nghttp2/nghttp2
1
0
Fork 0
mirror of https://github.com/nghttp2/nghttp2.git synced 2025-12-07 02:28:53 +08:00
Code Issues Projects Releases Wiki Activity

Compare commits

base: nghttp2:v1.39.0
Branches Tags
nghttp2:master nghttp2:src-slist nghttp2:copilot/find-unused-functions-and-macros nghttp2:v1.67.x nghttp2:v1.62.x nghttp2:invoke-result nghttp2:v1.55.x nghttp2:android-docker nghttp2:v1.45.x nghttp2:nghttpx-http3 nghttp2:quic nghttp2:gh-actions nghttp2:v1.39.x nghttp2:v1.35.x nghttp2:v1.32.x nghttp2:ws nghttp2:v1.31.x nghttp2:tls13-early-data-strike-reg nghttp2:v1.23.x nghttp2:nproc nghttp2:v1.21.x nghttp2:nghttpx-usr2-graceful-shutdown nghttp2:asio_threading nghttp2:boringssl-tls13 nghttp2:v1.18.x nghttp2:v1.16.x nghttp2:v1.14.x nghttp2:cache-digest nghttp2:v1.11.x nghttp2:http-parser-unknown-method nghttp2:v1.9.x nghttp2:v1.7.x nghttp2:hpack-8bits nghttp2:gh-pages nghttp2:v0.3-fix
nghttp2:v1.68.0 nghttp2:v1.67.1 nghttp2:v1.67.0 nghttp2:v1.66.0 nghttp2:v1.65.0 nghttp2:v1.64.0 nghttp2:v1.63.0 nghttp2:v1.62.1 nghttp2:v1.62.0 nghttp2:v1.61.0 nghttp2:v1.60.0 nghttp2:v1.59.0 nghttp2:v1.58.0 nghttp2:v1.57.0 nghttp2:v1.56.0 nghttp2:v1.55.1 nghttp2:v1.55.0 nghttp2:v1.54.0 nghttp2:v1.53.0 nghttp2:v1.52.0 nghttp2:v1.51.0 nghttp2:v1.50.0 nghttp2:v1.49.0 nghttp2:v1.48.0 nghttp2:v1.47.0 nghttp2:v1.46.0 nghttp2:v1.45.1 nghttp2:v1.45.0 nghttp2:v1.44.0 nghttp2:v1.43.0 nghttp2:v1.42.0 nghttp2:v1.41.0 nghttp2:v1.40.0 nghttp2:v1.39.2 nghttp2:v1.39.1 nghttp2:v1.39.0 nghttp2:v1.38.0 nghttp2:v1.37.0 nghttp2:v1.36.0 nghttp2:v1.35.1 nghttp2:v1.35.0 nghttp2:v1.34.0 nghttp2:v1.33.0 nghttp2:v1.32.1 nghttp2:v1.32.0 nghttp2:v1.31.1 nghttp2:v1.31.0 nghttp2:v1.30.0 nghttp2:v1.29.0 nghttp2:v1.28.0 nghttp2:v1.27.0 nghttp2:v1.26.0 nghttp2:v1.25.0 nghttp2:v1.24.0 nghttp2:v1.23.1 nghttp2:v1.23.0 nghttp2:v1.22.0 nghttp2:v1.21.1 nghttp2:v1.21.0 nghttp2:v1.20.0 nghttp2:v1.19.0 nghttp2:v1.18.1 nghttp2:v1.18.0 nghttp2:v1.17.0 nghttp2:v1.16.1 nghttp2:v1.16.0 nghttp2:v1.15.0 nghttp2:v1.14.1 nghttp2:v1.14.0 nghttp2:v1.13.0 nghttp2:v1.12.0 nghttp2:v1.11.1 nghttp2:v1.11.0 nghttp2:v1.10.0 nghttp2:v1.9.2 nghttp2:v1.9.1 nghttp2:v1.9.0 nghttp2:v1.8.0 nghttp2:v1.7.1 nghttp2:v1.7.0 nghttp2:v1.6.0 nghttp2:v1.5.0 nghttp2:v1.4.0 nghttp2:v1.3.4 nghttp2:v1.3.3 nghttp2:v1.3.2 nghttp2:v1.3.1 nghttp2:v1.3.0 nghttp2:v1.2.1 nghttp2:v1.2.0 nghttp2:v1.1.2 nghttp2:v1.1.1 nghttp2:v1.1.0 nghttp2:v1.0.5 nghttp2:v1.0.4 nghttp2:v1.0.3 nghttp2:v1.0.2 nghttp2:v1.0.1 nghttp2:v1.0.0 nghttp2:v0.7.15 nghttp2:v0.7.14 nghttp2:v0.7.13 nghttp2:v0.7.12 nghttp2:v0.7.11 nghttp2:v0.7.10 nghttp2:v0.7.9 nghttp2:v0.7.8 nghttp2:v0.7.7 nghttp2:v0.7.6 nghttp2:v0.7.5 nghttp2:v0.7.4 nghttp2:v0.7.3 nghttp2:v0.7.2 nghttp2:v0.7.1 nghttp2:v0.7.0 nghttp2:v0.6.7 nghttp2:v0.6.6 nghttp2:v0.6.5 nghttp2:v0.6.4 nghttp2:v0.6.3 nghttp2:v0.6.2 nghttp2:v0.6.1 nghttp2:v0.6.0 nghttp2:v0.5.1 nghttp2:v0.5.0 nghttp2:v0.4.1 nghttp2:v0.4.0 nghttp2:v0.3.2 nghttp2:v0.3.1 nghttp2:v0.3.0 nghttp2:v0.2.0 nghttp2:v0.1.0
..
compare: nghttp2:boringssl-tls13
Branches Tags
nghttp2:master nghttp2:src-slist nghttp2:copilot/find-unused-functions-and-macros nghttp2:v1.67.x nghttp2:v1.62.x nghttp2:invoke-result nghttp2:v1.55.x nghttp2:android-docker nghttp2:v1.45.x nghttp2:nghttpx-http3 nghttp2:quic nghttp2:gh-actions nghttp2:v1.39.x nghttp2:v1.35.x nghttp2:v1.32.x nghttp2:ws nghttp2:v1.31.x nghttp2:tls13-early-data-strike-reg nghttp2:v1.23.x nghttp2:nproc nghttp2:v1.21.x nghttp2:nghttpx-usr2-graceful-shutdown nghttp2:asio_threading nghttp2:boringssl-tls13 nghttp2:v1.18.x nghttp2:v1.16.x nghttp2:v1.14.x nghttp2:cache-digest nghttp2:v1.11.x nghttp2:http-parser-unknown-method nghttp2:v1.9.x nghttp2:v1.7.x nghttp2:hpack-8bits nghttp2:gh-pages nghttp2:v0.3-fix
nghttp2:v1.68.0 nghttp2:v1.67.1 nghttp2:v1.67.0 nghttp2:v1.66.0 nghttp2:v1.65.0 nghttp2:v1.64.0 nghttp2:v1.63.0 nghttp2:v1.62.1 nghttp2:v1.62.0 nghttp2:v1.61.0 nghttp2:v1.60.0 nghttp2:v1.59.0 nghttp2:v1.58.0 nghttp2:v1.57.0 nghttp2:v1.56.0 nghttp2:v1.55.1 nghttp2:v1.55.0 nghttp2:v1.54.0 nghttp2:v1.53.0 nghttp2:v1.52.0 nghttp2:v1.51.0 nghttp2:v1.50.0 nghttp2:v1.49.0 nghttp2:v1.48.0 nghttp2:v1.47.0 nghttp2:v1.46.0 nghttp2:v1.45.1 nghttp2:v1.45.0 nghttp2:v1.44.0 nghttp2:v1.43.0 nghttp2:v1.42.0 nghttp2:v1.41.0 nghttp2:v1.40.0 nghttp2:v1.39.2 nghttp2:v1.39.1 nghttp2:v1.39.0 nghttp2:v1.38.0 nghttp2:v1.37.0 nghttp2:v1.36.0 nghttp2:v1.35.1 nghttp2:v1.35.0 nghttp2:v1.34.0 nghttp2:v1.33.0 nghttp2:v1.32.1 nghttp2:v1.32.0 nghttp2:v1.31.1 nghttp2:v1.31.0 nghttp2:v1.30.0 nghttp2:v1.29.0 nghttp2:v1.28.0 nghttp2:v1.27.0 nghttp2:v1.26.0 nghttp2:v1.25.0 nghttp2:v1.24.0 nghttp2:v1.23.1 nghttp2:v1.23.0 nghttp2:v1.22.0 nghttp2:v1.21.1 nghttp2:v1.21.0 nghttp2:v1.20.0 nghttp2:v1.19.0 nghttp2:v1.18.1 nghttp2:v1.18.0 nghttp2:v1.17.0 nghttp2:v1.16.1 nghttp2:v1.16.0 nghttp2:v1.15.0 nghttp2:v1.14.1 nghttp2:v1.14.0 nghttp2:v1.13.0 nghttp2:v1.12.0 nghttp2:v1.11.1 nghttp2:v1.11.0 nghttp2:v1.10.0 nghttp2:v1.9.2 nghttp2:v1.9.1 nghttp2:v1.9.0 nghttp2:v1.8.0 nghttp2:v1.7.1 nghttp2:v1.7.0 nghttp2:v1.6.0 nghttp2:v1.5.0 nghttp2:v1.4.0 nghttp2:v1.3.4 nghttp2:v1.3.3 nghttp2:v1.3.2 nghttp2:v1.3.1 nghttp2:v1.3.0 nghttp2:v1.2.1 nghttp2:v1.2.0 nghttp2:v1.1.2 nghttp2:v1.1.1 nghttp2:v1.1.0 nghttp2:v1.0.5 nghttp2:v1.0.4 nghttp2:v1.0.3 nghttp2:v1.0.2 nghttp2:v1.0.1 nghttp2:v1.0.0 nghttp2:v0.7.15 nghttp2:v0.7.14 nghttp2:v0.7.13 nghttp2:v0.7.12 nghttp2:v0.7.11 nghttp2:v0.7.10 nghttp2:v0.7.9 nghttp2:v0.7.8 nghttp2:v0.7.7 nghttp2:v0.7.6 nghttp2:v0.7.5 nghttp2:v0.7.4 nghttp2:v0.7.3 nghttp2:v0.7.2 nghttp2:v0.7.1 nghttp2:v0.7.0 nghttp2:v0.6.7 nghttp2:v0.6.6 nghttp2:v0.6.5 nghttp2:v0.6.4 nghttp2:v0.6.3 nghttp2:v0.6.2 nghttp2:v0.6.1 nghttp2:v0.6.0 nghttp2:v0.5.1 nghttp2:v0.5.0 nghttp2:v0.4.1 nghttp2:v0.4.0 nghttp2:v0.3.2 nghttp2:v0.3.1 nghttp2:v0.3.0 nghttp2:v0.2.0 nghttp2:v0.1.0

1 Commits
v1.39.0 ... boringssl-

Author SHA1 Message Date
Tatsuhiro Tsujikawa
f1beff1e10 src: Enable TLS 1.3 with boringssl 
This commit enables TLS 1.3 using latest boringssl.  This doesn't
compile with OpenSSL or libressl at the moment.
 2017-01-09 23:16:15 +09:00
451 changed files with 16043 additions and 23800 deletions
Expand all files Collapse all files

32
.clang-format
View File

@@ -4,7 +4,7 @@ AccessModifierOffset: -2
AlignAfterOpenBracket: Align
AlignConsecutiveAssignments: false
AlignConsecutiveDeclarations: false
AlignEscapedNewlines: Right
AlignEscapedNewlinesLeft: false
AlignOperands: true
AlignTrailingComments: true
AllowAllParametersOfDeclarationOnNextLine: true
@@ -16,7 +16,7 @@ AllowShortLoopsOnASingleLine: false
AlwaysBreakAfterDefinitionReturnType: None
AlwaysBreakAfterReturnType: None
AlwaysBreakBeforeMultilineStrings: false
AlwaysBreakTemplateDeclarations: MultiLine
AlwaysBreakTemplateDeclarations: false
BinPackArguments: true
BinPackParameters: true
BraceWrapping:
@@ -28,25 +28,17 @@ BraceWrapping:
AfterObjCDeclaration: false
AfterStruct: false
AfterUnion: false
AfterExternBlock: false
BeforeCatch: false
BeforeElse: false
IndentBraces: false
SplitEmptyFunction: true
SplitEmptyRecord: true
SplitEmptyNamespace: true
BreakBeforeBinaryOperators: None
BreakBeforeBraces: Attach
BreakBeforeInheritanceComma: false
BreakInheritanceList: BeforeColon
BreakBeforeTernaryOperators: true
BreakConstructorInitializersBeforeComma: false
BreakConstructorInitializers: BeforeColon
BreakAfterJavaFieldAnnotations: false
BreakStringLiterals: true
ColumnLimit: 80
CommentPragmas: '^ IWYU pragma:'
CompactNamespaces: false
ConstructorInitializerAllOnOneLineOrOnePerLine: true
ConstructorInitializerIndentWidth: 4
ContinuationIndentWidth: 4
@@ -54,12 +46,7 @@ Cpp11BracedListStyle: true
DerivePointerAlignment: false
DisableFormat: false
ExperimentalAutoDetectBinPacking: false
FixNamespaceComments: true
ForEachMacros:
- foreach
- Q_FOREACH
- BOOST_FOREACH
IncludeBlocks: Preserve
ForEachMacros: [ foreach, Q_FOREACH, BOOST_FOREACH ]
IncludeCategories:
- Regex: '^"(llvm|llvm-c|clang|clang-c)/'
Priority: 2
@@ -69,7 +56,6 @@ IncludeCategories:
Priority: 1
IncludeIsMainRegex: '$'
IndentCaseLabels: false
IndentPPDirectives: AfterHash
IndentWidth: 2
IndentWrappedFunctionNames: false
JavaScriptQuotes: Leave
@@ -79,30 +65,21 @@ MacroBlockBegin: ''
MacroBlockEnd: ''
MaxEmptyLinesToKeep: 1
NamespaceIndentation: None
ObjCBinPackProtocolList: Auto
ObjCBlockIndentWidth: 2
ObjCSpaceAfterProperty: false
ObjCSpaceBeforeProtocolList: true
PenaltyBreakAssignment: 2
PenaltyBreakBeforeFirstCallParameter: 19
PenaltyBreakComment: 300
PenaltyBreakFirstLessLess: 120
PenaltyBreakString: 1000
PenaltyBreakTemplateDeclaration: 10
PenaltyExcessCharacter: 1000000
PenaltyReturnTypeOnItsOwnLine: 60
PointerAlignment: Right
ReflowComments: true
SortIncludes: false
SortUsingDeclarations: true
SpaceAfterCStyleCast: false
SpaceAfterTemplateKeyword: true
SpaceBeforeAssignmentOperators: true
SpaceBeforeCpp11BracedList: false
SpaceBeforeCtorInitializerColon: true
SpaceBeforeInheritanceColon: true
SpaceBeforeParens: ControlStatements
SpaceBeforeRangeBasedForLoopColon: true
SpaceInEmptyParentheses: false
SpacesBeforeTrailingComments: 1
SpacesInAngles: false
@@ -111,9 +88,6 @@ SpacesInCStyleCastParentheses: false
SpacesInParentheses: false
SpacesInSquareBrackets: false
Standard: Cpp11
StatementMacros:
- Q_UNUSED
- QT_REQUIRE_VERSION
TabWidth: 8
UseTab: Never
...

3
.gitmodules vendored
View File

@@ -3,5 +3,4 @@
url = https://github.com/mruby/mruby
[submodule "third-party/neverbleed"]
path = third-party/neverbleed
url = https://github.com/tatsuhiro-t/neverbleed.git
branch = openssl111fix
url = https://github.com/h2o/neverbleed.git

84
.travis.yml
View File

@@ -1,27 +1,20 @@
dist: xenial
os:
- linux
compiler:
- clang
- gcc
env:
matrix:
- CI_BUILD=cmake
- CI_BUILD=autotools
matrix:
include:
- os: osx
compiler: clang
osx_image: xcode10.2
env: CI_BUILD=autotools
language: cpp
sudo: required
compiler:
- clang
- gcc
sudo: false
addons:
apt:
sources:
- ubuntu-toolchain-r-test
- george-edison55-precise-backports
packages:
- g++-8
- g++-4.9
- libstdc++-4.9-dev
- autoconf
- automake
- autotools-dev
@@ -38,52 +31,35 @@ addons:
- libc-ares-dev
- cmake
- cmake-data
homebrew:
packages:
- libev
- libevent
- c-ares
- cunit
- libressl
before_install:
- $CC --version
- if [ "$CXX" = "g++" ]; then export CXX="g++-8" CC="gcc-8"; fi
- if [ "$CXX" = "g++" ]; then export CXX="g++-4.9" CC="gcc-4.9"; fi
- $CC --version
- go version
- cmake --version
before_script:
- |
if [ "$TRAVIS_OS_NAME" = "linux" ]; then
CPPFLAGS="-fsanitize=address" LDFLAGS="-fsanitize=address -fuse-ld=gold"
fi
- |
if [ "$TRAVIS_OS_NAME" = "osx" ]; then
PKG_CONFIG_PATH="/usr/local/opt/libressl/lib/pkgconfig:/usr/local/opt/libxml2/lib/pkgconfig"
fi
# First build spdylay, since integration tests require it.
# spdylay is going to be built under third-party/spdylay
- cd third-party
- git clone https://github.com/tatsuhiro-t/spdylay.git
- cd spdylay
- autoreconf -i
# Don't use ASAN for spdylay since failmalloc does not work with it.
- ./configure --disable-src --disable-examples
- make check
- export SPDYLAY_HOME=$PWD
- cd ../..
# Now build nghttp2
- if [ "$CI_BUILD" = "autotools" ]; then autoreconf -i; fi
- git submodule update --init
- |
if [ "$CI_BUILD" = "autotools" ]; then
autoreconf -i && ./configure --with-mruby PKG_CONFIG_PATH=$PKG_CONFIG_PATH
fi
- |
if [ "$CI_BUILD" = "cmake" ]; then
cmake -DENABLE_WERROR=1 -DWITH_MRUBY=1 -DWITH_NEVERBLEED=1
fi
- if [ "$CI_BUILD" = "autotools" ]; then ./configure --enable-werror --with-mruby --with-neverbleed LIBSPDYLAY_CFLAGS="-I$SPDYLAY_HOME/lib/includes" LIBSPDYLAY_LIBS="-L$SPDYLAY_HOME/lib/.libs -lspdylay" CPPFLAGS=-fsanitize=address LDFLAGS=-fsanitize=address; fi
- if [ "$CI_BUILD" = "cmake" ]; then cmake -DENABLE_WERROR=1 -DWITH_MRUBY=1 -DWITH_NEVERBLEED=1 -DSPDYLAY_INCLUDE_DIR="$SPDYLAY_HOME/lib/includes" -DSPDYLAY_LIBRARY="$SPDYLAY_HOME/lib/.libs/libspdylay.so"; fi
script:
- |
if [ "$CI_BUILD" = "autotools" ]; then
make distcheck DISTCHECK_CONFIGURE_FLAGS="--with-mruby --with-neverbleed --enable-werror CPPFLAGS=$CPPFLAGS LDFLAGS=\"$LDFLAGS\" PKG_CONFIG_PATH=$PKG_CONFIG_PATH"
fi
- |
if [ "$CI_BUILD" = "cmake" ]; then
make && make check
fi
- |
if [ "$CI_BUILD" = "cmake" ]; then
# Integration tests for nghttpx; autotools build erases build
# for packaging test.
cd integration-tests
export GO111MODULE=on
make it
fi
- if [ "$CI_BUILD" = "autotools" ]; then make distcheck; fi
- if [ "$CI_BUILD" = "cmake" ]; then make check; fi
# As of April, 23, 2016, golang http2 build fails, probably because
# the default go version is too old.
# - cd integration-tests
# - export GOPATH="$PWD/integration-tests/golang"
# - make itprep
# - make it

35
AUTHORS
View File

@@ -14,47 +14,31 @@ github issues [2].
--------
187j3x1
Adam Gołębiowski
Alek Storm
Alex Nalivko
Alexandros Konstantinakis-Karmis
Alexis La Goutte
Amir Pakdel
Anders Bakken
Andreas Pohl
Andy Davies
Angus Gratton
Anna Henningsen
Ant Bryan
Benedikt Christoph Wolters
Benjamin Peterson
Bernard Spil
Brendan Heinonen
Brian Card
Brian Suh
Daniel Evers
Daniel Stenberg
Dave Reisner
David Beitey
David Weekly
Dmitriy Vetutnev
Don
Dylan Plecki
Etienne Cimon
Fabian Möller
Fabian Wiesel
Gabi Davar
Gitai
Google Inc.
Jacob Champion
Jan Kundrát
Jan-E
Janusz Dziemidowicz
Jay Satiro
Jeff 'Raid' Baitis
Jianqing Wang
Jim Morrison
Josh Braegger
José F. Calcerrada
Kamil Dudka
Kazuho Oku
@@ -62,46 +46,32 @@ Kenny (kang-yen) Peng
Kenny Peng
Kit Chan
Kyle Schomp
LazyHamster
Lucas Pardue
MATSUMOTO Ryosuke
Marc Bachmann
Matt Rudary
Matt Way
Mike Conlen
Mike Frysinger
Mike Lothian
Nicholas Hurley
Nora Shoemaker
Pedro Santos
Peeyush Aggarwal
Peter Wu
Piotr Sikora
Raul Gutierrez Segales
Remo E
Reza Tavakoli
Rick Lei
Ross Smith II
Scott Mitchell
Sebastiaan Deckers
Simon Frankenberger
Simone Basso
Soham Sinha
Stefan Eissing
Stephen Ludin
Sunpoet Po-Chuan Hsieh
Svante Signell
Syohei YOSHIDA
Tapanito
Tatsuhiko Kubo
Tatsuhiro Tsujikawa
Tobias Geerinckx-Rice
Tom Harwood
Tomasz Buchert
Tomasz Torcz
Vernon Tang
Viacheslav Biriukov
Viktor Szakats
Viktor Szépe
Wenfeng Liu
Xiaoguang Sun
@@ -109,15 +79,10 @@ Zhuoyun Wei
acesso
ayanamist
bxshi
clemahieu
dalf
dawg
es
fangdingjun
jwchoi
kumagi
lstefani
makovich
mod-h2-dev
moparisthebest
snnn

27
CMakeLists.txt
View File

@@ -24,15 +24,15 @@
cmake_minimum_required(VERSION 3.0)
# XXX using 1.8.90 instead of 1.9.0-DEV
project(nghttp2 VERSION 1.39.0)
project(nghttp2 VERSION 1.18.90)
# See versioning rule:
# http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
set(LT_CURRENT 31)
set(LT_REVISION 4)
set(LT_AGE 17)
set(LT_CURRENT 26)
set(LT_REVISION 3)
set(LT_AGE 12)
set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake" ${CMAKE_MODULE_PATH})
set(CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
include(Version)
math(EXPR LT_SOVERSION "${LT_CURRENT} - ${LT_AGE}")
@@ -79,7 +79,7 @@ else()
set(ENABLE_PYTHON_BINDINGS_DEFAULT OFF)
endif()
find_package(LibXml2 2.6.26)
find_package(LibXml2 2.7.7)
set(WITH_LIBXML2_DEFAULT ${LIBXML2_FOUND})
find_package(Jemalloc)
set(WITH_JEMALLOC_DEFAULT ${JEMALLOC_FOUND})
@@ -106,18 +106,28 @@ endif()
foreach(_build_type "Release" "MinSizeRel" "RelWithDebInfo")
foreach(_lang C CXX)
string(TOUPPER "CMAKE_${_lang}_FLAGS_${_build_type}" _var)
string(REGEX REPLACE "(^| )[/-]D *NDEBUG($| )" " " ${_var} "${${_var}}")
string(REGEX REPLACE "(^| )[/-]D *NDEBUG($| )" "" ${_var} "${${_var}}")
endforeach()
endforeach()
#
# If we're running GCC or clang define _U_ to be "__attribute__((unused))"
# so we can use _U_ to flag unused function parameters and not get warnings
# about them. Otherwise, define _U_ to be an empty string so that _U_ used
# to flag an unused function parameters will compile with other compilers.
#
# XXX - similar hints for other compilers?
#
if(CMAKE_C_COMPILER_ID MATCHES "GNU" OR CMAKE_C_COMPILER_ID MATCHES "Clang")
set(HINT_UNUSED_PARAM "__attribute__((unused))")
set(HINT_NORETURN "__attribute__((noreturn))")
else()
set(HINT_UNUSED_PARAM)
set(HINT_NORETURN)
endif()
include(ExtractValidFlags)
foreach(_cxx1x_flag -std=c++14)
foreach(_cxx1x_flag -std=c++11 -std=c++0x)
extract_valid_cxx_flags(_cxx1x_flag_supported ${_cxx1x_flag})
if(_cxx1x_flag_supported)
set(CXX1XCXXFLAGS ${_cxx1x_flag})
@@ -302,7 +312,6 @@ check_type_size("time_t" SIZEOF_TIME_T)
include(CheckFunctionExists)
check_function_exists(_Exit HAVE__EXIT)
check_function_exists(accept4 HAVE_ACCEPT4)
check_function_exists(mkostemp HAVE_MKOSTEMP)
include(CheckSymbolExists)
# XXX does this correctly detect initgroups (un)availability on cygwin?

