Commit Graph

6970 Commits

Author SHA1 Message Date
Maxim Dounin
6559a42013 gRPC: special handling of "trailer only" responses.
The gRPC protocol makes a distinction between HEADERS frame with
the END_STREAM flag set, and a HEADERS frame followed by an empty
DATA frame with the END_STREAM flag.  The latter is not permitted,
and results in errors not being propagated through nginx.  Instead,
gRPC clients complain that "server closed the stream without sending
trailers" (seen in grpc-go) or "13: Received RST_STREAM with error
code 2" (seen in grpc-c).

To fix this, nginx now returns HEADERS with the END_STREAM flag if
the response length is known to be 0, and we are not expecting
any trailer headers to be added.  And the response length is
explicitly set to 0 in the gRPC proxy if we see initial HEADERS frame
with the END_STREAM flag set.
2018-03-17 23:04:26 +03:00
Maxim Dounin
6a0d9e5b2d gRPC: special handling of the TE request header.
According to the gRPC protocol specification, the "TE" header is used
to detect incompatible proxies, and at least grpc-c server rejects
requests without "TE: trailers".

To preserve the logic, we have to pass "TE: trailers" to the backend if
and only if the original request contains "trailers" in the "TE" header.
Note that no other TE values are allowed in HTTP/2, so we have to remove
anything else.
2018-03-17 23:04:25 +03:00
Maxim Dounin
56ad960e7a The gRPC proxy module.
The module allows passing requests to upstream gRPC servers.
The module is built by default as long as HTTP/2 support is compiled in.
Example configuration:

    grpc_pass 127.0.0.1:9000;

Alternatively, the "grpc://" scheme can be used:

    grpc_pass grpc://127.0.0.1:9000;

Keepalive support is available via the upstream keepalive module.  Note
that keepalive connections won't currently work with grpc-go as it fails
to handle SETTINGS_HEADER_TABLE_SIZE.

To use with SSL:

    grpc_pass grpcs://127.0.0.1:9000;

SSL connections use ALPN "h2" when available.  At least grpc-go works fine
without ALPN, so if ALPN is not available we just establish a connection
without it.

Tested with grpc-c++ and grpc-go.
2018-03-17 23:04:24 +03:00
Maxim Dounin
c67124190c Upstream: u->conf->preserve_output flag.
The flag can be used to continue sending request body even after we've
got a response from the backend.  In particular, this is needed for gRPC
proxying of bidirectional streaming RPCs, and also to send control frames
in other forms of RPCs.
2018-03-17 23:04:23 +03:00
Maxim Dounin
7be60194c1 Upstream: u->request_body_blocked flag.
The flag indicates whether last ngx_output_chain() returned NGX_AGAIN
or not.  If the flag is set, we arm the u->conf->send_timeout timer.
The flag complements c->write->ready test, and allows one to stop sending
the request body in an output filter due to protocol-specific flow
control.
2018-03-17 23:04:22 +03:00
Maxim Dounin
7ef115a7e8 Upstream: trailers support, u->conf->pass_trailers flag.
Basic trailer headers support allows one to access response trailers
via the $upstream_trailer_* variables.

Additionally, the u->conf->pass_trailers flag was introduced.  When the
flag is set, trailer headers from the upstream response are passed to
the client.  Like normal headers, trailer headers will be hidden
if present in u->conf->hide_headers_hash.
2018-03-17 23:04:21 +03:00
Maxim Dounin
c554dd1434 HTTP/2: externalized various constants and interfaces. 2018-03-17 23:04:20 +03:00
Roman Arutyunyan
b84b67bc0f Style. 2018-03-12 18:38:53 +03:00
Roman Arutyunyan
1a5604bedd Stream ssl_preread: $ssl_preread_alpn_protocols variable.
The variable keeps a comma-separated list of protocol names from ALPN TLS
extension defined by RFC 7301.
2018-03-12 16:03:08 +03:00
Ruslan Ermilov
84d1e7de0c Improved code readability.
No functional changes.
2018-03-07 18:28:12 +03:00
Maxim Dounin
83dceda868 HTTP/2: unknown frames now logged at info level. 2018-03-05 21:35:13 +03:00
Maxim Dounin
89ad448f57 Style. 2018-03-05 21:35:08 +03:00
Vladimir Homutov
7647372565 Access log: support for disabling escaping (ticket #1450).
Based on patches by Johannes Baiter <johannes.baiter@bsb-muenchen.de>
and Calin Don.
2018-03-01 11:42:55 +03:00
Maxim Dounin
c7e8a6f212 Core: ngx_current_msec now uses monotonic time if available.
When clock_gettime(CLOCK_MONOTONIC) (or faster variants, _FAST on FreeBSD,
and _COARSE on Linux) is available, we now use it for ngx_current_msec.
This should improve handling of timers if system time changes (ticket #189).
2018-03-01 20:25:50 +03:00
Roman Arutyunyan
6e30556127 Postpone filter: prevented uninitialized r->out.
The r->out chain link could be left uninitialized in case of error.
A segfault could happen if the subrequest handler accessed it.
The issue was introduced in commit 20f139e9ffa8.
2018-03-01 18:38:39 +03:00
Roman Arutyunyan
7c5c15a25d Generic subrequests in memory.
Previously, only the upstream response body could be accessed with the
NGX_HTTP_SUBREQUEST_IN_MEMORY feature.  Now any response body from a subrequest
can be saved in a memory buffer.  It is available as a single buffer in r->out
and the buffer size is configured by the subrequest_output_buffer_size
directive.

