Commit Graph

6554 Commits

Author SHA1 Message Date
Maxim Dounin
07c914c0cb Modules compatibility: peer.notify.
This callback can be used to notify balancer about various events.
For now, it is only used in nginx-plus.
2016-09-29 18:05:59 +03:00
Ruslan Ermilov
10f419575a Stream: style.
Explicitly initialized peer's max_conns for upstreams created with
variables similar to how it's done in http.
2016-09-29 12:59:13 +03:00
Ruslan Ermilov
f674f32c09 Upstream: max_conns. 2016-09-22 19:32:47 +03:00
Ruslan Ermilov
fd9e74f656 Upstream: removed the quick recovery mechanism.
Its usefulness it questionable, and it interacts badly with max_conns.
2016-09-22 19:32:45 +03:00
Maxim Dounin
4d4542c838 Upstream: introduced u->upstream.
It holds upstream{} block configuration, including ones selected via
run-time lookup using variables.
2016-09-22 19:32:26 +03:00
Maxim Dounin
017cf96c9b Upstream: style. 2016-09-22 19:31:08 +03:00
Maxim Dounin
778c00c415 Upstream: style, ngx_http_upstream_rr_peer_t.next moved. 2016-07-25 16:23:35 +03:00
Konstantin Pavlov
c8526aca25 Perl: pass additional linker options to perl module.
Previously flags passed by --with-ld-opt were not used when building perl
module, which meant hardening flags provided by package build systems were not
applied.
2016-09-20 22:11:23 +03:00
Valentin Bartenev
89f82c1155 Fixed log levels of configuration parsing errors.
All the errors that prevent loading configuration must be printed on the "emerg"
log level.  Previously, nginx might silently fail to load configuration in some
cases as the default log level is "error".
2016-09-20 15:07:16 +03:00
Ruslan Ermilov
1fd83ac0c8 Removed influence of some options on structures. 2016-09-20 12:30:52 +03:00
Vladimir Homutov
f8a9d528df Upstream hash: fixed missing upstream name initialization. 2016-09-16 15:13:24 +03:00
Vladimir Homutov
7f57804fe2 Stream ssl_preread: removed internal macro.
The ngx_log_debug() macro is internal and should not be used.
2016-09-15 15:36:02 +03:00
Vladimir Homutov
5a7afb1b0d Stream: ssl_preread module.
The ssl_preread module extracts information from the SSL Client Hello message
without terminating SSL.  Currently, only $ssl_preread_server_name variable
is supported, which contains server name from the SNI extension.
2016-09-15 14:56:51 +03:00
Vladimir Homutov
704446127e Stream: preread phase.
In this phase, head of a stream is read and analysed before proceeding to the
content phase.  Amount of data read is controlled by the module implementing
the phase, but not more than defined by the "preread_buffer_size" directive.
The time spent on processing preread is controlled by the "preread_timeout"
directive.

