Commit Graph

5502 Commits

Author SHA1 Message Date
Roman Arutyunyan
2628cc11d4 Cache: proxy_cache_lock_age and friends.
Once this age is reached, the cache lock is discarded and another
request can acquire the lock.  Requests which failed to acquire
the lock are not allowed to cache the response.
2014-11-18 20:41:12 +03:00
Valentin Bartenev
20d41493d4 SPDY: fixed check for too long header name or value.
For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data.  One more byte is needed for null-termination
and another one for further progress.  Otherwise inflate() fails with
Z_BUF_ERROR.
2014-11-07 17:22:19 +03:00
Valentin Bartenev
42b6d57fb5 SPDY: improved debug logging of inflate() calls. 2014-11-07 17:19:12 +03:00
Maxim Dounin
1fd4cd0b96 SSL: logging level of "inappropriate fallback" (ticket #662).
Patch by Erik Dubbelboer.
2014-11-17 16:38:48 +03:00
Toshikuni Fukaya
d9f5baa0b8 Upstream: support named location for X-Accel-Redirect. 2014-11-04 19:56:23 +09:00
Piotr Sikora
a9d9b09103 Upstream: add "proxy_ssl_certificate" and friends.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-30 04:30:41 -07:00
Maxim Dounin
fb96936c1a SPDY: fixed "too long header line" logging.
This fixes possible one byte buffer overrun and makes sure ellipsis are
always added, see 21043ce2a005.
2014-11-07 17:38:55 +03:00
Maxim Dounin
e2bc3c11b2 Cache: removed dead store in ngx_http_file_cache_vary_header().
Found by Clang Static Analyzer.
2014-11-05 18:53:26 +03:00
Valentin Bartenev
f9b99baed3 Access log: cancel the flush timer on graceful shutdown.
Previously, it could prevent a worker process from exiting
for up to the configured flush timeout.
2014-08-25 13:41:31 +04:00
Valentin Bartenev
8b30fb7c97 Events: introduced cancelable timers. 2014-08-13 22:45:04 +04:00
Valentin Bartenev
16403bc7b1 Events: simplified cycle in ngx_event_expire_timers(). 2014-08-25 13:37:06 +04:00
Valentin Bartenev
246152c864 Events: removed broken thread support from event timers.
It's mostly dead code.  And the idea of thread support for this task has
been deprecated.
2014-08-25 13:34:39 +04:00
Sergey Kandaurov
33f5555940 SSL: simplified ssl_password_file error handling.
Instead of collecting a number of the possible SSL_CTX_use_PrivateKey_file()
error codes that becomes more and more difficult with the rising variety of
OpenSSL versions and its derivatives, just continue with the next password.

Multiple passwords in a single ssl_password_file feature was broken after
recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.

Reported by Piotr Sikora.
2014-10-24 04:28:00 -07:00
Piotr Sikora
54606d4625 SPDY: stop emitting multiple empty header values.
Previously, nginx would emit empty values in a header with multiple,
NULL-separated values.

This is forbidden by the SPDY specification, which requires headers to
have either a single (possibly empty) value or multiple, NULL-separated
non-empty values.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-27 14:25:56 -07:00
Valentin Bartenev
78dd8b5eda Version bump. 2014-10-28 21:58:49 +03:00
Kouhei Sutou
b3f9a94e6a Win32: made build-able with MinGW-w64 gcc. 2014-10-15 21:15:01 +09:00
Gu Feng
726c5726fb Upstream: limited next_upstream time and tries when resolving DNS.
When got multiple upstream IP addresses using DNS resolving, the number of
upstreams tries and the maxinum time spent for these tries were not affected.
This patch fixed it.
2014-10-27 19:52:03 +08:00
Roman Arutyunyan
cf1e4781a9 Write filter: stored delay in a variable, no functional changes.
The code is now similar to ngx_event_pipe_read_upstream().
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
18e4d042b0 Upstream: proxy_limit_rate and friends.
The directives limit the upstream read rate.  For example,
"proxy_limit_rate 42" limits proxy upstream read rate to
42 bytes per second.
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
0989d63f06 Core: added limit to recv_chain(). 2014-10-28 12:29:58 +03:00
Maxim Dounin
5f625b7df0 Cache: normalization of some Vary headers.
Spaces in Accept-Charset, Accept-Encoding, and Accept-Language headers
are now ignored.  As per syntax of these headers spaces can only appear
in places where they are optional.
2014-10-27 21:14:12 +03:00
Maxim Dounin
6255935e0f Cache: multiple variants of a resource now can be stored.
If a variant stored can't be used to respond to a request, the variant
hash is used as a secondary key.

Additionally, if we previously switched to a secondary key, while storing
a response to cache we check if the variant hash still apply.  If not, we
switch back to the original key, to handle cases when Vary changes.
2014-10-27 21:14:10 +03:00
Maxim Dounin
83f00adc9b Cache: c->reading flag introduced.
It replaces c->buf in checks in ngx_http_file_cache_open(), making it possible
to reopen the file without clearing c->buf.  No functional changes.
2014-10-27 21:14:07 +03:00
Maxim Dounin
1332e76b20 Cache: hash of Vary headers now stored in cache.
To cache responses with Vary, we now calculate hash of headers listed
in Vary, and return the response from cache only if new request headers
match.

As of now, only one variant of the same resource can be stored in cache.
2014-10-27 21:13:58 +03:00
Maxim Dounin
fc785b12a0 Cache: disable caching of responses with Vary (ticket #118).
The "proxy_ignore_header" directive now undersands the "Vary" parameter
to ignore the header as needed.
2014-10-27 21:13:39 +03:00
Maxim Dounin
97e618c556 Gzip, gunzip: flush busy buffers if any.
Previous code resulted in transfer stalls when client happened
to read all the data in buffers at once, while all gzip buffers
were exhausted (but ctx->nomem wasn't set).  Make sure to call
next body filter at least once per call if there are busy buffers.

Additionally, handling of calls with NULL chain was changed to follow
the same logic, i.e., next body filter is only called with NULL chain
if there are busy buffers.  This is expected to fix "output chain is empty"
alerts as reported by some users after c52a761a2029 (1.5.7).
2014-10-15 22:57:23 +04:00
Maxim Dounin
9369cf8df3 Style. 2014-10-14 20:19:36 +04:00
Roman Arutyunyan
2244a5e9cf Upstream: proxy_force_ranges and friends.
The directives enable byte ranges for both cached and uncached
responses regardless of backend headers.
2014-10-14 18:32:01 +04:00
Kouhei Sutou
8ae7751878 Win32: suppressed warnings by "-Werror=sign-compare". 2014-10-11 21:09:29 +09:00
Kouhei Sutou
3df66a632a Win32: fixed wrong type cast.
GetQueuedCompletionStatus() document on MSDN says the
following signature:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa364986.aspx

    BOOL WINAPI GetQueuedCompletionStatus(
      _In_   HANDLE CompletionPort,
      _Out_  LPDWORD lpNumberOfBytes,
      _Out_  PULONG_PTR lpCompletionKey,
      _Out_  LPOVERLAPPED *lpOverlapped,
      _In_   DWORD dwMilliseconds
    );

In the latest specification, the type of the third argument
(lpCompletionKey) is PULONG_PTR not LPDWORD.
2014-10-11 20:56:35 +09:00
Maxim Dounin
c01481a4cb Fixed possible buffer overrun in "too long header line" logging.
Additionally, ellipsis now always added to make it clear that
the header logged is incomplete.

Reported by Daniil Bondarev.
2014-10-08 17:16:04 +04:00
Yichun Zhang
52e4dc2f74 Core: fixed buffer overrun when hash max_size reached. 2014-10-02 12:00:17 -07:00
Piotr Sikora
4a2fba2d46 Upstream: fix $upstream_cache_last_modified variable.
Due to the u->headers_in.last_modified_time not being correctly initialized,
this variable was evaluated to "Thu, 01 Jan 1970 00:00:00 GMT" for responses
cached without the "Last-Modified" header which resulted in subsequent proxy
requests being sent with "If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT"
header.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-01 15:48:53 -07:00
Valentin Bartenev
840b347bb2 Fixed counting of sent bytes in the send chain functions on EINTR.
Previously, a value of the "send" variable wasn't properly adjusted
in a rare case when syscall was interrupted by a signal.  As a result,
these functions could send less data than the limit allows.
2014-08-27 20:51:01 +04:00
Valentin Bartenev
70995077ad Version bump. 2014-10-02 22:36:27 +04:00
Maxim Dounin
403a9efc0c Upstream keepalive: reset c->sent on cached connections.
The c->sent is reset to 0 on each request by server-side http code,
so do the same on client side.  This allows to count number of bytes
sent in a particular request.
2014-09-29 22:27:45 +04:00
Valentin Bartenev
c9fbbc8273 Limit req: reduced number of parameters in the lookup function.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
021a9df15b Limit req: use complex value in limit_req_zone.
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
with nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
98f7d0efb2 Limit conn: aligned field names in structures.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
dd1ae4348a Limit conn: use complex value in limit_conn_zone (ticket #121).
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
to nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
1866f15d7d Limit conn: removed deprecated "limit_zone" directive.
It's deprecated since 260d591cb6a3 (1.1.8).  The "limit_conn_zone" directive
should be used instead.
2014-09-24 21:55:19 +04:00
Vladimir Homutov
27fa3123f9 Syslog: improved error handling of unix domain sockets.
If a syslog daemon is restarted and the unix socket is used, further logging
might stop to work.  In case of send error, socket is closed, forcing
a reconnection at the next logging attempt.
2014-08-26 14:56:54 +04:00
Vladimir Homutov
d79cbf15e6 Syslog: enabled logging of send errors.
The ngx_cycle->log is used when sending the message.  This allows to log syslog
send errors in another log.

Logging to syslog after its cleanup handler has been executed was prohibited.
Previously, this was possible from ngx_destroy_pool(), which resulted in error
messages caused by attempts to write into the closed socket.

The "processing" flag is renamed to "busy" to better match its semantics.
2014-09-01 17:55:07 +04:00
Gu Feng
bba2ce8aae Avoided to add duplicate hash key in ngx_http_types_slot(). 2014-09-17 22:52:02 +08:00
Valentin Bartenev
840d205bac Removed duplicate initialization of the "rev" variable. 2014-09-22 19:48:23 +04:00
Valentin Bartenev
651be6067e Generalized definitions of the number of preallocated iovec's.
No functional changes.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
1cbeabfd4c Reduced difference between the send chain functions.
No functional changes.  This follows the change from ad137a80919f.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
0a02bdb249 Merged implementations of ngx_readv_chain().
There's no real need in two separate implementations,
with and without kqueue support.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
77d61350a4 Removed the "complete" variable from various send chain functions.
It was made redundant by the previous change, since the "sent" variable
is no longer modified.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
4aac91049f Moved the code for adjusting sent buffers in a separate function. 2014-08-13 15:11:45 +04:00
Valentin Bartenev
8b6f1c7bb0 Fixed writev() debug log message in ngx_darwin_sendfile_chain(). 2014-08-13 15:11:45 +04:00
Roman Arutyunyan
ba1676f267 Upstream: fixed file buffers reinit in ngx_http_upstream_reinit().
Previously, a file buffer start position was reset to the file start.
Now it's reset to the previous file buffer end.  This fixes
reinitialization of requests having multiple successive parts of a
single file.  Such requests are generated by fastcgi module.
2014-09-18 16:37:16 +04:00
Roman Arutyunyan
66876d0b09 FastCGI: fixed start pointers in request buffers.
The start pointers are used in ngx_http_upstream_reinit() to
reinit FastCGI requests.
2014-09-18 16:37:14 +04:00
Valentin Bartenev
a7798de9bd Limit req: don't truncate key value to 255 bytes.
While the module allows to use values up to 65535 bytes as a key,
that actually never worked properly.
2014-09-16 21:12:51 +04:00
Valentin Bartenev
681f74a9ba Version bump. 2014-09-17 12:04:47 +04:00
Maxim Dounin
6ec0f4d85b SSL: session id context now includes certificate hash.
This prevents inappropriate session reuse in unrelated server{}
blocks, while preserving ability to restore sessions on other servers
when using TLS Session Tickets.

Additionally, session context is now set even if there is no session cache
configured.  This is needed as it's also used for TLS Session Tickets.

Thanks to Antoine Delignat-Lavaud and Piotr Sikora.
2014-09-15 17:59:47 +04:00
Valentin Bartenev
152d92b4b7 Access log: fixed the "if=" parameter with buffering (ticket #625).
It might not work if there were more than one "access_log" directives
pointed to the same file and duplicate buffer parameters.
2014-09-13 21:47:13 +04:00
Roman Arutyunyan
02ce6c415f Upstream: limited next_upstream time and tries (ticket #544).
The new directives {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_tries
and {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_timeout limit
the number of upstreams tried and the maximum time spent for these tries
when searching for a valid upstream.
2014-09-12 18:50:47 +04:00
Roman Arutyunyan
cfc3db1972 Upstream: included backup peers into peer.tries.
Since peer.tries is never reset it can now be limited if required.
2014-09-12 18:50:46 +04:00
Maxim Dounin
4c7e1a8d85 Upstream keepalive: removed "single" parameter remnants.
The "single" parameter is deprecated and ignored since 5b5c07dee156 (1.3.2).
2014-09-11 20:09:04 +04:00
Maxim Dounin
3a235bf52e Added warning about unset cache keys.
In fastcgi, scgi and uwsgi modules there are no default cache keys, and
using a cache without a cache key set is likely meaningless.
2014-09-11 20:08:52 +04:00
Maxim Dounin
d7d26feba1 Style. 2014-09-11 20:08:45 +04:00
FengGu
b4cb8475b1 Upstream: avoided directly terminating the connection.
When memory allocation failed in ngx_http_upstream_cache(), the connection
would be terminated directly in ngx_http_upstream_init_request().
Return a INTERNAL_SERVER_ERROR response instead.
2014-08-13 14:53:55 +08:00
Maxim Dounin
cb8a0327ab Added ngx_init_setproctitle() return code check.
The ngx_init_setproctitle() function, as used on systems without
setproctitle(3), may fail due to memory allocation errors, and
therefore its return code needs to be checked.

Reported by Markus Linnala.
2014-09-08 21:36:09 +04:00
Maxim Dounin
90df702bf8 Fixed ETag memory allocation error handling.
The etag->hash must be set to 0 to avoid an empty ETag header being
returned with the 500 Internal Server Error page after the memory
allocation failure.

Reported by Markus Linnala.
2014-09-08 21:36:03 +04:00
Maxim Dounin
c5bee22d16 Core: ngx_regex_compile() error handling fixes.
Now we actually return NGX_ERROR on errors, and provide an error
string for memory allocation errors.

Reported by Markus Linnala.
2014-09-08 21:35:53 +04:00
Piotr Sikora
2af7181b3b SSL: guard use of all SSL options for bug workarounds.
Some of the OpenSSL forks (read: BoringSSL) started removing unused,
no longer necessary and/or not really working bug workarounds along
with the SSL options and defines for them.

Instead of fixing nginx build after each removal, be proactive
and guard use of all SSL options for bug workarounds.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-09-03 14:49:55 -07:00
Roman Arutyunyan
c0b3b9d6ca Upstream: suppressed the file cache slab allocator error messages.
The messages "ngx_slab_alloc() failed: no memory in cache keys zone"
from the file cache slab allocator are suppressed since the allocation
is likely to succeed after the forced expiration of cache nodes.
The second allocation failure is reported.
2014-09-05 18:14:59 +04:00
Valentin Bartenev
37d24e7e3b Events: processing of posted events changed from LIFO to FIFO.
In theory, this can provide a bit better distribution of latencies.

Also it simplifies the code, since ngx_queue_t is now used instead
of custom implementation.
2014-09-01 18:20:18 +04:00
Valentin Bartenev
2a81e05566 Events: removed broken thread support from posted events.
It's mostly dead code.  And the idea of thread support for this task has
been deprecated.
2014-09-01 18:20:03 +04:00
Valentin Bartenev
3ca3f609cb Mail: initialize the "signature" field of ngx_mail_session_t.
Currently it isn't used, but it can be suitable to distinguish
objects stored in c->data.
2014-09-01 17:50:59 +04:00
Ruslan Ermilov
be6175d49d Upstream: improved configuration parser diagnostics.
Made it clear when the selected balancing method does not
support certain parameters of the "server" directive.
2014-09-01 12:27:38 +04:00
Sergey Kandaurov
967c51c9ff Headers filter: "add_header" with "always" parameter (ticket #98).
If specified, the header field is set regardless of the status code.
2014-08-29 18:00:10 +04:00
Maxim Dounin
31c35adfe1 Variables: updated list of prefixes in ngx_http_rewrite_set(). 2014-08-27 21:38:08 +04:00
Maxim Dounin
8cf734c7b4 Variables: fixed non-indexed access of prefix vars (ticket #600).
Previously, a configuration like

    location / {
        ssi on;
        ssi_types *;
        set $http_foo "bar";
        return 200 '<!--#echo var="http_foo" -->\n';
    }

resulted in NULL pointer dereference in ngx_http_get_variable() as
the variable was explicitly added to the variables hash, but its
get_handler wasn't properly set in the hash.  Fix is to make sure
that get_handler is properly set by ngx_http_variables_init_vars().
2014-08-27 21:38:04 +04:00
Valentin Bartenev
dbcb16ff68 SPDY: added a comment about handling stream with the timer set. 2014-08-18 13:23:45 +04:00
Valentin Bartenev
c425f19daa SPDY: avoid setting timeout on stream events in ngx_http_writer().
The SPDY module doesn't expect timers can be set on stream events for reasons
other than delaying output.  But ngx_http_writer() could add timer on write
event if the delayed flag wasn't set and nginx is waiting for AIO completion.
That could cause delays in sending response over SPDY when file AIO was used.
2014-08-27 20:44:11 +04:00
Ruslan Ermilov
da46eed537 Resolver: notify all waiting requests on timeout.
If a "resolver_timeout" occurs, only the first waiting request
was notified.  Other requests may hang forever.
2014-08-19 15:43:26 +04:00
Ruslan Ermilov
8607e64b83 Stub status: corrected the "stub_status" directive.
The "stub_status" directive does not require an argument.
2014-08-26 17:35:23 +04:00
Valentin Bartenev
9fb2b9287d Sub filter: fixed matching for a single character. 2014-08-25 16:08:55 +04:00
Valentin Bartenev
c7efcf6ba6 Mail: fixed number of arguments allowed in the listen directive. 2014-08-20 13:13:27 +04:00
Valentin Bartenev
8575dc3516 Mail: fixed a comment.
There's no loc_conf in the mail module.
2014-08-20 13:13:27 +04:00
Roman Arutyunyan
a8227724c0 Mp4: use trak->smhd_size in ngx_http_mp4_read_smhd_atom().
Reported by Gang Li.
2014-08-19 14:13:39 +04:00
Sergey Kandaurov
3ed0e11d08 Image filter: downgrade strong etags to weak ones as needed. 2014-08-18 12:03:41 +04:00
Sergey Kandaurov
886ad0e9d3 Fixed typo. 2014-08-15 14:09:29 +04:00
Maxim Dounin
870b962382 Events: removed unused variable in ngx_poll_process_events(). 2014-08-10 17:44:46 +04:00
Yves Crespin
3c0c66c5d8 Events: format specifier fixes. 2014-08-07 15:04:43 +02:00
Yves Crespin
6a58555ca8 Events: changed nevents type to unsigned in poll module. 2014-08-07 14:56:57 +02:00
Tatsuhiko Kubo
12300c2a20 Style: use specified macro instead of magic-number. 2014-08-06 23:58:44 +09:00
Piotr Sikora
b3066b16e1 Perl: NULL-terminate argument list.
perl_parse() function expects argv/argc-style argument list,
which according to the C standard must be NULL-terminated,
that is: argv[argc] == NULL.

This change fixes a crash (SIGSEGV) that could happen because
of the buffer overrun during perl module initialization.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-19 04:16:36 -07:00
Maxim Dounin
8f0f4c10e9 Access log: allowed logs to syslog with "if=" (ticket #596). 2014-08-06 00:22:36 +04:00
Maxim Dounin
4b5876c922 Version bump. 2014-08-05 22:50:25 +04:00
Maxim Dounin
44f45a5466 Mail: discard pipelined commands after SMTP STARTTLS.
The bug had appeared in nginx 1.5.6 (04e43d03e153).

Reported by Chris Boulton.
2014-08-05 12:22:07 +04:00
Piotr Sikora
1fe0f6a9b9 Core: exit on ngx_pnalloc() failure.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-08-01 20:39:22 -07:00
Tatsuhiko Kubo
f240215ba6 Style: use ngx_free() instead of free(). 2014-08-03 03:27:39 +09:00
Tatsuhiko Kubo
244a6a28b1 Core: improved ngx_pstrdup() error handling. 2014-08-01 20:04:14 +09:00
Sergey Kandaurov
88132eed54 Status: indentation and style, no functional changes. 2014-08-01 18:36:35 +04:00
FengGu
bfa56738af Dav: ngx_http_map_uri_to_path() errors were not checked.
Once error occured, it could lead to use uninitialized variables to log,
even more segmentation fault.
2014-07-30 14:45:08 +08:00
Piotr Sikora
9ed633b930 SSL: let it build against LibreSSL.
LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0, so tests
for OpenSSL-1.0.2+ are now passing, even though the library doesn't
provide functions that are expected from that version of OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-30 04:32:16 -07:00
Piotr Sikora
0dcfca0301 SSL: let it build against BoringSSL.
This change adds support for using BoringSSL as a drop-in replacement
for OpenSSL without adding support for any of the BoringSSL-specific
features.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-30 04:32:15 -07:00
Piotr Sikora
a57394b3e9 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
This is really just a prerequisite for building against BoringSSL,
which doesn't provide either of those features.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-28 12:27:57 -07:00
Maxim Dounin
5958181b1e Bigger iovec buffer in ngx_readv_chain().
This helps to reduce likelyhood of memory allocations in ngx_readv_chain(),
which are known to lead to noticeable effects in some cases, see
http://mailman.nginx.org/pipermail/nginx/2014-July/044512.html.
2014-07-28 18:30:19 +04:00
Maxim Dounin
8639e17f94 SSL: misplaced space in debug message. 2014-07-28 18:30:18 +04:00
Maxim Dounin
4b2f12a604 Upstream: SSL handshake timeouts.
Timeout may not be set on an upstream connection when we call
ngx_ssl_handshake() in ngx_http_upstream_ssl_init_connection(),
so make sure to arm it if it's not set.

Based on a patch by Yichun Zhang.
2014-07-28 18:30:14 +04:00
Yichun Zhang
7b24c53efe GeoIP: not all variable fields were initialized.
The ngx_http_geoip_city_float_variable and
ngx_http_geoip_city_int_variable functions did not always initialize
all variable fields like "not_found", which could lead to empty values
for those corresponding nginx variables randomly.
2014-07-25 14:43:29 -07:00
Piotr Sikora
3ba8f2f73d Core: use uppercase hexadecimal digits for percent-encoding.
RFC3986 says that, for consistency, URI producers and normalizers
should use uppercase hexadecimal digits for all percent-encodings.

This is also what modern web browsers and other tools use.

Using lowercase hexadecimal digits makes it harder to interact with
those tools in case when use of the percent-encoded URI is required,
for example when $request_uri is part of the cache key.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-26 23:39:23 -07:00
Vladimir Homutov
c54899ddfd Core: fixed default log initialization.
The ngx_log_insert() function may invalidate pointer passed to it,
so make sure to don't use it after the ngx_log_insert() call.
2014-07-24 16:25:07 +04:00
Maxim Dounin
248baf4262 Upstream: ngx_http_upstream_store() error handling fixes.
Previously, ngx_http_map_uri_to_path() errors were not checked in
ngx_http_upstream_store().  Moreover, in case of errors temporary
files were not deleted, as u->store was set to 0, preventing cleanup
code in ngx_http_upstream_finalize_request() from removing them.  With
this patch, u->store is set to 0 only if there were no errors.

Reported by Feng Gu.
2014-07-18 20:11:40 +04:00
Maxim Dounin
88d9289f82 Reset of r->uri.len on URI parsing errors.
This ensures that debug logging and the $uri variable (if used in
400 Bad Request processing) will not try to access uninitialized
memory.

Found by Sergey Bobrov.
2014-07-18 20:02:11 +04:00
Ruslan Ermilov
7e52432a05 Resolver: fixed resend on malformed responses.
DNS request resend on malformed responses was broken in 98876ce2a7fd (1.5.8).

Reported by Pramod Korathota.
2014-07-16 10:21:28 +04:00
Piotr Sikora
79c55b2cca SSL: fix build with recent OpenSSL.
X509_check_host() prototype changed recently:
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ced3d91
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=297c67f

Bump version requirement, so that OpenSSL-1.0.2-beta1 uses fallback code.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-09 12:27:15 -07:00
Jianjun Zheng
584692027b Core: bugfix for the ngx_slab_max_size case. 2014-06-18 16:39:59 +08:00
Tatsuhiko Kubo
cc870236b2 Style: use ngx_str_set(). 2014-07-09 23:23:59 +09:00
Tatsuhiko Kubo
ef2b59699a Style: use ngx_str_null(). 2014-07-09 23:22:14 +09:00
Tatsuhiko Kubo
bb4edb5cef Style: use ngx_strlen() instead of strlen(). 2014-07-09 23:20:40 +09:00
Piotr Sikora
12ca9c9c8f SPDY: fix support for headers with multiple values.
Split SPDY header with multiple, NULL-separated values:

    cookie: foo\0bar

into two separate HTTP headers with the same name:

    cookie: foo
    cookie: bar

Even though the logic for this behavior already existed
in the source code, it doesn't look that it ever worked
and SPDY streams with such headers were simply rejected.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 02:17:44 -07:00
Piotr Sikora
ba95686741 Style: fix typo.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
a02ca8e173 Style: use ngx_memcpy() instead of memcpy().
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
a2229a4035 Style: keep return type and function name on different lines.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
2cfcef5b42 Style: remove whitespace between function name and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
7e7589e746 Style: add whitespace between control statement and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:13 -07:00
Piotr Sikora
d224ed7eea SSL: stop accessing SSL_SESSION's fields directly.
SSL_SESSION struct is internal part of the OpenSSL library and it's fields
should be accessed via API (when exposed), not directly.

The unfortunate side-effect of this change is that we're losing reference
count that used to be printed at the debug log level, but this seems to be
an acceptable trade-off.

Almost fixes build with -DOPENSSL_NO_SSL_INTERN.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:14 -07:00
Maxim Dounin
ce64398751 SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
The RSA_generate_key() is marked as deprecated and causes build to
fail.  On the other hand, replacement function, RSA_generate_key_ex(),
requires much more code.  Since RSA_generate_key() is only needed
for barely usable EXP ciphers, the #ifdef was added instead.

Prodded by Piotr Sikora.
2014-07-09 04:08:13 +04:00
Piotr Sikora
bd058b9d24 SSL: return temporary RSA key only when the key length matches.
This change is mostly cosmetic, because in practice this callback
is used only for 512-bit RSA keys.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:13 -07:00
Piotr Sikora
f0e05f3d89 SSL: include correct OpenSSL headers.
Previously, <bn.h>, <dh.h>, <rand.h> and <rsa.h> were pulled in
by <engine.h> using OpenSSL's deprecated interface, which meant
that nginx couldn't have been built with -DOPENSSL_NO_DEPRECATED.

Both <x509.h> and <x509v3.h> are pulled in by <ocsp.h>, but we're
calling X509 functions directly, so let's include those as well.

<crypto.h> is pulled in by virtually everything, but we're calling
CRYPTO_add() directly, so let's include it as well.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:13 -07:00
Maxim Dounin
098c6bd81f Version bump. 2014-07-09 03:15:00 +04:00
Maxim Dounin
11bbbc051b Win32: ngx_open_dir() and ngx_close_dir() fixes.
The ngx_open_dir() function changed to restore name passed to it.  This
fixes removing destination directory in dav module, as caught by dav.t.
The ngx_close_dir() function introduced to properly convert errors, as
FindClose() returns 0 on error.
2014-07-05 23:29:47 +04:00
Maxim Dounin
d9152910d3 SSL: logging level of "peer closed connection in SSL handshake".
Previously, the NGX_LOG_INFO level was used unconditionally.  This is
correct for client SSL connections, but too low for connections to
upstream servers.  To resolve this, ngx_connection_error() now used
to log this error, it will select logging level appropriately.

With this change, if an upstream connection is closed during SSL
handshake, it is now properly logged at "error" level.
2014-07-04 22:14:36 +04:00
Maxim Dounin
4a75e1a63c Upstream: p->downstream_error instead of closing connection.
Previously, nginx closed client connection in cases when a response body
from upstream was needed to be cached or stored but shouldn't be sent to
the client.  While this is normal for HTTP, it is unacceptable for SPDY.

Fix is to use instead the p->downstream_error flag to prevent nginx from
sending anything downstream.  To make this work, the event pipe code was
modified to properly cache empty responses with the flag set.
2014-07-04 20:47:16 +04:00
Valentin Bartenev
3c2b5e88ab Upstream: fixed handling of write event after sending request.
The ngx_http_upstream_dummy_handler() must be set regardless of
the read event state.  This prevents possible additional call of
ngx_http_upstream_send_request_handler().
2014-07-01 20:52:08 +04:00
Valentin Bartenev
9f8785ae5e SSL: the "ssl_password_file" directive. 2014-06-16 19:43:25 +04:00
Maxim Dounin
9d4de05be4 Core: removed meaningless check from ngx_palloc_block().
The check became meaningless after refactoring in 2a92804f4109.
With the loop currently in place, "current" can't be NULL, hence
the check can be dropped.

Additionally, the local variable "current" was removed to
simplify code, and pool->current now used directly instead.

Found by Coverity (CID 714236).
2014-06-26 03:34:19 +04:00
Maxim Dounin
25250a20d2 Fixed wrong sizeof() in ngx_http_init_locations().
There is no real difference on all known platforms, but it's still wrong.

Found by Coverity (CID 400876).
2014-06-26 03:34:13 +04:00
Maxim Dounin
1a5cdafa82 Core: plugged socket leak during configuration test.
This isn't really important as configuration testing shortly ends with
a process termination which will free all sockets, though Coverity
complains.

Prodded by Coverity (CID 400872).
2014-06-26 03:34:05 +04:00
Maxim Dounin
46ac5c760c Upstream: cache revalidation using If-None-Match. 2014-06-26 02:35:01 +04:00
Maxim Dounin
b812961677 Cache: ETag now saved into cache header. 2014-06-26 02:28:23 +04:00
Maxim Dounin
c2e49a4196 Cache: version in cache files.
This allows to change the structure of cache files without spamming logs
with false alerts.
2014-06-26 02:27:21 +04:00
Maxim Dounin
8f9fb9570e Entity tags: explicit flag to skip not modified filter.
Previously, last_modified_time was tested against -1 to check if the
not modified filter should be skipped.  Notably, this prevented nginx
from additional If-Modified-Since (et al.) checks on proxied responses.
Such behaviour is suboptimal in some cases though, as checks are always
skipped on responses from a cache with ETag only (without Last-Modified),
resulting in If-None-Match being ignored in such cases.  Additionally,
it was not possible to return 412 from the If-Unmodified-Since if last
modification time was not known for some reason.

This change introduces explicit r->disable_not_modified flag instead,
which is set by ngx_http_upstream_process_headers().
2014-06-26 02:27:11 +04:00
Maxim Dounin
feb1649049 Entity tags: weak comparison for If-None-Match. 2014-06-26 02:21:20 +04:00
Maxim Dounin
def16742a1 Entity tags: downgrade strong etags to weak ones as needed.
See http://mailman.nginx.org/pipermail/nginx-devel/2013-November/004523.html.
2014-06-26 02:21:01 +04:00
Maxim Dounin
5d477a76fe Upstream: fixed cache revalidation with SSI.
Previous code in ngx_http_upstream_send_response() used last modified time
from r->headers_out.last_modified_time after the header filter chain was
already called.  At this point, last_modified_time may be already cleared,
e.g., with SSI, resulting in incorrect last modified time stored in a
cache file.  Fix is to introduce u->headers_in.last_modified_time instead.
2014-06-26 02:20:09 +04:00
Maxim Dounin
6c25c848cb Upstream: removed unused offset to content_length.
It's not needed since introduction of ngx_http_upstream_content_length()
in 103b0d9afe07.
2014-06-26 02:20:05 +04:00
Maxim Dounin
4e275cc73a Upstream: no need to clear r->headers_out.last_modified_time.
Clearing of the r->headers_out.last_modified_time field if a response
isn't cacheable in ngx_http_upstream_send_response() was introduced
in 3b6afa999c2f, the commit to enable not modified filter for cacheable
responses.  It doesn't make sense though, as at this point header was
already sent, and not modified filter was already executed.  Therefore,
the line was removed to simplify code.
2014-06-26 02:19:58 +04:00
Maxim Dounin
05dfc054f0 Not modified filter: debug log format fixed. 2014-06-26 02:19:55 +04:00
Ruslan Ermilov
02e39a3ecb Upstream: reduced diffs to the plus version of nginx.
No functional changes.
2014-06-20 12:55:41 +04:00
Sergey Kandaurov
80e5163f64 FreeBSD has migrated to Bugzilla. 2014-06-19 13:55:59 +04:00
Ruslan Ermilov
05d717b35d Core: added ngx_slab_calloc() and ngx_slab_calloc_locked().
These functions return zeroed memory, analogous to ngx_pcalloc().
2014-06-04 15:09:19 +04:00
Ruslan Ermilov
d1ba20d0c9 Version bump. 2014-06-18 13:39:20 +04:00
Ruslan Ermilov
20038acbfc Upstream: simplified some code that accesses peers.
No functional changes.
2014-06-12 21:13:24 +04:00
Piotr Sikora
a1a8defb49 Access log: fix default value, broken by cb308813b453.
log->filter ("if" parameter) was uninitialized when the default value
was being used, which would lead to a crash (SIGSEGV) when access_log
directive wasn't specified in the configuration.

Zero-fill the whole structure instead of zeroing fields one-by-one
in order to prevent similar issues in the future.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-03 10:53:48 -07:00
Maxim Dounin
afb4aafc6e Core: slab allocator free pages defragmentation.
Large allocations from a slab pool result in free page blocks being fragmented,
eventually leading to a situation when no further allocation larger than a page
size are possible from the pool.  While this isn't a problem for nginx itself,
it is known to be bad for various 3rd party modules.  Fix is to merge adjacent
blocks of free pages in the ngx_slab_free_pages() function.

Prodded by Wandenberg Peixoto and Yichun Zhang.
2014-06-03 17:53:03 +04:00
Roman Arutyunyan
9b5a17b5e2 Upstream: generic hash module. 2014-06-02 16:16:22 +04:00
Valentin Bartenev
68336e1ede SPDY: fixed operator precedence in uint16/uint32 write macros.
Since the type cast has precedence higher than the bit shift operator,
all values were truncated to 8 bits.

These macros are used to construct header block for SYN_REPLY frame on
platforms with strict alignment requirements.  As a result, any response
that contains a header with name or value longer than 255 bytes was
corrupted on such platforms.
2014-05-29 21:15:19 +04:00
Sergey Kandaurov
0750df4f16 Fixed config parsing of the last try_files parameter.
Do not taste the last parameter against directory, as otherwise it would
result in the trailing slash being cut from the parameter value.

Notably, this prevents an internal redirect to an empty URI
if the parameter is set to the literal slash:

    location / { try_files $uri /; }
2014-05-28 20:18:05 +04:00
Maxim Dounin
e9a70114a2 Configure: added -Wno-deprecated-declarations on OS X.
Previous workaround to avoid warnings on OS X due to deprecated system
OpenSSL library (introduced in a3870ea96ccd) no longer works, as
the MAC_OS_X_VERSION_MIN_REQUIRED macro is ignored on OS X 10.9
if a compiler used supports __attribute__(availability).
2014-05-28 17:41:44 +04:00
Maxim Dounin
ffe21776fa Version bump. 2014-05-28 17:41:33 +04:00
Maxim Dounin
e36718de4b Sub filter: fixed subrequests handling.
In particular, properly output partial match at the end of a subrequest
response (much like we do at the end of a response), and reset/set the
last_in_chain flag as appropriate.

Reported by KAWAHARA Masashi.
2014-05-27 16:37:35 +04:00
Vladimir Homutov
21655ae097 Syslog: fixed message sending on win32. 2014-05-27 15:42:34 +04:00
Vladimir Homutov
8e82f06d3e Syslog: fixed possible resource leak and more verbose logging.
Found by Coverity (CID 1215646).
2014-05-26 23:34:44 +04:00
Ruslan Ermilov
5c17030671 Events: use eventfd() instead of syscall(SYS_eventfd) if possible.
This fixes --with-file-aio support on systems that lack eventfd()
syscall, notably aarch64 Linux.

The syscall(SYS_eventfd) may still be necessary on systems that
have eventfd() syscall in the kernel but lack it in glibc, e.g.
as seen in the current CentOS 5 release.
2014-05-23 16:37:05 +04:00
Roman Arutyunyan
3e279a8eb4 Upstream: fix tries check in ip_hash.
Make two checks for maximum number of tries consistent.
The other one checks '>' condition.
2014-05-23 13:47:05 +04:00
Ruslan Ermilov
7808ac0d42 Mail: output client port number on client connects (ticket #531). 2014-05-22 00:16:17 +04:00
Ruslan Ermilov
056e88ea11 Core: output client port number when logging accept event. 2014-05-22 00:16:09 +04:00
Maxim Dounin
ca02a1020c Mail: added a check for the number of arguments in MAIL/RCPT.
Missed during introduction of the SMTP pipelining support (04e43d03e153,
1.5.6).  Previously, the check wasn't needed as s->buffer was used directly
and the number of arguments didn't matter.

Reported by Svyatoslav Nikolsky.
2014-05-21 21:56:20 +04:00
Vladimir Homutov
493b898ae9 Added syslog support for error_log and access_log directives. 2014-05-12 16:34:15 +04:00
Ruslan Ermilov
1736c180f4 Configure: the --build= option.
If set, its value is output in "nginx -v" and in the error log.
2014-05-20 16:10:07 +04:00
Sergey Budnevitch
27899a923a SSL: $ssl_client_fingerprint variable. 2014-05-20 14:03:03 +04:00
Maxim Dounin
84409ec8e0 Setting $args now invalidates unparsed uri.
Prodded by Yichun Zhang.
2014-05-19 22:45:35 +04:00
Maxim Dounin
4884cd611e Charset filter: fixed charset setting on encoded replies.
If response is gzipped we can't recode response, but in case it's not
needed we still can add charset to Content-Type.

The r->ignore_content_encoding is dropped accordingly, charset with gzip_static
now properly works without any special flags.
2014-05-19 22:45:34 +04:00
Maxim Dounin
ffba0eeefb Fixed alias in regex locations with limit_except/if.
The ngx_http_map_uri_to_path() function used clcf->regex to detect if
it's working within a location given by a regular expression and have
to replace full URI with alias (instead of a part matching the location
prefix).  This is incorrect due to clcf->regex being false in implicit
locations created by if and limit_except.

Fix is to preserve relevant information in clcf->alias instead, by setting
it to NGX_MAX_SIZE_T_VALUE if an alias was specified in a regex location.
2014-05-16 17:42:24 +04:00
Valentin Bartenev
a785be76f6 SPDY: added protection from overrun of the receive buffer. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
3f023a4193 SPDY: added a debug point to the state buffer overflow protection. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
57e5c3e86d SPDY: refactored ngx_http_spdy_state_headers().
This change is similar to d2ac5cf4056d.  Special flag of completeness looks
surplus when there is also a counter of frame bytes left.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
d04a714a6d SPDY: improved logging. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
d51d168066 SPDY: set log action for PROXY protocol only while parsing it.
Handling of PROXY protocol for SPDY connection is currently implemented as
a SPDY state.  And while nginx waiting for PROXY protocol data it continues
to process SPDY connection: initializes zlib context, sends control frames.
2014-05-15 19:22:06 +04:00
Valentin Bartenev
ef51079fe2 SPDY: ngx_http_spdy_state_headers() error handling cleanup.
- Specification-friendly handling of invalid header block or special headers.
   Such errors are not fatal for session and shouldn't lead to connection close;

 - Avoid mix of NGX_HTTP_PARSE_INVALID_REQUEST/NGX_HTTP_PARSE_INVALID_HEADER.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
cf770ddd82 SPDY: improved error handling of header block decompression.
Now cases when decompression failed due to internal error
and when a client sent corrupted data are distinguished.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
ba890408bd SPDY: removed ngx_http_spdy_state_headers_error().
The function just calls ngx_http_spdy_state_headers_skip() most of the time.
There was also an attempt of optimization to stop parsing if the client already
closed connection, but it looks strange and unfinished anyway.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
63ee690751 SPDY: prevented creation of RST_STREAM in protocol error state.
Previously, the frame wasn't sent anyway (and had a wrong status code).
2014-05-15 19:18:26 +04:00
Valentin Bartenev
dfb9a5cb0d SPDY: improved ngx_http_spdy_state_protocol_error().
Now ngx_http_spdy_state_protocol_error() is able to close stream,
so there is no need in a separate call for this.

Also fixed zero status code in logs for some cases.
2014-04-30 20:33:58 +04:00
Valentin Bartenev
d9c25cdf19 SPDY: fixed one case of improper memory allocation error handling.
Now ngx_http_spdy_construct_request_line() doesn't try to finalize request
in case of failed memory allocation.
2014-04-30 02:16:21 +04:00
Ruslan Ermilov
5a3d4410cc Style: use %N instead of '\n' where appropriate. 2014-05-14 22:26:30 +04:00
Ruslan Ermilov
9b92f59aef Core: use '\r' for CR and '\n' for LF definitions. 2014-05-14 22:26:05 +04:00
Filipe da Silva
e1a183946f OCSP stapling: missing OCSP request free call. 2014-04-29 22:22:38 +02:00
Maxim Dounin
094bfc6beb Upstream: restored workaround for "if".
The 7022564a9e0e changeset made ineffective workaround from 2464ccebdb52
to avoid NULL pointer dereference with "if".  It is now restored by
moving the u->ssl_name initialization after the check.

