Commit Graph

4114 Commits

Author SHA1 Message Date
Vladimir Homutov
ed6780aaf1 Upstream: added the "$upstream_cookie_<name>" variables. 2014-04-29 12:28:41 +04:00
Valentin Bartenev
b53306815e Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
2013-11-18 03:06:45 +04:00
Valentin Bartenev
58e26b88b7 Version bump. 2014-04-24 20:50:10 +04:00
Maxim Dounin
6898a634d3 SSL: explicit handling of empty names.
X509_check_host() can't handle non null-terminated names with zero length,
so make sure to fail before calling it.
2014-04-23 20:31:31 +04:00
Ruslan Ermilov
e0e811d601 Upstream: for ssl name, non-aligned memory allocation is enough. 2014-04-22 18:56:49 +04:00
Maxim Dounin
0fd4f76e68 SSL: added explicit check for ngx_strlchr() result. 2014-04-22 14:02:45 +04:00
Valentin Bartenev
f79908af6e SPDY: avoid sending RST_STREAM on WINDOW_UPDATE with unknown SID.
There's a race condition between closing a stream by one endpoint
and sending a WINDOW_UPDATE frame by another.  So it would be better
to just skip such frames for unknown streams, like is already done
for the DATA frames.
2014-04-21 19:21:17 +04:00
Valentin Bartenev
a57959b6cd SPDY: Stream-ID restrictions according to specification. 2014-04-21 18:59:53 +04:00
Maxim Dounin
cae1bd3831 Upstream: uwsgi_ssl_name, uwsgi_ssl_verify, and so on.
Just a merge of proxy_ssl_name, proxy_ssl_verify commits into uwsgi module,
code is identical.
2014-04-18 20:13:32 +04:00
Maxim Dounin
27475dd7ee Upstream: proxy_ssl_verify and friends. 2014-04-18 20:13:30 +04:00
Maxim Dounin
59ef4a3417 Upstream: proxy_ssl_name and proxy_ssl_server_name directives.
These directives allow to switch on Server Name Indication (SNI) while
connecting to upstream servers.

By default, proxy_ssl_server_name is currently off (that is, no SNI) and
proxy_ssl_name is set to a host used in the proxy_pass directive.
2014-04-18 20:13:28 +04:00
Maxim Dounin
93eb94d622 Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.

In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
2014-04-18 20:13:24 +04:00
Maxim Dounin
6c9c973aa7 SSL: $ssl_server_name variable. 2014-04-18 20:13:21 +04:00
Maxim Dounin
583821c547 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. 2014-04-18 20:13:14 +04:00
Maxim Dounin
84785d8413 Version bump. 2014-04-18 20:12:53 +04:00
Sergey Kandaurov
7cf53e11f5 Access log: the "if" parameter of the "access_log" directive.
The parameter value specifies a condition under which the request is logged.
2014-04-15 21:32:56 +04:00
Valentin Bartenev
c69cabed1d SPDY: fixed typo in log message. 2014-04-16 11:40:42 +04:00
Valentin Bartenev
013449be01 Fixed missing "static" in declaration of ngx_http_gzip_quantity(). 2014-04-16 11:40:38 +04:00
Valentin Bartenev
7da40e6a99 SPDY: moved a variable initialization near to its check.
This should prevent attempts of using pointer before it was checked, since
all modern compilers are able to spot access to uninitialized variable.

No functional changes.
2014-04-09 18:15:32 +04:00
Valentin Bartenev
5d3f84e4e1 SPDY: fixed arguments supplied for an error message. 2014-04-08 20:12:30 +04:00
Valentin Bartenev
644a43ebd2 Version bump. 2014-04-08 20:11:31 +04:00
Valentin Bartenev
5cf11ab2e0 SPDY: avoid creating flush frames.
Previously, an empty frame object was created for an output chain that contains
only sync or flush empty buffers.  But since 39d7eef2e332 every DATA frame has
the flush flag set on its last buffer, so there's no need any more in additional
flush buffers in the output queue and they can be skipped.

Note that such flush frames caused an incorrect $body_bytes_sent value.
2014-04-07 23:35:33 +04:00
Valentin Bartenev
a547f4ac15 SPDY: consistently handle control frames with unknown type.
The SPDY draft 2 specification requires that if an endpoint receives a
control frame for a type it does not recognize, it must ignore the frame.
But the 3 and 3.1 drafts don't seem to declare any behavior for such case.
Then sticking with the previous draft in this matter looks to be right.

But previously, only 8 least significant bits of the type field were
parsed while the rest of 16 bits of the field were checked against zero.
Though there are no known frame types bigger than 255, this resulted in
inconsistency in handling of such frames: they were not recognized as
valid frames at all, and the connection was closed.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
108e4d94e4 SPDY: refactored ngx_http_spdy_state_read_data().
There's no more need in a separate indicator of frame completeness
after d74889fbf06d.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
b2cd520673 SPDY: better detect premature closing of stream.
Following a24f88eff684, now the case when the FIN flag is set in SYN_STREAM
is also covered.
2014-04-07 19:27:56 +04:00
Maxim Dounin
55bef30474 Win32: fixed shared ssl_session_cache (ticket #528).
In a worker process shm_zone->data was set to NULL instead of a proper value
extracted from shared memory.
2014-04-07 18:55:57 +04:00
Roman Arutyunyan
5147f8ee6a Mp4: allow end values bigger than track duration.
If start time is within the track but end time is out of it, error
"end time is out mp4 stts samples" is generated.  However it's
better to ignore the error and output the track until its end.
2014-04-01 20:53:18 +04:00
Maxim Dounin
2349a6747d Adjusted default value of types_hash_bucket_size (ticket #352).
The ngx_cacheline_size may be too low on some platforms, resulting
in unexpected hash build problems (as no collisions are tolerated due
to low bucket_size, and max_size isn't big enough to build a hash without
collisions).  These problems aren't fatal anymore but nevertheless
need to be addressed.
2014-03-31 22:47:42 +04:00
Maxim Dounin
8877284863 Core: fixed hash to actually try max_size.
Previously, maximum size of a hash table built was (max_size - 1).
2014-03-31 21:40:35 +04:00
Maxim Dounin
2a620ae109 Core: hash now ignores bucket_size if it hits max_size limit. 2014-03-31 21:40:31 +04:00
Maxim Dounin
23f6689846 Core: slab log_nomem flag.
The flag allows to suppress "ngx_slab_alloc() failed: no memory" messages
from a slab allocator, e.g., if an LRU expiration is used by a consumer
and allocation failures aren't fatal.

The flag is now used in the SSL session cache code, and in the limit_req
module.
2014-03-31 21:38:30 +04:00
Maxim Dounin
8f6958baa9 Win32: fixed cpu hog by cache manager on exit (ticket #514).
The "ngx_quit" may be reset by the worker thread before it's seen
by a ngx_cache_manager_thread(), resulting in an infinite loop.  Make
sure to test ngx_exiting as well.
2014-03-31 21:38:28 +04:00
Maxim Dounin
e042fc9038 Mail: fixed ngx_mail_send() (ticket #519). 2014-03-31 21:38:27 +04:00
Maxim Dounin
3183d7e17b Added #ifndef around NGX_HAVE_CASELESS_FILESYSTEM define.
This brings Cygwin compilation in line with other case-insensitive
systems (notably win32 and OS X) where one can force case sensitivity
using -DNGX_HAVE_CASELESS_FILESYSTEM=0.
2014-03-31 21:38:25 +04:00
Roman Arutyunyan
6f1763213b Mp4: improved logging after adding "end" support.
Despite introducing start and end crop operations existing log
messages still mostly refer only to start.  Logging is improved
to match both cases.

New debug logging is added to track entry count in atoms after
cropping.

