errorCounters = &front->tlsFrontend->d_tlsCounters;
}
else if (front->dohFrontend != nullptr) {
- errorCounters = &front->dohFrontend->d_tlsContext.d_tlsCounters;
+ errorCounters = &front->dohFrontend->d_tlsContext->d_tlsCounters;
}
if (errorCounters != nullptr) {
str << base << "tlsdhkeytoosmall" << ' ' << errorCounters->d_dhKeyTooSmall << " " << now << "\r\n";
std::map<std::string, uint64_t> dohFrontendDuplicates;
const string base = "dnsdist." + hostname + ".main.doh.";
for (const auto& doh : dnsdist::getDoHFrontends()) {
- string name = doh->d_tlsContext.d_addr.toStringWithPort();
+ string name = doh->d_tlsContext->d_addr.toStringWithPort();
std::replace(name.begin(), name.end(), '.', '_');
std::replace(name.begin(), name.end(), ':', '_');
std::replace(name.begin(), name.end(), '[', '_');
return true;
}
-static bool handleTLSConfiguration(const dnsdist::rust::settings::BindConfiguration& bind, ClientState& state)
+static bool handleTLSConfiguration(const dnsdist::rust::settings::BindConfiguration& bind, ClientState& state, std::shared_ptr<const TLSFrontend> parent)
{
auto tlsConfig = getTLSConfigFromRustIncomingTLS(bind.tls);
if (!validateTLSConfiguration(bind, tlsConfig)) {
auto protocol = boost::to_lower_copy(std::string(bind.protocol));
if (protocol == "dot") {
auto frontend = std::make_shared<TLSFrontend>(TLSFrontend::ALPN::DoT);
+ frontend->setParent(parent);
frontend->d_provider = std::string(bind.tls.provider);
boost::algorithm::to_lower(frontend->d_provider);
frontend->d_proxyProtocolOutsideTLS = bind.tls.proxy_protocol_outside_tls;
#endif /* HAVE_DNS_OVER_HTTP3 */
else if (protocol == "doh") {
auto frontend = std::make_shared<DOHFrontend>();
- frontend->d_tlsContext.d_provider = std::string(bind.tls.provider);
- boost::algorithm::to_lower(frontend->d_tlsContext.d_provider);
+ auto& tlsContext = frontend->d_tlsContext;
+ tlsContext->d_provider = std::string(bind.tls.provider);
+ boost::algorithm::to_lower(tlsContext->d_provider);
frontend->d_library = std::string(bind.doh.provider);
if (frontend->d_library == "h2o") {
#ifdef HAVE_LIBH2OEVLOOP
}
if (!tlsConfig.d_certKeyPairs.empty()) {
- frontend->d_tlsContext.d_addr = ComboAddress(std::string(bind.listen_address), 443);
+ tlsContext->d_addr = ComboAddress(std::string(bind.listen_address), 443);
infolog("DNS over HTTPS configured");
}
else {
- frontend->d_tlsContext.d_addr = ComboAddress(std::string(bind.listen_address), 80);
- infolog("No certificate provided for DoH endpoint %s, running in DNS over HTTP mode instead of DNS over HTTPS", frontend->d_tlsContext.d_addr.toStringWithPort());
+ tlsContext->d_addr = ComboAddress(std::string(bind.listen_address), 80);
+ infolog("No certificate provided for DoH endpoint %s, running in DNS over HTTP mode instead of DNS over HTTPS", tlsContext->d_addr.toStringWithPort());
}
- frontend->d_tlsContext.d_proxyProtocolOutsideTLS = bind.tls.proxy_protocol_outside_tls;
- frontend->d_tlsContext.d_tlsConfig = std::move(tlsConfig);
+ tlsContext->d_proxyProtocolOutsideTLS = bind.tls.proxy_protocol_outside_tls;
