adding ip counting and connection_add logic

14 files changed, 1564 insertions, 99 deletions

diff --git a/src/gnutls/setup_connection.c b/src/gnutls/setup_connection.c
new file mode 100644
index 00000000..c789613d
--- /dev/null
+++ b/src/gnutls/setup_connection.c
@@ -0,0 +1,57 @@
+
+
+setup_connection ()
+{
+        connection->tls_state = MHD_TLS_CONN_INIT;
+      MHD_set_https_callbacks (connection);
+      gnutls_init (&connection->tls_session,
+                   GNUTLS_SERVER
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030402)
+                   | GNUTLS_NO_SIGNAL
+#endif /* GNUTLS_VERSION_NUMBER >= 0x030402 */
+#if GNUTLS_VERSION_MAJOR >= 3
+                   | GNUTLS_NONBLOCK
+#endif /* GNUTLS_VERSION_MAJOR >= 3*/
+                  );
+      gnutls_priority_set (connection->tls_session,
+                           daemon->priority_cache);
+      switch (daemon->cred_type)
+        {
+          /* set needed credentials for certificate authentication. */
+        case GNUTLS_CRD_CERTIFICATE:
+          gnutls_credentials_set (connection->tls_session,
+                                  GNUTLS_CRD_CERTIFICATE,
+                                  daemon->x509_cred);
+          break;
+        default:
+#ifdef HAVE_MESSAGES
+          MHD_DLOG (connection->daemon,
+                    _("Failed to setup TLS credentials: unknown credential type %d\n"),
+                    daemon->cred_type);
+#endif
+          MHD_socket_close_chk_ (client_socket);
+          MHD_ip_limit_del (daemon,
+                            addr,
+                            addrlen);
+          free (connection);
+          MHD_PANIC (_("Unknown credential type"));
+#if EINVAL
+          errno = EINVAL;
+#endif
+          return MHD_NO;
+        }
+#if (GNUTLS_VERSION_NUMBER+0 >= 0x030109) && !defined(_WIN64)
+      gnutls_transport_set_int (connection->tls_session, (int)(client_socket));
+#else  /* GnuTLS before 3.1.9 or Win x64 */
+      gnutls_transport_set_ptr (connection->tls_session, (gnutls_transport_ptr_t)(intptr_t)(client_socket));
+#endif /* GnuTLS before 3.1.9 */
+#ifdef MHD_TLSLIB_NEED_PUSH_FUNC
+      gnutls_transport_set_push_function (connection->tls_session, MHD_tls_push_func_);
+#endif /* MHD_TLSLIB_NEED_PUSH_FUNC */
+      if (daemon->https_mem_trust)
+          gnutls_certificate_server_set_request (connection->tls_session,
+                                                 GNUTLS_CERT_REQUEST);
+#else  /* ! HTTPS_SUPPORT */
+      return NULL;
+
+}
diff --git a/src/gnutls/teardown_connection.c b/src/gnutls/teardown_connection.c
new file mode 100644
index 00000000..0156955b
--- /dev/null
+++ b/src/gnutls/teardown_connection.c
@@ -0,0 +1,4 @@
+teardown_connection ()
+{
+  gnutls_deinit (connection->tls_session);
+}
diff --git a/src/include/microhttpd2.h b/src/include/microhttpd2.h
index ebb8f00a..91b0074b 100644
--- a/src/include/microhttpd2.h
+++ b/src/include/microhttpd2.h
@@ -348,6 +348,80 @@ enum MHD_StatusCode
    */
   MHD_SC_NO_TIMEOUT = 10001,
 
+  /**
+   * Informational event, we accepted a connection.
+   */
+  MHD_SC_CONNECTION_ACCEPTED = 10002,
+
+  /**
+   * Informational event, thread processing connection termiantes.
+   */
+  MHD_SC_THREAD_TERMINATING = 10003,
+
+  
+  /**
+   * Resource limit in terms of number of parallel connections
+   * hit.
+   */
+  MHD_SC_LIMIT_CONNECTIONS_REACHED = 30000,
+
+  /**
+   * accept() returned transient error.
+   */
+  MHD_SC_ACCEPT_FAILED_EAGAIN = 30001,
+
+  /**
+   * We failed to allocate memory for poll() syscall.
+   * (May be transient.)
+   */
+  MHD_SC_POLL_MALLOC_FAILURE = 30002,
+
+  /**
+   * The operation failed because the respective
+   * daemon is already too deep inside of the shutdown 
+   * activity.
+   */
+  MHD_SC_DAEMON_ALREADY_SHUTDOWN = 30003,
+
+  /**
+   * We failed to start a thread.
+   */
+  MHD_SC_THREAD_LAUNCH_FAILURE = 30004,
+
+  /**
+   * The operation failed because we either have no
+   * listen socket or were already quiesced.
+   */
+  MHD_SC_DAEMON_ALREADY_QUIESCED = 30005,
+
+  /**
+   * The operation failed because client disconnected
+   * faster than we could accept().
+   */
+  MHD_SC_ACCEPT_FAST_DISCONNECT = 30006,
+
+  /**
+   * Operating resource limits hit on accept().
+   */
+  MHD_SC_ACCEPT_SYSTEM_LIMIT_REACHED = 30007,
+
+  /**
+   * Connection was refused by accept policy callback.
+   */
+  MHD_SC_ACCEPT_POLICY_REJECTED = 30008,
+
+  /**
+   * We failed to allocate memory for the connection.
+   * (May be transient.)
+   */
+  MHD_SC_CONNECTION_MALLOC_FAILURE = 30009,
+
+  /**
+   * We failed to allocate memory for the connection's memory pool.
+   * (May be transient.)
+   */
+  MHD_SC_POOL_MALLOC_FAILURE = 30010,
+  
 
   /**
    * MHD does not support the requested combination of
@@ -362,21 +436,27 @@ enum MHD_StatusCode
   MHD_SC_SYSCALL_QUIESCE_REQUIRES_ITC = 40001,
 
   /**
-   * This build of MHD does not support TLS, but the application
-   * requested TLS.
+   * We failed to bind the listen socket.
    */
-  MHD_SC_TLS_DISABLED = 50000,
+  MHD_SC_LISTEN_SOCKET_BIND_FAILED = 40002,
 
   /**
    * The application requested an unsupported TLS backend to be used.
    */
-  MHD_SC_TLS_BACKEND_UNSUPPORTED = 50001,
+  MHD_SC_TLS_BACKEND_UNSUPPORTED = 40003,
 
   /**
    * The application requested a TLS cipher suite which is not
    * supported by the selected backend.
    */
-  MHD_SC_TLS_CIPHERS_INVALID = 50002,
+  MHD_SC_TLS_CIPHERS_INVALID = 40004,
+
+  
+  /**
+   * This build of MHD does not support TLS, but the application
+   * requested TLS.
+   */
+  MHD_SC_TLS_DISABLED = 50000,
   
   /**
    * The application attempted to setup TLS paramters before
@@ -467,11 +547,6 @@ enum MHD_StatusCode
   MHD_SC_LISTEN_DUAL_STACK_CONFIGURATION_NOT_SUPPORTED = 50018,
 
   /**
-   * We failed to bind the listen socket.
-   */
-  MHD_SC_LISTEN_SOCKET_BIND_FAILED = 50019,
-
-  /**
    * Failed to enable TCP FAST OPEN option.
    */
   MHD_SC_FAST_OPEN_FAILURE = 50020,
@@ -519,12 +594,10 @@ enum MHD_StatusCode
   MHD_SC_UPGRADE_ON_DAEMON_WITH_UPGRADE_DISALLOWED = 50028,
 
   /**
-   * Queueing a response failed because the respective
-   * daemon is already too deep inside of the shutdown 
-   * activity and the reponse cannot be sent any longer.
+   * Failed to signal via ITC channel.
    */
-  MHD_SC_DAEMON_ALREADY_SHUTDOWN = 50029,
-
+  MHD_SC_ITC_USE_FAILED = 50029,
+  
   /**
    * We failed to initialize the main thread for listening.
    */
@@ -539,11 +612,6 @@ enum MHD_StatusCode
    * We failed to add a socket to the epoll() set.
    */
   MHD_SC_EPOLL_CTL_ADD_FAILED = 50032,
-
-  /**
-   * We failed to start a thread.
-   */
-  MHD_SC_THREAD_LAUNCH_FAILURE = 50033,
   