Two format type mismatches are fixed as well.
2014-03-31 20:05:53 +04:00
Roman Arutyunyan
70e98eac3e Mp4: fixed seeking to a track end.
When "start" value is equal to a track duration the request
fails with "time is out mp4 stts" like it did before track
duration check was added.  Now such tracks are considered
short and skipped.
2014-03-31 19:52:17 +04:00
Valentin Bartenev
ac5a3cbeee SPDY: detect premature closing of stream.
The SPDY/3.1 specification requires that the server must respond with
a 400 "Bad request" error if the sum of the data frame payload lengths
does not equal the size of the Content-Length header.

This also fixes "zero size buf in output" alert, that might be triggered
if client sends a greater than zero Content-Length header and closes
stream using the FIN flag with an empty request body.
2014-03-28 20:22:57 +04:00
Valentin Bartenev
afb92a8127 SPDY: fixed the DATA frame length handling in case of some errors.
There are a few cases in ngx_http_spdy_state_read_data() related to error
handling when ngx_http_spdy_state_skip() might be called with an inconsistent
state between *pos and sc->length, that leads to violation of frame layout
parsing and resuted in corruption of spdy connection.

Based on a patch by Xiaochen Wang.
2014-03-28 20:05:07 +04:00
Valentin Bartenev
de3c7a825e SPDY: better detect if headers block has wrong entries count.
Previously, only one case was checked: if there's more data to parse
in a r->header_in buffer, but the buffer can be filled to the end by
the last parsed entry, so we also need to check that there's no more
data to inflate.
2014-03-26 18:01:11 +04:00
Valentin Bartenev
042122a066 SPDY: detect premature end of frame while start parsing headers. 2014-03-26 17:43:39 +04:00
Piotr Sikora
ac1617915c Apply underscores_in_headers also to the first character.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-03-24 16:35:44 -07:00
Andrei Belov
b1597fe2ea Increased default value of variables_hash_max_size. 2014-03-25 18:49:28 +04:00
Sergey Kandaurov
2070abf516 Mp4: skipped empty stss atom table in output.
The atom may have no data entries after cropping.

This fixes "zero size buf in output" alerts.
2014-03-24 17:55:10 +04:00
Maxim Dounin
effbf466aa Range filter: single_range flag in request.
If set, it means that response body is going to be in more than one buffer,
hence only range requests with a single range should be honored.

The flag is now used by mp4 and cacheable upstream responses, thus allowing
range requests of mp4 files with start/end, as well as range processing
on a first request to a not-yet-cached files with proxy_cache.

Notably this makes it possible to play mp4 files (with proxy_cache, or with
mp4 module) on iOS devices, as byte-range support is required by Apple.
2014-03-21 19:33:21 +04:00
Roman Arutyunyan
c6ca135923 Mp4: added "end" argument support. 2014-03-20 16:05:19 +04:00
Roman Arutyunyan
7aa8c81002 Mp4: moved atom cropping code out of update functions.
It can now be reused for implementing mp4 end.
2014-03-20 16:05:18 +04:00
Maxim Dounin
ec1211d2f6 SPDY: improved ngx_http_spdy_state_save() again. 2014-03-19 19:30:09 +04:00
Maxim Dounin
898ca36c33 Macros used for initialization in ngx_http_core_init_main_conf(). 2014-03-19 12:57:40 +04:00
Maxim Dounin
062e7a0042 SPDY: improved ngx_http_spdy_state_save() check. 2014-03-19 12:57:39 +04:00
Maxim Dounin
a4d04f01fb SPDY: macro used for recv_buffer_size initialization. 2014-03-19 12:57:32 +04:00
Maxim Dounin
f9b027baab Version bump. 2014-03-18 22:05:05 +04:00
Maxim Dounin
c6c702c329 SPDY: always check size of data to be saved into state buffer. 2014-03-18 17:00:19 +04:00
Roman Arutyunyan
0b5f329784 Added server-side support for PROXY protocol v1 (ticket #355).
Client address specified in the PROXY protocol header is now
saved in the $proxy_protocol_addr variable and can be used in
the realip module.

This is currently not implemented for mail.
2014-03-17 17:41:24 +04:00
Maxim Dounin
2f917b6d06 FastCGI: f->split_parts reset on request start.
Additionally, make sure to check for errors from ngx_http_parse_header_line()
call after joining saved parts.  There shouldn't be any errors, though
check may help to catch bugs like missing f->split_parts reset.

Reported by Lucas Molas.
2014-03-17 15:34:36 +04:00
Maxim Dounin
8800f0c42b Core: fixed wrong indices in listening sockets compare loops.
Proper use is "ls[i]" and "nls[n]".  Previous code used it wrong in
several places, likely due to cut-n-paste errors.
2014-03-07 15:17:38 +04:00
Sergey Kandaurov
f9e7687e55 Added connection serial number in logging of left open sockets. 2014-03-06 23:15:10 +04:00
Sergey Kandaurov
bd3516e8d9 Fixed format specifier in logging of "c->number". 2014-03-06 18:25:59 +04:00
Roman Arutyunyan
a35c675e71 Version bump. 2014-03-04 23:38:31 +04:00
Valentin Bartenev
0c05e5b55f SPDY: fixed potential integer overflow while parsing headers.
Previously r->header_size was used to store length for a part of
value that represents an individual already parsed HTTP header,
while r->header_end pointed to the end of the whole value.

Instead of storing length of a following name or value as pointer
to a potential end address (r->header_name_end and r->header_end)
that might be overflowed, now r->lowercase_index counter is used
to store remaining length of a following unparsed field.

It also fixes incorrect $body_bytes_sent value if a request is
closed while parsing of the request header.  Since r->header_size
is intended for counting header size, thus abusing it for header
parsing purpose was certainly a bad idea.
2014-03-03 19:24:55 +04:00
Valentin Bartenev
3925c1b110 SPDY: constant number of preallocated structures for headers. 2014-03-03 19:24:54 +04:00
Maxim Dounin
a2a26a7ce1 Request body: avoid potential overflow. 2014-03-03 17:39:53 +04:00
Valentin Bartenev
2c0defac9b Gzip static: fixed NGX_CONF_FLAG misuse. 2014-03-03 17:17:25 +04:00
Maxim Dounin
96af3e9dfb Disabled redirects to named locations if URI is not set.
If something like "error_page 400 @name" is used in a configuration,
a request could be passed to a named location without URI set, and this
in turn might result in segmentation faults or other bad effects
as most of the code assumes URI is set.

With this change nginx will catch such configuration problems in
ngx_http_named_location() and will stop request processing if URI
is not set, returning 500.
2014-02-27 20:36:35 +04:00
Ruslan Ermilov
8aa8365121 Core: allocate enough memory to hold IPv6 text address plus port. 2014-02-22 12:08:31 +04:00
Ruslan Ermilov
9ae40c5b54 Resolver: properly handle connect() failures.
If initial attempt to connect() the UDP socket failed, e.g.
due to network unreachable, no further attempts were made.
2014-02-20 17:27:09 +04:00
Konstantin Pavlov
c539aaf352 Upstream: fixed error message wording. 2014-02-20 13:48:40 +04:00
Ruslan Ermilov
3da53f339d Access: supplemented the obfuscated code with a comment. 2014-02-19 21:45:27 +04:00
Maxim Dounin
5ec277847e Upstream: ngx_post_event() instead of upgraded call (ticket #503).
If a request is finalized in the first call to the
ngx_http_upstream_process_upgraded() function, e.g., because upstream
server closed the connection for some reason, in the second call
the u->peer.connection pointer will be null, resulting in segmentation
fault.