+ tlsContext->d_tlsConfig = std::move(tlsConfig);
+ tlsContext->setParent(parent);
state.dohFrontend = std::move(frontend);
}
else if (protocol != "do53") {
}
}
+ std::shared_ptr<const TLSFrontend> tlsFrontendParent;
for (size_t idx = 0; idx < bind.threads; idx++) {
#if defined(HAVE_DNSCRYPT)
std::shared_ptr<DNSCryptContext> dnsCryptContext;
#endif /* defined(HAVE_DNSCRYPT) */
}
else if (protocol != "do53") {
- if (!handleTLSConfiguration(bind, *state)) {
+ if (!handleTLSConfiguration(bind, *state, tlsFrontendParent)) {
continue;
}
+ if (tlsFrontendParent == nullptr) {
+ tlsFrontendParent = state->getTLSFrontend();
+ }
}
config.d_frontends.emplace_back(std::move(state));
#ifdef HAVE_DNS_OVER_HTTPS
void DOHFrontend::rotateTicketsKey(time_t now)
{
- return d_tlsContext.rotateTicketsKey(now);
+ return d_tlsContext->rotateTicketsKey(now);
}
void DOHFrontend::loadTicketsKeys(const std::string& keyFile)
{
- return d_tlsContext.loadTicketsKeys(keyFile);
+ return d_tlsContext->loadTicketsKeys(keyFile);
}
void DOHFrontend::loadTicketsKey(const std::string& key)
{
- return d_tlsContext.loadTicketsKey(key);
+ return d_tlsContext->loadTicketsKey(key);
}
void DOHFrontend::handleTicketsKeyRotation()
std::string DOHFrontend::getNextTicketsKeyRotation() const
{
- return d_tlsContext.getNextTicketsKeyRotation();
+ return d_tlsContext->getNextTicketsKeyRotation();
}
size_t DOHFrontend::getTicketsKeysCount()
{
- return d_tlsContext.getTicketsKeysCount();
+ return d_tlsContext->getTicketsKeysCount();
}
void DOHFrontend::reloadCertificates()
{
if (isHTTPS()) {
- d_tlsContext.setupTLS();
+ d_tlsContext->setupTLS();
}
}
void DOHFrontend::setup()
{
if (isHTTPS()) {
- if (!d_tlsContext.setupTLS()) {
- throw std::runtime_error("Error setting up TLS context for DoH listener on '" + d_tlsContext.d_addr.toStringWithPort());
+ if (!d_tlsContext->setupTLS()) {
+ throw std::runtime_error("Error setting up TLS context for DoH listener on '" + d_tlsContext->d_addr.toStringWithPort());
}
}
}
struct DOHFrontend
{
- DOHFrontend()
+ DOHFrontend() :
+ d_tlsContext(std::make_shared<TLSFrontend>(TLSFrontend::ALPN::DoH))
{
}
DOHFrontend(std::shared_ptr<TLSCtx> tlsCtx) :
- d_tlsContext(std::move(tlsCtx))
+ d_tlsContext(std::make_shared<TLSFrontend>(std::move(tlsCtx)))
{
}
std::shared_ptr<DOHServerConfig> d_dsc{nullptr};
std::shared_ptr<std::vector<std::shared_ptr<DOHResponseMapEntry>>> d_responsesMap;
- TLSFrontend d_tlsContext{TLSFrontend::ALPN::DoH};
+ std::shared_ptr<TLSFrontend> d_tlsContext;
std::string d_serverTokens{"h2o/dnsdist"};
std::unordered_map<std::string, std::string> d_customResponseHeaders;
std::string d_library;
time_t getTicketsKeyRotationDelay() const
{
- return d_tlsContext.d_tlsConfig.d_ticketsKeyRotationDelay;
+ return d_tlsContext->d_tlsConfig.d_ticketsKeyRotationDelay;
}
bool isHTTPS() const
{
- return !d_tlsContext.d_tlsConfig.d_certKeyPairs.empty();
+ return !d_tlsContext->d_tlsConfig.d_certKeyPairs.empty();
}
#ifndef HAVE_DNS_OVER_HTTPS
errorCounters = &frontend->tlsFrontend->d_tlsCounters;
}
