Commit Graph

202 Commits

Author SHA1 Message Date
Niklas Keller
c18658e9fe Upstream hash: fall back to round-robin if hash key is empty. 2019-05-23 16:49:22 +03:00
Sergey Kandaurov
c17bc31d41 SSL: removed OpenSSL 0.9.7 compatibility. 2016-04-11 15:46:36 +03:00
Ruslan Ermilov
27b3d3dcca Variables support in proxy_upload_rate and proxy_download_rate. 2019-04-24 16:38:56 +03:00
Ruslan Ermilov
2ace7fc3e6 Added ngx_http_set_complex_value_size_slot().
If a complex value is expected to be of type size_t, and the compiled
value is constant, the constant size_t value is remembered at compile
time.

The value is accessed through ngx_http_complex_value_size() which
either returns the remembered constant or evaluates the expression
and parses it as size_t.
2019-04-24 16:38:51 +03:00
Roman Arutyunyan
4e17b93eb6 Multiple addresses in "listen".
Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.
2019-03-15 15:45:56 +03:00
Maxim Dounin
fe43346dc3 SSL: fixed potential leak on memory allocation errors.
If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.
2019-03-03 16:48:39 +03:00
Maxim Dounin
fd97b2a80f SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.

Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.

To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.
2019-03-03 16:47:44 +03:00
Maxim Dounin
1a30d79c42 SSL: fixed possible segfault with dynamic certificates.
A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.
2019-02-25 21:16:26 +03:00
Maxim Dounin
ecfab06cb2 SSL: adjusted session id context with dynamic certificates.
Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.
2019-02-25 16:42:54 +03:00
Maxim Dounin
fbcb0c8a33 SSL: dynamic certificate loading in the stream module. 2019-02-25 16:42:43 +03:00
Roman Arutyunyan
12645b46e9 Stream: do not split datagrams when limiting proxy rate.
Previously, when using proxy_upload_rate and proxy_download_rate, the buffer
size for reading from a socket could be reduced as a result of rate limiting.
For connection-oriented protocols this behavior is normal since unread data will
normally be read at the next iteration.  But for datagram-oriented protocols
this is not the case, and unread part of the datagram is lost.

Now buffer size is not limited for datagrams.  Rate limiting still works in this
case by delaying the next reading event.
2018-12-27 19:37:34 +03:00
Roman Arutyunyan
36a0713244 Prevented scheduling events on a shared connection.
A shared connection does not own its file descriptor, which means that
ngx_handle_read_event/ngx_handle_write_event calls should do nothing for it.
Currently the c->shared flag is checked in several places in the stream proxy
module prior to calling these functions.  However it was not done everywhere.
Missing checks could lead to calling
ngx_handle_read_event/ngx_handle_write_event on shared connections.

The problem manifested itself when using proxy_upload_rate and resulted in
either duplicate file descriptor error (e.g. with epoll) or incorrect further
udp packet processing (e.g. with kqueue).

The fix is to set and reset the event active flag in a way that prevents
ngx_handle_read_event/ngx_handle_write_event from scheduling socket events.
2019-01-14 20:36:23 +03:00
Maxim Dounin
ce4a23d144 Geo: fixed handling of AF_UNIX client addresses (ticket #1684).
Previously, AF_UNIX client addresses were handled as AF_INET, leading
to unexpected results.
2018-12-14 18:11:06 +03:00
Maxim Dounin
f4c70589ce Negative size buffers detection.
In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.

While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.
2018-11-26 18:29:56 +03:00
Vladimir Homutov
c241467318 Upstream: revised upstream response time variables.
Variables now do not depend on presence of the HTTP status code in response.
If the corresponding event occurred, variables contain time between request
creation and the event, and "-" otherwise.

Previously, intermediate value of the $upstream_response_time variable held
unix timestamp.
2018-11-21 13:40:40 +03:00
Vladimir Homutov
41a451e286 Stream: proxy_requests directive.
The directive allows to drop binding between a client and existing UDP stream
session after receiving a specified number of packets.  First packet from the
same client address and port will start a new session.  Old session continues
to exist and will terminate at moment defined by configuration: either after
receiving the expected number of responses, or after timeout, as specified by
the "proxy_responses" and/or "proxy_timeout" directives.

