Commit Graph

3117 Commits

Author SHA1 Message Date
Maxim Dounin
403a9efc0c Upstream keepalive: reset c->sent on cached connections.
The c->sent is reset to 0 on each request by server-side http code,
so do the same on client side.  This allows to count number of bytes
sent in a particular request.
2014-09-29 22:27:45 +04:00
Valentin Bartenev
c9fbbc8273 Limit req: reduced number of parameters in the lookup function.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
021a9df15b Limit req: use complex value in limit_req_zone.
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
with nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
98f7d0efb2 Limit conn: aligned field names in structures.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
dd1ae4348a Limit conn: use complex value in limit_conn_zone (ticket #121).
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
to nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
1866f15d7d Limit conn: removed deprecated "limit_zone" directive.
It's deprecated since 260d591cb6a3 (1.1.8).  The "limit_conn_zone" directive
should be used instead.
2014-09-24 21:55:19 +04:00
Gu Feng
bba2ce8aae Avoided to add duplicate hash key in ngx_http_types_slot(). 2014-09-17 22:52:02 +08:00
Roman Arutyunyan
ba1676f267 Upstream: fixed file buffers reinit in ngx_http_upstream_reinit().
Previously, a file buffer start position was reset to the file start.
Now it's reset to the previous file buffer end.  This fixes
reinitialization of requests having multiple successive parts of a
single file.  Such requests are generated by fastcgi module.
2014-09-18 16:37:16 +04:00
Roman Arutyunyan
66876d0b09 FastCGI: fixed start pointers in request buffers.
The start pointers are used in ngx_http_upstream_reinit() to
reinit FastCGI requests.
2014-09-18 16:37:14 +04:00
Valentin Bartenev
a7798de9bd Limit req: don't truncate key value to 255 bytes.
While the module allows to use values up to 65535 bytes as a key,
that actually never worked properly.
2014-09-16 21:12:51 +04:00
Valentin Bartenev
152d92b4b7 Access log: fixed the "if=" parameter with buffering (ticket #625).
It might not work if there were more than one "access_log" directives
pointed to the same file and duplicate buffer parameters.
2014-09-13 21:47:13 +04:00
Roman Arutyunyan
02ce6c415f Upstream: limited next_upstream time and tries (ticket #544).
The new directives {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_tries
and {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_timeout limit
the number of upstreams tried and the maximum time spent for these tries
when searching for a valid upstream.
2014-09-12 18:50:47 +04:00
Roman Arutyunyan
cfc3db1972 Upstream: included backup peers into peer.tries.
Since peer.tries is never reset it can now be limited if required.
2014-09-12 18:50:46 +04:00
Maxim Dounin
4c7e1a8d85 Upstream keepalive: removed "single" parameter remnants.
The "single" parameter is deprecated and ignored since 5b5c07dee156 (1.3.2).
2014-09-11 20:09:04 +04:00
Maxim Dounin
3a235bf52e Added warning about unset cache keys.
In fastcgi, scgi and uwsgi modules there are no default cache keys, and
using a cache without a cache key set is likely meaningless.
2014-09-11 20:08:52 +04:00
Maxim Dounin
d7d26feba1 Style. 2014-09-11 20:08:45 +04:00
FengGu
b4cb8475b1 Upstream: avoided directly terminating the connection.
When memory allocation failed in ngx_http_upstream_cache(), the connection
would be terminated directly in ngx_http_upstream_init_request().
Return a INTERNAL_SERVER_ERROR response instead.
2014-08-13 14:53:55 +08:00
Maxim Dounin
90df702bf8 Fixed ETag memory allocation error handling.
The etag->hash must be set to 0 to avoid an empty ETag header being
returned with the 500 Internal Server Error page after the memory
allocation failure.

Reported by Markus Linnala.
2014-09-08 21:36:03 +04:00
Roman Arutyunyan
c0b3b9d6ca Upstream: suppressed the file cache slab allocator error messages.
The messages "ngx_slab_alloc() failed: no memory in cache keys zone"
from the file cache slab allocator are suppressed since the allocation
is likely to succeed after the forced expiration of cache nodes.
The second allocation failure is reported.
2014-09-05 18:14:59 +04:00
Valentin Bartenev
37d24e7e3b Events: processing of posted events changed from LIFO to FIFO.
In theory, this can provide a bit better distribution of latencies.

Also it simplifies the code, since ngx_queue_t is now used instead
of custom implementation.
2014-09-01 18:20:18 +04:00
Ruslan Ermilov
be6175d49d Upstream: improved configuration parser diagnostics.
Made it clear when the selected balancing method does not
support certain parameters of the "server" directive.
2014-09-01 12:27:38 +04:00
Sergey Kandaurov
967c51c9ff Headers filter: "add_header" with "always" parameter (ticket #98).
If specified, the header field is set regardless of the status code.
2014-08-29 18:00:10 +04:00
Maxim Dounin
31c35adfe1 Variables: updated list of prefixes in ngx_http_rewrite_set(). 2014-08-27 21:38:08 +04:00
Maxim Dounin
8cf734c7b4 Variables: fixed non-indexed access of prefix vars (ticket #600).
Previously, a configuration like

    location / {
        ssi on;
        ssi_types *;
        set $http_foo "bar";
        return 200 '<!--#echo var="http_foo" -->\n';
    }

resulted in NULL pointer dereference in ngx_http_get_variable() as
the variable was explicitly added to the variables hash, but its
get_handler wasn't properly set in the hash.  Fix is to make sure
that get_handler is properly set by ngx_http_variables_init_vars().
2014-08-27 21:38:04 +04:00
Valentin Bartenev
dbcb16ff68 SPDY: added a comment about handling stream with the timer set. 2014-08-18 13:23:45 +04:00
Valentin Bartenev
c425f19daa SPDY: avoid setting timeout on stream events in ngx_http_writer().
The SPDY module doesn't expect timers can be set on stream events for reasons
other than delaying output.  But ngx_http_writer() could add timer on write
event if the delayed flag wasn't set and nginx is waiting for AIO completion.
That could cause delays in sending response over SPDY when file AIO was used.
2014-08-27 20:44:11 +04:00
Ruslan Ermilov
8607e64b83 Stub status: corrected the "stub_status" directive.
The "stub_status" directive does not require an argument.
2014-08-26 17:35:23 +04:00
Valentin Bartenev
9fb2b9287d Sub filter: fixed matching for a single character. 2014-08-25 16:08:55 +04:00
Roman Arutyunyan
a8227724c0 Mp4: use trak->smhd_size in ngx_http_mp4_read_smhd_atom().
Reported by Gang Li.
2014-08-19 14:13:39 +04:00
Sergey Kandaurov
3ed0e11d08 Image filter: downgrade strong etags to weak ones as needed. 2014-08-18 12:03:41 +04:00
Sergey Kandaurov
886ad0e9d3 Fixed typo. 2014-08-15 14:09:29 +04:00
Tatsuhiko Kubo
12300c2a20 Style: use specified macro instead of magic-number. 2014-08-06 23:58:44 +09:00
Piotr Sikora
b3066b16e1 Perl: NULL-terminate argument list.
perl_parse() function expects argv/argc-style argument list,
which according to the C standard must be NULL-terminated,
that is: argv[argc] == NULL.

This change fixes a crash (SIGSEGV) that could happen because
of the buffer overrun during perl module initialization.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-19 04:16:36 -07:00
Maxim Dounin
8f0f4c10e9 Access log: allowed logs to syslog with "if=" (ticket #596). 2014-08-06 00:22:36 +04:00
Sergey Kandaurov
88132eed54 Status: indentation and style, no functional changes. 2014-08-01 18:36:35 +04:00
FengGu
bfa56738af Dav: ngx_http_map_uri_to_path() errors were not checked.
Once error occured, it could lead to use uninitialized variables to log,
even more segmentation fault.
2014-07-30 14:45:08 +08:00
Maxim Dounin
4b2f12a604 Upstream: SSL handshake timeouts.
Timeout may not be set on an upstream connection when we call
ngx_ssl_handshake() in ngx_http_upstream_ssl_init_connection(),
so make sure to arm it if it's not set.

Based on a patch by Yichun Zhang.
2014-07-28 18:30:14 +04:00
Yichun Zhang
7b24c53efe GeoIP: not all variable fields were initialized.
The ngx_http_geoip_city_float_variable and
ngx_http_geoip_city_int_variable functions did not always initialize
all variable fields like "not_found", which could lead to empty values
for those corresponding nginx variables randomly.
2014-07-25 14:43:29 -07:00
Maxim Dounin
248baf4262 Upstream: ngx_http_upstream_store() error handling fixes.
Previously, ngx_http_map_uri_to_path() errors were not checked in
ngx_http_upstream_store().  Moreover, in case of errors temporary
files were not deleted, as u->store was set to 0, preventing cleanup
code in ngx_http_upstream_finalize_request() from removing them.  With
this patch, u->store is set to 0 only if there were no errors.

Reported by Feng Gu.
2014-07-18 20:11:40 +04:00
Maxim Dounin
88d9289f82 Reset of r->uri.len on URI parsing errors.
This ensures that debug logging and the $uri variable (if used in
400 Bad Request processing) will not try to access uninitialized
memory.

