Commit Graph

5048 Commits

Author SHA1 Message Date
Vladimir Homutov
64223df670 Stream: $upstream_bytes_sent and $upstream_bytes_received. 2016-09-02 18:27:08 +03:00
Vladimir Homutov
c6d456da87 Stream: the $upstream_addr variable.
Keeps the full address of the upstream server.  If several servers were
contacted during proxying, their addresses are separated by commas,
e.g. "192.168.1.1:80, 192.168.1.2:80".
2016-09-02 18:27:05 +03:00
Roman Arutyunyan
be6024f9b7 Stream: the $status variable.
The stream session status is one of the following:

200 - normal completion
403 - access forbidden
500 - internal server error
502 - bad gateway
503 - limit conn
2016-08-11 20:22:23 +03:00
Maxim Dounin
ea9a1d745b Event pipe: do not set file's thread_handler if not needed.
This fixes a problem with aio threads and sendfile with aio_write switched
off, as observed with range requests after fc72784b1f52 (1.9.13).  Potential
problems with sendfile in threads were previously described in 9fd738b85fad,
and this seems to be one of them.

The problem occurred as file's thread_handler was set to NULL by event pipe
code after a sendfile thread task was scheduled.  As a result, no sendfile
completion code was executed, and the same buffer was additionally sent
using non-threaded sendfile.  Fix is to avoid modifying file's thread_handler
if aio_write is switched off.

Note that with "aio_write on" it is still possible that sendfile will use
thread_handler as set by event pipe.  This is believed to be safe though,
as handlers used are compatible.
2016-09-01 20:05:23 +03:00
Maxim Dounin
4e8a73adaa Event pipe: process data after recv_chain() errors.
When c->recv_chain() returns an error, it is possible that we already
have some data previously read, e.g., in preread buffer.  And in some
cases it may be even a complete response.  Changed c->recv_chain() error
handling to process the data, much like it is already done if kevent
reports about an error.

This change, in particular, fixes processing of small responses
when an upstream fails to properly close a connection with lingering and
therefore the connection is reset, but the response is already fully
obtained by nginx (see ticket #1037).
2016-09-01 18:29:55 +03:00
Roman Arutyunyan
c6ba4aae38 Realip: fixed uninitialized memory access.
Previously, the realip module could be left with uninitialized context after an
error in the ngx_http_realip_set_addr() function.  That context could be later
accessed by $realip_remote_addr and $realip_remote_port variable handlers.
2016-09-01 14:33:51 +03:00
Vladimir Homutov
048ee94130 Stream: the $protocol variable.
The variable keeps protocol used by the client, "TCP" or "UDP".
2016-08-26 15:33:07 +03:00
Vladimir Homutov
f04b65358e Stream: the $session_time variable.
The variable keeps time spent on processing the stream session.
2016-08-26 15:33:04 +03:00
Vladimir Homutov
1258126f0c Stream: the $bytes_received variable.
The variable keeps the number of bytes received from the client.
2016-08-26 15:33:02 +03:00
Piotr Sikora
14b1b6e10a Thread pools: create threads in detached state.
This prevents theoretical resource leak, since those threads are never joined.

Found with ThreadSanitizer.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-08-15 05:52:04 -07:00
Sergey Kandaurov
78031177f4 Geo: fixed indentation. 2016-08-25 12:59:39 +03:00
Ruslan Ermilov
9208875db1 Geo: fixed warnings when removing nonexistent ranges.
geo $geo {
    ranges;

    10.0.0.0-10.0.0.255 test;

    delete 10.0.1.0-10.0.1.255;     # should warn

    delete 10.0.0.0-10.0.0.255;
    delete 10.0.0.0-10.0.0.255;     # should warn
}
2016-08-23 15:59:42 +03:00
Ruslan Ermilov
20de5f14e5 Geo: fixed insertion of ranges specified in descending order. 2016-08-23 15:59:14 +03:00
Ruslan Ermilov
f927ab882a Geo: fixed removing a range in certain cases.
If the range includes two or more /16 networks and does
not start at the /16 boundary, the last subrange was not
removed (see 91cff7f97a50 for details).
2016-08-23 15:59:06 +03:00
Ruslan Ermilov
36e1c887db Geo: fixed overflow when iterating over ranges. 2016-08-23 15:57:29 +03:00
Sergey Kandaurov
218c8d493f SSL: adopted session ticket handling for OpenSSL 1.1.0.
Return 1 in the SSL_CTX_set_tlsext_ticket_key_cb() callback function
to indicate that a new session ticket is created, as per documentation.
Until 1.1.0, OpenSSL didn't make a distinction between non-negative
return values.

See https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5c753de for details.
2016-08-22 18:53:21 +03:00
Piotr Sikora
c7c5c43c04 SSL: remove no longer needed workaround for BoringSSL.
BoringSSL added a no-op stub for OPENSSL_config() on 2016-01-26.

Requested by David Benjamin.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-08-18 14:49:48 -07:00
Ruslan Ermilov
d4f7011688 Events: fixed setting of IP_BIND_ADDRESS_NO_PORT/SO_REUSEADDR.
The IP_BIND_ADDRESS_NO_PORT option is set on upstream sockets
if proxy_bind does not specify a port.  The SO_REUSEADDR option
is set on UDP upstream sockets if proxy_bind specifies a port.

Due to checking of the wrong port, IP_BIND_ADDRESS_NO_PORT was
never set, and SO_REUSEPORT was always set.
2016-08-22 11:40:10 +03:00
Roman Arutyunyan
dabbf30377 Ensure "listen" exists in a mail or stream server (ticket #1049). 2016-08-17 11:26:51 +03:00
Roman Arutyunyan
eecc68ce17 Fixed wrong type of the "line" field.
The new type ngx_uint_t was supposed when formatting the line number.
2016-08-18 17:13:07 +03:00
Valentin Bartenev
535550b406 Geo: fixed access to already freed memory.
Previously, in "ranges" mode when all added ranges were deleted,
the ctx.high.low[i] was left pointing to a temporary array.
2016-08-18 17:11:03 +03:00
Vladimir Homutov
50ba1a2cde Upstream: the $upstream_bytes_received variable.
Unlike $upstream_response_length that only counts the body size,
the new variable also counts the size of response header and data
received after switching protocols when proxying WebSockets.
2016-08-10 16:46:39 +03:00
Ruslan Ermilov
47e72bf7e0 Simplified extraction of current time. 2016-08-08 17:11:29 +03:00
Sergey Kandaurov
af9e72533a SSL: guarded SSL_R_NO_CIPHERS_PASSED not present in OpenSSL 1.1.0.
It was removed in OpenSSL 1.1.0 Beta 3 (pre-release 6).  It was
not used since OpenSSL 1.0.1n and 1.0.2b.
2016-08-08 13:44:49 +03:00
Ruslan Ermilov
42f6e1f78e Always seed PRNG with PID, seconds, and milliseconds. 2016-08-04 23:43:10 +03:00
Ruslan Ermilov
31389e4921 Fixed undefined behavior when left shifting signed integer. 2016-08-04 23:42:00 +03:00
Ruslan Ermilov
e62a16e8f6 Win32: added per-thread random seeding.
The change in b91bcba29351 was not enough to fix random() seeding.
On Windows, the srand() seeds the PRNG only in the current thread,
and worse, is not inherited from the calling thread.  Due to this,
worker threads were not properly seeded.

Reported by Marc Bevand.
2016-08-04 01:15:41 +03:00
Vladimir Homutov
38ca99cf98 Stream: fixed build without stream_ssl_module (ticket #1032). 2016-07-26 19:34:12 +03:00
Vladimir Homutov
386e3e80bb Version bump. 2016-07-26 19:07:18 +03:00
Vladimir Homutov
161fcf4bdd Fixed regex captures handling without PCRE.
If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.

Found with AddressSanitizer.
2016-07-06 14:33:40 +03:00
Vladimir Homutov
74305af672 Stream: variables in proxy_pass and proxy_ssl_name. 2016-06-14 18:29:46 +03:00
Valentin Bartenev
a85edfeef6 HTTP/2: flushing of the SSL buffer in transition to the idle state.
It fixes potential connection leak if some unsent data was left in the SSL
buffer.  Particularly, that could happen when a client canceled the stream
after the HEADERS frame has already been created.  In this case no other
frames might be produced and the HEADERS frame alone didn't flush the buffer.
2016-07-19 20:34:17 +03:00
Valentin Bartenev
3c81c08cea HTTP/2: refactored ngx_http_v2_send_output_queue().
Now it returns NGX_AGAIN if there's still data to be sent.
2016-07-19 20:34:02 +03:00
Valentin Bartenev
3b2f54bc2e HTTP/2: fixed send timer handling.
Checking for return value of c->send_chain() isn't sufficient since there
are data can be left in the SSL buffer.  Now the wew->ready flag is used
instead.

In particular, this fixed a connection leak in cases when all streams were
closed, but there's still some data to be sent in the SSL buffer and the
client forgot about the connection.
2016-07-19 20:31:09 +03:00
Valentin Bartenev
ce6eb33d15 HTTP/2: avoid sending output queue if there's nothing to send.
Particularly this fixes alerts on OS X and NetBSD systems when HTTP/2 is
configured over plain TCP sockets.

On these systems calling writev() with no data leads to EINVAL errors
being logged as "writev() failed (22: Invalid argument) while processing
HTTP/2 connection".
2016-07-19 20:30:21 +03:00
Valentin Bartenev
da852aa468 HTTP/2: always handle streams in error state.
Previously, a stream could be closed by timeout if it was canceled
while its send window was exhausted.
2016-07-19 20:22:44 +03:00
Valentin Bartenev
19de85a4d7 HTTP/2: prevented output of the HEADERS frame for canceled streams.
It's useless to generate HEADERS if the stream has been canceled already.
2016-07-19 20:22:44 +03:00
Valentin Bartenev
ab5401d204 HTTP/2: always send GOAWAY while worker is shutting down.
Previously, if the worker process exited, GOAWAY was sent to connections in
idle state, but connections with active streams were closed without GOAWAY.
2016-07-19 20:22:44 +03:00
Valentin Bartenev
5c2dd3913a Events: support for EPOLLEXCLUSIVE.
This flag appeared in Linux 4.5 and is useful for avoiding thundering herd
problem.

The current Linux kernel implementation walks the list of exclusive waiters,
and queues an event to each epfd, until it finds the first waiter that has
threads blocked on it via epoll_wait().
2016-07-15 15:18:57 +03:00
Valentin Bartenev
b60534e0d8 Style: sorted epoll flags. 2016-07-15 15:18:57 +03:00
Valentin Bartenev
46dd747c9e Events: the "accept_mutex" directive is turned off by default.
Now it is believed that the accept mutex brings more harm than benefits.
Especially in various benchmarks it often results in situation where only
one worker grabs all connections.
2016-07-15 15:18:57 +03:00
Vladimir Homutov
6c2b086d0e Stream: split_clients module. 2016-07-12 17:34:52 +03:00
Vladimir Homutov
bb790f5d30 Stream: geo module. 2016-06-30 16:12:50 +03:00
Vladimir Homutov
4cf0e28483 Stream: geoip module. 2016-07-12 17:34:43 +03:00
Vladimir Homutov
e1308338a9 Stream: style. 2016-07-12 17:34:40 +03:00
Sergey Kandaurov
586ef968f9 HTTP/2: avoid left-shifting signed integer into the sign bit.
On non-aligned platforms, properly cast argument before left-shifting it in
ngx_http_v2_parse_uint32 that is used with u_char.  Otherwise it propagates
to int to hold the value and can step over the sign bit.  Usually, on known
compilers, this results in negation.  Furthermore, a subsequent store into a
wider type, that is ngx_uint_t on 64-bit platforms, results in sign-extension.

