use IO::Handle; # ->autoflush
use IO::Socket;
use File::Spec;
-use POSIX qw(WNOHANG :signal_h);
+use POSIX qw(WNOHANG :signal_h F_SETFD);
use Socket qw(IPPROTO_TCP SOL_SOCKET);
STDOUT->autoflush(1);
STDERR->autoflush(1);
use PublicInbox::Git;
use PublicInbox::GitAsyncCat;
use PublicInbox::Eml;
+use PublicInbox::Config;
our $SO_ACCEPTFILTER = 0x1000;
my @CMD;
my ($set_user, $oldset);
my $worker_processes = 1;
my @listeners;
my (%pids, %logs);
-my %tls_opt; # scheme://sockname => args for IO::Socket::SSL->start_SSL
+my %tls_opt; # scheme://sockname => args for IO::Socket::SSL::SSL_Context->new
my $reexec_pid;
my ($uid, $gid);
my ($default_cert, $default_key);
my %KNOWN_TLS = (443 => 'https', 563 => 'nntps', 993 => 'imaps', 995 =>'pop3s');
my %KNOWN_STARTTLS = (110 => 'pop3', 119 => 'nntp', 143 => 'imap');
+my %SCHEME2PORT = map { $KNOWN_TLS{$_} => $_ + 0 } keys %KNOWN_TLS;
+for (keys %KNOWN_STARTTLS) { $SCHEME2PORT{$KNOWN_STARTTLS{$_}} = $_ + 0 }
+$SCHEME2PORT{http} = 80;
sub listener_opt ($) {
my ($str) = @_; # opt1=val1,opt2=val2 (opt may repeat for multi-value)
$o;
}
+sub check_absolute ($$) {
+ my ($var, $val) = @_;
+ die <<EOM if index($val // '/', '/') != 0;
+$var must be an absolute path when using --daemonize: $val
+EOM
+}
+
sub accept_tls_opt ($) {
my ($opt) = @_;
my $o = ref($opt) eq 'HASH' ? $opt : listener_opt($opt);
return if !defined($o->{cert});
require PublicInbox::TLS;
- my %ctx_opt = (SSL_server => 1);
+ my @ctx_opt;
# parse out hostname:/path/to/ mappings:
for my $k (qw(cert key)) {
$o->{$k} // next;
- my $x = $ctx_opt{'SSL_'.$k.'_file'} = {};
+ push(@ctx_opt, "SSL_${k}_file", {});
foreach my $path (@{$o->{$k}}) {
my $host = '';
$path =~ s/\A([^:]+):// and $host = $1;
- $x->{$host} = $path;
+ $ctx_opt[-1]->{$host} = $path;
check_absolute($k, $path) if $daemonize;
}
}
- my $ctx = IO::Socket::SSL::SSL_Context->new(%ctx_opt) or
- die 'SSL_Context->new: '.PublicInbox::TLS::err();
-
- # save ~34K per idle connection (cf. SSL_CTX_set_mode(3ssl))
- # RSS goes from 346MB to 171MB with 10K idle NNTPS clients on amd64
- # cf. https://rt.cpan.org/Ticket/Display.html?id=129463
- my $mode = eval { Net::SSLeay::MODE_RELEASE_BUFFERS() };
- if ($mode && $ctx->{context}) {
- eval { Net::SSLeay::CTX_set_mode($ctx->{context}, $mode) };
- warn "W: $@ (setting SSL_MODE_RELEASE_BUFFERS)\n" if $@;
- }
-
- { SSL_server => 1, SSL_startHandshake => 0, SSL_reuse_ctx => $ctx };
-}
-
-sub check_absolute ($$) {
- my ($var, $val) = @_;
- die <<EOM if index($val // '/', '/') != 0;
-$var must be an absolute path when using --daemonize: $val
-EOM
+ \@ctx_opt;
}
