Commit Graph

7799 Commits

Author SHA1 Message Date
Ruslan Ermilov
366f131c38 Slab: simplified some math.
No functional changes.
2016-12-07 22:25:37 +03:00
Ruslan Ermilov
12abb66c41 Slab: simplified allocation from slots.
Removed code that would cause an endless loop, and removed condition
check that is always false.  The first page in the slot list is
guaranteed to satisfy an allocation.
2016-12-07 22:25:37 +03:00
Ruslan Ermilov
16de9fc3b5 Slab: fixed the number of pages calculation.
When estimating the number of pages, do not count memory for slots.
In some cases this gives one extra usable memory page.
2016-12-07 22:25:37 +03:00
Ruslan Ermilov
4cf89436d1 Slab: added comment about list heads. 2016-12-07 22:25:37 +03:00
Ruslan Ermilov
86f846a8bb Slab: improved code readability.
No functional changes.
2016-12-07 22:25:37 +03:00
Maxim Dounin
23946be384 Core: fixed environment on exit.
On exit environment allocated from a pool is no longer available, leading
to a segmentation fault if, for example, a library tries to use it from
an atexit() handler.

Fix is to allocate environment via ngx_alloc() instead, and explicitly
free it using a pool cleanup handler if it's no longer used (e.g., on
configuration reload).
2016-12-07 19:03:31 +03:00
Maxim Dounin
0a90c428b8 Perl: removed special environment handling for the perl module.
In Perl 5.8.6 the default was switched to use putenv() when used as
embedded library unless "PL_use_safe_putenv = 0" is explicitly used
in the code.  Therefore, for modern versions of Perl it is no longer
necessary to restore previous environment when calling perl_destruct().
2016-12-07 19:03:26 +03:00
Maxim Dounin
408e49fed6 Perl: added PERL_SET_INTERP().
For Perl compiled with threads, without PERL_SET_INTERP() the PL_curinterp
remains set to the first interpreter created (that is, one created at
original start).  As a result after a reload Perl thinks that operations
are done withing a thread, and, most notably, denies to change environment.

For example, the following code properly works on original start,
but fails after a reload:

    perl 'sub {
        my $r = shift;

        $r->send_http_header("text/plain");

        $ENV{TZ} = "UTC";
        $r->print("tz: " . $ENV{TZ} . " (localtime " . (localtime()) . ")\n");
        $ENV{TZ} = "Europe/Moscow";
        $r->print("tz: " . $ENV{TZ} . " (localtime " . (localtime()) . ")\n");

        return OK;
    }';

To fix this, PERL_SET_INTERP() added anywhere where PERL_SET_CONTEXT()
was previously used.

Note that PERL_SET_INTERP() doesn't seem to be documented anywhere.
Yet it is used in some other software, and also seems to be the only
solution possible.
2016-12-07 19:03:19 +03:00
Sergey Kandaurov
fcb2e2864e Fixed spelling of logical AND operator, no functional changes.
Found by PVS-Studio.
2016-12-07 13:54:30 +03:00
hucongcong
8b8b6f41e6 Mp4: fixed setting wrong mdat atom size in very rare cases.
Atom size is the sum of atom header size and atom data size. The
specification says that the first 4 bytes are set to one when
the atom size is greater than the maximum unsigned 32-bit value.
Which means atom header size should be considered when the
comparison takes place between atom data size and 0xffffffff.
2016-11-22 13:40:08 +08:00
Maxim Dounin
551091951a SSL: $ssl_curves (ticket #1088).
The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session.  As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.
2016-12-05 22:23:23 +03:00
Maxim Dounin
2daf78867b SSL: $ssl_ciphers (ticket #870).
The variable contains list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff".

The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older version there is an attempt to provide some information
using SSL_get_shared_ciphers().  It only lists known ciphers though.
Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store relevant data when serializing a session.  As
a result $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.
2016-12-05 22:23:23 +03:00
Maxim Dounin
53092ad782 SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. 2016-12-05 22:23:23 +03:00
Maxim Dounin
919f536329 SSL: $ssl_client_verify extended with a failure reason.
Now in case of a verification failure $ssl_client_verify contains
"FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g.,
"FAILED:certificate has expired".

Detailed description of possible errors can be found in the verify(1)
manual page as provided by OpenSSL.
2016-12-05 22:23:22 +03:00
Maxim Dounin
27bcceb24b OCSP stapling: improved error logging context.
It now logs the IP address of the responder used (if it's already known),
as well as the certificate name.
2016-12-05 22:23:22 +03:00
Maxim Dounin
af07f8d093 OCSP stapling: added certificate name to warnings. 2016-12-05 22:23:22 +03:00
Maxim Dounin
0a1290b739 OCSP stapling: added http response status logging. 2016-12-05 22:23:22 +03:00
Maxim Dounin
d80352c759 OCSP stapling: style. 2016-12-05 22:23:22 +03:00
Ruslan Ermilov
cdd0cd6e2c Slab: improved double free detection.
Previously, an attempt to double free the starting page of the
free range was not detected.
2016-12-03 10:01:39 +03:00
Ruslan Ermilov
34b41a70a6 Slab: always show the requested allocation size in debug messages.
Previously, allocations smaller than min_size were shown as min_size.
2016-12-03 10:01:03 +03:00
Ruslan Ermilov
3df657f6fd Slab: style.
Removed redundant parentheses.  No functional changes.
2016-12-03 09:55:40 +03:00
Dmitry Volyntsev
433fdbf8b6 Events: improved error event handling for UDP sockets.
Normally, the epoll module calls the read and write handlers depending
on whether EPOLLIN and EPOLLOUT are reported by epoll_wait().  No error
processing is done in the module, the handlers are expected to get an
error when doing I/O.

If an error event is reported without EPOLLIN and EPOLLOUT, the module
set both EPOLLIN and EPOLLOUT to ensure the error event is handled at
least in one active handler.

This works well unless the error is delivered along with only one of
EPOLLIN or EPOLLOUT, and the corresponding handler does not do any I/O.
For example, it happened when getting EPOLLERR|EPOLLOUT from
epoll_wait() upon receiving "ICMP port unreachable" while proxying UDP.
As the write handler had nothing to send it was not able to detect and
log an error, and did not switch to the next upstream.

The fix is to unconditionally set EPOLLIN and EPOLLOUT in case of an
error event.  In the aforementioned case, this causes the read handler
to be called which does recv() and detects an error.

In addition to the epoll module, analogous changes were made in
devpoll/eventport/poll.
2016-11-21 16:03:42 +03:00
Valentin Bartenev
89f92b3243 HTTP/2: fixed saving preread buffer to temp file (ticket #1143).
Previously, a request body bigger than "client_body_buffer_size" wasn't written
into a temporary file if it has been pre-read entirely.  The preread buffer
is freed after processing, thus subsequent use of it might result in sending
corrupted body or cause a segfault.
2016-11-28 19:19:21 +03:00
Maxim Dounin
4c6e31a857 Configure: honor dependencies of dynamic modules.
Dependencies of dynamic modules are added to NGX_ADDON_DEPS (and
it is now used for dynamic modules) to be in line with what happens
in case of static compilation.

To avoid duplication, MAIL_DEPS and STREAM_DEPS are no longer passed
to auto/module when these modules are compiled as dynamic ones.  Mail
and stream dependencies are handled explicitly via corresponding
variables.
2016-11-21 16:49:19 +03:00
Maxim Dounin
a91f2b0382 Version bump. 2016-11-21 16:49:17 +03:00
Maxim Dounin
971518f931 release-1.11.6 tag 2016-11-15 18:11:46 +03:00
Maxim Dounin
c42249a5d0 nginx-1.11.6-RELEASE 2016-11-15 18:11:46 +03:00
Maxim Dounin
a18340cfca Fixed a typo, removed an empty line. 2016-11-14 21:55:44 +03:00
Maxim Dounin
bdc0b779e5 Upstream: handling of upstream SSL handshake timeouts.
Previously SSL handshake timeouts were not properly logged, and resulted
in 502 errors instead of 504 (ticket #1126).
2016-11-14 17:21:06 +03:00
hucongcong
8f8a07f080 Range filter: only initialize ctx->ranges in main request.
It is not necessary to initialize ctx->ranges in all request, because
ctx->ranges in subrequest will be reassigned to ctx->ranges of main
request.
2016-11-10 10:44:52 +08:00
hucongcong
42298aeb13 Core: slight optimization in ngx_chain_update_chains().
It is not necessary to traverse *busy and link the *out when *out is NULL.
2016-11-10 10:17:53 +08:00
Ruslan Ermilov
8e9f1df637 Style: switch. 2016-11-04 19:12:19 +03:00
Maxim Dounin
f3093695b9 Cache: prefix-based temporary files.
On Linux, the rename syscall can be slow due to a global file system lock,
acquired for the entire rename operation, unless both old and new files are
in the same directory.  To address this temporary files are now created
in the same directory as the expected resulting cache file when using the
"use_temp_path=off" parameter.

This change mostly reverts 99639bfdfa2a and 3281de8142f5, restoring the
behaviour as of a9138c35120d (with minor changes).
2016-11-03 17:10:29 +03:00
Maxim Dounin
5eac3bca41 Upstream: avoid holding a cache node with upgraded connections.
Holding a cache node lock doesn't make sense as we can't use caching
anyway, and results in "ignore long locked inactive cache entry" alerts
if a node is locked for a long time.

The same is done for unbuffered connections, as they can be alive for
a long time as well.
2016-11-03 17:09:32 +03:00
Dmitry Volyntsev
6d9023f7b4 Cache: proxy_cache_max_range_offset and friends.
It configures a threshold in bytes, above which client range
requests are not cached.  In such a case the client's Range
header is passed directly to a proxied server.
2016-11-02 20:05:21 +03:00
Sergey Kandaurov
6917d29d40 HTTP/2: flow control debugging. 2016-11-02 11:47:12 +03:00
Maxim Dounin
0438b60498 Perl: fixed optimization in SSI command handler.
As the pointer to the first argument was tested instead of the argument
itself, array of arguments was always created, even if there were no
arguments.  Fix is to test args[0] instead of args.

Found by Coverity (CID 1356862).
2016-11-01 20:39:21 +03:00
Ruslan Ermilov
5a273f2e90 HTTP/2: slightly improved debugging. 2016-10-31 23:38:51 +03:00
Ruslan Ermilov
d970e099c6 Upstream: removed ngx_http_upstream_srv_conf_t.default_port.
This is an API change.
2016-10-17 14:30:54 +03:00
Ruslan Ermilov
663984fe2f Upstream: don't consider default_port when matching upstreams.
The only thing that default_port comparison did in the current
code is prevented implicit upstreams to the same address/port
from being aliased for http and https, e.g.:

	proxy_pass http://10.0.0.1:12345;
	proxy_pass https://10.0.0.1:12345;

This is inconsistent because it doesn't work for a similar case
with uswgi_pass:

	uwsgi_pass uwsgi://10.0.0.1:12345;
	uwsgi_pass suwsgi://10.0.0.1:12345;

or with an explicit upstream:

	upstream u {
	    server 10.0.0.1:12345;
	}

	proxy_pass http://u;
	proxy_pass https://u;

Before c9059bd5445b, default_port comparison was needed to
differentiate implicit upstreams in

	proxy_pass http://example.com;

and

	proxy_pass https://example.com;

as u->port was not set.
2016-10-17 14:27:45 +03:00
Ruslan Ermilov
1f5d97cbf0 Upstream: consistently initialize explicit upstreams.
When an upstream{} block follows a proxy_pass reference to it,
such an upstream inherited port and default_port settings from
proxy_pass.  This was different from when they came in another
order (see ticket #1059).  Explicit upstreams should not have
port and default_port in any case.

