fastopen now only enabled in https by default. added TCPFastOpen and …

…ListenQueue config options

Makefile

@@ -1,13 +1,13 @@
 CC = gcc
 CFLAGS = -g -O2
 CPPFLAGS = 
-LIBS =  -lcrypt -lcrypto -lssl -lpam -lcap -lz  libUseful/libUseful.a
+LIBS =  -lcrypt -lcrypto -lssl -lpam -lcap -lc -lc -lz  libUseful/libUseful.a
 INSTALL=/bin/install -c
 prefix=/usr/local
 exec_prefix=${prefix}
 bindir=${exec_prefix}/sbin
 sysconfdir=${prefix}/etc
-FLAGS=$(CFLAGS) $(CPPFLAGS) -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DSTDC_HEADERS=1 -D_FILE_OFFSET_BITS=64 -DHAVE_LIBZ=1 -DHAVE_LIBCAP=1 -DUSE_LINUX_CAPABILITIES=1 -DHAVE_LIBPAM=1 -DHAVE_LIBSSL=1 -DHAVE_LIBCRYPTO=1 -DHAVE_LIBCRYPT=1 -DHAVE_SHADOW_H=1 
+FLAGS=$(CFLAGS) $(CPPFLAGS) -DPACKAGE_NAME=\"\" -DPACKAGE_TARNAME=\"\" -DPACKAGE_VERSION=\"\" -DPACKAGE_STRING=\"\" -DPACKAGE_BUGREPORT=\"\" -DPACKAGE_URL=\"\" -DSTDC_HEADERS=1 -D_FILE_OFFSET_BITS=64 -DHAVE_LIBZ=1 -DHAVE_LIBC=1 -DHAVE_LIBC=1 -DUSE_UNSHARE=1 -DUSE_PRCTL=1 -DHAVE_LIBCAP=1 -DUSE_LINUX_CAPABILITIES=1 -DHAVE_LIBPAM=1 -DHAVE_LIBSSL=1 -DHAVE_LIBCRYPTO=1 -DHAVE_LIBCRYPT=1 -DHAVE_SHADOW_H=1 
 OBJ=auth_access_token.o Authenticate.o auth_client_certificate.o auth_alaya_native.o auth_unix.o auth_pam.o MimeType.o DavProps.o Settings.o common.o server.o cgi.o FileProperties.o tar.o directory_listing.o FileDetailsPage.o VPath.o ChrootHelper.o UserAdminScreen.o Events.o ID3.o upload.o proxy.o websocket.o icecast.o xssi.o libUseful/libUseful.a
 EXE=alaya
 

README.md

@@ -169,17 +169,20 @@ CustomHeader=<full HTTP header>   Custom HTTP header to be added to all server r
 LookupClientName 	 If present then lookup client hostnames with DNS and use in logging. The default is just to log the ip-address, as this is faster.
 SanitizeAllowTags=<tag list>		List of HTML tags allowed to be used in 'POST' to cgi-scripts. If left blank, then all are allowed, if set, then all but the listed html elements will be stripped 
 UserAgentSettings=UserAgentString,Settings		Settings to be applied when a particular user agent string is seen.
-FileCacheTime=<seconds>		Amount of time to recommend the browser	caches documents for.
-HttpKeepAlive=<yes|no>		Use http keep-alive
-ReusePort=<yes|no>				Bind server socket with SO_REUSEPORT allowing multiple server processes to bind to the same port (on by default).
-UseNamespaces=<yes|no>		Use linux namespaces to isolate the connection-handler processes (on by default).
-
-MaxMemory=<max bytes>			Maximum amount of memory per alaya process. A suffix can be used to express the size as, for instance, 1G, 2M, 900k
-MaxStack=<max bytes>			Maximum Stack Size. A suffix can be used to express the size as, for instance, 1G, 2M, 900k
-PackFormats=<list>	List of 'pack formats' to offer in the 'download as packed' item on the directory page.
+FileCacheTime=<seconds>		  Amount of time to recommend the browser	caches documents for.
