Commit Graph

7810 Commits

Author SHA1 Message Date
Maxim Dounin
83dceda868 HTTP/2: unknown frames now logged at info level. 2018-03-05 21:35:13 +03:00
Maxim Dounin
89ad448f57 Style. 2018-03-05 21:35:08 +03:00
Vladimir Homutov
7647372565 Access log: support for disabling escaping (ticket #1450).
Based on patches by Johannes Baiter <johannes.baiter@bsb-muenchen.de>
and Calin Don.
2018-03-01 11:42:55 +03:00
Maxim Dounin
c7e8a6f212 Core: ngx_current_msec now uses monotonic time if available.
When clock_gettime(CLOCK_MONOTONIC) (or faster variants, _FAST on FreeBSD,
and _COARSE on Linux) is available, we now use it for ngx_current_msec.
This should improve handling of timers if system time changes (ticket #189).
2018-03-01 20:25:50 +03:00
Roman Arutyunyan
6e30556127 Postpone filter: prevented uninitialized r->out.
The r->out chain link could be left uninitialized in case of error.
A segfault could happen if the subrequest handler accessed it.
The issue was introduced in commit 20f139e9ffa8.
2018-03-01 18:38:39 +03:00
Roman Arutyunyan
7c5c15a25d Generic subrequests in memory.
Previously, only the upstream response body could be accessed with the
NGX_HTTP_SUBREQUEST_IN_MEMORY feature.  Now any response body from a subrequest
can be saved in a memory buffer.  It is available as a single buffer in r->out
and the buffer size is configured by the subrequest_output_buffer_size
directive.

Upstream, proxy and fastcgi code used to handle the old-style feature is
removed.
2018-02-28 16:56:58 +03:00
Vladimir Homutov
2d9db482aa Modules compatibility: additional upstream metrics. 2018-02-22 17:25:43 +03:00
Vadim Filimonov
f607032e0c Auth basic: prevent null character in error log (ticket #1494). 2018-02-26 16:52:20 +02:00
Roman Arutyunyan
dd7dba520c Generate error for unsupported IPv6 transparent proxy.
On some platforms (for example, Linux with glibc 2.12-2.25) IPv4 transparent
proxying is available, but IPv6 transparent proxying is not.  The entire feature
is enabled in this case and NGX_HAVE_TRANSPARENT_PROXY macro is set to 1.
Previously, an attempt to enable transparency for an IPv6 socket was silently
ignored in this case and was usually followed by a bind(2) EADDRNOTAVAIL error
(ticket #1487).  Now the error is generated for unavailable IPv6 transparent
proxy.
2018-02-22 13:16:21 +03:00
Ruslan Ermilov
bcda92e843 HTTP/2: style.
Unified the style of validity checks in ngx_http_v2_validate_header().
2018-02-22 12:42:29 +03:00
Sergey Kandaurov
b3b4a98a5c Geo: fixed indentation. 2018-02-21 17:26:00 +03:00
Ruslan Ermilov
7a45918e0b Geo: optimized configuration parser.
If the geo block parser has failed, doing more things is pointless.
2018-02-21 15:50:43 +03:00
Ruslan Ermilov
f98a8c4db6 Geo: fixed memory allocation error handling (closes #1482).
If during configuration parsing of the geo directive the memory
allocation has failed, pool used to parse configuration inside
the block, and sometimes the temporary pool were not destroyed.
2018-02-21 15:50:42 +03:00
Ruslan Ermilov
864d93965b Version bump. 2018-02-21 15:50:35 +03:00
Maxim Dounin
89f4129f56 release-1.13.9 tag 2018-02-20 17:08:49 +03:00
Maxim Dounin
22adf80c4a nginx-1.13.9-RELEASE 2018-02-20 17:08:48 +03:00
Maxim Dounin
9e2cd6282f HTTP/2: precalculate hash for "Cookie".
There is no need to calculate hashes of static strings at runtime.  The
ngx_hash() macro can be used to do it during compilation instead, similarly
to how it is done in ngx_http_proxy_module.c for "Server" and "Date" headers.
2018-02-15 19:06:22 +03:00
Ruslan Ermilov
89661c0e7d HTTP/2: fixed ngx_http_v2_push_stream() allocation error handling.
In particular, if a stream object allocation failed, and a client sent
the PRIORITY frame for this stream, ngx_http_v2_set_dependency() could
dereference a null pointer while trying to re-parent a dependency node.
2018-02-15 17:51:37 +03:00
Ruslan Ermilov
2437532e7f HTTP/2: push additional request headers (closes #1478).
The Accept-Encoding, Accept-Language, and User-Agent header fields
are now copied from the original request to pushed requests.
2018-02-15 17:51:32 +03:00
Ruslan Ermilov
8a84dd4f32 Expose more headers with NGX_HTTP_HEADERS. 2018-02-15 17:51:26 +03:00
Vladimir Homutov
9d00f9e449 Core: added a stub for additional zone configuration. 2018-02-15 16:08:05 +03:00
Sergey Kandaurov
5e28302dfc HTTP/2: style. 2018-02-15 02:34:16 +03:00
Ruslan Ermilov
c32d9d28fd HTTP/2: fixed null pointer dereference with server push.
r->headers_in.host can be NULL in ngx_http_v2_push_resource().