sub do_chown ($) {
open $_[0], '>>', $_[1] or die "open(>> $_[1]): $!";
$_[0]->autoflush(1);
do_chown($_[1]);
+ $_[0];
}
-sub load_mod ($;$) {
- my ($scheme, $opt) = @_;
+sub load_mod ($;$$) {
+ my ($scheme, $opt, $addr) = @_;
my $modc = "PublicInbox::\U$scheme";
+ $modc =~ s/S\z//;
my $mod = $modc.'D';
eval "require $mod"; # IMAPD|HTTPD|NNTPD|POP3D
die $@ if $@;
die "multiple psgi= options specified\n" if @$p > 1;
check_absolute('psgi=', $p->[0]) if $daemonize;
$tlsd->{psgi} = $p->[0];
+ warn "# $scheme://$addr psgi=$p->[0]\n";
}
}
for my $f (@paths) {
die "multiple $f= options specified\n" if @$p > 1;
check_absolute("$f=", $p->[0]) if $daemonize;
$p = File::Spec->canonpath($p->[0]);
- open_log_path(my $fh, $p);
- $tlsd->{$f} = $logs{$p} = $fh;
+ $tlsd->{$f} = $logs{$p} //= open_log_path(my $fh, $p);
+ warn "# $scheme://$addr $f=$p\n";
}
+ my $err = $tlsd->{err};
+ $tlsd->{warn_cb} = sub { print $err @_ }; # for local $SIG{__WARN__}
\%xn;
}
die "--pid-file cannot end with '.oldbin'\n";
}
@listeners = inherit($listener_names);
-
- # allow socket-activation users to set certs once and not
- # have to configure each socket:
- my @inherited_names = keys(%$listener_names) if defined($default_cert);
+ my @inherited_names = keys(%$listener_names);
# ignore daemonize when inheriting
$daemonize = undef if scalar @listeners;
$default_listen // die "no listeners specified\n";
push @cfg_listen, $default_listen
}
-
+ my ($default_scheme) = (($default_listen // '') =~ m!\A([^:]+)://!);
foreach my $l (@cfg_listen) {
my $orig = $l;
- my $scheme = '';
- if ($l =~ s!\A([^:]+)://!!) {
- $scheme = $1;
- } elsif ($l =~ /\A(?:\[[^\]]+\]|[^:]+):([0-9])+/) {
- my $s = $KNOWN_TLS{$1} // $KNOWN_STARTTLS{$1};
- $scheme = $s if defined $s;
+ my ($scheme, $port, $opt);
+ $l =~ s!\A([a-z0-9]+)://!! and $scheme = $1;
+ $scheme //= $default_scheme;
+ if ($l =~ /\A(?:\[[^\]]+\]|[^:]+):([0-9]+)/) {
+ $port = $1 + 0;
+ $scheme //= $KNOWN_TLS{$port} // $KNOWN_STARTTLS{$port};
}
- my $opt; # non-TLS options
+ $scheme // die "unable to determine URL scheme of $orig\n";
+ if (!defined($port) && index($l, '/') != 0) { # AF_UNIX socket
+ $port = $SCHEME2PORT{$scheme} //
+ die "no port in listen=$orig\n";
+ $l =~ s!\A([^/]+)!$1:$port! or
+ die "unable to add port=$port to $l\n";
+ }
+ $l =~ s!/\z!!; # chop one trailing slash
if ($l =~ s!/?\?(.+)\z!!) {
$opt = listener_opt($1);
$tls_opt{"$scheme://$l"} = accept_tls_opt($opt);
} elsif ($scheme =~ /\A(?:https|imaps|nntps|pop3s)\z/) {
die "$orig specified w/o cert=\n";
}
- $scheme =~ /\A(http|imap|nntp|pop3)/ and
- $xnetd->{$l} = load_mod($1, $opt);