+ListenQueue=<num>           Number of connections to queue waiting for 'accept'. Default is 10.
+HttpKeepAlive=<yes|no>		  Use http keep-alive
+ReusePort=<yes|no>				  Bind server socket with SO_REUSEPORT allowing multiple server processes to bind to the same port (on by default).
+UseNamespaces=<yes|no>		  Use linux namespaces to isolate the connection-handler processes (on by default).
+TcpFastOpen=<https|yes|no>  Use 'tcp fast open'. 'https' only enables this in for encrypted channels, which is the default due to some security concerns.
+
+MaxMemory=<max bytes>			  Maximum amount of memory per alaya process. A suffix can be used to express the size as, for instance, 1G, 2M, 900k
+MaxStack=<max bytes>			  Maximum Stack Size. A suffix can be used to express the size as, for instance, 1G, 2M, 900k
+PackFormats=<list>	        List of 'pack formats' to offer in the 'download as packed' item on the directory page.
 WebsocketHandler:<path>:<protocol>=<script path>   Specify a program that handles websockets requests to a particular path and protocol.
-DenyProxy=<host>:<port>   Configuration for proxy systems, see 'PROXY' section below
+DenyProxy=<host>:<port>     Configuration for proxy systems, see 'PROXY' section below
 AllowProxy=<host>:<port> [redirect=<host>:<port>] [ssl]   Configuration for proxy systems, see 'PROXY' section below
+
 ```
 
 

Settings.c

@@ -164,11 +164,11 @@ void ParseConfigItem(const char *ConfigLine)
 {
 const char *ConfTokens[]={"include","Chroot","Chhome","AllowUsers","DenyUsers","Port","LogFile","AuthPath","BindAddress","LogPasswords","HttpMethods","AuthMethods","DefaultUser","DefaultGroup","Path","FileType","LogVerbose","AuthRealm","Compression","DirListType","DisplayNameLen","MaxLogSize","ScriptHandler","ScriptHashFile","WebsocketHandler","LookupClientName","SanitizeAllowTags","CustomHeader","UserAgentSettings",
 "SSLKey","SSLCert","SSLCiphers","SSLDHParams","SSLClientCertificate","SSLVerifyPath", "SSLVersion",
-"Event","FileCacheTime","HttpKeepAlive","AccessTokenKey","Timezone","MaxMemory","MaxStack","ActivityTimeout","PackFormats","Admin","AllowProxy", "DenyProxy", "UseNamespaces", "ReusePort",
+"Event","FileCacheTime","HttpKeepAlive","AccessTokenKey","Timezone","MaxMemory","MaxStack","ActivityTimeout","PackFormats","Admin","AllowProxy", "DenyProxy", "UseNamespaces", "ReusePort", "TCPFastOpen","ListenQueue",
 NULL};
 typedef enum {CT_INCLUDE,CT_CHROOT, CT_CHHOME, CT_ALLOWUSERS,CT_DENYUSERS,CT_PORT, CT_LOGFILE,CT_AUTHFILE,CT_BINDADDRESS,CT_LOGPASSWORDS,CT_HTTPMETHODS, CT_AUTHMETHODS,CT_DEFAULTUSER, CT_DEFAULTGROUP, CT_PATH, CT_FILETYPE, CT_LOG_VERBOSE, CT_AUTH_REALM, CT_COMPRESSION, CT_DIRTYPE, CT_DISPLAYNAMELEN, CT_MAXLOGSIZE, CT_SCRIPTHANDLER, CT_SCRIPTHASHFILE, CT_WEBSOCKETHANDLER, CT_LOOKUPCLIENT, CT_SANITIZEALLOW, CT_CUSTOMHEADER, CT_USERAGENTSETTINGS, 
