mirror of
https://github.com/NLnetLabs/unbound.git
synced 2025-12-20 23:00:56 -05:00
- Create additional tls service interfaces by opening them on other
portnumbers and listing the portnumbers as additional-tls-port: nr. git-svn-id: file:///svn/unbound/trunk@4588 be551aaa-1e26-0410-a405-d3ace91eadb9
This commit is contained in:
Wouter Wijngaards
parent
59935375a3
commit
1d2d33d01a
5 changed files with 43 additions and 13 deletions
|
|
@ -7,6 +7,8 @@
|
|||
should exist). Patch from Jinmei Tatuya (Infoblox).
|
||||
- Fix #3817: core dump happens in libunbound delete, when queued
|
||||
servfail hits deleted message queue.
|
||||
- Create additional tls service interfaces by opening them on other
|
||||
portnumbers and listing the portnumbers as additional-tls-port: nr.
|
||||
|
||||
13 March 2018: Wouter
|
||||
- Fix typo in documentation.
|
||||
|
|
|
|||
|
|
@ -678,6 +678,9 @@ server:
|
|||
# Certificates used to authenticate connections made upstream.
|
||||
# tls-cert-bundle: ""
|
||||
|
||||
# Also serve tls on these port numbers (eg. 443, ...), by listing
|
||||
# additional-tls-port: portno for each of the port numbers.
|
||||
|
||||
# DNS64 prefix. Must be specified when DNS64 is use.
|
||||
# Enable dns64 in module-config. Used to synthesize IPv6 from IPv4.
|
||||
# dns64-prefix: 64:ff9b::0/96
|
||||
|
|
|
|||
|
|
@ -1056,6 +1056,24 @@ set_recvpktinfo(int s, int family)
|
|||
return 1;
|
||||
}
|
||||
|
||||
/** see if interface is ssl, its port number == the ssl port number */
|
||||
static int
|
||||
if_is_ssl(const char* ifname, const char* port, int ssl_port,
|
||||
struct config_strlist* additional_tls_port)
|
||||
{
|
||||
struct config_strlist* s;
|
||||
char* p = strchr(ifname, '@');
|
||||
if(!p && atoi(port) == ssl_port)
|
||||
return 1;
|
||||
if(p && atoi(p+1) == ssl_port)
|
||||
return 1;
|
||||
for(s = additional_tls_port; s; s = s->next) {
|
||||
if(atoi(s->str) == atoi(port))
|
||||
return 1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Helper for ports_open. Creates one interface (or NULL for default).
|
||||
* @param ifname: The interface ip address.
|
||||
|
|
@ -1069,6 +1087,7 @@ set_recvpktinfo(int s, int family)
|
|||
* @param rcv: receive buffer size for UDP
|
||||
* @param snd: send buffer size for UDP
|
||||
* @param ssl_port: ssl service port number
|
||||
* @param additional_tls_port: list of additional ssl service port numbers.
|
||||
* @param reuseport: try to set SO_REUSEPORT if nonNULL and true.
|
||||
* set to false on exit if reuseport failed due to no kernel support.
|
||||
* @param transparent: set IP_TRANSPARENT socket option.