Fix is to avoid second direct call, and post event instead.  This ensures
that ngx_http_upstream_process_upgraded() won't be called again if
a request is finalized.
2014-02-18 17:30:40 +04:00
Roman Arutyunyan
1dc1b0785b Mp4: remove useless leading stsc entry in result mp4.
The fix removes useless stsc entry in result mp4.
If start_sample == n then current stsc entry should be skipped
and the result stsc should start with the next entry.
The reason for that is start_sample starts from 0, not 1.
2014-02-14 15:14:48 +04:00
Maxim Dounin
8f8bf842bc Win32: MSVC 2013 compatibility.
Warnings about GetVersionEx() deprecation silenced.  Precompiled object
linked in.
2014-02-13 16:54:00 +04:00
Valentin Bartenev
b20af091b7 SPDY: fixed reversed priority order in window waiting queue. 2014-02-12 21:02:29 +04:00
Piotr Sikora
60d508ceb9 Upstream: fix $upstream_status variable.
Previously, upstream's status code was overwritten with
cached response's status code when STALE or REVALIDATED
response was sent to the client.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-11 21:54:42 -08:00
Xiaochen Wang
cd358e5a95 SPDY: fixed parsing of http version.
There is an error while parsing multi-digit minor version numbers (e.g.
"HTTP/1.10").
2014-02-11 20:54:16 +08:00
Maxim Dounin
381d507467 SSL: the $ssl_session_reused variable. 2014-02-11 19:20:25 +04:00
Ruslan Ermilov
42c049bd2d Range filter: fixed duplicate charset.
If a proxied response had charset in Content-Type, the
charset was duplicated in a response to client request
with byte ranges.
2014-02-04 17:13:35 +04:00
Piotr Sikora
ab3c0f9250 Use ngx_socket_errno where appropriate.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-02-03 14:17:17 -08:00
Maxim Dounin
07aef702ee Version bump. 2014-02-05 18:51:30 +04:00
Shigeki Ohtsu
38a9a8968d SPDY: fixed parsing of the priority field.
The size of the priority field is increased by one bit in spdy/3,
and now it's a 3-bit field followed by 5 bits of unused space.
But a shift of these bits hasn't been adjusted in 39d7eef2e332
accordingly.
2014-02-04 14:06:23 +09:00
Maxim Dounin
7ac48da41d Core: added ngx_encode_base64url(). 2014-02-04 04:59:21 +04:00
Piotr Sikora
2e57e0609b Core: handle getsockopt(TCP_FASTOPEN) failures.
Linux returns EOPNOTSUPP for non-TCP sockets and ENOPROTOOPT for TCP
sockets, because getsockopt(TCP_FASTOPEN) is not implemented so far.

While there, lower the log level from ALERT to NOTICE to match other
getsockopt() failures.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-30 14:58:21 -08:00
Valentin Bartenev
449e8eeb53 SPDY: protocol implementation switched to spdy/3.1. 2014-01-31 19:17:26 +04:00
Vladimir Homutov
8d97a2e4d7 Fixed false compiler warning.
Newer gcc versions (4.7+) report possible use of uninitialized variable if
nginx is being compiled with -O3.
2014-01-31 14:18:52 +04:00
Ruslan Ermilov
c6d7db2500 Fixed a compile warning introduced by 01e2a5bcdd8f.
On systems with OpenSSL that has NPN support but lacks
ALPN support, some compilers emitted a warning about
possibly uninitialized "data" variable.
2014-01-30 19:13:12 +04:00
Ruslan Ermilov
8d288ec49a Proxy: fixed upstream search by proxy_pass with variables.
If "proxy_pass" is specified with variables, the resulting
hostname is looked up in the list of upstreams defined in
configuration.  The search was case-sensitive, as opposed
to the case of "proxy_pass" specified without variables.
2014-01-30 18:57:11 +04:00
Piotr Sikora
4ae889c9f2 SSL: support ALPN (IETF's successor to NPN).
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-01-28 15:33:49 -08:00
Roman Arutyunyan
d3e0bf306b Mp4: fix seeks to standalone last chunk.
If seek position is within the last track chunk
and that chunk is standalone (stsc entry describes only
this chunk) such seek generates stsc seek error. The
problem is that chunk numbers start with 1, not with 0.
2014-01-29 13:44:15 +04:00
Roman Arutyunyan
88f9b411f0 Mp4: skip tracks shorter than seek position (ticket #414).
Mp4 module does not check movie and track durations when reading
file.  Instead it generates errors when track metadata is shorter
than seek position.  Now such tracks are skipped and movie duration
check is performed at file read stage.
2014-01-29 13:33:45 +04:00
Roman Arutyunyan
870733ebd6 Mp4: fix seeks after the last key frame.
Mp4 module does not allow seeks after the last key frame.  Since
stss atom only contains key frames it's usually shorter than
other track atoms.  That leads to stss seek error when seek
position is close to the end of file.  The fix outputs empty
stss frame instead of generating error.
2014-01-29 13:30:36 +04:00
Maxim Dounin
c94c24b177 Fixed TCP_DEFER_ACCEPT handling (ticket #353).
Backed out 05a56ebb084a, as it turns out that kernel can return connections
without any delay if syncookies are used.  This basically means we can't
assume anything about connections returned with deferred accept set.

To solve original problem the 05a56ebb084a tried to solve, i.e. to don't
wait longer than needed if a connection was accepted after deferred accept
timeout, this patch changes a timeout set with setsockopt(TCP_DEFER_ACCEPT)
to 1 second, unconditionally.  This is believed to be enough for speed
improvements, and doesn't imply major changes to timeouts used.

Note that before 2.6.32 connections were dropped after a timeout.  Though
it is believed that 1s is still appropriate for kernels before 2.6.32,
as previously tcp_synack_retries controlled the actual timeout and 1s results
in more than 1 minute actual timeout by default.
2014-01-28 15:40:46 +04:00
Maxim Dounin
1631393f94 SSI: fixed $date_local and $date_gmt without SSI (ticket #230).
If there is no SSI context in a given request at a given time,
the $date_local and $date_gmt variables used "%s" format, instead
of "%A, %d-%b-%Y %H:%M:%S %Z" documented as the default and used
if there is SSI module context and timefmt wasn't modified using
the "config" SSI command.

While use of these variables outside of the SSI evaluation isn't strictly
valid, previous behaviour is certainly inconsistent, hence the fix.
2014-01-28 15:40:45 +04:00
Tatsuhiko Kubo
135dc712c0 Typo fixed. 2014-01-23 22:09:59 +09:00
Maxim Dounin
1ebb44e3e3 SSL: fixed $ssl_session_id possible segfault after 97e3769637a7.
Even during execution of a request it is possible that there will be
no session available, notably in case of renegotiation.  As a result
logging of $ssl_session_id in some cases caused NULL pointer dereference
after revision 97e3769637a7 (1.5.9).  The check added returns an empty
string if there is no session available.
2014-01-23 18:32:26 +04:00
Maxim Dounin
bb40c4ed2f Version bump. 2014-01-23 18:32:25 +04:00
Maxim Dounin
c74e23ba3a Upstream: reading from a client after connection upgrade.
Read event on a client connection might have been disabled during
previous processing, and we at least need to handle events.  Calling
ngx_http_upstream_process_upgraded() is a simpliest way to do it.

Notably this change is needed for select, poll and /dev/poll event
methods.

Previous version of this patch was posted here:
http://mailman.nginx.org/pipermail/nginx/2014-January/041839.html
2014-01-22 16:05:07 +04:00
Maxim Dounin
096bcd03c3 SSL: fixed $ssl_session_id variable.
Previously, it used to contain full session serialized instead of just
a session id, making it almost impossible to use the variable in a safe
way.

Thanks to Ivan Ristić.
2014-01-22 16:05:06 +04:00
Valentin Bartenev
abcbe54219 SPDY: use ngx_queue_t to queue streams for post processing.
It simplifies the code and allows easy reuse the same queue pointer to store
streams in various queues with different requirements.  Future implementation
of SPDY/3.1 will take advantage of this quality.
2014-01-20 20:56:49 +04:00
Valentin Bartenev
3ddf9ccfce SPDY: store the length of frame instead of its whole size.
The "length" value better corresponds with the specification and reduces
confusion about whether frame's header is included in "size" or not.

