Mirrors/libwebsockets
1
0
Fork 0
mirror of https://github.com/warmcat/libwebsockets.git synced 2025-03-30 00:00:16 +01:00
Code Issues Releases Wiki Activity

content_info: make members conditional

Browse source
This commit is contained in:
Andy Green 2020-06-17 11:13:01 +01:00
parent fdf8a5f931
commit 6747ab830e
26 changed files with 424 additions and 272 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

1
CMakeLists-implied-options.txt
View file

@ -348,6 +348,7 @@ endif()
set(LWS_WITH_CLIENT 1)
if (LWS_WITHOUT_CLIENT)
set(LWS_WITH_CLIENT)
set(LWS_WITH_SECURE_STREAMS 0)
endif()
set(LWS_WITH_SERVER 1)
if (LWS_WITHOUT_SERVER)

535
include/libwebsockets/lws-context-vhost.h
View file

@ -251,15 +251,7 @@ typedef int (*lws_peer_limits_notify_t)(struct lws_context *ctx,
* at the same time as the context, they are expected to be created afterwards.
*/
struct lws_context_creation_info {
int port;
/**< VHOST: Port to listen on. Use CONTEXT_PORT_NO_LISTEN to suppress
* listening for a client. Use CONTEXT_PORT_NO_LISTEN_SERVER if you are
* writing a server but you are using \ref sock-adopt instead of the
* built-in listener.
*
* You can also set port to 0, in which case the kernel will pick
* a random port that is not already in use. You can find out what
* port the vhost is listening on using lws_get_vhost_listen_port() */
#if defined(LWS_WITH_NETWORK)
const char *iface;
/**< VHOST: NULL to bind the listen socket to all interfaces, or the
* interface name, eg, "eth2"
@ -273,12 +265,94 @@ struct lws_context_creation_info {
* entry that has a NULL callback pointer. SEE ALSO .pprotocols below,
* which gives an alternative way to provide an array of pointers to
* protocol structs. */
#if defined(LWS_ROLE_WS)
const struct lws_extension *extensions;
/**< VHOST: NULL or array of lws_extension structs listing the
* extensions this context supports. */
#endif
#if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2)
const struct lws_token_limits *token_limits;
/**< CONTEXT: NULL or struct lws_token_limits pointer which is
* initialized with a token length limit for each possible WSI_TOKEN_ */
const char *http_proxy_address;
/**< VHOST: If non-NULL, attempts to proxy via the given address.
* If proxy auth is required, use format
* "username:password\@server:port" */
const struct lws_protocol_vhost_options *headers;
/**< VHOST: pointer to optional linked list of per-vhost
* canned headers that are added to server responses */
const struct lws_protocol_vhost_options *reject_service_keywords;
/**< CONTEXT: Optional list of keywords and rejection codes + text.
*
* The keywords are checked for existing in the user agent string.
*
* Eg, "badrobot" "404 Not Found"
*/
const struct lws_protocol_vhost_options *pvo;
/**< VHOST: pointer to optional linked list of per-vhost
* options made accessible to protocols */
const char *log_filepath;
/**< VHOST: filepath to append logs to... this is opened before
* any dropping of initial privileges */
const struct lws_http_mount *mounts;
/**< VHOST: optional linked list of mounts for this vhost */
const char *server_string;
/**< CONTEXT: string used in HTTP headers to identify server
* software, if NULL, "libwebsockets". */
const char *error_document_404;
/**< VHOST: If non-NULL, when asked to serve a non-existent file,
* lws attempts to server this url path instead. Eg,
* "/404.html" */
int port;
/**< VHOST: Port to listen on. Use CONTEXT_PORT_NO_LISTEN to suppress
* listening for a client. Use CONTEXT_PORT_NO_LISTEN_SERVER if you are
* writing a server but you are using \ref sock-adopt instead of the
* built-in listener.
*
* You can also set port to 0, in which case the kernel will pick
* a random port that is not already in use. You can find out what
* port the vhost is listening on using lws_get_vhost_listen_port() */
unsigned int http_proxy_port;
/**< VHOST: If http_proxy_address was non-NULL, uses this port */
unsigned int max_http_header_data2;
/**< CONTEXT: if max_http_header_data is 0 and this
* is nonzero, this will be used in place of the default. It's
* like this for compatibility with the original short version,
* this is unsigned int length. */
unsigned int max_http_header_pool2;
/**< CONTEXT: if max_http_header_pool is 0 and this
* is nonzero, this will be used in place of the default. It's
* like this for compatibility with the original short version:
* this is unsigned int length. */
int keepalive_timeout;
/**< VHOST: (default = 0 = 5s, 31s for http/2) seconds to allow remote
* client to hold on to an idle HTTP/1.1 connection. Timeout lifetime
* applied to idle h2 network connections */
uint32_t http2_settings[7];
/**< VHOST: if http2_settings[0] is nonzero, the values given in
* http2_settings[1]..[6] are used instead of the lws
* platform default values.
* Just leave all at 0 if you don't care.
*/
unsigned short max_http_header_data;
/**< CONTEXT: The max amount of header payload that can be handled
* in an http request (unrecognized header payload is dropped) */
unsigned short max_http_header_pool;
/**< CONTEXT: The max number of connections with http headers that
* can be processed simultaneously (the corresponding memory is
* allocated and deallocated dynamically as needed). If the pool is
* fully busy new incoming connections must wait for accept until one
* becomes free. 0 = allow as many ah as number of availble fds for
* the process */
#endif
#if defined(LWS_WITH_TLS)
const char *ssl_private_key_password;
/**< VHOST: NULL or the passphrase needed for the private key. (For
* backwards compatibility, this can also be used to pass the client
@ -329,146 +403,62 @@ struct lws_context_creation_info {
* SEE .tls1_3_plus_cipher_list and .client_tls_1_3_plus_cipher_list
* for the equivalent for tls1.3.
*/
const char *http_proxy_address;
/**< VHOST: If non-NULL, attempts to proxy via the given address.
* If proxy auth is required, use format
* "username:password\@server:port" */
unsigned int http_proxy_port;
/**< VHOST: If http_proxy_address was non-NULL, uses this port */
int gid;
/**< CONTEXT: group id to change to after setting listen socket,
* or -1. See also .username below. */
int uid;
/**< CONTEXT: user id to change to after setting listen socket,
* or -1. See also .groupname below. */
uint64_t options;
/**< VHOST + CONTEXT: 0, or LWS_SERVER_OPTION_... bitfields */
void *user;
/**< VHOST + CONTEXT: optional user pointer that will be associated
* with the context when creating the context (and can be retrieved by
* lws_context_user(context), or with the vhost when creating the vhost
* (and can be retrieved by lws_vhost_user(vhost)). You will need to
* use LWS_SERVER_OPTION_EXPLICIT_VHOSTS and create the vhost separately
* if you care about giving the context and vhost different user pointer
* values.
*/
int ka_time;
/**< CONTEXT: 0 for no TCP keepalive, otherwise apply this keepalive
* timeout to all libwebsocket sockets, client or server */
int ka_probes;
/**< CONTEXT: if ka_time was nonzero, after the timeout expires how many
* times to try to get a response from the peer before giving up
* and killing the connection */
int ka_interval;
/**< CONTEXT: if ka_time was nonzero, how long to wait before each ka_probes
