Commit Graph

5502 Commits

Author SHA1 Message Date
Sergey Kandaurov
6299f5e914 Avoid left-shifting integers into the sign bit, which is undefined.
Found with UndefinedBehaviorSanitizer.
2016-07-07 21:02:28 +03:00
Vladimir Homutov
dea1e999b8 Stream: resolver. 2016-07-07 13:15:31 +03:00
Ruslan Ermilov
6810b9f148 Use NGX_MAX_PATH_LEVEL where appropriate.
The macro was unused since 0.7.44.
2016-07-06 13:22:29 +03:00
Ruslan Ermilov
5c4ca2ac80 Version bump. 2016-07-06 13:10:06 +03:00
Roman Arutyunyan
a7c6f8c1d7 Stream: return module. 2016-05-18 22:08:49 +03:00
Vladimir Homutov
9721eae1f1 Stream: SSL-related variables. 2016-06-29 12:52:52 +03:00
Vladimir Homutov
cb635b7879 Stream: got rid of pseudo variables.
Stream limit_conn, upstream_hash and proxy modules now use complex values.
2016-06-29 12:46:12 +03:00
Vladimir Homutov
05db6ddfa1 Stream: map module. 2016-06-29 12:46:12 +03:00
Vladimir Homutov
d531cebb79 Stream: core module variables. 2016-06-14 18:28:14 +03:00
Vladimir Homutov
c31773ea60 Stream: variables and script.
This is a port of corresponding http code with unrelated features excluded.
2016-07-04 16:37:36 +03:00
Vladimir Homutov
db5a15d2f9 Stream: added preconfiguration step. 2016-06-15 15:10:24 +03:00
Roman Arutyunyan
c9dae918fd Sub filter: eliminate unnecessary buffering.
Previously, when a buffer was processed by the sub filter, its final bytes
could be buffered by the filter even if they don't match any pattern.
This happened because the Boyer-Moore algorithm, employed by the sub filter
since b9447fc457b4 (1.9.4), matches the last characters of patterns prior to
checking other characters.  If the last character is out of scope, initial
bytes of a potential match are buffered until the last character is available.

Now, after receiving a flush or recycled buffer, the filter performs
additional checks to reduce the number of buffered bytes.  The potential match
is checked against the initial parts of all patterns.  Non-matching bytes are
not buffered.  This improves processing of a chunked response from upstream
by sending the entire chunks without buffering unless a partial match is found
at the end of a chunk.
2016-07-02 15:59:53 +03:00
Roman Arutyunyan
ec70155755 Sub filter: introduced the ngx_http_sub_match() function.
No functional changes.
2016-07-02 15:59:52 +03:00
Maxim Dounin
c60b61a290 Internal md5 and sha1 implementations are now always used.
This reduces the number of moving parts in ABI compatibility checks.
Additionally, it also allows to use OpenSSL in FIPS mode while still
using md5 for non-security tasks.
2016-06-30 18:57:39 +03:00
Ruslan Ermilov
fb6c764921 Removed unused flag accept_context_updated from ngx_event_t.
Also, removed practically unused flag accept_context_updated from
ngx_connection_t.
2016-06-29 14:30:00 +03:00
Roman Arutyunyan
dcf3d20874 Style. 2016-06-27 18:42:29 +03:00
Piotr Sikora
e0b0fa6bf5 HTTP/2: style.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-06-22 13:47:54 -07:00
Roman Arutyunyan
a6048c0e1e Style. 2016-06-22 11:50:02 +03:00
Roman Arutyunyan
82c5230fd1 Stream: use ngx_pcalloc() in ngx_stream_proxy_bind(). 2016-06-22 11:50:02 +03:00
Roman Arutyunyan
9810fd06cb Fixed build on MSVC. 2016-06-20 15:11:50 +03:00
Roman Arutyunyan
4c03c80e12 Stream: set SO_REUSEADDR for UDP upstream sockets.
The option is only set if the socket is bound to a specific port to allow
several such sockets coexist at the same time.  This is required, for example,
when nginx acts as a transparent proxy and receives two datagrams from the same
client in a short time.

The feature is only implemented for Linux.
2016-06-20 12:48:47 +03:00
Roman Arutyunyan
05879309c1 Stream: support for $remote_port in proxy_bind.
The following two types of bind addresses are supported in addition to
$remote_addr and address literals:

- $remote_addr:$remote_port
- [$remote_addr]:$remote_port

In both cases client remote address with port is used in upstream socket bind.
2016-06-20 11:50:44 +03:00
Roman Arutyunyan
8cad1c015f Upstream: support for port in proxy_bind and friends. 2016-06-20 11:50:43 +03:00
Roman Arutyunyan
5b201ac31f Introduced ngx_inet_get_port() and ngx_inet_set_port() functions. 2016-06-20 11:50:39 +03:00
Andrei Belov
72d4e5d793 Set IP_BIND_ADDRESS_NO_PORT socket option for upstream sockets. 2016-06-20 10:41:17 +03:00
Tim Taubert
4f578bfcab SSL: ngx_ssl_ciphers() to set list of ciphers.
This patch moves various OpenSSL-specific function calls into the
OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more
crypto-library-agnostic.
2016-06-15 21:05:30 +01:00
Valentin Bartenev
6e38998bac HTTP/2: fixed the "http request count is zero" alert.
When the stream is terminated the HEADERS frame can still wait in the output
queue.  This frame can't be removed and must be sent to the client anyway,
since HTTP/2 uses stateful compression for headers.  So in order to postpone
closing and freeing memory of such stream the special close stream handler
is set to the write event.  After the HEADERS frame is sent the write event
is called and the stream will be finally closed.

Some events like receiving a RST_STREAM can trigger the read handler of such
stream in closing state and cause unexpected processing that can result in
another attempt to finalize the request.  To prevent it the read handler is
now set to ngx_http_empty_handler.

Thanks to Amazon.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
bf5f915a01 HTTP/2: avoid adding Content-Length for requests without body.
There is no reason to add the "Content-Length: 0" header to a proxied request
without body if the header isn't presented in the original request.

Thanks to Amazon.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
cd2085be0c HTTP/2: prevented double termination of a stream.
According to RFC 7540, an endpoint should not send more than one RST_STREAM
frame for any stream.

Also, now all the data frames will be skipped while termination.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
24d9b98900 HTTP/2: fixed a segfault while processing unbuffered upload.
The ngx_http_v2_finalize_connection() closes current stream, but that is an
invalid operation while processing unbuffered upload.  This results in access
to already freed memory, since the upstream module sets a cleanup handler that
also finalizes the request.
2016-06-16 20:55:11 +03:00
Maxim Dounin
ab8504b937 An internal SHA1 implementation. 2016-06-09 16:55:38 +03:00
Otto Kekäläinen
cb963abf03 Fixed spelling. 2016-06-08 08:27:41 +03:00
Valentin Bartenev
46336296e4 Fixed an error log message. 2016-06-07 17:44:20 +03:00
Sergey Kandaurov
ba212375a7 Version bump. 2016-06-07 12:26:34 +03:00
Maxim Dounin
a3d382397a Core: skip special buffers on writing (ticket #981).
A special last buffer with cl->buf->pos set to NULL can be present in
a chain when writing request body if chunked encoding was used.  This
resulted in a NULL pointer dereference if it happened to be the only
buffer left after a do...while loop iteration in ngx_write_chain_to_file().

The problem originally appeared in nginx 1.3.9 with chunked encoding
support.  Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the
minimum number of buffers to trigger this from IOV_MAX (typically 1024)
to NGX_IOVS_PREALLOCATE (typically 64).

Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is
done in other places.
2016-05-31 05:13:30 +03:00
Valentin Bartenev
b6e423b7c0 HTTP/2: unbreak build on MSVC. 2016-05-24 21:54:32 +03:00
Valentin Bartenev
99d2ede934 Version bump. 2016-05-24 21:54:32 +03:00
Maxim Dounin
1a1470b865 Fixed build on MSVC. 2016-05-24 17:43:58 +03:00
Valentin Bartenev
5429140c01 HTTP/2: implemented preread buffer for request body (closes #959).
Previously, the stream's window was kept zero in order to prevent a client
from sending the request body before it was requested (see 887cca40ba6a for
details).  Until such initial window was acknowledged all requests with
data were rejected (see 0aa07850922f for details).

That approach revealed a number of problems:

 1. Some clients (notably MS IE/Edge, Safari, iOS applications) show an error
    or even crash if a stream is rejected;

 2. This requires at least one RTT for every request with body before the
    client receives window update and able to send data.

To overcome these problems the new directive "http2_body_preread_size" is
introduced.  It sets the initial window and configures a special per stream
preread buffer that is used to save all incoming data before the body is
requested and processed.

If the directive's value is lower than the default initial window (65535),
as previously, all streams with data will be rejected until the new window
is acknowledged.  Otherwise, no special processing is used and all requests
with data are welcome right from the connection start.

The default value is chosen to be 64k, which is bigger than the default
initial window.  Setting it to zero is fully complaint to the previous
behavior.
2016-05-24 17:37:52 +03:00
Ruslan Ermilov
adfd0b065c Realip: detect duplicate real_ip_header directive. 2016-05-23 19:17:24 +03:00
Dmitry Volyntsev
06176bce91 Realip: port support in X-Real-IP and X-Forwarded-For.
Now, the module extracts optional port which may accompany an
IP address.  This custom extension is introduced, among other
things, in order to facilitate logging of original client ports.
Addresses with ports are expected to be in the RFC 3986 format,
that is, with IPv6 addresses in square brackets.  E.g.,
"X-Real-IP: [2001:0db8::1]:12345" sets client port ($remote_port)
to 12345.
2016-05-23 18:44:23 +03:00
Dmitry Volyntsev
19140c8c4f Realip: take client port from PROXY protocol header.
Previously, when the client address was changed to the one from
the PROXY protocol header, the client port ($remote_port) was
reset to zero.  Now the client port is also changed to the one
from the PROXY protocol header.
2016-05-23 18:44:22 +03:00
Dmitry Volyntsev
97495b662f Added the $realip_remote_port variable. 2016-05-23 18:44:22 +03:00
Dmitry Volyntsev
f56cf3ddc7 Added the $proxy_protocol_port variable. 2016-05-23 18:44:21 +03:00
Maxim Dounin
5b267a55bc Renamed "u" to "sockaddr" in listen options types. 2016-05-23 16:37:28 +03:00
Ruslan Ermilov
fd064d3b88 Introduced the ngx_sockaddr_t type.
It's properly aligned and can hold any supported sockaddr.
2016-05-23 16:37:20 +03:00
Ruslan Ermilov
d650688ba5 Stream: fixed duplicate listen address detection.
The 6f8254ae61b8 change inadvertently fixed the duplicate port
detection similar to how it was fixed for mail in b2920b517490.
It also revealed another issue: the socket type (tcp vs. udp)
wasn't taken into account.
2016-05-23 12:50:59 +03:00
Ruslan Ermilov
48a16463fa Use ngx_cmp_sockaddr() where appropriate. 2016-05-20 19:10:42 +03:00
Valentin Bartenev
f7673bb50f HTTP/2: the "421 Misdirected Request" response (closes #848).
Since 4fbef397c753 nginx rejects with the 400 error any attempts of
requesting different host over the same connection, if the relevant
virtual server requires verification of a client certificate.

While requesting hosts other than negotiated isn't something legal
in HTTP/1.x, the HTTP/2 specification explicitly permits such requests
for connection reuse and has introduced a special response code 421.

According to RFC 7540 Section 9.1.2 this code can be sent by a server
that is not configured to produce responses for the combination of
scheme and authority that are included in the request URI.  And the
client may retry the request over a different connection.

Now this code is used for requests that aren't authorized in current
connection.  After receiving the 421 response a client will be able
to open a new connection, provide the required certificate and retry
the request.

Unfortunately, not all clients currently are able to handle it well.
Notably Chrome just shows an error, while at least the latest version
of Firefox retries the request over a new connection.
2016-05-20 18:41:17 +03:00
Ruslan Ermilov
61fbcd1cad Belatedly changed the ngx_create_listening() prototype.
The function is called only with "struct sockaddr *" since 0.7.58.
2016-05-20 17:02:04 +03:00
Maxim Dounin
61ec58a9be SSL: removed default DH parameters.
Using the same DH parameters on multiple servers is believed to be subject
to precomputation attacks, see http://weakdh.org/.  Additionally, 1024 bits
are not enough in the modern world as well.  Let users provide their own
DH parameters with the ssl_dhparam directive if they want to use EDH ciphers.

Note that SSL_CTX_set_dh_auto() as provided by OpenSSL 1.1.0 uses fixed
DH parameters from RFC 5114 and RFC 3526, and therefore subject to the same
precomputation attacks.  We avoid using it as well.

This change also fixes compilation with OpenSSL 1.1.0-pre5 (aka Beta 2),
as OpenSSL developers changed their policy after releasing Beta 1 and
broke API once again by making the DH struct opaque (see ticket #860).
2016-05-19 14:46:32 +03:00
Maxim Dounin
3b7dca4bb5 SSL: support for multiple curves (ticket #885).
OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported.  This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.

The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used".  For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used.  The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).

As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.
2016-05-19 14:46:32 +03:00
Maxim Dounin
690423e3b2 SSL: style. 2016-05-19 14:46:32 +03:00
Maxim Dounin
cfd17ca9ed SSL: error messages style. 2016-05-19 14:46:32 +03:00
Maxim Dounin
cf126b98b3 SSL: support for multiple certificates (ticket #814). 2016-05-19 14:46:32 +03:00
Maxim Dounin
798999b63d SSL: support for per-certificate chains.
The SSL_CTX_add0_chain_cert() function as introduced in OpenSSL 1.0.2 now
used instead of SSL_CTX_add_extra_chain_cert().

SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates
in the context, while SSL_CTX_add0_chain_cert() only to a particular
certificate.  There is no difference unless multiple certificates are used,
though it is important when using multiple certificates.

Additionally, SSL_CTX_select_current_cert() is now called before using
a chain to make sure correct chain will be returned.
2016-05-19 14:46:32 +03:00
Maxim Dounin
e844475905 SSL: made it possible to iterate though all certificates.
A pointer to a previously configured certificate now stored in a certificate.
This makes it possible to iterate though all certificates configured in
the SSL context.  This is now used to configure OCSP stapling for all
certificates, and in ngx_ssl_session_id_context().

As SSL_CTX_use_certificate() frees previously loaded certificate of the same
type, and we have no way to find out if it's the case, X509_free() calls
are now posponed till ngx_ssl_cleanup_ctx().

Note that in OpenSSL 1.0.2+ this can be done without storing things in exdata
using the SSL_CTX_set_current_cert() and SSL_CTX_get0_certificate() functions.
These are not yet available in all supported versions though, so it's easier
to continue to use exdata for now.
2016-05-19 14:46:32 +03:00
Maxim Dounin
503b3569b9 OCSP stapling: additional function to configure stapling on a cert. 2016-05-19 14:46:32 +03:00
Maxim Dounin
40e075c325 OCSP stapling: staple now extracted via SSL_get_certificate().
This makes it possible to properly return OCSP staple with multiple
certificates configured.

Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+.
In older versions SSL_get_certificate() fails to return correct certificate
when the certificate status callback is called.
2016-05-19 14:46:32 +03:00
Maxim Dounin
b4276f2447 OCSP stapling: staple now stored in certificate, not SSL context. 2016-05-19 14:46:32 +03:00
Maxim Dounin
825289ff60 OCSP stapling: staple provided in arguments. 2016-05-19 14:46:32 +03:00
Maxim Dounin
e647c47f2a Added overflow checks for version numbers (ticket #762).
Both minor and major versions are now limited to 999 maximum.  In case of
r->http_minor, this limit is already implied by the code.  Major version,
r->http_major, in theory can be up to 65535 with current code, but such
values are very unlikely to become real (and, additionally, such values
are not allowed by RFC 7230), so the same test was used for r->http_major.
2016-05-18 16:21:32 +03:00
Maxim Dounin
ce9ff81b32 Events: close descriptors on errors in ngx_epoll_test_rdhup(). 2016-05-18 15:57:30 +03:00
Maxim Dounin
e7c914321b Events: changed ngx_epoll_test_rdhup() to use existing epollfd. 2016-05-18 15:57:29 +03:00
Maxim Dounin
b115a46ee6 Fixed work with --test-build-epoll after f7849bfb6d21. 2016-05-18 15:57:28 +03:00
Maxim Dounin
bf838dc9df Cache: fixed updating bypassed cached errors (ticket #827). 2016-05-16 20:37:38 +03:00
Maxim Dounin
099d74cf3d Dav: return 501 on PUT with ranges (ticket #948). 2016-05-16 20:37:23 +03:00
Valentin Bartenev
7850609cf9 Fixed an error log message about epoll_wait() timeout.
The errno value is unset in case of epoll_wait() timeout.
2016-05-16 16:22:34 +03:00
Valentin Bartenev
12f4367189 Improved EPOLLRDHUP handling.
When it's known that the kernel supports EPOLLRDHUP, there is no need in
additional recv() call to get EOF or error when the flag is absent in the
event generated by the kernel.  A special runtime test is done at startup
to detect if EPOLLRDHUP is actually supported by the kernel because
epoll_ctl() silently ignores unknown flags.

With this knowledge it's now possible to drop the "ready" flag for partial
read.  Previously, the "ready" flag was kept until the recv() returned EOF
or error.  In particular, this change allows the lingering close heuristics
(which relies on the "ready" flag state) to actually work on Linux, and not
wait for more data in most cases.

The "available" flag is now used in the read event with the semantics similar
to the corresponding counter in kqueue.
2016-05-13 17:19:23 +03:00
Dmitry Volyntsev
cbf6ca98bc Map: support of complex values in resulting strings. 2016-05-12 16:43:19 +03:00
Ruslan Ermilov
41d512c069 Removed a surplus condition from ngx_parse_inet6_url().
No functional changes, since the condition was always true.
2016-05-11 17:55:30 +03:00
Valentin Bartenev
66be8c6608 Core: fixed port handling in ngx_parse_inet6_url().
This fixes buffer over-read when no port is specified in cases
similar to 5df5d7d771f6, and catches missing port separator.
2016-05-11 17:55:20 +03:00
Ruslan Ermilov
2a83e5fa6d Removed unused flag unexpected_eof from ngx_connection_t. 2016-04-28 16:30:19 +03:00
Vladimir Homutov
f315b7a924 Variable $request_id.
The variable contains text representation based on random data, usable as
a unique request identifier.
2016-04-26 19:31:46 +03:00
Roman Arutyunyan
be79f5cb16 Upstream: the "transparent" parameter of proxy_bind and friends.
This parameter lets binding the proxy connection to a non-local address.
Upstream will see the connection as coming from that address.
When used with $remote_addr, upstream will accept the connection from real
client address.

Example:

    proxy_bind $remote_addr transparent;
2015-12-18 19:05:27 +03:00
Roman Arutyunyan
77ec993fd7 Stream: prepared proxy_bind to accept parameters. 2016-04-13 15:42:47 +03:00
Roman Arutyunyan
f10bc5a763 Upstream: prepared proxy_bind to accept parameters.
In addition, errors occurred while setting bind address are no longer ignored.
2016-04-13 15:42:46 +03:00
Ruslan Ermilov
438b58f91f Removed some bitrot.
Removed NGX_CONF_MULTI unused since 1.3.4.
Removed ngx_url_t.one_addr unused since 1.3.10.
2016-04-26 18:26:43 +03:00
Ruslan Ermilov
9aca6d4d57 Version bump. 2016-04-26 18:26:18 +03:00
Valentin Bartenev
22285687c9 HTTP/2: send the output queue after emitting WINDOW_UPDATE.
The WINDOW_UPDATE frame could be left in the output queue for an indefinite
period of time resulting in the request timeout.

This might happen if reading of the body was triggered by an event unrelated
to client connection, e.g. by the limit_req timer.
2016-04-19 17:38:49 +03:00
Valentin Bartenev
7458f66675 HTTP/2: skip data frames in case of internal errors.
This prevents possible processing of such frames and triggering
rb->post_handler if an error occurred during r->request_body
initialization.
2016-04-19 17:38:49 +03:00
Valentin Bartenev
f4df08b19d HTTP/2: don't send WINDOW_UPDATE for an empty request body.
Particularly this prevents sending WINDOW_UPDATE with zero delta
which can result in PROTOCOL_ERROR.

Also removed surplus setting of no_flow_control to 0.
2016-04-19 17:38:49 +03:00
Maxim Dounin
eeb72127cf Thread pools: memory barriers in task completion notifications.
The ngx_thread_pool_done object isn't volatile, and at least some
compilers assume that it is permitted to reorder modifications of
volatile and non-volatile objects.  Added appropriate ngx_memory_barrier()
calls to make sure all modifications will happen before the lock is released.

Reported by Mindaugas Rasiukevicius,
http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008160.html.
2016-04-19 17:18:28 +03:00
Maxim Dounin
eb38cbda2f HTTP/2: write logs when refusing streams with data.
Refusing streams is known to be incorrectly handled at least by IE, Edge
and Safari.  Make sure to provide appropriate logging to simplify fixing
this in the affected browsers.
2016-04-18 21:18:24 +03:00
Valentin Bartenev
7691b9750e HTTP/2: send WINDOW_UPDATE instead of RST_STREAM with NO_ERROR.
After the 92464ebace8e change, it has been discovered that not all
clients follow the RFC and handle RST_STREAM with NO_ERROR properly.

Notably, Chrome currently interprets it as INTERNAL_ERROR and discards
the response.

As a workaround, instead of RST_STREAM the maximum stream window update
will be sent, which will let client to send up to 2 GB of a request body
data before getting stuck on flow control.  All the received data will
be silently discarded.

See for details:
http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008143.html
https://bugs.chromium.org/p/chromium/issues/detail?id=603182
2016-04-14 15:14:15 +03:00
Valentin Bartenev
536b5510d1 HTTP/2: refuse streams with data until SETTINGS is acknowledged.
A client is allowed to send requests before receiving and acknowledging
the SETTINGS frame.  Such a client having a wrong idea about the stream's
could send the request body that nginx isn't ready to process.

The previous behavior was to send RST_STREAM with FLOW_CONTROL_ERROR in
such case, but it didn't allow retrying requests that have been rejected.
2016-04-14 15:14:15 +03:00
Valentin Bartenev
60f0960ab6 HTTP/2: deduplicated some code in ngx_http_v2_state_headers().
No functional changes.
2016-04-14 15:14:15 +03:00
Valentin Bartenev
4c1b9fef65 FastCGI: skip special bufs in buffered request body chain.
This prevents forming empty records out of such buffers.  Particularly it fixes
double end-of-stream records with chunked transfer encoding, or when HTTP/2 is
used and the END_STREAM flag has been sent without data.  In both cases there
is an empty buffer at the end of the request body chain with the "last_buf"
flag set.

The canonical libfcgi, as well as php implementation, tolerates such records,
while the HHVM parser is more strict and drops the connection (ticket #950).
2016-04-11 18:42:34 +03:00
Ruslan Ermilov
400d42437c Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse (as in e444e8f6538b). 2016-04-12 19:01:56 +03:00
Alessandro Ghedini
35f05dd51f Fixed typos. 2016-04-11 16:47:11 +01:00
Ruslan Ermilov
37a3a2b2e8 Removed redundant "u" format specifier.
It is implied for "x" and "X".
2016-04-08 15:03:38 +03:00
Ruslan Ermilov
4d1f67fd91 Simplified ngx_unix_recv() and ngx_readv_chain().
This makes ngx_unix_recv() and ngx_udp_unix_recv() differ minimally.
2016-04-08 16:49:35 +03:00
Valentin Bartenev
dbabc66b68 Merged implementations of ngx_unix_recv().
There's no real need in two separate implementations,
with and without kqueue support.
2016-04-08 16:41:45 +03:00
Valentin Bartenev
900ef17c47 Fixed small inconsistency in handling EOF among receive functions.
Now all functions always drop the ready flag in this case.
2016-04-08 16:39:49 +03:00
Valentin Bartenev
8e7d8757c6 Merged implementations of ngx_udp_unix_recv().
There's no real need in two separate implementations,
with and without kqueue support.
2016-04-08 16:38:42 +03:00
Josh Soref
73d27510c0 Fixed spelling. 2016-04-07 11:50:13 +03:00
Ruslan Ermilov
2f9f3453f2 Version bump. 2016-04-07 19:09:42 +03:00
Valentin Bartenev
74ee55ec1b HTTP/2: support for unbuffered upload of request body. 2016-04-01 15:57:10 +03:00
Valentin Bartenev
948eeca222 HTTP/2: rewritten handling of request body.
There are two improvements:

  1. Support for request body filters;

  2. Receiving of request body is started only after
     the ngx_http_read_client_request_body() call.

The last one fixes the problem when the client_max_body_size value might not be
respected from the right location if the location was changed either during the
process of receiving body or after the whole body had been received.
2016-04-01 15:56:03 +03:00
Valentin Bartenev
cedba685a1 HTTP/2: sending RST_STREAM with NO_ERROR to discard request body.
RFC 7540 states that "A server can send a complete response prior to the client
sending an entire request if the response does not depend on any portion of the
request that has not been sent and received.  When this is true, a server MAY
request that the client abort transmission of a request without error by sending
a RST_STREAM with an error code of NO_ERROR after sending a complete response
(i.e., a frame with the END_STREAM flag)."

This should prevent a client from blocking on the stream window, since it isn't
maintained for closed streams.  Currently, quite big initial stream windows are
used, so such blocking is very unlikly, but that will be changed in the further
patches.
2016-04-01 15:56:03 +03:00
Maxim Dounin
7cee215f15 Core: removed incorrect GCC 2.7 check.
It was broken since introduction (__GNU__ instead of __GNUC__) and did
nothing.  Moreover, GCC 2.7 is happy with the normal version of the code.

Reported by Joel Cunningham,
http://mailman.nginx.org/pipermail/nginx-devel/2016-March/007964.html.
2016-04-01 13:17:12 +03:00
Maxim Dounin
2e251b1c34 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
SSLeay_version() and SSLeay() are no longer available if OPENSSL_API_COMPAT
is set to 0x10100000L.  Switched to using OpenSSL_version() instead.

Additionally, we now compare version strings instead of version numbers,
and this correctly works for LibreSSL as well.
2016-03-31 23:38:38 +03:00
Sergey Kandaurov
d8fbce1deb SSL: X509 was made opaque in OpenSSL 1.1.0.
To increment reference counters we now use newly introduced X509_up_ref()
function.
2016-03-31 23:38:37 +03:00
Sergey Kandaurov
66feb8c6f0 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. 2016-03-31 23:38:36 +03:00
Maxim Dounin
8fc90404fb SSL: RSA_generate_key() is deprecated in OpenSSL 1.1.0.
OpenSSL removed support for all 40 and 56 bit ciphers.
2016-03-31 23:38:34 +03:00
Maxim Dounin
e6f04424af SSL: initialization changes for OpenSSL 1.1.0.
OPENSSL_config() deprecated in OpenSSL 1.1.0.  Additionally,
SSL_library_init(), SSL_load_error_strings() and OpenSSL_add_all_algorithms()
are no longer available if OPENSSL_API_COMPAT is set to 0x10100000L.

