Commit Graph

6970 Commits

Author SHA1 Message Date
Maxim Dounin
8bdbeac736 release-1.13.1 tag 2017-05-30 17:55:23 +03:00
Maxim Dounin
b84e8f713d nginx-1.13.1-RELEASE 2017-05-30 17:55:22 +03:00
Maxim Dounin
6cfbb1c5ae Updated OpenSSL used for win32 builds. 2017-05-30 17:14:00 +03:00
Roman Arutyunyan
d1d48ed844 Fixed background requests with asynchronous operations.
If the main request was finalized while a background request performed an
asynchronous operation, the main request ended up in ngx_http_writer() and was
not finalized until a network event or a timeout.  For example, cache
background update with aio enabled made nginx unable to process further client
requests or close the connection, keeping it open until client closes it.

Now regular finalization of the main request is not suspended because of an
asynchronous operation in another request.

If a background request was terminated while an asynchronous operation was in
progress, background request's write event handler was changed to
ngx_http_request_finalizer() and never called again.

Now, whenever a request is terminated while an asynchronous operation is in
progress, connection error flag is set to make further finalizations of any
request with this connection lead to termination.

These issues appeared in 1aeaae6e9446 (not yet released).
2017-05-29 23:33:38 +03:00
Maxim Dounin
529ce10058 Configure: sched_setaffinity() test moved to auto/unix.
The sched_setaffinity() function was introduced in DragonFly BSD 4.7,
so it is no longer Linux-specific.

Prodded by Sepherosa Ziehau.
2017-05-29 16:48:30 +03:00
Maxim Dounin
0514e14a8b Style: changed checks of ngx_ssl_create_connection() to != NGX_OK.
In http these checks were changed in a6d6d762c554, though mail module
was missed at that time.  Since then, the stream module was introduced
based on mail, using "== NGX_ERROR" check.
2017-05-29 16:34:35 +03:00
Maxim Dounin
2db69fed2c SSL: set TCP_NODELAY on SSL connections before handshake.
With OpenSSL 1.1.0+, the workaround for handshake buffer size as introduced
in a720f0b0e083 (ticket #413) no longer works, as OpenSSL no longer exposes
handshake buffers, see https://github.com/openssl/openssl/commit/2e7dc7cd688.
Moreover, it is no longer possible to adjust handshake buffers at all now.

To avoid additional RTT if handshake uses more than 4k we now set TCP_NODELAY
on SSL connections before handshake.  While this still results in sub-optimal
network utilization due to incomplete packets being sent, it seems to be
better than nothing.
2017-05-29 16:34:29 +03:00
Ruslan Ermilov
b66c18d2d5 Introduced ngx_tcp_nodelay(). 2017-05-26 22:52:48 +03:00
Roman Arutyunyan
8644d9491a Background subrequests for cache updates.
Previously, cache background update might not work as expected, making client
wait for it to complete before receiving the final part of a stale response.
This could happen if the response could not be sent to the client socket in one
filter chain call.

Now background cache update is done in a background subrequest.  This type of
subrequest does not block any other subrequests or the main request.
2017-05-25 15:57:59 +03:00
Roman Arutyunyan
c83922b18d Fixed deferred accept with EPOLLRDHUP enabled (ticket #1278).
Previously, the read event of the accepted connection was marked ready, but not
available.  This made EPOLLRDHUP-related code (for example, in ngx_unix_recv())
expect more data from the socket, leading to unexpected behavior.

For example, if SSL, PROXY protocol and deferred accept were enabled on a listen
socket, the client connection was aborted due to unexpected return value of
c->recv().
2017-05-24 13:17:08 +03:00
Valentin Bartenev
cce3934461 HTTP/2: fixed segfault when memory allocation failed.
If allocation of cleanup handler in the HTTP/2 header filter failed, then
a stream might be freed with a HEADERS frame left in the output queue.

Now the HEADERS frame is accounted in the queue before trying to allocate
the cleanup handler.
2017-05-23 20:19:39 +03:00
Maxim Dounin
bfe36ba318 Contrib: proper syntax parsing in vim syntax highlighting.
Instead of highlighting directives in arbitrary positions, proper
parsing of nginx.conf syntax was implemented, matching what nginx does
internally.  This allows vim to correctly highlight various complex cases,
including:

    return 301 http://example.com/path#fragment";

and also avoids highlighting of parameters as directives, as in

    server_name missing.semicolon.example.com
    index index.php;

where "index" is not a directive but a parameter of the "server_name"
directive due to missing semicolon.

Most important downside of this approach seems to be that there is no
easy way to introduce directive-specific parameters.  As such, only "listen"
directive parameters were preserved.
2017-05-22 16:34:47 +03:00
Dmitry Volyntsev
c6df6bf923 Cache: ignore long locked entries during forced expire.
Abnormally exited workers may leave locked cache entries, this can
result in the cache size on disk exceeding max_size and shared memory
exhaustion.

