Commit Graph

5502 Commits

Author SHA1 Message Date
Maxim Dounin
4fec72dc8c Fixed segfault with try_files introduced by c985d90a8d1f.
If alias was used in a location given by a regular expression,
nginx used to do wrong thing in try_files if a location name (i.e.,
regular expression) was an exact prefix of URI.  The following
configuration triggered a segmentation fault on a request to "/mail":

    location ~ /mail {
        alias /path/to/directory;
        try_files $uri =404;
    }

Reported by Per Hansson.
2015-08-16 10:51:16 +03:00
Sergey Kandaurov
b7da4f5962 Core: fixed potential division by zero when initializing hash.
Found by Clang Static Analyzer.
2015-08-13 16:27:17 +03:00
Sergey Kandaurov
e161b6a46f Core: fixed style in the error message. 2015-08-13 16:27:13 +03:00
Vladimir Homutov
f2d31f8291 Stream: fixed potential error log buffer overrun.
Found by Duan Jiong <djduanjiong@gmail.com>.
2015-08-13 15:55:21 +03:00
Vladimir Homutov
75dcdc2269 Style. 2015-08-12 12:56:59 +03:00
Vladimir Homutov
b537def75e Stream: the "tcp_nodelay" directive. 2015-08-10 12:14:41 +03:00
Valentin Bartenev
50ff8b3c3a Core: idle connections now closed only once on exiting.
Iterating through all connections takes a lot of CPU time, especially
with large number of worker connections configured.  As a result
nginx processes used to consume CPU time during graceful shutdown.
To mitigate this we now only do a full scan for idle connections when
shutdown signal is received.

Transitions of connections to idle ones are now expected to be
avoided if the ngx_exiting flag is set.  The upstream keepalive module
was modified to follow this.
2015-08-11 16:28:55 +03:00
Andrei Belov
9500e19919 Fixed typo in the error message. 2015-08-11 10:28:00 +03:00
Gena Makhomed
97741382b6 Workaround for "configuration file test failed" under OpenVZ.
If nginx was used under OpenVZ and a container with nginx was suspended
and resumed, configuration tests started to fail because of EADDRINUSE
returned from listen() instead of bind():

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
nginx: configuration file /etc/nginx/nginx.conf test failed

With this change EADDRINUSE errors returned by listen() are handled
similarly to errors returned by bind(), and configuration tests work
fine in the same environment:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

More details about OpenVZ suspend/resume bug:
https://bugzilla.openvz.org/show_bug.cgi?id=2470
2015-07-23 14:00:03 -04:00
Roman Arutyunyan
29cebe5d63 Stream: deprecated proxy_downstream_buffer, proxy_upstream_buffer.
The directive proxy_buffer_size should be used instead.
2015-07-30 16:43:48 -07:00
Roman Arutyunyan
96507dabcc Style. 2015-07-29 14:36:36 -07:00
Roman Arutyunyan
3c8aaf830f Stream: added proxy_buffer_size to set the size of data buffers.
Both download and upload buffers now have the same size.  The old directives
proxy_downstream_buffer and proxy_upstream_buffer are removed.
2015-07-29 13:46:26 -07:00
Ruslan Ermilov
6dc03bf1a4 Fixed strict aliasing warnings with old GCC versions. 2015-07-16 14:20:48 +03:00
Maxim Dounin
3cc6000879 Version bump. 2015-07-15 22:56:03 +03:00
Roman Arutyunyan
f1dbcf61a2 Stream: renamed rate limiting directives.
The directive proxy_downstream_limit_rate is now called proxy_upload_rate.
The directive proxy_upstream_limit_rate is now called proxy_download_rate.
2015-07-14 09:38:13 -07:00
Maxim Dounin
3ac176fb86 OCSP stapling: fixed segfault without nextUpdate.
OCSP responses may contain no nextUpdate.  As per RFC 6960, this means
that nextUpdate checks should be bypassed.  Handle this gracefully by
using NGX_MAX_TIME_T_VALUE as "valid" in such a case.

The problem was introduced by 6893a1007a7c (1.9.2).

Reported by Matthew Baldwin.
2015-07-14 01:10:25 +03:00
Maxim Dounin
573810ce36 OCSP stapling: fixed ssl_stapling_file (ticket #769).
Broken by 6893a1007a7c (1.9.2) during introduction of strict OCSP response
validity checks.  As stapling file is expected to be returned unconditionally,
fix is to set its validity to the maximum supported time.

Reported by Faidon Liambotis.
2015-07-07 16:38:49 +03:00
Valentin Bartenev
cd17f869cf Stream: fixed possible integer overflow in rate limiting. 2015-07-02 17:20:29 +03:00
Roman Arutyunyan
035732696d Stream: fixed MSVC compilation warning.
Thanks to itpp2012.
2015-07-02 17:15:32 +03:00
Roman Arutyunyan
f81ae4e392 Stream: upstream "connected" flag.
Once upstream is connected, the upstream buffer is allocated.  Previously, the
proxy module used the buffer allocation status to check if upstream is
connected.  Now it's enough to check the flag.
2015-06-25 12:36:52 +03:00
Roman Arutyunyan
74942045d5 Stream: upstream and downstream limit rates. 2015-06-23 20:17:48 +03:00
Roman Arutyunyan
62959c9133 Stream: common handler for upstream and downstream. 2015-06-23 20:17:47 +03:00
Piotr Sikora
130396928a Stream: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2015-06-18 03:36:41 -07:00
Ruslan Ermilov
1e94ab0db0 Upstream: fixed shared upstreams on win32. 2015-06-16 00:43:00 +03:00
Vladimir Homutov
14ff3d4f87 Stream: connection limiting module.
stream {
    limit_conn_zone $binary_remote_addr zone=perip:1m;
    limit_conn_log_level error;

    server {
        ...
        limit_conn perip 1;
    }
}
2015-06-18 14:17:30 +03:00
Sergey Kandaurov
f470cd2b89 Resolver: canceled resend timer on empty resend queues.
This is specifically useful on graceful shutdown.
2015-06-17 17:57:34 +03:00
Vladimir Homutov
b7a8f2a08f Disabled duplicate http, mail, and stream blocks.
Such configurations have very limited use, introduce various problems and
are not officially supported.
2015-06-16 23:28:38 +03:00
Vladimir Homutov
9efe6c2243 Version bump. 2015-06-16 23:31:31 +03:00
Vladimir Homutov
4e83d3f7b5 Core: store and dump processed configuration.
If the -T option is passed, additionally to configuration test, configuration
files are output to stdout.

In the debug mode, configuration files are kept in memory and can be accessed
using a debugger.
2015-05-14 18:54:27 +03:00
Vladimir Homutov
42c32b733b Core: added support for writing to stdout. 2015-06-16 15:47:40 +03:00
Roman Arutyunyan
4404c3fd6d Core: renamed ngx_proxy_protocol_parse to ngx_proxy_protocol_read.
The new name is consistent with the ngx_proxy_protocol_write function.
2015-06-16 13:45:19 +03:00
Roman Arutyunyan
3ed1b3b5b0 Stream: client-side PROXY protocol.
The new directive "proxy_protocol" toggles sending out PROXY protocol header
to upstream once connection is established.
2015-06-16 13:45:16 +03:00
Vladimir Homutov
f50f83a2cf Stream: the "proxy_bind" directive. 2015-06-16 09:02:45 +03:00
Maxim Dounin
cb3dcbb81e OCSP stapling: avoid sending expired responses (ticket #425). 2015-06-11 20:42:39 +03:00
Maxim Dounin
9984f3053f Moved ngx_http_parse_time() to core, renamed accordingly.
The function is now called ngx_parse_http_time(), and can be used by
any code to parse HTTP-style date and time.  In particular, it will be
used for OCSP stapling.

For compatibility, a macro to map ngx_http_parse_time() to the new name
provided for a while.
2015-06-11 20:42:31 +03:00
Maxim Dounin
dd41bfd47a Removed unused ngx_http_get_time() declaration. 2015-06-11 20:42:24 +03:00
Vladimir Homutov
8ab1aa612d Stream: access module.
stream {
    server {
        ...
        allow 127.0.0.1;
        deny all;
    }
}
2015-06-04 13:04:12 +03:00
Vladimir Homutov
d56b84b783 Stream: added postconfiguration method to stream modules. 2015-06-09 13:00:45 +03:00
Ruslan Ermilov
c81d7ec158 Mail: listen backlog=. 2015-06-08 23:13:56 +03:00
Ruslan Ermilov
60c654ddf5 Stream: listen backlog=. 2015-06-08 23:13:33 +03:00
Ruslan Ermilov
b72a7b0df3 Mail: embed ngx_mail_listen_t into ngx_mail_conf_addr_t. 2015-06-08 23:11:58 +03:00
Ruslan Ermilov
bfbd0aabd4 Stream: embed ngx_stream_listen_t into ngx_stream_conf_addr_t. 2015-06-08 23:11:42 +03:00
Ruslan Ermilov
14ddadb9ac Stream: fixed "reuseport" to actually work. 2015-06-05 23:03:13 +03:00
Roman Arutyunyan
f5d79ffb82 Upstream keepalive: reduced diffs to the plus version of nginx. 2015-06-04 23:46:44 +03:00
Maxim Dounin
e041efc306 Style. 2015-06-05 17:10:34 +03:00
Sergey Kandaurov
99b2c89404 Event pipe: call ngx_handle_read_event() with a proper flags type.
The change was missed in f69d1aab6a0f.
2015-06-03 19:12:26 +03:00
Valentin Bartenev
66f6ba5c95 Fixed excessive memory usage while parsing configuration.
The b->pos points to the next symbol here.

Reported by ilexshen.
2015-06-01 21:08:56 +03:00
Ruslan Ermilov
087c31e8b2 Fixed bullying style of comments. 2015-05-29 09:26:33 +03:00
Ruslan Ermilov
3de18022d8 Version bump. 2015-05-29 09:26:27 +03:00
Maxim Dounin
724f0f028e Disabled SSLv3 by default (ticket #653). 2015-05-25 17:58:20 +03:00
Maxim Dounin
226647e397 Configure: GNU Hurd properly recognized.
With this change it's no longer needed to pass -D_GNU_SOURCE manually,
and -D_FILE_OFFSET_BITS=64 is set to use 64-bit off_t.

Note that nginx currently fails to work properly with master process
enabled on GNU Hurd, as fcntl(F_SETOWN) returns EOPNOTSUPP for sockets
as of GNU Hurd 0.6.  Additionally, our strerror() preloading doesn't
work well with GNU Hurd, as it uses large numbers for most errors.
2015-05-25 17:58:13 +03:00
Maxim Dounin
b4619182bb Fixed reuseport with accept_mutex. 2015-05-21 19:39:11 +03:00
Ruslan Ermilov
941a6995d7 Upstream: report to error_log when max_fails is reached.
This can be useful to understand why "no live upstreams" happens,
in particular.
2015-05-20 22:44:00 +03:00
Maxim Dounin
f7f1607bf2 The "reuseport" option of the "listen" directive.
When configured, an individual listen socket on a given address is
created for each worker process.  This allows to reduce in-kernel lock
contention on configurations with high accept rates, resulting in better
performance.  As of now it works on Linux and DragonFly BSD.

Note that on Linux incoming connection requests are currently tied up
to a specific listen socket, and if some sockets are closed, connection
requests will be reset, see https://lwn.net/Articles/542629/.  With
nginx, this may happen if the number of worker processes is reduced.
There is no such problem on DragonFly BSD.

Based on previous work by Sepherosa Ziehau and Yingqi Lu.
2015-05-20 15:51:56 +03:00
Maxim Dounin
d5c34785bc Simplified ngx_http_init_listening().
There is no need to set "i" to 0, as it's expected to be 0 assuming
the bindings are properly sorted, and we already rely on this when
explicitly set hport->naddrs to 1.  Remaining conditional code is
replaced with identical "hport->naddrs = i + 1".

Identical modifications are done in the mail and stream modules,
in the ngx_mail_optimize_servers() and ngx_stream_optimize_servers()
functions, respectively.

No functional changes.
2015-05-20 15:51:28 +03:00
Maxim Dounin
68b3d28c55 Introduced worker number, ngx_worker. 2015-05-20 15:51:21 +03:00
Valentin Bartenev
9275dc19e6 Core: properly initialized written bytes counter in memory log. 2015-05-19 19:27:07 +03:00
Sergey Kandaurov
3670726bd3 Upstream hash: consistency across little/big endianness. 2015-05-18 16:05:44 +03:00
Ruslan Ermilov
4b9b16d27d Upstream: $upstream_connect_time.
The variable keeps time spent on establishing a connection with
the upstream server.
2015-05-16 01:32:27 +03:00
Ruslan Ermilov
b070e2d713 Upstream: times to obtain header/response are stored as ngx_msec_t. 2015-05-16 01:31:04 +03:00
Igor Sysoev
b55cd3f876 Events: ngx_event_t size reduction by grouping bit fields. 2015-05-15 17:15:33 +03:00
Ruslan Ermilov
91df4f0746 Events: made a failure to create a notification channel non-fatal.
This may happen if eventfd() returns ENOSYS, notably seen on CentOS 5.4.
Such a failure will now just disable the notification mechanism and let
the callers cope with it, instead of failing to start worker processes.
If thread pools are not configured, this can safely be ignored.
2015-05-06 17:04:00 +03:00
Ruslan Ermilov
80781f15b4 Removed the deprecated "imap" directive. 2015-04-29 13:53:24 +03:00
Ruslan Ermilov
3468015e12 Removed the deprecated "so_keepalive" directive. 2015-04-29 13:53:08 +03:00
Ruslan Ermilov
ea2f4d9175 Removed deprecated HTTP directives. 2015-04-29 13:52:49 +03:00
Ruslan Ermilov
3ceffb53fe Removed the deprecated "connections" directive. 2015-04-29 13:52:37 +03:00
Valentin Bartenev
89ad9ea309 Fixed overflow detection in ngx_inet_addr().
Overflow detection of the last octet might not work.

Reported by Sergey Polovko.
2015-04-28 18:55:03 +03:00
Valentin Bartenev
8568baef1f Version bump. 2015-04-28 18:54:48 +03:00
Maxim Dounin
2ec8cfcd7d Win32: shared memory base addresses and remapping.
Two mechanisms are implemented to make it possible to store pointers
in shared memory on Windows, in particular on Windows Vista and later
versions with ASLR:

- The ngx_shm_remap() function added to allow remapping of a shared memory
  zone to the address originally used for it in the master process.  While
  important, it doesn't solve the problem by itself as in many cases it's
  not possible to use the address because of conflicts with other
  allocations.

- We now create mappings at the same address in all processes by starting
  mappings at predefined addresses normally unused by newborn processes.

These two mechanisms combined allow to use shared memory on Windows
almost without problems, including reloads.

Based on the patch by Sergey Brester:
http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006836.html
2015-04-27 18:25:42 +03:00
Maxim Dounin
153dbf3877 Win32: fixed shm.handle loss on reload. 2015-04-27 03:44:30 +03:00
Maxim Dounin
c8aa659e45 Core: fixed nginx_shared_zone name. 2015-04-27 03:44:03 +03:00
Vladimir Homutov
4e010c2834 Mail: error_log support. 2015-02-20 15:31:37 +03:00
Vladimir Homutov
df555ffce6 Core: the ngx_set_connection_log() macro.
The http and stream versions of this macro were identical.
2015-04-25 22:44:02 +03:00
Roman Arutyunyan
d61f21c5e8 Merge proxy_protocol setting of listen directives.
It's now enough to specify proxy_protocol option in one listen directive to
enable it in all servers listening on the same address/port.  Previously,
the setting from the first directive was always used.
2015-04-24 10:54:06 +03:00
Ruslan Ermilov
3180f84b60 Removed the "worker_rlimit_sigpending" directive.
It was only needed by the just removed rtsig module.
2015-04-23 14:26:11 +03:00
Ruslan Ermilov
33b8e5bc06 Removed the obsolete rtsig module. 2015-04-23 14:17:40 +03:00
Ruslan Ermilov
c1882d9f3f Removed the obsolete aio module. 2015-04-22 18:57:32 +03:00
Roman Arutyunyan
39386c951c Stream: prevent repeated event notifications after eof.
When client or upstream connection is closed, level-triggered read event
remained active until the end of the session leading to cpu hog.  Now the flag
NGX_CLOSE_EVENT is used to unschedule the event.
2015-04-22 19:55:04 +03:00
Ruslan Ermilov
25ddb49dbe Upstream: allow multiple upstreams to use the same shared zone. 2015-04-22 18:37:34 +03:00
Martin Mlynář
958d4a0b1f Memcached: enabled ranges. 2015-04-21 21:04:36 +02:00
Ruslan Ermilov
673941f81d Upstream: simplified ip_hash and hash peer selection code.
Now that peers are stored as a list, the weighted and unweighted
cases became nearly identical.
2015-04-21 19:09:04 +03:00
Sergey Kandaurov
1ff5515e70 Limit req: removed check for unknown limit_req_zone.
With 48b3d5ddfb03, it's possible to specify limit_req_zone after limit_req.
2015-04-20 16:54:41 +03:00
Sergey Kandaurov
06ff117986 Core: allow shared memory size to be declared after a reference.
For example, this fixes the case when "proxy_cache_path" is specified
after "proxy_cache" that references it.
2015-04-20 16:53:04 +03:00
Ruslan Ermilov
c799c82faa Stream: port from NGINX+. 2015-04-20 13:05:11 +03:00
Ruslan Ermilov
a2dac51398 Upstream: fixed unlocked access to peer->conns. 2015-04-19 22:41:09 +03:00
Ruslan Ermilov
9b411460f9 Replaced the remaining NGX_OLD_THREADS check with NGX_WIN32. 2015-03-26 14:20:51 +03:00
Ruslan Ermilov
bfd2db83a7 Removed NGX_OLD_THREADS from select and poll modules.
These modules can't be compiled on win32.
2015-03-26 14:20:07 +03:00
Ruslan Ermilov
64c5df4b62 Removed "worker_threads" and "thread_stack_size" directives. 2015-03-26 14:15:17 +03:00
Ruslan Ermilov
324e389e17 Removed unused thread-local-storage code. 2015-03-26 14:15:15 +03:00
Ruslan Ermilov
2b0d2f0583 Removed ngx_threaded and related code. 2015-03-26 14:15:13 +03:00
Ruslan Ermilov
7c44e39220 Upstream: get rid of questionable micro-optimization in ip_hash.
If a peer was initially skipped due to max_fails, there's no reason
not to try it again if enough time has passed, and the next_upstream
logic is in action.

This also reduces diffs with NGINX Plus.
2015-04-16 20:09:11 +03:00
Sergey Kandaurov
d72fe76bb1 Core: ensure that ngx_config.h is always included first.
This fixes compilation of various 3rd party modules when nginx is
configured with threads.
2015-04-16 18:18:37 +03:00
Maxim Dounin
4091eb749b Version bump. 2015-04-16 17:26:19 +03:00
Ruslan Ermilov
cf31347ee8 Upstream: the "zone" directive.
Upstreams with the "zone" directive are kept in shared memory,
with a consistent view of all worker processes.
2015-04-14 19:01:25 +03:00
Ruslan Ermilov
b0b7b5a356 Upstreams: locking. 2015-04-14 19:01:23 +03:00
Ruslan Ermilov
3fc23e2542 Core: read/write locks. 2015-03-21 14:05:08 +03:00
Ruslan Ermilov
4d53631022 Upstream: store peers as a linked list.
This is an API change.
2015-04-10 14:48:36 +03:00
Ruslan Ermilov
18fa775b10 Upstream: track the number of active connections to upstreams.
This also simplifies the implementation of the least_conn module.
2015-04-10 13:16:23 +03:00
Ruslan Ermilov
b25f0ddcf1 Fixed build, broken by 8b7f062a3fe6.
Casting a "const char *" to "char *" doesn't work on older gcc versions.
2015-04-16 15:05:40 +03:00
Vladimir Homutov
fd4da89228 Core: added OpenSSL version information to "nginx -V" output. 2015-04-16 12:17:41 +03:00
Vladimir Homutov
513f184098 Version bump. 2015-04-16 12:13:51 +03:00
Ruslan Ermilov
edb0c6ba64 Core: guard against spinlock usage without atomic ops.
The new thread pools code uses spinlocks.
2015-03-26 14:15:06 +03:00
Sergey Kandaurov
38a97edf3a Core: limited levels of subdirectory hierarchy used for temp files.
Similar to ngx_http_file_cache_set_slot(), the last component of file->name
with a fixed length of 10 bytes, as generated in ngx_create_temp_path(), is
used as a source for the names of intermediate subdirectories with each one
taking its own part.  Ensure that the sum of specified levels with slashes
fits into the length (ticket #731).
2015-04-07 01:32:08 +03:00
Sergey Kandaurov
256082c4f8 Core: removed excessive initialization in ngx_conf_set_path_slot().
Level hierarchy is pre-zeroed in ngx_pcalloc() of the surrounding ngx_path_t.
2015-04-07 01:32:07 +03:00
Sergey Kandaurov
eed7d47930 Core: fixed error handling on ngx_conf_full_name() failure. 2015-04-07 01:32:05 +03:00
Ruslan Ermilov
8c82b75127 Upstream: abbreviated SSL handshake may interact badly with Nagle. 2015-04-07 00:07:04 +03:00
Valentin Bartenev
3f72e18908 Request body: always flush buffers if request buffering is off.
This fixes unbuffered proxying to SSL backends, since it prevents
ngx_ssl_send_chain() from accumulation of request body in the SSL
buffer.
2015-04-06 19:20:36 +03:00
Valentin Bartenev
1329c4af80 Used the correct type for the AIO preload handler return value. 2015-04-06 11:22:24 +03:00
Filipe da Silva
95aad2235d OCSP stapling: missing free calls.
Missing call to X509_STORE_CTX_free when X509_STORE_CTX_init fails.
Missing call to OCSP_CERTID_free when OCSP_request_add0_id fails.
Possible leaks in vary particular scenariis of memory shortage.
2015-04-01 15:05:08 +02:00
Valentin Bartenev
355a793b89 Cache: added support for reading of the header in thread pools. 2015-04-01 03:49:17 +03:00
Sergey Kandaurov
99bf1b56ec Fixed invalid access to complex value defined as an empty string.
Found by Valgrind.
2015-03-31 17:45:50 +03:00
Valentin Bartenev
51df7912c4 Events: fixed possible crash on start or reload.
The main thread could wake up and start processing the notify event
before the handler was set.
2015-03-27 21:19:20 +03:00
Valentin Bartenev
3ffbf84a5e Events: made posted events macros safe. 2015-03-27 19:57:15 +03:00
Valentin Bartenev
0e853129ac SPDY: always push pending data.
This helps to avoid suboptimal behavior when a client waits for a control
frame or more data to increase window size, but the frames have been delayed
in the socket buffer.

The delays can be caused by bad interaction between Nagle's algorithm on
nginx side and delayed ACK on the client side or by TCP_CORK/TCP_NOPUSH
if SPDY was working without SSL and sendfile() was used.

The pushing code is now very similar to ngx_http_set_keepalive().
2015-03-23 21:04:13 +03:00
Valentin Bartenev
44586bf5ee SPDY: fixed error handling in ngx_http_spdy_send_output_queue(). 2015-03-23 20:47:46 +03:00
Maxim Dounin
67986d81de Version bump. 2015-03-26 17:36:39 +03:00
Maxim Dounin
5e96e84ffb Proxy: fixed proxy_request_buffering and chunked with preread body.
If any preread body bytes were sent in the first chain, chunk size was
incorrectly added before the whole chain, including header, resulting in
an invalid request sent to upstream.  Fixed to properly add chunk size
after the header.
2015-03-26 02:31:30 +03:00
Maxim Dounin
7ec559df5d Upstream: uwsgi_request_buffering, scgi_request_buffering. 2015-03-23 21:09:19 +03:00
Maxim Dounin
f4714d26f0 FastCGI: fastcgi_request_buffering. 2015-03-23 21:09:19 +03:00
Maxim Dounin
756997b696 Proxy: proxy_request_buffering chunked support. 2015-03-23 21:09:19 +03:00
Maxim Dounin
2743bb68ee Request body: unbuffered reading.
The r->request_body_no_buffering flag was introduced.  It instructs
client request body reading code to avoid reading the whole body, and
to call post_handler early instead.  The caller should use the
ngx_http_read_unbuffered_request_body() function to read remaining
parts of the body.

Upstream module is now able to use this mode, if configured with
the proxy_request_buffering directive.
2015-03-23 21:09:19 +03:00
Maxim Dounin
d02d2cff9b Request body: filters support. 2015-03-23 21:09:19 +03:00
Maxim Dounin
be99a8801e Request body: moved request body writing to save filter. 2015-03-23 21:09:19 +03:00
Maxim Dounin
d21e644d80 Request body: free chain links in ngx_http_write_request_body(). 2015-03-23 21:09:12 +03:00
Maxim Dounin
4df7aa6f92 Output chain: free chain links in ngx_chain_writer(). 2015-03-23 21:09:05 +03:00
Maxim Dounin
9131eb11c9 Output chain: zero size buf alerts in ngx_chain_writer().
Now we log a "zero size buf in chain writer" alert if we encounter a zero
sized buffer in ngx_chain_writer(), and skip the buffer.
2015-03-23 20:56:58 +03:00
Maxim Dounin
3560af8999 Format specifier fixed for file size of buffers. 2015-03-23 19:28:54 +03:00
Maxim Dounin
58eb93f791 Proxy: fixed proxy_set_body with proxy_cache.
If the last header evaluation resulted in an empty header, the e.skip flag
was set and was not reset when we've switched to evaluation of body_values.
This incorrectly resulted in body values being skipped instead of producing
some correct body as set by proxy_set_body.  Fix is to properly reset
the e.skip flag.

As the problem only appeared if the last potentially non-empty header
happened to be empty, it only manifested itself if proxy_set_body was used
with proxy_cache.
2015-03-23 19:28:54 +03:00
Valentin Bartenev
e87a565aab Thread pools: implemented graceful exiting of threads. 2015-03-23 17:51:21 +03:00
Valentin Bartenev
510c9cdca8 Thread pools: removed unused pointer to memory pool.
No functional changes.
2015-03-23 17:51:21 +03:00
Valentin Bartenev
cb43696e0c Thread pools: keep waiting tasks mutex in ngx_thread_pool_t.
It's not needed for completed tasks queue since the previous change.

No functional changes.
2015-03-23 17:51:21 +03:00
Valentin Bartenev
f109a68b4f Thread pools: replaced completed tasks queue mutex with spinlock. 2015-03-23 17:51:21 +03:00
Ruslan Ermilov
07de3f538b Removed stub implementation of win32 mutexes. 2015-03-23 13:52:47 +03:00
Maxim Dounin
47c44355b5 SSL: use of SSL_MODE_NO_AUTO_CHAIN.
The SSL_MODE_NO_AUTO_CHAIN mode prevents OpenSSL from automatically
building a certificate chain on the fly if there is no certificate chain
explicitly provided.  Before this change, certificates provided via the
ssl_client_certificate and ssl_trusted_certificate directives were
used by OpenSSL to automatically build certificate chains, resulting
in unexpected (and in some cases unneeded) chains being sent to clients.
2015-03-23 02:42:35 +03:00
Maxim Dounin
a20c6d202e SSL: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
LibreSSL removed support for export ciphers and a call to
SSL_CTX_set_tmp_rsa_callback() results in an error left in the error
queue.  This caused alerts "ignoring stale global SSL error (...called
a function you should not call) while SSL handshaking" on a first connection
in each worker process.
2015-03-23 02:42:34 +03:00
Maxim Dounin
b0d8ff55a1 SSL: clear protocol options.
LibreSSL 2.1.1+ started to set SSL_OP_NO_SSLv3 option by default on
new contexts.  This makes sure to clear it to make it possible to use SSLv3
with LibreSSL if enabled in nginx config.

Prodded by Kuramoto Eiji.
2015-03-23 02:42:32 +03:00
Valentin Bartenev
cc569b9252 Core: added cyclic memory buffer support for error_log.
Example of usage:

  error_log memory:16m debug;

This allows to configure debug logging with minimum impact on performance.
It's especially useful when rare crashes are experienced under high load.

The log can be extracted from a coredump using the following gdb script:

  set $log = ngx_cycle->log

  while $log->writer != ngx_log_memory_writer
      set $log = $log->next
  end

  set $buf = (ngx_log_memory_buf_t *) $log->wdata
  dump binary memory debug_log.txt $buf->start $buf->end
2015-03-19 19:29:43 +03:00
Ruslan Ermilov
babd64e344 Removed busy locks. 2015-03-20 06:45:32 +03:00
Ruslan Ermilov
f8d10849ad Removed ngx_connection_t.lock. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
b6029a8a3f Removed unix ngx_threaded and related ngx_process_changes. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
d1ec868e32 Removed old pthread implementation. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
c84c19f5bf Removed old FreeBSD rfork() thread implementation. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
c34368715f Thread pools: silence warning on process exit.
Work around pthread_cond_destroy() and pthread_mutex_destroy() returning
EBUSY.  A proper solution would be to ensure all threads are terminated.
2015-03-19 23:20:18 +03:00
Ruslan Ermilov
afe1fcffaa Thread pools: fixed the waiting tasks accounting.
Behave like POSIX semaphores.  If N worker threads are waiting for tasks,
at least that number of tasks should be allowed to be put into the queue.
2015-03-19 13:00:48 +03:00
Ruslan Ermilov
20d07074e3 Thread pools: keep waiting tasks counter in ngx_thread_pool_t.
It's not needed for completed tasks queue.

No functional changes.
2015-03-19 23:19:35 +03:00
Xiaochen Wang
85048c0397 SPDY: fixed format specifier in logging. 2015-03-15 21:46:21 +08:00
Valentin Bartenev
7ed1a9681b Added support for offloading Linux sendfile() in thread pools. 2015-03-14 17:37:30 +03:00
Valentin Bartenev
a7ad493aa6 Added support for offloading read() in thread pools. 2015-03-14 17:37:25 +03:00
Ruslan Ermilov
547c8f601f Events: implemented eventport notification mechanism. 2015-03-14 17:37:21 +03:00
Valentin Bartenev
2b3c01e995 Events: implemented kqueue notification mechanism. 2015-03-14 17:37:16 +03:00
Valentin Bartenev
e10e7a4831 Events: implemented epoll notification mechanism. 2015-03-14 17:37:13 +03:00
Valentin Bartenev
305fc021db Thread pools implementation. 2015-03-14 17:37:07 +03:00
Ruslan Ermilov
83ba5ed2ec Renamed NGX_THREADS to NGX_OLD_THREADS because of deprecation.
It's mostly dead code and the original idea of worker threads has been rejected.
2015-03-04 18:26:25 +03:00
Ruslan Ermilov
4fe0a09942 Overflow detection in ngx_http_parse_chunked(). 2015-03-17 00:26:27 +03:00
Ruslan Ermilov
514cdb190f Overflow detection in ngx_http_range_parse(). 2015-03-17 00:26:24 +03:00
Ruslan Ermilov
a43f1bcf6e Overflow detection in ngx_inet_addr(). 2015-03-17 00:26:22 +03:00
Ruslan Ermilov
3ad3f4ae0a Core: overflow detection in ngx_parse_time() (ticket #732). 2015-03-17 00:26:20 +03:00
Ruslan Ermilov
7943fd374a Refactored ngx_parse_time().
No functional changes.
2015-03-17 00:26:18 +03:00
Ruslan Ermilov
8167ce8537 Core: overflow detection in number parsing functions. 2015-03-17 00:26:15 +03:00
Ruslan Ermilov
309928b941 Core: expose maximum values of time_t and ngx_int_t.
These are needed to detect overflows.
2015-03-17 00:24:34 +03:00
Ruslan Ermilov
db999274ec The "aio" directive parser made smarter.
It now prints meaningful warnings on all platforms.

No functional changes.
2015-03-13 16:42:52 +03:00
Ruslan Ermilov
bcd8123913 Events: fixed typo in the error message. 2015-03-12 23:03:03 +03:00
Ruslan Ermilov
067de7dde1 Deprecated "aio sendfile".
Specifying "sendfile on" along with "aio on" activates the
aio pre-loading mode for sendfile().
2015-03-12 20:06:04 +03:00
Ruslan Ermilov
5e5540f7dc Proxy: use an appropriate error on memory allocation failure. 2015-03-04 08:12:53 +03:00
Ruslan Ermilov
c238150a57 Style: moved ngx_http_ephemeral() macro to ngx_http_request.h. 2015-03-04 08:10:40 +03:00
Ruslan Ermilov
466b3b9250 Style: use %*s format, as in 68d21fd1dc64. 2015-03-04 08:05:38 +03:00
Valentin Bartenev
a9a01e0938 Log: use ngx_cpymem() in a couple of places, no functional changes. 2015-03-04 19:20:30 +03:00
Valentin Bartenev
2f3fb935b4 Upstream keepalive: drop ready flag on EAGAIN from recv(MSG_PEEK).
Keeping the ready flag in this case might results in missing notification of
broken connection until nginx tried to use it again.

While there, stale comment about stale event was removed since this function
is also can be called directly.
2015-03-03 17:48:57 +03:00
Ruslan Ermilov
b384247262 Events: simplified ngx_event_aio_t definition.
No functional changes.
2015-03-03 18:09:13 +03:00
Valentin Bartenev
ea881578a2 Refactored ngx_linux_sendfile_chain() even more.
The code that calls sendfile() was cut into a separate function.
This simplifies EINTR processing, yet is needed for the following
changes that add threads support.
2015-02-27 19:19:08 +03:00
Maxim Dounin
a0d543595d Style.
Noted by Ruslan Ermilov.
2015-03-03 01:15:21 +03:00
Maxim Dounin
14a93c5a15 Upstream: upstream argument in ngx_http_upstream_process_request().
In case of filter finalization, r->upstream might be changed during
the ngx_event_pipe() call.  Added an argument to preserve it while
calling the ngx_http_upstream_process_request() function.
2015-03-02 21:44:42 +03:00
Maxim Dounin
2b032e8df6 Upstream: avoid duplicate finalization.
A request may be already finalized when ngx_http_upstream_finalize_request()
is called, due to filter finalization: after filter finalization upstream
can be finalized via ngx_http_upstream_cleanup(), either from
ngx_http_terminate_request(), or because a new request was initiated
to an upstream.  Then the upstream code will see an error returned from
the filter chain and will call the ngx_http_upstream_finalize_request()
function again.

To prevent corruption of various upstream data in this situation, make sure
to do nothing but merely call ngx_http_finalize_request().

Prodded by Yichun Zhang, for details see the thread at
http://nginx.org/pipermail/nginx-devel/2015-February/006539.html.
2015-03-02 21:44:32 +03:00
Roman Arutyunyan
46a2236f22 SSL: reset ready flag if recv(MSG_PEEK) found no bytes in socket.
Previously, connection hung after calling ngx_http_ssl_handshake() with
rev->ready set and no bytes in socket to read.  It's possible in at least the
following cases:

 - when processing a connection with expired TCP_DEFER_ACCEPT on Linux
 - after parsing PROXY protocol header if it arrived in a separate TCP packet

Thanks to James Hamlin.
2015-03-02 21:15:46 +03:00
Roman Arutyunyan
f0b5f83378 Cache: do not inherit last_modified and etag from stale response.
When replacing a stale cache entry, its last_modified and etag could be
inherited from the old entry if the response code is not 200 or 206.  Moreover,
etag could be inherited with any response code if it's missing in the new
response.  As a result, the cache entry is left with invalid last_modified or
etag which could lead to broken revalidation.

For example, when a file is deleted from backend, its last_modified is copied to
the new 404 cache entry and is used later for revalidation.  Once the old file
appears again with its original timestamp, revalidation succeeds and the cached
404 response is sent to client instead of the file.

The problem appeared with etags in 44b9ab7752e3 (1.7.3) and affected
last_modified in 1573fc7875fa (1.7.9).
2015-03-02 19:47:13 +03:00
Roman Arutyunyan
bf7d76b943 Upstream hash: speedup consistent hash init.
Repeatedly calling ngx_http_upstream_add_chash_point() to create
the points array in sorted order, is O(n^2) to the total weight.
This can cause nginx startup and reconfigure to be substantially
delayed.  For example, when total weight is 1000, startup takes
5s on a modern laptop.

