void uwsgi_corerouter_loop(int id, void *data) {
int i;
struct uwsgi_corerouter *ucr = (struct uwsgi_corerouter *) data;
ucr->cr_stats_server = -1;
ucr->cr_table = uwsgi_malloc(sizeof(struct corerouter_session *) * uwsgi.max_fd);
for (i = 0; i < (int) uwsgi.max_fd; i++) {
ucr->cr_table[i] = NULL;
}
ucr->i_am_cheap = ucr->cheap;
void *events = uwsgi_corerouter_setup_event_queue(ucr, id);
if (ucr->has_subscription_sockets)
event_queue_add_fd_read(ucr->queue, ushared->gateways[id].internal_subscription_pipe[1]);
if (!ucr->socket_timeout)
ucr->socket_timeout = 60;
if (!ucr->static_node_gracetime)
ucr->static_node_gracetime = 30;
int i_am_the_first = 1;
for(i=0;i<id;i++) {
if (!strcmp(ushared->gateways[i].name, ucr->name)) {
i_am_the_first = 0;
break;
}
}
if (ucr->stats_server && i_am_the_first) {
char *tcp_port = strchr(ucr->stats_server, ':');
if (tcp_port) {
// disable deferred accept for this socket
int current_defer_accept = uwsgi.no_defer_accept;
uwsgi.no_defer_accept = 1;
ucr->cr_stats_server = bind_to_tcp(ucr->stats_server, uwsgi.listen_queue, tcp_port);
uwsgi.no_defer_accept = current_defer_accept;
}
else {
ucr->cr_stats_server = bind_to_unix(ucr->stats_server, uwsgi.listen_queue, uwsgi.chmod_socket, uwsgi.abstract_socket);
}
event_queue_add_fd_read(ucr->queue, ucr->cr_stats_server);
uwsgi_log("*** %s stats server enabled on %s fd: %d ***\n", ucr->short_name, ucr->stats_server, ucr->cr_stats_server);
}
if (ucr->use_socket) {
ucr->to_socket = uwsgi_get_socket_by_num(ucr->socket_num);
if (ucr->to_socket) {
// fix socket name_len
if (ucr->to_socket->name_len == 0 && ucr->to_socket->name) {
ucr->to_socket->name_len = strlen(ucr->to_socket->name);
}
}
}
if (!ucr->pb_base_dir) {
ucr->pb_base_dir = getenv("TMPDIR");
if (!ucr->pb_base_dir)
ucr->pb_base_dir = "/tmp";
}
int nevents;
time_t delta;
struct uwsgi_rb_timer *min_timeout;
int new_connection;
if (ucr->pattern) {
init_magic_table(ucr->magic_table);
}
union uwsgi_sockaddr cr_addr;
socklen_t cr_addr_len = sizeof(struct sockaddr_un);
ucr->mapper = uwsgi_cr_map_use_void;
if (ucr->use_cache) {
ucr->cache = uwsgi_cache_by_name(ucr->use_cache);
if (!ucr->cache) {
uwsgi_log("!!! unable to find cache \"%s\" !!!\n", ucr->use_cache);
exit(1);
}
ucr->mapper = uwsgi_cr_map_use_cache;
}
else if (ucr->pattern) {
ucr->mapper = uwsgi_cr_map_use_pattern;
}
else if (ucr->has_subscription_sockets) {
ucr->mapper = uwsgi_cr_map_use_subscription;
if (uwsgi.subscription_dotsplit) {
ucr->mapper = uwsgi_cr_map_use_subscription_dotsplit;
}
}
else if (ucr->base) {
ucr->mapper = uwsgi_cr_map_use_base;
}
else if (ucr->code_string_code && ucr->code_string_function) {
ucr->mapper = uwsgi_cr_map_use_cs;
}
else if (ucr->to_socket) {
ucr->mapper = uwsgi_cr_map_use_to;
}
else if (ucr->static_nodes) {
ucr->mapper = uwsgi_cr_map_use_static_nodes;
}
ucr->timeouts = uwsgi_init_rb_timer();
for (;;) {
time_t now = uwsgi_now();
// set timeouts and harakiri
min_timeout = uwsgi_min_rb_timer(ucr->timeouts, NULL);
if (min_timeout == NULL) {
delta = -1;
}
else {
delta = min_timeout->value - now;
if (delta <= 0) {
corerouter_expire_timeouts(ucr, now);
delta = 0;
}
}
if (uwsgi.master_process && ucr->harakiri > 0) {
ushared->gateways_harakiri[id] = 0;
}
// wait for events
nevents = event_queue_wait_multi(ucr->queue, delta, events, ucr->nevents);
now = uwsgi_now();
if (uwsgi.master_process && ucr->harakiri > 0) {
ushared->gateways_harakiri[id] = now + ucr->harakiri;
}
if (nevents == 0) {
corerouter_expire_timeouts(ucr, now);
}
for (i = 0; i < nevents; i++) {
// get the interesting fd
