libwebsockets/lib/roles/http/server/server.c

/*
 * libwebsockets - small server side websockets and web server implementation
 *
 * Copyright (C) 2010 - 2019 Andy Green <andy@warmcat.com>
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to
 * deal in the Software without restriction, including without limitation the
 * rights to use, copy, modify, merge, publish, distribute, sublicense, and/or
 * sell copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
 * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
 * IN THE SOFTWARE.
 */

#include "private-lib-core.h"

#if !defined(SOL_TCP) && defined(IPPROTO_TCP)
#define SOL_TCP IPPROTO_TCP
#endif

const char * const method_names[] = {
	"GET", "POST",
#if defined(LWS_WITH_HTTP_UNCOMMON_HEADERS)
	"OPTIONS", "PUT", "PATCH", "DELETE",
#endif
	"CONNECT", "HEAD",
#ifdef LWS_WITH_HTTP2
	":path",
#endif
	};

#if defined(LWS_WITH_FILE_OPS)
static const char * const intermediates[] = { "private", "public" };
#endif

/*
 * return 0: all done
 *        1: nonfatal error
 *       <0: fatal error
 *
 *       REQUIRES CONTEXT LOCK HELD
 */

#if defined(LWS_WITH_SERVER)

struct vh_sock_args {
	const struct lws_context_creation_info	*info;
	struct lws_vhost			*vhost;
	int					af;
};


static int
check_extant(struct lws_dll2 *d, void *user)
{
	struct lws *wsi = lws_container_of(d, struct lws, listen_list);
	struct vh_sock_args *a = (struct vh_sock_args *)user;

	if (!lws_vhost_compare_listen(wsi->a.vhost, a->vhost))
		return 0;

	if (wsi->af != a ->af)
		return 0;

	if (a->info && a->info->vh_listen_sockfd &&
	    wsi->desc.sockfd != a->info->vh_listen_sockfd)
		return 0;

	lwsl_notice(" using listen skt from vhost %s\n", wsi->a.vhost->name);

	return 1;
}

/*
 * Creates a single listen socket of a specific AF
 */

int
_lws_vhost_init_server_af(struct vh_sock_args *a)
{
	struct lws_context *cx = a->vhost->context;
	struct lws_context_per_thread *pt;
	int n, opt = 1, limit = 1, san = 2;
	lws_sockfd_type sockfd;
	struct lws *wsi;
	int m = 0, is = 0;
#if defined(LWS_WITH_IPV6)
	int value = 1;
#endif

	(void)method_names;
	(void)opt;

	lwsl_info("%s: af %d\n", __func__, (int)a->af);

	if (lws_vhost_foreach_listen_wsi(a->vhost->context, a, check_extant))
		return 0;

deal:

	if (!san--)
		return -1;

	if (a->vhost->iface && (!a->info || !a->info->vh_listen_sockfd)) {

		/*
		 * let's check before we do anything else about the disposition
		 * of the interface he wants to bind to...
		 */
		is = lws_socket_bind(a->vhost, NULL, LWS_SOCK_INVALID,
				     a->vhost->listen_port, a->vhost->iface,
				     a->af);
		lwsl_debug("initial if check says %d\n", is);

		if (is == LWS_ITOSA_BUSY)
			/* treat as fatal */
			return -1;

		lws_start_foreach_llp(struct lws_vhost **, pv,
				      cx->no_listener_vhost_list) {
			if (is >= LWS_ITOSA_USABLE && *pv == a->vhost) {
				/* on the list and shouldn't be: remove it */
				lwsl_debug("deferred iface: removing vh %s\n",
						(*pv)->name);
				*pv = a->vhost->no_listener_vhost_list;
				a->vhost->no_listener_vhost_list = NULL;
				goto done_list;
			}
			if (is < LWS_ITOSA_USABLE && *pv == a->vhost)
				goto done_list;
		} lws_end_foreach_llp(pv, no_listener_vhost_list);

		/* not on the list... */

		if (is < LWS_ITOSA_USABLE) {

			/* ... but needs to be: so add it */

			lwsl_debug("deferred iface: adding vh %s\n",
					a->vhost->name);
			a->vhost->no_listener_vhost_list =
					cx->no_listener_vhost_list;
			cx->no_listener_vhost_list = a->vhost;
		}

done_list:

		switch (is) {
		default:
			break;
		case LWS_ITOSA_NOT_EXIST:
			/* can't add it */
			if (!a->info)
				return -1;

			/* first time */
			lwsl_err("%s: VH %s: iface %s port %d DOESN'T EXIST\n",
				 __func__, a->vhost->name, a->vhost->iface,
				 a->vhost->listen_port);

			return (a->info->options &
				LWS_SERVER_OPTION_FAIL_UPON_UNABLE_TO_BIND) ==
				LWS_SERVER_OPTION_FAIL_UPON_UNABLE_TO_BIND ?
				-1 : 1;

		case LWS_ITOSA_NOT_USABLE:
			/* can't add it */
			if (!a->info) /* first time */
				return -1;

			lwsl_err("%s: VH %s: iface %s port %d NOT USABLE\n",
				 __func__, a->vhost->name, a->vhost->iface,
				 a->vhost->listen_port);

			return (a->info->options &
				LWS_SERVER_OPTION_FAIL_UPON_UNABLE_TO_BIND) ==
				LWS_SERVER_OPTION_FAIL_UPON_UNABLE_TO_BIND ?
				-1 : 1;
		}
	} else {
		if (a->info && a->info->vh_listen_sockfd) {
			a->vhost->iface = "inherited";
			a->vhost->listen_port = a->info->port;
		}
	}

	(void)n;
#if defined(__linux__)
	/*
	 * A Unix domain sockets cannot be bound multiple times, even if we
	 * set the SO_REUSE* options on.
	 *
	 * However on recent linux, each thread is able to independently listen.
	 *
	 * So we can assume creating just one listening socket for a multi-
	 * threaded environment will typically work.
	 */
	if (a->af != AF_UNIX)
		limit = cx->count_threads;
#endif

	for (m = 0; m < limit; m++) {

		if (a->info && a->info->vh_listen_sockfd)
		{
#if defined(_WIN32)
			if (!DuplicateHandle(GetCurrentProcess(),
					(HANDLE)a->info->vh_listen_sockfd,
					GetCurrentProcess(), (HANDLE*)&sockfd, 0,
					FALSE, DUPLICATE_SAME_ACCESS))
				sockfd = LWS_SOCK_INVALID;
#else
#if defined(LWS_PLAT_FREERTOS)
			sockfd = a->info->vh_listen_sockfd;
#else
			sockfd = dup(a->info->vh_listen_sockfd);
#endif
#endif
		}
		else
			sockfd = lws_fi(&a->vhost->fic, "listenskt") ?
					LWS_SOCK_INVALID :
					socket(a->af, SOCK_STREAM, 0);

		if (sockfd == LWS_SOCK_INVALID) {
			lwsl_err("ERROR opening socket\n");
			return 1;
		}

#if !defined(LWS_PLAT_FREERTOS)
#if (defined(WIN32) || defined(_WIN32)) && defined(SO_EXCLUSIVEADDRUSE)
		/*
		 * only accept that we are the only listener on the port
		 * https://msdn.microsoft.com/zh-tw/library/
		 *    windows/desktop/ms740621(v=vs.85).aspx
		 *
		 * for lws, to match Linux, we default to exclusive listen
		 */
		if (!lws_check_opt(a->vhost->options,
				LWS_SERVER_OPTION_ALLOW_LISTEN_SHARE)) {
			if (setsockopt(sockfd, SOL_SOCKET, SO_EXCLUSIVEADDRUSE,
				       (const void *)&opt, sizeof(opt)) < 0) {
				lwsl_err("reuseaddr failed\n");
				compatible_close(sockfd);
				return -1;
			}
		} else
#endif

		/*
		 * allow us to restart even if old sockets in TIME_WAIT
		 */
		if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEADDR,
			       (const void *)&opt, sizeof(opt)) < 0) {
			lwsl_err("reuseaddr failed\n");
			compatible_close(sockfd);
			return -1;
		}

#if defined(LWS_WITH_IPV6) && defined(IPV6_V6ONLY)
		/*
		 * If we have an ipv6 listen socket, it only accepts ipv6.
		 *
		 * There will be a separate ipv4 listen socket if that's
		 * enabled.
		 */
		if (a->af == AF_INET6 && (!a->info || !a->info->vh_listen_sockfd) &&
		    setsockopt(sockfd, IPPROTO_IPV6, IPV6_V6ONLY,
			       (const void*)&value, sizeof(value)) < 0) {
			lwsl_err("ipv6 only failed\n");

			compatible_close(sockfd);
			return -1;
		}
#endif

#if defined(__linux__) && defined(SO_REUSEPORT)
		/* keep coverity happy */
#if LWS_MAX_SMP > 1
		n = 1;
#else
		n = lws_check_opt(a->vhost->options,
				  LWS_SERVER_OPTION_ALLOW_LISTEN_SHARE);
#endif
		if (n || cx->count_threads > 1) /* ... also implied by threads > 1 */
			if (setsockopt(sockfd, SOL_SOCKET, SO_REUSEPORT,
					(const void *)&opt, sizeof(opt)) < 0) {
				lwsl_err("reuseport failed\n");
				compatible_close(sockfd);
				return -1;
			}
#endif
#endif
		lws_plat_set_socket_options(a->vhost, sockfd, 0);

		if (!a->info || !a->info->vh_listen_sockfd) {
			is = lws_socket_bind(a->vhost, NULL, sockfd,
					     a->vhost->listen_port,
					     a->vhost->iface, a->af);

			if (is == LWS_ITOSA_BUSY) {
				/* treat as fatal */
				compatible_close(sockfd);

				return -1;
			}

			/*
			 * There is a race where the network device may come up and then
			 * go away and fail here.  So correctly handle unexpected failure
			 * here despite we earlier confirmed it.
			 */
			if (is < 0) {
				lwsl_info("%s: lws_socket_bind says %d\n", __func__, is);
				compatible_close(sockfd);
				if (a->vhost->iface)
					goto deal;
				return -1;
			}
		}

		/*
		 * Create the listen wsi and customize it
		 */

		lws_context_lock(cx, __func__);
		wsi = __lws_wsi_create_with_role(cx, m, &role_ops_listen, NULL);
		lws_context_unlock(cx);
		if (wsi == NULL) {
			lwsl_err("Out of mem\n");
			goto bail;
		}

		wsi->af = (uint8_t)a->af;

#ifdef LWS_WITH_UNIX_SOCK
		if (!LWS_UNIX_SOCK_ENABLED(a->vhost))
#endif
		{
			wsi->unix_skt = 1;
			a->vhost->listen_port = is;

			lwsl_debug("%s: lws_socket_bind says %d\n", __func__, is);
		}

		wsi->desc.sockfd = sockfd;
		wsi->a.protocol = a->vhost->protocols;
		lws_vhost_bind_wsi(a->vhost, wsi);
		wsi->listener = 1;

		if (wsi->a.context->event_loop_ops->init_vhost_listen_wsi)
			wsi->a.context->event_loop_ops->init_vhost_listen_wsi(wsi);

		pt = &cx->pt[m];
		lws_pt_lock(pt, __func__);

		if (__insert_wsi_socket_into_fds(cx, wsi)) {
			lwsl_notice("inserting wsi socket into fds failed\n");
			lws_pt_unlock(pt);
			goto bail;
		}

		lws_dll2_add_tail(&wsi->listen_list, &a->vhost->listen_wsi);
		lws_pt_unlock(pt);

#if defined(WIN32) && defined(TCP_FASTOPEN)
		if (a->vhost->fo_listen_queue) {
			int optval = 1;
			if (setsockopt(wsi->desc.sockfd, IPPROTO_TCP,
				       TCP_FASTOPEN,
				       (const char*)&optval, sizeof(optval)) < 0) {
#if (_LWS_ENABLED_LOGS & LLL_WARN)
				int error = LWS_ERRNO;
				lwsl_warn("%s: TCP_NODELAY failed with error %d\n",
						__func__, error);
#endif
			}
		}
#else
#if defined(TCP_FASTOPEN)
		if (a->vhost->fo_listen_queue) {
			int qlen = a->vhost->fo_listen_queue;

			if (setsockopt(wsi->desc.sockfd, SOL_TCP, TCP_FASTOPEN,
				       &qlen, sizeof(qlen)))
				lwsl_warn("%s: TCP_FASTOPEN failed\n", __func__);
		}
#endif
#endif

		n = listen(wsi->desc.sockfd, LWS_SOMAXCONN);
		if (n < 0) {
			lwsl_err("listen failed with error %d\n", LWS_ERRNO);
			lws_dll2_remove(&wsi->listen_list);
			__remove_wsi_socket_from_fds(wsi);
			goto bail;
		}

		if (wsi) {
			if (a->info && a->info->vh_listen_sockfd)
				a->vhost->listen_port = a->info->port;

			__lws_lc_tag(a->vhost->context,
				     &a->vhost->context->lcg[LWSLCG_WSI],
				     &wsi->lc, "listen|%s|%s|%d",
				     a->vhost->name,
				     a->vhost->iface ? a->vhost->iface : "",
				     (int)a->vhost->listen_port);
		}

	} /* for each thread able to independently listen */

	if (!lws_check_opt(cx->options, LWS_SERVER_OPTION_EXPLICIT_VHOSTS)) {
#ifdef LWS_WITH_UNIX_SOCK
		if (a->af == AF_UNIX)
			lwsl_info(" Listening on \"%s\"\n", a->vhost->iface);
		else
#endif
			lwsl_info(" Listening on %s:%d\n",
					a->vhost->iface,
					a->vhost->listen_port);
        }

	// info->port = vhost->listen_port;

	return 0;

bail:
	lwsl_err("%s: bailing\n", __func__);
	compatible_close(sockfd);

	return -1;
}


int
_lws_vhost_init_server(const struct lws_context_creation_info *info,
		       struct lws_vhost *vhost)
{
	struct vh_sock_args a;
	int n;

	a.info = info;
	a.vhost = vhost;

	if (info) {
		vhost->iface = info->iface;
		vhost->listen_port = info->port;
	}

	/* set up our external listening socket we serve on */

	if (vhost->listen_port == CONTEXT_PORT_NO_LISTEN ||
	    vhost->listen_port == CONTEXT_PORT_NO_LISTEN_SERVER)
		return 0;

	if (info && info->vh_listen_sockfd) {
		a.af = AF_UNSPEC;
		goto single;
	}

	/*
	 * Let's figure out what AF(s) we want this vhost to listen on.
	 *
	 * We want AF_UNIX alone if that's what's told
	 */

