Commit Graph

6470 Commits

Author SHA1 Message Date
Ruslan Ermilov
ceccebbb31 Version bump. 2016-02-25 16:28:42 +03:00
Maxim Dounin
56fde51b41 release-1.9.12 tag 2016-02-24 17:53:23 +03:00
Maxim Dounin
25bd52653f nginx-1.9.12-RELEASE 2016-02-24 17:53:22 +03:00
Valentin Bartenev
f72bcf8285 HTTP/2: implemented per request timeouts (closes #626).
Previously, there were only three timeouts used globally for the whole HTTP/2
connection:

 1. Idle timeout for inactivity when there are no streams in processing
    (the "http2_idle_timeout" directive);

 2. Receive timeout for incomplete frames when there are no streams in
    processing (the "http2_recv_timeout" directive);

 3. Send timeout when there are frames waiting in the output queue
    (the "send_timeout" directive on a server level).

Reaching one of these timeouts leads to HTTP/2 connection close.

This left a number of scenarios when a connection can get stuck without any
processing and timeouts:

 1. A client has sent the headers block partially so nginx starts processing
    a new stream but cannot continue without the rest of HEADERS and/or
    CONTINUATION frames;

 2. When nginx waits for the request body;

 3. All streams are stuck on exhausted connection or stream windows.

The first idea that was rejected was to detect when the whole connection
gets stuck because of these situations and set the global receive timeout.
The disadvantage of such approach would be inconsistent behaviour in some
typical use cases.  For example, if a user never replies to the browser's
question about where to save the downloaded file, the stream will be
eventually closed by a timeout.  On the other hand, this will not happen
if there's some activity in other concurrent streams.

Now almost all the request timeouts work like in HTTP/1.x connections, so
the "client_header_timeout", "client_body_timeout", and "send_timeout" are
respected.  These timeouts close the request.

The global timeouts work as before.

Previously, the c->write->delayed flag was abused to avoid setting timeouts on
stream events.  Now, the "active" and "ready" flags are manipulated instead to
control the processing of individual streams.
2016-02-24 15:58:07 +03:00
Valentin Bartenev
4e6a490fa7 HTTP/2: always use temporary pool for processing headers.
This is required for implementing per request timeouts.

Previously, the temporary pool was used only during skipping of
headers and the request pool was used otherwise.  That required
switching of pools if the request was closed while parsing.

It wasn't a problem since the request could be closed only after
the validation of the fully parsed header.  With the per request
timeouts, the request can be closed at any moment, and switching
of pools in the middle of parsing header name or value becomes a
problem.

To overcome this, the temporary pool is now always created and
used.  Special checks are added to keep it when either the stream
is being processed or until header block is fully parsed.
2016-02-24 16:05:47 +03:00
Valentin Bartenev
8b40f1eaec HTTP/2: cleaned up state while closing stream.
Without this the state might keep pointing to already closed stream.
2016-02-24 16:05:46 +03:00
Valentin Bartenev
1d294eea3e Fixed buffer over-read while logging invalid request headers.
Since 667aaf61a778 (1.1.17) the ngx_http_parse_header_line() function can return
NGX_HTTP_PARSE_INVALID_HEADER when a header contains NUL character.  In this
case the r->header_end pointer isn't properly initialized, but the log message
in ngx_http_process_request_headers() hasn't been adjusted.  It used the pointer
in size calculation, which might result in up to 2k buffer over-read.

Found with afl-fuzz.
2016-02-24 16:01:23 +03:00
Maxim Dounin
4275d0a8a0 Configure: added "build" target.
The "build" target introduced to do all build-related tasks, and
it is now used in Makefile and in objs/Makefile as a dependency for
the "install" target.

In particular, this resolves problems as observed with dynamic modules
by people trying to do "make install" without calling "make" first.
2016-02-19 18:13:54 +03:00
Maxim Dounin
7b232ef5aa SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
This fixes "called a function you should not call" and
"shutdown while in init" errors as observed with OpenSSL 1.0.2f
due to changes in how OpenSSL handles SSL_shutdown() during
SSL handshakes.
2016-02-19 17:27:30 +03:00
Maxim Dounin
89d3762863 SSL: fixed SSL_shutdown() comment. 2016-02-19 17:27:23 +03:00
Ruslan Ermilov
73f815e489 Headers filter: fixed "add_header ... '' always".
The "always" parameter was ignored if the header value was empty.
2016-02-18 15:49:11 +03:00
Sergey Kandaurov
fef872a9ba Configure: skip building OpenSSL documentation to conserve time.
The install_sw target first appeared in OpenSSL 0.9.7e and is documented since
OpenSSL 1.0.0 as the way to install the OpenSSL software without documentation.
2016-02-19 13:31:55 +03:00
Ruslan Ermilov
6fccc00aa8 Configure: fixed static nginx build with OpenSSL (ticket #903).
Before 7142b04337d6, it was possible to build the OpenSSL library
along with nginx, and link nginx statically with this library
(--with-openssl=DIR --with-ld-opt=-static --with-http_ssl_module).
This was broken on Linux by not adding -ldl after -lcrypto.

