From 06d446098c2fbc23bb7dc2159568c39db1623c8b Mon Sep 17 00:00:00 2001
From: "Richard W.M. Jones" <rjones@redhat.com>
Date: Thu, 27 Jul 2023 14:27:36 +0100
Subject: [PATCH] curl: Move configuration code to a separate file

Previously making a change to the curl handle configuration involved
updating code across several files.  Centralise this code in one
place.

After this commit, configuration changes only affect
plugins/curl/config.c, although you will still need to change the
documentation in nbdkit-curl-plugin.pod.

This change is just refactoring.  No change in functionality is
intended.

(cherry picked from commit ef762737bcad713f6a55092d88285bdf466a781c)
---
 plugins/curl/Makefile.am |   1 +
 plugins/curl/config.c    | 974 +++++++++++++++++++++++++++++++++++++++
 plugins/curl/curl.c      | 476 +------------------
 plugins/curl/curldefs.h  |  38 +-
 plugins/curl/pool.c      | 455 +-----------------
 5 files changed, 998 insertions(+), 946 deletions(-)
 create mode 100644 plugins/curl/config.c

diff --git a/plugins/curl/Makefile.am b/plugins/curl/Makefile.am
index f5f1cc1a..7529fb2f 100644
--- a/plugins/curl/Makefile.am
+++ b/plugins/curl/Makefile.am
@@ -38,6 +38,7 @@ if HAVE_CURL
 plugin_LTLIBRARIES = nbdkit-curl-plugin.la
 
 nbdkit_curl_plugin_la_SOURCES = \
+	config.c \
 	curldefs.h \
 	curl.c \
 	pool.c \
diff --git a/plugins/curl/config.c b/plugins/curl/config.c
new file mode 100644
index 00000000..742d6080
--- /dev/null
+++ b/plugins/curl/config.c
@@ -0,0 +1,974 @@
+/* nbdkit
+ * Copyright Red Hat
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ * * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *
+ * * Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ *
+ * * Neither the name of Red Hat nor the names of its contributors may be
+ * used to endorse or promote products derived from this software without
+ * specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY RED HAT AND CONTRIBUTORS ''AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
+ * THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
+ * PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL RED HAT OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
+ * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
+ * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
+ * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
+ * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#include <config.h>
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include <inttypes.h>
+#include <limits.h>
+#include <string.h>
+#include <unistd.h>
+#include <errno.h>
+#include <assert.h>
+
+#include <curl/curl.h>
+
+#include <nbdkit-plugin.h>
+
+#include "ascii-ctype.h"
+#include "ascii-string.h"
+#include "cleanup.h"
+
+#include "curldefs.h"
+
+/* Plugin configuration. */
+const char *url = NULL;         /* required */
+
+static const char *cainfo = NULL;
+static const char *capath = NULL;
+static char *cookie = NULL;
+static const char *cookiefile = NULL;
+static const char *cookiejar = NULL;
+static bool followlocation = true;
+static struct curl_slist *headers = NULL;
+static long http_version = CURL_HTTP_VERSION_NONE;
+static long ipresolve = CURL_IPRESOLVE_WHATEVER;
+static char *password = NULL;
+#ifndef HAVE_CURLOPT_PROTOCOLS_STR
+static long protocols = CURLPROTO_ALL;
+#else
+static const char *protocols = NULL;
+#endif
+static const char *proxy = NULL;
+static char *proxy_password = NULL;
+static const char *proxy_user = NULL;
+static struct curl_slist *resolves = NULL;
+static bool sslverify = true;
+static const char *ssl_cipher_list = NULL;
+static long ssl_version = CURL_SSLVERSION_DEFAULT;
+static const char *tls13_ciphers = NULL;
+static bool tcp_keepalive = false;
+static bool tcp_nodelay = true;
+static uint32_t timeout = 0;
+static const char *unix_socket_path = NULL;
+static const char *user = NULL;
+static const char *user_agent = NULL;
+
+static int debug_cb (CURL *handle, curl_infotype type,
+                     const char *data, size_t size, void *);
+static size_t write_cb (char *ptr, size_t size, size_t nmemb, void *opaque);
+static size_t read_cb (void *ptr, size_t size, size_t nmemb, void *opaque);
+static int get_content_length_accept_range (struct curl_handle *ch);
+static bool try_fallback_GET_method (struct curl_handle *ch);
+static size_t header_cb (void *ptr, size_t size, size_t nmemb, void *opaque);
+static size_t error_cb (char *ptr, size_t size, size_t nmemb, void *opaque);
+
+/* Use '-D curl.verbose=1' to set. */
+NBDKIT_DLL_PUBLIC int curl_debug_verbose = 0;
+
+void
+unload_config (void)
+{
+  free (cookie);
+  if (headers)
+    curl_slist_free_all (headers);
+  free (password);
+  free (proxy_password);
+  if (resolves)
+    curl_slist_free_all (resolves);
+}
+
+#ifndef HAVE_CURLOPT_PROTOCOLS_STR
+/* See <curl/curl.h> */
+static struct { const char *name; long bitmask; } curl_protocols[] = {
+  { "http", CURLPROTO_HTTP },
+  { "https", CURLPROTO_HTTPS },
+  { "ftp", CURLPROTO_FTP },
+  { "ftps", CURLPROTO_FTPS },
+  { "scp", CURLPROTO_SCP },
+  { "sftp", CURLPROTO_SFTP },
+  { "telnet", CURLPROTO_TELNET },
+  { "ldap", CURLPROTO_LDAP },
+  { "ldaps", CURLPROTO_LDAPS },
+  { "dict", CURLPROTO_DICT },
+  { "file", CURLPROTO_FILE },
+  { "tftp", CURLPROTO_TFTP },
+  { "imap", CURLPROTO_IMAP },
+  { "imaps", CURLPROTO_IMAPS },
+  { "pop3", CURLPROTO_POP3 },
+  { "pop3s", CURLPROTO_POP3S },
+  { "smtp", CURLPROTO_SMTP },
+  { "smtps", CURLPROTO_SMTPS },
+  { "rtsp", CURLPROTO_RTSP },
+  { "rtmp", CURLPROTO_RTMP },
+  { "rtmpt", CURLPROTO_RTMPT },
+  { "rtmpe", CURLPROTO_RTMPE },
+  { "rtmpte", CURLPROTO_RTMPTE },
+  { "rtmps", CURLPROTO_RTMPS },
+  { "rtmpts", CURLPROTO_RTMPTS },
+  { "gopher", CURLPROTO_GOPHER },
+#ifdef CURLPROTO_SMB
+  { "smb", CURLPROTO_SMB },
+#endif
+#ifdef CURLPROTO_SMBS
+  { "smbs", CURLPROTO_SMBS },
+#endif
+#ifdef CURLPROTO_MQTT
+  { "mqtt", CURLPROTO_MQTT },
+#endif
+  { NULL }
+};
+
+/* Parse the protocols parameter. */
+static int
+parse_protocols (const char *value)
+{
+  size_t n, i;
+
+  protocols = 0;
+
+  while (*value) {
+    n = strcspn (value, ",");
+    for (i = 0; curl_protocols[i].name != NULL; ++i) {
+      if (strlen (curl_protocols[i].name) == n &&
+          strncmp (value, curl_protocols[i].name, n) == 0) {
+        protocols |= curl_protocols[i].bitmask;
+        goto found;
+      }
+    }
+    nbdkit_error ("protocols: protocol name not found: %.*s", (int) n, value);
+    return -1;
+
+  found:
+    value += n;
+    if (*value == ',')
+      value++;
+  }
+
+  if (protocols == 0) {
+    nbdkit_error ("protocols: empty list of protocols is not allowed");
+    return -1;
+  }
+
+  nbdkit_debug ("curl: protocols: %ld", protocols);
+
+  return 0;
+}
+#endif /* !HAVE_CURLOPT_PROTOCOLS_STR */
+
+/* Called for each key=value passed on the command line. */
+int
+curl_config (const char *key, const char *value)
+{
+  int r;
+
+  if (strcmp (key, "cainfo") == 0) {
+    cainfo = value;
+  }
+
+  else if (strcmp (key, "capath") == 0) {
+    capath =  value;
+  }
+
+  else if (strcmp (key, "connections") == 0) {
+    if (nbdkit_parse_unsigned ("connections", value,
+                               &connections) == -1)
+      return -1;
+    if (connections == 0) {
+      nbdkit_error ("connections parameter must not be 0");
+      return -1;
+    }
+  }
+
+  else if (strcmp (key, "cookie") == 0) {
+    free (cookie);
+    if (nbdkit_read_password (value, &cookie) == -1)
+      return -1;
+  }
+
+  else if (strcmp (key, "cookiefile") == 0) {
+    /* Reject cookiefile=- because it will cause libcurl to try to
+     * read from stdin when we connect.
+     */
+    if (strcmp (value, "-") == 0) {
+      nbdkit_error ("cookiefile parameter cannot be \"-\"");
+      return -1;
+    }
+    cookiefile = value;
+  }
+
+  else if (strcmp (key, "cookiejar") == 0) {
+    /* Reject cookiejar=- because it will cause libcurl to try to
+     * write to stdout.
+     */
+    if (strcmp (value, "-") == 0) {
+      nbdkit_error ("cookiejar parameter cannot be \"-\"");
+      return -1;
+    }
+    cookiejar = value;
+  }
+
+  else if (strcmp (key, "cookie-script") == 0) {
+    cookie_script = value;
+  }
+
+  else if (strcmp (key, "cookie-script-renew") == 0) {
+    if (nbdkit_parse_unsigned ("cookie-script-renew", value,
+                               &cookie_script_renew) == -1)
+      return -1;
+  }
+
+  else if (strcmp (key, "followlocation") == 0) {
+    r = nbdkit_parse_bool (value);
+    if (r == -1)
+      return -1;
+    followlocation = r;
+  }
+
+  else if (strcmp (key, "header") == 0) {
+    headers = curl_slist_append (headers, value);
+    if (headers == NULL) {
+      nbdkit_error ("curl_slist_append: %m");
+      return -1;
+    }
+  }
+
+  else if (strcmp (key, "header-script") == 0) {
+    header_script = value;
+  }
+
+  else if (strcmp (key, "header-script-renew") == 0) {
+    if (nbdkit_parse_unsigned ("header-script-renew", value,
+                               &header_script_renew) == -1)
+      return -1;
+  }
+
+  else if (strcmp (key, "http-version") == 0) {
+    if (strcmp (value, "none") == 0)
+      http_version = CURL_HTTP_VERSION_NONE;
+    else if (strcmp (value, "1.0") == 0)
+      http_version = CURL_HTTP_VERSION_1_0;
+    else if (strcmp (value, "1.1") == 0)
+      http_version = CURL_HTTP_VERSION_1_1;
+#ifdef HAVE_CURL_HTTP_VERSION_2_0
+    else if (strcmp (value, "2.0") == 0)
+      http_version = CURL_HTTP_VERSION_2_0;
+#endif
+#ifdef HAVE_CURL_HTTP_VERSION_2TLS
+    else if (strcmp (value, "2TLS") == 0)
+      http_version = CURL_HTTP_VERSION_2TLS;
+#endif
+#ifdef HAVE_CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
+    else if (strcmp (value, "2-prior-knowledge") == 0)
+      http_version = CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE;
+#endif
+#ifdef HAVE_CURL_HTTP_VERSION_3
+    else if (strcmp (value, "3") == 0)
+      http_version = CURL_HTTP_VERSION_3;
+#endif
+#ifdef HAVE_CURL_HTTP_VERSION_3ONLY
+    else if (strcmp (value, "3only") == 0)
+      http_version = CURL_HTTP_VERSION_3ONLY;
+#endif
+    else {
+      nbdkit_error ("unknown http-version: %s", value);
+      return -1;
+    }
+  }
+
+  else if (strcmp (key, "ipresolve") == 0) {
+    if (strcmp (value, "any") == 0 || strcmp (value, "whatever") == 0)
+      ipresolve = CURL_IPRESOLVE_WHATEVER;
+    else if (strcmp (value, "v4") == 0 || strcmp (value, "4") == 0)
+      ipresolve = CURL_IPRESOLVE_V4;
+    else if (strcmp (value, "v6") == 0 || strcmp (value, "6") == 0)
+      ipresolve = CURL_IPRESOLVE_V6;
+    else {
+      nbdkit_error ("unknown ipresolve: %s", value);
+      return -1;
+    }
+  }
+
+  else if (strcmp (key, "password") == 0) {
+    free (password);
+    if (nbdkit_read_password (value, &password) == -1)
+      return -1;
+  }
+
+  else if (strcmp (key, "protocols") == 0) {
+#ifndef HAVE_CURLOPT_PROTOCOLS_STR
+    if (parse_protocols (value) == -1)
+      return -1;
+#else
+    protocols = value;
+#endif
+  }
+
+  else if (strcmp (key, "proxy") == 0) {
+    proxy = value;
+  }
+
+  else if (strcmp (key, "proxy-password") == 0) {
+    free (proxy_password);
+    if (nbdkit_read_password (value, &proxy_password) == -1)
+      return -1;
+  }
+
+  else if (strcmp (key, "proxy-user") == 0)
+    proxy_user = value;
+
+  else if (strcmp (key, "resolve") == 0) {
+    resolves = curl_slist_append (headers, value);
+    if (resolves == NULL) {
+      nbdkit_error ("curl_slist_append: %m");
+      return -1;
+    }
+  }
+
+  else if (strcmp (key, "sslverify") == 0) {
+    r = nbdkit_parse_bool (value);
+    if (r == -1)
+      return -1;
+    sslverify = r;
+  }
+
+  else if (strcmp (key, "ssl-version") == 0) {
+    if (strcmp (value, "default") == 0)
+      ssl_version = CURL_SSLVERSION_DEFAULT;
+    else if (strcmp (value, "tlsv1") == 0)
+      ssl_version = CURL_SSLVERSION_TLSv1;
+    else if (strcmp (value, "sslv2") == 0)
+      ssl_version = CURL_SSLVERSION_SSLv2;
+    else if (strcmp (value, "sslv3") == 0)
+      ssl_version = CURL_SSLVERSION_SSLv3;
+    else if (strcmp (value, "tlsv1.0") == 0)
+      ssl_version = CURL_SSLVERSION_TLSv1_0;
+    else if (strcmp (value, "tlsv1.1") == 0)
+      ssl_version = CURL_SSLVERSION_TLSv1_1;
+    else if (strcmp (value, "tlsv1.2") == 0)
+      ssl_version = CURL_SSLVERSION_TLSv1_2;
+    else if (strcmp (value, "tlsv1.3") == 0)
+      ssl_version = CURL_SSLVERSION_TLSv1_3;
+#ifdef HAVE_CURL_SSLVERSION_MAX_DEFAULT
+    else if (strcmp (value, "max-default") == 0)
+      ssl_version = CURL_SSLVERSION_MAX_DEFAULT;
+#endif
+#ifdef HAVE_CURL_SSLVERSION_MAX_TLSv1_0
+    else if (strcmp (value, "max-tlsv1.0") == 0)
+      ssl_version = CURL_SSLVERSION_MAX_TLSv1_0;
+#endif
+#ifdef HAVE_CURL_SSLVERSION_MAX_TLSv1_1
+    else if (strcmp (value, "max-tlsv1.1") == 0)
+      ssl_version = CURL_SSLVERSION_MAX_TLSv1_1;
+#endif
+#ifdef HAVE_CURL_SSLVERSION_MAX_TLSv1_2
+    else if (strcmp (value, "max-tlsv1.2") == 0)
+      ssl_version = CURL_SSLVERSION_MAX_TLSv1_2;
+#endif
+#ifdef HAVE_CURL_SSLVERSION_MAX_TLSv1_3
+    else if (strcmp (value, "max-tlsv1.3") == 0)
+      ssl_version = CURL_SSLVERSION_MAX_TLSv1_3;
+#endif
+    else {
+      nbdkit_error ("unknown ssl-version: %s", value);
+      return -1;
+    }
+  }
+
+  else if (strcmp (key, "ssl-cipher-list") == 0)
+    ssl_cipher_list = value;
+
+  else if (strcmp (key, "tls13-ciphers") == 0)
+    tls13_ciphers = value;
+
+  else if (strcmp (key, "tcp-keepalive") == 0) {
+    r = nbdkit_parse_bool (value);
+    if (r == -1)
+      return -1;
+    tcp_keepalive = r;
+  }
+
+  else if (strcmp (key, "tcp-nodelay") == 0) {
+    r = nbdkit_parse_bool (value);
+    if (r == -1)
+      return -1;
+    tcp_nodelay = r;
+  }
+
+  else if (strcmp (key, "timeout") == 0) {
+    if (nbdkit_parse_uint32_t ("timeout", value, &timeout) == -1)
+      return -1;
+#if LONG_MAX < UINT32_MAX
+    /* C17 5.2.4.2.1 requires that LONG_MAX is at least 2^31 - 1.
+     * However a large positive number might still exceed the limit.
+     */
+    if (timeout > LONG_MAX) {
+      nbdkit_error ("timeout is too large");
+      return -1;
+    }
+#endif
+  }
+
+  else if (strcmp (key, "unix-socket-path") == 0 ||
+           strcmp (key, "unix_socket_path") == 0)
+    unix_socket_path = value;
+
+  else if (strcmp (key, "url") == 0)
+    url = value;
+
+  else if (strcmp (key, "user") == 0)
+    user = value;
+
+  else if (strcmp (key, "user-agent") == 0)
+    user_agent = value;
+
+  else {
+    nbdkit_error ("unknown parameter '%s'", key);
+    return -1;
+  }
+
+  return 0;
+}
+
+/* Check the user did pass a url parameter. */
+int
+curl_config_complete (void)
+{
+  if (url == NULL) {
+    nbdkit_error ("you must supply the url=<URL> parameter "
+                  "after the plugin name on the command line");
+    return -1;
+  }
+
+  if (headers && header_script) {
+    nbdkit_error ("header and header-script cannot be used at the same time");
+    return -1;
+  }
+
+  if (!header_script && header_script_renew) {
+    nbdkit_error ("header-script-renew cannot be used without header-script");
+    return -1;
+  }
+
+  if (cookie && cookie_script) {
+    nbdkit_error ("cookie and cookie-script cannot be used at the same time");
+    return -1;
+  }
+
+  if (!cookie_script && cookie_script_renew) {
+    nbdkit_error ("cookie-script-renew cannot be used without cookie-script");
+    return -1;
+  }
+
+  return 0;
+}
+
+const char *curl_config_help =
+  "cainfo=<CAINFO>            Path to Certificate Authority file.\n"
+  "capath=<CAPATH>            Path to directory with CA certificates.\n"
+  "connections=<N>            Number of libcurl connections to use.\n"
+  "cookie=<COOKIE>            Set HTTP/HTTPS cookies.\n"
+  "cookiefile=                Enable cookie processing.\n"
+  "cookiefile=<FILENAME>      Read cookies from file.\n"
+  "cookiejar=<FILENAME>       Read and write cookies to jar.\n"
+  "cookie-script=<SCRIPT>     Script to set HTTP/HTTPS cookies.\n"
+  "cookie-script-renew=<SECS> Time to renew HTTP/HTTPS cookies.\n"
+  "followlocation=false       Do not follow redirects.\n"
+  "header=<HEADER>            Set HTTP/HTTPS header.\n"
+  "header-script=<SCRIPT>     Script to set HTTP/HTTPS headers.\n"
+  "header-script-renew=<SECS> Time to renew HTTP/HTTPS headers.\n"
+  "http-version=none|...      Force a particular HTTP protocol.\n"
+  "ipresolve=any|v4|v6        Force IPv4 or IPv6.\n"
+  "password=<PASSWORD>        The password for the user account.\n"
+  "protocols=PROTO,PROTO,..   Limit protocols allowed.\n"
+  "proxy=<PROXY>              Set proxy URL.\n"
+  "proxy-password=<PASSWORD>  The proxy password.\n"
+  "proxy-user=<USER>          The proxy user.\n"
+  "resolve=<HOST>:<PORT>:<ADDR> Custom host to IP address resolution.\n"
+  "sslverify=false            Do not verify SSL certificate of remote host.\n"
+  "ssl-cipher-list=C1:C2:..   Specify TLS/SSL cipher suites to be used.\n"
+  "ssl-version=<VERSION>      Specify preferred TLS/SSL version.\n"
+  "tcp-keepalive=true         Enable TCP keepalives.\n"
+  "tcp-nodelay=false          Disable Nagle’s algorithm.\n"
+  "timeout=<TIMEOUT>          Set the timeout for requests (seconds).\n"
+  "tls13-ciphers=C1:C2:..     Specify TLS 1.3 cipher suites to be used.\n"
+  "unix-socket-path=<PATH>    Open Unix domain socket instead of TCP/IP.\n"
+  "url=<URL>       (required) The disk image URL to serve.\n"
+  "user=<USER>                The user to log in as.\n"
+  "user-agent=<USER-AGENT>    Send user-agent header for HTTP/HTTPS."
+  ;
+
+/* Allocate and initialize a new libcurl handle. */
+struct curl_handle *
+allocate_handle (void)
+{
+  struct curl_handle *ch;
+  CURLcode r;
+
+  ch = calloc (1, sizeof *ch);
+  if (ch == NULL) {
+    nbdkit_error ("calloc: %m");
+    free (ch);
+    return NULL;
+  }
+
+  ch->c = curl_easy_init ();
+  if (ch->c == NULL) {
+    nbdkit_error ("curl_easy_init: failed: %m");
+    goto err;
+  }
+
+  if (curl_debug_verbose) {
+    /* NB: Constants must be explicitly long because the parameter is
+     * varargs.
+     */
+    curl_easy_setopt (ch->c, CURLOPT_VERBOSE, 1L);
+    curl_easy_setopt (ch->c, CURLOPT_DEBUGFUNCTION, debug_cb);
+  }
+
+  curl_easy_setopt (ch->c, CURLOPT_ERRORBUFFER, ch->errbuf);
+
+  r = CURLE_OK;
+  if (unix_socket_path) {
+#if HAVE_CURLOPT_UNIX_SOCKET_PATH
+    r = curl_easy_setopt (ch->c, CURLOPT_UNIX_SOCKET_PATH, unix_socket_path);
+#else
+    r = CURLE_UNKNOWN_OPTION;
+#endif
+  }
+  if (r != CURLE_OK) {
+    display_curl_error (ch, r, "curl_easy_setopt: CURLOPT_UNIX_SOCKET_PATH");
+    goto err;
+  }
+
+  /* Set the URL. */
+  r = curl_easy_setopt (ch->c, CURLOPT_URL, url);
+  if (r != CURLE_OK) {
+    display_curl_error (ch, r, "curl_easy_setopt: CURLOPT_URL [%s]", url);
+    goto err;
+  }
+
+  /* Various options we always set.
+   *
+   * NB: Both here and below constants must be explicitly long because
+   * the parameter is varargs.
+   *
+   * For use of CURLOPT_NOSIGNAL see:
+   * https://curl.se/libcurl/c/CURLOPT_NOSIGNAL.html
+   */
+  curl_easy_setopt (ch->c, CURLOPT_NOSIGNAL, 1L);
+  curl_easy_setopt (ch->c, CURLOPT_AUTOREFERER, 1L);
+  if (followlocation)
+    curl_easy_setopt (ch->c, CURLOPT_FOLLOWLOCATION, 1L);
+  curl_easy_setopt (ch->c, CURLOPT_FAILONERROR, 1L);
+
+  /* Options. */
+  if (cainfo) {
+    if (strlen (cainfo) == 0)
+      curl_easy_setopt (ch->c, CURLOPT_CAINFO, NULL);
+    else
+      curl_easy_setopt (ch->c, CURLOPT_CAINFO, cainfo);
+  }
+  if (capath)
+    curl_easy_setopt (ch->c, CURLOPT_CAPATH, capath);
+  if (cookie)
+    curl_easy_setopt (ch->c, CURLOPT_COOKIE, cookie);
+  if (cookiefile)
+    curl_easy_setopt (ch->c, CURLOPT_COOKIEFILE, cookiefile);
+  if (cookiejar)
+    curl_easy_setopt (ch->c, CURLOPT_COOKIEJAR, cookiejar);
+  if (headers)
+    curl_easy_setopt (ch->c, CURLOPT_HTTPHEADER, headers);
+  if (http_version != CURL_HTTP_VERSION_NONE)
+    curl_easy_setopt (ch->c, CURLOPT_HTTP_VERSION, (long) http_version);
+  if (ipresolve != CURL_IPRESOLVE_WHATEVER)
+    curl_easy_setopt (ch->c, CURLOPT_IPRESOLVE, (long) ipresolve);
+
+  if (password)
+    curl_easy_setopt (ch->c, CURLOPT_PASSWORD, password);
+#ifndef HAVE_CURLOPT_PROTOCOLS_STR
+  if (protocols != CURLPROTO_ALL) {
+    curl_easy_setopt (ch->c, CURLOPT_PROTOCOLS, protocols);
+    curl_easy_setopt (ch->c, CURLOPT_REDIR_PROTOCOLS, protocols);
+  }
+#else /* HAVE_CURLOPT_PROTOCOLS_STR (new in 7.85.0) */
+  if (protocols) {
+    curl_easy_setopt (ch->c, CURLOPT_PROTOCOLS_STR, protocols);
+    curl_easy_setopt (ch->c, CURLOPT_REDIR_PROTOCOLS_STR, protocols);
+  }
+#endif /* HAVE_CURLOPT_PROTOCOLS_STR */
+  if (proxy)
+    curl_easy_setopt (ch->c, CURLOPT_PROXY, proxy);
+  if (proxy_password)
+    curl_easy_setopt (ch->c, CURLOPT_PROXYPASSWORD, proxy_password);
+  if (proxy_user)
+    curl_easy_setopt (ch->c, CURLOPT_PROXYUSERNAME, proxy_user);
+  if (!sslverify) {
+    curl_easy_setopt (ch->c, CURLOPT_SSL_VERIFYPEER, 0L);
+    curl_easy_setopt (ch->c, CURLOPT_SSL_VERIFYHOST, 0L);
+  }
+  if (resolves)
+    curl_easy_setopt (ch->c, CURLOPT_RESOLVE, resolves);
+  if (ssl_version != CURL_SSLVERSION_DEFAULT)
+    curl_easy_setopt (ch->c, CURLOPT_SSLVERSION, (long) ssl_version);
+  if (ssl_cipher_list)
+    curl_easy_setopt (ch->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list);
+  if (tls13_ciphers) {
+#if (LIBCURL_VERSION_MAJOR > 7) || \
+    (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 61)
+    curl_easy_setopt (ch->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);
+#else
+    /* This is not available before curl-7.61 */
+    nbdkit_error ("tls13-ciphers is not supported in this build of "
+                  "nbdkit-curl-plugin");
+    goto err;
+#endif
+  }
+  if (tcp_keepalive)
+    curl_easy_setopt (ch->c, CURLOPT_TCP_KEEPALIVE, 1L);
+  if (!tcp_nodelay)
+    curl_easy_setopt (ch->c, CURLOPT_TCP_NODELAY, 0L);
+  if (timeout > 0)
+    curl_easy_setopt (ch->c, CURLOPT_TIMEOUT, (long) timeout);
+  if (user)
+    curl_easy_setopt (ch->c, CURLOPT_USERNAME, user);
+  if (user_agent)
+    curl_easy_setopt (ch->c, CURLOPT_USERAGENT, user_agent);
+
+  if (get_content_length_accept_range (ch) == -1)
+    goto err;
+
+  /* Get set up for reading and writing. */
+  curl_easy_setopt (ch->c, CURLOPT_HEADERFUNCTION, NULL);
+  curl_easy_setopt (ch->c, CURLOPT_HEADERDATA, NULL);
+  curl_easy_setopt (ch->c, CURLOPT_WRITEFUNCTION, write_cb);
+  curl_easy_setopt (ch->c, CURLOPT_WRITEDATA, ch);
+  /* These are only used if !readonly but we always register them. */
+  curl_easy_setopt (ch->c, CURLOPT_READFUNCTION, read_cb);
+  curl_easy_setopt (ch->c, CURLOPT_READDATA, ch);
+
+  return ch;
+
+ err:
+  if (ch->c)
+    curl_easy_cleanup (ch->c);
+  free (ch);
+  return NULL;
+}
+
+void
+free_handle (struct curl_handle *ch)
+{
+  curl_easy_cleanup (ch->c);
+  if (ch->headers_copy)
+    curl_slist_free_all (ch->headers_copy);
+  free (ch);
+}
+
+/* When using CURLOPT_VERBOSE, this callback is used to redirect
+ * messages to nbdkit_debug (instead of stderr).
+ */
+static int
+debug_cb (CURL *handle, curl_infotype type,
+          const char *data, size_t size, void *opaque)
+{
+  size_t origsize = size;
+  CLEANUP_FREE char *str;
+
+  /* The data parameter passed is NOT \0-terminated, but also it may
+   * have \n or \r\n line endings.  The only sane way to deal with
+   * this is to copy the string.  (The data strings may also be
+   * multi-line, but we don't deal with that here).
+   */
+  str = malloc (size + 1);
+  if (str == NULL)
+    goto out;
+  memcpy (str, data, size);
+  str[size] = '\0';
+
+  while (size > 0 && (str[size-1] == '\n' || str[size-1] == '\r')) {
+    str[size-1] = '\0';
+    size--;
+  }
+
+  switch (type) {
+  case CURLINFO_TEXT:
+    nbdkit_debug ("%s", str);
+    break;
+  case CURLINFO_HEADER_IN:
+    nbdkit_debug ("S: %s", str);
+    break;
+  case CURLINFO_HEADER_OUT:
+    nbdkit_debug ("C: %s", str);
+    break;
+  default:
+    /* Assume everything else is binary data that we cannot print. */
+    nbdkit_debug ("<data with size=%zu>", origsize);
+  }
+
+ out:
+  return 0;
+}
+
+/* NB: The terminology used by libcurl is confusing!
+ *
+ * WRITEFUNCTION / write_cb is used when reading from the remote server
+ * READFUNCTION / read_cb is used when writing to the remote server.
+ *
+ * We use the same terminology as libcurl here.
+ */
+
+static size_t
+write_cb (char *ptr, size_t size, size_t nmemb, void *opaque)
+{
+  struct curl_handle *ch = opaque;
+  size_t orig_realsize = size * nmemb;
+  size_t realsize = orig_realsize;
+
+  assert (ch->write_buf);
+
+  /* Don't read more than the requested amount of data, even if the
+   * server or libcurl sends more.
+   */
+  if (realsize > ch->write_count)
+    realsize = ch->write_count;
+
+  memcpy (ch->write_buf, ptr, realsize);
+
+  ch->write_count -= realsize;
+  ch->write_buf += realsize;
+
+  return orig_realsize;
+}
+
+static size_t
+read_cb (void *ptr, size_t size, size_t nmemb, void *opaque)
+{
+  struct curl_handle *ch = opaque;
+  size_t realsize = size * nmemb;
+
+  assert (ch->read_buf);
+  if (realsize > ch->read_count)
+    realsize = ch->read_count;
+
+  memcpy (ptr, ch->read_buf, realsize);
+
+  ch->read_count -= realsize;
+  ch->read_buf += realsize;
+
+  return realsize;
+}
+
+/* Get the file size and also whether the remote HTTP server
+ * supports byte ranges.
+ */
+static int
+get_content_length_accept_range (struct curl_handle *ch)
+{
+  CURLcode r;
+  long code;
+#ifdef HAVE_CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
+  curl_off_t o;
+#else
+  double d;
+#endif
+
+  /* We must run the scripts if necessary and set headers in the
+   * handle.
+   */
+  if (do_scripts (ch) == -1)
+    return -1;
+
+  /* Set this flag in the handle to false.  The callback should set it
+   * to true if byte ranges are supported, which we check below.
+   */
+  ch->accept_range = false;
+
+  /* No Body, not nobody!  This forces a HEAD request. */
+  curl_easy_setopt (ch->c, CURLOPT_NOBODY, 1L);
+  curl_easy_setopt (ch->c, CURLOPT_HEADERFUNCTION, header_cb);
+  curl_easy_setopt (ch->c, CURLOPT_HEADERDATA, ch);
+  r = curl_easy_perform (ch->c);
+  update_times (ch->c);
+  if (r != CURLE_OK) {
+    display_curl_error (ch, r,
+                        "problem doing HEAD request to fetch size of URL [%s]",
+                        url);
+
+    /* Get the HTTP status code, if available. */
+    r = curl_easy_getinfo (ch->c, CURLINFO_RESPONSE_CODE, &code);
+    if (r == CURLE_OK)
+      nbdkit_debug ("HTTP status code: %ld", code);
+    else
+      code = -1;
+
+    /* See comment on try_fallback_GET_method below. */
+    if (code != 403 || !try_fallback_GET_method (ch))
+      return -1;
+  }
+
+  /* Get the content length.
+   *
+   * Note there is some subtlety here: For web servers using chunked
+   * encoding, either the Content-Length header will not be present,
+   * or if present it should be ignored.  (For such servers the only
+   * way to find out the true length would be to read all of the
+   * content, which we don't want to do).
+   *
+   * Curl itself resolves this for us.  It will ignore the
+   * Content-Length header if chunked encoding is used, returning the
+   * length as -1 which we check below (see also
+   * curl:lib/http.c:Curl_http_size).
+   */
+#ifdef HAVE_CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
+  r = curl_easy_getinfo (ch->c, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T, &o);
+  if (r != CURLE_OK) {
+    display_curl_error (ch, r,
+                        "could not get length of remote file [%s]", url);
+    return -1;
+  }
+
+  if (o == -1) {
+    nbdkit_error ("could not get length of remote file [%s], "
+                  "is the URL correct?", url);
+    return -1;
+  }
+
+  ch->exportsize = o;
+#else
+  r = curl_easy_getinfo (ch->c, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &d);
+  if (r != CURLE_OK) {
+    display_curl_error (ch, r,
+                        "could not get length of remote file [%s]", url);
+    return -1;
+  }
+
+  if (d == -1) {
+    nbdkit_error ("could not get length of remote file [%s], "
+                  "is the URL correct?", url);
+    return -1;
+  }
+
+  ch->exportsize = d;
+#endif
+  nbdkit_debug ("content length: %" PRIi64, ch->exportsize);
+
+  /* If this is HTTP, check that byte ranges are supported. */
+  if (ascii_strncasecmp (url, "http://", strlen ("http://")) == 0 ||
+      ascii_strncasecmp (url, "https://", strlen ("https://")) == 0) {
+    if (!ch->accept_range) {
+      nbdkit_error ("server does not support 'range' (byte range) requests");
+      return -1;
+    }
+
+    nbdkit_debug ("accept range supported (for HTTP/HTTPS)");
+  }
+
+  return 0;
+}
+
+/* S3 servers can return 403 Forbidden for HEAD but still respond
+ * to GET, so we give it a second chance in that case.
+ * https://github.com/kubevirt/containerized-data-importer/issues/2737
+ *
+ * This function issues a GET request with a writefunction that always
+ * returns an error, thus effectively getting the headers but
+ * abandoning the transfer as soon as possible after.
+ */
+static bool
+try_fallback_GET_method (struct curl_handle *ch)
+{
+  CURLcode r;
+
+  nbdkit_debug ("attempting to fetch headers using GET method");
+
+  curl_easy_setopt (ch->c, CURLOPT_HTTPGET, 1L);
+  curl_easy_setopt (ch->c, CURLOPT_HEADERFUNCTION, header_cb);
+  curl_easy_setopt (ch->c, CURLOPT_HEADERDATA, ch);
+  curl_easy_setopt (ch->c, CURLOPT_WRITEFUNCTION, error_cb);
+  curl_easy_setopt (ch->c, CURLOPT_WRITEDATA, ch);
+  r = curl_easy_perform (ch->c);
+  update_times (ch->c);
+
+  /* We expect CURLE_WRITE_ERROR here, but CURLE_OK is possible too
+   * (eg if the remote has zero length).  Other errors might happen
+   * but we ignore them since it is a fallback path.
+   */
+  return r == CURLE_OK || r == CURLE_WRITE_ERROR;
+}
+
+static size_t
+header_cb (void *ptr, size_t size, size_t nmemb, void *opaque)
+{
+  struct curl_handle *ch = opaque;
+  size_t realsize = size * nmemb;
+  const char *header = ptr;
+  const char *end = header + realsize;
+  const char *accept_ranges = "accept-ranges:";
+  const char *bytes = "bytes";
+
+  if (realsize >= strlen (accept_ranges) &&
+      ascii_strncasecmp (header, accept_ranges, strlen (accept_ranges)) == 0) {
+    const char *p = strchr (header, ':') + 1;
+
+    /* Skip whitespace between the header name and value. */
+    while (p < end && *p && ascii_isspace (*p))
+      p++;
+
+    if (end - p >= strlen (bytes)
+        && strncmp (p, bytes, strlen (bytes)) == 0) {
+      /* Check that there is nothing but whitespace after the value. */
+      p += strlen (bytes);
+      while (p < end && *p && ascii_isspace (*p))
+        p++;
+
+      if (p == end || !*p)
+        ch->accept_range = true;
+    }
+  }
+
+  return realsize;
+}
+
+static size_t
+error_cb (char *ptr, size_t size, size_t nmemb, void *opaque)
+{
+#ifdef CURL_WRITEFUNC_ERROR
+  return CURL_WRITEFUNC_ERROR;
+#else
+  return 0; /* in older curl, any size < requested will also be an error */
+#endif
+}
diff --git a/plugins/curl/curl.c b/plugins/curl/curl.c
index 0d1fcfee..99a7e00b 100644
--- a/plugins/curl/curl.c
+++ b/plugins/curl/curl.c
@@ -52,46 +52,10 @@
 
 #include "curldefs.h"
 
-/* Plugin configuration. */
-const char *url = NULL;         /* required */
-
-const char *cainfo = NULL;
-const char *capath = NULL;
-unsigned connections = 4;
-char *cookie = NULL;
-const char *cookiefile = NULL;
-const char *cookiejar = NULL;
 const char *cookie_script = NULL;
 unsigned cookie_script_renew = 0;
-bool followlocation = true;
-struct curl_slist *headers = NULL;
 const char *header_script = NULL;
 unsigned header_script_renew = 0;
-long http_version = CURL_HTTP_VERSION_NONE;
-long ipresolve = CURL_IPRESOLVE_WHATEVER;
-char *password = NULL;
-#ifndef HAVE_CURLOPT_PROTOCOLS_STR
-long protocols = CURLPROTO_ALL;
-#else
-const char *protocols = NULL;
-#endif
-const char *proxy = NULL;
-char *proxy_password = NULL;
-const char *proxy_user = NULL;
-struct curl_slist *resolves = NULL;
-bool sslverify = true;
-const char *ssl_cipher_list = NULL;
-long ssl_version = CURL_SSLVERSION_DEFAULT;
-const char *tls13_ciphers = NULL;
-bool tcp_keepalive = false;
-bool tcp_nodelay = true;
-uint32_t timeout = 0;
-const char *unix_socket_path = NULL;
-const char *user = NULL;
-const char *user_agent = NULL;
-
-/* Use '-D curl.verbose=1' to set. */
-NBDKIT_DLL_PUBLIC int curl_debug_verbose = 0;
 
 static void
 curl_load (void)
@@ -110,438 +74,13 @@ curl_load (void)
 static void
 curl_unload (void)
 {
-  free (cookie);
-  if (headers)
-    curl_slist_free_all (headers);
-  free (password);
-  free (proxy_password);
-  if (resolves)
-    curl_slist_free_all (resolves);
+  unload_config ();
   scripts_unload ();
   unload_pool ();
   display_times ();
   curl_global_cleanup ();
 }
 
-#ifndef HAVE_CURLOPT_PROTOCOLS_STR
-/* See <curl/curl.h> */
-static struct { const char *name; long bitmask; } curl_protocols[] = {
-  { "http", CURLPROTO_HTTP },
-  { "https", CURLPROTO_HTTPS },
-  { "ftp", CURLPROTO_FTP },
-  { "ftps", CURLPROTO_FTPS },
-  { "scp", CURLPROTO_SCP },
-  { "sftp", CURLPROTO_SFTP },
-  { "telnet", CURLPROTO_TELNET },
-  { "ldap", CURLPROTO_LDAP },
-  { "ldaps", CURLPROTO_LDAPS },
-  { "dict", CURLPROTO_DICT },
-  { "file", CURLPROTO_FILE },
-  { "tftp", CURLPROTO_TFTP },
-  { "imap", CURLPROTO_IMAP },
-  { "imaps", CURLPROTO_IMAPS },
-  { "pop3", CURLPROTO_POP3 },
-  { "pop3s", CURLPROTO_POP3S },
-  { "smtp", CURLPROTO_SMTP },
-  { "smtps", CURLPROTO_SMTPS },
-  { "rtsp", CURLPROTO_RTSP },
-  { "rtmp", CURLPROTO_RTMP },
-  { "rtmpt", CURLPROTO_RTMPT },
-  { "rtmpe", CURLPROTO_RTMPE },
-  { "rtmpte", CURLPROTO_RTMPTE },
-  { "rtmps", CURLPROTO_RTMPS },
-  { "rtmpts", CURLPROTO_RTMPTS },
-  { "gopher", CURLPROTO_GOPHER },
-#ifdef CURLPROTO_SMB
-  { "smb", CURLPROTO_SMB },
-#endif
-#ifdef CURLPROTO_SMBS
-  { "smbs", CURLPROTO_SMBS },
-#endif
-#ifdef CURLPROTO_MQTT
-  { "mqtt", CURLPROTO_MQTT },
-#endif
-  { NULL }
-};
-
-/* Parse the protocols parameter. */
-static int
-parse_protocols (const char *value)
-{
-  size_t n, i;
-
-  protocols = 0;
-
-  while (*value) {
-    n = strcspn (value, ",");
-    for (i = 0; curl_protocols[i].name != NULL; ++i) {
-      if (strlen (curl_protocols[i].name) == n &&
-          strncmp (value, curl_protocols[i].name, n) == 0) {
-        protocols |= curl_protocols[i].bitmask;
-        goto found;
-      }
-    }
-    nbdkit_error ("protocols: protocol name not found: %.*s", (int) n, value);
-    return -1;
-
-  found:
-    value += n;
-    if (*value == ',')
-      value++;
-  }
-
-  if (protocols == 0) {
-    nbdkit_error ("protocols: empty list of protocols is not allowed");
-    return -1;
-  }
-
-  nbdkit_debug ("curl: protocols: %ld", protocols);
-
-  return 0;
-}
-#endif /* !HAVE_CURLOPT_PROTOCOLS_STR */
-
-/* Called for each key=value passed on the command line. */
-static int
-curl_config (const char *key, const char *value)
-{
-  int r;
-
-  if (strcmp (key, "cainfo") == 0) {
-    cainfo = value;
-  }
-
-  else if (strcmp (key, "capath") == 0) {
-    capath =  value;
-  }
-
-  else if (strcmp (key, "connections") == 0) {
-    if (nbdkit_parse_unsigned ("connections", value,
-                               &connections) == -1)
-      return -1;
-    if (connections == 0) {
-      nbdkit_error ("connections parameter must not be 0");
-      return -1;
-    }
-  }
-
-  else if (strcmp (key, "cookie") == 0) {
-    free (cookie);
-    if (nbdkit_read_password (value, &cookie) == -1)
-      return -1;
-  }
-
-  else if (strcmp (key, "cookiefile") == 0) {
-    /* Reject cookiefile=- because it will cause libcurl to try to
-     * read from stdin when we connect.
-     */
-    if (strcmp (value, "-") == 0) {
-      nbdkit_error ("cookiefile parameter cannot be \"-\"");
-      return -1;
-    }
-    cookiefile = value;
-  }
-
-  else if (strcmp (key, "cookiejar") == 0) {
-    /* Reject cookiejar=- because it will cause libcurl to try to
-     * write to stdout.
-     */
-    if (strcmp (value, "-") == 0) {
-      nbdkit_error ("cookiejar parameter cannot be \"-\"");
-      return -1;
-    }
-    cookiejar = value;
-  }
-
-  else if (strcmp (key, "cookie-script") == 0) {
-    cookie_script = value;
-  }
-
-  else if (strcmp (key, "cookie-script-renew") == 0) {
-    if (nbdkit_parse_unsigned ("cookie-script-renew", value,
-                               &cookie_script_renew) == -1)
-      return -1;
-  }
-
-  else if (strcmp (key, "followlocation") == 0) {
-    r = nbdkit_parse_bool (value);
-    if (r == -1)
-      return -1;
-    followlocation = r;
-  }
-
-  else if (strcmp (key, "header") == 0) {
-    headers = curl_slist_append (headers, value);
-    if (headers == NULL) {
-      nbdkit_error ("curl_slist_append: %m");
-      return -1;
-    }
-  }
-
-  else if (strcmp (key, "header-script") == 0) {
-    header_script = value;
-  }
-
-  else if (strcmp (key, "header-script-renew") == 0) {
-    if (nbdkit_parse_unsigned ("header-script-renew", value,
-                               &header_script_renew) == -1)
-      return -1;
-  }
-
-  else if (strcmp (key, "http-version") == 0) {
-    if (strcmp (value, "none") == 0)
-      http_version = CURL_HTTP_VERSION_NONE;
-    else if (strcmp (value, "1.0") == 0)
-      http_version = CURL_HTTP_VERSION_1_0;
-    else if (strcmp (value, "1.1") == 0)
-      http_version = CURL_HTTP_VERSION_1_1;
-#ifdef HAVE_CURL_HTTP_VERSION_2_0
-    else if (strcmp (value, "2.0") == 0)
-      http_version = CURL_HTTP_VERSION_2_0;
-#endif
-#ifdef HAVE_CURL_HTTP_VERSION_2TLS
-    else if (strcmp (value, "2TLS") == 0)
-      http_version = CURL_HTTP_VERSION_2TLS;
-#endif
-#ifdef HAVE_CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE
-    else if (strcmp (value, "2-prior-knowledge") == 0)
-      http_version = CURL_HTTP_VERSION_2_PRIOR_KNOWLEDGE;
-#endif
-#ifdef HAVE_CURL_HTTP_VERSION_3
-    else if (strcmp (value, "3") == 0)
-      http_version = CURL_HTTP_VERSION_3;
-#endif
-#ifdef HAVE_CURL_HTTP_VERSION_3ONLY
-    else if (strcmp (value, "3only") == 0)
-      http_version = CURL_HTTP_VERSION_3ONLY;
-#endif
-    else {
-      nbdkit_error ("unknown http-version: %s", value);
-      return -1;
-    }
-  }
-
-  else if (strcmp (key, "ipresolve") == 0) {
-    if (strcmp (value, "any") == 0 || strcmp (value, "whatever") == 0)
-      ipresolve = CURL_IPRESOLVE_WHATEVER;
-    else if (strcmp (value, "v4") == 0 || strcmp (value, "4") == 0)
-      ipresolve = CURL_IPRESOLVE_V4;
-    else if (strcmp (value, "v6") == 0 || strcmp (value, "6") == 0)
-      ipresolve = CURL_IPRESOLVE_V6;
-    else {
-      nbdkit_error ("unknown ipresolve: %s", value);
-      return -1;
-    }
-  }
-
-  else if (strcmp (key, "password") == 0) {
-    free (password);
-    if (nbdkit_read_password (value, &password) == -1)
-      return -1;
-  }
-
-  else if (strcmp (key, "protocols") == 0) {
-#ifndef HAVE_CURLOPT_PROTOCOLS_STR
-    if (parse_protocols (value) == -1)
-      return -1;
-#else
-    protocols = value;
-#endif
-  }
-
-  else if (strcmp (key, "proxy") == 0) {
-    proxy = value;
-  }
-
-  else if (strcmp (key, "proxy-password") == 0) {
-    free (proxy_password);
-    if (nbdkit_read_password (value, &proxy_password) == -1)
-      return -1;
-  }
-
-  else if (strcmp (key, "proxy-user") == 0)
-    proxy_user = value;
-
-  else if (strcmp (key, "resolve") == 0) {
-    resolves = curl_slist_append (headers, value);
-    if (resolves == NULL) {
-      nbdkit_error ("curl_slist_append: %m");
-      return -1;
-    }
-  }
-
-  else if (strcmp (key, "sslverify") == 0) {
-    r = nbdkit_parse_bool (value);
-    if (r == -1)
-      return -1;
-    sslverify = r;
-  }
-
-  else if (strcmp (key, "ssl-version") == 0) {
-    if (strcmp (value, "default") == 0)
-      ssl_version = CURL_SSLVERSION_DEFAULT;
-    else if (strcmp (value, "tlsv1") == 0)
-      ssl_version = CURL_SSLVERSION_TLSv1;
-    else if (strcmp (value, "sslv2") == 0)
-      ssl_version = CURL_SSLVERSION_SSLv2;
-    else if (strcmp (value, "sslv3") == 0)
-      ssl_version = CURL_SSLVERSION_SSLv3;
-    else if (strcmp (value, "tlsv1.0") == 0)
-      ssl_version = CURL_SSLVERSION_TLSv1_0;
-    else if (strcmp (value, "tlsv1.1") == 0)
-      ssl_version = CURL_SSLVERSION_TLSv1_1;
-    else if (strcmp (value, "tlsv1.2") == 0)
-      ssl_version = CURL_SSLVERSION_TLSv1_2;
-    else if (strcmp (value, "tlsv1.3") == 0)
-      ssl_version = CURL_SSLVERSION_TLSv1_3;
-#ifdef HAVE_CURL_SSLVERSION_MAX_DEFAULT
-    else if (strcmp (value, "max-default") == 0)
-      ssl_version = CURL_SSLVERSION_MAX_DEFAULT;
-#endif
-#ifdef HAVE_CURL_SSLVERSION_MAX_TLSv1_0
-    else if (strcmp (value, "max-tlsv1.0") == 0)
-      ssl_version = CURL_SSLVERSION_MAX_TLSv1_0;
-#endif
-#ifdef HAVE_CURL_SSLVERSION_MAX_TLSv1_1
-    else if (strcmp (value, "max-tlsv1.1") == 0)
-      ssl_version = CURL_SSLVERSION_MAX_TLSv1_1;
-#endif
-#ifdef HAVE_CURL_SSLVERSION_MAX_TLSv1_2
-    else if (strcmp (value, "max-tlsv1.2") == 0)
-      ssl_version = CURL_SSLVERSION_MAX_TLSv1_2;
-#endif
-#ifdef HAVE_CURL_SSLVERSION_MAX_TLSv1_3
-    else if (strcmp (value, "max-tlsv1.3") == 0)
-      ssl_version = CURL_SSLVERSION_MAX_TLSv1_3;
-#endif
-    else {
-      nbdkit_error ("unknown ssl-version: %s", value);
-      return -1;
-    }
-  }
-
-  else if (strcmp (key, "ssl-cipher-list") == 0)
-    ssl_cipher_list = value;
-
-  else if (strcmp (key, "tls13-ciphers") == 0)
-    tls13_ciphers = value;
-
-  else if (strcmp (key, "tcp-keepalive") == 0) {
-    r = nbdkit_parse_bool (value);
-    if (r == -1)
-      return -1;
-    tcp_keepalive = r;
-  }
-
-  else if (strcmp (key, "tcp-nodelay") == 0) {
-    r = nbdkit_parse_bool (value);
-    if (r == -1)
-      return -1;
-    tcp_nodelay = r;
-  }
-
-  else if (strcmp (key, "timeout") == 0) {
-    if (nbdkit_parse_uint32_t ("timeout", value, &timeout) == -1)
-      return -1;
-#if LONG_MAX < UINT32_MAX
-    /* C17 5.2.4.2.1 requires that LONG_MAX is at least 2^31 - 1.
-     * However a large positive number might still exceed the limit.
-     */
-    if (timeout > LONG_MAX) {
-      nbdkit_error ("timeout is too large");
-      return -1;
-    }
-#endif
-  }
-
-  else if (strcmp (key, "unix-socket-path") == 0 ||
-           strcmp (key, "unix_socket_path") == 0)
-    unix_socket_path = value;
-
-  else if (strcmp (key, "url") == 0)
-    url = value;
-
-  else if (strcmp (key, "user") == 0)
-    user = value;
-
-  else if (strcmp (key, "user-agent") == 0)
-    user_agent = value;
-
-  else {
-    nbdkit_error ("unknown parameter '%s'", key);
-    return -1;
-  }
-
-  return 0;
-}
-
-/* Check the user did pass a url parameter. */
-static int
-curl_config_complete (void)
-{
-  if (url == NULL) {
-    nbdkit_error ("you must supply the url=<URL> parameter "
-                  "after the plugin name on the command line");
-    return -1;
-  }
-
-  if (headers && header_script) {
-    nbdkit_error ("header and header-script cannot be used at the same time");
-    return -1;
-  }
-
-  if (!header_script && header_script_renew) {
-    nbdkit_error ("header-script-renew cannot be used without header-script");
-    return -1;
-  }
-
-  if (cookie && cookie_script) {
-    nbdkit_error ("cookie and cookie-script cannot be used at the same time");
-    return -1;
-  }
-
-  if (!cookie_script && cookie_script_renew) {
-    nbdkit_error ("cookie-script-renew cannot be used without cookie-script");
-    return -1;
-  }
-
-  return 0;
-}
-
-#define curl_config_help \
-  "cainfo=<CAINFO>            Path to Certificate Authority file.\n" \
-  "capath=<CAPATH>            Path to directory with CA certificates.\n" \
-  "connections=<N>            Number of libcurl connections to use.\n" \
-  "cookie=<COOKIE>            Set HTTP/HTTPS cookies.\n" \
-  "cookiefile=                Enable cookie processing.\n" \
-  "cookiefile=<FILENAME>      Read cookies from file.\n" \
-  "cookiejar=<FILENAME>       Read and write cookies to jar.\n" \
-  "cookie-script=<SCRIPT>     Script to set HTTP/HTTPS cookies.\n" \
-  "cookie-script-renew=<SECS> Time to renew HTTP/HTTPS cookies.\n" \
-  "followlocation=false       Do not follow redirects.\n" \
-  "header=<HEADER>            Set HTTP/HTTPS header.\n" \
-  "header-script=<SCRIPT>     Script to set HTTP/HTTPS headers.\n" \
-  "header-script-renew=<SECS> Time to renew HTTP/HTTPS headers.\n" \
-  "http-version=none|...      Force a particular HTTP protocol.\n" \
-  "ipresolve=any|v4|v6        Force IPv4 or IPv6.\n" \
-  "password=<PASSWORD>        The password for the user account.\n" \
-  "protocols=PROTO,PROTO,..   Limit protocols allowed.\n" \
-  "proxy=<PROXY>              Set proxy URL.\n" \
-  "proxy-password=<PASSWORD>  The proxy password.\n" \
-  "proxy-user=<USER>          The proxy user.\n" \
-  "resolve=<HOST>:<PORT>:<ADDR> Custom host to IP address resolution.\n" \
-  "sslverify=false            Do not verify SSL certificate of remote host.\n" \
-  "ssl-cipher-list=C1:C2:..   Specify TLS/SSL cipher suites to be used.\n" \
-  "ssl-version=<VERSION>      Specify preferred TLS/SSL version.\n" \
-  "tcp-keepalive=true         Enable TCP keepalives.\n" \
-  "tcp-nodelay=false          Disable Nagle’s algorithm.\n" \
-  "timeout=<TIMEOUT>          Set the timeout for requests (seconds).\n" \
-  "tls13-ciphers=C1:C2:..     Specify TLS 1.3 cipher suites to be used.\n" \
-  "unix-socket-path=<PATH>    Open Unix domain socket instead of TCP/IP.\n" \
-  "url=<URL>       (required) The disk image URL to serve.\n" \
-  "user=<USER>                The user to log in as.\n" \
-  "user-agent=<USER-AGENT>    Send user-agent header for HTTP/HTTPS."
-
 /* Create the per-connection handle. */
 static void *
 curl_open (int readonly)
@@ -704,7 +243,11 @@ static struct nbdkit_plugin plugin = {
   .unload            = curl_unload,
   .config            = curl_config,
   .config_complete   = curl_config_complete,
-  .config_help       = curl_config_help,
+  /* We can't set this here because of an obscure corner of the C
+   * language.  "error: initializer element is not constant".  See
+   * https://stackoverflow.com/questions/3025050
+   */
+  //.config_help       = curl_config_help,
   .magic_config_key  = "url",
   .open              = curl_open,
   .close             = curl_close,
@@ -714,4 +257,11 @@ static struct nbdkit_plugin plugin = {
   .pwrite            = curl_pwrite,
 };
 
+static void set_help (void) __attribute__ ((constructor));
+static void
+set_help (void)
+{
+  plugin.config_help = curl_config_help;
+}
+
 NBDKIT_REGISTER_PLUGIN (plugin)
diff --git a/plugins/curl/curldefs.h b/plugins/curl/curldefs.h
index dd9791aa..9169b256 100644
--- a/plugins/curl/curldefs.h
+++ b/plugins/curl/curldefs.h
@@ -57,40 +57,12 @@
 
 extern const char *url;
 
-extern const char *cainfo;
-extern const char *capath;
 extern unsigned connections;
-extern char *cookie;
-extern const char *cookiefile;
-extern const char *cookiejar;
+
 extern const char *cookie_script;
 extern unsigned cookie_script_renew;
-extern bool followlocation;
-extern struct curl_slist *headers;
 extern const char *header_script;
 extern unsigned header_script_renew;
-extern long http_version;
-extern long ipresolve;
-extern char *password;
-#ifndef HAVE_CURLOPT_PROTOCOLS_STR
-extern long protocols;
-#else
-extern const char *protocols;
-#endif
-extern const char *proxy;
-extern char *proxy_password;
-extern const char *proxy_user;
-extern bool sslverify;
-extern const char *ssl_cipher_list;
-extern long ssl_version;
-extern struct curl_slist *resolves;
-extern const char *tls13_ciphers;
-extern bool tcp_keepalive;
-extern bool tcp_nodelay;
-extern uint32_t timeout;
-extern const char *unix_socket_path;
-extern const char *user;
-extern const char *user_agent;
 
 extern int curl_debug_verbose;
 
@@ -130,6 +102,14 @@ struct curl_handle {
   struct curl_slist *headers_copy;
 };
 
+/* config.c */
+extern int curl_config (const char *key, const char *value);
+extern int curl_config_complete (void);
+extern const char *curl_config_help;
+extern void unload_config (void);
+extern struct curl_handle *allocate_handle (void);
+extern void free_handle (struct curl_handle *);
+
 /* pool.c */
 extern void load_pool (void);
 extern void unload_pool (void);
diff --git a/plugins/curl/pool.c b/plugins/curl/pool.c
index 8db69a71..91e56f07 100644
--- a/plugins/curl/pool.c
+++ b/plugins/curl/pool.c
@@ -52,8 +52,6 @@
 
 #include <nbdkit-plugin.h>
 
-#include "ascii-ctype.h"
-#include "ascii-string.h"
 #include "cleanup.h"
 #include "vector.h"
 
@@ -62,16 +60,7 @@
 /* Use '-D curl.pool=1' to debug handle pool. */
 NBDKIT_DLL_PUBLIC int curl_debug_pool = 0;
 
-static struct curl_handle *allocate_handle (void);
-static void free_handle (struct curl_handle *);
-static int debug_cb (CURL *handle, curl_infotype type,
-                     const char *data, size_t size, void *);
-static size_t write_cb (char *ptr, size_t size, size_t nmemb, void *opaque);
-static size_t read_cb (void *ptr, size_t size, size_t nmemb, void *opaque);
-static int get_content_length_accept_range (struct curl_handle *ch);
-static bool try_fallback_GET_method (struct curl_handle *ch);
-static size_t header_cb (void *ptr, size_t size, size_t nmemb, void *opaque);
-static size_t error_cb (char *ptr, size_t size, size_t nmemb, void *opaque);
+unsigned connections = 4;
 
 /* This lock protects access to the curl_handles vector below. */
 static pthread_mutex_t lock = PTHREAD_MUTEX_INITIALIZER;
@@ -179,445 +168,3 @@ put_handle (struct curl_handle *ch)
   if (waiting > 0)
     pthread_cond_signal (&cond);
 }
-
-/* Allocate and initialize a new libcurl handle. */
-static struct curl_handle *
-allocate_handle (void)
-{
-  struct curl_handle *ch;
-  CURLcode r;
-
-  ch = calloc (1, sizeof *ch);
-  if (ch == NULL) {
-    nbdkit_error ("calloc: %m");
-    free (ch);
-    return NULL;
-  }
-
-  ch->c = curl_easy_init ();
-  if (ch->c == NULL) {
-    nbdkit_error ("curl_easy_init: failed: %m");
-    goto err;
-  }
-
-  if (curl_debug_verbose) {
-    /* NB: Constants must be explicitly long because the parameter is
-     * varargs.
-     */
-    curl_easy_setopt (ch->c, CURLOPT_VERBOSE, 1L);
-    curl_easy_setopt (ch->c, CURLOPT_DEBUGFUNCTION, debug_cb);
-  }
-
-  curl_easy_setopt (ch->c, CURLOPT_ERRORBUFFER, ch->errbuf);
-
-  r = CURLE_OK;
-  if (unix_socket_path) {
-#if HAVE_CURLOPT_UNIX_SOCKET_PATH
-    r = curl_easy_setopt (ch->c, CURLOPT_UNIX_SOCKET_PATH, unix_socket_path);
-#else
-    r = CURLE_UNKNOWN_OPTION;
-#endif
-  }
-  if (r != CURLE_OK) {
-    display_curl_error (ch, r, "curl_easy_setopt: CURLOPT_UNIX_SOCKET_PATH");
-    goto err;
-  }
-
-  /* Set the URL. */
-  r = curl_easy_setopt (ch->c, CURLOPT_URL, url);
-  if (r != CURLE_OK) {
-    display_curl_error (ch, r, "curl_easy_setopt: CURLOPT_URL [%s]", url);
-    goto err;
-  }
-
-  /* Various options we always set.
-   *
-   * NB: Both here and below constants must be explicitly long because
-   * the parameter is varargs.
-   *
-   * For use of CURLOPT_NOSIGNAL see:
-   * https://curl.se/libcurl/c/CURLOPT_NOSIGNAL.html
-   */
-  curl_easy_setopt (ch->c, CURLOPT_NOSIGNAL, 1L);
-  curl_easy_setopt (ch->c, CURLOPT_AUTOREFERER, 1L);
-  if (followlocation)
-    curl_easy_setopt (ch->c, CURLOPT_FOLLOWLOCATION, 1L);
-  curl_easy_setopt (ch->c, CURLOPT_FAILONERROR, 1L);
-
-  /* Options. */
-  if (cainfo) {
-    if (strlen (cainfo) == 0)
-      curl_easy_setopt (ch->c, CURLOPT_CAINFO, NULL);
-    else
-      curl_easy_setopt (ch->c, CURLOPT_CAINFO, cainfo);
-  }
-  if (capath)
-    curl_easy_setopt (ch->c, CURLOPT_CAPATH, capath);
-  if (cookie)
-    curl_easy_setopt (ch->c, CURLOPT_COOKIE, cookie);
-  if (cookiefile)
-    curl_easy_setopt (ch->c, CURLOPT_COOKIEFILE, cookiefile);
-  if (cookiejar)
-    curl_easy_setopt (ch->c, CURLOPT_COOKIEJAR, cookiejar);
-  if (headers)
-    curl_easy_setopt (ch->c, CURLOPT_HTTPHEADER, headers);
-  if (http_version != CURL_HTTP_VERSION_NONE)
-    curl_easy_setopt (ch->c, CURLOPT_HTTP_VERSION, (long) http_version);
-  if (ipresolve != CURL_IPRESOLVE_WHATEVER)
-    curl_easy_setopt (ch->c, CURLOPT_IPRESOLVE, (long) ipresolve);
-
-  if (password)
-    curl_easy_setopt (ch->c, CURLOPT_PASSWORD, password);
-#ifndef HAVE_CURLOPT_PROTOCOLS_STR
-  if (protocols != CURLPROTO_ALL) {
-    curl_easy_setopt (ch->c, CURLOPT_PROTOCOLS, protocols);
-    curl_easy_setopt (ch->c, CURLOPT_REDIR_PROTOCOLS, protocols);
-  }
-#else /* HAVE_CURLOPT_PROTOCOLS_STR (new in 7.85.0) */
-  if (protocols) {
-    curl_easy_setopt (ch->c, CURLOPT_PROTOCOLS_STR, protocols);
-    curl_easy_setopt (ch->c, CURLOPT_REDIR_PROTOCOLS_STR, protocols);
-  }
-#endif /* HAVE_CURLOPT_PROTOCOLS_STR */
-  if (proxy)
-    curl_easy_setopt (ch->c, CURLOPT_PROXY, proxy);
-  if (proxy_password)
-    curl_easy_setopt (ch->c, CURLOPT_PROXYPASSWORD, proxy_password);
-  if (proxy_user)
-    curl_easy_setopt (ch->c, CURLOPT_PROXYUSERNAME, proxy_user);
-  if (!sslverify) {
-    curl_easy_setopt (ch->c, CURLOPT_SSL_VERIFYPEER, 0L);
-    curl_easy_setopt (ch->c, CURLOPT_SSL_VERIFYHOST, 0L);
-  }
-  if (resolves)
-    curl_easy_setopt (ch->c, CURLOPT_RESOLVE, resolves);
-  if (ssl_version != CURL_SSLVERSION_DEFAULT)
-    curl_easy_setopt (ch->c, CURLOPT_SSLVERSION, (long) ssl_version);
-  if (ssl_cipher_list)
-    curl_easy_setopt (ch->c, CURLOPT_SSL_CIPHER_LIST, ssl_cipher_list);
-  if (tls13_ciphers) {
-#if (LIBCURL_VERSION_MAJOR > 7) || \
-    (LIBCURL_VERSION_MAJOR == 7 && LIBCURL_VERSION_MINOR >= 61)
-    curl_easy_setopt (ch->c, CURLOPT_TLS13_CIPHERS, tls13_ciphers);
-#else
-    /* This is not available before curl-7.61 */
-    nbdkit_error ("tls13-ciphers is not supported in this build of "
-                  "nbdkit-curl-plugin");
-    goto err;
-#endif
-  }
-  if (tcp_keepalive)
-    curl_easy_setopt (ch->c, CURLOPT_TCP_KEEPALIVE, 1L);
-  if (!tcp_nodelay)
-    curl_easy_setopt (ch->c, CURLOPT_TCP_NODELAY, 0L);
-  if (timeout > 0)
-    curl_easy_setopt (ch->c, CURLOPT_TIMEOUT, (long) timeout);
-  if (user)
-    curl_easy_setopt (ch->c, CURLOPT_USERNAME, user);
-  if (user_agent)
-    curl_easy_setopt (ch->c, CURLOPT_USERAGENT, user_agent);
-
-  if (get_content_length_accept_range (ch) == -1)
-    goto err;
-
-  /* Get set up for reading and writing. */
-  curl_easy_setopt (ch->c, CURLOPT_HEADERFUNCTION, NULL);
-  curl_easy_setopt (ch->c, CURLOPT_HEADERDATA, NULL);
-  curl_easy_setopt (ch->c, CURLOPT_WRITEFUNCTION, write_cb);
-  curl_easy_setopt (ch->c, CURLOPT_WRITEDATA, ch);
-  /* These are only used if !readonly but we always register them. */
-  curl_easy_setopt (ch->c, CURLOPT_READFUNCTION, read_cb);
-  curl_easy_setopt (ch->c, CURLOPT_READDATA, ch);
-
-  return ch;
-
- err:
-  if (ch->c)
-    curl_easy_cleanup (ch->c);
-  free (ch);
-  return NULL;
-}
-
-static void
-free_handle (struct curl_handle *ch)
-{
-  curl_easy_cleanup (ch->c);
-  if (ch->headers_copy)
-    curl_slist_free_all (ch->headers_copy);
-  free (ch);
-}
-
-/* When using CURLOPT_VERBOSE, this callback is used to redirect
- * messages to nbdkit_debug (instead of stderr).
- */
-static int
-debug_cb (CURL *handle, curl_infotype type,
-          const char *data, size_t size, void *opaque)
-{
-  size_t origsize = size;
-  CLEANUP_FREE char *str;
-
-  /* The data parameter passed is NOT \0-terminated, but also it may
-   * have \n or \r\n line endings.  The only sane way to deal with
-   * this is to copy the string.  (The data strings may also be
-   * multi-line, but we don't deal with that here).
-   */
-  str = malloc (size + 1);
-  if (str == NULL)
-    goto out;
-  memcpy (str, data, size);
-  str[size] = '\0';
-
-  while (size > 0 && (str[size-1] == '\n' || str[size-1] == '\r')) {
-    str[size-1] = '\0';
-    size--;
-  }
-
-  switch (type) {
-  case CURLINFO_TEXT:
-    nbdkit_debug ("%s", str);
-    break;
-  case CURLINFO_HEADER_IN:
-    nbdkit_debug ("S: %s", str);
-    break;
-  case CURLINFO_HEADER_OUT:
-    nbdkit_debug ("C: %s", str);
-    break;
-  default:
-    /* Assume everything else is binary data that we cannot print. */
-    nbdkit_debug ("<data with size=%zu>", origsize);
-  }
-
- out:
-  return 0;
-}
-
-/* NB: The terminology used by libcurl is confusing!
- *
- * WRITEFUNCTION / write_cb is used when reading from the remote server
- * READFUNCTION / read_cb is used when writing to the remote server.
- *
- * We use the same terminology as libcurl here.
- */
-
-static size_t
-write_cb (char *ptr, size_t size, size_t nmemb, void *opaque)
-{
-  struct curl_handle *ch = opaque;
-  size_t orig_realsize = size * nmemb;
-  size_t realsize = orig_realsize;
-
-  assert (ch->write_buf);
-
-  /* Don't read more than the requested amount of data, even if the
-   * server or libcurl sends more.
-   */
-  if (realsize > ch->write_count)
-    realsize = ch->write_count;
-
-  memcpy (ch->write_buf, ptr, realsize);
-
-  ch->write_count -= realsize;
-  ch->write_buf += realsize;
-
-  return orig_realsize;
-}
-
-static size_t
-read_cb (void *ptr, size_t size, size_t nmemb, void *opaque)
-{
-  struct curl_handle *ch = opaque;
-  size_t realsize = size * nmemb;
-
-  assert (ch->read_buf);
-  if (realsize > ch->read_count)
-    realsize = ch->read_count;
-
-  memcpy (ptr, ch->read_buf, realsize);
-
-  ch->read_count -= realsize;
-  ch->read_buf += realsize;
-
-  return realsize;
-}
-
-/* Get the file size and also whether the remote HTTP server
- * supports byte ranges.
- */
-static int
-get_content_length_accept_range (struct curl_handle *ch)
-{
-  CURLcode r;
-  long code;
-#ifdef HAVE_CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
-  curl_off_t o;
-#else
-  double d;
-#endif
-
-  /* We must run the scripts if necessary and set headers in the
-   * handle.
-   */
-  if (do_scripts (ch) == -1)
-    return -1;
-
-  /* Set this flag in the handle to false.  The callback should set it
-   * to true if byte ranges are supported, which we check below.
-   */
-  ch->accept_range = false;
-
-  /* No Body, not nobody!  This forces a HEAD request. */
-  curl_easy_setopt (ch->c, CURLOPT_NOBODY, 1L);
-  curl_easy_setopt (ch->c, CURLOPT_HEADERFUNCTION, header_cb);
-  curl_easy_setopt (ch->c, CURLOPT_HEADERDATA, ch);
-  r = curl_easy_perform (ch->c);
-  update_times (ch->c);
-  if (r != CURLE_OK) {
-    display_curl_error (ch, r,
-                        "problem doing HEAD request to fetch size of URL [%s]",
-                        url);
-
-    /* Get the HTTP status code, if available. */
-    r = curl_easy_getinfo (ch->c, CURLINFO_RESPONSE_CODE, &code);
-    if (r == CURLE_OK)
-      nbdkit_debug ("HTTP status code: %ld", code);
-    else
-      code = -1;
-
-    /* See comment on try_fallback_GET_method below. */
-    if (code != 403 || !try_fallback_GET_method (ch))
-      return -1;
-  }
-
-  /* Get the content length.
-   *
-   * Note there is some subtlety here: For web servers using chunked
-   * encoding, either the Content-Length header will not be present,
-   * or if present it should be ignored.  (For such servers the only
-   * way to find out the true length would be to read all of the
-   * content, which we don't want to do).
-   *
-   * Curl itself resolves this for us.  It will ignore the
-   * Content-Length header if chunked encoding is used, returning the
-   * length as -1 which we check below (see also
-   * curl:lib/http.c:Curl_http_size).
-   */
-#ifdef HAVE_CURLINFO_CONTENT_LENGTH_DOWNLOAD_T
-  r = curl_easy_getinfo (ch->c, CURLINFO_CONTENT_LENGTH_DOWNLOAD_T, &o);
-  if (r != CURLE_OK) {
-    display_curl_error (ch, r,
-                        "could not get length of remote file [%s]", url);
-    return -1;
-  }
-
-  if (o == -1) {
-    nbdkit_error ("could not get length of remote file [%s], "
-                  "is the URL correct?", url);
-    return -1;
-  }
-
-  ch->exportsize = o;
-#else
-  r = curl_easy_getinfo (ch->c, CURLINFO_CONTENT_LENGTH_DOWNLOAD, &d);
-  if (r != CURLE_OK) {
-    display_curl_error (ch, r,
-                        "could not get length of remote file [%s]", url);
-    return -1;
-  }
-
-  if (d == -1) {
-    nbdkit_error ("could not get length of remote file [%s], "
-                  "is the URL correct?", url);
-    return -1;
-  }
-
-  ch->exportsize = d;
-#endif
-  nbdkit_debug ("content length: %" PRIi64, ch->exportsize);
-
-  /* If this is HTTP, check that byte ranges are supported. */
-  if (ascii_strncasecmp (url, "http://", strlen ("http://")) == 0 ||
-      ascii_strncasecmp (url, "https://", strlen ("https://")) == 0) {
-    if (!ch->accept_range) {
-      nbdkit_error ("server does not support 'range' (byte range) requests");
-      return -1;
-    }
-
-    nbdkit_debug ("accept range supported (for HTTP/HTTPS)");
-  }
-
-  return 0;
-}
-
-/* S3 servers can return 403 Forbidden for HEAD but still respond
- * to GET, so we give it a second chance in that case.
- * https://github.com/kubevirt/containerized-data-importer/issues/2737
- *
- * This function issues a GET request with a writefunction that always
- * returns an error, thus effectively getting the headers but
- * abandoning the transfer as soon as possible after.
- */
-static bool
-try_fallback_GET_method (struct curl_handle *ch)
-{
-  CURLcode r;
-
-  nbdkit_debug ("attempting to fetch headers using GET method");
-
-  curl_easy_setopt (ch->c, CURLOPT_HTTPGET, 1L);
-  curl_easy_setopt (ch->c, CURLOPT_HEADERFUNCTION, header_cb);
-  curl_easy_setopt (ch->c, CURLOPT_HEADERDATA, ch);
-  curl_easy_setopt (ch->c, CURLOPT_WRITEFUNCTION, error_cb);
-  curl_easy_setopt (ch->c, CURLOPT_WRITEDATA, ch);
-  r = curl_easy_perform (ch->c);
-  update_times (ch->c);
-
-  /* We expect CURLE_WRITE_ERROR here, but CURLE_OK is possible too
-   * (eg if the remote has zero length).  Other errors might happen
-   * but we ignore them since it is a fallback path.
-   */
-  return r == CURLE_OK || r == CURLE_WRITE_ERROR;
-}
-
-static size_t
-header_cb (void *ptr, size_t size, size_t nmemb, void *opaque)
-{
-  struct curl_handle *ch = opaque;
-  size_t realsize = size * nmemb;
-  const char *header = ptr;
-  const char *end = header + realsize;
-  const char *accept_ranges = "accept-ranges:";
-  const char *bytes = "bytes";
-
-  if (realsize >= strlen (accept_ranges) &&
-      ascii_strncasecmp (header, accept_ranges, strlen (accept_ranges)) == 0) {
-    const char *p = strchr (header, ':') + 1;
-
-    /* Skip whitespace between the header name and value. */
-    while (p < end && *p && ascii_isspace (*p))
-      p++;
-
-    if (end - p >= strlen (bytes)
-        && strncmp (p, bytes, strlen (bytes)) == 0) {
-      /* Check that there is nothing but whitespace after the value. */
-      p += strlen (bytes);
-      while (p < end && *p && ascii_isspace (*p))
-        p++;
-
-      if (p == end || !*p)
-        ch->accept_range = true;
-    }
-  }
-
-  return realsize;
-}
-
-static size_t
-error_cb (char *ptr, size_t size, size_t nmemb, void *opaque)
-{
-#ifdef CURL_WRITEFUNC_ERROR
-  return CURL_WRITEFUNC_ERROR;
-#else
-  return 0; /* in older curl, any size < requested will also be an error */
-#endif
-}
-- 
2.39.3