Commit Graph

7793 Commits

Author SHA1 Message Date
Roman Arutyunyan
7f0fdd4e14 Style. 2021-12-29 15:33:51 +03:00
Sergey Kandaurov
f3363a8dbe Merged with the default branch. 2021-12-29 15:17:26 +03:00
Maxim Dounin
054944feb3 release-1.21.5 tag 2021-12-28 18:28:38 +03:00
Maxim Dounin
3a7d332aef nginx-1.21.5-RELEASE 2021-12-28 18:28:37 +03:00
Maxim Dounin
d34c7b9fb0 Updated OpenSSL and PCRE used for win32 builds. 2021-12-28 17:56:16 +03:00
Maxim Dounin
1f01183b9e Support for sendfile(SF_NOCACHE).
The SF_NOCACHE flag, introduced in FreeBSD 11 along with the new non-blocking
sendfile() implementation by glebius@, makes it possible to use sendfile()
along with the "directio" directive.
2021-12-27 19:49:26 +03:00
Maxim Dounin
2a00e6141f SSL: SSL_sendfile(SF_NODISKIO) support. 2021-12-27 19:48:42 +03:00
Maxim Dounin
20c35434ef Simplified sendfile(SF_NODISKIO) usage.
Starting with FreeBSD 11, there is no need to use AIO operations to preload
data into cache for sendfile(SF_NODISKIO) to work.  Instead, sendfile()
handles non-blocking loading data from disk by itself.  It still can, however,
return EBUSY if a page is already being loaded (for example, by a different
process).  If this happens, we now post an event for the next event loop
iteration, so sendfile() is retried "after a short period", as manpage
recommends.

The limit of the number of EBUSY tolerated without any progress is preserved,
but now it does not result in an alert, since on an idle system event loop
iteration might be very short and EBUSY can happen many times in a row.
Instead, SF_NODISKIO is simply disabled for one call once the limit is
reached.

With this change, sendfile(SF_NODISKIO) is now used automatically as long as
sendfile() is enabled, and no longer requires "aio on;".
2021-12-27 19:48:33 +03:00
Maxim Dounin
f0a5ce136d Removed "aio sendfile", deprecated since 1.7.11. 2021-12-27 19:47:05 +03:00
Vladimir Homutov
fa21bf0cc7 QUIC: got rid of ngx_quic_create_temp_socket().
It was mostly copy of the ngx_quic_listen().  Now ngx_quic_listen() no
longer generates server id and increments seqnum.  Instead, the server
id is generated when the socket is created.

The ngx_quic_alloc_socket() function is renamed to ngx_quic_create_socket().
2021-12-27 13:49:56 +03:00
Ruslan Ermilov
05a32b5ec4 Fixed a mismerge in 5c86189a1c1b. 2021-12-28 15:01:02 +03:00
Roman Arutyunyan
3662e0c83b QUIC: renamed input handling functions.
Now these functions have names ngx_quic_handle_XXX():

  - ngx_quic_process_stateless_reset() -> ngx_quic_handle_stateless_reset()
  - ngx_quic_input() -> ngx_quic_handle_datagram()
  - ngx_quic_process_packet() -> ngx_quic_handle_packet()
  - ngx_quic_process_payload() -> ngx_quic_handle_payload()
2021-12-27 16:15:28 +03:00
Roman Arutyunyan
cf96432910 QUIC: fixed format specifier after 6ccf3867959a. 2021-12-28 13:50:01 +03:00
Vladimir Homutov
bef80e70f6 QUIC: fixed config test with bpf (ticket #2292).
The SO_REUSEPORT socket option is not set during configuration testing,
thus making the further module initialization impossible and meaningless.
2021-12-28 13:24:58 +03:00
Maxim Dounin
d5f1f169bc Core: added NGX_REGEX_MULTILINE for 3rd party modules.
Notably, NAXSI is known to misuse ngx_regex_compile() with rc.options set
to PCRE_CASELESS | PCRE_MULTILINE.  With PCRE2 support, and notably binary
compatibility changes, it is no longer possible to set PCRE[2]_MULTILINE
option without using proper interface.  To facilitate correct usage,
this change adds the NGX_REGEX_MULTILINE option.
2021-12-25 01:07:18 +03:00
Maxim Dounin
931acbf5bc PCRE2 and PCRE binary compatibility.
With this change, dynamic modules using nginx regex interface can be used
regardless of the variant of the PCRE library nginx was compiled with.

