| Age | Commit message (Collapse) | Author |
|---|
|
a Content-Length header). HTTP RFC 7231 section 4.3.2.
found by niklas@, claudio@ agrees.
|
|
no objection claudio@
ok tb@ jsing@
|
|
Feedback by Olivier Cherrier, Hiltjo Posthuma, Mischa
OK benno@
|
|
with the help from tb@ jsing@; ok tb@
|
|
This matches the documented behaviour.
On matching "forward to <table>" filter rules the "forward to destination"
address is unset, so that in that case the "forward to <table>" rule is still
used.
OK benno@, regression tests still passing.
|
|
value < 0. errno is only updated in this case. Change all (most?)
callers of syscalls to follow this better, and let's see if this strictness
helps us in the future.
|
|
Many thanks to Bruno Flueckiger who independently sent a very similar
patch. He also tested the one I'm committing that it works as
expected.
OK tb@
|
|
Moving the certs out of the relay struct will help to add multiple SNI certs.
Tested by many users (thanks!)
Feedback & OK rob@
|
|
Pass the *env as an explicit argument instead of using the global
pointer: The relay_load_certfiles() function is called early before
the *env is set up. This does not change anything in the current code
as *env is not used by anything in the function (not even
ssl_load_key() that is taking it as an argument) but it will be needed
by upcoming changes for SNI.
Ok rob@
|
|
OK bentley@ mikeb@
|
|
For example,
pass from 10.0.0.0/8 path "/hello/*" forward to <b>
Ok benno@
|
|
- Don't expect the Connection header to equal Upgrade, it may include Upgrade
- Reshuffle the code to check the Upgrade/Connection headers in one place
Reported and tested by Rivo Nurges
OK and input from benno@
Cvs: ----------------------------------------------------------------------
|
|
option 'http { [no] websockets }' to allow such connections (default
is no). Original diff from Daniel Lamando (dan AT danopia DOT net),
option and header checks by me. suggestions and ok bluhm@ and earlier
diff claudio@
|
|
OK claudio@
|
|
log updates|all
with
log state changes
log host checks
log connection [errors]
The first two control the logging of host check results: either changes in host state only or
all checks.
The third option controls logging of connections in relay mode:
Either log all connections, or only errors.
Additionaly, errors will be logged with LOG_WARN and good connections
will be logged with LOG_INFO, so they can be differentiated in syslog.
ok and feedback from claudio@
|
|
connection closed log message, not just as debug message.
ok claudio@ reyk@
|
|
to 1024 session per process (esp. with keep-alive). Now the fd limit is
the new maximum and relayd will make sure to not accept too many sessions.
The tcp backlog config maximum is now 512, adjust manpage accordingly.
OK benno@ deraadt@
|
|
ok claudio@, feedback bluhm@
|
|
Currently this is only used by relay_close() but will be needed in near
future.
OK benno@
|
|
For this we need to add an additional pointer to the ctl_relay_event.
Diff from Petri Mikkila (pmikkila at gmail)
OK benno@
|
|
|
|
This removes 'no ecdh' and renames 'ecdh curve auto' to ecdhe default.
The code uses now tls_config_set_ecdhecurves(3) so it is possible to
specify multiple curves now. If people specified curves in their config
they need to adjust their config now.
OK beck@
|
|
Solves the startup issues seen by bluhm@. pread idea from guenther@.
While there save the errno in the error case.
OK bluhm@
|
|
|
|
the ca file (having all the trusted certs in them) can be so big that loading
via imsg fails.
OK beck@
|
|
initial bufferevent_write_buffer() to write out the queued up HTTP request.
OK benno@
|
|
Be more careful and remove the events before resetting them to the new
backends. This is also what some of the bufferevent functions are doing.
OK benno@
|
|
sporadically. If the \r and \n were read in separate chunks, relayd
got out of sync with the protocol as they were interpreted as two
lines. Use evbuffer_readln() with EVBUFFER_EOL_CRLF instead of
evbuffer_readline().
OK benno@
|
|
Otherwise data not written could get lost. Also try to drain the
buffers when socket splicing should be enabled. The latter was
lost when the expicit bufferevent_enable() was added in relay_write().
bug report, analysis, initial fix, testing Rivo Nurges; OK beck@
|
|
the inspect case (same is done in the regular server mode).
OK bluhm@ and jsing@
|
|
OK claudio@
|
|
Check whether TLS server object is available before using it. With
these fixes the ssl inspect regress test just fails and does not
crash relayd.
OK claudio@
|
|
needs revisiting. From Rivo Nurges, thanks.
ok florian@
|
|
From Hiltjo Posthuma hiltjo -AT codemadness -DOT- org, thanks!
ok florian, claudio
|
|
engine but at least we can use a sane API for new features.
Going in now so it is possible to work with this in tree.
General agreement at d2k17.
|
|
It is rarely needed and imposes a light DoS risk. LibreSSL's libssl
allows to turn it off with a simple SSL_OP_NO_CLIENT_RENEGOTIATION
option instead of the complicated implementation that was used before.
It now turns it off completely instead of allowing one initial
client-initiated renegotiation.
It can still be enabled with "tls client-renegotiation".
ok benno@ beck@ jsing@
|
|
This replaces log_verbose() and "extern int verbose" with the two functions
log_setverbose() and log_getverbose().
Pointed out by benno@
OK krw@ eric@ gilles@ (OK gilles@ for the snmpd bits as well)
|
|
ok florian@
|
|
ok reyk@ bluhm@
|
|
|
|
suggested by and ok reyk@
|
|
"unsigned char *keyname" to make it clear that an array size can not
be inferred. Suggested by millert@
|
|
ok krw@ millert@ claudio@
|
|
relayd_config". This way we can send all the relevant global
configuration to the children, not just the flags and the opts.
With input from and
OK claudio@ benno@
|
|
OK claudio@
|
|
OK benno@ rzalamena@
|
|
or killing child processes. - Based on rzalamena@'s diff for httpd.
OK deraadt@ rzalamena@
|
|
nature of relayd) to tls session tickets to do TLS session resumption.
TLS session tickets do not need to store SSL session data in the server but
instead send an encrypted ticket to the clients that allows to resume the
session. This is mostly stateless (apart from the encryption keys).
relayd now ensures that all relay processes use the same key to encrypt
the tickets. Keys are rotated every 2h and there is a primary and backup key.
The tls session timeout is set to 2h to hint to the clients how long the
session tickets is supposed to be alive.
Input and OK benno@, reyk@
|
|
ok jung@ tedu@ deraadt@
|
|
|
