Commit Graph

4974 Commits

Author SHA1 Message Date
Maxim Dounin
a6b7cfe967 Fixed "satisfy any" if 403 is returned after 401 (ticket #285).
The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.

The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).

Patch by Jan Marc Hoffmann.
2013-10-18 18:13:49 +04:00
Maxim Dounin
6291a29992 Headers filter: empty Cache-Control is no longer added.
Much like with other headers, "add_header Cache-Control $value;" no longer
results in anything added to response headers if $value evaluates to an
empty string.
2013-10-18 18:13:44 +04:00
Maxim Dounin
0ca52adff6 Style. 2013-10-18 18:13:35 +04:00
Piotr Sikora
79be6a5462 SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.

    ssl_session_ticket_key  session_tickets/current.key;
    ssl_session_ticket_key  session_tickets/prev-1h.key;
    ssl_session_ticket_key  session_tickets/prev-2h.key;

Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-11 16:05:24 -07:00
Maxim Dounin
a8ad0c02cc SSL: SSL_CTX_set_timeout() now always called.
The timeout set is used by OpenSSL as a hint for clients in TLS Session
Tickets.  Previous code resulted in a default timeout (5m) used for TLS
Sessions Tickets if there was no session cache configured.

Prodded by Piotr Sikora.
2013-10-14 13:59:35 +04:00
Maxim Dounin
87a607a031 SSL: fixed build with OpenSSL 0.9.7.
SSL_get_rbio() and SSL_get_wbio() functions used to get non-const pointer
in OpenSSL 0.9.7, hence an explicit cast added to drop const qualifier.
2013-10-14 13:44:09 +04:00
Maxim Dounin
5a63dcc5d7 Limit req: fixed "nodelay" parsing.
Previously arguments starting with "nodelay" were considered valid,
e.g. "limit_req ... nodelayFOO;".
2013-10-02 15:07:17 +04:00
Maxim Dounin
31d023e53e Upstream: fixed "down" and "backup" parsing.
Previously arguments starting with "down" or "backup" were considered
valid, e.g. "server ... downFOO;".
2013-10-02 15:07:15 +04:00
Sergey Kandaurov
cfb2b55e8d Unused macro and variable removed.
The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9).
The variable ngx_accept_mutex_lock_file was never used.
2013-10-02 11:51:04 +04:00
Sergey Kandaurov
5bf78d05a0 Version bump. 2013-10-02 11:50:56 +04:00
Maxim Dounin
3c97551955 release-1.5.6 tag 2013-10-01 17:44:51 +04:00
Maxim Dounin
969512a5e0 nginx-1.5.6-RELEASE 2013-10-01 17:44:51 +04:00
Valentin Bartenev
cca2b04f51 SPDY: ignore priority when queuing blocked frames.
With this change all such frames will be added in front of the output queue, and
will be sent first.  It prevents HOL blocking when response with higher priority
is blocked by response with lower priority in the middle of the queue because
the order of their SYN_REPLY frames cannot be changed.

Proposed by Yury Kirpichev.
2013-10-01 00:14:37 +04:00
Valentin Bartenev
4f4963e87e SPDY: set empty write handler during connection finalization.
While ngx_http_spdy_write_handler() should not make any harm with current code,
calling it during finalization of SPDY connection was not intended.
2013-10-01 00:12:30 +04:00
Valentin Bartenev
92b82c80af SPDY: fixed connection leak while waiting for request headers.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for request headers, it was a no-op since the
read event handler had been set to ngx_http_empty_handler().
2013-10-01 00:04:00 +04:00
Valentin Bartenev
6ba03097db SPDY: fixed connection leak while waiting for request body.
If an error occurs in a SPDY connection, the c->error flag is set on every fake
request connection, and its read or write event handler is called, in order to
finalize it.  But while waiting for a request body, it was a no-op since the
read event handler ngx_http_request_handler() calls r->read_event_handler that
had been set to ngx_http_block_reading().
2013-10-01 00:00:57 +04:00
Maxim Dounin
ef8c64acbe Mail: fixed segfault with ssl/starttls at mail{} level and no cert.
A configuration like "mail { starttls on; server {}}" triggered NULL
pointer dereference in ngx_mail_ssl_merge_conf() as conf->file was not set.
2013-09-30 22:10:13 +04:00
Maxim Dounin
aa36cc39a4 Mail: fixed overrun of allocated memory (ticket #411).
Reported by Markus Linnala.
2013-09-30 22:10:08 +04:00
Maxim Dounin
f2b5192c30 Mail: handle smtp multiline replies.
See here for details:

http://nginx.org/pipermail/nginx/2010-August/021713.html
http://nginx.org/pipermail/nginx/2010-August/021784.html
http://nginx.org/pipermail/nginx/2010-August/021785.html
2013-09-30 22:10:03 +04:00
Maxim Dounin
4f6f653f48 Mail: smtp pipelining support.
Basically, this does the following two changes (and corresponding
modifications of related code):

1. Does not reset session buffer unless it's reached it's end, and always
wait for LF to terminate command (even if we detected invalid command).

