Commit Graph

3013 Commits

Author SHA1 Message Date
Maxim Dounin
cc74c63d39 Fixed variables prefix comparison.
Variable names are not null-terminated, so using ngx_strncmp() without
extra length checks is wrong.

Reported by Markus Linnala,
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007211.html.
2015-10-19 21:28:17 +03:00
Maxim Dounin
b9e0b9df44 Fixed handling of empty root.
Previously, a configuration with "root" set to an empty string tried test
a character at clcf->root.data[-1].  Additional test added to make sure
this won't happen.

Reported by Markus Linnala, see
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007210.html.
2015-10-19 21:28:02 +03:00
Valentin Bartenev
7d2af13f3a HTTP/2: fixed parsing of literal header fields without indexing. 2015-10-19 16:16:47 +03:00
Valentin Bartenev
20669d1949 HTTP/2: fixed $server_protocol value (ticket #800). 2015-09-28 20:02:05 +03:00
Maxim Dounin
49b17956f9 Style. 2015-09-22 17:09:50 +03:00
Valentin Bartenev
a0d7df93a0 Increased the default number of output buffers.
Since an output buffer can only be used for either reading or sending, small
amounts of data left from the previous operation (due to some limits) must be
sent before nginx will be able to read further into the buffer.  Using only
one output buffer can result in suboptimal behavior that manifests itself in
forming and sending too small chunks of data.  This is particularly painful
with SPDY (or HTTP/2) where each such chunk needs to be prefixed with some
header.

The default flow-control window in HTTP/2 is 64k minus one bytes.  With one
32k output buffer this results is one byte left after exhausting the window.
With two 32k buffers the data will be read into the second free buffer before
sending, thus the minimum output is increased to 32k + 1 bytes which is much
better.
2015-09-15 17:49:15 +03:00
Valentin Bartenev
61e1f16d90 HTTP/2: fixed header block parsing with CONTINUATION frames (#792).
It appears that the CONTINUATION frames don't need to be aligned to bounds of
individual headers.
2015-09-22 01:40:04 +03:00
Valentin Bartenev
a27d0bd00d HTTP/2: fixed HPACK header field parsing. 2015-09-22 01:40:04 +03:00
Roman Arutyunyan
f64ff24451 Sub filter: fixed initialization in http{} level (ticket #791).
If sub_filter directive was only specified at http{} level, sub filter
internal data remained uninitialized.  That would lead to a crash in runtime.
2015-09-21 23:08:34 +03:00
Valentin Bartenev
ee37ff613f The HTTP/2 implementation (RFC 7240, 7241).
The SPDY support is removed, as it's incompatible with the new module.
2015-09-11 20:13:06 +03:00
Maxim Dounin
7930a6c442 Fixed segfault with incorrect location nesting.
A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created.  Example configuration to reproduce the problem:

    location "" {
        location @foo {}
    }

Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.

Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.

Reported by Markus Linnala.
Found with afl-fuzz.
2015-09-11 17:04:04 +03:00
Maxim Dounin
ce05841eef Cache: check the whole cache key in addition to hashes.
This prevents a potential attack that discloses cached data if an attacker
will be able to craft a hash collision between some cache key the attacker
is allowed to access and another cache key with protected data.

See http://mailman.nginx.org/pipermail/nginx-devel/2015-September/007288.html.

Thanks to Gena Makhomed and Sergey Brester.
2015-09-11 17:03:56 +03:00
Roman Arutyunyan
51f714c85d Upstream: fixed cache send error handling.
The value of NGX_ERROR, returned from filter handlers, was treated as a generic
upstream error and changed to NGX_HTTP_INTERNAL_SERVER_ERROR before calling
ngx_http_finalize_request().  This resulted in "header already sent" alert
if header was already sent in filter handlers.