#if defined(LWS_WITH_UNIX_SOCK)
	/*
	 * If unix socket, ask for that and we are done
	 */
	if (LWS_UNIX_SOCK_ENABLED(vhost)) {
		a.af = AF_UNIX;
		goto single;
	}
#endif

	/*
	 * We may support both ipv4 and ipv6, but get a numeric vhost listen
	 * iface that is unambiguously ipv4 or ipv6, meaning we can only listen
	 * for the related AF then.
	 */

	if (vhost->iface) {
		uint8_t buf[16];
		int q;

		q = lws_parse_numeric_address(vhost->iface, buf, sizeof(buf));

		if (q == 4) {
			a.af = AF_INET;
			goto single;
		}

		if (q == 16) {
#if defined(LWS_WITH_IPV6)
			if (LWS_IPV6_ENABLED(vhost)) {
				a.af = AF_INET6;
				goto single;
			}
#endif
			lwsl_err("%s: ipv6 not supported on %s\n", __func__,
					vhost->name);
			return 1;
		}
	}

	/*
	 * ... if we make it here, we would want to listen on AF_INET and
	 * AF_INET6 unless one or the other is forbidden
	 */

#if defined(LWS_WITH_IPV6)
	if (!(LWS_IPV6_ENABLED(vhost) &&
	      (vhost->options & LWS_SERVER_OPTION_IPV6_V6ONLY_MODIFY) &&
	      (vhost->options & LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE))) {
#endif
		a.af = AF_INET;
		n = _lws_vhost_init_server_af(&a);
		if (n)
			return n;

#if defined(LWS_WITH_IPV6)
	}
	if (LWS_IPV6_ENABLED(vhost)) {
		a.af = AF_INET6;
		goto single;
	}
#endif

	return 0;

single:
	return _lws_vhost_init_server_af(&a);
}

#endif

struct lws_vhost *
lws_select_vhost(struct lws_context *context, int port, const char *servername)
{
	struct lws_vhost *vhost = context->vhost_list;
	const char *p;
	int n, colon;

	n = (int)strlen(servername);
	colon = n;
	p = strchr(servername, ':');
	if (p)
		colon = lws_ptr_diff(p, servername);

	/* Priotity 1: first try exact matches */

	while (vhost) {
		if (port == vhost->listen_port &&
		    !strncmp(vhost->name, servername, (unsigned int)colon)) {
			lwsl_info("SNI: Found: %s\n", servername);
			return vhost;
		}
		vhost = vhost->vhost_next;
	}

	/*
	 * Priority 2: if no exact matches, try matching *.vhost-name
	 * unintentional matches are possible but resolve to x.com for *.x.com
	 * which is reasonable.  If exact match exists we already chose it and
	 * never reach here.  SSL will still fail it if the cert doesn't allow
	 * *.x.com.
	 */
	vhost = context->vhost_list;
	while (vhost) {
		int m = (int)strlen(vhost->name);
		if (port && port == vhost->listen_port &&
		    m <= (colon - 2) &&
		    servername[colon - m - 1] == '.' &&
		    !strncmp(vhost->name, servername + colon - m, (unsigned int)m)) {
			lwsl_info("SNI: Found %s on wildcard: %s\n",
				    servername, vhost->name);
			return vhost;
		}
		vhost = vhost->vhost_next;
	}

	/* Priority 3: match the first vhost on our port */

	vhost = context->vhost_list;
	while (vhost) {
		if (port && port == vhost->listen_port) {
			lwsl_info("%s: vhost match to %s based on port %d\n",
					__func__, vhost->name, port);
			return vhost;
		}
		vhost = vhost->vhost_next;
	}

	/* no match */

	return NULL;
}

static const struct lws_mimetype {
	const char *extension;
	const char *mimetype;
} server_mimetypes[] = {
	{ ".html", "text/html" },
	{ ".htm", "text/html" },
	{ ".js", "text/javascript" },
	{ ".css", "text/css" },
	{ ".png", "image/png" },
	{ ".jpg", "image/jpeg" },
	{ ".jpeg", "image/jpeg" },
	{ ".ico", "image/x-icon" },
	{ ".gif", "image/gif" },
	{ ".svg", "image/svg+xml" },
	{ ".ttf", "application/x-font-ttf" },
	{ ".otf", "application/font-woff" },
	{ ".woff", "application/font-woff" },
	{ ".woff2", "application/font-woff2" },
	{ ".gz", "application/gzip" },
	{ ".txt", "text/plain" },
	{ ".xml", "application/xml" },
	{ ".json", "application/json" },
	{ ".mjs", "text/javascript" },
};

const char *
lws_get_mimetype(const char *file, const struct lws_http_mount *m)
{
	const struct lws_protocol_vhost_options *pvo;
	size_t n = strlen(file), len, i;
	const char *fallback_mimetype = NULL;
	const struct lws_mimetype *mt;

	/* prioritize user-defined mimetypes */
	for (pvo = m ? m->extra_mimetypes : NULL; pvo; pvo = pvo->next) {
		/* ie, match anything */
		if (!fallback_mimetype && pvo->name[0] == '*') {
			fallback_mimetype = pvo->value;
			continue;
		}

		len = strlen(pvo->name);
		if (n > len && !strcasecmp(&file[n - len], pvo->name)) {
			lwsl_info("%s: match to user mimetype: %s\n", __func__,
				  pvo->value);
			return pvo->value;
		}
	}

	/* fallback to server-defined mimetypes */
	for (i = 0; i < LWS_ARRAY_SIZE(server_mimetypes); ++i) {
		mt = &server_mimetypes[i];

		len = strlen(mt->extension);
		if (n > len && !strcasecmp(&file[n - len], mt->extension)) {
			lwsl_info("%s: match to server mimetype: %s\n", __func__,
				  mt->mimetype);
			return mt->mimetype;
		}
	}

	/* fallback to '*' if defined */
	if (fallback_mimetype) {
		lwsl_info("%s: match to any mimetype: %s\n", __func__,
			  fallback_mimetype);
		return fallback_mimetype;
	}

	return NULL;
}

#if defined(LWS_WITH_FILE_OPS)
static lws_fop_flags_t
lws_vfs_prepare_flags(struct lws *wsi)
{
	lws_fop_flags_t f = 0;

	if (!lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_ACCEPT_ENCODING))
		return f;

	if (strstr(lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_ACCEPT_ENCODING),
		   "gzip")) {
		lwsl_info("client indicates GZIP is acceptable\n");
		f |= LWS_FOP_FLAG_COMPR_ACCEPTABLE_GZIP;
	}

	return f;
}

static int
lws_http_serve(struct lws *wsi, char *uri, const char *origin,
	       const struct lws_http_mount *m)
{
	const struct lws_protocol_vhost_options *pvo = m->interpret;
	struct lws_process_html_args args;
	const char *mimetype;
#if !defined(_WIN32_WCE)
	const struct lws_plat_file_ops *fops;
	const char *vpath;
	lws_fop_flags_t fflags = LWS_O_RDONLY;
#if defined(WIN32) && defined(LWS_HAVE__STAT32I64)
	struct _stat32i64 st;
#else
	struct stat st;
#endif
	int spin = 0;
#endif
	char path[256], sym[2048];
	unsigned char *p = (unsigned char *)sym + 32 + LWS_PRE, *start = p;
	unsigned char *end = p + sizeof(sym) - 32 - LWS_PRE;
#if !defined(WIN32) && !defined(LWS_PLAT_FREERTOS)
	size_t len;
#endif
	int n;

	wsi->handling_404 = 0;
	if (!wsi->a.vhost)
		return -1;

#if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2)
	if (wsi->a.vhost->http.error_document_404 &&
	    !strcmp(uri, wsi->a.vhost->http.error_document_404))
		wsi->handling_404 = 1;
#endif

	lws_snprintf(path, sizeof(path) - 1, "%s/%s", origin, uri);

#if !defined(_WIN32_WCE)

	fflags |= lws_vfs_prepare_flags(wsi);

	do {
		spin++;
		fops = lws_vfs_select_fops(wsi->a.context->fops, path, &vpath);

		if (wsi->http.fop_fd)
			lws_vfs_file_close(&wsi->http.fop_fd);

		wsi->http.fop_fd = fops->LWS_FOP_OPEN(fops, wsi->a.context->fops,
							path, vpath, &fflags);
		if (!wsi->http.fop_fd) {
			lwsl_info("%s: Unable to open '%s': errno %d\n",
				  __func__, path, errno);

			return 1;
		}

		/* if it can't be statted, don't try */
		if (fflags & LWS_FOP_FLAG_VIRTUAL)
			break;
#if defined(LWS_PLAT_FREERTOS)
		break;
#endif
#if !defined(WIN32)
		if (fstat(wsi->http.fop_fd->fd, &st)) {
			lwsl_info("unable to stat %s\n", path);
			goto notfound;
		}
#else
#if defined(LWS_HAVE__STAT32I64)
		{
			WCHAR buf[MAX_PATH];
			MultiByteToWideChar(CP_UTF8, 0, path, -1, buf, LWS_ARRAY_SIZE(buf));
			if (_wstat32i64(buf, &st)) {
				lwsl_info("unable to stat %s\n", path);
				goto notfound;
			}
		}
#else
		if (stat(path, &st)) {
			lwsl_info("unable to stat %s\n", path);
			goto notfound;
		}
#endif
#endif

		wsi->http.fop_fd->mod_time = (uint32_t)st.st_mtime;
		fflags |= LWS_FOP_FLAG_MOD_TIME_VALID;

#if !defined(WIN32) && !defined(LWS_PLAT_FREERTOS)
		if ((S_IFMT & st.st_mode) == S_IFLNK) {
			len = (size_t)readlink(path, sym, sizeof(sym) - 1);
			if (len) {
				lwsl_err("Failed to read link %s\n", path);
				goto notfound;
			}
			sym[len] = '\0';
			lwsl_debug("symlink %s -> %s\n", path, sym);
			lws_snprintf(path, sizeof(path) - 1, "%s", sym);
		}
#endif
		if ((S_IFMT & st.st_mode) == S_IFDIR) {
			lwsl_debug("default filename append to dir\n");
			lws_snprintf(path, sizeof(path) - 1, "%s/%s/%s",
				 origin, uri, m->def ? m->def : "index.html");
		}

	} while ((S_IFMT & st.st_mode) != S_IFREG && spin < 5);

	if (spin == 5)
		lwsl_err("symlink loop %s \n", path);

	n = sprintf(sym, "%08llX%08lX",
		    (unsigned long long)lws_vfs_get_length(wsi->http.fop_fd),
		    (unsigned long)lws_vfs_get_mod_time(wsi->http.fop_fd));

	/* disable ranges if IF_RANGE token invalid */

	if (lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_IF_RANGE))
		if (strcmp(sym, lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_IF_RANGE)))
			/* differs - defeat Range: */
			wsi->http.ah->frag_index[WSI_TOKEN_HTTP_RANGE] = 0;

	if (lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_IF_NONE_MATCH)) {
		/*
		 * he thinks he has some version of it already,
		 * check if the tag matches
		 */
		if (!strcmp(sym, lws_hdr_simple_ptr(wsi,
					WSI_TOKEN_HTTP_IF_NONE_MATCH))) {

			char cache_control[50], *cc = "no-store";
			int cclen = 8;

			lwsl_debug("%s: ETAG match %s %s\n", __func__,
				   uri, origin);

			/* we don't need to send the payload */
			if (lws_add_http_header_status(wsi,
					HTTP_STATUS_NOT_MODIFIED, &p, end)) {
				lwsl_err("%s: failed adding not modified\n",
						__func__);
				return -1;
			}

			if (lws_add_http_header_by_token(wsi,
					WSI_TOKEN_HTTP_ETAG,
					(unsigned char *)sym, n, &p, end))
				return -1;

			/* but we still need to send cache control... */

			if (m->cache_max_age && m->cache_reusable) {
				if (!m->cache_revalidate) {
					cc = cache_control;
					cclen = sprintf(cache_control,
						"%s, max-age=%u",
						intermediates[wsi->cache_intermediaries],
						m->cache_max_age);
				} else {
					cc = cache_control;
                                        cclen = sprintf(cache_control,
                                        	"must-revalidate, %s, max-age=%u",
                                                intermediates[wsi->cache_intermediaries],
                                                m->cache_max_age);
				}
			}

			if (lws_add_http_header_by_token(wsi,
					WSI_TOKEN_HTTP_CACHE_CONTROL,
					(unsigned char *)cc, cclen, &p, end))
				return -1;

			if (lws_finalize_http_header(wsi, &p, end))
				return -1;

			n = lws_write(wsi, start, lws_ptr_diff_size_t(p, start),
				      LWS_WRITE_HTTP_HEADERS |
				      LWS_WRITE_H2_STREAM_END);
			if (n != lws_ptr_diff(p, start)) {
				lwsl_err("_write returned %d from %ld\n", n,
					 (long)(p - start));
				return -1;
			}

			lws_vfs_file_close(&wsi->http.fop_fd);

			if (lws_http_transaction_completed(wsi))
				return -1;

			return 0;
		}
	}

	if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_ETAG,
			(unsigned char *)sym, n, &p, end))
		return -1;
#endif

	mimetype = lws_get_mimetype(path, m);
	if (!mimetype) {
		lwsl_info("unknown mimetype for %s\n", path);
		if (lws_return_http_status(wsi,
				HTTP_STATUS_UNSUPPORTED_MEDIA_TYPE, NULL) ||
		    lws_http_transaction_completed(wsi))
			return -1;

		return 0;
	}
	if (!mimetype[0])
		lwsl_debug("sending no mimetype for %s\n", path);

	wsi->sending_chunked = 0;
	wsi->interpreting = 0;