Replace this with a linear insertion followed by QuickSort and
duplicates removal.  Startup for total weight of 1000 reduces to 40ms.

Based on a patch by Wai Keen Woon.
2015-03-02 18:41:29 +03:00
Sergey Kandaurov
de3adad807 Mail: don't emit Auth-SSL-Verify with disabled ssl_verify_client.
Previously, the Auth-SSL-Verify header with the "NONE" value was always passed
to the auth_http script if verification of client certificates is disabled.
2015-02-27 16:28:31 +03:00
Maxim Dounin
faec547771 Mail: client SSL certificates support.
The "ssl_verify_client", "ssl_verify_depth", "ssl_client_certificate",
"ssl_trusted_certificate", and "ssl_crl" directives introduced to control
SSL client certificate verification in mail proxy module.

If there is a certificate, detail of the certificate are passed to
the auth_http script configured via Auth-SSL-Verify, Auth-SSL-Subject,
Auth-SSL-Issuer, Auth-SSL-Serial, Auth-SSL-Fingerprint headers.  If
the auth_http_pass_client_cert directive is set, client certificate
in PEM format will be passed in the Auth-SSL-Cert header (urlencoded).

If there is no required certificate provided during an SSL handshake
or certificate verification fails then a protocol-specific error is
returned after the SSL handshake and the connection is closed.

Based on previous work by Sven Peter, Franck Levionnois and Filipe Da Silva.
2015-02-25 17:48:05 +03:00
Maxim Dounin
78e1a8ed7f Mail: added Auth-SSL header to indicate SSL.
Based on a patch by Filipe da Silva.
2015-02-25 17:47:49 +03:00
Maxim Dounin
52c5ba0f37 Mail: fixed buffer allocation for CRLF after Auth-SMTP-* headers.
There were no buffer overruns in real life as there is extra space
allocated for the Auth-Login-Attempt counter.
2015-02-25 17:47:43 +03:00
Ruslan Ermilov
c2c9a1c03e SSL: account sent bytes in ngx_ssl_write(). 2015-02-24 23:52:47 +03:00
Maxim Dounin
7dd799357d Core: fixed potential buffer overrun when initializing hash.
Initial size as calculated from the number of elements may be bigger
than max_size.  If this happens, make sure to set size to max_size.

Reported by Chris West.
2015-02-24 18:37:14 +03:00
Ruslan Ermilov
a4ce770a89 Cache: reduced diffs to the plus version of nginx.
No functional changes.
2015-02-17 16:27:52 +03:00
Roman Arutyunyan
6337c1d185 Core: make ngx_connection_local_sockaddr() always assign address.
Previously, this function checked for connection local address existence
and returned error if it was missing.  Now a new address is assigned in this
case making it possible to call this function not only for accepted connections.
2015-02-17 14:26:44 +03:00
Valentin Bartenev
0a3d458805 Unbreak building on FreeBSD without file AIO.
It appeared that the NGX_HAVE_AIO_SENDFILE macro was defined regardless of
the "--with-file-aio" configure option and the NGX_HAVE_FILE_AIO macro.

Now they are related.

Additionally, fixed one macro.
2015-02-11 20:00:07 +03:00
Valentin Bartenev
2b8d6ad805 Refactored sendfile() AIO preload.
This reduces layering violation and simplifies the logic of AIO preread, since
it's now triggered by the send chain function itself without falling back to
the copy filter.  The context of AIO operation is now stored per file buffer,
which makes it possible to properly handle cases when multiple buffers come
from different locations, each with its own configuration.
2015-02-11 17:52:15 +03:00
Ruslan Ermilov
2b7e167dbb Mail: fixed the duplicate listen address detection. 2015-01-23 15:23:29 +03:00
Ruslan Ermilov
0b30dec0d3 Mail: fixed a comment. 2015-01-23 15:23:27 +03:00
Ruslan Ermilov
3352461916 Upstream: detect port absence in fastcgi_pass with IP literal.
If fastcgi_pass (or any look-alike that doesn't imply a default
port) is specified as an IP literal (as opposed to a hostname),
port absence was not detected at configuration time and could
result in EADDRNOTAVAIL at run time.

Fixed this in such a way that configs like

http {
    server {
        location / {
            fastcgi_pass 127.0.0.1;
        }
    }

    upstream 127.0.0.1 {
        server 10.0.0.1:12345;
    }
}

still work.  That is, port absence check is delayed until after
we make sure there's no explicit upstream with such a name.
2015-01-22 16:23:32 +03:00
Ruslan Ermilov
917c47a918 Version bump. 2015-02-11 15:51:03 +03:00
Sergey Kandaurov
66c25a7d77 Core: fixed build on Tru64 UNIX.
There was a typo in NGX_EACCES.

Reported by Goetz T. Fischer.
2015-02-10 01:51:08 +03:00
Damien Tournoud
59969c22ce Fixed try_files directory test to match only a directory.
Historically, it was possible to match either a file or directory
in the following configuration:

    location / {
        try_files $uri/ =404;
    }
2015-01-21 00:26:32 +01:00
Roman Arutyunyan
2bae4205ab Core: fixed a race resulting in extra sem_post()'s.
The mtx->wait counter was not decremented if we were able to obtain the lock
right after incrementing it.  This resulted in unneeded sem_post() calls,
eventually leading to EOVERFLOW errors being logged, "sem_post() failed
while wake shmtx (75: Value too large for defined data type)".

To close the race, mtx->wait is now decremented if we obtain the lock right
after incrementing it in ngx_shmtx_lock().  The result can become -1 if a
concurrent ngx_shmtx_unlock() decrements mtx->wait before the added code does.
However, that only leads to one extra iteration in the next call of
ngx_shmtx_lock().
2015-02-04 16:22:43 +03:00
Roman Arutyunyan
cae1b5d63a Core: reverted prefix-based temp files (a9138c35120d).
The use_temp_path http cache feature is now implemented using a separate temp
hierarchy in cache directory.  Prefix-based temp files are no longer needed.
2015-02-02 21:28:09 +03:00
Roman Arutyunyan
f8fecbc94d Cache: added temp_path to file cache.
If use_temp_path is set to off, a subdirectory "temp" is created in the cache
directory.  It's used instead of proxy_temp_path and friends for caching
upstream response.
2015-02-02 19:38:35 +03:00
Roman Arutyunyan
54e14a387f Core: supported directory skipping in ngx_walk_tree().
If pre_tree_handler() returns NGX_DECLINED, the directory is ignored.
2015-02-02 19:38:32 +03:00
Valentin Bartenev
314d0d40e7 Fixed AIO handling in the output chain.
The ctx->aio flag must be taken into account in the short path too.
2015-01-28 21:33:06 +03:00
Igor Sysoev
415c8ec4b4 A bounds check of %N format on Windows.
Thanks to Joe Bialek, Adam Zabrocki and Microsoft Vulnerability Research.
2015-01-27 15:38:15 +03:00
Vladimir Homutov
7e1eba5faa Upstream: $upstream_header_time variable.
Keeps time spent on obtaining the header from an upstream server.  The value is
formatted similar to the $upstream_response_time variable.
2015-01-14 09:03:35 +03:00
Maxim Dounin
a1f330a0a2 Core: added disk_full_time checks to error log. 2015-01-13 19:51:37 +03:00
Maxim Dounin
2754fd3c80 Fixed sendfile() trailers on OS X (8e903522c17a, 1.7.8).
The trailer.count variable was not initialized if there was a header,
resulting in "sendfile() failed (22: Invalid argument)" alerts on OS X
if the "sendfile" directive was used.  The bug was introduced
in 8e903522c17a (1.7.8).
2015-01-13 18:58:23 +03:00
Valentin Bartenev
843fb552ec Upstream: use_temp_path parameter of proxy_cache_path and friends.
When set to "off", temporary files for cacheable responses will be stored
inside cache directory.
2014-12-26 16:22:59 +03:00
Valentin Bartenev
1858857c25 Cache: update variant while setting header.
Some parts of code related to handling variants of a resource moved into
a separate function that is called earlier.  This allows to use cache file
name as a prefix for temporary file in the following patch.
2014-12-26 16:22:56 +03:00
Valentin Bartenev
a54e37edda Core: added prefix-based temporary files.
Now, if the "path" parameter is NULL, ngx_create_temp_file() will use
file->name as a predefined file path prefix.
2014-12-26 16:22:54 +03:00
Valentin Bartenev
c07bebdcd1 Unified handling of ngx_create_temp_file() return value.
The original check for NGX_AGAIN was surplus, since the function returns
only NGX_OK or NGX_ERROR.  Now it looks similar to other places.

No functional changes.
2014-12-26 16:22:50 +03:00
Maxim Dounin
b8ee1ec7d3 Fixed building with musl libc (ticket #685). 2014-12-24 19:01:22 +03:00
Maxim Dounin
fe4b25c731 Version bump. 2014-12-24 18:53:38 +03:00
Valentin Bartenev
7817df480e Upstream: added variables support to proxy_cache and friends. 2014-12-22 12:59:09 +03:00
Valentin Bartenev
b24ad42008 Upstream: preset some cache configuration when bypassing.
No functional changes.
2014-12-22 12:59:06 +03:00
Valentin Bartenev
c40a72761c Upstream: refactored proxy_cache and friends.
The configuration handling code has changed to look similar to the proxy_store
directive and friends.  This simplifies adding variable support in the following
patch.

No functional changes.
2014-12-22 12:59:02 +03:00
Valentin Bartenev
66dcbab7a1 Upstream: mutually exclusive inheritance of "cache" and "store".
Currently, storing and caching mechanisms cannot work together, and a
configuration error is thrown when the proxy_store and proxy_cache
directives (as well as their friends) are configured on the same level.

But configurations like in the example below were allowed and could result
in critical errors in the error log:

    proxy_store on;

    location / {
        proxy_cache one;
    }

Only proxy_store worked in this case.

For more predictable and errorless behavior these directives now prevent
each other from being inherited from the previous level.
2014-12-22 12:58:59 +03:00
Valentin Bartenev
492844dbb1 Upstream: simplified proxy_store and friends configuration code.
This changes internal API related to handling of the "store"
flag in ngx_http_upstream_conf_t.  Previously, a non-null value
of "store_lengths" was enough to enable store functionality with
custom path.  Now, the "store" flag is also required to be set.

No functional changes.
2014-12-22 12:58:56 +03:00
Lukas Tribus
cf92831131 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
The flag was recently removed by BoringSSL.
2014-12-17 15:12:50 +01:00
Valentin Bartenev
16f248ebbb Autoindex: implemented XML output format. 2014-12-12 20:25:42 +03:00
Valentin Bartenev
5453f0afe6 Autoindex: implemented JSON output format. 2014-12-12 20:25:35 +03:00
Valentin Bartenev
921f728526 Autoindex: rendering code moved to a separate function.
No functional changes.
2014-12-12 20:25:28 +03:00
Maxim Dounin
d8c7616074 Headers filter: variables support in expires (ticket #113). 2014-12-11 23:42:11 +03:00
Maxim Dounin
cf21308885 Headers filter: local variables for config, no functional changes. 2014-12-11 23:42:06 +03:00
Valentin Bartenev
fb7d63250e Upstream: fixed inheritance of proxy_store and friends.
The proxy_store, fastcgi_store, scgi_store and uwsgi_store were inherited
incorrectly if a directive with variables was defined, and then redefined
to the "on" value, i.e. in configurations like:

    proxy_store /data/www$upstream_http_x_store;

    location / {
        proxy_store on;
    }
2014-10-09 20:30:11 +04:00
Maxim Dounin
827b2511e6 Proxy: fixed incorrect URI change due to if (ticket #86).
In the following configuration request was sent to a backend without
URI changed to '/' due to if:

    location /proxy-pass-uri {
        proxy_pass http://127.0.0.1:8080/;

        set $true 1;

        if ($true) {
            # nothing
        }
    }

Fix is to inherit conf->location from the location where proxy_pass was
configured, much like it's done with conf->vars.
2014-12-09 18:22:39 +03:00
Maxim Dounin
8d7c6491fe Upstream: fixed unexpected inheritance into limit_except blocks.
The proxy_pass directive and other handlers are not expected to be inherited
into nested locations, but there is a special code to inherit upstream
handlers into limit_except blocks, as well as a configuration into if{}
blocks.  This caused incorrect behaviour in configurations with nested
locations and limit_except blocks, like this:

    location / {
        proxy_pass http://u;

        location /inner/ {
            # no proxy_pass here

            limit_except GET {
                # nothing
            }
        }
    }

In such a configuration the limit_except block inside "location /inner/"
unexpectedly used proxy_pass defined in "location /", while it shouldn't.
Fix is to avoid inheritance of conf->upstream.upstream (and
conf->proxy_lengths) into locations which don't have noname flag.
2014-12-09 18:22:31 +03:00
Maxim Dounin
c863e1b3b5 Upstream: inheritance of proxy_pass and friends (ticket #645).
Instead of independant inheritance of conf->upstream.upstream (proxy_pass
without variables) and conf->proxy_lengths (proxy_pass with variables)
we now test them both and inherit only if neither is set.  Additionally,
SSL context is also inherited only in this case now.

Based on the patch by Alexey Radkov.
2014-12-09 18:21:55 +03:00
Maxim Dounin
88ed2d39af Proxy: the "TE" header now stripped by default (ticket #537). 2014-12-09 18:20:19 +03:00
Piotr Sikora
1ea64b3f8f Cache: send conditional requests only for cached 200/206 responses.
RFC7232 says:

   The 304 (Not Modified) status code indicates that a conditional GET
   or HEAD request has been received and would have resulted in a 200
   (OK) response if it were not for the fact that the condition
   evaluated to false.

which means that there is no reason to send requests with "If-None-Match"
and/or "If-Modified-Since" headers for responses cached with other status
codes.

Also, sending conditional requests for responses cached with other status
codes could result in a strange behavior, e.g. upstream server returning
304 Not Modified for cached 404 Not Found responses, etc.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-11-26 18:35:37 -08:00
Dmitrii Pichulin
cf5013dd3f SSL: loading certificate keys via ENGINE_load_private_key(). 2014-08-04 11:03:20 +04:00
Maxim Dounin
811281ec36 Version bump. 2014-12-04 16:37:31 +03:00
Maxim Dounin
6d52912a2a Cache: proper wakeup of subrequests.
In case of a cache lock timeout and in the aio handler we now call
r->write_event_handler() instead of a connection write handler,
to make sure to run appropriate subrequest.  Previous code failed to run
inactive subrequests and hence resulted in suboptimal behaviour, see
report by Yichun Zhang:

http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004435.html

(Infinite hang claimed in the report seems impossible without 3rd party
modules, as subrequests will be eventually woken up by the postpone filter.)
2014-12-02 05:54:56 +03:00
Maxim Dounin
10345663c8 Upstream: improved subrequest logging.
To ensure proper logging make sure to set current_request in all event
handlers, including resolve, ssl handshake, cache lock wait timer and
aio read handlers.  A macro ngx_http_set_log_request() introduced to
simplify this.
2014-12-02 05:54:54 +03:00
Sergey Kandaurov
778cc4b42e Access log: restricted "log_format" to "http" level.
Specifying the "log_format" directive on levels other than "http"
is deprecated since 73d37e1ccb91 (1.1.11).
2014-12-01 14:51:36 +03:00
Maxim Dounin
ece388033a Write filter: fixed handling of sync bufs (ticket #132). 2014-11-28 16:58:39 +03:00
Maxim Dounin
7fa89c744a Fixed post_action to not trigger "header already sent" alert.
The alert was introduced in 03ff14058272 (1.5.4), and was triggered on each
post_action invocation.

There is no real need to call header filters in case of post_action,
so return NGX_OK from ngx_http_send_header() if r->post_action is set.
2014-11-28 16:57:50 +03:00
Maxim Dounin
d228fa5093 Typo. 2014-11-28 16:57:23 +03:00
Valentin Bartenev
decaffa805 SPDY: push pending data while closing a stream as with keepalive.
This helps to avoid delays in sending the last chunk of data because
of bad interaction between Nagle's algorithm on nginx side and
delayed ACK on the client side.

Delays could also be caused by TCP_CORK/TCP_NOPUSH if SPDY was
working without SSL and sendfile() was used.
2014-11-21 22:51:49 +03:00
Vladimir Homutov
742b5dd045 Syslog: allowed underscore symbol in tag (ticket #667). 2014-11-20 20:02:21 +03:00
Ruslan Ermilov
ef563debf1 Resolver: fixed debug event logging.
In 954867a2f0a6, we switched to using resolver node as the timer event data.
This broke debug event logging.

Replaced now unused ngx_resolver_ctx_t.ident with ngx_resolver_node_t.ident
so that ngx_event_ident() extracts something sensible when accessing
ngx_resolver_node_t as ngx_connection_t.
2014-11-20 15:24:42 +03:00
Ruslan Ermilov
d4b7b74686 Resolver: fixed use-after-free memory access.
In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.
2014-11-20 15:24:40 +03:00
Valentin Bartenev
96a62f1396 Style. 2014-11-19 21:46:01 +03:00
Valentin Bartenev
1276d8483e Fixed type of sendfile() return value on Linux.
There was no real problem since the amount of bytes can be sent is limited by
NGX_SENDFILE_MAXSIZE to less than 2G.  But that can be changed in the future
2014-11-19 21:18:13 +03:00
Valentin Bartenev
a301e1a706 Moved writev() handling code to a separate function.
This reduces code duplication and unifies debug logging of the writev() syscall
among various send chain functions.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
79ddab189f Merged conditions in the ngx_*_sendfile_chain() functions.
No functional changes.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
d85d459bb2 Moved the code for coalescing file buffers to a separate function. 2014-08-13 15:11:45 +04:00
Valentin Bartenev
f00918eab3 Refactored ngx_solaris_sendfilev_chain().
Though ngx_solaris_sendfilev_chain() shouldn't suffer from the problem mentioned
in d1bde5c3c5d2 since currently IOV_MAX on Solaris is 16, but this follows the
change from 3d5717550371 in order to make the code look similar to other systems
and potentially eliminates the problem in the future.
2014-11-19 21:17:11 +03:00
Valentin Bartenev
b29d599c0b Introduced the ngx_output_chain_to_iovec() function.
It deduplicates code of the send chain functions and uses only preallocated
memory, which completely solves the problem mentioned in d1bde5c3c5d2.
2014-10-07 11:38:57 +04:00
Valentin Bartenev
41ed973456 Renamed ngx_handle_sent_chain() to ngx_chain_update_sent().
No functional changes.
2014-11-19 21:16:19 +03:00
Piotr Sikora
3ecac9eaba Cache: add support for Cache-Control's s-maxage response directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-11-18 17:07:14 -08:00
Roman Arutyunyan
1b79cb211d Proxy: renamed and rearranged fields in proxy configuration.
No functional changes.
2014-11-19 17:33:24 +03:00
Roman Arutyunyan
8898c97dbd Upstream: different header lists for cached and uncached requests.
The upstream modules remove and alter a number of client headers
before sending the request to upstream.  This set of headers is
smaller or even empty when cache is disabled.

It's still possible that a request in a cache-enabled location is
uncached, for example, if cache entry counter is below min_uses.
In this case it's better to alter a smaller set of headers and
pass more client headers to backend unchanged.  One of the benefits
is enabling server-side byte ranges in such requests.
2014-11-19 17:33:23 +03:00
Roman Arutyunyan
bcf6b11a34 Upstream: moved header lists to separate structures.
No functional changes.
2014-11-19 17:33:22 +03:00
Roman Arutyunyan
62dfdf1814 Upstream: moved header initializations to separate functions.
No functional changes.
2014-11-19 17:33:21 +03:00
Roman Arutyunyan
3b33056522 Scgi: do not push redundant NULL element into conf->params. 2014-11-19 17:33:21 +03:00
Roman Arutyunyan
2628cc11d4 Cache: proxy_cache_lock_age and friends.
Once this age is reached, the cache lock is discarded and another
request can acquire the lock.  Requests which failed to acquire
the lock are not allowed to cache the response.
2014-11-18 20:41:12 +03:00
Valentin Bartenev
20d41493d4 SPDY: fixed check for too long header name or value.
For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data.  One more byte is needed for null-termination
and another one for further progress.  Otherwise inflate() fails with
Z_BUF_ERROR.
2014-11-07 17:22:19 +03:00
Valentin Bartenev
42b6d57fb5 SPDY: improved debug logging of inflate() calls. 2014-11-07 17:19:12 +03:00
Maxim Dounin
1fd4cd0b96 SSL: logging level of "inappropriate fallback" (ticket #662).
Patch by Erik Dubbelboer.
2014-11-17 16:38:48 +03:00
Toshikuni Fukaya
d9f5baa0b8 Upstream: support named location for X-Accel-Redirect. 2014-11-04 19:56:23 +09:00
Piotr Sikora
a9d9b09103 Upstream: add "proxy_ssl_certificate" and friends.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-30 04:30:41 -07:00
Maxim Dounin
fb96936c1a SPDY: fixed "too long header line" logging.
This fixes possible one byte buffer overrun and makes sure ellipsis are
always added, see 21043ce2a005.
2014-11-07 17:38:55 +03:00
Maxim Dounin
e2bc3c11b2 Cache: removed dead store in ngx_http_file_cache_vary_header().
Found by Clang Static Analyzer.
2014-11-05 18:53:26 +03:00
Valentin Bartenev
f9b99baed3 Access log: cancel the flush timer on graceful shutdown.
Previously, it could prevent a worker process from exiting
for up to the configured flush timeout.
2014-08-25 13:41:31 +04:00
Valentin Bartenev
8b30fb7c97 Events: introduced cancelable timers. 2014-08-13 22:45:04 +04:00
Valentin Bartenev
16403bc7b1 Events: simplified cycle in ngx_event_expire_timers(). 2014-08-25 13:37:06 +04:00
Valentin Bartenev
246152c864 Events: removed broken thread support from event timers.
It's mostly dead code.  And the idea of thread support for this task has
been deprecated.
2014-08-25 13:34:39 +04:00
Sergey Kandaurov
33f5555940 SSL: simplified ssl_password_file error handling.
Instead of collecting a number of the possible SSL_CTX_use_PrivateKey_file()
error codes that becomes more and more difficult with the rising variety of
OpenSSL versions and its derivatives, just continue with the next password.

Multiple passwords in a single ssl_password_file feature was broken after
recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.

Reported by Piotr Sikora.
2014-10-24 04:28:00 -07:00
Piotr Sikora
54606d4625 SPDY: stop emitting multiple empty header values.
Previously, nginx would emit empty values in a header with multiple,
NULL-separated values.

This is forbidden by the SPDY specification, which requires headers to
have either a single (possibly empty) value or multiple, NULL-separated
non-empty values.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-27 14:25:56 -07:00
Valentin Bartenev
78dd8b5eda Version bump. 2014-10-28 21:58:49 +03:00
Kouhei Sutou
b3f9a94e6a Win32: made build-able with MinGW-w64 gcc. 2014-10-15 21:15:01 +09:00
Gu Feng
726c5726fb Upstream: limited next_upstream time and tries when resolving DNS.
When got multiple upstream IP addresses using DNS resolving, the number of
upstreams tries and the maxinum time spent for these tries were not affected.
This patch fixed it.
2014-10-27 19:52:03 +08:00
Roman Arutyunyan
cf1e4781a9 Write filter: stored delay in a variable, no functional changes.
The code is now similar to ngx_event_pipe_read_upstream().
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
18e4d042b0 Upstream: proxy_limit_rate and friends.
The directives limit the upstream read rate.  For example,
"proxy_limit_rate 42" limits proxy upstream read rate to
42 bytes per second.
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
0989d63f06 Core: added limit to recv_chain(). 2014-10-28 12:29:58 +03:00
Maxim Dounin
5f625b7df0 Cache: normalization of some Vary headers.
Spaces in Accept-Charset, Accept-Encoding, and Accept-Language headers
are now ignored.  As per syntax of these headers spaces can only appear
in places where they are optional.
2014-10-27 21:14:12 +03:00
Maxim Dounin
6255935e0f Cache: multiple variants of a resource now can be stored.
If a variant stored can't be used to respond to a request, the variant
hash is used as a secondary key.

Additionally, if we previously switched to a secondary key, while storing
a response to cache we check if the variant hash still apply.  If not, we
switch back to the original key, to handle cases when Vary changes.
2014-10-27 21:14:10 +03:00
Maxim Dounin
83f00adc9b Cache: c->reading flag introduced.
It replaces c->buf in checks in ngx_http_file_cache_open(), making it possible
to reopen the file without clearing c->buf.  No functional changes.
2014-10-27 21:14:07 +03:00
Maxim Dounin
1332e76b20 Cache: hash of Vary headers now stored in cache.
To cache responses with Vary, we now calculate hash of headers listed
in Vary, and return the response from cache only if new request headers
match.

As of now, only one variant of the same resource can be stored in cache.
2014-10-27 21:13:58 +03:00
Maxim Dounin
fc785b12a0 Cache: disable caching of responses with Vary (ticket #118).
The "proxy_ignore_header" directive now undersands the "Vary" parameter
to ignore the header as needed.
2014-10-27 21:13:39 +03:00
Maxim Dounin
97e618c556 Gzip, gunzip: flush busy buffers if any.
Previous code resulted in transfer stalls when client happened
to read all the data in buffers at once, while all gzip buffers
were exhausted (but ctx->nomem wasn't set).  Make sure to call
next body filter at least once per call if there are busy buffers.

Additionally, handling of calls with NULL chain was changed to follow
the same logic, i.e., next body filter is only called with NULL chain
if there are busy buffers.  This is expected to fix "output chain is empty"
alerts as reported by some users after c52a761a2029 (1.5.7).
2014-10-15 22:57:23 +04:00
Maxim Dounin
9369cf8df3 Style. 2014-10-14 20:19:36 +04:00
Roman Arutyunyan
2244a5e9cf Upstream: proxy_force_ranges and friends.
The directives enable byte ranges for both cached and uncached
responses regardless of backend headers.
2014-10-14 18:32:01 +04:00
Kouhei Sutou
8ae7751878 Win32: suppressed warnings by "-Werror=sign-compare". 2014-10-11 21:09:29 +09:00
Kouhei Sutou
3df66a632a Win32: fixed wrong type cast.
GetQueuedCompletionStatus() document on MSDN says the
following signature:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa364986.aspx

    BOOL WINAPI GetQueuedCompletionStatus(
      _In_   HANDLE CompletionPort,
      _Out_  LPDWORD lpNumberOfBytes,
      _Out_  PULONG_PTR lpCompletionKey,
      _Out_  LPOVERLAPPED *lpOverlapped,
      _In_   DWORD dwMilliseconds
    );

In the latest specification, the type of the third argument
(lpCompletionKey) is PULONG_PTR not LPDWORD.
2014-10-11 20:56:35 +09:00
Maxim Dounin
c01481a4cb Fixed possible buffer overrun in "too long header line" logging.
Additionally, ellipsis now always added to make it clear that
the header logged is incomplete.

Reported by Daniil Bondarev.
2014-10-08 17:16:04 +04:00
Yichun Zhang
52e4dc2f74 Core: fixed buffer overrun when hash max_size reached. 2014-10-02 12:00:17 -07:00
Piotr Sikora
4a2fba2d46 Upstream: fix $upstream_cache_last_modified variable.
Due to the u->headers_in.last_modified_time not being correctly initialized,
this variable was evaluated to "Thu, 01 Jan 1970 00:00:00 GMT" for responses
cached without the "Last-Modified" header which resulted in subsequent proxy
requests being sent with "If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT"
header.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-01 15:48:53 -07:00
Valentin Bartenev
840b347bb2 Fixed counting of sent bytes in the send chain functions on EINTR.
Previously, a value of the "send" variable wasn't properly adjusted
in a rare case when syscall was interrupted by a signal.  As a result,
these functions could send less data than the limit allows.
2014-08-27 20:51:01 +04:00
Valentin Bartenev
70995077ad Version bump. 2014-10-02 22:36:27 +04:00
Maxim Dounin
403a9efc0c Upstream keepalive: reset c->sent on cached connections.
The c->sent is reset to 0 on each request by server-side http code,
so do the same on client side.  This allows to count number of bytes
sent in a particular request.
2014-09-29 22:27:45 +04:00
Valentin Bartenev
c9fbbc8273 Limit req: reduced number of parameters in the lookup function.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
021a9df15b Limit req: use complex value in limit_req_zone.
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
with nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
98f7d0efb2 Limit conn: aligned field names in structures.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
dd1ae4348a Limit conn: use complex value in limit_conn_zone (ticket #121).
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
to nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
1866f15d7d Limit conn: removed deprecated "limit_zone" directive.
It's deprecated since 260d591cb6a3 (1.1.8).  The "limit_conn_zone" directive
should be used instead.
2014-09-24 21:55:19 +04:00
Vladimir Homutov
27fa3123f9 Syslog: improved error handling of unix domain sockets.
If a syslog daemon is restarted and the unix socket is used, further logging
might stop to work.  In case of send error, socket is closed, forcing
a reconnection at the next logging attempt.
2014-08-26 14:56:54 +04:00
Vladimir Homutov
d79cbf15e6 Syslog: enabled logging of send errors.
The ngx_cycle->log is used when sending the message.  This allows to log syslog
send errors in another log.

Logging to syslog after its cleanup handler has been executed was prohibited.
Previously, this was possible from ngx_destroy_pool(), which resulted in error
messages caused by attempts to write into the closed socket.

The "processing" flag is renamed to "busy" to better match its semantics.
2014-09-01 17:55:07 +04:00
Gu Feng
bba2ce8aae Avoided to add duplicate hash key in ngx_http_types_slot(). 2014-09-17 22:52:02 +08:00
Valentin Bartenev
840d205bac Removed duplicate initialization of the "rev" variable. 2014-09-22 19:48:23 +04:00
Valentin Bartenev
651be6067e Generalized definitions of the number of preallocated iovec's.
No functional changes.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
1cbeabfd4c Reduced difference between the send chain functions.
No functional changes.  This follows the change from ad137a80919f.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
0a02bdb249 Merged implementations of ngx_readv_chain().
There's no real need in two separate implementations,
with and without kqueue support.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
77d61350a4 Removed the "complete" variable from various send chain functions.
It was made redundant by the previous change, since the "sent" variable
is no longer modified.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
4aac91049f Moved the code for adjusting sent buffers in a separate function. 2014-08-13 15:11:45 +04:00
Valentin Bartenev
8b6f1c7bb0 Fixed writev() debug log message in ngx_darwin_sendfile_chain(). 2014-08-13 15:11:45 +04:00
Roman Arutyunyan
ba1676f267 Upstream: fixed file buffers reinit in ngx_http_upstream_reinit().
Previously, a file buffer start position was reset to the file start.
Now it's reset to the previous file buffer end.  This fixes
reinitialization of requests having multiple successive parts of a
single file.  Such requests are generated by fastcgi module.
2014-09-18 16:37:16 +04:00
Roman Arutyunyan
66876d0b09 FastCGI: fixed start pointers in request buffers.
The start pointers are used in ngx_http_upstream_reinit() to
reinit FastCGI requests.
2014-09-18 16:37:14 +04:00
Valentin Bartenev
a7798de9bd Limit req: don't truncate key value to 255 bytes.
While the module allows to use values up to 65535 bytes as a key,
that actually never worked properly.
2014-09-16 21:12:51 +04:00
Valentin Bartenev
681f74a9ba Version bump. 2014-09-17 12:04:47 +04:00
Maxim Dounin
6ec0f4d85b SSL: session id context now includes certificate hash.
This prevents inappropriate session reuse in unrelated server{}
blocks, while preserving ability to restore sessions on other servers
when using TLS Session Tickets.

Additionally, session context is now set even if there is no session cache
configured.  This is needed as it's also used for TLS Session Tickets.

Thanks to Antoine Delignat-Lavaud and Piotr Sikora.
2014-09-15 17:59:47 +04:00
Valentin Bartenev
152d92b4b7 Access log: fixed the "if=" parameter with buffering (ticket #625).
It might not work if there were more than one "access_log" directives
pointed to the same file and duplicate buffer parameters.
2014-09-13 21:47:13 +04:00
Roman Arutyunyan
02ce6c415f Upstream: limited next_upstream time and tries (ticket #544).
The new directives {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_tries
and {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_timeout limit
the number of upstreams tried and the maximum time spent for these tries
when searching for a valid upstream.
2014-09-12 18:50:47 +04:00
Roman Arutyunyan
cfc3db1972 Upstream: included backup peers into peer.tries.
Since peer.tries is never reset it can now be limited if required.
2014-09-12 18:50:46 +04:00
Maxim Dounin
4c7e1a8d85 Upstream keepalive: removed "single" parameter remnants.
The "single" parameter is deprecated and ignored since 5b5c07dee156 (1.3.2).
2014-09-11 20:09:04 +04:00
Maxim Dounin
3a235bf52e Added warning about unset cache keys.
In fastcgi, scgi and uwsgi modules there are no default cache keys, and
using a cache without a cache key set is likely meaningless.
2014-09-11 20:08:52 +04:00
Maxim Dounin
d7d26feba1 Style. 2014-09-11 20:08:45 +04:00
FengGu
b4cb8475b1 Upstream: avoided directly terminating the connection.
When memory allocation failed in ngx_http_upstream_cache(), the connection
would be terminated directly in ngx_http_upstream_init_request().
Return a INTERNAL_SERVER_ERROR response instead.
2014-08-13 14:53:55 +08:00
Maxim Dounin
cb8a0327ab Added ngx_init_setproctitle() return code check.
The ngx_init_setproctitle() function, as used on systems without
setproctitle(3), may fail due to memory allocation errors, and
therefore its return code needs to be checked.

Reported by Markus Linnala.
2014-09-08 21:36:09 +04:00
Maxim Dounin
90df702bf8 Fixed ETag memory allocation error handling.
The etag->hash must be set to 0 to avoid an empty ETag header being
returned with the 500 Internal Server Error page after the memory
allocation failure.

Reported by Markus Linnala.
2014-09-08 21:36:03 +04:00
Maxim Dounin
c5bee22d16 Core: ngx_regex_compile() error handling fixes.
Now we actually return NGX_ERROR on errors, and provide an error
string for memory allocation errors.

Reported by Markus Linnala.
2014-09-08 21:35:53 +04:00
Piotr Sikora
2af7181b3b SSL: guard use of all SSL options for bug workarounds.
Some of the OpenSSL forks (read: BoringSSL) started removing unused,
no longer necessary and/or not really working bug workarounds along
with the SSL options and defines for them.

Instead of fixing nginx build after each removal, be proactive
and guard use of all SSL options for bug workarounds.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-09-03 14:49:55 -07:00
Roman Arutyunyan
c0b3b9d6ca Upstream: suppressed the file cache slab allocator error messages.
The messages "ngx_slab_alloc() failed: no memory in cache keys zone"
from the file cache slab allocator are suppressed since the allocation
is likely to succeed after the forced expiration of cache nodes.
The second allocation failure is reported.
2014-09-05 18:14:59 +04:00
Valentin Bartenev
37d24e7e3b Events: processing of posted events changed from LIFO to FIFO.
In theory, this can provide a bit better distribution of latencies.