|
||||
|
|
@ -1081,8 +1100,10 @@ set_recvpktinfo(int s, int family)
|
|||
static int
|
||||
ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
struct addrinfo *hints, const char* port, struct listen_port** list,
|
||||
size_t rcv, size_t snd, int ssl_port, int* reuseport, int transparent,
|
||||
int tcp_mss, int freebind, int use_systemd, int dnscrypt_port)
|
||||
size_t rcv, size_t snd, int ssl_port,
|
||||
struct config_strlist* additional_tls_port, int* reuseport,
|
||||
int transparent, int tcp_mss, int freebind, int use_systemd,
|
||||
int dnscrypt_port)
|
||||
{
|
||||
int s, noip6=0;
|
||||
#ifdef USE_DNSCRYPT
|
||||
|
|
@ -1146,9 +1167,8 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
|||
}
|
||||
}
|
||||
if(do_tcp) {
|
||||
int is_ssl = ((strchr(ifname, '@') &&
|
||||
atoi(strchr(ifname, '@')+1) == ssl_port) ||
|
||||
(!strchr(ifname, '@') && atoi(port) == ssl_port));
|
||||
int is_ssl = if_is_ssl(ifname, port, ssl_port,
|
||||
additional_tls_port);
|
||||
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
|
||||
&noip6, 0, 0, reuseport, transparent, tcp_mss,
|
||||
freebind, use_systemd)) == -1) {
|
||||
|
|
@ -1334,8 +1354,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
|
|||
do_auto, cfg->do_udp, do_tcp,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, reuseport,
|
||||
cfg->ip_transparent,
|
||||
cfg->ssl_port, cfg->additional_tls_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
|
||||
cfg->dnscrypt_port)) {
|
||||
listening_ports_free(list);
|
||||
|
|
@ -1348,8 +1368,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
|
|||
do_auto, cfg->do_udp, do_tcp,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, reuseport,
|
||||
cfg->ip_transparent,
|
||||
cfg->ssl_port, cfg->additional_tls_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
|
||||
cfg->dnscrypt_port)) {
|
||||
listening_ports_free(list);
|
||||
|
|
@ -1364,8 +1384,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
|
|||
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
||||
do_tcp, &hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, reuseport,
|
||||
cfg->ip_transparent,
|
||||
cfg->ssl_port, cfg->additional_tls_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
|
||||
cfg->dnscrypt_port)) {
|
||||
listening_ports_free(list);
|
||||
|
|
@ -1378,8 +1398,8 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
|
|||
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
||||
do_tcp, &hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port, reuseport,
|
||||
cfg->ip_transparent,
|
||||
cfg->ssl_port, cfg->additional_tls_port,
|
||||
reuseport, cfg->ip_transparent,
|
||||
cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
|
||||
cfg->dnscrypt_port)) {
|
||||
listening_ports_free(list);
|
||||
|
|
|
|||
|
|
@ -446,6 +446,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
|||
else S_STR("ssl-service-pem:", ssl_service_pem)
|
||||
else S_NUMBER_NONZERO("ssl-port:", ssl_port)
|
||||
else S_STR("tls-cert-bundle:", tls_cert_bundle)
|
||||
else S_STRLIST("additional-tls-port:", additional_tls_port)
|
||||
else S_YNO("interface-automatic:", if_automatic)
|
||||
else S_YNO("use-systemd:", use_systemd)
|
||||
else S_YNO("do-daemonize:", do_daemonize)
|
||||
|
|
@ -856,6 +857,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
|||
else O_STR(opt, "ssl-service-pem", ssl_service_pem)
|
||||
else O_DEC(opt, "ssl-port", ssl_port)
|
||||
else O_STR(opt, "tls-cert-bundle", tls_cert_bundle)
|
||||
else O_LST(opt, "additional-tls-port", additional_tls_port)
|
||||
else O_YNO(opt, "use-systemd", use_systemd)
|
||||
else O_YNO(opt, "do-daemonize", do_daemonize)
|
||||
else O_STR(opt, "chroot", chrootdir)
|
||||
|
|
@ -1274,6 +1276,7 @@ config_delete(struct config_file* cfg)
|
|||
free(cfg->ssl_service_key);
|
||||
free(cfg->ssl_service_pem);
|
||||
free(cfg->tls_cert_bundle);
|
||||
config_delstrlist(cfg->additional_tls_port);
|
||||
free(cfg->log_identity);
|
||||
config_del_strarray(cfg->ifs, cfg->num_ifs);
|
||||
config_del_strarray(cfg->out_ifs, cfg->num_out_ifs);
|
||||
|
|
|
|||
|
|
@ -102,6 +102,8 @@ struct config_file {
|
|||
int ssl_upstream;
|
||||
/** cert bundle for outgoing connections */
|
||||
char* tls_cert_bundle;
|
||||
/** additional tls ports */
|
||||
struct config_strlist* additional_tls_port;
|
||||
|
||||
/** outgoing port range number of ports (per thread) */
|
||||
int outgoing_num_ports;
|
||||
|
|
|
|||
Loading…
Reference in a new issue