- Add mem.http.query_buffer and mem.http.response_buffer stats

- Add configurable limits for http-query-buffer-size and
  http-response-buffer-size
- Make http endpoint, max_streams, and TCP_NODELAY for HTTP sockets
  configurable.

Makefile.in

@@ -904,7 +904,7 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h \
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
  $(srcdir)/services/outside_network.h  $(srcdir)/services/cache/infra.h \
  $(srcdir)/util/rtt.h $(srcdir)/services/cache/rrset.h $(srcdir)/util/storage/slabhash.h $(srcdir)/dns64/dns64.h \
  $(srcdir)/iterator/iterator.h $(srcdir)/services/outbound_list.h $(srcdir)/iterator/iter_fwd.h \
@@ -915,7 +915,15 @@ fptr_wlist.lo fptr_wlist.o: $(srcdir)/util/fptr_wlist.c config.h $(srcdir)/util/
  $(srcdir)/libunbound/worker.h
 locks.lo locks.o: $(srcdir)/util/locks.c config.h $(srcdir)/util/locks.h $(srcdir)/util/log.h
 log.lo log.o: $(srcdir)/util/log.c config.h $(srcdir)/util/log.h $(srcdir)/util/locks.h $(srcdir)/sldns/sbuffer.h
-mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h
+mini_event.lo mini_event.o: $(srcdir)/util/mini_event.c config.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h \
+ $(srcdir)/util/fptr_wlist.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
+  $(srcdir)/util/storage/lruhash.h $(srcdir)/util/locks.h \
+ $(srcdir)/util/log.h $(srcdir)/util/module.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
+ $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/util/tube.h \
+ $(srcdir)/services/mesh.h $(srcdir)/util/rbtree.h $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h \
+ $(srcdir)/services/localzone.h $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h \
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h \
+ $(srcdir)/util/timehist.h $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
 module.lo module.o: $(srcdir)/util/module.c config.h $(srcdir)/util/module.h $(srcdir)/util/storage/lruhash.h \
  $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/util/data/msgreply.h $(srcdir)/util/data/packed_rrset.h \
  $(srcdir)/util/data/msgparse.h $(srcdir)/sldns/pkthdr.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
@@ -987,7 +995,7 @@ tube.lo tube.o: $(srcdir)/util/tube.c config.h $(srcdir)/util/tube.h $(srcdir)/u
  $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/ub_event.h
 ub_event.lo ub_event.o: $(srcdir)/util/ub_event.c config.h $(srcdir)/util/ub_event.h $(srcdir)/util/log.h \
  $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h  \
- $(srcdir)/util/tube.h
+ $(srcdir)/util/tube.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c config.h $(srcdir)/util/ub_event.h \
  $(srcdir)/libunbound/unbound-event.h $(srcdir)/util/netevent.h $(srcdir)/dnscrypt/dnscrypt.h \
   $(srcdir)/util/log.h $(srcdir)/util/fptr_wlist.h \
@@ -997,7 +1005,7 @@ ub_event_pluggable.lo ub_event_pluggable.o: $(srcdir)/util/ub_event_pluggable.c
  $(srcdir)/services/modstack.h $(srcdir)/services/rpz.h $(srcdir)/services/localzone.h \
  $(srcdir)/util/storage/dnstree.h $(srcdir)/services/view.h $(srcdir)/sldns/sbuffer.h \
  $(srcdir)/util/config_file.h $(srcdir)/services/authzone.h $(srcdir)/daemon/stats.h $(srcdir)/util/timehist.h \
- $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h
+ $(srcdir)/libunbound/unbound.h $(srcdir)/respip/respip.h $(srcdir)/util/mini_event.h $(srcdir)/util/rbtree.h
 winsock_event.lo winsock_event.o: $(srcdir)/util/winsock_event.c config.h
 autotrust.lo autotrust.o: $(srcdir)/validator/autotrust.c config.h $(srcdir)/validator/autotrust.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/data/packed_rrset.h $(srcdir)/util/storage/lruhash.h \
@@ -1160,7 +1168,8 @@ testpkts.lo testpkts.o: $(srcdir)/testcode/testpkts.c config.h $(srcdir)/testcod
  $(srcdir)/util/net_help.h $(srcdir)/util/log.h $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/pkthdr.h \
  $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/wire2str.h
 unitldns.lo unitldns.o: $(srcdir)/testcode/unitldns.c config.h $(srcdir)/util/log.h $(srcdir)/testcode/unitmain.h \
- $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h
+ $(srcdir)/sldns/sbuffer.h $(srcdir)/sldns/str2wire.h $(srcdir)/sldns/rrdef.h $(srcdir)/sldns/wire2str.h \
+ $(srcdir)/sldns/parseutil.h
 unitecs.lo unitecs.o: $(srcdir)/testcode/unitecs.c config.h
 unitauth.lo unitauth.o: $(srcdir)/testcode/unitauth.c config.h $(srcdir)/services/authzone.h \
  $(srcdir)/util/rbtree.h $(srcdir)/util/locks.h $(srcdir)/util/log.h $(srcdir)/services/mesh.h $(srcdir)/util/netevent.h \

daemon/remote.c

@@ -853,6 +853,12 @@ print_mem(RES* ssl, struct worker* worker, struct daemon* daemon,
 	if(!print_longnum(ssl, "mem.streamwait"SQ,
 		(size_t)s->svr.mem_stream_wait))
 		return 0;
+	if(!print_longnum(ssl, "mem.http.query_buffer"SQ,
+		(size_t)s->svr.mem_http2_query_buffer))
+		return 0;
+	if(!print_longnum(ssl, "mem.http.response_buffer"SQ,
+		(size_t)s->svr.mem_http2_response_buffer))
+		return 0;
 	return 1;
 }
 

daemon/stats.c

@@ -335,6 +335,10 @@ server_stats_compile(struct worker* worker, struct ub_stats_info* s, int reset)
 	}
 	s->svr.mem_stream_wait =
 		(long long)tcp_req_info_get_stream_buffer_size();
+	s->svr.mem_http2_query_buffer =
+		(long long)http2_get_query_buffer_size();
+	s->svr.mem_http2_response_buffer =
+		(long long)http2_get_response_buffer_size();
 
 	/* Set neg cache usage numbers */
 	set_neg_cache_stats(worker, &s->svr, reset);

daemon/worker.c

@@ -1797,8 +1797,8 @@ worker_init(struct worker* worker, struct config_file *cfg,
 		cfg->do_tcp_keepalive
 			? cfg->tcp_keepalive_timeout
 			: cfg->tcp_idle_timeout,
-		cfg->harden_large_queries,
+		cfg->harden_large_queries, cfg->http_max_streams,
-		worker->daemon->tcl,
+		cfg->http_endpoint, worker->daemon->tcl,
 		worker->daemon->listen_sslctx,
 		dtenv, worker_handle_request, worker);
 	if(!worker->front) {

doc/unbound-control.8.in

@@ -506,6 +506,14 @@ negative cache.
 Memory in bytes in used by the TCP and TLS stream wait buffers.  These are
 answers waiting to be written back to the clients.
 .TP
+.I mem.http.query_buffer
+Memory in bytes used by the HTTP/2 query buffers. Containing (partial) DNS
+queries waiting for request stream completion.
+.TP
+.I mem.http.response_buffer
+Memory in bytes used by the HTTP/2 response buffers. Containing DNS responses
+waiting to be written back to the clients.
+.TP
 .I histogram.<sec>.<usec>.to.<sec>.<usec>
 Shows a histogram, summed over all threads. Every element counts the
 recursive queries whose reply time fit between the lower and upper bound.

libunbound/unbound.h

@@ -788,6 +788,10 @@ struct ub_server_stats {
 	long long num_query_subnet_cache;
 	/** number of bytes in the stream wait buffers */
 	long long mem_stream_wait;
+	/** number of bytes in the HTTP2 query buffers */
+	long long mem_http2_query_buffer;
+	/** number of bytes in the HTTP2 response buffers */
+	long long mem_http2_response_buffer;
 	/** number of TLS connection resume */
 	long long qtls_resume;
 	/** RPZ action stats */

services/listen_dnsport.c

@@ -80,11 +80,23 @@
 #ifndef THREADS_DISABLED
 /** lock on the counter of stream buffer memory */
 static lock_basic_type stream_wait_count_lock;
+/** lock on the counter of HTTP2 query buffer memory */
+static lock_basic_type http2_query_buffer_count_lock;
+/** lock on the counter of HTTP2 response buffer memory */
+static lock_basic_type http2_response_buffer_count_lock;
 #endif
 /** size (in bytes) of stream wait buffers */
 static size_t stream_wait_count = 0;
 /** is the lock initialised for stream wait buffers */
 static int stream_wait_lock_inited = 0;
+/** size (in bytes) of HTTP2 query buffers */
+static size_t http2_query_buffer_count = 0;
+/** is the lock initialised for HTTP2 query buffers */
+static int http2_query_buffer_lock_inited = 0;
+/** size (in bytes) of HTTP2 response buffers */
+static size_t http2_response_buffer_count = 0;
+/** is the lock initialised for HTTP2 response buffers */
+static int http2_response_buffer_lock_inited = 0;
 
 /**
  * Debug print of the getaddrinfo returned address.
@@ -707,20 +719,6 @@ create_tcp_accept_sock(struct addrinfo *addr, int v6only, int* noproto,
 #else
 		log_warn(" setsockopt(TCP_NODELAY) unsupported");
 #endif /* defined(IPPROTO_TCP) && defined(TCP_NODELAY) */
-#if defined(IPPROTO_TCP) && defined(TCP_QUICKACK)
-		if(setsockopt(s, IPPROTO_TCP, TCP_QUICKACK, (void*)&on,
-			(socklen_t)sizeof(on)) < 0) {
-			#ifndef USE_WINSOCK
-			log_err(" setsockopt(.. TCP_QUICKACK ..) failed: %s",
-				strerror(errno));
-			#else
-			log_err(" setsockopt(.. TCP_QUICKACK ..) failed: %s",
-				wsa_strerror(WSAGetLastError()));
-			#endif
-		}
-#else
-		log_warn(" setsockopt(TCP_QUICKACK) unsupported");
-#endif /* defined(IPPROTO_TCP) && defined(TCP_QUICKACK) */
 	}
 	if (mss > 0) {
 #if defined(IPPROTO_TCP) && defined(TCP_MAXSEG)
@@ -1251,6 +1249,7 @@ if_is_https(const char* ifname, const char* port, int https_port)
  * @param transparent: set IP_TRANSPARENT socket option.
  * @param tcp_mss: maximum segment size of tcp socket. default if zero.
  * @param freebind: set IP_FREEBIND socket option.
+ * @param http2_nodelay: set TCP_NODELAY on HTTP/2 connection
  * @param use_systemd: if true, fetch sockets from systemd.
  * @param dnscrypt_port: dnscrypt service port number
  * @param dscp: DSCP to use.
@@ -1262,11 +1261,11 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
 	size_t rcv, size_t snd, int ssl_port,
 	struct config_strlist* tls_additional_port, int https_port,
 	int* reuseport, int transparent, int tcp_mss, int freebind,
-	int use_systemd, int dnscrypt_port, int dscp)
+	int http2_nodelay, int use_systemd, int dnscrypt_port, int dscp)
 {
 	int s, noip6=0;
 	int is_https = if_is_https(ifname, port, https_port);
-	int nodelay = is_https; /* TODO make config option */
+	int nodelay = is_https && http2_nodelay;
 #ifdef USE_DNSCRYPT
 	int is_dnscrypt = ((strchr(ifname, '@') && 
 			atoi(strchr(ifname, '@')+1) == dnscrypt_port) ||
@@ -1384,7 +1383,8 @@ listen_cp_insert(struct comm_point* c, struct listen_dnsport* front)
 struct listen_dnsport* 
 listen_create(struct comm_base* base, struct listen_port* ports,
 	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
-	int harden_large_queries, struct tcl_list* tcp_conn_limit, void* sslctx,
+	int harden_large_queries, uint32_t http_max_streams,
+	char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
 	struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg)
 {
 	struct listen_dnsport* front = (struct listen_dnsport*)
@@ -1404,6 +1404,14 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 		lock_basic_init(&stream_wait_count_lock);
 		stream_wait_lock_inited = 1;
 	}
+	if(!http2_query_buffer_lock_inited) {
+		lock_basic_init(&http2_query_buffer_count_lock);
+		http2_query_buffer_lock_inited = 1;
+	}
+	if(!http2_response_buffer_lock_inited) {
+		lock_basic_init(&http2_response_buffer_count_lock);
+		http2_response_buffer_lock_inited = 1;
+	}
 