Found by Coverity (CID 1210408).
2014-04-30 19:16:55 +04:00
Maxim Dounin
aa28897b22 Core: improved ngx_conf_parse() error handling.
Previous code failed to properly restore cf->conf_file in case of
ngx_close_file() errors, potentially resulting in double free of
cf->conf_file->buffer->start.

Found by Coverity (CID 1087507).
2014-04-30 19:16:49 +04:00
Maxim Dounin
60169aa3a1 Core: fixed error handling in ngx_reopen_files().
Found by Coverity (CID 1087509).
2014-04-30 19:16:40 +04:00
Maxim Dounin
17dad56e4e Cache: added ngx_quit check to ngx_http_file_cache_expire().
While managing big caches it is possible that expiring old cache items
in ngx_http_file_cache_expire() will take a while.  Added a check for
ngx_quit / ngx_terminate to make sure cache manager can be terminated
while in ngx_http_file_cache_expire().
2014-04-30 19:16:35 +04:00
Vladimir Homutov
ed6780aaf1 Upstream: added the "$upstream_cookie_<name>" variables. 2014-04-29 12:28:41 +04:00
Valentin Bartenev
b53306815e Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
2013-11-18 03:06:45 +04:00
Valentin Bartenev
58e26b88b7 Version bump. 2014-04-24 20:50:10 +04:00
Maxim Dounin
6898a634d3 SSL: explicit handling of empty names.
X509_check_host() can't handle non null-terminated names with zero length,
so make sure to fail before calling it.
2014-04-23 20:31:31 +04:00
Ruslan Ermilov
e0e811d601 Upstream: for ssl name, non-aligned memory allocation is enough. 2014-04-22 18:56:49 +04:00
Maxim Dounin
0fd4f76e68 SSL: added explicit check for ngx_strlchr() result. 2014-04-22 14:02:45 +04:00
Valentin Bartenev
f79908af6e SPDY: avoid sending RST_STREAM on WINDOW_UPDATE with unknown SID.
There's a race condition between closing a stream by one endpoint
and sending a WINDOW_UPDATE frame by another.  So it would be better
to just skip such frames for unknown streams, like is already done
for the DATA frames.
2014-04-21 19:21:17 +04:00
Valentin Bartenev
a57959b6cd SPDY: Stream-ID restrictions according to specification. 2014-04-21 18:59:53 +04:00
Maxim Dounin
cae1bd3831 Upstream: uwsgi_ssl_name, uwsgi_ssl_verify, and so on.
Just a merge of proxy_ssl_name, proxy_ssl_verify commits into uwsgi module,
code is identical.
2014-04-18 20:13:32 +04:00
Maxim Dounin
27475dd7ee Upstream: proxy_ssl_verify and friends. 2014-04-18 20:13:30 +04:00
Maxim Dounin
59ef4a3417 Upstream: proxy_ssl_name and proxy_ssl_server_name directives.
These directives allow to switch on Server Name Indication (SNI) while
connecting to upstream servers.

By default, proxy_ssl_server_name is currently off (that is, no SNI) and
proxy_ssl_name is set to a host used in the proxy_pass directive.
2014-04-18 20:13:28 +04:00
Maxim Dounin
93eb94d622 Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.

In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
2014-04-18 20:13:24 +04:00
Maxim Dounin
6c9c973aa7 SSL: $ssl_server_name variable. 2014-04-18 20:13:21 +04:00
Maxim Dounin
583821c547 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. 2014-04-18 20:13:14 +04:00
Maxim Dounin
84785d8413 Version bump. 2014-04-18 20:12:53 +04:00
Sergey Kandaurov
7cf53e11f5 Access log: the "if" parameter of the "access_log" directive.
The parameter value specifies a condition under which the request is logged.
2014-04-15 21:32:56 +04:00
Valentin Bartenev
c69cabed1d SPDY: fixed typo in log message. 2014-04-16 11:40:42 +04:00
Valentin Bartenev
013449be01 Fixed missing "static" in declaration of ngx_http_gzip_quantity(). 2014-04-16 11:40:38 +04:00
Valentin Bartenev
7da40e6a99 SPDY: moved a variable initialization near to its check.
This should prevent attempts of using pointer before it was checked, since
all modern compilers are able to spot access to uninitialized variable.

No functional changes.
2014-04-09 18:15:32 +04:00
Valentin Bartenev
5d3f84e4e1 SPDY: fixed arguments supplied for an error message. 2014-04-08 20:12:30 +04:00
Valentin Bartenev
644a43ebd2 Version bump. 2014-04-08 20:11:31 +04:00
Valentin Bartenev
5cf11ab2e0 SPDY: avoid creating flush frames.
Previously, an empty frame object was created for an output chain that contains
only sync or flush empty buffers.  But since 39d7eef2e332 every DATA frame has
the flush flag set on its last buffer, so there's no need any more in additional
flush buffers in the output queue and they can be skipped.

Note that such flush frames caused an incorrect $body_bytes_sent value.
2014-04-07 23:35:33 +04:00
Valentin Bartenev
a547f4ac15 SPDY: consistently handle control frames with unknown type.
The SPDY draft 2 specification requires that if an endpoint receives a
control frame for a type it does not recognize, it must ignore the frame.
But the 3 and 3.1 drafts don't seem to declare any behavior for such case.
Then sticking with the previous draft in this matter looks to be right.

But previously, only 8 least significant bits of the type field were
parsed while the rest of 16 bits of the field were checked against zero.
Though there are no known frame types bigger than 255, this resulted in
inconsistency in handling of such frames: they were not recognized as
valid frames at all, and the connection was closed.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
108e4d94e4 SPDY: refactored ngx_http_spdy_state_read_data().
There's no more need in a separate indicator of frame completeness
after d74889fbf06d.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
b2cd520673 SPDY: better detect premature closing of stream.
Following a24f88eff684, now the case when the FIN flag is set in SYN_STREAM
is also covered.
2014-04-07 19:27:56 +04:00
Maxim Dounin
55bef30474 Win32: fixed shared ssl_session_cache (ticket #528).
In a worker process shm_zone->data was set to NULL instead of a proper value
extracted from shared memory.
2014-04-07 18:55:57 +04:00
Roman Arutyunyan
5147f8ee6a Mp4: allow end values bigger than track duration.
If start time is within the track but end time is out of it, error
"end time is out mp4 stts samples" is generated.  However it's
better to ignore the error and output the track until its end.
2014-04-01 20:53:18 +04:00
Maxim Dounin
2349a6747d Adjusted default value of types_hash_bucket_size (ticket #352).
The ngx_cacheline_size may be too low on some platforms, resulting
in unexpected hash build problems (as no collisions are tolerated due
to low bucket_size, and max_size isn't big enough to build a hash without
collisions).  These problems aren't fatal anymore but nevertheless
need to be addressed.
2014-03-31 22:47:42 +04:00
Maxim Dounin
8877284863 Core: fixed hash to actually try max_size.
Previously, maximum size of a hash table built was (max_size - 1).
2014-03-31 21:40:35 +04:00
Maxim Dounin
2a620ae109 Core: hash now ignores bucket_size if it hits max_size limit. 2014-03-31 21:40:31 +04:00
Maxim Dounin
23f6689846 Core: slab log_nomem flag.
The flag allows to suppress "ngx_slab_alloc() failed: no memory" messages
from a slab allocator, e.g., if an LRU expiration is used by a consumer
and allocation failures aren't fatal.

The flag is now used in the SSL session cache code, and in the limit_req
module.
2014-03-31 21:38:30 +04:00
Maxim Dounin
8f6958baa9 Win32: fixed cpu hog by cache manager on exit (ticket #514).
The "ngx_quit" may be reset by the worker thread before it's seen
by a ngx_cache_manager_thread(), resulting in an infinite loop.  Make
sure to test ngx_exiting as well.
2014-03-31 21:38:28 +04:00
Maxim Dounin
e042fc9038 Mail: fixed ngx_mail_send() (ticket #519). 2014-03-31 21:38:27 +04:00
Maxim Dounin
3183d7e17b Added #ifndef around NGX_HAVE_CASELESS_FILESYSTEM define.
This brings Cygwin compilation in line with other case-insensitive
systems (notably win32 and OS X) where one can force case sensitivity
using -DNGX_HAVE_CASELESS_FILESYSTEM=0.
2014-03-31 21:38:25 +04:00
Roman Arutyunyan
6f1763213b Mp4: improved logging after adding "end" support.
Despite introducing start and end crop operations existing log
messages still mostly refer only to start.  Logging is improved
to match both cases.

New debug logging is added to track entry count in atoms after
cropping.

Two format type mismatches are fixed as well.
2014-03-31 20:05:53 +04:00
Roman Arutyunyan
70e98eac3e Mp4: fixed seeking to a track end.
When "start" value is equal to a track duration the request
fails with "time is out mp4 stts" like it did before track
duration check was added.  Now such tracks are considered
short and skipped.
2014-03-31 19:52:17 +04:00
Valentin Bartenev
ac5a3cbeee SPDY: detect premature closing of stream.
The SPDY/3.1 specification requires that the server must respond with
a 400 "Bad request" error if the sum of the data frame payload lengths
does not equal the size of the Content-Length header.

This also fixes "zero size buf in output" alert, that might be triggered
if client sends a greater than zero Content-Length header and closes
stream using the FIN flag with an empty request body.
2014-03-28 20:22:57 +04:00
Valentin Bartenev
afb92a8127 SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.
2014-03-28 20:05:07 +04:00
Valentin Bartenev
de3c7a825e SPDY: better detect if headers block has wrong entries count.
Previously, only one case was checked: if there's more data to parse
in a r->header_in buffer, but the buffer can be filled to the end by
the last parsed entry, so we also need to check that there's no more
data to inflate.
2014-03-26 18:01:11 +04:00
Valentin Bartenev
042122a066 SPDY: detect premature end of frame while start parsing headers. 2014-03-26 17:43:39 +04:00
Piotr Sikora
ac1617915c Apply underscores_in_headers also to the first character.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-03-24 16:35:44 -07:00
Andrei Belov
b1597fe2ea Increased default value of variables_hash_max_size. 2014-03-25 18:49:28 +04:00
Sergey Kandaurov
2070abf516 Mp4: skipped empty stss atom table in output.
The atom may have no data entries after cropping.

This fixes "zero size buf in output" alerts.
2014-03-24 17:55:10 +04:00
Maxim Dounin
effbf466aa Range filter: single_range flag in request.
If set, it means that response body is going to be in more than one buffer,
hence only range requests with a single range should be honored.

The flag is now used by mp4 and cacheable upstream responses, thus allowing
range requests of mp4 files with start/end, as well as range processing
on a first request to a not-yet-cached files with proxy_cache.

Notably this makes it possible to play mp4 files (with proxy_cache, or with
mp4 module) on iOS devices, as byte-range support is required by Apple.
2014-03-21 19:33:21 +04:00
Roman Arutyunyan
c6ca135923 Mp4: added "end" argument support. 2014-03-20 16:05:19 +04:00
Roman Arutyunyan
7aa8c81002 Mp4: moved atom cropping code out of update functions.
It can now be reused for implementing mp4 end.
2014-03-20 16:05:18 +04:00
Maxim Dounin
ec1211d2f6 SPDY: improved ngx_http_spdy_state_save() again. 2014-03-19 19:30:09 +04:00
Maxim Dounin
898ca36c33 Macros used for initialization in ngx_http_core_init_main_conf(). 2014-03-19 12:57:40 +04:00
Maxim Dounin
062e7a0042 SPDY: improved ngx_http_spdy_state_save() check. 2014-03-19 12:57:39 +04:00
Maxim Dounin
a4d04f01fb SPDY: macro used for recv_buffer_size initialization. 2014-03-19 12:57:32 +04:00
Maxim Dounin
f9b027baab Version bump. 2014-03-18 22:05:05 +04:00
Maxim Dounin
c6c702c329 SPDY: always check size of data to be saved into state buffer. 2014-03-18 17:00:19 +04:00
Roman Arutyunyan
0b5f329784 Added server-side support for PROXY protocol v1 (ticket #355).
Client address specified in the PROXY protocol header is now
saved in the $proxy_protocol_addr variable and can be used in
the realip module.

This is currently not implemented for mail.
2014-03-17 17:41:24 +04:00
Maxim Dounin
2f917b6d06 FastCGI: f->split_parts reset on request start.
Additionally, make sure to check for errors from ngx_http_parse_header_line()
call after joining saved parts.  There shouldn't be any errors, though
check may help to catch bugs like missing f->split_parts reset.

Reported by Lucas Molas.
2014-03-17 15:34:36 +04:00
Maxim Dounin
8800f0c42b Core: fixed wrong indices in listening sockets compare loops.
Proper use is "ls[i]" and "nls[n]".  Previous code used it wrong in
several places, likely due to cut-n-paste errors.
2014-03-07 15:17:38 +04:00
Sergey Kandaurov
f9e7687e55 Added connection serial number in logging of left open sockets. 2014-03-06 23:15:10 +04:00
Sergey Kandaurov
bd3516e8d9 Fixed format specifier in logging of "c->number". 2014-03-06 18:25:59 +04:00
Roman Arutyunyan
a35c675e71 Version bump. 2014-03-04 23:38:31 +04:00
Valentin Bartenev
0c05e5b55f SPDY: fixed potential integer overflow while parsing headers.
Previously r->header_size was used to store length for a part of
value that represents an individual already parsed HTTP header,
while r->header_end pointed to the end of the whole value.

Instead of storing length of a following name or value as pointer
to a potential end address (r->header_name_end and r->header_end)
that might be overflowed, now r->lowercase_index counter is used
to store remaining length of a following unparsed field.

It also fixes incorrect $body_bytes_sent value if a request is
closed while parsing of the request header.  Since r->header_size
is intended for counting header size, thus abusing it for header
parsing purpose was certainly a bad idea.
2014-03-03 19:24:55 +04:00
Valentin Bartenev
3925c1b110 SPDY: constant number of preallocated structures for headers. 2014-03-03 19:24:54 +04:00
Maxim Dounin
a2a26a7ce1 Request body: avoid potential overflow. 2014-03-03 17:39:53 +04:00
Valentin Bartenev
2c0defac9b Gzip static: fixed NGX_CONF_FLAG misuse. 2014-03-03 17:17:25 +04:00
Maxim Dounin
96af3e9dfb Disabled redirects to named locations if URI is not set.
If something like "error_page 400 @name" is used in a configuration,
a request could be passed to a named location without URI set, and this
in turn might result in segmentation faults or other bad effects
as most of the code assumes URI is set.

With this change nginx will catch such configuration problems in
ngx_http_named_location() and will stop request processing if URI
is not set, returning 500.
2014-02-27 20:36:35 +04:00
Ruslan Ermilov
8aa8365121 Core: allocate enough memory to hold IPv6 text address plus port. 2014-02-22 12:08:31 +04:00
Ruslan Ermilov
9ae40c5b54 Resolver: properly handle connect() failures.
If initial attempt to connect() the UDP socket failed, e.g.
due to network unreachable, no further attempts were made.
2014-02-20 17:27:09 +04:00
Konstantin Pavlov
c539aaf352 Upstream: fixed error message wording. 2014-02-20 13:48:40 +04:00
Ruslan Ermilov
3da53f339d Access: supplemented the obfuscated code with a comment. 2014-02-19 21:45:27 +04:00
Maxim Dounin
5ec277847e Upstream: ngx_post_event() instead of upgraded call (ticket #503).
If a request is finalized in the first call to the
ngx_http_upstream_process_upgraded() function, e.g., because upstream
server closed the connection for some reason, in the second call
the u->peer.connection pointer will be null, resulting in segmentation
fault.

Fix is to avoid second direct call, and post event instead.  This ensures
that ngx_http_upstream_process_upgraded() won't be called again if
a request is finalized.
2014-02-18 17:30:40 +04:00
Roman Arutyunyan
1dc1b0785b Mp4: remove useless leading stsc entry in result mp4.
The fix removes useless stsc entry in result mp4.
If start_sample == n then current stsc entry should be skipped
and the result stsc should start with the next entry.
The reason for that is start_sample starts from 0, not 1.
2014-02-14 15:14:48 +04:00
Maxim Dounin
8f8bf842bc Win32: MSVC 2013 compatibility.
Warnings about GetVersionEx() deprecation silenced.  Precompiled object
linked in.
2014-02-13 16:54:00 +04:00
Valentin Bartenev
b20af091b7 SPDY: fixed reversed priority order in window waiting queue. 2014-02-12 21:02:29 +04:00
Piotr Sikora
60d508ceb9 Upstream: fix $upstream_status variable.
Previously, upstream's status code was overwritten with
cached response's status code when STALE or REVALIDATED
response was sent to the client.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-11 21:54:42 -08:00
Xiaochen Wang
cd358e5a95 SPDY: fixed parsing of http version.
There is an error while parsing multi-digit minor version numbers (e.g.
"HTTP/1.10").
2014-02-11 20:54:16 +08:00
Maxim Dounin
381d507467 SSL: the $ssl_session_reused variable. 2014-02-11 19:20:25 +04:00
Ruslan Ermilov
42c049bd2d Range filter: fixed duplicate charset.
If a proxied response had charset in Content-Type, the
charset was duplicated in a response to client request
with byte ranges.
2014-02-04 17:13:35 +04:00
Piotr Sikora
ab3c0f9250 Use ngx_socket_errno where appropriate.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-03 14:17:17 -08:00
Maxim Dounin
07aef702ee Version bump. 2014-02-05 18:51:30 +04:00
Shigeki Ohtsu
38a9a8968d SPDY: fixed parsing of the priority field.
The size of the priority field is increased by one bit in spdy/3,
and now it's a 3-bit field followed by 5 bits of unused space.
But a shift of these bits hasn't been adjusted in 39d7eef2e332
accordingly.
2014-02-04 14:06:23 +09:00
Maxim Dounin
7ac48da41d Core: added ngx_encode_base64url(). 2014-02-04 04:59:21 +04:00
Piotr Sikora
2e57e0609b Core: handle getsockopt(TCP_FASTOPEN) failures.
Linux returns EOPNOTSUPP for non-TCP sockets and ENOPROTOOPT for TCP
sockets, because getsockopt(TCP_FASTOPEN) is not implemented so far.

While there, lower the log level from ALERT to NOTICE to match other
getsockopt() failures.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-30 14:58:21 -08:00
Valentin Bartenev
449e8eeb53 SPDY: protocol implementation switched to spdy/3.1. 2014-01-31 19:17:26 +04:00
Vladimir Homutov
8d97a2e4d7 Fixed false compiler warning.
Newer gcc versions (4.7+) report possible use of uninitialized variable if
nginx is being compiled with -O3.
2014-01-31 14:18:52 +04:00
Ruslan Ermilov
c6d7db2500 Fixed a compile warning introduced by 01e2a5bcdd8f.
On systems with OpenSSL that has NPN support but lacks
ALPN support, some compilers emitted a warning about
possibly uninitialized "data" variable.
2014-01-30 19:13:12 +04:00
Ruslan Ermilov
8d288ec49a Proxy: fixed upstream search by proxy_pass with variables.
If "proxy_pass" is specified with variables, the resulting
hostname is looked up in the list of upstreams defined in
configuration.  The search was case-sensitive, as opposed
to the case of "proxy_pass" specified without variables.
2014-01-30 18:57:11 +04:00
Piotr Sikora
4ae889c9f2 SSL: support ALPN (IETF's successor to NPN).
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-28 15:33:49 -08:00
Roman Arutyunyan
d3e0bf306b Mp4: fix seeks to standalone last chunk.
If seek position is within the last track chunk
and that chunk is standalone (stsc entry describes only
this chunk) such seek generates stsc seek error. The
problem is that chunk numbers start with 1, not with 0.
2014-01-29 13:44:15 +04:00
Roman Arutyunyan
88f9b411f0 Mp4: skip tracks shorter than seek position (ticket #414).
Mp4 module does not check movie and track durations when reading
file.  Instead it generates errors when track metadata is shorter
than seek position.  Now such tracks are skipped and movie duration
check is performed at file read stage.
2014-01-29 13:33:45 +04:00
Roman Arutyunyan
870733ebd6 Mp4: fix seeks after the last key frame.
Mp4 module does not allow seeks after the last key frame.  Since
stss atom only contains key frames it's usually shorter than
other track atoms.  That leads to stss seek error when seek
position is close to the end of file.  The fix outputs empty
stss frame instead of generating error.
2014-01-29 13:30:36 +04:00
Maxim Dounin
c94c24b177 Fixed TCP_DEFER_ACCEPT handling (ticket #353).
Backed out 05a56ebb084a, as it turns out that kernel can return connections
without any delay if syncookies are used.  This basically means we can't
assume anything about connections returned with deferred accept set.

To solve original problem the 05a56ebb084a tried to solve, i.e. to don't
wait longer than needed if a connection was accepted after deferred accept
timeout, this patch changes a timeout set with setsockopt(TCP_DEFER_ACCEPT)
to 1 second, unconditionally.  This is believed to be enough for speed
improvements, and doesn't imply major changes to timeouts used.

Note that before 2.6.32 connections were dropped after a timeout.  Though
it is believed that 1s is still appropriate for kernels before 2.6.32,
as previously tcp_synack_retries controlled the actual timeout and 1s results
in more than 1 minute actual timeout by default.
2014-01-28 15:40:46 +04:00
Maxim Dounin
1631393f94 SSI: fixed $date_local and $date_gmt without SSI (ticket #230).
If there is no SSI context in a given request at a given time,
the $date_local and $date_gmt variables used "%s" format, instead
of "%A, %d-%b-%Y %H:%M:%S %Z" documented as the default and used
if there is SSI module context and timefmt wasn't modified using
the "config" SSI command.

While use of these variables outside of the SSI evaluation isn't strictly
valid, previous behaviour is certainly inconsistent, hence the fix.
2014-01-28 15:40:45 +04:00
Tatsuhiko Kubo
135dc712c0 Typo fixed. 2014-01-23 22:09:59 +09:00
Maxim Dounin
1ebb44e3e3 SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Even during execution of a request it is possible that there will be
no session available, notably in case of renegotiation.  As a result
logging of $ssl_session_id in some cases caused NULL pointer dereference
after revision 97e3769637a7 (1.5.9).  The check added returns an empty
string if there is no session available.
2014-01-23 18:32:26 +04:00
Maxim Dounin
bb40c4ed2f Version bump. 2014-01-23 18:32:25 +04:00
Maxim Dounin
c74e23ba3a Upstream: reading from a client after connection upgrade.
Read event on a client connection might have been disabled during
previous processing, and we at least need to handle events.  Calling
ngx_http_upstream_process_upgraded() is a simpliest way to do it.

Notably this change is needed for select, poll and /dev/poll event
methods.

Previous version of this patch was posted here:
http://mailman.nginx.org/pipermail/nginx/2014-January/041839.html
2014-01-22 16:05:07 +04:00
Maxim Dounin
096bcd03c3 SSL: fixed $ssl_session_id variable.
Previously, it used to contain full session serialized instead of just
a session id, making it almost impossible to use the variable in a safe
way.

Thanks to Ivan Ristić.
2014-01-22 16:05:06 +04:00
Valentin Bartenev
abcbe54219 SPDY: use ngx_queue_t to queue streams for post processing.
It simplifies the code and allows easy reuse the same queue pointer to store
streams in various queues with different requirements.  Future implementation
of SPDY/3.1 will take advantage of this quality.
2014-01-20 20:56:49 +04:00
Valentin Bartenev
3ddf9ccfce SPDY: store the length of frame instead of its whole size.
The "length" value better corresponds with the specification and reduces
confusion about whether frame's header is included in "size" or not.

Also this change simplifies some parts of code, since in more cases the
length of frame is more useful than its actual size, especially considering
that the size of frame header is constant.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
e62156d829 SPDY: use frame->next pointer to chain free frames.
There is no need in separate "free" pointer and like it is for ngx_chain_t
the "next" pointer can be used.  But after this change successfully handled
frame should not be accessed, so the frame handling cycle was improved to
store pointer to the next frame before processing.

Also worth noting that initializing "free" pointer to NULL in the original
code was surplus.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
650984cd20 SPDY: proper handling of all RST_STREAM statuses.
Previously, only stream CANCEL and INTERNAL_ERROR were handled right.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
d055f74178 SPDY: removed state to check first SETTINGS frame.
That code was based on misunderstanding of spdy specification about
configuration applicability in the SETTINGS frames.  The original
interpretation was that configuration is assigned for the whole
SPDY connection, while it is only for the endpoint.

Moreover, the strange thing is that specification forbids multiple
entries in the SETTINGS frame with the same ID even if flags are
different.  As a result, Chrome sends two SETTINGS frames: one with
its own configuration, and another one with configuration stored
for a server (when the FLAG_SETTINGS_PERSIST_VALUE flags were used
by the server).

To simplify implementation we refuse to use the persistent settings
feature and thereby avoid all the complexity related with its proper
support.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
406c0613f5 SPDY: better name for frame entries counter.
The "headers" is not a good term, since it is used not only to count
name/value pairs in the HEADERS block but to count SETTINGS entries too.

Moreover, one name/value pair in HEADERS can contain multiple http headers
with the same name.

No functional changes.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
32bb39c48f SPDY: fixed possible segfault.
While processing a DATA frame, the link to related stream is stored in spdy
connection object as part of connection state.  But this stream can be closed
between receiving parts of the frame.
2014-01-22 04:58:19 +04:00
Ruslan Ermilov
8b7fe56e95 Mail: fixed passing of IPv6 client address in XCLIENT. 2014-01-17 22:06:04 +04:00
Maxim Dounin
0bfb68eea0 Core: improved ngx_reset_pool() (ticket #490).
Previously pool->current wasn't moved back to pool, resulting in blocks
not used for further allocations if pool->current was already moved at the
time of ngx_reset_pool().  Additionally, to preserve logic of moving
pool->current, the p->d.failed counters are now properly cleared.  While
here, pool->chain is also cleared.

This change is essentially a nop with current code, but generally improves
things.
2014-01-17 06:24:53 +04:00
Valentin Bartenev
1ef5553644 SPDY: send output queue after processing of read event.
During the processing of input some control frames can be added to the queue.
And if there were no writing streams at the moment, these control frames might
be left unsent for a long time (or even forever).

This long delay is especially critical for PING replies since a client can
consider connection as broken and then resend exactly the same request over
a new connection, which is not safe in case of non-idempotent HTTP methods.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
82a1ff31f9 SPDY: the SETTINGS frame should be allocated from sc->pool.
There is no reason to allocate it from connection pool that more like just
a bug especially since ngx_http_spdy_settings_frame_handler() already uses
sc->pool to free a chain.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
b2b43ca50f SPDY: fixed possible uninitialized memory access.
The frame->stream pointer should always be initialized for control frames since
the check against it can be performed in ngx_http_spdy_filter_cleanup().
2014-01-15 17:16:38 +04:00
Valentin Bartenev
d143119e3c SPDY: fixed off_t/size_t type conversions on 32 bits platforms.
Parameters of ngx_http_spdy_filter_get_shadow() are changed from size_t to off_t
since the last call of the function may get size and offset from the rest of a
file buffer.  This fixes possible data loss rightfully complained by MSVC on 32
bits systems where off_t is 8 bytes long while size_t is only 4 bytes.

The other two type casts are needed just to suppress warnings about possible
data loss also complained by MSVC but false positive in these cases.
2014-01-15 13:23:31 +04:00
Valentin Bartenev
70c010167f SPDY: fixed build, broken by b7ee1bae0ffa.
False positive warning about the "cl" variable may be uninitialized in
the ngx_http_spdy_filter_get_data_frame() call was suppressed.

It is always initialized either in the "while" cycle or in the following
"if" condition since frame_size cannot be zero.
2014-01-15 01:44:52 +04:00
Valentin Bartenev
8323f317f6 SPDY: added the "spdy_chunk_size" directive. 2014-01-14 16:24:45 +04:00
Valentin Bartenev
b60700f9e9 SPDY: implemented buffers chain splitting.
It fixes "chain too big in spdy filter" alerts, and adds full support for rate
limiting of SPDY streams.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
8c01a95d98 SPDY: body filter was replaced by c->send_chain() function.
It allows to use ngx_http_write_filter() and all its rate limiting logic.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
3d5f501adc SPDY: fixed possible premature close of stream.
The "delayed" flag always should be set if there are unsent frames,
but this might not be the case if ngx_http_spdy_body_filter() was
called with NULL chain.

As a result, the "send_timeout" timer could be set on a stream in
ngx_http_writer().  And if the timeout occurred before all the stream
data has been sent, then the request was finalized with the "client
timed out" error.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
1c56e18733 SPDY: refactored ngx_http_spdy_body_filter().
A local pointer to fake connection is introduced
to slightly reduce further patches.

No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
ac8bb7a9e5 SPDY: elimination of r->blocked counter usage for queuing frames.
It was used to prevent destroying of request object when there are unsent
frames in queue for the stream.  Since it was incremented for each frame
and is only 8 bits long, so it was not very hard to overflow the counter.

Now the stream->queued counter is checked instead.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
6ddb578b22 SPDY: better name for flag that indicates incomplete frame state.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
00944562ac SPDY: better name for queued frames counter.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
df1d8f78ac SPDY: fixed format specifiers in logging. 2014-01-14 16:24:45 +04:00
Yichun Zhang
2e2c9dba16 Resolver: added support for domain names with a trailing dot. 2014-01-10 11:22:14 -08:00
Maxim Dounin
70b48a491a SSL: fixed ssl_verify_depth to take only one argument. 2014-01-14 15:56:40 +04:00
Dirkjan Bussink
58a240d773 SSL: ssl_session_tickets directive.
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.

If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
2014-01-10 16:12:40 +01:00
Maxim Dounin
8f702a573a Fixed "zero size buf in output" alerts.
If a request had an empty request body (with Content-Length: 0), and there
were preread data available (e.g., due to a pipelined request in the buffer),
the "zero size buf in output" alert might be logged while proxying the
request to an upstream.

Similar alerts appeared with client_body_in_file_only if a request had an
empty request body.
2014-01-04 03:32:22 +04:00
Maxim Dounin
eb60e1e26d Win32: support for UTF-16 surrogate pairs (ticket #457). 2014-01-04 03:32:15 +04:00
Maxim Dounin
def37d254a Upstream: Cache-Control preferred over Expires.
Not really a strict check (as X-Accel-Expires might be ignored or
contain invalid value), but quite simple to implement and better
than what we have now.
2014-01-04 03:32:10 +04:00
Maxim Dounin
1029607ac9 Added per-process random seeding (ticket #456). 2014-01-04 03:32:06 +04:00
Maxim Dounin
9a72030c25 Allowed up to two EBUSY errors from sendfile().
Fallback to synchronous sendfile() now only done on 3rd EBUSY without
any progress in a row.  Not falling back is believed to be better
in case of occasional EBUSY, though protection is still needed to
make sure there will be no infinite loop.
2014-01-04 03:31:58 +04:00
Ruslan Ermilov
2539ce036f Fixed setting of content type in some cases.
This fixes content type set in stub_status and autoindex responses
to be usable in content type checks made by filter modules, such
as charset and sub filters.
2013-12-27 19:40:04 +04:00
Valentin Bartenev
2b1156d101 Style: removed surplus semicolons. 2013-12-27 18:47:42 +04:00
Valentin Bartenev
aa22dc707b SPDY: a bit smarter ngx_http_spdy_filter_get_data_frame().
There is no need to pass FLAG_FIN as a separate argument since it can always be
detected from the last_buf flag of the last frame buffer.

No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
df49024997 SPDY: refactored loop in ngx_http_spdy_body_filter().
No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
75dad742e5 SPDY: fixed possible request hang.
Processing events from upstream connection can result in sending queued frames
from other streams.  In this case such streams were not added to handling queue
and properly handled.

A global per connection flag was replaced by a per stream flag that indicates
currently sending stream while all other streams can be added to handling
queue.
2013-12-26 17:03:16 +04:00
Ruslan Ermilov
9b4a99cf5d Dav: emit a warning about unsafe URI. 2013-12-23 18:12:03 +04:00
Ruslan Ermilov
f7ff5e65d0 Teach ngx_http_parse_unsafe_uri() how to unescape URIs.
This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316),
SSI (ticket #240), and DAV.
2013-12-23 18:12:00 +04:00
Ruslan Ermilov
336bcb22d1 Detect more unsafe URIs in ngx_http_parse_unsafe_uri().
The following URIs were considered safe: "..", "../foo", and "/foo/..".
2013-12-23 18:11:56 +04:00
Ruslan Ermilov
3f36c684a1 Upstream: keep $upstream_http_x_accel_redirect intact.
When processing the X-Accel-Redirect header, the value of the
$upstream_http_x_accel_redirect variable was also overwritten.
2013-12-23 18:11:46 +04:00
Ruslan Ermilov
bf800822df Fixed the first argument to getsockopt().
While here, always initialize the last argument.
2013-12-19 13:43:18 +04:00
Maxim Dounin
37b7de6df7 SSL: ssl_buffer_size directive. 2013-12-20 16:18:25 +04:00
Vladimir Homutov
c7a0b04665 Upstream: simplified peer selection loop in the "ip_hash" module.
Conditions for skipping ineligible peers are rewritten to make adding of new
conditions simpler and be in line with the "round_robin" and "least_conn"
modules.  No functional changes.
2013-12-09 13:43:27 +04:00
Ruslan Ermilov
85e6d211d0 Resolver: use minimum TTL for caching (ticket #329). 2013-12-16 19:12:23 +04:00
Valentin Bartenev
c8f3f9fa12 SPDY: use predefined constant for size of the Stream-ID field.
No functional changes.
2013-12-18 18:39:29 +04:00
Valentin Bartenev
bf3ff5bca7 Version bump. 2013-12-18 18:37:48 +04:00
Ruslan Ermilov
3fd727566a Resolver: lookups are case-insensitive. 2013-12-13 20:49:52 +04:00
Ruslan Ermilov
e0caf51711 The "ipv6=" boolean parameter of the "resolver" directive.
When set to "off", only IPv4 addresses will be resolved,
and no AAAA queries are ever sent.
2013-12-09 10:53:30 +04:00
Ruslan Ermilov
769eded732 Resolver: implemented IPv6 name to address resolving. 2013-12-09 10:53:28 +04:00
Ruslan Ermilov
809bee30b7 Resolver: implemented IPv6 address to name resolving. 2013-12-06 14:30:28 +04:00
Ruslan Ermilov
3aeefbcaea Changed resolver API to use ngx_addr_t. 2013-12-06 14:30:27 +04:00
Ruslan Ermilov
552e15ba1c Resolver: fixed indentation. 2013-12-13 19:22:44 +04:00
Ruslan Ermilov
efd0e0e177 Core: externalized ngx_cmp_sockaddr().
It's also extended with the "cmp_port" argument to indicate
whether ports should be compared as well, or only addresses.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
159486239f Resolver: fixes in PTR processing.
Verify that class of RR is "IN".
Verify that RR data length is non-zero.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
f57350cd86 Resolver: fixes in A processing.
Verify that class of RR is "IN".
Verify that RR data length is exactly four octets.
Correctly shift to the next RR if RR type is unknown.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
f3a271f3fd Resolver: fixed response processing.
Stricten response header checks: ensure that reserved bits are zeroes,
and that the opcode is "standard query".

Fixed the "zero-length domain name in DNS response" condition.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
23071835a3 Resolver: removed unnecessary casts. 2013-12-06 14:30:27 +04:00
Ruslan Ermilov
3d245d4792 Resolver: improved code readability.
Renamed ngx_resolver_query_t to ngx_resolver_hdr_t as it describes
the header that is common to DNS queries and answers.

Replaced the magic number 12 by the size of the header structure.

The other changes are self-explanatory.
2013-12-06 14:30:27 +04:00
Maxim Dounin
0c585adfd4 Trailing whitespace fix. 2013-12-12 20:28:48 +04:00
Valentin Bartenev
2576530c51 Use ngx_chain_get_free_buf() in pipe input filters.
No functional changes.
2013-12-11 21:30:38 +04:00
Valentin Bartenev
7f54528ca0 SPDY: drop the "delayed" flag when finalizing connection.
This flag in SPDY fake write events serves the same purposes as the "ready"
flag in real events, and it must be dropped if request needs to be handled.
Otherwise, it can prevent the request from finalization if ngx_http_writer()
was set, which results in a connection leak.

Found by Xiaochen Wang.
2013-12-10 20:27:33 +04:00
Ruslan Ermilov
fa512fdb76 Fixed handling of UNIX-domain sockets.
When evaluating $local_port, $server_port, and $server_addr,
UNIX-domain sockets were mistakenly interpreted as IPv4 sockets.
2013-12-09 10:16:44 +04:00
Ruslan Ermilov
675e73e3bd Core: keep the length of the local sockaddr. 2013-12-09 10:14:51 +04:00
Piotr Sikora
19f475276d Fixed incorrect ngx_str_set() usage, broken in c82b2e020b9f.
Found by Coverity Scan CID 1135525.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-12-06 16:00:49 -08:00
Maxim Dounin
67b0d16546 Fixed build without SSL, broken by c82b2e020b9f. 2013-12-04 23:13:13 +04:00
Maxim Dounin
24e1db93a8 SSL support in the uwsgi module.
Based on patch by Roberto De Ioris.
2013-12-04 23:01:27 +04:00
Mathew Rodley
84f5c2136e Added support for TCP_FASTOPEN supported in Linux >= 3.7.1.
---
 auto/unix                       | 12 ++++++++++++
 src/core/ngx_connection.c       | 32 ++++++++++++++++++++++++++++++++
 src/core/ngx_connection.h       |  4 ++++
 src/http/ngx_http.c             |  4 ++++
 src/http/ngx_http_core_module.c | 21 +++++++++++++++++++++
 src/http/ngx_http_core_module.h |  3 +++
 6 files changed, 76 insertions(+)
2013-12-03 22:07:03 +04:00
Maxim Dounin
a8a7de3f78 Fixed "setfib=" on non-first listening socket. 2013-12-03 21:44:08 +04:00
Vladimir Homutov
71b9cca835 Improved code readablity in ngx_http_upstream_init_round_robin().
Changed initialization order of the peer structure in one of the
cases to be in line with the rest.

No functional changes.
2013-12-03 17:12:16 +04:00
Ruslan Ermilov
0419933283 Fixed null pointer dereference with $upstream_cache_last_modified. 2013-12-03 15:11:24 +04:00
Maxim Dounin
bfda85b6e4 Win32: fixed init_process without master process (ticket #453).
Init process callbacks are called by ngx_worker_thread(), there is no
need to call them in ngx_single_process_cycle().
2013-11-29 17:23:47 +04:00
Maxim Dounin
3dec2b131c Upstream: skip empty cache headers.
Notably this fixes HTTP_IF_MODIFIED_SINCE which was always sent with
cache enabled in fastcgi/scgi/uwsgi after 43ccaf8e8728.
2013-11-29 17:23:38 +04:00
Maxim Dounin
067c1d2a4f SSL: fixed c->read->ready handling in ngx_ssl_recv().
If c->read->ready was reset, but later some data were read from a socket
buffer due to a call to ngx_ssl_recv(), the c->read->ready flag should
be restored if not all data were read from OpenSSL buffers (as kernel
won't notify us about the data anymore).

More details are available here:
http://mailman.nginx.org/pipermail/nginx/2013-November/041178.html
2013-11-29 17:16:06 +04:00
Maxim Dounin
6b7e88f36b Version bump. 2013-11-29 17:11:36 +04:00
Ruslan Ermilov
d47c435e9e Proper backtracking after space in a request line. 2013-11-19 06:57:58 +04:00
Maxim Dounin
1ac2693a33 Upstream: cache revalidation with conditional requests.
The following new directives are introduced: proxy_cache_revalidate,
fastcgi_cache_revalidate, scgi_cache_revalidate, uwsgi_cache_revalidate.
Default is off.  When set to on, they enable cache revalidation using
conditional requests with If-Modified-Since for expired cache items.

As of now, no attempts are made to merge headers given in a 304 response
during cache revalidation with headers previously stored in a cache item.
Headers in a 304 response are only used to calculate new validity time
of a cache item.
2013-11-18 20:48:22 +04:00
Valentin Bartenev
df2fc6a9df SPDY: fixed request hang with the auth request module.
We should just call post_handler() when subrequest wants to read body, like
it happens for HTTP since rev. f458156fd46a.  An attempt to init request body
for subrequests results in hang if the body was not already read.
2013-11-11 18:49:35 +04:00
Maxim Dounin
b0f025f4fe Win32: plugged memory leak. 2013-10-31 18:23:49 +04:00
Maxim Dounin
45075adccf Gunzip: proper error handling on gunzipping an empty response.
With previous code, an empty (malformed) response resulted in a request
finalized without sending anything to a client.
2013-10-31 04:16:20 +04:00
Maxim Dounin
eea2e1262b Gunzip: "error" logging level on inflate() errors.
Errors can easily happen due to broken upstream responses, there is no
need to log them at "alert" level.
2013-10-31 04:12:53 +04:00
Maxim Dounin
f1a9f14afe Removed extra allocation for $sent_http_last_modified.
There is no need to allocate memory for "Last-Modified: " string,
the variable only contains date itself.
2013-10-31 04:02:59 +04:00
Maxim Dounin
869b4f36e5 Auth basic: "info" logging level on no user/password.
This isn't an exceptional condition and normally happens on
first request from a client.
2013-10-31 04:02:21 +04:00
Yichun Zhang
3d3fa2adc6 Gzip, gunzip: flush pending data when incoming chain is NULL. 2013-10-28 15:01:36 -07:00
Maxim Dounin
0eee3b0bc5 Core: handling of getsockopt(TCP_DEFER_ACCEPT) failures.
Recent Linux versions started to return EOPNOTSUPP to getsockopt() calls
on unix sockets, resulting in log pollution on binary upgrade.  Such errors
are silently ignored now.
2013-10-31 04:00:37 +04:00
Piotr Sikora
475832834b Core: apply missed options to sockets added during binary upgrade.
The accept_filter and deferred options were not applied to sockets
that were added to configuration during binary upgrade cycle.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-24 14:18:37 -07:00
Xiaochen Wang
8f3dfde7f7 Upstream: optimize loops in ngx_http_upstream_init_round_robin(). 2013-10-21 18:20:32 +08:00
Maxim Dounin
a6b7cfe967 Fixed "satisfy any" if 403 is returned after 401 (ticket #285).
The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.

