Commit Graph

2658 Commits

Author SHA1 Message Date
Maxim Dounin
c29837fc4d Request body: properly handle events while discarding body.
An attempt to call ngx_handle_read_event() before actually reading
data from a socket might result in read event being disabled, which is
wrong.  Catched by body.t test on Solaris.
2012-11-21 00:57:56 +00:00
Maxim Dounin
e1bd52041b Request body: fixed socket leak on errors.
The r->main->count reference counter was always incremented in
ngx_http_read_client_request_body(), while it is only needs to be
incremented on positive returns.
2012-11-21 00:57:16 +00:00
Maxim Dounin
5da61375cd Request body: code duplication reduced, no functional changes.
The r->request_body_in_file_only with empty body case is now handled in
ngx_http_write_request_body().
2012-11-21 00:55:50 +00:00
Maxim Dounin
743922a2ce Request body: $request_body variable generalization.
The $request_body variable was assuming there can't be more than two
buffers.  While this is currently true due to request body reading
implementation details, this is not a good thing to depend on and may
change in the future.
2012-11-21 00:55:06 +00:00
Maxim Dounin
ab5ac3b095 Request body: fixed "501 Not Implemented" error handling.
It is not about "Method" but a generic message, and is expected to be used
e.g. if specified Transfer-Encoding is not supported.  Fixed message to
match RFC 2616.

Additionally, disable keepalive on such errors as we won't be able to read
request body correctly if we don't understand Transfer-Encoding used.
2012-11-21 00:54:01 +00:00
Maxim Dounin
248bc41893 Dav: fixed segfault on PUT if body was already read (ticket #238).
If request body reading happens with different options it's possible
that there will be no r->request_body->temp_file available (or even
no r->request_body available if body was discarded).  Return internal
server error in this case instead of committing suicide by dereferencing
a null pointer.
2012-11-21 00:51:37 +00:00
Maxim Dounin
246cbd21ce Trailing whitespace fix. 2012-11-17 00:36:44 +00:00
Maxim Dounin
e1d5455a74 Upstream: better detection of connect() failures with kqueue.
Pending EOF might be reported on both read and write events, whichever
comes first, so check both of them.

Patch by Yichun Zhang (agentzh), slightly modified.
2012-11-16 18:29:19 +00:00
Ruslan Ermilov
4d0d2b20ac Upstream: honor the "down" flag for a single server.
If an upstream block was defined with the only server marked as
"down", e.g.

    upstream u {
        server 127.0.0.1:8080 down;
    }

an attempt was made to contact the server despite the "down" flag.
It is believed that immediate 502 response is better in such a
case, and it's also consistent with what is currently done in case
of multiple servers all marked as "down".
2012-11-16 12:18:05 +00:00
Ruslan Ermilov
b67dbca1ca Variables $request_time and $msec.
Log module counterparts are preserved for efficiency.
2012-11-16 09:37:14 +00:00
Ruslan Ermilov
5a1d76c9f2 Version bump. 2012-11-16 07:49:41 +00:00
Maxim Dounin
8e67fb4226 Event pipe: fixed handling of buf_to_file data.
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p->buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p->buf_to_file.

This fixes occasional cache file corruption, usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
2012-10-30 11:14:24 +00:00
Maxim Dounin
1e12e7fa1d Variables $connection and $connection_requests.
Log module counterparts are removed as they aren't used often and
there is no need to preserve them for efficiency.
2012-10-29 17:17:59 +00:00
Valentin Bartenev
09dca40b33 ngx_http_keepalive_handler() is now trying to not keep c->buffer's memory for
idle connections.

This behaviour is consistent with the ngx_http_set_keepalive() function and it
should decrease memory usage in some cases (especially if epoll/rtsig is used).
2012-10-23 14:36:18 +00:00
Maxim Dounin
27b7eb17d0 Gunzip: fixed r->gzip_ok check. 2012-10-18 14:27:40 +00:00
Maxim Dounin
0d7a7e91cf OCSP stapling: properly check if there is ssl.ctx.
This fixes segfault if stapling was enabled in a server without a certificate
configured (and hence no ssl.ctx).
2012-10-05 11:09:14 +00:00
Maxim Dounin
82989420ad Variable $bytes_sent.
It replicates variable $bytes_sent as previously available in log module
only.

Patch by Benjamin Grössing (with minor changes).
2012-10-03 15:25:36 +00:00
Maxim Dounin
a707811a31 Log: $apache_bytes_sent removed.
It was renamed to $body_bytes_sent in nginx 0.3.10 and the old name is
deprecated since then.
2012-10-03 15:25:06 +00:00
Maxim Dounin
c846871ce1 SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
2012-10-03 15:24:08 +00:00
Maxim Dounin
f8cc8969d5 Version bump. 2012-10-03 15:22:18 +00:00
Maxim Dounin
bec2cc5286 OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
2012-10-01 12:53:11 +00:00
Maxim Dounin
74ad4494a6 OCSP stapling: loading OCSP responses.
This includes the ssl_stapling_responder directive (defaults to OCSP
responder set in certificate's AIA extension).

OCSP response for a given certificate is requested once we get at least
one connection with certificate_status extension in ClientHello, and
certificate status won't be sent in the connection in question.  This due
to limitations in the OpenSSL API (certificate status callback is blocking).

Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't
allow to access the certificate loaded via SSL_CTX.
2012-10-01 12:47:55 +00:00
Maxim Dounin
85c920a0cd OCSP stapling: ssl_stapling_file support.
Very basic version without any OCSP responder query code, assuming valid
DER-encoded OCSP response is present in a ssl_stapling_file configured.

Such file might be produced with openssl like this:

openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
             -url http://ocsp.example.com
2012-10-01 12:41:08 +00:00
Maxim Dounin
3648ba7db8 OCSP stapling: ssl_trusted_certificate directive.
The directive allows to specify additional trusted Certificate Authority
certificates to be used during certificate verification.  In contrast to
ssl_client_certificate DNs of these cerificates aren't sent to a client
during handshake.

Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.

The same applies to a CRL (which is now always loaded).
2012-10-01 12:39:36 +00:00
Maxim Dounin
f4473147e5 Version bump. 2012-09-26 15:52:06 +00:00
Maxim Dounin
4b948b49aa Gunzip: removed nginx.h leftover include. 2012-09-11 01:13:23 +00:00
Maxim Dounin
90bd33e8eb Gunzip filter import. 2012-09-10 16:52:47 +00:00
Maxim Dounin
86aee85d2e Gzip static: "always" parameter in "gzip_static" directive.
With "always" gzip static returns gzipped content in all cases, without
checking if client supports it.  It is useful if there are no uncompressed
files on disk anyway.
2012-09-10 16:48:25 +00:00
Maxim Dounin
23a959615e Memcached: memcached_gzip_flag directive.
This directive allows to test desired flag as returned by memcached and
sets Content-Encoding to gzip if one found.

This is reimplementation of patch by Tomash Brechko as available on
http://openhack.ru/.  It should be a bit more correct though (at least
I think so).  In particular, it doesn't try to detect if we are able to
gunzip data, but instead just sets correct Content-Encoding.
2012-09-10 16:43:49 +00:00
Maxim Dounin
5867c81fe6 Write filter: replaced unneeded loop with one to free chains.
Noted by Gabor Lekeny.
2012-09-05 15:06:47 +00:00
Valentin Bartenev
605a0ab2e1 Limit req: fix of rbtree node insertion on hash collisions.
The rbtree used in ngx_http_limit_req_module has two level of keys, the top is
hash, and the next is the value string itself. However, when inserting a new
node, only hash has been set, while the value string has been left empty.

The bug was introduced in r4419 (1.1.14).

Found by Charles Chen.
2012-09-03 12:55:50 +00:00
Ruslan Ermilov
d469482cda Fixed strict aliasing bugs when dealing with IPv4-mapped IPv6 addresses
(closes #201).
2012-08-30 14:58:11 +00:00
Ruslan Ermilov
da4ffd8955 Fixed the "include" directive.
The "include" directive should be able to include multiple files if
given a filename mask.  Fixed this to work for "include" directives
inside the "map" or "types" blocks.  The "include" directive inside
the "geo" block is still not fixed.
2012-08-28 13:31:01 +00:00
Ruslan Ermilov
43f6163063 Version bump. 2012-08-27 14:21:41 +00:00
Andrey Belov
b69f284383 Mark logically dead code with corresponding comment.
Found by Coverity.
2012-08-17 15:35:50 +00:00
Maxim Dounin
572bca7b83 Mp4: removed restriction to avc1/mp4a formats (ticket #194). 2012-08-17 11:02:35 +00:00
Maxim Dounin
5425263436 Geo: fixed handling of ranges without default set.
The bug had appeared in 0.8.43 (r3653).  Patch by Weibin Yao.
2012-08-16 13:01:41 +00:00
Maxim Dounin
3587e2be23 Map: fixed optimization of variables as values.
Previous code incorrectly used ctx->var_values as an array of pointers to
ngx_http_variable_value_t, but the array contains structures, not pointers.
Additionally, ctx->var_values inspection failed to properly set var on
match.
2012-08-16 10:58:18 +00:00
Valentin Bartenev
86dd5bde45 Added three missing checks for NULL after ngx_array_push() calls.
Found by Coverity.
2012-08-08 12:03:46 +00:00
Maxim Dounin
beaed67996 Whitespace fix. 2012-08-03 09:00:25 +00:00
Ruslan Ermilov
15ab0460ce Version bump. 2012-07-31 21:47:56 +00:00
Ruslan Ermilov
deaf22d220 Core: ipv6only is now on by default.
There is a general consensus that this change results in better
consistency between different operating systems and differently
tuned operating systems.