In practice, this can be observed in debug log as a very large exclusive bit
value, when client sent PRIORITY frame with exclusive bit set:

: *14 http2 PRIORITY frame sid:5 on 1 excl:8589934591 weight:17

Found with UndefinedBehaviorSanitizer.
2016-07-07 21:03:21 +03:00
Sergey Kandaurov
6299f5e914 Avoid left-shifting integers into the sign bit, which is undefined.
Found with UndefinedBehaviorSanitizer.
2016-07-07 21:02:28 +03:00
Vladimir Homutov
dea1e999b8 Stream: resolver. 2016-07-07 13:15:31 +03:00
Ruslan Ermilov
6810b9f148 Use NGX_MAX_PATH_LEVEL where appropriate.
The macro was unused since 0.7.44.
2016-07-06 13:22:29 +03:00
Ruslan Ermilov
5c4ca2ac80 Version bump. 2016-07-06 13:10:06 +03:00
Roman Arutyunyan
a7c6f8c1d7 Stream: return module. 2016-05-18 22:08:49 +03:00
Vladimir Homutov
9721eae1f1 Stream: SSL-related variables. 2016-06-29 12:52:52 +03:00
Vladimir Homutov
cb635b7879 Stream: got rid of pseudo variables.
Stream limit_conn, upstream_hash and proxy modules now use complex values.
2016-06-29 12:46:12 +03:00
Vladimir Homutov
05db6ddfa1 Stream: map module. 2016-06-29 12:46:12 +03:00
Vladimir Homutov
d531cebb79 Stream: core module variables. 2016-06-14 18:28:14 +03:00
Vladimir Homutov
c31773ea60 Stream: variables and script.
This is a port of corresponding http code with unrelated features excluded.
2016-07-04 16:37:36 +03:00
Vladimir Homutov
db5a15d2f9 Stream: added preconfiguration step. 2016-06-15 15:10:24 +03:00
Roman Arutyunyan
c9dae918fd Sub filter: eliminate unnecessary buffering.
Previously, when a buffer was processed by the sub filter, its final bytes
could be buffered by the filter even if they don't match any pattern.
This happened because the Boyer-Moore algorithm, employed by the sub filter
since b9447fc457b4 (1.9.4), matches the last characters of patterns prior to
checking other characters.  If the last character is out of scope, initial
bytes of a potential match are buffered until the last character is available.

Now, after receiving a flush or recycled buffer, the filter performs
additional checks to reduce the number of buffered bytes.  The potential match
is checked against the initial parts of all patterns.  Non-matching bytes are
not buffered.  This improves processing of a chunked response from upstream
by sending the entire chunks without buffering unless a partial match is found
at the end of a chunk.
2016-07-02 15:59:53 +03:00
Roman Arutyunyan
ec70155755 Sub filter: introduced the ngx_http_sub_match() function.
No functional changes.
2016-07-02 15:59:52 +03:00
Maxim Dounin
c60b61a290 Internal md5 and sha1 implementations are now always used.
This reduces the number of moving parts in ABI compatibility checks.
Additionally, it also allows to use OpenSSL in FIPS mode while still
using md5 for non-security tasks.
2016-06-30 18:57:39 +03:00
Ruslan Ermilov
fb6c764921 Removed unused flag accept_context_updated from ngx_event_t.
Also, removed practically unused flag accept_context_updated from
ngx_connection_t.
2016-06-29 14:30:00 +03:00
Roman Arutyunyan
dcf3d20874 Style. 2016-06-27 18:42:29 +03:00
Piotr Sikora
e0b0fa6bf5 HTTP/2: style.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-06-22 13:47:54 -07:00
Roman Arutyunyan
a6048c0e1e Style. 2016-06-22 11:50:02 +03:00
Roman Arutyunyan
82c5230fd1 Stream: use ngx_pcalloc() in ngx_stream_proxy_bind(). 2016-06-22 11:50:02 +03:00
Roman Arutyunyan
9810fd06cb Fixed build on MSVC. 2016-06-20 15:11:50 +03:00
Roman Arutyunyan
4c03c80e12 Stream: set SO_REUSEADDR for UDP upstream sockets.
The option is only set if the socket is bound to a specific port to allow
several such sockets coexist at the same time.  This is required, for example,
when nginx acts as a transparent proxy and receives two datagrams from the same
client in a short time.

The feature is only implemented for Linux.
2016-06-20 12:48:47 +03:00
Roman Arutyunyan
05879309c1 Stream: support for $remote_port in proxy_bind.
The following two types of bind addresses are supported in addition to
$remote_addr and address literals:

- $remote_addr:$remote_port
- [$remote_addr]:$remote_port

In both cases client remote address with port is used in upstream socket bind.
2016-06-20 11:50:44 +03:00
Roman Arutyunyan
8cad1c015f Upstream: support for port in proxy_bind and friends. 2016-06-20 11:50:43 +03:00
Roman Arutyunyan
5b201ac31f Introduced ngx_inet_get_port() and ngx_inet_set_port() functions. 2016-06-20 11:50:39 +03:00
Andrei Belov
72d4e5d793 Set IP_BIND_ADDRESS_NO_PORT socket option for upstream sockets. 2016-06-20 10:41:17 +03:00
Tim Taubert
4f578bfcab SSL: ngx_ssl_ciphers() to set list of ciphers.
This patch moves various OpenSSL-specific function calls into the
OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more
crypto-library-agnostic.
2016-06-15 21:05:30 +01:00
Valentin Bartenev
6e38998bac HTTP/2: fixed the "http request count is zero" alert.
When the stream is terminated the HEADERS frame can still wait in the output
queue.  This frame can't be removed and must be sent to the client anyway,
since HTTP/2 uses stateful compression for headers.  So in order to postpone
closing and freeing memory of such stream the special close stream handler
is set to the write event.  After the HEADERS frame is sent the write event
is called and the stream will be finally closed.

Some events like receiving a RST_STREAM can trigger the read handler of such
stream in closing state and cause unexpected processing that can result in
another attempt to finalize the request.  To prevent it the read handler is
now set to ngx_http_empty_handler.

Thanks to Amazon.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
bf5f915a01 HTTP/2: avoid adding Content-Length for requests without body.
There is no reason to add the "Content-Length: 0" header to a proxied request
without body if the header isn't presented in the original request.

Thanks to Amazon.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
cd2085be0c HTTP/2: prevented double termination of a stream.
According to RFC 7540, an endpoint should not send more than one RST_STREAM
frame for any stream.

Also, now all the data frames will be skipped while termination.
2016-06-16 20:55:11 +03:00
Valentin Bartenev
24d9b98900 HTTP/2: fixed a segfault while processing unbuffered upload.
The ngx_http_v2_finalize_connection() closes current stream, but that is an
invalid operation while processing unbuffered upload.  This results in access
to already freed memory, since the upstream module sets a cleanup handler that
also finalizes the request.
2016-06-16 20:55:11 +03:00
Maxim Dounin
ab8504b937 An internal SHA1 implementation. 2016-06-09 16:55:38 +03:00
Otto Kekäläinen
cb963abf03 Fixed spelling. 2016-06-08 08:27:41 +03:00
Valentin Bartenev
46336296e4 Fixed an error log message. 2016-06-07 17:44:20 +03:00
Sergey Kandaurov
ba212375a7 Version bump. 2016-06-07 12:26:34 +03:00
Maxim Dounin
a3d382397a Core: skip special buffers on writing (ticket #981).
A special last buffer with cl->buf->pos set to NULL can be present in
a chain when writing request body if chunked encoding was used.  This
resulted in a NULL pointer dereference if it happened to be the only
buffer left after a do...while loop iteration in ngx_write_chain_to_file().

The problem originally appeared in nginx 1.3.9 with chunked encoding
support.  Additionally, rev. 3832b608dc8d (nginx 1.9.13) changed the
minimum number of buffers to trigger this from IOV_MAX (typically 1024)
to NGX_IOVS_PREALLOCATE (typically 64).

Fix is to skip such buffers in ngx_chain_to_iovec(), much like it is
done in other places.
2016-05-31 05:13:30 +03:00
Valentin Bartenev
b6e423b7c0 HTTP/2: unbreak build on MSVC. 2016-05-24 21:54:32 +03:00
Valentin Bartenev
99d2ede934 Version bump. 2016-05-24 21:54:32 +03:00
Maxim Dounin
1a1470b865 Fixed build on MSVC. 2016-05-24 17:43:58 +03:00
Valentin Bartenev
5429140c01 HTTP/2: implemented preread buffer for request body (closes #959).
Previously, the stream's window was kept zero in order to prevent a client
from sending the request body before it was requested (see 887cca40ba6a for
details).  Until such initial window was acknowledged all requests with
data were rejected (see 0aa07850922f for details).

That approach revealed a number of problems:

 1. Some clients (notably MS IE/Edge, Safari, iOS applications) show an error
    or even crash if a stream is rejected;

 2. This requires at least one RTT for every request with body before the
    client receives window update and able to send data.

To overcome these problems the new directive "http2_body_preread_size" is
introduced.  It sets the initial window and configures a special per stream
preread buffer that is used to save all incoming data before the body is
requested and processed.

If the directive's value is lower than the default initial window (65535),
as previously, all streams with data will be rejected until the new window
is acknowledged.  Otherwise, no special processing is used and all requests
with data are welcome right from the connection start.

The default value is chosen to be 64k, which is bigger than the default
initial window.  Setting it to zero is fully complaint to the previous
behavior.
2016-05-24 17:37:52 +03:00
Ruslan Ermilov
adfd0b065c Realip: detect duplicate real_ip_header directive. 2016-05-23 19:17:24 +03:00
Dmitry Volyntsev
06176bce91 Realip: port support in X-Real-IP and X-Forwarded-For.
Now, the module extracts optional port which may accompany an
IP address.  This custom extension is introduced, among other
things, in order to facilitate logging of original client ports.
Addresses with ports are expected to be in the RFC 3986 format,
that is, with IPv6 addresses in square brackets.  E.g.,
"X-Real-IP: [2001:0db8::1]:12345" sets client port ($remote_port)
to 12345.
2016-05-23 18:44:23 +03:00
Dmitry Volyntsev
19140c8c4f Realip: take client port from PROXY protocol header.
Previously, when the client address was changed to the one from
the PROXY protocol header, the client port ($remote_port) was
reset to zero.  Now the client port is also changed to the one
from the PROXY protocol header.
2016-05-23 18:44:22 +03:00
Dmitry Volyntsev
97495b662f Added the $realip_remote_port variable. 2016-05-23 18:44:22 +03:00
Dmitry Volyntsev
f56cf3ddc7 Added the $proxy_protocol_port variable. 2016-05-23 18:44:21 +03:00
Maxim Dounin
5b267a55bc Renamed "u" to "sockaddr" in listen options types. 2016-05-23 16:37:28 +03:00
Ruslan Ermilov
fd064d3b88 Introduced the ngx_sockaddr_t type.
It's properly aligned and can hold any supported sockaddr.
2016-05-23 16:37:20 +03:00
Ruslan Ermilov
d650688ba5 Stream: fixed duplicate listen address detection.
The 6f8254ae61b8 change inadvertently fixed the duplicate port
detection similar to how it was fixed for mail in b2920b517490.
It also revealed another issue: the socket type (tcp vs. udp)
wasn't taken into account.
2016-05-23 12:50:59 +03:00
Ruslan Ermilov
48a16463fa Use ngx_cmp_sockaddr() where appropriate. 2016-05-20 19:10:42 +03:00
Valentin Bartenev
f7673bb50f HTTP/2: the "421 Misdirected Request" response (closes #848).
Since 4fbef397c753 nginx rejects with the 400 error any attempts of
requesting different host over the same connection, if the relevant
virtual server requires verification of a client certificate.

While requesting hosts other than negotiated isn't something legal
in HTTP/1.x, the HTTP/2 specification explicitly permits such requests
for connection reuse and has introduced a special response code 421.

According to RFC 7540 Section 9.1.2 this code can be sent by a server
that is not configured to produce responses for the combination of
scheme and authority that are included in the request URI.  And the
client may retry the request over a different connection.

Now this code is used for requests that aren't authorized in current
connection.  After receiving the 421 response a client will be able
to open a new connection, provide the required certificate and retry
the request.

Unfortunately, not all clients currently are able to handle it well.
Notably Chrome just shows an error, while at least the latest version
of Firefox retries the request over a new connection.
2016-05-20 18:41:17 +03:00
Ruslan Ermilov
61fbcd1cad Belatedly changed the ngx_create_listening() prototype.
The function is called only with "struct sockaddr *" since 0.7.58.
2016-05-20 17:02:04 +03:00
Maxim Dounin
61ec58a9be SSL: removed default DH parameters.
Using the same DH parameters on multiple servers is believed to be subject
to precomputation attacks, see http://weakdh.org/.  Additionally, 1024 bits
are not enough in the modern world as well.  Let users provide their own
DH parameters with the ssl_dhparam directive if they want to use EDH ciphers.

Note that SSL_CTX_set_dh_auto() as provided by OpenSSL 1.1.0 uses fixed
DH parameters from RFC 5114 and RFC 3526, and therefore subject to the same
precomputation attacks.  We avoid using it as well.

This change also fixes compilation with OpenSSL 1.1.0-pre5 (aka Beta 2),
as OpenSSL developers changed their policy after releasing Beta 1 and
broke API once again by making the DH struct opaque (see ticket #860).
2016-05-19 14:46:32 +03:00
Maxim Dounin
3b7dca4bb5 SSL: support for multiple curves (ticket #885).
OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported.  This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.

The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used".  For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used.  The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).