   /**
    * We failed to create control socket for the epoll().
@@ -608,12 +676,13 @@ enum MHD_StatusCode
    * (should never happen).
    */
   MHD_SC_UNEXPECTED_POLL_ERROR = 50044,
-
+  
   /**
-   * We failed to allocate memory for poll() syscall.
+   * We failed to configure accepted socket
+   * to not use a signal pipe.
    */
-  MHD_SC_POLL_MALLOC_FAILURE = 50045,
-
+  MHD_SC_ACCEPT_CONFIGURE_NOSIGPIPE_FAILED = 50045,
+  
   /**
    * Encountered an unexpected error from epoll_wait()
    * (should never happen).
@@ -625,6 +694,35 @@ enum MHD_StatusCode
    */
   MHD_SC_EPOLL_FD_INVALID = 50047,
 
+  /**
+   * We failed to configure accepted socket
+   * to be non-inheritable.
+   */
+  MHD_SC_ACCEPT_CONFIGURE_NOINHERIT_FAILED = 50048,
+
+  /**
+   * We failed to configure accepted socket
+   * to be non-blocking.
+   */
+  MHD_SC_ACCEPT_CONFIGURE_NONBLOCKING_FAILED = 50049,
+
+  /**
+   * accept() returned non-transient error.
+   */
+  MHD_SC_ACCEPT_FAILED_UNEXPECTEDLY = 50050,
+
+  /**
+   * Operating resource limits hit on accept() while
+   * zero connections are active. Oopsie.
+   */
+  MHD_SC_ACCEPT_SYSTEM_LIMIT_REACHED_INSTANTLY = 50051,
+
+  /**
+   * Failed to add IP address to per-IP counter for
+   * some reason.
+   */
+  MHD_SC_IP_COUNTER_FAILURE = 50052,
+  
 };
 
 
diff --git a/src/include/microhttpd_tls.h b/src/include/microhttpd_tls.h
index f8e5bd51..e59b983b 100644
--- a/src/include/microhttpd_tls.h
+++ b/src/include/microhttpd_tls.h
@@ -89,6 +89,10 @@ struct MHD_TLS_Plugin
   struct MHD_TLS_ConnectionState *
   (*setup_connection)(void *cls,
                       ...);
+
+  void
+  (*teardown_connection)(void *cls,
+                         struct MHD_TLS_ConnectionState *cs);
   
