Commit Graph

203 Commits

Author SHA1 Message Date
Maxim Dounin
8d7c6491fe Upstream: fixed unexpected inheritance into limit_except blocks.
The proxy_pass directive and other handlers are not expected to be inherited
into nested locations, but there is a special code to inherit upstream
handlers into limit_except blocks, as well as a configuration into if{}
blocks.  This caused incorrect behaviour in configurations with nested
locations and limit_except blocks, like this:

    location / {
        proxy_pass http://u;

        location /inner/ {
            # no proxy_pass here

            limit_except GET {
                # nothing
            }
        }
    }

In such a configuration the limit_except block inside "location /inner/"
unexpectedly used proxy_pass defined in "location /", while it shouldn't.
Fix is to avoid inheritance of conf->upstream.upstream (and
conf->proxy_lengths) into locations which don't have noname flag.
2014-12-09 18:22:31 +03:00
Maxim Dounin
c863e1b3b5 Upstream: inheritance of proxy_pass and friends (ticket #645).
Instead of independant inheritance of conf->upstream.upstream (proxy_pass
without variables) and conf->proxy_lengths (proxy_pass with variables)
we now test them both and inherit only if neither is set.  Additionally,
SSL context is also inherited only in this case now.

Based on the patch by Alexey Radkov.
2014-12-09 18:21:55 +03:00
Maxim Dounin
88ed2d39af Proxy: the "TE" header now stripped by default (ticket #537). 2014-12-09 18:20:19 +03:00
Roman Arutyunyan
1b79cb211d Proxy: renamed and rearranged fields in proxy configuration.
No functional changes.
2014-11-19 17:33:24 +03:00
Roman Arutyunyan
8898c97dbd Upstream: different header lists for cached and uncached requests.
The upstream modules remove and alter a number of client headers
before sending the request to upstream.  This set of headers is
smaller or even empty when cache is disabled.

It's still possible that a request in a cache-enabled location is
uncached, for example, if cache entry counter is below min_uses.
In this case it's better to alter a smaller set of headers and
pass more client headers to backend unchanged.  One of the benefits
is enabling server-side byte ranges in such requests.
2014-11-19 17:33:23 +03:00
Roman Arutyunyan
bcf6b11a34 Upstream: moved header lists to separate structures.
No functional changes.
2014-11-19 17:33:22 +03:00
Roman Arutyunyan
62dfdf1814 Upstream: moved header initializations to separate functions.
No functional changes.
2014-11-19 17:33:21 +03:00
Roman Arutyunyan
2628cc11d4 Cache: proxy_cache_lock_age and friends.
Once this age is reached, the cache lock is discarded and another
request can acquire the lock.  Requests which failed to acquire
the lock are not allowed to cache the response.
2014-11-18 20:41:12 +03:00
Piotr Sikora
a9d9b09103 Upstream: add "proxy_ssl_certificate" and friends.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-30 04:30:41 -07:00
Roman Arutyunyan
18e4d042b0 Upstream: proxy_limit_rate and friends.
The directives limit the upstream read rate.  For example,
"proxy_limit_rate 42" limits proxy upstream read rate to
42 bytes per second.
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
2244a5e9cf Upstream: proxy_force_ranges and friends.
The directives enable byte ranges for both cached and uncached
responses regardless of backend headers.
2014-10-14 18:32:01 +04:00
Roman Arutyunyan
02ce6c415f Upstream: limited next_upstream time and tries (ticket #544).
The new directives {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_tries
and {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_timeout limit
the number of upstreams tried and the maximum time spent for these tries
when searching for a valid upstream.
2014-09-12 18:50:47 +04:00
Maxim Dounin
46ac5c760c Upstream: cache revalidation using If-None-Match. 2014-06-26 02:35:01 +04:00
Ruslan Ermilov
5a3d4410cc Style: use %N instead of '\n' where appropriate. 2014-05-14 22:26:30 +04:00
Valentin Bartenev
b53306815e Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
2013-11-18 03:06:45 +04:00
Maxim Dounin
27475dd7ee Upstream: proxy_ssl_verify and friends. 2014-04-18 20:13:30 +04:00
Maxim Dounin
59ef4a3417 Upstream: proxy_ssl_name and proxy_ssl_server_name directives.
These directives allow to switch on Server Name Indication (SNI) while
connecting to upstream servers.