* attempt */
#if defined(LWS_WITH_TLS) && !defined(LWS_WITH_MBEDTLS)
SSL_CTX *provided_client_ssl_ctx;
/**< CONTEXT: If non-null, swap out libwebsockets ssl
* implementation for the one provided by provided_ssl_ctx.
* Libwebsockets no longer is responsible for freeing the context
* if this option is selected. */
#else /* maintain structure layout either way */
void *provided_client_ssl_ctx; /**< dummy if ssl disabled */
#endif
unsigned short max_http_header_data;
/**< CONTEXT: The max amount of header payload that can be handled
* in an http request (unrecognized header payload is dropped) */
unsigned short max_http_header_pool;
/**< CONTEXT: The max number of connections with http headers that
* can be processed simultaneously (the corresponding memory is
* allocated and deallocated dynamically as needed). If the pool is
* fully busy new incoming connections must wait for accept until one
* becomes free. 0 = allow as many ah as number of availble fds for
* the process */
unsigned int count_threads;
/**< CONTEXT: how many contexts to create in an array, 0 = 1 */
unsigned int fd_limit_per_thread;
/**< CONTEXT: nonzero means restrict each service thread to this
* many fds, 0 means the default which is divide the process fd
* limit by the number of threads.
*
* Note if this is nonzero, and fd_limit_per_thread multiplied by the
* number of service threads is less than the process ulimit, then lws
* restricts internal lookup table allocation to the smaller size, and
* switches to a less efficient lookup scheme. You should use this to
* trade off speed against memory usage if you know the lws context
* will only use a handful of fds.
*
* Bear in mind lws may use some fds internally, for example for the
* cancel pipe, so you may need to allow for some extras for normal
* operation.
*/
unsigned int timeout_secs;
/**< VHOST: various processes involving network roundtrips in the
* library are protected from hanging forever by timeouts. If
* nonzero, this member lets you set the timeout used in seconds.
* Otherwise a default timeout is used. */
unsigned int connect_timeout_secs;
/**< VHOST: client connections have this long to find a working server
* from the DNS results, or the whole connection times out. If zero,
* a default timeout is used */
const char *ecdh_curve;
/**< VHOST: if NULL, defaults to initializing server with
* "prime256v1" */
const char *vhost_name;
/**< VHOST: name of vhost, must match external DNS name used to
* access the site, like "warmcat.com" as it's used to match
* Host: header and / or SNI name for SSL. */
const char * const *plugin_dirs;
/**< CONTEXT: NULL, or NULL-terminated array of directories to
* scan for lws protocol plugins at context creation time */
const struct lws_protocol_vhost_options *pvo;
/**< VHOST: pointer to optional linked list of per-vhost
* options made accessible to protocols */
int keepalive_timeout;
/**< VHOST: (default = 0 = 5s, 31s for http/2) seconds to allow remote
* client to hold on to an idle HTTP/1.1 connection. Timeout lifetime
* applied to idle h2 network connections */
const char *log_filepath;
/**< VHOST: filepath to append logs to... this is opened before
* any dropping of initial privileges */
const struct lws_http_mount *mounts;
/**< VHOST: optional linked list of mounts for this vhost */
const char *server_string;
/**< CONTEXT: string used in HTTP headers to identify server
* software, if NULL, "libwebsockets". */
unsigned int pt_serv_buf_size;
/**< CONTEXT: 0 = default of 4096. This buffer is used by
* various service related features including file serving, it
* defines the max chunk of file that can be sent at once.
* At the risk of lws having to buffer failed large sends, it
* can be increased to, eg, 128KiB to improve throughput. */
unsigned int max_http_header_data2;
/**< CONTEXT: if max_http_header_data is 0 and this
* is nonzero, this will be used in place of the default. It's
* like this for compatibility with the original short version,
* this is unsigned int length. */
const char *tls1_3_plus_cipher_list;
/**< VHOST: List of valid ciphers to use for incoming server connections
* ON TLS1.3 AND ABOVE (eg, "TLS_CHACHA20_POLY1305_SHA256" on this vhost
* or you can leave it as NULL to get "DEFAULT".
* SEE .client_tls_1_3_plus_cipher_list to do the same on the vhost
* client SSL_CTX.
*/
const void *server_ssl_cert_mem;
/**< VHOST: Alternative for \p ssl_cert_filepath that allows setting
* from memory instead of from a file. At most one of
* \p ssl_cert_filepath or \p server_ssl_cert_mem should be non-NULL. */
const void *server_ssl_private_key_mem;
/**< VHOST: Alternative for \p ssl_private_key_filepath allowing
* init from a private key in memory instead of a file. At most one
* of \p ssl_private_key_filepath or \p server_ssl_private_key_mem
* should be non-NULL. */
const void *server_ssl_ca_mem;
/**< VHOST: Alternative for \p ssl_ca_filepath allowing
* init from a CA cert in memory instead of a file. At most one
* of \p ssl_ca_filepath or \p server_ssl_ca_mem should be non-NULL. */
long ssl_options_set;
/**< VHOST: Any bits set here will be set as server SSL options */
long ssl_options_clear;
/**< VHOST: Any bits set here will be cleared as server SSL options */
const struct lws_protocol_vhost_options *headers;
/**< VHOST: pointer to optional linked list of per-vhost
* canned headers that are added to server responses */
const struct lws_protocol_vhost_options *reject_service_keywords;
/**< CONTEXT: Optional list of keywords and rejection codes + text.
*
* The keywords are checked for existing in the user agent string.
*
* Eg, "badrobot" "404 Not Found"
int simultaneous_ssl_restriction;
/**< CONTEXT: 0 (no limit) or limit of simultaneous SSL sessions
* possible.*/
int ssl_info_event_mask;
/**< VHOST: mask of ssl events to be reported on LWS_CALLBACK_SSL_INFO
* callback for connections on this vhost. The mask values are of
* the form SSL_CB_ALERT, defined in openssl/ssl.h. The default of
* 0 means no info events will be reported.
*/
void *external_baggage_free_on_destroy;
/**< CONTEXT: NULL, or pointer to something externally malloc'd, that
* should be freed when the context is destroyed. This allows you to
* automatically sync the freeing action to the context destruction
* action, so there is no need for an external free() if the context
* succeeded to create.
unsigned int server_ssl_cert_mem_len;
/**< VHOST: Server SSL context init: length of server_ssl_cert_mem in
* bytes */
unsigned int server_ssl_private_key_mem_len;
/**< VHOST: length of \p server_ssl_private_key_mem in memory */
unsigned int server_ssl_ca_mem_len;
/**< VHOST: length of \p server_ssl_ca_mem in memory */
const char *alpn;
/**< CONTEXT: If non-NULL, default list of advertised alpn, comma-
* separated
*
* VHOST: If non-NULL, per-vhost list of advertised alpn, comma-
* separated
*/
#if defined(LWS_WITH_CLIENT)
const char *client_ssl_private_key_password;
/**< VHOST: Client SSL context init: NULL or the passphrase needed
* for the private key */
@ -490,23 +480,142 @@ struct lws_context_creation_info {
const void *client_ssl_key_mem;
/**< VHOST: Client SSL context init: client key memory buffer or