The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).

Patch by Jan Marc Hoffmann.
2013-10-18 18:13:49 +04:00
Maxim Dounin
6291a29992 Headers filter: empty Cache-Control is no longer added.
Much like with other headers, "add_header Cache-Control $value;" no longer
results in anything added to response headers if $value evaluates to an
empty string.
2013-10-18 18:13:44 +04:00
Maxim Dounin
0ca52adff6 Style. 2013-10-18 18:13:35 +04:00
Piotr Sikora
79be6a5462 SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.

    ssl_session_ticket_key  session_tickets/current.key;
    ssl_session_ticket_key  session_tickets/prev-1h.key;
    ssl_session_ticket_key  session_tickets/prev-2h.key;

Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-11 16:05:24 -07:00
Maxim Dounin
a8ad0c02cc SSL: SSL_CTX_set_timeout() now always called.
The timeout set is used by OpenSSL as a hint for clients in TLS Session
Tickets.  Previous code resulted in a default timeout (5m) used for TLS
Sessions Tickets if there was no session cache configured.

Prodded by Piotr Sikora.
2013-10-14 13:59:35 +04:00
Maxim Dounin
87a607a031 SSL: fixed build with OpenSSL 0.9.7.
SSL_get_rbio() and SSL_get_wbio() functions used to get non-const pointer
in OpenSSL 0.9.7, hence an explicit cast added to drop const qualifier.
2013-10-14 13:44:09 +04:00
Maxim Dounin
5a63dcc5d7 Limit req: fixed "nodelay" parsing.
Previously arguments starting with "nodelay" were considered valid,
e.g. "limit_req ... nodelayFOO;".
2013-10-02 15:07:17 +04:00
Maxim Dounin
31d023e53e Upstream: fixed "down" and "backup" parsing.
Previously arguments starting with "down" or "backup" were considered
valid, e.g. "server ... downFOO;".
2013-10-02 15:07:15 +04:00
Sergey Kandaurov
cfb2b55e8d Unused macro and variable removed.
The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9).
The variable ngx_accept_mutex_lock_file was never used.
2013-10-02 11:51:04 +04:00
Sergey Kandaurov
5bf78d05a0 Version bump. 2013-10-02 11:50:56 +04:00
Valentin Bartenev
cca2b04f51 SPDY: ignore priority when queuing blocked frames.
With this change all such frames will be added in front of the output queue, and
will be sent first.  It prevents HOL blocking when response with higher priority
is blocked by response with lower priority in the middle of the queue because
the order of their SYN_REPLY frames cannot be changed.

Proposed by Yury Kirpichev.
2013-10-01 00:14:37 +04:00
Valentin Bartenev
4f4963e87e SPDY: set empty write handler during connection finalization.
While ngx_http_spdy_write_handler() should not make any harm with current code,
calling it during finalization of SPDY connection was not intended.
2013-10-01 00:12:30 +04:00
Valentin Bartenev
92b82c80af SPDY: fixed connection leak while waiting for request headers.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for request headers, it was a no-op since the
read event handler had been set to ngx_http_empty_handler().
2013-10-01 00:04:00 +04:00
Valentin Bartenev
6ba03097db SPDY: fixed connection leak while waiting for request body.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for a request body, it was a no-op since the
read event handler ngx_http_request_handler() calls r->read_event_handler that
had been set to ngx_http_block_reading().
2013-10-01 00:00:57 +04:00
Maxim Dounin
ef8c64acbe Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
A configuration like "mail { starttls on; server {}}" triggered NULL
pointer dereference in ngx_mail_ssl_merge_conf() as conf->file was not set.
2013-09-30 22:10:13 +04:00
Maxim Dounin
aa36cc39a4 Mail: fixed overrun of allocated memory (ticket #411).
Reported by Markus Linnala.
2013-09-30 22:10:08 +04:00
Maxim Dounin
f2b5192c30 Mail: handle smtp multiline replies.
See here for details:

http://nginx.org/pipermail/nginx/2010-August/021713.html
http://nginx.org/pipermail/nginx/2010-August/021784.html
http://nginx.org/pipermail/nginx/2010-August/021785.html
2013-09-30 22:10:03 +04:00
Maxim Dounin
4f6f653f48 Mail: smtp pipelining support.
Basically, this does the following two changes (and corresponding
modifications of related code):

1. Does not reset session buffer unless it's reached it's end, and always
wait for LF to terminate command (even if we detected invalid command).

2. Record command name to make it available for handlers (since now we
can't assume that command starts from s->buffer->start).
2013-09-30 22:09:57 +04:00
Maxim Dounin
32d6035303 Mail: added session close on smtp_greeting_delay violation.
A server MUST send greeting before other replies, while before this
change in case of smtp_greeting_delay violation the 220 greeting was
sent after several 503 replies to commands received before greeting,
resulting in protocol synchronization loss.  Moreover, further commands
were accepted after the greeting.

While closing a connection isn't strictly RFC compliant (RFC 5321
requires servers to wait for a QUIT before closing a connection), it's
probably good enough for practial uses.
2013-09-30 22:09:50 +04:00
Maxim Dounin
af897b7f03 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). 2013-09-27 19:39:33 +04:00
Maxim Dounin
4b2ead8871 FastCGI: non-buffered mode support. 2013-09-27 16:50:40 +04:00
Maxim Dounin
989a71377b Upstream: subrequest_in_memory support for SCGI and uwsgi enabled.
This was missed in 9d59a8eda373 when non-buffered support was added to SCGI
and uwsgi.
2013-09-27 16:50:34 +04:00
Maxim Dounin
c4b5a1fe5e Upstream: subrequest_in_memory fix.
With previous code only part of u->buffer might be emptied in case
of special responses, resulting in partial responses seen by SSI set
in case of simple protocols, or spurious errors like "upstream sent
invalid chunked response" in case of complex ones.
2013-09-27 16:50:26 +04:00
Maxim Dounin
239c4037ce Upstream: proxy_no_cache, fastcgi_no_cache warnings removed. 2013-09-27 16:50:13 +04:00
Piotr Sikora
43736b12de Proxy: added the "proxy_ssl_ciphers" directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-23 15:58:28 -07:00
Maxim Dounin
e11584164f Added ngx_filename_cmp() with "/" sorted to the left.
This patch fixes incorrect handling of auto redirect in configurations
like:

    location /0  { }
    location /a- { }
    location /a/ { proxy_pass ... }

With previously used sorting, this resulted in the following locations
tree (as "-" is less than "/"):

        "/a-"
    "/0"    "/a/"

and a request to "/a" didn't match "/a/" with auto_redirect, as it
didn't traverse relevant tree node during lookup (it tested "/a-",
then "/0", and then falled back to null location).

To preserve locale use for non-ASCII characters on case-insensetive
systems, libc's tolower() used.
2013-09-23 19:37:13 +04:00
Maxim Dounin
d2ef70e97a Caseless location tree construction (ticket #90).
Location tree was always constructed using case-sensitive comparison, even
on case-insensitive systems.  This resulted in incorrect operation if
uppercase letters were used in location directives.  Notably, the
following config:

    location /a { ... }
    location /B { ... }

failed to properly map requests to "/B" into "location /B".
2013-09-23 19:37:06 +04:00
Piotr Sikora
f52a2c7585 SSL: stop loading configs with invalid "ssl_ciphers" values.
While there, remove unnecessary check in ngx_mail_ssl_module.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-22 22:36:11 -07:00
Markus Linnala
35e2bb0efb Core: fix misallocation at ngx_crypt_apr1 (ticket #412).
Found by using auth_basic.t from mdounin nginx-tests under valgrind.

==10470== Invalid write of size 1
==10470==    at 0x43603D: ngx_crypt_to64 (ngx_crypt.c:168)
==10470==    by 0x43648E: ngx_crypt (ngx_crypt.c:153)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==    by 0x456A91: ngx_http_process_request_line (ngx_http_request.c:964)
==10470==    by 0x457097: ngx_http_wait_request_handler (ngx_http_request.c:486)
==10470==    by 0x4411EE: ngx_epoll_process_events (ngx_epoll_module.c:691)
==10470==  Address 0x5866fab is 0 bytes after a block of size 27 alloc'd
==10470==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==10470==    by 0x43B251: ngx_alloc (ngx_alloc.c:22)
==10470==    by 0x421B0D: ngx_malloc (ngx_palloc.c:119)
==10470==    by 0x421B65: ngx_pnalloc (ngx_palloc.c:147)
==10470==    by 0x436368: ngx_crypt (ngx_crypt.c:140)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==
2013-09-20 17:57:21 +03:00
Andrei Belov
003b2cd720 Proxy: added the "proxy_ssl_protocols" directive. 2013-09-19 18:30:33 +04:00
Piotr Sikora
0a5124502d SSL: fixed possible memory and file descriptor leak on HUP signal.
The problem appeared in 386a06a22c40 (1.3.7).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-18 16:51:30 -07:00
Sergey Kandaurov
bff2b8d69f Fixed response line formatting with empty reason phrase.
As per RFC 2616 sec 6.1 the response status code is always followed by SP.
2013-09-18 18:53:26 +04:00
Sergey Kandaurov
63b1baa7f1 Version bump. 2013-09-18 18:53:24 +04:00
Piotr Sikora
29ea1273fe SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
This option had no effect since 0.9.7h / 0.9.8b and it was removed
in recent OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-16 14:24:38 -07:00
Valentin Bartenev
db1532944c Improved check for duplicate path names in ngx_add_path().
The same path names with different "data" context should not be allowed.

In particular it rejects configurations like this:

    proxy_cache_path /var/cache/ keys_zone=one:10m max_size=1g inactive=5m;
    proxy_cache_path /var/cache/ keys_zone=two:20m max_size=4m inactive=30s;
2013-09-16 18:49:23 +04:00
Valentin Bartenev
eb10d8f71e Removed surplus initializations from ngx_conf_set_path_slot().
An instance of ngx_path_t is already zeroed by ngx_pcalloc().
2013-09-16 18:49:22 +04:00
Valentin Bartenev
f0fbcaf098 Use ngx_pcalloc() in ngx_conf_merge_path_value().
It initializes the "data" pointer of ngx_path_t that will be checked after
subsequent changes.
2013-09-16 18:49:10 +04:00
Valentin Bartenev
a11050ea4e Use EPOLLRDHUP in ngx_http_test_reading() (ticket #320).
This allows to detect client connection close with pending data when
the ngx_http_test_reading() request event handler is set.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
096678ced4 Upstream: use EPOLLRDHUP to check broken connections (ticket #320).
This allows to detect client connection close with pending data on Linux
while processing upstream.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
182a05b9d5 Events: support for EPOLLRDHUP (ticket #320).
Since Linux 2.6.17, epoll is able to report about peer half-closed connection
using special EPOLLRDHUP flag on a read event.
2013-07-12 14:51:07 +04:00
Valentin Bartenev
0f0502064d Events: removed unused flags from the ngx_event_s structure.
They are not used since 708f8bb772ec (pre 0.0.1).
2013-09-05 16:53:02 +04:00
Valentin Bartenev
cf08ba72db Fixed handling of the ready flag with kqueue.
There is nothing to do more when recv() has returned 0,
so we should drop the flag.
2013-09-05 16:53:02 +04:00
Valentin Bartenev
d034e63a11 Return reason phrase for 414.
After 62be77b0608f nginx can return this code.
2013-09-03 21:07:19 +04:00
Maxim Dounin
d33225db58 Upstream: fixed $upstream_response_time format specifiers. 2013-09-04 21:30:09 +04:00
Maxim Dounin
3d1e616d0b SSL: clear error queue after SSL_CTX_load_verify_locations().
The SSL_CTX_load_verify_locations() may leave errors in the error queue
while returning success (e.g. if there are duplicate certificates in the file
specified), resulting in "ignoring stale global SSL error" alerts later
at runtime.
2013-09-04 21:17:02 +04:00
Maxim Dounin
f108b28038 Fixed incorrect response line on "return 203".
Reported by Weibin Yao,
http://mailman.nginx.org/pipermail/nginx-devel/2013-April/003607.html.
2013-09-04 21:17:01 +04:00
Maxim Dounin
4b189002af Request cleanup code unified, no functional changes.
Additionally, detaching a cleanup chain from a request is a bit more resilent
to various bugs if any.
2013-09-04 21:17:00 +04:00
Maxim Dounin
2b0dba578f Handling of ngx_int_t != intptr_t case.
Casts between pointers and integers produce warnings on size mismatch.  To
silence them, cast to (u)intptr_t should be used.  Prevoiusly, casts to
ngx_(u)int_t were used in some cases, and several ngx_int_t expressions had
no casts.

As of now it's mostly style as ngx_int_t is defined as intptr_t.
2013-09-04 21:16:59 +04:00
Maxim Dounin
5ab74625d6 Win32: $request_time fixed.
On win32, time_t is 64 bits wide by default, and passing an ngx_msec_int_t
argument for %T format specifier doesn't work.  This doesn't manifest itself
on other platforms as time_t and ngx_msec_int_t are usually of the same size.
2013-09-04 20:48:30 +04:00
Maxim Dounin
48d96ced6f Win32: MinGW GCC compatibility.
Several warnings silenced, notably (ngx_socket_t) -1 is now checked
on socket operations instead of -1, as ngx_socket_t is unsigned on win32
and gcc complains on comparison.

With this patch, it's now possible to compile nginx using mingw gcc,
with options we normally compile on win32.
2013-09-04 20:48:28 +04:00
Maxim Dounin
74b7a91013 Win32: Borland C compatibility fixes.
Several false positive warnings silenced, notably W8012 "Comparing
signed and unsigned" (due to u_short values promoted to int), and
W8072 "Suspicious pointer arithmetic" (due to large type values added
to pointers).

With this patch, it's now again possible to compile nginx using bcc32,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:23 +04:00
Maxim Dounin
5b37852323 Win32: Open Watcom C compatibility fixes.
Precompiled headers are disabled as they lead to internal compiler errors
with long configure lines.  Couple of false positive warnings silenced.
Various win32 typedefs are adjusted to work with Open Watcom C 1.9 headers.

With this patch, it's now again possible to compile nginx using owc386,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:22 +04:00
Valentin Bartenev
42910391cd Disable symlinks: removed recursive call of ngx_file_o_path_info().
It is surplus.
2013-09-02 20:06:03 +04:00
Valentin Bartenev
7b37384140 Disable symlinks: use O_PATH to open path components.
It was introduced in Linux 2.6.39, glibc 2.14 and allows to obtain
file descriptors without actually opening files.  Thus made it possible
to traverse path with openat() syscalls without the need to have read
permissions for path components.  It is effectively emulates O_SEARCH
which is missing on Linux.

O_PATH is used in combination with O_RDONLY.  The last one is ignored
if O_PATH is used, but it allows nginx to not fail when it was built on
modern system (i.e. glibc 2.14+) and run with a kernel older than 2.6.39.
Then O_PATH is unknown to the kernel and ignored, while O_RDONLY is used.

Sadly, fstat() is not working with O_PATH descriptors till Linux 3.6.
As a workaround we fallback to fstatat() with the AT_EMPTY_PATH flag
that was introduced at the same time as O_PATH.
2013-09-02 08:07:59 +04:00
Valentin Bartenev
231ed198e1 Added the NGX_EBADF define. 2013-09-02 08:07:44 +04:00
Valentin Bartenev
3d7d48e52c Assume the HTTP/1.0 version by default.
It is believed to be better than fallback to HTTP/0.9, because most of
the clients at present time support HTTP/1.0.  It allows nginx to return
error response code for them in cases when it fail to parse request line,
and therefore fail to detect client protocol version.

Even if the client does not support HTTP/1.0, this assumption should not
cause any harm, since from the HTTP/0.9 point of view it still a valid
response.
2013-09-02 03:45:14 +04:00
Maxim Dounin
9f46a9df86 Upstream: setting u->header_sent before ngx_http_upstream_upgrade().
Without u->header_sent set a special response might be generated following
an upgraded connection.  The problem appeared in 1ccdda1f37f3 (1.5.3).
Catched by "header already sent" alerts in 1.5.4 after upstream timeouts.
2013-08-30 21:44:16 +04:00
Valentin Bartenev
6d7ec5009a Referer: fixed hostname buffer overflow check.
Because of premature check the effective buffer size was 255 symbols
while the buffer is able to handle 256.
2013-08-29 22:35:54 +04:00
Sergey Kandaurov
e4209c0269 Referer: "server_names" parsing deferred to merge phase.
This allows to approach "server_name" values specified below the
"valid_referers" directive when used within the "server_names" parameter, e.g.:

    server_name  example.org;
    valid_referers server_names;
    server_name  example.com;

As a bonus, this fixes bogus error with "server_names" specified several times.
2013-08-29 22:35:27 +04:00
Sergey Kandaurov
8658c5b8a1 Referer: fixed server_name regex matching.
The server_name regexes are normally compiled for case-sensitive matching.
This violates case-insensitive obligations in the referer module.  To fix
this, the host string is converted to lower case before matching.

Previously server_name regex was executed against the whole referer string
after dropping the scheme part.  This could led to an improper matching, e.g.:

    server_name ~^localhost$;
    valid_referers server_names;

    Referer: http://localhost/index.html

It was changed to look only at the hostname part.

The server_name regexes are separated into another array to not clash with
regular regexes.
2013-08-29 22:35:26 +04:00
Sergey Kandaurov
3ef0dfa145 Referer: fixed error type usage inconsistency for ngx_http_add*(). 2013-08-29 22:35:26 +04:00
Lanshun Zhou
be23dcb1a1 Image filter: large image handling.
If Content-Length header is not set, and the image size is larger than the
buffer size, client will hang until a timeout occurs.

Now NGX_HTTP_UNSUPPORTED_MEDIA_TYPE is returned immediately.

diff -r d1403de41631 -r 4fae04f332b4
src/http/modules/ngx_http_image_filter_module.c
2013-08-28 00:19:07 +08:00
Maxim Dounin
51f7761710 Typo fixed. 2013-08-28 02:34:30 +04:00
Maxim Dounin
e96092130c Version bump. 2013-08-28 02:34:21 +04:00
Maxim Dounin
d2d8b82b87 Cache: lock timeouts are now logged at info level. 2013-08-23 22:18:54 +04:00
Maxim Dounin
73ec75a974 Upstream: posted requests handling after ssl handshake errors.
Missing call to ngx_http_run_posted_request() resulted in a main request hang
if subrequest's ssl handshake with an upstream server failed for some reason.

Reported by Aviram Cohen.
2013-08-23 22:18:46 +04:00
Maxim Dounin
0f49681f28 Fixed try_files with empty argument (ticket #390). 2013-08-23 22:18:39 +04:00
Sergey Kandaurov
0fea0bf3f7 Added safety belt for the case of sending header twice.
The aforementioned situation is abnormal per se and as such it now forces
request termination with appropriate error message.
2013-07-30 15:04:46 +04:00
Sergey Kandaurov
2b2def7891 Autoindex: improved ngx_de_info() error handling.
This allows to build a directory listing whenever a loop exists in symbolic
link resolution of the path argument.
2013-07-30 11:43:21 +04:00
Sergey Kandaurov
eb3fed9338 Autoindex: return NGX_ERROR on error if headers were sent.
This prevents ngx_http_finalize_request() from issuing
ngx_http_special_response_handler() on a freed context.
2013-07-30 11:43:21 +04:00
Maxim Dounin
92f0126269 Style improved after 12dd27b74117. 2013-08-20 21:33:43 +04:00
Maxim Dounin
e3cab76758 Backed out f1a91825730a and 7094bd12c1ff.
While ngx_get_full_name() might have a bit more descriptive arguments,
the ngx_conf_full_name() is generally easier to use when parsing
configuration and limits exposure of cycle->prefix / cycle->conf_prefix
details.
2013-08-20 21:11:19 +04:00
Maxim Dounin
4c53a38fb5 Auth request module import. 2013-08-21 19:19:47 +04:00
Maxim Dounin
0a6efeee71 Minor ngx_http_parse_request_line() optimization.
Noted by Nils Kuhnhenn.
2013-08-21 12:51:31 +04:00
Sergey Kandaurov
e09741ba06 Format specifier fixes in error logging. 2013-08-20 20:47:16 +04:00
Valentin Bartenev
c189eda9e6 SPDY: alert about activated fake events instead of deleting them.
They refer to the same socket descriptor as our real connection, and
deleting them will stop processing of the connection.

Events of fake connections must not be activated, and if it happened there
is nothing we can do.  The whole processing should be terminated as soon as
possible, but it is not obvious how to do this safely.
2013-08-15 19:16:12 +04:00
Valentin Bartenev
db8a0c8bf1 SPDY: do not reject headers with empty value (ticket #396).
A quote from SPDY draft 2 specification: "The length of each name and
value must be greater than zero.  A receiver of a zero-length name or
value must send a RST_STREAM with code PROTOCOL error."

But it appears that Chrome browser allows sending requests over SPDY/2
connection using JavaScript that contain headers with empty values.

For better compatibility across SPDY clients and to be compliant with
HTTP, such headers are no longer rejected.

Also, it is worth noting that in SPDY draft 3 the statement has been
changed so that it permits empty values for headers.
2013-08-15 19:16:09 +04:00
Valentin Bartenev
3be925b6e3 SPDY: fixed corruption of headers with names longer than 255.
It is a bad idea to put zero byte in position where the length of
the next header name can be stored before it was parsed.
2013-08-15 19:14:58 +04:00
Valentin Bartenev
ef76fbebd6 Unbreak building on Linux without sendfile64() support.
It was broken in 8e446a2daf48 when the NGX_SENDFILE_LIMIT constant was added
to ngx_linux_sendfile_chain.c having the same name as already defined one in
ngx_linux_config.h.

The newer is needed to overcome a bug in old Linux kernels by limiting the
number of bytes to send per sendfile() syscall.  The older is used with
sendfile() on ancient kernels that works with 32-bit offsets only.

One of these renamed to NGX_SENDFILE_MAXSIZE.
2013-08-15 19:14:33 +04:00
Sergey Kandaurov
9aaf256e40 Referer module: fixed regex matching against HTTPS referers.
When matching a compiled regex against value in the "Referer" header field,
the length was calculated incorrectly for strings that start from "https://".
This might cause matching to fail for regexes with end-of-line anchors.

Patch by Liangbin Li.
2013-08-13 17:47:04 +04:00
Gleb Smirnoff
65e37b4a12 Don't lose pointer to first nonempty buf in ngx_*_sendfile_chain().
In ngx_*_sendfile_chain() when calculating pointer to a first
non-zero sized buf, use "in" as iterator.  This fixes processing
of zero sized buf(s) after EINTR.  Otherwise function can return
zero sized buf to caller, and later ngx_http_write_filter()
logs warning.
2013-08-08 15:06:39 +04:00
Valentin Bartenev
74dfd08957 API change: removed the ngx_conf_full_name() function.
The ngx_get_full_name() should be used instead.
2013-08-06 19:58:40 +04:00
Valentin Bartenev
d29d21bade Replaced ngx_conf_full_name() with ngx_get_full_name().
The ngx_get_full_name() function takes more readable arguments list.
2013-08-06 19:58:40 +04:00
Valentin Bartenev
3c5bd34771 Fixed memory leaks in the root and auth_basic_user_file directives.
If a relative path is set by variables, then the ngx_conf_full_name()
function was called while processing requests, which causes allocations
from the cycle pool.

A new function that takes pool as an argument was introduced.
2013-08-06 19:58:40 +04:00
Valentin Bartenev
1b7bc34218 Image filter: use "application/json" MIME type for JSON output.
As it is defined by RFC 4627, and allows for various browser tools like
JSONView to display JSON well-formatted.
2013-08-05 14:30:03 +04:00
Ruslan Ermilov
3693daa20f Core: guard use of AI_ADDRCONFIG.
Some systems (notably NetBSD and OpenBSD) lack AI_ADDRCONFIG support.

Reported by Piotr Sikora.
2013-08-05 13:44:56 +04:00
Maxim Dounin
4d1b08bb1c Fixed build with signed socklen_t and unix sockets.
This seems to be the case at least under Cygwin, where build was broken
by 05ba5bce31e0 (1.5.3).

Reported by Kevin Worthington,
http://mailman.nginx.org/pipermail/nginx/2013-August/040028.html.
2013-08-05 11:40:33 +04:00
Ruslan Ermilov
7c6971cff3 Core: only resolve address families configured on the local system.
This is done by passing AI_ADDRCONFIG to getaddrinfo().

On Linux, setting net.ipv6.conf.all.disable_ipv6 to 1 will now be
respected.

On FreeBSD, AI_ADDRCONFIG filtering is currently implemented by
attempting to create a datagram socket for the corresponding family,
which succeeds even if the system doesn't in fact have any addresses
of that family configured.  That is, if the system with IPv6 support
in the kernel doesn't have IPv6 addresses configured, AI_ADDRCONFIG
will filter out IPv6 only inside a jail without IPv6 addresses or
with IPv6 disabled.
2013-08-05 10:55:59 +04:00
Valentin Bartenev
3086ab2996 MIME: use "application/javascript" for .js files.
Though there are several MIME types commonly used for JavaScript nowadays,
the most common being "text/javascript", "application/javascript", and
currently used by nginx "application/x-javascript", RFC 4329 prefers
"application/javascript".

The "charset_types" directive's default value was adjusted accordingly.
2013-07-31 23:40:46 +04:00
Sergey Kandaurov
986d3a870d Version bump. 2013-07-31 18:35:57 +04:00
Sergey Kandaurov
ab1c05272a Perl: fixed syntax usage for C preprocessor directives.
As per perlxs, C preprocessor directives should be at the first
non-whitespace of a line to avoid interpreting them as comments.

#if and #endif are moved so that there are no blank lines before them
to retain them as part of the function body.
2013-07-29 17:30:01 +04:00
Ruslan Ermilov
e49d933ebc Upstream: reliably detect connection failures with SSL peers. 2013-07-29 13:23:16 +04:00
Maxim Dounin
5274f023a2 Upstream: no last buffer on errors.
Previously, after sending a header we always sent a last buffer and
finalized a request with code 0, even in case of errors.  In some cases
this resulted in a loss of ability to detect the response wasn't complete
(e.g. if Content-Length was removed from a response by gzip filter).

This change tries to propogate to a client information that a response
isn't complete in such cases.  In particular, with this change we no longer
pretend a returned response is complete if we wasn't able to create
a temporary file.

If an error code suggests the error wasn't fatal, we flush buffered data
and disable keepalive, then finalize request normally.  This allows to to
propogate information about a problem to a client, while still sending all
the data we've got from an upstream.
2013-07-25 15:00:41 +04:00
Maxim Dounin
78aacc838b Upstream: request finalization rework.
No semantic changes expected, though some checks are done differently.
In particular, the r->cached flag is no longer explicitly checked.  Instead,
we relay on u->header_sent not being set if a response is sent from
a cache.
2013-07-25 15:00:29 +04:00
Maxim Dounin
86277254dd Upstream: NGX_HTTP_CLIENT_CLOSED_REQUEST no longer reset to 0.
The NGX_HTTP_CLIENT_CLOSED_REQUEST code is allowed to happen after we
started sending a response (much like NGX_HTTP_REQUEST_TIME_OUT), so there
is no need to reset response code to 0 in this case.
2013-07-25 15:00:25 +04:00
Maxim Dounin
960d0bfe34 Upstream: added check if a response is complete.
Checks were added to both buffered and unbuffered code paths to detect
and complain if a response is incomplete.  Appropriate error codes are
now passed to ngx_http_upstream_finalize_request().

With this change in unbuffered mode we now use u->length set to -1 as an
indicator that EOF is allowed per protocol and used to indicate response
end (much like its with p->length in buffered mode).  Proxy module was
changed to set u->length to 1 (instead of previously used -1) in case of
chunked transfer encoding used to comply with the above.
2013-07-25 15:00:12 +04:00
Maxim Dounin
416b922bd2 Upstream: u->length now defaults to -1 (API change).
That is, by default we assume that response end is signalled by
a connection close.  This seems to be better default, and in line
with u->pipe->length behaviour.

Memcached module was modified accordingly.
2013-07-25 14:58:11 +04:00
Maxim Dounin
187f3948ed Upstream: fixed store/cache of unfinished responses.
In case of upstream eof, only responses with u->pipe->length == -1
are now cached/stored.  This ensures that unfinished chunked responses
are not cached.

Note well - previously used checks for u->headers_in.content_length_n are
preserved.  This provides an additional level of protection if protol data
disagree with Content-Length header provided (e.g., a FastCGI response
is sent with wrong Content-Length, or an incomple SCGI or uwsgi response),
as well as protects from storing of responses to HEAD requests.  This should
be reconsidered if we'll consider caching of responses to HEAD requests.
2013-07-25 14:56:59 +04:00
Maxim Dounin
eafe44ff79 Upstream: replaced u->pipe->temp_file with p->temp_file.
While here, redundant parentheses removed.  No functional changes.
2013-07-25 14:56:49 +04:00
Maxim Dounin
e6122efbfe Upstream: NGX_ERROR after pipe errors. 2013-07-25 14:56:41 +04:00
Maxim Dounin
8536fb79ca Upstream: NGX_HTTP_GATEWAY_TIME_OUT after upstream timeouts.
There is no real difference from previously used 0 as NGX_HTTP_* will
become 0 in ngx_http_upstream_finalize_request(), but the change
preserves information about a timeout a bit longer.  Previous use of
ETIMEDOUT in one place was just wrong.

Note well that with cacheable responses there will be a difference
(code in ngx_http_upstream_finalize_request() will store the error
in cache), though this change doesn't touch cacheable case.
2013-07-25 14:56:20 +04:00
Maxim Dounin
d23dc7d427 Upstream: ngx_http_upstream_finalize_request(NGX_ERROR) on errors.
Previously, ngx_http_upstream_finalize_request(0) was used in most
cases after errors.  While with current code there is no difference,
use of NGX_ERROR allows to pass a bit more information into
ngx_http_upstream_finalize_request().
2013-07-25 14:56:13 +04:00
Maxim Dounin
76e1571749 Upstream: consistent error handling after u->input_filter_init().
In all cases ngx_http_upstream_finalize_request() with NGX_ERROR now used.
Previously used NGX_HTTP_INTERNAL_SERVER_ERROR in the subrequest in memory
case don't cause any harm, but inconsistent with other uses.
2013-07-25 14:56:00 +04:00
Maxim Dounin
9f925b8c77 Upstream: busy lock remnants removed. 2013-07-25 14:55:59 +04:00
Maxim Dounin
ec021eda55 Upstream: stale comments removed. 2013-06-13 19:52:31 +04:00
Maxim Dounin
84d2ecf87e Gzip: clearing of c->buffered if all data are flushed.
This allows to finalize unfinished responses while still sending as
much data as available.
2013-07-25 14:55:32 +04:00
Maxim Dounin
be6fbbb47e Event pipe: fixed writing cache header to a temp file.
With previous code the p->temp_file->offset wasn't adjusted if a temp
file was written by the code in ngx_event_pipe_write_to_downstream()
after an EOF, resulting in cache not being used with empty scgi and uwsgi
responses with Content-Length set to 0.

Fix it to call ngx_event_pipe_write_chain_to_temp_file() there instead
of calling ngx_write_chain_to_temp_file() directly.
2013-07-25 14:55:09 +04:00
Maxim Dounin
f52042498d Fixed ngx_http_test_reading() to finalize request properly.
Previous code called ngx_http_finalize_request() with rc = 0.  This is
ok if a response status was already set, but resulted in "000" being
logged if it wasn't.  In particular this happened with limit_req
if a connection was prematurely closed during limit_req delay.
2013-06-14 20:56:07 +04:00
Maxim Dounin
1936a67647 Sub filter: fixed matching after a partial match.
After a failed partial match we now check if there is another partial
match in previously matched substring to fix cases like "aab" in "aaab".

The ctx->saved string is now always sent if it's present on return
from the ngx_http_sub_parse() function (and reset accordingly).  This
allows to release parts of previously matched data.
2013-07-25 14:54:53 +04:00
Maxim Dounin
ce7a5a0537 Sub filter: fixed incomplete last buffer on partial match.
If a pattern was partially matched at a response end, partially matched
string wasn't send.  E.g., a response "fo" was truncated to an empty response
if partially mathed by a pattern "foo".
2013-07-25 14:54:48 +04:00
Maxim Dounin
68fab7c8c4 Sub filter: flush buffers handling. 2013-07-25 14:54:47 +04:00
Maxim Dounin
8d568c7ae0 Sub filter: switched to ngx_chain_get_free_buf().
No functional changes.
2013-07-25 14:54:45 +04:00
Maxim Dounin
3961ef2318 Sub filter: stale comments removed. 2013-07-25 14:54:43 +04:00
Ruslan Ermilov
02a077b827 On DragonFlyBSD, TCP_KEEPIDLE and TCP_KEEPINTVL are in msecs.
Based on a patch by Sepherosa Ziehau.
2013-07-25 12:46:03 +04:00
Ruslan Ermilov
690e2b33aa Style: reuse one int variable in ngx_configure_listening_sockets().
No functional changes.
2013-07-25 12:46:02 +04:00
Valentin Bartenev
32e167e211 SPDY: fixed segfault with "client_body_in_file_only" enabled.
It is possible to send FLAG_FIN in additional empty data frame, even if it is
known from the content-length header that request body is empty.  And Firefox
actually behaves like this (see ticket #357).

To simplify code we sacrificed our microoptimization that did not work right
due to missing check in the ngx_http_spdy_state_data() function for rb->buf
set to NULL.
2013-07-24 22:24:25 +04:00
Maxim Dounin
809d05769b Xslt: exsltRegisterAll() moved to preconfiguration.
The exsltRegisterAll() needs to be called before XSLT stylesheets
are compiled, else stylesheet compilation hooks will not work.  This
change fixes EXSLT Functions extension.
2013-07-19 15:59:50 +04:00
Valentin Bartenev
615d558843 Events: honor NGX_USE_GREEDY_EVENT when kqueue support is enabled.
Currently this flag is needed for epoll and rtsig, and though these methods
usually present on different platforms than kqueue, nginx can be compiled to
support all of them.
2013-07-13 03:24:30 +04:00
Maxim Dounin
d10251030a Style. 2013-07-11 20:38:27 +04:00
Vladimir Homutov
d79c8abcaa Core: fixed possible use of an uninitialized variable.
The call to ngx_sock_ntop() in ngx_connection_local_sockaddr() might be
performed with the uninitialized "len" variable.  The fix is to initialize
variable to the size of corresponding socket address type.

The issue was introduced in commit 05ba5bce31e0.
2013-07-11 19:50:19 +04:00
Vladimir Homutov
af18946d76 Core: extended ngx_sock_ntop() with socklen parameter.
On Linux, sockaddr length is required to process unix socket addresses properly
due to unnamed sockets (which don't have sun_path set at all) and abstract
namespace sockets.
2013-07-11 16:07:25 +04:00
Gleb Smirnoff
050f74b751 Make macros safe. 2013-07-05 11:42:25 +04:00
Ruslan Ermilov
523191ec89 Upstream: updated list of ngx_event_connect_peer() return values.
ngx_http_upstream_get_keepalive_peer() may return NGX_DONE to
indicate that the cached keepalive connection is reused.
2013-07-03 12:04:13 +04:00
Vladimir Homutov
dd3e13eef0 Core: consolidated log-related code.
The stderr redirection code is moved to ngx_log_redirect_stderr().
The opening of the default log code is moved to ngx_log_open_default().
2013-06-28 17:24:54 +04:00
Maxim Dounin
f41c91511d Version bump. 2013-07-02 20:05:49 +04:00
Maxim Dounin
88fc0f793e Fixed ngx_http_parse_chunked() minimal length calculation.
Minimal data length we expect for further calls was calculated incorrectly
if parsing stopped right after parsing chunk size.  This might in theory
affect clients and/or backends using LF instead of CRLF.

Patch by Dmitry Popov.
2013-06-28 13:55:05 +04:00
Maxim Dounin
982f4de9f0 Fixed build on Linux with x32 ABI.
On Linux x32 inclusion of sys/sysctl.h produces an error.  As sysctl() is
only used by rtsig event method code, which is legacy and not compiled
in by default on modern linuxes, the sys/sysctl.h file now only included
if rtsig support is enabled.

Based on patch by Serguei I. Ivantsov.
2013-06-26 15:47:27 +04:00
Vladimir Homutov
11ff177a9f Core: support several "error_log" directives.
When several "error_log" directives are specified in the same configuration
block, logs are written to all files with a matching log level.

All logs are stored in the singly-linked list that is sorted by log level in
the descending order.

Specific debug levels (NGX_LOG_DEBUG_HTTP,EVENT, etc.) are not supported
if several "error_log" directives are specified.  In this case all logs
will use debug level that has largest absolute value.
2013-06-20 20:47:39 +04:00
Ruslan Ermilov
02cc52554f Simplified ngx_list_create(). 2013-06-19 08:55:08 +04:00
Tatsuhiko Kubo
c974bd7936 Valgrind: another complaint about uninitialized bytes. 2013-06-12 00:41:24 +09:00
Valentin Bartenev
420e41ef09 SPDY: fixed code style, no functional changes. 2013-06-13 16:28:42 +04:00
Vladimir Homutov
aac7f7f464 Core: moved initialization of log level.
The cycle->new_log->log_level should only be initialized by ngx_init_cycle()
if no error logs were found in the configuration.  This move allows to get rid
of extra initialization in ngx_error_log().
2013-06-13 14:50:10 +04:00
Jim Radford
de2ec2c650 SPDY: pass through the full status when available.
Avoid stripping the status text when proxying for compatibility with http.
2013-06-07 13:16:00 -07:00
Maxim Dounin
ddece08218 Perl: fixed r->header_in("Cookie") (ticket #351).
It was broken by X-Forwarded-For related changes in f7fe817c92a2 (1.3.14)
as hh->offset is no longer 0 for Cookie.
2013-06-10 14:35:00 +04:00
Maxim Dounin
dc5c6928fb Fixed debug logging in ngx_http_parse_complex_uri().
The *u previously logged isn't yet initialized at this point, and
Valgrind complains.
2013-06-05 19:45:08 +04:00
Maxim Dounin
2b356db155 Mail: fixed possible uninitialized memory access.
Found by Valgrind.
2013-06-05 19:44:23 +04:00
Maxim Dounin
40c4e7b73c Valgrind: supressed complaints about uninitialized bytes.
Valgrind complains if we pass uninitialized memory to a syscall:

==36492== Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
==36492==    at 0x6B5E6A: sendmsg (in /usr/lib/system/libsystem_kernel.dylib)
==36492==    by 0x10004288E: ngx_signal_worker_processes (ngx_process_cycle.c:527)
==36492==    by 0x1000417A7: ngx_master_process_cycle (ngx_process_cycle.c:203)
==36492==    by 0x100001F10: main (nginx.c:410)
==36492==  Address 0x7fff5fbff71c is on thread 1's stack

Even initialization of all members of the structure passed isn't enough, as
there is padding which still remains uninitialized and results in Valgrind
complaint.  Note there is no real problem here as data from uninitialized
memory isn't used.
2013-06-05 19:44:22 +04:00
Maxim Dounin
6b95320cf7 Valgrind: sigaction() failure now ignored.
Valgrind intercepts SIGUSR2 in some cases, and nginx might not be able to
start due to sigaction() failure.  If compiled with NGX_VALGRIND defined,
we now ignore the failure of sigaction().
2013-06-05 19:44:20 +04:00
Valentin Bartenev
f6650479c3 Status: the "last_in_chain" flag must be set.
The module always produces only one and obviously the last buffer in chain.
2013-06-05 16:22:40 +04:00
Valentin Bartenev
ba4b4991d1 SPDY: use proper macros for value length and headers counter.
Currently these macros are synonyms, but this may change in the future
(in particular, spdy/3 uses 4 bytes for lengths).
2013-06-05 02:13:52 +04:00
Maxim Dounin
d37a0a2c7a Version bump. 2013-06-04 19:38:20 +04:00
Vladimir Homutov
26489b16e5 Core: fixed handling of "stderr" in error_log.
If "stderr" was specified in one of the "error_log" directives,
stderr is not redirected to the first error_log on startup,
configuration reload, and reopening log files.
2013-06-04 11:27:36 +04:00
Vladimir Homutov
9db2eddd8a Core: fixed stderr redirection on win32 in ngx_reopen_files().
On win32 stderr was not redirected into a file specified by "error_log"
while reopening files.  Fix is to use platform-independent functions to
work with stderr, as already used by ngx_init_cycle() and main() since
rev. d8316f307b6a.
2013-06-03 16:54:28 +04:00
Maxim Dounin
a80cb81604 Win32: accept_mutex now always disabled (ticket #362).
Use of accept mutex on win32 may result in a deadlock if there are multiple
worker_processes configured and the mutex is grabbed by a process which
can't accept connections.
2013-05-31 14:59:26 +04:00
Ruslan Ermilov
2342d86951 OCSP stapling: fixed incorrect debug level. 2013-05-31 13:30:37 +04:00
Ruslan Ermilov
de381f7266 Access: support for UNIX-domain client addresses (ticket #359). 2013-05-30 18:23:05 +04:00
Maxim Dounin
641662e340 Win32: added missing reset of wev->ready on WSAEWOULDBLOCK.
This fixes connection hang with websockets proxy, and likely some other
places as well.
2013-05-29 19:18:22 +04:00
Maxim Dounin
1a983a0c05 Upstream: http_403 support in proxy_next_upstream (and friends).
The parameter is mostly identical to http_404, and is expected to
be used in similar situations.  The 403 code might be returned by
a backend instead of 404 on initial sync of new directories with rsync.