If a module is compiled with different PCRE library variant, in case of
ngx_regex_exec() errors it will report wrong function name in error
messages.  This is believed to be tolerable, given that fixing this will
require interface changes.
2021-12-25 01:07:16 +03:00
Maxim Dounin
c6fec0b027 PCRE2 library support.
The PCRE2 library is now used by default if found, instead of the
original PCRE library.  If needed for some reason, this can be disabled
with the --without-pcre2 configure option.

To make it possible to specify paths to the library and include files
via --with-cc-opt / --with-ld-opt, the library is first tested without
any additional paths and options.  If this fails, the pcre2-config script
is used.

Similarly to the original PCRE library, it is now possible to build PCRE2
from sources with nginx configure, by using the --with-pcre= option.
It automatically detects if PCRE or PCRE2 sources are provided.

Note that compiling PCRE2 10.33 and later requires inttypes.h.  When
compiling on Windows with MSVC, inttypes.h is only available starting
with MSVC 2013.  In older versions some replacement needs to be provided
("echo '#include <stdint.h>' > pcre2-10.xx/src/inttypes.h" is good enough
for MSVC 2010).

The interface on nginx side remains unchanged.
2021-12-25 01:07:15 +03:00
Maxim Dounin
cddb22cefe Configure: simplified PCRE compilation.
Removed ICC-specific PCRE optimizations which tried to link with PCRE
object files instead of the library.  Made compiler-specific code
minimal.
2021-12-25 01:07:14 +03:00
Maxim Dounin
28f8caac37 Core: ngx_regex.c style cleanup.
Notably, ngx_pcre_pool and ngx_pcre_studies are renamed to ngx_regex_pool
and ngx_regex_studies, respectively.
2021-12-25 01:07:12 +03:00
Maxim Dounin
09268f58b4 Core: fixed ngx_pcre_studies cleanup.
If a configuration parsing fails for some reason, ngx_regex_module_init()
is not called, and ngx_pcre_studies remained set despite the fact that
the pool it was allocated from is already freed.  This might result in
a segmentation fault during runtime regular expression compilation, such
as in SSI, for example, in the single process mode, or if a worker process
died and was respawned from a master process in such an inconsistent state.

Fix is to clear ngx_pcre_studies from the pool cleanup handler (which is
anyway used to free JIT-compiled patterns).
2021-12-25 01:07:10 +03:00
Roman Arutyunyan
cd278da5e7 QUIC: refactored buffer allocation, spliting and freeing.
Previously, buffer lists was used to track used buffers.  Now reference
counter is used instead.  The new implementation is simpler and faster with
many buffer clones.
2021-12-24 18:39:22 +03:00
Ruslan Ermilov
363505e806 Moved Huffman coding out of HTTP/2.
ngx_http_v2_huff_decode.c and ngx_http_v2_huff_encode.c are renamed
to ngx_http_huff_decode.c and ngx_http_huff_encode.c.
2021-12-21 07:54:16 +03:00
Gena Makhomed
b5d022e797 Contrib: vim syntax, update core and 3rd party module directives. 2021-12-20 20:02:48 +02:00
Roman Arutyunyan
703be8c8f6 QUIC: removed ngx_quic_copy_chain().
The function is unused.
2021-12-16 17:07:11 +03:00
Roman Arutyunyan
4d79f94221 QUIC: renamed buffer-related functions.
ngx_quic_alloc_buf() -> ngx_quic_alloc_chain(),
ngx_quic_free_bufs() -> ngx_quic_free_chain(),
ngx_quic_trim_bufs() -> ngx_quic_trim_chain()
2021-12-16 17:06:35 +03:00
Roman Arutyunyan
baea97bc54 QUIC: refactored ngx_quic_order_bufs() and ngx_quic_split_bufs().
They are replaced with ngx_quic_write_chain() and ngx_quic_read_chain().
These functions represent the API to data buffering.

The first function adds data of given size at given offset to the buffer.
Now it returns the unwritten part of the chain similar to c->send_chain().

The second function returns data of given size from the beginning of the buffer.
Its second argument and return value are swapped compared to
ngx_quic_split_bufs() to better match ngx_quic_write_chain().

Added, returned and stored data are regular ngx_chain_t/ngx_buf_t chains.
Missing data is marked with b->sync flag.