By default, proxy_requests is zero (disabled).
2018-11-12 16:29:30 +03:00
Vladimir Homutov
abf04ed87a Stream: session completion check code moved to a separate function.
The code refactored to simplify the ngx_stream_proxy_process() function
and facilitate adding new session termination conditions.
2018-11-12 12:05:03 +03:00
Vladimir Homutov
1305b8414d Upstream: proxy_socket_keepalive and friends.
The directives enable the use of the SO_KEEPALIVE option on
upstream connections.  By default, the value is left unchanged.
2018-10-03 14:08:51 +03:00
Roman Arutyunyan
d9908c6c9a Stream: avoid potential infinite loop at preread phase.
Previously the preread phase code ignored NGX_AGAIN value returned from
c->recv() and relied only on c->read->ready.  But this flag is not reliable and
should only be checked for optimization purposes.  For example, when using
SSL, c->read->ready may be set when no input is available.  This can lead to
calling preread handler infinitely in a loop.
2018-08-29 15:56:42 +03:00
Sergey Kandaurov
b93931ae82 Stream ssl_preread: added SSLv2 Client Hello support.
In particular, it was not possible to obtain SSLv2 protocol version.
2018-07-18 18:51:25 +03:00
Sergey Kandaurov
d5a27006e0 SSL: save sessions for upstream peers using a callback function.
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
2018-07-17 12:53:23 +03:00
Maxim Dounin
751bdd3bb2 Events: moved sockets cloning to ngx_event_init_conf().
Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.
2018-07-12 19:50:02 +03:00
Roman Arutyunyan
a8e38e2a9c Stream ssl_preread: $ssl_preread_protocol variable.
The variable keeps the latest SSL protocol version supported by the client.
The variable has the same format as $ssl_protocol.

The version is read from the client_version field of ClientHello.  If the
supported_versions extension is present in the ClientHello, then the version
is set to TLSv1.3.
2018-07-11 17:56:51 +03:00
Vladimir Homutov
0c4ccbea23 Upstream: ngx_http_upstream_random module.
The module implements random load-balancing algorithm with optional second
choice.  In the latter case, the best of two servers is chosen, accounting
number of connections and server weight.

Example:

upstream u {
    random [two [least_conn]];

    server 127.0.0.1:8080;
    server 127.0.0.1:8081;
    server 127.0.0.1:8082;
    server 127.0.0.1:8083;
}
2018-06-15 11:46:14 +03:00
Ruslan Ermilov
2eab9efbe4 Upstream: improved peer selection concurrency for hash and ip_hash. 2018-06-14 07:03:50 +03:00
Roman Arutyunyan
96b6f215b8 Stream: udp streams.
Previously, only one client packet could be processed in a udp stream session
even though multiple response packets were supported.  Now multiple packets
coming from the same client address and port are delivered to the same stream
session.

If it's required to maintain a single stream of data, nginx should be
configured in a way that all packets from a client are delivered to the same
worker.  On Linux and DragonFly BSD the "reuseport" parameter should be
specified for this.  Other systems do not currently provide appropriate
mechanisms.  For these systems a single stream of udp packets is only
guaranteed in single-worker configurations.

The proxy_response directive now specifies how many packets are expected in
response to a single client packet.
2018-06-04 19:50:00 +03:00
Sergey Kandaurov
68b50f71e1 Silenced -Wcast-function-type warnings (closes #1546).
Cast to intermediate "void *" to lose compiler knowledge about the original
type and pass the warning.  This is not a real fix but rather a workaround.

Found by gcc8.
2018-05-07 09:54:37 +00:00
Maxim Dounin
76be1ea9de SSL: detect "listen ... ssl" without certificates (ticket #178).
In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.
2018-04-24 15:29:01 +03:00
Roman Arutyunyan
f39d5e8b33 Stream: set action before each recv/send while proxying.
Now it's clear from log error message if the error occurred on client or
upstream side.
2018-03-22 18:43:49 +03:00
Roman Arutyunyan
b84b67bc0f Style. 2018-03-12 18:38:53 +03:00
Roman Arutyunyan
1a5604bedd Stream ssl_preread: $ssl_preread_alpn_protocols variable.
The variable keeps a comma-separated list of protocol names from ALPN TLS
extension defined by RFC 7301.
2018-03-12 16:03:08 +03:00
Ruslan Ermilov
84d1e7de0c Improved code readablity.
No functional changes.
2018-03-07 18:28:12 +03:00
Maxim Dounin
89ad448f57 Style. 2018-03-05 21:35:08 +03:00
Vladimir Homutov
7647372565 Access log: support for disabling escaping (ticket #1450).
Based on patches by Johannes Baiter <johannes.baiter@bsb-muenchen.de>
and Calin Don.
2018-03-01 11:42:55 +03:00
Sergey Kandaurov
b3b4a98a5c Geo: fixed indentation. 2018-02-21 17:26:00 +03:00
Ruslan Ermilov
7a45918e0b Geo: optimized configuration parser.
If the geo block parser has failed, doing more things is pointless.
2018-02-21 15:50:43 +03:00
Ruslan Ermilov
f98a8c4db6 Geo: fixed memory allocation error handling (closes #1482).
If during configuration parsing of the geo directive the memory
allocation has failed, pool used to parse configuration inside
the block, and sometimes the temporary pool were not destroyed.
2018-02-21 15:50:42 +03:00
Sergey Kandaurov
57dde2ab37 SSL: using default server context in session remove (closes #1464).
This fixes segfault in configurations with multiple virtual servers sharing
the same port, where a non-default virtual server block misses certificate.
2018-01-30 17:46:31 +03:00
Roman Arutyunyan
752f66bf7d Retain CAP_NET_RAW capability for transparent proxying.
The capability is retained automatically in unprivileged worker processes after
changing UID if transparent proxying is enabled at least once in nginx
configuration.

