Commit Graph

7130 Commits

Author SHA1 Message Date
Maxim Dounin
e4c6918e08 nginx-1.19.2-RELEASE 2020-08-11 17:52:30 +03:00
Maxim Dounin
348bc94086 Core: reusing connections in advance.
Reworked connections reuse, so closing connections is attempted in
advance, as long as number of free connections is less than 1/16 of
worker connections configured.  This ensures that new connections can
be handled even if closing a reusable connection requires some time,
for example, for a lingering close (ticket #2017).

The 1/16 ratio is selected to be smaller than 1/8 used for disabling
accept when working with accept mutex, so nginx will try to balance
new connections to different workers first, and will start reusing
connections only if this won't help.
2020-08-10 18:53:07 +03:00
Maxim Dounin
e240d88d44 Core: added a warning about reusing connections.
Previously, reusing connections happened silently and was only
visible in monitoring systems.  This was shown to be not very user-friendly,
and administrators often didn't realize there were too few connections
available to withstand the load, and configured timeouts (keepalive_timeout
and http2_idle_timeout) were effectively reduced to keep things running.

To provide at least some information about this, a warning is now logged
(at most once per second, to avoid flooding the logs).
2020-08-10 18:52:59 +03:00
Maxim Dounin
eae2b2fdf1 SSL: disabled sending shutdown after ngx_http_test_reading().
Sending shutdown when ngx_http_test_reading() detects the connection is
closed can result in "SSL_shutdown() failed (SSL: ... bad write retry)"
critical log messages if there are blocked writes.

Fix is to avoid sending shutdown via the c->ssl->no_send_shutdown flag,
similarly to how it is done in ngx_http_keepalive_handler() for kqueue
when pending EOF is detected.

Reported by Jan Prachař
(http://mailman.nginx.org/pipermail/nginx-devel/2018-December/011702.html).
2020-08-10 18:52:34 +03:00
Maxim Dounin
1d696cd379 HTTP/2: fixed c->timedout flag on timed out connections.
Without the flag, SSL shutdown is attempted on such connections,
resulting in useless work and/or bogus "SSL_shutdown() failed
(SSL: ... bad write retry)" critical log messages if there are
blocked writes.
2020-08-10 18:52:20 +03:00
Maxim Dounin
e01cdfbd8c SSL: fixed shutdown handling.
Previously, bidirectional shutdown never worked, due to two issues
in the code:

1. The code only tested SSL_ERROR_WANT_READ and SSL_ERROR_WANT_WRITE
   when there was an error in the error queue, which cannot happen.
   The bug was introduced in an attempt to fix unexpected error logging
   as reported with OpenSSL 0.9.8g
   (http://mailman.nginx.org/pipermail/nginx/2008-January/003084.html).

2. The code never called SSL_shutdown() for the second time to wait for
   the peer's close_notify alert.

This change fixes both issues.

Note that after this change bidirectional shutdown is expected to work for
the first time, so c->ssl->no_wait_shutdown now makes a difference.  This
is not a problem for HTTP code which always uses c->ssl->no_wait_shutdown,
but might be a problem for stream and mail code, as well as 3rd party
modules.