2
CMakeOptions.txt
View File

@@ -14,8 +14,6 @@ option(ENABLE_PYTHON_BINDINGS "Build Python bindings"
${ENABLE_PYTHON_BINDINGS_DEFAULT})
option(ENABLE_FAILMALLOC "Build failmalloc test program" ON)
option(ENABLE_LIB_ONLY "Build libnghttp2 only. This is a short hand for -DENABLE_APP=0 -DENABLE_EXAMPLES=0 -DENABLE_HPACK_TOOLS=0 -DENABLE_PYTHON_BINDINGS=0")
option(ENABLE_STATIC_LIB "Build libnghttp2 in static mode also")
option(ENABLE_SHARED_LIB "Build libnghttp2 as a shared library" ON)
option(WITH_LIBXML2 "Use libxml2"
${WITH_LIBXML2_DEFAULT})

104
Dockerfile.android
View File

@@ -10,47 +10,39 @@
#
# $ sudo docker run -v /path/to/dest:/out nghttp2-android cp /root/build/nghttp2/src/nghttpx /out
FROM ubuntu:vivid
# Only use standalone-toolchain for reduce size
FROM ubuntu:xenial
MAINTAINER Tatsuhiro Tsujikawa
ENV ANDROID_HOME /root
ENV ANDROID_HOME /root/android
ENV PREFIX $ANDROID_HOME/usr/local
ENV TOOLCHAIN $ANDROID_HOME/toolchain
ENV PATH $TOOLCHAIN/bin:$PATH
ENV NDK_VERSION r14b
# It would be better to use nearest ubuntu archive mirror for faster
# downloads.
# RUN sed -ie 's/archive\.ubuntu/jp.archive.ubuntu/g' /etc/apt/sources.list
WORKDIR /root
RUN apt-get update && \
apt-get install -y unzip make binutils autoconf \
automake autotools-dev libtool pkg-config git \
curl dpkg-dev libxml2-dev genisoimage libc6-i386 \
lib32stdc++6 python&& \
rm -rf /var/cache/apk/*
# Install toolchain
RUN curl -L -O https://dl.google.com/android/repository/android-ndk-$NDK_VERSION-linux-x86_64.zip && \
unzip -q android-ndk-$NDK_VERSION-linux-x86_64.zip && \
rm android-ndk-$NDK_VERSION-linux-x86_64.zip && \
mkdir -p $ANDROID_HOME/toolchain && \
$ANDROID_HOME/android-ndk-$NDK_VERSION/build/tools/make-standalone-toolchain.sh \
--install-dir=$ANDROID_HOME/toolchain \
--toolchain=arm-linux-androideabi-4.9 \
--force && \
rm -r android-ndk-$NDK_VERSION
ENV PREFIX /root/usr/local
# Setup version of libraries
ENV OPENSSL_VERSION 1.0.2d
ENV SPDYLAY_VERSION v1.4.0
ENV LIBEV_VERSION 4.19
ENV ZLIB_VERSION 1.2.8
ENV CARES_VERSION 1.13.0
ENV NGHTTP2_VERSION v1.24.0
RUN apt-get update
# genisoimage, libc6-i386 and lib32stdc++6 are required to decompress ndk.
RUN apt-get install -y make binutils autoconf automake autotools-dev libtool \
pkg-config git curl dpkg-dev libxml2-dev \
genisoimage libc6-i386 lib32stdc++6
WORKDIR /root/build
RUN git clone https://github.com/tatsuhiro-t/spdylay -b $SPDYLAY_VERSION --depth 1
RUN curl -L -O http://dl.google.com/android/ndk/android-ndk-r10d-linux-x86_64.bin && \
chmod a+x android-ndk-r10d-linux-x86_64.bin && \
./android-ndk-r10d-linux-x86_64.bin && \
rm android-ndk-r10d-linux-x86_64.bin
WORKDIR /root/build/android-ndk-r10d
RUN /bin/bash build/tools/make-standalone-toolchain.sh \
--install-dir=$ANDROID_HOME/toolchain \
--toolchain=arm-linux-androideabi-4.9 --llvm-version=3.5 \
--system=linux-x86_64
WORKDIR /root/build
RUN git clone https://github.com/tatsuhiro-t/spdylay
WORKDIR /root/build/spdylay
RUN autoreconf -i && \
./configure \
@@ -67,22 +59,22 @@ RUN autoreconf -i && \
make install
WORKDIR /root/build
RUN curl -L -O https://www.openssl.org/source/openssl-$OPENSSL_VERSION.tar.gz && \
tar xf openssl-$OPENSSL_VERSION.tar.gz && \
rm openssl-$OPENSSL_VERSION.tar.gz
RUN curl -L -O https://www.openssl.org/source/openssl-1.0.2d.tar.gz && \
tar xf openssl-1.0.2d.tar.gz && \
rm openssl-1.0.2d.tar.gz
WORKDIR /root/build/openssl-$OPENSSL_VERSION
WORKDIR /root/build/openssl-1.0.2d
RUN export CROSS_COMPILE=$TOOLCHAIN/bin/arm-linux-androideabi- && \
./Configure --prefix=$PREFIX android && \
make && make install_sw
WORKDIR /root/build
RUN curl -L -O http://dist.schmorp.de/libev/Attic/libev-$LIBEV_VERSION.tar.gz && \
RUN curl -L -O http://dist.schmorp.de/libev/libev-4.19.tar.gz && \
curl -L -O https://gist.github.com/tatsuhiro-t/48c45f08950f587180ed/raw/80a8f003b5d1091eae497c5995bbaa68096e739b/libev-4.19-android.patch && \
tar xf libev-$LIBEV_VERSION.tar.gz && \
rm libev-$LIBEV_VERSION.tar.gz
tar xf libev-4.19.tar.gz && \
rm libev-4.19.tar.gz
WORKDIR /root/build/libev-$LIBEV_VERSION
WORKDIR /root/build/libev-4.19
RUN patch -p1 < ../libev-4.19-android.patch && \
./configure \
--host=arm-linux-androideabi \
@@ -95,11 +87,11 @@ RUN patch -p1 < ../libev-4.19-android.patch && \
make install
WORKDIR /root/build
RUN curl -L -O https://downloads.sourceforge.net/project/libpng/zlib/$ZLIB_VERSION/zlib-$ZLIB_VERSION.tar.gz && \
tar xf zlib-$ZLIB_VERSION.tar.gz && \
rm zlib-$ZLIB_VERSION.tar.gz
RUN curl -L -O http://zlib.net/zlib-1.2.8.tar.gz && \
tar xf zlib-1.2.8.tar.gz && \
rm zlib-1.2.8.tar.gz
WORKDIR /root/build/zlib-$ZLIB_VERSION
WORKDIR /root/build/zlib-1.2.8
RUN HOST=arm-linux-androideabi \
CC=$HOST-gcc \
AR=$HOST-ar \
@@ -113,26 +105,11 @@ RUN HOST=arm-linux-androideabi \
--static && \
make install
WORKDIR /root/build
RUN curl -L -O https://c-ares.haxx.se/download/c-ares-$CARES_VERSION.tar.gz && \
tar xf c-ares-$CARES_VERSION.tar.gz && \
rm c-ares-$CARES_VERSION.tar.gz
WORKDIR /root/build/c-ares-$CARES_VERSION
RUN ./configure \
--host=arm-linux-androideabi \
--build=`dpkg-architecture -qDEB_BUILD_GNU_TYPE` \
--prefix=$PREFIX \
--disable-shared && \
make install
WORKDIR /root/build
RUN git clone https://github.com/nghttp2/nghttp2 -b $NGHTTP2_VERSION --depth 1
RUN git clone https://github.com/nghttp2/nghttp2
WORKDIR /root/build/nghttp2
RUN autoreconf -i && \
./configure \
--enable-app \
--disable-shared \
--host=arm-linux-androideabi \
--build=`dpkg-architecture -qDEB_BUILD_GNU_TYPE` \
@@ -141,9 +118,10 @@ RUN autoreconf -i && \
--disable-python-bindings \
--disable-examples \
--disable-threads \
CC="$TOOLCHAIN"/bin/arm-linux-androideabi-clang \
CXX="$TOOLCHAIN"/bin/arm-linux-androideabi-clang++ \
LIBSPDYLAY_CFLAGS=-I$PREFIX/usr/local/include \
LIBSPDYLAY_LIBS="-L$PREFIX/usr/local/lib -lspdylay" \
CPPFLAGS="-fPIE -I$PREFIX/include" \
CXXFLAGS="-fno-strict-aliasing" \
PKG_CONFIG_LIBDIR="$PREFIX/lib/pkgconfig" \
LDFLAGS="-fPIE -pie -L$PREFIX/lib" && \
make && \

183
README.rst
View File

@@ -4,10 +4,10 @@ nghttp2 - HTTP/2 C Library
This is an implementation of the Hypertext Transfer Protocol version 2
in C.
The framing layer of HTTP/2 is implemented as a reusable C library.
On top of that, we have implemented an HTTP/2 client, server and
proxy. We have also developed load test and benchmarking tools for
HTTP/2.
The framing layer of HTTP/2 is implemented as a reusable C
library. On top of that, we have implemented an HTTP/2 client, server
and proxy. We have also developed load test and benchmarking tools for
HTTP/2 and SPDY.
An HPACK encoder and decoder are available as a public API.
@@ -34,8 +34,8 @@ implementation.
* https://nghttp2.org/ (TLS + ALPN/NPN)
This endpoint supports ``h2``, ``h2-16``, ``h2-14``, and
``http/1.1`` via ALPN/NPN and requires TLSv1.2 for HTTP/2
This endpoint supports ``h2``, ``h2-16``, ``h2-14``, ``spdy/3.1``
and ``http/1.1`` via ALPN/NPN and requires TLSv1.2 for HTTP/2
connection.
* http://nghttp2.org/ (HTTP Upgrade and HTTP/2 Direct)
@@ -76,15 +76,15 @@ ALPN support requires OpenSSL >= 1.0.2 (released 22 January 2015).
LibreSSL >= 2.2.0 can be used instead of OpenSSL, but OpenSSL has more
features than LibreSSL at the time of this writing.
To enable the SPDY protocol in the application program ``nghttpx`` and
``h2load``, the following package is required:
* spdylay >= 1.3.2
To enable ``-a`` option (getting linked assets from the downloaded
resource) in ``nghttp``, the following package is required:
* libxml2 >= 2.6.26
To enable systemd support in nghttpx, the following package is
required:
* libsystemd-dev >= 209
* libxml2 >= 2.7.7
The HPACK tools require the following package:
@@ -115,15 +115,17 @@ The Python bindings require the following packages:
* python >= 2.7
* python-setuptools
If you are using Ubuntu 16.04 LTS (Xenial Xerus) or Debian 8 (jessie)
and above, run the following to install the required packages:
If you are using Ubuntu 14.04 LTS (trusty) or Debian 7.0 (wheezy) and above run the following to install the needed packages:
.. code-block:: text
sudo apt-get install g++ make binutils autoconf automake autotools-dev libtool pkg-config \
zlib1g-dev libcunit1-dev libssl-dev libxml2-dev libev-dev libevent-dev libjansson-dev \
libc-ares-dev libjemalloc-dev libsystemd-dev \
cython python3-dev python-setuptools
libc-ares-dev libjemalloc-dev cython python3-dev python-setuptools
From Ubuntu 15.10, spdylay has been available as a package named
`libspdylay-dev`. For the earlier Ubuntu release, you need to build
it yourself: http://tatsuhiro-t.github.io/spdylay/
To enable mruby support for nghttpx, `mruby
<https://github.com/mruby/mruby>`_ is required. We need to build
@@ -145,10 +147,22 @@ minimizes the risk of private key leakage when serious bug like
Heartbleed is exploited. The neverbleed is disabled by default. To
enable it, use ``--with-neverbleed`` configure option.
Compiling libnghttp2 C source code requires a C99 compiler. gcc 4.8
is known to be adequate. In order to compile the C++ source code, gcc
>= 6.0 or clang >= 6.0 is required. C++ source code requires C++14
language features.
Building from git
-----------------
Building from git is easy, but please be sure that at least autoconf 2.68 is
used:
.. code-block:: text
$ git submodule update --init
$ autoreconf -i
$ automake
$ autoconf
$ ./configure
$ make
To compile the source code, gcc >= 4.8.3 or clang >= 3.4 is required.
.. note::
@@ -173,62 +187,6 @@ language features.
applications were not built, then using ``--enable-app`` may find
that cause, such as the missing dependency.
.. note::
In order to detect third party libraries, pkg-config is used
(however we don't use pkg-config for some libraries (e.g., libev)).
By default, pkg-config searches ``*.pc`` file in the standard
locations (e.g., /usr/lib/pkgconfig). If it is necessary to use
``*.pc`` file in the custom location, specify paths to
``PKG_CONFIG_PATH`` environment variable, and pass it to configure
script, like so:
.. code-block:: text
$ ./configure PKG_CONFIG_PATH=/path/to/pkgconfig
For pkg-config managed libraries, ``*_CFLAG`` and ``*_LIBS``
environment variables are defined (e.g., ``OPENSSL_CFLAGS``,
``OPENSSL_LIBS``). Specifying non-empty string to these variables
completely overrides pkg-config. In other words, if they are
specified, pkg-config is not used for detection, and user is
responsible to specify the correct values to these variables. For
complete list of these variables, run ``./configure -h``.
Building nghttp2 from release tar archive
-----------------------------------------
The nghttp2 project regularly releases tar archives which includes
nghttp2 source code, and generated build files. They can be
downloaded from `Releases
<https://github.com/nghttp2/nghttp2/releases>`_ page.
Building nghttp2 from git requires autotools development packages.
Building from tar archives does not require them, and thus it is much
easier. The usual build step is as follows:
.. code-block:: text
$ tar xf nghttp2-X.Y.Z.tar.bz2
$ cd nghttp2-X.Y.Z
$ ./configure
$ make
Building from git
-----------------
Building from git is easy, but please be sure that at least autoconf 2.68 is
used:
.. code-block:: text
$ git submodule update --init
$ autoreconf -i
$ automake
$ autoconf
$ ./configure
$ make
Notes for building on Windows (MSVC)
------------------------------------
@@ -275,18 +233,6 @@ If you want to compile the applications under ``examples/``, you need
to remove or rename the ``event.h`` from libev's installation, because
it conflicts with libevent's installation.
Notes for installation on Linux systems
--------------------------------------------
After installing nghttp2 tool suite with ``make install`` one might experience a similar error:
.. code-block:: text
nghttpx: error while loading shared libraries: libnghttp2.so.14: cannot open shared object file: No such file or directory
This means that the tool is unable to locate the ``libnghttp2.so`` shared library.
To update the shared library cache run ``sudo ldconfig``.
Building the documentation
--------------------------
@@ -322,8 +268,14 @@ its testing framework. We depend on the following libraries:
* golang.org/x/net/http2
* golang.org/x/net/websocket
* https://github.com/tatsuhiro-t/go-nghttp2
* https://github.com/tatsuhiro-t/spdy
Go modules will download these dependencies automatically.
To download the above packages, after settings ``GOPATH``, run the
following command under ``integration-tests`` directory:
.. code-block:: text
$ make itprep
To run the tests, run the following command under
``integration-tests`` directory:
@@ -334,6 +286,11 @@ To run the tests, run the following command under
Inside the tests, we use port 3009 to run the test subject server.
.. note::
github.com/tatsuhiro-t/spdy is a copy used to be available at
golang.org/x/net/spdy, but it is now gone.
Migration from v0.7.15 or earlier
---------------------------------
@@ -734,7 +691,7 @@ information. Here is sample output from ``nghttpd``:
nghttpx - proxy
+++++++++++++++
``nghttpx`` is a multi-threaded reverse proxy for HTTP/2, and
``nghttpx`` is a multi-threaded reverse proxy for HTTP/2, SPDY and
HTTP/1.1, and powers http://nghttp2.org and supports HTTP/2 server
push.
@@ -749,30 +706,31 @@ to know how to migrate from earlier releases.
``nghttpx`` implements `important performance-oriented features
<https://istlsfastyet.com/#server-performance>`_ in TLS, such as
session IDs, session tickets (with automatic key rotation), OCSP
stapling, dynamic record sizing, ALPN/NPN, forward secrecy and HTTP/2.
``nghttpx`` also offers the functionality to share session cache and
ticket keys among multiple ``nghttpx`` instances via memcached.
stapling, dynamic record sizing, ALPN/NPN, forward secrecy and SPDY &
HTTP/2. ``nghttpx`` also offers the functionality to share session
cache and ticket keys among multiple ``nghttpx`` instances via
memcached.
``nghttpx`` has 2 operation modes:
================== ================ ================ =============
================== ====================== ================ =============
Mode option Frontend Backend Note
================== ================ ================ =============
default mode HTTP/2, HTTP/1.1 HTTP/1.1, HTTP/2 Reverse proxy
``--http2-proxy`` HTTP/2, HTTP/1.1 HTTP/1.1, HTTP/2 Forward proxy
================== ================ ================ =============
================== ====================== ================ =============
default mode HTTP/2, SPDY, HTTP/1.1 HTTP/1.1, HTTP/2 Reverse proxy
``--http2-proxy`` HTTP/2, SPDY, HTTP/1.1 HTTP/1.1, HTTP/2 Forward proxy
================== ====================== ================ =============
The interesting mode at the moment is the default mode. It works like
a reverse proxy and listens for HTTP/2, and HTTP/1.1 and can be
a reverse proxy and listens for HTTP/2, SPDY and HTTP/1.1 and can be
deployed as a SSL/TLS terminator for existing web server.
In all modes, the frontend connections are encrypted by SSL/TLS by
default. To disable encryption, use the ``no-tls`` keyword in
``--frontend`` option. If encryption is disabled, incoming HTTP/1.1
connections can be upgraded to HTTP/2 through HTTP Upgrade. On the
other hard, backend connections are not encrypted by default. To
encrypt backend connections, use ``tls`` keyword in ``--backend``
option.
``--frontend`` option. If encryption is disabled, SPDY is disabled in
the frontend and incoming HTTP/1.1 connections can be upgraded to
HTTP/2 through HTTP Upgrade. On the other hard, backend connections
are not encrypted by default. To encrypt backend connections, use
``tls`` keyword in ``--backend`` option.
``nghttpx`` supports a configuration file. See the ``--conf`` option and
sample configuration file ``nghttpx.conf.sample``.
@@ -782,15 +740,15 @@ server:
.. code-block:: text
Client <-- (HTTP/2, HTTP/1.1) --> nghttpx <-- (HTTP/1.1, HTTP/2) --> Web Server
Client <-- (HTTP/2, SPDY, HTTP/1.1) --> nghttpx <-- (HTTP/1.1, HTTP/2) --> Web Server
[reverse proxy]
With the ``--http2-proxy`` option, it works as forward proxy, and it
is so called secure HTTP/2 proxy:
is so called secure HTTP/2 proxy (aka SPDY proxy):
.. code-block:: text
Client <-- (HTTP/2, HTTP/1.1) --> nghttpx <-- (HTTP/1.1) --> Proxy
Client <-- (HTTP/2, SPDY, HTTP/1.1) --> nghttpx <-- (HTTP/1.1) --> Proxy
[secure proxy] (e.g., Squid, ATS)
The ``Client`` in the above example needs to be configured to use
@@ -823,7 +781,7 @@ proxy through an HTTP proxy:
.. code-block:: text
Client <-- (HTTP/2, HTTP/1.1) --> nghttpx <-- (HTTP/2) --
Client <-- (HTTP/2, SPDY, HTTP/1.1) --> nghttpx <-- (HTTP/2) --
--===================---> HTTP/2 Proxy
(HTTP proxy tunnel) (e.g., nghttpx -s)
@@ -831,8 +789,9 @@ proxy through an HTTP proxy:
Benchmarking tool
-----------------
The ``h2load`` program is a benchmarking tool for HTTP/2. The UI of
``h2load`` is heavily inspired by ``weighttp``
The ``h2load`` program is a benchmarking tool for HTTP/2 and SPDY.
The SPDY support is enabled if the program was built with the spdylay
library. The UI of ``h2load`` is heavily inspired by ``weighttp``
(https://github.com/lighttpd/weighttp). The typical usage is as
follows:
@@ -948,7 +907,7 @@ output_length
The length of the compressed header block.
percentage_of_original_size
``output_length`` / ``input_length`` * 100
``input_length`` / ``output_length`` * 100
wire
The compressed header block as a hex string.
@@ -1329,7 +1288,7 @@ are:
* Boost::Thread
The server API is designed to build an HTTP/2 server very easily to utilize
C++14 anonymous functions and closures. The bare minimum example of
C++11 anonymous functions and closures. The bare minimum example of
an HTTP/2 server looks like this:
.. code-block:: cpp

5
android-config
View File

@@ -39,9 +39,8 @@ PATH="$TOOLCHAIN"/bin:"$PATH"
--without-libxml2 \
--disable-python-bindings \
--disable-examples \
--disable-threads \
CC="$TOOLCHAIN"/bin/arm-linux-androideabi-clang \
CXX="$TOOLCHAIN"/bin/arm-linux-androideabi-clang++ \
CC="$TOOLCHAIN"/bin/arm-linux-androideabi-gcc \
CXX="$TOOLCHAIN"/bin/arm-linux-androideabi-g++ \
CPPFLAGS="-fPIE -I$PREFIX/include" \
PKG_CONFIG_LIBDIR="$PREFIX/lib/pkgconfig" \
LDFLAGS="-fPIE -pie -L$PREFIX/lib"

3
cmake/FindLibevent.cmake
View File

@@ -40,9 +40,6 @@ if(LIBEVENT_INCLUDE_DIR)
# Libevent 2.0
file(STRINGS "${LIBEVENT_INCLUDE_DIR}/event2/event-config.h"
LIBEVENT_VERSION REGEX "${_version_regex}")
if("${LIBEVENT_VERSION}" STREQUAL "")
set(LIBEVENT_VERSION ${PC_LIBEVENT_VERSION})
endif()
else()
# Libevent 1.4
file(STRINGS "${LIBEVENT_INCLUDE_DIR}/event-config.h"

7
cmakeconfig.h.in
View File

@@ -1,3 +1,7 @@
/* Hint to the compiler that a function parameter is not used */
#define _U_ @HINT_UNUSED_PARAM@
/* Hint to the compiler that a function never returns */
#define NGHTTP2_NORETURN @HINT_NORETURN@
@@ -34,9 +38,6 @@
/* Define to 1 if you have the `accept4` function. */
#cmakedefine HAVE_ACCEPT4 1
/* Define to 1 if you have the `mkostemp` function. */
#cmakedefine HAVE_MKOSTEMP 1
/* Define to 1 if you have the `initgroups` function. */
#cmakedefine01 HAVE_DECL_INITGROUPS

79
configure.ac
View File

@@ -25,7 +25,7 @@ dnl Do not change user variables!
dnl http://www.gnu.org/software/automake/manual/html_node/Flag-Variables-Ordering.html
AC_PREREQ(2.61)
AC_INIT([nghttp2], [1.39.0], [t-tujikawa@users.sourceforge.net])
AC_INIT([nghttp2], [1.19.0-DEV], [t-tujikawa@users.sourceforge.net])
AC_CONFIG_AUX_DIR([.])
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_HEADERS([config.h])
@@ -44,9 +44,9 @@ m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
dnl See versioning rule:
dnl http://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
AC_SUBST(LT_CURRENT, 31)
AC_SUBST(LT_REVISION, 4)
AC_SUBST(LT_AGE, 17)
AC_SUBST(LT_CURRENT, 26)
AC_SUBST(LT_REVISION, 3)
AC_SUBST(LT_AGE, 12)
major=`echo $PACKAGE_VERSION |cut -d. -f1 | sed -e "s/[^0-9]//g"`
minor=`echo $PACKAGE_VERSION |cut -d. -f2 | sed -e "s/[^0-9]//g"`
@@ -117,10 +117,10 @@ AC_ARG_WITH([jemalloc],
[Use jemalloc [default=check]])],
[request_jemalloc=$withval], [request_jemalloc=check])
AC_ARG_WITH([systemd],
[AS_HELP_STRING([--with-systemd],
[Enable systemd support in nghttpx [default=check]])],
[request_systemd=$withval], [request_systemd=check])
AC_ARG_WITH([spdylay],
[AS_HELP_STRING([--with-spdylay],
[Use spdylay [default=check]])],
[request_spdylay=$withval], [request_spdylay=check])
AC_ARG_WITH([mruby],
[AS_HELP_STRING([--with-mruby],
@@ -171,16 +171,26 @@ else
AC_SUBST([CYTHON])
fi
#
# If we're running GCC or clang define _U_ to be "__attribute__((unused))"
# so we can use _U_ to flag unused function parameters and not get warnings
# about them. Otherwise, define _U_ to be an empty string so that _U_ used
# to flag an unused function parameters will compile with other compilers.
#
# XXX - similar hints for other compilers?
#
if test "x$GCC" = "xyes" -o "x$CC" = "xclang" ; then
AC_DEFINE([_U_], [__attribute__((unused))], [Hint to the compiler that a function parameters is not used])
AC_DEFINE([NGHTTP2_NORETURN], [__attribute__((noreturn))], [Hint to the compiler that a function never return])
else
AC_DEFINE([_U_], , [Hint to the compiler that a function parameter is not used])
AC_DEFINE([NGHTTP2_NORETURN], , [Hint to the compiler that a function never return])
fi
save_CXXFLAGS="$CXXFLAGS"
CXXFLAGS=
AX_CXX_COMPILE_STDCXX([14], [noext], [optional])
AX_CXX_COMPILE_STDCXX_11([noext], [optional])
CXX1XCXXFLAGS="$CXXFLAGS"
CXXFLAGS="$save_CXXFLAGS"
@@ -385,27 +395,8 @@ else
AC_MSG_NOTICE($JANSSON_PKG_ERRORS)
fi
# libsystemd (for src/nghttpx)
have_libsystemd=no
if test "x${request_systemd}" != "xno"; then
PKG_CHECK_MODULES([SYSTEMD], [libsystemd >= 209], [have_libsystemd=yes],
[have_libsystemd=no])
if test "x${have_libsystemd}" = "xyes"; then
AC_DEFINE([HAVE_LIBSYSTEMD], [1],
[Define to 1 if you have `libsystemd` library.])
else
AC_MSG_NOTICE($SYSTEMD_PKG_ERRORS)
fi
fi
if test "x${request_systemd}" = "xyes" &&
test "x${have_libsystemd}" != "xyes"; then
AC_MSG_ERROR([systemd was requested (--with-systemd) but not found])
fi
# libxml2 (for src/nghttp)
PKG_CHECK_MODULES([LIBXML2], [libxml-2.0 >= 2.6.26],
PKG_CHECK_MODULES([LIBXML2], [libxml-2.0 >= 2.7.7],
[have_libxml2=yes], [have_libxml2=no])
if test "x${have_libxml2}" = "xyes"; then
AC_DEFINE([HAVE_LIBXML2], [1], [Define to 1 if you have `libxml2` library.])
@@ -453,6 +444,26 @@ if test "x${request_jemalloc}" = "xyes" &&
AC_MSG_ERROR([jemalloc was requested (--with-jemalloc) but not found])
fi
# spdylay (for src/nghttpx and src/h2load)
have_spdylay=no
if test "x${request_spdylay}" != "xno"; then
PKG_CHECK_MODULES([LIBSPDYLAY], [libspdylay >= 1.3.2],
[have_spdylay=yes], [have_spdylay=no])
if test "x${have_spdylay}" = "xyes"; then
AC_DEFINE([HAVE_SPDYLAY], [1], [Define to 1 if you have `spdylay` library.])
else
AC_MSG_NOTICE($LIBSPDYLAY_PKG_ERRORS)
AC_MSG_NOTICE([The SPDY support in nghttpx and h2load will be disabled.])
fi
fi
if test "x${request_spdylay}" = "xyes" &&
test "x${have_spdylay}" != "xyes"; then
AC_MSG_ERROR([spdylay was requested (--with-spdylay) but not found])
fi
AM_CONDITIONAL([HAVE_SPDYLAY], [ test "x${have_spdylay}" = "xyes" ])
# Check Boost Asio library
have_asio_lib=no
@@ -688,7 +699,6 @@ AC_CHECK_FUNCS([ \
memchr \
memmove \
memset \
mkostemp \
socket \
sqrt \
strchr \
@@ -780,9 +790,6 @@ if test "x$werror" != "xno"; then
AX_CHECK_COMPILE_FLAG([-Werror], [CXXFLAGS="$CXXFLAGS -Werror"])
AX_CHECK_COMPILE_FLAG([-Wformat-security], [CXXFLAGS="$CXXFLAGS -Wformat-security"])
AX_CHECK_COMPILE_FLAG([-Wsometimes-uninitialized], [CXXFLAGS="$CXXFLAGS -Wsometimes-uninitialized"])
# Disable noexcept-type warning of g++-7. This is not harmful as
# long as all source files are compiled with the same compiler.
AX_CHECK_COMPILE_FLAG([-Wno-noexcept-type], [CXXFLAGS="$CXXFLAGS -Wno-noexcept-type"])
AC_LANG_POP()
fi
@@ -899,14 +906,14 @@ AC_MSG_NOTICE([summary of build options:
Failmalloc: ${enable_failmalloc}
Libs:
OpenSSL: ${have_openssl} (CFLAGS='${OPENSSL_CFLAGS}' LIBS='${OPENSSL_LIBS}')
Libxml2: ${have_libxml2} (CFLAGS='${LIBXML2_CFLAGS}' LIBS='${LIBXML2_LIBS}')
Libxml2: ${have_libxml2} (CFLAGS='${LIBXML2_CPPFLAGS}' LIBS='${LIBXML2_LIBS}')
Libev: ${have_libev} (CFLAGS='${LIBEV_CFLAGS}' LIBS='${LIBEV_LIBS}')
Libc-ares: ${have_libcares} (CFLAGS='${LIBCARES_CFLAGS}' LIBS='${LIBCARES_LIBS}')
Libc-ares ${have_libcares} (CFLAGS='${LIBCARES_CFLAGS}' LIBS='${LIBCARES_LIBS}')
Libevent(SSL): ${have_libevent_openssl} (CFLAGS='${LIBEVENT_OPENSSL_CFLAGS}' LIBS='${LIBEVENT_OPENSSL_LIBS}')
Spdylay: ${have_spdylay} (CFLAGS='${LIBSPDYLAY_CFLAGS}' LIBS='${LIBSPDYLAY_LIBS}')
Jansson: ${have_jansson} (CFLAGS='${JANSSON_CFLAGS}' LIBS='${JANSSON_LIBS}')
Jemalloc: ${have_jemalloc} (LIBS='${JEMALLOC_LIBS}')
Zlib: ${have_zlib} (CFLAGS='${ZLIB_CFLAGS}' LIBS='${ZLIB_LIBS}')
Systemd: ${have_libsystemd} (CFLAGS='${SYSTEMD_CFLAGS}' LIBS='${SYSTEMD_LIBS}')
Boost CPPFLAGS: ${BOOST_CPPFLAGS}
Boost LDFLAGS: ${BOOST_LDFLAGS}
Boost::ASIO: ${BOOST_ASIO_LIB}

