2 * nghttp2 - HTTP/2 C Library
4 * Copyright (c) 2012 Tatsuhiro Tsujikawa
6 * Permission is hereby granted, free of charge, to any person obtaining
7 * a copy of this software and associated documentation files (the
8 * "Software"), to deal in the Software without restriction, including
9 * without limitation the rights to use, copy, modify, merge, publish,
10 * distribute, sublicense, and/or sell copies of the Software, and to
11 * permit persons to whom the Software is furnished to do so, subject to
12 * the following conditions:
14 * The above copyright notice and this permission notice shall be
15 * included in all copies or substantial portions of the Software.
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
18 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
19 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
20 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
21 * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
22 * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
23 * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
25 #ifndef SHRPX_CONNECTION_HANDLER_H
26 #define SHRPX_CONNECTION_HANDLER_H
30 #include <sys/types.h>
31 #ifdef HAVE_SYS_SOCKET_H
32 # include <sys/socket.h>
33 #endif // HAVE_SYS_SOCKET_H
44 # include <bpf/libbpf.h>
47 #include <openssl/ssl.h>
51 #ifdef HAVE_NEVERBLEED
52 # include <neverbleed.h>
53 #endif // HAVE_NEVERBLEED
55 #include "shrpx_downstream_connection_pool.h"
56 #include "shrpx_config.h"
57 #include "shrpx_exec.h"
67 class MemcachedDispatcher;
76 struct OCSPUpdateContext {
77 // ocsp response buffer
78 std::vector<uint8_t> resp;
79 // Process running fetch-ocsp-response script
81 // index to ConnectionHandler::all_ssl_ctx_, which points to next
82 // SSL_CTX to update ocsp response cache.
86 // errno encountered while processing response
90 // SerialEvent is an event sent from Worker thread.
91 enum class SerialEventType {
97 // ctor for event uses DownstreamConfig
98 SerialEvent(SerialEventType type,
99 const std::shared_ptr<DownstreamConfig> &downstreamconf)
100 : type(type), downstreamconf(downstreamconf) {}
102 SerialEventType type;
103 std::shared_ptr<DownstreamConfig> downstreamconf;
113 # endif // HAVE_LIBBPF
115 // QUIC IPC message type.
116 enum class QUICIPCType {
118 // Send forwarded QUIC UDP datagram and its metadata.
122 // WorkerProcesses which are in graceful shutdown period.
123 struct QUICLingeringWorkerProcess {
124 QUICLingeringWorkerProcess(
125 std::vector<std::array<uint8_t, SHRPX_QUIC_CID_PREFIXLEN>> cid_prefixes,
127 : cid_prefixes{std::move(cid_prefixes)}, quic_ipc_fd{quic_ipc_fd} {}
129 std::vector<std::array<uint8_t, SHRPX_QUIC_CID_PREFIXLEN>> cid_prefixes;
130 // Socket to send QUIC IPC message to this worker process.
133 #endif // ENABLE_HTTP3
135 class ConnectionHandler {
137 ConnectionHandler(struct ev_loop *loop, std::mt19937 &gen);
138 ~ConnectionHandler();
139 int handle_connection(int fd, sockaddr *addr, int addrlen,
140 const UpstreamAddr *faddr);
141 // Creates Worker object for single threaded configuration.
142 int create_single_worker();
143 // Creates |num| Worker objects for multi threaded configuration.
144 // The |num| must be strictly more than 1.
145 int create_worker_thread(size_t num);
147 set_ticket_keys_to_worker(const std::shared_ptr<TicketKeys> &ticket_keys);
148 void worker_reopen_log_files();
149 void set_ticket_keys(std::shared_ptr<TicketKeys> ticket_keys);
150 const std::shared_ptr<TicketKeys> &get_ticket_keys() const;
151 struct ev_loop *get_loop() const;
152 Worker *get_single_worker() const;
153 void add_acceptor(std::unique_ptr<AcceptHandler> h);
154 void delete_acceptor();
155 void enable_acceptor();
156 void disable_acceptor();
157 void sleep_acceptor(ev_tstamp t);
158 void accept_pending_connection();
159 void graceful_shutdown_worker();
160 void set_graceful_shutdown(bool f);
161 bool get_graceful_shutdown() const;
164 // Cancels ocsp update process
165 void cancel_ocsp_update();
166 // Starts ocsp update for certficate |cert_file|.
167 int start_ocsp_update(const char *cert_file);
168 // Reads incoming data from ocsp update process
169 void read_ocsp_chunk();
170 // Handles the completion of one ocsp update
171 void handle_ocsp_complete();
174 // Proceeds to the next certificate's ocsp update. If all
175 // certificates' ocsp update has been done, schedule next ocsp
177 void proceed_next_cert_ocsp();
179 void set_tls_ticket_key_memcached_dispatcher(
180 std::unique_ptr<MemcachedDispatcher> dispatcher);
182 MemcachedDispatcher *get_tls_ticket_key_memcached_dispatcher() const;
183 void on_tls_ticket_key_network_error(ev_timer *w);
184 void on_tls_ticket_key_not_found(ev_timer *w);
186 on_tls_ticket_key_get_success(const std::shared_ptr<TicketKeys> &ticket_keys,
188 void schedule_next_tls_ticket_key_memcached_get(ev_timer *w);
189 SSL_CTX *create_tls_ticket_key_memcached_ssl_ctx();
190 // Returns the SSL_CTX at all_ssl_ctx_[idx]. This does not perform
191 // array bound checking.