   /**
    * TODO: More functions here....
diff --git a/src/lib/Makefile.am b/src/lib/Makefile.am
index e5ea0d13..a1241cc8 100644
--- a/src/lib/Makefile.am
+++ b/src/lib/Makefile.am
@@ -58,14 +58,15 @@ libmicrohttpd_la_SOURCES = \
   action_parse_post.c \
   action_process_upload.c \
   action_suspend.c \
+  connection_add.c connection_add.h \
   connection_info.c \
   connection_options.c \
-  daemon_add_connection.c \
   daemon_create.c \
   daemon_destroy.c \
   daemon_epoll.c daemon_epoll.h \
   daemon_get_timeout.c \
   daemon_info.c \
+  daemon_ip_limit.c daemon_ip_limit.h \
   daemon_options.c \
   daemon_poll.c daemon_poll.h \
   daemon_run.c \
diff --git a/src/lib/connection_add.c b/src/lib/connection_add.c
new file mode 100644
index 00000000..8d4f12ad
--- /dev/null
+++ b/src/lib/connection_add.c
@@ -0,0 +1,978 @@
+/*
+  This file is part of libmicrohttpd
+  Copyright (C) 2007-2018 Daniel Pittman and Christian Grothoff
+
+  This library is free software; you can redistribute it and/or
+  modify it under the terms of the GNU Lesser General Public
+  License as published by the Free Software Foundation; either
+  version 2.1 of the License, or (at your option) any later version.
+
+  This library is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public
+  License along with this library; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+/**
+ * @file lib/connection_add.c
+ * @brief functions to add connection to our active set
+ * @author Christian Grothoff
+ */
+#include "internal.h"
+#include "connection_add.h"
+#include "daemon_ip_limit.h"
+
+
+/**
+ * Main function of the thread that handles an individual
+ * connection when #MHD_USE_THREAD_PER_CONNECTION is set.
+ *
+ * @param data the `struct MHD_Connection` this thread will handle
+ * @return always 0
+ */
+static MHD_THRD_RTRN_TYPE_ MHD_THRD_CALL_SPEC_
+thread_main_handle_connection (void *data)
+{
+  struct MHD_Connection *con = data;
+  struct MHD_Daemon *daemon = con->daemon;
+  int num_ready;
+  fd_set rs;
+  fd_set ws;
+  fd_set es;
+  MHD_socket maxsock;
+  struct timeval tv;
+  struct timeval *tvp;
+  time_t now;
+#if WINDOWS
+#ifdef HAVE_POLL
+  int extra_slot;
+#endif /* HAVE_POLL */
+#define EXTRA_SLOTS 1
+#else  /* !WINDOWS */
+#define EXTRA_SLOTS 0
+#endif /* !WINDOWS */
+#ifdef HAVE_POLL
+  struct pollfd p[1 + EXTRA_SLOTS];
+#endif
+#undef EXTRA_SLOTS
+#ifdef HAVE_POLL
+  const bool use_poll = (MHD_ELS_POLL == daemon->event_loop_syscall);
+#else  /* ! HAVE_POLL */
+  const bool use_poll = false;
+#endif /* ! HAVE_POLL */
+  bool was_suspended = false;
+  
+  MHD_thread_init_(&con->pid);
+
+  while ( (! daemon->shutdown) &&
+          (MHD_REQUEST_CLOSED != con->request.state) )
+    {
+      const time_t timeout = daemon->connection_default_timeout;
+#ifdef UPGRADE_SUPPORT
+      struct MHD_UpgradeResponseHandle * const urh = con->request.urh;
+#else  /* ! UPGRADE_SUPPORT */
+      static const void * const urh = NULL;
+#endif /* ! UPGRADE_SUPPORT */
+
+      if ( (con->suspended) &&
+           (NULL == urh) )
+        {
+          /* Connection was suspended, wait for resume. */
+          was_suspended = true;
+          if (! use_poll)
+            {
+              FD_ZERO (&rs);
+              if (! MHD_add_to_fd_set_ (MHD_itc_r_fd_ (daemon->itc),
+                                        &rs,
+                                        NULL,
+                                        FD_SETSIZE))
+                {
+  #ifdef HAVE_MESSAGES
+                  MHD_DLOG (con->daemon,
+                            MHD_SC_SOCKET_OUTSIDE_OF_FDSET_RANGE,
+                            _("Failed to add FD to fd_set\n"));
+  #endif
+                  goto exit;
+                }
+              if (0 > MHD_SYS_select_ (MHD_itc_r_fd_ (daemon->itc) + 1,
+                                       &rs,
+                                       NULL,
+                                       NULL,
+                                       NULL))
+                {
+                  const int err = MHD_socket_get_error_();
+
+                  if (MHD_SCKT_ERR_IS_EINTR_(err))
+                    continue;
+#ifdef HAVE_MESSAGES
+                  MHD_DLOG (con->daemon,
+                            MHD_SC_UNEXPECTED_SELECT_ERROR,
+                            _("Error during select (%d): `%s'\n"),
+                            err,
+                            MHD_socket_strerr_ (err));
+#endif
+                  break;
+                }
+            }
+#ifdef HAVE_POLL
+          else /* use_poll */
+            {
+              p[0].events = POLLIN;
+              p[0].fd = MHD_itc_r_fd_ (daemon->itc);
+              p[0].revents = 0;
+              if (0 > MHD_sys_poll_ (p,
+                                     1,
+                                     -1))
+                {
+                  if (MHD_SCKT_LAST_ERR_IS_(MHD_SCKT_EINTR_))
+                    continue;
+#ifdef HAVE_MESSAGES
+                  MHD_DLOG (con->daemon,
+                            MHD_SC_UNEXPECTED_POLL_ERROR,
+                            _("Error during poll: `%s'\n"),
+                            MHD_socket_last_strerr_ ());
+#endif
+                  break;
+                }
+            }
+#endif /* HAVE_POLL */
+          MHD_itc_clear_ (daemon->itc);
+          continue; /* Check again for resume. */
+        } /* End of "suspended" branch. */
+
+      if (was_suspended)
+        {
+          MHD_update_last_activity_ (con); /* Reset timeout timer. */
+          /* Process response queued during suspend and update states. */
+          MHD_connection_handle_idle (con);
+          was_suspended = false;
+        }
+
+      tvp = NULL;
+
+      if ( (MHD_EVENT_LOOP_INFO_BLOCK == con->request.event_loop_info)
+#ifdef HTTPS_SUPPORT
+           || ( (con->tls_read_ready) &&
+                (MHD_EVENT_LOOP_INFO_READ == con->request.event_loop_info) )
+#endif /* HTTPS_SUPPORT */
+         )
+        {
+          /* do not block: more data may be inside of TLS buffers waiting or
+           * application must provide response data */
+          tv.tv_sec = 0;
+          tv.tv_usec = 0;
+          tvp = &tv;
+        }
+      if ( (NULL == tvp) &&
+           (timeout > 0) )
+        {
+          now = MHD_monotonic_sec_counter();
+          if (now - con->last_activity > timeout)
+            tv.tv_sec = 0;
+          else
+            {
+              const time_t seconds_left = timeout - (now - con->last_activity);
+#if !defined(_WIN32) || defined(__CYGWIN__)
+              tv.tv_sec = seconds_left;
+#else  /* _WIN32 && !__CYGWIN__ */
+              if (seconds_left > TIMEVAL_TV_SEC_MAX)
+                tv.tv_sec = TIMEVAL_TV_SEC_MAX;
+              else
+                tv.tv_sec = (_MHD_TIMEVAL_TV_SEC_TYPE) seconds_left;
+#endif /* _WIN32 && ! __CYGWIN__  */
+            }
+          tv.tv_usec = 0;
+          tvp = &tv;
+        }
+      if (! use_poll)
+        {
+          /* use select */
+          bool err_state = false;
+
+          FD_ZERO (&rs);
+          FD_ZERO (&ws);
+          FD_ZERO (&es);
+          maxsock = MHD_INVALID_SOCKET;
+          switch (con->request.event_loop_info)
+            {
+            case MHD_EVENT_LOOP_INFO_READ:
+              if (! MHD_add_to_fd_set_ (con->socket_fd,
+                                        &rs,
+                                        &maxsock,
+                                        FD_SETSIZE))
+                err_state = true;
+              break;
+            case MHD_EVENT_LOOP_INFO_WRITE:
+              if (! MHD_add_to_fd_set_ (con->socket_fd,
+                                        &ws,
+                                        &maxsock,
+                                        FD_SETSIZE))
+                err_state = true;
+              break;
+            case MHD_EVENT_LOOP_INFO_BLOCK:
+              if (! MHD_add_to_fd_set_ (con->socket_fd,
+                                        &es,
+                                        &maxsock,
+                                        FD_SETSIZE))
+                err_state = true;
+              break;
+            case MHD_EVENT_LOOP_INFO_CLEANUP:
+              /* how did we get here!? */
+              goto exit;
+            }
+#if WINDOWS
+          if (MHD_ITC_IS_VALID_(daemon->itc) )
+            {
+              if (! MHD_add_to_fd_set_ (MHD_itc_r_fd_ (daemon->itc),
+                                        &rs,
+                                        &maxsock,
+                                        FD_SETSIZE))
+                err_state = 1;
+            }
+#endif
+            if (err_state)
+              {
+#ifdef HAVE_MESSAGES
+                MHD_DLOG (con->daemon,
+                          MHD_SC_SOCKET_OUTSIDE_OF_FDSET_RANGE,
+                          _("Failed to add FD to fd_set\n"));
+#endif
+                goto exit;
+              }
+
+          num_ready = MHD_SYS_select_ (maxsock + 1,
+                                       &rs,
+                                       &ws,
+                                       NULL,
+                                       tvp);
+          if (num_ready < 0)
+            {
+              const int err = MHD_socket_get_error_();
+
+              if (MHD_SCKT_ERR_IS_EINTR_(err))
+                continue;
+#ifdef HAVE_MESSAGES
+              MHD_DLOG (con->daemon,
+                        MHD_SC_UNEXPECTED_SELECT_ERROR,
+                        _("Error during select (%d): `%s'\n"),
+                        err,
+                        MHD_socket_strerr_ (err));
+#endif
+              break;
+            }
+#if WINDOWS
+          /* Clear ITC before other processing so additional
+           * signals will trigger select() again */
+          if ( (MHD_ITC_IS_VALID_(daemon->itc)) &&