11
contrib/nghttpx.service.in
View File

@@ -1,17 +1,10 @@
[Unit]
Description=HTTP/2 proxy
Documentation=man:nghttpx
After=network.target
[Service]
Type=notify
ExecStart=@bindir@/nghttpx --conf=/etc/nghttpx/nghttpx.conf
ExecReload=/bin/kill --signal HUP $MAINPID
KillSignal=SIGQUIT
PrivateTmp=yes
ProtectHome=yes
ProtectSystem=full
Restart=always
Type=forking
ExecStart=@bindir@/nghttpx --conf=/etc/nghttpx/nghttpx.conf --pid-file=/run/nghttpx.pid --daemon
[Install]
WantedBy=multi-user.target

1
doc/CMakeLists.txt
View File

@@ -49,7 +49,6 @@ set(APIDOCS
nghttp2_rcbuf_decref.rst
nghttp2_rcbuf_get_buf.rst
nghttp2_rcbuf_incref.rst
nghttp2_rcbuf_is_static.rst
nghttp2_select_next_protocol.rst
nghttp2_session_callbacks_del.rst
nghttp2_session_callbacks_new.rst

7
doc/Makefile.am
View File

@@ -62,7 +62,6 @@ APIDOCS= \
nghttp2_option_set_max_send_header_block_length.rst \
nghttp2_option_set_no_auto_ping_ack.rst \
nghttp2_option_set_no_auto_window_update.rst \
nghttp2_option_set_no_closed_streams.rst \
nghttp2_option_set_no_http_messaging.rst \
nghttp2_option_set_no_recv_client_magic.rst \
nghttp2_option_set_peer_max_concurrent_streams.rst \
@@ -74,14 +73,12 @@ APIDOCS= \
nghttp2_rcbuf_decref.rst \
nghttp2_rcbuf_get_buf.rst \
nghttp2_rcbuf_incref.rst \
nghttp2_rcbuf_is_static.rst \
nghttp2_select_next_protocol.rst \
nghttp2_session_callbacks_del.rst \
nghttp2_session_callbacks_new.rst \
nghttp2_session_callbacks_set_before_frame_send_callback.rst \
nghttp2_session_callbacks_set_data_source_read_length_callback.rst \
nghttp2_session_callbacks_set_error_callback.rst \
nghttp2_session_callbacks_set_error_callback2.rst \
nghttp2_session_callbacks_set_on_begin_frame_callback.rst \
nghttp2_session_callbacks_set_on_begin_headers_callback.rst \
nghttp2_session_callbacks_set_on_data_chunk_recv_callback.rst \
@@ -143,7 +140,6 @@ APIDOCS= \
nghttp2_session_set_local_window_size.rst \
nghttp2_session_set_next_stream_id.rst \
nghttp2_session_set_stream_user_data.rst \
nghttp2_session_set_user_data.rst \
nghttp2_session_terminate_session.rst \
nghttp2_session_terminate_session2.rst \
nghttp2_session_upgrade.rst \
@@ -164,7 +160,6 @@ APIDOCS= \
nghttp2_submit_extension.rst \
nghttp2_submit_goaway.rst \
nghttp2_submit_headers.rst \
nghttp2_submit_origin.rst \
nghttp2_submit_ping.rst \
nghttp2_submit_priority.rst \
nghttp2_submit_push_promise.rst \
@@ -271,7 +266,7 @@ apiref.rst: \
$(APIDOCS): apiref.rst
clean-local:
if [ $(srcdir) != $(builddir) ]; then for i in $(RST_FILES); do rm -f $(builddir)/$$i; done fi
[ $(srcdir) = $(builddir) ] || for i in $(RST_FILES); do [ -e $(builddir)/$$i ] && rm -f $(builddir)/$$i; done
-rm -f apiref.rst
-rm -f $(APIDOCS)
-rm -rf $(BUILDDIR)/*

3
doc/_exts/sphinxcontrib/rubydomain.py
View File

@@ -13,7 +13,6 @@ import re
from docutils import nodes
from docutils.parsers.rst import directives
from docutils.parsers.rst import Directive
from sphinx import addnodes
from sphinx import version_info
@@ -22,8 +21,10 @@ from sphinx.locale import l_, _
from sphinx.domains import Domain, ObjType, Index
from sphinx.directives import ObjectDescription
from sphinx.util.nodes import make_refnode
from sphinx.util.compat import Directive
from sphinx.util.docfields import Field, GroupedField, TypedField
# REs for Ruby signatures
rb_sig_re = re.compile(
r'''^ ([\w.]*\.)? # class name(s)

2
doc/bash_completion/h2load
View File

@@ -8,7 +8,7 @@ _h2load()
_get_comp_words_by_ref cur prev
case $cur in
-*)
COMPREPLY=( $( compgen -W '--connection-window-bits --clients --verbose --ciphers --rate --no-tls-proto --header-table-size --requests --log-file --base-uri --h1 --threads --npn-list --rate-period --data --version --connection-inactivity-timeout --timing-script-file --encoder-header-table-size --max-concurrent-streams --connection-active-timeout --input-file --help --window-bits --warm-up-time --duration --header ' -- "$cur" ) )
COMPREPLY=( $( compgen -W '--connection-window-bits --clients --verbose --ciphers --rate --no-tls-proto --header-table-size --requests --base-uri --h1 --threads --npn-list --rate-period --data --version --connection-inactivity-timeout --timing-script-file --encoder-header-table-size --max-concurrent-streams --connection-active-timeout --input-file --help --window-bits --header ' -- "$cur" ) )
;;
*)
_filedir

2
doc/bash_completion/nghttp
View File

@@ -8,7 +8,7 @@ _nghttp()
_get_comp_words_by_ref cur prev
case $cur in
-*)
COMPREPLY=( $( compgen -W '--no-push --verbose --no-dep --get-assets --har --header-table-size --multiply --encoder-header-table-size --padding --hexdump --max-concurrent-streams --continuation --connection-window-bits --peer-max-concurrent-streams --timeout --data --no-content-length --version --color --cert --upgrade --remote-name --trailer --weight --help --key --null-out --window-bits --expect-continue --stat --no-verify-peer --header ' -- "$cur" ) )
COMPREPLY=( $( compgen -W '--no-push --verbose --no-dep --get-assets --har --header-table-size --multiply --encoder-header-table-size --padding --hexdump --max-concurrent-streams --continuation --connection-window-bits --peer-max-concurrent-streams --timeout --data --no-content-length --version --color --cert --upgrade --remote-name --trailer --weight --help --key --null-out --window-bits --expect-continue --stat --header ' -- "$cur" ) )
;;
*)
_filedir

2
doc/bash_completion/nghttpx
View File

@@ -8,7 +8,7 @@ _nghttpx()
_get_comp_words_by_ref cur prev
case $cur in
-*)
COMPREPLY=( $( compgen -W '--worker-read-rate --include --frontend-http2-dump-response-header --tls-ticket-key-file --verify-client-cacert --max-response-header-fields --backend-http2-window-size --tls13-client-ciphers --frontend-keep-alive-timeout --backend-request-buffer --max-request-header-fields --backend-connect-timeout --tls-max-proto-version --conf --dns-lookup-timeout --backend-http2-max-concurrent-streams --worker-write-burst --npn-list --dns-max-try --fetch-ocsp-response-file --no-via --tls-session-cache-memcached-cert-file --no-http2-cipher-black-list --mruby-file --add-forwarded --client-no-http2-cipher-black-list --stream-read-timeout --client-ciphers --ocsp-update-interval --forwarded-for --accesslog-syslog --dns-cache-timeout --frontend-http2-read-timeout --listener-disable-timeout --ciphers --client-psk-secrets --strip-incoming-x-forwarded-for --no-server-rewrite --private-key-passwd-file --backend-keep-alive-timeout --backend-http-proxy-uri --frontend-max-requests --tls-no-postpone-early-data --rlimit-nofile --no-strip-incoming-x-forwarded-proto --tls-ticket-key-memcached-cert-file --no-verify-ocsp --forwarded-by --tls-session-cache-memcached-private-key-file --error-page --ocsp-startup --backend-write-timeout --tls-dyn-rec-warmup-threshold --tls-ticket-key-memcached-max-retry --frontend-http2-window-size --http2-no-cookie-crumbling --worker-read-burst --dh-param-file --accesslog-format --errorlog-syslog --redirect-https-port --request-header-field-buffer --api-max-request-body --frontend-http2-decoder-dynamic-table-size --errorlog-file --frontend-http2-max-concurrent-streams --psk-secrets --frontend-write-timeout --tls-ticket-key-cipher --read-burst --no-add-x-forwarded-proto --backend --server-name --insecure --backend-max-backoff --log-level --host-rewrite --tls-ticket-key-memcached-interval --frontend-http2-setting-timeout --frontend-http2-connection-window-size --worker-frontend-connections --syslog-facility --fastopen --no-location-rewrite --single-thread --tls-session-cache-memcached --no-ocsp --backend-response-buffer --tls-min-proto-version --workers --add-x-forwarded-for --no-server-push --worker-write-rate --add-request-header --backend-http2-settings-timeout --subcert --ignore-per-pattern-mruby-error --ecdh-curves --no-kqueue --help --frontend-frame-debug --tls-sct-dir --pid-file --frontend-http2-dump-request-header --daemon --write-rate --altsvc --backend-http2-decoder-dynamic-table-size --no-strip-incoming-early-data --user --verify-client-tolerate-expired --frontend-read-timeout --tls-ticket-key-memcached-max-fail --backlog --write-burst --backend-connections-per-host --tls-max-early-data --response-header-field-buffer --tls-ticket-key-memcached-address-family --padding --tls-session-cache-memcached-address-family --stream-write-timeout --cacert --tls-ticket-key-memcached-private-key-file --accesslog-write-early --backend-address-family --backend-http2-connection-window-size --tls13-ciphers --version --add-response-header --backend-read-timeout --frontend-http2-optimize-window-size --frontend --accesslog-file --http2-proxy --backend-http2-encoder-dynamic-table-size --client-private-key-file --single-process --client-cert-file --tls-ticket-key-memcached --tls-dyn-rec-idle-timeout --frontend-http2-optimize-write-buffer-size --verify-client --frontend-http2-encoder-dynamic-table-size --read-rate --backend-connections-per-frontend --strip-incoming-forwarded ' -- "$cur" ) )
COMPREPLY=( $( compgen -W '--worker-read-rate --include --frontend-http2-dump-response-header --tls-ticket-key-file --verify-client-cacert --max-response-header-fields --backend-http2-window-size --frontend-keep-alive-timeout --backend-request-buffer --max-request-header-fields --fastopen --backend-connect-timeout --conf --dns-lookup-timeout --backend-http2-max-concurrent-streams --worker-write-burst --npn-list --dns-max-try --fetch-ocsp-response-file --no-via --tls-session-cache-memcached-cert-file --no-http2-cipher-black-list --mruby-file --client-no-http2-cipher-black-list --stream-read-timeout --client-ciphers --forwarded-for --accesslog-syslog --dns-cache-timeout --frontend-http2-read-timeout --listener-disable-timeout --ciphers --client-psk-secrets --strip-incoming-x-forwarded-for --no-server-rewrite --private-key-passwd-file --backend-keep-alive-timeout --backend-http-proxy-uri --rlimit-nofile --tls-ticket-key-memcached-cert-file --ocsp-update-interval --forwarded-by --tls-session-cache-memcached-private-key-file --error-page --backend-write-timeout --tls-dyn-rec-warmup-threshold --tls-ticket-key-memcached-max-retry --frontend-http2-window-size --http2-no-cookie-crumbling --worker-read-burst --dh-param-file --accesslog-format --errorlog-syslog --request-header-field-buffer --api-max-request-body --frontend-http2-decoder-dynamic-table-size --errorlog-file --frontend-http2-max-concurrent-streams --psk-secrets --frontend-write-timeout --tls-ticket-key-cipher --read-burst --backend --server-name --insecure --backend-max-backoff --log-level --host-rewrite --tls-proto-list --tls-ticket-key-memcached-interval --frontend-http2-setting-timeout --frontend-http2-connection-window-size --worker-frontend-connections --syslog-facility --no-server-push --no-location-rewrite --tls-session-cache-memcached --no-ocsp --frontend-http2-encoder-dynamic-table-size --workers --add-forwarded --worker-write-rate --add-request-header --backend-http2-settings-timeout --subcert --ecdh-curves --no-kqueue --help --frontend-frame-debug --tls-sct-dir --pid-file --frontend-http2-dump-request-header --daemon --write-rate --altsvc --backend-http2-decoder-dynamic-table-size --user --add-x-forwarded-for --frontend-read-timeout --tls-ticket-key-memcached-max-fail --backlog --write-burst --backend-connections-per-host --response-header-field-buffer --tls-ticket-key-memcached-address-family --padding --tls-session-cache-memcached-address-family --stream-write-timeout --cacert --tls-ticket-key-memcached-private-key-file --backend-address-family --backend-http2-connection-window-size --version --add-response-header --backend-read-timeout --frontend-http2-optimize-window-size --frontend --accesslog-file --http2-proxy --backend-http2-encoder-dynamic-table-size --client-private-key-file --client-cert-file --tls-ticket-key-memcached --tls-dyn-rec-idle-timeout --frontend-http2-optimize-write-buffer-size --verify-client --backend-response-buffer --read-rate --backend-connections-per-frontend --strip-incoming-forwarded ' -- "$cur" ) )
;;
*)
_filedir

2
doc/conf.py.in
View File

@@ -157,7 +157,7 @@ html_theme_path = ['@top_srcdir@/doc/_themes']
# If true, SmartyPants will be used to convert quotes and dashes to
# typographically correct entities.
#html_use_smartypants = False
html_use_smartypants = False
# Custom sidebar templates, maps document names to template names.
html_sidebars = {

2
doc/docutils.conf
View File

@@ -1,2 +0,0 @@
[parsers]
smart_quotes=no

61
doc/h2load.1
View File

@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "H2LOAD" "1" "Jun 11, 2019" "1.39.0" "nghttp2"
.TH "H2LOAD" "1" "Jan 09, 2017" "1.19.0-DEV" "nghttp2"
.SH NAME
h2load \- HTTP/2 benchmarking tool
.
@@ -35,7 +35,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
\fBh2load\fP [OPTIONS]... [URI]...
.SH DESCRIPTION
.sp
benchmarking tool for HTTP/2 server
benchmarking tool for HTTP/2 and SPDY server
.INDENT 0.0
.TP
.B <URI>
@@ -54,9 +54,7 @@ scheme, host or port values.
Number of requests across all clients. If it is used
with \fI\%\-\-timing\-script\-file\fP option, this option specifies
the number of requests each client performs rather than
the number of requests across all clients. This option
is ignored if timing\-based benchmarking is enabled (see
\fI\%\-\-duration\fP option).
the number of requests across all clients.
.sp
Default: \fB1\fP
.UNINDENT
@@ -101,6 +99,7 @@ Default: \fB1\fP
.TP
.B \-w, \-\-window\-bits=<N>
Sets the stream level initial window size to (2**<N>)\-1.
For SPDY, 2**<N> is used instead.
.sp
Default: \fB30\fP
.UNINDENT
@@ -108,7 +107,9 @@ Default: \fB30\fP
.TP
.B \-W, \-\-connection\-window\-bits=<N>
Sets the connection level initial window size to
(2**<N>)\-1.
(2**<N>)\-1. For SPDY, if <N> is strictly less than 16,
this option is ignored. Otherwise 2**<N> is used for
SPDY.
.sp
Default: \fB30\fP
.UNINDENT
@@ -123,14 +124,15 @@ Add/Override a header to the requests.
Set allowed cipher list. The format of the string is
described in OpenSSL ciphers(1).
.sp
Default: \fBECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:ECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-SHA384:ECDHE\-RSA\-AES256\-SHA384:ECDHE\-ECDSA\-AES128\-SHA256:ECDHE\-RSA\-AES128\-SHA256\fP
Default: \fBECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:ECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-AES128\-SHA256:ECDHE\-RSA\-AES128\-SHA256:ECDHE\-ECDSA\-AES128\-SHA:ECDHE\-RSA\-AES256\-SHA384:ECDHE\-RSA\-AES128\-SHA:ECDHE\-ECDSA\-AES256\-SHA384:ECDHE\-ECDSA\-AES256\-SHA:ECDHE\-RSA\-AES256\-SHA:DHE\-RSA\-AES128\-SHA256:DHE\-RSA\-AES128\-SHA:DHE\-RSA\-AES256\-SHA256:DHE\-RSA\-AES256\-SHA:ECDHE\-ECDSA\-DES\-CBC3\-SHA:ECDHE\-RSA\-DES\-CBC3\-SHA:EDH\-RSA\-DES\-CBC3\-SHA:AES128\-GCM\-SHA256:AES256\-GCM\-SHA384:AES128\-SHA256:AES256\-SHA256:AES128\-SHA:AES256\-SHA:DES\-CBC3\-SHA:!DSS\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-p, \-\-no\-tls\-proto=<PROTOID>
Specify ALPN identifier of the protocol to be used when
accessing http URI without SSL/TLS.
Available protocols: h2c and http/1.1
Available protocols: spdy/2, spdy/3, spdy/3.1, h2c and
http/1.1
.sp
Default: \fBh2c\fP
.UNINDENT
@@ -155,7 +157,7 @@ example, with \fI\%\-t\fP2 and \fI\%\-r\fP4, each thread gets 2
connections per period. When the rate is 0, the program
will run as it normally does, creating connections at
whatever variable rate it wants. The default value for
this option is 0. \fI\%\-r\fP and \fI\%\-D\fP are mutually exclusive.
this option is 0.
.UNINDENT
.INDENT 0.0
.TP
@@ -168,20 +170,6 @@ option is 1s.
.UNINDENT
.INDENT 0.0
.TP
.B \-D, \-\-duration=<N>
Specifies the main duration for the measurements in case
of timing\-based benchmarking. \fI\%\-D\fP and \fI\%\-r\fP are mutually
exclusive.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-warm\-up\-time=<DURATION>
Specifies the time period before starting the actual
measurements, in case of timing\-based benchmarking.
Needs to provided along with \fI\%\-D\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-T, \-\-connection\-active\-timeout=<DURATION>
Specifies the maximum time that h2load is willing to
keep a connection open, regardless of the activity on
@@ -245,7 +233,7 @@ NPN. The parameter must be delimited by a single comma
only and any white spaces are treated as a part of
protocol string.
.sp
Default: \fBh2,h2\-16,h2\-14,http/1.1\fP
Default: \fBh2,h2\-16,h2\-14,spdy/3.1,spdy/3,spdy/2,http/1.1\fP
.UNINDENT
.INDENT 0.0
.TP
@@ -273,17 +261,6 @@ Default: \fB4K\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-log\-file=<PATH>
Write per\-request information to a file as tab\-separated
columns: start time as microseconds since epoch; HTTP
status code; microseconds until end of response. More
columns may be added later. Rows are ordered by end\-of\-
response time when using one worker thread, but may
appear slightly out of order with multiple threads due
to buffering. Status code is \-1 for failed streams.
.UNINDENT
.INDENT 0.0
.TP
.B \-v, \-\-verbose
Output debug information.
.UNINDENT
@@ -358,7 +335,8 @@ compression. Let \fBdecompressed(headers)\fP to the number of bytes
used for header fields after decompression. The \fBspace savings\fP
is calculated by (1 \- \fBheaders\fP / \fBdecompressed(headers)\fP) *
100. For HTTP/1.1, this is usually 0.00%, since it does not have
header compression. For HTTP/2, it shows some insightful numbers.
header compression. For HTTP/2 and SPDY, it shows some insightful
numbers.
.TP
.B data
The number of response body bytes received from the server.
@@ -388,16 +366,13 @@ range (mean +/\- sd) against total number of successful requests.
.INDENT 7.0
.TP
.B min
The minimum time taken to connect to a server including TLS
handshake.
The minimum time taken to connect to a server.
.TP
.B max
The maximum time taken to connect to a server including TLS
handshake.
The maximum time taken to connect to a server.
.TP
.B mean
The mean time taken to connect to a server including TLS
handshake.
The mean time taken to connect to a server.
.TP
.B sd
The standard deviation of the time taken to connect to a server.
@@ -458,7 +433,7 @@ h2load sets large flow control window by default, and effectively
disables flow control to avoid under utilization of server
performance. To set smaller flow control window, use \fI\%\-w\fP and
\fI\%\-W\fP options. For example, use \fB\-w16 \-W16\fP to set default
window size described in HTTP/2 protocol specification.
window size described in HTTP/2 and SPDY protocol specification.
.SH SEE ALSO
.sp
\fBnghttp(1)\fP, \fBnghttpd(1)\fP, \fBnghttpx(1)\fP

56
doc/h2load.1.rst
View File

@@ -14,7 +14,7 @@ SYNOPSIS
DESCRIPTION
-----------
benchmarking tool for HTTP/2 server
benchmarking tool for HTTP/2 and SPDY server
.. describe:: <URI>
@@ -34,9 +34,7 @@ OPTIONS
Number of requests across all clients. If it is used
with :option:`--timing-script-file` option, this option specifies
the number of requests each client performs rather than
the number of requests across all clients. This option
is ignored if timing-based benchmarking is enabled (see
:option:`--duration` option).
the number of requests across all clients.
Default: ``1``
@@ -76,13 +74,16 @@ OPTIONS
.. option:: -w, --window-bits=<N>
Sets the stream level initial window size to (2\*\*<N>)-1.
For SPDY, 2\*\*<N> is used instead.
Default: ``30``
.. option:: -W, --connection-window-bits=<N>
Sets the connection level initial window size to
(2\*\*<N>)-1.
(2\*\*<N>)-1. For SPDY, if <N> is strictly less than 16,
this option is ignored. Otherwise 2\*\*<N> is used for
SPDY.
Default: ``30``
@@ -95,13 +96,14 @@ OPTIONS
Set allowed cipher list. The format of the string is
described in OpenSSL ciphers(1).
Default: ``ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256``
Default: ``ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS``
.. option:: -p, --no-tls-proto=<PROTOID>
Specify ALPN identifier of the protocol to be used when
accessing http URI without SSL/TLS.
Available protocols: h2c and http/1.1
Available protocols: spdy/2, spdy/3, spdy/3.1, h2c and
http/1.1
Default: ``h2c``
@@ -124,7 +126,7 @@ OPTIONS
connections per period. When the rate is 0, the program
will run as it normally does, creating connections at
whatever variable rate it wants. The default value for
this option is 0. :option:`-r` and :option:`\-D` are mutually exclusive.
this option is 0.
.. option:: --rate-period=<DURATION>
@@ -134,18 +136,6 @@ OPTIONS
the rate option is not used. The default value for this
option is 1s.
.. option:: -D, --duration=<N>
Specifies the main duration for the measurements in case
of timing-based benchmarking. :option:`-D` and :option:`\-r` are mutually
exclusive.
.. option:: --warm-up-time=<DURATION>
Specifies the time period before starting the actual
measurements, in case of timing-based benchmarking.
Needs to provided along with :option:`-D` option.
.. option:: -T, --connection-active-timeout=<DURATION>
Specifies the maximum time that h2load is willing to
@@ -206,7 +196,7 @@ OPTIONS
only and any white spaces are treated as a part of
protocol string.
Default: ``h2,h2-16,h2-14,http/1.1``
Default: ``h2,h2-16,h2-14,spdy/3.1,spdy/3,spdy/2,http/1.1``
.. option:: --h1
@@ -229,16 +219,6 @@ OPTIONS
Default: ``4K``
.. option:: --log-file=<PATH>
Write per-request information to a file as tab-separated
columns: start time as microseconds since epoch; HTTP
status code; microseconds until end of response. More
columns may be added later. Rows are ordered by end-of-
response time when using one worker thread, but may
appear slightly out of order with multiple threads due
to buffering. Status code is -1 for failed streams.
.. option:: -v, --verbose
Output debug information.
@@ -304,7 +284,8 @@ traffic
used for header fields after decompression. The ``space savings``
is calculated by (1 - ``headers`` / ``decompressed(headers)``) *
100. For HTTP/1.1, this is usually 0.00%, since it does not have
header compression. For HTTP/2, it shows some insightful numbers.
header compression. For HTTP/2 and SPDY, it shows some insightful
numbers.
data
The number of response body bytes received from the server.
@@ -323,14 +304,11 @@ time for request
time for connect
min
The minimum time taken to connect to a server including TLS
handshake.
The minimum time taken to connect to a server.
max
The maximum time taken to connect to a server including TLS
handshake.
The maximum time taken to connect to a server.
mean
The mean time taken to connect to a server including TLS
handshake.
The mean time taken to connect to a server.
sd
The standard deviation of the time taken to connect to a server.
+/- sd
@@ -375,7 +353,7 @@ h2load sets large flow control window by default, and effectively
disables flow control to avoid under utilization of server
performance. To set smaller flow control window, use :option:`-w` and
:option:`-W` options. For example, use ``-w16 -W16`` to set default
window size described in HTTP/2 protocol specification.
window size described in HTTP/2 and SPDY protocol specification.
SEE ALSO
--------

14
doc/h2load.h2r
View File

@@ -41,7 +41,8 @@ traffic
used for header fields after decompression. The ``space savings``
is calculated by (1 - ``headers`` / ``decompressed(headers)``) *
100. For HTTP/1.1, this is usually 0.00%, since it does not have
header compression. For HTTP/2, it shows some insightful numbers.
header compression. For HTTP/2 and SPDY, it shows some insightful
numbers.
data
The number of response body bytes received from the server.
@@ -60,14 +61,11 @@ time for request
time for connect
min
The minimum time taken to connect to a server including TLS
handshake.
The minimum time taken to connect to a server.
max
The maximum time taken to connect to a server including TLS
handshake.
The maximum time taken to connect to a server.
mean
The mean time taken to connect to a server including TLS
handshake.
The mean time taken to connect to a server.
sd
The standard deviation of the time taken to connect to a server.
+/- sd
@@ -112,7 +110,7 @@ h2load sets large flow control window by default, and effectively
disables flow control to avoid under utilization of server
performance. To set smaller flow control window, use :option:`-w` and
:option:`-W` options. For example, use ``-w16 -W16`` to set default
window size described in HTTP/2 protocol specification.
window size described in HTTP/2 and SPDY protocol specification.
SEE ALSO
--------

8
doc/nghttp.1
View File

@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "NGHTTP" "1" "Jun 11, 2019" "1.39.0" "nghttp2"
.TH "NGHTTP" "1" "Jan 09, 2017" "1.19.0-DEV" "nghttp2"
.SH NAME
nghttp \- HTTP/2 client
.
@@ -236,12 +236,6 @@ combined with the \fI\%\-d\fP option.
.UNINDENT
.INDENT 0.0
.TP
.B \-y, \-\-no\-verify\-peer
Suppress warning on server certificate verification
failure.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-version
Display version information and exit.
.UNINDENT

5
doc/nghttp.1.rst
View File

@@ -186,11 +186,6 @@ OPTIONS
Continue interim response. This option is ignored unless
combined with the :option:`-d` option.
.. option:: -y, --no-verify-peer
Suppress warning on server certificate verification
failure.
.. option:: --version
Display version information and exit.

