From ed2c03780c6d7136115460437133c2a153e5774f Mon Sep 17 00:00:00 2001 From: Sijie Yang Date: Fri, 15 Jan 2021 13:15:37 +0800 Subject: [PATCH 01/35] Merge Release/v1.0.0 --- CHANGELOG.md | 13 ++++++++++--- VERSION | 2 +- go.sum | 4 ++-- 3 files changed, 13 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 664f0ddf7..4a58d5ed5 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -10,14 +10,20 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). -## [Unreleased] +## [v1.0.0] - 2021-01-15 + +### Added +- Add condition primitive: req_path_contain/req_path_element_prefix_in/req_context_value_in +- Add outlier detection options +- Add mod_waf with rule to detect exploitation of "Shellshock" GNU Bash RCE vulnerability. ### Fixed - Fix build issue under go1.15 environment - Fix processing X-Forwarded-For header value +- Fix write timeout of internal response generated by bfe -## [v0.12.0] - 2020-09-03 +## [v0.12.0] - 2020-09-03 ### Added - Support gRPC over HTTP/2 @@ -209,7 +215,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 - Flexible plugin framework to extend functionality. Based on the framework, developer can add new features rapidly - Detailed built-in metrics available for service status monitor -[Unreleased]: https://github.com/bfenetworks/bfe/compare/v0.11.0...HEAD + +[v1.0.0]: https://github.com/bfenetworks/bfe/compare/v0.12.0...v1.0.0 [v0.12.0]: https://github.com/bfenetworks/bfe/compare/v0.11.0...v0.12.0 [v0.11.0]: https://github.com/bfenetworks/bfe/compare/v0.10.0...v0.11.0 [v0.10.0]: https://github.com/bfenetworks/bfe/compare/v0.9.0...v0.10.0 diff --git a/VERSION b/VERSION index 05639a556..afaf360d3 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.0.0-dev +1.0.0 \ No newline at end of file 
diff --git a/go.sum b/go.sum index 3bd2f7361..862b3a750 100644 --- a/go.sum +++ b/go.sum @@ -13,8 +13,8 @@ github.com/asergeyev/nradix v0.0.0-20170505151046-3872ab85bb56 h1:Wi5Tgn8K+jDcBY github.com/asergeyev/nradix v0.0.0-20170505151046-3872ab85bb56/go.mod h1:8BhOLuqtSuT5NZtZMwfvEibi09RO3u79uqfHZzfDTR4= github.com/aymerick/douceur v0.2.0 h1:Mv+mAeH1Q+n9Fr+oyamOlAkUNPWPlA8PPGR0QAaYuPk= github.com/aymerick/douceur v0.2.0/go.mod h1:wlT5vV2O3h55X9m7iVYN0TBM0NH/MmbLnd30/FjWUq4= -github.com/baidu/go-lib v0.0.0-20191217050907-c1bbbad6b030 h1:P8Bwa/d4AEH5qnHroVFI4hUqvy/1kh6UsfbDI+JJ2GI= -github.com/baidu/go-lib v0.0.0-20191217050907-c1bbbad6b030/go.mod h1:FneHDqz3wLeDGdWfRyW4CzBbCwaqesLGIFb09N80/ww= +github.com/baidu/go-lib v0.0.0-20200819072111-21df249f5e6a h1:m/u39GNhkoUSC9WxTuM5hWShEqEfVioeXDiqiQd6tKg= +github.com/baidu/go-lib v0.0.0-20200819072111-21df249f5e6a/go.mod h1:FneHDqz3wLeDGdWfRyW4CzBbCwaqesLGIFb09N80/ww= github.com/chris-ramon/douceur v0.2.0 h1:IDMEdxlEUUBYBKE4z/mJnFyVXox+MjuEVDJNN27glkU= github.com/chris-ramon/douceur v0.2.0/go.mod h1:wDW5xjJdeoMm1mRt4sD4c/LbF/mWdEpRXQKjTR8nIBE= github.com/client9/misspell v0.3.4/go.mod h1:qj6jICC3Q7zFZvVWo7KLAzC3yx5G7kyvSDkc90ppPyw= From 4e6e6e3b38d40aa2263db38f778ffdce7b50abc9 Mon Sep 17 00:00:00 2001 From: Sijie Yang Date: Fri, 15 Jan 2021 13:18:40 +0800 Subject: [PATCH 02/35] Update VERSION --- VERSION | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/VERSION b/VERSION index afaf360d3..336c36775 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.0.0 \ No newline at end of file +1.1.0-dev From 6767c89ddf2686ce691ed3f77f1d0ca2627664ad Mon Sep 17 00:00:00 2001 From: yangsijie Date: Fri, 15 Jan 2021 13:29:33 +0800 Subject: [PATCH 03/35] Update mkdocs_*.yml --- docs/mkdocs_en.yml | 2 ++ docs/mkdocs_zh.yml | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/mkdocs_en.yml b/docs/mkdocs_en.yml index 0abc0ab86..1787b46a1 100644 --- a/docs/mkdocs_en.yml +++ b/docs/mkdocs_en.yml 
@@ -69,12 +69,14 @@ nav: - 'Request redirect': 'example/redirect.md' - 'Request rewrite': 'example/rewrite.md' - 'TLS mutual authentication': 'example/client_auth.md' + - 'FastCGI': 'example/fastcgi.md' - 'Installation': - 'Overview': 'installation/install.md' - 'Install from source': 'installation/install_from_source.md' - 'Install using binaries': 'installation/install_using_binaries.md' - 'Install using go': 'installation/install_using_go.md' - 'Install using snap': 'installation/install_using_snap.md' + - 'Install using docker': 'installation/install_using_docker.md' - 'Configuration': - 'Overview': 'configuration/config.md' - 'Core': 'configuration/bfe.conf.md' diff --git a/docs/mkdocs_zh.yml b/docs/mkdocs_zh.yml index 43304ee9b..0f046c23d 100644 --- a/docs/mkdocs_zh.yml +++ b/docs/mkdocs_zh.yml @@ -69,12 +69,14 @@ nav: - '重定向': 'example/redirect.md' - '重写': 'example/rewrite.md' - 'TLS客户端认证': 'example/client_auth.md' + - 'FastCGI': 'example/fastcgi.md' - '安装说明': - '安装概述': 'installation/install.md' - '源码编译安装': 'installation/install_from_source.md' - '二进制文件下载安装': 'installation/install_using_binaries.md' - 'go方式安装': 'installation/install_using_go.md' - 'snap方式安装': 'installation/install_using_snap.md' + - 'docker方式安装': 'installation/install_using_docker.md' - '配置说明': - '配置概述': 'configuration/config.md' - '核心配置': 'configuration/bfe.conf.md' From 859a174e8c39eb22cc43a3f0c0e03850b854449c Mon Sep 17 00:00:00 2001 
From: yangshuothtf <38379701+yangshuothtf@users.noreply.github.com> Date: Mon, 1 Feb 2021 17:17:35 +0800 Subject: [PATCH 04/35] =?UTF-8?q?Support=20slow=E2=80=91start=20feature=20?= =?UTF-8?q?to=20=20allows=20a=20backend=20instance=20gradually=20recover?= =?UTF-8?q?=20its=20weight=20=20(#692)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- bfe_balance/backend/bfe_backend.go | 15 ++++ bfe_balance/backend/health_check.go | 1 + bfe_balance/bal_gslb/bal_gslb.go | 10 +++ bfe_balance/bal_gslb/bal_gslb_test.go | 62 ++++++++++++++ bfe_balance/bal_gslb/sub_cluster.go | 4 + bfe_balance/bal_slb/backend_rr.go | 56 +++++++++++-- bfe_balance/bal_slb/backend_rr_test.go | 8 +- bfe_balance/bal_slb/bal_rr.go | 38 ++++++++- bfe_balance/bal_slb/bal_rr_test.go | 82 ++++++++++++++++--- bfe_balance/bal_table.go | 23 ++++++ .../cluster_conf/cluster_conf_load.go | 6 ++ .../cluster_conf/testdata/cluster_conf_1.conf | 6 +- bfe_server/bfe_confdata_load.go | 7 +- 13 files changed, 290 insertions(+), 28 deletions(-) diff --git a/bfe_balance/backend/bfe_backend.go b/bfe_balance/backend/bfe_backend.go index 969822a6f..75b2b79bb 100644 --- a/bfe_balance/backend/bfe_backend.go +++ b/bfe_balance/backend/bfe_backend.go @@ -41,6 +41,8 @@ type BfeBackend struct { succNum int // number of consecutive successes of health-check request closeChan chan bool // tell health-check to stop + + restarted bool // indicate if this backend is new bring-up by health-check } func NewBfeBackend() *BfeBackend { @@ -90,6 +92,19 @@ func (back *BfeBackend) setAvail(avail bool) { } } +func (back *BfeBackend) SetRestart(restart bool) { + back.Lock() + back.restarted = restart + back.Unlock() +} + +func (back *BfeBackend) GetRestart() bool { + back.RLock() + restart := back.restarted + back.RUnlock() + return restart +} + func (back *BfeBackend) ConnNum() int { back.RLock() connNum := back.connNum 
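Review bot: The exported `SetRestart` and `GetRestart` added to bfe_backend.go have no doc comments, and the `restarted` field comment does not say who sets the flag and who clears it. Elsewhere in this patch the health check and `BalanceRR.Update` set it, and `BalanceRR.checkSlowStart` clears it, so that contract is worth writing down here. Suggested: `// SetRestart marks the backend as newly brought up (or clears the mark); the balancer clears it when it starts the slow-start ramp.` and `// GetRestart reports whether the backend is still waiting to enter slow start.`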
diff --git a/bfe_balance/backend/health_check.go b/bfe_balance/backend/health_check.go index 05f0c9ad1..c28b48542 100644 --- a/bfe_balance/backend/health_check.go +++ b/bfe_balance/backend/health_check.go @@ -96,6 +96,7 @@ loop: } log.Logger.Info("backend %s back to Normal", backend.Name) + backend.SetRestart(true) backend.SetAvail(true) break loop } diff --git a/bfe_balance/bal_gslb/bal_gslb.go b/bfe_balance/bal_gslb/bal_gslb.go index 4bd1e6c02..051d90442 100644 --- a/bfe_balance/bal_gslb/bal_gslb.go +++ b/bfe_balance/bal_gslb/bal_gslb.go @@ -89,6 +89,16 @@ func (bal *BalanceGslb) SetGslbBasic(gslbBasic cluster_conf.GslbBasicConf) { bal.lock.Unlock() } +func (bal *BalanceGslb) SetSlowStart(backendConf cluster_conf.BackendBasic) { + bal.lock.Lock() + + for _, sub := range bal.subClusters { + sub.setSlowStart(*backendConf.SlowStartTime) + } + + bal.lock.Unlock() +} + // Init inializes gslb cluster with config func (bal *BalanceGslb) Init(gslbConf gslb_conf.GslbClusterConf) error { totalWeight := 0 diff --git a/bfe_balance/bal_gslb/bal_gslb_test.go b/bfe_balance/bal_gslb/bal_gslb_test.go index 83fdf6b20..df09d6b37 100644 --- a/bfe_balance/bal_gslb/bal_gslb_test.go +++ b/bfe_balance/bal_gslb/bal_gslb_test.go 
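Review bot: `BalanceGslb.SetSlowStart` dereferences `backendConf.SlowStartTime` inside the loop while `bal.lock` is held and released without `defer`, so a nil pointer would panic with the lock still taken. `BackendBasicCheck` fills in a default in this patch, but nothing in this hunk guarantees the value went through it, and `BalTable.SetSlowStart` passes `*cluster.BackendConf()` straight from the cluster table on every reload. Check before locking with `if backendConf.SlowStartTime == nil { return }`, then use `bal.lock.Lock()` followed by `defer bal.lock.Unlock()`, so that a panic recovered further up cannot leave the balancer locked.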
@@ -133,3 +133,65 @@ func SetReqHeader(req *bfe_basic.Request, key string) { req.HttpRequest.Header.Set(key, "val") } } + +func TestSlowStart(t *testing.T) { + t.Logf("bal_gslb_test: TestSlowStart") + var c cluster_table_conf.ClusterBackend + var gb cluster_conf.GslbBasicConf + var g gslb_conf.GslbClusterConf + var err error + + loadJson("testdata/cluster1", &c) + loadJson("testdata/gb", &gb) + loadJson("testdata/g1", &g) + t.Logf("%v %v %v\n", c, gb, g) + + bal := NewBalanceGslb("cluster_dumi") + if err := bal.Init(g); err != nil { + t.Errorf("init error %s", err) + } + t.Logf("%+v\n", bal) + if bal.totalWeight != 100 || !bal.single || bal.subClusters[bal.avail].Name != "light.example.wt" || bal.retryMax != 3 || bal.crossRetry != 1 { + t.Errorf("init error") + } + + if len(bal.subClusters) != 3 { + t.Errorf("cluster len error") + } + + t.Logf("%+v", bal.subClusters[0]) + t.Logf("%+v", bal.subClusters[1]) + t.Logf("%+v", bal.subClusters[2]) + + var c1 cluster_table_conf.ClusterBackend + var gb1 cluster_conf.GslbBasicConf + var g1 gslb_conf.GslbClusterConf + loadJson("testdata/cluster2", &c1) + loadJson("testdata/gb2", &gb1) + loadJson("testdata/g2", &g1) + + err = cluster_conf.GslbBasicConfCheck(&gb1) + if err != nil { + t.Errorf("GslbBasicConfCheck err %s", err) + } + t.Logf("%v %v %v\n", c1, gb1, g1) + if err := bal.Reload(g1); err != nil { + t.Errorf("reload error %s", err) + } + + bal.SetGslbBasic(gb1) + + var backendConf cluster_conf.BackendBasic + err = cluster_conf.BackendBasicCheck(&backendConf) + if err != nil { + t.Errorf("BackendBasicCheck err %s", err) + } + var ssTime = 30 + backendConf.SlowStartTime = &ssTime + bal.SetSlowStart(backendConf) + + t.Logf("%+v\n", bal) + t.Logf("%+v", bal.subClusters[0]) + t.Logf("%+v", bal.subClusters[1]) + t.Logf("%+v", bal.subClusters[2]) +} diff --git a/bfe_balance/bal_gslb/sub_cluster.go b/bfe_balance/bal_gslb/sub_cluster.go index 6ea9c82c0..7498ba9ef 100644 --- a/bfe_balance/bal_gslb/sub_cluster.go 
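Review bot: `TestSlowStart` in bal_gslb_test.go asserts nothing about slow start: after `bal.SetSlowStart(backendConf)` it only logs the sub-clusters, so it passes whether or not the value reached any backend list. The `TestSlowStart` added to bal_rr_test.go later in this patch has the same gap; there a direct check is possible, `if rr.slowStartTime != 30 { t.Errorf("slowStartTime = %d, want 30", rr.slowStartTime) }`. A useful test would also mark one backend with `SetRestart(true)`, call `Balance`, and check that its weight starts below the configured value and reaches it once the ramp time has passed. The early `t.Errorf` calls after `bal.Init` and `bal.Reload` should be `t.Fatalf`, since the later indexing into `bal.subClusters` assumes they succeeded.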
+++ b/bfe_balance/bal_gslb/sub_cluster.go @@ -85,6 +85,10 @@ func (sub *SubCluster) balance(algor int, key []byte) (*backend.BfeBackend, erro return sub.backends.Balance(algor, key) } +func (sub *SubCluster) setSlowStart(slowStartTime int) { + sub.backends.SetSlowStart(slowStartTime) +} + // SubClusterList is a list of subcluster. type SubClusterList []*SubCluster diff --git a/bfe_balance/bal_slb/backend_rr.go b/bfe_balance/bal_slb/backend_rr.go index 54d79878b..1561aa042 100644 --- a/bfe_balance/bal_slb/backend_rr.go +++ b/bfe_balance/bal_slb/backend_rr.go @@ -16,15 +16,27 @@ package bal_slb +import ( + "time" +) + import ( "github.com/bfenetworks/bfe/bfe_balance/backend" "github.com/bfenetworks/bfe/bfe_config/bfe_cluster_conf/cluster_table_conf" ) +type WeightSS struct { + final int // final target weight after slow-start + slowStartTime int // time for backend increases the weight to the full value, in seconds + startTime time.Time // time of the first request +} + type BackendRR struct { - weight int // weight of this backend - current int // current weight - backend *backend.BfeBackend // point to BfeBackend + weight int // weight of this backend + current int // current weight + backend *backend.BfeBackend // point to BfeBackend + inSlowStart bool // indicate if in slow-start phase + weightSS WeightSS // slow_start related parameters } func NewBackendRR() *BackendRR { 
@@ -36,15 +48,17 @@ func NewBackendRR() *BackendRR { // Init initialize BackendRR with BackendConf func (backRR *BackendRR) Init(subClusterName string, conf *cluster_table_conf.BackendConf) { - backRR.weight = *conf.Weight - backRR.current = *conf.Weight + // scale up 100 times from conf file + backRR.weight = *conf.Weight * 100 + backRR.current = backRR.weight + backRR.weightSS.final = backRR.weight back := backRR.backend back.Init(subClusterName, conf) } func (backRR *BackendRR) UpdateWeight(weight int) { - backRR.weight = weight + backRR.weight = weight * 100 // if weight > 0, don't touch backRR.current if weight <= 0 { @@ -60,3 +74,33 @@ func (backRR *BackendRR) MatchAddrPort(addr string, port int) bool { back := backRR.backend return back.Addr == addr && back.Port == port } + +func (backRR *BackendRR) initSlowStart(ssTime int) { + backRR.weightSS.slowStartTime = ssTime + if backRR.weightSS.slowStartTime == 0 { + backRR.inSlowStart = false + } else { + backRR.weightSS.startTime = time.Now() + backRR.inSlowStart = true + + // set weight/current to 1, to avoid no traffic allowed at the beginning of start + backRR.weight = 1 + backRR.current = 1 + } +} + +func (backRR *BackendRR) updateSlowStart() { + if backRR.inSlowStart { + current := time.Duration(backRR.weightSS.final) * time.Since(backRR.weightSS.startTime) + if backRR.weightSS.slowStartTime != 0 { + current /= time.Duration(backRR.weightSS.slowStartTime) * time.Second + backRR.weight = int(current) + } else { + backRR.weight = backRR.weightSS.final + } + if backRR.weight >= backRR.weightSS.final { + backRR.weight = backRR.weightSS.final + backRR.inSlowStart = false + } + } +} diff --git a/bfe_balance/bal_slb/backend_rr_test.go b/bfe_balance/bal_slb/backend_rr_test.go index 96b1d19e6..82138d82c 100644 --- a/bfe_balance/bal_slb/backend_rr_test.go +++ b/bfe_balance/bal_slb/backend_rr_test.go 
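Review bot: `UpdateWeight` now writes `weight * 100` to `backRR.weight` but leaves `backRR.weightSS.final` at the value set in `Init`, so a reloaded weight is lost for any backend that is in slow start or enters it later. `updateSlowStart` ramps `weight` toward the stale `final` and overwrites the new value. Set both: `backRR.weight = weight * 100` followed by `backRR.weightSS.final = backRR.weight`. The factor `100` is a bare literal in both `Init` and `UpdateWeight`; a named constant would keep the two in step. `UpdateWeight`'s body continues past the end of this hunk.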
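Review bot: `updateSlowStart` can set `backRR.weight` to 0 right after a restart, which undoes the `weight = 1` that `initSlowStart` sets so that traffic is not blocked. `checkSlowStart` calls `updateSlowStart` immediately after `initSlowStart`, and `int(current)` truncates to 0 until enough time has passed for the ratio to reach 1. Add a floor after the division: `if backRR.weight < 1 { backRR.weight = 1 }`. How a zero weight is scheduled is outside this hunk. The inner `else` branch (`slowStartTime == 0` while `inSlowStart` is true) looks unreachable, because `initSlowStart` only sets `inSlowStart` when the time is non-zero; either drop it or add a comment saying it is defensive.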
@@ -36,12 +36,12 @@ func TestBackendRRInit_case1(t *testing.T) { backendRR := NewBackendRR() backendRR.Init("example.cluster", &conf) - if backendRR.weight != 10 { - t.Error("backend.weight should be 10") + if backendRR.weight != 10 * 100 { + t.Error("backend.weight should be 10 * 100") } - if backendRR.current != 10 { - t.Error("backend.current should be 10") + if backendRR.current != 10 * 100 { + t.Error("backend.current should be 10 * 100") } backend := backendRR.backend diff --git a/bfe_balance/bal_slb/bal_rr.go b/bfe_balance/bal_slb/bal_rr.go index fcd76dd31..b8b036a7e 100644 --- a/bfe_balance/bal_slb/bal_rr.go +++ b/bfe_balance/bal_slb/bal_rr.go @@ -89,10 +89,13 @@ func (s BackendListSorter) Less(i, j int) bool { type BalanceRR struct { sync.Mutex - Name string - backends BackendList // list of BackendRR - sorted bool // list of BackeneRR sorted or not - next int // next backend to schedule + Name string + backends BackendList // list of BackendRR + sorted bool // list of BackeneRR sorted or not + next int // next backend to schedule + + slowStartNum int // number of backends in slow_start phase + slowStartTime int // time for backend increases the weight to the full value, in seconds } func NewBalanceRR(name string) *BalanceRR { @@ -113,6 +116,27 @@ func (brr *BalanceRR) Init(conf cluster_table_conf.SubClusterBackend) { brr.next = 0 } +func (brr *BalanceRR) SetSlowStart(ssTime int) { + brr.Lock() + brr.slowStartTime = ssTime + brr.Unlock() +} + +func (brr *BalanceRR) checkSlowStart() { + brr.Lock() + defer brr.Unlock() + if brr.slowStartTime > 0 { + for _, backendRR := range brr.backends { + backend := backendRR.backend + if backend.GetRestart() { + backend.SetRestart(false) + backendRR.initSlowStart(brr.slowStartTime) + } + backendRR.updateSlowStart() + } + } +} + // Release releases backend list. func (brr *BalanceRR) Release() { for _, back := range brr.backends { 
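Review bot: `checkSlowStart` takes `brr.Lock()` and walks every backend on each non-sticky `Balance` call whenever `slowStartTime > 0`, even when no backend is restarting or ramping. This adds a full scan under the mutex to the per-request path. The struct gains `slowStartNum`, described as the number of backends in slow start, but nothing in the visible hunks reads or writes it. Either maintain it in `initSlowStart`/`updateSlowStart` and use it to skip the ramp update when it is zero, or remove the field. A doc comment on `SetSlowStart` should state that the argument is in seconds and that 0 disables the feature.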
@@ -162,6 +186,8 @@ func (brr *BalanceRR) Update(conf cluster_table_conf.SubClusterBackend) { for _, bkConf := range confMap { backendRR := NewBackendRR() backendRR.Init(brr.Name, bkConf) + backend := backendRR.backend + backend.SetRestart(true) // add to backendsNew backendsNew = append(backendsNew, backendRR) } @@ -195,6 +221,10 @@ func (brr *BalanceRR) ensureSortedUnlocked() { // Balance select one backend from sub cluster in round robin manner. func (brr *BalanceRR) Balance(algor int, key []byte) (*backend.BfeBackend, error) { + // Slow start is not supported when session sticky is enabled + if algor != WrrSticky { + brr.checkSlowStart() + } switch algor { case WrrSimple: return brr.simpleBalance() diff --git a/bfe_balance/bal_slb/bal_rr_test.go b/bfe_balance/bal_slb/bal_rr_test.go index 39905183c..2d478a577 100644 --- a/bfe_balance/bal_slb/bal_rr_test.go +++ b/bfe_balance/bal_slb/bal_rr_test.go @@ -45,18 +45,18 @@ func prepareBalanceRR() *BalanceRR { rr := &BalanceRR{ backends: []*BackendRR{ { - weight: 3, - current: 3, + weight: 300, + current: 300, backend: b1, }, { - weight: 2, - current: 2, + weight: 200, + current: 200, backend: b2, }, { - weight: 1, - current: 1, + weight: 100, + current: 100, backend: b3, }, }, 
@@ -80,11 +80,63 @@ func processBalance(t *testing.T, label string, algor int, key []byte, rr *Balan } } +func processSimpleBalance(t *testing.T, label string, algor int, key []byte, rr *BalanceRR, result []string) { + var l []string + loopCount := (300+200+100)+4 + + for i := 1; i < loopCount; i++ { + r, err := rr.Balance(algor, key) + if err != nil { + t.Errorf("should not error") + } + r.IncConnNum() + // append the end of backend b3 + if (i > 297) && (i <= 303) { + l = append(l, r.Name) + } + // append the end of backend b1 + if (i > 600) && (i <= 603) { + l = append(l, r.Name) + } + } + + if !reflect.DeepEqual(l, result) { + t.Errorf("balance error [%s] %v, expect %v", label, l, result) + } +} + +func processSimpleBalance3(t *testing.T, label string, algor int, key []byte, rr *BalanceRR, result []string) { + var l []string + loopCount := (200+100)*3+4 + + for i := 1; i < loopCount; i++ { + r, err := rr.Balance(algor, key) + if err != nil { + t.Errorf("should not error") + } + r.IncConnNum() + // append the end of backend b3 + if (i > 198) && (i <= 201) { + l = append(l, r.Name) + } + if (i > 498) && (i <= 501) { + l = append(l, r.Name) + } + if (i > 798) && (i <= 801) { + l = append(l, r.Name) + } + } + + if !reflect.DeepEqual(l, result) { + t.Errorf("balance error [%s] %v, expect %v", label, l, result) + } +} + func TestBalance(t *testing.T) { // case 1 rr := prepareBalanceRR() expectResult := []string{"b1", "b2", "b3", "b1", "b2", "b1", "b1", "b2", "b3"} - processBalance(t, "case 1", WrrSimple, nil, rr, expectResult) + processSimpleBalance(t, "case 1", WrrSimple, nil, rr, expectResult) // case 2 rr = prepareBalanceRR() 
@@ -95,7 +147,7 @@ func TestBalance(t *testing.T) { rr = prepareBalanceRR() rr.backends[0].backend.SetAvail(false) expectResult = []string{"b2", "b3", "b2", "b2", "b3", "b2", "b2", "b3", "b2"} - processBalance(t, "case 3", WrrSimple, nil, rr, expectResult) + processSimpleBalance3(t, "case 3", WrrSimple, nil, rr, expectResult) // case 4 rr = prepareBalanceRR() @@ -105,7 +157,7 @@ func TestBalance(t *testing.T) { // case 5 rr = prepareBalanceRR() - expectResult = []string{"b2", "b2", "b2", "b2", "b2", "b2", "b2", "b2", "b2"} + expectResult = []string{"b1", "b1", "b1", "b1", "b1", "b1", "b1", "b1", "b1"} processBalance(t, "case 5", WrrSticky, []byte{1}, rr, expectResult) rr.backends[0], rr.backends[2] = rr.backends[2], rr.backends[0] @@ -115,7 +167,9 @@ func TestBalance(t *testing.T) { // case 6 rr = prepareBalanceRR() rr.backends[0].backend.SetAvail(false) - expectResult = []string{"b2", "b2", "b2", "b2", "b2", "b2", "b2", "b2", "b2"} + // after scale up 100, the hash result changed + expectResult = []string{"b3", "b3", "b3", "b3", "b3", "b3", "b3", "b3", "b3"} +// expectResult = []string{"b2", "b2", "b2", "b2", "b2", "b2", "b2", "b2", "b2"} processBalance(t, "case 6", WrrSticky, []byte{1}, rr, expectResult) // case 7, lcw balance @@ -190,7 +244,7 @@ func checkBackend(t *testing.T, brr *BackendRR, name string, addr string, port i if b.Port != port { t.Errorf("backend port wrong, expect %d, actual %d", port, b.Port) } - if brr.weight != weight { + if brr.weight != weight*100 { t.Errorf("backend weight wrong, expect %d, actual %d", weight, brr.weight) } if connNum != -1 && b.ConnNum() != connNum { @@ -239,3 +293,9 @@ func BenchmarkStickyBalance(b *testing.B) { rr.stickyBalance(key) } } + +func TestSlowStart(t *testing.T) { + // case 1 + rr := prepareBalanceRR() + rr.SetSlowStart(30) +} diff --git a/bfe_balance/bal_table.go b/bfe_balance/bal_table.go index 046a49795..5f53ad9f2 100644 --- a/bfe_balance/bal_table.go +++ b/bfe_balance/bal_table.go 
@@ -188,6 +188,29 @@ func (t *BalTable) SetGslbBasic(clusterTable *bfe_route.ClusterTable) { } } +// SetSlowStart sets slow_start related conf (from server data conf) for BalTable. +// +// Note: +// - SetSlowStart() is called after server reload server data conf +// - SetSlowStart() should be concurrency safe +func (t *BalTable) SetSlowStart(clusterTable *bfe_route.ClusterTable) { + t.lock.RLock() + defer t.lock.RUnlock() + + if clusterTable == nil { + return + } + + for clusterName, bal := range t.balTable { + cluster, err := clusterTable.Lookup(clusterName) + if err != nil { + continue + } + + bal.SetSlowStart(*cluster.BackendConf()) + } +} + func (t *BalTable) BalTableReload(gslbConfs gslb_conf.GslbConf, backendConfs cluster_table_conf.ClusterTableConf) error { t.lock.Lock() diff --git a/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go b/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go index 47ad35747..caf1b4c24 100644 --- a/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go +++ b/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go @@ -101,6 +101,7 @@ type BackendBasic struct { MaxIdleConnsPerHost *int // max idle conns for each backend RetryLevel *int // retry level if request fail OutlierDetectionLevel *int // outlier detection level + SlowStartTime *int // time for backend increases the weight to the full value, in seconds // protocol specific configurations FCGIConf *FCGIConf @@ -196,6 +197,11 @@ func BackendBasicCheck(conf *BackendBasic) error { conf.OutlierDetectionLevel = &outlierDetectionLevel } + if conf.SlowStartTime == nil { + defaultSlowStartTime := 0 + conf.SlowStartTime = &defaultSlowStartTime + } + if conf.FCGIConf == nil { defaultFCGIConf := new(FCGIConf) defaultFCGIConf.EnvVars = make(map[string]string) diff --git a/bfe_config/bfe_cluster_conf/cluster_conf/testdata/cluster_conf_1.conf b/bfe_config/bfe_cluster_conf/cluster_conf/testdata/cluster_conf_1.conf index 3f16d81c7..cc76434c8 100644 
--- a/bfe_config/bfe_cluster_conf/cluster_conf/testdata/cluster_conf_1.conf +++ b/bfe_config/bfe_cluster_conf/cluster_conf/testdata/cluster_conf_1.conf @@ -6,7 +6,8 @@ "TimeoutConnSrv": 1000, "TimeoutWriteSrv": 2000, "TimeoutReadSrv": 2000, - "TimeoutResponseHeader":1000 + "TimeoutResponseHeader":1000, + "SlowStartTime": 30 }, "CheckConf": { "Uri": "/health", @@ -30,7 +31,8 @@ "TimeoutConnSrv": 1000, "TimeoutWriteSrv": 2000, "TimeoutReadSrv": 2000, - "TimeoutResponseHeader":1000 + "TimeoutResponseHeader":1000, + "SlowStartTime": 0 }, "CheckConf": { "Uri": "/health", diff --git a/bfe_server/bfe_confdata_load.go b/bfe_server/bfe_confdata_load.go index c44cf1e0c..ae99a2112 100644 --- a/bfe_server/bfe_confdata_load.go +++ b/bfe_server/bfe_confdata_load.go @@ -56,10 +56,11 @@ func (srv *BfeServer) InitDataLoad() error { return fmt.Errorf("InitDataLoad():balTableInit Error %s", err) } - // set gslb retry config + // set gslb retry config, slow_start config if srv.ServerConf != nil { ct := srv.ServerConf.ClusterTable srv.balTable.SetGslbBasic(ct) + srv.balTable.SetSlowStart(ct) } log.Logger.Info("init bal table success") @@ -116,6 +117,8 @@ func (srv *BfeServer) serverDataConfReload(hostFile, vipFile, routeFile, cluster // set gslb basic srv.balTable.SetGslbBasic(newServerConf.ClusterTable) + // set slow_start config + srv.balTable.SetSlowStart(newServerConf.ClusterTable) return nil } @@ -152,6 +155,8 @@ func (srv *BfeServer) gslbDataConfReload(gslbFile, clusterTableFile string) erro serverConf := srv.ServerConf srv.confLock.Unlock() srv.balTable.SetGslbBasic(serverConf.ClusterTable) + // set slow_start config + srv.balTable.SetSlowStart(serverConf.ClusterTable) return nil } From 8ac0ccb2db6d07fce6ac453ecb3a9206a5d31784 Mon Sep 17 00:00:00 2001 
From: YuqiXiao Date: Fri, 5 Feb 2021 15:21:48 +0800 Subject: [PATCH 05/35] Change outlierDetectionLevel to OutlierDetectionHttpCode (#693) --- .../cluster_conf/cluster_conf_load.go | 39 +++++++------------ bfe_route/bfe_cluster/bfe_cluster.go | 7 ++-- bfe_server/reverseproxy.go | 27 +++++++++++-- 3 files changed, 42 insertions(+), 31 deletions(-) diff --git a/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go b/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go index caf1b4c24..4d89010df 100644 --- a/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go +++ b/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go @@ -40,19 +40,6 @@ const ( DefaultReadClientAgainTimeout = 60000 ) -// Outlier detection levels -const ( - // Abnormal events about backend: - // - connect backend error - // - write request error(caused by backend) - // - read response header error - OutlierDetectionBasic = 0 - - // All abnormal events in basic level and: - // - response code is 5xx - OutlierDetection5XX = 1 -) - // HashStrategy for subcluster-level load balance (GSLB). // Note: // - CLIENTID is a special request header which represents a unique client, 
@@ -95,14 +82,14 @@ type FCGIConf struct { // BackendBasic is conf of backend basic type BackendBasic struct { - Protocol *string // backend protocol - TimeoutConnSrv *int // timeout for connect backend, in ms - TimeoutResponseHeader *int // timeout for read header from backend, in ms - MaxIdleConnsPerHost *int // max idle conns for each backend - RetryLevel *int // retry level if request fail - OutlierDetectionLevel *int // outlier detection level - SlowStartTime *int // time for backend increases the weight to the full value, in seconds - + Protocol *string // backend protocol + TimeoutConnSrv *int // timeout for connect backend, in ms + TimeoutResponseHeader *int // timeout for read header from backend, in ms + MaxIdleConnsPerHost *int // max idle conns for each backend + RetryLevel *int // retry level if request fail + OutlierDetectionLevel *int // outlier detection level + SlowStartTime *int // time for backend increases the weight to the full value, in seconds + OutlierDetectionHttpCode *string // outlier detection http status code // protocol specific configurations FCGIConf *FCGIConf } @@ -192,9 +179,13 @@ func BackendBasicCheck(conf *BackendBasic) error { conf.RetryLevel = &retryLevel } - if conf.OutlierDetectionLevel == nil { - outlierDetectionLevel := OutlierDetectionBasic - conf.OutlierDetectionLevel = &outlierDetectionLevel + if conf.OutlierDetectionHttpCode == nil { + outlierDetectionCode := "" + conf.OutlierDetectionHttpCode = &outlierDetectionCode + } else { + httpCode := *conf.OutlierDetectionHttpCode + httpCode = strings.ToLower(httpCode) + conf.OutlierDetectionHttpCode = &httpCode } if conf.SlowStartTime == nil { diff --git a/bfe_route/bfe_cluster/bfe_cluster.go b/bfe_route/bfe_cluster/bfe_cluster.go index 095ea7071..19eb2bb31 100644 --- a/bfe_route/bfe_cluster/bfe_cluster.go +++ b/bfe_route/bfe_cluster/bfe_cluster.go 
@@ -113,12 +113,11 @@ func (cluster *BfeCluster) RetryLevel() int { return *retryLevel } -func (cluster *BfeCluster) OutlierDetectionLevel() int { +func (cluster *BfeCluster) OutlierDetectionHttpCode() string { cluster.RLock() - outlierDetectionLevel := cluster.backendConf.OutlierDetectionLevel + outlierDetectionHttpCode := cluster.backendConf.OutlierDetectionHttpCode cluster.RUnlock() - - return *outlierDetectionLevel + return *outlierDetectionHttpCode } func (cluster *BfeCluster) TimeoutReadClient() time.Duration { diff --git a/bfe_server/reverseproxy.go b/bfe_server/reverseproxy.go index 29af312b2..99465e986 100644 --- a/bfe_server/reverseproxy.go +++ b/bfe_server/reverseproxy.go @@ -25,6 +25,8 @@ import ( "io" "net" "reflect" + "strconv" + "strings" "sync" "time" ) @@ -334,7 +336,7 @@ func (p *ReverseProxy) clusterInvoke(srv *BfeServer, cluster *bfe_cluster.BfeClu request.Backend.BackendPort = uint32(backend.Port) if err == nil { - if checkBackendStatus(cluster.OutlierDetectionLevel(), res.StatusCode) { + if checkBackendStatus(cluster.OutlierDetectionHttpCode(), res.StatusCode) { backend.OnFail(cluster.Name) } else { backend.OnSuccess() @@ -878,6 +880,25 @@ func checkRequestWithoutBody(req *bfe_http.Request) bool { return false } -func checkBackendStatus(outlierDetectionLevel int, statusCode int) bool { - return outlierDetectionLevel == cluster_conf.OutlierDetection5XX && statusCode/100 == 5 +func checkBackendStatus(outlierDetectionHttpCodeStr string, statusCode int) bool { + if outlierDetectionHttpCodeStr == "" { + return false + } + for _, code := range strings.Split(outlierDetectionHttpCodeStr, "|") { + switch code { + case "3xx", "4xx", "5xx": + if strconv.Itoa(statusCode/100) == code[0:1] { + return true + } + default: + codeInt, err := strconv.Atoi(code) + if err != nil { + continue + } + if codeInt == statusCode { + return true + } + } + } + return false } From 1b5c7dcd0435b5d5273c3d09d0c5179f9a16d7f3 Mon Sep 17 00:00:00 2001 
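Review bot: `checkBackendStatus` splits and parses the configured string again for every backend response, which puts `strings.Split` and `strconv.Atoi` work and allocations on the per-request path for a value that only changes on config reload. Parsing once at load time into a small set (three class flags plus a set of exact codes) held on the cluster would reduce the check to a lookup and would also surface bad tokens at load. Within the current shape, the class comparison can avoid the string conversion: `if statusCode/100 == int(code[0]-'0') { return true }`. The function also needs a comment listing the accepted syntax: `|`-separated tokens, each `3xx`, `4xx`, `5xx` or an exact status code, with unparsable tokens ignored.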
From: YuqiXiao Date: Fri, 19 Feb 2021 09:34:46 +0800 Subject: [PATCH 06/35] Add maxConnPerHost to limit the number of connections to a backend (#694) --- .../cluster_conf/cluster_conf_load.go | 6 +++ bfe_http/transport.go | 46 +++++++++++++++++++ bfe_server/reverseproxy.go | 2 + 3 files changed, 54 insertions(+) diff --git a/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go b/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go index 4d89010df..b51ed50b0 100644 --- a/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go +++ b/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go @@ -86,6 +86,7 @@ type BackendBasic struct { TimeoutConnSrv *int // timeout for connect backend, in ms TimeoutResponseHeader *int // timeout for read header from backend, in ms MaxIdleConnsPerHost *int // max idle conns for each backend + MaxConnsPerHost *int // max conns for each backend (zero means unrestricted) RetryLevel *int // retry level if request fail OutlierDetectionLevel *int // outlier detection level SlowStartTime *int // time for backend increases the weight to the full value, in seconds @@ -174,6 +175,11 @@ func BackendBasicCheck(conf *BackendBasic) error { conf.MaxIdleConnsPerHost = &defaultIdle } + if conf.MaxConnsPerHost == nil || *conf.MaxConnsPerHost < 0 { + defaultConns := 0 + conf.MaxConnsPerHost = &defaultConns + } + if conf.RetryLevel == nil { retryLevel := RetryConnect conf.RetryLevel = &retryLevel diff --git a/bfe_http/transport.go b/bfe_http/transport.go index 1c2bae3c1..3f129d176 100644 --- a/bfe_http/transport.go +++ b/bfe_http/transport.go 
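Review bot: A negative `MaxConnsPerHost` is silently rewritten to 0 in `BackendBasicCheck`, and 0 means unrestricted, so a mistyped limit removes the cap instead of being rejected. Since the function already returns an error, failing the load is the safer default: keep the `nil` case as the default-to-0 branch and add `if *conf.MaxConnsPerHost < 0 { return errors.New("MaxConnsPerHost should be >= 0") }` after it. Whether `errors` is already imported in this file is not visible here. `BackendBasicCheck` starts and ends outside this hunk.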
@@ -69,6 +69,12 @@ type Transport struct { altMu sync.RWMutex altProto map[string]RoundTripper // nil or map of URI scheme => RoundTripper + connMu sync.Mutex // mutex for conn count + // Conn count which record current connection of each backend + // when create a persistConn we count plus one of the cm key, + // and minus one when the persistConn is close. + connCnt map[string]int + // Proxy specifies a function to return a proxy for a given // Request. If the function returns a non-nil error, the // request is aborted with the provided error. @@ -103,6 +109,10 @@ type Transport struct { // DefaultMaxIdleConnsPerHost is used. MaxIdleConnsPerHost int + // MaxConnsPerHost, if non-zero, controls the maximum currency conns + // to per-host. If less than or equal zero, transport will ignore this value. + MaxConnsPerHost int + // ResponseHeaderTimeout, if non-zero, specifies the amount of // time to wait for a server's response headers after fully // writing the request (including its body, if any). This @@ -321,6 +331,16 @@ func (cm *connectMethod) proxyAuth() string { return "" } +func (t *Transport) releaseConnCnt(cacheKey string) { + t.connMu.Lock() + if t.connCnt == nil { + t.connMu.Unlock() + return + } + t.connCnt[cacheKey]-- + t.connMu.Unlock() +} + // putIdleConn adds pconn to the list of idle persistent connections awaiting // a new request. // If pconn is no longer needed or not in a good state, putIdleConn 
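Review bot: The doc comment on `MaxConnsPerHost` in transport.go reads "maximum currency conns to per-host" and does not say what happens when the limit is reached. From the rest of this patch, the count covers every open persistConn (it is only decremented on close), and `getConn` returns an error at the cap rather than waiting. Suggested wording: `// MaxConnsPerHost, if positive, caps the number of open connections (idle or in use) per connection key; at the cap getConn fails instead of dialing. Zero or negative means no limit.`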
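Review bot: `releaseConnCnt` decrements `t.connCnt[cacheKey]` with no floor and never checks that the key was incremented. It is called both from the dial-failure path in `getConn` and, unconditionally, from `persistConn.closeLocked`. Any close that is not matched by exactly one successful `checkAndIncConnCnt` drives the counter negative, which quietly raises the effective cap for that backend. Guard the decrement with `if n := t.connCnt[cacheKey]; n > 0 { t.connCnt[cacheKey] = n - 1 }` and use `defer t.connMu.Unlock()`. Whether `dialConn` can close a partly built persistConn through `closeLocked` before returning its error is outside this patch; if it can, that path releases twice.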
@@ -443,6 +463,21 @@ func (t *Transport) dial(network, addr string) (c net.Conn, err error) { return net.Dial(network, addr) } +// check whether we can create new conn to backend with given cachekey +func (t *Transport) checkAndIncConnCnt(cacheKey string, maxValue int) bool { + t.connMu.Lock() + if t.connCnt == nil { + t.connCnt = make(map[string]int) + } + if val, ok := t.connCnt[cacheKey]; ok && val >= maxValue { + t.connMu.Unlock() + return false + } + t.connCnt[cacheKey]++ + t.connMu.Unlock() + return true +} + // getConn dials and creates a new persistConn to the target as // specified in the connectMethod. This includes doing a proxy CONNECT // and/or setting up TLS. If this doesn't return an error, the persistConn @@ -458,11 +493,19 @@ func (t *Transport) getConn(cm *connectMethod) (*persistConn, error) { } dialc := make(chan dialRes) go func() { + cacheKey := cm.key() + if t.MaxConnsPerHost > 0 && !t.checkAndIncConnCnt(cacheKey, t.MaxConnsPerHost) { + dialc <- dialRes{nil, fmt.Errorf("cm key[%v] greater than max conns[%d]", cacheKey, t.MaxConnsPerHost)} + return + } pc, err := t.dialConn(cm) state.HttpBackendConnAll.Inc(1) if err == nil { state.HttpBackendConnSucc.Inc(1) + } else { + t.releaseConnCnt(cacheKey) } + dialc <- dialRes{pc, err} }() @@ -1035,6 +1078,9 @@ func (pc *persistConn) closeLocked() { if !pc.closed { pc.conn.Close() pc.closed = true + // there are some many reason to close a conn, in order to avoid missing release in some place, + // it is a safely way to release conn cnt in pc.close() + pc.t.releaseConnCnt(pc.cacheKey) } pc.mutateHeaderFunc = nil } diff --git a/bfe_server/reverseproxy.go b/bfe_server/reverseproxy.go index 99465e986..d14f6216e 100644 --- a/bfe_server/reverseproxy.go +++ b/bfe_server/reverseproxy.go 
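Review bot: When checkAndIncConnCnt refuses a dial in getConn, the goroutine returns before `state.HttpBackendConnAll.Inc(1)`, so reaching the per-backend limit leaves no trace in the counters visible in this hunk and reaches the caller only as a formatted string. A dedicated counter next to HttpBackendConnAll and HttpBackendConnSucc would let operators alert on backend saturation. A sentinel such as `var errMaxConnsPerHost = errors.New("max conns per host reached")` (suggested name) would let callers tell a limit hit from a dial failure without matching on text. getConn's body continues outside the hunk.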
@@ -157,6 +157,7 @@ func (p *ReverseProxy) setTransports(clusterMap bfe_route.ClusterMap) { // get transport, check if transport needs update backendConf := conf.BackendConf() if (t.MaxIdleConnsPerHost != *backendConf.MaxIdleConnsPerHost) || + (t.MaxConnsPerHost != *backendConf.MaxConnsPerHost) || (t.ResponseHeaderTimeout != time.Millisecond*time.Duration(*backendConf.TimeoutResponseHeader)) || (t.ReqWriteBufferSize != conf.ReqWriteBufferSize()) || (t.ReqFlushInterval != conf.ReqFlushInterval()) { @@ -217,6 +218,7 @@ func createTransport(cluster *bfe_cluster.BfeCluster) bfe_http.RoundTripper { ReqWriteBufferSize: cluster.ReqWriteBufferSize(), ReqFlushInterval: cluster.ReqFlushInterval(), DisableCompression: true, + MaxConnsPerHost: *backendConf.MaxConnsPerHost, } case "fcgi": return &bfe_fcgi.Transport{ From 79a5468a292c80b84d9ee2e9f0e706ba61b5da8a Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Fri, 26 Feb 2021 12:50:21 +0800 Subject: [PATCH 07/35] Add maxConnsPerHost to cluster config docs (#695) --- docs/en_us/configuration/server_data_conf/cluster_conf.data.md | 2 ++ docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md | 2 ++ 2 files changed, 4 insertions(+) diff --git a/docs/en_us/configuration/server_data_conf/cluster_conf.data.md b/docs/en_us/configuration/server_data_conf/cluster_conf.data.md index a293045f2..06ccc94fc 100644 --- a/docs/en_us/configuration/server_data_conf/cluster_conf.data.md +++ b/docs/en_us/configuration/server_data_conf/cluster_conf.data.md @@ -23,6 +23,7 @@ BackendConf is config for backend. | TimeoutConnSrv | Int
Timeout for connect backend, in ms | | TimeoutResponseHeader | Int
Timeout for read response header, in ms | | MaxIdleConnsPerHost | Int
Max idle conns to each backend | +| MaxConnsPerHost | Int
Max number of concurrent conns to each backend | | RetryLevel | Int
Retry level if request fail | | FCGIConf | Object
Conf for FastCGI Protocol | | FCGIConf.Root | String
the root folder to the site | @@ -78,6 +79,7 @@ ClusterBasic is basic config for cluster. "TimeoutConnSrv": 2000, "TimeoutResponseHeader": 50000, "MaxIdleConnsPerHost": 0, + "MaxConnsPerHost": 0, "RetryLevel": 0 }, "CheckConf": { diff --git a/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md b/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md index 30eaa4866..99934f0a6 100644 --- a/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md +++ b/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md @@ -27,6 +27,7 @@ cluster_conf.data为集群转发配置文件。 | BackendConf.TimeoutConnSrv | Integer
连接后端的超时时间,单位是毫秒
默认值2 | | BackendConf.TimeoutResponseHeader | Integer
从后端读响应头的超时时间,单位是毫秒
默认值60 | | BackendConf.MaxIdleConnsPerHost | Integer
BFE实例与每个后端的最大空闲长连接数
默认值2 | +| BackendConf.MaxConnsPerHost | Integer
BFE实例与每个后端的最大长连接数,0代表无限制
默认值0 | | BackendConf.RetryLevel | Integer
请求重试级别。0:连接后端失败时,进行重试;1:连接后端失败、转发GET请求失败时均进行重试
默认值0 | | BackendConf.FCGIConf | Object
FastCGI 协议的配置 | | BackendConf.FCGIConf.Root | String
网站的Root文件夹位置 | @@ -107,6 +108,7 @@ cluster_conf.data为集群转发配置文件。 "TimeoutConnSrv": 2000, "TimeoutResponseHeader": 50000, "MaxIdleConnsPerHost": 0, + "MaxConnsPerHost": 0, "RetryLevel": 0, "FCGIConf": { "Root": "/home/work", From b4ba843b55a7b8b75c5ac9a535c5fa9e0e44cc89 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Fri, 26 Feb 2021 12:50:43 +0800 Subject: [PATCH 08/35] Add req_path_contain doc (#696) --- .../en_us/condition/condition_primitive_index.md | 1 + docs/en_us/condition/request/uri.md | 16 ++++++++++++++++ .../zh_cn/condition/condition_primitive_index.md | 1 + docs/zh_cn/condition/request/uri.md | 15 +++++++++++++++ 4 files changed, 33 insertions(+) diff --git a/docs/en_us/condition/condition_primitive_index.md b/docs/en_us/condition/condition_primitive_index.md index 6fbe76a5e..9d1179e81 100644 --- a/docs/en_us/condition/condition_primitive_index.md +++ b/docs/en_us/condition/condition_primitive_index.md @@ -21,6 +21,7 @@ * req_proto_secure() * req_tag_match(tagName, tagValue) * req_path_in(path_list, case_insensitive) + * req_path_contain(path_list, case_insensitive) * req_path_prefix_in(prefix_list, case_insensitive) * req_path_element_prefix_in(prefix_list, case_insensitive) * req_path_suffix_in(suffix_list, case_insensitive) diff --git a/docs/en_us/condition/request/uri.md b/docs/en_us/condition/request/uri.md index 1b302dd1f..82206ab6f 100644 --- a/docs/en_us/condition/request/uri.md +++ b/docs/en_us/condition/request/uri.md @@ -35,6 +35,22 @@ req_host_in("www.bfe-networks.com | bfe-networks.com") req_path_in("/api/search|/api/list", true) ``` +## req_path_contain(path_list, case_insensitive) +* Description: Judge if request path contains configured patterns + +* Parameters + +| Parameter | Descrption | +| --------- | ---------- | +| path_list | String
path's substring list which are concatenated with | | +| case_insensitive | Boolean
case insensitive | + +* Example + +```go +req_path_contain("search|analytics", true) +``` + ## req_path_prefix_in(prefix_list, case_insensitive) * Description: Judge if request path prefix matches configured patterns diff --git a/docs/zh_cn/condition/condition_primitive_index.md b/docs/zh_cn/condition/condition_primitive_index.md index fe0de0183..751061ddf 100644 --- a/docs/zh_cn/condition/condition_primitive_index.md +++ b/docs/zh_cn/condition/condition_primitive_index.md @@ -21,6 +21,7 @@ * req_proto_secure() * req_tag_match(tagName, tagValue) * req_path_in(path_list, case_insensitive) + * req_path_contain(path_list, case_insensitive) * req_path_prefix_in(prefix_list, case_insensitive) * req_path_suffix_in(suffix_list, case_insensitive) * req_path_element_suffix_in(suffix_list, case_insensitive) diff --git a/docs/zh_cn/condition/request/uri.md b/docs/zh_cn/condition/request/uri.md index 2496cf68c..8d1f42c19 100644 --- a/docs/zh_cn/condition/request/uri.md +++ b/docs/zh_cn/condition/request/uri.md @@ -28,6 +28,21 @@ req_host_in("www.bfe-networks.com|bfe-networks.com") req_path_in("/api/search|/api/list", true) ``` +## req_path_contain(path_list, case_insensitive) +* 含义: 判断http的path是否包含path_list中的子串 + +* 参数 + +| 参数 | 描述 | +| -------- | ---------------------- | +| path_list | String
path子串列表,多个列表之间使用‘|’连接| +| case_insensitive | Boolean
是否忽略大小写 | + +* 示例 +```go +req_path_contain("search", true) +``` + ## req_path_prefix_in(prefix_list, case_insensitive) * 含义: 判断http的path是否前缀匹配prefix_list之一 From 340c0b98a5a2e76bc7596857e1939102558048bf Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Fri, 26 Feb 2021 12:53:33 +0800 Subject: [PATCH 09/35] Set pipe with a real error when pipe.error is EOF (#697) --- bfe_util/pipe/pipe.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/bfe_util/pipe/pipe.go b/bfe_util/pipe/pipe.go index 661ff1f7a..56919fa36 100644 --- a/bfe_util/pipe/pipe.go +++ b/bfe_util/pipe/pipe.go @@ -119,6 +119,12 @@ func (p *Pipe) closeWithError(dst *error, err error, fn func()) { } defer p.c.Signal() if *dst != nil { + // Note: Here we do not consider the existing io.EOF(i.e. *dst) as a real error + // and replace it if necessary. The error handling policy allows us to release + // underlying resource(eg. PipeBuffer) as soon as possible. + if *dst == io.EOF { + *dst = err + } // Already been done. return } From 0d5fb649606086b5ed54de3b1d96019a0f2e0d62 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Mon, 1 Mar 2021 08:50:51 +0800 Subject: [PATCH 10/35] Add doc for OutlierDetectionHttpCode (#701) --- bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go | 1 - .../en_us/configuration/server_data_conf/cluster_conf.data.md | 4 +++- .../zh_cn/configuration/server_data_conf/cluster_conf.data.md | 4 +++- 3 files changed, 6 insertions(+), 3 deletions(-) diff --git a/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go b/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go index b51ed50b0..a42894a8b 100644 --- a/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go +++ b/bfe_config/bfe_cluster_conf/cluster_conf/cluster_conf_load.go 
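Review bot: The `// Already been done.` comment in closeWithError now sits below a branch that does change state: when `*dst` is io.EOF the new code overwrites it with `err` and returns without touching `fn`. The added comment gives the intent but not the consequence that a caller may observe io.EOF first and a different error later, which is worth stating in the function's doc comment. Writing the condition as `if *dst == io.EOF && err != io.EOF` would also make it explicit that only a real error replaces the EOF. The start of closeWithError is outside the hunk.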
@@ -88,7 +88,6 @@ type BackendBasic struct { MaxIdleConnsPerHost *int // max idle conns for each backend MaxConnsPerHost *int // max conns for each backend (zero means unrestricted) RetryLevel *int // retry level if request fail - OutlierDetectionLevel *int // outlier detection level SlowStartTime *int // time for backend increases the weight to the full value, in seconds OutlierDetectionHttpCode *string // outlier detection http status code // protocol specific configurations diff --git a/docs/en_us/configuration/server_data_conf/cluster_conf.data.md b/docs/en_us/configuration/server_data_conf/cluster_conf.data.md index 06ccc94fc..e7e02a1ad 100644 --- a/docs/en_us/configuration/server_data_conf/cluster_conf.data.md +++ b/docs/en_us/configuration/server_data_conf/cluster_conf.data.md @@ -25,6 +25,7 @@ BackendConf is config for backend. | MaxIdleConnsPerHost | Int
Max idle conns to each backend | | MaxConnsPerHost | Int
Max number of concurrent conns to each backend | | RetryLevel | Int
Retry level if request fail | +| BackendConf.OutlierDetectionHttpCode | String
Http status code that represent error status of backend | | FCGIConf | Object
Conf for FastCGI Protocol | | FCGIConf.Root | String
the root folder to the site | | FCGIConf.EnvVars | Map[string]string
extra environment variable | @@ -80,7 +81,8 @@ ClusterBasic is basic config for cluster. "TimeoutResponseHeader": 50000, "MaxIdleConnsPerHost": 0, "MaxConnsPerHost": 0, - "RetryLevel": 0 + "RetryLevel": 0, + "OutlierDetectionHttpCode": "5xx|400" }, "CheckConf": { "Schem": "http", diff --git a/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md b/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md index 99934f0a6..1a4ad01b6 100644 --- a/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md +++ b/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md @@ -29,6 +29,7 @@ cluster_conf.data为集群转发配置文件。 | BackendConf.MaxIdleConnsPerHost | Integer
BFE实例与每个后端的最大空闲长连接数
默认值2 | | BackendConf.MaxConnsPerHost | Integer
BFE实例与每个后端的最大长连接数,0代表无限制
默认值0 | | BackendConf.RetryLevel | Integer
请求重试级别。0:连接后端失败时,进行重试;1:连接后端失败、转发GET请求失败时均进行重试
默认值0 | +| BackendConf.OutlierDetectionHttpCode | String
后端响应状态码检查,""代表不开启检查,"500"表示后端返回500则认为后端失败,失败计数加一
状态码支持"dxx"格式,例如"5xx";多个状态码之间使用'|'连接
默认值"",不开启后端响应状态码错误检查 | | BackendConf.FCGIConf | Object
FastCGI 协议的配置 | | BackendConf.FCGIConf.Root | String
网站的Root文件夹位置 | | BackendConf.FCGIConf.EnvVars | Map[string]string
拓展的环境变量 | @@ -77,7 +78,8 @@ cluster_conf.data为集群转发配置文件。 "TimeoutConnSrv": 2000, "TimeoutResponseHeader": 50000, "MaxIdleConnsPerHost": 0, - "RetryLevel": 0 + "RetryLevel": 0, + "OutlierDetectionHttpCode": "5xx|403" }, "CheckConf": { "Schem": "http", From de466dc1d531f6d85c7081f9a745e8245808c524 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Mon, 1 Mar 2021 08:57:10 +0800 Subject: [PATCH 11/35] mod_header: add header renaming actions (#702) --- bfe_modules/mod_header/action.go | 29 +++++++++++++++---- bfe_modules/mod_header/action_header.go | 7 +++++ bfe_modules/mod_header/action_test.go | 21 ++++++++++++++ .../testdata/mod_header/header_rule.data | 15 +++++++++- 4 files changed, 65 insertions(+), 7 deletions(-) diff --git a/bfe_modules/mod_header/action.go b/bfe_modules/mod_header/action.go index f0d0a55f4..2c18b6e00 100644 --- a/bfe_modules/mod_header/action.go +++ b/bfe_modules/mod_header/action.go @@ -52,7 +52,9 @@ func ActionFileCheck(conf ActionFile) error { case "REQ_HEADER_SET", "REQ_HEADER_ADD", "RSP_HEADER_SET", - "RSP_HEADER_ADD": + "RSP_HEADER_ADD", + "REQ_HEADER_RENAME", + "RSP_HEADER_RENAME": // header and value if len(conf.Params) != 2 { @@ -374,7 +376,11 @@ func actionConvert(actionFile ActionFile) (Action, error) { // append key values action.Params = append(action.Params, key) action.Params = append(action.Params, values...) - + case "REQ_HEADER_RENAME", "RSP_HEADER_RENAME": + originalKey := textproto.CanonicalMIMEHeaderKey(actionFile.Params[0]) + newKey := textproto.CanonicalMIMEHeaderKey(actionFile.Params[1]) + action.Params = append(action.Params, originalKey) + action.Params = append(action.Params, newKey) case "REQ_HEADER_DEL", "RSP_HEADER_DEL": // - REQ_HEADER_DEL: [referer] // - RSP_HEADER_DEL: [location] @@ -430,6 +436,8 @@ func HeaderActionDo(h *bfe_http.Header, cmd string, headerName string, value str // delete case "HEADER_DEL": headerDel(h, headerName) + case "HEADER_RENAME": + headerRename(h, headerName, value) } } 
@@ -447,26 +455,35 @@ func getHeader(req *bfe_basic.Request, headerType int) (h *bfe_http.Header) { func processHeader(req *bfe_basic.Request, headerType int, action Action) { var key string var value string + var cmd string h := getHeader(req, headerType) - if action.Cmd[4:] == "HEADER_MOD" { + cmd = action.Cmd[4:] + + switch cmd { + case "HEADER_MOD": key = action.Params[1] // get header value if value = h.Get(key); value == "" { // if req do not have this header, continue return } - // mod header value value = modHeaderValue(value, action) - } else { + case "HEADER_RENAME": + originalKey, newKey := action.Params[0], action.Params[1] + if h.Get(originalKey) == "" || h.Get(newKey) != "" { + return + } + key, value = originalKey, newKey + default: key = action.Params[0] value = getHeaderValue(req, action) } // trim action.Cmd prefix REQ_ and RSP_ - HeaderActionDo(h, action.Cmd[4:], key, value) + HeaderActionDo(h, cmd, key, value) } func processCookie(req *bfe_basic.Request, headerType int, action Action) { diff --git a/bfe_modules/mod_header/action_header.go b/bfe_modules/mod_header/action_header.go index cabe273f7..906b35102 100644 --- a/bfe_modules/mod_header/action_header.go +++ b/bfe_modules/mod_header/action_header.go @@ -32,3 +32,10 @@ func headerAdd(h *bfe_http.Header, key string, value string) { func headerDel(h *bfe_http.Header, key string) { h.Del(key) } + +// rename header originalKey to newKey +func headerRename(h *bfe_http.Header, originalKey, newKey string) { + val := h.Get(originalKey) + h.Set(newKey, val) + h.Del(originalKey) +} diff --git a/bfe_modules/mod_header/action_test.go b/bfe_modules/mod_header/action_test.go index 8018e8fc4..8c1e1454c 100644 --- a/bfe_modules/mod_header/action_test.go +++ b/bfe_modules/mod_header/action_test.go 
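Review bot: headerRename moves only the first value: `h.Get(originalKey)` followed by `h.Set(newKey, val)` keeps one value, and `h.Del(originalKey)` then discards the rest of a repeated header. With RSP_HEADER_RENAME on a header such as Set-Cookie, or a request header sent several times, the peer receives less than was sent. The HEADER_RENAME guard in processHeader has a related gap, since `h.Get(originalKey) == ""` treats a present but empty header as absent. Assuming bfe_http.Header is a map of string slices like net/http's (not visible here), moving the whole slice under canonical keys keeps every value: `vals := (*h)[textproto.CanonicalMIMEHeaderKey(originalKey)]` then `(*h)[textproto.CanonicalMIMEHeaderKey(newKey)] = vals` before the Del. TestHeaderActionsDo_Case5 covers only the single-value case.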
@@ -165,6 +165,27 @@ func TestHeaderActionsDo_Case4(t *testing.T) { } } +func TestHeaderActionsDo_Case5(t *testing.T) { + req := makeBasicRequest("http://www.example.org") + + cmdMod := "REQ_HEADER_RENAME" + action := Action{Cmd: cmdMod, Params: []string{"OriginalKey", "NewKey"}} + expectVal := "TestCase" + + req.HttpRequest.Header.Add("OriginalKey", expectVal) + HeaderActionsDo(req, 0, []Action{action}) + + value := req.HttpRequest.Header.Get("NewKey") + if value != expectVal { + t.Errorf("header rename newkey want[%s] got[%s]", expectVal, value) + } + + value = req.HttpRequest.Header.Get("OriginalKey") + if value != "" { + t.Errorf("header rename originalkey want[%s] got[%s]", "", value) + } +} + func TestActionsConvert(t *testing.T) { cmdSet := "REQ_HEADER_SET" cmdAdd := "REQ_HEADER_ADD" diff --git a/bfe_modules/mod_header/testdata/mod_header/header_rule.data b/bfe_modules/mod_header/testdata/mod_header/header_rule.data index 46c494953..6fe18d256 100644 --- a/bfe_modules/mod_header/testdata/mod_header/header_rule.data +++ b/bfe_modules/mod_header/testdata/mod_header/header_rule.data @@ -2,6 +2,19 @@ "Version": "1234", "Config": { "p1": [ + { + "cond": "req_path_prefix_in(\"/header_rename\", false)", + "actions": [ + { + "cmd": "REQ_HEADER_RENAME", + "params": [ + "OriginalKey", + "NewKey" + ] + } + ], + "last": true + }, { "cond": "req_path_prefix_in(\"/cookie_set\", false)", "actions": [ @@ -183,7 +196,7 @@ ] } ], - "last": true + "last": false } ] } From 71a0b8c380df54e2feefcbe9f2197e9b22fc2462 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Mon, 1 Mar 2021 14:37:31 +0800 Subject: [PATCH 12/35] Tweak bfe_modules/mod_header/action.go (#703) --- bfe_modules/mod_header/action.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/bfe_modules/mod_header/action.go b/bfe_modules/mod_header/action.go index 2c18b6e00..de88d18c6 100644 --- a/bfe_modules/mod_header/action.go +++ b/bfe_modules/mod_header/action.go 
@@ -51,9 +51,9 @@ func ActionFileCheck(conf ActionFile) error { switch *conf.Cmd { case "REQ_HEADER_SET", "REQ_HEADER_ADD", + "REQ_HEADER_RENAME", "RSP_HEADER_SET", "RSP_HEADER_ADD", - "REQ_HEADER_RENAME", "RSP_HEADER_RENAME": // header and value From 8f7524da0604742af7d7385d9e53664654f445ce Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Tue, 2 Mar 2021 11:12:36 +0800 Subject: [PATCH 13/35] net/textproto: properly write terminating sequence if DotWriter is closed with no writes (#705) --- bfe_net/textproto/writer.go | 5 +++-- bfe_net/textproto/writer_test.go | 26 ++++++++++++++++++++++++++ 2 files changed, 29 insertions(+), 2 deletions(-) diff --git a/bfe_net/textproto/writer.go b/bfe_net/textproto/writer.go index 118dbb878..2d23e337b 100644 --- a/bfe_net/textproto/writer.go +++ b/bfe_net/textproto/writer.go @@ -75,7 +75,8 @@ type dotWriter struct { } const ( - wstateBeginLine = iota // beginning of line; initial state; must be zero + wstateBegin = iota // initial state; must be zero + wstateBeginLine // beginning of line wstateCR // wrote \r (possibly at end of line) wstateData // writing data in middle of line ) @@ -85,7 +86,7 @@ func (d *dotWriter) Write(b []byte) (n int, err error) { for n < len(b) { c := b[n] switch d.state { - case wstateBeginLine: + case wstateBegin, wstateBeginLine: d.state = wstateData if c == '.' { // escape leading dot diff --git a/bfe_net/textproto/writer_test.go b/bfe_net/textproto/writer_test.go index b7056257b..70cba2a2c 100644 --- a/bfe_net/textproto/writer_test.go +++ b/bfe_net/textproto/writer_test.go 
@@ -50,3 +50,29 @@ func TestDotWriter(t *testing.T) { t.Fatalf("wrote %q", s) } } + +func TestDotWriterCloseEmptyWrite(t *testing.T) { + var buf bytes.Buffer + w := NewWriter(bfe_bufio.NewWriter(&buf)) + d := w.DotWriter() + n, err := d.Write([]byte{}) + if n != 0 || err != nil { + t.Fatalf("Write: %d, %s", n, err) + } + d.Close() + want := "\r\n.\r\n" + if s := buf.String(); s != want { + t.Fatalf("wrote %q; want %q", s, want) + } +} + +func TestDotWriterCloseNoWrite(t *testing.T) { + var buf bytes.Buffer + w := NewWriter(bfe_bufio.NewWriter(&buf)) + d := w.DotWriter() + d.Close() + want := "\r\n.\r\n" + if s := buf.String(); s != want { + t.Fatalf("wrote %q; want %q", s, want) + } +} From c9e492a18277c2d7a898a4717e32739b9c948ea0 Mon Sep 17 00:00:00 2001 From: yangsijie Date: Tue, 2 Mar 2021 11:51:48 +0800 Subject: [PATCH 14/35] Support JA3 fingerprint for SSL/TLS client --- bfe_modules/mod_header/action.go | 2 +- bfe_modules/mod_header/action_header_var.go | 20 ++++++++++ bfe_tls/common.go | 2 + bfe_tls/conn.go | 4 ++ bfe_tls/handshake_messages.go | 43 +++++++++++++++++++++ bfe_tls/handshake_messages_test.go | 33 ++++++++++++++++ bfe_tls/handshake_server.go | 5 +++ go.mod | 6 +-- go.sum | 26 +++++++------ 9 files changed, 125 insertions(+), 16 deletions(-) diff --git a/bfe_modules/mod_header/action.go b/bfe_modules/mod_header/action.go index de88d18c6..b302a9158 100644 --- a/bfe_modules/mod_header/action.go +++ b/bfe_modules/mod_header/action.go @@ -195,7 +195,7 @@ func expectPercent(str string) int { return index } -const variableCharset = "abcdefghijklmnopqrstuvwxyz_" +const variableCharset = "abcdefghijklmnopqrstuvwxyz0123456789_" func expectVariableParam(str string) int { index := 0 diff --git a/bfe_modules/mod_header/action_header_var.go b/bfe_modules/mod_header/action_header_var.go index cc864c488..ac5460063 100644 --- a/bfe_modules/mod_header/action_header_var.go +++ b/bfe_modules/mod_header/action_header_var.go 
@@ -62,6 +62,8 @@ var VariableHandlers = map[string]HeaderValueHandler{ "bfe_ssl_resume": getBfeSslResume, "bfe_ssl_cipher": getBfeSslCipher, "bfe_ssl_version": getBfeSslVersion, + "bfe_ssl_ja3_raw": getBfeSslJa3Raw, + "bfe_ssl_ja3_hash": getBfeSslJa3Hash, "bfe_protocol": getBfeProtocol, "client_cert_serial_number": getClientCertSerialNumber, "client_cert_subject_title": getClientCertSubjectTitle, @@ -180,6 +182,24 @@ func getBfeSslVersion(req *bfe_basic.Request) string { return bfe_tls.VersionTextForOpenSSL(state.Version) } +// get tls ja3 string +func getBfeSslJa3Raw(req *bfe_basic.Request) string { + if req.Session.TlsState == nil { + return "" + } + state := req.Session.TlsState + return state.JA3Raw +} + +// get tls ja3 hash +func getBfeSslJa3Hash(req *bfe_basic.Request) string { + if req.Session.TlsState == nil { + return "" + } + state := req.Session.TlsState + return state.JA3Hash +} + // get protocol for application level func getBfeProtocol(req *bfe_basic.Request) string { return req.Protocol() diff --git a/bfe_tls/common.go b/bfe_tls/common.go index 8bf38041c..039aa64eb 100644 --- a/bfe_tls/common.go +++ b/bfe_tls/common.go @@ -224,6 +224,8 @@ type ConnectionState struct { ClientCiphers []uint16 // ciphers supported by client ClientAuth bool // enable TLS Client Authentication ClientCAName string // TLS client CA name + JA3Raw string // JA3 fingerprint string for TLS Client + JA3Hash string // JA3 fingerprint hash for TLS Client } // ClientAuthType declares the policy the server will follow for diff --git a/bfe_tls/conn.go b/bfe_tls/conn.go index 4948fe0b5..e9c756d20 100644 --- a/bfe_tls/conn.go +++ b/bfe_tls/conn.go 
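Review bot: getBfeSslJa3Raw returns `state.JA3Raw` unmodified, and that string is built from the cipher-suite, extension and curve lists the client sent, so its length is chosen by the peer. Unless the ClientHello size is capped elsewhere (not visible in this diff), a header rule that inserts bfe_ssl_ja3_raw can forward a very large header value to the backend. I would record that on the getter, for example `// get tls ja3 string; length is client-controlled, prefer bfe_ssl_ja3_hash when forwarding to backends`, and consider truncating the raw value at a fixed bound.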
@@ -76,6 +76,8 @@ type Conn struct { serverRandom []byte // random in server hello msg masterSecret []byte // master secret for conn clientCiphers []uint16 // ciphers supported by client + ja3Raw string // JA3 fingerprint string for TLS Client + ja3Hash string // JA3 fingerprint hash for TLS Client clientProtocol string clientProtocolFallback bool @@ -1276,6 +1278,8 @@ func (c *Conn) ConnectionState() ConnectionState { state.ClientAuth = true } state.ClientCAName = c.clientCAName + state.JA3Raw = c.ja3Raw + state.JA3Hash = c.ja3Hash } return state diff --git a/bfe_tls/handshake_messages.go b/bfe_tls/handshake_messages.go index 37db09f05..fb7e1ab23 100644 --- a/bfe_tls/handshake_messages.go +++ b/bfe_tls/handshake_messages.go @@ -20,6 +20,7 @@ package bfe_tls import ( "bytes" + "fmt" ) type clientHelloMsg struct { @@ -40,6 +41,7 @@ type clientHelloMsg struct { secureRenegotiation bool alpnProtocols []string padding bool + extensionIds []uint16 } func (m *clientHelloMsg) equal(i interface{}) bool { 
@@ -66,6 +68,45 @@ func (m *clientHelloMsg) equal(i interface{}) bool { eqStrings(m.alpnProtocols, m1.alpnProtocols) } +// JA3String returns a JA3 fingerprint string for TLS client. +// For more information, see https://github.com/salesforce/ja3 +func (m *clientHelloMsg) JA3String() string { + var buf bytes.Buffer + // version + fmt.Fprintf(&buf, "%d,", m.vers) + // cipher surites + writeJA3Uint16Values(&buf, m.cipherSuites) + fmt.Fprintf(&buf, ",") + // extensions + writeJA3Uint16Values(&buf, m.extensionIds) + fmt.Fprintf(&buf, ",") + // elliptic curves + for i, curve := range m.supportedCurves { + fmt.Fprintf(&buf, "%d", curve) + if i != len(m.supportedCurves)-1 { + fmt.Fprintf(&buf, "-") + } + } + fmt.Fprintf(&buf, ",") + // elliptic curves point formats + for i, point := range m.supportedPoints { + fmt.Fprintf(&buf, "%d", point) + if i != len(m.supportedPoints)-1 { + fmt.Fprintf(&buf, "-") + } + } + return buf.String() +} + +func writeJA3Uint16Values(buf *bytes.Buffer, values []uint16) { + for i, value := range values { + fmt.Fprintf(buf, "%d", value) + if i != len(values)-1 { + fmt.Fprintf(buf, "-") + } + } +} + func (m *clientHelloMsg) marshal() []byte { if m.raw != nil { return m.raw @@ -344,6 +385,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool { m.signatureAndHashes = nil m.alpnProtocols = nil + m.extensionIds = make([]uint16, 0) if len(data) == 0 { // ClientHello is optionally followed by extension data return true @@ -369,6 +411,7 @@ func (m *clientHelloMsg) unmarshal(data []byte) bool { return false } + m.extensionIds = append(m.extensionIds, extension) switch extension { case extensionServerName: if length < 2 { diff --git a/bfe_tls/handshake_messages_test.go b/bfe_tls/handshake_messages_test.go index edd846d1f..04eb208fb 100644 --- a/bfe_tls/handshake_messages_test.go +++ b/bfe_tls/handshake_messages_test.go @@ -19,6 +19,8 @@ package bfe_tls import ( + "crypto/md5" + "fmt" "math/rand" "reflect" "testing" 
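Review bot: JA3String writes every cipher suite, extension id and curve exactly as received, but the JA3 description linked in its doc comment says GREASE values (RFC 8701) are to be ignored. Clients that send GREASE choose those values at random per connection, so the hash recorded for the same client software changes between handshakes, and rules or detections keyed on bfe_ssl_ja3_hash will not match reliably. Skipping them in the list writers fixes this, and the curve loop needs the same skip. TestJA3Hash has no vector containing a GREASE value, so the gap is not caught by the added test.

```go
// isGREASE reports whether v is one of the reserved GREASE values
// (0x0a0a, 0x1a1a, ... 0xfafa) defined by RFC 8701.
func isGREASE(v uint16) bool {
	return v&0x0f0f == 0x0a0a && v>>8 == v&0xff
}

func writeJA3Uint16Values(buf *bytes.Buffer, values []uint16) {
	first := true
	for _, value := range values {
		if isGREASE(value) {
			continue
		}
		if !first {
			buf.WriteByte('-')
		}
		fmt.Fprintf(buf, "%d", value)
		first = false
	}
}

// … unchanged: JA3String version, cipher suite and extension sections …
// in JA3String, elliptic curves: skip entries where isGREASE(uint16(curve)) is true
// … unchanged: point-format loop …
```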
@@ -263,3 +265,34 @@ func (*sessionState) Generate(rand *rand.Rand, size int) reflect.Value { } return reflect.ValueOf(s) } + +var ja3HashTests = []struct { + vers uint16 + cipherSuites []uint16 + extensionIds []uint16 + supportedCurves []CurveID + supportedPoints []uint8 + ja3Hash string +}{ + {769, []uint16{47, 53, 5, 10, 49161, 49162, 49171, 49172, 50, 56, 19, 4}, + []uint16{0, 10, 11}, []CurveID{23, 24, 25}, []uint8{0}, + "ada70206e40642a3e4461f35503241d5"}, + {769, []uint16{4, 5, 10, 9, 100, 98, 3, 6, 19, 18, 99}, + []uint16{}, []CurveID{}, []uint8{}, + "de350869b8c85de67a350c8d186f11e6"}, +} + +func TestJA3Hash(t *testing.T) { + for i, d := range ja3HashTests { + msg := clientHelloMsg{} + msg.vers = d.vers + msg.cipherSuites = d.cipherSuites + msg.extensionIds = d.extensionIds + msg.supportedCurves = d.supportedCurves + msg.supportedPoints = d.supportedPoints + ja3Value := md5.Sum([]byte(msg.JA3String())) + if d.ja3Hash != fmt.Sprintf("%x", ja3Value) { + t.Errorf("#%d: unexpected ja3 value", i) + } + } +} diff --git a/bfe_tls/handshake_server.go b/bfe_tls/handshake_server.go index ef0730767..4118c4489 100644 --- a/bfe_tls/handshake_server.go +++ b/bfe_tls/handshake_server.go @@ -21,6 +21,7 @@ package bfe_tls import ( "crypto" "crypto/ecdsa" + "crypto/md5" "crypto/rsa" "crypto/subtle" "crypto/x509" @@ -73,6 +74,10 @@ func (c *Conn) serverHandshake() error { return err } + // Record JA3 fingerpint for TLS client + c.ja3Raw = hs.clientHello.JA3String() + c.ja3Hash = fmt.Sprintf("%x", md5.Sum([]byte(c.ja3Raw))) + // For an overview of TLS handshaking, see https://tools.ietf.org/html/rfc5246#section-7.3 if isResume { state.TlsHandshakeResumeAll.Inc(1) diff --git a/go.mod b/go.mod index 91e651001..a5612e485 100644 --- a/go.mod +++ b/go.mod 
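Review bot: The `md5.Sum` call added in serverHandshake carries no comment saying why MD5 is acceptable here, so weak-hash linters and audits will flag it. JA3 defines its hash as the MD5 of the raw string, which makes it an identifier rather than an integrity check; a comment such as `// MD5 is required by the JA3 definition; used as a fingerprint id, not for security` records that, and the existing comment's "fingerpint" can be corrected at the same time. Both values are also computed on every handshake, even when no rule reads them, from lists whose size the client chooses, so deriving the hash lazily when ConnectionState is read would avoid that per-handshake work. serverHandshake continues outside the hunk.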
@@ -29,9 +29,9 @@ require ( go.elastic.co/apm/module/apmot v1.7.2 go.uber.org/atomic v1.6.0 // indirect golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 - golang.org/x/net v0.0.0-20200625001655-4c5254603344 - golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd - golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7 // indirect + golang.org/x/net v0.0.0-20201021035429-f5854403a974 + golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 + golang.org/x/tools v0.1.0 // indirect gopkg.in/gcfg.v1 v1.2.3 gopkg.in/square/go-jose.v2 v2.4.1 gopkg.in/warnings.v0 v0.1.2 // indirect diff --git a/go.sum b/go.sum index 862b3a750..171873994 100644 --- a/go.sum +++ b/go.sum @@ -124,7 +124,7 @@ github.com/uber/jaeger-client-go v2.22.1+incompatible h1:NHcubEkVbahf9t3p75TOCR8 github.com/uber/jaeger-client-go v2.22.1+incompatible/go.mod h1:WVhlPFC8FDjOFMMWRy2pZqQJSXxYSwNYOkTr/Z6d3Kk= github.com/uber/jaeger-lib v2.2.0+incompatible h1:MxZXOiR2JuoANZ3J6DE/U0kSFv/eJ/GfSYVCjK7dyaw= github.com/uber/jaeger-lib v2.2.0+incompatible/go.mod h1:ComeNDZlWwrWnDv8aPp0Ba6+uUTzImX/AauajbLI56U= -github.com/yuin/goldmark v1.1.32/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= +github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/zmap/go-iptree v0.0.0-20170831022036-1948b1097e25 h1:LRoXAcKX48QV4LV23W5ZtsG/MbJOgNUNvWiXwM0iLWw= github.com/zmap/go-iptree v0.0.0-20170831022036-1948b1097e25/go.mod h1:qOasALtPByO1Jk6LhgpNv6htPMK2QJfiGorUk57nO/U= go.elastic.co/apm v1.7.2 h1:0nwzVIPp4PDBXSYYtN19+1W5V+sj+C25UjqxDVoKcA8= 
@@ -155,15 +155,15 @@ golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190724013045-ca1201d0de80/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20190923162816-aa69164e4478/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/net v0.0.0-20200625001655-4c5254603344 h1:vGXIOMxbNfDTk/aXCmfdLgkrSV+Z2tcbze+pEc3v5W4= -golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA= +golang.org/x/net v0.0.0-20201021035429-f5854403a974 h1:IX6qOQeG5uLjB/hjjwjedwfjND0hgjPMMyO1RoIXQNI= +golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20181221193216-37e7f081c4d4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208 h1:qwRHBd0NqMbJxfbotnDhm2ByMI1Shq4Y6oRJo21SGJA= -golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9 h1:SQFwaSi55rU7vdNs9Yr0Z324VNlrF+0wMqRXT4St8ck= +golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sys v0.0.0-20180909124046-d0be0721c37e/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod 
h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= 
@@ -171,26 +171,28 @@ golang.org/x/sys v0.0.0-20190924154521-2837fb4f24fe/go.mod h1:h1NjWce9XRLGQEsW7w golang.org/x/sys v0.0.0-20191025021431-6c3a3bfe00ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191204072324-ce4227a45e2e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191224085550-c709ea063b76/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884= -golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4 h1:myAQVi0cGEoqQVR5POX+8RR2mrocKqNN1hmeMqhX27k= +golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs= golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk= +golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k= +golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/tools v0.0.0-20190311212946-11955173bddd/go.mod h1:LCzVGOaR6xXOjkQ3onu1FJEFr0SW1gC7cKk1uF8kGRs= golang.org/x/tools v0.0.0-20190524140312-2c0ae7006135/go.mod h1:RgjU9mgBXZiqYHBnxXauZ1Gv1EHHAz9KjViQ78xBX0Q= -golang.org/x/tools v0.0.0-20191018212557-ed542cd5b28a h1:UuQ+70Pi/ZdWHuP4v457pkXeOynTdgd/4enxeIO/98k= golang.org/x/tools v0.0.0-20191029041327-9cc4af7d6b2c/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools 
v0.0.0-20191119224855-298f0cb1881e/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo= golang.org/x/tools v0.0.0-20191216052735-49a3e744a425 h1:VvQyQJN0tSuecqgcIxMWnnfG5kSmgy9KZR9sW3W5QeA= golang.org/x/tools v0.0.0-20191216052735-49a3e744a425/go.mod h1:TB2adYChydJhpapKDTa4BR/hXlZSLoq2Wpct/0txZ28= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7 h1:LHW24ah7B+uV/OePwNP0p/t889F3QSyLvY8Sg/bK0SY= -golang.org/x/tools v0.0.0-20200729194436-6467de6f59a7/go.mod h1:njjCfa9FT2d7l9Bc6FUM5FLjQPp3cFF28FI3qnDFljA= +golang.org/x/tools v0.1.0 h1:po9/4sTYwZU9lPhi1tOrb4hCv3qrhiQ77LZfGa2OjwY= +golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4= -golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= +golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM= google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc= google.golang.org/grpc v1.20.0/go.mod h1:chYK+tFQF0nDUGJgXMSgLCQk3phJEuONr2DCgLDdAQM= From a11703eea3fa3cff185ee41cfe719d1cae3c738a Mon Sep 17 00:00:00 2001 From: yangsijie Date: Tue, 2 Mar 2021 12:01:48 +0800 Subject: [PATCH 15/35] Update doc for JA3 --- docs/en_us/modules/mod_header/mod_header.md | 2 ++ docs/zh_cn/modules/mod_header/mod_header.md | 2 ++ 2 files changed, 4 insertions(+) 
diff --git a/docs/en_us/modules/mod_header/mod_header.md b/docs/en_us/modules/mod_header/mod_header.md index 34c258743..5bed26f2e 100644 --- a/docs/en_us/modules/mod_header/mod_header.md +++ b/docs/en_us/modules/mod_header/mod_header.md @@ -108,6 +108,8 @@ See the **Example** above. | %bfe_ssl_resume | Whether the TLS/SSL session is resumed with session id or session ticket | | %bfe_ssl_cipher | TLS/SSL cipher suite | | %bfe_ssl_version | TLS/SSL version | +| %bfe_ssl_ja3_raw | JA3 fingerprint string for TLS/SSL client | +| %bfe_ssl_ja3_hash | JA3 fingerprint hash for TLS/SSL client | | %bfe_protocol | Application level protocol | | %client_cert_serial_number | Serial number of client certificate | | %client_cert_subject_title | Subject title of client certificate | diff --git a/docs/zh_cn/modules/mod_header/mod_header.md b/docs/zh_cn/modules/mod_header/mod_header.md index c365f3217..b262954af 100644 --- a/docs/zh_cn/modules/mod_header/mod_header.md +++ b/docs/zh_cn/modules/mod_header/mod_header.md @@ -102,6 +102,8 @@ BFE支持如下一系列变量并在处理请求阶段求值。关于变量的 | %bfe_ssl_resume | 是否TLS/SSL会话复用 | | %bfe_ssl_cipher | TLS/SSL加密套件 | | %bfe_ssl_version | TLS/SSL协议版本 | +| %bfe_ssl_ja3_raw | TLS/SSL客户端JA3算法指纹数据 | +| %bfe_ssl_ja3_hash | TLS/SSL客户端JA3算法指纹哈希值 | | %bfe_protocol | 访问协议 | | %client_cert_serial_number | 客户端证书序列号 | | %client_cert_subject_title | 客户端证书Subject title | From 2213ce0fff1dd96a1143e7d80443028ef1d98b20 Mon Sep 17 00:00:00 2001 From: Sijie Yang Date: Tue, 2 Mar 2021 12:51:25 +0800 Subject: [PATCH 16/35] Update MAINTAINERS.md --- MAINTAINERS.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/MAINTAINERS.md b/MAINTAINERS.md index 3d71e318c..cadcf4def 100644 --- a/MAINTAINERS.md +++ b/MAINTAINERS.md 
@@ -18,5 +18,6 @@ This file lists who are the maintainers of the BFE project. The responsibilities | ---- | --------- | ----------- | | [Derek Zheng](mailto:shanhu5739@gmail.com) | [shanhuhai5739](https://github.com/shanhuhai5739) | Kuaishou | | [Xiaofei Yu](mailto:nemo_00o@hotmail.com) | [xiaofei0800](https://github.com/xiaofei0800) | Baidu | -| [Wensi Yang](mailto:tianxinheihei@gmail.com) | [tianxinheihei](https://github.com/tianxinheihei) | Baidu | +| [Wensi Yang](mailto:tianxinheihei@gmail.com) | [tianxinheihei](https://github.com/tianxinheihei) | ByteDance | | [Kaiyu Zheng](mailto:412674752@qq.com) | [kaiyuzheng](https://github.com/kaiyuzheng) | ByteDance | +| [Yuqi Xiao](mailto:xiao19910705@163.com) | [Yuqi Xiao](https://github.com/YuqiXiao) | Baidu | From 076f4e7fbef0c9496fd27eea675c09b18314b097 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Tue, 2 Mar 2021 12:59:05 +0800 Subject: [PATCH 17/35] net/textproto: close channel to signal pipeline event completion and unlock mutexes appropriately before panics (#706) --- bfe_net/textproto/pipeline.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/bfe_net/textproto/pipeline.go b/bfe_net/textproto/pipeline.go index a10d294fd..5db2001d3 100644 --- a/bfe_net/textproto/pipeline.go +++ b/bfe_net/textproto/pipeline.go @@ -86,7 +86,7 @@ func (p *Pipeline) EndResponse(id uint) { type sequencer struct { mu sync.Mutex id uint - wait map[uint]chan uint + wait map[uint]chan struct{} } // Start waits until it is time for the event numbered id to begin. @@ -98,9 +98,9 @@ func (s *sequencer) Start(id uint) { s.mu.Unlock() return } - c := make(chan uint) + c := make(chan struct{}) if s.wait == nil { - s.wait = make(map[uint]chan uint) + s.wait = make(map[uint]chan struct{}) } s.wait[id] = c s.mu.Unlock() 
@@ -113,12 +113,13 @@ func (s *sequencer) Start(id uint) { func (s *sequencer) End(id uint) { s.mu.Lock() if s.id != id { + s.mu.Unlock() panic("out of sync") } id++ s.id = id if s.wait == nil { - s.wait = make(map[uint]chan uint) + s.wait = make(map[uint]chan struct{}) } c, ok := s.wait[id] if ok { @@ -126,6 +127,6 @@ func (s *sequencer) End(id uint) { } s.mu.Unlock() if ok { - c <- 1 + close(c) } } From 0cd2ce6c8f69dd069e1393ca3e65a4d4e188f989 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Tue, 2 Mar 2021 13:39:24 +0800 Subject: [PATCH 18/35] Update gitignore (#708) --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index f398beae7..4963ee75b 100644 --- a/.gitignore +++ b/.gitignore @@ -8,3 +8,5 @@ output /**/*.log profile.out coverage.txt +.idea/* +.vscode/* From 91977922236298df9ede4a9077e2c792c2233d48 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Tue, 2 Mar 2021 13:40:12 +0800 Subject: [PATCH 19/35] net/textproto: add Header.Values, MIMEHeader.Values methods (#707) --- bfe_http/header.go | 9 +++++ bfe_net/textproto/header.go | 12 ++++++ bfe_net/textproto/header_test.go | 68 ++++++++++++++++++++++++++++++++ bfe_net/textproto/reader_test.go | 35 ---------------- 4 files changed, 89 insertions(+), 35 deletions(-) create mode 100644 bfe_net/textproto/header_test.go diff --git a/bfe_http/header.go b/bfe_http/header.go index f8642338d..f316a983b 100644 --- a/bfe_http/header.go +++ b/bfe_http/header.go 
@@ -59,6 +59,15 @@ func (h Header) Get(key string) string { return textproto.MIMEHeader(h).Get(key) } +// Values returns all values associated with the given key. +// It is case insensitive; textproto.CanonicalMIMEHeaderKey is +// used to canonicalize the provided key. To use non-canonical +// keys, access the map directly. +// The returned slice is not a copy. +func (h Header) Values(key string) []string { + return textproto.MIMEHeader(h).Values(key) +} + // GetDirect gets the value associated with the given key // in CanonicalHeaderKey form. func (h Header) GetDirect(key string) string { diff --git a/bfe_net/textproto/header.go b/bfe_net/textproto/header.go index 84c2b4b32..d6db58303 100644 --- a/bfe_net/textproto/header.go +++ b/bfe_net/textproto/header.go @@ -54,6 +54,18 @@ func (h MIMEHeader) Get(key string) string { return v[0] } +// Values returns all values associated with the given key. +// It is case insensitive; CanonicalMIMEHeaderKey is +// used to canonicalize the provided key. To use non-canonical +// keys, access the map directly. +// The returned slice is not a copy. +func (h MIMEHeader) Values(key string) []string { + if h == nil { + return nil + } + return h[CanonicalMIMEHeaderKey(key)] +} + // Del deletes the values associated with key. func (h MIMEHeader) Del(key string) { delete(h, CanonicalMIMEHeaderKey(key)) diff --git a/bfe_net/textproto/header_test.go b/bfe_net/textproto/header_test.go new file mode 100644 index 000000000..e800aede9 --- /dev/null +++ b/bfe_net/textproto/header_test.go 
@@ -0,0 +1,68 @@ +// Copyright (c) 2021 The BFE Authors. +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. + +// Copyright 2010 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package textproto + +import "testing" + +type canonicalHeaderKeyTest struct { + in, out string +} + +var canonicalHeaderKeyTests = []canonicalHeaderKeyTest{ + {"a-b-c", "A-B-C"}, + {"a-1-c", "A-1-C"}, + {"User-Agent", "User-Agent"}, + {"uSER-aGENT", "User-Agent"}, + {"user-agent", "User-Agent"}, + {"USER-AGENT", "User-Agent"}, + + // Other valid tchar bytes in tokens: + {"foo-bar_baz", "Foo-Bar_baz"}, + {"foo-bar$baz", "Foo-Bar$baz"}, + {"foo-bar~baz", "Foo-Bar~baz"}, + {"foo-bar*baz", "Foo-Bar*baz"}, + + // Non-ASCII or anything with spaces or non-token chars is unchanged: + {"üser-agenT", "üser-agenT"}, + {"a B", "a B"}, + + // This caused a panic due to mishandling of a space: + {"C Ontent-Transfer-Encoding", "C Ontent-Transfer-Encoding"}, + {"foo bar", "foo bar"}, +} + +func TestCanonicalMIMEHeaderKey(t *testing.T) { + for _, tt := range canonicalHeaderKeyTests { + if s := CanonicalMIMEHeaderKey(tt.in); s != tt.out { + t.Errorf("CanonicalMIMEHeaderKey(%q) = %q, want %q", tt.in, s, tt.out) + } + } +} + +// Issue #34799 add a Header method to get multiple values []string, with canonicalized key +func TestMIMEHeaderMultipleValues(t *testing.T) { + testHeader := MIMEHeader{ + "Set-Cookie": 
{"cookie 1", "cookie 2"}, + } + values := testHeader.Values("set-cookie") + n := len(values) + if n != 2 { + t.Errorf("count: %d; want 2", n) + } +} diff --git a/bfe_net/textproto/reader_test.go b/bfe_net/textproto/reader_test.go index 42f1dce8a..966c5e796 100644 --- a/bfe_net/textproto/reader_test.go +++ b/bfe_net/textproto/reader_test.go @@ -30,41 +30,6 @@ import ( "github.com/bfenetworks/bfe/bfe_bufio" ) -type canonicalHeaderKeyTest struct { - in, out string -} - -var canonicalHeaderKeyTests = []canonicalHeaderKeyTest{ - {"a-b-c", "A-B-C"}, - {"a-1-c", "A-1-C"}, - {"User-Agent", "User-Agent"}, - {"uSER-aGENT", "User-Agent"}, - {"user-agent", "User-Agent"}, - {"USER-AGENT", "User-Agent"}, - - // Other valid tchar bytes in tokens: - {"foo-bar_baz", "Foo-Bar_baz"}, - {"foo-bar$baz", "Foo-Bar$baz"}, - {"foo-bar~baz", "Foo-Bar~baz"}, - {"foo-bar*baz", "Foo-Bar*baz"}, - - // Non-ASCII or anything with spaces or non-token chars is unchanged: - {"üser-agenT", "üser-agenT"}, - {"a B", "a B"}, - - // This caused a panic due to mishandling of a space: - {"C Ontent-Transfer-Encoding", "C Ontent-Transfer-Encoding"}, - {"foo bar", "foo bar"}, -} - -func TestCanonicalMIMEHeaderKey(t *testing.T) { - for _, tt := range canonicalHeaderKeyTests { - if s := CanonicalMIMEHeaderKey(tt.in); s != tt.out { - t.Errorf("CanonicalMIMEHeaderKey(%q) = %q, want %q", tt.in, s, tt.out) - } - } -} - func reader(s string) *Reader { return NewReader(bfe_bufio.NewReader(strings.NewReader(s))) } From 9e3bb490999bea0995b9dee40309e8b2bcd7a54d Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Wed, 3 Mar 2021 09:54:25 +0800 Subject: [PATCH 20/35] net/textproto: properly trim continued lines in MIME headers (#709) --- bfe_net/textproto/reader.go | 2 +- bfe_net/textproto/reader_test.go | 26 ++++++++++++++++++++++++++ 2 files changed, 27 insertions(+), 1 deletion(-) diff --git a/bfe_net/textproto/reader.go b/bfe_net/textproto/reader.go index e4eedb5d5..b2af1bc22 100644 --- a/bfe_net/textproto/reader.go 
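Review bot: TestMIMEHeaderMultipleValues asserts only `len(values)`, so it would still pass if Values returned two wrong strings, and the `h == nil` branch this commit adds to MIMEHeader.Values is never exercised. Checking the contents as well, `if n == 2 && (values[0] != "cookie 1" || values[1] != "cookie 2") { t.Errorf("values: %q", values) }`, and adding `if v := MIMEHeader(nil).Values("set-cookie"); v != nil { t.Errorf("nil header: %q", v) }` would pin both without any new import in header_test.go.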
+++ b/bfe_net/textproto/reader.go @@ -169,7 +169,7 @@ func (r *Reader) readContinuedLineSlice() ([]byte, error) { break } r.buf = append(r.buf, ' ') - r.buf = append(r.buf, line...) + r.buf = append(r.buf, trim(line)...) } return r.buf, nil } diff --git a/bfe_net/textproto/reader_test.go b/bfe_net/textproto/reader_test.go index 966c5e796..0b1632704 100644 --- a/bfe_net/textproto/reader_test.go +++ b/bfe_net/textproto/reader_test.go @@ -191,6 +191,32 @@ func TestReadMIMEHeaderNonCompliant(t *testing.T) { } } +// Test that continued lines are properly trimmed. Issue 11204. +func TestReadMIMEHeaderTrimContinued(t *testing.T) { + // In this header, \n and \r\n terminated lines are mixed on purpose. + // We expect each line to be trimmed (prefix and suffix) before being concatenated. + // Keep the spaces as they are. + r := reader("" + // for code formatting purpose. + "a:\n" + + " 0 \r\n" + + "b:1 \t\r\n" + + "c: 2\r\n" + + " 3\t\n" + + " \t 4 \r\n\n") + m, err := r.ReadMIMEHeader() + if err != nil { + t.Fatal(err) + } + want := MIMEHeader{ + "A": {"0"}, + "B": {"1"}, + "C": {"2 3 4"}, + } + if !reflect.DeepEqual(m, want) { + t.Fatalf("ReadMIMEHeader mismatch.\n got: %q\nwant: %q", m, want) + } +} + type readResponseTest struct { in string inCode int From 5f871d05db48f6192a8296f4ac1e792bee5b6d5c Mon Sep 17 00:00:00 2001 From: Sijie Yang Date: Wed, 3 Mar 2021 09:58:20 +0800 Subject: [PATCH 21/35] Update CONTRIBUTORS.md --- CONTRIBUTORS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index 012d7c12d..fb3858000 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -41,6 +41,7 @@ | Shan Xiao | arlingtonroad | | Shengnan Yu | goldfish-fish | | Shuai Yan | yanshuai615270 | +| Shuo Yang | yangshuothtf | | Sijie Yang | iyangsj | | Tianqi Zhang | NKztq | | Weijie Zhao | zwj13513118235 | From d8f3a21fcd529e2aeb469d2e969b63676b471d35 Mon Sep 17 00:00:00 2001 
From: YuqiXiao Date: Thu, 4 Mar 2021 10:44:57 +0800 Subject: [PATCH 22/35] net/textproto: do not buffer a line if we know the next line is empty (#711) --- bfe_net/textproto/reader.go | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/bfe_net/textproto/reader.go b/bfe_net/textproto/reader.go index b2af1bc22..153e6c664 100644 --- a/bfe_net/textproto/reader.go +++ b/bfe_net/textproto/reader.go @@ -148,12 +148,13 @@ func (r *Reader) readContinuedLineSlice() ([]byte, error) { } // Optimistically assume that we have started to buffer the next line - // and it starts with an ASCII letter (the next header key), so we can - // avoid copying that buffered data around in memory and skipping over - // non-existent whitespace. + // and it starts with an ASCII letter (the next header key), or a blank + // line, so we can avoid copying that buffered data around in memory + // and skipping over non-existent whitespace. if r.R.Buffered() > 1 { - peek, err := r.R.Peek(1) - if err == nil && isASCIILetter(peek[0]) { + peek, _ := r.R.Peek(2) + if len(peek) > 0 && (isASCIILetter(peek[0]) || peek[0] == '\n') || + len(peek) == 2 && peek[0] == '\r' && peek[1] == '\n' { return trim(line), nil } } From 424044960a1605db3bd3050f57670c78b55ae11a Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Thu, 4 Mar 2021 18:15:54 +0800 Subject: [PATCH 23/35] http2: discard DATA frames with higher stream IDs after shutdown (#712) --- bfe_http2/server.go | 13 +++++++++++- bfe_http2/server_test.go | 45 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 57 insertions(+), 1 deletion(-) diff --git a/bfe_http2/server.go b/bfe_http2/server.go index 60e387f82..2286b09fb 100644 --- a/bfe_http2/server.go +++ b/bfe_http2/server.go 
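Review bot: The new condition in readContinuedLineSlice mixes `&&` and `||` without grouping and discards the error from `r.R.Peek(2)` without saying why, which makes the fast path hard to verify by eye. Parenthesising the two alternatives, `if (len(peek) > 0 && (isASCIILetter(peek[0]) || peek[0] == '\n')) || (len(peek) == 2 && peek[0] == '\r' && peek[1] == '\n') {`, keeps the same evaluation and makes the intent explicit. A comment such as `// Peek error ignored: the length checks below handle a short read.` would document the dropped error. The function starts and ends outside this hunk.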
@@ -1567,12 +1567,23 @@ func (sc *serverConn) processSettingInitialWindowSize(val uint32) error { func (sc *serverConn) processData(f *DataFrame) error { sc.serveG.Check() + id := f.Header().StreamID + if sc.inGoAway && (sc.goAwayCode != ErrCodeNo || id > sc.maxStreamID) { + // Discard all DATA frames if the GOAWAY is due to an + // error, or: + // + // Section 6.8: After sending a GOAWAY frame, the sender + // can discard frames for streams initiated by the + // receiver with identifiers higher than the identified + // last stream. + return nil + } + data := f.Data() // "If a DATA frame is received whose stream is not in "open" // or "half closed (local)" state, the recipient MUST respond // with a stream error (Section 5.4.2) of type STREAM_CLOSED." - id := f.Header().StreamID st, ok := sc.streams[id] if !ok || st.state != stateOpen || st.gotTrailerHeader { // This includes sending a RST_STREAM if the stream is diff --git a/bfe_http2/server_test.go b/bfe_http2/server_test.go index 57fe049be..7be6318d9 100644 --- a/bfe_http2/server_test.go +++ b/bfe_http2/server_test.go 
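Review bot: The early `return nil` in processData drops the frame before anything else in the function runs, so a discarded DATA frame is not charged to flow control (the quota check sits further down in processData and is visible only in a later hunk of this series). RFC 7540 section 6.9 asks receivers to account for flow-controlled frames against the connection window unless the frame is treated as a connection error, so the choice is worth stating in the code: `// Discarded frames are not charged to the connection window; the connection is already shutting down.` It would also help to confirm, outside this hunk, that a timer bounds how long a peer can keep sending DATA on a connection that is in graceful GOAWAY. The function body continues past the hunk.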
@@ -2960,3 +2960,48 @@ y2ptGsuSmgUtWj3NM9xuwYPm+Z/F84K6+ARYiZ6PYj013sovGKUFfYAqVXVlxtIX qyUBnu3X9ps8ZfjLZO7BAkEAlT4R5Yl6cGhaJQYZHOde3JEMhNRcVFMO8dJDaFeo f9Oeos0UUothgiDktdQHxdNEwLjQf7lJJBzV+5OtwswCWA== -----END RSA PRIVATE KEY-----`) + +func TestNoRstPostAfterGOAWAY(t *testing.T) { + const msg = "Hello, world." + st := newServerTester(t, func(w http.ResponseWriter, r *http.Request) { + n, err := io.Copy(ioutil.Discard, r.Body) + if err != nil || n > 0 { + t.Errorf("Read %d bytes, error %v; want 0 bytes.", n, err) + } + io.WriteString(w, msg) + }) + defer st.Close() + st.greet() + // Give the server quota to reply. (plus it has the the 64KB) + if err := st.fr.WriteWindowUpdate(0, uint32(1*len(msg))); err != nil { + t.Fatal(err) + } + hbf := st.encodeHeader(":method", "POST") + st.writeHeaders(HeadersFrameParam{ + StreamID: 1, + BlockFragment: hbf, + EndStream: false, + EndHeaders: true, + }) + close(st.sc.closeNotifyCh) + st.writeData(1, true, nil) + + st.wantGoAway() + for { + f, err := st.readFrame() + if err == io.EOF { + st.t.Fatal("got a EOF; want *GoAwayFrame") + } + if err != nil && err.Error() == "timeout waiting for frame" { + break + } + if err != nil { + t.Fatal(err) + } + if gf, ok := f.(*RSTStreamFrame); ok && gf.StreamID == 1 { + t.Fatal("got rst but want no ret") + break + } + } + +} From c4f3a62af24ef888e65c9e2f9d095f1211204521 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Fri, 5 Mar 2021 13:30:14 +0800 Subject: [PATCH 24/35] http2: receiving too much data is a protocol error (#713) --- bfe_http2/server.go | 5 ++++- bfe_http2/server_test.go | 19 +++++++++++++++++++ 2 files changed, 23 insertions(+), 1 deletion(-) diff --git a/bfe_http2/server.go b/bfe_http2/server.go index 2286b09fb..9ccc0945c 100644 --- a/bfe_http2/server.go +++ b/bfe_http2/server.go 
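Review bot: TestNoRstPostAfterGOAWAY can only finish by hitting the read timeout, and it recognises that by comparing `err.Error()` with the literal `"timeout waiting for frame"`, so every run waits out the full timeout and a reworded error message turns a pass into a failure. If the tester exposes a sentinel or typed error for the timeout (not visible here), comparing against that would be sturdier. Inside the loop the `break` after `t.Fatal` is unreachable and the message has a typo; `t.Fatal("got RST_STREAM for stream 1; want none")` with the `break` removed reads better. The comment `(plus it has the the 64KB)` also repeats a word.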
@@ -1618,7 +1618,10 @@ func (sc *serverConn) processData(f *DataFrame) error { if st.declBodyBytes != -1 && st.bodyBytes+int64(len(data)) > st.declBodyBytes { err := fmt.Errorf("sender tried to send more than declared Content-Length of %d bytes", st.declBodyBytes) st.body.CloseWithError(err) - return StreamError{id, ErrCodeStreamClosed, err.Error()} + // RFC 7540, sec 8.1.2.6: A request or response is also malformed if the + // value of a content-length header field does not equal the sum of the + // DATA frame payload lengths that form the body. + return StreamError{id, ErrCodeProtocol, err.Error()} } if f.Length > 0 { // Check whether the client has flow control quota. diff --git a/bfe_http2/server_test.go b/bfe_http2/server_test.go index 7be6318d9..966d3efb7 100644 --- a/bfe_http2/server_test.go +++ b/bfe_http2/server_test.go @@ -3005,3 +3005,22 @@ func TestNoRstPostAfterGOAWAY(t *testing.T) { } } + +func TestServer_Rejects_TooSmall(t *testing.T) { + testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error { + return nil + }, func(st *serverTester) { + st.writeHeaders(HeadersFrameParam{ + StreamID: 1, // clients send odd numbers + BlockFragment: st.encodeHeader( + ":method", "POST", + "content-length", "4", + ), + EndStream: false, // to say DATA frames are coming + EndHeaders: true, + }) + st.writeData(1, true, []byte("12345")) + + st.wantRSTStream(1, ErrCodeProtocol) + }) +} From 240995ebf9c2a4882d218faa7ca0190c828feb1d Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Fri, 5 Mar 2021 14:03:36 +0800 Subject: [PATCH 25/35] Update DOWNLOAD.md add bfe v1.0.0 release info --- docs/en_us/DOWNLOAD.md | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/docs/en_us/DOWNLOAD.md b/docs/en_us/DOWNLOAD.md index b73e7fdb7..fdcc7c93f 100644 --- a/docs/en_us/DOWNLOAD.md +++ b/docs/en_us/DOWNLOAD.md 
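Review bot: The RFC sentence quoted in the new comment describes a content-length mismatch in either direction, while the condition it sits under, `st.bodyBytes+int64(len(data)) > st.declBodyBytes`, catches only a body longer than declared. Narrowing the comment avoids implying more than is enforced at this point, for example by appending `// Only the over-length case is detected here.`. TestServer_Rejects_TooSmall in the next hunk likewise covers only the over-length case (5 bytes against `content-length` 4); whether a short body is rejected is not visible in these hunks. processData starts and ends outside the hunk.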
@@ -1,5 +1,17 @@ We provide precompiled binaries for bfe components. [Download the latest release](https://github.com/bfenetworks/bfe/releases) of BFE for your platform. +## bfe v1.0.0 + +* 2021-01-15 [Release notes](https://github.com/bfenetworks/bfe/releases/tag/v1.0.0) + +| File name | OS | Arch | Size | SHA256 Checksum | +| --------- | -- | ---- | ---- | --------------- | +| [bfe_1.0.0_darwin_amd64.tar.gz](https://github.com/bfenetworks/bfe/releases/download/v1.0.0/bfe_1.0.0_darwin_amd64.tar.gz) | darwin | amd64 | 7.03 MB | c0d13440d89ab97f52c61610d1b10dec6dcfb47b468a66078d1dd60f0541ec9e | +| [bfe_1.0.0_linux_arm64.tar.gz](https://github.com/bfenetworks/bfe/releases/download/v1.0.0/bfe_1.0.0_linux_arm64.tar.gz) | linux | arm64 | 5.63 MB | 47a3730ac90c4700c557d6c5903361c557e169102256bac870cede4eb90ff829 | +| [bfe_1.0.0_linux_amd64.tar.gz](https://github.com/bfenetworks/bfe/releases/download/v1.0.0/bfe_1.0.0_linux_amd64.tar.gz) | linux | amd64 | 6.18 MB | 5ec46c26827d554ba4c76f7f5e12b6b6afb68a9333213065802fa425fb81cbd1 | +| [bfe_1.0.0_windows_amd64.tar.gz](https://github.com/bfenetworks/bfe/releases/download/v1.0.0/bfe_1.0.0_windows_amd64.tar.gz) | windows | amd64 | 6.15 MB | 95ba788d0335ac536036c77e39249ce1629b2d159c942293077fd57ddc487f29 | + + ## bfe v0.10.0 * 2020-05-25 [Release notes](https://github.com/bfenetworks/bfe/releases/tag/v0.10.0) From 0ef9a5868ca5843898dc1bb6885a175581121e53 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Fri, 5 Mar 2021 14:05:04 +0800 Subject: [PATCH 26/35] Update DOWNLOAD.md add bfe v1.0.0 release info --- docs/zh_cn/DOWNLOAD.md | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/docs/zh_cn/DOWNLOAD.md b/docs/zh_cn/DOWNLOAD.md index f6d2e7a67..cab6a53e7 100644 --- a/docs/zh_cn/DOWNLOAD.md +++ b/docs/zh_cn/DOWNLOAD.md 
@@ -1,5 +1,16 @@ BFE提供预编译二进制文件供下载。也可在GitHub下载各平台[最新版本BFE](https://github.com/bfenetworks/bfe/releases)。 +## bfe v1.0.0 + +* 2021-01-15 [发布说明](https://github.com/bfenetworks/bfe/releases/tag/v1.0.0) + +| 文件名 | 操作系统 | 平台 | 大小 | SHA256检验和 | +| --------- | -- | ---- | ---- | --------------- | +| [bfe_1.0.0_darwin_amd64.tar.gz](https://github.com/bfenetworks/bfe/releases/download/v1.0.0/bfe_1.0.0_darwin_amd64.tar.gz) | darwin | amd64 | 7.03 MB | c0d13440d89ab97f52c61610d1b10dec6dcfb47b468a66078d1dd60f0541ec9e | +| [bfe_1.0.0_linux_arm64.tar.gz](https://github.com/bfenetworks/bfe/releases/download/v1.0.0/bfe_1.0.0_linux_arm64.tar.gz) | linux | arm64 | 5.63 MB | 47a3730ac90c4700c557d6c5903361c557e169102256bac870cede4eb90ff829 | +| [bfe_1.0.0_linux_amd64.tar.gz](https://github.com/bfenetworks/bfe/releases/download/v1.0.0/bfe_1.0.0_linux_amd64.tar.gz) | linux | amd64 | 6.18 MB | 5ec46c26827d554ba4c76f7f5e12b6b6afb68a9333213065802fa425fb81cbd1 | +| [bfe_1.0.0_windows_amd64.tar.gz](https://github.com/bfenetworks/bfe/releases/download/v1.0.0/bfe_1.0.0_windows_amd64.tar.gz) | windows | amd64 | 6.15 MB | 95ba788d0335ac536036c77e39249ce1629b2d159c942293077fd57ddc487f29 | + ## bfe v0.10.0 * 2020-05-25 [发布说明](https://github.com/bfenetworks/bfe/releases/tag/v0.10.0) From 2c17bdf8859ea5643c0a61ea114691debdd1f92d Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Fri, 5 Mar 2021 18:49:17 +0800 Subject: [PATCH 27/35] Fix unit test in bfe_http2 (#714) --- bfe_http2/server_test.go | 1 + 1 file changed, 1 insertion(+) diff --git a/bfe_http2/server_test.go b/bfe_http2/server_test.go index 966d3efb7..a37650f85 100644 --- a/bfe_http2/server_test.go +++ b/bfe_http2/server_test.go @@ -3008,6 +3008,7 @@ func TestNoRstPostAfterGOAWAY(t *testing.T) { func TestServer_Rejects_TooSmall(t *testing.T) { testServerResponse(t, func(w http.ResponseWriter, r *http.Request) error { + ioutil.ReadAll(r.Body) return nil }, func(st *serverTester) { st.writeHeaders(HeadersFrameParam{ 
From 75586845f00c516de38f14edc2e603a6be9d325c Mon Sep 17 00:00:00 2001 From: Cooper Song Date: Fri, 12 Mar 2021 16:12:40 +0800 Subject: [PATCH 28/35] Fix some typos in docs (#715) --- .../server_data_conf/cluster_conf.data.md | 10 +++++----- docs/zh_cn/development/local_dev_guide.md | 2 +- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md b/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md index 1a4ad01b6..b88856ff6 100644 --- a/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md +++ b/docs/zh_cn/configuration/server_data_conf/cluster_conf.data.md @@ -61,11 +61,11 @@ cluster_conf.data为集群转发配置文件。 #### 集群基础配置 -| 配置项 | 描述 | -| ----------------------------------- | ------------------------------------ | -| ClusterBasic.TimeoutReadClient | Integer
读用户请求wody的超时时间,单位为毫秒
默认值30 | -| ClusterBasic.TimeoutWriteClient | Integer
写响应的超时时间,单位为毫秒
默认值60 | -| ClusterBasic.TimeoutReadClientAgain | Integer
连接闲置超时时间,单位为毫秒
默认值60 | +| 配置项 | 描述 | +| ----------------------------------- | ----------------------------------------------------------- | +| ClusterBasic.TimeoutReadClient | Integer
读用户请求body的超时时间,单位为毫秒
默认值30 | +| ClusterBasic.TimeoutWriteClient | Integer
写响应的超时时间,单位为毫秒
默认值60 | +| ClusterBasic.TimeoutReadClientAgain | Integer
连接闲置超时时间,单位为毫秒
默认值60 | ## 配置示例 diff --git a/docs/zh_cn/development/local_dev_guide.md b/docs/zh_cn/development/local_dev_guide.md index 35b09b2da..4337e0645 100644 --- a/docs/zh_cn/development/local_dev_guide.md +++ b/docs/zh_cn/development/local_dev_guide.md @@ -116,7 +116,7 @@ clang-formater.......................................(no files to check)Skipped # 触发develop分支的CI单测 $ git commit -m "test=develop" -# 触发release/1.1分支的CI单侧 +# 触发release/1.1分支的CI单测 $ git commit -m "test=release/1.1" ``` From 77dca8669065c5452f67392a371f2bb00bbf0328 Mon Sep 17 00:00:00 2001 From: Sijie Yang Date: Fri, 12 Mar 2021 16:22:02 +0800 Subject: [PATCH 29/35] Update CONTRIBUTORS.md --- CONTRIBUTORS.md | 1 + 1 file changed, 1 insertion(+) diff --git a/CONTRIBUTORS.md b/CONTRIBUTORS.md index fb3858000..3327464a6 100644 --- a/CONTRIBUTORS.md +++ b/CONTRIBUTORS.md @@ -16,6 +16,7 @@ | Hao Dong | anotherwriter | | Haobin zhang | zhanghaobin | | Hui Yu | dblate | +| Guangze Song | coopersong | | Gen Wang | gracewang510 | | Jie Liu | freeHackOfJeff | | Jie Wan | wanjiecs | From a957e883a861311dfddcf187e6c48ab9b077c42b Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Thu, 18 Mar 2021 19:38:06 +0800 Subject: [PATCH 30/35] net/http: speed up parsing of Cookie headers (#716) --- bfe_http/cookie.go | 32 +++++++++++++++++--------------- 1 file changed, 17 insertions(+), 15 deletions(-) diff --git a/bfe_http/cookie.go b/bfe_http/cookie.go index c768f6196..9ac477909 100644 --- a/bfe_http/cookie.go +++ b/bfe_http/cookie.go 
@@ -295,25 +295,28 @@ func (c *Cookie) String() string { // // if filter isn't empty, only cookies of that name are returned func readCookies(h Header, filter string) []*Cookie { - cookies := []*Cookie{} - lines, ok := h["Cookie"] - if !ok { - return cookies + lines := h["Cookie"] + if len(lines) == 0 { + return []*Cookie{} } + cookies := make([]*Cookie, 0, len(lines)+strings.Count(lines[0], ";")) + for _, line := range lines { - parts := strings.Split(strings.TrimSpace(line), ";") - if len(parts) == 1 && parts[0] == "" { - continue - } - // Per-line attributes - parsedPairs := 0 - for i := 0; i < len(parts); i++ { - parts[i] = strings.TrimSpace(parts[i]) - if len(parts[i]) == 0 { + line = strings.TrimSpace(line) + + var part string + for len(line) > 0 { + if splitIndex := strings.Index(line, ";"); splitIndex > 0 { + part, line = line[:splitIndex], line[splitIndex+1:] + } else { + part, line = line, "" + } + part = strings.TrimSpace(part) + if len(part) == 0 { continue } - name, val := parts[i], "" + name, val := part, "" if j := strings.Index(name, "="); j >= 0 { name, val = name[:j], name[j+1:] } @@ -328,7 +331,6 @@ func readCookies(h Header, filter string) []*Cookie { continue } cookies = append(cookies, &Cookie{Name: name, Value: val}) - parsedPairs++ } } return cookies From 1b00ecd6ca27b3126ffb9b267b9177795e4ab611 Mon Sep 17 00:00:00 2001 From: YuqiXiao Date: Tue, 23 Mar 2021 15:36:52 +0800 Subject: [PATCH 31/35] bfe_http: optimize cookie functions and replace fmt.Fprintf with writes to a bytes.Buffer (#717) --- bfe_http/cookie.go | 27 ++++++++++++++++++--------- bfe_http/cookie_test.go | 21 +++++++++++++++++++++ 2 files changed, 39 insertions(+), 9 deletions(-) diff --git a/bfe_http/cookie.go b/bfe_http/cookie.go index 9ac477909..1a23d9f81 100644 --- a/bfe_http/cookie.go +++ b/bfe_http/cookie.go @@ -20,7 +20,6 @@ package bfe_http import ( "bytes" - "fmt" "net" "strconv" "strings" 
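Review bot: In readCookies the test `splitIndex > 0` treats a `;` at position 0 as "no separator", so the else branch takes the whole remaining line as a single part. For a Cookie line such as `a=b;;c=d` (constructed example) the second pass sees `;c=d`, the name becomes `;c`, and, assuming the name validation that lies between the two hunks rejects it, `c=d` is dropped, whereas the removed `strings.Split` loop skipped the empty piece and kept it. On a proxy this means cookie-based rules can see fewer cookies than a backend with a more lenient parser. Using `if splitIndex := strings.Index(line, ";"); splitIndex >= 0 {` restores the old behaviour, since the empty part is already skipped by the `len(part) == 0` check.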
@@ -243,9 +242,12 @@ func SetCookie(w ResponseWriter, cookie *Cookie) { // header (if other fields are set). func (c *Cookie) String() string { var b bytes.Buffer - fmt.Fprintf(&b, "%s=%s", sanitizeCookieName(c.Name), sanitizeCookieValue(c.Value)) + b.WriteString(sanitizeCookieName(c.Name)) + b.WriteRune('=') + b.WriteString(sanitizeCookieValue(c.Value)) if len(c.Path) > 0 { - fmt.Fprintf(&b, "; Path=%s", sanitizeCookiePath(c.Path)) + b.WriteString("; Path=") + b.WriteString(sanitizeCookiePath(c.Path)) } if len(c.Domain) > 0 { if validCookieDomain(c.Domain) { @@ -257,25 +259,32 @@ func (c *Cookie) String() string { if d[0] == '.' { d = d[1:] } - fmt.Fprintf(&b, "; Domain=%s", d) + b.WriteString("; Domain=") + b.WriteString(d) } else { log.Logger.Warn("net/http: invalid Cookie.Domain %q; dropping domain attribute", c.Domain) } } if c.Expires.Unix() > 0 { - fmt.Fprintf(&b, "; Expires=%s", c.Expires.UTC().Format(TimeFormat)) + b.WriteString("; Expires=") + b2 := b.Bytes() + b.Reset() + b.Write(c.Expires.UTC().AppendFormat(b2, TimeFormat)) } if c.MaxAge > 0 { - fmt.Fprintf(&b, "; Max-Age=%d", c.MaxAge) + b.WriteString("; Max-Age=") + b2 := b.Bytes() + b.Reset() + b.Write(strconv.AppendInt(b2, int64(c.MaxAge), 10)) } else if c.MaxAge < 0 { - fmt.Fprintf(&b, "; Max-Age=0") + b.WriteString("; Max-Age=0") } if c.HttpOnly { - fmt.Fprintf(&b, "; HttpOnly") + b.WriteString("; HttpOnly") } if c.Secure { - fmt.Fprintf(&b, "; Secure") + b.WriteString("; Secure") } switch c.SameSite { case SameSiteDefaultMode: diff --git a/bfe_http/cookie_test.go b/bfe_http/cookie_test.go index 98959a295..0fffcda97 100644 --- a/bfe_http/cookie_test.go +++ b/bfe_http/cookie_test.go 
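Review bot: The `Expires` and `Max-Age` branches of Cookie.String keep using `b2 := b.Bytes()` after `b.Reset()`, although the bytes.Buffer documentation says the slice returned by Bytes is valid only until the next buffer modification, so the code depends on how the buffer is implemented rather than on its contract. A scratch array avoids that without allocating, assuming TimeFormat is a constant: `var buf [len(TimeFormat)]byte` followed by `b.Write(c.Expires.UTC().AppendFormat(buf[:0], TimeFormat))`, and for the other branch `b.WriteString(strconv.Itoa(c.MaxAge))`. If the current form is kept, a comment explaining why reusing `b2` after `Reset` is safe belongs above each use. The function body continues outside the hunk.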
@@ -386,3 +386,24 @@ func TestDisableSanitize(t *testing.T) { } } } + +func BenchmarkCookieString(b *testing.B) { + const wantCookieString = `cookie-9=i3e01nf61b6t23bvfmplnanol3; Path=/restricted/; Domain=example.com; Expires=Tue, 10 Nov 2009 23:00:00 GMT; Max-Age=3600` + c := &Cookie{ + Name: "cookie-9", + Value: "i3e01nf61b6t23bvfmplnanol3", + Expires: time.Unix(1257894000, 0), + Path: "/restricted/", + Domain: ".example.com", + MaxAge: 3600, + } + var benchmarkCookieString string + b.ReportAllocs() + b.ResetTimer() + for i := 0; i < b.N; i++ { + benchmarkCookieString = c.String() + } + if have, want := benchmarkCookieString, wantCookieString; have != want { + b.Fatalf("Have: %v Want: %v", have, want) + } +} From 3e3aa1019c44c4ade4eea9a72f09109be52fed8d Mon Sep 17 00:00:00 2001 From: Marswin Kwok Date: Mon, 29 Mar 2021 19:35:56 +0800 Subject: [PATCH 32/35] Fix unit test in bfe_spdy/frame_test.go (#721) --- bfe_spdy/frame_test.go | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/bfe_spdy/frame_test.go b/bfe_spdy/frame_test.go index 28020a5e0..cbf73d89e 100644 --- a/bfe_spdy/frame_test.go +++ b/bfe_spdy/frame_test.go @@ -538,10 +538,12 @@ func TestMultipleSPDYFrames(t *testing.T) { // Start the goroutines to write the frames. go func() { if err := writer.WriteFrame(&headersFrame); err != nil { - t.Fatal("WriteFrame (HEADERS): ", err) + t.Log("WriteFrame (HEADERS): ", err) + return } if err := writer.WriteFrame(&synStreamFrame); err != nil { - t.Fatal("WriteFrame (SYN_STREAM): ", err) + t.Log("WriteFrame (SYN_STREAM): ", err) + return } }() From 7adbe5210549746cd6b0ffd306a034b7666274e3 Mon Sep 17 00:00:00 2001 From: icyang Date: Tue, 6 Apr 2021 16:41:26 +0800 Subject: [PATCH 33/35] Fix panic when write internal response timeout (#723) --- bfe_server/reverseproxy.go | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/bfe_server/reverseproxy.go b/bfe_server/reverseproxy.go index d14f6216e..fdfc954e1 100644 
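Review bot: In the `TestMultipleSPDYFrames` hunk of bfe_spdy/frame_test.go, swapping `t.Fatal` for `t.Log` plus `return` inside the writer goroutine means a failed `WriteFrame` no longer fails the test and is only visible with `-v`. `t.Fatal` must not be called off the test goroutine, but `t.Error` may be, so `t.Error("WriteFrame (HEADERS): ", err)` followed by `return` (and the same for the `SYN_STREAM` write) keeps the failure recorded. The test function starts and ends outside this hunk, so whether the reading side would otherwise notice a missing frame is not visible here.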
--- a/bfe_server/reverseproxy.go +++ b/bfe_server/reverseproxy.go @@ -762,8 +762,16 @@ response_got: // we must timeout both conns after specified duration. p.setTimeout(bfe_basic.StageWriteClient, basicReq.Connection, req, timeoutWriteClient) writeTimer = time.AfterFunc(timeoutWriteClient, func() { - transport := basicReq.Trans.Transport.(*bfe_http.Transport) - transport.CancelRequest(basicReq.OutRequest) // force close connection to backend + if basicReq.Trans.Transport != nil { + // TODO: process bfe_fcgi.Transport & bfe_http2.Transport + switch t := basicReq.Trans.Transport.(type) { + case *bfe_http.Transport: + t.CancelRequest(req) + default: + // do nothing + } + } + }) defer writeTimer.Stop() From 5a2aca2e0ca8e1ff54a3a171e0822ef69d2af660 Mon Sep 17 00:00:00 2001 From: xiaofei0800 <54530729+xiaofei0800@users.noreply.github.com> Date: Thu, 8 Apr 2021 20:24:05 +0800 Subject: [PATCH 34/35] Fix config loading for multi-value option (#726) --- bfe_config/bfe_conf/bfe_config_load.go | 1 - bfe_config/bfe_conf/conf_https_basic.go | 91 ++++++++++++++----------- 2 files changed, 51 insertions(+), 41 deletions(-) diff --git a/bfe_config/bfe_conf/bfe_config_load.go b/bfe_config/bfe_conf/bfe_config_load.go index 7adc45e8b..2dfc13ef4 100644 --- a/bfe_config/bfe_conf/bfe_config_load.go +++ b/bfe_config/bfe_conf/bfe_config_load.go @@ -34,7 +34,6 @@ type BfeConfig struct { func SetDefaultConf(conf *BfeConfig) { conf.Server.SetDefaultConf() - conf.HttpsBasic.SetDefaultConf() conf.SessionCache.SetDefaultConf() conf.SessionTicket.SetDefaultConf() } diff --git a/bfe_config/bfe_conf/conf_https_basic.go b/bfe_config/bfe_conf/conf_https_basic.go index 8e63f24a2..32b4a1395 100644 --- a/bfe_config/bfe_conf/conf_https_basic.go +++ b/bfe_config/bfe_conf/conf_https_basic.go 
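Review bot: In the bfe_server/reverseproxy.go hunk the timeout callback now calls `t.CancelRequest(req)`, where the removed line passed `basicReq.OutRequest` and carried the comment `// force close connection to backend`. `req` is defined outside this hunk; if it is the client-side request rather than the one handed to the transport, the cancel presumably finds nothing to cancel and the backend connection stays open after a client write timeout, which lets slow-reading clients pin backend connections. Unless the swap is intended, keep `t.CancelRequest(basicReq.OutRequest) // force close connection to backend`. The outer `!= nil` test is redundant because a nil interface already lands in `default`, and the `default` arm could log or count the transports that the TODO leaves uncancelled.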
@@ -82,38 +82,12 @@ type ConfigHttpsBasic struct { ClientCRLBaseDir string // client cert CRL base directory } -func (cfg *ConfigHttpsBasic) SetDefaultConf() { - cfg.ServerCertConf = "tls_conf/server_cert_conf.data" - cfg.TlsRuleConf = "tls_conf/tls_rule_conf.data" - - cfg.CipherSuites = []string{ - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", - "TLS_ECDHE_RSA_WITH_RC4_128_SHA", - "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", - "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", - "TLS_RSA_WITH_RC4_128_SHA", - "TLS_RSA_WITH_AES_128_CBC_SHA", - "TLS_RSA_WITH_AES_256_CBC_SHA", - } - cfg.CurvePreferences = []string{ - "CurveP256", - } - - cfg.EnableSslv2ClientHello = true - - cfg.ClientCABaseDir = "tls_conf/client_ca" -} - func (cfg *ConfigHttpsBasic) Check(confRoot string) error { - // check cert file conf err := certConfCheck(cfg, confRoot) if err != nil { return err } - // check cert rule conf err = certRuleCheck(cfg, confRoot) if err != nil { return err @@ -129,24 +103,16 @@ func (cfg *ConfigHttpsBasic) Check(confRoot string) error { return err } - // check CipherSuites - for _, cipherGroup := range cfg.CipherSuites { - ciphers := strings.Split(cipherGroup, EquivCipherSep) - for _, cipher := range ciphers { - if _, ok := CipherSuitesMap[cipher]; !ok { - return fmt.Errorf("cipher (%s) not support", cipher) - } - } + err = cipherSuitesCheck(cfg) + if err != nil { + return err } - // check CurvePreferences - for _, curve := range cfg.CurvePreferences { - if _, ok := CurvesMap[curve]; !ok { - return fmt.Errorf("curve (%s) not support", curve) - } + err = curvePreferencesCheck(cfg) + if err != nil { + return err } - // check tls version err = tlsVersionCheck(cfg) if err != nil { return err 
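Review bot: In the `Check` hunk of conf_https_basic.go, `Check` becomes the only place that can supply defaults now that `SetDefaultConf` is removed in the hunk above, and the replacements visible in this patch cover `CipherSuites`, `CurvePreferences` and `TlsRuleConf` only. The removed function also set `ServerCertConf`, `ClientCABaseDir` and `EnableSslv2ClientHello = true`; the code that might restore them (`certConfCheck` and the calls between the hunks) is not shown, so please confirm each of these still gets a defined value when the option is omitted. A doc comment on `Check` would make the new contract explicit, for example `// Check validates cfg and fills in defaults for options that were left unset.`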
@@ -169,6 +135,51 @@ func certConfCheck(cfg *ConfigHttpsBasic, confRoot string) error { return nil } +func cipherSuitesCheck(cfg *ConfigHttpsBasic) error { + if len(cfg.CipherSuites) == 0 { + log.Logger.Warn("CipherSuites not set, use default value") + cfg.CipherSuites = []string{ + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256", + "TLS_ECDHE_RSA_WITH_RC4_128_SHA", + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", + "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA", + "TLS_RSA_WITH_RC4_128_SHA", + "TLS_RSA_WITH_AES_128_CBC_SHA", + "TLS_RSA_WITH_AES_256_CBC_SHA", + } + } + + for _, cipherGroup := range cfg.CipherSuites { + ciphers := strings.Split(cipherGroup, EquivCipherSep) + for _, cipher := range ciphers { + if _, ok := CipherSuitesMap[cipher]; !ok { + return fmt.Errorf("cipher (%s) not support", cipher) + } + } + } + + return nil +} + +func curvePreferencesCheck(cfg *ConfigHttpsBasic) error { + if len(cfg.CurvePreferences) == 0 { + log.Logger.Warn("CurvePreferences not set, use default value") + cfg.CurvePreferences = []string{ + "CurveP256", + } + } + + for _, curve := range cfg.CurvePreferences { + if _, ok := CurvesMap[curve]; !ok { + return fmt.Errorf("curve (%s) not support", curve) + } + } + + return nil +} + func certRuleCheck(cfg *ConfigHttpsBasic, confRoot string) error { if cfg.TlsRuleConf == "" { log.Logger.Warn("TlsRuleConf not set, use default value") From 77c9e31b7ddbb72a83452914ddb712b1d48d3617 Mon Sep 17 00:00:00 2001 From: yangsijie Date: Thu, 8 Apr 2021 20:46:07 +0800 Subject: [PATCH 35/35] Update VERSION and CHANGELOG.md --- CHANGELOG.md | 23 +++++++++++++++++++++++ VERSION | 2 +- 2 files changed, 24 insertions(+), 1 deletion(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 4a58d5ed5..b4b35ac7f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
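Review bot: The fallback list in `cipherSuitesCheck` enables `TLS_ECDHE_RSA_WITH_RC4_128_SHA` and `TLS_RSA_WITH_RC4_128_SHA` whenever `CipherSuites` is omitted, with only a warning in the log; RC4 is prohibited for TLS by RFC 7465, so an operator who leaves the option out gets a weaker listener than one they would configure explicitly. The list is carried over from the removed `SetDefaultConf`, and this move is a good moment to drop the two RC4 entries and the third entry, which repeats the first `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256|TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256` group. Both new helpers also modify `cfg` although they are named `...Check`; a comment such as `// cipherSuitesCheck fills in the default suites when none are configured, then validates each name.` would make that explicit.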
@@ -10,6 +10,29 @@ All notable changes to this project will be documented in this file. The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html). +## [v1.0.0] - 2021-04-08 + +### Added +- Support JA3 fingerprint for SSL/TLS client +- Support Slow‑Start to allow a backend instance gradually recover its weight +- Add maxConnPerHost to limit the number of connections to a backend +- mod_header: add header renaming actions +- Merge some updates from golang/net/textproto +- Merge some updates from golang/net/http +- Merge some updates from golang/net/http2 +- Documents optimization + +### Changed +- Change outlierDetectionLevel to OutlierDetectionHttpCode + +### Fixed +- Fix panic when write internal response timeout +- Fix unit test in bfe_spdy/frame_test.go under go 1.16 + +### Security +- Fix config loading for multi-value option + + ## [v1.0.0] - 2021-01-15 ### Added diff --git a/VERSION b/VERSION index 336c36775..9084fa2f7 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.1.0-dev +1.1.0