xref: /unit/src/nxt_conf_validation.c (revision 2161:f8e608f69800)
1 
2 /*
3  * Copyright (C) Valentin V. Bartenev
4  * Copyright (C) NGINX, Inc.
5  */
6 
7 #include <nxt_main.h>
8 #include <nxt_conf.h>
9 #include <nxt_cert.h>
10 #include <nxt_router.h>
11 #include <nxt_http.h>
12 #include <nxt_sockaddr.h>
13 #include <nxt_http_route_addr.h>
14 #include <nxt_regex.h>
15 
16 
17 typedef enum {
18     NXT_CONF_VLDT_NULL    = 1 << NXT_CONF_NULL,
19     NXT_CONF_VLDT_BOOLEAN = 1 << NXT_CONF_BOOLEAN,
20     NXT_CONF_VLDT_INTEGER = 1 << NXT_CONF_INTEGER,
21     NXT_CONF_VLDT_NUMBER  = (1 << NXT_CONF_NUMBER) | NXT_CONF_VLDT_INTEGER,
22     NXT_CONF_VLDT_STRING  = 1 << NXT_CONF_STRING,
23     NXT_CONF_VLDT_ARRAY   = 1 << NXT_CONF_ARRAY,
24     NXT_CONF_VLDT_OBJECT  = 1 << NXT_CONF_OBJECT,
25 } nxt_conf_vldt_type_t;
26 
27 #define NXT_CONF_VLDT_ANY_TYPE  (NXT_CONF_VLDT_NULL                           \
28                                  |NXT_CONF_VLDT_BOOLEAN                       \
29                                  |NXT_CONF_VLDT_NUMBER                        \
30                                  |NXT_CONF_VLDT_STRING                        \
31                                  |NXT_CONF_VLDT_ARRAY                         \
32                                  |NXT_CONF_VLDT_OBJECT)
33 
34 
35 typedef enum {
36     NXT_CONF_VLDT_REQUIRED  = 1 << 0,
37     NXT_CONF_VLDT_VAR       = 1 << 1,
38 } nxt_conf_vldt_flags_t;
39 
40 
41 typedef nxt_int_t (*nxt_conf_vldt_handler_t)(nxt_conf_validation_t *vldt,
42                                              nxt_conf_value_t *value,
43                                              void *data);
44 typedef nxt_int_t (*nxt_conf_vldt_member_t)(nxt_conf_validation_t *vldt,
45                                             nxt_str_t *name,
46                                             nxt_conf_value_t *value);
47 typedef nxt_int_t (*nxt_conf_vldt_element_t)(nxt_conf_validation_t *vldt,
48                                              nxt_conf_value_t *value);
49 
50 
51 typedef struct nxt_conf_vldt_object_s  nxt_conf_vldt_object_t;
52 
53 struct nxt_conf_vldt_object_s {
54     nxt_str_t                     name;
55     nxt_conf_vldt_type_t          type:32;
56     nxt_conf_vldt_flags_t         flags:32;
57     nxt_conf_vldt_handler_t       validator;
58 
59     union {
60         nxt_conf_vldt_object_t    *members;
61         nxt_conf_vldt_object_t    *next;
62         nxt_conf_vldt_member_t    object;
63         nxt_conf_vldt_element_t   array;
64         const char                *string;
65     } u;
66 };
67 
68 
69 #define NXT_CONF_VLDT_NEXT(next)  { .u.members = next }
70 #define NXT_CONF_VLDT_END         { .name = nxt_null_string }
71 
72 
73 static nxt_int_t nxt_conf_vldt_type(nxt_conf_validation_t *vldt,
74     nxt_str_t *name, nxt_conf_value_t *value, nxt_conf_vldt_type_t type);
75 static nxt_int_t nxt_conf_vldt_error(nxt_conf_validation_t *vldt,
76     const char *fmt, ...);
77 static nxt_int_t nxt_conf_vldt_var(nxt_conf_validation_t *vldt, nxt_str_t *name,
78     nxt_str_t *value);
79 nxt_inline nxt_int_t nxt_conf_vldt_unsupported(nxt_conf_validation_t *vldt,
80     nxt_conf_value_t *value, void *data)
81     NXT_MAYBE_UNUSED;
82 
83 static nxt_int_t nxt_conf_vldt_mtypes(nxt_conf_validation_t *vldt,
84     nxt_conf_value_t *value, void *data);
85 static nxt_int_t nxt_conf_vldt_mtypes_type(nxt_conf_validation_t *vldt,
86     nxt_str_t *name, nxt_conf_value_t *value);
87 static nxt_int_t nxt_conf_vldt_mtypes_extension(nxt_conf_validation_t *vldt,
88     nxt_conf_value_t *value);
89 static nxt_int_t nxt_conf_vldt_listener(nxt_conf_validation_t *vldt,
90     nxt_str_t *name, nxt_conf_value_t *value);
91 #if (NXT_TLS)
92 static nxt_int_t nxt_conf_vldt_certificate(nxt_conf_validation_t *vldt,
93     nxt_conf_value_t *value, void *data);
94 #if (NXT_HAVE_OPENSSL_CONF_CMD)
95 static nxt_int_t nxt_conf_vldt_object_conf_commands(nxt_conf_validation_t *vldt,
96     nxt_conf_value_t *value, void *data);
97 #endif
98 static nxt_int_t nxt_conf_vldt_certificate_element(nxt_conf_validation_t *vldt,
99     nxt_conf_value_t *value);
100 static nxt_int_t nxt_conf_vldt_tls_cache_size(nxt_conf_validation_t *vldt,
101     nxt_conf_value_t *value, void *data);
102 static nxt_int_t nxt_conf_vldt_tls_timeout(nxt_conf_validation_t *vldt,
103     nxt_conf_value_t *value, void *data);
104 #if (NXT_HAVE_OPENSSL_TLSEXT)
105 static nxt_int_t nxt_conf_vldt_ticket_key(nxt_conf_validation_t *vldt,
106     nxt_conf_value_t *value, void *data);
107 static nxt_int_t nxt_conf_vldt_ticket_key_element(nxt_conf_validation_t *vldt,
108     nxt_conf_value_t *value);
109 #endif
110 #endif
111 static nxt_int_t nxt_conf_vldt_action(nxt_conf_validation_t *vldt,
112     nxt_conf_value_t *value, void *data);
113 static nxt_int_t nxt_conf_vldt_pass(nxt_conf_validation_t *vldt,
114     nxt_conf_value_t *value, void *data);
115 static nxt_int_t nxt_conf_vldt_return(nxt_conf_validation_t *vldt,
116     nxt_conf_value_t *value, void *data);
117 static nxt_int_t nxt_conf_vldt_share(nxt_conf_validation_t *vldt,
118     nxt_conf_value_t *value, void *data);
119 static nxt_int_t nxt_conf_vldt_share_element(nxt_conf_validation_t *vldt,
120     nxt_conf_value_t *value);
121 static nxt_int_t nxt_conf_vldt_proxy(nxt_conf_validation_t *vldt,
122     nxt_conf_value_t *value, void *data);
123 static nxt_int_t nxt_conf_vldt_python(nxt_conf_validation_t *vldt,
124     nxt_conf_value_t *value, void *data);
125 static nxt_int_t nxt_conf_vldt_python_path(nxt_conf_validation_t *vldt,
126     nxt_conf_value_t *value, void *data);
127 static nxt_int_t nxt_conf_vldt_python_path_element(nxt_conf_validation_t *vldt,
128     nxt_conf_value_t *value);
129 static nxt_int_t nxt_conf_vldt_python_protocol(nxt_conf_validation_t *vldt,
130     nxt_conf_value_t *value, void *data);
131 static nxt_int_t nxt_conf_vldt_threads(nxt_conf_validation_t *vldt,
132     nxt_conf_value_t *value, void *data);
133 static nxt_int_t nxt_conf_vldt_thread_stack_size(nxt_conf_validation_t *vldt,
134     nxt_conf_value_t *value, void *data);
135 static nxt_int_t nxt_conf_vldt_routes(nxt_conf_validation_t *vldt,
136     nxt_conf_value_t *value, void *data);
137 static nxt_int_t nxt_conf_vldt_routes_member(nxt_conf_validation_t *vldt,
138     nxt_str_t *name, nxt_conf_value_t *value);
139 static nxt_int_t nxt_conf_vldt_route(nxt_conf_validation_t *vldt,
140     nxt_conf_value_t *value);
141 static nxt_int_t nxt_conf_vldt_match_encoded_patterns_sets(
142     nxt_conf_validation_t *vldt, nxt_conf_value_t *value, void *data);
143 static nxt_int_t nxt_conf_vldt_match_encoded_patterns_set(
144     nxt_conf_validation_t *vldt, nxt_conf_value_t *value);
145 static nxt_int_t nxt_conf_vldt_match_encoded_patterns_set_member(
146     nxt_conf_validation_t *vldt, nxt_str_t *name, nxt_conf_value_t *value);
147 static nxt_int_t nxt_conf_vldt_match_encoded_patterns(
148     nxt_conf_validation_t *vldt, nxt_conf_value_t *value, void *data);
149 static nxt_int_t nxt_conf_vldt_match_encoded_pattern(
150     nxt_conf_validation_t *vldt, nxt_conf_value_t *value);
151 static nxt_int_t nxt_conf_vldt_match_patterns(nxt_conf_validation_t *vldt,
152     nxt_conf_value_t *value, void *data);
153 static nxt_int_t nxt_conf_vldt_match_pattern(nxt_conf_validation_t *vldt,
154     nxt_conf_value_t *value);
155 static nxt_int_t nxt_conf_vldt_match_patterns_sets(nxt_conf_validation_t *vldt,
156     nxt_conf_value_t *value, void *data);
157 static nxt_int_t nxt_conf_vldt_match_patterns_set(nxt_conf_validation_t *vldt,
158     nxt_conf_value_t *value);
159 static nxt_int_t nxt_conf_vldt_match_patterns_set_member(
160     nxt_conf_validation_t *vldt, nxt_str_t *name, nxt_conf_value_t *value);
161 static nxt_int_t nxt_conf_vldt_match_scheme_pattern(nxt_conf_validation_t *vldt,
162     nxt_conf_value_t *value, void *data);
163 static nxt_int_t nxt_conf_vldt_match_addrs(nxt_conf_validation_t *vldt,
164     nxt_conf_value_t *value, void *data);
165 static nxt_int_t nxt_conf_vldt_match_addr(nxt_conf_validation_t *vldt,
166     nxt_conf_value_t *value);
167 static nxt_int_t nxt_conf_vldt_app_name(nxt_conf_validation_t *vldt,
168     nxt_conf_value_t *value, void *data);
169 static nxt_int_t nxt_conf_vldt_forwarded(nxt_conf_validation_t *vldt,
170     nxt_conf_value_t *value, void *data);
171 static nxt_int_t nxt_conf_vldt_app(nxt_conf_validation_t *vldt,
172     nxt_str_t *name, nxt_conf_value_t *value);
173 static nxt_int_t nxt_conf_vldt_object(nxt_conf_validation_t *vldt,
174     nxt_conf_value_t *value, void *data);
175 static nxt_int_t nxt_conf_vldt_processes(nxt_conf_validation_t *vldt,
176     nxt_conf_value_t *value, void *data);
177 static nxt_int_t nxt_conf_vldt_object_iterator(nxt_conf_validation_t *vldt,
178     nxt_conf_value_t *value, void *data);
179 static nxt_int_t nxt_conf_vldt_array_iterator(nxt_conf_validation_t *vldt,
180     nxt_conf_value_t *value, void *data);
181 static nxt_int_t nxt_conf_vldt_environment(nxt_conf_validation_t *vldt,
182     nxt_str_t *name, nxt_conf_value_t *value);
183 static nxt_int_t nxt_conf_vldt_targets_exclusive(
184     nxt_conf_validation_t *vldt, nxt_conf_value_t *value, void *data);
185 static nxt_int_t nxt_conf_vldt_targets(nxt_conf_validation_t *vldt,
186     nxt_conf_value_t *value, void *data);
187 static nxt_int_t nxt_conf_vldt_target(nxt_conf_validation_t *vldt,
188     nxt_str_t *name, nxt_conf_value_t *value);
189 static nxt_int_t nxt_conf_vldt_argument(nxt_conf_validation_t *vldt,
190     nxt_conf_value_t *value);
191 static nxt_int_t nxt_conf_vldt_php(nxt_conf_validation_t *vldt,
192     nxt_conf_value_t *value, void *data);
193 static nxt_int_t nxt_conf_vldt_php_option(nxt_conf_validation_t *vldt,
194     nxt_str_t *name, nxt_conf_value_t *value);
195 static nxt_int_t nxt_conf_vldt_java_classpath(nxt_conf_validation_t *vldt,
196     nxt_conf_value_t *value);
197 static nxt_int_t nxt_conf_vldt_java_option(nxt_conf_validation_t *vldt,
198     nxt_conf_value_t *value);
199 static nxt_int_t nxt_conf_vldt_upstream(nxt_conf_validation_t *vldt,
200     nxt_str_t *name, nxt_conf_value_t *value);
201 static nxt_int_t nxt_conf_vldt_server(nxt_conf_validation_t *vldt,
202     nxt_str_t *name, nxt_conf_value_t *value);
203 static nxt_int_t nxt_conf_vldt_server_weight(nxt_conf_validation_t *vldt,
204     nxt_conf_value_t *value, void *data);
205 
206 static nxt_int_t nxt_conf_vldt_isolation(nxt_conf_validation_t *vldt,
207     nxt_conf_value_t *value, void *data);
208 static nxt_int_t nxt_conf_vldt_clone_namespaces(nxt_conf_validation_t *vldt,
209     nxt_conf_value_t *value, void *data);
210 
211 #if (NXT_HAVE_CLONE_NEWUSER)
212 static nxt_int_t nxt_conf_vldt_clone_procmap(nxt_conf_validation_t *vldt,
213     const char* mapfile, nxt_conf_value_t *value);
214 static nxt_int_t nxt_conf_vldt_clone_uidmap(nxt_conf_validation_t *vldt,
215     nxt_conf_value_t *value);
216 static nxt_int_t nxt_conf_vldt_clone_gidmap(nxt_conf_validation_t *vldt,
217     nxt_conf_value_t *value);
218 #endif
219 
220 
221 static nxt_conf_vldt_object_t  nxt_conf_vldt_setting_members[];
222 static nxt_conf_vldt_object_t  nxt_conf_vldt_http_members[];
223 static nxt_conf_vldt_object_t  nxt_conf_vldt_websocket_members[];
224 static nxt_conf_vldt_object_t  nxt_conf_vldt_static_members[];
225 static nxt_conf_vldt_object_t  nxt_conf_vldt_forwarded_members[];
226 static nxt_conf_vldt_object_t  nxt_conf_vldt_client_ip_members[];
227 #if (NXT_TLS)
228 static nxt_conf_vldt_object_t  nxt_conf_vldt_tls_members[];
229 static nxt_conf_vldt_object_t  nxt_conf_vldt_session_members[];
230 #endif
231 static nxt_conf_vldt_object_t  nxt_conf_vldt_match_members[];
232 static nxt_conf_vldt_object_t  nxt_conf_vldt_python_target_members[];