The feature is only available in Linux.
2017-12-13 20:40:53 +03:00
Maxim Dounin
b32cb6b610 Fixed worker_shutdown_timeout in various cases.
The ngx_http_upstream_process_upgraded() did not handle c->close request,
and upgraded connections do not use the write filter.  As a result,
worker_shutdown_timeout did not affect upgraded connections (ticket #1419).
Fix is to handle c->close in the ngx_http_request_handler() function, thus
covering most of the possible cases in http handling.

Additionally, mail proxying did not handle neither c->close nor c->error,
and thus worker_shutdown_timeout did not work for mail connections.  Fix is
to add c->close handling to ngx_mail_proxy_handler().

Also, added explicit handling of c->close to stream proxy,
ngx_stream_proxy_process_connection().  This improves worker_shutdown_timeout
handling in stream, it will no longer wait for some data being transferred
in a connection before closing it, and will also provide appropriate
logging at the "info" level.
2017-11-20 16:31:07 +03:00
Maxim Dounin
53d655f894 Upstream hash: reordered peer checks.
This slightly reduces cost of selecting a peer if all or almost all peers
failed, see ticket #1030.  There should be no measureable difference with
other workloads.
2017-10-05 17:43:05 +03:00
Maxim Dounin
a10ec2db91 Upstream hash: limited number of tries in consistent case.
While this may result in non-ideal distribution of requests if nginx
won't be able to select a server in a reasonable number of attempts,
this still looks better than severe performance degradation observed
if there is no limit and there are many points configured (ticket #1030).
This is also in line with what we do for other hash balancing methods.
2017-10-05 17:42:59 +03:00
Maxim Dounin
41d8ea8c8d Fixed handling of unix sockets in $binary_remote_addr.
Previously, unix sockets were treated as AF_INET ones, and this may
result in buffer overread on Linux, where unbound unix sockets have
2-byte addresses.

Note that it is not correct to use just sun_path as a binary representation
for unix sockets.  This will result in an empty string for unbound unix
sockets, and thus behaviour of limit_req and limit_conn will change when
switching from $remote_addr to $binary_remote_addr.  As such, normal text
representation is used.

Reported by Stephan Dollberg.
2017-10-04 21:19:42 +03:00
Ruslan Ermilov
e7738ce82d Modules compatibility: down flag promoted to a bitmask.
It is to be used as a bitmask with various bits set/reset when appropriate.
63b8b157b776 made a similar change to ngx_http_upstream_rr_peer_t.down and
ngx_stream_upstream_rr_peer_t.down.
2017-09-22 22:49:42 +03:00
Ruslan Ermilov
ccd7e1037e Style. 2017-09-22 18:37:49 +03:00
Ruslan Ermilov
0cda728c6f Do not use the obsolete NGX_SOCKADDRLEN macro.
The change in ac120e797d28 re-used the macro which was made obsolete
in adf25b8d0431.
2017-09-22 13:10:49 +03:00
Roman Arutyunyan
c36a3c0cba Stream: fixed logging UDP upstream timeout.
Previously, when the first UDP response packet was not received from the
proxied server within proxy_timeout, no error message was logged before
switching to the next upstream.  Additionally, when one of succeeding response
packets was not received within the timeout, the timeout error had low severity
because it was logged as a client connection error as opposed to upstream
connection error.
2017-09-12 13:44:04 +03:00
Roman Arutyunyan
15f81e0bbf Stream: relaxed next upstream condition (ticket #1317).
When switching to a next upstream, some buffers could be stuck in the middle
of the filter chain.  A condition existed that raised an error when this
happened.  As it turned out, this condition prevented switching to a next
upstream if ssl preread was used with the TCP protocol (see the ticket).

In fact, the condition does not make sense for TCP, since after successful
connection to an upstream switching to another upstream never happens.  As for
UDP, the issue with stuck buffers is unlikely to happen, but is still possible.
Specifically, if a filter delays sending data to upstream.

The condition can be relaxed to only check the "buffered" bitmask of the
upstream connection.  The new condition is simpler and fixes the ticket issue
as well.  Additionally, the upstream_out chain is now reset for UDP prior to
connecting to a new upstream to prevent repeating the client data twice.
2017-09-11 15:32:31 +03:00
Maxim Dounin
50a0f25c60 SSL: the $ssl_client_escaped_cert variable (ticket #857).
This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
2017-08-22 15:18:10 +03:00
Sergey Kandaurov
b986b4314b Fixed calls to ngx_open_file() in certain places.
Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.
2017-08-09 15:03:27 +03:00