Commit Graph

5682 Commits

Author SHA1 Message Date
Roman Arutyunyan
be79f5cb16 Upstream: the "transparent" parameter of proxy_bind and friends.
This parameter lets binding the proxy connection to a non-local address.
Upstream will see the connection as coming from that address.
When used with $remote_addr, upstream will accept the connection from real
client address.

Example:

    proxy_bind $remote_addr transparent;
2015-12-18 19:05:27 +03:00
Roman Arutyunyan
77ec993fd7 Stream: prepared proxy_bind to accept parameters. 2016-04-13 15:42:47 +03:00
Roman Arutyunyan
f10bc5a763 Upstream: prepared proxy_bind to accept parameters.
In addition, errors occurred while setting bind address are no longer ignored.
2016-04-13 15:42:46 +03:00
Ruslan Ermilov
438b58f91f Removed some bitrot.
Removed NGX_CONF_MULTI unused since 1.3.4.
Removed ngx_url_t.one_addr unused since 1.3.10.
2016-04-26 18:26:43 +03:00
Ruslan Ermilov
9aca6d4d57 Version bump. 2016-04-26 18:26:18 +03:00
Maxim Dounin
693af240f5 release-1.9.15 tag 2016-04-19 19:02:37 +03:00
Maxim Dounin
7a719646fa nginx-1.9.15-RELEASE 2016-04-19 19:02:37 +03:00
Valentin Bartenev
22285687c9 HTTP/2: send the output queue after emitting WINDOW_UPDATE.
The WINDOW_UPDATE frame could be left in the output queue for an indefinite
period of time resulting in the request timeout.

This might happen if reading of the body was triggered by an event unrelated
to client connection, e.g. by the limit_req timer.
2016-04-19 17:38:49 +03:00
Valentin Bartenev
7458f66675 HTTP/2: skip data frames in case of internal errors.
This prevents possible processing of such frames and triggering
rb->post_handler if an error occurred during r->request_body
initialization.
2016-04-19 17:38:49 +03:00
Valentin Bartenev
f4df08b19d HTTP/2: don't send WINDOW_UPDATE for an empty request body.
Particularly this prevents sending WINDOW_UPDATE with zero delta
which can result in PROTOCOL_ERROR.

Also removed surplus setting of no_flow_control to 0.
2016-04-19 17:38:49 +03:00
Maxim Dounin
eeb72127cf Thread pools: memory barriers in task completion notifications.
The ngx_thread_pool_done object isn't volatile, and at least some
compilers assume that it is permitted to reorder modifications of
volatile and non-volatile objects.  Added appropriate ngx_memory_barrier()
calls to make sure all modifications will happen before the lock is released.

Reported by Mindaugas Rasiukevicius,
http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008160.html.
2016-04-19 17:18:28 +03:00
Maxim Dounin
eb38cbda2f HTTP/2: write logs when refusing streams with data.
Refusing streams is known to be incorrectly handled at least by IE, Edge
and Safari.  Make sure to provide appropriate logging to simplify fixing
this in the affected browsers.
2016-04-18 21:18:24 +03:00
Valentin Bartenev
7691b9750e HTTP/2: send WINDOW_UPDATE instead of RST_STREAM with NO_ERROR.
After the 92464ebace8e change, it has been discovered that not all
clients follow the RFC and handle RST_STREAM with NO_ERROR properly.

Notably, Chrome currently interprets it as INTERNAL_ERROR and discards
the response.

As a workaround, instead of RST_STREAM the maximum stream window update
will be sent, which will let client to send up to 2 GB of a request body
data before getting stuck on flow control.  All the received data will
be silently discarded.

See for details:
http://mailman.nginx.org/pipermail/nginx-devel/2016-April/008143.html
https://bugs.chromium.org/p/chromium/issues/detail?id=603182
2016-04-14 15:14:15 +03:00
Valentin Bartenev
536b5510d1 HTTP/2: refuse streams with data until SETTINGS is acknowledged.
A client is allowed to send requests before receiving and acknowledging
the SETTINGS frame.  Such a client having a wrong idea about the stream's
could send the request body that nginx isn't ready to process.

The previous behavior was to send RST_STREAM with FLOW_CONTROL_ERROR in
such case, but it didn't allow retrying requests that have been rejected.
2016-04-14 15:14:15 +03:00
Valentin Bartenev
60f0960ab6 HTTP/2: deduplicated some code in ngx_http_v2_state_headers().
No functional changes.
2016-04-14 15:14:15 +03:00
Valentin Bartenev
4c1b9fef65 FastCGI: skip special bufs in buffered request body chain.
This prevents forming empty records out of such buffers.  Particularly it fixes
double end-of-stream records with chunked transfer encoding, or when HTTP/2 is
used and the END_STREAM flag has been sent without data.  In both cases there
is an empty buffer at the end of the request body chain with the "last_buf"
flag set.