 CT_SSLKEY, CT_SSLCERT, CT_SSLCIPHERS, CT_SSLDHPARAMS, CT_CLIENT_CERTIFICATION, CT_SSLVERIFY_PATH, CT_SSL_VERSION, 
-CT_EVENT, CT_FILE_CACHE_TIME, CT_SESSION_KEEPALIVE, CT_ACCESS_TOKEN_KEY, CT_TIMEZONE, CT_MAX_MEM, CT_MAX_STACK, CT_ACTIVITY_TIMEOUT, CT_ARCHIVE_FORMATS, CT_ADMIN, CT_ALLOWPROXY, CT_DENYPROXY, CT_USE_NAMESPACES, CT_REUSE_PORT} TConfigTokens;
+CT_EVENT, CT_FILE_CACHE_TIME, CT_SESSION_KEEPALIVE, CT_ACCESS_TOKEN_KEY, CT_TIMEZONE, CT_MAX_MEM, CT_MAX_STACK, CT_ACTIVITY_TIMEOUT, CT_ARCHIVE_FORMATS, CT_ADMIN, CT_ALLOWPROXY, CT_DENYPROXY, CT_USE_NAMESPACES, CT_REUSE_PORT, CT_FAST_OPEN, CT_LISTEN_QUEUE} TConfigTokens;
 
 char *Token=NULL;
 const char *ptr;
@@ -408,6 +408,10 @@ switch(TokType)
 		Settings.ActivityTimeout=atoi(ptr);
 	break;
 
+	case CT_LISTEN_QUEUE:
+		Settings.ListenQueueLen=atoi(ptr);
+	break;
+
 	case CT_ARCHIVE_FORMATS:
 		Settings.PackFormats=ParsePackFormats(Settings.PackFormats, ptr);
 	break;
@@ -433,6 +437,13 @@ switch(TokType)
 		if (strtobool(ptr)) Settings.Flags |= FLAG_USE_REUSEPORT;
 		else Settings.Flags &= ~FLAG_USE_REUSEPORT;
 	break;
+
+	case CT_FAST_OPEN:
+		if (strcasecmp(ptr, "https")==0) Settings.Flags |= FLAG_USE_HTTPS_FASTOPEN;
+		else if (strtobool(ptr)) Settings.Flags |= FLAG_USE_FASTOPEN;
+		else Settings.Flags &= ~(FLAG_USE_FASTOPEN | FLAG_USE_HTTPS_FASTOPEN);
+	break;
+
 }
 
 Destroy(Token);
@@ -784,13 +795,14 @@ SetTimezoneEnv();
 
 uname(&UnameData);
 memset(&Settings,0,sizeof(TSettings));
+Settings.ListenQueueLen=10;
 Settings.MaxLogSize=999999;
 Settings.MaxLogRotate=5;
 Settings.LogPath=CopyStr(Settings.LogPath,"SYSLOG");
 Settings.ConfigPath=CopyStr(Settings.ConfigPath,"/etc/alaya.conf");
 Settings.DefaultDir=CopyStr(Settings.DefaultDir,"./");
 Settings.BindAddress=CopyStr(Settings.BindAddress,"");
-Settings.Flags |= FLAG_KEEPALIVES | FLAG_USE_REUSEPORT | FLAG_USE_UNSHARE;
+Settings.Flags |= FLAG_KEEPALIVES | FLAG_USE_REUSEPORT | FLAG_USE_UNSHARE | FLAG_USE_HTTPS_FASTOPEN;
 Settings.DirListFlags=DIR_SHOWFILES | DIR_FANCY;
 Settings.AuthFlags=FLAG_AUTH_REQUIRED | FLAG_AUTH_COOKIE;
 Settings.AuthPath=CopyStr(Settings.AuthPath,"/etc/alaya.auth:~/.alaya/alaya.auth");

Settings.h

@@ -23,6 +23,8 @@
 #define FLAG_SIGHUP_RECV 65536
 #define FLAG_LOG_VERBOSE 131072
 #define FLAG_LOG_MORE_VERBOSE 262144
+#define FLAG_USE_FASTOPEN 524288
+#define FLAG_USE_HTTPS_FASTOPEN 1048576
 
 
 //Flag values for Settings->AuthFlags and Session->AuthFlags
@@ -42,6 +44,7 @@ typedef struct
 {
 int Flags;
 int Port;
+int ListenQueueLen;
 char *DefaultUser;
 char *DefaultGroup;
 gid_t DefaultGroupID;

common.c

@@ -6,7 +6,7 @@
 #include "Authenticate.h"
 
 TSettings Settings;
-char *Version="4.0";
+char *Version="4.1";
 
 void SetTimezoneEnv()
 {

config.status

@@ -417,7 +417,7 @@ $config_files
 
 Report bugs to the package provider."
