Many important changes related to web and TLS

* upgraded libmicrohttpd to version 0.9.68 * enabled SSL in curl * enabled SSL in libmicrohttpd compiling against GnuTLS * SSL is now enabled in Web UI * version checker in Web UI: - is now able to check latest version using HTTPS - uses the correct agent version
6 years ago · bb4e72c952
parent c85aceface
commit bb4e72c952
6 changed files with 79 additions and 14 deletions
--- a/deps/Makefile
+++ b/deps/Makefile
@ -24,6 +24,7 @@ libssl/openssl/libssl.a:
 	cd libssl && tar -zxf openssl-1.1.0h.tar.gz
 	cd libssl/openssl  && ./config no-ssl3
 	cd libssl/openssl && CC=${CC} CXX=${CXX} ${MAKE}
+	cd libssl/openssl && ln -s . lib # curl wants this path
 libssl: libssl/openssl/libssl.a

 libev/libev/.libs/libev.a:
@ -33,17 +34,17 @@ libev/libev/.libs/libev.a:
 	cd libev/libev && CC=${CC} CXX=${CXX} ${MAKE}
 ev: libev/libev/.libs/libev.a

-curl/curl/lib/.libs/libcurl.a: #libssl/openssl/libssl.a
+curl/curl/lib/.libs/libcurl.a: libssl/openssl/libssl.a
 	cd curl && rm -rf curl-7.57.0 || true
 	cd curl && tar -zxf curl-7.57.0.tar.gz
 	#cd curl/curl && ./configure --disable-debug --disable-ftp --disable-ldap --disable-ldaps --disable-rtsp --disable-proxy --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-ipv6 --disable-sspi --disable-crypto-auth --disable-ntlm-wb --disable-tls-srp --without-nghttp2 --without-libidn2 --without-libssh2 --without-brotli --with-ssl=$(shell pwd)/../../libssl/openssl/ && CC=${CC} CXX=${CXX} ${MAKE}
-	cd curl/curl && ./configure --disable-debug --disable-ftp --disable-ldap --disable-ldaps --disable-rtsp --disable-proxy --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-ipv6 --disable-sspi --disable-crypto-auth --disable-ntlm-wb --disable-tls-srp --without-nghttp2 --without-libidn2 --without-libssh2 --without-brotli --without-librtmp --without-libpsl --without-ssl && CC=${CC} CXX=${CXX} ${MAKE}
+	cd curl/curl && ./configure --disable-debug --disable-ftp --disable-ldap --disable-ldaps --disable-rtsp --disable-proxy --disable-dict --disable-telnet --disable-tftp --disable-pop3 --disable-imap --disable-smb --disable-smtp --disable-gopher --disable-manual --disable-ipv6 --disable-sspi --disable-crypto-auth --disable-ntlm-wb --disable-tls-srp --without-nghttp2 --without-libidn2 --without-libssh2 --without-brotli --without-librtmp --without-libpsl --with-ssl=$(shell pwd)/libssl/openssl/ && CC=${CC} CXX=${CXX} ${MAKE}
 curl: curl/curl/lib/.libs/libcurl.a

 libmicrohttpd/libmicrohttpd/src/microhttpd/.libs/libmicrohttpd.a:
-	cd libmicrohttpd && rm -rf libmicrohttpd-0.9.55 || true
-	cd libmicrohttpd && tar -zxf libmicrohttpd-0.9.55.tar.gz
-	cd libmicrohttpd/libmicrohttpd && ./configure --disable-https && CC=${CC} CXX=${CXX} ${MAKE}
+	cd libmicrohttpd && rm -rf libmicrohttpd-0.9.68 || true
+	cd libmicrohttpd && tar -zxf libmicrohttpd-0.9.68.tar.gz
+	cd libmicrohttpd/libmicrohttpd && ./configure --enable-https && CC=${CC} CXX=${CXX} ${MAKE}
 microhttpd: libmicrohttpd/libmicrohttpd/src/microhttpd/.libs/libmicrohttpd.a

