libwebsockets/READMEs
Carl Walsh 779915a2e9 Create SECURITY.md
SECURITY.md shows up as a top menu bar item in GitHub's browser UI.

Moved and updated contents of https://libwebsockets.org/lws-api-doc-main/html/md_READMEs_README_vulnerability_reporting.html
2024-03-05 06:47:53 +00:00
README.unix-domain-reverse-proxy.md

Unix Domain Sockets Reverse Proxy

Introduction

lws is able to use a mount to place reverse proxies into the URL space.

These are particularly useful with Unix Domain Sockets (essentially files in the server filesystem) for communicating between lws and a separate server process, integrating the result into a coherent URL namespace on the lws side. It's also possible to proxy using TCP sockets.

Overview

This has the advantage that the public-facing web server, which forwards data to and from the unix socket owner, runs in a different process from the server listening on the unix socket. If that server has problems, they do not affect the public-facing web server. The unix domain socket server may also be written in a completely different language from the web server.

Compared to CGI, there are no forks to make a connection to the unix domain socket server.

Mount origin format

Unix Domain Sockets are effectively "files" in the server filesystem, and are defined by their filepath. The "server" side that is to be proxied opens the socket and listens on it, which creates a file in the server filesystem. The socket understands either http or https protocol.

Lws can be told to act as a proxy for that at a mountpoint in the lws vhost url space.

If your mount is expressed in C code, then the mount type is LWSMPRO_HTTP or LWSMPRO_HTTPS depending on the protocol the unix socket understands, and the origin address has the form +/path/to/unix/socket:/path/inside/mount.

The + at the start indicates it is a local unix socket we are proxying, and the ':' acts as a delimiter for the socket path, since unlike other addresses the unix socket path can contain '/' itself.
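The origin syntax above, as an added example that is not lws code: a small C helper that splits a '+' origin into its socket path and its path inside the mount. It splits at the first ':' after the '+' (the README does not say where lws itself splits, so that choice is this helper's assumption), treats an empty remainder as "/" (again this helper's choice), and rejects tcp-style origins or a missing delimiter. The sample origins in main() are constructed.

```c
#include <stdio.h>
#include <string.h>

/*
 * Split an lws-style unix socket proxy origin,
 *
 *     +/path/to/unix/socket:/path/inside/mount
 *
 * into the socket path and the path inside the mount.  The leading '+'
 * marks a local unix socket; the first ':' delimits the socket path,
 * which (unlike a host:port origin) may itself contain '/'.
 *
 * Returns 0 on success and -1 if the origin is not a '+' origin, has no
 * ':' delimiter, has an empty socket path, or a part does not fit.
 * An empty remainder after the ':' is taken as "/" (this helper's choice,
 * not something the README specifies).
 */
int parse_unix_origin(const char *origin, char *sock, size_t socklen,
                      char *path, size_t pathlen)
{
    const char *colon;
    size_t n;

    if (!origin || origin[0] != '+')
        return -1;                      /* tcp origin or garbage: not ours */

    colon = strchr(origin + 1, ':');
    if (!colon || colon == origin + 1)
        return -1;                      /* no delimiter, or empty socket path */

    n = (size_t)(colon - (origin + 1));
    if (n >= socklen)
        return -1;
    memcpy(sock, origin + 1, n);
    sock[n] = '\0';

    n = strlen(colon + 1);
    if (n == 0) {
        if (pathlen < 2)
            return -1;
        strcpy(path, "/");
        return 0;
    }
    if (n >= pathlen)
        return -1;
    memcpy(path, colon + 1, n + 1);     /* includes the terminating NUL */

    return 0;
}

int main(void)
{
    /* constructed sample origins, not taken from any real deployment */
    const char *samples[] = {
        "+/var/run/lws/app.sock:/api/v1",
        "+/var/run/app.sock",            /* delimiter missing */
        "127.0.0.1:8080",                /* plain tcp origin, not unix */
    };
    char sock[128], path[128];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_unix_origin(samples[i], sock, sizeof sock,
                              path, sizeof path))
            printf("%-32s -> rejected\n", samples[i]);
        else
            printf("%-32s -> socket '%s', path '%s'\n",
                   samples[i], sock, path);
    }
    return 0;
}
```

The buffer-length checks matter because the socket path ends up in a fixed-size sockaddr_un later; rejecting an oversized origin at mount-parsing time is cheaper than discovering it at connect time.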

Connectivity rules and translations

Onward proxy connections from lws to the Unix Domain Socket use http/1.1. That implies chunked transfer-encoding when the length of the output is not known beforehand.

Lws takes care of stripping any chunking (which is illegal in h2) and translating between h1 and h2 header formats if the return connection is actually in http/2.

The h1 onward proxy connection translates the following headers from the return connection, which may be h1 or h2:

Header             Function
-----------------  ---------------------------------------------------------------------------
host               Which vhost
etag               Information on any etag the client has cached for this URI
if-modified-since  Information on the freshness of any etag the client has cached for this URI
accept-language    Which languages the return path client prefers
accept-encoding    Which compression encodings the client can accept
cache-control      Information from the return path client about cache acceptability
x-forwarded-for    The IP address of the return path client

This implies that the proxied connection can

  • return 301 etc to say the return path client's etag is still valid

  • choose to compress using an acceptable content-encoding

The following headers are translated from the headers replied via the onward connection (always h1) back to the return path (which may be h1 or h2).

Header            Function
----------------  ---------------------------------------------------------------------------
content-length    If present, an assertion of how much payload is expected
content-type      The mimetype of the payload
etag              The canonical etag for the content at this URI
accept-language   This is returned to the return path client because there is no easy way for the return path client to know what it sent originally. It allows clientside selection of i18n.
content-encoding  Any compression format on the payload (selected from what the client sent in accept-encoding, if anything)
cache-control     The onward server's response about cacheability of its payload

h1 -> h2 conversion

Chunked encoding that may have been used on the outgoing proxy client connection is removed for h2 return connections (chunked encoding is illegal for h2).

Headers are converted to all lower-case and hpack format for h2 return connections.

Header and payload proxying is staged according to when the return connection (which may be an h2 child stream) is writable.
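As an added illustration, not lws source, of the two translation steps described under "Connectivity rules and translations" and "h1 -> h2 conversion": a streaming de-chunker that removes http/1.1 chunked transfer-encoding from an onward h1 body so the payload can be forwarded on an h2 stream, plus a helper that lower-cases an h1 header name as hpack requires. The decoder accepts input in any fragmentation (as it arrives from the onward socket), skips chunk extensions and trailers, and refuses malformed or truncated streams and output that will not fit; the chunked bodies in the usage are constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <ctype.h>

/* Streaming decoder for http/1.1 chunked transfer-encoding: the stripping a
 * proxy must do before forwarding an h1 body on an h2 stream, where chunking
 * is illegal.  Input may arrive in any fragmentation; decoded payload bytes
 * are appended to `out`.  Chunk extensions and trailer headers are skipped. */
enum dc_state { DC_SIZE, DC_EXT, DC_SIZE_LF, DC_DATA, DC_DATA_CR, DC_DATA_LF,
                DC_TRAILER, DC_TRAILER_LINE, DC_END_LF, DC_DONE };

struct dechunk {
    enum dc_state state;
    size_t remaining;   /* payload bytes left in the current chunk */
    int saw_digit;      /* current size line has at least one hex digit */
};

void dechunk_init(struct dechunk *d) { memset(d, 0, sizeof *d); d->state = DC_SIZE; }

/* Returns 0 while more input is needed, 1 once the zero-length chunk and the
 * final blank line have been consumed, -1 on malformed input, a chunk size
 * that would overflow size_t, or an output buffer that is too small. */
int dechunk_feed(struct dechunk *d, const unsigned char *in, size_t len,
                 unsigned char *out, size_t outlen, size_t *outused)
{
    for (size_t i = 0; i < len; i++) {
        unsigned char c = in[i];

        switch (d->state) {
        case DC_SIZE:                           /* hex size, then ';' or CR */
            if (isxdigit(c)) {
                size_t v = isdigit(c) ? (size_t)(c - '0')
                                      : (size_t)(tolower(c) - 'a' + 10);
                if (d->remaining > (SIZE_MAX >> 4))
                    return -1;
                d->remaining = (d->remaining << 4) | v;
                d->saw_digit = 1;
            } else if (c == ';' && d->saw_digit) {
                d->state = DC_EXT;
            } else if (c == '\r' && d->saw_digit) {
                d->state = DC_SIZE_LF;
            } else {
                return -1;
            }
            break;
        case DC_EXT:          if (c == '\r') d->state = DC_SIZE_LF; break;   /* ";name=value" ignored */
        case DC_SIZE_LF:      if (c != '\n') return -1;
                              d->state = d->remaining ? DC_DATA : DC_TRAILER; break;
        case DC_DATA:                           /* copy exactly `remaining` bytes */
            if (*outused >= outlen)
                return -1;
            out[(*outused)++] = c;
            if (--d->remaining == 0)
                d->state = DC_DATA_CR;
            break;
        case DC_DATA_CR:      if (c != '\r') return -1; d->state = DC_DATA_LF; break;
        case DC_DATA_LF:      if (c != '\n') return -1; d->state = DC_SIZE; d->saw_digit = 0; break;
        case DC_TRAILER:      d->state = (c == '\r') ? DC_END_LF : DC_TRAILER_LINE; break;
        case DC_TRAILER_LINE: if (c == '\n') d->state = DC_TRAILER; break;   /* trailer skipped */
        case DC_END_LF:       if (c != '\n') return -1; d->state = DC_DONE;
                              return 1;         /* a real proxy would also report bytes consumed */
        case DC_DONE:         return -1;        /* nothing belongs after the end */
        }
    }
    return 0;
}

/* Convenience wrapper: decode a whole chunked body by feeding it one byte at a
 * time, which exercises the fragmentation handling.  Returns the decoded
 * length, or -1 if the stream was malformed or incomplete. */
long dechunk_all(const char *chunked, unsigned char *out, size_t outlen)
{
    struct dechunk d;
    size_t used = 0, n = strlen(chunked);
    int rc = 0;

    dechunk_init(&d);
    for (size_t i = 0; i < n && rc == 0; i++)
        rc = dechunk_feed(&d, (const unsigned char *)chunked + i, 1,
                          out, outlen, &used);
    return rc == 1 ? (long)used : -1;
}

/* h2 (hpack) carries header names in lower case: lower-case the name part of
 * an h1 "Name: value" line in place, leaving the value alone. */
void h2_lower_header_name(char *line)
{
    for (char *p = line; *p && *p != ':'; p++)
        *p = (char)tolower((unsigned char)*p);
}
```

Usage: `dechunk_all("4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n", buf, sizeof buf)` yields 9 bytes of "Wikipedia"; a truncated stream such as `"4\r\nWiki\r\n"` yields -1 rather than a partial body, which is the right outcome at a framing boundary, since an h2 stream that has been told a content-length or ended cleanly cannot be un-told later.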

Behaviour if unix domain socket server unavailable

If the server that listens on the unix domain socket is down or being restarted, lws detects that it couldn't connect to it and returns a clean 503 (HTTP_STATUS_SERVICE_UNAVAILABLE) response along with a brief human-readable explanation.

The generated status page will try to bring in a stylesheet, /error.css. This allows you to produce styled error pages with logos, graphics etc. See this for an example of what you can do with it.
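To make the unavailable-server behaviour concrete, here is an added C example (not lws code) showing both sides of the socket: the proxied server listening on a unix socket, which is what creates the socket file described under "Mount origin format", and the proxy's onward connect, which is mapped to a 503 page referencing /error.css when it fails. The path under /tmp is constructed for the demo; the response body and the 200/503 probe convention are this example's own, not lws's.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Fill in a sockaddr_un for `path`; returns -1 if the path will not fit. */
static int unix_addr(struct sockaddr_un *sa, const char *path)
{
    if (strlen(path) >= sizeof sa->sun_path) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(sa, 0, sizeof *sa);
    sa->sun_family = AF_UNIX;
    strcpy(sa->sun_path, path);
    return 0;
}

/* The proxied server's side: listening on `path` creates the socket file.
 * Returns the listening fd or -1. */
int unix_socket_listen(const char *path)
{
    struct sockaddr_un sa;
    int fd;

    if (unix_addr(&sa, path) < 0)
        return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    unlink(path);   /* a stale file left by a crashed server would make bind() fail */
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0 || listen(fd, 8) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    return fd;
}

/* The proxy's side: open the onward connection.  Returns the fd, or -1 with
 * errno set (ENOENT: socket file gone; ECONNREFUSED: file present but nobody
 * is listening on it). */
int unix_socket_connect(const char *path)
{
    struct sockaddr_un sa;
    int fd;

    if (unix_addr(&sa, path) < 0)
        return -1;
    fd = socket(AF_UNIX, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (connect(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        int e = errno;
        close(fd);
        errno = e;
        return -1;
    }
    return fd;
}

/* What the proxy returns when the onward connection fails: a clean 503 with a
 * short explanation, pulling in /error.css so the deployment can style it. */
const char *unavailable_response(void)
{
    return "HTTP/1.1 503 Service Unavailable\r\n"
           "content-type: text/html\r\n"
           "cache-control: no-cache\r\n"
           "connection: close\r\n\r\n"
           "<!doctype html><html><head>"
           "<link rel=\"stylesheet\" href=\"/error.css\"></head>"
           "<body><h1>503 Service Unavailable</h1>"
           "<p>The server behind this URL is not running.</p></body></html>";
}

/* Probe the onward socket the way the proxy would: 200 means the connection
 * was established (and is closed again here), 503 means send the error page. */
int proxy_status_for_socket(const char *path)
{
    int fd = unix_socket_connect(path);

    if (fd < 0)
        return 503;
    close(fd);
    return 200;
}

int main(void)
{
    const char *path = "/tmp/lws-proxy-example.sock";   /* constructed demo path */
    int lfd = unix_socket_listen(path);
    int st = proxy_status_for_socket(path);

    printf("server %s -> %d\n", lfd >= 0 ? "up" : "absent", st);
    if (lfd >= 0) {
        close(lfd);
        unlink(path);       /* the server has gone: the file goes with it */
    }
    st = proxy_status_for_socket(path);
    printf("server stopped -> %d (%s)\n", st, strerror(errno));
    return 0;
}
```

Two details worth noticing: connect() succeeds as soon as the listener has the connection in its backlog, so a server that is up but wedged still looks reachable to this probe (a timeout on the onward request is what catches that case), and the "cache-control: no-cache" on the 503 keeps an intermediary from serving the outage page after the backend is back.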