 	/* create comm points as needed */
 	while(ports) {
@@ -1416,7 +1424,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 				ports->ftype == listen_type_tcp_dnscrypt)
 			cp = comm_point_create_tcp(base, ports->fd, 
 				tcp_accept_count, tcp_idle_timeout,
-				harden_large_queries,
+				harden_large_queries, 0, NULL,
 				tcp_conn_limit, bufsize, front->udp_buff,
 				ports->ftype, cb, cb_arg);
 		else if(ports->ftype == listen_type_ssl ||
@@ -1424,6 +1432,7 @@ listen_create(struct comm_base* base, struct listen_port* ports,
 			cp = comm_point_create_tcp(base, ports->fd, 
 				tcp_accept_count, tcp_idle_timeout,
 				harden_large_queries,
+				http_max_streams, http_endpoint,
 				tcp_conn_limit, bufsize, front->udp_buff,
 				ports->ftype, cb, cb_arg);
 			cp->ssl = sslctx;
@@ -1518,6 +1527,14 @@ listen_delete(struct listen_dnsport* front)
 		stream_wait_lock_inited = 0;
 		lock_basic_destroy(&stream_wait_count_lock);
 	}
+	if(http2_query_buffer_lock_inited) {
+		http2_query_buffer_lock_inited = 0;
+		lock_basic_destroy(&http2_query_buffer_count_lock);
+	}
+	if(http2_response_buffer_lock_inited) {
+		http2_response_buffer_lock_inited = 0;
+		lock_basic_destroy(&http2_response_buffer_count_lock);
+	}
 }
 
 struct listen_port* 
@@ -1558,9 +1575,9 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
-				cfg->https_port,
+				cfg->https_port, reuseport, cfg->ip_transparent,
-				reuseport, cfg->ip_transparent,
+				cfg->tcp_mss, cfg->ip_freebind,
-				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
+				cfg->http_nodelay, cfg->use_systemd,
 				cfg->dnscrypt_port, cfg->ip_dscp)) {
 				listening_ports_free(list);
 				return NULL;
@@ -1573,9 +1590,9 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				&hints, portbuf, &list,
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
-				cfg->https_port,
+				cfg->https_port, reuseport, cfg->ip_transparent,
-				reuseport, cfg->ip_transparent,
+				cfg->tcp_mss, cfg->ip_freebind,
-				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
+				cfg->http_nodelay, cfg->use_systemd,
 				cfg->dnscrypt_port, cfg->ip_dscp)) {
 				listening_ports_free(list);
 				return NULL;
@@ -1590,9 +1607,9 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
-				cfg->https_port,
+				cfg->https_port, reuseport, cfg->ip_transparent,
-				reuseport, cfg->ip_transparent,
+				cfg->tcp_mss, cfg->ip_freebind,
-				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
+				cfg->http_nodelay, cfg->use_systemd,
 				cfg->dnscrypt_port, cfg->ip_dscp)) {
 				listening_ports_free(list);
 				return NULL;
@@ -1605,9 +1622,9 @@ listening_ports_open(struct config_file* cfg, int* reuseport)
 				do_tcp, &hints, portbuf, &list, 
 				cfg->so_rcvbuf, cfg->so_sndbuf,
 				cfg->ssl_port, cfg->tls_additional_port,
-				cfg->https_port,
+				cfg->https_port, reuseport, cfg->ip_transparent,
-				reuseport, cfg->ip_transparent,
+				cfg->tcp_mss, cfg->ip_freebind,
-				cfg->tcp_mss, cfg->ip_freebind, cfg->use_systemd,
+				cfg->http_nodelay, cfg->use_systemd,
 				cfg->dnscrypt_port, cfg->ip_dscp)) {
 				listening_ports_free(list);
 				return NULL;
@@ -2050,6 +2067,28 @@ size_t tcp_req_info_get_stream_buffer_size(void)
 	return s;
 }
 
+size_t http2_get_query_buffer_size(void)
+{
+	size_t s;
+	if(!http2_query_buffer_lock_inited)
+		return http2_query_buffer_count;
+	lock_basic_lock(&http2_query_buffer_count_lock);
+	s = http2_query_buffer_count;
+	lock_basic_unlock(&http2_query_buffer_count_lock);
+	return s;
+}
+
+size_t http2_get_response_buffer_size(void)
+{
+	size_t s;
+	if(!http2_response_buffer_lock_inited)
+		return http2_response_buffer_count;
+	lock_basic_lock(&http2_response_buffer_count_lock);
+	s = http2_response_buffer_count;
+	lock_basic_unlock(&http2_response_buffer_count_lock);
+	return s;
+}
+
 #ifdef HAVE_NGHTTP2
 /** nghttp2 callback. Used to copy response from rbuffer to nghttp2 session */
 static ssize_t http2_submit_response_read_callback(
@@ -2070,8 +2109,7 @@ static ssize_t http2_submit_response_read_callback(
 		sldns_buffer_remaining(h2_stream->rbuffer) == 0) {
 		verbose(VERB_QUERY, "http2: cannot submit buffer. No data "
 			"available in rbuffer");
-		sldns_buffer_free(h2_stream->rbuffer);
+		/* rbuffer will be free'd in frame close cb */
-		h2_stream->rbuffer = NULL;
 		return NGHTTP2_ERR_TEMPORAL_CALLBACK_FAILURE;
 	}
 
@@ -2085,6 +2123,10 @@ static ssize_t http2_submit_response_read_callback(
 
 	if(sldns_buffer_remaining(h2_stream->rbuffer) == 0) {
 		*data_flags |= NGHTTP2_DATA_FLAG_EOF;
+		lock_basic_lock(&http2_response_buffer_count_lock);
+		http2_response_buffer_count -=
+			sldns_buffer_capacity(h2_stream->rbuffer);
+		lock_basic_unlock(&http2_response_buffer_count_lock);
 		sldns_buffer_free(h2_stream->rbuffer);
 		h2_stream->rbuffer = NULL;
 	}
@@ -2092,6 +2134,26 @@ static ssize_t http2_submit_response_read_callback(
 	return copylen;
 }
 
+/**
+ * Send RST_STREAM frame for stream.
+ * @param h2_session: http2 session to submit frame to
+ * @param h2_stream: http2 stream containing frame ID to use in RST_STREAM
+ * @return 0 on error, 1 otherwise
+ */
+static int http2_submit_rst_stream(struct http2_session* h2_session,
+		struct http2_stream* h2_stream)
+{
+	int ret = nghttp2_submit_rst_stream(h2_session->session,
+		NGHTTP2_FLAG_NONE, h2_stream->stream_id,
+		NGHTTP2_INTERNAL_ERROR);
+	if(ret) {
+		verbose(VERB_QUERY, "http2: nghttp2_submit_rst_stream failed, "
+			"error: %s", nghttp2_strerror(ret));
+		return 0;
+	}
+	return 1;
+}
+
 /**
  * DNS response ready to be submitted to nghttp2, to be prepared for sending
  * out. Response is stored in c->buffer. Copy to rbuffer because the c->buffer
@@ -2106,6 +2168,7 @@ int http2_submit_dns_response(struct http2_session* h2_session)
 	char status[4];
 	nghttp2_nv headers[2];
 	struct http2_stream* h2_stream = h2_session->c->h2_stream;
+	size_t rlen;
 
 	if(h2_stream->rbuffer) {
 		log_err("http2 submit response error: rbuffer already "
@@ -2117,17 +2180,28 @@ int http2_submit_dns_response(struct http2_session* h2_session)
 		return 0;
 	}
 
-	if(!(h2_stream->rbuffer = sldns_buffer_new(
-		sldns_buffer_remaining(h2_session->c->buffer)))) {
-		log_err("http2 submit response error: malloc failure");
-		return 0;
-	}
-
 	if(snprintf(status, 4, "%d", h2_stream->status) != 3) {
 		verbose(VERB_QUERY, "http2: submit response error: "
 			"invalid status");
 		return 0;
 	}
+
+	rlen = sldns_buffer_remaining(h2_session->c->buffer);
+	lock_basic_lock(&http2_response_buffer_count_lock);
+	if(http2_response_buffer_count + rlen > http2_response_buffer_max) {
+		lock_basic_unlock(&http2_response_buffer_count_lock);
+		verbose(VERB_ALGO, "reset HTTP2 stream, no space left, "
+			"in https-response-buffer-size");
+		return http2_submit_rst_stream(h2_session, h2_stream);
+	}
+	if(!(h2_stream->rbuffer = sldns_buffer_new(rlen))) {
+		lock_basic_unlock(&http2_response_buffer_count_lock);
+		log_err("http2 submit response error: malloc failure");
+		return 0;
+	}
+	http2_response_buffer_count += rlen;
+	lock_basic_unlock(&http2_response_buffer_count_lock);
+
 	headers[0].name = (uint8_t*)":status";
 	headers[0].namelen = 7;
 	headers[0].value = (uint8_t*)status;
@@ -2275,8 +2349,7 @@ static int http2_query_read_done(struct http2_session* h2_session,
 	}
 	if(sldns_buffer_remaining(h2_session->c->buffer) <
 		sldns_buffer_remaining(h2_stream->qbuffer)) {
-		sldns_buffer_free(h2_stream->qbuffer);
+		/* qbuffer will be free'd in frame close cb */
-		h2_stream->qbuffer = NULL;
 		sldns_buffer_clear(h2_session->c->buffer);
 		verbose(VERB_ALGO, "http2_query_read_done failure: can't fit "
 			"qbuffer in c->buffer");
@@ -2287,6 +2360,9 @@ static int http2_query_read_done(struct http2_session* h2_session,
 		sldns_buffer_current(h2_stream->qbuffer),
 		sldns_buffer_remaining(h2_stream->qbuffer));
 