Upstream, proxy and fastcgi code used to handle the old-style feature is
removed.
2018-02-28 16:56:58 +03:00
Vladimir Homutov
2d9db482aa Modules compatibility: additional upstream metrics. 2018-02-22 17:25:43 +03:00
Vadim Filimonov
f607032e0c Auth basic: prevent null character in error log (ticket #1494). 2018-02-26 16:52:20 +02:00
Roman Arutyunyan
dd7dba520c Generate error for unsupported IPv6 transparent proxy.
On some platforms (for example, Linux with glibc 2.12-2.25) IPv4 transparent
proxying is available, but IPv6 transparent proxying is not.  The entire feature
is enabled in this case and NGX_HAVE_TRANSPARENT_PROXY macro is set to 1.
Previously, an attempt to enable transparency for an IPv6 socket was silently
ignored in this case and was usually followed by a bind(2) EADDRNOTAVAIL error
(ticket #1487).  Now the error is generated for unavailable IPv6 transparent
proxy.
2018-02-22 13:16:21 +03:00
Ruslan Ermilov
bcda92e843 HTTP/2: style.
Unified the style of validity checks in ngx_http_v2_validate_header().
2018-02-22 12:42:29 +03:00
Sergey Kandaurov
b3b4a98a5c Geo: fixed indentation. 2018-02-21 17:26:00 +03:00
Ruslan Ermilov
7a45918e0b Geo: optimized configuration parser.
If the geo block parser has failed, doing more things is pointless.
2018-02-21 15:50:43 +03:00
Ruslan Ermilov
f98a8c4db6 Geo: fixed memory allocation error handling (closes #1482).
If during configuration parsing of the geo directive the memory
allocation has failed, pool used to parse configuration inside
the block, and sometimes the temporary pool were not destroyed.
2018-02-21 15:50:42 +03:00
Ruslan Ermilov
864d93965b Version bump. 2018-02-21 15:50:35 +03:00
Maxim Dounin
89f4129f56 release-1.13.9 tag 2018-02-20 17:08:49 +03:00
Maxim Dounin
22adf80c4a nginx-1.13.9-RELEASE 2018-02-20 17:08:48 +03:00
Maxim Dounin
9e2cd6282f HTTP/2: precalculate hash for "Cookie".
There is no need to calculate hashes of static strings at runtime.  The
ngx_hash() macro can be used to do it during compilation instead, similarly
to how it is done in ngx_http_proxy_module.c for "Server" and "Date" headers.
2018-02-15 19:06:22 +03:00
Ruslan Ermilov
89661c0e7d HTTP/2: fixed ngx_http_v2_push_stream() allocation error handling.
In particular, if a stream object allocation failed, and a client sent
the PRIORITY frame for this stream, ngx_http_v2_set_dependency() could
dereference a null pointer while trying to re-parent a dependency node.
2018-02-15 17:51:37 +03:00
Ruslan Ermilov
2437532e7f HTTP/2: push additional request headers (closes #1478).
The Accept-Encoding, Accept-Language, and User-Agent header fields
are now copied from the original request to pushed requests.
2018-02-15 17:51:32 +03:00
Ruslan Ermilov
8a84dd4f32 Expose more headers with NGX_HTTP_HEADERS. 2018-02-15 17:51:26 +03:00
Vladimir Homutov
9d00f9e449 Core: added a stub for additional zone configuration. 2018-02-15 16:08:05 +03:00
Sergey Kandaurov
5e28302dfc HTTP/2: style. 2018-02-15 02:34:16 +03:00
Ruslan Ermilov
c32d9d28fd HTTP/2: fixed null pointer dereference with server push.
r->headers_in.host can be NULL in ngx_http_v2_push_resource().

This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.