233 static nxt_conf_vldt_object_t  nxt_conf_vldt_php_common_members[];
234 static nxt_conf_vldt_object_t  nxt_conf_vldt_php_options_members[];
235 static nxt_conf_vldt_object_t  nxt_conf_vldt_php_target_members[];
236 static nxt_conf_vldt_object_t  nxt_conf_vldt_common_members[];
237 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_limits_members[];
238 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_processes_members[];
239 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_isolation_members[];
240 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_namespaces_members[];
241 #if (NXT_HAVE_ISOLATION_ROOTFS)
242 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_automount_members[];
243 #endif
244 
245 
246 static nxt_conf_vldt_object_t  nxt_conf_vldt_root_members[] = {
247     {
248         .name       = nxt_string("settings"),
249         .type       = NXT_CONF_VLDT_OBJECT,
250         .validator  = nxt_conf_vldt_object,
251         .u.members  = nxt_conf_vldt_setting_members,
252     }, {
253         .name       = nxt_string("listeners"),
254         .type       = NXT_CONF_VLDT_OBJECT,
255         .validator  = nxt_conf_vldt_object_iterator,
256         .u.object   = nxt_conf_vldt_listener,
257     }, {
258         .name       = nxt_string("routes"),
259         .type       = NXT_CONF_VLDT_ARRAY | NXT_CONF_VLDT_OBJECT,
260         .validator  = nxt_conf_vldt_routes,
261     }, {
262         .name       = nxt_string("applications"),
263         .type       = NXT_CONF_VLDT_OBJECT,
264         .validator  = nxt_conf_vldt_object_iterator,
265         .u.object   = nxt_conf_vldt_app,
266     }, {
267         .name       = nxt_string("upstreams"),
268         .type       = NXT_CONF_VLDT_OBJECT,
269         .validator  = nxt_conf_vldt_object_iterator,
270         .u.object   = nxt_conf_vldt_upstream,
271     }, {
272         .name       = nxt_string("access_log"),
273         .type       = NXT_CONF_VLDT_STRING,
274     },
275 
276     NXT_CONF_VLDT_END
277 };
278 
279 
280 static nxt_conf_vldt_object_t  nxt_conf_vldt_setting_members[] = {
281     {
282         .name       = nxt_string("http"),
283         .type       = NXT_CONF_VLDT_OBJECT,
284         .validator  = nxt_conf_vldt_object,
285         .u.members  = nxt_conf_vldt_http_members,
286     },
287 
288     NXT_CONF_VLDT_END
289 };
290 
291 
292 static nxt_conf_vldt_object_t  nxt_conf_vldt_http_members[] = {
293     {
294         .name       = nxt_string("header_read_timeout"),
295         .type       = NXT_CONF_VLDT_INTEGER,
296     }, {
297         .name       = nxt_string("body_read_timeout"),
298         .type       = NXT_CONF_VLDT_INTEGER,
299     }, {
300         .name       = nxt_string("send_timeout"),
301         .type       = NXT_CONF_VLDT_INTEGER,
302     }, {
303         .name       = nxt_string("idle_timeout"),
304         .type       = NXT_CONF_VLDT_INTEGER,
305     }, {
306         .name       = nxt_string("body_buffer_size"),
307         .type       = NXT_CONF_VLDT_INTEGER,
308     }, {
309         .name       = nxt_string("max_body_size"),
310         .type       = NXT_CONF_VLDT_INTEGER,
311     }, {
312         .name       = nxt_string("body_temp_path"),
313         .type       = NXT_CONF_VLDT_STRING,
314     }, {
315         .name       = nxt_string("discard_unsafe_fields"),
316         .type       = NXT_CONF_VLDT_BOOLEAN,
317     }, {
318         .name       = nxt_string("websocket"),
319         .type       = NXT_CONF_VLDT_OBJECT,
320         .validator  = nxt_conf_vldt_object,
321         .u.members  = nxt_conf_vldt_websocket_members,
322     }, {
323         .name       = nxt_string("static"),
324         .type       = NXT_CONF_VLDT_OBJECT,
325         .validator  = nxt_conf_vldt_object,
326         .u.members  = nxt_conf_vldt_static_members,
327     },
328 
329     NXT_CONF_VLDT_END
330 };
331 
332 
333 static nxt_conf_vldt_object_t  nxt_conf_vldt_websocket_members[] = {
334     {
335         .name       = nxt_string("read_timeout"),
336         .type       = NXT_CONF_VLDT_INTEGER,
337     }, {
338 
339         .name       = nxt_string("keepalive_interval"),
340         .type       = NXT_CONF_VLDT_INTEGER,
341     }, {
342         .name       = nxt_string("max_frame_size"),
343         .type       = NXT_CONF_VLDT_INTEGER,
344     },
345 
346     NXT_CONF_VLDT_END
347 };
348 
349 
350 static nxt_conf_vldt_object_t  nxt_conf_vldt_static_members[] = {
351     {
352         .name       = nxt_string("mime_types"),
353         .type       = NXT_CONF_VLDT_OBJECT,
354         .validator  = nxt_conf_vldt_mtypes,
355     },
356 
357     NXT_CONF_VLDT_END
358 };
359 
360 
361 static nxt_conf_vldt_object_t  nxt_conf_vldt_listener_members[] = {
362     {
363         .name       = nxt_string("pass"),
364         .type       = NXT_CONF_VLDT_STRING,
365         .validator  = nxt_conf_vldt_pass,
366         .flags      = NXT_CONF_VLDT_VAR,
367     }, {
368         .name       = nxt_string("application"),
369         .type       = NXT_CONF_VLDT_STRING,
370         .validator  = nxt_conf_vldt_app_name,
371     }, {
372         .name       = nxt_string("forwarded"),
373         .type       = NXT_CONF_VLDT_OBJECT,
374         .validator  = nxt_conf_vldt_forwarded,
375     }, {
376         .name       = nxt_string("client_ip"),
377         .type       = NXT_CONF_VLDT_OBJECT,
378         .validator  = nxt_conf_vldt_object,
379         .u.members  = nxt_conf_vldt_client_ip_members
380     },
381 
382 #if (NXT_TLS)
383     {
384         .name       = nxt_string("tls"),
385         .type       = NXT_CONF_VLDT_OBJECT,
386         .validator  = nxt_conf_vldt_object,
387         .u.members  = nxt_conf_vldt_tls_members,
388     },
389 #endif
390 
391     NXT_CONF_VLDT_END
392 };
393 
394 
395 static nxt_conf_vldt_object_t  nxt_conf_vldt_forwarded_members[] = {
396     {
397         .name       = nxt_string("client_ip"),
398         .type       = NXT_CONF_VLDT_STRING,
399     }, {
400         .name       = nxt_string("protocol"),
401         .type       = NXT_CONF_VLDT_STRING,
402     }, {
403         .name       = nxt_string("source"),
404         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
405         .validator  = nxt_conf_vldt_match_addrs,
406         .flags      = NXT_CONF_VLDT_REQUIRED
407     }, {
408         .name       = nxt_string("recursive"),
409         .type       = NXT_CONF_VLDT_BOOLEAN,
410     },
411 
412     NXT_CONF_VLDT_END
413 };
414 
415 
416 static nxt_conf_vldt_object_t  nxt_conf_vldt_client_ip_members[] = {
417     {
418         .name       = nxt_string("source"),
419         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
420         .validator  = nxt_conf_vldt_match_addrs,
421         .flags      = NXT_CONF_VLDT_REQUIRED
422     }, {
423         .name       = nxt_string("header"),
424         .type       = NXT_CONF_VLDT_STRING,
425         .flags      = NXT_CONF_VLDT_REQUIRED
426     }, {
427         .name       = nxt_string("recursive"),
428         .type       = NXT_CONF_VLDT_BOOLEAN,
429     },
430 
431     NXT_CONF_VLDT_END
432 };
433 
434 
435 #if (NXT_TLS)
436 
437 static nxt_conf_vldt_object_t  nxt_conf_vldt_tls_members[] = {
438     {
439         .name       = nxt_string("certificate"),
440         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
441         .flags      = NXT_CONF_VLDT_REQUIRED,
442         .validator  = nxt_conf_vldt_certificate,
443     }, {
444         .name       = nxt_string("conf_commands"),
445         .type       = NXT_CONF_VLDT_OBJECT,
446 #if (NXT_HAVE_OPENSSL_CONF_CMD)
447         .validator  = nxt_conf_vldt_object_conf_commands,
448 #else
449         .validator  = nxt_conf_vldt_unsupported,
450         .u.string   = "conf_commands",
451 #endif
452     }, {
453         .name       = nxt_string("session"),
454         .type       = NXT_CONF_VLDT_OBJECT,
455         .validator  = nxt_conf_vldt_object,
456         .u.members  = nxt_conf_vldt_session_members,
457     },
458 
459     NXT_CONF_VLDT_END
460 };
461 
462 
463 static nxt_conf_vldt_object_t  nxt_conf_vldt_session_members[] = {
464     {
465         .name       = nxt_string("cache_size"),
466         .type       = NXT_CONF_VLDT_INTEGER,
467         .validator  = nxt_conf_vldt_tls_cache_size,
468     }, {
469         .name       = nxt_string("timeout"),
470         .type       = NXT_CONF_VLDT_INTEGER,
471         .validator  = nxt_conf_vldt_tls_timeout,
472     }, {
473         .name       = nxt_string("tickets"),
474         .type       = NXT_CONF_VLDT_STRING
475                      | NXT_CONF_VLDT_ARRAY
476                      | NXT_CONF_VLDT_BOOLEAN,
477 #if (NXT_HAVE_OPENSSL_TLSEXT)
478         .validator  = nxt_conf_vldt_ticket_key,
479 #else
480         .validator  = nxt_conf_vldt_unsupported,
481         .u.string   = "tickets",
482 #endif
483     },
484 
485     NXT_CONF_VLDT_END
486 };
487 
488 
489 static nxt_int_t
490 nxt_conf_vldt_tls_cache_size(nxt_conf_validation_t *vldt,
491     nxt_conf_value_t *value, void *data)
492 {
493     int64_t  cache_size;
494 
495     cache_size = nxt_conf_get_number(value);
496 
497     if (cache_size < 0) {
498         return nxt_conf_vldt_error(vldt, "The \"cache_size\" number must not "
499                                          "be negative.");
500     }
501 
502     return NXT_OK;
503 }
504 
505 
506 static nxt_int_t
507 nxt_conf_vldt_tls_timeout(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
508     void *data)
509 {
510     int64_t  timeout;
511 
512     timeout = nxt_conf_get_number(value);
513 
514     if (timeout <= 0) {
515         return nxt_conf_vldt_error(vldt, "The \"timeout\" number must be "
516                                          "greater than zero.");
517     }
518 
519     return NXT_OK;
520 }
521 
522 #endif
523 
524 #if (NXT_HAVE_OPENSSL_TLSEXT)
525 
526 static nxt_int_t
527 nxt_conf_vldt_ticket_key(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
528     void *data)
529 {
530     if (nxt_conf_type(value) == NXT_CONF_BOOLEAN) {
531         return NXT_OK;
532     }
533 
534     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
535         return nxt_conf_vldt_array_iterator(vldt, value,
536                                             &nxt_conf_vldt_ticket_key_element);
537     }
538 
539     /* NXT_CONF_STRING */
540 
541     return nxt_conf_vldt_ticket_key_element(vldt, value);
542 }
543 
544 
545 static nxt_int_t
546 nxt_conf_vldt_ticket_key_element(nxt_conf_validation_t *vldt,
547     nxt_conf_value_t *value)
548 {
549     ssize_t    ret;
550     nxt_str_t  key;
551 
552     if (nxt_conf_type(value) != NXT_CONF_STRING) {
553         return nxt_conf_vldt_error(vldt, "The \"key\" array must "
554                                    "contain only string values.");
555     }
556 
557     nxt_conf_get_string(value, &key);
558 
559     ret = nxt_base64_decode(NULL, key.start, key.length);
560     if (ret == NXT_ERROR) {
561         return nxt_conf_vldt_error(vldt, "Invalid Base64 format for the ticket "
562                                    "key \"%V\".", &key);
563     }
564 
565     if (ret != 48 && ret != 80) {
566         return nxt_conf_vldt_error(vldt, "Invalid length %d of the ticket "
567                                    "key \"%V\".  Must be 48 or 80 bytes.",
568                                    ret, &key);
569     }
570 
571     return NXT_OK;
572 }
573 
574 #endif
575 
576 
577 static nxt_conf_vldt_object_t  nxt_conf_vldt_route_members[] = {
578     {
579         .name       = nxt_string("match"),
580         .type       = NXT_CONF_VLDT_OBJECT,
581         .validator  = nxt_conf_vldt_object,
582         .u.members  = nxt_conf_vldt_match_members,
583     }, {
584         .name       = nxt_string("action"),
585         .type       = NXT_CONF_VLDT_OBJECT,
586         .validator  = nxt_conf_vldt_action,