else if (frontend->dohFrontend != nullptr) {
- errorCounters = &frontend->dohFrontend->d_tlsContext.d_tlsCounters;
+ errorCounters = &frontend->dohFrontend->d_tlsContext->d_tlsCounters;
}
if (errorCounters == nullptr) {
continue;
bool useTLS = true;
if (certFiles && !certFiles->empty()) {
- if (!loadTLSCertificateAndKeys("addDOHLocal", frontend->d_tlsContext.d_tlsConfig.d_certKeyPairs, *certFiles, *keyFiles)) {
+ if (!loadTLSCertificateAndKeys("addDOHLocal", frontend->d_tlsContext->d_tlsConfig.d_certKeyPairs, *certFiles, *keyFiles)) {
return;
}
- frontend->d_tlsContext.d_addr = ComboAddress(addr, 443);
+ frontend->d_tlsContext->d_addr = ComboAddress(addr, 443);
}
else {
- frontend->d_tlsContext.d_addr = ComboAddress(addr, 80);
- infolog("No certificate provided for DoH endpoint %s, running in DNS over HTTP mode instead of DNS over HTTPS", frontend->d_tlsContext.d_addr.toStringWithPort());
+ frontend->d_tlsContext->d_addr = ComboAddress(addr, 80);
+ infolog("No certificate provided for DoH endpoint %s, running in DNS over HTTP mode instead of DNS over HTTPS", frontend->d_tlsContext->d_addr.toStringWithPort());
useTLS = false;
}
parseLocalBindVars(vars, reusePort, tcpFastOpenQueueSize, interface, cpus, tcpListenQueueSize, maxInFlightQueriesPerConn, tcpMaxConcurrentConnections, enableProxyProtocol);
getOptionalValue<int>(vars, "idleTimeout", frontend->d_idleTimeout);
getOptionalValue<std::string>(vars, "serverTokens", frontend->d_serverTokens);
- getOptionalValue<std::string>(vars, "provider", frontend->d_tlsContext.d_provider);
- boost::algorithm::to_lower(frontend->d_tlsContext.d_provider);
- getOptionalValue<bool>(vars, "proxyProtocolOutsideTLS", frontend->d_tlsContext.d_proxyProtocolOutsideTLS);
+ getOptionalValue<std::string>(vars, "provider", frontend->d_tlsContext->d_provider);
+ boost::algorithm::to_lower(frontend->d_tlsContext->d_provider);
+ getOptionalValue<bool>(vars, "proxyProtocolOutsideTLS", frontend->d_tlsContext->d_proxyProtocolOutsideTLS);
LuaAssociativeTable<std::string> customResponseHeaders;
if (getOptionalValue<decltype(customResponseHeaders)>(vars, "customResponseHeaders", customResponseHeaders) > 0) {
}
}
- parseTLSConfig(frontend->d_tlsContext.d_tlsConfig, "addDOHLocal", vars);
+ parseTLSConfig(frontend->d_tlsContext->d_tlsConfig, "addDOHLocal", vars);
bool ignoreTLSConfigurationErrors = false;
if (getOptionalValue<bool>(vars, "ignoreTLSConfigurationErrors", ignoreTLSConfigurationErrors) > 0 && ignoreTLSConfigurationErrors) {
// and properly ignore the frontend before actually launching it
try {
std::map<int, std::string> ocspResponses = {};
- auto ctx = libssl_init_server_context(frontend->d_tlsContext.d_tlsConfig, ocspResponses);
+ auto ctx = libssl_init_server_context(frontend->d_tlsContext->d_tlsConfig, ocspResponses);
}
catch (const std::runtime_error& e) {
errlog("Ignoring DoH frontend: '%s'", e.what());
}
if (useTLS && frontend->d_library == "nghttp2") {
- if (!frontend->d_tlsContext.d_provider.empty()) {
- vinfolog("Loading TLS provider '%s'", frontend->d_tlsContext.d_provider);