 
-ac_cs_config="'--enable-ssl' '--enable-simd'"
+ac_cs_config="'--enable-unshare' '--enable-ssl'"
 ac_cs_version="\
 config.status
 configured by ./configure, generated by GNU Autoconf 2.69,
@@ -427,7 +427,7 @@ Copyright (C) 2012 Free Software Foundation, Inc.
 This config.status script is free software; the Free Software Foundation
 gives unlimited permission to copy, distribute and modify it."
 
-ac_pwd='/home/colum/work/alaya'
+ac_pwd='/home/colum/alaya'
 srcdir='.'
 INSTALL='/bin/install -c'
 test -n "$AWK" || AWK=awk
@@ -496,7 +496,7 @@ if $ac_cs_silent; then
 fi
 
 if $ac_cs_recheck; then
-  set X /bin/sh './configure'  '--enable-ssl' '--enable-simd' $ac_configure_extra_args --no-create --no-recursion
+  set X /bin/sh './configure'  '--enable-unshare' '--enable-ssl' $ac_configure_extra_args --no-create --no-recursion
   shift
   $as_echo "running CONFIG_SHELL=/bin/sh $*" >&6
   CONFIG_SHELL='/bin/sh'
@@ -603,13 +603,13 @@ S["CC"]="gcc"
 S["target_alias"]=""
 S["host_alias"]=""
 S["build_alias"]=""
-S["LIBS"]="-lcrypt -lcrypto -lssl -lpam -lcap -lz "
+S["LIBS"]="-lcrypt -lcrypto -lssl -lpam -lcap -lc -lc -lz "
 S["ECHO_T"]=""
 S["ECHO_N"]="-n"
 S["ECHO_C"]=""
 S["DEFS"]="-DPACKAGE_NAME=\\\"\\\" -DPACKAGE_TARNAME=\\\"\\\" -DPACKAGE_VERSION=\\\"\\\" -DPACKAGE_STRING=\\\"\\\" -DPACKAGE_BUGREPORT=\\\"\\\" -DPACKAGE_URL=\\\"\\\" -DSTDC_HEADERS=1"\
-" -D_FILE_OFFSET_BITS=64 -DHAVE_LIBZ=1 -DHAVE_LIBCAP=1 -DUSE_LINUX_CAPABILITIES=1 -DHAVE_LIBPAM=1 -DHAVE_LIBSSL=1 -DHAVE_LIBCRYPTO=1 -DHAVE_LIBCRYPT="\
-"1 -DHAVE_SHADOW_H=1"
+" -D_FILE_OFFSET_BITS=64 -DHAVE_LIBZ=1 -DHAVE_LIBC=1 -DHAVE_LIBC=1 -DUSE_UNSHARE=1 -DUSE_PRCTL=1 -DHAVE_LIBCAP=1 -DUSE_LINUX_CAPABILITIES=1 -DHAVE_LI"\
+"BPAM=1 -DHAVE_LIBSSL=1 -DHAVE_LIBCRYPTO=1 -DHAVE_LIBCRYPT=1 -DHAVE_SHADOW_H=1"
 S["mandir"]="${datarootdir}/man"
 S["localedir"]="${datarootdir}/locale"
 S["libdir"]="${exec_prefix}/lib"

libUseful/Makefile

@@ -1,5 +1,5 @@
 CC = gcc
-VERSION = 4.44
+VERSION = 4.46
 CFLAGS = -g -O2 
 LDFLAGS=
 LIBS = -lssl -lcrypto -lc -lc -lc -lc -lc -lc -lc -lc 

libUseful/Makefile.in

@@ -1,5 +1,5 @@
 CC = @CC@
-VERSION = 4.44
+VERSION = 4.46
 CFLAGS = @CFLAGS@ @SIMD_CFLAGS@
 LDFLAGS=@LDFLAGS@
 LIBS = @LIBS@

libUseful/OpenSSL.c

@@ -458,7 +458,7 @@ int OpenSSLSetOptions(STREAM *S, SSL *ssl, int Options)
 
 int DoSSLClientNegotiation(STREAM *S, int Flags)
 {
-    int result=FALSE, Options=0;
+    int result=FALSE, Options=0, i, val;
     char *Token=NULL;
 #ifdef HAVE_LIBSSL
     const SSL_METHOD *Method;