The functions are now used in both send and recv data chains in QUIC streams.
2021-12-24 18:17:23 +03:00
Roman Arutyunyan
97b34a01e2 QUIC: avoid excessive buffer allocations in stream output.
Previously, when a few bytes were send to a QUIC stream by the application, a
4K buffer was allocated for these bytes.  Then a STREAM frame was created and
that entire buffer was used as data for that frame.  The frame with the buffer
were in use up until the frame was acked by client.  Meanwhile, when more
bytes were send to the stream, more buffers were allocated and assigned as
data to newer STREAM frames.  In this scenario most buffer memory is unused.

Now the unused part of the stream output buffer is available for further
stream output while earlier parts of the buffer are waiting to be acked.
This is achieved by splitting the output buffer.
2021-12-24 18:13:51 +03:00
Vladimir Homutov
541ec50c42 QUIC: got rid of excessive "qsock" argument in ngx_quic_output.c.
The output is always sent to the active path, which is stored in the
quic connection.  There is no need to pass it in arguments.

When output has to be send to to a specific path (in rare cases, such as
path probing), a separate method exists (ngx_quic_frame_sendto()).
2021-12-27 13:52:57 +03:00
Vladimir Homutov
cb273ddf91 QUIC: refactored ngx_quic_validate_path().
The function now accepts path argument, as suggested by the name. Socket is
not really needed inside.
2021-12-16 11:49:08 +03:00
Vladimir Homutov
93230cd8cf QUIC: added missing check for backup path existence. 2021-12-16 11:42:28 +03:00
Ruslan Ermilov
fa4da05854 Merged with the default branch. 2021-12-24 15:53:59 +03:00
Roman Arutyunyan
3341a85076 QUIC: added path limiting function ngx_quic_path_limit(). 2021-12-14 16:24:20 +03:00
Vladimir Homutov
10fd8be86d QUIC: decoupled path state and limitation status.
The path validation status and anti-amplification limit status is actually
two different variables.  It is possible that validating path should not
be limited (for example, when re-validating former path).
2021-12-13 09:48:33 +03:00
Vladimir Homutov
a31745499b QUIC: improved path validation.
Previously, path was considered valid during arbitrary selected 10m timeout
since validation.  This is quite not what RFC 9000 says; the relevant
part is:

    An endpoint MAY skip validation of a peer address if that
    address has been seen recently.

The patch considers a path to be 'recently seen' if packets were received
during idle timeout.  If a packet is received from the path that was seen
not so recently, such path is considered new, and anti-amplification
restrictions apply.
2021-12-13 17:27:29 +03:00
Roman Arutyunyan
6e7f192804 QUIC: write and full stream shutdown support.
Full stream shutdown is now called from stream cleanup handler instead of
explicitly sending frames.
2021-12-13 14:49:42 +03:00
Roman Arutyunyan
6ea39f03ae QUIC: simplified stream initialization.
After creation, a client stream is added to qc->streams.uninitialized queue.
After initialization it's removed from the queue.  If a stream is never
initialized, it is freed in ngx_quic_close_streams().  Stream initializer
is now set as read event handler in stream connection.

Previously qc->streams.uninitialized was used only for delayed stream
initialization.

The change makes it possible not to handle separately the case of a new stream
in stream-related frame handlers.  It makes these handlers simpler since new
streams and existing streams are now handled by the same code.
2021-12-10 19:43:50 +03:00
Maxim Dounin
83e92a2edd HTTP/2: fixed sendfile() aio handling.
With sendfile() in threads ("aio threads; sendfile on;"), client connection
can block on writing, waiting for sendfile() to complete.  In HTTP/2 this
might result in the request hang, since an attempt to continue processing
in thread event handler will call request's write event handler, which
is usually stopped by ngx_http_v2_send_chain(): it does nothing if there
are no additional data and stream->queued is set.  Further, HTTP/2 resets
stream's c->write->ready to 0 if writing blocks, so just fixing
ngx_http_v2_send_chain() is not enough.

Can be reproduced with test suite on Linux with:

TEST_NGINX_GLOBALS_HTTP="aio threads; sendfile on;" prove h2*.t

The following tests currently fail: h2_keepalive.t, h2_priority.t,
h2_proxy_max_temp_file_size.t, h2.t, h2_trailers.t.

Similarly, sendfile() with AIO preloading on FreeBSD can block as well,
with similar results.  This is, however, harder to reproduce, especially
on modern FreeBSD systems, since sendfile() usually does not return EBUSY.