587     },
588 
589     NXT_CONF_VLDT_END
590 };
591 
592 
593 static nxt_conf_vldt_object_t  nxt_conf_vldt_match_members[] = {
594     {
595         .name       = nxt_string("method"),
596         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
597         .validator  = nxt_conf_vldt_match_patterns,
598         .u.string   = "method",
599     }, {
600         .name       = nxt_string("scheme"),
601         .type       = NXT_CONF_VLDT_STRING,
602         .validator  = nxt_conf_vldt_match_scheme_pattern,
603     }, {
604         .name       = nxt_string("host"),
605         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
606         .validator  = nxt_conf_vldt_match_patterns,
607         .u.string   = "host",
608     }, {
609         .name       = nxt_string("source"),
610         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
611         .validator  = nxt_conf_vldt_match_addrs,
612     }, {
613         .name       = nxt_string("destination"),
614         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
615         .validator  = nxt_conf_vldt_match_addrs,
616     }, {
617         .name       = nxt_string("uri"),
618         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
619         .validator  = nxt_conf_vldt_match_encoded_patterns,
620         .u.string   = "uri"
621     }, {
622         .name       = nxt_string("query"),
623         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
624         .validator  = nxt_conf_vldt_match_encoded_patterns,
625         .u.string   = "query"
626     }, {
627         .name       = nxt_string("arguments"),
628         .type       = NXT_CONF_VLDT_OBJECT | NXT_CONF_VLDT_ARRAY,
629         .validator  = nxt_conf_vldt_match_encoded_patterns_sets,
630     }, {
631         .name       = nxt_string("headers"),
632         .type       = NXT_CONF_VLDT_OBJECT | NXT_CONF_VLDT_ARRAY,
633         .validator  = nxt_conf_vldt_match_patterns_sets,
634         .u.string   = "headers"
635     }, {
636         .name       = nxt_string("cookies"),
637         .type       = NXT_CONF_VLDT_OBJECT | NXT_CONF_VLDT_ARRAY,
638         .validator  = nxt_conf_vldt_match_patterns_sets,
639         .u.string   = "cookies"
640     },
641 
642     NXT_CONF_VLDT_END
643 };
644 
645 
646 static nxt_conf_vldt_object_t  nxt_conf_vldt_pass_action_members[] = {
647     {
648         .name       = nxt_string("pass"),
649         .type       = NXT_CONF_VLDT_STRING,
650         .validator  = nxt_conf_vldt_pass,
651         .flags      = NXT_CONF_VLDT_VAR,
652     },
653 
654     NXT_CONF_VLDT_END
655 };
656 
657 
658 static nxt_conf_vldt_object_t  nxt_conf_vldt_return_action_members[] = {
659     {
660         .name       = nxt_string("return"),
661         .type       = NXT_CONF_VLDT_INTEGER,
662         .validator  = nxt_conf_vldt_return,
663     }, {
664         .name       = nxt_string("location"),
665         .type       = NXT_CONF_VLDT_STRING,
666         .flags      = NXT_CONF_VLDT_VAR,
667     },
668 
669     NXT_CONF_VLDT_END
670 };
671 
672 
673 static nxt_conf_vldt_object_t  nxt_conf_vldt_share_action_members[] = {
674     {
675         .name       = nxt_string("share"),
676         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
677         .validator  = nxt_conf_vldt_share,
678     }, {
679         .name       = nxt_string("index"),
680         .type       = NXT_CONF_VLDT_STRING,
681     }, {
682         .name       = nxt_string("types"),
683         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
684         .validator  = nxt_conf_vldt_match_patterns,
685     }, {
686         .name       = nxt_string("fallback"),
687         .type       = NXT_CONF_VLDT_OBJECT,
688         .validator  = nxt_conf_vldt_action,
689     }, {
690         .name       = nxt_string("chroot"),
691         .type       = NXT_CONF_VLDT_STRING,
692 #if !(NXT_HAVE_OPENAT2)
693         .validator  = nxt_conf_vldt_unsupported,
694         .u.string   = "chroot",
695 #endif
696         .flags      = NXT_CONF_VLDT_VAR,
697     }, {
698         .name       = nxt_string("follow_symlinks"),
699         .type       = NXT_CONF_VLDT_BOOLEAN,
700 #if !(NXT_HAVE_OPENAT2)
701         .validator  = nxt_conf_vldt_unsupported,
702         .u.string   = "follow_symlinks",
703 #endif
704     }, {
705         .name       = nxt_string("traverse_mounts"),
706         .type       = NXT_CONF_VLDT_BOOLEAN,
707 #if !(NXT_HAVE_OPENAT2)
708         .validator  = nxt_conf_vldt_unsupported,
709         .u.string   = "traverse_mounts",
710 #endif
711     },
712 
713     NXT_CONF_VLDT_END
714 };
715 
716 
717 static nxt_conf_vldt_object_t  nxt_conf_vldt_proxy_action_members[] = {
718     {
719         .name       = nxt_string("proxy"),
720         .type       = NXT_CONF_VLDT_STRING,
721         .validator  = nxt_conf_vldt_proxy,
722     },
723 
724     NXT_CONF_VLDT_END
725 };
726 
727 
728 static nxt_conf_vldt_object_t  nxt_conf_vldt_external_members[] = {
729     {
730         .name       = nxt_string("executable"),
731         .type       = NXT_CONF_VLDT_STRING,
732         .flags      = NXT_CONF_VLDT_REQUIRED,
733     }, {
734         .name       = nxt_string("arguments"),
735         .type       = NXT_CONF_VLDT_ARRAY,
736         .validator  = nxt_conf_vldt_array_iterator,
737         .u.array    = nxt_conf_vldt_argument,
738     },
739 
740     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_common_members)
741 };
742 
743 
744 static nxt_conf_vldt_object_t  nxt_conf_vldt_python_common_members[] = {
745     {
746         .name       = nxt_string("home"),
747         .type       = NXT_CONF_VLDT_STRING,
748     }, {
749         .name       = nxt_string("path"),
750         .type       = NXT_CONF_VLDT_STRING | NXT_CONF_VLDT_ARRAY,
751         .validator  = nxt_conf_vldt_python_path,
752     }, {
753         .name       = nxt_string("protocol"),
754         .type       = NXT_CONF_VLDT_STRING,
755         .validator  = nxt_conf_vldt_python_protocol,
756     }, {
757         .name       = nxt_string("threads"),
758         .type       = NXT_CONF_VLDT_INTEGER,
759         .validator  = nxt_conf_vldt_threads,
760     }, {
761         .name       = nxt_string("thread_stack_size"),
762         .type       = NXT_CONF_VLDT_INTEGER,
763         .validator  = nxt_conf_vldt_thread_stack_size,
764     },
765 
766     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_common_members)
767 };
768 
769 static nxt_conf_vldt_object_t  nxt_conf_vldt_python_members[] = {
770     {
771         .name       = nxt_string("module"),
772         .type       = NXT_CONF_VLDT_STRING,
773         .validator  = nxt_conf_vldt_targets_exclusive,
774         .u.string   = "module",
775     }, {
776         .name       = nxt_string("callable"),
777         .type       = NXT_CONF_VLDT_STRING,
778         .validator  = nxt_conf_vldt_targets_exclusive,
779         .u.string   = "callable",
780     }, {
781         .name       = nxt_string("targets"),
782         .type       = NXT_CONF_VLDT_OBJECT,
783         .validator  = nxt_conf_vldt_targets,
784         .u.members  = nxt_conf_vldt_python_target_members
785     },
786 
787     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_python_common_members)
788 };
789 
790 
791 static nxt_conf_vldt_object_t  nxt_conf_vldt_python_target_members[] = {
792     {
793         .name       = nxt_string("module"),
794         .type       = NXT_CONF_VLDT_STRING,
795         .flags      = NXT_CONF_VLDT_REQUIRED,
796     }, {
797         .name       = nxt_string("callable"),
798         .type       = NXT_CONF_VLDT_STRING,
799     },
800 
801     NXT_CONF_VLDT_END
802 };
803 
804 
805 static nxt_conf_vldt_object_t  nxt_conf_vldt_python_notargets_members[] = {
806     {
807         .name       = nxt_string("module"),
808         .type       = NXT_CONF_VLDT_STRING,
809         .flags      = NXT_CONF_VLDT_REQUIRED,
810     }, {
811         .name       = nxt_string("callable"),
812         .type       = NXT_CONF_VLDT_STRING,
813     },
814 
815     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_python_common_members)
816 };
817 
818 
819 static nxt_conf_vldt_object_t  nxt_conf_vldt_php_members[] = {
820     {
821         .name       = nxt_string("root"),
822         .type       = NXT_CONF_VLDT_ANY_TYPE,
823         .validator  = nxt_conf_vldt_targets_exclusive,
824         .u.string   = "root",
825     }, {
826         .name       = nxt_string("script"),
827         .type       = NXT_CONF_VLDT_ANY_TYPE,
828         .validator  = nxt_conf_vldt_targets_exclusive,
829         .u.string   = "script",
830     }, {
831         .name       = nxt_string("index"),
832         .type       = NXT_CONF_VLDT_ANY_TYPE,
833         .validator  = nxt_conf_vldt_targets_exclusive,
834         .u.string   = "index",
835     }, {
836         .name       = nxt_string("targets"),
837         .type       = NXT_CONF_VLDT_OBJECT,
838         .validator  = nxt_conf_vldt_targets,
839         .u.members  = nxt_conf_vldt_php_target_members
840     },
841 
842     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_php_common_members)
843 };
844 
845 
846 static nxt_conf_vldt_object_t  nxt_conf_vldt_php_common_members[] = {
847     {
848         .name       = nxt_string("options"),
849         .type       = NXT_CONF_VLDT_OBJECT,
850         .validator  = nxt_conf_vldt_object,
851         .u.members  = nxt_conf_vldt_php_options_members,
852     },
853 
854     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_common_members)
855 };
856 
857 
858 static nxt_conf_vldt_object_t  nxt_conf_vldt_php_options_members[] = {
859     {
860         .name       = nxt_string("file"),
861         .type       = NXT_CONF_VLDT_STRING,
862     }, {
863         .name       = nxt_string("admin"),
864         .type       = NXT_CONF_VLDT_OBJECT,
865         .validator  = nxt_conf_vldt_object_iterator,
866         .u.object   = nxt_conf_vldt_php_option,
867     }, {
868         .name       = nxt_string("user"),
869         .type       = NXT_CONF_VLDT_OBJECT,
870         .validator  = nxt_conf_vldt_object_iterator,
871         .u.object   = nxt_conf_vldt_php_option,
872     },
873 
874     NXT_CONF_VLDT_END
875 };
876 
877 
878 static nxt_conf_vldt_object_t  nxt_conf_vldt_php_target_members[] = {
879     {
880         .name       = nxt_string("root"),
881         .type       = NXT_CONF_VLDT_STRING,
882         .flags      = NXT_CONF_VLDT_REQUIRED,
883     }, {
884         .name       = nxt_string("script"),
885         .type       = NXT_CONF_VLDT_STRING,
886     }, {
887         .name       = nxt_string("index"),
888         .type       = NXT_CONF_VLDT_STRING,
889     },
890 
891     NXT_CONF_VLDT_END
892 };
893 
894 
895 static nxt_conf_vldt_object_t  nxt_conf_vldt_php_notargets_members[] = {
896     {
897         .name       = nxt_string("root"),
898         .type       = NXT_CONF_VLDT_STRING,
899         .flags      = NXT_CONF_VLDT_REQUIRED,
900     }, {
901         .name       = nxt_string("script"),
902         .type       = NXT_CONF_VLDT_STRING,
903     }, {
904         .name       = nxt_string("index"),
905         .type       = NXT_CONF_VLDT_STRING,
906     },
907 
908     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_php_common_members)
909 };
910 
911 
912 static nxt_conf_vldt_object_t  nxt_conf_vldt_perl_members[] = {
913     {
914         .name       = nxt_string("script"),
915         .type       = NXT_CONF_VLDT_STRING,
916         .flags      = NXT_CONF_VLDT_REQUIRED,
917     }, {
918         .name       = nxt_string("threads"),
919         .type       = NXT_CONF_VLDT_INTEGER,
920         .validator  = nxt_conf_vldt_threads,
921     }, {
922         .name       = nxt_string("thread_stack_size"),
923         .type       = NXT_CONF_VLDT_INTEGER,