Note: this changes the width and meaning of the ipv6only field
of the ngx_listening_t structure.  3rd party modules that create
their own listening sockets might need fixing.
2012-07-30 12:27:06 +00:00
Valentin Bartenev
9c8f3d86b4 ngx_http_find_virtual_server() should return NGX_DECLINED if virtual server not
found.
2012-07-30 11:42:03 +00:00
Maxim Dounin
21be49ae59 Upstream: hide_headers/pass_headers inheritance fix.
Hide headers and pass headers arrays might not be inherited correctly
into a nested location, e.g. in configuration like

    server {
        proxy_hide_header X-Foo;
        location / {
            location /nested/ {
                proxy_pass_header X-Pad;
            }
        }
    }

the X-Foo header wasn't hidden in the location /nested/.

Reported by Konstantin Svist,
http://mailman.nginx.org/pipermail/nginx-ru/2012-July/047555.html
2012-07-30 10:35:26 +00:00
Ruslan Ermilov
1c31039d1e Improved diagnostics when a directive is specified in the wrong context. 2012-07-29 19:59:06 +00:00
Ruslan Ermilov
45d2ae646b Slight optimization in ngx_http_upstream_add(): replaced an expression
known to be constant with the constant value.
2012-07-29 19:44:09 +00:00
Ruslan Ermilov
b163010872 ngx_http_upstream_add() should return NULL if an error occurs. 2012-07-29 19:38:25 +00:00
Ruslan Ermilov
1efcca36cc Fixed compilation with -Wmissing-prototypes. 2012-07-24 15:09:54 +00:00
Ruslan Ermilov
54ab41f27b Fixed debugging messages to account that limit_zone was renamed to limit_conn. 2012-07-20 08:21:59 +00:00
Ruslan Ermilov
1fd21c48bb Fixed sorting of listen addresses so that wildcard address is always at
the end (closes #187).  Failure to do so could result in several listen
sockets to be created instead of only one listening on wildcard address.

Reported by Roman Odaisky.
2012-07-17 04:47:34 +00:00
Ruslan Ermilov
e30a8f90fc Version bump. 2012-07-17 04:42:38 +00:00
Maxim Dounin
e3acbc6bbb Entity tags: empty etags handling in If-Range.
Entity tag may be of length 2 as per RFC 2616, i.e. double quotes only.
Pointed out by Ruslan Ermilov.
2012-07-09 17:04:37 +00:00
Maxim Dounin
1b77858ac5 Entity tags: the "etag" directive.
It allows to disable generation of nginx's own entity tags, while
still handling ETags in cache properly.  This may be useful e.g.
if one want to serve static files from servers with different ETag
generation algorithms.
2012-07-09 14:53:42 +00:00
Maxim Dounin
eb7c38a49a Entity tags: set for static respones. 2012-07-09 00:13:06 +00:00
Maxim Dounin
8b00c87c38 Entity tags: handling in add_header.
Notably this allows to clear ETag if one want to for some reason.
2012-07-07 21:24:01 +00:00
Maxim Dounin
c96c4196f3 Entity tags: clear on entity changes. 2012-07-07 21:22:27 +00:00
Maxim Dounin
9c17e4cb66 Entity tags: support in If-Range header. 2012-07-07 21:21:15 +00:00
Maxim Dounin
13eb6898aa Entity tags: basic support in not modified filter.
This includes handling of ETag headers (if present in a response) with
basic support for If-Match, If-None-Match conditionals in not modified
filter.

Note that the "r->headers_out.last_modified_time == -1" check in the not
modified filter is left as is intentionally.  It's to prevent handling
of If-* headers in case of proxy without cache (much like currently
done with If-Modified-Since).
2012-07-07 21:20:27 +00:00
Maxim Dounin
a9456d55ab Not modified filter: tests separated from actions.
This makes code more extendable.  The only functional change is when
If-Modified-Since and If-Unmodified-Since are specified together, the
case which is explicitly left undefined by RFC 2616.  The new behaviour
is to respect them both, which seems better.
2012-07-07 21:18:30 +00:00
Maxim Dounin
4199620461 Added Last-Modified parsing in add_header.
This allows to use last modified time set in If-Range checks.  Code
simplified to improve readability.
2012-07-07 21:16:51 +00:00
Maxim Dounin
63d7ab16ff Fixed If-Range with unknown last modified time.
If modification time isn't known, skip range processing and return full
entity body instead of just ignoring If-Range.  Ignoring If-Range isn't
safe as client will assume entity wasn't changed since time specified.
2012-07-07 21:16:21 +00:00
Andrey Belov
3d87bcf9ae Corrected $request_length calculation for pipelined requests. 2012-07-06 04:27:06 +00:00
Maxim Dounin
3484e6d21c Reset r->uri_changed in a named location (ticket #184). 2012-07-03 11:30:05 +00:00
Ruslan Ermilov
f9c03b49eb map: strip final dot before looking up in a map of hostnames.
(closes #182)
2012-06-29 20:33:26 +00:00
Ruslan Ermilov
56cb80834c Version bump. 2012-06-29 11:03:01 +00:00
Maxim Dounin
a83578384c Mp4: fixed build on win32 after r4689. 2012-06-26 12:31:40 +00:00
Ruslan Ermilov
8c861f06c8 Fixed a harmless error in spelling of "Connection: close" when computing
the response header length.
2012-06-25 13:08:25 +00:00
Ruslan Ermilov
42444811b9 Fixed compile-time conditionals used to detect if X-Forwarded-For support
is needed.
2012-06-21 11:02:22 +00:00
Ruslan Ermilov
36a931aba6 Added IPv6 support to ip_hash. 2012-06-19 12:36:54 +00:00
Maxim Dounin
29844cd55c Upstream keepalive: "single" parameter deprecated.
The original idea was to optimize edge cases in case of interchangeable
backends, i.e. don't establish a new connection if we have any one
cached.  This causes more harm than good though, as it screws up
underlying balancer's idea about backends used and may result in
various unexpected problems.
2012-06-18 14:23:42 +00:00
Maxim Dounin
859dc4ce01 Mp4: fixed streaming if moov atom is at buffer edge. 2012-06-18 14:02:20 +00:00
Maxim Dounin
e1e2e2eb3a Mp4: fixed non-keyframe seeks in some cases (ticket #175).
Number of entries in stsc atom was wrong if we've added an entry to
split a chunk.

Additionally, there is no need to add an entry if we are going to split
last chunk in an entry, it's enough to update the entry we already have.
Previously new entry was added and old one was left as is, resulting in
incorrect entry with zero chunks which might confuse some software.
2012-06-18 14:01:18 +00:00
Andrey Belov
0cf52376fb Style fix. 2012-06-18 13:51:20 +00:00
Andrey Belov
e91b210b56 New core variable: $status.
Contains response status code as a 3-digit integer
(with leading zeroes if necessary), or one of the following values:

    000 - response status code has not yet been assigned
    009 - HTTP/0.9 request is being processed
2012-06-18 13:43:44 +00:00
Ruslan Ermilov
b9feaa8dd9 Version bump. 2012-06-18 11:07:44 +00:00
Ruslan Ermilov
d4353c6fd3 Fixed spelling of "endianness", and called it "byte ordering" in the
user visible part.
2012-06-08 09:41:55 +00:00
Maxim Dounin
0d7720ddc0 Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".

For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
2012-06-05 13:38:27 +00:00
Maxim Dounin
f83598a359 Win32: normalization of trailing dot inside uri.
Windows treats "/directory./" identical to "/directory/".  Do the same
when working on Windows.  Note that the behaviour is different from one
with last path component (where multiple spaces and dots are ignored by
Windows).
2012-06-05 13:37:29 +00:00
Maxim Dounin
4888969baa Upstream: least_conn compilation fixes.
Removed duplicate call of ngx_http_upstream_init_round_robin_peer()
overlooked during code changes.  Rewritten "return lcp->free_rr_peer(...)"
as MSVC doesn't like it.
2012-06-04 00:00:28 +00:00
Maxim Dounin
1ba6ecd4f3 Upstream: weights support in ip_hash balancer. 2012-06-03 23:22:41 +00:00
Maxim Dounin
4cb4e8d179 Upstream: least_conn balancer module. 2012-06-03 23:21:26 +00:00
Valentin Bartenev
d8ec4910ce Fixed returned value handling from the cookie rewrite handler.
If the "proxy_cookie_domain" or "proxy_cookie_path" directive is used and there
are no matches in Set-Cookie header then ngx_http_proxy_rewrite_cookie() returns
NGX_DECLINED to indicate that the header was not rewritten. Returning this value
further from the upstream headers copy handler resulted in 500 error response.