	/*
	 * check if this is in the list of file suffixes to be interpreted by
	 * a protocol
	 */
	while (pvo) {
		n = (int)strlen(path);
		if (n > (int)strlen(pvo->name) &&
		    !strcmp(&path[(unsigned int)n - strlen(pvo->name)], pvo->name)) {
			wsi->interpreting = 1;
			if (!wsi->mux_substream)
				wsi->sending_chunked = 1;

			wsi->protocol_interpret_idx = (char)(
				lws_vhost_name_to_protocol(wsi->a.vhost,
							   pvo->value) -
				&lws_get_vhost(wsi)->protocols[0]);

			lwsl_debug("want %s interpreted by %s (pcol is %s)\n", path,
				    wsi->a.vhost->protocols[
				             (int)wsi->protocol_interpret_idx].name,
				             wsi->a.protocol->name);
			if (lws_bind_protocol(wsi, &wsi->a.vhost->protocols[
			          (int)wsi->protocol_interpret_idx], __func__))
				return -1;

			if (lws_ensure_user_space(wsi))
				return -1;
			break;
		}
		pvo = pvo->next;
	}

	if (wsi->sending_chunked) {
		if (lws_add_http_header_by_token(wsi,
				WSI_TOKEN_HTTP_TRANSFER_ENCODING,
				(unsigned char *)"chunked", 7,
				&p, end))
			return -1;
	}

	if (m->protocol) {
		const struct lws_protocols *pp = lws_vhost_name_to_protocol(
						       wsi->a.vhost, m->protocol);

		if (lws_bind_protocol(wsi, pp, __func__))
			return -1;
		args.p = (char *)p;
		args.max_len = lws_ptr_diff(end, p);
		if (pp->callback(wsi, LWS_CALLBACK_ADD_HEADERS,
					  wsi->user_space, &args, 0))
			return -1;
		p = (unsigned char *)args.p;
	}

	*p = '\0';
	n = lws_serve_http_file(wsi, path, mimetype, (char *)start,
				lws_ptr_diff(p, start));

	if (n < 0 || ((n > 0) && lws_http_transaction_completed(wsi)))
		return -1; /* error or can't reuse connection: close the socket */

	return 0;

notfound:

	return 1;
}
#endif

#if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2)
const struct lws_http_mount *
lws_find_mount(struct lws *wsi, const char *uri_ptr, int uri_len)
{
	const struct lws_http_mount *hm, *hit = NULL;
	int best = 0;

	hm = wsi->a.vhost->http.mount_list;
	while (hm) {
		if (uri_len >= hm->mountpoint_len &&
		    !strncmp(uri_ptr, hm->mountpoint, hm->mountpoint_len) &&
		    (uri_ptr[hm->mountpoint_len] == '\0' ||
		     uri_ptr[hm->mountpoint_len] == '/' ||
		     hm->mountpoint_len == 1)
		    ) {
#if defined(LWS_WITH_SYS_METRICS)
			lws_metrics_tag_wsi_add(wsi, "mnt", hm->mountpoint);
#endif

			if (hm->origin_protocol == LWSMPRO_NO_MOUNT)
				return NULL;

			if (hm->origin_protocol == LWSMPRO_CALLBACK ||
			    ((hm->origin_protocol == LWSMPRO_CGI ||
			     lws_hdr_total_length(wsi, WSI_TOKEN_GET_URI) ||
			     lws_hdr_total_length(wsi, WSI_TOKEN_POST_URI) ||
#if defined(LWS_WITH_HTTP_UNCOMMON_HEADERS)
			     lws_hdr_total_length(wsi, WSI_TOKEN_PUT_URI) ||
			     lws_hdr_total_length(wsi, WSI_TOKEN_PATCH_URI) ||
			     lws_hdr_total_length(wsi, WSI_TOKEN_DELETE_URI) ||
#endif
			     lws_hdr_total_length(wsi, WSI_TOKEN_HEAD_URI) ||
#if defined(LWS_ROLE_H2)
			     (wsi->mux_substream &&
				lws_hdr_total_length(wsi,
						WSI_TOKEN_HTTP_COLON_PATH)) ||
#endif
			     hm->protocol) &&
			    hm->mountpoint_len > best)) {
				best = hm->mountpoint_len;
				hit = hm;
			}
		}
		hm = hm->mount_next;
	}

	return hit;
}
#endif

#if defined(LWS_WITH_HTTP_BASIC_AUTH) && !defined(LWS_PLAT_FREERTOS) && defined(LWS_WITH_FILE_OPS)
static int
lws_find_string_in_file(const char *filename, const char *string, int stringlen)
{
	char buf[128];
	int fd, match = 0, pos = 0, n = 0, hit = 0;

	fd = lws_open(filename, O_RDONLY);
	if (fd < 0) {
		lwsl_err("can't open auth file: %s\n", filename);
		return 0;
	}

	while (1) {
		if (pos == n) {
			n = (int)read(fd, buf, sizeof(buf));
			if (n <= 0) {
				if (match == stringlen)
					hit = 1;
				break;
			}
			pos = 0;
		}

		if (match == stringlen) {
			if (buf[pos] == '\r' || buf[pos] == '\n') {
				hit = 1;
				break;
			}
			match = 0;
		}

		if (buf[pos] == string[match])
			match++;
		else
			match = 0;

		pos++;
	}

	close(fd);

	return hit;
}
#endif

#if defined(LWS_WITH_HTTP_BASIC_AUTH)

int
lws_unauthorised_basic_auth(struct lws *wsi)
{
	struct lws_context_per_thread *pt = &wsi->a.context->pt[(int)wsi->tsi];
	unsigned char *start = pt->serv_buf + LWS_PRE,
		      *p = start, *end = p + 2048;
	char buf[64];
	int n;

	/* no auth... tell him it is required */

	if (lws_add_http_header_status(wsi, HTTP_STATUS_UNAUTHORIZED, &p, end))
		return -1;

	n = lws_snprintf(buf, sizeof(buf), "Basic realm=\"lwsws\"");
	if (lws_add_http_header_by_token(wsi,
			WSI_TOKEN_HTTP_WWW_AUTHENTICATE,
			(unsigned char *)buf, n, &p, end))
		return -1;

	if (lws_add_http_header_content_length(wsi, 0, &p, end))
		return -1;

	if (lws_finalize_http_header(wsi, &p, end))
		return -1;

	n = lws_write(wsi, start, lws_ptr_diff_size_t(p, start), LWS_WRITE_HTTP_HEADERS |
					     LWS_WRITE_H2_STREAM_END);
	if (n < 0)
		return -1;

	return lws_http_transaction_completed(wsi);

}

#endif

int lws_clean_url(char *p)
{
	if (p[0] == 'h' && p[1] == 't' && p[2] == 't' && p[3] == 'p') {
		p += 4;
		if (*p == 's')
		p++;
		if (*p == ':') {
			p++;
			if (*p == '/')
			p++;
		}
	}

	while (*p) {
		if (p[0] == '/' && p[1] == '/') {
			char *p1 = p;
			while (*p1) {
				*p1 = p1[1];
				p1++;
			}
			continue;
		}
		p++;
	}

	return 0;
}

static const unsigned char methods[] = {
	WSI_TOKEN_GET_URI,
	WSI_TOKEN_POST_URI,
#if defined(LWS_WITH_HTTP_UNCOMMON_HEADERS)
	WSI_TOKEN_OPTIONS_URI,
	WSI_TOKEN_PUT_URI,
	WSI_TOKEN_PATCH_URI,
	WSI_TOKEN_DELETE_URI,
#endif
	WSI_TOKEN_CONNECT,
	WSI_TOKEN_HEAD_URI,
#ifdef LWS_WITH_HTTP2
	WSI_TOKEN_HTTP_COLON_PATH,
#endif
};

int
lws_http_get_uri_and_method(struct lws *wsi, char **puri_ptr, int *puri_len)
{
	int n, count = 0;

	for (n = 0; n < (int)LWS_ARRAY_SIZE(methods); n++)
		if (lws_hdr_total_length(wsi, methods[n]))
			count++;
	if (!count) {
		lwsl_warn("Missing URI in HTTP request\n");
		return -1;
	}

	if (count != 1 &&
	    !((wsi->mux_substream || wsi->h2_stream_carries_ws)
#if defined(LWS_ROLE_H2)
			    &&
	      lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_COLON_PATH)
#endif
	      )) {
		lwsl_warn("multiple methods?\n");
		return -1;
	}

	for (n = 0; n < (int)LWS_ARRAY_SIZE(methods); n++)
		if (lws_hdr_total_length(wsi, methods[n])) {
			*puri_ptr = lws_hdr_simple_ptr(wsi, methods[n]);
			*puri_len = lws_hdr_total_length(wsi, methods[n]);
			return n;
		}

	return -1;
}

#if defined(LWS_WITH_HTTP_BASIC_AUTH)

enum lws_check_basic_auth_results
lws_check_basic_auth(struct lws *wsi, const char *basic_auth_login_file,
		     unsigned int auth_mode)
{
#if defined(LWS_WITH_FILE_OPS)
	char b64[160], plain[(sizeof(b64) * 3) / 4], *pcolon;
	int m, ml, fi, bar;

	if (!basic_auth_login_file && auth_mode == LWSAUTHM_DEFAULT)
		return LCBA_CONTINUE;

	/* Did he send auth? */
	ml = lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_AUTHORIZATION);
	if (!ml)
		return LCBA_FAILED_AUTH;

	/* Disallow fragmentation monkey business */

	fi = wsi->http.ah->frag_index[WSI_TOKEN_HTTP_AUTHORIZATION];
	if (wsi->http.ah->frags[fi].nfrag) {
		lwsl_err("fragmented basic auth header not allowed\n");
		return LCBA_FAILED_AUTH;
	}

	m = lws_hdr_copy(wsi, b64, sizeof(b64),
			 WSI_TOKEN_HTTP_AUTHORIZATION);
	if (m < 7) {
		lwsl_err("b64 auth too long\n");
		return LCBA_END_TRANSACTION;
	}

	b64[5] = '\0';
	if (strcasecmp(b64, "Basic")) {
		lwsl_err("auth missing basic: %s\n", b64);
		return LCBA_END_TRANSACTION;
	}

	/* It'll be like Authorization: Basic QWxhZGRpbjpPcGVuU2VzYW1l */

	m = lws_b64_decode_string(b64 + 6, plain, sizeof(plain) - 1);
	if (m < 0) {
		lwsl_err("plain auth too long\n");
		return LCBA_END_TRANSACTION;
	}

	plain[m] = '\0';
	pcolon = strchr(plain, ':');
	if (!pcolon) {
		lwsl_err("basic auth format broken\n");
		return LCBA_END_TRANSACTION;
	}

	switch (auth_mode) {
	case LWSAUTHM_DEFAULT:
		if (lws_find_string_in_file(basic_auth_login_file, plain, m))
			break;
		lwsl_err("%s: basic auth lookup failed\n", __func__);
		return LCBA_FAILED_AUTH;

	case LWSAUTHM_BASIC_AUTH_CALLBACK:
		bar = wsi->a.protocol->callback(wsi,
				LWS_CALLBACK_VERIFY_BASIC_AUTHORIZATION,
				wsi->user_space, plain, (unsigned int)m);
		if (!bar)
			return LCBA_FAILED_AUTH;
		break;
	default:
		/* Invalid auth mode so lets fail all authentication attempts */
		return LCBA_FAILED_AUTH;
	}

	/*
	 * Rewrite WSI_TOKEN_HTTP_AUTHORIZATION so it is just the
	 * authorized username
	 */

	*pcolon = '\0';
	wsi->http.ah->frags[fi].len = (uint16_t)lws_ptr_diff_size_t(pcolon, &plain[0]);
	pcolon = lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_AUTHORIZATION);
	strncpy(pcolon, plain, (unsigned int)(ml - 1));
	pcolon[ml - 1] = '\0';
	lwsl_info("%s: basic auth accepted for %s\n", __func__,
		 lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_AUTHORIZATION));

	return LCBA_CONTINUE;
#else
	if (!basic_auth_login_file && auth_mode == LWSAUTHM_DEFAULT)
		return LCBA_CONTINUE;
	return LCBA_FAILED_AUTH;
#endif
}

#endif

#if defined(LWS_WITH_HTTP_PROXY)
/*
 * Set up an onward http proxy connection according to the mount this
 * uri falls under.  Notice this can also be starting the proxying of what was
 * originally an incoming h1 upgrade, or an h2 ws "upgrade".
 */
int
lws_http_proxy_start(struct lws *wsi, const struct lws_http_mount *hit,
		     char *uri_ptr, char ws)
{
	char ads[96], host[96], *pcolon, *pslash, unix_skt = 0;
	struct lws_client_connect_info i;
	struct lws *cwsi;
	int n, na;
	unsigned int max_http_header_data = wsi->a.context->max_http_header_data > 256 ?
					    wsi->a.context->max_http_header_data : 256;
	char *rpath = NULL;

#if defined(LWS_ROLE_WS)
	if (ws)
		/*
		 * Neither our inbound ws upgrade request side, nor our onward
		 * ws client connection on our side can bind to the actual
		 * protocol that only the remote inbound side and the remote
		 * onward side understand.
		 *
		 * Instead these are both bound to our built-in "lws-ws-proxy"
		 * protocol, which understands how to proxy between the two
		 * sides.
		 *
		 * We bind the parent, inbound part here and our side of the
		 * onward client connection is bound to the same handler using
		 * the .local_protocol_name.
		 */
		lws_bind_protocol(wsi, &lws_ws_proxy, __func__);
#endif
	memset(&i, 0, sizeof(i));
	i.context = lws_get_context(wsi);

	if (hit->origin[0] == '+')
		unix_skt = 1;

	pcolon = strchr(hit->origin, ':');
	pslash = strchr(hit->origin, '/');
	if (!pslash) {
		lwsl_err("Proxy mount origin '%s' must have /\n", hit->origin);
		return -1;
	}

	if (unix_skt) {
		if (!pcolon) {
			lwsl_err("Proxy mount origin for unix skt must "
				 "have address delimited by :\n");

			return -1;
		}
		n = lws_ptr_diff(pcolon, hit->origin);
		pslash = pcolon;
	} else {
		if (pcolon > pslash)
			pcolon = NULL;

		if (pcolon)
			n = (int)(pcolon - hit->origin);
		else
			n = (int)(pslash - hit->origin);

		if (n >= (int)sizeof(ads) - 2)
			n = sizeof(ads) - 2;
	}

	memcpy(ads, hit->origin, (unsigned int)n);
	ads[n] = '\0';

	i.address = ads;
	i.port = 80;
	if (hit->origin_protocol == LWSMPRO_HTTPS) {
		i.port = 443;
		i.ssl_connection = 1;
	}
	if (pcolon)
		i.port = atoi(pcolon + 1);

	rpath = lws_malloc(max_http_header_data, __func__);
	if (!rpath)
		return -1;