924         .validator  = nxt_conf_vldt_thread_stack_size,
925     },
926 
927     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_common_members)
928 };
929 
930 
931 static nxt_conf_vldt_object_t  nxt_conf_vldt_ruby_members[] = {
932     {
933         .name       = nxt_string("script"),
934         .type       = NXT_CONF_VLDT_STRING,
935         .flags      = NXT_CONF_VLDT_REQUIRED,
936     }, {
937         .name       = nxt_string("threads"),
938         .type       = NXT_CONF_VLDT_INTEGER,
939         .validator  = nxt_conf_vldt_threads,
940     }, {
941         .name       = nxt_string("hooks"),
942         .type       = NXT_CONF_VLDT_STRING
943     },
944 
945     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_common_members)
946 };
947 
948 
949 static nxt_conf_vldt_object_t  nxt_conf_vldt_java_members[] = {
950     {
951         .name       = nxt_string("classpath"),
952         .type       = NXT_CONF_VLDT_ARRAY,
953         .validator  = nxt_conf_vldt_array_iterator,
954         .u.array    = nxt_conf_vldt_java_classpath,
955     }, {
956         .name       = nxt_string("webapp"),
957         .type       = NXT_CONF_VLDT_STRING,
958         .flags      = NXT_CONF_VLDT_REQUIRED,
959     }, {
960         .name       = nxt_string("options"),
961         .type       = NXT_CONF_VLDT_ARRAY,
962         .validator  = nxt_conf_vldt_array_iterator,
963         .u.array    = nxt_conf_vldt_java_option,
964     }, {
965         .name       = nxt_string("unit_jars"),
966         .type       = NXT_CONF_VLDT_STRING,
967     }, {
968         .name       = nxt_string("threads"),
969         .type       = NXT_CONF_VLDT_INTEGER,
970         .validator  = nxt_conf_vldt_threads,
971     }, {
972         .name       = nxt_string("thread_stack_size"),
973         .type       = NXT_CONF_VLDT_INTEGER,
974         .validator  = nxt_conf_vldt_thread_stack_size,
975     },
976 
977     NXT_CONF_VLDT_NEXT(nxt_conf_vldt_common_members)
978 };
979 
980 
981 static nxt_conf_vldt_object_t  nxt_conf_vldt_common_members[] = {
982     {
983         .name       = nxt_string("type"),
984         .type       = NXT_CONF_VLDT_STRING,
985     }, {
986         .name       = nxt_string("limits"),
987         .type       = NXT_CONF_VLDT_OBJECT,
988         .validator  = nxt_conf_vldt_object,
989         .u.members  = nxt_conf_vldt_app_limits_members,
990     }, {
991         .name       = nxt_string("processes"),
992         .type       = NXT_CONF_VLDT_INTEGER | NXT_CONF_VLDT_OBJECT,
993         .validator  = nxt_conf_vldt_processes,
994         .u.members  = nxt_conf_vldt_app_processes_members,
995     }, {
996         .name       = nxt_string("user"),
997         .type       = NXT_CONF_VLDT_STRING,
998     }, {
999         .name       = nxt_string("group"),
1000         .type       = NXT_CONF_VLDT_STRING,
1001     }, {
1002         .name       = nxt_string("working_directory"),
1003         .type       = NXT_CONF_VLDT_STRING,
1004     }, {
1005         .name       = nxt_string("environment"),
1006         .type       = NXT_CONF_VLDT_OBJECT,
1007         .validator  = nxt_conf_vldt_object_iterator,
1008         .u.object   = nxt_conf_vldt_environment,
1009     }, {
1010         .name       = nxt_string("isolation"),
1011         .type       = NXT_CONF_VLDT_OBJECT,
1012         .validator  = nxt_conf_vldt_isolation,
1013         .u.members  = nxt_conf_vldt_app_isolation_members,
1014     },
1015 
1016     NXT_CONF_VLDT_END
1017 };
1018 
1019 
1020 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_limits_members[] = {
1021     {
1022         .name       = nxt_string("timeout"),
1023         .type       = NXT_CONF_VLDT_INTEGER,
1024     }, {
1025         .name       = nxt_string("requests"),
1026         .type       = NXT_CONF_VLDT_INTEGER,
1027     }, {
1028         .name       = nxt_string("shm"),
1029         .type       = NXT_CONF_VLDT_INTEGER,
1030     },
1031 
1032     NXT_CONF_VLDT_END
1033 };
1034 
1035 
1036 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_processes_members[] = {
1037     {
1038         .name       = nxt_string("spare"),
1039         .type       = NXT_CONF_VLDT_INTEGER,
1040     }, {
1041         .name       = nxt_string("max"),
1042         .type       = NXT_CONF_VLDT_INTEGER,
1043     }, {
1044         .name       = nxt_string("idle_timeout"),
1045         .type       = NXT_CONF_VLDT_INTEGER,
1046     },
1047 
1048     NXT_CONF_VLDT_END
1049 };
1050 
1051 
1052 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_isolation_members[] = {
1053     {
1054         .name       = nxt_string("namespaces"),
1055         .type       = NXT_CONF_VLDT_OBJECT,
1056         .validator  = nxt_conf_vldt_clone_namespaces,
1057         .u.members  = nxt_conf_vldt_app_namespaces_members,
1058     },
1059 
1060 #if (NXT_HAVE_CLONE_NEWUSER)
1061     {
1062         .name       = nxt_string("uidmap"),
1063         .type       = NXT_CONF_VLDT_ARRAY,
1064         .validator  = nxt_conf_vldt_array_iterator,
1065         .u.array    = nxt_conf_vldt_clone_uidmap,
1066     }, {
1067         .name       = nxt_string("gidmap"),
1068         .type       = NXT_CONF_VLDT_ARRAY,
1069         .validator  = nxt_conf_vldt_array_iterator,
1070         .u.array    = nxt_conf_vldt_clone_gidmap,
1071     },
1072 #endif
1073 
1074 #if (NXT_HAVE_ISOLATION_ROOTFS)
1075     {
1076         .name       = nxt_string("rootfs"),
1077         .type       = NXT_CONF_VLDT_STRING,
1078     }, {
1079         .name       = nxt_string("automount"),
1080         .type       = NXT_CONF_VLDT_OBJECT,
1081         .validator  = nxt_conf_vldt_object,
1082         .u.members  = nxt_conf_vldt_app_automount_members,
1083     },
1084 #endif
1085 
1086 #if (NXT_HAVE_PR_SET_NO_NEW_PRIVS)
1087     {
1088         .name       = nxt_string("new_privs"),
1089         .type       = NXT_CONF_VLDT_BOOLEAN,
1090     },
1091 #endif
1092 
1093     NXT_CONF_VLDT_END
1094 };
1095 
1096 
1097 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_namespaces_members[] = {
1098 
1099 #if (NXT_HAVE_CLONE_NEWUSER)
1100     {
1101         .name       = nxt_string("credential"),
1102         .type       = NXT_CONF_VLDT_BOOLEAN,
1103     },
1104 #endif
1105 
1106 #if (NXT_HAVE_CLONE_NEWPID)
1107     {
1108         .name       = nxt_string("pid"),
1109         .type       = NXT_CONF_VLDT_BOOLEAN,
1110     },
1111 #endif
1112 
1113 #if (NXT_HAVE_CLONE_NEWNET)
1114     {
1115         .name       = nxt_string("network"),
1116         .type       = NXT_CONF_VLDT_BOOLEAN,
1117     },
1118 #endif
1119 
1120 #if (NXT_HAVE_CLONE_NEWNS)
1121     {
1122         .name       = nxt_string("mount"),
1123         .type       = NXT_CONF_VLDT_BOOLEAN,
1124     },
1125 #endif
1126 
1127 #if (NXT_HAVE_CLONE_NEWUTS)
1128     {
1129         .name       = nxt_string("uname"),
1130         .type       = NXT_CONF_VLDT_BOOLEAN,
1131     },
1132 #endif
1133 
1134 #if (NXT_HAVE_CLONE_NEWCGROUP)
1135     {
1136         .name       = nxt_string("cgroup"),
1137         .type       = NXT_CONF_VLDT_BOOLEAN,
1138     },
1139 #endif
1140 
1141     NXT_CONF_VLDT_END
1142 };
1143 
1144 
1145 #if (NXT_HAVE_ISOLATION_ROOTFS)
1146 
1147 static nxt_conf_vldt_object_t  nxt_conf_vldt_app_automount_members[] = {
1148     {
1149         .name       = nxt_string("language_deps"),
1150         .type       = NXT_CONF_VLDT_BOOLEAN,
1151     }, {
1152         .name       = nxt_string("tmpfs"),
1153         .type       = NXT_CONF_VLDT_BOOLEAN,
1154     }, {
1155         .name       = nxt_string("procfs"),
1156         .type       = NXT_CONF_VLDT_BOOLEAN,
1157     },
1158 
1159     NXT_CONF_VLDT_END
1160 };
1161 
1162 #endif
1163 
1164 
1165 #if (NXT_HAVE_CLONE_NEWUSER)
1166 
1167 static nxt_conf_vldt_object_t nxt_conf_vldt_app_procmap_members[] = {
1168     {
1169         .name       = nxt_string("container"),
1170         .type       = NXT_CONF_VLDT_INTEGER,
1171     }, {
1172         .name       = nxt_string("host"),
1173         .type       = NXT_CONF_VLDT_INTEGER,
1174     }, {
1175         .name       = nxt_string("size"),
1176         .type       = NXT_CONF_VLDT_INTEGER,
1177     },
1178 
1179     NXT_CONF_VLDT_END
1180 };
1181 
1182 #endif
1183 
1184 
1185 static nxt_conf_vldt_object_t  nxt_conf_vldt_upstream_members[] = {
1186     {
1187         .name       = nxt_string("servers"),
1188         .type       = NXT_CONF_VLDT_OBJECT,
1189         .validator  = nxt_conf_vldt_object_iterator,
1190         .u.object   = nxt_conf_vldt_server,
1191     },
1192 
1193     NXT_CONF_VLDT_END
1194 };
1195 
1196 
1197 static nxt_conf_vldt_object_t  nxt_conf_vldt_upstream_server_members[] = {
1198     {
1199         .name       = nxt_string("weight"),
1200         .type       = NXT_CONF_VLDT_NUMBER,
1201         .validator  = nxt_conf_vldt_server_weight,
1202     },
1203 
1204     NXT_CONF_VLDT_END
1205 };
1206 
1207 
1208 nxt_int_t
1209 nxt_conf_validate(nxt_conf_validation_t *vldt)
1210 {
1211     nxt_int_t  ret;
1212 
1213     vldt->var_fields = nxt_array_create(vldt->pool, 4, sizeof(nxt_var_field_t));
1214     if (nxt_slow_path(vldt->var_fields == NULL)) {
1215         return NXT_ERROR;
1216     }
1217 
1218     ret = nxt_conf_vldt_type(vldt, NULL, vldt->conf, NXT_CONF_VLDT_OBJECT);
1219     if (ret != NXT_OK) {
1220         return ret;
1221     }
1222 
1223     return nxt_conf_vldt_object(vldt, vldt->conf, nxt_conf_vldt_root_members);
1224 }
1225 
1226 
1227 #define NXT_CONF_VLDT_ANY_TYPE_STR                                            \
1228     "either a null, a boolean, an integer, "                                  \
1229     "a number, a string, an array, or an object"
1230 
1231 
1232 static nxt_int_t
1233 nxt_conf_vldt_type(nxt_conf_validation_t *vldt, nxt_str_t *name,
1234     nxt_conf_value_t *value, nxt_conf_vldt_type_t type)
1235 {
1236     u_char      *p;
1237     nxt_str_t   expected;
1238     nxt_bool_t  comma;
1239     nxt_uint_t  value_type, n, t;
1240     u_char      buf[nxt_length(NXT_CONF_VLDT_ANY_TYPE_STR)];
1241 
1242     static nxt_str_t  type_name[] = {
1243         nxt_string("a null"),
1244         nxt_string("a boolean"),
1245         nxt_string("an integer number"),
1246         nxt_string("a fractional number"),
1247         nxt_string("a string"),
1248         nxt_string("an array"),
1249         nxt_string("an object"),
1250     };
1251 
1252     value_type = nxt_conf_type(value);
1253 
1254     if ((1 << value_type) & type) {
1255         return NXT_OK;
1256     }
1257 
1258     p = buf;
1259 
1260     n = nxt_popcount(type);
1261 
1262     if (n > 1) {
1263         p = nxt_cpymem(p, "either ", 7);
1264     }
1265 
1266     comma = (n > 2);
1267 
1268     for ( ;; ) {
1269         t = __builtin_ffs(type) - 1;
1270 
1271         p = nxt_cpymem(p, type_name[t].start, type_name[t].length);
1272 
1273         n--;
1274 
1275         if (n == 0) {
1276             break;
1277         }
1278 
1279         if (comma) {
1280             *p++ = ',';
1281         }
1282 
1283         if (n == 1) {
1284             p = nxt_cpymem(p, " or", 3);
1285         }
1286 
1287         *p++ = ' ';
1288 
1289         type = type & ~(1 << t);
1290     }
1291 
1292     expected.length = p - buf;
1293     expected.start = buf;
1294 
1295     if (name == NULL) {
1296         return nxt_conf_vldt_error(vldt,
1297                                    "The configuration must be %V, but not %V.",
1298                                    &expected, &type_name[value_type]);
1299     }
1300 
1301     return nxt_conf_vldt_error(vldt,
1302                                "The \"%V\" value must be %V, but not %V.",
1303                                name, &expected, &type_name[value_type]);
1304 }
1305 
1306 
1307 static nxt_int_t
1308 nxt_conf_vldt_error(nxt_conf_validation_t *vldt, const char *fmt, ...)