See here for report:
http://mailman.nginx.org/pipermail/nginx/2012-May/033858.html
2012-05-30 12:30:03 +00:00
Ruslan Ermilov
94d8df6098 geoip: got rid of ugly casts when calling ngx_free().
This is done by removing the "const" qualifier from the common return
type of handler functions returning either "const char *" or "char *".
2012-05-29 09:19:51 +00:00
Ruslan Ermilov
49fbd88466 Fixed broken build. 2012-05-28 14:20:04 +00:00
Ruslan Ermilov
9fbd0d7c1d Fixed memory leak if $geoip_org variable was used.
Patch by Denis F. Latypoff (slightly modified).
2012-05-28 13:17:48 +00:00
Ruslan Ermilov
526fd681b5 Fixed the reuse of parsed DTDs and XSLTs.
Patch by Kuramoto Eiji.
2012-05-24 07:35:12 +00:00
Maxim Dounin
a272b2da28 Fixed warning during nginx.xs compilation. 2012-05-23 10:36:12 +00:00
Maxim Dounin
34229e9d4d Fixed core variables dynamic access after reconfiguration.
If variable was indexed in previous configuration but not in current
one, the NGX_HTTP_VAR_INDEXED flag was left set and confused
ngx_http_get_variable().

Patch by Yichun Zhang (agentzh), slightly modified.
2012-05-17 18:10:34 +00:00
Maxim Dounin
d2143f11cb Fixed segfault with filter_finalize introduced in r4621 (1.3.0).
Example configuration to reproduce:

    location /image/ {
        error_page 415 = /zero;
        image_filter crop 100 100;
        proxy_pass http://127.0.0.1:8080;
        proxy_store on;
    }

    location /zero {
        return 204;
    }

The problem appeared if upstream returned (big enough) non-image file,
causing 415 to be generated by image filter.
2012-05-17 17:41:40 +00:00
Ruslan Ermilov
1b4397443f Zero padded the returned and logged HTTP status code, and fixed possible
buffer overrun in $status handling.
2012-05-16 13:27:04 +00:00
Ruslan Ermilov
befc111d4f Capped the status code that may be returned with "return" and "try_files". 2012-05-16 13:22:03 +00:00
Ruslan Ermilov
10c205a1b3 Added syntax checking of the second parameter of the "split_clients" directive. 2012-05-16 13:14:53 +00:00
Ruslan Ermilov
6888516b2b Version bump. 2012-05-16 13:09:39 +00:00
Ruslan Ermilov
e3bb319e34 Fixed win32 build after changes in r4624. 2012-05-15 08:10:59 +00:00
Ruslan Ermilov
9a79c3431a Reverted previous attempt to fix complation warning introduced in
r4624 and actually fixed it.
2012-05-14 15:52:37 +00:00
Ruslan Ermilov
d4ba06c31a geoip: trusted proxies support and partial IPv6 support.
The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module.  Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive.  IPv6 is
partially supported: proxies may be specified with IPv6 addresses.

Example:
    geoip_country .../GeoIP.dat;
    geoip_proxy 127.0.0.1;
    geoip_proxy ::1;
    geoip_proxy 10.0.0.0/8;
    geoip_proxy_recursive on;
2012-05-14 14:00:17 +00:00
Ruslan Ermilov
69521ddebf geo: chains of trusted proxies and partial IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "proxy_recursive"
directive in the "geo" block.  It also gets partial IPv6 support:
now proxies may be specified with IPv6 addresses.

Example:
    geo $test {
        ...
        proxy 127.0.0.1;
        proxy ::1;
        proxy_recursive;
    }

There's also a slight change in behavior.  When original client
address (as specified by the "geo" directive) is one of the
trusted proxies, and the value of the X-Forwarded-For request
header cannot not be parsed as a valid address, an original client
address will be used for lookup.  Previously, 255.255.255.255 was
used in this case.
2012-05-14 13:53:22 +00:00
Ruslan Ermilov
11a8e26d29 Fixed compilation warning introduced in r4624. 2012-05-14 13:15:22 +00:00
Ruslan Ermilov
7627530b50 realip: chains of trusted proxies and IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2).  It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.

Example:
    real_ip_header X-Forwarded-For;
    set_real_ip_from 127.0.0.0/8;
    set_real_ip_from ::1;
    set_real_ip_from unix:;
    real_ip_recursive on;
2012-05-14 12:41:03 +00:00
Ruslan Ermilov
8e5dc474e5 New function ngx_http_get_forwarded_addr() to look up real client address.
On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search.  On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED.  It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.
2012-05-14 12:27:41 +00:00
Maxim Dounin
4d5759e098 Upstream: fixed ip_hash rebalancing with the "down" flag.
Due to weight being set to 0 for down peers, order of peers after sorting
wasn't the same as without the "down" flag (with down peers at the end),
resulting in client rebalancing for clients on other servers.  The only
rebalancing which should happen after adding "down" to a server is one
for clients on the server.

The problem was introduced in r1377 (which fixed endless loop by setting
weight to 0 for down servers).  The loop is no longer possible with new
smooth algorithm, so preserving original weight is safe.
2012-05-14 09:58:07 +00:00
Maxim Dounin
52327e0627 Upstream: smooth weighted round-robin balancing.
For edge case weights like { 5, 1, 1 } we now produce { a, a, b, a, c, a, a }
sequence instead of { c, b, a, a, a, a, a } produced previously.

Algorithm is as follows: on each peer selection we increase current_weight
of each eligible peer by its weight, select peer with greatest current_weight
and reduce its current_weight by total number of weight points distributed
among peers.

In case of { 5, 1, 1 } weights this gives the following sequence of
current_weight's:

     a  b  c
     0  0  0  (initial state)

     5  1  1  (a selected)
    -2  1  1

     3  2  2  (a selected)
    -4  2  2

     1  3  3  (b selected)
     1 -4  3

     6 -3  4  (a selected)
    -1 -3  4

     4 -2  5  (c selected)
     4 -2 -2

     9 -1 -1  (a selected)
     2 -1 -1

     7  0  0  (a selected)
     0  0  0

To preserve weight reduction in case of failures the effective_weight
variable was introduced, which usually matches peer's weight, but is
reduced temporarily on peer failures.

This change also fixes loop with backup servers and proxy_next_upstream
http_404 (ticket #47), and skipping alive upstreams in some cases if there
are multiple dead ones (ticket #64).
2012-05-14 09:57:20 +00:00
Maxim Dounin
e302ed6fc3 Fixed possible request hang with filter finalization.
With r->filter_finalize set the ngx_http_finalize_connection() wasn't
called from ngx_http_finalize_request() called with NGX_OK, resulting in
r->main->count not being decremented, thus causing request hang in some
rare situations.

See here for more details:
http://mailman.nginx.org/pipermail/nginx-devel/2012-May/002190.html

Patch by Yichun Zhang (agentzh).
2012-05-14 09:48:05 +00:00
Maxim Dounin
74d939974d Rewrite: fixed escaping and possible segfault (ticket #162).
The following code resulted in incorrect escaping of uri and possible
segfault:

    location / {
        rewrite ^(.*) $1?c=$1;
        return 200 "$uri";
    }

If there were arguments in a rewrite's replacement string, and length was
actually calculated (due to duplicate captures as in the example above,
or variables present), the is_args flag was set and incorrectly copied
after length calculation.  This resulted in escaping applied to the uri part
of the replacement, resulting in incorrect escaping.  Additionally, buffer
was allocated without escaping expected, thus this also resulted in buffer
overrun and possible segfault.
2012-05-11 13:19:22 +00:00
Maxim Dounin
9114f08863 Fastcgi: fixed padding handling on fixed-size records.
Padding was incorrectly ignored on end request, empty stdout and stderr
fastcgi records.  This resulted in protocol desynchronization if fastcgi
application used these records with padding for some reason.

Reported by Ilia Vinokurov.
2012-05-11 13:14:58 +00:00
Maxim Dounin
b34f84d8de Added r->state reset on fastcgi/scgi/uwsgi request start.
Failing to do so results in problems if 400 or 414 requests are
redirected to fastcgi/scgi/uwsgi upstream, as well as after invalid
headers got from upstream.  This was already fixed for proxy in r3478,
but fastcgi (the only affected protocol at that time) was missed.

Reported by Matthieu Tourne.
2012-05-11 13:09:24 +00:00
Maxim Dounin
e0e1c4567c Added write event handler reset in ngx_http_named_location().
On internal redirects this happens via ngx_http_handler() call, which is
not called on named location redirect.  As a result incorrect write handler
remained (if previously set) and this might cause incorrect behaviour (likely
request hang).

Patch by Yichun Zhang (agentzh).
2012-05-04 11:35:22 +00:00
Valentin Bartenev
a0025f2d81 Removed surplus condition. 2012-04-27 10:48:42 +00:00
Andrey Belov
eeec229e3e Allows particular modules to handle subrequests properly. 2012-04-26 13:06:27 +00:00
Maxim Dounin
6ad02389c3 Version bump. 2012-04-26 11:20:29 +00:00
Maxim Dounin
d68dd358e1 Version bump. 2012-04-23 12:54:14 +00:00
Maxim Dounin
c7bb162ffe Proxy: added ctx checking to input filters.
The proxy module context may be NULL in case of filter finalization
(e.g. by image_filter) followed by an internal redirect.  This needs
some better handling, but for now just check if ctx is still here.
2012-04-23 10:40:01 +00:00
Maxim Dounin
8b89c882ce Image filter: compare aspect ratio more accurately during crop.
Previously used fixed-point calculation caused wrong code path selection
in some cases, resulting in incorrect image size.