This fixes the following case:

	server { location / { proxy_pass http://u; } ... }
	upstream u { server 127.0.0.1; }
	server { location / { proxy_pass https://u; } ... }

but not the following:

	server { location / { proxy_pass http://u; } ... }
	server { location / { proxy_pass https://u; } ... }
	upstream u { server 127.0.0.1; }
2016-10-17 14:14:02 +03:00
Ruslan Ermilov
149fda55f7 Upstream: do not unnecessarily create per-request upstreams.
If proxy_pass (and friends) with variables evaluates an upstream
specified with literal address, nginx always created a per-request
upstream.

Now, if there's a matching upstream specified in the configuration
(either implicit or explicit), it will be used instead.
2016-10-31 18:33:36 +03:00
Ruslan Ermilov
3fae83a91c Upstream: added the ngx_http_upstream_resolved_t.name field.
This fixes inconsistency in what is stored in the "host" field.
Normally it would contain the "host" part of the parsed URL
(e.g., proxy_pass with variables), but for the case of an
implicit upstream specified with literal address it contained
the text representation of the socket address (that is, host
including port for IP).

Now the "host" field always contains the "host" part of the URL,
while the text representation of the socket address is stored
in the newly added "name" field.

The ngx_http_upstream_create_round_robin_peer() function was
modified accordingly in a way to be compatible with the code
that does not know about the new "name" field.

The "stream" code was similarly modified except for not adding
compatibility in ngx_stream_upstream_create_round_robin_peer().

This change is also a prerequisite for the next change.
2016-10-31 18:33:33 +03:00
Ruslan Ermilov
4e1720b0a2 Upstream: removed unnecessary condition in proxy_eval() and friends.
The first condition added in d3454e719bbb should have just replaced
the second one.
2016-10-31 18:33:31 +03:00
Valentin Bartenev
df9b2b9011 HTTP/2: limited maximum number of requests in connection.
The new directive "http2_max_requests" is introduced.  From users point of
view it works quite similar to "keepalive_requests" but has significantly
bigger default value that is more suitable for HTTP/2.
2016-10-31 16:33:02 +03:00
Maxim Dounin
271d306056 Mp4: introduced custom version of ngx_atofp().
This allows to correctly parse "start" and "end" arguments without
null-termination (ticket #475), and also fixes rounding errors observed
with strtod() when using i387 instructions.
2016-10-27 17:57:16 +03:00
Dmitry Lazurkin
9ea918a41d Proxy: support variables for proxy_method directive. 2016-10-16 18:24:01 +03:00
Dmitry Volyntsev
71c93a8e09 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Originally, the variables kept a result of X509_NAME_oneline(),
which is, according to the official documentation, a legacy
function.  It produces a non standard output form and has
various quirks and inconsistencies.

The RFC2253 compliant behavior is introduced for these variables.
The original variables are available through $ssl_client_s_dn_legacy
and $ssl_client_i_dn_legacy.
2016-10-21 16:28:39 +03:00
Valentin Bartenev
9ec0b1fe12 Image filter: support for WebP.
In collaboration with Ivan Poluyanov.
2016-10-21 15:18:44 +03:00
Valentin Bartenev
70d0530f88 HTTP/2: graceful shutdown of active connections (closes #1106).
Previously, while shutting down gracefully, the HTTP/2 connections were
closed in transition to idle state after all active streams have been
processed.  That might never happen if the client continued opening new
streams.

Now, nginx sends GOAWAY to all HTTP/2 connections and ignores further
attempts to open new streams.  A worker process will quit as soon as
processing of already opened streams is finished.
2016-10-20 16:15:03 +03:00