1309 {
1310     u_char   *p, *end;
1311     size_t   size;
1312     va_list  args;
1313     u_char   error[NXT_MAX_ERROR_STR];
1314 
1315     va_start(args, fmt);
1316     end = nxt_vsprintf(error, error + NXT_MAX_ERROR_STR, fmt, args);
1317     va_end(args);
1318 
1319     size = end - error;
1320 
1321     p = nxt_mp_nget(vldt->pool, size);
1322     if (p == NULL) {
1323         return NXT_ERROR;
1324     }
1325 
1326     nxt_memcpy(p, error, size);
1327 
1328     vldt->error.length = size;
1329     vldt->error.start = p;
1330 
1331     return NXT_DECLINED;
1332 }
1333 
1334 
1335 nxt_inline nxt_int_t
1336 nxt_conf_vldt_unsupported(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1337     void *data)
1338 {
1339     return nxt_conf_vldt_error(vldt, "Unit is built without the \"%s\" "
1340                                      "option support.", data);
1341 }
1342 
1343 
1344 static nxt_int_t
1345 nxt_conf_vldt_var(nxt_conf_validation_t *vldt, nxt_str_t *name,
1346     nxt_str_t *value)
1347 {
1348     u_char  error[NXT_MAX_ERROR_STR];
1349 
1350     if (nxt_var_test(value, vldt->var_fields, error) != NXT_OK) {
1351         return nxt_conf_vldt_error(vldt, "%s in the \"%V\" value.",
1352                                    error, name);
1353     }
1354 
1355     return NXT_OK;
1356 }
1357 
1358 
1359 typedef struct {
1360     nxt_mp_t      *pool;
1361     nxt_str_t     *type;
1362     nxt_lvlhsh_t  hash;
1363 } nxt_conf_vldt_mtypes_ctx_t;
1364 
1365 
1366 static nxt_int_t
1367 nxt_conf_vldt_mtypes(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1368     void *data)
1369 {
1370     nxt_int_t                   ret;
1371     nxt_conf_vldt_mtypes_ctx_t  ctx;
1372 
1373     ctx.pool = nxt_mp_create(1024, 128, 256, 32);
1374     if (nxt_slow_path(ctx.pool == NULL)) {
1375         return NXT_ERROR;
1376     }
1377 
1378     nxt_lvlhsh_init(&ctx.hash);
1379 
1380     vldt->ctx = &ctx;
1381 
1382     ret = nxt_conf_vldt_object_iterator(vldt, value,
1383                                         &nxt_conf_vldt_mtypes_type);
1384 
1385     vldt->ctx = NULL;
1386 
1387     nxt_mp_destroy(ctx.pool);
1388 
1389     return ret;
1390 }
1391 
1392 
1393 static nxt_int_t
1394 nxt_conf_vldt_mtypes_type(nxt_conf_validation_t *vldt, nxt_str_t *name,
1395     nxt_conf_value_t *value)
1396 {
1397     nxt_int_t                   ret;
1398     nxt_conf_vldt_mtypes_ctx_t  *ctx;
1399 
1400     ret = nxt_conf_vldt_type(vldt, name, value,
1401                              NXT_CONF_VLDT_STRING|NXT_CONF_VLDT_ARRAY);
1402     if (ret != NXT_OK) {
1403         return ret;
1404     }
1405 
1406     ctx = vldt->ctx;
1407 
1408     ctx->type = nxt_mp_get(ctx->pool, sizeof(nxt_str_t));
1409     if (nxt_slow_path(ctx->type == NULL)) {
1410         return NXT_ERROR;
1411     }
1412 
1413     *ctx->type = *name;
1414 
1415     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
1416         return nxt_conf_vldt_array_iterator(vldt, value,
1417                                             &nxt_conf_vldt_mtypes_extension);
1418     }
1419 
1420     /* NXT_CONF_STRING */
1421 
1422     return nxt_conf_vldt_mtypes_extension(vldt, value);
1423 }
1424 
1425 
1426 static nxt_int_t
1427 nxt_conf_vldt_mtypes_extension(nxt_conf_validation_t *vldt,
1428     nxt_conf_value_t *value)
1429 {
1430     nxt_str_t                   exten, *dup_type;
1431     nxt_conf_vldt_mtypes_ctx_t  *ctx;
1432 
1433     ctx = vldt->ctx;
1434 
1435     if (nxt_conf_type(value) != NXT_CONF_STRING) {
1436         return nxt_conf_vldt_error(vldt, "The \"%V\" MIME type array must "
1437                                    "contain only strings.", ctx->type);
1438     }
1439 
1440     nxt_conf_get_string(value, &exten);
1441 
1442     if (exten.length == 0) {
1443         return nxt_conf_vldt_error(vldt, "An empty file extension for "
1444                                          "the \"%V\" MIME type.", ctx->type);
1445     }
1446 
1447     dup_type = nxt_http_static_mtype_get(&ctx->hash, &exten);
1448 
1449     if (dup_type->length != 0) {
1450         return nxt_conf_vldt_error(vldt, "The \"%V\" file extension has been "
1451                                          "declared for \"%V\" and \"%V\" "
1452                                          "MIME types at the same time.",
1453                                          &exten, dup_type, ctx->type);
1454     }
1455 
1456     return nxt_http_static_mtypes_hash_add(ctx->pool, &ctx->hash, &exten,
1457                                            ctx->type);
1458 }
1459 
1460 
1461 static nxt_int_t
1462 nxt_conf_vldt_listener(nxt_conf_validation_t *vldt, nxt_str_t *name,
1463     nxt_conf_value_t *value)
1464 {
1465     nxt_int_t       ret;
1466     nxt_sockaddr_t  *sa;
1467 
1468     sa = nxt_sockaddr_parse(vldt->pool, name);
1469     if (nxt_slow_path(sa == NULL)) {
1470         return nxt_conf_vldt_error(vldt,
1471                                    "The listener address \"%V\" is invalid.",
1472                                    name);
1473     }
1474 
1475     ret = nxt_conf_vldt_type(vldt, name, value, NXT_CONF_VLDT_OBJECT);
1476     if (ret != NXT_OK) {
1477         return ret;
1478     }
1479 
1480     return nxt_conf_vldt_object(vldt, value, nxt_conf_vldt_listener_members);
1481 }
1482 
1483 
1484 static nxt_int_t
1485 nxt_conf_vldt_action(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1486     void *data)
1487 {
1488     nxt_uint_t              i;
1489     nxt_conf_value_t        *action;
1490     nxt_conf_vldt_object_t  *members;
1491 
1492     static struct {
1493         nxt_str_t               name;
1494         nxt_conf_vldt_object_t  *members;
1495 
1496     } actions[] = {
1497         { nxt_string("pass"), nxt_conf_vldt_pass_action_members },
1498         { nxt_string("return"), nxt_conf_vldt_return_action_members },
1499         { nxt_string("share"), nxt_conf_vldt_share_action_members },
1500         { nxt_string("proxy"), nxt_conf_vldt_proxy_action_members },
1501     };
1502 
1503     members = NULL;
1504 
1505     for (i = 0; i < nxt_nitems(actions); i++) {
1506         action = nxt_conf_get_object_member(value, &actions[i].name, NULL);
1507 
1508         if (action == NULL) {
1509             continue;
1510         }
1511 
1512         if (members != NULL) {
1513             return nxt_conf_vldt_error(vldt, "The \"action\" object must have "
1514                                        "just one of \"pass\", \"return\", "
1515                                        "\"share\", or \"proxy\" options set.");
1516         }
1517 
1518         members = actions[i].members;
1519     }
1520 
1521     if (members == NULL) {
1522         return nxt_conf_vldt_error(vldt, "The \"action\" object must have "
1523                                    "either \"pass\", \"return\", \"share\", "
1524                                    "or \"proxy\" option set.");
1525     }
1526 
1527     return nxt_conf_vldt_object(vldt, value, members);
1528 }
1529 
1530 
1531 static nxt_int_t
1532 nxt_conf_vldt_pass(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1533     void *data)
1534 {
1535     nxt_str_t  pass;
1536     nxt_int_t  ret;
1537     nxt_str_t  segments[3];
1538 
1539     static nxt_str_t  targets_str = nxt_string("targets");
1540 
1541     nxt_conf_get_string(value, &pass);
1542 
1543     ret = nxt_http_pass_segments(vldt->pool, &pass, segments, 3);
1544 
1545     if (ret != NXT_OK) {
1546         if (ret == NXT_DECLINED) {
1547             return nxt_conf_vldt_error(vldt, "Request \"pass\" value \"%V\" "
1548                                        "is invalid.", &pass);
1549         }
1550 
1551         return NXT_ERROR;
1552     }
1553 
1554     if (nxt_str_eq(&segments[0], "applications", 12)) {
1555 
1556         if (segments[1].length == 0) {
1557             goto error;
1558         }
1559 
1560         value = nxt_conf_get_object_member(vldt->conf, &segments[0], NULL);
1561 
1562         if (value == NULL) {
1563             goto error;
1564         }
1565 
1566         value = nxt_conf_get_object_member(value, &segments[1], NULL);
1567 
1568         if (value == NULL) {
1569             goto error;
1570         }
1571 
1572         if (segments[2].length > 0) {
1573             value = nxt_conf_get_object_member(value, &targets_str, NULL);
1574 
1575             if (value == NULL) {
1576                 goto error;
1577             }
1578 
1579             value = nxt_conf_get_object_member(value, &segments[2], NULL);
1580 
1581             if (value == NULL) {
1582                 goto error;
1583             }
1584         }
1585 
1586         return NXT_OK;
1587     }
1588 
1589     if (nxt_str_eq(&segments[0], "upstreams", 9)) {
1590 
1591         if (segments[1].length == 0 || segments[2].length != 0) {
1592             goto error;
1593         }
1594 
1595         value = nxt_conf_get_object_member(vldt->conf, &segments[0], NULL);
1596 
1597         if (value == NULL) {
1598             goto error;
1599         }
1600 
1601         value = nxt_conf_get_object_member(value, &segments[1], NULL);
1602 
1603         if (value == NULL) {
1604             goto error;
1605         }
1606 
1607         return NXT_OK;
1608     }
1609 
1610     if (nxt_str_eq(&segments[0], "routes", 6)) {
1611 
1612         if (segments[2].length != 0) {
1613             goto error;
1614         }
1615 
1616         value = nxt_conf_get_object_member(vldt->conf, &segments[0], NULL);
1617 
1618         if (value == NULL) {
1619             goto error;
1620         }
1621 
1622         if (segments[1].length == 0) {
1623             if (nxt_conf_type(value) != NXT_CONF_ARRAY) {
1624                 goto error;
1625             }
1626 
1627             return NXT_OK;
1628         }
1629 
1630         if (nxt_conf_type(value) != NXT_CONF_OBJECT) {
1631             goto error;
1632         }
1633 
1634         value = nxt_conf_get_object_member(value, &segments[1], NULL);
1635 
1636         if (value == NULL) {
1637             goto error;
1638         }
1639 
1640         return NXT_OK;
1641     }
1642 
1643 error:
1644 
1645     return nxt_conf_vldt_error(vldt, "Request \"pass\" points to invalid "
1646                                "location \"%V\".", &pass);
1647 }
1648 
1649 
1650 static nxt_int_t
1651 nxt_conf_vldt_return(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1652     void *data)
1653 {
1654     int64_t  status;
1655 
1656     status = nxt_conf_get_number(value);
1657 
1658     if (status < NXT_HTTP_INVALID || status > NXT_HTTP_STATUS_MAX) {
1659         return nxt_conf_vldt_error(vldt, "The \"return\" value is out of "
1660                                    "allowed HTTP status code range 0-999.");
1661     }
1662 
1663     return NXT_OK;
1664 }
1665 
1666 
1667 static nxt_int_t
1668 nxt_conf_vldt_share(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1669     void *data)
1670 {
1671     u_char     *p;
1672     nxt_str_t  name, temp;
1673 
1674     static nxt_str_t  uri = nxt_string("$uri");
1675 
1676     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
1677         if (nxt_conf_array_elements_count(value) == 0) {
1678             return nxt_conf_vldt_error(vldt, "The \"share\" array "
1679                                        "must contain at least one element.");
1680         }
1681 
1682         return nxt_conf_vldt_array_iterator(vldt, value,
1683                                             &nxt_conf_vldt_share_element);
1684     }
1685 
1686     /* NXT_CONF_STRING */
1687 
1688     if (vldt->ver < 12600) {
1689         nxt_conf_get_string(value, &name);
1690 
1691         temp.length = name.length + uri.length;
1692 
1693         temp.start = nxt_mp_get(vldt->conf_pool, temp.length);
1694         if (nxt_slow_path(temp.start == NULL)) {
1695             return NXT_ERROR;
1696         }
1697 
1698         p = nxt_cpymem(temp.start, name.start, name.length);
1699         nxt_memcpy(p, uri.start, uri.length);
1700 
1701         nxt_conf_set_string(value, &temp);
1702     }
1703 
1704     return nxt_conf_vldt_share_element(vldt, value);
1705 }
1706 
1707 
1708 static nxt_int_t
1709 nxt_conf_vldt_share_element(nxt_conf_validation_t *vldt,
1710     nxt_conf_value_t *value)
1711 {
1712     nxt_str_t  str;
1713 
1714     static nxt_str_t  share = nxt_string("share");
1715 
1716     if (nxt_conf_type(value) != NXT_CONF_STRING) {
1717         return nxt_conf_vldt_error(vldt, "The \"share\" array must "
1718                                    "contain only string values.");
1719     }
1720 
1721     nxt_conf_get_string(value, &str);
1722 
1723     if (nxt_is_var(&str)) {
1724         return nxt_conf_vldt_var(vldt, &share, &str);
1725     }
1726 
1727     return NXT_OK;
1728 }
1729 
1730 
1731 static nxt_int_t
1732 nxt_conf_vldt_proxy(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1733     void *data)
1734 {
1735     nxt_str_t       name;
1736     nxt_sockaddr_t  *sa;
1737 
1738     nxt_conf_get_string(value, &name);
1739 
1740     if (nxt_str_start(&name, "http://", 7)) {
1741         name.length -= 7;
1742         name.start += 7;
1743 
1744         sa = nxt_sockaddr_parse(vldt->pool, &name);
1745         if (sa != NULL) {
1746             return NXT_OK;
1747         }
1748     }
1749 
1750     return nxt_conf_vldt_error(vldt, "The \"proxy\" address is invalid \"%V\"",
1751                                &name);
1752 }
1753 
1754 
1755 static nxt_int_t
1756 nxt_conf_vldt_python(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1757     void *data)
1758 {
1759     nxt_conf_value_t  *targets;
1760 
1761     static nxt_str_t  targets_str = nxt_string("targets");
1762 
1763     targets = nxt_conf_get_object_member(value, &targets_str, NULL);
1764 
1765     if (targets != NULL) {
1766         return nxt_conf_vldt_object(vldt, value, nxt_conf_vldt_python_members);
1767     }
1768 
1769     return nxt_conf_vldt_object(vldt, value,
1770                                 nxt_conf_vldt_python_notargets_members);
1771 }
1772 
1773 
1774 static nxt_int_t