This change mitigates the issue by ignoring locked entries during forced
expire.  It also increases the visibility of the problem by logging such
entries.
2017-05-18 18:39:16 +03:00
Sergey Kandaurov
9359155b2f Upstream: fixed u->headers_in.headers allocation error handling.
Previously, an allocation error resulted in uninitialized memory access
when evaluating $upstream_http_ variables.

On a related note, see r->headers_out.headers cleanup work in 0cdee26605f3.
2017-05-18 14:17:00 +03:00
Maxim Dounin
84fdff7930 Configure: recent Sun C versions. 2017-05-15 20:09:44 +03:00
Maxim Dounin
38e87ea041 Configure: disabled gcc atomics with Sun C (ticket #1261).
Oracle Developer Studio 12.5 introduced GCC-compatible __sync builtins.
Unfortunately, these builtins are neither GCC-compatible (they generate
warnings when used with volatile), nor working (unexpectedly fail on
unpredictable combinations of code layout and compiler flags).  As such,
the gcc builtin atomic operations configure test explicitly disabled when
compiling with Sun C.
2017-05-15 20:09:43 +03:00
Maxim Dounin
e1725761cb Configure: style. 2017-05-15 20:09:40 +03:00
Ruslan Ermilov
a464d07f0a Realip: allow hostnames in set_real_ip_from (ticket #1180). 2017-05-15 17:17:01 +03:00
Ruslan Ermilov
b313bc4bd3 Access: simplified rule parser code. 2017-05-15 17:16:32 +03:00
Sergey Kandaurov
9961198879 SSL: allowed renegotiation in client mode with OpenSSL < 1.1.0.
In ac9b1df5b246 (1.13.0) we attempted to allow renegotiation in client mode,
but when using OpenSSL 1.0.2 or older versions it was additionally disabled
by SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
2017-05-03 15:15:56 +03:00
Maxim Dounin
8449f750e6 Added missing "fall through" comments (ticket #1259).
Found by gcc7 (-Wimplicit-fallthrough).
2017-04-27 16:57:18 +03:00
Ruslan Ermilov
8ae2bc9320 Don't pretend we support HTTP major versions >1 as HTTP/1.1. 2017-04-25 23:39:13 +03:00
Ruslan Ermilov
53e63ff7c3 Version bump. 2017-04-25 23:39:06 +03:00
Maxim Dounin
47835ea6af release-1.13.0 tag 2017-04-25 17:18:22 +03:00
Maxim Dounin
0cb7be3c71 nginx-1.13.0-RELEASE 2017-04-25 17:18:21 +03:00
Valentin Bartenev
55b37eff8f HTTP/2: reduced difference to HTTP/1.x in reading request body.
Particularly, this eliminates difference in behavior for requests without body
and deduplicates code.

Prodded by Piotr Sikora.
2017-04-24 14:17:13 +03:00
Valentin Bartenev
d35c83a325 HTTP/2: rejecting zero WINDOW_UPDATE with PROTOCOL_ERROR.
It's required by RFC 7540.  While there is no real harm from such frames,
that should help to detect broken clients.

Based on a patch by Piotr Sikora.
2017-04-24 14:16:57 +03:00
Sergey Kandaurov
beaaeb9f9e Gzip static: use an appropriate error on memory allocation failure. 2017-04-20 18:26:38 +03:00
Sergey Kandaurov
9ecf842864 Cleaned up r->headers_out.headers allocation error handling.
If initialization of a header failed for some reason after ngx_list_push(),
leaving the header as is can result in uninitialized memory access by
the header filter or the log module.  The fix is to clear partially
initialized headers in case of errors.

For the Cache-Control header, the fix is to postpone pushing
r->headers_out.cache_control until its value is completed.
2017-04-20 18:26:37 +03:00
Igor Sysoev
30e26a8c57 Core: signal sender pid logging. 2017-04-20 13:58:16 +03:00
Sergey Kandaurov
cb7427d86c Sub filter: restored ngx_http_set_ctx() at the proper place.
Previously, ngx_http_sub_header_filter() could fail with a partially
initialized context, later accessed in ngx_http_sub_body_filter()
if called from the perl content handler.

The issue had appeared in 2c045e5b8291 (1.9.4).