Found by Sergey Bobrov.
2014-07-18 20:02:11 +04:00
Tatsuhiko Kubo
cc870236b2 Style: use ngx_str_set(). 2014-07-09 23:23:59 +09:00
Piotr Sikora
12ca9c9c8f SPDY: fix support for headers with multiple values.
Split SPDY header with multiple, NULL-separated values:

    cookie: foo\0bar

into two separate HTTP headers with the same name:

    cookie: foo
    cookie: bar

Even though the logic for this behavior already existed
in the source code, it doesn't look that it ever worked
and SPDY streams with such headers were simply rejected.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 02:17:44 -07:00
Piotr Sikora
2cfcef5b42 Style: remove whitespace between function name and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
7e7589e746 Style: add whitespace between control statement and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:13 -07:00
Piotr Sikora
d224ed7eea SSL: stop accessing SSL_SESSION's fields directly.
SSL_SESSION struct is internal part of the OpenSSL library and it's fields
should be accessed via API (when exposed), not directly.

The unfortunate side-effect of this change is that we're losing reference
count that used to be printed at the debug log level, but this seems to be
an acceptable trade-off.

Almost fixes build with -DOPENSSL_NO_SSL_INTERN.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:14 -07:00
Maxim Dounin
4a75e1a63c Upstream: p->downstream_error instead of closing connection.
Previously, nginx closed client connection in cases when a response body
from upstream was needed to be cached or stored but shouldn't be sent to
the client.  While this is normal for HTTP, it is unacceptable for SPDY.

Fix is to use instead the p->downstream_error flag to prevent nginx from
sending anything downstream.  To make this work, the event pipe code was
modified to properly cache empty responses with the flag set.
2014-07-04 20:47:16 +04:00
Valentin Bartenev
3c2b5e88ab Upstream: fixed handling of write event after sending request.
The ngx_http_upstream_dummy_handler() must be set regardless of
the read event state.  This prevents possible additional call of
ngx_http_upstream_send_request_handler().
2014-07-01 20:52:08 +04:00
Valentin Bartenev
9f8785ae5e SSL: the "ssl_password_file" directive. 2014-06-16 19:43:25 +04:00
Maxim Dounin
25250a20d2 Fixed wrong sizeof() in ngx_http_init_locations().
There is no real difference on all known platforms, but it's still wrong.

Found by Coverity (CID 400876).
2014-06-26 03:34:13 +04:00
Maxim Dounin
46ac5c760c Upstream: cache revalidation using If-None-Match. 2014-06-26 02:35:01 +04:00
Maxim Dounin
b812961677 Cache: ETag now saved into cache header. 2014-06-26 02:28:23 +04:00
Maxim Dounin
c2e49a4196 Cache: version in cache files.
This allows to change the structure of cache files without spamming logs
with false alerts.
2014-06-26 02:27:21 +04:00
Maxim Dounin
8f9fb9570e Entity tags: explicit flag to skip not modified filter.
Previously, last_modified_time was tested against -1 to check if the
not modified filter should be skipped.  Notably, this prevented nginx
from additional If-Modified-Since (et al.) checks on proxied responses.
Such behaviour is suboptimal in some cases though, as checks are always
skipped on responses from a cache with ETag only (without Last-Modified),
resulting in If-None-Match being ignored in such cases.  Additionally,
it was not possible to return 412 from the If-Unmodified-Since if last
modification time was not known for some reason.

This change introduces explicit r->disable_not_modified flag instead,
which is set by ngx_http_upstream_process_headers().
2014-06-26 02:27:11 +04:00
Maxim Dounin
feb1649049 Entity tags: weak comparison for If-None-Match. 2014-06-26 02:21:20 +04:00
Maxim Dounin
def16742a1 Entity tags: downgrade strong etags to weak ones as needed.
See http://mailman.nginx.org/pipermail/nginx-devel/2013-November/004523.html.
2014-06-26 02:21:01 +04:00
Maxim Dounin
5d477a76fe Upstream: fixed cache revalidation with SSI.
Previous code in ngx_http_upstream_send_response() used last modified time
from r->headers_out.last_modified_time after the header filter chain was
already called.  At this point, last_modified_time may be already cleared,
e.g., with SSI, resulting in incorrect last modified time stored in a
cache file.  Fix is to introduce u->headers_in.last_modified_time instead.
2014-06-26 02:20:09 +04:00
Maxim Dounin
6c25c848cb Upstream: removed unused offset to content_length.
It's not needed since introduction of ngx_http_upstream_content_length()
in 103b0d9afe07.
2014-06-26 02:20:05 +04:00
Maxim Dounin
4e275cc73a Upstream: no need to clear r->headers_out.last_modified_time.
Clearing of the r->headers_out.last_modified_time field if a response
isn't cacheable in ngx_http_upstream_send_response() was introduced
in 3b6afa999c2f, the commit to enable not modified filter for cacheable
responses.  It doesn't make sense though, as at this point header was
already sent, and not modified filter was already executed.  Therefore,
the line was removed to simplify code.
2014-06-26 02:19:58 +04:00
Maxim Dounin
05dfc054f0 Not modified filter: debug log format fixed. 2014-06-26 02:19:55 +04:00
Ruslan Ermilov
02e39a3ecb Upstream: reduced diffs to the plus version of nginx.
No functional changes.
2014-06-20 12:55:41 +04:00
Ruslan Ermilov
05d717b35d Core: added ngx_slab_calloc() and ngx_slab_calloc_locked().
These functions return zeroed memory, analogous to ngx_pcalloc().
2014-06-04 15:09:19 +04:00
Ruslan Ermilov
20038acbfc Upstream: simplified some code that accesses peers.
No functional changes.
2014-06-12 21:13:24 +04:00
Piotr Sikora
a1a8defb49 Access log: fix default value, broken by cb308813b453.
log->filter ("if" parameter) was uninitialized when the default value
was being used, which would lead to a crash (SIGSEGV) when access_log
directive wasn't specified in the configuration.

Zero-fill the whole structure instead of zeroing fields one-by-one
in order to prevent similar issues in the future.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-03 10:53:48 -07:00
Roman Arutyunyan
9b5a17b5e2 Upstream: generic hash module. 2014-06-02 16:16:22 +04:00
Valentin Bartenev
68336e1ede SPDY: fixed operator precedence in uint16/uint32 write macros.
Since the type cast has precedence higher than the bit shift operator,
all values were truncated to 8 bits.

These macros are used to construct header block for SYN_REPLY frame on
platforms with strict alignment requirements.  As a result, any response
that contains a header with name or value longer than 255 bytes was
corrupted on such platforms.
2014-05-29 21:15:19 +04:00
Sergey Kandaurov
0750df4f16 Fixed config parsing of the last try_files parameter.
Do not taste the last parameter against directory, as otherwise it would
result in the trailing slash being cut from the parameter value.

Notably, this prevents an internal redirect to an empty URI
if the parameter is set to the literal slash:

    location / { try_files $uri /; }
2014-05-28 20:18:05 +04:00
Maxim Dounin
e36718de4b Sub filter: fixed subrequests handling.
In particular, properly output partial match at the end of a subrequest
response (much like we do at the end of a response), and reset/set the
last_in_chain flag as appropriate.

Reported by KAWAHARA Masashi.
2014-05-27 16:37:35 +04:00
Roman Arutyunyan
3e279a8eb4 Upstream: fix tries check in ip_hash.
Make two checks for maximum number of tries consistent.
The other one checks '>' condition.
2014-05-23 13:47:05 +04:00
Vladimir Homutov
493b898ae9 Added syslog support for error_log and access_log directives. 2014-05-12 16:34:15 +04:00
Sergey Budnevitch
27899a923a SSL: $ssl_client_fingerprint variable. 2014-05-20 14:03:03 +04:00
Maxim Dounin
84409ec8e0 Setting $args now invalidates unparsed uri.
Prodded by Yichun Zhang.
2014-05-19 22:45:35 +04:00
Maxim Dounin
4884cd611e Charset filter: fixed charset setting on encoded replies.
If response is gzipped we can't recode response, but in case it's not
needed we still can add charset to Content-Type.

The r->ignore_content_encoding is dropped accordingly, charset with gzip_static
now properly works without any special flags.
2014-05-19 22:45:34 +04:00
Maxim Dounin
ffba0eeefb Fixed alias in regex locations with limit_except/if.
The ngx_http_map_uri_to_path() function used clcf->regex to detect if
it's working within a location given by a regular expression and have
to replace full URI with alias (instead of a part matching the location
prefix).  This is incorrect due to clcf->regex being false in implicit
locations created by if and limit_except.

Fix is to preserve relevant information in clcf->alias instead, by setting
it to NGX_MAX_SIZE_T_VALUE if an alias was specified in a regex location.
2014-05-16 17:42:24 +04:00
Valentin Bartenev
a785be76f6 SPDY: added protection from overrun of the receive buffer. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
3f023a4193 SPDY: added a debug point to the state buffer overflow protection. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
57e5c3e86d SPDY: refactored ngx_http_spdy_state_headers().
This change is similar to d2ac5cf4056d.  Special flag of completeness looks
surplus when there is also a counter of frame bytes left.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
d04a714a6d SPDY: improved logging. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
d51d168066 SPDY: set log action for PROXY protocol only while parsing it.
Handling of PROXY protocol for SPDY connection is currently implemented as
a SPDY state.  And while nginx waiting for PROXY protocol data it continues
to process SPDY connection: initializes zlib context, sends control frames.
2014-05-15 19:22:06 +04:00
Valentin Bartenev
ef51079fe2 SPDY: ngx_http_spdy_state_headers() error handling cleanup.
- Specification-friendly handling of invalid header block or special headers.
   Such errors are not fatal for session and shouldn't lead to connection close;

 - Avoid mix of NGX_HTTP_PARSE_INVALID_REQUEST/NGX_HTTP_PARSE_INVALID_HEADER.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
cf770ddd82 SPDY: improved error handling of header block decompression.
Now cases when decompression failed due to internal error
and when a client sent corrupted data are distinguished.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
ba890408bd SPDY: removed ngx_http_spdy_state_headers_error().
The function just calls ngx_http_spdy_state_headers_skip() most of the time.
There was also an attempt of optimization to stop parsing if the client already
closed connection, but it looks strange and unfinished anyway.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
63ee690751 SPDY: prevented creation of RST_STREAM in protocol error state.
Previously, the frame wasn't sent anyway (and had a wrong status code).
2014-05-15 19:18:26 +04:00
Valentin Bartenev
dfb9a5cb0d SPDY: improved ngx_http_spdy_state_protocol_error().
Now ngx_http_spdy_state_protocol_error() is able to close stream,
so there is no need in a separate call for this.