* NULL... use this to load client key from memory instead of file */
unsigned int client_ssl_key_mem_len;
/**< VHOST: Client SSL context init: length of client_ssl_key_mem in
* bytes */
const char *client_ssl_ca_filepath;
/**< VHOST: Client SSL context init: CA certificate filepath or NULL */
const void *client_ssl_ca_mem;
/**< VHOST: Client SSL context init: CA certificate memory buffer or
* NULL... use this to load CA cert from memory instead of file */
unsigned int client_ssl_ca_mem_len;
/**< VHOST: Client SSL context init: length of client_ssl_ca_mem in
* bytes */
const char *client_ssl_cipher_list;
/**< VHOST: Client SSL context init: List of valid ciphers to use (eg,
* "RC4-MD5:RC4-SHA:AES128-SHA:AES256-SHA:HIGH:!DSS:!aNULL"
* or you can leave it as NULL to get "DEFAULT" */
const char *client_tls_1_3_plus_cipher_list;
/**< VHOST: List of valid ciphers to use for outgoing client connections
* ON TLS1.3 AND ABOVE on this vhost (eg,
* "TLS_CHACHA20_POLY1305_SHA256") or you can leave it as NULL to get
* "DEFAULT".
*/
long ssl_client_options_set;
/**< VHOST: Any bits set here will be set as CLIENT SSL options */
long ssl_client_options_clear;
/**< VHOST: Any bits set here will be cleared as CLIENT SSL options */
unsigned int client_ssl_ca_mem_len;
/**< VHOST: Client SSL context init: length of client_ssl_ca_mem in
* bytes */
unsigned int client_ssl_key_mem_len;
/**< VHOST: Client SSL context init: length of client_ssl_key_mem in
* bytes */
#endif
#if !defined(LWS_WITH_MBEDTLS)
SSL_CTX *provided_client_ssl_ctx;
/**< CONTEXT: If non-null, swap out libwebsockets ssl
* implementation for the one provided by provided_ssl_ctx.
* Libwebsockets no longer is responsible for freeing the context
* if this option is selected. */
#endif
#endif
int ka_time;
/**< CONTEXT: 0 for no TCP keepalive, otherwise apply this keepalive
* timeout to all libwebsocket sockets, client or server */
int ka_probes;
/**< CONTEXT: if ka_time was nonzero, after the timeout expires how many
* times to try to get a response from the peer before giving up
* and killing the connection */
int ka_interval;
/**< CONTEXT: if ka_time was nonzero, how long to wait before each ka_probes
* attempt */
unsigned int timeout_secs;
/**< VHOST: various processes involving network roundtrips in the
* library are protected from hanging forever by timeouts. If
* nonzero, this member lets you set the timeout used in seconds.
* Otherwise a default timeout is used. */
unsigned int connect_timeout_secs;
/**< VHOST: client connections have this long to find a working server
* from the DNS results, or the whole connection times out. If zero,
* a default timeout is used */
int bind_iface;
/**< VHOST: nonzero to strictly bind sockets to the interface name in
* .iface (eg, "eth2"), using SO_BIND_TO_DEVICE.
*
* Requires SO_BINDTODEVICE support from your OS and CAP_NET_RAW
* capability.
*
* Notice that common things like access network interface IP from
* your local machine use your lo / loopback interface and will be
* disallowed by this.
*/
unsigned int timeout_secs_ah_idle;
/**< VHOST: seconds to allow a client to hold an ah without using it.
* 0 defaults to 10s. */
#endif /* WITH_NETWORK */
int gid;
/**< CONTEXT: group id to change to after setting listen socket,
* or -1. See also .username below. */
int uid;
/**< CONTEXT: user id to change to after setting listen socket,
* or -1. See also .groupname below. */
uint64_t options;
/**< VHOST + CONTEXT: 0, or LWS_SERVER_OPTION_... bitfields */
void *user;
/**< VHOST + CONTEXT: optional user pointer that will be associated
* with the context when creating the context (and can be retrieved by
* lws_context_user(context), or with the vhost when creating the vhost
* (and can be retrieved by lws_vhost_user(vhost)). You will need to
* use LWS_SERVER_OPTION_EXPLICIT_VHOSTS and create the vhost separately
* if you care about giving the context and vhost different user pointer
* values.
*/
unsigned int count_threads;
/**< CONTEXT: how many contexts to create in an array, 0 = 1 */
unsigned int fd_limit_per_thread;
/**< CONTEXT: nonzero means restrict each service thread to this
* many fds, 0 means the default which is divide the process fd
* limit by the number of threads.
*
* Note if this is nonzero, and fd_limit_per_thread multiplied by the
* number of service threads is less than the process ulimit, then lws
* restricts internal lookup table allocation to the smaller size, and
* switches to a less efficient lookup scheme. You should use this to
* trade off speed against memory usage if you know the lws context
* will only use a handful of fds.
*
* Bear in mind lws may use some fds internally, for example for the
* cancel pipe, so you may need to allow for some extras for normal
* operation.
*/
const char *vhost_name;
/**< VHOST: name of vhost, must match external DNS name used to
* access the site, like "warmcat.com" as it's used to match
* Host: header and / or SNI name for SSL. */
#if defined(LWS_WITH_PLUGINS)
const char * const *plugin_dirs;
/**< CONTEXT: NULL, or NULL-terminated array of directories to
* scan for lws protocol plugins at context creation time */
#endif
void *external_baggage_free_on_destroy;
/**< CONTEXT: NULL, or pointer to something externally malloc'd, that
* should be freed when the context is destroyed. This allows you to
* automatically sync the freeing action to the context destruction
* action, so there is no need for an external free() if the context
* succeeded to create.
*/
unsigned int pt_serv_buf_size;
/**< CONTEXT: 0 = default of 4096. This buffer is used by
* various service related features including file serving, it
* defines the max chunk of file that can be sent at once.
* At the risk of lws having to buffer failed large sends, it
* can be increased to, eg, 128KiB to improve throughput. */
#if defined(LWS_WITH_FILE_OPS)
const struct lws_plat_file_ops *fops;
/**< CONTEXT: NULL, or pointer to an array of fops structs, terminated
* by a sentinel with NULL .open.
@ -514,9 +623,9 @@ struct lws_context_creation_info {
* If NULL, lws provides just the platform file operations struct for
* backwards compatibility.
*/
int simultaneous_ssl_restriction;
/**< CONTEXT: 0 (no limit) or limit of simultaneous SSL sessions
* possible.*/
#endif
#if defined(LWS_WITH_SOCKS5)
const char *socks_proxy_address;
/**< VHOST: If non-NULL, attempts to proxy via the given address.
* If proxy auth is required, use format
@ -525,6 +634,8 @@ struct lws_context_creation_info {
/**< VHOST: If socks_proxy_address was non-NULL, uses this port
* if nonzero, otherwise requires "server:port" in .socks_proxy_address
*/
#endif
#if defined(LWS_HAVE_SYS_CAPABILITY_H) && defined(LWS_HAVE_LIBCAP)
cap_value_t caps[4];
/**< CONTEXT: array holding Linux capabilities you want to
@ -537,58 +648,6 @@ struct lws_context_creation_info {
/**< CONTEXT: count of Linux capabilities in .caps[]. 0 means
* no capabilities will be inherited from root (the default) */
#endif
int bind_iface;
/**< VHOST: nonzero to strictly bind sockets to the interface name in
* .iface (eg, "eth2"), using SO_BIND_TO_DEVICE.
*
* Requires SO_BINDTODEVICE support from your OS and CAP_NET_RAW