-
- next if $listener_names->{$l}; # already inherited
+ if ($listener_names->{$l}) { # already inherited
+ $xnetd->{$l} = load_mod($scheme, $opt, $l);
+ next;
+ }
my (%o, $sock_pkg);
if (index($l, '/') == 0) {
$sock_pkg = 'IO::Socket::UNIX';
}
$o{Listen} = 1024;
my $prev = umask 0000;
- my $s = eval { $sock_pkg->new(%o) };
- warn "error binding $l: $! ($@)\n" unless $s;
+ my $s = eval { $sock_pkg->new(%o) } or
+ warn "error binding $l: $! ($@)\n";
umask $prev;
- if ($s) {
- $listener_names->{sockname($s)} = $s;
- $s->blocking(0);
- push @listeners, $s;
- }
+ $s // next;
+ $s->blocking(0);
+ my $sockname = sockname($s);
+ warn "# bound $scheme://$sockname\n";
+ $xnetd->{$sockname} //= load_mod($scheme);
+ $listener_names->{$sockname} = $s;
+ push @listeners, $s;
}
# cert/key options in @cfg_listen takes precedence when inheriting,
# but map well-known inherited ports if --listen isn't specified
- # at all
- for my $sockname (@inherited_names) {
- $sockname =~ /:([0-9]+)\z/ or next;
- if (my $scheme = $KNOWN_TLS{$1}) {
- $xnetd->{$sockname} = load_mod(substr($scheme, 0, -1));
- $tls_opt{"$scheme://$sockname"} ||= accept_tls_opt('');
- } elsif (($scheme = $KNOWN_STARTTLS{$1})) {
- $xnetd->{$sockname} = load_mod($scheme);
- $tls_opt{"$scheme://$sockname"} ||= accept_tls_opt('');
- $tls_opt{''} ||= accept_tls_opt('');
+ # at all. This allows socket-activation users to set certs once
+ # and not have to configure each socket:
+ if (defined $default_cert) {
+ my ($stls) = (($default_scheme // '') =~ /\A(pop3|nntp|imap)/);
+ for my $x (@inherited_names) {
+ $x =~ /:([0-9]+)\z/ or next; # no TLS for AF_UNIX
+ if (my $scheme = $KNOWN_TLS{$1}) {
+ $xnetd->{$x} //= load_mod($scheme);
+ $tls_opt{"$scheme://$x"} ||= accept_tls_opt('');
+ } elsif (($scheme = $KNOWN_STARTTLS{$1})) {
+ $xnetd->{$x} //= load_mod($scheme);
+ $tls_opt{"$scheme://$x"} ||= accept_tls_opt('');
+ } elsif (defined $stls) {
+ $tls_opt{"$stls://$x"} ||= accept_tls_opt('');
+ }
+ }
+ }
+ if (defined $default_scheme) {
+ for my $x (@inherited_names) {
+ $xnetd->{$x} //= load_mod($default_scheme);
}
}
- my @d;
- while (my ($k, $v) = each %tls_opt) { push(@d, $k) if !defined($v) }
- delete @tls_opt{@d};
die "No listeners bound\n" unless @listeners;
}
if (my $k = sockname($s)) {
my $prev_was_blocking = $s->blocking(0);
warn <<"" if $prev_was_blocking;
-Inherited socket (fd=$fd) is blocking, making it non-blocking.
+Inherited socket ($k fd=$fd) is blocking, making it non-blocking.
Set 'NonBlocking = true' in the systemd.service unit to avoid stalled
processes when multiple service instances start.