As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.
2016-05-19 14:46:32 +03:00
Maxim Dounin
690423e3b2 SSL: style. 2016-05-19 14:46:32 +03:00
Maxim Dounin
cfd17ca9ed SSL: error messages style. 2016-05-19 14:46:32 +03:00
Maxim Dounin
cf126b98b3 SSL: support for multiple certificates (ticket #814). 2016-05-19 14:46:32 +03:00
Maxim Dounin
798999b63d SSL: support for per-certificate chains.
The SSL_CTX_add0_chain_cert() function as introduced in OpenSSL 1.0.2 now
used instead of SSL_CTX_add_extra_chain_cert().

SSL_CTX_add_extra_chain_cert() adds extra certs for all certificates
in the context, while SSL_CTX_add0_chain_cert() only to a particular
certificate.  There is no difference unless multiple certificates are used,
though it is important when using multiple certificates.

Additionally, SSL_CTX_select_current_cert() is now called before using
a chain to make sure correct chain will be returned.
2016-05-19 14:46:32 +03:00
Maxim Dounin
e844475905 SSL: made it possible to iterate though all certificates.
A pointer to a previously configured certificate now stored in a certificate.
This makes it possible to iterate though all certificates configured in
the SSL context.  This is now used to configure OCSP stapling for all
certificates, and in ngx_ssl_session_id_context().

As SSL_CTX_use_certificate() frees previously loaded certificate of the same
type, and we have no way to find out if it's the case, X509_free() calls
are now posponed till ngx_ssl_cleanup_ctx().

Note that in OpenSSL 1.0.2+ this can be done without storing things in exdata
using the SSL_CTX_set_current_cert() and SSL_CTX_get0_certificate() functions.
These are not yet available in all supported versions though, so it's easier
to continue to use exdata for now.
2016-05-19 14:46:32 +03:00
Maxim Dounin
503b3569b9 OCSP stapling: additional function to configure stapling on a cert. 2016-05-19 14:46:32 +03:00
Maxim Dounin
40e075c325 OCSP stapling: staple now extracted via SSL_get_certificate().
This makes it possible to properly return OCSP staple with multiple
certificates configured.

Note that it only works properly in OpenSSL 1.0.1d+, 1.0.0k, 0.9.8y+.
In older versions SSL_get_certificate() fails to return correct certificate
when the certificate status callback is called.
2016-05-19 14:46:32 +03:00
Maxim Dounin
b4276f2447 OCSP stapling: staple now stored in certificate, not SSL context. 2016-05-19 14:46:32 +03:00
Maxim Dounin
825289ff60 OCSP stapling: staple provided in arguments. 2016-05-19 14:46:32 +03:00
Maxim Dounin
e647c47f2a Added overflow checks for version numbers (ticket #762).
Both minor and major versions are now limited to 999 maximum.  In case of
r->http_minor, this limit is already implied by the code.  Major version,
r->http_major, in theory can be up to 65535 with current code, but such
values are very unlikely to become real (and, additionally, such values
are not allowed by RFC 7230), so the same test was used for r->http_major.
2016-05-18 16:21:32 +03:00
Maxim Dounin
ce9ff81b32 Events: close descriptors on errors in ngx_epoll_test_rdhup(). 2016-05-18 15:57:30 +03:00
Maxim Dounin
e7c914321b Events: changed ngx_epoll_test_rdhup() to use existing epollfd. 2016-05-18 15:57:29 +03:00
Maxim Dounin
b115a46ee6 Fixed work with --test-build-epoll after f7849bfb6d21. 2016-05-18 15:57:28 +03:00
Maxim Dounin
bf838dc9df Cache: fixed updating bypassed cached errors (ticket #827). 2016-05-16 20:37:38 +03:00
Maxim Dounin
099d74cf3d Dav: return 501 on PUT with ranges (ticket #948). 2016-05-16 20:37:23 +03:00
Valentin Bartenev
7850609cf9 Fixed an error log message about epoll_wait() timeout.
The errno value is unset in case of epoll_wait() timeout.
2016-05-16 16:22:34 +03:00
Valentin Bartenev
12f4367189 Improved EPOLLRDHUP handling.
When it's known that the kernel supports EPOLLRDHUP, there is no need in
additional recv() call to get EOF or error when the flag is absent in the
event generated by the kernel.  A special runtime test is done at startup
to detect if EPOLLRDHUP is actually supported by the kernel because
epoll_ctl() silently ignores unknown flags.

With this knowledge it's now possible to drop the "ready" flag for partial
read.  Previously, the "ready" flag was kept until the recv() returned EOF
or error.  In particular, this change allows the lingering close heuristics
(which relies on the "ready" flag state) to actually work on Linux, and not
wait for more data in most cases.

The "available" flag is now used in the read event with the semantics similar
to the corresponding counter in kqueue.
2016-05-13 17:19:23 +03:00
Dmitry Volyntsev
cbf6ca98bc Map: support of complex values in resulting strings. 2016-05-12 16:43:19 +03:00
Ruslan Ermilov
41d512c069 Removed a surplus condition from ngx_parse_inet6_url().
No functional changes, since the condition was always true.
2016-05-11 17:55:30 +03:00
Valentin Bartenev
66be8c6608 Core: fixed port handling in ngx_parse_inet6_url().
This fixes buffer over-read when no port is specified in cases
similar to 5df5d7d771f6, and catches missing port separator.
2016-05-11 17:55:20 +03:00
Ruslan Ermilov
2a83e5fa6d Removed unused flag unexpected_eof from ngx_connection_t. 2016-04-28 16:30:19 +03:00
Vladimir Homutov
f315b7a924 Variable $request_id.
The variable contains text representation based on random data, usable as
a unique request identifier.
2016-04-26 19:31:46 +03:00
Roman Arutyunyan
be79f5cb16 Upstream: the "transparent" parameter of proxy_bind and friends.
This parameter lets binding the proxy connection to a non-local address.
Upstream will see the connection as coming from that address.
When used with $remote_addr, upstream will accept the connection from real
client address.

Example:

    proxy_bind $remote_addr transparent;
2015-12-18 19:05:27 +03:00
Roman Arutyunyan
77ec993fd7 Stream: prepared proxy_bind to accept parameters. 2016-04-13 15:42:47 +03:00
Roman Arutyunyan
f10bc5a763 Upstream: prepared proxy_bind to accept parameters.
In addition, errors occurred while setting bind address are no longer ignored.
2016-04-13 15:42:46 +03:00
Ruslan Ermilov
438b58f91f Removed some bitrot.
Removed NGX_CONF_MULTI unused since 1.3.4.
Removed ngx_url_t.one_addr unused since 1.3.10.
2016-04-26 18:26:43 +03:00
Ruslan Ermilov
9aca6d4d57 Version bump. 2016-04-26 18:26:18 +03:00
Valentin Bartenev
22285687c9 HTTP/2: send the output queue after emitting WINDOW_UPDATE.
The WINDOW_UPDATE frame could be left in the output queue for an indefinite
period of time resulting in the request timeout.

This might happen if reading of the body was triggered by an event unrelated
to client connection, e.g. by the limit_req timer.
2016-04-19 17:38:49 +03:00
Valentin Bartenev
7458f66675 HTTP/2: skip data frames in case of internal errors.
This prevents possible processing of such frames and triggering
rb->post_handler if an error occurred during r->request_body
initialization.
2016-04-19 17:38:49 +03:00
Valentin Bartenev
f4df08b19d HTTP/2: don't send WINDOW_UPDATE for an empty request body.
Particularly this prevents sending WINDOW_UPDATE with zero delta
which can result in PROTOCOL_ERROR.

Also removed surplus setting of no_flow_control to 0.
2016-04-19 17:38:49 +03:00
Maxim Dounin
eeb72127cf Thread pools: memory barriers in task completion notifications.
The ngx_thread_pool_done object isn't volatile, and at least some
compilers assume that it is permitted to reorder modifications of
volatile and non-volatile objects.  Added appropriate ngx_memory_barrier()
calls to make sure all modifications will happen before the lock is released.

Reported by Mindaugas Rasiukevicius,
http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008160.html.
2016-04-19 17:18:28 +03:00
Maxim Dounin
eb38cbda2f HTTP/2: write logs when refusing streams with data.
Refusing streams is known to be incorrectly handled at least by IE, Edge
and Safari.  Make sure to provide appropriate logging to simplify fixing
this in the affected browsers.
2016-04-18 21:18:24 +03:00
Valentin Bartenev
7691b9750e HTTP/2: send WINDOW_UPDATE instead of RST_STREAM with NO_ERROR.
After the 92464ebace8e change, it has been discovered that not all
clients follow the RFC and handle RST_STREAM with NO_ERROR properly.

Notably, Chrome currently interprets it as INTERNAL_ERROR and discards
the response.

As a workaround, instead of RST_STREAM the maximum stream window update
will be sent, which will let client to send up to 2 GB of a request body
data before getting stuck on flow control.  All the received data will
be silently discarded.

See for details:
http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008143.html
https://bugs.chromium.org/p/chromium/issues/detail?id=603182
2016-04-14 15:14:15 +03:00
Valentin Bartenev
536b5510d1 HTTP/2: refuse streams with data until SETTINGS is acknowledged.
A client is allowed to send requests before receiving and acknowledging
the SETTINGS frame.  Such a client having a wrong idea about the stream's
could send the request body that nginx isn't ready to process.

The previous behavior was to send RST_STREAM with FLOW_CONTROL_ERROR in
such case, but it didn't allow retrying requests that have been rejected.
2016-04-14 15:14:15 +03:00
Valentin Bartenev
60f0960ab6 HTTP/2: deduplicated some code in ngx_http_v2_state_headers().
No functional changes.
2016-04-14 15:14:15 +03:00
Valentin Bartenev
4c1b9fef65 FastCGI: skip special bufs in buffered request body chain.
This prevents forming empty records out of such buffers.  Particularly it fixes
double end-of-stream records with chunked transfer encoding, or when HTTP/2 is
used and the END_STREAM flag has been sent without data.  In both cases there
is an empty buffer at the end of the request body chain with the "last_buf"
flag set.

The canonical libfcgi, as well as php implementation, tolerates such records,
while the HHVM parser is more strict and drops the connection (ticket #950).
2016-04-11 18:42:34 +03:00
Ruslan Ermilov
400d42437c Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse (as in e444e8f6538b). 2016-04-12 19:01:56 +03:00
Alessandro Ghedini
35f05dd51f Fixed typos. 2016-04-11 16:47:11 +01:00
Ruslan Ermilov
37a3a2b2e8 Removed redundant "u" format specifier.
It is implied for "x" and "X".
2016-04-08 15:03:38 +03:00
Ruslan Ermilov
4d1f67fd91 Simplified ngx_unix_recv() and ngx_readv_chain().
This makes ngx_unix_recv() and ngx_udp_unix_recv() differ minimally.
2016-04-08 16:49:35 +03:00
Valentin Bartenev
dbabc66b68 Merged implementations of ngx_unix_recv().
There's no real need in two separate implementations,
with and without kqueue support.
2016-04-08 16:41:45 +03:00
Valentin Bartenev
900ef17c47 Fixed small inconsistency in handling EOF among receive functions.
Now all functions always drop the ready flag in this case.
2016-04-08 16:39:49 +03:00
Valentin Bartenev
8e7d8757c6 Merged implementations of ngx_udp_unix_recv().
There's no real need in two separate implementations,
with and without kqueue support.
2016-04-08 16:38:42 +03:00
Josh Soref
73d27510c0 Fixed spelling. 2016-04-07 11:50:13 +03:00
Ruslan Ermilov
2f9f3453f2 Version bump. 2016-04-07 19:09:42 +03:00
Valentin Bartenev
74ee55ec1b HTTP/2: support for unbuffered upload of request body. 2016-04-01 15:57:10 +03:00
Valentin Bartenev
948eeca222 HTTP/2: rewritten handling of request body.
There are two improvements:

  1. Support for request body filters;

  2. Receiving of request body is started only after
     the ngx_http_read_client_request_body() call.

The last one fixes the problem when the client_max_body_size value might not be
respected from the right location if the location was changed either during the
process of receiving body or after the whole body had been received.
2016-04-01 15:56:03 +03:00
Valentin Bartenev
cedba685a1 HTTP/2: sending RST_STREAM with NO_ERROR to discard request body.
RFC 7540 states that "A server can send a complete response prior to the client
sending an entire request if the response does not depend on any portion of the
request that has not been sent and received.  When this is true, a server MAY
request that the client abort transmission of a request without error by sending
a RST_STREAM with an error code of NO_ERROR after sending a complete response
(i.e., a frame with the END_STREAM flag)."

This should prevent a client from blocking on the stream window, since it isn't
maintained for closed streams.  Currently, quite big initial stream windows are
used, so such blocking is very unlikly, but that will be changed in the further
patches.
2016-04-01 15:56:03 +03:00
Maxim Dounin
7cee215f15 Core: removed incorrect GCC 2.7 check.
It was broken since introduction (__GNU__ instead of __GNUC__) and did
nothing.  Moreover, GCC 2.7 is happy with the normal version of the code.