Also it simplifies the code, since ngx_queue_t is now used instead
of custom implementation.
2014-09-01 18:20:18 +04:00
Valentin Bartenev
2a81e05566 Events: removed broken thread support from posted events.
It's mostly dead code.  And the idea of thread support for this task has
been deprecated.
2014-09-01 18:20:03 +04:00
Valentin Bartenev
3ca3f609cb Mail: initialize the "signature" field of ngx_mail_session_t.
Currently it isn't used, but it can be suitable to distinguish
objects stored in c->data.
2014-09-01 17:50:59 +04:00
Ruslan Ermilov
be6175d49d Upstream: improved configuration parser diagnostics.
Made it clear when the selected balancing method does not
support certain parameters of the "server" directive.
2014-09-01 12:27:38 +04:00
Sergey Kandaurov
967c51c9ff Headers filter: "add_header" with "always" parameter (ticket #98).
If specified, the header field is set regardless of the status code.
2014-08-29 18:00:10 +04:00
Maxim Dounin
31c35adfe1 Variables: updated list of prefixes in ngx_http_rewrite_set(). 2014-08-27 21:38:08 +04:00
Maxim Dounin
8cf734c7b4 Variables: fixed non-indexed access of prefix vars (ticket #600).
Previously, a configuration like

    location / {
        ssi on;
        ssi_types *;
        set $http_foo "bar";
        return 200 '<!--#echo var="http_foo" -->\n';
    }

resulted in NULL pointer dereference in ngx_http_get_variable() as
the variable was explicitly added to the variables hash, but its
get_handler wasn't properly set in the hash.  Fix is to make sure
that get_handler is properly set by ngx_http_variables_init_vars().
2014-08-27 21:38:04 +04:00
Valentin Bartenev
dbcb16ff68 SPDY: added a comment about handling stream with the timer set. 2014-08-18 13:23:45 +04:00
Valentin Bartenev
c425f19daa SPDY: avoid setting timeout on stream events in ngx_http_writer().
The SPDY module doesn't expect timers can be set on stream events for reasons
other than delaying output.  But ngx_http_writer() could add timer on write
event if the delayed flag wasn't set and nginx is waiting for AIO completion.
That could cause delays in sending response over SPDY when file AIO was used.
2014-08-27 20:44:11 +04:00
Ruslan Ermilov
da46eed537 Resolver: notify all waiting requests on timeout.
If a "resolver_timeout" occurs, only the first waiting request
was notified.  Other requests may hang forever.
2014-08-19 15:43:26 +04:00
Ruslan Ermilov
8607e64b83 Stub status: corrected the "stub_status" directive.
The "stub_status" directive does not require an argument.
2014-08-26 17:35:23 +04:00
Valentin Bartenev
9fb2b9287d Sub filter: fixed matching for a single character. 2014-08-25 16:08:55 +04:00
Valentin Bartenev
c7efcf6ba6 Mail: fixed number of arguments allowed in the listen directive. 2014-08-20 13:13:27 +04:00
Valentin Bartenev
8575dc3516 Mail: fixed a comment.
There's no loc_conf in the mail module.
2014-08-20 13:13:27 +04:00
Roman Arutyunyan
a8227724c0 Mp4: use trak->smhd_size in ngx_http_mp4_read_smhd_atom().
Reported by Gang Li.
2014-08-19 14:13:39 +04:00
Sergey Kandaurov
3ed0e11d08 Image filter: downgrade strong etags to weak ones as needed. 2014-08-18 12:03:41 +04:00
Sergey Kandaurov
886ad0e9d3 Fixed typo. 2014-08-15 14:09:29 +04:00
Maxim Dounin
870b962382 Events: removed unused variable in ngx_poll_process_events(). 2014-08-10 17:44:46 +04:00
Yves Crespin
3c0c66c5d8 Events: format specifier fixes. 2014-08-07 15:04:43 +02:00
Yves Crespin
6a58555ca8 Events: changed nevents type to unsigned in poll module. 2014-08-07 14:56:57 +02:00
Tatsuhiko Kubo
12300c2a20 Style: use specified macro instead of magic-number. 2014-08-06 23:58:44 +09:00
Piotr Sikora
b3066b16e1 Perl: NULL-terminate argument list.
perl_parse() function expects argv/argc-style argument list,
which according to the C standard must be NULL-terminated,
that is: argv[argc] == NULL.

This change fixes a crash (SIGSEGV) that could happen because
of the buffer overrun during perl module initialization.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-19 04:16:36 -07:00
Maxim Dounin
8f0f4c10e9 Access log: allowed logs to syslog with "if=" (ticket #596). 2014-08-06 00:22:36 +04:00
Maxim Dounin
4b5876c922 Version bump. 2014-08-05 22:50:25 +04:00
Maxim Dounin
44f45a5466 Mail: discard pipelined commands after SMTP STARTTLS.
The bug had appeared in nginx 1.5.6 (04e43d03e153).

Reported by Chris Boulton.
2014-08-05 12:22:07 +04:00
Piotr Sikora
1fe0f6a9b9 Core: exit on ngx_pnalloc() failure.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-08-01 20:39:22 -07:00
Tatsuhiko Kubo
f240215ba6 Style: use ngx_free() instead of free(). 2014-08-03 03:27:39 +09:00
Tatsuhiko Kubo
244a6a28b1 Core: improved ngx_pstrdup() error handling. 2014-08-01 20:04:14 +09:00
Sergey Kandaurov
88132eed54 Status: indentation and style, no functional changes. 2014-08-01 18:36:35 +04:00
FengGu
bfa56738af Dav: ngx_http_map_uri_to_path() errors were not checked.
Once error occured, it could lead to use uninitialized variables to log,
even more segmentation fault.
2014-07-30 14:45:08 +08:00
Piotr Sikora
9ed633b930 SSL: let it build against LibreSSL.
LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0, so tests
for OpenSSL-1.0.2+ are now passing, even though the library doesn't
provide functions that are expected from that version of OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-30 04:32:16 -07:00
Piotr Sikora
0dcfca0301 SSL: let it build against BoringSSL.
This change adds support for using BoringSSL as a drop-in replacement
for OpenSSL without adding support for any of the BoringSSL-specific
features.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-30 04:32:15 -07:00
Piotr Sikora
a57394b3e9 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
This is really just a prerequisite for building against BoringSSL,
which doesn't provide either of those features.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-28 12:27:57 -07:00
Maxim Dounin
5958181b1e Bigger iovec buffer in ngx_readv_chain().
This helps to reduce likelyhood of memory allocations in ngx_readv_chain(),
which are known to lead to noticeable effects in some cases, see
http://mailman.nginx.org/pipermail/nginx/2014-July/044512.html.
2014-07-28 18:30:19 +04:00
Maxim Dounin
8639e17f94 SSL: misplaced space in debug message. 2014-07-28 18:30:18 +04:00
Maxim Dounin
4b2f12a604 Upstream: SSL handshake timeouts.
Timeout may not be set on an upstream connection when we call
ngx_ssl_handshake() in ngx_http_upstream_ssl_init_connection(),
so make sure to arm it if it's not set.

Based on a patch by Yichun Zhang.
2014-07-28 18:30:14 +04:00
Yichun Zhang
7b24c53efe GeoIP: not all variable fields were initialized.
The ngx_http_geoip_city_float_variable and
ngx_http_geoip_city_int_variable functions did not always initialize
all variable fields like "not_found", which could lead to empty values
for those corresponding nginx variables randomly.
2014-07-25 14:43:29 -07:00
Piotr Sikora
3ba8f2f73d Core: use uppercase hexadecimal digits for percent-encoding.
RFC3986 says that, for consistency, URI producers and normalizers
should use uppercase hexadecimal digits for all percent-encodings.

This is also what modern web browsers and other tools use.

Using lowercase hexadecimal digits makes it harder to interact with
those tools in case when use of the percent-encoded URI is required,
for example when $request_uri is part of the cache key.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-26 23:39:23 -07:00
Vladimir Homutov
c54899ddfd Core: fixed default log initialization.
The ngx_log_insert() function may invalidate pointer passed to it,
so make sure to don't use it after the ngx_log_insert() call.
2014-07-24 16:25:07 +04:00
Maxim Dounin
248baf4262 Upstream: ngx_http_upstream_store() error handling fixes.
Previously, ngx_http_map_uri_to_path() errors were not checked in
ngx_http_upstream_store().  Moreover, in case of errors temporary
files were not deleted, as u->store was set to 0, preventing cleanup
code in ngx_http_upstream_finalize_request() from removing them.  With
this patch, u->store is set to 0 only if there were no errors.

Reported by Feng Gu.
2014-07-18 20:11:40 +04:00
Maxim Dounin
88d9289f82 Reset of r->uri.len on URI parsing errors.
This ensures that debug logging and the $uri variable (if used in
400 Bad Request processing) will not try to access uninitialized
memory.

Found by Sergey Bobrov.
2014-07-18 20:02:11 +04:00
Ruslan Ermilov
7e52432a05 Resolver: fixed resend on malformed responses.
DNS request resend on malformed responses was broken in 98876ce2a7fd (1.5.8).

Reported by Pramod Korathota.
2014-07-16 10:21:28 +04:00
Piotr Sikora
79c55b2cca SSL: fix build with recent OpenSSL.
X509_check_host() prototype changed recently:
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ced3d91
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=297c67f

Bump version requirement, so that OpenSSL-1.0.2-beta1 uses fallback code.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-09 12:27:15 -07:00
Jianjun Zheng
584692027b Core: bugfix for the ngx_slab_max_size case. 2014-06-18 16:39:59 +08:00
Tatsuhiko Kubo
cc870236b2 Style: use ngx_str_set(). 2014-07-09 23:23:59 +09:00
Tatsuhiko Kubo
ef2b59699a Style: use ngx_str_null(). 2014-07-09 23:22:14 +09:00
Tatsuhiko Kubo
bb4edb5cef Style: use ngx_strlen() instead of strlen(). 2014-07-09 23:20:40 +09:00
Piotr Sikora
12ca9c9c8f SPDY: fix support for headers with multiple values.
Split SPDY header with multiple, NULL-separated values:

    cookie: foo\0bar

into two separate HTTP headers with the same name:

    cookie: foo
    cookie: bar

Even though the logic for this behavior already existed
in the source code, it doesn't look that it ever worked
and SPDY streams with such headers were simply rejected.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 02:17:44 -07:00
Piotr Sikora
ba95686741 Style: fix typo.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
a02ca8e173 Style: use ngx_memcpy() instead of memcpy().
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
a2229a4035 Style: keep return type and function name on different lines.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
2cfcef5b42 Style: remove whitespace between function name and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
7e7589e746 Style: add whitespace between control statement and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:13 -07:00
Piotr Sikora
d224ed7eea SSL: stop accessing SSL_SESSION's fields directly.
SSL_SESSION struct is internal part of the OpenSSL library and it's fields
should be accessed via API (when exposed), not directly.

The unfortunate side-effect of this change is that we're losing reference
count that used to be printed at the debug log level, but this seems to be
an acceptable trade-off.

Almost fixes build with -DOPENSSL_NO_SSL_INTERN.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:14 -07:00
Maxim Dounin
ce64398751 SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
The RSA_generate_key() is marked as deprecated and causes build to
fail.  On the other hand, replacement function, RSA_generate_key_ex(),
requires much more code.  Since RSA_generate_key() is only needed
for barely usable EXP ciphers, the #ifdef was added instead.

Prodded by Piotr Sikora.
2014-07-09 04:08:13 +04:00
Piotr Sikora
bd058b9d24 SSL: return temporary RSA key only when the key length matches.
This change is mostly cosmetic, because in practice this callback
is used only for 512-bit RSA keys.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:13 -07:00
Piotr Sikora
f0e05f3d89 SSL: include correct OpenSSL headers.
Previously, <bn.h>, <dh.h>, <rand.h> and <rsa.h> were pulled in
by <engine.h> using OpenSSL's deprecated interface, which meant
that nginx couldn't have been built with -DOPENSSL_NO_DEPRECATED.

Both <x509.h> and <x509v3.h> are pulled in by <ocsp.h>, but we're
calling X509 functions directly, so let's include those as well.

<crypto.h> is pulled in by virtually everything, but we're calling
CRYPTO_add() directly, so let's include it as well.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:13 -07:00
Maxim Dounin
098c6bd81f Version bump. 2014-07-09 03:15:00 +04:00
Maxim Dounin
11bbbc051b Win32: ngx_open_dir() and ngx_close_dir() fixes.
The ngx_open_dir() function changed to restore name passed to it.  This
fixes removing destination directory in dav module, as caught by dav.t.
The ngx_close_dir() function introduced to properly convert errors, as
FindClose() returns 0 on error.
2014-07-05 23:29:47 +04:00
Maxim Dounin
d9152910d3 SSL: logging level of "peer closed connection in SSL handshake".
Previously, the NGX_LOG_INFO level was used unconditionally.  This is
correct for client SSL connections, but too low for connections to
upstream servers.  To resolve this, ngx_connection_error() now used
to log this error, it will select logging level appropriately.

With this change, if an upstream connection is closed during SSL
handshake, it is now properly logged at "error" level.
2014-07-04 22:14:36 +04:00
Maxim Dounin
4a75e1a63c Upstream: p->downstream_error instead of closing connection.
Previously, nginx closed client connection in cases when a response body
from upstream was needed to be cached or stored but shouldn't be sent to
the client.  While this is normal for HTTP, it is unacceptable for SPDY.

Fix is to use instead the p->downstream_error flag to prevent nginx from
sending anything downstream.  To make this work, the event pipe code was
modified to properly cache empty responses with the flag set.
2014-07-04 20:47:16 +04:00
Valentin Bartenev
3c2b5e88ab Upstream: fixed handling of write event after sending request.
The ngx_http_upstream_dummy_handler() must be set regardless of
the read event state.  This prevents possible additional call of
ngx_http_upstream_send_request_handler().
2014-07-01 20:52:08 +04:00
Valentin Bartenev
9f8785ae5e SSL: the "ssl_password_file" directive. 2014-06-16 19:43:25 +04:00
Maxim Dounin
9d4de05be4 Core: removed meaningless check from ngx_palloc_block().
The check became meaningless after refactoring in 2a92804f4109.
With the loop currently in place, "current" can't be NULL, hence
the check can be dropped.

Additionally, the local variable "current" was removed to
simplify code, and pool->current now used directly instead.

Found by Coverity (CID 714236).
2014-06-26 03:34:19 +04:00
Maxim Dounin
25250a20d2 Fixed wrong sizeof() in ngx_http_init_locations().
There is no real difference on all known platforms, but it's still wrong.

Found by Coverity (CID 400876).
2014-06-26 03:34:13 +04:00
Maxim Dounin
1a5cdafa82 Core: plugged socket leak during configuration test.
This isn't really important as configuration testing shortly ends with
a process termination which will free all sockets, though Coverity
complains.

Prodded by Coverity (CID 400872).
2014-06-26 03:34:05 +04:00
Maxim Dounin
46ac5c760c Upstream: cache revalidation using If-None-Match. 2014-06-26 02:35:01 +04:00
Maxim Dounin
b812961677 Cache: ETag now saved into cache header. 2014-06-26 02:28:23 +04:00
Maxim Dounin
c2e49a4196 Cache: version in cache files.
This allows to change the structure of cache files without spamming logs
with false alerts.
2014-06-26 02:27:21 +04:00
Maxim Dounin
8f9fb9570e Entity tags: explicit flag to skip not modified filter.
Previously, last_modified_time was tested against -1 to check if the
not modified filter should be skipped.  Notably, this prevented nginx
from additional If-Modified-Since (et al.) checks on proxied responses.
Such behaviour is suboptimal in some cases though, as checks are always
skipped on responses from a cache with ETag only (without Last-Modified),
resulting in If-None-Match being ignored in such cases.  Additionally,
it was not possible to return 412 from the If-Unmodified-Since if last
modification time was not known for some reason.

This change introduces explicit r->disable_not_modified flag instead,
which is set by ngx_http_upstream_process_headers().
2014-06-26 02:27:11 +04:00
Maxim Dounin
feb1649049 Entity tags: weak comparison for If-None-Match. 2014-06-26 02:21:20 +04:00
Maxim Dounin
def16742a1 Entity tags: downgrade strong etags to weak ones as needed.
See http://mailman.nginx.org/pipermail/nginx-devel/2013-November/004523.html.
2014-06-26 02:21:01 +04:00
Maxim Dounin
5d477a76fe Upstream: fixed cache revalidation with SSI.
Previous code in ngx_http_upstream_send_response() used last modified time
from r->headers_out.last_modified_time after the header filter chain was
already called.  At this point, last_modified_time may be already cleared,
e.g., with SSI, resulting in incorrect last modified time stored in a
cache file.  Fix is to introduce u->headers_in.last_modified_time instead.
2014-06-26 02:20:09 +04:00
Maxim Dounin
6c25c848cb Upstream: removed unused offset to content_length.
It's not needed since introduction of ngx_http_upstream_content_length()
in 103b0d9afe07.
2014-06-26 02:20:05 +04:00
Maxim Dounin
4e275cc73a Upstream: no need to clear r->headers_out.last_modified_time.
Clearing of the r->headers_out.last_modified_time field if a response
isn't cacheable in ngx_http_upstream_send_response() was introduced
in 3b6afa999c2f, the commit to enable not modified filter for cacheable
responses.  It doesn't make sense though, as at this point header was
already sent, and not modified filter was already executed.  Therefore,
the line was removed to simplify code.
2014-06-26 02:19:58 +04:00
Maxim Dounin
05dfc054f0 Not modified filter: debug log format fixed. 2014-06-26 02:19:55 +04:00
Ruslan Ermilov
02e39a3ecb Upstream: reduced diffs to the plus version of nginx.
No functional changes.
2014-06-20 12:55:41 +04:00
Sergey Kandaurov
80e5163f64 FreeBSD has migrated to Bugzilla. 2014-06-19 13:55:59 +04:00
Ruslan Ermilov
05d717b35d Core: added ngx_slab_calloc() and ngx_slab_calloc_locked().
These functions return zeroed memory, analogous to ngx_pcalloc().
2014-06-04 15:09:19 +04:00
Ruslan Ermilov
d1ba20d0c9 Version bump. 2014-06-18 13:39:20 +04:00
Ruslan Ermilov
20038acbfc Upstream: simplified some code that accesses peers.
No functional changes.
2014-06-12 21:13:24 +04:00
Piotr Sikora
a1a8defb49 Access log: fix default value, broken by cb308813b453.
log->filter ("if" parameter) was uninitialized when the default value
was being used, which would lead to a crash (SIGSEGV) when access_log
directive wasn't specified in the configuration.

Zero-fill the whole structure instead of zeroing fields one-by-one
in order to prevent similar issues in the future.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-03 10:53:48 -07:00
Maxim Dounin
afb4aafc6e Core: slab allocator free pages defragmentation.
Large allocations from a slab pool result in free page blocks being fragmented,
eventually leading to a situation when no further allocation larger than a page
size are possible from the pool.  While this isn't a problem for nginx itself,
it is known to be bad for various 3rd party modules.  Fix is to merge adjacent
blocks of free pages in the ngx_slab_free_pages() function.

Prodded by Wandenberg Peixoto and Yichun Zhang.
2014-06-03 17:53:03 +04:00
Roman Arutyunyan
9b5a17b5e2 Upstream: generic hash module. 2014-06-02 16:16:22 +04:00
Valentin Bartenev
68336e1ede SPDY: fixed operator precedence in uint16/uint32 write macros.
Since the type cast has precedence higher than the bit shift operator,
all values were truncated to 8 bits.

These macros are used to construct header block for SYN_REPLY frame on
platforms with strict alignment requirements.  As a result, any response
that contains a header with name or value longer than 255 bytes was
corrupted on such platforms.
2014-05-29 21:15:19 +04:00
Sergey Kandaurov
0750df4f16 Fixed config parsing of the last try_files parameter.
Do not taste the last parameter against directory, as otherwise it would
result in the trailing slash being cut from the parameter value.

Notably, this prevents an internal redirect to an empty URI
if the parameter is set to the literal slash:

    location / { try_files $uri /; }
2014-05-28 20:18:05 +04:00
Maxim Dounin
e9a70114a2 Configure: added -Wno-deprecated-declarations on OS X.
Previous workaround to avoid warnings on OS X due to deprecated system
OpenSSL library (introduced in a3870ea96ccd) no longer works, as
the MAC_OS_X_VERSION_MIN_REQUIRED macro is ignored on OS X 10.9
if a compiler used supports __attribute__(availability).
2014-05-28 17:41:44 +04:00
Maxim Dounin
ffe21776fa Version bump. 2014-05-28 17:41:33 +04:00
Maxim Dounin
e36718de4b Sub filter: fixed subrequests handling.
In particular, properly output partial match at the end of a subrequest
response (much like we do at the end of a response), and reset/set the
last_in_chain flag as appropriate.

Reported by KAWAHARA Masashi.
2014-05-27 16:37:35 +04:00
Vladimir Homutov
21655ae097 Syslog: fixed message sending on win32. 2014-05-27 15:42:34 +04:00
Vladimir Homutov
8e82f06d3e Syslog: fixed possible resource leak and more verbose logging.
Found by Coverity (CID 1215646).
2014-05-26 23:34:44 +04:00
Ruslan Ermilov
5c17030671 Events: use eventfd() instead of syscall(SYS_eventfd) if possible.
This fixes --with-file-aio support on systems that lack eventfd()
syscall, notably aarch64 Linux.

The syscall(SYS_eventfd) may still be necessary on systems that
have eventfd() syscall in the kernel but lack it in glibc, e.g.
as seen in the current CentOS 5 release.
2014-05-23 16:37:05 +04:00
Roman Arutyunyan
3e279a8eb4 Upstream: fix tries check in ip_hash.
Make two checks for maximum number of tries consistent.
The other one checks '>' condition.
2014-05-23 13:47:05 +04:00
Ruslan Ermilov
7808ac0d42 Mail: output client port number on client connects (ticket #531). 2014-05-22 00:16:17 +04:00
Ruslan Ermilov
056e88ea11 Core: output client port number when logging accept event. 2014-05-22 00:16:09 +04:00
Maxim Dounin
ca02a1020c Mail: added a check for the number of arguments in MAIL/RCPT.
Missed during introduction of the SMTP pipelining support (04e43d03e153,
1.5.6).  Previously, the check wasn't needed as s->buffer was used directly
and the number of arguments didn't matter.

Reported by Svyatoslav Nikolsky.
2014-05-21 21:56:20 +04:00
Vladimir Homutov
493b898ae9 Added syslog support for error_log and access_log directives. 2014-05-12 16:34:15 +04:00
Ruslan Ermilov
1736c180f4 Configure: the --build= option.
If set, its value is output in "nginx -v" and in the error log.
2014-05-20 16:10:07 +04:00
Sergey Budnevitch
27899a923a SSL: $ssl_client_fingerprint variable. 2014-05-20 14:03:03 +04:00
Maxim Dounin
84409ec8e0 Setting $args now invalidates unparsed uri.
Prodded by Yichun Zhang.
2014-05-19 22:45:35 +04:00
Maxim Dounin
4884cd611e Charset filter: fixed charset setting on encoded replies.
If response is gzipped we can't recode response, but in case it's not
needed we still can add charset to Content-Type.

The r->ignore_content_encoding is dropped accordingly, charset with gzip_static
now properly works without any special flags.
2014-05-19 22:45:34 +04:00
Maxim Dounin
ffba0eeefb Fixed alias in regex locations with limit_except/if.
The ngx_http_map_uri_to_path() function used clcf->regex to detect if
it's working within a location given by a regular expression and have
to replace full URI with alias (instead of a part matching the location
prefix).  This is incorrect due to clcf->regex being false in implicit
locations created by if and limit_except.

Fix is to preserve relevant information in clcf->alias instead, by setting
it to NGX_MAX_SIZE_T_VALUE if an alias was specified in a regex location.
2014-05-16 17:42:24 +04:00
Valentin Bartenev
a785be76f6 SPDY: added protection from overrun of the receive buffer. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
3f023a4193 SPDY: added a debug point to the state buffer overflow protection. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
57e5c3e86d SPDY: refactored ngx_http_spdy_state_headers().
This change is similar to d2ac5cf4056d.  Special flag of completeness looks
surplus when there is also a counter of frame bytes left.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
d04a714a6d SPDY: improved logging. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
d51d168066 SPDY: set log action for PROXY protocol only while parsing it.
Handling of PROXY protocol for SPDY connection is currently implemented as
a SPDY state.  And while nginx waiting for PROXY protocol data it continues
to process SPDY connection: initializes zlib context, sends control frames.
2014-05-15 19:22:06 +04:00
Valentin Bartenev
ef51079fe2 SPDY: ngx_http_spdy_state_headers() error handling cleanup.
- Specification-friendly handling of invalid header block or special headers.
   Such errors are not fatal for session and shouldn't lead to connection close;

 - Avoid mix of NGX_HTTP_PARSE_INVALID_REQUEST/NGX_HTTP_PARSE_INVALID_HEADER.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
cf770ddd82 SPDY: improved error handling of header block decompression.
Now cases when decompression failed due to internal error
and when a client sent corrupted data are distinguished.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
ba890408bd SPDY: removed ngx_http_spdy_state_headers_error().
The function just calls ngx_http_spdy_state_headers_skip() most of the time.
There was also an attempt of optimization to stop parsing if the client already
closed connection, but it looks strange and unfinished anyway.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
63ee690751 SPDY: prevented creation of RST_STREAM in protocol error state.
Previously, the frame wasn't sent anyway (and had a wrong status code).
2014-05-15 19:18:26 +04:00
Valentin Bartenev
dfb9a5cb0d SPDY: improved ngx_http_spdy_state_protocol_error().
Now ngx_http_spdy_state_protocol_error() is able to close stream,
so there is no need in a separate call for this.

Also fixed zero status code in logs for some cases.
2014-04-30 20:33:58 +04:00
Valentin Bartenev
d9c25cdf19 SPDY: fixed one case of improper memory allocation error handling.
Now ngx_http_spdy_construct_request_line() doesn't try to finalize request
in case of failed memory allocation.
2014-04-30 02:16:21 +04:00
Ruslan Ermilov
5a3d4410cc Style: use %N instead of '\n' where appropriate. 2014-05-14 22:26:30 +04:00
Ruslan Ermilov
9b92f59aef Core: use '\r' for CR and '\n' for LF definitions. 2014-05-14 22:26:05 +04:00
Filipe da Silva
e1a183946f OCSP stapling: missing OCSP request free call. 2014-04-29 22:22:38 +02:00
Maxim Dounin
094bfc6beb Upstream: restored workaround for "if".
The 7022564a9e0e changeset made ineffective workaround from 2464ccebdb52
to avoid NULL pointer dereference with "if".  It is now restored by
moving the u->ssl_name initialization after the check.

Found by Coverity (CID 1210408).
2014-04-30 19:16:55 +04:00
Maxim Dounin
aa28897b22 Core: improved ngx_conf_parse() error handling.
Previous code failed to properly restore cf->conf_file in case of
ngx_close_file() errors, potentially resulting in double free of
cf->conf_file->buffer->start.

Found by Coverity (CID 1087507).
2014-04-30 19:16:49 +04:00
Maxim Dounin
60169aa3a1 Core: fixed error handling in ngx_reopen_files().
Found by Coverity (CID 1087509).
2014-04-30 19:16:40 +04:00
Maxim Dounin
17dad56e4e Cache: added ngx_quit check to ngx_http_file_cache_expire().
While managing big caches it is possible that expiring old cache items
in ngx_http_file_cache_expire() will take a while.  Added a check for
ngx_quit / ngx_terminate to make sure cache manager can be terminated
while in ngx_http_file_cache_expire().
2014-04-30 19:16:35 +04:00
Vladimir Homutov
ed6780aaf1 Upstream: added the "$upstream_cookie_<name>" variables. 2014-04-29 12:28:41 +04:00
Valentin Bartenev
b53306815e Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
2013-11-18 03:06:45 +04:00
Valentin Bartenev
58e26b88b7 Version bump. 2014-04-24 20:50:10 +04:00
Maxim Dounin
6898a634d3 SSL: explicit handling of empty names.
X509_check_host() can't handle non null-terminated names with zero length,
so make sure to fail before calling it.
2014-04-23 20:31:31 +04:00
Ruslan Ermilov
e0e811d601 Upstream: for ssl name, non-aligned memory allocation is enough. 2014-04-22 18:56:49 +04:00
Maxim Dounin
0fd4f76e68 SSL: added explicit check for ngx_strlchr() result. 2014-04-22 14:02:45 +04:00
Valentin Bartenev
f79908af6e SPDY: avoid sending RST_STREAM on WINDOW_UPDATE with unknown SID.
There's a race condition between closing a stream by one endpoint
and sending a WINDOW_UPDATE frame by another.  So it would be better
to just skip such frames for unknown streams, like is already done
for the DATA frames.
2014-04-21 19:21:17 +04:00
Valentin Bartenev
a57959b6cd SPDY: Stream-ID restrictions according to specification. 2014-04-21 18:59:53 +04:00
Maxim Dounin
cae1bd3831 Upstream: uwsgi_ssl_name, uwsgi_ssl_verify, and so on.
Just a merge of proxy_ssl_name, proxy_ssl_verify commits into uwsgi module,
code is identical.
2014-04-18 20:13:32 +04:00
Maxim Dounin
27475dd7ee Upstream: proxy_ssl_verify and friends. 2014-04-18 20:13:30 +04:00
Maxim Dounin
59ef4a3417 Upstream: proxy_ssl_name and proxy_ssl_server_name directives.
These directives allow to switch on Server Name Indication (SNI) while
connecting to upstream servers.

By default, proxy_ssl_server_name is currently off (that is, no SNI) and
proxy_ssl_name is set to a host used in the proxy_pass directive.
2014-04-18 20:13:28 +04:00
Maxim Dounin
93eb94d622 Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.

In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
2014-04-18 20:13:24 +04:00
Maxim Dounin
6c9c973aa7 SSL: $ssl_server_name variable. 2014-04-18 20:13:21 +04:00
Maxim Dounin
583821c547 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. 2014-04-18 20:13:14 +04:00
Maxim Dounin
84785d8413 Version bump. 2014-04-18 20:12:53 +04:00
Sergey Kandaurov
7cf53e11f5 Access log: the "if" parameter of the "access_log" directive.
The parameter value specifies a condition under which the request is logged.
2014-04-15 21:32:56 +04:00
Valentin Bartenev
c69cabed1d SPDY: fixed typo in log message. 2014-04-16 11:40:42 +04:00
Valentin Bartenev
013449be01 Fixed missing "static" in declaration of ngx_http_gzip_quantity(). 2014-04-16 11:40:38 +04:00
Valentin Bartenev
7da40e6a99 SPDY: moved a variable initialization near to its check.
This should prevent attempts of using pointer before it was checked, since
all modern compilers are able to spot access to uninitialized variable.

No functional changes.
2014-04-09 18:15:32 +04:00
Valentin Bartenev
5d3f84e4e1 SPDY: fixed arguments supplied for an error message. 2014-04-08 20:12:30 +04:00
Valentin Bartenev
644a43ebd2 Version bump. 2014-04-08 20:11:31 +04:00
Valentin Bartenev
5cf11ab2e0 SPDY: avoid creating flush frames.
Previously, an empty frame object was created for an output chain that contains
only sync or flush empty buffers.  But since 39d7eef2e332 every DATA frame has
the flush flag set on its last buffer, so there's no need any more in additional
flush buffers in the output queue and they can be skipped.

Note that such flush frames caused an incorrect $body_bytes_sent value.
2014-04-07 23:35:33 +04:00
Valentin Bartenev
a547f4ac15 SPDY: consistently handle control frames with unknown type.
The SPDY draft 2 specification requires that if an endpoint receives a
control frame for a type it does not recognize, it must ignore the frame.
But the 3 and 3.1 drafts don't seem to declare any behavior for such case.
Then sticking with the previous draft in this matter looks to be right.

But previously, only 8 least significant bits of the type field were
parsed while the rest of 16 bits of the field were checked against zero.
Though there are no known frame types bigger than 255, this resulted in
inconsistency in handling of such frames: they were not recognized as
valid frames at all, and the connection was closed.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
108e4d94e4 SPDY: refactored ngx_http_spdy_state_read_data().
There's no more need in a separate indicator of frame completeness
after d74889fbf06d.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
b2cd520673 SPDY: better detect premature closing of stream.
Following a24f88eff684, now the case when the FIN flag is set in SYN_STREAM
is also covered.
2014-04-07 19:27:56 +04:00
Maxim Dounin
55bef30474 Win32: fixed shared ssl_session_cache (ticket #528).
In a worker process shm_zone->data was set to NULL instead of a proper value
extracted from shared memory.
2014-04-07 18:55:57 +04:00
Roman Arutyunyan
5147f8ee6a Mp4: allow end values bigger than track duration.
If start time is within the track but end time is out of it, error
"end time is out mp4 stts samples" is generated.  However it's
better to ignore the error and output the track until its end.
2014-04-01 20:53:18 +04:00
Maxim Dounin
2349a6747d Adjusted default value of types_hash_bucket_size (ticket #352).
The ngx_cacheline_size may be too low on some platforms, resulting
in unexpected hash build problems (as no collisions are tolerated due
to low bucket_size, and max_size isn't big enough to build a hash without
collisions).  These problems aren't fatal anymore but nevertheless
need to be addressed.
2014-03-31 22:47:42 +04:00
Maxim Dounin
8877284863 Core: fixed hash to actually try max_size.
Previously, maximum size of a hash table built was (max_size - 1).
2014-03-31 21:40:35 +04:00
Maxim Dounin
2a620ae109 Core: hash now ignores bucket_size if it hits max_size limit. 2014-03-31 21:40:31 +04:00
Maxim Dounin
23f6689846 Core: slab log_nomem flag.
The flag allows to suppress "ngx_slab_alloc() failed: no memory" messages
from a slab allocator, e.g., if an LRU expiration is used by a consumer
and allocation failures aren't fatal.

The flag is now used in the SSL session cache code, and in the limit_req
module.
2014-03-31 21:38:30 +04:00
Maxim Dounin
8f6958baa9 Win32: fixed cpu hog by cache manager on exit (ticket #514).
The "ngx_quit" may be reset by the worker thread before it's seen
by a ngx_cache_manager_thread(), resulting in an infinite loop.  Make
sure to test ngx_exiting as well.
2014-03-31 21:38:28 +04:00
Maxim Dounin
e042fc9038 Mail: fixed ngx_mail_send() (ticket #519). 2014-03-31 21:38:27 +04:00
Maxim Dounin
3183d7e17b Added #ifndef around NGX_HAVE_CASELESS_FILESYSTEM define.
This brings Cygwin compilation in line with other case-insensitive
systems (notably win32 and OS X) where one can force case sensitivity
using -DNGX_HAVE_CASELESS_FILESYSTEM=0.
2014-03-31 21:38:25 +04:00
Roman Arutyunyan
6f1763213b Mp4: improved logging after adding "end" support.
Despite introducing start and end crop operations existing log
messages still mostly refer only to start.  Logging is improved
to match both cases.

New debug logging is added to track entry count in atoms after
cropping.

Two format type mismatches are fixed as well.
2014-03-31 20:05:53 +04:00
Roman Arutyunyan
70e98eac3e Mp4: fixed seeking to a track end.
When "start" value is equal to a track duration the request
fails with "time is out mp4 stts" like it did before track
duration check was added.  Now such tracks are considered
short and skipped.
2014-03-31 19:52:17 +04:00
Valentin Bartenev
ac5a3cbeee SPDY: detect premature closing of stream.
The SPDY/3.1 specification requires that the server must respond with
a 400 "Bad request" error if the sum of the data frame payload lengths
does not equal the size of the Content-Length header.

This also fixes "zero size buf in output" alert, that might be triggered
if client sends a greater than zero Content-Length header and closes
stream using the FIN flag with an empty request body.
2014-03-28 20:22:57 +04:00
Valentin Bartenev
afb92a8127 SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.
2014-03-28 20:05:07 +04:00
Valentin Bartenev
de3c7a825e SPDY: better detect if headers block has wrong entries count.
Previously, only one case was checked: if there's more data to parse
in a r->header_in buffer, but the buffer can be filled to the end by
the last parsed entry, so we also need to check that there's no more
data to inflate.
2014-03-26 18:01:11 +04:00
Valentin Bartenev
042122a066 SPDY: detect premature end of frame while start parsing headers. 2014-03-26 17:43:39 +04:00
Piotr Sikora
ac1617915c Apply underscores_in_headers also to the first character.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-03-24 16:35:44 -07:00
Andrei Belov
b1597fe2ea Increased default value of variables_hash_max_size. 2014-03-25 18:49:28 +04:00
Sergey Kandaurov
2070abf516 Mp4: skipped empty stss atom table in output.
The atom may have no data entries after cropping.