+               (FD_ISSET (MHD_itc_r_fd_ (daemon->itc),
+                          &rs)) )
+            MHD_itc_clear_ (daemon->itc);
+#endif
+          if (MHD_NO ==
+              call_handlers (con,
+                             FD_ISSET (con->socket_fd,
+                                       &rs),
+                             FD_ISSET (con->socket_fd,
+                                       &ws),
+                             FD_ISSET (con->socket_fd,
+                                       &es)) )
+            goto exit;
+        }
+#ifdef HAVE_POLL
+      else
+        {
+          /* use poll */
+          memset (&p,
+                  0,
+                  sizeof (p));
+          p[0].fd = con->socket_fd;
+          switch (con->request.event_loop_info)
+            {
+            case MHD_EVENT_LOOP_INFO_READ:
+              p[0].events |= POLLIN | MHD_POLL_EVENTS_ERR_DISC;
+              break;
+            case MHD_EVENT_LOOP_INFO_WRITE:
+              p[0].events |= POLLOUT | MHD_POLL_EVENTS_ERR_DISC;
+              break;
+            case MHD_EVENT_LOOP_INFO_BLOCK:
+              p[0].events |= MHD_POLL_EVENTS_ERR_DISC;
+              break;
+            case MHD_EVENT_LOOP_INFO_CLEANUP:
+              /* how did we get here!? */
+              goto exit;
+            }
+#if WINDOWS
+          extra_slot = 0;
+          if (MHD_ITC_IS_VALID_(daemon->itc))
+            {
+              p[1].events |= POLLIN;
+              p[1].fd = MHD_itc_r_fd_ (daemon->itc);
+              p[1].revents = 0;
+              extra_slot = 1;
+            }
+#endif
+          if (MHD_sys_poll_ (p,
+#if WINDOWS
+                             1 + extra_slot,
+#else
+                             1,
+#endif
+                             (NULL == tvp) ? -1 : tv.tv_sec * 1000) < 0)
+            {
+              if (MHD_SCKT_LAST_ERR_IS_(MHD_SCKT_EINTR_))
+                continue;
+#ifdef HAVE_MESSAGES
+              MHD_DLOG (con->daemon,
+                        MHD_SC_UNEXPECTED_POLL_ERROR,
+                        _("Error during poll: `%s'\n"),
+                        MHD_socket_last_strerr_ ());
+#endif
+              break;
+            }
+#if WINDOWS
+          /* Clear ITC before other processing so additional
+           * signals will trigger poll() again */
+          if ( (MHD_ITC_IS_VALID_(daemon->itc)) &&
+               (0 != (p[1].revents & (POLLERR | POLLHUP | POLLIN))) )
+            MHD_itc_clear_ (daemon->itc);
+#endif
+          if (MHD_NO ==
+              call_handlers (con,
+                             0 != (p[0].revents & POLLIN),
+                             0 != (p[0].revents & POLLOUT),
+                             0 != (p[0].revents & (POLLERR | MHD_POLL_REVENTS_ERR_DISC))))
+            goto exit;
+        }
+#endif
+#ifdef UPGRADE_SUPPORT
+      if (MHD_REQUEST_UPGRADE == con->request.state)
+        {
+          /* Normal HTTP processing is finished,
+           * notify application. */
+          if ( (NULL != con->request.response->termination_cb) &&
+               (con->request.client_aware) )
+            con->request.response->termination_cb
+              (con->request.response->termination_cb_cls,
+               MHD_REQUEST_TERMINATED_COMPLETED_OK,
+               con->request.client_context);
+          con->request.client_aware = false;
+
+          thread_main_connection_upgrade (con);
+          /* MHD_connection_finish_forward_() was called by thread_main_connection_upgrade(). */
+
+          /* "Upgraded" data will not be used in this thread from this point. */
+          con->request.urh->clean_ready = true;
+          /* If 'urh->was_closed' set to true, connection will be
+           * moved immediately to cleanup list. Otherwise connection
+           * will stay in suspended list until 'urh' will be marked
+           * with 'was_closed' by application. */
+          MHD_resume_connection (con);
+
+          /* skip usual clean up  */
+          return (MHD_THRD_RTRN_TYPE_) 0;
+        }
+#endif /* UPGRADE_SUPPORT */
+    }
+  if (MHD_REQUEST_IN_CLEANUP != con->request.state)
+    {
+#if DEBUG_CLOSE
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (con->daemon,
+                MHD_SC_THREAD_TERMINATING,
+                _("Processing thread terminating. Closing connection\n"));
+#endif
+#endif
+      if (MHD_REQUEST_CLOSED != con->request.state)
+        MHD_connection_close_ (con,
+                               (daemon->shutdown) ?
+                               MHD_REQUEST_TERMINATED_DAEMON_SHUTDOWN:
+                               MHD_REQUEST_TERMINATED_WITH_ERROR);
+      MHD_connection_handle_idle (con);
+    }
+exit:
+  if (NULL != con->request.response)
+    {
+      MHD_response_queue_for_destroy (con->request.response);
+      con->request.response = NULL;
+    }
+
+  if (MHD_INVALID_SOCKET != con->socket_fd)
+    {
+      shutdown (con->socket_fd,
+                SHUT_WR);
+      /* 'socket_fd' can be used in other thread to signal shutdown.
+       * To avoid data races, do not close socket here. Daemon will
+       * use more connections only after cleanup anyway. */
+    }
+  return (MHD_THRD_RTRN_TYPE_) 0;
+}
+
+
+/**
+ * Add another client connection to the set of connections
+ * managed by MHD.  This API is usually not needed (since
+ * MHD will accept inbound connections on the server socket).
+ * Use this API in special cases, for example if your HTTP
+ * server is behind NAT and needs to connect out to the
+ * HTTP client.
+ *
+ * The given client socket will be managed (and closed!) by MHD after
+ * this call and must no longer be used directly by the application
+ * afterwards.
+ *
+ * @param daemon daemon that manages the connection
+ * @param client_socket socket to manage (MHD will expect
+ *        to receive an HTTP request from this socket next).
+ * @param addr IP address of the client
+ * @param addrlen number of bytes in @a addr
+ * @param external_add perform additional operations needed due
+ *        to the application calling us directly
+ * @param non_blck indicate that socket in non-blocking mode
+ * @return #MHD_SC_OK on success
+ */
+static enum MHD_StatusCode
+internal_add_connection (struct MHD_Daemon *daemon,
+                         MHD_socket client_socket,
+                         const struct sockaddr *addr,
+                         socklen_t addrlen,
+                         bool external_add,
+                         bool non_blck)
+{
+  enum MHD_StatusCode sc;
+  struct MHD_Connection *connection;
+  int eno = 0;
+
+  /* Direct add to master daemon could happen only with "external" add mode. */
+  mhd_assert ( (NULL == daemon->worker_pool) ||
+               (external_add) );
+  if ( (external_add) &&
+       (NULL != daemon->worker_pool) )
+    {
+      unsigned int i;
+
+      /* have a pool, try to find a pool with capacity; we use the
+         socket as the initial offset into the pool for load
+         balancing */
+      for (i = 0; i < daemon->worker_pool_size; ++i)
+        {
+          struct MHD_Daemon * const worker =
+                &daemon->worker_pool[(i + client_socket) % daemon->worker_pool_size];
+          if (worker->connections < worker->global_connection_limit)
+            return internal_add_connection (worker,
+                                            client_socket,
+                                            addr,
+                                            addrlen,
+                                            true,
+                                            non_blck);
+        }
+      /* all pools are at their connection limit, must refuse */
+      MHD_socket_close_chk_ (client_socket);
+#if ENFILE
+      errno = ENFILE;
+#endif
+      return MHD_SC_LIMIT_CONNECTIONS_REACHED;
+    }
+
+  if ( (! MHD_SCKT_FD_FITS_FDSET_(client_socket,
+                                  NULL)) &&
+       (MHD_ELS_SELECT == daemon->event_loop_syscall) )
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_SOCKET_OUTSIDE_OF_FDSET_RANGE,
+                _("Socket descriptor larger than FD_SETSIZE: %d > %d\n"),
+                (int) client_socket,
+                (int) FD_SETSIZE);
+#endif
+      MHD_socket_close_chk_ (client_socket);
+#if EINVAL
+      errno = EINVAL;
+#endif
+      return MHD_SC_SOCKET_OUTSIDE_OF_FDSET_RANGE;
+    }
+
+#ifdef MHD_socket_nosignal_
+  if (! MHD_socket_nosignal_ (client_socket))
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_ACCEPT_CONFIGURE_NOSIGPIPE_FAILED,
+                _("Failed to set SO_NOSIGPIPE on accepted socket: %s\n"),
+                MHD_socket_last_strerr_());
+#endif
+#ifndef MSG_NOSIGNAL
+      /* Cannot use socket as it can produce SIGPIPE. */
+#ifdef ENOTSOCK
+      errno = ENOTSOCK;
+#endif /* ENOTSOCK */
+      return MHD_SC_ACCEPT_CONFIGURE_NOSIGPIPE_FAILED;
+#endif /* ! MSG_NOSIGNAL */
+    }
+#endif /* MHD_socket_nosignal_ */
+
+
+#ifdef HAVE_MESSAGES
+#if DEBUG_CONNECT
+  MHD_DLOG (daemon,
+            MHD_SC_CONNECTION_ACCEPTED,
+            _("Accepted connection on socket %d\n"),
+            client_socket);
+#endif
+#endif
+  if ( (daemon->connections == daemon->global_connection_limit) ||
+       (MHD_NO == MHD_ip_limit_add (daemon,
+                                    addr,
+                                    addrlen)) )
+    {
+      /* above connection limit - reject */
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_LIMIT_CONNECTIONS_REACHED,
+                _("Server reached connection limit. Closing inbound connection.\n"));
+#endif
+      MHD_socket_close_chk_ (client_socket);
+#if ENFILE
+      errno = ENFILE;
+#endif
+      return MHD_SC_LIMIT_CONNECTIONS_REACHED;
+    }
+
+  /* apply connection acceptance policy if present */
+  if ( (NULL != daemon->accept_policy_cb) &&
+       (MHD_NO ==
+        daemon->accept_policy_cb (daemon->accept_policy_cb_cls,
