allow to disable TLS when proxying requests

gmid.h

@@ -100,6 +100,7 @@ extern struct fcgi fcgi[FCGI_MAX];
 struct proxy {
 	char		*host;
 	const char	*port;
+	int		 notls;
 	uint32_t	 protocols;
 	int		 noverifyname;
 	uint8_t		*cert;

parse.y

@@ -125,7 +125,7 @@ typedef struct {
 %token	RELAY_TO REQUIRE RETURN ROOT
 %token	SERVER SPAWN STRIP
 %token	TCP TOEXT TYPE
-%token	USER
+%token	USE_TLS USER
 %token	VERIFYNAME
 
 %token	ERROR
@@ -339,6 +339,9 @@ proxy_opt	: CERT string {
 				yyerror("proxy port is %s: %s", errstr,
 				    p->port);
 		}
+		| USE_TLS bool {
+			host->proxy.notls = !$2;
+		}
 		| VERIFYNAME bool {
 			host->proxy.noverifyname = !$2;
 		}
@@ -482,6 +485,7 @@ static struct keyword {
 	{"tcp", TCP},
 	{"to-ext", TOEXT},
 	{"type", TYPE},
+	{"use-tls", USE_TLS},
 	{"user", USER},
 	{"verifyname", VERIFYNAME},
 };

proxy.c

@@ -230,12 +230,42 @@ proxy_error(struct bufferevent *bev, short error, void *d)
 	client_write(c->bev, c);
 }
 
+static void
+proxy_enqueue_req(struct client *c)
+{
+	struct proxy *p = &c->host->proxy;
+	struct evbuffer	*evb;
+	char		 iribuf[GEMINI_URL_LEN];
+
+	c->proxybev = bufferevent_new(c->pfd, proxy_read, proxy_write,
+	    proxy_error, c);
+	if (c->proxybev == NULL)
+		fatal("can't allocate bufferevent: %s", strerror(errno));
+
+	if (!p->notls) {
+		event_set(&c->proxybev->ev_read, c->pfd, EV_READ,
+		    proxy_tls_readcb, c->proxybev);
+		event_set(&c->proxybev->ev_write, c->pfd, EV_WRITE,
+		    proxy_tls_writecb, c->proxybev);
+
+#if HAVE_LIBEVENT2
+		evbuffer_unfreeze(c->proxybev->input, 0);
+		evbuffer_unfreeze(c->proxybev->output, 1);
+#endif
+	}
+
+	serialize_iri(&c->iri, iribuf, sizeof(iribuf));
+
+	evb = EVBUFFER_OUTPUT(c->proxybev);
+	evbuffer_add_printf(evb, "%s\r\n", iribuf);
+
+	bufferevent_enable(c->proxybev, EV_READ|EV_WRITE);
+}
+
 static void
 proxy_handshake(int fd, short event, void *d)
 {
 	struct client	*c = d;
-	struct evbuffer	*evb;
-	char		 iribuf[GEMINI_URL_LEN];
 
 	if (event == EV_TIMEOUT) {
 		start_reply(c, PROXY_ERROR, "timeout");
@@ -258,37 +288,15 @@ proxy_handshake(int fd, short event, void *d)
 		return;
 	}
 
-	c->proxybev = bufferevent_new(c->pfd, proxy_read, proxy_write,
-	    proxy_error, c);
-	if (c->proxybev == NULL)
-		fatal("can't allocate bufferevent: %s", strerror(errno));
-
-	event_set(&c->proxybev->ev_read, c->pfd, EV_READ,
-	    proxy_tls_readcb, c->proxybev);
-	event_set(&c->proxybev->ev_write, c->pfd, EV_WRITE,
-	    proxy_tls_writecb, c->proxybev);
-
-#if HAVE_LIBEVENT2
-	evbuffer_unfreeze(c->proxybev->input, 0);
-	evbuffer_unfreeze(c->proxybev->output, 1);
-#endif
-
-	serialize_iri(&c->iri, iribuf, sizeof(iribuf));
-
-	evb = EVBUFFER_OUTPUT(c->proxybev);
-	evbuffer_add_printf(evb, "%s\r\n", iribuf);
-
-	bufferevent_enable(c->proxybev, EV_READ|EV_WRITE);
+	proxy_enqueue_req(c);
 }
 
-int
-proxy_init(struct client *c)
+static int
+proxy_setup_tls(struct client *c)
 {
 	struct proxy *p = &c->host->proxy;
 	struct tls_config *conf = NULL;
 
-	c->type = REQUEST_PROXY;
-
 	if ((conf = tls_config_new()) == NULL)
 		return -1;
 
@@ -327,7 +335,24 @@ proxy_init(struct client *c)
 
 err:
 	tls_config_free(conf);
-	if (c->proxyctx != NULL)
+	if (c->proxyctx != NULL) {
 		tls_free(c->proxyctx);
+		c->proxyctx = NULL;
+	}
 	return -1;
 }
+
+int
+proxy_init(struct client *c)
+{
+	struct proxy *p = &c->host->proxy;
+
+	c->type = REQUEST_PROXY;
+
+	if (p->notls) {
+		proxy_enqueue_req(c);
+		return 0;
+	}
+
+	return proxy_setup_tls(c);
+}

server.c

@@ -1239,7 +1239,8 @@ client_close(struct client *c)
 		if (event_pending(&c->proxyev, EV_READ|EV_WRITE, NULL))
 			event_del(&c->proxyev);
 
-		if (c->pfd != -1) {
+		if (c->pfd != -1 && c->proxyctx != NULL) {
+			/* shut down the proxy TLS connection */
 			client_proxy_close(c->pfd, 0, c->proxyctx);
 			c->pfd = -1;
 		}