This fixes "zero size buf in output" alerts.
2014-03-24 17:55:10 +04:00
Maxim Dounin
effbf466aa Range filter: single_range flag in request.
If set, it means that response body is going to be in more than one buffer,
hence only range requests with a single range should be honored.

The flag is now used by mp4 and cacheable upstream responses, thus allowing
range requests of mp4 files with start/end, as well as range processing
on a first request to a not-yet-cached files with proxy_cache.

Notably this makes it possible to play mp4 files (with proxy_cache, or with
mp4 module) on iOS devices, as byte-range support is required by Apple.
2014-03-21 19:33:21 +04:00
Roman Arutyunyan
c6ca135923 Mp4: added "end" argument support. 2014-03-20 16:05:19 +04:00
Roman Arutyunyan
7aa8c81002 Mp4: moved atom cropping code out of update functions.
It can now be reused for implementing mp4 end.
2014-03-20 16:05:18 +04:00
Maxim Dounin
ec1211d2f6 SPDY: improved ngx_http_spdy_state_save() again. 2014-03-19 19:30:09 +04:00
Maxim Dounin
898ca36c33 Macros used for initialization in ngx_http_core_init_main_conf(). 2014-03-19 12:57:40 +04:00
Maxim Dounin
062e7a0042 SPDY: improved ngx_http_spdy_state_save() check. 2014-03-19 12:57:39 +04:00
Maxim Dounin
a4d04f01fb SPDY: macro used for recv_buffer_size initialization. 2014-03-19 12:57:32 +04:00
Maxim Dounin
f9b027baab Version bump. 2014-03-18 22:05:05 +04:00
Maxim Dounin
c6c702c329 SPDY: always check size of data to be saved into state buffer. 2014-03-18 17:00:19 +04:00
Roman Arutyunyan
0b5f329784 Added server-side support for PROXY protocol v1 (ticket #355).
Client address specified in the PROXY protocol header is now
saved in the $proxy_protocol_addr variable and can be used in
the realip module.

This is currently not implemented for mail.
2014-03-17 17:41:24 +04:00
Maxim Dounin
2f917b6d06 FastCGI: f->split_parts reset on request start.
Additionally, make sure to check for errors from ngx_http_parse_header_line()
call after joining saved parts.  There shouldn't be any errors, though
check may help to catch bugs like missing f->split_parts reset.

Reported by Lucas Molas.
2014-03-17 15:34:36 +04:00
Maxim Dounin
8800f0c42b Core: fixed wrong indices in listening sockets compare loops.
Proper use is "ls[i]" and "nls[n]".  Previous code used it wrong in
several places, likely due to cut-n-paste errors.
2014-03-07 15:17:38 +04:00
Sergey Kandaurov
f9e7687e55 Added connection serial number in logging of left open sockets. 2014-03-06 23:15:10 +04:00
Sergey Kandaurov
bd3516e8d9 Fixed format specifier in logging of "c->number". 2014-03-06 18:25:59 +04:00
Roman Arutyunyan
a35c675e71 Version bump. 2014-03-04 23:38:31 +04:00
Valentin Bartenev
0c05e5b55f SPDY: fixed potential integer overflow while parsing headers.
Previously r->header_size was used to store length for a part of
value that represents an individual already parsed HTTP header,
while r->header_end pointed to the end of the whole value.

Instead of storing length of a following name or value as pointer
to a potential end address (r->header_name_end and r->header_end)
that might be overflowed, now r->lowercase_index counter is used
to store remaining length of a following unparsed field.

It also fixes incorrect $body_bytes_sent value if a request is
closed while parsing of the request header.  Since r->header_size
is intended for counting header size, thus abusing it for header
parsing purpose was certainly a bad idea.
2014-03-03 19:24:55 +04:00
Valentin Bartenev
3925c1b110 SPDY: constant number of preallocated structures for headers. 2014-03-03 19:24:54 +04:00
Maxim Dounin
a2a26a7ce1 Request body: avoid potential overflow. 2014-03-03 17:39:53 +04:00
Valentin Bartenev
2c0defac9b Gzip static: fixed NGX_CONF_FLAG misuse. 2014-03-03 17:17:25 +04:00
Maxim Dounin
96af3e9dfb Disabled redirects to named locations if URI is not set.
If something like "error_page 400 @name" is used in a configuration,
a request could be passed to a named location without URI set, and this
in turn might result in segmentation faults or other bad effects
as most of the code assumes URI is set.

With this change nginx will catch such configuration problems in
ngx_http_named_location() and will stop request processing if URI
is not set, returning 500.
2014-02-27 20:36:35 +04:00
Ruslan Ermilov
8aa8365121 Core: allocate enough memory to hold IPv6 text address plus port. 2014-02-22 12:08:31 +04:00
Ruslan Ermilov
9ae40c5b54 Resolver: properly handle connect() failures.
If initial attempt to connect() the UDP socket failed, e.g.
due to network unreachable, no further attempts were made.
2014-02-20 17:27:09 +04:00
Konstantin Pavlov
c539aaf352 Upstream: fixed error message wording. 2014-02-20 13:48:40 +04:00
Ruslan Ermilov
3da53f339d Access: supplemented the obfuscated code with a comment. 2014-02-19 21:45:27 +04:00
Maxim Dounin
5ec277847e Upstream: ngx_post_event() instead of upgraded call (ticket #503).
If a request is finalized in the first call to the
ngx_http_upstream_process_upgraded() function, e.g., because upstream
server closed the connection for some reason, in the second call
the u->peer.connection pointer will be null, resulting in segmentation
fault.

Fix is to avoid second direct call, and post event instead.  This ensures
that ngx_http_upstream_process_upgraded() won't be called again if
a request is finalized.
2014-02-18 17:30:40 +04:00
Roman Arutyunyan
1dc1b0785b Mp4: remove useless leading stsc entry in result mp4.
The fix removes useless stsc entry in result mp4.
If start_sample == n then current stsc entry should be skipped
and the result stsc should start with the next entry.
The reason for that is start_sample starts from 0, not 1.
2014-02-14 15:14:48 +04:00
Maxim Dounin
8f8bf842bc Win32: MSVC 2013 compatibility.
Warnings about GetVersionEx() deprecation silenced.  Precompiled object
linked in.
2014-02-13 16:54:00 +04:00
Valentin Bartenev
b20af091b7 SPDY: fixed reversed priority order in window waiting queue. 2014-02-12 21:02:29 +04:00
Piotr Sikora
60d508ceb9 Upstream: fix $upstream_status variable.
Previously, upstream's status code was overwritten with
cached response's status code when STALE or REVALIDATED
response was sent to the client.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-11 21:54:42 -08:00
Xiaochen Wang
cd358e5a95 SPDY: fixed parsing of http version.
There is an error while parsing multi-digit minor version numbers (e.g.
"HTTP/1.10").
2014-02-11 20:54:16 +08:00
Maxim Dounin
381d507467 SSL: the $ssl_session_reused variable. 2014-02-11 19:20:25 +04:00
Ruslan Ermilov
42c049bd2d Range filter: fixed duplicate charset.
If a proxied response had charset in Content-Type, the
charset was duplicated in a response to client request
with byte ranges.
2014-02-04 17:13:35 +04:00
Piotr Sikora
ab3c0f9250 Use ngx_socket_errno where appropriate.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-03 14:17:17 -08:00
Maxim Dounin
07aef702ee Version bump. 2014-02-05 18:51:30 +04:00
Shigeki Ohtsu
38a9a8968d SPDY: fixed parsing of the priority field.
The size of the priority field is increased by one bit in spdy/3,
and now it's a 3-bit field followed by 5 bits of unused space.
But a shift of these bits hasn't been adjusted in 39d7eef2e332
accordingly.
2014-02-04 14:06:23 +09:00
Maxim Dounin
7ac48da41d Core: added ngx_encode_base64url(). 2014-02-04 04:59:21 +04:00
Piotr Sikora
2e57e0609b Core: handle getsockopt(TCP_FASTOPEN) failures.
Linux returns EOPNOTSUPP for non-TCP sockets and ENOPROTOOPT for TCP
sockets, because getsockopt(TCP_FASTOPEN) is not implemented so far.

While there, lower the log level from ALERT to NOTICE to match other
getsockopt() failures.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-30 14:58:21 -08:00
Valentin Bartenev
449e8eeb53 SPDY: protocol implementation switched to spdy/3.1. 2014-01-31 19:17:26 +04:00
Vladimir Homutov
8d97a2e4d7 Fixed false compiler warning.
Newer gcc versions (4.7+) report possible use of uninitialized variable if
nginx is being compiled with -O3.
2014-01-31 14:18:52 +04:00
Ruslan Ermilov
c6d7db2500 Fixed a compile warning introduced by 01e2a5bcdd8f.
On systems with OpenSSL that has NPN support but lacks
ALPN support, some compilers emitted a warning about
possibly uninitialized "data" variable.
2014-01-30 19:13:12 +04:00
Ruslan Ermilov
8d288ec49a Proxy: fixed upstream search by proxy_pass with variables.
If "proxy_pass" is specified with variables, the resulting
hostname is looked up in the list of upstreams defined in
configuration.  The search was case-sensitive, as opposed
to the case of "proxy_pass" specified without variables.
2014-01-30 18:57:11 +04:00
Piotr Sikora
4ae889c9f2 SSL: support ALPN (IETF's successor to NPN).
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-28 15:33:49 -08:00
Roman Arutyunyan
d3e0bf306b Mp4: fix seeks to standalone last chunk.
If seek position is within the last track chunk
and that chunk is standalone (stsc entry describes only
this chunk) such seek generates stsc seek error. The
problem is that chunk numbers start with 1, not with 0.
2014-01-29 13:44:15 +04:00
Roman Arutyunyan
88f9b411f0 Mp4: skip tracks shorter than seek position (ticket #414).
Mp4 module does not check movie and track durations when reading
file.  Instead it generates errors when track metadata is shorter
than seek position.  Now such tracks are skipped and movie duration
check is performed at file read stage.
2014-01-29 13:33:45 +04:00
Roman Arutyunyan
870733ebd6 Mp4: fix seeks after the last key frame.
Mp4 module does not allow seeks after the last key frame.  Since
stss atom only contains key frames it's usually shorter than
other track atoms.  That leads to stss seek error when seek
position is close to the end of file.  The fix outputs empty
stss frame instead of generating error.
2014-01-29 13:30:36 +04:00
Maxim Dounin
c94c24b177 Fixed TCP_DEFER_ACCEPT handling (ticket #353).
Backed out 05a56ebb084a, as it turns out that kernel can return connections
without any delay if syncookies are used.  This basically means we can't
assume anything about connections returned with deferred accept set.

To solve original problem the 05a56ebb084a tried to solve, i.e. to don't
wait longer than needed if a connection was accepted after deferred accept
timeout, this patch changes a timeout set with setsockopt(TCP_DEFER_ACCEPT)
to 1 second, unconditionally.  This is believed to be enough for speed
improvements, and doesn't imply major changes to timeouts used.

Note that before 2.6.32 connections were dropped after a timeout.  Though
it is believed that 1s is still appropriate for kernels before 2.6.32,
as previously tcp_synack_retries controlled the actual timeout and 1s results
in more than 1 minute actual timeout by default.
2014-01-28 15:40:46 +04:00
Maxim Dounin
1631393f94 SSI: fixed $date_local and $date_gmt without SSI (ticket #230).
If there is no SSI context in a given request at a given time,
the $date_local and $date_gmt variables used "%s" format, instead
of "%A, %d-%b-%Y %H:%M:%S %Z" documented as the default and used
if there is SSI module context and timefmt wasn't modified using
the "config" SSI command.

While use of these variables outside of the SSI evaluation isn't strictly
valid, previous behaviour is certainly inconsistent, hence the fix.
2014-01-28 15:40:45 +04:00
Tatsuhiko Kubo
135dc712c0 Typo fixed. 2014-01-23 22:09:59 +09:00
Maxim Dounin
1ebb44e3e3 SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Even during execution of a request it is possible that there will be
no session available, notably in case of renegotiation.  As a result
logging of $ssl_session_id in some cases caused NULL pointer dereference
after revision 97e3769637a7 (1.5.9).  The check added returns an empty
string if there is no session available.
2014-01-23 18:32:26 +04:00
Maxim Dounin
bb40c4ed2f Version bump. 2014-01-23 18:32:25 +04:00
Maxim Dounin
c74e23ba3a Upstream: reading from a client after connection upgrade.
Read event on a client connection might have been disabled during
previous processing, and we at least need to handle events.  Calling
ngx_http_upstream_process_upgraded() is a simpliest way to do it.

Notably this change is needed for select, poll and /dev/poll event
methods.

Previous version of this patch was posted here:
http://mailman.nginx.org/pipermail/nginx/2014-January/041839.html
2014-01-22 16:05:07 +04:00
Maxim Dounin
096bcd03c3 SSL: fixed $ssl_session_id variable.
Previously, it used to contain full session serialized instead of just
a session id, making it almost impossible to use the variable in a safe
way.

Thanks to Ivan Ristić.
2014-01-22 16:05:06 +04:00
Valentin Bartenev
abcbe54219 SPDY: use ngx_queue_t to queue streams for post processing.
It simplifies the code and allows easy reuse the same queue pointer to store
streams in various queues with different requirements.  Future implementation
of SPDY/3.1 will take advantage of this quality.
2014-01-20 20:56:49 +04:00
Valentin Bartenev
3ddf9ccfce SPDY: store the length of frame instead of its whole size.
The "length" value better corresponds with the specification and reduces
confusion about whether frame's header is included in "size" or not.

Also this change simplifies some parts of code, since in more cases the
length of frame is more useful than its actual size, especially considering
that the size of frame header is constant.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
e62156d829 SPDY: use frame->next pointer to chain free frames.
There is no need in separate "free" pointer and like it is for ngx_chain_t
the "next" pointer can be used.  But after this change successfully handled
frame should not be accessed, so the frame handling cycle was improved to
store pointer to the next frame before processing.

Also worth noting that initializing "free" pointer to NULL in the original
code was surplus.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
650984cd20 SPDY: proper handling of all RST_STREAM statuses.
Previously, only stream CANCEL and INTERNAL_ERROR were handled right.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
d055f74178 SPDY: removed state to check first SETTINGS frame.
That code was based on misunderstanding of spdy specification about
configuration applicability in the SETTINGS frames.  The original
interpretation was that configuration is assigned for the whole
SPDY connection, while it is only for the endpoint.

Moreover, the strange thing is that specification forbids multiple
entries in the SETTINGS frame with the same ID even if flags are
different.  As a result, Chrome sends two SETTINGS frames: one with
its own configuration, and another one with configuration stored
for a server (when the FLAG_SETTINGS_PERSIST_VALUE flags were used
by the server).

To simplify implementation we refuse to use the persistent settings
feature and thereby avoid all the complexity related with its proper
support.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
406c0613f5 SPDY: better name for frame entries counter.
The "headers" is not a good term, since it is used not only to count
name/value pairs in the HEADERS block but to count SETTINGS entries too.

Moreover, one name/value pair in HEADERS can contain multiple http headers
with the same name.

No functional changes.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
32bb39c48f SPDY: fixed possible segfault.
While processing a DATA frame, the link to related stream is stored in spdy
connection object as part of connection state.  But this stream can be closed
between receiving parts of the frame.
2014-01-22 04:58:19 +04:00
Ruslan Ermilov
8b7fe56e95 Mail: fixed passing of IPv6 client address in XCLIENT. 2014-01-17 22:06:04 +04:00
Maxim Dounin
0bfb68eea0 Core: improved ngx_reset_pool() (ticket #490).
Previously pool->current wasn't moved back to pool, resulting in blocks
not used for further allocations if pool->current was already moved at the
time of ngx_reset_pool().  Additionally, to preserve logic of moving
pool->current, the p->d.failed counters are now properly cleared.  While
here, pool->chain is also cleared.

This change is essentially a nop with current code, but generally improves
things.
2014-01-17 06:24:53 +04:00
Valentin Bartenev
1ef5553644 SPDY: send output queue after processing of read event.
During the processing of input some control frames can be added to the queue.
And if there were no writing streams at the moment, these control frames might
be left unsent for a long time (or even forever).

This long delay is especially critical for PING replies since a client can
consider connection as broken and then resend exactly the same request over
a new connection, which is not safe in case of non-idempotent HTTP methods.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
82a1ff31f9 SPDY: the SETTINGS frame should be allocated from sc->pool.
There is no reason to allocate it from connection pool that more like just
a bug especially since ngx_http_spdy_settings_frame_handler() already uses
sc->pool to free a chain.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
b2b43ca50f SPDY: fixed possible uninitialized memory access.
The frame->stream pointer should always be initialized for control frames since
the check against it can be performed in ngx_http_spdy_filter_cleanup().
2014-01-15 17:16:38 +04:00
Valentin Bartenev
d143119e3c SPDY: fixed off_t/size_t type conversions on 32 bits platforms.
Parameters of ngx_http_spdy_filter_get_shadow() are changed from size_t to off_t
since the last call of the function may get size and offset from the rest of a
file buffer.  This fixes possible data loss rightfully complained by MSVC on 32
bits systems where off_t is 8 bytes long while size_t is only 4 bytes.

The other two type casts are needed just to suppress warnings about possible
data loss also complained by MSVC but false positive in these cases.
2014-01-15 13:23:31 +04:00
Valentin Bartenev
70c010167f SPDY: fixed build, broken by b7ee1bae0ffa.
False positive warning about the "cl" variable may be uninitialized in
the ngx_http_spdy_filter_get_data_frame() call was suppressed.

It is always initialized either in the "while" cycle or in the following
"if" condition since frame_size cannot be zero.
2014-01-15 01:44:52 +04:00
Valentin Bartenev
8323f317f6 SPDY: added the "spdy_chunk_size" directive. 2014-01-14 16:24:45 +04:00
Valentin Bartenev
b60700f9e9 SPDY: implemented buffers chain splitting.
It fixes "chain too big in spdy filter" alerts, and adds full support for rate
limiting of SPDY streams.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
8c01a95d98 SPDY: body filter was replaced by c->send_chain() function.
It allows to use ngx_http_write_filter() and all its rate limiting logic.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
3d5f501adc SPDY: fixed possible premature close of stream.
The "delayed" flag always should be set if there are unsent frames,
but this might not be the case if ngx_http_spdy_body_filter() was
called with NULL chain.

As a result, the "send_timeout" timer could be set on a stream in
ngx_http_writer().  And if the timeout occurred before all the stream
data has been sent, then the request was finalized with the "client
timed out" error.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
1c56e18733 SPDY: refactored ngx_http_spdy_body_filter().
A local pointer to fake connection is introduced
to slightly reduce further patches.

No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
ac8bb7a9e5 SPDY: elimination of r->blocked counter usage for queuing frames.
It was used to prevent destroying of request object when there are unsent
frames in queue for the stream.  Since it was incremented for each frame
and is only 8 bits long, so it was not very hard to overflow the counter.

Now the stream->queued counter is checked instead.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
6ddb578b22 SPDY: better name for flag that indicates incomplete frame state.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
00944562ac SPDY: better name for queued frames counter.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
df1d8f78ac SPDY: fixed format specifiers in logging. 2014-01-14 16:24:45 +04:00
Yichun Zhang
2e2c9dba16 Resolver: added support for domain names with a trailing dot. 2014-01-10 11:22:14 -08:00
Maxim Dounin
70b48a491a SSL: fixed ssl_verify_depth to take only one argument. 2014-01-14 15:56:40 +04:00
Dirkjan Bussink
58a240d773 SSL: ssl_session_tickets directive.
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.

If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
2014-01-10 16:12:40 +01:00
Maxim Dounin
8f702a573a Fixed "zero size buf in output" alerts.
If a request had an empty request body (with Content-Length: 0), and there
were preread data available (e.g., due to a pipelined request in the buffer),
the "zero size buf in output" alert might be logged while proxying the
request to an upstream.

Similar alerts appeared with client_body_in_file_only if a request had an
empty request body.
2014-01-04 03:32:22 +04:00
Maxim Dounin
eb60e1e26d Win32: support for UTF-16 surrogate pairs (ticket #457). 2014-01-04 03:32:15 +04:00
Maxim Dounin
def37d254a Upstream: Cache-Control preferred over Expires.
Not really a strict check (as X-Accel-Expires might be ignored or
contain invalid value), but quite simple to implement and better
than what we have now.
2014-01-04 03:32:10 +04:00
Maxim Dounin
1029607ac9 Added per-process random seeding (ticket #456). 2014-01-04 03:32:06 +04:00
Maxim Dounin
9a72030c25 Allowed up to two EBUSY errors from sendfile().
Fallback to synchronous sendfile() now only done on 3rd EBUSY without
any progress in a row.  Not falling back is believed to be better
in case of occasional EBUSY, though protection is still needed to
make sure there will be no infinite loop.
2014-01-04 03:31:58 +04:00
Ruslan Ermilov
2539ce036f Fixed setting of content type in some cases.
This fixes content type set in stub_status and autoindex responses
to be usable in content type checks made by filter modules, such
as charset and sub filters.
2013-12-27 19:40:04 +04:00
Valentin Bartenev
2b1156d101 Style: removed surplus semicolons. 2013-12-27 18:47:42 +04:00
Valentin Bartenev
aa22dc707b SPDY: a bit smarter ngx_http_spdy_filter_get_data_frame().
There is no need to pass FLAG_FIN as a separate argument since it can always be
detected from the last_buf flag of the last frame buffer.

No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
df49024997 SPDY: refactored loop in ngx_http_spdy_body_filter().
No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
75dad742e5 SPDY: fixed possible request hang.
Processing events from upstream connection can result in sending queued frames
from other streams.  In this case such streams were not added to handling queue
and properly handled.

A global per connection flag was replaced by a per stream flag that indicates
currently sending stream while all other streams can be added to handling
queue.
2013-12-26 17:03:16 +04:00
Ruslan Ermilov
9b4a99cf5d Dav: emit a warning about unsafe URI. 2013-12-23 18:12:03 +04:00
Ruslan Ermilov
f7ff5e65d0 Teach ngx_http_parse_unsafe_uri() how to unescape URIs.
This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316),
SSI (ticket #240), and DAV.
2013-12-23 18:12:00 +04:00
Ruslan Ermilov
336bcb22d1 Detect more unsafe URIs in ngx_http_parse_unsafe_uri().
The following URIs were considered safe: "..", "../foo", and "/foo/..".
2013-12-23 18:11:56 +04:00
Ruslan Ermilov
3f36c684a1 Upstream: keep $upstream_http_x_accel_redirect intact.
When processing the X-Accel-Redirect header, the value of the
$upstream_http_x_accel_redirect variable was also overwritten.
2013-12-23 18:11:46 +04:00
Ruslan Ermilov
bf800822df Fixed the first argument to getsockopt().
While here, always initialize the last argument.
2013-12-19 13:43:18 +04:00
Maxim Dounin
37b7de6df7 SSL: ssl_buffer_size directive. 2013-12-20 16:18:25 +04:00
Vladimir Homutov
c7a0b04665 Upstream: simplified peer selection loop in the "ip_hash" module.
Conditions for skipping ineligible peers are rewritten to make adding of new
conditions simpler and be in line with the "round_robin" and "least_conn"
modules.  No functional changes.
2013-12-09 13:43:27 +04:00
Ruslan Ermilov
85e6d211d0 Resolver: use minimum TTL for caching (ticket #329). 2013-12-16 19:12:23 +04:00
Valentin Bartenev
c8f3f9fa12 SPDY: use predefined constant for size of the Stream-ID field.
No functional changes.
2013-12-18 18:39:29 +04:00
Valentin Bartenev
bf3ff5bca7 Version bump. 2013-12-18 18:37:48 +04:00
Ruslan Ermilov
3fd727566a Resolver: lookups are case-insensitive. 2013-12-13 20:49:52 +04:00
Ruslan Ermilov
e0caf51711 The "ipv6=" boolean parameter of the "resolver" directive.
When set to "off", only IPv4 addresses will be resolved,
and no AAAA queries are ever sent.
2013-12-09 10:53:30 +04:00
Ruslan Ermilov
769eded732 Resolver: implemented IPv6 name to address resolving. 2013-12-09 10:53:28 +04:00
Ruslan Ermilov
809bee30b7 Resolver: implemented IPv6 address to name resolving. 2013-12-06 14:30:28 +04:00
Ruslan Ermilov
3aeefbcaea Changed resolver API to use ngx_addr_t. 2013-12-06 14:30:27 +04:00
Ruslan Ermilov
552e15ba1c Resolver: fixed indentation. 2013-12-13 19:22:44 +04:00
Ruslan Ermilov
efd0e0e177 Core: externalized ngx_cmp_sockaddr().
It's also extended with the "cmp_port" argument to indicate
whether ports should be compared as well, or only addresses.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
159486239f Resolver: fixes in PTR processing.
Verify that class of RR is "IN".
Verify that RR data length is non-zero.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
f57350cd86 Resolver: fixes in A processing.
Verify that class of RR is "IN".
Verify that RR data length is exactly four octets.
Correctly shift to the next RR if RR type is unknown.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
f3a271f3fd Resolver: fixed response processing.
Stricten response header checks: ensure that reserved bits are zeroes,
and that the opcode is "standard query".

Fixed the "zero-length domain name in DNS response" condition.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
23071835a3 Resolver: removed unnecessary casts. 2013-12-06 14:30:27 +04:00
Ruslan Ermilov
3d245d4792 Resolver: improved code readability.
Renamed ngx_resolver_query_t to ngx_resolver_hdr_t as it describes
the header that is common to DNS queries and answers.

Replaced the magic number 12 by the size of the header structure.

The other changes are self-explanatory.
2013-12-06 14:30:27 +04:00
Maxim Dounin
0c585adfd4 Trailing whitespace fix. 2013-12-12 20:28:48 +04:00
Valentin Bartenev
2576530c51 Use ngx_chain_get_free_buf() in pipe input filters.
No functional changes.
2013-12-11 21:30:38 +04:00
Valentin Bartenev
7f54528ca0 SPDY: drop the "delayed" flag when finalizing connection.
This flag in SPDY fake write events serves the same purposes as the "ready"
flag in real events, and it must be dropped if request needs to be handled.
Otherwise, it can prevent the request from finalization if ngx_http_writer()
was set, which results in a connection leak.

Found by Xiaochen Wang.
2013-12-10 20:27:33 +04:00
Ruslan Ermilov
fa512fdb76 Fixed handling of UNIX-domain sockets.
When evaluating $local_port, $server_port, and $server_addr,
UNIX-domain sockets were mistakenly interpreted as IPv4 sockets.
2013-12-09 10:16:44 +04:00
Ruslan Ermilov
675e73e3bd Core: keep the length of the local sockaddr. 2013-12-09 10:14:51 +04:00
Piotr Sikora
19f475276d Fixed incorrect ngx_str_set() usage, broken in c82b2e020b9f.
Found by Coverity Scan CID 1135525.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-12-06 16:00:49 -08:00
Maxim Dounin
67b0d16546 Fixed build without SSL, broken by c82b2e020b9f. 2013-12-04 23:13:13 +04:00
Maxim Dounin
24e1db93a8 SSL support in the uwsgi module.
Based on patch by Roberto De Ioris.
2013-12-04 23:01:27 +04:00
Mathew Rodley
84f5c2136e Added support for TCP_FASTOPEN supported in Linux >= 3.7.1.
---
 auto/unix                       | 12 ++++++++++++
 src/core/ngx_connection.c       | 32 ++++++++++++++++++++++++++++++++
 src/core/ngx_connection.h       |  4 ++++
 src/http/ngx_http.c             |  4 ++++
 src/http/ngx_http_core_module.c | 21 +++++++++++++++++++++
 src/http/ngx_http_core_module.h |  3 +++
 6 files changed, 76 insertions(+)
2013-12-03 22:07:03 +04:00
Maxim Dounin
a8a7de3f78 Fixed "setfib=" on non-first listening socket. 2013-12-03 21:44:08 +04:00
Vladimir Homutov
71b9cca835 Improved code readablity in ngx_http_upstream_init_round_robin().
Changed initialization order of the peer structure in one of the
cases to be in line with the rest.

No functional changes.
2013-12-03 17:12:16 +04:00
Ruslan Ermilov
0419933283 Fixed null pointer dereference with $upstream_cache_last_modified. 2013-12-03 15:11:24 +04:00
Maxim Dounin
bfda85b6e4 Win32: fixed init_process without master process (ticket #453).
Init process callbacks are called by ngx_worker_thread(), there is no
need to call them in ngx_single_process_cycle().
2013-11-29 17:23:47 +04:00
Maxim Dounin
3dec2b131c Upstream: skip empty cache headers.
Notably this fixes HTTP_IF_MODIFIED_SINCE which was always sent with
cache enabled in fastcgi/scgi/uwsgi after 43ccaf8e8728.
2013-11-29 17:23:38 +04:00
Maxim Dounin
067c1d2a4f SSL: fixed c->read->ready handling in ngx_ssl_recv().
If c->read->ready was reset, but later some data were read from a socket
buffer due to a call to ngx_ssl_recv(), the c->read->ready flag should
be restored if not all data were read from OpenSSL buffers (as kernel
won't notify us about the data anymore).

More details are available here:
http://mailman.nginx.org/pipermail/nginx/2013-November/041178.html
2013-11-29 17:16:06 +04:00
Maxim Dounin
6b7e88f36b Version bump. 2013-11-29 17:11:36 +04:00
Ruslan Ermilov
d47c435e9e Proper backtracking after space in a request line. 2013-11-19 06:57:58 +04:00
Maxim Dounin
1ac2693a33 Upstream: cache revalidation with conditional requests.
The following new directives are introduced: proxy_cache_revalidate,
fastcgi_cache_revalidate, scgi_cache_revalidate, uwsgi_cache_revalidate.
Default is off.  When set to on, they enable cache revalidation using
conditional requests with If-Modified-Since for expired cache items.

As of now, no attempts are made to merge headers given in a 304 response
during cache revalidation with headers previously stored in a cache item.
Headers in a 304 response are only used to calculate new validity time
of a cache item.
2013-11-18 20:48:22 +04:00
Valentin Bartenev
df2fc6a9df SPDY: fixed request hang with the auth request module.
We should just call post_handler() when subrequest wants to read body, like
it happens for HTTP since rev. f458156fd46a.  An attempt to init request body
for subrequests results in hang if the body was not already read.
2013-11-11 18:49:35 +04:00
Maxim Dounin
b0f025f4fe Win32: plugged memory leak. 2013-10-31 18:23:49 +04:00
Maxim Dounin
45075adccf Gunzip: proper error handling on gunzipping an empty response.
With previous code, an empty (malformed) response resulted in a request
finalized without sending anything to a client.
2013-10-31 04:16:20 +04:00
Maxim Dounin
eea2e1262b Gunzip: "error" logging level on inflate() errors.
Errors can easily happen due to broken upstream responses, there is no
need to log them at "alert" level.
2013-10-31 04:12:53 +04:00
Maxim Dounin
f1a9f14afe Removed extra allocation for $sent_http_last_modified.
There is no need to allocate memory for "Last-Modified: " string,
the variable only contains date itself.
2013-10-31 04:02:59 +04:00
Maxim Dounin
869b4f36e5 Auth basic: "info" logging level on no user/password.
This isn't an exceptional condition and normally happens on
first request from a client.
2013-10-31 04:02:21 +04:00
Yichun Zhang
3d3fa2adc6 Gzip, gunzip: flush pending data when incoming chain is NULL. 2013-10-28 15:01:36 -07:00
Maxim Dounin
0eee3b0bc5 Core: handling of getsockopt(TCP_DEFER_ACCEPT) failures.
Recent Linux versions started to return EOPNOTSUPP to getsockopt() calls
on unix sockets, resulting in log pollution on binary upgrade.  Such errors
are silently ignored now.
2013-10-31 04:00:37 +04:00
Piotr Sikora
475832834b Core: apply missed options to sockets added during binary upgrade.
The accept_filter and deferred options were not applied to sockets
that were added to configuration during binary upgrade cycle.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-24 14:18:37 -07:00
Xiaochen Wang
8f3dfde7f7 Upstream: optimize loops in ngx_http_upstream_init_round_robin(). 2013-10-21 18:20:32 +08:00
Maxim Dounin
a6b7cfe967 Fixed "satisfy any" if 403 is returned after 401 (ticket #285).
The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.

The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).

Patch by Jan Marc Hoffmann.
2013-10-18 18:13:49 +04:00
Maxim Dounin
6291a29992 Headers filter: empty Cache-Control is no longer added.
Much like with other headers, "add_header Cache-Control $value;" no longer
results in anything added to response headers if $value evaluates to an
empty string.
2013-10-18 18:13:44 +04:00
Maxim Dounin
0ca52adff6 Style. 2013-10-18 18:13:35 +04:00
Piotr Sikora
79be6a5462 SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.

    ssl_session_ticket_key  session_tickets/current.key;
    ssl_session_ticket_key  session_tickets/prev-1h.key;
    ssl_session_ticket_key  session_tickets/prev-2h.key;

Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-11 16:05:24 -07:00
Maxim Dounin
a8ad0c02cc SSL: SSL_CTX_set_timeout() now always called.
The timeout set is used by OpenSSL as a hint for clients in TLS Session
Tickets.  Previous code resulted in a default timeout (5m) used for TLS
Sessions Tickets if there was no session cache configured.

Prodded by Piotr Sikora.
2013-10-14 13:59:35 +04:00
Maxim Dounin
87a607a031 SSL: fixed build with OpenSSL 0.9.7.
SSL_get_rbio() and SSL_get_wbio() functions used to get non-const pointer
in OpenSSL 0.9.7, hence an explicit cast added to drop const qualifier.
2013-10-14 13:44:09 +04:00
Maxim Dounin
5a63dcc5d7 Limit req: fixed "nodelay" parsing.
Previously arguments starting with "nodelay" were considered valid,
e.g. "limit_req ... nodelayFOO;".
2013-10-02 15:07:17 +04:00
Maxim Dounin
31d023e53e Upstream: fixed "down" and "backup" parsing.
Previously arguments starting with "down" or "backup" were considered
valid, e.g. "server ... downFOO;".
2013-10-02 15:07:15 +04:00
Sergey Kandaurov
cfb2b55e8d Unused macro and variable removed.
The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9).
The variable ngx_accept_mutex_lock_file was never used.
2013-10-02 11:51:04 +04:00
Sergey Kandaurov
5bf78d05a0 Version bump. 2013-10-02 11:50:56 +04:00
Valentin Bartenev
cca2b04f51 SPDY: ignore priority when queuing blocked frames.
With this change all such frames will be added in front of the output queue, and
will be sent first.  It prevents HOL blocking when response with higher priority
is blocked by response with lower priority in the middle of the queue because
the order of their SYN_REPLY frames cannot be changed.

Proposed by Yury Kirpichev.
2013-10-01 00:14:37 +04:00
Valentin Bartenev
4f4963e87e SPDY: set empty write handler during connection finalization.
While ngx_http_spdy_write_handler() should not make any harm with current code,
calling it during finalization of SPDY connection was not intended.
2013-10-01 00:12:30 +04:00
Valentin Bartenev
92b82c80af SPDY: fixed connection leak while waiting for request headers.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for request headers, it was a no-op since the
read event handler had been set to ngx_http_empty_handler().
2013-10-01 00:04:00 +04:00
Valentin Bartenev
6ba03097db SPDY: fixed connection leak while waiting for request body.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for a request body, it was a no-op since the
read event handler ngx_http_request_handler() calls r->read_event_handler that
had been set to ngx_http_block_reading().
2013-10-01 00:00:57 +04:00
Maxim Dounin
ef8c64acbe Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
A configuration like "mail { starttls on; server {}}" triggered NULL
pointer dereference in ngx_mail_ssl_merge_conf() as conf->file was not set.
2013-09-30 22:10:13 +04:00
Maxim Dounin
aa36cc39a4 Mail: fixed overrun of allocated memory (ticket #411).
Reported by Markus Linnala.
2013-09-30 22:10:08 +04:00
Maxim Dounin
f2b5192c30 Mail: handle smtp multiline replies.
See here for details:

http://nginx.org/pipermail/nginx/2010-August/021713.html
http://nginx.org/pipermail/nginx/2010-August/021784.html
http://nginx.org/pipermail/nginx/2010-August/021785.html
2013-09-30 22:10:03 +04:00
Maxim Dounin
4f6f653f48 Mail: smtp pipelining support.
Basically, this does the following two changes (and corresponding
modifications of related code):

1. Does not reset session buffer unless it's reached it's end, and always
wait for LF to terminate command (even if we detected invalid command).