1775 nxt_conf_vldt_python_path(nxt_conf_validation_t *vldt,
1776     nxt_conf_value_t *value, void *data)
1777 {
1778     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
1779         return nxt_conf_vldt_array_iterator(vldt, value,
1780                                             &nxt_conf_vldt_python_path_element);
1781     }
1782 
1783     /* NXT_CONF_STRING */
1784 
1785     return NXT_OK;
1786 }
1787 
1788 
1789 static nxt_int_t
1790 nxt_conf_vldt_python_path_element(nxt_conf_validation_t *vldt,
1791     nxt_conf_value_t *value)
1792 {
1793     if (nxt_conf_type(value) != NXT_CONF_STRING) {
1794         return nxt_conf_vldt_error(vldt, "The \"path\" array must contain "
1795                                    "only string values.");
1796     }
1797 
1798     return NXT_OK;
1799 }
1800 
1801 
1802 static nxt_int_t
1803 nxt_conf_vldt_python_protocol(nxt_conf_validation_t *vldt,
1804     nxt_conf_value_t *value, void *data)
1805 {
1806     nxt_str_t  proto;
1807 
1808     static const nxt_str_t  wsgi = nxt_string("wsgi");
1809     static const nxt_str_t  asgi = nxt_string("asgi");
1810 
1811     nxt_conf_get_string(value, &proto);
1812 
1813     if (nxt_strstr_eq(&proto, &wsgi) || nxt_strstr_eq(&proto, &asgi)) {
1814         return NXT_OK;
1815     }
1816 
1817     return nxt_conf_vldt_error(vldt, "The \"protocol\" can either be "
1818                                      "\"wsgi\" or \"asgi\".");
1819 }
1820 
1821 
1822 static nxt_int_t
1823 nxt_conf_vldt_threads(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1824     void *data)
1825 {
1826     int64_t  threads;
1827 
1828     threads = nxt_conf_get_number(value);
1829 
1830     if (threads < 1) {
1831         return nxt_conf_vldt_error(vldt, "The \"threads\" number must be "
1832                                    "equal to or greater than 1.");
1833     }
1834 
1835     if (threads > NXT_INT32_T_MAX) {
1836         return nxt_conf_vldt_error(vldt, "The \"threads\" number must "
1837                                    "not exceed %d.", NXT_INT32_T_MAX);
1838     }
1839 
1840     return NXT_OK;
1841 }
1842 
1843 
1844 static nxt_int_t
1845 nxt_conf_vldt_thread_stack_size(nxt_conf_validation_t *vldt,
1846     nxt_conf_value_t *value, void *data)
1847 {
1848     int64_t  size, min_size;
1849 
1850     size = nxt_conf_get_number(value);
1851     min_size = sysconf(_SC_THREAD_STACK_MIN);
1852 
1853     if (size < min_size) {
1854         return nxt_conf_vldt_error(vldt, "The \"thread_stack_size\" number "
1855                                    "must be equal to or greater than %d.",
1856                                    min_size);
1857     }
1858 
1859     if ((size % nxt_pagesize) != 0) {
1860         return nxt_conf_vldt_error(vldt, "The \"thread_stack_size\" number "
1861                              "must be a multiple of the system page size (%d).",
1862                              nxt_pagesize);
1863     }
1864 
1865     return NXT_OK;
1866 }
1867 
1868 
1869 static nxt_int_t
1870 nxt_conf_vldt_routes(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
1871     void *data)
1872 {
1873     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
1874         return nxt_conf_vldt_array_iterator(vldt, value,
1875                                             &nxt_conf_vldt_route);
1876     }
1877 
1878     /* NXT_CONF_OBJECT */
1879 
1880     return nxt_conf_vldt_object_iterator(vldt, value,
1881                                          &nxt_conf_vldt_routes_member);
1882 }
1883 
1884 
1885 static nxt_int_t
1886 nxt_conf_vldt_routes_member(nxt_conf_validation_t *vldt, nxt_str_t *name,
1887     nxt_conf_value_t *value)
1888 {
1889     nxt_int_t  ret;
1890 
1891     ret = nxt_conf_vldt_type(vldt, name, value, NXT_CONF_VLDT_ARRAY);
1892 
1893     if (ret != NXT_OK) {
1894         return ret;
1895     }
1896 
1897     return nxt_conf_vldt_array_iterator(vldt, value, &nxt_conf_vldt_route);
1898 }
1899 
1900 
1901 static nxt_int_t
1902 nxt_conf_vldt_route(nxt_conf_validation_t *vldt, nxt_conf_value_t *value)
1903 {
1904     if (nxt_conf_type(value) != NXT_CONF_OBJECT) {
1905         return nxt_conf_vldt_error(vldt, "The \"routes\" array must contain "
1906                                    "only object values.");
1907     }
1908 
1909     return nxt_conf_vldt_object(vldt, value, nxt_conf_vldt_route_members);
1910 }
1911 
1912 
1913 static nxt_int_t
1914 nxt_conf_vldt_match_patterns(nxt_conf_validation_t *vldt,
1915     nxt_conf_value_t *value, void *data)
1916 {
1917     nxt_int_t  ret;
1918 
1919     vldt->ctx = data;
1920 
1921     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
1922         ret = nxt_conf_vldt_array_iterator(vldt, value,
1923                                            &nxt_conf_vldt_match_pattern);
1924 
1925     } else {
1926         /* NXT_CONF_STRING */
1927         ret = nxt_conf_vldt_match_pattern(vldt, value);
1928     }
1929 
1930     vldt->ctx = NULL;
1931 
1932     return ret;
1933 }
1934 
1935 
1936 static nxt_int_t
1937 nxt_conf_vldt_match_pattern(nxt_conf_validation_t *vldt,
1938     nxt_conf_value_t *value)
1939 {
1940     nxt_str_t        pattern;
1941     nxt_uint_t       i, first, last;
1942 #if (NXT_HAVE_REGEX)
1943     nxt_regex_t      *re;
1944     nxt_regex_err_t  err;
1945 #endif
1946 
1947     if (nxt_conf_type(value) != NXT_CONF_STRING) {
1948         return nxt_conf_vldt_error(vldt, "The \"match\" pattern for \"%s\" "
1949                                    "must be strings.", vldt->ctx);
1950     }
1951 
1952     nxt_conf_get_string(value, &pattern);
1953 
1954     if (pattern.length == 0) {
1955         return NXT_OK;
1956     }
1957 
1958     first = (pattern.start[0] == '!');
1959 
1960     if (first < pattern.length && pattern.start[first] == '~') {
1961 #if (NXT_HAVE_REGEX)
1962         pattern.start += first + 1;
1963         pattern.length -= first + 1;
1964 
1965         re = nxt_regex_compile(vldt->pool, &pattern, &err);
1966         if (nxt_slow_path(re == NULL)) {
1967             if (err.offset < pattern.length) {
1968                 return nxt_conf_vldt_error(vldt, "Invalid regular expression: "
1969                                            "%s at offset %d",
1970                                            err.msg, err.offset);
1971             }
1972 
1973             return nxt_conf_vldt_error(vldt, "Invalid regular expression: %s",
1974                                        err.msg);
1975         }
1976 
1977         return NXT_OK;
1978 #else
1979         return nxt_conf_vldt_error(vldt, "Unit is built without support of "
1980                                    "regular expressions: \"--no-regex\" "
1981                                    "./configure option was set.");
1982 #endif
1983     }
1984 
1985     last = pattern.length - 1;
1986 
1987     for (i = first; i < last; i++) {
1988         if (pattern.start[i] == '*' && pattern.start[i + 1] == '*') {
1989             return nxt_conf_vldt_error(vldt, "The \"match\" pattern must "
1990                                        "not contain double \"*\" markers.");
1991         }
1992     }
1993 
1994     return NXT_OK;
1995 }
1996 
1997 
1998 static nxt_int_t nxt_conf_vldt_match_encoded_patterns_sets(
1999     nxt_conf_validation_t *vldt, nxt_conf_value_t *value, void *data)
2000 {
2001     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
2002         return nxt_conf_vldt_array_iterator(vldt, value,
2003                                      &nxt_conf_vldt_match_encoded_patterns_set);
2004     }
2005 
2006     /* NXT_CONF_OBJECT */
2007 
2008     return nxt_conf_vldt_match_encoded_patterns_set(vldt, value);
2009 }
2010 
2011 
2012 static nxt_int_t nxt_conf_vldt_match_encoded_patterns_set(
2013     nxt_conf_validation_t *vldt, nxt_conf_value_t *value)
2014 {
2015     if (nxt_conf_type(value) != NXT_CONF_OBJECT) {
2016         return nxt_conf_vldt_error(vldt, "The \"match\" pattern for "
2017                                    "\"arguments\" must be an object.");
2018     }
2019 
2020     return nxt_conf_vldt_object_iterator(vldt, value,
2021                               &nxt_conf_vldt_match_encoded_patterns_set_member);
2022 }
2023 
2024 
2025 static nxt_int_t
2026 nxt_conf_vldt_match_encoded_patterns_set_member(nxt_conf_validation_t *vldt,
2027     nxt_str_t *name, nxt_conf_value_t *value)
2028 {
2029     u_char  *p, *end;
2030 
2031     if (nxt_slow_path(name->length == 0)) {
2032         return nxt_conf_vldt_error(vldt, "The \"match\" pattern objects must "
2033                                    "not contain empty member names.");
2034     }
2035 
2036     p = nxt_mp_nget(vldt->pool, name->length);
2037     if (nxt_slow_path(p == NULL)) {
2038         return NXT_ERROR;
2039     }
2040 
2041     end = nxt_decode_uri(p, name->start, name->length);
2042     if (nxt_slow_path(end == NULL)) {
2043         return nxt_conf_vldt_error(vldt, "The \"match\" pattern for "
2044                                    "\"arguments\" is encoded but is invalid.");
2045     }
2046 
2047     return nxt_conf_vldt_match_encoded_patterns(vldt, value,
2048                                                 (void *) "arguments");
2049 }
2050 
2051 
2052 static nxt_int_t
2053 nxt_conf_vldt_match_encoded_patterns(nxt_conf_validation_t *vldt,
2054     nxt_conf_value_t *value, void *data)
2055 {
2056     nxt_int_t  ret;
2057 
2058     vldt->ctx = data;
2059 
2060     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
2061         ret = nxt_conf_vldt_array_iterator(vldt, value,
2062                                           &nxt_conf_vldt_match_encoded_pattern);
2063 
2064     } else {
2065         /* NXT_CONF_STRING */
2066         ret = nxt_conf_vldt_match_encoded_pattern(vldt, value);
2067     }
2068 
2069     vldt->ctx = NULL;
2070 
2071     return ret;
2072 }
2073 
2074 
2075 static nxt_int_t
2076 nxt_conf_vldt_match_encoded_pattern(nxt_conf_validation_t *vldt,
2077     nxt_conf_value_t *value)
2078 {
2079     u_char     *p, *end;
2080     nxt_int_t  ret;
2081     nxt_str_t  pattern;
2082 
2083     if (nxt_conf_type(value) != NXT_CONF_STRING) {
2084         return nxt_conf_vldt_error(vldt, "The \"match\" pattern for \"%s\" "
2085                                    "must be a string.", vldt->ctx);
2086     }
2087 
2088     ret = nxt_conf_vldt_match_pattern(vldt, value);
2089     if (nxt_slow_path(ret != NXT_OK)) {
2090         return ret;
2091     }
2092 
2093     nxt_conf_get_string(value, &pattern);
2094 
2095     p = nxt_mp_nget(vldt->pool, pattern.length);
2096     if (nxt_slow_path(p == NULL)) {
2097         return NXT_ERROR;
2098     }
2099 
2100     end = nxt_decode_uri(p, pattern.start, pattern.length);
2101     if (nxt_slow_path(end == NULL)) {
2102         return nxt_conf_vldt_error(vldt, "The \"match\" pattern for \"%s\" "
2103                                    "is encoded but is invalid.", vldt->ctx);
2104     }
2105 
2106     return NXT_OK;
2107 }
2108 
2109 
2110 static nxt_int_t
2111 nxt_conf_vldt_match_addrs(nxt_conf_validation_t *vldt,
2112     nxt_conf_value_t *value, void *data)
2113 {
2114     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
2115         return nxt_conf_vldt_array_iterator(vldt, value,
2116                                             &nxt_conf_vldt_match_addr);
2117     }
2118 
2119     return nxt_conf_vldt_match_addr(vldt, value);
2120 }
2121 
2122 
2123 static nxt_int_t
2124 nxt_conf_vldt_match_addr(nxt_conf_validation_t *vldt,
2125     nxt_conf_value_t *value)
2126 {
2127     nxt_http_route_addr_pattern_t  pattern;
2128 
2129     switch (nxt_http_route_addr_pattern_parse(vldt->pool, &pattern, value)) {
2130 
2131     case NXT_OK:
2132         return NXT_OK;
2133 
2134     case NXT_ADDR_PATTERN_PORT_ERROR:
2135         return nxt_conf_vldt_error(vldt, "The \"address\" port an invalid "
2136                                          "port.");
2137 
2138     case NXT_ADDR_PATTERN_CV_TYPE_ERROR:
2139         return nxt_conf_vldt_error(vldt, "The \"match\" pattern for "
2140                                          "\"address\" must be a string.");
2141 
2142     case NXT_ADDR_PATTERN_LENGTH_ERROR:
2143         return nxt_conf_vldt_error(vldt, "The \"address\" is too short.");
2144 
2145     case NXT_ADDR_PATTERN_FORMAT_ERROR:
2146         return nxt_conf_vldt_error(vldt, "The \"address\" format is invalid.");
2147 
2148     case NXT_ADDR_PATTERN_RANGE_OVERLAP_ERROR:
2149         return nxt_conf_vldt_error(vldt, "The \"address\" range is "
2150                                          "overlapping.");
2151 
2152     case NXT_ADDR_PATTERN_CIDR_ERROR:
2153         return nxt_conf_vldt_error(vldt, "The \"address\" has an invalid CIDR "
2154                                          "prefix.");
2155 
2156     case NXT_ADDR_PATTERN_NO_IPv6_ERROR:
2157         return nxt_conf_vldt_error(vldt, "The \"address\" does not support "
2158                                          "IPv6 with your configuration.");
2159 
2160     case NXT_ADDR_PATTERN_NO_UNIX_ERROR:
2161         return nxt_conf_vldt_error(vldt, "The \"address\" does not support "
2162                                          "UNIX domain sockets with your "
2163                                          "configuration.");
2164 
2165     default:
2166         return nxt_conf_vldt_error(vldt, "The \"address\" has an unknown "
2167                                          "format.");
2168     }
2169 }
2170 
2171 
2172 static nxt_int_t
2173 nxt_conf_vldt_match_scheme_pattern(nxt_conf_validation_t *vldt,
2174     nxt_conf_value_t *value, void *data)
2175 {
2176     nxt_str_t  scheme;
2177 
2178     static const nxt_str_t  http = nxt_string("http");
2179     static const nxt_str_t  https = nxt_string("https");
2180 
2181     nxt_conf_get_string(value, &scheme);
2182 
2183     if (nxt_strcasestr_eq(&scheme, &http)
2184         || nxt_strcasestr_eq(&scheme, &https))
2185     {
2186         return NXT_OK;
2187     }
2188 
2189     return nxt_conf_vldt_error(vldt, "The \"scheme\" can either be "
2190                                      "\"http\" or \"https\".");
2191 }