+	lock_basic_lock(&http2_query_buffer_count_lock);
+	http2_query_buffer_count -= sldns_buffer_capacity(h2_stream->qbuffer);
+	lock_basic_unlock(&http2_query_buffer_count_lock);
 	sldns_buffer_free(h2_stream->qbuffer);
 	h2_stream->qbuffer = NULL;
 
@@ -2449,21 +2525,34 @@ static int http2_buffer_uri_query(struct http2_session* h2_session,
 	expectb64len = sldns_b64_pton_calculate_size(length);
 	log_assert(expectb64len > 0);
 	if(expectb64len >
-		h2_session->c->http2_max_qbuffer_size) {
+		h2_session->c->http2_stream_max_qbuffer_size) {
 		h2_stream->query_too_large = 1;
 		return 1;
 	}
 
+	lock_basic_lock(&http2_query_buffer_count_lock);
+	if(http2_query_buffer_count + expectb64len > http2_query_buffer_max) {
+		lock_basic_unlock(&http2_query_buffer_count_lock);
+		verbose(VERB_ALGO, "reset HTTP2 stream, no space left, "
+			"in http2-query-buffer-size");
+		return http2_submit_rst_stream(h2_session, h2_stream);
+	}
 	if(!(h2_stream->qbuffer = sldns_buffer_new(expectb64len))) {
+		lock_basic_unlock(&http2_query_buffer_count_lock);
 		log_err("http2_req_header fail, qbuffer "
 			"malloc failure");
 		return 0;
 	}
+	http2_query_buffer_count += expectb64len;
+	lock_basic_unlock(&http2_query_buffer_count_lock);
 
 	if(!(b64len = sldns_b64url_pton(
 		(char const *)start, length,
 		sldns_buffer_current(h2_stream->qbuffer),
 		expectb64len)) || b64len < 0) {
+		lock_basic_lock(&http2_query_buffer_count_lock);
+		http2_query_buffer_count -= expectb64len;
+		lock_basic_unlock(&http2_query_buffer_count_lock);
 		sldns_buffer_free(h2_stream->qbuffer);
 		h2_stream->qbuffer = NULL;
 		/* return without error, method can be an
@@ -2518,6 +2607,10 @@ static int http2_req_header_cb(nghttp2_session* session,
 			h2_stream->http_method = HTTP_METHOD_POST;
 			if(h2_stream->qbuffer) {
 				/* POST method uses query from DATA frames */
+				lock_basic_lock(&http2_query_buffer_count_lock);
+				http2_query_buffer_count -=
+					sldns_buffer_capacity(h2_stream->qbuffer);
+				lock_basic_unlock(&http2_query_buffer_count_lock);
 				sldns_buffer_free(h2_stream->qbuffer);
 				h2_stream->qbuffer = NULL;
 			}
@@ -2526,17 +2619,15 @@ static int http2_req_header_cb(nghttp2_session* session,
 		return 0;
 	}
 	if(namelen == 5 && memcmp(":path", name, namelen) == 0) {
-		/* Hard coded /dns-query endpoint, might be nice to make
+		/* :path may contain DNS query, depending on method. Method might
-		 * configurable.
-		 * :path may contain DNS query, depending on method. Method might
 		 * not be known yet here, so check after finishing receiving
 		 * stream. */
-#define HTTP_ENDPOINT "/dns-query"
 #define	HTTP_QUERY_PARAM "?dns="
-		size_t el = sizeof(HTTP_ENDPOINT) - 1;
+		size_t el = strlen(h2_session->c->http_endpoint);
 		size_t qpl = sizeof(HTTP_QUERY_PARAM) - 1;
 
-		if(valuelen < el || memcmp(HTTP_ENDPOINT, value, el) != 0) {
+		if(valuelen < el || memcmp(h2_session->c->http_endpoint,
+			value, el) != 0) {
 			h2_stream->invalid_endpoint = 1;
 			return 0;
 		}
@@ -2583,7 +2674,7 @@ static int http2_req_header_cb(nghttp2_session* session,
 		/* guaranteed to only contian digits and be null terminated */
 		h2_stream->content_length = atoi((const char*)value);
 		if(h2_stream->content_length >
-			h2_session->c->http2_max_qbuffer_size) {
+			h2_session->c->http2_stream_max_qbuffer_size) {
 			h2_stream->query_too_large = 1;
 			return 0;
 		}
@@ -2599,6 +2690,7 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 {
 	struct http2_session* h2_session = (struct http2_session*)cb_arg;
 	struct http2_stream* h2_stream;
+	size_t qlen = 0;
 
 	if(!(h2_stream = nghttp2_session_get_stream_user_data(
 		h2_session->session, stream_id))) {
@@ -2614,17 +2706,28 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 				/* getting more data in DATA frame than
 				 * advertised in content-length header. */
 				return NGHTTP2_ERR_CALLBACK_FAILURE;
-			h2_stream->qbuffer = sldns_buffer_new(
+			qlen = h2_stream->content_length;
-				h2_stream->content_length);
+		} else if(len <= h2_session->c->http2_stream_max_qbuffer_size) {
-		} else if(len <= h2_session->c->http2_max_qbuffer_size) {
 			/* setting this to msg-buffer-size can result in a lot
 			 * of memory consuption. Most queries should fit in a
 			 * single DATA frame, and most POST queries will
 			 * containt content-length which does not impose this
 			 * limit. */
-			h2_stream->qbuffer = sldns_buffer_new(len);
+			qlen = len;
 		}
 	}
+	if(!h2_stream->qbuffer && qlen) {
+		lock_basic_lock(&http2_query_buffer_count_lock);
+		if(http2_query_buffer_count + qlen > http2_query_buffer_max) {
+			lock_basic_unlock(&http2_query_buffer_count_lock);
+			verbose(VERB_ALGO, "reset HTTP2 stream, no space left, "
+				"in http2-query-buffer-size");
+			return http2_submit_rst_stream(h2_session, h2_stream);
+		}
+		if((h2_stream->qbuffer = sldns_buffer_new(qlen)))
+			http2_query_buffer_count += qlen;
+		lock_basic_unlock(&http2_query_buffer_count_lock);
+	}
 
 	if(!h2_stream->qbuffer ||
 		sldns_buffer_remaining(h2_stream->qbuffer) < len) {
@@ -2640,6 +2743,26 @@ static int http2_req_data_chunk_recv_cb(nghttp2_session* ATTR_UNUSED(session),
 	return 0;
 }
 
+void http2_req_stream_clear(struct http2_stream* h2_stream)
+{
+	if(h2_stream->qbuffer) {
+		lock_basic_lock(&http2_query_buffer_count_lock);
+		http2_query_buffer_count -=
+			sldns_buffer_capacity(h2_stream->qbuffer);
+		lock_basic_unlock(&http2_query_buffer_count_lock);
+		sldns_buffer_free(h2_stream->qbuffer);
+		h2_stream->qbuffer = NULL;
+	}
+	if(h2_stream->rbuffer) {
+		lock_basic_lock(&http2_response_buffer_count_lock);
+		http2_response_buffer_count -=
+			sldns_buffer_capacity(h2_stream->rbuffer);
+		lock_basic_unlock(&http2_response_buffer_count_lock);
+		sldns_buffer_free(h2_stream->rbuffer);
+		h2_stream->rbuffer = NULL;
+	}
+}
+
 nghttp2_session_callbacks* http2_req_callbacks_create()
 {
 	nghttp2_session_callbacks *callbacks;

services/listen_dnsport.h

@@ -144,6 +144,8 @@ void listening_ports_free(struct listen_port* list);
  * 	from clients.
  * @param tcp_idle_timeout: idle timeout for TCP connections in msec.
  * @param harden_large_queries: whether query size should be limited.
+ * @param http_max_streams: maximum number of HTTP/2 streams per connection.
+ * @param http_endpoint: HTTP endpoint to service queries on
  * @param tcp_conn_limit: TCP connection limit info.
  * @param sslctx: nonNULL if ssl context.
  * @param dtenv: nonNULL if dnstap enabled.
@@ -152,11 +154,12 @@ void listening_ports_free(struct listen_port* list);
  * @param cb_arg: user data argument for callback function.
  * @return: the malloced listening structure, ready for use. NULL on error.
  */
-struct listen_dnsport* listen_create(struct comm_base* base,
+struct listen_dnsport*
-	struct listen_port* ports, size_t bufsize,
+listen_create(struct comm_base* base, struct listen_port* ports,
-	int tcp_accept_count, int tcp_idle_timeout, int harden_large_queries,
+	size_t bufsize, int tcp_accept_count, int tcp_idle_timeout,
-	struct tcl_list* tcp_conn_limit, void* sslctx,
+	int harden_large_queries, uint32_t http_max_streams,
-	struct dt_env *dtenv, comm_point_callback_type* cb, void* cb_arg);
+	char* http_endpoint, struct tcl_list* tcp_conn_limit, void* sslctx,
+	struct dt_env* dtenv, comm_point_callback_type* cb, void *cb_arg);
 
 /**
  * delete the listening structure
@@ -376,6 +379,11 @@ int tcp_req_info_handle_read_close(struct tcp_req_info* req);
 /** get the size of currently used tcp stream wait buffers (in bytes) */
 size_t tcp_req_info_get_stream_buffer_size(void);
 
+/** get the size of currently used HTTP2 query buffers (in bytes) */
+size_t http2_get_query_buffer_size(void);
+/** get the size of currently used HTTP2 response buffers (in bytes) */
+size_t http2_get_response_buffer_size(void);
+
 #ifdef HAVE_NGHTTP2
 /** 
  * Create nghttp2 callbacks to handle HTTP2 requests.
@@ -383,6 +391,9 @@ size_t tcp_req_info_get_stream_buffer_size(void);
  */
 nghttp2_session_callbacks* http2_req_callbacks_create();
 
+/** Free http2 stream buffers and decrease buffer counters */
+void http2_req_stream_clear(struct http2_stream* h2_stream);
+
 /**
  * DNS response ready to be submitted to nghttp2, to be prepared for sending
  * out. Response is stored in c->buffer. Copy to rbuffer because the c->buffer

smallapp/unbound-control.c

@@ -275,6 +275,8 @@ static void print_mem(struct ub_shm_stat_info* shm_stat,
 		shm_stat->mem.dnscrypt_nonce);
 #endif
 	PR_LL("mem.streamwait", s->svr.mem_stream_wait);
+	PR_LL("mem.http.query_buffer", s->svr.mem_http2_query_buffer);
+	PR_LL("mem.http.response_buffer", s->svr.mem_http2_response_buffer);
 }
 
