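About this article
According to QUIC (Wikipedia):
A Docker image called quic-reverse-proxy exists, which acts as a reverse proxy server that translates QUIC requests into plain HTTP requests that the origin server can understand.
So apparently such a thing exists.
The Docker image is here → devsisters/quic-reverse-proxy
I tried out a QUIC reverse proxy using this Docker image.
As a result, I could not get this reverse proxy to work over HTTP/3 (QUIC).
I am writing down how it went so that, if my motivation comes back, I can start over from this save point.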
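Creating the server certificate and key
HTTP/3 assumes TLS 1.3.
To communicate over HTTPS, I prepared the necessary files, following the article "Creating a server certificate and key".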
openssl genrsa -out server.key -aes256 -rand rand.dat 2048
openssl req -new -sha256 -key server.key -out server.pem
openssl x509 -in server.pem -out server.crt -req -signkey server.key -days 365
openssl rsa -in server.key -out serverinstall.key
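The common name (CN) is set to proxy. This is the hostname of the proxy machine.
If the hostname of the server holding the certificate does not match the CN, an error occurs.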
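Building a test environment with Docker
Because it is long, docker-compose.yml is listed in the appendix.
Name | Role |
---|---|
nginx | Server |
proxy | QUIC-capable reverse proxy |
client | Client that makes HTTP/3 requests to proxy |
- The server is a plain nginx
- The proxy mounts the certificate and key
- The proxy server is started in the entrypoint
- For the client, I used the keioni/curl-http3 image so that a curl command with HTTP/3 support is available
Installing the certificate on the client
If a package manager is available, the method above is fine, but it is not available in this environment, so I write directly to the file.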
cat /nginx/server.crt >>/etc/ssl/certs/ca-certificates.crt
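Reference: when update-ca-certificates cannot be used
Starting the proxy server
I got stuck on how Go handles command-line arguments, and for quite a while I could not get the proxy server to start from the entrypoint.
What finally worked was the following form:
reverse_proxy -cert=/opt/configs/cert/server.crt -key=/opt/configs/key/serverinstall.key -addr=172.23.230.20 -port=4433 -n=4 -loglevel=4 http://172.23.230.10:80
Write the option arguments first, and put the address of the nginx server that sits behind the proxy last.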
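Why the order matters, as an added example (not code from goquic or from the original post): Go's standard `flag` package stops parsing at the first non-flag argument, so flags written after the backend URL are silently left at their defaults. The sketch assumes reverse_proxy uses that package, as its usage text in the appendix suggests; `parseArgs` and `audit` are hypothetical names, and the option names and defaults are copied from that usage text.

```go
package main

import (
	"flag"
	"fmt"
	"io"
)

// proxyOpts holds the options named in the reverse_proxy usage text.
type proxyOpts struct {
	Addr, Cert, Key   string
	Port, N, LogLevel int
	QuicOnly          bool
	Rest              []string // arguments that flag parsing left unconsumed
}

// parseArgs registers the option names and defaults from the usage text and
// parses args with the standard flag package (an assumption about the binary).
func parseArgs(args []string) (proxyOpts, error) {
	var o proxyOpts
	fs := flag.NewFlagSet("reverse_proxy", flag.ContinueOnError)
	fs.SetOutput(io.Discard)
	fs.StringVar(&o.Addr, "addr", "0.0.0.0", "UDP listen address")
	fs.StringVar(&o.Cert, "cert", "", "Certificate file (PEM)")
	fs.StringVar(&o.Key, "key", "", "Private key file (PEM)")
	fs.IntVar(&o.LogLevel, "loglevel", -1, "Log level")
	fs.IntVar(&o.N, "n", 1, "Number of concurrent quic dispatchers")
	fs.IntVar(&o.Port, "port", 8080, "TCP/UDP port number to listen")
	fs.BoolVar(&o.QuicOnly, "quic_only", false, "Use Quic Only")
	err := fs.Parse(args) // parsing stops at the first non-flag argument
	o.Rest = fs.Args()
	return o, err
}

// audit lists the ways the effective configuration differs from what the
// operator most likely intended.
func audit(o proxyOpts) []string {
	var w []string
	if len(o.Rest) != 1 {
		w = append(w, fmt.Sprintf("expected 1 backend URL, got %d positional args: flags after the URL were not parsed", len(o.Rest)))
	}
	if o.Cert == "" || o.Key == "" {
		w = append(w, "no -cert/-key in effect: per the usage text, encryption is used only when they are provided")
	}
	return w
}

func main() {
	// Constructed argument lists using the values from this page.
	flagsFirst := []string{
		"-cert=/opt/configs/cert/server.crt", "-key=/opt/configs/key/serverinstall.key",
		"-addr=172.23.230.20", "-port=4433", "-n=4", "-loglevel=4",
		"http://172.23.230.10:80",
	}
	urlFirst := append([]string{"http://172.23.230.10:80"}, flagsFirst[:6]...)
	for _, args := range [][]string{flagsFirst, urlFirst} {
		o, err := parseArgs(args)
		fmt.Printf("port=%d cert=%q err=%v warnings=%q\n", o.Port, o.Cert, err, audit(o))
	}
}
```

With the URL first, the parse succeeds without error but the listener settings fall back to port 8080 with no certificate or key, which is why a check such as `audit` is worth running before the process starts.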
HTTP/2 access through the proxy worked
Access port 4433 on the proxy from the client
curl https://proxy:4433
The proxy could be reached over HTTP/2, with no certificate error (200 OK).
The logs show that beyond the proxy, the request goes over HTTP/1.1.
proxy | H2 | 172.23.230.30 - - [30/Jul/2023:09:15:41 +0000] "GET / HTTP/2.0" 200 615 "" "curl/7.73.0-DEV"
nginx | 172.23.230.20 - - [30/Jul/2023:09:15:41 +0000] "GET / HTTP/1.1" 200 615 "-" "curl/7.73.0-DEV" "172.23.230.30"
HTTP/3 access to the proxy gets no response
I tried QUIC access to the proxy (172.23.230.20), but got only silence
curl https://proxy:4433 --http3 -v
* Trying 172.23.230.20:4433...
* Connect socket 5 over QUIC to 172.23.230.20:4433
# Nothing more is displayed after this...
It won't connect with TLS 1.3
Results of accessing the proxy from the client with TLS 1.2 and TLS 1.3
openssl s_client -connect proxy:4433 -tls1_2
This one is OK
openssl s_client -connect proxy:4433 -tls1_3
This one fails
QUIC requires TLS 1.3, so this does not look like it is going to work
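The two s_client results above, together with the earlier rule that the certificate name must match the hostname, reproduced offline as an added Go example (not from the original post). A loopback server capped at TLS 1.2 stands in for the proxy, the certificate is generated in memory, and all function names are this example's own; Go matches hostnames against the subjectAltName rather than the CN, so the constructed certificate carries both.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway certificate for host (constructed test data).
func selfSigned(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // Go checks the SAN; CN alone is ignored
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(leaf) // the client trusts exactly this certificate
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// startServer accepts TLS connections on loopback, negotiating at most maxVer.
func startServer(cert tls.Certificate, maxVer uint16) (net.Listener, error) {
	cfg := &tls.Config{Certificates: []tls.Certificate{cert}, MaxVersion: maxVer}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) { c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln, nil
}

// probe attempts one verified handshake pinned to a single TLS version, like
// openssl s_client -tls1_2 / -tls1_3 but with name checking enforced.
func probe(addr, name string, ver uint16, roots *x509.CertPool) error {
	cfg := &tls.Config{ServerName: name, RootCAs: roots, MinVersion: ver, MaxVersion: ver}
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err != nil {
		return err
	}
	conn.Close()
	return nil
}

// probeResult holds the error (nil on success) from each probe.
type probeResult struct{ TLS12, TLS13, WrongName error }

// runProbes starts a TLS 1.2-only server for "proxy" and probes it three ways.
func runProbes() (probeResult, error) {
	cert, roots, err := selfSigned("proxy")
	if err != nil {
		return probeResult{}, err
	}
	ln, err := startServer(cert, tls.VersionTLS12)
	if err != nil {
		return probeResult{}, err
	}
	defer ln.Close()
	addr := ln.Addr().String()
	return probeResult{
		TLS12:     probe(addr, "proxy", tls.VersionTLS12, roots),
		TLS13:     probe(addr, "proxy", tls.VersionTLS13, roots),
		WrongName: probe(addr, "nginx", tls.VersionTLS12, roots),
	}, nil
}

func main() {
	r, err := runProbes()
	fmt.Printf("setup: %v\nTLS 1.2 as proxy: %v\nTLS 1.3 as proxy: %v\nTLS 1.2 as nginx: %v\n", err, r.TLS12, r.TLS13, r.WrongName)
}
```

The TLS 1.3 probe fails with a protocol-version alert and the wrong-name probe fails in certificate verification, so the error text tells the two causes apart.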
Does the proxy support TLS 1.3?
The proxy did not support TLS 1.3
openssl s_client --help 2>&1 | grep '\-tls1'
-tls1_2 - just use TLSv1.2
-tls1_1 - just use TLSv1.1
-tls1 - just use TLSv1
Manually updating openssl
cd /tmp
wget http://www.openssl.org/source/openssl-1.1.1u.tar.gz --no-check-certificate
tar -zxf openssl-1.1.1u.tar.gz
cd openssl-1.1.1u
./config shared --prefix=/usr --openssldir=/usr/local/openssl
apt install -y build-essential
make && make test
make install
ln -s /usr/local/bin/openssl /usr/bin/
cd /tmp/openssl-1.1.1u
cp libssl.so.1.1 /usr/lib/x86_64-linux-gnu/
cp libcrypto.so.1.1 /usr/lib/x86_64-linux-gnu/
From proxy, openssl s_client -connect google.com:443 -tls1_3 is OK
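Let's build from source
I tried building it with reference to the article "A super-introduction to goquic", but got stuck on an error.
See the appendix for the error output.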
apt install -y cmake ninja-build build-essential git
apt update && apt install -y wget
wget https://go.dev/dl/go1.12rc1.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.12rc1.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
export GOPATH="/tmp"
source ~/.profile
go get -u -d github.com/devsisters/goquic
cd $GOPATH/src/github.com/devsisters/goquic
./build_libs.sh
What to do when apt update does not work on Debian 8
The URLs of the Debian package repositories seem to have changed, so rewrite the repository sources
cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 8 (jessie)"
For Debian 8 (Jessie)
cd /etc/apt
rm sources.list
touch sources.list
echo deb http://archive.debian.org/debian/ jessie main contrib non-free >>sources.list
echo deb http://archive.debian.org/debian-security jessie/updates main contrib non-free >>sources.list
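Since vi is assumed to be unavailable, I forcibly rewrote the list with echo
Connecting to an HTTP/3 test site
To begin with, I verified that curl itself behaves correctly.
Accessing an HTTP/3-capable site showed that it works normally.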
/usr/local/bin # curl --http3 -v https://quic.rocks:4433/
* Trying 216.155.158.183:4433...
* Connect socket 5 over QUIC to 216.155.158.183:4433
* Trying 2001:19f0:4:34::1:4433...
* Immediate connect fail for 2001:19f0:4:34::1: Address not available
* QUIC handshake is completed
* Connected to quic.rocks () port 4433 (#0)
* Using HTTP/3 Stream ID: 0 (easy handle 0x565378bc5be0)
> GET / HTTP/3
> Host: quic.rocks:4433
> user-agent: curl/7.73.0-DEV
> accept: */*
>
* ngh3_stream_recv returns 0 bytes and EAGAIN
* ngh3_stream_recv returns 0 bytes and EAGAIN
< HTTP/3 200
< content-type: text/html; charset=UTF-8
< x-original-url: https://quic.rocks/
< alt-svc: h3=":4433"; ma=3600, h3-29=":4433"; ma=3600
<
<!doctype html>
<html>
<head><title>quic.rocks</title></head>
<body>
<h1>quic.rocks</h1>
<p>You have successfully loaded quic.rocks using QUIC!</p>
</body>
</html>
* Connection #0 to host quic.rocks left intact
/usr/local/bin # curl --tlsv1.3 -v https://quic.rocks:4433/
* Trying 216.155.158.183:4433...
* Connected to quic.rocks (216.155.158.183) port 4433 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
* subject: CN=ipv4only.quic.rocks
* start date: Jul 28 06:15:28 2023 GMT
* expire date: Oct 26 06:15:27 2023 GMT
* subjectAltName: host "quic.rocks" matched cert's "quic.rocks"
* issuer: C=US; O=Let's Encrypt; CN=R3
* SSL certificate verify ok.
> GET / HTTP/1.1
> Host: quic.rocks:4433
> User-Agent: curl/7.73.0-DEV
> Accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Sat, 29 Jul 2023 08:17:42 GMT
< Server: Apache
< X-Frame-Options: SAMEORIGIN
< X-Powered-By: PHP/8.2.5
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: same-origin
< X-Robots-Tag: none
< Alt-Svc: h3=":4433"; ma=3600, h3-29=":4433"; ma=3600
< Content-Length: 319
< Content-Type: text/html; charset=UTF-8
<
<html>
<head></head>
<body>
<h1>QUIC Rocks!</h1>
<p>
You are currently visiting <a href="https://quic.rocks:4433/">https://quic.rocks:4433/</a> using HTTP/1.1 over TLSv1.3 (TLS_AES_256_GCM_SHA384) over TCP over IPv4.<br/>Experimental QUIC support is available at <https://quic.rocks:4433/>.
</p>
</body>
</html>
* Connection #0 to host quic.rocks left intact
Port scan with nmap
Check whether the port is open on UDP
At least it is not closed
nmap -sU -p 4433 proxy
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-30 09:41 UTC
Nmap scan report for proxy (172.23.230.20)
Host is up (0.00046s latency).
rDNS record for 172.23.230.20: proxy.2307_quicreverseproxy_net1
PORT STATE SERVICE
4433/udp open|filtered unknown
MAC Address: 02:42:AC:17:E6:14 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 0.55 seconds
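Conclusion
I learned a lot along the way, such as how to use openssl and how to install certificates, but in the end I could not get QUIC working through the reverse proxy.
References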
goquic/example/reverse_proxy.go
Appendix
docker-compose.yml
version: "3.9"
services:
  nginx:
    image: nginx:latest
    container_name: nginx
    hostname: nginx
    networks:
      net1:
        ipv4_address: 172.23.230.10
  proxy:
    image: devsisters/quic-reverse-proxy
    container_name: proxy
    hostname: proxy
    volumes:
      - './nginx:/opt/configs/cert'
      - './nginx:/opt/configs/key'
    ulimits:
      nofile: 32768
    networks:
      net1:
        ipv4_address: 172.23.230.20
    entrypoint: "/go/src/github.com/devsisters/goquic/reverse_proxy -cert=/opt/configs/cert/server.crt -key=/opt/configs/key/serverinstall.key -addr=172.23.230.20 -port=4433 -n=4 -loglevel=4 http://172.23.230.10:80"
  client:
    image: keioni/curl-http3
    container_name: client
    hostname: client
    tty: true
    stdin_open: true
    volumes:
      - './nginx/server.crt:/nginx/server.crt'
    networks:
      net1:
        ipv4_address: 172.23.230.30
networks:
  net1:
    ipam:
      driver: default
      config:
        - subnet: 172.23.230.0/24
goquic/reverse_proxy
Usage
Usage: /go/src/github.com/devsisters/goquic/reverse_proxy backend_url
Options:
-addr string
UDP listen address (default "0.0.0.0")
-cert string
Certificate file (PEM), will use encrypted QUIC and SSL when provided
-key string
Private key file (PEM), will use encrypted QUIC and SSL when provided
-loglevel int
Log level (default -1)
-n int
Number of concurrent quic dispatchers (default 1)
-port int
TCP/UDP port number to listen (default 8080)
-quic_only
Use Quic Only
-test.bench string
regular expression to select benchmarks to run
-test.benchmem
print memory allocations for benchmarks
-test.benchtime duration
approximate run time for each benchmark (default 1s)
-test.blockprofile string
write a goroutine blocking profile to the named file after execution
-test.blockprofilerate int
if >= 0, calls runtime.SetBlockProfileRate() (default 1)
-test.count n
run tests and benchmarks n times (default 1)
-test.coverprofile string
write a coverage profile to the named file after execution
-test.cpu string
comma-separated list of number of CPUs to use for each test
-test.cpuprofile string
write a cpu profile to the named file during execution
-test.memprofile string
write a memory profile to the named file after execution
-test.memprofilerate int
if >=0, sets runtime.MemProfileRate
-test.outputdir string
directory in which to write profiles
-test.parallel int
maximum test parallelism (default 8)
-test.run string
regular expression to select tests and examples to run
-test.short
run smaller test suite to save time
-test.timeout duration
if positive, sets an aggregate time limit for all tests
-test.trace string
write an execution trace to the named file after execution
-test.v
verbose: print additional output
curl options
Usage: curl [options...] <url>
--abstract-unix-socket <path> Connect via abstract Unix domain socket
--alt-svc <file name> Enable alt-svc with this cache file
--anyauth Pick any authentication method
-a, --append Append to target file when uploading
--basic Use HTTP Basic Authentication
--cacert <file> CA certificate to verify peer against
--capath <dir> CA directory to verify peer against
-E, --cert <certificate[:password]> Client certificate file and password
--cert-status Verify the status of the server certificate
--cert-type <type> Certificate type (DER/PEM/ENG)
--ciphers <list of ciphers> SSL ciphers to use
--compressed Request compressed response
--compressed-ssh Enable SSH compression
-K, --config <file> Read config from a file
--connect-timeout <seconds> Maximum time allowed for connection
--connect-to <HOST1:PORT1:HOST2:PORT2> Connect to host
-C, --continue-at <offset> Resumed transfer offset
-b, --cookie <data|filename> Send cookies from string/file
-c, --cookie-jar <filename> Write cookies to <filename> after operation
--create-dirs Create necessary local directory hierarchy
--crlf Convert LF to CRLF in upload
--crlfile <file> Get a CRL list in PEM format from the given file
--curves <algorithm list> (EC) TLS key exchange algorithm(s) to request
-d, --data <data> HTTP POST data
--data-ascii <data> HTTP POST ASCII data
--data-binary <data> HTTP POST binary data
--data-raw <data> HTTP POST data, '@' allowed
--data-urlencode <data> HTTP POST data url encoded
--delegation <LEVEL> GSS-API delegation permission
--digest Use HTTP Digest Authentication
-q, --disable Disable .curlrc
--disable-eprt Inhibit using EPRT or LPRT
--disable-epsv Inhibit using EPSV
--disallow-username-in-url Disallow username in url
--dns-interface <interface> Interface to use for DNS requests
--dns-ipv4-addr <address> IPv4 address to use for DNS requests
--dns-ipv6-addr <address> IPv6 address to use for DNS requests
--dns-servers <addresses> DNS server addrs to use
--doh-url <URL> Resolve host names over DOH
-D, --dump-header <filename> Write the received headers to <filename>
--egd-file <file> EGD socket path for random data
--engine <name> Crypto engine to use
--etag-compare <file> Pass an ETag from a file as a custom header
--etag-save <file> Parse ETag from a request and save it to a file
--expect100-timeout <seconds> How long to wait for 100-continue
-f, --fail Fail silently (no output at all) on HTTP errors
--fail-early Fail on first transfer error, do not continue
--false-start Enable TLS False Start
-F, --form <name=content> Specify multipart MIME data
--form-string <name=string> Specify multipart MIME data
--ftp-account <data> Account data string
--ftp-alternative-to-user <command> String to replace USER [name]
--ftp-create-dirs Create the remote dirs if not present
--ftp-method <method> Control CWD usage
--ftp-pasv Use PASV/EPSV instead of PORT
-P, --ftp-port <address> Use PORT instead of PASV
--ftp-pret Send PRET before PASV
--ftp-skip-pasv-ip Skip the IP address for PASV
--ftp-ssl-ccc Send CCC after authenticating
--ftp-ssl-ccc-mode <active/passive> Set CCC mode
--ftp-ssl-control Require SSL/TLS for FTP login, clear for transfer
-G, --get Put the post data in the URL and use GET
-g, --globoff Disable URL sequences and ranges using {} and []
--happy-eyeballs-timeout-ms <milliseconds> Time for IPv6 before trying IPv4
--haproxy-protocol Send HAProxy PROXY protocol v1 header
-I, --head Show document info only
-H, --header <header/@file> Pass custom header(s) to server
-h, --help This help text
--hostpubmd5 <md5> Acceptable MD5 hash of the host public key
--http0.9 Allow HTTP 0.9 responses
-0, --http1.0 Use HTTP 1.0
--http1.1 Use HTTP 1.1
--http2 Use HTTP 2
--http2-prior-knowledge Use HTTP 2 without HTTP/1.1 Upgrade
--http3 Use HTTP v3
--ignore-content-length Ignore the size of the remote resource
-i, --include Include protocol response headers in the output
-k, --insecure Allow insecure server connections when using SSL
--interface <name> Use network INTERFACE (or address)
-4, --ipv4 Resolve names to IPv4 addresses
-6, --ipv6 Resolve names to IPv6 addresses
-j, --junk-session-cookies Ignore session cookies read from file
--keepalive-time <seconds> Interval time for keepalive probes
--key <key> Private key file name
--key-type <type> Private key file type (DER/PEM/ENG)
--krb <level> Enable Kerberos with security <level>
--libcurl <file> Dump libcurl equivalent code of this command line
--limit-rate <speed> Limit transfer speed to RATE
-l, --list-only List only mode
--local-port <num/range> Force use of RANGE for local port numbers
-L, --location Follow redirects
--location-trusted Like --location, and send auth to other hosts
--login-options <options> Server login options
--mail-auth <address> Originator address of the original email
--mail-from <address> Mail from this address
--mail-rcpt <address> Mail to this address
--mail-rcpt-allowfails Allow RCPT TO command to fail for some recipients
-M, --manual Display the full manual
--max-filesize <bytes> Maximum file size to download
--max-redirs <num> Maximum number of redirects allowed
-m, --max-time <seconds> Maximum time allowed for the transfer
--metalink Process given URLs as metalink XML file
--negotiate Use HTTP Negotiate (SPNEGO) authentication
-n, --netrc Must read .netrc for user name and password
--netrc-file <filename> Specify FILE for netrc
--netrc-optional Use either .netrc or URL
-:, --next Make next URL use its separate set of options
--no-alpn Disable the ALPN TLS extension
-N, --no-buffer Disable buffering of the output stream
--no-keepalive Disable TCP keepalive on the connection
--no-npn Disable the NPN TLS extension
--no-progress-meter Do not show the progress meter
--no-sessionid Disable SSL session-ID reusing
--noproxy <no-proxy-list> List of hosts which do not use proxy
--ntlm Use HTTP NTLM authentication
--ntlm-wb Use HTTP NTLM authentication with winbind
--oauth2-bearer <token> OAuth 2 Bearer Token
-o, --output <file> Write to file instead of stdout
--output-dir <dir> Directory to save files in
-Z, --parallel Perform transfers in parallel
--parallel-immediate Do not wait for multiplexing (with --parallel)
--parallel-max Maximum concurrency for parallel transfers
--pass <phrase> Pass phrase for the private key
--path-as-is Do not squash .. sequences in URL path
--pinnedpubkey <hashes> FILE/HASHES Public key to verify peer against
--post301 Do not switch to GET after following a 301
--post302 Do not switch to GET after following a 302
--post303 Do not switch to GET after following a 303
--preproxy [protocol://]host[:port] Use this proxy first
-#, --progress-bar Display transfer progress as a bar
--proto <protocols> Enable/disable PROTOCOLS
--proto-default <protocol> Use PROTOCOL for any URL missing a scheme
--proto-redir <protocols> Enable/disable PROTOCOLS on redirect
-x, --proxy [protocol://]host[:port] Use this proxy
--proxy-anyauth Pick any proxy authentication method
--proxy-basic Use Basic authentication on the proxy
--proxy-cacert <file> CA certificate to verify peer against for proxy
--proxy-capath <dir> CA directory to verify peer against for proxy
--proxy-cert <cert[:passwd]> Set client certificate for proxy
--proxy-cert-type <type> Client certificate type for HTTPS proxy
--proxy-ciphers <list> SSL ciphers to use for proxy
--proxy-crlfile <file> Set a CRL list for proxy
--proxy-digest Use Digest authentication on the proxy
--proxy-header <header/@file> Pass custom header(s) to proxy
--proxy-insecure Do HTTPS proxy connections without verifying the proxy
--proxy-key <key> Private key for HTTPS proxy
--proxy-key-type <type> Private key file type for proxy
--proxy-negotiate Use HTTP Negotiate (SPNEGO) authentication on the proxy
--proxy-ntlm Use NTLM authentication on the proxy
--proxy-pass <phrase> Pass phrase for the private key for HTTPS proxy
--proxy-pinnedpubkey <hashes> FILE/HASHES public key to verify proxy with
--proxy-service-name <name> SPNEGO proxy service name
--proxy-ssl-allow-beast Allow security flaw for interop for HTTPS proxy
--proxy-tls13-ciphers <ciphersuite list> TLS 1.3 proxy cipher suites
--proxy-tlsauthtype <type> TLS authentication type for HTTPS proxy
--proxy-tlspassword <string> TLS password for HTTPS proxy
--proxy-tlsuser <name> TLS username for HTTPS proxy
--proxy-tlsv1 Use TLSv1 for HTTPS proxy
-U, --proxy-user <user:password> Proxy user and password
--proxy1.0 <host[:port]> Use HTTP/1.0 proxy on given port
-p, --proxytunnel Operate through an HTTP proxy tunnel (using CONNECT)
--pubkey <key> SSH Public key file name
-Q, --quote Send command(s) to server before transfer
--random-file <file> File for reading random data from
-r, --range <range> Retrieve only the bytes within RANGE
--raw Do HTTP "raw"; no transfer decoding
-e, --referer <URL> Referrer URL
-J, --remote-header-name Use the header-provided filename
-O, --remote-name Write output to a file named as the remote file
--remote-name-all Use the remote file name for all URLs
-R, --remote-time Set the remote file's time on the local output
-X, --request <command> Specify request command to use
--request-target Specify the target for this request
--resolve <host:port:addr[,addr]...> Resolve the host+port to this address
--retry <num> Retry request if transient problems occur
--retry-all-errors Retry all errors (use with --retry)
--retry-connrefused Retry on connection refused (use with --retry)
--retry-delay <seconds> Wait time between retries
--retry-max-time <seconds> Retry only within this period
--sasl-authzid <identity> Identity for SASL PLAIN authentication
--sasl-ir Enable initial response in SASL authentication
--service-name <name> SPNEGO service name
-S, --show-error Show error even when -s is used
-s, --silent Silent mode
--socks4 <host[:port]> SOCKS4 proxy on given host + port
--socks4a <host[:port]> SOCKS4a proxy on given host + port
--socks5 <host[:port]> SOCKS5 proxy on given host + port
--socks5-basic Enable username/password auth for SOCKS5 proxies
--socks5-gssapi Enable GSS-API auth for SOCKS5 proxies
--socks5-gssapi-nec Compatibility with NEC SOCKS5 server
--socks5-gssapi-service <name> SOCKS5 proxy service name for GSS-API
--socks5-hostname <host[:port]> SOCKS5 proxy, pass host name to proxy
-Y, --speed-limit <speed> Stop transfers slower than this
-y, --speed-time <seconds> Trigger 'speed-limit' abort after this time
--ssl Try SSL/TLS
--ssl-allow-beast Allow security flaw to improve interop
--ssl-no-revoke Disable cert revocation checks (Schannel)
--ssl-reqd Require SSL/TLS
--ssl-revoke-best-effort Ignore missing/offline cert CRL dist points
-2, --sslv2 Use SSLv2
-3, --sslv3 Use SSLv3
--stderr Where to redirect stderr
--styled-output Enable styled output for HTTP headers
--suppress-connect-headers Suppress proxy CONNECT response headers
--tcp-fastopen Use TCP Fast Open
--tcp-nodelay Use the TCP_NODELAY option
-t, --telnet-option <opt=val> Set telnet option
--tftp-blksize <value> Set TFTP BLKSIZE option
--tftp-no-options Do not send any TFTP options
-z, --time-cond <time> Transfer based on a time condition
--tls-max <VERSION> Set maximum allowed TLS version
--tls13-ciphers <ciphersuite list> TLS 1.3 cipher suites to use
--tlsauthtype <type> TLS authentication type
--tlspassword TLS password
--tlsuser <name> TLS user name
-1, --tlsv1 Use TLSv1.0 or greater
--tlsv1.0 Use TLSv1.0 or greater
--tlsv1.1 Use TLSv1.1 or greater
--tlsv1.2 Use TLSv1.2 or greater
--tlsv1.3 Use TLSv1.3 or greater
--tr-encoding Request compressed transfer encoding
--trace <file> Write a debug trace to FILE
--trace-ascii <file> Like --trace, but without hex output
--trace-time Add time stamps to trace/verbose output
--unix-socket <path> Connect through this Unix domain socket
-T, --upload-file <file> Transfer local FILE to destination
--url <url> URL to work with
-B, --use-ascii Use ASCII/text transfer
-u, --user <user:password> Server user and password
-A, --user-agent <name> Send User-Agent <name> to server
-v, --verbose Make the operation more talkative
-V, --version Show version number and quit
-w, --write-out <format> Use output FORMAT after completion
--xattr Store metadata in extended file attributes
goquic build error
GOARCH: amd64
GOOS: linux
OPTION:
-- The C compiler identification is GNU 5.4.0
-- The CXX compiler identification is GNU 5.4.0
-- Check for working C compiler using: Ninja
-- Check for working C compiler using: Ninja -- works
-- Detecting C compiler ABI info
-- Detecting C compiler ABI info - done
-- Detecting C compile features
-- Detecting C compile features - done
-- Check for working CXX compiler using: Ninja
-- Check for working CXX compiler using: Ninja -- works
-- Detecting CXX compiler ABI info
-- Detecting CXX compiler ABI info - done
-- Detecting CXX compile features
-- Detecting CXX compile features - done
-- Setting build type to 'Debug' as none was specified.
-- Looking for pthread.h
-- Looking for pthread.h - found
-- Looking for pthread_create
-- Looking for pthread_create - not found
-- Looking for pthread_create in pthreads
-- Looking for pthread_create in pthreads - not found
-- Looking for pthread_create in pthread
-- Looking for pthread_create in pthread - found
-- Found Threads: TRUE
-- Could NOT find Protobuf (missing: PROTOBUF_LIBRARY PROTOBUF_INCLUDE_DIR) (Required is at least version "3")
-- Found Perl: /usr/bin/perl (found version "5.22.1")
-- The ASM compiler identification is GNU
-- Found assembler: /usr/bin/cc
-- Configuring done
-- Generating done
-- Build files have been written to: /tmp/src/github.com/devsisters/goquic/libquic/build/debug
/tmp/src/github.com/devsisters/goquic
ninja: Entering directory `libquic/build/debug'
[364/752] Building CXX object protobuf/CMakeFi...protobuf/src/google/protobuf/stubs/common.cc.o
../../src/third_party/protobuf/src/google/protobuf/stubs/common.cc: In function 'void google::protobuf::ShutdownProtobufLibrary()':
../../src/third_party/protobuf/src/google/protobuf/stubs/common.cc:441:21: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for (int i = 0; i < internal::shutdown_functions->size(); i++) {
^
[370/752] Building CXX object protobuf/CMakeFi...le/protobuf/io/zero_copy_stream_impl_lite.cc.o
../../src/third_party/protobuf/src/google/protobuf/io/zero_copy_stream_impl_lite.cc: In member function 'virtual bool google::protobuf::io::StringOutputStream::Next(void**, int*)':
../../src/third_party/protobuf/src/google/protobuf/io/zero_copy_stream_impl_lite.cc:164:16: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (old_size < target_->capacity()) {
^
In file included from ../../src/third_party/protobuf/src/google/protobuf/stubs/common.h:45:0,
from ../../src/third_party/protobuf/src/google/protobuf/io/zero_copy_stream.h:111,
from ../../src/third_party/protobuf/src/google/protobuf/io/zero_copy_stream_impl_lite.h:53,
from ../../src/third_party/protobuf/src/google/protobuf/io/zero_copy_stream_impl_lite.cc:35:
../../src/third_party/protobuf/src/google/protobuf/io/zero_copy_stream_impl_lite.cc: In member function 'virtual void google::protobuf::io::StringOutputStream::BackUp(int)':
../../src/third_party/protobuf/src/google/protobuf/stubs/logging.h:157:48: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
#define GOOGLE_CHECK_LE(A, B) GOOGLE_CHECK((A) <= (B))
^
../../src/third_party/protobuf/src/google/protobuf/stubs/logging.h:149:5: note: in definition of macro 'GOOGLE_LOG_IF'
!(CONDITION) ? (void)0 : GOOGLE_LOG(LEVEL)
^
../../src/third_party/protobuf/src/google/protobuf/stubs/logging.h:157:31: note: in expansion of macro 'GOOGLE_CHECK'
#define GOOGLE_CHECK_LE(A, B) GOOGLE_CHECK((A) <= (B))
^
../../src/third_party/protobuf/src/google/protobuf/io/zero_copy_stream_impl_lite.cc:193:3: note: in expansion of macro 'GOOGLE_CHECK_LE'
GOOGLE_CHECK_LE(count, target_->size());
^
[374/752] Building CXX object protobuf/CMakeFi...otobuf/src/google/protobuf/repeated_field.cc.o
In file included from ../../src/third_party/protobuf/src/google/protobuf/stubs/common.h:45:0,
from ../../src/third_party/protobuf/src/google/protobuf/stubs/casts.h:34,
from ../../src/third_party/protobuf/src/google/protobuf/repeated_field.h:56,
from ../../src/third_party/protobuf/src/google/protobuf/repeated_field.cc:37:
../../src/third_party/protobuf/src/google/protobuf/repeated_field.cc: In member function 'void** google::protobuf::internal::RepeatedPtrFieldBase::InternalExtend(int)':
../../src/third_party/protobuf/src/google/protobuf/stubs/logging.h:157:48: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
#define GOOGLE_CHECK_LE(A, B) GOOGLE_CHECK((A) <= (B))
^
../../src/third_party/protobuf/src/google/protobuf/stubs/logging.h:149:5: note: in definition of macro 'GOOGLE_LOG_IF'
!(CONDITION) ? (void)0 : GOOGLE_LOG(LEVEL)
^
../../src/third_party/protobuf/src/google/protobuf/stubs/logging.h:157:31: note: in expansion of macro 'GOOGLE_CHECK'
#define GOOGLE_CHECK_LE(A, B) GOOGLE_CHECK((A) <= (B))
^
../../src/third_party/protobuf/src/google/protobuf/repeated_field.cc:57:3: note: in expansion of macro 'GOOGLE_CHECK_LE'
GOOGLE_CHECK_LE(new_size,
^
[375/752] Building CXX object protobuf/CMakeFi...tobuf/src/google/protobuf/io/coded_stream.cc.o
../../src/third_party/protobuf/src/google/protobuf/io/coded_stream.cc: In member function 'bool google::protobuf::io::CodedInputStream::ReadLittleEndian32Fallback(google::protobuf::uint32*)':
../../src/third_party/protobuf/src/google/protobuf/io/coded_stream.cc:306:20: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (BufferSize() >= sizeof(*value)) {
^
../../src/third_party/protobuf/src/google/protobuf/io/coded_stream.cc: In member function 'bool google::protobuf::io::CodedInputStream::ReadLittleEndian64Fallback(google::protobuf::uint64*)':
../../src/third_party/protobuf/src/google/protobuf/io/coded_stream.cc:323:20: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (BufferSize() >= sizeof(*value)) {
^
../../src/third_party/protobuf/src/google/protobuf/io/coded_stream.cc: In member function 'void google::protobuf::io::CodedOutputStream::WriteLittleEndian32(google::protobuf::uint32)':
../../src/third_party/protobuf/src/google/protobuf/io/coded_stream.cc:717:32: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
bool use_fast = buffer_size_ >= sizeof(value);
^
../../src/third_party/protobuf/src/google/protobuf/io/coded_stream.cc: In member function 'void google::protobuf::io::CodedOutputStream::WriteLittleEndian64(google::protobuf::uint64)':
../../src/third_party/protobuf/src/google/protobuf/io/coded_stream.cc:732:32: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
bool use_fast = buffer_size_ >= sizeof(value);
^
[468/752] Building CXX object protobuf/CMakeFi...uf/src/google/protobuf/stubs/stringprintf.cc.o
../../src/third_party/protobuf/src/google/protobuf/stubs/stringprintf.cc: In function 'std::__cxx11::string google::protobuf::StringPrintfVector(const char*, const std::vector<std::__cxx11::basic_string<char> >&)':
../../src/third_party/protobuf/src/google/protobuf/stubs/stringprintf.cc:151:21: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for (int i = 0; i < v.size(); ++i) {
^
../../src/third_party/protobuf/src/google/protobuf/stubs/stringprintf.cc:154:28: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for (int i = v.size(); i < GOOGLE_ARRAYSIZE(cstr); ++i) {
^
[471/752] Building CXX object protobuf/CMakeFi...protobuf/src/google/protobuf/stubs/int128.cc.o
../../src/third_party/protobuf/src/google/protobuf/stubs/int128.cc: In function 'std::ostream& google::protobuf::operator<<(std::ostream&, const google::protobuf::uint128&)':
../../src/third_party/protobuf/src/google/protobuf/stubs/int128.cc:187:13: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
if (width > rep.size()) {
^
[479/752] Building CXX object protobuf/CMakeFi...buf/src/google/protobuf/unknown_field_set.cc.o
../../src/third_party/protobuf/src/google/protobuf/unknown_field_set.cc: In member function 'void google::protobuf::UnknownFieldSet::ClearFallback()':
../../src/third_party/protobuf/src/google/protobuf/unknown_field_set.cc:82:23: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for (int i = 0; i < fields_->size(); i++) {
^
../../src/third_party/protobuf/src/google/protobuf/unknown_field_set.cc: In member function 'int google::protobuf::UnknownFieldSet::SpaceUsedExcludingSelf() const':
../../src/third_party/protobuf/src/google/protobuf/unknown_field_set.cc:138:21: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for (int i = 0; i < fields_->size(); i++) {
^
../../src/third_party/protobuf/src/google/protobuf/unknown_field_set.cc: In member function 'void google::protobuf::UnknownFieldSet::DeleteSubrange(int, int)':
../../src/third_party/protobuf/src/google/protobuf/unknown_field_set.cc:220:31: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for (int i = start + num; i < fields_->size(); ++i) {
^
../../src/third_party/protobuf/src/google/protobuf/unknown_field_set.cc: In member function 'void google::protobuf::UnknownFieldSet::DeleteByNumber(int)':
../../src/third_party/protobuf/src/google/protobuf/unknown_field_set.cc:237:21: warning: comparison between signed and unsigned integer expressions [-Wsign-compare]
for (int i = 0; i < fields_->size(); ++i) {
^
[717/752] Building CXX object CMakeFiles/quic.dir/src/base/sys_info.cc.o
../../src/base/sys_info.cc:38:3: warning: 'base::g_lazy_low_end_device' defined but not used [-Wunused-variable]
g_lazy_low_end_device = LAZY_INSTANCE_INITIALIZER;
^
[752/752] Linking CXX static library libquic.a
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_utils.o src/go_utils.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_spdy_client_stream.o src/go_quic_spdy_client_stream.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_connection_helper.o src/go_quic_connection_helper.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/stateless_rejector.o src/stateless_rejector.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/adaptor_client.o src/adaptor_client.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_dispatcher.o src/go_quic_dispatcher.cc
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_simple_server_session_helper.o src/go_quic_simple_server_session_helper.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_server_packet_writer.o src/go_quic_server_packet_writer.cc
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
mkdir -p build/
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_alarm_factory.o src/go_quic_alarm_factory.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/proof_source_goquic.o src/proof_source_goquic.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_simple_server_stream.o src/go_quic_simple_server_stream.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_ephemeral_key_source.o src/go_ephemeral_key_source.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_proof_verifier.o src/go_proof_verifier.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_simple_server_session.o src/go_quic_simple_server_session.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/chlo_extractor.o src/chlo_extractor.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/adaptor.o src/adaptor.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_client_session.o src/go_quic_client_session.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_simple_dispatcher.o src/go_quic_simple_dispatcher.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_time_wait_list_manager.o src/go_quic_time_wait_list_manager.cc
mkdir -p build/
mkdir -p build/
mkdir -p build/
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_simple_crypto_server_stream_helper.o src/go_quic_simple_crypto_server_stream_helper.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_client_packet_writer.o src/go_quic_client_packet_writer.cc
g++ -Wall -Ilibquic/src -Ilibquic/src/third_party/protobuf/src -DUSE_OPENSSL=1 -Iboringssl/include -g --std=gnu++11 -c -o build/go_quic_per_connection_packet_writer.o src/go_quic_per_connection_packet_writer.cc
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/go_quic_simple_server_session_helper.o' failed
make: *** [build/go_quic_simple_server_session_helper.o] Error 4
make: *** Waiting for unfinished jobs....
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/go_quic_connection_helper.o' failed
make: *** [build/go_quic_connection_helper.o] Error 4
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/go_quic_simple_crypto_server_stream_helper.o' failed
make: *** [build/go_quic_simple_crypto_server_stream_helper.o] Error 4
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/chlo_extractor.o' failed
make: *** [build/chlo_extractor.o] Error 4
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/go_quic_simple_server_session.o' failed
make: *** [build/go_quic_simple_server_session.o] Error 4
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/go_quic_simple_server_stream.o' failed
make: *** [build/go_quic_simple_server_stream.o] Error 4
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/stateless_rejector.o' failed
make: *** [build/stateless_rejector.o] Error 4
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/go_quic_client_session.o' failed
make: *** [build/go_quic_client_session.o] Error 4
src/go_proof_verifier.cc: In member function 'virtual net::QuicAsyncStatus net::GoProofVerifier::VerifyCertChain(const string&, const std::vector<std::__cxx11::basic_string<char> >&, const net::ProofVerifyContext*, std::__cxx11::string*, std::unique_ptr<net::ProofVerifyDetails>*, std::unique_ptr<net::ProofVerifierCallback>)':
src/go_proof_verifier.cc:79:1: warning: no return statement in function returning non-void [-Wreturn-type]
}
^
g++: internal compiler error: Killed (program cc1plus)
Please submit a full bug report,
with preprocessed source if appropriate.
See <file:///usr/share/doc/gcc-5/README.Bugs> for instructions.
Makefile:31: recipe for target 'build/adaptor.o' failed
make: *** [build/adaptor.o] Error 4
In file included from src/adaptor_client.h:9:0,
from src/adaptor_client.cc:1:
src/go_quic_client_session.h: In member function 'virtual bool net::GoQuicClientSession::ShouldCreateIncomingDynamicStream(net::QuicStreamId)':
src/go_quic_client_session.h:57:69: warning: no return statement in function returning non-void [-Wreturn-type]
bool ShouldCreateIncomingDynamicStream(QuicStreamId id) override {} // TODO(hodduc)
^
In file included from src/go_quic_spdy_client_stream.cc:13:0:
src/go_quic_client_session.h: In member function 'virtual bool net::GoQuicClientSession::ShouldCreateIncomingDynamicStream(net::QuicStreamId)':
src/go_quic_client_session.h:57:69: warning: no return statement in function returning non-void [-Wreturn-type]
bool ShouldCreateIncomingDynamicStream(QuicStreamId id) override {} // TODO(hodduc)
^
In file included from src/go_quic_dispatcher.cc:1:0:
src/go_quic_dispatcher.h: In constructor 'net::GoQuicDispatcher::GoQuicDispatcher(const net::QuicConfig&, const net::QuicCryptoServerConfig*, net::QuicVersionManager*, std::unique_ptr<net::QuicConnectionHelperInterface>, std::unique_ptr<net::QuicCryptoServerStream::Helper>, std::unique_ptr<net::QuicAlarmFactory>, GoPtr)':
src/go_quic_dispatcher.h:366:11: warning: 'net::GoQuicDispatcher::new_sessions_allowed_per_event_loop_' will be initialized after [-Wreorder]
int16_t new_sessions_allowed_per_event_loop_;
^
src/go_quic_dispatcher.h:362:9: warning: 'GoPtr net::GoQuicDispatcher::go_quic_dispatcher_' [-Wreorder]
GoPtr go_quic_dispatcher_;
^
src/go_quic_dispatcher.cc:188:1: warning: when initialized here [-Wreorder]
GoQuicDispatcher::GoQuicDispatcher(