Reported by Joel Cunningham,
http://mailman.nginx.org/pipermail/nginx-devel/2016-March/007964.html.
2016-04-01 13:17:12 +03:00
Maxim Dounin
2e251b1c34 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
SSLeay_version() and SSLeay() are no longer available if OPENSSL_API_COMPAT
is set to 0x10100000L.  Switched to using OpenSSL_version() instead.

Additionally, we now compare version strings instead of version numbers,
and this correctly works for LibreSSL as well.
2016-03-31 23:38:38 +03:00
Sergey Kandaurov
d8fbce1deb SSL: X509 was made opaque in OpenSSL 1.1.0.
To increment reference counters we now use newly introduced X509_up_ref()
function.
2016-03-31 23:38:37 +03:00
Sergey Kandaurov
66feb8c6f0 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. 2016-03-31 23:38:36 +03:00
Maxim Dounin
8fc90404fb SSL: RSA_generate_key() is deprecated in OpenSSL 1.1.0.
OpenSSL removed support for all 40 and 56 bit ciphers.
2016-03-31 23:38:34 +03:00
Maxim Dounin
e6f04424af SSL: initialization changes for OpenSSL 1.1.0.
OPENSSL_config() deprecated in OpenSSL 1.1.0.  Additionally,
SSL_library_init(), SSL_load_error_strings() and OpenSSL_add_all_algorithms()
are no longer available if OPENSSL_API_COMPAT is set to 0x10100000L.

The OPENSSL_init_ssl() function is now used instead with appropriate
arguments to trigger the same behaviour.  The configure test changed to
use SSL_CTX_set_options().

Deinitialization now happens automatically in OPENSSL_cleanup() called
via atexit(3), so we no longer call EVP_cleanup() and ENGINE_cleanup()
directly.
2016-03-31 23:38:33 +03:00
Maxim Dounin
93c2749fae SSL: get_session callback changed in OpenSSL 1.1.0. 2016-03-31 23:38:32 +03:00
Maxim Dounin
0e83d6ac40 SSL: guarded error codes not present in OpenSSL 1.1.0. 2016-03-31 23:38:31 +03:00
Maxim Dounin
bad99ee004 SSL: reasonable version for LibreSSL.
LibreSSL defines OPENSSL_VERSION_NUMBER to 0x20000000L, but uses an old
API derived from OpenSSL at the time LibreSSL forked.  As a result, every
version check we use to test for new API elements in newer OpenSSL versions
requires an explicit check for LibreSSL.

To reduce clutter, redefine OPENSSL_VERSION_NUMBER to 0x1000107fL if
LibreSSL is used.  The same is done by FreeBSD port of LibreSSL.
2016-03-31 23:38:29 +03:00
Ruslan Ermilov
5afd74bed6 Removed the prototype mysql module. 2016-03-31 22:33:26 +03:00
Ruslan Ermilov
5ad6e01b46 Fixed ngx_os_signal_process() prototype. 2016-03-31 22:00:33 +03:00
Sergey Kandaurov
60a6551e1f Fixed ngx_pid_t formatting in ngx_sprintf() and logging. 2016-03-31 02:34:04 +03:00
Sergey Kandaurov
6a716c6123 Fixed format specifiers in ngx_sprintf(). 2016-03-31 02:34:00 +03:00
Sergey Kandaurov
00ef9ff5f0 Fixed logging. 2016-03-31 02:33:57 +03:00
Sergey Kandaurov
53fec2c414 Events: fixed logging. 2016-03-31 02:33:55 +03:00
Sergey Kandaurov
c622ff3b44 Fixed logging with variable field width. 2016-03-31 02:33:53 +03:00
Sergey Kandaurov
2e25f340b8 Fixed logging in close error handling. 2016-03-31 02:33:50 +03:00
Ruslan Ermilov
dd5628fcad Events: fixed test building with eventport on OS X.
Broken in d17f0584006f (1.9.13).
2016-03-30 11:57:28 +03:00
Ruslan Ermilov
7ad57da598 Style. 2016-03-30 11:52:16 +03:00
Ruslan Ermilov
dfbc51a8cc Version bump. 2016-03-30 11:52:07 +03:00
Maxim Dounin
d259032741 Win32: replaced NGX_EXDEV with more appropriate error code.
Correct error code for NGX_EXDEV on Windows is ERROR_NOT_SAME_DEVICE,
"The system cannot move the file to a different disk drive".

Previously used ERROR_WRONG_DISK is about wrong diskette in the drive and
is not appropriate.

There is no real difference though, as MoveFile() is able to copy files
between disk drives, and will fail with ERROR_ACCESS_DENIED when asked
to copy directories.  The ERROR_NOT_SAME_DEVICE error is only used
by MoveFileEx() when called without the MOVEFILE_COPY_ALLOWED flag.
2016-03-29 09:52:15 +03:00
Maxim Dounin
6871615528 Win32: additional error code NGX_EEXIST_FILE (ticket #910).
On Windows there are two possible error codes which correspond to
the EEXIST error code: ERROR_FILE_EXISTS used by CreateFile(CREATE_NEW),
and ERROR_ALREADY_EXISTS used by CreateDirectory().

MoveFile() seems to use both: ERROR_ALREADY_EXISTS when moving within
one filesystem, and ERROR_FILE_EXISTS when copying a file to a different
drive.
2016-03-29 09:51:46 +03:00
Maxim Dounin
4618c03f4c Upstream: proxy_next_upstream non_idempotent.
By default, requests with non-idempotent methods (POST, LOCK, PATCH)
are no longer retried in case of errors if a request was already sent
to a backend.  Previous behaviour can be restored by using
"proxy_next_upstream ... non_idempotent".
2016-03-28 19:50:19 +03:00
Maxim Dounin
5a76856dc2 Upstream: cached connections now tested against next_upstream.
Much like normal connections, cached connections are now tested against
u->conf->next_upstream, and u->state->status is now always set.

This allows to disable additional tries even with upstream keepalive
by using "proxy_next_upstream off".
2016-03-28 19:49:52 +03:00
Ruslan Ermilov
f5fff1eda0 Fixed --test-build-*.
Fixes various aspects of --test-build-devpoll, --test-build-eventport, and
--test-build-epoll.

In particular, if --test-build-devpoll was used on Linux, then "devpoll"
event method would be preferred over "epoll".  Also, wrong definitions of
event macros were chosen.
2016-03-28 19:29:18 +03:00
Roman Arutyunyan
3d791c46f5 Sub filter: fixed allocation alignment. 2016-03-28 13:35:25 +03:00
Piotr Sikora
c3aed0a233 Core: allow strings without null-termination in ngx_parse_url().
This fixes buffer over-read while using variables in the "proxy_pass",
"fastcgi_pass", "scgi_pass", and "uwsgi_pass" directives, where result
of string evaluation isn't null-terminated.

Found with MemorySanitizer.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-02-26 17:30:27 -08:00
Roman Arutyunyan
030a1f959c Fixed socket inheritance on reload and binary upgrade.
On nginx reload or binary upgrade, an attempt is made to inherit listen sockets
from the previous configuration.  Previously, no check for socket type was made
and the inherited socket could have the wrong type.  On binary upgrade, socket
type was not detected at all.  Wrong socket type could lead to errors on that
socket due to different logic and unsupported syscalls.  For example, a UDP
socket, inherited as TCP, lead to the following error after arrival of a
datagram: "accept() failed (102: Operation not supported on socket)".
2016-03-25 14:10:38 +03:00
Vladimir Homutov
818ebb3492 Stream: additional logging for UDP. 2016-03-18 19:53:22 +03:00
Dmitry Volyntsev
2e6e246794 Win32: fixed build after 384154fc634f. 2016-03-23 18:34:05 +03:00
Roman Arutyunyan
3c48fd7c05 Stream: detect port absence in proxy_pass with IP literal.
This is a clone of http commit 26c127bab5ef.
2016-03-23 17:45:15 +03:00
Dmitry Volyntsev
f625ad7ce8 Resolver: added support for SRV records. 2016-03-23 17:44:36 +03:00
Dmitry Volyntsev
2b2fe92aaa Resolver: do not enable resolve timer if provided timeout is zero. 2016-03-23 17:44:36 +03:00
Dmitry Volyntsev
98f222c6c1 Resolver: introduced valid field in resolver responses.
It hints the amount of time a response could be considered
as valid.
2016-03-23 17:44:36 +03:00
Valentin Bartenev
0f4315f998 Core: introduced the NGX_DEBUG_PALLOC macro.
It allows to turn off accumulation of small pool allocations into a big
preallocated chunk of memory.  This is useful for debugging memory access
with sanitizer, since such accumulation can cover buffer overruns from
being detected.
2016-03-23 17:44:04 +03:00
Valentin Bartenev
9d08bda415 Core: use ngx_palloc_small() to allocate ngx_pool_large_t.
This structure cannot be allocated as a large block anyway, otherwise that will
result in infinite recursion, since each large allocation requires to allocate
another ngx_pool_large_t.

The room for the structure is guaranteed by the NGX_MIN_POOL_SIZE constant.
2016-03-23 17:44:04 +03:00
Valentin Bartenev
21dfe90a4e Core: introduced the ngx_palloc_small() function.
It deduplicates some code for allocations from memory pool.
No functional changes.
2016-03-23 17:44:04 +03:00
Valentin Bartenev
b94eb1dfe6 Core: moved logging before freeing large blocks of pool.
This fixes use-after-free memory access with enabled debug log
when pool->log is allocated as a large block.
2016-03-23 17:44:04 +03:00
Maxim Dounin
890ba54497 Backed out server_tokens changes.
Backed out changesets: cf3e75cfa951, 6b72414dfb4f, 602dc42035fe, e5076b96fd01.
2016-03-22 16:58:38 +03:00
Dmitry Volyntsev
24e38323ee Cache: fixed slots accounting error introduced in c9d680b00744. 2016-03-23 14:16:31 +03:00
Ruslan Ermilov
0b768c1435 Reconsidered server_tokens with an empty value.
An empty value will be treated as "off".
2016-03-22 15:52:28 +03:00
Valentin Bartenev
ae5e76ea06 HTTP/2: improved debugging of sending control frames. 2016-03-21 17:04:21 +03:00
Sergey Kandaurov
1a5922008e Events: fixed test building with devpoll and eventport on Linux.
Avoid POLLREMOVE and itimerspec redefinition.
2016-03-21 12:36:36 +03:00
Piotr Sikora
26f669f109 Fix build with -Wmissing-prototypes.
Broken in 5eb4d7541107 (1.9.6), fix somehow missed in 3600bbfb43e3.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-03-18 16:38:08 -07:00
Dmitry Volyntsev
b18ba1e9f6 Cache: added watermark to reduce IO load when keys_zone is full.
When a keys_zone is full then each next request to the cache is
penalized.  That is, the cache has to evict older files to get a
slot from the keys_zone synchronously.  The patch introduces new
behavior in this scenario.  Manager will try to maintain available
free slots in the keys_zone by cleaning old files in the background.
2016-03-18 15:08:21 +03:00
Dmitry Volyntsev
861e75dc20 Cache: report error if slab allocator fails during cache loading. 2016-03-18 14:27:30 +03:00
Maxim Dounin
348f705c00 Threads: writing via threads pools in event pipe.
The "aio_write" directive is introduced, which enables use of aio
for writing.  Currently it is meaningful only with "aio threads".

Note that aio operations can be done by both event pipe and output
chain, so proper mapping between r->aio and p->aio is provided when
calling ngx_event_pipe() and in output filter.

In collaboration with Valentin Bartenev.
2016-03-18 06:44:49 +03:00
Maxim Dounin
10c8c8d6a4 Threads: offloading of temp files writing to thread pools.
The ngx_thread_write_chain_to_file() function introduced, which
uses ngx_file_t thread_handler, thread_ctx and thread_task fields.
The task context structure (ngx_thread_file_ctx_t) is the same for
both reading and writing, and can be safely shared as long as
operations are serialized.

The task->handler field is now always set (and not only when task is
allocated), as the same task can be used with different handlers.

The thread_write flag is introduced in the ngx_temp_file_t structure
to explicitly enable use of ngx_thread_write_chain_to_file() in
ngx_write_chain_to_temp_file() when supported by caller.

In collaboration with Valentin Bartenev.
2016-03-18 06:44:03 +03:00
Maxim Dounin
ac78b26324 Threads: task pointer stored in ngx_file_t.
This simplifies the interface of the ngx_thread_read() function.

Additionally, most of the thread operations now explicitly set
file->thread_task, file->thread_handler and file->thread_ctx,
to facilitate use of thread operations in other places.

(Potential problems remain with sendfile in threads though - it uses
file->thread_handler as set in ngx_output_chain(), and it should not
be overwritten to an incompatible one.)