 /** print histogram */

testcode/fake_event.c

@@ -869,9 +869,11 @@ listen_create(struct comm_base* base, struct listen_port* ATTR_UNUSED(ports),
 	size_t bufsize, int ATTR_UNUSED(tcp_accept_count),
 	int ATTR_UNUSED(tcp_idle_timeout),
 	int ATTR_UNUSED(harden_large_queries),
+	uint32_t ATTR_UNUSED(http_max_streams),
+	char* ATTR_UNUSED(http_endpoint),
 	struct tcl_list* ATTR_UNUSED(tcp_conn_limit),
 	void* ATTR_UNUSED(sslctx), struct dt_env* ATTR_UNUSED(dtenv),
-	comm_point_callback_type* cb, void* cb_arg)
+	comm_point_callback_type* cb, void *cb_arg)
 {
 	struct replay_runtime* runtime = (struct replay_runtime*)base;
 	struct listen_dnsport* l= calloc(1, sizeof(struct listen_dnsport));
@@ -1826,6 +1828,18 @@ tcp_req_info_get_stream_buffer_size(void)
 	return 0;
 }
 
+size_t
+http2_get_query_buffer_size(void)
+{
+	return 0;
+}
+
+size_t
+http2_get_response_buffer_size(void)
+{
+	return 0;
+}
+
 void http2_stream_add_meshstate(struct http2_stream* ATTR_UNUSED(h2_stream),
 	struct mesh_area* ATTR_UNUSED(mesh), struct mesh_state* ATTR_UNUSED(m))
 {

util/config_file.c

@@ -78,6 +78,8 @@ gid_t cfg_gid = (gid_t)-1;
 int autr_permit_small_holddown = 0;
 /** size (in bytes) of stream wait buffers max */
 size_t stream_wait_max = 4 * 1024 * 1024;
+size_t http2_query_buffer_max = 4 * 1024 * 1024;
+size_t http2_response_buffer_max = 4 * 1024 * 1024;
 
 /** global config during parsing */
 struct config_parser_state* cfg_parser = 0;
@@ -116,8 +118,13 @@ config_create(void)
 	cfg->ssl_upstream = 0;
 	cfg->tls_cert_bundle = NULL;
 	cfg->tls_win_cert = 0;
-	cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
 	cfg->tls_use_sni = 1;
+	cfg->https_port = UNBOUND_DNS_OVER_HTTPS_PORT;
+	if(!(cfg->http_endpoint = strdup("/dns-query"))) goto error_exit;
+	cfg->http_max_streams = 100;
+	cfg->http_query_buffer_size = 4*1024*1024;
+	cfg->http_response_buffer_size = 4*1024*1024;
+	cfg->http_nodelay = 1;
 	cfg->use_syslog = 1;
 	cfg->log_identity = NULL; /* changed later with argv[0] */
 	cfg->log_time_ascii = 0;
@@ -509,8 +516,13 @@ int config_set_option(struct config_file* cfg, const char* opt,
 	else S_STRLIST_APPEND("tls-session-ticket-keys:", tls_session_ticket_keys)
 	else S_STR("tls-ciphers:", tls_ciphers)
 	else S_STR("tls-ciphersuites:", tls_ciphersuites)
-	else S_NUMBER_NONZERO("https-port:", https_port)
 	else S_YNO("tls-use-sni:", tls_use_sni)
+	else S_NUMBER_NONZERO("https-port:", https_port)
+	else S_STR("http-endpoint", http_endpoint)
+	else S_NUMBER_NONZERO("http-max-streams", http_max_streams)
+	else S_MEMSIZE("http-query-buffer-size", http_query_buffer_size)
+	else S_MEMSIZE("http-response-buffer-size", http_response_buffer_size)
+	else S_YNO("http-nodelay", http_nodelay)
 	else S_YNO("interface-automatic:", if_automatic)
 	else S_YNO("use-systemd:", use_systemd)
 	else S_YNO("do-daemonize:", do_daemonize)
@@ -965,8 +977,13 @@ config_get_option(struct config_file* cfg, const char* opt,
 	else O_LST(opt, "tls-session-ticket-keys", tls_session_ticket_keys.first)
 	else O_STR(opt, "tls-ciphers", tls_ciphers)
 	else O_STR(opt, "tls-ciphersuites", tls_ciphersuites)
-	else O_DEC(opt, "https-port", https_port)
 	else O_YNO(opt, "tls-use-sni", tls_use_sni)
+	else O_DEC(opt, "https-port", https_port)
+	else O_STR(opt, "http-endpoint", http_endpoint)
+	else O_UNS(opt, "http-max-streams", http_max_streams)
+	else O_MEM(opt, "http-query-buffer-size", http_query_buffer_size)
+	else O_MEM(opt, "http-response-buffer-size", http_response_buffer_size)
+	else O_YNO(opt, "http-nodelay", http_nodelay)
 	else O_YNO(opt, "use-systemd", use_systemd)
 	else O_YNO(opt, "do-daemonize", do_daemonize)
 	else O_STR(opt, "chroot", chrootdir)
@@ -1431,6 +1448,7 @@ config_delete(struct config_file* cfg)
 	config_delstrlist(cfg->tls_session_ticket_keys.first);
 	free(cfg->tls_ciphers);
 	free(cfg->tls_ciphersuites);
+	free(cfg->http_endpoint);
 	if(cfg->log_identity) {
 		log_ident_revert_to_default();
 		free(cfg->log_identity);
@@ -2039,6 +2057,8 @@ config_apply(struct config_file* config)
 	log_set_time_asc(config->log_time_ascii);
 	autr_permit_small_holddown = config->permit_small_holddown;
 	stream_wait_max = config->stream_wait_size;
+	http2_query_buffer_max = config->http_query_buffer_size;
+	http2_response_buffer_max = config->http_response_buffer_size;
 }
 
 void config_lookup_uid(struct config_file* cfg)

util/config_file.h

@@ -128,11 +128,22 @@ struct config_file {
 	char* tls_ciphers;
 	/** TLS chiphersuites (TLSv1.3) */
 	char* tls_ciphersuites;
-	/** port on which to provide DNS over HTTPS service */
-	int https_port;
 	/** if SNI is to be used */
 	int tls_use_sni;
 
+	/** port on which to provide DNS over HTTPS service */
+	int https_port;
+	/** endpoint for HTTP service */
+	char* http_endpoint;
+	/** MAX_CONCURRENT_STREAMS HTTP/2 setting */
+	uint32_t http_max_streams;
+	/** maximum size of all HTTP2 query buffers combined. */
+	size_t http_query_buffer_size;
+	/** maximum size of all HTTP2 response buffers combined. */
+	size_t http_response_buffer_size;
+	/** set TCP_NODELAY option for http sockets */
+	int http_nodelay;
+
 	/** outgoing port range number of ports (per thread) */
 	int outgoing_num_ports;
 	/** number of outgoing tcp buffers per (per thread) */
@@ -622,6 +633,10 @@ extern gid_t cfg_gid;
 extern int autr_permit_small_holddown;
 /** size (in bytes) of stream wait buffers max */
 extern size_t stream_wait_max;
+/** size (in bytes) of all total HTTP2 query buffers max */
+extern size_t http2_query_buffer_max;
+/** size (in bytes) of all total HTTP2 response buffers max */
+extern size_t http2_response_buffer_max;
 
 /**
  * Stub config options

util/configlexer.lex

@@ -248,8 +248,13 @@ tls-additional-port{COLON}	{ YDVAR(1, VAR_TLS_ADDITIONAL_PORT) }
 tls-session-ticket-keys{COLON}	{ YDVAR(1, VAR_TLS_SESSION_TICKET_KEYS) }
 tls-ciphers{COLON}		{ YDVAR(1, VAR_TLS_CIPHERS) }
 tls-ciphersuites{COLON}		{ YDVAR(1, VAR_TLS_CIPHERSUITES) }
-https-port{COLON}		{ YDVAR(1, VAR_HTTPS_PORT) }
 tls-use-sni{COLON}		{ YDVAR(1, VAR_TLS_USE_SNI) }
+https-port{COLON}		{ YDVAR(1, VAR_HTTPS_PORT) }
+http-endpoint{COLON}		{ YDVAR(1, VAR_HTTP_ENDPOINT) }
+http-max-streams{COLON}		{ YDVAR(1, VAR_HTTP_MAX_STREAMS) }
+http-query-buffer-size{COLON}	{ YDVAR(1, VAR_HTTP_QUERY_BUFFER_SIZE) }
+http-response-buffer-size{COLON} { YDVAR(1, VAR_HTTP_RESPONSE_BUFFER_SIZE) }
+http-nodelay{COLON}		{ YDVAR(1, VAR_HTTP_NODELAY) }
 use-systemd{COLON}		{ YDVAR(1, VAR_USE_SYSTEMD) }
 do-daemonize{COLON}		{ YDVAR(1, VAR_DO_DAEMONIZE) }
 interface{COLON}		{ YDVAR(1, VAR_INTERFACE) }