+                                  addr,
+                                  addrlen)) )
+    {
+#if DEBUG_CLOSE
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_ACCEPT_POLICY_REJECTED,
+                _("Connection rejected by application. Closing connection.\n"));
+#endif
+#endif
+      MHD_socket_close_chk_ (client_socket);
+      MHD_ip_limit_del (daemon,
+                        addr,
+                        addrlen);
+#if EACCESS
+      errno = EACCESS;
+#endif
+      return MHD_SC_ACCEPT_POLICY_REJECTED;
+    }
+
+  if (NULL ==
+      (connection = MHD_calloc_ (1,
+                                 sizeof (struct MHD_Connection))))
+    {
+      eno = errno;
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_CONNECTION_MALLOC_FAILURE,
+                "Error allocating memory: %s\n",
+                MHD_strerror_ (errno));
+#endif
+      MHD_socket_close_chk_ (client_socket);
+      MHD_ip_limit_del (daemon,
+                        addr,
+                        addrlen);
+      errno = eno;
+      return MHD_SC_CONNECTION_MALLOC_FAILURE;
+    }
+  connection->request.pool
+    = MHD_pool_create (daemon->connection_memory_limit_b);
+  if (NULL == connection->request.pool)
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_POOL_MALLOC_FAILURE,
+                _("Error allocating memory: %s\n"),
+                MHD_strerror_ (errno));
+#endif
+      MHD_socket_close_chk_ (client_socket);
+      MHD_ip_limit_del (daemon,
+                        addr,
+                        addrlen);
+      free (connection);
+#if ENOMEM
+      errno = ENOMEM;
+#endif
+      return MHD_SC_POOL_MALLOC_FAILURE;
+    }
+
+  connection->connection_timeout = daemon->connection_default_timeout;
+  memcpy (&connection->addr,
+          addr,
+          addrlen);
+  connection->addr_len = addrlen;
+  connection->socket_fd = client_socket;
+  connection->sk_nonblck = non_blck;
+  connection->daemon = daemon;
+  connection->last_activity = MHD_monotonic_sec_counter();
+
+#ifdef HTTPS_SUPPORT
+  if (NULL != daemon->tls_api)
+    {
+      connection->tls_cs
+        = daemon->tls_api->setup_connection (daemon->tls_api->cls,
+                                             NULL /* FIXME */);
+      if (NULL == connection->tls_cs)
+        {
+          eno = EINVAL;
+          sc = -1; // FIXME!
+          goto cleanup;
+        }
+    }
+  else
+#endif /* ! HTTPS_SUPPORT */
+    /* set default connection handlers  */
+    MHD_set_http_callbacks_ (connection);
+
+  MHD_mutex_lock_chk_ (&daemon->cleanup_connection_mutex);
+  /* Firm check under lock. */
+  if (daemon->connections >= daemon->global_connection_limit)
+    {
+      MHD_mutex_unlock_chk_ (&daemon->cleanup_connection_mutex);
+      /* above connection limit - reject */
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_LIMIT_CONNECTIONS_REACHED,
+                _("Server reached connection limit. Closing inbound connection.\n"));
+#endif
+#if ENFILE
+      eno = ENFILE;
+#endif
+      sc = MHD_SC_LIMIT_CONNECTIONS_REACHED;
+      goto cleanup;
+    }
+  daemon->connections++;
+  if (MHD_TM_THREAD_PER_CONNECTION != daemon->threading_model)
+    {
+      XDLL_insert (daemon->normal_timeout_head,
+                   daemon->normal_timeout_tail,
+                   connection);
+    }
+  DLL_insert (daemon->connections_head,
+              daemon->connections_tail,
+              connection);
+  MHD_mutex_unlock_chk_ (&daemon->cleanup_connection_mutex);
+
+  if (NULL != daemon->notify_connection_cb)
+    daemon->notify_connection_cb (daemon->notify_connection_cb_cls,
+                                  connection,
+                                  MHD_CONNECTION_NOTIFY_STARTED);
+
+  /* attempt to create handler thread */
+  if (MHD_TM_THREAD_PER_CONNECTION == daemon->threading_model)
+    {
+      if (! MHD_create_named_thread_ (&connection->pid,
+                                      "MHD-connection",
+                                      daemon->thread_stack_limit_b,
+                                      &thread_main_handle_connection,
+                                      connection))
+        {
+          eno = errno;
+#ifdef HAVE_MESSAGES
+          MHD_DLOG (daemon,
+                    MHD_SC_THREAD_LAUNCH_FAILURE,
+                    "Failed to create a thread: %s\n",
+                    MHD_strerror_ (eno));
+#endif
+          sc = MHD_SC_THREAD_LAUNCH_FAILURE;
+          goto cleanup;
+        }
+    }
+  else
+    {
+      connection->pid = daemon->pid;
+    }
+#ifdef EPOLL_SUPPORT
+  if (MHD_ELS_EPOLL == daemon->event_loop_syscall)
+    {
+      if ( (! daemon->enable_turbo) ||
+           (external_add))
+        { /* Do not manipulate EReady DL-list in 'external_add' mode. */
+          struct epoll_event event;
+
+          event.events = EPOLLIN | EPOLLOUT | EPOLLPRI | EPOLLET;
+          event.data.ptr = connection;
+          if (0 != epoll_ctl (daemon->epoll_fd,
+                              EPOLL_CTL_ADD,
+                              client_socket,
+                              &event))
+            {
+              eno = errno;
+#ifdef HAVE_MESSAGES
+              MHD_DLOG (daemon,
+                        MHD_SC_EPOLL_CTL_ADD_FAILED,
+                        _("Call to epoll_ctl failed: %s\n"),
+                        MHD_socket_last_strerr_ ());
+#endif
+              sc = MHD_SC_EPOLL_CTL_ADD_FAILED;
+              goto cleanup;
+            }
+          connection->epoll_state |= MHD_EPOLL_STATE_IN_EPOLL_SET;
+        }
+      else
+        {
+          connection->epoll_state |= MHD_EPOLL_STATE_READ_READY | MHD_EPOLL_STATE_WRITE_READY
+            | MHD_EPOLL_STATE_IN_EREADY_EDLL;
+          EDLL_insert (daemon->eready_head,
+                       daemon->eready_tail,
+                       connection);
+        }
+    }
+  else /* This 'else' is combined with next 'if'. */
+#endif
+  if ( (MHD_TM_THREAD_PER_CONNECTION != daemon->threading_model) &&
+       (external_add) &&
+       (MHD_ITC_IS_VALID_(daemon->itc)) &&
+       (! MHD_itc_activate_ (daemon->itc,
+                             "n")) )
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_ITC_USE_FAILED,
+                _("Failed to signal new connection via inter-thread communication channel."));
+#endif
+      sc = MHD_SC_ITC_USE_FAILED;
+    }
+  return MHD_SC_OK;
+  
+ cleanup:
+  if (NULL != daemon->notify_connection_cb)
+    daemon->notify_connection_cb (daemon->notify_connection_cb_cls,
+                                  connection,
+                                  MHD_CONNECTION_NOTIFY_CLOSED);
+#ifdef HTTPS_SUPPORT
+ if (NULL != connection->tls_cs)
+   daemon->tls_api->teardown_connection (daemon->tls_api->cls,
+                                         connection->tls_cs);
+#endif /* HTTPS_SUPPORT */
+  MHD_socket_close_chk_ (client_socket);
+  MHD_ip_limit_del (daemon,
+                    addr,
+                    addrlen);
+  MHD_mutex_lock_chk_ (&daemon->cleanup_connection_mutex);
+  if (MHD_TM_THREAD_PER_CONNECTION != daemon->threading_model) 
+    {
+      XDLL_remove (daemon->normal_timeout_head,
+                   daemon->normal_timeout_tail,
+                   connection);
+    }
+  DLL_remove (daemon->connections_head,
+              daemon->connections_tail,
+              connection);
+  MHD_mutex_unlock_chk_ (&daemon->cleanup_connection_mutex);
+  MHD_pool_destroy (connection->request.pool);
+  free (connection);
+  if (0 != eno)
+    errno = eno;
+  else
+    errno  = EINVAL;
+  return sc;
+}
+
+
+/**
+ * Add another client connection to the set of connections managed by
+ * MHD.  This API is usually not needed (since MHD will accept inbound
+ * connections on the server socket).  Use this API in special cases,
+ * for example if your HTTP server is behind NAT and needs to connect
+ * out to the HTTP client, or if you are building a proxy.
+ *
+ * If you use this API in conjunction with a internal select or a
+ * thread pool, you must set the option #MHD_USE_ITC to ensure that
+ * the freshly added connection is immediately processed by MHD.
+ *
+ * The given client socket will be managed (and closed!) by MHD after
+ * this call and must no longer be used directly by the application
+ * afterwards.
+ *
+ * @param daemon daemon that manages the connection
+ * @param client_socket socket to manage (MHD will expect
+ *        to receive an HTTP request from this socket next).
+ * @param addr IP address of the client
+ * @param addrlen number of bytes in @a addr
+ * @return #MHD_YES on success, #MHD_NO if this daemon could
+ *        not handle the connection (i.e. malloc() failed, etc).
+ *        The socket will be closed in any case; `errno` is
+ *        set to indicate further details about the error.
+ * @ingroup specialized
+ */
+enum MHD_StatusCode
+MHD_daemon_add_connection (struct MHD_Daemon *daemon,
+                           MHD_socket client_socket,
+                           const struct sockaddr *addr,
+                           socklen_t addrlen)
+{
+  bool sk_nonbl;
+
+  if (! MHD_socket_nonblocking_ (client_socket))
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_ACCEPT_CONFIGURE_NONBLOCKING_FAILED,
+                _("Failed to set nonblocking mode on new client socket: %s\n"),
+                MHD_socket_last_strerr_());
+#endif
+      sk_nonbl = false;
+    }
+  else
+    {
+      sk_nonbl = true;
+    }
+  
+  if ( (daemon->enable_turbo) &&
+       (! MHD_socket_noninheritable_ (client_socket)) )
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_ACCEPT_CONFIGURE_NOINHERIT_FAILED,
+                _("Failed to set noninheritable mode on new client socket.\n"));
+#endif
+    }
+  return internal_add_connection (daemon,
+                                  client_socket,
+                                  addr,