2192 
2193 
2194 static nxt_int_t
2195 nxt_conf_vldt_match_patterns_sets(nxt_conf_validation_t *vldt,
2196     nxt_conf_value_t *value, void *data)
2197 {
2198     nxt_int_t  ret;
2199 
2200     vldt->ctx = data;
2201 
2202     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
2203         ret = nxt_conf_vldt_array_iterator(vldt, value,
2204                                            &nxt_conf_vldt_match_patterns_set);
2205 
2206     } else {
2207         /* NXT_CONF_OBJECT */
2208         ret = nxt_conf_vldt_match_patterns_set(vldt, value);
2209     }
2210 
2211     vldt->ctx = NULL;
2212 
2213     return ret;
2214 }
2215 
2216 
2217 static nxt_int_t
2218 nxt_conf_vldt_match_patterns_set(nxt_conf_validation_t *vldt,
2219     nxt_conf_value_t *value)
2220 {
2221     if (nxt_conf_type(value) != NXT_CONF_OBJECT) {
2222         return nxt_conf_vldt_error(vldt, "The \"match\" patterns for "
2223                                    "\"%s\" must be objects.", vldt->ctx);
2224     }
2225 
2226     return nxt_conf_vldt_object_iterator(vldt, value,
2227                                      &nxt_conf_vldt_match_patterns_set_member);
2228 }
2229 
2230 
2231 static nxt_int_t
2232 nxt_conf_vldt_match_patterns_set_member(nxt_conf_validation_t *vldt,
2233     nxt_str_t *name, nxt_conf_value_t *value)
2234 {
2235     if (name->length == 0) {
2236         return nxt_conf_vldt_error(vldt, "The \"match\" pattern objects must "
2237                                    "not contain empty member names.");
2238     }
2239 
2240     return nxt_conf_vldt_match_patterns(vldt, value, vldt->ctx);
2241 }
2242 
2243 
2244 #if (NXT_TLS)
2245 
2246 static nxt_int_t
2247 nxt_conf_vldt_certificate(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
2248     void *data)
2249 {
2250     if (nxt_conf_type(value) == NXT_CONF_ARRAY) {
2251         if (nxt_conf_array_elements_count(value) == 0) {
2252             return nxt_conf_vldt_error(vldt, "The \"certificate\" array "
2253                                        "must contain at least one element.");
2254         }
2255 
2256         return nxt_conf_vldt_array_iterator(vldt, value,
2257                                             &nxt_conf_vldt_certificate_element);
2258     }
2259 
2260     /* NXT_CONF_STRING */
2261 
2262     return nxt_conf_vldt_certificate_element(vldt, value);
2263 }
2264 
2265 
2266 static nxt_int_t
2267 nxt_conf_vldt_certificate_element(nxt_conf_validation_t *vldt,
2268     nxt_conf_value_t *value)
2269 {
2270     nxt_str_t         name;
2271     nxt_conf_value_t  *cert;
2272 
2273     if (nxt_conf_type(value) != NXT_CONF_STRING) {
2274         return nxt_conf_vldt_error(vldt, "The \"certificate\" array must "
2275                                    "contain only string values.");
2276     }
2277 
2278     nxt_conf_get_string(value, &name);
2279 
2280     cert = nxt_cert_info_get(&name);
2281 
2282     if (cert == NULL) {
2283         return nxt_conf_vldt_error(vldt, "Certificate \"%V\" is not found.",
2284                                    &name);
2285     }
2286 
2287     return NXT_OK;
2288 }
2289 
2290 
2291 #if (NXT_HAVE_OPENSSL_CONF_CMD)
2292 
2293 static nxt_int_t
2294 nxt_conf_vldt_object_conf_commands(nxt_conf_validation_t *vldt,
2295     nxt_conf_value_t *value, void *data)
2296 {
2297     uint32_t          index;
2298     nxt_int_t         ret;
2299     nxt_str_t         name;
2300     nxt_conf_value_t  *member;
2301 
2302     index = 0;
2303 
2304     for ( ;; ) {
2305         member = nxt_conf_next_object_member(value, &name, &index);
2306 
2307         if (member == NULL) {
2308             break;
2309         }
2310 
2311         ret = nxt_conf_vldt_type(vldt, &name, member, NXT_CONF_VLDT_STRING);
2312         if (ret != NXT_OK) {
2313             return ret;
2314         }
2315     }
2316 
2317     return NXT_OK;
2318 }
2319 
2320 #endif
2321 
2322 #endif
2323 
2324 
2325 static nxt_int_t
2326 nxt_conf_vldt_app_name(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
2327     void *data)
2328 {
2329     nxt_str_t         name;
2330     nxt_conf_value_t  *apps, *app;
2331 
2332     static nxt_str_t  apps_str = nxt_string("applications");
2333 
2334     nxt_conf_get_string(value, &name);
2335 
2336     apps = nxt_conf_get_object_member(vldt->conf, &apps_str, NULL);
2337 
2338     if (nxt_slow_path(apps == NULL)) {
2339         goto error;
2340     }
2341 
2342     app = nxt_conf_get_object_member(apps, &name, NULL);
2343 
2344     if (nxt_slow_path(app == NULL)) {
2345         goto error;
2346     }
2347 
2348     return NXT_OK;
2349 
2350 error:
2351 
2352     return nxt_conf_vldt_error(vldt, "Listening socket is assigned for "
2353                                      "a non existing application \"%V\".",
2354                                      &name);
2355 }
2356 
2357 
2358 static nxt_int_t
2359 nxt_conf_vldt_forwarded(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
2360     void *data)
2361 {
2362     nxt_conf_value_t  *client_ip, *protocol;
2363 
2364     static nxt_str_t  client_ip_str = nxt_string("client_ip");
2365     static nxt_str_t  protocol_str = nxt_string("protocol");
2366 
2367     client_ip = nxt_conf_get_object_member(value, &client_ip_str, NULL);
2368     protocol = nxt_conf_get_object_member(value, &protocol_str, NULL);
2369 
2370     if (client_ip == NULL && protocol == NULL) {
2371         return nxt_conf_vldt_error(vldt, "The \"forwarded\" object must have "
2372                                    "either \"client_ip\" or \"protocol\" "
2373                                    "option set.");
2374     }
2375 
2376     return nxt_conf_vldt_object(vldt, value, nxt_conf_vldt_forwarded_members);
2377 }
2378 
2379 
2380 static nxt_int_t
2381 nxt_conf_vldt_app(nxt_conf_validation_t *vldt, nxt_str_t *name,
2382     nxt_conf_value_t *value)
2383 {
2384     nxt_int_t              ret;
2385     nxt_str_t              type;
2386     nxt_thread_t           *thread;
2387     nxt_conf_value_t       *type_value;
2388     nxt_app_lang_module_t  *lang;
2389 
2390     static nxt_str_t  type_str = nxt_string("type");
2391 
2392     static struct {
2393         nxt_conf_vldt_handler_t  validator;
2394         nxt_conf_vldt_object_t   *members;
2395 
2396     } types[] = {
2397         { nxt_conf_vldt_object, nxt_conf_vldt_external_members },
2398         { nxt_conf_vldt_python, NULL },
2399         { nxt_conf_vldt_php,    NULL },
2400         { nxt_conf_vldt_object, nxt_conf_vldt_perl_members },
2401         { nxt_conf_vldt_object, nxt_conf_vldt_ruby_members },
2402         { nxt_conf_vldt_object, nxt_conf_vldt_java_members },
2403     };
2404 
2405     ret = nxt_conf_vldt_type(vldt, name, value, NXT_CONF_VLDT_OBJECT);
2406 
2407     if (ret != NXT_OK) {
2408         return ret;
2409     }
2410 
2411     type_value = nxt_conf_get_object_member(value, &type_str, NULL);
2412 
2413     if (type_value == NULL) {
2414         return nxt_conf_vldt_error(vldt,
2415                            "Application must have the \"type\" property set.");
2416     }
2417 
2418     ret = nxt_conf_vldt_type(vldt, &type_str, type_value, NXT_CONF_VLDT_STRING);
2419 
2420     if (ret != NXT_OK) {
2421         return ret;
2422     }
2423 
2424     nxt_conf_get_string(type_value, &type);
2425 
2426     thread = nxt_thread();
2427 
2428     lang = nxt_app_lang_module(thread->runtime, &type);
2429     if (lang == NULL) {
2430         return nxt_conf_vldt_error(vldt,
2431                                    "The module to run \"%V\" is not found "
2432                                    "among the available application modules.",
2433                                    &type);
2434     }
2435 
2436     return types[lang->type].validator(vldt, value, types[lang->type].members);
2437 }
2438 
2439 
2440 static nxt_int_t
2441 nxt_conf_vldt_object(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
2442     void *data)
2443 {
2444     uint32_t                index;
2445     nxt_int_t               ret;
2446     nxt_str_t               name, var;
2447     nxt_conf_value_t        *member;
2448     nxt_conf_vldt_object_t  *vals;
2449 
2450     vals = data;
2451 
2452     for ( ;; ) {
2453         if (vals->name.length == 0) {
2454 
2455             if (vals->u.members != NULL) {
2456                 vals = vals->u.members;
2457                 continue;
2458             }
2459 
2460             break;
2461         }
2462 
2463         if (vals->flags & NXT_CONF_VLDT_REQUIRED) {
2464             member = nxt_conf_get_object_member(value, &vals->name, NULL);
2465 
2466             if (member == NULL) {
2467                 return nxt_conf_vldt_error(vldt, "Required parameter \"%V\" "
2468                                            "is missing.", &vals->name);
2469             }
2470         }
2471 
2472         vals++;
2473     }
2474 
2475     index = 0;
2476 
2477     for ( ;; ) {
2478         member = nxt_conf_next_object_member(value, &name, &index);
2479 
2480         if (member == NULL) {
2481             return NXT_OK;
2482         }
2483 
2484         vals = data;
2485 
2486         for ( ;; ) {
2487             if (vals->name.length == 0) {
2488 
2489                 if (vals->u.members != NULL) {
2490                     vals = vals->u.members;
2491                     continue;
2492                 }
2493 
2494                 return nxt_conf_vldt_error(vldt, "Unknown parameter \"%V\".",
2495                                            &name);
2496             }
2497 
2498             if (!nxt_strstr_eq(&vals->name, &name)) {
2499                 vals++;
2500                 continue;
2501             }
2502 
2503             if (vals->flags & NXT_CONF_VLDT_VAR
2504                 && nxt_conf_type(member) == NXT_CONF_STRING)
2505             {
2506                 nxt_conf_get_string(member, &var);
2507 
2508                 if (nxt_is_var(&var)) {
2509                     ret = nxt_conf_vldt_var(vldt, &name, &var);
2510                     if (ret != NXT_OK) {
2511                         return ret;
2512                     }
2513 
2514                     break;
2515                 }
2516             }
2517 
2518             ret = nxt_conf_vldt_type(vldt, &name, member, vals->type);
2519             if (ret != NXT_OK) {
2520                 return ret;
2521             }
2522 
2523             if (vals->validator != NULL) {
2524                 ret = vals->validator(vldt, member, vals->u.members);
2525 
2526                 if (ret != NXT_OK) {
2527                     return ret;
2528                 }
2529             }
2530 
2531             break;
2532         }
2533     }
2534 }
2535 
2536 
2537 typedef struct {
2538     int64_t  spare;
2539     int64_t  max;
2540     int64_t  idle_timeout;
2541 } nxt_conf_vldt_processes_conf_t;
2542 
2543 
2544 static nxt_conf_map_t  nxt_conf_vldt_processes_conf_map[] = {
2545     {
2546         nxt_string("spare"),
2547         NXT_CONF_MAP_INT64,
2548         offsetof(nxt_conf_vldt_processes_conf_t, spare),
2549     },
2550 
2551     {
2552         nxt_string("max"),
2553         NXT_CONF_MAP_INT64,
2554         offsetof(nxt_conf_vldt_processes_conf_t, max),
2555     },
2556 
2557     {
2558         nxt_string("idle_timeout"),
2559         NXT_CONF_MAP_INT64,
2560         offsetof(nxt_conf_vldt_processes_conf_t, idle_timeout),
2561     },
2562 };
2563 
2564 
2565 static nxt_int_t
2566 nxt_conf_vldt_processes(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
2567     void *data)
2568 {
2569     int64_t                         int_value;
2570     nxt_int_t                       ret;
2571     nxt_conf_vldt_processes_conf_t  proc;
2572 
2573     if (nxt_conf_type(value) == NXT_CONF_NUMBER) {
2574         int_value = nxt_conf_get_number(value);
2575 
2576         if (int_value < 1) {
2577             return nxt_conf_vldt_error(vldt, "The \"processes\" number must be "
2578                                        "equal to or greater than 1.");
2579         }
2580 
2581         if (int_value > NXT_INT32_T_MAX) {
2582             return nxt_conf_vldt_error(vldt, "The \"processes\" number must "
2583                                        "not exceed %d.", NXT_INT32_T_MAX);
2584         }
2585 
2586         return NXT_OK;
2587     }
2588 
2589     ret = nxt_conf_vldt_object(vldt, value, data);
2590     if (ret != NXT_OK) {
2591         return ret;
2592     }
2593 
2594     proc.spare = 0;
2595     proc.max = 1;
2596     proc.idle_timeout = 15;
2597 
2598     ret = nxt_conf_map_object(vldt->pool, value,
2599                               nxt_conf_vldt_processes_conf_map,
2600                               nxt_nitems(nxt_conf_vldt_processes_conf_map),
2601                               &proc);
2602     if (ret != NXT_OK) {
2603         return ret;
2604     }
2605 
2606     if (proc.spare < 0) {
2607         return nxt_conf_vldt_error(vldt, "The \"spare\" number must not be "
2608                                    "negative.");
2609     }
2610 
2611     if (proc.spare > NXT_INT32_T_MAX) {
2612         return nxt_conf_vldt_error(vldt, "The \"spare\" number must not "
2613                                    "exceed %d.", NXT_INT32_T_MAX);
2614     }
2615 
2616     if (proc.max < 1) {
2617         return nxt_conf_vldt_error(vldt, "The \"max\" number must be equal "
2618                                    "to or greater than 1.");
2619     }
2620 
2621     if (proc.max > NXT_INT32_T_MAX) {
2622         return nxt_conf_vldt_error(vldt, "The \"max\" number must not "
2623                                    "exceed %d.", NXT_INT32_T_MAX);
2624     }
2625 
2626     if (proc.max < proc.spare) {
2627         return nxt_conf_vldt_error(vldt, "The \"spare\" number must be "
2628                                    "less than or equal to \"max\".");
2629     }
2630 
2631     if (proc.idle_timeout < 0) {
2632         return nxt_conf_vldt_error(vldt, "The \"idle_timeout\" number must not "
2633                                    "be negative.");
2634     }
2635 
2636     if (proc.idle_timeout > NXT_INT32_T_MAX / 1000) {
