Merge branch 'master' into i110/include-conf

.clang-format

@@ -4,3 +4,4 @@ IndentWidth: 4
 ColumnLimit: 132
 BreakBeforeBraces: Linux
 AllowShortFunctionsOnASingleLine: None
+SortIncludes: false

.travis.yml

@@ -3,6 +3,11 @@ language: cpp
 compiler:
   - gcc
 
+addons:
+  hosts:
+    - 127.0.0.1.xip.io
+    - alternate.127.0.0.1.xip.io
+
 before_install:
   # upgrade g++ and libstdc++ to build nghttp2
   - sudo add-apt-repository --yes ppa:ubuntu-toolchain-r/test
@@ -27,6 +32,8 @@ before_script:
   - misc/install-perl-module.pl FCGI::ProcManager
   - misc/install-perl-module.pl Starlet
   - misc/install-perl-module.pl JSON
+  - misc/install-perl-module.pl Path::Tiny
+  - misc/install-perl-module.pl Test::Exception
   # install the `ab` command (a.k.a. ApacheBench; optionally required for running some of the tests)
   - sudo apt-get install -qq apache2-utils
   # install nghttp2 with `--enable-app` (optionally required for running HTTP/2 tests)

CMakeLists.txt

@@ -249,6 +249,7 @@ SET(LIB_SOURCE_FILES
     lib/handler/status.c
     lib/handler/status/events.c
     lib/handler/status/requests.c
+    lib/handler/http2_debug_state.c
     lib/handler/configurator/access_log.c
     lib/handler/configurator/compress.c
     lib/handler/configurator/errordoc.c
@@ -261,6 +262,7 @@ SET(LIB_SOURCE_FILES
     lib/handler/configurator/reproxy.c
     lib/handler/configurator/throttle_resp.c
     lib/handler/configurator/status.c
+    lib/handler/configurator/http2_debug_state.c
 
     lib/http1.c
 
@@ -272,7 +274,8 @@ SET(LIB_SOURCE_FILES
     lib/http2/frame.c
     lib/http2/hpack.c
     lib/http2/scheduler.c
-    lib/http2/stream.c)
+    lib/http2/stream.c
+    lib/http2/http2_debug_state.c)
 
 SET(UNIT_TEST_SOURCE_FILES
     ${LIB_SOURCE_FILES}

doc/Makefile

@@ -26,6 +26,7 @@ OUTPUT=\
     configure/basic_auth.html \
     configure/cgi.html \
     configure/mruby.html \
+    configure/dos_detection.html \
     faq.html \
 
 %.html: %.mt snippets/directive.mt snippets/wrapper.mt

doc/configure.html

@@ -89,6 +89,7 @@ <h2>
 <li><a href="configure/basic_auth.html">Using Basic Authentication</a></li>
 <li><a href="configure/cgi.html">Using CGI</a></li>
 <li><a href="configure/mruby.html">Using Mruby</a></li>
+<li><a href="configure/dos_detection.html">Using DoS Detection</a></li>
 </ul>
 </li>
 <li><a href="https://github.com/h2o/h2o/wiki#configuration-examples" target="_blank">Configuration Examples (Wiki)</a>