Also this change simplifies some parts of code, since in more cases the
length of frame is more useful than its actual size, especially considering
that the size of frame header is constant.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
e62156d829 SPDY: use frame->next pointer to chain free frames.
There is no need in separate "free" pointer and like it is for ngx_chain_t
the "next" pointer can be used.  But after this change successfully handled
frame should not be accessed, so the frame handling cycle was improved to
store pointer to the next frame before processing.

Also worth noting that initializing "free" pointer to NULL in the original
code was surplus.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
650984cd20 SPDY: proper handling of all RST_STREAM statuses.
Previously, only stream CANCEL and INTERNAL_ERROR were handled right.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
d055f74178 SPDY: removed state to check first SETTINGS frame.
That code was based on misunderstanding of spdy specification about
configuration applicability in the SETTINGS frames.  The original
interpretation was that configuration is assigned for the whole
SPDY connection, while it is only for the endpoint.

Moreover, the strange thing is that specification forbids multiple
entries in the SETTINGS frame with the same ID even if flags are
different.  As a result, Chrome sends two SETTINGS frames: one with
its own configuration, and another one with configuration stored
for a server (when the FLAG_SETTINGS_PERSIST_VALUE flags were used
by the server).

To simplify implementation we refuse to use the persistent settings
feature and thereby avoid all the complexity related with its proper
support.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
406c0613f5 SPDY: better name for frame entries counter.
The "headers" is not a good term, since it is used not only to count
name/value pairs in the HEADERS block but to count SETTINGS entries too.

Moreover, one name/value pair in HEADERS can contain multiple http headers
with the same name.

No functional changes.
2014-01-22 04:58:19 +04:00
Valentin Bartenev
32bb39c48f SPDY: fixed possible segfault.
While processing a DATA frame, the link to related stream is stored in spdy
connection object as part of connection state.  But this stream can be closed
between receiving parts of the frame.
2014-01-22 04:58:19 +04:00
Ruslan Ermilov
8b7fe56e95 Mail: fixed passing of IPv6 client address in XCLIENT. 2014-01-17 22:06:04 +04:00
Maxim Dounin
0bfb68eea0 Core: improved ngx_reset_pool() (ticket #490).
Previously pool->current wasn't moved back to pool, resulting in blocks
not used for further allocations if pool->current was already moved at the
time of ngx_reset_pool().  Additionally, to preserve logic of moving
pool->current, the p->d.failed counters are now properly cleared.  While
here, pool->chain is also cleared.

This change is essentially a nop with current code, but generally improves
things.
2014-01-17 06:24:53 +04:00
Valentin Bartenev
1ef5553644 SPDY: send output queue after processing of read event.
During the processing of input some control frames can be added to the queue.
And if there were no writing streams at the moment, these control frames might
be left unsent for a long time (or even forever).

This long delay is especially critical for PING replies since a client can
consider connection as broken and then resend exactly the same request over
a new connection, which is not safe in case of non-idempotent HTTP methods.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
82a1ff31f9 SPDY: the SETTINGS frame should be allocated from sc->pool.
There is no reason to allocate it from connection pool that more like just
a bug especially since ngx_http_spdy_settings_frame_handler() already uses
sc->pool to free a chain.
2014-01-15 17:16:38 +04:00
Valentin Bartenev
b2b43ca50f SPDY: fixed possible uninitialized memory access.
The frame->stream pointer should always be initialized for control frames since
the check against it can be performed in ngx_http_spdy_filter_cleanup().
2014-01-15 17:16:38 +04:00
Valentin Bartenev
d143119e3c SPDY: fixed off_t/size_t type conversions on 32 bits platforms.
Parameters of ngx_http_spdy_filter_get_shadow() are changed from size_t to off_t
since the last call of the function may get size and offset from the rest of a
file buffer.  This fixes possible data loss rightfully complained by MSVC on 32
bits systems where off_t is 8 bytes long while size_t is only 4 bytes.

The other two type casts are needed just to suppress warnings about possible
data loss also complained by MSVC but false positive in these cases.
2014-01-15 13:23:31 +04:00
Valentin Bartenev
70c010167f SPDY: fixed build, broken by b7ee1bae0ffa.
False positive warning about the "cl" variable may be uninitialized in
the ngx_http_spdy_filter_get_data_frame() call was suppressed.

It is always initialized either in the "while" cycle or in the following
"if" condition since frame_size cannot be zero.
2014-01-15 01:44:52 +04:00
Valentin Bartenev
8323f317f6 SPDY: added the "spdy_chunk_size" directive. 2014-01-14 16:24:45 +04:00
Valentin Bartenev
b60700f9e9 SPDY: implemented buffers chain splitting.
It fixes "chain too big in spdy filter" alerts, and adds full support for rate
limiting of SPDY streams.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
8c01a95d98 SPDY: body filter was replaced by c->send_chain() function.
It allows to use ngx_http_write_filter() and all its rate limiting logic.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
3d5f501adc SPDY: fixed possible premature close of stream.
The "delayed" flag always should be set if there are unsent frames,
but this might not be the case if ngx_http_spdy_body_filter() was
called with NULL chain.

As a result, the "send_timeout" timer could be set on a stream in
ngx_http_writer().  And if the timeout occurred before all the stream
data has been sent, then the request was finalized with the "client
timed out" error.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
1c56e18733 SPDY: refactored ngx_http_spdy_body_filter().
A local pointer to fake connection is introduced
to slightly reduce further patches.

No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
ac8bb7a9e5 SPDY: elimination of r->blocked counter usage for queuing frames.
It was used to prevent destroying of request object when there are unsent
frames in queue for the stream.  Since it was incremented for each frame
and is only 8 bits long, so it was not very hard to overflow the counter.

Now the stream->queued counter is checked instead.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
6ddb578b22 SPDY: better name for flag that indicates incomplete frame state.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
00944562ac SPDY: better name for queued frames counter.
No functional changes.
2014-01-14 16:24:45 +04:00
Valentin Bartenev
df1d8f78ac SPDY: fixed format specifiers in logging. 2014-01-14 16:24:45 +04:00
Yichun Zhang
2e2c9dba16 Resolver: added support for domain names with a trailing dot. 2014-01-10 11:22:14 -08:00
Maxim Dounin
70b48a491a SSL: fixed ssl_verify_depth to take only one argument. 2014-01-14 15:56:40 +04:00
Dirkjan Bussink
58a240d773 SSL: ssl_session_tickets directive.
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.

If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
2014-01-10 16:12:40 +01:00
Maxim Dounin
8f702a573a Fixed "zero size buf in output" alerts.
If a request had an empty request body (with Content-Length: 0), and there
were preread data available (e.g., due to a pipelined request in the buffer),
the "zero size buf in output" alert might be logged while proxying the
request to an upstream.

Similar alerts appeared with client_body_in_file_only if a request had an
empty request body.
2014-01-04 03:32:22 +04:00
Maxim Dounin
eb60e1e26d Win32: support for UTF-16 surrogate pairs (ticket #457). 2014-01-04 03:32:15 +04:00
Maxim Dounin
def37d254a Upstream: Cache-Control preferred over Expires.
Not really a strict check (as X-Accel-Expires might be ignored or
contain invalid value), but quite simple to implement and better
than what we have now.
2014-01-04 03:32:10 +04:00
Maxim Dounin
1029607ac9 Added per-process random seeding (ticket #456). 2014-01-04 03:32:06 +04:00
Maxim Dounin
9a72030c25 Allowed up to two EBUSY errors from sendfile().
Fallback to synchronous sendfile() now only done on 3rd EBUSY without
any progress in a row.  Not falling back is believed to be better
in case of occasional EBUSY, though protection is still needed to
make sure there will be no infinite loop.
2014-01-04 03:31:58 +04:00
Ruslan Ermilov
2539ce036f Fixed setting of content type in some cases.
This fixes content type set in stub_status and autoindex responses
to be usable in content type checks made by filter modules, such
as charset and sub filters.
2013-12-27 19:40:04 +04:00
Valentin Bartenev
2b1156d101 Style: removed surplus semicolons. 2013-12-27 18:47:42 +04:00
Valentin Bartenev
aa22dc707b SPDY: a bit smarter ngx_http_spdy_filter_get_data_frame().
There is no need to pass FLAG_FIN as a separate argument since it can always be
detected from the last_buf flag of the last frame buffer.

