Commit Graph

3093 Commits

Author SHA1 Message Date
Ruslan Ermilov
fc55962698 Fixed two minor bugs in "types" parsing code. 2011-10-12 09:36:21 +00:00
Ruslan Ermilov
b5c3336e3e Fixed grammar in a comment. 2011-10-12 09:34:53 +00:00
Ruslan Ermilov
dce7a0c00f Replaced magic constants representing default values of some directives
with appropriate #define's.
2011-10-12 09:33:43 +00:00
Ruslan Ermilov
51a2423633 Stylistic change in checking the boolean expression. 2011-10-12 09:27:34 +00:00
Igor Sysoev
bfe7be45b8 Preallocating exact number of default MIME types entries. 2011-10-12 09:19:57 +00:00
Ruslan Ermilov
c8fdda4c2f Removed old warning that suggested to use "server_name_in_redirect off"
(now the default) in place of no longer supported "server_name *".
2011-10-12 07:20:20 +00:00
Maxim Dounin
b8203e46a0 Additional headers for proxy/fastcgi/uwsgi/scgi_ignore_headers.
Now the following headers may be ignored as well: X-Accel-Limit-Rate,
X-Accel-Buffering, X-Accel-Charset.
2011-10-11 18:10:49 +00:00
Maxim Dounin
012e6b6378 Handling of Content-Encoding set from perl.
This fixes double gzipping in case of gzip filter being enabled while perl
returns already gzipped response.
2011-10-11 18:01:38 +00:00
Maxim Dounin
0f5f4cb180 Fix for socket leak with "aio sendfile" and "limit_rate".
Second aio post happened when timer set by limit_rate expired while we have
aio request in flight, resulting in "second aio post" alert and socket leak.

The patch adds actual protection from aio calls with r->aio already set to
aio sendfile code in ngx_http_copy_filter().  This should fix other cases
as well, e.g. when sending buffered to disk upstream replies while still
talking to upstream.

The ngx_http_writer() is also fixed to handle the above case (though it's
mostly optimization now).

Reported by Oleksandr V. Typlyns'kyi.
2011-10-11 18:00:23 +00:00
Maxim Dounin
b7af402cc4 Fix for connection drops with AIO.
Connections serving content with AIO to fast clients were dropped with
"client timed out" messages after send_timeout from response start.
2011-10-11 17:58:51 +00:00
Maxim Dounin
5cc1fb1d5b Autoindex: escape html in file names. 2011-10-11 17:57:41 +00:00
Maxim Dounin
6226fe3512 Autoindex: escape '?' in file names.
For files with '?' in their names autoindex generated links with '?' not
escaped.  This resulted in effectively truncated links as '?' indicates
query string start.

This is an updated version of the patch originally posted at [1].  It
introduces generic NGX_ESCAPE_URI_COMPONENT which escapes everything but
unreserved characters as per RFC 3986.  This approach also renders unneeded
special colon processing (as colon is percent-encoded now), it's dropped
accordingly.

[1] http://nginx.org/pipermail/nginx-devel/2010-February/000112.html

Reported by Konstantin Leonov.
2011-10-11 17:56:51 +00:00
Maxim Dounin
e3d6c5a33c Improved access log escaping to better protect other software.
Some character sets (notably ISO-8859-1) have C1 control characters in
upper half, make sure to escape them.

Reported by Jesus Olmos Gonzalez.
2011-10-11 17:54:38 +00:00
Igor Sysoev
0d19f020ba Fixing directive name in error message if types hash size is not enough. 2011-10-11 11:11:44 +00:00
Igor Sysoev
840ef3980c Fixing mp4 module seeking on 32-bit platforms. 2011-10-11 10:12:44 +00:00
Ruslan Ermilov
2fdb547f3a Fixed macro name. 2011-10-10 08:38:28 +00:00
Igor Sysoev
94b5460c70 Releasing memory of idle SSL connection. This saves about 34K per SSL
connection. The SSL_MODE_RELEASE_BUFFERS option is available since
OpenSSL 1.0.0d.
2011-10-07 12:15:20 +00:00
Igor Sysoev
95084f7e1c Disabling SSL compression. This saves about 300K per SSL connection.
The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0.
2011-10-07 10:59:02 +00:00
Igor Sysoev
3f34960fde Version bump. 2011-10-07 10:41:13 +00:00
Ruslan Ermilov
a610127fe3 Improved ngx_parse_time() code readability. 2011-10-07 08:03:16 +00:00
Ruslan Ermilov
6e86fb02d6 Tweaked error messages. 2011-10-07 07:57:24 +00:00
Igor Sysoev
ab0078a4c8 Version bump. 2011-10-05 13:13:25 +00:00
Maxim Dounin
20139ff13a Fixed cache bypass caching of non-cacheable replies (ticket #21).
If cache was bypassed with proxy_cache_bypass, cache-controlling headers
(Cache-Control, Expires) wasn't considered and response was cached even
if it was actually non-cacheable.

