Merge pull request #252 from baidu/release/v0.6.0

Release/v0.6.0

.goreleaser.yml

@@ -0,0 +1,30 @@
+project_name: bfe
+
+builds:
+  - binary: bfe
+    main: ./bfe.go
+    ldflags:
+      - -X main.Version={{.Version}}
+    goos:
+      - linux
+    goarch:
+      - amd64
+      - 386
+
+changelog:
+  skip: true
+
+archives:
+  - id: bfe
+    name_template: "{{ .ProjectName }}_{{ .Version }}_{{ .Os }}_{{ .Arch }}"
+    format: tar.gz
+    files:
+      - LICENSE
+      - CHANGELOG.md
+      - conf/*/*
+
+checksum:
+  name_template: "{{ .ProjectName }}_{{ .Version }}_checksums.txt"
+
+release:
+  disable: true

.travis.yml

@@ -1,7 +1,7 @@
 language: go
 
 go:
-  - 1.12.x
+  - 1.13.x
 
 script:
   - echo "start to build and test bfe"

CHANGELOG.md

@@ -10,6 +10,27 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [v0.6.0] - 2020-01-21
+### Added
+- Add mod_prison to limit the amount of requests a user can make in a given period of time.
+- Add condition primitive: ses_tls_sni_in/ses_tls_client_auth/ses_tls_client_ca_in
+- Add tls mutual authentication
+- mod_header support client cert related variables
+- mod_header support geo related variables
+- mod_static support customized mime rules
+- mod_static allow sending precompressed files instead of regular files
+- Expose information about module handlers in web monitor
+- Optimize number of accept goroutines
+- Optimize lock of bfe_balance.BalTable
+- Optimize io.Copy while forwarding responses
+- Compiling on MacOS is supported
+- Documents optimization
+
+### Changed
+- Change default Layer4LoadBalancer to NONE
+- Upgrade from go1.12 to go1.13
+
+
 ## [v0.5.0] - 2019-12-12
 ### Added
 - Add mod_geo to determine user geolocation by MaxMind database
@@ -79,6 +100,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Flexible plugin framework to extend functionality. Based on the framework, developer can add new features rapidly
 - Detailed built-in metrics available for service status monitor
 
+[v0.6.0]: https://github.com/baidu/bfe/compare/v0.5.0...v0.6.0
 [v0.5.0]: https://github.com/baidu/bfe/compare/v0.4.0...v0.5.0
 [v0.4.0]: https://github.com/baidu/bfe/compare/v0.3.0...v0.4.0
 [v0.3.0]: https://github.com/baidu/bfe/compare/v0.2.0...v0.3.0

CONTRIBUTING.md

@@ -1,6 +1,7 @@
 # Contribute Code
 
-You are welcome to contribute to project BFE. 
+You are welcome to contribute to project BFE. To contribute to BFE, you have to agree with the 
+[Contributor License Agreement](https://cla-assistant.io/baidu/bfe).
 
 We sincerely appreciate your contribution. This document explains our workflow and work style.
 

CONTRIBUTORS.md

@@ -3,14 +3,22 @@
 
 | Name | Github Account |
 | ---- | -------------- |
+| Chongmiao Liu | lcmmhcc |
 | Derek Zheng | shanhuhai5739 |
+| Jie Liu | freeHackOfJeff |
+| Jin Tong | cumirror |
+| Jiyang Zhang | scriptkids |
 | Kaiyu Zheng | kaiyuzheng | 
 | Lihua Chen | clh651188968 |
+| Limei Xiao | limeix |
 | Lu Guo | guolu60 |
 | Miao Zhang | mileszhang2016 |
-| Min Dai | daimin |
+| Min Dai | daimg |
+| Ming Lin | zhugelianglongming |
+| Pengwei Tian | Tovi163 |
 | Qing Liu | liuximu |
 | Qingxin Yang | yangqingxin1993 |
+| Shan Xiao | arlingtonroad |
 | Shuai Yan | yanshuai615270 |
 | Sijie Yang | iyangsj |
 | Wenjie Tian | WJTian |
@@ -20,7 +28,9 @@
 | Xiaoye Jiang | kidleaf-jiang |
 | Xin Li | lx-or-xxxl |
 | Yang Liu | dut-yangliu |
+| Zhichao Lin | lxiaozhic |
 |          | 0xflotus |
 |          | calify |
 |          | MoonShining |
+|          | u5surf |
 |          | xiaocongwjb |