No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
df49024997 SPDY: refactored loop in ngx_http_spdy_body_filter().
No functional changes.
2013-12-26 17:03:16 +04:00
Valentin Bartenev
75dad742e5 SPDY: fixed possible request hang.
Processing events from upstream connection can result in sending queued frames
from other streams.  In this case such streams were not added to handling queue
and properly handled.

A global per connection flag was replaced by a per stream flag that indicates
currently sending stream while all other streams can be added to handling
queue.
2013-12-26 17:03:16 +04:00
Ruslan Ermilov
9b4a99cf5d Dav: emit a warning about unsafe URI. 2013-12-23 18:12:03 +04:00
Ruslan Ermilov
f7ff5e65d0 Teach ngx_http_parse_unsafe_uri() how to unescape URIs.
This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316),
SSI (ticket #240), and DAV.
2013-12-23 18:12:00 +04:00
Ruslan Ermilov
336bcb22d1 Detect more unsafe URIs in ngx_http_parse_unsafe_uri().
The following URIs were considered safe: "..", "../foo", and "/foo/..".
2013-12-23 18:11:56 +04:00
Ruslan Ermilov
3f36c684a1 Upstream: keep $upstream_http_x_accel_redirect intact.
When processing the X-Accel-Redirect header, the value of the
$upstream_http_x_accel_redirect variable was also overwritten.
2013-12-23 18:11:46 +04:00
Ruslan Ermilov
bf800822df Fixed the first argument to getsockopt().
While here, always initialize the last argument.
2013-12-19 13:43:18 +04:00
Maxim Dounin
37b7de6df7 SSL: ssl_buffer_size directive. 2013-12-20 16:18:25 +04:00
Vladimir Homutov
c7a0b04665 Upstream: simplified peer selection loop in the "ip_hash" module.
Conditions for skipping ineligible peers are rewritten to make adding of new
conditions simpler and be in line with the "round_robin" and "least_conn"
modules.  No functional changes.
2013-12-09 13:43:27 +04:00
Ruslan Ermilov
85e6d211d0 Resolver: use minimum TTL for caching (ticket #329). 2013-12-16 19:12:23 +04:00
Valentin Bartenev
c8f3f9fa12 SPDY: use predefined constant for size of the Stream-ID field.
No functional changes.
2013-12-18 18:39:29 +04:00
Valentin Bartenev
bf3ff5bca7 Version bump. 2013-12-18 18:37:48 +04:00
Ruslan Ermilov
3fd727566a Resolver: lookups are case-insensitive. 2013-12-13 20:49:52 +04:00
Ruslan Ermilov
e0caf51711 The "ipv6=" boolean parameter of the "resolver" directive.
When set to "off", only IPv4 addresses will be resolved,
and no AAAA queries are ever sent.
2013-12-09 10:53:30 +04:00
Ruslan Ermilov
769eded732 Resolver: implemented IPv6 name to address resolving. 2013-12-09 10:53:28 +04:00
Ruslan Ermilov
809bee30b7 Resolver: implemented IPv6 address to name resolving. 2013-12-06 14:30:28 +04:00
Ruslan Ermilov
3aeefbcaea Changed resolver API to use ngx_addr_t. 2013-12-06 14:30:27 +04:00
Ruslan Ermilov
552e15ba1c Resolver: fixed indentation. 2013-12-13 19:22:44 +04:00
Ruslan Ermilov
efd0e0e177 Core: externalized ngx_cmp_sockaddr().
It's also extended with the "cmp_port" argument to indicate
whether ports should be compared as well, or only addresses.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
159486239f Resolver: fixes in PTR processing.
Verify that class of RR is "IN".
Verify that RR data length is non-zero.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
f57350cd86 Resolver: fixes in A processing.
Verify that class of RR is "IN".
Verify that RR data length is exactly four octets.
Correctly shift to the next RR if RR type is unknown.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
f3a271f3fd Resolver: fixed response processing.
Stricten response header checks: ensure that reserved bits are zeroes,
and that the opcode is "standard query".

Fixed the "zero-length domain name in DNS response" condition.
2013-12-06 14:30:27 +04:00
Ruslan Ermilov
23071835a3 Resolver: removed unnecessary casts. 2013-12-06 14:30:27 +04:00
Ruslan Ermilov
3d245d4792 Resolver: improved code readability.
Renamed ngx_resolver_query_t to ngx_resolver_hdr_t as it describes
the header that is common to DNS queries and answers.

Replaced the magic number 12 by the size of the header structure.

The other changes are self-explanatory.
2013-12-06 14:30:27 +04:00
Maxim Dounin
0c585adfd4 Trailing whitespace fix. 2013-12-12 20:28:48 +04:00
Valentin Bartenev
2576530c51 Use ngx_chain_get_free_buf() in pipe input filters.
No functional changes.
2013-12-11 21:30:38 +04:00
Valentin Bartenev
7f54528ca0 SPDY: drop the "delayed" flag when finalizing connection.
This flag in SPDY fake write events serves the same purposes as the "ready"
flag in real events, and it must be dropped if request needs to be handled.
Otherwise, it can prevent the request from finalization if ngx_http_writer()
was set, which results in a connection leak.

Found by Xiaochen Wang.
2013-12-10 20:27:33 +04:00
Ruslan Ermilov
fa512fdb76 Fixed handling of UNIX-domain sockets.
When evaluating $local_port, $server_port, and $server_addr,
UNIX-domain sockets were mistakenly interpreted as IPv4 sockets.
2013-12-09 10:16:44 +04:00
Ruslan Ermilov
675e73e3bd Core: keep the length of the local sockaddr. 2013-12-09 10:14:51 +04:00
Piotr Sikora
19f475276d Fixed incorrect ngx_str_set() usage, broken in c82b2e020b9f.
Found by Coverity Scan CID 1135525.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-12-06 16:00:49 -08:00
Maxim Dounin
67b0d16546 Fixed build without SSL, broken by c82b2e020b9f. 2013-12-04 23:13:13 +04:00
Maxim Dounin
24e1db93a8 SSL support in the uwsgi module.
Based on patch by Roberto De Ioris.
2013-12-04 23:01:27 +04:00
Mathew Rodley
84f5c2136e Added support for TCP_FASTOPEN supported in Linux >= 3.7.1.
---
 auto/unix                       | 12 ++++++++++++
 src/core/ngx_connection.c       | 32 ++++++++++++++++++++++++++++++++
 src/core/ngx_connection.h       |  4 ++++
 src/http/ngx_http.c             |  4 ++++
 src/http/ngx_http_core_module.c | 21 +++++++++++++++++++++
 src/http/ngx_http_core_module.h |  3 +++
 6 files changed, 76 insertions(+)
2013-12-03 22:07:03 +04:00
Maxim Dounin
a8a7de3f78 Fixed "setfib=" on non-first listening socket. 2013-12-03 21:44:08 +04:00
Vladimir Homutov
71b9cca835 Improved code readablity in ngx_http_upstream_init_round_robin().
Changed initialization order of the peer structure in one of the
cases to be in line with the rest.