Patch by John Ferlito.
2011-10-05 10:14:21 +00:00
Maxim Dounin
3aba768855 Added uwsgi_buffering and scgi_buffering directives.
Patch by Peter Smit.
2011-09-30 11:53:27 +00:00
Igor Sysoev
f3ae6a6102 Using strtod() instead of atofp() to support a lot of digits after dot in
"start" parameter value.
2011-09-30 09:18:28 +00:00
Igor Sysoev
a40e7eed30 Fix of building on platforms with 32-bit off_t. (closed #23) 2011-09-29 15:19:36 +00:00
Maxim Dounin
5cc90f309d Fixed segmentation fault with empty config on Windows.
See here for report:
http://mailman.nginx.org/pipermail/nginx-ru/2011-September/043288.html
2011-09-27 12:07:09 +00:00
Maxim Dounin
554768dabb Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993). 2011-09-27 12:06:07 +00:00
Maxim Dounin
886c6295ee Better handling of late upstream creation.
Configuration with duplicate upstream blocks defined after first use, i.e.
like

    server {
        ...
        location / {
            proxy_pass http://backend;
        }
    }

    upstream backend { ... }
    upstream backend { ... }

now correctly results in "duplicate upstream" error.

Additionally, upstream blocks defined after first use now handle various
server directive parameters ("weight", "max_fails", etc.).  Previously
configuration like

    server {
        ...
        location / {
            proxy_pass http://backend;
        }
    }

    upstream backend {
        server 127.0.0.1 max_fails=5;
    }

incorrectly resulted in "invalid parameter "max_fails=5"" error.
2011-09-27 11:18:51 +00:00
Maxim Dounin
b16918ed08 Cache: fix for sending of stale responses.
For normal cached responses ngx_http_cache_send() sends last buffer and then
request finalized via ngx_http_finalize_request() call, i.e. everything is
ok.

But for stale responses (i.e. when upstream died, but we have something in
cache) the same ngx_http_cache_send() sends last buffer, but then in
ngx_http_upstream_finalize_request() another last buffer is send.  This
causes duplicate final chunk to appear if chunked encoding is used (and
resulting problems with keepalive connections and so on).

Fix this by not sending in ngx_http_upstream_finalize_request()
another last buffer if we know response was from cache.
2011-09-27 11:17:11 +00:00
Maxim Dounin
84c58a30e6 Cache: fix for sending of empty responses.
Revert wrong fix for empty responses introduced in 0.8.31 and apply new one,
rewritten to match things done by static module as close as possible.
2011-09-27 11:15:35 +00:00
Maxim Dounin
4a3884ae56 Incorrect special case for "return 204" removed.
The special case in question leads to replies without body in
configuration like

    location / { error_page 404 /zero; return 404; }
    location /zero { return 204; }

while replies with empty body are expected per protocol specs.

Correct one will look like

    if (status == NGX_HTTP_NO_CONTENT) {

        rc = ngx_http_send_header(r);

        if (rc == NGX_ERROR || r->header_only) {
            return rc;
        }

        return ngx_http_send_special(r, NGX_HTTP_LAST);
    }

though it looks like it's better to drop this special case at all.
2011-09-27 11:14:02 +00:00
Maxim Dounin
77ca973d11 Fix for "return 202" not discarding body.
Big POST (not fully preread) to a

    location / {
        return 202;
    }

resulted in incorrect behaviour due to "return" code path not calling
ngx_http_discard_request_body().  The same applies to all "return" used
with 2xx/3xx codes except 201 and 204, and to all "return ... text" uses.

Fix is to add ngx_http_discard_request_body() call to ngx_http_send_response()
function where it looks appropriate.  Discard body call from emtpy gif module
removed as it's now redundant.

Reported by Pyry Hakulinen, see
http://mailman.nginx.org/pipermail/nginx/2011-August/028503.html
2011-09-27 11:13:00 +00:00
Maxim Dounin
ad5ef15e08 Fix for double content when return is used in error_page handler.
Test case:

   location / {
       error_page 405 /nope;
       return 405;
   }

   location /nope {
       return 200;
   }

This is expected to return 405 with empty body, but in 0.8.42+ will return
builtin 405 error page as well (though not counted in Content-Length, thus
breaking protocol).

Fix is to use status provided by rewrite script execution in case
it's less than NGX_HTTP_BAD_REQUEST even if r->error_status set.  This
check is in line with one in ngx_http_script_return_code().

Note that this patch also changes behaviour for "return 302 ..." and
"rewrite ... redirect" used as error handler.  E.g.

    location / {
        error_page 405 /redirect;
        return 405;
    }

    location /redirect {
        rewrite ^ http://example.com/;
    }

will actually return redirect to "http://example.com/" instead of builtin 405
error page with meaningless Location header.  This looks like correct change
and it's in line with what happens on e.g. directory redirects in error
handlers.
2011-09-27 11:11:30 +00:00
Maxim Dounin
bfb42ad97c Fix for incorrect 201 replies from dav module.
Replies with 201 code contain body, and we should clearly indicate it's
empty if it's empty.  Before 0.8.32 chunked was explicitly disabled for
201 replies and as a result empty body was indicated by connection close
(not perfect, but worked).  Since 0.8.32 chunked is enabled, and this
causes incorrect responses from dav module when HTTP/1.1 is used: with
"Transfer-Encoding: chunked" but no chunks at all.

Fix is to actually return empty body in special response handler instead
of abusing r->header_only flag.

See here for initial report:
http://mailman.nginx.org/pipermail/nginx-ru/2010-October/037535.html
2011-09-27 11:09:55 +00:00
Maxim Dounin
5c56f20ae7 Proxy: logging levels tuned, double logging fixed. 2011-09-25 20:04:20 +00:00
Maxim Dounin
aa12f3c7f3 Proxy: whitespaces after chunk size allowed.
Whitespaces after chunk size seems to be be allowed by the "implied *LWS" rule
and emitted by some servers.
2011-09-25 20:03:27 +00:00
Maxim Dounin
28b001f897 Upstream: clearing of u->peer.connection on close.
This fixes crashes observed with some 3rd party balancer modules.  Standard
balancer modules (round-robin and ip hash) explicitly set pc->connection
(aka u->peer.connection) to NULL and aren't affected.
2011-09-25 20:00:36 +00:00
Ruslan Ermilov
b1565cf96b Fixed error message. 2011-09-23 20:15:27 +00:00
Maxim Dounin
afe2e3d082 Fix of separate pool for upstream connections (r4117).
Pool may not be created if connection was created but rejected in connect()
call.  Make sure to check if it is here before trying to destroy it.
2011-09-20 10:00:46 +00:00
Maxim Dounin
265e51aa0b Fixed loss of chain links in ngx_event_pipe_read_upstream(). 2011-09-20 09:56:35 +00:00
Maxim Dounin
d1b9a0388d Fixed loss of chain links in fastcgi module. 2011-09-20 09:56:05 +00:00
Maxim Dounin
e4dab80e80 Fix of cpu hog in event pipe.
If client closed connection in ngx_event_pipe_write_to_downstream(), buffers
in the "out" chain were lost.  This caused cpu hog if all available buffers
were in the "out" chain.  Fix is to call ngx_chain_update_chains() before
checking return code of output filter to avoid loosing buffers in the "out"
chain.

Note that this situation (all available buffers in the "out" chain) isn't
normal, it should be prevented by busy buffers limit.  Though right now it
may happen with complex protocols like fastcgi.  This should be addressed
separately.
2011-09-20 09:55:27 +00:00
Igor Sysoev
c8df23cb29 The "worker_aio_requests" directive.
The default value is 32 AIO simultaneous requests per worker. Previously
they were hardcoded to 1024, and it was too large, since Linux allocated
them early on io_setup(), but not on request itself. So with default value
of /proc/sys/fs/aio-max-nr equal to 65536 only 64 worker processes could
be run simultaneously. 32 AIO requests are enough for modern disks even if
server runs only 1 worker.
2011-09-20 07:30:09 +00:00
Ruslan Ermilov
a823c550e4 Replaced "can not" with "cannot" and "could not" in a bunch of places.
Fixed nearby grammar errors.
2011-09-19 14:48:29 +00:00
Ruslan Ermilov
3b7ed02583 Cosmetics: replaced NGX_CONF_TAKE1 to NGX_CONF_FLAG for "sendfile"
and "chunked_transfer_encoding" directives, to be in line with all
directives taking a boolean argument.  Both flags will ensure that
a directive takes one argument.
2011-09-19 12:41:13 +00:00
Ruslan Ermilov
5d4aed0175 Overhauled diagnostic messages. 2011-09-19 12:37:22 +00:00
Igor Sysoev
aa997c0289 Fixing Linux AIO initiatialization: AIO operations are disabled if kernel
does not support them.  Previously worker just exited.
2011-09-16 13:41:52 +00:00
Igor Sysoev
4134b48b68 Fixing Linux AIO syscalls return value handling:
syscall(2) uses usual libc convention, it returns -1 on error and
sets errno. Obsolete _syscall(2) returns negative value of error.

