From 9dbc40d83a89ef735d94dc235aa825135aef5407 Mon Sep 17 00:00:00 2001 From: Laurent Bercot Date: Sat, 30 Sep 2023 09:37:46 +0000 Subject: s6-tlsserver bugfix, doc updates Signed-off-by: Laurent Bercot --- .gitignore | 8 ++----- NEWS | 15 +++++++++++-- doc/s6-tlsclient.html | 32 ++++++++++++++------------- doc/s6-tlsserver.html | 59 ++++++++++++++++++++------------------------------ doc/upgrade.html | 2 ++ src/tls/s6-tlsserver.c | 23 +++++--------------- 6 files changed, 64 insertions(+), 75 deletions(-) diff --git a/.gitignore b/.gitignore index c2177b6..2585d56 100644 --- a/.gitignore +++ b/.gitignore @@ -13,13 +13,9 @@ /s6-taiclockd /s6-tcpclient /s6-tcpserver +/s6-tcpserver-socketbinder +/s6-tcpserverd /s6-tcpserver-access -/s6-tcpserver4 -/s6-tcpserver4-socketbinder -/s6-tcpserver4d -/s6-tcpserver6 -/s6-tcpserver6-socketbinder -/s6-tcpserver6d /s6-tlsc /s6-tlsclient /s6-tlsd diff --git a/NEWS b/NEWS index 3ce5292..8fbe693 100644 --- a/NEWS +++ b/NEWS @@ -4,8 +4,19 @@ In 2.6.0.0 ---------- - Bugfixes. - - Major performance improvements. - - Removed extra warning on s6-tcpserver-access with no ruleset. + - s6-tcpserver has been unified! no ipv4 and ipv6 separation anymore. + * the only programs in the superserver chain are now s6-tcpserver, +s6-tcpserver-socketbinder, and s6-tcpserverd. + * s6-tcpserver-access still exists, should now run under s6-tcpserverd, +still invoked once per connection. Doesn't spam the log anymore when +invoked with no ruleset. + * Options -4 and -6 removed from s6-tcpserver and s6-tlsserver. +Protocol detection happens when the cmdline address is scanned. + * Option -e removed from s6-tlsserver. It should now always invoke +s6-tcpserver-access when needed (and only then). + - Major performance improvements. s6-tcpserverd does not fork on +systems that support posix_spawn. Also, its lookups are now logarithmic +instead of linear (which only matters on *heavy* loads). In 2.5.1.3 
diff --git a/doc/s6-tlsclient.html b/doc/s6-tlsclient.html
index fc357a7..287c02c 100644
--- a/doc/s6-tlsclient.html
+++ b/doc/s6-tlsclient.html
@@ -118,7 +118,7 @@ variables will not appear in prog's environment.

Options

- s6-tlsclient accepts a myriad of options, most of which are + s6-tlsclient accepts a myriad of options, all of which are passed as is to the correct executable. Not giving any options will generally work: the defaults are sensible.

@@ -126,25 +126,27 @@ generally work: the defaults are sensible.

Options passed as is to s6-tcpclient

Options passed as is to s6-tlsc

Example

diff --git a/doc/s6-tlsserver.html b/doc/s6-tlsserver.html
index b338326..d1ca3e2 100644
--- a/doc/s6-tlsserver.html
+++ b/doc/s6-tlsserver.html
@@ -41,8 +41,7 @@ listens to TCP connections on IP address ip port port and forks a command line for every connection. Note that s6-tcpserver also rewrites itself into a more complex command line (the final long-lived
-process being s6-tcpserver4d
-or s6-tcpserver6d),
+process being s6-tcpserverd),
so your end command line may look a lot longer in ps than what you originally wrote. This is normal and healthy.
  • (if applicable) s6-tcpserver-access, @@ -73,9 +72,8 @@ be a network socket - they will be pipes.

    s6-tlsserver reacts to the same signals as -s6-tcpserver4d or -s6-tcpserver6d, -one of which is the long-lived process hanging around. +s6-tcpserverd, +which is the long-lived process hanging around.

    Environment variables

    @@ -104,9 +102,8 @@ every s6-tlsd invocation:

    prog... is run with the following variables added to, -or removed from, its environment by s6-tcpserver4d -or s6-tcpserver6d, and possibly -by s6-tcpserver-access: +or removed from, its environment by s6-tcpserverd +and possibly by s6-tcpserver-access:

      @@ -142,28 +139,17 @@ variables will not appear in prog's environment.

      Options

      - s6-tlsserver accepts a myriad of options, most of which are + s6-tlsserver accepts a myriad of options, all of which are passed as is to the correct executable. Not giving any options will generally work, but unless you're running a very public server (such as a Web server) or base your access control on client certificates, you probably still want TCP access rules.

      -

      Options handled directly by s6-tlsserver

      - -
        -
      • -e: : indicates that -s6-tcpserver-access should -be invoked, even if no other option requires it, even in the absence -of an access control ruleset. This ensures that prog... -will always have access to environment variables such as TCPLOCALPORT.
      • -
      -

      Options passed as is to s6-tcpserver

      • -q, -Q, -v
      • -
      • -4, -6
      • -1
      • -c maxconn
      • -C localmaxconn
      • @@ -174,31 +160,34 @@ will always have access to environment variables such as TCPLOCALPORT.
        • The verbosity level, if not default, as -v0 or -v2
        • -
        • -w, -W
        • -
        • -d, -D
        • -
        • -r, -R
        • -
        • -p, -P
        • -
        • -h, -H, -l localname
        • -
        • -B banner
        • -
        • -t timeout
        • -
        • -i rulesdir, -x rulesfile
        • +
        • -w, -W : be strict or tolerant with DNS or IDENT resolution errors
        • +
        • -d, -D : enable or disable Nagle's algorithm
        • +
        • -r, -R : enable or disable IDENT lookups
        • +
        • -p, -P : enable or disable paranoid DNS cross-checking
        • +
        • -h, -H : enable or disable DNS lookups
        • +
        • -l localname : get the local name from the command line, not from DNS
        • +
        • -B banner : initial server-side banner
        • +
        • -t timeout : set a timeout for all the lookups
        • +
        • -i rulesdir, -x rulesfile : TCP access control

        Options passed as is to s6-tlsd

          -
        • -Z, -z
        • -
        • -S, -s
        • -
        • -Y, -y
        • -
        • -K kimeout
        • -
        • -k snilevel
        • +
        • -Z, -z : keep or remove the s6-tlsd-io-specific +variables from the application's environment
        • +
        • -S, -s : use close_notify or EOF to signal the end of a TLS connection
        • +
        • -Y, -y : request an optional or a mandatory client certificate
        • +
        • -K kimeout : set a timeout for the TLS handshake
        • +
        • -k snilevel : support SNI-based certificate chains

        Options passed to s6-applyuidgid

          -
        • -u uid, -g gid, -G gidlist
        • -
        • -U (passed as -Uz)
        • +
        • -u uid, -g gid, -G gidlist : set uid, gid, or supplementary group list
        • +
        • -U (passed as -Uz) : get the uid, gid and supplementary group list from the UID, GID and GIDLIST variables, +and remove these variables from the application's environment

        Example

diff --git a/doc/upgrade.html b/doc/upgrade.html
index 0f20319..1ef9c25 100644
--- a/doc/upgrade.html
+++ b/doc/upgrade.html
@@ -53,6 +53,8 @@ the same interface except that the -4 and -6 options have been removed, and that is still a wrapper around the others.
      +
    • -e, -4 and -6 options removed from +s6-tlsserver

    in 2.5.1.3

diff --git a/src/tls/s6-tlsserver.c b/src/tls/s6-tlsserver.c
index deffe0d..be96f39 100644
--- a/src/tls/s6-tlsserver.c
+++ b/src/tls/s6-tlsserver.c
@@ -12,8 +12,8 @@
 #include
-#define USAGE "s6-tlsserver [ -e ] [ options ] ip port prog...\n" \
-"s6-tcpserver options: [ -q | -Q | -v ] [ -4 | -6 ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gidlist ] [ -g gid ] [ -u uid ] [ -U ]\n" \
+#define USAGE "s6-tlsserver [ options ] ip port prog...\n" \
+"s6-tcpserver options: [ -q | -Q | -v ] [ -1 ] [ -c maxconn ] [ -C localmaxconn ] [ -b backlog ] [ -G gidlist ] [ -g gid ] [ -u uid ] [ -U ]\n" \
 "s6-tcpserver-access options: [ -W | -w ] [ -D | -d ] [ -H | -h ] [ -R | -r ] [ -P | -p ] [ -l localname ] [ -B banner ] [ -t timeout ] [ -i rulesdir | -x rulesfile ]\n" \
 "s6-tlsd options: [ -S | -s ] [ -Y | -y ] [ -K timeout ] [ -Z | -z ] [ -k snilevel ]"
@@ -36,7 +36,6 @@ struct options_s
 unsigned int kimeout ;
 unsigned int snilevel ;
 unsigned int verbosity : 2 ;
- unsigned int flag46 : 2 ;
 unsigned int flag1 : 1 ;
 unsigned int flagU : 1 ;
 unsigned int flagw : 1 ;
@@ -49,8 +48,6 @@ struct options_s
 unsigned int flagy : 1 ;
 unsigned int flagY : 1 ;
 unsigned int flagZ : 1 ;
- unsigned int forceaccess : 1 ;
- unsigned int doaccess : 1 ;
 unsigned int doapply : 1 ;
 } ;
@@ -69,7 +66,6 @@ struct options_s
 .kimeout = 0, \
 .verbosity = 1, \
 .snilevel = 0, \
- .flag46 = 0, \
 .flag1 = 0, \
 .flagU = 0, \
 .flagw = 0, \
@@ -82,8 +78,6 @@ struct options_s
 .flagy = 0, \
 .flagY = 0, \
 .flagZ = 0, \
- .forceaccess = 0, \
- .doaccess = 1, \
 .doapply = 0 \
 }
@@ -95,15 +89,13 @@ int main (int argc, char const *const *argv)
 subgetopt l = SUBGETOPT_ZERO ;
 for (;;)
 {
- int opt = subgetopt_r(argc, argv, "qQv461c:C:b:G:g:u:UWwDdHhRrPpl:eB:t:i:x:SsYyK:Zzk:", &l) ;
+ int opt = subgetopt_r(argc, argv, "qQv1c:C:b:G:g:u:UWwDdHhRrPpl:B:t:i:x:SsYyK:Zzk:", &l) ;
 if (opt == -1) break ;
 switch (opt)
 {
 case 'q' : o.verbosity = 0 ; break ;
 case 'Q' : o.verbosity = 1 ; break ;
 case 'v' : o.verbosity = 2 ; break ;
- case '4' : o.flag46 = 1 ; break ;
- case '6' : o.flag46 = 2 ; break ;
 case '1' : o.flag1 = 1 ; break ;
 case 'c' : if (!uint0_scan(l.arg, &o.maxconn)) dieusage() ; if (!o.maxconn) o.maxconn = 1 ; break ;
 case 'C' : if (!uint0_scan(l.arg, &o.localmaxconn)) dieusage() ; if (!o.localmaxconn) o.localmaxconn = 1 ; break ;
@@ -123,7 +115,6 @@ int main (int argc, char const *const *argv)
 case 'P' : o.flagp = 0 ; break ;
 case 'p' : o.flagp = 1 ; break ;
 case 'l' : o.localname = l.arg ; break ;
- case 'e' : o.forceaccess = 1 ; break ;
 case 'B' : o.banner = l.arg ; break ;
 case 't' : if (!uint0_scan(l.arg, &o.timeout)) dieusage() ; break ;
 case 'i' : o.rules = l.arg ; o.rulesx = 0 ; break ;
@@ -143,13 +134,12 @@ int main (int argc, char const *const *argv)
 if (argc < 3) dieusage() ;
 }
- o.doaccess = o.forceaccess || o.flagw || o.flagD || !o.flagH || o.flagr || o.flagp || o.localname || o.banner || o.timeout || o.rules ;
-
 {
 size_t pos = 0 ;
 unsigned int m = 0 ;
 char fmt[UINT_FMT * 6 + UID_FMT + GID_FMT * (NGROUPS_MAX + 1)] ;
- char const *newargv[50 + argc] ;
+ char const *newargv[49 + argc] ;
+ int doaccess = o.flagw || o.flagD || !o.flagH || o.flagr || o.flagp || o.localname || o.banner || o.timeout || o.rules ;
 newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver" ;
 if (o.verbosity != 1)
 {
@@ -157,7 +147,6 @@ int main (int argc, char const *const *argv)
 pos = uint_fmt(fmt, o.verbosity) ;
 fmt[pos++] = 0 ;
 }
- if (o.flag46) newargv[m++] = o.flag46 == 1 ? "-4" : "-6" ;
 if (o.flag1) newargv[m++] = "-1" ;
 if (o.maxconn)
 {
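Review bot: The scratch argv is still sized by a hand-maintained headroom, `char const *newargv[49 + argc] ;`, bumped down from 50 together with the removed `if (o.flag46) newargv[m++] = ...` push, and nothing in the hunk ties that constant to the actual number of `newargv[m++]` stores, so a future option added to any stage of the chain would overflow this stack VLA without any diagnostic. I would name the headroom and check it once the array is built, e.g. `#define NEWARGV_HEADROOM 49 /* fixed argv slots pushed across s6-tcpserver, -access, -tlsd, -applyuidgid */` and, before the exec, `if (m > NEWARGV_HEADROOM + argc) strerr_dief1x(111, "newargv overflow") ;` (or whichever die helper the file already uses). I cannot confirm that 49 still covers the worst case, because the push sequence and the exec call continue past the hunk; main starts before and ends after this hunk.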
@@ -183,7 +172,7 @@ int main (int argc, char const *const *argv)
 newargv[m++] = "--" ;
 newargv[m++] = *argv++ ;
 newargv[m++] = *argv++ ;
- if (o.doaccess)
+ if (doaccess)
 {
 newargv[m++] = S6_NETWORKING_BINPREFIX "s6-tcpserver-access" ;
 if (o.verbosity != 1)
-- 
cgit v1.2.3