+ if (!frontend->d_tlsContext->d_provider.empty()) {
+ vinfolog("Loading TLS provider '%s'", frontend->d_tlsContext->d_provider);
}
else {
#ifdef HAVE_LIBSSL
}
}
- auto clientState = std::make_shared<ClientState>(frontend->d_tlsContext.d_addr, true, reusePort, tcpFastOpenQueueSize, interface, cpus, enableProxyProtocol);
+ auto clientState = std::make_shared<ClientState>(frontend->d_tlsContext->d_addr, true, reusePort, tcpFastOpenQueueSize, interface, cpus, enableProxyProtocol);
clientState->dohFrontend = std::move(frontend);
clientState->d_additionalAddresses = std::move(additionalAddresses);
ret << (fmt % "#" % "Address" % "HTTP" % "HTTP/1" % "HTTP/2" % "GET" % "POST" % "Bad" % "Errors" % "Redirects" % "Valid" % "# ticket keys" % "Rotation delay" % "Next rotation") << endl;
size_t counter = 0;
for (const auto& ctx : dnsdist::getDoHFrontends()) {
- ret << (fmt % counter % ctx->d_tlsContext.d_addr.toStringWithPort() % ctx->d_httpconnects % ctx->d_http1Stats.d_nbQueries % ctx->d_http2Stats.d_nbQueries % ctx->d_getqueries % ctx->d_postqueries % ctx->d_badrequests % ctx->d_errorresponses % ctx->d_redirectresponses % ctx->d_validresponses % ctx->getTicketsKeysCount() % ctx->getTicketsKeyRotationDelay() % ctx->getNextTicketsKeyRotation()) << endl;
+ ret << (fmt % counter % ctx->d_tlsContext->d_addr.toStringWithPort() % ctx->d_httpconnects % ctx->d_http1Stats.d_nbQueries % ctx->d_http2Stats.d_nbQueries % ctx->d_getqueries % ctx->d_postqueries % ctx->d_badrequests % ctx->d_errorresponses % ctx->d_redirectresponses % ctx->d_validresponses % ctx->getTicketsKeysCount() % ctx->getTicketsKeyRotationDelay() % ctx->getNextTicketsKeyRotation()) << endl;
counter++;
}
g_outputBuffer = ret.str();
ret << (fmt % "#" % "Address" % "200" % "400" % "403" % "500" % "502" % "Others") << endl;
size_t counter = 0;
for (const auto& ctx : dnsdist::getDoHFrontends()) {
- ret << (fmt % counter % ctx->d_tlsContext.d_addr.toStringWithPort() % ctx->d_http1Stats.d_nb200Responses % ctx->d_http1Stats.d_nb400Responses % ctx->d_http1Stats.d_nb403Responses % ctx->d_http1Stats.d_nb500Responses % ctx->d_http1Stats.d_nb502Responses % ctx->d_http1Stats.d_nbOtherResponses) << endl;
+ ret << (fmt % counter % ctx->d_tlsContext->d_addr.toStringWithPort() % ctx->d_http1Stats.d_nb200Responses % ctx->d_http1Stats.d_nb400Responses % ctx->d_http1Stats.d_nb403Responses % ctx->d_http1Stats.d_nb500Responses % ctx->d_http1Stats.d_nb502Responses % ctx->d_http1Stats.d_nbOtherResponses) << endl;
counter++;
}
g_outputBuffer += ret.str();
ret << (fmt % "#" % "Address" % "200" % "400" % "403" % "500" % "502" % "Others") << endl;
counter = 0;
for (const auto& ctx : dnsdist::getDoHFrontends()) {
- ret << (fmt % counter % ctx->d_tlsContext.d_addr.toStringWithPort() % ctx->d_http2Stats.d_nb200Responses % ctx->d_http2Stats.d_nb400Responses % ctx->d_http2Stats.d_nb403Responses % ctx->d_http2Stats.d_nb500Responses % ctx->d_http2Stats.d_nb502Responses % ctx->d_http2Stats.d_nbOtherResponses) << endl;