Thanks to Hagai Avrahami.
2011-09-16 12:43:16 +00:00
Maxim Dounin
c6353a5654 Trailing space fix. 2011-09-16 12:08:52 +00:00
Maxim Dounin
44002e541f Upstream keepalive module. 2011-09-15 19:28:18 +00:00
Maxim Dounin
2fe0a7a0f6 Proxy: basic HTTP/1.1 support (including keepalive).
By default we still send requests using HTTP/1.0.  This may be changed with
new proxy_http_version directive.
2011-09-15 19:23:20 +00:00
Maxim Dounin
f2fcf11b25 Protocol version parsing in ngx_http_parse_status_line().
Once we know protocol version, set u->headers_in.connection_close to indicate
implicitly assumed connection close with HTTP before 1.1.
2011-09-15 19:22:35 +00:00
Maxim Dounin
f84c69a301 Upstream: Connection header processing. 2011-09-15 19:21:19 +00:00
Maxim Dounin
4686f30a0c Upstream: Transfer-Encoding header processing. 2011-09-15 19:20:08 +00:00
Maxim Dounin
2da36b30c3 Keepalive support in fastcgi.
By default follow the old behaviour, i.e. FASTCGI_KEEP_CONN flag isn't set
in request and application is responsible for closing connection once request
is done.  To keep connections alive fastcgi_keep_conn must be activated.
2011-09-15 19:05:23 +00:00
Maxim Dounin
05552a23a2 Keepalive support in memcached. 2011-09-15 19:04:25 +00:00
Maxim Dounin
2d6be3fe93 Upstream: keepalive flag.
This patch introduces r->upstream->keepalive flag, which is set by protocol
handlers if connection to upstream is in good state and can be kept alive.
2011-09-15 19:03:15 +00:00
Maxim Dounin
a746bab7c1 Upstream: pipe length and input_filter_init in buffered mode.
As long as ngx_event_pipe() has more data read from upstream than specified
in p->length it's passed to input filter even if buffer isn't yet full.  This
allows to process data with known length without relying on connection close
to signal data end.

By default p->length is set to -1 in upstream module, i.e. end of data is
indicated by connection close.  To set it from per-protocol handlers upstream
input_filter_init() now called in buffered mode (as well as in
unbuffered mode).
2011-09-15 19:00:47 +00:00
Maxim Dounin
ffe4f11417 Upstream: r->upstream->length type change to off_t.
Previous use of size_t may cause wierd effects on 32bit platforms with certain
big responses transferred in unbuffered mode.

Nuke "if (size > u->length)" check as it's not usefull anyway (preread
body data isn't subject to this check) and now requires additional check
for u->length being positive.
2011-09-15 18:43:19 +00:00
Maxim Dounin
e19f005daf Upstream: content_length_n API change.
We no longer use r->headers_out.content_length_n as a primary source of
backend's response length.  Instead we parse response length to
u->headers_in.content_length_n and copy to r->headers_out.content_length_n
when needed.
2011-09-15 18:33:43 +00:00
Maxim Dounin
360ed25d65 Upstream: separate pool for peer connections.
This is required to support persistent https connections as various ssl
structures are allocated from connection's pool.
2011-09-15 18:21:24 +00:00
Maxim Dounin
c42c70f478 Workaround for cpu hog on errors with cached connections.
Just doing another connect isn't safe as peer.get() may expect peer.tries
to be strictly positive (this is the case e.g. with round robin with multiple
upstream servers).  Increment peer.tries to at least avoid cpu hog in
round robin balancer (with the patch alert will be seen instead).

This is not enough to fully address the problem though, hence TODO.  We
should be able to inform balancer that the error wasn't considered fatal
and it may make sense to retry the same peer.
2011-09-15 18:12:58 +00:00
Maxim Dounin
d7c2673d3f API change: ngx_chain_update_chains() now requires pool.
The ngx_chain_update_chains() needs pool to free chain links used for buffers
with non-matching tags.  Providing one helps to reduce memory consumption
for long-lived requests.
2011-09-15 16:03:17 +00:00
Maxim Dounin
a890b313f3 Buffers reuse in chunked filter.
There were 2 buffers allocated on each buffer chain sent through chunked
filter (one buffer for chunk size, another one for trailing CRLF, about
120 bytes in total on 32-bit platforms).  This resulted in large memory
consumption with long-lived requests sending many buffer chains.  Usual
example of problematic scenario is streaming though proxy with
proxy_buffering set to off.

