[multiple] limit scope of socket config options

warn if socket config options, which are used only at startup, are set
outside global scope or outside $SERVER["socket"] with an '==' condition
master
Glenn Strauss 10 months ago
parent d0494fc081
commit b1f7ccd750

@ -307,8 +307,9 @@ int config_plugin_values_init(server * const srv, void *p_d, const config_plugin
/* traverse config contexts twice: once to count, once to store matches */
for (uint32_t u = 0; u < srv->config_context->used; ++u) {
const array *ca =
((data_config const *)srv->config_context->data[u])->value;
const data_config * const dc =
(const data_config *)srv->config_context->data[u];
const array * const ca = dc->value;
matches[n] = 0;
for (int i = 0; cpk[i].ktype != T_CONFIG_UNSET; ++i) {
@ -320,12 +321,19 @@ int config_plugin_values_init(server * const srv, void *p_d, const config_plugin
array_set_key_value(touched,cpk[i].k,cpk[i].klen,CONST_STR_LEN(""));
if (cpk[i].scope == T_CONFIG_SCOPE_SERVER && 0 != u) {
if (cpk[i].scope == T_CONFIG_SCOPE_CONNECTION || 0 == u) continue;
if (cpk[i].scope == T_CONFIG_SCOPE_SERVER)
/* server scope options should be set only in server scope */
log_error(srv->errh, __FILE__, __LINE__,
"DEPRECATED: do not set server options in conditionals, "
"variable: %s", cpk[i].k);
}
if (cpk[i].scope == T_CONFIG_SCOPE_SOCKET
&& (dc->comp!=COMP_SERVER_SOCKET || dc->cond!=CONFIG_COND_EQ))
/* socket options should be set in socket or global scope */
log_error(srv->errh, __FILE__, __LINE__,
"WARNING: %s must be in global scope or $SERVER[\"socket\"] "
"with '==', or else is ignored", cpk[i].k);
}
if (matches[n]) contexts[n++] = (unsigned short)u;
}
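Review bot: The new socket-scope warning in config_plugin_values_init names only the option (`cpk[i].k`), not the conditional block it was found in, so with several conditionals an operator cannot tell which `ssl.cipher-list` or `ssl.use-sslv3` line is affected. Because the message says the value "is ignored", a misplaced TLS option leaves the listener on its defaults; adding the enclosing condition to the text, e.g. `"WARNING: %s (in %s) must be in global scope or $SERVER[\"socket\"] with '==', or else is ignored"`, would make the log line actionable. Both scope checks also appear to be written without braces, with a comment sitting between the `if` and its `log_error` call; `if (cpk[i].scope == T_CONFIG_SCOPE_SERVER) { ... }` keeps a later added statement from escaping the condition. The function starts and ends outside these hunks, so whether the flagged value is actually skipped cannot be confirmed from here.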

@ -735,7 +735,7 @@ static int config_insert_srvconf(server *srv) {
T_CONFIG_SCOPE_SERVER }
,{ CONST_STR_LEN("ssl.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("debug.log-request-header-on-error"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_SERVER }
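Review bot: `ssl.engine` becomes T_CONFIG_SCOPE_SOCKET here in config_insert_srvconf and again in the network_init table and in each TLS module's table, so a single misplaced `ssl.engine` line is likely to produce the same warning once per table that is passed to config_plugin_values_init. That is inferred from the tables visible on this page, not from the call sites. If it holds, consider a comment on the row such as `/* also listed in network_init() and mod_*_set_defaults_sockets(); keep scope in sync */` so the copies do not drift apart. The table starts and ends outside the hunk.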

@ -1891,34 +1891,34 @@ mod_gnutls_set_defaults_sockets(server *srv, plugin_data *p)
static const config_plugin_keys_t cpk[] = {
{ CONST_STR_LEN("ssl.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.cipher-list"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.honor-cipher-order"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.dh-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.ec-curve"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.openssl.ssl-conf-cmd"),
T_CONFIG_ARRAY_KVSTRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.pemfile"), /* included to process global scope */
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.empty-fragments"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv2"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv3"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.stek-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_SERVER }
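Review bot: `ssl.pemfile` is the one row left at T_CONFIG_SCOPE_CONNECTION while its neighbours move to T_CONFIG_SCOPE_SOCKET, and the existing comment only says why the row is present, not why its scope differs. A reader aligning the table later could flip it and start warning on certificates set in other conditions; a comment such as `/* stays connection scope: may also be set in other conditions */` on that row would record the intent, if that is indeed the reason. The same row appears unchanged in the mod_mbedtls, mod_nss and both mod_openssl_set_defaults_sockets hunks. The table starts and ends outside the hunk.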

@ -1600,34 +1600,34 @@ mod_mbedtls_set_defaults_sockets(server *srv, plugin_data *p)
static const config_plugin_keys_t cpk[] = {
{ CONST_STR_LEN("ssl.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.cipher-list"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.honor-cipher-order"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.dh-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.ec-curve"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.openssl.ssl-conf-cmd"),
T_CONFIG_ARRAY_KVSTRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.pemfile"), /* included to process global scope */
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.empty-fragments"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv2"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv3"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.stek-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_SERVER }

@ -1718,34 +1718,34 @@ mod_nss_set_defaults_sockets(server *srv, plugin_data *p)
static const config_plugin_keys_t cpk[] = {
{ CONST_STR_LEN("ssl.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.cipher-list"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.honor-cipher-order"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.dh-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.ec-curve"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.openssl.ssl-conf-cmd"),
T_CONFIG_ARRAY_KVSTRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.pemfile"), /* included to process global scope */
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.empty-fragments"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv2"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv3"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.stek-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_SERVER }

@ -2478,34 +2478,34 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
static const config_plugin_keys_t cpk[] = {
{ CONST_STR_LEN("ssl.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.cipher-list"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.honor-cipher-order"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.dh-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.ec-curve"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.openssl.ssl-conf-cmd"),
T_CONFIG_ARRAY_KVSTRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.pemfile"), /* included to process global scope */
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.empty-fragments"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv2"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv3"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.stek-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_SERVER }

@ -2250,34 +2250,34 @@ mod_openssl_set_defaults_sockets(server *srv, plugin_data *p)
static const config_plugin_keys_t cpk[] = {
{ CONST_STR_LEN("ssl.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.cipher-list"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.honor-cipher-order"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.dh-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.ec-curve"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.openssl.ssl-conf-cmd"),
T_CONFIG_ARRAY_KVSTRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.pemfile"), /* included to process global scope */
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("ssl.empty-fragments"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv2"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.use-sslv3"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("ssl.stek-file"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_SERVER }

@ -607,33 +607,28 @@ int network_init(server *srv, int stdin_fd) {
static const config_plugin_keys_t cpk[] = {
{ CONST_STR_LEN("ssl.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("server.listen-backlog"),
T_CONFIG_INT,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("server.socket-perms"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("server.bsd-accept-filter"),
T_CONFIG_STRING,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("server.defer-accept"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("server.use-ipv6"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("server.set-v6only"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
T_CONFIG_SCOPE_SOCKET }
,{ CONST_STR_LEN("server.v4mapped"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
#if 0 /* TODO: more integration needed ... */
,{ CONST_STR_LEN("mbedtls.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
#endif
T_CONFIG_SCOPE_SOCKET }
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }

@ -103,7 +103,8 @@ typedef enum { T_CONFIG_UNSET,
typedef enum { T_CONFIG_SCOPE_UNSET,
T_CONFIG_SCOPE_SERVER,
T_CONFIG_SCOPE_CONNECTION
T_CONFIG_SCOPE_CONNECTION,
T_CONFIG_SCOPE_SOCKET
} config_scope_type_t;
typedef struct config_plugin_value {
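Review bot: T_CONFIG_SCOPE_SOCKET is added to config_scope_type_t without a comment, so the rule it encodes is recorded only in the log message in config_plugin_values_init. A short comment on each enumerator would help plugin authors pick the right scope, for example `T_CONFIG_SCOPE_SOCKET /* global scope or $SERVER["socket"] with '==' only */`. The struct that follows continues outside the hunk.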