2. Record command name to make it available for handlers (since now we
can't assume that command starts from s->buffer->start).
2013-09-30 22:09:57 +04:00
Maxim Dounin
32d6035303 Mail: added session close on smtp_greeting_delay violation.
A server MUST send greeting before other replies, while before this
change in case of smtp_greeting_delay violation the 220 greeting was
sent after several 503 replies to commands received before greeting,
resulting in protocol synchronization loss.  Moreover, further commands
were accepted after the greeting.

While closing a connection isn't strictly RFC compliant (RFC 5321
requires servers to wait for a QUIT before closing a connection), it's
probably good enough for practial uses.
2013-09-30 22:09:50 +04:00
Maxim Dounin
af897b7f03 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). 2013-09-27 19:39:33 +04:00
Maxim Dounin
4b2ead8871 FastCGI: non-buffered mode support. 2013-09-27 16:50:40 +04:00
Maxim Dounin
989a71377b Upstream: subrequest_in_memory support for SCGI and uwsgi enabled.
This was missed in 9d59a8eda373 when non-buffered support was added to SCGI
and uwsgi.
2013-09-27 16:50:34 +04:00
Maxim Dounin
c4b5a1fe5e Upstream: subrequest_in_memory fix.
With previous code only part of u->buffer might be emptied in case
of special responses, resulting in partial responses seen by SSI set
in case of simple protocols, or spurious errors like "upstream sent
invalid chunked response" in case of complex ones.
2013-09-27 16:50:26 +04:00
Maxim Dounin
239c4037ce Upstream: proxy_no_cache, fastcgi_no_cache warnings removed. 2013-09-27 16:50:13 +04:00
Piotr Sikora
43736b12de Proxy: added the "proxy_ssl_ciphers" directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-23 15:58:28 -07:00
Maxim Dounin
e11584164f Added ngx_filename_cmp() with "/" sorted to the left.
This patch fixes incorrect handling of auto redirect in configurations
like:

    location /0  { }
    location /a- { }
    location /a/ { proxy_pass ... }

With previously used sorting, this resulted in the following locations
tree (as "-" is less than "/"):

        "/a-"
    "/0"    "/a/"

and a request to "/a" didn't match "/a/" with auto_redirect, as it
didn't traverse relevant tree node during lookup (it tested "/a-",
then "/0", and then falled back to null location).

To preserve locale use for non-ASCII characters on case-insensetive
systems, libc's tolower() used.
2013-09-23 19:37:13 +04:00
Maxim Dounin
d2ef70e97a Caseless location tree construction (ticket #90).
Location tree was always constructed using case-sensitive comparison, even
on case-insensitive systems.  This resulted in incorrect operation if
uppercase letters were used in location directives.  Notably, the
following config:

    location /a { ... }
    location /B { ... }

failed to properly map requests to "/B" into "location /B".
2013-09-23 19:37:06 +04:00
Piotr Sikora
f52a2c7585 SSL: stop loading configs with invalid "ssl_ciphers" values.
While there, remove unnecessary check in ngx_mail_ssl_module.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-22 22:36:11 -07:00
Markus Linnala
35e2bb0efb Core: fix misallocation at ngx_crypt_apr1 (ticket #412).
Found by using auth_basic.t from mdounin nginx-tests under valgrind.

==10470== Invalid write of size 1
==10470==    at 0x43603D: ngx_crypt_to64 (ngx_crypt.c:168)
==10470==    by 0x43648E: ngx_crypt (ngx_crypt.c:153)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==    by 0x456A91: ngx_http_process_request_line (ngx_http_request.c:964)
==10470==    by 0x457097: ngx_http_wait_request_handler (ngx_http_request.c:486)
==10470==    by 0x4411EE: ngx_epoll_process_events (ngx_epoll_module.c:691)
==10470==  Address 0x5866fab is 0 bytes after a block of size 27 alloc'd
==10470==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==10470==    by 0x43B251: ngx_alloc (ngx_alloc.c:22)
==10470==    by 0x421B0D: ngx_malloc (ngx_palloc.c:119)
==10470==    by 0x421B65: ngx_pnalloc (ngx_palloc.c:147)
==10470==    by 0x436368: ngx_crypt (ngx_crypt.c:140)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==
2013-09-20 17:57:21 +03:00
Andrei Belov
003b2cd720 Proxy: added the "proxy_ssl_protocols" directive. 2013-09-19 18:30:33 +04:00
Piotr Sikora
0a5124502d SSL: fixed possible memory and file descriptor leak on HUP signal.
The problem appeared in 386a06a22c40 (1.3.7).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-18 16:51:30 -07:00
Sergey Kandaurov
bff2b8d69f Fixed response line formatting with empty reason phrase.
As per RFC 2616 sec 6.1 the response status code is always followed by SP.
2013-09-18 18:53:26 +04:00
Sergey Kandaurov
63b1baa7f1 Version bump. 2013-09-18 18:53:24 +04:00
Piotr Sikora
29ea1273fe SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
This option had no effect since 0.9.7h / 0.9.8b and it was removed
in recent OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-16 14:24:38 -07:00
Valentin Bartenev
db1532944c Improved check for duplicate path names in ngx_add_path().
The same path names with different "data" context should not be allowed.

In particular it rejects configurations like this:

    proxy_cache_path /var/cache/ keys_zone=one:10m max_size=1g inactive=5m;
    proxy_cache_path /var/cache/ keys_zone=two:20m max_size=4m inactive=30s;
2013-09-16 18:49:23 +04:00
Valentin Bartenev
eb10d8f71e Removed surplus initializations from ngx_conf_set_path_slot().
An instance of ngx_path_t is already zeroed by ngx_pcalloc().
2013-09-16 18:49:22 +04:00
Valentin Bartenev
f0fbcaf098 Use ngx_pcalloc() in ngx_conf_merge_path_value().
It initializes the "data" pointer of ngx_path_t that will be checked after
subsequent changes.
2013-09-16 18:49:10 +04:00
Valentin Bartenev
a11050ea4e Use EPOLLRDHUP in ngx_http_test_reading() (ticket #320).
This allows to detect client connection close with pending data when
the ngx_http_test_reading() request event handler is set.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
096678ced4 Upstream: use EPOLLRDHUP to check broken connections (ticket #320).
This allows to detect client connection close with pending data on Linux
while processing upstream.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
182a05b9d5 Events: support for EPOLLRDHUP (ticket #320).
Since Linux 2.6.17, epoll is able to report about peer half-closed connection
using special EPOLLRDHUP flag on a read event.
2013-07-12 14:51:07 +04:00
Valentin Bartenev
0f0502064d Events: removed unused flags from the ngx_event_s structure.
They are not used since 708f8bb772ec (pre 0.0.1).
2013-09-05 16:53:02 +04:00
Valentin Bartenev
cf08ba72db Fixed handling of the ready flag with kqueue.
There is nothing to do more when recv() has returned 0,
so we should drop the flag.
2013-09-05 16:53:02 +04:00
Valentin Bartenev
d034e63a11 Return reason phrase for 414.
After 62be77b0608f nginx can return this code.
2013-09-03 21:07:19 +04:00
Maxim Dounin
d33225db58 Upstream: fixed $upstream_response_time format specifiers. 2013-09-04 21:30:09 +04:00
Maxim Dounin
3d1e616d0b SSL: clear error queue after SSL_CTX_load_verify_locations().
The SSL_CTX_load_verify_locations() may leave errors in the error queue
while returning success (e.g. if there are duplicate certificates in the file
specified), resulting in "ignoring stale global SSL error" alerts later
at runtime.
2013-09-04 21:17:02 +04:00
Maxim Dounin
f108b28038 Fixed incorrect response line on "return 203".
Reported by Weibin Yao,
http://mailman.nginx.org/pipermail/nginx-devel/2013-April/003607.html.
2013-09-04 21:17:01 +04:00
Maxim Dounin
4b189002af Request cleanup code unified, no functional changes.
Additionally, detaching a cleanup chain from a request is a bit more resilent
to various bugs if any.
2013-09-04 21:17:00 +04:00
Maxim Dounin
2b0dba578f Handling of ngx_int_t != intptr_t case.
Casts between pointers and integers produce warnings on size mismatch.  To
silence them, cast to (u)intptr_t should be used.  Prevoiusly, casts to
ngx_(u)int_t were used in some cases, and several ngx_int_t expressions had
no casts.

As of now it's mostly style as ngx_int_t is defined as intptr_t.
2013-09-04 21:16:59 +04:00
Maxim Dounin
5ab74625d6 Win32: $request_time fixed.
On win32, time_t is 64 bits wide by default, and passing an ngx_msec_int_t
argument for %T format specifier doesn't work.  This doesn't manifest itself
on other platforms as time_t and ngx_msec_int_t are usually of the same size.
2013-09-04 20:48:30 +04:00
Maxim Dounin
48d96ced6f Win32: MinGW GCC compatibility.
Several warnings silenced, notably (ngx_socket_t) -1 is now checked
on socket operations instead of -1, as ngx_socket_t is unsigned on win32
and gcc complains on comparison.

With this patch, it's now possible to compile nginx using mingw gcc,
with options we normally compile on win32.
2013-09-04 20:48:28 +04:00
Maxim Dounin
74b7a91013 Win32: Borland C compatibility fixes.
Several false positive warnings silenced, notably W8012 "Comparing
signed and unsigned" (due to u_short values promoted to int), and
W8072 "Suspicious pointer arithmetic" (due to large type values added
to pointers).

With this patch, it's now again possible to compile nginx using bcc32,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:23 +04:00
Maxim Dounin
5b37852323 Win32: Open Watcom C compatibility fixes.
Precompiled headers are disabled as they lead to internal compiler errors
with long configure lines.  Couple of false positive warnings silenced.
Various win32 typedefs are adjusted to work with Open Watcom C 1.9 headers.

With this patch, it's now again possible to compile nginx using owc386,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:22 +04:00
Valentin Bartenev
42910391cd Disable symlinks: removed recursive call of ngx_file_o_path_info().
It is surplus.
2013-09-02 20:06:03 +04:00
Valentin Bartenev
7b37384140 Disable symlinks: use O_PATH to open path components.
It was introduced in Linux 2.6.39, glibc 2.14 and allows to obtain
file descriptors without actually opening files.  Thus made it possible
to traverse path with openat() syscalls without the need to have read
permissions for path components.  It is effectively emulates O_SEARCH
which is missing on Linux.

O_PATH is used in combination with O_RDONLY.  The last one is ignored
if O_PATH is used, but it allows nginx to not fail when it was built on
modern system (i.e. glibc 2.14+) and run with a kernel older than 2.6.39.
Then O_PATH is unknown to the kernel and ignored, while O_RDONLY is used.

Sadly, fstat() is not working with O_PATH descriptors till Linux 3.6.
As a workaround we fallback to fstatat() with the AT_EMPTY_PATH flag
that was introduced at the same time as O_PATH.
2013-09-02 08:07:59 +04:00
Valentin Bartenev
231ed198e1 Added the NGX_EBADF define. 2013-09-02 08:07:44 +04:00
Valentin Bartenev
3d7d48e52c Assume the HTTP/1.0 version by default.
It is believed to be better than fallback to HTTP/0.9, because most of
the clients at present time support HTTP/1.0.  It allows nginx to return
error response code for them in cases when it fail to parse request line,
and therefore fail to detect client protocol version.

Even if the client does not support HTTP/1.0, this assumption should not
cause any harm, since from the HTTP/0.9 point of view it still a valid
response.
2013-09-02 03:45:14 +04:00
Maxim Dounin
9f46a9df86 Upstream: setting u->header_sent before ngx_http_upstream_upgrade().
Without u->header_sent set a special response might be generated following
an upgraded connection.  The problem appeared in 1ccdda1f37f3 (1.5.3).
Catched by "header already sent" alerts in 1.5.4 after upstream timeouts.
2013-08-30 21:44:16 +04:00
Valentin Bartenev
6d7ec5009a Referer: fixed hostname buffer overflow check.
Because of premature check the effective buffer size was 255 symbols
while the buffer is able to handle 256.
2013-08-29 22:35:54 +04:00
Sergey Kandaurov
e4209c0269 Referer: "server_names" parsing deferred to merge phase.
This allows to approach "server_name" values specified below the
"valid_referers" directive when used within the "server_names" parameter, e.g.:

    server_name  example.org;
    valid_referers server_names;
    server_name  example.com;

As a bonus, this fixes bogus error with "server_names" specified several times.
2013-08-29 22:35:27 +04:00
Sergey Kandaurov
8658c5b8a1 Referer: fixed server_name regex matching.
The server_name regexes are normally compiled for case-sensitive matching.
This violates case-insensitive obligations in the referer module.  To fix
this, the host string is converted to lower case before matching.

Previously server_name regex was executed against the whole referer string
after dropping the scheme part.  This could led to an improper matching, e.g.:

    server_name ~^localhost$;
    valid_referers server_names;

    Referer: http://localhost/index.html

It was changed to look only at the hostname part.

The server_name regexes are separated into another array to not clash with
regular regexes.
2013-08-29 22:35:26 +04:00
Sergey Kandaurov
3ef0dfa145 Referer: fixed error type usage inconsistency for ngx_http_add*(). 2013-08-29 22:35:26 +04:00
Lanshun Zhou
be23dcb1a1 Image filter: large image handling.
If Content-Length header is not set, and the image size is larger than the
buffer size, client will hang until a timeout occurs.

Now NGX_HTTP_UNSUPPORTED_MEDIA_TYPE is returned immediately.

diff -r d1403de41631 -r 4fae04f332b4
src/http/modules/ngx_http_image_filter_module.c
2013-08-28 00:19:07 +08:00
Maxim Dounin
51f7761710 Typo fixed. 2013-08-28 02:34:30 +04:00
Maxim Dounin
e96092130c Version bump. 2013-08-28 02:34:21 +04:00
Maxim Dounin
d2d8b82b87 Cache: lock timeouts are now logged at info level. 2013-08-23 22:18:54 +04:00
Maxim Dounin
73ec75a974 Upstream: posted requests handling after ssl handshake errors.
Missing call to ngx_http_run_posted_request() resulted in a main request hang
if subrequest's ssl handshake with an upstream server failed for some reason.

Reported by Aviram Cohen.
2013-08-23 22:18:46 +04:00
Maxim Dounin
0f49681f28 Fixed try_files with empty argument (ticket #390). 2013-08-23 22:18:39 +04:00
Sergey Kandaurov
0fea0bf3f7 Added safety belt for the case of sending header twice.
The aforementioned situation is abnormal per se and as such it now forces
request termination with appropriate error message.
2013-07-30 15:04:46 +04:00
Sergey Kandaurov
2b2def7891 Autoindex: improved ngx_de_info() error handling.
This allows to build a directory listing whenever a loop exists in symbolic
link resolution of the path argument.
2013-07-30 11:43:21 +04:00
Sergey Kandaurov
eb3fed9338 Autoindex: return NGX_ERROR on error if headers were sent.
This prevents ngx_http_finalize_request() from issuing
ngx_http_special_response_handler() on a freed context.
2013-07-30 11:43:21 +04:00
Maxim Dounin
92f0126269 Style improved after 12dd27b74117. 2013-08-20 21:33:43 +04:00
Maxim Dounin
e3cab76758 Backed out f1a91825730a and 7094bd12c1ff.
While ngx_get_full_name() might have a bit more descriptive arguments,
the ngx_conf_full_name() is generally easier to use when parsing
configuration and limits exposure of cycle->prefix / cycle->conf_prefix
details.
2013-08-20 21:11:19 +04:00
Maxim Dounin
4c53a38fb5 Auth request module import. 2013-08-21 19:19:47 +04:00
Maxim Dounin
0a6efeee71 Minor ngx_http_parse_request_line() optimization.
Noted by Nils Kuhnhenn.
2013-08-21 12:51:31 +04:00
Sergey Kandaurov
e09741ba06 Format specifier fixes in error logging. 2013-08-20 20:47:16 +04:00
Valentin Bartenev
c189eda9e6 SPDY: alert about activated fake events instead of deleting them.
They refer to the same socket descriptor as our real connection, and
deleting them will stop processing of the connection.

Events of fake connections must not be activated, and if it happened there
is nothing we can do.  The whole processing should be terminated as soon as
possible, but it is not obvious how to do this safely.
2013-08-15 19:16:12 +04:00
Valentin Bartenev
db8a0c8bf1 SPDY: do not reject headers with empty value (ticket #396).
A quote from SPDY draft 2 specification: "The length of each name and
value must be greater than zero.  A receiver of a zero-length name or
value must send a RST_STREAM with code PROTOCOL error."

But it appears that Chrome browser allows sending requests over SPDY/2
connection using JavaScript that contain headers with empty values.

For better compatibility across SPDY clients and to be compliant with
HTTP, such headers are no longer rejected.

Also, it is worth noting that in SPDY draft 3 the statement has been
changed so that it permits empty values for headers.
2013-08-15 19:16:09 +04:00
Valentin Bartenev
3be925b6e3 SPDY: fixed corruption of headers with names longer than 255.
It is a bad idea to put zero byte in position where the length of
the next header name can be stored before it was parsed.
2013-08-15 19:14:58 +04:00
Valentin Bartenev
ef76fbebd6 Unbreak building on Linux without sendfile64() support.
It was broken in 8e446a2daf48 when the NGX_SENDFILE_LIMIT constant was added
to ngx_linux_sendfile_chain.c having the same name as already defined one in
ngx_linux_config.h.

The newer is needed to overcome a bug in old Linux kernels by limiting the
number of bytes to send per sendfile() syscall.  The older is used with
sendfile() on ancient kernels that works with 32-bit offsets only.

One of these renamed to NGX_SENDFILE_MAXSIZE.
2013-08-15 19:14:33 +04:00
Sergey Kandaurov
9aaf256e40 Referer module: fixed regex matching against HTTPS referers.
When matching a compiled regex against value in the "Referer" header field,
the length was calculated incorrectly for strings that start from "https://".
This might cause matching to fail for regexes with end-of-line anchors.

Patch by Liangbin Li.
2013-08-13 17:47:04 +04:00
Gleb Smirnoff
65e37b4a12 Don't lose pointer to first nonempty buf in ngx_*_sendfile_chain().
In ngx_*_sendfile_chain() when calculating pointer to a first
non-zero sized buf, use "in" as iterator.  This fixes processing
of zero sized buf(s) after EINTR.  Otherwise function can return
zero sized buf to caller, and later ngx_http_write_filter()
logs warning.
2013-08-08 15:06:39 +04:00
Valentin Bartenev
74dfd08957 API change: removed the ngx_conf_full_name() function.
The ngx_get_full_name() should be used instead.
2013-08-06 19:58:40 +04:00
Valentin Bartenev
d29d21bade Replaced ngx_conf_full_name() with ngx_get_full_name().
The ngx_get_full_name() function takes more readable arguments list.
2013-08-06 19:58:40 +04:00
Valentin Bartenev
3c5bd34771 Fixed memory leaks in the root and auth_basic_user_file directives.
If a relative path is set by variables, then the ngx_conf_full_name()
function was called while processing requests, which causes allocations
from the cycle pool.

A new function that takes pool as an argument was introduced.
2013-08-06 19:58:40 +04:00
Valentin Bartenev
1b7bc34218 Image filter: use "application/json" MIME type for JSON output.
As it is defined by RFC 4627, and allows for various browser tools like
JSONView to display JSON well-formatted.
2013-08-05 14:30:03 +04:00
Ruslan Ermilov
3693daa20f Core: guard use of AI_ADDRCONFIG.
Some systems (notably NetBSD and OpenBSD) lack AI_ADDRCONFIG support.

Reported by Piotr Sikora.
2013-08-05 13:44:56 +04:00
Maxim Dounin
4d1b08bb1c Fixed build with signed socklen_t and unix sockets.
This seems to be the case at least under Cygwin, where build was broken
by 05ba5bce31e0 (1.5.3).

Reported by Kevin Worthington,
http://mailman.nginx.org/pipermail/nginx/2013-August/040028.html.
2013-08-05 11:40:33 +04:00
Ruslan Ermilov
7c6971cff3 Core: only resolve address families configured on the local system.
This is done by passing AI_ADDRCONFIG to getaddrinfo().

On Linux, setting net.ipv6.conf.all.disable_ipv6 to 1 will now be
respected.

On FreeBSD, AI_ADDRCONFIG filtering is currently implemented by
attempting to create a datagram socket for the corresponding family,
which succeeds even if the system doesn't in fact have any addresses
of that family configured.  That is, if the system with IPv6 support
in the kernel doesn't have IPv6 addresses configured, AI_ADDRCONFIG
will filter out IPv6 only inside a jail without IPv6 addresses or
with IPv6 disabled.
2013-08-05 10:55:59 +04:00
Valentin Bartenev
3086ab2996 MIME: use "application/javascript" for .js files.
Though there are several MIME types commonly used for JavaScript nowadays,
the most common being "text/javascript", "application/javascript", and
currently used by nginx "application/x-javascript", RFC 4329 prefers
"application/javascript".

The "charset_types" directive's default value was adjusted accordingly.
2013-07-31 23:40:46 +04:00
Sergey Kandaurov
986d3a870d Version bump. 2013-07-31 18:35:57 +04:00
Sergey Kandaurov
ab1c05272a Perl: fixed syntax usage for C preprocessor directives.
As per perlxs, C preprocessor directives should be at the first
non-whitespace of a line to avoid interpreting them as comments.

#if and #endif are moved so that there are no blank lines before them
to retain them as part of the function body.
2013-07-29 17:30:01 +04:00
Ruslan Ermilov
e49d933ebc Upstream: reliably detect connection failures with SSL peers. 2013-07-29 13:23:16 +04:00
Maxim Dounin
5274f023a2 Upstream: no last buffer on errors.
Previously, after sending a header we always sent a last buffer and
finalized a request with code 0, even in case of errors.  In some cases
this resulted in a loss of ability to detect the response wasn't complete
(e.g. if Content-Length was removed from a response by gzip filter).

This change tries to propogate to a client information that a response
isn't complete in such cases.  In particular, with this change we no longer
pretend a returned response is complete if we wasn't able to create
a temporary file.

If an error code suggests the error wasn't fatal, we flush buffered data
and disable keepalive, then finalize request normally.  This allows to to
propogate information about a problem to a client, while still sending all
the data we've got from an upstream.
2013-07-25 15:00:41 +04:00
Maxim Dounin
78aacc838b Upstream: request finalization rework.
No semantic changes expected, though some checks are done differently.
In particular, the r->cached flag is no longer explicitly checked.  Instead,
we relay on u->header_sent not being set if a response is sent from
a cache.
2013-07-25 15:00:29 +04:00
Maxim Dounin
86277254dd Upstream: NGX_HTTP_CLIENT_CLOSED_REQUEST no longer reset to 0.
The NGX_HTTP_CLIENT_CLOSED_REQUEST code is allowed to happen after we
started sending a response (much like NGX_HTTP_REQUEST_TIME_OUT), so there
is no need to reset response code to 0 in this case.
2013-07-25 15:00:25 +04:00
Maxim Dounin
960d0bfe34 Upstream: added check if a response is complete.
Checks were added to both buffered and unbuffered code paths to detect
and complain if a response is incomplete.  Appropriate error codes are
now passed to ngx_http_upstream_finalize_request().

With this change in unbuffered mode we now use u->length set to -1 as an
indicator that EOF is allowed per protocol and used to indicate response
end (much like its with p->length in buffered mode).  Proxy module was
changed to set u->length to 1 (instead of previously used -1) in case of
chunked transfer encoding used to comply with the above.
2013-07-25 15:00:12 +04:00
Maxim Dounin
416b922bd2 Upstream: u->length now defaults to -1 (API change).
That is, by default we assume that response end is signalled by
a connection close.  This seems to be better default, and in line
with u->pipe->length behaviour.

Memcached module was modified accordingly.
2013-07-25 14:58:11 +04:00
Maxim Dounin
187f3948ed Upstream: fixed store/cache of unfinished responses.
In case of upstream eof, only responses with u->pipe->length == -1
are now cached/stored.  This ensures that unfinished chunked responses
are not cached.

Note well - previously used checks for u->headers_in.content_length_n are
preserved.  This provides an additional level of protection if protol data
disagree with Content-Length header provided (e.g., a FastCGI response
is sent with wrong Content-Length, or an incomple SCGI or uwsgi response),
as well as protects from storing of responses to HEAD requests.  This should
be reconsidered if we'll consider caching of responses to HEAD requests.
2013-07-25 14:56:59 +04:00
Maxim Dounin
eafe44ff79 Upstream: replaced u->pipe->temp_file with p->temp_file.
While here, redundant parentheses removed.  No functional changes.
2013-07-25 14:56:49 +04:00
Maxim Dounin
e6122efbfe Upstream: NGX_ERROR after pipe errors. 2013-07-25 14:56:41 +04:00
Maxim Dounin
8536fb79ca Upstream: NGX_HTTP_GATEWAY_TIME_OUT after upstream timeouts.
There is no real difference from previously used 0 as NGX_HTTP_* will
become 0 in ngx_http_upstream_finalize_request(), but the change
preserves information about a timeout a bit longer.  Previous use of
ETIMEDOUT in one place was just wrong.

Note well that with cacheable responses there will be a difference
(code in ngx_http_upstream_finalize_request() will store the error
in cache), though this change doesn't touch cacheable case.
2013-07-25 14:56:20 +04:00
Maxim Dounin
d23dc7d427 Upstream: ngx_http_upstream_finalize_request(NGX_ERROR) on errors.
Previously, ngx_http_upstream_finalize_request(0) was used in most
cases after errors.  While with current code there is no difference,
use of NGX_ERROR allows to pass a bit more information into
ngx_http_upstream_finalize_request().
2013-07-25 14:56:13 +04:00
Maxim Dounin
76e1571749 Upstream: consistent error handling after u->input_filter_init().
In all cases ngx_http_upstream_finalize_request() with NGX_ERROR now used.
Previously used NGX_HTTP_INTERNAL_SERVER_ERROR in the subrequest in memory
case don't cause any harm, but inconsistent with other uses.
2013-07-25 14:56:00 +04:00
Maxim Dounin
9f925b8c77 Upstream: busy lock remnants removed. 2013-07-25 14:55:59 +04:00
Maxim Dounin
ec021eda55 Upstream: stale comments removed. 2013-06-13 19:52:31 +04:00
Maxim Dounin
84d2ecf87e Gzip: clearing of c->buffered if all data are flushed.
This allows to finalize unfinished responses while still sending as
much data as available.
2013-07-25 14:55:32 +04:00
Maxim Dounin
be6fbbb47e Event pipe: fixed writing cache header to a temp file.
With previous code the p->temp_file->offset wasn't adjusted if a temp
file was written by the code in ngx_event_pipe_write_to_downstream()
after an EOF, resulting in cache not being used with empty scgi and uwsgi
responses with Content-Length set to 0.

Fix it to call ngx_event_pipe_write_chain_to_temp_file() there instead
of calling ngx_write_chain_to_temp_file() directly.
2013-07-25 14:55:09 +04:00
Maxim Dounin
f52042498d Fixed ngx_http_test_reading() to finalize request properly.
Previous code called ngx_http_finalize_request() with rc = 0.  This is
ok if a response status was already set, but resulted in "000" being
logged if it wasn't.  In particular this happened with limit_req
if a connection was prematurely closed during limit_req delay.
2013-06-14 20:56:07 +04:00
Maxim Dounin
1936a67647 Sub filter: fixed matching after a partial match.
After a failed partial match we now check if there is another partial
match in previously matched substring to fix cases like "aab" in "aaab".

The ctx->saved string is now always sent if it's present on return
from the ngx_http_sub_parse() function (and reset accordingly).  This
allows to release parts of previously matched data.
2013-07-25 14:54:53 +04:00
Maxim Dounin
ce7a5a0537 Sub filter: fixed incomplete last buffer on partial match.
If a pattern was partially matched at a response end, partially matched
string wasn't send.  E.g., a response "fo" was truncated to an empty response
if partially mathed by a pattern "foo".
2013-07-25 14:54:48 +04:00
Maxim Dounin
68fab7c8c4 Sub filter: flush buffers handling. 2013-07-25 14:54:47 +04:00
Maxim Dounin
8d568c7ae0 Sub filter: switched to ngx_chain_get_free_buf().
No functional changes.
2013-07-25 14:54:45 +04:00
Maxim Dounin
3961ef2318 Sub filter: stale comments removed. 2013-07-25 14:54:43 +04:00
Ruslan Ermilov
02a077b827 On DragonFlyBSD, TCP_KEEPIDLE and TCP_KEEPINTVL are in msecs.
Based on a patch by Sepherosa Ziehau.
2013-07-25 12:46:03 +04:00
Ruslan Ermilov
690e2b33aa Style: reuse one int variable in ngx_configure_listening_sockets().
No functional changes.
2013-07-25 12:46:02 +04:00
Valentin Bartenev
32e167e211 SPDY: fixed segfault with "client_body_in_file_only" enabled.
It is possible to send FLAG_FIN in additional empty data frame, even if it is
known from the content-length header that request body is empty.  And Firefox
actually behaves like this (see ticket #357).

To simplify code we sacrificed our microoptimization that did not work right
due to missing check in the ngx_http_spdy_state_data() function for rb->buf
set to NULL.
2013-07-24 22:24:25 +04:00
Maxim Dounin
809d05769b Xslt: exsltRegisterAll() moved to preconfiguration.
The exsltRegisterAll() needs to be called before XSLT stylesheets
are compiled, else stylesheet compilation hooks will not work.  This
change fixes EXSLT Functions extension.
2013-07-19 15:59:50 +04:00
Valentin Bartenev
615d558843 Events: honor NGX_USE_GREEDY_EVENT when kqueue support is enabled.
Currently this flag is needed for epoll and rtsig, and though these methods
usually present on different platforms than kqueue, nginx can be compiled to
support all of them.
2013-07-13 03:24:30 +04:00
Maxim Dounin
d10251030a Style. 2013-07-11 20:38:27 +04:00
Vladimir Homutov
d79c8abcaa Core: fixed possible use of an uninitialized variable.
The call to ngx_sock_ntop() in ngx_connection_local_sockaddr() might be
performed with the uninitialized "len" variable.  The fix is to initialize
variable to the size of corresponding socket address type.

The issue was introduced in commit 05ba5bce31e0.
2013-07-11 19:50:19 +04:00
Vladimir Homutov
af18946d76 Core: extended ngx_sock_ntop() with socklen parameter.
On Linux, sockaddr length is required to process unix socket addresses properly
due to unnamed sockets (which don't have sun_path set at all) and abstract
namespace sockets.
2013-07-11 16:07:25 +04:00
Gleb Smirnoff
050f74b751 Make macros safe. 2013-07-05 11:42:25 +04:00
Ruslan Ermilov
523191ec89 Upstream: updated list of ngx_event_connect_peer() return values.
ngx_http_upstream_get_keepalive_peer() may return NGX_DONE to
indicate that the cached keepalive connection is reused.
2013-07-03 12:04:13 +04:00
Vladimir Homutov
dd3e13eef0 Core: consolidated log-related code.
The stderr redirection code is moved to ngx_log_redirect_stderr().
The opening of the default log code is moved to ngx_log_open_default().
2013-06-28 17:24:54 +04:00
Maxim Dounin
f41c91511d Version bump. 2013-07-02 20:05:49 +04:00
Maxim Dounin
88fc0f793e Fixed ngx_http_parse_chunked() minimal length calculation.
Minimal data length we expect for further calls was calculated incorrectly
if parsing stopped right after parsing chunk size.  This might in theory
affect clients and/or backends using LF instead of CRLF.

Patch by Dmitry Popov.
2013-06-28 13:55:05 +04:00
Maxim Dounin
982f4de9f0 Fixed build on Linux with x32 ABI.
On Linux x32 inclusion of sys/sysctl.h produces an error.  As sysctl() is
only used by rtsig event method code, which is legacy and not compiled
in by default on modern linuxes, the sys/sysctl.h file now only included
if rtsig support is enabled.

Based on patch by Serguei I. Ivantsov.
2013-06-26 15:47:27 +04:00
Vladimir Homutov
11ff177a9f Core: support several "error_log" directives.
When several "error_log" directives are specified in the same configuration
block, logs are written to all files with a matching log level.

All logs are stored in the singly-linked list that is sorted by log level in
the descending order.

Specific debug levels (NGX_LOG_DEBUG_HTTP,EVENT, etc.) are not supported
if several "error_log" directives are specified.  In this case all logs
will use debug level that has largest absolute value.
2013-06-20 20:47:39 +04:00
Ruslan Ermilov
02cc52554f Simplified ngx_list_create(). 2013-06-19 08:55:08 +04:00
Tatsuhiko Kubo
c974bd7936 Valgrind: another complaint about uninitialized bytes. 2013-06-12 00:41:24 +09:00
Valentin Bartenev
420e41ef09 SPDY: fixed code style, no functional changes. 2013-06-13 16:28:42 +04:00
Vladimir Homutov
aac7f7f464 Core: moved initialization of log level.
The cycle->new_log->log_level should only be initialized by ngx_init_cycle()
if no error logs were found in the configuration.  This move allows to get rid
of extra initialization in ngx_error_log().
2013-06-13 14:50:10 +04:00
Jim Radford
de2ec2c650 SPDY: pass through the full status when available.
Avoid stripping the status text when proxying for compatibility with http.
2013-06-07 13:16:00 -07:00
Maxim Dounin
ddece08218 Perl: fixed r->header_in("Cookie") (ticket #351).
It was broken by X-Forwarded-For related changes in f7fe817c92a2 (1.3.14)
as hh->offset is no longer 0 for Cookie.
2013-06-10 14:35:00 +04:00
Maxim Dounin
dc5c6928fb Fixed debug logging in ngx_http_parse_complex_uri().
The *u previously logged isn't yet initialized at this point, and
Valgrind complains.
2013-06-05 19:45:08 +04:00
Maxim Dounin
2b356db155 Mail: fixed possible uninitialized memory access.
Found by Valgrind.
2013-06-05 19:44:23 +04:00
Maxim Dounin
40c4e7b73c Valgrind: supressed complaints about uninitialized bytes.
Valgrind complains if we pass uninitialized memory to a syscall:

==36492== Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
==36492==    at 0x6B5E6A: sendmsg (in /usr/lib/system/libsystem_kernel.dylib)
==36492==    by 0x10004288E: ngx_signal_worker_processes (ngx_process_cycle.c:527)
==36492==    by 0x1000417A7: ngx_master_process_cycle (ngx_process_cycle.c:203)
==36492==    by 0x100001F10: main (nginx.c:410)
==36492==  Address 0x7fff5fbff71c is on thread 1's stack

Even initialization of all members of the structure passed isn't enough, as
there is padding which still remains uninitialized and results in Valgrind
complaint.  Note there is no real problem here as data from uninitialized
memory isn't used.
2013-06-05 19:44:22 +04:00
Maxim Dounin
6b95320cf7 Valgrind: sigaction() failure now ignored.
Valgrind intercepts SIGUSR2 in some cases, and nginx might not be able to
start due to sigaction() failure.  If compiled with NGX_VALGRIND defined,
we now ignore the failure of sigaction().
2013-06-05 19:44:20 +04:00
Valentin Bartenev
f6650479c3 Status: the "last_in_chain" flag must be set.
The module always produces only one and obviously the last buffer in chain.
2013-06-05 16:22:40 +04:00
Valentin Bartenev
ba4b4991d1 SPDY: use proper macros for value length and headers counter.
Currently these macros are synonyms, but this may change in the future
(in particular, spdy/3 uses 4 bytes for lengths).
2013-06-05 02:13:52 +04:00
Maxim Dounin
d37a0a2c7a Version bump. 2013-06-04 19:38:20 +04:00
Vladimir Homutov
26489b16e5 Core: fixed handling of "stderr" in error_log.
If "stderr" was specified in one of the "error_log" directives,
stderr is not redirected to the first error_log on startup,
configuration reload, and reopening log files.
2013-06-04 11:27:36 +04:00
Vladimir Homutov
9db2eddd8a Core: fixed stderr redirection on win32 in ngx_reopen_files().
On win32 stderr was not redirected into a file specified by "error_log"
while reopening files.  Fix is to use platform-independent functions to
work with stderr, as already used by ngx_init_cycle() and main() since
rev. d8316f307b6a.
2013-06-03 16:54:28 +04:00
Maxim Dounin
a80cb81604 Win32: accept_mutex now always disabled (ticket #362).
Use of accept mutex on win32 may result in a deadlock if there are multiple
worker_processes configured and the mutex is grabbed by a process which
can't accept connections.
2013-05-31 14:59:26 +04:00
Ruslan Ermilov
2342d86951 OCSP stapling: fixed incorrect debug level. 2013-05-31 13:30:37 +04:00
Ruslan Ermilov
de381f7266 Access: support for UNIX-domain client addresses (ticket #359). 2013-05-30 18:23:05 +04:00
Maxim Dounin
641662e340 Win32: added missing reset of wev->ready on WSAEWOULDBLOCK.
This fixes connection hang with websockets proxy, and likely some other
places as well.
2013-05-29 19:18:22 +04:00
Maxim Dounin
1a983a0c05 Upstream: http_403 support in proxy_next_upstream (and friends).
The parameter is mostly identical to http_404, and is expected to
be used in similar situations.  The 403 code might be returned by
a backend instead of 404 on initial sync of new directories with rsync.

