修改key_keeper请求为post
修改key_keeper请求连接为长连接 修改HTTP2流id设置时机
This commit is contained in:
fengweihao
@@ -455,6 +455,13 @@ void key_keeper_destroy(struct key_keeper *keeper)
|
||||
return;
|
||||
}
|
||||
|
||||
struct evhttp_connection* key_keeper_evhttp_init(struct event_base * evbase, struct evdns_base* dnsbase, struct key_keeper * key_keeper_handler)
|
||||
{
|
||||
char *cert_store_host = key_keeper_handler->cert_store_host;
|
||||
unsigned int cert_store_port =key_keeper_handler->cert_store_port;
|
||||
return evhttp_connection_base_new(evbase, dnsbase, cert_store_host, cert_store_port);
|
||||
}
|
||||
|
||||
struct key_keeper* key_keeper_init(const char * profile, const char* section, void* logger)
|
||||
{
|
||||
struct key_keeper* keeper = ALLOC(struct key_keeper, 1);
|
||||
@@ -565,7 +572,7 @@ char* url_escape(char* url)
|
||||
return _url;
|
||||
}
|
||||
|
||||
void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase)
|
||||
void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const char* sni, int keyring_id, X509 * origin_cert, int is_cert_valid, struct event_base * evbase, struct evdns_base* dnsbase, struct evhttp_connection *evhttp)
|
||||
{
|
||||
struct promise* p = future_to_promise(f);
|
||||
unsigned int len = 0;
|
||||
@@ -602,13 +609,6 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "transform origin_cert to pem failed");
|
||||
return;
|
||||
}
|
||||
char* escaped_origin_cert_pem = url_escape(origin_cert_pem);
|
||||
free(origin_cert_pem);
|
||||
if(escaped_origin_cert_pem == NULL)
|
||||
{
|
||||
promise_failed(p, FUTURE_ERROR_EXCEPTION, "url escape failed");
|
||||
break;
|
||||
}
|
||||
struct future* f_certstore_rpc = future_create("crt_store", certstore_rpc_on_succ, certstore_rpc_on_fail, p);
|
||||
ctx->f_certstore_rpc = f_certstore_rpc;
|
||||
char *url = NULL;
|
||||
@@ -616,17 +616,16 @@ void key_keeper_async_ask(struct future * f, struct key_keeper * keeper, const c
|
||||
//keyring_id = 1;
|
||||
if(sni == NULL || sni[0] == '\0')
|
||||
{
|
||||
asprintf(&url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d&origin_cert=%s",
|
||||
keeper->cert_store_host, keeper->cert_store_port, keyring_id, is_cert_valid, escaped_origin_cert_pem);
|
||||
asprintf(&url, "http://%s:%d/ca?keyring_id=%d&is_valid=%d",
|
||||
keeper->cert_store_host, keeper->cert_store_port, keyring_id, is_cert_valid);
|
||||
}
|
||||
else
|
||||
{
|
||||
asprintf(&url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d&origin_cert=%s",
|
||||
keeper->cert_store_host, keeper->cert_store_port, keyring_id, sni, is_cert_valid, escaped_origin_cert_pem);
|
||||
asprintf(&url, "http://%s:%d/ca?keyring_id=%d&sni=%s&is_valid=%d",
|
||||
keeper->cert_store_host, keeper->cert_store_port, keyring_id, sni, is_cert_valid);
|
||||
}
|
||||
TFE_LOG_DEBUG(keeper->logger, "CertStore query: %.100s", url);
|
||||
curl_free(escaped_origin_cert_pem);
|
||||
tfe_rpc_async_ask(f_certstore_rpc, url, GET, DONE_CB, NULL, 0, evbase, dnsbase);
|
||||
tfe_rpc_async_ask(f_certstore_rpc, url, POST, DONE_CB, origin_cert_pem, strlen(origin_cert_pem), evbase, dnsbase, evhttp);
|
||||
free(url);
|
||||
break;
|
||||
}
|
||||
|
||||
@@ -44,7 +44,7 @@
|
||||
#include <acceptor_kni_v1.h>
|
||||
#include <acceptor_kni_v2.h>
|
||||
#include <watchdog_kni.h>
|
||||
|
||||
#include <key_keeper.h>
|
||||
/* Breakpad */
|
||||
#include <client/linux/handler/exception_handler.h>
|
||||
#include <common/linux/http_upload.h>
|
||||
@@ -243,6 +243,7 @@ void tfe_proxy_work_thread_create_ctx(struct tfe_proxy * proxy)
|
||||
proxy->work_threads[i]->thread_id = i;
|
||||
proxy->work_threads[i]->evbase = event_base_new();
|
||||
proxy->work_threads[i]->dnsbase = evdns_base_new(proxy->work_threads[i]->evbase, EVDNS_BASE_INITIALIZE_NAMESERVERS);
|
||||
proxy->work_threads[i]->evhttp = key_keeper_evhttp_init(proxy->work_threads[i]->evbase, proxy->work_threads[i]->dnsbase, proxy->key_keeper_handler);
|
||||