* capability.
*
* Notice that common things like access network interface IP from
* your local machine use your lo / loopback interface and will be
* disallowed by this.
*/
int ssl_info_event_mask;
/**< VHOST: mask of ssl events to be reported on LWS_CALLBACK_SSL_INFO
* callback for connections on this vhost. The mask values are of
* the form SSL_CB_ALERT, defined in openssl/ssl.h. The default of
* 0 means no info events will be reported.
*/
unsigned int timeout_secs_ah_idle;
/**< VHOST: seconds to allow a client to hold an ah without using it.
* 0 defaults to 10s. */
unsigned short ip_limit_ah;
/**< CONTEXT: max number of ah a single IP may use simultaneously
* 0 is no limit. This is a soft limit: if the limit is
* reached, connections from that IP will wait in the ah
* waiting list and not be able to acquire an ah until
* a connection belonging to the IP relinquishes one it
* already has.
*/
unsigned short ip_limit_wsi;
/**< CONTEXT: max number of wsi a single IP may use simultaneously.
* 0 is no limit. This is a hard limit, connections from
* the same IP will simply be dropped once it acquires the
* amount of simultaneous wsi / accepted connections
* given here.
*/
uint32_t http2_settings[7];
/**< VHOST: if http2_settings[0] is nonzero, the values given in
* http2_settings[1]..[6] are used instead of the lws
* platform default values.
* Just leave all at 0 if you don't care.
*/
const char *error_document_404;
/**< VHOST: If non-NULL, when asked to serve a non-existent file,
* lws attempts to server this url path instead. Eg,
* "/404.html" */
const char *alpn;
/**< CONTEXT: If non-NULL, default list of advertised alpn, comma-
* separated
*
* VHOST: If non-NULL, per-vhost list of advertised alpn, comma-
* separated
*/
void **foreign_loops;
/**< CONTEXT: This is ignored if the context is not being started with
* an event loop, ie, .options has a flag like
@ -624,30 +683,6 @@ struct lws_context_creation_info {
/**< VHOST: opaque pointer lws ignores but passes to the finalize
* callback. If you don't care, leave it NULL.
*/
unsigned int max_http_header_pool2;
/**< CONTEXT: if max_http_header_pool is 0 and this
* is nonzero, this will be used in place of the default. It's
* like this for compatibility with the original short version:
* this is unsigned int length. */
long ssl_client_options_set;
/**< VHOST: Any bits set here will be set as CLIENT SSL options */
long ssl_client_options_clear;
/**< VHOST: Any bits set here will be cleared as CLIENT SSL options */
const char *tls1_3_plus_cipher_list;
/**< VHOST: List of valid ciphers to use for incoming server connections
* ON TLS1.3 AND ABOVE (eg, "TLS_CHACHA20_POLY1305_SHA256" on this vhost
* or you can leave it as NULL to get "DEFAULT".
* SEE .client_tls_1_3_plus_cipher_list to do the same on the vhost
* client SSL_CTX.
*/
const char *client_tls_1_3_plus_cipher_list;
/**< VHOST: List of valid ciphers to use for outgoing client connections
* ON TLS1.3 AND ABOVE on this vhost (eg,
* "TLS_CHACHA20_POLY1305_SHA256") or you can leave it as NULL to get
* "DEFAULT".
*/
const char *listen_accept_role;
/**< VHOST: NULL for default, or force accepted incoming connections to
* bind to this role. Uses the role names from their ops struct, eg,
@ -668,26 +703,6 @@ struct lws_context_creation_info {
* the type of the user data to be known so its size can be given.
*/
const void *server_ssl_cert_mem;
/**< VHOST: Alternative for \p ssl_cert_filepath that allows setting
* from memory instead of from a file. At most one of
* \p ssl_cert_filepath or \p server_ssl_cert_mem should be non-NULL. */
unsigned int server_ssl_cert_mem_len;
/**< VHOST: Server SSL context init: length of server_ssl_cert_mem in
* bytes */
const void *server_ssl_private_key_mem;
/**< VHOST: Alternative for \p ssl_private_key_filepath allowing
* init from a private key in memory instead of a file. At most one
* of \p ssl_private_key_filepath or \p server_ssl_private_key_mem
* should be non-NULL. */
unsigned int server_ssl_private_key_mem_len;
/**< VHOST: length of \p server_ssl_private_key_mem in memory */
const void *server_ssl_ca_mem;
/**< VHOST: Alternative for \p ssl_ca_filepath allowing
* init from a CA cert in memory instead of a file. At most one
* of \p ssl_ca_filepath or \p server_ssl_ca_mem should be non-NULL. */
unsigned int server_ssl_ca_mem_len;
/**< VHOST: length of \p server_ssl_ca_mem in memory */
const char *username; /**< CONTEXT: string username for post-init
* permissions. Like .uid but takes a string username. */
const char *groupname; /**< CONTEXT: string groupname for post-init
@ -699,11 +714,13 @@ struct lws_context_creation_info {
const lws_system_ops_t *system_ops;
/**< CONTEXT: hook up lws_system_ apis to system-specific
* implementations */
#if defined(LWS_WITH_DETAILED_LATENCY)
det_lat_buf_cb_t detailed_latency_cb;
/**< CONTEXT: NULL, or callback to receive detailed latency information
* collected for each read and write */
const char *detailed_latency_filepath;
/**< CONTEXT: NULL, or filepath to put latency data into */
#endif
const lws_retry_bo_t *retry_and_idle_policy;
/**< VHOST: optional retry and idle policy to apply to this vhost.
* Currently only the idle parts are applied to the connections.
@ -712,12 +729,6 @@ struct lws_context_creation_info {
/**< CONTEXT: NULL, or pointer to an array of notifiers that should
* be registered during context creation, so they can see state change
* events from very early on. The array should end with a NULL. */
uint8_t udp_loss_sim_tx_pc;
/**< CONTEXT: percentage of udp writes we could have performed
* to instead not do, in order to simulate and test udp retry flow */
uint8_t udp_loss_sim_rx_pc;
/**< CONTEXT: percentage of udp reads we actually received
* to make disappear, in order to simulate and test udp retry flow */
#if defined(LWS_WITH_SECURE_STREAMS)
#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY)
const struct lws_ss_policy *pss_policies; /**< CONTEXT: point to first
@ -756,6 +767,30 @@ struct lws_context_creation_info {
* The callback provides the context, and an lws_sockaddr46 with the
* peer address and port.
*/
unsigned short ip_limit_ah;
/**< CONTEXT: max number of ah a single IP may use simultaneously
* 0 is no limit. This is a soft limit: if the limit is
* reached, connections from that IP will wait in the ah
* waiting list and not be able to acquire an ah until
* a connection belonging to the IP relinquishes one it
* already has.
*/
unsigned short ip_limit_wsi;
/**< CONTEXT: max number of wsi a single IP may use simultaneously.
* 0 is no limit. This is a hard limit, connections from
* the same IP will simply be dropped once it acquires the
* amount of simultaneous wsi / accepted connections
* given here.
*/
#endif /* PEER_LIMITS */
#if defined(LWS_WITH_UDP)
uint8_t udp_loss_sim_tx_pc;
/**< CONTEXT: percentage of udp writes we could have performed
* to instead not do, in order to simulate and test udp retry flow */
uint8_t udp_loss_sim_rx_pc;
/**< CONTEXT: percentage of udp reads we actually received
* to make disappear, in order to simulate and test udp retry flow */
#endif
/* Add new things just above here ---^