doc/configure/dos_detection.html

@@ -0,0 +1,173 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
+<meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no" />
+<base href="../" />
+
+<!-- oktavia -->
+<link rel="stylesheet" href="assets/searchstyle.css" type="text/css" />
+<script src="search/jquery-1.9.1.min.js"></script>
+<script src="search/oktavia-jquery-ui.js"></script>
+<script src="search/oktavia-english-search.js"></script>
+<!-- /oktavia -->
+
+<link rel="stylesheet" href="assets/style.css" type="text/css" />
+
+<title>Using DoS Detection - Configure - H2O - the optimized HTTP/2 server</title>
+</head>
+<body>
+<div id="body">
+<div id="top">
+
+<h1>
+<a href="index.html">H2O</a>
+</h1>
+<p class="description">the optimized HTTP/1.x, HTTP/2 server</p>
+
+<!-- oktavia -->
+<form id="searchform">
+<input class="search" type="search" name="search" id="search" results="5" value="" placeholder="Search" />
+<div id="searchresult_box">
+<div id="close_search_box">&times;</div>
+<div id="searchresult_summary"></div>
+<div id="searchresult"></div>
+<div id="searchresult_nav"></div>
+<span class="pr">Powered by <a href="https://github.com/shibukawa/oktavia">Oktavia</a></span>
+</div>
+</form>
+<!-- /oktavia -->
+
+</div>
+
+<table id="menu">
+<tr>
+<td><a href="index.html">Top</a></td>
+<td><a href="install.html">Install</a></td>
+<td class="selected">Configure</td>
+<td><a href="faq.html">FAQ</a></td>
+<td><a href="http://blog.kazuhooku.com/search/label/H2O" target="_blank">Blog</a></td>
+<td><a href="http://github.com/h2o/h2o/" target="_blank">Source</a></td>
+</tr>
+</table>
+
+<div id="main">
+
+<h2>
+<a href="configure.html">Configure</a> &gt;
+Using DoS Detection
+</h2>
+
+
+<p>
+Starting from version 2.1, H2O comes with a mruby script named <a href="https://github.com/h2o/h2o/blob/master/share/h2o/mruby/dos_detector.rb">dos_detector.rb</a> that implements DoS Detection feature.
+The script provides a Rack handler that detects HTTP flooding attacks based on the client's IP address. 
+</p>
+
+<h3 id="basic-usage">Basic Usage</h3>
+
+<p>
+Below example uses the mruby script to detect DoS attacks.
+The default detecting strategy is simply counting requests within configured period.
+If the count exceeds configured threshold, the handler returns a <code>403 Forbidden</code> response.
+Otherwise, the handler returns a <code>399</code> response, and the request is <a href="configure/mruby.html#delegating-request">delegated</a> internally to the next handler.
+</p>
+
+<div class="example">
+<div class="caption">Example. Configuring DoS Detection</div>
+<pre><code>paths:
+  &quot;/&quot;:
+    mruby.handler: |
+      require &quot;dos_detector.rb&quot;
+      DoSDetector.new({
+        :strategy =&gt; DoSDetector.CountingStrategy.new({
+          :period     =&gt; 10,  # default
+          :threshold  =&gt; 100, # default
+          :ban_period =&gt; 300, # default
+        }),
+      })
+    file.dir: /path/to/doc_root
+</code></pre>
+</div>
+
+
+<p>
+In the example above, the handler countup the requests within 10 seconds for each IP address, and when the count exceeds 100,
+it returns a <code>403 Forbidden</code> response for the request and marks the client as "Banned" for 300 seconds. While marked as "Banned", the handler returns a <code>403 Forbidden</code> to all requests from the same IP address.
+</p>
+
+<h3 id="configuring-details">Configuring Details</h3>
+
+<p>
+You can pass the following parameters to <code>DoSDetector.new</code> .
+<ul>
+<li><code>:strategy</code>
+  <p>The algorithm to detect DoS attacks. You can write and pass your own strategies if needed. The default strategy is <code>DoSDetector.CountingStrategy</code> which takes the following parameters:</p>
+  <ul>
+    <li><code>:period</code>
+      <p>Time window in seconds to count requests. The default value is 10.</p>
+    </li>
+    <li><code>:threshold</code>
+      <p>Threshold count of request. The default value is 100.</p>
+    </li>
+    <li><code>:ban_period</code>
+      <p>Duration in seconds in which "Banned" client continues to be restricted. The default value is 300.</p>
+    </li>
+  </ul>
+</li>
+<li><code>:callback</code>
+  <p>The callback which is called by the handler with detecting result. You can define your own callback to return arbitrary response, set response headers, etc. The default callback returns <code>403 Forbidden</code> if DoS detected, otherwise delegate the request to the next handler.</p>
+</li>
+<li><code>:forwarded</code>
+  <p>
+    If set true, the handler uses X-HTTP-Forwarded-For header to get client's IP address if the header exists. The default value is true.
+  </p>
+</li>
+<li><code>:cache_size</code>
+  <p>
+    The capacity of the LRU cache which preserves client's IP address and associated request count. The default value is 128.
+  </p>
+</li>
+</ul>
+<div class="example">
+<div class="caption">Example. Configuring Details</div>
+<pre><code>paths:
+  &quot;/&quot;:
+    mruby.handler: |
+      require &quot;dos_detector.rb&quot;
+      DoSDetector.new({
+        :strategy =&gt; DoSDetector.CountingStrategy.new,
+        :forwarded =&gt; false,
+        :cache_size =&gt; 2048,
+        :callback =&gt; proc {|env, detected, ip|
+          if detected &amp;&amp; ! ip.start_with?(&quot;192.168.&quot;)
+            [503, {}, [&quot;Service Unavailable&quot;]]
+          else
+            [399, {}, []]
+          end
+        }
+      })
+    file.dir: /path/to/doc_root
+</code></pre>
+</div>
+
+</p>
+
+<h3 id="points-to-notice">Points to Notice</h3>
+<ul>
+<li>
+  For now, counting requests is "per-thread" and not shared between multiple threads.
+</li>
+</ul>
+
+
+
+
+</div>
+<div id="footer">
+<p>
+Copyright &copy; 2015 <a href="http://dena.com/intl/">DeNA Co., Ltd.</a> et al.
+</p>
+</div>
+</body>
+</html>

