diff options
| author | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2015-05-12 09:16:21 +0100 |
|---|---|---|
| committer | Vsevolod Stakhov <vsevolod@highsecure.ru> | 2015-05-12 09:16:21 +0100 |
| commit | 58cab14e7fd55d3a882d9f8b2448b1df7a8fcc43 (patch) | |
| tree | a73305d29b9e7c6c68d606bf8fb5e4632cfb48ff | |
| parent | ecc9191f1742707d2d8c6e90d54738ab31435d22 (diff) | |
| download | rspamd-58cab14e7fd55d3a882d9f8b2448b1df7a8fcc43.tar.gz rspamd-58cab14e7fd55d3a882d9f8b2448b1df7a8fcc43.zip | |
Add key rotation for http proxy.
| -rw-r--r-- | src/http_proxy.c | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/src/http_proxy.c b/src/http_proxy.c index 12df0492b..5bae04029 100644 --- a/src/http_proxy.c +++ b/src/http_proxy.c @@ -33,6 +33,10 @@ #include "libmime/message.h" #include "main.h" #include "keypairs_cache.h" +#include "ottery.h" + +/* Rotate keys each minute by default */ +#define DEFAULT_ROTATION_TIME 60.0 gpointer init_http_proxy (struct rspamd_config *cfg); void start_http_proxy (struct rspamd_worker *worker); @@ -72,6 +76,7 @@ struct http_proxy_ctx { /* Local rotating keypair for upstreams */ gpointer local_key; struct event rotate_ev; + gdouble rotate_tm; }; struct http_proxy_session { @@ -192,11 +197,16 @@ init_http_proxy (struct rspamd_config *cfg) ctx = g_malloc0 (sizeof (struct http_proxy_ctx)); ctx->timeout = 5.0; ctx->upstreams = g_hash_table_new (rspamd_strcase_hash, rspamd_strcase_equal); + ctx->rotate_tm = DEFAULT_ROTATION_TIME; rspamd_rcl_register_worker_option (cfg, type, "timeout", rspamd_rcl_parse_struct_time, ctx, G_STRUCT_OFFSET (struct http_proxy_ctx, timeout), RSPAMD_CL_FLAG_TIME_FLOAT); + rspamd_rcl_register_worker_option (cfg, type, "rotate", + rspamd_rcl_parse_struct_time, ctx, + G_STRUCT_OFFSET (struct http_proxy_ctx, + rotate_tm), RSPAMD_CL_FLAG_TIME_FLOAT); rspamd_rcl_register_worker_option (cfg, type, "keypair", rspamd_rcl_parse_struct_keypair, ctx, G_STRUCT_OFFSET (struct http_proxy_ctx, @@ -409,10 +419,28 @@ proxy_accept_socket (gint fd, short what, void *arg) ctx->ev_base); } +static void +proxy_rotate_key (gint fd, short what, void *arg) +{ + struct timeval rot_tv; + struct http_proxy_ctx *ctx = arg; + gpointer kp; + + double_to_tv (ctx->rotate_tm, &rot_tv); + rot_tv.tv_sec += ottery_rand_range (rot_tv.tv_sec); + event_del (&ctx->rotate_ev); + event_add (&ctx->rotate_ev, &rot_tv); + + kp = ctx->local_key; + ctx->local_key = rspamd_http_connection_gen_key (); + rspamd_http_connection_key_unref (kp); +} + void start_http_proxy (struct rspamd_worker *worker) { struct http_proxy_ctx *ctx = worker->ctx; + struct timeval rot_tv; ctx->ev_base = rspamd_prepare_worker (worker, "http_proxy", proxy_accept_socket); @@ -432,6 +460,12 @@ start_http_proxy (struct rspamd_worker *worker) ctx->keys_cache = rspamd_keypair_cache_new (256); ctx->local_key = rspamd_http_connection_gen_key (); + double_to_tv (ctx->rotate_tm, &rot_tv); + rot_tv.tv_sec += ottery_rand_range (rot_tv.tv_sec); + event_set (&ctx->rotate_ev, -1, EV_TIMEOUT, proxy_rotate_key, ctx); + event_base_set (ctx->ev_base, &ctx->rotate_ev); + event_add (&ctx->rotate_ev, &rot_tv); + event_base_loop (ctx->ev_base, 0); g_mime_shutdown (); |