This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.

Found by Coverity (CID 1429156).
2018-02-09 23:20:08 +03:00
Ruslan Ermilov
09eb20c8a7 HTTP/2: fixed build with -Werror=unused-but-set-variable. 2018-02-08 12:11:30 +03:00
Ruslan Ermilov
6e52265b42 HTTP/2: server push.
Resources to be pushed are configured with the "http2_push" directive.

Also, preload links from the Link response headers, as described in
https://www.w3.org/TR/preload/#server-push-http-2, can be pushed, if
enabled with the "http2_push_preload" directive.

Only relative URIs with absolute paths can be pushed.

The number of concurrent pushes is normally limited by a client, but
cannot exceed a hard limit set by the "http2_max_concurrent_pushes"
directive.
2018-02-08 09:55:03 +03:00
Ruslan Ermilov
ac3c8ff364 HTTP/2: changed prototypes of request pseudo-headers parsers.
No functional changes.
2018-02-08 09:54:49 +03:00
Ruslan Ermilov
8590d9d615 Basic support of the Link response header. 2018-02-08 09:54:18 +03:00
Roman Arutyunyan
d31d547dba Dav: added error logging.
Previously, when request body was not available or was previously read in
memory rather than a file, client received HTTP 500 error, but no explanation
was logged in error log.  This could happen, for example, if request body was
read or discarded prior to error_page redirect, or if mirroring was enabled
along with dav.
2018-02-07 16:44:29 +03:00
Sergey Kandaurov
bde18907ac HTTP/2: removed unused field from ngx_http_v2_stream_t. 2018-02-06 20:02:59 +03:00
Gena Makhomed
776869a974 Contrib: vim syntax, update 3rd party module directives.
Add new directives for 3rd party modules.
2018-02-01 11:15:14 +02:00
Gena Makhomed
b0f53dd0eb Contrib: vim syntax, update core module directives.
"match" is block directive, "upstream_conf" is deprecated
by patch http://hg.nginx.org/nginx.org/rev/27c53e1cb4b6
2018-02-01 11:09:35 +02:00
Ruslan Ermilov
c8f46e070f Upstream: removed X-Powered-By from the list of special headers.
After 1e720b0be7ec, it's neither specially processed nor copied
when redirecting with X-Accel-Redirect.
2018-01-30 22:23:58 +03:00
Sergey Kandaurov
57dde2ab37 SSL: using default server context in session remove (closes #1464).
This fixes segfault in configurations with multiple virtual servers sharing
the same port, where a non-default virtual server block misses certificate.
2018-01-30 17:46:31 +03:00
Ruslan Ermilov
2213695368 HTTP/2: finalize request as bad if parsing of pseudo-headers fails.
This is in line when the required pseudo-headers are missing, and
avoids spurious zero statuses in access.log.
2018-01-30 14:44:31 +03:00
Ruslan Ermilov
0b8b91f45f HTTP/2: more style, comments, and debugging. 2018-01-29 16:06:33 +03:00
Ruslan Ermilov
34cf5d5e6a HTTP/2: handle duplicate INITIAL_WINDOW_SIZE settings. 2018-01-29 15:54:36 +03:00
Ruslan Ermilov
63a4dab7b0 Fixed --test-build-eventport on macOS 10.12 and later.
In macOS 10.12, CLOCK_REALTIME and clockid_t were added, but not timer_t.
2018-01-16 13:52:03 +03:00
Maxim Dounin
3377c00119 Upstream: fixed "header already sent" alerts on backend errors.
Following ad3f342f14ba046c (1.9.13), it is possible that a request where
header was already sent will be finalized with NGX_HTTP_BAD_GATEWAY,
triggering an attempt to return additional error response and the
"header already sent" alert as a result.