See here for report:
http://mailman.nginx.org/pipermail/nginx-devel/2012-April/002123.html
2012-04-21 19:02:21 +00:00
Maxim Dounin
e8fe3ce098 Fixed segfault with try_files (ticket #152).
The problem occured if first uri in try_files was shorter than request uri,
resulting in reserve being 0 and hence allocation skipped.  The bug was
introduced in r4584 (1.1.19).
2012-04-19 15:48:03 +00:00
Maxim Dounin
9e2f86cfc0 Fixed log->action after ssl handshake. 2012-04-16 13:05:20 +00:00
Ruslan Ermilov
43d2b1c045 Fixed grammar in error messages. 2012-04-12 19:35:41 +00:00
Maxim Dounin
e6724ebe54 Version bump. 2012-04-12 16:34:59 +00:00
Maxim Dounin
7ae525bd90 Mp4: sanity checks cleanup. 2012-04-12 12:18:14 +00:00
Ruslan Ermilov
3f25e12517 Fixed buffer overflow when long URI is processed by "try_files" in
regex location with "alias" (fixes ticket #135).
2012-04-12 09:19:14 +00:00
Ruslan Ermilov
62b937b333 Fixed directives inheritance. 2012-04-11 09:56:30 +00:00
Maxim Dounin
b9c226abe0 Access module: fixed inheritance of allow/deny ipv6 rules.
Previous (incorrect) behaviour was to inherit ipv6 rules separately from
ipv4 ones.  Now all rules are either inherited (if there are no rules
defined at current level) or not (if there are any rules defined).
2012-04-10 13:25:53 +00:00
Igor Sysoev
3ef52765c8 Fixed debug logging. 2012-04-10 11:28:59 +00:00
Igor Sysoev
654a56e06a Fixed previous commit. 2012-04-10 11:27:43 +00:00
Igor Sysoev
cbc51bb295 Fixed mp4 module seek. 2012-04-10 11:21:47 +00:00
Ruslan Ermilov
47a04aaa27 Fixed spelling in multiline C comments. 2012-04-03 07:37:31 +00:00
Maxim Dounin
a5d4f66ad6 Upstream: reject upstreams without normal servers.
Such upstreams cause CPU hog later in the code as number of peers isn't
expected to be 0.  Currently this may happen either if there are only backup
servers defined in an upstream block, or if server with ipv6 address used
in an upstream block.
2012-04-02 21:29:35 +00:00
Maxim Dounin
525e1f75e4 Version bump. 2012-04-02 21:28:31 +00:00
Ruslan Ermilov
b4ab3ddf9d Corrected spelling of error message (ticket #136). 2012-03-29 19:47:27 +00:00
Ruslan Ermilov
feda353cb3 Replaced ngx_http_realip_from_t with ngx_in_cidr_t. 2012-03-28 09:29:09 +00:00
Ruslan Ermilov
52fcfd042e Fixed calculation of range boundaries. 2012-03-28 06:50:23 +00:00
Maxim Dounin
5d5c866bee Xslt: parser options now set with xmlCtxtUseOptions().
Note that "ctxt->loadsubset = 1" previously used isn't really correct as
ctxt->loadsubset is a bitfield now.  The use of xmlCtxtUseOptions() with
XML_PARSE_DTDLOAD is believed to be a better way to do the same thing.

Patch by Laurence Rowe.
2012-03-28 01:56:49 +00:00
Maxim Dounin
36aef0c383 Fixed unconditional MAX_PATH usage (ticket #22).
POSIX doesn't require it to be defined, and Debian GNU/Hurd doesn't define
it.  Note that if there is no MAX_PATH defined we have to use realpath()
with NULL argument and free() the result.
2012-03-27 16:42:34 +00:00
Maxim Dounin
1aa5fbb1a8 Added xslt_param and xslt_string_param directives.
Based on patch by Samuel Behan.
2012-03-22 10:44:00 +00:00
Maxim Dounin
3333c6c7c8 Fixed off-by-one in xslt parameter parsing.
The problem was introduced in 0.7.44 (r2589) during conversion to complex
values.  Previously string.len included space for terminating NUL, but
with complex values it doesn't.
2012-03-22 10:43:33 +00:00
Maxim Dounin
ae11f08cad Restricted keepalive_disable safari to OS X only.
The problem doesn't affect non-Apple systems for sure, and many pretend
to be Safari now.

Prodded by Piotr Sikora.
2012-03-22 10:42:27 +00:00
Maxim Dounin
dc863179a3 Removed safari from keepalive_disable default.
The bug in question is likely already fixed (though unfortunately we have
no information available as Apple's bugtracker isn't open), and the
workaround seems to be too pessimistic for modern versions of Safari
as well as other webkit-based browsers pretending to be Safari.
2012-03-22 10:41:29 +00:00
Ruslan Ermilov
d4b1e5f58b If we inserted "Last-Modified" in r->headers_out.headers, don't
forget to set the r->headers_out.last_modified pointer to it.
2012-03-21 07:35:43 +00:00
Ruslan Ermilov
89467caf43 Minor ngx_http_headers_filter_module.c code cleanup.
- Removed "hash" element from ngx_http_header_val_t which was always 1.
- Replaced NGX_HTTP_EXPIRES_* with ngx_http_expires_t enum type.
- Added prototype for ngx_http_add_header()
- Simplified ngx_http_set_last_modified().
2012-03-21 06:19:11 +00:00
Maxim Konovalov
acf6c79ac7 For the sake of case/switch code readability, 'fall through'
comments added.
2012-03-19 14:57:29 +00:00
Ruslan Ermilov
926ded6f4c Implemented $tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd, and
$tcpinfo_rcv_space variables.  Supported on Linux and FreeBSD.
2012-03-16 19:15:33 +00:00
Ruslan Ermilov
5d1d368cf4 Local variable "ngx_http_next_filter" renamed to "ngx_http_next_body_filter"
for consistency with other modules.
2012-03-15 20:08:58 +00:00
Ruslan Ermilov
849e3b09ae The "error_log" directive specified in the "http", "server", and
"location" sections now understands the special "stderr" parameter.
It was already treated specially when specified in the main section.
2012-03-15 20:04:50 +00:00
Ruslan Ermilov
091f6ffce6 Slight optimization in ngx_http_get_variable_index(). 2012-03-15 19:41:35 +00:00
Ruslan Ermilov
06733ae8cf - New variable: $connection_requests.
- While here, fixed format specifier for $connection.
2012-03-15 19:37:32 +00:00
Maxim Dounin
d694ff7798 Version bump. 2012-03-15 17:43:54 +00:00
Maxim Dounin
d1ed97b18b Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems.  They are now unconditionally rejected.
2012-03-15 11:27:57 +00:00
Maxim Dounin
eb526b7d7d Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.

Reported by Matthew Daley.
2012-03-15 11:27:12 +00:00
Maxim Dounin
030e235ec7 Fixed ssi and perl interaction.
Embedded perl module assumes there is a space for terminating NUL character,
make sure to provide it in all situations by allocating one extra byte for
value buffer.  Default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.

While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.

Reported by Matthew Daley.
2012-03-15 11:23:07 +00:00
Maxim Dounin
205394e6f9 Uwsgi: merged r->http_version fixes from scgi module.
Fixed incorrect use of r->http_version (r4372).  Removed duplicate function
declaration (r4373).  Removed error if there is no Status header (r4374).
2012-03-15 11:21:54 +00:00
Maxim Dounin
ee187436af Whitespace fixes. 2012-03-05 18:09:06 +00:00
Maxim Dounin
382499aa1f Version bump. 2012-03-05 18:06:15 +00:00
Maxim Dounin
a95c85e78a Raised simultaneous subrequest limit from 50 to 200.
It wasn't enforced for a long time, and there are reports that people
use up to 100 simultaneous subrequests now.  As this is a safety limit
to prevent loops, it's raised accordingly.
2012-02-28 14:54:23 +00:00
Ruslan Ermilov
b74f8ffce4 Fixed spelling in single-line comments. 2012-02-28 11:31:05 +00:00
Maxim Dounin
7ca6c1ff78 Fix of rbtree lookup on hash collisions.
Previous code incorrectly assumed that nodes with identical keys are linked
together.  This might not be true after tree rebalance.

Patch by Lanshun Zhou.
2012-02-27 22:15:39 +00:00
Valentin Bartenev
5c95f88503 Disable symlinks: added the "from=" parameter to the "disable_symlinks"
directive.
2012-02-27 16:54:10 +00:00
Valentin Bartenev
0e05ca0404 Disable symlinks: initialization of the "disable_symlinks" field in
ngx_open_file_info_t moved to a separate function.

This is preparation for the "from=" parameter implementation of the
"disable_symlinks" directive.
2012-02-27 16:51:28 +00:00
Ruslan Ermilov
1c57fb8790 Added support for the 307 Temporary Redirect. 2012-02-27 11:43:40 +00:00
Ruslan Ermilov
09422e632f Renamed constants and fixed off-by-one error in "msie_padding on" handling. 2012-02-22 16:23:29 +00:00
Maxim Dounin
3c00e341ea Version bump. 2012-02-20 19:12:48 +00:00
Andrey Belov
8ce8f6667f Support for disable_symlinks in various modules. 2012-02-13 16:32:21 +00:00
Andrey Belov
bd1e719bf9 Added disable_symlinks directive.
To completely disable symlinks (disable_symlinks on)
we use openat(O_NOFOLLOW) for each path component
to avoid races.

To allow symlinks with the same owner (disable_symlinks if_not_owner),
use openat() (followed by fstat()) and fstatat(AT_SYMLINK_NOFOLLOW),
and then compare uids between fstat() and fstatat().