+ ret << (fmt % counter % ctx->d_tlsContext->d_addr.toStringWithPort() % ctx->d_http2Stats.d_nb200Responses % ctx->d_http2Stats.d_nb400Responses % ctx->d_http2Stats.d_nb403Responses % ctx->d_http2Stats.d_nb500Responses % ctx->d_http2Stats.d_nb502Responses % ctx->d_http2Stats.d_nbOtherResponses) << endl;
counter++;
}
g_outputBuffer += ret.str();
luaCtx.registerFunction<void (std::shared_ptr<DOHFrontend>::*)(boost::variant<std::string, std::shared_ptr<TLSCertKeyPair>, LuaArray<std::string>, LuaArray<std::shared_ptr<TLSCertKeyPair>>> certFiles, LuaTypeOrArrayOf<std::string> keyFiles)>("loadNewCertificatesAndKeys", []([[maybe_unused]] const std::shared_ptr<DOHFrontend>& frontend, [[maybe_unused]] const boost::variant<std::string, std::shared_ptr<TLSCertKeyPair>, LuaArray<std::string>, LuaArray<std::shared_ptr<TLSCertKeyPair>>>& certFiles, [[maybe_unused]] const LuaTypeOrArrayOf<std::string>& keyFiles) {
#ifdef HAVE_DNS_OVER_HTTPS
if (frontend != nullptr) {
- if (loadTLSCertificateAndKeys("DOHFrontend::loadNewCertificatesAndKeys", frontend->d_tlsContext.d_tlsConfig.d_certKeyPairs, certFiles, keyFiles)) {
+ if (loadTLSCertificateAndKeys("DOHFrontend::loadNewCertificatesAndKeys", frontend->d_tlsContext->d_tlsConfig.d_certKeyPairs, certFiles, keyFiles)) {
frontend->reloadCertificates();
}
}
enum class QueryProcessingResult : uint8_t { Forwarded, TooSmall, InvalidHeaders, Dropped, SelfAnswered, NoBackend, Asynchronous };
enum class ProxyProtocolResult : uint8_t { Reading, Done, Error };
- IncomingTCPConnectionState(ConnectionInfo&& ci, TCPClientThreadData& threadData, const struct timeval& now): d_buffer(sizeof(uint16_t)), d_ci(std::move(ci)), d_handler(d_ci.fd, timeval{dnsdist::configuration::getCurrentRuntimeConfiguration().d_tcpRecvTimeout,0}, d_ci.cs->tlsFrontend ? d_ci.cs->tlsFrontend->getContext() : (d_ci.cs->dohFrontend ? d_ci.cs->dohFrontend->d_tlsContext.getContext() : nullptr), now.tv_sec), d_connectionStartTime(now), d_ioState(make_unique<IOStateHandler>(*threadData.mplexer, d_ci.fd)), d_threadData(threadData), d_creatorThreadID(std::this_thread::get_id())
+ IncomingTCPConnectionState(ConnectionInfo&& ci, TCPClientThreadData& threadData, const struct timeval& now): d_buffer(sizeof(uint16_t)), d_ci(std::move(ci)), d_handler(d_ci.fd, timeval{dnsdist::configuration::getCurrentRuntimeConfiguration().d_tcpRecvTimeout,0}, d_ci.cs->tlsFrontend ? d_ci.cs->tlsFrontend->getContext() : (d_ci.cs->dohFrontend ? d_ci.cs->dohFrontend->d_tlsContext->getContext() : nullptr), now.tv_sec), d_connectionStartTime(now), d_ioState(make_unique<IOStateHandler>(*threadData.mplexer, d_ci.fd)), d_threadData(threadData), d_creatorThreadID(std::this_thread::get_id())
{
d_origDest.reset();
d_origDest.sin4.sin_family = d_ci.remote.sin4.sin_family;
if (!d_ci.cs->hasTLS()) {
return false;
}
- return d_ci.cs->getTLSFrontend().d_proxyProtocolOutsideTLS;
+ return d_ci.cs->getTLSFrontend()->d_proxyProtocolOutsideTLS;
}
virtual bool forwardViaUDPFirst() const
errorCounters = &front->tlsFrontend->d_tlsCounters;
}
else if (front->dohFrontend != nullptr) {
- errorCounters = &front->dohFrontend->d_tlsContext.d_tlsCounters;