See here for feature request and additional details:
http://mailman.nginx.org/pipermail/nginx-ru/2013-April/050920.html
2013-05-27 16:54:09 +04:00
Maxim Dounin
cc3c0ce870 Xslt: xslt_last_modified directive.
Directive is similar to ssi_last_modified and sub_filter_last_modified
directives introduced by previous commits.
2013-05-24 22:28:09 +04:00
Maxim Dounin
af7e2a9185 Sub filter: sub_filter_last_modified directive.
Directive is similar to ssi_last_modified introduced by previous commit.

Patch by Alexey Kolpakov.
2013-05-24 22:27:30 +04:00
Maxim Dounin
55fcadcfa2 SSI: ssi_last_modified directive.
The "ssi_last_modified" directive allows to preserve Last-Modified header
in SSI responses.  The directive is similar to SSILastModified one available
in Apache:

http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilastmodified

Patch by Alexey Kolpakov.
2013-05-24 22:27:23 +04:00
Valentin Bartenev
c8702948db Core: strengthen configuration syntax checker.
It is now a syntax error if tokens passed to a custom configuration
handler are terminated by "{".

The following incorrect configuration is now properly rejected:

  map $v $v2 {
      a b {
      c d {
      e f {
  }
2013-05-23 20:30:27 +04:00
Ruslan Ermilov
2c0ea0fcc8 Memcached: stricten header validation.
An invalid memcached reply that started with '\n' could cause
segmentation fault.

An invalid memcached reply "VALUE / 0 2\r?ok\r\nEND\r\n" was
considered as a valid response.

In addition, if memcached reports that the key was not found,
set u->headers_in.content_length_n to 0.  This ensures that
ngx_http_memcached_filter() will not be called while previous
code relied on always intercepting 404.  Initialization of
ctx->rest was moved to where it belongs.
2013-05-23 16:26:10 +04:00
Sergey Kandaurov
3be6cc9b2f Use "void" for functions with empty parameter list. 2013-05-23 15:47:58 +04:00
Piotr Sikora
407c831116 Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
No functional changes.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-21 18:45:07 -07:00
Piotr Sikora
c3d20f52d0 Style: remove unnecessary references to HTTP from non-HTTP modules.
No functional changes.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-21 18:43:43 -07:00
Maxim Dounin
4fd486e68c Referer module: added $invalid_referer to variables hash.
This makes it accessible via dynamic lookup with ngx_http_get_variable()
from Perl, SSI, etc.

Patch by Yichun Zhang (agentzh).
2013-05-22 22:31:53 +04:00
Maxim Dounin
a1ab0dde4a Upstream: fixed fail_timeout and max_fails > 1.
Due to peer->checked always set since rev. c90801720a0c (1.3.0)
by round-robin and least_conn balancers (ip_hash not affected),
the code in ngx_http_upstream_free_round_robin_peer() function
incorrectly reset peer->fails too often.

Reported by Dmitry Popov,
http://mailman.nginx.org/pipermail/nginx-devel/2013-May/003720.html
2013-05-21 21:47:50 +04:00
F. da Silva
2b1779b916 Mail: missing ngx_ssl_ecdh_curve() call. 2013-05-10 16:53:45 +02:00
Sergey Kandaurov
8ef3374a5a Fixed error logging.
The provided argument list didn't follow a used format string.
2013-05-21 17:30:19 +04:00
Ruslan Ermilov
76c1d58a46 Upstream: slightly optimized ngx_http_upstream_process_header(). 2013-05-21 12:54:27 +04:00
Ruslan Ermilov
5b57d01365 Upstream: made the assignment more obvious.
No functional changes.
2013-05-21 12:54:26 +04:00
Piotr Sikora
1b10a9adf8 OCSP stapling: fix error logging of successful OCSP responses.
Due to a bad argument list, nginx worker would crash (SIGSEGV) while
trying to log the fact that it received OCSP response with "revoked"
or "unknown" certificate status.

While there, fix similar (but non-crashing) error a few lines above.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-16 15:37:13 -07:00
Filipe Da Silva
8597218f38 Mail: removed surplus ngx_close_connection() call.
It is already called for a peer connection a few lines above.
2013-05-09 10:54:28 +02:00
Ruslan Ermilov
c9c4e39be6 Upstream keepalive: slightly simplified code. 2013-05-15 15:04:49 +04:00
Maxim Dounin
330ebdc8fe Proxy: clear script engine used to calculate lengths.
Previous code is believed to be safe, but might access uninitialized
memory (e.g., e->quote).
2013-05-15 12:23:44 +04:00
Maxim Dounin
885861b683 Fixed lingering_time check.
There are two significant changes in this patch:

1) The <= 0 comparison is done with a signed type.  This fixes the case
   of ngx_time() being larger than r->lingering_time.

2) Calculation of r->lingering_time - ngx_time() is now always done
   in the ngx_msec_t type.  This ensures the calculation is correct
   even if time_t is unsigned and differs in size from ngx_msec_t.

Thanks to Lanshun Zhou.
2013-05-13 17:39:45 +04:00
Ruslan Ermilov
dcdf9eed8d Upstream: allow to intercept responses with status 300.
This fixes an omission made in 9e7926763f87 where all 3XX statuses
were allowed for "error_page".
2013-05-13 14:10:22 +04:00
Piotr Sikora
b5fd7d5041 PCRE: retain input pattern for all regular expressions.
Previously, input pattern was kept only for regular expressions
with named captures, which resulted in error log entries without
input pattern for PCRE errors that occured while processing
regular expressions without them.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-02 03:26:36 -07:00
Maxim Dounin
a38455a7f3 Proxy: $proxy_internal_body_length fixed.
The $proxy_internal_body_length value might change during request lifetime,
notably if proxy_set_body used, and use of a cached value might result in
incorrect upstream requests.

Patch by Lanshun Zhou.
2013-05-11 21:12:24 +04:00
Maxim Dounin
9564f6513b Mp4: indentation and style, no functional changes. 2013-05-11 18:49:49 +04:00
Maxim Dounin
c3dea40b45 Added r->limit_rate_after.
As of now, it allows to better control bandwidth limiting from additional
modules.  It is also expected to be used to add variables support to
the limit_rate_after directive.
2013-05-11 18:49:42 +04:00
Maxim Dounin
9cff79927a Fixed build with --with-mail_ssl_module.
If nginx was compiled without --with-http_ssl_module, but with some
other module which uses OpenSSL (e.g. --with-mail_ssl_module), insufficient
preprocessor check resulted in build failure.  The problem was introduced
by e0a3714a36f8 (1.3.14).

Reported by Roman Arutyunyan.
2013-05-11 18:49:30 +04:00
Maxim Dounin
ff724933c2 Request body: fixed r->count increment on allocation failure. 2013-05-11 18:49:19 +04:00
Maxim Dounin
8e35221f9a Perl: extra "return" removed. 2013-05-11 18:48:56 +04:00
Maxim Dounin
22c9e34b75 Version bump. 2013-05-11 18:43:28 +04:00
Maxim Dounin
818807d71e Fixed chunk size parsing. 2013-05-06 14:03:24 +04:00
Ruslan Ermilov
9014efdadf Proxy: allocate $proxy_internal_body_length from request pool. 2013-04-29 18:58:58 +04:00
Ruslan Ermilov
8bc3ed7604 Version bump. 2013-04-29 18:06:58 +04:00
Maxim Dounin
39d9871bc8 Version bump. 2013-04-24 13:03:43 +00:00
Valentin Bartenev
670d42859d SPDY: set NGX_TCP_NODELAY_DISABLED for fake connections.
This is to avoid setting the TCP_NODELAY flag on SPDY socket in
ngx_http_upstream_send_response().  The latter works per request,
but in SPDY case it might affect other streams in connection.
2013-04-23 10:15:49 +00:00
Maxim Dounin
e584341792 Perl: request body handling fixed.
As of 1.3.9, chunked request body may be available with
r->headers_in.content_length_n <= 0.  Additionally, request body
may be in multiple buffers even if r->request_body_in_single_buf
was requested.
2013-04-23 10:04:12 +00:00
Maxim Dounin
9d4e3c3612 Configure: fixed perl Makefile generation (ticket #334).
Dependancy tracking introduced in r5169 were not handled absolute path
names properly.  Absolute names might appear in CORE_DEPS if --with-openssl
or --with-pcre configure arguments are used to build OpenSSL/PCRE
libraries.

Additionally, revert part of r5169 to set NGX_INCS from Makefile
variables.  Makefile variables have $ngx_include_opt in them, which
might result in wrong include paths being used.  As a side effect,
this also restores build with --with-http_perl_module and --without-http
at the same time.
2013-04-19 12:19:57 +00:00
Ruslan Ermilov
ba4f2702bc Version bump. 2013-04-18 14:16:44 +00:00
Maxim Dounin
77d60d2cef Events: backout eventport changes (r5172) for now.
Evenport method needs more work.  Changes in r5172, while being correct,
introduce various new regressions with current code.
2013-04-16 12:58:03 +00:00
Maxim Dounin
0dee57d865 Request body: only read body in main request (ticket #330).
Before 1.3.9 an attempt to read body in a subrequest only caused problems
if body wasn't already read or discarded in a main request.  Starting with
1.3.9 it might also cause problems if body was discarded by a main request
before subrequest start.

Fix is to just ignore attempts to read request body in a subrequest, which
looks like right thing to do anyway.
2013-04-16 10:14:59 +00:00
Ruslan Ermilov
7ea00fb58c Upstream: warn if multiple non-stackable balancers are installed. 2013-04-12 19:12:13 +00:00
Valentin Bartenev
c798029241 Events: fixed typos in two previous commits. 2013-04-12 17:31:08 +00:00
Valentin Bartenev
c6aebf6c74 Events: handle only active events in eventport.
We generate both read and write events if an error event was returned by
port_getn() without POLLIN/POLLOUT, but we should not try to handle inactive
events, they may even have no handler.
2013-04-12 15:04:23 +00:00
Valentin Bartenev
ed9f87c901 Events: protection from stale events in eventport and devpoll.
Stale write event may happen if read and write events was reported both,
and processing of the read event closed descriptor.

In practice this might result in "sendfilev() failed (134: ..." or
"writev() failed (134: ..." errors when switching to next upstream server.

See report here:
http://mailman.nginx.org/pipermail/nginx/2013-April/038421.html
2013-04-12 15:02:33 +00:00
Sergey Kandaurov
7a7650aeb1 Upstream: fixed $upstream_response_length without buffering.
Reported by Piotr Sikora.
2013-04-11 13:49:13 +00:00
Maxim Dounin
c63b826d8b Configure: fixed nginx.so rebuild (broken by r5145).
To avoid further breaks it's now done properly, all the dependencies
are now passed to Makefile.PL.  While here, fixed include list passed to
Makefile.PL to use Makefile variables rather than a list expanded during
configure.
2013-04-10 17:07:44 +00:00
Valentin Bartenev
e297091c28 Upstream: removed surplus ngx_resolve_name_done() call.
It will be called in ngx_http_upstream_finalize_request().
2013-04-04 14:19:06 +00:00
Valentin Bartenev
d88dffbf1a Limit req: rate should be non-zero.
Specifying zero rate caused division by zero when calculating delays.
2013-04-03 14:13:35 +00:00
Ruslan Ermilov
600f9d3ea8 Pass PCRE_CASELESS to pcre_compile() for caseless matching.
Previously, we sometimes passed constant value 1 that happens to
match PCRE_CASELESS and thus was harmless.
2013-03-29 08:47:37 +00:00
Ruslan Ermilov
a861b0dbb1 Simplified nginx version maintenance.
It's no longer necessary to update src/http/modules/perl/nginx.pm
when version is bumped, as it's now derived from src/core/nginx.h.
2013-03-28 08:47:06 +00:00
Maxim Dounin
cc0e56370d Upstream: fixed tcp_nodelay with connection upgrade (ticket #325). 2013-03-27 15:18:34 +00:00
Maxim Dounin
3b9e7adcf4 Event connect: don't penalize AF_INET6 connections.
Problems with setsockopt(TCP_NODELAY) and setsockopt(TCP_NOPUSH), as well
as sendfile() syscall on Solaris, are specific to UNIX-domain sockets.
Other address families, i.e. AF_INET and AF_INET6, are fine.
2013-03-27 15:16:45 +00:00
Maxim Dounin
c2bb76515b Version bump. 2013-03-27 15:15:34 +00:00
Valentin Bartenev
604e18fb2c Use NGX_FILE_ERROR for handling file operations errors.
On Win32 platforms 0 is used to indicate errors in file operations, so
comparing against -1 is not portable.

This was not much of an issue in patched code, since only ngx_fd_info() test
is actually reachable on Win32 and in worst case it might result in bogus
error log entry.

Patch by Piotr Sikora.
2013-03-25 15:49:11 +00:00
Ruslan Ermilov
ea327f13f1 Upstream: removed rudiments of upstream connection caching.
This functionality is now provided by ngx_http_upstream_keepalive_module.
2013-03-25 14:51:44 +00:00
Ruslan Ermilov
4d9fdd86f7 Upstream: removed sorting of upstream servers.
Sorting of upstream servers by their weights is not required by
current balancing algorithms.

This will likely change mapping to backends served by ip_hash
weighted upstreams.
2013-03-25 13:41:30 +00:00
Ruslan Ermilov
4f2d6513dc Mail: IPv6 backends (ticket #323). 2013-03-25 13:38:59 +00:00
Ruslan Ermilov
2fd8b271c4 Upstream: removed double-free workarounds in peer.free() methods. 2013-03-25 13:16:55 +00:00
Ruslan Ermilov
46b469a8ee Upstream: only call peer.free() if peer.get() selected a peer. 2013-03-25 13:14:49 +00:00
Ruslan Ermilov
275a35c2d0 Split clients: check length when parsing configuration. 2013-03-21 16:06:53 +00:00
Ruslan Ermilov
0ce62130cb Removed unused ngx_http_clear_variable() macro. 2013-03-21 16:06:13 +00:00
Ruslan Ermilov
d1c285e297 Fixed language in a comment preceding ngx_http_index_handler(). 2013-03-21 16:05:35 +00:00
Ruslan Ermilov
64fe190fa0 Moved ngx_array_t definition from ngx_core.h to ngx_array.h. 2013-03-21 16:04:09 +00:00
Ruslan Ermilov
56fce56f4f Use NGX_DEFAULT_POOL_SIZE macro where appropriate. 2013-03-21 16:03:24 +00:00
Ruslan Ermilov
7b80e43389 Simplified ngx_array_create(). 2013-03-21 15:52:52 +00:00
Ruslan Ermilov
9e5f617d66 Core: fixed resource leak if binary upgrade fails due to no memory.
Found by Coverity (CID 992320).
2013-03-20 18:07:25 +00:00
Valentin Bartenev
2686cb4452 Preliminary experimental support for SPDY draft 2. 2013-03-20 10:36:57 +00:00
Valentin Bartenev
cf64a6c536 Win32: disabled MSVC warning about '\0' not fitting into array.
We believe that this warning produces more inconvience than real benefit.
Here is an example to trigger:

  u_char a[4] = "test";
2013-03-20 10:18:26 +00:00
Valentin Bartenev
fb6f8c4509 URI processing code moved to a separate function.
This allows to reuse it in the upcoming SPDY module.
2013-03-20 09:36:27 +00:00
Ruslan Ermilov
fd8b7d2f33 Image filter: the "image_filter_interlace" directive.
Patch by Ian Babrou, with minor changes.
2013-03-19 08:13:48 +00:00
Maxim Dounin
d7db87e6d9 The limit_req_status and limit_conn_status directives.
Patch by Nick Marden, with minor changes.
2013-03-18 14:50:29 +00:00
Ruslan Ermilov
5a7661e581 Core: guard against failed allocation during binary upgrade.
Patch by Piotr Sikora.
2013-03-18 07:13:57 +00:00
Valentin Bartenev
bac0cb3bbd Status: introduced the "ngx_stat_waiting" counter.
And corresponding variable $connections_waiting was added.

Previously, waiting connections were counted as the difference between
active connections and the sum of reading and writing connections.
That made it impossible to count more than one request in one connection
as reading or writing (as is the case for SPDY).

Also, we no longer count connections in handshake state as waiting.
2013-03-15 20:00:49 +00:00
Valentin Bartenev
23e692b58d Allow to reuse connections that wait their first request.
This should improve behavior under deficiency of connections.

Since SSL handshake usually takes significant amount of time,
we exclude connections from reusable queue during this period
to avoid premature flush of them.
2013-03-15 19:49:54 +00:00
Maxim Dounin
3f70ddcfc6 Upstream: fixed previous commit.
Store r->connection on stack to make sure it's still available if request
finalization happens to actually free request memory.
2013-03-14 16:22:43 +00:00
Maxim Dounin
c49abd2317 Upstream: call ngx_http_run_posted_requests() on resolve errors.
If proxy_pass to a host with dynamic resolution was used to handle
a subrequest, and host resolution failed, the main request wasn't run
till something else happened on the connection.  E.g. request to "/zzz"
with the following configuration hanged:

    addition_types *;
    resolver 8.8.8.8;

    location /test {
        set $ihost xxx;
        proxy_pass http://$ihost;
    }

    location /zzz {
      add_after_body /test;
      return 200 "test";
    }

Report and original version of the patch by Lanshun Zhou,
http://mailman.nginx.org/pipermail/nginx-devel/2013-March/003476.html.
2013-03-14 12:37:54 +00:00
Maxim Dounin
4641497e9c Request body: avoid linking rb->buf to r->header_in.
Code to reuse of r->request_body->buf in upstream module assumes it's
dedicated buffer, hence after 1.3.9 (r4931) it might reuse r->header_in
if client_body_in_file_only was set, resulting in original request
corruption.  It is considered to be safer to always create a dedicated
buffer for rb->bufs to avoid such problems.
2013-03-14 12:30:26 +00:00
Maxim Dounin
545cfd1fd3 Request body: next upstream fix.
After introduction of chunked request body handling in 1.3.9 (r4931),
r->request_body->bufs buffers have b->start pointing to original buffer
start (and b->pos pointing to real data of this particular buffer).

While this is ok as per se, it caused bad things (usually original request
headers included before the request body) after reinit of the request
chain in ngx_http_upstream_reinit() while sending the request to a next
upstream server (which used to do b->pos = b->start for each buffer
in the request chain).

Patch by Piotr Sikora.
2013-03-14 12:28:53 +00:00
Maxim Dounin
092355b2cc Fixed logging in ngx_http_wait_request_handler().
If c->recv() returns 0 there is no sense in using ngx_socket_errno for
logging, its value meaningless.  (The code in question was copied from
ngx_http_keepalive_handler(), but ngx_socket_errno makes sense there as it's
used as a part of ECONNRESET handling, and the c->recv() call is preceeded
by the ngx_set_socket_errno(0) call.)
2013-03-12 13:38:04 +00:00
Valentin Bartenev
f1b6e47b74 Removed unused prototype of ngx_http_find_server_conf().
This function prototype and its implementation was added in r90,
but the implementation was removed in r97.
2013-03-11 14:44:56 +00:00
Valentin Bartenev
b8cba361f7 Gzip: fixed setting of NGX_HTTP_GZIP_BUFFERED.
In r2411 setting of NGX_HTTP_GZIP_BUFFERED in c->buffered was moved from
ngx_http_gzip_filter_deflate_start() to ngx_http_gzip_filter_buffer() since
it was always called first.  But in r2543 the "postpone_gzipping" directive
was introduced, and if postponed gzipping is disabled (the default setting),
ngx_http_gzip_filter_buffer() is not called at all.

We must always set NGX_HTTP_GZIP_BUFFERED after the start of compression
since there is always a trailer that is buffered.

There are no known cases when it leads to any problem with current code.
But we already had troubles in upcoming SPDY implementation.
2013-03-11 11:19:58 +00:00
Valentin Bartenev
8fbef4841f SSL: Next Protocol Negotiation extension support.
Not only this is useful for the upcoming SPDY support, but it can
also help to improve HTTPS performance by enabling TLS False Start
in Chrome/Chromium browsers [1].  So, we always enable NPN for HTTPS
if it is supported by OpenSSL.

[1] http://www.imperialviolet.org/2012/04/11/falsestart.html
2013-03-07 18:21:28 +00:00
Valentin Bartenev
bf23093e10 Refactored ngx_http_init_request().
Now it can be used as the request object factory with minimal impact on the
connection object.  Therefore it was renamed to ngx_http_create_request().
2013-03-07 18:14:27 +00:00
Valentin Bartenev
a32d3f8b6b Removed c->single_connection flag.
The c->single_connection was intended to be used as lock mechanism
to serialize modifications of request object from several threads
working with client and upstream connections.  The flag is redundant
since threads in nginx have never been used that way.
2013-03-07 18:07:16 +00:00
Valentin Bartenev
4815b3b2ee Respect the new behavior of TCP_DEFER_ACCEPT.
In Linux 2.6.32, TCP_DEFER_ACCEPT was changed to accept connections
after the deferring period is finished without any data available.
(Reading from the socket returns EAGAIN in this case.)

Since in nginx TCP_DEFER_ACCEPT is set to "post_accept_timeout", we
do not need to wait longer if deferred accept returns with no data.
2013-03-07 17:59:27 +00:00
Valentin Bartenev
3e5aaee828 Use "client_header_timeout" for all requests in a connection.
Previously, only the first request in a connection used timeout
value from the "client_header_timeout" directive while reading
header.  All subsequent requests used "keepalive_timeout" for
that.

It happened because timeout of the read event was set to the
value of "keepalive_timeout" in ngx_http_set_keepalive(), but
was not removed when the next request arrived.
2013-03-07 17:41:40 +00:00
Valentin Bartenev
a46a3ab68d Create request object only after the first byte was received.
Previously, we always created an object and logged 400 (Bad Request)
in access log if a client closed connection without sending any data.
Such a connection was counted as "reading".

Since it's common for modern browsers to behave like this, it's no
longer considered an error if a client closes connection without
sending any data, and such a connection will be counted as "waiting".

Now, we do not log 400 (Bad Request) and keep memory footprint as
small as possible.
2013-03-07 17:21:50 +00:00
Valentin Bartenev
1e1b93b51f Version bump. 2013-03-07 17:07:04 +00:00
Maxim Dounin
b502fcb37a Mp4: fixed handling of too small mdat atoms (ticket #266).
Patch by Gernot Vormayr (with minor changes).
2013-03-04 15:39:03 +00:00
Valentin Bartenev
fcf003c6f4 Allocate request object from its own pool.
Previously, it was allocated from a connection pool and
was selectively freed for an idle keepalive connection.

The goal is to put coupled things in one chunk of memory,
and to simplify handling of request objects.
2013-03-01 14:55:42 +00:00
Valentin Bartenev
b720f650bb SNI: added restriction on requesting host other than negotiated.
According to RFC 6066, client is not supposed to request a different server
name at the application layer.  Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request.  Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.

There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection.  Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.

An example of configuration that might not work as expected:

  server {
      listen 433 ssl default;
      return 404;
  }

  server {
      listen 433 ssl;
      server_name example.org;

      ssl_client_certificate org.cert;
      ssl_verify_client on;
  }

  server {
      listen 433 ssl;
      server_name example.com;

      ssl_client_certificate com.cert;
      ssl_verify_client on;
  }

Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.
2013-02-27 17:41:34 +00:00
Valentin Bartenev
6000f4ad6d SNI: reset to default server if requested host was not found.
Not only this is consistent with a case without SNI, but this also
prevents abusing configurations that assume that the $host variable
is limited to one of the configured names for a server.

An example of potentially unsafe configuration:

  server {
      listen 443 ssl default_server;
      ...
  }

  server {
      listen 443;
      server_name example.com;

      location / {
          proxy_pass http://$host;
      }
  }

Note: it is possible to negotiate "example.com" by SNI, and to request
arbitrary host name that does not exist in the configuration above.
2013-02-27 17:38:54 +00:00
Valentin Bartenev
f61612532c SNI: avoid surplus lookup of virtual server if SNI was used. 2013-02-27 17:33:59 +00:00
Valentin Bartenev
8c4fea1766 Apply server configuration as soon as host is known.
Previously, this was done only after the whole request header
was parsed, and if an error occurred earlier then the request
was processed in the default server (or server chosen by SNI),
while r->headers_in.server might be set to the value from the
Host: header or host from request line.

r->headers_in.server is in turn used for $host variable and
in HTTP redirects if "server_name_in_redirect" is disabled.
Without the change, configurations that rely on this during
error handling are potentially unsafe if SNI is used.

This change also allows to use server specific settings of
"underscores_in_headers", "ignore_invalid_headers", and
"large_client_header_buffers" directives for HTTP requests
and HTTPS requests without SNI.
2013-02-27 17:27:15 +00:00
Valentin Bartenev
d281d0ba8b SSL: do not treat SSL handshake as request.
The request object will not be created until SSL handshake is complete.
This simplifies adding another connection handler that does not need
request object right after handshake (e.g., SPDY).

There are also a few more intentional effects:

 - the "client_header_buffer_size" directive will be taken from the
   server configuration that was negotiated by SNI;

 - SSL handshake errors and timeouts are not logged into access log
   as bad requests;

 - ngx_ssl_create_connection() is not called until the first byte of
   ClientHello message was received.  This also decreases memory
   consumption if plain HTTP request is sent to SSL socket.
2013-02-27 17:21:21 +00:00
Valentin Bartenev
167aabf2b3 Status: do not count connection as reading right after accept().
Before we receive the first bytes, the connection is counted
as waiting.

This change simplifies further code changes.
2013-02-27 17:16:51 +00:00
Valentin Bartenev
64932a9714 SNI: reuse selected configuration for all requests in a connection.
Previously, only the first request in a connection was assigned the
configuration selected by SNI.  All subsequent requests initially
used the default server's configuration, ignoring SNI, which was
wrong.

Now all subsequent requests in a connection will initially use the
configuration selected by SNI.  This is done by storing a pointer
to configuration in http connection object.  It points to default
server's configuration initially, but changed upon receipt of SNI.

(The request's configuration can be further refined when parsing
the request line and Host: header.)

This change was not made specific to SNI as it also allows slightly
faster access to configuration without the request object.
2013-02-27 17:12:48 +00:00
Valentin Bartenev
e1d8158b5e SNI: ignore captures in server_name regexes when matching by SNI.
This change helps to decouple ngx_http_ssl_servername() from the request
object.

Note: now we close connection in case of error during server name lookup
for request.  Previously, we did so only for HTTP/0.9 requests.
2013-02-27 17:06:52 +00:00
Valentin Bartenev
8ca4dff8c8 Changed interface of ngx_http_validate_host(). 2013-02-27 17:03:14 +00:00
Valentin Bartenev
b314102ff1 Introduced the ngx_http_set_connection_log() macro.
No functional changes.
2013-02-27 16:56:47 +00:00
Valentin Bartenev
508afb8cf5 The default server lookup is now done only once per connection.
Previously, it was done for every request in a connection.
2013-02-27 16:53:01 +00:00
Ruslan Ermilov
67a68720b7 Correctly handle multiple X-Forwarded-For headers (ticket #106). 2013-02-27 13:29:50 +00:00
Ruslan Ermilov
40ea120b34 Fixed separator in $sent_http_cache_control.
In case multiple "Cache-Control" headers are sent to a client,
multiple values in $sent_http_cache_control were incorrectly
split by a semicolon.  Now they are split by a comma.
2013-02-27 13:22:20 +00:00
Valentin Bartenev
f1d5d03eee Fixed potential segfault in ngx_http_keepalive_handler().
In case of error in the read event handling we close a connection
by calling ngx_http_close_connection(), that also destroys connection
pool. Thereafter, an attempt to free a buffer (added in r4892) that
was allocated from the pool could cause SIGSEGV and is meaningless
as well (the buffer already freed with the pool).
2013-02-23 13:23:48 +00:00
Maxim Dounin
890ee444ca SSL: retry "sess_id" and "id" allocations.
In case of fully populated SSL session cache with no memory left for
new allocations, ngx_ssl_new_session() will try to expire the oldest
non-expired session and retry, but only in case when slab allocation
fails for "cached_sess", not when slab allocation fails for either
"sess_id" or "id", which can happen for number of reasons and results
in new session not being cached.

Patch fixes this by adding retry logic to "sess_id" & "id" allocations.

Patch by Piotr Sikora.
2013-02-23 11:54:25 +00:00
Maxim Dounin
56bc5f250b Trailing whitespace fix. 2013-02-23 11:50:42 +00:00
Andrey Belov
284a7dbb30 Introduced variables in ngx_http_stub_status module.
Three new variables were added: $connections_active, $connections_reading
and $connections_writing.
2013-02-21 23:31:57 +00:00
Maxim Dounin
208fc03e7c Connection upgrade support in uwsgi and scgi modules.
Prodded by Roberto De Ioris.
2013-02-20 16:41:05 +00:00
Valentin Bartenev
59db08a6fc Removed zero termination of shm zone names.
It was added in r2717 and no longer needed since r2721,
where the termination was added to ngx_shm_alloc() and
ngx_init_zone_pool().  So then it only corrupts error
messages about ivalid zones.
2013-02-19 17:48:45 +00:00
Valentin Bartenev
a98305e363 Version bump. 2013-02-19 17:45:12 +00:00
Maxim Dounin
82d48e1eba Proxy: fixed do_write handling in previous commit.
As rightfully complained by MSVC, do_write variable was used uninitialized.
Correct fix is to set it's initial value based on event happened.
2013-02-18 15:08:46 +00:00
Maxim Dounin
08a73b4aad Proxy: support for connection upgrade (101 Switching Protocols).
This allows to proxy WebSockets by using configuration like this:

    location /chat/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

Connection upgrade is allowed as long as it was requested by a client
via the Upgrade request header.
2013-02-18 13:50:52 +00:00
Maxim Dounin
d2c9f4554f Fixed false memset warning on Linux with -O3 (ticket #275).
Prodded by John Leach.
2013-02-13 14:39:46 +00:00
Maxim Dounin
a2b987e79f Added support for {SHA} passwords (ticket #50).
Note: use of {SHA} passwords is discouraged as {SHA} password scheme is
vulnerable to attacks using rainbow tables.  Use of {SSHA}, $apr1$ or
crypt() algorithms as supported by OS is recommended instead.

The {SHA} password scheme support is added to avoid the need of changing
the scheme recorded in password files from {SHA} to {SSHA} because such
a change hides security problem with {SHA} passwords.

Patch by Louis Opter, with minor changes.
2013-02-07 12:09:56 +00:00
Maxim Dounin
6cb9bbe71c Version bump. 2013-02-07 12:09:09 +00:00
Ruslan Ermilov
75e5d13ec6 GeoIP: removed pseudo-support of "proxy" and "netspeed" databases. 2013-02-04 16:44:22 +00:00
Maxim Dounin
aad0a1dba6 FastCGI: proper handling of split fastcgi end request.
If fastcgi end request record was split between several network packets,
with fastcgi_keep_conn it was possible that connection was saved in incorrect
state (e.g. with padding bytes not yet read).
2013-02-01 14:41:50 +00:00
Maxim Dounin
e8efec0e5e FastCGI: unconditional state transitions.
Checks for f->padding before state transitions make code hard to follow,
remove them and make sure we always do another loop iteration after
f->state is set to ngx_http_fastcgi_st_padding.
2013-02-01 14:41:07 +00:00
Maxim Dounin
1c5fce7518 FastCGI: fixed wrong connection close with fastcgi_keep_conn.
With fastcgi_keep_conn it was possible that connection was closed after
FCGI_STDERR record with zero padding and without any further data read yet.
This happended as f->state was set to ngx_http_fastcgi_st_padding and then
"break" happened, resulting in p->length being set to f->padding, i.e. 0
(which in turn resulted in connection close).

Fix is to make sure we continue the loop after f->state is set.
2013-02-01 14:40:19 +00:00
Maxim Dounin
e97e4124e3 Request body: fixed client_body_in_file_only.
After introduction of chunked request body reading support in 1.3.9 (r4931),
the rb->bufs wasn't set if request body was fully preread while calling the
ngx_http_read_client_request_body() function.

Reported by Yichun Zhang (agentzh).
2013-02-01 14:38:18 +00:00
Maxim Dounin
2887c06fde SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Missing calls to ngx_handle_write_event() and ngx_handle_read_event()
resulted in a CPU hog during SSL handshake if an level-triggered event
method (e.g. select) was used.
2013-02-01 14:37:43 +00:00
Valentin Bartenev
733e6d2ac6 SSL: take into account data in the buffer while limiting output.
In some rare cases this can result in a more smooth sending rate.
2013-01-28 15:41:12 +00:00
Valentin Bartenev
0f0fac70a1 SSL: avoid calling SSL_write() with zero data size.
According to documentation, calling SSL_write() with num=0 bytes to be sent
results in undefined behavior.

We don't currently call ngx_ssl_send_chain() with empty chain and buffer.
This check handles the case of a chain with total data size that is
a multiple of NGX_SSL_BUFSIZE, and with the special buffer at the end.

In practice such cases resulted in premature connection close and critical
error "SSL_write() failed (SSL:)" in the error log.
2013-01-28 15:40:25 +00:00
Valentin Bartenev
f98b1d2561 SSL: calculation of buffer size moved closer to its usage.
No functional changes.
2013-01-28 15:38:36 +00:00
Valentin Bartenev
0f62e193dc SSL: preservation of flush flag for buffered data.
Previously, if SSL buffer was not sent we lost information that the data
must be flushed.
2013-01-28 15:37:11 +00:00
Valentin Bartenev
c857dade60 SSL: resetting of flush flag after the data was written.
There is no need to flush next chunk of data if it does not contain a buffer
with the flush or last_buf flags set.
2013-01-28 15:35:12 +00:00
Valentin Bartenev
693ba0179e SSL: removed conditions that always hold true. 2013-01-28 15:34:09 +00:00
Ruslan Ermilov
4b46b7fc5b Secure_link: fixed configuration inheritance.
The "secure_link_secret" directive was always inherited from the outer
configuration level even when "secure_link" and "secure_link_md5" were
specified on the inner level.
2013-01-28 14:42:07 +00:00
Ruslan Ermilov
33e934ccc8 Events: fixed null pointer dereference with resolver and poll.
A POLLERR signalled by poll() without POLLIN/POLLOUT, as seen on
Linux, would generate both read and write events, but there's no
write event handler for resolver events.  A fix is to only call
event handler of an active event.
2013-01-25 09:59:28 +00:00
Ruslan Ermilov
db5e48d9b8 GeoIP: IPv6 support.
When using IPv6 databases, IPv4 addresses are looked up as IPv4-mapped
IPv6 addresses.