No functional changes.
2013-12-03 17:12:16 +04:00
Ruslan Ermilov
0419933283 Fixed null pointer dereference with $upstream_cache_last_modified. 2013-12-03 15:11:24 +04:00
Maxim Dounin
bfda85b6e4 Win32: fixed init_process without master process (ticket #453).
Init process callbacks are called by ngx_worker_thread(), there is no
need to call them in ngx_single_process_cycle().
2013-11-29 17:23:47 +04:00
Maxim Dounin
3dec2b131c Upstream: skip empty cache headers.
Notably this fixes HTTP_IF_MODIFIED_SINCE which was always sent with
cache enabled in fastcgi/scgi/uwsgi after 43ccaf8e8728.
2013-11-29 17:23:38 +04:00
Maxim Dounin
067c1d2a4f SSL: fixed c->read->ready handling in ngx_ssl_recv().
If c->read->ready was reset, but later some data were read from a socket
buffer due to a call to ngx_ssl_recv(), the c->read->ready flag should
be restored if not all data were read from OpenSSL buffers (as kernel
won't notify us about the data anymore).

More details are available here:
http://mailman.nginx.org/pipermail/nginx/2013-November/041178.html
2013-11-29 17:16:06 +04:00
Maxim Dounin
6b7e88f36b Version bump. 2013-11-29 17:11:36 +04:00
Ruslan Ermilov
d47c435e9e Proper backtracking after space in a request line. 2013-11-19 06:57:58 +04:00
Maxim Dounin
1ac2693a33 Upstream: cache revalidation with conditional requests.
The following new directives are introduced: proxy_cache_revalidate,
fastcgi_cache_revalidate, scgi_cache_revalidate, uwsgi_cache_revalidate.
Default is off.  When set to on, they enable cache revalidation using
conditional requests with If-Modified-Since for expired cache items.

As of now, no attempts are made to merge headers given in a 304 response
during cache revalidation with headers previously stored in a cache item.
Headers in a 304 response are only used to calculate new validity time
of a cache item.
2013-11-18 20:48:22 +04:00
Valentin Bartenev
df2fc6a9df SPDY: fixed request hang with the auth request module.
We should just call post_handler() when subrequest wants to read body, like
it happens for HTTP since rev. f458156fd46a.  An attempt to init request body
for subrequests results in hang if the body was not already read.
2013-11-11 18:49:35 +04:00
Maxim Dounin
b0f025f4fe Win32: plugged memory leak. 2013-10-31 18:23:49 +04:00
Maxim Dounin
45075adccf Gunzip: proper error handling on gunzipping an empty response.
With previous code, an empty (malformed) response resulted in a request
finalized without sending anything to a client.
2013-10-31 04:16:20 +04:00
Maxim Dounin
eea2e1262b Gunzip: "error" logging level on inflate() errors.
Errors can easily happen due to broken upstream responses, there is no
need to log them at "alert" level.
2013-10-31 04:12:53 +04:00
Maxim Dounin
f1a9f14afe Removed extra allocation for $sent_http_last_modified.
There is no need to allocate memory for "Last-Modified: " string,
the variable only contains date itself.
2013-10-31 04:02:59 +04:00
Maxim Dounin
869b4f36e5 Auth basic: "info" logging level on no user/password.
This isn't an exceptional condition and normally happens on
first request from a client.
2013-10-31 04:02:21 +04:00
Yichun Zhang
3d3fa2adc6 Gzip, gunzip: flush pending data when incoming chain is NULL. 2013-10-28 15:01:36 -07:00
Maxim Dounin
0eee3b0bc5 Core: handling of getsockopt(TCP_DEFER_ACCEPT) failures.
Recent Linux versions started to return EOPNOTSUPP to getsockopt() calls
on unix sockets, resulting in log pollution on binary upgrade.  Such errors
are silently ignored now.
2013-10-31 04:00:37 +04:00
Piotr Sikora
475832834b Core: apply missed options to sockets added during binary upgrade.
The accept_filter and deferred options were not applied to sockets
that were added to configuration during binary upgrade cycle.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-24 14:18:37 -07:00
Xiaochen Wang
8f3dfde7f7 Upstream: optimize loops in ngx_http_upstream_init_round_robin(). 2013-10-21 18:20:32 +08:00
Maxim Dounin
a6b7cfe967 Fixed "satisfy any" if 403 is returned after 401 (ticket #285).
The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.

The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).

Patch by Jan Marc Hoffmann.
2013-10-18 18:13:49 +04:00
Maxim Dounin
6291a29992 Headers filter: empty Cache-Control is no longer added.
Much like with other headers, "add_header Cache-Control $value;" no longer
results in anything added to response headers if $value evaluates to an
empty string.
2013-10-18 18:13:44 +04:00
Maxim Dounin
0ca52adff6 Style. 2013-10-18 18:13:35 +04:00
Piotr Sikora
79be6a5462 SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.

    ssl_session_ticket_key  session_tickets/current.key;
    ssl_session_ticket_key  session_tickets/prev-1h.key;
    ssl_session_ticket_key  session_tickets/prev-2h.key;

Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-11 16:05:24 -07:00
Maxim Dounin
a8ad0c02cc SSL: SSL_CTX_set_timeout() now always called.
The timeout set is used by OpenSSL as a hint for clients in TLS Session
Tickets.  Previous code resulted in a default timeout (5m) used for TLS
Sessions Tickets if there was no session cache configured.

Prodded by Piotr Sikora.
2013-10-14 13:59:35 +04:00
Maxim Dounin
87a607a031 SSL: fixed build with OpenSSL 0.9.7.
SSL_get_rbio() and SSL_get_wbio() functions used to get non-const pointer
in OpenSSL 0.9.7, hence an explicit cast added to drop const qualifier.
2013-10-14 13:44:09 +04:00
Maxim Dounin
5a63dcc5d7 Limit req: fixed "nodelay" parsing.
Previously arguments starting with "nodelay" were considered valid,
e.g. "limit_req ... nodelayFOO;".
2013-10-02 15:07:17 +04:00
Maxim Dounin
31d023e53e Upstream: fixed "down" and "backup" parsing.
Previously arguments starting with "down" or "backup" were considered
valid, e.g. "server ... downFOO;".
2013-10-02 15:07:15 +04:00
Sergey Kandaurov
cfb2b55e8d Unused macro and variable removed.
The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9).
The variable ngx_accept_mutex_lock_file was never used.
2013-10-02 11:51:04 +04:00
Sergey Kandaurov
5bf78d05a0 Version bump. 2013-10-02 11:50:56 +04:00
Valentin Bartenev
cca2b04f51 SPDY: ignore priority when queuing blocked frames.
With this change all such frames will be added in front of the output queue, and
will be sent first.  It prevents HOL blocking when response with higher priority
is blocked by response with lower priority in the middle of the queue because
the order of their SYN_REPLY frames cannot be changed.

Proposed by Yury Kirpichev.
2013-10-01 00:14:37 +04:00
Valentin Bartenev
4f4963e87e SPDY: set empty write handler during connection finalization.
While ngx_http_spdy_write_handler() should not make any harm with current code,
calling it during finalization of SPDY connection was not intended.
2013-10-01 00:12:30 +04:00
Valentin Bartenev
92b82c80af SPDY: fixed connection leak while waiting for request headers.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for request headers, it was a no-op since the
read event handler had been set to ngx_http_empty_handler().
2013-10-01 00:04:00 +04:00
Valentin Bartenev
6ba03097db SPDY: fixed connection leak while waiting for request body.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for a request body, it was a no-op since the
read event handler ngx_http_request_handler() calls r->read_event_handler that
had been set to ngx_http_block_reading().
2013-10-01 00:00:57 +04:00
Maxim Dounin
ef8c64acbe Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
A configuration like "mail { starttls on; server {}}" triggered NULL
pointer dereference in ngx_mail_ssl_merge_conf() as conf->file was not set.
2013-09-30 22:10:13 +04:00
Maxim Dounin
aa36cc39a4 Mail: fixed overrun of allocated memory (ticket #411).
Reported by Markus Linnala.
2013-09-30 22:10:08 +04:00
Maxim Dounin
f2b5192c30 Mail: handle smtp multiline replies.
See here for details:

http://nginx.org/pipermail/nginx/2010-August/021713.html
http://nginx.org/pipermail/nginx/2010-August/021784.html
http://nginx.org/pipermail/nginx/2010-August/021785.html
2013-09-30 22:10:03 +04:00
Maxim Dounin
4f6f653f48 Mail: smtp pipelining support.
Basically, this does the following two changes (and corresponding
modifications of related code):

1. Does not reset session buffer unless it's reached it's end, and always
wait for LF to terminate command (even if we detected invalid command).