2637         return nxt_conf_vldt_error(vldt, "The \"idle_timeout\" number must not "
2638                                    "exceed %d.", NXT_INT32_T_MAX / 1000);
2639     }
2640 
2641     return NXT_OK;
2642 }
2643 
2644 
2645 static nxt_int_t
2646 nxt_conf_vldt_object_iterator(nxt_conf_validation_t *vldt,
2647     nxt_conf_value_t *value, void *data)
2648 {
2649     uint32_t                index;
2650     nxt_int_t               ret;
2651     nxt_str_t               name;
2652     nxt_conf_value_t        *member;
2653     nxt_conf_vldt_member_t  validator;
2654 
2655     validator = (nxt_conf_vldt_member_t) data;
2656     index = 0;
2657 
2658     for ( ;; ) {
2659         member = nxt_conf_next_object_member(value, &name, &index);
2660 
2661         if (member == NULL) {
2662             return NXT_OK;
2663         }
2664 
2665         ret = validator(vldt, &name, member);
2666 
2667         if (ret != NXT_OK) {
2668             return ret;
2669         }
2670     }
2671 }
2672 
2673 
2674 static nxt_int_t
2675 nxt_conf_vldt_array_iterator(nxt_conf_validation_t *vldt,
2676     nxt_conf_value_t *value, void *data)
2677 {
2678     uint32_t                 index;
2679     nxt_int_t                ret;
2680     nxt_conf_value_t         *element;
2681     nxt_conf_vldt_element_t  validator;
2682 
2683     validator = (nxt_conf_vldt_element_t) data;
2684 
2685     for (index = 0; /* void */ ; index++) {
2686         element = nxt_conf_get_array_element(value, index);
2687 
2688         if (element == NULL) {
2689             return NXT_OK;
2690         }
2691 
2692         ret = validator(vldt, element);
2693 
2694         if (ret != NXT_OK) {
2695             return ret;
2696         }
2697     }
2698 }
2699 
2700 
2701 static nxt_int_t
2702 nxt_conf_vldt_environment(nxt_conf_validation_t *vldt, nxt_str_t *name,
2703     nxt_conf_value_t *value)
2704 {
2705     nxt_str_t  str;
2706 
2707     if (name->length == 0) {
2708         return nxt_conf_vldt_error(vldt,
2709                                    "The environment name must not be empty.");
2710     }
2711 
2712     if (nxt_memchr(name->start, '\0', name->length) != NULL) {
2713         return nxt_conf_vldt_error(vldt, "The environment name must not "
2714                                    "contain null character.");
2715     }
2716 
2717     if (nxt_memchr(name->start, '=', name->length) != NULL) {
2718         return nxt_conf_vldt_error(vldt, "The environment name must not "
2719                                    "contain '=' character.");
2720     }
2721 
2722     if (nxt_conf_type(value) != NXT_CONF_STRING) {
2723         return nxt_conf_vldt_error(vldt, "The \"%V\" environment value must be "
2724                                    "a string.", name);
2725     }
2726 
2727     nxt_conf_get_string(value, &str);
2728 
2729     if (nxt_memchr(str.start, '\0', str.length) != NULL) {
2730         return nxt_conf_vldt_error(vldt, "The \"%V\" environment value must "
2731                                    "not contain null character.", name);
2732     }
2733 
2734     return NXT_OK;
2735 }
2736 
2737 
2738 static nxt_int_t
2739 nxt_conf_vldt_targets_exclusive(nxt_conf_validation_t *vldt,
2740     nxt_conf_value_t *value, void *data)
2741 {
2742     return nxt_conf_vldt_error(vldt, "The \"%s\" option is mutually exclusive "
2743                                "with the \"targets\" object.", data);
2744 }
2745 
2746 
2747 static nxt_int_t
2748 nxt_conf_vldt_targets(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
2749     void *data)
2750 {
2751     nxt_int_t   ret;
2752     nxt_uint_t  n;
2753 
2754     n = nxt_conf_object_members_count(value);
2755 
2756     if (n > 254) {
2757         return nxt_conf_vldt_error(vldt, "The \"targets\" object must not "
2758                                    "contain more than 254 members.");
2759     }
2760 
2761     vldt->ctx = data;
2762 
2763     ret = nxt_conf_vldt_object_iterator(vldt, value, &nxt_conf_vldt_target);
2764 
2765     vldt->ctx = NULL;
2766 
2767     return ret;
2768 }
2769 
2770 
2771 static nxt_int_t
2772 nxt_conf_vldt_target(nxt_conf_validation_t *vldt, nxt_str_t *name,
2773     nxt_conf_value_t *value)
2774 {
2775     if (name->length == 0) {
2776         return nxt_conf_vldt_error(vldt,
2777                                    "The target name must not be empty.");
2778     }
2779 
2780     if (nxt_conf_type(value) != NXT_CONF_OBJECT) {
2781         return nxt_conf_vldt_error(vldt, "The \"%V\" target must be "
2782                                    "an object.", name);
2783     }
2784 
2785     return nxt_conf_vldt_object(vldt, value, vldt->ctx);
2786 }
2787 
2788 
2789 static nxt_int_t
2790 nxt_conf_vldt_clone_namespaces(nxt_conf_validation_t *vldt,
2791     nxt_conf_value_t *value, void *data)
2792 {
2793     return nxt_conf_vldt_object(vldt, value, data);
2794 }
2795 
2796 
2797 static nxt_int_t
2798 nxt_conf_vldt_isolation(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
2799     void *data)
2800 {
2801     return nxt_conf_vldt_object(vldt, value, data);
2802 }
2803 
2804 
2805 #if (NXT_HAVE_CLONE_NEWUSER)
2806 
2807 typedef struct {
2808     nxt_int_t container;
2809     nxt_int_t host;
2810     nxt_int_t size;
2811 } nxt_conf_vldt_clone_procmap_conf_t;
2812 
2813 
2814 static nxt_conf_map_t nxt_conf_vldt_clone_procmap_conf_map[] = {
2815     {
2816         nxt_string("container"),
2817         NXT_CONF_MAP_INT32,
2818         offsetof(nxt_conf_vldt_clone_procmap_conf_t, container),
2819     },
2820 
2821     {
2822         nxt_string("host"),
2823         NXT_CONF_MAP_INT32,
2824         offsetof(nxt_conf_vldt_clone_procmap_conf_t, host),
2825     },
2826 
2827     {
2828         nxt_string("size"),
2829         NXT_CONF_MAP_INT32,
2830         offsetof(nxt_conf_vldt_clone_procmap_conf_t, size),
2831     },
2832 
2833 };
2834 
2835 
2836 static nxt_int_t
2837 nxt_conf_vldt_clone_procmap(nxt_conf_validation_t *vldt, const char *mapfile,
2838         nxt_conf_value_t *value)
2839 {
2840     nxt_int_t                           ret;
2841     nxt_conf_vldt_clone_procmap_conf_t  procmap;
2842 
2843     procmap.container = -1;
2844     procmap.host = -1;
2845     procmap.size = -1;
2846 
2847     ret = nxt_conf_map_object(vldt->pool, value,
2848                               nxt_conf_vldt_clone_procmap_conf_map,
2849                               nxt_nitems(nxt_conf_vldt_clone_procmap_conf_map),
2850                               &procmap);
2851     if (ret != NXT_OK) {
2852         return ret;
2853     }
2854 
2855     if (procmap.container == -1) {
2856         return nxt_conf_vldt_error(vldt, "The %s requires the "
2857                 "\"container\" field set.", mapfile);
2858     }
2859 
2860     if (procmap.host == -1) {
2861         return nxt_conf_vldt_error(vldt, "The %s requires the "
2862                 "\"host\" field set.", mapfile);
2863     }
2864 
2865     if (procmap.size == -1) {
2866         return nxt_conf_vldt_error(vldt, "The %s requires the "
2867                 "\"size\" field set.", mapfile);
2868     }
2869 
2870     return NXT_OK;
2871 }
2872 
2873 
2874 static nxt_int_t
2875 nxt_conf_vldt_clone_uidmap(nxt_conf_validation_t *vldt, nxt_conf_value_t *value)
2876 {
2877     nxt_int_t  ret;
2878 
2879     if (nxt_conf_type(value) != NXT_CONF_OBJECT) {
2880         return nxt_conf_vldt_error(vldt, "The \"uidmap\" array "
2881                                    "must contain only object values.");
2882     }
2883 
2884     ret = nxt_conf_vldt_object(vldt, value,
2885                                (void *) nxt_conf_vldt_app_procmap_members);
2886     if (nxt_slow_path(ret != NXT_OK)) {
2887         return ret;
2888     }
2889 
2890     return nxt_conf_vldt_clone_procmap(vldt, "uid_map", value);
2891 }
2892 
2893 
2894 static nxt_int_t
2895 nxt_conf_vldt_clone_gidmap(nxt_conf_validation_t *vldt, nxt_conf_value_t *value)
2896 {
2897     nxt_int_t ret;
2898 
2899     if (nxt_conf_type(value) != NXT_CONF_OBJECT) {
2900         return nxt_conf_vldt_error(vldt, "The \"gidmap\" array "
2901                                    "must contain only object values.");
2902     }
2903 
2904     ret = nxt_conf_vldt_object(vldt, value,
2905                                (void *) nxt_conf_vldt_app_procmap_members);
2906     if (nxt_slow_path(ret != NXT_OK)) {
2907         return ret;
2908     }
2909 
2910     return nxt_conf_vldt_clone_procmap(vldt, "gid_map", value);
2911 }
2912 
2913 #endif
2914 
2915 
2916 static nxt_int_t
2917 nxt_conf_vldt_argument(nxt_conf_validation_t *vldt, nxt_conf_value_t *value)
2918 {
2919     nxt_str_t  str;
2920 
2921     if (nxt_conf_type(value) != NXT_CONF_STRING) {
2922         return nxt_conf_vldt_error(vldt, "The \"arguments\" array "
2923                                    "must contain only string values.");
2924     }
2925 
2926     nxt_conf_get_string(value, &str);
2927 
2928     if (nxt_memchr(str.start, '\0', str.length) != NULL) {
2929         return nxt_conf_vldt_error(vldt, "The \"arguments\" array must not "
2930                                    "contain strings with null character.");
2931     }
2932 
2933     return NXT_OK;
2934 }
2935 
2936 
2937 static nxt_int_t
2938 nxt_conf_vldt_php(nxt_conf_validation_t *vldt, nxt_conf_value_t *value,
2939     void *data)
2940 {
2941     nxt_conf_value_t  *targets;
2942 
2943     static nxt_str_t  targets_str = nxt_string("targets");
2944 
2945     targets = nxt_conf_get_object_member(value, &targets_str, NULL);
2946 
2947     if (targets != NULL) {
2948         return nxt_conf_vldt_object(vldt, value, nxt_conf_vldt_php_members);
2949     }
2950 
2951     return nxt_conf_vldt_object(vldt, value,
2952                                 nxt_conf_vldt_php_notargets_members);
2953 }
2954 
2955 
2956 static nxt_int_t
2957 nxt_conf_vldt_php_option(nxt_conf_validation_t *vldt, nxt_str_t *name,
2958     nxt_conf_value_t *value)
2959 {
2960     if (name->length == 0) {
2961         return nxt_conf_vldt_error(vldt,
2962                                    "The PHP option name must not be empty.");
2963     }
2964 
2965     if (nxt_conf_type(value) != NXT_CONF_STRING) {
2966         return nxt_conf_vldt_error(vldt, "The \"%V\" PHP option must be "
2967                                    "a string.", name);
2968     }
2969 
2970     return NXT_OK;
2971 }
2972 
2973 
2974 static nxt_int_t
2975 nxt_conf_vldt_java_classpath(nxt_conf_validation_t *vldt,
2976     nxt_conf_value_t *value)
2977 {
2978     nxt_str_t  str;
2979 
2980     if (nxt_conf_type(value) != NXT_CONF_STRING) {
2981         return nxt_conf_vldt_error(vldt, "The \"classpath\" array "
2982                                    "must contain only string values.");
2983     }
2984 
2985     nxt_conf_get_string(value, &str);
2986 
2987     if (nxt_memchr(str.start, '\0', str.length) != NULL) {
2988         return nxt_conf_vldt_error(vldt, "The \"classpath\" array must not "
2989                                    "contain strings with null character.");
2990     }
2991 
2992     return NXT_OK;
2993 }
2994 
2995 
2996 static nxt_int_t
2997 nxt_conf_vldt_java_option(nxt_conf_validation_t *vldt, nxt_conf_value_t *value)
2998 {
2999     nxt_str_t  str;
3000 
3001     if (nxt_conf_type(value) != NXT_CONF_STRING) {
3002         return nxt_conf_vldt_error(vldt, "The \"options\" array "
3003                                    "must contain only string values.");
3004     }
3005 
3006     nxt_conf_get_string(value, &str);
3007 
3008     if (nxt_memchr(str.start, '\0', str.length) != NULL) {
3009         return nxt_conf_vldt_error(vldt, "The \"options\" array must not "
3010                                    "contain strings with null character.");
3011     }
3012 
3013     return NXT_OK;
3014 }
3015 
3016 
3017 static nxt_int_t
3018 nxt_conf_vldt_upstream(nxt_conf_validation_t *vldt, nxt_str_t *name,
3019     nxt_conf_value_t *value)
3020 {
3021     nxt_int_t         ret;
3022     nxt_conf_value_t  *conf;
3023 
3024     static nxt_str_t  servers = nxt_string("servers");
3025 
3026     ret = nxt_conf_vldt_type(vldt, name, value, NXT_CONF_VLDT_OBJECT);
3027 
3028     if (ret != NXT_OK) {
3029         return ret;
3030     }
3031 
3032     ret = nxt_conf_vldt_object(vldt, value, nxt_conf_vldt_upstream_members);
3033 
3034     if (ret != NXT_OK) {
3035         return ret;
3036     }
3037 
3038     conf = nxt_conf_get_object_member(value, &servers, NULL);
3039     if (conf == NULL) {
3040         return nxt_conf_vldt_error(vldt, "The \"%V\" upstream must contain "
3041                                    "\"servers\" object value.", name);
3042     }
3043 
3044     return NXT_OK;
3045 }
3046 
3047 
3048 static nxt_int_t
3049 nxt_conf_vldt_server(nxt_conf_validation_t *vldt, nxt_str_t *name,
3050     nxt_conf_value_t *value)
3051 {
3052     nxt_int_t       ret;
3053     nxt_sockaddr_t  *sa;
3054 
3055     ret = nxt_conf_vldt_type(vldt, name, value, NXT_CONF_VLDT_OBJECT);
3056 
3057     if (ret != NXT_OK) {
3058         return ret;
3059     }
3060 
3061     sa = nxt_sockaddr_parse(vldt->pool, name);
3062 
3063     if (sa == NULL) {
3064         return nxt_conf_vldt_error(vldt, "The \"%V\" is not valid "
3065                                    "server address.", name);
3066     }
3067 
3068     return nxt_conf_vldt_object(vldt, value,
3069                                 nxt_conf_vldt_upstream_server_members);
3070 }
3071 
3072 
3073 static nxt_int_t
3074 nxt_conf_vldt_server_weight(nxt_conf_validation_t *vldt,
3075     nxt_conf_value_t *value, void *data)
3076 {
3077     double  num_value;
3078 
3079     num_value = nxt_conf_get_number(value);
3080 
3081     if (num_value < 0) {
3082         return nxt_conf_vldt_error(vldt, "The \"weight\" number must be "
3083                                    "positive.");
3084     }
3085 
3086     if (num_value > 1000000) {
3087         return nxt_conf_vldt_error(vldt, "The \"weight\" number must "
3088                                    "not exceed 1,000,000");
3089     }
3090 
3091     return NXT_OK;
3092 }
3093