To minimize the effect of the change, the timeout, which was used to be 30
seconds and not configurable, though never actually used, is now set to
3 seconds.  It is also expanded to apply to both SSL_ERROR_WANT_READ and
SSL_ERROR_WANT_WRITE, so timeout is properly set if writing to the socket
buffer is not possible.
2020-08-10 18:52:09 +03:00
Maxim Dounin
130a5e7126 Request body: optimized handling of small chunks.
If there is a previous buffer, copy small chunks into it instead of
allocating additional buffer.
2020-08-06 05:02:57 +03:00
Maxim Dounin
150cbb017b Request body: allowed large reads on chunk boundaries.
If some additional data from a pipelined request happens to be
read into the body buffer, we copy it to r->header_in or allocate
an additional large client header buffer for it.
2020-08-06 05:02:55 +03:00
Maxim Dounin
9edc93fe0e Request body: all read data are now sent to filters.
This is a prerequisite for the next change to allow large reads
on chunk boundaries.
2020-08-06 05:02:44 +03:00
Maxim Dounin
bd7dad5b0e Added size check to ngx_http_alloc_large_header_buffer().
This ensures that copying won't write more than the buffer size
even if the buffer comes from hc->free and it is smaller than the large
client header buffer size in the virtual host configuration.  This might
happen if size of large client header buffers is different in name-based
virtual hosts, similarly to the problem with number of buffers fixed
in 6926:e662cbf1b932.
2020-08-06 05:02:22 +03:00
Roman Arutyunyan
cb0e3a2658 QUIC: handle client RESET_STREAM and STOP_SENDING.
For RESET_STREAM the c->read->error flag is set.
For STOP_SENDING the c->write->error flag is set.
2020-08-03 13:31:48 +03:00
Roman Arutyunyan
e97c50cdd6 QUIC: create streams for STREAM_DATA_BLOCKED and MAX_STREAM_DATA.
Creating client-initiated streams is moved from ngx_quic_handle_stream_frame()
to a separate function ngx_quic_create_client_stream().  This function is
responsible for creating streams with lower ids as well.

Also, simplified and fixed initial data buffering in
ngx_quic_handle_stream_frame().  It is now done before calling the initial
handler as the handler can destroy the stream.
2020-08-11 19:10:57 +03:00
Roman Arutyunyan
68c5d80ee5 QUIC: fixed ngx_http_test_reading() for QUIC streams.
Previously this function generated an error trying to figure out if client shut
down the write end of the connection.  The reason for this error was that a
QUIC stream has no socket descriptor.  However checking for eof is not the
right thing to do for an HTTP/3 QUIC stream since HTTP/3 clients are expected
to shut down the write end of the stream after sending the request.

Now the function handles QUIC streams separately.  It checks if c->read->error
is set.  The error flags for c->read and c->write are now set for all streams
when closing the QUIC connection instead of setting the pending_eof flag.
2020-08-11 10:41:39 +03:00
Sergey Kandaurov
e4ca695700 QUIC: fixed ACK Ranges processing.
According to quic-transport draft 29, section 19.3.1:

   The value of the Gap field establishes the largest packet number
   value for the subsequent ACK Range using the following formula:

      largest = previous_smallest - gap - 2

   Thus, given a largest packet number for the range, the smallest value
   is determined by the formula:

      smallest = largest - ack_range

While here, changed min/max to uint64_t for consistency.
2020-08-07 12:34:15 +03:00
Sergey Kandaurov
7d1a1fb6de QUIC: fixed possible use-after-free on stream cleanup.
A QUIC stream could be destroyed by handler while in ngx_quic_stream_input().
To detect this, ngx_quic_find_stream() is used to check that it still exists.