By default, proxy_ssl_server_name is currently off (that is, no SNI) and
proxy_ssl_name is set to a host used in the proxy_pass directive.
2014-04-18 20:13:28 +04:00
Maxim Dounin
93eb94d622 Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.

In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
2014-04-18 20:13:24 +04:00
Piotr Sikora
60d508ceb9 Upstream: fix $upstream_status variable.
Previously, upstream's status code was overwritten with
cached response's status code when STALE or REVALIDATED
response was sent to the client.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-11 21:54:42 -08:00
Valentin Bartenev
2576530c51 Use ngx_chain_get_free_buf() in pipe input filters.
No functional changes.
2013-12-11 21:30:38 +04:00
Maxim Dounin
1ac2693a33 Upstream: cache revalidation with conditional requests.
The following new directives are introduced: proxy_cache_revalidate,
fastcgi_cache_revalidate, scgi_cache_revalidate, uwsgi_cache_revalidate.
Default is off.  When set to on, they enable cache revalidation using
conditional requests with If-Modified-Since for expired cache items.

As of now, no attempts are made to merge headers given in a 304 response
during cache revalidation with headers previously stored in a cache item.
Headers in a 304 response are only used to calculate new validity time
of a cache item.
2013-11-18 20:48:22 +04:00
Maxim Dounin
239c4037ce Upstream: proxy_no_cache, fastcgi_no_cache warnings removed. 2013-09-27 16:50:13 +04:00
Piotr Sikora
43736b12de Proxy: added the "proxy_ssl_ciphers" directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-23 15:58:28 -07:00
Andrei Belov
003b2cd720 Proxy: added the "proxy_ssl_protocols" directive. 2013-09-19 18:30:33 +04:00
Maxim Dounin
74b7a91013 Win32: Borland C compatibility fixes.
Several false positive warnings silenced, notably W8012 "Comparing
signed and unsigned" (due to u_short values promoted to int), and
W8072 "Suspicious pointer arithmetic" (due to large type values added
to pointers).

With this patch, it's now again possible to compile nginx using bcc32,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:23 +04:00
Maxim Dounin
960d0bfe34 Upstream: added check if a response is complete.
Checks were added to both buffered and unbuffered code paths to detect
and complain if a response is incomplete.  Appropriate error codes are
now passed to ngx_http_upstream_finalize_request().

With this change in unbuffered mode we now use u->length set to -1 as an
indicator that EOF is allowed per protocol and used to indicate response
end (much like its with p->length in buffered mode).  Proxy module was
changed to set u->length to 1 (instead of previously used -1) in case of
chunked transfer encoding used to comply with the above.
2013-07-25 15:00:12 +04:00
Maxim Dounin
1a983a0c05 Upstream: http_403 support in proxy_next_upstream (and friends).
The parameter is mostly identical to http_404, and is expected to
be used in similar situations.  The 403 code might be returned by
a backend instead of 404 on initial sync of new directories with rsync.

See here for feature request and additional details:
http://mailman.nginx.org/pipermail/nginx-ru/2013-April/050920.html
2013-05-27 16:54:09 +04:00
Maxim Dounin
330ebdc8fe Proxy: clear script engine used to calculate lengths.
Previous code is believed to be safe, but might access uninitialized
memory (e.g., e->quote).
2013-05-15 12:23:44 +04:00
Maxim Dounin
a38455a7f3 Proxy: $proxy_internal_body_length fixed.
The $proxy_internal_body_length value might change during request lifetime,
notably if proxy_set_body used, and use of a cached value might result in
incorrect upstream requests.