@@ -495,10 +495,19 @@ int DoSSLClientNegotiation(STREAM *S, int Flags)
             ptr=GetToken(ptr,":",&Token,0);
             SSL_set_tlsext_host_name(ssl, Token);
 #endif
-						SSL_CTX_set_timeout (ctx, 1);
+						if (S->Timeout > 0) 
+						{
+								//convert centisecs to seconds
+								val=S->Timeout / 100;
+								if (val==0) val++;
+								SSL_CTX_set_timeout (ctx, val);
+						}
+
             result=SSL_connect(ssl);
-            while (result==-1)
+            for (i=0; i < 3; i ++)
             {
+								//if we succeeded don't keep looping
+								if (result > -1) break;
                 result=SSL_get_error(ssl, result);
                 if ( (result != SSL_ERROR_WANT_READ) && (result != SSL_ERROR_WANT_WRITE) && (result != SSL_ERROR_WANT_CONNECT)) break;
                 usleep(300);

libUseful/Socket.c

@@ -18,6 +18,51 @@
 #endif
 
 
+typedef struct
+{
+int Flags;
+int QueueLen;
+} TSockSettings;
+
+int SocketParseConfig(const char *Config, TSockSettings *Settings)
+{
+const char *ptr;
+char *Name=NULL, *Value=NULL;
+
+Settings->Flags=0;
+Settings->QueueLen=0;
+
+ptr=GetToken(Config, "\\S", &Value, 0);
+for (ptr=Value; *ptr !='\0'; ptr++)
+{
+	switch (*ptr)
+	{
+		case 'E': Settings->Flags |= CONNECT_ERROR; break;
+		case 'k': Settings->Flags |= SOCK_NOKEEPALIVE; break;
+		case 'A': Settings->Flags |= SOCK_TLS_AUTO; break;
+		case 'B': Settings->Flags |= SOCK_BROADCAST; break;
+		case 'F': Settings->Flags |= SOCK_TCP_FASTOPEN; break;
+		case 'R': Settings->Flags |= SOCK_DONTROUTE; break;
+		case 'P': Settings->Flags |= SOCK_REUSEPORT; break;
+		case 'N': Settings->Flags |= SOCK_TCP_NODELAY; break;
+	}
+}
+
+ptr=GetNameValuePair(ptr, "=", "\\S", &Name, &Value);
+while (ptr)
+{
+if (strcmp(Name, "listen")==0) Settings->QueueLen=atoi(Value);
+ptr=GetNameValuePair(ptr, "=", "\\S", &Name, &Value);
+}
+
+Destroy(Name);
+Destroy(Value);
+
+return(Settings->Flags);
+}
+
+
+
 int IsIP4Address(const char *Str)
 {
     const char *ptr;
@@ -739,40 +784,19 @@ STREAM *STREAMFromSock(int sock, int Type, const char *Peer, const char *DestIP,
 }
 
 
-int SocketParseConfig(const char *Config)
-{
-const char *ptr;
-int Flags=0;
-
-for (ptr=Config; *ptr !='\0'; ptr++)
-{
-	switch (*ptr)
-	{
-		case 'E': Flags |= CONNECT_ERROR; break;
-		case 'k': Flags |= SOCK_NOKEEPALIVE; break;
-		case 'A': Flags |= SOCK_TLS_AUTO; break;
-		case 'B': Flags |= SOCK_BROADCAST; break;
-		case 'F': Flags |= SOCK_TCP_FASTOPEN; break;