The OPENSSL_init_ssl() function is now used instead with appropriate
arguments to trigger the same behaviour.  The configure test changed to
use SSL_CTX_set_options().

Deinitialization now happens automatically in OPENSSL_cleanup() called
via atexit(3), so we no longer call EVP_cleanup() and ENGINE_cleanup()
directly.
2016-03-31 23:38:33 +03:00
Maxim Dounin
93c2749fae SSL: get_session callback changed in OpenSSL 1.1.0. 2016-03-31 23:38:32 +03:00
Maxim Dounin
0e83d6ac40 SSL: guarded error codes not present in OpenSSL 1.1.0. 2016-03-31 23:38:31 +03:00
Maxim Dounin
bad99ee004 SSL: reasonable version for LibreSSL.
LibreSSL defines OPENSSL_VERSION_NUMBER to 0x20000000L, but uses an old
API derived from OpenSSL at the time LibreSSL forked.  As a result, every
version check we use to test for new API elements in newer OpenSSL versions
requires an explicit check for LibreSSL.

To reduce clutter, redefine OPENSSL_VERSION_NUMBER to 0x1000107fL if
LibreSSL is used.  The same is done by FreeBSD port of LibreSSL.
2016-03-31 23:38:29 +03:00
Ruslan Ermilov
5afd74bed6 Removed the prototype mysql module. 2016-03-31 22:33:26 +03:00
Ruslan Ermilov
5ad6e01b46 Fixed ngx_os_signal_process() prototype. 2016-03-31 22:00:33 +03:00
Sergey Kandaurov
60a6551e1f Fixed ngx_pid_t formatting in ngx_sprintf() and logging. 2016-03-31 02:34:04 +03:00
Sergey Kandaurov
6a716c6123 Fixed format specifiers in ngx_sprintf(). 2016-03-31 02:34:00 +03:00
Sergey Kandaurov
00ef9ff5f0 Fixed logging. 2016-03-31 02:33:57 +03:00
Sergey Kandaurov
53fec2c414 Events: fixed logging. 2016-03-31 02:33:55 +03:00
Sergey Kandaurov
c622ff3b44 Fixed logging with variable field width. 2016-03-31 02:33:53 +03:00
Sergey Kandaurov
2e25f340b8 Fixed logging in close error handling. 2016-03-31 02:33:50 +03:00
Ruslan Ermilov
dd5628fcad Events: fixed test building with eventport on OS X.
Broken in d17f0584006f (1.9.13).
2016-03-30 11:57:28 +03:00
Ruslan Ermilov
7ad57da598 Style. 2016-03-30 11:52:16 +03:00
Ruslan Ermilov
dfbc51a8cc Version bump. 2016-03-30 11:52:07 +03:00
Maxim Dounin
d259032741 Win32: replaced NGX_EXDEV with more appropriate error code.
Correct error code for NGX_EXDEV on Windows is ERROR_NOT_SAME_DEVICE,
"The system cannot move the file to a different disk drive".

Previously used ERROR_WRONG_DISK is about wrong diskette in the drive and
is not appropriate.

There is no real difference though, as MoveFile() is able to copy files
between disk drives, and will fail with ERROR_ACCESS_DENIED when asked
to copy directories.  The ERROR_NOT_SAME_DEVICE error is only used
by MoveFileEx() when called without the MOVEFILE_COPY_ALLOWED flag.
2016-03-29 09:52:15 +03:00
Maxim Dounin
6871615528 Win32: additional error code NGX_EEXIST_FILE (ticket #910).
On Windows there are two possible error codes which correspond to
the EEXIST error code: ERROR_FILE_EXISTS used by CreateFile(CREATE_NEW),
and ERROR_ALREADY_EXISTS used by CreateDirectory().

MoveFile() seems to use both: ERROR_ALREADY_EXISTS when moving within
one filesystem, and ERROR_FILE_EXISTS when copying a file to a different
drive.
2016-03-29 09:51:46 +03:00
Maxim Dounin
4618c03f4c Upstream: proxy_next_upstream non_idempotent.
By default, requests with non-idempotent methods (POST, LOCK, PATCH)
are no longer retried in case of errors if a request was already sent
to a backend.  Previous behaviour can be restored by using
"proxy_next_upstream ... non_idempotent".
2016-03-28 19:50:19 +03:00
Maxim Dounin
5a76856dc2 Upstream: cached connections now tested against next_upstream.
Much like normal connections, cached connections are now tested against
u->conf->next_upstream, and u->state->status is now always set.

This allows to disable additional tries even with upstream keepalive
by using "proxy_next_upstream off".
2016-03-28 19:49:52 +03:00
Ruslan Ermilov
f5fff1eda0 Fixed --test-build-*.
Fixes various aspects of --test-build-devpoll, --test-build-eventport, and
--test-build-epoll.

In particular, if --test-build-devpoll was used on Linux, then "devpoll"
event method would be preferred over "epoll".  Also, wrong definitions of
event macros were chosen.
2016-03-28 19:29:18 +03:00
Roman Arutyunyan
3d791c46f5 Sub filter: fixed allocation alignment. 2016-03-28 13:35:25 +03:00
Piotr Sikora
c3aed0a233 Core: allow strings without null-termination in ngx_parse_url().
This fixes buffer over-read while using variables in the "proxy_pass",
"fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives, where result
of string evaluation isn't null-terminated.

Found with MemorySanitizer.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-02-26 17:30:27 -08:00
Roman Arutyunyan
030a1f959c Fixed socket inheritance on reload and binary upgrade.
On nginx reload or binary upgrade, an attempt is made to inherit listen sockets
from the previous configuration.  Previously, no check for socket type was made
and the inherited socket could have the wrong type.  On binary upgrade, socket
type was not detected at all.  Wrong socket type could lead to errors on that
socket due to different logic and unsupported syscalls.  For example, a UDP
socket, inherited as TCP, lead to the following error after arrival of a
datagram: "accept() failed (102: Operation not supported on socket)".
2016-03-25 14:10:38 +03:00
Vladimir Homutov
818ebb3492 Stream: additional logging for UDP. 2016-03-18 19:53:22 +03:00
Dmitry Volyntsev
2e6e246794 Win32: fixed build after 384154fc634f. 2016-03-23 18:34:05 +03:00
Roman Arutyunyan
3c48fd7c05 Stream: detect port absence in proxy_pass with IP literal.
This is a clone of http commit 26c127bab5ef.
2016-03-23 17:45:15 +03:00
Dmitry Volyntsev
f625ad7ce8 Resolver: added support for SRV records. 2016-03-23 17:44:36 +03:00
Dmitry Volyntsev
2b2fe92aaa Resolver: do not enable resolve timer if provided timeout is zero. 2016-03-23 17:44:36 +03:00
Dmitry Volyntsev
98f222c6c1 Resolver: introduced valid field in resolver responses.
It hints the amount of time a response could be considered
as valid.
2016-03-23 17:44:36 +03:00
Valentin Bartenev
0f4315f998 Core: introduced the NGX_DEBUG_PALLOC macro.
It allows to turn off accumulation of small pool allocations into a big
preallocated chunk of memory.  This is useful for debugging memory access
with sanitizer, since such accumulation can cover buffer overruns from
being detected.
2016-03-23 17:44:04 +03:00
Valentin Bartenev
9d08bda415 Core: use ngx_palloc_small() to allocate ngx_pool_large_t.
This structure cannot be allocated as a large block anyway, otherwise that will
result in infinite recursion, since each large allocation requires to allocate
another ngx_pool_large_t.

The room for the structure is guaranteed by the NGX_MIN_POOL_SIZE constant.
2016-03-23 17:44:04 +03:00
Valentin Bartenev
21dfe90a4e Core: introduced the ngx_palloc_small() function.
It deduplicates some code for allocations from memory pool.
No functional changes.
2016-03-23 17:44:04 +03:00
Valentin Bartenev
b94eb1dfe6 Core: moved logging before freeing large blocks of pool.
This fixes use-after-free memory access with enabled debug log
when pool->log is allocated as a large block.
2016-03-23 17:44:04 +03:00
Maxim Dounin
890ba54497 Backed out server_tokens changes.
Backed out changesets: cf3e75cfa951, 6b72414dfb4f, 602dc42035fe, e5076b96fd01.
2016-03-22 16:58:38 +03:00
Dmitry Volyntsev
24e38323ee Cache: fixed slots accounting error introduced in c9d680b00744. 2016-03-23 14:16:31 +03:00
Ruslan Ermilov
0b768c1435 Reconsidered server_tokens with an empty value.
An empty value will be treated as "off".
2016-03-22 15:52:28 +03:00
Valentin Bartenev
ae5e76ea06 HTTP/2: improved debugging of sending control frames. 2016-03-21 17:04:21 +03:00
Sergey Kandaurov
1a5922008e Events: fixed test building with devpoll and eventport on Linux.
Avoid POLLREMOVE and itimerspec redefinition.
2016-03-21 12:36:36 +03:00
Piotr Sikora
26f669f109 Fix build with -Wmissing-prototypes.
Broken in 5eb4d7541107 (1.9.6), fix somehow missed in 3600bbfb43e3.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-03-18 16:38:08 -07:00
Dmitry Volyntsev
b18ba1e9f6 Cache: added watermark to reduce IO load when keys_zone is full.
When a keys_zone is full then each next request to the cache is
penalized.  That is, the cache has to evict older files to get a
slot from the keys_zone synchronously.  The patch introduces new
behavior in this scenario.  Manager will try to maintain available
free slots in the keys_zone by cleaning old files in the background.
2016-03-18 15:08:21 +03:00
Dmitry Volyntsev
861e75dc20 Cache: report error if slab allocator fails during cache loading. 2016-03-18 14:27:30 +03:00
Maxim Dounin
348f705c00 Threads: writing via threads pools in event pipe.
The "aio_write" directive is introduced, which enables use of aio
for writing.  Currently it is meaningful only with "aio threads".

Note that aio operations can be done by both event pipe and output
chain, so proper mapping between r->aio and p->aio is provided when
calling ngx_event_pipe() and in output filter.

In collaboration with Valentin Bartenev.
2016-03-18 06:44:49 +03:00
Maxim Dounin
10c8c8d6a4 Threads: offloading of temp files writing to thread pools.
The ngx_thread_write_chain_to_file() function introduced, which
uses ngx_file_t thread_handler, thread_ctx and thread_task fields.
The task context structure (ngx_thread_file_ctx_t) is the same for
both reading and writing, and can be safely shared as long as
operations are serialized.

The task->handler field is now always set (and not only when task is
allocated), as the same task can be used with different handlers.

The thread_write flag is introduced in the ngx_temp_file_t structure
to explicitly enable use of ngx_thread_write_chain_to_file() in
ngx_write_chain_to_temp_file() when supported by caller.

In collaboration with Valentin Bartenev.
2016-03-18 06:44:03 +03:00
Maxim Dounin
ac78b26324 Threads: task pointer stored in ngx_file_t.
This simplifies the interface of the ngx_thread_read() function.

Additionally, most of the thread operations now explicitly set
file->thread_task, file->thread_handler and file->thread_ctx,
to facilitate use of thread operations in other places.

(Potential problems remain with sendfile in threads though - it uses
file->thread_handler as set in ngx_output_chain(), and it should not
be overwritten to an incompatible one.)

In collaboration with Valentin Bartenev.
2016-03-18 06:43:52 +03:00
Maxim Dounin
931ce7f02a Fixed timeouts with threaded sendfile() and subrequests.
If a write event happens after sendfile() but before we've got the
sendfile results in the main thread, this write event will be ignored.
And if no more events will happen, the connection will hang.

Removing the events works in the simple cases, but not always, as
in some cases events are added back by an unrelated code.  E.g.,
the upstream module adds write event in the ngx_http_upstream_init()
to track client aborts.

Fix is to use wev->complete instead.  It is now set to 0 before
a sendfile() task is posted, and it is set to 1 once a write event
happens.  If on completion of the sendfile() task wev->complete is 1,
we know that an event happened while we were executing sendfile(), and
the socket is still ready for writing even if sendfile() did not sent
all the data or returned EAGAIN.
2016-03-18 05:04:45 +03:00
Ruslan Ermilov
07fc7dc719 Style. 2016-03-16 14:44:41 +03:00
Maxim Dounin
07a7b57762 Truncation detection in sendfilev() on Solaris.
While sendfilev() is documented to return -1 with EINVAL set
if the file was truncated, at least Solaris 11 silently returns 0,
and this results in CPU hog.  Added a test to complain appropriately
if 0 is returned.
2016-03-15 18:26:59 +03:00
Maxim Dounin
681e735a33 Truncation detection in sendfile() on Linux.
This addresses connection hangs as observed in ticket #504, and
CPU hogs with "aio threads; sendfile on" as reported in the mailing list,
see http://mailman.nginx.org/pipermail/nginx-ru/2016-March/057638.html.

The alert is identical to one used on FreeBSD.
2016-03-15 18:26:17 +03:00
Roman Arutyunyan
2ce791f2cd Stream: UDP proxy. 2016-01-20 19:52:12 +03:00
Roman Arutyunyan
c790f9673d Stream: post first read events from client and upstream.
The main proxy function ngx_stream_proxy_process() can terminate the stream
session.  The code, following it, should check its return code to make sure the
session still exists.  This happens in client and upstream initialization
functions.  Swapping ngx_stream_proxy_process() call with the code, that
follows it, leaves the same problem vice versa.

In future ngx_stream_proxy_process() will call ngx_stream_proxy_next_upstream()
making it too complicated to know if stream session still exists after this
call.

Now ngx_stream_proxy_process() is called from posted event handlers in both
places with no code following it.  The posted event is automatically removed
once session is terminated.
2016-03-15 15:55:23 +03:00
Ruslan Ermilov
8f53f6f626 Win32: fixed build after cf3e75cfa951. 2016-03-15 15:15:30 +03:00
Ruslan Ermilov
3d9ce2d601 Win32: fixed build after cf3e75cfa951. 2016-03-15 15:10:41 +03:00
Ruslan Ermilov
86927c6588 Added variables support to server_tokens.
It can now be set to "off" conditionally, e.g. using the map
directive.

An empty value will disable the emission of the Server: header
and the signature in error messages generated by nginx.

Any other value is treated as "on", meaning that full nginx
version is emitted in the Server: header and error messages
generated by nginx.
2016-03-15 13:36:19 +03:00
Valentin Bartenev
b3c1abdcd8 Fixed handling of EAGAIN with sendfile in threads. 2016-03-14 22:42:35 +03:00
Roman Arutyunyan
2b4a62c2fc Events: fixed error logging in devpoll. 2016-03-15 00:04:04 +03:00
Sergey Kandaurov
db72c6be20 Fixed compilation with -Wmissing-prototypes. 2016-03-14 19:23:23 +03:00
Justin Li
573ec98d24 Upstream: avoid closing client connection in edge case.
If proxy_cache is enabled, and proxy_no_cache tests true, it was previously
possible for the client connection to be closed after a 304. The fix is to
recheck r->header_only after the final cacheability is determined, and end the
request if no longer cacheable.

Example configuration:

proxy_cache foo;
proxy_cache_bypass 1;
proxy_no_cache 1;

If a client sends If-None-Match, and the upstream server returns 200 with a
matching ETag, no body should be returned to the client. At the start of
ngx_http_upstream_send_response proxy_no_cache is not yet tested, thus cacheable
is still 1 and downstream_error is set.

However, by the time the downstream_error check is done in process_request,
proxy_no_cache has been tested and cacheable is set to 0. The client connection
is then closed, regardless of keepalive.
2016-03-08 22:31:55 -05:00
Maxim Dounin
2aa6d7fd65 Upstream: fixed "zero size buf" alerts with cache (ticket #918).
If caching was used, "zero size buf in output" alerts might appear
in logs if a client prematurely closed connection.  Alerts appeared
in the following situation:

- writing to client returned an error, so event pipe
  drained all busy buffers leaving body output filters
  in an invalid state;

- when upstream response was fully received,
  ngx_http_upstream_finalize_request() tried to flush
  all pending data.

Fix is to avoid flushing body if p->downstream_error is set.
2016-03-10 21:58:03 +03:00
Maxim Dounin
00fcc6a987 Copy filter: fixed sendfile aio handlers to set ctx->aio.
Sendfile handlers (aio preload and thread handler) are called within
ctx->output_filter() in ngx_output_chain(), and hence ctx->aio cannot
be set directly in ngx_output_chain().  Meanwhile, it must be set to
make sure loop within ngx_output_chain() will be properly terminated.

There are no known cases that trigger the problem, though in theory
something like aio + sub filter (something that needs body in memory,
and can also free some memory buffers) + sendfile can result in
"task already active" and "second aio post" alerts.

The fix is to set ctx->aio in ngx_http_copy_aio_sendfile_preload()
and ngx_http_copy_thread_handler().

For consistency, ctx->aio is no longer set explicitly in
ngx_output_chain_copy_buf(), as it's now done in
ngx_http_copy_thread_handler().
2016-03-03 21:14:19 +03:00
Maxim Dounin
a6fe512df6 Fixed sendfile in threads (or with aio preload) and subrequests.
If sendfile in threads is used, it is possible that multiple
subrequests will trigger multiple ngx_linux_sendfile_thread() calls,
as operations are only serialized in output chain based on r->aio,
that is, on subrequest level.

This resulted in "task #N already active" alerts, in particular, when
running proxy_store.t with "aio threads; sendfile on;".

Fix is to tolerate duplicate calls, with an additional safety check
that the file is the same as previously used.

The same problem also affects "aio on; sendfile on;" on FreeBSD
(previously known as "aio sendfile;"), where aio->preload_handler()
could be called multiple times due to similar reasons, resulting in
"second aio post" alerts.  Fix is the same as well.

It is also believed that similar problems can arise if a filter
calls the next body filter multiple times for some reason.  These are
mostly theoretical though.
2016-03-03 21:14:12 +03:00
Valentin Bartenev
e243a2d6c2 Introduced the ngx_chain_to_iovec() function.
It's similar to ngx_output_chain_to_iovec() and uses only preallocated memory.
2016-03-03 18:41:05 +03:00
Valentin Bartenev
bc6fcb672c Request body: moved handling of the last part in the save filter.
No functional changes.
2016-03-01 15:18:07 +03:00
Ruslan Ermilov
ea9a2cf2ba Dynamic modules: removed unnecessary initialization.
It became unnecessary after 85dea406e18f.
2016-02-25 16:29:51 +03:00
Ruslan Ermilov
ceccebbb31 Version bump. 2016-02-25 16:28:42 +03:00
Valentin Bartenev
f72bcf8285 HTTP/2: implemented per request timeouts (closes #626).
Previously, there were only three timeouts used globally for the whole HTTP/2
connection:

 1. Idle timeout for inactivity when there are no streams in processing
    (the "http2_idle_timeout" directive);

 2. Receive timeout for incomplete frames when there are no streams in
    processing (the "http2_recv_timeout" directive);

 3. Send timeout when there are frames waiting in the output queue
    (the "send_timeout" directive on a server level).

Reaching one of these timeouts leads to HTTP/2 connection close.

This left a number of scenarios when a connection can get stuck without any
processing and timeouts:

 1. A client has sent the headers block partially so nginx starts processing
    a new stream but cannot continue without the rest of HEADERS and/or
    CONTINUATION frames;

 2. When nginx waits for the request body;

 3. All streams are stuck on exhausted connection or stream windows.

The first idea that was rejected was to detect when the whole connection
gets stuck because of these situations and set the global receive timeout.
The disadvantage of such approach would be inconsistent behaviour in some
typical use cases.  For example, if a user never replies to the browser's
question about where to save the downloaded file, the stream will be
eventually closed by a timeout.  On the other hand, this will not happen
if there's some activity in other concurrent streams.

Now almost all the request timeouts work like in HTTP/1.x connections, so
the "client_header_timeout", "client_body_timeout", and "send_timeout" are
respected.  These timeouts close the request.

The global timeouts work as before.

Previously, the c->write->delayed flag was abused to avoid setting timeouts on
stream events.  Now, the "active" and "ready" flags are manipulated instead to
control the processing of individual streams.
2016-02-24 15:58:07 +03:00
Valentin Bartenev
4e6a490fa7 HTTP/2: always use temporary pool for processing headers.
This is required for implementing per request timeouts.

Previously, the temporary pool was used only during skipping of
headers and the request pool was used otherwise.  That required
switching of pools if the request was closed while parsing.

It wasn't a problem since the request could be closed only after
the validation of the fully parsed header.  With the per request
timeouts, the request can be closed at any moment, and switching
of pools in the middle of parsing header name or value becomes a
problem.

To overcome this, the temporary pool is now always created and
used.  Special checks are added to keep it when either the stream
is being processed or until header block is fully parsed.
2016-02-24 16:05:47 +03:00
Valentin Bartenev
8b40f1eaec HTTP/2: cleaned up state while closing stream.
Without this the state might keep pointing to already closed stream.
2016-02-24 16:05:46 +03:00
Valentin Bartenev
1d294eea3e Fixed buffer over-read while logging invalid request headers.
Since 667aaf61a778 (1.1.17) the ngx_http_parse_header_line() function can return
NGX_HTTP_PARSE_INVALID_HEADER when a header contains NUL character.  In this
case the r->header_end pointer isn't properly initialized, but the log message
in ngx_http_process_request_headers() hasn't been adjusted.  It used the pointer
in size calculation, which might result in up to 2k buffer over-read.

Found with afl-fuzz.
2016-02-24 16:01:23 +03:00
Maxim Dounin
7b232ef5aa SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
This fixes "called a function you should not call" and
"shutdown while in init" errors as observed with OpenSSL 1.0.2f
due to changes in how OpenSSL handles SSL_shutdown() during
SSL handshakes.
2016-02-19 17:27:30 +03:00
Maxim Dounin
89d3762863 SSL: fixed SSL_shutdown() comment. 2016-02-19 17:27:23 +03:00
Ruslan Ermilov
73f815e489 Headers filter: fixed "add_header ... '' always".
The "always" parameter was ignored if the header value was empty.
2016-02-18 15:49:11 +03:00
Vladimir Homutov
faa96e82d2 Core: added support for more than 64 CPUs in worker_cpu_affinity. 2016-02-18 13:58:49 +03:00
Valentin Bartenev
b5d7d3f024 HTTP/2: added debug logging of response headers.
Because of HPACK compression it's hard to see what headers are actually
sent by the server.
2016-02-16 17:49:14 +03:00
Valentin Bartenev
fcfe483292 HTTP/2: use local pointer instead of r->connection.
No functional changes.
2016-02-16 17:49:14 +03:00
Maxim Dounin
79654d53e3 Core: improved logging on invalid NGINX variable (ticket #900). 2016-02-15 17:41:52 +03:00
Valentin Bartenev
822fc91b09 HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.

Found by Coverity (CID 1352150).
2016-02-12 16:36:20 +03:00
Valentin Bartenev
531e6fbfd6 HTTP/2: implemented HPACK Huffman encoding for response headers.
This reduces the size of headers by over 30% on average.

Based on the patch by Vlad Krasnov:
http://mailman.nginx.org/pipermail/nginx-devel/2015-December/007682.html
2016-02-11 15:35:36 +03:00
Ruslan Ermilov
3b9b07377b Dynamic modules: fixed a version mismatch message (ticket #898).
Based on a patch by Takashi Takizawa.
2016-02-11 18:46:46 +03:00
Roman Arutyunyan
f1f419fd2c Stream: initialize variable right before using it. 2016-02-11 14:20:26 +03:00
Roman Arutyunyan
1cdd0cc421 Stream: removed useless typedef. 2016-02-11 14:20:22 +03:00
Piotr Sikora
2fe20c9b34 Core: ngx_module_t compatibility with C++.
Changes to NGX_MODULE_V1 and ngx_module_t in 85dea406e18f (1.9.11)
broke all modules written in C++, because ISO C++11 does not allow
conversion from string literal to char *.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-02-09 16:31:26 -08:00
Maxim Dounin
839c1997d9 Version bump. 2016-02-10 06:23:34 +03:00
Maxim Dounin
97f59dda09 Dynamic modules.
The auto/module script is extended to understand ngx_module_link=DYNAMIC.
When set, it links the module as a shared object rather than statically
into nginx binary.  The module can later be loaded using the "load_module"
directive.

New auto/module parameter ngx_module_order allows to define module loading
order in complex cases.  By default the order is set based on ngx_module_type.

3rd party modules can be compiled dynamically using the --add-dynamic-module
configure option, which will preset ngx_module_link to "DYNAMIC" before
calling the module config script.

Win32 support is rudimentary, and only works when using MinGW gcc (which
is able to handle exports/imports automatically).

In collaboration with Ruslan Ermilov.
2016-02-04 20:25:29 +03:00
Maxim Dounin
86cc342a26 Dynamic modules: dlopen() support. 2016-02-04 18:30:21 +03:00
Maxim Dounin
0f67d6355c Dynamic modules: changed ngx_modules to cycle->modules. 2016-02-04 18:30:21 +03:00
Maxim Dounin
7988334570 Dynamic modules: moved module-related stuff to separate files. 2016-02-04 18:30:21 +03:00
Valentin Bartenev
9add42c71e HTTP/2: fixed possible buffer overrun (ticket #893).
Due to greater priority of the unary plus operator over the ternary operator
the expression didn't work as expected.  That might result in one byte less
allocation than needed for the HEADERS frame buffer.
2016-02-04 18:01:04 +03:00
Valentin Bartenev
cb173ff672 HTTP/2: fixed padding handling in HEADERS frame with CONTINUATION. 2016-02-02 16:33:55 +03:00
Valentin Bartenev
8050277acf HTTP/2: fixed request length accounting.
Now it includes not only the received body size,
but the size of headers block as well.
2016-02-02 16:33:55 +03:00
Valentin Bartenev
405f4f99b4 HTTP/2: fixed excessive memory allocation for pool cleanup. 2016-02-02 16:33:55 +03:00
Valentin Bartenev
3351fbe481 HTTP/2: removed unused field from ngx_http_v2_stream_t. 2016-02-02 16:33:55 +03:00
Ruslan Ermilov
c6ed65ce7c Resolver: style.
Use the original query name in error and debug messages when
processing PTR responses.
2015-12-17 17:30:22 +03:00
Ruslan Ermilov
bf269cbc55 Resolver: improved PTR response processing.
The previous code only parsed the first answer, without checking its
type, and required a compressed RR name.