 cityhash/cityhash/src/.libs/libcityhash.a:
@ -168,7 +169,7 @@ cleanall:
 	cd sqlite3/sqlite3 && rm -rf * || true
 	cd clickhouse-cpp/clickhouse-cpp && rm -rf * || true
 	cd lz4 && rm -rf lz4-1.7.5 || true
-	cd libmicrohttpd && rm -rf libmicrohttpd-0.9.55 || true
+	cd libmicrohttpd && rm -rf libmicrohttpd-0.9.68 || true
 	cd curl && rm -rf curl-7.57.0 || true
 	cd libev && rm -rf libev-4.24 || true
 	cd libssl && rm -rf openssl-1.1.0h || true
--- a/deps/libmicrohttpd/libmicrohttpd
+++ b/deps/libmicrohttpd/libmicrohttpd
@ -1 +1 @@
-libmicrohttpd-0.9.55
+libmicrohttpd-0.9.68
--- a/lib/ProxySQL_Admin.cpp
+++ b/lib/ProxySQL_Admin.cpp
@ -46,6 +46,50 @@ struct MHD_Daemon *Admin_HTTP_Server;

 extern ProxySQL_Statistics *GloProxyStats;

+extern char *ssl_key_fp;
+extern char *ssl_cert_fp;
+extern char *ssl_ca_fp;
+
+
+static long
+get_file_size (const char *filename) {
+	FILE *fp;
+	fp = fopen (filename, "rb");
+	if (fp) {
+		long size;
+		if ((0 != fseek (fp, 0, SEEK_END)) || (-1 == (size = ftell (fp))))
+			size = 0;
+		fclose (fp);
+		return size;
+	} else
+		return 0;
+}
+
+static char * load_file (const char *filename) {
+	FILE *fp;
+	char *buffer;
+	long size;
+	size = get_file_size (filename);
+	if (0 == size)
+		return NULL;
+	fp = fopen (filename, "rb");
+	if (! fp)
+		return NULL;
+	buffer = (char *)malloc (size + 1);
+	if (! buffer) {
+		fclose (fp);
+		return NULL;
+	}
+	buffer[size] = '\0';
+	if (size != (long)fread (buffer, 1, size, fp)) {
+		free (buffer);
+		buffer = NULL;
+	}
+	fclose (fp);
+	return buffer;
+}
+
+
 /*
 int sqlite3_json_init(
  sqlite3 *db,
@ -4787,12 +4831,18 @@ void ProxySQL_Admin::flush_admin_variables___database_to_runtime(SQLite3DB *db,
 		{
 			if (variables.web_enabled != variables.web_enabled_old) {
 				if (variables.web_enabled) {
-					Admin_HTTP_Server = MHD_start_daemon(MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
+					char *key_pem;
+					char *cert_pem;
+					key_pem = load_file(ssl_key_fp);
+					cert_pem = load_file(ssl_cert_fp);
+					Admin_HTTP_Server = MHD_start_daemon(MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG | MHD_USE_SSL,
 						variables.web_port,
 						NULL, NULL, http_handler, NULL,
 						MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 120, MHD_OPTION_STRICT_FOR_CLIENT, (int) 1,
 						MHD_OPTION_THREAD_POOL_SIZE, (unsigned int) 4,
 						MHD_OPTION_NONCE_NC_SIZE, (unsigned int) 300,
+						MHD_OPTION_HTTPS_MEM_KEY, key_pem,
+						MHD_OPTION_HTTPS_MEM_CERT, cert_pem,
 						MHD_OPTION_END);
 				} else {
 					MHD_stop_daemon(Admin_HTTP_Server);
@ -4804,12 +4854,18 @@ void ProxySQL_Admin::flush_admin_variables___database_to_runtime(SQLite3DB *db,
 					if (variables.web_enabled) {
 						MHD_stop_daemon(Admin_HTTP_Server);
 						Admin_HTTP_Server = NULL;
-						Admin_HTTP_Server = MHD_start_daemon(MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG,
+						char *key_pem;
+						char *cert_pem;
+						key_pem = load_file(ssl_key_fp);
+						cert_pem = load_file(ssl_cert_fp);
+						Admin_HTTP_Server = MHD_start_daemon(MHD_USE_AUTO | MHD_USE_INTERNAL_POLLING_THREAD | MHD_USE_ERROR_LOG | MHD_USE_SSL,
 							variables.web_port,
 							NULL, NULL, http_handler, NULL,
 							MHD_OPTION_CONNECTION_TIMEOUT, (unsigned int) 120, MHD_OPTION_STRICT_FOR_CLIENT, (int) 1,
 							MHD_OPTION_THREAD_POOL_SIZE, (unsigned int) 4,
 							MHD_OPTION_NONCE_NC_SIZE, (unsigned int) 300,
+							MHD_OPTION_HTTPS_MEM_KEY, key_pem,
+							MHD_OPTION_HTTPS_MEM_CERT, cert_pem,
 							MHD_OPTION_END);
 					}
 					variables.web_port_old = variables.web_port;
--- a/lib/ProxySQL_HTTP_Server.cpp
+++ b/lib/ProxySQL_HTTP_Server.cpp
@ -79,11 +79,14 @@ static char * check_latest_version() {
 	curl_global_init(CURL_GLOBAL_ALL);