2
doc/nghttpd.1
View File

@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "NGHTTPD" "1" "Jun 11, 2019" "1.39.0" "nghttp2"
.TH "NGHTTPD" "1" "Jan 09, 2017" "1.19.0-DEV" "nghttp2"
.SH NAME
nghttpd \- HTTP/2 server
.

621
doc/nghttpx.1
View File

@@ -1,6 +1,6 @@
.\" Man page generated from reStructuredText.
.
.TH "NGHTTPX" "1" "Jun 11, 2019" "1.39.0" "nghttp2"
.TH "NGHTTPX" "1" "Jan 09, 2017" "1.19.0-DEV" "nghttp2"
.SH NAME
nghttpx \- HTTP/2 proxy
.
@@ -35,7 +35,7 @@ level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
\fBnghttpx\fP [OPTIONS]... [<PRIVATE_KEY> <CERT>]
.SH DESCRIPTION
.sp
A reverse proxy for HTTP/2, and HTTP/1.
A reverse proxy for HTTP/2, HTTP/1 and SPDY.
.INDENT 0.0
.TP
.B <PRIVATE_KEY>
@@ -62,7 +62,8 @@ domain socket can be specified by prefixing path name
with "unix:" (e.g., unix:/var/run/backend.sock).
.sp
Optionally, if <PATTERN>s are given, the backend address
is only used if request matches the pattern. The
is only used if request matches the pattern. If
\fI\%\-\-http2\-proxy\fP is used, <PATTERN>s are ignored. The
pattern matching is closely designed to ServeMux in
net/http package of Go programming language. <PATTERN>
consists of path, host + path or just host. The path
@@ -73,16 +74,11 @@ path which ends with "\fI/\fP" also matches the request path
which only lacks trailing \(aq\fI/\fP\(aq (e.g., path "\fI/foo/\fP"
matches request path "\fI/foo\fP"). If it does not end with
"\fI/\fP", it performs exact match against the request path.
If host is given, it performs a match against the
request host. For a request received on the frontend
listener with "sni\-fwd" parameter enabled, SNI host is
used instead of a request host. If host alone is given,
"\fI/\fP" is appended to it, so that it matches all request
paths under the host (e.g., specifying "nghttp2.org"
equals to "nghttp2.org/"). CONNECT method is treated
specially. It does not have path, and we don\(aqt allow
empty path. To workaround this, we assume that CONNECT
method has "\fI/\fP" as path.
If host is given, it performs exact match against the
request host. If host alone is given, "\fI/\fP" is appended
to it, so that it matches all request paths under the
host (e.g., specifying "nghttp2.org" equals to
"nghttp2.org/").
.sp
Patterns with host take precedence over patterns with
just path. Then, longer patterns take precedence over
@@ -96,18 +92,6 @@ host pattern "*.nghttp2.org" matches against
match against "nghttp2.org". The exact hosts match
takes precedence over the wildcard hosts match.
.sp
If path part ends with "*", it is treated as wildcard
path. The wildcard path behaves differently from the
normal path. For normal path, match is made around the
boundary of path component separator,"\fI/\fP". On the other
hand, the wildcard path does not take into account the
path component separator. All paths which include the
wildcard path without last "*" as prefix, and are
strictly longer than wildcard path without last "*" are
matched. "*" must match at least one character. For
example, the pattern "\fI/foo*\fP" matches "\fI/foo/\fP" and
"\fI/foobar\fP". But it does not match "\fI/foo\fP", or "\fI/fo\fP".
.sp
If <PATTERN> is omitted or empty string, "\fI/\fP" is used as
pattern, which matches all request paths (catch\-all
pattern). The catch\-all backend must be given.
@@ -137,15 +121,12 @@ Several parameters <PARAM> are accepted after <PATTERN>.
The parameters are delimited by ";". The available
parameters are: "proto=<PROTO>", "tls",
"sni=<SNI_HOST>", "fall=<N>", "rise=<N>",
"affinity=<METHOD>", "dns", "redirect\-if\-not\-tls",
"upgrade\-scheme", "mruby=<PATH>",
"read\-timeout=<DURATION>", "write\-timeout=<DURATION>",
"group=<GROUP>", "group\-weight=<N>", and "weight=<N>".
The parameter consists of keyword, and optionally
followed by "=" and value. For example, the parameter
"proto=h2" consists of the keyword "proto" and value
"h2". The parameter "tls" consists of the keyword "tls"
without value. Each parameter is described as follows.
"affinity=<METHOD>", and "dns". The parameter consists
of keyword, and optionally followed by "=" and value.
For example, the parameter "proto=h2" consists of the
keyword "proto" and value "h2". The parameter "tls"
consists of the keyword "tls" without value. Each
parameter is described as follows.
.sp
The backend application protocol can be specified using
optional "proto" parameter, and in the form of
@@ -183,32 +164,16 @@ state, and this is the default behaviour.
The session affinity is enabled using
"affinity=<METHOD>" parameter. If "ip" is given in
<METHOD>, client IP based session affinity is enabled.
If "cookie" is given in <METHOD>, cookie based session
affinity is enabled. If "none" is given in <METHOD>,
session affinity is disabled, and this is the default.
The session affinity is enabled per <PATTERN>. If at
least one backend has "affinity" parameter, and its
<METHOD> is not "none", session affinity is enabled for
all backend servers sharing the same <PATTERN>. It is
advised to set "affinity" parameter to all backend
explicitly if session affinity is desired. The session
affinity may break if one of the backend gets
unreachable, or backend settings are reloaded or
replaced by API.
.sp
If "affinity=cookie" is used, the additional
configuration is required.
"affinity\-cookie\-name=<NAME>" must be used to specify a
name of cookie to use. Optionally,
"affinity\-cookie\-path=<PATH>" can be used to specify a
path which cookie is applied. The optional
"affinity\-cookie\-secure=<SECURE>" controls the Secure
attribute of a cookie. The default value is "auto", and
the Secure attribute is determined by a request scheme.
If a request scheme is "https", then Secure attribute is
set. Otherwise, it is not set. If <SECURE> is "yes",
the Secure attribute is always set. If <SECURE> is
"no", the Secure attribute is always omitted.
If "none" is given in <METHOD>, session affinity is
disabled, and this is the default. The session affinity
is enabled per <PATTERN>. If at least one backend has
"affinity" parameter, and its <METHOD> is not "none",
session affinity is enabled for all backend servers
sharing the same <PATTERN>. It is advised to set
"affinity" parameter to all backend explicitly if
session affinity is desired. The session affinity may
break if one of the backend gets unreachable, or backend
settings are reloaded or replaced by API.
.sp
By default, name resolution of backend host name is done
at start up, or reloading configuration. If "dns"
@@ -218,64 +183,6 @@ frequently. If "dns" is given, name resolution of
backend host name at start up, or reloading
configuration is skipped.
.sp
If "redirect\-if\-not\-tls" parameter is used, the matched
backend requires that frontend connection is TLS
encrypted. If it isn\(aqt, nghttpx responds to the request
with 308 status code, and https URI the client should
use instead is included in Location header field. The
port number in redirect URI is 443 by default, and can
be changed using \fI\%\-\-redirect\-https\-port\fP option. If at
least one backend has "redirect\-if\-not\-tls" parameter,
this feature is enabled for all backend servers sharing
the same <PATTERN>. It is advised to set
"redirect\-if\-no\-tls" parameter to all backends
explicitly if this feature is desired.
.sp
If "upgrade\-scheme" parameter is used along with "tls"
parameter, HTTP/2 :scheme pseudo header field is changed
to "https" from "http" when forwarding a request to this
particular backend. This is a workaround for a backend
server which requires "https" :scheme pseudo header
field on TLS encrypted connection.
.sp
"mruby=<PATH>" parameter specifies a path to mruby
script file which is invoked when this pattern is
matched. All backends which share the same pattern must
have the same mruby path.
.sp
"read\-timeout=<DURATION>" and "write\-timeout=<DURATION>"
parameters specify the read and write timeout of the
backend connection when this pattern is matched. All
backends which share the same pattern must have the same
timeouts. If these timeouts are entirely omitted for a
pattern, \fI\%\-\-backend\-read\-timeout\fP and
\fI\%\-\-backend\-write\-timeout\fP are used.
.sp
"group=<GROUP>" parameter specifies the name of group
this backend address belongs to. By default, it belongs
to the unnamed default group. The name of group is
unique per pattern. "group\-weight=<N>" parameter
specifies the weight of the group. The higher weight
gets more frequently selected by the load balancing
algorithm. <N> must be [1, 256] inclusive. The weight
8 has 4 times more weight than 2. <N> must be the same
for all addresses which share the same <GROUP>. If
"group\-weight" is omitted in an address, but the other
address which belongs to the same group specifies
"group\-weight", its weight is used. If no
"group\-weight" is specified for all addresses, the
weight of a group becomes 1. "group" and "group\-weight"
are ignored if session affinity is enabled.
.sp
"weight=<N>" parameter specifies the weight of the
backend address inside a group which this address
belongs to. The higher weight gets more frequently
selected by the load balancing algorithm. <N> must be
[1, 256] inclusive. The weight 8 has 4 times more
weight than weight 2. If this parameter is omitted,
weight becomes 1. "weight" is ignored if session
affinity is enabled.
.sp
Since ";" and ":" are used as delimiter, <PATTERN> must
not contain these characters. Since ";" has special
meaning in shell, the option value must be quoted.
@@ -299,11 +206,6 @@ parameters are mutually exclusive.
Optionally, TLS can be disabled by specifying "no\-tls"
parameter. TLS is enabled by default.
.sp
If "sni\-fwd" parameter is used, when performing a match
to select a backend server, SNI host name received from
the client is used instead of the request host. See
\fI\%\-\-backend\fP option about the pattern match.
.sp
To make this frontend as API endpoint, specify "api"
parameter. This is disabled by default. It is
important to limit the access to the API frontend.
@@ -327,7 +229,7 @@ Default: \fB*,3000\fP
.B \-\-backlog=<N>
Set listen backlog size.
.sp
Default: \fB65536\fP
Default: \fB512\fP
.UNINDENT
.INDENT 0.0
.TP
@@ -365,15 +267,6 @@ Default: \fB1\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-single\-thread
Run everything in one thread inside the worker process.
This feature is provided for better debugging
experience, or for the platforms which lack thread
support. If threading is disabled, this option is
always enabled.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-read\-rate=<SIZE>
Set maximum average read rate on frontend connection.
Setting 0 to this option means read rate is unlimited.
@@ -519,7 +412,8 @@ this option will be simply ignored.
.INDENT 0.0
.TP
.B \-\-frontend\-http2\-read\-timeout=<DURATION>
Specify read timeout for HTTP/2 frontend connection.
Specify read timeout for HTTP/2 and SPDY frontend
connection.
.sp
Default: \fB3m\fP
.UNINDENT
@@ -548,18 +442,18 @@ Default: \fB1m\fP
.INDENT 0.0
.TP
.B \-\-stream\-read\-timeout=<DURATION>
Specify read timeout for HTTP/2 streams. 0 means no
timeout.
Specify read timeout for HTTP/2 and SPDY streams. 0
means no timeout.
.sp
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-stream\-write\-timeout=<DURATION>
Specify write timeout for HTTP/2 streams. 0 means no
timeout.
Specify write timeout for HTTP/2 and SPDY streams. 0
means no timeout.
.sp
Default: \fB1m\fP
Default: \fB0\fP
.UNINDENT
.INDENT 0.0
.TP
@@ -636,40 +530,16 @@ Default: \fB2m\fP
.B \-\-ciphers=<SUITE>
Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.2 or earlier.
Use \fI\%\-\-tls13\-ciphers\fP for TLSv1.3.
.sp
Default: \fBECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:ECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-SHA384:ECDHE\-RSA\-AES256\-SHA384:ECDHE\-ECDSA\-AES128\-SHA256:ECDHE\-RSA\-AES128\-SHA256\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls13\-ciphers=<SUITE>
Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.3. Use
\fI\%\-\-ciphers\fP for TLSv1.2 or earlier.
.sp
Default: \fBTLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256\fP
Default: \fBECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:ECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-AES128\-SHA256:ECDHE\-RSA\-AES128\-SHA256:ECDHE\-ECDSA\-AES128\-SHA:ECDHE\-RSA\-AES256\-SHA384:ECDHE\-RSA\-AES128\-SHA:ECDHE\-ECDSA\-AES256\-SHA384:ECDHE\-ECDSA\-AES256\-SHA:ECDHE\-RSA\-AES256\-SHA:DHE\-RSA\-AES128\-SHA256:DHE\-RSA\-AES128\-SHA:DHE\-RSA\-AES256\-SHA256:DHE\-RSA\-AES256\-SHA:ECDHE\-ECDSA\-DES\-CBC3\-SHA:ECDHE\-RSA\-DES\-CBC3\-SHA:EDH\-RSA\-DES\-CBC3\-SHA:AES128\-GCM\-SHA256:AES256\-GCM\-SHA384:AES128\-SHA256:AES256\-SHA256:AES128\-SHA:AES256\-SHA:DES\-CBC3\-SHA:!DSS\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-client\-ciphers=<SUITE>
Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.2 or earlier.
Use \fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.3.
.sp
Default: \fBECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:ECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-SHA384:ECDHE\-RSA\-AES256\-SHA384:ECDHE\-ECDSA\-AES128\-SHA256:ECDHE\-RSA\-AES128\-SHA256\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls13\-client\-ciphers=<SUITE>
Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.3. Use
\fI\%\-\-tls13\-client\-ciphers\fP for TLSv1.2 or earlier.
.sp
Default: \fBTLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256\fP
Default: \fBECDHE\-ECDSA\-CHACHA20\-POLY1305:ECDHE\-RSA\-CHACHA20\-POLY1305:ECDHE\-ECDSA\-AES128\-GCM\-SHA256:ECDHE\-RSA\-AES128\-GCM\-SHA256:ECDHE\-ECDSA\-AES256\-GCM\-SHA384:ECDHE\-RSA\-AES256\-GCM\-SHA384:DHE\-RSA\-AES128\-GCM\-SHA256:DHE\-RSA\-AES256\-GCM\-SHA384:ECDHE\-ECDSA\-AES128\-SHA256:ECDHE\-RSA\-AES128\-SHA256:ECDHE\-ECDSA\-AES128\-SHA:ECDHE\-RSA\-AES256\-SHA384:ECDHE\-RSA\-AES128\-SHA:ECDHE\-ECDSA\-AES256\-SHA384:ECDHE\-ECDSA\-AES256\-SHA:ECDHE\-RSA\-AES256\-SHA:DHE\-RSA\-AES128\-SHA256:DHE\-RSA\-AES128\-SHA:DHE\-RSA\-AES256\-SHA256:DHE\-RSA\-AES256\-SHA:ECDHE\-ECDSA\-DES\-CBC3\-SHA:ECDHE\-RSA\-DES\-CBC3\-SHA:EDH\-RSA\-DES\-CBC3\-SHA:AES128\-GCM\-SHA256:AES256\-GCM\-SHA384:AES128\-SHA256:AES256\-SHA256:AES128\-SHA:AES256\-SHA:DES\-CBC3\-SHA:!DSS\fP
.UNINDENT
.INDENT 0.0
.TP
@@ -691,14 +561,11 @@ enabled for backend connections.
.INDENT 0.0
.TP
.B \-\-cacert=<PATH>
Set path to trusted CA certificate file. It is used in
backend TLS connections to verify peer\(aqs certificate.
It is also used to verify OCSP response from the script
set by \fI\%\-\-fetch\-ocsp\-response\-file\fP\&. The file must be in
PEM format. It can contain multiple certificates. If
the linked OpenSSL is configured to load system wide
certificates, they are loaded at startup regardless of
this option.
Set path to trusted CA certificate file used in backend
TLS connections. The file must be in PEM format. It
can contain multiple certificates. If the linked
OpenSSL is configured to load system wide certificates,
they are loaded at startup regardless of this option.
.UNINDENT
.INDENT 0.0
.TP
@@ -712,14 +579,9 @@ password protected it\(aqll be requested interactively.
.B \-\-subcert=<KEYPATH>:<CERTPATH>[[;<PARAM>]...]
Specify additional certificate and private key file.
nghttpx will choose certificates based on the hostname
indicated by client using TLS SNI extension. If nghttpx
is built with OpenSSL >= 1.0.2, the shared elliptic
curves (e.g., P\-256) between client and server are also
taken into consideration. This allows nghttpx to send
ECDSA certificate to modern clients, while sending RSA
based certificate to older clients. This option can be
used multiple times. To make OCSP stapling work,
<CERTPATH> must be absolute path.
indicated by client using TLS SNI extension. This
option can be used multiple times. To make OCSP
stapling work, <CERTPATH> must be absolute path.
.sp
Additional parameter can be specified in <PARAM>. The
available <PARAM> is "sct\-dir=<DIR>".
@@ -747,7 +609,7 @@ NPN. The parameter must be delimited by a single comma
only and any white spaces are treated as a part of
protocol string.
.sp
Default: \fBh2,h2\-16,h2\-14,http/1.1\fP
Default: \fBh2,h2\-16,h2\-14,spdy/3.1,http/1.1\fP
.UNINDENT
.INDENT 0.0
.TP
@@ -763,14 +625,6 @@ can contain multiple certificates.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-verify\-client\-tolerate\-expired
Accept expired client certificate. Operator should
handle the expired client certificate by some means
(e.g., mruby script). Otherwise, this option might
cause a security risk.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-client\-private\-key\-file=<PATH>
Path to file that contains client private key used in
backend client authentication.
@@ -783,33 +637,18 @@ backend client authentication.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls\-min\-proto\-version=<VER>
Specify minimum SSL/TLS protocol. The name matching is
done in case\-insensitive manner. The versions between
\fI\%\-\-tls\-min\-proto\-version\fP and \fI\%\-\-tls\-max\-proto\-version\fP are
enabled. If the protocol list advertised by client does
not overlap this range, you will receive the error
message "unknown protocol". If a protocol version lower
than TLSv1.2 is specified, make sure that the compatible
ciphers are included in \fI\%\-\-ciphers\fP option. The default
cipher list only includes ciphers compatible with
TLSv1.2 or above. The available versions are:
TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
.B \-\-tls\-proto\-list=<LIST>
Comma delimited list of SSL/TLS protocol to be enabled.
The following protocols are available: TLSv1.2, TLSv1.1
and TLSv1.0. The name matching is done in
case\-insensitive manner. The parameter must be
delimited by a single comma only and any white spaces
are treated as a part of protocol string. If the
protocol list advertised by client does not overlap this
list, you will receive the error message "unknown
protocol".
.sp
Default: \fBTLSv1.2\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls\-max\-proto\-version=<VER>
Specify maximum SSL/TLS protocol. The name matching is
done in case\-insensitive manner. The versions between
\fI\%\-\-tls\-min\-proto\-version\fP and \fI\%\-\-tls\-max\-proto\-version\fP are
enabled. If the protocol list advertised by client does
not overlap this range, you will receive the error
message "unknown protocol". The available versions are:
TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
.sp
Default: \fBTLSv1.3\fP
Default: \fBTLSv1.2,TLSv1.1\fP
.UNINDENT
.INDENT 0.0
.TP
@@ -926,20 +765,6 @@ Default: \fB4h\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ocsp\-startup
Start accepting connections after initial attempts to
get OCSP responses finish. It does not matter some of
the attempts fail. This feature is useful if OCSP
responses must be available before accepting
connections.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-verify\-ocsp
nghttpx does not verify OCSP response.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-ocsp
Disable OCSP stapling.
.UNINDENT
@@ -1062,32 +887,14 @@ HTTP/2. To use those cipher suites with HTTP/2,
consider to use \fI\%\-\-client\-no\-http2\-cipher\-black\-list\fP
option. But be aware its implications.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls\-no\-postpone\-early\-data
By default, nghttpx postpones forwarding HTTP requests
sent in early data, including those sent in partially in
it, until TLS handshake finishes. If all backend server
recognizes "Early\-Data" header field, using this option
makes nghttpx not postpone forwarding request and get
full potential of 0\-RTT data.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-tls\-max\-early\-data=<SIZE>
Sets the maximum amount of 0\-RTT data that server
accepts.
.sp
Default: \fB16K\fP
.UNINDENT
.SS HTTP/2
.SS HTTP/2 and SPDY
.INDENT 0.0
.TP
.B \-c, \-\-frontend\-http2\-max\-concurrent\-streams=<N>
Set the maximum number of the concurrent streams in one
frontend HTTP/2 session.
frontend HTTP/2 and SPDY session.
.sp
Default: \fB100\fP
Default: \(ga\(ga 100\(ga\(ga
.UNINDENT
.INDENT 0.0
.TP
@@ -1102,16 +909,17 @@ Default: \fB100\fP
.INDENT 0.0
.TP
.B \-\-frontend\-http2\-window\-size=<SIZE>
Sets the per\-stream initial window size of HTTP/2
frontend connection.
Sets the per\-stream initial window size of HTTP/2 and
SPDY frontend connection.
.sp
Default: \fB65535\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-frontend\-http2\-connection\-window\-size=<SIZE>
Sets the per\-connection window size of HTTP/2 frontend
connection.
Sets the per\-connection window size of HTTP/2 and SPDY
frontend connection. For SPDY connection, the value
less than 64KiB is rounded up to 64KiB.
.sp
Default: \fB65535\fP
.UNINDENT
@@ -1152,7 +960,8 @@ default mode and HTTP/2 frontend via Link header field.
It is also supported if both frontend and backend are
HTTP/2 in default mode. In this case, server push from
backend session is relayed to frontend, and server push
via Link header field is also supported.
via Link header field is also supported. SPDY frontend
does not support server push.
.UNINDENT
.INDENT 0.0
.TP
@@ -1223,7 +1032,7 @@ Default: \fB4K\fP
.INDENT 0.0
.TP
.B (default mode)
Accept HTTP/2, and HTTP/1.1 over SSL/TLS. "no\-tls"
Accept HTTP/2, SPDY and HTTP/1.1 over SSL/TLS. "no\-tls"
parameter is used in \fI\%\-\-frontend\fP option, accept HTTP/2
and HTTP/1.1 over cleartext TCP. The incoming HTTP/1.1
connection can be upgraded to HTTP/2 through HTTP
@@ -1293,32 +1102,15 @@ $alpn: ALPN identifier of the protocol which generates
the response. For HTTP/1, ALPN is always http/1.1,
regardless of minor version.
.IP \(bu 2
$tls_cipher: cipher used for SSL/TLS connection.
$ssl_cipher: cipher used for SSL/TLS connection.
.IP \(bu 2
$tls_client_fingerprint_sha256: SHA\-256 fingerprint of
client certificate.
$ssl_protocol: protocol for SSL/TLS connection.
.IP \(bu 2
$tls_client_fingerprint_sha1: SHA\-1 fingerprint of
client certificate.
$ssl_session_id: session ID for SSL/TLS connection.
.IP \(bu 2
$tls_client_subject_name: subject name in client
certificate.
.IP \(bu 2
$tls_client_issuer_name: issuer name in client
certificate.
.IP \(bu 2
$tls_client_serial: serial number in client
certificate.
.IP \(bu 2
$tls_protocol: protocol for SSL/TLS connection.
.IP \(bu 2
$tls_session_id: session ID for SSL/TLS connection.
.IP \(bu 2
$tls_session_reused: "r" if SSL/TLS session was
$ssl_session_reused: "r" if SSL/TLS session was
reused. Otherwise, "."
.IP \(bu 2
$tls_sni: SNI server name for SSL/TLS connection.
.IP \(bu 2
$backend_host: backend host used to fulfill the
request. "\-" if backend host is not available.
.IP \(bu 2
@@ -1333,13 +1125,6 @@ Default: \fB$remote_addr \- \- [$time_local] "$request" $status $body_bytes_sent
.UNINDENT
.INDENT 0.0
.TP
.B \-\-accesslog\-write\-early
Write access log when response header fields are
received from backend rather than when request
transaction finishes.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-errorlog\-file=<PATH>
Set path to write error log. To reopen file, send USR1
signal to nghttpx. stderr will be redirected to the
@@ -1375,21 +1160,6 @@ requests.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-add\-x\-forwarded\-proto
Don\(aqt append additional X\-Forwarded\-Proto header field
to the backend request. If inbound client sets
X\-Forwarded\-Proto, and
\fI\%\-\-no\-strip\-incoming\-x\-forwarded\-proto\fP option is used,
they are passed to the backend.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-strip\-incoming\-x\-forwarded\-proto
Don\(aqt strip X\-Forwarded\-Proto header field from inbound
client requests.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-add\-forwarded=<LIST>
Append RFC 7239 Forwarded header field with parameters
specified in comma delimited list <LIST>. The supported
@@ -1443,12 +1213,6 @@ is received, it is left unaltered.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-strip\-incoming\-early\-data
Don\(aqt strip Early\-Data header field from inbound client
requests.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-no\-location\-rewrite
Don\(aqt rewrite location header field in default mode.
When \fI\%\-\-http2\-proxy\fP is used, location header field will
@@ -1542,7 +1306,7 @@ backend server, the custom error pages are not used.
.B \-\-server\-name=<NAME>
Change server response header field value to <NAME>.
.sp
Default: \fBnghttpx\fP
Default: \fBnghttpx nghttp2/1.19.0\-DEV\fP
.UNINDENT
.INDENT 0.0
.TP
@@ -1551,22 +1315,13 @@ Don\(aqt rewrite server header field in default mode. When
\fI\%\-\-http2\-proxy\fP is used, these headers will not be altered
regardless of this option.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-redirect\-https\-port=<PORT>
Specify the port number which appears in Location header
field when redirect to HTTPS URI is made due to
"redirect\-if\-not\-tls" parameter in \fI\%\-\-backend\fP option.
.sp
Default: \fB443\fP
.UNINDENT
.SS API
.INDENT 0.0
.TP
.B \-\-api\-max\-request\-body=<SIZE>
Set the maximum size of request body for API request.
.sp
Default: \fB32M\fP
Default: \fB16K\fP
.UNINDENT
.SS DNS
.INDENT 0.0
@@ -1595,16 +1350,6 @@ lookup.
.sp
Default: \fB2\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-\-frontend\-max\-requests=<N>
The number of requests that single frontend connection
can process. For HTTP/2, this is the number of streams
in one HTTP/2 connection. For HTTP/1, this is the
number of keep alive requests. This is hint to nghttpx,
and it may allow additional few requests. The default
value is unlimited.
.UNINDENT
.SS Debug
.INDENT 0.0
.TP
@@ -1649,37 +1394,17 @@ Set path to save PID of this program.
Run this program as <USER>. This option is intended to
be used to drop root privileges.
.UNINDENT
.INDENT 0.0
.TP
.B \-\-single\-process
Run this program in a single process mode for debugging
purpose. Without this option, nghttpx creates at least
2 processes: master and worker processes. If this
option is used, master and worker are unified into a
single process. nghttpx still spawns additional process
if neverbleed is used. In the single process mode, the
signal handling feature is disabled.
.UNINDENT
.SS Scripting
.INDENT 0.0
.TP
.B \-\-mruby\-file=<PATH>
Set mruby script file
.UNINDENT
.INDENT 0.0
.TP
.B \-\-ignore\-per\-pattern\-mruby\-error
Ignore mruby compile error for per\-pattern mruby script
file. If error occurred, it is treated as if no mruby
file were specified for the pattern.
.UNINDENT
.SS Misc
.INDENT 0.0
.TP
.B \-\-conf=<PATH>
Load configuration from <PATH>. Please note that
nghttpx always tries to read the default configuration
file if \fI\%\-\-conf\fP is not given.
Load configuration from <PATH>.
.sp
Default: \fB/etc/nghttpx/nghttpx.conf\fP
.UNINDENT
@@ -1773,7 +1498,7 @@ follows:
.INDENT 7.0
.TP
.B <datetime>
It is a combination of date and time when the log is written. It
It is a conbination of date and time when the log is written. It
is in ISO 8601 format.
.TP
.B <master\-pid>
@@ -1806,23 +1531,16 @@ Reload configuration file given in \fI\%\-\-conf\fP\&.
.TP
.B SIGUSR1
Reopen log files.
.UNINDENT
.sp
SIGUSR2
.INDENT 0.0
.INDENT 3.5
.TP
.B SIGUSR2
Fork and execute nghttpx. It will execute the binary in the same
path with same command\-line arguments and environment variables. As
of nghttpx version 1.20.0, the new master process sends SIGQUIT to
the original master process when it is ready to serve requests. For
the earlier versions of nghttpx, user has to send SIGQUIT to the
original master process.
.sp
The difference between SIGUSR2 (+ SIGQUIT) and SIGHUP is that former
is usually used to execute new binary, and the master process is
newly spawned. On the other hand, the latter just reloads
configuration file, and the same master process continues to exist.
.UNINDENT
path with same command\-line arguments and environment variables.
After new process comes up, sending SIGQUIT to the original process
to perform hot swapping. The difference between SIGUSR2 + SIGQUIT
and SIGHUP is that former is usually used to execute new binary, and
the master process is newly spawned. On the other hand, the latter
just reloads configuration file, and the same master process
continues to exist.
.UNINDENT
.sp
\fBNOTE:\fP
@@ -1902,22 +1620,6 @@ be customized using \fI\%\-\-fetch\-ocsp\-response\-file\fP option.
.sp
If OCSP query is failed, previous OCSP response, if any, is continued
to be used.
.sp
\fI\%\-\-fetch\-ocsp\-response\-file\fP option provides wide range of
possibility to manage OCSP response. It can take an arbitrary script
or executable. The requirement is that it supports the command\-line
interface of \fBfetch\-ocsp\-response\fP script, and it must return a
valid DER encoded OCSP response on success. It must return exit code
0 on success, and 75 for temporary error, and the other error code for
generic failure. For large cluster of servers, it is not efficient
for each server to perform OCSP query using \fBfetch\-ocsp\-response\fP\&.
Instead, you can retrieve OCSP response in some way, and store it in a
disk or a shared database. Then specify a program in
\fI\%\-\-fetch\-ocsp\-response\-file\fP to fetch it from those stores.
This could provide a way to share the OCSP response between fleet of
servers, and also any OCSP query strategy can be applied which may be
beyond the ability of nghttpx itself or \fBfetch\-ocsp\-response\fP
script.
.SH TLS SESSION RESUMPTION
.sp
nghttpx supports TLS session resumption through both session ID and
@@ -1928,7 +1630,7 @@ By default, session ID is shared by all worker threads.
.sp
If \fI\%\-\-tls\-session\-cache\-memcached\fP is given, nghttpx will
insert serialized session data to memcached with
\fBnghttpx:tls\-session\-cache:\fP + lowercase hex string of session ID
\fBnghttpx:tls\-session\-cache:\fP + lowercased hex string of session ID
as a memcached entry key, with expiry time 12 hours. Session timeout
is set to 12 hours.
.sp
@@ -2010,17 +1712,6 @@ API is subject to change in the future release.
.UNINDENT
.UNINDENT
.sp
\fBWARNING:\fP
.INDENT 0.0
.INDENT 3.5
Almost all string value returned from method, or attribute is a
fresh new mruby string, which involves memory allocation, and
copies. Therefore, it is strongly recommended to store a return
value in a local variable, and use it, instead of calling method or
accessing attribute repeatedly.
.UNINDENT
.UNINDENT
.sp
nghttpx allows users to extend its capability using mruby scripts.
nghttpx has 2 hook points to execute mruby script: request phase and
response phase. The request phase hook is invoked after all request
@@ -2030,28 +1721,9 @@ server. These hooks allows users to modify header fields, or common
HTTP variables, like authority or request path, and even return custom
response without forwarding request to backend servers.
.sp
There are 2 levels of mruby script invocations: global and
per\-pattern. The global mruby script is set by \fI\%\-\-mruby\-file\fP
option and is called for all requests. The per\-pattern mruby script
is set by "mruby" parameter in \fI\%\-b\fP option. It is invoked for
a request which matches the particular pattern. The order of hook
invocation is: global request phase hook, per\-pattern request phase
hook, per\-pattern response phase hook, and finally global response
phase hook. If a hook returns a response, any later hooks are not
invoked. The global request hook is invoked before the pattern
matching is made and changing request path may affect the pattern
matching.
.sp
Please note that request and response hooks of per\-pattern mruby
script for a single request might not come from the same script. This
might happen after a request hook is executed, backend failed for some
reason, and at the same time, backend configuration is replaced by API
request, and then the request uses new configuration on retry. The
response hook from new configuration, if it is specified, will be
invoked.
.sp
The all mruby script will be evaluated once per thread on startup, and
it must instantiate object and evaluate it as the return value (e.g.,
To specify mruby script file, use \fI\%\-\-mruby\-file\fP option. The
script will be evaluated once per thread on startup, and it must
instantiate object and evaluate it as the return value (e.g.,
\fBApp.new\fP). This object is called app object. If app object
defines \fBon_req\fP method, it is called with \fI\%Nghttpx::Env\fP
object on request hook. Similarly, if app object defines \fBon_resp\fP
@@ -2088,7 +1760,7 @@ Return \fI\%Response\fP object.
.TP
.B attribute [R] ctx
Return Ruby hash object. It persists until request finishes.
So values set in request phase hook can be retrieved in
So values set in request phase hoo can be retrieved in
response phase hook.
.UNINDENT
.INDENT 7.0
@@ -2126,77 +1798,6 @@ Return true if TLS is used on the connection.
.B attribute [R] tls_sni
Return the TLS SNI value which client sent in this connection.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_client_fingerprint_sha256
Return the SHA\-256 fingerprint of a client certificate.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_client_fingerprint_sha1
Return the SHA\-1 fingerprint of a client certificate.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_client_issuer_name
Return the issuer name of a client certificate.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_client_subject_name
Return the subject name of a client certificate.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_client_serial
Return the serial number of a client certificate.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_client_not_before
Return the start date of a client certificate in seconds since
the epoch.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_client_not_after
Return the end date of a client certificate in seconds since
the epoch.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_cipher
Return a TLS cipher negotiated in this connection.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_protocol
Return a TLS protocol version negotiated in this connection.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_session_id
Return a session ID for this connection in hex string.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_session_reused
Return true if, and only if a SSL/TLS session is reused.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] alpn
Return ALPN identifier negotiated in this connection.
.UNINDENT
.INDENT 7.0
.TP
.B attribute [R] tls_handshake_finished
Return true if SSL/TLS handshake has finished. If it returns
false in the request phase hook, the request is received in
TLSv1.3 early data (0\-RTT) and might be vulnerable to the
replay attack. nghttpx will send Early\-Data header field to
backend servers to indicate this.
.UNINDENT
.UNINDENT
.INDENT 0.0
.TP
@@ -2348,10 +1949,10 @@ to the backend, and response phase hook for this request will
not be invoked. When this method is called in response phase
hook, response from backend server is canceled and discarded.
The status code and response header fields should be set
before using this method. To set status code, use
before using this method. To set status code, use :rb:meth To
set response header fields, use
\fI\%Nghttpx::Response#status\fP\&. If status code is not
set, 200 is used. To set response header fields,
\fI\%Nghttpx::Response#add_header\fP and
set, 200 is used. \fI\%Nghttpx::Response#add_header\fP and
\fI\%Nghttpx::Response#set_header\fP\&. When this method is
invoked in response phase hook, the response headers are
filled with the ones received from backend server. To send
@@ -2360,19 +1961,6 @@ completely custom header fields, first call
existing header fields, and then add required header fields.
It is an error to call this method twice for a given request.
.UNINDENT
.INDENT 7.0
.TP
.B send_info(status, headers)
Send non\-final (informational) response to a client. \fIstatus\fP
must be in the range [100, 199], inclusive. \fIheaders\fP is a
hash containing response header fields. Its key must be a
string, and the associated value must be either string or
array of strings. Since this is not a final response, even if
this method is invoked, request is still forwarded to a
backend unless \fI\%Nghttpx::Response#return\fP is called.
This method can be called multiple times. It cannot be called
after \fI\%Nghttpx::Response#return\fP is called.
.UNINDENT
.UNINDENT
.SS MRUBY EXAMPLES
.sp
@@ -2448,18 +2036,15 @@ The request was failed. No change has been made.
HTTP status code
.UNINDENT
.sp
Additionally, depending on the API endpoint, \fBdata\fP key may be
present, and its value contains the API endpoint specific data.
.sp
We wrote "normally", since nghttpx may return ordinal HTML response in
some cases where the error has occurred before reaching API endpoint
(e.g., header field is too large).
.sp
The following section describes available API endpoints.
.SS POST /api/v1beta1/backendconfig
.SS PUT /api/v1beta1/backendconfig
.sp
This API replaces the current backend server settings with the
requested ones. The request method should be POST, but PUT is also
requested ones. The request method should be PUT, but POST is also
acceptable. The request body must be nghttpx configuration file
format. For configuration file format, see \fI\%FILES\fP section. The
line separator inside the request body must be single LF (0x0A).
@@ -2474,28 +2059,10 @@ The replacement is done instantly without breaking existing
connections or requests. It also avoids any process creation as is
the case with hot swapping with signals.
.sp
The one limitation is that only numeric IP address is allowed in
The one limitation is that only numeric IP address is allowd in
\fI\%backend\fP in request body unless "dns" parameter
is used while non numeric hostname is allowed in command\-line or
configuration file is read using \fI\%\-\-conf\fP\&.
.SS GET /api/v1beta1/configrevision
.sp
This API returns configuration revision of the current nghttpx. The
configuration revision is opaque string, and it changes after each
reloading by SIGHUP. With this API, an external application knows
that whether nghttpx has finished reloading its configuration by
comparing the configuration revisions between before and after
reloading. It is recommended to disable persistent (keep\-alive)
connection for this purpose in order to avoid to send a request using
the reused connection which may bound to an old process.
.sp
This API returns response including \fBdata\fP key. Its value is JSON
object, and it contains at least the following key:
.INDENT 0.0
.TP
.B configRevision
The configuration revision of the current nghttpx
.UNINDENT
.SH SEE ALSO
.sp
\fBnghttp(1)\fP, \fBnghttpd(1)\fP, \fBh2load(1)\fP