The new code checks the RR type, supports responses with multiple
answers, and doesn't require the RR name to be compressed.

This has a side effect in limited support of CNAME.  If a response
includes both CNAME and PTR RRs, like when recursion is enabled on
the server, PTR RR is handled.

Full CNAME support in PTR response is not implemented in this change.
2015-12-17 17:21:16 +03:00
Ruslan Ermilov
06806aa001 Resolver: style.
Renamed argument in ngx_resolver_process_a() for consistency.
2015-12-17 17:21:12 +03:00
Roman Arutyunyan
cbee15bb6c Resolver: free TCP buffers on resolver cleanup. 2016-02-02 13:42:55 +03:00
Ruslan Ermilov
625481f6f1 Resolver: fixed possible resource leak introduced in 5a16d40c63de.
Found by Coverity (CID 1351175).
2016-02-02 11:35:19 +03:00
Roman Arutyunyan
aa8fa81e42 Resolver: TCP support.
Resend DNS query over TCP once UDP response came truncated.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
c8c44f7478 Resolver: per-request DNS server balancer.
Previously, a global server balancer was used to assign the next DNS server to
send a query to.  That could lead to a non-uniform distribution of servers per
request.  A request could be assigned to the same dead server several times in a
row and wait longer for a valid server or even time out without being processed.

Now each query is sent to all servers sequentially in a circle until a
response is received or timeout expires.  Initial server for each request is
still globally balanced.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
1945fff7bf Resolver: renamed UDP-specific structures, fields and variables.
They will be used for TCP connections as well.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
52d3601155 Resolver: removed unused field from ngx_resolver_ctx_t. 2016-01-28 15:28:19 +03:00
Roman Arutyunyan
c541b82c21 Version bump. 2016-01-28 15:25:58 +03:00
Ruslan Ermilov
fe89d99796 Resolver: limited CNAME recursion.
Previously, the recursion was only limited for cached responses.
2016-01-26 16:47:14 +03:00
Roman Arutyunyan
a3d42258d9 Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name.  This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from.  When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list.  This happened e.g. when the first request was aborted or timed
out before the resolving completed.  When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context.  The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.

When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname.  If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().

The fix is to keep ctx->name unmodified.  The name from context
is no longer used by ngx_resolve_name_done().  Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
2016-01-26 16:46:59 +03:00
Roman Arutyunyan
b1a110e3a4 Resolver: changed the ngx_resolver_create_*_query() arguments.
No functional changes.

This is needed by the following change.
2016-01-26 16:46:48 +03:00
Ruslan Ermilov
4016e6b1da Resolver: fixed CNAME processing for several requests.
When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.
2016-01-26 16:46:38 +03:00
Ruslan Ermilov
4b581a7c21 Resolver: fixed crashes in timeout handler.
If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.

If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.

This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.
2016-01-26 16:46:31 +03:00
Roman Arutyunyan
c44fd4e837 Resolver: fixed possible segmentation fault on DNS format error. 2016-01-26 16:46:18 +03:00
Valentin Bartenev
8a5df8c720 Request body: removed surplus assigment, no functional changes.
Setting rb->bufs to NULL is surplus after ngx_http_write_request_body()
has returned NGX_OK.
2016-01-12 19:19:07 +03:00
Maxim Dounin
d0bf684ab6 Core: worker_cpu_affinity auto.
If enabled, workers are bound to available CPUs, each worker to once CPU
in order.  If there are more workers than available CPUs, remaining are
bound in a loop, starting again from the first available CPU.

The optional mask parameter defines which CPUs are available for automatic
binding.

In collaboration with Vladimir Homutov.
2016-01-11 19:23:17 +03:00
Maxim Dounin
af647a3da2 Upstream: fixed changing method on X-Accel-Redirect.
Previously, only r->method was changed, resulting in handling of a request
as GET within nginx itself, but not in requests to proxied servers.

See http://mailman.nginx.org/pipermail/nginx/2015-December/049518.html.
2016-01-11 19:08:12 +03:00
Maxim Dounin
fda7d021ca Upstream: don't keep connections on early responses (ticket #669). 2015-12-17 16:39:15 +03:00
Maxim Dounin
9973e36944 Fixed PROXY protocol on IPv6 sockets (ticket #858). 2015-12-17 16:39:02 +03:00
Maxim Dounin
852a565be3 Version bump. 2015-12-17 16:38:51 +03:00
Ruslan Ermilov
5e7535df72 Fixed fastcgi_pass with UNIX socket and variables (ticket #855).
This was broken in a93345ee8f52 (1.9.8).
2015-12-09 16:26:59 +03:00
Ruslan Ermilov
fac1f23e5d Version bump. 2015-12-09 14:41:16 +03:00
Roman Arutyunyan
56fda3265b Slice filter: terminate first slice with last_in_chain flag.
This flag makes sub filter flush buffered data and optimizes allocation in copy
filter.
2015-12-08 17:39:56 +03:00
Roman Arutyunyan
5c1f76f0e9 Slice filter: never run subrequests when main request is buffered.
With main request buffered, it's possible, that a slice subrequest will send
output before it.  For example, while main request is waiting for aio read to
complete, a slice subrequest can start an aio operation as well.  The order
in which aio callbacks are called is undetermined.
2015-12-08 17:39:56 +03:00
Sergey Kandaurov
79fcf261d0 SSL: fixed possible segfault on renegotiation (ticket #845).
Skip SSL_CTX_set_tlsext_servername_callback in case of renegotiation.
Do nothing in SNI callback as in this case it will be supplied with
request in c->data which isn't expected and doesn't work this way.

This was broken by b40af2fd1c16 (1.9.6) with OpenSSL master branch and LibreSSL.
2015-12-08 16:59:43 +03:00
Roman Arutyunyan
8ba626ccd7 Slice filter.
Splits a request into subrequests, each providing a specific range of response.
The variable "$slice_range" must be used to set subrequest range and proper
cache key.  The directive "slice" sets slice size.

The following example splits requests into 1-megabyte cacheable subrequests.

server {
    listen 8000;

    location / {
        slice 1m;

        proxy_cache cache;
        proxy_cache_key $uri$is_args$args$slice_range;
        proxy_set_header Range $slice_range;
        proxy_cache_valid 200 206 1h;
        proxy_pass http://127.0.0.1:9000;
    }
}
2015-12-07 16:30:48 +03:00
Roman Arutyunyan
1b478c50de Upstream: fill r->headers_out.content_range from upstream response. 2015-12-07 16:30:47 +03:00
Piotr Sikora
9752706bd4 Core: fix typo in error message.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-12-02 19:17:19 -08:00
Maxim Dounin
6994593478 Style: NGX_PTR_SIZE replaced with sizeof(void *).
The NGX_PTR_SIZE macro is only needed in preprocessor directives where
it's not possible to use sizeof().
2015-12-03 20:06:45 +03:00
Maxim Dounin
af4e89b9a1 Style. 2015-12-02 01:06:54 +03:00
Ruslan Ermilov
362fb6c1d4 Stop emulating a space character after r->method_name.
This is an API change.

The proxy module was modified to not depend on this in 44122bddd9a1.
No known third-party modules seem to depend on this.
2015-11-30 12:54:01 +03:00
Ruslan Ermilov
05a38c7077 Proxy: improved code readability.
Do not assume that space character follows the method name, just pass it
explicitly.

The fuss around it has already proved to be unsafe, see bbdb172f0927 and
http://mailman.nginx.org/pipermail/nginx-ru/2013-January/049692.html for
details.
2015-11-06 15:21:51 +03:00
Ruslan Ermilov
f0f7b437b9 Reduced the number of GET method constants. 2015-11-30 12:04:35 +03:00
Valentin Bartenev
a89548a4e1 Increased the default "connection_pool_size" on 64-bit platforms.
The previous default of 256 bytes isn't enough and results in two
allocations on each accepted connection, which is suboptimal.
2015-11-30 16:27:33 +03:00
Ruslan Ermilov
5ea66922d9 Style: unified request method checks. 2015-11-06 15:22:43 +03:00
Ruslan Ermilov
bfe1987b41 Core: enabled "include" inside http upstreams (ticket #635).
The directive already works inside stream upstream blocks.
2015-11-23 12:40:19 +03:00
Ruslan Ermilov
72b9a317d2 Upstream: fixed "no port" detection in evaluated upstreams.
If an upstream with variables evaluated to address without a port,
then instead of a "no port in upstream" error an attempt was made
to connect() which failed with EADDRNOTAVAIL.
2015-11-21 10:44:07 +03:00
Valentin Bartenev
d862ae8e68 Used the pwritev() syscall for writing files where possible.
It is more effective, because it doesn't require a separate lseek().
2015-11-17 19:01:41 +03:00
Valentin Bartenev
906c4462f8 Moved file writev() handling code to a separate function.
No functional changes.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
a9e62b625b Handled EINTR from write() and pwrite() syscalls.
This is in addition to 6fce16b1fc10.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
9ef4b63328 Adjusted file->sys_offset after the write() syscall.
This fixes suboptimal behavior caused by surplus lseek() for sequential writes
on systems without pwrite().  A consecutive read after write might result in an
error on systems without pread() and pwrite().

Fortunately, at the moment there are no widely used systems without these
syscalls.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
3aef20d257 Version bump. 2015-11-17 19:01:41 +03:00
Ruslan Ermilov
1ce1610763 Realip: the $realip_remote_addr variable. 2015-11-16 16:02:02 +03:00
Valentin Bartenev
a52bbefd84 HTTP/2: reused HEADERS and CONTINUATION frames buffers. 2015-11-13 20:10:50 +03:00
Valentin Bartenev
548e31f608 HTTP/2: fixed handling of output HEADERS frames.
The HEADERS frame is always represented by more than one buffer since
b930e598a199, but the handling code hasn't been adjusted.

Only the first buffer of HEADERS frame was checked and if it had been
sent while others had not, the rest of the frame was dropped, resulting
in broken connection.

Before b930e598a199, the problem could only be seen in case of HEADERS
frame with CONTINUATION.
2015-11-13 20:10:50 +03:00
Valentin Bartenev
8323cd693b HTTP/2: fixed invalid headers handling (ticket #831).
The r->invalid_header flag wasn't reset once an invalid header appeared in a
request, resulting in all subsequent headers in the request were also marked
as invalid.
2015-11-13 20:10:50 +03:00
Roman Arutyunyan
89a049be89 Upstream: proxy_cache_convert_head directive.
The directive toggles conversion of HEAD to GET for cacheable proxy requests.
When disabled, $request_method must be added to cache key for consistency.
By default, HEAD is converted to GET as before.
2015-11-11 15:47:30 +03:00
Valentin Bartenev
93aef089b4 SSL: only select HTTP/2 using NPN if "http2" is enabled.
OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using HTTP/2 even if it wasn't
enabled in configuration.
2015-11-05 15:01:09 +03:00
Valentin Bartenev
b22c0e0846 HTTP/2: backed out 16905ecbb49e (ticket #822).
It caused inconsistency between setting "in_closed" flag and the moment when
the last DATA frame was actually read.  As a result, the body buffer might not
be initialized properly in ngx_http_v2_init_request_body(), which led to a
segmentation fault in ngx_http_v2_state_read_data().  Also it might cause
start processing of incomplete body.

This issue could be triggered when the processing of a request was delayed,
e.g. in the limit_req or auth_request modules.
2015-11-05 15:01:01 +03:00
Maxim Dounin
f9cce38e49 Fixed ngx_parse_time() out of bounds access (ticket #821).
The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m".  The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.
2015-10-30 21:43:30 +03:00
Vladimir Homutov
e7d298f3fc Syslog: added "nohostname" option.
The option disables sending hostname in the syslog message header.  This is
useful with syslog daemons that do not expect it (tickets #677 and #783).
2015-10-26 19:06:42 +03:00
Valentin Bartenev
090c471032 HTTP/2: changed behavior of the "http2_max_field_size" directive.
Now it limits only the maximum length of literal string (either raw or
compressed) in HPACK request header fields.  It's easier to understand
and to describe in the documentation.
2015-10-27 23:16:35 +03:00
Valentin Bartenev
edf30961e6 HTTP/2: fixed spelling. 2015-10-27 23:16:35 +03:00
Valentin Bartenev
5a8b212fd9 Version bump. 2015-10-27 23:16:29 +03:00
Valentin Bartenev
f36f51725a HTTP/2: simplified checking the END_STREAM flag.
No functional changes.
2015-10-26 17:46:28 +03:00
Valentin Bartenev
d418b92cdc HTTP/2: improved the ngx_http_v2_integer_octets(v) macro.
Previously, it didn't work well for 0, 127, and 128, returning less than needed.
2015-10-26 17:46:16 +03:00
Valentin Bartenev
3565680d94 HTTP/2: fixed the NGX_HTTP_V2_MAX_FIELD macro. 2015-10-26 17:46:13 +03:00
Valentin Bartenev
9150c7df1f HTTP/2: fixed splitting of response headers on CONTINUATION frames.
Previous code has been based on assumption that the header block can only be
splitted at the borders of individual headers.  That wasn't the case and might
result in emitting frames bigger than the frame size limit.

The current approach is to split header blocks by the frame size limit.
2015-09-28 02:32:44 +03:00
Valentin Bartenev
60e41c0fb1 HTTP/2: introduced NGX_HTTP_V2_ENCODE_* macros.
No functional changes.
2015-10-26 17:43:08 +03:00
Valentin Bartenev
69e78850fe HTTP/2: simplified producing of the Last-Modified header. 2015-10-26 17:43:08 +03:00
Valentin Bartenev
70c29f05f0 HTTP/2: fixed header block size calculation. 2015-10-26 17:43:08 +03:00
Piotr Sikora
f93aa4d953 HTTP/2: fix handling of connection errors.
Previously, nginx worker would crash because of a double free
if client disconnected or timed out before sending all headers.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
de4f0eb26b HTTP/2: fix indirect reprioritization.
Previously, streams that were indirectly reprioritized (either because of
a new exclusive dependency on their parent or because of removal of their
parent from the dependency tree), didn't have their pointer to the parent
node updated.

This broke detection of circular dependencies and, as a result, nginx
worker would crash due to stack overflow whenever such dependency was
introduced.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
71a6b600c2 HTTP/2: reject self-dependent streams.
Per RFC7540, a stream cannot depend on itself.

Previously, this requirement was enforced on PRIORITY frames, but not on
HEADERS frames and due to the implementation details nginx worker would
crash (stack overflow) while opening self-dependent stream.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
79a03b3ff6 Core: read/write locks are also required by the Stream module.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-23 18:21:33 -07:00
Valentin Bartenev
c0eb2f0759 HTTP/2: improved error handling while parsing integers.
The case when an integer is out of frame bounds should be checked first
as a more accurate error.
2015-10-20 21:28:38 +03:00
Ruslan Ermilov
c830cf28ae HTTP/2: improved HPACK integer parsing code readability.
No functional changes.
2015-10-20 21:26:38 +03:00
Maxim Dounin
faed7212fe Win32: timer_resolution now ignored with select.
As setitimer() isn't available on Windows, time wasn't updated at all
if timer_resolution was used with the select event method.  Fix is
to ignore timer_resolution in such cases.
2015-10-20 18:16:18 +03:00
Kouhei Sutou
67614b3aa3 Win32: fixed build with MinGW and MinGW-w64 gcc.
This change fixes the "comparison between signed and unsigned integer
expressions" warning, introduced in 5e6142609e48 (1.9.4).
2015-10-17 21:41:02 +09:00
Maxim Dounin
582911c9c2 Style: unneeded casts of cf->args->elts removed. 2015-10-19 23:04:49 +03:00
Maxim Dounin
cc74c63d39 Fixed variables prefix comparison.
Variable names are not null-terminated, so using ngx_strncmp() without
extra length checks is wrong.

Reported by Markus Linnala,
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007211.html.
2015-10-19 21:28:17 +03:00
Maxim Dounin
b9e0b9df44 Fixed handling of empty root.
Previously, a configuration with "root" set to an empty string tried test
a character at clcf->root.data[-1].  Additional test added to make sure
this won't happen.

Reported by Markus Linnala, see
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007210.html.
2015-10-19 21:28:02 +03:00
Maxim Dounin
a6befbb40f SSL: preserve default server context in connection (ticket #235).
This context is needed for shared sessions cache to work in configurations
with multiple virtual servers sharing the same port.  Unfortunately, OpenSSL
does not provide an API to access the session context, thus storing it
separately.

In collaboration with Vladimir Homutov.
2015-10-19 21:22:38 +03:00
Valentin Bartenev
7d2af13f3a HTTP/2: fixed parsing of literal header fields without indexing. 2015-10-19 16:16:47 +03:00
Vladimir Homutov
645697f111 SSL: handled long string truncation in ngx_ssl_error().
If no space left in buffer after adding formatting symbols, error message
could be left without terminating null.  The fix is to output message using
actual length.
2015-10-07 22:19:42 +03:00
Ruslan Ermilov
0079f29326 Stream: delete proxy connection timer after SSL handshake.
The timer remained active and could drop active SSL connection.
2015-10-06 08:57:09 +03:00
Kurtis Nusbaum
470d038671 Extract out version info function.
The code for displaying version info and configuration info seemed to be
cluttering up the main function. I was finding it hard to read main. This
extracts out all of the logic for displaying version and configuration info
into its own function, thus making main easier to read.
2015-07-12 08:31:38 -07:00
Valentin Bartenev
20669d1949 HTTP/2: fixed $server_protocol value (ticket #800). 2015-09-28 20:02:05 +03:00
Maxim Dounin
4bab18f63d SSL: compatibility with OpenSSL master branch.
RAND_pseudo_bytes() is deprecated in the OpenSSL master branch, so the only
use was changed to RAND_bytes().  Access to internal structures is no longer
possible, so now we don't try to set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS even
if it's defined.
2015-09-24 17:19:08 +03:00
Maxim Dounin
49766257fe Version bump. 2015-09-24 17:18:42 +03:00
Maxim Dounin
49b17956f9 Style. 2015-09-22 17:09:50 +03:00
Valentin Bartenev
a0d7df93a0 Increased the default number of output buffers.
Since an output buffer can only be used for either reading or sending, small
amounts of data left from the previous operation (due to some limits) must be
sent before nginx will be able to read further into the buffer.  Using only
one output buffer can result in suboptimal behavior that manifests itself in
forming and sending too small chunks of data.  This is particularly painful
with SPDY (or HTTP/2) where each such chunk needs to be prefixed with some
header.

The default flow-control window in HTTP/2 is 64k minus one bytes.  With one
32k output buffer this results is one byte left after exhausting the window.
With two 32k buffers the data will be read into the second free buffer before
sending, thus the minimum output is increased to 32k + 1 bytes which is much
better.
2015-09-15 17:49:15 +03:00
Valentin Bartenev
61e1f16d90 HTTP/2: fixed header block parsing with CONTINUATION frames (#792).
It appears that the CONTINUATION frames don't need to be aligned to bounds of
individual headers.
2015-09-22 01:40:04 +03:00
Valentin Bartenev
a27d0bd00d HTTP/2: fixed HPACK header field parsing. 2015-09-22 01:40:04 +03:00
Roman Arutyunyan
f64ff24451 Sub filter: fixed initialization in http{} level (ticket #791).
If sub_filter directive was only specified at http{} level, sub filter
internal data remained uninitialized.  That would lead to a crash in runtime.
2015-09-21 23:08:34 +03:00
Valentin Bartenev
ee37ff613f The HTTP/2 implementation (RFC 7240, 7241).
The SPDY support is removed, as it's incompatible with the new module.
2015-09-11 20:13:06 +03:00
Maxim Dounin
2c96914312 Core: fixed segfault with null in wildcard hash names.
A configuration like

    server { server_name .foo^@; }
    server { server_name .foo; }

resulted in a segmentation fault during construction of server names hash.

Reported by Markus Linnala.
Found with afl-fuzz.
2015-09-11 17:04:40 +03:00
Maxim Dounin
7930a6c442 Fixed segfault with incorrect location nesting.
A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created.  Example configuration to reproduce the problem:

    location "" {
        location @foo {}
    }

Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.

Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.

Reported by Markus Linnala.
Found with afl-fuzz.
2015-09-11 17:04:04 +03:00
Maxim Dounin
ce05841eef Cache: check the whole cache key in addition to hashes.
This prevents a potential attack that discloses cached data if an attacker
will be able to craft a hash collision between some cache key the attacker
is allowed to access and another cache key with protected data.

See http://mailman.nginx.org/pipermail/nginx-devel/2015-September/007288.html.

Thanks to Gena Makhomed and Sergey Brester.
2015-09-11 17:03:56 +03:00
Roman Arutyunyan
51f714c85d Upstream: fixed cache send error handling.
The value of NGX_ERROR, returned from filter handlers, was treated as a generic
upstream error and changed to NGX_HTTP_INTERNAL_SERVER_ERROR before calling
ngx_http_finalize_request().  This resulted in "header already sent" alert
if header was already sent in filter handlers.

The problem appeared in 54e9b83d00f0 (1.7.5).
2015-09-03 15:09:21 +03:00
Valentin Bartenev
a38402e306 Fixed building --with-debug, broken by 6fce16b1fc10. 2015-09-02 19:45:40 +03:00
Valentin Bartenev
7dd3f9ee22 Writing to some file systems can be interrupted.
At least such behavior was observed with CephFS, see:
http://mailman.nginx.org/pipermail/nginx/2015-July/048188.html.
2015-09-02 19:26:40 +03:00
Valentin Bartenev
5e0b936a07 Decreased the NGX_HTTP_MAX_SUBREQUESTS limit.
There is no much sense in such a big value since its semantics
has been changed in 06e850859a26 to limit recursive subrequests.
2015-08-31 23:26:33 +03:00
Valentin Bartenev
4ec67cf86f Added protection against r->main->count overflow by subrequests.
This overflow has become possible after the change in 06e850859a26,
since concurrent subrequests are not limited now and each of them is
counted in r->main->count.
2015-08-31 23:25:16 +03:00
Valentin Bartenev
0d3b15729c Limit recursive subrequests instead of simultaneous. 2015-08-23 21:03:32 +03:00
Valentin Bartenev
fae2488df7 Version bump. 2015-08-23 21:03:29 +03:00
Maxim Dounin
2e004237c5 Perl: prototyping behavior explicitly specified.
When prototyping behavior is not explicitly specified, xsubpp emits
a message to stderr asking to do so (see ticket #608).
2015-08-18 16:26:18 +03:00
Maxim Dounin
a0aea61b50 Perl: fixed warning about "sep" may be used uninitialized. 2015-08-18 16:26:05 +03:00
Maxim Dounin
84b0ad63fb Win32: MSVC 2015 compatibility.
Resolved warnings about declarations that hide previous local declarations.
Warnings about WSASocketA() being deprecated resolved by explicit use of
WSASocketW() instead of WSASocket().  When compiling without IPv6 support,
WinSock deprecated warnings are disabled to allow use of gethostbyname().
2015-08-17 18:09:17 +03:00
Dmitry Volyntsev
1576cd10aa Sub filter: support of variables in the strings to replace. 2015-08-17 17:42:02 +03:00
Dmitry Volyntsev
934b49923c Sub filter: support of multiple strings to replace. 2015-08-17 17:42:02 +03:00
Maxim Dounin
05982ffdf5 Fixed wrong URI after try_files in nested location (ticket #97).
The following configuration with alias, nested location and try_files
resulted in wrong file being used.  Request "/foo/test.gif" tried to
use "/tmp//foo/test.gif" instead of "/tmp/test.gif":

    location /foo/ {
        alias /tmp/;
        location ~ gif {
            try_files $uri =405;
        }
    }

Additionally, rev. c985d90a8d1f introduced a regression if
the "/tmp//foo/test.gif" file was found (ticket #768).  Resulting URI
was set to "gif?/foo/test.gif", as the code used clcf->name of current
location ("location ~ gif") instead of parent one ("location /foo/").

Fix is to use r->uri instead of clcf->name in all cases in the
ngx_http_core_try_files_phase() function.  It is expected to be
already matched and identical to the clcf->name of the right
location.
2015-08-16 10:51:34 +03:00
Maxim Dounin
4fec72dc8c Fixed segfault with try_files introduced by c985d90a8d1f.
If alias was used in a location given by a regular expression,
nginx used to do wrong thing in try_files if a location name (i.e.,
regular expression) was an exact prefix of URI.  The following
configuration triggered a segmentation fault on a request to "/mail":

    location ~ /mail {
        alias /path/to/directory;
        try_files $uri =404;
    }

Reported by Per Hansson.
2015-08-16 10:51:16 +03:00
Sergey Kandaurov
b7da4f5962 Core: fixed potential division by zero when initializing hash.
Found by Clang Static Analyzer.
2015-08-13 16:27:17 +03:00
Sergey Kandaurov
e161b6a46f Core: fixed style in the error message. 2015-08-13 16:27:13 +03:00
Vladimir Homutov
f2d31f8291 Stream: fixed potential error log buffer overrun.
Found by Duan Jiong <djduanjiong@gmail.com>.
2015-08-13 15:55:21 +03:00
Vladimir Homutov
75dcdc2269 Style. 2015-08-12 12:56:59 +03:00
Vladimir Homutov
b537def75e Stream: the "tcp_nodelay" directive. 2015-08-10 12:14:41 +03:00
Valentin Bartenev
50ff8b3c3a Core: idle connections now closed only once on exiting.
Iterating through all connections takes a lot of CPU time, especially
with large number of worker connections configured.  As a result
nginx processes used to consume CPU time during graceful shutdown.
To mitigate this we now only do a full scan for idle connections when
shutdown signal is received.

Transitions of connections to idle ones are now expected to be
avoided if the ngx_exiting flag is set.  The upstream keepalive module
was modified to follow this.
2015-08-11 16:28:55 +03:00
Andrei Belov
9500e19919 Fixed typo in the error message. 2015-08-11 10:28:00 +03:00
Gena Makhomed
97741382b6 Workaround for "configuration file test failed" under OpenVZ.
If nginx was used under OpenVZ and a container with nginx was suspended
and resumed, configuration tests started to fail because of EADDRINUSE
returned from listen() instead of bind():

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
nginx: configuration file /etc/nginx/nginx.conf test failed

With this change EADDRINUSE errors returned by listen() are handled
similarly to errors returned by bind(), and configuration tests work
fine in the same environment:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

More details about OpenVZ suspend/resume bug:
https://bugzilla.openvz.org/show_bug.cgi?id=2470
2015-07-23 14:00:03 -04:00
Roman Arutyunyan
29cebe5d63 Stream: deprecated proxy_downstream_buffer, proxy_upstream_buffer.
The directive proxy_buffer_size should be used instead.
2015-07-30 16:43:48 -07:00
Roman Arutyunyan
96507dabcc Style. 2015-07-29 14:36:36 -07:00
Roman Arutyunyan
3c8aaf830f Stream: added proxy_buffer_size to set the size of data buffers.
Both download and upload buffers now have the same size.  The old directives
proxy_downstream_buffer and proxy_upstream_buffer are removed.
2015-07-29 13:46:26 -07:00
Ruslan Ermilov
6dc03bf1a4 Fixed strict aliasing warnings with old GCC versions. 2015-07-16 14:20:48 +03:00
Maxim Dounin
3cc6000879 Version bump. 2015-07-15 22:56:03 +03:00
Roman Arutyunyan
f1dbcf61a2 Stream: renamed rate limiting directives.
The directive proxy_downstream_limit_rate is now called proxy_upload_rate.
The directive proxy_upstream_limit_rate is now called proxy_download_rate.
2015-07-14 09:38:13 -07:00
Maxim Dounin
3ac176fb86 OCSP stapling: fixed segfault without nextUpdate.
OCSP responses may contain no nextUpdate.  As per RFC 6960, this means
that nextUpdate checks should be bypassed.  Handle this gracefully by
using NGX_MAX_TIME_T_VALUE as "valid" in such a case.

The problem was introduced by 6893a1007a7c (1.9.2).

Reported by Matthew Baldwin.
2015-07-14 01:10:25 +03:00
Maxim Dounin
573810ce36 OCSP stapling: fixed ssl_stapling_file (ticket #769).
Broken by 6893a1007a7c (1.9.2) during introduction of strict OCSP response
validity checks.  As stapling file is expected to be returned unconditionally,
fix is to set its validity to the maximum supported time.

Reported by Faidon Liambotis.
2015-07-07 16:38:49 +03:00
Valentin Bartenev
cd17f869cf Stream: fixed possible integer overflow in rate limiting. 2015-07-02 17:20:29 +03:00
Roman Arutyunyan
035732696d Stream: fixed MSVC compilation warning.
Thanks to itpp2012.
2015-07-02 17:15:32 +03:00
Roman Arutyunyan
f81ae4e392 Stream: upstream "connected" flag.
Once upstream is connected, the upstream buffer is allocated.  Previously, the
proxy module used the buffer allocation status to check if upstream is
connected.  Now it's enough to check the flag.
2015-06-25 12:36:52 +03:00
Roman Arutyunyan
74942045d5 Stream: upstream and downstream limit rates. 2015-06-23 20:17:48 +03:00
Roman Arutyunyan
62959c9133 Stream: common handler for upstream and downstream. 2015-06-23 20:17:47 +03:00
Piotr Sikora
130396928a Stream: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2015-06-18 03:36:41 -07:00
Ruslan Ermilov
1e94ab0db0 Upstream: fixed shared upstreams on win32. 2015-06-16 00:43:00 +03:00
Vladimir Homutov
14ff3d4f87 Stream: connection limiting module.
stream {
    limit_conn_zone $binary_remote_addr zone=perip:1m;
    limit_conn_log_level error;

    server {
        ...
        limit_conn perip 1;
    }
}
2015-06-18 14:17:30 +03:00
Sergey Kandaurov
f470cd2b89 Resolver: canceled resend timer on empty resend queues.
This is specifically useful on graceful shutdown.
2015-06-17 17:57:34 +03:00
Vladimir Homutov
b7a8f2a08f Disabled duplicate http, mail, and stream blocks.
Such configurations have very limited use, introduce various problems and
are not officially supported.
2015-06-16 23:28:38 +03:00
Vladimir Homutov
9efe6c2243 Version bump. 2015-06-16 23:31:31 +03:00
Vladimir Homutov
4e83d3f7b5 Core: store and dump processed configuration.
If the -T option is passed, additionally to configuration test, configuration
files are output to stdout.

In the debug mode, configuration files are kept in memory and can be accessed
using a debugger.
2015-05-14 18:54:27 +03:00
Vladimir Homutov
42c32b733b Core: added support for writing to stdout. 2015-06-16 15:47:40 +03:00
Roman Arutyunyan
4404c3fd6d Core: renamed ngx_proxy_protocol_parse to ngx_proxy_protocol_read.
The new name is consistent with the ngx_proxy_protocol_write function.
2015-06-16 13:45:19 +03:00
Roman Arutyunyan
3ed1b3b5b0 Stream: client-side PROXY protocol.
The new directive "proxy_protocol" toggles sending out PROXY protocol header
to upstream once connection is established.
2015-06-16 13:45:16 +03:00
Vladimir Homutov
f50f83a2cf Stream: the "proxy_bind" directive. 2015-06-16 09:02:45 +03:00
Maxim Dounin
cb3dcbb81e OCSP stapling: avoid sending expired responses (ticket #425). 2015-06-11 20:42:39 +03:00
Maxim Dounin
9984f3053f Moved ngx_http_parse_time() to core, renamed accordingly.
The function is now called ngx_parse_http_time(), and can be used by
any code to parse HTTP-style date and time.  In particular, it will be
used for OCSP stapling.

For compatibility, a macro to map ngx_http_parse_time() to the new name
provided for a while.
2015-06-11 20:42:31 +03:00
Maxim Dounin
dd41bfd47a Removed unused ngx_http_get_time() declaration. 2015-06-11 20:42:24 +03:00
Vladimir Homutov
8ab1aa612d Stream: access module.
stream {
    server {
        ...
        allow 127.0.0.1;
        deny all;
    }
}
2015-06-04 13:04:12 +03:00
Vladimir Homutov
d56b84b783 Stream: added postconfiguration method to stream modules. 2015-06-09 13:00:45 +03:00
Ruslan Ermilov
c81d7ec158 Mail: listen backlog=. 2015-06-08 23:13:56 +03:00
Ruslan Ermilov
60c654ddf5 Stream: listen backlog=. 2015-06-08 23:13:33 +03:00
Ruslan Ermilov
b72a7b0df3 Mail: embed ngx_mail_listen_t into ngx_mail_conf_addr_t. 2015-06-08 23:11:58 +03:00
Ruslan Ermilov
bfbd0aabd4 Stream: embed ngx_stream_listen_t into ngx_stream_conf_addr_t. 2015-06-08 23:11:42 +03:00
Ruslan Ermilov
14ddadb9ac Stream: fixed "reuseport" to actually work. 2015-06-05 23:03:13 +03:00
Roman Arutyunyan
f5d79ffb82 Upstream keepalive: reduced diffs to the plus version of nginx. 2015-06-04 23:46:44 +03:00
Maxim Dounin
e041efc306 Style. 2015-06-05 17:10:34 +03:00
Sergey Kandaurov
99b2c89404 Event pipe: call ngx_handle_read_event() with a proper flags type.
The change was missed in f69d1aab6a0f.
2015-06-03 19:12:26 +03:00
Valentin Bartenev
66f6ba5c95 Fixed excessive memory usage while parsing configuration.
The b->pos points to the next symbol here.

Reported by ilexshen.
2015-06-01 21:08:56 +03:00
Ruslan Ermilov
087c31e8b2 Fixed bullying style of comments. 2015-05-29 09:26:33 +03:00
Ruslan Ermilov
3de18022d8 Version bump. 2015-05-29 09:26:27 +03:00
Maxim Dounin
724f0f028e Disabled SSLv3 by default (ticket #653). 2015-05-25 17:58:20 +03:00
Maxim Dounin
226647e397 Configure: GNU Hurd properly recognized.
With this change it's no longer needed to pass -D_GNU_SOURCE manually,
and -D_FILE_OFFSET_BITS=64 is set to use 64-bit off_t.

Note that nginx currently fails to work properly with master process
enabled on GNU Hurd, as fcntl(F_SETOWN) returns EOPNOTSUPP for sockets
as of GNU Hurd 0.6.  Additionally, our strerror() preloading doesn't
work well with GNU Hurd, as it uses large numbers for most errors.
2015-05-25 17:58:13 +03:00
Maxim Dounin
b4619182bb Fixed reuseport with accept_mutex. 2015-05-21 19:39:11 +03:00
Ruslan Ermilov
941a6995d7 Upstream: report to error_log when max_fails is reached.
This can be useful to understand why "no live upstreams" happens,
in particular.
2015-05-20 22:44:00 +03:00
Maxim Dounin
f7f1607bf2 The "reuseport" option of the "listen" directive.
When configured, an individual listen socket on a given address is
created for each worker process.  This allows to reduce in-kernel lock
contention on configurations with high accept rates, resulting in better
performance.  As of now it works on Linux and DragonFly BSD.

Note that on Linux incoming connection requests are currently tied up
to a specific listen socket, and if some sockets are closed, connection
requests will be reset, see https://lwn.net/Articles/542629/.  With
nginx, this may happen if the number of worker processes is reduced.
There is no such problem on DragonFly BSD.

Based on previous work by Sepherosa Ziehau and Yingqi Lu.
2015-05-20 15:51:56 +03:00
Maxim Dounin
d5c34785bc Simplified ngx_http_init_listening().
There is no need to set "i" to 0, as it's expected to be 0 assuming
the bindings are properly sorted, and we already rely on this when
explicitly set hport->naddrs to 1.  Remaining conditional code is
replaced with identical "hport->naddrs = i + 1".

Identical modifications are done in the mail and stream modules,
in the ngx_mail_optimize_servers() and ngx_stream_optimize_servers()
functions, respectively.

No functional changes.
2015-05-20 15:51:28 +03:00
Maxim Dounin
68b3d28c55 Introduced worker number, ngx_worker. 2015-05-20 15:51:21 +03:00
Valentin Bartenev
9275dc19e6 Core: properly initialized written bytes counter in memory log. 2015-05-19 19:27:07 +03:00
Sergey Kandaurov
3670726bd3 Upstream hash: consistency across little/big endianness. 2015-05-18 16:05:44 +03:00
Ruslan Ermilov
4b9b16d27d Upstream: $upstream_connect_time.
The variable keeps time spent on establishing a connection with
the upstream server.
2015-05-16 01:32:27 +03:00
Ruslan Ermilov
b070e2d713 Upstream: times to obtain header/response are stored as ngx_msec_t. 2015-05-16 01:31:04 +03:00
Igor Sysoev
b55cd3f876 Events: ngx_event_t size reduction by grouping bit fields. 2015-05-15 17:15:33 +03:00
Ruslan Ermilov
91df4f0746 Events: made a failure to create a notification channel non-fatal.
This may happen if eventfd() returns ENOSYS, notably seen on CentOS 5.4.
Such a failure will now just disable the notification mechanism and let
the callers cope with it, instead of failing to start worker processes.
If thread pools are not configured, this can safely be ignored.
2015-05-06 17:04:00 +03:00
Ruslan Ermilov
80781f15b4 Removed the deprecated "imap" directive. 2015-04-29 13:53:24 +03:00
Ruslan Ermilov
3468015e12 Removed the deprecated "so_keepalive" directive. 2015-04-29 13:53:08 +03:00
Ruslan Ermilov
ea2f4d9175 Removed deprecated HTTP directives. 2015-04-29 13:52:49 +03:00
Ruslan Ermilov
3ceffb53fe Removed the deprecated "connections" directive. 2015-04-29 13:52:37 +03:00
Valentin Bartenev
89ad9ea309 Fixed overflow detection in ngx_inet_addr().
Overflow detection of the last octet might not work.

Reported by Sergey Polovko.
2015-04-28 18:55:03 +03:00
Valentin Bartenev
8568baef1f Version bump. 2015-04-28 18:54:48 +03:00
Maxim Dounin
2ec8cfcd7d Win32: shared memory base addresses and remapping.
Two mechanisms are implemented to make it possible to store pointers
in shared memory on Windows, in particular on Windows Vista and later
versions with ASLR:

- The ngx_shm_remap() function added to allow remapping of a shared memory
  zone to the address originally used for it in the master process.  While
  important, it doesn't solve the problem by itself as in many cases it's
  not possible to use the address because of conflicts with other
  allocations.

- We now create mappings at the same address in all processes by starting
  mappings at predefined addresses normally unused by newborn processes.

These two mechanisms combined allow to use shared memory on Windows
almost without problems, including reloads.

Based on the patch by Sergey Brester:
http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006836.html
2015-04-27 18:25:42 +03:00
Maxim Dounin
153dbf3877 Win32: fixed shm.handle loss on reload. 2015-04-27 03:44:30 +03:00
Maxim Dounin
c8aa659e45 Core: fixed nginx_shared_zone name. 2015-04-27 03:44:03 +03:00
Vladimir Homutov
4e010c2834 Mail: error_log support. 2015-02-20 15:31:37 +03:00
Vladimir Homutov
df555ffce6 Core: the ngx_set_connection_log() macro.
The http and stream versions of this macro were identical.
2015-04-25 22:44:02 +03:00
Roman Arutyunyan
d61f21c5e8 Merge proxy_protocol setting of listen directives.
It's now enough to specify proxy_protocol option in one listen directive to
enable it in all servers listening on the same address/port.  Previously,
the setting from the first directive was always used.
2015-04-24 10:54:06 +03:00
Ruslan Ermilov
3180f84b60 Removed the "worker_rlimit_sigpending" directive.
It was only needed by the just removed rtsig module.
2015-04-23 14:26:11 +03:00
Ruslan Ermilov
33b8e5bc06 Removed the obsolete rtsig module. 2015-04-23 14:17:40 +03:00
Ruslan Ermilov
c1882d9f3f Removed the obsolete aio module. 2015-04-22 18:57:32 +03:00
Roman Arutyunyan
39386c951c Stream: prevent repeated event notifications after eof.
When client or upstream connection is closed, level-triggered read event
remained active until the end of the session leading to cpu hog.  Now the flag
NGX_CLOSE_EVENT is used to unschedule the event.
2015-04-22 19:55:04 +03:00
Ruslan Ermilov
25ddb49dbe Upstream: allow multiple upstreams to use the same shared zone. 2015-04-22 18:37:34 +03:00
Martin Mlynář
958d4a0b1f Memcached: enabled ranges. 2015-04-21 21:04:36 +02:00
Ruslan Ermilov
673941f81d Upstream: simplified ip_hash and hash peer selection code.
Now that peers are stored as a list, the weighted and unweighted
cases became nearly identical.
2015-04-21 19:09:04 +03:00
Sergey Kandaurov
1ff5515e70 Limit req: removed check for unknown limit_req_zone.
With 48b3d5ddfb03, it's possible to specify limit_req_zone after limit_req.
2015-04-20 16:54:41 +03:00
Sergey Kandaurov
06ff117986 Core: allow shared memory size to be declared after a reference.
For example, this fixes the case when "proxy_cache_path" is specified
after "proxy_cache" that references it.
2015-04-20 16:53:04 +03:00
Ruslan Ermilov
c799c82faa Stream: port from NGINX+. 2015-04-20 13:05:11 +03:00
Ruslan Ermilov
a2dac51398 Upstream: fixed unlocked access to peer->conns. 2015-04-19 22:41:09 +03:00
Ruslan Ermilov
9b411460f9 Replaced the remaining NGX_OLD_THREADS check with NGX_WIN32. 2015-03-26 14:20:51 +03:00
Ruslan Ermilov
bfd2db83a7 Removed NGX_OLD_THREADS from select and poll modules.
These modules can't be compiled on win32.
2015-03-26 14:20:07 +03:00
Ruslan Ermilov
64c5df4b62 Removed "worker_threads" and "thread_stack_size" directives. 2015-03-26 14:15:17 +03:00
Ruslan Ermilov
324e389e17 Removed unused thread-local-storage code. 2015-03-26 14:15:15 +03:00
Ruslan Ermilov
2b0d2f0583 Removed ngx_threaded and related code. 2015-03-26 14:15:13 +03:00
Ruslan Ermilov
7c44e39220 Upstream: get rid of questionable micro-optimization in ip_hash.
If a peer was initially skipped due to max_fails, there's no reason
not to try it again if enough time has passed, and the next_upstream
logic is in action.

This also reduces diffs with NGINX Plus.
2015-04-16 20:09:11 +03:00
Sergey Kandaurov
d72fe76bb1 Core: ensure that ngx_config.h is always included first.
This fixes compilation of various 3rd party modules when nginx is
configured with threads.
2015-04-16 18:18:37 +03:00
Maxim Dounin
4091eb749b Version bump. 2015-04-16 17:26:19 +03:00
Ruslan Ermilov
cf31347ee8 Upstream: the "zone" directive.
Upstreams with the "zone" directive are kept in shared memory,
with a consistent view of all worker processes.
2015-04-14 19:01:25 +03:00
Ruslan Ermilov
b0b7b5a356 Upstreams: locking. 2015-04-14 19:01:23 +03:00
Ruslan Ermilov
3fc23e2542 Core: read/write locks. 2015-03-21 14:05:08 +03:00
Ruslan Ermilov
4d53631022 Upstream: store peers as a linked list.
This is an API change.
2015-04-10 14:48:36 +03:00
Ruslan Ermilov
18fa775b10 Upstream: track the number of active connections to upstreams.
This also simplifies the implementation of the least_conn module.
2015-04-10 13:16:23 +03:00
Ruslan Ermilov
b25f0ddcf1 Fixed build, broken by 8b7f062a3fe6.
Casting a "const char *" to "char *" doesn't work on older gcc versions.
2015-04-16 15:05:40 +03:00
Vladimir Homutov
fd4da89228 Core: added OpenSSL version information to "nginx -V" output. 2015-04-16 12:17:41 +03:00
Vladimir Homutov
513f184098 Version bump. 2015-04-16 12:13:51 +03:00
Ruslan Ermilov
edb0c6ba64 Core: guard against spinlock usage without atomic ops.
The new thread pools code uses spinlocks.
2015-03-26 14:15:06 +03:00
Sergey Kandaurov
38a97edf3a Core: limited levels of subdirectory hierarchy used for temp files.
Similar to ngx_http_file_cache_set_slot(), the last component of file->name
with a fixed length of 10 bytes, as generated in ngx_create_temp_path(), is
used as a source for the names of intermediate subdirectories with each one
taking its own part.  Ensure that the sum of specified levels with slashes
fits into the length (ticket #731).
2015-04-07 01:32:08 +03:00
Sergey Kandaurov
256082c4f8 Core: removed excessive initialization in ngx_conf_set_path_slot().
Level hierarchy is pre-zeroed in ngx_pcalloc() of the surrounding ngx_path_t.
2015-04-07 01:32:07 +03:00
Sergey Kandaurov
eed7d47930 Core: fixed error handling on ngx_conf_full_name() failure. 2015-04-07 01:32:05 +03:00
Ruslan Ermilov
8c82b75127 Upstream: abbreviated SSL handshake may interact badly with Nagle. 2015-04-07 00:07:04 +03:00
Valentin Bartenev
3f72e18908 Request body: always flush buffers if request buffering is off.
This fixes unbuffered proxying to SSL backends, since it prevents
ngx_ssl_send_chain() from accumulation of request body in the SSL
buffer.
2015-04-06 19:20:36 +03:00
Valentin Bartenev
1329c4af80 Used the correct type for the AIO preload handler return value. 2015-04-06 11:22:24 +03:00
Filipe da Silva
95aad2235d OCSP stapling: missing free calls.
Missing call to X509_STORE_CTX_free when X509_STORE_CTX_init fails.
Missing call to OCSP_CERTID_free when OCSP_request_add0_id fails.
Possible leaks in vary particular scenariis of memory shortage.
2015-04-01 15:05:08 +02:00
Valentin Bartenev
355a793b89 Cache: added support for reading of the header in thread pools. 2015-04-01 03:49:17 +03:00
Sergey Kandaurov
99bf1b56ec Fixed invalid access to complex value defined as an empty string.
Found by Valgrind.
2015-03-31 17:45:50 +03:00
Valentin Bartenev
51df7912c4 Events: fixed possible crash on start or reload.
The main thread could wake up and start processing the notify event
before the handler was set.
2015-03-27 21:19:20 +03:00
Valentin Bartenev
3ffbf84a5e Events: made posted events macros safe. 2015-03-27 19:57:15 +03:00
Valentin Bartenev
0e853129ac SPDY: always push pending data.
This helps to avoid suboptimal behavior when a client waits for a control
frame or more data to increase window size, but the frames have been delayed
in the socket buffer.

The delays can be caused by bad interaction between Nagle's algorithm on
nginx side and delayed ACK on the client side or by TCP_CORK/TCP_NOPUSH
if SPDY was working without SSL and sendfile() was used.

The pushing code is now very similar to ngx_http_set_keepalive().
2015-03-23 21:04:13 +03:00
Valentin Bartenev
44586bf5ee SPDY: fixed error handling in ngx_http_spdy_send_output_queue(). 2015-03-23 20:47:46 +03:00
Maxim Dounin
67986d81de Version bump. 2015-03-26 17:36:39 +03:00
Maxim Dounin
5e96e84ffb Proxy: fixed proxy_request_buffering and chunked with preread body.
If any preread body bytes were sent in the first chain, chunk size was
incorrectly added before the whole chain, including header, resulting in
an invalid request sent to upstream.  Fixed to properly add chunk size
after the header.
2015-03-26 02:31:30 +03:00
Maxim Dounin
7ec559df5d Upstream: uwsgi_request_buffering, scgi_request_buffering. 2015-03-23 21:09:19 +03:00
Maxim Dounin
f4714d26f0 FastCGI: fastcgi_request_buffering. 2015-03-23 21:09:19 +03:00
Maxim Dounin
756997b696 Proxy: proxy_request_buffering chunked support. 2015-03-23 21:09:19 +03:00
Maxim Dounin
2743bb68ee Request body: unbuffered reading.
The r->request_body_no_buffering flag was introduced.  It instructs
client request body reading code to avoid reading the whole body, and
to call post_handler early instead.  The caller should use the
ngx_http_read_unbuffered_request_body() function to read remaining
parts of the body.

Upstream module is now able to use this mode, if configured with
the proxy_request_buffering directive.
2015-03-23 21:09:19 +03:00
Maxim Dounin
d02d2cff9b Request body: filters support. 2015-03-23 21:09:19 +03:00
Maxim Dounin
be99a8801e Request body: moved request body writing to save filter. 2015-03-23 21:09:19 +03:00
Maxim Dounin
d21e644d80 Request body: free chain links in ngx_http_write_request_body(). 2015-03-23 21:09:12 +03:00
Maxim Dounin
4df7aa6f92 Output chain: free chain links in ngx_chain_writer(). 2015-03-23 21:09:05 +03:00
Maxim Dounin
9131eb11c9 Output chain: zero size buf alerts in ngx_chain_writer().
Now we log a "zero size buf in chain writer" alert if we encounter a zero
sized buffer in ngx_chain_writer(), and skip the buffer.
2015-03-23 20:56:58 +03:00
Maxim Dounin
3560af8999 Format specifier fixed for file size of buffers. 2015-03-23 19:28:54 +03:00
Maxim Dounin
58eb93f791 Proxy: fixed proxy_set_body with proxy_cache.
If the last header evaluation resulted in an empty header, the e.skip flag
was set and was not reset when we've switched to evaluation of body_values.
This incorrectly resulted in body values being skipped instead of producing
some correct body as set by proxy_set_body.  Fix is to properly reset
the e.skip flag.

As the problem only appeared if the last potentially non-empty header
happened to be empty, it only manifested itself if proxy_set_body was used
with proxy_cache.
2015-03-23 19:28:54 +03:00
Valentin Bartenev
e87a565aab Thread pools: implemented graceful exiting of threads. 2015-03-23 17:51:21 +03:00
Valentin Bartenev
510c9cdca8 Thread pools: removed unused pointer to memory pool.
No functional changes.
2015-03-23 17:51:21 +03:00
Valentin Bartenev
cb43696e0c Thread pools: keep waiting tasks mutex in ngx_thread_pool_t.
It's not needed for completed tasks queue since the previous change.

No functional changes.
2015-03-23 17:51:21 +03:00
Valentin Bartenev
f109a68b4f Thread pools: replaced completed tasks queue mutex with spinlock. 2015-03-23 17:51:21 +03:00
Ruslan Ermilov
07de3f538b Removed stub implementation of win32 mutexes. 2015-03-23 13:52:47 +03:00
Maxim Dounin
47c44355b5 SSL: use of SSL_MODE_NO_AUTO_CHAIN.
The SSL_MODE_NO_AUTO_CHAIN mode prevents OpenSSL from automatically
building a certificate chain on the fly if there is no certificate chain
explicitly provided.  Before this change, certificates provided via the
ssl_client_certificate and ssl_trusted_certificate directives were
used by OpenSSL to automatically build certificate chains, resulting
in unexpected (and in some cases unneeded) chains being sent to clients.
2015-03-23 02:42:35 +03:00
Maxim Dounin
a20c6d202e SSL: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
LibreSSL removed support for export ciphers and a call to
SSL_CTX_set_tmp_rsa_callback() results in an error left in the error
queue.  This caused alerts "ignoring stale global SSL error (...called
a function you should not call) while SSL handshaking" on a first connection
in each worker process.
2015-03-23 02:42:34 +03:00
Maxim Dounin
b0d8ff55a1 SSL: clear protocol options.
LibreSSL 2.1.1+ started to set SSL_OP_NO_SSLv3 option by default on
new contexts.  This makes sure to clear it to make it possible to use SSLv3
with LibreSSL if enabled in nginx config.

Prodded by Kuramoto Eiji.
2015-03-23 02:42:32 +03:00
Valentin Bartenev
cc569b9252 Core: added cyclic memory buffer support for error_log.
Example of usage:

  error_log memory:16m debug;

This allows to configure debug logging with minimum impact on performance.
It's especially useful when rare crashes are experienced under high load.

The log can be extracted from a coredump using the following gdb script:

  set $log = ngx_cycle->log

  while $log->writer != ngx_log_memory_writer
      set $log = $log->next
  end

  set $buf = (ngx_log_memory_buf_t *) $log->wdata
  dump binary memory debug_log.txt $buf->start $buf->end
2015-03-19 19:29:43 +03:00
Ruslan Ermilov
babd64e344 Removed busy locks. 2015-03-20 06:45:32 +03:00
Ruslan Ermilov
f8d10849ad Removed ngx_connection_t.lock. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
b6029a8a3f Removed unix ngx_threaded and related ngx_process_changes. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
d1ec868e32 Removed old pthread implementation. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
c84c19f5bf Removed old FreeBSD rfork() thread implementation. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
c34368715f Thread pools: silence warning on process exit.
Work around pthread_cond_destroy() and pthread_mutex_destroy() returning
EBUSY.  A proper solution would be to ensure all threads are terminated.
2015-03-19 23:20:18 +03:00
Ruslan Ermilov
afe1fcffaa Thread pools: fixed the waiting tasks accounting.
Behave like POSIX semaphores.  If N worker threads are waiting for tasks,
at least that number of tasks should be allowed to be put into the queue.
2015-03-19 13:00:48 +03:00
Ruslan Ermilov
20d07074e3 Thread pools: keep waiting tasks counter in ngx_thread_pool_t.
It's not needed for completed tasks queue.