Also fixed zero status code in logs for some cases.
2014-04-30 20:33:58 +04:00
Valentin Bartenev
d9c25cdf19 SPDY: fixed one case of improper memory allocation error handling.
Now ngx_http_spdy_construct_request_line() doesn't try to finalize request
in case of failed memory allocation.
2014-04-30 02:16:21 +04:00
Ruslan Ermilov
5a3d4410cc Style: use %N instead of '\n' where appropriate. 2014-05-14 22:26:30 +04:00
Maxim Dounin
094bfc6beb Upstream: restored workaround for "if".
The 7022564a9e0e changeset made ineffective workaround from 2464ccebdb52
to avoid NULL pointer dereference with "if".  It is now restored by
moving the u->ssl_name initialization after the check.

Found by Coverity (CID 1210408).
2014-04-30 19:16:55 +04:00
Maxim Dounin
17dad56e4e Cache: added ngx_quit check to ngx_http_file_cache_expire().
While managing big caches it is possible that expiring old cache items
in ngx_http_file_cache_expire() will take a while.  Added a check for
ngx_quit / ngx_terminate to make sure cache manager can be terminated
while in ngx_http_file_cache_expire().
2014-04-30 19:16:35 +04:00
Vladimir Homutov
ed6780aaf1 Upstream: added the "$upstream_cookie_<name>" variables. 2014-04-29 12:28:41 +04:00
Valentin Bartenev
b53306815e Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
2013-11-18 03:06:45 +04:00
Ruslan Ermilov
e0e811d601 Upstream: for ssl name, non-aligned memory allocation is enough. 2014-04-22 18:56:49 +04:00
Valentin Bartenev
f79908af6e SPDY: avoid sending RST_STREAM on WINDOW_UPDATE with unknown SID.
There's a race condition between closing a stream by one endpoint
and sending a WINDOW_UPDATE frame by another.  So it would be better
to just skip such frames for unknown streams, like is already done
for the DATA frames.
2014-04-21 19:21:17 +04:00
Valentin Bartenev
a57959b6cd SPDY: Stream-ID restrictions according to specification. 2014-04-21 18:59:53 +04:00
Maxim Dounin
cae1bd3831 Upstream: uwsgi_ssl_name, uwsgi_ssl_verify, and so on.
Just a merge of proxy_ssl_name, proxy_ssl_verify commits into uwsgi module,
code is identical.
2014-04-18 20:13:32 +04:00
Maxim Dounin
27475dd7ee Upstream: proxy_ssl_verify and friends. 2014-04-18 20:13:30 +04:00
Maxim Dounin
59ef4a3417 Upstream: proxy_ssl_name and proxy_ssl_server_name directives.
These directives allow to switch on Server Name Indication (SNI) while
connecting to upstream servers.

By default, proxy_ssl_server_name is currently off (that is, no SNI) and
proxy_ssl_name is set to a host used in the proxy_pass directive.
2014-04-18 20:13:28 +04:00
Maxim Dounin
93eb94d622 Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.

In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
2014-04-18 20:13:24 +04:00
Maxim Dounin
6c9c973aa7 SSL: $ssl_server_name variable. 2014-04-18 20:13:21 +04:00
Sergey Kandaurov
7cf53e11f5 Access log: the "if" parameter of the "access_log" directive.
The parameter value specifies a condition under which the request is logged.
2014-04-15 21:32:56 +04:00
Valentin Bartenev
c69cabed1d SPDY: fixed typo in log message. 2014-04-16 11:40:42 +04:00
Valentin Bartenev
013449be01 Fixed missing "static" in declaration of ngx_http_gzip_quantity(). 2014-04-16 11:40:38 +04:00
Valentin Bartenev
7da40e6a99 SPDY: moved a variable initialization near to its check.
This should prevent attempts of using pointer before it was checked, since
all modern compilers are able to spot access to uninitialized variable.

No functional changes.
2014-04-09 18:15:32 +04:00
Valentin Bartenev
5d3f84e4e1 SPDY: fixed arguments supplied for an error message. 2014-04-08 20:12:30 +04:00
Valentin Bartenev
5cf11ab2e0 SPDY: avoid creating flush frames.
Previously, an empty frame object was created for an output chain that contains
only sync or flush empty buffers.  But since 39d7eef2e332 every DATA frame has
the flush flag set on its last buffer, so there's no need any more in additional
flush buffers in the output queue and they can be skipped.

Note that such flush frames caused an incorrect $body_bytes_sent value.
2014-04-07 23:35:33 +04:00
Valentin Bartenev
a547f4ac15 SPDY: consistently handle control frames with unknown type.
The SPDY draft 2 specification requires that if an endpoint receives a
control frame for a type it does not recognize, it must ignore the frame.
But the 3 and 3.1 drafts don't seem to declare any behavior for such case.
Then sticking with the previous draft in this matter looks to be right.

But previously, only 8 least significant bits of the type field were
parsed while the rest of 16 bits of the field were checked against zero.
Though there are no known frame types bigger than 255, this resulted in
inconsistency in handling of such frames: they were not recognized as
valid frames at all, and the connection was closed.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
108e4d94e4 SPDY: refactored ngx_http_spdy_state_read_data().
There's no more need in a separate indicator of frame completeness
after d74889fbf06d.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
b2cd520673 SPDY: better detect premature closing of stream.
Following a24f88eff684, now the case when the FIN flag is set in SYN_STREAM
is also covered.
2014-04-07 19:27:56 +04:00
Roman Arutyunyan
5147f8ee6a Mp4: allow end values bigger than track duration.
If start time is within the track but end time is out of it, error
"end time is out mp4 stts samples" is generated.  However it's
better to ignore the error and output the track until its end.
2014-04-01 20:53:18 +04:00
Maxim Dounin
2349a6747d Adjusted default value of types_hash_bucket_size (ticket #352).
The ngx_cacheline_size may be too low on some platforms, resulting
in unexpected hash build problems (as no collisions are tolerated due
to low bucket_size, and max_size isn't big enough to build a hash without
collisions).  These problems aren't fatal anymore but nevertheless
need to be addressed.
2014-03-31 22:47:42 +04:00
Maxim Dounin
23f6689846 Core: slab log_nomem flag.
The flag allows to suppress "ngx_slab_alloc() failed: no memory" messages
from a slab allocator, e.g., if an LRU expiration is used by a consumer
and allocation failures aren't fatal.

The flag is now used in the SSL session cache code, and in the limit_req
module.
2014-03-31 21:38:30 +04:00
Roman Arutyunyan
6f1763213b Mp4: improved logging after adding "end" support.
Despite introducing start and end crop operations existing log
messages still mostly refer only to start.  Logging is improved
to match both cases.

New debug logging is added to track entry count in atoms after
cropping.

Two format type mismatches are fixed as well.
2014-03-31 20:05:53 +04:00
Roman Arutyunyan
70e98eac3e Mp4: fixed seeking to a track end.
When "start" value is equal to a track duration the request
fails with "time is out mp4 stts" like it did before track
duration check was added.  Now such tracks are considered
short and skipped.
2014-03-31 19:52:17 +04:00
Valentin Bartenev
ac5a3cbeee SPDY: detect premature closing of stream.
The SPDY/3.1 specification requires that the server must respond with
a 400 "Bad request" error if the sum of the data frame payload lengths
does not equal the size of the Content-Length header.

This also fixes "zero size buf in output" alert, that might be triggered
if client sends a greater than zero Content-Length header and closes
stream using the FIN flag with an empty request body.
2014-03-28 20:22:57 +04:00
Valentin Bartenev
afb92a8127 SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.
2014-03-28 20:05:07 +04:00
Valentin Bartenev
de3c7a825e SPDY: better detect if headers block has wrong entries count.
Previously, only one case was checked: if there's more data to parse
in a r->header_in buffer, but the buffer can be filled to the end by
the last parsed entry, so we also need to check that there's no more
data to inflate.
2014-03-26 18:01:11 +04:00
Valentin Bartenev
042122a066 SPDY: detect premature end of frame while start parsing headers. 2014-03-26 17:43:39 +04:00
Piotr Sikora
ac1617915c Apply underscores_in_headers also to the first character.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-03-24 16:35:44 -07:00
Andrei Belov
b1597fe2ea Increased default value of variables_hash_max_size. 2014-03-25 18:49:28 +04:00
Sergey Kandaurov
2070abf516 Mp4: skipped empty stss atom table in output.
The atom may have no data entries after cropping.

This fixes "zero size buf in output" alerts.
2014-03-24 17:55:10 +04:00
Maxim Dounin
effbf466aa Range filter: single_range flag in request.
If set, it means that response body is going to be in more than one buffer,
hence only range requests with a single range should be honored.

The flag is now used by mp4 and cacheable upstream responses, thus allowing
range requests of mp4 files with start/end, as well as range processing
on a first request to a not-yet-cached files with proxy_cache.

Notably this makes it possible to play mp4 files (with proxy_cache, or with
mp4 module) on iOS devices, as byte-range support is required by Apple.
2014-03-21 19:33:21 +04:00
Roman Arutyunyan
c6ca135923 Mp4: added "end" argument support. 2014-03-20 16:05:19 +04:00
Roman Arutyunyan
7aa8c81002 Mp4: moved atom cropping code out of update functions.
It can now be reused for implementing mp4 end.
2014-03-20 16:05:18 +04:00
Maxim Dounin
ec1211d2f6 SPDY: improved ngx_http_spdy_state_save() again. 2014-03-19 19:30:09 +04:00
Maxim Dounin
898ca36c33 Macros used for initialization in ngx_http_core_init_main_conf(). 2014-03-19 12:57:40 +04:00
Maxim Dounin
062e7a0042 SPDY: improved ngx_http_spdy_state_save() check. 2014-03-19 12:57:39 +04:00
Maxim Dounin
a4d04f01fb SPDY: macro used for recv_buffer_size initialization. 2014-03-19 12:57:32 +04:00
Maxim Dounin
c6c702c329 SPDY: always check size of data to be saved into state buffer. 2014-03-18 17:00:19 +04:00
Roman Arutyunyan
0b5f329784 Added server-side support for PROXY protocol v1 (ticket #355).
Client address specified in the PROXY protocol header is now
saved in the $proxy_protocol_addr variable and can be used in
the realip module.

This is currently not implemented for mail.
2014-03-17 17:41:24 +04:00
Maxim Dounin
2f917b6d06 FastCGI: f->split_parts reset on request start.
Additionally, make sure to check for errors from ngx_http_parse_header_line()
call after joining saved parts.  There shouldn't be any errors, though
check may help to catch bugs like missing f->split_parts reset.

Reported by Lucas Molas.
2014-03-17 15:34:36 +04:00
Valentin Bartenev
0c05e5b55f SPDY: fixed potential integer overflow while parsing headers.
Previously r->header_size was used to store length for a part of
value that represents an individual already parsed HTTP header,
while r->header_end pointed to the end of the whole value.

Instead of storing length of a following name or value as pointer
to a potential end address (r->header_name_end and r->header_end)
that might be overflowed, now r->lowercase_index counter is used
to store remaining length of a following unparsed field.

It also fixes incorrect $body_bytes_sent value if a request is
closed while parsing of the request header.  Since r->header_size
is intended for counting header size, thus abusing it for header
parsing purpose was certainly a bad idea.
2014-03-03 19:24:55 +04:00
Valentin Bartenev
3925c1b110 SPDY: constant number of preallocated structures for headers. 2014-03-03 19:24:54 +04:00
Maxim Dounin
a2a26a7ce1 Request body: avoid potential overflow. 2014-03-03 17:39:53 +04:00
Valentin Bartenev
2c0defac9b Gzip static: fixed NGX_CONF_FLAG misuse. 2014-03-03 17:17:25 +04:00
Maxim Dounin
96af3e9dfb Disabled redirects to named locations if URI is not set.
If something like "error_page 400 @name" is used in a configuration,
a request could be passed to a named location without URI set, and this
in turn might result in segmentation faults or other bad effects
as most of the code assumes URI is set.

With this change nginx will catch such configuration problems in
ngx_http_named_location() and will stop request processing if URI
is not set, returning 500.
2014-02-27 20:36:35 +04:00
Konstantin Pavlov
c539aaf352 Upstream: fixed error message wording. 2014-02-20 13:48:40 +04:00
Ruslan Ermilov
3da53f339d Access: supplemented the obfuscated code with a comment. 2014-02-19 21:45:27 +04:00
Maxim Dounin
5ec277847e Upstream: ngx_post_event() instead of upgraded call (ticket #503).
If a request is finalized in the first call to the
ngx_http_upstream_process_upgraded() function, e.g., because upstream
server closed the connection for some reason, in the second call
the u->peer.connection pointer will be null, resulting in segmentation
fault.

Fix is to avoid second direct call, and post event instead.  This ensures
that ngx_http_upstream_process_upgraded() won't be called again if
a request is finalized.
2014-02-18 17:30:40 +04:00
Roman Arutyunyan
1dc1b0785b Mp4: remove useless leading stsc entry in result mp4.
The fix removes useless stsc entry in result mp4.
If start_sample == n then current stsc entry should be skipped
and the result stsc should start with the next entry.
The reason for that is start_sample starts from 0, not 1.
2014-02-14 15:14:48 +04:00
Valentin Bartenev
b20af091b7 SPDY: fixed reversed priority order in window waiting queue. 2014-02-12 21:02:29 +04:00
Piotr Sikora
60d508ceb9 Upstream: fix $upstream_status variable.
Previously, upstream's status code was overwritten with
cached response's status code when STALE or REVALIDATED
response was sent to the client.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-11 21:54:42 -08:00
Xiaochen Wang
cd358e5a95 SPDY: fixed parsing of http version.
There is an error while parsing multi-digit minor version numbers (e.g.
"HTTP/1.10").
2014-02-11 20:54:16 +08:00
Maxim Dounin
381d507467 SSL: the $ssl_session_reused variable. 2014-02-11 19:20:25 +04:00
Ruslan Ermilov
42c049bd2d Range filter: fixed duplicate charset.
If a proxied response had charset in Content-Type, the
charset was duplicated in a response to client request
with byte ranges.
2014-02-04 17:13:35 +04:00
Piotr Sikora
ab3c0f9250 Use ngx_socket_errno where appropriate.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-03 14:17:17 -08:00
Shigeki Ohtsu
38a9a8968d SPDY: fixed parsing of the priority field.
The size of the priority field is increased by one bit in spdy/3,
and now it's a 3-bit field followed by 5 bits of unused space.
But a shift of these bits hasn't been adjusted in 39d7eef2e332
accordingly.
2014-02-04 14:06:23 +09:00
Valentin Bartenev
449e8eeb53 SPDY: protocol implementation switched to spdy/3.1. 2014-01-31 19:17:26 +04:00
Vladimir Homutov
8d97a2e4d7 Fixed false compiler warning.
Newer gcc versions (4.7+) report possible use of uninitialized variable if
nginx is being compiled with -O3.
2014-01-31 14:18:52 +04:00
Ruslan Ermilov
c6d7db2500 Fixed a compile warning introduced by 01e2a5bcdd8f.
On systems with OpenSSL that has NPN support but lacks
ALPN support, some compilers emitted a warning about
possibly uninitialized "data" variable.
2014-01-30 19:13:12 +04:00
Ruslan Ermilov
8d288ec49a Proxy: fixed upstream search by proxy_pass with variables.
If "proxy_pass" is specified with variables, the resulting
hostname is looked up in the list of upstreams defined in
configuration.  The search was case-sensitive, as opposed
to the case of "proxy_pass" specified without variables.
2014-01-30 18:57:11 +04:00
Piotr Sikora
4ae889c9f2 SSL: support ALPN (IETF's successor to NPN).
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-28 15:33:49 -08:00
Roman Arutyunyan
d3e0bf306b Mp4: fix seeks to standalone last chunk.
If seek position is within the last track chunk
and that chunk is standalone (stsc entry describes only
this chunk) such seek generates stsc seek error. The
problem is that chunk numbers start with 1, not with 0.
2014-01-29 13:44:15 +04:00
Roman Arutyunyan
88f9b411f0 Mp4: skip tracks shorter than seek position (ticket #414).
Mp4 module does not check movie and track durations when reading
file.  Instead it generates errors when track metadata is shorter
than seek position.  Now such tracks are skipped and movie duration
check is performed at file read stage.
2014-01-29 13:33:45 +04:00
Roman Arutyunyan
870733ebd6 Mp4: fix seeks after the last key frame.
Mp4 module does not allow seeks after the last key frame.  Since
stss atom only contains key frames it's usually shorter than
other track atoms.  That leads to stss seek error when seek
position is close to the end of file.  The fix outputs empty
stss frame instead of generating error.
2014-01-29 13:30:36 +04:00
Maxim Dounin
c94c24b177 Fixed TCP_DEFER_ACCEPT handling (ticket #353).
Backed out 05a56ebb084a, as it turns out that kernel can return connections
without any delay if syncookies are used.  This basically means we can't
assume anything about connections returned with deferred accept set.

To solve original problem the 05a56ebb084a tried to solve, i.e. to don't
wait longer than needed if a connection was accepted after deferred accept
timeout, this patch changes a timeout set with setsockopt(TCP_DEFER_ACCEPT)
to 1 second, unconditionally.  This is believed to be enough for speed
improvements, and doesn't imply major changes to timeouts used.

Note that before 2.6.32 connections were dropped after a timeout.  Though
it is believed that 1s is still appropriate for kernels before 2.6.32,
as previously tcp_synack_retries controlled the actual timeout and 1s results
in more than 1 minute actual timeout by default.
2014-01-28 15:40:46 +04:00
Maxim Dounin
1631393f94 SSI: fixed $date_local and $date_gmt without SSI (ticket #230).
If there is no SSI context in a given request at a given time,
the $date_local and $date_gmt variables used "%s" format, instead
of "%A, %d-%b-%Y %H:%M:%S %Z" documented as the default and used
if there is SSI module context and timefmt wasn't modified using
the "config" SSI command.

While use of these variables outside of the SSI evaluation isn't strictly
valid, previous behaviour is certainly inconsistent, hence the fix.
2014-01-28 15:40:45 +04:00
Tatsuhiko Kubo
135dc712c0 Typo fixed. 2014-01-23 22:09:59 +09:00
Maxim Dounin
c74e23ba3a Upstream: reading from a client after connection upgrade.
Read event on a client connection might have been disabled during
previous processing, and we at least need to handle events.  Calling
ngx_http_upstream_process_upgraded() is a simpliest way to do it.

