[trafficserver] branch 9.1.x updated (4ebab9d -> 39f9a4e)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a change to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from 4ebab9d Add TSMgmtConfigFileAdd api doc (#8190) add 39f9a4e Various maxmind_acl fixes (#8181) No new revisions were added by this update. Summary of changes: plugins/experimental/maxmind_acl/mmdb.cc | 16 ++-- 1 file changed, 14 insertions(+), 2 deletions(-)
[trafficserver] branch 9.1.x updated: Add TSMgmtConfigFileAdd api doc (#8190)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.1.x by this push: new 4ebab9d Add TSMgmtConfigFileAdd api doc (#8190) 4ebab9d is described below commit 4ebab9d33a9a12461ed61c5769bd199f02b9c8f0 Author: Evan Zelkowitz AuthorDate: Fri Jul 30 15:57:39 2021 -0700 Add TSMgmtConfigFileAdd api doc (#8190) (cherry picked from commit 7f8c48537c41939d9d9d3eb55b43c1b2d70abc2b) --- .../api/functions/TSMgmtConfigFileAdd.en.rst | 43 ++ 1 file changed, 43 insertions(+) diff --git a/doc/developer-guide/api/functions/TSMgmtConfigFileAdd.en.rst b/doc/developer-guide/api/functions/TSMgmtConfigFileAdd.en.rst new file mode 100644 index 000..fde2125 --- /dev/null +++ b/doc/developer-guide/api/functions/TSMgmtConfigFileAdd.en.rst 
@@ -0,0 +1,43 @@ +.. Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed + with this work for additional information regarding copyright + ownership. The ASF licenses this file to you under the Apache + License, Version 2.0 (the "License"); you may not use this file + except in compliance with the License. You may obtain a copy of + the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied. See the License for the specific language governing + permissions and limitations under the License. + +.. include:: ../../../common.defs + +.. default-domain:: c + +TSMgmtConfigFileAdd +*** + +Synopsis + + +.. code-block:: cpp + +#include + +.. function:: TSReturnCode TSMgmtConfigFileAdd(const char *parent, const char *fileName) + +Description +=== + +This is used to 'attach' a config file to a parent config file. It is meant to be used in the context +of a plugin but can also be used internally. Using this you can tie a plugin's config file to, for example, +remap.config. In that instance any changes to the fileName file will trigger a reload of the parent file when +a config reload is requested. + +In the case of a remap.config reload all parent-child file associations are destroyed on reload but plugins are also +reloaded, so if using it within a plugin the API should be called in a location that will be known to be called on +plugin initialization. \ No newline at end of file
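Review bot: the Description never states what the TSReturnCode means for this call, i.e. under which conditions it returns TS_ERROR (unknown parent file, unreadable fileName, called after initialization) and whether a failed call leaves a partial association behind; add a Return Values section as other pages under doc/developer-guide/api/functions have. While there, say how fileName is resolved (absolute path, or relative to the configuration directory), since the reload trigger only works if the watched path is the one the plugin actually reads. Two smaller items in the same hunk: the Synopsis `#include` line names no header, so check that the angle-bracketed header name survived, and the file is missing its trailing newline.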
[trafficserver] 02/02: rate_limit: Add a global hook to rate limit concurrent connections based on SNI (#8021)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit cec62b759af3c39e41dbf685492c2b0390ee6482 Author: Leif Hedstrom AuthorDate: Tue Jul 6 17:03:49 2021 -0600 rate_limit: Add a global hook to rate limit concurrent connections based on SNI (#8021) * Refactors to allow for a global plugin * Basic SNI based limiting, but needs refactoring * Another round of refactoring, but still need more * Adds the SNI rate limiter, now properly refactored * Adds a SNI selector for picking the limiter for the VC * Finished refactoring / cleanup after moving SNI continuation to selector (cherry picked from commit 77c8dbacbf7b1e50f9db0fcf49d56438f03504ae) --- doc/admin-guide/plugins/rate_limit.en.rst | 47 - plugins/experimental/rate_limit/Makefile.inc | 5 +- plugins/experimental/rate_limit/README | 24 +++ plugins/experimental/rate_limit/limiter.h | 70 +++- plugins/experimental/rate_limit/rate_limit.cc | 126 -- plugins/experimental/rate_limit/sni_limiter.cc | 131 ++ plugins/experimental/rate_limit/sni_limiter.h | 41 + plugins/experimental/rate_limit/sni_selector.cc| 142 +++ plugins/experimental/rate_limit/sni_selector.h | 62 +++ .../rate_limit/{limiter.cc => txn_limiter.cc} | 193 +++-- plugins/experimental/rate_limit/txn_limiter.h | 49 ++ plugins/experimental/rate_limit/utilities.cc | 113 plugins/experimental/rate_limit/utilities.h| 29 13 files changed, 838 insertions(+), 194 deletions(-) diff --git a/doc/admin-guide/plugins/rate_limit.en.rst b/doc/admin-guide/plugins/rate_limit.en.rst index 8341707..4efa408 100644 --- a/doc/admin-guide/plugins/rate_limit.en.rst +++ b/doc/admin-guide/plugins/rate_limit.en.rst 
@@ -30,6 +30,9 @@ The limit counters and queues are per remap rule only, i.e. there is (currently) no way to group transaction limits from different remap rules into a single rate limiter. +Remap Plugin + + All configuration is done via :file:`remap.config`, and the following options are available: 
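Review bot: the unchanged context above the new 'Remap Plugin' heading still states that limit counters and queues are per remap rule only, with no way to group limits across rules; the Global Plugin section added later in this patch contradicts that, since the SNI limiter is not tied to remap rules at all. Move that sentence under the Remap Plugin heading or qualify it with "when used as a remap plugin".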
@@ -76,12 +79,54 @@ are available: An optional `max-age` for how long a transaction can sit in the delay queue. The value (default 0) is the age in milliseconds. +Global Plugin +- + +As a global plugin, the rate limiting currently applies only for TLS enabled +connections, based on the SNI from the TLS handshake. The basic use is as:: + +rate_limit.so SNI=www1.example.com,www2.example.com --limit=2 --queue=2 --maxage=1 + +.. Note:: + +As a global plugin, it's highly recommended to also reduce the Keep-Alive inactive +timeout for the service(s) controlled by this plugin. This avoids the risk of having +idle connections consume too many of the available resources. This is easily +done using e.g. the ``conf_remap`` plugin, +:ts:cv:`proxy.config.http.keep_alive_no_activity_timeout_in`. + +The following options are available: + +.. program:: rate-limit + +.. option:: --limit + + The maximum number of active client transactions. + +.. option:: --queue + + When the limit (above) has been reached, all new connections are placed + on a FIFO queue. This option (optional) sets an upper bound on how many + queued transactions we will allow. When this threshold is reached, all + additional connections are immediately errored out in the TLS handshake. + + The queue is effectively disabled if this is set to `0`, which implies + that when the transaction limit is reached, we immediately start serving + error responses. + + The default queue size is `UINT_MAX`, which is essentially unlimited. + +.. option:: --maxage + + An optional `max-age` for how long a transaction can sit in the delay queue. + The value (default 0) is the age in milliseconds. + Examples This example shows a simple rate limiting of `128` concurrently active client transactions, with a maximum queue size of `256`. The default of HTTP status -code `429` is used when queue is full. 
:: +code `429` is used when queue is full: :: map http://cdn.example.com/ http://some-server.example.com \ @plugin=rate_limit.so @pparam=--limit=128 @pparam=--queue=256 diff --git a/plugins/experimental/rate_limit/Makefile.inc b/plugins/experimental/rate_limit/Makefile.inc index 250ce13..72469de 100644 --- a/plugins/experimental/rate_limit/Makefile.inc +++ b/plugins/experimental/rate_limit/Makefile.inc @@ -18,4 +18,7 @@ pkglib_LTLIBRARIES += experimental/rate_limit/rate_limit.la experimental_rate_limit_rate_limit_la_SOURCES = \ experimental/rate_limit/rate_limit.cc \ - experimental/rate_limit/limiter.cc + experimental/rate_limit/txn_limiter.cc \ +
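Review bot: the `SNI=www1.example.com,www2.example.com` argument in the Global Plugin example is never listed among the options, and the text does not say whether `--limit=2` is one budget shared by all listed names or a separate budget per name; document both, and state what happens to connections whose ClientHello carries no SNI or a name not in the list (presumably they are not limited, which is the bypass an operator needs to know about before relying on this for abuse control). The three option descriptions were copied from the remap section and still speak of "active client transactions" and "queued transactions", but in this mode the unit is TLS connections and a rejected client sees a failed handshake rather than an HTTP response, so `--error`, `--retry` and `--header` from the remap section do not apply here; say so explicitly.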
[trafficserver] 01/02: Docs: Fix pre-formatting for ratelimit plugin (#7986)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 58e155d3bc730c88d0ef5fef372acaa8628ca10f Author: mlibbey AuthorDate: Thu Jul 1 14:07:14 2021 -0700 Docs: Fix pre-formatting for ratelimit plugin (#7986) (cherry picked from commit 3538b5f83609e8f009060576531194e992607e31) --- doc/admin-guide/plugins/rate_limit.en.rst | 9 - 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/doc/admin-guide/plugins/rate_limit.en.rst b/doc/admin-guide/plugins/rate_limit.en.rst index aea3b46..8341707 100644 --- a/doc/admin-guide/plugins/rate_limit.en.rst +++ b/doc/admin-guide/plugins/rate_limit.en.rst @@ -53,7 +53,6 @@ are available: The default queue size is `UINT_MAX`, which is essentially unlimited. .. option:: --error - An optional HTTP status error code, to be used together with the :option:`--queue` option above. The default is `429`. 
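Review bot: the hunk deletes the blank line between `.. option:: --error` and its indented description. In reStructuredText a directive's argument block runs until the first blank line, so if this was the only blank line the description paragraph is now parsed as part of the option signature and Sphinx renders a mangled option entry; confirm that exactly one blank line remains there (if two were present before, the deletion is correct).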
@@ -82,27 +81,27 @@ Examples This example shows a simple rate limiting of `128` concurrently active client transactions, with a maximum queue size of `256`. The default of HTTP status -code `429` is used when queue is full. +code `429` is used when queue is full. :: map http://cdn.example.com/ http://some-server.example.com \ @plugin=rate_limit.so @pparam=--limit=128 @pparam=--queue=256 This example would put a hard transaction (in) limit to 256, with no backoff -queue, and add a header with the transaction delay if it was queued: +queue, and add a header with the transaction delay if it was queued: :: map http://cdn.example.com/ http://some-server.example.com \ @plugin=rate_limit.so @pparam=--limit=256 @pparam=--queue=0 \ @pparam=--header=@RateLimit-Delay This final example will limit the active transaction, queue size, and also -add a `Retry-After` header once the queue is full and we return a `429` error: +add a `Retry-After` header once the queue is full and we return a `429` error: :: map http://cdn.example.com/ http://some-server.example.com \ @plugin=rate_limit.so @pparam=--limit=256 @pparam=--queue=1024 \ @pparam=--retry=3600 @pparam=--header=@RateLimit-Delay -In this case, the response would look like this when the queue is full: +In this case, the response would look like this when the queue is full: :: HTTP/1.1 429 Too Many Requests Date: Fri, 26 Mar 2021 22:42:38 GMT
[trafficserver] branch 9.1.x updated (717a514 -> cec62b7)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a change to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from 717a514 Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596) new 58e155d Docs: Fix pre-formatting for ratelimit plugin (#7986) new cec62b7 rate_limit: Add a global hook to rate limit concurrent connections based on SNI (#8021) The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: doc/admin-guide/plugins/rate_limit.en.rst | 54 +- plugins/experimental/rate_limit/Makefile.inc | 5 +- plugins/experimental/rate_limit/README | 24 +++ plugins/experimental/rate_limit/limiter.h | 70 +++- plugins/experimental/rate_limit/rate_limit.cc | 126 -- plugins/experimental/rate_limit/sni_limiter.cc | 131 ++ .../request_queue.h => rate_limit/sni_limiter.h} | 39 ++--- plugins/experimental/rate_limit/sni_selector.cc| 142 +++ plugins/experimental/rate_limit/sni_selector.h | 62 +++ .../rate_limit/{limiter.cc => txn_limiter.cc} | 193 +++-- plugins/experimental/rate_limit/txn_limiter.h | 49 ++ plugins/experimental/rate_limit/utilities.cc | 113 .../cookie.h => rate_limit/utilities.h}| 13 +- 13 files changed, 799 insertions(+), 222 deletions(-) create mode 100644 plugins/experimental/rate_limit/README create mode 100644 plugins/experimental/rate_limit/sni_limiter.cc copy plugins/experimental/{fastcgi/src/request_queue.h => rate_limit/sni_limiter.h} (62%) create mode 100644 plugins/experimental/rate_limit/sni_selector.cc create mode 100644 plugins/experimental/rate_limit/sni_selector.h rename plugins/experimental/rate_limit/{limiter.cc => txn_limiter.cc} (51%) create mode 100644 plugins/experimental/rate_limit/txn_limiter.h create mode 100644 plugins/experimental/rate_limit/utilities.cc copy plugins/experimental/{uri_signing/cookie.h => rate_limit/utilities.h} (72%)
[trafficserver] branch 9.1.x updated: Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.1.x by this push: new 717a514 Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596) 717a514 is described below commit 717a514c2482bfe671c912c28f8eae59cbd920ae Author: Masaori Koshiba AuthorDate: Tue Aug 3 07:43:53 2021 +0900 Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596) * Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596)" This reverts commit a56638f8ba92c48e2cc8b677438c36e13f393e2b. * Fix a use-after-free reported by clang-analyzer Co-authored-by: Tomoaki Tanaka (cherry picked from commit 6efb8d8090b9f6f820e8dd48505134af143c7005) --- iocore/net/P_QUICNetVConnection.h | 1 + iocore/net/P_UnixNetVConnection.h | 1 + iocore/net/QUICNetProcessor.cc| 1 + iocore/net/QUICNetVConnection.cc | 20 iocore/net/SSLNetVConnection.cc | 1 + iocore/net/UnixNetVConnection.cc | 22 +- 6 files changed, 45 insertions(+), 1 deletion(-) diff --git a/iocore/net/P_QUICNetVConnection.h b/iocore/net/P_QUICNetVConnection.h index a9cde60..f04f32d 100644 --- a/iocore/net/P_QUICNetVConnection.h +++ b/iocore/net/P_QUICNetVConnection.h @@ -166,6 +166,7 @@ public: int connectUp(EThread *t, int fd) override; // QUICNetVConnection + int startEvent(int event, Event *e); int state_pre_handshake(int event, Event *data); int state_handshake(int event, Event *data); int state_connection_established(int event, Event *data); diff --git a/iocore/net/P_UnixNetVConnection.h b/iocore/net/P_UnixNetVConnection.h index 8d34bf8..29b3366 100644 --- a/iocore/net/P_UnixNetVConnection.h +++ b/iocore/net/P_UnixNetVConnection.h 
@@ -268,6 +268,7 @@ public: bool from_accept_thread = false; NetAccept *accept_object = nullptr; + int startEvent(int event, Event *e); int acceptEvent(int event, Event *e); int mainEvent(int event, Event *e); virtual int connectUp(EThread *t, int fd); diff --git a/iocore/net/QUICNetProcessor.cc b/iocore/net/QUICNetProcessor.cc index edb5110..5bdaa2b 100644 --- a/iocore/net/QUICNetProcessor.cc +++ b/iocore/net/QUICNetProcessor.cc @@ -149,6 +149,7 @@ QUICNetProcessor::connect_re(Continuation *cont, sockaddr const *remote_addr, Ne // Setup QUICNetVConnection QUICConnectionId client_dst_cid; client_dst_cid.randomize(); + // vc->init set handler of vc `QUICNetVConnection::startEvent` vc->init(QUIC_SUPPORTED_VERSIONS[0], client_dst_cid, client_dst_cid, con, packet_handler, this->_rtable); packet_handler->init(vc); diff --git a/iocore/net/QUICNetVConnection.cc b/iocore/net/QUICNetVConnection.cc index dc9d1b6..fbba684 100644 --- a/iocore/net/QUICNetVConnection.cc +++ b/iocore/net/QUICNetVConnection.cc @@ -242,6 +242,7 @@ void QUICNetVConnection::init(QUICVersion version, QUICConnectionId peer_cid, QUICConnectionId original_cid, UDPConnection *udp_con, QUICPacketHandler *packet_handler, QUICResetTokenTable *rtable) { + SET_HANDLER((NetVConnHandler)::startEvent); this->_initial_version = version; this->_udp_con = udp_con; this->_packet_handler = packet_handler; @@ -388,6 +389,25 @@ QUICNetVConnection::acceptEvent(int event, Event *e) return EVENT_DONE; } +int +QUICNetVConnection::startEvent(int event, Event *e) +{ + ink_assert(event == EVENT_IMMEDIATE); + MUTEX_TRY_LOCK(lock, get_NetHandler(e->ethread)->mutex, e->ethread); + if (!lock.is_locked()) { +e->schedule_in(HRTIME_MSECONDS(net_retry_delay)); +return EVENT_CONT; + } + + if (!action_.cancelled) { +this->connectUp(e->ethread, NO_FD); + } else { +this->free(e->ethread); + } + + return EVENT_DONE; +} + // XXX This might be called on ET_UDP thread void QUICNetVConnection::start() 
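Review bot: QUICNetVConnection::startEvent asserts `event == EVENT_IMMEDIATE`, but its lock-retry path reschedules with `e->schedule_in(HRTIME_MSECONDS(net_retry_delay))` and no callback event, so the retry is redelivered with schedule_in's default event type (EVENT_INTERVAL), which trips the assert in debug builds the first time the NetHandler mutex is contended. Either pass EVENT_IMMEDIATE as the second argument to schedule_in or drop the assert. The free path itself is sound: after `this->free(e->ethread)` nothing touches `this` before returning EVENT_DONE.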
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index 4b1f88d..aad7c66 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -982,6 +982,7 @@ SSLNetVConnection::free(EThread *t) early_data_buf= nullptr; clear(); + SET_CONTINUATION_HANDLER(this, (SSLNetVConnHandler)::startEvent); ink_assert(con.fd == NO_FD); ink_assert(t == this_ethread()); diff --git a/iocore/net/UnixNetVConnection.cc b/iocore/net/UnixNetVConnection.cc index af5deec..3b7e26d 100644 --- a/iocore/net/UnixNetVConnection.cc +++ b/iocore/net/UnixNetVConnection.cc @@ -897,7 +897,10 @@ UnixNetVConnection::reenable_re(VIO *vio) } } -UnixNetVConnection::UnixNetVConnection() {} +UnixNetVConnection::UnixNetVConnection() +{ + SET_HANDLER((NetVConnHandler)::startEvent); +} // Private methods @@ -1060,6 +1063,22 @@ UnixNetVConnection::netActivity(EThread *lthread) } int
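Review bot: the SET_CONTINUATION_HANDLER reset to startEvent in SSLNetVConnection::free is what makes the constructor-side SET_HANDLER in UnixNetVConnection() sufficient, because a VC handed back from the thread-local freelist does not run its constructor again and would otherwise wake up in whatever handler it died with (mainEvent or acceptEvent). That is worth a one-line comment at the reset, otherwise the next cleanup in the spirit of #7596 will remove it as redundant. Also confirm that UnixNetVConnection::free, which is not among the visible hunks, performs the same reset, since plain NetVConnections are recycled the same way.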
[trafficserver] branch 9.0.x updated: Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596)
This is an automated email from the ASF dual-hosted git repository. zwoop pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.0.x by this push: new 64270eb Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596) 64270eb is described below commit 64270eb5214d99d30212f28048df5abd9c969232 Author: Masaori Koshiba AuthorDate: Tue Aug 3 07:43:53 2021 +0900 Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596) * Revert "Remove UnixNetVConnection::startEvent - not actually called. (#7596)" This reverts commit a56638f8ba92c48e2cc8b677438c36e13f393e2b. * Fix a use-after-free reported by clang-analyzer Co-authored-by: Tomoaki Tanaka (cherry picked from commit 6efb8d8090b9f6f820e8dd48505134af143c7005) --- iocore/net/P_QUICNetVConnection.h | 1 + iocore/net/P_UnixNetVConnection.h | 1 + iocore/net/QUICNetProcessor.cc| 1 + iocore/net/QUICNetVConnection.cc | 20 iocore/net/SSLNetVConnection.cc | 1 + iocore/net/UnixNetVConnection.cc | 22 +- 6 files changed, 45 insertions(+), 1 deletion(-) diff --git a/iocore/net/P_QUICNetVConnection.h b/iocore/net/P_QUICNetVConnection.h index a9cde60..f04f32d 100644 --- a/iocore/net/P_QUICNetVConnection.h +++ b/iocore/net/P_QUICNetVConnection.h @@ -166,6 +166,7 @@ public: int connectUp(EThread *t, int fd) override; // QUICNetVConnection + int startEvent(int event, Event *e); int state_pre_handshake(int event, Event *data); int state_handshake(int event, Event *data); int state_connection_established(int event, Event *data); diff --git a/iocore/net/P_UnixNetVConnection.h b/iocore/net/P_UnixNetVConnection.h index 0fffdcb..ea08c68 100644 --- a/iocore/net/P_UnixNetVConnection.h +++ b/iocore/net/P_UnixNetVConnection.h 
@@ -291,6 +291,7 @@ public: bool from_accept_thread = false; NetAccept *accept_object = nullptr; + int startEvent(int event, Event *e); int acceptEvent(int event, Event *e); int mainEvent(int event, Event *e); virtual int connectUp(EThread *t, int fd); diff --git a/iocore/net/QUICNetProcessor.cc b/iocore/net/QUICNetProcessor.cc index edb5110..5bdaa2b 100644 --- a/iocore/net/QUICNetProcessor.cc +++ b/iocore/net/QUICNetProcessor.cc @@ -149,6 +149,7 @@ QUICNetProcessor::connect_re(Continuation *cont, sockaddr const *remote_addr, Ne // Setup QUICNetVConnection QUICConnectionId client_dst_cid; client_dst_cid.randomize(); + // vc->init set handler of vc `QUICNetVConnection::startEvent` vc->init(QUIC_SUPPORTED_VERSIONS[0], client_dst_cid, client_dst_cid, con, packet_handler, this->_rtable); packet_handler->init(vc); diff --git a/iocore/net/QUICNetVConnection.cc b/iocore/net/QUICNetVConnection.cc index 65e925f..9b2b33d 100644 --- a/iocore/net/QUICNetVConnection.cc +++ b/iocore/net/QUICNetVConnection.cc @@ -242,6 +242,7 @@ void QUICNetVConnection::init(QUICVersion version, QUICConnectionId peer_cid, QUICConnectionId original_cid, UDPConnection *udp_con, QUICPacketHandler *packet_handler, QUICResetTokenTable *rtable) { + SET_HANDLER((NetVConnHandler)::startEvent); this->_initial_version = version; this->_udp_con = udp_con; this->_packet_handler = packet_handler; @@ -388,6 +389,25 @@ QUICNetVConnection::acceptEvent(int event, Event *e) return EVENT_DONE; } +int +QUICNetVConnection::startEvent(int event, Event *e) +{ + ink_assert(event == EVENT_IMMEDIATE); + MUTEX_TRY_LOCK(lock, get_NetHandler(e->ethread)->mutex, e->ethread); + if (!lock.is_locked()) { +e->schedule_in(HRTIME_MSECONDS(net_retry_delay)); +return EVENT_CONT; + } + + if (!action_.cancelled) { +this->connectUp(e->ethread, NO_FD); + } else { +this->free(e->ethread); + } + + return EVENT_DONE; +} + // XXX This might be called on ET_UDP thread void QUICNetVConnection::start() 
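Review bot: in QUICNetVConnection::startEvent the `ink_assert(event == EVENT_IMMEDIATE)` is incompatible with the retry `e->schedule_in(HRTIME_MSECONDS(net_retry_delay))` two lines below it, which redelivers with schedule_in's default event type (EVENT_INTERVAL) rather than EVENT_IMMEDIATE; on a contended NetHandler mutex a debug build hits the assert on retry. Pass EVENT_IMMEDIATE explicitly to schedule_in or remove the assert.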
diff --git a/iocore/net/SSLNetVConnection.cc b/iocore/net/SSLNetVConnection.cc index e5f6bf1..e1b7d99 100644 --- a/iocore/net/SSLNetVConnection.cc +++ b/iocore/net/SSLNetVConnection.cc @@ -971,6 +971,7 @@ SSLNetVConnection::free(EThread *t) early_data_buf= nullptr; clear(); + SET_CONTINUATION_HANDLER(this, (SSLNetVConnHandler)::startEvent); ink_assert(con.fd == NO_FD); ink_assert(t == this_ethread()); diff --git a/iocore/net/UnixNetVConnection.cc b/iocore/net/UnixNetVConnection.cc index 045f54b..489ebf9 100644 --- a/iocore/net/UnixNetVConnection.cc +++ b/iocore/net/UnixNetVConnection.cc @@ -896,7 +896,10 @@ UnixNetVConnection::reenable_re(VIO *vio) } } -UnixNetVConnection::UnixNetVConnection() {} +UnixNetVConnection::UnixNetVConnection() +{ + SET_HANDLER((NetVConnHandler)::startEvent); +} // Private methods @@ -1060,6 +1063,22 @@ UnixNetVConnection::netActivity(EThread *lthread) } int
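Review bot: the handler reset in SSLNetVConnection::free is load-bearing, not cosmetic: recycled VCs come back from the thread-local freelist without the constructor running, so without this line a reused SSLNetVConnection keeps its last handler. Add a comment saying so at the SET_CONTINUATION_HANDLER call, and check that UnixNetVConnection::free on this branch has the matching reset, as only the constructor change and the start of startEvent are visible in the UnixNetVConnection.cc hunks.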
[trafficserver] branch 9.1.x updated: Ran clang-tidy over the 9.1.x branch (#8186)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git The following commit(s) were added to refs/heads/9.1.x by this push: new 76dcc80 Ran clang-tidy over the 9.1.x branch (#8186) 76dcc80 is described below commit 76dcc800964b80200774ade84fe3c9212b518008 Author: Bryan Call AuthorDate: Tue Aug 3 15:21:05 2021 -0700 Ran clang-tidy over the 9.1.x branch (#8186) --- .../plugins/c-api/ssl_preaccept/ssl_preaccept.cc | 2 +- iocore/cache/test/main.cc | 4 +-- plugins/background_fetch/background_fetch.cc | 2 +- .../cache_range_requests/cache_range_requests.cc | 4 +-- plugins/escalate/escalate.cc | 2 +- plugins/esi/esi.cc | 2 +- plugins/esi/test/parser_test.cc| 2 +- plugins/esi/test/utils_test.cc | 6 ++-- plugins/experimental/access_control/utils.cc | 2 +- .../experimental/cache_fill/background_fetch.cc| 2 +- plugins/experimental/cache_fill/cache_fill.cc | 5 ++-- .../collapsed_forwarding/collapsed_forwarding.cc | 4 +-- plugins/experimental/cookie_remap/cookie_remap.cc | 4 +-- plugins/experimental/magick/magick.cc | 2 +- plugins/experimental/maxmind_acl/mmdb.cc | 32 +++--- plugins/experimental/memcache/tsmemcache.cc| 2 +- plugins/experimental/mysql_remap/mysql_remap.cc| 4 +-- plugins/experimental/rate_limit/rate_limit.cc | 2 +- plugins/experimental/statichit/statichit.cc| 12 .../experimental/stream_editor/stream_editor.cc| 4 +-- plugins/header_rewrite/conditions_geo_maxmind.cc | 4 +-- plugins/header_rewrite/header_rewrite.cc | 10 +++ plugins/multiplexer/ats-multiplexer.cc | 2 +- proxy/CacheControl.cc | 2 +- proxy/ParentSelection.cc | 2 +- proxy/hdrs/HuffmanCodec.cc | 4 +-- proxy/http/HttpTransact.cc | 2 +- proxy/http2/HPACK.cc | 4 +-- proxy/logging/LogField.cc | 2 +- src/traffic_crashlog/traffic_crashlog.cc | 4 +-- src/traffic_ctl/config.cc | 4 +-- src/traffic_logstats/logstats.cc | 14 +- src/traffic_server/Crash.cc| 2 +- src/traffic_server/InkAPI.cc | 2 +- 
src/traffic_server/InkAPITest.cc | 2 +- src/traffic_server/SocksProxy.cc | 10 +++ src/tscore/ink_file.cc | 4 +-- src/tscore/ink_queue.cc| 4 +-- src/tscore/unit_tests/test_layout.cc | 3 +- 39 files changed, 91 insertions(+), 89 deletions(-) diff --git a/example/plugins/c-api/ssl_preaccept/ssl_preaccept.cc b/example/plugins/c-api/ssl_preaccept/ssl_preaccept.cc index d580584..be662ad 100644 --- a/example/plugins/c-api/ssl_preaccept/ssl_preaccept.cc +++ b/example/plugins/c-api/ssl_preaccept/ssl_preaccept.cc @@ -39,7 +39,7 @@ namespace { -typedef std::pair IpRange; +using IpRange = std::pair; using IpRangeQueue = std::deque; IpRangeQueue ClientBlindTunnelIp; diff --git a/iocore/cache/test/main.cc b/iocore/cache/test/main.cc index 7c57a0c..3585ab6 100644 --- a/iocore/cache/test/main.cc +++ b/iocore/cache/test/main.cc @@ -210,7 +210,7 @@ CacheWriteTest::start_test(int event, void *e) } SET_HANDLER(::write_event); - cacheProcessor.open_write(this, 0, , (CacheHTTPHdr *)this->info.request_get(), old_info); + cacheProcessor.open_write(this, 0, , static_cast(this->info.request_get()), old_info); return 0; } @@ -271,7 +271,7 @@ CacheReadTest::start_test(int event, void *e) key = generate_key(this->info); SET_HANDLER(::read_event); - cacheProcessor.open_read(this, , (CacheHTTPHdr *)this->info.request_get(), >params); + cacheProcessor.open_read(this, , static_cast(this->info.request_get()), >params); return 0; } diff --git a/plugins/background_fetch/background_fetch.cc b/plugins/background_fetch/background_fetch.cc index cc5c7fd..ba68372 100644 --- a/plugins/background_fetch/background_fetch.cc +++ b/plugins/background_fetch/background_fetch.cc 
@@ -55,7 +55,7 @@ static const std::array FILTER_HEADERS{ // Hold the global background fetch state. This is currently shared across all // configurations, as a singleton. ToDo: Would it ever make sense to do this // per remap rule? Maybe for per-remap logging ?? -typedef std::unordered_map OutstandingRequests; +using OutstandingRequests = std::unordered_map; class BgFetchState { diff --git a/plugins/cache_range_requests/cache_range_requests.cc b/plugins/cache_range_requests/cache_range_requests.cc index 5b43d45..cb294e8 100644 ---
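Review bot: this is a 39-file style-only change applied directly to the 9.1.x release branch rather than cherry-picked from master, so every later backport that touches these lines will conflict; plugins/experimental/maxmind_acl/mmdb.cc alone has 32 lines rewritten here and is also modified by the maxmind_acl fixes (#8181) landing on the same branch. Consider keeping release branches to backported fixes and running clang-tidy on master only. On the content itself, `typedef` to `using` is behaviour-neutral, and the `static_cast` rewrites are an improvement because static_cast refuses the unrelated-pointer conversions a C-style cast silently performs as a reinterpret_cast; the two CacheHTTPHdr casts in iocore/cache/test/main.cc are the ones to confirm still compile with the intended meaning.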
[trafficserver] branch 9.1.x updated (e987d0a -> 152d6ea)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a change to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from e987d0a Revert "Apply log throttling to HTTP/2 session error rate messages (#7772)" new 80aaf66 Enforce HTTP parsing restrictions on HTTP versions supported (#7875) new 152d6ea Minor updates to HTTP version validation (#8189) The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference. Summary of changes: proxy/hdrs/HTTP.cc | 34 ++ proxy/hdrs/HTTP.h | 4 +++- proxy/http/HttpSM.cc | 4 proxy/http/HttpTransact.cc | 4 4 files changed, 37 insertions(+), 9 deletions(-)
[trafficserver] 01/02: Enforce HTTP parsing restrictions on HTTP versions supported (#7875)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 80aaf6669799093bbc4623d298abd96fcdb73e90 Author: Sudheer Vinukonda AuthorDate: Mon May 24 21:14:19 2021 -0700 Enforce HTTP parsing restrictions on HTTP versions supported (#7875) This change restricts allowed HTTP versions to 1.0, 1.1 on the HTTP request line to prevent potential mishandling, request smuggling or other vulns due to random/arbitrary version tags. Note that HTTP/2.0 and HTTP/3.0 are negotiated via ALPN on TLS and not via the HTTP request line. (cherry picked from commit f36cf6a6e5b1372916170541bec681a80b34c46f) --- proxy/hdrs/HTTP.cc | 37 + proxy/hdrs/HTTP.h | 4 +++- proxy/http/HttpSM.cc | 4 proxy/http/HttpTransact.cc | 4 4 files changed, 40 insertions(+), 9 deletions(-) diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc index 3cf0e18..793f6e8 100644 --- a/proxy/hdrs/HTTP.cc +++ b/proxy/hdrs/HTTP.cc 
@@ -623,12 +623,36 @@ http_hdr_type_set(HTTPHdrImpl *hh, HTTPType type) } /*- + RFC2616 specifies that HTTP version is of the format . + in the request line. However, the features supported and in use are + for versions 1.0, 1.1 and 2.0 (with HTTP/3.0 being developed). HTTP/2.0 + and HTTP/3.0 are both negotiated using ALPN over TLS and not via the HTTP + request line thus leaving the versions supported on the request line to be + HTTP/1.0 and HTTP/1.1 alone. This utility checks if the HTTP Version + received in the request line is one of these and returns false otherwise -*/ -void +bool +is_version_supported(const uint8_t major, const uint8_t minor) +{ + if (major == 1) { +return minor == 1 || minor == 0; + } + + return false; +} + +bool +is_http_hdr_version_supported(const HTTPVersion _version) +{ + return is_version_supported(http_version.get_major(), http_version.get_minor()); +} + +bool http_hdr_version_set(HTTPHdrImpl *hh, const HTTPVersion ) { hh->m_version = ver; + return is_version_supported(ver.get_major(), ver.get_minor()); } /*- @@ -939,13 +963,12 @@ http_parser_parse_req(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const if (err < 0) { return err; } - http_hdr_version_set(hh, version); + if (!http_hdr_version_set(hh, version)) { +return PARSE_RESULT_ERROR; + } end= real_end; parser->m_parsing_http = false; - if (version == HTTP_0_9) { -return PARSE_RESULT_ERROR; - } ParseResult ret = mime_parser_parse(>m_mime_parser, heap, hh->m_fields_impl, start, end, must_copy_strings, eof, false, max_hdr_field_size); @@ -1094,12 +1117,10 @@ http_parser_parse_req(HTTPParser *parser, HdrHeap *heap, HTTPHdrImpl *hh, const return PARSE_RESULT_ERROR; } -if (version == HTTP_0_9) { +if (!http_hdr_version_set(hh, version)) { return PARSE_RESULT_ERROR; } -http_hdr_version_set(hh, version); - end= real_end; parser->m_parsing_http = false; } diff --git a/proxy/hdrs/HTTP.h b/proxy/hdrs/HTTP.h index 3214c98..dabde58 100644 --- a/proxy/hdrs/HTTP.h +++ b/proxy/hdrs/HTTP.h 
@@ -422,7 +422,7 @@ inkcoreapi int http_hdr_print(HdrHeap *heap, HTTPHdrImpl *hh, char *buf, int buf void http_hdr_describe(HdrHeapObjImpl *obj, bool recurse = true); -inkcoreapi void http_hdr_version_set(HTTPHdrImpl *hh, const HTTPVersion ); +inkcoreapi bool http_hdr_version_set(HTTPHdrImpl *hh, const HTTPVersion ); const char *http_hdr_method_get(HTTPHdrImpl *hh, int *length); inkcoreapi void http_hdr_method_set(HdrHeap *heap, HTTPHdrImpl *hh, const char *method, int16_t method_wks_idx, int method_length, @@ -460,6 +460,8 @@ HTTPValRange* http_parse_range (const char *buf, Arena *arena); */ HTTPValTE *http_parse_te(const char *buf, int len, Arena *arena); +inkcoreapi bool is_http_hdr_version_supported(const HTTPVersion _version); + class IOBufferReader; class HTTPHdr : public MIMEHdr diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index 856c110..68a6343 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -823,6 +823,10 @@ HttpSM::state_read_client_request_header(int event, void *data) t_state.http_return_code = HTTP_STATUS_REQUEST_URI_TOO_LONG : t_state.http_return_code = HTTP_STATUS_NONE; +if (!is_http_hdr_version_supported(t_state.hdr_info.client_request.version_get())) { + t_state.http_return_code = HTTP_STATUS_HTTPVER_NOT_SUPPORTED; +} +
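Review bot: the restriction in the HTTP.cc hunk is applied to the already-parsed (major, minor) pair, so its strength depends on how http_parse_version tokenises the request line. RFC 7230 §2.6 (the new comment still cites RFC 2616) defines HTTP-version as HTTP-name "/" DIGIT "." DIGIT, exactly one digit each; if the parser accumulates digits, `HTTP/01.1` or `HTTP/1.01` normalises to 1.1 and passes `is_version_supported` while an origin may reject or reinterpret the same line, which is precisely the parser differential the commit message wants to close. Confirm the parser rejects multi-digit components, or add that check next to this one.

Review bot: the HttpSM hunk maps the parse failure to HTTP_STATUS_HTTPVER_NOT_SUPPORTED by re-reading `client_request.version_get()`, which only works because `http_hdr_version_set` stores `hh->m_version = ver` before returning false. That coupling is invisible at either site; add a comment in http_hdr_version_set saying the unsupported version is stored deliberately so the 505 path can see it. Note also that this assignment overrides a HTTP_STATUS_REQUEST_URI_TOO_LONG set by the ternary on the previous line when both conditions hold; if that precedence is intended, say so.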
[trafficserver] 02/02: Minor updates to HTTP version validation (#8189)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a commit to branch 9.1.x in repository https://gitbox.apache.org/repos/asf/trafficserver.git commit 152d6eafdf53deebb8c403928d66550cf0a0c9d6 Author: Bryan Call AuthorDate: Tue Aug 3 14:03:04 2021 -0700 Minor updates to HTTP version validation (#8189) Renamed the functions to be more explicit about only supporting HTTP/1.x Changed the version check to be only a logic statement (cherry picked from commit c5105cd0ec77b71a15cf01b61b1ddbb07a8d44b8) Conflicts: proxy/hdrs/HTTP.h --- proxy/hdrs/HTTP.cc | 15 ++- proxy/hdrs/HTTP.h| 2 +- proxy/http/HttpSM.cc | 2 +- 3 files changed, 8 insertions(+), 11 deletions(-) diff --git a/proxy/hdrs/HTTP.cc b/proxy/hdrs/HTTP.cc index 793f6e8..c0b16cf 100644 --- a/proxy/hdrs/HTTP.cc +++ b/proxy/hdrs/HTTP.cc @@ -633,26 +633,23 @@ http_hdr_type_set(HTTPHdrImpl *hh, HTTPType type) -*/ bool -is_version_supported(const uint8_t major, const uint8_t minor) +is_http1_version(const uint8_t major, const uint8_t minor) { - if (major == 1) { -return minor == 1 || minor == 0; - } - - return false; + // Return true if 1.1 or 1.0 + return (major == 1) && (minor == 1 || minor == 0); } bool -is_http_hdr_version_supported(const HTTPVersion _version) +is_http1_hdr_version_supported(const HTTPVersion _version) { - return is_version_supported(http_version.get_major(), http_version.get_minor()); + return is_http1_version(http_version.get_major(), http_version.get_minor()); } bool http_hdr_version_set(HTTPHdrImpl *hh, const HTTPVersion ) { hh->m_version = ver; - return is_version_supported(ver.get_major(), ver.get_minor()); + return is_http1_version(ver.get_major(), ver.get_minor()); } /*- diff --git a/proxy/hdrs/HTTP.h b/proxy/hdrs/HTTP.h index dabde58..52602af 100644 --- a/proxy/hdrs/HTTP.h +++ b/proxy/hdrs/HTTP.h 
@@ -460,7 +460,7 @@ HTTPValRange* http_parse_range (const char *buf, Arena *arena); */ HTTPValTE *http_parse_te(const char *buf, int len, Arena *arena); -inkcoreapi bool is_http_hdr_version_supported(const HTTPVersion _version); +bool is_http1_hdr_version_supported(const HTTPVersion _version); class IOBufferReader; diff --git a/proxy/http/HttpSM.cc b/proxy/http/HttpSM.cc index 68a6343..f461287 100644 --- a/proxy/http/HttpSM.cc +++ b/proxy/http/HttpSM.cc @@ -823,7 +823,7 @@ HttpSM::state_read_client_request_header(int event, void *data) t_state.http_return_code = HTTP_STATUS_REQUEST_URI_TOO_LONG : t_state.http_return_code = HTTP_STATUS_NONE; -if (!is_http_hdr_version_supported(t_state.hdr_info.client_request.version_get())) { +if (!is_http1_hdr_version_supported(t_state.hdr_info.client_request.version_get())) { t_state.http_return_code = HTTP_STATUS_HTTPVER_NOT_SUPPORTED; }
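Review bot: in the HTTP.cc hunk http_hdr_version_set still executes `hh->m_version = ver;` before `is_http1_version` reports the version unsupported, so an unsupported version is stored on the header and only the return value signals the problem. Either validate first and leave m_version untouched on failure, or add a comment above the assignment stating that the caller is responsible for acting on the `false` return.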
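Review bot: the HTTP.h hunk drops the `inkcoreapi` qualifier together with the rename (`-inkcoreapi bool is_http_hdr_version_supported` becomes `+bool is_http1_hdr_version_supported`) even though this header marks other exported functions `inkcoreapi` on this branch, and the commit message records a conflict resolution in proxy/hdrs/HTTP.h. Since the function is called from proxy/http/HttpSM.cc, confirm the export attribute was removed on purpose rather than lost in the cherry-pick merge.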
[trafficserver] branch master updated (532e30c -> c5105cd)
This is an automated email from the ASF dual-hosted git repository. bcall pushed a change to branch master in repository https://gitbox.apache.org/repos/asf/trafficserver.git. from 532e30c Fix error connection logging crash (#8191) add c5105cd Minor updates to HTTP version validation (#8189) No new revisions were added by this update. Summary of changes: proxy/hdrs/HTTP.cc | 15 ++- proxy/hdrs/HTTP.h| 2 +- proxy/http/HttpSM.cc | 2 +- 3 files changed, 8 insertions(+), 11 deletions(-)
[trafficserver-ci] branch main updated: GITHUB_BRANC -> GITHUB_BRANCH (#35)
This is an automated email from the ASF dual-hosted git repository. bneradt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/trafficserver-ci.git The following commit(s) were added to refs/heads/main by this push: new 0eed7ee GITHUB_BRANC -> GITHUB_BRANCH (#35) 0eed7ee is described below commit 0eed7ee6e4d4a3d6c0516c0ccb34d8c21b631012 Author: Brian Neradt AuthorDate: Tue Aug 3 15:48:06 2021 -0500 GITHUB_BRANC -> GITHUB_BRANCH (#35) --- jenkins/branch/autest.pipeline | 6 +++--- jenkins/branch/coverage.pipeline | 2 +- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/jenkins/branch/autest.pipeline b/jenkins/branch/autest.pipeline index 4d9f59c..acfbf34 100644 --- a/jenkins/branch/autest.pipeline +++ b/jenkins/branch/autest.pipeline @@ -92,14 +92,14 @@ pipeline { # The HTTP/3 AuTests depend upon this, so update the PATH accordingly. export PATH=/opt/bin:${PATH} - mkdir -p ${WORKSPACE}/output/${GITHUB_BRANC} + mkdir -p ${WORKSPACE}/output/${GITHUB_BRANCH} ./autest.sh --ats-bin /tmp/ats/bin/ --sandbox /tmp/sandbox || true if [ -n "$(ls -A /tmp/sandbox/)" ]; then - cp -rf /tmp/sandbox/ ${WORKSPACE}/output/${GITHUB_BRANC}/ + cp -rf /tmp/sandbox/ ${WORKSPACE}/output/${GITHUB_BRANCH}/ sudo chmod -R 777 ${WORKSPACE} exit 1 else - sudo touch ${WORKSPACE}/output/${GITHUB_BRANC}/No_autest_failures + sudo touch ${WORKSPACE}/output/${GITHUB_BRANCH}/No_autest_failures sudo chmod -R 777 ${WORKSPACE} exit 0 fi diff --git a/jenkins/branch/coverage.pipeline b/jenkins/branch/coverage.pipeline index babff77..57b8897 100644 --- a/jenkins/branch/coverage.pipeline +++ b/jenkins/branch/coverage.pipeline @@ -177,7 +177,7 @@ pipeline { --output-directory /tmp/lcov-report \ /tmp/lcov_tracefile_filtered.info - cp -rf /tmp/lcov-report ${WORKSPACE}/output/${GITHUB_BRANC}/ + cp -rf /tmp/lcov-report ${WORKSPACE}/output/${GITHUB_BRANCH}/ sudo chmod -R 777 ${WORKSPACE} ''' }
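Review bot: the autest.pipeline hunk corrects the misspelled `GITHUB_BRANC`, but the reason the typo survived is that an unset shell variable expands to an empty string, so the old lines silently wrote to `${WORKSPACE}/output//` instead of failing. Adding `set -u` (or `set -eu`) at the top of this shell step would turn a future typo into a build failure rather than misplaced artifacts. On the unchanged lines, `sudo chmod -R 777 ${WORKSPACE}` makes the entire workspace world-writable; narrowing it to the output directory and to the owner and group that actually need access would be safer.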
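Review bot: unlike the autest hunk, nothing in the coverage.pipeline hunk creates `${WORKSPACE}/output/${GITHUB_BRANCH}/` before `cp -rf /tmp/lcov-report` into it, so the step depends on an earlier stage having run `mkdir -p`; if the directory is missing, cp either fails or copies the report under a different name rather than placing it inside. A `mkdir -p ${WORKSPACE}/output/${GITHUB_BRANCH}` immediately before the cp removes that dependency.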
[trafficserver-site] branch asf-site updated: Updated the .asf.yaml file
This is an automated email from the ASF dual-hosted git repository. bcall pushed a commit to branch asf-site in repository https://gitbox.apache.org/repos/asf/trafficserver-site.git The following commit(s) were added to refs/heads/asf-site by this push: new 91b8fd1 Updated the .asf.yaml file 91b8fd1 is described below commit 91b8fd144ed933108b01f6328477dc3e50d27f73 Author: Bryan Call AuthorDate: Tue Aug 3 10:29:06 2021 -0700 Updated the .asf.yaml file --- .asf.yaml | 29 + 1 file changed, 29 insertions(+) diff --git a/.asf.yaml b/.asf.yaml index a6585d7..88f4ebd 100644 --- a/.asf.yaml +++ b/.asf.yaml @@ -1,3 +1,32 @@ +# Documentation https://cwiki.apache.org/confluence/display/INFRA/git+-+.asf.yaml+features +notifications: + commits: commits@trafficserver.apache.org + issues: iss...@trafficserver.apache.org + pullrequests: git...@trafficserver.apache.org + +github: + description: "Apache Traffic Serverâ„¢ is a fast, scalable and extensible HTTP/1.1 and HTTP/2 compliant caching proxy server." + homepage: https://trafficserver.apache.org/ + labels: +- proxy +- cdn +- cache +- apache + features: +# Enable wiki for documentation +wiki: false +# Enable issue management +issues: true +# Enable projects for project management boards +projects: false + enabled_merge_buttons: +# Enable squash button: +squash: true +# Disable rebase button: +rebase: false +# Disable merge button: +merge: false + publish: whoami: asf-site
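Review bot: the comments under `features:` and `enabled_merge_buttons:` contradict the values they annotate: `# Enable wiki for documentation` precedes `wiki: false` and `# Enable projects for project management boards` precedes `projects: false`. Reword them to state the actual setting (for example `# Disable the wiki; documentation lives elsewhere`) so a later editor does not flip a value to match a stale comment. Separately, the `description:` string renders as `Serverâ„¢`, which is the UTF-8 byte sequence for the trademark symbol read back as Latin-1/CP1252; re-save .asf.yaml as UTF-8 or use a plain `(TM)` so the text shown on the GitHub repository page is not garbled.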