$listener_names->{$k} = $s;
+ warn "# inherited $k fd=$fd\n";
push @rv, $s;
} else {
warn "failed to inherit fd=$fd (LISTEN_FDS=$fds)";
return;
}
if ($pid == 0) {
- use Fcntl qw(FD_CLOEXEC F_SETFD F_GETFD);
$ENV{LISTEN_FDS} = scalar @listeners;
$ENV{LISTEN_PID} = $$;
foreach my $s (@listeners) {
# @listeners are globs with workers, PI::L w/o workers
$s = $s->{sock} if ref($s) eq 'PublicInbox::Listener';
-
- my $fl = fcntl($s, F_GETFD, 0);
- fcntl($s, F_SETFD, $fl &= ~FD_CLOEXEC);
+ fcntl($s, F_SETFD, 0) // die "F_SETFD: $!";
}
exec @CMD;
die "Failed to exec: $!\n";
exit # never gets here, just for documentation
}
-sub tls_start_cb ($$) {
- my ($opt, $orig_post_accept) = @_;
+sub tls_cb {
+ my ($post_accept, $tlsd) = @_;
sub {
my ($io, $addr, $srv) = @_;
- my $ssl = IO::Socket::SSL->start_SSL($io, %$opt);
- $orig_post_accept->($ssl, $addr, $srv);
+ $post_accept->(PublicInbox::TLS::start($io, $tlsd), $addr, $srv)
}
}
sub daemon_loop ($) {
my ($xnetd) = @_;
+ local $PublicInbox::Config::DEDUPE = {}; # enable dedupe cache
my $refresh = sub {
my ($sig) = @_;
+ %$PublicInbox::Config::DEDUPE = (); # clear cache
for my $xn (values %$xnetd) {
+ delete $xn->{tlsd}->{ssl_ctx}; # PublicInbox::TLS::start
eval { $xn->{refresh}->($sig) };
warn "refresh $@\n" if $@;
}
};
my %post_accept;
- while (my ($k, $v) = each %tls_opt) {
- my $l = $k;
- $l =~ s!\A([^:]+)://!!;
- my $scheme = $1 // '';
- my $xn = $xnetd->{$l} // $xnetd->{''};
- if ($scheme =~ m!\A(?:https|imaps|nntps|pop3s)!) {
- $post_accept{$l} = tls_start_cb($v, $xn->{post_accept});
- } elsif ($xn->{tlsd}) { # STARTTLS, $k eq '' is OK
- $xn->{tlsd}->{accept_tls} = $v;
- }
+ while (my ($k, $ctx_opt) = each %tls_opt) {
+ $ctx_opt // next;
+ my ($scheme, $l) = split(m!://!, $k, 2);
+ my $xn = $xnetd->{$l} // die "BUG: no xnetd for $k";
+ $xn->{tlsd}->{ssl_ctx_opt} //= $ctx_opt;
+ $scheme =~ m!\A(?:https|imaps|nntps|pop3s)! and
+ $post_accept{$l} = tls_cb(@$xn{qw(post_accept tlsd)});
}
+ undef %tls_opt;
my $sig = {
HUP => $refresh,
INT => \&worker_quit,
if ($worker_processes > 0) {
$refresh->(); # preload by default
my $fh = master_loop(); # returns if in child process
- PublicInbox::EOFpipe->new($fh, \&worker_quit, undef);
+ PublicInbox::EOFpipe->new($fh, \&worker_quit);
} else {
reopen_logs();
$set_user->() if $set_user;
@listeners = map {;
my $l = sockname($_);
my $tls_cb = $post_accept{$l};
- my $xn = $xnetd->{$l} // $xnetd->{''};
+ my $xn = $xnetd->{$l} // die "BUG: no xnetd for $l";
# NNTPS, HTTPS, HTTP, IMAPS and POP3S are client-first traffic
# IMAP, NNTP and POP3 are server-first
sub run {
my ($default_listen) = @_;
- my $xnetd = {};
- if ($default_listen) {
- $default_listen =~ /\A(http|imap|nntp|pop3)/ or
- die "BUG: $default_listen";
- $xnetd->{''} = load_mod($1);
- }
- daemon_prepare($default_listen, $xnetd);
+ daemon_prepare($default_listen, my $xnetd = {});
my $for_destroy = daemonize();
# localize GCF2C for tests: