Commit Graph

7822 Commits

Author SHA1 Message Date
Sergey Kandaurov
025fa0374e Merged with the default branch. 2022-01-25 23:42:48 +03:00
Maxim Dounin
60ca13f988 release-1.21.6 tag 2022-01-25 18:03:52 +03:00
Maxim Dounin
97a111c0c0 nginx-1.21.6-RELEASE 2022-01-25 18:03:51 +03:00
Vladimir Homutov
264dd955cb QUIC: fixed macro style. 2022-01-25 15:48:05 +03:00
Roman Arutyunyan
c403822674 QUIC: fixed chain returned from ngx_quic_write_chain().
Previously, when input ended on a QUIC buffer boundary, input chain was not
advanced to the next buffer.  As a result, ngx_quic_write_chain() returned
a chain with an empty buffer instead of NULL.  This broke HTTP write filter,
preventing it from closing the HTTP request and eventually timing out.

Now input chain is always advanced to a buffer that has data, before checking
QUIC buffer boundary condition.
2022-01-25 09:45:50 +03:00
Maxim Dounin
0a407d7df8 SSL: always renewing tickets with TLSv1.3 (ticket #1892).
Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation.  With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.

Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.
2022-01-24 17:18:50 +03:00
Maxim Dounin
7ba3063952 Contrib: vim syntax adjusted to save cpoptions (ticket #2276).
Line continuation as used in the syntax file might be broken if "compatible"
is set or "C" is added to cpoptions.  Fix is to set the "cpoptions" option
to vim default value at script start and restore it later, see
":help use-cpo-save".
2022-01-22 00:28:51 +03:00
Vladimir Homutov
a0aa287d13 QUIC: removed stale declaration.
The ngx_quic_get_unconnected_socket() was removed in 1e2f4e9c8195.
2022-01-21 11:41:39 +03:00
Vladimir Homutov
67b9f081d0 QUIC: avoid logging error in case of version negotiation.
Previously, "early error" message was logged in this case.
2022-01-23 21:29:36 +03:00
Vladimir Homutov
a816af6e1b QUIC: additional limit for probing packets.
RFC 9000, 9.3.  Responding to Connection Migration:
    An endpoint only changes the address to which it sends packets in
    response to the highest-numbered non-probing packet.

The patch extends this requirement to probing packets.  Although it may
seem excessive, it helps with mitigation of reply attacks (when an off-path
attacker has copied packet with PATH_CHALLENGE and uses different
addresses to exhaust available connection ids).
2022-01-20 22:00:25 +03:00
Pavel Pautov
950390108c Core: simplify reader lock release. 2022-01-19 17:37:34 -08:00
Vladimir Homutov
8a4a267d74 QUIC: reworked migration handling.
The quic connection now holds active, backup and probe paths instead
of sockets.  The number of migration paths is now limited and cannot
be inflated by a bad client or an attacker.

The client id is now associated with path rather than socket. This allows
to simplify processing of output and connection ids handling.

New migration abandons any previously started migrations.  This allows to
free consumed client ids and request new for use in future migrations and
make progress in case when connection id limit is hit during migration.

A path now can be revalidated without losing its state.

The patch also fixes various issues with NAT rebinding case handling:
    - paths are now validated (previously, there was no validation
      and paths were left in limited state)
    - attempt to reuse id on different path is now again verified
      (this was broken in 40445fc7c403)
    - former path is now validated in case of apparent migration
2022-01-19 22:39:24 +03:00
Vladimir Homutov
1f97aa71ec QUIC: the "quic_active_connection_id_limit" directive.
The directive sets corresponding transport parameter and limits number of
created client ids.
2022-01-18 12:49:55 +03:00
Sergey Kandaurov
429150c1fa SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
The behaviour was changed in OpenSSL 3.0.1:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bf17b7b
2022-01-17 17:05:12 +03:00
Roman Arutyunyan
8a67a56091 QUIC: introduced function ngx_quic_split_chain().
The function splits a buffer at given offset.  The function is now
called from ngx_quic_read_chain() and ngx_quic_write_chain(), which
simplifies both functions.
2022-01-17 14:39:04 +03:00
Roman Arutyunyan
6844eeb9c9 QUIC: fixed format specifier after 3789f4a56d65. 2022-01-16 00:28:13 +03:00
Roman Arutyunyan
2ba20e3451 QUIC: return written size from ngx_quic_write_chain().
This allows to escape calculating it before calling the function.
2022-01-13 11:34:42 +03:00
Sergey Kandaurov
2f28342e08 README: documented QuicTLS support. 2022-01-13 16:56:07 +03:00
Sergey Kandaurov
bd4a26c164 QUIC: removed ngx_send_lowat() check for QUIC connections.
After 9ae239d2547d, ngx_quic_handle_write_event() no longer runs into
ngx_send_lowat() for QUIC connections, so the check became excessive.
It is assumed that external modules operating with SO_SNDLOWAT
(I'm not aware of any) should do this check on their own.
2022-01-13 15:57:21 +03:00
Sergey Kandaurov
a7a3a8cc17 HTTP/3: removed useless warning regarding OpenSSL library.
After 0e6528551f26, it became impossible to run into this path.
2022-01-13 15:57:15 +03:00
Roman Arutyunyan
35fc2eb247 QUIC: fixed handling stream input buffers.
Previously, ngx_quic_write_chain() treated each input buffer as a memory
buffer, which is not always the case.  Special buffers were not skipped, which
is especially important when hitting the input byte limit.

The issue manifested itself with ngx_quic_write_chain() returning a non-empty
chain consisting of a special last_buf buffer when called from QUIC stream
send_chain().  In order for this to happen, input byte limit should be equal to
the chain length, and the input chain should end with an empty last_buf buffer.
An easy way to achieve this is the following:

  location /empty {
      return 200;
  }

When this non-empty chain was returned from send_chain(), it signalled to the
caller that input was blocked, while in fact it wasn't.  This prevented HTTP
request from finalization, which prevented QUIC from sending STREAM FIN to
the client.  The QUIC stream was then reset after a timeout.

Now special buffers are skipped and send_chain() returns NULL in the case
above, which signals to the caller a successful operation.

Also, original byte limit is now passed to ngx_quic_write_chain() from
send_chain() instead of actual chain length to make sure it's never zero.
2022-01-13 11:23:53 +03:00
Roman Arutyunyan
a6120a9bc5 QUIC: fixed handling STREAM FIN.
Previously, when a STREAM FIN frame with no data bytes was received after all
prior stream data were already read by the application layer, the frame was
ignored and eof was not reported to the application.
2022-01-11 18:57:02 +03:00
Roman Arutyunyan
38cfe35779 HTTP/3: set c->error on read error in ngx_http_test_reading().
Similar to other error/eof cases.
2022-01-12 11:57:46 +03:00
Roman Arutyunyan
5ab94d4219 HTTP/3: simplified code. 2022-01-12 11:57:06 +03:00
Roman Arutyunyan
109166e4fa QUIC: modified HTTP version test.
The new condition produces smaller diff to the default branch and is similar to
HTTP/2 case.
2022-01-12 11:54:39 +03:00
Maxim Dounin
22d4ff08bb Avoid sending "Connection: keep-alive" when shutting down.
When a worker process is shutting down, keepalive is not used: this is checked
before the ngx_http_set_keepalive() call in ngx_http_finalize_connection().
Yet the "Connection: keep-alive" header was still sent, even if we know that
the worker process is shutting down, potentially resulting in additional
requests being sent to the connection which is going to be closed anyway.
While clients are expected to be able to handle asynchronous close events
(see ticket #1022), it is certainly possible to send the "Connection: close"
header instead, informing the client that the connection is going to be closed
and potentially saving some unneeded work.

With this change, we additionally check for worker process shutdown just
before sending response headers, and disable keepalive accordingly.
2022-01-11 02:23:49 +03:00
Sergey Kandaurov
b1356ade07 HTTP/3: improved processing of multiple Cookie field lines.
As per draft-ietf-quic-http, 4.1.1.2, and similar to HTTP/2 specification,
they ought to be concatenated.  This closely follows ngx_http_v2_module.
2021-12-30 12:59:32 +03:00
Maxim Dounin
96c342e560 Events: fixed balancing between workers with EPOLLEXCLUSIVE.
Linux with EPOLLEXCLUSIVE usually notifies only the process which was first
to add the listening socket to the epoll instance.  As a result most of the
connections are handled by the first worker process (ticket #2285).  To fix
this, we re-add the socket periodically, so other workers will get a chance
to accept connections.
2021-12-30 01:08:46 +03:00
Maxim Dounin
6147266217 Version bump. 2021-12-29 22:59:53 +03:00
Roman Arutyunyan
7f0fdd4e14 Style. 2021-12-29 15:33:51 +03:00
Sergey Kandaurov
f3363a8dbe Merged with the default branch. 2021-12-29 15:17:26 +03:00
Maxim Dounin
054944feb3 release-1.21.5 tag 2021-12-28 18:28:38 +03:00
Maxim Dounin
3a7d332aef nginx-1.21.5-RELEASE 2021-12-28 18:28:37 +03:00
Maxim Dounin
d34c7b9fb0 Updated OpenSSL and PCRE used for win32 builds. 2021-12-28 17:56:16 +03:00
Maxim Dounin
1f01183b9e Support for sendfile(SF_NOCACHE).
The SF_NOCACHE flag, introduced in FreeBSD 11 along with the new non-blocking
sendfile() implementation by glebius@, makes it possible to use sendfile()
along with the "directio" directive.
2021-12-27 19:49:26 +03:00
Maxim Dounin
2a00e6141f SSL: SSL_sendfile(SF_NODISKIO) support. 2021-12-27 19:48:42 +03:00
Maxim Dounin
20c35434ef Simplified sendfile(SF_NODISKIO) usage.
Starting with FreeBSD 11, there is no need to use AIO operations to preload
data into cache for sendfile(SF_NODISKIO) to work.  Instead, sendfile()
handles non-blocking loading data from disk by itself.  It still can, however,
return EBUSY if a page is already being loaded (for example, by a different
process).  If this happens, we now post an event for the next event loop
iteration, so sendfile() is retried "after a short period", as manpage
recommends.

The limit of the number of EBUSY tolerated without any progress is preserved,
but now it does not result in an alert, since on an idle system event loop
iteration might be very short and EBUSY can happen many times in a row.
Instead, SF_NODISKIO is simply disabled for one call once the limit is
reached.

With this change, sendfile(SF_NODISKIO) is now used automatically as long as
sendfile() is enabled, and no longer requires "aio on;".
2021-12-27 19:48:33 +03:00
Maxim Dounin
f0a5ce136d Removed "aio sendfile", deprecated since 1.7.11. 2021-12-27 19:47:05 +03:00
Vladimir Homutov
fa21bf0cc7 QUIC: got rid of ngx_quic_create_temp_socket().
It was mostly copy of the ngx_quic_listen().  Now ngx_quic_listen() no
longer generates server id and increments seqnum.  Instead, the server
id is generated when the socket is created.

The ngx_quic_alloc_socket() function is renamed to ngx_quic_create_socket().
2021-12-27 13:49:56 +03:00
Ruslan Ermilov
05a32b5ec4 Fixed a mismerge in 5c86189a1c1b. 2021-12-28 15:01:02 +03:00
Roman Arutyunyan
3662e0c83b QUIC: renamed input handling functions.
Now these functions have names ngx_quic_handle_XXX():

  - ngx_quic_process_stateless_reset() -> ngx_quic_handle_stateless_reset()
  - ngx_quic_input() -> ngx_quic_handle_datagram()
  - ngx_quic_process_packet() -> ngx_quic_handle_packet()
  - ngx_quic_process_payload() -> ngx_quic_handle_payload()
2021-12-27 16:15:28 +03:00
Roman Arutyunyan
cf96432910 QUIC: fixed format specifier after 6ccf3867959a. 2021-12-28 13:50:01 +03:00
Vladimir Homutov
bef80e70f6 QUIC: fixed config test with bpf (ticket #2292).
The SO_REUSEPORT socket option is not set during configuration testing,
thus making the further module initialization impossible and meaningless.
2021-12-28 13:24:58 +03:00
Maxim Dounin
d5f1f169bc Core: added NGX_REGEX_MULTILINE for 3rd party modules.
Notably, NAXSI is known to misuse ngx_regex_compile() with rc.options set
to PCRE_CASELESS | PCRE_MULTILINE.  With PCRE2 support, and notably binary
compatibility changes, it is no longer possible to set PCRE[2]_MULTILINE
option without using proper interface.  To facilitate correct usage,
this change adds the NGX_REGEX_MULTILINE option.
2021-12-25 01:07:18 +03:00
Maxim Dounin
931acbf5bc PCRE2 and PCRE binary compatibility.
With this change, dynamic modules using nginx regex interface can be used
regardless of the variant of the PCRE library nginx was compiled with.

If a module is compiled with different PCRE library variant, in case of
ngx_regex_exec() errors it will report wrong function name in error
messages.  This is believed to be tolerable, given that fixing this will
require interface changes.
2021-12-25 01:07:16 +03:00
Maxim Dounin
c6fec0b027 PCRE2 library support.
The PCRE2 library is now used by default if found, instead of the
original PCRE library.  If needed for some reason, this can be disabled
with the --without-pcre2 configure option.

To make it possible to specify paths to the library and include files
via --with-cc-opt / --with-ld-opt, the library is first tested without
any additional paths and options.  If this fails, the pcre2-config script
is used.

Similarly to the original PCRE library, it is now possible to build PCRE2
from sources with nginx configure, by using the --with-pcre= option.
It automatically detects if PCRE or PCRE2 sources are provided.

Note that compiling PCRE2 10.33 and later requires inttypes.h.  When
compiling on Windows with MSVC, inttypes.h is only available starting
with MSVC 2013.  In older versions some replacement needs to be provided
("echo '#include <stdint.h>' > pcre2-10.xx/src/inttypes.h" is good enough
for MSVC 2010).

The interface on nginx side remains unchanged.
2021-12-25 01:07:15 +03:00
Maxim Dounin
cddb22cefe Configure: simplified PCRE compilation.
Removed ICC-specific PCRE optimizations which tried to link with PCRE
object files instead of the library.  Made compiler-specific code
minimal.
2021-12-25 01:07:14 +03:00
Maxim Dounin
28f8caac37 Core: ngx_regex.c style cleanup.
Notably, ngx_pcre_pool and ngx_pcre_studies are renamed to ngx_regex_pool
and ngx_regex_studies, respectively.
2021-12-25 01:07:12 +03:00
Maxim Dounin
09268f58b4 Core: fixed ngx_pcre_studies cleanup.
If a configuration parsing fails for some reason, ngx_regex_module_init()
is not called, and ngx_pcre_studies remained set despite the fact that
the pool it was allocated from is already freed.  This might result in
a segmentation fault during runtime regular expression compilation, such
as in SSI, for example, in the single process mode, or if a worker process
died and was respawned from a master process in such an inconsistent state.

Fix is to clear ngx_pcre_studies from the pool cleanup handler (which is
anyway used to free JIT-compiled patterns).
2021-12-25 01:07:10 +03:00
Roman Arutyunyan
cd278da5e7 QUIC: refactored buffer allocation, spliting and freeing.
Previously, buffer lists was used to track used buffers.  Now reference
counter is used instead.  The new implementation is simpler and faster with
many buffer clones.
2021-12-24 18:39:22 +03:00