No functional changes.
2015-03-19 23:19:35 +03:00
Xiaochen Wang
85048c0397 SPDY: fixed format specifier in logging. 2015-03-15 21:46:21 +08:00
Valentin Bartenev
7ed1a9681b Added support for offloading Linux sendfile() in thread pools. 2015-03-14 17:37:30 +03:00
Valentin Bartenev
a7ad493aa6 Added support for offloading read() in thread pools. 2015-03-14 17:37:25 +03:00
Ruslan Ermilov
547c8f601f Events: implemented eventport notification mechanism. 2015-03-14 17:37:21 +03:00
Valentin Bartenev
2b3c01e995 Events: implemented kqueue notification mechanism. 2015-03-14 17:37:16 +03:00
Valentin Bartenev
e10e7a4831 Events: implemented epoll notification mechanism. 2015-03-14 17:37:13 +03:00
Valentin Bartenev
305fc021db Thread pools implementation. 2015-03-14 17:37:07 +03:00
Ruslan Ermilov
83ba5ed2ec Renamed NGX_THREADS to NGX_OLD_THREADS because of deprecation.
It's mostly dead code and the original idea of worker threads has been rejected.
2015-03-04 18:26:25 +03:00
Ruslan Ermilov
4fe0a09942 Overflow detection in ngx_http_parse_chunked(). 2015-03-17 00:26:27 +03:00
Ruslan Ermilov
514cdb190f Overflow detection in ngx_http_range_parse(). 2015-03-17 00:26:24 +03:00
Ruslan Ermilov
a43f1bcf6e Overflow detection in ngx_inet_addr(). 2015-03-17 00:26:22 +03:00
Ruslan Ermilov
3ad3f4ae0a Core: overflow detection in ngx_parse_time() (ticket #732). 2015-03-17 00:26:20 +03:00
Ruslan Ermilov
7943fd374a Refactored ngx_parse_time().
No functional changes.
2015-03-17 00:26:18 +03:00
Ruslan Ermilov
8167ce8537 Core: overflow detection in number parsing functions. 2015-03-17 00:26:15 +03:00
Ruslan Ermilov
309928b941 Core: expose maximum values of time_t and ngx_int_t.
These are needed to detect overflows.
2015-03-17 00:24:34 +03:00
Ruslan Ermilov
db999274ec The "aio" directive parser made smarter.
It now prints meaningful warnings on all platforms.

No functional changes.
2015-03-13 16:42:52 +03:00
Ruslan Ermilov
bcd8123913 Events: fixed typo in the error message. 2015-03-12 23:03:03 +03:00
Ruslan Ermilov
067de7dde1 Deprecated "aio sendfile".
Specifying "sendfile on" along with "aio on" activates the
aio pre-loading mode for sendfile().
2015-03-12 20:06:04 +03:00
Ruslan Ermilov
5e5540f7dc Proxy: use an appropriate error on memory allocation failure. 2015-03-04 08:12:53 +03:00
Ruslan Ermilov
c238150a57 Style: moved ngx_http_ephemeral() macro to ngx_http_request.h. 2015-03-04 08:10:40 +03:00
Ruslan Ermilov
466b3b9250 Style: use %*s format, as in 68d21fd1dc64. 2015-03-04 08:05:38 +03:00
Valentin Bartenev
a9a01e0938 Log: use ngx_cpymem() in a couple of places, no functional changes. 2015-03-04 19:20:30 +03:00
Valentin Bartenev
2f3fb935b4 Upstream keepalive: drop ready flag on EAGAIN from recv(MSG_PEEK).
Keeping the ready flag in this case might results in missing notification of
broken connection until nginx tried to use it again.

While there, stale comment about stale event was removed since this function
is also can be called directly.
2015-03-03 17:48:57 +03:00
Ruslan Ermilov
b384247262 Events: simplified ngx_event_aio_t definition.
No functional changes.
2015-03-03 18:09:13 +03:00
Valentin Bartenev
ea881578a2 Refactored ngx_linux_sendfile_chain() even more.
The code that calls sendfile() was cut into a separate function.
This simplifies EINTR processing, yet is needed for the following
changes that add threads support.
2015-02-27 19:19:08 +03:00
Maxim Dounin
a0d543595d Style.
Noted by Ruslan Ermilov.
2015-03-03 01:15:21 +03:00
Maxim Dounin
14a93c5a15 Upstream: upstream argument in ngx_http_upstream_process_request().
In case of filter finalization, r->upstream might be changed during
the ngx_event_pipe() call.  Added an argument to preserve it while
calling the ngx_http_upstream_process_request() function.
2015-03-02 21:44:42 +03:00
Maxim Dounin
2b032e8df6 Upstream: avoid duplicate finalization.
A request may be already finalized when ngx_http_upstream_finalize_request()
is called, due to filter finalization: after filter finalization upstream
can be finalized via ngx_http_upstream_cleanup(), either from
ngx_http_terminate_request(), or because a new request was initiated
to an upstream.  Then the upstream code will see an error returned from
the filter chain and will call the ngx_http_upstream_finalize_request()
function again.

To prevent corruption of various upstream data in this situation, make sure
to do nothing but merely call ngx_http_finalize_request().

Prodded by Yichun Zhang, for details see the thread at
http://nginx.org/pipermail/nginx-devel/2015-February/006539.html.
2015-03-02 21:44:32 +03:00
Roman Arutyunyan
46a2236f22 SSL: reset ready flag if recv(MSG_PEEK) found no bytes in socket.
Previously, connection hung after calling ngx_http_ssl_handshake() with
rev->ready set and no bytes in socket to read.  It's possible in at least the
following cases:

 - when processing a connection with expired TCP_DEFER_ACCEPT on Linux
 - after parsing PROXY protocol header if it arrived in a separate TCP packet

Thanks to James Hamlin.
2015-03-02 21:15:46 +03:00
Roman Arutyunyan
f0b5f83378 Cache: do not inherit last_modified and etag from stale response.
When replacing a stale cache entry, its last_modified and etag could be
inherited from the old entry if the response code is not 200 or 206.  Moreover,
etag could be inherited with any response code if it's missing in the new
response.  As a result, the cache entry is left with invalid last_modified or
etag which could lead to broken revalidation.

For example, when a file is deleted from backend, its last_modified is copied to
the new 404 cache entry and is used later for revalidation.  Once the old file
appears again with its original timestamp, revalidation succeeds and the cached
404 response is sent to client instead of the file.

The problem appeared with etags in 44b9ab7752e3 (1.7.3) and affected
last_modified in 1573fc7875fa (1.7.9).
2015-03-02 19:47:13 +03:00
Roman Arutyunyan
bf7d76b943 Upstream hash: speedup consistent hash init.
Repeatedly calling ngx_http_upstream_add_chash_point() to create
the points array in sorted order, is O(n^2) to the total weight.
This can cause nginx startup and reconfigure to be substantially
delayed.  For example, when total weight is 1000, startup takes
5s on a modern laptop.

Replace this with a linear insertion followed by QuickSort and
duplicates removal.  Startup for total weight of 1000 reduces to 40ms.

Based on a patch by Wai Keen Woon.
2015-03-02 18:41:29 +03:00
Sergey Kandaurov
de3adad807 Mail: don't emit Auth-SSL-Verify with disabled ssl_verify_client.
Previously, the Auth-SSL-Verify header with the "NONE" value was always passed
to the auth_http script if verification of client certificates is disabled.
2015-02-27 16:28:31 +03:00
Maxim Dounin
faec547771 Mail: client SSL certificates support.
The "ssl_verify_client", "ssl_verify_depth", "ssl_client_certificate",
"ssl_trusted_certificate", and "ssl_crl" directives introduced to control
SSL client certificate verification in mail proxy module.

If there is a certificate, detail of the certificate are passed to
the auth_http script configured via Auth-SSL-Verify, Auth-SSL-Subject,
Auth-SSL-Issuer, Auth-SSL-Serial, Auth-SSL-Fingerprint headers.  If
the auth_http_pass_client_cert directive is set, client certificate
in PEM format will be passed in the Auth-SSL-Cert header (urlencoded).

If there is no required certificate provided during an SSL handshake
or certificate verification fails then a protocol-specific error is
returned after the SSL handshake and the connection is closed.

Based on previous work by Sven Peter, Franck Levionnois and Filipe Da Silva.
2015-02-25 17:48:05 +03:00
Maxim Dounin
78e1a8ed7f Mail: added Auth-SSL header to indicate SSL.
Based on a patch by Filipe da Silva.
2015-02-25 17:47:49 +03:00
Maxim Dounin
52c5ba0f37 Mail: fixed buffer allocation for CRLF after Auth-SMTP-* headers.
There were no buffer overruns in real life as there is extra space
allocated for the Auth-Login-Attempt counter.
2015-02-25 17:47:43 +03:00
Ruslan Ermilov
c2c9a1c03e SSL: account sent bytes in ngx_ssl_write(). 2015-02-24 23:52:47 +03:00
Maxim Dounin
7dd799357d Core: fixed potential buffer overrun when initializing hash.
Initial size as calculated from the number of elements may be bigger
than max_size.  If this happens, make sure to set size to max_size.

Reported by Chris West.
2015-02-24 18:37:14 +03:00
Ruslan Ermilov
a4ce770a89 Cache: reduced diffs to the plus version of nginx.
No functional changes.
2015-02-17 16:27:52 +03:00
Roman Arutyunyan
6337c1d185 Core: make ngx_connection_local_sockaddr() always assign address.
Previously, this function checked for connection local address existence
and returned error if it was missing.  Now a new address is assigned in this
case making it possible to call this function not only for accepted connections.
2015-02-17 14:26:44 +03:00
Valentin Bartenev
0a3d458805 Unbreak building on FreeBSD without file AIO.
It appeared that the NGX_HAVE_AIO_SENDFILE macro was defined regardless of
the "--with-file-aio" configure option and the NGX_HAVE_FILE_AIO macro.

Now they are related.

Additionally, fixed one macro.
2015-02-11 20:00:07 +03:00
Valentin Bartenev
2b8d6ad805 Refactored sendfile() AIO preload.
This reduces layering violation and simplifies the logic of AIO preread, since
it's now triggered by the send chain function itself without falling back to
the copy filter.  The context of AIO operation is now stored per file buffer,
which makes it possible to properly handle cases when multiple buffers come
from different locations, each with its own configuration.
2015-02-11 17:52:15 +03:00
Ruslan Ermilov
2b7e167dbb Mail: fixed the duplicate listen address detection. 2015-01-23 15:23:29 +03:00
Ruslan Ermilov
0b30dec0d3 Mail: fixed a comment. 2015-01-23 15:23:27 +03:00
Ruslan Ermilov
3352461916 Upstream: detect port absence in fastcgi_pass with IP literal.
If fastcgi_pass (or any look-alike that doesn't imply a default
port) is specified as an IP literal (as opposed to a hostname),
port absence was not detected at configuration time and could
result in EADDRNOTAVAIL at run time.

Fixed this in such a way that configs like

http {
    server {
        location / {
            fastcgi_pass 127.0.0.1;
        }
    }

    upstream 127.0.0.1 {
        server 10.0.0.1:12345;
    }
}

still work.  That is, port absence check is delayed until after
we make sure there's no explicit upstream with such a name.
2015-01-22 16:23:32 +03:00
Ruslan Ermilov
917c47a918 Version bump. 2015-02-11 15:51:03 +03:00
Sergey Kandaurov
66c25a7d77 Core: fixed build on Tru64 UNIX.
There was a typo in NGX_EACCES.

Reported by Goetz T. Fischer.
2015-02-10 01:51:08 +03:00
Damien Tournoud
59969c22ce Fixed try_files directory test to match only a directory.
Historically, it was possible to match either a file or directory
in the following configuration:

    location / {
        try_files $uri/ =404;
    }
2015-01-21 00:26:32 +01:00
Roman Arutyunyan
2bae4205ab Core: fixed a race resulting in extra sem_post()'s.
The mtx->wait counter was not decremented if we were able to obtain the lock
right after incrementing it.  This resulted in unneeded sem_post() calls,
eventually leading to EOVERFLOW errors being logged, "sem_post() failed
while wake shmtx (75: Value too large for defined data type)".

To close the race, mtx->wait is now decremented if we obtain the lock right
after incrementing it in ngx_shmtx_lock().  The result can become -1 if a
concurrent ngx_shmtx_unlock() decrements mtx->wait before the added code does.
However, that only leads to one extra iteration in the next call of
ngx_shmtx_lock().
2015-02-04 16:22:43 +03:00
Roman Arutyunyan
cae1b5d63a Core: reverted prefix-based temp files (a9138c35120d).
The use_temp_path http cache feature is now implemented using a separate temp
hierarchy in cache directory.  Prefix-based temp files are no longer needed.
2015-02-02 21:28:09 +03:00
Roman Arutyunyan
f8fecbc94d Cache: added temp_path to file cache.
If use_temp_path is set to off, a subdirectory "temp" is created in the cache
directory.  It's used instead of proxy_temp_path and friends for caching
upstream response.
2015-02-02 19:38:35 +03:00
Roman Arutyunyan
54e14a387f Core: supported directory skipping in ngx_walk_tree().
If pre_tree_handler() returns NGX_DECLINED, the directory is ignored.
2015-02-02 19:38:32 +03:00
Valentin Bartenev
314d0d40e7 Fixed AIO handling in the output chain.
The ctx->aio flag must be taken into account in the short path too.
2015-01-28 21:33:06 +03:00
Igor Sysoev
415c8ec4b4 A bounds check of %N format on Windows.
Thanks to Joe Bialek, Adam Zabrocki and Microsoft Vulnerability Research.
2015-01-27 15:38:15 +03:00
Vladimir Homutov
7e1eba5faa Upstream: $upstream_header_time variable.
Keeps time spent on obtaining the header from an upstream server.  The value is
formatted similar to the $upstream_response_time variable.
2015-01-14 09:03:35 +03:00
Maxim Dounin
a1f330a0a2 Core: added disk_full_time checks to error log. 2015-01-13 19:51:37 +03:00
Maxim Dounin
2754fd3c80 Fixed sendfile() trailers on OS X (8e903522c17a, 1.7.8).
The trailer.count variable was not initialized if there was a header,
resulting in "sendfile() failed (22: Invalid argument)" alerts on OS X
if the "sendfile" directive was used.  The bug was introduced
in 8e903522c17a (1.7.8).
2015-01-13 18:58:23 +03:00
Valentin Bartenev
843fb552ec Upstream: use_temp_path parameter of proxy_cache_path and friends.
When set to "off", temporary files for cacheable responses will be stored
inside cache directory.
2014-12-26 16:22:59 +03:00
Valentin Bartenev
1858857c25 Cache: update variant while setting header.
Some parts of code related to handling variants of a resource moved into
a separate function that is called earlier.  This allows to use cache file
name as a prefix for temporary file in the following patch.
2014-12-26 16:22:56 +03:00
Valentin Bartenev
a54e37edda Core: added prefix-based temporary files.
Now, if the "path" parameter is NULL, ngx_create_temp_file() will use
file->name as a predefined file path prefix.
2014-12-26 16:22:54 +03:00
Valentin Bartenev
c07bebdcd1 Unified handling of ngx_create_temp_file() return value.
The original check for NGX_AGAIN was surplus, since the function returns
only NGX_OK or NGX_ERROR.  Now it looks similar to other places.

No functional changes.
2014-12-26 16:22:50 +03:00
Maxim Dounin
b8ee1ec7d3 Fixed building with musl libc (ticket #685). 2014-12-24 19:01:22 +03:00
Maxim Dounin
fe4b25c731 Version bump. 2014-12-24 18:53:38 +03:00
Valentin Bartenev
7817df480e Upstream: added variables support to proxy_cache and friends. 2014-12-22 12:59:09 +03:00
Valentin Bartenev
b24ad42008 Upstream: preset some cache configuration when bypassing.
No functional changes.
2014-12-22 12:59:06 +03:00
Valentin Bartenev
c40a72761c Upstream: refactored proxy_cache and friends.
The configuration handling code has changed to look similar to the proxy_store
directive and friends.  This simplifies adding variable support in the following
patch.

No functional changes.
2014-12-22 12:59:02 +03:00
Valentin Bartenev
66dcbab7a1 Upstream: mutually exclusive inheritance of "cache" and "store".
Currently, storing and caching mechanisms cannot work together, and a
configuration error is thrown when the proxy_store and proxy_cache
directives (as well as their friends) are configured on the same level.

But configurations like in the example below were allowed and could result
in critical errors in the error log:

    proxy_store on;

    location / {
        proxy_cache one;
    }

Only proxy_store worked in this case.

For more predictable and errorless behavior these directives now prevent
each other from being inherited from the previous level.
2014-12-22 12:58:59 +03:00
Valentin Bartenev
492844dbb1 Upstream: simplified proxy_store and friends configuration code.
This changes internal API related to handling of the "store"
flag in ngx_http_upstream_conf_t.  Previously, a non-null value
of "store_lengths" was enough to enable store functionality with
custom path.  Now, the "store" flag is also required to be set.

No functional changes.
2014-12-22 12:58:56 +03:00
Lukas Tribus
cf92831131 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
The flag was recently removed by BoringSSL.
2014-12-17 15:12:50 +01:00
Valentin Bartenev
16f248ebbb Autoindex: implemented XML output format. 2014-12-12 20:25:42 +03:00
Valentin Bartenev
5453f0afe6 Autoindex: implemented JSON output format. 2014-12-12 20:25:35 +03:00
Valentin Bartenev
921f728526 Autoindex: rendering code moved to a separate function.
No functional changes.
2014-12-12 20:25:28 +03:00
Maxim Dounin
d8c7616074 Headers filter: variables support in expires (ticket #113). 2014-12-11 23:42:11 +03:00
Maxim Dounin
cf21308885 Headers filter: local variables for config, no functional changes. 2014-12-11 23:42:06 +03:00
Valentin Bartenev
fb7d63250e Upstream: fixed inheritance of proxy_store and friends.
The proxy_store, fastcgi_store, scgi_store and uwsgi_store were inherited
incorrectly if a directive with variables was defined, and then redefined
to the "on" value, i.e. in configurations like:

    proxy_store /data/www$upstream_http_x_store;

    location / {
        proxy_store on;
    }
2014-10-09 20:30:11 +04:00
Maxim Dounin
827b2511e6 Proxy: fixed incorrect URI change due to if (ticket #86).
In the following configuration request was sent to a backend without
URI changed to '/' due to if:

    location /proxy-pass-uri {
        proxy_pass http://127.0.0.1:8080/;

        set $true 1;

        if ($true) {
            # nothing
        }
    }

Fix is to inherit conf->location from the location where proxy_pass was
configured, much like it's done with conf->vars.
2014-12-09 18:22:39 +03:00
Maxim Dounin
8d7c6491fe Upstream: fixed unexpected inheritance into limit_except blocks.
The proxy_pass directive and other handlers are not expected to be inherited
into nested locations, but there is a special code to inherit upstream
handlers into limit_except blocks, as well as a configuration into if{}
blocks.  This caused incorrect behaviour in configurations with nested
locations and limit_except blocks, like this:

    location / {
        proxy_pass http://u;

        location /inner/ {
            # no proxy_pass here

            limit_except GET {
                # nothing
            }
        }
    }

In such a configuration the limit_except block inside "location /inner/"
unexpectedly used proxy_pass defined in "location /", while it shouldn't.
Fix is to avoid inheritance of conf->upstream.upstream (and
conf->proxy_lengths) into locations which don't have noname flag.
2014-12-09 18:22:31 +03:00
Maxim Dounin
c863e1b3b5 Upstream: inheritance of proxy_pass and friends (ticket #645).
Instead of independant inheritance of conf->upstream.upstream (proxy_pass
without variables) and conf->proxy_lengths (proxy_pass with variables)
we now test them both and inherit only if neither is set.  Additionally,
SSL context is also inherited only in this case now.

Based on the patch by Alexey Radkov.
2014-12-09 18:21:55 +03:00
Maxim Dounin
88ed2d39af Proxy: the "TE" header now stripped by default (ticket #537). 2014-12-09 18:20:19 +03:00
Piotr Sikora
1ea64b3f8f Cache: send conditional requests only for cached 200/206 responses.
RFC7232 says:

   The 304 (Not Modified) status code indicates that a conditional GET
   or HEAD request has been received and would have resulted in a 200
   (OK) response if it were not for the fact that the condition
   evaluated to false.

which means that there is no reason to send requests with "If-None-Match"
and/or "If-Modified-Since" headers for responses cached with other status
codes.

Also, sending conditional requests for responses cached with other status
codes could result in a strange behavior, e.g. upstream server returning
304 Not Modified for cached 404 Not Found responses, etc.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-11-26 18:35:37 -08:00
Dmitrii Pichulin
cf5013dd3f SSL: loading certificate keys via ENGINE_load_private_key(). 2014-08-04 11:03:20 +04:00
Maxim Dounin
811281ec36 Version bump. 2014-12-04 16:37:31 +03:00
Maxim Dounin
6d52912a2a Cache: proper wakeup of subrequests.
In case of a cache lock timeout and in the aio handler we now call
r->write_event_handler() instead of a connection write handler,
to make sure to run appropriate subrequest.  Previous code failed to run
inactive subrequests and hence resulted in suboptimal behaviour, see
report by Yichun Zhang:

http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004435.html

(Infinite hang claimed in the report seems impossible without 3rd party
modules, as subrequests will be eventually woken up by the postpone filter.)
2014-12-02 05:54:56 +03:00
Maxim Dounin
10345663c8 Upstream: improved subrequest logging.
To ensure proper logging make sure to set current_request in all event
handlers, including resolve, ssl handshake, cache lock wait timer and
aio read handlers.  A macro ngx_http_set_log_request() introduced to
simplify this.
2014-12-02 05:54:54 +03:00
Sergey Kandaurov
778cc4b42e Access log: restricted "log_format" to "http" level.
Specifying the "log_format" directive on levels other than "http"
is deprecated since 73d37e1ccb91 (1.1.11).
2014-12-01 14:51:36 +03:00
Maxim Dounin
ece388033a Write filter: fixed handling of sync bufs (ticket #132). 2014-11-28 16:58:39 +03:00
Maxim Dounin
7fa89c744a Fixed post_action to not trigger "header already sent" alert.
The alert was introduced in 03ff14058272 (1.5.4), and was triggered on each
post_action invocation.

There is no real need to call header filters in case of post_action,
so return NGX_OK from ngx_http_send_header() if r->post_action is set.
2014-11-28 16:57:50 +03:00
Maxim Dounin
d228fa5093 Typo. 2014-11-28 16:57:23 +03:00
Valentin Bartenev
decaffa805 SPDY: push pending data while closing a stream as with keepalive.
This helps to avoid delays in sending the last chunk of data because
of bad interaction between Nagle's algorithm on nginx side and
delayed ACK on the client side.

Delays could also be caused by TCP_CORK/TCP_NOPUSH if SPDY was
working without SSL and sendfile() was used.
2014-11-21 22:51:49 +03:00
Vladimir Homutov
742b5dd045 Syslog: allowed underscore symbol in tag (ticket #667). 2014-11-20 20:02:21 +03:00
Ruslan Ermilov
ef563debf1 Resolver: fixed debug event logging.
In 954867a2f0a6, we switched to using resolver node as the timer event data.
This broke debug event logging.

Replaced now unused ngx_resolver_ctx_t.ident with ngx_resolver_node_t.ident
so that ngx_event_ident() extracts something sensible when accessing
ngx_resolver_node_t as ngx_connection_t.
2014-11-20 15:24:42 +03:00
Ruslan Ermilov
d4b7b74686 Resolver: fixed use-after-free memory access.
In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.
2014-11-20 15:24:40 +03:00
Valentin Bartenev
96a62f1396 Style. 2014-11-19 21:46:01 +03:00
Valentin Bartenev
1276d8483e Fixed type of sendfile() return value on Linux.
There was no real problem since the amount of bytes can be sent is limited by
NGX_SENDFILE_MAXSIZE to less than 2G.  But that can be changed in the future
2014-11-19 21:18:13 +03:00
Valentin Bartenev
a301e1a706 Moved writev() handling code to a separate function.
This reduces code duplication and unifies debug logging of the writev() syscall
among various send chain functions.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
79ddab189f Merged conditions in the ngx_*_sendfile_chain() functions.
No functional changes.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
d85d459bb2 Moved the code for coalescing file buffers to a separate function. 2014-08-13 15:11:45 +04:00
Valentin Bartenev
f00918eab3 Refactored ngx_solaris_sendfilev_chain().
Though ngx_solaris_sendfilev_chain() shouldn't suffer from the problem mentioned
in d1bde5c3c5d2 since currently IOV_MAX on Solaris is 16, but this follows the
change from 3d5717550371 in order to make the code look similar to other systems
and potentially eliminates the problem in the future.
2014-11-19 21:17:11 +03:00
Valentin Bartenev
b29d599c0b Introduced the ngx_output_chain_to_iovec() function.
It deduplicates code of the send chain functions and uses only preallocated
memory, which completely solves the problem mentioned in d1bde5c3c5d2.
2014-10-07 11:38:57 +04:00
Valentin Bartenev
41ed973456 Renamed ngx_handle_sent_chain() to ngx_chain_update_sent().
No functional changes.
2014-11-19 21:16:19 +03:00
Piotr Sikora
3ecac9eaba Cache: add support for Cache-Control's s-maxage response directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-11-18 17:07:14 -08:00
Roman Arutyunyan
1b79cb211d Proxy: renamed and rearranged fields in proxy configuration.
No functional changes.
2014-11-19 17:33:24 +03:00
Roman Arutyunyan
8898c97dbd Upstream: different header lists for cached and uncached requests.
The upstream modules remove and alter a number of client headers
before sending the request to upstream.  This set of headers is
smaller or even empty when cache is disabled.