util/configparser.h

@@ -184,153 +184,158 @@ extern int yydebug;
     VAR_FORWARD_SSL_UPSTREAM = 394,
     VAR_TLS_CERT_BUNDLE = 395,
     VAR_HTTPS_PORT = 396,
-    VAR_STUB_FIRST = 397,
+    VAR_HTTP_ENDPOINT = 397,
-    VAR_MINIMAL_RESPONSES = 398,
+    VAR_HTTP_MAX_STREAMS = 398,
-    VAR_RRSET_ROUNDROBIN = 399,
+    VAR_HTTP_QUERY_BUFFER_SIZE = 399,
-    VAR_MAX_UDP_SIZE = 400,
+    VAR_HTTP_RESPONSE_BUFFER_SIZE = 400,
-    VAR_DELAY_CLOSE = 401,
+    VAR_HTTP_NODELAY = 401,
-    VAR_UNBLOCK_LAN_ZONES = 402,
+    VAR_STUB_FIRST = 402,
-    VAR_INSECURE_LAN_ZONES = 403,
+    VAR_MINIMAL_RESPONSES = 403,
-    VAR_INFRA_CACHE_MIN_RTT = 404,
+    VAR_RRSET_ROUNDROBIN = 404,
-    VAR_DNS64_PREFIX = 405,
+    VAR_MAX_UDP_SIZE = 405,
-    VAR_DNS64_SYNTHALL = 406,
+    VAR_DELAY_CLOSE = 406,
-    VAR_DNS64_IGNORE_AAAA = 407,
+    VAR_UNBLOCK_LAN_ZONES = 407,
-    VAR_DNSTAP = 408,
+    VAR_INSECURE_LAN_ZONES = 408,
-    VAR_DNSTAP_ENABLE = 409,
+    VAR_INFRA_CACHE_MIN_RTT = 409,
-    VAR_DNSTAP_SOCKET_PATH = 410,
+    VAR_DNS64_PREFIX = 410,
-    VAR_DNSTAP_IP = 411,
+    VAR_DNS64_SYNTHALL = 411,
-    VAR_DNSTAP_TLS = 412,
+    VAR_DNS64_IGNORE_AAAA = 412,
-    VAR_DNSTAP_TLS_SERVER_NAME = 413,
+    VAR_DNSTAP = 413,
-    VAR_DNSTAP_TLS_CERT_BUNDLE = 414,
+    VAR_DNSTAP_ENABLE = 414,
-    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 415,
+    VAR_DNSTAP_SOCKET_PATH = 415,
-    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 416,
+    VAR_DNSTAP_IP = 416,
-    VAR_DNSTAP_SEND_IDENTITY = 417,
+    VAR_DNSTAP_TLS = 417,
-    VAR_DNSTAP_SEND_VERSION = 418,
+    VAR_DNSTAP_TLS_SERVER_NAME = 418,
-    VAR_DNSTAP_IDENTITY = 419,
+    VAR_DNSTAP_TLS_CERT_BUNDLE = 419,
-    VAR_DNSTAP_VERSION = 420,
+    VAR_DNSTAP_TLS_CLIENT_KEY_FILE = 420,
-    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 421,
+    VAR_DNSTAP_TLS_CLIENT_CERT_FILE = 421,
-    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 422,
+    VAR_DNSTAP_SEND_IDENTITY = 422,
-    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 423,
+    VAR_DNSTAP_SEND_VERSION = 423,
-    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 424,
+    VAR_DNSTAP_IDENTITY = 424,
-    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 425,
+    VAR_DNSTAP_VERSION = 425,
-    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 426,
+    VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES = 426,
-    VAR_RESPONSE_IP_TAG = 427,
+    VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES = 427,
-    VAR_RESPONSE_IP = 428,
+    VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES = 428,
-    VAR_RESPONSE_IP_DATA = 429,
+    VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES = 429,
-    VAR_HARDEN_ALGO_DOWNGRADE = 430,
+    VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES = 430,
-    VAR_IP_TRANSPARENT = 431,
+    VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES = 431,
-    VAR_IP_DSCP = 432,
+    VAR_RESPONSE_IP_TAG = 432,
-    VAR_DISABLE_DNSSEC_LAME_CHECK = 433,
+    VAR_RESPONSE_IP = 433,
-    VAR_IP_RATELIMIT = 434,
+    VAR_RESPONSE_IP_DATA = 434,
-    VAR_IP_RATELIMIT_SLABS = 435,
+    VAR_HARDEN_ALGO_DOWNGRADE = 435,
-    VAR_IP_RATELIMIT_SIZE = 436,
+    VAR_IP_TRANSPARENT = 436,
-    VAR_RATELIMIT = 437,
+    VAR_IP_DSCP = 437,
-    VAR_RATELIMIT_SLABS = 438,
+    VAR_DISABLE_DNSSEC_LAME_CHECK = 438,
-    VAR_RATELIMIT_SIZE = 439,
+    VAR_IP_RATELIMIT = 439,
-    VAR_RATELIMIT_FOR_DOMAIN = 440,
+    VAR_IP_RATELIMIT_SLABS = 440,
-    VAR_RATELIMIT_BELOW_DOMAIN = 441,
+    VAR_IP_RATELIMIT_SIZE = 441,
-    VAR_IP_RATELIMIT_FACTOR = 442,
+    VAR_RATELIMIT = 442,
-    VAR_RATELIMIT_FACTOR = 443,
+    VAR_RATELIMIT_SLABS = 443,
-    VAR_SEND_CLIENT_SUBNET = 444,
+    VAR_RATELIMIT_SIZE = 444,
-    VAR_CLIENT_SUBNET_ZONE = 445,
+    VAR_RATELIMIT_FOR_DOMAIN = 445,
-    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 446,
+    VAR_RATELIMIT_BELOW_DOMAIN = 446,
-    VAR_CLIENT_SUBNET_OPCODE = 447,
+    VAR_IP_RATELIMIT_FACTOR = 447,
-    VAR_MAX_CLIENT_SUBNET_IPV4 = 448,
+    VAR_RATELIMIT_FACTOR = 448,
-    VAR_MAX_CLIENT_SUBNET_IPV6 = 449,
+    VAR_SEND_CLIENT_SUBNET = 449,
-    VAR_MIN_CLIENT_SUBNET_IPV4 = 450,
+    VAR_CLIENT_SUBNET_ZONE = 450,
-    VAR_MIN_CLIENT_SUBNET_IPV6 = 451,
+    VAR_CLIENT_SUBNET_ALWAYS_FORWARD = 451,
-    VAR_MAX_ECS_TREE_SIZE_IPV4 = 452,
+    VAR_CLIENT_SUBNET_OPCODE = 452,
-    VAR_MAX_ECS_TREE_SIZE_IPV6 = 453,
+    VAR_MAX_CLIENT_SUBNET_IPV4 = 453,
-    VAR_CAPS_WHITELIST = 454,
+    VAR_MAX_CLIENT_SUBNET_IPV6 = 454,
-    VAR_CACHE_MAX_NEGATIVE_TTL = 455,
+    VAR_MIN_CLIENT_SUBNET_IPV4 = 455,
-    VAR_PERMIT_SMALL_HOLDDOWN = 456,
+    VAR_MIN_CLIENT_SUBNET_IPV6 = 456,
-    VAR_QNAME_MINIMISATION = 457,
+    VAR_MAX_ECS_TREE_SIZE_IPV4 = 457,
-    VAR_QNAME_MINIMISATION_STRICT = 458,
+    VAR_MAX_ECS_TREE_SIZE_IPV6 = 458,
-    VAR_IP_FREEBIND = 459,
+    VAR_CAPS_WHITELIST = 459,
-    VAR_DEFINE_TAG = 460,
+    VAR_CACHE_MAX_NEGATIVE_TTL = 460,
-    VAR_LOCAL_ZONE_TAG = 461,
+    VAR_PERMIT_SMALL_HOLDDOWN = 461,
-    VAR_ACCESS_CONTROL_TAG = 462,
+    VAR_QNAME_MINIMISATION = 462,
-    VAR_LOCAL_ZONE_OVERRIDE = 463,
+    VAR_QNAME_MINIMISATION_STRICT = 463,
-    VAR_ACCESS_CONTROL_TAG_ACTION = 464,
+    VAR_IP_FREEBIND = 464,
-    VAR_ACCESS_CONTROL_TAG_DATA = 465,
+    VAR_DEFINE_TAG = 465,
-    VAR_VIEW = 466,
+    VAR_LOCAL_ZONE_TAG = 466,
-    VAR_ACCESS_CONTROL_VIEW = 467,
+    VAR_ACCESS_CONTROL_TAG = 467,
-    VAR_VIEW_FIRST = 468,
+    VAR_LOCAL_ZONE_OVERRIDE = 468,
-    VAR_SERVE_EXPIRED = 469,
+    VAR_ACCESS_CONTROL_TAG_ACTION = 469,
-    VAR_SERVE_EXPIRED_TTL = 470,
+    VAR_ACCESS_CONTROL_TAG_DATA = 470,
-    VAR_SERVE_EXPIRED_TTL_RESET = 471,
+    VAR_VIEW = 471,
-    VAR_SERVE_EXPIRED_REPLY_TTL = 472,
+    VAR_ACCESS_CONTROL_VIEW = 472,
-    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 473,
+    VAR_VIEW_FIRST = 473,
-    VAR_FAKE_DSA = 474,
+    VAR_SERVE_EXPIRED = 474,
-    VAR_FAKE_SHA1 = 475,
+    VAR_SERVE_EXPIRED_TTL = 475,
-    VAR_LOG_IDENTITY = 476,
+    VAR_SERVE_EXPIRED_TTL_RESET = 476,
-    VAR_HIDE_TRUSTANCHOR = 477,
+    VAR_SERVE_EXPIRED_REPLY_TTL = 477,
-    VAR_TRUST_ANCHOR_SIGNALING = 478,
+    VAR_SERVE_EXPIRED_CLIENT_TIMEOUT = 478,
-    VAR_AGGRESSIVE_NSEC = 479,
+    VAR_FAKE_DSA = 479,
-    VAR_USE_SYSTEMD = 480,
+    VAR_FAKE_SHA1 = 480,
-    VAR_SHM_ENABLE = 481,
+    VAR_LOG_IDENTITY = 481,
-    VAR_SHM_KEY = 482,
+    VAR_HIDE_TRUSTANCHOR = 482,
-    VAR_ROOT_KEY_SENTINEL = 483,
+    VAR_TRUST_ANCHOR_SIGNALING = 483,
-    VAR_DNSCRYPT = 484,
+    VAR_AGGRESSIVE_NSEC = 484,
-    VAR_DNSCRYPT_ENABLE = 485,
+    VAR_USE_SYSTEMD = 485,
-    VAR_DNSCRYPT_PORT = 486,
+    VAR_SHM_ENABLE = 486,
-    VAR_DNSCRYPT_PROVIDER = 487,
+    VAR_SHM_KEY = 487,
-    VAR_DNSCRYPT_SECRET_KEY = 488,
+    VAR_ROOT_KEY_SENTINEL = 488,
-    VAR_DNSCRYPT_PROVIDER_CERT = 489,
+    VAR_DNSCRYPT = 489,
-    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 490,
+    VAR_DNSCRYPT_ENABLE = 490,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 491,
+    VAR_DNSCRYPT_PORT = 491,
-    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 492,
+    VAR_DNSCRYPT_PROVIDER = 492,
