Age | Commit message | Author
glibc is clearly violating POSIX since they set HOST_NAME_MAX to 64, and
they've known so for years. Unfortunately this means that, despite
using the right interfaces, we have to work around bugs in their libc.
ugh.

Luckily, gmid doesn't need to do DNS, it just needs a define large
enough to store a hostname, but not unlimited, to catch possible
misconfigurations. We don't risk round-tripping this into an interface
that expects smaller strings.

Reported and fix tested by Anna “CyberTailor”,
see <https://codeberg.org/op/gmid/issues/3>.
Due to a strict interpretation of the spec, if "TCP4" is used we
expect two ipv4 addresses (and similarly for "TCP6" and ipv6 addresses).
However, the family specified in the proxy header matters only for
the first address (the source), not the destination! After all,
it's not strange to proxy from/to ipv4 and ipv6.

Use getaddrinfo(NI_NUMERICHOST) to parse the IP addresses since
inet_pton() is too strict.
we haven't been running under `set -e' for a long time.
This is symmetrical to the support for *incoming* requests. The
new regress case uses this to proxy to itself using the proxy-protocol
v1.

Fixes https://github.com/omar-polo/gmid/issues/31
Soon we may want to run (some) proxies with the proxy-protocol so
we can't reuse the same port.
we don't load the prefork dynamically, only the prefork at startup
is honoured, so fix the test by stopping gmid so it is started with
the right prefork.
otherwise the child processes still believe the prefork value is
3 and can end up reading/writing out of bounds when setting up the
sockets. Actually, server processes shouldn't create pipes to other
servers, but this is left for a follow-up diff.

Issue reported by la ninpre, thank you!
Related to https://github.com/omar-polo/gmid/issues/12
I chose to out of paranoia, but the algorithm defined in RFC3986
allows for them. So, we should rather remove the leading '..'
component and continue to handle the rest of the path.

Fixes https://github.com/omar-polo/gmid/issues/12
Based on the bug report from Alex, thanks!
at least on the CI it is failing with "can't connect to ::1:10965:
Address not available" which suggests IPv6 is broken there.
now common is no longer a reserved keyword
See Codeberg issue #1.
Call the certificates .pem and the keys .key; use contrib/gencert
to generate the certificates and provide a GENCERT_FLAGS knob so
that regress can be run with EC keys (GENCERT_FLAGS=-e). Still no
automatic way of testing with both RSA and EC keys.
gmid (like all other daemons that want to do privsep crypto) has a
very close relationship with libtls and needs to stay in sync with
it.

OpenBSD's libtls was recently changed to use OpenSSL's EC_KEY_METHOD
instead of the older ECDSA_METHOD; on the gmid side we have to do
the same, otherwise failures happen at runtime. In a similar manner,
privsep crypto is silently broken in the current libretls (the next
version should fix it).

The proper solution would be to complete the signer APIs so that
applications don't need to dive into the library's internals, but
that's a mid-term goal; for the immediate, bundling the 'little'
libtls is the lesser evil.

The configure script has gained a new (undocumented for the time
being) flag `--with-libtls=bundled|system' to control which libtls
to use. It defaults to `bundled' except for OpenBSD where it uses
the `system' one. Note that OpenBSD versions before 7.3 (inclusive)
ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
add `log style <style>'; the old default is called `legacy' now, a
new default format is added called `condensed', and `common' and
`combined' to mimic Apache httpd and nginx (respectively) are also
added.