577
doc/nghttpx.1.rst
View File

@@ -14,7 +14,7 @@ SYNOPSIS
DESCRIPTION
-----------
A reverse proxy for HTTP/2, and HTTP/1.
A reverse proxy for HTTP/2, HTTP/1 and SPDY.
.. describe:: <PRIVATE_KEY>
@@ -46,7 +46,8 @@ Connections
with "unix:" (e.g., unix:/var/run/backend.sock).
Optionally, if <PATTERN>s are given, the backend address
is only used if request matches the pattern. The
is only used if request matches the pattern. If
:option:`--http2-proxy` is used, <PATTERN>s are ignored. The
pattern matching is closely designed to ServeMux in
net/http package of Go programming language. <PATTERN>
consists of path, host + path or just host. The path
@@ -57,16 +58,11 @@ Connections
which only lacks trailing '*/*' (e.g., path "*/foo/*"
matches request path "*/foo*"). If it does not end with
"*/*", it performs exact match against the request path.
If host is given, it performs a match against the
request host. For a request received on the frontend
listener with "sni-fwd" parameter enabled, SNI host is
used instead of a request host. If host alone is given,
"*/*" is appended to it, so that it matches all request
paths under the host (e.g., specifying "nghttp2.org"
equals to "nghttp2.org/"). CONNECT method is treated
specially. It does not have path, and we don't allow
empty path. To workaround this, we assume that CONNECT
method has "*/*" as path.
If host is given, it performs exact match against the
request host. If host alone is given, "*/*" is appended
to it, so that it matches all request paths under the
host (e.g., specifying "nghttp2.org" equals to
"nghttp2.org/").
Patterns with host take precedence over patterns with
just path. Then, longer patterns take precedence over
@@ -80,18 +76,6 @@ Connections
match against "nghttp2.org". The exact hosts match
takes precedence over the wildcard hosts match.
If path part ends with "\*", it is treated as wildcard
path. The wildcard path behaves differently from the
normal path. For normal path, match is made around the
boundary of path component separator,"*/*". On the other
hand, the wildcard path does not take into account the
path component separator. All paths which include the
wildcard path without last "\*" as prefix, and are
strictly longer than wildcard path without last "\*" are
matched. "\*" must match at least one character. For
example, the pattern "*/foo\**" matches "*/foo/*" and
"*/foobar*". But it does not match "*/foo*", or "*/fo*".
If <PATTERN> is omitted or empty string, "*/*" is used as
pattern, which matches all request paths (catch-all
pattern). The catch-all backend must be given.
@@ -121,15 +105,12 @@ Connections
The parameters are delimited by ";". The available
parameters are: "proto=<PROTO>", "tls",
"sni=<SNI_HOST>", "fall=<N>", "rise=<N>",
"affinity=<METHOD>", "dns", "redirect-if-not-tls",
"upgrade-scheme", "mruby=<PATH>",
"read-timeout=<DURATION>", "write-timeout=<DURATION>",
"group=<GROUP>", "group-weight=<N>", and "weight=<N>".
The parameter consists of keyword, and optionally
followed by "=" and value. For example, the parameter
"proto=h2" consists of the keyword "proto" and value
"h2". The parameter "tls" consists of the keyword "tls"
without value. Each parameter is described as follows.
"affinity=<METHOD>", and "dns". The parameter consists
of keyword, and optionally followed by "=" and value.
For example, the parameter "proto=h2" consists of the
keyword "proto" and value "h2". The parameter "tls"
consists of the keyword "tls" without value. Each
parameter is described as follows.
The backend application protocol can be specified using
optional "proto" parameter, and in the form of
@@ -167,32 +148,16 @@ Connections
The session affinity is enabled using
"affinity=<METHOD>" parameter. If "ip" is given in
<METHOD>, client IP based session affinity is enabled.
If "cookie" is given in <METHOD>, cookie based session
affinity is enabled. If "none" is given in <METHOD>,
session affinity is disabled, and this is the default.
The session affinity is enabled per <PATTERN>. If at
least one backend has "affinity" parameter, and its
<METHOD> is not "none", session affinity is enabled for
all backend servers sharing the same <PATTERN>. It is
advised to set "affinity" parameter to all backend
explicitly if session affinity is desired. The session
affinity may break if one of the backend gets
unreachable, or backend settings are reloaded or
replaced by API.
If "affinity=cookie" is used, the additional
configuration is required.
"affinity-cookie-name=<NAME>" must be used to specify a
name of cookie to use. Optionally,
"affinity-cookie-path=<PATH>" can be used to specify a
path which cookie is applied. The optional
"affinity-cookie-secure=<SECURE>" controls the Secure
attribute of a cookie. The default value is "auto", and
the Secure attribute is determined by a request scheme.
If a request scheme is "https", then Secure attribute is
set. Otherwise, it is not set. If <SECURE> is "yes",
the Secure attribute is always set. If <SECURE> is
"no", the Secure attribute is always omitted.
If "none" is given in <METHOD>, session affinity is
disabled, and this is the default. The session affinity
is enabled per <PATTERN>. If at least one backend has
"affinity" parameter, and its <METHOD> is not "none",
session affinity is enabled for all backend servers
sharing the same <PATTERN>. It is advised to set
"affinity" parameter to all backend explicitly if
session affinity is desired. The session affinity may
break if one of the backend gets unreachable, or backend
settings are reloaded or replaced by API.
By default, name resolution of backend host name is done
at start up, or reloading configuration. If "dns"
@@ -202,64 +167,6 @@ Connections
backend host name at start up, or reloading
configuration is skipped.
If "redirect-if-not-tls" parameter is used, the matched
backend requires that frontend connection is TLS
encrypted. If it isn't, nghttpx responds to the request
with 308 status code, and https URI the client should
use instead is included in Location header field. The
port number in redirect URI is 443 by default, and can
be changed using :option:`--redirect-https-port` option. If at
least one backend has "redirect-if-not-tls" parameter,
this feature is enabled for all backend servers sharing
the same <PATTERN>. It is advised to set
"redirect-if-no-tls" parameter to all backends
explicitly if this feature is desired.
If "upgrade-scheme" parameter is used along with "tls"
parameter, HTTP/2 :scheme pseudo header field is changed
to "https" from "http" when forwarding a request to this
particular backend. This is a workaround for a backend
server which requires "https" :scheme pseudo header
field on TLS encrypted connection.
"mruby=<PATH>" parameter specifies a path to mruby
script file which is invoked when this pattern is
matched. All backends which share the same pattern must
have the same mruby path.
"read-timeout=<DURATION>" and "write-timeout=<DURATION>"
parameters specify the read and write timeout of the
backend connection when this pattern is matched. All
backends which share the same pattern must have the same
timeouts. If these timeouts are entirely omitted for a
pattern, :option:`--backend-read-timeout` and
:option:`--backend-write-timeout` are used.
"group=<GROUP>" parameter specifies the name of group
this backend address belongs to. By default, it belongs
to the unnamed default group. The name of group is
unique per pattern. "group-weight=<N>" parameter
specifies the weight of the group. The higher weight
gets more frequently selected by the load balancing
algorithm. <N> must be [1, 256] inclusive. The weight
8 has 4 times more weight than 2. <N> must be the same
for all addresses which share the same <GROUP>. If
"group-weight" is omitted in an address, but the other
address which belongs to the same group specifies
"group-weight", its weight is used. If no
"group-weight" is specified for all addresses, the
weight of a group becomes 1. "group" and "group-weight"
are ignored if session affinity is enabled.
"weight=<N>" parameter specifies the weight of the
backend address inside a group which this address
belongs to. The higher weight gets more frequently
selected by the load balancing algorithm. <N> must be
[1, 256] inclusive. The weight 8 has 4 times more
weight than weight 2. If this parameter is omitted,
weight becomes 1. "weight" is ignored if session
affinity is enabled.
Since ";" and ":" are used as delimiter, <PATTERN> must
not contain these characters. Since ";" has special
meaning in shell, the option value must be quoted.
@@ -283,11 +190,6 @@ Connections
Optionally, TLS can be disabled by specifying "no-tls"
parameter. TLS is enabled by default.
If "sni-fwd" parameter is used, when performing a match
to select a backend server, SNI host name received from
the client is used instead of the request host. See
:option:`--backend` option about the pattern match.
To make this frontend as API endpoint, specify "api"
parameter. This is disabled by default. It is
important to limit the access to the API frontend.
@@ -311,7 +213,7 @@ Connections
Set listen backlog size.
Default: ``65536``
Default: ``512``
.. option:: --backend-address-family=(auto|IPv4|IPv6)
@@ -347,14 +249,6 @@ Performance
Default: ``1``
.. option:: --single-thread
Run everything in one thread inside the worker process.
This feature is provided for better debugging
experience, or for the platforms which lack thread
support. If threading is disabled, this option is
always enabled.
.. option:: --read-rate=<SIZE>
Set maximum average read rate on frontend connection.
@@ -488,7 +382,8 @@ Timeout
.. option:: --frontend-http2-read-timeout=<DURATION>
Specify read timeout for HTTP/2 frontend connection.
Specify read timeout for HTTP/2 and SPDY frontend
connection.
Default: ``3m``
@@ -513,17 +408,17 @@ Timeout
.. option:: --stream-read-timeout=<DURATION>
Specify read timeout for HTTP/2 streams. 0 means no
timeout.
Specify read timeout for HTTP/2 and SPDY streams. 0
means no timeout.
Default: ``0``
.. option:: --stream-write-timeout=<DURATION>
Specify write timeout for HTTP/2 streams. 0 means no
timeout.
Specify write timeout for HTTP/2 and SPDY streams. 0
means no timeout.
Default: ``1m``
Default: ``0``
.. option:: --backend-read-timeout=<DURATION>
@@ -594,37 +489,15 @@ SSL/TLS
Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.2 or earlier.
Use :option:`--tls13-ciphers` for TLSv1.3.
Default: ``ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256``
.. option:: --tls13-ciphers=<SUITE>
Set allowed cipher list for frontend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.3. Use
:option:`--ciphers` for TLSv1.2 or earlier.
Default: ``TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256``
Default: ``ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS``
.. option:: --client-ciphers=<SUITE>
Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.2 or earlier.
Use :option:`--tls13-client-ciphers` for TLSv1.3.
Default: ``ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256``
.. option:: --tls13-client-ciphers=<SUITE>
Set allowed cipher list for backend connection. The
format of the string is described in OpenSSL ciphers(1).
This option sets cipher suites for TLSv1.3. Use
:option:`--tls13-client-ciphers` for TLSv1.2 or earlier.
Default: ``TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256``
Default: ``ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS``
.. option:: --ecdh-curves=<LIST>
@@ -643,14 +516,11 @@ SSL/TLS
.. option:: --cacert=<PATH>
Set path to trusted CA certificate file. It is used in
backend TLS connections to verify peer's certificate.
It is also used to verify OCSP response from the script
set by :option:`--fetch-ocsp-response-file`\. The file must be in
PEM format. It can contain multiple certificates. If
the linked OpenSSL is configured to load system wide
certificates, they are loaded at startup regardless of
this option.
Set path to trusted CA certificate file used in backend
TLS connections. The file must be in PEM format. It
can contain multiple certificates. If the linked
OpenSSL is configured to load system wide certificates,
they are loaded at startup regardless of this option.
.. option:: --private-key-passwd-file=<PATH>
@@ -662,14 +532,9 @@ SSL/TLS
Specify additional certificate and private key file.
nghttpx will choose certificates based on the hostname
indicated by client using TLS SNI extension. If nghttpx
is built with OpenSSL >= 1.0.2, the shared elliptic
curves (e.g., P-256) between client and server are also
taken into consideration. This allows nghttpx to send
ECDSA certificate to modern clients, while sending RSA
based certificate to older clients. This option can be
used multiple times. To make OCSP stapling work,
<CERTPATH> must be absolute path.
indicated by client using TLS SNI extension. This
option can be used multiple times. To make OCSP
stapling work, <CERTPATH> must be absolute path.
Additional parameter can be specified in <PARAM>. The
available <PARAM> is "sct-dir=<DIR>".
@@ -695,7 +560,7 @@ SSL/TLS
only and any white spaces are treated as a part of
protocol string.
Default: ``h2,h2-16,h2-14,http/1.1``
Default: ``h2,h2-16,h2-14,spdy/3.1,http/1.1``
.. option:: --verify-client
@@ -707,13 +572,6 @@ SSL/TLS
client certificate. The file must be in PEM format. It
can contain multiple certificates.
.. option:: --verify-client-tolerate-expired
Accept expired client certificate. Operator should
handle the expired client certificate by some means
(e.g., mruby script). Otherwise, this option might
cause a security risk.
.. option:: --client-private-key-file=<PATH>
Path to file that contains client private key used in
@@ -724,33 +582,19 @@ SSL/TLS
Path to file that contains client certificate used in
backend client authentication.
.. option:: --tls-min-proto-version=<VER>
.. option:: --tls-proto-list=<LIST>
Specify minimum SSL/TLS protocol. The name matching is
done in case-insensitive manner. The versions between
:option:`--tls-min-proto-version` and :option:`\--tls-max-proto-version` are
enabled. If the protocol list advertised by client does
not overlap this range, you will receive the error
message "unknown protocol". If a protocol version lower
than TLSv1.2 is specified, make sure that the compatible
ciphers are included in :option:`--ciphers` option. The default
cipher list only includes ciphers compatible with
TLSv1.2 or above. The available versions are:
TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
Comma delimited list of SSL/TLS protocol to be enabled.
The following protocols are available: TLSv1.2, TLSv1.1
and TLSv1.0. The name matching is done in
case-insensitive manner. The parameter must be
delimited by a single comma only and any white spaces
are treated as a part of protocol string. If the
protocol list advertised by client does not overlap this
list, you will receive the error message "unknown
protocol".
Default: ``TLSv1.2``
.. option:: --tls-max-proto-version=<VER>
Specify maximum SSL/TLS protocol. The name matching is
done in case-insensitive manner. The versions between
:option:`--tls-min-proto-version` and :option:`\--tls-max-proto-version` are
enabled. If the protocol list advertised by client does
not overlap this range, you will receive the error
message "unknown protocol". The available versions are:
TLSv1.3, TLSv1.2, TLSv1.1, and TLSv1.0
Default: ``TLSv1.3``
Default: ``TLSv1.2,TLSv1.1``
.. option:: --tls-ticket-key-file=<PATH>
@@ -854,18 +698,6 @@ SSL/TLS
Default: ``4h``
.. option:: --ocsp-startup
Start accepting connections after initial attempts to
get OCSP responses finish. It does not matter some of
the attempts fail. This feature is useful if OCSP
responses must be available before accepting
connections.
.. option:: --no-verify-ocsp
nghttpx does not verify OCSP response.
.. option:: --no-ocsp
Disable OCSP stapling.
@@ -978,32 +810,16 @@ SSL/TLS
consider to use :option:`--client-no-http2-cipher-black-list`
option. But be aware its implications.
.. option:: --tls-no-postpone-early-data
By default, nghttpx postpones forwarding HTTP requests
sent in early data, including those sent in partially in
it, until TLS handshake finishes. If all backend server
recognizes "Early-Data" header field, using this option
makes nghttpx not postpone forwarding request and get
full potential of 0-RTT data.
.. option:: --tls-max-early-data=<SIZE>
Sets the maximum amount of 0-RTT data that server
accepts.
Default: ``16K``
HTTP/2
~~~~~~
HTTP/2 and SPDY
~~~~~~~~~~~~~~~
.. option:: -c, --frontend-http2-max-concurrent-streams=<N>
Set the maximum number of the concurrent streams in one
frontend HTTP/2 session.
frontend HTTP/2 and SPDY session.
Default: ``100``
Default: `` 100``
.. option:: --backend-http2-max-concurrent-streams=<N>
@@ -1016,15 +832,16 @@ HTTP/2
.. option:: --frontend-http2-window-size=<SIZE>
Sets the per-stream initial window size of HTTP/2
frontend connection.
Sets the per-stream initial window size of HTTP/2 and
SPDY frontend connection.
Default: ``65535``
.. option:: --frontend-http2-connection-window-size=<SIZE>
Sets the per-connection window size of HTTP/2 frontend
connection.
Sets the per-connection window size of HTTP/2 and SPDY
frontend connection. For SPDY connection, the value
less than 64KiB is rounded up to 64KiB.
Default: ``65535``
@@ -1060,7 +877,8 @@ HTTP/2
It is also supported if both frontend and backend are
HTTP/2 in default mode. In this case, server push from
backend session is relayed to frontend, and server push
via Link header field is also supported.
via Link header field is also supported. SPDY frontend
does not support server push.
.. option:: --frontend-http2-optimize-write-buffer-size
@@ -1128,7 +946,7 @@ Mode
.. describe:: (default mode)
Accept HTTP/2, and HTTP/1.1 over SSL/TLS. "no-tls"
Accept HTTP/2, SPDY and HTTP/1.1 over SSL/TLS. "no-tls"
parameter is used in :option:`--frontend` option, accept HTTP/2
and HTTP/1.1 over cleartext TCP. The incoming HTTP/1.1
connection can be upgraded to HTTP/2 through HTTP
@@ -1183,22 +1001,11 @@ Logging
* $alpn: ALPN identifier of the protocol which generates
the response. For HTTP/1, ALPN is always http/1.1,
regardless of minor version.
* $tls_cipher: cipher used for SSL/TLS connection.
* $tls_client_fingerprint_sha256: SHA-256 fingerprint of
client certificate.
* $tls_client_fingerprint_sha1: SHA-1 fingerprint of
client certificate.
* $tls_client_subject_name: subject name in client
certificate.
* $tls_client_issuer_name: issuer name in client
certificate.
* $tls_client_serial: serial number in client
certificate.
* $tls_protocol: protocol for SSL/TLS connection.
* $tls_session_id: session ID for SSL/TLS connection.
* $tls_session_reused: "r" if SSL/TLS session was
* $ssl_cipher: cipher used for SSL/TLS connection.
* $ssl_protocol: protocol for SSL/TLS connection.
* $ssl_session_id: session ID for SSL/TLS connection.
* $ssl_session_reused: "r" if SSL/TLS session was
reused. Otherwise, "."
* $tls_sni: SNI server name for SSL/TLS connection.
* $backend_host: backend host used to fulfill the
request. "-" if backend host is not available.
* $backend_port: backend port used to fulfill the
@@ -1210,12 +1017,6 @@ Logging
Default: ``$remote_addr - - [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"``
.. option:: --accesslog-write-early
Write access log when response header fields are
received from backend rather than when request
transaction finishes.
.. option:: --errorlog-file=<PATH>
Set path to write error log. To reopen file, send USR1
@@ -1249,19 +1050,6 @@ HTTP
Strip X-Forwarded-For header field from inbound client
requests.
.. option:: --no-add-x-forwarded-proto
Don't append additional X-Forwarded-Proto header field
to the backend request. If inbound client sets
X-Forwarded-Proto, and
:option:`--no-strip-incoming-x-forwarded-proto` option is used,
they are passed to the backend.
.. option:: --no-strip-incoming-x-forwarded-proto
Don't strip X-Forwarded-Proto header field from inbound
client requests.
.. option:: --add-forwarded=<LIST>
Append RFC 7239 Forwarded header field with parameters
@@ -1310,11 +1098,6 @@ HTTP
Don't append to Via header field. If Via header field
is received, it is left unaltered.
.. option:: --no-strip-incoming-early-data
Don't strip Early-Data header field from inbound client
requests.
.. option:: --no-location-rewrite
Don't rewrite location header field in default mode.
@@ -1399,7 +1182,7 @@ HTTP
Change server response header field value to <NAME>.
Default: ``nghttpx``
Default: ``nghttpx nghttp2/1.19.0-DEV``
.. option:: --no-server-rewrite
@@ -1407,14 +1190,6 @@ HTTP
:option:`--http2-proxy` is used, these headers will not be altered
regardless of this option.
.. option:: --redirect-https-port=<PORT>
Specify the port number which appears in Location header
field when redirect to HTTPS URI is made due to
"redirect-if-not-tls" parameter in :option:`--backend` option.
Default: ``443``
API
~~~
@@ -1423,7 +1198,7 @@ API
Set the maximum size of request body for API request.
Default: ``32M``
Default: ``16K``
DNS
@@ -1452,15 +1227,6 @@ DNS
Default: ``2``
.. option:: --frontend-max-requests=<N>
The number of requests that single frontend connection
can process. For HTTP/2, this is the number of streams
in one HTTP/2 connection. For HTTP/1, this is the
number of keep alive requests. This is hint to nghttpx,
and it may allow additional few requests. The default
value is unlimited.
Debug
~~~~~
@@ -1505,16 +1271,6 @@ Process
Run this program as <USER>. This option is intended to
be used to drop root privileges.
.. option:: --single-process
Run this program in a single process mode for debugging
purpose. Without this option, nghttpx creates at least
2 processes: master and worker processes. If this
option is used, master and worker are unified into a
single process. nghttpx still spawns additional process
if neverbleed is used. In the single process mode, the
signal handling feature is disabled.
Scripting
~~~~~~~~~
@@ -1523,21 +1279,13 @@ Scripting
Set mruby script file
.. option:: --ignore-per-pattern-mruby-error
Ignore mruby compile error for per-pattern mruby script
file. If error occurred, it is treated as if no mruby
file were specified for the pattern.
Misc
~~~~
.. option:: --conf=<PATH>
Load configuration from <PATH>. Please note that
nghttpx always tries to read the default configuration
file if :option:`--conf` is not given.
Load configuration from <PATH>.
Default: ``/etc/nghttpx/nghttpx.conf``
@@ -1617,7 +1365,7 @@ Error log