As there is a race between openat() and fstatat() we don't
know if openat() in fact opened symlink or not.  Therefore,
we have to compare uids even if fstatat() reports the opened
component isn't a symlink (as we don't know whether it was
symlink during openat() or not).

Default value is off, i.e. symlinks are allowed.
2012-02-13 16:29:04 +00:00
Maxim Dounin
9f38b20db5 Time parsing cleanup.
Nuke NGX_PARSE_LARGE_TIME, it's not used since 0.6.30.  The only error
ngx_parse_time() can currently return is NGX_ERROR, check it explicitly
and make sure to cast it to appropriate type (either time_t or ngx_msec_t)
to avoid signedness warnings on platforms with unsigned time_t (notably QNX).
2012-02-13 15:41:11 +00:00
Maxim Dounin
8cb7134f49 Fixed build with embedded perl and --with-openssl. 2012-02-13 15:38:48 +00:00
Maxim Dounin
7dff998495 Core: protection from cycles with named locations and post_action.
Now redirects to named locations are counted against normal uri changes
limit, and post_action respects this limit as well.  As a result at least
the following (bad) configurations no longer trigger infinite cycles:

1. Post action which recursively triggers post action:

    location / {
        post_action /index.html;
    }

2. Post action pointing to nonexistent named location:

    location / {
        post_action @nonexistent;
    }

3. Recursive error page for 500 (Internal Server Error) pointing to
   a nonexistent named location:

    location / {
        recursive_error_pages on;
        error_page 500 @nonexistent;
        return 500;
    }
2012-02-13 15:35:48 +00:00
Maxim Dounin
1b0ad6ee72 Core: protection from subrequest loops.
Without the protection, subrequest loop results in r->count overflow and
SIGSEGV.  Protection was broken in 0.7.25.

Note that this also limits number of parallel subrequests.  This
wasn't exactly the case before 0.7.25 as local subrequests were
completed directly.

See here for details:
http://nginx.org/pipermail/nginx-ru/2010-February/032184.html
2012-02-13 15:33:08 +00:00
Maxim Dounin
947fc03ca3 Variables: honor no_cacheable for not_found variables.
Variables with the "not_found" flag set follow the same rules as ones with
the "valid" flag set.  Make sure ngx_http_get_flushed_variable() will flush
non-cacheable variables with the "not_found" flag set.

This fixes at least one known problem with $args not available in a subrequest
(with args) when there were no args in the main request and $args variable was
queried in the main request (reported by Laurence Rowe aka elro on irc).

Also this eliminates unneeded call to ngx_http_get_indexed_variable() in
cacheable case (as it will return cached value anyway).
2012-02-13 15:31:07 +00:00
Maxim Dounin
01c133cda4 Fix for proxy_store leaving temporary files for subrequests.
Temporary files might not be removed if the "proxy_store" or "fastcgi_store"
directives were used for subrequests (e.g. ssi includes) and client closed
connection prematurely.

Non-active subrequests are finalized out of the control of the upstream
module when client closes a connection.  As a result, the code to remove
unfinished temporary files in ngx_http_upstream_process_request() wasn't
executed.

Fix is to move relevant code into ngx_http_upstream_finalize_request() which
is called in all cases, either directly or via the cleanup handler.
2012-02-13 15:28:19 +00:00
Maxim Dounin
71ce7a13ed Gzip filter: handling of empty flush buffers.
Empty flush buffers are legitimate and may happen e.g. due to $r->flush()
calls in embedded perl.  If there are no data buffered in zlib, deflate()
will return Z_BUF_ERROR (i.e. no progress possible) without adding anything
to output.  Don't treat Z_BUF_ERROR as fatal and correctly send empty flush
buffer if we have no data in output at all.

See this thread for details:
http://mailman.nginx.org/pipermail/nginx/2010-November/023693.html
2012-02-13 15:23:43 +00:00
Maxim Dounin
37c6228d43 Removed r->cache/r->cached dependencies in range filter.
This is a layering violation, use correct offset calculations instead.
2012-02-13 15:20:49 +00:00
Valentin Bartenev
a113cb3543 Proxy: added the "proxy_cookie_path" directive. 2012-02-13 11:08:05 +00:00
Valentin Bartenev
e9df2d6f46 Proxy: added the "proxy_cookie_domain" directive. 2012-02-13 11:04:45 +00:00
Valentin Bartenev
b3e3b2e75a Upstream: added callback hook for the "Set-Cookie" header.
No functional changes.
2012-02-13 11:01:58 +00:00
Valentin Bartenev
85551e58fe Proxy: generic regex related code from the "proxy_redirect" directive moved
to a separate function.

No functional changes.
2012-02-13 11:00:08 +00:00
Valentin Bartenev
7c611aa186 Proxy: generic rewrite code from the "proxy_redirect" handlers moved to a
separate function with trivial optimization.

No functional changes.
2012-02-13 10:56:09 +00:00
Valentin Bartenev
582dac116d Proxy: renamed some "proxy_redirect" related declarations to a more general and
reusable.

No functional changes.
2012-02-13 10:42:44 +00:00
Maxim Dounin
060b92451b Upstream: fixed "too big header" check.
If header filter postponed processing of a header by returning NGX_AGAIN
and not moved u->buffer->pos, previous check incorrectly assumed there
is additional space and did another recv() with zero-size buffer.  This
resulted in "upstream prematurely closed connection" error instead
of correct "upstream sent too big header" one.

Patch by Feibo Li.
2012-02-10 14:31:04 +00:00
Valentin Bartenev
9e8708cbd6 Limit conn: returned to the old behavior of using the first actual limit on
the way.

It was unintentionally changed in r4272, so that it could only limit the first
location where the processing of the request has reached PREACCESS phase.
2012-02-10 10:48:58 +00:00
Valentin Bartenev
e35ff2a08c Fixed module name in comment. It was forgotten in r4281. 2012-02-10 09:56:37 +00:00
Maxim Dounin
0f3d6715e7 Version bump. 2012-02-09 16:18:02 +00:00
Maxim Dounin
11cc9dac44 Limit req: unbreak compilation with MSVC. 2012-01-30 13:19:25 +00:00
Valentin Bartenev
3feafa765f Fixed proxy_redirect off inheritance.
Example configuration to reproduce:

  server {
      proxy_redirect off;

      location / {
          proxy_pass http://localhost:8000;
          proxy_redirect http://localhost:8000/ /;

          location ~ \.php$ {
              proxy_pass http://localhost:8000;
              # proxy_redirect must be inherited from the level above,
              # but instead it was switched off here
          }
      }
  }
2012-01-30 11:22:56 +00:00
Valentin Bartenev
b06200f3dc Limit req: support for multiple "limit_req" limits. 2012-01-30 10:17:56 +00:00
Valentin Bartenev
73d0b6a721 Limit req: number of cleanup calls reduced.
Doing a cleanup before every lookup seems to be too aggressive. It can lead to
premature removal of the nodes still usable, which increases the amount of work
under a mutex lock and therefore decreases performance.

In order to improve cleanup behavior, cleanup function call has been moved right
before the allocation of a new node.
2012-01-30 10:01:39 +00:00
Valentin Bartenev
8dab3b5a39 Limit req: allocation and initialization of a new node moved to the lookup
function.

No functional changes.
2012-01-30 09:41:49 +00:00
Valentin Bartenev
5f5205ba87 Limit req: improved error handling when parsing "zone" parameter of
"limit_req_zone" directive; minimum size of zone is increased.

Previously an unsigned variable was used to keep the return value of
ngx_parse_size() function, which led to an incorrect zone size if NGX_ERROR
was returned.

The new code has been taken from the "limit_conn_zone" directive.
2012-01-30 09:26:08 +00:00
Valentin Bartenev
d4dbf6ad59 Limit req: error messages fixed. 2012-01-30 09:02:29 +00:00
Maxim Dounin
b3e461e63c Fixed AIO error handling on FreeBSD.
The aio_return() must be called regardless of the error returned by
aio_error().  Not calling it resulted in various problems up to segmentation
faults (as AIO events are level-triggered and were reported again and again).

Additionally, in "aio sendfile" case r->blocked was incremented in case of
error returned from ngx_file_aio_read(), thus causing request hangs.
2012-01-30 07:39:47 +00:00
Maxim Konovalov
f8d59e33f3 Copyright updated. 2012-01-18 15:07:43 +00:00
Maxim Konovalov
8e1ef760da Version bump. 2012-01-18 15:04:17 +00:00
Maxim Dounin
9572920af0 Fixed handling of mp4 above 2G and 32bit offsets (ticket #84). 2012-01-16 11:03:27 +00:00
Maxim Dounin
2c55914a9f Fixed proxy_cache_use_stale in "no live upstreams" case. 2012-01-16 11:01:52 +00:00
Maxim Dounin
4efcbce328 Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1
(-beta1 was recently released).  This change makes it possible to disable
these protocols and/or enable them without other protocols.
2012-01-11 11:15:00 +00:00
Maxim Dounin
f2ef9db230 Fixed limit_req burst/nodelay inheritance (ticket #76).
The problem was introduced in r4381 (1.1.12).
2012-01-11 11:09:05 +00:00
Valentin Bartenev
b8ef9d9255 Fixed: proxy_redirect with regex might broke Refresh header.
The problem was localized in ngx_http_proxy_rewrite_redirect_regex() handler
function which did not take into account prefix when overwriting header value.
2012-01-10 15:09:45 +00:00
Maxim Dounin
11f09dd07d Version bump. 2011-12-27 11:56:48 +00:00
Maxim Dounin
947bdfa7fe Fixed build without debug. 2011-12-26 11:33:11 +00:00
Maxim Dounin
da8a43dee9 Cache lock support for fastcgi, scgi, uwsgi. 2011-12-26 11:16:19 +00:00
Maxim Dounin
822fe46934 Cache locks initial implementation.
New directives: proxy_cache_lock on/off, proxy_cache_lock_timeout.  With
proxy_cache_lock set to on, only one request will be allowed to go to
upstream for a particular cache item.  Others will wait for a response
to appear in cache (or cache lock released) up to proxy_cache_lock_timeout.