+                                  addrlen,
+                                  true,
+                                  sk_nonbl);
+}
+
+
+/**
+ * Accept an incoming connection and create the MHD_Connection object
+ * for it.  This function also enforces policy by way of checking with
+ * the accept policy callback.  @remark To be called only from thread
+ * that process daemon's select()/poll()/etc.
+ *
+ * @param daemon handle with the listen socket
+ * @return #MHD_SC_OK on success
+ */
+enum MHD_StatusCode
+MHD_accept_connection_ (struct MHD_Daemon *daemon)
+{
+  struct sockaddr_storage addrstorage;
+  struct sockaddr *addr = (struct sockaddr *) &addrstorage;
+  socklen_t addrlen;
+  MHD_socket s;
+  MHD_socket fd;
+  bool sk_nonbl;
+
+  addrlen = sizeof (addrstorage);
+  memset (addr,
+          0,
+          sizeof (addrstorage));
+  if ( (MHD_INVALID_SOCKET == (fd = daemon->listen_socket)) ||
+       (daemon->was_quiesced) )
+    return MHD_SC_DAEMON_ALREADY_QUIESCED;
+#ifdef USE_ACCEPT4
+  s = accept4 (fd,
+               addr,
+               &addrlen,
+               MAYBE_SOCK_CLOEXEC | MAYBE_SOCK_NONBLOCK);
+  sk_nonbl = (0 != MAYBE_SOCK_NONBLOCK);
+#else  /* ! USE_ACCEPT4 */
+  s = accept (fd,
+              addr,
+              &addrlen);
+  sk_nonbl = false;
+#endif /* ! USE_ACCEPT4 */
+  if ( (MHD_INVALID_SOCKET == s) ||
+       (addrlen <= 0) )
+    {
+      const int err = MHD_socket_get_error_ ();
+
+      /* This could be a common occurance with multiple worker threads */
+      if (MHD_SCKT_ERR_IS_ (err,
+                            MHD_SCKT_EINVAL_))
+        return MHD_SC_DAEMON_ALREADY_SHUTDOWN; /* can happen during shutdown, let's hope this is the cause... */
+      if (MHD_SCKT_ERR_IS_DISCNN_BEFORE_ACCEPT_(err))
+        return MHD_SC_ACCEPT_FAST_DISCONNECT; /* do not print error if client just disconnected early */
+      if (MHD_SCKT_ERR_IS_EAGAIN_ (err) )
+        return MHD_SC_ACCEPT_FAILED_EAGAIN;
+      if (MHD_INVALID_SOCKET != s)
+        {
+          MHD_socket_close_chk_ (s);
+        }
+      if ( MHD_SCKT_ERR_IS_LOW_RESOURCES_ (err) )
+        {
+          /* system/process out of resources */
+          if (0 == daemon->connections)
+            {
+#ifdef HAVE_MESSAGES
+              /* Not setting 'at_limit' flag, as there is no way it
+                 would ever be cleared.  Instead trying to produce
+                 bit fat ugly warning. */
+              MHD_DLOG (daemon,
+                        MHD_SC_ACCEPT_SYSTEM_LIMIT_REACHED_INSTANTLY,
+                        _("Hit process or system resource limit at FIRST connection. This is really bad as there is no sane way to proceed. Will try busy waiting for system resources to become magically available.\n"));
+#endif
+              return MHD_SC_ACCEPT_SYSTEM_LIMIT_REACHED_INSTANTLY;
+            }
+          else
+            {
+              MHD_mutex_lock_chk_ (&daemon->cleanup_connection_mutex);
+              daemon->at_limit = true;
+              MHD_mutex_unlock_chk_ (&daemon->cleanup_connection_mutex);
+#ifdef HAVE_MESSAGES
+              MHD_DLOG (daemon,
+                        MHD_SC_ACCEPT_SYSTEM_LIMIT_REACHED,
+                        _("Hit process or system resource limit at %u connections, temporarily suspending accept(). Consider setting a lower MHD_OPTION_CONNECTION_LIMIT.\n"),
+                        (unsigned int) daemon->connections);
+#endif
+              return MHD_SC_ACCEPT_SYSTEM_LIMIT_REACHED;
+            }
+        }
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_ACCEPT_FAILED_UNEXPECTEDLY,
+                _("Error accepting connection: %s\n"),
+                MHD_socket_strerr_(err));
+#endif
+      return MHD_SC_ACCEPT_FAILED_UNEXPECTEDLY;
+    }
+#if !defined(USE_ACCEPT4) || !defined(HAVE_SOCK_NONBLOCK)
+  if (! MHD_socket_nonblocking_ (s))
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_ACCEPT_CONFIGURE_NONBLOCKING_FAILED,
+                _("Failed to set nonblocking mode on incoming connection socket: %s\n"),
+                MHD_socket_last_strerr_());
+#endif
+    }
+  else
+    sk_nonbl = true;
+#endif /* !USE_ACCEPT4 || !HAVE_SOCK_NONBLOCK */
+#if !defined(USE_ACCEPT4) || !defined(SOCK_CLOEXEC)
+  if (! MHD_socket_noninheritable_ (s))
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_ACCEPT_CONFIGURE_NOINHERIT_FAILED,
+                _("Failed to set noninheritable mode on incoming connection socket.\n"));
+#endif
+    }
+#endif /* !USE_ACCEPT4 || !SOCK_CLOEXEC */
+#ifdef HAVE_MESSAGES
+#if DEBUG_CONNECT
+  MHD_DLOG (daemon,
+            MHD_SC_CONNECTION_ACCEPTED,
+            _("Accepted connection on socket %d\n"),
+            s);
+#endif
+#endif
+  return internal_add_connection (daemon,
+                                  s,
+                                  addr,
+                                  addrlen,
+                                  false,
+                                  sk_nonbl);
+}
+
+/* end of connection_add.c */
diff --git a/src/lib/connection_add.h b/src/lib/connection_add.h
new file mode 100644
index 00000000..6957fd77
--- /dev/null
+++ b/src/lib/connection_add.h
@@ -0,0 +1,41 @@
+/*
+  This file is part of libmicrohttpd
+  Copyright (C) 2007-2018 Daniel Pittman and Christian Grothoff
+
+  This library is free software; you can redistribute it and/or
+  modify it under the terms of the GNU Lesser General Public
+  License as published by the Free Software Foundation; either
+  version 2.1 of the License, or (at your option) any later version.
+
+  This library is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public
+  License along with this library; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+/**
+ * @file lib/connection_add.h
+ * @brief functions to add connection to our active set
+ * @author Christian Grothoff
+ */
+
+#ifndef CONNECTION_ADD_H
+#define CONNECTION_ADD_H
+
+/**
+ * Accept an incoming connection and create the MHD_Connection object
+ * for it.  This function also enforces policy by way of checking with
+ * the accept policy callback.  @remark To be called only from thread
+ * that process daemon's select()/poll()/etc.
+ *
+ * @param daemon handle with the listen socket
+ * @return #MHD_SC_OK on success 
+ */
+enum MHD_StatusCode
+MHD_accept_connection_ (struct MHD_Daemon *daemon)
+  MHD_NONNULL (1);
+
+#endif
diff --git a/src/lib/daemon_add_connection.c b/src/lib/daemon_add_connection.c
deleted file mode 100644
index 30492d7c..00000000
--- a/src/lib/daemon_add_connection.c
+++ /dev/null
@@ -1,63 +0,0 @@
-/*
-  This file is part of libmicrohttpd
-  Copyright (C) 2007-2018 Daniel Pittman and Christian Grothoff
-
-  This library is free software; you can redistribute it and/or
-  modify it under the terms of the GNU Lesser General Public
-  License as published by the Free Software Foundation; either
-  version 2.1 of the License, or (at your option) any later version.
-
-  This library is distributed in the hope that it will be useful,
-  but WITHOUT ANY WARRANTY; without even the implied warranty of
-  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-  Lesser General Public License for more details.
-
-  You should have received a copy of the GNU Lesser General Public
-  License along with this library; if not, write to the Free Software
-  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
-*/
-
-/**
- * @file lib/daemon_add_connection.c
- * @brief main functions to add a connection to be managed by a daemon
- * @author Christian Grothoff
- */
-#include "internal.h"
-
-
-/**
- * Add another client connection to the set of connections managed by
- * MHD.  This API is usually not needed (since MHD will accept inbound
- * connections on the server socket).  Use this API in special cases,
- * for example if your HTTP server is behind NAT and needs to connect
- * out to the HTTP client, or if you are building a proxy.
- *
- * If you use this API in conjunction with a internal select or a
- * thread pool, you must set the option
- * #MHD_USE_ITC to ensure that the freshly added
- * connection is immediately processed by MHD.
- *
- * The given client socket will be managed (and closed!) by MHD after
- * this call and must no longer be used directly by the application
- * afterwards.
- *
- * @param daemon daemon that manages the connection
- * @param client_socket socket to manage (MHD will expect
- *        to receive an HTTP request from this socket next).
- * @param addr IP address of the client
- * @param addrlen number of bytes in @a addr
- * @return #MHD_SC_OK on success
- *        The socket will be closed in any case; `errno` is
- *        set to indicate further details about the error.
- * @ingroup specialized
- */
-_MHD_EXTERN enum MHD_StatusCode
-MHD_daemon_add_connection (struct MHD_Daemon *daemon,
-                           MHD_socket client_socket,
-                           const struct sockaddr *addr,
-                           socklen_t addrlen)
-{
-  return -1;
-}
-
-/* end of daemon_add_connection.c */
diff --git a/src/lib/daemon_epoll.c b/src/lib/daemon_epoll.c
index 2acb3cc6..49f15307 100644
--- a/src/lib/daemon_epoll.c
+++ b/src/lib/daemon_epoll.c
@@ -385,7 +385,7 @@ MHD_daemon_epoll_ (struct MHD_Daemon *daemon,
                    * be accepted on next turn (level trigger is used for listen
                    * socket). */
                   while ( (MHD_YES ==
-                           MHD_accept_connection (daemon)) &&
+                           MHD_accept_connection_ (daemon)) &&
                           (series_length < 10) &&
                           (daemon->connections < daemon->global_connection_limit) &&
                           (! daemon->at_limit) )
diff --git a/src/lib/daemon_ip_limit.c b/src/lib/daemon_ip_limit.c
new file mode 100644
index 00000000..f33b8193