Previously, a stream id was passed to this routine off the frame structure.
In case of stream cleanup, it is freed along with other frames belonging to
the stream on cleanup.  Then, a cleanup handler reuses last frames to update
MAX_STREAMS and serve other purpose.  Thus, ngx_quic_find_stream() is passed
a reused frame with zeroed out part pointed by stream_id.  If a stream with
id 0x0 still exists, this leads to use-after-free.
2020-08-07 12:34:11 +03:00
Sergey Kandaurov
4ded4e3402 QUIC: fixed format specifiers and removed casts. 2020-07-28 18:54:20 +03:00
Sergey Kandaurov
c2e9b362ed QUIC: consistent Stream ID logging format. 2020-07-28 17:11:25 +03:00
Roman Arutyunyan
007a3996cc QUIC: added HTTP/3 directives list to README.
Also removed server push from TODO list.
2020-07-28 15:53:42 +03:00
Maxim Dounin
d2744ad26f FastCGI: fixed zero size buf alerts on extra data (ticket #2018).
After 05e42236e95b (1.19.1) responses with extra data might result in
zero size buffers being generated and "zero size buf" alerts in writer
(if f->rest happened to be 0 when processing additional stdout data).
2020-07-27 16:02:15 +03:00
balus
c3db6f729f Core: enclosed parameters of the ngx_buf.h macros in parentheses. 2020-07-27 13:21:51 +03:00
Sergey Kandaurov
4ee66b3f7b OCSP: fixed certificate reference leak. 2020-07-23 17:31:09 +03:00
Roman Arutyunyan
6d064c94e0 HTTP/3: server pushes.
New directives are added:
- http3_max_concurrent_pushes
- http3_push
- http3_push_preload
2020-07-23 13:41:24 +03:00
Roman Arutyunyan
77384356ce QUIC: limited the number of client-initiated streams.
The limits on active bidi and uni client streams are maintained at their
initial values initial_max_streams_bidi and initial_max_streams_uni by sending
a MAX_STREAMS frame upon each client stream closure.

Also, the following is changed for data arriving to non-existing streams:

- if a stream was already closed, such data is ignored
- when creating a new stream, all streams of the same type with lower ids are
  created too
2020-07-27 19:15:17 +03:00
Roman Arutyunyan
a1f7106bf7 QUIC: limited the number of server-initiated streams.
Also, ngx_quic_create_uni_stream() is replaced with
ngx_quic_open_stream() which is capable of creating a bidi stream.
2020-07-27 18:51:42 +03:00
Roman Arutyunyan
4dd43dfca7 Xslt: disabled ranges.
Previously, the document generated by the xslt filter was always fully sent
to client even if a range was requested and response status was 206 with
appropriate Content-Range.

The xslt module is unable to serve a range because of suspending the header
filter chain.  By the moment full response xml is buffered by the xslt filter,
range header filter is not called yet, but the range body filter has already
been called and did nothing.

The fix is to disable ranges by resetting the r->allow_ranges flag much like
the image filter that employs a similar technique.
2020-07-22 22:16:19 +03:00
Ruslan Ermilov
80daef96f1 Core: close PID file when writing fails.
Reported by Jinhua Tan.
2020-07-21 20:34:29 +03:00
Roman Arutyunyan
5e036a6bef HTTP/3: support $server_protocol variable.
Now it holds "HTTP/3.0".  Previously it was empty.
2020-07-14 16:52:44 +03:00
Roman Arutyunyan
c8a194b29a Style: moved function declarations to match usual code style.
Plus a few other minor style changes.
2020-07-23 11:40:10 +03:00
Roman Arutyunyan
f2368597c2 HTTP/3: renamed server configuration variables from v3cf to h3scf.
Now they are similar to HTTP/2 where they are called h2scf.
2020-07-23 13:12:01 +03:00
Roman Arutyunyan
47ed87f855 HTTP/3: renamed ngx_http_v3.c to ngx_http_v3_encode.c.
The file contains only encoding functions.
2020-07-13 12:38:08 +03:00
Roman Arutyunyan
6d7ddb5471 HTTP/3: encode frame ids with ngx_http_v3_encode_varlen_int().
Even though typically frame ids fit into a single byte, calling
ngx_http_v3_encode_varlen_int() adds to the code clarity.
2020-07-13 12:33:00 +03:00
Roman Arutyunyan
fc5a7234b4 HTTP/3: generate Location response header for absolute redirects. 2020-07-23 12:31:40 +03:00
Roman Arutyunyan
04b2a169a4 HTTP/3: header encoding functions. 2020-07-13 16:00:00 +03:00
Roman Arutyunyan
548d515fba QUIC: updated README to mention "quic" listen parameter. 2020-07-22 13:45:34 +03:00
Sergey Kandaurov
ca0b9871bc QUIC: fixed bulding perl module by reducing header pollution.
The ngx_http_perl_module module doesn't have a notion of including additional
search paths through --with-cc-opt, which results in compile error incomplete
type 'enum ssl_encryption_level_t' when building nginx without QUIC support.
The enum is visible from quic event headers and eventually pollutes ngx_core.h.