ucr->interesting_fd = event_queue_interesting_fd(events, i);
// something bad happened
if (ucr->interesting_fd < 0) continue;
// check if the ucr->interesting_fd matches a gateway socket
struct uwsgi_gateway_socket *ugs = uwsgi.gateway_sockets;
int taken = 0;
while (ugs) {
if (ugs->gateway == &ushared->gateways[id] && ucr->interesting_fd == ugs->fd) {
if (!ugs->subscription) {
#if defined(__linux__) && defined(SOCK_NONBLOCK) && !defined(OBSOLETE_LINUX_KERNEL)
new_connection = accept4(ucr->interesting_fd, (struct sockaddr *) &cr_addr, &cr_addr_len, SOCK_NONBLOCK);
if (new_connection < 0) {
taken = 1;
break;
}
#else
new_connection = accept(ucr->interesting_fd, (struct sockaddr *) &cr_addr, &cr_addr_len);
if (new_connection < 0) {
taken = 1;
break;
}
// set socket in non-blocking mode, on non-linux platforms, clients get the server mode
#ifdef __linux__
uwsgi_socket_nb(new_connection);
#endif
#endif
struct corerouter_session *cr = corerouter_alloc_session(ucr, ugs, new_connection, (struct sockaddr *) &cr_addr, cr_addr_len);
//something wrong in the allocation
if (!cr) break;
}
else if (ugs->subscription) {
uwsgi_corerouter_manage_subscription(ucr, id, ugs);
}
taken = 1;
break;
}
ugs = ugs->next;
}
if (taken) {
continue;
}
// manage internal subscription
if (ucr->interesting_fd == ushared->gateways[id].internal_subscription_pipe[1]) {
uwsgi_corerouter_manage_internal_subscription(ucr, ucr->interesting_fd);
}
// manage a stats request
else if (ucr->interesting_fd == ucr->cr_stats_server) {
corerouter_send_stats(ucr);
}
else {
struct corerouter_peer *peer = ucr->cr_table[ucr->interesting_fd];
// something is going wrong...
if (peer == NULL)
continue;
// on error, destroy the session
if (event_queue_interesting_fd_has_error(events, i)) {
peer->failed = 1;
corerouter_close_peer(ucr, peer);
continue;
}
// set timeout (in main_peer too)
peer->timeout = corerouter_reset_timeout_fast(ucr, peer, now);
peer->session->main_peer->timeout = corerouter_reset_timeout_fast(ucr, peer->session->main_peer, now);
ssize_t (*hook)(struct corerouter_peer *) = NULL;
// call event hook
if (event_queue_interesting_fd_is_read(events, i)) {
hook = peer->hook_read;
}
else if (event_queue_interesting_fd_is_write(events, i)) {
hook = peer->hook_write;
}
if (!hook) continue;
// reset errno (as we use it for internal signalling)
errno = 0;
ssize_t ret = hook(peer);
// connection closed
if (ret == 0) {
corerouter_close_peer(ucr, peer);
continue;
}
else if (ret < 0) {
if (errno == EINPROGRESS) continue;
// remove keepalive on error
peer->session->can_keepalive = 0;
corerouter_close_peer(ucr, peer);
continue;
}
}
}
}
}
SSL_CTX *uwsgi_ssl_new_server_context(char *name, char *crt, char *key, char *ciphers, char *client_ca) {
SSL_CTX *ctx = SSL_CTX_new(SSLv23_server_method());
if (!ctx) {
uwsgi_log("[uwsgi-ssl] unable to initialize context \"%s\"\n", name);
return NULL;
}
// this part is taken from nginx and stud, removing unneeded functionality
// stud (for me) has made the best choice on choosing DH approach
long ssloptions = SSL_OP_NO_SSLv2 | SSL_OP_ALL | SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION;
// disable compression (if possibile)
#ifdef SSL_OP_NO_COMPRESSION
ssloptions |= SSL_OP_NO_COMPRESSION;
#endif
// release/reuse buffers as soon as possibile
#ifdef SSL_MODE_RELEASE_BUFFERS
SSL_CTX_set_mode(ctx, SSL_MODE_RELEASE_BUFFERS);
#endif
if (SSL_CTX_use_certificate_chain_file(ctx, crt) <= 0) {
uwsgi_log("[uwsgi-ssl] unable to assign certificate %s for context \"%s\"\n", crt, name);
SSL_CTX_free(ctx);