<datetime> <master-pid> <current-pid> <thread-id> <level> (<filename>:<line>) <msg>
<datetime>
It is a combination of date and time when the log is written. It
It is a conbination of date and time when the log is written. It
is in ISO 8601 format.
<master-pid>
@@ -1651,18 +1399,14 @@ SIGUSR1
Reopen log files.
SIGUSR2
Fork and execute nghttpx. It will execute the binary in the same
path with same command-line arguments and environment variables. As
of nghttpx version 1.20.0, the new master process sends SIGQUIT to
the original master process when it is ready to serve requests. For
the earlier versions of nghttpx, user has to send SIGQUIT to the
original master process.
The difference between SIGUSR2 (+ SIGQUIT) and SIGHUP is that former
is usually used to execute new binary, and the master process is
newly spawned. On the other hand, the latter just reloads
configuration file, and the same master process continues to exist.
path with same command-line arguments and environment variables.
After new process comes up, sending SIGQUIT to the original process
to perform hot swapping. The difference between SIGUSR2 + SIGQUIT
and SIGHUP is that former is usually used to execute new binary, and
the master process is newly spawned. On the other hand, the latter
just reloads configuration file, and the same master process
continues to exist.
.. note::
@@ -1739,22 +1483,6 @@ be customized using :option:`--fetch-ocsp-response-file` option.
If OCSP query is failed, previous OCSP response, if any, is continued
to be used.
:option:`--fetch-ocsp-response-file` option provides wide range of
possibility to manage OCSP response. It can take an arbitrary script
or executable. The requirement is that it supports the command-line
interface of ``fetch-ocsp-response`` script, and it must return a
valid DER encoded OCSP response on success. It must return exit code
0 on success, and 75 for temporary error, and the other error code for
generic failure. For large cluster of servers, it is not efficient
for each server to perform OCSP query using ``fetch-ocsp-response``.
Instead, you can retrieve OCSP response in some way, and store it in a
disk or a shared database. Then specify a program in
:option:`--fetch-ocsp-response-file` to fetch it from those stores.
This could provide a way to share the OCSP response between fleet of
servers, and also any OCSP query strategy can be applied which may be
beyond the ability of nghttpx itself or ``fetch-ocsp-response``
script.
TLS SESSION RESUMPTION
----------------------
@@ -1768,7 +1496,7 @@ By default, session ID is shared by all worker threads.
If :option:`--tls-session-cache-memcached` is given, nghttpx will
insert serialized session data to memcached with
``nghttpx:tls-session-cache:`` + lowercase hex string of session ID
``nghttpx:tls-session-cache:`` + lowercased hex string of session ID
as a memcached entry key, with expiry time 12 hours. Session timeout
is set to 12 hours.
@@ -1850,14 +1578,6 @@ MRUBY SCRIPTING
The current mruby extension API is experimental and not frozen. The
API is subject to change in the future release.
.. warning::
Almost all string value returned from method, or attribute is a
fresh new mruby string, which involves memory allocation, and
copies. Therefore, it is strongly recommended to store a return
value in a local variable, and use it, instead of calling method or
accessing attribute repeatedly.
nghttpx allows users to extend its capability using mruby scripts.
nghttpx has 2 hook points to execute mruby script: request phase and
response phase. The request phase hook is invoked after all request
@@ -1867,28 +1587,9 @@ server. These hooks allows users to modify header fields, or common
HTTP variables, like authority or request path, and even return custom
response without forwarding request to backend servers.
There are 2 levels of mruby script invocations: global and
per-pattern. The global mruby script is set by :option:`--mruby-file`
option and is called for all requests. The per-pattern mruby script
is set by "mruby" parameter in :option:`-b` option. It is invoked for
a request which matches the particular pattern. The order of hook
invocation is: global request phase hook, per-pattern request phase
hook, per-pattern response phase hook, and finally global response
phase hook. If a hook returns a response, any later hooks are not
invoked. The global request hook is invoked before the pattern
matching is made and changing request path may affect the pattern
matching.
Please note that request and response hooks of per-pattern mruby
script for a single request might not come from the same script. This
might happen after a request hook is executed, backend failed for some
reason, and at the same time, backend configuration is replaced by API
request, and then the request uses new configuration on retry. The
response hook from new configuration, if it is specified, will be
invoked.
The all mruby script will be evaluated once per thread on startup, and
it must instantiate object and evaluate it as the return value (e.g.,
To specify mruby script file, use :option:`--mruby-file` option. The
script will be evaluated once per thread on startup, and it must
instantiate object and evaluate it as the return value (e.g.,
``App.new``). This object is called app object. If app object
defines ``on_req`` method, it is called with :rb:class:`Nghttpx::Env`
object on request hook. Similarly, if app object defines ``on_resp``
@@ -1923,7 +1624,7 @@ respectively.
.. rb:attr_reader:: ctx
Return Ruby hash object. It persists until request finishes.
So values set in request phase hook can be retrieved in
So values set in request phase hoo can be retrieved in
response phase hook.
.. rb:attr_reader:: phase
@@ -1955,64 +1656,6 @@ respectively.
Return the TLS SNI value which client sent in this connection.
.. rb:attr_reader:: tls_client_fingerprint_sha256
Return the SHA-256 fingerprint of a client certificate.
.. rb:attr_reader:: tls_client_fingerprint_sha1
Return the SHA-1 fingerprint of a client certificate.
.. rb:attr_reader:: tls_client_issuer_name
Return the issuer name of a client certificate.
.. rb:attr_reader:: tls_client_subject_name
Return the subject name of a client certificate.
.. rb:attr_reader:: tls_client_serial
Return the serial number of a client certificate.
.. rb:attr_reader:: tls_client_not_before
Return the start date of a client certificate in seconds since
the epoch.
.. rb:attr_reader:: tls_client_not_after
Return the end date of a client certificate in seconds since
the epoch.
.. rb:attr_reader:: tls_cipher
Return a TLS cipher negotiated in this connection.
.. rb:attr_reader:: tls_protocol
Return a TLS protocol version negotiated in this connection.
.. rb:attr_reader:: tls_session_id
Return a session ID for this connection in hex string.
.. rb:attr_reader:: tls_session_reused
Return true if, and only if a SSL/TLS session is reused.
.. rb:attr_reader:: alpn
Return ALPN identifier negotiated in this connection.
.. rb:attr_reader:: tls_handshake_finished
Return true if SSL/TLS handshake has finished. If it returns
false in the request phase hook, the request is received in
TLSv1.3 early data (0-RTT) and might be vulnerable to the
replay attack. nghttpx will send Early-Data header field to
backend servers to indicate this.
.. rb:class:: Request
Object to represent request from client. The modification to
@@ -2143,10 +1786,10 @@ respectively.
not be invoked. When this method is called in response phase
hook, response from backend server is canceled and discarded.
The status code and response header fields should be set
before using this method. To set status code, use
before using this method. To set status code, use :rb:meth To
set response header fields, use
:rb:attr:`Nghttpx::Response#status`. If status code is not
set, 200 is used. To set response header fields,
:rb:meth:`Nghttpx::Response#add_header` and
set, 200 is used. :rb:meth:`Nghttpx::Response#add_header` and
:rb:meth:`Nghttpx::Response#set_header`. When this method is
invoked in response phase hook, the response headers are
filled with the ones received from backend server. To send
@@ -2155,18 +1798,6 @@ respectively.
existing header fields, and then add required header fields.
It is an error to call this method twice for a given request.
.. rb:method:: send_info(status, headers)
Send non-final (informational) response to a client. *status*
must be in the range [100, 199], inclusive. *headers* is a
hash containing response header fields. Its key must be a
string, and the associated value must be either string or
array of strings. Since this is not a final response, even if
this method is invoked, request is still forwarded to a
backend unless :rb:meth:`Nghttpx::Response#return` is called.
This method can be called multiple times. It cannot be called
after :rb:meth:`Nghttpx::Response#return` is called.
MRUBY EXAMPLES
~~~~~~~~~~~~~~
@@ -2228,20 +1859,17 @@ status
code
HTTP status code
Additionally, depending on the API endpoint, ``data`` key may be
present, and its value contains the API endpoint specific data.
We wrote "normally", since nghttpx may return ordinal HTML response in
some cases where the error has occurred before reaching API endpoint
(e.g., header field is too large).
The following section describes available API endpoints.
POST /api/v1beta1/backendconfig
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PUT /api/v1beta1/backendconfig
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This API replaces the current backend server settings with the
requested ones. The request method should be POST, but PUT is also
requested ones. The request method should be PUT, but POST is also
acceptable. The request body must be nghttpx configuration file
format. For configuration file format, see `FILES`_ section. The
line separator inside the request body must be single LF (0x0A).
@@ -2257,30 +1885,11 @@ The replacement is done instantly without breaking existing
connections or requests. It also avoids any process creation as is
the case with hot swapping with signals.
The one limitation is that only numeric IP address is allowed in
The one limitation is that only numeric IP address is allowd in
:option:`backend <--backend>` in request body unless "dns" parameter
is used while non numeric hostname is allowed in command-line or
configuration file is read using :option:`--conf`.
GET /api/v1beta1/configrevision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This API returns configuration revision of the current nghttpx. The
configuration revision is opaque string, and it changes after each
reloading by SIGHUP. With this API, an external application knows
that whether nghttpx has finished reloading its configuration by
comparing the configuration revisions between before and after
reloading. It is recommended to disable persistent (keep-alive)
connection for this purpose in order to avoid to send a request using
the reused connection which may bound to an old process.
This API returns response including ``data`` key. Its value is JSON
object, and it contains at least the following key:
configRevision
The configuration revision of the current nghttpx
SEE ALSO
--------

179
doc/nghttpx.h2r
View File

@@ -49,7 +49,7 @@ Error log
<datetime> <master-pid> <current-pid> <thread-id> <level> (<filename>:<line>) <msg>
<datetime>
It is a combination of date and time when the log is written. It
It is a conbination of date and time when the log is written. It
is in ISO 8601 format.
<master-pid>
@@ -83,18 +83,14 @@ SIGUSR1
Reopen log files.
SIGUSR2
Fork and execute nghttpx. It will execute the binary in the same
path with same command-line arguments and environment variables. As
of nghttpx version 1.20.0, the new master process sends SIGQUIT to
the original master process when it is ready to serve requests. For
the earlier versions of nghttpx, user has to send SIGQUIT to the
original master process.
The difference between SIGUSR2 (+ SIGQUIT) and SIGHUP is that former
is usually used to execute new binary, and the master process is
newly spawned. On the other hand, the latter just reloads
configuration file, and the same master process continues to exist.
path with same command-line arguments and environment variables.
After new process comes up, sending SIGQUIT to the original process
to perform hot swapping. The difference between SIGUSR2 + SIGQUIT
and SIGHUP is that former is usually used to execute new binary, and
the master process is newly spawned. On the other hand, the latter
just reloads configuration file, and the same master process
continues to exist.
.. note::
@@ -171,22 +167,6 @@ be customized using :option:`--fetch-ocsp-response-file` option.
If OCSP query is failed, previous OCSP response, if any, is continued
to be used.
:option:`--fetch-ocsp-response-file` option provides wide range of
possibility to manage OCSP response. It can take an arbitrary script
or executable. The requirement is that it supports the command-line
interface of ``fetch-ocsp-response`` script, and it must return a
valid DER encoded OCSP response on success. It must return exit code
0 on success, and 75 for temporary error, and the other error code for
generic failure. For large cluster of servers, it is not efficient
for each server to perform OCSP query using ``fetch-ocsp-response``.
Instead, you can retrieve OCSP response in some way, and store it in a
disk or a shared database. Then specify a program in
:option:`--fetch-ocsp-response-file` to fetch it from those stores.
This could provide a way to share the OCSP response between fleet of
servers, and also any OCSP query strategy can be applied which may be
beyond the ability of nghttpx itself or ``fetch-ocsp-response``
script.
TLS SESSION RESUMPTION
----------------------
@@ -200,7 +180,7 @@ By default, session ID is shared by all worker threads.
If :option:`--tls-session-cache-memcached` is given, nghttpx will
insert serialized session data to memcached with
``nghttpx:tls-session-cache:`` + lowercase hex string of session ID
``nghttpx:tls-session-cache:`` + lowercased hex string of session ID
as a memcached entry key, with expiry time 12 hours. Session timeout
is set to 12 hours.
@@ -282,14 +262,6 @@ MRUBY SCRIPTING
The current mruby extension API is experimental and not frozen. The
API is subject to change in the future release.
.. warning::
Almost all string value returned from method, or attribute is a
fresh new mruby string, which involves memory allocation, and
copies. Therefore, it is strongly recommended to store a return
value in a local variable, and use it, instead of calling method or
accessing attribute repeatedly.
nghttpx allows users to extend its capability using mruby scripts.
nghttpx has 2 hook points to execute mruby script: request phase and
response phase. The request phase hook is invoked after all request
@@ -299,28 +271,9 @@ server. These hooks allows users to modify header fields, or common
HTTP variables, like authority or request path, and even return custom
response without forwarding request to backend servers.
There are 2 levels of mruby script invocations: global and
per-pattern. The global mruby script is set by :option:`--mruby-file`
option and is called for all requests. The per-pattern mruby script
is set by "mruby" parameter in :option:`-b` option. It is invoked for
a request which matches the particular pattern. The order of hook
invocation is: global request phase hook, per-pattern request phase
hook, per-pattern response phase hook, and finally global response
phase hook. If a hook returns a response, any later hooks are not
invoked. The global request hook is invoked before the pattern
matching is made and changing request path may affect the pattern
matching.
Please note that request and response hooks of per-pattern mruby
script for a single request might not come from the same script. This
might happen after a request hook is executed, backend failed for some
reason, and at the same time, backend configuration is replaced by API
request, and then the request uses new configuration on retry. The
response hook from new configuration, if it is specified, will be
invoked.
The all mruby script will be evaluated once per thread on startup, and
it must instantiate object and evaluate it as the return value (e.g.,
To specify mruby script file, use :option:`--mruby-file` option. The
script will be evaluated once per thread on startup, and it must
instantiate object and evaluate it as the return value (e.g.,
``App.new``). This object is called app object. If app object
defines ``on_req`` method, it is called with :rb:class:`Nghttpx::Env`
object on request hook. Similarly, if app object defines ``on_resp``
@@ -355,7 +308,7 @@ respectively.
.. rb:attr_reader:: ctx
Return Ruby hash object. It persists until request finishes.
So values set in request phase hook can be retrieved in
So values set in request phase hoo can be retrieved in
response phase hook.
.. rb:attr_reader:: phase
@@ -387,64 +340,6 @@ respectively.
Return the TLS SNI value which client sent in this connection.
.. rb:attr_reader:: tls_client_fingerprint_sha256
Return the SHA-256 fingerprint of a client certificate.
.. rb:attr_reader:: tls_client_fingerprint_sha1
Return the SHA-1 fingerprint of a client certificate.
.. rb:attr_reader:: tls_client_issuer_name
Return the issuer name of a client certificate.
.. rb:attr_reader:: tls_client_subject_name
Return the subject name of a client certificate.
.. rb:attr_reader:: tls_client_serial
Return the serial number of a client certificate.
.. rb:attr_reader:: tls_client_not_before
Return the start date of a client certificate in seconds since
the epoch.
.. rb:attr_reader:: tls_client_not_after
Return the end date of a client certificate in seconds since
the epoch.
.. rb:attr_reader:: tls_cipher
Return a TLS cipher negotiated in this connection.
.. rb:attr_reader:: tls_protocol
Return a TLS protocol version negotiated in this connection.
.. rb:attr_reader:: tls_session_id
Return a session ID for this connection in hex string.
.. rb:attr_reader:: tls_session_reused
Return true if, and only if a SSL/TLS session is reused.
.. rb:attr_reader:: alpn
Return ALPN identifier negotiated in this connection.
.. rb:attr_reader:: tls_handshake_finished
Return true if SSL/TLS handshake has finished. If it returns
false in the request phase hook, the request is received in
TLSv1.3 early data (0-RTT) and might be vulnerable to the
replay attack. nghttpx will send Early-Data header field to
backend servers to indicate this.
.. rb:class:: Request
Object to represent request from client. The modification to
@@ -575,10 +470,10 @@ respectively.
not be invoked. When this method is called in response phase
hook, response from backend server is canceled and discarded.
The status code and response header fields should be set
before using this method. To set status code, use
before using this method. To set status code, use :rb:meth To
set response header fields, use
:rb:attr:`Nghttpx::Response#status`. If status code is not
set, 200 is used. To set response header fields,
:rb:meth:`Nghttpx::Response#add_header` and
set, 200 is used. :rb:meth:`Nghttpx::Response#add_header` and
:rb:meth:`Nghttpx::Response#set_header`. When this method is
invoked in response phase hook, the response headers are
filled with the ones received from backend server. To send
@@ -587,18 +482,6 @@ respectively.
existing header fields, and then add required header fields.
It is an error to call this method twice for a given request.
.. rb:method:: send_info(status, headers)
Send non-final (informational) response to a client. *status*
must be in the range [100, 199], inclusive. *headers* is a
hash containing response header fields. Its key must be a
string, and the associated value must be either string or
array of strings. Since this is not a final response, even if
this method is invoked, request is still forwarded to a
backend unless :rb:meth:`Nghttpx::Response#return` is called.
This method can be called multiple times. It cannot be called
after :rb:meth:`Nghttpx::Response#return` is called.
MRUBY EXAMPLES
~~~~~~~~~~~~~~
@@ -660,20 +543,17 @@ status
code
HTTP status code
Additionally, depending on the API endpoint, ``data`` key may be
present, and its value contains the API endpoint specific data.
We wrote "normally", since nghttpx may return ordinal HTML response in
some cases where the error has occurred before reaching API endpoint
(e.g., header field is too large).
The following section describes available API endpoints.
POST /api/v1beta1/backendconfig
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
PUT /api/v1beta1/backendconfig
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This API replaces the current backend server settings with the
requested ones. The request method should be POST, but PUT is also
requested ones. The request method should be PUT, but POST is also
acceptable. The request body must be nghttpx configuration file
format. For configuration file format, see `FILES`_ section. The
line separator inside the request body must be single LF (0x0A).
@@ -689,30 +569,11 @@ The replacement is done instantly without breaking existing
connections or requests. It also avoids any process creation as is
the case with hot swapping with signals.
The one limitation is that only numeric IP address is allowed in
The one limitation is that only numeric IP address is allowd in
:option:`backend <--backend>` in request body unless "dns" parameter
is used while non numeric hostname is allowed in command-line or
configuration file is read using :option:`--conf`.
GET /api/v1beta1/configrevision
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This API returns configuration revision of the current nghttpx. The
configuration revision is opaque string, and it changes after each
reloading by SIGHUP. With this API, an external application knows
that whether nghttpx has finished reloading its configuration by
comparing the configuration revisions between before and after
reloading. It is recommended to disable persistent (keep-alive)
connection for this purpose in order to avoid to send a request using
the reused connection which may bound to an old process.
This API returns response including ``data`` key. Its value is JSON
object, and it contains at least the following key:
configRevision
The configuration revision of the current nghttpx
SEE ALSO
--------