Makefile

@@ -17,8 +17,7 @@ WORKROOT := $(shell pwd)
 OUTDIR   := $(WORKROOT)/output
 
 # init environment variables
-export GOPATH      := $(WORKROOT)/../../../../
-export PATH        := $(GOPATH)/bin:$(PATH)
+export PATH        := $(shell go env GOPATH)/bin:$(PATH)
 export GO111MODULE := on
 
 # init command params

README.md

@@ -6,6 +6,8 @@
 [![GoDoc](https://godoc.org/github.com/baidu/bfe?status.svg)](https://godoc.org/github.com/baidu/bfe/bfe_module)
 [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3209/badge)](https://bestpractices.coreinfrastructure.org/projects/3209)
 [![FOSSA Status](https://app.fossa.io/api/projects/git%2Bgithub.com%2Fbaidu%2Fbfe.svg?type=shield)](https://app.fossa.io/reports/1bd1bae4-31bf-41bf-8865-320eedbd1f85)
+[![CLA assistant](https://cla-assistant.io/readme/badge/baidu/bfe)](https://cla-assistant.io/baidu/bfe)
+[![Slack Widget](https://img.shields.io/badge/join-us%20on%20slack-gray.svg?longCache=true&logo=slack&colorB=green)](https://bfe-networks.slack.com/messages/bfedev)
 
 BFE is an open-source layer 7 load balancer derived from proprietary Baidu FrontEnd.
 

VERSION

@@ -1 +1 @@
-0.5.0
+0.6.0

bfe_balance/bal_gslb/bal_gslb.go

@@ -140,7 +140,7 @@ func (bal *BalanceGslb) BackendInit(clusterBackend cluster_table_conf.ClusterBac
 	return nil
 }
 
-// Reload reloades gslb config
+// Reload reloads gslb config
 func (bal *BalanceGslb) Reload(gslbConf gslb_conf.GslbClusterConf) error {
 	bal.lock.Lock()
 	defer bal.lock.Unlock()

bfe_balance/bal_table.go

@@ -258,9 +258,9 @@ func (t *BalTable) lookup(clusterName string) (*bal_gslb.BalanceGslb, error) {
 
 // Lookup lookup BalanceGslb by cluster name.
 func (t *BalTable) Lookup(clusterName string) (*bal_gslb.BalanceGslb, error) {
-	t.lock.Lock()
+	t.lock.RLock()
 	res, err := t.lookup(clusterName)
-	t.lock.Unlock()
+	t.lock.RUnlock()
 
 	return res, err
 }
@@ -272,11 +272,11 @@ func NewBalTableState() *BalTableState {
 	return state
 }
 
-// GetState returnes state of BalTable.
+// GetState returns state of BalTable.
 func (t *BalTable) GetState() *BalTableState {
 	state := NewBalTableState()
 
-	t.lock.Lock()
+	t.lock.RLock()
 
 	// go through clusters
 	for name, bal := range t.balTable {
@@ -285,12 +285,16 @@ func (t *BalTable) GetState() *BalTableState {
 		state.BackendNum += gs.BackendNum
 	}
 