Introduced buffers reuse reduces memory consumption in the above problematic
scenario.

See here for initial report:
http://mailman.nginx.org/pipermail/nginx/2010-April/019814.html
2011-09-15 15:25:42 +00:00
Igor Sysoev
57b4fdb6c8 MP4 co64 atom support added. 2011-09-15 13:23:03 +00:00
Igor Sysoev
c940f5fc99 Fix of struct field name. 2011-09-15 05:15:16 +00:00
Igor Sysoev
1fc9a8dec6 Style fix. 2011-09-14 15:26:11 +00:00
Igor Sysoev
acdac73688 Fixing building by gcc-4.7. 2011-09-14 15:25:46 +00:00
Igor Sysoev
4a383594fb Version bump. 2011-09-14 15:20:01 +00:00
Igor Sysoev
9c5d25179c Fix of the previous commit: is_directio flag processing introduced in r4077
is still worthwhile.
2011-09-14 14:28:55 +00:00
Igor Sysoev
7ffb73c6b7 Bugfix: open_file_cache did not update file info on retest.
If file inode was not changed, cached file information was not updated
on retest.  As a result stale information might be cached forever if file
attributes was changed and/or file was extended.

This fix also makes obsolete r4077 change of is_directio flag handling,
since this flag is updated together with other file information.
2011-09-14 14:12:35 +00:00
Igor Sysoev
2cc42b74c7 Skipping traks with unsupported media formats. 2011-09-14 14:04:41 +00:00
Igor Sysoev
dcea2ce7d1 Fix of case when start sample does not reside on chunk boundary. 2011-09-14 05:16:20 +00:00
Ruslan Ermilov
59efbc4bcb In Mac OS X Lion, Apple deprecated the use of the system OpenSSL library
in favour of their CommonCrypto library.  This change adds a work-around
that allows nginx to still be built on Lion with OpenSSL.
2011-09-13 09:18:43 +00:00
Igor Sysoev
f824fb47fe Fix of debug message format. 2011-09-12 15:15:00 +00:00
Igor Sysoev
d44855067d Fix of codec debug message. 2011-09-12 14:54:28 +00:00
Igor Sysoev
3d9ae84bf9 Fix of error message. 2011-09-12 14:46:06 +00:00
Igor Sysoev
7e8ee656a8 Fix of error message. 2011-09-12 13:06:22 +00:00
Igor Sysoev
e07a3577a9 mp4_max_moov_size directive has been renamed to mp4_max_buffer_size. 2011-09-12 09:38:04 +00:00
Igor Sysoev
b1c79a449e bugfix of r4086: nginx could not be built without debug log. 2011-09-09 11:56:49 +00:00
Igor Sysoev
5d01ac5af3 Bugfix of r4086: directio was always enabled if mp4 file was sent as is. 2011-09-09 11:13:55 +00:00
Igor Sysoev
dde4d7e300 ngx_http_mp4_module 2011-09-09 10:22:34 +00:00
Maxim Dounin
4f65a05d18 Bugfix: open_file_cache lost is_directio flag.
On file retest open_file_cache lost is_directio if file wasn't changed.
This caused unaligned operations under Linux to fail with EINVAL.
It wasn't noticeable with AIO though, as errors wasn't properly logged.
2011-09-05 16:36:19 +00:00
Igor Sysoev
3a73e50498 Version bump. 2011-09-05 16:26:51 +00:00
Maxim Dounin
bfbbfc85df Bugfix: read event was not blocked after reading body.
Read event should be blocked after reading body, else undefined behaviour
might occur on additional client activity.  This fixes segmentation faults
observed with proxy_ignore_client_abort set.
2011-09-05 12:43:31 +00:00
Maxim Dounin
82854d0d78 Proper setting of read->eof in pipe code.
Setting read->eof to 0 seems to be just a typo.  It appeared in
nginx-0.0.1-2003-10-28-18:45:41 import (r164), while identical code in
ngx_recv.c introduced in the same import do actually set read->eof to 1.