25
doc/programmers-guide.rst
View File

@@ -110,16 +110,13 @@ HTTP Messaging
By default, nghttp2 library checks HTTP messaging rules described in
`HTTP/2 specification, section 8
<https://tools.ietf.org/html/rfc7540#section-8>`_. Everything
described in that section is not validated however. We briefly
describe what the library does in this area. In the following
<https://tools.ietf.org/html/draft-ietf-httpbis-http2-17#section-8>`_.
Everything described in that section is not validated however. We
briefly describe what the library does in this area. In the following
description, without loss of generality we omit CONTINUATION frame
since they must follow HEADERS frame and are processed atomically. In
other words, they are just one big HEADERS frame. To disable these
validations, use `nghttp2_option_set_no_http_messaging()`. Please
note that disabling this feature does not change the fundamental
client and server model of HTTP. That is, even if the validation is
disabled, only client can send requests.
validations, use `nghttp2_option_set_no_http_messaging()`.
For HTTP request, including those carried by PUSH_PROMISE, HTTP
message starts with one HEADERS frame containing request headers. It
@@ -152,11 +149,13 @@ header fields must not appear: "Connection", "Keep-Alive",
Each header field name and value must obey the field-name and
field-value production rules described in `RFC 7230, section
3.2. <https://tools.ietf.org/html/rfc7230#section-3.2>`_.
Additionally, all field name must be lower cased. The invalid header
fields are treated as stream error, and that stream is reset. If
application wants to treat these headers in their own way, use
`nghttp2_on_invalid_header_callback
<https://nghttp2.org/documentation/types.html#c.nghttp2_on_invalid_header_callback>`_.
Additionally, all field name must be lower cased. While the pseudo
header fields must satisfy these rules, we just ignore illegal regular
headers (this means that these header fields are not passed to
application callback). This is because these illegal header fields
are floating around in existing internet and resetting stream just
because of this may break many web sites. This is especially true if
we forward to or translate from HTTP/1 traffic.
For "http" or "https" URIs, ":path" pseudo header fields must start
with "/". The only exception is OPTIONS request, in that case, "*" is
@@ -249,7 +248,7 @@ set to :type:`nghttp2_session_callbacks` using
`nghttp2_session_callbacks_set_pack_extension_callback()`.
For example, we will illustrate how to send `ALTSVC
<https://tools.ietf.org/html/rfc7838>`_ frame.
<https://tools.ietf.org/html/draft-ietf-httpbis-alt-svc-14>`_ frame.
.. code-block:: c

35
doc/sources/building-android-binary.rst
View File

@@ -2,7 +2,7 @@ Building Android binary
=======================
In this article, we briefly describe how to build Android binary using
`Android NDK <https://developer.android.com/ndk/index.html>`_
`Android NDK <http://developer.android.com/tools/sdk/ndk/index.html>`_
cross-compiler on Debian Linux.
The easiest way to build android binary is use Dockerfile.android.
@@ -22,7 +22,7 @@ unpacked:
.. code-block:: text
$ build/tools/make_standalone_toolchain.py \
--arch arm --api 16 --stl gnustl \
--arch arm --api 16 --stl gnustl
--install-dir $ANDROID_HOME/toolchain
The API level (``--api``) is not important here because we don't use
@@ -38,6 +38,9 @@ Although zlib comes with Android NDK, it seems not to be a part of
public API, so we have to built it for our own. That also provides us
proper .pc file as a bonus.
If SPDY support is required for nghttpx and h2load, build and install
spdylay as well.
Before running ``android-config`` and ``android-make``,
``ANDROID_HOME`` environment variable must be set to point to the
correct path. Also add ``$ANDROID_HOME/toolchain/bin`` to ``PATH``:
@@ -143,6 +146,34 @@ To configure zlib, use the following script:
And run ``make install`` to build and install.
To configure spdylay, use the following script:
.. code-block:: sh
#!/bin/sh -e
if [ -z "$ANDROID_HOME" ]; then
echo 'No $ANDROID_HOME specified.'
exit 1
fi
PREFIX=$ANDROID_HOME/usr/local
TOOLCHAIN=$ANDROID_HOME/toolchain
PATH=$TOOLCHAIN/bin:$PATH
./configure \
--disable-shared \
--host=arm-linux-androideabi \
--build=`dpkg-architecture -qDEB_BUILD_GNU_TYPE` \
--prefix=$PREFIX \
--without-libxml2 \
--disable-src \
--disable-examples \
CPPFLAGS="-I$PREFIX/include" \
PKG_CONFIG_LIBDIR="$PREFIX/lib/pkgconfig" \
LDFLAGS="-L$PREFIX/lib"
And run ``make install`` to build and install.
After prerequisite libraries are prepared, run ``android-config`` and
then ``android-make`` to compile nghttp2 source files.

9
doc/sources/contribute.rst
View File

@@ -26,16 +26,17 @@ Coding style
We use clang-format to format source code consistently. The
clang-format configuration file .clang-format is located at the root
directory. Since clang-format produces slightly different results
between versions, we currently use clang-format-8.
between versions, we currently use clang-format which comes with
clang-3.9.
To detect any violation to the coding style, we recommend to setup git
pre-commit hook to check coding style of the changes you introduced.
The pre-commit file is located at the root directory. Copy it under
.git/hooks and make sure that it is executable. The pre-commit script
uses clang-format-diff.py to detect any style errors. If it is not in
your PATH or it exists under different name (e.g., clang-format-diff-8
in debian), either add it to PATH variable or add git option
``clangformatdiff.binary`` to point to the script.
your PATH or it exists under different name (e.g.,
clang-format-diff-3.9 in debian), either add it to PATH variable or
add git option ``clangformatdiff.binary`` to point to the script.
For emacs users, integrating clang-format to emacs is very easy.
clang-format.el should come with clang distribution. If it is not

41
doc/sources/h2load-howto.rst
View File

@@ -3,14 +3,16 @@
h2load - HTTP/2 benchmarking tool - HOW-TO
==========================================
:doc:`h2load.1` is benchmarking tool for HTTP/2 and HTTP/1.1. It
supports SSL/TLS and clear text for all supported protocols.
:doc:`h2load.1` is benchmarking tool for HTTP/2 and HTTP/1.1. If
built with spdylay (http://tatsuhiro-t.github.io/spdylay/) library, it
also supports SPDY protocol. It supports SSL/TLS and clear text for
all supported protocols.
Compiling from source
---------------------
h2load is compiled alongside nghttp2 and requires that the
``--enable-app`` flag is passed to ``./configure`` and `required
``--enable-apps`` flag is passed to ``./configure`` and `required
dependencies <https://github.com/nghttp2/nghttp2#requirements>`_ are
available during compilation. For details on compiling, see `nghttp2:
Building from Git
@@ -62,40 +64,23 @@ The benchmarking result looks like this:
See the h2load manual page :ref:`h2load-1-output` section for the
explanation of the above numbers.
Timing-based load-testing
-------------------------
As of v1.26.0, h2load supports timing-based load-testing. This method
performs load-testing in terms of a given duration instead of a
pre-defined number of requests. The new option :option:`--duration`
specifies how long the load-testing takes. For example,
``--duration=10`` makes h2load perform load-testing against a server
for 10 seconds. You can also specify a “warming-up” period with
:option:`--warm-up-time`. If :option:`--duration` is used,
:option:`-n` option is ignored.
The following command performs load-testing for 10 seconds after 5
seconds warming up period:
.. code-block:: text
$ h2load -c100 -m100 --duration=10 --warm-up-time=5 https://localhost
Flow Control
------------
HTTP/2 has flow control and it may affect benchmarking results. By
default, h2load uses large enough flow control window, which
effectively disables flow control. To adjust receiver flow control
window size, there are following options:
HTTP/2 and SPDY/3 or later employ flow control and it may affect
benchmarking results. By default, h2load uses large enough flow
control window, which effectively disables flow control. To adjust
receiver flow control window size, there are following options:
:option:`-w`
Sets the stream level initial window size to
(2**<N>)-1.
(2**<N>)-1. For SPDY, 2**<N> is used instead.
:option:`-W`
Sets the connection level initial window size to
(2**<N>)-1.
(2**<N>)-1. For SPDY, if <N> is strictly less
than 16, this option is ignored. Otherwise
2**<N> is used for SPDY.
Multi-Threading
---------------

2
doc/sources/libnghttp2_asio.rst
View File

@@ -290,7 +290,7 @@ Normally, client does not stop even after all requests are done unless
connection is lost. To stop client, call
``nghttp2::asio_http2::server::session::shutdown()``.
Receive server push and enable SSL/TLS
Recieve server push and enable SSL/TLS
++++++++++++++++++++++++++++++++++++++
.. code-block:: cpp

153
doc/sources/nghttpx-howto.rst
View File

@@ -4,10 +4,10 @@ nghttpx - HTTP/2 proxy - HOW-TO
===============================
:doc:`nghttpx.1` is a proxy translating protocols between HTTP/2 and
other protocols (e.g., HTTP/1). It operates in several modes and each
mode may require additional programs to work with. This article
describes each operation mode and explains the intended use-cases. It
also covers some useful options later.
other protocols (e.g., HTTP/1, SPDY). It operates in several modes
and each mode may require additional programs to work with. This
article describes each operation mode and explains the intended
use-cases. It also covers some useful options later.
Default mode
------------
@@ -15,7 +15,9 @@ Default mode
If nghttpx is invoked without :option:`--http2-proxy`, it operates in
default mode. In this mode, it works as reverse proxy (gateway) for
both HTTP/2 and HTTP/1 clients to backend servers. This is also known
as "HTTP/2 router".
as "HTTP/2 router". If nghttpx is linked with spdylay library and
frontend connection is SSL/TLS, the frontend also supports SPDY
protocol.
By default, frontend connection is encrypted using SSL/TLS. So
server's private key and certificate must be supplied to the command
@@ -23,10 +25,11 @@ line (or through configuration file). In this case, the frontend
protocol selection will be done via ALPN or NPN.
To turn off encryption on frontend connection, use ``no-tls`` keyword
in :option:`--frontend` option. HTTP/2 and HTTP/1 are available on
the frontend, and an HTTP/1 connection can be upgraded to HTTP/2 using
HTTP Upgrade. Starting HTTP/2 connection by sending HTTP/2 connection
preface is also supported.
in :option:`--frontend` option. In this case, SPDY protocol is not
available even if spdylay library is liked to nghttpx. HTTP/2 and
HTTP/1 are available on the frontend, and an HTTP/1 connection can be
upgraded to HTTP/2 using HTTP Upgrade. Starting HTTP/2 connection by
sending HTTP/2 connection preface is also supported.
nghttpx can listen on multiple frontend addresses. This is achieved
by using multiple :option:`--frontend` options. For each frontend
@@ -42,17 +45,17 @@ that default backend protocol is HTTP/1.1. To use HTTP/2 in backend,
you have to specify ``h2`` in ``proto`` keyword in :option:`--backend`
explicitly.
The backend is supposed to be a Web server. For example, to make
The backend is supposed to be Web server. For example, to make
nghttpx listen to encrypted HTTP/2 requests at port 8443, and a
backend Web server is configured to listen to HTTP requests at port
8080 on the same host, run nghttpx command-line like this:
backend Web server is configured to listen to HTTP request at port
8080 in the same host, run nghttpx command-line like this:
.. code-block:: text
$ nghttpx -f0.0.0.0,8443 -b127.0.0.1,8080 /path/to/server.key /path/to/server.crt
Then an HTTP/2 enabled client can access the nghttpx server using HTTP/2. For
example, you can send a GET request using nghttp:
Then HTTP/2 enabled client can access to the nghttpx in HTTP/2. For
example, you can send GET request to the server using nghttp:
.. code-block:: text
@@ -63,18 +66,19 @@ HTTP/2 proxy mode
If nghttpx is invoked with :option:`--http2-proxy` (or its shorthand
:option:`-s`) option, it operates in HTTP/2 proxy mode. The supported
protocols in frontend and backend connections are the same as in `default
mode`_. The difference is that this mode acts like a forward proxy and
assumes the backend is an HTTP proxy server (e.g., Squid, Apache Traffic
Server). HTTP/1 requests must include an absolute URI in request line.
protocols in frontend and backend connections are the same in `default
mode`_. The difference is that this mode acts like forward proxy and
assumes the backend is HTTP proxy server (e.g., Squid, Apache Traffic
Server). HTTP/1 request must include absolute URI in request line.
By default, the frontend connection is encrypted. So this mode is
also called secure proxy.
By default, frontend connection is encrypted. So this mode is also
called secure proxy. If nghttpx is linked with spdylay, it supports
SPDY protocols and it works as so called SPDY proxy.
To turn off encryption on the frontend connection, use ``no-tls`` keyword
To turn off encryption on frontend connection, use ``no-tls`` keyword
in :option:`--frontend` option.
The backend must be an HTTP proxy server. nghttpx supports multiple
The backend must be HTTP proxy server. nghttpx supports multiple
backend server addresses. It translates incoming requests to HTTP
request to backend server. The backend server performs real proxy
work for each request, for example, dispatching requests to the origin
@@ -88,7 +92,7 @@ connection, use :option:`--backend` option, and specify ``h2`` in
For example, to make nghttpx listen to encrypted HTTP/2 requests at
port 8443, and a backend HTTP proxy server is configured to listen to
HTTP/1 requests at port 8080 on the same host, run nghttpx command-line
HTTP/1 request at port 8080 in the same host, run nghttpx command-line
like this:
.. code-block:: text
@@ -98,8 +102,8 @@ like this:
At the time of this writing, Firefox 41 and Chromium v46 can use
nghttpx as HTTP/2 proxy.
To make Firefox or Chromium use nghttpx as HTTP/2 proxy, user has to
create proxy.pac script file like this:
To make Firefox or Chromium use nghttpx as HTTP/2 or SPDY proxy, user
has to create proxy.pac script file like this:
.. code-block:: javascript
@@ -225,18 +229,12 @@ Hot swapping
nghttpx supports hot swapping using signals. The hot swapping in
nghttpx is multi step process. First send USR2 signal to nghttpx
process. It will do fork and execute new executable, using same
command-line arguments and environment variables.
As of nghttpx version 1.20.0, that is all you have to do. The new
master process sends QUIT signal to the original process, when it is
ready to serve requests, to shut it down gracefully.
For earlier versions of nghttpx, you have to do one more thing. At
this point, both current and new processes can accept requests. To
gracefully shutdown current process, send QUIT signal to current
nghttpx process. When all existing frontend connections are done, the
current process will exit. At this point, only new nghttpx process
exists and serves incoming requests.
command-line arguments and environment variables. At this point, both
current and new processes can accept requests. To gracefully shutdown
current process, send QUIT signal to current nghttpx process. When
all existing frontend connections are done, the current process will
exit. At this point, only new nghttpx process exists and serves
incoming requests.
If you want to just reload configuration file without executing new
binary, send SIGHUP to nghttpx master process.
@@ -293,31 +291,13 @@ When you write this option in command-line, you should enclose
argument with single or double quotes, since the character ``;`` has a
special meaning in shell.
To route, request to request path ``/foo`` to backend server
``[::1]:8080``, you can write like so:
To route, request to request path whose prefix is ``/foo`` to backend
server ``[::1]:8080``, you can write like so:
.. code-block:: text
backend=::1,8080;/foo
If the last character of path pattern is ``/``, all request paths
which start with that pattern match:
.. code-block:: text
backend=::1,8080;/bar/
The request path ``/bar/buzz`` matches the ``/bar/``.
You can use ``*`` at the end of the path pattern to make it wildcard
pattern. ``*`` must match at least one character:
.. code-block:: text
backend=::1,8080;/sample*
The request path ``/sample1/foo`` matches the ``/sample*`` pattern.
Of course, you can specify both host and request path at the same
time:
@@ -385,7 +365,7 @@ parameter in :option:`--backend` option, like so:
.. code-block:: text
backend=foo.example.com,80;;dns
backend=foo.example.com;;dns
nghttpx will cache resolved addresses for certain period of time. To
change this cache period, use :option:`--dns-cache-timeout`.
@@ -401,28 +381,6 @@ like so:
frontend=*,443;proxyproto
Session affinity
----------------
Two kinds of session affinity are available: client IP, and HTTP
Cookie.
To enable client IP based affinity, specify ``affinity=ip`` parameter
in :option:`--backend` option. If PROXY protocol is enabled, then an
address obtained from PROXY protocol is taken into consideration.
To enable HTTP Cookie based affinity, specify ``affinity=cookie``
parameter, and specify a name of cookie in ``affinity-cookie-name``
parameter. Optionally, a Path attribute can be specified in
``affinity-cookie-path`` parameter:
.. code-block:: text
backend=127.0.0.1,3000;;affinity=cookie;affinity-cookie-name=nghttpxlb;affinity-cookie-path=/
Secure attribute of cookie is set if client connection is protected by
TLS.
PSK cipher suites
-----------------
@@ -471,41 +429,6 @@ such PSK cipher suite with HTTP/2, disable HTTP/2 cipher black list by
using :option:`--client-no-http2-cipher-black-list` option. But you
should understand its implications.
TLSv1.3
-------
As of nghttpx v1.34.0, if it is built with OpenSSL 1.1.1 or later, it
supports TLSv1.3. 0-RTT data is supported, but by default its
processing is postponed until TLS handshake completes to mitigate
replay attack. This costs extra round trip and reduces effectiveness
of 0-RTT data. :option:`--tls-no-postpone-early-data` makes nghttpx
not wait for handshake to complete before forwarding request included
in 0-RTT to get full potential of 0-RTT data. In this case, nghttpx
adds ``Early-Data: 1`` header field when forwarding a request to a
backend server. All backend servers should recognize this header
field and understand that there is a risk for replay attack. See `RFC
8470 <https://tools.ietf.org/html/rfc8470>`_ for ``Early-Data`` header
field.
nghttpx disables anti replay protection provided by OpenSSL. The anti
replay protection of OpenSSL requires that a resumed request must hit
the same server which generates the session ticket. Therefore it
might not work nicely in a deployment where there are multiple nghttpx
instances sharing ticket encryption keys via memcached.
Because TLSv1.3 completely changes the semantics of cipher suite
naming scheme and structure, nghttpx provides the new option
:option:`--tls13-ciphers` and :option:`--tls13-client-ciphers` to
change preferred cipher list for TLSv1.3.
WebSockets over HTTP/2
----------------------
nghttpx supports `RFC 8441 <https://tools.ietf.org/html/rfc8441>`_
Bootstrapping WebSockets with HTTP/2 for both frontend and backend
connections. This feature is enabled by default and no configuration
is required.
Migration from nghttpx v1.18.x or earlier
-----------------------------------------

1
doc/sources/tutorial-client.rst
View File

@@ -124,7 +124,6 @@ remote server. It's defined as::
bev = bufferevent_openssl_socket_new(
evbase, -1, ssl, BUFFEREVENT_SSL_CONNECTING,
BEV_OPT_DEFER_CALLBACKS | BEV_OPT_CLOSE_ON_FREE);
bufferevent_enable(bev, EV_READ | EV_WRITE);
bufferevent_setcb(bev, readcb, writecb, eventcb, session_data);
rv = bufferevent_socket_connect_hostname(bev, session_data->dnsbase,
AF_UNSPEC, host, port);

28
examples/CMakeLists.txt
View File

@@ -7,9 +7,11 @@ if(ENABLE_EXAMPLES)
COMPILE_FLAGS "${WARNCXXFLAGS} ${CXX1XCXXFLAGS}")
include_directories(
${CMAKE_CURRENT_SOURCE_DIR}
"${CMAKE_CURRENT_SOURCE_DIR}/../third-party"
"${CMAKE_CURRENT_SOURCE_DIR}/../third-party/llhttp/include"
${CMAKE_SOURCE_DIR}
${CMAKE_SOURCE_DIR}/lib/includes
${CMAKE_BINARY_DIR}/lib/includes
${CMAKE_SOURCE_DIR}/src/includes
${CMAKE_SOURCE_DIR}/third-party
${LIBEVENT_INCLUDE_DIRS}
${OPENSSL_INCLUDE_DIRS}
@@ -22,24 +24,14 @@ if(ENABLE_EXAMPLES)
${APP_LIBRARIES}
)
add_executable(client client.c $<TARGET_OBJECTS:llhttp>
$<TARGET_OBJECTS:url-parser>
)
add_executable(libevent-client libevent-client.c $<TARGET_OBJECTS:llhttp>
$<TARGET_OBJECTS:url-parser>
)
add_executable(libevent-server libevent-server.c $<TARGET_OBJECTS:llhttp>
$<TARGET_OBJECTS:url-parser>
)
add_executable(deflate deflate.c $<TARGET_OBJECTS:llhttp>
$<TARGET_OBJECTS:url-parser>
)
add_executable(client client.c $<TARGET_OBJECTS:http-parser>)
add_executable(libevent-client libevent-client.c $<TARGET_OBJECTS:http-parser>)
add_executable(libevent-server libevent-server.c $<TARGET_OBJECTS:http-parser>)
add_executable(deflate deflate.c $<TARGET_OBJECTS:http-parser>)
if(ENABLE_ASIO_LIB)
foreach(name asio-sv asio-sv2 asio-cl asio-cl2)
add_executable(${name} ${name}.cc $<TARGET_OBJECTS:llhttp>
$<TARGET_OBJECTS:url-parser>
)
add_executable(${name} ${name}.cc $<TARGET_OBJECTS:http-parser>)
target_include_directories(${name} PRIVATE
${OPENSSL_INCLUDE_DIRS}
${Boost_INCLUDE_DIRS}

6
examples/Makefile.am
View File

@@ -36,7 +36,7 @@ AM_CPPFLAGS = \
@OPENSSL_CFLAGS@ \
@DEFS@
LDADD = $(top_builddir)/lib/libnghttp2.la \
$(top_builddir)/third-party/liburl-parser.la \
$(top_builddir)/third-party/libhttp-parser.la \
@LIBEVENT_OPENSSL_LIBS@ \
@OPENSSL_LIBS@ \
@APPLDFLAGS@
@@ -61,12 +61,12 @@ noinst_PROGRAMS += asio-sv asio-sv2 asio-cl asio-cl2
ASIOCPPFLAGS = ${AM_CPPFLAGS} ${BOOST_CPPFLAGS}
ASIOLDADD = $(top_builddir)/lib/libnghttp2.la \
$(top_builddir)/src/libnghttp2_asio.la @JEMALLOC_LIBS@ \
$(top_builddir)/third-party/liburl-parser.la \
@OPENSSL_LIBS@ \
$(top_builddir)/third-party/libhttp-parser.la \
${BOOST_LDFLAGS} \
${BOOST_ASIO_LIB} \
${BOOST_THREAD_LIB} \
${BOOST_SYSTEM_LIB} \
@OPENSSL_LIBS@ \
@APPLDFLAGS@
asio_sv_SOURCES = asio-sv.cc

4
examples/asio-cl.cc
View File

@@ -67,14 +67,14 @@ int main(int argc, char *argv[]) {
return;
}
req->on_response([](const response &res) {
req->on_response([&sess](const response &res) {
std::cerr << "HTTP/2 " << res.status_code() << std::endl;
for (auto &kv : res.header()) {
std::cerr << kv.first << ": " << kv.second.value << "\n";
}
std::cerr << std::endl;
res.on_data([](const uint8_t *data, std::size_t len) {
res.on_data([&sess](const uint8_t *data, std::size_t len) {
std::cerr.write(reinterpret_cast<const char *>(data), len);
std::cerr << std::endl;
});

6
examples/asio-cl2.cc
View File

@@ -91,17 +91,17 @@ int main(int argc, char *argv[]) {
return;
}
req->on_response([](const response &res) {
req->on_response([&sess, req](const response &res) {
std::cerr << "response header was received" << std::endl;
print_header(res);
res.on_data([](const uint8_t *data, std::size_t len) {
res.on_data([&sess](const uint8_t *data, std::size_t len) {
std::cerr.write(reinterpret_cast<const char *>(data), len);
std::cerr << std::endl;
});
});
req->on_close([](uint32_t error_code) {
req->on_close([&sess](uint32_t error_code) {
std::cerr << "request done with error_code=" << error_code << std::endl;
});

4
examples/asio-sv2.cc
View File

@@ -36,10 +36,10 @@
#include <sys/types.h>
#include <sys/stat.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#include <unistd.h>
#endif // HAVE_UNISTD_H
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#include <fcntl.h>
#endif // HAVE_FCNTL_H
#include <iostream>
#include <string>

63
examples/client.c
View File

@@ -27,26 +27,26 @@
* intentionally made simple.
*/
#ifdef HAVE_CONFIG_H
# include <config.h>
#include <config.h>
#endif /* HAVE_CONFIG_H */
#include <inttypes.h>
#include <stdlib.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#include <fcntl.h>
#endif /* HAVE_FCNTL_H */
#include <sys/types.h>
#ifdef HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#include <sys/socket.h>
#endif /* HAVE_SYS_SOCKET_H */
#ifdef HAVE_NETDB_H
# include <netdb.h>
#include <netdb.h>
#endif /* HAVE_NETDB_H */
#ifdef HAVE_NETINET_IN_H
# include <netinet/in.h>
#include <netinet/in.h>
#endif /* HAVE_NETINET_IN_H */
#include <netinet/tcp.h>
#include <poll.h>
@@ -159,13 +159,10 @@ static void diec(const char *func, int error_code) {
* bytes actually written. See the documentation of
* nghttp2_send_callback for the details.
*/
static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
size_t length, int flags, void *user_data) {
static ssize_t send_callback(nghttp2_session *session _U_, const uint8_t *data,
size_t length, int flags _U_, void *user_data) {
struct Connection *connection;
int rv;
(void)session;
(void)flags;
connection = (struct Connection *)user_data;
connection->want_io = IO_NONE;
ERR_clear_error();
@@ -189,13 +186,10 @@ static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
* |length| bytes. Returns the number of bytes stored in |buf|. See
* the documentation of nghttp2_recv_callback for the details.
*/
static ssize_t recv_callback(nghttp2_session *session, uint8_t *buf,
size_t length, int flags, void *user_data) {
static ssize_t recv_callback(nghttp2_session *session _U_, uint8_t *buf,
size_t length, int flags _U_, void *user_data) {
struct Connection *connection;
int rv;
(void)session;
(void)flags;
connection = (struct Connection *)user_data;
connection->want_io = IO_NONE;
ERR_clear_error();
@@ -216,10 +210,9 @@ static ssize_t recv_callback(nghttp2_session *session, uint8_t *buf,
}
static int on_frame_send_callback(nghttp2_session *session,
const nghttp2_frame *frame, void *user_data) {
const nghttp2_frame *frame,
void *user_data _U_) {
size_t i;
(void)user_data;
switch (frame->hd.type) {
case NGHTTP2_HEADERS:
if (nghttp2_session_get_stream_user_data(session, frame->hd.stream_id)) {
@@ -244,10 +237,9 @@ static int on_frame_send_callback(nghttp2_session *session,
}
static int on_frame_recv_callback(nghttp2_session *session,
const nghttp2_frame *frame, void *user_data) {
const nghttp2_frame *frame,
void *user_data _U_) {
size_t i;
(void)user_data;
switch (frame->hd.type) {
case NGHTTP2_HEADERS:
if (frame->headers.cat == NGHTTP2_HCAT_RESPONSE) {
@@ -282,11 +274,9 @@ static int on_frame_recv_callback(nghttp2_session *session,
* we submit GOAWAY and close the session.
*/
static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id,
uint32_t error_code, void *user_data) {
uint32_t error_code _U_,
void *user_data _U_) {
struct Request *req;
(void)error_code;
(void)user_data;
req = nghttp2_session_get_stream_user_data(session, stream_id);
if (req) {
int rv;
@@ -303,13 +293,11 @@ static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id,
* The implementation of nghttp2_on_data_chunk_recv_callback type. We
* use this function to print the received response body.
*/
static int on_data_chunk_recv_callback(nghttp2_session *session, uint8_t flags,
int32_t stream_id, const uint8_t *data,
size_t len, void *user_data) {
static int on_data_chunk_recv_callback(nghttp2_session *session,
uint8_t flags _U_, int32_t stream_id,
const uint8_t *data, size_t len,
void *user_data _U_) {
struct Request *req;
(void)flags;
(void)user_data;
req = nghttp2_session_get_stream_user_data(session, stream_id);
if (req) {
printf("[INFO] C <---------------------------- S (DATA chunk)\n"
@@ -345,19 +333,15 @@ static void setup_nghttp2_callbacks(nghttp2_session_callbacks *callbacks) {
callbacks, on_data_chunk_recv_callback);
}
#ifndef OPENSSL_NO_NEXTPROTONEG
/*
* Callback function for TLS NPN. Since this program only supports
* HTTP/2 protocol, if server does not offer HTTP/2 the nghttp2
* library supports, we terminate program.
*/
static int select_next_proto_cb(SSL *ssl, unsigned char **out,
static int select_next_proto_cb(SSL *ssl _U_, unsigned char **out,
unsigned char *outlen, const unsigned char *in,
unsigned int inlen, void *arg) {
unsigned int inlen, void *arg _U_) {
int rv;
(void)ssl;
(void)arg;
/* nghttp2_select_next_protocol() selects HTTP/2 protocol the
nghttp2 library supports. */
rv = nghttp2_select_next_protocol(out, outlen, in, inlen);
@@ -366,7 +350,6 @@ static int select_next_proto_cb(SSL *ssl, unsigned char **out,
}
return SSL_TLSEXT_ERR_OK;
}
#endif /* !OPENSSL_NO_NEXTPROTONEG */
/*
* Setup SSL/TLS context.
@@ -377,9 +360,7 @@ static void init_ssl_ctx(SSL_CTX *ssl_ctx) {
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(ssl_ctx, SSL_MODE_RELEASE_BUFFERS);
/* Set NPN callback */
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
#endif /* !OPENSSL_NO_NEXTPROTONEG */
}
static void ssl_handshake(SSL *ssl, int fd) {