It's still possible that a request in a cache-enabled location is
uncached, for example, if cache entry counter is below min_uses.
In this case it's better to alter a smaller set of headers and
pass more client headers to backend unchanged.  One of the benefits
is enabling server-side byte ranges in such requests.
2014-11-19 17:33:23 +03:00
Roman Arutyunyan
bcf6b11a34 Upstream: moved header lists to separate structures.
No functional changes.
2014-11-19 17:33:22 +03:00
Roman Arutyunyan
62dfdf1814 Upstream: moved header initializations to separate functions.
No functional changes.
2014-11-19 17:33:21 +03:00
Roman Arutyunyan
3b33056522 Scgi: do not push redundant NULL element into conf->params. 2014-11-19 17:33:21 +03:00
Roman Arutyunyan
2628cc11d4 Cache: proxy_cache_lock_age and friends.
Once this age is reached, the cache lock is discarded and another
request can acquire the lock.  Requests which failed to acquire
the lock are not allowed to cache the response.
2014-11-18 20:41:12 +03:00
Valentin Bartenev
20d41493d4 SPDY: fixed check for too long header name or value.
For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data.  One more byte is needed for null-termination
and another one for further progress.  Otherwise inflate() fails with
Z_BUF_ERROR.
2014-11-07 17:22:19 +03:00
Valentin Bartenev
42b6d57fb5 SPDY: improved debug logging of inflate() calls. 2014-11-07 17:19:12 +03:00
Maxim Dounin
1fd4cd0b96 SSL: logging level of "inappropriate fallback" (ticket #662).
Patch by Erik Dubbelboer.
2014-11-17 16:38:48 +03:00
Toshikuni Fukaya
d9f5baa0b8 Upstream: support named location for X-Accel-Redirect. 2014-11-04 19:56:23 +09:00
Piotr Sikora
a9d9b09103 Upstream: add "proxy_ssl_certificate" and friends.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-30 04:30:41 -07:00
Maxim Dounin
fb96936c1a SPDY: fixed "too long header line" logging.
This fixes possible one byte buffer overrun and makes sure ellipsis are
always added, see 21043ce2a005.
2014-11-07 17:38:55 +03:00
Maxim Dounin
e2bc3c11b2 Cache: removed dead store in ngx_http_file_cache_vary_header().
Found by Clang Static Analyzer.
2014-11-05 18:53:26 +03:00
Valentin Bartenev
f9b99baed3 Access log: cancel the flush timer on graceful shutdown.
Previously, it could prevent a worker process from exiting
for up to the configured flush timeout.
2014-08-25 13:41:31 +04:00
Valentin Bartenev
8b30fb7c97 Events: introduced cancelable timers. 2014-08-13 22:45:04 +04:00
Valentin Bartenev
16403bc7b1 Events: simplified cycle in ngx_event_expire_timers(). 2014-08-25 13:37:06 +04:00
Valentin Bartenev
246152c864 Events: removed broken thread support from event timers.
It's mostly dead code.  And the idea of thread support for this task has
been deprecated.
2014-08-25 13:34:39 +04:00
Sergey Kandaurov
33f5555940 SSL: simplified ssl_password_file error handling.
Instead of collecting a number of the possible SSL_CTX_use_PrivateKey_file()
error codes that becomes more and more difficult with the rising variety of
OpenSSL versions and its derivatives, just continue with the next password.

Multiple passwords in a single ssl_password_file feature was broken after
recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.

Reported by Piotr Sikora.
2014-10-24 04:28:00 -07:00
Piotr Sikora
54606d4625 SPDY: stop emitting multiple empty header values.
Previously, nginx would emit empty values in a header with multiple,
NULL-separated values.

This is forbidden by the SPDY specification, which requires headers to
have either a single (possibly empty) value or multiple, NULL-separated
non-empty values.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-27 14:25:56 -07:00
Valentin Bartenev
78dd8b5eda Version bump. 2014-10-28 21:58:49 +03:00
Kouhei Sutou
b3f9a94e6a Win32: made build-able with MinGW-w64 gcc. 2014-10-15 21:15:01 +09:00
Gu Feng
726c5726fb Upstream: limited next_upstream time and tries when resolving DNS.
When got multiple upstream IP addresses using DNS resolving, the number of
upstreams tries and the maxinum time spent for these tries were not affected.
This patch fixed it.
2014-10-27 19:52:03 +08:00
Roman Arutyunyan
cf1e4781a9 Write filter: stored delay in a variable, no functional changes.
The code is now similar to ngx_event_pipe_read_upstream().
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
18e4d042b0 Upstream: proxy_limit_rate and friends.
The directives limit the upstream read rate.  For example,
"proxy_limit_rate 42" limits proxy upstream read rate to
42 bytes per second.
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
0989d63f06 Core: added limit to recv_chain(). 2014-10-28 12:29:58 +03:00
Maxim Dounin
5f625b7df0 Cache: normalization of some Vary headers.
Spaces in Accept-Charset, Accept-Encoding, and Accept-Language headers
are now ignored.  As per syntax of these headers spaces can only appear
in places where they are optional.
2014-10-27 21:14:12 +03:00
Maxim Dounin
6255935e0f Cache: multiple variants of a resource now can be stored.
If a variant stored can't be used to respond to a request, the variant
hash is used as a secondary key.

Additionally, if we previously switched to a secondary key, while storing
a response to cache we check if the variant hash still apply.  If not, we
switch back to the original key, to handle cases when Vary changes.
2014-10-27 21:14:10 +03:00
Maxim Dounin
83f00adc9b Cache: c->reading flag introduced.
It replaces c->buf in checks in ngx_http_file_cache_open(), making it possible
to reopen the file without clearing c->buf.  No functional changes.
2014-10-27 21:14:07 +03:00
Maxim Dounin
1332e76b20 Cache: hash of Vary headers now stored in cache.
To cache responses with Vary, we now calculate hash of headers listed
in Vary, and return the response from cache only if new request headers
match.

As of now, only one variant of the same resource can be stored in cache.
2014-10-27 21:13:58 +03:00
Maxim Dounin
fc785b12a0 Cache: disable caching of responses with Vary (ticket #118).
The "proxy_ignore_header" directive now undersands the "Vary" parameter
to ignore the header as needed.
2014-10-27 21:13:39 +03:00
Maxim Dounin
97e618c556 Gzip, gunzip: flush busy buffers if any.
Previous code resulted in transfer stalls when client happened
to read all the data in buffers at once, while all gzip buffers
were exhausted (but ctx->nomem wasn't set).  Make sure to call
next body filter at least once per call if there are busy buffers.

Additionally, handling of calls with NULL chain was changed to follow
the same logic, i.e., next body filter is only called with NULL chain
if there are busy buffers.  This is expected to fix "output chain is empty"
alerts as reported by some users after c52a761a2029 (1.5.7).
2014-10-15 22:57:23 +04:00
Maxim Dounin
9369cf8df3 Style. 2014-10-14 20:19:36 +04:00
Roman Arutyunyan
2244a5e9cf Upstream: proxy_force_ranges and friends.
The directives enable byte ranges for both cached and uncached
responses regardless of backend headers.
2014-10-14 18:32:01 +04:00
Kouhei Sutou
8ae7751878 Win32: suppressed warnings by "-Werror=sign-compare". 2014-10-11 21:09:29 +09:00
Kouhei Sutou
3df66a632a Win32: fixed wrong type cast.
GetQueuedCompletionStatus() document on MSDN says the
following signature:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa364986.aspx

    BOOL WINAPI GetQueuedCompletionStatus(
      _In_   HANDLE CompletionPort,
      _Out_  LPDWORD lpNumberOfBytes,
      _Out_  PULONG_PTR lpCompletionKey,
      _Out_  LPOVERLAPPED *lpOverlapped,
      _In_   DWORD dwMilliseconds
    );

In the latest specification, the type of the third argument
(lpCompletionKey) is PULONG_PTR not LPDWORD.
2014-10-11 20:56:35 +09:00
Maxim Dounin
c01481a4cb Fixed possible buffer overrun in "too long header line" logging.
Additionally, ellipsis now always added to make it clear that
the header logged is incomplete.

Reported by Daniil Bondarev.
2014-10-08 17:16:04 +04:00
Yichun Zhang
52e4dc2f74 Core: fixed buffer overrun when hash max_size reached. 2014-10-02 12:00:17 -07:00
Piotr Sikora
4a2fba2d46 Upstream: fix $upstream_cache_last_modified variable.
Due to the u->headers_in.last_modified_time not being correctly initialized,
this variable was evaluated to "Thu, 01 Jan 1970 00:00:00 GMT" for responses
cached without the "Last-Modified" header which resulted in subsequent proxy
requests being sent with "If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT"
header.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-01 15:48:53 -07:00
Valentin Bartenev
840b347bb2 Fixed counting of sent bytes in the send chain functions on EINTR.
Previously, a value of the "send" variable wasn't properly adjusted
in a rare case when syscall was interrupted by a signal.  As a result,
these functions could send less data than the limit allows.
2014-08-27 20:51:01 +04:00
Valentin Bartenev
70995077ad Version bump. 2014-10-02 22:36:27 +04:00
Maxim Dounin
403a9efc0c Upstream keepalive: reset c->sent on cached connections.
The c->sent is reset to 0 on each request by server-side http code,
so do the same on client side.  This allows to count number of bytes
sent in a particular request.
2014-09-29 22:27:45 +04:00
Valentin Bartenev
c9fbbc8273 Limit req: reduced number of parameters in the lookup function.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
021a9df15b Limit req: use complex value in limit_req_zone.
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
with nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
98f7d0efb2 Limit conn: aligned field names in structures.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
dd1ae4348a Limit conn: use complex value in limit_conn_zone (ticket #121).
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
to nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
1866f15d7d Limit conn: removed deprecated "limit_zone" directive.
It's deprecated since 260d591cb6a3 (1.1.8).  The "limit_conn_zone" directive
should be used instead.
2014-09-24 21:55:19 +04:00
Vladimir Homutov
27fa3123f9 Syslog: improved error handling of unix domain sockets.
If a syslog daemon is restarted and the unix socket is used, further logging
might stop to work.  In case of send error, socket is closed, forcing
a reconnection at the next logging attempt.
2014-08-26 14:56:54 +04:00
Vladimir Homutov
d79cbf15e6 Syslog: enabled logging of send errors.
The ngx_cycle->log is used when sending the message.  This allows to log syslog
send errors in another log.

Logging to syslog after its cleanup handler has been executed was prohibited.
Previously, this was possible from ngx_destroy_pool(), which resulted in error
messages caused by attempts to write into the closed socket.

The "processing" flag is renamed to "busy" to better match its semantics.
2014-09-01 17:55:07 +04:00
Gu Feng
bba2ce8aae Avoided to add duplicate hash key in ngx_http_types_slot(). 2014-09-17 22:52:02 +08:00
Valentin Bartenev
840d205bac Removed duplicate initialization of the "rev" variable. 2014-09-22 19:48:23 +04:00
Valentin Bartenev
651be6067e Generalized definitions of the number of preallocated iovec's.
No functional changes.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
1cbeabfd4c Reduced difference between the send chain functions.
No functional changes.  This follows the change from ad137a80919f.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
0a02bdb249 Merged implementations of ngx_readv_chain().
There's no real need in two separate implementations,
with and without kqueue support.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
77d61350a4 Removed the "complete" variable from various send chain functions.
It was made redundant by the previous change, since the "sent" variable
is no longer modified.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
4aac91049f Moved the code for adjusting sent buffers in a separate function. 2014-08-13 15:11:45 +04:00
Valentin Bartenev
8b6f1c7bb0 Fixed writev() debug log message in ngx_darwin_sendfile_chain(). 2014-08-13 15:11:45 +04:00
Roman Arutyunyan
ba1676f267 Upstream: fixed file buffers reinit in ngx_http_upstream_reinit().
Previously, a file buffer start position was reset to the file start.
Now it's reset to the previous file buffer end.  This fixes
reinitialization of requests having multiple successive parts of a
single file.  Such requests are generated by fastcgi module.
2014-09-18 16:37:16 +04:00
Roman Arutyunyan
66876d0b09 FastCGI: fixed start pointers in request buffers.
The start pointers are used in ngx_http_upstream_reinit() to
reinit FastCGI requests.
2014-09-18 16:37:14 +04:00
Valentin Bartenev
a7798de9bd Limit req: don't truncate key value to 255 bytes.
While the module allows to use values up to 65535 bytes as a key,
that actually never worked properly.
2014-09-16 21:12:51 +04:00
Valentin Bartenev
681f74a9ba Version bump. 2014-09-17 12:04:47 +04:00
Maxim Dounin
6ec0f4d85b SSL: session id context now includes certificate hash.
This prevents inappropriate session reuse in unrelated server{}
blocks, while preserving ability to restore sessions on other servers
when using TLS Session Tickets.

Additionally, session context is now set even if there is no session cache
configured.  This is needed as it's also used for TLS Session Tickets.

Thanks to Antoine Delignat-Lavaud and Piotr Sikora.
2014-09-15 17:59:47 +04:00
Valentin Bartenev
152d92b4b7 Access log: fixed the "if=" parameter with buffering (ticket #625).
It might not work if there were more than one "access_log" directives
pointed to the same file and duplicate buffer parameters.
2014-09-13 21:47:13 +04:00
Roman Arutyunyan
02ce6c415f Upstream: limited next_upstream time and tries (ticket #544).
The new directives {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_tries
and {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_timeout limit
the number of upstreams tried and the maximum time spent for these tries
when searching for a valid upstream.
2014-09-12 18:50:47 +04:00
Roman Arutyunyan
cfc3db1972 Upstream: included backup peers into peer.tries.
Since peer.tries is never reset it can now be limited if required.
2014-09-12 18:50:46 +04:00
Maxim Dounin
4c7e1a8d85 Upstream keepalive: removed "single" parameter remnants.
The "single" parameter is deprecated and ignored since 5b5c07dee156 (1.3.2).
2014-09-11 20:09:04 +04:00
Maxim Dounin
3a235bf52e Added warning about unset cache keys.
In fastcgi, scgi and uwsgi modules there are no default cache keys, and
using a cache without a cache key set is likely meaningless.
2014-09-11 20:08:52 +04:00
Maxim Dounin
d7d26feba1 Style. 2014-09-11 20:08:45 +04:00
FengGu
b4cb8475b1 Upstream: avoided directly terminating the connection.
When memory allocation failed in ngx_http_upstream_cache(), the connection
would be terminated directly in ngx_http_upstream_init_request().
Return a INTERNAL_SERVER_ERROR response instead.
2014-08-13 14:53:55 +08:00
Maxim Dounin
cb8a0327ab Added ngx_init_setproctitle() return code check.
The ngx_init_setproctitle() function, as used on systems without
setproctitle(3), may fail due to memory allocation errors, and
therefore its return code needs to be checked.

Reported by Markus Linnala.
2014-09-08 21:36:09 +04:00
Maxim Dounin
90df702bf8 Fixed ETag memory allocation error handling.
The etag->hash must be set to 0 to avoid an empty ETag header being
returned with the 500 Internal Server Error page after the memory
allocation failure.

Reported by Markus Linnala.
2014-09-08 21:36:03 +04:00
Maxim Dounin
c5bee22d16 Core: ngx_regex_compile() error handling fixes.
Now we actually return NGX_ERROR on errors, and provide an error
string for memory allocation errors.

Reported by Markus Linnala.
2014-09-08 21:35:53 +04:00
Piotr Sikora
2af7181b3b SSL: guard use of all SSL options for bug workarounds.
Some of the OpenSSL forks (read: BoringSSL) started removing unused,
no longer necessary and/or not really working bug workarounds along
with the SSL options and defines for them.

Instead of fixing nginx build after each removal, be proactive
and guard use of all SSL options for bug workarounds.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-09-03 14:49:55 -07:00
Roman Arutyunyan
c0b3b9d6ca Upstream: suppressed the file cache slab allocator error messages.
The messages "ngx_slab_alloc() failed: no memory in cache keys zone"
from the file cache slab allocator are suppressed since the allocation
is likely to succeed after the forced expiration of cache nodes.
The second allocation failure is reported.
2014-09-05 18:14:59 +04:00
Valentin Bartenev
37d24e7e3b Events: processing of posted events changed from LIFO to FIFO.
In theory, this can provide a bit better distribution of latencies.

Also it simplifies the code, since ngx_queue_t is now used instead
of custom implementation.
2014-09-01 18:20:18 +04:00
Valentin Bartenev
2a81e05566 Events: removed broken thread support from posted events.
It's mostly dead code.  And the idea of thread support for this task has
been deprecated.
2014-09-01 18:20:03 +04:00
Valentin Bartenev
3ca3f609cb Mail: initialize the "signature" field of ngx_mail_session_t.
Currently it isn't used, but it can be suitable to distinguish
objects stored in c->data.
2014-09-01 17:50:59 +04:00
Ruslan Ermilov
be6175d49d Upstream: improved configuration parser diagnostics.
Made it clear when the selected balancing method does not
support certain parameters of the "server" directive.
2014-09-01 12:27:38 +04:00
Sergey Kandaurov
967c51c9ff Headers filter: "add_header" with "always" parameter (ticket #98).
If specified, the header field is set regardless of the status code.
2014-08-29 18:00:10 +04:00
Maxim Dounin
31c35adfe1 Variables: updated list of prefixes in ngx_http_rewrite_set(). 2014-08-27 21:38:08 +04:00
Maxim Dounin
8cf734c7b4 Variables: fixed non-indexed access of prefix vars (ticket #600).
Previously, a configuration like

    location / {
        ssi on;
        ssi_types *;
        set $http_foo "bar";
        return 200 '<!--#echo var="http_foo" -->\n';
    }

resulted in NULL pointer dereference in ngx_http_get_variable() as
the variable was explicitly added to the variables hash, but its
get_handler wasn't properly set in the hash.  Fix is to make sure
that get_handler is properly set by ngx_http_variables_init_vars().
2014-08-27 21:38:04 +04:00
Valentin Bartenev
dbcb16ff68 SPDY: added a comment about handling stream with the timer set. 2014-08-18 13:23:45 +04:00
Valentin Bartenev
c425f19daa SPDY: avoid setting timeout on stream events in ngx_http_writer().
The SPDY module doesn't expect timers can be set on stream events for reasons
other than delaying output.  But ngx_http_writer() could add timer on write
event if the delayed flag wasn't set and nginx is waiting for AIO completion.
That could cause delays in sending response over SPDY when file AIO was used.
2014-08-27 20:44:11 +04:00
Ruslan Ermilov
da46eed537 Resolver: notify all waiting requests on timeout.
If a "resolver_timeout" occurs, only the first waiting request
was notified.  Other requests may hang forever.
2014-08-19 15:43:26 +04:00
Ruslan Ermilov
8607e64b83 Stub status: corrected the "stub_status" directive.
The "stub_status" directive does not require an argument.
2014-08-26 17:35:23 +04:00
Valentin Bartenev
9fb2b9287d Sub filter: fixed matching for a single character. 2014-08-25 16:08:55 +04:00
Valentin Bartenev
c7efcf6ba6 Mail: fixed number of arguments allowed in the listen directive. 2014-08-20 13:13:27 +04:00
Valentin Bartenev
8575dc3516 Mail: fixed a comment.
There's no loc_conf in the mail module.
2014-08-20 13:13:27 +04:00
Roman Arutyunyan
a8227724c0 Mp4: use trak->smhd_size in ngx_http_mp4_read_smhd_atom().
Reported by Gang Li.
2014-08-19 14:13:39 +04:00
Sergey Kandaurov
3ed0e11d08 Image filter: downgrade strong etags to weak ones as needed. 2014-08-18 12:03:41 +04:00
Sergey Kandaurov
886ad0e9d3 Fixed typo. 2014-08-15 14:09:29 +04:00
Maxim Dounin
870b962382 Events: removed unused variable in ngx_poll_process_events(). 2014-08-10 17:44:46 +04:00
Yves Crespin
3c0c66c5d8 Events: format specifier fixes. 2014-08-07 15:04:43 +02:00
Yves Crespin
6a58555ca8 Events: changed nevents type to unsigned in poll module. 2014-08-07 14:56:57 +02:00
Tatsuhiko Kubo
12300c2a20 Style: use specified macro instead of magic-number. 2014-08-06 23:58:44 +09:00
Piotr Sikora
b3066b16e1 Perl: NULL-terminate argument list.
perl_parse() function expects argv/argc-style argument list,
which according to the C standard must be NULL-terminated,
that is: argv[argc] == NULL.

This change fixes a crash (SIGSEGV) that could happen because
of the buffer overrun during perl module initialization.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-19 04:16:36 -07:00
Maxim Dounin
8f0f4c10e9 Access log: allowed logs to syslog with "if=" (ticket #596). 2014-08-06 00:22:36 +04:00
Maxim Dounin
4b5876c922 Version bump. 2014-08-05 22:50:25 +04:00
Maxim Dounin
44f45a5466 Mail: discard pipelined commands after SMTP STARTTLS.
The bug had appeared in nginx 1.5.6 (04e43d03e153).

Reported by Chris Boulton.
2014-08-05 12:22:07 +04:00
Piotr Sikora
1fe0f6a9b9 Core: exit on ngx_pnalloc() failure.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-08-01 20:39:22 -07:00
Tatsuhiko Kubo
f240215ba6 Style: use ngx_free() instead of free(). 2014-08-03 03:27:39 +09:00
Tatsuhiko Kubo
244a6a28b1 Core: improved ngx_pstrdup() error handling. 2014-08-01 20:04:14 +09:00
Sergey Kandaurov
88132eed54 Status: indentation and style, no functional changes. 2014-08-01 18:36:35 +04:00
FengGu
bfa56738af Dav: ngx_http_map_uri_to_path() errors were not checked.
Once error occured, it could lead to use uninitialized variables to log,
even more segmentation fault.
2014-07-30 14:45:08 +08:00
Piotr Sikora
9ed633b930 SSL: let it build against LibreSSL.
LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0, so tests
for OpenSSL-1.0.2+ are now passing, even though the library doesn't
provide functions that are expected from that version of OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-30 04:32:16 -07:00
Piotr Sikora
0dcfca0301 SSL: let it build against BoringSSL.
This change adds support for using BoringSSL as a drop-in replacement
for OpenSSL without adding support for any of the BoringSSL-specific
features.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-30 04:32:15 -07:00
Piotr Sikora
a57394b3e9 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
This is really just a prerequisite for building against BoringSSL,
which doesn't provide either of those features.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-28 12:27:57 -07:00
Maxim Dounin
5958181b1e Bigger iovec buffer in ngx_readv_chain().
This helps to reduce likelyhood of memory allocations in ngx_readv_chain(),
which are known to lead to noticeable effects in some cases, see
http://mailman.nginx.org/pipermail/nginx/2014-July/044512.html.
2014-07-28 18:30:19 +04:00
Maxim Dounin
8639e17f94 SSL: misplaced space in debug message. 2014-07-28 18:30:18 +04:00
Maxim Dounin
4b2f12a604 Upstream: SSL handshake timeouts.
Timeout may not be set on an upstream connection when we call
ngx_ssl_handshake() in ngx_http_upstream_ssl_init_connection(),
so make sure to arm it if it's not set.

Based on a patch by Yichun Zhang.
2014-07-28 18:30:14 +04:00
Yichun Zhang
7b24c53efe GeoIP: not all variable fields were initialized.
The ngx_http_geoip_city_float_variable and
ngx_http_geoip_city_int_variable functions did not always initialize
all variable fields like "not_found", which could lead to empty values
for those corresponding nginx variables randomly.
2014-07-25 14:43:29 -07:00
Piotr Sikora
3ba8f2f73d Core: use uppercase hexadecimal digits for percent-encoding.
RFC3986 says that, for consistency, URI producers and normalizers
should use uppercase hexadecimal digits for all percent-encodings.

This is also what modern web browsers and other tools use.

Using lowercase hexadecimal digits makes it harder to interact with
those tools in case when use of the percent-encoded URI is required,
for example when $request_uri is part of the cache key.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-26 23:39:23 -07:00
Vladimir Homutov
c54899ddfd Core: fixed default log initialization.
The ngx_log_insert() function may invalidate pointer passed to it,
so make sure to don't use it after the ngx_log_insert() call.
2014-07-24 16:25:07 +04:00
Maxim Dounin
248baf4262 Upstream: ngx_http_upstream_store() error handling fixes.
Previously, ngx_http_map_uri_to_path() errors were not checked in
ngx_http_upstream_store().  Moreover, in case of errors temporary
files were not deleted, as u->store was set to 0, preventing cleanup
code in ngx_http_upstream_finalize_request() from removing them.  With
this patch, u->store is set to 0 only if there were no errors.

Reported by Feng Gu.
2014-07-18 20:11:40 +04:00
Maxim Dounin
88d9289f82 Reset of r->uri.len on URI parsing errors.
This ensures that debug logging and the $uri variable (if used in
400 Bad Request processing) will not try to access uninitialized
memory.

Found by Sergey Bobrov.
2014-07-18 20:02:11 +04:00
Ruslan Ermilov
7e52432a05 Resolver: fixed resend on malformed responses.
DNS request resend on malformed responses was broken in 98876ce2a7fd (1.5.8).

Reported by Pramod Korathota.
2014-07-16 10:21:28 +04:00
Piotr Sikora
79c55b2cca SSL: fix build with recent OpenSSL.
X509_check_host() prototype changed recently:
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ced3d91
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=297c67f

Bump version requirement, so that OpenSSL-1.0.2-beta1 uses fallback code.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-09 12:27:15 -07:00
Jianjun Zheng
584692027b Core: bugfix for the ngx_slab_max_size case. 2014-06-18 16:39:59 +08:00
Tatsuhiko Kubo
cc870236b2 Style: use ngx_str_set(). 2014-07-09 23:23:59 +09:00
Tatsuhiko Kubo
ef2b59699a Style: use ngx_str_null(). 2014-07-09 23:22:14 +09:00
Tatsuhiko Kubo
bb4edb5cef Style: use ngx_strlen() instead of strlen(). 2014-07-09 23:20:40 +09:00
Piotr Sikora
12ca9c9c8f SPDY: fix support for headers with multiple values.
Split SPDY header with multiple, NULL-separated values:

    cookie: foo\0bar

into two separate HTTP headers with the same name:

    cookie: foo
    cookie: bar

Even though the logic for this behavior already existed
in the source code, it doesn't look that it ever worked
and SPDY streams with such headers were simply rejected.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 02:17:44 -07:00
Piotr Sikora
ba95686741 Style: fix typo.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
a02ca8e173 Style: use ngx_memcpy() instead of memcpy().
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
a2229a4035 Style: keep return type and function name on different lines.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
2cfcef5b42 Style: remove whitespace between function name and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
7e7589e746 Style: add whitespace between control statement and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:13 -07:00
Piotr Sikora
d224ed7eea SSL: stop accessing SSL_SESSION's fields directly.
SSL_SESSION struct is internal part of the OpenSSL library and it's fields
should be accessed via API (when exposed), not directly.

The unfortunate side-effect of this change is that we're losing reference
count that used to be printed at the debug log level, but this seems to be
an acceptable trade-off.

Almost fixes build with -DOPENSSL_NO_SSL_INTERN.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:14 -07:00
Maxim Dounin
ce64398751 SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
The RSA_generate_key() is marked as deprecated and causes build to
fail.  On the other hand, replacement function, RSA_generate_key_ex(),
requires much more code.  Since RSA_generate_key() is only needed
for barely usable EXP ciphers, the #ifdef was added instead.