}
|
||||
return;
|
||||
}
|
||||
@@ -657,8 +658,12 @@ int main(int argc, char * argv[])
|
||||
g_default_proxy->gcev = event_new(g_default_proxy->evbase, -1, EV_PERSIST, __gc_handler_cb, g_default_proxy);
|
||||
CHECK_OR_EXIT(g_default_proxy->gcev, "Failed at creating GC event. Exit. ");
|
||||
|
||||
/* KEY_KEEP INIT */
|
||||
g_default_proxy->key_keeper_handler = key_keeper_init(main_profile, "key_keeper", g_default_logger);
|
||||
CHECK_OR_EXIT(g_default_proxy->key_keeper_handler, "Failed at init Key keeper. Exit.");
|
||||
|
||||
/* SSL INIT */
|
||||
g_default_proxy->ssl_mgr_handler = ssl_manager_init(main_profile, "ssl", g_default_proxy->evbase, g_default_logger);
|
||||
g_default_proxy->ssl_mgr_handler = ssl_manager_init(main_profile, "ssl", g_default_proxy->evbase, g_default_proxy->key_keeper_handler, g_default_logger);
|
||||
CHECK_OR_EXIT(g_default_proxy->ssl_mgr_handler, "Failed at init SSL manager. Exit.");
|
||||
|
||||
for (size_t i = 0; i < (sizeof(signals) / sizeof(int)); i++)
|
||||
@@ -719,11 +724,17 @@ struct event_base * tfe_proxy_get_work_thread_evbase(unsigned int thread_id)
|
||||
assert(thread_id < g_default_proxy->nr_work_threads);
|
||||
return g_default_proxy->work_threads[thread_id]->evbase;
|
||||
}
|
||||
|
||||
struct evdns_base* tfe_proxy_get_work_thread_dnsbase(unsigned int thread_id)
|
||||
{
|
||||
assert(thread_id < g_default_proxy->nr_work_threads);
|
||||
return g_default_proxy->work_threads[thread_id]->dnsbase;
|
||||
}
|
||||
|
||||
struct evhttp_connection* tfe_proxy_get_work_thread_evhttp(unsigned int thread_id)
|
||||
{
|
||||
assert(thread_id < g_default_proxy->nr_work_threads);
|
||||
return g_default_proxy->work_threads[thread_id]->evhttp;
|
||||
}
|
||||
|
||||
struct event_base * tfe_proxy_get_gc_evbase(void)
|
||||
|
||||
@@ -609,8 +609,8 @@ void ssl_manager_destroy(struct ssl_mgr * mgr)
|
||||
}
|
||||
|
||||
|
||||
struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section,
|
||||
struct event_base * ev_base_gc, void * logger)
|
||||
struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section,
|
||||
struct event_base * ev_base_gc, struct key_keeper * key_keeper, void * logger)
|
||||
{
|
||||
unsigned int stek_group_num = 0;
|
||||
unsigned int stek_rotation_time = 0;
|
||||
@@ -705,14 +705,8 @@ struct ssl_mgr * ssl_manager_init(const char * ini_profile, const char * section
|
||||
mgr->svc_fail_as_proto_err_cnt,
|
||||
mgr->svc_succ_as_app_not_pinning_cnt,
|
||||
mgr->svc_cnt_time_window);
|
||||
|
||||
mgr->key_keeper = key_keeper_init(ini_profile, "key_keeper", logger);
|
||||
if (mgr->key_keeper == NULL)
|
||||
{
|
||||
TFE_LOG_ERROR(logger, "Certificate Manager initiate failed.");
|
||||
goto error_out;
|
||||
}
|
||||
|
||||
|
||||
mgr->key_keeper = key_keeper;
|
||||
MESA_load_profile_uint_def(ini_profile, section, "trusted_cert_load_local",
|
||||
&(mgr->trusted_cert_load_local), 1);
|
||||
|
||||
@@ -1958,6 +1952,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
|
||||
ctx->tcp_stream = tcp_stream;
|
||||
struct event_base * evbase=tfe_proxy_get_work_thread_evbase(tcp_stream->thread_id);
|
||||
struct evdns_base* dnsbase=tfe_proxy_get_work_thread_dnsbase(tcp_stream->thread_id);
|
||||
struct evhttp_connection *evhttp=tfe_proxy_get_work_thread_evhttp(tcp_stream->thread_id);
|
||||
|
||||
if (upstream != NULL)
|
||||
{
|
||||
@@ -1972,7 +1967,7 @@ void ssl_async_downstream_create(struct future * f, struct ssl_mgr * mgr, struct
|
||||
ctx->f_ask_keyring = future_create("ask_kyr",ask_keyring_on_succ, ask_keyring_on_fail, p);
|
||||
ctx->is_origin_crt_verify_passed = upstream->up_parts.is_server_cert_verify_passed;
|
||||
key_keeper_async_ask(ctx->f_ask_keyring, mgr->key_keeper, sni, upstream->up_parts.keyring_id, ctx->origin_crt, ctx->is_origin_crt_verify_passed,
|
||||
evbase, dnsbase);
|
||||
evbase, dnsbase, evhttp);
|
||||
return;
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user