Failure to set read->eof to 1 results in EOF not being generally detectable
from connection flags.  On the other hand, kqueue won't report any read
events on such a connection since we use EV_CLEAR.  This resulted in read
timeouts if such connection was cached and used for another request.
2011-09-01 15:10:41 +00:00
Maxim Dounin
a9e3c65d22 Proper SSL shutdown handling.
If connection has unsent alerts, SSL_shutdown() tries to send them even
if SSL_set_shutdown(SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN) was used.
This can be prevented by SSL_set_quiet_shutdown().  SSL_set_shutdown()
is required nevertheless to preserve session.
2011-09-01 13:49:36 +00:00
Igor Sysoev
09be2f18c5 Now if client requests more ranges than "max_ranges" permits,
nginx disables ranges and returns just the source response.
2011-09-01 13:03:55 +00:00
Igor Sysoev
f560419c54 The "max_ranges" directive.
"max_ranges 0" disables ranges support at all,
"max_ranges 1" allows the single range, etc.
By default number of ranges is unlimited, to be precise, 2^31-1.
2011-08-31 09:40:55 +00:00
Igor Sysoev
e81c293289 Style fix: removal of tabs introduced in the previous commit. 2011-08-31 09:26:07 +00:00
Igor Sysoev
65b1592d02 *) fix of r4060: start value should be tested after the "found" label;
*) optimization: start value may be tested against end value only,
   since end value here may not be greater than content_length.
2011-08-30 20:34:58 +00:00
Igor Sysoev
1f3280bae2 Unsatisfiable range with start value greater than content length
was not properly skipped. The bug has been introduced in r4057.
2011-08-30 14:25:35 +00:00
Igor Sysoev
e766153451 ngx_http_range_parse() should be static. 2011-08-30 13:07:33 +00:00
Igor Sysoev
9162057731 Ranges processing small optimization. 2011-08-30 13:06:12 +00:00
Igor Sysoev
451df22b3f Now unsatisfiable ranges are processed according to RFC 2616. 2011-08-30 13:01:55 +00:00
Igor Sysoev
584703b84a Ranges processing small optimization. 2011-08-30 12:45:24 +00:00
Igor Sysoev
f2575bd878 Style fix. 2011-08-30 12:28:01 +00:00
Igor Sysoev
c2c3e3105f Now if total size of all ranges is greater than source response size,
then nginx disables ranges and returns just the source response.
This fix should not affect well-behaving applications but will defeat
DoS attempts exploiting malicious byte ranges.
2011-08-26 09:42:50 +00:00
Igor Sysoev
8b2bf08165 Cache size accounting fix: actual cache size on disk was less than
needed by sum of sizes of files loaded by worker processes themselves
while cache loader was running.

The bug has been introduced in r3900.
2011-08-25 17:29:34 +00:00
Maxim Dounin
fbc51e4c44 Better handling of various per-server ssl options with SNI.
SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0d and earlier).

As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them different for two servers
listening on the same socket.

Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.

Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+.  I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.
2011-08-23 14:36:31 +00:00
Igor Sysoev
631fa929d3 Version bump. 2011-08-23 14:22:34 +00:00
Igor Sysoev
566dfe0c7f SIGWINCH/NOACCEPT signal is disabled now in non-daemon mode.
Non-daemon mode is currently used by supervisord, daemontools and so on
or during debugging. The NOACCEPT signal is only used for online upgrade
which is not supported when nginx is run under supervisord, etc.,
so this change should not break existant setups.
2011-08-22 12:34:48 +00:00
Igor Sysoev
0d18687b03 The change in adaptive loader behaviour introduced in r3975:
now cache loader processes either as many files as specified by loader_files
or works no more than time specified by loader_threshold during each iteration.

loader_threshold was previously used to decrease loader_files or
to increase loader_timeout and this might eventually result in
downgrading loader_files to 1 and increasing loader_timeout to large values
causing loading cache for forever.
2011-08-22 10:16:49 +00:00
Maxim Dounin
de1a3e1e0c Fix buffer overrun under Windows. 2011-08-22 10:07:27 +00:00
Maxim Dounin
ec8186c733 Move SO_ACCEPTFILTER and TCP_DEFER_ACCEPT checks into configure.
NetBSD 5.0+ has SO_ACCEPTFILTER support merged from FreeBSD, and having
accept filter check in FreeBSD-specific ngx_freebsd_config.h prevents it
from being used on NetBSD.  Therefore move the check into configure (and
do the same for Linux-specific TCP_DEFER_ACCEPT, just to be in line).
2011-08-21 11:37:37 +00:00
Maxim Dounin
5a52d67a08 Fix ignored headers handling in fastcgi/scgi/uwsgi.
The bug had appeared in r3561 (fastcgi), r3638 (scgi), r3567 (uwsgi).
2011-08-19 20:11:39 +00:00
Maxim Dounin
65c32b255d Complain on invalid log levels.
Previously only first log level was required to be correct, while error_log
directive in fact accepts list of levels (e.g. one may specify "error_log ...
debug_core debug_http;").  This resulted in (avoidable) wierd behaviour on
missing semicolon after error_log directive, e.g.

    error_log /path/to/log info
    index index.php;

silently skipped index directive and it's arguments (trying to interpret
them as log levels without checking to be correct).
2011-08-18 21:48:13 +00:00
Maxim Dounin
b7fcb430c1 Upstream: properly allocate memory for tried flags.
Previous allocation only took into account number of non-backup servers, and
this caused memory corruption with many backup servers.