In particular, it is trivial to reproduce the problem with a HEAD request
and caching enabled.  With caching enabled nginx will change HEAD to GET
and will set u->pipe->downstream_error to suppress sending the response
body to the client.  When a backend-related error occurs (for example,
proxy_read_timeout expires), ngx_http_finalize_upstream_request() will
be called with NGX_HTTP_BAD_GATEWAY.  After ad3f342f14ba046c this will
result in ngx_http_finalize_request(NGX_HTTP_BAD_GATEWAY).

Fix is to move u->pipe->downstream_error handling to a later point,
where all special response codes are changed to NGX_ERROR.

Reported by Jan Prachar,
http://mailman.nginx.org/pipermail/nginx-devel/2018-January/010737.html.
2018-01-11 21:43:49 +03:00
Maxim Dounin
9b81d3b1bb Year 2018. 2018-01-11 21:43:24 +03:00
Gena Makhomed
b87240dded Contrib: vim syntax, update core module directives.
Removed non-existent directives and directive redefinitions.
2017-12-28 12:01:05 +02:00
Gena Makhomed
28b53b7546 Contrib: vim syntax, update 3rd party module directives.
3rd party modules list synchronized with FreeBSD nginx-devel port.
2017-12-28 11:49:44 +02:00
Maxim Dounin
742f413e91 Version bump. 2017-12-30 00:15:07 +03:00
Maxim Dounin
196c1a0cb4 release-1.13.8 tag 2017-12-26 19:01:12 +03:00
Maxim Dounin
3860a5e6c9 nginx-1.13.8-RELEASE 2017-12-26 19:01:11 +03:00
Maxim Dounin
9402b81547 Updated OpenSSL used for win32 builds. 2017-12-26 17:48:49 +03:00
Gena Makhomed
44c16b2e70 Contrib: vim syntax, listen options. 2017-12-25 18:30:01 +02:00
Gena Makhomed
6e0d2f898d Contrib: vim syntax, update core module directives. 2017-12-25 17:57:01 +02:00
Maxim Dounin
9bc0ced4a7 Contrib: updated vim syntax rules for variables.
Non-quoted parameters are allowed to contain variables in curly brackets
(see d91a8c4ac6bb), so vim syntax rules were adjusted accordingly.
2017-12-25 19:41:00 +03:00
Roman Arutyunyan
0ad556fe59 Allowed configuration token to start with a variable.
Specifically, it is now allowed to start with a variable expression with braces:
${name}.  The opening curly bracket in such a token was previously considered
the start of a new block.  Variables located anywhere else in a token worked
fine: foo${name}.
2017-12-21 13:29:40 +03:00
Roman Arutyunyan
ce45ded2a8 Fixed capabilities version.
Previously, capset(2) was called with the 64-bit capabilities version
_LINUX_CAPABILITY_VERSION_3.  With this version Linux kernel expected two
copies of struct __user_cap_data_struct, while only one was submitted.  As a
result, random stack memory was accessed and random capabilities were requested
by the worker.  This sometimes caused capset() errors.  Now the 32-bit version
_LINUX_CAPABILITY_VERSION_1 is used instead.  This is OK since CAP_NET_RAW is
a 32-bit capability (CAP_NET_RAW = 13).
2017-12-19 19:00:27 +03:00