2. Record command name to make it available for handlers (since now we
can't assume that command starts from s->buffer->start).
2013-09-30 22:09:57 +04:00
Maxim Dounin
f86169ae7b Mail: mail dependencies are now honored while building addons. 2013-09-30 22:09:54 +04:00
Maxim Dounin
32d6035303 Mail: added session close on smtp_greeting_delay violation.
A server MUST send greeting before other replies, while before this
change in case of smtp_greeting_delay violation the 220 greeting was
sent after several 503 replies to commands received before greeting,
resulting in protocol synchronization loss.  Moreover, further commands
were accepted after the greeting.

While closing a connection isn't strictly RFC compliant (RFC 5321
requires servers to wait for a QUIT before closing a connection), it's
probably good enough for practial uses.
2013-09-30 22:09:50 +04:00
Maxim Dounin
af897b7f03 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). 2013-09-27 19:39:33 +04:00
Maxim Dounin
4b2ead8871 FastCGI: non-buffered mode support. 2013-09-27 16:50:40 +04:00
Maxim Dounin
989a71377b Upstream: subrequest_in_memory support for SCGI and uwsgi enabled.
This was missed in 9d59a8eda373 when non-buffered support was added to SCGI
and uwsgi.
2013-09-27 16:50:34 +04:00
Maxim Dounin
c4b5a1fe5e Upstream: subrequest_in_memory fix.
With previous code only part of u->buffer might be emptied in case
of special responses, resulting in partial responses seen by SSI set
in case of simple protocols, or spurious errors like "upstream sent
invalid chunked response" in case of complex ones.
2013-09-27 16:50:26 +04:00
Maxim Dounin
239c4037ce Upstream: proxy_no_cache, fastcgi_no_cache warnings removed. 2013-09-27 16:50:13 +04:00
Piotr Sikora
43736b12de Proxy: added the "proxy_ssl_ciphers" directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-23 15:58:28 -07:00
Maxim Dounin
e11584164f Added ngx_filename_cmp() with "/" sorted to the left.
This patch fixes incorrect handling of auto redirect in configurations
like:

    location /0  { }
    location /a- { }
    location /a/ { proxy_pass ... }

With previously used sorting, this resulted in the following locations
tree (as "-" is less than "/"):

        "/a-"
    "/0"    "/a/"

and a request to "/a" didn't match "/a/" with auto_redirect, as it
didn't traverse relevant tree node during lookup (it tested "/a-",
then "/0", and then falled back to null location).

To preserve locale use for non-ASCII characters on case-insensetive
systems, libc's tolower() used.
2013-09-23 19:37:13 +04:00
Maxim Dounin
d2ef70e97a Caseless location tree construction (ticket #90).
Location tree was always constructed using case-sensitive comparison, even
on case-insensitive systems.  This resulted in incorrect operation if
uppercase letters were used in location directives.  Notably, the
following config:

    location /a { ... }
    location /B { ... }

failed to properly map requests to "/B" into "location /B".
2013-09-23 19:37:06 +04:00
Piotr Sikora
f52a2c7585 SSL: stop loading configs with invalid "ssl_ciphers" values.
While there, remove unnecessary check in ngx_mail_ssl_module.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-22 22:36:11 -07:00
Markus Linnala
35e2bb0efb Core: fix misallocation at ngx_crypt_apr1 (ticket #412).
Found by using auth_basic.t from mdounin nginx-tests under valgrind.

