDS,
1267   SHRPX_OPTID_MAX_RESPONSE_HEADER_FIELDS,
1268   SHRPX_OPTID_MAX_WORKER_PROCESSES,
1269   SHRPX_OPTID_MRUBY_FILE,
1270   SHRPX_OPTID_NO_ADD_X_FORWARDED_PROTO,
1271   SHRPX_OPTID_NO_HOST_REWRITE,
1272   SHRPX_OPTID_NO_HTTP2_CIPHER_BLACK_LIST,
1273   SHRPX_OPTID_NO_HTTP2_CIPHER_BLOCK_LIST,
1274   SHRPX_OPTID_NO_KQUEUE,
1275   SHRPX_OPTID_NO_LOCATION_REWRITE,
1276   SHRPX_OPTID_NO_OCSP,
1277   SHRPX_OPTID_NO_QUIC_BPF,
1278   SHRPX_OPTID_NO_SERVER_PUSH,
1279   SHRPX_OPTID_NO_SERVER_REWRITE,
1280   SHRPX_OPTID_NO_STRIP_INCOMING_EARLY_DATA,
1281   SHRPX_OPTID_NO_STRIP_INCOMING_X_FORWARDED_PROTO,
1282   SHRPX_OPTID_NO_VERIFY_OCSP,
1283   SHRPX_OPTID_NO_VIA,
1284   SHRPX_OPTID_NPN_LIST,
1285   SHRPX_OPTID_OCSP_STARTUP,
1286   SHRPX_OPTID_OCSP_UPDATE_INTERVAL,
1287   SHRPX_OPTID_PADDING,
1288   SHRPX_OPTID_PID_FILE,
1289   SHRPX_OPTID_PRIVATE_KEY_FILE,
1290   SHRPX_OPTID_PRIVATE_KEY_PASSWD_FILE,
1291   SHRPX_OPTID_PSK_SECRETS,
1292   SHRPX_OPTID_QUIC_BPF_PROGRAM_FILE,
1293   SHRPX_OPTID_QUIC_SERVER_ID,
1294   SHRPX_OPTID_READ_BURST,
1295   SHRPX_OPTID_READ_RATE,
1296   SHRPX_OPTID_REDIRECT_HTTPS_PORT,
1297   SHRPX_OPTID_REQUEST_HEADER_FIELD_BUFFER,
1298   SHRPX_OPTID_RESPONSE_HEADER_FIELD_BUFFER,
1299   SHRPX_OPTID_RLIMIT_MEMLOCK,
1300   SHRPX_OPTID_RLIMIT_NOFILE,
1301   SHRPX_OPTID_SERVER_NAME,
1302   SHRPX_OPTID_SINGLE_PROCESS,
1303   SHRPX_OPTID_SINGLE_THREAD,
1304   SHRPX_OPTID_STREAM_READ_TIMEOUT,
1305   SHRPX_OPTID_STREAM_WRITE_TIMEOUT,
1306   SHRPX_OPTID_STRIP_INCOMING_FORWARDED,
1307   SHRPX_OPTID_STRIP_INCOMING_X_FORWARDED_FOR,
1308   SHRPX_OPTID_SUBCERT,
1309   SHRPX_OPTID_SYSLOG_FACILITY,
1310   SHRPX_OPTID_TLS_DYN_REC_IDLE_TIMEOUT,
1311   SHRPX_OPTID_TLS_DYN_REC_WARMUP_THRESHOLD,
1312   SHRPX_OPTID_TLS_MAX_EARLY_DATA,
1313   SHRPX_OPTID_TLS_MAX_PROTO_VERSION,
1314   SHRPX_OPTID_TLS_MIN_PROTO_VERSION,
1315   SHRPX_OPTID_TLS_NO_POSTPONE_EARLY_DATA,
1316   SHRPX_OPTID_TLS_PROTO_LIST,
1317   SHRPX_OPTID_TLS_SCT_DIR,
1318   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED,
1319   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_ADDRESS_FAMILY,
1320   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_CERT_FILE,
1321   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_PRIVATE_KEY_FILE,
1322   SHRPX_OPTID_TLS_SESSION_CACHE_MEMCACHED_TLS,
1323   SHRPX_OPTID_TLS_TICKET_KEY_CIPHER,
1324   SHRPX_OPTID_TLS_TICKET_KEY_FILE,
1325   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED,
1326   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_ADDRESS_FAMILY,
1327   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_CERT_FILE,
1328   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_INTERVAL,
1329   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_FAIL,
1330   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_MAX_RETRY,
1331   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_PRIVATE_KEY_FILE,
1332   SHRPX_OPTID_TLS_TICKET_KEY_MEMCACHED_TLS,
1333   SHRPX_OPTID_TLS13_CIPHERS,
1334   SHRPX_OPTID_TLS13_CLIENT_CIPHERS,
1335   SHRPX_OPTID_USER,
1336   SHRPX_OPTID_VERIFY_CLIENT,
1337   SHRPX_OPTID_VERIFY_CLIENT_CACERT,
1338   SHRPX_OPTID_VERIFY_CLIENT_TOLERATE_EXPIRED,
1339   SHRPX_OPTID_WORKER_FRONTEND_CONNECTIONS,
1340   SHRPX_OPTID_WORKER_PROCESS_GRACE_SHUTDOWN_PERIOD,
1341   SHRPX_OPTID_WORKER_READ_BURST,
1342   SHRPX_OPTID_WORKER_READ_RATE,
1343   SHRPX_OPTID_WORKER_WRITE_BURST,
1344   SHRPX_OPTID_WORKER_WRITE_RATE,
1345   SHRPX_OPTID_WORKERS,
1346   SHRPX_OPTID_WRITE_BURST,
1347   SHRPX_OPTID_WRITE_RATE,
1348   SHRPX_OPTID_MAXIDX,
1349 };
1350
1351 // Looks up token for given option name |name| of length |namelen|.
