[trafficserver] branch 9.0.x updated: Adds important config notes for TLS v1/1.1 (#6646)

2020-04-10 Thread zwoop
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new ad92c8e  Adds important config notes for TLS v1/1.1 (#6646)
ad92c8e is described below

commit ad92c8ee17025bbc1e82f3d8319a27c40f0869c6
Author: Leif Hedstrom 
AuthorDate: Fri Apr 10 16:41:56 2020 -0600

Adds important config notes for TLS v1/1.1 (#6646)

* Adds important config notes for TLS v1/1.1

* Fix typo

(cherry picked from commit 1fae1c9569f75d0f42c5f9377575bf25dbdac1e1)
---
 doc/admin-guide/files/records.config.en.rst | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index 948f36c..adef1e2 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3220,11 +3220,18 @@ SSL Termination
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 0
 
-   Enables (``1``) or disables (``0``) TLSv1.0.
+   Enables (``1``) or disables (``0``) TLSv1.0. If not specified, disabled by 
default.
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 0
 
-   Enables (``1``) or disables (``0``) TLS v1.1.  If not specified, enabled by 
default.  [Requires OpenSSL v1.0.1 and higher]
+   Enables (``1``) or disables (``0``) TLS v1.1.  If not specified, disabled 
by default.  [Requires OpenSSL v1.0.1 and higher]
+
+.. note::
+   In order to enable TLS v1 or v1.1, additional ciphers must be added to 
proxy.config.ssl.client.cipher_suite. For
+   example this list would restore the SHA1 (insecure!) cipher suites suitable 
for these deprecated TLS versions:
+
+   
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
+
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1
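
Review bot: The cipher list at the end of the new `.. note::` is a bare indented line, so it will be rendered as ordinary paragraph text and can be reflowed; put it in a literal block (end the preceding sentence with `::`) or wrap it in double backticks so it can be copied verbatim. The note should also say whether the list is appended to the existing value or replaces it, since "additional ciphers must be added" and "this list would restore" read differently.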
 



[trafficserver] branch master updated: Adds important config notes for TLS v1/1.1 (#6646)

2020-04-10 Thread zwoop
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
 new 1fae1c9  Adds important config notes for TLS v1/1.1 (#6646)
1fae1c9 is described below

commit 1fae1c9569f75d0f42c5f9377575bf25dbdac1e1
Author: Leif Hedstrom 
AuthorDate: Fri Apr 10 16:41:56 2020 -0600

Adds important config notes for TLS v1/1.1 (#6646)

* Adds important config notes for TLS v1/1.1

* Fix typo
---
 doc/admin-guide/files/records.config.en.rst | 11 +--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index 127de69..ffa6181 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3233,11 +3233,18 @@ SSL Termination
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1 INT 0
 
-   Enables (``1``) or disables (``0``) TLSv1.0.
+   Enables (``1``) or disables (``0``) TLSv1.0. If not specified, disabled by 
default.
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_1 INT 0
 
-   Enables (``1``) or disables (``0``) TLS v1.1.  If not specified, enabled by 
default.  [Requires OpenSSL v1.0.1 and higher]
+   Enables (``1``) or disables (``0``) TLS v1.1.  If not specified, disabled 
by default.  [Requires OpenSSL v1.0.1 and higher]
+
+.. note::
+   In order to enable TLS v1 or v1.1, additional ciphers must be added to 
proxy.config.ssl.client.cipher_suite. For
+   example this list would restore the SHA1 (insecure!) cipher suites suitable 
for these deprecated TLS versions:
+
+   
ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:AES256-SHA:AES128-SHA
+
 
 .. ts:cv:: CONFIG proxy.config.ssl.TLSv1_2 INT 1
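
Review bot: The new note names `proxy.config.ssl.client.cipher_suite`, while the hunk header places these settings under "SSL Termination"; please confirm that this is the setting an operator has to change for `proxy.config.ssl.TLSv1` and `proxy.config.ssl.TLSv1_1` to take effect, and write it as a `:ts:cv:` reference so the name is checked when the docs are built. Minor: the two descriptions spell the version differently (`TLSv1.0` and `TLS v1.1`).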
 



[trafficserver] branch 9.0.x updated: Fixing shadowed variables, both global and local: (#6371)

2020-04-10 Thread zwoop
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new 44b220d  Fixing shadowed variables, both global and local: (#6371)
44b220d is described below

commit 44b220d652b74af0b5f3a47acad374766ebcee67
Author: Evan Zelkowitz 
AuthorDate: Wed Jan 29 13:56:21 2020 -0700

Fixing shadowed variables, both global and local: (#6371)


https://lgtm.com/projects/g/apache/trafficserver/?mode=tree=2157860312

https://lgtm.com/projects/g/apache/trafficserver/?mode=tree=2156240606

Addresses issue #6352

(cherry picked from commit 2e1202023219457496c2cc49d199f20fc79d5796)
---
 iocore/hostdb/HostDB.cc  |  4 +-
 iocore/net/SSLUtils.cc   | 12 +++---
 iocore/net/UnixNetAccept.cc  |  6 +--
 plugins/background_fetch/background_fetch.cc |  4 +-
 plugins/experimental/memcache/tsmemcache.cc  |  8 ++--
 plugins/header_rewrite/conditions.cc | 16 +++
 plugins/multiplexer/dispatch.cc  |  6 +--
 src/traffic_cache_tool/CacheTool.cc  | 10 ++---
 src/traffic_logcat/logcat.cc | 12 +++---
 src/traffic_server/InkAPI.cc | 10 ++---
 src/traffic_server/traffic_server.cc | 18 
 src/tscore/IpMap.cc  | 62 ++--
 tools/jtest/jtest.cc |  8 ++--
 13 files changed, 88 insertions(+), 88 deletions(-)

diff --git a/iocore/hostdb/HostDB.cc b/iocore/hostdb/HostDB.cc
index 045593c..3e6aaad 100644
--- a/iocore/hostdb/HostDB.cc
+++ b/iocore/hostdb/HostDB.cc
@@ -2216,7 +2216,7 @@ ParseHostLine(Ptr , char *l)
 }
 
 void
-ParseHostFile(const char *path, unsigned int hostdb_hostfile_check_interval)
+ParseHostFile(const char *path, unsigned int 
hostdb_hostfile_check_interval_parse)
 {
   Ptr parsed_hosts_file_ptr;
 
@@ -2236,7 +2236,7 @@ ParseHostFile(const char *path, unsigned int 
hostdb_hostfile_check_interval)
 int64_t size = info.st_size + 1;
 
 parsed_hosts_file_ptr = new RefCountedHostsFileMap;
-parsed_hosts_file_ptr->next_sync_time = ink_time() + 
hostdb_hostfile_check_interval;
+parsed_hosts_file_ptr->next_sync_time = ink_time() + 
hostdb_hostfile_check_interval_parse;
 parsed_hosts_file_ptr->HostFileText   = static_cast(ats_malloc(size));
 if (parsed_hosts_file_ptr->HostFileText) {
   char *base = parsed_hosts_file_ptr->HostFileText;
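
Review bot: Style point on the renamed parameter `hostdb_hostfile_check_interval_parse` (the `ParseHostFile` signature and the `next_sync_time` assignment in this hunk): the `_parse` suffix removes the shadowing but does not say how the value differs from the name it used to shadow. A short local name such as `check_interval` would read better and cannot collide with a `hostdb_`-prefixed name again.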
diff --git a/iocore/net/SSLUtils.cc b/iocore/net/SSLUtils.cc
index 1e6c09a..54cc5e8 100644
--- a/iocore/net/SSLUtils.cc
+++ b/iocore/net/SSLUtils.cc
@@ -1737,10 +1737,10 @@ SSLWriteBuffer(SSL *ssl, const void *buf, int64_t 
nbytes, int64_t )
   }
   int ssl_error = SSL_get_error(ssl, ret);
   if (ssl_error == SSL_ERROR_SSL && is_debug_tag_set("ssl.error.write")) {
-char buf[512];
+char tempbuf[512];
 unsigned long e = ERR_peek_last_error();
-ERR_error_string_n(e, buf, sizeof(buf));
-Debug("ssl.error.write", "SSL write returned %d, ssl_error=%d, 
ERR_get_error=%ld (%s)", ret, ssl_error, e, buf);
+ERR_error_string_n(e, tempbuf, sizeof(tempbuf));
+Debug("ssl.error.write", "SSL write returned %d, ssl_error=%d, 
ERR_get_error=%ld (%s)", ret, ssl_error, e, tempbuf);
   }
   return ssl_error;
 }
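
Review bot: The `Debug` format string on the line being touched prints `e`, an `unsigned long`, with `%ld`, and labels it `ERR_get_error` although the value comes from `ERR_peek_last_error()`. Suggest `%lu` and a label that matches the call; the same applies to the identical line in the `SSLReadBuffer` hunk that follows. The rename to `tempbuf` is fine, though `errbuf` would say what the buffer holds.
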
@@ -1818,10 +1818,10 @@ SSLReadBuffer(SSL *ssl, void *buf, int64_t nbytes, 
int64_t )
   }
   int ssl_error = SSL_get_error(ssl, ret);
   if (ssl_error == SSL_ERROR_SSL && is_debug_tag_set("ssl.error.read")) {
-char buf[512];
+char tempbuf[512];
 unsigned long e = ERR_peek_last_error();
-ERR_error_string_n(e, buf, sizeof(buf));
-Debug("ssl.error.read", "SSL read returned %d, ssl_error=%d, 
ERR_get_error=%ld (%s)", ret, ssl_error, e, buf);
+ERR_error_string_n(e, tempbuf, sizeof(tempbuf));
+Debug("ssl.error.read", "SSL read returned %d, ssl_error=%d, 
ERR_get_error=%ld (%s)", ret, ssl_error, e, tempbuf);
   }
 
   return ssl_error;
diff --git a/iocore/net/UnixNetAccept.cc b/iocore/net/UnixNetAccept.cc
index 9254d7f..7109a27 100644
--- a/iocore/net/UnixNetAccept.cc
+++ b/iocore/net/UnixNetAccept.cc
@@ -356,11 +356,11 @@ NetAccept::do_blocking_accept(EThread *t)
 #endif
 SET_CONTINUATION_HANDLER(vc, 
(NetVConnHandler)::acceptEvent);
 
-EThread *t= eventProcessor.assign_thread(opt.etype);
-NetHandler *h = get_NetHandler(t);
+EThread *localt = eventProcessor.assign_thread(opt.etype);
+NetHandler *h   = get_NetHandler(localt);
 // Assign NetHandler->mutex to NetVC
 vc->mutex = h->mutex;
-t->schedule_imm_signal(vc);
+localt->schedule_imm_signal(vc);
   } while (loop);
 
   return 1;
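
Review bot: `localt` removes the shadowing of the `EThread *t` parameter of `do_blocking_accept`, but the name does not say what the thread is for; something like `assigned_thread` would make the `get_NetHandler(...)` and `schedule_imm_signal(vc)` lines self-explanatory. It is also worth checking whether the parameter `t` is still used anywhere in the function now that the inner variable has its own name.
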
diff --git a/plugins/background_fetch/background_fetch.cc 
b/plugins/background_fetch/background_fetch.cc
index fbeba7d..13aaff4 100644
--- 

[trafficserver] branch 9.0.x updated: Add docs for memory leak detection configs

2020-04-10 Thread zwoop
This is an automated email from the ASF dual-hosted git repository.

zwoop pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/9.0.x by this push:
 new f924633  Add docs for memory leak detection configs
f924633 is described below

commit f92463337b21138c052e81475cabfdab3db885be
Author: Sudheer Vinukonda 
AuthorDate: Fri Apr 10 09:43:58 2020 -0700

Add docs for memory leak detection configs

(cherry picked from commit 70b1bf69c06cd3d967a8bdf9b351e4ec97bf01f9)
---
 doc/admin-guide/files/records.config.en.rst   | 27 ---
 doc/developer-guide/debugging/memory-leaks.en.rst | 16 ++
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index 6d95181..948f36c 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -4316,11 +4316,32 @@ Sockets
For more information on the implications of enabling huge pages, see
`Wikipedia 
_`.
 
+.. ts:cv:: CONFIG proxy.config.dump_mem_info_frequency INT 0
+   :reloadable:
+
+   Enable . When enabled makes Traffic Server dump IO Buffer memory 
information
+   to ``traffic.out`` at  (intervals are in seconds). A zero value 
implies it is
+   disabled
+
+.. ts:cv:: CONFIG proxy.config.res_track_memory INT 0
+
+   When enabled makes Traffic Server track memory usage (allocations and 
releases). This
+   information is dumped  to ``traffic.out`` when the user sends a SIGUSR1 
signal or
+   periodically when :ts:cv:`proxy.config.dump_mem_info_frequency` is enabled.
+
+   = ==
+   Value Description
+   = ==
+   ``0`` Memory tracking Disabled
+   ``1`` Tracks IO Buffer Memory allocations and releases
+   ``2`` Tracks IO Buffer Memory and OpenSSL Memory allocations and releases
+   = ==
+
 .. ts:cv:: CONFIG proxy.config.allocator.dontdump_iobuffers INT 1
 
-  Enable (1) the exclusion of IO buffers from core files when ATS crashes on 
supported
-  platforms.  (Currently only linux).  IO buffers are allocated with the 
MADV_DONTDUMP
-  with madvise() on linux platforms that support MADV_DONTDUMP.  Enabled by 
default.
+   Enable (1) the exclusion of IO buffers from core files when ATS crashes on 
supported
+   platforms.  (Currently only linux).  IO buffers are allocated with the 
MADV_DONTDUMP
+   with madvise() on linux platforms that support MADV_DONTDUMP.  Enabled by 
default.
 
 .. ts:cv:: CONFIG proxy.config.http.enabled INT 1
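
Review bot: `proxy.config.res_track_memory` is documented without `:reloadable:` while `proxy.config.dump_mem_info_frequency` directly above has it; if tracking can only be switched on at startup, say so in the description, because the text tells the reader to use the two settings together. It would also help to state the cost of values `1` and `2`, since the table only says what is tracked.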
 
diff --git a/doc/developer-guide/debugging/memory-leaks.en.rst 
b/doc/developer-guide/debugging/memory-leaks.en.rst
index 64a8b78..23d4516 100644
--- a/doc/developer-guide/debugging/memory-leaks.en.rst
+++ b/doc/developer-guide/debugging/memory-leaks.en.rst
@@ -33,3 +33,19 @@ related to memory - you can use memory dump information. 
Enable
 This causes Traffic Server to dump memory information to ``traffic.out``
 at  (intervals are in seconds). A zero value means that it is
 disabled.
+
+::
+
+  CONFIG proxy.config.res_track_memory INT 
+
+   When enabled makes Traffic Server track memory usage (allocations and 
releases). This
+   information is dumped  to ``traffic.out`` when the user sends a SIGUSR1 
signal or
+   periodically when :ts:cv:`proxy.config.dump_mem_info_frequency` is enabled.
+
+   = ==
+   Value Description
+   = ==
+   ``0`` Memory tracking Disabled
+   ``1`` Tracks IO Buffer Memory allocations and releases
+   ``2`` Tracks IO Buffer Memory and OpenSSL Memory allocations and releases
+   = ==
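
Review bot: Everything after `::` is indented, so the description, the `:ts:cv:` role and the value table all become part of the literal block and will render as preformatted text rather than as a paragraph, a link and a table. Keep only the `CONFIG proxy.config.res_track_memory INT` line in the literal block and dedent the rest to the level of the surrounding paragraphs.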



[trafficserver] branch master updated: Add docs for memory leak detection configs

2020-04-10 Thread sudheerv
This is an automated email from the ASF dual-hosted git repository.

sudheerv pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
 new 70b1bf6  Add docs for memory leak detection configs
70b1bf6 is described below

commit 70b1bf69c06cd3d967a8bdf9b351e4ec97bf01f9
Author: Sudheer Vinukonda 
AuthorDate: Fri Apr 10 09:43:58 2020 -0700

Add docs for memory leak detection configs
---
 doc/admin-guide/files/records.config.en.rst   | 27 ---
 doc/developer-guide/debugging/memory-leaks.en.rst | 16 ++
 2 files changed, 40 insertions(+), 3 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index 2ddd655..127de69 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -4329,11 +4329,32 @@ Sockets
For more information on the implications of enabling huge pages, see
`Wikipedia 
_`.
 
+.. ts:cv:: CONFIG proxy.config.dump_mem_info_frequency INT 0
+   :reloadable:
+
+   Enable . When enabled makes Traffic Server dump IO Buffer memory 
information
+   to ``traffic.out`` at  (intervals are in seconds). A zero value 
implies it is
+   disabled
+
+.. ts:cv:: CONFIG proxy.config.res_track_memory INT 0
+
+   When enabled makes Traffic Server track memory usage (allocations and 
releases). This
+   information is dumped  to ``traffic.out`` when the user sends a SIGUSR1 
signal or
+   periodically when :ts:cv:`proxy.config.dump_mem_info_frequency` is enabled.
+
+   = ==
+   Value Description
+   = ==
+   ``0`` Memory tracking Disabled
+   ``1`` Tracks IO Buffer Memory allocations and releases
+   ``2`` Tracks IO Buffer Memory and OpenSSL Memory allocations and releases
+   = ==
+
 .. ts:cv:: CONFIG proxy.config.allocator.dontdump_iobuffers INT 1
 
-  Enable (1) the exclusion of IO buffers from core files when ATS crashes on 
supported
-  platforms.  (Currently only linux).  IO buffers are allocated with the 
MADV_DONTDUMP
-  with madvise() on linux platforms that support MADV_DONTDUMP.  Enabled by 
default.
+   Enable (1) the exclusion of IO buffers from core files when ATS crashes on 
supported
+   platforms.  (Currently only linux).  IO buffers are allocated with the 
MADV_DONTDUMP
+   with madvise() on linux platforms that support MADV_DONTDUMP.  Enabled by 
default.
 
 .. ts:cv:: CONFIG proxy.config.http.enabled INT 1
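
Review bot: Wording in the two added descriptions needs a pass: "When enabled makes Traffic Server ..." has no subject (suggest "When enabled, Traffic Server dumps ..." and "... tracks ..."), the `dump_mem_info_frequency` paragraph ends at "disabled" without a full stop, and "dumped  to" has a double space. Since the `dontdump_iobuffers` lines are being re-indented anyway, "allocated with the MADV_DONTDUMP with madvise()" could be fixed in the same change.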
 
diff --git a/doc/developer-guide/debugging/memory-leaks.en.rst 
b/doc/developer-guide/debugging/memory-leaks.en.rst
index 64a8b78..23d4516 100644
--- a/doc/developer-guide/debugging/memory-leaks.en.rst
+++ b/doc/developer-guide/debugging/memory-leaks.en.rst
@@ -33,3 +33,19 @@ related to memory - you can use memory dump information. 
Enable
 This causes Traffic Server to dump memory information to ``traffic.out``
 at  (intervals are in seconds). A zero value means that it is
 disabled.
+
+::
+
+  CONFIG proxy.config.res_track_memory INT 
+
+   When enabled makes Traffic Server track memory usage (allocations and 
releases). This
+   information is dumped  to ``traffic.out`` when the user sends a SIGUSR1 
signal or
+   periodically when :ts:cv:`proxy.config.dump_mem_info_frequency` is enabled.
+
+   = ==
+   Value Description
+   = ==
+   ``0`` Memory tracking Disabled
+   ``1`` Tracks IO Buffer Memory allocations and releases
+   ``2`` Tracks IO Buffer Memory and OpenSSL Memory allocations and releases
+   = ==
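
Review bot: This paragraph and table repeat, word for word, the `proxy.config.res_track_memory` entry added to `records.config.en.rst` in the same commit, so the two copies can drift apart. Suggest keeping the table in one place and referring to it from the debugging guide with :ts:cv:`proxy.config.res_track_memory`.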



[trafficserver] annotated tag 7.1.10-rc0 updated (439a7cf -> bca063d)

2020-04-10 Thread bcall
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a change to annotated tag 7.1.10-rc0
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.


*** WARNING: tag 7.1.10-rc0 was modified! ***

from 439a7cf  (commit)
  to bca063d  (tag)
 tagging 439a7cfcb70dcb92485dd6989af80d9f900d1f99 (commit)
 replaces 7.1.9
  by Bryan Call
  on Fri Apr 10 13:30:41 2020 -0700

- Log -
Release Candidate 7.1.10-rc0
---


No new revisions were added by this update.

Summary of changes:



[trafficserver] branch master updated (96e1f46 -> 6ca86f0)

2020-04-10 Thread shinrich
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.


from 96e1f46  Fixes crash loading combined(cert+key) certs
 add 6ca86f0  Add more options to session_sharing.match (#6566)

No new revisions were added by this update.

Summary of changes:
 doc/admin-guide/files/records.config.en.rst|  49 -
 .../types/TSServerSessionSharingMatchType.en.rst   |  46 
 .../types/TSServerSessionSharingPoolType.en.rst|  42 
 include/ts/apidefs.h.in|  16 ---
 proxy/hdrs/HTTP.h  |   4 +-
 proxy/http/Http1ServerSession.cc   |   2 +-
 proxy/http/Http1ServerSession.h|   2 +-
 proxy/http/HttpConfig.cc   |  64 +--
 proxy/http/HttpConfig.h|   4 +-
 proxy/http/HttpProxyAPIEnums.h |  26 +++--
 proxy/http/HttpSM.cc   |  43 +---
 proxy/http/HttpSM.h|   2 +
 proxy/http/HttpSessionManager.cc   | 118 -
 proxy/http/HttpSessionManager.h|   6 +-
 src/traffic_server/InkAPI.cc   |   5 +
 15 files changed, 233 insertions(+), 196 deletions(-)
 delete mode 100644 
doc/developer-guide/api/types/TSServerSessionSharingMatchType.en.rst
 delete mode 100644 
doc/developer-guide/api/types/TSServerSessionSharingPoolType.en.rst



[trafficserver] branch master updated (4d7aeb0 -> 96e1f46)

2020-04-10 Thread rrm
This is an automated email from the ASF dual-hosted git repository.

rrm pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.


from 4d7aeb0  traffic_dump: don't dump cookies from the wire (#6586)
 add 96e1f46  Fixes crash loading combined(cert+key) certs

No new revisions were added by this update.

Summary of changes:
 iocore/net/SSLUtils.cc | 13 +++--
 1 file changed, 11 insertions(+), 2 deletions(-)



[trafficserver] branch master updated: traffic_dump: don't dump cookies from the wire (#6586)

2020-04-10 Thread shinrich
This is an automated email from the ASF dual-hosted git repository.

shinrich pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
 new 4d7aeb0  traffic_dump: don't dump cookies from the wire (#6586)
4d7aeb0 is described below

commit 4d7aeb09f83e447b2d3112d23bb0a98ba32ca51d
Author: Brian Neradt 
AuthorDate: Fri Apr 10 15:00:04 2020 -0400

traffic_dump: don't dump cookies from the wire (#6586)

Cookies are often very sensitive information and should not be logged.
This change modifies traffic_dump to not dump the actual cookies from
the wire.

--promiscuous-mode is added in case the user wants to dump sensitive
headers.

--sensitive-fields is added so the user can treat custom fields as
sensitive.

Co-authored-by: bneradt 
---
 doc/admin-guide/plugins/traffic_dump.en.rst|   6 +-
 plugins/experimental/traffic_dump/traffic_dump.cc  | 140 -
 .../pluginTest/traffic_dump/gold/200.gold  |   1 +
 .../pluginTest/traffic_dump/traffic_dump.test.py   |  46 ---
 .../pluginTest/traffic_dump/verify_replay.py   |  55 
 5 files changed, 226 insertions(+), 22 deletions(-)

diff --git a/doc/admin-guide/plugins/traffic_dump.en.rst 
b/doc/admin-guide/plugins/traffic_dump.en.rst
index 45c7d51..eece215 100644
--- a/doc/admin-guide/plugins/traffic_dump.en.rst
+++ b/doc/admin-guide/plugins/traffic_dump.en.rst
@@ -46,6 +46,10 @@ Plugin Configuration
 
(`required`) - specifies the max disk usage N bytes (approximate). Traffic 
Dump will stop capturing new sessions once disk usage exceeds this limit.
 
+   .. option:: --sensitive-fields 
+
+   (`optional`) - a comma seperatated list of HTTP case-insensitive field 
names whose values are considered sensitive information. Traffic Dump will not 
dump the incoming field values for any of these fields but will instead dump a 
generic value for them of the same length as the original. If this option is 
not used, a default list of "Cookie,Set-Cookie" is used. Providing this option 
overwrites that default list with whatever values the user provides. Pass a 
quoted empty string as the a [...]
+
 ``traffic_ctl`` 
* ``traffic_ctl plugin msg traffic_dump.sample N`` - changes the sampling 
ratio N as mentioned above.
* ``traffic_ctl plugin msg traffic_dump.reset`` - resets the disk usage 
counter.
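
Review bot: The commit message introduces both `--promiscuous-mode` and `--sensitive-fields`, but in the hunks shown for this file only `--sensitive-fields` gets an `.. option::` entry; please document `--promiscuous-mode` as well, since it is the switch that turns the masking of sensitive fields off. In the added text, "seperatated" should be "separated", and "HTTP case-insensitive field names" reads better as "case-insensitive HTTP field names".
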
@@ -57,7 +61,7 @@ This format contains traffic data including:
 
 * Each session and transactions in the session.
 * Timestamps.
-* The four headers (ua request, proxy request, origin server response, proxy 
response).
+* The four sets of headers (user agent request, proxy request, origin server 
response, proxy response).
 * The protocol stack for the user agent.
 * The transaction count for the outbound session.
 * The content block sizes.
diff --git a/plugins/experimental/traffic_dump/traffic_dump.cc 
b/plugins/experimental/traffic_dump/traffic_dump.cc
index 31563b6..cfe5b36 100644
--- a/plugins/experimental/traffic_dump/traffic_dump.cc
+++ b/plugins/experimental/traffic_dump/traffic_dump.cc
@@ -32,20 +32,59 @@
 #include 
 #include 
 
+#include 
 #include 
 #include 
 #include 
 #include 
 #include 
 #include 
+#include 
 
 #include "tscore/ts_file.h"
+#include "tscpp/util/TextView.h"
 #include "ts/ts.h"
 
 namespace
 {
 const char *PLUGIN_NAME   = "traffic_dump";
 const std::string closing = "]}]}";
+std::string defaut_sensitive_field_value;
+
+// A case-insensitive comparitor used for comparing HTTP field names.
+struct InsensitiveCompare {
+  bool
+  operator()(std::string_view a, std::string_view b) const
+  {
+return strcasecmp(a, b) == 0;
+  }
+};
+
+struct StringHashByLower {
+public:
+  size_t
+  operator()(const std::string ) const
+  {
+std::string lower;
+std::transform(str.begin(), str.end(), lower.begin(), [](unsigned char c) 
-> unsigned char { return std::tolower(c); });
+return std::hash()(lower);
+  }
+};
+
+/// Fields considered sensitive because they may contain user-private
+/// information. These fields are replaced with auto-generated generic content
+/// by default. To turn off this behavior, the user should add the
+/// --promiscuous-mode flag as a commandline argument.
+///
+/// While these are specified with case, they are matched case-insensitively.
+std::unordered_set 
default_sensitive_fields = {
+  "Set-Cookie",
+  "Cookie",
+};
+
+/// The set of fields, default and user-specified, that are sensitive and whose
+/// values will be replaced with auto-generated generic content.
+std::unordered_set 
sensitive_fields;
 
 ts::file::path log_path{"dump"};   // default log directory
 int s_arg_idx = 0; // Session Arg Index to pass on 
session data
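
Review bot: In `StringHashByLower::operator()`, `std::transform` writes through `lower.begin()` while `lower` is still an empty `std::string`, which is an out-of-bounds write (undefined behaviour), and `lower` keeps size 0 afterwards, so the hash would not depend on the key even if the write happened to be harmless. Size the string first, for example `std::string lower(str.size(), '\0');`, or append with `std::back_inserter(lower)`. Smaller points: `defaut_sensitive_field_value` and "comparitor" are misspelled, and a comment should say that `InsensitiveCompare` and `StringHashByLower` must both stay case-insensitive for lookups in the `unordered_set` to work.
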
@@ -183,10 +222,10 @@ esc_json_out(const char *buf, int64_t len, std::ostream 
)
 
 /// escape_json(): escape chars in a string and returns 

[trafficserver] annotated tag 8.0.7-rc0 updated (ac05db1 -> b21c087)

2020-04-10 Thread bcall
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a change to annotated tag 8.0.7-rc0
in repository https://gitbox.apache.org/repos/asf/trafficserver.git.


*** WARNING: tag 8.0.7-rc0 was modified! ***

from ac05db1  (commit)
  to b21c087  (tag)
 tagging ac05db1ca58e990e0d2c49b57e5b6364df71dabc (commit)
 replaces 8.0.6
  by Bryan Call
  on Fri Apr 10 11:10:54 2020 -0700

- Log -
Release Candidate 8.0.7-rc0
---


No new revisions were added by this update.

Summary of changes:



[trafficserver] branch 8.0.x updated: Updated Changelog

2020-04-10 Thread bcall
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/8.0.x by this push:
 new ac05db1  Updated Changelog
ac05db1 is described below

commit ac05db1ca58e990e0d2c49b57e5b6364df71dabc
Author: Bryan Call 
AuthorDate: Fri Apr 10 10:49:54 2020 -0700

Updated Changelog
---
 CHANGELOG-8.0.7 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG-8.0.7 b/CHANGELOG-8.0.7
index 1f2a90b..de1abcf 100644
--- a/CHANGELOG-8.0.7
+++ b/CHANGELOG-8.0.7
@@ -1,3 +1,4 @@
 Changes with Apache Traffic Server 8.0.7
   #6526 - Fixes crash in SNIConfigParams::cleanup()
   #6579 - Fix tunnel crash
+  #6639 - Bug fixes to h2 buffering



[trafficserver] branch 7.1.x updated: Updated Changelog

2020-04-10 Thread bcall
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/7.1.x by this push:
 new 439a7cf  Updated Changelog
439a7cf is described below

commit 439a7cfcb70dcb92485dd6989af80d9f900d1f99
Author: Bryan Call 
AuthorDate: Fri Apr 10 10:42:09 2020 -0700

Updated Changelog
---
 CHANGELOG-7.1.10 | 1 +
 1 file changed, 1 insertion(+)

diff --git a/CHANGELOG-7.1.10 b/CHANGELOG-7.1.10
index 8ef962c..0259c29 100644
--- a/CHANGELOG-7.1.10
+++ b/CHANGELOG-7.1.10
@@ -1,2 +1,3 @@
 Changes with Apache Traffic Server 7.1.10
   #6592 - Fix tunnel crash
+  #6638 - Bug fixes to h2 buffering



[trafficserver] branch master updated: Adding a log pipe buffer size test.

2020-04-10 Thread rrm
This is an automated email from the ASF dual-hosted git repository.

rrm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/master by this push:
 new 15e749e  Adding a log pipe buffer size test.
15e749e is described below

commit 15e749ea4cf3b5e66ffd0ad53d20fa4c611e2ca5
Author: bneradt 
AuthorDate: Fri Apr 3 19:49:38 2020 +

Adding a log pipe buffer size test.
---
 proxy/logging/LogFile.cc   |  10 +-
 src/traffic_layout/info.cc |   6 +
 tests/gold_tests/autest-site/when.test.ext |  36 
 tests/gold_tests/logging/log_pipe.test.py  | 186 +
 .../logging/pipe_buffer_is_larger_than.py  |  69 
 5 files changed, 302 insertions(+), 5 deletions(-)

diff --git a/proxy/logging/LogFile.cc b/proxy/logging/LogFile.cc
index 59c6bde..26fcca6 100644
--- a/proxy/logging/LogFile.cc
+++ b/proxy/logging/LogFile.cc
@@ -199,21 +199,21 @@ LogFile::open_file()
 if (m_pipe_buffer_size) {
   long pipe_size = (long)fcntl(m_fd, F_GETPIPE_SZ);
   if (pipe_size == -1) {
-Error("get pipe size failed for pipe %s", m_name);
+Error("Get pipe size failed for pipe %s: %s", m_name, strerror(errno));
   } else {
-Debug("log-file", "Default pipe size for pipe %s = %ld", m_name, 
pipe_size);
+Debug("log-file", "Previous buffer size for pipe %s: %ld", m_name, 
pipe_size);
   }
 
   int ret = fcntl(m_fd, F_SETPIPE_SZ, m_pipe_buffer_size);
   if (ret == -1) {
-Error("set pipe size failed for pipe %s", m_name);
+Error("Set pipe size failed for pipe %s to size %d: %s", m_name, 
m_pipe_buffer_size, strerror(errno));
   }
 
   pipe_size = (long)fcntl(m_fd, F_GETPIPE_SZ);
   if (pipe_size == -1) {
-Error("get pipe size failed for pipe %s", m_name);
+Error("Get pipe size after setting it failed for pipe %s: %s", m_name, 
strerror(errno));
   } else {
-Debug("log-file", "NEW pipe size for pipe %s = %ld", m_name, 
pipe_size);
+Debug("log-file", "New buffer size for pipe %s: %ld", m_name, 
pipe_size);
   }
 }
 #endif // F_GETPIPE_SZ
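
Review bot: The three new `Error()` messages call `strerror(errno)`, which is not thread-safe and returns a pointer to storage that a concurrent call may overwrite; prefer `strerror_r` or an errno-formatting helper the code base already has. Also check that `m_pipe_buffer_size` really is an `int`, since the new "Set pipe size failed" message prints it with `%d`, and that the headers declaring `errno` and `strerror` are included in this file.
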
diff --git a/src/traffic_layout/info.cc b/src/traffic_layout/info.cc
index 062aa7a..4cb6195 100644
--- a/src/traffic_layout/info.cc
+++ b/src/traffic_layout/info.cc
@@ -21,6 +21,7 @@
   limitations under the License.
  */
 
+#include 
 #include 
 #include "tscore/I_Layout.h"
 #include "tscore/Filenames.h"
@@ -88,6 +89,11 @@ produce_features(bool json)
 #else
   print_feature("TS_HAS_BROTLI", 0, json);
 #endif
+#ifdef F_GETPIPE_SZ
+  print_feature("TS_HAS_PIPE_BUFFER_SIZE_CONFIG", 1, json);
+#else
+  print_feature("TS_HAS_PIPE_BUFFER_SIZE_CONFIG", 0, json);
+#endif /* F_GETPIPE_SZ */
   print_feature("TS_HAS_JEMALLOC", TS_HAS_JEMALLOC, json);
   print_feature("TS_HAS_TCMALLOC", TS_HAS_TCMALLOC, json);
   print_feature("TS_HAS_IN6_IS_ADDR_UNSPECIFIED", 
TS_HAS_IN6_IS_ADDR_UNSPECIFIED, json);
diff --git a/tests/gold_tests/autest-site/when.test.ext 
b/tests/gold_tests/autest-site/when.test.ext
new file mode 100644
index 000..d44c9ba
--- /dev/null
+++ b/tests/gold_tests/autest-site/when.test.ext
@@ -0,0 +1,36 @@
+'''
+When extensions.
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright ownership.  The ASF licenses this file
+#  to you under the Apache License, Version 2.0 (the
+#  "License"); you may not use this file except in compliance
+#  with the License.  You may obtain a copy of the License at
+#
+#  http://www.apache.org/licenses/LICENSE-2.0
+#
+#  Unless required by applicable law or agreed to in writing, software
+#  distributed under the License is distributed on an "AS IS" BASIS,
+#  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#  See the License for the specific language governing permissions and
+#  limitations under the License.
+
+from autest.api import AddWhenFunction
+import hosts.output as host
+
+
+def FileContains(haystack, needle):
+with open(haystack) as f:
+result = needle in f.read()
+
+host.WriteDebug(
+['FileExists', 'when'],
+"Testing for file content '{0}' in '{1}' : {2}".format(
+needle, haystack, result))
+
+return result
+
+
+AddWhenFunction(FileContains)
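
Review bot: `FileContains` opens `haystack` unconditionally, so a `When` condition evaluated before the file has been created raises instead of returning `False`; catch `FileNotFoundError` (or test `os.path.isfile` first) and return `False` so the condition can be polled. The debug tag list still says `'FileExists'`, which looks copied from another helper and should be `'FileContains'`, and the docstring "When extensions." could say what the function checks.
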
diff --git a/tests/gold_tests/logging/log_pipe.test.py 
b/tests/gold_tests/logging/log_pipe.test.py
new file mode 100644
index 000..cdadbd0
--- /dev/null
+++ b/tests/gold_tests/logging/log_pipe.test.py
@@ -0,0 +1,186 @@
+'''
+'''
+#  Licensed to the Apache Software Foundation (ASF) under one
+#  or more contributor license agreements.  See the NOTICE file
+#  distributed with this work for additional information
+#  regarding copyright 

[trafficserver] branch 7.1.x updated: Bug fixes to h2 buffering

2020-04-10 Thread bcall
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 7.1.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/7.1.x by this push:
 new 7aa5cd8  Bug fixes to h2 buffering
7aa5cd8 is described below

commit 7aa5cd8bc886945c24c1eb42f065412f541fb176
Author: Masaori Koshiba 
AuthorDate: Thu Apr 9 11:59:26 2020 -0700

Bug fixes to h2 buffering
---
 doc/admin-guide/files/records.config.en.rst |  2 +-
 mgmt/RecordsConfig.cc   |  2 +-
 proxy/http2/HTTP2.cc|  2 +-
 proxy/http2/Http2ClientSession.cc   | 12 --
 proxy/http2/Http2ClientSession.h|  2 +
 proxy/http2/Http2ConnectionState.cc | 59 -
 proxy/http2/Http2ConnectionState.h  |  6 ++-
 proxy/http2/Http2Stream.cc  | 30 +++
 proxy/http2/Http2Stream.h   |  6 ++-
 9 files changed, 94 insertions(+), 27 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index d070dd2..7694915 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3347,7 +3347,7 @@ HTTP/2 Configuration
:ts:cv:`proxy.config.http2.min_concurrent_streams_in`.
To disable, set to zero (``0``).
 
-.. ts:cv:: CONFIG proxy.config.http2.initial_window_size_in INT 1048576
+.. ts:cv:: CONFIG proxy.config.http2.initial_window_size_in INT 65535
:reloadable:
 
The initial window size for inbound connections.
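Review bot: the documented default for proxy.config.http2.initial_window_size_in drops from 1048576 to 65535, but the description under it still only reads "The initial window size for inbound connections." and the commit message ("Bug fixes to h2 buffering") does not mention a default changing. Add a sentence stating the unit (bytes) and that 65535 is the HTTP/2 protocol's own initial flow-control window, so operators who relied on the previous default know to set the value explicitly.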
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index c3393f0..f47bc7f 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1422,7 +1422,7 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.http2.max_active_streams_in", RECD_INT, "0", 
RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.http2.initial_window_size_in", RECD_INT, 
"1048576", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
+  {RECT_CONFIG, "proxy.config.http2.initial_window_size_in", RECD_INT, 
"65535", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.http2.max_frame_size", RECD_INT, "16384", 
RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
   ,
diff --git a/proxy/http2/HTTP2.cc b/proxy/http2/HTTP2.cc
index d76256f..c4e1029 100644
--- a/proxy/http2/HTTP2.cc
+++ b/proxy/http2/HTTP2.cc
@@ -722,7 +722,7 @@ uint32_t Http2::min_concurrent_streams_in  = 10;
 uint32_t Http2::max_active_streams_in  = 0;
 bool Http2::throttling = false;
 uint32_t Http2::stream_priority_enabled= 0;
-uint32_t Http2::initial_window_size= 1048576;
+uint32_t Http2::initial_window_size= 65535;
 uint32_t Http2::max_frame_size = 16384;
 uint32_t Http2::header_table_size  = 4096;
 uint32_t Http2::max_header_list_size   = 4294967295;
diff --git a/proxy/http2/Http2ClientSession.cc 
b/proxy/http2/Http2ClientSession.cc
index a92aa82..67ae4bc 100644
--- a/proxy/http2/Http2ClientSession.cc
+++ b/proxy/http2/Http2ClientSession.cc
@@ -359,11 +359,9 @@ Http2ClientSession::main_event_handler(int event, void 
*edata)
 break;
 
   case VC_EVENT_WRITE_READY:
-retval = 0;
-break;
-
   case VC_EVENT_WRITE_COMPLETE:
-// Seems as this is being closed already
+this->connection_state.restart_streams();
+
 retval = 0;
 break;
 
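Review bot: with the "retval = 0; break;" lines removed, "case VC_EVENT_WRITE_READY:" has no body and falls through into "case VC_EVENT_WRITE_COMPLETE:", so restart_streams() now runs on both events. If that is intended, mark the fall-through explicitly so it is not read as a dropped break, and replace the removed "Seems as this is being closed already" comment with one that says why streams are restarted on these events.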
@@ -588,3 +586,9 @@ Http2ClientSession::_should_do_something_else()
   // Do something else every 128 incoming frames
   return (this->_n_frame_read & 0x7F) == 0;
 }
+
+int64_t
+Http2ClientSession::write_avail()
+{
+  return this->write_buffer->write_avail();
+}
diff --git a/proxy/http2/Http2ClientSession.h b/proxy/http2/Http2ClientSession.h
index 8674123..84badf1 100644
--- a/proxy/http2/Http2ClientSession.h
+++ b/proxy/http2/Http2ClientSession.h
@@ -305,6 +305,8 @@ public:
 return write_buffer->max_read_avail();
   }
 
+  int64_t write_avail();
+
 private:
   Http2ClientSession(Http2ClientSession &);  // noncopyable
   Http2ClientSession =(const Http2ClientSession &); // noncopyable
diff --git a/proxy/http2/Http2ConnectionState.cc 
b/proxy/http2/Http2ConnectionState.cc
index 3a1de93..e33a08e 100644
--- a/proxy/http2/Http2ConnectionState.cc
+++ b/proxy/http2/Http2ConnectionState.cc
@@ -147,6 +147,12 @@ rcv_data_frame(Http2ConnectionState , const 
Http2Frame )
   cstate.decrement_server_rwnd(payload_length);
   stream->decrement_server_rwnd(payload_length);
 
+  if (is_debug_tag_set("http2_con")) {
+uint32_t rwnd = 
cstate.server_settings.get(HTTP2_SETTINGS_INITIAL_WINDOW_SIZE);
+Http2StreamDebug(cstate.ua_session, stream->get_id(), "Received DATA 
frame: rwnd con=%zd/%" PRId32 " stream=%zd/%" PRId32,
+ cstate.server_rwnd(), rwnd, 
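Review bot: rwnd is declared uint32_t but the format string prints it with "%" PRId32, the signed conversion; use PRIu32 for that argument. The connection and stream windows are printed with %zd, so also confirm that server_rwnd() returns a type matching that length modifier, or cast explicitly.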

[trafficserver] branch 8.0.x updated: Bug fixes to h2 buffering

2020-04-10 Thread bcall
This is an automated email from the ASF dual-hosted git repository.

bcall pushed a commit to branch 8.0.x
in repository https://gitbox.apache.org/repos/asf/trafficserver.git


The following commit(s) were added to refs/heads/8.0.x by this push:
 new 3387fa2  Bug fixes to h2 buffering
3387fa2 is described below

commit 3387fa27e47f5e862e40c714edfacb64d1a0e34f
Author: Masaori Koshiba 
AuthorDate: Thu Apr 9 13:33:03 2020 -0700

Bug fixes to h2 buffering
---
 doc/admin-guide/files/records.config.en.rst |  2 +-
 mgmt/RecordsConfig.cc   |  2 +-
 proxy/http2/HTTP2.cc|  2 +-
 proxy/http2/Http2ClientSession.cc   | 12 --
 proxy/http2/Http2ClientSession.h|  2 +
 proxy/http2/Http2ConnectionState.cc | 59 -
 proxy/http2/Http2ConnectionState.h  |  6 ++-
 proxy/http2/Http2Stream.cc  | 30 +++
 proxy/http2/Http2Stream.h   | 11 +++---
 9 files changed, 95 insertions(+), 31 deletions(-)

diff --git a/doc/admin-guide/files/records.config.en.rst 
b/doc/admin-guide/files/records.config.en.rst
index 3dc98a7..e51ec77 100644
--- a/doc/admin-guide/files/records.config.en.rst
+++ b/doc/admin-guide/files/records.config.en.rst
@@ -3450,7 +3450,7 @@ HTTP/2 Configuration
:ts:cv:`proxy.config.http2.min_concurrent_streams_in`.
To disable, set to zero (``0``).
 
-.. ts:cv:: CONFIG proxy.config.http2.initial_window_size_in INT 1048576
+.. ts:cv:: CONFIG proxy.config.http2.initial_window_size_in INT 65535
:reloadable:
 
The initial window size for inbound connections.
diff --git a/mgmt/RecordsConfig.cc b/mgmt/RecordsConfig.cc
index df38162..7bf85b9 100644
--- a/mgmt/RecordsConfig.cc
+++ b/mgmt/RecordsConfig.cc
@@ -1306,7 +1306,7 @@ static const RecordElement RecordsConfig[] =
   ,
   {RECT_CONFIG, "proxy.config.http2.max_active_streams_in", RECD_INT, "0", 
RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
   ,
-  {RECT_CONFIG, "proxy.config.http2.initial_window_size_in", RECD_INT, 
"1048576", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
+  {RECT_CONFIG, "proxy.config.http2.initial_window_size_in", RECD_INT, 
"65535", RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
   ,
   {RECT_CONFIG, "proxy.config.http2.max_frame_size", RECD_INT, "16384", 
RECU_DYNAMIC, RR_NULL, RECC_STR, "^[0-9]+$", RECA_NULL}
   ,
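Review bot: the validation pattern on the proxy.config.http2.initial_window_size_in entry stays "^[0-9]+$", which accepts any digit string. HTTP/2 caps a flow-control window at 2^31-1, so a configured value above that still passes this check. Since the entry is being touched for the new default, consider replacing the pattern with a range check so an out-of-range setting is rejected when the record is loaded.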
diff --git a/proxy/http2/HTTP2.cc b/proxy/http2/HTTP2.cc
index a74415b..b81e1bd 100644
--- a/proxy/http2/HTTP2.cc
+++ b/proxy/http2/HTTP2.cc
@@ -725,7 +725,7 @@ uint32_t Http2::min_concurrent_streams_in  = 10;
 uint32_t Http2::max_active_streams_in  = 0;
 bool Http2::throttling = false;
 uint32_t Http2::stream_priority_enabled= 0;
-uint32_t Http2::initial_window_size= 1048576;
+uint32_t Http2::initial_window_size= 65535;
 uint32_t Http2::max_frame_size = 16384;
 uint32_t Http2::header_table_size  = 4096;
 uint32_t Http2::max_header_list_size   = 4294967295;
diff --git a/proxy/http2/Http2ClientSession.cc 
b/proxy/http2/Http2ClientSession.cc
index 8b68db3..1d72da7 100644
--- a/proxy/http2/Http2ClientSession.cc
+++ b/proxy/http2/Http2ClientSession.cc
@@ -360,11 +360,9 @@ Http2ClientSession::main_event_handler(int event, void 
*edata)
 break;
 
   case VC_EVENT_WRITE_READY:
-retval = 0;
-break;
-
   case VC_EVENT_WRITE_COMPLETE:
-// Seems as this is being closed already
+this->connection_state.restart_streams();
+
 retval = 0;
 break;
 
@@ -627,3 +625,9 @@ Http2ClientSession::_should_do_something_else()
   // Do something else every 128 incoming frames
   return (this->_n_frame_read & 0x7F) == 0;
 }
+
+int64_t
+Http2ClientSession::write_avail()
+{
+  return this->write_buffer->write_avail();
+}
diff --git a/proxy/http2/Http2ClientSession.h b/proxy/http2/Http2ClientSession.h
index e8b43a5..21ce079 100644
--- a/proxy/http2/Http2ClientSession.h
+++ b/proxy/http2/Http2ClientSession.h
@@ -316,6 +316,8 @@ public:
 return write_buffer->max_read_avail();
   }
 
+  int64_t write_avail();
+
   // noncopyable
   Http2ClientSession(Http2ClientSession &) = delete;
   Http2ClientSession =(const Http2ClientSession &) = delete;
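Review bot: write_avail() is declared non-const, although the definition added in Http2ClientSession.cc only forwards to write_buffer->write_avail() and changes no session state. It can be declared const. Consider also defining it inline here, next to the existing accessor that returns write_buffer->max_read_avail(), so the two buffer accessors sit together and carry a short comment on what each reports.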
diff --git a/proxy/http2/Http2ConnectionState.cc 
b/proxy/http2/Http2ConnectionState.cc
index 5fc3a9e..3eaa558 100644
--- a/proxy/http2/Http2ConnectionState.cc
+++ b/proxy/http2/Http2ConnectionState.cc
@@ -151,6 +151,12 @@ rcv_data_frame(Http2ConnectionState , const 
Http2Frame )
   cstate.decrement_server_rwnd(payload_length);
   stream->decrement_server_rwnd(payload_length);
 
+  if (is_debug_tag_set("http2_con")) {
+uint32_t rwnd = 
cstate.server_settings.get(HTTP2_SETTINGS_INITIAL_WINDOW_SIZE);
+Http2StreamDebug(cstate.ua_session, stream->get_id(), "Received DATA 
frame: rwnd con=%zd/%" PRId32 " stream=%zd/%" PRId32,
+ cstate.server_rwnd(), rwnd, stream->server_rwnd(),