Waiting requests will recheck if they have cached response ready (or are
allowed to run) every 500ms.

Note: we intentionally don't intercept NGX_DECLINED possibly returned by
ngx_http_file_cache_read().  This needs more work (possibly safe, but needs
further investigation).  Anyway, it's exceptional situation.

Note: probably there should be a way to disable caching of responses
if there is already one request fetching resource to cache (without waiting
at all).  Two possible ways include another cache lock option ("no_cache")
or using proxy_no_cache with some supplied variable.

Note: probably there should be a way to lock updating requests as well.  For
now "proxy_cache_use_stale updating" is available.
2011-12-26 11:15:23 +00:00
Maxim Dounin
0c88994a03 Fixed interaction of limit_rate and sendfile_max_chunk.
It's possible that configured limit_rate will permit more bytes per
single operation than sendfile_max_chunk.  To protect disk from takeover
by a single client it is necessary to apply sendfile_max_chunk as a limit
regardless of configured limit_rate.

See here for report (in Russian):
http://mailman.nginx.org/pipermail/nginx-ru/2010-March/032806.html
2011-12-26 10:51:24 +00:00
Maxim Dounin
41a77d183c Fixed throughput problems with large limit_rate.
Previous attempt to fix this was in r1658 (0.6.18), though that one wasn't
enough (it was a noop).
2011-12-26 10:49:57 +00:00
Maxim Dounin
6a56732e98 Fixed mp4 if first entry in stsc was skipped (ticket #72).
If first entry in stsc atom was skipped, and seek was to chunk boundary,
than first_chunk in the generated stsc table wasn't set to 1.
2011-12-26 10:49:03 +00:00
Valentin Bartenev
b65597ecd5 SSI: added regex captures support in the expression of the "if" command. 2011-12-25 20:08:37 +00:00
Valentin Bartenev
39f01e526f Fixed limit_conn_log_level/limit_req_log_level inheritance.
The directives did not work if there were no limit_conn/limit_req specified on
the same level.
2011-12-25 19:32:31 +00:00
Maxim Dounin
aa4492612b Proxy: made proxy_pass with variables more consistent.
If proxy_pass was used with variables and there was no URI component,
nginx always used unparsed URI.  This isn't consistent with "no variables"
case, where e.g. rewrites are applied even if there is no URI component.

Fix is to use the same logic in both cases, i.e. only use unparsed URI if
it's valid and request is the main one.
2011-12-23 16:04:09 +00:00
Maxim Dounin
d79f4523f8 Added clearing of r->valid_unparsed_uri on internal redirects.
This resolves issue with try_files (see ticket #70), configuration like

   location / { try_files $uri /index.php; }
   location /index.php { proxy_pass http://backend; }

caused nginx to use original request uri in a request to a backend.

Historically, not clearing of the r->valid_unparsed_uri on internal redirect
was a feature: it allowed to pass the same request to (another) upstream
server via error_page redirection.  Since then named locations appeared
though, and it's time to start resetting r->valid_unparsed_uri on internal
redirects.  Configurations still using this feature should be converted
to use named locations instead.

Patch by Lanshun Zhou.
2011-12-19 14:11:48 +00:00
Valentin Bartenev
c5968a998c SSI bugfix: the "if" command did not work inside the "block" command and
produced parsing errors.
2011-12-19 13:28:22 +00:00
Maxim Dounin
8a85ab8e20 Scgi: removed error if there is no Status header.
The SCGI specification doesn't specify format of the response, and assuming
CGI specs should be used there is no reason to complain.  RFC 3875
explicitly states that "A Status header field is optional, and status
200 'OK' is assumed if it is omitted".
2011-12-19 11:25:40 +00:00
Maxim Dounin
32e2038026 Scgi: removed duplicate function declaration. 2011-12-19 11:24:32 +00:00
Maxim Dounin
4d1e32d9d8 Fixed incorrect use of r->http_version in scgi module.
The r->http_version is a version of client's request, and modules must
not set it unless they are really willing to downgrade protocol version
used for a response (i.e. to HTTP/0.9 if no response headers are available).
In neither case r->http_version may be upgraded.

The former code downgraded response from HTTP/1.1 to HTTP/1.0 for no reason,
causing various problems (see ticket #66).  It was also possible that
HTTP/0.9 requests were upgraded to HTTP/1.0.
2011-12-19 11:23:16 +00:00
Maxim Dounin
afb7f22c03 Version bump. 2011-12-19 11:21:46 +00:00
Maxim Dounin
614a7ef18d Cache: only complain on long locked entries.
There have been multiple reports of cases where a real locked entry was
removed, resulting in a segmentation fault later in a worker which locked
the entry.  It looks like default inactive timeout isn't enough in real
life.

For now just ignore such locked entries, and move them to the top of the
inactive queue to allow processing of other entries.
2011-12-12 10:49:14 +00:00
Maxim Dounin
64a9f70092 Cache: handling of cache files with long headers.
There are two possible situations which can lead to this: response was
cached with bigger proxy_buffer_size value (and nginx was restared since
then, i.e. shared memory zone content was lost), or due to the race in
the cache update code (see [1]) we've end up with fcn->body_start from
a different response stored in shared memory zone.

[1] http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001287.html
2011-12-12 10:47:48 +00:00
Maxim Dounin
b839e6febb Cache: obsolete code removed.
The ngx_http_cache() and ngx_http_no_cache_set_slot() functions were replaced
by ngx_http_test_predicates() and ngx_http_set_predicate_slot() in 0.8.46 and
no longer used since then.
2011-12-12 10:46:43 +00:00
Ruslan Ermilov
f28b7e8ef3 Renamed some constants to improve readability, no functional changes. 2011-12-12 10:45:05 +00:00
Valentin Bartenev
0be9554bda Proxy: added variables and regexp support to the first parameter of
the "proxy_redirect" directive.
2011-12-12 09:02:29 +00:00
Valentin Bartenev
8d3ef1a3b3 Fixed: some of $sent_http_* variables may contain header entries that actually
haven't been sent to a client.

The ngx_http_variable_headers() and ngx_http_variable_unknown_header() functions
did not ignore response header entries with zero "hash" field.

Thanks to Yichun Zhang (agentzh).
2011-12-09 16:17:12 +00:00
Valentin Bartenev
247332a1e2 Added the $https variable. 2011-12-09 14:38:11 +00:00
Valentin Bartenev
df54c36d90 SCGI: added "if_not_empty" flag support to the "scgi_param" directive. 2011-12-09 14:03:06 +00:00
Valentin Bartenev
582b5319b7 uwsgi: added "if_not_empty" flag support to the "uwsgi_param" directive. 2011-12-09 13:47:04 +00:00
Valentin Bartenev
a826eb6720 FastCGI: added "if_not_empty" flag support to the "fastcgi_param" directive. 2011-12-09 13:32:51 +00:00
Valentin Bartenev
50546b26d9 Added the ngx_http_upstream_param_set_slot(). 2011-12-09 13:19:57 +00:00
Ruslan Ermilov
59a2b77039 - Improved error message when parsing of the "buffer" parameter of the
"access_log" directive fails.

- Added a warning if "log_format" is used in contexts other than "http".
2011-12-06 21:07:10 +00:00
Maxim Dounin
8618370487 Fix for read_head with try_files and open_file_cache.
The of.read_ahead wasn't set in try_files code path, causing read_ahead
directive to be a nop if try_files and open_file_cache were used.
2011-12-06 13:23:37 +00:00
Maxim Dounin
08f2256b29 Version bump. 2011-12-06 13:22:32 +00:00
Valentin Bartenev
92edf47ff9 Added the "so_keepalive=" parameter to the "listen" directive.
The "so_keepalive" directive in mail module was deprecated.

Thanks to Vsevolod Stakhov for initial work.
2011-12-05 08:06:15 +00:00
Maxim Dounin
b99492595c Version bump. 2011-11-29 17:25:31 +00:00
Maxim Dounin
1d13c0dd34 Allowed add_header for proxied 206 replies.
It was working for nginx's own 206 replies as they are seen as 200 in the
headers filter module (range filter goes later in the headers filter chain),
but not for proxied replies.
2011-11-28 10:00:47 +00:00
Valentin Bartenev
1373558163 Added support for IP-literal in the Host header and request line (ticket #1).
Additional parsing logic added to correctly handle RFC 3986 compliant IPv6 and
IPvFuture characters enclosed in square brackets.