	/* rpath needs cleaning after this... ---> */

	n = lws_snprintf(rpath, max_http_header_data - 1, "/%s/%s",
			 pslash + 1, uri_ptr + hit->mountpoint_len) - 1;
	lws_clean_url(rpath);
	n = (int)strlen(rpath);
	if (n && rpath[n - 1] == '/')
		n--;

	na = lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_URI_ARGS);
	if (na) {
		char *p;
		int budg;

		if (!n) /* don't start with the ?... use the first / if so */
			n++;

		p = rpath + n;

		if (na >= (int)max_http_header_data - n - 2) {
			lwsl_info("%s: query string %d longer "
				  "than we can handle\n", __func__,
				  na);
			lws_free(rpath);
			return -1;
		}

		*p++ = '?';
		budg = lws_hdr_copy(wsi, p,
			     (int)(&rpath[max_http_header_data - 1] - p),
			     WSI_TOKEN_HTTP_URI_ARGS);
	       if (budg > 0)
		       p += budg;

		*p = '\0';
	}

	i.path = rpath;
	lwsl_notice("%s: proxied path '%s'\n", __func__, i.path);

	/* incoming may be h1 or h2... if he sends h1 HOST, use that
	 * directly, otherwise we must convert h2 :authority to h1
	 * host */

#if 0
	i.host = NULL;
#if defined(LWS_ROLE_H2)
	n = lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_COLON_AUTHORITY);
	if (n > 0)
		i.host = lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_COLON_AUTHORITY);
	else
#endif
	{
		n = lws_hdr_total_length(wsi, WSI_TOKEN_HOST);
		if (n > 0)
			i.host = lws_hdr_simple_ptr(wsi, WSI_TOKEN_HOST);
	}
#endif
	i.host = i.address;

#if 0
	if (i.address[0] != '+' ||
	    !lws_hdr_simple_ptr(wsi, WSI_TOKEN_HOST))
		i.host = i.address;
	else
		i.host = lws_hdr_simple_ptr(wsi, WSI_TOKEN_HOST);
#endif
	i.origin = NULL;
	if (!ws) {
		if (lws_hdr_simple_ptr(wsi, WSI_TOKEN_POST_URI)
#if defined(LWS_WITH_HTTP2)
								|| (
			lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_COLON_METHOD) &&
			!strcmp(lws_hdr_simple_ptr(wsi,
					WSI_TOKEN_HTTP_COLON_METHOD), "post")
			)
#endif
		)
			i.method = "POST";
		else if (lws_hdr_simple_ptr(wsi, WSI_TOKEN_PUT_URI)
#if defined(LWS_WITH_HTTP2)
								|| (
			lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_COLON_METHOD) &&
			!strcmp(lws_hdr_simple_ptr(wsi,
					WSI_TOKEN_HTTP_COLON_METHOD), "put")
			)
#endif
		)
			i.method = "PUT";
		else if (lws_hdr_simple_ptr(wsi, WSI_TOKEN_PATCH_URI)
#if defined(LWS_WITH_HTTP2)
								|| (
			lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_COLON_METHOD) &&
			!strcmp(lws_hdr_simple_ptr(wsi,
					WSI_TOKEN_HTTP_COLON_METHOD), "patch")
			)
#endif
		)
			i.method = "PATCH";
		else if (lws_hdr_simple_ptr(wsi, WSI_TOKEN_DELETE_URI)
#if defined(LWS_WITH_HTTP2)
								|| (
			lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP_COLON_METHOD) &&
			!strcmp(lws_hdr_simple_ptr(wsi,
					WSI_TOKEN_HTTP_COLON_METHOD), "delete")
			)
#endif
		)
			i.method = "DELETE";
		else
			i.method = "GET";
	}

	if (i.host)
		lws_snprintf(host, sizeof(host), "%s:%u", i.host,
					wsi->a.vhost->listen_port);
	else
		lws_snprintf(host, sizeof(host), "%s:%d", i.address, i.port);

	i.host = host;

	i.alpn = "http/1.1";
	i.parent_wsi = wsi;
	i.pwsi = &cwsi;
#if defined(LWS_ROLE_WS)
	i.protocol = lws_hdr_simple_ptr(wsi, WSI_TOKEN_PROTOCOL);
	if (ws)
		i.local_protocol_name = "lws-ws-proxy";
#endif

//	i.uri_replace_from = hit->origin;
//	i.uri_replace_to = hit->mountpoint;

	lwsl_info("proxying to %s port %d url %s, ssl %d, from %s, to %s\n",
		   i.address, i.port, i.path, i.ssl_connection,
		   i.uri_replace_from, i.uri_replace_to);

	if (!lws_client_connect_via_info(&i)) {
		lwsl_err("proxy connect fail\n");

		/*
		 * ... we can't do the proxy action, but we can
		 * cleanly return him a 503 and a description
		 */

		lws_return_http_status(wsi,
			HTTP_STATUS_SERVICE_UNAVAILABLE,
			"<h1>Service Temporarily Unavailable</h1>"
			"The server is temporarily unable to service "
			"your request due to maintenance downtime or "
			"capacity problems. Please try again later.");
		lws_free(rpath);
		return 1;
	}
	lws_free(rpath);

	lwsl_info("%s: setting proxy clientside on %s (parent %s)\n",
		  __func__, lws_wsi_tag(cwsi), lws_wsi_tag(lws_get_parent(cwsi)));

	cwsi->http.proxy_clientside = 1;
	if (ws) {
		wsi->proxied_ws_parent = 1;
		cwsi->h1_ws_proxied = 1;
		if (i.protocol) {
			lwsl_debug("%s: (requesting '%s')\n",
					__func__, i.protocol);
		}
	}

	return 0;
}
#endif


static const char * const oprot[] = {
	"http://", "https://"
};


static int
lws_http_redirect_hit(struct lws_context_per_thread *pt, struct lws *wsi,
		      const struct lws_http_mount *hit, char *uri_ptr,
		      int uri_len, int *h)
{
	char *s;
	int n;

	*h = 0;
	s = uri_ptr + hit->mountpoint_len;

	/*
	 * if we have a mountpoint like https://xxx.com/yyy
	 * there is an implied / at the end for our purposes since
	 * we can only mount on a "directory".
	 *
	 * But if we just go with that, the browser cannot understand
	 * that he is actually looking down one "directory level", so
	 * even though we give him /yyy/abc.html he acts like the
	 * current directory level is /.  So relative urls like "x.png"
	 * wrongly look outside the mountpoint.
	 *
	 * Therefore if we didn't come in on a url with an explicit
	 * / at the end, we must redirect to add it so the browser
	 * understands he is one "directory level" down.
	 */
	if ((hit->mountpoint_len > 1 ||
	     (hit->origin_protocol == LWSMPRO_REDIR_HTTP ||
	      hit->origin_protocol == LWSMPRO_REDIR_HTTPS)) &&
	    (*s != '/' ||
	     (hit->origin_protocol == LWSMPRO_REDIR_HTTP ||
	      hit->origin_protocol == LWSMPRO_REDIR_HTTPS)) &&
	    (hit->origin_protocol != LWSMPRO_CGI &&
	     hit->origin_protocol != LWSMPRO_CALLBACK)) {
		unsigned char *start = pt->serv_buf + LWS_PRE, *p = start,
			      *end = p + wsi->a.context->pt_serv_buf_size -
					LWS_PRE - 512;

		*h = 1;

		lwsl_info("Doing 301 '%s' org %s\n", s, hit->origin);

		/* > at start indicates deal with by redirect */
		if (hit->origin_protocol == LWSMPRO_REDIR_HTTP ||
		    hit->origin_protocol == LWSMPRO_REDIR_HTTPS)
			n = lws_snprintf((char *)end, 256, "%s%s",
				    oprot[hit->origin_protocol & 1],
				    hit->origin);
		else {
			if (!lws_hdr_total_length(wsi, WSI_TOKEN_HOST)) {
#if defined(LWS_ROLE_H2)
				if (!lws_hdr_total_length(wsi,
						WSI_TOKEN_HTTP_COLON_AUTHORITY))
#endif
					goto bail_nuke_ah;
#if defined(LWS_ROLE_H2)
				n = lws_snprintf((char *)end, 256,
				    "%s%s%s/", oprot[!!lws_is_ssl(wsi)],
				    lws_hdr_simple_ptr(wsi,
						WSI_TOKEN_HTTP_COLON_AUTHORITY),
				    uri_ptr);
#endif
			} else
				n = lws_snprintf((char *)end, 256,
				    "%s%s%s/", oprot[!!lws_is_ssl(wsi)],
				    lws_hdr_simple_ptr(wsi, WSI_TOKEN_HOST),
				    uri_ptr);
		}

		lws_clean_url((char *)end);
		n = lws_http_redirect(wsi, HTTP_STATUS_MOVED_PERMANENTLY,
				      end, n, &p, end);
		if ((int)n < 0)
			goto bail_nuke_ah;

		return lws_http_transaction_completed(wsi);
	}

	return 0;

bail_nuke_ah:
	lws_header_table_detach(wsi, 1);

	return 1;
}

int
lws_http_action(struct lws *wsi)
{
	struct lws_context_per_thread *pt = &wsi->a.context->pt[(int)wsi->tsi];
	int uri_len = 0, meth, m, http_version_len, ha;
	const struct lws_http_mount *hit = NULL;
	enum http_version request_version;
	struct lws_process_html_args args;
	enum http_conn_type conn_type;
	char content_length_str[32];
	char http_version_str[12];
	char http_conn_str[25];
	char *uri_ptr = NULL;
#if defined(LWS_WITH_FILE_OPS)
	char *s;
#endif
	unsigned int n;

	meth = lws_http_get_uri_and_method(wsi, &uri_ptr, &uri_len);
	if (meth < 0 || meth >= (int)LWS_ARRAY_SIZE(method_names))
		goto bail_nuke_ah;

	lws_metrics_tag_wsi_add(wsi, "vh", wsi->a.vhost->name);
	lws_metrics_tag_wsi_add(wsi, "meth", method_names[meth]);

	/* we insist on absolute paths */

	if (!uri_ptr || uri_ptr[0] != '/') {
		lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);

		goto bail_nuke_ah;
	}

	lwsl_info("Method: '%s' (%d), request for '%s'\n", method_names[meth],
		  meth, uri_ptr);

	if (wsi->role_ops &&
	    lws_rops_fidx(wsi->role_ops, LWS_ROPS_check_upgrades))
		switch (lws_rops_func_fidx(wsi->role_ops,
					   LWS_ROPS_check_upgrades).
							check_upgrades(wsi)) {
		case LWS_UPG_RET_DONE:
			return 0;
		case LWS_UPG_RET_CONTINUE:
			break;
		case LWS_UPG_RET_BAIL:
			goto bail_nuke_ah;
		}

	if (lws_ensure_user_space(wsi))
		goto bail_nuke_ah;

	/* HTTP header had a content length? */

	wsi->http.rx_content_length = 0;
	wsi->http.content_length_explicitly_zero = 0;
	if (lws_hdr_total_length(wsi, WSI_TOKEN_POST_URI)
#if defined(LWS_WITH_HTTP_UNCOMMON_HEADERS)
			||
	    lws_hdr_total_length(wsi, WSI_TOKEN_PATCH_URI) ||
	    lws_hdr_total_length(wsi, WSI_TOKEN_PUT_URI)
#endif
	    )
		wsi->http.rx_content_length = 100 * 1024 * 1024;

	if (lws_hdr_total_length(wsi, WSI_TOKEN_HTTP_CONTENT_LENGTH) &&
	    lws_hdr_copy(wsi, content_length_str,
			 sizeof(content_length_str) - 1,
			 WSI_TOKEN_HTTP_CONTENT_LENGTH) > 0) {
		wsi->http.rx_content_remain = wsi->http.rx_content_length =
				(lws_filepos_t)atoll(content_length_str);
		if (!wsi->http.rx_content_length) {
			wsi->http.content_length_explicitly_zero = 1;
			lwsl_debug("%s: explicit 0 content-length\n", __func__);
		}
	}

	if (wsi->mux_substream) {
		wsi->http.request_version = HTTP_VERSION_2;
	} else {
		/* http_version? Default to 1.0, override with token: */
		request_version = HTTP_VERSION_1_0;

		/* Works for single digit HTTP versions. : */
		http_version_len = lws_hdr_total_length(wsi, WSI_TOKEN_HTTP);
		if (http_version_len > 7 &&
		    lws_hdr_copy(wsi, http_version_str,
				 sizeof(http_version_str) - 1,
				 WSI_TOKEN_HTTP) > 0 &&
		    http_version_str[5] == '1' && http_version_str[7] == '1')
			request_version = HTTP_VERSION_1_1;

		wsi->http.request_version = request_version;

		/* HTTP/1.1 defaults to "keep-alive", 1.0 to "close" */
		if (request_version == HTTP_VERSION_1_1)
			conn_type = HTTP_CONNECTION_KEEP_ALIVE;
		else
			conn_type = HTTP_CONNECTION_CLOSE;

		/* Override default if http "Connection:" header: */
		if (lws_hdr_total_length(wsi, WSI_TOKEN_CONNECTION) &&
		    lws_hdr_copy(wsi, http_conn_str, sizeof(http_conn_str) - 1,
				 WSI_TOKEN_CONNECTION) > 0) {
			http_conn_str[sizeof(http_conn_str) - 1] = '\0';
			if (!strcasecmp(http_conn_str, "keep-alive"))
				conn_type = HTTP_CONNECTION_KEEP_ALIVE;
			else
				if (!strcasecmp(http_conn_str, "close"))
					conn_type = HTTP_CONNECTION_CLOSE;
		}
		wsi->http.conn_type = conn_type;
	}

	n = (unsigned int)wsi->a.protocol->callback(wsi, LWS_CALLBACK_FILTER_HTTP_CONNECTION,
				    wsi->user_space, uri_ptr, (unsigned int)uri_len);
	if (n) {
		lwsl_info("LWS_CALLBACK_HTTP closing\n");

		return 1;
	}
	/*
	 * if there is content supposed to be coming,
	 * put a timeout on it having arrived
	 */
	if (!wsi->mux_stream_immortal)
		lws_set_timeout(wsi, PENDING_TIMEOUT_HTTP_CONTENT,
				(int)wsi->a.context->timeout_secs);
#if defined(LWS_WITH_TLS)
	if (wsi->tls.redirect_to_https) {
		/*
		 * We accepted http:// only so we could redirect to
		 * https://, so issue the redirect.  Create the redirection
		 * URI from the host: header, and regenerate the path part from
		 * the parsed pieces
		 */
		unsigned char *start = pt->serv_buf + LWS_PRE, *p = start,
			      *end = p + wsi->a.context->pt_serv_buf_size -
				     LWS_PRE;

		n = (unsigned int)lws_hdr_total_length(wsi, WSI_TOKEN_HOST);
		if (!n || n > 128)
			goto bail_nuke_ah;

		if (!lws_hdr_simple_ptr(wsi, WSI_TOKEN_HOST))
			goto bail_nuke_ah;

		p += lws_snprintf((char *)p, lws_ptr_diff_size_t(end, p), "https://");
		memcpy(p, lws_hdr_simple_ptr(wsi, WSI_TOKEN_HOST), n);
		p += n;
		*p++ = '/';
		if (uri_len >= lws_ptr_diff(end, p))
			goto bail_nuke_ah;

		if (uri_ptr[0])
			p--;
		memcpy(p, uri_ptr, (unsigned int)uri_len);
		p += uri_len;

		n = 0;
		while (lws_hdr_copy_fragment(wsi, (char *)p + 1,
					     lws_ptr_diff(end, p) - 2,
					     WSI_TOKEN_HTTP_URI_ARGS, (int)n) > 0) {
			*p = n ? '&' : '?';
			p += strlen((char *)p);
			if (p >= end - 2)
				goto bail_nuke_ah;
			n++;
		}

		n = (unsigned int)lws_ptr_diff(p, start);

		p += LWS_PRE;
		n = (unsigned int)lws_http_redirect(wsi, HTTP_STATUS_MOVED_PERMANENTLY,
				      start, (int)n, &p, end);
		if ((int)n < 0)
			goto bail_nuke_ah;

		return lws_http_transaction_completed(wsi);
	}
#endif

#ifdef LWS_WITH_ACCESS_LOG
	lws_prepare_access_log_info(wsi, uri_ptr, uri_len, meth);
#endif