Notably this change is needed for select, poll and /dev/poll event
methods.

Previous version of this patch was posted here:
http://mailman.nginx.org/pipermail/nginx/2014-January/041839.html
2014-01-22 16:05:07 +04:00
Valentin Bartenev
abcbe54219 SPDY: use ngx_queue_t to queue streams for post processing.
It simplifies the code and allows easy reuse the same queue pointer to store
streams in various queues with different requirements.  Future implementation
of SPDY/3.1 will take advantage of this quality.
2014-01-20 20:56:49 +04:00
Valentin Bartenev
3ddf9ccfce SPDY: store the length of frame instead of its whole size.
The "length" value better corresponds with the specification and reduces
confusion about whether frame's header is included in "size" or not.

Also this change simplifies some parts of code, since in more cases the
length of frame is more useful than its actual size, especially considering
that the size of frame header is constant.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
e62156d829 SPDY: use frame->next pointer to chain free frames.
There is no need in separate "free" pointer and like it is for ngx_chain_t
the "next" pointer can be used.  But after this change successfully handled
frame should not be accessed, so the frame handling cycle was improved to
store pointer to the next frame before processing.

Also worth noting that initializing "free" pointer to NULL in the original
code was surplus.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
650984cd20 SPDY: proper handling of all RST_STREAM statuses.
Previously, only stream CANCEL and INTERNAL_ERROR were handled right.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
d055f74178 SPDY: removed state to check first SETTINGS frame.
That code was based on misunderstanding of spdy specification about
configuration applicability in the SETTINGS frames.  The original
interpretation was that configuration is assigned for the whole
SPDY connection, while it is only for the endpoint.

Moreover, the strange thing is that specification forbids multiple
entries in the SETTINGS frame with the same ID even if flags are
different.  As a result, Chrome sends two SETTINGS frames: one with
its own configuration, and another one with configuration stored
for a server (when the FLAG_SETTINGS_PERSIST_VALUE flags were used
by the server).

To simplify implementation we refuse to use the persistent settings
feature and thereby avoid all the complexity related with its proper
support.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
406c0613f5 SPDY: better name for frame entries counter.
The "headers" is not a good term, since it is used not only to count
name/value pairs in the HEADERS block but to count SETTINGS entries too.

Moreover, one name/value pair in HEADERS can contain multiple http headers
with the same name.

No functional changes.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
32bb39c48f SPDY: fixed possible segfault.
While processing a DATA frame, the link to related stream is stored in spdy
connection object as part of connection state.  But this stream can be closed
between receiving parts of the frame.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
1ef5553644 SPDY: send output queue after processing of read event.
During the processing of input some control frames can be added to the queue.
And if there were no writing streams at the moment, these control frames might
be left unsent for a long time (or even forever).

This long delay is especially critical for PING replies since a client can
consider connection as broken and then resend exactly the same request over
a new connection, which is not safe in case of non-idempotent HTTP methods.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
82a1ff31f9 SPDY: the SETTINGS frame should be allocated from sc->pool.
There is no reason to allocate it from connection pool that more like just
a bug especially since ngx_http_spdy_settings_frame_handler() already uses
sc->pool to free a chain.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
b2b43ca50f SPDY: fixed possible uninitialized memory access.
The frame->stream pointer should always be initialized for control frames since
the check against it can be performed in ngx_http_spdy_filter_cleanup().
2014-01-15 17:16:38 +04:00
Valentin Bartenev
d143119e3c SPDY: fixed off_t/size_t type conversions on 32 bits platforms.
Parameters of ngx_http_spdy_filter_get_shadow() are changed from size_t to off_t
since the last call of the function may get size and offset from the rest of a
file buffer.  This fixes possible data loss rightfully complained by MSVC on 32
bits systems where off_t is 8 bytes long while size_t is only 4 bytes.

The other two type casts are needed just to suppress warnings about possible
data loss also complained by MSVC but false positive in these cases.
2014-01-15 13:23:31 +04:00
Valentin Bartenev
70c010167f SPDY: fixed build, broken by b7ee1bae0ffa.
False positive warning about the "cl" variable may be uninitialized in
the ngx_http_spdy_filter_get_data_frame() call was suppressed.

It is always initialized either in the "while" cycle or in the following
"if" condition since frame_size cannot be zero.
2014-01-15 01:44:52 +04:00
Valentin Bartenev
8323f317f6 SPDY: added the "spdy_chunk_size" directive. 2014-01-14 16:24:45 +04:00
Valentin Bartenev
b60700f9e9 SPDY: implemented buffers chain splitting.
It fixes "chain too big in spdy filter" alerts, and adds full support for rate
limiting of SPDY streams.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
8c01a95d98 SPDY: body filter was replaced by c->send_chain() function.
It allows to use ngx_http_write_filter() and all its rate limiting logic.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
3d5f501adc SPDY: fixed possible premature close of stream.
The "delayed" flag always should be set if there are unsent frames,
but this might not be the case if ngx_http_spdy_body_filter() was
called with NULL chain.

As a result, the "send_timeout" timer could be set on a stream in
ngx_http_writer().  And if the timeout occurred before all the stream
data has been sent, then the request was finalized with the "client
timed out" error.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
1c56e18733 SPDY: refactored ngx_http_spdy_body_filter().
A local pointer to fake connection is introduced
to slightly reduce further patches.

No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
ac8bb7a9e5 SPDY: elimination of r->blocked counter usage for queuing frames.
It was used to prevent destroying of request object when there are unsent
frames in queue for the stream.  Since it was incremented for each frame
and is only 8 bits long, so it was not very hard to overflow the counter.

Now the stream->queued counter is checked instead.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
6ddb578b22 SPDY: better name for flag that indicates incomplete frame state.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
00944562ac SPDY: better name for queued frames counter.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
df1d8f78ac SPDY: fixed format specifiers in logging. 2014-01-14 16:24:45 +04:00
Maxim Dounin
70b48a491a SSL: fixed ssl_verify_depth to take only one argument. 2014-01-14 15:56:40 +04:00
Dirkjan Bussink
58a240d773 SSL: ssl_session_tickets directive.
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.

If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
2014-01-10 16:12:40 +01:00
Maxim Dounin
8f702a573a Fixed "zero size buf in output" alerts.
If a request had an empty request body (with Content-Length: 0), and there
were preread data available (e.g., due to a pipelined request in the buffer),
the "zero size buf in output" alert might be logged while proxying the
request to an upstream.

Similar alerts appeared with client_body_in_file_only if a request had an
empty request body.
2014-01-04 03:32:22 +04:00
Maxim Dounin
def37d254a Upstream: Cache-Control preferred over Expires.
Not really a strict check (as X-Accel-Expires might be ignored or
contain invalid value), but quite simple to implement and better
than what we have now.
2014-01-04 03:32:10 +04:00
Maxim Dounin
9a72030c25 Allowed up to two EBUSY errors from sendfile().
Fallback to synchronous sendfile() now only done on 3rd EBUSY without
any progress in a row.  Not falling back is believed to be better
in case of occasional EBUSY, though protection is still needed to
make sure there will be no infinite loop.
2014-01-04 03:31:58 +04:00
Ruslan Ermilov
2539ce036f Fixed setting of content type in some cases.
This fixes content type set in stub_status and autoindex responses
to be usable in content type checks made by filter modules, such
as charset and sub filters.
2013-12-27 19:40:04 +04:00
Valentin Bartenev
2b1156d101 Style: removed surplus semicolons. 2013-12-27 18:47:42 +04:00
Valentin Bartenev
aa22dc707b SPDY: a bit smarter ngx_http_spdy_filter_get_data_frame().
There is no need to pass FLAG_FIN as a separate argument since it can always be
detected from the last_buf flag of the last frame buffer.

No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
df49024997 SPDY: refactored loop in ngx_http_spdy_body_filter().
No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
75dad742e5 SPDY: fixed possible request hang.
Processing events from upstream connection can result in sending queued frames
from other streams.  In this case such streams were not added to handling queue
and properly handled.

A global per connection flag was replaced by a per stream flag that indicates
currently sending stream while all other streams can be added to handling
queue.
2013-12-26 17:03:16 +04:00
Ruslan Ermilov
9b4a99cf5d Dav: emit a warning about unsafe URI. 2013-12-23 18:12:03 +04:00
Ruslan Ermilov
f7ff5e65d0 Teach ngx_http_parse_unsafe_uri() how to unescape URIs.
This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316),
SSI (ticket #240), and DAV.
2013-12-23 18:12:00 +04:00
Ruslan Ermilov
336bcb22d1 Detect more unsafe URIs in ngx_http_parse_unsafe_uri().
The following URIs were considered safe: "..", "../foo", and "/foo/..".
2013-12-23 18:11:56 +04:00
Ruslan Ermilov
3f36c684a1 Upstream: keep $upstream_http_x_accel_redirect intact.
When processing the X-Accel-Redirect header, the value of the
$upstream_http_x_accel_redirect variable was also overwritten.
2013-12-23 18:11:46 +04:00
Maxim Dounin
37b7de6df7 SSL: ssl_buffer_size directive. 2013-12-20 16:18:25 +04:00
Vladimir Homutov
c7a0b04665 Upstream: simplified peer selection loop in the "ip_hash" module.
Conditions for skipping ineligible peers are rewritten to make adding of new
conditions simpler and be in line with the "round_robin" and "least_conn"
modules.  No functional changes.
2013-12-09 13:43:27 +04:00
Valentin Bartenev
c8f3f9fa12 SPDY: use predefined constant for size of the Stream-ID field.
No functional changes.
2013-12-18 18:39:29 +04:00
Ruslan Ermilov
769eded732 Resolver: implemented IPv6 name to address resolving. 2013-12-09 10:53:28 +04:00
Ruslan Ermilov
3aeefbcaea Changed resolver API to use ngx_addr_t. 2013-12-06 14:30:27 +04:00
Maxim Dounin
0c585adfd4 Trailing whitespace fix. 2013-12-12 20:28:48 +04:00
Valentin Bartenev
2576530c51 Use ngx_chain_get_free_buf() in pipe input filters.
No functional changes.
2013-12-11 21:30:38 +04:00
Valentin Bartenev
7f54528ca0 SPDY: drop the "delayed" flag when finalizing connection.
This flag in SPDY fake write events serves the same purposes as the "ready"
flag in real events, and it must be dropped if request needs to be handled.
Otherwise, it can prevent the request from finalization if ngx_http_writer()
was set, which results in a connection leak.