See report here:
http://mailman.nginx.org/pipermail/nginx/2011-May/026531.html
2011-08-18 17:04:52 +00:00
Maxim Dounin
624fbe94a2 Fixing cpu hog with all upstream servers marked "down".
The following configuration causes nginx to hog cpu due to infinite loop
in ngx_http_upstream_get_peer():

    upstream backend {
        server 127.0.0.1:8080 down;
        server 127.0.0.1:8080 down;
    }

    server {
       ...
       location / {
           proxy_pass http://backend;
       }
    }

Make sure we don't loop infinitely in ngx_http_upstream_get_peer() but stop
after resetting peer weights once.

Return 0 if we are stuck.  This is guaranteed to work as peer 0 always exists,
and eventually ngx_http_upstream_get_round_robin_peer() will do the right
thing falling back to backup servers or returning NGX_BUSY.
2011-08-18 16:52:38 +00:00
Maxim Dounin
9bc8fc4602 Fixing proxy_set_body and proxy_pass_request_body with SSL.
Flush flag wasn't set in constructed buffer and this prevented any data
from being actually sent to upstream due to SSL buffering.  Make sure
we always set flush in the last buffer we are going to sent.

See here for report:
http://nginx.org/pipermail/nginx-ru/2011-June/041552.html
2011-08-18 16:34:24 +00:00
Igor Sysoev
c4ff39ae2b Fix names of the referer hash size directives introduced in r3940. 2011-08-18 16:27:30 +00:00
Maxim Dounin
b09ceca261 Fix body with request_body_in_single_buf.
If there were preread data and request body was big enough first part
of the request body was duplicated.

See report here:
http://mailman.nginx.org/pipermail/nginx/2011-July/027756.html
2011-08-18 15:52:00 +00:00
Maxim Dounin
f48b451195 Correctly set body if it's preread and there are extra data.
Previously all available data was used as body, resulting in garbage after
real body e.g. in case of pipelined requests.  Make sure to use only as many
bytes as request's Content-Length specifies.
2011-08-18 15:27:57 +00:00
Igor Sysoev
de236d3a2c fix gzip quantity: "q=0." and "q=1." are valid values according to RFC 2011-08-05 08:51:29 +00:00
Igor Sysoev
48d17bca94 refactor gzip quantity introduced in r3981: it ignored "q=1.000" 2011-08-04 14:50:59 +00:00
Igor Sysoev
dfd81a23b2 A new fix for the case when ssl_session_cache defined, but ssl is not
enabled in any server. The previous r1033 does not help when unused zone
becomes used after reconfiguration, so it is backed out.

The initial thought was to make SSL modules independed from SSL implementation
and to keep OpenSSL code dependance as much as in separate files.
2011-08-04 11:12:30 +00:00
Igor Sysoev
c42be75569 removal of error message about %name log_format parameters,
they have been deleted long ago in 0.5.0-RELEASE
2011-08-03 16:01:36 +00:00
Igor Sysoev
7cce1cacaa fix typo introduced in r3985 2011-08-02 12:43:01 +00:00
Igor Sysoev
475a5dfcf1 bump version 2011-08-02 12:39:38 +00:00
Igor Sysoev
72a96bfdcb fix r3981 again for case "Accept-Encoding: gzip" 2011-08-01 14:38:09 +00:00
Igor Sysoev
21fd22d089 always set timer in discard body handler, this fixes the cases
when request for static file is redirected by error_page to an SSI page

patch by Maxim Dounin
2011-08-01 13:52:54 +00:00
Igor Sysoev
2505587b4d lingering_close "off|on|always"
patch by Maxim Dounin
2011-08-01 13:26:55 +00:00
Igor Sysoev
41c8a1d27f do not send RST on normal lingering close read timeout,
if reset_timedout_connection is on