The host validation was completely rewritten. The behavior for non IP literals
was changed in a more proper and safer way:

 - Host part is now delimited either by the first colon or by the end of string
   if there's no colon. Previously the last colon was used as delimiter which
   allowed substitution of a port number in the $host variable.
   (e.g. Host: 127.0.0.1:9000:80)

 - Fixed stripping of the ending dot in the Host header when the host was also
   followed by a port number.
   (e.g. Host: nginx.com.:80)

 - Fixed upper case characters detection. Previously it was broken which led to
   wasting memory and CPU.
2011-11-28 09:15:33 +00:00
Ruslan Ermilov
1e5f239170 Fixed "rotate" to always work when combined with "resize/crop". 2011-11-23 10:22:44 +00:00
Ruslan Ermilov
ca2cce23cc Cosmetics. 2011-11-23 10:16:30 +00:00
Igor Sysoev
79df789b47 Fix of mp4 module seeking. 2011-11-23 07:22:15 +00:00
Maxim Dounin
0560ae55bc Fixed segfault on ssl servers without cert with SNI (ticket #54).
Non-default servers may not have ssl context created if there are no
certificate defined.  Make sure to check if ssl context present before
using it.
2011-11-22 16:27:45 +00:00
Ruslan Ermilov
1725621e8a Fixed "keepalive_disable".
Patch by Alexander Usov.  The bug has been introduced in r4267.
2011-11-21 07:31:59 +00:00
Maxim Dounin
e0c1a63028 Upstream: don't cache unfinished responses.
Check if received data length match Content-Length header (if present),
don't cache response if no match found.  This prevents caching of corrupted
response in case of premature connection close by upstream.
2011-11-18 15:09:08 +00:00
Maxim Dounin
5eef168a22 Fixed flv header to match specification.
Used "\x5" in 5th byte to claim presence of both audio and video.  Used
previous tag size 0 in the beginning of the flv body (bytes 10 .. 13) as
required by specification (see http://www.adobe.com/devnet/f4v.html).

Patch by Piotr Sikora.
2011-11-18 14:41:01 +00:00
Valentin Bartenev
963315aca0 Fixed incorrect counting the length of headers in a SCGI request. 2011-11-16 12:51:27 +00:00
Maxim Dounin
2fd9b49334 Version bump. 2011-11-15 20:33:37 +00:00
Igor Sysoev
dd4490c4e4 Fix of "Content-Length" header of MP4 response if start argument was used.
Patch by Piotr Sikora.
2011-11-14 14:42:48 +00:00
Valentin Bartenev
255e20ad21 Renamed ngx_http_limit_zone_module to ngx_http_limit_conn_module. 2011-11-14 14:04:42 +00:00
Maxim Dounin
030523dff0 Fixed fastcgi/scgi/uwsgi_param inheritance.
The following problems were fixed:

1. Directive fastcgi_cache affected headers sent to backends in unrelated
   servers / locations (see ticket #45).

2. If-Unmodified-Since, If-Match and If-Range headers were sent to backends
   if fastcgi_cache was used.

3. Cache-related headers were sent to backends if there were no fastcgi_param
   directives and fastcgi_cache was used at server level.
2011-11-14 13:26:18 +00:00
Maxim Dounin
ca01f46103 Separate functions to merge fastcgi/scgi/uwsgi params.
No functional changes.
2011-11-14 13:24:43 +00:00
Maxim Dounin
86a851907b Fixed Upgrade header clearing with proxy_cache.
This was missed in proxy HTTP/1.1 support commit (r4127).
2011-11-14 13:21:10 +00:00
Maxim Dounin
962727b259 Fixed proxy_set_header inheritance with proxy_set_body. 2011-11-14 13:19:56 +00:00
Maxim Dounin
b5984de06b Fixed proxy_set_header inheritance with proxy_cache (ticket #45).
Headers cleared with cache enabled (If-Modified-Since etc.) might be cleared
in unrelated servers/locations without proxy_cache enabled if proxy_cache was
used in some server/location.

Example config which triggered the problem:

    proxy_set_header X-Test "test";
    server { location /1 { proxy_cache name; proxy_pass ... } }
    server { location /2 { proxy_pass ... } }

Another one:

    server {
        proxy_cache name;
        location /1 { proxy_pass ... }
        location /2 { proxy_cache off; proxy_pass ... }
    }

In both cases If-Modified-Since header wasn't sent to backend in location /2.

Fix is to not modify conf->headers_source, but instead merge user-supplied
headers from conf->headers_source and default headers (either cache or not)
into separate headers_merged array.
2011-11-14 13:18:15 +00:00
Sergey Budnevitch
66a60a62cc Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse. 2011-11-14 09:12:15 +00:00
Valentin Bartenev
1dbd331849 Limit zone: added the "limit_conn_zone" directive.
It supersedes old "limit_zone" directive (deprecated accordingly) and uses
syntax consistent with the "limit_req_zone" directive.
2011-11-10 16:25:08 +00:00
Valentin Bartenev
aaf5a5772f Limit zone: support for multiple "limit_conn" limits. 2011-11-10 16:08:13 +00:00
Valentin Bartenev
54660dcf74 Limit zone: rbtree lookup moved to a separate function.
No functional changes.
2011-11-10 15:51:55 +00:00
Ruslan Ermilov
2f37fbc8f9 Changed error message to be more appropriate in the imaginary
"open_file_cache max=0" case.
2011-11-10 09:13:09 +00:00
Igor Sysoev
d0bcad3445 Fix of "keepalive_disable" directive. 2011-11-08 13:48:23 +00:00
Igor Sysoev
a8963fbbcf The "image_filter_sharpen" directive. 2011-11-08 13:17:14 +00:00
Igor Sysoev
ff2bee1fa9 Ancient incomplete ngx_http_status_module removal. 2011-11-01 15:16:28 +00:00
Igor Sysoev
0d03a44aab Version bump. 2011-11-01 15:10:46 +00:00
Maxim Dounin
ca495238bd Fixed segfault on configuration testing with ssl (ticket #37).
The following config caused segmentation fault due to conf->file not
being properly set if "ssl on" was inherited from the http level:

http {
    ssl on;
    server {
    }
}
2011-10-31 09:57:14 +00:00
Igor Sysoev
620718102b Support of several servers in the "resolver" directive.
Patch by Kirill A. Korinskiy.
2011-10-24 16:09:05 +00:00
Maxim Dounin
b167c46ca2 Fixed "expires @time" with unknown last modified time (ticket #32). 2011-10-17 17:32:08 +00:00
Maxim Dounin
81b43370d5 Fixed "expires @00h". 2011-10-17 17:30:18 +00:00
Igor Sysoev
6242f77617 Version bump. 2011-10-17 15:39:59 +00:00
Maxim Dounin
31f5a59fae Added clearing of modules' contexts in ngx_http_named_location().
Patch by Yichun Zhang (agentzh).
2011-10-15 21:42:03 +00:00
Igor Sysoev
d51bcf6f63 Skipping location rewrite phase for server null location. 2011-10-13 12:43:22 +00:00
Maxim Dounin
b713e480ca Better recheck of dead upstream servers.
Previously nginx used to mark backend again as live as soon as fail_timeout
passes (10s by default) since last failure.  On the other hand, detecting
dead backend takes up to 60s (proxy_connect_timeout) in typical situation
"backend is down and doesn't respond to any packets".  This resulted in
suboptimal behaviour in the above situation (up to 23% of requests were
directed to dead backend with default settings).

More detailed description of the problem may be found here (in Russian):
http://mailman.nginx.org/pipermail/nginx-ru/2011-August/042172.html

Fix is to only allow one request after fail_timeout passes, and
mark backend as "live" only if this request succeeds.

Note that with new code backend will not be marked "live" unless "check"
request is completed, and this may take a while in some specific workloads
(e.g. streaming).  This is believed to be acceptable.
2011-10-12 14:22:48 +00:00
Maxim Dounin
72df0f400a Clear old Location header (if any) while adding a new one.
This prevents incorrect behaviour when another redirect is issued within
error_page 302 handler.
2011-10-12 13:28:03 +00:00
Maxim Dounin
8650c1eb24 Wording fix, "many data" is incorrect.
Noted by Piotr Sikora.
2011-10-12 13:24:59 +00:00
Ruslan Ermilov
fc55962698 Fixed two minor bugs in "types" parsing code. 2011-10-12 09:36:21 +00:00
Ruslan Ermilov
b5c3336e3e Fixed grammar in a comment. 2011-10-12 09:34:53 +00:00
Ruslan Ermilov
dce7a0c00f Replaced magic constants representing default values of some directives
with appropriate #define's.
2011-10-12 09:33:43 +00:00
Ruslan Ermilov
51a2423633 Stylistic change in checking the boolean expression. 2011-10-12 09:27:34 +00:00
Igor Sysoev
bfe7be45b8 Preallocating exact number of default MIME types entries. 2011-10-12 09:19:57 +00:00
Ruslan Ermilov
c8fdda4c2f Removed old warning that suggested to use "server_name_in_redirect off"
(now the default) in place of no longer supported "server_name *".
2011-10-12 07:20:20 +00:00
Maxim Dounin
b8203e46a0 Additional headers for proxy/fastcgi/uwsgi/scgi_ignore_headers.
Now the following headers may be ignored as well: X-Accel-Limit-Rate,
X-Accel-Buffering, X-Accel-Charset.
2011-10-11 18:10:49 +00:00
Maxim Dounin
012e6b6378 Handling of Content-Encoding set from perl.
This fixes double gzipping in case of gzip filter being enabled while perl
returns already gzipped response.
2011-10-11 18:01:38 +00:00
Maxim Dounin
0f5f4cb180 Fix for socket leak with "aio sendfile" and "limit_rate".
Second aio post happened when timer set by limit_rate expired while we have
aio request in flight, resulting in "second aio post" alert and socket leak.