19
lib/core/context.c
View file

@ -134,7 +134,7 @@ lws_state_notify_protocol_init(struct lws_state_manager *mgr,
}
#endif
#if defined(LWS_WITH_SECURE_STREAMS_SYS_AUTH_API_AMAZON_COM)
#if defined(LWS_WITH_SECURE_STREAMS) && defined(LWS_WITH_SECURE_STREAMS_SYS_AUTH_API_AMAZON_COM)
/*
* Skip this if we are running something without the policy for it
*
@ -301,6 +301,8 @@ lws_create_context(const struct lws_context_creation_info *info)
context->groupname = info->groupname;
context->system_ops = info->system_ops;
context->pt_serv_buf_size = (unsigned int)s1;
#if defined(LWS_WITH_UDP)
context->udp_loss_sim_tx_pc = info->udp_loss_sim_tx_pc;
context->udp_loss_sim_rx_pc = info->udp_loss_sim_rx_pc;
@ -308,6 +310,7 @@ lws_create_context(const struct lws_context_creation_info *info)
lwsl_warn("%s: simulating udp loss tx: %d%%, rx: %d%%\n",
__func__, context->udp_loss_sim_tx_pc,
context->udp_loss_sim_rx_pc);
#endif
#if defined(LWS_WITH_SECURE_STREAMS_STATIC_POLICY_ONLY)
/* directly use the user-provided policy object list */
@ -331,7 +334,7 @@ lws_create_context(const struct lws_context_creation_info *info)
context->detailed_latency_filepath = info->detailed_latency_filepath;
context->latencies_fd = -1;
#endif
#if defined(LWS_WITHOUT_EXTENSIONS)
#if defined(LWS_ROLE_WS) && defined(LWS_WITHOUT_EXTENSIONS)
if (info->extensions)
lwsl_warn("%s: LWS_WITHOUT_EXTENSIONS but extensions ptr set\n", __func__);
#endif
@ -413,8 +416,10 @@ lws_create_context(const struct lws_context_creation_info *info)
#endif
context->pcontext_finalize = info->pcontext;
#if defined(LWS_WITH_TLS) && defined(LWS_WITH_NETWORK)
context->simultaneous_ssl_restriction =
info->simultaneous_ssl_restriction;
#endif
context->options = info->options;
@ -474,10 +479,10 @@ lws_create_context(const struct lws_context_creation_info *info)
}
}
context->token_limits = info->token_limits;
#if defined(LWS_WITH_NETWORK)
context->token_limits = info->token_limits;
/*
* set the context event loops ops struct
*
@ -546,14 +551,16 @@ lws_create_context(const struct lws_context_creation_info *info)
lwsl_info("Default ALPN advertisment: %s\n", context->tls.alpn_default);
#endif
#if defined(LWS_WITH_NETWORK)
if (info->timeout_secs)
context->timeout_secs = info->timeout_secs;
else
#endif
context->timeout_secs = 5;
lwsl_info(" default timeout (secs): %u\n", context->timeout_secs);
#if defined(LWS_ROLE_H1) || defined(LWS_ROLE_H2)
if (info->max_http_header_data)
context->max_http_header_data = info->max_http_header_data;
else
@ -571,7 +578,7 @@ lws_create_context(const struct lws_context_creation_info *info)
info->max_http_header_pool2;
else
context->max_http_header_pool = context->max_fds;
#endif
if (info->fd_limit_per_thread)
context->fd_limit_per_thread = lpf;

6
lib/core/libwebsockets.c
View file

@ -1092,8 +1092,10 @@ lws_cmdline_option(int argc, const char **argv, const char *val)
static const char * const builtins[] = {
"-d",
#if defined(LWS_WITH_UDP)
"--udp-tx-loss",
"--udp-rx-loss",
#endif
"--ignore-sigterm"
};
@ -1122,6 +1124,7 @@ lws_cmdline_option_handle_builtin(int argc, const char **argv,
case 0:
logs = m;
break;
#if defined(LWS_WITH_UDP)
case 1:
info->udp_loss_sim_tx_pc = m;
break;
@ -1129,6 +1132,9 @@ lws_cmdline_option_handle_builtin(int argc, const char **argv,
info->udp_loss_sim_rx_pc = m;
break;
case 3:
#else
case 1:
#endif
#if !defined(LWS_PLAT_FREERTOS)
signal(SIGTERM, lws_sigterm_catch);
#endif