The typical preread phase module will parse the beginning of a stream and set
variable that may be used by the content phase, for example to make routing
decision.
2016-09-15 14:56:02 +03:00
Roman Arutyunyan
05a455ff21 Stream: phases. 2016-09-15 14:55:54 +03:00
Roman Arutyunyan
04b9434b18 Stream: filters. 2016-09-15 14:55:46 +03:00
Vladimir Homutov
afa771140b Version bump. 2016-09-15 14:56:26 +03:00
Maxim Dounin
5d4f014aaf release-1.11.4 tag 2016-09-13 18:39:24 +03:00
Maxim Dounin
c6630fb2fd nginx-1.11.4-RELEASE 2016-09-13 18:39:23 +03:00
Maxim Dounin
13bf2759c8 OCSP stapling: fixed using wrong responder with multiple certs. 2016-09-12 20:11:06 +03:00
Sergey Kandaurov
6831af304e SSL: improved session ticket callback error handling.
Prodded by Guido Vranken.
2016-09-12 18:57:42 +03:00
Sergey Kandaurov
b39aa6148f SSL: factored out digest and cipher in session ticket callback.
No functional changes.
2016-09-12 18:57:42 +03:00
Dmitry Volyntsev
d35f95c568 Stream: increase default value for proxy_protocol_timeout to 30s. 2016-09-08 15:51:36 +03:00
Dmitry Volyntsev
fe2774a9d6 Stream: realip module. 2016-09-01 14:45:33 +03:00
Dmitry Volyntsev
a613df5b3f Core: introduced ngx_cidr_match() function. 2016-09-07 13:56:53 +03:00
Dmitry Volyntsev
41e7bda773 Stream: allow using the session context inside handlers.
Previously, it was not possible to use the stream context
inside ngx_stream_init_connection() handlers.  Now, limit_conn,
access handlers, as well as those added later, can create
their own contexts.
2016-09-06 21:28:17 +03:00
Dmitry Volyntsev
7336c4008f Stream: $proxy_protocol_addr and $proxy_protocol_port. 2016-09-06 21:28:16 +03:00
Dmitry Volyntsev
abd1b0a76d Stream: the "proxy_protocol" parameter of the "listen" directive. 2016-09-06 21:28:16 +03:00
Dmitry Volyntsev
87aaac4ac5 Stream: postpone session initialization under accept mutex.
Previously, it was possible that some system calls could be
invoked while holding the accept mutex.  This is clearly
wrong as it prevents incoming connections from being accepted
as quickly as possible.
2016-09-06 21:28:13 +03:00
Vladimir Homutov
68a7b9b5a3 Stream: log module. 2016-09-05 17:50:16 +03:00
Vladimir Homutov
443b52db59 Stream: upstream response time variables.
The $upstream_connect_time, $upstream_first_byte_time and
$upstream_session_time variables keep corresponding times.
2016-09-02 18:27:12 +03:00
Vladimir Homutov
64223df670 Stream: $upstream_bytes_sent and $upstream_bytes_received. 2016-09-02 18:27:08 +03:00
Vladimir Homutov
c6d456da87 Stream: the $upstream_addr variable.
Keeps the full address of the upstream server.  If several servers were
contacted during proxying, their addresses are separated by commas,
e.g. "192.168.1.1:80, 192.168.1.2:80".
2016-09-02 18:27:05 +03:00
Roman Arutyunyan
be6024f9b7 Stream: the $status variable.
The stream session status is one of the following:

200 - normal completion
403 - access forbidden
500 - internal server error
502 - bad gateway
503 - limit conn
2016-08-11 20:22:23 +03:00
Maxim Dounin
ea9a1d745b Event pipe: do not set file's thread_handler if not needed.
This fixes a problem with aio threads and sendfile with aio_write switched
off, as observed with range requests after fc72784b1f52 (1.9.13).  Potential
problems with sendfile in threads were previously described in 9fd738b85fad,
and this seems to be one of them.

The problem occurred as file's thread_handler was set to NULL by event pipe
code after a sendfile thread task was scheduled.  As a result, no sendfile
completion code was executed, and the same buffer was additionally sent
using non-threaded sendfile.  Fix is to avoid modifying file's thread_handler
if aio_write is switched off.

Note that with "aio_write on" it is still possible that sendfile will use
thread_handler as set by event pipe.  This is believed to be safe though,
as handlers used are compatible.
2016-09-01 20:05:23 +03:00
Maxim Dounin
4e8a73adaa Event pipe: process data after recv_chain() errors.
When c->recv_chain() returns an error, it is possible that we already
have some data previously read, e.g., in preread buffer.  And in some
cases it may be even a complete response.  Changed c->recv_chain() error
handling to process the data, much like it is already done if kevent
reports about an error.