-	t.lock.Unlock()
+	t.lock.RUnlock()
 
 	return state
 }
 
-// GetVersions returnes versions of BalTable.
+// GetVersions returns versions of BalTable.
 func (t *BalTable) GetVersions() BalVersion {
-	return t.versions
+	t.lock.RLock()
+	versions := t.versions
+	t.lock.RUnlock()
+
+	return versions
 }

bfe_basic/condition/build.go

@@ -473,7 +473,22 @@ func buildPrimitive(node *parser.CallExpr) (Condition, error) {
 			fetcher: &SIPFetcher{},
 			matcher: matcher,
 		}, nil
-
+	case "ses_tls_sni_in":
+		return &PrimitiveCond{
+			name:    node.Fun.Name,
+			node:    node,
+			fetcher: &SniFetcher{},
+			matcher: NewInMatcher(node.Args[0].Value, true),
+		}, nil
+	case "ses_tls_client_auth":
+		return &ClientAuthMatcher{}, nil
+	case "ses_tls_client_ca_in":
+		return &PrimitiveCond{
+			name:    node.Fun.Name,
+			node:    node,
+			fetcher: &ClientCANameFetcher{},
+			matcher: NewInMatcher(node.Args[0].Value, false),
+		}, nil
 	default:
 		return nil, fmt.Errorf("unsupported primitive %s", node.Fun.Name)
 	}

bfe_basic/condition/build_test.go

@@ -24,6 +24,7 @@ import (
 import (
 	"github.com/baidu/bfe/bfe_basic"
 	"github.com/baidu/bfe/bfe_http"
+	"github.com/baidu/bfe/bfe_tls"
 	"github.com/baidu/bfe/bfe_util/net_util"
 )
 
@@ -343,3 +344,57 @@ func TestBuildHeaderValueHashIn(t *testing.T) {
 		t.Errorf("test-uid-0004 not match req_header_value_hash_in(\"X-Bfe-Uid\", \"4073|5000-9999\", true)")
 	}
 }
+
+func TestBuildTlsSniIn(t *testing.T) {
+	buildTlsSniIn, err := Build("ses_tls_sni_in(\"test.com\")")
+	if err != nil {
+		t.Errorf("build failed, ses_tls_sni_in(\"test.com\"), err(%s)",
+			err.Error())
+	}
+
+	req.Session = &bfe_basic.Session{TlsState: &bfe_tls.ConnectionState{ServerName: "test.com"}, IsSecure: true}
+	if !buildTlsSniIn.Match(&req) {
+		t.Errorf("sni not match ses_tls_sni_in(\"test.com\")")
+	}
+
+	req.Session = &bfe_basic.Session{TlsState: &bfe_tls.ConnectionState{ServerName: "test.com"}}
+	if buildTlsSniIn.Match(&req) {
+		t.Errorf("sni match ses_tls_sni_in(\"test.com\")")
+	}
+}
+
+func TestBuildTlsClientAuth(t *testing.T) {
+	buildTlsClientAuth, err := Build("ses_tls_client_auth()")
+	if err != nil {
+		t.Errorf("build failed, ses_tls_client_auth(), err(%s)",
+			err.Error())
+	}
+
+	req.Session = &bfe_basic.Session{TlsState: &bfe_tls.ConnectionState{ClientAuth: true}, IsSecure: true}
+	if !buildTlsClientAuth.Match(&req) {
+		t.Errorf("clientauth not match ses_tls_client_auth()")
+	}
+
+	req.Session = &bfe_basic.Session{TlsState: &bfe_tls.ConnectionState{ClientAuth: false}, IsSecure: true}
+	if buildTlsClientAuth.Match(&req) {
+		t.Errorf("clientauth match ses_tls_client_auth()")
+	}
+}
+
+func TestBuildTlsClientCAIn(t *testing.T) {
+	buildTlsClientCAIn, err := Build("ses_tls_client_ca_in(\"clientCa\")")
+	if err != nil {
+		t.Errorf("build failed, ses_tls_client_ca_in(\"clientCa\"), err(%s)",
+			err.Error())
+	}
+
+	req.Session = &bfe_basic.Session{TlsState: &bfe_tls.ConnectionState{ClientAuth: true, ClientCAName: "clientCa"}, IsSecure: true}
+	if !buildTlsClientCAIn.Match(&req) {
+		t.Errorf("ca not match ses_tls_client_ca_in(\"clientCa\")")
+	}
+
+	req.Session = &bfe_basic.Session{TlsState: &bfe_tls.ConnectionState{ClientAuth: false, ClientCAName: "clientCa"}, IsSecure: true}
+	if buildTlsClientCAIn.Match(&req) {
+		t.Errorf("ca match ses_tls_client_ca_in(\"clientCa\")")
+	}
+}