Found by Coverity (CID 1429156).
2018-02-09 23:20:08 +03:00
Ruslan Ermilov
09eb20c8a7 HTTP/2: fixed build with -Werror=unused-but-set-variable. 2018-02-08 12:11:30 +03:00
Ruslan Ermilov
6e52265b42 HTTP/2: server push.
Resources to be pushed are configured with the "http2_push" directive.

Also, preload links from the Link response headers, as described in
https://www.w3.org/TR/preload/#server-push-http-2, can be pushed, if
enabled with the "http2_push_preload" directive.

Only relative URIs with absolute paths can be pushed.

The number of concurrent pushes is normally limited by a client, but
cannot exceed a hard limit set by the "http2_max_concurrent_pushes"
directive.
2018-02-08 09:55:03 +03:00
Ruslan Ermilov
ac3c8ff364 HTTP/2: changed prototypes of request pseudo-headers parsers.
No functional changes.
2018-02-08 09:54:49 +03:00
Ruslan Ermilov
8590d9d615 Basic support of the Link response header. 2018-02-08 09:54:18 +03:00
Roman Arutyunyan
d31d547dba Dav: added error logging.
Previously, when request body was not available or was previously read in
memory rather than a file, client received HTTP 500 error, but no explanation
was logged in error log.  This could happen, for example, if request body was
read or discarded prior to error_page redirect, or if mirroring was enabled
along with dav.
2018-02-07 16:44:29 +03:00
Sergey Kandaurov
bde18907ac HTTP/2: removed unused field from ngx_http_v2_stream_t. 2018-02-06 20:02:59 +03:00
Gena Makhomed
776869a974 Contrib: vim syntax, update 3rd party module directives.
Add new directives for 3rd party modules.
2018-02-01 11:15:14 +02:00
Gena Makhomed
b0f53dd0eb Contrib: vim syntax, update core module directives.
"match" is block directive, "upstream_conf" is deprecated
by patch http://hg.nginx.org/nginx.org/rev/27c53e1cb4b6
2018-02-01 11:09:35 +02:00
Ruslan Ermilov
c8f46e070f Upstream: removed X-Powered-By from the list of special headers.
After 1e720b0be7ec, it's neither specially processed nor copied
when redirecting with X-Accel-Redirect.
2018-01-30 22:23:58 +03:00
Sergey Kandaurov
57dde2ab37 SSL: using default server context in session remove (closes #1464).
This fixes segfault in configurations with multiple virtual servers sharing
the same port, where a non-default virtual server block misses certificate.
2018-01-30 17:46:31 +03:00
Ruslan Ermilov
2213695368 HTTP/2: finalize request as bad if parsing of pseudo-headers fails.
This is in line when the required pseudo-headers are missing, and
avoids spurious zero statuses in access.log.
2018-01-30 14:44:31 +03:00
Ruslan Ermilov
0b8b91f45f HTTP/2: more style, comments, and debugging. 2018-01-29 16:06:33 +03:00
Ruslan Ermilov
34cf5d5e6a HTTP/2: handle duplicate INITIAL_WINDOW_SIZE settings. 2018-01-29 15:54:36 +03:00
Ruslan Ermilov
63a4dab7b0 Fixed --test-build-eventport on macOS 10.12 and later.
In macOS 10.12, CLOCK_REALTIME and clockid_t were added, but not timer_t.
2018-01-16 13:52:03 +03:00
Maxim Dounin
3377c00119 Upstream: fixed "header already sent" alerts on backend errors.
Following ad3f342f14ba046c (1.9.13), it is possible that a request where
header was already sent will be finalized with NGX_HTTP_BAD_GATEWAY,
triggering an attempt to return additional error response and the
"header already sent" alert as a result.

In particular, it is trivial to reproduce the problem with a HEAD request
and caching enabled.  With caching enabled nginx will change HEAD to GET
and will set u->pipe->downstream_error to suppress sending the response
body to the client.  When a backend-related error occurs (for example,
proxy_read_timeout expires), ngx_http_finalize_upstream_request() will
be called with NGX_HTTP_BAD_GATEWAY.  After ad3f342f14ba046c this will
result in ngx_http_finalize_request(NGX_HTTP_BAD_GATEWAY).

Fix is to move u->pipe->downstream_error handling to a later point,
where all special response codes are changed to NGX_ERROR.

Reported by Jan Prachar,
http://mailman.nginx.org/pipermail/nginx-devel/2018-January/010737.html.
2018-01-11 21:43:49 +03:00
Maxim Dounin
9b81d3b1bb Year 2018. 2018-01-11 21:43:24 +03:00
Gena Makhomed
b87240dded Contrib: vim syntax, update core module directives.
Removed non-existent directives and directive redefinitions.
2017-12-28 12:01:05 +02:00