Mostly based on a patch by Gregor Kališnik (ticket #250).
2013-01-24 16:15:51 +00:00
Maxim Dounin
aa0b86fb4d Proxy: fixed proxy_method to always add space.
Before the patch if proxy_method was specified at http{} level the code
to add trailing space wasn't executed, resulting in incorrect requests
to upstream.
2013-01-22 12:36:00 +00:00
Ruslan Ermilov
19e2ef77c2 Variables $pipe, $request_length, $time_iso8601, and $time_local.
Log module counterparts are preserved for efficiency.

Based on patch by Kiril Kalchev.
2013-01-21 13:15:29 +00:00
Ruslan Ermilov
e493f9ad4e Version bump. 2013-01-17 09:55:36 +00:00
Ruslan Ermilov
5d143ca864 Fixed and improved the "*_bind" directives of proxying modules.
The "proxy_bind", "fastcgi_bind", "uwsgi_bind", "scgi_bind" and
"memcached_bind" directives are now inherited; inherited value
can be reset by the "off" parameter.  Duplicate directives are
now detected.  Parameter value can now contain variables.
2013-01-16 09:42:57 +00:00
Ruslan Ermilov
a2a229193a Fixed "proxy_pass" with IP address and no port (ticket #276).
Upstreams created by "proxy_pass" with IP address and no port were
broken in 1.3.10, by not initializing port in u->sockaddr.

API change: ngx_parse_url() was modified to always initialize port
(in u->sockaddr and in u->port), even for the u->no_resolve case;
ngx_http_upstream() and ngx_http_upstream_add() were adopted.
2013-01-10 12:58:55 +00:00
Maxim Dounin
041449a3d3 SSL: speedup loading of configs with many ssl servers.
The patch saves one EC_KEY_generate_key() call per server{} block by
informing OpenSSL about SSL_OP_SINGLE_ECDH_USE we are going to use before
the SSL_CTX_set_tmp_ecdh() call.

For a configuration file with 10k simple server{} blocks with SSL enabled
this change reduces startup time from 18s to 5s on a slow test box here.
2013-01-09 14:11:48 +00:00
Valentin Bartenev
a6ea2f8f48 Events: added check for duplicate "events" directive. 2013-01-08 14:03:37 +00:00
Valentin Bartenev
ff2e304223 The data pointer in ngx_open_file_t objects must be initialized.
Uninitialized pointer may result in arbitrary segfaults if access_log is used
without buffer and without variables in file path.

Patch by Tatsuhiko Kubo (ticket #268).
2013-01-08 14:01:57 +00:00
Ruslan Ermilov
92d571dd71 Geo: improved code readability. 2012-12-27 21:35:47 +00:00
Ruslan Ermilov
f8a6de481c Upstream keepalive: detect duplicate "keepalive" directive.
A failure to detect duplicate "keepalive" directive resulted in
stack exhaustion.
2012-12-26 14:46:06 +00:00
Ruslan Ermilov
0a668faba4 Version bump. 2012-12-26 09:29:37 +00:00
Ruslan Ermilov
f2c8704fd0 Geo: made "default" affect both IPv4 and IPv6 when using prefixes.
Previously, "default" was equivalent to specifying 0.0.0.0/0, now
it's equivalent to specifying both 0.0.0.0/0 and ::/0 (if support
for IPv6 is enabled) with the same value.
2012-12-26 05:03:51 +00:00
Ruslan Ermilov
98129de874 Geo: properly initialize ngx_cidr_t when dealing with "default". 2012-12-25 10:00:39 +00:00
Ruslan Ermilov
3d87688bc6 Geo: IPv6 support.
The "ranges" mode is still limited to IPv4 only.
2012-12-25 08:21:56 +00:00
Valentin Bartenev
dd46cc659a Upstream: fixed state resetting when switching to backup servers.
Based on patch by Thomas Chen (ticket #257).
2012-12-25 08:02:21 +00:00
Valentin Bartenev
cb90df084f Fixed HEAD requests handling when proxying is used (closes #261). 2012-12-24 17:32:53 +00:00
Ruslan Ermilov
2189c87aa7 Trailing whitespace fix. 2012-12-24 16:40:55 +00:00
Valentin Bartenev
70d1a45c7c Access log: the "gzip" parameter of the "access_log" directive.
Note: this requires zlib version 1.2.0.4 or above to work.
2012-12-23 19:09:33 +00:00
Valentin Bartenev
fcdb4655aa Access log: the "flush" parameter of the "access_log" directive. 2012-12-23 15:51:47 +00:00
Valentin Bartenev
a8ffed5751 Reopening log files code moved to a separate function.
The code refactored in a way to call custom handler that can do appropriate
cleanup work (if any), like flushing buffers, finishing compress streams,
finalizing connections to log daemon, etc..
2012-12-23 15:36:52 +00:00
Valentin Bartenev
df71cd1125 Access log: fixed redundant buffer reallocation.
Previously a new buffer was allocated for every "access_log" directive with the
same file path and "buffer=" parameters, while only one buffer per file is used.
2012-12-23 15:27:55 +00:00
Ruslan Ermilov
7c4068d349 Properly initialize "struct in6_addr" with zeroes. 2012-12-22 20:03:38 +00:00
Maxim Dounin
4b6f8dcd2a Core: crypt_r() error handling fixed.
The crypt_r() function returns NULL on errors, check it explicitly instead
of assuming errno will remain 0 if there are no errors (per POSIX, the
setting of errno after a successful call to a function is unspecified
unless the description of that function specifies that errno shall not
be modified).

Additionally, dropped unneeded ngx_set_errno(0) and fixed error handling
of memory allocation after normal crypt(), which was inapropriate and
resulted in null pointer dereference on allocation failures.
2012-12-21 16:13:03 +00:00
Maxim Dounin
f25549210d Image filter: fixed image_filter rotate inheritance.
Configurations like

    location /i/ {
        image_filter resize 200 200;
        image_filter rotate 180;

        location /i/foo/ {
            image_filter resize 200 200;
        }
   }

resulted in rotation incorrectly applied in the location /i/foo, without
any way to clear it.  Fix is to handle conf->angle/conf->acv consistently
with other filter variables and do not try to inherit them if there are
transformations defined for current location.
2012-12-21 15:07:45 +00:00
Ruslan Ermilov
f1819242fc Geo: ensure that default entry is always present.
If 0.0.0.0/32 entry was present and there was no explicit "default",
we failed to add an empty string as a default value.
2012-12-21 08:46:52 +00:00
Ruslan Ermilov
a0caa70c98 There's no need to normalize address returned by ngx_ptocidr(). 2012-12-21 08:44:39 +00:00
Maxim Dounin
717acb74a7 Image filter: configuration inheritance fixes.
The image_filter_jpeg_quality, image_filter_sharpen and "image_filter rotate"
were inherited incorrectly if a directive with variables was defined, and
then redefined to a literal value, i.e. in configurations like

    image_filter_jpeg_quality $arg_q;

    location / {
        image_filter_jpeg_quality 50;
    }

Patch by Ian Babrou, with minor changes.
2012-12-20 19:04:28 +00:00
Ruslan Ermilov
f4b9d89103 Brought the link to ngx_http_perl_module documentation up to date. 2012-12-20 15:34:37 +00:00
Ruslan Ermilov
d03ea4d842 Fixed return type of internal function that allocates radix tree nodes. 2012-12-20 11:16:03 +00:00
Ruslan Ermilov
7ae79fb8e7 Let "add_header" affect 201 responses (ticket #125). 2012-12-19 10:33:56 +00:00
Ruslan Ermilov
30390ea492 Slightly optimized code that handles special headers in "add_header". 2012-12-19 10:30:45 +00:00
Maxim Dounin
4bad9d0505 Avoid sending "100 Continue" on 413 Request Entity Too Large.
Patch by Igor Sysoev.
2012-12-18 18:39:39 +00:00
Ruslan Ermilov
c865f8dfa2 Added checks that disallow adding a variable with an empty name.
Added variable name syntax checks to "geo" and "map" directives.
2012-12-17 19:03:33 +00:00
Ruslan Ermilov
b8a90c6903 Implemented IPv6 support for URLs specified using domain names.
This includes "debug_connection", upstreams, "proxy_pass", etc.
(ticket #92)

To preserve compatibility, "listen" specified with a domain name
selects the first IPv4 address, if available.  If not available,
the first IPv6 address will be used (ticket #186).
2012-12-17 12:08:53 +00:00
Ruslan Ermilov
2f8c1b73b8 Fixed URL parsing code.
The URL parsing code is not expected to initialize port from default port
when in "no_resolve" mode.  This got broken in r4671 for the case of IPv6
literals.
2012-12-17 09:44:46 +00:00
Ruslan Ermilov
bbf7043fe7 Simplified URL parsing code.
Except for the "listen" directive, "*" specified as a hostname is
no longer treated specially.
2012-12-17 09:31:53 +00:00
Ruslan Ermilov
18a7e1b359 Geo: fixed the "ranges" without ranges case.
The following configuration returned an empty value for $geo:

    geo $geo {
        ranges;
        default default;
    }
2012-12-14 19:56:03 +00:00
Ruslan Ermilov
cd04ca3546 Geo: improved ngx_http_geo_block() code readability. 2012-12-14 19:35:37 +00:00
Valentin Bartenev
fac3b341da Fixed handling of ngx_write_fd() and ngx_read_fd() errors.
The ngx_write_fd() and ngx_read_fd() functions return -1 in case of error,
so the incorrect comparison with NGX_FILE_ERROR (which is 0 on windows
platforms) might result in inaccurate error message in the error log.

Also the ngx_errno global variable is being set only if the returned value
is -1.
2012-12-14 15:24:24 +00:00
Valentin Bartenev
e86279e9f3 Gzip: fixed zlib memLevel adjusting.
An incorrect memLevel (lower than 1) might be passed to deflateInit2() if the
"gzip_hash" directive is set to a value less than the value of "gzip_window"
directive. This resulted in "deflateInit2() failed: -2" alert and an empty
reply.
2012-12-14 15:17:58 +00:00
Maxim Dounin
658296290c Upstream: fixed SIGSEGV with the "if" directive.
Configuration like

    location / {
        set $true 1;

        if ($true) {
            proxy_pass http://backend;
        }

        if ($true) {
            # nothing
        }
    }

resulted in segmentation fault due to NULL pointer dereference as the
upstream configuration wasn't initialized in an implicit location created
by the last if(), but the r->content_handler was set due to first if().

Instead of committing a suicide by dereferencing a NULL pointer, return
500 (Internal Server Error) in such cases, i.e. if uscf is NULL.  Better
fix would be to avoid such cases by fixing the "if" directive handling,
but it's out of scope of this patch.

Prodded by Piotr Sikora.
2012-12-13 16:05:59 +00:00
Ruslan Ermilov
ba290091cf Fixed variable syntax checking in "set", "geo", "limit_conn_zone",
and "perl_set" directives.
2012-12-13 15:05:19 +00:00
Maxim Dounin
b3430993f1 Proxy: better error message about unexpected data.
Requested by Igor Sysoev.
2012-12-13 13:45:39 +00:00
Valentin Bartenev
1a6ed2e3b1 Limit rate: fixed integer overflow in limit calculation (ticket #256).
Patch by Alexey Antropov.
2012-12-12 14:48:48 +00:00
Ruslan Ermilov
1596399e82 The "auth_basic" directive gained support of variables. 2012-12-10 13:11:11 +00:00
Ruslan Ermilov
73fb7e878f Allow the complex value to be defined as an empty string.
This makes conversion from strings to complex values possible
without the loss of functionality.
2012-12-06 23:03:53 +00:00
Ruslan Ermilov
8e8201486c Xslt: prevented infinite loop.
If XSLT transformation failed and error 500 was handled in the same
location, an infinite loop occured that exhausted the stack.
2012-12-06 21:22:58 +00:00
Ruslan Ermilov
760c55a702 Fixed build with embedded perl in certain setups (ticket #48). 2012-12-03 16:00:26 +00:00
Ruslan Ermilov
f707bea0ee Fixed the NGX_SOCKADDR_STRLEN macro definition.
The ngx_sock_ntop() function, when told to print both address and port,
prints IPv6 address in square brackets, followed by colon and port.
2012-11-30 11:26:50 +00:00
Maxim Dounin
b63da701e5 Core: removed GLOB_NOSORT glob option.
This will result in alphabetical sorting of included files if
the "include" directive with wildcards is used.

Note that the behaviour is now different from that on Windows, where
alphabetical sorting is not guaranteed for FindFirsFile()/FindNextFile()
(used to be alphabetical on NTFS, but not on FAT).

Approved by Igor Sysoev, prodded by many.
2012-11-29 23:15:41 +00:00
Maxim Dounin
ea1ff4199d Version bump. 2012-11-29 23:13:18 +00:00
Maxim Dounin
0c563970be Gunzip: added missing ngx_http_clear_etag(). 2012-11-26 21:30:45 +00:00
Maxim Dounin
1469b51451 Core: fixed ngx_write_chain_to_file() with IOV_MAX reached.
Catched by dav_chunked.t on Solaris.  In released versions this might
potentially result in corruption of complex protocol responses if they
were written to disk and there were more distinct buffers than IOV_MAX
in a single write.
2012-11-26 21:19:57 +00:00
Maxim Dounin
e769544a7d Request body: block write events while reading body.
If write events are not blocked, an extra write event might happen for
various reasons (e.g. as a result of a http pipelining), resulting in
incorrect body being passed to a post handler.

The problem manifested itself with the dav module only, as this is
the only module which reads the body from a content phase handler (in
contrast to exclusive content handlers like proxy).  Additionally, dav
module used to dump core in such situations due to ticket #238.

See reports here:

http://mailman.nginx.org/pipermail/nginx-devel/2012-November/002981.html
http://serverfault.com/questions/449195/nginx-webdav-server-with-auth-request
2012-11-26 18:01:49 +00:00
Maxim Dounin
aa955a2097 Request body: error checking fixes, negative rb->rest handling.
Negative rb->rest can't happen with current code, but it's good to have
it handled anyway.

Found by Coverity (CID 744846, 744847, 744848).
2012-11-26 18:01:08 +00:00
Maxim Dounin
c4a4a6a5d8 Request body: improved handling of incorrect chunked request body.
While discarding chunked request body in some cases after detecting
request body corruption no error was returned, while it was possible
to correctly return 400 Bad Request.  If error is detected too late,
make sure to properly close connection.

Additionally, in ngx_http_special_response_handler() don't return body
of 500 Internal Server Error to a client if ngx_http_discard_request_body()
fails, but disable keepalive and continue.
2012-11-26 18:00:14 +00:00
Maxim Dounin
61feb90d74 Request body: fixed discard of chunked request body.
Even if there is no preread data, make sure to always call
ngx_http_discard_request_body_filter() in case of chunked request
body to initialize r->headers_in.content_length_n for later use.
2012-11-26 17:59:30 +00:00
Ruslan Ermilov
a94a101c79 Core: don't reuse shared memory zone that changed ownership (ticket #210).
nginx doesn't allow the same shared memory zone to be used for different
purposes, but failed to check this on reconfiguration.  If a shared memory
zone was used for another purpose in the new configuration, nginx attempted
to reuse it and crashed.
2012-11-23 12:43:58 +00:00
Ruslan Ermilov
9f385870f6 Fixed location of debug message in ngx_shmtx_lock(). 2012-11-21 14:23:26 +00:00
Maxim Dounin
542b60a35a Request body: unbreak build without debug. 2012-11-21 01:40:11 +00:00
Maxim Dounin
5fc85439d0 Request body: chunked transfer encoding support. 2012-11-21 01:08:11 +00:00
Maxim Dounin
d60b8d10f0 Request body: recalculate size of a request body in scgi module.
This allows to handle requests with chunked body by scgi module, and
also simplifies handling of various request body modifications.
2012-11-21 01:06:53 +00:00
Maxim Dounin
0ce5a3aa18 Request body: $content_length variable to honor real body size.
This allows to handle requests with chunked body by fastcgi and uwsgi
modules, and also simplifies handling of various request body modifications.
2012-11-21 01:05:08 +00:00
Maxim Dounin
9a483c8373 Request body: always use calculated size of a request body in proxy.
This allows to handle requests with chunked body, and also simplifies
handling of various request body modifications.
2012-11-21 01:03:48 +00:00
Maxim Dounin
6ddf23bdc4 Request body: adjust b->pos when chunked parsing done.
This is a nop for the current code, though will allow to correctly parse
pipelined requests.
2012-11-21 01:02:56 +00:00
Maxim Dounin
df74d88156 Request body: chunked parsing moved to ngx_http_parse.c from proxy.
No functional changes.
2012-11-21 00:59:16 +00:00
Maxim Dounin
c29837fc4d Request body: properly handle events while discarding body.
An attempt to call ngx_handle_read_event() before actually reading
data from a socket might result in read event being disabled, which is
wrong.  Catched by body.t test on Solaris.
2012-11-21 00:57:56 +00:00
Maxim Dounin
e1bd52041b Request body: fixed socket leak on errors.
The r->main->count reference counter was always incremented in
ngx_http_read_client_request_body(), while it is only needs to be
incremented on positive returns.
2012-11-21 00:57:16 +00:00
Maxim Dounin
5da61375cd Request body: code duplication reduced, no functional changes.
The r->request_body_in_file_only with empty body case is now handled in
ngx_http_write_request_body().
2012-11-21 00:55:50 +00:00
Maxim Dounin
743922a2ce Request body: $request_body variable generalization.
The $request_body variable was assuming there can't be more than two
buffers.  While this is currently true due to request body reading
implementation details, this is not a good thing to depend on and may
change in the future.
2012-11-21 00:55:06 +00:00
Maxim Dounin
ab5ac3b095 Request body: fixed "501 Not Implemented" error handling.
It is not about "Method" but a generic message, and is expected to be used
e.g. if specified Transfer-Encoding is not supported.  Fixed message to
match RFC 2616.

Additionally, disable keepalive on such errors as we won't be able to read
request body correctly if we don't understand Transfer-Encoding used.
2012-11-21 00:54:01 +00:00
Maxim Dounin
d228cf3638 Core: added debug logging of writev() in ngx_write_chain_to_file(). 2012-11-21 00:52:35 +00:00
Maxim Dounin
248bc41893 Dav: fixed segfault on PUT if body was already read (ticket #238).
If request body reading happens with different options it's possible
that there will be no r->request_body->temp_file available (or even
no r->request_body available if body was discarded).  Return internal
server error in this case instead of committing suicide by dereferencing
a null pointer.
2012-11-21 00:51:37 +00:00
Igor Sysoev
da130acfbe Fixed failure to start cache manager and cache loader processes
if there were more than 512 listening sockets in configuration.
2012-11-20 13:37:55 +00:00
Maxim Dounin
246cbd21ce Trailing whitespace fix. 2012-11-17 00:36:44 +00:00
Maxim Dounin
e1d5455a74 Upstream: better detection of connect() failures with kqueue.
Pending EOF might be reported on both read and write events, whichever
comes first, so check both of them.

Patch by Yichun Zhang (agentzh), slightly modified.
2012-11-16 18:29:19 +00:00
Ruslan Ermilov
4d0d2b20ac Upstream: honor the "down" flag for a single server.
If an upstream block was defined with the only server marked as
"down", e.g.

    upstream u {
        server 127.0.0.1:8080 down;
    }

an attempt was made to contact the server despite the "down" flag.
It is believed that immediate 502 response is better in such a
case, and it's also consistent with what is currently done in case
of multiple servers all marked as "down".
2012-11-16 12:18:05 +00:00
Ruslan Ermilov
b67dbca1ca Variables $request_time and $msec.
Log module counterparts are preserved for efficiency.
2012-11-16 09:37:14 +00:00
Ruslan Ermilov
9997aaef70 Fixed setting of CPU affinity on respawn of dead worker processes.
Worker processes are now made aware of their sequential number needed
to select CPU affinity mask.  This replaces a workaround from r4865.
2012-11-16 09:25:52 +00:00
Ruslan Ermilov
5a1d76c9f2 Version bump. 2012-11-16 07:49:41 +00:00
Maxim Dounin
8e67fb4226 Event pipe: fixed handling of buf_to_file data.
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p->buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p->buf_to_file.

This fixes occasional cache file corruption, usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
2012-10-30 11:14:24 +00:00
Maxim Dounin
1e12e7fa1d Variables $connection and $connection_requests.
Log module counterparts are removed as they aren't used often and
there is no need to preserve them for efficiency.
2012-10-29 17:17:59 +00:00
Maxim Dounin
7b3731862b Resolver: added missing memory allocation error handling. 2012-10-24 14:07:08 +00:00
Valentin Bartenev
09dca40b33 ngx_http_keepalive_handler() is now trying to not keep c->buffer's memory for
idle connections.

This behaviour is consistent with the ngx_http_set_keepalive() function and it
should decrease memory usage in some cases (especially if epoll/rtsig is used).
2012-10-23 14:36:18 +00:00
Andrey Belov
f7b32c479d Core: the "auto" parameter of the "worker_processes" directive.
The parameter will set the number of worker processes to the
autodetected number of available CPU cores.
2012-10-23 09:08:41 +00:00
Maxim Dounin
106dbc8d76 Removed conditional compilation from waitpid() error test.
There are reports that call to a signal handler for an exited process
despite waitpid() already called for the process may happen on Linux
as well.
2012-10-18 14:48:33 +00:00
Maxim Dounin
27b7eb17d0 Gunzip: fixed r->gzip_ok check. 2012-10-18 14:27:40 +00:00
Maxim Dounin
0d7a7e91cf OCSP stapling: properly check if there is ssl.ctx.
This fixes segfault if stapling was enabled in a server without a certificate
configured (and hence no ssl.ctx).
2012-10-05 11:09:14 +00:00
Maxim Dounin
82989420ad Variable $bytes_sent.
It replicates variable $bytes_sent as previously available in log module
only.

Patch by Benjamin Grössing (with minor changes).
2012-10-03 15:25:36 +00:00
Maxim Dounin
a707811a31 Log: $apache_bytes_sent removed.
It was renamed to $body_bytes_sent in nginx 0.3.10 and the old name is
deprecated since then.
2012-10-03 15:25:06 +00:00
Maxim Dounin
c846871ce1 SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
2012-10-03 15:24:08 +00:00
Maxim Dounin
f8cc8969d5 Version bump. 2012-10-03 15:22:18 +00:00
Maxim Dounin
7eea509776 OCSP stapling: build fixes.
With the "ssl_stapling_verify" commit build with old OpenSSL libraries
was broken due to incorrect prototype of the ngx_ssl_stapling() function.
One incorrect use of ngx_log_debug() instead of ngx_log_debug2() slipped in
and broke win32 build.
2012-10-01 13:54:13 +00:00
Maxim Dounin
bec2cc5286 OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
2012-10-01 12:53:11 +00:00
Maxim Dounin
3ebbb7d521 OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.
This is expected to simplify configuration in a common case when OCSP
response is signed by a certificate already present in ssl_certificate
chain.  This case won't need any extra trusted certificates.
2012-10-01 12:51:27 +00:00
Maxim Dounin
1a07a7f2de OCSP stapling: log error data in ngx_ssl_error().
It's hard to debug OCSP_basic_verify() failures without the actual error
string it records in the error data field.
2012-10-01 12:50:36 +00:00
Maxim Dounin
872563a64d OCSP stapling: check Content-Type.
This will result in better error message in case of incorrect response
from OCSP responder:

... OCSP responder sent invalid "Content-Type" header: "text/plain"
    while requesting certificate status, responder: ...

vs.

... d2i_OCSP_RESPONSE() failed (SSL:
    error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
    error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
    error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
    while requesting certificate status, responder: ...
2012-10-01 12:48:54 +00:00
Maxim Dounin
74ad4494a6 OCSP stapling: loading OCSP responses.
This includes the ssl_stapling_responder directive (defaults to OCSP
responder set in certificate's AIA extension).

OCSP response for a given certificate is requested once we get at least
one connection with certificate_status extension in ClientHello, and
certificate status won't be sent in the connection in question.  This due
to limitations in the OpenSSL API (certificate status callback is blocking).

Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't
allow to access the certificate loaded via SSL_CTX.
2012-10-01 12:47:55 +00:00
Maxim Dounin
f7ec295fb4 OCSP stapling: the ngx_event_openssl_stapling.c file.
Missed in previous commit.
2012-10-01 12:42:43 +00:00
Maxim Dounin
85c920a0cd OCSP stapling: ssl_stapling_file support.
Very basic version without any OCSP responder query code, assuming valid
DER-encoded OCSP response is present in a ssl_stapling_file configured.

Such file might be produced with openssl like this:

openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
             -url http://ocsp.example.com
2012-10-01 12:41:08 +00:00
Maxim Dounin
3648ba7db8 OCSP stapling: ssl_trusted_certificate directive.
The directive allows to specify additional trusted Certificate Authority
certificates to be used during certificate verification.  In contrast to
ssl_client_certificate DNs of these cerificates aren't sent to a client
during handshake.

Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.

The same applies to a CRL (which is now always loaded).
2012-10-01 12:39:36 +00:00
Maxim Dounin
6a0f47e079 Resolver: cached addresses are returned with random rotation now.
This ensures balancing when working with dynamically resolved upstream
servers with multiple addresses.

Based on patch by Anton Jouline.
2012-09-28 18:28:38 +00:00
Andrey Belov
8be233c8f2 Correct plural form for "path" in the whole source base. 2012-09-28 13:49:26 +00:00
Andrey Belov
b33a316883 Made sure to initialize the entire ngx_file_t structure.
Found by Coverity.
2012-09-28 13:15:11 +00:00
Maxim Dounin
52b59ebc74 SSL: added version checks for ssl compression workaround.
The SSL_COMP_get_compression_methods() is only available as an API
function in OpenSSL 0.9.8+, require it explicitly to unbreak build
with OpenSSL 0.9.7.
2012-09-27 18:01:06 +00:00
Maxim Dounin
f4f72f9fb5 SSL: fixed compression workaround to remove all methods.
Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating
stack from 0 to n, resulting in removal of only even compression methods.

In real life this change is a nop, as there is only one compression method
which is enabled by default in OpenSSL.
2012-09-27 17:59:59 +00:00
Maxim Dounin
927643e3e9 Added clearing of cpu_affinity after process spawn.
This fixes unwanted/incorrect cpu_affinity use on dead worker processes
respawn.  While this is not ideal, it's expected to be better when previous
situation where multiple processes were spawn with identical CPU affinity
set.

Reported by Charles Chen.
2012-09-26 16:25:12 +00:00
Maxim Dounin
f4473147e5 Version bump. 2012-09-26 15:52:06 +00:00
Maxim Dounin
4b948b49aa Gunzip: removed nginx.h leftover include. 2012-09-11 01:13:23 +00:00
Maxim Dounin
90bd33e8eb Gunzip filter import. 2012-09-10 16:52:47 +00:00
Maxim Dounin
86aee85d2e Gzip static: "always" parameter in "gzip_static" directive.
With "always" gzip static returns gzipped content in all cases, without
checking if client supports it.  It is useful if there are no uncompressed
files on disk anyway.
2012-09-10 16:48:25 +00:00
Maxim Dounin
23a959615e Memcached: memcached_gzip_flag directive.
This directive allows to test desired flag as returned by memcached and
sets Content-Encoding to gzip if one found.

This is reimplementation of patch by Tomash Brechko as available on
http://openhack.ru/.  It should be a bit more correct though (at least
I think so).  In particular, it doesn't try to detect if we are able to
gunzip data, but instead just sets correct Content-Encoding.
2012-09-10 16:43:49 +00:00
Maxim Dounin
5867c81fe6 Write filter: replaced unneeded loop with one to free chains.
Noted by Gabor Lekeny.
2012-09-05 15:06:47 +00:00
Valentin Bartenev
605a0ab2e1 Limit req: fix of rbtree node insertion on hash collisions.
The rbtree used in ngx_http_limit_req_module has two level of keys, the top is
hash, and the next is the value string itself. However, when inserting a new
node, only hash has been set, while the value string has been left empty.

The bug was introduced in r4419 (1.1.14).

Found by Charles Chen.
2012-09-03 12:55:50 +00:00
Ruslan Ermilov
9d6d33a561 Fixed overflow if ngx_slab_alloc() is called with very big "size" argument. 2012-08-30 15:09:21 +00:00
Ruslan Ermilov
d469482cda Fixed strict aliasing bugs when dealing with IPv4-mapped IPv6 addresses
(closes #201).
2012-08-30 14:58:11 +00:00
Ruslan Ermilov
da4ffd8955 Fixed the "include" directive.
The "include" directive should be able to include multiple files if
given a filename mask.  Fixed this to work for "include" directives
inside the "map" or "types" blocks.  The "include" directive inside
the "geo" block is still not fixed.
2012-08-28 13:31:01 +00:00
Ruslan Ermilov
43f6163063 Version bump. 2012-08-27 14:21:41 +00:00
Maxim Dounin
c22b87b2e4 Radix tree preallocation fix.
The preallocation size was calculated incorrectly and was always 8 due to
sizeof(ngx_radix_tree_t) accidentally used instead of sizeof(ngx_radix_node_t).
2012-08-18 23:17:58 +00:00
Maxim Dounin
83e35f6f22 Whitespace fix. 2012-08-18 23:04:39 +00:00
Andrey Belov
b69f284383 Mark logically dead code with corresponding comment.
Found by Coverity.
2012-08-17 15:35:50 +00:00
Maxim Dounin
572bca7b83 Mp4: removed restriction to avc1/mp4a formats (ticket #194). 2012-08-17 11:02:35 +00:00
Ruslan Ermilov
53b8514f2d Mail: fixed handling of AF_UNIX addresses in "listen".
This makes AF_UNIX addresses in mail officially supported.
2012-08-17 05:21:28 +00:00
Ruslan Ermilov
ff3236e7a7 Removed a stale "AF_INET only" comment.
IPv6 client connections in mail modules have been supported since r2856.
2012-08-17 05:14:19 +00:00
Ruslan Ermilov
f12c7563e2 Mail: fixed sorting of listen addresses (ticket #187).
For http module this problem was already fixed in r4756.
2012-08-17 05:08:42 +00:00
Maxim Dounin
5425263436 Geo: fixed handling of ranges without default set.
The bug had appeared in 0.8.43 (r3653).  Patch by Weibin Yao.
2012-08-16 13:01:41 +00:00
Maxim Dounin
89bd5f038a Crypt: fixed handling of corrupted SSHA entries in password file.
Found by Coverity.
2012-08-16 12:05:58 +00:00
Maxim Dounin
3587e2be23 Map: fixed optimization of variables as values.
Previous code incorrectly used ctx->var_values as an array of pointers to
ngx_http_variable_value_t, but the array contains structures, not pointers.
Additionally, ctx->var_values inspection failed to properly set var on
match.
2012-08-16 10:58:18 +00:00
Ruslan Ermilov
9aac01a76e mail_core: don't let the well-known port in the "listen" directive to
override the already set "protocol".
2012-08-15 11:30:24 +00:00
Ruslan Ermilov
89ad2e91e5 Corrected the directive name in the ngx_mail_auth_http_module error message. 2012-08-15 11:17:55 +00:00
Valentin Bartenev
86dd5bde45 Added three missing checks for NULL after ngx_array_push() calls.
Found by Coverity.
2012-08-08 12:03:46 +00:00
Andrey Belov
2af80d5fab Explicitly ignore returned value from close() in ngx_event_core_init_conf().
We don't have strong reason to inform about any errors
reported by close() call here, and there are no other things
to do with its return value.

Prodded by Coverity.
2012-08-07 13:57:04 +00:00
Andrey Belov
66e9525e84 Explicitly ignore returned value from unlink() in ngx_open_tempfile().
The only thing we could potentially do here in case of error
returned is to complain to error log, but we don't have log
structure available here due to interface limitations.

Prodded by Coverity.
2012-08-06 16:06:59 +00:00
Maxim Dounin
42a75bba53 Resolver: fixed possible memory leak in ngx_resolver_create().
Found by Coverity.
2012-08-06 10:48:09 +00:00
Ruslan Ermilov
8ed4929a26 Fixed the -p parameter handling.
Ensure that the path supplied always ends with a `/' except when empty.
An empty value now corresponds to the current directory instead of `/'.
2012-08-03 12:52:32 +00:00
Maxim Dounin
25197b3229 Fixed possible use of old cached times if runtime went backwards.
If ngx_time_sigsafe_update() updated only ngx_cached_err_log_time, and
then clock was adjusted backwards, the cached_time[slot].sec might
accidentally match current seconds on next ngx_time_update() call,
resulting in various cached times not being updated.

Fix is to clear the cached_time[slot].sec to explicitly mark cached times
are stale and need updating.
2012-08-03 09:10:39 +00:00
Maxim Dounin
d053bacb9c Added "const" to ngx_memcpy() with NGX_MEMCPY_LIMIT defined.
This fixes warning produced during compilation of the ngx_http_geoip_module
due to const qualifier being discarded.
2012-08-03 09:07:30 +00:00
Maxim Dounin
beaed67996 Whitespace fix. 2012-08-03 09:00:25 +00:00
Maxim Dounin
c722e8a5bf Win32: fixed build with Visual Studio 2005 Express.
It is available via winetricks which makes it still usable, and has
an old crtdefs.h which uses _CRT_SECURE_NO_DEPRECATE instead of
_CRT_SECURE_NO_WARNINGS to suppress warnings.

Reported by HAYASHI Kentaro,
http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002542.html
2012-08-02 12:53:07 +00:00
Andrey Belov
1c42128e50 Reorder checks in ngx_shared_memory_add() for more consistent error messages. 2012-08-01 14:37:08 +00:00
Ruslan Ermilov
15ab0460ce Version bump. 2012-07-31 21:47:56 +00:00
Ruslan Ermilov
deaf22d220 Core: ipv6only is now on by default.
There is a general consensus that this change results in better
consistency between different operating systems and differently
tuned operating systems.

Note: this changes the width and meaning of the ipv6only field
of the ngx_listening_t structure.  3rd party modules that create
their own listening sockets might need fixing.
2012-07-30 12:27:06 +00:00
Valentin Bartenev
9c8f3d86b4 ngx_http_find_virtual_server() should return NGX_DECLINED if virtual server not
found.
2012-07-30 11:42:03 +00:00
Maxim Dounin
21be49ae59 Upstream: hide_headers/pass_headers inheritance fix.
Hide headers and pass headers arrays might not be inherited correctly
into a nested location, e.g. in configuration like

    server {
        proxy_hide_header X-Foo;
        location / {
            location /nested/ {
                proxy_pass_header X-Pad;
            }
        }
    }

the X-Foo header wasn't hidden in the location /nested/.

Reported by Konstantin Svist,
http://mailman.nginx.org/pipermail/nginx-ru/2012-July/047555.html
2012-07-30 10:35:26 +00:00
Ruslan Ermilov
1c31039d1e Improved diagnostics when a directive is specified in the wrong context. 2012-07-29 19:59:06 +00:00
Ruslan Ermilov
45d2ae646b Slight optimization in ngx_http_upstream_add(): replaced an expression
known to be constant with the constant value.
2012-07-29 19:44:09 +00:00
Ruslan Ermilov
b163010872 ngx_http_upstream_add() should return NULL if an error occurs. 2012-07-29 19:38:25 +00:00
Ruslan Ermilov
01f07bde7e Reduced the number of preprocessor directives. 2012-07-26 14:47:42 +00:00
Ruslan Ermilov
cfe194ef59 When "debug_connection" is configured with a domain name, only the first
resolved address was used.  Now all addresses will be used.
2012-07-24 17:40:06 +00:00
Ruslan Ermilov
1efcca36cc Fixed compilation with -Wmissing-prototypes. 2012-07-24 15:09:54 +00:00
Maxim Dounin
9d5f5a0c76 Win32: fixed cpu hog after process startup failure.
If ngx_spawn_process() failed while starting a process, the process
handle was closed but left non-NULL in the ngx_processes[] array.
The handle later was used in WaitForMultipleObjects() (if there
were multiple worker processes configured and at least one worker
process was started successfully), resulting in infinite loop.