	/* can we serve it from the mount list? */

	wsi->mount_hit = 0;
	hit = lws_find_mount(wsi, uri_ptr, uri_len);
	if (!hit) {
		/* deferred cleanup and reset to protocols[0] */

		lwsl_info("no hit\n");

		if (lws_bind_protocol(wsi, &wsi->a.vhost->protocols[0],
				      "no mount hit"))
			return 1;

		lwsi_set_state(wsi, LRS_DOING_TRANSACTION);

		m = wsi->a.protocol->callback(wsi, LWS_CALLBACK_HTTP,
				    wsi->user_space, uri_ptr, (unsigned int)uri_len);

		goto after;
	}

	wsi->mount_hit = 1;

#if defined(LWS_WITH_FILE_OPS)
	s = uri_ptr + hit->mountpoint_len;
#endif
	n = (unsigned int)lws_http_redirect_hit(pt, wsi, hit, uri_ptr, uri_len, &ha);
	if (ha)
		return (int)n;

#if defined(LWS_WITH_HTTP_BASIC_AUTH)

	/* basic auth? */

	switch (lws_check_basic_auth(wsi, hit->basic_auth_login_file,
				     hit->auth_mask & AUTH_MODE_MASK)) {
	case LCBA_CONTINUE:
		break;
	case LCBA_FAILED_AUTH:
		return lws_unauthorised_basic_auth(wsi);
	case LCBA_END_TRANSACTION:
		lws_return_http_status(wsi, HTTP_STATUS_FORBIDDEN, NULL);
		return lws_http_transaction_completed(wsi);
	}
#endif

#if defined(LWS_WITH_HTTP_PROXY)
	/*
	 * The mount is a reverse proxy?
	 */

	// if (hit)
	// lwsl_notice("%s: origin_protocol: %d\n", __func__, hit->origin_protocol);
	//else
	//	lwsl_notice("%s: no hit\n", __func__);

	if (hit->origin_protocol == LWSMPRO_HTTPS ||
	    hit->origin_protocol == LWSMPRO_HTTP) {
		n = (unsigned int)lws_http_proxy_start(wsi, hit, uri_ptr, 0);
		// lwsl_notice("proxy start says %d\n", n);
		if (n)
			return (int)n;

		goto deal_body;
	}
#endif

	/*
	 * A particular protocol callback is mounted here?
	 *
	 * For the duration of this http transaction, bind us to the
	 * associated protocol
	 */
	if (hit->origin_protocol == LWSMPRO_CALLBACK || hit->protocol) {
		const struct lws_protocols *pp;
		const char *name = hit->origin;
		if (hit->protocol)
			name = hit->protocol;

		pp = lws_vhost_name_to_protocol(wsi->a.vhost, name);
		if (!pp) {
			lwsl_err("Unable to find plugin '%s'\n",
				 name);
			return 1;
		}

		if (lws_bind_protocol(wsi, pp, "http action CALLBACK bind"))
			return 1;

		lwsl_debug("%s: %s, checking access rights for mask 0x%x\n",
				__func__, hit->origin, hit->auth_mask);

		args.p = uri_ptr;
		args.len = uri_len;
		args.max_len = hit->auth_mask & ~AUTH_MODE_MASK;
		args.final = 0; /* used to signal callback dealt with it */
		args.chunked = 0;

		n = (unsigned int)wsi->a.protocol->callback(wsi,
					    LWS_CALLBACK_CHECK_ACCESS_RIGHTS,
					    wsi->user_space, &args, 0);
		if (n) {
			lws_return_http_status(wsi, HTTP_STATUS_UNAUTHORIZED,
					       NULL);
			goto bail_nuke_ah;
		}
		if (args.final) /* callback completely handled it well */
			return 0;

		if (hit->cgienv && wsi->a.protocol->callback(wsi,
				LWS_CALLBACK_HTTP_PMO,
				wsi->user_space, (void *)hit->cgienv, 0))
			return 1;

		if (lws_hdr_total_length(wsi, WSI_TOKEN_POST_URI)) {
			m = wsi->a.protocol->callback(wsi, LWS_CALLBACK_HTTP,
					    wsi->user_space,
					    uri_ptr + hit->mountpoint_len,
					    (unsigned int)uri_len - hit->mountpoint_len);
			goto after;
		}
	}

#ifdef LWS_WITH_CGI
	/* did we hit something with a cgi:// origin? */
	if (hit->origin_protocol == LWSMPRO_CGI) {
		const char *cmd[] = {
			NULL, /* replace with cgi path */
			NULL
		};

		lwsl_debug("%s: cgi\n", __func__);
		cmd[0] = hit->origin;

		n = 5;
		if (hit->cgi_timeout)
			n = (unsigned int)hit->cgi_timeout;

		n = (unsigned int)lws_cgi(wsi, cmd, hit->mountpoint_len, (int)n,
			    hit->cgienv);
		if (n) {
			lwsl_err("%s: cgi failed\n", __func__);
			return -1;
		}

		goto deal_body;
	}
#endif

#if defined(LWS_WITH_FILE_OPS)
	n = (unsigned int)(uri_len - lws_ptr_diff(s, uri_ptr));
	if (s[0] == '\0' || (n == 1 && s[n - 1] == '/'))
		s = (char *)hit->def;
	if (!s)
		s = "index.html";
#endif

	wsi->cache_secs = (unsigned int)hit->cache_max_age;
	wsi->cache_reuse = hit->cache_reusable;
	wsi->cache_revalidate = hit->cache_revalidate;
	wsi->cache_no = hit->cache_no;
	wsi->cache_intermediaries = hit->cache_intermediaries;

#if defined(LWS_WITH_FILE_OPS)
	m = 1;
	if (hit->origin_protocol == LWSMPRO_FILE)
		m = lws_http_serve(wsi, s, hit->origin, hit);

	if (m > 0)
#endif
	{
lwsl_notice("%s: hit->protocol %s\n", __func__, hit->protocol);
		/*
		 * lws_return_http_status(wsi, HTTP_STATUS_NOT_FOUND, NULL);
		 */
		if (hit->protocol) {
			const struct lws_protocols *pp =
					lws_vhost_name_to_protocol(
						wsi->a.vhost, hit->protocol);
lwsl_notice("%s: pp %p\n", __func__, pp);
			/* coverity */
			if (!pp)
				return 1;

			lwsi_set_state(wsi, LRS_DOING_TRANSACTION);

			if (lws_bind_protocol(wsi, pp, "http_action HTTP"))
				return 1;

			m = pp->callback(wsi, LWS_CALLBACK_HTTP,
					 wsi->user_space,
					 uri_ptr + hit->mountpoint_len,
					 (size_t)(uri_len - hit->mountpoint_len));
		} else
			m = wsi->a.protocol->callback(wsi, LWS_CALLBACK_HTTP,
				    wsi->user_space, uri_ptr, (size_t)uri_len);
	}

after:
	if (m) {
		lwsl_info("LWS_CALLBACK_HTTP closing\n");

		return 1;
	}

#if defined(LWS_WITH_CGI) || defined(LWS_WITH_HTTP_PROXY)
deal_body:
#endif
	/*
	 * If we're not issuing a file, check for content_length or
	 * HTTP keep-alive. No keep-alive header allocation for
	 * ISSUING_FILE, as this uses HTTP/1.0.
	 *
	 * In any case, return 0 and let lws_read decide how to
	 * proceed based on state
	 */
	if (lwsi_state(wsi) == LRS_ISSUING_FILE)
		return 0;

	/* Prepare to read body if we have a content length: */
	lwsl_debug("wsi->http.rx_content_length %lld %d %d\n",
		   (long long)wsi->http.rx_content_length,
		   wsi->upgraded_to_http2, wsi->mux_substream);

	if (wsi->http.content_length_explicitly_zero &&
	    lws_hdr_total_length(wsi, WSI_TOKEN_POST_URI)) {

		/*
		 * POST with an explicit content-length of zero
		 *
		 * If we don't give the user code the empty HTTP_BODY callback,
		 * he may become confused to hear the HTTP_BODY_COMPLETION (due
		 * to, eg, instantiation of lws_spa never happened).
		 *
		 * HTTP_BODY_COMPLETION is responsible for sending the result
		 * status code and result body if any, and to do the transaction
		 * complete processing.
		 */
		if (wsi->a.protocol->callback(wsi, LWS_CALLBACK_HTTP_BODY,
					    wsi->user_space, NULL, 0))
			return 1;
		if (wsi->a.protocol->callback(wsi, LWS_CALLBACK_HTTP_BODY_COMPLETION,
					    wsi->user_space, NULL, 0))
			return 1;

		return 0;
	}

	if (wsi->http.rx_content_length <= 0)
		return 0;

	if (lwsi_state(wsi) != LRS_DISCARD_BODY) {
		lwsi_set_state(wsi, LRS_BODY);
		lwsl_info("%s: %s: LRS_BODY state set (0x%x)\n", __func__,
			  lws_wsi_tag(wsi), (int)wsi->wsistate);
	}
	wsi->http.rx_content_remain = wsi->http.rx_content_length;

	/*
	 * At this point we have transitioned from deferred
	 * action to expecting BODY on the stream wsi, if it's
	 * in a bundle like h2.  So if the stream wsi has its
	 * own buflist, we need to deal with that first.
	 */

	while (1) {
		struct lws_tokens ebuf;
		int m;

		ebuf.len = (int)lws_buflist_next_segment_len(&wsi->buflist,
							     &ebuf.token);
		if (!ebuf.len)
			break;

		lwsl_debug("%s: consuming %d\n", __func__, (int)ebuf.len);
		m = lws_read_h1(wsi, ebuf.token, (lws_filepos_t)ebuf.len);
		if (m < 0)
			return -1;

		if (lws_buflist_aware_finished_consuming(wsi, &ebuf, m, 1,
							 __func__))
			return -1;
	}

	return 0;

bail_nuke_ah:
	lws_header_table_detach(wsi, 1);

	return 1;
}

int
lws_confirm_host_header(struct lws *wsi)
{
	struct lws_tokenize ts;
	lws_tokenize_elem e;
	int port = 80, n;
	char buf[128];

	/*
	 * this vhost wants us to validate what the
	 * client sent against our vhost name
	 */

	if (!lws_hdr_total_length(wsi, WSI_TOKEN_HOST)) {
		lwsl_info("%s: missing host on upgrade\n", __func__);

		return 1;
	}

#if defined(LWS_WITH_TLS)
	if (wsi->tls.ssl)
		port = 443;
#endif

	n = lws_hdr_copy(wsi, buf, sizeof(buf) - 1, WSI_TOKEN_HOST);
	if (n <= 0) {
		lwsl_info("%s: missing or oversize host header\n", __func__);
		return 1;
	}
	ts.len = (size_t)n;
	lws_tokenize_init(&ts, buf, LWS_TOKENIZE_F_DOT_NONTERM /* server.com */|
				    LWS_TOKENIZE_F_NO_FLOATS /* 1.server.com */|
				    LWS_TOKENIZE_F_MINUS_NONTERM /* a-b.com */);

	if (lws_tokenize(&ts) != LWS_TOKZE_TOKEN)
		goto bad_format;

	if (strncmp(ts.token, wsi->a.vhost->name, ts.token_len)) {
		buf[(size_t)(ts.token - buf) + ts.token_len] = '\0';
		lwsl_info("%s: '%s' in host hdr but vhost name %s\n",
			  __func__, ts.token, wsi->a.vhost->name);
		return 1;
	}

	e = lws_tokenize(&ts);
	if (e == LWS_TOKZE_DELIMITER && ts.token[0] == ':') {
		if (lws_tokenize(&ts) != LWS_TOKZE_INTEGER)
			goto bad_format;
		else
			port = atoi(ts.token);
	} else
		if (e != LWS_TOKZE_ENDED)
			goto bad_format;

	if (wsi->a.vhost->listen_port != port &&
		wsi->a.vhost->listen_port != CONTEXT_PORT_NO_LISTEN_SERVER) {
		lwsl_info("%s: host port %d mismatches vhost port %d\n",
			  __func__, port, wsi->a.vhost->listen_port);
		return 1;
	}

	lwsl_debug("%s: host header OK\n", __func__);

	return 0;

bad_format:
	lwsl_info("%s: bad host header format\n", __func__);

	return 1;
}

#if defined(LWS_WITH_SERVER)
int
lws_http_to_fallback(struct lws *wsi, unsigned char *obuf, size_t olen)
{
	const struct lws_role_ops *role = &role_ops_raw_skt;
	const struct lws_protocols *p1, *protocol =
			 &wsi->a.vhost->protocols[wsi->a.vhost->raw_protocol_index];
	char ipbuf[64];
	int n;

	if (wsi->a.vhost->listen_accept_role &&
	    lws_role_by_name(wsi->a.vhost->listen_accept_role))
		role = lws_role_by_name(wsi->a.vhost->listen_accept_role);

