拦截策略支持allow_http2的开关；恢复cmakelist漏掉的HTTP2的编译开关。

2019-05-27 14:17:52 +08:00
parent e53f5ebcf2
commit ea1f876eb7
4 changed files with 21 additions and 5 deletions
--- a/plugin/business/ssl-policy/src/ssl_policy.cpp
+++ b/plugin/business/ssl-policy/src/ssl_policy.cpp
@@ -29,6 +29,7 @@ struct intercept_param
 	int block_fake_cert;
 	int ssl_min_version;
 	int ssl_max_version;
+	int allow_http2;
 	int mirror_client_version;
 	int decrypt_mirror_enabled;
 	int mirror_profile_id;
@@ -125,6 +126,8 @@ void intercept_param_new_cb(int table_id, const char* key, const char* table_lin
 			item=cJSON_GetObjectItem(ssl_ver, "max");	
 			if(item && item->type==cJSON_String) param->ssl_max_version=sslver_str2num(item->valuestring);
 		}
+		item=cJSON_GetObjectItem(ssl_ver, "allow_http2"); 
+		if(item && item->type==cJSON_Number) param->allow_http2=item->valueint;
 	}
 	*ad=param;
 	TFE_LOG_INFO(enforcer->logger, "Add intercept policy: %d", param->policy_id);
@@ -188,6 +191,10 @@ enum ssl_stream_action ssl_policy_enforce(struct ssl_stream *upstream, void* u_p
 		ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MIN_VERSION, param->ssl_min_version);
 		ret=ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_PROTOCOL_MAX_VERSION, param->ssl_max_version);
 	}
+	if(param->allow_http2)
+	{
+		ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_ENABLE_ALPN, 1);
+	}
 	ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_COMMON_NAME, param->no_verify_cn);
 	ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_ISSUER, param->no_verify_issuer);
 	ssl_stream_set_integer_opt(upstream, SSL_STREAM_OPT_NO_VERIFY_SELF_SIGNED, param->no_verify_self_signed);