use PublicInbox::Git;
use PublicInbox::GitAsyncCat;
use PublicInbox::Eml;
+use PublicInbox::Config;
our $SO_ACCEPTFILTER = 0x1000;
my @CMD;
my ($set_user, $oldset);
my $worker_processes = 1;
my @listeners;
my (%pids, %logs);
-my %tls_opt; # scheme://sockname => args for IO::Socket::SSL->start_SSL
+my %tls_opt; # scheme://sockname => args for IO::Socket::SSL::SSL_Context->new
my $reexec_pid;
my ($uid, $gid);
my ($default_cert, $default_key);
$o;
}
+sub check_absolute ($$) {
+ my ($var, $val) = @_;
+ die <<EOM if index($val // '/', '/') != 0;
+$var must be an absolute path when using --daemonize: $val
+EOM
+}
+
sub accept_tls_opt ($) {
my ($opt) = @_;
my $o = ref($opt) eq 'HASH' ? $opt : listener_opt($opt);
return if !defined($o->{cert});
require PublicInbox::TLS;
- my %ctx_opt = (SSL_server => 1);
+ my @ctx_opt;
# parse out hostname:/path/to/ mappings:
for my $k (qw(cert key)) {
$o->{$k} // next;
- my $x = $ctx_opt{'SSL_'.$k.'_file'} = {};
+ push(@ctx_opt, "SSL_${k}_file", {});
foreach my $path (@{$o->{$k}}) {
my $host = '';
$path =~ s/\A([^:]+):// and $host = $1;
- $x->{$host} = $path;
+ $ctx_opt[-1]->{$host} = $path;
check_absolute($k, $path) if $daemonize;
}
}
- my $ctx = IO::Socket::SSL::SSL_Context->new(%ctx_opt) or
- die 'SSL_Context->new: '.PublicInbox::TLS::err();
-
- # save ~34K per idle connection (cf. SSL_CTX_set_mode(3ssl))
- # RSS goes from 346MB to 171MB with 10K idle NNTPS clients on amd64
- # cf. https://rt.cpan.org/Ticket/Display.html?id=129463
- my $mode = eval { Net::SSLeay::MODE_RELEASE_BUFFERS() };
- if ($mode && $ctx->{context}) {
- eval { Net::SSLeay::CTX_set_mode($ctx->{context}, $mode) };
- warn "W: $@ (setting SSL_MODE_RELEASE_BUFFERS)\n" if $@;
- }
-
- { SSL_server => 1, SSL_startHandshake => 0, SSL_reuse_ctx => $ctx };
-}
-
-sub check_absolute ($$) {
- my ($var, $val) = @_;
- die <<EOM if index($val // '/', '/') != 0;
-$var must be an absolute path when using --daemonize: $val
-EOM
+ \@ctx_opt;
}
sub do_chown ($) {
open $_[0], '>>', $_[1] or die "open(>> $_[1]): $!";
$_[0]->autoflush(1);
do_chown($_[1]);
+ $_[0];
}
sub load_mod ($;$$) {
die "multiple $f= options specified\n" if @$p > 1;
check_absolute("$f=", $p->[0]) if $daemonize;
$p = File::Spec->canonpath($p->[0]);
- open_log_path(my $fh, $p);
- $tlsd->{$f} = $logs{$p} = $fh;
+ $tlsd->{$f} = $logs{$p} //= open_log_path(my $fh, $p);
warn "# $scheme://$addr $f=$p\n";
}
\%xn;
for my $sockname (@inherited_names) {
$sockname =~ /:([0-9]+)\z/ or next;
if (my $scheme = $KNOWN_TLS{$1}) {
- $xnetd->{$sockname} = load_mod($scheme);
+ $xnetd->{$sockname} //= load_mod($scheme);
$tls_opt{"$scheme://$sockname"} ||= accept_tls_opt('');
} elsif (($scheme = $KNOWN_STARTTLS{$1})) {
- $xnetd->{$sockname} = load_mod($scheme);
+ $xnetd->{$sockname} //= load_mod($scheme);
$tls_opt{"$scheme://$sockname"} ||= accept_tls_opt('');
$tls_opt{''} ||= accept_tls_opt('');
}
exit # never gets here, just for documentation
}
-sub tls_start_cb ($$) {
- my ($opt, $orig_post_accept) = @_;
+sub tls_cb {
+ my ($post_accept, $tlsd) = @_;
sub {
my ($io, $addr, $srv) = @_;
- my $ssl = IO::Socket::SSL->start_SSL($io, %$opt);
- $orig_post_accept->($ssl, $addr, $srv);
+ $post_accept->(PublicInbox::TLS::start($io, $tlsd), $addr, $srv)
}
}
sub daemon_loop ($) {
my ($xnetd) = @_;
+ local $PublicInbox::Config::DEDUPE = {}; # enable dedupe cache
my $refresh = sub {
my ($sig) = @_;
+ %$PublicInbox::Config::DEDUPE = (); # clear cache
for my $xn (values %$xnetd) {
+ delete $xn->{tlsd}->{ssl_ctx}; # PublicInbox::TLS::start
eval { $xn->{refresh}->($sig) };
warn "refresh $@\n" if $@;
}
};
my %post_accept;
- while (my ($k, $v) = each %tls_opt) {
+ while (my ($k, $ctx_opt) = each %tls_opt) {
my $l = $k;
$l =~ s!\A([^:]+)://!!;
my $scheme = $1 // '';
my $xn = $xnetd->{$l} // $xnetd->{''};
- if ($scheme =~ m!\A(?:https|imaps|nntps|pop3s)!) {
- $post_accept{$l} = tls_start_cb($v, $xn->{post_accept});
- } elsif ($xn->{tlsd}) { # STARTTLS, $k eq '' is OK
- $xn->{tlsd}->{accept_tls} = $v;
- }
+ $xn->{tlsd}->{ssl_ctx_opt} //= $ctx_opt;
+ $scheme =~ m!\A(?:https|imaps|nntps|pop3s)! and
+ $post_accept{$l} = tls_cb(@$xn{qw(post_accept tlsd)});
}
my $sig = {
HUP => $refresh,