Reported by Ricardo V G:
http://mailman.nginx.org/pipermail/nginx-devel/2012-July/002494.html
2012-07-23 16:37:24 +00:00
Ruslan Ermilov
54ab41f27b Fixed debugging messages to account that limit_zone was renamed to limit_conn. 2012-07-20 08:21:59 +00:00
Ruslan Ermilov
1fd21c48bb Fixed sorting of listen addresses so that wildcard address is always at
the end (closes #187).  Failure to do so could result in several listen
sockets to be created instead of only one listening on wildcard address.

Reported by Roman Odaisky.
2012-07-17 04:47:34 +00:00
Ruslan Ermilov
e30a8f90fc Version bump. 2012-07-17 04:42:38 +00:00
Maxim Dounin
e3acbc6bbb Entity tags: empty etags handling in If-Range.
Entity tag may be of length 2 as per RFC 2616, i.e. double quotes only.
Pointed out by Ruslan Ermilov.
2012-07-09 17:04:37 +00:00
Maxim Dounin
1b77858ac5 Entity tags: the "etag" directive.
It allows to disable generation of nginx's own entity tags, while
still handling ETags in cache properly.  This may be useful e.g.
if one want to serve static files from servers with different ETag
generation algorithms.
2012-07-09 14:53:42 +00:00
Maxim Dounin
eb7c38a49a Entity tags: set for static respones. 2012-07-09 00:13:06 +00:00
Maxim Dounin
8b00c87c38 Entity tags: handling in add_header.
Notably this allows to clear ETag if one want to for some reason.
2012-07-07 21:24:01 +00:00
Maxim Dounin
c96c4196f3 Entity tags: clear on entity changes. 2012-07-07 21:22:27 +00:00
Maxim Dounin
9c17e4cb66 Entity tags: support in If-Range header. 2012-07-07 21:21:15 +00:00
Maxim Dounin
13eb6898aa Entity tags: basic support in not modified filter.
This includes handling of ETag headers (if present in a response) with
basic support for If-Match, If-None-Match conditionals in not modified
filter.

Note that the "r->headers_out.last_modified_time == -1" check in the not
modified filter is left as is intentionally.  It's to prevent handling
of If-* headers in case of proxy without cache (much like currently
done with If-Modified-Since).
2012-07-07 21:20:27 +00:00
Maxim Dounin
a9456d55ab Not modified filter: tests separated from actions.
This makes code more extendable.  The only functional change is when
If-Modified-Since and If-Unmodified-Since are specified together, the
case which is explicitly left undefined by RFC 2616.  The new behaviour
is to respect them both, which seems better.
2012-07-07 21:18:30 +00:00
Maxim Dounin
4199620461 Added Last-Modified parsing in add_header.
This allows to use last modified time set in If-Range checks.  Code
simplified to improve readability.
2012-07-07 21:16:51 +00:00
Maxim Dounin
63d7ab16ff Fixed If-Range with unknown last modified time.
If modification time isn't known, skip range processing and return full
entity body instead of just ignoring If-Range.  Ignoring If-Range isn't
safe as client will assume entity wasn't changed since time specified.
2012-07-07 21:16:21 +00:00
Andrey Belov
3d87bcf9ae Corrected $request_length calculation for pipelined requests. 2012-07-06 04:27:06 +00:00
Ruslan Ermilov
bbfc96c703 Fixed typo in a function name. 2012-07-03 13:06:40 +00:00
Ruslan Ermilov
2219c566d7 Made sure to initialize the entire "struct flock" allocated on stack. 2012-07-03 13:05:18 +00:00
Maxim Dounin
3484e6d21c Reset r->uri_changed in a named location (ticket #184). 2012-07-03 11:30:05 +00:00
Ruslan Ermilov
f9c03b49eb map: strip final dot before looking up in a map of hostnames.
(closes #182)
2012-06-29 20:33:26 +00:00
Ruslan Ermilov
56cb80834c Version bump. 2012-06-29 11:03:01 +00:00
Maxim Dounin
a83578384c Mp4: fixed build on win32 after r4689. 2012-06-26 12:31:40 +00:00
Maxim Dounin
c6d5225e5b Style. 2012-06-25 18:09:38 +00:00
Ruslan Ermilov
8c861f06c8 Fixed a harmless error in spelling of "Connection: close" when computing
the response header length.
2012-06-25 13:08:25 +00:00
Ruslan Ermilov
42444811b9 Fixed compile-time conditionals used to detect if X-Forwarded-For support
is needed.
2012-06-21 11:02:22 +00:00
Igor Sysoev
992a4d11da Disabled gzip compression in OpenSSL prior to 1.0.0 version.
This saves about 522K per connection.
2012-06-20 12:55:28 +00:00
Ruslan Ermilov
36a931aba6 Added IPv6 support to ip_hash. 2012-06-19 12:36:54 +00:00
Maxim Dounin
29844cd55c Upstream keepalive: "single" parameter deprecated.
The original idea was to optimize edge cases in case of interchangeable
backends, i.e. don't establish a new connection if we have any one
cached.  This causes more harm than good though, as it screws up
underlying balancer's idea about backends used and may result in
various unexpected problems.
2012-06-18 14:23:42 +00:00
Maxim Dounin
91c654debc Fixed return type of ngx_strerror_init(). 2012-06-18 14:12:03 +00:00
Maxim Dounin
97f7bf25c9 Fixed "sendmsg() failed" alerts on HP-UX.
HP-UX needs _HPUX_ALT_XOPEN_SOCKET_API to be defined to be able to
use various POSIX versions of networking functions.  Notably sendmsg()
resulted in "sendmsg() failed (9: Bad file number)" alerts without it.

See xopen_networking(7) for more details.
2012-06-18 14:11:29 +00:00
Maxim Dounin
a769c530ff Fixed segfault with poll and resolver used.
Poll event method needs ngx_cycle->files to work, and use of ngx_exit_cycle
without files set caused null pointer dereference in resolver's cleanup
on udp socket close.
2012-06-18 14:10:50 +00:00
Maxim Dounin
40a366c5a8 Fixed handling of conflicting wildcard server names.
With previous code wildcard names were added to hash even if conflict
was detected.  This resulted in identical names in hash and segfault
later in ngx_hash_wildcard_init().
2012-06-18 14:06:00 +00:00
Maxim Dounin
859dc4ce01 Mp4: fixed streaming if moov atom is at buffer edge. 2012-06-18 14:02:20 +00:00
Maxim Dounin
e1e2e2eb3a Mp4: fixed non-keyframe seeks in some cases (ticket #175).
Number of entries in stsc atom was wrong if we've added an entry to
split a chunk.

Additionally, there is no need to add an entry if we are going to split
last chunk in an entry, it's enough to update the entry we already have.
Previously new entry was added and old one was left as is, resulting in
incorrect entry with zero chunks which might confuse some software.
2012-06-18 14:01:18 +00:00
Andrey Belov
0cf52376fb Style fix. 2012-06-18 13:51:20 +00:00
Andrey Belov
e91b210b56 New core variable: $status.
Contains response status code as a 3-digit integer
(with leading zeroes if necessary), or one of the following values:

    000 - response status code has not yet been assigned
    009 - HTTP/0.9 request is being processed
2012-06-18 13:43:44 +00:00
Ruslan Ermilov
2c49af818b When "resolver" is configured with a domain name, only the first
resolved address was used.  Now all addresses will be used.
2012-06-18 12:46:05 +00:00
Ruslan Ermilov
da8bb22634 Fixed crash in ngx_resolver_cleanup_tree().
If sending a DNS request fails with an error (e.g., when mistakenly trying
to send it to a local IP broadcast), such a request is not deleted if there
are clients waiting on it.  However, it was still erroneously removed from
the queue.  Later ngx_resolver_cleanup_tree() attempted to remove it from
the queue again that resulted in a NULL pointer dereference.
2012-06-18 12:30:45 +00:00
Ruslan Ermilov
b9feaa8dd9 Version bump. 2012-06-18 11:07:44 +00:00
Ruslan Ermilov
d4353c6fd3 Fixed spelling of "endianness", and called it "byte ordering" in the
user visible part.
2012-06-08 09:41:55 +00:00
Maxim Dounin
0d7720ddc0 Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".

For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
2012-06-05 13:38:27 +00:00
Maxim Dounin
f83598a359 Win32: normalization of trailing dot inside uri.
Windows treats "/directory./" identical to "/directory/".  Do the same
when working on Windows.  Note that the behaviour is different from one
with last path component (where multiple spaces and dots are ignored by
Windows).
2012-06-05 13:37:29 +00:00
Maxim Dounin
db80a7adfc Win32: disallowed access to various non-canonical name variants.
This includes trailings dots and spaces, NTFS streams (and short names, as
previously checked).  The checks are now also done in ngx_file_info(), thus
allowing to use the "try_files" directive to protect external scripts.
2012-06-05 13:36:09 +00:00
Ruslan Ermilov
ac7f704931 Support for IPv6 literals and an optional port in resolver. 2012-06-04 14:23:27 +00:00
Maxim Dounin
596226f6f7 Support for IPv6 literals in proxy_pass and so on. 2012-06-04 14:07:34 +00:00
Maxim Dounin
4888969baa Upstream: least_conn compilation fixes.
Removed duplicate call of ngx_http_upstream_init_round_robin_peer()
overlooked during code changes.  Rewritten "return lcp->free_rr_peer(...)"
as MSVC doesn't like it.
2012-06-04 00:00:28 +00:00
Maxim Dounin
1ba6ecd4f3 Upstream: weights support in ip_hash balancer. 2012-06-03 23:22:41 +00:00
Maxim Dounin
4cb4e8d179 Upstream: least_conn balancer module. 2012-06-03 23:21:26 +00:00
Maxim Dounin
01f1e4d1dc Resolver: fixed format specification.
Patch by Yichun Zhang (agentzh).
2012-06-03 23:18:24 +00:00
Ruslan Ermilov
887f514e9f Code reduction (no functional changes). 2012-06-01 11:35:09 +00:00
Valentin Bartenev
2195eb554b Removed mistaken setting of NGX_SSL_BUFFERED flag in ngx_ssl_send_chain()
if SSL buffer is not used.
2012-05-30 12:43:27 +00:00
Valentin Bartenev
d8ec4910ce Fixed returned value handling from the cookie rewrite handler.
If the "proxy_cookie_domain" or "proxy_cookie_path" directive is used and there
are no matches in Set-Cookie header then ngx_http_proxy_rewrite_cookie() returns
NGX_DECLINED to indicate that the header was not rewritten. Returning this value
further from the upstream headers copy handler resulted in 500 error response.

See here for report:
http://mailman.nginx.org/pipermail/nginx/2012-May/033858.html
2012-05-30 12:30:03 +00:00
Ruslan Ermilov
94d8df6098 geoip: got rid of ugly casts when calling ngx_free().
This is done by removing the "const" qualifier from the common return
type of handler functions returning either "const char *" or "char *".
2012-05-29 09:19:51 +00:00
Ruslan Ermilov
49fbd88466 Fixed broken build. 2012-05-28 14:20:04 +00:00
Ruslan Ermilov
9fbd0d7c1d Fixed memory leak if $geoip_org variable was used.
Patch by Denis F. Latypoff (slightly modified).
2012-05-28 13:17:48 +00:00
Ruslan Ermilov
526fd681b5 Fixed the reuse of parsed DTDs and XSLTs.
Patch by Kuramoto Eiji.
2012-05-24 07:35:12 +00:00
Maxim Dounin
e1133ca60e Fixed compilation with -DNGX_DEBUG_MALLOC on FreeBSD 10.
After jemalloc 3.0.0 import there is no _malloc_options symbol, it has
been replaced with the malloc_conf one with a different syntax.
2012-05-23 15:07:01 +00:00
Maxim Dounin
a272b2da28 Fixed warning during nginx.xs compilation. 2012-05-23 10:36:12 +00:00
Ruslan Ermilov
d2e005c39d Fixed potential null pointer dereference in ngx_resolver_create().
While here, improved error message.
2012-05-22 13:12:14 +00:00
Ruslan Ermilov
d230df40b2 Removed historical and now redundant syntax pre-checks in ngx_parse_url(). 2012-05-21 10:55:10 +00:00
Maxim Dounin
34229e9d4d Fixed core variables dynamic access after reconfiguration.
If variable was indexed in previous configuration but not in current
one, the NGX_HTTP_VAR_INDEXED flag was left set and confused
ngx_http_get_variable().

Patch by Yichun Zhang (agentzh), slightly modified.
2012-05-17 18:10:34 +00:00
Maxim Dounin
d2143f11cb Fixed segfault with filter_finalize introduced in r4621 (1.3.0).
Example configuration to reproduce:

    location /image/ {
        error_page 415 = /zero;
        image_filter crop 100 100;
        proxy_pass http://127.0.0.1:8080;
        proxy_store on;
    }

    location /zero {
        return 204;
    }

The problem appeared if upstream returned (big enough) non-image file,
causing 415 to be generated by image filter.
2012-05-17 17:41:40 +00:00
Valentin Bartenev
1c168c7875 Fixed the ngx_regex.h header file compatibility with C++. 2012-05-17 13:47:04 +00:00
Ruslan Ermilov
1b4397443f Zero padded the returned and logged HTTP status code, and fixed possible
buffer overrun in $status handling.
2012-05-16 13:27:04 +00:00
Ruslan Ermilov
befc111d4f Capped the status code that may be returned with "return" and "try_files". 2012-05-16 13:22:03 +00:00
Ruslan Ermilov
10c205a1b3 Added syntax checking of the second parameter of the "split_clients" directive. 2012-05-16 13:14:53 +00:00
Ruslan Ermilov
6888516b2b Version bump. 2012-05-16 13:09:39 +00:00
Ruslan Ermilov
e3bb319e34 Fixed win32 build after changes in r4624. 2012-05-15 08:10:59 +00:00
Valentin Bartenev
0215fcc9b8 Update c->sent in ngx_ssl_send_chain() even if SSL buffer is not used. 2012-05-14 16:30:33 +00:00
Ruslan Ermilov
9a79c3431a Reverted previous attempt to fix complation warning introduced in
r4624 and actually fixed it.
2012-05-14 15:52:37 +00:00
Ruslan Ermilov
d4ba06c31a geoip: trusted proxies support and partial IPv6 support.
The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module.  Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive.  IPv6 is
partially supported: proxies may be specified with IPv6 addresses.

Example:
    geoip_country .../GeoIP.dat;
    geoip_proxy 127.0.0.1;
    geoip_proxy ::1;
    geoip_proxy 10.0.0.0/8;
    geoip_proxy_recursive on;
2012-05-14 14:00:17 +00:00
Ruslan Ermilov
69521ddebf geo: chains of trusted proxies and partial IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "proxy_recursive"
directive in the "geo" block.  It also gets partial IPv6 support:
now proxies may be specified with IPv6 addresses.

Example:
    geo $test {
        ...
        proxy 127.0.0.1;
        proxy ::1;
        proxy_recursive;
    }

There's also a slight change in behavior.  When original client
address (as specified by the "geo" directive) is one of the
trusted proxies, and the value of the X-Forwarded-For request
header cannot not be parsed as a valid address, an original client
address will be used for lookup.  Previously, 255.255.255.255 was
used in this case.
2012-05-14 13:53:22 +00:00
Ruslan Ermilov
11a8e26d29 Fixed compilation warning introduced in r4624. 2012-05-14 13:15:22 +00:00
Ruslan Ermilov
7627530b50 realip: chains of trusted proxies and IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2).  It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.

Example:
    real_ip_header X-Forwarded-For;
    set_real_ip_from 127.0.0.0/8;
    set_real_ip_from ::1;
    set_real_ip_from unix:;
    real_ip_recursive on;
2012-05-14 12:41:03 +00:00
Ruslan Ermilov
8e5dc474e5 New function ngx_http_get_forwarded_addr() to look up real client address.
On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search.  On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED.  It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.
2012-05-14 12:27:41 +00:00
Maxim Dounin
4d5759e098 Upstream: fixed ip_hash rebalancing with the "down" flag.
Due to weight being set to 0 for down peers, order of peers after sorting
wasn't the same as without the "down" flag (with down peers at the end),
resulting in client rebalancing for clients on other servers.  The only
rebalancing which should happen after adding "down" to a server is one
for clients on the server.

The problem was introduced in r1377 (which fixed endless loop by setting
weight to 0 for down servers).  The loop is no longer possible with new
smooth algorithm, so preserving original weight is safe.
2012-05-14 09:58:07 +00:00
Maxim Dounin
52327e0627 Upstream: smooth weighted round-robin balancing.
For edge case weights like { 5, 1, 1 } we now produce { a, a, b, a, c, a, a }
sequence instead of { c, b, a, a, a, a, a } produced previously.

Algorithm is as follows: on each peer selection we increase current_weight
of each eligible peer by its weight, select peer with greatest current_weight
and reduce its current_weight by total number of weight points distributed
among peers.

In case of { 5, 1, 1 } weights this gives the following sequence of
current_weight's:

     a  b  c
     0  0  0  (initial state)

     5  1  1  (a selected)
    -2  1  1

     3  2  2  (a selected)
    -4  2  2

     1  3  3  (b selected)
     1 -4  3

     6 -3  4  (a selected)
    -1 -3  4

     4 -2  5  (c selected)
     4 -2 -2

     9 -1 -1  (a selected)
     2 -1 -1

     7  0  0  (a selected)
     0  0  0

To preserve weight reduction in case of failures the effective_weight
variable was introduced, which usually matches peer's weight, but is
reduced temporarily on peer failures.

This change also fixes loop with backup servers and proxy_next_upstream
http_404 (ticket #47), and skipping alive upstreams in some cases if there
are multiple dead ones (ticket #64).
2012-05-14 09:57:20 +00:00
Maxim Dounin
e302ed6fc3 Fixed possible request hang with filter finalization.
With r->filter_finalize set the ngx_http_finalize_connection() wasn't
called from ngx_http_finalize_request() called with NGX_OK, resulting in
r->main->count not being decremented, thus causing request hang in some
rare situations.

See here for more details:
http://mailman.nginx.org/pipermail/nginx-devel/2012-May/002190.html

Patch by Yichun Zhang (agentzh).
2012-05-14 09:48:05 +00:00
Maxim Dounin
7d863c0181 Resolver: protection from duplicate responses.
If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname
set), and got additional response with A record, it resulted in rn->cnlen
set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing
segmentation fault later in ngx_resolver_free_node() on an attempt to free
overwritten rn->u.cname.  The opposite (i.e. CNAME got after A) might cause
similar problems as well.
2012-05-14 09:13:45 +00:00
Maxim Dounin
0e3b423dc6 Accept moderation in case of EMFILE/ENFILE.
In case of EMFILE/ENFILE returned from accept() we disable accept events,
and (in case of no accept mutex used) arm timer to re-enable them later.
With accept mutex we just drop it, and rely on normal accept mutex handling
to re-enable accept events once it's acquired again.

As we now handle errors in question, logging level was changed to "crit"
(instead of "alert" used for unknown errors).

Note: the code might call ngx_enable_accept_events() multiple times if
there are many listen sockets.  The ngx_enable_accept_events() function was
modified to check if connection is already active (via c->read->active) and
skip it then, thus making multiple calls safe.
2012-05-11 13:33:06 +00:00
Maxim Dounin
74d939974d Rewrite: fixed escaping and possible segfault (ticket #162).
The following code resulted in incorrect escaping of uri and possible
segfault:

    location / {
        rewrite ^(.*) $1?c=$1;
        return 200 "$uri";
    }

If there were arguments in a rewrite's replacement string, and length was
actually calculated (due to duplicate captures as in the example above,
or variables present), the is_args flag was set and incorrectly copied
after length calculation.  This resulted in escaping applied to the uri part
of the replacement, resulting in incorrect escaping.  Additionally, buffer
was allocated without escaping expected, thus this also resulted in buffer
overrun and possible segfault.
2012-05-11 13:19:22 +00:00
Maxim Dounin
9114f08863 Fastcgi: fixed padding handling on fixed-size records.
Padding was incorrectly ignored on end request, empty stdout and stderr
fastcgi records.  This resulted in protocol desynchronization if fastcgi
application used these records with padding for some reason.

Reported by Ilia Vinokurov.
2012-05-11 13:14:58 +00:00
Maxim Dounin
b34f84d8de Added r->state reset on fastcgi/scgi/uwsgi request start.
Failing to do so results in problems if 400 or 414 requests are
redirected to fastcgi/scgi/uwsgi upstream, as well as after invalid
headers got from upstream.  This was already fixed for proxy in r3478,
but fastcgi (the only affected protocol at that time) was missed.

Reported by Matthieu Tourne.
2012-05-11 13:09:24 +00:00
Maxim Dounin
e0e1c4567c Added write event handler reset in ngx_http_named_location().
On internal redirects this happens via ngx_http_handler() call, which is
not called on named location redirect.  As a result incorrect write handler
remained (if previously set) and this might cause incorrect behaviour (likely
request hang).

Patch by Yichun Zhang (agentzh).
2012-05-04 11:35:22 +00:00
Ruslan Ermilov
700364f62d debug_connection: added the IPv6 and UNIX-domain socket support. 2012-04-29 22:02:18 +00:00
Valentin Bartenev
a0025f2d81 Removed surplus condition. 2012-04-27 10:48:42 +00:00
Andrey Belov
eeec229e3e Allows particular modules to handle subrequests properly. 2012-04-26 13:06:27 +00:00
Ruslan Ermilov
487ba70126 Fixed segmentation fault in ngx_resolver_create_name_query().
If name passed for resolution was { 0, NULL } (e.g. as a result
of name server returning CNAME pointing to ".") pointer wrapped
to (void *) -1 resulting in segmentation fault on an attempt to
dereference it.

Reported by Lanshun Zhou.
2012-04-26 12:58:42 +00:00
Maxim Dounin
6ad02389c3 Version bump. 2012-04-26 11:20:29 +00:00
Maxim Dounin
d68dd358e1 Version bump. 2012-04-23 12:54:14 +00:00
Igor Sysoev
c7bb66a9a3 Fix of "%f" format handling.
ngx_sprintf("%.2f", 0.999) incorrectly resulted in "0.100" instead of "1.00".
2012-04-23 11:11:32 +00:00
Maxim Dounin
c7bb162ffe Proxy: added ctx checking to input filters.
The proxy module context may be NULL in case of filter finalization
(e.g. by image_filter) followed by an internal redirect.  This needs
some better handling, but for now just check if ctx is still here.
2012-04-23 10:40:01 +00:00
Maxim Dounin
8b89c882ce Image filter: compare aspect ratio more accurately during crop.
Previously used fixed-point calculation caused wrong code path selection
in some cases, resulting in incorrect image size.

See here for report:
http://mailman.nginx.org/pipermail/nginx-devel/2012-April/002123.html
2012-04-21 19:02:21 +00:00
Maxim Dounin
e8fe3ce098 Fixed segfault with try_files (ticket #152).
The problem occured if first uri in try_files was shorter than request uri,
resulting in reserve being 0 and hence allocation skipped.  The bug was
introduced in r4584 (1.1.19).
2012-04-19 15:48:03 +00:00
Maxim Dounin
a73ce28e0a Fixed master exit if there is no events section (ticket #150).
Instead of checking if there is events{} section present in configuration
in init_module handler we now do the same in init_conf handler.  This
allows master process to detect incorrect configuration early and
reject it.
2012-04-18 14:47:10 +00:00
Ruslan Ermilov
e9a7f4f5f6 Don't silently ignore the last line of configuration file that
consists solely of one unterminated token (inspired by #150).
2012-04-18 13:30:43 +00:00
Maxim Dounin
0abb0bce5f Fixed ngx_readv_chain() to honor IOV_MAX (ticket #14).
Not using full chain passed is ok as consumers are expected to check
event's ready flag to determine if another call is needed, not the
returned size.
2012-04-17 09:13:58 +00:00
Maxim Dounin
578c02f3a1 IOV_MAX handling microoptimization.
We now stop on IOV_MAX iovec entries only if we are going to add new one,
i.e. next buffer can't be coalesced into last iovec.

This also fixes incorrect checks for trailer creation on FreeBSD and
Mac OS X, header.nelts was checked instead of trailer.nelts.
2012-04-17 09:13:15 +00:00
Maxim Dounin
96d73e291f Fixed loop in ngx_writev_chain() and ngx_solaris_sendfilev_chain().
The "complete" flag wasn't cleared on loop iteration start, resulting in
broken behaviour if there were more than IOV_MAX buffers and first
iteration was fully completed (and hence the "complete" flag was set
to 1).
2012-04-17 09:10:50 +00:00
Maxim Dounin
9e2f86cfc0 Fixed log->action after ssl handshake. 2012-04-16 13:05:20 +00:00
Ruslan Ermilov
43d2b1c045 Fixed grammar in error messages. 2012-04-12 19:35:41 +00:00
Maxim Dounin
e6724ebe54 Version bump. 2012-04-12 16:34:59 +00:00
Maxim Dounin
7ae525bd90 Mp4: sanity checks cleanup. 2012-04-12 12:18:14 +00:00
Ruslan Ermilov
3995395dcb Reduced the number of lines of code in ngx_inet_addr(). 2012-04-12 10:20:33 +00:00
Ruslan Ermilov
3f25e12517 Fixed buffer overflow when long URI is processed by "try_files" in
regex location with "alias" (fixes ticket #135).
2012-04-12 09:19:14 +00:00
Ruslan Ermilov
a5bb616af4 Improved readability of the code that produces bitmask from prefix.
In collaboration with Maxim Dounin.
2012-04-11 17:18:15 +00:00
Ruslan Ermilov
62b937b333 Fixed directives inheritance. 2012-04-11 09:56:30 +00:00
Maxim Dounin
b9c226abe0 Access module: fixed inheritance of allow/deny ipv6 rules.
Previous (incorrect) behaviour was to inherit ipv6 rules separately from
ipv4 ones.  Now all rules are either inherited (if there are no rules
defined at current level) or not (if there are any rules defined).
2012-04-10 13:25:53 +00:00
Igor Sysoev
3ef52765c8 Fixed debug logging. 2012-04-10 11:28:59 +00:00
Igor Sysoev
654a56e06a Fixed previous commit. 2012-04-10 11:27:43 +00:00
Igor Sysoev
cbc51bb295 Fixed mp4 module seek. 2012-04-10 11:21:47 +00:00
Maxim Dounin
baa239c487 Fixed signed integer overflows in timer code (ticket #145).
Integer overflow is undefined behaviour in C and this indeed caused
problems on Solaris/SPARC (at least in some cases).  Fix is to
subtract unsigned integers instead, and then cast result to a signed
one, which is implementation-defined behaviour and used to work.

Strictly speaking, we should compare (unsigned) result with the maximum
value of the corresponding signed integer type instead, this will be
defined behaviour.  This will require much more changes though, and
considered to be overkill for now.
2012-04-06 23:46:09 +00:00
Andrey Belov
bd6d421816 Comment fixed. 2012-04-05 19:49:34 +00:00
Maxim Konovalov
13d5d85861 Style: the function type should be on a line by itself
preceding the function.  No functional changes.
2012-04-05 15:32:43 +00:00
Ruslan Ermilov
bffbbeb73f In ngx_ptocidr(), check that the supplied prefix length is within
the allowed range.
2012-04-03 08:22:00 +00:00
Ruslan Ermilov
47a04aaa27 Fixed spelling in multiline C comments. 2012-04-03 07:37:31 +00:00
Maxim Dounin
7744472c8e Win32: improved ngx_mutex_init() stub (ticket #138).
This allows to run nginx with "master_process off" under Windows.
2012-04-02 21:31:45 +00:00
Maxim Dounin
9063bc8713 Win32: fixed memory allocation for shmem name (ticket #134). 2012-04-02 21:30:58 +00:00
Maxim Dounin
a5d4f66ad6 Upstream: reject upstreams without normal servers.
Such upstreams cause CPU hog later in the code as number of peers isn't
expected to be 0.  Currently this may happen either if there are only backup
servers defined in an upstream block, or if server with ipv6 address used
in an upstream block.
2012-04-02 21:29:35 +00:00
Maxim Dounin
525e1f75e4 Version bump. 2012-04-02 21:28:31 +00:00
Ruslan Ermilov
b4ab3ddf9d Corrected spelling of error message (ticket #136). 2012-03-29 19:47:27 +00:00
Maxim Dounin
889ad51f17 Fixed win32 build after realpath changes in r4559. 2012-03-28 13:04:39 +00:00
Ruslan Ermilov
feda353cb3 Replaced ngx_http_realip_from_t with ngx_in_cidr_t. 2012-03-28 09:29:09 +00:00
Ruslan Ermilov
52fcfd042e Fixed calculation of range boundaries. 2012-03-28 06:50:23 +00:00
Maxim Dounin
5d5c866bee Xslt: parser options now set with xmlCtxtUseOptions().
Note that "ctxt->loadsubset = 1" previously used isn't really correct as
ctxt->loadsubset is a bitfield now.  The use of xmlCtxtUseOptions() with
XML_PARSE_DTDLOAD is believed to be a better way to do the same thing.

Patch by Laurence Rowe.
2012-03-28 01:56:49 +00:00
Maxim Dounin
36aef0c383 Fixed unconditional MAX_PATH usage (ticket #22).
POSIX doesn't require it to be defined, and Debian GNU/Hurd doesn't define
it.  Note that if there is no MAX_PATH defined we have to use realpath()
with NULL argument and free() the result.
2012-03-27 16:42:34 +00:00
Maxim Dounin
7b2b17a6b3 Added explicit include of time.h.
Most of the systems have it included due to namespace pollution, but
relying on this is a bad idea.  Explicit include is required for at least
Debian GNU/Hurd.
2012-03-27 16:37:43 +00:00
Maxim Dounin
e34ff16f67 Resolver: added missing sanity checking when creating name queries.
Found by Veracode.
2012-03-22 11:57:18 +00:00
Maxim Dounin
8e6728ef13 Win32: added missing call to srand().
Found by Veracode.
2012-03-22 10:45:08 +00:00
Maxim Dounin
1aa5fbb1a8 Added xslt_param and xslt_string_param directives.
Based on patch by Samuel Behan.
2012-03-22 10:44:00 +00:00
Maxim Dounin
3333c6c7c8 Fixed off-by-one in xslt parameter parsing.
The problem was introduced in 0.7.44 (r2589) during conversion to complex
values.  Previously string.len included space for terminating NUL, but
with complex values it doesn't.
2012-03-22 10:43:33 +00:00
Maxim Dounin
ae11f08cad Restricted keepalive_disable safari to OS X only.
The problem doesn't affect non-Apple systems for sure, and many pretend
to be Safari now.

Prodded by Piotr Sikora.
2012-03-22 10:42:27 +00:00
Maxim Dounin
dc863179a3 Removed safari from keepalive_disable default.
The bug in question is likely already fixed (though unfortunately we have
no information available as Apple's bugtracker isn't open), and the
workaround seems to be too pessimistic for modern versions of Safari
as well as other webkit-based browsers pretending to be Safari.
2012-03-22 10:41:29 +00:00
Ruslan Ermilov
fbd32d4d19 worker_cpu_affinity: cleaned up Linux implementation, added FreeBSD support. 2012-03-21 13:58:51 +00:00
Ruslan Ermilov
d4b1e5f58b If we inserted "Last-Modified" in r->headers_out.headers, don't
forget to set the r->headers_out.last_modified pointer to it.
2012-03-21 07:35:43 +00:00
Ruslan Ermilov
89467caf43 Minor ngx_http_headers_filter_module.c code cleanup.
- Removed "hash" element from ngx_http_header_val_t which was always 1.
- Replaced NGX_HTTP_EXPIRES_* with ngx_http_expires_t enum type.
- Added prototype for ngx_http_add_header()
- Simplified ngx_http_set_last_modified().
2012-03-21 06:19:11 +00:00
Maxim Konovalov
acf6c79ac7 For the sake of case/switch code readability, 'fall through'
comments added.
2012-03-19 14:57:29 +00:00
Ruslan Ermilov
926ded6f4c Implemented $tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd, and
$tcpinfo_rcv_space variables.  Supported on Linux and FreeBSD.
2012-03-16 19:15:33 +00:00
Ruslan Ermilov
5d1d368cf4 Local variable "ngx_http_next_filter" renamed to "ngx_http_next_body_filter"
for consistency with other modules.
2012-03-15 20:08:58 +00:00
Ruslan Ermilov
849e3b09ae The "error_log" directive specified in the "http", "server", and
"location" sections now understands the special "stderr" parameter.
It was already treated specially when specified in the main section.
2012-03-15 20:04:50 +00:00
Ruslan Ermilov
091f6ffce6 Slight optimization in ngx_http_get_variable_index(). 2012-03-15 19:41:35 +00:00
Ruslan Ermilov
06733ae8cf - New variable: $connection_requests.
- While here, fixed format specifier for $connection.
2012-03-15 19:37:32 +00:00
Maxim Dounin
d694ff7798 Version bump. 2012-03-15 17:43:54 +00:00
Maxim Dounin
d1ed97b18b Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems.  They are now unconditionally rejected.
2012-03-15 11:27:57 +00:00
Maxim Dounin
eb526b7d7d Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.

Reported by Matthew Daley.
2012-03-15 11:27:12 +00:00
Maxim Dounin
030e235ec7 Fixed ssi and perl interaction.
Embedded perl module assumes there is a space for terminating NUL character,
make sure to provide it in all situations by allocating one extra byte for
value buffer.  Default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.

While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.

Reported by Matthew Daley.
2012-03-15 11:23:07 +00:00
Maxim Dounin
205394e6f9 Uwsgi: merged r->http_version fixes from scgi module.
Fixed incorrect use of r->http_version (r4372).  Removed duplicate function
declaration (r4373).  Removed error if there is no Status header (r4374).
2012-03-15 11:21:54 +00:00
Maxim Dounin
ee187436af Whitespace fixes. 2012-03-05 18:09:06 +00:00
Maxim Dounin
382499aa1f Version bump. 2012-03-05 18:06:15 +00:00
Maxim Dounin
a95c85e78a Raised simultaneous subrequest limit from 50 to 200.
It wasn't enforced for a long time, and there are reports that people
use up to 100 simultaneous subrequests now.  As this is a safety limit
to prevent loops, it's raised accordingly.
2012-02-28 14:54:23 +00:00
Maxim Dounin
db402276e1 Added msleep() on reload to allow new processes to start.
This is expected to ensure smoother operation on reload (and with less
chance of listen queue overflows).

Prodded by Igor Sysoev.
2012-02-28 11:40:18 +00:00
Ruslan Ermilov
b74f8ffce4 Fixed spelling in single-line comments. 2012-02-28 11:31:05 +00:00
Maxim Dounin
c66a1e7a17 Workaround for fs_size on ZFS (ticket #46).
ZFS reports incorrect st_blocks until file settles on disk, and this
may take a while (i.e. just after creation of a file the st_blocks value
is incorrect).  As a workaround we now use st_blocks only if
st_blocks * 512 > st_size, this should fix ZFS problems while still
preserving accuracy for other filesystems.

The problem had appeared in r3900 (1.0.1).
2012-02-28 11:09:02 +00:00
Maxim Dounin
7ca6c1ff78 Fix of rbtree lookup on hash collisions.
Previous code incorrectly assumed that nodes with identical keys are linked
together.  This might not be true after tree rebalance.

Patch by Lanshun Zhou.
2012-02-27 22:15:39 +00:00
Maxim Dounin
53d9677de4 Fixed null pointer dereference in resolver (ticket #91).
The cycle->new_log.file may not be set before config parsing finished if
there are no error_log directive defined at global level.  Fix is to
copy it after config parsing.

Patch by Roman Arutyunyan.
2012-02-27 16:57:02 +00:00
Valentin Bartenev
5c95f88503 Disable symlinks: added the "from=" parameter to the "disable_symlinks"
directive.
2012-02-27 16:54:10 +00:00