The fix also makes it possible to link nginx statically on Linux
with the system OpenSSL library, which never worked before.
2016-02-18 11:39:57 +03:00
Vladimir Homutov
faa96e82d2 Core: added support for more than 64 CPUs in worker_cpu_affinity. 2016-02-18 13:58:49 +03:00
Valentin Bartenev
b5d7d3f024 HTTP/2: added debug logging of response headers.
Because of HPACK compression it's hard to see what headers are actually
sent by the server.
2016-02-16 17:49:14 +03:00
Valentin Bartenev
fcfe483292 HTTP/2: use local pointer instead of r->connection.
No functional changes.
2016-02-16 17:49:14 +03:00
Maxim Dounin
79654d53e3 Core: improved logging on invalid NGINX variable (ticket #900). 2016-02-15 17:41:52 +03:00
Maxim Dounin
cc79e1779a Updated OpenSSL used for win32 builds. 2016-02-13 07:28:14 +03:00
Maxim Dounin
4cfd9ba3c1 Win32: simplified and improved handling of MSVC versions.
Now we always set NGX_CC_NAME to "msvc", and additionally test compiler
version as reported by "cl" in auto/cc/msvc (the same version is also
available via the _MSC_VER define).  In particular, this approach allows
to properly check for C99 variadic macros support, which previously was
not used with MSVC versions not explicitly recognized.

Now unneeded wildcards in NGX_CC_NAME tests for msvc removed accordingly,
as well as unused wildcards for owc and icc.
2016-02-13 06:47:34 +03:00
Valentin Bartenev
822fc91b09 HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.

Found by Coverity (CID 1352150).
2016-02-12 16:36:20 +03:00
Valentin Bartenev
531e6fbfd6 HTTP/2: implemented HPACK Huffman encoding for response headers.
This reduces the size of headers by over 30% on average.

Based on the patch by Vlad Krasnov:
http://mailman.nginx.org/pipermail/nginx-devel/2015-December/007682.html
2016-02-11 15:35:36 +03:00
Ruslan Ermilov
3b9b07377b Dynamic modules: fixed a version mismatch message (ticket #898).
Based on a patch by Takashi Takizawa.
2016-02-11 18:46:46 +03:00
Roman Arutyunyan
f1f419fd2c Stream: initialize variable right before using it. 2016-02-11 14:20:26 +03:00
Roman Arutyunyan
1cdd0cc421 Stream: removed useless typedef. 2016-02-11 14:20:22 +03:00
Ruslan Ermilov
6b2e4f336c Dynamic modules: added auth_basic module libs via ngx_module_libs=. 2016-02-10 11:36:25 +03:00
Piotr Sikora
2fe20c9b34 Core: ngx_module_t compatibility with C++.
Changes to NGX_MODULE_V1 and ngx_module_t in 85dea406e18f (1.9.11)
broke all modules written in C++, because ISO C++11 does not allow
conversion from string literal to char *.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-02-09 16:31:26 -08:00
Maxim Dounin
839c1997d9 Version bump. 2016-02-10 06:23:34 +03:00
Maxim Dounin
37fa0990c8 release-1.9.11 tag 2016-02-09 17:11:57 +03:00
Maxim Dounin
3481888975 nginx-1.9.11-RELEASE 2016-02-09 17:11:56 +03:00
Maxim Dounin
86c82d4376 Dynamic modules: NGX_STREAM define removed.
It's not used and contradicts the idea of dynamic loading.
2016-02-08 18:02:04 +03:00
Valentin Bartenev
c2a00bacac Dynamic modules: added dlsym() to configure test.
It appears that AddressSanitizer in GCC 5 intercepts dlopen() and dlclose()
but not dlsym().
2016-02-05 21:48:25 +03:00
Ruslan Ermilov
4814d78312 Dynamic modules: fixed a copy-n-paste error. 2016-02-05 14:02:54 +03:00
Maxim Dounin
97f59dda09 Dynamic modules.
The auto/module script is extended to understand ngx_module_link=DYNAMIC.
When set, it links the module as a shared object rather than statically
into nginx binary.  The module can later be loaded using the "load_module"
directive.