The problem appeared in 54e9b83d00f0 (1.7.5).
2015-09-03 15:09:21 +03:00
Valentin Bartenev
5e0b936a07 Decreased the NGX_HTTP_MAX_SUBREQUESTS limit.
There is no much sense in such a big value since its semantics
has been changed in 06e850859a26 to limit recursive subrequests.
2015-08-31 23:26:33 +03:00
Valentin Bartenev
4ec67cf86f Added protection against r->main->count overflow by subrequests.
This overflow has become possible after the change in 06e850859a26,
since concurrent subrequests are not limited now and each of them is
counted in r->main->count.
2015-08-31 23:25:16 +03:00
Valentin Bartenev
0d3b15729c Limit recursive subrequests instead of simultaneous. 2015-08-23 21:03:32 +03:00
Maxim Dounin
2e004237c5 Perl: prototyping behavior explicitly specified.
When prototyping behavior is not explicitly specified, xsubpp emits
a message to stderr asking to do so (see ticket #608).
2015-08-18 16:26:18 +03:00
Maxim Dounin
a0aea61b50 Perl: fixed warning about "sep" may be used uninitialized. 2015-08-18 16:26:05 +03:00
Maxim Dounin
84b0ad63fb Win32: MSVC 2015 compatibility.
Resolved warnings about declarations that hide previous local declarations.
Warnings about WSASocketA() being deprecated resolved by explicit use of
WSASocketW() instead of WSASocket().  When compiling without IPv6 support,
WinSock deprecated warnings are disabled to allow use of gethostbyname().
2015-08-17 18:09:17 +03:00
Dmitry Volyntsev
1576cd10aa Sub filter: support of variables in the strings to replace. 2015-08-17 17:42:02 +03:00
Dmitry Volyntsev
934b49923c Sub filter: support of multiple strings to replace. 2015-08-17 17:42:02 +03:00
Maxim Dounin
05982ffdf5 Fixed wrong URI after try_files in nested location (ticket #97).
The following configuration with alias, nested location and try_files
resulted in wrong file being used.  Request "/foo/test.gif" tried to
use "/tmp//foo/test.gif" instead of "/tmp/test.gif":

    location /foo/ {
        alias /tmp/;
        location ~ gif {
            try_files $uri =405;
        }
    }

Additionally, rev. c985d90a8d1f introduced a regression if
the "/tmp//foo/test.gif" file was found (ticket #768).  Resulting URI
was set to "gif?/foo/test.gif", as the code used clcf->name of current
location ("location ~ gif") instead of parent one ("location /foo/").

Fix is to use r->uri instead of clcf->name in all cases in the
ngx_http_core_try_files_phase() function.  It is expected to be
already matched and identical to the clcf->name of the right
location.
2015-08-16 10:51:34 +03:00
Maxim Dounin
4fec72dc8c Fixed segfault with try_files introduced by c985d90a8d1f.
If alias was used in a location given by a regular expression,
nginx used to do wrong thing in try_files if a location name (i.e.,
regular expression) was an exact prefix of URI.  The following
configuration triggered a segmentation fault on a request to "/mail":

    location ~ /mail {
        alias /path/to/directory;
        try_files $uri =404;
    }

Reported by Per Hansson.
2015-08-16 10:51:16 +03:00
Valentin Bartenev
50ff8b3c3a Core: idle connections now closed only once on exiting.
Iterating through all connections takes a lot of CPU time, especially
with large number of worker connections configured.  As a result
nginx processes used to consume CPU time during graceful shutdown.
To mitigate this we now only do a full scan for idle connections when
shutdown signal is received.

Transitions of connections to idle ones are now expected to be
avoided if the ngx_exiting flag is set.  The upstream keepalive module
was modified to follow this.
2015-08-11 16:28:55 +03:00
Ruslan Ermilov
6dc03bf1a4 Fixed strict aliasing warnings with old GCC versions. 2015-07-16 14:20:48 +03:00
Ruslan Ermilov
1e94ab0db0 Upstream: fixed shared upstreams on win32. 2015-06-16 00:43:00 +03:00
Vladimir Homutov
b7a8f2a08f Disabled duplicate http, mail, and stream blocks.
Such configurations have very limited use, introduce various problems and
are not officially supported.
2015-06-16 23:28:38 +03:00
Roman Arutyunyan
4404c3fd6d Core: renamed ngx_proxy_protocol_parse to ngx_proxy_protocol_read.
The new name is consistent with the ngx_proxy_protocol_write function.
2015-06-16 13:45:19 +03:00
Maxim Dounin
9984f3053f Moved ngx_http_parse_time() to core, renamed accordingly.
The function is now called ngx_parse_http_time(), and can be used by
any code to parse HTTP-style date and time.  In particular, it will be
used for OCSP stapling.

