Commit Graph

5790 Commits

Author SHA1 Message Date
Roman Arutyunyan
5b201ac31f Introduced ngx_inet_get_port() and ngx_inet_set_port() functions. 2016-06-20 11:50:39 +03:00
Andrei Belov
72d4e5d793 Set IP_BIND_ADDRESS_NO_PORT socket option for upstream sockets. 2016-06-20 10:41:17 +03:00
Tim Taubert
4f578bfcab SSL: ngx_ssl_ciphers() to set list of ciphers.
This patch moves various OpenSSL-specific function calls into the
OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more
crypto-library-agnostic.
2016-06-15 21:05:30 +01:00
Valentin Bartenev
6e38998bac HTTP/2: fixed the "http request count is zero" alert.
When the stream is terminated the HEADERS frame can still wait in the output
queue.  This frame can't be removed and must be sent to the client anyway,
since HTTP/2 uses stateful compression for headers.  So in order to postpone
closing and freeing memory of such stream the special close stream handler
is set to the write event.  After the HEADERS frame is sent the write event
is called and the stream will be finally closed.

Some events like receiving a RST_STREAM can trigger the read handler of such
stream in closing state and cause unexpected processing that can result in
another attempt to finalize the request.  To prevent it the read handler is
now set to ngx_http_empty_handler.

Thanks to Amazon.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
bf5f915a01 HTTP/2: avoid adding Content-Length for requests without body.
There is no reason to add the "Content-Length: 0" header to a proxied request
without body if the header isn't presented in the original request.

Thanks to Amazon.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
cd2085be0c HTTP/2: prevented double termination of a stream.
According to RFC 7540, an endpoint should not send more than one RST_STREAM
frame for any stream.

Also, now all the data frames will be skipped while termination.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
24d9b98900 HTTP/2: fixed a segfault while processing unbuffered upload.
The ngx_http_v2_finalize_connection() closes current stream, but that is an
invalid operation while processing unbuffered upload.  This results in access
to already freed memory, since the upstream module sets a cleanup handler that
also finalizes the request.
2016-06-16 20:55:11 +03:00
Maxim Dounin
ab8504b937 An internal SHA1 implementation. 2016-06-09 16:55:38 +03:00
Otto Kekäläinen
cb963abf03 Fixed spelling. 2016-06-08 08:27:41 +03:00
Valentin Bartenev
46336296e4 Fixed an error log message. 2016-06-07 17:44:20 +03:00
Sergey Kandaurov
5d9419704f Configure: revised GCC version processing.
Now GCC 6 and onwards will use -Wno-unused-parameter.
2016-06-07 12:15:56 +03:00
Sergey Kandaurov
ba212375a7 Version bump. 2016-06-07 12:26:34 +03:00
Maxim Dounin
fbe634d14c release-1.11.1 tag 2016-05-31 16:43:49 +03:00
Maxim Dounin
757aee99b8 nginx-1.11.1-RELEASE 2016-05-31 16:43:49 +03:00
Maxim Dounin
a3d382397a Core: skip special buffers on writing (ticket #981).
A special last buffer with cl->buf->pos set to NULL can be present in
a chain when writing request body if chunked encoding was used.  This
resulted in a NULL pointer dereference if it happened to be the only
buffer left after a do...while loop iteration in ngx_write_chain_to_file().

The problem originally appeared in nginx 1.3.9 with chunked encoding
support.  Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the
minimum number of buffers to trigger this from IOV_MAX (typically 1024)
to NGX_IOVS_PREALLOCATE (typically 64).

Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is
done in other places.
2016-05-31 05:13:30 +03:00
Maxim Dounin
9f0253e1e2 Trailing spaces removed. 2016-05-30 18:09:41 +03:00
Valentin Bartenev
b6e423b7c0 HTTP/2: unbreak build on MSVC. 2016-05-24 21:54:32 +03:00
Valentin Bartenev
99d2ede934 Version bump. 2016-05-24 21:54:32 +03:00
Maxim Dounin
b8482f8175 release-1.11.0 tag 2016-05-24 18:54:42 +03:00
Maxim Dounin
f694e2afd3 nginx-1.11.0-RELEASE 2016-05-24 18:54:41 +03:00
Maxim Dounin
849851f45d Updated OpenSSL used for win32 builds. 2016-05-24 17:44:01 +03:00
Maxim Dounin
1a1470b865 Fixed build on MSVC. 2016-05-24 17:43:58 +03:00
Valentin Bartenev
5429140c01 HTTP/2: implemented preread buffer for request body (closes #959).
Previously, the stream's window was kept zero in order to prevent a client
from sending the request body before it was requested (see 887cca40ba6a for
details).  Until such initial window was acknowledged all requests with
data were rejected (see 0aa07850922f for details).