	if (wsi->a.vhost->listen_accept_protocol) {
		p1 = lws_vhost_name_to_protocol(wsi->a.vhost,
			    wsi->a.vhost->listen_accept_protocol);
		if (p1)
			protocol = p1;
	}

	lws_bind_protocol(wsi, protocol, __func__);

	lws_role_transition(wsi, LWSIFR_SERVER, LRS_ESTABLISHED, role);

	lws_header_table_detach(wsi, 0);
	lws_set_timeout(wsi, NO_PENDING_TIMEOUT, 0);

	n = LWS_CALLBACK_SERVER_NEW_CLIENT_INSTANTIATED;
	if (wsi->role_ops->adoption_cb[1])
		n = wsi->role_ops->adoption_cb[1];

	ipbuf[0] = '\0';
#if !defined(LWS_PLAT_OPTEE)
	lws_get_peer_simple(wsi, ipbuf, sizeof(ipbuf));
#endif

	lwsl_notice("%s: vh %s, peer: %s, role %s, "
		    "protocol %s, cb %d, ah %p\n", __func__, wsi->a.vhost->name,
		    ipbuf, role ? role->name : "null", protocol->name, n,
		    wsi->http.ah);

	if ((wsi->a.protocol->callback)(wsi, (enum lws_callback_reasons)n, wsi->user_space, NULL, 0))
		return 1;

	n = LWS_CALLBACK_RAW_RX;
	if (wsi->role_ops->rx_cb[lwsi_role_server(wsi)])
		n = wsi->role_ops->rx_cb[lwsi_role_server(wsi)];
	if (wsi->a.protocol->callback(wsi, (enum lws_callback_reasons)n, wsi->user_space, obuf, olen))
		return 1;

	return 0;
}

int
lws_handshake_server(struct lws *wsi, unsigned char **buf, size_t len)
{
	struct lws_context *context = lws_get_context(wsi);
	struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
#if defined(LWS_WITH_HTTP2)
	struct allocated_headers *ah;
#endif
	unsigned char *obuf = *buf;
#if defined(LWS_WITH_HTTP2)
	char tbuf[128], *p;
#endif
	size_t olen = len;
	int n = 0, m, i;

	if (len >= 10000000) {
		lwsl_err("%s: assert: len %ld\n", __func__, (long)len);
		assert(0);
	}

	if (!wsi->http.ah) {
		lwsl_err("%s: assert: NULL ah\n", __func__);
		assert(0);
	}

	while (len) {
		if (!lwsi_role_server(wsi) || !lwsi_role_http(wsi)) {
			lwsl_err("%s: bad wsi role 0x%x\n", __func__,
					(int)lwsi_role(wsi));
			goto bail_nuke_ah;
		}

		i = (int)len;
		m = lws_parse(wsi, *buf, &i);
		lwsl_info("%s: parsed count %d\n", __func__, (int)len - i);
		(*buf) += (int)len - i;
		len = (unsigned int)i;

		if (m == LPR_DO_FALLBACK) {

			/*
			 * http parser went off the rails and
			 * LWS_SERVER_OPTION_FALLBACK_TO_APPLY_LISTEN_
			 * ACCEPT_CONFIG is set on this vhost.
			 *
			 * We are transitioning from http with an AH, to
			 * a backup role (raw-skt, by default).  Drop
			 * the ah, bind to the role with mode as
			 * ESTABLISHED.
			 */
raw_transition:

			if (lws_http_to_fallback(wsi, obuf, olen)) {
				lwsl_info("%s: fallback -> close\n", __func__);
				goto bail_nuke_ah;
			}

			(*buf) = obuf + olen;

			return 0;
		}
		if (m) {
			lwsl_info("lws_parse failed\n");
			goto bail_nuke_ah;
		}

		/* coverity... */
		if (!wsi->http.ah)
			goto bail_nuke_ah;

		if (wsi->http.ah->parser_state != WSI_PARSING_COMPLETE)
			continue;

		lwsl_parser("%s: lws_parse sees parsing complete\n", __func__);

		/* select vhost */

		if (wsi->a.vhost->listen_port &&
		    lws_hdr_total_length(wsi, WSI_TOKEN_HOST)) {
			struct lws_vhost *vhost = lws_select_vhost(
				context, wsi->a.vhost->listen_port,
				lws_hdr_simple_ptr(wsi, WSI_TOKEN_HOST));

			if (vhost)
				lws_vhost_bind_wsi(vhost, wsi);
		} else
			lwsl_info("no host\n");

		if ((!lwsi_role_h2(wsi) || !lwsi_role_server(wsi)) &&
		    (!wsi->conn_stat_done))
			wsi->conn_stat_done = 1;

		/* check for unwelcome guests */
#if defined(LWS_WITH_HTTP_UNCOMMON_HEADERS)
		if (wsi->a.context->reject_service_keywords) {
			const struct lws_protocol_vhost_options *rej =
					wsi->a.context->reject_service_keywords;
			char ua[384], *msg = NULL;

			if (lws_hdr_copy(wsi, ua, sizeof(ua) - 1,
					 WSI_TOKEN_HTTP_USER_AGENT) > 0) {
#ifdef LWS_WITH_ACCESS_LOG
				char *uri_ptr = NULL;
				int meth, uri_len;
#endif
				ua[sizeof(ua) - 1] = '\0';
				while (rej) {
					if (!strstr(ua, rej->name)) {
						rej = rej->next;
						continue;
					}

					msg = strchr(rej->value, ' ');
					if (msg)
						msg++;
					lws_return_http_status(wsi,
						(unsigned int)atoi(rej->value), msg);
#ifdef LWS_WITH_ACCESS_LOG
					meth = lws_http_get_uri_and_method(wsi,
							&uri_ptr, &uri_len);
					if (meth >= 0)
						lws_prepare_access_log_info(wsi,
							uri_ptr, uri_len, meth);

					/* wsi close will do the log */
#endif
					/*
					 * We don't want anything from
					 * this rejected guy.  Follow
					 * the close flow, not the
					 * transaction complete flow.
					 */
					goto bail_nuke_ah;
				}
			}
		}
#endif
		/*
		 * So he may have come to us requesting one or another kind
		 * of upgrade from http... but we may want to redirect him at
		 * http level.  In that case, we need to check the redirect
		 * situation even though he's not actually wanting http and
		 * prioritize returning that if there is one.
		 */

		{
			const struct lws_http_mount *hit = NULL;
			int uri_len = 0, ha, n;
			char *uri_ptr = NULL;

			n = lws_http_get_uri_and_method(wsi, &uri_ptr, &uri_len);
			if (n >= 0) {
				hit = lws_find_mount(wsi, uri_ptr, uri_len);
				if (hit) {
					n = lws_http_redirect_hit(pt, wsi, hit, uri_ptr,
								  uri_len, &ha);
					if (ha)
						return n;
				}
			}
		}



		if (lws_hdr_total_length(wsi, WSI_TOKEN_CONNECT)) {
			lwsl_info("Changing to RAW mode\n");
			goto raw_transition;
		}

		lwsi_set_state(wsi, LRS_PRE_WS_SERVING_ACCEPT);
		lws_set_timeout(wsi, NO_PENDING_TIMEOUT, 0);

		if (lws_hdr_total_length(wsi, WSI_TOKEN_UPGRADE)) {

			const char *up = lws_hdr_simple_ptr(wsi,
							    WSI_TOKEN_UPGRADE);

			if (strcasecmp(up, "websocket") &&
			    strcasecmp(up, "h2c")) {
				lwsl_info("Unknown upgrade '%s'\n", up);

				if (lws_return_http_status(wsi,
						HTTP_STATUS_FORBIDDEN, NULL) ||
				    lws_http_transaction_completed(wsi))
					goto bail_nuke_ah;
			}

			n = user_callback_handle_rxflow(wsi->a.protocol->callback,
					wsi, LWS_CALLBACK_HTTP_CONFIRM_UPGRADE,
					wsi->user_space, (char *)up, 0);

			/* just hang up? */

			if (n < 0)
				goto bail_nuke_ah;

			/* callback returned headers already, do t_c? */

			if (n > 0) {
				if (lws_http_transaction_completed(wsi))
					goto bail_nuke_ah;

				/* continue on */

				return 0;
			}

			/* callback said 0, it was allowed */

			if (wsi->a.vhost->options &
			    LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK &&
			    lws_confirm_host_header(wsi))
				goto bail_nuke_ah;

			if (!strcasecmp(up, "websocket")) {
#if defined(LWS_ROLE_WS)
				lws_metrics_tag_wsi_add(wsi, "upg", "ws");
				lwsl_info("Upgrade to ws\n");
				goto upgrade_ws;
#endif
			}
#if defined(LWS_WITH_HTTP2)
			if (!strcasecmp(up, "h2c")) {
				lws_metrics_tag_wsi_add(wsi, "upg", "h2c");
				lwsl_info("Upgrade to h2c\n");
				goto upgrade_h2c;
			}
#endif
		}

		/* no upgrade ack... he remained as HTTP */

		lwsl_info("%s: %s: No upgrade\n", __func__, lws_wsi_tag(wsi));

		lwsi_set_state(wsi, LRS_ESTABLISHED);
#if defined(LWS_WITH_FILE_OPS)
		wsi->http.fop_fd = NULL;
#endif

#if defined(LWS_WITH_HTTP_STREAM_COMPRESSION)
		lws_http_compression_validate(wsi);
#endif

		lwsl_debug("%s: %s: ah %p\n", __func__, lws_wsi_tag(wsi),
			   (void *)wsi->http.ah);

		n = lws_http_action(wsi);

		return n;

#if defined(LWS_WITH_HTTP2)
upgrade_h2c:
		if (!lws_hdr_total_length(wsi, WSI_TOKEN_HTTP2_SETTINGS)) {
			lwsl_info("missing http2_settings\n");
			goto bail_nuke_ah;
		}

		lwsl_info("h2c upgrade...\n");

		p = lws_hdr_simple_ptr(wsi, WSI_TOKEN_HTTP2_SETTINGS);
		/* convert the peer's HTTP-Settings */
		n = lws_b64_decode_string(p, tbuf, sizeof(tbuf));
		if (n < 0) {
			lwsl_parser("HTTP2_SETTINGS too long\n");
			return 1;
		}

		wsi->upgraded_to_http2 = 1;

		/* adopt the header info */

		ah = wsi->http.ah;
		lws_role_transition(wsi, LWSIFR_SERVER, LRS_H2_AWAIT_PREFACE,
				    &role_ops_h2);

		/* http2 union member has http union struct at start */
		wsi->http.ah = ah;

		if (!wsi->h2.h2n) {
			wsi->h2.h2n = lws_zalloc(sizeof(*wsi->h2.h2n), "h2n");
			if (!wsi->h2.h2n)
				return 1;
		}

		lws_h2_init(wsi);

		/* HTTP2 union */

		lws_h2_settings(wsi, &wsi->h2.h2n->peer_set, (uint8_t *)tbuf, n);

		if (lws_hpack_dynamic_size(wsi, (int)wsi->h2.h2n->peer_set.s[
		                                      H2SET_HEADER_TABLE_SIZE]))
			return 1;

		strcpy(tbuf, "HTTP/1.1 101 Switching Protocols\x0d\x0a"
			      "Connection: Upgrade\x0d\x0a"
			      "Upgrade: h2c\x0d\x0a\x0d\x0a");
		m = (int)strlen(tbuf);
		n = lws_issue_raw(wsi, (unsigned char *)tbuf, (unsigned int)m);
		if (n != m) {
			lwsl_debug("http2 switch: ERROR writing to socket\n");
			return 1;
		}

		return 0;
#endif
#if defined(LWS_ROLE_WS)
upgrade_ws:
		if (lws_process_ws_upgrade(wsi))
			goto bail_nuke_ah;

		return 0;
#endif
	} /* while all chars are handled */

	return 0;

bail_nuke_ah:
	/* drop the header info */
	lws_header_table_detach(wsi, 1);

	return 1;
}
#endif

int LWS_WARN_UNUSED_RESULT
lws_http_transaction_completed(struct lws *wsi)
{
	int n;

	if (wsi->http.cgi_transaction_complete)
		return 0;

	if (lws_has_buffered_out(wsi)
#if defined(LWS_WITH_HTTP_STREAM_COMPRESSION)
			|| wsi->http.comp_ctx.buflist_comp ||
	    wsi->http.comp_ctx.may_have_more
#endif
	) {
		/*
		 * ...so he tried to send something large as the http reply,
		 * it went as a partial, but he immediately said the
		 * transaction was completed.
		 *
		 * Defer the transaction completed until the last part of the
		 * partial is sent.
		 */
		lwsl_debug("%s: %s: deferring due to partial\n", __func__,
				lws_wsi_tag(wsi));
		wsi->http.deferred_transaction_completed = 1;
		lws_callback_on_writable(wsi);

		return 0;
	}
	/*
	 * Are we finishing the transaction before we have consumed any body?
	 *
	 * For h1 this would kill keepalive pipelining, and for h2, considering
	 * it can extend over multiple DATA frames, it would kill the network
	 * connection.
	 */
	if (wsi->http.rx_content_length && wsi->http.rx_content_remain) {
		/*
		 * are we already in LRS_DISCARD_BODY and didn't clear the
		 * remaining before trying to complete the transaction again?
		 */
		if (lwsi_state(wsi) == LRS_DISCARD_BODY)
			return -1;
		/*
		 * let's defer transaction completed processing until we
		 * discarded the remaining body
		 */
		lwsi_set_state(wsi, LRS_DISCARD_BODY);

		return 0;
	}

#if defined(LWS_WITH_SYS_METRICS)
	{
		char tmp[10];

		lws_snprintf(tmp, sizeof(tmp), "%u", wsi->http.response_code);
		lws_metrics_tag_wsi_add(wsi, "status", tmp);
	}
#endif

	lwsl_info("%s: %s\n", __func__, lws_wsi_tag(wsi));

#if defined(LWS_WITH_HTTP_STREAM_COMPRESSION)
	lws_http_compression_destroy(wsi);
#endif
	lws_access_log(wsi);

	if (!wsi->hdr_parsing_completed
#if defined(LWS_WITH_CGI)
			&& !wsi->http.cgi
#endif
	) {
		char peer[64];

#if !defined(LWS_PLAT_OPTEE)
		lws_get_peer_simple(wsi, peer, sizeof(peer) - 1);
#else
		peer[0] = '\0';
#endif
		peer[sizeof(peer) - 1] = '\0';
		lwsl_info("%s: (from %s) ignoring, ah parsing incomplete\n",
				__func__, peer);
		return 0;
	}