--- /dev/null
+++ b/src/lib/daemon_ip_limit.c
@@ -0,0 +1,280 @@
+/*
+  This file is part of libmicrohttpd
+  Copyright (C) 2007-2018 Daniel Pittman and Christian Grothoff
+
+  This library is free software; you can redistribute it and/or
+  modify it under the terms of the GNU Lesser General Public
+  License as published by the Free Software Foundation; either
+  version 2.1 of the License, or (at your option) any later version.
+
+  This library is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public
+  License along with this library; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+/**
+ * @file lib/daemon_ip_limit.c
+ * @brief counting of connections per IP
+ * @author Christian Grothoff
+ */
+#include "internal.h"
+#include "daemon_ip_limit.h"
+
+/**
+ * Maintain connection count for single address.
+ */
+struct MHD_IPCount
+{
+  /**
+   * Address family. AF_INET or AF_INET6 for now.
+   */
+  int family;
+
+  /**
+   * Actual address.
+   */
+  union
+  {
+    /**
+     * IPv4 address.
+     */
+    struct in_addr ipv4;
+#if HAVE_INET6
+    /**
+     * IPv6 address.
+     */
+    struct in6_addr ipv6;
+#endif
+  } addr;
+
+  /**
+   * Counter.
+   */
+  unsigned int count;
+};
+
+
+/**
+ * Lock shared structure for IP connection counts and connection DLLs.
+ *
+ * @param daemon handle to daemon where lock is
+ */
+static void
+MHD_ip_count_lock (struct MHD_Daemon *daemon)
+{
+  MHD_mutex_lock_chk_(&daemon->per_ip_connection_mutex);
+}
+
+
+/**
+ * Unlock shared structure for IP connection counts and connection DLLs.
+ *
+ * @param daemon handle to daemon where lock is
+ */
+static void
+MHD_ip_count_unlock (struct MHD_Daemon *daemon)
+{
+  MHD_mutex_unlock_chk_(&daemon->per_ip_connection_mutex);
+}
+
+
+/**
+ * Tree comparison function for IP addresses (supplied to tsearch() family).
+ * We compare everything in the struct up through the beginning of the
+ * 'count' field.
+ *
+ * @param a1 first address to compare
+ * @param a2 second address to compare
+ * @return -1, 0 or 1 depending on result of compare
+ */
+static int
+MHD_ip_addr_compare (const void *a1,
+                     const void *a2)
+{
+  return memcmp (a1,
+                 a2,
+                 offsetof (struct MHD_IPCount,
+                           count));
+}
+
+
+/**
+ * Parse address and initialize @a key using the address.
+ *
+ * @param addr address to parse
+ * @param addrlen number of bytes in @a addr
+ * @param key where to store the parsed address
+ * @return #MHD_YES on success and #MHD_NO otherwise (e.g., invalid address type)
+ */
+static int
+MHD_ip_addr_to_key (const struct sockaddr *addr,
+                    socklen_t addrlen,
+                    struct MHD_IPCount *key)
+{
+  memset(key,
+         0,
+         sizeof(*key));
+
+  /* IPv4 addresses */
+  if (sizeof (struct sockaddr_in) == addrlen)
+    {
+      const struct sockaddr_in *addr4 = (const struct sockaddr_in*) addr;
+
+      key->family = AF_INET;
+      memcpy (&key->addr.ipv4,
+              &addr4->sin_addr,
+              sizeof(addr4->sin_addr));
+      return MHD_YES;
+    }
+
+#if HAVE_INET6
+  /* IPv6 addresses */
+  if (sizeof (struct sockaddr_in6) == addrlen)
+    {
+      const struct sockaddr_in6 *addr6 = (const struct sockaddr_in6*) addr;
+
+      key->family = AF_INET6;
+      memcpy (&key->addr.ipv6,
+              &addr6->sin6_addr,
+              sizeof(addr6->sin6_addr));
+      return MHD_YES;
+    }
+#endif
+
+  /* Some other address */
+  return MHD_NO;
+}
+
+
+/**
+ * Check if IP address is over its limit in terms of the number
+ * of allowed concurrent connections.  If the IP is still allowed,
+ * increments the connection counter.
+ *
+ * @param daemon handle to daemon where connection counts are tracked
+ * @param addr address to add (or increment counter)
+ * @param addrlen number of bytes in @a addr
+ * @return Return #MHD_YES if IP below limit, #MHD_NO if IP has surpassed limit.
+ *   Also returns #MHD_NO if fails to allocate memory.
+ */
+int
+MHD_ip_limit_add (struct MHD_Daemon *daemon,
+                  const struct sockaddr *addr,
+                  socklen_t addrlen)
+{
+  struct MHD_IPCount *key;
+  void **nodep;
+  void *node;
+  int result;
+
+  daemon = MHD_get_master (daemon);
+  /* Ignore if no connection limit assigned */
+  if (0 == daemon->ip_connection_limit)
+    return MHD_YES;
+
+  if (NULL == (key = malloc (sizeof(*key))))
+    return MHD_NO;
+
+  /* Initialize key */
+  if (MHD_NO == MHD_ip_addr_to_key (addr,
+                                    addrlen,
+                                    key))
+    {
+      /* Allow unhandled address types through */
+      free (key);
+      return MHD_YES;
+    }
+  MHD_ip_count_lock (daemon);
+
+  /* Search for the IP address */
+  if (NULL == (nodep = tsearch (key,
+                                &daemon->per_ip_connection_count,
+                                &MHD_ip_addr_compare)))
+    {
+#ifdef HAVE_MESSAGES
+      MHD_DLOG (daemon,
+                MHD_SC_IP_COUNTER_FAILURE,
+                _("Failed to add IP connection count node\n"));
+#endif
+      MHD_ip_count_unlock (daemon);
+      free (key);
+      return MHD_NO;
+    }
+  node = *nodep;
+  /* If we got an existing node back, free the one we created */
+  if (node != key)
+    free(key);
+  key = (struct MHD_IPCount *) node;
+  /* Test if there is room for another connection; if so,
+   * increment count */
+  result = (key->count < daemon->ip_connection_limit) ? MHD_YES : MHD_NO;
+  if (MHD_YES == result)
+    ++key->count;
+
+  MHD_ip_count_unlock (daemon);
+  return result;
+}
+
+
+/**
+ * Decrement connection count for IP address, removing from table
+ * count reaches 0.
+ *
+ * @param daemon handle to daemon where connection counts are tracked
+ * @param addr address to remove (or decrement counter)
+ * @param addrlen number of bytes in @a addr
+ */
+void
+MHD_ip_limit_del (struct MHD_Daemon *daemon,
+                  const struct sockaddr *addr,
+                  socklen_t addrlen)
+{
+  struct MHD_IPCount search_key;
+  struct MHD_IPCount *found_key;
+  void **nodep;
+
+  daemon = MHD_get_master (daemon);
+  /* Ignore if no connection limit assigned */
+  if (0 == daemon->ip_connection_limit)
+    return;
+  /* Initialize search key */
+  if (MHD_NO == MHD_ip_addr_to_key (addr,
+                                    addrlen,
+                                    &search_key))
+    return;
+
+  MHD_ip_count_lock (daemon);
+
+  /* Search for the IP address */
+  if (NULL == (nodep = tfind (&search_key,
+                              &daemon->per_ip_connection_count,
+                              &MHD_ip_addr_compare)))
+    {
+      /* Something's wrong if we couldn't find an IP address
+       * that was previously added */
+      MHD_PANIC (_("Failed to find previously-added IP address\n"));
+    }
+  found_key = (struct MHD_IPCount *) *nodep;
+  /* Validate existing count for IP address */
+  if (0 == found_key->count)
+    {
+      MHD_PANIC (_("Previously-added IP address had counter of zero\n"));
+    }
+  /* Remove the node entirely if count reduces to 0 */
+  if (0 == --found_key->count)
+    {
+      tdelete (found_key,
+               &daemon->per_ip_connection_count,
+               &MHD_ip_addr_compare);
+      free (found_key);
+    }
+
+  MHD_ip_count_unlock (daemon);
+}
+
+/* end of daemon_ip_limit.c */
diff --git a/src/lib/daemon_ip_limit.h b/src/lib/daemon_ip_limit.h
new file mode 100644
index 00000000..5f22db05
--- /dev/null
+++ b/src/lib/daemon_ip_limit.h
@@ -0,0 +1,60 @@
+/*
+  This file is part of libmicrohttpd
+  Copyright (C) 2007-2018 Daniel Pittman and Christian Grothoff
+
+  This library is free software; you can redistribute it and/or
+  modify it under the terms of the GNU Lesser General Public
+  License as published by the Free Software Foundation; either
+  version 2.1 of the License, or (at your option) any later version.
+
+  This library is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public
+  License along with this library; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+/**
+ * @file lib/daemon_ip_limit.h
+ * @brief counting of connections per IP
+ * @author Christian Grothoff
+ */
+
+#ifndef DAEMON_IP_LIMIT_H
+#define DAEMON_IP_LIMIT_H
+
+/**
+ * Check if IP address is over its limit in terms of the number
+ * of allowed concurrent connections.  If the IP is still allowed,
+ * increments the connection counter.
+ *
+ * @param daemon handle to daemon where connection counts are tracked
+ * @param addr address to add (or increment counter)
+ * @param addrlen number of bytes in @a addr
+ * @return Return #MHD_YES if IP below limit, #MHD_NO if IP has surpassed limit.
+ *   Also returns #MHD_NO if fails to allocate memory.
+ */
+int
+MHD_ip_limit_add (struct MHD_Daemon *daemon,
+                  const struct sockaddr *addr,
+                  socklen_t addrlen)
+  MHD_NONNULL (1,2);
+
+
+/**
+ * Decrement connection count for IP address, removing from table
+ * count reaches 0.
+ *
+ * @param daemon handle to daemon where connection counts are tracked
+ * @param addr address to remove (or decrement counter)
+ * @param addrlen number of bytes in @a addr
+ */
+void
+MHD_ip_limit_del (struct MHD_Daemon *daemon,
+                  const struct sockaddr *addr,
+                  socklen_t addrlen)
+  MHD_NONNULL (1,2);
+
+#endif
diff --git a/src/lib/daemon_poll.c b/src/lib/daemon_poll.c
index 118c0579..d5660715 100644
--- a/src/lib/daemon_poll.c
+++ b/src/lib/daemon_poll.c
@@ -333,7 +333,7 @@ MHD_daemon_poll_all_ (struct MHD_Daemon *daemon,
     /* handle 'listen' FD */
     if ( (-1 != poll_listen) &&
          (0 != (p[poll_listen].revents & POLLIN)) )
-      (void) MHD_accept_connection (daemon);
+      (void) MHD_accept_connection_ (daemon);
 
