diff --git a/README.lwsws.md b/README.lwsws.md
index 49732ba1..dea7411f 100644
--- a/README.lwsws.md
+++ b/README.lwsws.md
@@ -206,7 +206,10 @@ Other vhost options
 - "`ecdh-curve`": "" The default ecdh curve is "prime256v1", but you can override it here, per-vhost
- - "`noipv6`": "on" Disable ipv6 for this vhost
+ - "`noipv6`": "on" Disable ipv6 completely for this vhost
+
+ - "`ipv6only`": "on" Only allow ipv6 on this vhost / "off" only allow ipv4 on this vhost
+
 Mounts
 ------
diff --git a/lib/lejp-conf.c b/lib/lejp-conf.c
index 0d382cbd..31b03be9 100644
--- a/lib/lejp-conf.c
+++ b/lib/lejp-conf.c
@@ -75,6 +75,7 @@ static const char * const paths_vhosts[] = {
 "vhosts[].ciphers",
 "vhosts[].ecdh-curve",
 "vhosts[].noipv6",
+ "vhosts[].ipv6only",
 };
 enum lejp_vhost_paths {
@@ -107,6 +108,7 @@ enum lejp_vhost_paths {
 LEJPVP_CIPHERS,
 LEJPVP_ECDH_CURVE,
 LEJPVP_NOIPV6,
+ LEJPVP_IPV6ONLY,
 };
 #define MAX_PLUGIN_DIRS 10
@@ -483,6 +485,14 @@ lejp_vhosts_cb(struct lejp_ctx *ctx, char reason)
 a->info->options &= ~(LWS_SERVER_OPTION_DISABLE_IPV6);
 return 0;
+ case LEJPVP_IPV6ONLY:
+ a->info->options |= LWS_SERVER_OPTION_IPV6_V6ONLY_MODIFY;
+ if (arg_to_bool(ctx->buf))
+ a->info->options |= LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE;
+ else
+ a->info->options &= ~(LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE);
+ return 0;
+
 default:
 return 0;
 }
diff --git a/lib/libwebsockets.h b/lib/libwebsockets.h
index 45fbad9f..bd15aad9 100644
--- a/lib/libwebsockets.h
+++ b/lib/libwebsockets.h
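Review bot: The new `"vhosts[].ipv6only"` string and the `LEJPVP_IPV6ONLY` enumerator in the next hunk appear to be paired by position only, and nothing in either hunk checks that `paths_vhosts[]` and `enum lejp_vhost_paths` stay the same length. If one of them is extended without the other, every later config key would be dispatched to the wrong case, and that includes options such as `ciphers` and `ecdh-curve` that decide the vhost's TLS posture. Both additions are appended after the `noipv6` entries, so the order looks right in this commit. I would add a comment on the array such as `/* order must match enum lejp_vhost_paths exactly */`, and a compile-time size check if the enum has, or is given, a count sentinel. Both definitions start outside the hunks shown.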
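Review bot: The `LEJPVP_IPV6ONLY` case sets `LWS_SERVER_OPTION_IPV6_V6ONLY_MODIFY` for any value and clears `LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE` on "off", but the three places that describe "off" disagree: the README hunk says it means "only allow ipv4", and the libwebsockets.h comment documents only the set case. If the flag ends up as the IPV6_V6ONLY socket option (the code that consumes it is not in this diff), clearing it normally produces a dual-stack listener that accepts IPv4 as well as IPv6, so an operator relying on the README to narrow a vhost's exposure could get a wider listener than documented. Once the behaviour is confirmed, state it next to the case, e.g. `/* "off" clears V6ONLY: IPv4 is accepted in addition to IPv6 */`, and align the README and header wording, including what happens when `noipv6` is also set. Whether a misspelled value silently becomes "off" depends on `arg_to_bool()`, which is outside the hunk, as are the start and end of `lejp_vhosts_cb`.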
@@ -333,6 +333,58 @@ struct lws;
 * NOTE: These public enums are part of the abi. If you want to add one,
 * add it at where specified so existing users are unaffected.
 */
+
+
+/**
+ * enum lws_context_options() - context + vhost options
+ *
+ * LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT: (VH) Don't allow the
+ * connection unless the client has a client cert that we recognize;
+ * provides LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT
+ *
+ * LWS_SERVER_OPTION_SKIP_SERVER_CANONICAL_NAME: (CTX) Don't try to get the
+ * server's hostname
+ *
+ * LWS_SERVER_OPTION_ALLOW_NON_SSL_ON_SSL_PORT: (VH) Allow non-SSL (plaintext)
+ * connections on the same port as SSL is listening... undermines the
+ * security of SSL; provides LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT
+ *
+ * LWS_SERVER_OPTION_LIBEV: (CTX) Use libev event loop
+ *
+ * LWS_SERVER_OPTION_DISABLE_IPV6: (VH) Disable IPV6 support
+ *
+ * LWS_SERVER_OPTION_DISABLE_OS_CA_CERTS: (VH) Don't load OS CA certs, you
+ * will need to load your own CA cert(s)
+ *
+ * LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED: (VH) Accept connections with no
+ * valid Cert (eg, selfsigned)
+ *
+ * LWS_SERVER_OPTION_VALIDATE_UTF8: (VH) Check UT-8 correctness
+ *
+ * LWS_SERVER_OPTION_SSL_ECDH: (VH) initialize ECDH ciphers
+ *
+ * LWS_SERVER_OPTION_LIBUV: (CTX) Use libuv event loop
+ *
+ * LWS_SERVER_OPTION_REDIRECT_HTTP_TO_HTTPS: (VH) Use http redirect to force
+ * http to https (deprecated: use mount redirection)
+ *
+ * LWS_SERVER_OPTION_DO_SSL_GLOBAL_INIT: (CTX) Initialize the SSL library
+ * at all
+ *
+ * LWS_SERVER_OPTION_EXPLICIT_VHOSTS: (CTX) Only create the context when
+ * calling context create api, user code will create its own vhosts
+ *
+ * LWS_SERVER_OPTION_UNIX_SOCK: (VH) Use Unix socket
+ *
+ * LWS_SERVER_OPTION_STS: (VH) Send Strict Transport Security header, making
+ * clients subsequently go to https even if user asked for http
+ *
+ * LWS_SERVER_OPTION_IPV6_V6ONLY_MODIFY: (VH) Enable
+ * LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE to take effect
+ *
+ * LWS_SERVER_OPTION_IPV6_V6ONLY_VALUE: (VH) if set, only ipv6 allowed on the
+ * vhost
+ */
 enum lws_context_options {
 LWS_SERVER_OPTION_REQUIRE_VALID_OPENSSL_CLIENT_CERT = (1 << 1) | (1 << 12),
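Review bot: The entry for `LWS_SERVER_OPTION_PEER_CERT_NOT_REQUIRED` reads "Accept connections with no valid Cert (eg, selfsigned)" and gives no hint of the cost, unlike the `ALLOW_NON_SSL_ON_SSL_PORT` entry, which says outright that it undermines the security of SSL. As worded, setting it means the peer's certificate no longer authenticates the peer; I would say so in the same style, e.g. `... (eg, selfsigned); the peer is then not authenticated by its cert`, after confirming that this matches the implementation, which is not in the hunk. Two wording slips in the same block are worth fixing before this lands: `UT-8` should be `UTF-8`, and the heading `enum lws_context_options() -` carries function-style `()` on an enum. The enum body itself continues outside the hunk.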