2. Record command name to make it available for handlers (since now we
can't assume that command starts from s->buffer->start).
2013-09-30 22:09:57 +04:00
Maxim Dounin
32d6035303 Mail: added session close on smtp_greeting_delay violation.
A server MUST send greeting before other replies, while before this
change in case of smtp_greeting_delay violation the 220 greeting was
sent after several 503 replies to commands received before greeting,
resulting in protocol synchronization loss.  Moreover, further commands
were accepted after the greeting.

While closing a connection isn't strictly RFC compliant (RFC 5321
requires servers to wait for a QUIT before closing a connection), it's
probably good enough for practial uses.
2013-09-30 22:09:50 +04:00
Maxim Dounin
af897b7f03 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). 2013-09-27 19:39:33 +04:00
Maxim Dounin
4b2ead8871 FastCGI: non-buffered mode support. 2013-09-27 16:50:40 +04:00
Maxim Dounin
989a71377b Upstream: subrequest_in_memory support for SCGI and uwsgi enabled.
This was missed in 9d59a8eda373 when non-buffered support was added to SCGI
and uwsgi.
2013-09-27 16:50:34 +04:00
Maxim Dounin
c4b5a1fe5e Upstream: subrequest_in_memory fix.
With previous code only part of u->buffer might be emptied in case
of special responses, resulting in partial responses seen by SSI set
in case of simple protocols, or spurious errors like "upstream sent
invalid chunked response" in case of complex ones.
2013-09-27 16:50:26 +04:00
Maxim Dounin
239c4037ce Upstream: proxy_no_cache, fastcgi_no_cache warnings removed. 2013-09-27 16:50:13 +04:00
Piotr Sikora
43736b12de Proxy: added the "proxy_ssl_ciphers" directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-23 15:58:28 -07:00
Maxim Dounin
e11584164f Added ngx_filename_cmp() with "/" sorted to the left.
This patch fixes incorrect handling of auto redirect in configurations
like:

    location /0  { }
    location /a- { }
    location /a/ { proxy_pass ... }

With previously used sorting, this resulted in the following locations
tree (as "-" is less than "/"):

        "/a-"
    "/0"    "/a/"

and a request to "/a" didn't match "/a/" with auto_redirect, as it
didn't traverse relevant tree node during lookup (it tested "/a-",
then "/0", and then falled back to null location).

To preserve locale use for non-ASCII characters on case-insensetive
systems, libc's tolower() used.
2013-09-23 19:37:13 +04:00
Maxim Dounin
d2ef70e97a Caseless location tree construction (ticket #90).
Location tree was always constructed using case-sensitive comparison, even
on case-insensitive systems.  This resulted in incorrect operation if
uppercase letters were used in location directives.  Notably, the
following config:

    location /a { ... }
    location /B { ... }

failed to properly map requests to "/B" into "location /B".
2013-09-23 19:37:06 +04:00
Piotr Sikora
f52a2c7585 SSL: stop loading configs with invalid "ssl_ciphers" values.
While there, remove unnecessary check in ngx_mail_ssl_module.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-22 22:36:11 -07:00
Markus Linnala
35e2bb0efb Core: fix misallocation at ngx_crypt_apr1 (ticket #412).
Found by using auth_basic.t from mdounin nginx-tests under valgrind.

==10470== Invalid write of size 1
==10470==    at 0x43603D: ngx_crypt_to64 (ngx_crypt.c:168)
==10470==    by 0x43648E: ngx_crypt (ngx_crypt.c:153)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==    by 0x456A91: ngx_http_process_request_line (ngx_http_request.c:964)
==10470==    by 0x457097: ngx_http_wait_request_handler (ngx_http_request.c:486)
==10470==    by 0x4411EE: ngx_epoll_process_events (ngx_epoll_module.c:691)
==10470==  Address 0x5866fab is 0 bytes after a block of size 27 alloc'd
==10470==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==10470==    by 0x43B251: ngx_alloc (ngx_alloc.c:22)
==10470==    by 0x421B0D: ngx_malloc (ngx_palloc.c:119)
==10470==    by 0x421B65: ngx_pnalloc (ngx_palloc.c:147)
==10470==    by 0x436368: ngx_crypt (ngx_crypt.c:140)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==
2013-09-20 17:57:21 +03:00
Andrei Belov
003b2cd720 Proxy: added the "proxy_ssl_protocols" directive. 2013-09-19 18:30:33 +04:00
Piotr Sikora
0a5124502d SSL: fixed possible memory and file descriptor leak on HUP signal.
The problem appeared in 386a06a22c40 (1.3.7).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-18 16:51:30 -07:00
Sergey Kandaurov
bff2b8d69f Fixed response line formatting with empty reason phrase.
As per RFC 2616 sec 6.1 the response status code is always followed by SP.
2013-09-18 18:53:26 +04:00
Sergey Kandaurov
63b1baa7f1 Version bump. 2013-09-18 18:53:24 +04:00
Piotr Sikora
29ea1273fe SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
This option had no effect since 0.9.7h / 0.9.8b and it was removed
in recent OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-16 14:24:38 -07:00
Valentin Bartenev
db1532944c Improved check for duplicate path names in ngx_add_path().
The same path names with different "data" context should not be allowed.

In particular it rejects configurations like this:

    proxy_cache_path /var/cache/ keys_zone=one:10m max_size=1g inactive=5m;
    proxy_cache_path /var/cache/ keys_zone=two:20m max_size=4m inactive=30s;
2013-09-16 18:49:23 +04:00
Valentin Bartenev
eb10d8f71e Removed surplus initializations from ngx_conf_set_path_slot().
An instance of ngx_path_t is already zeroed by ngx_pcalloc().
2013-09-16 18:49:22 +04:00
Valentin Bartenev
f0fbcaf098 Use ngx_pcalloc() in ngx_conf_merge_path_value().
It initializes the "data" pointer of ngx_path_t that will be checked after
subsequent changes.
2013-09-16 18:49:10 +04:00
Valentin Bartenev
a11050ea4e Use EPOLLRDHUP in ngx_http_test_reading() (ticket #320).
This allows to detect client connection close with pending data when
the ngx_http_test_reading() request event handler is set.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
096678ced4 Upstream: use EPOLLRDHUP to check broken connections (ticket #320).
This allows to detect client connection close with pending data on Linux
while processing upstream.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
182a05b9d5 Events: support for EPOLLRDHUP (ticket #320).
Since Linux 2.6.17, epoll is able to report about peer half-closed connection
using special EPOLLRDHUP flag on a read event.
2013-07-12 14:51:07 +04:00
Valentin Bartenev
0f0502064d Events: removed unused flags from the ngx_event_s structure.
They are not used since 708f8bb772ec (pre 0.0.1).
2013-09-05 16:53:02 +04:00
Valentin Bartenev
cf08ba72db Fixed handling of the ready flag with kqueue.
There is nothing to do more when recv() has returned 0,
so we should drop the flag.
2013-09-05 16:53:02 +04:00
Valentin Bartenev
d034e63a11 Return reason phrase for 414.
After 62be77b0608f nginx can return this code.
2013-09-03 21:07:19 +04:00
Maxim Dounin
d33225db58 Upstream: fixed $upstream_response_time format specifiers. 2013-09-04 21:30:09 +04:00
Maxim Dounin
3d1e616d0b SSL: clear error queue after SSL_CTX_load_verify_locations().
The SSL_CTX_load_verify_locations() may leave errors in the error queue
while returning success (e.g. if there are duplicate certificates in the file
specified), resulting in "ignoring stale global SSL error" alerts later
at runtime.
2013-09-04 21:17:02 +04:00
Maxim Dounin
f108b28038 Fixed incorrect response line on "return 203".
Reported by Weibin Yao,
http://mailman.nginx.org/pipermail/nginx-devel/2013-April/003607.html.
2013-09-04 21:17:01 +04:00
Maxim Dounin
4b189002af Request cleanup code unified, no functional changes.
Additionally, detaching a cleanup chain from a request is a bit more resilent
to various bugs if any.
2013-09-04 21:17:00 +04:00
Maxim Dounin
2b0dba578f Handling of ngx_int_t != intptr_t case.
Casts between pointers and integers produce warnings on size mismatch.  To
silence them, cast to (u)intptr_t should be used.  Prevoiusly, casts to
ngx_(u)int_t were used in some cases, and several ngx_int_t expressions had
no casts.