Found by Xiaochen Wang.
2013-12-10 20:27:33 +04:00
Ruslan Ermilov
fa512fdb76 Fixed handling of UNIX-domain sockets.
When evaluating $local_port, $server_port, and $server_addr,
UNIX-domain sockets were mistakenly interpreted as IPv4 sockets.
2013-12-09 10:16:44 +04:00
Piotr Sikora
19f475276d Fixed incorrect ngx_str_set() usage, broken in c82b2e020b9f.
Found by Coverity Scan CID 1135525.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-12-06 16:00:49 -08:00
Maxim Dounin
67b0d16546 Fixed build without SSL, broken by c82b2e020b9f. 2013-12-04 23:13:13 +04:00
Maxim Dounin
24e1db93a8 SSL support in the uwsgi module.
Based on patch by Roberto De Ioris.
2013-12-04 23:01:27 +04:00
Mathew Rodley
84f5c2136e Added support for TCP_FASTOPEN supported in Linux >= 3.7.1.
---
 auto/unix                       | 12 ++++++++++++
 src/core/ngx_connection.c       | 32 ++++++++++++++++++++++++++++++++
 src/core/ngx_connection.h       |  4 ++++
 src/http/ngx_http.c             |  4 ++++
 src/http/ngx_http_core_module.c | 21 +++++++++++++++++++++
 src/http/ngx_http_core_module.h |  3 +++
 6 files changed, 76 insertions(+)
2013-12-03 22:07:03 +04:00
Maxim Dounin
a8a7de3f78 Fixed "setfib=" on non-first listening socket. 2013-12-03 21:44:08 +04:00
Vladimir Homutov
71b9cca835 Improved code readablity in ngx_http_upstream_init_round_robin().
Changed initialization order of the peer structure in one of the
cases to be in line with the rest.

No functional changes.
2013-12-03 17:12:16 +04:00
Ruslan Ermilov
0419933283 Fixed null pointer dereference with $upstream_cache_last_modified. 2013-12-03 15:11:24 +04:00
Maxim Dounin
3dec2b131c Upstream: skip empty cache headers.
Notably this fixes HTTP_IF_MODIFIED_SINCE which was always sent with
cache enabled in fastcgi/scgi/uwsgi after 43ccaf8e8728.
2013-11-29 17:23:38 +04:00
Ruslan Ermilov
d47c435e9e Proper backtracking after space in a request line. 2013-11-19 06:57:58 +04:00
Maxim Dounin
1ac2693a33 Upstream: cache revalidation with conditional requests.
The following new directives are introduced: proxy_cache_revalidate,
fastcgi_cache_revalidate, scgi_cache_revalidate, uwsgi_cache_revalidate.
Default is off.  When set to on, they enable cache revalidation using
conditional requests with If-Modified-Since for expired cache items.

As of now, no attempts are made to merge headers given in a 304 response
during cache revalidation with headers previously stored in a cache item.
Headers in a 304 response are only used to calculate new validity time
of a cache item.
2013-11-18 20:48:22 +04:00
Valentin Bartenev
df2fc6a9df SPDY: fixed request hang with the auth request module.
We should just call post_handler() when subrequest wants to read body, like
it happens for HTTP since rev. f458156fd46a.  An attempt to init request body
for subrequests results in hang if the body was not already read.
2013-11-11 18:49:35 +04:00
Maxim Dounin
45075adccf Gunzip: proper error handling on gunzipping an empty response.
With previous code, an empty (malformed) response resulted in a request
finalized without sending anything to a client.
2013-10-31 04:16:20 +04:00
Maxim Dounin
eea2e1262b Gunzip: "error" logging level on inflate() errors.
Errors can easily happen due to broken upstream responses, there is no
need to log them at "alert" level.
2013-10-31 04:12:53 +04:00
Maxim Dounin
f1a9f14afe Removed extra allocation for $sent_http_last_modified.
There is no need to allocate memory for "Last-Modified: " string,
the variable only contains date itself.
2013-10-31 04:02:59 +04:00
Maxim Dounin
869b4f36e5 Auth basic: "info" logging level on no user/password.
This isn't an exceptional condition and normally happens on
first request from a client.
2013-10-31 04:02:21 +04:00
Yichun Zhang
3d3fa2adc6 Gzip, gunzip: flush pending data when incoming chain is NULL. 2013-10-28 15:01:36 -07:00
Xiaochen Wang
8f3dfde7f7 Upstream: optimize loops in ngx_http_upstream_init_round_robin(). 2013-10-21 18:20:32 +08:00
Maxim Dounin
a6b7cfe967 Fixed "satisfy any" if 403 is returned after 401 (ticket #285).
The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.

The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).

Patch by Jan Marc Hoffmann.
2013-10-18 18:13:49 +04:00
Maxim Dounin
6291a29992 Headers filter: empty Cache-Control is no longer added.
Much like with other headers, "add_header Cache-Control $value;" no longer
results in anything added to response headers if $value evaluates to an
empty string.
2013-10-18 18:13:44 +04:00
Maxim Dounin
0ca52adff6 Style. 2013-10-18 18:13:35 +04:00
Piotr Sikora
79be6a5462 SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.

    ssl_session_ticket_key  session_tickets/current.key;
    ssl_session_ticket_key  session_tickets/prev-1h.key;
    ssl_session_ticket_key  session_tickets/prev-2h.key;

Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-11 16:05:24 -07:00
Maxim Dounin
5a63dcc5d7 Limit req: fixed "nodelay" parsing.
Previously arguments starting with "nodelay" were considered valid,
e.g. "limit_req ... nodelayFOO;".
2013-10-02 15:07:17 +04:00
Maxim Dounin
31d023e53e Upstream: fixed "down" and "backup" parsing.
Previously arguments starting with "down" or "backup" were considered
valid, e.g. "server ... downFOO;".
2013-10-02 15:07:15 +04:00
Sergey Kandaurov
cfb2b55e8d Unused macro and variable removed.
The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9).
The variable ngx_accept_mutex_lock_file was never used.
2013-10-02 11:51:04 +04:00
Valentin Bartenev
cca2b04f51 SPDY: ignore priority when queuing blocked frames.
With this change all such frames will be added in front of the output queue, and
will be sent first.  It prevents HOL blocking when response with higher priority
is blocked by response with lower priority in the middle of the queue because
the order of their SYN_REPLY frames cannot be changed.

Proposed by Yury Kirpichev.
2013-10-01 00:14:37 +04:00
Valentin Bartenev
4f4963e87e SPDY: set empty write handler during connection finalization.
While ngx_http_spdy_write_handler() should not make any harm with current code,
calling it during finalization of SPDY connection was not intended.
2013-10-01 00:12:30 +04:00
Valentin Bartenev
92b82c80af SPDY: fixed connection leak while waiting for request headers.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for request headers, it was a no-op since the
read event handler had been set to ngx_http_empty_handler().
2013-10-01 00:04:00 +04:00
Valentin Bartenev
6ba03097db SPDY: fixed connection leak while waiting for request body.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for a request body, it was a no-op since the
read event handler ngx_http_request_handler() calls r->read_event_handler that
had been set to ngx_http_block_reading().
2013-10-01 00:00:57 +04:00
Maxim Dounin
4b2ead8871 FastCGI: non-buffered mode support. 2013-09-27 16:50:40 +04:00
Maxim Dounin
989a71377b Upstream: subrequest_in_memory support for SCGI and uwsgi enabled.
This was missed in 9d59a8eda373 when non-buffered support was added to SCGI
and uwsgi.
2013-09-27 16:50:34 +04:00
Maxim Dounin
c4b5a1fe5e Upstream: subrequest_in_memory fix.
With previous code only part of u->buffer might be emptied in case
of special responses, resulting in partial responses seen by SSI set
in case of simple protocols, or spurious errors like "upstream sent
invalid chunked response" in case of complex ones.
2013-09-27 16:50:26 +04:00
Maxim Dounin
239c4037ce Upstream: proxy_no_cache, fastcgi_no_cache warnings removed. 2013-09-27 16:50:13 +04:00
Piotr Sikora
43736b12de Proxy: added the "proxy_ssl_ciphers" directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-23 15:58:28 -07:00
Maxim Dounin
d2ef70e97a Caseless location tree construction (ticket #90).
Location tree was always constructed using case-sensitive comparison, even
on case-insensitive systems.  This resulted in incorrect operation if
uppercase letters were used in location directives.  Notably, the
following config:

    location /a { ... }
    location /B { ... }

failed to properly map requests to "/B" into "location /B".
2013-09-23 19:37:06 +04:00
Piotr Sikora
f52a2c7585 SSL: stop loading configs with invalid "ssl_ciphers" values.
While there, remove unnecessary check in ngx_mail_ssl_module.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-22 22:36:11 -07:00
Andrei Belov
003b2cd720 Proxy: added the "proxy_ssl_protocols" directive. 2013-09-19 18:30:33 +04:00
Sergey Kandaurov
bff2b8d69f Fixed response line formatting with empty reason phrase.
As per RFC 2616 sec 6.1 the response status code is always followed by SP.
2013-09-18 18:53:26 +04:00
Valentin Bartenev
a11050ea4e Use EPOLLRDHUP in ngx_http_test_reading() (ticket #320).
This allows to detect client connection close with pending data when
the ngx_http_test_reading() request event handler is set.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
096678ced4 Upstream: use EPOLLRDHUP to check broken connections (ticket #320).
This allows to detect client connection close with pending data on Linux
while processing upstream.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
d034e63a11 Return reason phrase for 414.
After 62be77b0608f nginx can return this code.
2013-09-03 21:07:19 +04:00
Maxim Dounin
d33225db58 Upstream: fixed $upstream_response_time format specifiers. 2013-09-04 21:30:09 +04:00
Maxim Dounin
f108b28038 Fixed incorrect response line on "return 203".
Reported by Weibin Yao,
http://mailman.nginx.org/pipermail/nginx-devel/2013-April/003607.html.
2013-09-04 21:17:01 +04:00
Maxim Dounin
4b189002af Request cleanup code unified, no functional changes.
Additionally, detaching a cleanup chain from a request is a bit more resilent
to various bugs if any.
2013-09-04 21:17:00 +04:00
Maxim Dounin
2b0dba578f Handling of ngx_int_t != intptr_t case.
Casts between pointers and integers produce warnings on size mismatch.  To
silence them, cast to (u)intptr_t should be used.  Prevoiusly, casts to
ngx_(u)int_t were used in some cases, and several ngx_int_t expressions had
no casts.

As of now it's mostly style as ngx_int_t is defined as intptr_t.
2013-09-04 21:16:59 +04:00
Maxim Dounin
5ab74625d6 Win32: $request_time fixed.
On win32, time_t is 64 bits wide by default, and passing an ngx_msec_int_t
argument for %T format specifier doesn't work.  This doesn't manifest itself
on other platforms as time_t and ngx_msec_int_t are usually of the same size.
2013-09-04 20:48:30 +04:00
Maxim Dounin
74b7a91013 Win32: Borland C compatibility fixes.
Several false positive warnings silenced, notably W8012 "Comparing
signed and unsigned" (due to u_short values promoted to int), and
W8072 "Suspicious pointer arithmetic" (due to large type values added
to pointers).

With this patch, it's now again possible to compile nginx using bcc32,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:23 +04:00
Maxim Dounin
5b37852323 Win32: Open Watcom C compatibility fixes.
Precompiled headers are disabled as they lead to internal compiler errors
with long configure lines.  Couple of false positive warnings silenced.
Various win32 typedefs are adjusted to work with Open Watcom C 1.9 headers.

With this patch, it's now again possible to compile nginx using owc386,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:22 +04:00
Valentin Bartenev
3d7d48e52c Assume the HTTP/1.0 version by default.
It is believed to be better than fallback to HTTP/0.9, because most of
the clients at present time support HTTP/1.0.  It allows nginx to return
error response code for them in cases when it fail to parse request line,
and therefore fail to detect client protocol version.

Even if the client does not support HTTP/1.0, this assumption should not
cause any harm, since from the HTTP/0.9 point of view it still a valid
response.
2013-09-02 03:45:14 +04:00
Maxim Dounin
9f46a9df86 Upstream: setting u->header_sent before ngx_http_upstream_upgrade().
Without u->header_sent set a special response might be generated following
an upgraded connection.  The problem appeared in 1ccdda1f37f3 (1.5.3).
Catched by "header already sent" alerts in 1.5.4 after upstream timeouts.
2013-08-30 21:44:16 +04:00
Valentin Bartenev
6d7ec5009a Referer: fixed hostname buffer overflow check.
Because of premature check the effective buffer size was 255 symbols
while the buffer is able to handle 256.
2013-08-29 22:35:54 +04:00
Sergey Kandaurov
e4209c0269 Referer: "server_names" parsing deferred to merge phase.
This allows to approach "server_name" values specified below the
"valid_referers" directive when used within the "server_names" parameter, e.g.:

    server_name  example.org;
    valid_referers server_names;
    server_name  example.com;

As a bonus, this fixes bogus error with "server_names" specified several times.
2013-08-29 22:35:27 +04:00
Sergey Kandaurov
8658c5b8a1 Referer: fixed server_name regex matching.
The server_name regexes are normally compiled for case-sensitive matching.
This violates case-insensitive obligations in the referer module.  To fix
this, the host string is converted to lower case before matching.

Previously server_name regex was executed against the whole referer string
after dropping the scheme part.  This could led to an improper matching, e.g.:

    server_name ~^localhost$;
    valid_referers server_names;

    Referer: http://localhost/index.html

It was changed to look only at the hostname part.

The server_name regexes are separated into another array to not clash with
regular regexes.
2013-08-29 22:35:26 +04:00
Sergey Kandaurov
3ef0dfa145 Referer: fixed error type usage inconsistency for ngx_http_add*(). 2013-08-29 22:35:26 +04:00
Lanshun Zhou
be23dcb1a1 Image filter: large image handling.
If Content-Length header is not set, and the image size is larger than the
buffer size, client will hang until a timeout occurs.

Now NGX_HTTP_UNSUPPORTED_MEDIA_TYPE is returned immediately.

diff -r d1403de41631 -r 4fae04f332b4
src/http/modules/ngx_http_image_filter_module.c
2013-08-28 00:19:07 +08:00
Maxim Dounin
d2d8b82b87 Cache: lock timeouts are now logged at info level. 2013-08-23 22:18:54 +04:00
Maxim Dounin
73ec75a974 Upstream: posted requests handling after ssl handshake errors.
Missing call to ngx_http_run_posted_request() resulted in a main request hang
if subrequest's ssl handshake with an upstream server failed for some reason.

Reported by Aviram Cohen.
2013-08-23 22:18:46 +04:00
Maxim Dounin
0f49681f28 Fixed try_files with empty argument (ticket #390). 2013-08-23 22:18:39 +04:00
Sergey Kandaurov
0fea0bf3f7 Added safety belt for the case of sending header twice.
The aforementioned situation is abnormal per se and as such it now forces
request termination with appropriate error message.
2013-07-30 15:04:46 +04:00
Sergey Kandaurov
2b2def7891 Autoindex: improved ngx_de_info() error handling.
This allows to build a directory listing whenever a loop exists in symbolic
link resolution of the path argument.
2013-07-30 11:43:21 +04:00
Sergey Kandaurov
eb3fed9338 Autoindex: return NGX_ERROR on error if headers were sent.
This prevents ngx_http_finalize_request() from issuing
ngx_http_special_response_handler() on a freed context.
2013-07-30 11:43:21 +04:00
Maxim Dounin
92f0126269 Style improved after 12dd27b74117. 2013-08-20 21:33:43 +04:00
Maxim Dounin
e3cab76758 Backed out f1a91825730a and 7094bd12c1ff.
While ngx_get_full_name() might have a bit more descriptive arguments,
the ngx_conf_full_name() is generally easier to use when parsing
configuration and limits exposure of cycle->prefix / cycle->conf_prefix
details.
2013-08-20 21:11:19 +04:00
Maxim Dounin
4c53a38fb5 Auth request module import. 2013-08-21 19:19:47 +04:00
Maxim Dounin
0a6efeee71 Minor ngx_http_parse_request_line() optimization.
Noted by Nils Kuhnhenn.
2013-08-21 12:51:31 +04:00
Sergey Kandaurov
e09741ba06 Format specifier fixes in error logging. 2013-08-20 20:47:16 +04:00
Valentin Bartenev
c189eda9e6 SPDY: alert about activated fake events instead of deleting them.
They refer to the same socket descriptor as our real connection, and
deleting them will stop processing of the connection.

Events of fake connections must not be activated, and if it happened there
is nothing we can do.  The whole processing should be terminated as soon as
possible, but it is not obvious how to do this safely.
2013-08-15 19:16:12 +04:00
Valentin Bartenev
db8a0c8bf1 SPDY: do not reject headers with empty value (ticket #396).
A quote from SPDY draft 2 specification: "The length of each name and
value must be greater than zero.  A receiver of a zero-length name or
value must send a RST_STREAM with code PROTOCOL error."

But it appears that Chrome browser allows sending requests over SPDY/2
connection using JavaScript that contain headers with empty values.

For better compatibility across SPDY clients and to be compliant with
HTTP, such headers are no longer rejected.

Also, it is worth noting that in SPDY draft 3 the statement has been
changed so that it permits empty values for headers.
2013-08-15 19:16:09 +04:00
Valentin Bartenev
3be925b6e3 SPDY: fixed corruption of headers with names longer than 255.
It is a bad idea to put zero byte in position where the length of
the next header name can be stored before it was parsed.
2013-08-15 19:14:58 +04:00
Sergey Kandaurov
9aaf256e40 Referer module: fixed regex matching against HTTPS referers.
When matching a compiled regex against value in the "Referer" header field,
the length was calculated incorrectly for strings that start from "https://".
This might cause matching to fail for regexes with end-of-line anchors.