+ errorCounters = &front->dohFrontend->d_tlsContext->d_tlsCounters;
}
if (errorCounters != nullptr) {
#ifdef HAVE_DNS_OVER_HTTPS
std::map<std::string,uint64_t> dohFrontendDuplicates;
for(const auto& doh : dnsdist::getDoHFrontends()) {
- const string frontName = doh->d_tlsContext.d_addr.toStringWithPort();
+ const string frontName = doh->d_tlsContext->d_addr.toStringWithPort();
uint64_t threadNumber = 0;
auto dupPair = frontendDuplicates.emplace(frontName, 1);
if (!dupPair.second) {
errorCounters = &front->tlsFrontend->d_tlsCounters;
}
else if (front->dohFrontend != nullptr) {
- errorCounters = &front->dohFrontend->d_tlsContext.d_tlsCounters;
+ errorCounters = &front->dohFrontend->d_tlsContext->d_tlsCounters;
}
if (errorCounters != nullptr) {
frontend["tlsHandshakeFailuresDHKeyTooSmall"] = (double)errorCounters->d_dhKeyTooSmall;
for (const auto& doh : dohFrontends) {
dohs.emplace_back(Json::object{
{"id", num++},
- {"address", doh->d_tlsContext.d_addr.toStringWithPort()},
+ {"address", doh->d_tlsContext->d_addr.toStringWithPort()},
{"http-connects", (double)doh->d_httpconnects},
{"http1-queries", (double)doh->d_http1Stats.d_nbQueries},
{"http2-queries", (double)doh->d_http2Stats.d_nbQueries},
return tlsFrontend != nullptr || (dohFrontend != nullptr && dohFrontend->isHTTPS());
}
- const TLSFrontend& getTLSFrontend() const
+ const std::shared_ptr<const TLSFrontend> getTLSFrontend() const
{
if (tlsFrontend != nullptr) {
- return *tlsFrontend;
+ return tlsFrontend;
}
if (dohFrontend) {
return dohFrontend->d_tlsContext;
nativeCtx->ctx = &dsc.h2o_ctx;
nativeCtx->hosts = dsc.h2o_config.hosts;
auto dohFrontend = std::atomic_load_explicit(&dsc.dohFrontend, std::memory_order_acquire);
- ctx.d_ticketsKeyRotationDelay = dohFrontend->d_tlsContext.d_tlsConfig.d_ticketsKeyRotationDelay;
+ ctx.d_ticketsKeyRotationDelay = dohFrontend->d_tlsContext->d_tlsConfig.d_ticketsKeyRotationDelay;
if (setupTLS && dohFrontend->isHTTPS()) {
try {
setupTLSContext(ctx,
- dohFrontend->d_tlsContext.d_tlsConfig,
- dohFrontend->d_tlsContext.d_tlsCounters);
+ dohFrontend->d_tlsContext->d_tlsConfig,
+ dohFrontend->d_tlsContext->d_tlsCounters);
}
catch (const std::runtime_error& e) {
- throw std::runtime_error("Error setting up TLS context for DoH listener on '" + dohFrontend->d_tlsContext.d_addr.toStringWithPort() + "': " + e.what());
+ throw std::runtime_error("Error setting up TLS context for DoH listener on '" + dohFrontend->d_tlsContext->d_addr.toStringWithPort() + "': " + e.what());
}
}
ctx.d_cs = dsc.clientState;
setThreadName("dnsdist/doh");
// I wonder if this registers an IP address.. I think it does
// this may mean we need to actually register a site "name" here and not the IP address
- h2o_hostconf_t *hostconf = h2o_config_register_host(&dsc->h2o_config, h2o_iovec_init(dohFrontend->d_tlsContext.d_addr.toString().c_str(), dohFrontend->d_tlsContext.d_addr.toString().size()), 65535);
+ h2o_hostconf_t *hostconf = h2o_config_register_host(&dsc->h2o_config, h2o_iovec_init(dohFrontend->d_tlsContext->d_addr.toString().c_str(), dohFrontend->d_tlsContext->d_addr.toString().size()), 65535);
