[trafficserver] branch master updated: Cleanup: Remove SSL Wire Trace releated code in UnixNetVConnection (#7368)
This is an automated email from the ASF dual-hosted git repository. masaori pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 00366d9 Cleanup: Remove SSL Wire Trace releated code in UnixNetVConnection (#7368) 00366d9 is described below commit 00366d91470bfcff7e25494ef130afc0e946 Author: Masaori Koshiba AuthorDate: Fri Dec 4 10:16:03 2020 +0900 Cleanup: Remove SSL Wire Trace releated code in UnixNetVConnection (#7368) --- iocore/net/P_UnixNetVConnection.h | 23 --- 1 file changed, 23 deletions(-) diff --git a/iocore/net/P_UnixNetVConnection.h b/iocore/net/P_UnixNetVConnection.h index e636814..64e1738 100644 --- a/iocore/net/P_UnixNetVConnection.h +++ b/iocore/net/P_UnixNetVConnection.h @@ -268,11 +268,6 @@ public: bool from_accept_thread = false; NetAccept *accept_object = nullptr; - // es - origin_trace associated connections - bool origin_trace; - const sockaddr *origin_trace_addr; - int origin_trace_port; - int startEvent(int event, Event *e); int acceptEvent(int event, Event *e); int mainEvent(int event, Event *e); @@ -296,24 +291,6 @@ public: void apply_options() override; friend void write_to_net_io(NetHandler *, UnixNetVConnection *, EThread *); - - void - setOriginTrace(bool t) - { -origin_trace = t; - } - - void - setOriginTraceAddr(const sockaddr *addr) - { -origin_trace_addr = addr; - } - - void - setOriginTracePort(int port) - { -origin_trace_port = port; - } }; extern ClassAllocator netVCAllocator;
[trafficserver] branch master updated: Use EVP MAC API if available (#7363)
This is an automated email from the ASF dual-hosted git repository. maskit pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new c6f1ea6 Use EVP MAC API if available (#7363) c6f1ea6 is described below commit c6f1ea6dc19fba3b13cac526d4af2f90c640766a Author: Masakazu Kitajo AuthorDate: Fri Dec 4 09:33:57 2020 +0900 Use EVP MAC API if available (#7363) HMAC_Init_ex is going to be deprecated since OpenSSL 3.0 --- build/crypto.m4 | 47 configure.ac | 3 ++ include/tscore/ink_config.h.in| 1 + iocore/net/SSLCertLookup.cc | 7 +++-- iocore/net/SSLConfig.cc | 7 +++-- iocore/net/SSLSessionTicket.cc| 9 -- iocore/net/SSLSessionTicket.h | 14 - iocore/net/SSLUtils.cc| 13 +--- iocore/net/TLSSessionResumptionSupport.cc | 51 ++- iocore/net/TLSSessionResumptionSupport.h | 12 10 files changed, 137 insertions(+), 27 deletions(-) diff --git a/build/crypto.m4 b/build/crypto.m4 index 331be06..8a4d8fe 100644 --- a/build/crypto.m4 +++ b/build/crypto.m4 
@@ -318,3 +318,50 @@ AC_DEFUN([TS_CHECK_EARLY_DATA], [ AC_SUBST(has_tls_early_data) ]) + +dnl +dnl Since OpenSSL 1.1.1 +dnl +dnl SSL_CTX_set_tlsext_ticket_key_evp_cb function is for OpenSSL 3.0 +dnl SSL_CTX_set_tlsext_ticket_key_cb macro is for OpenSSL 1.1.1 +dnl SSL_CTX_set_tlsext_ticket_key_cb function is for BoringSSL +AC_DEFUN([TS_CHECK_SESSION_TICKET], [ + _set_ssl_ctx_set_tlsext_ticket_key_evp_cb_saved_LIBS=$LIBS + + TS_ADDTO(LIBS, [$OPENSSL_LIBS]) + AC_CHECK_HEADERS(openssl/ssl.h) + session_ticket_check=no + has_tls_session_ticket=0 + AC_MSG_CHECKING([for SSL_CTX_set_tlsext_ticket_key_cb macro]) + AC_COMPILE_IFELSE( +[AC_LANG_PROGRAM([[#include ]], + [[ + #ifndef SSL_CTX_set_tlsext_ticket_key_cb + #error + #endif + ]]) +], +[ + AC_DEFINE(HAVE_SSL_CTX_SET_TLSEXT_TICKET_KEY_CB, 1, [Whether SSL_CTX_set_tlsext_ticket_key_cb is available]) + session_ticket_check=yes + has_tls_session_ticket=1 +], +[] + ) + AC_MSG_RESULT([$session_ticket_check]) + AC_CHECK_FUNCS( +SSL_CTX_set_tlsext_ticket_key_evp_cb SSL_CTX_set_tlsext_ticket_key_cb, +[ + session_ticket_check=yes + has_tls_session_ticket=1 +], +[] + ) + + LIBS=$_set_ssl_ctx_set_tlsext_ticket_key_evp_cb_saved_LIBS + + AC_MSG_CHECKING([for session ticket support]) + AC_MSG_RESULT([$session_ticket_check]) + + AC_SUBST(has_tls_session_ticket) +]) diff --git a/configure.ac b/configure.ac index d7ab893..b9b99c3 100644 --- a/configure.ac +++ b/configure.ac @@ -1298,6 +1298,9 @@ TS_CHECK_CRYPTO_SET_CIPHERSUITES # Check for openssl early data support TS_CHECK_EARLY_DATA +# Check for openssl session ticket support +TS_CHECK_SESSION_TICKET + saved_LIBS="$LIBS" TS_ADDTO([LIBS], ["$OPENSSL_LIBS"]) diff --git a/include/tscore/ink_config.h.in b/include/tscore/ink_config.h.in index d633990..49135ee 100644 --- a/include/tscore/ink_config.h.in +++ b/include/tscore/ink_config.h.in 
@@ -79,6 +79,7 @@ #define TS_USE_REMOTE_UNWINDING @use_remote_unwinding@ #define TS_USE_TLS_OCSP @use_tls_ocsp@ #define TS_HAS_TLS_EARLY_DATA @has_tls_early_data@ +#define TS_HAS_TLS_SESSION_TICKET @has_tls_session_ticket@ #define TS_HAS_SO_PEERCRED @has_so_peercred@ diff --git a/iocore/net/SSLCertLookup.cc b/iocore/net/SSLCertLookup.cc index e6385b4..9b887e5 100644 --- a/iocore/net/SSLCertLookup.cc +++ b/iocore/net/SSLCertLookup.cc @@ -28,6 +28,7 @@ #include "tscore/MatcherUtils.h" #include "tscore/Regex.h" #include "tscore/Trie.h" +#include "tscore/ink_config.h" #include "tscore/BufferWriter.h" #include "tscore/bwf_std_format.h" #include "tscore/TestBox.h" @@ -216,7 +217,7 @@ fail: ssl_ticket_key_block * ssl_create_ticket_keyblock(const char *ticket_key_path) { -#if TS_HAVE_OPENSSL_SESSION_TICKETS +#if TS_HAS_TLS_SESSION_TICKET ats_scoped_str ticket_key_data; int ticket_key_len; ssl_ticket_key_block *keyblock = nullptr; @@ -241,10 +242,10 @@ fail: ticket_block_free(keyblock); return nullptr; -#else /* !TS_HAVE_OPENSSL_SESSION_TICKETS */ +#else /* !TS_HAS_TLS_SESSION_TICKET */ (void)ticket_key_path; return nullptr; -#endif /* TS_HAVE_OPENSSL_SESSION_TICKETS */ +#endif /* TS_HAS_TLS_SESSION_TICKET */ } SSLCertContext::SSLCertContext(SSLCertContext const ) diff --git a/iocore/net/SSLConfig.cc b/iocore/net/SSLConfig.cc index cbe7855..4c34d67 100644 --- a/iocore/net/SSLConfig.cc +++ b/iocore/net/SSLConfig.cc @@ -34,6 +34,7 @@ #include #include +#include "tscore/ink_config.h" #include "tscore/ink_platform.h" #include "tscore/I_Layout.h" #include
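Review bot: In `ssl_create_ticket_keyblock` (SSLCertLookup.cc), the `#else` branch under the renamed `TS_HAS_TLS_SESSION_TICKET` guard still discards `ticket_key_path` and returns `nullptr` without logging anything, so a build where configure found none of the ticket-key callbacks silently ignores a configured key file. Consider reporting it when a path was supplied, e.g. `if (ticket_key_path) Warning("ticket key file %s ignored: built without TLS session ticket support", ticket_key_path);`, so operators who share ticket keys across hosts notice the difference. The guard is a plain `#if`, which evaluates an undefined macro as 0; the added `#include "tscore/ink_config.h"` covers this file, and every other user of the macro needs the same include. The function body starts outside these hunks, so how callers treat the `nullptr` return is not visible here.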
[trafficserver] branch master updated (024a76b -> f34cf6f)
This is an automated email from the ASF dual-hosted git repository. maskit pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from 024a76b Use ERR_get_error_all if available (#7354) add f34cf6f Use EVP API instead of MD5_Init/Update/Final (secure_link plugin) (#7355) No new revisions were added by this update. Summary of changes: example/plugins/c-api/secure_link/secure_link.c | 28 ++--- 1 file changed, 20 insertions(+), 8 deletions(-)
[trafficserver] branch master updated: Use ERR_get_error_all if available (#7354)
This is an automated email from the ASF dual-hosted git repository. maskit pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/master by this push: new 024a76b Use ERR_get_error_all if available (#7354) 024a76b is described below commit 024a76bc2b1c4ae1230c2aa6b0ff3aba5d84e607 Author: Masakazu Kitajo AuthorDate: Fri Dec 4 09:33:04 2020 +0900 Use ERR_get_error_all if available (#7354) ERR_get_error_line_data is going to be deprecated since OpenSSL 3.0.0 --- configure.ac | 1 + iocore/net/SSLDiags.cc | 5 + 2 files changed, 6 insertions(+) diff --git a/configure.ac b/configure.ac index ea97c89..d7ab893 100644 --- a/configure.ac +++ b/configure.ac @@ -1307,6 +1307,7 @@ AC_CHECK_FUNCS([ \ CRYPTO_set_mem_functions \ HMAC_CTX_new \ X509_get0_signature \ + ERR_get_error_all \ ]) AC_CHECK_FUNC([ASN1_STRING_get0_data], [], diff --git a/iocore/net/SSLDiags.cc b/iocore/net/SSLDiags.cc index 9d76fd9..1742e7b 100644 --- a/iocore/net/SSLDiags.cc +++ b/iocore/net/SSLDiags.cc @@ -137,7 +137,12 @@ SSLDiagnostic(const SourceLocation , bool debug, SSLNetVConnection *vc, cons } es = reinterpret_cast(pthread_self()); +#ifdef HAVE_ERR_GET_ERROR_ALL + while ((l = ERR_get_error_all(, , nullptr, , )) != 0) { +#else + // ERR_get_error_line_data is going to be deprecated since OpenSSL 3.0.0 while ((l = ERR_get_error_line_data(, , , )) != 0) { +#endif if (debug) { if (unlikely(diags->on())) { diags->log("ssl-diag", DL_Debug, , "SSL::%lu:%s:%s:%d%s%s%s%s", es, ERR_error_string(l, buf), file, line,
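Review bot: The `while (` header in `SSLDiagnostic` is now written twice, once per `#ifdef HAVE_ERR_GET_ERROR_ALL` branch, with a single shared body, which confuses brace matching in editors and formatters and is easy to break when either call is edited. A small file-local wrapper that hides the version switch would keep one loop header here. The comment would read better as `// ERR_get_error_line_data is deprecated as of OpenSSL 3.0.0`. The new call passes `nullptr` for the function-name output, which matches the old call not reporting one. The loop body continues past the end of the hunk.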
[trafficserver] branch master updated (95db097 -> 51f8260)
This is an automated email from the ASF dual-hosted git repository. maskit pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from 95db097 Cleanup: Get rid of NetVConnection::outstanding() (#7366) add 51f8260 Use OpeSSL EVP API instead of SHA256_Init/Update/Final (#7342) No new revisions were added by this update. Summary of changes: include/tscore/SHA256.h | 15 ++- 1 file changed, 10 insertions(+), 5 deletions(-)
[trafficserver-ingress-controller] branch master updated: fix for health check + other minor fixes (#65)
This is an automated email from the ASF dual-hosted git repository. kichan pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver-ingress-controller.git The following commit(s) were added to refs/heads/master by this push: new 3074b05 fix for health check + other minor fixes (#65) 3074b05 is described below commit 3074b054d7aa7cede13dceac12ceb84622488da6 Author: Kit Chan AuthorDate: Thu Dec 3 12:08:57 2020 -0800 fix for health check + other minor fixes (#65) --- Dockerfile | 4 bin/entry.sh | 3 ++- k8s/traffic-server/ats-deployment.yaml | 7 +-- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index b7267d6..8bc13c5 100644 --- a/Dockerfile +++ b/Dockerfile @@ -26,6 +26,8 @@ RUN apk add --no-cache --virtual .ats-build-deps \ libexecinfo-dev linux-headers libunwind-dev \ brotli-dev jansson-dev luajit-dev readline-dev geoip-dev +RUN apk add --no-cache --virtual .ats-extra-build-deps --repository https://dl-cdn.alpinelinux.org/alpine/edge/testing hwloc-dev + RUN curl -L https://www-us.apache.org/dist/trafficserver/trafficserver-8.1.1.tar.bz2 | bzip2 -dc | tar xf - \ && cd trafficserver-8.1.1/ \ && autoreconf -if \ @@ -131,6 +133,8 @@ RUN apk add -U \ cpulimit \ logrotate +RUN apk add -U --repository https://dl-cdn.alpinelinux.org/alpine/edge/testing hwloc + # redis RUN mkdir -p /var/run/redis/ \ && touch /var/run/redis/redis.sock \ diff --git a/bin/entry.sh b/bin/entry.sh index 55f143c..c3dccd9 100755 --- a/bin/entry.sh +++ b/bin/entry.sh @@ -34,7 +34,8 @@ crond # start redis redis-server /usr/local/etc/redis.conf -# start ats +# create health check file and start ats +touch /var/run/ts-alive chown -R nobody:nobody /usr/local/etc/trafficserver DISTRIB_ID=gentoo /usr/local/bin/trafficserver start diff --git a/k8s/traffic-server/ats-deployment.yaml b/k8s/traffic-server/ats-deployment.yaml index c61fc64..3e2b632 100644 --- a/k8s/traffic-server/ats-deployment.yaml 
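Review bot: Both new `apk add` lines install `hwloc-dev` / `hwloc` from the Alpine `edge/testing` repository without a version, so the build stage and the runtime stage each take whatever that rolling repository serves on the day of the build, and the two stages can end up with different library versions. Packages in edge are built against edge's own libc and dependencies rather than the base image's release, so this can also fail at run time. Pinning the version in both places (`hwloc-dev=<VERSION>` and `hwloc=<VERSION>`, placeholders) or building hwloc from a verified source tarball would keep the image reproducible.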
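Review bot: `touch /var/run/ts-alive` in bin/entry.sh runs before `trafficserver start` and is not tied to its result, so the marker exists even when the server failed to start; a probe that only tests for this file (the probe definition is not part of this diff) would report the container healthy. Creating it after a successful start, `DISTRIB_ID=gentoo /usr/local/bin/trafficserver start && touch /var/run/ts-alive`, or saying in the comment what reads the file, would make the intent clear.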
+++ b/k8s/traffic-server/ats-deployment.yaml @@ -35,9 +35,8 @@ spec: matchLabels: app: trafficserver-test - # DO NOT EXCEED ONE COPY replicas: 1 - # DO NOT EXCEED ONE COPY + template: metadata: labels: @@ -46,6 +45,9 @@ spec: containers: - name: trafficserver-test image: ats-ingress:latest # Needs to be updated +# Optional privileged securityContext that can be handy when you need to do debugging +# securityContext: +#privileged: true volumeMounts: - mountPath: "/etc/ats/ssl" name: ats-ssl @@ -64,6 +66,7 @@ spec: valueFrom: fieldRef: fieldPath: metadata.namespace +# Optional environment variables #- name: INGRESS_CLASS # value: "ats" #- name: LOG_CONFIG_FNAME
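Review bot: The commented-out `securityContext` block under the `trafficserver-test` container offers `privileged: true` with only "can be handy when you need to do debugging" as guidance, and this manifest is a template people copy. The comment should say that it is for temporary debugging only and name a narrower alternative, e.g. `# Debug only, never in production; prefer capabilities: add: ["SYS_PTRACE"] over privileged: true`. Separately, the first hunk removes both `DO NOT EXCEED ONE COPY` comments around `replicas: 1` without saying whether more than one replica is now supported; a replacement comment would help.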
[trafficserver] branch 8.1.x updated: Updated to v8.1.2
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 8.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/8.1.x by this push: new 98cdf28 Updated to v8.1.2 98cdf28 is described below commit 98cdf288fb1daa9d02eb32cc85d8802b7f0e0b6e Author: Leif Hedstrom AuthorDate: Thu Dec 3 13:00:34 2020 -0700 Updated to v8.1.2 --- configure.ac | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/configure.ac b/configure.ac index 99bf39a..0047918 100644 --- a/configure.ac +++ b/configure.ac @@ -32,8 +32,8 @@ # Version number is calculated as MAJOR * 100 + MINOR * 1000 + MICRO # Version string is in the form of MAJOR.MINOR.MICRO[sufix] # -m4_define([TS_VERSION_S],[8.1.1]) -m4_define([TS_VERSION_N],[8001001]) +m4_define([TS_VERSION_S],[8.1.2]) +m4_define([TS_VERSION_N],[8001002]) AC_INIT([Apache Traffic Server], TS_VERSION_S(), [d...@trafficserver.apache.org], [trafficserver],[http://trafficserver.apache.org]) AC_PREREQ([2.59])
[trafficserver] branch 9.0.x updated: Updated ChangeLog
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new 3e4df6a Updated ChangeLog 3e4df6a is described below commit 3e4df6a45fc38226f39d19fcca6994fc46121f46 Author: Leif Hedstrom AuthorDate: Thu Dec 3 12:44:04 2020 -0700 Updated ChangeLog --- CHANGELOG-9.0.0 | 7 +++ 1 file changed, 7 insertions(+) diff --git a/CHANGELOG-9.0.0 b/CHANGELOG-9.0.0 index 5dc64c4..1fe9f6d 100644 --- a/CHANGELOG-9.0.0 +++ b/CHANGELOG-9.0.0 @@ -1126,7 +1126,14 @@ Changes with Apache Traffic Server 9.0.0 #7282 - Reduce the number of write operation on H2 #7293 - sphinx for 9.x has to be 2.0.1 #7294 - Make double Au test more reliable. + #7295 - Get appropriate locks on SSN_START hook delays #7299 - Adds a shell script to help build the H3 toolchains #7301 - Updated release notes for 9.0.0 to have QUIC draft 29 support as well + #7306 - s3_auth: demote noisy errors around configuration that doesn't affect plugin usability + #7313 - Make reloading client certificate configuration more reliable + #7320 - Fix lookup split dns rule with fast path + #7321 - Set thread mutex to the DNSHandler mutex of SplitDNS + #7337 - Fix vc close migration race condition + #7343 - Add note to background fetch about include/exclude #7360 - ESI: Ensure gzip header is always initialized #7361 - Add negative caching tests and fixes.
[trafficserver] 07/07: Add note to background fetch about include/exclude (#7343)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit a29ba2ac3f499886d8b64800e87165243c1ea4e9 Author: mlibbey AuthorDate: Thu Nov 26 12:17:50 2020 -0800 Add note to background fetch about include/exclude (#7343) The include configuration directive for background fetch is a bit confusing, in that it requires a corresponding exclude directive. That is, it is used as an exemption mechanism to an exclude directive. (cherry picked from commit 2c9d4c753aa5b946acc7876618f611dfd53203f1) --- doc/admin-guide/plugins/background_fetch.en.rst | 10 ++ 1 file changed, 10 insertions(+) diff --git a/doc/admin-guide/plugins/background_fetch.en.rst b/doc/admin-guide/plugins/background_fetch.en.rst index 1e2f511..8f28a7e 100644 --- a/doc/admin-guide/plugins/background_fetch.en.rst +++ b/doc/admin-guide/plugins/background_fetch.en.rst @@ -74,6 +74,16 @@ The contents of the config-file could be as below:: exclude X-Foo-Bar text exclude Content-Length <1000 +.. important:: + + The ``include`` configuration directive is only used when there is a corresponding ``exclude`` to exempt. + For example, a single line directive, ``include Host example.com`` would not make the plugin + *only* act on example.com. To acheive classic allow (only) lists, one would need to have a broad + exclude line, such as:: + + exclude Host * + include Host example.com + The plugin also now supports per remap activation. To activate the plugin for a given remap, add the below on the remap line::
[trafficserver] 06/07: Fix lookup split dns rule with fast path (#7320)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 3db80ca9085ad7c236291f07a441e1e6e2dfe6c2 Author: Masaori Koshiba AuthorDate: Fri Nov 27 07:57:57 2020 +0900 Fix lookup split dns rule with fast path (#7320) (cherry picked from commit 4e2ac3b2be8b535ab89d0f5762b3201647e5efba) --- iocore/dns/P_SplitDNSProcessor.h | 8 +--- iocore/dns/SplitDNS.cc | 22 ++ 2 files changed, 15 insertions(+), 15 deletions(-) diff --git a/iocore/dns/P_SplitDNSProcessor.h b/iocore/dns/P_SplitDNSProcessor.h index 316e2eb..fa9a556 100644 --- a/iocore/dns/P_SplitDNSProcessor.h +++ b/iocore/dns/P_SplitDNSProcessor.h @@ -39,6 +39,8 @@ */ #include "ProxyConfig.h" +#include "tscore/HostLookup.h" + /* --- forward declarations ... --- */ @@ -95,9 +97,9 @@ struct SplitDNS : public ConfigInfo { required by the alleged fast path */ - bool m_bEnableFastPath = false; - void *m_pxLeafArray= nullptr; - int m_numEle = 0; + bool m_bEnableFastPath = false; + HostLookup::LeafArray *m_pxLeafArray = nullptr; + int m_numEle = 0; }; /* -- diff --git a/iocore/dns/SplitDNS.cc b/iocore/dns/SplitDNS.cc index 08a0178..a6688dd 100644 --- a/iocore/dns/SplitDNS.cc +++ b/iocore/dns/SplitDNS.cc @@ -221,7 +221,7 @@ SplitDNS::findServer(RequestData *rdata, SplitDNSResult *result) /* --- the 'alleged' fast path ... --- */ - if (m_bEnableFastPath) { + if (m_bEnableFastPath && m_pxLeafArray) { SplitDNSRecord *data_ptr = nullptr; char *pHost = const_cast(rdata->get_host()); if (nullptr == pHost) { 
@@ -229,30 +229,28 @@ SplitDNS::findServer(RequestData *rdata, SplitDNSResult *result) return; } -int len= strlen(pHost); -HostLeaf *pxHL = static_cast(m_pxLeafArray); -for (int i = 0; i < m_numEle; i++) { - if (nullptr == pxHL) { -break; - } +int len = strlen(pHost); +int n = std::min(static_cast(m_numEle), m_pxLeafArray->size()); +for (int i = 0; i < n; i++) { + const HostLeaf = m_pxLeafArray->at(i); - if (false == pxHL[i].isNot && static_cast(pxHL[i].match.size()) > len) { + if (false == pxHL.isNot && static_cast(pxHL.match.size()) > len) { continue; } - int idx= len - pxHL[i].match.size(); + int idx= len - pxHL.match.size(); char *pH = [idx]; - const char *pMatch = pxHL[i].match.data(); + const char *pMatch = pxHL.match.data(); char cNot = *pMatch; if ('!' == cNot) { pMatch++; } - int res = memcmp(pH, pMatch, pxHL[i].match.size()); + int res = memcmp(pH, pMatch, pxHL.match.size()); if ((0 != res && '!' == cNot) || (0 == res && '!' != cNot)) { -data_ptr = static_cast(pxHL[i].opaque_data); +data_ptr = static_cast(pxHL.opaque_data); data_ptr->UpdateMatch(result, rdata); break; }
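Review bot: The length guard in the fast-path loop of `SplitDNS::findServer` only skips an entry when `pxHL.isNot` is false, so for a negated entry whose `match` is longer than the host, `idx = len - pxHL.match.size()` goes negative and `pH` points before the start of `pHost`; the `memcmp` then reads outside the host string, which comes from the request. When the pattern starts with `'!'`, `pMatch` is advanced by one but the compare length stays `match.size()`, so the read also runs one byte past the pattern. This commit only changes how the leaf is accessed and leaves both reads in place; the compare length should exclude the `'!'`, and a host shorter than the pattern should count as a non-match without touching memory, as sketched below. The sketch assumes `match` still carries the leading `'!'`, which the `*pMatch` test suggests but the hunk does not prove. The `for` loop closes outside the hunk.

```cpp
const HostLeaf &pxHL = m_pxLeafArray->at(i);
const char *pMatch   = pxHL.match.data();
size_t match_len     = pxHL.match.size();
const bool negated   = match_len > 0 && '!' == *pMatch;
if (negated) {
  ++pMatch;
  --match_len;
}
// A host shorter than the pattern cannot end with it; never index before pHost.
const bool suffix_hit =
  match_len <= static_cast<size_t>(len) && 0 == memcmp(pHost + (len - match_len), pMatch, match_len);
if (suffix_hit != negated) {
  // … unchanged: UpdateMatch() on pxHL.opaque_data, then break …
}
```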
[trafficserver] 02/07: Set thread mutex to the DNSHandler mutex of SplitDNS (#7321)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 70174506a80ca5ab5ff23635d57cef11c0d37477 Author: Masaori Koshiba AuthorDate: Fri Nov 27 07:58:05 2020 +0900 Set thread mutex to the DNSHandler mutex of SplitDNS (#7321) (cherry picked from commit 3f11f151db24ec92ea0af61197401e5b10144e27) --- iocore/dns/DNS.cc | 1 + iocore/dns/SplitDNS.cc | 2 -- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/iocore/dns/DNS.cc b/iocore/dns/DNS.cc index d33c4dc..986d16b 100644 --- a/iocore/dns/DNS.cc +++ b/iocore/dns/DNS.cc @@ -239,6 +239,7 @@ DNSProcessor::start(int, size_t stacksize) dns_failover_try_period = dns_timeout + 1; // Modify the "default" accordingly if (SplitDNSConfig::gsplit_dns_enabled) { +SplitDNSConfig::dnsHandler_mutex = thread->mutex; // reconfigure after threads start SplitDNSConfig::reconfigure(); } diff --git a/iocore/dns/SplitDNS.cc b/iocore/dns/SplitDNS.cc index 49f5a99..08a0178 100644 --- a/iocore/dns/SplitDNS.cc +++ b/iocore/dns/SplitDNS.cc @@ -113,8 +113,6 @@ SplitDNSConfig::release(SplitDNS *params) void SplitDNSConfig::startup() { - dnsHandler_mutex = new_ProxyMutex(); - // startup just check gsplit_dns_enabled REC_ReadConfigInt32(gsplit_dns_enabled, "proxy.config.dns.splitDNS.enabled"); SplitDNSConfig::splitDNSUpdate = new ConfigUpdateHandler();
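Review bot: `SplitDNSConfig::dnsHandler_mutex` is now assigned only inside the `if (SplitDNSConfig::gsplit_dns_enabled)` branch of `DNSProcessor::start`, while `SplitDNSConfig::startup()` no longer creates a mutex of its own, so the pointer stays unset whenever split DNS is disabled at start. `startup()` still registers a `ConfigUpdateHandler` (its attachments are outside the hunk), so it is worth confirming that no reload path reaches code that locks `dnsHandler_mutex` in that state. A comment on the new line, e.g. `// share the DNS thread's mutex so SplitDNS reconfiguration serializes with the DNSHandler`, would also document why the assignment must come before `reconfigure()`.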
[trafficserver] 03/07: s3_auth: demote noisy errors around configuration that doesn't affect plugin usability (#7306)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 7bf24497e12e6d5c46a23393f962788bb4e2c5f4 Author: Randall Meyer AuthorDate: Mon Nov 2 09:15:42 2020 -0800 s3_auth: demote noisy errors around configuration that doesn't affect plugin usability (#7306) (cherry picked from commit a52bd121080dd94f757e54ed65fae2188472b004) --- plugins/s3_auth/s3_auth.cc | 8 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/plugins/s3_auth/s3_auth.cc b/plugins/s3_auth/s3_auth.cc index 4261406..696fcab 100644 --- a/plugins/s3_auth/s3_auth.cc +++ b/plugins/s3_auth/s3_auth.cc @@ -188,16 +188,16 @@ public: /* Optional parameters, issue warning if v2 parameters are used with v4 and vice-versa (wrong parameters are ignored anyways) */ if (2 == _version) { if (_v4includeHeaders_modified && !_v4includeHeaders.empty()) { -TSError("[%s] headers are not being signed with AWS auth v2, included headers parameter ignored", PLUGIN_NAME); +TSDebug("[%s] headers are not being signed with AWS auth v2, included headers parameter ignored", PLUGIN_NAME); } if (_v4excludeHeaders_modified && !_v4excludeHeaders.empty()) { -TSError("[%s] headers are not being signed with AWS auth v2, excluded headers parameter ignored", PLUGIN_NAME); +TSDebug("[%s] headers are not being signed with AWS auth v2, excluded headers parameter ignored", PLUGIN_NAME); } if (_region_map_modified && !_region_map.empty()) { -TSError("[%s] region map is not used with AWS auth v2, parameter ignored", PLUGIN_NAME); +TSDebug("[%s] region map is not used with AWS auth v2, parameter ignored", PLUGIN_NAME); } if (nullptr != _token || _token_len > 0) { -TSError("[%s] session token support with AWS auth v2 is not implemented, parameter ignored", PLUGIN_NAME); +TSDebug("[%s] session token support with AWS auth v2 is not implemented, parameter ignored", PLUGIN_NAME); } } else { /* 4 == _version */
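Review bot: The four replaced calls keep `TSError`'s argument order, but `TSDebug` takes the debug tag first and the format string second, so `TSDebug("[%s] headers are not being signed …", PLUGIN_NAME)` uses the whole message as the tag and `PLUGIN_NAME` as the format. With that, the text is never shown under the plugin's debug tag and the diagnostic is effectively lost rather than demoted. Each call should read `TSDebug(PLUGIN_NAME, "headers are not being signed with AWS auth v2, included headers parameter ignored");`, and likewise for the excluded-headers, region-map and session-token messages. The enclosing method starts and ends outside the hunk.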
[trafficserver] 04/07: Get appropriate locks on SSN_START hook delays (#7295)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit c0ae43ccf9f67098795c024c20be5ee2a26c Author: Susan Hinrichs AuthorDate: Mon Nov 2 12:46:25 2020 -0600 Get appropriate locks on SSN_START hook delays (#7295) (cherry picked from commit 1765c9f2d6ade367773342983db6973015d70f42) --- proxy/http/HttpSessionAccept.cc| 2 + proxy/http2/Http2SessionAccept.cc | 3 ++ src/traffic_server/InkAPI.cc | 36 ++--- .../pluginTest/test_hooks/ssn_delay.gold | 8 +++ .../test_hooks/ssn_start_delay_hook.test.py| 60 ++ tests/tools/plugins/hook_add_plugin.cc | 35 + 6 files changed, 127 insertions(+), 17 deletions(-) diff --git a/proxy/http/HttpSessionAccept.cc b/proxy/http/HttpSessionAccept.cc index e7fd20f..ea9d075 100644 --- a/proxy/http/HttpSessionAccept.cc +++ b/proxy/http/HttpSessionAccept.cc @@ -54,6 +54,8 @@ HttpSessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferReade new_session->accept_options = static_cast(this); new_session->acl= std::move(acl); + // Pin session to current ET_NET thread + new_session->setThreadAffinity(this_ethread()); new_session->new_connection(netvc, iobuf, reader); new_session->trans.upstream_outbound_options = *new_session->accept_options; diff --git a/proxy/http2/Http2SessionAccept.cc b/proxy/http2/Http2SessionAccept.cc index 7f68e64..f0226fd 100644 --- a/proxy/http2/Http2SessionAccept.cc +++ b/proxy/http2/Http2SessionAccept.cc @@ -56,6 +56,9 @@ Http2SessionAccept::accept(NetVConnection *netvc, MIOBuffer *iobuf, IOBufferRead Http2ClientSession *new_session = THREAD_ALLOC_INIT(http2ClientSessionAllocator, this_ethread()); new_session->acl= std::move(session_acl); new_session->accept_options = + + // Pin session to current ET_NET thread + new_session->setThreadAffinity(this_ethread()); new_session->new_connection(netvc, iobuf, reader); return true; 
diff --git a/src/traffic_server/InkAPI.cc b/src/traffic_server/InkAPI.cc index e02106b..4b2d9af 100644 --- a/src/traffic_server/InkAPI.cc +++ b/src/traffic_server/InkAPI.cc @@ -4895,7 +4895,7 @@ TSHttpSsnServerVConnGet(TSHttpSsn ssnp) class TSHttpSsnCallback : public Continuation { public: - TSHttpSsnCallback(ProxySession *cs, TSEvent event) : Continuation(cs->mutex), m_cs(cs), m_event(event) + TSHttpSsnCallback(ProxySession *cs, Ptr m, TSEvent event) : Continuation(m), m_cs(cs), m_event(event) { SET_HANDLER(::event_handler); } @@ -4903,8 +4903,18 @@ public: int event_handler(int, void *) { -m_cs->handleEvent((int)m_event, nullptr); -delete this; +// The current continuation is associated with the nethandler mutex. +// We need to hold the nethandler mutex because the later Session logic may +// activate the nethandler add_to_queue logic +// Need to make sure we have the ProxySession mutex as well. +EThread *eth = this_ethread(); +MUTEX_TRY_LOCK(trylock, m_cs->mutex, eth); +if (!trylock.is_locked()) { + eth->schedule_imm(this); +} else { + m_cs->handleEvent((int)m_event, nullptr); + delete this; +} return 0; } 
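Review bot: When `MUTEX_TRY_LOCK` on `m_cs->mutex` fails in `TSHttpSsnCallback::event_handler`, the continuation re-queues itself with `eth->schedule_imm(this)`, so under contention it retries on every pass of the event loop until the lock is free. A short back-off, e.g. `eth->schedule_in(this, HRTIME_MSECONDS(10));`, avoids spinning the ET_NET thread. The handler also reads `m_cs->mutex` before any lock on the session is held; whatever guarantees that the `ProxySession` outlives a pending callback is not visible in this hunk and deserves a comment next to `m_cs`.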
@@ -4923,13 +4933,25 @@ TSHttpSsnReenable(TSHttpSsn ssnp, TSEvent event) // If this function is being executed on a thread created by the API // which is DEDICATED, the continuation needs to be called back on a - // REGULAR thread. - if (eth->tt != REGULAR) { -eventProcessor.schedule_imm(new TSHttpSsnCallback(cs, event), ET_NET); + // REGULAR thread. Specially an ET_NET thread + if (!eth->is_event_type(ET_NET)) { +EThread *affinity_thread = cs->getThreadAffinity(); +if (affinity_thread && affinity_thread->is_event_type(ET_NET)) { + NetHandler *nh = get_NetHandler(affinity_thread); + affinity_thread->schedule_imm(new TSHttpSsnCallback(cs, nh->mutex, event), ET_NET); +} else { + eventProcessor.schedule_imm(new TSHttpSsnCallback(cs, cs->mutex, event), ET_NET); +} } else { MUTEX_TRY_LOCK(trylock, cs->mutex, eth); if (!trylock.is_locked()) { - eventProcessor.schedule_imm(new TSHttpSsnCallback(cs, event), ET_NET); + EThread *affinity_thread = cs->getThreadAffinity(); + if (affinity_thread && affinity_thread->is_event_type(ET_NET)) { +NetHandler *nh = get_NetHandler(affinity_thread); +affinity_thread->schedule_imm(new TSHttpSsnCallback(cs, nh->mutex, event), ET_NET); + } else { +eventProcessor.schedule_imm(new TSHttpSsnCallback(cs, cs->mutex, event), ET_NET); + } } else { cs->handleEvent((int)event, nullptr); } diff --git a/tests/gold_tests/pluginTest/test_hooks/ssn_delay.gold b/tests/gold_tests/pluginTest/test_hooks/ssn_delay.gold new file mode 100644 index
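Review bot: In `TSHttpSsnReenable` the affinity lookup and the two `schedule_imm` calls are now written out twice, once for the caller that is not on ET_NET and once for the failed try-lock, and the copies will drift; a file-local helper taking `cs` and `event` would keep one copy. In the affinity branch, `affinity_thread->schedule_imm(new TSHttpSsnCallback(cs, nh->mutex, event), ET_NET)` passes `ET_NET` to the per-thread overload, whose second parameter is, as far as I can tell, the callback event rather than an event type; `event_handler` ignores its event argument so nothing breaks, but dropping the argument would say what is meant. The function starts outside the hunk.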
[trafficserver] branch 9.0.x updated (34f29ab -> a29ba2a)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a change to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from 34f29ab Updated ChangeLog new 69944c4 Make reloading client certificate configuration more reliable (#7313) new 7017450 Set thread mutex to the DNSHandler mutex of SplitDNS (#7321) new 7bf2449 s3_auth: demote noisy errors around configuration that doesn't affect plugin usability (#7306) new c0ae43c Get appropriate locks on SSN_START hook delays (#7295) new 4b7e635 Fix vc close migration race condition (#7337) new 3db80ca Fix lookup split dns rule with fast path (#7320) new a29ba2a Add note to background fetch about include/exclude (#7343) The 7 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: doc/admin-guide/plugins/background_fetch.en.rst| 10 iocore/dns/DNS.cc | 1 + iocore/dns/P_SplitDNSProcessor.h | 8 ++-- iocore/dns/SplitDNS.cc | 24 -- iocore/net/Makefile.am | 2 + .../I_Tasks.h => net/P_SSLClientCoordinator.h} | 20 iocore/net/SSLClientCoordinator.cc | 54 ++ iocore/net/SSLConfig.cc| 10 ++-- iocore/net/SSLNetProcessor.cc | 5 +- iocore/net/SSLSNIConfig.cc | 5 +- iocore/net/UnixNetVConnection.cc | 17 +++ plugins/s3_auth/s3_auth.cc | 8 ++-- proxy/http/HttpSessionAccept.cc| 2 + proxy/http2/Http2SessionAccept.cc | 3 ++ src/traffic_server/InkAPI.cc | 36 --- .../test_hooks/{hook_add.gold => ssn_delay.gold} | 1 + ...ok_add.test.py => ssn_start_delay_hook.test.py} | 6 +-- tests/gold_tests/tls/gold/proxycert-accesslog.gold | 4 ++ tests/gold_tests/tls/tls_client_cert.test.py | 2 +- tests/tools/plugins/hook_add_plugin.cc | 35 ++ 20 files changed, 178 insertions(+), 75 deletions(-) copy iocore/{eventsystem/I_Tasks.h => net/P_SSLClientCoordinator.h} (71%) create mode 100644 iocore/net/SSLClientCoordinator.cc 
copy tests/gold_tests/pluginTest/test_hooks/{hook_add.gold => ssn_delay.gold} (86%) copy tests/gold_tests/pluginTest/test_hooks/{hook_add.test.py => ssn_start_delay_hook.test.py} (93%)
[trafficserver] 01/07: Make reloading client certificate configuration more reliable (#7313)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 69944c4656a020c6db95d03b20ba0dbd2a2a591b Author: Susan Hinrichs AuthorDate: Mon Nov 30 14:03:52 2020 -0600 Make reloading client certificate configuration more reliable (#7313) (cherry picked from commit 495a3a13dc0dc3195d725e3ff03d9aa634884335) --- iocore/net/Makefile.am | 2 + iocore/net/P_SSLClientCoordinator.h| 34 ++ iocore/net/SSLClientCoordinator.cc | 54 ++ iocore/net/SSLConfig.cc| 10 ++-- iocore/net/SSLNetProcessor.cc | 5 +- iocore/net/SSLSNIConfig.cc | 5 +- tests/gold_tests/tls/gold/proxycert-accesslog.gold | 4 ++ tests/gold_tests/tls/tls_client_cert.test.py | 2 +- 8 files changed, 102 insertions(+), 14 deletions(-) diff --git a/iocore/net/Makefile.am b/iocore/net/Makefile.am index 6af18e9..fa60587 100644 --- a/iocore/net/Makefile.am +++ b/iocore/net/Makefile.am @@ -120,6 +120,7 @@ libinknet_a_SOURCES = \ P_SSLNextProtocolSet.h \ P_SSLSNI.h \ P_SSLUtils.h \ +P_SSLClientCoordinator.h \ P_SSLClientUtils.h \ P_OCSPStapling.h \ P_UDPConnection.h \ @@ -137,6 +138,7 @@ libinknet_a_SOURCES = \ ProxyProtocol.cc \ Socks.cc \ SSLCertLookup.cc \ +SSLClientCoordinator.cc \ SSLClientUtils.cc \ SSLConfig.cc \ SSLDiags.cc \ diff --git a/iocore/net/P_SSLClientCoordinator.h b/iocore/net/P_SSLClientCoordinator.h new file mode 100644 index 000..779653e --- /dev/null +++ b/iocore/net/P_SSLClientCoordinator.h 
@@ -0,0 +1,34 @@ +/** @file + + P_SSLClientCoordinator.h - coordinate the loading of SSL related configs + + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */ + +#include "ProxyConfig.h" +#include + +// A class to pass the ConfigUpdateHandler, so both SSLConfig and SNIConfig get updated +// when the relevant files/configs get updated. +class SSLClientCoordinator +{ +public: + static void startup(); + static void reconfigure(); +}; diff --git a/iocore/net/SSLClientCoordinator.cc b/iocore/net/SSLClientCoordinator.cc new file mode 100644 index 000..c58ccd1 --- /dev/null +++ b/iocore/net/SSLClientCoordinator.cc 
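Review bot: The new header `P_SSLClientCoordinator.h` has no `#pragma once` or include guard between the license block and `#include "ProxyConfig.h"`, so including it twice in one translation unit redefines `class SSLClientCoordinator`. Add `#pragma once` after the license comment. The class comment could also state the ordering contract that callers depend on, namely that `reconfigure()` loads `SSLConfig` before `SNIConfig`, which at present is explained only in the .cc file.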
@@ -0,0 +1,54 @@ +/** @file + + SSLClientCoordinator.cc - Coordinate the loading of SSL related configs + + @section license License + + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + */ + +#include "P_SSLClientCoordinator.h" +#include "P_SSLConfig.h" +#include "P_SSLSNI.h" + +std::unique_ptr> sslClientUpdate; + +void +SSLClientCoordinator::reconfigure() +{ + // The SSLConfig must have its configuration loaded before the SNIConfig. + // The SSLConfig owns the client cert context storage and the SNIConfig will load + // into it. + SSLConfig::reconfigure(); + SNIConfig::reconfigure(); +} + +void +SSLClientCoordinator::startup() +{ + // The SSLConfig must have its configuration loaded before the SNIConfig. + // The SSLConfig owns the client cert context storage and the SNIConfig will load + // into it. + sslClientUpdate.reset(new ConfigUpdateHandler()); + sslClientUpdate->attach("proxy.config.ssl.client.cert.path"); + sslClientUpdate->attach("proxy.config.ssl.client.cert.filename"); +
[trafficserver] 05/07: Fix vc close migration race condition (#7337)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 4b7e635b37308447c0893621a6450894f2ed47b4 Author: Susan Hinrichs AuthorDate: Mon Nov 23 12:23:10 2020 -0600 Fix vc close migration race condition (#7337) (cherry picked from commit 526952faaa21c5d54a0628b20ed3bbc45a03d497) --- iocore/net/UnixNetVConnection.cc | 17 + 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/iocore/net/UnixNetVConnection.cc b/iocore/net/UnixNetVConnection.cc index 840469a..0d5ad00 100644 --- a/iocore/net/UnixNetVConnection.cc +++ b/iocore/net/UnixNetVConnection.cc @@ -652,17 +652,11 @@ UnixNetVConnection::do_io_close(int alerrno /* = -1 */) // FIXME: the nh must not nullptr. ink_assert(nh); - // mark it closed first - if (alerrno == -1) { -closed = 1; - } else { -closed = -1; - } + // The vio continuations will be cleared in ::clear called from ::free read.enabled= 0; write.enabled = 0; read.vio.nbytes = 0; read.vio.op = VIO::NONE; - read.vio.cont = nullptr; if (netvc_context == NET_VCONNECTION_OUT) { // do not clear the iobufs yet to guard @@ -676,7 +670,6 @@ UnixNetVConnection::do_io_close(int alerrno /* = -1 */) write.vio.nbytes = 0; write.vio.op = VIO::NONE; - write.vio.cont = nullptr; EThread *t= this_ethread(); bool close_inline = !recursion && (!nh || nh->mutex->thread_holding == t); @@ -686,6 +679,14 @@ UnixNetVConnection::do_io_close(int alerrno /* = -1 */) this->lerrno = alerrno; } + // Must mark for closed last in case this is a + // cross thread migration scenario. + if (alerrno == -1) { +closed = 1; + } else { +closed = -1; + } + if (close_inline) { if (nh) { nh->free_netevent(this);
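Review bot: Moving the `closed = 1` / `closed = -1` assignment to the end (third hunk) orders the stores only in program text. In the cross-thread case that `close_inline` tests for, where `nh->mutex->thread_holding == t` is false, this thread does not hold the handler mutex, so nothing visible here keeps the compiler or CPU from publishing `closed` before the `read.enabled` / `write.vio.op` resets. The declaration of `closed` is outside the hunks; if it is a plain `int`, the store should be a release store (or be made under `nh->mutex`) and the reader should use a matching acquire load, otherwise the close-versus-free race may remain on weakly ordered hardware. The new comment should name the reader; assuming it is the thread that owns the NetHandler, something like `// closed is read by the NetHandler's thread; all resets above must be visible before it becomes non-zero`. The first and second hunks rely on the same ordering because they leave `read.vio.cont` and `write.vio.cont` set until `::clear`, and do_io_close's body starts and ends outside these hunks.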
[trafficserver-site] branch asf-site updated: Automatic Site Publish by Buildbot
This is an automated email from the ASF dual-hosted git repository. git-site-role pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/trafficserver-site.git The following commit(s) were added to refs/heads/asf-site by this push: new 4dd7950 Automatic Site Publish by Buildbot 4dd7950 is described below commit 4dd795059e64ea949ce1cfdd85760847bba95d05 Author: buildbot AuthorDate: Thu Dec 3 16:12:51 2020 + Automatic Site Publish by Buildbot --- content/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/index.html b/content/index.html index a869887..b7c36a2 100644 --- a/content/index.html +++ b/content/index.html @@ -72,7 +72,7 @@ Apache Traffic Serverâ„¢ software is a fast, scalable and extensible HTTP/1.1 and - HTTP/2.0 compliant caching + HTTP/2 compliant caching proxy server. Formerly a commercial product, Yahoo! donated it to the Apache Foundation, and currently used by several major CDNs and content owners.
[trafficserver-site] branch asf-site updated: Replace HTTP/2.0 with HTTP/2 (#1)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/trafficserver-site.git The following commit(s) were added to refs/heads/asf-site by this push: new ff21a90 Replace HTTP/2.0 with HTTP/2 (#1) ff21a90 is described below commit ff21a9026a75038e39e27312b8912ae0151bcc47 Author: Masaori Koshiba AuthorDate: Fri Dec 4 01:12:34 2020 +0900 Replace HTTP/2.0 with HTTP/2 (#1) --- source/markdown/index.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/markdown/index.html b/source/markdown/index.html index a869887..b7c36a2 100644 --- a/source/markdown/index.html +++ b/source/markdown/index.html @@ -72,7 +72,7 @@ Apache Traffic Serverâ„¢ software is a fast, scalable and extensible HTTP/1.1 and - HTTP/2.0 compliant caching + HTTP/2 compliant caching proxy server. Formerly a commercial product, Yahoo! donated it to the Apache Foundation, and currently used by several major CDNs and content owners.