#if defined(LWS_WITH_CGI)
	if (wsi->http.cgi) {
		lwsl_debug("%s: cleaning cgi\n", __func__);
		wsi->http.cgi_transaction_complete = 1;
		lws_cgi_remove_and_kill(wsi);
		lws_spawn_piped_destroy(&wsi->http.cgi->lsp);
		lws_sul_cancel(&wsi->http.cgi->sul_grace);

		lws_free_set_NULL(wsi->http.cgi);
		wsi->http.cgi_transaction_complete = 0;
	}
#endif

	/* if we can't go back to accept new headers, drop the connection */
	if (wsi->mux_substream)
		return 1;

	if (wsi->seen_zero_length_recv)
		return 1;

	if (wsi->http.conn_type != HTTP_CONNECTION_KEEP_ALIVE) {
		lwsl_info("%s: %s: close connection\n", __func__, lws_wsi_tag(wsi));
		return 1;
	}

	if (lws_bind_protocol(wsi, &wsi->a.vhost->protocols[0], __func__))
		return 1;

	/*
	 * otherwise set ourselves up ready to go again, but because we have no
	 * idea about the wsi writability, we make put it in a holding state
	 * until we can verify POLLOUT.  The part of this that confirms POLLOUT
	 * with no partials is in lws_server_socket_service() below.
	 */
	lwsl_debug("%s: %s: setting DEF_ACT from 0x%x: %p\n", __func__,
		   lws_wsi_tag(wsi), (int)wsi->wsistate, wsi->buflist);
	lwsi_set_state(wsi, LRS_DEFERRING_ACTION);
	wsi->http.tx_content_length = 0;
	wsi->http.tx_content_remain = 0;
	wsi->hdr_parsing_completed = 0;
	wsi->sending_chunked = 0;
#ifdef LWS_WITH_ACCESS_LOG
	wsi->http.access_log.sent = 0;
#endif
#if defined(LWS_WITH_FILE_OPS) && (defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2))
	if (lwsi_role_http(wsi) && lwsi_role_server(wsi) &&
	    wsi->http.fop_fd != NULL)
		lws_vfs_file_close(&wsi->http.fop_fd);
#endif

	n = NO_PENDING_TIMEOUT;
	if (wsi->a.vhost->keepalive_timeout)
		n = PENDING_TIMEOUT_HTTP_KEEPALIVE_IDLE;
	lws_set_timeout(wsi, (enum pending_timeout)n, wsi->a.vhost->keepalive_timeout);

	/*
	 * We already know we are on http1.1 / keepalive and the next thing
	 * coming will be another header set.
	 *
	 * If there is no pending rx and we still have the ah, drop it and
	 * reacquire a new ah when the new headers start to arrive.  (Otherwise
	 * we needlessly hog an ah indefinitely.)
	 *
	 * However if there is pending rx and we know from the keepalive state
	 * that is already at least the start of another header set, simply
	 * reset the existing header table and keep it.
	 */
	if (wsi->http.ah) {
		// lws_buflist_describe(&wsi->buflist, wsi, __func__);
		if (!lws_buflist_next_segment_len(&wsi->buflist, NULL)) {
			lwsl_debug("%s: %s: nothing in buflist, detaching ah\n",
				  __func__, lws_wsi_tag(wsi));
			lws_header_table_detach(wsi, 1);
#ifdef LWS_WITH_TLS
			/*
			 * additionally... if we are hogging an SSL instance
			 * with no pending pipelined headers (or ah now), and
			 * SSL is scarce, drop this connection without waiting
			 */

			if (wsi->a.vhost->tls.use_ssl &&
			    wsi->a.context->simultaneous_ssl_restriction &&
			    wsi->a.context->simultaneous_ssl ==
				   wsi->a.context->simultaneous_ssl_restriction) {
				lwsl_info("%s: simultaneous_ssl_restriction\n",
					  __func__);
				return 1;
			}
#endif
		} else {
			lwsl_info("%s: %s: resetting/keeping ah as pipeline\n",
				  __func__, lws_wsi_tag(wsi));
			lws_header_table_reset(wsi, 0);
			/*
			 * If we kept the ah, we should restrict the amount
			 * of time we are willing to keep it.  Otherwise it
			 * will be bound the whole time the connection remains
			 * open.
			 */
			lws_set_timeout(wsi, PENDING_TIMEOUT_HOLDING_AH,
					wsi->a.vhost->keepalive_timeout);
		}
		/* If we're (re)starting on headers, need other implied init */
		if (wsi->http.ah)
			wsi->http.ah->ues = URIES_IDLE;

		//lwsi_set_state(wsi, LRS_ESTABLISHED); // !!!
	} else
		if (lws_buflist_next_segment_len(&wsi->buflist, NULL))
			if (lws_header_table_attach(wsi, 0))
				lwsl_debug("acquired ah\n");

	lwsl_debug("%s: %s: keep-alive await new transaction (state 0x%x)\n",
		   __func__, lws_wsi_tag(wsi), (int)wsi->wsistate);
	lws_callback_on_writable(wsi);

	return 0;
}

#if defined(LWS_WITH_FILE_OPS)
int
lws_serve_http_file(struct lws *wsi, const char *file, const char *content_type,
		    const char *other_headers, int other_headers_len)
{
	struct lws_context *context = lws_get_context(wsi);
	struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
	unsigned char *response = pt->serv_buf + LWS_PRE;
#if defined(LWS_WITH_RANGES)
	struct lws_range_parsing *rp = &wsi->http.range;
#endif
	int ret = 0, cclen = 8, n = HTTP_STATUS_OK;
	char cache_control[50], *cc = "no-store";
	lws_fop_flags_t fflags = LWS_O_RDONLY;
	const struct lws_plat_file_ops *fops;
	lws_filepos_t total_content_length;
	unsigned char *p = response;
	unsigned char *end = p + context->pt_serv_buf_size - LWS_PRE;
	const char *vpath;
#if defined(LWS_WITH_RANGES)
	int ranges;
#endif

	if (wsi->handling_404)
		n = HTTP_STATUS_NOT_FOUND;

	/*
	 * We either call the platform fops .open with first arg platform fops,
	 * or we call fops_zip .open with first arg platform fops, and fops_zip
	 * open will decide whether to switch to fops_zip or stay with fops_def.
	 *
	 * If wsi->http.fop_fd is already set, the caller already opened it
	 */
	if (!wsi->http.fop_fd) {
		fops = lws_vfs_select_fops(wsi->a.context->fops, file, &vpath);
		fflags |= lws_vfs_prepare_flags(wsi);
		wsi->http.fop_fd = fops->LWS_FOP_OPEN(fops, wsi->a.context->fops,
							file, vpath, &fflags);
		if (!wsi->http.fop_fd) {
			lwsl_info("%s: Unable to open: '%s': errno %d\n",
				  __func__, file, errno);
			if (lws_return_http_status(wsi, HTTP_STATUS_NOT_FOUND,
						   NULL))
						return -1;
			return !wsi->mux_substream;
		}
	}

	/*
	 * Caution... wsi->http.fop_fd is live from here
	 */

	wsi->http.filelen = lws_vfs_get_length(wsi->http.fop_fd);
	total_content_length = wsi->http.filelen;

#if defined(LWS_WITH_RANGES)
	ranges = lws_ranges_init(wsi, rp, wsi->http.filelen);

	lwsl_debug("Range count %d\n", ranges);
	/*
	 * no ranges -> 200;
	 *  1 range  -> 206 + Content-Type: normal; Content-Range;
	 *  more     -> 206 + Content-Type: multipart/byteranges
	 *  		Repeat the true Content-Type in each multipart header
	 *  		along with Content-Range
	 */
	if (ranges < 0) {
		/* it means he expressed a range in Range:, but it was illegal */
		lws_return_http_status(wsi,
				HTTP_STATUS_REQ_RANGE_NOT_SATISFIABLE, NULL);
		if (lws_http_transaction_completed(wsi))
			goto bail; /* <0 means just hang up */

		lws_vfs_file_close(&wsi->http.fop_fd);

		return 0; /* == 0 means we did the transaction complete */
	}
	if (ranges)
		n = HTTP_STATUS_PARTIAL_CONTENT;
#endif

	if (lws_add_http_header_status(wsi, (unsigned int)n, &p, end))
		goto bail;

	if ((wsi->http.fop_fd->flags & (LWS_FOP_FLAG_COMPR_ACCEPTABLE_GZIP |
		       LWS_FOP_FLAG_COMPR_IS_GZIP)) ==
	    (LWS_FOP_FLAG_COMPR_ACCEPTABLE_GZIP | LWS_FOP_FLAG_COMPR_IS_GZIP)) {
		if (lws_add_http_header_by_token(wsi,
			WSI_TOKEN_HTTP_CONTENT_ENCODING,
			(unsigned char *)"gzip", 4, &p, end))
			goto bail;
		lwsl_info("file is being provided in gzip\n");
	}
#if defined(LWS_WITH_HTTP_STREAM_COMPRESSION)
	else {
		/*
		 * if we know its very compressible, and we can use
		 * compression, then use the most preferred compression
		 * method that the client said he will accept
		 */

		if (!wsi->interpreting && (
		     !strncmp(content_type, "text/", 5) ||
		     !strcmp(content_type, "application/javascript") ||
		     !strcmp(content_type, "image/svg+xml")))
			lws_http_compression_apply(wsi, NULL, &p, end, 0);
	}
#endif

	if (
#if defined(LWS_WITH_RANGES)
	    ranges < 2 &&
#endif
	    content_type && content_type[0])
		if (lws_add_http_header_by_token(wsi,
						 WSI_TOKEN_HTTP_CONTENT_TYPE,
						 (unsigned char *)content_type,
						 (int)strlen(content_type),
						 &p, end))
			goto bail;

#if defined(LWS_WITH_RANGES)
	if (ranges >= 2) { /* multipart byteranges */
		lws_strncpy(wsi->http.multipart_content_type, content_type,
			sizeof(wsi->http.multipart_content_type));

		if (lws_add_http_header_by_token(wsi,
						 WSI_TOKEN_HTTP_CONTENT_TYPE,
						 (unsigned char *)
						 "multipart/byteranges; "
						 "boundary=_lws",
			 	 	 	 20, &p, end))
			goto bail;

		/*
		 *  our overall content length has to include
		 *
		 *  - (n + 1) x "_lws\r\n"
		 *  - n x Content-Type: xxx/xxx\r\n
		 *  - n x Content-Range: bytes xxx-yyy/zzz\r\n
		 *  - n x /r/n
		 *  - the actual payloads (aggregated in rp->agg)
		 *
		 *  Precompute it for the main response header
		 */

		total_content_length = (lws_filepos_t)rp->agg +
				       6 /* final _lws\r\n */;

		lws_ranges_reset(rp);
		while (lws_ranges_next(rp)) {
			n = lws_snprintf(cache_control, sizeof(cache_control),
					"bytes %llu-%llu/%llu",
					rp->start, rp->end, rp->extent);

			total_content_length = total_content_length +
					(lws_filepos_t)(
				6 /* header _lws\r\n */ +
				/* Content-Type: xxx/xxx\r\n */
				14 + (int)strlen(content_type) + 2 +
				/* Content-Range: xxxx\r\n */
				15 + n + 2 +
				2); /* /r/n */
		}

		lws_ranges_reset(rp);
		lws_ranges_next(rp);
	}

	if (ranges == 1) {
		total_content_length = (lws_filepos_t)rp->agg;
		n = lws_snprintf(cache_control, sizeof(cache_control),
				 "bytes %llu-%llu/%llu",
				 rp->start, rp->end, rp->extent);

		if (lws_add_http_header_by_token(wsi,
						 WSI_TOKEN_HTTP_CONTENT_RANGE,
						 (unsigned char *)cache_control,
						 n, &p, end))
			goto bail;
	}

	wsi->http.range.inside = 0;

	if (lws_add_http_header_by_token(wsi, WSI_TOKEN_HTTP_ACCEPT_RANGES,
					 (unsigned char *)"bytes", 5, &p, end))
		goto bail;
#endif

	if (!wsi->mux_substream) {
		/* for http/1.1 ... */
		if (!wsi->sending_chunked
#if defined(LWS_WITH_HTTP_STREAM_COMPRESSION)
				&& !wsi->http.lcs
#endif
		) {
			/* ... if not already using chunked and not using an
			 * http compression translation, then send the naive
			 * content length
			 */
			if (lws_add_http_header_content_length(wsi,
						total_content_length, &p, end))
				goto bail;
		} else {

#if defined(LWS_WITH_HTTP_STREAM_COMPRESSION)
			if (wsi->http.lcs) {

				/* ...otherwise, for http 1 it must go chunked.
				 * For the compression case, the reason is we
				 * compress on the fly and do not know the
				 * compressed content-length until it has all
				 * been sent.  Http/1.1 pipelining must be able
				 * to know where the transaction boundaries are
				 * ... so chunking...
				 */
				if (lws_add_http_header_by_token(wsi,
						WSI_TOKEN_HTTP_TRANSFER_ENCODING,
						(unsigned char *)"chunked", 7,
						&p, end))
					goto bail;

				/*
				 * ...this is fun, isn't it :-)  For h1 that is
				 * using an http compression translation, the
				 * compressor must chunk its output privately.
				 *
				 * h2 doesn't need (or support) any of this
				 * crap.
				 */
				lwsl_debug("setting chunking\n");
				wsi->http.comp_ctx.chunking = 1;
			}
#endif
		}
	}

	if (wsi->cache_no) {
		cc = cache_control;
		cclen = sprintf(cache_control, "no-cache");
	}
	else if (wsi->cache_secs && wsi->cache_reuse) {
		if (!wsi->cache_revalidate) {
			cc = cache_control;
			cclen = sprintf(cache_control, "%s, max-age=%u",
                         intermediates[wsi->cache_intermediaries],
                         wsi->cache_secs);
		} else {
			cc = cache_control;
			cclen = sprintf(cache_control,
                         "must-revalidate, %s, max-age=%u",
                         intermediates[wsi->cache_intermediaries],
                         wsi->cache_secs);
		}
	}