1352 int option_lookup_token(const char *name, size_t namelen);
1353
1354 // Parses option name |opt| and value |optarg|.  The results are
1355 // stored into the object pointed by |config|. This function returns 0
1356 // if it succeeds, or -1.  The |included_set| contains the all paths
1357 // already included while processing this configuration, to avoid loop
1358 // in --include option.  The |pattern_addr_indexer| contains a pair of
1359 // pattern of backend, and its index in DownstreamConfig::addr_groups.
1360 // It is introduced to speed up loading configuration file with lots
1361 // of backends.
1362 int parse_config(Config *config, const StringRef &opt, const StringRef &optarg,
1363                  std::set<StringRef> &included_set,
1364                  std::map<StringRef, size_t> &pattern_addr_indexer);
1365
1366 // Similar to parse_config() above, but additional |optid| which
1367 // should be the return value of option_lookup_token(opt).
1368 int parse_config(Config *config, int optid, const StringRef &opt,
1369                  const StringRef &optarg, std::set<StringRef> &included_set,
1370                  std::map<StringRef, size_t> &pattern_addr_indexer);
1371
1372 // Loads configurations from |filename| and stores them in |config|.
1373 // This function returns 0 if it succeeds, or -1.  See parse_config()
1374 // for |include_set|.
1375 int load_config(Config *config, const char *filename,
1376                 std::set<StringRef> &include_set,
1377                 std::map<StringRef, size_t> &pattern_addr_indexer);
1378
1379 // Parses header field in |optarg|.  We expect header field is formed
1380 // like "NAME: VALUE".  We require that NAME is non empty string.  ":"
1381 // is allowed at the start of the NAME, but NAME == ":" is not
1382 // allowed.  This function returns pair of NAME and VALUE.
1383 HeaderRefs::value_type parse_header(BlockAllocator &balloc,
1384                                     const StringRef &optarg);
1385
1386 std::vector<LogFragment> parse_log_format(BlockAllocator &balloc,
1387                                           const StringRef &optarg);
1388
1389 // Returns string for syslog |facility|.
1390 StringRef str_syslog_facility(int facility);
1391
1392 // Returns integer value of syslog |facility| string.
1393 int int_syslog_facility(const StringRef &strfacility);
1394
1395 FILE *open_file_for_write(const char *filename);
1396
1397 // Reads TLS ticket key file in |files| and returns TicketKey which
1398 // stores read key data.  The given |cipher| and |hmac| determine the
1399 // expected file size.  This function returns TicketKey if it
1400 // succeeds, or nullptr.
1401 std::unique_ptr<TicketKeys>
1402 read_tls_ticket_key_file(const std::vector<StringRef> &files,
1403                          const EVP_CIPHER *cipher, const EVP_MD *hmac);
1404
1405 #ifdef ENABLE_HTTP3
1406 std::shared_ptr<QUICKeyingMaterials>
1407 read_quic_secret_file(const StringRef &path);
1408 #endif // ENABLE_HTTP3
1409
1410 // Returns string representation of |proto|.
1411 StringRef strproto(Proto proto);
1412
1413 int configure_downstream_group(Config *config, bool http2_proxy,
1414                                bool numeric_addr_only,
1415                                const TLSConfig &tlsconf);
1416
1417 int resolve_hostname(Address *addr, const char *hostname, uint16_t port,
1418                      int family, int additional_flags = 0);
1419
1420 } // namespace shrpx
1421
1422 #endif // SHRPX_CONFIG_H
Domain: Network & Connectivity / Data Network;