dsc->paths = dohFrontend->d_urls;
for (const auto& url : dsc->paths) {
setupAcceptContext(*dsc->accept_ctx, *dsc, false);
if (create_listener(dsc, clientState->tcpFD) != 0) {
- throw std::runtime_error("DOH server failed to listen on " + dohFrontend->d_tlsContext.d_addr.toStringWithPort() + ": " + stringerror(errno));
+ throw std::runtime_error("DOH server failed to listen on " + dohFrontend->d_tlsContext->d_addr.toStringWithPort() + ": " + stringerror(errno));
}
for (const auto& [addr, descriptor] : clientState->d_additionalAddresses) {
if (create_listener(dsc, descriptor) != 0) {
- throw std::runtime_error("DOH server failed to listen on additional address " + addr.toStringWithPort() + " for DOH local" + dohFrontend->d_tlsContext.d_addr.toStringWithPort() + ": " + stringerror(errno));
+ throw std::runtime_error("DOH server failed to listen on additional address " + addr.toStringWithPort() + " for DOH local" + dohFrontend->d_tlsContext->d_addr.toStringWithPort() + ": " + stringerror(errno));
}
}
if (isHTTPS()) {
try {
setupTLSContext(*d_dsc->accept_ctx,
- d_tlsContext.d_tlsConfig,
- d_tlsContext.d_tlsCounters);
+ d_tlsContext->d_tlsConfig,
+ d_tlsContext->d_tlsCounters);
}
catch (const std::runtime_error& e) {
- throw std::runtime_error("Error setting up TLS context for DoH listener on '" + d_tlsContext.d_addr.toStringWithPort() + "': " + e.what());
+ throw std::runtime_error("Error setting up TLS context for DoH listener on '" + d_tlsContext->d_addr.toStringWithPort() + "': " + e.what());
}
}
}
{
#if defined(HAVE_DNS_OVER_TLS) || defined(HAVE_DNS_OVER_HTTPS)
std::shared_ptr<TLSCtx> newCtx{nullptr};
+ if (d_parentFrontend) {
+ newCtx = d_parentFrontend->getContext();
+ if (newCtx) {
+ std::atomic_store_explicit(&d_ctx, std::move(newCtx), std::memory_order_release);
+ return true;
+ }
+ }
+
/* get the "best" available provider */
#if defined(HAVE_GNUTLS)
if (d_provider == "gnutls") {
void rotateTicketsKey(time_t now)
{
- if (d_ctx != nullptr) {
+ if (d_ctx != nullptr && d_parentFrontend == nullptr) {
d_ctx->rotateTicketsKey(now);
}
}
void loadTicketsKeys(const std::string& file)
{
- if (d_ctx != nullptr) {
+ if (d_ctx != nullptr && d_parentFrontend == nullptr) {
d_ctx->loadTicketsKeys(file);
}
}
void loadTicketsKey(const std::string& key)
{
- if (d_ctx != nullptr) {
+ if (d_ctx != nullptr && d_parentFrontend == nullptr) {
d_ctx->loadTicketsKey(key);
}
}
- std::shared_ptr<TLSCtx> getContext()
+ std::shared_ptr<TLSCtx> getContext() const
{
return std::atomic_load_explicit(&d_ctx, std::memory_order_acquire);
}
+ void setParent(std::shared_ptr<const TLSFrontend> parent)
+ {
+ std::atomic_store_explicit(&d_parentFrontend, std::move(parent), std::memory_order_release);
+ }
+
void cleanup()
{
d_ctx.reset();
bool d_proxyProtocolOutsideTLS{false};
protected:
std::shared_ptr<TLSCtx> d_ctx{nullptr};
+ std::shared_ptr<const TLSFrontend> d_parentFrontend{nullptr};
};
class TCPIOHandler
projects / thirdparty / pdns.git / commitdiff