192 SSL_CTX *get_ssl_ctx(size_t idx) const;
194 const std::vector<SSL_CTX *> &get_indexed_ssl_ctx(size_t idx) const;
196 const std::vector<SSL_CTX *> &get_quic_indexed_ssl_ctx(size_t idx) const;
198 int forward_quic_packet(const UpstreamAddr *faddr, const Address &remote_addr,
199 const Address &local_addr, const uint8_t *cid_prefix,
200 const uint8_t *data, size_t datalen);
202 void set_quic_keying_materials(std::shared_ptr<QUICKeyingMaterials> qkms);
203 const std::shared_ptr<QUICKeyingMaterials> &get_quic_keying_materials() const;
205 void set_cid_prefixes(
206 const std::vector<std::array<uint8_t, SHRPX_QUIC_CID_PREFIXLEN>>
209 void set_quic_lingering_worker_processes(
210 const std::vector<QUICLingeringWorkerProcess> &quic_lwps);
212 // Return matching QUICLingeringWorkerProcess which has a CID prefix
213 // such that |dcid| starts with it. If no such
214 // QUICLingeringWorkerProcess, it returns nullptr.
215 QUICLingeringWorkerProcess *
216 match_quic_lingering_worker_process_cid_prefix(const uint8_t *dcid,
219 int forward_quic_packet_to_lingering_worker_process(
220 QUICLingeringWorkerProcess *quic_lwp, const Address &remote_addr,
221 const Address &local_addr, const uint8_t *data, size_t datalen);
223 void set_quic_ipc_fd(int fd);
228 std::vector<BPFRef> &get_quic_bpf_refs();
229 void unload_bpf_objects();
230 # endif // HAVE_LIBBPF
231 #endif // ENABLE_HTTP3
233 #ifdef HAVE_NEVERBLEED
234 void set_neverbleed(neverbleed_t *nb);
235 #endif // HAVE_NEVERBLEED
237 // Send SerialEvent SerialEventType::REPLACE_DOWNSTREAM to this
239 void send_replace_downstream(
240 const std::shared_ptr<DownstreamConfig> &downstreamconf);
241 // Internal function to send |ev| to this object.
242 void send_serial_event(SerialEvent ev);
243 // Handles SerialEvents received.
244 void handle_serial_event();
245 // Sends WorkerEvent to make them replace downstream.
247 worker_replace_downstream(std::shared_ptr<DownstreamConfig> downstreamconf);
249 void set_enable_acceptor_on_ocsp_completion(bool f);
252 // Stores all SSL_CTX objects.
253 std::vector<SSL_CTX *> all_ssl_ctx_;
254 // Stores all SSL_CTX objects in a way that its index is stored in
255 // cert_tree. The SSL_CTXs stored in the same index share the same
256 // hostname, but could have different signature algorithm. The
257 // selection among them are performed by hostname presented by SNI,
258 // and signature algorithm presented by client.
259 std::vector<std::vector<SSL_CTX *>> indexed_ssl_ctx_;
261 std::vector<std::array<uint8_t, SHRPX_QUIC_CID_PREFIXLEN>> cid_prefixes_;
262 std::vector<std::array<uint8_t, SHRPX_QUIC_CID_PREFIXLEN>>
263 lingering_cid_prefixes_;
265 std::vector<QUICLingeringWorkerProcess> quic_lingering_worker_processes_;
267 std::vector<BPFRef> quic_bpf_refs_;
268 # endif // HAVE_LIBBPF
269 std::shared_ptr<QUICKeyingMaterials> quic_keying_materials_;
270 std::vector<SSL_CTX *> quic_all_ssl_ctx_;
271 std::vector<std::vector<SSL_CTX *>> quic_indexed_ssl_ctx_;
272 #endif // ENABLE_HTTP3
273 OCSPUpdateContext ocsp_;
275 // ev_loop for each worker
276 std::vector<struct ev_loop *> worker_loops_;
277 // Worker instances when multi threaded mode (-nN, N >= 2) is used.
278 // If at least one frontend enables API request, we allocate 1
279 // additional worker dedicated to API request .
280 std::vector<std::unique_ptr<Worker>> workers_;
281 // mutex for serial event resive buffer handling
282 std::mutex serial_event_mu_;
283 // SerialEvent receive buffer
284 std::vector<SerialEvent> serial_events_;
285 // Worker instance used when single threaded mode (-n1) is used.
286 // Otherwise, nullptr and workers_ has instances of Worker instead.
287 std::unique_ptr<Worker> single_worker_;
288 std::unique_ptr<tls::CertLookupTree> cert_tree_;
290 std::unique_ptr<tls::CertLookupTree> quic_cert_tree_;
291 #endif // ENABLE_HTTP3
292 std::unique_ptr<MemcachedDispatcher> tls_ticket_key_memcached_dispatcher_;
293 // Current TLS session ticket keys. Note that TLS connection does
294 // not refer to this field directly. They use TicketKeys object in
296 std::shared_ptr<TicketKeys> ticket_keys_;
297 struct ev_loop *loop_;
298 std::vector<std::unique_ptr<AcceptHandler>> acceptors_;
299 #ifdef HAVE_NEVERBLEED
301 #endif // HAVE_NEVERBLEED
302 ev_timer disable_acceptor_timer_;
303 ev_timer ocsp_timer_;
304 ev_async thread_join_asyncev_;
305 ev_async serial_event_asyncev_;
307 std::future<void> thread_join_fut_;
309 size_t tls_ticket_key_memcached_get_retry_count_;
310 size_t tls_ticket_key_memcached_fail_count_;
311 unsigned int worker_round_robin_cnt_;
312 bool graceful_shutdown_;
313 // true if acceptors should be enabled after the initial ocsp update
315 bool enable_acceptor_on_ocsp_completion_;
320 #endif // SHRPX_CONNECTION_HANDLER_H