In collaboration with Valentin Bartenev.
2016-03-18 06:43:52 +03:00
Maxim Dounin
931ce7f02a Fixed timeouts with threaded sendfile() and subrequests.
If a write event happens after sendfile() but before we've got the
sendfile results in the main thread, this write event will be ignored.
And if no more events will happen, the connection will hang.

Removing the events works in the simple cases, but not always, as
in some cases events are added back by an unrelated code.  E.g.,
the upstream module adds write event in the ngx_http_upstream_init()
to track client aborts.

Fix is to use wev->complete instead.  It is now set to 0 before
a sendfile() task is posted, and it is set to 1 once a write event
happens.  If on completion of the sendfile() task wev->complete is 1,
we know that an event happened while we were executing sendfile(), and
the socket is still ready for writing even if sendfile() did not sent
all the data or returned EAGAIN.
2016-03-18 05:04:45 +03:00
Ruslan Ermilov
07fc7dc719 Style. 2016-03-16 14:44:41 +03:00
Maxim Dounin
07a7b57762 Truncation detection in sendfilev() on Solaris.
While sendfilev() is documented to return -1 with EINVAL set
if the file was truncated, at least Solaris 11 silently returns 0,
and this results in CPU hog.  Added a test to complain appropriately
if 0 is returned.
2016-03-15 18:26:59 +03:00
Maxim Dounin
681e735a33 Truncation detection in sendfile() on Linux.
This addresses connection hangs as observed in ticket #504, and
CPU hogs with "aio threads; sendfile on" as reported in the mailing list,
see http://mailman.nginx.org/pipermail/nginx-ru/2016-March/057638.html.

The alert is identical to one used on FreeBSD.
2016-03-15 18:26:17 +03:00
Roman Arutyunyan
2ce791f2cd Stream: UDP proxy. 2016-01-20 19:52:12 +03:00
Roman Arutyunyan
c790f9673d Stream: post first read events from client and upstream.
The main proxy function ngx_stream_proxy_process() can terminate the stream
session.  The code, following it, should check its return code to make sure the
session still exists.  This happens in client and upstream initialization
functions.  Swapping ngx_stream_proxy_process() call with the code, that
follows it, leaves the same problem vice versa.

In future ngx_stream_proxy_process() will call ngx_stream_proxy_next_upstream()
making it too complicated to know if stream session still exists after this
call.

Now ngx_stream_proxy_process() is called from posted event handlers in both
places with no code following it.  The posted event is automatically removed
once session is terminated.
2016-03-15 15:55:23 +03:00
Ruslan Ermilov
8f53f6f626 Win32: fixed build after cf3e75cfa951. 2016-03-15 15:15:30 +03:00
Ruslan Ermilov
3d9ce2d601 Win32: fixed build after cf3e75cfa951. 2016-03-15 15:10:41 +03:00
Ruslan Ermilov
86927c6588 Added variables support to server_tokens.
It can now be set to "off" conditionally, e.g. using the map
directive.

An empty value will disable the emission of the Server: header
and the signature in error messages generated by nginx.

Any other value is treated as "on", meaning that full nginx
version is emitted in the Server: header and error messages
generated by nginx.
2016-03-15 13:36:19 +03:00
Valentin Bartenev
b3c1abdcd8 Fixed handling of EAGAIN with sendfile in threads. 2016-03-14 22:42:35 +03:00
Roman Arutyunyan
2b4a62c2fc Events: fixed error logging in devpoll. 2016-03-15 00:04:04 +03:00
Sergey Kandaurov
db72c6be20 Fixed compilation with -Wmissing-prototypes. 2016-03-14 19:23:23 +03:00
Justin Li
573ec98d24 Upstream: avoid closing client connection in edge case.
If proxy_cache is enabled, and proxy_no_cache tests true, it was previously
possible for the client connection to be closed after a 304. The fix is to
recheck r->header_only after the final cacheability is determined, and end the
request if no longer cacheable.

Example configuration:

proxy_cache foo;
proxy_cache_bypass 1;
proxy_no_cache 1;

If a client sends If-None-Match, and the upstream server returns 200 with a
matching ETag, no body should be returned to the client. At the start of
ngx_http_upstream_send_response proxy_no_cache is not yet tested, thus cacheable
is still 1 and downstream_error is set.

However, by the time the downstream_error check is done in process_request,
proxy_no_cache has been tested and cacheable is set to 0. The client connection
is then closed, regardless of keepalive.
2016-03-08 22:31:55 -05:00
Maxim Dounin
2aa6d7fd65 Upstream: fixed "zero size buf" alerts with cache (ticket #918).
If caching was used, "zero size buf in output" alerts might appear
in logs if a client prematurely closed connection.  Alerts appeared
in the following situation:

- writing to client returned an error, so event pipe
  drained all busy buffers leaving body output filters
  in an invalid state;

- when upstream response was fully received,
  ngx_http_upstream_finalize_request() tried to flush
  all pending data.

Fix is to avoid flushing body if p->downstream_error is set.
2016-03-10 21:58:03 +03:00
Maxim Dounin
00fcc6a987 Copy filter: fixed sendfile aio handlers to set ctx->aio.
Sendfile handlers (aio preload and thread handler) are called within
ctx->output_filter() in ngx_output_chain(), and hence ctx->aio cannot
be set directly in ngx_output_chain().  Meanwhile, it must be set to
make sure loop within ngx_output_chain() will be properly terminated.

There are no known cases that trigger the problem, though in theory
something like aio + sub filter (something that needs body in memory,
and can also free some memory buffers) + sendfile can result in
"task already active" and "second aio post" alerts.

The fix is to set ctx->aio in ngx_http_copy_aio_sendfile_preload()
and ngx_http_copy_thread_handler().

For consistency, ctx->aio is no longer set explicitly in
ngx_output_chain_copy_buf(), as it's now done in
ngx_http_copy_thread_handler().
2016-03-03 21:14:19 +03:00
Maxim Dounin
a6fe512df6 Fixed sendfile in threads (or with aio preload) and subrequests.
If sendfile in threads is used, it is possible that multiple
subrequests will trigger multiple ngx_linux_sendfile_thread() calls,
as operations are only serialized in output chain based on r->aio,
that is, on subrequest level.

This resulted in "task #N already active" alerts, in particular, when
running proxy_store.t with "aio threads; sendfile on;".

Fix is to tolerate duplicate calls, with an additional safety check
that the file is the same as previously used.

The same problem also affects "aio on; sendfile on;" on FreeBSD
(previously known as "aio sendfile;"), where aio->preload_handler()
could be called multiple times due to similar reasons, resulting in
"second aio post" alerts.  Fix is the same as well.

It is also believed that similar problems can arise if a filter
calls the next body filter multiple times for some reason.  These are
mostly theoretical though.
2016-03-03 21:14:12 +03:00
Valentin Bartenev
e243a2d6c2 Introduced the ngx_chain_to_iovec() function.
It's similar to ngx_output_chain_to_iovec() and uses only preallocated memory.
2016-03-03 18:41:05 +03:00
Valentin Bartenev
bc6fcb672c Request body: moved handling of the last part in the save filter.
No functional changes.
2016-03-01 15:18:07 +03:00
Ruslan Ermilov
ea9a2cf2ba Dynamic modules: removed unnecessary initialization.
It became unnecessary after 85dea406e18f.
2016-02-25 16:29:51 +03:00
Ruslan Ermilov
ceccebbb31 Version bump. 2016-02-25 16:28:42 +03:00
Valentin Bartenev
f72bcf8285 HTTP/2: implemented per request timeouts (closes #626).
Previously, there were only three timeouts used globally for the whole HTTP/2
connection:

 1. Idle timeout for inactivity when there are no streams in processing
    (the "http2_idle_timeout" directive);

 2. Receive timeout for incomplete frames when there are no streams in
    processing (the "http2_recv_timeout" directive);

 3. Send timeout when there are frames waiting in the output queue
    (the "send_timeout" directive on a server level).

Reaching one of these timeouts leads to HTTP/2 connection close.

This left a number of scenarios when a connection can get stuck without any
processing and timeouts:

 1. A client has sent the headers block partially so nginx starts processing
    a new stream but cannot continue without the rest of HEADERS and/or
    CONTINUATION frames;

 2. When nginx waits for the request body;

 3. All streams are stuck on exhausted connection or stream windows.

The first idea that was rejected was to detect when the whole connection
gets stuck because of these situations and set the global receive timeout.
The disadvantage of such approach would be inconsistent behaviour in some
typical use cases.  For example, if a user never replies to the browser's
question about where to save the downloaded file, the stream will be
eventually closed by a timeout.  On the other hand, this will not happen
if there's some activity in other concurrent streams.

Now almost all the request timeouts work like in HTTP/1.x connections, so
the "client_header_timeout", "client_body_timeout", and "send_timeout" are
respected.  These timeouts close the request.

The global timeouts work as before.

Previously, the c->write->delayed flag was abused to avoid setting timeouts on
stream events.  Now, the "active" and "ready" flags are manipulated instead to
control the processing of individual streams.
2016-02-24 15:58:07 +03:00
Valentin Bartenev
4e6a490fa7 HTTP/2: always use temporary pool for processing headers.
This is required for implementing per request timeouts.

Previously, the temporary pool was used only during skipping of
headers and the request pool was used otherwise.  That required
switching of pools if the request was closed while parsing.

It wasn't a problem since the request could be closed only after
the validation of the fully parsed header.  With the per request
timeouts, the request can be closed at any moment, and switching
of pools in the middle of parsing header name or value becomes a
problem.

To overcome this, the temporary pool is now always created and
used.  Special checks are added to keep it when either the stream
is being processed or until header block is fully parsed.
2016-02-24 16:05:47 +03:00
Valentin Bartenev
8b40f1eaec HTTP/2: cleaned up state while closing stream.
Without this the state might keep pointing to already closed stream.
2016-02-24 16:05:46 +03:00
Valentin Bartenev
1d294eea3e Fixed buffer over-read while logging invalid request headers.
Since 667aaf61a778 (1.1.17) the ngx_http_parse_header_line() function can return
NGX_HTTP_PARSE_INVALID_HEADER when a header contains NUL character.  In this
case the r->header_end pointer isn't properly initialized, but the log message
in ngx_http_process_request_headers() hasn't been adjusted.  It used the pointer
in size calculation, which might result in up to 2k buffer over-read.

Found with afl-fuzz.
2016-02-24 16:01:23 +03:00
Maxim Dounin
7b232ef5aa SSL: avoid calling SSL_shutdown() during handshake (ticket #901).
This fixes "called a function you should not call" and
"shutdown while in init" errors as observed with OpenSSL 1.0.2f
due to changes in how OpenSSL handles SSL_shutdown() during
SSL handshakes.
2016-02-19 17:27:30 +03:00
Maxim Dounin
89d3762863 SSL: fixed SSL_shutdown() comment. 2016-02-19 17:27:23 +03:00
Ruslan Ermilov
73f815e489 Headers filter: fixed "add_header ... '' always".
The "always" parameter was ignored if the header value was empty.
2016-02-18 15:49:11 +03:00
Vladimir Homutov
faa96e82d2 Core: added support for more than 64 CPUs in worker_cpu_affinity. 2016-02-18 13:58:49 +03:00
Valentin Bartenev
b5d7d3f024 HTTP/2: added debug logging of response headers.
Because of HPACK compression it's hard to see what headers are actually
sent by the server.
2016-02-16 17:49:14 +03:00
Valentin Bartenev
fcfe483292 HTTP/2: use local pointer instead of r->connection.
No functional changes.
2016-02-16 17:49:14 +03:00
Maxim Dounin
79654d53e3 Core: improved logging on invalid NGINX variable (ticket #900). 2016-02-15 17:41:52 +03:00
Valentin Bartenev
822fc91b09 HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.

Found by Coverity (CID 1352150).
2016-02-12 16:36:20 +03:00
Valentin Bartenev
531e6fbfd6 HTTP/2: implemented HPACK Huffman encoding for response headers.
This reduces the size of headers by over 30% on average.

Based on the patch by Vlad Krasnov:
http://mailman.nginx.org/pipermail/nginx-devel/2015-December/007682.html
2016-02-11 15:35:36 +03:00
Ruslan Ermilov
3b9b07377b Dynamic modules: fixed a version mismatch message (ticket #898).
Based on a patch by Takashi Takizawa.
2016-02-11 18:46:46 +03:00
Roman Arutyunyan
f1f419fd2c Stream: initialize variable right before using it. 2016-02-11 14:20:26 +03:00
Roman Arutyunyan
1cdd0cc421 Stream: removed useless typedef. 2016-02-11 14:20:22 +03:00
Piotr Sikora
2fe20c9b34 Core: ngx_module_t compatibility with C++.
Changes to NGX_MODULE_V1 and ngx_module_t in 85dea406e18f (1.9.11)
broke all modules written in C++, because ISO C++11 does not allow
conversion from string literal to char *.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-02-09 16:31:26 -08:00
Maxim Dounin
839c1997d9 Version bump. 2016-02-10 06:23:34 +03:00
Maxim Dounin
97f59dda09 Dynamic modules.
The auto/module script is extended to understand ngx_module_link=DYNAMIC.
When set, it links the module as a shared object rather than statically
into nginx binary.  The module can later be loaded using the "load_module"
directive.