38
lib/roles/http/server/lejp-conf.c
View file

@ -335,10 +335,13 @@ lejp_globals_cb(struct lejp_ctx *ctx, char reason)
a->info->timeout_secs = atoi(ctx->buf);
return 0;
#if defined(LWS_WITH_TLS)
case LWJPGP_DEFAULT_ALPN:
a->info->alpn = a->p;
break;
#endif
#if defined(LWS_WITH_PEER_LIMITS)
case LWJPGP_IP_LIMIT_AH:
a->info->ip_limit_ah = atoi(ctx->buf);
return 0;
@ -346,6 +349,7 @@ lejp_globals_cb(struct lejp_ctx *ctx, char reason)
case LWJPGP_IP_LIMIT_WSI:
a->info->ip_limit_wsi = atoi(ctx->buf);
return 0;
#endif
case LWJPGP_FD_LIMIT_PT:
a->info->rlimit_nofile = atoi(ctx->buf);
@ -415,8 +419,11 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
a->info->protocols = a->protocols;
a->info->pprotocols = a->pprotocols;
#if defined(LWS_ROLE_WS)
a->info->extensions = a->extensions;
#endif
#if defined(LWS_WITH_TLS)
#if defined(LWS_WITH_CLIENT)
a->info->client_ssl_cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"DHE-RSA-AES256-GCM-SHA384:"
@ -431,6 +438,7 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
"!AES256-GCM-SHA384:"
"!AES256-SHA256";
#endif
#if defined(LWS_WITH_SERVER)
a->info->ssl_cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"DHE-RSA-AES256-GCM-SHA384:"
@ -444,6 +452,8 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
"!DHE-RSA-AES256-SHA256:"
"!AES256-GCM-SHA384:"
"!AES256-SHA256";
#endif
#endif
a->info->keepalive_timeout = 5;
}
@ -529,7 +539,7 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
vhost->default_protocol_index = 255;
}
#if defined(LWS_WITH_TLS)
#if defined(LWS_WITH_TLS) && defined(LWS_WITH_CLIENT)
if (a->enable_client_ssl) {
const char *cert_filepath =
a->info->client_ssl_cert_filepath;
@ -632,6 +642,7 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
else
a->info->options &= ~(LWS_SERVER_OPTION_STS);
return 0;
#if defined(LWS_WITH_TLS)
case LEJPVP_HOST_SSL_KEY:
a->info->ssl_private_key_filepath = a->p;
break;
@ -641,6 +652,7 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
case LEJPVP_HOST_SSL_CA:
a->info->ssl_ca_filepath = a->p;
break;
#endif
case LEJPVP_ACCESS_LOG:
a->info->log_filepath = a->p;
break;
@ -685,23 +697,25 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
a->info->keepalive_timeout = atoi(ctx->buf);
return 0;
#if defined(LWS_WITH_TLS)
#if defined(LWS_WITH_CLIENT)
case LEJPVP_CLIENT_CIPHERS:
a->info->client_ssl_cipher_list = a->p;
break;
case LEJPVP_CLIENT_TLS13_CIPHERS:
a->info->client_tls_1_3_plus_cipher_list = a->p;
break;
#endif
case LEJPVP_CIPHERS:
a->info->ssl_cipher_list = a->p;
break;
case LEJPVP_TLS13_CIPHERS:
a->info->tls1_3_plus_cipher_list = a->p;
break;
case LEJPVP_CLIENT_TLS13_CIPHERS:
a->info->client_tls_1_3_plus_cipher_list = a->p;
break;
case LEJPVP_ECDH_CURVE:
a->info->ecdh_curve = a->p;
break;
#endif
case LEJPVP_PMO:
case LEJPVP_CGI_ENV:
mp_cgienv = lwsws_align(a);
@ -771,7 +785,7 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
case LEJPVP_ENABLE_CLIENT_SSL:
a->enable_client_ssl = arg_to_bool(ctx->buf);
return 0;
#if defined(LWS_WITH_TLS)
#if defined(LWS_WITH_TLS) && defined(LWS_WITH_CLIENT)
case LEJPVP_CLIENT_SSL_KEY:
a->info->client_ssl_private_key_filepath = a->p;
break;
@ -819,6 +833,7 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
a->info->error_document_404 = a->p;
break;
#if defined(LWS_WITH_TLS)
case LEJPVP_SSL_OPTION_SET:
a->info->ssl_options_set |= atol(ctx->buf);
return 0;
@ -826,16 +841,19 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
a->info->ssl_options_clear |= atol(ctx->buf);
return 0;
#if defined(LWS_WITH_CLIENT)
case LEJPVP_SSL_CLIENT_OPTION_SET:
a->info->ssl_client_options_set |= atol(ctx->buf);
return 0;
case LEJPVP_SSL_CLIENT_OPTION_CLEAR:
a->info->ssl_client_options_clear |= atol(ctx->buf);
return 0;
#endif
case LEJPVP_ALPN:
a->info->alpn = a->p;
break;
#endif
case LEJPVP_LISTEN_ACCEPT_ROLE:
a->info->listen_accept_role = a->p;
@ -972,7 +990,9 @@ lwsws_get_config_globals(struct lws_context_creation_info *info, const char *d,
{
struct lws_dir_args da;
struct jpargs a;
#if defined(LWS_WITH_PLUGINS)
const char * const *old = info->plugin_dirs;
#endif
char dd[128];
memset(&a, 0, sizeof(a));
@ -983,16 +1003,20 @@ lwsws_get_config_globals(struct lws_context_creation_info *info, const char *d,
a.valid = 0;
lwsws_align(&a);
#if defined(LWS_WITH_PLUGINS)
info->plugin_dirs = (void *)a.p;
#endif
a.plugin_dirs = (void *)a.p; /* writeable version */
a.p += MAX_PLUGIN_DIRS * sizeof(void *);
#if defined(LWS_WITH_PLUGINS)
/* copy any default paths */
while (old && *old) {
a.plugin_dirs[a.count_plugin_dirs++] = *old;
old++;
}
#endif
lws_snprintf(dd, sizeof(dd) - 1, "%s/conf", d);
if (lwsws_get_config(&a, dd, paths_global,
@ -1034,7 +1058,9 @@ lwsws_get_config_vhosts(struct lws_context *context,
a.context = context;
a.protocols = info->protocols;
a.pprotocols = info->pprotocols;
#if defined(LWS_ROLE_WS)
a.extensions = info->extensions;
#endif
lws_snprintf(dd, sizeof(dd) - 1, "%s/conf", d);
if (lwsws_get_config(&a, dd, paths_vhosts,

2
lib/secure-streams/CMakeLists.txt
View file

@ -26,6 +26,7 @@
include_directories(.)
if (LWS_WITH_CLIENT)
list(APPEND SOURCES
secure-streams/secure-streams.c
secure-streams/policy-common.c
@ -121,6 +122,7 @@ include_directories(.)
endmacro()
create_ss_plugin(ssp-h1url "h1url.c" "" "" "" "")
endif()
#
# Keep explicit parent scope exports at end

2
lib/secure-streams/policy-common.c
View file

@ -234,9 +234,11 @@ lws_ss_policy_set(struct lws_context *context, const char *name)
i.options = context->options;
i.vhost_name = pol->trust_store->name;
lwsl_debug("%s: %s\n", __func__, i.vhost_name);
#if defined(LWS_WITH_TLS) && defined(LWS_WITH_CLIENT)
i.client_ssl_ca_mem = pol->trust_store->ssx509[0]->ca_der;
i.client_ssl_ca_mem_len = (unsigned int)
pol->trust_store->ssx509[0]->ca_der_len;
#endif
i.port = CONTEXT_PORT_NO_LISTEN;
lwsl_info("%s: %s trust store initial '%s'\n", __func__,
i.vhost_name, pol->trust_store->ssx509[0]->vhost_name);