That approach revealed a number of problems:

 1. Some clients (notably MS IE/Edge, Safari, iOS applications) show an error
    or even crash if a stream is rejected;

 2. This requires at least one RTT for every request with body before the
    client receives window update and able to send data.

To overcome these problems the new directive "http2_body_preread_size" is
introduced.  It sets the initial window and configures a special per stream
preread buffer that is used to save all incoming data before the body is
requested and processed.

If the directive's value is lower than the default initial window (65535),
as previously, all streams with data will be rejected until the new window
is acknowledged.  Otherwise, no special processing is used and all requests
with data are welcome right from the connection start.

The default value is chosen to be 64k, which is bigger than the default
initial window.  Setting it to zero is fully complaint to the previous
behavior.
2016-05-24 17:37:52 +03:00
Ruslan Ermilov
adfd0b065c Realip: detect duplicate real_ip_header directive. 2016-05-23 19:17:24 +03:00
Dmitry Volyntsev
06176bce91 Realip: port support in X-Real-IP and X-Forwarded-For.
Now, the module extracts optional port which may accompany an
IP address.  This custom extension is introduced, among other
things, in order to facilitate logging of original client ports.
Addresses with ports are expected to be in the RFC 3986 format,
that is, with IPv6 addresses in square brackets.  E.g.,
"X-Real-IP: [2001:0db8::1]:12345" sets client port ($remote_port)
to 12345.
2016-05-23 18:44:23 +03:00
Dmitry Volyntsev
19140c8c4f Realip: take client port from PROXY protocol header.
Previously, when the client address was changed to the one from
the PROXY protocol header, the client port ($remote_port) was
reset to zero.  Now the client port is also changed to the one
from the PROXY protocol header.
2016-05-23 18:44:22 +03:00
Dmitry Volyntsev
97495b662f Added the $realip_remote_port variable. 2016-05-23 18:44:22 +03:00
Dmitry Volyntsev
f56cf3ddc7 Added the $proxy_protocol_port variable. 2016-05-23 18:44:21 +03:00
Maxim Dounin
5b267a55bc Renamed "u" to "sockaddr" in listen options types. 2016-05-23 16:37:28 +03:00
Ruslan Ermilov
fd064d3b88 Introduced the ngx_sockaddr_t type.
It's properly aligned and can hold any supported sockaddr.
2016-05-23 16:37:20 +03:00
Ruslan Ermilov
d650688ba5 Stream: fixed duplicate listen address detection.
The 6f8254ae61b8 change inadvertently fixed the duplicate port
detection similar to how it was fixed for mail in b2920b517490.
It also revealed another issue: the socket type (tcp vs. udp)
wasn't taken into account.
2016-05-23 12:50:59 +03:00
Ruslan Ermilov
48a16463fa Use ngx_cmp_sockaddr() where appropriate. 2016-05-20 19:10:42 +03:00
Valentin Bartenev
f7673bb50f HTTP/2: the "421 Misdirected Request" response (closes #848).
Since 4fbef397c753 nginx rejects with the 400 error any attempts of
requesting different host over the same connection, if the relevant
virtual server requires verification of a client certificate.

While requesting hosts other than negotiated isn't something legal
in HTTP/1.x, the HTTP/2 specification explicitly permits such requests
for connection reuse and has introduced a special response code 421.

According to RFC 7540 Section 9.1.2 this code can be sent by a server
that is not configured to produce responses for the combination of
scheme and authority that are included in the request URI.  And the
client may retry the request over a different connection.

Now this code is used for requests that aren't authorized in current
connection.  After receiving the 421 response a client will be able
to open a new connection, provide the required certificate and retry
the request.

Unfortunately, not all clients currently are able to handle it well.
Notably Chrome just shows an error, while at least the latest version
of Firefox retries the request over a new connection.
2016-05-20 18:41:17 +03:00
Ruslan Ermilov
61fbcd1cad Belatedly changed the ngx_create_listening() prototype.
The function is called only with "struct sockaddr *" since 0.7.58.
2016-05-20 17:02:04 +03:00
Maxim Dounin
61ec58a9be SSL: removed default DH parameters.
Using the same DH parameters on multiple servers is believed to be subject
to precomputation attacks, see http://weakdh.org/.  Additionally, 1024 bits
are not enough in the modern world as well.  Let users provide their own
DH parameters with the ssl_dhparam directive if they want to use EDH ciphers.