Patch by Liangbin Li.
2013-08-13 17:47:04 +04:00
Valentin Bartenev
d29d21bade Replaced ngx_conf_full_name() with ngx_get_full_name().
The ngx_get_full_name() function takes more readable arguments list.
2013-08-06 19:58:40 +04:00
Valentin Bartenev
3c5bd34771 Fixed memory leaks in the root and auth_basic_user_file directives.
If a relative path is set by variables, then the ngx_conf_full_name()
function was called while processing requests, which causes allocations
from the cycle pool.

A new function that takes pool as an argument was introduced.
2013-08-06 19:58:40 +04:00
Valentin Bartenev
1b7bc34218 Image filter: use "application/json" MIME type for JSON output.
As it is defined by RFC 4627, and allows for various browser tools like
JSONView to display JSON well-formatted.
2013-08-05 14:30:03 +04:00
Valentin Bartenev
3086ab2996 MIME: use "application/javascript" for .js files.
Though there are several MIME types commonly used for JavaScript nowadays,
the most common being "text/javascript", "application/javascript", and
currently used by nginx "application/x-javascript", RFC 4329 prefers
"application/javascript".

The "charset_types" directive's default value was adjusted accordingly.
2013-07-31 23:40:46 +04:00
Sergey Kandaurov
ab1c05272a Perl: fixed syntax usage for C preprocessor directives.
As per perlxs, C preprocessor directives should be at the first
non-whitespace of a line to avoid interpreting them as comments.

#if and #endif are moved so that there are no blank lines before them
to retain them as part of the function body.
2013-07-29 17:30:01 +04:00
Ruslan Ermilov
e49d933ebc Upstream: reliably detect connection failures with SSL peers. 2013-07-29 13:23:16 +04:00
Maxim Dounin
5274f023a2 Upstream: no last buffer on errors.
Previously, after sending a header we always sent a last buffer and
finalized a request with code 0, even in case of errors.  In some cases
this resulted in a loss of ability to detect the response wasn't complete
(e.g. if Content-Length was removed from a response by gzip filter).

This change tries to propogate to a client information that a response
isn't complete in such cases.  In particular, with this change we no longer
pretend a returned response is complete if we wasn't able to create
a temporary file.

If an error code suggests the error wasn't fatal, we flush buffered data
and disable keepalive, then finalize request normally.  This allows to to
propogate information about a problem to a client, while still sending all
the data we've got from an upstream.
2013-07-25 15:00:41 +04:00
Maxim Dounin
78aacc838b Upstream: request finalization rework.
No semantic changes expected, though some checks are done differently.
In particular, the r->cached flag is no longer explicitly checked.  Instead,
we relay on u->header_sent not being set if a response is sent from
a cache.
2013-07-25 15:00:29 +04:00
Maxim Dounin
86277254dd Upstream: NGX_HTTP_CLIENT_CLOSED_REQUEST no longer reset to 0.
The NGX_HTTP_CLIENT_CLOSED_REQUEST code is allowed to happen after we
started sending a response (much like NGX_HTTP_REQUEST_TIME_OUT), so there
is no need to reset response code to 0 in this case.
2013-07-25 15:00:25 +04:00
Maxim Dounin
960d0bfe34 Upstream: added check if a response is complete.
Checks were added to both buffered and unbuffered code paths to detect
and complain if a response is incomplete.  Appropriate error codes are
now passed to ngx_http_upstream_finalize_request().

With this change in unbuffered mode we now use u->length set to -1 as an
indicator that EOF is allowed per protocol and used to indicate response
end (much like its with p->length in buffered mode).  Proxy module was
changed to set u->length to 1 (instead of previously used -1) in case of
chunked transfer encoding used to comply with the above.
2013-07-25 15:00:12 +04:00
Maxim Dounin
416b922bd2 Upstream: u->length now defaults to -1 (API change).
That is, by default we assume that response end is signalled by
a connection close.  This seems to be better default, and in line
with u->pipe->length behaviour.

Memcached module was modified accordingly.
2013-07-25 14:58:11 +04:00
Maxim Dounin
187f3948ed Upstream: fixed store/cache of unfinished responses.
In case of upstream eof, only responses with u->pipe->length == -1
are now cached/stored.  This ensures that unfinished chunked responses
are not cached.

Note well - previously used checks for u->headers_in.content_length_n are
preserved.  This provides an additional level of protection if protol data
disagree with Content-Length header provided (e.g., a FastCGI response
is sent with wrong Content-Length, or an incomple SCGI or uwsgi response),
as well as protects from storing of responses to HEAD requests.  This should
be reconsidered if we'll consider caching of responses to HEAD requests.
2013-07-25 14:56:59 +04:00
Maxim Dounin
eafe44ff79 Upstream: replaced u->pipe->temp_file with p->temp_file.
While here, redundant parentheses removed.  No functional changes.
2013-07-25 14:56:49 +04:00
Maxim Dounin
e6122efbfe Upstream: NGX_ERROR after pipe errors. 2013-07-25 14:56:41 +04:00
Maxim Dounin
8536fb79ca Upstream: NGX_HTTP_GATEWAY_TIME_OUT after upstream timeouts.
There is no real difference from previously used 0 as NGX_HTTP_* will
become 0 in ngx_http_upstream_finalize_request(), but the change
preserves information about a timeout a bit longer.  Previous use of
ETIMEDOUT in one place was just wrong.

Note well that with cacheable responses there will be a difference
(code in ngx_http_upstream_finalize_request() will store the error
in cache), though this change doesn't touch cacheable case.
2013-07-25 14:56:20 +04:00
Maxim Dounin
d23dc7d427 Upstream: ngx_http_upstream_finalize_request(NGX_ERROR) on errors.
Previously, ngx_http_upstream_finalize_request(0) was used in most
cases after errors.  While with current code there is no difference,
use of NGX_ERROR allows to pass a bit more information into
ngx_http_upstream_finalize_request().
2013-07-25 14:56:13 +04:00
Maxim Dounin
76e1571749 Upstream: consistent error handling after u->input_filter_init().
In all cases ngx_http_upstream_finalize_request() with NGX_ERROR now used.
Previously used NGX_HTTP_INTERNAL_SERVER_ERROR in the subrequest in memory
case don't cause any harm, but inconsistent with other uses.
2013-07-25 14:56:00 +04:00
Maxim Dounin
9f925b8c77 Upstream: busy lock remnants removed. 2013-07-25 14:55:59 +04:00
Maxim Dounin
ec021eda55 Upstream: stale comments removed. 2013-06-13 19:52:31 +04:00
Maxim Dounin
84d2ecf87e Gzip: clearing of c->buffered if all data are flushed.
This allows to finalize unfinished responses while still sending as
much data as available.
2013-07-25 14:55:32 +04:00
Maxim Dounin
f52042498d Fixed ngx_http_test_reading() to finalize request properly.
Previous code called ngx_http_finalize_request() with rc = 0.  This is
ok if a response status was already set, but resulted in "000" being
logged if it wasn't.  In particular this happened with limit_req
if a connection was prematurely closed during limit_req delay.
2013-06-14 20:56:07 +04:00
Maxim Dounin
1936a67647 Sub filter: fixed matching after a partial match.
After a failed partial match we now check if there is another partial
match in previously matched substring to fix cases like "aab" in "aaab".

The ctx->saved string is now always sent if it's present on return
from the ngx_http_sub_parse() function (and reset accordingly).  This
allows to release parts of previously matched data.
2013-07-25 14:54:53 +04:00
Maxim Dounin
ce7a5a0537 Sub filter: fixed incomplete last buffer on partial match.
If a pattern was partially matched at a response end, partially matched
string wasn't send.  E.g., a response "fo" was truncated to an empty response
if partially mathed by a pattern "foo".
2013-07-25 14:54:48 +04:00
Maxim Dounin
68fab7c8c4 Sub filter: flush buffers handling. 2013-07-25 14:54:47 +04:00
Maxim Dounin
8d568c7ae0 Sub filter: switched to ngx_chain_get_free_buf().
No functional changes.
2013-07-25 14:54:45 +04:00
Maxim Dounin
3961ef2318 Sub filter: stale comments removed. 2013-07-25 14:54:43 +04:00
Valentin Bartenev
32e167e211 SPDY: fixed segfault with "client_body_in_file_only" enabled.
It is possible to send FLAG_FIN in additional empty data frame, even if it is
known from the content-length header that request body is empty.  And Firefox
actually behaves like this (see ticket #357).

To simplify code we sacrificed our microoptimization that did not work right
due to missing check in the ngx_http_spdy_state_data() function for rb->buf
set to NULL.
2013-07-24 22:24:25 +04:00
Maxim Dounin
809d05769b Xslt: exsltRegisterAll() moved to preconfiguration.
The exsltRegisterAll() needs to be called before XSLT stylesheets
are compiled, else stylesheet compilation hooks will not work.  This
change fixes EXSLT Functions extension.
2013-07-19 15:59:50 +04:00
Maxim Dounin
d10251030a Style. 2013-07-11 20:38:27 +04:00
Vladimir Homutov
af18946d76 Core: extended ngx_sock_ntop() with socklen parameter.
On Linux, sockaddr length is required to process unix socket addresses properly
due to unnamed sockets (which don't have sun_path set at all) and abstract
namespace sockets.
2013-07-11 16:07:25 +04:00
Ruslan Ermilov
523191ec89 Upstream: updated list of ngx_event_connect_peer() return values.
ngx_http_upstream_get_keepalive_peer() may return NGX_DONE to
indicate that the cached keepalive connection is reused.
2013-07-03 12:04:13 +04:00