For compatibility, a macro to map ngx_http_parse_time() to the new name
provided for a while.
2015-06-11 20:42:31 +03:00
Maxim Dounin
dd41bfd47a Removed unused ngx_http_get_time() declaration. 2015-06-11 20:42:24 +03:00
Roman Arutyunyan
f5d79ffb82 Upstream keepalive: reduced diffs to the plus version of nginx. 2015-06-04 23:46:44 +03:00
Maxim Dounin
724f0f028e Disabled SSLv3 by default (ticket #653). 2015-05-25 17:58:20 +03:00
Ruslan Ermilov
941a6995d7 Upstream: report to error_log when max_fails is reached.
This can be useful to understand why "no live upstreams" happens,
in particular.
2015-05-20 22:44:00 +03:00
Maxim Dounin
f7f1607bf2 The "reuseport" option of the "listen" directive.
When configured, an individual listen socket on a given address is
created for each worker process.  This allows to reduce in-kernel lock
contention on configurations with high accept rates, resulting in better
performance.  As of now it works on Linux and DragonFly BSD.

Note that on Linux incoming connection requests are currently tied up
to a specific listen socket, and if some sockets are closed, connection
requests will be reset, see https://lwn.net/Articles/542629/.  With
nginx, this may happen if the number of worker processes is reduced.
There is no such problem on DragonFly BSD.

Based on previous work by Sepherosa Ziehau and Yingqi Lu.
2015-05-20 15:51:56 +03:00
Maxim Dounin
d5c34785bc Simplified ngx_http_init_listening().
There is no need to set "i" to 0, as it's expected to be 0 assuming
the bindings are properly sorted, and we already rely on this when
explicitly set hport->naddrs to 1.  Remaining conditional code is
replaced with identical "hport->naddrs = i + 1".

Identical modifications are done in the mail and stream modules,
in the ngx_mail_optimize_servers() and ngx_stream_optimize_servers()
functions, respectively.

No functional changes.
2015-05-20 15:51:28 +03:00
Sergey Kandaurov
3670726bd3 Upstream hash: consistency across little/big endianness. 2015-05-18 16:05:44 +03:00
Ruslan Ermilov
4b9b16d27d Upstream: $upstream_connect_time.
The variable keeps time spent on establishing a connection with
the upstream server.
2015-05-16 01:32:27 +03:00
Ruslan Ermilov
b070e2d713 Upstream: times to obtain header/response are stored as ngx_msec_t. 2015-05-16 01:31:04 +03:00
Ruslan Ermilov
ea2f4d9175 Removed deprecated HTTP directives. 2015-04-29 13:52:49 +03:00
Vladimir Homutov
df555ffce6 Core: the ngx_set_connection_log() macro.
The http and stream versions of this macro were identical.
2015-04-25 22:44:02 +03:00
Roman Arutyunyan
d61f21c5e8 Merge proxy_protocol setting of listen directives.
It's now enough to specify proxy_protocol option in one listen directive to
enable it in all servers listening on the same address/port.  Previously,
the setting from the first directive was always used.
2015-04-24 10:54:06 +03:00
Ruslan Ermilov
33b8e5bc06 Removed the obsolete rtsig module. 2015-04-23 14:17:40 +03:00
Ruslan Ermilov
c1882d9f3f Removed the obsolete aio module. 2015-04-22 18:57:32 +03:00
Ruslan Ermilov
25ddb49dbe Upstream: allow multiple upstreams to use the same shared zone. 2015-04-22 18:37:34 +03:00
Martin Mlynář
958d4a0b1f Memcached: enabled ranges. 2015-04-21 21:04:36 +02:00
Ruslan Ermilov
673941f81d Upstream: simplified ip_hash and hash peer selection code.
Now that peers are stored as a list, the weighted and unweighted
cases became nearly identical.
2015-04-21 19:09:04 +03:00
Sergey Kandaurov
1ff5515e70 Limit req: removed check for unknown limit_req_zone.
With 48b3d5ddfb03, it's possible to specify limit_req_zone after limit_req.
2015-04-20 16:54:41 +03:00
Ruslan Ermilov
a2dac51398 Upstream: fixed unlocked access to peer->conns. 2015-04-19 22:41:09 +03:00
Ruslan Ermilov
7c44e39220 Upstream: get rid of questionable micro-optimization in ip_hash.
If a peer was initially skipped due to max_fails, there's no reason
not to try it again if enough time has passed, and the next_upstream
logic is in action.

This also reduces diffs with NGINX Plus.
2015-04-16 20:09:11 +03:00
Ruslan Ermilov
cf31347ee8 Upstream: the "zone" directive.
Upstreams with the "zone" directive are kept in shared memory,
with a consistent view of all worker processes.
2015-04-14 19:01:25 +03:00