A better fix would be to handle ngx_http_send_header() errors in
the perl module, though this doesn't seem to be easy enough.
2017-04-18 19:55:23 +03:00
Sergey Kandaurov
e8c579a187 SSL: compatibility with OpenSSL master branch.
The SSL_CTRL_SET_CURVES_LIST macro is removed in the OpenSSL master branch.
SSL_CTX_set1_curves_list is preserved as compatibility with previous versions.
2017-04-18 16:08:46 +03:00
Sergey Kandaurov
36be79301e SSL: disabled renegotiation detection in client mode.
CVE-2009-3555 is no longer relevant and mitigated by the renegotiation
info extension (secure renegotiation).  On the other hand, unexpected
renegotiation still introduces potential security risks, and hence we do
not allow renegotiation on the server side, as we never request renegotiation.

On the client side the situation is different though.  There are backends
which explicitly request renegotiation, and disabled renegotiation
introduces interoperability problems.  This change allows renegotiation
on the client side, and fixes interoperability problems as observed with
such backends (ticket #872).

Additionally, with TLSv1.3 the SSL_CB_HANDSHAKE_START flag is currently set
by OpenSSL when receiving a NewSessionTicket message, and was detected by
nginx as a renegotiation attempt.  This looks like a bug in OpenSSL, though
this change also allows better interoperability till the problem is fixed.
2017-04-18 16:08:44 +03:00
Sergey Kandaurov
9a37eb3a62 SSL: added support for TLSv1.3 in ssl_protocols directive.
Support for the TLSv1.3 protocol will be introduced in OpenSSL 1.1.1.
2017-04-18 15:12:38 +03:00
Roman Arutyunyan
05841adfb2 Set UDP datagram source address (ticket #1239).
Previously, the source IP address of a response UDP datagram could differ from
the original datagram destination address.  This could happen if the server UDP
socket is bound to a wildcard address and the network interface chosen to output
the response packet has a different default address than the destination address
of the original packet.  For example, if two addresses from the same network are
configured on an interface.

Now source address is set explicitly if a response is sent for a server UDP
socket bound to a wildcard address.
2017-04-11 16:41:53 +03:00
Sergey Kandaurov
62b20ce87a Core: removed extra ngx_alloc() and ngx_calloc() prototypes. 2017-04-18 13:01:19 +03:00
Sergey Kandaurov
97210c717d Enabled IPV6_RECVPKTINFO / IPV6_PKTINFO on macOS.
This change allows setting the destination IPv6 address of a UDP datagram
received on a wildcard socket.
2017-04-17 14:42:12 +03:00
Simon Leblanc
8ee2de5e9c Added support for the "308 Permanent Redirect" (ticket #877). 2017-04-11 03:13:46 +02:00
Vladimir Homutov
a965e1d766 Mail: configurable socket buffer sizes.
The "rcvbuf" and "sndbuf" parameters are now supported by
the "listen" directive.
2017-04-03 17:30:34 +03:00
Vladimir Homutov
9f7b557673 Stream: configurable socket buffer sizes.
The "rcvbuf" and "sndbuf" parameters are now supported by
the "listen" directive.
2017-04-03 17:29:19 +03:00
Valentin Bartenev
97cb30370f Core: improved JSON escaping.
Two-character representations are now used for \b, \f, \n, \r, and \t.
2017-04-12 22:47:57 +03:00
Ruslan Ermilov
cac361718c Use ngx_calloc_buf() where appropriate. 2017-04-12 22:21:04 +03:00
Ruslan Ermilov
f947167442 Version bump. 2017-04-12 22:14:24 +03:00
Maxim Dounin
becdcaef00 release-1.11.13 tag 2017-04-04 18:01:57 +03:00
Maxim Dounin
3290884abb nginx-1.11.13-RELEASE 2017-04-04 18:01:57 +03:00
Piotr Sikora
ca1a5057e2 Upstream: allow recovery from "429 Too Many Requests" response.
This change adds "http_429" parameter to "proxy_next_upstream" for
retrying rate-limited requests, and to "proxy_cache_use_stale" for
serving stale cached responses after being rate-limited.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-24 02:48:03 -07:00
Piotr Sikora
c3ce606652 Added support for "429 Too Many Requests" response (RFC6585).
This change adds reason phrase in status line and pretty response body
when "429" status code is used in "return", "limit_conn_status" and/or
"limit_req_status" directives.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2017-03-24 02:48:03 -07:00
hucongcong
9ac9fe2f3e Fixed type. 2017-04-03 14:29:40 +08:00
Roman Arutyunyan
c31239ffb4 Slice filter: prevented slice redirection (ticket #1219).
When a slice subrequest was redirected to a new location, its context was lost.
After its completion, a new slice subrequest for the same slice was created.
This could lead to infinite loop.  Now the slice module makes sure each slice
subrequest starts output with the slice context available.
2017-03-31 21:47:56 +03:00
Roman Arutyunyan
8c9a66298c Slice filter: allowed at most one subrequest at a time.
Previously, if slice main request write handler was called while a slice
subrequest was running, a new subrequest for the same slice was started.
2017-03-28 14:03:57 +03:00