See here for feature request and additional details:
http://mailman.nginx.org/pipermail/nginx-ru/2013-April/050920.html
2013-05-27 16:54:09 +04:00
Maxim Dounin
cc3c0ce870 Xslt: xslt_last_modified directive.
Directive is similar to ssi_last_modified and sub_filter_last_modified
directives introduced by previous commits.
2013-05-24 22:28:09 +04:00
Maxim Dounin
af7e2a9185 Sub filter: sub_filter_last_modified directive.
Directive is similar to ssi_last_modified introduced by previous commit.

Patch by Alexey Kolpakov.
2013-05-24 22:27:30 +04:00
Maxim Dounin
55fcadcfa2 SSI: ssi_last_modified directive.
The "ssi_last_modified" directive allows to preserve Last-Modified header
in SSI responses.  The directive is similar to SSILastModified one available
in Apache:

http://httpd.apache.org/docs/2.4/mod/mod_include.html#ssilastmodified

Patch by Alexey Kolpakov.
2013-05-24 22:27:23 +04:00
Valentin Bartenev
c8702948db Core: strengthen configuration syntax checker.
It is now a syntax error if tokens passed to a custom configuration
handler are terminated by "{".

The following incorrect configuration is now properly rejected:

  map $v $v2 {
      a b {
      c d {
      e f {
  }
2013-05-23 20:30:27 +04:00
Ruslan Ermilov
2c0ea0fcc8 Memcached: stricten header validation.
An invalid memcached reply that started with '\n' could cause
segmentation fault.

An invalid memcached reply "VALUE / 0 2\r?ok\r\nEND\r\n" was
considered as a valid response.

In addition, if memcached reports that the key was not found,
set u->headers_in.content_length_n to 0.  This ensures that
ngx_http_memcached_filter() will not be called while previous
code relied on always intercepting 404.  Initialization of
ctx->rest was moved to where it belongs.
2013-05-23 16:26:10 +04:00
Sergey Kandaurov
3be6cc9b2f Use "void" for functions with empty parameter list. 2013-05-23 15:47:58 +04:00
Piotr Sikora
407c831116 Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
No functional changes.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-21 18:45:07 -07:00
Piotr Sikora
c3d20f52d0 Style: remove unnecessary references to HTTP from non-HTTP modules.
No functional changes.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-21 18:43:43 -07:00
Maxim Dounin
4fd486e68c Referer module: added $invalid_referer to variables hash.
This makes it accessible via dynamic lookup with ngx_http_get_variable()
from Perl, SSI, etc.

Patch by Yichun Zhang (agentzh).
2013-05-22 22:31:53 +04:00
Maxim Dounin
a1ab0dde4a Upstream: fixed fail_timeout and max_fails > 1.
Due to peer->checked always set since rev. c90801720a0c (1.3.0)
by round-robin and least_conn balancers (ip_hash not affected),
the code in ngx_http_upstream_free_round_robin_peer() function
incorrectly reset peer->fails too often.

Reported by Dmitry Popov,
http://mailman.nginx.org/pipermail/nginx-devel/2013-May/003720.html
2013-05-21 21:47:50 +04:00
F. da Silva
2b1779b916 Mail: missing ngx_ssl_ecdh_curve() call. 2013-05-10 16:53:45 +02:00
Sergey Kandaurov
8ef3374a5a Fixed error logging.
The provided argument list didn't follow a used format string.
2013-05-21 17:30:19 +04:00
Ruslan Ermilov
76c1d58a46 Upstream: slightly optimized ngx_http_upstream_process_header(). 2013-05-21 12:54:27 +04:00
Ruslan Ermilov
5b57d01365 Upstream: made the assignment more obvious.
No functional changes.
2013-05-21 12:54:26 +04:00
Piotr Sikora
1b10a9adf8 OCSP stapling: fix error logging of successful OCSP responses.
Due to a bad argument list, nginx worker would crash (SIGSEGV) while
trying to log the fact that it received OCSP response with "revoked"
or "unknown" certificate status.

While there, fix similar (but non-crashing) error a few lines above.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-16 15:37:13 -07:00
Filipe Da Silva
8597218f38 Mail: removed surplus ngx_close_connection() call.
It is already called for a peer connection a few lines above.
2013-05-09 10:54:28 +02:00
Ruslan Ermilov
c9c4e39be6 Upstream keepalive: slightly simplified code. 2013-05-15 15:04:49 +04:00
Maxim Dounin
330ebdc8fe Proxy: clear script engine used to calculate lengths.
Previous code is believed to be safe, but might access uninitialized
memory (e.g., e->quote).
2013-05-15 12:23:44 +04:00
Maxim Dounin
885861b683 Fixed lingering_time check.
There are two significant changes in this patch:

1) The <= 0 comparison is done with a signed type.  This fixes the case
   of ngx_time() being larger than r->lingering_time.

2) Calculation of r->lingering_time - ngx_time() is now always done
   in the ngx_msec_t type.  This ensures the calculation is correct
   even if time_t is unsigned and differs in size from ngx_msec_t.

Thanks to Lanshun Zhou.
2013-05-13 17:39:45 +04:00
Ruslan Ermilov
dcdf9eed8d Upstream: allow to intercept responses with status 300.
This fixes an omission made in 9e7926763f87 where all 3XX statuses
were allowed for "error_page".
2013-05-13 14:10:22 +04:00
Piotr Sikora
b5fd7d5041 PCRE: retain input pattern for all regular expressions.
Previously, input pattern was kept only for regular expressions
with named captures, which resulted in error log entries without
input pattern for PCRE errors that occured while processing
regular expressions without them.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-02 03:26:36 -07:00
Maxim Dounin
a38455a7f3 Proxy: $proxy_internal_body_length fixed.
The $proxy_internal_body_length value might change during request lifetime,
notably if proxy_set_body used, and use of a cached value might result in
incorrect upstream requests.

Patch by Lanshun Zhou.
2013-05-11 21:12:24 +04:00
Maxim Dounin
9564f6513b Mp4: indentation and style, no functional changes. 2013-05-11 18:49:49 +04:00
Maxim Dounin
c3dea40b45 Added r->limit_rate_after.
As of now, it allows to better control bandwidth limiting from additional
modules.  It is also expected to be used to add variables support to
the limit_rate_after directive.
2013-05-11 18:49:42 +04:00
Maxim Dounin
9cff79927a Fixed build with --with-mail_ssl_module.
If nginx was compiled without --with-http_ssl_module, but with some
other module which uses OpenSSL (e.g. --with-mail_ssl_module), insufficient
preprocessor check resulted in build failure.  The problem was introduced
by e0a3714a36f8 (1.3.14).

Reported by Roman Arutyunyan.
2013-05-11 18:49:30 +04:00
Maxim Dounin
ff724933c2 Request body: fixed r->count increment on allocation failure. 2013-05-11 18:49:19 +04:00
Maxim Dounin
8e35221f9a Perl: extra "return" removed. 2013-05-11 18:48:56 +04:00
Maxim Dounin
22c9e34b75 Version bump. 2013-05-11 18:43:28 +04:00
Maxim Dounin
818807d71e Fixed chunk size parsing. 2013-05-06 14:03:24 +04:00
Ruslan Ermilov
9014efdadf Proxy: allocate $proxy_internal_body_length from request pool. 2013-04-29 18:58:58 +04:00
Ruslan Ermilov
8bc3ed7604 Version bump. 2013-04-29 18:06:58 +04:00
Maxim Dounin
39d9871bc8 Version bump. 2013-04-24 13:03:43 +00:00
Valentin Bartenev
670d42859d SPDY: set NGX_TCP_NODELAY_DISABLED for fake connections.
This is to avoid setting the TCP_NODELAY flag on SPDY socket in
ngx_http_upstream_send_response().  The latter works per request,
but in SPDY case it might affect other streams in connection.
2013-04-23 10:15:49 +00:00
Maxim Dounin
e584341792 Perl: request body handling fixed.
As of 1.3.9, chunked request body may be available with
r->headers_in.content_length_n <= 0.  Additionally, request body
may be in multiple buffers even if r->request_body_in_single_buf
was requested.
2013-04-23 10:04:12 +00:00
Maxim Dounin
9d4e3c3612 Configure: fixed perl Makefile generation (ticket #334).
Dependancy tracking introduced in r5169 were not handled absolute path
names properly.  Absolute names might appear in CORE_DEPS if --with-openssl
or --with-pcre configure arguments are used to build OpenSSL/PCRE
libraries.

Additionally, revert part of r5169 to set NGX_INCS from Makefile
variables.  Makefile variables have $ngx_include_opt in them, which
might result in wrong include paths being used.  As a side effect,
this also restores build with --with-http_perl_module and --without-http
at the same time.
2013-04-19 12:19:57 +00:00
Ruslan Ermilov
ba4f2702bc Version bump. 2013-04-18 14:16:44 +00:00
Maxim Dounin
77d60d2cef Events: backout eventport changes (r5172) for now.
Evenport method needs more work.  Changes in r5172, while being correct,
introduce various new regressions with current code.
2013-04-16 12:58:03 +00:00
Maxim Dounin
0dee57d865 Request body: only read body in main request (ticket #330).
Before 1.3.9 an attempt to read body in a subrequest only caused problems
if body wasn't already read or discarded in a main request.  Starting with
1.3.9 it might also cause problems if body was discarded by a main request
before subrequest start.

Fix is to just ignore attempts to read request body in a subrequest, which
looks like right thing to do anyway.
2013-04-16 10:14:59 +00:00
Ruslan Ermilov
7ea00fb58c Upstream: warn if multiple non-stackable balancers are installed. 2013-04-12 19:12:13 +00:00
Valentin Bartenev
c798029241 Events: fixed typos in two previous commits. 2013-04-12 17:31:08 +00:00
Valentin Bartenev
c6aebf6c74 Events: handle only active events in eventport.
We generate both read and write events if an error event was returned by
port_getn() without POLLIN/POLLOUT, but we should not try to handle inactive
events, they may even have no handler.
2013-04-12 15:04:23 +00:00
Valentin Bartenev
ed9f87c901 Events: protection from stale events in eventport and devpoll.
Stale write event may happen if read and write events was reported both,
and processing of the read event closed descriptor.

In practice this might result in "sendfilev() failed (134: ..." or
"writev() failed (134: ..." errors when switching to next upstream server.

See report here:
http://mailman.nginx.org/pipermail/nginx/2013-April/038421.html
2013-04-12 15:02:33 +00:00
Sergey Kandaurov
7a7650aeb1 Upstream: fixed $upstream_response_length without buffering.
Reported by Piotr Sikora.
2013-04-11 13:49:13 +00:00
Maxim Dounin
c63b826d8b Configure: fixed nginx.so rebuild (broken by r5145).
To avoid further breaks it's now done properly, all the dependencies
are now passed to Makefile.PL.  While here, fixed include list passed to
Makefile.PL to use Makefile variables rather than a list expanded during
configure.
2013-04-10 17:07:44 +00:00
Valentin Bartenev
e297091c28 Upstream: removed surplus ngx_resolve_name_done() call.
It will be called in ngx_http_upstream_finalize_request().
2013-04-04 14:19:06 +00:00
Valentin Bartenev
d88dffbf1a Limit req: rate should be non-zero.
Specifying zero rate caused division by zero when calculating delays.
2013-04-03 14:13:35 +00:00
Ruslan Ermilov
600f9d3ea8 Pass PCRE_CASELESS to pcre_compile() for caseless matching.
Previously, we sometimes passed constant value 1 that happens to
match PCRE_CASELESS and thus was harmless.
2013-03-29 08:47:37 +00:00
Ruslan Ermilov
a861b0dbb1 Simplified nginx version maintenance.
It's no longer necessary to update src/http/modules/perl/nginx.pm
when version is bumped, as it's now derived from src/core/nginx.h.
2013-03-28 08:47:06 +00:00
Maxim Dounin
cc0e56370d Upstream: fixed tcp_nodelay with connection upgrade (ticket #325). 2013-03-27 15:18:34 +00:00
Maxim Dounin
3b9e7adcf4 Event connect: don't penalize AF_INET6 connections.
Problems with setsockopt(TCP_NODELAY) and setsockopt(TCP_NOPUSH), as well
as sendfile() syscall on Solaris, are specific to UNIX-domain sockets.
Other address families, i.e. AF_INET and AF_INET6, are fine.
2013-03-27 15:16:45 +00:00
Maxim Dounin
c2bb76515b Version bump. 2013-03-27 15:15:34 +00:00
Valentin Bartenev
604e18fb2c Use NGX_FILE_ERROR for handling file operations errors.
On Win32 platforms 0 is used to indicate errors in file operations, so
comparing against -1 is not portable.

This was not much of an issue in patched code, since only ngx_fd_info() test
is actually reachable on Win32 and in worst case it might result in bogus
error log entry.

Patch by Piotr Sikora.
2013-03-25 15:49:11 +00:00
Ruslan Ermilov
ea327f13f1 Upstream: removed rudiments of upstream connection caching.
This functionality is now provided by ngx_http_upstream_keepalive_module.
2013-03-25 14:51:44 +00:00
Ruslan Ermilov
4d9fdd86f7 Upstream: removed sorting of upstream servers.
Sorting of upstream servers by their weights is not required by
current balancing algorithms.

This will likely change mapping to backends served by ip_hash
weighted upstreams.
2013-03-25 13:41:30 +00:00
Ruslan Ermilov
4f2d6513dc Mail: IPv6 backends (ticket #323). 2013-03-25 13:38:59 +00:00
Ruslan Ermilov
2fd8b271c4 Upstream: removed double-free workarounds in peer.free() methods. 2013-03-25 13:16:55 +00:00
Ruslan Ermilov
46b469a8ee Upstream: only call peer.free() if peer.get() selected a peer. 2013-03-25 13:14:49 +00:00
Ruslan Ermilov
275a35c2d0 Split clients: check length when parsing configuration. 2013-03-21 16:06:53 +00:00
Ruslan Ermilov
0ce62130cb Removed unused ngx_http_clear_variable() macro. 2013-03-21 16:06:13 +00:00
Ruslan Ermilov
d1c285e297 Fixed language in a comment preceding ngx_http_index_handler(). 2013-03-21 16:05:35 +00:00
Ruslan Ermilov
64fe190fa0 Moved ngx_array_t definition from ngx_core.h to ngx_array.h. 2013-03-21 16:04:09 +00:00
Ruslan Ermilov
56fce56f4f Use NGX_DEFAULT_POOL_SIZE macro where appropriate. 2013-03-21 16:03:24 +00:00
Ruslan Ermilov
7b80e43389 Simplified ngx_array_create(). 2013-03-21 15:52:52 +00:00
Ruslan Ermilov
9e5f617d66 Core: fixed resource leak if binary upgrade fails due to no memory.
Found by Coverity (CID 992320).
2013-03-20 18:07:25 +00:00
Valentin Bartenev
2686cb4452 Preliminary experimental support for SPDY draft 2. 2013-03-20 10:36:57 +00:00
Valentin Bartenev
cf64a6c536 Win32: disabled MSVC warning about '\0' not fitting into array.
We believe that this warning produces more inconvience than real benefit.
Here is an example to trigger:

  u_char a[4] = "test";
2013-03-20 10:18:26 +00:00
Valentin Bartenev
fb6f8c4509 URI processing code moved to a separate function.
This allows to reuse it in the upcoming SPDY module.
2013-03-20 09:36:27 +00:00
Ruslan Ermilov
fd8b7d2f33 Image filter: the "image_filter_interlace" directive.
Patch by Ian Babrou, with minor changes.
2013-03-19 08:13:48 +00:00
Maxim Dounin
d7db87e6d9 The limit_req_status and limit_conn_status directives.
Patch by Nick Marden, with minor changes.
2013-03-18 14:50:29 +00:00
Ruslan Ermilov
5a7661e581 Core: guard against failed allocation during binary upgrade.
Patch by Piotr Sikora.
2013-03-18 07:13:57 +00:00
Valentin Bartenev
bac0cb3bbd Status: introduced the "ngx_stat_waiting" counter.
And corresponding variable $connections_waiting was added.

Previously, waiting connections were counted as the difference between
active connections and the sum of reading and writing connections.
That made it impossible to count more than one request in one connection
as reading or writing (as is the case for SPDY).

Also, we no longer count connections in handshake state as waiting.
2013-03-15 20:00:49 +00:00
Valentin Bartenev
23e692b58d Allow to reuse connections that wait their first request.
This should improve behavior under deficiency of connections.

Since SSL handshake usually takes significant amount of time,
we exclude connections from reusable queue during this period
to avoid premature flush of them.
2013-03-15 19:49:54 +00:00
Maxim Dounin
3f70ddcfc6 Upstream: fixed previous commit.
Store r->connection on stack to make sure it's still available if request
finalization happens to actually free request memory.
2013-03-14 16:22:43 +00:00
Maxim Dounin
c49abd2317 Upstream: call ngx_http_run_posted_requests() on resolve errors.
If proxy_pass to a host with dynamic resolution was used to handle
a subrequest, and host resolution failed, the main request wasn't run
till something else happened on the connection.  E.g. request to "/zzz"
with the following configuration hanged:

    addition_types *;
    resolver 8.8.8.8;

    location /test {
        set $ihost xxx;
        proxy_pass http://$ihost;
    }

    location /zzz {
      add_after_body /test;
      return 200 "test";
    }

Report and original version of the patch by Lanshun Zhou,
http://mailman.nginx.org/pipermail/nginx-devel/2013-March/003476.html.
2013-03-14 12:37:54 +00:00
Maxim Dounin
4641497e9c Request body: avoid linking rb->buf to r->header_in.
Code to reuse of r->request_body->buf in upstream module assumes it's
dedicated buffer, hence after 1.3.9 (r4931) it might reuse r->header_in
if client_body_in_file_only was set, resulting in original request
corruption.  It is considered to be safer to always create a dedicated
buffer for rb->bufs to avoid such problems.
2013-03-14 12:30:26 +00:00
Maxim Dounin
545cfd1fd3 Request body: next upstream fix.
After introduction of chunked request body handling in 1.3.9 (r4931),
r->request_body->bufs buffers have b->start pointing to original buffer
start (and b->pos pointing to real data of this particular buffer).

While this is ok as per se, it caused bad things (usually original request
headers included before the request body) after reinit of the request
chain in ngx_http_upstream_reinit() while sending the request to a next
upstream server (which used to do b->pos = b->start for each buffer
in the request chain).

Patch by Piotr Sikora.
2013-03-14 12:28:53 +00:00
Maxim Dounin
092355b2cc Fixed logging in ngx_http_wait_request_handler().
If c->recv() returns 0 there is no sense in using ngx_socket_errno for
logging, its value meaningless.  (The code in question was copied from
ngx_http_keepalive_handler(), but ngx_socket_errno makes sense there as it's
used as a part of ECONNRESET handling, and the c->recv() call is preceeded
by the ngx_set_socket_errno(0) call.)
2013-03-12 13:38:04 +00:00
Valentin Bartenev
f1b6e47b74 Removed unused prototype of ngx_http_find_server_conf().
This function prototype and its implementation was added in r90,
but the implementation was removed in r97.
2013-03-11 14:44:56 +00:00
Valentin Bartenev
b8cba361f7 Gzip: fixed setting of NGX_HTTP_GZIP_BUFFERED.
In r2411 setting of NGX_HTTP_GZIP_BUFFERED in c->buffered was moved from
ngx_http_gzip_filter_deflate_start() to ngx_http_gzip_filter_buffer() since
it was always called first.  But in r2543 the "postpone_gzipping" directive
was introduced, and if postponed gzipping is disabled (the default setting),
ngx_http_gzip_filter_buffer() is not called at all.

We must always set NGX_HTTP_GZIP_BUFFERED after the start of compression
since there is always a trailer that is buffered.

There are no known cases when it leads to any problem with current code.
But we already had troubles in upcoming SPDY implementation.
2013-03-11 11:19:58 +00:00
Valentin Bartenev
8fbef4841f SSL: Next Protocol Negotiation extension support.
Not only this is useful for the upcoming SPDY support, but it can
also help to improve HTTPS performance by enabling TLS False Start
in Chrome/Chromium browsers [1].  So, we always enable NPN for HTTPS
if it is supported by OpenSSL.

[1] http://www.imperialviolet.org/2012/04/11/falsestart.html
2013-03-07 18:21:28 +00:00
Valentin Bartenev
bf23093e10 Refactored ngx_http_init_request().
Now it can be used as the request object factory with minimal impact on the
connection object.  Therefore it was renamed to ngx_http_create_request().
2013-03-07 18:14:27 +00:00
Valentin Bartenev
a32d3f8b6b Removed c->single_connection flag.
The c->single_connection was intended to be used as lock mechanism
to serialize modifications of request object from several threads
working with client and upstream connections.  The flag is redundant
since threads in nginx have never been used that way.
2013-03-07 18:07:16 +00:00
Valentin Bartenev
4815b3b2ee Respect the new behavior of TCP_DEFER_ACCEPT.
In Linux 2.6.32, TCP_DEFER_ACCEPT was changed to accept connections
after the deferring period is finished without any data available.
(Reading from the socket returns EAGAIN in this case.)

Since in nginx TCP_DEFER_ACCEPT is set to "post_accept_timeout", we
do not need to wait longer if deferred accept returns with no data.
2013-03-07 17:59:27 +00:00
Valentin Bartenev
3e5aaee828 Use "client_header_timeout" for all requests in a connection.
Previously, only the first request in a connection used timeout
value from the "client_header_timeout" directive while reading
header.  All subsequent requests used "keepalive_timeout" for
that.

It happened because timeout of the read event was set to the
value of "keepalive_timeout" in ngx_http_set_keepalive(), but
was not removed when the next request arrived.
2013-03-07 17:41:40 +00:00
Valentin Bartenev
a46a3ab68d Create request object only after the first byte was received.
Previously, we always created an object and logged 400 (Bad Request)
in access log if a client closed connection without sending any data.
Such a connection was counted as "reading".

Since it's common for modern browsers to behave like this, it's no
longer considered an error if a client closes connection without
sending any data, and such a connection will be counted as "waiting".

Now, we do not log 400 (Bad Request) and keep memory footprint as
small as possible.
2013-03-07 17:21:50 +00:00
Valentin Bartenev
1e1b93b51f Version bump. 2013-03-07 17:07:04 +00:00
Maxim Dounin
b502fcb37a Mp4: fixed handling of too small mdat atoms (ticket #266).
Patch by Gernot Vormayr (with minor changes).
2013-03-04 15:39:03 +00:00
Valentin Bartenev
fcf003c6f4 Allocate request object from its own pool.
Previously, it was allocated from a connection pool and
was selectively freed for an idle keepalive connection.

The goal is to put coupled things in one chunk of memory,
and to simplify handling of request objects.
2013-03-01 14:55:42 +00:00
Valentin Bartenev
b720f650bb SNI: added restriction on requesting host other than negotiated.
According to RFC 6066, client is not supposed to request a different server
name at the application layer.  Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request.  Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.

There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection.  Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.

An example of configuration that might not work as expected:

  server {
      listen 433 ssl default;
      return 404;
  }

  server {
      listen 433 ssl;
      server_name example.org;

      ssl_client_certificate org.cert;
      ssl_verify_client on;
  }

  server {
      listen 433 ssl;
      server_name example.com;

      ssl_client_certificate com.cert;
      ssl_verify_client on;
  }

Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.
2013-02-27 17:41:34 +00:00
Valentin Bartenev
6000f4ad6d SNI: reset to default server if requested host was not found.
Not only this is consistent with a case without SNI, but this also
prevents abusing configurations that assume that the $host variable
is limited to one of the configured names for a server.

An example of potentially unsafe configuration:

  server {
      listen 443 ssl default_server;
      ...
  }

  server {
      listen 443;
      server_name example.com;

      location / {
          proxy_pass http://$host;
      }
  }

Note: it is possible to negotiate "example.com" by SNI, and to request
arbitrary host name that does not exist in the configuration above.
2013-02-27 17:38:54 +00:00
Valentin Bartenev
f61612532c SNI: avoid surplus lookup of virtual server if SNI was used. 2013-02-27 17:33:59 +00:00
Valentin Bartenev
8c4fea1766 Apply server configuration as soon as host is known.
Previously, this was done only after the whole request header
was parsed, and if an error occurred earlier then the request
was processed in the default server (or server chosen by SNI),
while r->headers_in.server might be set to the value from the
Host: header or host from request line.

r->headers_in.server is in turn used for $host variable and
in HTTP redirects if "server_name_in_redirect" is disabled.
Without the change, configurations that rely on this during
error handling are potentially unsafe if SNI is used.

This change also allows to use server specific settings of
"underscores_in_headers", "ignore_invalid_headers", and
"large_client_header_buffers" directives for HTTP requests
and HTTPS requests without SNI.
2013-02-27 17:27:15 +00:00
Valentin Bartenev
d281d0ba8b SSL: do not treat SSL handshake as request.
The request object will not be created until SSL handshake is complete.
This simplifies adding another connection handler that does not need
request object right after handshake (e.g., SPDY).

There are also a few more intentional effects:

 - the "client_header_buffer_size" directive will be taken from the
   server configuration that was negotiated by SNI;

 - SSL handshake errors and timeouts are not logged into access log
   as bad requests;

 - ngx_ssl_create_connection() is not called until the first byte of
   ClientHello message was received.  This also decreases memory
   consumption if plain HTTP request is sent to SSL socket.
2013-02-27 17:21:21 +00:00
Valentin Bartenev
167aabf2b3 Status: do not count connection as reading right after accept().
Before we receive the first bytes, the connection is counted
as waiting.

This change simplifies further code changes.
2013-02-27 17:16:51 +00:00
Valentin Bartenev
64932a9714 SNI: reuse selected configuration for all requests in a connection.
Previously, only the first request in a connection was assigned the
configuration selected by SNI.  All subsequent requests initially
used the default server's configuration, ignoring SNI, which was
wrong.

Now all subsequent requests in a connection will initially use the
configuration selected by SNI.  This is done by storing a pointer
to configuration in http connection object.  It points to default
server's configuration initially, but changed upon receipt of SNI.

(The request's configuration can be further refined when parsing
the request line and Host: header.)

This change was not made specific to SNI as it also allows slightly
faster access to configuration without the request object.
2013-02-27 17:12:48 +00:00
Valentin Bartenev
e1d8158b5e SNI: ignore captures in server_name regexes when matching by SNI.
This change helps to decouple ngx_http_ssl_servername() from the request
object.

Note: now we close connection in case of error during server name lookup
for request.  Previously, we did so only for HTTP/0.9 requests.
2013-02-27 17:06:52 +00:00
Valentin Bartenev
8ca4dff8c8 Changed interface of ngx_http_validate_host(). 2013-02-27 17:03:14 +00:00
Valentin Bartenev
b314102ff1 Introduced the ngx_http_set_connection_log() macro.
No functional changes.
2013-02-27 16:56:47 +00:00
Valentin Bartenev
508afb8cf5 The default server lookup is now done only once per connection.
Previously, it was done for every request in a connection.
2013-02-27 16:53:01 +00:00
Ruslan Ermilov
67a68720b7 Correctly handle multiple X-Forwarded-For headers (ticket #106). 2013-02-27 13:29:50 +00:00
Ruslan Ermilov
40ea120b34 Fixed separator in $sent_http_cache_control.
In case multiple "Cache-Control" headers are sent to a client,
multiple values in $sent_http_cache_control were incorrectly
split by a semicolon.  Now they are split by a comma.
2013-02-27 13:22:20 +00:00
Valentin Bartenev
f1d5d03eee Fixed potential segfault in ngx_http_keepalive_handler().
In case of error in the read event handling we close a connection
by calling ngx_http_close_connection(), that also destroys connection
pool. Thereafter, an attempt to free a buffer (added in r4892) that
was allocated from the pool could cause SIGSEGV and is meaningless
as well (the buffer already freed with the pool).
2013-02-23 13:23:48 +00:00
Maxim Dounin
890ee444ca SSL: retry "sess_id" and "id" allocations.
In case of fully populated SSL session cache with no memory left for
new allocations, ngx_ssl_new_session() will try to expire the oldest
non-expired session and retry, but only in case when slab allocation
fails for "cached_sess", not when slab allocation fails for either
"sess_id" or "id", which can happen for number of reasons and results
in new session not being cached.

Patch fixes this by adding retry logic to "sess_id" & "id" allocations.

Patch by Piotr Sikora.
2013-02-23 11:54:25 +00:00
Maxim Dounin
56bc5f250b Trailing whitespace fix. 2013-02-23 11:50:42 +00:00
Andrey Belov
284a7dbb30 Introduced variables in ngx_http_stub_status module.
Three new variables were added: $connections_active, $connections_reading
and $connections_writing.
2013-02-21 23:31:57 +00:00
Maxim Dounin
208fc03e7c Connection upgrade support in uwsgi and scgi modules.
Prodded by Roberto De Ioris.
2013-02-20 16:41:05 +00:00
Valentin Bartenev
59db08a6fc Removed zero termination of shm zone names.
It was added in r2717 and no longer needed since r2721,
where the termination was added to ngx_shm_alloc() and
ngx_init_zone_pool().  So then it only corrupts error
messages about ivalid zones.
2013-02-19 17:48:45 +00:00
Valentin Bartenev
a98305e363 Version bump. 2013-02-19 17:45:12 +00:00
Maxim Dounin
82d48e1eba Proxy: fixed do_write handling in previous commit.
As rightfully complained by MSVC, do_write variable was used uninitialized.
Correct fix is to set it's initial value based on event happened.
2013-02-18 15:08:46 +00:00
Maxim Dounin
08a73b4aad Proxy: support for connection upgrade (101 Switching Protocols).
This allows to proxy WebSockets by using configuration like this:

    location /chat/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

Connection upgrade is allowed as long as it was requested by a client
via the Upgrade request header.
2013-02-18 13:50:52 +00:00
Maxim Dounin
d2c9f4554f Fixed false memset warning on Linux with -O3 (ticket #275).
Prodded by John Leach.
2013-02-13 14:39:46 +00:00
Maxim Dounin
a2b987e79f Added support for {SHA} passwords (ticket #50).
Note: use of {SHA} passwords is discouraged as {SHA} password scheme is
vulnerable to attacks using rainbow tables.  Use of {SSHA}, $apr1$ or
crypt() algorithms as supported by OS is recommended instead.

The {SHA} password scheme support is added to avoid the need of changing
the scheme recorded in password files from {SHA} to {SSHA} because such
a change hides security problem with {SHA} passwords.

Patch by Louis Opter, with minor changes.
2013-02-07 12:09:56 +00:00
Maxim Dounin
6cb9bbe71c Version bump. 2013-02-07 12:09:09 +00:00
Ruslan Ermilov
75e5d13ec6 GeoIP: removed pseudo-support of "proxy" and "netspeed" databases. 2013-02-04 16:44:22 +00:00
Maxim Dounin
aad0a1dba6 FastCGI: proper handling of split fastcgi end request.
If fastcgi end request record was split between several network packets,
with fastcgi_keep_conn it was possible that connection was saved in incorrect
state (e.g. with padding bytes not yet read).
2013-02-01 14:41:50 +00:00
Maxim Dounin
e8efec0e5e FastCGI: unconditional state transitions.
Checks for f->padding before state transitions make code hard to follow,
remove them and make sure we always do another loop iteration after
f->state is set to ngx_http_fastcgi_st_padding.
2013-02-01 14:41:07 +00:00
Maxim Dounin
1c5fce7518 FastCGI: fixed wrong connection close with fastcgi_keep_conn.
With fastcgi_keep_conn it was possible that connection was closed after
FCGI_STDERR record with zero padding and without any further data read yet.
This happended as f->state was set to ngx_http_fastcgi_st_padding and then
"break" happened, resulting in p->length being set to f->padding, i.e. 0
(which in turn resulted in connection close).

Fix is to make sure we continue the loop after f->state is set.
2013-02-01 14:40:19 +00:00
Maxim Dounin
e97e4124e3 Request body: fixed client_body_in_file_only.
After introduction of chunked request body reading support in 1.3.9 (r4931),
the rb->bufs wasn't set if request body was fully preread while calling the
ngx_http_read_client_request_body() function.

Reported by Yichun Zhang (agentzh).
2013-02-01 14:38:18 +00:00
Maxim Dounin
2887c06fde SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Missing calls to ngx_handle_write_event() and ngx_handle_read_event()
resulted in a CPU hog during SSL handshake if an level-triggered event
method (e.g. select) was used.
2013-02-01 14:37:43 +00:00
Valentin Bartenev
733e6d2ac6 SSL: take into account data in the buffer while limiting output.
In some rare cases this can result in a more smooth sending rate.
2013-01-28 15:41:12 +00:00
Valentin Bartenev
0f0fac70a1 SSL: avoid calling SSL_write() with zero data size.
According to documentation, calling SSL_write() with num=0 bytes to be sent
results in undefined behavior.

We don't currently call ngx_ssl_send_chain() with empty chain and buffer.
This check handles the case of a chain with total data size that is
a multiple of NGX_SSL_BUFSIZE, and with the special buffer at the end.

In practice such cases resulted in premature connection close and critical
error "SSL_write() failed (SSL:)" in the error log.
2013-01-28 15:40:25 +00:00
Valentin Bartenev
f98b1d2561 SSL: calculation of buffer size moved closer to its usage.
No functional changes.
2013-01-28 15:38:36 +00:00
Valentin Bartenev
0f62e193dc SSL: preservation of flush flag for buffered data.
Previously, if SSL buffer was not sent we lost information that the data
must be flushed.
2013-01-28 15:37:11 +00:00
Valentin Bartenev
c857dade60 SSL: resetting of flush flag after the data was written.
There is no need to flush next chunk of data if it does not contain a buffer
with the flush or last_buf flags set.
2013-01-28 15:35:12 +00:00
Valentin Bartenev
693ba0179e SSL: removed conditions that always hold true. 2013-01-28 15:34:09 +00:00
Ruslan Ermilov
4b46b7fc5b Secure_link: fixed configuration inheritance.
The "secure_link_secret" directive was always inherited from the outer
configuration level even when "secure_link" and "secure_link_md5" were
specified on the inner level.
2013-01-28 14:42:07 +00:00
Ruslan Ermilov
33e934ccc8 Events: fixed null pointer dereference with resolver and poll.
A POLLERR signalled by poll() without POLLIN/POLLOUT, as seen on
Linux, would generate both read and write events, but there's no
write event handler for resolver events.  A fix is to only call
event handler of an active event.
2013-01-25 09:59:28 +00:00
Ruslan Ermilov
db5e48d9b8 GeoIP: IPv6 support.
When using IPv6 databases, IPv4 addresses are looked up as IPv4-mapped
IPv6 addresses.

Mostly based on a patch by Gregor Kališnik (ticket #250).
2013-01-24 16:15:51 +00:00
Maxim Dounin
aa0b86fb4d Proxy: fixed proxy_method to always add space.
Before the patch if proxy_method was specified at http{} level the code
to add trailing space wasn't executed, resulting in incorrect requests
to upstream.
2013-01-22 12:36:00 +00:00
Ruslan Ermilov
19e2ef77c2 Variables $pipe, $request_length, $time_iso8601, and $time_local.
Log module counterparts are preserved for efficiency.

Based on patch by Kiril Kalchev.
2013-01-21 13:15:29 +00:00
Ruslan Ermilov
e493f9ad4e Version bump. 2013-01-17 09:55:36 +00:00
Ruslan Ermilov
5d143ca864 Fixed and improved the "*_bind" directives of proxying modules.
The "proxy_bind", "fastcgi_bind", "uwsgi_bind", "scgi_bind" and
"memcached_bind" directives are now inherited; inherited value
can be reset by the "off" parameter.  Duplicate directives are
now detected.  Parameter value can now contain variables.
2013-01-16 09:42:57 +00:00
Ruslan Ermilov
a2a229193a Fixed "proxy_pass" with IP address and no port (ticket #276).
Upstreams created by "proxy_pass" with IP address and no port were
broken in 1.3.10, by not initializing port in u->sockaddr.

API change: ngx_parse_url() was modified to always initialize port
(in u->sockaddr and in u->port), even for the u->no_resolve case;
ngx_http_upstream() and ngx_http_upstream_add() were adopted.
2013-01-10 12:58:55 +00:00
Maxim Dounin
041449a3d3 SSL: speedup loading of configs with many ssl servers.
The patch saves one EC_KEY_generate_key() call per server{} block by
informing OpenSSL about SSL_OP_SINGLE_ECDH_USE we are going to use before
the SSL_CTX_set_tmp_ecdh() call.

For a configuration file with 10k simple server{} blocks with SSL enabled
this change reduces startup time from 18s to 5s on a slow test box here.
2013-01-09 14:11:48 +00:00
Valentin Bartenev
a6ea2f8f48 Events: added check for duplicate "events" directive. 2013-01-08 14:03:37 +00:00
Valentin Bartenev
ff2e304223 The data pointer in ngx_open_file_t objects must be initialized.
Uninitialized pointer may result in arbitrary segfaults if access_log is used
without buffer and without variables in file path.

Patch by Tatsuhiko Kubo (ticket #268).
2013-01-08 14:01:57 +00:00
Ruslan Ermilov
92d571dd71 Geo: improved code readability. 2012-12-27 21:35:47 +00:00
Ruslan Ermilov
f8a6de481c Upstream keepalive: detect duplicate "keepalive" directive.
A failure to detect duplicate "keepalive" directive resulted in
stack exhaustion.
2012-12-26 14:46:06 +00:00
Ruslan Ermilov
0a668faba4 Version bump. 2012-12-26 09:29:37 +00:00
Ruslan Ermilov
f2c8704fd0 Geo: made "default" affect both IPv4 and IPv6 when using prefixes.
Previously, "default" was equivalent to specifying 0.0.0.0/0, now
it's equivalent to specifying both 0.0.0.0/0 and ::/0 (if support
for IPv6 is enabled) with the same value.
2012-12-26 05:03:51 +00:00
Ruslan Ermilov
98129de874 Geo: properly initialize ngx_cidr_t when dealing with "default". 2012-12-25 10:00:39 +00:00
Ruslan Ermilov
3d87688bc6 Geo: IPv6 support.
The "ranges" mode is still limited to IPv4 only.
2012-12-25 08:21:56 +00:00
Valentin Bartenev
dd46cc659a Upstream: fixed state resetting when switching to backup servers.
Based on patch by Thomas Chen (ticket #257).
2012-12-25 08:02:21 +00:00
Valentin Bartenev
cb90df084f Fixed HEAD requests handling when proxying is used (closes #261). 2012-12-24 17:32:53 +00:00
Ruslan Ermilov
2189c87aa7 Trailing whitespace fix. 2012-12-24 16:40:55 +00:00
Valentin Bartenev
70d1a45c7c Access log: the "gzip" parameter of the "access_log" directive.
Note: this requires zlib version 1.2.0.4 or above to work.
2012-12-23 19:09:33 +00:00
Valentin Bartenev
fcdb4655aa Access log: the "flush" parameter of the "access_log" directive. 2012-12-23 15:51:47 +00:00
Valentin Bartenev
a8ffed5751 Reopening log files code moved to a separate function.
The code refactored in a way to call custom handler that can do appropriate
cleanup work (if any), like flushing buffers, finishing compress streams,
finalizing connections to log daemon, etc..
2012-12-23 15:36:52 +00:00
Valentin Bartenev
df71cd1125 Access log: fixed redundant buffer reallocation.
Previously a new buffer was allocated for every "access_log" directive with the
same file path and "buffer=" parameters, while only one buffer per file is used.
2012-12-23 15:27:55 +00:00
Ruslan Ermilov
7c4068d349 Properly initialize "struct in6_addr" with zeroes. 2012-12-22 20:03:38 +00:00
Maxim Dounin
4b6f8dcd2a Core: crypt_r() error handling fixed.
The crypt_r() function returns NULL on errors, check it explicitly instead
of assuming errno will remain 0 if there are no errors (per POSIX, the
setting of errno after a successful call to a function is unspecified
unless the description of that function specifies that errno shall not
be modified).