New auto/module parameter ngx_module_order allows to define module loading
order in complex cases.  By default the order is set based on ngx_module_type.

3rd party modules can be compiled dynamically using the --add-dynamic-module
configure option, which will preset ngx_module_link to "DYNAMIC" before
calling the module config script.

Win32 support is rudimentary, and only works when using MinGW gcc (which
is able to handle exports/imports automatically).

In collaboration with Ruslan Ermilov.
2016-02-04 20:25:29 +03:00
Maxim Dounin
86cc342a26 Dynamic modules: dlopen() support. 2016-02-04 18:30:21 +03:00
Maxim Dounin
0f67d6355c Dynamic modules: changed ngx_modules to cycle->modules. 2016-02-04 18:30:21 +03:00
Maxim Dounin
7988334570 Dynamic modules: moved module-related stuff to separate files. 2016-02-04 18:30:21 +03:00
Valentin Bartenev
9add42c71e HTTP/2: fixed possible buffer overrun (ticket #893).
Due to greater priority of the unary plus operator over the ternary operator
the expression didn't work as expected.  That might result in one byte less
allocation than needed for the HEADERS frame buffer.
2016-02-04 18:01:04 +03:00
Valentin Bartenev
cb173ff672 HTTP/2: fixed padding handling in HEADERS frame with CONTINUATION. 2016-02-02 16:33:55 +03:00
Valentin Bartenev
8050277acf HTTP/2: fixed request length accounting.
Now it includes not only the received body size,
but the size of headers block as well.
2016-02-02 16:33:55 +03:00
Valentin Bartenev
405f4f99b4 HTTP/2: fixed excessive memory allocation for pool cleanup. 2016-02-02 16:33:55 +03:00
Valentin Bartenev
3351fbe481 HTTP/2: removed unused field from ngx_http_v2_stream_t. 2016-02-02 16:33:55 +03:00
Ruslan Ermilov
c6ed65ce7c Resolver: style.
Use the original query name in error and debug messages when
processing PTR responses.
2015-12-17 17:30:22 +03:00
Ruslan Ermilov
bf269cbc55 Resolver: improved PTR response processing.
The previous code only parsed the first answer, without checking its
type, and required a compressed RR name.

The new code checks the RR type, supports responses with multiple
answers, and doesn't require the RR name to be compressed.

This has a side effect in limited support of CNAME.  If a response
includes both CNAME and PTR RRs, like when recursion is enabled on
the server, PTR RR is handled.

Full CNAME support in PTR response is not implemented in this change.
2015-12-17 17:21:16 +03:00
Ruslan Ermilov
06806aa001 Resolver: style.
Renamed argument in ngx_resolver_process_a() for consistency.
2015-12-17 17:21:12 +03:00
Roman Arutyunyan
cbee15bb6c Resolver: free TCP buffers on resolver cleanup. 2016-02-02 13:42:55 +03:00
Ruslan Ermilov
625481f6f1 Resolver: fixed possible resource leak introduced in 5a16d40c63de.
Found by Coverity (CID 1351175).
2016-02-02 11:35:19 +03:00
Roman Arutyunyan
aa8fa81e42 Resolver: TCP support.
Resend DNS query over TCP once UDP response came truncated.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
c8c44f7478 Resolver: per-request DNS server balancer.
Previously, a global server balancer was used to assign the next DNS server to
send a query to.  That could lead to a non-uniform distribution of servers per
request.  A request could be assigned to the same dead server several times in a
row and wait longer for a valid server or even time out without being processed.

Now each query is sent to all servers sequentially in a circle until a
response is received or timeout expires.  Initial server for each request is
still globally balanced.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
1945fff7bf Resolver: renamed UDP-specific structures, fields and variables.
They will be used for TCP connections as well.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
52d3601155 Resolver: removed unused field from ngx_resolver_ctx_t. 2016-01-28 15:28:19 +03:00
Roman Arutyunyan
c541b82c21 Version bump. 2016-01-28 15:25:58 +03:00
Ruslan Ermilov
fe89d99796 Resolver: limited CNAME recursion.
Previously, the recursion was only limited for cached responses.
2016-01-26 16:47:14 +03:00
Roman Arutyunyan
a3d42258d9 Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name.  This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from.  When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list.  This happened e.g. when the first request was aborted or timed
out before the resolving completed.  When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context.  The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.

When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname.  If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().

The fix is to keep ctx->name unmodified.  The name from context
is no longer used by ngx_resolve_name_done().  Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
2016-01-26 16:46:59 +03:00
Roman Arutyunyan
b1a110e3a4 Resolver: changed the ngx_resolver_create_*_query() arguments.
No functional changes.

This is needed by the following change.
2016-01-26 16:46:48 +03:00
Ruslan Ermilov
4016e6b1da Resolver: fixed CNAME processing for several requests.
When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.
2016-01-26 16:46:38 +03:00
Ruslan Ermilov
4b581a7c21 Resolver: fixed crashes in timeout handler.
If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.

If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.

This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.
2016-01-26 16:46:31 +03:00
Roman Arutyunyan
c44fd4e837 Resolver: fixed possible segmentation fault on DNS format error. 2016-01-26 16:46:18 +03:00
Valentin Bartenev
8a5df8c720 Request body: removed surplus assigment, no functional changes.
Setting rb->bufs to NULL is surplus after ngx_http_write_request_body()
has returned NGX_OK.
2016-01-12 19:19:07 +03:00
Maxim Dounin
d0bf684ab6 Core: worker_cpu_affinity auto.
If enabled, workers are bound to available CPUs, each worker to once CPU
in order.  If there are more workers than available CPUs, remaining are
bound in a loop, starting again from the first available CPU.

The optional mask parameter defines which CPUs are available for automatic
binding.

In collaboration with Vladimir Homutov.
2016-01-11 19:23:17 +03:00
Maxim Dounin
af647a3da2 Upstream: fixed changing method on X-Accel-Redirect.
Previously, only r->method was changed, resulting in handling of a request
as GET within nginx itself, but not in requests to proxied servers.

See http://mailman.nginx.org/pipermail/nginx/2015-December/049518.html.
2016-01-11 19:08:12 +03:00
Maxim Dounin
fda7d021ca Upstream: don't keep connections on early responses (ticket #669). 2015-12-17 16:39:15 +03:00
Maxim Dounin
9973e36944 Fixed PROXY protocol on IPv6 sockets (ticket #858). 2015-12-17 16:39:02 +03:00
Maxim Dounin
852a565be3 Version bump. 2015-12-17 16:38:51 +03:00
Ruslan Ermilov
5e7535df72 Fixed fastcgi_pass with UNIX socket and variables (ticket #855).
This was broken in a93345ee8f52 (1.9.8).
2015-12-09 16:26:59 +03:00
Ruslan Ermilov
fac1f23e5d Version bump. 2015-12-09 14:41:16 +03:00
Roman Arutyunyan
56fda3265b Slice filter: terminate first slice with last_in_chain flag.
This flag makes sub filter flush buffered data and optimizes allocation in copy
filter.
2015-12-08 17:39:56 +03:00
Roman Arutyunyan
5c1f76f0e9 Slice filter: never run subrequests when main request is buffered.
With main request buffered, it's possible, that a slice subrequest will send
output before it.  For example, while main request is waiting for aio read to
complete, a slice subrequest can start an aio operation as well.  The order
in which aio callbacks are called is undetermined.
2015-12-08 17:39:56 +03:00
Sergey Kandaurov
79fcf261d0 SSL: fixed possible segfault on renegotiation (ticket #845).
Skip SSL_CTX_set_tlsext_servername_callback in case of renegotiation.
Do nothing in SNI callback as in this case it will be supplied with
request in c->data which isn't expected and doesn't work this way.

This was broken by b40af2fd1c16 (1.9.6) with OpenSSL master branch and LibreSSL.
2015-12-08 16:59:43 +03:00
Roman Arutyunyan
8ba626ccd7 Slice filter.
Splits a request into subrequests, each providing a specific range of response.
The variable "$slice_range" must be used to set subrequest range and proper
cache key.  The directive "slice" sets slice size.

The following example splits requests into 1-megabyte cacheable subrequests.

server {
    listen 8000;

    location / {
        slice 1m;

        proxy_cache cache;
        proxy_cache_key $uri$is_args$args$slice_range;
        proxy_set_header Range $slice_range;
        proxy_cache_valid 200 206 1h;
        proxy_pass http://127.0.0.1:9000;
    }
}
2015-12-07 16:30:48 +03:00
Roman Arutyunyan
1b478c50de Upstream: fill r->headers_out.content_range from upstream response. 2015-12-07 16:30:47 +03:00
Piotr Sikora
9752706bd4 Core: fix typo in error message.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-12-02 19:17:19 -08:00
Maxim Dounin
6994593478 Style: NGX_PTR_SIZE replaced with sizeof(void *).
The NGX_PTR_SIZE macro is only needed in preprocessor directives where
it's not possible to use sizeof().
2015-12-03 20:06:45 +03:00
Maxim Dounin
af4e89b9a1 Style. 2015-12-02 01:06:54 +03:00
Ruslan Ermilov
362fb6c1d4 Stop emulating a space character after r->method_name.
This is an API change.

The proxy module was modified to not depend on this in 44122bddd9a1.
No known third-party modules seem to depend on this.
2015-11-30 12:54:01 +03:00
Ruslan Ermilov
05a38c7077 Proxy: improved code readability.
Do not assume that space character follows the method name, just pass it
explicitly.

The fuss around it has already proved to be unsafe, see bbdb172f0927 and
http://mailman.nginx.org/pipermail/nginx-ru/2013-January/049692.html for
details.
2015-11-06 15:21:51 +03:00
Ruslan Ermilov
f0f7b437b9 Reduced the number of GET method constants. 2015-11-30 12:04:35 +03:00
Valentin Bartenev
a89548a4e1 Increased the default "connection_pool_size" on 64-bit platforms.
The previous default of 256 bytes isn't enough and results in two
allocations on each accepted connection, which is suboptimal.
2015-11-30 16:27:33 +03:00
Ruslan Ermilov
5ea66922d9 Style: unified request method checks. 2015-11-06 15:22:43 +03:00
Ruslan Ermilov
bfe1987b41 Core: enabled "include" inside http upstreams (ticket #635).
The directive already works inside stream upstream blocks.
2015-11-23 12:40:19 +03:00
Ruslan Ermilov
72b9a317d2 Upstream: fixed "no port" detection in evaluated upstreams.
If an upstream with variables evaluated to address without a port,
then instead of a "no port in upstream" error an attempt was made
to connect() which failed with EADDRNOTAVAIL.
2015-11-21 10:44:07 +03:00
Valentin Bartenev
d862ae8e68 Used the pwritev() syscall for writing files where possible.
It is more effective, because it doesn't require a separate lseek().
2015-11-17 19:01:41 +03:00
Valentin Bartenev
906c4462f8 Moved file writev() handling code to a separate function.
No functional changes.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
a9e62b625b Handled EINTR from write() and pwrite() syscalls.
This is in addition to 6fce16b1fc10.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
9ef4b63328 Adjusted file->sys_offset after the write() syscall.
This fixes suboptimal behavior caused by surplus lseek() for sequential writes
on systems without pwrite().  A consecutive read after write might result in an
error on systems without pread() and pwrite().

Fortunately, at the moment there are no widely used systems without these
syscalls.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
3aef20d257 Version bump. 2015-11-17 19:01:41 +03:00
Ruslan Ermilov
1ce1610763 Realip: the $realip_remote_addr variable. 2015-11-16 16:02:02 +03:00
Valentin Bartenev
a52bbefd84 HTTP/2: reused HEADERS and CONTINUATION frames buffers. 2015-11-13 20:10:50 +03:00
Valentin Bartenev
548e31f608 HTTP/2: fixed handling of output HEADERS frames.
The HEADERS frame is always represented by more than one buffer since
b930e598a199, but the handling code hasn't been adjusted.

Only the first buffer of HEADERS frame was checked and if it had been
sent while others had not, the rest of the frame was dropped, resulting
in broken connection.

