1. 16 Feb, 2017 6 commits
  2. 15 Feb, 2017 1 commit
    • Augusto Roman's avatar
      Fix data race for max connection limiting in proxy directive. (#1438) · 463c9d9d
      Augusto Roman authored
      * Fix data race for max connection limiting in proxy directive.
      
      The Conns and Unhealthy fields are updated concurrently across all active
      requests.  Because of this, they must use atomic operations for reads and
      writes.
      
      Prior to this change, Conns was incremented atomically, but read unsafely.
      Unhealthly was updated & read unsafely.  The new test
      TestReverseProxyMaxConnLimit exposes this race when run with -race.
      
      Switching to atomic operations makes the race detector happy.
      
      * oops, remove leftover dead code.
      463c9d9d
  3. 14 Feb, 2017 4 commits
  4. 13 Feb, 2017 2 commits
  5. 11 Feb, 2017 2 commits
  6. 08 Feb, 2017 3 commits
  7. 07 Feb, 2017 2 commits
  8. 04 Feb, 2017 1 commit
  9. 28 Jan, 2017 2 commits
  10. 25 Jan, 2017 3 commits
  11. 24 Jan, 2017 9 commits
  12. 23 Jan, 2017 2 commits
    • Matt Holt's avatar
      Merge pull request #1356 from mholt/fix_hijack · 696b46f0
      Matt Holt authored
      proxy: Fixed #1352: invalid use of the HTTP hijacker
      696b46f0
    • Peer Beckmann's avatar
      Generate meta elements from prelude items description and keywords (#1335) · e5ef285e
      Peer Beckmann authored
      * Generate meta elements from useful front matters.
      Limited to the default template and specific elements.
      
      * Rerun gofmt
      
      * Add "keywords" and remove "language" to/from the list of meta tags.
      
      * Add a simple positive list test for the meta tag generation.
      
      * Move the meta tag list to a var at the begin of the file.
      Seperate the Meta tags from the other front matters:
      	- Don't override user settings with name `meta`
      	- Cleaner Code.
      
      * Remove the uneccessary `[:]` in the []Bytes to String casting.
      @mholt was right ;)
      
      * One minor refinement. Combining two statements.
      e5ef285e
  13. 21 Jan, 2017 3 commits
    • Matthew Holt's avatar
    • Matt Holt's avatar
      Merge pull request #1366 from mholt/tls-sni-renew-fix · 9369b814
      Matt Holt authored
      tls: Fix background certificate renewals that use TLS-SNI challenge
      9369b814
    • Matthew Holt's avatar
      tls: Fix background certificate renewals that use TLS-SNI challenge · 0e34c7c9
      Matthew Holt authored
      The loop which performs renewals in the background obtains a read lock
      on the certificate cache map, so that it can be safely iterated. Before
      this fix, it would obtain the renewals in the read lock. This has been
      fine, except that the TLS-SNI challenge, when invoked after Caddy has
      already started, requires adding a certificate to the cache. Doing this
      requires an exclusive write lock. But it cannot obtain a write lock
      because a read lock is obtained higher in the stack, while the loop
      iterates. In other words, it's a deadlock.
      
      I was able to reproduce this issue consistently locally, after jumping
      through many hoops to force a renewal in a short time that bypasses
      Let's Encrypt's authz caching. I was also able to verify that by queuing
      renewals (like we do deletions and OCSP updates), lock contention is
      relieved and the deadlock is avoided.
      
      This only affects background renewals where the TLS-SNI(-01) challenge
      are used. Users report seeing strange errors in the logs after this
      happens ("tls: client offered an unsupported, maximum protocol version
      of 301"), but I was not able to reproduce these locally. I was also not
      able to reproduce the leak of sockets which are left in CLOSE_WAIT.
      I am not sure if those are symptoms of running in production on Linux
      and are related to this bug, or not.
      
      Either way, this is an important fix. I do not yet know the ripple
      effects this will have on other symptoms we've been chasing. But it
      definitely resolves a deadlock during renewals.
      0e34c7c9