Additionally, dropped unneeded ngx_set_errno(0) and fixed error handling
of memory allocation after normal crypt(), which was inapropriate and
resulted in null pointer dereference on allocation failures.
2012-12-21 16:13:03 +00:00
Maxim Dounin
f25549210d Image filter: fixed image_filter rotate inheritance.
Configurations like

    location /i/ {
        image_filter resize 200 200;
        image_filter rotate 180;

        location /i/foo/ {
            image_filter resize 200 200;
        }
   }

resulted in rotation incorrectly applied in the location /i/foo, without
any way to clear it.  Fix is to handle conf->angle/conf->acv consistently
with other filter variables and do not try to inherit them if there are
transformations defined for current location.
2012-12-21 15:07:45 +00:00
Ruslan Ermilov
f1819242fc Geo: ensure that default entry is always present.
If 0.0.0.0/32 entry was present and there was no explicit "default",
we failed to add an empty string as a default value.
2012-12-21 08:46:52 +00:00
Ruslan Ermilov
a0caa70c98 There's no need to normalize address returned by ngx_ptocidr(). 2012-12-21 08:44:39 +00:00
Maxim Dounin
717acb74a7 Image filter: configuration inheritance fixes.
The image_filter_jpeg_quality, image_filter_sharpen and "image_filter rotate"
were inherited incorrectly if a directive with variables was defined, and
then redefined to a literal value, i.e. in configurations like

    image_filter_jpeg_quality $arg_q;

    location / {
        image_filter_jpeg_quality 50;
    }

Patch by Ian Babrou, with minor changes.
2012-12-20 19:04:28 +00:00
Ruslan Ermilov
f4b9d89103 Brought the link to ngx_http_perl_module documentation up to date. 2012-12-20 15:34:37 +00:00
Ruslan Ermilov
d03ea4d842 Fixed return type of internal function that allocates radix tree nodes. 2012-12-20 11:16:03 +00:00
Ruslan Ermilov
7ae79fb8e7 Let "add_header" affect 201 responses (ticket #125). 2012-12-19 10:33:56 +00:00
Ruslan Ermilov
30390ea492 Slightly optimized code that handles special headers in "add_header". 2012-12-19 10:30:45 +00:00
Maxim Dounin
4bad9d0505 Avoid sending "100 Continue" on 413 Request Entity Too Large.
Patch by Igor Sysoev.
2012-12-18 18:39:39 +00:00
Ruslan Ermilov
c865f8dfa2 Added checks that disallow adding a variable with an empty name.
Added variable name syntax checks to "geo" and "map" directives.
2012-12-17 19:03:33 +00:00
Ruslan Ermilov
b8a90c6903 Implemented IPv6 support for URLs specified using domain names.
This includes "debug_connection", upstreams, "proxy_pass", etc.
(ticket #92)

To preserve compatibility, "listen" specified with a domain name
selects the first IPv4 address, if available.  If not available,
the first IPv6 address will be used (ticket #186).
2012-12-17 12:08:53 +00:00
Ruslan Ermilov
2f8c1b73b8 Fixed URL parsing code.
The URL parsing code is not expected to initialize port from default port
when in "no_resolve" mode.  This got broken in r4671 for the case of IPv6
literals.
2012-12-17 09:44:46 +00:00
Ruslan Ermilov
bbf7043fe7 Simplified URL parsing code.
Except for the "listen" directive, "*" specified as a hostname is
no longer treated specially.
2012-12-17 09:31:53 +00:00
Ruslan Ermilov
18a7e1b359 Geo: fixed the "ranges" without ranges case.
The following configuration returned an empty value for $geo:

    geo $geo {
        ranges;
        default default;
    }
2012-12-14 19:56:03 +00:00
Ruslan Ermilov
cd04ca3546 Geo: improved ngx_http_geo_block() code readability. 2012-12-14 19:35:37 +00:00
Valentin Bartenev
fac3b341da Fixed handling of ngx_write_fd() and ngx_read_fd() errors.
The ngx_write_fd() and ngx_read_fd() functions return -1 in case of error,
so the incorrect comparison with NGX_FILE_ERROR (which is 0 on windows
platforms) might result in inaccurate error message in the error log.

Also the ngx_errno global variable is being set only if the returned value
is -1.
2012-12-14 15:24:24 +00:00
Valentin Bartenev
e86279e9f3 Gzip: fixed zlib memLevel adjusting.
An incorrect memLevel (lower than 1) might be passed to deflateInit2() if the
"gzip_hash" directive is set to a value less than the value of "gzip_window"
directive. This resulted in "deflateInit2() failed: -2" alert and an empty
reply.
2012-12-14 15:17:58 +00:00
Maxim Dounin
658296290c Upstream: fixed SIGSEGV with the "if" directive.
Configuration like

    location / {
        set $true 1;

        if ($true) {
            proxy_pass http://backend;
        }

        if ($true) {
            # nothing
        }
    }

resulted in segmentation fault due to NULL pointer dereference as the
upstream configuration wasn't initialized in an implicit location created
by the last if(), but the r->content_handler was set due to first if().

Instead of committing a suicide by dereferencing a NULL pointer, return
500 (Internal Server Error) in such cases, i.e. if uscf is NULL.  Better
fix would be to avoid such cases by fixing the "if" directive handling,
but it's out of scope of this patch.

Prodded by Piotr Sikora.
2012-12-13 16:05:59 +00:00
Ruslan Ermilov
ba290091cf Fixed variable syntax checking in "set", "geo", "limit_conn_zone",
and "perl_set" directives.
2012-12-13 15:05:19 +00:00
Maxim Dounin
b3430993f1 Proxy: better error message about unexpected data.
Requested by Igor Sysoev.
2012-12-13 13:45:39 +00:00
Valentin Bartenev
1a6ed2e3b1 Limit rate: fixed integer overflow in limit calculation (ticket #256).
Patch by Alexey Antropov.
2012-12-12 14:48:48 +00:00
Ruslan Ermilov
1596399e82 The "auth_basic" directive gained support of variables. 2012-12-10 13:11:11 +00:00
Ruslan Ermilov
73fb7e878f Allow the complex value to be defined as an empty string.
This makes conversion from strings to complex values possible
without the loss of functionality.
2012-12-06 23:03:53 +00:00
Ruslan Ermilov
8e8201486c Xslt: prevented infinite loop.
If XSLT transformation failed and error 500 was handled in the same
location, an infinite loop occured that exhausted the stack.
2012-12-06 21:22:58 +00:00
Ruslan Ermilov
760c55a702 Fixed build with embedded perl in certain setups (ticket #48). 2012-12-03 16:00:26 +00:00
Ruslan Ermilov
f707bea0ee Fixed the NGX_SOCKADDR_STRLEN macro definition.
The ngx_sock_ntop() function, when told to print both address and port,
prints IPv6 address in square brackets, followed by colon and port.
2012-11-30 11:26:50 +00:00
Maxim Dounin
b63da701e5 Core: removed GLOB_NOSORT glob option.
This will result in alphabetical sorting of included files if
the "include" directive with wildcards is used.

Note that the behaviour is now different from that on Windows, where
alphabetical sorting is not guaranteed for FindFirsFile()/FindNextFile()
(used to be alphabetical on NTFS, but not on FAT).

Approved by Igor Sysoev, prodded by many.
2012-11-29 23:15:41 +00:00
Maxim Dounin
ea1ff4199d Version bump. 2012-11-29 23:13:18 +00:00
Maxim Dounin
0c563970be Gunzip: added missing ngx_http_clear_etag(). 2012-11-26 21:30:45 +00:00
Maxim Dounin
1469b51451 Core: fixed ngx_write_chain_to_file() with IOV_MAX reached.
Catched by dav_chunked.t on Solaris.  In released versions this might
potentially result in corruption of complex protocol responses if they
were written to disk and there were more distinct buffers than IOV_MAX
in a single write.
2012-11-26 21:19:57 +00:00
Maxim Dounin
e769544a7d Request body: block write events while reading body.
If write events are not blocked, an extra write event might happen for
various reasons (e.g. as a result of a http pipelining), resulting in
incorrect body being passed to a post handler.

The problem manifested itself with the dav module only, as this is
the only module which reads the body from a content phase handler (in
contrast to exclusive content handlers like proxy).  Additionally, dav
module used to dump core in such situations due to ticket #238.

See reports here:

http://mailman.nginx.org/pipermail/nginx-devel/2012-November/002981.html
http://serverfault.com/questions/449195/nginx-webdav-server-with-auth-request
2012-11-26 18:01:49 +00:00
Maxim Dounin
aa955a2097 Request body: error checking fixes, negative rb->rest handling.
Negative rb->rest can't happen with current code, but it's good to have
it handled anyway.

Found by Coverity (CID 744846, 744847, 744848).
2012-11-26 18:01:08 +00:00
Maxim Dounin
c4a4a6a5d8 Request body: improved handling of incorrect chunked request body.
While discarding chunked request body in some cases after detecting
request body corruption no error was returned, while it was possible
to correctly return 400 Bad Request.  If error is detected too late,
make sure to properly close connection.

Additionally, in ngx_http_special_response_handler() don't return body
of 500 Internal Server Error to a client if ngx_http_discard_request_body()
fails, but disable keepalive and continue.
2012-11-26 18:00:14 +00:00
Maxim Dounin
61feb90d74 Request body: fixed discard of chunked request body.
Even if there is no preread data, make sure to always call
ngx_http_discard_request_body_filter() in case of chunked request
body to initialize r->headers_in.content_length_n for later use.
2012-11-26 17:59:30 +00:00
Ruslan Ermilov
a94a101c79 Core: don't reuse shared memory zone that changed ownership (ticket #210).
nginx doesn't allow the same shared memory zone to be used for different
purposes, but failed to check this on reconfiguration.  If a shared memory
zone was used for another purpose in the new configuration, nginx attempted
to reuse it and crashed.
2012-11-23 12:43:58 +00:00
Ruslan Ermilov
9f385870f6 Fixed location of debug message in ngx_shmtx_lock(). 2012-11-21 14:23:26 +00:00
Maxim Dounin
542b60a35a Request body: unbreak build without debug. 2012-11-21 01:40:11 +00:00
Maxim Dounin
5fc85439d0 Request body: chunked transfer encoding support. 2012-11-21 01:08:11 +00:00
Maxim Dounin
d60b8d10f0 Request body: recalculate size of a request body in scgi module.
This allows to handle requests with chunked body by scgi module, and
also simplifies handling of various request body modifications.
2012-11-21 01:06:53 +00:00
Maxim Dounin
0ce5a3aa18 Request body: $content_length variable to honor real body size.
This allows to handle requests with chunked body by fastcgi and uwsgi
modules, and also simplifies handling of various request body modifications.
2012-11-21 01:05:08 +00:00
Maxim Dounin
9a483c8373 Request body: always use calculated size of a request body in proxy.
This allows to handle requests with chunked body, and also simplifies
handling of various request body modifications.
2012-11-21 01:03:48 +00:00
Maxim Dounin
6ddf23bdc4 Request body: adjust b->pos when chunked parsing done.
This is a nop for the current code, though will allow to correctly parse
pipelined requests.
2012-11-21 01:02:56 +00:00
Maxim Dounin
df74d88156 Request body: chunked parsing moved to ngx_http_parse.c from proxy.
No functional changes.
2012-11-21 00:59:16 +00:00
Maxim Dounin
c29837fc4d Request body: properly handle events while discarding body.
An attempt to call ngx_handle_read_event() before actually reading
data from a socket might result in read event being disabled, which is
wrong.  Catched by body.t test on Solaris.
2012-11-21 00:57:56 +00:00
Maxim Dounin
e1bd52041b Request body: fixed socket leak on errors.
The r->main->count reference counter was always incremented in
ngx_http_read_client_request_body(), while it is only needs to be
incremented on positive returns.
2012-11-21 00:57:16 +00:00
Maxim Dounin
5da61375cd Request body: code duplication reduced, no functional changes.
The r->request_body_in_file_only with empty body case is now handled in
ngx_http_write_request_body().
2012-11-21 00:55:50 +00:00
Maxim Dounin
743922a2ce Request body: $request_body variable generalization.
The $request_body variable was assuming there can't be more than two
buffers.  While this is currently true due to request body reading
implementation details, this is not a good thing to depend on and may
change in the future.
2012-11-21 00:55:06 +00:00
Maxim Dounin
ab5ac3b095 Request body: fixed "501 Not Implemented" error handling.
It is not about "Method" but a generic message, and is expected to be used
e.g. if specified Transfer-Encoding is not supported.  Fixed message to
match RFC 2616.

Additionally, disable keepalive on such errors as we won't be able to read
request body correctly if we don't understand Transfer-Encoding used.
2012-11-21 00:54:01 +00:00
Maxim Dounin
d228cf3638 Core: added debug logging of writev() in ngx_write_chain_to_file(). 2012-11-21 00:52:35 +00:00
Maxim Dounin
248bc41893 Dav: fixed segfault on PUT if body was already read (ticket #238).
If request body reading happens with different options it's possible
that there will be no r->request_body->temp_file available (or even
no r->request_body available if body was discarded).  Return internal
server error in this case instead of committing suicide by dereferencing
a null pointer.
2012-11-21 00:51:37 +00:00
Igor Sysoev
da130acfbe Fixed failure to start cache manager and cache loader processes
if there were more than 512 listening sockets in configuration.
2012-11-20 13:37:55 +00:00
Maxim Dounin
246cbd21ce Trailing whitespace fix. 2012-11-17 00:36:44 +00:00
Maxim Dounin
e1d5455a74 Upstream: better detection of connect() failures with kqueue.
Pending EOF might be reported on both read and write events, whichever
comes first, so check both of them.

Patch by Yichun Zhang (agentzh), slightly modified.
2012-11-16 18:29:19 +00:00
Ruslan Ermilov
4d0d2b20ac Upstream: honor the "down" flag for a single server.
If an upstream block was defined with the only server marked as
"down", e.g.

    upstream u {
        server 127.0.0.1:8080 down;
    }

an attempt was made to contact the server despite the "down" flag.
It is believed that immediate 502 response is better in such a
case, and it's also consistent with what is currently done in case
of multiple servers all marked as "down".
2012-11-16 12:18:05 +00:00
Ruslan Ermilov
b67dbca1ca Variables $request_time and $msec.
Log module counterparts are preserved for efficiency.
2012-11-16 09:37:14 +00:00
Ruslan Ermilov
9997aaef70 Fixed setting of CPU affinity on respawn of dead worker processes.
Worker processes are now made aware of their sequential number needed
to select CPU affinity mask.  This replaces a workaround from r4865.
2012-11-16 09:25:52 +00:00
Ruslan Ermilov
5a1d76c9f2 Version bump. 2012-11-16 07:49:41 +00:00
Maxim Dounin
8e67fb4226 Event pipe: fixed handling of buf_to_file data.
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p->buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p->buf_to_file.

This fixes occasional cache file corruption, usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
2012-10-30 11:14:24 +00:00
Maxim Dounin
1e12e7fa1d Variables $connection and $connection_requests.
Log module counterparts are removed as they aren't used often and
there is no need to preserve them for efficiency.
2012-10-29 17:17:59 +00:00
Maxim Dounin
7b3731862b Resolver: added missing memory allocation error handling. 2012-10-24 14:07:08 +00:00
Valentin Bartenev
09dca40b33 ngx_http_keepalive_handler() is now trying to not keep c->buffer's memory for
idle connections.

This behaviour is consistent with the ngx_http_set_keepalive() function and it
should decrease memory usage in some cases (especially if epoll/rtsig is used).
2012-10-23 14:36:18 +00:00
Andrey Belov
f7b32c479d Core: the "auto" parameter of the "worker_processes" directive.
The parameter will set the number of worker processes to the
autodetected number of available CPU cores.
2012-10-23 09:08:41 +00:00
Maxim Dounin
106dbc8d76 Removed conditional compilation from waitpid() error test.
There are reports that call to a signal handler for an exited process
despite waitpid() already called for the process may happen on Linux
as well.
2012-10-18 14:48:33 +00:00
Maxim Dounin
27b7eb17d0 Gunzip: fixed r->gzip_ok check. 2012-10-18 14:27:40 +00:00
Maxim Dounin
0d7a7e91cf OCSP stapling: properly check if there is ssl.ctx.
This fixes segfault if stapling was enabled in a server without a certificate
configured (and hence no ssl.ctx).
2012-10-05 11:09:14 +00:00
Maxim Dounin
82989420ad Variable $bytes_sent.
It replicates variable $bytes_sent as previously available in log module
only.

Patch by Benjamin Grössing (with minor changes).
2012-10-03 15:25:36 +00:00
Maxim Dounin
a707811a31 Log: $apache_bytes_sent removed.
It was renamed to $body_bytes_sent in nginx 0.3.10 and the old name is
deprecated since then.
2012-10-03 15:25:06 +00:00
Maxim Dounin
c846871ce1 SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
2012-10-03 15:24:08 +00:00
Maxim Dounin
f8cc8969d5 Version bump. 2012-10-03 15:22:18 +00:00
Maxim Dounin
7eea509776 OCSP stapling: build fixes.
With the "ssl_stapling_verify" commit build with old OpenSSL libraries
was broken due to incorrect prototype of the ngx_ssl_stapling() function.
One incorrect use of ngx_log_debug() instead of ngx_log_debug2() slipped in
and broke win32 build.
2012-10-01 13:54:13 +00:00
Maxim Dounin
bec2cc5286 OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
2012-10-01 12:53:11 +00:00
Maxim Dounin
3ebbb7d521 OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.
This is expected to simplify configuration in a common case when OCSP
response is signed by a certificate already present in ssl_certificate
chain.  This case won't need any extra trusted certificates.
2012-10-01 12:51:27 +00:00
Maxim Dounin
1a07a7f2de OCSP stapling: log error data in ngx_ssl_error().
It's hard to debug OCSP_basic_verify() failures without the actual error
string it records in the error data field.
2012-10-01 12:50:36 +00:00
Maxim Dounin
872563a64d OCSP stapling: check Content-Type.
This will result in better error message in case of incorrect response
from OCSP responder:

... OCSP responder sent invalid "Content-Type" header: "text/plain"
    while requesting certificate status, responder: ...

vs.

... d2i_OCSP_RESPONSE() failed (SSL:
    error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
    error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
    error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
    while requesting certificate status, responder: ...
2012-10-01 12:48:54 +00:00
Maxim Dounin
74ad4494a6 OCSP stapling: loading OCSP responses.
This includes the ssl_stapling_responder directive (defaults to OCSP
responder set in certificate's AIA extension).

OCSP response for a given certificate is requested once we get at least
one connection with certificate_status extension in ClientHello, and
certificate status won't be sent in the connection in question.  This due
to limitations in the OpenSSL API (certificate status callback is blocking).

Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't
allow to access the certificate loaded via SSL_CTX.
2012-10-01 12:47:55 +00:00
Maxim Dounin
f7ec295fb4 OCSP stapling: the ngx_event_openssl_stapling.c file.
Missed in previous commit.
2012-10-01 12:42:43 +00:00
Maxim Dounin
85c920a0cd OCSP stapling: ssl_stapling_file support.
Very basic version without any OCSP responder query code, assuming valid
DER-encoded OCSP response is present in a ssl_stapling_file configured.

Such file might be produced with openssl like this:

openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
             -url http://ocsp.example.com
2012-10-01 12:41:08 +00:00
Maxim Dounin
3648ba7db8 OCSP stapling: ssl_trusted_certificate directive.
The directive allows to specify additional trusted Certificate Authority
certificates to be used during certificate verification.  In contrast to
ssl_client_certificate DNs of these cerificates aren't sent to a client
during handshake.

Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.

The same applies to a CRL (which is now always loaded).
2012-10-01 12:39:36 +00:00
Maxim Dounin
6a0f47e079 Resolver: cached addresses are returned with random rotation now.
This ensures balancing when working with dynamically resolved upstream
servers with multiple addresses.

Based on patch by Anton Jouline.
2012-09-28 18:28:38 +00:00
Andrey Belov
8be233c8f2 Correct plural form for "path" in the whole source base. 2012-09-28 13:49:26 +00:00
Andrey Belov
b33a316883 Made sure to initialize the entire ngx_file_t structure.
Found by Coverity.
2012-09-28 13:15:11 +00:00
Maxim Dounin
52b59ebc74 SSL: added version checks for ssl compression workaround.
The SSL_COMP_get_compression_methods() is only available as an API
function in OpenSSL 0.9.8+, require it explicitly to unbreak build
with OpenSSL 0.9.7.
2012-09-27 18:01:06 +00:00
Maxim Dounin
f4f72f9fb5 SSL: fixed compression workaround to remove all methods.
Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating
stack from 0 to n, resulting in removal of only even compression methods.

In real life this change is a nop, as there is only one compression method
which is enabled by default in OpenSSL.
2012-09-27 17:59:59 +00:00
Maxim Dounin
927643e3e9 Added clearing of cpu_affinity after process spawn.
This fixes unwanted/incorrect cpu_affinity use on dead worker processes
respawn.  While this is not ideal, it's expected to be better when previous
situation where multiple processes were spawn with identical CPU affinity
set.

Reported by Charles Chen.
2012-09-26 16:25:12 +00:00
Maxim Dounin
f4473147e5 Version bump. 2012-09-26 15:52:06 +00:00
Maxim Dounin
4b948b49aa Gunzip: removed nginx.h leftover include. 2012-09-11 01:13:23 +00:00
Maxim Dounin
90bd33e8eb Gunzip filter import. 2012-09-10 16:52:47 +00:00
Maxim Dounin
86aee85d2e Gzip static: "always" parameter in "gzip_static" directive.
With "always" gzip static returns gzipped content in all cases, without
checking if client supports it.  It is useful if there are no uncompressed
files on disk anyway.
2012-09-10 16:48:25 +00:00
Maxim Dounin
23a959615e Memcached: memcached_gzip_flag directive.
This directive allows to test desired flag as returned by memcached and
sets Content-Encoding to gzip if one found.

This is reimplementation of patch by Tomash Brechko as available on
http://openhack.ru/.  It should be a bit more correct though (at least
I think so).  In particular, it doesn't try to detect if we are able to
gunzip data, but instead just sets correct Content-Encoding.
2012-09-10 16:43:49 +00:00
Maxim Dounin
5867c81fe6 Write filter: replaced unneeded loop with one to free chains.
Noted by Gabor Lekeny.
2012-09-05 15:06:47 +00:00
Valentin Bartenev
605a0ab2e1 Limit req: fix of rbtree node insertion on hash collisions.
The rbtree used in ngx_http_limit_req_module has two level of keys, the top is
hash, and the next is the value string itself. However, when inserting a new
node, only hash has been set, while the value string has been left empty.

The bug was introduced in r4419 (1.1.14).

Found by Charles Chen.
2012-09-03 12:55:50 +00:00
Ruslan Ermilov
9d6d33a561 Fixed overflow if ngx_slab_alloc() is called with very big "size" argument. 2012-08-30 15:09:21 +00:00
Ruslan Ermilov
d469482cda Fixed strict aliasing bugs when dealing with IPv4-mapped IPv6 addresses
(closes #201).
2012-08-30 14:58:11 +00:00
Ruslan Ermilov
da4ffd8955 Fixed the "include" directive.
The "include" directive should be able to include multiple files if
given a filename mask.  Fixed this to work for "include" directives
inside the "map" or "types" blocks.  The "include" directive inside
the "geo" block is still not fixed.
2012-08-28 13:31:01 +00:00
Ruslan Ermilov
43f6163063 Version bump. 2012-08-27 14:21:41 +00:00
Maxim Dounin
c22b87b2e4 Radix tree preallocation fix.
The preallocation size was calculated incorrectly and was always 8 due to
sizeof(ngx_radix_tree_t) accidentally used instead of sizeof(ngx_radix_node_t).
2012-08-18 23:17:58 +00:00
Maxim Dounin
83e35f6f22 Whitespace fix. 2012-08-18 23:04:39 +00:00
Andrey Belov
b69f284383 Mark logically dead code with corresponding comment.
Found by Coverity.
2012-08-17 15:35:50 +00:00
Maxim Dounin
572bca7b83 Mp4: removed restriction to avc1/mp4a formats (ticket #194). 2012-08-17 11:02:35 +00:00
Ruslan Ermilov
53b8514f2d Mail: fixed handling of AF_UNIX addresses in "listen".
This makes AF_UNIX addresses in mail officially supported.
2012-08-17 05:21:28 +00:00
Ruslan Ermilov
ff3236e7a7 Removed a stale "AF_INET only" comment.
IPv6 client connections in mail modules have been supported since r2856.
2012-08-17 05:14:19 +00:00
Ruslan Ermilov
f12c7563e2 Mail: fixed sorting of listen addresses (ticket #187).
For http module this problem was already fixed in r4756.
2012-08-17 05:08:42 +00:00
Maxim Dounin
5425263436 Geo: fixed handling of ranges without default set.
The bug had appeared in 0.8.43 (r3653).  Patch by Weibin Yao.
2012-08-16 13:01:41 +00:00
Maxim Dounin
89bd5f038a Crypt: fixed handling of corrupted SSHA entries in password file.
Found by Coverity.
2012-08-16 12:05:58 +00:00
Maxim Dounin
3587e2be23 Map: fixed optimization of variables as values.
Previous code incorrectly used ctx->var_values as an array of pointers to
ngx_http_variable_value_t, but the array contains structures, not pointers.
Additionally, ctx->var_values inspection failed to properly set var on
match.
2012-08-16 10:58:18 +00:00
Ruslan Ermilov
9aac01a76e mail_core: don't let the well-known port in the "listen" directive to
override the already set "protocol".
2012-08-15 11:30:24 +00:00
Ruslan Ermilov
89ad2e91e5 Corrected the directive name in the ngx_mail_auth_http_module error message. 2012-08-15 11:17:55 +00:00
Valentin Bartenev
86dd5bde45 Added three missing checks for NULL after ngx_array_push() calls.
Found by Coverity.
2012-08-08 12:03:46 +00:00
Andrey Belov
2af80d5fab Explicitly ignore returned value from close() in ngx_event_core_init_conf().
We don't have strong reason to inform about any errors
reported by close() call here, and there are no other things
to do with its return value.

Prodded by Coverity.
2012-08-07 13:57:04 +00:00
Andrey Belov
66e9525e84 Explicitly ignore returned value from unlink() in ngx_open_tempfile().
The only thing we could potentially do here in case of error
returned is to complain to error log, but we don't have log
structure available here due to interface limitations.

Prodded by Coverity.
2012-08-06 16:06:59 +00:00
Maxim Dounin
42a75bba53 Resolver: fixed possible memory leak in ngx_resolver_create().
Found by Coverity.
2012-08-06 10:48:09 +00:00
Ruslan Ermilov
8ed4929a26 Fixed the -p parameter handling.
Ensure that the path supplied always ends with a `/' except when empty.
An empty value now corresponds to the current directory instead of `/'.
2012-08-03 12:52:32 +00:00
Maxim Dounin
25197b3229 Fixed possible use of old cached times if runtime went backwards.
If ngx_time_sigsafe_update() updated only ngx_cached_err_log_time, and
then clock was adjusted backwards, the cached_time[slot].sec might
accidentally match current seconds on next ngx_time_update() call,
resulting in various cached times not being updated.

Fix is to clear the cached_time[slot].sec to explicitly mark cached times
are stale and need updating.
2012-08-03 09:10:39 +00:00
Maxim Dounin
d053bacb9c Added "const" to ngx_memcpy() with NGX_MEMCPY_LIMIT defined.
This fixes warning produced during compilation of the ngx_http_geoip_module
due to const qualifier being discarded.
2012-08-03 09:07:30 +00:00
Maxim Dounin
beaed67996 Whitespace fix. 2012-08-03 09:00:25 +00:00
Maxim Dounin
c722e8a5bf Win32: fixed build with Visual Studio 2005 Express.
It is available via winetricks which makes it still usable, and has
an old crtdefs.h which uses _CRT_SECURE_NO_DEPRECATE instead of
_CRT_SECURE_NO_WARNINGS to suppress warnings.

Reported by HAYASHI Kentaro,
http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002542.html
2012-08-02 12:53:07 +00:00
Andrey Belov
1c42128e50 Reorder checks in ngx_shared_memory_add() for more consistent error messages. 2012-08-01 14:37:08 +00:00
Ruslan Ermilov
15ab0460ce Version bump. 2012-07-31 21:47:56 +00:00
Ruslan Ermilov
deaf22d220 Core: ipv6only is now on by default.
There is a general consensus that this change results in better
consistency between different operating systems and differently
tuned operating systems.

Note: this changes the width and meaning of the ipv6only field
of the ngx_listening_t structure.  3rd party modules that create
their own listening sockets might need fixing.
2012-07-30 12:27:06 +00:00
Valentin Bartenev
9c8f3d86b4 ngx_http_find_virtual_server() should return NGX_DECLINED if virtual server not
found.
2012-07-30 11:42:03 +00:00
Maxim Dounin
21be49ae59 Upstream: hide_headers/pass_headers inheritance fix.
Hide headers and pass headers arrays might not be inherited correctly
into a nested location, e.g. in configuration like

    server {
        proxy_hide_header X-Foo;
        location / {
            location /nested/ {
                proxy_pass_header X-Pad;
            }
        }
    }

the X-Foo header wasn't hidden in the location /nested/.

Reported by Konstantin Svist,
http://mailman.nginx.org/pipermail/nginx-ru/2012-July/047555.html
2012-07-30 10:35:26 +00:00
Ruslan Ermilov
1c31039d1e Improved diagnostics when a directive is specified in the wrong context. 2012-07-29 19:59:06 +00:00
Ruslan Ermilov
45d2ae646b Slight optimization in ngx_http_upstream_add(): replaced an expression
known to be constant with the constant value.
2012-07-29 19:44:09 +00:00
Ruslan Ermilov
b163010872 ngx_http_upstream_add() should return NULL if an error occurs. 2012-07-29 19:38:25 +00:00
Ruslan Ermilov
01f07bde7e Reduced the number of preprocessor directives. 2012-07-26 14:47:42 +00:00
Ruslan Ermilov
cfe194ef59 When "debug_connection" is configured with a domain name, only the first
resolved address was used.  Now all addresses will be used.
2012-07-24 17:40:06 +00:00
Ruslan Ermilov
1efcca36cc Fixed compilation with -Wmissing-prototypes. 2012-07-24 15:09:54 +00:00
Maxim Dounin
9d5f5a0c76 Win32: fixed cpu hog after process startup failure.
If ngx_spawn_process() failed while starting a process, the process
handle was closed but left non-NULL in the ngx_processes[] array.
The handle later was used in WaitForMultipleObjects() (if there
were multiple worker processes configured and at least one worker
process was started successfully), resulting in infinite loop.

Reported by Ricardo V G:
http://mailman.nginx.org/pipermail/nginx-devel/2012-July/002494.html
2012-07-23 16:37:24 +00:00
Ruslan Ermilov
54ab41f27b Fixed debugging messages to account that limit_zone was renamed to limit_conn. 2012-07-20 08:21:59 +00:00
Ruslan Ermilov
1fd21c48bb Fixed sorting of listen addresses so that wildcard address is always at
the end (closes #187).  Failure to do so could result in several listen
sockets to be created instead of only one listening on wildcard address.

Reported by Roman Odaisky.
2012-07-17 04:47:34 +00:00
Ruslan Ermilov
e30a8f90fc Version bump. 2012-07-17 04:42:38 +00:00
Maxim Dounin
e3acbc6bbb Entity tags: empty etags handling in If-Range.
Entity tag may be of length 2 as per RFC 2616, i.e. double quotes only.
Pointed out by Ruslan Ermilov.
2012-07-09 17:04:37 +00:00
Maxim Dounin
1b77858ac5 Entity tags: the "etag" directive.
It allows to disable generation of nginx's own entity tags, while
still handling ETags in cache properly.  This may be useful e.g.
if one want to serve static files from servers with different ETag
generation algorithms.
2012-07-09 14:53:42 +00:00
Maxim Dounin
eb7c38a49a Entity tags: set for static respones. 2012-07-09 00:13:06 +00:00
Maxim Dounin
8b00c87c38 Entity tags: handling in add_header.
Notably this allows to clear ETag if one want to for some reason.
2012-07-07 21:24:01 +00:00
Maxim Dounin
c96c4196f3 Entity tags: clear on entity changes. 2012-07-07 21:22:27 +00:00
Maxim Dounin
9c17e4cb66 Entity tags: support in If-Range header. 2012-07-07 21:21:15 +00:00
Maxim Dounin
13eb6898aa Entity tags: basic support in not modified filter.
This includes handling of ETag headers (if present in a response) with
basic support for If-Match, If-None-Match conditionals in not modified
filter.

Note that the "r->headers_out.last_modified_time == -1" check in the not
modified filter is left as is intentionally.  It's to prevent handling
of If-* headers in case of proxy without cache (much like currently
done with If-Modified-Since).
2012-07-07 21:20:27 +00:00
Maxim Dounin
a9456d55ab Not modified filter: tests separated from actions.
This makes code more extendable.  The only functional change is when
If-Modified-Since and If-Unmodified-Since are specified together, the
case which is explicitly left undefined by RFC 2616.  The new behaviour
is to respect them both, which seems better.
2012-07-07 21:18:30 +00:00
Maxim Dounin
4199620461 Added Last-Modified parsing in add_header.
This allows to use last modified time set in If-Range checks.  Code
simplified to improve readability.
2012-07-07 21:16:51 +00:00
Maxim Dounin
63d7ab16ff Fixed If-Range with unknown last modified time.
If modification time isn't known, skip range processing and return full
entity body instead of just ignoring If-Range.  Ignoring If-Range isn't
safe as client will assume entity wasn't changed since time specified.
2012-07-07 21:16:21 +00:00
Andrey Belov
3d87bcf9ae Corrected $request_length calculation for pipelined requests. 2012-07-06 04:27:06 +00:00
Ruslan Ermilov
bbfc96c703 Fixed typo in a function name. 2012-07-03 13:06:40 +00:00
Ruslan Ermilov
2219c566d7 Made sure to initialize the entire "struct flock" allocated on stack. 2012-07-03 13:05:18 +00:00
Maxim Dounin
3484e6d21c Reset r->uri_changed in a named location (ticket #184). 2012-07-03 11:30:05 +00:00
Ruslan Ermilov
f9c03b49eb map: strip final dot before looking up in a map of hostnames.
(closes #182)
2012-06-29 20:33:26 +00:00
Ruslan Ermilov
56cb80834c Version bump. 2012-06-29 11:03:01 +00:00
Maxim Dounin
a83578384c Mp4: fixed build on win32 after r4689. 2012-06-26 12:31:40 +00:00
Maxim Dounin
c6d5225e5b Style. 2012-06-25 18:09:38 +00:00
Ruslan Ermilov
8c861f06c8 Fixed a harmless error in spelling of "Connection: close" when computing
the response header length.
2012-06-25 13:08:25 +00:00
Ruslan Ermilov
42444811b9 Fixed compile-time conditionals used to detect if X-Forwarded-For support
is needed.
2012-06-21 11:02:22 +00:00
Igor Sysoev
992a4d11da Disabled gzip compression in OpenSSL prior to 1.0.0 version.
This saves about 522K per connection.
2012-06-20 12:55:28 +00:00
Ruslan Ermilov
36a931aba6 Added IPv6 support to ip_hash. 2012-06-19 12:36:54 +00:00
Maxim Dounin
29844cd55c Upstream keepalive: "single" parameter deprecated.
The original idea was to optimize edge cases in case of interchangeable
backends, i.e. don't establish a new connection if we have any one
cached.  This causes more harm than good though, as it screws up
underlying balancer's idea about backends used and may result in
various unexpected problems.
2012-06-18 14:23:42 +00:00
Maxim Dounin
91c654debc Fixed return type of ngx_strerror_init(). 2012-06-18 14:12:03 +00:00
Maxim Dounin
97f7bf25c9 Fixed "sendmsg() failed" alerts on HP-UX.
HP-UX needs _HPUX_ALT_XOPEN_SOCKET_API to be defined to be able to
use various POSIX versions of networking functions.  Notably sendmsg()
resulted in "sendmsg() failed (9: Bad file number)" alerts without it.

See xopen_networking(7) for more details.
2012-06-18 14:11:29 +00:00
Maxim Dounin
a769c530ff Fixed segfault with poll and resolver used.
Poll event method needs ngx_cycle->files to work, and use of ngx_exit_cycle
without files set caused null pointer dereference in resolver's cleanup
on udp socket close.
2012-06-18 14:10:50 +00:00
Maxim Dounin
40a366c5a8 Fixed handling of conflicting wildcard server names.
With previous code wildcard names were added to hash even if conflict
was detected.  This resulted in identical names in hash and segfault
later in ngx_hash_wildcard_init().
2012-06-18 14:06:00 +00:00
Maxim Dounin
859dc4ce01 Mp4: fixed streaming if moov atom is at buffer edge. 2012-06-18 14:02:20 +00:00
Maxim Dounin
e1e2e2eb3a Mp4: fixed non-keyframe seeks in some cases (ticket #175).
Number of entries in stsc atom was wrong if we've added an entry to
split a chunk.

Additionally, there is no need to add an entry if we are going to split
last chunk in an entry, it's enough to update the entry we already have.
Previously new entry was added and old one was left as is, resulting in
incorrect entry with zero chunks which might confuse some software.
2012-06-18 14:01:18 +00:00
Andrey Belov
0cf52376fb Style fix. 2012-06-18 13:51:20 +00:00
Andrey Belov
e91b210b56 New core variable: $status.
Contains response status code as a 3-digit integer
(with leading zeroes if necessary), or one of the following values:

    000 - response status code has not yet been assigned
    009 - HTTP/0.9 request is being processed
2012-06-18 13:43:44 +00:00
Ruslan Ermilov
2c49af818b When "resolver" is configured with a domain name, only the first
resolved address was used.  Now all addresses will be used.
2012-06-18 12:46:05 +00:00
Ruslan Ermilov
da8bb22634 Fixed crash in ngx_resolver_cleanup_tree().
If sending a DNS request fails with an error (e.g., when mistakenly trying
to send it to a local IP broadcast), such a request is not deleted if there
are clients waiting on it.  However, it was still erroneously removed from
the queue.  Later ngx_resolver_cleanup_tree() attempted to remove it from
the queue again that resulted in a NULL pointer dereference.
2012-06-18 12:30:45 +00:00
Ruslan Ermilov
b9feaa8dd9 Version bump. 2012-06-18 11:07:44 +00:00
Ruslan Ermilov
d4353c6fd3 Fixed spelling of "endianness", and called it "byte ordering" in the
user visible part.
2012-06-08 09:41:55 +00:00
Maxim Dounin
0d7720ddc0 Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".

For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
2012-06-05 13:38:27 +00:00
Maxim Dounin
f83598a359 Win32: normalization of trailing dot inside uri.
Windows treats "/directory./" identical to "/directory/".  Do the same
when working on Windows.  Note that the behaviour is different from one
with last path component (where multiple spaces and dots are ignored by
Windows).
2012-06-05 13:37:29 +00:00
Maxim Dounin
db80a7adfc Win32: disallowed access to various non-canonical name variants.
This includes trailings dots and spaces, NTFS streams (and short names, as
previously checked).  The checks are now also done in ngx_file_info(), thus
allowing to use the "try_files" directive to protect external scripts.
2012-06-05 13:36:09 +00:00
Ruslan Ermilov
ac7f704931 Support for IPv6 literals and an optional port in resolver. 2012-06-04 14:23:27 +00:00
Maxim Dounin
596226f6f7 Support for IPv6 literals in proxy_pass and so on. 2012-06-04 14:07:34 +00:00
Maxim Dounin
4888969baa Upstream: least_conn compilation fixes.
Removed duplicate call of ngx_http_upstream_init_round_robin_peer()
overlooked during code changes.  Rewritten "return lcp->free_rr_peer(...)"
as MSVC doesn't like it.
2012-06-04 00:00:28 +00:00
Maxim Dounin
1ba6ecd4f3 Upstream: weights support in ip_hash balancer. 2012-06-03 23:22:41 +00:00
Maxim Dounin
4cb4e8d179 Upstream: least_conn balancer module. 2012-06-03 23:21:26 +00:00
Maxim Dounin
01f1e4d1dc Resolver: fixed format specification.
Patch by Yichun Zhang (agentzh).
2012-06-03 23:18:24 +00:00
Ruslan Ermilov
887f514e9f Code reduction (no functional changes). 2012-06-01 11:35:09 +00:00
Valentin Bartenev
2195eb554b Removed mistaken setting of NGX_SSL_BUFFERED flag in ngx_ssl_send_chain()
if SSL buffer is not used.
2012-05-30 12:43:27 +00:00
Valentin Bartenev
d8ec4910ce Fixed returned value handling from the cookie rewrite handler.
If the "proxy_cookie_domain" or "proxy_cookie_path" directive is used and there
are no matches in Set-Cookie header then ngx_http_proxy_rewrite_cookie() returns
NGX_DECLINED to indicate that the header was not rewritten. Returning this value
further from the upstream headers copy handler resulted in 500 error response.

See here for report:
http://mailman.nginx.org/pipermail/nginx/2012-May/033858.html
2012-05-30 12:30:03 +00:00
Ruslan Ermilov
94d8df6098 geoip: got rid of ugly casts when calling ngx_free().
This is done by removing the "const" qualifier from the common return
type of handler functions returning either "const char *" or "char *".
2012-05-29 09:19:51 +00:00
Ruslan Ermilov
49fbd88466 Fixed broken build. 2012-05-28 14:20:04 +00:00
Ruslan Ermilov
9fbd0d7c1d Fixed memory leak if $geoip_org variable was used.
Patch by Denis F. Latypoff (slightly modified).
2012-05-28 13:17:48 +00:00
Ruslan Ermilov
526fd681b5 Fixed the reuse of parsed DTDs and XSLTs.
Patch by Kuramoto Eiji.
2012-05-24 07:35:12 +00:00
Maxim Dounin
e1133ca60e Fixed compilation with -DNGX_DEBUG_MALLOC on FreeBSD 10.
After jemalloc 3.0.0 import there is no _malloc_options symbol, it has
been replaced with the malloc_conf one with a different syntax.
2012-05-23 15:07:01 +00:00
Maxim Dounin
a272b2da28 Fixed warning during nginx.xs compilation. 2012-05-23 10:36:12 +00:00
Ruslan Ermilov
d2e005c39d Fixed potential null pointer dereference in ngx_resolver_create().
While here, improved error message.
2012-05-22 13:12:14 +00:00
Ruslan Ermilov
d230df40b2 Removed historical and now redundant syntax pre-checks in ngx_parse_url(). 2012-05-21 10:55:10 +00:00
Maxim Dounin
34229e9d4d Fixed core variables dynamic access after reconfiguration.
If variable was indexed in previous configuration but not in current
one, the NGX_HTTP_VAR_INDEXED flag was left set and confused
ngx_http_get_variable().

