ssl_port setting, so that the dnssec-trigger server can be on one host machine.
git-svn-id: file:///svn/unbound/trunk@2539 be551aaa-1e26-0410-a405-d3ace91eadb9
parent
a798dcb5bd
commit
8f5596f643
@ -1,3 +1,6 @@
|
||||
8 November 2011: Wouter
|
||||
- can configure ssl service to one port number, and not on others.
|
||||
|
||||
1 November 2011: Wouter
|
||||
- dns over ssl support as a client, ssl-upstream yes turns it on.
|
||||
It performs an SSL transaction for every DNS query (250 msec).
|
||||
|
@ -458,6 +458,7 @@ server:
|
||||
# default is "" (disabled). requires restart to take effect.
|
||||
# ssl-service-key: "path/to/privatekeyfile.key"
|
||||
# ssl-service-pem: "path/to/publiccertfile.pem"
|
||||
# ssl-port: 443
|
||||
|
||||
# request upstream over SSL (with plain DNS inside the SSL stream).
|
||||
# Default is no. Can be turned on and off with unbound-control.
|
||||
|
@ -315,6 +315,10 @@ suffixes in the \fBinterface\fR config.
|
||||
The public key certificate pem file for the ssl service. Default is "",
|
||||
turned off.
|
||||
.TP
|
||||
.B ssl\-port: \fI<number>
|
||||
The port number on which to provide TCP SSL service, default 443, only
|
||||
interfaces configured with that port number as @number get the SSL service.
|
||||
.TP
|
||||
.B do\-daemonize: \fI<yes or no>
|
||||
Enable or disable whether the unbound server forks into the background as
|
||||
a daemon. Default is yes.
|
||||
|
@ -632,12 +632,13 @@ set_recvpktinfo(int s, int family)
|
||||
* @param list: list of open ports, appended to, changed to point to list head.
|
||||
* @param rcv: receive buffer size for UDP
|
||||
* @param snd: send buffer size for UDP
|
||||
* @param ssl_port: ssl service port number
|
||||
* @return: returns false on error.
|
||||
*/
|
||||
static int
|
||||
ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
struct addrinfo *hints, const char* port, struct listen_port** list,
|
||||
size_t rcv, size_t snd)
|
||||
size_t rcv, size_t snd, int ssl_port)
|
||||
{
|
||||
int s, noip6=0;
|
||||
if(!do_udp && !do_tcp)
|
||||
@ -682,6 +683,9 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
}
|
||||
}
|
||||
if(do_tcp) {
|
||||
int is_ssl = ((strchr(ifname, '@') &&
|
||||
atoi(strchr(ifname, '@')+1) == ssl_port) ||
|
||||
(!strchr(ifname, '@') && atoi(port) == ssl_port));
|
||||
if((s = make_sock_port(SOCK_STREAM, ifname, port, hints, 1,
|
||||
&noip6, 0, 0)) == -1) {
|
||||
if(noip6) {
|
||||
@ -690,7 +694,10 @@ ports_create_if(const char* ifname, int do_auto, int do_udp, int do_tcp,
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
if(!port_insert(list, s, listen_type_tcp)) {
|
||||
if(is_ssl)
|
||||
verbose(VERB_ALGO, "setup TCP for SSL service");
|
||||
if(!port_insert(list, s, is_ssl?listen_type_ssl:
|
||||
listen_type_tcp)) {
|
||||
#ifndef USE_WINSOCK
|
||||
close(s);
|
||||
#else
|
||||
@ -736,9 +743,6 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
free(front);
|
||||
return NULL;
|
||||
}
|
||||
if(sslctx) {
|
||||
verbose(VERB_ALGO, "setup for SSL-wrapped TCP service");
|
||||
}
|
||||
|
||||
/* create comm points as needed */
|
||||
while(ports) {
|
||||
@ -746,7 +750,10 @@ listen_create(struct comm_base* base, struct listen_port* ports,
|
||||
if(ports->ftype == listen_type_udp)
|
||||
cp = comm_point_create_udp(base, ports->fd,
|
||||
front->udp_buff, cb, cb_arg);
|
||||
else if(ports->ftype == listen_type_tcp) {
|
||||
else if(ports->ftype == listen_type_tcp)
|
||||
cp = comm_point_create_tcp(base, ports->fd,
|
||||
tcp_accept_count, bufsize, cb, cb_arg);
|
||||
else if(ports->ftype == listen_type_ssl) {
|
||||
cp = comm_point_create_tcp(base, ports->fd,
|
||||
tcp_accept_count, bufsize, cb, cb_arg);
|
||||
cp->ssl = sslctx;
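Review bot: The last line writes `cp->ssl = sslctx;` for every `listen_type_ssl` port without checking that `sslctx` is non-NULL, and the previous hunk removed the only place that inspected `sslctx` (a verbose message). Because `ssl_port` defaults to 443 in config_create, an interface configured as `@443` is classified as an SSL listener even when no `ssl-service-key`/`ssl-service-pem` is set; if `sslctx` is NULL in that case the port would presumably serve plaintext TCP where the operator expected SSL, which is a fail-open worth refusing explicitly, e.g. at the top of the loop `if(ports->ftype == listen_type_ssl && !sslctx) { log_err("ssl port configured but no ssl-service-key/pem"); /* cleanup as on the earlier error path */ return NULL; }` — I cannot see listen_create's caller, so whether NULL can reach here is inferred. Separately, if `comm_point_create_tcp` can return NULL, the `cp->ssl` write dereferences `cp` before any NULL check, which must follow outside the hunk; listen_create continues beyond this hunk.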
|
||||
@ -834,7 +841,8 @@ listening_ports_open(struct config_file* cfg)
|
||||
if(!ports_create_if(do_auto?"::0":"::1",
|
||||
do_auto, cfg->do_udp, do_tcp,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf)) {
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
@ -844,7 +852,8 @@ listening_ports_open(struct config_file* cfg)
|
||||
if(!ports_create_if(do_auto?"0.0.0.0":"127.0.0.1",
|
||||
do_auto, cfg->do_udp, do_tcp,
|
||||
&hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf)) {
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
@ -856,7 +865,8 @@ listening_ports_open(struct config_file* cfg)
|
||||
hints.ai_family = AF_INET6;
|
||||
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
||||
do_tcp, &hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf)) {
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
@ -866,7 +876,8 @@ listening_ports_open(struct config_file* cfg)
|
||||
hints.ai_family = AF_INET;
|
||||
if(!ports_create_if(cfg->ifs[i], 0, cfg->do_udp,
|
||||
do_tcp, &hints, portbuf, &list,
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf)) {
|
||||
cfg->so_rcvbuf, cfg->so_sndbuf,
|
||||
cfg->ssl_port)) {
|
||||
listening_ports_free(list);
|
||||
return NULL;
|
||||
}
|
||||
|
@ -82,7 +82,9 @@ enum listen_type {
|
||||
/** tcp type */
|
||||
listen_type_tcp,
|
||||
/** udp ipv6 (v4mapped) for use with ancillary data */
|
||||
listen_type_udpancil
|
||||
listen_type_udpancil,
|
||||
/** ssl over tcp type */
|
||||
listen_type_ssl
|
||||
};
|
||||
|
||||
/**
|
||||
|
@ -90,6 +90,7 @@ config_create(void)
|
||||
cfg->tcp_upstream = 0;
|
||||
cfg->ssl_service_key = NULL;
|
||||
cfg->ssl_service_pem = NULL;
|
||||
cfg->ssl_port = 443;
|
||||
cfg->ssl_upstream = 0;
|
||||
cfg->use_syslog = 1;
|
||||
cfg->log_time_ascii = 0;
|
||||
@ -332,6 +333,7 @@ int config_set_option(struct config_file* cfg, const char* opt,
|
||||
else S_YNO("ssl-upstream:", ssl_upstream)
|
||||
else S_STR("ssl-service-key:", ssl_service_key)
|
||||
else S_STR("ssl-service-pem:", ssl_service_pem)
|
||||
else S_NUMBER_NONZERO("ssl-port:", ssl_port)
|
||||
else S_YNO("interface-automatic:", if_automatic)
|
||||
else S_YNO("do-daemonize:", do_daemonize)
|
||||
else S_NUMBER_NONZERO("port:", port)
|
||||
@ -583,6 +585,7 @@ config_get_option(struct config_file* cfg, const char* opt,
|
||||
else O_YNO(opt, "ssl-upstream", ssl_upstream)
|
||||
else O_STR(opt, "ssl-service-key", ssl_service_key)
|
||||
else O_STR(opt, "ssl-service-pem", ssl_service_pem)
|
||||
else O_DEC(opt, "ssl-port", ssl_port)
|
||||
else O_YNO(opt, "do-daemonize", do_daemonize)
|
||||
else O_STR(opt, "chroot", chrootdir)
|
||||
else O_STR(opt, "username", username)
|
||||
|
@ -83,6 +83,8 @@ struct config_file {
|
||||
char* ssl_service_key;
|
||||
/** public key file for dnstcp-ssl service */
|
||||
char* ssl_service_pem;
|
||||
/** port on which to provide ssl service */
|
||||
int ssl_port;
|
||||
/** if outgoing tcp connections use SSL */
|
||||
int ssl_upstream;
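Review bot: The new comment `port on which to provide ssl service` understates the semantics the rest of the commit gives `ssl_port`: it is matched in ports_create_if against an interface's `@port` suffix (or the configured port when there is no suffix), only TCP listeners are affected, the default set in config_create is 443, and the parser rejects 0. Suggest `/** port number for the ssl service: TCP listeners whose @port suffix (or the default port) equals this value are wrapped in SSL; UDP is unaffected. Default 443, must be nonzero */`.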
|
||||
|
||||
|
1940
util/configlexer.c
1940
util/configlexer.c
@ -140,6 +140,7 @@ tcp-upstream{COLON} { YDVAR(1, VAR_TCP_UPSTREAM) }
|
||||
ssl-upstream{COLON} { YDVAR(1, VAR_SSL_UPSTREAM) }
|
||||
ssl-service-key{COLON} { YDVAR(1, VAR_SSL_SERVICE_KEY) }
|
||||
ssl-service-pem{COLON} { YDVAR(1, VAR_SSL_SERVICE_PEM) }
|
||||
ssl-port{COLON} { YDVAR(1, VAR_SSL_PORT) }
|
||||
do-daemonize{COLON} { YDVAR(1, VAR_DO_DAEMONIZE) }
|
||||
interface{COLON} { YDVAR(1, VAR_INTERFACE) }
|
||||
outgoing-interface{COLON} { YDVAR(1, VAR_OUTGOING_INTERFACE) }
|
||||
|
@ -159,7 +159,8 @@
|
||||
VAR_TCP_UPSTREAM = 376,
|
||||
VAR_SSL_UPSTREAM = 377,
|
||||
VAR_SSL_SERVICE_KEY = 378,
|
||||
VAR_SSL_SERVICE_PEM = 379
|
||||
VAR_SSL_SERVICE_PEM = 379,
|
||||
VAR_SSL_PORT = 380
|
||||
};
|
||||
#endif
|
||||
/* Tokens. */
|
||||
@ -285,6 +286,7 @@
|
||||
#define VAR_SSL_UPSTREAM 377
|
||||
#define VAR_SSL_SERVICE_KEY 378
|
||||
#define VAR_SSL_SERVICE_PEM 379
|
||||
#define VAR_SSL_PORT 380
|
||||
|
||||
|
||||
|
||||
@ -301,7 +303,7 @@ typedef union YYSTYPE
|
||||
|
||||
|
||||
/* Line 1685 of yacc.c */
|
||||
#line 305 "util/configparser.h"
|
||||
#line 307 "util/configparser.h"
|
||||
} YYSTYPE;
|
||||
# define YYSTYPE_IS_TRIVIAL 1
|
||||
# define yystype YYSTYPE /* obsolescent; will be withdrawn */
|
||||
|
@ -103,7 +103,7 @@ extern struct config_parser_state* cfg_parser;
|
||||
%token VAR_DEL_HOLDDOWN VAR_SO_RCVBUF VAR_EDNS_BUFFER_SIZE VAR_PREFETCH
|
||||
%token VAR_PREFETCH_KEY VAR_SO_SNDBUF VAR_HARDEN_BELOW_NXDOMAIN
|
||||
%token VAR_IGNORE_CD_FLAG VAR_LOG_QUERIES VAR_TCP_UPSTREAM VAR_SSL_UPSTREAM
|
||||
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM
|
||||
%token VAR_SSL_SERVICE_KEY VAR_SSL_SERVICE_PEM VAR_SSL_PORT
|
||||
|
||||
%%
|
||||
toplevelvars: /* empty */ | toplevelvars toplevelvar ;
|
||||
@ -159,7 +159,7 @@ content_server: server_num_threads | server_verbosity | server_port |
|
||||
server_edns_buffer_size | server_prefetch | server_prefetch_key |
|
||||
server_so_sndbuf | server_harden_below_nxdomain | server_ignore_cd_flag |
|
||||
server_log_queries | server_tcp_upstream | server_ssl_upstream |
|
||||
server_ssl_service_key | server_ssl_service_pem
|
||||
server_ssl_service_key | server_ssl_service_pem | server_ssl_port
|
||||
;
|
||||
stubstart: VAR_STUB_ZONE
|
||||
{
|
||||
@ -399,6 +399,15 @@ server_ssl_service_pem: VAR_SSL_SERVICE_PEM STRING_ARG
|
||||
cfg_parser->cfg->ssl_service_pem = $2;
|
||||
}
|
||||
;
|
||||
server_ssl_port: VAR_SSL_PORT STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_ssl_port:%s)\n", $2));
|
||||
if(atoi($2) == 0)
|
||||
yyerror("port number expected");
|
||||
else cfg_parser->cfg->ssl_port = atoi($2);
|
||||
free($2);
|
||||
}
|
||||
;
|
||||
server_do_daemonize: VAR_DO_DAEMONIZE STRING_ARG
|
||||
{
|
||||
OUTYY(("P(server_do_daemonize:%s)\n", $2));
|
||||
|
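Review bot: `server_ssl_port` rejects only `atoi($2) == 0`, so negative values and values above 65535 are stored; such an `ssl_port` never equals an interface suffix in ports_create_if, so the SSL listener is silently never created with no diagnostic. The same applies to `S_NUMBER_NONZERO("ssl-port:", ssl_port)` in the config_set_option hunk of config_file.c. This mirrors the `port:` handling in config_set_option, so it may be deliberate; if a range check is wanted, `int p = atoi($2); if(p <= 0 || p > 65535) yyerror("port number expected"); else cfg_parser->cfg->ssl_port = p;` also avoids evaluating `atoi($2)` twice.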