-		case 'R': Flags |= SOCK_DONTROUTE; break;
-		case 'P': Flags |= SOCK_REUSEPORT; break;
-		case 'N': Flags |= SOCK_TCP_NODELAY; break;
-	}
-}
-
-return(Flags);
-}
 
 
 STREAM *STREAMServerNew(const char *URL, const char *Config)
 {
     char *Proto=NULL, *Host=NULL, *Token=NULL;
     int fd=-1, Port=0, Type, Flags=0;
+		TSockSettings Settings;
     STREAM *S=NULL;
 
     ParseURL(URL, &Proto, &Host, &Token,NULL, NULL,NULL,NULL);
     if (StrValid(Token)) Port=atoi(Token);
 
-		Flags=SocketParseConfig(Config);
+		Flags=SocketParseConfig(Config, &Settings);
 
     switch (*Proto)
     {
@@ -799,6 +823,11 @@ STREAM *STREAMServerNew(const char *URL, const char *Config)
         {
             fd=IPServerNew(SOCK_STREAM, Host, Port, Flags);
             Type=STREAM_TYPE_TCP_SERVER;
+						if (Settings.QueueLen > 0)
+						{
+							listen(fd, Settings.QueueLen);
+							if (Flags & SOCK_TCP_FASTOPEN) SockSetOpt(fd, TCP_FASTOPEN, "TCP_FASTOPEN", Settings.QueueLen);
+						}
         }
         else if (strcmp(Proto,"tproxy")==0)
         {
@@ -1270,11 +1299,13 @@ int STREAMConnect(STREAM *S, const char *URL, const char *Config)
 {
     int result=FALSE;
     char *Name=NULL, *Value=NULL;
+		TSockSettings Settings;
     const char *ptr;
+
     int Flags=0;
 
 		ptr=GetToken(Config, "\\S", &Value, 0);
-		Flags=SocketParseConfig(Value);
+		Flags=SocketParseConfig(Value, &Settings);
 
 		ptr=LibUsefulGetValue("TCP:Keepalives");
 		if ( StrValid(ptr) &&  (! strtobool(ptr)) ) Flags |= SOCK_NOKEEPALIVE;

main.c

@@ -282,9 +282,12 @@ while (ptr)
 	}
 	else 
 	{
-		Tempstr=FormatStr(Tempstr,"tcp:%s:%d",Token,Settings.Port);
-		Config=CopyStr(Config, "F");
+
+		if (Settings.Flags & FLAG_USE_FASTOPEN) Config=CatStr(Config, "F");
 		if (Settings.Flags & FLAG_USE_REUSEPORT) Config=CatStr(Config, "P");
+		Tempstr=FormatStr(Tempstr, " listen=", Settings.ListenQueueLen);
+
+		Tempstr=FormatStr(Tempstr,"tcp:%s:%d",Token,Settings.Port);
 	}
 
 	S=STREAMServerNew(Tempstr, Config);

server.c

@@ -17,6 +17,7 @@
 #include "VPath.h"
 #include "xssi.h"
 #include "icecast.h"
+#include <netinet/tcp.h>
 
 #ifdef USE_UNSHARE
  #define _GNU_SOURCE
@@ -97,6 +98,9 @@ if (Settings.AuthFlags & (FLAG_AUTH_CERT_REQUIRED | FLAG_AUTH_CERT_SUFFICIENT |
 if (DoSSLServerNegotiation(Session->S,Flags))
 {
 	Session->Flags |= HTTP_SSL;
+	#ifndef TCP_FASTOPEN
+	if (Settings.Flags & FLAG_HTTPS_FAST_OPEN) SockSetOpen(Session->S->in_fd, TCP_FASTOPEN, "TCP_FASTOPEN", Settings.ListenQueue);
+	#endif
 	return(TRUE);
 }