Patch by Yichun Zhang (agentzh), slightly modified.
2012-05-17 18:10:34 +00:00
Maxim Dounin
d2143f11cb Fixed segfault with filter_finalize introduced in r4621 (1.3.0).
Example configuration to reproduce:

    location /image/ {
        error_page 415 = /zero;
        image_filter crop 100 100;
        proxy_pass http://127.0.0.1:8080;
        proxy_store on;
    }

    location /zero {
        return 204;
    }

The problem appeared if upstream returned (big enough) non-image file,
causing 415 to be generated by image filter.
2012-05-17 17:41:40 +00:00
Valentin Bartenev
1c168c7875 Fixed the ngx_regex.h header file compatibility with C++. 2012-05-17 13:47:04 +00:00
Ruslan Ermilov
1b4397443f Zero padded the returned and logged HTTP status code, and fixed possible
buffer overrun in $status handling.
2012-05-16 13:27:04 +00:00
Ruslan Ermilov
befc111d4f Capped the status code that may be returned with "return" and "try_files". 2012-05-16 13:22:03 +00:00
Ruslan Ermilov
10c205a1b3 Added syntax checking of the second parameter of the "split_clients" directive. 2012-05-16 13:14:53 +00:00
Ruslan Ermilov
6888516b2b Version bump. 2012-05-16 13:09:39 +00:00
Ruslan Ermilov
e3bb319e34 Fixed win32 build after changes in r4624. 2012-05-15 08:10:59 +00:00
Valentin Bartenev
0215fcc9b8 Update c->sent in ngx_ssl_send_chain() even if SSL buffer is not used. 2012-05-14 16:30:33 +00:00
Ruslan Ermilov
9a79c3431a Reverted previous attempt to fix complation warning introduced in
r4624 and actually fixed it.
2012-05-14 15:52:37 +00:00
Ruslan Ermilov
d4ba06c31a geoip: trusted proxies support and partial IPv6 support.
The module now supports recursive search of client address through the
chain of trusted proxies (closes #100), in the same scope as the geo
module.  Proxies are listed by the "geoip_proxy" directive, recursive
search is enabled by the "geoip_proxy_recursive" directive.  IPv6 is
partially supported: proxies may be specified with IPv6 addresses.

Example:
    geoip_country .../GeoIP.dat;
    geoip_proxy 127.0.0.1;
    geoip_proxy ::1;
    geoip_proxy 10.0.0.0/8;
    geoip_proxy_recursive on;
2012-05-14 14:00:17 +00:00
Ruslan Ermilov
69521ddebf geo: chains of trusted proxies and partial IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "proxy_recursive"
directive in the "geo" block.  It also gets partial IPv6 support:
now proxies may be specified with IPv6 addresses.

Example:
    geo $test {
        ...
        proxy 127.0.0.1;
        proxy ::1;
        proxy_recursive;
    }

There's also a slight change in behavior.  When original client
address (as specified by the "geo" directive) is one of the
trusted proxies, and the value of the X-Forwarded-For request
header cannot not be parsed as a valid address, an original client
address will be used for lookup.  Previously, 255.255.255.255 was
used in this case.
2012-05-14 13:53:22 +00:00
Ruslan Ermilov
11a8e26d29 Fixed compilation warning introduced in r4624. 2012-05-14 13:15:22 +00:00
Ruslan Ermilov
7627530b50 realip: chains of trusted proxies and IPv6 support.
The module now supports recursive search of client address through
the chain of trusted proxies, controlled by the "real_ip_recursive"
directive (closes #2).  It also gets full IPv6 support (closes #44)
and canonical value of the $client_addr variable on address change.

Example:
    real_ip_header X-Forwarded-For;
    set_real_ip_from 127.0.0.0/8;
    set_real_ip_from ::1;
    set_real_ip_from unix:;
    real_ip_recursive on;
2012-05-14 12:41:03 +00:00
Ruslan Ermilov
8e5dc474e5 New function ngx_http_get_forwarded_addr() to look up real client address.
On input it takes an original address, string in the X-Forwarded-For format
and its length, list of trusted proxies, and a flag indicating to perform
the recursive search.  On output it returns NGX_OK and the "deepest" valid
address in a chain, or NGX_DECLINED.  It supports AF_INET and AF_INET6.
Additionally, original address and/or proxy may be specified as AF_UNIX.
2012-05-14 12:27:41 +00:00
Maxim Dounin
4d5759e098 Upstream: fixed ip_hash rebalancing with the "down" flag.
Due to weight being set to 0 for down peers, order of peers after sorting
wasn't the same as without the "down" flag (with down peers at the end),
resulting in client rebalancing for clients on other servers.  The only
rebalancing which should happen after adding "down" to a server is one
for clients on the server.

The problem was introduced in r1377 (which fixed endless loop by setting
weight to 0 for down servers).  The loop is no longer possible with new
smooth algorithm, so preserving original weight is safe.
2012-05-14 09:58:07 +00:00
Maxim Dounin
52327e0627 Upstream: smooth weighted round-robin balancing.
For edge case weights like { 5, 1, 1 } we now produce { a, a, b, a, c, a, a }
sequence instead of { c, b, a, a, a, a, a } produced previously.

Algorithm is as follows: on each peer selection we increase current_weight
of each eligible peer by its weight, select peer with greatest current_weight
and reduce its current_weight by total number of weight points distributed
among peers.

In case of { 5, 1, 1 } weights this gives the following sequence of
current_weight's:

     a  b  c
     0  0  0  (initial state)

     5  1  1  (a selected)
    -2  1  1

     3  2  2  (a selected)
    -4  2  2

     1  3  3  (b selected)
     1 -4  3

     6 -3  4  (a selected)
    -1 -3  4

     4 -2  5  (c selected)
     4 -2 -2

     9 -1 -1  (a selected)
     2 -1 -1

     7  0  0  (a selected)
     0  0  0

To preserve weight reduction in case of failures the effective_weight
variable was introduced, which usually matches peer's weight, but is
reduced temporarily on peer failures.

This change also fixes loop with backup servers and proxy_next_upstream
http_404 (ticket #47), and skipping alive upstreams in some cases if there
are multiple dead ones (ticket #64).
2012-05-14 09:57:20 +00:00
Maxim Dounin
e302ed6fc3 Fixed possible request hang with filter finalization.
With r->filter_finalize set the ngx_http_finalize_connection() wasn't
called from ngx_http_finalize_request() called with NGX_OK, resulting in
r->main->count not being decremented, thus causing request hang in some
rare situations.

See here for more details:
http://mailman.nginx.org/pipermail/nginx-devel/2012-May/002190.html

Patch by Yichun Zhang (agentzh).
2012-05-14 09:48:05 +00:00
Maxim Dounin
7d863c0181 Resolver: protection from duplicate responses.
If we already had CNAME in resolver node (i.e. rn->cnlen and rn->u.cname
set), and got additional response with A record, it resulted in rn->cnlen
set and rn->u.cname overwritten by rn->u.addr (or rn->u.addrs), causing
segmentation fault later in ngx_resolver_free_node() on an attempt to free
overwritten rn->u.cname.  The opposite (i.e. CNAME got after A) might cause
similar problems as well.
2012-05-14 09:13:45 +00:00
Maxim Dounin
0e3b423dc6 Accept moderation in case of EMFILE/ENFILE.
In case of EMFILE/ENFILE returned from accept() we disable accept events,
and (in case of no accept mutex used) arm timer to re-enable them later.
With accept mutex we just drop it, and rely on normal accept mutex handling
to re-enable accept events once it's acquired again.

As we now handle errors in question, logging level was changed to "crit"
(instead of "alert" used for unknown errors).

Note: the code might call ngx_enable_accept_events() multiple times if
there are many listen sockets.  The ngx_enable_accept_events() function was
modified to check if connection is already active (via c->read->active) and
skip it then, thus making multiple calls safe.
2012-05-11 13:33:06 +00:00
Maxim Dounin
74d939974d Rewrite: fixed escaping and possible segfault (ticket #162).
The following code resulted in incorrect escaping of uri and possible
segfault:

    location / {
        rewrite ^(.*) $1?c=$1;
        return 200 "$uri";
    }

If there were arguments in a rewrite's replacement string, and length was
actually calculated (due to duplicate captures as in the example above,
or variables present), the is_args flag was set and incorrectly copied
after length calculation.  This resulted in escaping applied to the uri part
of the replacement, resulting in incorrect escaping.  Additionally, buffer
was allocated without escaping expected, thus this also resulted in buffer
overrun and possible segfault.
2012-05-11 13:19:22 +00:00
Maxim Dounin
9114f08863 Fastcgi: fixed padding handling on fixed-size records.
Padding was incorrectly ignored on end request, empty stdout and stderr
fastcgi records.  This resulted in protocol desynchronization if fastcgi
application used these records with padding for some reason.

Reported by Ilia Vinokurov.
2012-05-11 13:14:58 +00:00
Maxim Dounin
b34f84d8de Added r->state reset on fastcgi/scgi/uwsgi request start.
Failing to do so results in problems if 400 or 414 requests are
redirected to fastcgi/scgi/uwsgi upstream, as well as after invalid
headers got from upstream.  This was already fixed for proxy in r3478,
but fastcgi (the only affected protocol at that time) was missed.

Reported by Matthieu Tourne.
2012-05-11 13:09:24 +00:00
Maxim Dounin
e0e1c4567c Added write event handler reset in ngx_http_named_location().
On internal redirects this happens via ngx_http_handler() call, which is
not called on named location redirect.  As a result incorrect write handler
remained (if previously set) and this might cause incorrect behaviour (likely
request hang).

Patch by Yichun Zhang (agentzh).
2012-05-04 11:35:22 +00:00
Ruslan Ermilov
700364f62d debug_connection: added the IPv6 and UNIX-domain socket support. 2012-04-29 22:02:18 +00:00
Valentin Bartenev
a0025f2d81 Removed surplus condition. 2012-04-27 10:48:42 +00:00
Andrey Belov
eeec229e3e Allows particular modules to handle subrequests properly. 2012-04-26 13:06:27 +00:00
Ruslan Ermilov
487ba70126 Fixed segmentation fault in ngx_resolver_create_name_query().
If name passed for resolution was { 0, NULL } (e.g. as a result
of name server returning CNAME pointing to ".") pointer wrapped
to (void *) -1 resulting in segmentation fault on an attempt to
dereference it.

Reported by Lanshun Zhou.
2012-04-26 12:58:42 +00:00
Maxim Dounin
6ad02389c3 Version bump. 2012-04-26 11:20:29 +00:00
Maxim Dounin
d68dd358e1 Version bump. 2012-04-23 12:54:14 +00:00
Igor Sysoev
c7bb66a9a3 Fix of "%f" format handling.
ngx_sprintf("%.2f", 0.999) incorrectly resulted in "0.100" instead of "1.00".
2012-04-23 11:11:32 +00:00
Maxim Dounin
c7bb162ffe Proxy: added ctx checking to input filters.
The proxy module context may be NULL in case of filter finalization
(e.g. by image_filter) followed by an internal redirect.  This needs
some better handling, but for now just check if ctx is still here.
2012-04-23 10:40:01 +00:00
Maxim Dounin
8b89c882ce Image filter: compare aspect ratio more accurately during crop.
Previously used fixed-point calculation caused wrong code path selection
in some cases, resulting in incorrect image size.

See here for report:
http://mailman.nginx.org/pipermail/nginx-devel/2012-April/002123.html
2012-04-21 19:02:21 +00:00
Maxim Dounin
e8fe3ce098 Fixed segfault with try_files (ticket #152).
The problem occured if first uri in try_files was shorter than request uri,
resulting in reserve being 0 and hence allocation skipped.  The bug was
introduced in r4584 (1.1.19).
2012-04-19 15:48:03 +00:00
Maxim Dounin
a73ce28e0a Fixed master exit if there is no events section (ticket #150).
Instead of checking if there is events{} section present in configuration
in init_module handler we now do the same in init_conf handler.  This
allows master process to detect incorrect configuration early and
reject it.
2012-04-18 14:47:10 +00:00
Ruslan Ermilov
e9a7f4f5f6 Don't silently ignore the last line of configuration file that
consists solely of one unterminated token (inspired by #150).
2012-04-18 13:30:43 +00:00
Maxim Dounin
0abb0bce5f Fixed ngx_readv_chain() to honor IOV_MAX (ticket #14).
Not using full chain passed is ok as consumers are expected to check
event's ready flag to determine if another call is needed, not the
returned size.
2012-04-17 09:13:58 +00:00
Maxim Dounin
578c02f3a1 IOV_MAX handling microoptimization.
We now stop on IOV_MAX iovec entries only if we are going to add new one,
i.e. next buffer can't be coalesced into last iovec.

This also fixes incorrect checks for trailer creation on FreeBSD and
Mac OS X, header.nelts was checked instead of trailer.nelts.
2012-04-17 09:13:15 +00:00
Maxim Dounin
96d73e291f Fixed loop in ngx_writev_chain() and ngx_solaris_sendfilev_chain().
The "complete" flag wasn't cleared on loop iteration start, resulting in
broken behaviour if there were more than IOV_MAX buffers and first
iteration was fully completed (and hence the "complete" flag was set
to 1).
2012-04-17 09:10:50 +00:00
Maxim Dounin
9e2f86cfc0 Fixed log->action after ssl handshake. 2012-04-16 13:05:20 +00:00
Ruslan Ermilov
43d2b1c045 Fixed grammar in error messages. 2012-04-12 19:35:41 +00:00
Maxim Dounin
e6724ebe54 Version bump. 2012-04-12 16:34:59 +00:00
Maxim Dounin
7ae525bd90 Mp4: sanity checks cleanup. 2012-04-12 12:18:14 +00:00
Ruslan Ermilov
3995395dcb Reduced the number of lines of code in ngx_inet_addr(). 2012-04-12 10:20:33 +00:00
Ruslan Ermilov
3f25e12517 Fixed buffer overflow when long URI is processed by "try_files" in
regex location with "alias" (fixes ticket #135).
2012-04-12 09:19:14 +00:00
Ruslan Ermilov
a5bb616af4 Improved readability of the code that produces bitmask from prefix.
In collaboration with Maxim Dounin.
2012-04-11 17:18:15 +00:00
Ruslan Ermilov
62b937b333 Fixed directives inheritance. 2012-04-11 09:56:30 +00:00
Maxim Dounin
b9c226abe0 Access module: fixed inheritance of allow/deny ipv6 rules.
Previous (incorrect) behaviour was to inherit ipv6 rules separately from
ipv4 ones.  Now all rules are either inherited (if there are no rules
defined at current level) or not (if there are any rules defined).
2012-04-10 13:25:53 +00:00
Igor Sysoev
3ef52765c8 Fixed debug logging. 2012-04-10 11:28:59 +00:00
Igor Sysoev
654a56e06a Fixed previous commit. 2012-04-10 11:27:43 +00:00
Igor Sysoev
cbc51bb295 Fixed mp4 module seek. 2012-04-10 11:21:47 +00:00
Maxim Dounin
baa239c487 Fixed signed integer overflows in timer code (ticket #145).
Integer overflow is undefined behaviour in C and this indeed caused
problems on Solaris/SPARC (at least in some cases).  Fix is to
subtract unsigned integers instead, and then cast result to a signed
one, which is implementation-defined behaviour and used to work.

Strictly speaking, we should compare (unsigned) result with the maximum
value of the corresponding signed integer type instead, this will be
defined behaviour.  This will require much more changes though, and
considered to be overkill for now.
2012-04-06 23:46:09 +00:00
Andrey Belov
bd6d421816 Comment fixed. 2012-04-05 19:49:34 +00:00
Maxim Konovalov
13d5d85861 Style: the function type should be on a line by itself
preceding the function.  No functional changes.
2012-04-05 15:32:43 +00:00
Ruslan Ermilov
bffbbeb73f In ngx_ptocidr(), check that the supplied prefix length is within
the allowed range.
2012-04-03 08:22:00 +00:00
Ruslan Ermilov
47a04aaa27 Fixed spelling in multiline C comments. 2012-04-03 07:37:31 +00:00
Maxim Dounin
7744472c8e Win32: improved ngx_mutex_init() stub (ticket #138).
This allows to run nginx with "master_process off" under Windows.
2012-04-02 21:31:45 +00:00
Maxim Dounin
9063bc8713 Win32: fixed memory allocation for shmem name (ticket #134). 2012-04-02 21:30:58 +00:00
Maxim Dounin
a5d4f66ad6 Upstream: reject upstreams without normal servers.
Such upstreams cause CPU hog later in the code as number of peers isn't
expected to be 0.  Currently this may happen either if there are only backup
servers defined in an upstream block, or if server with ipv6 address used
in an upstream block.
2012-04-02 21:29:35 +00:00
Maxim Dounin
525e1f75e4 Version bump. 2012-04-02 21:28:31 +00:00
Ruslan Ermilov
b4ab3ddf9d Corrected spelling of error message (ticket #136). 2012-03-29 19:47:27 +00:00
Maxim Dounin
889ad51f17 Fixed win32 build after realpath changes in r4559. 2012-03-28 13:04:39 +00:00
Ruslan Ermilov
feda353cb3 Replaced ngx_http_realip_from_t with ngx_in_cidr_t. 2012-03-28 09:29:09 +00:00
Ruslan Ermilov
52fcfd042e Fixed calculation of range boundaries. 2012-03-28 06:50:23 +00:00
Maxim Dounin
5d5c866bee Xslt: parser options now set with xmlCtxtUseOptions().
Note that "ctxt->loadsubset = 1" previously used isn't really correct as
ctxt->loadsubset is a bitfield now.  The use of xmlCtxtUseOptions() with
XML_PARSE_DTDLOAD is believed to be a better way to do the same thing.

Patch by Laurence Rowe.
2012-03-28 01:56:49 +00:00
Maxim Dounin
36aef0c383 Fixed unconditional MAX_PATH usage (ticket #22).
POSIX doesn't require it to be defined, and Debian GNU/Hurd doesn't define
it.  Note that if there is no MAX_PATH defined we have to use realpath()
with NULL argument and free() the result.
2012-03-27 16:42:34 +00:00
Maxim Dounin
7b2b17a6b3 Added explicit include of time.h.
Most of the systems have it included due to namespace pollution, but
relying on this is a bad idea.  Explicit include is required for at least
Debian GNU/Hurd.
2012-03-27 16:37:43 +00:00
Maxim Dounin
e34ff16f67 Resolver: added missing sanity checking when creating name queries.
Found by Veracode.
2012-03-22 11:57:18 +00:00
Maxim Dounin
8e6728ef13 Win32: added missing call to srand().
Found by Veracode.
2012-03-22 10:45:08 +00:00
Maxim Dounin
1aa5fbb1a8 Added xslt_param and xslt_string_param directives.
Based on patch by Samuel Behan.
2012-03-22 10:44:00 +00:00
Maxim Dounin
3333c6c7c8 Fixed off-by-one in xslt parameter parsing.
The problem was introduced in 0.7.44 (r2589) during conversion to complex
values.  Previously string.len included space for terminating NUL, but
with complex values it doesn't.
2012-03-22 10:43:33 +00:00
Maxim Dounin
ae11f08cad Restricted keepalive_disable safari to OS X only.
The problem doesn't affect non-Apple systems for sure, and many pretend
to be Safari now.

Prodded by Piotr Sikora.
2012-03-22 10:42:27 +00:00
Maxim Dounin
dc863179a3 Removed safari from keepalive_disable default.
The bug in question is likely already fixed (though unfortunately we have
no information available as Apple's bugtracker isn't open), and the
workaround seems to be too pessimistic for modern versions of Safari
as well as other webkit-based browsers pretending to be Safari.
2012-03-22 10:41:29 +00:00
Ruslan Ermilov
fbd32d4d19 worker_cpu_affinity: cleaned up Linux implementation, added FreeBSD support. 2012-03-21 13:58:51 +00:00
Ruslan Ermilov
d4b1e5f58b If we inserted "Last-Modified" in r->headers_out.headers, don't
forget to set the r->headers_out.last_modified pointer to it.
2012-03-21 07:35:43 +00:00
Ruslan Ermilov
89467caf43 Minor ngx_http_headers_filter_module.c code cleanup.
- Removed "hash" element from ngx_http_header_val_t which was always 1.
- Replaced NGX_HTTP_EXPIRES_* with ngx_http_expires_t enum type.
- Added prototype for ngx_http_add_header()
- Simplified ngx_http_set_last_modified().
2012-03-21 06:19:11 +00:00
Maxim Konovalov
acf6c79ac7 For the sake of case/switch code readability, 'fall through'
comments added.
2012-03-19 14:57:29 +00:00
Ruslan Ermilov
926ded6f4c Implemented $tcpinfo_rtt, $tcpinfo_rttvar, $tcpinfo_snd_cwnd, and
$tcpinfo_rcv_space variables.  Supported on Linux and FreeBSD.
2012-03-16 19:15:33 +00:00
Ruslan Ermilov
5d1d368cf4 Local variable "ngx_http_next_filter" renamed to "ngx_http_next_body_filter"
for consistency with other modules.
2012-03-15 20:08:58 +00:00
Ruslan Ermilov
849e3b09ae The "error_log" directive specified in the "http", "server", and
"location" sections now understands the special "stderr" parameter.
It was already treated specially when specified in the main section.
2012-03-15 20:04:50 +00:00
Ruslan Ermilov
091f6ffce6 Slight optimization in ngx_http_get_variable_index(). 2012-03-15 19:41:35 +00:00
Ruslan Ermilov
06733ae8cf - New variable: $connection_requests.
- While here, fixed format specifier for $connection.
2012-03-15 19:37:32 +00:00
Maxim Dounin
d694ff7798 Version bump. 2012-03-15 17:43:54 +00:00
Maxim Dounin
d1ed97b18b Headers with null character are now rejected.
Headers with NUL character aren't allowed by HTTP standard and may cause
various security problems.  They are now unconditionally rejected.
2012-03-15 11:27:57 +00:00
Maxim Dounin
eb526b7d7d Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.

Reported by Matthew Daley.
2012-03-15 11:27:12 +00:00
Maxim Dounin
030e235ec7 Fixed ssi and perl interaction.
Embedded perl module assumes there is a space for terminating NUL character,
make sure to provide it in all situations by allocating one extra byte for
value buffer.  Default ssi_value_length is reduced accordingly to
preserve 256 byte allocations.

While here, fixed another one byte value buffer overrun possible in
ssi_quoted_symbol_state.

Reported by Matthew Daley.
2012-03-15 11:23:07 +00:00
Maxim Dounin
205394e6f9 Uwsgi: merged r->http_version fixes from scgi module.
Fixed incorrect use of r->http_version (r4372).  Removed duplicate function
declaration (r4373).  Removed error if there is no Status header (r4374).
2012-03-15 11:21:54 +00:00
Maxim Dounin
ee187436af Whitespace fixes. 2012-03-05 18:09:06 +00:00
Maxim Dounin
382499aa1f Version bump. 2012-03-05 18:06:15 +00:00
Maxim Dounin
a95c85e78a Raised simultaneous subrequest limit from 50 to 200.
It wasn't enforced for a long time, and there are reports that people
use up to 100 simultaneous subrequests now.  As this is a safety limit
to prevent loops, it's raised accordingly.
2012-02-28 14:54:23 +00:00
Maxim Dounin
db402276e1 Added msleep() on reload to allow new processes to start.
This is expected to ensure smoother operation on reload (and with less
chance of listen queue overflows).

Prodded by Igor Sysoev.
2012-02-28 11:40:18 +00:00
Ruslan Ermilov
b74f8ffce4 Fixed spelling in single-line comments. 2012-02-28 11:31:05 +00:00
Maxim Dounin
c66a1e7a17 Workaround for fs_size on ZFS (ticket #46).
ZFS reports incorrect st_blocks until file settles on disk, and this
may take a while (i.e. just after creation of a file the st_blocks value
is incorrect).  As a workaround we now use st_blocks only if
st_blocks * 512 > st_size, this should fix ZFS problems while still
preserving accuracy for other filesystems.

The problem had appeared in r3900 (1.0.1).
2012-02-28 11:09:02 +00:00
Maxim Dounin
7ca6c1ff78 Fix of rbtree lookup on hash collisions.
Previous code incorrectly assumed that nodes with identical keys are linked
together.  This might not be true after tree rebalance.

Patch by Lanshun Zhou.
2012-02-27 22:15:39 +00:00
Maxim Dounin
53d9677de4 Fixed null pointer dereference in resolver (ticket #91).
The cycle->new_log.file may not be set before config parsing finished if
there are no error_log directive defined at global level.  Fix is to
copy it after config parsing.

Patch by Roman Arutyunyan.
2012-02-27 16:57:02 +00:00
Valentin Bartenev
5c95f88503 Disable symlinks: added the "from=" parameter to the "disable_symlinks"
directive.
2012-02-27 16:54:10 +00:00
Valentin Bartenev
0e05ca0404 Disable symlinks: initialization of the "disable_symlinks" field in
ngx_open_file_info_t moved to a separate function.

This is preparation for the "from=" parameter implementation of the
"disable_symlinks" directive.
2012-02-27 16:51:28 +00:00
Valentin Bartenev
346791187f Disable symlinks: added the "from" parameter support to the open file cache. 2012-02-27 16:46:57 +00:00
Ruslan Ermilov
1c57fb8790 Added support for the 307 Temporary Redirect. 2012-02-27 11:43:40 +00:00
Ruslan Ermilov
09422e632f Renamed constants and fixed off-by-one error in "msie_padding on" handling. 2012-02-22 16:23:29 +00:00
Maxim Dounin
b5d0d7a232 Event pipe: fixed buffer loss in p->length case.
With previous code raw buffer might be lost if p->input_filter() was called
on a buffer without any data and used ngx_event_pipe_add_free_buf() to
return it to the free list.  This eventually might cause "all buffers busy"
problem, resulting in segmentation fault due to null pointer dereference in
ngx_event_pipe_write_chain_to_temp_file().

In ngx_event_pipe_add_free_buf() the buffer was added to the list start
due to pos == last, and then "p->free_raw_bufs = cl->next" in
ngx_event_pipe_read_upstream() dropped both chain links to the buffer
from the p->free_raw_bufs list.

Fix is to move "p->free_raw_bufs = cl->next" before calling the
p->input_filter().
2012-02-22 11:28:53 +00:00
Valentin Bartenev
86c5513ecb Disable symlinks: use O_SEARCH|O_DIRECTORY to open path components. 2012-02-21 15:10:13 +00:00
Valentin Bartenev
15b3173c5e Disable symlinks: don't allow creating or truncating a file via a symlink in
the last path component if "if_not_owner" parameter is used.

To prevent race condition we have to open a file before checking its owner and
there's no way to change access flags for already opened file descriptor, so
we disable symlinks for the last path component at all if flags allow creating
or truncating the file.
2012-02-21 15:04:41 +00:00
Valentin Bartenev
8c27e6429a Disable symlinks: cleanups once again.
In collaboration with Ruslan Ermilov.
2012-02-21 15:01:25 +00:00
Maxim Dounin
7ba66f42a0 Disable symlinks: added explicit cast of AT_FDCWD (ticket #111).
Solaris has AT_FDCWD defined to unsigned value, and comparison of a file
descriptor with it causes warnings in modern versions of gcc.  Explicitly
cast AT_FDCWD to ngx_fd_t to resolve these warnings.
2012-02-20 19:14:35 +00:00
Maxim Dounin
6bb86e3d58 Disable symlinks: error handling cleanup again. 2012-02-20 19:14:07 +00:00
Maxim Dounin
3c00e341ea Version bump. 2012-02-20 19:12:48 +00:00
Maxim Dounin
32b000bad7 Disable symlinks: fixed edge cases of path handling.
This includes non-absolute pathnames, multiple slashes and trailing
slashes.  In collaboration with Valentin Bartenev.
2012-02-15 12:18:55 +00:00
Maxim Dounin
04015a48ca Disable symlinks: cleanup error handling.
Notably this fixes NGX_INVALID_FILE/NGX_FILE_ERROR mess, and adds
logging of close() errors.  In collaboration with Valentin Bartenev.
2012-02-15 12:17:24 +00:00
Andrey Belov
8ce8f6667f Support for disable_symlinks in various modules. 2012-02-13 16:32:21 +00:00
Andrey Belov
bd1e719bf9 Added disable_symlinks directive.
To completely disable symlinks (disable_symlinks on)
we use openat(O_NOFOLLOW) for each path component
to avoid races.

To allow symlinks with the same owner (disable_symlinks if_not_owner),
use openat() (followed by fstat()) and fstatat(AT_SYMLINK_NOFOLLOW),
and then compare uids between fstat() and fstatat().

As there is a race between openat() and fstatat() we don't
know if openat() in fact opened symlink or not.  Therefore,
we have to compare uids even if fstatat() reports the opened
component isn't a symlink (as we don't know whether it was
symlink during openat() or not).

Default value is off, i.e. symlinks are allowed.
2012-02-13 16:29:04 +00:00
Andrey Belov
32c8df44d5 Changed ngx_open_and_stat_file() to use ngx_str_t.
No functional changes.
2012-02-13 16:16:45 +00:00
Andrey Belov
71205c3fbc Added openat()/fstatat(). 2012-02-13 16:13:21 +00:00
Maxim Dounin
9f38b20db5 Time parsing cleanup.
Nuke NGX_PARSE_LARGE_TIME, it's not used since 0.6.30.  The only error
ngx_parse_time() can currently return is NGX_ERROR, check it explicitly
and make sure to cast it to appropriate type (either time_t or ngx_msec_t)
to avoid signedness warnings on platforms with unsigned time_t (notably QNX).
2012-02-13 15:41:11 +00:00
Maxim Dounin
8cb7134f49 Fixed build with embedded perl and --with-openssl. 2012-02-13 15:38:48 +00:00
Maxim Dounin
7dff998495 Core: protection from cycles with named locations and post_action.
Now redirects to named locations are counted against normal uri changes
limit, and post_action respects this limit as well.  As a result at least
the following (bad) configurations no longer trigger infinite cycles:

1. Post action which recursively triggers post action:

    location / {
        post_action /index.html;
    }

2. Post action pointing to nonexistent named location:

    location / {
        post_action @nonexistent;
    }

3. Recursive error page for 500 (Internal Server Error) pointing to
   a nonexistent named location:

    location / {
        recursive_error_pages on;
        error_page 500 @nonexistent;
        return 500;
    }
2012-02-13 15:35:48 +00:00
Maxim Dounin
1b0ad6ee72 Core: protection from subrequest loops.
Without the protection, subrequest loop results in r->count overflow and
SIGSEGV.  Protection was broken in 0.7.25.

Note that this also limits number of parallel subrequests.  This
wasn't exactly the case before 0.7.25 as local subrequests were
completed directly.

See here for details:
http://nginx.org/pipermail/nginx-ru/2010-February/032184.html
2012-02-13 15:33:08 +00:00
Maxim Dounin
947fc03ca3 Variables: honor no_cacheable for not_found variables.
Variables with the "not_found" flag set follow the same rules as ones with
the "valid" flag set.  Make sure ngx_http_get_flushed_variable() will flush
non-cacheable variables with the "not_found" flag set.

This fixes at least one known problem with $args not available in a subrequest
(with args) when there were no args in the main request and $args variable was
queried in the main request (reported by Laurence Rowe aka elro on irc).

Also this eliminates unneeded call to ngx_http_get_indexed_variable() in
cacheable case (as it will return cached value anyway).
2012-02-13 15:31:07 +00:00
Maxim Dounin
01c133cda4 Fix for proxy_store leaving temporary files for subrequests.
Temporary files might not be removed if the "proxy_store" or "fastcgi_store"
directives were used for subrequests (e.g. ssi includes) and client closed
connection prematurely.

Non-active subrequests are finalized out of the control of the upstream
module when client closes a connection.  As a result, the code to remove
unfinished temporary files in ngx_http_upstream_process_request() wasn't
executed.

Fix is to move relevant code into ngx_http_upstream_finalize_request() which
is called in all cases, either directly or via the cleanup handler.
2012-02-13 15:28:19 +00:00
Maxim Dounin
71ce7a13ed Gzip filter: handling of empty flush buffers.
Empty flush buffers are legitimate and may happen e.g. due to $r->flush()
calls in embedded perl.  If there are no data buffered in zlib, deflate()
will return Z_BUF_ERROR (i.e. no progress possible) without adding anything
to output.  Don't treat Z_BUF_ERROR as fatal and correctly send empty flush
buffer if we have no data in output at all.

See this thread for details:
http://mailman.nginx.org/pipermail/nginx/2010-November/023693.html
2012-02-13 15:23:43 +00:00
Maxim Dounin
37c6228d43 Removed r->cache/r->cached dependencies in range filter.
This is a layering violation, use correct offset calculations instead.
2012-02-13 15:20:49 +00:00
Valentin Bartenev
a113cb3543 Proxy: added the "proxy_cookie_path" directive. 2012-02-13 11:08:05 +00:00
Valentin Bartenev
e9df2d6f46 Proxy: added the "proxy_cookie_domain" directive. 2012-02-13 11:04:45 +00:00
Valentin Bartenev
b3e3b2e75a Upstream: added callback hook for the "Set-Cookie" header.
No functional changes.
2012-02-13 11:01:58 +00:00
Valentin Bartenev
85551e58fe Proxy: generic regex related code from the "proxy_redirect" directive moved
to a separate function.

No functional changes.
2012-02-13 11:00:08 +00:00
Valentin Bartenev
7c611aa186 Proxy: generic rewrite code from the "proxy_redirect" handlers moved to a
separate function with trivial optimization.

No functional changes.
2012-02-13 10:56:09 +00:00
Valentin Bartenev
582dac116d Proxy: renamed some "proxy_redirect" related declarations to a more general and
reusable.

No functional changes.
2012-02-13 10:42:44 +00:00
Maxim Dounin
060b92451b Upstream: fixed "too big header" check.
If header filter postponed processing of a header by returning NGX_AGAIN
and not moved u->buffer->pos, previous check incorrectly assumed there
is additional space and did another recv() with zero-size buffer.  This
resulted in "upstream prematurely closed connection" error instead
of correct "upstream sent too big header" one.

Patch by Feibo Li.
2012-02-10 14:31:04 +00:00
Valentin Bartenev
891b43db32 Added ngx_ncpu detection for most *nix platforms.
This inaccurate detection by using sysconf(_SC_NPROCESSORS_ONLN) can improve
usage of the mutex lock optimization on multicore systems.
2012-02-10 11:24:19 +00:00
Valentin Bartenev
9e8708cbd6 Limit conn: returned to the old behavior of using the first actual limit on
the way.

It was unintentionally changed in r4272, so that it could only limit the first
location where the processing of the request has reached PREACCESS phase.
2012-02-10 10:48:58 +00:00
Valentin Bartenev
e35ff2a08c Fixed module name in comment. It was forgotten in r4281. 2012-02-10 09:56:37 +00:00
Maxim Dounin
0f3d6715e7 Version bump. 2012-02-09 16:18:02 +00:00
Maxim Dounin
11cc9dac44 Limit req: unbreak compilation with MSVC. 2012-01-30 13:19:25 +00:00
Valentin Bartenev
fbf7a0a48a Fixed memory leak on HUP signal when PCRE JIT was used.
The PCRE JIT compiler uses mmap to allocate memory for its executable codes, so
we have to explicitly call the pcre_free_study() function to free this memory.
2012-01-30 12:53:57 +00:00
Valentin Bartenev
3feafa765f Fixed proxy_redirect off inheritance.
Example configuration to reproduce:

  server {
      proxy_redirect off;

      location / {
          proxy_pass http://localhost:8000;
          proxy_redirect http://localhost:8000/ /;

          location ~ \.php$ {
              proxy_pass http://localhost:8000;
              # proxy_redirect must be inherited from the level above,
              # but instead it was switched off here
          }
      }
  }
2012-01-30 11:22:56 +00:00
Maxim Dounin
4a23bc5705 Fixed error handling in ngx_event_connect_peer().
Previously if ngx_add_event() failed a connection was freed two times (once
in the ngx_event_connect_peer(), and again by a caller) as pc->connection was
left set.  Fix is to always use ngx_close_connection() to close connection
properly and set pc->connection to NULL on errors.

Patch by Piotr Sikora.
2012-01-30 11:12:52 +00:00
Valentin Bartenev
b06200f3dc Limit req: support for multiple "limit_req" limits. 2012-01-30 10:17:56 +00:00
Valentin Bartenev
73d0b6a721 Limit req: number of cleanup calls reduced.
Doing a cleanup before every lookup seems to be too aggressive. It can lead to
premature removal of the nodes still usable, which increases the amount of work
under a mutex lock and therefore decreases performance.

In order to improve cleanup behavior, cleanup function call has been moved right
before the allocation of a new node.
2012-01-30 10:01:39 +00:00
Valentin Bartenev
8dab3b5a39 Limit req: allocation and initialization of a new node moved to the lookup
function.

No functional changes.
2012-01-30 09:41:49 +00:00
Valentin Bartenev
5f5205ba87 Limit req: improved error handling when parsing "zone" parameter of
"limit_req_zone" directive; minimum size of zone is increased.

Previously an unsigned variable was used to keep the return value of
ngx_parse_size() function, which led to an incorrect zone size if NGX_ERROR
was returned.

The new code has been taken from the "limit_conn_zone" directive.
2012-01-30 09:26:08 +00:00
Valentin Bartenev
d4dbf6ad59 Limit req: error messages fixed. 2012-01-30 09:02:29 +00:00
Maxim Dounin
b3e461e63c Fixed AIO error handling on FreeBSD.
The aio_return() must be called regardless of the error returned by
aio_error().  Not calling it resulted in various problems up to segmentation
faults (as AIO events are level-triggered and were reported again and again).

Additionally, in "aio sendfile" case r->blocked was incremented in case of
error returned from ngx_file_aio_read(), thus causing request hangs.
2012-01-30 07:39:47 +00:00
Maxim Dounin
90a7a8f5d9 Removed ENGINE_load_builtin_engines() call.
It's already called by OPENSSL_config().  Calling it again causes some
openssl engines (notably GOST) to corrupt memory, as they don't expect
to be created more than once.
2012-01-30 07:38:27 +00:00
Valentin Bartenev
94992aa62e Fixed grammar in PCRE JIT error log message. 2012-01-24 10:20:42 +00:00
Maxim Konovalov
f8d59e33f3 Copyright updated. 2012-01-18 15:07:43 +00:00
Maxim Konovalov
8e1ef760da Version bump. 2012-01-18 15:04:17 +00:00
Maxim Konovalov
4fb388107b Version bump. 2012-01-18 14:33:17 +00:00
Valentin Bartenev
363a0c53e7 Fixed division by zero exception in ngx_hash_init().
The ngx_hash_init() function did not expect call with zero elements count,
which caused FPE error on configs with an empty "types" block in http context
and "types_hash_max_size" > 10000.

Example configuration to reproduce:

  events { }

  http {
          types_hash_max_size 10001;
          types {}
          server {}
  }
2012-01-16 12:42:07 +00:00
Maxim Dounin
b904676b5e Fixed sched_setaffinity(2) to correctly pass size.
Second argument (cpusetsize) is size in bytes, not in bits.  Previously
used constant 32 resulted in reading of uninitialized memory and caused
EINVAL to be returned on some Linux kernels.
2012-01-16 11:13:48 +00:00
Maxim Dounin
9572920af0 Fixed handling of mp4 above 2G and 32bit offsets (ticket #84). 2012-01-16 11:03:27 +00:00
Maxim Dounin
2c55914a9f Fixed proxy_cache_use_stale in "no live upstreams" case. 2012-01-16 11:01:52 +00:00
Maxim Dounin
4efcbce328 Added support for TLSv1.1, TLSv1.2 in ssl_protocols directive.
Support for TLSv1.1 and TLSv1.2 protocols was introduced in OpenSSL 1.0.1
(-beta1 was recently released).  This change makes it possible to disable
these protocols and/or enable them without other protocols.
2012-01-11 11:15:00 +00:00
Maxim Dounin
f2ef9db230 Fixed limit_req burst/nodelay inheritance (ticket #76).
The problem was introduced in r4381 (1.1.12).
2012-01-11 11:09:05 +00:00
Valentin Bartenev
b8ef9d9255 Fixed: proxy_redirect with regex might broke Refresh header.
The problem was localized in ngx_http_proxy_rewrite_redirect_regex() handler
function which did not take into account prefix when overwriting header value.
2012-01-10 15:09:45 +00:00
Ruslan Ermilov
d55ce18c95 Changed ngx_log_debugN() macros to verify the number of arguments
when built with debugging.
2012-01-10 07:28:32 +00:00
Maxim Dounin
11f09dd07d Version bump. 2011-12-27 11:56:48 +00:00
Valentin Bartenev
bc5191c7bc Added support for regex study and PCRE JIT (ticket #41) optimizations on
configuration phase.
2011-12-26 13:10:36 +00:00
Maxim Dounin
947bdfa7fe Fixed build without debug. 2011-12-26 11:33:11 +00:00
Maxim Dounin
da8a43dee9 Cache lock support for fastcgi, scgi, uwsgi. 2011-12-26 11:16:19 +00:00
Maxim Dounin
822fe46934 Cache locks initial implementation.
New directives: proxy_cache_lock on/off, proxy_cache_lock_timeout.  With
proxy_cache_lock set to on, only one request will be allowed to go to
upstream for a particular cache item.  Others will wait for a response
to appear in cache (or cache lock released) up to proxy_cache_lock_timeout.

Waiting requests will recheck if they have cached response ready (or are
allowed to run) every 500ms.

Note: we intentionally don't intercept NGX_DECLINED possibly returned by
ngx_http_file_cache_read().  This needs more work (possibly safe, but needs
further investigation).  Anyway, it's exceptional situation.

Note: probably there should be a way to disable caching of responses
if there is already one request fetching resource to cache (without waiting
at all).  Two possible ways include another cache lock option ("no_cache")
or using proxy_no_cache with some supplied variable.

Note: probably there should be a way to lock updating requests as well.  For
now "proxy_cache_use_stale updating" is available.
2011-12-26 11:15:23 +00:00
Maxim Dounin
0c88994a03 Fixed interaction of limit_rate and sendfile_max_chunk.
It's possible that configured limit_rate will permit more bytes per
single operation than sendfile_max_chunk.  To protect disk from takeover
by a single client it is necessary to apply sendfile_max_chunk as a limit
regardless of configured limit_rate.