bfe_basic/condition/parser/semant.go

@@ -69,6 +69,9 @@ var funcProtos = map[string][]Token{
 	"res_header_value_in":        {STRING, STRING, BOOL},
 	"ses_vip_range":              {STRING, STRING},
 	"ses_sip_range":              {STRING, STRING},
+	"ses_tls_sni_in":             {STRING},
+	"ses_tls_client_auth":        nil,
+	"ses_tls_client_ca_in":       {STRING},
 }
 
 func prototypeCheck(expr *CallExpr) error {

bfe_basic/condition/primitive.go

@@ -878,3 +878,46 @@ func GetHash(value []byte, base uint) int {
 
 	return int(hash % uint64(base))
 }
+
+// SniFetcher fetches serverName in tls
+type SniFetcher struct{}
+
+func (fetcher *SniFetcher) Fetch(req *bfe_basic.Request) (interface{}, error) {
+	if req == nil {
+		return nil, fmt.Errorf("fetcher: no req")
+	}
+
+	ses := req.Session
+	if ses == nil || !ses.IsSecure || ses.TlsState == nil || ses.TlsState.ServerName == "" {
+		return nil, fmt.Errorf("fetcher: no sni")
+	}
+
+	return req.Session.TlsState.ServerName, nil
+}
+
+type ClientAuthMatcher struct{}
+
+func (m *ClientAuthMatcher) Match(req *bfe_basic.Request) bool {
+	if req == nil || req.Session == nil || !req.Session.IsSecure || req.Session.TlsState == nil {
+		return false
+	}
+
+	return req.Session.TlsState.ClientAuth
+}
+
+// ClientCANameFetcher fetches client CA name
+type ClientCANameFetcher struct{}
+
+func (fetcher *ClientCANameFetcher) Fetch(req *bfe_basic.Request) (interface{}, error) {
+	if req == nil {
+		return nil, fmt.Errorf("fetcher: no req")
+	}
+
+	ses := req.Session
+	if ses == nil || !ses.IsSecure || ses.TlsState == nil || !ses.TlsState.ClientAuth ||
+		ses.TlsState.ClientCAName == "" {
+		return nil, fmt.Errorf("fetcher: no client CA name")
+	}
+
+	return req.Session.TlsState.ClientCAName, nil
+}

bfe_basic/session.go

@@ -21,6 +21,7 @@ import (
 	"sync"
 	"sync/atomic"
 	"time"
+	"fmt"
 )
 
 import (
@@ -141,3 +142,10 @@ func (s *Session) GetContext(key interface{}) interface{} {
 	s.lock.Unlock()
 	return val
 }
+
+func (s *Session) String() string {
+	s.lock.Lock()
+	val := s.SessionId
+	s.lock.Unlock()
+	return fmt.Sprintf("session id: %s", val)
+}

bfe_config/bfe_cluster_conf/cluster_table_conf/cluster_table_load.go

@@ -210,7 +210,7 @@ func ClusterTableConfCheck(conf ClusterTableConf) error {
 	return nil
 }
 
-// ClusterTableLoad loades config of cluster table from file
+// ClusterTableLoad loads config of cluster table from file
 func ClusterTableLoad(filename string) (ClusterTableConf, error) {
 	var config ClusterTableConf
 

bfe_config/bfe_conf/bfe_config_load.go

@@ -39,7 +39,7 @@ func SetDefaultConf(conf *BfeConfig) {
 	conf.SessionTicket.SetDefaultConf()
 }
 
-// BfeConfigLoad loades config from config file.
+// BfeConfigLoad loads config from config file.
 // NOTICE: some value will be modified when not set or out of range!!
 func BfeConfigLoad(filePath string, confRoot string) (BfeConfig, error) {
 	var cfg BfeConfig