As of now it's mostly style as ngx_int_t is defined as intptr_t.
2013-09-04 21:16:59 +04:00
Maxim Dounin
5ab74625d6 Win32: $request_time fixed.
On win32, time_t is 64 bits wide by default, and passing an ngx_msec_int_t
argument for %T format specifier doesn't work.  This doesn't manifest itself
on other platforms as time_t and ngx_msec_int_t are usually of the same size.
2013-09-04 20:48:30 +04:00
Maxim Dounin
48d96ced6f Win32: MinGW GCC compatibility.
Several warnings silenced, notably (ngx_socket_t) -1 is now checked
on socket operations instead of -1, as ngx_socket_t is unsigned on win32
and gcc complains on comparison.

With this patch, it's now possible to compile nginx using mingw gcc,
with options we normally compile on win32.
2013-09-04 20:48:28 +04:00
Maxim Dounin
74b7a91013 Win32: Borland C compatibility fixes.
Several false positive warnings silenced, notably W8012 "Comparing
signed and unsigned" (due to u_short values promoted to int), and
W8072 "Suspicious pointer arithmetic" (due to large type values added
to pointers).

With this patch, it's now again possible to compile nginx using bcc32,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:23 +04:00
Maxim Dounin
5b37852323 Win32: Open Watcom C compatibility fixes.
Precompiled headers are disabled as they lead to internal compiler errors
with long configure lines.  Couple of false positive warnings silenced.
Various win32 typedefs are adjusted to work with Open Watcom C 1.9 headers.

With this patch, it's now again possible to compile nginx using owc386,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:22 +04:00
Valentin Bartenev
42910391cd Disable symlinks: removed recursive call of ngx_file_o_path_info().
It is surplus.
2013-09-02 20:06:03 +04:00
Valentin Bartenev
7b37384140 Disable symlinks: use O_PATH to open path components.
It was introduced in Linux 2.6.39, glibc 2.14 and allows to obtain
file descriptors without actually opening files.  Thus made it possible
to traverse path with openat() syscalls without the need to have read
permissions for path components.  It is effectively emulates O_SEARCH
which is missing on Linux.

O_PATH is used in combination with O_RDONLY.  The last one is ignored
if O_PATH is used, but it allows nginx to not fail when it was built on
modern system (i.e. glibc 2.14+) and run with a kernel older than 2.6.39.
Then O_PATH is unknown to the kernel and ignored, while O_RDONLY is used.

Sadly, fstat() is not working with O_PATH descriptors till Linux 3.6.
As a workaround we fallback to fstatat() with the AT_EMPTY_PATH flag
that was introduced at the same time as O_PATH.
2013-09-02 08:07:59 +04:00
Valentin Bartenev
231ed198e1 Added the NGX_EBADF define. 2013-09-02 08:07:44 +04:00
Valentin Bartenev
3d7d48e52c Assume the HTTP/1.0 version by default.
It is believed to be better than fallback to HTTP/0.9, because most of
the clients at present time support HTTP/1.0.  It allows nginx to return
error response code for them in cases when it fail to parse request line,
and therefore fail to detect client protocol version.

Even if the client does not support HTTP/1.0, this assumption should not
cause any harm, since from the HTTP/0.9 point of view it still a valid
response.
2013-09-02 03:45:14 +04:00
Maxim Dounin
9f46a9df86 Upstream: setting u->header_sent before ngx_http_upstream_upgrade().
Without u->header_sent set a special response might be generated following
an upgraded connection.  The problem appeared in 1ccdda1f37f3 (1.5.3).
Catched by "header already sent" alerts in 1.5.4 after upstream timeouts.
2013-08-30 21:44:16 +04:00
Valentin Bartenev
6d7ec5009a Referer: fixed hostname buffer overflow check.
Because of premature check the effective buffer size was 255 symbols
while the buffer is able to handle 256.
2013-08-29 22:35:54 +04:00
Sergey Kandaurov
e4209c0269 Referer: "server_names" parsing deferred to merge phase.
This allows to approach "server_name" values specified below the
"valid_referers" directive when used within the "server_names" parameter, e.g.:

    server_name  example.org;
    valid_referers server_names;
    server_name  example.com;

As a bonus, this fixes bogus error with "server_names" specified several times.
2013-08-29 22:35:27 +04:00
Sergey Kandaurov
8658c5b8a1 Referer: fixed server_name regex matching.
The server_name regexes are normally compiled for case-sensitive matching.
This violates case-insensitive obligations in the referer module.  To fix
this, the host string is converted to lower case before matching.

Previously server_name regex was executed against the whole referer string
after dropping the scheme part.  This could led to an improper matching, e.g.:

    server_name ~^localhost$;
    valid_referers server_names;

    Referer: http://localhost/index.html

It was changed to look only at the hostname part.

The server_name regexes are separated into another array to not clash with
regular regexes.
2013-08-29 22:35:26 +04:00
Sergey Kandaurov
3ef0dfa145 Referer: fixed error type usage inconsistency for ngx_http_add*(). 2013-08-29 22:35:26 +04:00
Lanshun Zhou
be23dcb1a1 Image filter: large image handling.
If Content-Length header is not set, and the image size is larger than the
buffer size, client will hang until a timeout occurs.

Now NGX_HTTP_UNSUPPORTED_MEDIA_TYPE is returned immediately.

diff -r d1403de41631 -r 4fae04f332b4
src/http/modules/ngx_http_image_filter_module.c
2013-08-28 00:19:07 +08:00
Maxim Dounin
51f7761710 Typo fixed. 2013-08-28 02:34:30 +04:00
Maxim Dounin
e96092130c Version bump. 2013-08-28 02:34:21 +04:00
Maxim Dounin
d2d8b82b87 Cache: lock timeouts are now logged at info level. 2013-08-23 22:18:54 +04:00
Maxim Dounin
73ec75a974 Upstream: posted requests handling after ssl handshake errors.
Missing call to ngx_http_run_posted_request() resulted in a main request hang
if subrequest's ssl handshake with an upstream server failed for some reason.

Reported by Aviram Cohen.
2013-08-23 22:18:46 +04:00
Maxim Dounin
0f49681f28 Fixed try_files with empty argument (ticket #390). 2013-08-23 22:18:39 +04:00
Sergey Kandaurov
0fea0bf3f7 Added safety belt for the case of sending header twice.
The aforementioned situation is abnormal per se and as such it now forces
request termination with appropriate error message.
2013-07-30 15:04:46 +04:00
Sergey Kandaurov
2b2def7891 Autoindex: improved ngx_de_info() error handling.
This allows to build a directory listing whenever a loop exists in symbolic
link resolution of the path argument.
2013-07-30 11:43:21 +04:00