Prodded by Piotr Sikora.
2014-07-09 04:08:13 +04:00
Piotr Sikora
bd058b9d24 SSL: return temporary RSA key only when the key length matches.
This change is mostly cosmetic, because in practice this callback
is used only for 512-bit RSA keys.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:13 -07:00
Piotr Sikora
f0e05f3d89 SSL: include correct OpenSSL headers.
Previously, <bn.h>, <dh.h>, <rand.h> and <rsa.h> were pulled in
by <engine.h> using OpenSSL's deprecated interface, which meant
that nginx couldn't have been built with -DOPENSSL_NO_DEPRECATED.

Both <x509.h> and <x509v3.h> are pulled in by <ocsp.h>, but we're
calling X509 functions directly, so let's include those as well.

<crypto.h> is pulled in by virtually everything, but we're calling
CRYPTO_add() directly, so let's include it as well.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:13 -07:00
Maxim Dounin
098c6bd81f Version bump. 2014-07-09 03:15:00 +04:00
Maxim Dounin
11bbbc051b Win32: ngx_open_dir() and ngx_close_dir() fixes.
The ngx_open_dir() function changed to restore name passed to it.  This
fixes removing destination directory in dav module, as caught by dav.t.
The ngx_close_dir() function introduced to properly convert errors, as
FindClose() returns 0 on error.
2014-07-05 23:29:47 +04:00
Maxim Dounin
d9152910d3 SSL: logging level of "peer closed connection in SSL handshake".
Previously, the NGX_LOG_INFO level was used unconditionally.  This is
correct for client SSL connections, but too low for connections to
upstream servers.  To resolve this, ngx_connection_error() now used
to log this error, it will select logging level appropriately.

With this change, if an upstream connection is closed during SSL
handshake, it is now properly logged at "error" level.
2014-07-04 22:14:36 +04:00
Maxim Dounin
4a75e1a63c Upstream: p->downstream_error instead of closing connection.
Previously, nginx closed client connection in cases when a response body
from upstream was needed to be cached or stored but shouldn't be sent to
the client.  While this is normal for HTTP, it is unacceptable for SPDY.

Fix is to use instead the p->downstream_error flag to prevent nginx from
sending anything downstream.  To make this work, the event pipe code was
modified to properly cache empty responses with the flag set.
2014-07-04 20:47:16 +04:00
Valentin Bartenev
3c2b5e88ab Upstream: fixed handling of write event after sending request.
The ngx_http_upstream_dummy_handler() must be set regardless of
the read event state.  This prevents possible additional call of
ngx_http_upstream_send_request_handler().
2014-07-01 20:52:08 +04:00
Valentin Bartenev
9f8785ae5e SSL: the "ssl_password_file" directive. 2014-06-16 19:43:25 +04:00
Maxim Dounin
9d4de05be4 Core: removed meaningless check from ngx_palloc_block().
The check became meaningless after refactoring in 2a92804f4109.
With the loop currently in place, "current" can't be NULL, hence
the check can be dropped.

Additionally, the local variable "current" was removed to
simplify code, and pool->current now used directly instead.

Found by Coverity (CID 714236).
2014-06-26 03:34:19 +04:00
Maxim Dounin
25250a20d2 Fixed wrong sizeof() in ngx_http_init_locations().
There is no real difference on all known platforms, but it's still wrong.

Found by Coverity (CID 400876).
2014-06-26 03:34:13 +04:00
Maxim Dounin
1a5cdafa82 Core: plugged socket leak during configuration test.
This isn't really important as configuration testing shortly ends with
a process termination which will free all sockets, though Coverity
complains.

Prodded by Coverity (CID 400872).
2014-06-26 03:34:05 +04:00
Maxim Dounin
46ac5c760c Upstream: cache revalidation using If-None-Match. 2014-06-26 02:35:01 +04:00
Maxim Dounin
b812961677 Cache: ETag now saved into cache header. 2014-06-26 02:28:23 +04:00
Maxim Dounin
c2e49a4196 Cache: version in cache files.
This allows to change the structure of cache files without spamming logs
with false alerts.
2014-06-26 02:27:21 +04:00
Maxim Dounin
8f9fb9570e Entity tags: explicit flag to skip not modified filter.
Previously, last_modified_time was tested against -1 to check if the
not modified filter should be skipped.  Notably, this prevented nginx
from additional If-Modified-Since (et al.) checks on proxied responses.
Such behaviour is suboptimal in some cases though, as checks are always
skipped on responses from a cache with ETag only (without Last-Modified),
resulting in If-None-Match being ignored in such cases.  Additionally,
it was not possible to return 412 from the If-Unmodified-Since if last
modification time was not known for some reason.

This change introduces explicit r->disable_not_modified flag instead,
which is set by ngx_http_upstream_process_headers().
2014-06-26 02:27:11 +04:00
Maxim Dounin
feb1649049 Entity tags: weak comparison for If-None-Match. 2014-06-26 02:21:20 +04:00
Maxim Dounin
def16742a1 Entity tags: downgrade strong etags to weak ones as needed.
See http://mailman.nginx.org/pipermail/nginx-devel/2013-November/004523.html.
2014-06-26 02:21:01 +04:00
Maxim Dounin
5d477a76fe Upstream: fixed cache revalidation with SSI.
Previous code in ngx_http_upstream_send_response() used last modified time
from r->headers_out.last_modified_time after the header filter chain was
already called.  At this point, last_modified_time may be already cleared,
e.g., with SSI, resulting in incorrect last modified time stored in a
cache file.  Fix is to introduce u->headers_in.last_modified_time instead.
2014-06-26 02:20:09 +04:00
Maxim Dounin
6c25c848cb Upstream: removed unused offset to content_length.
It's not needed since introduction of ngx_http_upstream_content_length()
in 103b0d9afe07.
2014-06-26 02:20:05 +04:00
Maxim Dounin
4e275cc73a Upstream: no need to clear r->headers_out.last_modified_time.
Clearing of the r->headers_out.last_modified_time field if a response
isn't cacheable in ngx_http_upstream_send_response() was introduced
in 3b6afa999c2f, the commit to enable not modified filter for cacheable
responses.  It doesn't make sense though, as at this point header was
already sent, and not modified filter was already executed.  Therefore,
the line was removed to simplify code.
2014-06-26 02:19:58 +04:00
Maxim Dounin
05dfc054f0 Not modified filter: debug log format fixed. 2014-06-26 02:19:55 +04:00
Ruslan Ermilov
02e39a3ecb Upstream: reduced diffs to the plus version of nginx.
No functional changes.
2014-06-20 12:55:41 +04:00
Sergey Kandaurov
80e5163f64 FreeBSD has migrated to Bugzilla. 2014-06-19 13:55:59 +04:00
Ruslan Ermilov
05d717b35d Core: added ngx_slab_calloc() and ngx_slab_calloc_locked().
These functions return zeroed memory, analogous to ngx_pcalloc().
2014-06-04 15:09:19 +04:00
Ruslan Ermilov
d1ba20d0c9 Version bump. 2014-06-18 13:39:20 +04:00
Ruslan Ermilov
20038acbfc Upstream: simplified some code that accesses peers.
No functional changes.
2014-06-12 21:13:24 +04:00
Piotr Sikora
a1a8defb49 Access log: fix default value, broken by cb308813b453.
log->filter ("if" parameter) was uninitialized when the default value
was being used, which would lead to a crash (SIGSEGV) when access_log
directive wasn't specified in the configuration.

Zero-fill the whole structure instead of zeroing fields one-by-one
in order to prevent similar issues in the future.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-03 10:53:48 -07:00
Maxim Dounin
afb4aafc6e Core: slab allocator free pages defragmentation.
Large allocations from a slab pool result in free page blocks being fragmented,
eventually leading to a situation when no further allocation larger than a page
size are possible from the pool.  While this isn't a problem for nginx itself,
it is known to be bad for various 3rd party modules.  Fix is to merge adjacent
blocks of free pages in the ngx_slab_free_pages() function.

Prodded by Wandenberg Peixoto and Yichun Zhang.
2014-06-03 17:53:03 +04:00
Roman Arutyunyan
9b5a17b5e2 Upstream: generic hash module. 2014-06-02 16:16:22 +04:00
Valentin Bartenev
68336e1ede SPDY: fixed operator precedence in uint16/uint32 write macros.
Since the type cast has precedence higher than the bit shift operator,
all values were truncated to 8 bits.

These macros are used to construct header block for SYN_REPLY frame on
platforms with strict alignment requirements.  As a result, any response
that contains a header with name or value longer than 255 bytes was
corrupted on such platforms.
2014-05-29 21:15:19 +04:00
Sergey Kandaurov
0750df4f16 Fixed config parsing of the last try_files parameter.
Do not taste the last parameter against directory, as otherwise it would
result in the trailing slash being cut from the parameter value.

Notably, this prevents an internal redirect to an empty URI
if the parameter is set to the literal slash:

    location / { try_files $uri /; }
2014-05-28 20:18:05 +04:00
Maxim Dounin
e9a70114a2 Configure: added -Wno-deprecated-declarations on OS X.
Previous workaround to avoid warnings on OS X due to deprecated system
OpenSSL library (introduced in a3870ea96ccd) no longer works, as
the MAC_OS_X_VERSION_MIN_REQUIRED macro is ignored on OS X 10.9
if a compiler used supports __attribute__(availability).
2014-05-28 17:41:44 +04:00
Maxim Dounin
ffe21776fa Version bump. 2014-05-28 17:41:33 +04:00
Maxim Dounin
e36718de4b Sub filter: fixed subrequests handling.
In particular, properly output partial match at the end of a subrequest
response (much like we do at the end of a response), and reset/set the
last_in_chain flag as appropriate.

Reported by KAWAHARA Masashi.
2014-05-27 16:37:35 +04:00
Vladimir Homutov
21655ae097 Syslog: fixed message sending on win32. 2014-05-27 15:42:34 +04:00
Vladimir Homutov
8e82f06d3e Syslog: fixed possible resource leak and more verbose logging.
Found by Coverity (CID 1215646).
2014-05-26 23:34:44 +04:00
Ruslan Ermilov
5c17030671 Events: use eventfd() instead of syscall(SYS_eventfd) if possible.
This fixes --with-file-aio support on systems that lack eventfd()
syscall, notably aarch64 Linux.

The syscall(SYS_eventfd) may still be necessary on systems that
have eventfd() syscall in the kernel but lack it in glibc, e.g.
as seen in the current CentOS 5 release.
2014-05-23 16:37:05 +04:00
Roman Arutyunyan
3e279a8eb4 Upstream: fix tries check in ip_hash.
Make two checks for maximum number of tries consistent.
The other one checks '>' condition.
2014-05-23 13:47:05 +04:00
Ruslan Ermilov
7808ac0d42 Mail: output client port number on client connects (ticket #531). 2014-05-22 00:16:17 +04:00
Ruslan Ermilov
056e88ea11 Core: output client port number when logging accept event. 2014-05-22 00:16:09 +04:00
Maxim Dounin
ca02a1020c Mail: added a check for the number of arguments in MAIL/RCPT.
Missed during introduction of the SMTP pipelining support (04e43d03e153,
1.5.6).  Previously, the check wasn't needed as s->buffer was used directly
and the number of arguments didn't matter.

Reported by Svyatoslav Nikolsky.
2014-05-21 21:56:20 +04:00
Vladimir Homutov
493b898ae9 Added syslog support for error_log and access_log directives. 2014-05-12 16:34:15 +04:00
Ruslan Ermilov
1736c180f4 Configure: the --build= option.
If set, its value is output in "nginx -v" and in the error log.
2014-05-20 16:10:07 +04:00
Sergey Budnevitch
27899a923a SSL: $ssl_client_fingerprint variable. 2014-05-20 14:03:03 +04:00
Maxim Dounin
84409ec8e0 Setting $args now invalidates unparsed uri.
Prodded by Yichun Zhang.
2014-05-19 22:45:35 +04:00
Maxim Dounin
4884cd611e Charset filter: fixed charset setting on encoded replies.
If response is gzipped we can't recode response, but in case it's not
needed we still can add charset to Content-Type.

The r->ignore_content_encoding is dropped accordingly, charset with gzip_static
now properly works without any special flags.
2014-05-19 22:45:34 +04:00
Maxim Dounin
ffba0eeefb Fixed alias in regex locations with limit_except/if.
The ngx_http_map_uri_to_path() function used clcf->regex to detect if
it's working within a location given by a regular expression and have
to replace full URI with alias (instead of a part matching the location
prefix).  This is incorrect due to clcf->regex being false in implicit
locations created by if and limit_except.

Fix is to preserve relevant information in clcf->alias instead, by setting
it to NGX_MAX_SIZE_T_VALUE if an alias was specified in a regex location.
2014-05-16 17:42:24 +04:00
Valentin Bartenev
a785be76f6 SPDY: added protection from overrun of the receive buffer. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
3f023a4193 SPDY: added a debug point to the state buffer overflow protection. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
57e5c3e86d SPDY: refactored ngx_http_spdy_state_headers().
This change is similar to d2ac5cf4056d.  Special flag of completeness looks
surplus when there is also a counter of frame bytes left.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
d04a714a6d SPDY: improved logging. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
d51d168066 SPDY: set log action for PROXY protocol only while parsing it.
Handling of PROXY protocol for SPDY connection is currently implemented as
a SPDY state.  And while nginx waiting for PROXY protocol data it continues
to process SPDY connection: initializes zlib context, sends control frames.
2014-05-15 19:22:06 +04:00
Valentin Bartenev
ef51079fe2 SPDY: ngx_http_spdy_state_headers() error handling cleanup.
- Specification-friendly handling of invalid header block or special headers.
   Such errors are not fatal for session and shouldn't lead to connection close;

 - Avoid mix of NGX_HTTP_PARSE_INVALID_REQUEST/NGX_HTTP_PARSE_INVALID_HEADER.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
cf770ddd82 SPDY: improved error handling of header block decompression.
Now cases when decompression failed due to internal error
and when a client sent corrupted data are distinguished.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
ba890408bd SPDY: removed ngx_http_spdy_state_headers_error().
The function just calls ngx_http_spdy_state_headers_skip() most of the time.
There was also an attempt of optimization to stop parsing if the client already
closed connection, but it looks strange and unfinished anyway.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
63ee690751 SPDY: prevented creation of RST_STREAM in protocol error state.
Previously, the frame wasn't sent anyway (and had a wrong status code).
2014-05-15 19:18:26 +04:00
Valentin Bartenev
dfb9a5cb0d SPDY: improved ngx_http_spdy_state_protocol_error().
Now ngx_http_spdy_state_protocol_error() is able to close stream,
so there is no need in a separate call for this.

Also fixed zero status code in logs for some cases.
2014-04-30 20:33:58 +04:00
Valentin Bartenev
d9c25cdf19 SPDY: fixed one case of improper memory allocation error handling.
Now ngx_http_spdy_construct_request_line() doesn't try to finalize request
in case of failed memory allocation.
2014-04-30 02:16:21 +04:00
Ruslan Ermilov
5a3d4410cc Style: use %N instead of '\n' where appropriate. 2014-05-14 22:26:30 +04:00
Ruslan Ermilov
9b92f59aef Core: use '\r' for CR and '\n' for LF definitions. 2014-05-14 22:26:05 +04:00
Filipe da Silva
e1a183946f OCSP stapling: missing OCSP request free call. 2014-04-29 22:22:38 +02:00
Maxim Dounin
094bfc6beb Upstream: restored workaround for "if".
The 7022564a9e0e changeset made ineffective workaround from 2464ccebdb52
to avoid NULL pointer dereference with "if".  It is now restored by
moving the u->ssl_name initialization after the check.

Found by Coverity (CID 1210408).
2014-04-30 19:16:55 +04:00
Maxim Dounin
aa28897b22 Core: improved ngx_conf_parse() error handling.
Previous code failed to properly restore cf->conf_file in case of
ngx_close_file() errors, potentially resulting in double free of
cf->conf_file->buffer->start.

Found by Coverity (CID 1087507).
2014-04-30 19:16:49 +04:00
Maxim Dounin
60169aa3a1 Core: fixed error handling in ngx_reopen_files().
Found by Coverity (CID 1087509).
2014-04-30 19:16:40 +04:00
Maxim Dounin
17dad56e4e Cache: added ngx_quit check to ngx_http_file_cache_expire().
While managing big caches it is possible that expiring old cache items
in ngx_http_file_cache_expire() will take a while.  Added a check for
ngx_quit / ngx_terminate to make sure cache manager can be terminated
while in ngx_http_file_cache_expire().
2014-04-30 19:16:35 +04:00
Vladimir Homutov
ed6780aaf1 Upstream: added the "$upstream_cookie_<name>" variables. 2014-04-29 12:28:41 +04:00
Valentin Bartenev
b53306815e Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
2013-11-18 03:06:45 +04:00
Valentin Bartenev
58e26b88b7 Version bump. 2014-04-24 20:50:10 +04:00
Maxim Dounin
6898a634d3 SSL: explicit handling of empty names.
X509_check_host() can't handle non null-terminated names with zero length,
so make sure to fail before calling it.
2014-04-23 20:31:31 +04:00
Ruslan Ermilov
e0e811d601 Upstream: for ssl name, non-aligned memory allocation is enough. 2014-04-22 18:56:49 +04:00
Maxim Dounin
0fd4f76e68 SSL: added explicit check for ngx_strlchr() result. 2014-04-22 14:02:45 +04:00
Valentin Bartenev
f79908af6e SPDY: avoid sending RST_STREAM on WINDOW_UPDATE with unknown SID.
There's a race condition between closing a stream by one endpoint
and sending a WINDOW_UPDATE frame by another.  So it would be better
to just skip such frames for unknown streams, like is already done
for the DATA frames.
2014-04-21 19:21:17 +04:00
Valentin Bartenev
a57959b6cd SPDY: Stream-ID restrictions according to specification. 2014-04-21 18:59:53 +04:00
Maxim Dounin
cae1bd3831 Upstream: uwsgi_ssl_name, uwsgi_ssl_verify, and so on.
Just a merge of proxy_ssl_name, proxy_ssl_verify commits into uwsgi module,
code is identical.
2014-04-18 20:13:32 +04:00
Maxim Dounin
27475dd7ee Upstream: proxy_ssl_verify and friends. 2014-04-18 20:13:30 +04:00
Maxim Dounin
59ef4a3417 Upstream: proxy_ssl_name and proxy_ssl_server_name directives.
These directives allow to switch on Server Name Indication (SNI) while
connecting to upstream servers.

By default, proxy_ssl_server_name is currently off (that is, no SNI) and
proxy_ssl_name is set to a host used in the proxy_pass directive.
2014-04-18 20:13:28 +04:00
Maxim Dounin
93eb94d622 Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.

In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
2014-04-18 20:13:24 +04:00
Maxim Dounin
6c9c973aa7 SSL: $ssl_server_name variable. 2014-04-18 20:13:21 +04:00
Maxim Dounin
583821c547 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. 2014-04-18 20:13:14 +04:00
Maxim Dounin
84785d8413 Version bump. 2014-04-18 20:12:53 +04:00
Sergey Kandaurov
7cf53e11f5 Access log: the "if" parameter of the "access_log" directive.
The parameter value specifies a condition under which the request is logged.
2014-04-15 21:32:56 +04:00
Valentin Bartenev
c69cabed1d SPDY: fixed typo in log message. 2014-04-16 11:40:42 +04:00
Valentin Bartenev
013449be01 Fixed missing "static" in declaration of ngx_http_gzip_quantity(). 2014-04-16 11:40:38 +04:00
Valentin Bartenev
7da40e6a99 SPDY: moved a variable initialization near to its check.
This should prevent attempts of using pointer before it was checked, since
all modern compilers are able to spot access to uninitialized variable.

No functional changes.
2014-04-09 18:15:32 +04:00
Valentin Bartenev
5d3f84e4e1 SPDY: fixed arguments supplied for an error message. 2014-04-08 20:12:30 +04:00
Valentin Bartenev
644a43ebd2 Version bump. 2014-04-08 20:11:31 +04:00
Valentin Bartenev
5cf11ab2e0 SPDY: avoid creating flush frames.
Previously, an empty frame object was created for an output chain that contains
only sync or flush empty buffers.  But since 39d7eef2e332 every DATA frame has
the flush flag set on its last buffer, so there's no need any more in additional
flush buffers in the output queue and they can be skipped.

Note that such flush frames caused an incorrect $body_bytes_sent value.
2014-04-07 23:35:33 +04:00
Valentin Bartenev
a547f4ac15 SPDY: consistently handle control frames with unknown type.
The SPDY draft 2 specification requires that if an endpoint receives a
control frame for a type it does not recognize, it must ignore the frame.
But the 3 and 3.1 drafts don't seem to declare any behavior for such case.
Then sticking with the previous draft in this matter looks to be right.

But previously, only 8 least significant bits of the type field were
parsed while the rest of 16 bits of the field were checked against zero.
Though there are no known frame types bigger than 255, this resulted in
inconsistency in handling of such frames: they were not recognized as
valid frames at all, and the connection was closed.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
108e4d94e4 SPDY: refactored ngx_http_spdy_state_read_data().
There's no more need in a separate indicator of frame completeness
after d74889fbf06d.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
b2cd520673 SPDY: better detect premature closing of stream.
Following a24f88eff684, now the case when the FIN flag is set in SYN_STREAM
is also covered.
2014-04-07 19:27:56 +04:00
Maxim Dounin
55bef30474 Win32: fixed shared ssl_session_cache (ticket #528).
In a worker process shm_zone->data was set to NULL instead of a proper value
extracted from shared memory.
2014-04-07 18:55:57 +04:00
Roman Arutyunyan
5147f8ee6a Mp4: allow end values bigger than track duration.
If start time is within the track but end time is out of it, error
"end time is out mp4 stts samples" is generated.  However it's
better to ignore the error and output the track until its end.
2014-04-01 20:53:18 +04:00
Maxim Dounin
2349a6747d Adjusted default value of types_hash_bucket_size (ticket #352).
The ngx_cacheline_size may be too low on some platforms, resulting
in unexpected hash build problems (as no collisions are tolerated due
to low bucket_size, and max_size isn't big enough to build a hash without
collisions).  These problems aren't fatal anymore but nevertheless
need to be addressed.
2014-03-31 22:47:42 +04:00
Maxim Dounin
8877284863 Core: fixed hash to actually try max_size.
Previously, maximum size of a hash table built was (max_size - 1).
2014-03-31 21:40:35 +04:00
Maxim Dounin
2a620ae109 Core: hash now ignores bucket_size if it hits max_size limit. 2014-03-31 21:40:31 +04:00
Maxim Dounin
23f6689846 Core: slab log_nomem flag.
The flag allows to suppress "ngx_slab_alloc() failed: no memory" messages
from a slab allocator, e.g., if an LRU expiration is used by a consumer
and allocation failures aren't fatal.

The flag is now used in the SSL session cache code, and in the limit_req
module.
2014-03-31 21:38:30 +04:00
Maxim Dounin
8f6958baa9 Win32: fixed cpu hog by cache manager on exit (ticket #514).
The "ngx_quit" may be reset by the worker thread before it's seen
by a ngx_cache_manager_thread(), resulting in an infinite loop.  Make
sure to test ngx_exiting as well.
2014-03-31 21:38:28 +04:00
Maxim Dounin
e042fc9038 Mail: fixed ngx_mail_send() (ticket #519). 2014-03-31 21:38:27 +04:00
Maxim Dounin
3183d7e17b Added #ifndef around NGX_HAVE_CASELESS_FILESYSTEM define.
This brings Cygwin compilation in line with other case-insensitive
systems (notably win32 and OS X) where one can force case sensitivity
using -DNGX_HAVE_CASELESS_FILESYSTEM=0.
2014-03-31 21:38:25 +04:00
Roman Arutyunyan
6f1763213b Mp4: improved logging after adding "end" support.
Despite introducing start and end crop operations existing log
messages still mostly refer only to start.  Logging is improved
to match both cases.

New debug logging is added to track entry count in atoms after
cropping.

Two format type mismatches are fixed as well.
2014-03-31 20:05:53 +04:00
Roman Arutyunyan
70e98eac3e Mp4: fixed seeking to a track end.
When "start" value is equal to a track duration the request
fails with "time is out mp4 stts" like it did before track
duration check was added.  Now such tracks are considered
short and skipped.
2014-03-31 19:52:17 +04:00
Valentin Bartenev
ac5a3cbeee SPDY: detect premature closing of stream.
The SPDY/3.1 specification requires that the server must respond with
a 400 "Bad request" error if the sum of the data frame payload lengths
does not equal the size of the Content-Length header.

This also fixes "zero size buf in output" alert, that might be triggered
if client sends a greater than zero Content-Length header and closes
stream using the FIN flag with an empty request body.
2014-03-28 20:22:57 +04:00
Valentin Bartenev
afb92a8127 SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.
2014-03-28 20:05:07 +04:00
Valentin Bartenev
de3c7a825e SPDY: better detect if headers block has wrong entries count.
Previously, only one case was checked: if there's more data to parse
in a r->header_in buffer, but the buffer can be filled to the end by
the last parsed entry, so we also need to check that there's no more
data to inflate.
2014-03-26 18:01:11 +04:00
Valentin Bartenev
042122a066 SPDY: detect premature end of frame while start parsing headers. 2014-03-26 17:43:39 +04:00
Piotr Sikora
ac1617915c Apply underscores_in_headers also to the first character.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-03-24 16:35:44 -07:00
Andrei Belov
b1597fe2ea Increased default value of variables_hash_max_size. 2014-03-25 18:49:28 +04:00
Sergey Kandaurov
2070abf516 Mp4: skipped empty stss atom table in output.
The atom may have no data entries after cropping.

This fixes "zero size buf in output" alerts.
2014-03-24 17:55:10 +04:00
Maxim Dounin
effbf466aa Range filter: single_range flag in request.
If set, it means that response body is going to be in more than one buffer,
hence only range requests with a single range should be honored.

The flag is now used by mp4 and cacheable upstream responses, thus allowing
range requests of mp4 files with start/end, as well as range processing
on a first request to a not-yet-cached files with proxy_cache.