Before b930e598a199, the problem could only be seen in case of HEADERS
frame with CONTINUATION.
2015-11-13 20:10:50 +03:00
Valentin Bartenev
8323cd693b HTTP/2: fixed invalid headers handling (ticket #831).
The r->invalid_header flag wasn't reset once an invalid header appeared in a
request, resulting in all subsequent headers in the request were also marked
as invalid.
2015-11-13 20:10:50 +03:00
Roman Arutyunyan
89a049be89 Upstream: proxy_cache_convert_head directive.
The directive toggles conversion of HEAD to GET for cacheable proxy requests.
When disabled, $request_method must be added to cache key for consistency.
By default, HEAD is converted to GET as before.
2015-11-11 15:47:30 +03:00
Valentin Bartenev
93aef089b4 SSL: only select HTTP/2 using NPN if "http2" is enabled.
OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using HTTP/2 even if it wasn't
enabled in configuration.
2015-11-05 15:01:09 +03:00
Valentin Bartenev
b22c0e0846 HTTP/2: backed out 16905ecbb49e (ticket #822).
It caused inconsistency between setting "in_closed" flag and the moment when
the last DATA frame was actually read.  As a result, the body buffer might not
be initialized properly in ngx_http_v2_init_request_body(), which led to a
segmentation fault in ngx_http_v2_state_read_data().  Also it might cause
start processing of incomplete body.

This issue could be triggered when the processing of a request was delayed,
e.g. in the limit_req or auth_request modules.
2015-11-05 15:01:01 +03:00
Maxim Dounin
f9cce38e49 Fixed ngx_parse_time() out of bounds access (ticket #821).
The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m".  The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.
2015-10-30 21:43:30 +03:00
Vladimir Homutov
e7d298f3fc Syslog: added "nohostname" option.
The option disables sending hostname in the syslog message header.  This is
useful with syslog daemons that do not expect it (tickets #677 and #783).
2015-10-26 19:06:42 +03:00
Valentin Bartenev
090c471032 HTTP/2: changed behavior of the "http2_max_field_size" directive.
Now it limits only the maximum length of literal string (either raw or
compressed) in HPACK request header fields.  It's easier to understand
and to describe in the documentation.
2015-10-27 23:16:35 +03:00
Valentin Bartenev
edf30961e6 HTTP/2: fixed spelling. 2015-10-27 23:16:35 +03:00
Valentin Bartenev
5a8b212fd9 Version bump. 2015-10-27 23:16:29 +03:00
Valentin Bartenev
f36f51725a HTTP/2: simplified checking the END_STREAM flag.
No functional changes.
2015-10-26 17:46:28 +03:00
Valentin Bartenev
d418b92cdc HTTP/2: improved the ngx_http_v2_integer_octets(v) macro.
Previously, it didn't work well for 0, 127, and 128, returning less than needed.
2015-10-26 17:46:16 +03:00
Valentin Bartenev
3565680d94 HTTP/2: fixed the NGX_HTTP_V2_MAX_FIELD macro. 2015-10-26 17:46:13 +03:00
Valentin Bartenev
9150c7df1f HTTP/2: fixed splitting of response headers on CONTINUATION frames.
Previous code has been based on assumption that the header block can only be
splitted at the borders of individual headers.  That wasn't the case and might
result in emitting frames bigger than the frame size limit.

The current approach is to split header blocks by the frame size limit.
2015-09-28 02:32:44 +03:00
Valentin Bartenev
60e41c0fb1 HTTP/2: introduced NGX_HTTP_V2_ENCODE_* macros.
No functional changes.
2015-10-26 17:43:08 +03:00
Valentin Bartenev
69e78850fe HTTP/2: simplified producing of the Last-Modified header. 2015-10-26 17:43:08 +03:00
Valentin Bartenev
70c29f05f0 HTTP/2: fixed header block size calculation. 2015-10-26 17:43:08 +03:00
Piotr Sikora
f93aa4d953 HTTP/2: fix handling of connection errors.
Previously, nginx worker would crash because of a double free
if client disconnected or timed out before sending all headers.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
de4f0eb26b HTTP/2: fix indirect reprioritization.
Previously, streams that were indirectly reprioritized (either because of
a new exclusive dependency on their parent or because of removal of their
parent from the dependency tree), didn't have their pointer to the parent
node updated.

This broke detection of circular dependencies and, as a result, nginx
worker would crash due to stack overflow whenever such dependency was
introduced.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
71a6b600c2 HTTP/2: reject self-dependent streams.
Per RFC7540, a stream cannot depend on itself.

Previously, this requirement was enforced on PRIORITY frames, but not on
HEADERS frames and due to the implementation details nginx worker would
crash (stack overflow) while opening self-dependent stream.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
79a03b3ff6 Core: read/write locks are also required by the Stream module.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-23 18:21:33 -07:00
Valentin Bartenev
c0eb2f0759 HTTP/2: improved error handling while parsing integers.
The case when an integer is out of frame bounds should be checked first
as a more accurate error.
2015-10-20 21:28:38 +03:00
Ruslan Ermilov
c830cf28ae HTTP/2: improved HPACK integer parsing code readability.
No functional changes.
2015-10-20 21:26:38 +03:00
Maxim Dounin
faed7212fe Win32: timer_resolution now ignored with select.
As setitimer() isn't available on Windows, time wasn't updated at all
if timer_resolution was used with the select event method.  Fix is
to ignore timer_resolution in such cases.
2015-10-20 18:16:18 +03:00
Kouhei Sutou
67614b3aa3 Win32: fixed build with MinGW and MinGW-w64 gcc.
This change fixes the "comparison between signed and unsigned integer
expressions" warning, introduced in 5e6142609e48 (1.9.4).
2015-10-17 21:41:02 +09:00
Maxim Dounin
582911c9c2 Style: unneeded casts of cf->args->elts removed. 2015-10-19 23:04:49 +03:00
Maxim Dounin
cc74c63d39 Fixed variables prefix comparison.
Variable names are not null-terminated, so using ngx_strncmp() without
extra length checks is wrong.

Reported by Markus Linnala,
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007211.html.
2015-10-19 21:28:17 +03:00
Maxim Dounin
b9e0b9df44 Fixed handling of empty root.
Previously, a configuration with "root" set to an empty string tried test
a character at clcf->root.data[-1].  Additional test added to make sure
this won't happen.

Reported by Markus Linnala, see
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007210.html.
2015-10-19 21:28:02 +03:00
Maxim Dounin
a6befbb40f SSL: preserve default server context in connection (ticket #235).
This context is needed for shared sessions cache to work in configurations
with multiple virtual servers sharing the same port.  Unfortunately, OpenSSL
does not provide an API to access the session context, thus storing it
separately.

In collaboration with Vladimir Homutov.
2015-10-19 21:22:38 +03:00
Valentin Bartenev
7d2af13f3a HTTP/2: fixed parsing of literal header fields without indexing. 2015-10-19 16:16:47 +03:00
Vladimir Homutov
645697f111 SSL: handled long string truncation in ngx_ssl_error().
If no space left in buffer after adding formatting symbols, error message
could be left without terminating null.  The fix is to output message using
actual length.
2015-10-07 22:19:42 +03:00
Ruslan Ermilov
0079f29326 Stream: delete proxy connection timer after SSL handshake.
The timer remained active and could drop active SSL connection.
2015-10-06 08:57:09 +03:00
Kurtis Nusbaum
470d038671 Extract out version info function.
The code for displaying version info and configuration info seemed to be
cluttering up the main function. I was finding it hard to read main. This
extracts out all of the logic for displaying version and configuration info
into its own function, thus making main easier to read.
2015-07-12 08:31:38 -07:00
Valentin Bartenev
20669d1949 HTTP/2: fixed $server_protocol value (ticket #800). 2015-09-28 20:02:05 +03:00
Maxim Dounin
4bab18f63d SSL: compatibility with OpenSSL master branch.
RAND_pseudo_bytes() is deprecated in the OpenSSL master branch, so the only
use was changed to RAND_bytes().  Access to internal structures is no longer
possible, so now we don't try to set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS even
if it's defined.
2015-09-24 17:19:08 +03:00
Maxim Dounin
49766257fe Version bump. 2015-09-24 17:18:42 +03:00
Maxim Dounin
49b17956f9 Style. 2015-09-22 17:09:50 +03:00
Valentin Bartenev
a0d7df93a0 Increased the default number of output buffers.
Since an output buffer can only be used for either reading or sending, small
amounts of data left from the previous operation (due to some limits) must be
sent before nginx will be able to read further into the buffer.  Using only
one output buffer can result in suboptimal behavior that manifests itself in
forming and sending too small chunks of data.  This is particularly painful
with SPDY (or HTTP/2) where each such chunk needs to be prefixed with some
header.

The default flow-control window in HTTP/2 is 64k minus one bytes.  With one
32k output buffer this results is one byte left after exhausting the window.
With two 32k buffers the data will be read into the second free buffer before
sending, thus the minimum output is increased to 32k + 1 bytes which is much
better.
2015-09-15 17:49:15 +03:00
Valentin Bartenev
61e1f16d90 HTTP/2: fixed header block parsing with CONTINUATION frames (#792).
It appears that the CONTINUATION frames don't need to be aligned to bounds of
individual headers.
2015-09-22 01:40:04 +03:00
Valentin Bartenev
a27d0bd00d HTTP/2: fixed HPACK header field parsing. 2015-09-22 01:40:04 +03:00
Roman Arutyunyan
f64ff24451 Sub filter: fixed initialization in http{} level (ticket #791).
If sub_filter directive was only specified at http{} level, sub filter
internal data remained uninitialized.  That would lead to a crash in runtime.
2015-09-21 23:08:34 +03:00
Valentin Bartenev
ee37ff613f The HTTP/2 implementation (RFC 7240, 7241).
The SPDY support is removed, as it's incompatible with the new module.
2015-09-11 20:13:06 +03:00
Maxim Dounin
2c96914312 Core: fixed segfault with null in wildcard hash names.
A configuration like

    server { server_name .foo^@; }
    server { server_name .foo; }

resulted in a segmentation fault during construction of server names hash.

Reported by Markus Linnala.
Found with afl-fuzz.
2015-09-11 17:04:40 +03:00
Maxim Dounin
7930a6c442 Fixed segfault with incorrect location nesting.
A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created.  Example configuration to reproduce the problem:

    location "" {
        location @foo {}
    }

Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.

Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.

Reported by Markus Linnala.
Found with afl-fuzz.
2015-09-11 17:04:04 +03:00
Maxim Dounin
ce05841eef Cache: check the whole cache key in addition to hashes.
This prevents a potential attack that discloses cached data if an attacker
will be able to craft a hash collision between some cache key the attacker
is allowed to access and another cache key with protected data.

See http://mailman.nginx.org/pipermail/nginx-devel/2015-September/007288.html.

Thanks to Gena Makhomed and Sergey Brester.
2015-09-11 17:03:56 +03:00
Roman Arutyunyan
51f714c85d Upstream: fixed cache send error handling.
The value of NGX_ERROR, returned from filter handlers, was treated as a generic
upstream error and changed to NGX_HTTP_INTERNAL_SERVER_ERROR before calling
ngx_http_finalize_request().  This resulted in "header already sent" alert
if header was already sent in filter handlers.

The problem appeared in 54e9b83d00f0 (1.7.5).
2015-09-03 15:09:21 +03:00
Valentin Bartenev
a38402e306 Fixed building --with-debug, broken by 6fce16b1fc10. 2015-09-02 19:45:40 +03:00
Valentin Bartenev
7dd3f9ee22 Writing to some file systems can be interrupted.
At least such behavior was observed with CephFS, see:
http://mailman.nginx.org/pipermail/nginx/2015-July/048188.html.
2015-09-02 19:26:40 +03:00
Valentin Bartenev
5e0b936a07 Decreased the NGX_HTTP_MAX_SUBREQUESTS limit.
There is no much sense in such a big value since its semantics
has been changed in 06e850859a26 to limit recursive subrequests.
2015-08-31 23:26:33 +03:00
Valentin Bartenev
4ec67cf86f Added protection against r->main->count overflow by subrequests.
This overflow has become possible after the change in 06e850859a26,
since concurrent subrequests are not limited now and each of them is
counted in r->main->count.
2015-08-31 23:25:16 +03:00
Valentin Bartenev
0d3b15729c Limit recursive subrequests instead of simultaneous. 2015-08-23 21:03:32 +03:00
Valentin Bartenev
fae2488df7 Version bump. 2015-08-23 21:03:29 +03:00
Maxim Dounin
2e004237c5 Perl: prototyping behavior explicitly specified.
When prototyping behavior is not explicitly specified, xsubpp emits
a message to stderr asking to do so (see ticket #608).
2015-08-18 16:26:18 +03:00
Maxim Dounin
a0aea61b50 Perl: fixed warning about "sep" may be used uninitialized. 2015-08-18 16:26:05 +03:00
Maxim Dounin
84b0ad63fb Win32: MSVC 2015 compatibility.
Resolved warnings about declarations that hide previous local declarations.
Warnings about WSASocketA() being deprecated resolved by explicit use of
WSASocketW() instead of WSASocket().  When compiling without IPv6 support,
WinSock deprecated warnings are disabled to allow use of gethostbyname().
2015-08-17 18:09:17 +03:00
Dmitry Volyntsev
1576cd10aa Sub filter: support of variables in the strings to replace. 2015-08-17 17:42:02 +03:00
Dmitry Volyntsev
934b49923c Sub filter: support of multiple strings to replace. 2015-08-17 17:42:02 +03:00
Maxim Dounin
05982ffdf5 Fixed wrong URI after try_files in nested location (ticket #97).
The following configuration with alias, nested location and try_files
resulted in wrong file being used.  Request "/foo/test.gif" tried to
use "/tmp//foo/test.gif" instead of "/tmp/test.gif":

    location /foo/ {
        alias /tmp/;
        location ~ gif {
            try_files $uri =405;
        }
    }

Additionally, rev. c985d90a8d1f introduced a regression if
the "/tmp//foo/test.gif" file was found (ticket #768).  Resulting URI
was set to "gif?/foo/test.gif", as the code used clcf->name of current
location ("location ~ gif") instead of parent one ("location /foo/").