Fix is to modify ngx_http_v2_send_chain() so it actually tries to send
data to the main connection when called, and to make sure that
c->write->ready is set by the relevant event handlers.
2021-11-25 22:02:10 +03:00
Maxim Dounin
2361e98a34 HTTP/2: fixed "task already active" with sendfile in threads.
With sendfile in threads, "task already active" alerts might appear in logs
if a write event happens on the main HTTP/2 connection, triggering a sendfile
in threads while another thread operation is already running.  Observed
with "aio threads; aio_write on; sendfile on;" and with thread event handlers
modified to post a write event to the main HTTP/2 connection (though can
happen without any modifications).

Similarly, sendfile() with AIO preloading on FreeBSD can trigger duplicate
aio operation, resulting in "second aio post" alerts.  This is, however,
harder to reproduce, especially on modern FreeBSD systems, since sendfile()
usually does not return EBUSY.

Fix is to avoid starting a sendfile operation if other thread operation
is active by checking r->aio in the thread handler (and, similarly, in
aio preload handler).  The added check also makes duplicate calls protection
redundant, so it is removed.
2021-11-25 22:02:05 +03:00
Roman Arutyunyan
59312ddac1 QUIC: post stream events instead of calling their handlers.
This potentially reduces the number of handler calls.
2021-11-23 21:39:51 +03:00
Ruslan Ermilov
4374cbfb1e QUIC: removed configure time test for BPF sockhash.
The test verifies kernel version on a build machine,
but actually used kernel may be different.
2021-12-09 15:30:50 +03:00
Ruslan Ermilov
d06f60250e QUIC: configure cleanup.
Renamed and removed some macros.
2021-12-09 15:30:01 +03:00
Vladimir Homutov
3ab900cbd9 QUIC: added missing frame initialization.
Currently, all used fields are initialized, but usage may change in future.
2021-12-06 11:04:55 +03:00
Vladimir Homutov
b61447d436 QUIC: refactored ngx_quic_frame_sendto() function.
The function now takes path as an argument to deal with associated
restrictions and update sent counter.
2021-12-09 12:40:14 +03:00
Sergey Kandaurov
702a0986f3 QUIC: fixed e06283038ec8 mis-merge.
The NGX_HTTP_QUIC macro was removed in 33226ac61076.
2021-12-09 11:15:25 +03:00
Sergey Kandaurov
dea9a208c3 HTTP/3: cleanup after "listen .. quic" removal in be08b858086a. 2021-12-08 17:04:56 +03:00
Vladimir Homutov
09286ac7d9 QUIC: updated README.
The ngx_http_quic_module is merged to ngx_http_v3_module.
The $quic variable no longer exists, it is replaced with $http3 variable.
2021-12-07 16:07:47 +03:00
Sergey Kandaurov
a42a62fc58 QUIC: clear SSL_OP_ENABLE_MIDDLEBOX_COMPAT on SSL context switch.
The SSL_OP_ENABLE_MIDDLEBOX_COMPAT option is provided by QuicTLS and enabled
by default in the newly created SSL contexts.  SSL_set_quic_method() is used
to clear it, which is required for SSL handshake to work on QUIC connections.
Switching context in the ngx_http_ssl_servername() SNI callback overrides SSL
options from the new SSL context.  This results in the option set again.
Fix is to explicitly clear it when switching to another SSL context.

Initially reported here (in Russian):
http://mailman.nginx.org/pipermail/nginx-ru/2021-November/063989.html
2021-12-07 15:49:51 +03:00
Sergey Kandaurov
9860a82b19 HTTP/3: avoid sending stream cancellation for pushed streams. 2021-12-07 15:49:30 +03:00
Sergey Kandaurov
1bd3cae959 QUIC: converted ngx_quic_keys_set_encryption_secret() to NGX codes.
While here, removed check for encryption level zero, redundant by its nature.
2021-12-07 15:42:10 +03:00
Roman Arutyunyan
d1bc1da950 HTTP/3: renamed files.
ngx_http_v3_tables.h and ngx_http_v3_tables.c are renamed to
ngx_http_v3_table.h and ngx_http_v3_table.c to better match HTTP/2 code.

ngx_http_v3_streams.h and ngx_http_v3_streams.c are renamed to
ngx_http_v3_uni.h and ngx_http_v3_uni.c to better match their content.
2021-12-07 13:01:28 +03:00