2 * Copyright (c) 2015, Facebook, Inc.
5 * This source code is licensed under the BSD-style license found in the
6 * LICENSE file in the root directory of this source tree. An additional grant
7 * of patent rights can be found in the PATENTS file in the same directory.
12 #include <folly/wangle/ssl/SSLCacheOptions.h>
13 #include <folly/wangle/ssl/SSLContextConfig.h>
14 #include <folly/wangle/ssl/TLSTicketKeySeeds.h>
15 #include <folly/wangle/ssl/SSLUtil.h>
16 #include <folly/wangle/acceptor/SocketOptions.h>
18 #include <boost/optional.hpp>
21 #include <folly/Random.h>
22 #include <folly/SocketAddress.h>
23 #include <folly/String.h>
24 #include <folly/io/async/SSLContext.h>
28 #include <sys/types.h>
29 #include <folly/io/async/AsyncSocket.h>
30 #include <folly/io/async/SSLContext.h>
31 #include <folly/SocketAddress.h>
36 * Configuration for a single Acceptor.
38 * This configures not only accept behavior, but also some types of SSL
39 * behavior that may make sense to configure on a per-VIP basis (e.g. which
40 * cert(s) we use, etc).
42 struct ServerSocketConfig {
43 ServerSocketConfig() {
44 // Seed the TLS ticket key list with one freshly generated "current" seed so
   // that a default-constructed config can already issue session tickets.
   // The bytes come from folly::Random::secureRandom, which draws from the
   // OS secure random source; ticket keys derived from a guessable seed would
   // let anyone who recovers it decrypt or forge session tickets, so this call
   // must not be swapped for a non-secure RNG.
   // NOTE(review): the declaration of `seed` (original line 45) is not shown in
   // this excerpt; its array size fixes the seed length used below. The raw
   // bytes stay in the stack buffer after hexlify - confirm whether zeroizing
   // them is wanted.
46 folly::Random::secureRandom(seed, sizeof(seed));
47 initialTicketSeeds.currentSeeds.push_back(
48 SSLUtil::hexlify(std::string((char *)seed, sizeof(seed))));
/**
 * True when at least one SSLContextConfig has been supplied for this
 * acceptor; false for a config with no SSL contexts at all.
 */
bool isSSL() const {
  const bool hasSslContexts = !sslContextConfigs.empty();
  return hasSslContexts;
}
54 * Set/get the socket options to apply on all downstream connections.
56 void setSocketOptions(
57 const AsyncSocket::OptionMap& opts) {
   // The options are passed through filterIPSocketOptions together with the
   // address family of bindAddress, read at call time - presumably only the
   // options valid for that family are kept. Assign bindAddress before calling
   // this, otherwise options for the final family may be filtered out
   // (NOTE(review): confirm ordering against callers). The closing brace sits
   // on the next original line, which this excerpt does not show.
58 socketOptions_ = filterIPSocketOptions(opts, bindAddress.getFamily());
60 AsyncSocket::OptionMap&
62 return socketOptions_;
64 const AsyncSocket::OptionMap&
65 getSocketOptions() const {
   // Read-only view of the options stored by setSocketOptions(), i.e. after
   // filterIPSocketOptions has run. The non-const overload above hands out a
   // mutable reference, so edits made through it bypass that filtering.
   // The closing brace is on the next original line, not shown here.
66 return socketOptions_;
69 bool hasExternalPrivateKey() const {
   // Scan every SSL context config for one whose private key is not local
   // (isLocalPrivateKey == false). Presumably the first such config yields
   // `true` and an empty or all-local list yields `false`; the return
   // statements are on the original lines that follow and are not shown in
   // this excerpt.
70 for (const auto& cfg : sslContextConfigs) {
71 if (!cfg.isLocalPrivateKey) {
79 * The name of this acceptor; used for stats/reporting purposes.
84 * The depth of the accept queue backlog.
86 uint32_t acceptBacklog{1024};
89 * The number of milliseconds a connection can be idle before we close it.
91 std::chrono::milliseconds connectionIdleTimeout{600000};
94 * The address to bind to.
96 SocketAddress bindAddress;
99 * Options for controlling the SSL cache.
101 SSLCacheOptions sslCacheOptions{std::chrono::seconds(600), 20480, 200};
104 * The initial TLS ticket seeds.
106 TLSTicketKeySeeds initialTicketSeeds;
109 * The configs for all the SSL_CTX for use by this Acceptor.
111 std::vector<SSLContextConfig> sslContextConfigs;
114 * Determines if the Acceptor does strict checking when loading the SSL
117 bool strictSSL{true};
120 * Maximum number of concurrent pending SSL handshakes
122 uint32_t maxConcurrentSSLHandshakes{30720};
125 AsyncSocket::OptionMap socketOptions_;