Fix is to use r->uri instead of clcf->name in all cases in the
ngx_http_core_try_files_phase() function.  It is expected to be
already matched and identical to the clcf->name of the right
location.
2015-08-16 10:51:34 +03:00
Maxim Dounin
4fec72dc8c Fixed segfault with try_files introduced by c985d90a8d1f.
If alias was used in a location given by a regular expression,
nginx used to do wrong thing in try_files if a location name (i.e.,
regular expression) was an exact prefix of URI.  The following
configuration triggered a segmentation fault on a request to "/mail":

    location ~ /mail {
        alias /path/to/directory;
        try_files $uri =404;
    }

Reported by Per Hansson.
2015-08-16 10:51:16 +03:00
Sergey Kandaurov
b7da4f5962 Core: fixed potential division by zero when initializing hash.
Found by Clang Static Analyzer.
2015-08-13 16:27:17 +03:00
Sergey Kandaurov
e161b6a46f Core: fixed style in the error message. 2015-08-13 16:27:13 +03:00
Vladimir Homutov
f2d31f8291 Stream: fixed potential error log buffer overrun.
Found by Duan Jiong <djduanjiong@gmail.com>.
2015-08-13 15:55:21 +03:00
Vladimir Homutov
75dcdc2269 Style. 2015-08-12 12:56:59 +03:00
Vladimir Homutov
b537def75e Stream: the "tcp_nodelay" directive. 2015-08-10 12:14:41 +03:00
Valentin Bartenev
50ff8b3c3a Core: idle connections now closed only once on exiting.
Iterating through all connections takes a lot of CPU time, especially
with large number of worker connections configured.  As a result
nginx processes used to consume CPU time during graceful shutdown.
To mitigate this we now only do a full scan for idle connections when
shutdown signal is received.

Transitions of connections to idle ones are now expected to be
avoided if the ngx_exiting flag is set.  The upstream keepalive module
was modified to follow this.
2015-08-11 16:28:55 +03:00
Andrei Belov
9500e19919 Fixed typo in the error message. 2015-08-11 10:28:00 +03:00
Gena Makhomed
97741382b6 Workaround for "configuration file test failed" under OpenVZ.
If nginx was used under OpenVZ and a container with nginx was suspended
and resumed, configuration tests started to fail because of EADDRINUSE
returned from listen() instead of bind():

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
nginx: configuration file /etc/nginx/nginx.conf test failed

With this change EADDRINUSE errors returned by listen() are handled
similarly to errors returned by bind(), and configuration tests work
fine in the same environment:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

More details about OpenVZ suspend/resume bug:
https://bugzilla.openvz.org/show_bug.cgi?id=2470
2015-07-23 14:00:03 -04:00
Roman Arutyunyan
29cebe5d63 Stream: deprecated proxy_downstream_buffer, proxy_upstream_buffer.
The directive proxy_buffer_size should be used instead.
2015-07-30 16:43:48 -07:00
Roman Arutyunyan
96507dabcc Style. 2015-07-29 14:36:36 -07:00
Roman Arutyunyan
3c8aaf830f Stream: added proxy_buffer_size to set the size of data buffers.
Both download and upload buffers now have the same size.  The old directives
proxy_downstream_buffer and proxy_upstream_buffer are removed.
2015-07-29 13:46:26 -07:00
Ruslan Ermilov
6dc03bf1a4 Fixed strict aliasing warnings with old GCC versions. 2015-07-16 14:20:48 +03:00
Maxim Dounin
3cc6000879 Version bump. 2015-07-15 22:56:03 +03:00
Roman Arutyunyan
f1dbcf61a2 Stream: renamed rate limiting directives.
The directive proxy_downstream_limit_rate is now called proxy_upload_rate.
The directive proxy_upstream_limit_rate is now called proxy_download_rate.
2015-07-14 09:38:13 -07:00
Maxim Dounin
3ac176fb86 OCSP stapling: fixed segfault without nextUpdate.
OCSP responses may contain no nextUpdate.  As per RFC 6960, this means
that nextUpdate checks should be bypassed.  Handle this gracefully by
using NGX_MAX_TIME_T_VALUE as "valid" in such a case.

The problem was introduced by 6893a1007a7c (1.9.2).

Reported by Matthew Baldwin.
2015-07-14 01:10:25 +03:00
Maxim Dounin
573810ce36 OCSP stapling: fixed ssl_stapling_file (ticket #769).
Broken by 6893a1007a7c (1.9.2) during introduction of strict OCSP response
validity checks.  As stapling file is expected to be returned unconditionally,
fix is to set its validity to the maximum supported time.

Reported by Faidon Liambotis.
2015-07-07 16:38:49 +03:00
Valentin Bartenev
cd17f869cf Stream: fixed possible integer overflow in rate limiting. 2015-07-02 17:20:29 +03:00
Roman Arutyunyan
035732696d Stream: fixed MSVC compilation warning.
Thanks to itpp2012.
2015-07-02 17:15:32 +03:00
Roman Arutyunyan
f81ae4e392 Stream: upstream "connected" flag.
Once upstream is connected, the upstream buffer is allocated.  Previously, the
proxy module used the buffer allocation status to check if upstream is
connected.  Now it's enough to check the flag.
2015-06-25 12:36:52 +03:00
Roman Arutyunyan
74942045d5 Stream: upstream and downstream limit rates. 2015-06-23 20:17:48 +03:00
Roman Arutyunyan
62959c9133 Stream: common handler for upstream and downstream. 2015-06-23 20:17:47 +03:00
Piotr Sikora
130396928a Stream: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2015-06-18 03:36:41 -07:00
Ruslan Ermilov
1e94ab0db0 Upstream: fixed shared upstreams on win32. 2015-06-16 00:43:00 +03:00
Vladimir Homutov
14ff3d4f87 Stream: connection limiting module.
stream {
    limit_conn_zone $binary_remote_addr zone=perip:1m;
    limit_conn_log_level error;

    server {
        ...
        limit_conn perip 1;
    }
}
2015-06-18 14:17:30 +03:00
Sergey Kandaurov
f470cd2b89 Resolver: canceled resend timer on empty resend queues.
This is specifically useful on graceful shutdown.
2015-06-17 17:57:34 +03:00
Vladimir Homutov
b7a8f2a08f Disabled duplicate http, mail, and stream blocks.
Such configurations have very limited use, introduce various problems and
are not officially supported.
2015-06-16 23:28:38 +03:00
Vladimir Homutov
9efe6c2243 Version bump. 2015-06-16 23:31:31 +03:00
Vladimir Homutov
4e83d3f7b5 Core: store and dump processed configuration.
If the -T option is passed, additionally to configuration test, configuration
files are output to stdout.

In the debug mode, configuration files are kept in memory and can be accessed
using a debugger.
2015-05-14 18:54:27 +03:00
Vladimir Homutov
42c32b733b Core: added support for writing to stdout. 2015-06-16 15:47:40 +03:00
Roman Arutyunyan
4404c3fd6d Core: renamed ngx_proxy_protocol_parse to ngx_proxy_protocol_read.
The new name is consistent with the ngx_proxy_protocol_write function.
2015-06-16 13:45:19 +03:00
Roman Arutyunyan
3ed1b3b5b0 Stream: client-side PROXY protocol.
The new directive "proxy_protocol" toggles sending out PROXY protocol header
to upstream once connection is established.
2015-06-16 13:45:16 +03:00
Vladimir Homutov
f50f83a2cf Stream: the "proxy_bind" directive. 2015-06-16 09:02:45 +03:00
Maxim Dounin
cb3dcbb81e OCSP stapling: avoid sending expired responses (ticket #425). 2015-06-11 20:42:39 +03:00
Maxim Dounin
9984f3053f Moved ngx_http_parse_time() to core, renamed accordingly.
The function is now called ngx_parse_http_time(), and can be used by
any code to parse HTTP-style date and time.  In particular, it will be
used for OCSP stapling.

For compatibility, a macro to map ngx_http_parse_time() to the new name
provided for a while.
2015-06-11 20:42:31 +03:00
Maxim Dounin
dd41bfd47a Removed unused ngx_http_get_time() declaration. 2015-06-11 20:42:24 +03:00
Vladimir Homutov
8ab1aa612d Stream: access module.
stream {
    server {
        ...
        allow 127.0.0.1;
        deny all;
    }
}
2015-06-04 13:04:12 +03:00
Vladimir Homutov
d56b84b783 Stream: added postconfiguration method to stream modules. 2015-06-09 13:00:45 +03:00
Ruslan Ermilov
c81d7ec158 Mail: listen backlog=. 2015-06-08 23:13:56 +03:00
Ruslan Ermilov
60c654ddf5 Stream: listen backlog=. 2015-06-08 23:13:33 +03:00
Ruslan Ermilov
b72a7b0df3 Mail: embed ngx_mail_listen_t into ngx_mail_conf_addr_t. 2015-06-08 23:11:58 +03:00
Ruslan Ermilov
bfbd0aabd4 Stream: embed ngx_stream_listen_t into ngx_stream_conf_addr_t. 2015-06-08 23:11:42 +03:00
Ruslan Ermilov
14ddadb9ac Stream: fixed "reuseport" to actually work. 2015-06-05 23:03:13 +03:00
Roman Arutyunyan
f5d79ffb82 Upstream keepalive: reduced diffs to the plus version of nginx. 2015-06-04 23:46:44 +03:00
Maxim Dounin
e041efc306 Style. 2015-06-05 17:10:34 +03:00
Sergey Kandaurov
99b2c89404 Event pipe: call ngx_handle_read_event() with a proper flags type.
The change was missed in f69d1aab6a0f.
2015-06-03 19:12:26 +03:00
Valentin Bartenev
66f6ba5c95 Fixed excessive memory usage while parsing configuration.
The b->pos points to the next symbol here.

Reported by ilexshen.
2015-06-01 21:08:56 +03:00
Ruslan Ermilov
087c31e8b2 Fixed bullying style of comments. 2015-05-29 09:26:33 +03:00
Ruslan Ermilov
3de18022d8 Version bump. 2015-05-29 09:26:27 +03:00
Maxim Dounin
724f0f028e Disabled SSLv3 by default (ticket #653). 2015-05-25 17:58:20 +03:00
Maxim Dounin
226647e397 Configure: GNU Hurd properly recognized.
With this change it's no longer needed to pass -D_GNU_SOURCE manually,
and -D_FILE_OFFSET_BITS=64 is set to use 64-bit off_t.

Note that nginx currently fails to work properly with master process
enabled on GNU Hurd, as fcntl(F_SETOWN) returns EOPNOTSUPP for sockets
as of GNU Hurd 0.6.  Additionally, our strerror() preloading doesn't
work well with GNU Hurd, as it uses large numbers for most errors.
2015-05-25 17:58:13 +03:00
Maxim Dounin
b4619182bb Fixed reuseport with accept_mutex. 2015-05-21 19:39:11 +03:00
Ruslan Ermilov
941a6995d7 Upstream: report to error_log when max_fails is reached.
This can be useful to understand why "no live upstreams" happens,
in particular.
2015-05-20 22:44:00 +03:00
Maxim Dounin
f7f1607bf2 The "reuseport" option of the "listen" directive.
When configured, an individual listen socket on a given address is
created for each worker process.  This allows to reduce in-kernel lock
contention on configurations with high accept rates, resulting in better
performance.  As of now it works on Linux and DragonFly BSD.

Note that on Linux incoming connection requests are currently tied up
to a specific listen socket, and if some sockets are closed, connection
requests will be reset, see https://lwn.net/Articles/542629/.  With
nginx, this may happen if the number of worker processes is reduced.
There is no such problem on DragonFly BSD.

Based on previous work by Sepherosa Ziehau and Yingqi Lu.
2015-05-20 15:51:56 +03:00