patch by Maxim Dounin
2011-08-01 13:08:03 +00:00
Igor Sysoev
bd7dfe44c5 fix r3981 for case "Accept-Encoding: gzip" 2011-08-01 11:21:46 +00:00
Igor Sysoev
2f3668b59b enable lingering close for pipelined requests
patch by Maxim Dounin
2011-08-01 11:08:57 +00:00
Igor Sysoev
721f47ed3c Accept-Encoding refactoring: "gzip; q=0" support 2011-08-01 11:02:12 +00:00
Igor Sysoev
d743a2339e Accept-Encoding refactoring: test first the most common case "gzip," 2011-07-30 07:34:12 +00:00
Igor Sysoev
6652cc5962 Accept-Encoding refactoring: remove ancient MSIE 4.x test for gzip 2011-07-30 06:20:06 +00:00
Igor Sysoev
c9468026e7 test length of proxy_pass with variables
patch by Lanshun Zhou
2011-07-30 06:11:46 +00:00
Igor Sysoev
c2f852c260 update r3945 with more descriptive error message 2011-07-29 15:33:03 +00:00
Igor Sysoev
922f106582 loader_files, loader_sleep, and loader_threshold 2011-07-29 15:09:02 +00:00
Igor Sysoev
d5a25a4b97 set correct configuration file values while adding path
patch by Maxim Dounin
2011-07-25 10:22:38 +00:00
Igor Sysoev
1850ce09a1 rename ngx_http_file_cache_manager_sleep() to ngx_http_file_cache_loader_sleep()
and do not use it all in cache manager: this is a vestige of the times when
cache manager loaded cache
2011-07-25 09:45:00 +00:00
Igor Sysoev
d8ce166e2e do not close connection if cache file is too small: replace it with valid one 2011-07-24 20:04:47 +00:00
Igor Sysoev
c2cafadfa5 elimination of reading cache files by cache loader 2011-07-24 19:46:53 +00:00
Igor Sysoev
92161bac79 fix r3968 2011-07-24 19:43:52 +00:00
Igor Sysoev
6cb6fc4a09 update the previous commit:
removing dependencies on file uniq since WIN32_FIND_DATA has no such field
2011-07-24 17:36:26 +00:00
Igor Sysoev
c1250b6a49 The cache loader performs two tasks: inserting cache objects in inactivity
list and evaluating total cache size. Reading just directory is enough for
this purpose. Elimination of reading cache files saves at least one disk I/O
operation per file.

Preparation for elimination of reading cache files by cache loader:
removing dependencies on the reading:
*) cache node valid_sec and valid_msec are used only for caching errors;
*) upstream buffer size can be used instead of cache node body_start.
2011-07-24 16:47:31 +00:00
Igor Sysoev
bb389f6111 fuse two if's in one condition 2011-07-24 16:10:06 +00:00
Igor Sysoev
64d024605a style fix 2011-07-24 16:06:24 +00:00
Igor Sysoev
08b597592f do not try to reuse and save a SSL session for a peer created on the fly
by ngx_http_upstream_create_round_robin_peer(), since the peer lives
only during request so the saved SSL session will never be used again
and just causes memory leak

patch by Maxim Dounin
2011-07-22 16:30:17 +00:00
Igor Sysoev
a3741fb24d finalizing with rc == 0 in unbuffered proxy mode caused nginx to wait
for another send_timeout before actually closing client's connection
if client timed out while still talking to upstream server

patch by Maxim Dounin
2011-07-22 13:30:16 +00:00
Igor Sysoev
b0b6bcedfc fix SSL connection issues on platforms with 32-bit off_t
patch by Maxim Dounin
2011-07-22 12:53:04 +00:00
Igor Sysoev
a7ed0951e3 fix build by gcc46 with -Wunused-value option
patch by Maxim Dounin
2011-07-22 10:43:50 +00:00
Igor Sysoev
f39642a907 ECDHE support
patch by Adrian Kotelba
2011-07-20 15:42:40 +00:00
Igor Sysoev
e61ba26744 MSIE export versions are rare now, so RSA 512 key is generated on demand
and is shared among all hosts instead of pregenerating for every HTTPS host
on configuraiton phase. This decreases start time for configuration with
large number of HTTPS hosts.
2011-07-20 12:59:24 +00:00
Igor Sysoev
2551f4a55d bump version: 1.1.0 development version 2011-07-20 09:29:25 +00:00
Igor Sysoev
6c3c3bbe42 fix segfault if cache key is larger than upstream buffer size
patch by Lanshun Zhou
2011-07-19 11:24:16 +00:00
Igor Sysoev
82afb9cc86 $uid_reset 2011-07-19 11:21:50 +00:00