The fix is to limit including headers to compile units that are real consumers.
2020-07-22 14:48:49 +03:00
Roman Arutyunyan
5468904e3b SSL: fixed compilation without QUIC after 0d2b2664b41c. 2020-07-22 13:34:48 +03:00
Roman Arutyunyan
cdc0d61ea0 HTTP/3: do not call shutdown() for QUIC streams.
Previously, this triggered an alert "shutdown() failed" in error log.
2020-07-22 11:03:42 +03:00
Roman Arutyunyan
3073ad1381 QUIC: eliminated connection handler argument in ngx_quic_run().
Now c->listening->handler() is called instead.
2020-07-21 23:08:23 +03:00
Roman Arutyunyan
36f2873f6b QUIC: added "quic" listen parameter in Stream.
Also, introduced ngx_stream_quic_module.
2020-07-21 23:08:39 +03:00
Roman Arutyunyan
b813b9ec35 QUIC: added "quic" listen parameter.
The parameter allows processing HTTP/0.9-2 over QUIC.

Also, introduced ngx_http_quic_module and moved QUIC settings there
2020-07-21 23:09:22 +03:00
Roman Arutyunyan
a305de07e9 QUIC: do not verify the selected ALPN protocol.
The right protocol is selected by the HTTP code.  In the QUIC code only verify
that some protocol was selected and trigger an error otherwise.
2020-07-18 00:08:04 +03:00
Roman Arutyunyan
0f1478706d QUIC: fixed stream read event log.
Previously, the main connection log was there.  Now it's the stream connection
log.
2020-07-18 00:08:29 +03:00
Sergey Kandaurov
8d2d2c5f8f Fixed format specifiers. 2020-07-20 15:19:03 +03:00
Vladimir Homutov
91b6487d8d QUIC: added anti-amplification limit.
According to quic-transport draft 29, section 21.12.1.1:

   Prior to validation, endpoints are limited in what they are able to
   send.  During the handshake, a server cannot send more than three
   times the data it receives; clients that initiate new connections or
   migrate to a new network path are limited.
2020-07-16 16:36:02 +03:00
Vladimir Homutov
e05337214e QUIC: added limit of queued data.
The ngx_quic_queue_frame() functions puts a frame into send queue and
schedules a push timer to actually send data.

The patch adds tracking for data amount in the queue and sends data
immediately if amount of data exceeds limit.
2020-07-16 15:02:38 +03:00
Vladimir Homutov
a5fc86c2a2 QUIC: implemented probe timeout (PTO) calculation. 2020-07-16 16:05:44 +03:00
Vladimir Homutov
782a634e38 QUIC: reworked retransmission mechanism.
Instead of timer-based retransmissions with constant packet lifetime,
this patch implements ack-based loss detection and probe timeout
for the cases, when no ack is received, according to the quic-recovery
draft 29.
2020-07-13 17:31:29 +03:00
Vladimir Homutov
230882ba50 QUIC: reworked ngx_quic_send_frames() function.
Instead of returning NGX_DONE/NGX_OK, the function now itself moves
passed frames range into sent queue and sets PTO timer if required.
2020-07-15 15:10:17 +03:00
Vladimir Homutov
395ec44029 QUIC: renaming.
The c->quic->retransmit timer is now called "pto".
The ngx_quic_retransmit() function is renamed to "ngx_quic_detect_lost()".

This is a preparation for the following patches.
2020-07-13 10:07:15 +03:00
Vladimir Homutov
d7ab1bfb7c QUIC: caching c->quic in the ngx_quic_handle_ack_frame() function.
To minimize difference with the following changes.
2020-07-13 10:07:20 +03:00