	/* Only add cache control if its not specified by any other_headers. */
	if (!other_headers ||
	    (!strstr(other_headers, "cache-control") &&
	     !strstr(other_headers, "Cache-Control"))) {
		if (lws_add_http_header_by_token(wsi,
				WSI_TOKEN_HTTP_CACHE_CONTROL,
				(unsigned char *)cc, cclen, &p, end))
			goto bail;
	}

	if (other_headers) {
		if ((end - p) < other_headers_len)
			goto bail;
		memcpy(p, other_headers, (unsigned int)other_headers_len);
		p += other_headers_len;
	}

	if (lws_finalize_http_header(wsi, &p, end))
		goto bail;

	ret = lws_write(wsi, response, lws_ptr_diff_size_t(p, response), LWS_WRITE_HTTP_HEADERS);
	if (ret != (p - response)) {
		lwsl_err("_write returned %d from %ld\n", ret,
			 (long)(p - response));
		goto bail;
	}

	wsi->http.filepos = 0;
	lwsi_set_state(wsi, LRS_ISSUING_FILE);

	if (lws_hdr_total_length(wsi, WSI_TOKEN_HEAD_URI)) {
		/* we do not emit the body */
		lws_vfs_file_close(&wsi->http.fop_fd);
		if (lws_http_transaction_completed(wsi))
			goto bail;

		return 0;
	}

	lws_callback_on_writable(wsi);

	return 0;

bail:
	lws_vfs_file_close(&wsi->http.fop_fd);

	return -1;
}
#endif

#if defined(LWS_WITH_FILE_OPS)

int lws_serve_http_file_fragment(struct lws *wsi)
{
	struct lws_context *context = wsi->a.context;
	struct lws_context_per_thread *pt = &context->pt[(int)wsi->tsi];
	struct lws_process_html_args args;
	lws_filepos_t amount, poss;
	unsigned char *p, *pstart;
#if defined(LWS_WITH_RANGES)
	unsigned char finished = 0;
#endif
#if defined(LWS_ROLE_H2)
	struct lws *nwsi;
#endif
	int n, m;

	lwsl_debug("wsi->mux_substream %d\n", wsi->mux_substream);

	do {

		/* priority 1: buffered output */

		if (lws_has_buffered_out(wsi)) {
			if (lws_issue_raw(wsi, NULL, 0) < 0) {
				lwsl_info("%s: closing\n", __func__);
				goto file_had_it;
			}
			break;
		}

		/* priority 2: buffered pre-compression-transform */

#if defined(LWS_WITH_HTTP_STREAM_COMPRESSION)
	if (wsi->http.comp_ctx.buflist_comp ||
	    wsi->http.comp_ctx.may_have_more) {
		enum lws_write_protocol wp = LWS_WRITE_HTTP;

		lwsl_info("%s: completing comp partial (buflist %p, may %d)\n",
			   __func__, wsi->http.comp_ctx.buflist_comp,
			   wsi->http.comp_ctx.may_have_more);

		if (lws_rops_fidx(wsi->role_ops, LWS_ROPS_write_role_protocol) &&
		    lws_rops_func_fidx(wsi->role_ops, LWS_ROPS_write_role_protocol).
					write_role_protocol(wsi, NULL, 0, &wp) < 0) {
			lwsl_info("%s signalling to close\n", __func__);
			goto file_had_it;
		}
		lws_callback_on_writable(wsi);

		break;
	}
#endif

		if (wsi->http.filepos == wsi->http.filelen)
			goto all_sent;

		n = 0;
		p = pstart = pt->serv_buf + LWS_H2_FRAME_HEADER_LENGTH;

#if defined(LWS_WITH_RANGES)
		if (wsi->http.range.count_ranges && !wsi->http.range.inside) {

			lwsl_notice("%s: doing range start %llu\n", __func__,
				    wsi->http.range.start);

			if ((long long)lws_vfs_file_seek_cur(wsi->http.fop_fd,
						   (lws_fileofs_t)wsi->http.range.start -
						   (lws_fileofs_t)wsi->http.filepos) < 0)
				goto file_had_it;

			wsi->http.filepos = wsi->http.range.start;

			if (wsi->http.range.count_ranges > 1) {
				n =  lws_snprintf((char *)p,
						context->pt_serv_buf_size -
						LWS_H2_FRAME_HEADER_LENGTH,
					"_lws\x0d\x0a"
					"Content-Type: %s\x0d\x0a"
					"Content-Range: bytes "
						"%llu-%llu/%llu\x0d\x0a"
					"\x0d\x0a",
					wsi->http.multipart_content_type,
					wsi->http.range.start,
					wsi->http.range.end,
					wsi->http.range.extent);
				p += n;
			}

			wsi->http.range.budget = wsi->http.range.end -
						   wsi->http.range.start + 1;
			wsi->http.range.inside = 1;
		}
#endif

		poss = context->pt_serv_buf_size;

#if defined(LWS_ROLE_H2)
		/*
		 * If it's h2, restrict any lump that we are sending to the
		 * max h2 frame size the peer indicated he could handle in
		 * his SETTINGS
		 */
		nwsi = lws_get_network_wsi(wsi);
		if (nwsi->h2.h2n &&
		    poss > (lws_filepos_t)nwsi->h2.h2n->peer_set.s[H2SET_MAX_FRAME_SIZE])
			poss = (lws_filepos_t)nwsi->h2.h2n->peer_set.s[H2SET_MAX_FRAME_SIZE];
#endif
		poss = poss - (lws_filepos_t)(n + LWS_H2_FRAME_HEADER_LENGTH);

		if (wsi->http.tx_content_length)
			if (poss > wsi->http.tx_content_remain)
				poss = wsi->http.tx_content_remain;

		/*
		 * If there is a hint about how much we will do well to send at
		 * one time, restrict ourselves to only trying to send that.
		 */
		if (wsi->a.protocol->tx_packet_size &&
		    poss > wsi->a.protocol->tx_packet_size)
			poss = wsi->a.protocol->tx_packet_size;

		if (lws_rops_fidx(wsi->role_ops, LWS_ROPS_tx_credit)) {
			lws_filepos_t txc = (unsigned int)lws_rops_func_fidx(wsi->role_ops,
							       LWS_ROPS_tx_credit).
					tx_credit(wsi, LWSTXCR_US_TO_PEER, 0);

			if (!txc) {
				/*
				 * We shouldn't've been able to get the
				 * WRITEABLE if we are skint
				 */
				lwsl_notice("%s: %s: no tx credit\n", __func__,
						lws_wsi_tag(wsi));

				return 0;
			}
			if (txc < poss)
				poss = txc;

			/*
			 * Tracking consumption of the actual payload amount
			 * will be handled when the role data frame is sent...
			 */
		}

#if defined(LWS_WITH_RANGES)
		if (wsi->http.range.count_ranges) {
			if (wsi->http.range.count_ranges > 1)
				poss -= 7; /* allow for final boundary */
			if (poss > wsi->http.range.budget)
				poss = wsi->http.range.budget;
		}
#endif
		if (wsi->sending_chunked) {
			/* we need to drop the chunk size in here */
			p += 10;
			/* allow for the chunk to grow by 128 in translation */
			poss -= 10 + 128;
		}

		amount = 0;
		if (lws_vfs_file_read(wsi->http.fop_fd, &amount, p, poss) < 0)
			goto file_had_it; /* caller will close */

		if (wsi->sending_chunked)
			n = (int)amount;
		else
			n = lws_ptr_diff(p, pstart) + (int)amount;

		lwsl_debug("%s: sending %d\n", __func__, n);

		if (n) {
			lws_set_timeout(wsi, PENDING_TIMEOUT_HTTP_CONTENT,
					(int)context->timeout_secs);

			if (wsi->interpreting) {
				args.p = (char *)p;
				args.len = n;
				args.max_len = (int)(unsigned int)poss + 128;
				args.final = wsi->http.filepos + (unsigned int)n ==
							wsi->http.filelen;
				args.chunked = wsi->sending_chunked;
				if (user_callback_handle_rxflow(
				     wsi->a.vhost->protocols[
				     (int)wsi->protocol_interpret_idx].callback,
				     wsi, LWS_CALLBACK_PROCESS_HTML,
				     wsi->user_space, &args, 0) < 0)
					goto file_had_it;
				n = args.len;
				p = (unsigned char *)args.p;
			} else
				p = pstart;

#if defined(LWS_WITH_RANGES)
			if (wsi->http.range.send_ctr + 1 ==
				wsi->http.range.count_ranges && // last range
			    wsi->http.range.count_ranges > 1 && // was 2+ ranges (ie, multipart)
			    wsi->http.range.budget - amount == 0) {// final part
				n += lws_snprintf((char *)pstart + n, 6,
					"_lws\x0d\x0a"); // append trailing boundary
				lwsl_debug("added trailing boundary\n");
			}
#endif
			m = lws_write(wsi, p, (unsigned int)n, wsi->http.filepos + amount ==
					wsi->http.filelen ?
					 LWS_WRITE_HTTP_FINAL : LWS_WRITE_HTTP);
			if (m < 0)
				goto file_had_it;

			wsi->http.filepos += amount;

#if defined(LWS_WITH_RANGES)
			if (wsi->http.range.count_ranges >= 1) {
				wsi->http.range.budget -= amount;
				if (wsi->http.range.budget == 0) {
					lwsl_notice("range budget exhausted\n");
					wsi->http.range.inside = 0;
					wsi->http.range.send_ctr++;

					if (lws_ranges_next(&wsi->http.range) < 1) {
						finished = 1;
						goto all_sent;
					}
				}
			}
#endif

			if (m != n) {
				/* adjust for what was not sent */
				if (lws_vfs_file_seek_cur(wsi->http.fop_fd,
							   m - n) ==
							     (lws_fileofs_t)-1)
					goto file_had_it;
			}
		}

all_sent:
		if ((!lws_has_buffered_out(wsi)
#if defined(LWS_WITH_HTTP_STREAM_COMPRESSION)
				&& !wsi->http.comp_ctx.buflist_comp &&
		    !wsi->http.comp_ctx.may_have_more
#endif
		    ) && (wsi->http.filepos >= wsi->http.filelen
#if defined(LWS_WITH_RANGES)
		    || finished)
#else
		)
#endif
		) {
			lwsi_set_state(wsi, LRS_ESTABLISHED);
			/* we might be in keepalive, so close it off here */
			lws_vfs_file_close(&wsi->http.fop_fd);

			lwsl_debug("file completed\n");

			if (wsi->a.protocol->callback &&
			    user_callback_handle_rxflow(wsi->a.protocol->callback,
					wsi, LWS_CALLBACK_HTTP_FILE_COMPLETION,
					wsi->user_space, NULL, 0) < 0) {
					/*
					 * For http/1.x, the choices from
					 * transaction_completed are either
					 * 0 to use the connection for pipelined
					 * or nonzero to hang it up.
					 *
					 * However for http/2. while we are
					 * still interested in hanging up the
					 * nwsi if there was a network-level
					 * fatal error, simply completing the
					 * transaction is a matter of the stream
					 * state, not the root connection at the
					 * network level
					 */

					if (wsi->mux_substream)
						return 1;
					else
						return -1;
				}

			if (wsi->http.ah)
				lws_header_table_reset(wsi, 0);


			return 1;  /* >0 indicates completed */
		}
		/*
		 * while(1) here causes us to spam the whole file contents into
		 * a hugely bloated output buffer if it ever can't send the
		 * whole chunk...
		 */
	} while (!lws_send_pipe_choked(wsi));

	lws_callback_on_writable(wsi);

	return 0; /* indicates further processing must be done */

file_had_it:
	lws_vfs_file_close(&wsi->http.fop_fd);

	return -1;
}

#endif

#if defined(LWS_WITH_SERVER)
void
lws_server_get_canonical_hostname(struct lws_context *context,
				  const struct lws_context_creation_info *info)
{
	if (lws_check_opt(info->options,
			LWS_SERVER_OPTION_SKIP_SERVER_CANONICAL_NAME))
		return;
#if !defined(LWS_PLAT_FREERTOS)
	/* find canonical hostname */
	if (gethostname((char *)context->canonical_hostname,
		        sizeof(context->canonical_hostname) - 1))
		lws_strncpy((char *)context->canonical_hostname, "unknown",
			    sizeof(context->canonical_hostname));

	lwsl_cx_info(context, " canonical_hostname = %s\n",
					context->canonical_hostname);
#else
	(void)context;
#endif
}
#endif

int
lws_chunked_html_process(struct lws_process_html_args *args,
			 struct lws_process_html_state *s)
{
	char *sp, buffer[32];
	const char *pc;
	int old_len, n;

	/* do replacements */
	sp = args->p;
	old_len = args->len;
	args->len = 0;
	s->start = sp;
	while (sp < args->p + old_len) {

		if (args->len + 7 >= args->max_len) {
			lwsl_err("Used up interpret padding\n");
			return -1;
		}

		if ((!s->pos && *sp == '$') || s->pos) {
			int hits = 0, hit = 0;

			if (!s->pos)
				s->start = sp;
			s->swallow[s->pos++] = *sp;
			if (s->pos == sizeof(s->swallow) - 1)
				goto skip;
			for (n = 0; n < s->count_vars; n++)
				if (!strncmp(s->swallow, s->vars[n], (unsigned int)s->pos)) {
					hits++;
					hit = n;
				}
			if (!hits) {
skip:
				s->swallow[s->pos] = '\0';
				memcpy(s->start, s->swallow, (unsigned int)s->pos);
				args->len++;
				s->pos = 0;
				sp = s->start + 1;
				continue;
			}
			if (hits == 1 && s->pos == (int)strlen(s->vars[hit])) {
				pc = s->replace(s->data, hit);
				if (!pc)
					pc = "NULL";
				n = (int)strlen(pc);
				s->swallow[s->pos] = '\0';
				if (n != s->pos) {
					memmove(s->start + n, s->start + s->pos,
						(unsigned int)(old_len - (sp - args->p) - 1));
					old_len += (n - s->pos) + 1;
				}
				memcpy(s->start, pc, (unsigned int)n);
				args->len++;
				sp = s->start + 1;

				s->pos = 0;
			}
			sp++;
			continue;
		}

		args->len++;
		sp++;
	}

	if (args->chunked) {
		/* no space left for final chunk trailer */
		if (args->final && args->len + 7 >= args->max_len)
			return -1;

		n = sprintf(buffer, "%X\x0d\x0a", args->len);

		args->p -= n;
		memcpy(args->p, buffer, (unsigned int)n);
		args->len += n;

		if (args->final) {
			sp = args->p + args->len;
			*sp++ = '\x0d';
			*sp++ = '\x0a';
			*sp++ = '0';
			*sp++ = '\x0d';
			*sp++ = '\x0a';
			*sp++ = '\x0d';
			*sp++ = '\x0a';
			args->len += 7;
		} else {
			sp = args->p + args->len;
			*sp++ = '\x0d';
			*sp++ = '\x0a';
			args->len += 2;
		}
	}

	return 0;
}