doc/configure/file_directives.html

@@ -395,7 +395,7 @@ <h3><a href="configure/file_directives.html#file.send-gzip"><code>"file.send-gzi
 <dd>
 <p>
 Obsoleted in 2.0.
-Synonym of <a href="configure/file_directives.html#send-compressed"><code>send-compressed</code></a>.
+Synonym of <a href="configure/file_directives.html#file.send-compressed"><code>file.send-compressed</code></a>.
 
 </p>
 

examples/libh2o/latency-optimization.c

@@ -36,11 +36,7 @@
 static char *host, *port;
 static SSL_CTX *ssl_ctx;
 static int mode_server, server_flag_received;
-static h2o_socket_latency_optimization_conditions_t latopt_cond = {
-    .min_rtt              = 50,
-    .max_additional_delay = 10,
-    .max_cwnd             = 65535
-};
+static h2o_socket_latency_optimization_conditions_t latopt_cond = {.min_rtt = 50, .max_additional_delay = 10, .max_cwnd = 65535};
 size_t write_block_size = 65536;
 
 /* globals */
@@ -158,7 +154,8 @@ static void client_on_read_second(h2o_socket_t *sock, const char *err)
 
     if (client_stats.bytes_received >= 1024 * 1024) {
         uint64_t now = h2o_now(h2o_socket_get_loop(sock));
-        printf("Delay: %" PRIu64 " octets, %" PRIu64 " ms\n", client_stats.bytes_before_sig, client_stats.sig_received_at - client_stats.resp_start_at);
+        printf("Delay: %" PRIu64 " octets, %" PRIu64 " ms\n", client_stats.bytes_before_sig,
+               client_stats.sig_received_at - client_stats.resp_start_at);
         printf("Total: %" PRIu64 " octets, %" PRIu64 " ms\n", client_stats.bytes_received, now - client_stats.resp_start_at);
         exit(0);
     }
@@ -245,21 +242,20 @@ static void usage(const char *cmd)
                     "         --block-size=octets  default write block size\n"
                     "         --min-rtt=ms         minimum RTT to enable latency optimization\n"
                     "         --max-cwnd=octets    maximum size of CWND to enable latency\n"
-                    "                              optimization\n", cmd);
+                    "                              optimization\n",
+            cmd);
     exit(1);
 }
 
 int main(int argc, char **argv)
 {
-    static const struct option longopts[] = {
-        {"listen", no_argument, NULL, 'l'},
-        {"reverse-role", no_argument, NULL, 'r'},
-        {"tls", no_argument, NULL, 't'},
-        {"block-size", no_argument, NULL, 'b'},
-        {"min-rtt", required_argument, NULL, 'R'},
-        {"max-cwnd", required_argument, NULL, 'c'},
-        {}
-    };
+    static const struct option longopts[] = {{"listen", no_argument, NULL, 'l'},
+                                             {"reverse-role", no_argument, NULL, 'r'},
+                                             {"tls", no_argument, NULL, 't'},
+                                             {"block-size", no_argument, NULL, 'b'},
+                                             {"min-rtt", required_argument, NULL, 'R'},
+                                             {"max-cwnd", required_argument, NULL, 'c'},
+                                             {}};
     int opt_ch, mode_listen = 0, mode_reverse_role = 0, mode_tls = 0;
     struct addrinfo hints, *res = NULL;
     int err;