This change, in particular, fixes processing of small responses
when an upstream fails to properly close a connection with lingering and
therefore the connection is reset, but the response is already fully
obtained by nginx (see ticket #1037).
2016-09-01 18:29:55 +03:00
Roman Arutyunyan
c6ba4aae38 Realip: fixed uninitialized memory access.
Previously, the realip module could be left with uninitialized context after an
error in the ngx_http_realip_set_addr() function.  That context could be later
accessed by $realip_remote_addr and $realip_remote_port variable handlers.
2016-09-01 14:33:51 +03:00
Vladimir Homutov
048ee94130 Stream: the $protocol variable.
The variable keeps protocol used by the client, "TCP" or "UDP".
2016-08-26 15:33:07 +03:00
Vladimir Homutov
f04b65358e Stream: the $session_time variable.
The variable keeps time spent on processing the stream session.
2016-08-26 15:33:04 +03:00
Vladimir Homutov
1258126f0c Stream: the $bytes_received variable.
The variable keeps the number of bytes received from the client.
2016-08-26 15:33:02 +03:00
Piotr Sikora
14b1b6e10a Thread pools: create threads in detached state.
This prevents theoretical resource leak, since those threads are never joined.

Found with ThreadSanitizer.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-08-15 05:52:04 -07:00
Sergey Kandaurov
78031177f4 Geo: fixed indentation. 2016-08-25 12:59:39 +03:00
Maxim Dounin
0b97b1ec6f Contrib: unicode2nginx compatibility with recent Perl versions.
In recent Perl versions unpack("C*") unpacks wide characters by default,
likely since perl 5.10 (seen at least in perl 5.20).  Replaced with
unpack("U0C*") instead to unpack bytes.

While here, improved style and updated my email.
2016-08-24 15:53:17 +03:00
Ruslan Ermilov
9208875db1 Geo: fixed warnings when removing nonexistent ranges.
geo $geo {
    ranges;

    10.0.0.0-10.0.0.255 test;

    delete 10.0.1.0-10.0.1.255;     # should warn

    delete 10.0.0.0-10.0.0.255;
    delete 10.0.0.0-10.0.0.255;     # should warn
}
2016-08-23 15:59:42 +03:00
Ruslan Ermilov
20de5f14e5 Geo: fixed insertion of ranges specified in descending order. 2016-08-23 15:59:14 +03:00
Ruslan Ermilov
f927ab882a Geo: fixed removing a range in certain cases.
If the range includes two or more /16 networks and does
not start at the /16 boundary, the last subrange was not
removed (see 91cff7f97a50 for details).
2016-08-23 15:59:06 +03:00
Ruslan Ermilov
36e1c887db Geo: fixed overflow when iterating over ranges. 2016-08-23 15:57:29 +03:00
Sergey Kandaurov
218c8d493f SSL: adopted session ticket handling for OpenSSL 1.1.0.
Return 1 in the SSL_CTX_set_tlsext_ticket_key_cb() callback function
to indicate that a new session ticket is created, as per documentation.
Until 1.1.0, OpenSSL didn't make a distinction between non-negative
return values.

See https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5c753de for details.
2016-08-22 18:53:21 +03:00
Piotr Sikora
c7c5c43c04 SSL: remove no longer needed workaround for BoringSSL.
BoringSSL added a no-op stub for OPENSSL_config() on 2016-01-26.

Requested by David Benjamin.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-08-18 14:49:48 -07:00
Ruslan Ermilov
d4f7011688 Events: fixed setting of IP_BIND_ADDRESS_NO_PORT/SO_REUSEADDR.
The IP_BIND_ADDRESS_NO_PORT option is set on upstream sockets
if proxy_bind does not specify a port.  The SO_REUSEADDR option
is set on UDP upstream sockets if proxy_bind specifies a port.

Due to checking of the wrong port, IP_BIND_ADDRESS_NO_PORT was
never set, and SO_REUSEPORT was always set.
2016-08-22 11:40:10 +03:00