-    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 493,
+    VAR_DNSCRYPT_SECRET_KEY = 493,
-    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 494,
+    VAR_DNSCRYPT_PROVIDER_CERT = 494,
-    VAR_IPSECMOD_ENABLED = 495,
+    VAR_DNSCRYPT_PROVIDER_CERT_ROTATED = 495,
-    VAR_IPSECMOD_HOOK = 496,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE = 496,
-    VAR_IPSECMOD_IGNORE_BOGUS = 497,
+    VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS = 497,
-    VAR_IPSECMOD_MAX_TTL = 498,
+    VAR_DNSCRYPT_NONCE_CACHE_SIZE = 498,
-    VAR_IPSECMOD_WHITELIST = 499,
+    VAR_DNSCRYPT_NONCE_CACHE_SLABS = 499,
-    VAR_IPSECMOD_STRICT = 500,
+    VAR_IPSECMOD_ENABLED = 500,
-    VAR_CACHEDB = 501,
+    VAR_IPSECMOD_HOOK = 501,
-    VAR_CACHEDB_BACKEND = 502,
+    VAR_IPSECMOD_IGNORE_BOGUS = 502,
-    VAR_CACHEDB_SECRETSEED = 503,
+    VAR_IPSECMOD_MAX_TTL = 503,
-    VAR_CACHEDB_REDISHOST = 504,
+    VAR_IPSECMOD_WHITELIST = 504,
-    VAR_CACHEDB_REDISPORT = 505,
+    VAR_IPSECMOD_STRICT = 505,
-    VAR_CACHEDB_REDISTIMEOUT = 506,
+    VAR_CACHEDB = 506,
-    VAR_CACHEDB_REDISEXPIRERECORDS = 507,
+    VAR_CACHEDB_BACKEND = 507,
-    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 508,
+    VAR_CACHEDB_SECRETSEED = 508,
-    VAR_FOR_UPSTREAM = 509,
+    VAR_CACHEDB_REDISHOST = 509,
-    VAR_AUTH_ZONE = 510,
+    VAR_CACHEDB_REDISPORT = 510,
-    VAR_ZONEFILE = 511,
+    VAR_CACHEDB_REDISTIMEOUT = 511,
-    VAR_MASTER = 512,
+    VAR_CACHEDB_REDISEXPIRERECORDS = 512,
-    VAR_URL = 513,
+    VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM = 513,
-    VAR_FOR_DOWNSTREAM = 514,
+    VAR_FOR_UPSTREAM = 514,
-    VAR_FALLBACK_ENABLED = 515,
+    VAR_AUTH_ZONE = 515,
-    VAR_TLS_ADDITIONAL_PORT = 516,
+    VAR_ZONEFILE = 516,
-    VAR_LOW_RTT = 517,
+    VAR_MASTER = 517,
-    VAR_LOW_RTT_PERMIL = 518,
+    VAR_URL = 518,
-    VAR_FAST_SERVER_PERMIL = 519,
+    VAR_FOR_DOWNSTREAM = 519,
-    VAR_FAST_SERVER_NUM = 520,
+    VAR_FALLBACK_ENABLED = 520,
-    VAR_ALLOW_NOTIFY = 521,
+    VAR_TLS_ADDITIONAL_PORT = 521,
-    VAR_TLS_WIN_CERT = 522,
+    VAR_LOW_RTT = 522,
-    VAR_TCP_CONNECTION_LIMIT = 523,
+    VAR_LOW_RTT_PERMIL = 523,
-    VAR_FORWARD_NO_CACHE = 524,
+    VAR_FAST_SERVER_PERMIL = 524,
-    VAR_STUB_NO_CACHE = 525,
+    VAR_FAST_SERVER_NUM = 525,
-    VAR_LOG_SERVFAIL = 526,
+    VAR_ALLOW_NOTIFY = 526,
-    VAR_DENY_ANY = 527,
+    VAR_TLS_WIN_CERT = 527,
-    VAR_UNKNOWN_SERVER_TIME_LIMIT = 528,
+    VAR_TCP_CONNECTION_LIMIT = 528,
-    VAR_LOG_TAG_QUERYREPLY = 529,
+    VAR_FORWARD_NO_CACHE = 529,
-    VAR_STREAM_WAIT_SIZE = 530,
+    VAR_STUB_NO_CACHE = 530,
-    VAR_TLS_CIPHERS = 531,
+    VAR_LOG_SERVFAIL = 531,
-    VAR_TLS_CIPHERSUITES = 532,
+    VAR_DENY_ANY = 532,
-    VAR_TLS_USE_SNI = 533,
+    VAR_UNKNOWN_SERVER_TIME_LIMIT = 533,
-    VAR_IPSET = 534,
+    VAR_LOG_TAG_QUERYREPLY = 534,
-    VAR_IPSET_NAME_V4 = 535,
+    VAR_STREAM_WAIT_SIZE = 535,
-    VAR_IPSET_NAME_V6 = 536,
+    VAR_TLS_CIPHERS = 536,
-    VAR_TLS_SESSION_TICKET_KEYS = 537,
+    VAR_TLS_CIPHERSUITES = 537,
-    VAR_RPZ = 538,
+    VAR_TLS_USE_SNI = 538,
-    VAR_TAGS = 539,
+    VAR_IPSET = 539,
-    VAR_RPZ_ACTION_OVERRIDE = 540,
+    VAR_IPSET_NAME_V4 = 540,
-    VAR_RPZ_CNAME_OVERRIDE = 541,
+    VAR_IPSET_NAME_V6 = 541,
-    VAR_RPZ_LOG = 542,
+    VAR_TLS_SESSION_TICKET_KEYS = 542,
-    VAR_RPZ_LOG_NAME = 543
+    VAR_RPZ = 543,
+    VAR_TAGS = 544,
+    VAR_RPZ_ACTION_OVERRIDE = 545,
+    VAR_RPZ_CNAME_OVERRIDE = 546,
+    VAR_RPZ_LOG = 547,
+    VAR_RPZ_LOG_NAME = 548
   };
 #endif
 /* Tokens.  */
@@ -473,153 +478,158 @@ extern int yydebug;
 #define VAR_FORWARD_SSL_UPSTREAM 394
 #define VAR_TLS_CERT_BUNDLE 395
 #define VAR_HTTPS_PORT 396
-#define VAR_STUB_FIRST 397
+#define VAR_HTTP_ENDPOINT 397
-#define VAR_MINIMAL_RESPONSES 398
+#define VAR_HTTP_MAX_STREAMS 398
-#define VAR_RRSET_ROUNDROBIN 399
+#define VAR_HTTP_QUERY_BUFFER_SIZE 399
-#define VAR_MAX_UDP_SIZE 400
+#define VAR_HTTP_RESPONSE_BUFFER_SIZE 400
-#define VAR_DELAY_CLOSE 401
+#define VAR_HTTP_NODELAY 401
-#define VAR_UNBLOCK_LAN_ZONES 402
+#define VAR_STUB_FIRST 402
-#define VAR_INSECURE_LAN_ZONES 403
+#define VAR_MINIMAL_RESPONSES 403
-#define VAR_INFRA_CACHE_MIN_RTT 404
+#define VAR_RRSET_ROUNDROBIN 404
-#define VAR_DNS64_PREFIX 405
+#define VAR_MAX_UDP_SIZE 405
-#define VAR_DNS64_SYNTHALL 406
+#define VAR_DELAY_CLOSE 406
-#define VAR_DNS64_IGNORE_AAAA 407
+#define VAR_UNBLOCK_LAN_ZONES 407
-#define VAR_DNSTAP 408
+#define VAR_INSECURE_LAN_ZONES 408
-#define VAR_DNSTAP_ENABLE 409
+#define VAR_INFRA_CACHE_MIN_RTT 409
-#define VAR_DNSTAP_SOCKET_PATH 410
+#define VAR_DNS64_PREFIX 410
-#define VAR_DNSTAP_IP 411
+#define VAR_DNS64_SYNTHALL 411
-#define VAR_DNSTAP_TLS 412
+#define VAR_DNS64_IGNORE_AAAA 412
-#define VAR_DNSTAP_TLS_SERVER_NAME 413
+#define VAR_DNSTAP 413
-#define VAR_DNSTAP_TLS_CERT_BUNDLE 414
+#define VAR_DNSTAP_ENABLE 414
-#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 415
+#define VAR_DNSTAP_SOCKET_PATH 415
-#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 416
+#define VAR_DNSTAP_IP 416
-#define VAR_DNSTAP_SEND_IDENTITY 417
+#define VAR_DNSTAP_TLS 417
-#define VAR_DNSTAP_SEND_VERSION 418
+#define VAR_DNSTAP_TLS_SERVER_NAME 418
-#define VAR_DNSTAP_IDENTITY 419
+#define VAR_DNSTAP_TLS_CERT_BUNDLE 419
-#define VAR_DNSTAP_VERSION 420
+#define VAR_DNSTAP_TLS_CLIENT_KEY_FILE 420
-#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 421
+#define VAR_DNSTAP_TLS_CLIENT_CERT_FILE 421
-#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 422
+#define VAR_DNSTAP_SEND_IDENTITY 422
-#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 423
+#define VAR_DNSTAP_SEND_VERSION 423
-#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 424
+#define VAR_DNSTAP_IDENTITY 424
-#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 425
+#define VAR_DNSTAP_VERSION 425
-#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 426
+#define VAR_DNSTAP_LOG_RESOLVER_QUERY_MESSAGES 426
-#define VAR_RESPONSE_IP_TAG 427
+#define VAR_DNSTAP_LOG_RESOLVER_RESPONSE_MESSAGES 427
-#define VAR_RESPONSE_IP 428
+#define VAR_DNSTAP_LOG_CLIENT_QUERY_MESSAGES 428
-#define VAR_RESPONSE_IP_DATA 429
+#define VAR_DNSTAP_LOG_CLIENT_RESPONSE_MESSAGES 429
-#define VAR_HARDEN_ALGO_DOWNGRADE 430
+#define VAR_DNSTAP_LOG_FORWARDER_QUERY_MESSAGES 430
-#define VAR_IP_TRANSPARENT 431
+#define VAR_DNSTAP_LOG_FORWARDER_RESPONSE_MESSAGES 431
-#define VAR_IP_DSCP 432
+#define VAR_RESPONSE_IP_TAG 432
-#define VAR_DISABLE_DNSSEC_LAME_CHECK 433
+#define VAR_RESPONSE_IP 433
-#define VAR_IP_RATELIMIT 434
+#define VAR_RESPONSE_IP_DATA 434
-#define VAR_IP_RATELIMIT_SLABS 435
+#define VAR_HARDEN_ALGO_DOWNGRADE 435
-#define VAR_IP_RATELIMIT_SIZE 436
+#define VAR_IP_TRANSPARENT 436
-#define VAR_RATELIMIT 437
+#define VAR_IP_DSCP 437
-#define VAR_RATELIMIT_SLABS 438
+#define VAR_DISABLE_DNSSEC_LAME_CHECK 438
-#define VAR_RATELIMIT_SIZE 439
+#define VAR_IP_RATELIMIT 439
-#define VAR_RATELIMIT_FOR_DOMAIN 440
+#define VAR_IP_RATELIMIT_SLABS 440
-#define VAR_RATELIMIT_BELOW_DOMAIN 441
+#define VAR_IP_RATELIMIT_SIZE 441
-#define VAR_IP_RATELIMIT_FACTOR 442
+#define VAR_RATELIMIT 442
-#define VAR_RATELIMIT_FACTOR 443