36
lib/tls/openssl/openssl-ssl.c
View file

@ -65,6 +65,7 @@ int lws_ssl_get_error(struct lws *wsi, int n)
return m;
}
#if defined(LWS_WITH_SERVER)
static int
lws_context_init_ssl_pem_passwd_cb(char *buf, int size, int rwflag,
void *userdata)
@ -77,7 +78,9 @@ lws_context_init_ssl_pem_passwd_cb(char *buf, int size, int rwflag,
return (int)strlen(buf);
}
#endif
#if defined(LWS_WITH_CLIENT)
static int
lws_context_init_ssl_pem_passwd_client_cb(char *buf, int size, int rwflag,
void *userdata)
@ -94,13 +97,23 @@ lws_context_init_ssl_pem_passwd_client_cb(char *buf, int size, int rwflag,
return (int)strlen(buf);
}
#endif
void
lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, int is_client,
const struct lws_context_creation_info *info)
{
if (!info->ssl_private_key_password &&
!info->client_ssl_private_key_password)
if (
#if defined(LWS_WITH_SERVER)
!info->ssl_private_key_password
#endif
#if defined(LWS_WITH_SERVER) && defined(LWS_WITH_CLIENT)
&&
#endif
#if defined(LWS_WITH_CLIENT)
!info->client_ssl_private_key_password
#endif
)
return;
/*
* password provided, set ssl callback and user data
@ -109,10 +122,20 @@ lws_ssl_bind_passphrase(SSL_CTX *ssl_ctx, int is_client,
*/
SSL_CTX_set_default_passwd_cb_userdata(ssl_ctx, (void *)info);
SSL_CTX_set_default_passwd_cb(ssl_ctx, is_client ?
#if defined(LWS_WITH_CLIENT)
lws_context_init_ssl_pem_passwd_client_cb:
lws_context_init_ssl_pem_passwd_cb);
#else
NULL:
#endif
#if defined(LWS_WITH_SERVER)
lws_context_init_ssl_pem_passwd_cb
#else
NULL
#endif
);
}
#if defined(LWS_WITH_CLIENT)
static void
lws_ssl_destroy_client_ctx(struct lws_vhost *vhost)
{
@ -135,7 +158,7 @@ lws_ssl_destroy_client_ctx(struct lws_vhost *vhost)
lws_dll2_remove(&tcr->cc_list);
lws_free(tcr);
}
#endif
void
lws_ssl_destroy(struct lws_vhost *vhost)
{
@ -145,8 +168,9 @@ lws_ssl_destroy(struct lws_vhost *vhost)
if (vhost->tls.ssl_ctx)
SSL_CTX_free(vhost->tls.ssl_ctx);
#if defined(LWS_WITH_CLIENT)
lws_ssl_destroy_client_ctx(vhost);
#endif
// after 1.1.0 no need
#if (OPENSSL_VERSION_NUMBER < 0x10100000)
@ -441,7 +465,9 @@ lws_ssl_SSL_CTX_destroy(struct lws_vhost *vhost)
if (vhost->tls.ssl_ctx)
SSL_CTX_free(vhost->tls.ssl_ctx);
#if defined(LWS_WITH_CLIENT)
lws_ssl_destroy_client_ctx(vhost);
#endif
#if defined(LWS_WITH_ACME)
lws_tls_acme_sni_cert_destroy(vhost);

2
lib/tls/tls-client.c
View file

@ -118,6 +118,7 @@ int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
if (vhost->tls.ssl_client_ctx)
return 0;
#if !defined(LWS_WITH_MBEDTLS)
if (info->provided_client_ssl_ctx) {
/* use the provided OpenSSL context if given one */
vhost->tls.ssl_client_ctx = info->provided_client_ssl_ctx;
@ -126,6 +127,7 @@ int lws_context_init_client_ssl(const struct lws_context_creation_info *info,
return 0;
}
#endif
if (lws_tls_client_create_vhost_context(vhost, info, cipher_list,
ca_filepath,

2
minimal-examples/http-server/minimal-http-server-custom-headers/minimal-http-server-custom-headers.c
View file

@ -201,8 +201,10 @@ int main(int argc, const char **argv)
info.port = 7682;
info.error_document_404 = "/404.html";
#if defined(LWS_WITH_TLS)
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
#endif
info.vhost_name = "https";
if (!lws_create_vhost(context, &info)) {

2
minimal-examples/http-server/minimal-http-server-deaddrop/minimal-http-server-deaddrop.c
View file

@ -153,8 +153,10 @@ int main(int argc, const char **argv)
info.error_document_404 = "/404.html";
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE;
#if defined(LWS_WITH_TLS)
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
#endif
context = lws_create_context(&info);
if (!context) {

2
minimal-examples/http-server/minimal-http-server-dynamic/minimal-http-server-dynamic.c
View file

@ -284,8 +284,10 @@ int main(int argc, const char **argv)
info.port = 7682;
info.error_document_404 = "/404.html";
#if defined(LWS_WITH_TLS)
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
#endif
info.vhost_name = "localhost";
if (!lws_create_vhost(context, &info)) {

2
minimal-examples/http-server/minimal-http-server-eventlib-demos/minimal-http-server-eventlib-demos.c
View file

@ -157,8 +157,10 @@ int main(int argc, const char **argv)
if (lws_cmdline_option(argc, argv, "-s")) {
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
#if defined(LWS_WITH_TLS)
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
#endif
}
if (lws_cmdline_option(argc, argv, "--uv"))

2
minimal-examples/http-server/minimal-http-server-eventlib-smp/minimal-http-server-eventlib-smp.c
View file

@ -122,11 +122,13 @@ int main(int argc, const char **argv)
} else
info.count_threads = COUNT_THREADS;
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
}
#endif
if (lws_cmdline_option(argc, argv, "--uv"))
info.options |= LWS_SERVER_OPTION_LIBUV;

2
minimal-examples/http-server/minimal-http-server-eventlib/minimal-http-server-eventlib.c
View file

@ -86,11 +86,13 @@ int main(int argc, const char **argv)
info.options =
LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE;
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
}
#endif
if (lws_cmdline_option(argc, argv, "--uv"))
info.options |= LWS_SERVER_OPTION_LIBUV;

2
minimal-examples/http-server/minimal-http-server-form-post-lwsac/minimal-http-server-form-post.c
View file

@ -198,8 +198,10 @@ int main(int argc, const char **argv)
if (lws_cmdline_option(argc, argv, "-s")) {
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
#if defined(LWS_WITH_TLS)
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
#endif
}
context = lws_create_context(&info);

3
minimal-examples/http-server/minimal-http-server-form-post/minimal-http-server-form-post.c
View file