The patch adds actual protection from aio calls with r->aio already set to
aio sendfile code in ngx_http_copy_filter().  This should fix other cases
as well, e.g. when sending buffered to disk upstream replies while still
talking to upstream.

The ngx_http_writer() is also fixed to handle the above case (though it's
mostly optimization now).

Reported by Oleksandr V. Typlyns'kyi.
2011-10-11 18:00:23 +00:00
Maxim Dounin
b7af402cc4 Fix for connection drops with AIO.
Connections serving content with AIO to fast clients were dropped with
"client timed out" messages after send_timeout from response start.
2011-10-11 17:58:51 +00:00
Maxim Dounin
5cc1fb1d5b Autoindex: escape html in file names. 2011-10-11 17:57:41 +00:00
Maxim Dounin
6226fe3512 Autoindex: escape '?' in file names.
For files with '?' in their names autoindex generated links with '?' not
escaped.  This resulted in effectively truncated links as '?' indicates
query string start.

This is an updated version of the patch originally posted at [1].  It
introduces generic NGX_ESCAPE_URI_COMPONENT which escapes everything but
unreserved characters as per RFC 3986.  This approach also renders unneeded
special colon processing (as colon is percent-encoded now), it's dropped
accordingly.

[1] http://nginx.org/pipermail/nginx-devel/2010-February/000112.html

Reported by Konstantin Leonov.
2011-10-11 17:56:51 +00:00
Maxim Dounin
e3d6c5a33c Improved access log escaping to better protect other software.
Some character sets (notably ISO-8859-1) have C1 control characters in
upper half, make sure to escape them.

Reported by Jesus Olmos Gonzalez.
2011-10-11 17:54:38 +00:00
Igor Sysoev
0d19f020ba Fixing directive name in error message if types hash size is not enough. 2011-10-11 11:11:44 +00:00
Igor Sysoev
840ef3980c Fixing mp4 module seeking on 32-bit platforms. 2011-10-11 10:12:44 +00:00
Ruslan Ermilov
2fdb547f3a Fixed macro name. 2011-10-10 08:38:28 +00:00
Igor Sysoev
3f34960fde Version bump. 2011-10-07 10:41:13 +00:00
Ruslan Ermilov
6e86fb02d6 Tweaked error messages. 2011-10-07 07:57:24 +00:00
Igor Sysoev
ab0078a4c8 Version bump. 2011-10-05 13:13:25 +00:00
Maxim Dounin
20139ff13a Fixed cache bypass caching of non-cacheable replies (ticket #21).
If cache was bypassed with proxy_cache_bypass, cache-controlling headers
(Cache-Control, Expires) wasn't considered and response was cached even
if it was actually non-cacheable.

Patch by John Ferlito.
2011-10-05 10:14:21 +00:00
Maxim Dounin
3aba768855 Added uwsgi_buffering and scgi_buffering directives.
Patch by Peter Smit.
2011-09-30 11:53:27 +00:00
Igor Sysoev
f3ae6a6102 Using strtod() instead of atofp() to support a lot of digits after dot in
"start" parameter value.
2011-09-30 09:18:28 +00:00
Igor Sysoev
a40e7eed30 Fix of building on platforms with 32-bit off_t. (closed #23) 2011-09-29 15:19:36 +00:00
Maxim Dounin
5cc90f309d Fixed segmentation fault with empty config on Windows.
See here for report:
http://mailman.nginx.org/pipermail/nginx-ru/2011-September/043288.html
2011-09-27 12:07:09 +00:00
Maxim Dounin
554768dabb Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993). 2011-09-27 12:06:07 +00:00
Maxim Dounin
886c6295ee Better handling of late upstream creation.
Configuration with duplicate upstream blocks defined after first use, i.e.
like

    server {
        ...
        location / {
            proxy_pass http://backend;
        }
    }

    upstream backend { ... }
    upstream backend { ... }

now correctly results in "duplicate upstream" error.

Additionally, upstream blocks defined after first use now handle various
server directive parameters ("weight", "max_fails", etc.).  Previously
configuration like

    server {
        ...
        location / {
            proxy_pass http://backend;
        }
    }

    upstream backend {
        server 127.0.0.1 max_fails=5;
    }

incorrectly resulted in "invalid parameter "max_fails=5"" error.
2011-09-27 11:18:51 +00:00
Maxim Dounin
b16918ed08 Cache: fix for sending of stale responses.
For normal cached responses ngx_http_cache_send() sends last buffer and then
request finalized via ngx_http_finalize_request() call, i.e. everything is
ok.

But for stale responses (i.e. when upstream died, but we have something in
cache) the same ngx_http_cache_send() sends last buffer, but then in
ngx_http_upstream_finalize_request() another last buffer is send.  This
causes duplicate final chunk to appear if chunked encoding is used (and
resulting problems with keepalive connections and so on).

Fix this by not sending in ngx_http_upstream_finalize_request()
another last buffer if we know response was from cache.
2011-09-27 11:17:11 +00:00
Maxim Dounin
84c58a30e6 Cache: fix for sending of empty responses.
Revert wrong fix for empty responses introduced in 0.8.31 and apply new one,
rewritten to match things done by static module as close as possible.
2011-09-27 11:15:35 +00:00
Maxim Dounin
4a3884ae56 Incorrect special case for "return 204" removed.
The special case in question leads to replies without body in
configuration like

    location / { error_page 404 /zero; return 404; }
    location /zero { return 204; }

while replies with empty body are expected per protocol specs.

Correct one will look like

    if (status == NGX_HTTP_NO_CONTENT) {

        rc = ngx_http_send_header(r);

        if (rc == NGX_ERROR || r->header_only) {
            return rc;
        }

        return ngx_http_send_special(r, NGX_HTTP_LAST);
    }

though it looks like it's better to drop this special case at all.
2011-09-27 11:14:02 +00:00
Maxim Dounin
77ca973d11 Fix for "return 202" not discarding body.
Big POST (not fully preread) to a

    location / {
        return 202;
    }

resulted in incorrect behaviour due to "return" code path not calling
ngx_http_discard_request_body().  The same applies to all "return" used
with 2xx/3xx codes except 201 and 204, and to all "return ... text" uses.

Fix is to add ngx_http_discard_request_body() call to ngx_http_send_response()
function where it looks appropriate.  Discard body call from emtpy gif module
removed as it's now redundant.

Reported by Pyry Hakulinen, see
http://mailman.nginx.org/pipermail/nginx/2011-August/028503.html
2011-09-27 11:13:00 +00:00
Maxim Dounin
ad5ef15e08 Fix for double content when return is used in error_page handler.
Test case:

   location / {
       error_page 405 /nope;
       return 405;
   }

   location /nope {
       return 200;
   }

This is expected to return 405 with empty body, but in 0.8.42+ will return
builtin 405 error page as well (though not counted in Content-Length, thus
breaking protocol).

Fix is to use status provided by rewrite script execution in case
it's less than NGX_HTTP_BAD_REQUEST even if r->error_status set.  This
check is in line with one in ngx_http_script_return_code().

Note that this patch also changes behaviour for "return 302 ..." and
"rewrite ... redirect" used as error handler.  E.g.

    location / {
        error_page 405 /redirect;
        return 405;
    }

    location /redirect {
        rewrite ^ http://example.com/;
    }

will actually return redirect to "http://example.com/" instead of builtin 405
error page with meaningless Location header.  This looks like correct change
and it's in line with what happens on e.g. directory redirects in error
handlers.
2011-09-27 11:11:30 +00:00
Maxim Dounin
bfb42ad97c Fix for incorrect 201 replies from dav module.
Replies with 201 code contain body, and we should clearly indicate it's
empty if it's empty.  Before 0.8.32 chunked was explicitly disabled for
201 replies and as a result empty body was indicated by connection close
(not perfect, but worked).  Since 0.8.32 chunked is enabled, and this
causes incorrect responses from dav module when HTTP/1.1 is used: with
"Transfer-Encoding: chunked" but no chunks at all.

Fix is to actually return empty body in special response handler instead
of abusing r->header_only flag.

See here for initial report:
http://mailman.nginx.org/pipermail/nginx-ru/2010-October/037535.html
2011-09-27 11:09:55 +00:00
Maxim Dounin
5c56f20ae7 Proxy: logging levels tuned, double logging fixed. 2011-09-25 20:04:20 +00:00
Maxim Dounin
aa12f3c7f3 Proxy: whitespaces after chunk size allowed.
Whitespaces after chunk size seems to be be allowed by the "implied *LWS" rule
and emitted by some servers.
2011-09-25 20:03:27 +00:00
Maxim Dounin
28b001f897 Upstream: clearing of u->peer.connection on close.
This fixes crashes observed with some 3rd party balancer modules.  Standard
balancer modules (round-robin and ip hash) explicitly set pc->connection
(aka u->peer.connection) to NULL and aren't affected.
2011-09-25 20:00:36 +00:00
Ruslan Ermilov
b1565cf96b Fixed error message. 2011-09-23 20:15:27 +00:00
Maxim Dounin
afe2e3d082 Fix of separate pool for upstream connections (r4117).
Pool may not be created if connection was created but rejected in connect()
call.  Make sure to check if it is here before trying to destroy it.
2011-09-20 10:00:46 +00:00