     free(p);
   }
@@ -418,7 +418,7 @@ MHD_daemon_poll_listen_socket_ (struct MHD_Daemon *daemon,
     return MHD_SC_DAEMON_ALREADY_SHUTDOWN;
   if ( (-1 != poll_listen) &&
        (0 != (p[poll_listen].revents & POLLIN)) )
-    (void) MHD_accept_connection (daemon);
+    (void) MHD_accept_connection_ (daemon);
   return MHD_SC_OK;
 }
 #endif
diff --git a/src/lib/daemon_select.c b/src/lib/daemon_select.c
index f61ba36a..abd6eacf 100644
--- a/src/lib/daemon_select.c
+++ b/src/lib/daemon_select.c
@@ -425,7 +425,7 @@ internal_run_from_select (struct MHD_Daemon *daemon,
        (! daemon->was_quiesced) &&
        (FD_ISSET (ds,
                   read_fd_set)) )
-    (void) MHD_accept_connection (daemon);
+    (void) MHD_accept_connection_ (daemon);
 
   if (MHD_TM_THREAD_PER_CONNECTION != daemon->threading_model)
     {
diff --git a/src/lib/internal.h b/src/lib/internal.h
index 92b5b511..1e95698e 100644
--- a/src/lib/internal.h
+++ b/src/lib/internal.h
@@ -429,7 +429,7 @@ struct MHD_Request
    * response (which maybe shared between requests) and the IP
    * address (which persists across individual requests).
    */
-  struct MemoryPool *pool;
+  struct MemoryPool *pool; // FIXME: keep with connnection!
 
   /**
    * We allow the main application to associate some pointer with the
@@ -515,12 +515,6 @@ struct MHD_Request
 #endif /* UPGRADE_SUPPORT */
 
   /**
-   * Thread handle for this connection (if we are using
-   * one thread per connection).
-   */
-  MHD_thread_handle_ID_ pid;
-
-  /**
    * Size of @e read_buffer (in bytes).  This value indicates
    * how many bytes we're willing to read into the buffer;
    * the real buffer is one byte longer to allow for
@@ -760,6 +754,12 @@ struct MHD_Connection
   struct MHD_Request request;
 
   /**
+   * Thread handle for this connection (if we are using
+   * one thread per connection).
+   */
+  MHD_thread_handle_ID_ pid;
+
+  /**
    * Foreign address (of length @e addr_len). 
    */
   struct sockaddr_storage addr;
@@ -1218,6 +1218,11 @@ struct MHD_Daemon
    */
   struct MHD_Connection *cleanup_tail;
 
+  /**
+   * Table storing number of connections per IP
+   */
+  void *per_ip_connection_count;
+
 #ifdef EPOLL_SUPPORT
   /**
    * Head of EDLL of connections ready for processing (in epoll mode).