See here for report (in Russian):
http://mailman.nginx.org/pipermail/nginx-ru/2010-March/032806.html
2011-12-26 10:51:24 +00:00
Maxim Dounin
41a77d183c Fixed throughput problems with large limit_rate.
Previous attempt to fix this was in r1658 (0.6.18), though that one wasn't
enough (it was a noop).
2011-12-26 10:49:57 +00:00
Maxim Dounin
6a56732e98 Fixed mp4 if first entry in stsc was skipped (ticket #72).
If first entry in stsc atom was skipped, and seek was to chunk boundary,
than first_chunk in the generated stsc table wasn't set to 1.
2011-12-26 10:49:03 +00:00
Valentin Bartenev
b65597ecd5 SSI: added regex captures support in the expression of the "if" command. 2011-12-25 20:08:37 +00:00
Valentin Bartenev
39f01e526f Fixed limit_conn_log_level/limit_req_log_level inheritance.
The directives did not work if there were no limit_conn/limit_req specified on
the same level.
2011-12-25 19:32:31 +00:00
Maxim Dounin
aa4492612b Proxy: made proxy_pass with variables more consistent.
If proxy_pass was used with variables and there was no URI component,
nginx always used unparsed URI.  This isn't consistent with "no variables"
case, where e.g. rewrites are applied even if there is no URI component.

Fix is to use the same logic in both cases, i.e. only use unparsed URI if
it's valid and request is the main one.
2011-12-23 16:04:09 +00:00
Maxim Dounin
d79f4523f8 Added clearing of r->valid_unparsed_uri on internal redirects.
This resolves issue with try_files (see ticket #70), configuration like

   location / { try_files $uri /index.php; }
   location /index.php { proxy_pass http://backend; }

caused nginx to use original request uri in a request to a backend.

Historically, not clearing of the r->valid_unparsed_uri on internal redirect
was a feature: it allowed to pass the same request to (another) upstream
server via error_page redirection.  Since then named locations appeared
though, and it's time to start resetting r->valid_unparsed_uri on internal
redirects.  Configurations still using this feature should be converted
to use named locations instead.

Patch by Lanshun Zhou.
2011-12-19 14:11:48 +00:00
Valentin Bartenev
c5968a998c SSI bugfix: the "if" command did not work inside the "block" command and
produced parsing errors.
2011-12-19 13:28:22 +00:00
Maxim Dounin
8a85ab8e20 Scgi: removed error if there is no Status header.
The SCGI specification doesn't specify format of the response, and assuming
CGI specs should be used there is no reason to complain.  RFC 3875
explicitly states that "A Status header field is optional, and status
200 'OK' is assumed if it is omitted".
2011-12-19 11:25:40 +00:00
Maxim Dounin
32e2038026 Scgi: removed duplicate function declaration. 2011-12-19 11:24:32 +00:00
Maxim Dounin
4d1e32d9d8 Fixed incorrect use of r->http_version in scgi module.
The r->http_version is a version of client's request, and modules must
not set it unless they are really willing to downgrade protocol version
used for a response (i.e. to HTTP/0.9 if no response headers are available).
In neither case r->http_version may be upgraded.

The former code downgraded response from HTTP/1.1 to HTTP/1.0 for no reason,
causing various problems (see ticket #66).  It was also possible that
HTTP/0.9 requests were upgraded to HTTP/1.0.
2011-12-19 11:23:16 +00:00
Maxim Dounin
afb7f22c03 Version bump. 2011-12-19 11:21:46 +00:00
Maxim Dounin
614a7ef18d Cache: only complain on long locked entries.
There have been multiple reports of cases where a real locked entry was
removed, resulting in a segmentation fault later in a worker which locked
the entry.  It looks like default inactive timeout isn't enough in real
life.

For now just ignore such locked entries, and move them to the top of the
inactive queue to allow processing of other entries.
2011-12-12 10:49:14 +00:00
Maxim Dounin
64a9f70092 Cache: handling of cache files with long headers.
There are two possible situations which can lead to this: response was
cached with bigger proxy_buffer_size value (and nginx was restared since
then, i.e. shared memory zone content was lost), or due to the race in
the cache update code (see [1]) we've end up with fcn->body_start from
a different response stored in shared memory zone.

[1] http://mailman.nginx.org/pipermail/nginx-devel/2011-September/001287.html
2011-12-12 10:47:48 +00:00
Maxim Dounin
b839e6febb Cache: obsolete code removed.
The ngx_http_cache() and ngx_http_no_cache_set_slot() functions were replaced
by ngx_http_test_predicates() and ngx_http_set_predicate_slot() in 0.8.46 and
no longer used since then.
2011-12-12 10:46:43 +00:00
Ruslan Ermilov
f28b7e8ef3 Renamed some constants to improve readability, no functional changes. 2011-12-12 10:45:05 +00:00
Valentin Bartenev
0be9554bda Proxy: added variables and regexp support to the first parameter of
the "proxy_redirect" directive.
2011-12-12 09:02:29 +00:00
Maxim Dounin
ae0e919135 Microoptimization of sendfile(2) usage under FreeBSD.
FreeBSD kernel checks headers/trailers pointer against NULL, not
corresponding count.  Passing NULL if there are no headers/trailers
helps to avoid unneeded work in kernel, as well as unexpected 0 bytes
GIO in traces.
2011-12-11 16:30:42 +00:00
Valentin Bartenev
8d3ef1a3b3 Fixed: some of $sent_http_* variables may contain header entries that actually
haven't been sent to a client.

The ngx_http_variable_headers() and ngx_http_variable_unknown_header() functions
did not ignore response header entries with zero "hash" field.

Thanks to Yichun Zhang (agentzh).
2011-12-09 16:17:12 +00:00
Valentin Bartenev
247332a1e2 Added the $https variable. 2011-12-09 14:38:11 +00:00
Valentin Bartenev
df54c36d90 SCGI: added "if_not_empty" flag support to the "scgi_param" directive. 2011-12-09 14:03:06 +00:00
Valentin Bartenev
582b5319b7 uwsgi: added "if_not_empty" flag support to the "uwsgi_param" directive. 2011-12-09 13:47:04 +00:00
Valentin Bartenev
a826eb6720 FastCGI: added "if_not_empty" flag support to the "fastcgi_param" directive. 2011-12-09 13:32:51 +00:00
Valentin Bartenev
50546b26d9 Added the ngx_http_upstream_param_set_slot(). 2011-12-09 13:19:57 +00:00
Ruslan Ermilov
59a2b77039 - Improved error message when parsing of the "buffer" parameter of the
"access_log" directive fails.

- Added a warning if "log_format" is used in contexts other than "http".
2011-12-06 21:07:10 +00:00
Valentin Bartenev
5ee62edffe Removed unused function ngx_regex_capture_count().
The function has been unused since r3326.
2011-12-06 15:49:40 +00:00
Maxim Dounin
8618370487 Fix for read_head with try_files and open_file_cache.
The of.read_ahead wasn't set in try_files code path, causing read_ahead
directive to be a nop if try_files and open_file_cache were used.
2011-12-06 13:23:37 +00:00
Maxim Dounin
08f2256b29 Version bump. 2011-12-06 13:22:32 +00:00
Valentin Bartenev
92edf47ff9 Added the "so_keepalive=" parameter to the "listen" directive.
The "so_keepalive" directive in mail module was deprecated.

Thanks to Vsevolod Stakhov for initial work.
2011-12-05 08:06:15 +00:00
Maxim Dounin
c09d65b179 Fixed AIO on Linux, broken in r4306.
Events from eventfd do not have c->write set, and the stale event
check added in r4306 causes null pointer dereference.
2011-11-29 17:27:13 +00:00
Maxim Dounin
b99492595c Version bump. 2011-11-29 17:25:31 +00:00
Maxim Dounin
a4484b1369 Added (void) as we intentionally ignore returned values.
Requested by Igor Sysoev.
2011-11-28 11:01:42 +00:00
Maxim Dounin
1d13c0dd34 Allowed add_header for proxied 206 replies.
It was working for nginx's own 206 replies as they are seen as 200 in the
headers filter module (range filter goes later in the headers filter chain),
but not for proxied replies.
2011-11-28 10:00:47 +00:00
Valentin Bartenev
1373558163 Added support for IP-literal in the Host header and request line (ticket #1).
Additional parsing logic added to correctly handle RFC 3986 compliant IPv6 and
IPvFuture characters enclosed in square brackets.

The host validation was completely rewritten. The behavior for non IP literals
was changed in a more proper and safer way:

 - Host part is now delimited either by the first colon or by the end of string
   if there's no colon. Previously the last colon was used as delimiter which
   allowed substitution of a port number in the $host variable.
   (e.g. Host: 127.0.0.1:9000:80)

 - Fixed stripping of the ending dot in the Host header when the host was also
   followed by a port number.
   (e.g. Host: nginx.com.:80)

 - Fixed upper case characters detection. Previously it was broken which led to
   wasting memory and CPU.
2011-11-28 09:15:33 +00:00
Maxim Dounin
1b9b19d7e2 Added escaping of double quotes in ngx_escape_html().
Patch by Zaur Abasmirzoev.
2011-11-25 16:36:02 +00:00
Maxim Dounin
13717da19e Unlock of shared memory zones on process crash.
If process exited abnormally while holding lock on some shared memory zone -
unlock it.  It may be not safe thing to do (as crash with lock held may
result in corrupted shared memory structure, and other processes will
subsequently crash while trying to access shared data), therefore complain
loudly if unlock succeeds.
2011-11-23 14:09:19 +00:00
Maxim Dounin
ddb7cd1c41 Fixed build without atomic operations. 2011-11-23 14:07:06 +00:00
Maxim Dounin
91ecc8f43c Added shmtx interface to forcibly unlock mutexes.
It is currently used from master process on abnormal worker termination to
unlock accept mutex (unlocking of accept mutex was broken in 1.0.2).  It is
expected to be used in the future to unlock other mutexes as well.

Shared mutex code was rewritten to make this possible in a safe way, i.e.
with a check if lock was actually held by the exited process.  We again use
pid to lock mutex, and use separate atomic variable for a count of processes
waiting in sem_wait().
2011-11-23 13:55:38 +00:00
Ruslan Ermilov
1e5f239170 Fixed "rotate" to always work when combined with "resize/crop". 2011-11-23 10:22:44 +00:00
Ruslan Ermilov
ca2cce23cc Cosmetics. 2011-11-23 10:16:30 +00:00
Igor Sysoev
79df789b47 Fix of mp4 module seeking. 2011-11-23 07:22:15 +00:00
Maxim Dounin
7f59728d5b Protection from stale write events in epoll.
Stale write event may happen if epoll_wait() reported both read and write
events, and processing of the read event closed descriptor.

Patch by Yichun Zhang (agentzh).
2011-11-22 17:02:21 +00:00
Maxim Dounin
0560ae55bc Fixed segfault on ssl servers without cert with SNI (ticket #54).
Non-default servers may not have ssl context created if there are no
certificate defined.  Make sure to check if ssl context present before
using it.
2011-11-22 16:27:45 +00:00
Ruslan Ermilov
1725621e8a Fixed "keepalive_disable".
Patch by Alexander Usov.  The bug has been introduced in r4267.
2011-11-21 07:31:59 +00:00
Maxim Konovalov
f61b7b3a83 FreeBSD 10-current has recently gotten POSIX_FADV_* macros.
A fix for the broken build applied.

Patch from Igor Sysoev.
2011-11-18 18:42:00 +00:00
Maxim Dounin
e0c1a63028 Upstream: don't cache unfinished responses.
Check if received data length match Content-Length header (if present),
don't cache response if no match found.  This prevents caching of corrupted
response in case of premature connection close by upstream.
2011-11-18 15:09:08 +00:00
Maxim Dounin
5eef168a22 Fixed flv header to match specification.
Used "\x5" in 5th byte to claim presence of both audio and video.  Used
previous tag size 0 in the beginning of the flv body (bytes 10 .. 13) as
required by specification (see http://www.adobe.com/devnet/f4v.html).

Patch by Piotr Sikora.
2011-11-18 14:41:01 +00:00
Ruslan Ermilov
777879c832 Silenced a warning for some compilers. 2011-11-16 13:27:33 +00:00
Ruslan Ermilov
bec516bec9 Now nginx uses TTL of a DNS response when calculating cache validity.
Previously it used a hardcoded value of 300 seconds.  Also added the
"valid=" parameter to the "resolver" directive that can be used to
override the cache validity time.

Patch by Kirill A. Korinskiy with minor changes.
2011-11-16 13:11:39 +00:00
Valentin Bartenev
963315aca0 Fixed incorrect counting the length of headers in a SCGI request. 2011-11-16 12:51:27 +00:00
Maxim Dounin
2b24a67268 Fixed handling of SIGWINCH/NOACCEPT signal.
After first upgrade it was ignored since r4020 (1.1.1, 1.0.9) as
ngx_daemonized wasn't set.
2011-11-15 20:35:41 +00:00
Maxim Dounin
2fd9b49334 Version bump. 2011-11-15 20:33:37 +00:00
Igor Sysoev
07bb4ed971 Introduction of simple ngx_write_stderr() instead of ngx_log_stderr()
for output of ./configure options, etc., since ngx_log_stderr() output
length is limited by 2048 characters defined as NGX_MAX_ERROR_STR.
2011-11-14 14:59:00 +00:00
Igor Sysoev
dd4490c4e4 Fix of "Content-Length" header of MP4 response if start argument was used.
Patch by Piotr Sikora.
2011-11-14 14:42:48 +00:00
Valentin Bartenev
255e20ad21 Renamed ngx_http_limit_zone_module to ngx_http_limit_conn_module. 2011-11-14 14:04:42 +00:00
Maxim Dounin
80e3cba5fd Reverted incorrect change in internal md5 (part of r3928). 2011-11-14 13:38:02 +00:00
Maxim Dounin
030523dff0 Fixed fastcgi/scgi/uwsgi_param inheritance.
The following problems were fixed:

1. Directive fastcgi_cache affected headers sent to backends in unrelated
   servers / locations (see ticket #45).

2. If-Unmodified-Since, If-Match and If-Range headers were sent to backends
   if fastcgi_cache was used.

3. Cache-related headers were sent to backends if there were no fastcgi_param
   directives and fastcgi_cache was used at server level.
2011-11-14 13:26:18 +00:00
Maxim Dounin
ca01f46103 Separate functions to merge fastcgi/scgi/uwsgi params.
No functional changes.
2011-11-14 13:24:43 +00:00
Maxim Dounin
86a851907b Fixed Upgrade header clearing with proxy_cache.
This was missed in proxy HTTP/1.1 support commit (r4127).
2011-11-14 13:21:10 +00:00
Maxim Dounin
962727b259 Fixed proxy_set_header inheritance with proxy_set_body. 2011-11-14 13:19:56 +00:00
Maxim Dounin
b5984de06b Fixed proxy_set_header inheritance with proxy_cache (ticket #45).
Headers cleared with cache enabled (If-Modified-Since etc.) might be cleared
in unrelated servers/locations without proxy_cache enabled if proxy_cache was
used in some server/location.

Example config which triggered the problem:

    proxy_set_header X-Test "test";
    server { location /1 { proxy_cache name; proxy_pass ... } }
    server { location /2 { proxy_pass ... } }

Another one:

    server {
        proxy_cache name;
        location /1 { proxy_pass ... }
        location /2 { proxy_cache off; proxy_pass ... }
    }

In both cases If-Modified-Since header wasn't sent to backend in location /2.

Fix is to not modify conf->headers_source, but instead merge user-supplied
headers from conf->headers_source and default headers (either cache or not)
into separate headers_merged array.
2011-11-14 13:18:15 +00:00
Sergey Budnevitch
66a60a62cc Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse. 2011-11-14 09:12:15 +00:00
Valentin Bartenev
1dbd331849 Limit zone: added the "limit_conn_zone" directive.
It supersedes old "limit_zone" directive (deprecated accordingly) and uses
syntax consistent with the "limit_req_zone" directive.
2011-11-10 16:25:08 +00:00
Valentin Bartenev
aaf5a5772f Limit zone: support for multiple "limit_conn" limits. 2011-11-10 16:08:13 +00:00
Valentin Bartenev
54660dcf74 Limit zone: rbtree lookup moved to a separate function.
No functional changes.
2011-11-10 15:51:55 +00:00
Ruslan Ermilov
2f37fbc8f9 Changed error message to be more appropriate in the imaginary
"open_file_cache max=0" case.
2011-11-10 09:13:09 +00:00
Igor Sysoev
eb499bab59 Fixed compression pointer processing in DNS response greater than 255 bytes.
Thanks to Ben Hawkes.
2011-11-09 13:54:07 +00:00
Igor Sysoev
d0bcad3445 Fix of "keepalive_disable" directive. 2011-11-08 13:48:23 +00:00
Igor Sysoev
a8963fbbcf The "image_filter_sharpen" directive. 2011-11-08 13:17:14 +00:00
Igor Sysoev
ff2bee1fa9 Ancient incomplete ngx_http_status_module removal. 2011-11-01 15:16:28 +00:00
Igor Sysoev
0d03a44aab Version bump. 2011-11-01 15:10:46 +00:00
Igor Sysoev
a2ffa56106 Silently ignoring a stale global SSL error left after disabled renegotiation. 2011-10-31 14:30:03 +00:00
Maxim Dounin
ca495238bd Fixed segfault on configuration testing with ssl (ticket #37).
The following config caused segmentation fault due to conf->file not
being properly set if "ssl on" was inherited from the http level:

http {
    ssl on;
    server {
    }
}
2011-10-31 09:57:14 +00:00
Maxim Dounin
0d59500343 Event pipe: reduced number of file buffers used.
If possible we now just extend already present file buffer in p->out chain
instead of keeping ngx_buf_t for each buffer we've flushed to disk.  This
saves about 120 bytes of memory per buffer flushed to disk, and resolves
high CPU usage observed in edge cases (due to coalescing these buffers on
send).
2011-10-31 09:54:55 +00:00
Maxim Dounin
59205ce109 Event pipe: fixes for complex protocols.
1. In ngx_event_pipe_write_chain_to_temp_file() make sure to fully write
   all shadow buffers up to last_shadow.  With this change recycled buffers
   cannot appear in p->out anymore.  This also fixes segmentation faults
   observed due to ngx_event_pipe_write_chain_to_temp() not freeing any
   raw buffers while still returning NGX_OK.

2. In ngx_event_pipe_write_to_downstream() we now properly check for busy
   size as a size of buffers, not a size of data in these buffers.  This
   fixes situations where all available buffers became busy (including
   segmentation faults due to this).

3. The ngx_event_pipe_free_shadow_raw_buf() function is dropped.  It's
   incorrect and not needed.
2011-10-31 09:53:16 +00:00
Igor Sysoev
59695881ce Decrease of log level of some SSL handshake errors. 2011-10-25 15:04:09 +00:00
Ruslan Ermilov
f12d6ceb65 Fixed port range checking. 2011-10-25 13:48:43 +00:00
Ruslan Ermilov
c5762451a9 Fixed range checking for the "somaxconn" sysctl. 2011-10-25 13:48:05 +00:00
Igor Sysoev
620718102b Support of several servers in the "resolver" directive.
Patch by Kirill A. Korinskiy.
2011-10-24 16:09:05 +00:00
Igor Sysoev
ba71972b21 Using of junk value in slab allocator similar to modern FreeBSD values. 2011-10-24 15:50:19 +00:00
Igor Sysoev
efc6ecab82 malloc() debugging on MacOSX. 2011-10-24 15:46:48 +00:00
Igor Sysoev
b9c859e6d5 FreeBSD's MALLOC_OPTIONS must be set before any malloc() call.
The bug has been introduced in r3799.
2011-10-24 12:59:01 +00:00
Maxim Dounin
ce61ff9c45 Fixed another return in unix ngx_write_chain_to_file().
Previous patch missed special case for one iovec, it needs total bytes
written to be returned as well.
2011-10-21 11:04:46 +00:00
Maxim Dounin
aecb2eda13 Fixed unix ngx_write_chain_to_file() to return total bytes written.
Previously result of last iteration's writev() was returned.  This was
unnoticed as return value was only used if chain contained only one or
two buffers.
2011-10-20 12:40:26 +00:00
Igor Sysoev
5f81070523 Fixing conflict with SDK off_t definition. 2011-10-20 07:12:45 +00:00
Igor Sysoev
1472e7964b Recent SDKs allow to build IPV6 only for Windows XP or above. 2011-10-20 07:00:04 +00:00
Maxim Dounin
b167c46ca2 Fixed "expires @time" with unknown last modified time (ticket #32). 2011-10-17 17:32:08 +00:00
Maxim Dounin
81b43370d5 Fixed "expires @00h". 2011-10-17 17:30:18 +00:00
Igor Sysoev
6242f77617 Version bump. 2011-10-17 15:39:59 +00:00
Maxim Dounin
31f5a59fae Added clearing of modules' contexts in ngx_http_named_location().
Patch by Yichun Zhang (agentzh).
2011-10-15 21:42:03 +00:00
Maxim Dounin
ba76a89d4b Fixed utf8 decode (ticket #25).
Patch by Alexey Kuts.
2011-10-13 13:56:41 +00:00
Igor Sysoev
d51bcf6f63 Skipping location rewrite phase for server null location. 2011-10-13 12:43:22 +00:00
Maxim Dounin
b713e480ca Better recheck of dead upstream servers.
Previously nginx used to mark backend again as live as soon as fail_timeout
passes (10s by default) since last failure.  On the other hand, detecting
dead backend takes up to 60s (proxy_connect_timeout) in typical situation
"backend is down and doesn't respond to any packets".  This resulted in
suboptimal behaviour in the above situation (up to 23% of requests were
directed to dead backend with default settings).

More detailed description of the problem may be found here (in Russian):
http://mailman.nginx.org/pipermail/nginx-ru/2011-August/042172.html

Fix is to only allow one request after fail_timeout passes, and
mark backend as "live" only if this request succeeds.

Note that with new code backend will not be marked "live" unless "check"
request is completed, and this may take a while in some specific workloads
(e.g. streaming).  This is believed to be acceptable.
2011-10-12 14:22:48 +00:00
Maxim Dounin
72df0f400a Clear old Location header (if any) while adding a new one.
This prevents incorrect behaviour when another redirect is issued within
error_page 302 handler.
2011-10-12 13:28:03 +00:00
Maxim Dounin
8650c1eb24 Wording fix, "many data" is incorrect.
Noted by Piotr Sikora.
2011-10-12 13:24:59 +00:00
Ruslan Ermilov
fc55962698 Fixed two minor bugs in "types" parsing code. 2011-10-12 09:36:21 +00:00
Ruslan Ermilov
b5c3336e3e Fixed grammar in a comment. 2011-10-12 09:34:53 +00:00
Ruslan Ermilov
dce7a0c00f Replaced magic constants representing default values of some directives
with appropriate #define's.
2011-10-12 09:33:43 +00:00
Ruslan Ermilov
51a2423633 Stylistic change in checking the boolean expression. 2011-10-12 09:27:34 +00:00
Igor Sysoev
bfe7be45b8 Preallocating exact number of default MIME types entries. 2011-10-12 09:19:57 +00:00
Ruslan Ermilov
c8fdda4c2f Removed old warning that suggested to use "server_name_in_redirect off"
(now the default) in place of no longer supported "server_name *".
2011-10-12 07:20:20 +00:00
Maxim Dounin
b8203e46a0 Additional headers for proxy/fastcgi/uwsgi/scgi_ignore_headers.
Now the following headers may be ignored as well: X-Accel-Limit-Rate,
X-Accel-Buffering, X-Accel-Charset.
2011-10-11 18:10:49 +00:00
Maxim Dounin
012e6b6378 Handling of Content-Encoding set from perl.
This fixes double gzipping in case of gzip filter being enabled while perl
returns already gzipped response.
2011-10-11 18:01:38 +00:00
Maxim Dounin
0f5f4cb180 Fix for socket leak with "aio sendfile" and "limit_rate".
Second aio post happened when timer set by limit_rate expired while we have
aio request in flight, resulting in "second aio post" alert and socket leak.

The patch adds actual protection from aio calls with r->aio already set to
aio sendfile code in ngx_http_copy_filter().  This should fix other cases
as well, e.g. when sending buffered to disk upstream replies while still
talking to upstream.

The ngx_http_writer() is also fixed to handle the above case (though it's
mostly optimization now).

Reported by Oleksandr V. Typlyns'kyi.
2011-10-11 18:00:23 +00:00
Maxim Dounin
b7af402cc4 Fix for connection drops with AIO.
Connections serving content with AIO to fast clients were dropped with
"client timed out" messages after send_timeout from response start.
2011-10-11 17:58:51 +00:00
Maxim Dounin
5cc1fb1d5b Autoindex: escape html in file names. 2011-10-11 17:57:41 +00:00
Maxim Dounin
6226fe3512 Autoindex: escape '?' in file names.
For files with '?' in their names autoindex generated links with '?' not
escaped.  This resulted in effectively truncated links as '?' indicates
query string start.

This is an updated version of the patch originally posted at [1].  It
introduces generic NGX_ESCAPE_URI_COMPONENT which escapes everything but
unreserved characters as per RFC 3986.  This approach also renders unneeded
special colon processing (as colon is percent-encoded now), it's dropped
accordingly.

[1] http://nginx.org/pipermail/nginx-devel/2010-February/000112.html

Reported by Konstantin Leonov.
2011-10-11 17:56:51 +00:00
Maxim Dounin
e3d6c5a33c Improved access log escaping to better protect other software.
Some character sets (notably ISO-8859-1) have C1 control characters in
upper half, make sure to escape them.

Reported by Jesus Olmos Gonzalez.
2011-10-11 17:54:38 +00:00
Igor Sysoev
0d19f020ba Fixing directive name in error message if types hash size is not enough. 2011-10-11 11:11:44 +00:00
Igor Sysoev
840ef3980c Fixing mp4 module seeking on 32-bit platforms. 2011-10-11 10:12:44 +00:00
Ruslan Ermilov
2fdb547f3a Fixed macro name. 2011-10-10 08:38:28 +00:00
Igor Sysoev
94b5460c70 Releasing memory of idle SSL connection. This saves about 34K per SSL
connection. The SSL_MODE_RELEASE_BUFFERS option is available since
OpenSSL 1.0.0d.
2011-10-07 12:15:20 +00:00
Igor Sysoev
95084f7e1c Disabling SSL compression. This saves about 300K per SSL connection.
The SSL_OP_NO_COMPRESSION option is available since OpenSSL 1.0.0.
2011-10-07 10:59:02 +00:00
Igor Sysoev
3f34960fde Version bump. 2011-10-07 10:41:13 +00:00
Ruslan Ermilov
a610127fe3 Improved ngx_parse_time() code readability. 2011-10-07 08:03:16 +00:00
Ruslan Ermilov
6e86fb02d6 Tweaked error messages. 2011-10-07 07:57:24 +00:00
Igor Sysoev
ab0078a4c8 Version bump. 2011-10-05 13:13:25 +00:00
Maxim Dounin
20139ff13a Fixed cache bypass caching of non-cacheable replies (ticket #21).
If cache was bypassed with proxy_cache_bypass, cache-controlling headers
(Cache-Control, Expires) wasn't considered and response was cached even
if it was actually non-cacheable.

Patch by John Ferlito.
2011-10-05 10:14:21 +00:00
Maxim Dounin
3aba768855 Added uwsgi_buffering and scgi_buffering directives.
Patch by Peter Smit.
2011-09-30 11:53:27 +00:00
Igor Sysoev
f3ae6a6102 Using strtod() instead of atofp() to support a lot of digits after dot in
"start" parameter value.
2011-09-30 09:18:28 +00:00
Igor Sysoev
a40e7eed30 Fix of building on platforms with 32-bit off_t. (closed #23) 2011-09-29 15:19:36 +00:00
Maxim Dounin
5cc90f309d Fixed segmentation fault with empty config on Windows.
See here for report:
http://mailman.nginx.org/pipermail/nginx-ru/2011-September/043288.html
2011-09-27 12:07:09 +00:00
Maxim Dounin
554768dabb Fix for "ssl_session_cache builtin" (broken since 1.1.1, r3993). 2011-09-27 12:06:07 +00:00
Maxim Dounin
886c6295ee Better handling of late upstream creation.
Configuration with duplicate upstream blocks defined after first use, i.e.
like

    server {
        ...
        location / {
            proxy_pass http://backend;
        }
    }

    upstream backend { ... }
    upstream backend { ... }

now correctly results in "duplicate upstream" error.

Additionally, upstream blocks defined after first use now handle various
server directive parameters ("weight", "max_fails", etc.).  Previously
configuration like

    server {
        ...
        location / {
            proxy_pass http://backend;
        }
    }

    upstream backend {
        server 127.0.0.1 max_fails=5;
    }

incorrectly resulted in "invalid parameter "max_fails=5"" error.
2011-09-27 11:18:51 +00:00
Maxim Dounin
b16918ed08 Cache: fix for sending of stale responses.
For normal cached responses ngx_http_cache_send() sends last buffer and then
request finalized via ngx_http_finalize_request() call, i.e. everything is
ok.

But for stale responses (i.e. when upstream died, but we have something in
cache) the same ngx_http_cache_send() sends last buffer, but then in
ngx_http_upstream_finalize_request() another last buffer is send.  This
causes duplicate final chunk to appear if chunked encoding is used (and
resulting problems with keepalive connections and so on).

Fix this by not sending in ngx_http_upstream_finalize_request()
another last buffer if we know response was from cache.
2011-09-27 11:17:11 +00:00
Maxim Dounin
84c58a30e6 Cache: fix for sending of empty responses.
Revert wrong fix for empty responses introduced in 0.8.31 and apply new one,
rewritten to match things done by static module as close as possible.
2011-09-27 11:15:35 +00:00
Maxim Dounin
4a3884ae56 Incorrect special case for "return 204" removed.
The special case in question leads to replies without body in
configuration like

    location / { error_page 404 /zero; return 404; }
    location /zero { return 204; }

while replies with empty body are expected per protocol specs.

Correct one will look like

    if (status == NGX_HTTP_NO_CONTENT) {

        rc = ngx_http_send_header(r);

        if (rc == NGX_ERROR || r->header_only) {
            return rc;
        }

        return ngx_http_send_special(r, NGX_HTTP_LAST);
    }

though it looks like it's better to drop this special case at all.
2011-09-27 11:14:02 +00:00
Maxim Dounin
77ca973d11 Fix for "return 202" not discarding body.
Big POST (not fully preread) to a

    location / {
        return 202;
    }

resulted in incorrect behaviour due to "return" code path not calling
ngx_http_discard_request_body().  The same applies to all "return" used
with 2xx/3xx codes except 201 and 204, and to all "return ... text" uses.

Fix is to add ngx_http_discard_request_body() call to ngx_http_send_response()
function where it looks appropriate.  Discard body call from emtpy gif module
removed as it's now redundant.

Reported by Pyry Hakulinen, see
http://mailman.nginx.org/pipermail/nginx/2011-August/028503.html
2011-09-27 11:13:00 +00:00
Maxim Dounin
ad5ef15e08 Fix for double content when return is used in error_page handler.
Test case:

   location / {
       error_page 405 /nope;
       return 405;
   }

   location /nope {
       return 200;
   }

This is expected to return 405 with empty body, but in 0.8.42+ will return
builtin 405 error page as well (though not counted in Content-Length, thus
breaking protocol).

Fix is to use status provided by rewrite script execution in case
it's less than NGX_HTTP_BAD_REQUEST even if r->error_status set.  This
check is in line with one in ngx_http_script_return_code().

Note that this patch also changes behaviour for "return 302 ..." and
"rewrite ... redirect" used as error handler.  E.g.

    location / {
        error_page 405 /redirect;
        return 405;
    }

    location /redirect {
        rewrite ^ http://example.com/;
    }

will actually return redirect to "http://example.com/" instead of builtin 405
error page with meaningless Location header.  This looks like correct change
and it's in line with what happens on e.g. directory redirects in error
handlers.
2011-09-27 11:11:30 +00:00
Maxim Dounin
bfb42ad97c Fix for incorrect 201 replies from dav module.
Replies with 201 code contain body, and we should clearly indicate it's
empty if it's empty.  Before 0.8.32 chunked was explicitly disabled for
201 replies and as a result empty body was indicated by connection close
(not perfect, but worked).  Since 0.8.32 chunked is enabled, and this
causes incorrect responses from dav module when HTTP/1.1 is used: with
"Transfer-Encoding: chunked" but no chunks at all.

Fix is to actually return empty body in special response handler instead
of abusing r->header_only flag.

See here for initial report:
http://mailman.nginx.org/pipermail/nginx-ru/2010-October/037535.html
2011-09-27 11:09:55 +00:00
Maxim Dounin
5c56f20ae7 Proxy: logging levels tuned, double logging fixed. 2011-09-25 20:04:20 +00:00
Maxim Dounin
aa12f3c7f3 Proxy: whitespaces after chunk size allowed.
Whitespaces after chunk size seems to be be allowed by the "implied *LWS" rule
and emitted by some servers.
2011-09-25 20:03:27 +00:00
Maxim Dounin
28b001f897 Upstream: clearing of u->peer.connection on close.
This fixes crashes observed with some 3rd party balancer modules.  Standard
balancer modules (round-robin and ip hash) explicitly set pc->connection
(aka u->peer.connection) to NULL and aren't affected.
2011-09-25 20:00:36 +00:00
Ruslan Ermilov
b1565cf96b Fixed error message. 2011-09-23 20:15:27 +00:00
Maxim Dounin
afe2e3d082 Fix of separate pool for upstream connections (r4117).
Pool may not be created if connection was created but rejected in connect()
call.  Make sure to check if it is here before trying to destroy it.
2011-09-20 10:00:46 +00:00
Maxim Dounin
265e51aa0b Fixed loss of chain links in ngx_event_pipe_read_upstream(). 2011-09-20 09:56:35 +00:00
Maxim Dounin
d1b9a0388d Fixed loss of chain links in fastcgi module. 2011-09-20 09:56:05 +00:00
Maxim Dounin
e4dab80e80 Fix of cpu hog in event pipe.
If client closed connection in ngx_event_pipe_write_to_downstream(), buffers
in the "out" chain were lost.  This caused cpu hog if all available buffers
were in the "out" chain.  Fix is to call ngx_chain_update_chains() before
checking return code of output filter to avoid loosing buffers in the "out"
chain.

Note that this situation (all available buffers in the "out" chain) isn't
normal, it should be prevented by busy buffers limit.  Though right now it
may happen with complex protocols like fastcgi.  This should be addressed
separately.
2011-09-20 09:55:27 +00:00
Igor Sysoev
c8df23cb29 The "worker_aio_requests" directive.
The default value is 32 AIO simultaneous requests per worker. Previously
they were hardcoded to 1024, and it was too large, since Linux allocated
them early on io_setup(), but not on request itself. So with default value
of /proc/sys/fs/aio-max-nr equal to 65536 only 64 worker processes could
be run simultaneously. 32 AIO requests are enough for modern disks even if
server runs only 1 worker.
2011-09-20 07:30:09 +00:00
Ruslan Ermilov
a823c550e4 Replaced "can not" with "cannot" and "could not" in a bunch of places.
Fixed nearby grammar errors.
2011-09-19 14:48:29 +00:00
Ruslan Ermilov
3b7ed02583 Cosmetics: replaced NGX_CONF_TAKE1 to NGX_CONF_FLAG for "sendfile"
and "chunked_transfer_encoding" directives, to be in line with all
directives taking a boolean argument.  Both flags will ensure that
a directive takes one argument.
2011-09-19 12:41:13 +00:00
Ruslan Ermilov
5d4aed0175 Overhauled diagnostic messages. 2011-09-19 12:37:22 +00:00
Igor Sysoev
aa997c0289 Fixing Linux AIO initiatialization: AIO operations are disabled if kernel
does not support them.  Previously worker just exited.
2011-09-16 13:41:52 +00:00
Igor Sysoev
4134b48b68 Fixing Linux AIO syscalls return value handling:
syscall(2) uses usual libc convention, it returns -1 on error and
sets errno. Obsolete _syscall(2) returns negative value of error.

Thanks to Hagai Avrahami.
2011-09-16 12:43:16 +00:00
Maxim Dounin
c6353a5654 Trailing space fix. 2011-09-16 12:08:52 +00:00
Maxim Dounin
44002e541f Upstream keepalive module. 2011-09-15 19:28:18 +00:00
Maxim Dounin
2fe0a7a0f6 Proxy: basic HTTP/1.1 support (including keepalive).
By default we still send requests using HTTP/1.0.  This may be changed with
new proxy_http_version directive.
2011-09-15 19:23:20 +00:00
Maxim Dounin
f2fcf11b25 Protocol version parsing in ngx_http_parse_status_line().
Once we know protocol version, set u->headers_in.connection_close to indicate
implicitly assumed connection close with HTTP before 1.1.
2011-09-15 19:22:35 +00:00
Maxim Dounin
f84c69a301 Upstream: Connection header processing. 2011-09-15 19:21:19 +00:00
Maxim Dounin
4686f30a0c Upstream: Transfer-Encoding header processing. 2011-09-15 19:20:08 +00:00
Maxim Dounin
2da36b30c3 Keepalive support in fastcgi.
By default follow the old behaviour, i.e. FASTCGI_KEEP_CONN flag isn't set
in request and application is responsible for closing connection once request
is done.  To keep connections alive fastcgi_keep_conn must be activated.
2011-09-15 19:05:23 +00:00
Maxim Dounin
05552a23a2 Keepalive support in memcached. 2011-09-15 19:04:25 +00:00
Maxim Dounin
2d6be3fe93 Upstream: keepalive flag.
This patch introduces r->upstream->keepalive flag, which is set by protocol
handlers if connection to upstream is in good state and can be kept alive.
2011-09-15 19:03:15 +00:00
Maxim Dounin
a746bab7c1 Upstream: pipe length and input_filter_init in buffered mode.
As long as ngx_event_pipe() has more data read from upstream than specified
in p->length it's passed to input filter even if buffer isn't yet full.  This
allows to process data with known length without relying on connection close
to signal data end.

By default p->length is set to -1 in upstream module, i.e. end of data is
indicated by connection close.  To set it from per-protocol handlers upstream
input_filter_init() now called in buffered mode (as well as in
unbuffered mode).
2011-09-15 19:00:47 +00:00
Maxim Dounin
ffe4f11417 Upstream: r->upstream->length type change to off_t.
Previous use of size_t may cause wierd effects on 32bit platforms with certain
big responses transferred in unbuffered mode.

Nuke "if (size > u->length)" check as it's not usefull anyway (preread
body data isn't subject to this check) and now requires additional check
for u->length being positive.
2011-09-15 18:43:19 +00:00
Maxim Dounin
e19f005daf Upstream: content_length_n API change.
We no longer use r->headers_out.content_length_n as a primary source of
backend's response length.  Instead we parse response length to
u->headers_in.content_length_n and copy to r->headers_out.content_length_n
when needed.
2011-09-15 18:33:43 +00:00
Maxim Dounin
360ed25d65 Upstream: separate pool for peer connections.
This is required to support persistent https connections as various ssl
structures are allocated from connection's pool.
2011-09-15 18:21:24 +00:00
Maxim Dounin
c42c70f478 Workaround for cpu hog on errors with cached connections.
Just doing another connect isn't safe as peer.get() may expect peer.tries
to be strictly positive (this is the case e.g. with round robin with multiple
upstream servers).  Increment peer.tries to at least avoid cpu hog in
round robin balancer (with the patch alert will be seen instead).

This is not enough to fully address the problem though, hence TODO.  We
should be able to inform balancer that the error wasn't considered fatal
and it may make sense to retry the same peer.
2011-09-15 18:12:58 +00:00
Maxim Dounin
d7c2673d3f API change: ngx_chain_update_chains() now requires pool.
The ngx_chain_update_chains() needs pool to free chain links used for buffers
with non-matching tags.  Providing one helps to reduce memory consumption
for long-lived requests.
2011-09-15 16:03:17 +00:00
Maxim Dounin
a890b313f3 Buffers reuse in chunked filter.
There were 2 buffers allocated on each buffer chain sent through chunked
filter (one buffer for chunk size, another one for trailing CRLF, about
120 bytes in total on 32-bit platforms).  This resulted in large memory
consumption with long-lived requests sending many buffer chains.  Usual
example of problematic scenario is streaming though proxy with
proxy_buffering set to off.

Introduced buffers reuse reduces memory consumption in the above problematic
scenario.

See here for initial report:
http://mailman.nginx.org/pipermail/nginx/2010-April/019814.html
2011-09-15 15:25:42 +00:00
Igor Sysoev
57b4fdb6c8 MP4 co64 atom support added. 2011-09-15 13:23:03 +00:00
Igor Sysoev
c940f5fc99 Fix of struct field name. 2011-09-15 05:15:16 +00:00
Igor Sysoev
1fc9a8dec6 Style fix. 2011-09-14 15:26:11 +00:00
Igor Sysoev
acdac73688 Fixing building by gcc-4.7. 2011-09-14 15:25:46 +00:00
Igor Sysoev
4a383594fb Version bump. 2011-09-14 15:20:01 +00:00
Igor Sysoev
9c5d25179c Fix of the previous commit: is_directio flag processing introduced in r4077
is still worthwhile.
2011-09-14 14:28:55 +00:00
Igor Sysoev
7ffb73c6b7 Bugfix: open_file_cache did not update file info on retest.
If file inode was not changed, cached file information was not updated
on retest.  As a result stale information might be cached forever if file
attributes was changed and/or file was extended.

