From ace31ae24a9e484723d755b7a030c0598f1fabcb Mon Sep 17 00:00:00 2001
From: zhengchao
Date: Sun, 2 Jun 2019 18:17:53 +0800
Subject: [PATCH] =?UTF-8?q?tfe.conf=E4=B8=AD=E7=B3=BB=E7=BB=9F=E5=8F=82?=
 =?UTF-8?q?=E6=95=B0=E7=9A=84section=E6=94=B9=E4=B8=BAsystem=EF=BC=8C?=
 =?UTF-8?q?=E5=85=BC=E5=AE=B9kniv1=E6=B5=8B=E8=AF=95=E5=AE=8C=E6=AF=95?=
 =?UTF-8?q?=E3=80=82?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 common/include/tfe_cmsg.h | 8 ++---
 conf/tfe/tfe.conf | 50 +++++++++++++++++++-------------
 platform/src/acceptor_kni_v1.cpp | 4 +--
 platform/src/proxy.cpp | 12 ++++----
 platform/src/sender_scm.cpp | 24 ++++-----------
 platform/src/ssl_stream.cpp | 8 ++---
 6 files changed, 52 insertions(+), 54 deletions(-)
diff --git a/common/include/tfe_cmsg.h b/common/include/tfe_cmsg.h
index fa2ca97..cee1d81 100644
--- a/common/include/tfe_cmsg.h
+++ b/common/include/tfe_cmsg.h
@@ -31,10 +31,10 @@ enum tfe_cmsg_tlv_type
     TFE_CMSG_STREAM_TRACE_ID = 0x11,
     TFE_CMSG_SSL_INTERCEPT_STATE, //size uint64_t, 0-passthrough, 1-intercept, 2-shutdown, referer from enum ssl_stream_action
-    TFE_CMSG_SSL_UPSTREAM_LATENCY, //size uint64_t, milisecond
-    TFE_CMSG_SSL_DOWNSTREAM_LATENCY, //size uint64_t, milisecond
-    TFE_CMSG_SSL_UPSTREAM_VERSION, //string, SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 unknown
-    TFE_CMSG_SSL_DOWNSTREAM_VERSION,
+    TFE_CMSG_SSL_SERVER_SIDE_LATENCY, //size uint64_t, milisecond
+    TFE_CMSG_SSL_CLIENT_SIDE_LATENCY, //size uint64_t, milisecond
+    TFE_CMSG_SSL_SERVER_SIDE_VERSION, //string, SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 unknown
+    TFE_CMSG_SSL_CLIENT_SIDE_VERSION,
     TFE_CMSG_SSL_PINNING_STATE, //size uint64_t, 0-not pinning 1-pinning 2-maybe pinning
     TFE_CMSG_SSL_CERT_VERIFY,
     TFE_CMSG_SSL_ERROR //string
diff --git a/conf/tfe/tfe.conf b/conf/tfe/tfe.conf
index 651009c..79d7bf1 100644
--- a/conf/tfe/tfe.conf
+++ b/conf/tfe/tfe.conf
@@ -1,38 +1,51 @@
+[system]
+nr_worker_threads=1
+enable_kni_v1=1
+enable_kni_v2=0
 [kni]
 uxdomain=/home/server_unixsocket_file
+ip=127.0.0.1
+scm_port=8888
+
 [ssl]
-ssl_max_version=tls12
+ssl_max_version=tls13
+ssl_min_version=ssl3
+no_session_cache=0
 no_session_ticket=0
 log_master_key=1
 trusted_cert_file=resource/tfe/tls-ca-bundle.pem
 trusted_cert_dir=resource/tfe/trusted_storage
 key_log_file=log/sslkeylog.log
-no_alpn=1
-
+no_alpn=0
+stek_group_num=4
+stek_rotation_time=3600
 [key_keeper]
 #Mode: debug - generate cert with ca_path, normal - generate cert with cert store
-#mode = normal
-mode = debug
-cert_store_host=192.168.11.100
+#0 on cache 1 off cache
+no_cache=0
+mode=normal
+cert_store_host=192.168.10.8
 cert_store_port=9991
-ca_path=resource/tfe/mesalab-ca.pem
-untrusted_ca_path=resource/tfe/mesalab-ca-untrust.pem
-
-[ratelimit]
-#read_rate=1048576
-#read_burst=1048576
-#write_rate=1048576
-#write_burst=1048576
+ca_path=resource/tfe/tango-ca-trust-ca.pem
+untrusted_ca_path=resource/tfe/tango-ca-untrust-ca.pem
 [debug]
 passthrough_all_tcp=0
+[ratelimit]
+#read_rate=200000
+#read_burst=200000
+#write_rate=200000
+#write_burst=200000
+
 [tcp]
-so_keepalive=0
+so_keepalive=1
 tcp_keepcnt=8
 tcp_keepintvl=15
 tcp_keepidle=30
 tcp_user_timeout=30
+tcp_ttl_upstream=75
+tcp_ttl_downstream=70
 [log]
 level=10
@@ -40,9 +53,6 @@ level=10
 [stat]
 statsd_server=192.168.10.72
 statsd_port=8126
-histogram_bins=0.50,0.80,0.9,0.95
-[sender_scm]
-switch = 1
-kni_ip = 192.168.10.37
-kni_port = 8888
+[http]
+loglevel=20
diff --git a/platform/src/acceptor_kni_v1.cpp b/platform/src/acceptor_kni_v1.cpp
index 40332cb..9dad068 100644
--- a/platform/src/acceptor_kni_v1.cpp
+++ b/platform/src/acceptor_kni_v1.cpp
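Review bot: The new `ssl_min_version=ssl3` line in [ssl] lowers the shipped default floor to SSLv3, a protocol deprecated by RFC 7568 with known padding-oracle weaknesses (POODLE), so every deployment that copies this file accepts a downgrade unless the operator notices the line. Unless SSLv3 peers are an explicit requirement, the default should be `ssl_min_version=tls12` (or at least `tls10`), with the lower floor left as a documented opt-in and a comment next to it stating why it is permitted. Separately, `scm_port=8888` is added under [kni] while the sender in the sender_scm.cpp hunk reads `cmsg_port` from that section, so the key as written is never consumed; the two names need to agree.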
@@ -206,8 +206,8 @@ void __kni_event_cb(evutil_socket_t fd, short what, void * user)
     struct tfe_cmsg * __tfe_cmsg;
     struct tfe_proxy_accept_para __accept_para{};
-    uint16_t session_type;
-    uint16_t keyring_id;
+    uint8_t session_type;
+    int32_t keyring_id;
     int * __fds = NULL;
     assert(__ctx != NULL && __ctx->thread == pthread_self());
diff --git a/platform/src/proxy.cpp b/platform/src/proxy.cpp
index 696d6ed..c29950c 100644
--- a/platform/src/proxy.cpp
+++ b/platform/src/proxy.cpp
@@ -258,8 +258,8 @@ int tfe_proxy_work_thread_run(struct tfe_proxy * proxy)
 int tfe_proxy_config(struct tfe_proxy * proxy, const char * profile)
 {
     /* Worker threads */
-    MESA_load_profile_uint_def(profile, "main", "nr_worker_threads", &proxy->nr_work_threads, 1);
-    MESA_load_profile_uint_def(profile, "main", "buffer_output_limit", &proxy->buffer_output_limit, 0);
+    MESA_load_profile_uint_def(profile, "system", "nr_worker_threads", &proxy->nr_work_threads, 1);
+    MESA_load_profile_uint_def(profile, "system", "buffer_output_limit", &proxy->buffer_output_limit, 0);
     /* Debug */
     MESA_load_profile_uint_def(profile, "debug", "passthrough_all_tcp", &proxy->tcp_all_passthrough, 0);
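Review bot: `keyring_id` changes from `uint16_t` to a signed `int32_t` and `session_type` shrinks to `uint8_t`, but nothing in the hunk records which cmsg TLV and which serialized width each is decoded from, so the next reader cannot tell whether the copy out of `__tfe_cmsg` later in `__kni_event_cb` (outside this hunk) still matches. If `keyring_id` is presumably used to select a keyring, a negative or out-of-range value arriving over the socket now fits the type and must be rejected before the lookup. A comment on the declarations would make the contract visible at the point of change, e.g. `int32_t keyring_id; // decoded from the keyring TLV; must be range-checked against the keyring count before use`. The body of `__kni_event_cb` continues outside the hunk.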
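Review bot: Moving `nr_worker_threads` and `buffer_output_limit` from `[main]` to `[system]` with the `_def` loaders means an older tfe.conf that still carries a `[main]` section is accepted without any diagnostic and silently runs with one worker thread and no output limit. Consider logging the resolved values after these two loads, or probing the legacy section once with `MESA_load_profile_int_nodef(profile, "main", "nr_worker_threads", &legacy)` and emitting a warning when it still succeeds, so a stale config is caught at startup rather than in production. The same silent-fallback concern applies to the `[acceptor]` → `[system]` rename in the `tfe_proxy_acceptor_init` hunk of this file.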
@@ -355,13 +355,13 @@ int tfe_stat_init(struct tfe_proxy * proxy, const char * profile)
 void tfe_proxy_acceptor_init(struct tfe_proxy * proxy, const char * profile)
 {
-    MESA_load_profile_uint_def(profile, "acceptor", "en_kni_v1", &proxy->en_kni_v1_acceptor, 0);
-    MESA_load_profile_uint_def(profile, "acceptor", "en_kni_v2", &proxy->en_kni_v2_acceptor, 1);
+    MESA_load_profile_uint_def(profile, "system", "enable_kni_v1", &proxy->en_kni_v1_acceptor, 0);
+    MESA_load_profile_uint_def(profile, "system", "enable_kni_v2", &proxy->en_kni_v2_acceptor, 1);
     if (proxy->en_kni_v1_acceptor)
     {
         g_default_proxy->kni_v1_acceptor = acceptor_kni_v1_create(proxy, profile, proxy->logger);
-        CHECK_OR_EXIT(g_default_proxy->kni_v2_acceptor, "Failed at init KNIv2 acceptor. Exit. ");
+        CHECK_OR_EXIT(g_default_proxy->kni_v1_acceptor, "Failed at init KNIv1 acceptor. Exit. ");
     }
     if (proxy->en_kni_v2_acceptor)
@@ -438,7 +438,7 @@ int main(int argc, char * argv[])
     tfe_proxy_acceptor_init(g_default_proxy, main_profile);
     /* SCM Sender */
-    g_default_proxy->scm_sender = sender_scm_init(main_profile, "sender_scm", g_default_logger);
+    g_default_proxy->scm_sender = sender_scm_init(main_profile, "kni", g_default_logger);
     CHECK_OR_EXIT(g_default_proxy->scm_sender != NULL, "Failed at creating scm sender, Exit.");
     /* PLUGIN INIT */
diff --git a/platform/src/sender_scm.cpp b/platform/src/sender_scm.cpp
index b5adc14..dde1af2 100644
--- a/platform/src/sender_scm.cpp
+++ b/platform/src/sender_scm.cpp
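Review bot: `tfe_proxy_acceptor_init` reads the enable flags from its `proxy` parameter but stores and checks the created acceptor on the global `g_default_proxy`; the corrected `CHECK_OR_EXIT` still inspects `g_default_proxy->kni_v1_acceptor`, so the fix only holds while the function is called with `g_default_proxy` itself. Use the parameter consistently, `proxy->kni_v1_acceptor = acceptor_kni_v1_create(proxy, profile, proxy->logger);` followed by `CHECK_OR_EXIT(proxy->kni_v1_acceptor, "Failed at init KNIv1 acceptor. Exit. ");`, and the kni_v2 branch that starts at the end of the hunk likely wants the same treatment. In the `main` hunk below, passing "kni" to `sender_scm_init` makes [kni] a section shared by the acceptor's `uxdomain` and the sender's ip/port; a one-line comment at the call, such as `/* cmsg sender reads ip/port from the [kni] section shared with the KNI acceptor */`, would record that coupling for whoever next edits tfe.conf.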
@@ -41,26 +41,14 @@ struct sender_scm* sender_scm_init(const char *profile, const char *section, voi
     struct sockaddr_in server_addr;
     struct sender_scm *sender = ALLOC(struct sender_scm, 1);
     sender->logger = logger;
-    int ret = MESA_load_profile_int_nodef(profile, section, "send_switch", &send_switch);
-    if(ret < 0)
+    MESA_load_profile_int_def(profile, section, "send_switch", &send_switch, 1);
+    if(send_switch)
     {
-        TFE_LOG_ERROR(logger, "MESA_prof_load: send_switch not set, profile is %s, section is %s", profile, section);
-        goto error_out;
+        MESA_load_profile_string_def(profile, section, "ip", kni_ip, sizeof(kni_ip), "127.0.0.1");
+        MESA_load_profile_int_def(profile, section, "cmsg_port", &kni_port, 2475);
+        TFE_LOG_INFO(logger, "MESA_prof_load, [%s]:\n kni_ip: %s\n kni_port: %d",
+            section, kni_ip, kni_port);
     }
-    ret = MESA_load_profile_string_nodef(profile, section, "kni_ip", kni_ip, sizeof(kni_ip));
-    if(ret < 0)
-    {
-        TFE_LOG_ERROR(logger, "MESA_prof_load: kni_ip not set, profile is %s, section is %s", profile, section);
-        goto error_out;
-    }
-    ret = MESA_load_profile_int_nodef(profile, section, "kni_port", &kni_port);
-    if(ret < 0)
-    {
-        TFE_LOG_ERROR(logger, "MESA_prof_load: kni_port not set, profile is %s, section is %s", profile, section);
-        goto error_out;
-    }
-    TFE_LOG_INFO(logger, "MESA_prof_load, [%s]:\n kni_ip: %s\n kni_port: %d",
-        section, kni_ip, kni_port);
     sender->send_switch = send_switch;
     if(send_switch == 0)
     {
diff --git a/platform/src/ssl_stream.cpp b/platform/src/ssl_stream.cpp
index 8c2e68f..1f1e869 100644
--- a/platform/src/ssl_stream.cpp
+++ b/platform/src/ssl_stream.cpp
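Review bot: The port is now loaded under the key `cmsg_port` with default 2475, but the tfe.conf hunk in this same commit adds `scm_port=8888` to the [kni] section, so the configured value is never read and `kni_port` silently falls back to the compiled-in 2475; one of the two names has to change, e.g. `MESA_load_profile_int_def(profile, section, "scm_port", &kni_port, 2475);`. Replacing the three `nodef` loads and their `goto error_out` with defaults also flips the failure mode from refuse-to-start to run-with-defaults, and `send_switch` itself now defaults to enabled, so a config that never mentions the sender still turns it on toward 127.0.0.1; since the TFE_LOG_INFO already prints the resolved values, consider keeping the `send_switch` default at 0 so enabling the sender stays an explicit choice, or at least logging at warning level when `ip` or the port key is absent. The remainder of `sender_scm_init` is outside the hunk.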
@@ -1179,7 +1179,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
         TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect server latency %ld ms: addr=%s, sni=%s", jiffies_ms, s_stream->tcp_stream->str_stream_info, sni);
     }
     s_stream->connect_latency_ms=jiffies_ms;
-    ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_UPSTREAM_LATENCY, jiffies_ms);
+    ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_SERVER_SIDE_LATENCY, jiffies_ms);
     if(!SSL_session_reused(s_stream->ssl))
     {
@@ -1253,7 +1253,7 @@ static void ssl_server_connected_eventcb(struct bufferevent * bev, short events,
         }
     }
     s_stream->negotiated_version=SSL_version(s_stream->ssl);
-    ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_UPSTREAM_VERSION, SSL_get_version(s_stream->ssl));
+    ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_SERVER_SIDE_VERSION, SSL_get_version(s_stream->ssl));
     ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_CERT_VERIFY, s_upstream->is_server_cert_verify_passed);
     promise_success(p, ctx);
 }
@@ -1777,7 +1777,7 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
         TFE_LOG_ERROR(mgr->logger, "Warning: ssl connect client latency %ld ms: addr=%s, sni=%s", jiffies_ms, s_stream->tcp_stream->str_stream_info, sni);
     }
     s_stream->connect_latency_ms=jiffies_ms;
-    ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_DOWNSTREAM_LATENCY, jiffies_ms);
+    ssl_stream_set_cmsg_integer(s_stream, TFE_CMSG_SSL_CLIENT_SIDE_LATENCY, jiffies_ms);
     bufferevent_disable(ctx->bev_down, EV_READ | EV_WRITE);
     bufferevent_setcb(ctx->bev_down, NULL, NULL, NULL, NULL); //leave a clean bev for on_success
@@ -1786,7 +1786,7 @@ static void ssl_client_connected_eventcb(struct bufferevent * bev, short events,
         log_ssl_master_key(s_stream->ssl, ctx->fd_downstream, CONN_DIR_DOWNSTREAM, mgr->fp_master_key);
     }
     s_stream->negotiated_version=SSL_version(s_stream->ssl);
-    ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_DOWNSTREAM_VERSION, SSL_get_version(s_stream->ssl));
+    ssl_stream_set_cmsg_string(s_stream, TFE_CMSG_SSL_CLIENT_SIDE_VERSION, SSL_get_version(s_stream->ssl));
     promise_success(p, ctx);
 }