 	curl_handle = curl_easy_init();
-	curl_easy_setopt(curl_handle, CURLOPT_URL, "http://www.proxysql.com/latest");
+	curl_easy_setopt(curl_handle, CURLOPT_URL, "https://www.proxysql.com/latest");
 	curl_easy_setopt(curl_handle, CURLOPT_WRITEFUNCTION, WriteMemoryCallback);
 	curl_easy_setopt(curl_handle, CURLOPT_WRITEDATA, (void *)&chunk);
+	curl_easy_setopt(curl_handle, CURLOPT_SSL_VERIFYPEER, 0);

-	curl_easy_setopt(curl_handle, CURLOPT_USERAGENT, "proxysql-agent/1.4.4");
+	string s = "proxysql-agent/";
+	s += PROXYSQL_VERSION;
+	curl_easy_setopt(curl_handle, CURLOPT_USERAGENT, s.c_str());
 	curl_easy_setopt(curl_handle, CURLOPT_TIMEOUT, 5);
 	curl_easy_setopt(curl_handle, CURLOPT_CONNECTTIMEOUT, 10);

--- a/src/Makefile
+++ b/src/Makefile
@ -77,9 +77,9 @@ MYCXXFLAGS=-std=c++11 $(IDIRS) $(OPTZ) $(DEBUG) $(PSQLCH) -DGITVERSION=\"$(GIT_V
 LDFLAGS+=
 NOJEMALLOC := $(shell echo $(NOJEMALLOC))
 ifeq ($(NOJEMALLOC),1)
-MYLIBS=-Wl,--export-dynamic -Wl,-Bstatic -lconfig -lproxysql -ldaemon -lconfig++ -lre2 -lpcrecpp -lpcre -lmariadbclient -lmicrohttpd -lcurl -lev -Wl,-Bdynamic -lpthread -lm -lz -lrt $(EXTRALINK)
+MYLIBS=-Wl,--export-dynamic -Wl,-Bstatic -lconfig -lproxysql -ldaemon -lconfig++ -lre2 -lpcrecpp -lpcre -lmariadbclient -lmicrohttpd -lcurl -lssl -lcrypto -lev -Wl,-Bdynamic -lgnutls -lpthread -lm -lz -lrt $(EXTRALINK)
 else
-MYLIBS=-Wl,--export-dynamic -Wl,-Bstatic -lconfig -lproxysql -ldaemon -ljemalloc -lconfig++ -lre2 -lpcrecpp -lpcre -lmariadbclient -lmicrohttpd -lcurl -lev -Wl,-Bdynamic -lpthread -lm -lz -lrt $(EXTRALINK)
+MYLIBS=-Wl,--export-dynamic -Wl,-Bstatic -lconfig -lproxysql -ldaemon -ljemalloc -lconfig++ -lre2 -lpcrecpp -lpcre -lmariadbclient -lmicrohttpd -lcurl -lssl -lcrypto -lev -Wl,-Bdynamic -lgnutls -lpthread -lm -lz -lrt $(EXTRALINK)
 endif

 ifeq ($(UNAME_S),Darwin)
--- a/src/main.cpp
+++ b/src/main.cpp
@ -28,6 +28,10 @@ extern "C" MySQL_LDAP_Authentication * create_MySQL_LDAP_Authentication_func() {
 volatile create_MySQL_LDAP_Authentication_t * create_MySQL_LDAP_Authentication = NULL;
 void * __mysql_ldap_auth;

+// absolute path of ssl files
+char *ssl_key_fp = NULL;
+char *ssl_cert_fp = NULL;
+char *ssl_ca_fp = NULL;

 char *binary_sha1 = NULL;

@ -353,11 +357,12 @@ int ssl_mkit(X509 **x509p, EVP_PKEY **pkeyp, int bits, int serial, int days) {
 	const char * ssl_cert_rp = (const char *)"proxysql-cert.pem";
 	const char * ssl_ca_rp = (const char *)"proxysql-ca.pem";

+/*
 	// absolute path of ssl files
 	char *ssl_key_fp = NULL;
 	char *ssl_cert_fp = NULL;
 	char *ssl_ca_fp = NULL;
-
+*/
 	// how many files exists ?
 	int nfiles = 0;
 	bool ssl_key_exists = true;