Patch by Lanshun Zhou.
2013-05-11 21:12:24 +04:00
Ruslan Ermilov
9014efdadf Proxy: allocate $proxy_internal_body_length from request pool. 2013-04-29 18:58:58 +04:00
Ruslan Ermilov
67a68720b7 Correctly handle multiple X-Forwarded-For headers (ticket #106). 2013-02-27 13:29:50 +00:00
Maxim Dounin
08a73b4aad Proxy: support for connection upgrade (101 Switching Protocols).
This allows to proxy WebSockets by using configuration like this:

    location /chat/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

Connection upgrade is allowed as long as it was requested by a client
via the Upgrade request header.
2013-02-18 13:50:52 +00:00
Maxim Dounin
aa0b86fb4d Proxy: fixed proxy_method to always add space.
Before the patch if proxy_method was specified at http{} level the code
to add trailing space wasn't executed, resulting in incorrect requests
to upstream.
2013-01-22 12:36:00 +00:00
Ruslan Ermilov
5d143ca864 Fixed and improved the "*_bind" directives of proxying modules.
The "proxy_bind", "fastcgi_bind", "uwsgi_bind", "scgi_bind" and
"memcached_bind" directives are now inherited; inherited value
can be reset by the "off" parameter.  Duplicate directives are
now detected.  Parameter value can now contain variables.
2013-01-16 09:42:57 +00:00
Maxim Dounin
b3430993f1 Proxy: better error message about unexpected data.
Requested by Igor Sysoev.
2012-12-13 13:45:39 +00:00
Ruslan Ermilov
73fb7e878f Allow the complex value to be defined as an empty string.
This makes conversion from strings to complex values possible
without the loss of functionality.
2012-12-06 23:03:53 +00:00
Maxim Dounin
9a483c8373 Request body: always use calculated size of a request body in proxy.
This allows to handle requests with chunked body, and also simplifies
handling of various request body modifications.
2012-11-21 01:03:48 +00:00
Maxim Dounin
df74d88156 Request body: chunked parsing moved to ngx_http_parse.c from proxy.
No functional changes.
2012-11-21 00:59:16 +00:00
Maxim Dounin
c7bb162ffe Proxy: added ctx checking to input filters.
The proxy module context may be NULL in case of filter finalization
(e.g. by image_filter) followed by an internal redirect.  This needs
some better handling, but for now just check if ctx is still here.
2012-04-23 10:40:01 +00:00
Ruslan Ermilov
43d2b1c045 Fixed grammar in error messages. 2012-04-12 19:35:41 +00:00
Maxim Dounin
eb526b7d7d Fixed incorrect ngx_cpystrn() usage in ngx_http_*_process_header().
This resulted in a disclosure of previously freed memory if upstream
server returned specially crafted response, potentially exposing
sensitive information.

Reported by Matthew Daley.
2012-03-15 11:27:12 +00:00
Ruslan Ermilov
b74f8ffce4 Fixed spelling in single-line comments. 2012-02-28 11:31:05 +00:00
Valentin Bartenev
a113cb3543 Proxy: added the "proxy_cookie_path" directive. 2012-02-13 11:08:05 +00:00
Valentin Bartenev
e9df2d6f46 Proxy: added the "proxy_cookie_domain" directive. 2012-02-13 11:04:45 +00:00
Valentin Bartenev
85551e58fe Proxy: generic regex related code from the "proxy_redirect" directive moved
to a separate function.

No functional changes.
2012-02-13 11:00:08 +00:00
Valentin Bartenev
7c611aa186 Proxy: generic rewrite code from the "proxy_redirect" handlers moved to a
separate function with trivial optimization.

No functional changes.
2012-02-13 10:56:09 +00:00
Valentin Bartenev
582dac116d Proxy: renamed some "proxy_redirect" related declarations to a more general and
reusable.

No functional changes.
2012-02-13 10:42:44 +00:00
Valentin Bartenev
3feafa765f Fixed proxy_redirect off inheritance.
Example configuration to reproduce:

  server {
      proxy_redirect off;

      location / {
          proxy_pass http://localhost:8000;
          proxy_redirect http://localhost:8000/ /;

          location ~ \.php$ {
              proxy_pass http://localhost:8000;
              # proxy_redirect must be inherited from the level above,
              # but instead it was switched off here
          }
      }
  }
2012-01-30 11:22:56 +00:00
Maxim Konovalov
f8d59e33f3 Copyright updated. 2012-01-18 15:07:43 +00:00
Maxim Dounin
2c55914a9f Fixed proxy_cache_use_stale in "no live upstreams" case. 2012-01-16 11:01:52 +00:00