Note that SSL_CTX_set_dh_auto() as provided by OpenSSL 1.1.0 uses fixed
DH parameters from RFC 5114 and RFC 3526, and therefore subject to the same
precomputation attacks.  We avoid using it as well.

This change also fixes compilation with OpenSSL 1.1.0-pre5 (aka Beta 2),
as OpenSSL developers changed their policy after releasing Beta 1 and
broke API once again by making the DH struct opaque (see ticket #860).
2016-05-19 14:46:32 +03:00
Maxim Dounin
3b7dca4bb5 SSL: support for multiple curves (ticket #885).
OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported.  This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.

The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used".  For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used.  The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).

As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.
2016-05-19 14:46:32 +03:00
Maxim Dounin
690423e3b2 SSL: style. 2016-05-19 14:46:32 +03:00
Maxim Dounin
cfd17ca9ed SSL: error messages style. 2016-05-19 14:46:32 +03:00
Maxim Dounin
cf126b98b3 SSL: support for multiple certificates (ticket #814). 2016-05-19 14:46:32 +03:00
Maxim Dounin
798999b63d SSL: support for per-certificate chains.
The SSL_CTX_add0_chain_cert() function as introduced in OpenSSL 1.0.2 now
used instead of SSL_CTX_add_extra_chain_cert().

SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates
in the context, while SSL_CTX_add0_chain_cert() only to a particular
certificate.  There is no difference unless multiple certificates are used,
though it is important when using multiple certificates.

Additionally, SSL_CTX_select_current_cert() is now called before using
a chain to make sure correct chain will be returned.
2016-05-19 14:46:32 +03:00
Maxim Dounin
e844475905 SSL: made it possible to iterate though all certificates.
A pointer to a previously configured certificate now stored in a certificate.
This makes it possible to iterate though all certificates configured in
the SSL context.  This is now used to configure OCSP stapling for all
certificates, and in ngx_ssl_session_id_context().

As SSL_CTX_use_certificate() frees previously loaded certificate of the same
type, and we have no way to find out if it's the case, X509_free() calls
are now posponed till ngx_ssl_cleanup_ctx().

Note that in OpenSSL 1.0.2+ this can be done without storing things in exdata
using the SSL_CTX_set_current_cert() and SSL_CTX_get0_certificate() functions.
These are not yet available in all supported versions though, so it's easier
to continue to use exdata for now.
2016-05-19 14:46:32 +03:00
Maxim Dounin
503b3569b9 OCSP stapling: additional function to configure stapling on a cert. 2016-05-19 14:46:32 +03:00
Maxim Dounin
40e075c325 OCSP stapling: staple now extracted via SSL_get_certificate().
This makes it possible to properly return OCSP staple with multiple
certificates configured.

Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+.
In older versions SSL_get_certificate() fails to return correct certificate
when the certificate status callback is called.
2016-05-19 14:46:32 +03:00
Maxim Dounin
b4276f2447 OCSP stapling: staple now stored in certificate, not SSL context. 2016-05-19 14:46:32 +03:00
Maxim Dounin
825289ff60 OCSP stapling: staple provided in arguments. 2016-05-19 14:46:32 +03:00
Maxim Dounin
e647c47f2a Added overflow checks for version numbers (ticket #762).
Both minor and major versions are now limited to 999 maximum.  In case of
r->http_minor, this limit is already implied by the code.  Major version,
r->http_major, in theory can be up to 65535 with current code, but such
values are very unlikely to become real (and, additionally, such values
are not allowed by RFC 7230), so the same test was used for r->http_major.
2016-05-18 16:21:32 +03:00
Maxim Dounin
ce9ff81b32 Events: close descriptors on errors in ngx_epoll_test_rdhup(). 2016-05-18 15:57:30 +03:00
Maxim Dounin
e7c914321b Events: changed ngx_epoll_test_rdhup() to use existing epollfd. 2016-05-18 15:57:29 +03:00
Maxim Dounin
b115a46ee6 Fixed work with --test-build-epoll after f7849bfb6d21. 2016-05-18 15:57:28 +03:00
Maxim Dounin
bf838dc9df Cache: fixed updating bypassed cached errors (ticket #827). 2016-05-16 20:37:38 +03:00