h2o: remove, nothing depends on it anymore
Signed-off-by: Peter van Dijk <peter.van.dijk@powerdns.com>
parent
aa4fb5151a
commit
d30a34bac1
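--- a/PATH_NOT_SHOWN_ON_PAGE_1
+++ /dev/null
@@ -1,59 +0,0 @@
-include $(TOPDIR)/rules.mk
-
-PKG_NAME:=h2o
-PKG_VERSION:=2.2.6
-PKG_RELEASE:=15
-
-PKG_SOURCE_URL:=https://codeload.github.com/h2o/h2o/tar.gz/v${PKG_VERSION}?
-PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.gz
-PKG_HASH:=f8cbc1b530d85ff098f6efc2c3fdbc5e29baffb30614caac59d5c710f7bda201
-
-PKG_MAINTAINER:=Peter van Dijk <peter.van.dijk@powerdns.com>
-PKG_LICENSE:=MIT
-PKG_LICENSE_FILES:=LICENSE
-
-include $(INCLUDE_DIR)/package.mk
-include $(INCLUDE_DIR)/cmake.mk
-
-PKG_BUILD_DEPENDS:=libwslay
-
-CMAKE_OPTIONS += \
--DBUILD_SHARED_LIBS=ON \
--DWITH_MRUBY=OFF
-
-define Package/libh2o-evloop
-SECTION:=libs
-CATEGORY:=Libraries
-TITLE:=H2O Library compiled with its own event loop
-URL:=https://h2o.examp1e.net/
-DEPENDS:=+libopenssl +zlib
-endef
-
-define Package/libh2o
-SECTION:=libs
-CATEGORY:=Libraries
-TITLE:=H2O Library compiled with libuv
-URL:=https://h2o.examp1e.net/
-DEPENDS:=+libuv +libopenssl +zlib +libyaml
-endef
-
-define Build/InstallDev
-$(call Build/InstallDev/cmake,$(1))
-$(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libh2o-evloop.pc
-$(SED) 's,/usr/lib,$$$${exec_prefix}/lib,g' $(1)/usr/lib/pkgconfig/libh2o-evloop.pc
-$(SED) 's,/usr/include,$$$${prefix}/include,g' $(1)/usr/lib/pkgconfig/libh2o.pc
-$(SED) 's,/usr/lib,$$$${exec_prefix}/lib,g' $(1)/usr/lib/pkgconfig/libh2o.pc
-endef
-
-define Package/libh2o-evloop/install
-$(INSTALL_DIR) $(1)/usr/lib
-$(CP) $(PKG_INSTALL_DIR)/usr/lib/libh2o-evloop.so* $(1)/usr/lib/
-endef
-
-define Package/libh2o/install
-$(INSTALL_DIR) $(1)/usr/lib
-$(CP) $(PKG_INSTALL_DIR)/usr/lib/libh2o.so* $(1)/usr/lib/
-endef
-
-$(eval $(call BuildPackage,libh2o-evloop))
-$(eval $(call BuildPackage,libh2o))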
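--- a/PATH_NOT_SHOWN_ON_PAGE_2
+++ /dev/null
@@ -1,22 +0,0 @@
---- a/include/h2o/socket.h
-+++ b/include/h2o/socket.h
-@@ -29,6 +29,7 @@ extern "C" {
-#include <stdint.h>
-#include <sys/socket.h>
-#include <openssl/ssl.h>
-+#include <openssl/opensslconf.h>
-#include "h2o/cache.h"
-#include "h2o/memory.h"
-#include "h2o/openssl_backport.h"
-@@ -44,7 +45,11 @@ extern "C" {
-
-#if OPENSSL_VERSION_NUMBER >= 0x10002000L
-#define H2O_USE_ALPN 1
-+#ifndef OPENSSL_NO_NEXTPROTONEG
-#define H2O_USE_NPN 1
-+#else
-+#define H2O_USE_NPN 0
-+#endif
-#elif OPENSSL_VERSION_NUMBER >= 0x10001000L
-#define H2O_USE_ALPN 0
-#define H2O_USE_NPN 1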
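--- a/PATH_NOT_SHOWN_ON_PAGE_3
+++ /dev/null
@@ -1,43 +0,0 @@
-From f7d5cb83826c7e2b1a3dc618b434d85df130a4d5 Mon Sep 17 00:00:00 2001
-From: James Taylor <james@jtaylor.id.au>
-Date: Tue, 10 Dec 2019 21:58:45 +1100
-Subject: [PATCH] Explicitly link against WSLAY when available
-
-When other libraries attempt to link against libh2o and libh2o-evloop that was
-compiled with libwslay available, there are errors from missing symbols
-associated with code which makes use of the wslay library. To rectify this,
-explicitly link against libwslay during the build process.
-
-Fixes #2105
-
-Signed-off-by: James Taylor <james@jtaylor.id.au>
----
-CMakeLists.txt | 12 ++++++++++--
-1 file changed, 10 insertions(+), 2 deletions(-)
-
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -386,13 +386,21 @@ SET_TARGET_PROPERTIES(libh2o PROPERTIES
-OUTPUT_NAME h2o
-VERSION ${LIBRARY_VERSION}
-SOVERSION ${LIBRARY_SOVERSION})
--TARGET_LINK_LIBRARIES(libh2o ${LIBUV_LIBRARIES} ${EXTRA_LIBS})
-+IF (WSLAY_FOUND)
-+ TARGET_LINK_LIBRARIES(libh2o ${WSLAY_LIBRARIES} ${LIBUV_LIBRARIES} ${EXTRA_LIBS})
-+ELSE ()
-+ TARGET_LINK_LIBRARIES(libh2o ${LIBUV_LIBRARIES} ${EXTRA_LIBS})
-+ENDIF (WSLAY_FOUND)
-SET_TARGET_PROPERTIES(libh2o-evloop PROPERTIES
-OUTPUT_NAME h2o-evloop
-COMPILE_FLAGS "-DH2O_USE_LIBUV=0"
-VERSION ${LIBRARY_VERSION}
-SOVERSION ${LIBRARY_SOVERSION})
--TARGET_LINK_LIBRARIES(libh2o-evloop ${EXTRA_LIBS})
-+IF (WSLAY_FOUND)
-+ TARGET_LINK_LIBRARIES(libh2o-evloop ${WSLAY_LIBRARIES} ${EXTRA_LIBS})
-+ELSE ()
-+ TARGET_LINK_LIBRARIES(libh2o-evloop ${EXTRA_LIBS})
-+ENDIF (WSLAY_FOUND)
-
-IF (OPENSSL_FOUND)
-TARGET_INCLUDE_DIRECTORIES(libh2o PUBLIC ${OPENSSL_INCLUDE_DIR})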
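--- a/PATH_NOT_SHOWN_ON_PAGE_4
+++ /dev/null
@@ -1,17 +0,0 @@
---- a/deps/picotls/include/picotls/openssl.h
-+++ b/deps/picotls/include/picotls/openssl.h
-@@ -26,11 +26,14 @@
-#include <openssl/evp.h>
-#include <openssl/hmac.h>
-#include <openssl/x509.h>
-+#include <openssl/opensslconf.h>
-#include "../picotls.h"
-
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-+#if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
-#define PTLS_OPENSSL_HAVE_CHACHA20_POLY1305
-#endif
-+#endif
-
-extern ptls_key_exchange_algorithm_t ptls_openssl_secp256r1;
-extern ptls_key_exchange_algorithm_t *ptls_openssl_key_exchanges[];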
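--- a/PATH_NOT_SHOWN_ON_PAGE_5
+++ /dev/null
@@ -1,70 +0,0 @@
-From 03dbd6757d043581b5d250107b6f1cda6ae203a9 Mon Sep 17 00:00:00 2001
-From: Frederik Deweerdt <fdeweerdt@fastly.com>
-Date: Wed, 25 Oct 2017 13:52:28 -0700
-Subject: [PATCH] Autodetect backtrace and backtrace_symbols_fd
-
----
-CMakeLists.txt | 13 +++++++++++++
-src/main.c | 10 ++++++----
-2 files changed, 19 insertions(+), 4 deletions(-)
-
---- a/CMakeLists.txt
-+++ b/CMakeLists.txt
-@@ -58,6 +58,19 @@ __sync_add_and_fetch(&a, 1);
-return 0;
-}" ARCH_SUPPORTS_64BIT_ATOMICS)
-
-+CHECK_C_SOURCE_COMPILES("
-+#include <execinfo.h>
-+int main(void) {
-+void *p[10];
-+int ret = backtrace(p, 10);
-+backtrace_symbols_fd(p, ret, 2);
-+return 0;
-+}" LIBC_HAS_BACKTRACE)
-+
-+IF (LIBC_HAS_BACKTRACE)
-+ ADD_DEFINITIONS("-DLIBC_HAS_BACKTRACE")
-+ENDIF ()
-+
-SET(WITH_BUNDLED_SSL_DEFAULT "ON")
-IF ((NOT UNIX) OR CYGWIN)
-SET(WITH_BUNDLED_SSL_DEFAULT "OFF")
---- a/src/main.c
-+++ b/src/main.c
-@@ -48,7 +48,7 @@
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
--#ifdef __GLIBC__
-+#ifdef LIBC_HAS_BACKTRACE
-#include <execinfo.h>
-#endif
-#if H2O_USE_PICOTLS
-@@ -1436,7 +1436,8 @@ static void on_sigterm(int signo)
-notify_all_threads();
-}
-
--#ifdef __GLIBC__
-+#ifdef LIBC_HAS_BACKTRACE
-+
-static int popen_crash_handler(void)
-{
-char *cmd_fullpath = h2o_configurator_get_cmd_path(conf.crash_handler), *argv[] = {cmd_fullpath, NULL};
-@@ -1488,13 +1489,14 @@ static void on_sigfatal(int signo)
-
-raise(signo);
-}
--#endif
-+
-+#endif /* LIBC_HAS_BACKTRACE */
-
-static void setup_signal_handlers(void)
-{
-h2o_set_signal_handler(SIGTERM, on_sigterm);
-h2o_set_signal_handler(SIGPIPE, SIG_IGN);
--#ifdef __GLIBC__
-+#ifdef LIBC_HAS_BACKTRACE
-if ((crash_handler_fd = popen_crash_handler()) == -1)
-crash_handler_fd = 2;
-h2o_set_signal_handler(SIGABRT, on_sigfatal);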
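--- a/PATH_NOT_SHOWN_ON_PAGE_6
+++ /dev/null
@@ -1,96 +0,0 @@
---- a/deps/neverbleed/neverbleed.c
-+++ b/deps/neverbleed/neverbleed.c
-@@ -36,6 +36,7 @@
-#include <sys/types.h>
-#include <sys/uio.h>
-#include <unistd.h>
-+#include <openssl/engine.h>
-#include <openssl/rand.h>
-#include <openssl/ssl.h>
-#include <openssl/rsa.h>
---- a/deps/picotls/lib/openssl.c
-+++ b/deps/picotls/lib/openssl.c
-@@ -36,6 +36,7 @@
-#include <openssl/evp.h>
-#include <openssl/objects.h>
-#include <openssl/rand.h>
-+#include <openssl/rsa.h>
-#include <openssl/x509.h>
-#include <openssl/x509v3.h>
-#include <openssl/x509_vfy.h>
-@@ -941,7 +942,7 @@ int ptls_openssl_encrypt_ticket(ptls_buf
-
-Exit:
-if (cctx != NULL)
-- EVP_CIPHER_CTX_cleanup(cctx);
-+ EVP_CIPHER_CTX_reset(cctx);
-if (hctx != NULL)
-HMAC_CTX_free(hctx);
-return ret;
-@@ -1011,7 +1012,7 @@ int ptls_openssl_decrypt_ticket(ptls_buf
-
-Exit:
-if (cctx != NULL)
-- EVP_CIPHER_CTX_cleanup(cctx);
-+ EVP_CIPHER_CTX_reset(cctx);
-if (hctx != NULL)
-HMAC_CTX_free(hctx);
-return ret;
---- a/src/main.c
-+++ b/src/main.c
-@@ -45,6 +45,7 @@
-#include <sys/types.h>
-#include <sys/un.h>
-#include <sys/wait.h>
-+#include <openssl/dh.h>
-#include <openssl/crypto.h>
-#include <openssl/err.h>
-#include <openssl/ssl.h>
-@@ -1827,7 +1828,7 @@ static h2o_iovec_t on_extra_status(void
-" \"listeners\": %zu,\n"
-" \"worker-threads\": %zu,\n"
-" \"num-sessions\": %lu",
-- SSLeay_version(SSLEAY_VERSION), current_time, restart_time, (uint64_t)(now - conf.launch_time), generation,
-+ OpenSSL_version(OPENSSL_VERSION), current_time, restart_time, (uint64_t)(now - conf.launch_time), generation,
-num_connections(0), conf.max_connections, conf.num_listeners, conf.num_threads, num_sessions(0));
-assert(ret.len < BUFSIZE);
-
-@@ -2008,7 +2009,7 @@ int main(int argc, char **argv)
-break;
-case 'v':
-printf("h2o version " H2O_VERSION "\n");
-- printf("OpenSSL: %s\n", SSLeay_version(SSLEAY_VERSION));
-+ printf("OpenSSL: %s\n", OpenSSL_version(OPENSSL_VERSION));
-#if H2O_USE_MRUBY
-printf(
-"mruby: YES\n"); /* TODO determine the way to obtain the version of mruby (that is being linked dynamically) */
---- a/src/ssl.c
-+++ b/src/ssl.c
-@@ -911,6 +911,7 @@ void ssl_setup_session_resumption(SSL_CT
-#endif
-}
-
-+#if OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
-static pthread_mutex_t *mutexes;
-
-static void lock_callback(int mode, int n, const char *file, int line)
-@@ -937,9 +938,11 @@ static int add_lock_callback(int *num, i
-
-return __sync_add_and_fetch(num, amount);
-}
-+#endif
-
-void init_openssl(void)
-{
-+#if OPENSSL_VERSION_NUMBER < 0x1010000fL && !defined(LIBRESSL_VERSION_NUMBER)
-int nlocks = CRYPTO_num_locks(), i;
-mutexes = h2o_mem_alloc(sizeof(*mutexes) * nlocks);
-for (i = 0; i != nlocks; ++i)
-@@ -953,6 +956,7 @@ void init_openssl(void)
-SSL_load_error_strings();
-SSL_library_init();
-OpenSSL_add_all_algorithms();
-+#endif
-
-cache_init_defaults();
-#if H2O_USE_SESSION_TICKETS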
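--- a/PATH_NOT_SHOWN_ON_PAGE_7
+++ /dev/null
@@ -1,28 +0,0 @@
---- a/deps/neverbleed/neverbleed.c
-+++ b/deps/neverbleed/neverbleed.c
-@@ -1486,6 +1486,7 @@ int neverbleed_init(neverbleed_t *nb, ch
-close(pipe_fds[0]);
-pipe_fds[0] = -1;
-
-+#ifndef OPENSSL_NO_ENGINE
-/* setup engine */
-if ((nb->engine = ENGINE_new()) == NULL || !ENGINE_set_id(nb->engine, "neverbleed") ||
-!ENGINE_set_name(nb->engine, "privilege separation software engine") || !ENGINE_set_RSA(nb->engine, rsa_method)
-@@ -1497,6 +1498,7 @@ int neverbleed_init(neverbleed_t *nb, ch
-goto Fail;
-}
-ENGINE_add(nb->engine);
-+#endif
-
-/* setup thread key */
-pthread_key_create(&nb->thread_key, dispose_thread_data);
-@@ -1515,7 +1517,9 @@ Fail:
-if (listen_fd != -1)
-close(listen_fd);
-if (nb->engine != NULL) {
-+#ifndef OPENSSL_NO_ENGINE
-ENGINE_free(nb->engine);
-+#endif
-nb->engine = NULL;
-}
-return -1;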
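--- a/PATH_NOT_SHOWN_ON_PAGE_8
+++ /dev/null
@@ -1,73 +0,0 @@
---- a/lib/core/config.c
-+++ b/lib/core/config.c
-@@ -1,3 +1,4 @@
-+
-/*
-* Copyright (c) 2014-2016 DeNA Co., Ltd.
-*
-@@ -37,7 +38,9 @@ static h2o_hostconf_t *create_hostconf(h
-hostconf->http2.push_preload = 1; /* enabled by default */
-h2o_config_init_pathconf(&hostconf->fallback_path, globalconf, NULL, globalconf->mimemap);
-hostconf->mimemap = globalconf->mimemap;
-- h2o_mem_addref_shared(hostconf->mimemap);
-+ if (hostconf->mimemap) {
-+ h2o_mem_addref_shared(hostconf->mimemap);
-+ }
-return hostconf;
-}
-
-@@ -54,7 +57,9 @@ static void destroy_hostconf(h2o_hostcon
-}
-free(hostconf->paths.entries);
-h2o_config_dispose_pathconf(&hostconf->fallback_path);
-- h2o_mem_release_shared(hostconf->mimemap);
-+ if (hostconf->mimemap) {
-+ h2o_mem_release_shared(hostconf->mimemap);
-+ }
-
-free(hostconf);
-}
-@@ -136,8 +141,10 @@ void h2o_config_init_pathconf(h2o_pathco
-h2o_chunked_register(pathconf);
-if (path != NULL)
-pathconf->path = h2o_strdup(NULL, path, SIZE_MAX);
-- h2o_mem_addref_shared(mimemap);
-- pathconf->mimemap = mimemap;
-+ if (mimemap) {
-+ h2o_mem_addref_shared(mimemap);
-+ pathconf->mimemap = mimemap;
-+ }
-pathconf->error_log.emit_request_errors = 1;
-}
-
-@@ -190,7 +197,7 @@ void h2o_config_init(h2o_globalconf_t *c
-config->http2.latency_optimization.max_additional_delay = 10;
-config->http2.latency_optimization.max_cwnd = 65535;
-config->http2.callbacks = H2O_HTTP2_CALLBACKS;
-- config->mimemap = h2o_mimemap_create();
-+ // config->mimemap = h2o_mimemap_create();
-
-h2o_configurator__init_core(config);
-}
-@@ -279,7 +286,9 @@ void h2o_config_dispose(h2o_globalconf_t
-}
-free(config->hosts);
-
-- h2o_mem_release_shared(config->mimemap);
-+ if (config->mimemap) {
-+ h2o_mem_release_shared(config->mimemap);
-+ }
-h2o_configurator__dispose_configurators(config);
-}
-
---- a/lib/core/request.c
-+++ b/lib/core/request.c
-@@ -486,7 +486,7 @@ void h2o_req_fill_mime_attributes(h2o_re
-ssize_t content_type_index;
-h2o_mimemap_type_t *mime;
-
-- if (req->res.mime_attr != NULL)
-+ if (req->res.mime_attr != NULL || req->pathconf->mimemap == NULL)
-return;
-
-if ((content_type_index = h2o_find_header(&req->res.headers, H2O_TOKEN_CONTENT_TYPE, -1)) != -1 &&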
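--- a/PATH_NOT_SHOWN_ON_PAGE_9
+++ /dev/null
@@ -1,11 +0,0 @@
---- a/include/h2o/http2_internal.h
-+++ b/include/h2o/http2_internal.h
-@@ -33,7 +33,7 @@
-typedef struct st_h2o_http2_conn_t h2o_http2_conn_t;
-typedef struct st_h2o_http2_stream_t h2o_http2_stream_t;
-
--#define H2O_HTTP2_DEFAULT_OUTBUF_SIZE 81920 /* the target size of each write call; connection flow control window + alpha */
-+#define H2O_HTTP2_DEFAULT_OUTBUF_SIZE 8192 /* the target size of each write call; connection flow control window + alpha */
-#define H2O_HTTP2_DEFAULT_OUTBUF_SOFT_MAX_SIZE 524288 /* 512KB; stops reading if size exceeds this value */
-
-/* hpack */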
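--- a/PATH_NOT_SHOWN_ON_PAGE_10
+++ /dev/null
@@ -1,203 +0,0 @@
-commit d07b601a5549798f8e500582336756e04dfd25c5
-Author: Remi Gacogne <remi.gacogne@powerdns.com>
-Date: Tue Oct 10 15:47:57 2023 +0200
-
-[http2] delay processing requests upon observing suspicious behavior
-
-Backport of 94fbc54b6c9309912fe3d53e7b63408bbe9a1b0d to v2.2.x
-
---- a/include/h2o.h
-+++ b/include/h2o.h
-@@ -378,6 +378,10 @@ struct st_h2o_globalconf_t {
-* list of callbacks
-*/
-h2o_protocol_callbacks_t callbacks;
-+ /**
-+ * milliseconds to delay processing requests when suspicious behavior is detected
-+ */
-+ uint64_t dos_delay;
-} http2;
-
-struct {
-@@ -590,6 +594,10 @@ struct st_h2o_context_t {
-* timeout entry used for graceful shutdown
-*/
-h2o_timeout_entry_t _graceful_shutdown_timeout;
-+ /*
-+ * dos timeout
-+ */
-+ h2o_timeout_t dos_delay_timeout;
-struct {
-/**
-* counter for http2 errors internally emitted by h2o
---- a/include/h2o/http2_internal.h
-+++ b/include/h2o/http2_internal.h
-@@ -179,6 +179,7 @@ struct st_h2o_http2_stream_t {
-h2o_linklist_t link;
-h2o_http2_scheduler_openref_t scheduler;
-} _refs;
-+ unsigned reset_by_peer : 1;
-h2o_send_state_t send_state; /* state of the ostream, only used in push mode */
-/* placed at last since it is large and has it's own ctor */
-h2o_req_t req;
-@@ -232,6 +233,13 @@ struct st_h2o_http2_conn_t {
-} _write;
-h2o_cache_t *push_memo;
-h2o_http2_casper_t *casper;
-+ /**
-+ * DoS mitigation; the idea here is to delay processing requests when observing suspicious behavior
-+ */
-+ struct {
-+ h2o_timeout_entry_t process_delay;
-+ size_t reset_budget; /* RST_STREAM frames are considered suspicious when this value goes down to zero */
-+ } dos_mitigation;
-};
-
-int h2o_http2_update_peer_settings(h2o_http2_settings_t *settings, const uint8_t *src, size_t len, const char **err_desc);
---- a/lib/core/config.c
-+++ b/lib/core/config.c
-@@ -196,6 +196,7 @@ void h2o_config_init(h2o_globalconf_t *c
-config->http2.latency_optimization.min_rtt = 50; // milliseconds
-config->http2.latency_optimization.max_additional_delay = 10;
-config->http2.latency_optimization.max_cwnd = 65535;
-+ config->http2.dos_delay = 100; /* 100ms processing delay when observing suspicious behavior */
-config->http2.callbacks = H2O_HTTP2_CALLBACKS;
-// config->mimemap = h2o_mimemap_create();
-
---- a/lib/core/configurator.c
-+++ b/lib/core/configurator.c
-@@ -531,6 +531,12 @@ static int on_config_http2_casper(h2o_co
-return 0;
-}
-
-+
-+static int on_config_http2_dos_delay(h2o_configurator_command_t *cmd, h2o_configurator_context_t *ctx, yoml_t *node)
-+{
-+ return config_timeout(cmd, node, &ctx->globalconf->http2.dos_delay);
-+}
-+
-static int assert_is_mimetype(h2o_configurator_command_t *cmd, yoml_t *node)
-{
-if (node->type != YOML_TYPE_SCALAR) {
-@@ -910,6 +916,9 @@ void h2o_configurator__init_core(h2o_glo
-on_config_http2_push_preload);
-h2o_configurator_define_command(&c->super, "http2-casper", H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_HOST,
-on_config_http2_casper);
-+ h2o_configurator_define_command(&c->super, "http2-dos-delay",
-+ H2O_CONFIGURATOR_FLAG_GLOBAL | H2O_CONFIGURATOR_FLAG_EXPECT_SCALAR,
-+ on_config_http2_dos_delay);
-h2o_configurator_define_command(&c->super, "file.mime.settypes",
-(H2O_CONFIGURATOR_FLAG_ALL_LEVELS & ~H2O_CONFIGURATOR_FLAG_EXTENSION) |
-H2O_CONFIGURATOR_FLAG_EXPECT_MAPPING,
---- a/lib/core/context.c
-+++ b/lib/core/context.c
-@@ -101,6 +101,7 @@ void h2o_context_init(h2o_context_t *ctx
-h2o_linklist_init_anchor(&ctx->http1._conns);
-h2o_timeout_init(ctx->loop, &ctx->http2.idle_timeout, config->http2.idle_timeout);
-h2o_timeout_init(ctx->loop, &ctx->http2.graceful_shutdown_timeout, config->http2.graceful_shutdown_timeout);
-+ h2o_timeout_init(ctx->loop, &ctx->http2.dos_delay_timeout, config->http2.dos_delay);
-h2o_linklist_init_anchor(&ctx->http2._conns);
-ctx->proxy.client_ctx.loop = loop;
-h2o_timeout_init(ctx->loop, &ctx->proxy.io_timeout, config->proxy.io_timeout);
-@@ -146,6 +147,7 @@ void h2o_context_dispose(h2o_context_t *
-h2o_timeout_dispose(ctx->loop, &ctx->http1.req_timeout);
-h2o_timeout_dispose(ctx->loop, &ctx->http2.idle_timeout);
-h2o_timeout_dispose(ctx->loop, &ctx->http2.graceful_shutdown_timeout);
-+ h2o_timeout_dispose(ctx->loop, &ctx->http2.dos_delay_timeout);
-h2o_timeout_dispose(ctx->loop, &ctx->proxy.io_timeout);
-/* what should we do here? assert(!h2o_linklist_is_empty(&ctx->http2._conns); */
-
---- a/lib/http2/connection.c
-+++ b/lib/http2/connection.c
-@@ -161,7 +161,6 @@ static void update_idle_timeout(h2o_http
-h2o_timeout_unlink(&conn->_timeout_entry);
-
-if (conn->num_streams.pull.half_closed + conn->num_streams.push.half_closed == 0) {
-- assert(h2o_linklist_is_empty(&conn->_pending_reqs));
-conn->_timeout_entry.cb = on_idle_timeout;
-h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.idle_timeout, &conn->_timeout_entry);
-}
-@@ -175,6 +174,9 @@ static int can_run_requests(h2o_http2_co
-
-static void run_pending_requests(h2o_http2_conn_t *conn)
-{
-+ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
-+ return;
-+
-while (!h2o_linklist_is_empty(&conn->_pending_reqs) && can_run_requests(conn)) {
-/* fetch and detach a pending stream */
-h2o_http2_stream_t *stream = H2O_STRUCT_FROM_MEMBER(h2o_http2_stream_t, _refs.link, conn->_pending_reqs.next);
-@@ -226,6 +228,16 @@ void h2o_http2_conn_unregister_stream(h2
-assert(h2o_http2_scheduler_is_open(&stream->_refs.scheduler));
-h2o_http2_scheduler_close(&stream->_refs.scheduler);
-
-+ /* Decrement reset_budget if the stream was reset by peer, otherwise increment. By doing so, we penalize connections that
-+ * generate resets for >50% of requests. */
-+ if (stream->reset_by_peer) {
-+ if (conn->dos_mitigation.reset_budget > 0)
-+ --conn->dos_mitigation.reset_budget;
-+ } else {
-+ if (conn->dos_mitigation.reset_budget < conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection)
-+ ++conn->dos_mitigation.reset_budget;
-+ }
-+
-switch (stream->state) {
-case H2O_HTTP2_STREAM_STATE_IDLE:
-case H2O_HTTP2_STREAM_STATE_RECV_HEADERS:
-@@ -272,6 +284,8 @@ void close_connection_now(h2o_http2_conn
-h2o_hpack_dispose_header_table(&conn->_output_header_table);
-assert(h2o_linklist_is_empty(&conn->_pending_reqs));
-h2o_timeout_unlink(&conn->_timeout_entry);
-+ if (h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
-+ h2o_timeout_unlink(&conn->dos_mitigation.process_delay);
-h2o_buffer_dispose(&conn->_write.buf);
-if (conn->_write.buf_in_flight != NULL)
-h2o_buffer_dispose(&conn->_write.buf_in_flight);
-@@ -797,11 +811,19 @@ static int handle_rst_stream_frame(h2o_h
-return H2O_HTTP2_ERROR_PROTOCOL;
-}
-
-- stream = h2o_http2_conn_get_stream(conn, frame->stream_id);
-- if (stream != NULL) {
-+ if ((stream = h2o_http2_conn_get_stream(conn, frame->stream_id)) == NULL)
-+ return 0;
-+
-/* reset the stream */
-+ stream->reset_by_peer = 1;
-h2o_http2_stream_reset(conn, stream);
-- }
-+
-+ /* setup process delay if we've just ran out of reset budget */
-+ if (conn->dos_mitigation.reset_budget == 0 && conn->super.ctx->globalconf->http2.dos_delay != 0 &&
-+ !h2o_timeout_is_linked(&conn->dos_mitigation.process_delay))
-+ h2o_timeout_link(conn->super.ctx->loop, &conn->super.ctx->http2.dos_delay_timeout,
-+ &conn->dos_mitigation.process_delay);
-+
-/* TODO log */
-
-return 0;
-@@ -1204,6 +1226,14 @@ static h2o_iovec_t log_priority_actual_w
-return h2o_iovec_init(s, len);
-}
-
-+static void on_dos_process_delay(h2o_timeout_entry_t *timer)
-+{
-+ h2o_http2_conn_t *conn = H2O_STRUCT_FROM_MEMBER(h2o_http2_conn_t, dos_mitigation.process_delay, timer);
-+
-+ assert(!h2o_timeout_is_linked(&conn->dos_mitigation.process_delay));
-+ run_pending_requests(conn);
-+}
-+
-static h2o_http2_conn_t *create_conn(h2o_context_t *ctx, h2o_hostconf_t **hosts, h2o_socket_t *sock, struct timeval connected_at)
-{
-static const h2o_conn_callbacks_t callbacks = {
-@@ -1240,6 +1270,9 @@ static h2o_http2_conn_t *create_conn(h2o
-conn->_write.timeout_entry.cb = emit_writereq;
-h2o_http2_window_init(&conn->_write.window, &conn->peer_settings);
-
-+ conn->dos_mitigation.process_delay.cb = on_dos_process_delay;
-+ conn->dos_mitigation.reset_budget = conn->super.ctx->globalconf->http2.max_concurrent_requests_per_connection;
-+
-return conn;
-}
-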