==10470== Invalid write of size 1
==10470==    at 0x43603D: ngx_crypt_to64 (ngx_crypt.c:168)
==10470==    by 0x43648E: ngx_crypt (ngx_crypt.c:153)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==    by 0x456A91: ngx_http_process_request_line (ngx_http_request.c:964)
==10470==    by 0x457097: ngx_http_wait_request_handler (ngx_http_request.c:486)
==10470==    by 0x4411EE: ngx_epoll_process_events (ngx_epoll_module.c:691)
==10470==  Address 0x5866fab is 0 bytes after a block of size 27 alloc'd
==10470==    at 0x4A074CD: malloc (vg_replace_malloc.c:236)
==10470==    by 0x43B251: ngx_alloc (ngx_alloc.c:22)
==10470==    by 0x421B0D: ngx_malloc (ngx_palloc.c:119)
==10470==    by 0x421B65: ngx_pnalloc (ngx_palloc.c:147)
==10470==    by 0x436368: ngx_crypt (ngx_crypt.c:140)
==10470==    by 0x489D8B: ngx_http_auth_basic_crypt_handler (ngx_http_auth_basic_module.c:297)
==10470==    by 0x48A24A: ngx_http_auth_basic_handler (ngx_http_auth_basic_module.c:240)
==10470==    by 0x44EAB9: ngx_http_core_access_phase (ngx_http_core_module.c:1121)
==10470==    by 0x44A822: ngx_http_core_run_phases (ngx_http_core_module.c:895)
==10470==    by 0x44A932: ngx_http_handler (ngx_http_core_module.c:878)
==10470==    by 0x455EEF: ngx_http_process_request (ngx_http_request.c:1852)
==10470==    by 0x456527: ngx_http_process_request_headers (ngx_http_request.c:1283)
==10470==
2013-09-20 17:57:21 +03:00
Andrei Belov
003b2cd720 Proxy: added the "proxy_ssl_protocols" directive. 2013-09-19 18:30:33 +04:00
Piotr Sikora
0a5124502d SSL: fixed possible memory and file descriptor leak on HUP signal.
The problem appeared in 386a06a22c40 (1.3.7).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-18 16:51:30 -07:00
Piotr Sikora
6e3746c273 MIME: added application/json MIME type.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-18 12:59:47 -07:00
Sergey Kandaurov
bff2b8d69f Fixed response line formatting with empty reason phrase.
As per RFC 2616 sec 6.1 the response status code is always followed by SP.
2013-09-18 18:53:26 +04:00
Sergey Kandaurov
63b1baa7f1 Version bump. 2013-09-18 18:53:24 +04:00
Maxim Dounin
ebefa15a5c release-1.5.5 tag 2013-09-17 17:31:00 +04:00
Maxim Dounin
f906f7e4f8 nginx-1.5.5-RELEASE 2013-09-17 17:31:00 +04:00
Piotr Sikora
29ea1273fe SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
This option had no effect since 0.9.7h / 0.9.8b and it was removed
in recent OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-16 14:24:38 -07:00
Valentin Bartenev
db1532944c Improved check for duplicate path names in ngx_add_path().
The same path names with different "data" context should not be allowed.

In particular it rejects configurations like this:

    proxy_cache_path /var/cache/ keys_zone=one:10m max_size=1g inactive=5m;
    proxy_cache_path /var/cache/ keys_zone=two:20m max_size=4m inactive=30s;
2013-09-16 18:49:23 +04:00
Valentin Bartenev
eb10d8f71e Removed surplus initializations from ngx_conf_set_path_slot().
An instance of ngx_path_t is already zeroed by ngx_pcalloc().
2013-09-16 18:49:22 +04:00
Valentin Bartenev
f0fbcaf098 Use ngx_pcalloc() in ngx_conf_merge_path_value().
It initializes the "data" pointer of ngx_path_t that will be checked after
subsequent changes.
2013-09-16 18:49:10 +04:00
Valentin Bartenev
a11050ea4e Use EPOLLRDHUP in ngx_http_test_reading() (ticket #320).
This allows to detect client connection close with pending data when
the ngx_http_test_reading() request event handler is set.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
096678ced4 Upstream: use EPOLLRDHUP to check broken connections (ticket #320).
This allows to detect client connection close with pending data on Linux
while processing upstream.
2013-09-16 18:33:39 +04:00
Valentin Bartenev
182a05b9d5 Events: support for EPOLLRDHUP (ticket #320).
Since Linux 2.6.17, epoll is able to report about peer half-closed connection
using special EPOLLRDHUP flag on a read event.
2013-07-12 14:51:07 +04:00
Valentin Bartenev
0f0502064d Events: removed unused flags from the ngx_event_s structure.
They are not used since 708f8bb772ec (pre 0.0.1).
2013-09-05 16:53:02 +04:00
Valentin Bartenev
cf08ba72db Fixed handling of the ready flag with kqueue.
There is nothing to do more when recv() has returned 0,
so we should drop the flag.
2013-09-05 16:53:02 +04:00
Valentin Bartenev
d034e63a11 Return reason phrase for 414.
After 62be77b0608f nginx can return this code.
2013-09-03 21:07:19 +04:00
Maxim Dounin
d33225db58 Upstream: fixed $upstream_response_time format specifiers. 2013-09-04 21:30:09 +04:00