4
examples/deflate.c
View File

@@ -23,7 +23,7 @@
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#ifdef HAVE_CONFIG_H
# include <config.h>
#include <config.h>
#endif /* !HAVE_CONFIG_H */
#include <stdio.h>
@@ -44,7 +44,7 @@ static void deflate(nghttp2_hd_deflater *deflater,
static int inflate_header_block(nghttp2_hd_inflater *inflater, uint8_t *in,
size_t inlen, int final);
int main() {
int main(int argc _U_, char **argv _U_) {
int rv;
nghttp2_hd_deflater *deflater;
nghttp2_hd_inflater *inflater;

73
examples/libevent-client.c
View File

@@ -23,33 +23,33 @@
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#ifdef __sgi
# include <string.h>
# define errx(exitcode, format, args...) \
#include <string.h>
#define errx(exitcode, format, args...) \
{ \
warnx(format, ##args); \
exit(exitcode); \
}
# define warnx(format, args...) fprintf(stderr, format "\n", ##args)
#define warnx(format, args...) fprintf(stderr, format "\n", ##args)
char *strndup(const char *s, size_t size);
#endif
#ifdef HAVE_CONFIG_H
# include <config.h>
#include <config.h>
#endif /* HAVE_CONFIG_H */
#include <sys/types.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#ifdef HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#include <sys/socket.h>
#endif /* HAVE_SYS_SOCKET_H */
#ifdef HAVE_NETINET_IN_H
# include <netinet/in.h>
#include <netinet/in.h>
#endif /* HAVE_NETINET_IN_H */
#include <netinet/tcp.h>
#ifndef __sgi
# include <err.h>
#include <err.h>
#endif
#include <signal.h>
#include <string.h>
@@ -65,7 +65,7 @@ char *strndup(const char *s, size_t size);
#include <nghttp2/nghttp2.h>
#include "url-parser/url_parser.h"
#include "http-parser/http_parser.h"
#define ARRLEN(x) (sizeof(x) / sizeof(x[0]))
@@ -199,27 +199,22 @@ static void print_headers(FILE *f, nghttp2_nv *nva, size_t nvlen) {
/* nghttp2_send_callback. Here we transmit the |data|, |length| bytes,
to the network. Because we are using libevent bufferevent, we just
write those bytes into bufferevent buffer. */
static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
size_t length, int flags, void *user_data) {
static ssize_t send_callback(nghttp2_session *session _U_, const uint8_t *data,
size_t length, int flags _U_, void *user_data) {
http2_session_data *session_data = (http2_session_data *)user_data;
struct bufferevent *bev = session_data->bev;
(void)session;
(void)flags;
bufferevent_write(bev, data, length);
return (ssize_t)length;
}
/* nghttp2_on_header_callback: Called when nghttp2 library emits
single header name/value pair. */
static int on_header_callback(nghttp2_session *session,
static int on_header_callback(nghttp2_session *session _U_,
const nghttp2_frame *frame, const uint8_t *name,
size_t namelen, const uint8_t *value,
size_t valuelen, uint8_t flags, void *user_data) {
size_t valuelen, uint8_t flags _U_,
void *user_data) {
http2_session_data *session_data = (http2_session_data *)user_data;
(void)session;
(void)flags;
switch (frame->hd.type) {
case NGHTTP2_HEADERS:
if (frame->headers.cat == NGHTTP2_HCAT_RESPONSE &&
@@ -234,12 +229,10 @@ static int on_header_callback(nghttp2_session *session,
/* nghttp2_on_begin_headers_callback: Called when nghttp2 library gets
started to receive header block. */
static int on_begin_headers_callback(nghttp2_session *session,
static int on_begin_headers_callback(nghttp2_session *session _U_,
const nghttp2_frame *frame,
void *user_data) {
http2_session_data *session_data = (http2_session_data *)user_data;
(void)session;
switch (frame->hd.type) {
case NGHTTP2_HEADERS:
if (frame->headers.cat == NGHTTP2_HCAT_RESPONSE &&
@@ -254,11 +247,9 @@ static int on_begin_headers_callback(nghttp2_session *session,
/* nghttp2_on_frame_recv_callback: Called when nghttp2 library
received a complete frame from the remote peer. */
static int on_frame_recv_callback(nghttp2_session *session,
static int on_frame_recv_callback(nghttp2_session *session _U_,
const nghttp2_frame *frame, void *user_data) {
http2_session_data *session_data = (http2_session_data *)user_data;
(void)session;
switch (frame->hd.type) {
case NGHTTP2_HEADERS:
if (frame->headers.cat == NGHTTP2_HCAT_RESPONSE &&
@@ -275,13 +266,11 @@ static int on_frame_recv_callback(nghttp2_session *session,
is meant to the stream we initiated, print the received data in
stdout, so that the user can redirect its output to the file
easily. */
static int on_data_chunk_recv_callback(nghttp2_session *session, uint8_t flags,
int32_t stream_id, const uint8_t *data,
size_t len, void *user_data) {
static int on_data_chunk_recv_callback(nghttp2_session *session _U_,
uint8_t flags _U_, int32_t stream_id,
const uint8_t *data, size_t len,
void *user_data) {
http2_session_data *session_data = (http2_session_data *)user_data;
(void)session;
(void)flags;
if (session_data->stream_data->stream_id == stream_id) {
fwrite(data, 1, len, stdout);
}
@@ -308,22 +297,17 @@ static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id,
return 0;
}
#ifndef OPENSSL_NO_NEXTPROTONEG
/* NPN TLS extension client callback. We check that server advertised
the HTTP/2 protocol the nghttp2 library supports. If not, exit
the program. */
static int select_next_proto_cb(SSL *ssl, unsigned char **out,
static int select_next_proto_cb(SSL *ssl _U_, unsigned char **out,
unsigned char *outlen, const unsigned char *in,
unsigned int inlen, void *arg) {
(void)ssl;
(void)arg;
unsigned int inlen, void *arg _U_) {
if (nghttp2_select_next_protocol(out, outlen, in, inlen) <= 0) {
errx(1, "Server did not advertise " NGHTTP2_PROTO_VERSION_ID);
}
return SSL_TLSEXT_ERR_OK;
}
#endif /* !OPENSSL_NO_NEXTPROTONEG */
/* Create SSL_CTX. */
static SSL_CTX *create_ssl_ctx(void) {
@@ -337,13 +321,11 @@ static SSL_CTX *create_ssl_ctx(void) {
SSL_OP_ALL | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
SSL_OP_NO_COMPRESSION |
SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_proto_select_cb(ssl_ctx, select_next_proto_cb, NULL);
#endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_protos(ssl_ctx, (const unsigned char *)"\x02h2", 3);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
return ssl_ctx;
}
@@ -479,10 +461,8 @@ static void readcb(struct bufferevent *bev, void *ptr) {
receiving GOAWAY, we check the some conditions on the nghttp2
library and output buffer of bufferevent. If it indicates we have
no business to this session, tear down the connection. */
static void writecb(struct bufferevent *bev, void *ptr) {
static void writecb(struct bufferevent *bev _U_, void *ptr) {
http2_session_data *session_data = (http2_session_data *)ptr;
(void)bev;
if (nghttp2_session_want_read(session_data->session) == 0 &&
nghttp2_session_want_write(session_data->session) == 0 &&
evbuffer_get_length(bufferevent_get_output(session_data->bev)) == 0) {
@@ -508,14 +488,12 @@ static void eventcb(struct bufferevent *bev, short events, void *ptr) {
ssl = bufferevent_openssl_get_ssl(session_data->bev);
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
#endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if (alpn == NULL) {
SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
if (alpn == NULL || alpnlen != 2 || memcmp("h2", alpn, 2) != 0) {
fprintf(stderr, "h2 is not negotiated\n");
@@ -554,7 +532,6 @@ static void initiate_connection(struct event_base *evbase, SSL_CTX *ssl_ctx,
bev = bufferevent_openssl_socket_new(
evbase, -1, ssl, BUFFEREVENT_SSL_CONNECTING,
BEV_OPT_DEFER_CALLBACKS | BEV_OPT_CLOSE_ON_FREE);
bufferevent_enable(bev, EV_READ | EV_WRITE);
bufferevent_setcb(bev, readcb, writecb, eventcb, session_data);
rv = bufferevent_socket_connect_hostname(bev, session_data->dnsbase,
AF_UNSPEC, host, port);

88
examples/libevent-server.c
View File

@@ -23,41 +23,41 @@
* WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
*/
#ifdef __sgi
# define errx(exitcode, format, args...) \
#define errx(exitcode, format, args...) \
{ \
warnx(format, ##args); \
exit(exitcode); \
}
# define warn(format, args...) warnx(format ": %s", ##args, strerror(errno))
# define warnx(format, args...) fprintf(stderr, format "\n", ##args)
#define warn(format, args...) warnx(format ": %s", ##args, strerror(errno))
#define warnx(format, args...) fprintf(stderr, format "\n", ##args)
#endif
#ifdef HAVE_CONFIG_H
# include <config.h>
#include <config.h>
#endif /* HAVE_CONFIG_H */
#include <sys/types.h>
#ifdef HAVE_SYS_SOCKET_H
# include <sys/socket.h>
#include <sys/socket.h>
#endif /* HAVE_SYS_SOCKET_H */
#ifdef HAVE_NETDB_H
# include <netdb.h>
#include <netdb.h>
#endif /* HAVE_NETDB_H */
#include <signal.h>
#ifdef HAVE_UNISTD_H
# include <unistd.h>
#include <unistd.h>
#endif /* HAVE_UNISTD_H */
#include <sys/stat.h>
#ifdef HAVE_FCNTL_H
# include <fcntl.h>
#include <fcntl.h>
#endif /* HAVE_FCNTL_H */
#include <ctype.h>
#ifdef HAVE_NETINET_IN_H
# include <netinet/in.h>
#include <netinet/in.h>
#endif /* HAVE_NETINET_IN_H */
#include <netinet/tcp.h>
#ifndef __sgi
# include <err.h>
#include <err.h>
#endif
#include <string.h>
#include <errno.h>
@@ -109,25 +109,18 @@ struct app_context {
static unsigned char next_proto_list[256];
static size_t next_proto_list_len;
#ifndef OPENSSL_NO_NEXTPROTONEG
static int next_proto_cb(SSL *ssl, const unsigned char **data,
unsigned int *len, void *arg) {
(void)ssl;
(void)arg;
static int next_proto_cb(SSL *s _U_, const unsigned char **data,
unsigned int *len, void *arg _U_) {
*data = next_proto_list;
*len = (unsigned int)next_proto_list_len;
return SSL_TLSEXT_ERR_OK;
}
#endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
static int alpn_select_proto_cb(SSL *ssl _U_, const unsigned char **out,
unsigned char *outlen, const unsigned char *in,
unsigned int inlen, void *arg) {
unsigned int inlen, void *arg _U_) {
int rv;
(void)ssl;
(void)arg;
rv = nghttp2_select_next_protocol((unsigned char **)out, outlen, in, inlen);
@@ -137,7 +130,7 @@ static int alpn_select_proto_cb(SSL *ssl, const unsigned char **out,
return SSL_TLSEXT_ERR_OK;
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
/* Create SSL_CTX. */
static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
@@ -174,13 +167,11 @@ static SSL_CTX *create_ssl_ctx(const char *key_file, const char *cert_file) {
NGHTTP2_PROTO_VERSION_ID_LEN);
next_proto_list_len = 1 + NGHTTP2_PROTO_VERSION_ID_LEN;
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_CTX_set_next_protos_advertised_cb(ssl_ctx, next_proto_cb, NULL);
#endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_proto_cb, NULL);
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
return ssl_ctx;
}
@@ -206,10 +197,8 @@ static void add_stream(http2_session_data *session_data,
}
}
static void remove_stream(http2_session_data *session_data,
static void remove_stream(http2_session_data *session_data _U_,
http2_stream_data *stream_data) {
(void)session_data;
stream_data->prev->next = stream_data->next;
if (stream_data->next) {
stream_data->next->prev = stream_data->prev;
@@ -254,7 +243,6 @@ static http2_session_data *create_http2_session_data(app_context *app_ctx,
session_data->bev = bufferevent_openssl_socket_new(
app_ctx->evbase, fd, ssl, BUFFEREVENT_SSL_ACCEPTING,
BEV_OPT_CLOSE_ON_FREE | BEV_OPT_DEFER_CALLBACKS);
bufferevent_enable(session_data->bev, EV_READ | EV_WRITE);
rv = getnameinfo(addr, (socklen_t)addrlen, host, sizeof(host), NULL, 0,
NI_NUMERICHOST);
if (rv != 0) {
@@ -321,13 +309,10 @@ static int session_recv(http2_session_data *session_data) {
return 0;
}
static ssize_t send_callback(nghttp2_session *session, const uint8_t *data,
size_t length, int flags, void *user_data) {
static ssize_t send_callback(nghttp2_session *session _U_, const uint8_t *data,
size_t length, int flags _U_, void *user_data) {
http2_session_data *session_data = (http2_session_data *)user_data;
struct bufferevent *bev = session_data->bev;
(void)session;
(void)flags;
/* Avoid excessive buffering in server side. */
if (evbuffer_get_length(bufferevent_get_output(session_data->bev)) >=
OUTPUT_WOULDBLOCK_THRESHOLD) {
@@ -390,17 +375,13 @@ static char *percent_decode(const uint8_t *value, size_t valuelen) {
return res;
}
static ssize_t file_read_callback(nghttp2_session *session, int32_t stream_id,
uint8_t *buf, size_t length,
uint32_t *data_flags,
static ssize_t file_read_callback(nghttp2_session *session _U_,
int32_t stream_id _U_, uint8_t *buf,
size_t length, uint32_t *data_flags,
nghttp2_data_source *source,
void *user_data) {
void *user_data _U_) {
int fd = source->fd;
ssize_t r;
(void)session;
(void)stream_id;
(void)user_data;
while ((r = read(fd, buf, length)) == -1 && errno == EINTR)
;
if (r == -1) {
@@ -473,12 +454,10 @@ static int error_reply(nghttp2_session *session,
static int on_header_callback(nghttp2_session *session,
const nghttp2_frame *frame, const uint8_t *name,
size_t namelen, const uint8_t *value,
size_t valuelen, uint8_t flags, void *user_data) {
size_t valuelen, uint8_t flags _U_,
void *user_data _U_) {
http2_stream_data *stream_data;
const char PATH[] = ":path";
(void)flags;
(void)user_data;
switch (frame->hd.type) {
case NGHTTP2_HEADERS:
if (frame->headers.cat != NGHTTP2_HCAT_REQUEST) {
@@ -591,10 +570,9 @@ static int on_frame_recv_callback(nghttp2_session *session,
}
static int on_stream_close_callback(nghttp2_session *session, int32_t stream_id,
uint32_t error_code, void *user_data) {
uint32_t error_code _U_, void *user_data) {
http2_session_data *session_data = (http2_session_data *)user_data;
http2_stream_data *stream_data;
(void)error_code;
stream_data = nghttp2_session_get_stream_user_data(session, stream_id);
if (!stream_data) {
@@ -647,10 +625,8 @@ static int send_server_connection_header(http2_session_data *session_data) {
/* readcb for bufferevent after client connection header was
checked. */
static void readcb(struct bufferevent *bev, void *ptr) {
static void readcb(struct bufferevent *bev _U_, void *ptr) {
http2_session_data *session_data = (http2_session_data *)ptr;
(void)bev;
if (session_recv(session_data) != 0) {
delete_http2_session_data(session_data);
return;
@@ -682,26 +658,23 @@ static void writecb(struct bufferevent *bev, void *ptr) {
}
/* eventcb for bufferevent */
static void eventcb(struct bufferevent *bev, short events, void *ptr) {
static void eventcb(struct bufferevent *bev _U_, short events, void *ptr) {
http2_session_data *session_data = (http2_session_data *)ptr;
if (events & BEV_EVENT_CONNECTED) {
const unsigned char *alpn = NULL;
unsigned int alpnlen = 0;
SSL *ssl;
(void)bev;
fprintf(stderr, "%s connected\n", session_data->client_addr);
ssl = bufferevent_openssl_get_ssl(session_data->bev);
#ifndef OPENSSL_NO_NEXTPROTONEG
SSL_get0_next_proto_negotiated(ssl, &alpn, &alpnlen);
#endif /* !OPENSSL_NO_NEXTPROTONEG */
#if OPENSSL_VERSION_NUMBER >= 0x10002000L
if (alpn == NULL) {
SSL_get0_alpn_selected(ssl, &alpn, &alpnlen);
}
#endif /* OPENSSL_VERSION_NUMBER >= 0x10002000L */
#endif // OPENSSL_VERSION_NUMBER >= 0x10002000L
if (alpn == NULL || alpnlen != 2 || memcmp("h2", alpn, 2) != 0) {
fprintf(stderr, "%s h2 is not negotiated\n", session_data->client_addr);
@@ -730,11 +703,10 @@ static void eventcb(struct bufferevent *bev, short events, void *ptr) {
}
/* callback for evconnlistener */
static void acceptcb(struct evconnlistener *listener, int fd,
static void acceptcb(struct evconnlistener *listener _U_, int fd,
struct sockaddr *addr, int addrlen, void *arg) {
app_context *app_ctx = (app_context *)arg;
http2_session_data *session_data;
(void)listener;
session_data = create_http2_session_data(app_ctx, fd, addr, addrlen);

33
fuzz/README.rst
View File

@@ -1,33 +0,0 @@
Fuzzer
======
This directory contains fuzzer target mainly written to integrate
nghttp2 into `oss-fuzz <https://github.com/google/oss-fuzz>`_.
fuzz_target.cc contains an entry point of fuzzer. corpus directory
contains initial data for fuzzer.
The file name of initial data under corpus is the lower-cased hex
string of SHA-256 hash of its own content.
corpus/h2spec contains input data which was recorded when we ran
`h2spec <https://github.com/summerwind/h2spec>`_ against nghttpd.
corpus/nghttp contains input data which was recorded when we ran
nghttp against nghttpd with some varying command line options of
nghttp.
To build fuzz_target.cc, make sure that libnghttp2 is built with
following compiler/linker flags:
.. code-block:: text
CPPFLAGS="-fsanitize-coverage=edge -fsanitize=address"
LDFLAGS="-fsanitize-coverage=edge -fsanitize=address"
Then, fuzz_target.cc can be built using the following command:
.. code-block:: text
$ clang++ -fsanitize-coverage=edge -fsanitize=address -I../lib/includes -std=c++11 fuzz_target.cc ../lib/.libs/libnghttp2.a /usr/lib/llvm-3.9/lib/libFuzzer.a -o nghttp2_fuzzer

BIN
fuzz/corpus/h2spec/025ca25c8427361ea5498e4c3ba49d20eac5b4332f7b75b8f74bfba5e43f59f8
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/0276779c73bddcebc63b863c23a338b4c827bf6164640ff20a2d64d45a6b3f5a
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/0428d1e3b2364efcc93ffd8fcfff43b378a92c7da44268b9dda2bf32a1178c66
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/06bc5f79b7e68e005bd4382bd3a6c6b1b6005c5f7d5783e99baf2f8f7432d71a
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/09f76550ec065944a5d1d52f5d07b1dd87de1f651f80ef82c2815b0248b7dccd
View File

Binary file not shown.

2
fuzz/corpus/h2spec/0b39d9df6e1721030667980a41547272ad42377149edcf130b2bf0b76804c61f
View File

@@ -1,2 +0,0 @@
INVALID CONNECTION PREFACE

BIN
fuzz/corpus/h2spec/0bb4365b02c05540936f9606ca725770a731e73c2144c7b81953dcc4b4f73c32
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/0d577f6eb853e987b8fdab6ca4615a351ab74bfc75eb0d227acbef6a35bcae39
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/0df702020c019dd33d0643c5a2b9a9637d325c8f38b4cc6d3f808b5b2a4169a9
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/0f8054152149c73e64c9f3e83f97e6585c8a51ec2413e7a2e8dfcc444082a5c5
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/105f72bc9184bf47a857ed84e8c2f917946ec7ef3f4720535478b41e097a798a
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1368ed7160cc4115e31a8a158af429421570e7363a3b75441edc5d740513b0dc
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1402c49b963994284b0d429edfac603133e0144dba08836f90b1ae164b328800
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1468c2cddae629788f6957847b76c09921e984796f6dc482859b119cf4879300
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/14f66ce296f03e52f039f4fad189d3d70aebe70ecb14ffb1ffe2cd5fc5d1e5f0
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/17caaf734401d2d25d09a65432789b45aff588c606536e93824b89739a6d07ab
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/195b4a74a62fabc877052454d935ebc543f4d1305e318ccd2ff407517636bed8
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1960fc215485486f3e8ab97f853954e6f11c1f4754ccd83b1603b808878cfa76
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1a56272611761f0687dfb0ea37c900f13f429b750c87e6175b234b881bda6248
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1d31cd88fae35f2329e201983d11256d2432fcdeb55bfba9634aa88e3794adc6
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1e27187b10c02fe7e151818ddd0722f69830ac04975ddb5a9d83cdc406cbb678
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1ecace234d8542fbaab35c7c55330e80d8121a0cff19633a56eba8f2182a59df
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/1f4f3a16f5ad0425e0b38601339096b80a382afa1083a19c4deab11be847502f
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/203a798d4b658be744fe34042038692eaede4d2c1f9e05a27f2410a6e0230132
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/21904e842e90becb56ff9748ae962bb543dd5ca188dabc30897726f87403fbce
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/23df7e0419240a9709b55af68a89c9750332ae5063e36401eae150ce63188fe0
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/245ba702520fa32cf41d994f5d37e4111fe6203bac35b220d50362d5e986aa91
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/274faf343feb9cb44079316401fee50c647552c99c0550ebfd7a3b736e8db9e5
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/2b042a1dfa3aeed6af58c58a4336f1386633bac75dea2c4b64c02541e7320933
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/2d8ec606661a9f12960893aab9a74dd392cbdae104307e8512e5e4113739e93a
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/2e0c8a3ce53e8e3711f781b480efaf9e2526f4ae87c5f5a585d68d6f7f7da13c
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/315e6acba7d715333d0865a8dfc0cd0e7aef8a1f5f420eae3d39067ad78df17d
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/3376a2cdde0b98759f14490881328f80b5d3c942de3b1304a0382923ce896f8f
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/35c2719913a19f197fb6484a34c3574da63554ff06f52377b73a9cfc24eb02ca
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/35ddf0611cd98d025f6a625e7e4a102ba74721a04dfa1811e0968e9a4966d92c
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/37e9eab291d6bca69510354e1d029cbbbb6113071b2bb13fc9646b5a0447d2cf
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/381c81f5e4d1b02de39c4f99f21e9793f6ffc82ae0ef6917a8611e8879e05941
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/38ac32c81952cc832ade7aea13b0740f76898ccbb1da25f2281da76e50c1d04a
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/3e297dd8fcdb50a751c397a505d84e76374b064aa5c71aab33bd9650c9a9d801
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/3e5a57c30a97d3f06a3181f4baf3996053b8572da5f2deee3a636c3bc8dfcc60
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/420b9790375f59a6e8c326391023a0981789c2351817996e0c253bfed708ad82
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/43df3c3af62ddd1393269ffcf964f1897063e81da79c971e8af8c1fefa3e3cab
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/443f39c99e1c9ca1908b54153c480754054a57777f22a00d377d745d78e9d193
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/44f3fc1504a14e693fde420da94f77bf4a44e4e741420291491343f7ae4ecc16
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/4528e6beb34f695f4df8ddbb7ac85f76a91229d9ba675fc9e09fe12f4a497937
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/4534032d57020d2910641561a9f9da021f0fe52ebdbb148ee776ced87bac9b13
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/47c5e9b339f9e7f1dccad5c9f51f211183795660ec81a6bdb5614031d39ebe3a
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/48ca2b3f63206aa8f774c3cb33958a806a1debf3d9ccf7b09c2d31256498cda6
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/4ddbb54259df7ee7ecbdf9f8b4a0e8f7756b9846f2e2add8dd0df825296d993e
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/4e612f3c1dfa468d94bbc3bde202c732b06a9b5f6bc5471c879fa56ec2daa4aa
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/55860c89ef796d41b06b3c0fe60a3e6f90709c6a0e7063a8b4057dafa57c878a
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/5748e7a24e8d9ecb43de7d1e14519f10d8c669a5a2602fc948bc9a80e6114b63
View File

Binary file not shown.

BIN
fuzz/corpus/h2spec/5a13c8e09802e07fd3ceee625307fe48ef29bc66641c4f80ed4593bf8b773f88
View File

Binary file not shown.

Some files were not shown because too many files have changed in this diff Show More