This fix also makes obsolete r4077 change of is_directio flag handling,
since this flag is updated together with other file information.
2011-09-14 14:12:35 +00:00
Igor Sysoev
2cc42b74c7 Skipping traks with unsupported media formats. 2011-09-14 14:04:41 +00:00
Igor Sysoev
dcea2ce7d1 Fix of case when start sample does not reside on chunk boundary. 2011-09-14 05:16:20 +00:00
Ruslan Ermilov
59efbc4bcb In Mac OS X Lion, Apple deprecated the use of the system OpenSSL library
in favour of their CommonCrypto library.  This change adds a work-around
that allows nginx to still be built on Lion with OpenSSL.
2011-09-13 09:18:43 +00:00
Igor Sysoev
f824fb47fe Fix of debug message format. 2011-09-12 15:15:00 +00:00
Igor Sysoev
d44855067d Fix of codec debug message. 2011-09-12 14:54:28 +00:00
Igor Sysoev
3d9ae84bf9 Fix of error message. 2011-09-12 14:46:06 +00:00
Igor Sysoev
7e8ee656a8 Fix of error message. 2011-09-12 13:06:22 +00:00
Igor Sysoev
e07a3577a9 mp4_max_moov_size directive has been renamed to mp4_max_buffer_size. 2011-09-12 09:38:04 +00:00
Igor Sysoev
b1c79a449e bugfix of r4086: nginx could not be built without debug log. 2011-09-09 11:56:49 +00:00
Igor Sysoev
5d01ac5af3 Bugfix of r4086: directio was always enabled if mp4 file was sent as is. 2011-09-09 11:13:55 +00:00
Igor Sysoev
dde4d7e300 ngx_http_mp4_module 2011-09-09 10:22:34 +00:00
Maxim Dounin
4f65a05d18 Bugfix: open_file_cache lost is_directio flag.
On file retest open_file_cache lost is_directio if file wasn't changed.
This caused unaligned operations under Linux to fail with EINVAL.
It wasn't noticeable with AIO though, as errors wasn't properly logged.
2011-09-05 16:36:19 +00:00
Igor Sysoev
3a73e50498 Version bump. 2011-09-05 16:26:51 +00:00
Maxim Dounin
bfbbfc85df Bugfix: read event was not blocked after reading body.
Read event should be blocked after reading body, else undefined behaviour
might occur on additional client activity.  This fixes segmentation faults
observed with proxy_ignore_client_abort set.
2011-09-05 12:43:31 +00:00
Maxim Dounin
82854d0d78 Proper setting of read->eof in pipe code.
Setting read->eof to 0 seems to be just a typo.  It appeared in
nginx-0.0.1-2003-10-28-18:45:41 import (r164), while identical code in
ngx_recv.c introduced in the same import do actually set read->eof to 1.

Failure to set read->eof to 1 results in EOF not being generally detectable
from connection flags.  On the other hand, kqueue won't report any read
events on such a connection since we use EV_CLEAR.  This resulted in read
timeouts if such connection was cached and used for another request.
2011-09-01 15:10:41 +00:00
Maxim Dounin
a9e3c65d22 Proper SSL shutdown handling.
If connection has unsent alerts, SSL_shutdown() tries to send them even
if SSL_set_shutdown(SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN) was used.
This can be prevented by SSL_set_quiet_shutdown().  SSL_set_shutdown()
is required nevertheless to preserve session.
2011-09-01 13:49:36 +00:00
Igor Sysoev
09be2f18c5 Now if client requests more ranges than "max_ranges" permits,
nginx disables ranges and returns just the source response.
2011-09-01 13:03:55 +00:00
Igor Sysoev
f560419c54 The "max_ranges" directive.
"max_ranges 0" disables ranges support at all,
"max_ranges 1" allows the single range, etc.
By default number of ranges is unlimited, to be precise, 2^31-1.
2011-08-31 09:40:55 +00:00
Igor Sysoev
e81c293289 Style fix: removal of tabs introduced in the previous commit. 2011-08-31 09:26:07 +00:00
Igor Sysoev
65b1592d02 *) fix of r4060: start value should be tested after the "found" label;
*) optimization: start value may be tested against end value only,
   since end value here may not be greater than content_length.
2011-08-30 20:34:58 +00:00
Igor Sysoev
1f3280bae2 Unsatisfiable range with start value greater than content length
was not properly skipped. The bug has been introduced in r4057.
2011-08-30 14:25:35 +00:00
Igor Sysoev
e766153451 ngx_http_range_parse() should be static. 2011-08-30 13:07:33 +00:00
Igor Sysoev
9162057731 Ranges processing small optimization. 2011-08-30 13:06:12 +00:00
Igor Sysoev
451df22b3f Now unsatisfiable ranges are processed according to RFC 2616. 2011-08-30 13:01:55 +00:00
Igor Sysoev
584703b84a Ranges processing small optimization. 2011-08-30 12:45:24 +00:00
Igor Sysoev
f2575bd878 Style fix. 2011-08-30 12:28:01 +00:00
Igor Sysoev
c2c3e3105f Now if total size of all ranges is greater than source response size,
then nginx disables ranges and returns just the source response.
This fix should not affect well-behaving applications but will defeat
DoS attempts exploiting malicious byte ranges.
2011-08-26 09:42:50 +00:00
Igor Sysoev
8b2bf08165 Cache size accounting fix: actual cache size on disk was less than
needed by sum of sizes of files loaded by worker processes themselves
while cache loader was running.

The bug has been introduced in r3900.
2011-08-25 17:29:34 +00:00
Maxim Dounin
fbc51e4c44 Better handling of various per-server ssl options with SNI.
SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0d and earlier).

As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them different for two servers
listening on the same socket.

Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.

Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+.  I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.
2011-08-23 14:36:31 +00:00
Igor Sysoev
631fa929d3 Version bump. 2011-08-23 14:22:34 +00:00
Igor Sysoev
566dfe0c7f SIGWINCH/NOACCEPT signal is disabled now in non-daemon mode.
Non-daemon mode is currently used by supervisord, daemontools and so on
or during debugging. The NOACCEPT signal is only used for online upgrade
which is not supported when nginx is run under supervisord, etc.,
so this change should not break existant setups.
2011-08-22 12:34:48 +00:00
Igor Sysoev
0d18687b03 The change in adaptive loader behaviour introduced in r3975:
now cache loader processes either as many files as specified by loader_files
or works no more than time specified by loader_threshold during each iteration.

loader_threshold was previously used to decrease loader_files or
to increase loader_timeout and this might eventually result in
downgrading loader_files to 1 and increasing loader_timeout to large values
causing loading cache for forever.
2011-08-22 10:16:49 +00:00
Maxim Dounin
de1a3e1e0c Fix buffer overrun under Windows. 2011-08-22 10:07:27 +00:00
Maxim Dounin
ec8186c733 Move SO_ACCEPTFILTER and TCP_DEFER_ACCEPT checks into configure.
NetBSD 5.0+ has SO_ACCEPTFILTER support merged from FreeBSD, and having
accept filter check in FreeBSD-specific ngx_freebsd_config.h prevents it
from being used on NetBSD.  Therefore move the check into configure (and
do the same for Linux-specific TCP_DEFER_ACCEPT, just to be in line).
2011-08-21 11:37:37 +00:00
Maxim Dounin
5a52d67a08 Fix ignored headers handling in fastcgi/scgi/uwsgi.
The bug had appeared in r3561 (fastcgi), r3638 (scgi), r3567 (uwsgi).
2011-08-19 20:11:39 +00:00
Maxim Dounin
65c32b255d Complain on invalid log levels.
Previously only first log level was required to be correct, while error_log
directive in fact accepts list of levels (e.g. one may specify "error_log ...
debug_core debug_http;").  This resulted in (avoidable) wierd behaviour on
missing semicolon after error_log directive, e.g.

    error_log /path/to/log info
    index index.php;

silently skipped index directive and it's arguments (trying to interpret
them as log levels without checking to be correct).
2011-08-18 21:48:13 +00:00
Maxim Dounin
b7fcb430c1 Upstream: properly allocate memory for tried flags.
Previous allocation only took into account number of non-backup servers, and
this caused memory corruption with many backup servers.

See report here:
http://mailman.nginx.org/pipermail/nginx/2011-May/026531.html
2011-08-18 17:04:52 +00:00
Maxim Dounin
624fbe94a2 Fixing cpu hog with all upstream servers marked "down".
The following configuration causes nginx to hog cpu due to infinite loop
in ngx_http_upstream_get_peer():

    upstream backend {
        server 127.0.0.1:8080 down;
        server 127.0.0.1:8080 down;
    }

    server {
       ...
       location / {
           proxy_pass http://backend;
       }
    }

Make sure we don't loop infinitely in ngx_http_upstream_get_peer() but stop
after resetting peer weights once.

Return 0 if we are stuck.  This is guaranteed to work as peer 0 always exists,
and eventually ngx_http_upstream_get_round_robin_peer() will do the right
thing falling back to backup servers or returning NGX_BUSY.
2011-08-18 16:52:38 +00:00
Maxim Dounin
9bc8fc4602 Fixing proxy_set_body and proxy_pass_request_body with SSL.
Flush flag wasn't set in constructed buffer and this prevented any data
from being actually sent to upstream due to SSL buffering.  Make sure
we always set flush in the last buffer we are going to sent.

See here for report:
http://nginx.org/pipermail/nginx-ru/2011-June/041552.html
2011-08-18 16:34:24 +00:00
Igor Sysoev
c4ff39ae2b Fix names of the referer hash size directives introduced in r3940. 2011-08-18 16:27:30 +00:00
Maxim Dounin
b09ceca261 Fix body with request_body_in_single_buf.
If there were preread data and request body was big enough first part
of the request body was duplicated.

See report here:
http://mailman.nginx.org/pipermail/nginx/2011-July/027756.html
2011-08-18 15:52:00 +00:00
Maxim Dounin
f48b451195 Correctly set body if it's preread and there are extra data.
Previously all available data was used as body, resulting in garbage after
real body e.g. in case of pipelined requests.  Make sure to use only as many
bytes as request's Content-Length specifies.
2011-08-18 15:27:57 +00:00
Igor Sysoev
de236d3a2c fix gzip quantity: "q=0." and "q=1." are valid values according to RFC 2011-08-05 08:51:29 +00:00
Igor Sysoev
48d17bca94 refactor gzip quantity introduced in r3981: it ignored "q=1.000" 2011-08-04 14:50:59 +00:00
Igor Sysoev
dfd81a23b2 A new fix for the case when ssl_session_cache defined, but ssl is not
enabled in any server. The previous r1033 does not help when unused zone
becomes used after reconfiguration, so it is backed out.

The initial thought was to make SSL modules independed from SSL implementation
and to keep OpenSSL code dependance as much as in separate files.
2011-08-04 11:12:30 +00:00
Igor Sysoev
c42be75569 removal of error message about %name log_format parameters,
they have been deleted long ago in 0.5.0-RELEASE
2011-08-03 16:01:36 +00:00
Igor Sysoev
7cce1cacaa fix typo introduced in r3985 2011-08-02 12:43:01 +00:00
Igor Sysoev
475a5dfcf1 bump version 2011-08-02 12:39:38 +00:00
Igor Sysoev
72a96bfdcb fix r3981 again for case "Accept-Encoding: gzip" 2011-08-01 14:38:09 +00:00
Igor Sysoev
21fd22d089 always set timer in discard body handler, this fixes the cases
when request for static file is redirected by error_page to an SSI page

patch by Maxim Dounin
2011-08-01 13:52:54 +00:00
Igor Sysoev
2505587b4d lingering_close "off|on|always"
patch by Maxim Dounin
2011-08-01 13:26:55 +00:00
Igor Sysoev
41c8a1d27f do not send RST on normal lingering close read timeout,
if reset_timedout_connection is on

patch by Maxim Dounin
2011-08-01 13:08:03 +00:00
Igor Sysoev
bd7dfe44c5 fix r3981 for case "Accept-Encoding: gzip" 2011-08-01 11:21:46 +00:00
Igor Sysoev
2f3668b59b enable lingering close for pipelined requests
patch by Maxim Dounin
2011-08-01 11:08:57 +00:00
Igor Sysoev
721f47ed3c Accept-Encoding refactoring: "gzip; q=0" support 2011-08-01 11:02:12 +00:00
Igor Sysoev
d743a2339e Accept-Encoding refactoring: test first the most common case "gzip," 2011-07-30 07:34:12 +00:00
Igor Sysoev
6652cc5962 Accept-Encoding refactoring: remove ancient MSIE 4.x test for gzip 2011-07-30 06:20:06 +00:00
Igor Sysoev
c9468026e7 test length of proxy_pass with variables
patch by Lanshun Zhou
2011-07-30 06:11:46 +00:00
Igor Sysoev
c2f852c260 update r3945 with more descriptive error message 2011-07-29 15:33:03 +00:00
Igor Sysoev
922f106582 loader_files, loader_sleep, and loader_threshold 2011-07-29 15:09:02 +00:00
Igor Sysoev
d5a25a4b97 set correct configuration file values while adding path
patch by Maxim Dounin
2011-07-25 10:22:38 +00:00
Igor Sysoev
1850ce09a1 rename ngx_http_file_cache_manager_sleep() to ngx_http_file_cache_loader_sleep()
and do not use it all in cache manager: this is a vestige of the times when
cache manager loaded cache
2011-07-25 09:45:00 +00:00
Igor Sysoev
d8ce166e2e do not close connection if cache file is too small: replace it with valid one 2011-07-24 20:04:47 +00:00
Igor Sysoev
c2cafadfa5 elimination of reading cache files by cache loader 2011-07-24 19:46:53 +00:00
Igor Sysoev
92161bac79 fix r3968 2011-07-24 19:43:52 +00:00
Igor Sysoev
6cb6fc4a09 update the previous commit:
removing dependencies on file uniq since WIN32_FIND_DATA has no such field
2011-07-24 17:36:26 +00:00
Igor Sysoev
c1250b6a49 The cache loader performs two tasks: inserting cache objects in inactivity
list and evaluating total cache size. Reading just directory is enough for
this purpose. Elimination of reading cache files saves at least one disk I/O
operation per file.

Preparation for elimination of reading cache files by cache loader:
removing dependencies on the reading:
*) cache node valid_sec and valid_msec are used only for caching errors;
*) upstream buffer size can be used instead of cache node body_start.
2011-07-24 16:47:31 +00:00
Igor Sysoev
bb389f6111 fuse two if's in one condition 2011-07-24 16:10:06 +00:00
Igor Sysoev
64d024605a style fix 2011-07-24 16:06:24 +00:00
Igor Sysoev
08b597592f do not try to reuse and save a SSL session for a peer created on the fly
by ngx_http_upstream_create_round_robin_peer(), since the peer lives
only during request so the saved SSL session will never be used again
and just causes memory leak

patch by Maxim Dounin
2011-07-22 16:30:17 +00:00
Igor Sysoev
a3741fb24d finalizing with rc == 0 in unbuffered proxy mode caused nginx to wait
for another send_timeout before actually closing client's connection
if client timed out while still talking to upstream server

patch by Maxim Dounin
2011-07-22 13:30:16 +00:00
Igor Sysoev
b0b6bcedfc fix SSL connection issues on platforms with 32-bit off_t
patch by Maxim Dounin
2011-07-22 12:53:04 +00:00
Igor Sysoev
a7ed0951e3 fix build by gcc46 with -Wunused-value option
patch by Maxim Dounin
2011-07-22 10:43:50 +00:00
Igor Sysoev
f39642a907 ECDHE support
patch by Adrian Kotelba
2011-07-20 15:42:40 +00:00
Igor Sysoev
e61ba26744 MSIE export versions are rare now, so RSA 512 key is generated on demand
and is shared among all hosts instead of pregenerating for every HTTPS host
on configuraiton phase. This decreases start time for configuration with
large number of HTTPS hosts.
2011-07-20 12:59:24 +00:00
Igor Sysoev
2551f4a55d bump version: 1.1.0 development version 2011-07-20 09:29:25 +00:00
Igor Sysoev
6c3c3bbe42 fix segfault if cache key is larger than upstream buffer size
patch by Lanshun Zhou
2011-07-19 11:24:16 +00:00
Igor Sysoev
82afb9cc86 $uid_reset 2011-07-19 11:21:50 +00:00
Igor Sysoev
a0202f26c6 fix r3756: release lock to allow other process to delete cache node
patch by Maxim Dounin
2011-07-19 10:35:02 +00:00
Igor Sysoev
99f2b9e063 fix building by MSVC 2011-07-18 15:00:05 +00:00
Igor Sysoev
87ee007022 revert r3935 and fix "stalled cache updating" alert
by freeing cache at upstream finalize phase
patch by Maxim Dounin
2011-06-28 13:26:08 +00:00
Igor Sysoev
f58154db2f referer_hash_max_size and referer_hash_bucket_size directives
patch by Witold Filipczyk
2011-06-28 10:40:44 +00:00
Igor Sysoev
8d7b1d222e use !aNULL to disable all anonymous cipher suites
patch by Rob Stradling
2011-06-27 15:47:51 +00:00
Igor Sysoev
0a860a1c1d bump version 2011-06-27 15:34:44 +00:00
Igor Sysoev
1788ec0c48 fix "stalled cache updating" alert,
when non-cachable HEAD response did not not free an expired cache node
2011-06-01 08:02:34 +00:00
Igor Sysoev
5343bf3221 revert r3875 since now map uses case sensetive regexes by default 2011-05-30 14:24:17 +00:00
Igor Sysoev
53d05b969b change ngx_http_map_find(): use case sensitive regexes 2011-05-30 12:36:17 +00:00
Igor Sysoev
36aadf7eba fix building on FreeBSD 6 or earlier against system md5 2011-05-27 13:30:53 +00:00
Igor Sysoev
e620fdac65 make built-in ngx_md5_update() interface consistent with other implemenations 2011-05-27 10:00:46 +00:00
Igor Sysoev
c4793b6505 fix building --without-http_auth_basic_module,
the bug has been introduced in r3923
2011-05-26 07:32:48 +00:00
Igor Sysoev
ce2229e2f7 bump version 2011-05-26 07:31:40 +00:00
Igor Sysoev
5dc5945ccf "$apr1", "{PLAIN}", and "{SSHA}" password methods in auth basic module
patch by Maxim Dounin
2011-05-16 14:54:50 +00:00
Igor Sysoev
ffc7271250 fix testing IPv4 address mapped to IPv6, when only IPv6 access rules are defined 2011-05-16 14:01:23 +00:00
Igor Sysoev
529b5f1938 support IPv4 mapped to IPv6 in geo module 2011-05-16 13:54:42 +00:00
Igor Sysoev
dd39f60014 support IPv4 mapped to IPv6 in geoip module 2011-05-16 13:50:58 +00:00
Igor Sysoev
868db976d7 fix debug logging 2011-05-13 10:06:56 +00:00
Igor Sysoev
0d6283918f fix a broken cached response if bypass/no_cache directive values are different,
the bug has been introduced in r3700
2011-05-13 10:05:38 +00:00
Igor Sysoev
50733a53ec geoip_org
patch by Alexander Uskov
2011-05-11 09:34:21 +00:00
Igor Sysoev
20b52bec63 fix typo 2011-05-11 09:25:37 +00:00
Igor Sysoev
dc336358ab bump version 2011-05-11 09:19:48 +00:00
Igor Sysoev
49ae93034d gdImageCopyRotated() may images of even height or width
patch by Adam Bocim
2011-05-10 12:04:57 +00:00
Igor Sysoev
e2c8ad7122 use POSIX semaphores in shmtx instead of sched_yield()
number of spinlock spins are increased twice
2011-05-10 11:39:13 +00:00
Igor Sysoev
e691d94a39 bump version 2011-05-04 12:20:32 +00:00
Igor Sysoev
eecc540da8 test zero value in an "if" directive consistently with predicates fixed in r3894
thanks to Maxim Dounin
2011-05-03 09:52:27 +00:00
Igor Sysoev
2bd01a0f01 revert r3864, it may cause kernel panic on some kernels while working with IPv6 2011-04-23 17:27:55 +00:00
Igor Sysoev
efde3eb92e fix building by gcc 4.6 without --with-debug 2011-04-23 17:25:06 +00:00
Igor Sysoev
c37192b537 style fix: remove trailing spaces 2011-04-23 13:11:17 +00:00
Igor Sysoev
ef1f33b0db Use more precise stat.st_blocks to account cache size on Unix
instead of file length rounded to a file system block size.
There is no similar way on Windows, so rounding to a cache->bsize is kept.
2011-04-22 10:06:43 +00:00
Igor Sysoev
64efecc2b5 allow to use $upstream_... variables in SSI 2011-04-21 10:07:07 +00:00
Igor Sysoev
423ee58e76 fix r3713
thanks to Igor A. Valcov
2011-04-19 12:29:16 +00:00
Igor Sysoev
b3451785fe an internal MD5 implemenation
patch by Maxim Dounin
2011-04-15 15:58:06 +00:00
Igor Sysoev
9813a1999c fix segfault in IPv6 parsing while processing invalid IPv4 address X.YYYY.Z
patch by Maxim Dounin
2011-04-15 13:50:27 +00:00
Igor Sysoev
14fe2dd94a values starting with '0' were incorrectly assumed to be false
patch by Maxim Dounin
2011-04-15 12:24:18 +00:00
Igor Sysoev
432760ee4d use MurmurHash2 for split_clients, because
its distribution is much better than CRC32's one
2011-04-15 10:59:57 +00:00
Igor Sysoev
42f1e1cb96 ngx_murmur_hash2() 2011-04-15 10:59:24 +00:00
Igor Sysoev
0bd0b2894c bump version 2011-04-15 10:58:44 +00:00
Igor Sysoev
d63104eea4 use memmove() in appropriate places 2011-04-12 08:02:46 +00:00
Igor Sysoev
d80bcbcd0f "satisfy any" disabled custom 401 error page 2011-04-11 14:17:31 +00:00
Igor Sysoev
711eeb8514 fix CPU hog in cache manager
patch by Maxim Dounin
2011-04-08 15:27:53 +00:00
Igor Sysoev
ea38fe54bd fix "image_filter rotate 180" and crop case
the bug has been introduced in r3879
2011-04-07 09:12:30 +00:00
Igor Sysoev
f352259dd6 bump version 2011-04-07 09:08:52 +00:00
Igor Sysoev
4956ac5108 reuse keepalive connections if there are no free worker connections
patch by Maxim Dounin
2011-04-04 12:26:53 +00:00
Igor Sysoev
fde7d51392 fix case when a host in fastcgi_pass, scgi_pass, and uwsgi_pass
is given by expression and refers to a defined upstream
2011-04-04 10:43:21 +00:00
Igor Sysoev
450c981ab9 image filter rotate
patch by Adam Bocim
2011-04-04 09:57:32 +00:00
Igor Sysoev
b8fb0a15a2 bump version 2011-04-04 09:46:00 +00:00
Igor Sysoev
921ac21acf map tests values in low case only, so caseless regex has no sense 2011-03-21 15:18:59 +00:00
Igor Sysoev
c9d671cd81 $time_iso8601 log variable
patch by Michael Lustfield
2011-03-16 15:46:57 +00:00
Igor Sysoev
0519b43a77 allow regex as "map" parameter 2011-03-16 15:32:31 +00:00
Igor Sysoev
32c73df97a remove semicolon, because it is already in "nginx: " prefix 2011-02-21 11:47:28 +00:00
Igor Sysoev
22434e4c72 fix warnings 2011-02-21 11:44:26 +00:00
Igor Sysoev
2a526d4969 bump version 2011-02-21 10:03:28 +00:00
Igor Sysoev
d53c836214 fix u->one_addr handling in ngx_inet_resolve_host()
patch by Maxim Dounin
2011-02-17 15:01:16 +00:00
Igor Sysoev
95899a3f19 use backlog -1 on Linux
thanks to Andrei Nigmatulin
2011-02-17 14:14:50 +00:00
Igor Sysoev
b2492255f8 always test proxy_redirect with slash, this fixes a case when nginx uses
proxy_pass "http://www", upstream redirects to "http://www.host/uri",
and nginx rewrites it as ".host/uri"
patch by Maxim Dounin
2011-02-17 11:54:35 +00:00
Igor Sysoev
4d6db4a7ab set current atime while setting mtime
patch by Andrei Nigmatulin
2011-02-11 08:02:35 +00:00
Igor Sysoev
64d5f9ba26 fix "error_page 497 https://" case
patch by Maxim Dounin
the bug has been introduced in r3782
2011-02-01 16:18:55 +00:00
Igor Sysoev
eb1a344dd3 utf8 parameter of geoip_country and geoip_city
patch by Denis F. Latypoff
2011-01-27 12:51:59 +00:00
Igor Sysoev
ab54e21633 bump version 2011-01-27 12:43:11 +00:00
Igor Sysoev
8dbc8a97dd server_name $hostname 2011-01-20 15:31:24 +00:00
Igor Sysoev
d19c93d127 style fix: remove trailing spaces 2011-01-20 15:29:53 +00:00
Igor Sysoev
cfc5c25589 move setting conf->server_name in merge phase 2011-01-20 15:15:50 +00:00
Igor Sysoev
cc878dc6ac use SwitchToThread() instead of Sleep(0), because the later
may not yield control, if there is no thread with higher priority
2011-01-20 13:06:21 +00:00
Igor Sysoev
3d86ad3f95 fix building on Fedora 14
patch by Kirill A. Korinskiy
2011-01-20 12:33:17 +00:00
Igor Sysoev
8e8251a317 fix large stderr handling without http cache
patch by Maxim Dounin
the bug has been introduced in r3461
2011-01-20 12:23:00 +00:00
Igor Sysoev
26cf2c96ea introduce 494 code "Request Header Too Large" 2011-01-20 10:37:58 +00:00
Igor Sysoev
87f744c24b use boolean expression instead of "if" 2010-12-15 14:10:33 +00:00
Igor Sysoev
f00e81d75a rename NGX_HTTP_OWN_CODES to NGX_HTTP_NGINX_CODES 2010-12-14 23:04:26 +00:00
Igor Sysoev
dc61c0a153 bump version 2010-12-14 22:54:04 +00:00
Igor Sysoev
2567c92ace allow "env" to work in the single process mode 2010-12-13 10:55:15 +00:00
Igor Sysoev
5644c43caf always run regex in server_name to get captures for IPv6 addresses,
the same fix for IPv4 addresses has been made in r2584
2010-12-12 21:13:27 +00:00
Igor Sysoev
1fdb004f52 test wildcard tail hash existance for IPv6 addresses,
the same fix for IPv4 addresses has been made in r2581
2010-12-12 21:10:59 +00:00
Igor Sysoev
7c2611a231 style fix 2010-12-12 20:11:31 +00:00
Igor Sysoev
076ad1672b remove semicolon, because it is already in "nginx: " prefix 2010-12-11 10:59:26 +00:00
Igor Sysoev
5491139caf bump version 2010-12-06 14:40:40 +00:00
Igor Sysoev
3e3ee60b99 remove SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG becuase of CVE-2010-4180 2010-12-06 11:17:03 +00:00
Igor Sysoev
ec4df838c8 "If-Unmodified-Since" support 2010-12-06 11:11:05 +00:00
Igor Sysoev
0c39c27412 fix building by msvc8 introduced by the previous commit 2010-12-02 14:20:51 +00:00
Igor Sysoev
a07d6ec39f fallback to accept() if accept4() is not implemented,
the issue has been introduced in r3787
2010-12-02 10:05:41 +00:00
Igor Sysoev
86ffd9b10f bump version 2010-11-30 13:26:21 +00:00
Igor Sysoev
f5798d8c0d fix comment 2010-11-29 19:41:53 +00:00
Igor Sysoev
bd4c8e88ee revert processing NGX_OK in rewrite phase changed in r3798,
this broke "return 204" and "return code text"
2010-11-29 19:40:54 +00:00
Igor Sysoev
c219a6f7d0 bump version 2010-11-29 19:39:26 +00:00
Igor Sysoev
c19b848976 add "nginx: " prefix when logging to the stderr 2010-11-29 15:01:06 +00:00
Igor Sysoev
a979d9fb30 move ngx_strerror_init() at the very start 2010-11-29 15:00:02 +00:00
Igor Sysoev
8c6144f022 revert processing NGX_OK and NGX_DONE in rewrite phase changed in r3634 2010-11-29 14:01:17 +00:00
Igor Sysoev
d4b08c9134 allocate last zero byte in ngx_crypt() 2010-11-29 09:23:25 +00:00
Igor Sysoev
f83d6cf0f7 style fix 2010-11-26 13:58:28 +00:00
Igor Sysoev
02677300d1 fix building by icc8 2010-11-26 13:36:36 +00:00
Igor Sysoev
6946ed75b6 keepalive_disable 2010-11-26 12:40:56 +00:00
Igor Sysoev
97d32cb169 allow variable as "map" value 2010-11-26 12:25:51 +00:00
Igor Sysoev
07335d89df use "\" to escape "default", "include", and "hostnames" values instead of "!" 2010-11-25 15:36:24 +00:00
Igor Sysoev
04e145d2da allow empty value as "map" parameter 2010-11-25 15:24:29 +00:00
Igor Sysoev
67e6bafc90 allow expressions in the first "map" parameter 2010-11-25 15:22:43 +00:00
Igor Sysoev
7f31a2098d use copied strerror() messages and autoconfigured sys_nerr value 2010-11-25 11:04:03 +00:00
Igor Sysoev
40747ad861 Linux accept4() support 2010-11-25 10:15:04 +00:00
Igor Sysoev
601ca7cd6e bump version 2010-11-24 13:41:37 +00:00
Igor Sysoev
a64b716b22 allow override redirect status in error_page 2010-10-18 10:14:00 +00:00
Igor Sysoev
c5d1790e1d change order of limit_req lookup result processing 2010-10-14 09:20:01 +00:00
Igor Sysoev
622721a598 an excess was logged as 0.000 if requests were limited without delay:
*) use a real excess value instead of non-updated limit_req rbtree node field,
*) move inactivity queue handling inside ngx_http_limit_req_lookup()
   since the node is not required outside the lookup function;

the bug has been introduced in r3184
2010-10-13 20:58:41 +00:00
Igor Sysoev
824856fc10 always update an aio_senfile connection flag accodring to a current
location configuration, this clears the flag for requests passed
via a keep-alive connection
2010-10-12 12:18:39 +00:00
Igor Sysoev
3bff22f2e2 update event flags after successful io_submit() 2010-10-12 12:11:11 +00:00
Igor Sysoev
89eae52df8 file AIO read may be posted inside loop 2010-10-12 12:06:52 +00:00
Igor Sysoev
7087d5d72a add default listen port at the end of server block parsing instead of
merge phase: otherwise the first server without an listen directive
did not become the default server if there was no explicit default server;
the bug has been introduced in r3218
2010-10-11 18:48:18 +00:00
Igor Sysoev
21dba41f5b fix testing, the bug has been introduced in r3218 2010-10-08 11:42:05 +00:00
Igor Sysoev
5fffff997f gzip_disable degradation 2010-10-04 15:03:00 +00:00
Igor Sysoev
81aa52829a ngx_http_degraded() 2010-10-04 14:59:41 +00:00
Igor Sysoev
61d5e5e67f bump version 2010-10-04 13:50:09 +00:00
Igor Sysoev
bfec9887ce nginx uses SSL mode for a listen socket with any option set,
the bug has been introduced in r3765
2010-09-28 06:50:52 +00:00
Igor Sysoev
a397c7faaa bump version 2010-09-28 06:46:58 +00:00
Igor Sysoev
f79878e5d9 allow duplicate listen ssl options 2010-09-27 11:48:12 +00:00
Igor Sysoev
49ac2b2b45 decrease resolver errors level to error 2010-09-27 11:23:45 +00:00
Igor Sysoev
8c70e67f7b worker_rlimit_core should be off_t 2010-09-15 15:24:21 +00:00
Igor Sysoev
9a62648f7b fix typo 2010-09-13 12:44:43 +00:00
Igor Sysoev
12f4da4695 discard "secure_link_expires on|off" 2010-09-06 14:19:18 +00:00
Igor Sysoev
c13a4098b7 bump version 2010-09-06 11:07:07 +00:00
Igor Sysoev
94e9aaa8ad new ngx_http_secure_link_module with secure_link, secure_link_md5, and
secure_link_expires
2010-09-02 14:37:16 +00:00
Igor Sysoev
a256afd064 fix race condition if during reconfiguration two cache managers try
to delete old inactive entries: one of them removes a entry just locked by
other manager from the queue and the rbtree as long inactive entry,
causes the latter manager to segfault leaving cache mutex locked,
the bug has been introduced in r3727
2010-09-02 14:31:47 +00:00
Igor Sysoev
3730543c26 gzip_disable msie6 ignored other patterns 2010-09-02 14:02:57 +00:00
Igor Sysoev
31e6fc82cc gzip_disable compiled always the first pattern only 2010-09-02 14:01:58 +00:00
Igor Sysoev
4db3b3e2c4 gzip_disable msie6 did not inherited if nginx was built without PCRE 2010-09-02 13:54:28 +00:00
Igor Sysoev
8a9f761927 add "Global\" prefix for signal events 2010-09-02 13:49:05 +00:00
Igor Sysoev
2cb30f153f the -q switch 2010-09-02 13:43:02 +00:00
Igor Sysoev
f7dd767e57 if a location is specified by regex, then always compile an "alias",
even into one static string script: this elimates testing this
too specific case inside ngx_http_map_uri_to_path()
2010-08-26 12:33:08 +00:00
Igor Sysoev
f380df5e20 bump version 2010-08-25 12:30:08 +00:00
Igor Sysoev
d39b9ec19d image_filter_jpeg_quality supports variables 2010-08-06 15:55:05 +00:00
Igor Sysoev
7268cc8c6e zero fcn->updating after node allocation 2010-08-04 13:34:23 +00:00
Igor Sysoev
2b74841a4f error status codes could be cached for next request only,
the bug has been introduced in r3712
2010-08-04 12:55:27 +00:00
Igor Sysoev
541d8c698a we can free GeoIPRecord just after GeoIP_region_name_by_code(),
because it returns a statically allocated string
2010-08-03 18:38:08 +00:00
Igor Sysoev
a999586594 fix segfault, the bug has been introduced in r3738 2010-08-03 18:27:56 +00:00
Igor Sysoev
6dd6aefaa7 bump version 2010-08-03 18:24:18 +00:00
Igor Sysoev
395f35e5fa $geoip_region_name 2010-08-03 15:01:34 +00:00
Igor Sysoev
dc87ab5a69 $geoip_dma_code and $geoip_area_code 2010-08-03 14:19:49 +00:00
Igor Sysoev
41212d27fa fix fastcgi_split_path_info, if URI was not fully captured 2010-08-03 13:35:48 +00:00
Igor Sysoev
81cd5e4f6f *) make code consistent to fastcgi, etc
*) remove STUB comment
2010-08-03 12:59:14 +00:00
Igor Sysoev
e4994fbacb use NULL instead of 0 2010-08-03 12:53:06 +00:00
Igor Sysoev
b16b8ddae6 delete surplus assignment 2010-08-03 09:42:53 +00:00
Igor Sysoev
90f95522a5 inherit proxy_pass, fastcgi_pass, uwsgi_pass, scgi_pass inside
a limit_except block if no handler was defined for the block
2010-08-03 09:24:25 +00:00
Igor Sysoev
0ec5492189 ngx_http_conf_get_module_srv_conf() and ngx_http_conf_get_module_loc_conf()
may be used at merge phase
2010-08-02 15:28:04 +00:00
Igor Sysoev
6d9d07b16a fix directive type 2010-08-02 12:47:52 +00:00
Igor Sysoev
029299aaa4 change logic slightly 2010-08-02 12:34:15 +00:00
Igor Sysoev
c7b2e2a570 change order 2010-08-02 12:32:33 +00:00
Igor Sysoev
2108fabea2 *) delete cache key node after a cache file removal
*) move fileless cache key node removal in ngx_http_file_cache_delete()
2010-08-02 12:27:58 +00:00
Igor Sysoev
0e0e0af51b escape ";" in arguments 2010-07-30 13:25:19 +00:00
Igor Sysoev
1cd46b88a4 count cache key node usage for cached error statuses 2010-07-30 12:41:55 +00:00
Igor Sysoev
09ce1e2d89 do not free unused cache node if cache min_uses > 1,
the bug has been introduced in r3695, r3708, r3711
2010-07-30 10:20:08 +00:00
Igor Sysoev
10f8d5d74e return 415 on too big image in image filter 2010-07-29 15:40:03 +00:00
Igor Sysoev
7c50789e2a change default server_name_in_redirect value to off,
since default server_name is empty
2010-07-29 10:01:31 +00:00
Igor Sysoev
a69cf2d005 use an empty name as default server_name instread of hostname 2010-07-29 10:00:04 +00:00
Igor Sysoev
e8cf60da34 allow server_name "" as the first name 2010-07-29 09:55:54 +00:00
Igor Sysoev
6b45b065fe decrease SSL handshake error level to info 2010-07-29 09:30:15 +00:00
Igor Sysoev
6f2796af04 bump version 2010-07-29 08:10:22 +00:00
Igor Sysoev
9135a0e022 move debug logging inside ngx_http_file_cache_free() 2010-07-28 15:56:56 +00:00
Igor Sysoev
14c95f99ac fix $request_time for subrequests 2010-07-28 15:51:50 +00:00
Igor Sysoev
406a68003c several changes in cache cleanup handling:
*) now ngx_http_file_cache_cleanup() uses ngx_http_file_cache_free()
*) ngx_http_file_cache_free() interface has been changed to accept r->cache
   ngx_http_file_cache_cleanup() must use r->cache, but not r, because
   there can be several r->cache's during request processing, r->cache may
   be NULL at request finalising, etc.
*) test if updating request does not complete correctly
2010-07-28 15:49:34 +00:00
Igor Sysoev
18b36e5035 fix r3708 and r3695: valid_sec is set only for caching error status codes 2010-07-27 19:11:17 +00:00
Igor Sysoev
6af21b7cda fix r3707: cache node should be freed be a response is not cached 2010-07-27 15:26:33 +00:00
Igor Sysoev
3cf3100977 fix typo 2010-07-27 13:04:13 +00:00
Igor Sysoev
4b7637adb6 fix r3695: this commit
*) freed valid keys zone node
*) and did not decrease cache size, so cache manager process ete CPU time,
   if cache checking max_size was enabled
2010-07-27 11:22:59 +00:00
Igor Sysoev
f297d0dd27 an intercepted error code was not cached 2010-07-19 15:31:46 +00:00
Igor Sysoev
cc963cd7e2 style fix 2010-07-19 15:29:16 +00:00
Igor Sysoev
b1327bd842 initialize r->cache->file.fd with NGX_INVALID_FILE 2010-07-19 15:28:22 +00:00
Igor Sysoev
1daef7d1b0 bump version 2010-07-19 15:27:06 +00:00
Igor Sysoev
47f5f947bc add warnings for proxy_no_cache and fastcgi_no_cache 2010-07-19 09:55:43 +00:00
Igor Sysoev
f7d659aa52 proxy_cache_pass, fastcgi_cache_bypass, uwsgi_cache_bypass, scgi_cache_bypass 2010-07-19 09:36:04 +00:00
Igor Sysoev
6a47b43234 rename ngx_http_file_cache_create() to ngx_http_file_cache_new() 2010-07-16 10:01:49 +00:00
Igor Sysoev
9aa3d7f667 ngx_http_file_cache_create() 2010-07-15 14:01:02 +00:00
Igor Sysoev
9e9cbee81e ngx_http_file_cache_name() 2010-07-15 13:46:32 +00:00
Igor Sysoev
0e73a5bfb7 style fix 2010-07-15 13:10:05 +00:00
Igor Sysoev
85992f9eb3 delete empty cache zone node if we could not get response to cache 2010-07-15 13:08:51 +00:00
Igor Sysoev
4769d10604 fix scgi_no_cache and uwsgi_no_cache initialization 2010-07-14 11:29:19 +00:00
Igor Sysoev
f3870c66df use ngx_http_test_predicates(), ngx_http_set_predicate_slot()
delete ngx_http_cache(), ngx_http_no_cache_set_slot()
2010-07-14 11:15:45 +00:00
Igor Sysoev
7fc29052e8 ngx_http_test_predicates(), ngx_http_set_predicate_slot() 2010-07-14 11:13:59 +00:00
Igor Sysoev
e48f042f40 bump version 2010-07-14 11:09:56 +00:00
Igor Sysoev
5a19097c9b allow setfib=0 2010-07-13 10:17:09 +00:00
Igor Sysoev
618703b5b6 use xmlSAXHandler._private field to store xslt filter context 2010-07-12 12:52:01 +00:00
Igor Sysoev
a2d9995ca1 fix building by msvc7 2010-07-08 16:17:11 +00:00
Igor Sysoev
f9dd541edb fix typo 2010-07-08 14:02:09 +00:00
Igor Sysoev
40b4ba1663 style fix 2010-07-08 13:49:21 +00:00
Igor Sysoev
7aa1f5bf4a update r->buffered after processing SSI command,
the bug has been probably introduced in r2378
2010-07-07 10:17:19 +00:00
Igor Sysoev
a2e846242f bump version 2010-07-07 10:09:44 +00:00
Igor Sysoev
0bd7a7d894 listen setfib=X 2010-07-05 13:49:16 +00:00
Igor Sysoev
1a5d7553da fix case of partially matched patterns on buffer border in sub_filter 2010-07-05 13:45:10 +00:00
Igor Sysoev
a5ee005a27 fix recognition of SSLv2 Client Hello Packet large than 255 bytes 2010-07-05 13:35:20 +00:00
Igor Sysoev
802bc23574 try to use C99 variadic macros first:
AIX 5.3's XL C has problems with GCC style variadic macros
2010-07-05 13:02:25 +00:00
Igor Sysoev
ee37271a0f fix building by owc12: GetLongPathName() is available since Win2K only 2010-07-05 12:47:35 +00:00
Igor Sysoev
497c13774d HP/UX uses EWOULDBLOCK instead of EAGAIN 2010-07-03 20:16:55 +00:00
Igor Sysoev
0cb0c67e3a do not use a cache headers set to hide 2010-07-02 10:05:40 +00:00
Igor Sysoev
0bd1809f05 treat Set-Cookie as a header that forbids caching 2010-07-02 09:49:27 +00:00
Igor Sysoev
9a00d69413 update the previous commit 2010-07-02 09:28:50 +00:00