+#define VAR_RATELIMIT_SLABS 443
-#define VAR_SEND_CLIENT_SUBNET 444
+#define VAR_RATELIMIT_SIZE 444
-#define VAR_CLIENT_SUBNET_ZONE 445
+#define VAR_RATELIMIT_FOR_DOMAIN 445
-#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 446
+#define VAR_RATELIMIT_BELOW_DOMAIN 446
-#define VAR_CLIENT_SUBNET_OPCODE 447
+#define VAR_IP_RATELIMIT_FACTOR 447
-#define VAR_MAX_CLIENT_SUBNET_IPV4 448
+#define VAR_RATELIMIT_FACTOR 448
-#define VAR_MAX_CLIENT_SUBNET_IPV6 449
+#define VAR_SEND_CLIENT_SUBNET 449
-#define VAR_MIN_CLIENT_SUBNET_IPV4 450
+#define VAR_CLIENT_SUBNET_ZONE 450
-#define VAR_MIN_CLIENT_SUBNET_IPV6 451
+#define VAR_CLIENT_SUBNET_ALWAYS_FORWARD 451
-#define VAR_MAX_ECS_TREE_SIZE_IPV4 452
+#define VAR_CLIENT_SUBNET_OPCODE 452
-#define VAR_MAX_ECS_TREE_SIZE_IPV6 453
+#define VAR_MAX_CLIENT_SUBNET_IPV4 453
-#define VAR_CAPS_WHITELIST 454
+#define VAR_MAX_CLIENT_SUBNET_IPV6 454
-#define VAR_CACHE_MAX_NEGATIVE_TTL 455
+#define VAR_MIN_CLIENT_SUBNET_IPV4 455
-#define VAR_PERMIT_SMALL_HOLDDOWN 456
+#define VAR_MIN_CLIENT_SUBNET_IPV6 456
-#define VAR_QNAME_MINIMISATION 457
+#define VAR_MAX_ECS_TREE_SIZE_IPV4 457
-#define VAR_QNAME_MINIMISATION_STRICT 458
+#define VAR_MAX_ECS_TREE_SIZE_IPV6 458
-#define VAR_IP_FREEBIND 459
+#define VAR_CAPS_WHITELIST 459
-#define VAR_DEFINE_TAG 460
+#define VAR_CACHE_MAX_NEGATIVE_TTL 460
-#define VAR_LOCAL_ZONE_TAG 461
+#define VAR_PERMIT_SMALL_HOLDDOWN 461
-#define VAR_ACCESS_CONTROL_TAG 462
+#define VAR_QNAME_MINIMISATION 462
-#define VAR_LOCAL_ZONE_OVERRIDE 463
+#define VAR_QNAME_MINIMISATION_STRICT 463
-#define VAR_ACCESS_CONTROL_TAG_ACTION 464
+#define VAR_IP_FREEBIND 464
-#define VAR_ACCESS_CONTROL_TAG_DATA 465
+#define VAR_DEFINE_TAG 465
-#define VAR_VIEW 466
+#define VAR_LOCAL_ZONE_TAG 466
-#define VAR_ACCESS_CONTROL_VIEW 467
+#define VAR_ACCESS_CONTROL_TAG 467
-#define VAR_VIEW_FIRST 468
+#define VAR_LOCAL_ZONE_OVERRIDE 468
-#define VAR_SERVE_EXPIRED 469
+#define VAR_ACCESS_CONTROL_TAG_ACTION 469
-#define VAR_SERVE_EXPIRED_TTL 470
+#define VAR_ACCESS_CONTROL_TAG_DATA 470
-#define VAR_SERVE_EXPIRED_TTL_RESET 471
+#define VAR_VIEW 471
-#define VAR_SERVE_EXPIRED_REPLY_TTL 472
+#define VAR_ACCESS_CONTROL_VIEW 472
-#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 473
+#define VAR_VIEW_FIRST 473
-#define VAR_FAKE_DSA 474
+#define VAR_SERVE_EXPIRED 474
-#define VAR_FAKE_SHA1 475
+#define VAR_SERVE_EXPIRED_TTL 475
-#define VAR_LOG_IDENTITY 476
+#define VAR_SERVE_EXPIRED_TTL_RESET 476
-#define VAR_HIDE_TRUSTANCHOR 477
+#define VAR_SERVE_EXPIRED_REPLY_TTL 477
-#define VAR_TRUST_ANCHOR_SIGNALING 478
+#define VAR_SERVE_EXPIRED_CLIENT_TIMEOUT 478
-#define VAR_AGGRESSIVE_NSEC 479
+#define VAR_FAKE_DSA 479
-#define VAR_USE_SYSTEMD 480
+#define VAR_FAKE_SHA1 480
-#define VAR_SHM_ENABLE 481
+#define VAR_LOG_IDENTITY 481
-#define VAR_SHM_KEY 482
+#define VAR_HIDE_TRUSTANCHOR 482
-#define VAR_ROOT_KEY_SENTINEL 483
+#define VAR_TRUST_ANCHOR_SIGNALING 483
-#define VAR_DNSCRYPT 484
+#define VAR_AGGRESSIVE_NSEC 484
-#define VAR_DNSCRYPT_ENABLE 485
+#define VAR_USE_SYSTEMD 485
-#define VAR_DNSCRYPT_PORT 486
+#define VAR_SHM_ENABLE 486
-#define VAR_DNSCRYPT_PROVIDER 487
+#define VAR_SHM_KEY 487
-#define VAR_DNSCRYPT_SECRET_KEY 488
+#define VAR_ROOT_KEY_SENTINEL 488
-#define VAR_DNSCRYPT_PROVIDER_CERT 489
+#define VAR_DNSCRYPT 489
-#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 490
+#define VAR_DNSCRYPT_ENABLE 490
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 491
+#define VAR_DNSCRYPT_PORT 491
-#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 492
+#define VAR_DNSCRYPT_PROVIDER 492
-#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 493
+#define VAR_DNSCRYPT_SECRET_KEY 493
-#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 494
+#define VAR_DNSCRYPT_PROVIDER_CERT 494
-#define VAR_IPSECMOD_ENABLED 495
+#define VAR_DNSCRYPT_PROVIDER_CERT_ROTATED 495
-#define VAR_IPSECMOD_HOOK 496
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SIZE 496
-#define VAR_IPSECMOD_IGNORE_BOGUS 497
+#define VAR_DNSCRYPT_SHARED_SECRET_CACHE_SLABS 497
-#define VAR_IPSECMOD_MAX_TTL 498
+#define VAR_DNSCRYPT_NONCE_CACHE_SIZE 498
-#define VAR_IPSECMOD_WHITELIST 499
+#define VAR_DNSCRYPT_NONCE_CACHE_SLABS 499
-#define VAR_IPSECMOD_STRICT 500
+#define VAR_IPSECMOD_ENABLED 500
-#define VAR_CACHEDB 501
+#define VAR_IPSECMOD_HOOK 501
-#define VAR_CACHEDB_BACKEND 502
+#define VAR_IPSECMOD_IGNORE_BOGUS 502
-#define VAR_CACHEDB_SECRETSEED 503
+#define VAR_IPSECMOD_MAX_TTL 503
-#define VAR_CACHEDB_REDISHOST 504
+#define VAR_IPSECMOD_WHITELIST 504
-#define VAR_CACHEDB_REDISPORT 505
+#define VAR_IPSECMOD_STRICT 505
-#define VAR_CACHEDB_REDISTIMEOUT 506
+#define VAR_CACHEDB 506
-#define VAR_CACHEDB_REDISEXPIRERECORDS 507
+#define VAR_CACHEDB_BACKEND 507
-#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 508
+#define VAR_CACHEDB_SECRETSEED 508
-#define VAR_FOR_UPSTREAM 509
+#define VAR_CACHEDB_REDISHOST 509
-#define VAR_AUTH_ZONE 510
+#define VAR_CACHEDB_REDISPORT 510
-#define VAR_ZONEFILE 511
+#define VAR_CACHEDB_REDISTIMEOUT 511
-#define VAR_MASTER 512
+#define VAR_CACHEDB_REDISEXPIRERECORDS 512
-#define VAR_URL 513
+#define VAR_UDP_UPSTREAM_WITHOUT_DOWNSTREAM 513
-#define VAR_FOR_DOWNSTREAM 514
+#define VAR_FOR_UPSTREAM 514
-#define VAR_FALLBACK_ENABLED 515
+#define VAR_AUTH_ZONE 515
-#define VAR_TLS_ADDITIONAL_PORT 516
+#define VAR_ZONEFILE 516
-#define VAR_LOW_RTT 517
+#define VAR_MASTER 517
-#define VAR_LOW_RTT_PERMIL 518
+#define VAR_URL 518
-#define VAR_FAST_SERVER_PERMIL 519
+#define VAR_FOR_DOWNSTREAM 519
-#define VAR_FAST_SERVER_NUM 520
+#define VAR_FALLBACK_ENABLED 520
-#define VAR_ALLOW_NOTIFY 521
+#define VAR_TLS_ADDITIONAL_PORT 521
-#define VAR_TLS_WIN_CERT 522
+#define VAR_LOW_RTT 522
-#define VAR_TCP_CONNECTION_LIMIT 523
+#define VAR_LOW_RTT_PERMIL 523
-#define VAR_FORWARD_NO_CACHE 524
+#define VAR_FAST_SERVER_PERMIL 524
-#define VAR_STUB_NO_CACHE 525
+#define VAR_FAST_SERVER_NUM 525
-#define VAR_LOG_SERVFAIL 526
+#define VAR_ALLOW_NOTIFY 526
-#define VAR_DENY_ANY 527
+#define VAR_TLS_WIN_CERT 527
-#define VAR_UNKNOWN_SERVER_TIME_LIMIT 528
+#define VAR_TCP_CONNECTION_LIMIT 528
-#define VAR_LOG_TAG_QUERYREPLY 529
+#define VAR_FORWARD_NO_CACHE 529
-#define VAR_STREAM_WAIT_SIZE 530
+#define VAR_STUB_NO_CACHE 530
-#define VAR_TLS_CIPHERS 531
+#define VAR_LOG_SERVFAIL 531
-#define VAR_TLS_CIPHERSUITES 532
+#define VAR_DENY_ANY 532
-#define VAR_TLS_USE_SNI 533
+#define VAR_UNKNOWN_SERVER_TIME_LIMIT 533
-#define VAR_IPSET 534
+#define VAR_LOG_TAG_QUERYREPLY 534
-#define VAR_IPSET_NAME_V4 535
+#define VAR_STREAM_WAIT_SIZE 535
-#define VAR_IPSET_NAME_V6 536
+#define VAR_TLS_CIPHERS 536
-#define VAR_TLS_SESSION_TICKET_KEYS 537
+#define VAR_TLS_CIPHERSUITES 537
-#define VAR_RPZ 538
+#define VAR_TLS_USE_SNI 538
-#define VAR_TAGS 539
+#define VAR_IPSET 539
-#define VAR_RPZ_ACTION_OVERRIDE 540
+#define VAR_IPSET_NAME_V4 540
-#define VAR_RPZ_CNAME_OVERRIDE 541
+#define VAR_IPSET_NAME_V6 541
-#define VAR_RPZ_LOG 542
+#define VAR_TLS_SESSION_TICKET_KEYS 542
-#define VAR_RPZ_LOG_NAME 543
+#define VAR_RPZ 543
+#define VAR_TAGS 544
+#define VAR_RPZ_ACTION_OVERRIDE 545
+#define VAR_RPZ_CNAME_OVERRIDE 546
+#define VAR_RPZ_LOG 547
+#define VAR_RPZ_LOG_NAME 548
 