@ -195,12 +195,13 @@ int main(int argc, const char **argv)
info.mounts = &mount;
info.options =
LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE;
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
}
#endif
if ((p = lws_cmdline_option(argc, argv, "--port")))
info.port = atoi(p);

2
minimal-examples/http-server/minimal-http-server-h2-long-poll/minimal-http-server.c
View file

@ -128,8 +128,10 @@ int main(int argc, const char **argv)
memset(&info, 0, sizeof info); /* otherwise uninitialized garbage */
info.port = 7681;
#if defined(LWS_WITH_TLS)
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
#endif
info.protocols = protocols;
info.options =
LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |

2
minimal-examples/http-server/minimal-http-server-smp/minimal-http-server-smp.c
View file

@ -106,11 +106,13 @@ int main(int argc, const char **argv)
} else
info.count_threads = COUNT_THREADS;
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
info.options = LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT | LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
}
#endif
context = lws_create_context(&info);
if (!context) {

3
minimal-examples/http-server/minimal-http-server-sse/minimal-http-server-sse.c
View file

@ -208,12 +208,15 @@ int main(int argc, const char **argv)
info.options =
LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE;
info.port = 7681;
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
info.port = 443;
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
}
#endif
context = lws_create_context(&info);
if (!context) {

2
minimal-examples/raw/minimal-raw-fallback-http-server/minimal-raw-fallback-http-server.c
View file

@ -119,6 +119,7 @@ int main(int argc, const char **argv)
info.listen_accept_role = "raw-skt";
info.listen_accept_protocol = "raw-echo";
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT |
LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT;
@ -131,6 +132,7 @@ int main(int argc, const char **argv)
if (lws_cmdline_option(argc, argv, "-h"))
info.options |= LWS_SERVER_OPTION_ALLOW_HTTP_ON_HTTPS_LISTENER;
}
#endif
context = lws_create_context(&info);
if (!context) {

2
minimal-examples/raw/minimal-raw-vhost/minimal-raw-vhost.c
View file

@ -137,11 +137,13 @@ int main(int argc, const char **argv)
info.protocols = protocols;
info.options = LWS_SERVER_OPTION_ONLY_RAW; /* vhost accepts RAW */
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
}
#endif
context = lws_create_context(&info);
if (!context) {

2
minimal-examples/ws-server/minimal-ws-server-timer/minimal-ws-server.c
View file

@ -114,12 +114,14 @@ int main(int argc, const char **argv)
info.options =
LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE;
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
lwsl_user("Server using TLS\n");
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
}
#endif
if (lws_cmdline_option(argc, argv, "-h"))
info.options |= LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK;

2
minimal-examples/ws-server/minimal-ws-server/minimal-ws-server.c
View file

@ -88,12 +88,14 @@ int main(int argc, const char **argv)
info.options =
LWS_SERVER_OPTION_HTTP_HEADERS_SECURITY_BEST_PRACTICES_ENFORCE;
#if defined(LWS_WITH_TLS)
if (lws_cmdline_option(argc, argv, "-s")) {
lwsl_user("Server using TLS\n");
info.options |= LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT;
info.ssl_cert_filepath = "localhost-100y.cert";
info.ssl_private_key_filepath = "localhost-100y.key";
}
#endif
if (lws_cmdline_option(argc, argv, "-h"))
info.options |= LWS_SERVER_OPTION_VHOST_UPG_STRICT_HOST_CHECK;

9
test-apps/test-client.c
View file

@ -510,6 +510,7 @@ static const struct lws_protocols protocols[] = {
{ NULL, NULL, 0, 0 } /* end */
};
#if defined(LWS_ROLE_WS)
static const struct lws_extension exts[] = {
{
"permessage-deflate",
@ -523,7 +524,7 @@ static const struct lws_extension exts[] = {
},
{ NULL, NULL, NULL /* terminator */ }
};
#endif
void sighandler(int sig)
@ -703,7 +704,9 @@ int main(int argc, char **argv)
info.protocols = protocols;
info.gid = -1;
info.uid = -1;
#if defined(LWS_ROLE_WS)
info.extensions = exts;
#endif
/*
* since we know this lws context is only ever going to be used with
@ -718,7 +721,7 @@ int main(int argc, char **argv)
#endif
info.options |= LWS_SERVER_OPTION_H2_JUST_FIX_WINDOW_UPDATE_OVERFLOW;
#if defined(LWS_WITH_TLS)
if (use_ssl) {
/*
* If the server wants us to present a valid SSL client certificate
@ -759,7 +762,7 @@ int main(int argc, char **argv)
lwsl_notice(" Skipping peer cert hostname check\n");
else
lwsl_notice(" Requiring peer cert hostname matches\n");
#endif
context = lws_create_context(&info);
if (context == NULL) {
fprintf(stderr, "Creating libwebsocket context failed\n");

14
test-apps/test-server.c
View file

@ -206,6 +206,7 @@ void sighandler(int sig)
lws_cancel_service(context);
}
#if defined(LWS_ROLE_WS)
static const struct lws_extension exts[] = {
{
"permessage-deflate",
@ -214,6 +215,7 @@ static const struct lws_extension exts[] = {
},
{ NULL, NULL, NULL /* terminator */ }
};
#endif
/*
* mount handlers for sections of the URL space
@ -503,6 +505,8 @@ int main(int argc, char **argv)
info.iface = iface;
info.protocols = protocols;
#if defined(LWS_WITH_TLS)
info.ssl_cert_filepath = NULL;
info.ssl_private_key_filepath = NULL;
@ -521,17 +525,22 @@ int main(int argc, char **argv)
if (!key_path[0])
sprintf(key_path, "%s/libwebsockets-test-server.key.pem",
resource_path);
#if defined(LWS_WITH_TLS)
info.ssl_cert_filepath = cert_path;
info.ssl_private_key_filepath = key_path;
if (ca_path[0])
info.ssl_ca_filepath = ca_path;
#endif
}
#endif
info.gid = gid;
info.uid = uid;
info.options = opts | LWS_SERVER_OPTION_VALIDATE_UTF8 | LWS_SERVER_OPTION_EXPLICIT_VHOSTS;
#if defined(LWS_ROLE_WS)
info.extensions = exts;
#endif
info.timeout_secs = 5;
#if defined(LWS_WITH_TLS)
info.ssl_cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:"
"ECDHE-RSA-AES256-GCM-SHA384:"
"DHE-RSA-AES256-GCM-SHA384:"
@ -545,9 +554,12 @@ int main(int argc, char **argv)
"!DHE-RSA-AES256-SHA256:"
"!AES256-GCM-SHA384:"
"!AES256-SHA256";
#endif
info.mounts = &mount;
#if defined(LWS_WITH_PEER_LIMITS)
info.ip_limit_ah = 128; /* for testing */
info.ip_limit_wsi = 800; /* for testing */
#endif
if (use_ssl)
/* redirect guys coming on http */