h2o.xcodeproj/project.pbxproj

@@ -7,6 +7,9 @@
 	objects = {
 
 /* Begin PBXBuildFile section */
+		080D35EB1D5E060D0029B7E5 /* http2_debug_state.c in Sources */ = {isa = PBXBuildFile; fileRef = 080D35EA1D5E060D0029B7E5 /* http2_debug_state.c */; };
+		084FC7C11D54B90D00E89F66 /* http2_debug_state.c in Sources */ = {isa = PBXBuildFile; fileRef = 084FC7C01D54B90D00E89F66 /* http2_debug_state.c */; };
+		084FC7C51D54BB9200E89F66 /* http2_debug_state.c in Sources */ = {isa = PBXBuildFile; fileRef = 084FC7C31D54BB9200E89F66 /* http2_debug_state.c */; };
 		100A55101C2BB15600C4E3E0 /* http_request.c in Sources */ = {isa = PBXBuildFile; fileRef = 100A550E1C2BB15100C4E3E0 /* http_request.c */; };
 		100A55151C30C5BC00C4E3E0 /* chunked.c in Sources */ = {isa = PBXBuildFile; fileRef = 100A55141C30C5BC00C4E3E0 /* chunked.c */; };
 		101788B219B561AA0084C6D8 /* socket.c in Sources */ = {isa = PBXBuildFile; fileRef = 101788B119B561AA0084C6D8 /* socket.c */; };
@@ -335,6 +338,9 @@
 /* End PBXCopyFilesBuildPhase section */
 
 /* Begin PBXFileReference section */
+		080D35EA1D5E060D0029B7E5 /* http2_debug_state.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = http2_debug_state.c; sourceTree = "<group>"; };
+		084FC7C01D54B90D00E89F66 /* http2_debug_state.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = http2_debug_state.c; sourceTree = "<group>"; };
+		084FC7C31D54BB9200E89F66 /* http2_debug_state.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = http2_debug_state.c; sourceTree = "<group>"; };
 		100A550C1C22857B00C4E3E0 /* 50mruby-htpasswd.t */ = {isa = PBXFileReference; lastKnownFileType = text; path = "50mruby-htpasswd.t"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.perl; };
 		100A550E1C2BB15100C4E3E0 /* http_request.c */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.c; path = http_request.c; sourceTree = "<group>"; };
 		100A55131C2E5FAC00C4E3E0 /* 50mruby-http-request.t */ = {isa = PBXFileReference; lastKnownFileType = text; path = "50mruby-http-request.t"; sourceTree = "<group>"; xcLanguageSpecificationIdentifier = xcode.lang.perl; };
@@ -788,6 +794,7 @@
 				10835E021C9A860000197E59 /* status.c */,
 				10C45D521CFE9B180096DB06 /* status */,
 				10C45D501CFD160A0096DB06 /* throttle_resp.c */,
+				084FC7C01D54B90D00E89F66 /* http2_debug_state.c */,
 			);
 			path = handler;
 			sourceTree = "<group>";
@@ -897,6 +904,7 @@
 				10AA2EC11AA0402E004322AC /* reproxy.c */,
 				10835E041C9B3C6200197E59 /* status.c */,
 				10C45D4E1CFD15FA0096DB06 /* throttle_resp.c */,
+				084FC7C31D54BB9200E89F66 /* http2_debug_state.c */,
 			);
 			path = configurator;
 			sourceTree = "<group>";
@@ -1200,6 +1208,7 @@
 				107923B419A3217300C52AD6 /* hpack.c */,
 				10BA72A919AAD6300059392A /* stream.c */,
 				10E299571A67E68500701AA6 /* scheduler.c */,
+				080D35EA1D5E060D0029B7E5 /* http2_debug_state.c */,
 			);
 			path = http2;
 			sourceTree = "<group>";
@@ -1753,9 +1762,11 @@
 				107923CE19A3217300C52AD6 /* mimemap.c in Sources */,
 				107923C619A3217300C52AD6 /* connection.c in Sources */,
 				1022E7C31CA8BCCE00CE2A05 /* text_mode.c in Sources */,
+				080D35EB1D5E060D0029B7E5 /* http2_debug_state.c in Sources */,
 				10835E051C9B3C6200197E59 /* status.c in Sources */,
 				1058C87E1AA41A1F008D6180 /* headers.c in Sources */,
 				10835E031C9A860000197E59 /* status.c in Sources */,
+				084FC7C51D54BB9200E89F66 /* http2_debug_state.c in Sources */,
 				10AA2E961A80A612004322AC /* time.c in Sources */,
 				107923C319A3217300C52AD6 /* file.c in Sources */,
 				106C22F81C040F6400405689 /* tunnel.c in Sources */,
@@ -1805,6 +1816,7 @@
 				104481301BFD10450007863F /* filecache.c in Sources */,
 				10583BF21AE5A37B004A3AD6 /* README.md in Sources */,
 				10BCF2FD1B168CAE0076939D /* fastcgi.c in Sources */,
+				084FC7C11D54B90D00E89F66 /* http2_debug_state.c in Sources */,
 				10A3D40B1B50DAB700327CF9 /* send.c in Sources */,
 				106C23011C0544CE00405689 /* errordoc.c in Sources */,
 				10FCC13E1B2E4A4500F13674 /* cloexec.c in Sources */,