 /* Value type.  */
 #if ! defined YYSTYPE && ! defined YYSTYPE_IS_DECLARED
@@ -630,7 +640,7 @@ union YYSTYPE
 
 	char*	str;
 
-#line 634 "util/configparser.h" /* yacc.c:1909  */
+#line 644 "util/configparser.h" /* yacc.c:1909  */
 };
 
 typedef union YYSTYPE YYSTYPE;

util/configparser.y

@@ -111,7 +111,9 @@ extern struct config_parser_state* cfg_parser;
 %token VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
 %token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT VAR_FORWARD_FIRST
 %token VAR_STUB_SSL_UPSTREAM VAR_FORWARD_SSL_UPSTREAM VAR_TLS_CERT_BUNDLE
-%token VAR_HTTPS_PORT
+%token VAR_HTTPS_PORT VAR_HTTP_ENDPOINT VAR_HTTP_MAX_STREAMS
+%token VAR_HTTP_QUERY_BUFFER_SIZE VAR_HTTP_RESPONSE_BUFFER_SIZE
+%token VAR_HTTP_NODELAY
 %token VAR_STUB_FIRST VAR_MINIMAL_RESPONSES VAR_RRSET_ROUNDROBIN
 %token VAR_MAX_UDP_SIZE VAR_DELAY_CLOSE
 %token VAR_UNBLOCK_LAN_ZONES VAR_INSECURE_LAN_ZONES
@@ -238,7 +240,9 @@ content_server: server_num_threads | server_verbosity | server_port |
 	server_log_queries | server_log_replies | server_tcp_upstream | server_ssl_upstream |
 	server_log_local_actions |
 	server_ssl_service_key | server_ssl_service_pem | server_ssl_port |
-	server_https_port |
+	server_https_port | server_http_endpoint | server_http_max_streams |
+	server_http_query_buffer_size | server_http_response_buffer_size |
+	server_http_nodelay |
 	server_minimal_responses | server_rrset_roundrobin | server_max_udp_size |
 	server_so_reuseport | server_delay_close |
 	server_unblock_lan_zones | server_insecure_lan_zones |
@@ -955,13 +959,6 @@ server_tls_session_ticket_keys: VAR_TLS_SESSION_TICKET_KEYS STRING_ARG
 			yyerror("out of memory");
 	}
 	;
-server_https_port: VAR_HTTPS_PORT STRING_ARG
-	{
-		OUTYY(("P(server_https_port:%s)\n", $2));
-		if(atoi($2) == 0)
-			yyerror("port number expected");
-		else cfg_parser->cfg->https_port = atoi($2);
-	};
 server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG
 	{
 		OUTYY(("P(server_tls_use_sni:%s)\n", $2));
@@ -971,6 +968,59 @@ server_tls_use_sni: VAR_TLS_USE_SNI STRING_ARG
 		free($2);
 	}
 	;
+server_https_port: VAR_HTTPS_PORT STRING_ARG
+	{
+		OUTYY(("P(server_https_port:%s)\n", $2));
+		if(atoi($2) == 0)
+			yyerror("port number expected");
+		else cfg_parser->cfg->https_port = atoi($2);
+	};
+server_http_endpoint: VAR_HTTP_ENDPOINT STRING_ARG
+	{
+		OUTYY(("P(server_http_endpoint:%s)\n", $2));
+		free(cfg_parser->cfg->http_endpoint);
+		if($2 && $2[0] != '/') {
+			cfg_parser->cfg->http_endpoint = malloc(strlen($2)+2);
+			cfg_parser->cfg->http_endpoint[0] = '/';
+			memcpy(cfg_parser->cfg->http_endpoint+1, $2,
+				strlen($2)+1);
+			free($2);
+		} else {
+			cfg_parser->cfg->http_endpoint = $2;
+		}
+	};
+server_http_max_streams: VAR_HTTP_MAX_STREAMS STRING_ARG
+	{
+		OUTYY(("P(server_http_max_streams:%s)\n", $2));
+		if(atoi($2) == 0 && strcmp($2, "0") != 0)
+			yyerror("number expected");
+		else cfg_parser->cfg->http_max_streams = atoi($2);
+		free($2);
+	};
+server_http_query_buffer_size: VAR_HTTP_QUERY_BUFFER_SIZE STRING_ARG
+	{
+		OUTYY(("P(server_http_query_buffer_size:%s)\n", $2));
+		if(!cfg_parse_memsize($2,
+			&cfg_parser->cfg->http_query_buffer_size))
+			yyerror("memory size expected");
+		free($2);
+	};
+server_http_response_buffer_size: VAR_HTTP_RESPONSE_BUFFER_SIZE STRING_ARG
+	{
+		OUTYY(("P(server_http_response_buffer_size:%s)\n", $2));
+		if(!cfg_parse_memsize($2,
+			&cfg_parser->cfg->http_response_buffer_size))
+			yyerror("memory size expected");
+		free($2);
+	};
+server_http_nodelay: VAR_HTTP_NODELAY STRING_ARG
+	{
+		OUTYY(("P(server_http_nodelay:%s)\n", $2));
+		if(strcmp($2, "yes") != 0 && strcmp($2, "no") != 0)
+			yyerror("expected yes or no.");
+		else cfg_parser->cfg->http_nodelay = (strcmp($2, "yes")==0);
+		free($2);
+	};
 server_use_systemd: VAR_USE_SYSTEMD STRING_ARG
 	{
 		OUTYY(("P(server_use_systemd:%s)\n", $2));

util/netevent.c

@@ -929,7 +929,8 @@ static int http2_submit_settings(struct http2_session* h2_session)
 {
 	int ret;
 	nghttp2_settings_entry settings[1] = {
-		{NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS, 100}};
+		{NGHTTP2_SETTINGS_MAX_CONCURRENT_STREAMS,
+		 h2_session->c->http2_max_streams}};
 
 	ret = nghttp2_submit_settings(h2_session->session, NGHTTP2_FLAG_NONE,
 		settings, 1);
@@ -965,27 +966,27 @@ comm_point_tcp_accept_callback(int fd, short event, void* arg)
 	 * correct event base for the event structure for libevent */
 	ub_event_free(c_hdl->ev->ev);
 
+	if(c_hdl->type == comm_http) {
 #ifdef HAVE_NGHTTP2
-	if(c_hdl->type == comm_http && c_hdl->h2_session) {
+		if(!c_hdl->h2_session ||
-		if(!http2_session_server_create(c_hdl->h2_session)) {
+			!http2_session_server_create(c_hdl->h2_session)) {
 			log_warn("failed to create nghttp2");
 			return;
 		}
-		if(!http2_submit_settings(c_hdl->h2_session)) {
+		if(!c_hdl->h2_session ||
+			!http2_submit_settings(c_hdl->h2_session)) {
 			log_warn("failed to submit http2 settings");
 			return;
 		}
+#endif
 		c_hdl->ev->ev = ub_event_new(c_hdl->ev->base->eb->base, -1,
 			UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT,
 			comm_point_http_handle_callback, c_hdl);
 	} else {
-#endif
 		c_hdl->ev->ev = ub_event_new(c_hdl->ev->base->eb->base, -1,
 			UB_EV_PERSIST | UB_EV_READ | UB_EV_TIMEOUT,
 			comm_point_tcp_handle_callback, c_hdl);
-#ifdef HAVE_NGHTTP2
 	}
-#endif
 	if(!c_hdl->ev->ev) {
 		log_warn("could not ub_event_new, dropped tcp");
 		return;
@@ -2295,10 +2296,7 @@ void http2_stream_delete(struct http2_session* h2_session,
 		mesh_state_remove_reply(h2_stream->mesh, h2_stream->mesh_state,
 			h2_session->c);
 	}
-	if(h2_stream->qbuffer)
+	http2_req_stream_clear(h2_stream);
-		sldns_buffer_free(h2_stream->qbuffer);
-	if(h2_stream->rbuffer)
-		sldns_buffer_free(h2_stream->rbuffer);
 	free(h2_stream);
 }
 #endif
@@ -3091,6 +3089,7 @@ comm_point_create_tcp_handler(struct comm_base *base,
 static struct comm_point* 
 comm_point_create_http_handler(struct comm_base *base, 
 	struct comm_point* parent, size_t bufsize, int harden_large_queries,
+	uint32_t http_max_streams, char* http_endpoint,
 	comm_point_callback_type* callback, void* callback_arg)
 {
 	struct comm_point* c = (struct comm_point*)calloc(1,
@@ -3147,9 +3146,11 @@ comm_point_create_http_handler(struct comm_base *base,
 	c->cb_arg = callback_arg;
 
 	c->http_min_version = http_version_2;
-	c->http2_max_qbuffer_size = bufsize;
+	c->http2_stream_max_qbuffer_size = bufsize;
 	if(harden_large_queries && bufsize > 512)
-		c->http2_max_qbuffer_size = 512;
+		c->http2_stream_max_qbuffer_size = 512;
+	c->http2_max_streams = http_max_streams;
+	c->http_endpoint = strdup(http_endpoint);
 	c->alpn_h2 = 0;
 #ifdef HAVE_NGHTTP2
 	if(!(c->h2_session = http2_session_create(c))) {
@@ -3195,6 +3196,7 @@ comm_point_create_http_handler(struct comm_base *base,
 struct comm_point* 
 comm_point_create_tcp(struct comm_base *base, int fd, int num,
 	int idle_timeout, int harden_large_queries,
+	uint32_t http_max_streams, char* http_endpoint,
 	struct tcl_list* tcp_conn_limit, size_t bufsize,
 	struct sldns_buffer* spoolbuf, enum listen_type port_type,
 	comm_point_callback_type* callback, void* callback_arg)
@@ -3271,6 +3273,7 @@ comm_point_create_tcp(struct comm_base *base, int fd, int num,
 		} else if(port_type == listen_type_http) {
 			c->tcp_handlers[i] = comm_point_create_http_handler(
 				base, c, bufsize, harden_large_queries,
+				http_max_streams, http_endpoint,
 				callback, callback_arg);
 		}
 		else {
@@ -3592,6 +3595,10 @@ comm_point_delete(struct comm_point* c)
 		SSL_free(c->ssl);
 #endif
 	}
+	if(c->type == comm_http && c->http_endpoint) {
+		free(c->http_endpoint);
+		c->http_endpoint = NULL;
+	}
 	comm_point_close(c);
 	if(c->tcp_handlers) {
 		int i;

util/netevent.h

@@ -219,6 +219,8 @@ struct comm_point {
 		http_version_none = 0,
 		http_version_2 = 2
 	} http_min_version;
+	/** http endpoint */
+	char* http_endpoint;
 	/* -------- HTTP/1.1 ------- */
 	/** Currently reading in http headers */
 	int http_in_headers;
@@ -236,10 +238,13 @@ struct comm_point {
 	struct http2_session* h2_session;
 	/** set to 1 if h2 is negatiated using alpn */
 	int alpn_h2;
-	/** maximum allowed query buffer size */
-	size_t http2_max_qbuffer_size;
 	/** stream currently being handled */
 	struct http2_stream* h2_stream;
+	/** maximum allowed query buffer size, per stream */
+	size_t http2_stream_max_qbuffer_size;
+	/** maximum number of HTTP/2 streams per connection. Send in HTTP/2
+	 * SETTINGS frame. */
+	uint32_t http2_max_streams;
 
 	/* -------- dnstap ------- */
 	/** the dnstap environment */
@@ -481,6 +486,8 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
  *	many tcp handler commpoints.
  * @param idle_timeout: TCP idle timeout in ms.
  * @param harden_large_queries: whether query size should be limited.
+ * @param http_max_streams: maximum number of HTTP/2 streams per connection.
+ * @param http_endpoint: HTTP endpoint to service queries on
  * @param tcp_conn_limit: TCP connection limit info.
  * @param bufsize: size of buffer to create for handlers.
  * @param spoolbuf: shared spool buffer for tcp_req_info structures.
@@ -496,6 +503,7 @@ struct comm_point* comm_point_create_udp_ancil(struct comm_base* base,
  */
 struct comm_point* comm_point_create_tcp(struct comm_base* base,
 	int fd, int num, int idle_timeout, int harden_large_queries,
+	uint32_t http_max_streams, char* http_endpoint,
 	struct tcl_list* tcp_conn_limit,
 	size_t bufsize, struct sldns_buffer* spoolbuf,
 	enum listen_type port_type,