Notably this makes it possible to play mp4 files (with proxy_cache, or with
mp4 module) on iOS devices, as byte-range support is required by Apple.
2014-03-21 19:33:21 +04:00
Roman Arutyunyan
c6ca135923 Mp4: added "end" argument support. 2014-03-20 16:05:19 +04:00
Roman Arutyunyan
7aa8c81002 Mp4: moved atom cropping code out of update functions.
It can now be reused for implementing mp4 end.
2014-03-20 16:05:18 +04:00
Maxim Dounin
ec1211d2f6 SPDY: improved ngx_http_spdy_state_save() again. 2014-03-19 19:30:09 +04:00
Maxim Dounin
898ca36c33 Macros used for initialization in ngx_http_core_init_main_conf(). 2014-03-19 12:57:40 +04:00
Maxim Dounin
062e7a0042 SPDY: improved ngx_http_spdy_state_save() check. 2014-03-19 12:57:39 +04:00
Maxim Dounin
a4d04f01fb SPDY: macro used for recv_buffer_size initialization. 2014-03-19 12:57:32 +04:00
Maxim Dounin
f9b027baab Version bump. 2014-03-18 22:05:05 +04:00
Maxim Dounin
c6c702c329 SPDY: always check size of data to be saved into state buffer. 2014-03-18 17:00:19 +04:00
Roman Arutyunyan
0b5f329784 Added server-side support for PROXY protocol v1 (ticket #355).
Client address specified in the PROXY protocol header is now
saved in the $proxy_protocol_addr variable and can be used in
the realip module.

This is currently not implemented for mail.
2014-03-17 17:41:24 +04:00
Maxim Dounin
2f917b6d06 FastCGI: f->split_parts reset on request start.
Additionally, make sure to check for errors from ngx_http_parse_header_line()
call after joining saved parts.  There shouldn't be any errors, though
check may help to catch bugs like missing f->split_parts reset.

Reported by Lucas Molas.
2014-03-17 15:34:36 +04:00
Maxim Dounin
8800f0c42b Core: fixed wrong indices in listening sockets compare loops.
Proper use is "ls[i]" and "nls[n]".  Previous code used it wrong in
several places, likely due to cut-n-paste errors.
2014-03-07 15:17:38 +04:00
Sergey Kandaurov
f9e7687e55 Added connection serial number in logging of left open sockets. 2014-03-06 23:15:10 +04:00
Sergey Kandaurov
bd3516e8d9 Fixed format specifier in logging of "c->number". 2014-03-06 18:25:59 +04:00
Roman Arutyunyan
a35c675e71 Version bump. 2014-03-04 23:38:31 +04:00
Valentin Bartenev
0c05e5b55f SPDY: fixed potential integer overflow while parsing headers.
Previously r->header_size was used to store length for a part of
value that represents an individual already parsed HTTP header,
while r->header_end pointed to the end of the whole value.

Instead of storing length of a following name or value as pointer
to a potential end address (r->header_name_end and r->header_end)
that might be overflowed, now r->lowercase_index counter is used
to store remaining length of a following unparsed field.

It also fixes incorrect $body_bytes_sent value if a request is
closed while parsing of the request header.  Since r->header_size
is intended for counting header size, thus abusing it for header
parsing purpose was certainly a bad idea.
2014-03-03 19:24:55 +04:00
Valentin Bartenev
3925c1b110 SPDY: constant number of preallocated structures for headers. 2014-03-03 19:24:54 +04:00
Maxim Dounin
a2a26a7ce1 Request body: avoid potential overflow. 2014-03-03 17:39:53 +04:00
Valentin Bartenev
2c0defac9b Gzip static: fixed NGX_CONF_FLAG misuse. 2014-03-03 17:17:25 +04:00
Maxim Dounin
96af3e9dfb Disabled redirects to named locations if URI is not set.
If something like "error_page 400 @name" is used in a configuration,
a request could be passed to a named location without URI set, and this
in turn might result in segmentation faults or other bad effects
as most of the code assumes URI is set.

With this change nginx will catch such configuration problems in
ngx_http_named_location() and will stop request processing if URI
is not set, returning 500.
2014-02-27 20:36:35 +04:00
Ruslan Ermilov
8aa8365121 Core: allocate enough memory to hold IPv6 text address plus port. 2014-02-22 12:08:31 +04:00
Ruslan Ermilov
9ae40c5b54 Resolver: properly handle connect() failures.
If initial attempt to connect() the UDP socket failed, e.g.
due to network unreachable, no further attempts were made.
2014-02-20 17:27:09 +04:00
Konstantin Pavlov
c539aaf352 Upstream: fixed error message wording. 2014-02-20 13:48:40 +04:00
Ruslan Ermilov
3da53f339d Access: supplemented the obfuscated code with a comment. 2014-02-19 21:45:27 +04:00
Maxim Dounin
5ec277847e Upstream: ngx_post_event() instead of upgraded call (ticket #503).
If a request is finalized in the first call to the
ngx_http_upstream_process_upgraded() function, e.g., because upstream
server closed the connection for some reason, in the second call
the u->peer.connection pointer will be null, resulting in segmentation
fault.

Fix is to avoid second direct call, and post event instead.  This ensures
that ngx_http_upstream_process_upgraded() won't be called again if
a request is finalized.
2014-02-18 17:30:40 +04:00
Roman Arutyunyan
1dc1b0785b Mp4: remove useless leading stsc entry in result mp4.
The fix removes useless stsc entry in result mp4.
If start_sample == n then current stsc entry should be skipped
and the result stsc should start with the next entry.
The reason for that is start_sample starts from 0, not 1.
2014-02-14 15:14:48 +04:00
Maxim Dounin
8f8bf842bc Win32: MSVC 2013 compatibility.
Warnings about GetVersionEx() deprecation silenced.  Precompiled object
linked in.
2014-02-13 16:54:00 +04:00
Valentin Bartenev
b20af091b7 SPDY: fixed reversed priority order in window waiting queue. 2014-02-12 21:02:29 +04:00
Piotr Sikora
60d508ceb9 Upstream: fix $upstream_status variable.
Previously, upstream's status code was overwritten with
cached response's status code when STALE or REVALIDATED
response was sent to the client.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-11 21:54:42 -08:00
Xiaochen Wang
cd358e5a95 SPDY: fixed parsing of http version.
There is an error while parsing multi-digit minor version numbers (e.g.
"HTTP/1.10").
2014-02-11 20:54:16 +08:00
Maxim Dounin
381d507467 SSL: the $ssl_session_reused variable. 2014-02-11 19:20:25 +04:00
Ruslan Ermilov
42c049bd2d Range filter: fixed duplicate charset.
If a proxied response had charset in Content-Type, the
charset was duplicated in a response to client request
with byte ranges.
2014-02-04 17:13:35 +04:00
Piotr Sikora
ab3c0f9250 Use ngx_socket_errno where appropriate.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-03 14:17:17 -08:00
Maxim Dounin
07aef702ee Version bump. 2014-02-05 18:51:30 +04:00
Shigeki Ohtsu
38a9a8968d SPDY: fixed parsing of the priority field.
The size of the priority field is increased by one bit in spdy/3,
and now it's a 3-bit field followed by 5 bits of unused space.
But a shift of these bits hasn't been adjusted in 39d7eef2e332
accordingly.
2014-02-04 14:06:23 +09:00
Maxim Dounin
7ac48da41d Core: added ngx_encode_base64url(). 2014-02-04 04:59:21 +04:00
Piotr Sikora
2e57e0609b Core: handle getsockopt(TCP_FASTOPEN) failures.
Linux returns EOPNOTSUPP for non-TCP sockets and ENOPROTOOPT for TCP
sockets, because getsockopt(TCP_FASTOPEN) is not implemented so far.

While there, lower the log level from ALERT to NOTICE to match other
getsockopt() failures.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-30 14:58:21 -08:00
Valentin Bartenev
449e8eeb53 SPDY: protocol implementation switched to spdy/3.1. 2014-01-31 19:17:26 +04:00
Vladimir Homutov
8d97a2e4d7 Fixed false compiler warning.
Newer gcc versions (4.7+) report possible use of uninitialized variable if
nginx is being compiled with -O3.
2014-01-31 14:18:52 +04:00
Ruslan Ermilov
c6d7db2500 Fixed a compile warning introduced by 01e2a5bcdd8f.
On systems with OpenSSL that has NPN support but lacks
ALPN support, some compilers emitted a warning about
possibly uninitialized "data" variable.
2014-01-30 19:13:12 +04:00
Ruslan Ermilov
8d288ec49a Proxy: fixed upstream search by proxy_pass with variables.
If "proxy_pass" is specified with variables, the resulting
hostname is looked up in the list of upstreams defined in
configuration.  The search was case-sensitive, as opposed
to the case of "proxy_pass" specified without variables.
2014-01-30 18:57:11 +04:00
Piotr Sikora
4ae889c9f2 SSL: support ALPN (IETF's successor to NPN).
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-28 15:33:49 -08:00
Roman Arutyunyan
d3e0bf306b Mp4: fix seeks to standalone last chunk.
If seek position is within the last track chunk
and that chunk is standalone (stsc entry describes only
this chunk) such seek generates stsc seek error. The
problem is that chunk numbers start with 1, not with 0.
2014-01-29 13:44:15 +04:00
Roman Arutyunyan
88f9b411f0 Mp4: skip tracks shorter than seek position (ticket #414).
Mp4 module does not check movie and track durations when reading
file.  Instead it generates errors when track metadata is shorter
than seek position.  Now such tracks are skipped and movie duration
check is performed at file read stage.
2014-01-29 13:33:45 +04:00
Roman Arutyunyan
870733ebd6 Mp4: fix seeks after the last key frame.
Mp4 module does not allow seeks after the last key frame.  Since
stss atom only contains key frames it's usually shorter than
other track atoms.  That leads to stss seek error when seek
position is close to the end of file.  The fix outputs empty
stss frame instead of generating error.
2014-01-29 13:30:36 +04:00
Maxim Dounin
c94c24b177 Fixed TCP_DEFER_ACCEPT handling (ticket #353).
Backed out 05a56ebb084a, as it turns out that kernel can return connections
without any delay if syncookies are used.  This basically means we can't
assume anything about connections returned with deferred accept set.

To solve original problem the 05a56ebb084a tried to solve, i.e. to don't
wait longer than needed if a connection was accepted after deferred accept
timeout, this patch changes a timeout set with setsockopt(TCP_DEFER_ACCEPT)
to 1 second, unconditionally.  This is believed to be enough for speed
improvements, and doesn't imply major changes to timeouts used.

Note that before 2.6.32 connections were dropped after a timeout.  Though
it is believed that 1s is still appropriate for kernels before 2.6.32,
as previously tcp_synack_retries controlled the actual timeout and 1s results
in more than 1 minute actual timeout by default.
2014-01-28 15:40:46 +04:00
Maxim Dounin
1631393f94 SSI: fixed $date_local and $date_gmt without SSI (ticket #230).
If there is no SSI context in a given request at a given time,
the $date_local and $date_gmt variables used "%s" format, instead
of "%A, %d-%b-%Y %H:%M:%S %Z" documented as the default and used
if there is SSI module context and timefmt wasn't modified using
the "config" SSI command.

While use of these variables outside of the SSI evaluation isn't strictly
valid, previous behaviour is certainly inconsistent, hence the fix.
2014-01-28 15:40:45 +04:00
Tatsuhiko Kubo
135dc712c0 Typo fixed. 2014-01-23 22:09:59 +09:00
Maxim Dounin
1ebb44e3e3 SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Even during execution of a request it is possible that there will be
no session available, notably in case of renegotiation.  As a result
logging of $ssl_session_id in some cases caused NULL pointer dereference
after revision 97e3769637a7 (1.5.9).  The check added returns an empty
string if there is no session available.
2014-01-23 18:32:26 +04:00
Maxim Dounin
bb40c4ed2f Version bump. 2014-01-23 18:32:25 +04:00
Maxim Dounin
c74e23ba3a Upstream: reading from a client after connection upgrade.
Read event on a client connection might have been disabled during
previous processing, and we at least need to handle events.  Calling
ngx_http_upstream_process_upgraded() is a simpliest way to do it.

Notably this change is needed for select, poll and /dev/poll event
methods.

Previous version of this patch was posted here:
http://mailman.nginx.org/pipermail/nginx/2014-January/041839.html
2014-01-22 16:05:07 +04:00
Maxim Dounin
096bcd03c3 SSL: fixed $ssl_session_id variable.
Previously, it used to contain full session serialized instead of just
a session id, making it almost impossible to use the variable in a safe
way.

Thanks to Ivan Ristić.
2014-01-22 16:05:06 +04:00
Valentin Bartenev
abcbe54219 SPDY: use ngx_queue_t to queue streams for post processing.
It simplifies the code and allows easy reuse the same queue pointer to store
streams in various queues with different requirements.  Future implementation
of SPDY/3.1 will take advantage of this quality.
2014-01-20 20:56:49 +04:00
Valentin Bartenev
3ddf9ccfce SPDY: store the length of frame instead of its whole size.
The "length" value better corresponds with the specification and reduces
confusion about whether frame's header is included in "size" or not.

Also this change simplifies some parts of code, since in more cases the
length of frame is more useful than its actual size, especially considering
that the size of frame header is constant.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
e62156d829 SPDY: use frame->next pointer to chain free frames.
There is no need in separate "free" pointer and like it is for ngx_chain_t
the "next" pointer can be used.  But after this change successfully handled
frame should not be accessed, so the frame handling cycle was improved to
store pointer to the next frame before processing.

Also worth noting that initializing "free" pointer to NULL in the original
code was surplus.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
650984cd20 SPDY: proper handling of all RST_STREAM statuses.
Previously, only stream CANCEL and INTERNAL_ERROR were handled right.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
d055f74178 SPDY: removed state to check first SETTINGS frame.
That code was based on misunderstanding of spdy specification about
configuration applicability in the SETTINGS frames.  The original
interpretation was that configuration is assigned for the whole
SPDY connection, while it is only for the endpoint.

Moreover, the strange thing is that specification forbids multiple
entries in the SETTINGS frame with the same ID even if flags are
different.  As a result, Chrome sends two SETTINGS frames: one with
its own configuration, and another one with configuration stored
for a server (when the FLAG_SETTINGS_PERSIST_VALUE flags were used
by the server).

To simplify implementation we refuse to use the persistent settings
feature and thereby avoid all the complexity related with its proper
support.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
406c0613f5 SPDY: better name for frame entries counter.
The "headers" is not a good term, since it is used not only to count
name/value pairs in the HEADERS block but to count SETTINGS entries too.

Moreover, one name/value pair in HEADERS can contain multiple http headers
with the same name.

No functional changes.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
32bb39c48f SPDY: fixed possible segfault.
While processing a DATA frame, the link to related stream is stored in spdy
connection object as part of connection state.  But this stream can be closed
between receiving parts of the frame.
2014-01-22 04:58:19 +04:00
Ruslan Ermilov
8b7fe56e95 Mail: fixed passing of IPv6 client address in XCLIENT. 2014-01-17 22:06:04 +04:00
Maxim Dounin
0bfb68eea0 Core: improved ngx_reset_pool() (ticket #490).
Previously pool->current wasn't moved back to pool, resulting in blocks
not used for further allocations if pool->current was already moved at the
time of ngx_reset_pool().  Additionally, to preserve logic of moving
pool->current, the p->d.failed counters are now properly cleared.  While
here, pool->chain is also cleared.

This change is essentially a nop with current code, but generally improves
things.
2014-01-17 06:24:53 +04:00
Valentin Bartenev
1ef5553644 SPDY: send output queue after processing of read event.
During the processing of input some control frames can be added to the queue.
And if there were no writing streams at the moment, these control frames might
be left unsent for a long time (or even forever).

This long delay is especially critical for PING replies since a client can
consider connection as broken and then resend exactly the same request over
a new connection, which is not safe in case of non-idempotent HTTP methods.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
82a1ff31f9 SPDY: the SETTINGS frame should be allocated from sc->pool.
There is no reason to allocate it from connection pool that more like just
a bug especially since ngx_http_spdy_settings_frame_handler() already uses
sc->pool to free a chain.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
b2b43ca50f SPDY: fixed possible uninitialized memory access.
The frame->stream pointer should always be initialized for control frames since
the check against it can be performed in ngx_http_spdy_filter_cleanup().
2014-01-15 17:16:38 +04:00
Valentin Bartenev
d143119e3c SPDY: fixed off_t/size_t type conversions on 32 bits platforms.
Parameters of ngx_http_spdy_filter_get_shadow() are changed from size_t to off_t
since the last call of the function may get size and offset from the rest of a
file buffer.  This fixes possible data loss rightfully complained by MSVC on 32
bits systems where off_t is 8 bytes long while size_t is only 4 bytes.

The other two type casts are needed just to suppress warnings about possible
data loss also complained by MSVC but false positive in these cases.
2014-01-15 13:23:31 +04:00
Valentin Bartenev
70c010167f SPDY: fixed build, broken by b7ee1bae0ffa.
False positive warning about the "cl" variable may be uninitialized in
the ngx_http_spdy_filter_get_data_frame() call was suppressed.

It is always initialized either in the "while" cycle or in the following
"if" condition since frame_size cannot be zero.
2014-01-15 01:44:52 +04:00
Valentin Bartenev
8323f317f6 SPDY: added the "spdy_chunk_size" directive. 2014-01-14 16:24:45 +04:00
Valentin Bartenev
b60700f9e9 SPDY: implemented buffers chain splitting.
It fixes "chain too big in spdy filter" alerts, and adds full support for rate
limiting of SPDY streams.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
8c01a95d98 SPDY: body filter was replaced by c->send_chain() function.
It allows to use ngx_http_write_filter() and all its rate limiting logic.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
3d5f501adc SPDY: fixed possible premature close of stream.
The "delayed" flag always should be set if there are unsent frames,
but this might not be the case if ngx_http_spdy_body_filter() was
called with NULL chain.

As a result, the "send_timeout" timer could be set on a stream in
ngx_http_writer().  And if the timeout occurred before all the stream
data has been sent, then the request was finalized with the "client
timed out" error.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
1c56e18733 SPDY: refactored ngx_http_spdy_body_filter().
A local pointer to fake connection is introduced
to slightly reduce further patches.

No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
ac8bb7a9e5 SPDY: elimination of r->blocked counter usage for queuing frames.
It was used to prevent destroying of request object when there are unsent
frames in queue for the stream.  Since it was incremented for each frame
and is only 8 bits long, so it was not very hard to overflow the counter.

Now the stream->queued counter is checked instead.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
6ddb578b22 SPDY: better name for flag that indicates incomplete frame state.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
00944562ac SPDY: better name for queued frames counter.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
df1d8f78ac SPDY: fixed format specifiers in logging. 2014-01-14 16:24:45 +04:00
Yichun Zhang
2e2c9dba16 Resolver: added support for domain names with a trailing dot. 2014-01-10 11:22:14 -08:00
Maxim Dounin
70b48a491a SSL: fixed ssl_verify_depth to take only one argument. 2014-01-14 15:56:40 +04:00
Dirkjan Bussink
58a240d773 SSL: ssl_session_tickets directive.
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.

If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
2014-01-10 16:12:40 +01:00
Maxim Dounin
8f702a573a Fixed "zero size buf in output" alerts.
If a request had an empty request body (with Content-Length: 0), and there
were preread data available (e.g., due to a pipelined request in the buffer),
the "zero size buf in output" alert might be logged while proxying the
request to an upstream.

Similar alerts appeared with client_body_in_file_only if a request had an
empty request body.
2014-01-04 03:32:22 +04:00
Maxim Dounin
eb60e1e26d Win32: support for UTF-16 surrogate pairs (ticket #457). 2014-01-04 03:32:15 +04:00
Maxim Dounin
def37d254a Upstream: Cache-Control preferred over Expires.
Not really a strict check (as X-Accel-Expires might be ignored or
contain invalid value), but quite simple to implement and better
than what we have now.
2014-01-04 03:32:10 +04:00
Maxim Dounin
1029607ac9 Added per-process random seeding (ticket #456). 2014-01-04 03:32:06 +04:00
Maxim Dounin
9a72030c25 Allowed up to two EBUSY errors from sendfile().
Fallback to synchronous sendfile() now only done on 3rd EBUSY without
any progress in a row.  Not falling back is believed to be better
in case of occasional EBUSY, though protection is still needed to
make sure there will be no infinite loop.
2014-01-04 03:31:58 +04:00
Ruslan Ermilov
2539ce036f Fixed setting of content type in some cases.
This fixes content type set in stub_status and autoindex responses
to be usable in content type checks made by filter modules, such
as charset and sub filters.
2013-12-27 19:40:04 +04:00
Valentin Bartenev
2b1156d101 Style: removed surplus semicolons. 2013-12-27 18:47:42 +04:00
Valentin Bartenev
aa22dc707b SPDY: a bit smarter ngx_http_spdy_filter_get_data_frame().
There is no need to pass FLAG_FIN as a separate argument since it can always be
detected from the last_buf flag of the last frame buffer.

No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
df49024997 SPDY: refactored loop in ngx_http_spdy_body_filter().
No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
75dad742e5 SPDY: fixed possible request hang.
Processing events from upstream connection can result in sending queued frames
from other streams.  In this case such streams were not added to handling queue
and properly handled.

A global per connection flag was replaced by a per stream flag that indicates
currently sending stream while all other streams can be added to handling
queue.
2013-12-26 17:03:16 +04:00
Ruslan Ermilov
9b4a99cf5d Dav: emit a warning about unsafe URI. 2013-12-23 18:12:03 +04:00
Ruslan Ermilov
f7ff5e65d0 Teach ngx_http_parse_unsafe_uri() how to unescape URIs.
This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316),
SSI (ticket #240), and DAV.
2013-12-23 18:12:00 +04:00
Ruslan Ermilov
336bcb22d1 Detect more unsafe URIs in ngx_http_parse_unsafe_uri().
The following URIs were considered safe: "..", "../foo", and "/foo/..".
2013-12-23 18:11:56 +04:00
Ruslan Ermilov
3f36c684a1 Upstream: keep $upstream_http_x_accel_redirect intact.
When processing the X-Accel-Redirect header, the value of the
$upstream_http_x_accel_redirect variable was also overwritten.
2013-12-23 18:11:46 +04:00
Ruslan Ermilov
bf800822df Fixed the first argument to getsockopt().
While here, always initialize the last argument.
2013-12-19 13:43:18 +04:00
Maxim Dounin
37b7de6df7 SSL: ssl_buffer_size directive. 2013-12-20 16:18:25 +04:00
Vladimir Homutov
c7a0b04665 Upstream: simplified peer selection loop in the "ip_hash" module.
Conditions for skipping ineligible peers are rewritten to make adding of new
conditions simpler and be in line with the "round_robin" and "least_conn"
modules.  No functional changes.
2013-12-09 13:43:27 +04:00
Ruslan Ermilov
85e6d211d0 Resolver: use minimum TTL for caching (ticket #329). 2013-12-16 19:12:23 +04:00
Valentin Bartenev
c8f3f9fa12 SPDY: use predefined constant for size of the Stream-ID field.
No functional changes.
2013-12-18 18:39:29 +04:00
Valentin Bartenev
bf3ff5bca7 Version bump. 2013-12-18 18:37:48 +04:00
Ruslan Ermilov
3fd727566a Resolver: lookups are case-insensitive. 2013-12-13 20:49:52 +04:00
Ruslan Ermilov
e0caf51711 The "ipv6=" boolean parameter of the "resolver" directive.
When set to "off", only IPv4 addresses will be resolved,
and no AAAA queries are ever sent.
2013-12-09 10:53:30 +04:00
Ruslan Ermilov
769eded732 Resolver: implemented IPv6 name to address resolving. 2013-12-09 10:53:28 +04:00
Ruslan Ermilov
809bee30b7 Resolver: implemented IPv6 address to name resolving. 2013-12-06 14:30:28 +04:00
Ruslan Ermilov
3aeefbcaea Changed resolver API to use ngx_addr_t. 2013-12-06 14:30:27 +04:00
Ruslan Ermilov
552e15ba1c Resolver: fixed indentation. 2013-12-13 19:22:44 +04:00
Ruslan Ermilov
efd0e0e177 Core: externalized ngx_cmp_sockaddr().
It's also extended with the "cmp_port" argument to indicate
whether ports should be compared as well, or only addresses.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
159486239f Resolver: fixes in PTR processing.
Verify that class of RR is "IN".
Verify that RR data length is non-zero.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
f57350cd86 Resolver: fixes in A processing.
Verify that class of RR is "IN".
Verify that RR data length is exactly four octets.
Correctly shift to the next RR if RR type is unknown.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
f3a271f3fd Resolver: fixed response processing.
Stricten response header checks: ensure that reserved bits are zeroes,
and that the opcode is "standard query".

Fixed the "zero-length domain name in DNS response" condition.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
23071835a3 Resolver: removed unnecessary casts. 2013-12-06 14:30:27 +04:00
Ruslan Ermilov
3d245d4792 Resolver: improved code readability.
Renamed ngx_resolver_query_t to ngx_resolver_hdr_t as it describes
the header that is common to DNS queries and answers.

Replaced the magic number 12 by the size of the header structure.

The other changes are self-explanatory.
2013-12-06 14:30:27 +04:00
Maxim Dounin
0c585adfd4 Trailing whitespace fix. 2013-12-12 20:28:48 +04:00
Valentin Bartenev
2576530c51 Use ngx_chain_get_free_buf() in pipe input filters.
No functional changes.
2013-12-11 21:30:38 +04:00
Valentin Bartenev
7f54528ca0 SPDY: drop the "delayed" flag when finalizing connection.
This flag in SPDY fake write events serves the same purposes as the "ready"
flag in real events, and it must be dropped if request needs to be handled.
Otherwise, it can prevent the request from finalization if ngx_http_writer()
was set, which results in a connection leak.

Found by Xiaochen Wang.
2013-12-10 20:27:33 +04:00
Ruslan Ermilov
fa512fdb76 Fixed handling of UNIX-domain sockets.
When evaluating $local_port, $server_port, and $server_addr,
UNIX-domain sockets were mistakenly interpreted as IPv4 sockets.
2013-12-09 10:16:44 +04:00
Ruslan Ermilov
675e73e3bd Core: keep the length of the local sockaddr. 2013-12-09 10:14:51 +04:00
Piotr Sikora
19f475276d Fixed incorrect ngx_str_set() usage, broken in c82b2e020b9f.
Found by Coverity Scan CID 1135525.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-12-06 16:00:49 -08:00
Maxim Dounin
67b0d16546 Fixed build without SSL, broken by c82b2e020b9f. 2013-12-04 23:13:13 +04:00
Maxim Dounin
24e1db93a8 SSL support in the uwsgi module.
Based on patch by Roberto De Ioris.
2013-12-04 23:01:27 +04:00
Mathew Rodley
84f5c2136e Added support for TCP_FASTOPEN supported in Linux >= 3.7.1.
---
 auto/unix                       | 12 ++++++++++++
 src/core/ngx_connection.c       | 32 ++++++++++++++++++++++++++++++++
 src/core/ngx_connection.h       |  4 ++++
 src/http/ngx_http.c             |  4 ++++
 src/http/ngx_http_core_module.c | 21 +++++++++++++++++++++
 src/http/ngx_http_core_module.h |  3 +++
 6 files changed, 76 insertions(+)
2013-12-03 22:07:03 +04:00