return NULL;
}
// this part is based from stud
BIO *bio = BIO_new_file(crt, "r");
if (bio) {
DH *dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
BIO_free(bio);
if (dh) {
SSL_CTX_set_tmp_dh(ctx, dh);
DH_free(dh);
#if OPENSSL_VERSION_NUMBER >= 0x0090800fL
#ifndef OPENSSL_NO_ECDH
#ifdef NID_X9_62_prime256v1
EC_KEY *ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
SSL_CTX_set_tmp_ecdh(ctx, ecdh);
EC_KEY_free(ecdh);
#endif
#endif
#endif
}
}
if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0) {
uwsgi_log("[uwsgi-ssl] unable to assign key %s for context \"%s\"\n", key, name);
SSL_CTX_free(ctx);
return NULL;
}
// if ciphers are specified, prefer server ciphers
if (ciphers && strlen(ciphers) > 0) {
if (SSL_CTX_set_cipher_list(ctx, ciphers) == 0) {
uwsgi_log("[uwsgi-ssl] unable to set requested ciphers (%s) for context \"%s\"\n", ciphers, name);
SSL_CTX_free(ctx);
return NULL;
}
ssloptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
}
// set session context (if possibile), this is required for client certificate authentication
if (name) {
SSL_CTX_set_session_id_context(ctx, (unsigned char *) name, strlen(name));
}
if (client_ca) {
if (client_ca[0] == '!') {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, uwsgi_ssl_verify_callback);
client_ca++;
}
else {
SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, uwsgi_ssl_verify_callback);
}
// in the future we should allow to set the verify depth
SSL_CTX_set_verify_depth(ctx, 1);
if (SSL_CTX_load_verify_locations(ctx, client_ca, NULL) == 0) {
uwsgi_log("[uwsgi-ssl] unable to set ssl verify locations (%s) for context \"%s\"\n", client_ca, name);
SSL_CTX_free(ctx);
return NULL;
}
STACK_OF(X509_NAME) * list = SSL_load_client_CA_file(client_ca);
if (!list) {
uwsgi_log("unable to load client CA certificate (%s) for context \"%s\"\n", client_ca, name);
SSL_CTX_free(ctx);
return NULL;
}
SSL_CTX_set_client_CA_list(ctx, list);
}
SSL_CTX_set_info_callback(ctx, uwsgi_ssl_info_cb);
#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
SSL_CTX_set_tlsext_servername_callback(ctx, uwsgi_sni_cb);
#endif
// disable session caching by default
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
if (uwsgi.ssl_sessions_use_cache) {
// we need to early initialize locking and caching
uwsgi_setup_locking();
uwsgi_cache_create_all();
uwsgi.ssl_sessions_cache = uwsgi_cache_by_name(uwsgi.ssl_sessions_use_cache);
if (!uwsgi.ssl_sessions_cache) {
// check for default cache
if (!strcmp(uwsgi.ssl_sessions_use_cache, "true") && uwsgi.caches) {
uwsgi.ssl_sessions_cache = uwsgi.caches;
}
else {
uwsgi_log("unable to find cache \"%s\"\n", uwsgi.ssl_sessions_use_cache ? uwsgi.ssl_sessions_use_cache : "default");
exit(1);
}
}
if (!uwsgi.ssl_sessions_cache->max_items) {
uwsgi_log("you have to enable uWSGI cache to use it as SSL session store !!!\n");
exit(1);
}
if (uwsgi.ssl_sessions_cache->blocksize < 4096) {
uwsgi_log("cache blocksize for SSL session store must be at least 4096 bytes\n");
exit(1);
}
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER|
SSL_SESS_CACHE_NO_INTERNAL|
SSL_SESS_CACHE_NO_AUTO_CLEAR);
#ifdef SSL_OP_NO_TICKET
ssloptions |= SSL_OP_NO_TICKET;
#endif
// just for fun
SSL_CTX_sess_set_cache_size(ctx, 0);
// set the callback for ssl sessions
SSL_CTX_sess_set_new_cb(ctx, uwsgi_ssl_session_new_cb);
SSL_CTX_sess_set_get_cb(ctx, uwsgi_ssl_session_get_cb);
SSL_CTX_sess_set_remove_cb(ctx, uwsgi_ssl_session_remove_cb);
}
SSL_CTX_set_timeout(ctx, uwsgi.ssl_sessions_timeout);
SSL_CTX_set_options(ctx, ssloptions);
return ctx;
}