New auto/module parameter ngx_module_order allows to define module loading
order in complex cases.  By default the order is set based on ngx_module_type.

3rd party modules can be compiled dynamically using the --add-dynamic-module
configure option, which will preset ngx_module_link to "DYNAMIC" before
calling the module config script.

Win32 support is rudimentary, and only works when using MinGW gcc (which
is able to handle exports/imports automatically).

In collaboration with Ruslan Ermilov.
2016-02-04 20:25:29 +03:00
Maxim Dounin
0805ba14e7 Dynamic modules: auto/module script.
This script simplifies configuration of additional modules,
including 3rd party ones.  The script is extensible, and
will be used to introduce dynamic linking of modules in upcoming
changes.

3rd party module config scripts are called with ngx_module_link
preset to "ADDON" - this allows config scripts to call auto/module
without ngx_module_link explicitly defined, as well as testing if
new interface is in place if compatibility with older nginx versions
is desired.

In collaboration with Ruslan Ermilov.
2016-02-04 18:30:21 +03:00
Maxim Dounin
359803e457 Dynamic modules: introduced HTTP_INIT_FILTER_MODULES.
Additionally, HTTP_HEADERS_FILTER_MODULE now added to HTTP_FILTER_MODULES.
This avoids explict use of modules at the later stages, now only module
lists are used.  This will be needed in later patches.
2016-02-04 18:30:21 +03:00
Maxim Dounin
86cc342a26 Dynamic modules: dlopen() support. 2016-02-04 18:30:21 +03:00
Maxim Dounin
0f67d6355c Dynamic modules: changed ngx_modules to cycle->modules. 2016-02-04 18:30:21 +03:00
Maxim Dounin
7988334570 Dynamic modules: moved module-related stuff to separate files. 2016-02-04 18:30:21 +03:00
Valentin Bartenev
9add42c71e HTTP/2: fixed possible buffer overrun (ticket #893).
Due to greater priority of the unary plus operator over the ternary operator
the expression didn't work as expected.  That might result in one byte less
allocation than needed for the HEADERS frame buffer.
2016-02-04 18:01:04 +03:00
Valentin Bartenev
cb173ff672 HTTP/2: fixed padding handling in HEADERS frame with CONTINUATION. 2016-02-02 16:33:55 +03:00
Valentin Bartenev
8050277acf HTTP/2: fixed request length accounting.
Now it includes not only the received body size,
but the size of headers block as well.
2016-02-02 16:33:55 +03:00
Valentin Bartenev
405f4f99b4 HTTP/2: fixed excessive memory allocation for pool cleanup. 2016-02-02 16:33:55 +03:00
Valentin Bartenev
3351fbe481 HTTP/2: removed unused field from ngx_http_v2_stream_t. 2016-02-02 16:33:55 +03:00
Ruslan Ermilov
c6ed65ce7c Resolver: style.
Use the original query name in error and debug messages when
processing PTR responses.
2015-12-17 17:30:22 +03:00
Ruslan Ermilov
bf269cbc55 Resolver: improved PTR response processing.
The previous code only parsed the first answer, without checking its
type, and required a compressed RR name.

The new code checks the RR type, supports responses with multiple
answers, and doesn't require the RR name to be compressed.

This has a side effect in limited support of CNAME.  If a response
includes both CNAME and PTR RRs, like when recursion is enabled on
the server, PTR RR is handled.

Full CNAME support in PTR response is not implemented in this change.
2015-12-17 17:21:16 +03:00
Ruslan Ermilov
06806aa001 Resolver: style.
Renamed argument in ngx_resolver_process_a() for consistency.
2015-12-17 17:21:12 +03:00
Roman Arutyunyan
cbee15bb6c Resolver: free TCP buffers on resolver cleanup. 2016-02-02 13:42:55 +03:00
Ruslan Ermilov
625481f6f1 Resolver: fixed possible resource leak introduced in 5a16d40c63de.
Found by Coverity (CID 1351175).
2016-02-02 11:35:19 +03:00
Roman Arutyunyan
aa8fa81e42 Resolver: TCP support.
Resend DNS query over TCP once UDP response came truncated.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
c8c44f7478 Resolver: per-request DNS server balancer.
Previously, a global server balancer was used to assign the next DNS server to
send a query to.  That could lead to a non-uniform distribution of servers per
request.  A request could be assigned to the same dead server several times in a
row and wait longer for a valid server or even time out without being processed.

Now each query is sent to all servers sequentially in a circle until a
response is received or timeout expires.  Initial server for each request is
still globally balanced.
2016-01-28 15:28:20 +03:00