The canonical libfcgi, as well as php implementation, tolerates such records,
while the HHVM parser is more strict and drops the connection (ticket #950).
2016-04-11 18:42:34 +03:00
Ruslan Ermilov
400d42437c Fixed NGX_CONF_TAKE1/NGX_CONF_FLAG misuse (as in e444e8f6538b). 2016-04-12 19:01:56 +03:00
Alessandro Ghedini
35f05dd51f Fixed typos. 2016-04-11 16:47:11 +01:00
Ruslan Ermilov
37a3a2b2e8 Removed redundant "u" format specifier.
It is implied for "x" and "X".
2016-04-08 15:03:38 +03:00
Ruslan Ermilov
4d1f67fd91 Simplified ngx_unix_recv() and ngx_readv_chain().
This makes ngx_unix_recv() and ngx_udp_unix_recv() differ minimally.
2016-04-08 16:49:35 +03:00
Valentin Bartenev
dbabc66b68 Merged implementations of ngx_unix_recv().
There's no real need in two separate implementations,
with and without kqueue support.
2016-04-08 16:41:45 +03:00
Valentin Bartenev
900ef17c47 Fixed small inconsistency in handling EOF among receive functions.
Now all functions always drop the ready flag in this case.
2016-04-08 16:39:49 +03:00
Valentin Bartenev
8e7d8757c6 Merged implementations of ngx_udp_unix_recv().
There's no real need in two separate implementations,
with and without kqueue support.
2016-04-08 16:38:42 +03:00
Josh Soref
73d27510c0 Fixed spelling. 2016-04-07 11:50:13 +03:00
Ruslan Ermilov
2f9f3453f2 Version bump. 2016-04-07 19:09:42 +03:00
Maxim Dounin
cfdb370caf release-1.9.14 tag 2016-04-05 17:57:08 +03:00
Maxim Dounin
6a41502457 nginx-1.9.14-RELEASE 2016-04-05 17:57:08 +03:00
Maxim Dounin
5fd9cfa376 Compatibility with FreeBSD 2.2.9.
Added (RTLD_NOW | RTLD_GLOBAL) to dlopen() test.  There is no RTLD_GLOBAL
on FreeBSD 2.2.9.

Added uint32_t test, with fallback to u_int32_t, similar to uint64_t one.
Added fallback to u_int32_t in in_addr_t test.

With these changes it is now possible to compile nginx on FreeBSD 2.2.9
with only few minor warnings (assuming -Wno-error).
2016-04-01 16:38:31 +03:00
Maxim Dounin
cab0ac3d50 Configure: improved multiple types handling in auto/types/typedef. 2016-04-01 16:38:30 +03:00
Maxim Dounin
622d152b9f Configure: fixed autotest source code logging.
Fixed a regression introduced in rev. 434548349838 that prevented
auto/types/sizeof and auto/types/typedef properly reporting autotest
source code to autoconf.err in case of test failure.
2016-04-01 16:38:28 +03:00
Valentin Bartenev
74ee55ec1b HTTP/2: support for unbuffered upload of request body. 2016-04-01 15:57:10 +03:00
Valentin Bartenev
948eeca222 HTTP/2: rewritten handling of request body.
There are two improvements:

  1. Support for request body filters;

  2. Receiving of request body is started only after
     the ngx_http_read_client_request_body() call.

The last one fixes the problem when the client_max_body_size value might not be
respected from the right location if the location was changed either during the
process of receiving body or after the whole body had been received.
2016-04-01 15:56:03 +03:00
Valentin Bartenev
cedba685a1 HTTP/2: sending RST_STREAM with NO_ERROR to discard request body.
RFC 7540 states that "A server can send a complete response prior to the client
sending an entire request if the response does not depend on any portion of the
request that has not been sent and received.  When this is true, a server MAY
request that the client abort transmission of a request without error by sending
a RST_STREAM with an error code of NO_ERROR after sending a complete response
(i.e., a frame with the END_STREAM flag)."

This should prevent a client from blocking on the stream window, since it isn't
maintained for closed streams.  Currently, quite big initial stream windows are
used, so such blocking is very unlikly, but that will be changed in the further
patches.
2016-04-01 15:56:03 +03:00
Maxim Dounin
7cee215f15 Core: removed incorrect GCC 2.7 check.
It was broken since introduction (__GNU__ instead of __GNUC__) and did
nothing.  Moreover, GCC 2.7 is happy with the normal version of the code.

Reported by Joel Cunningham,
http://mailman.nginx.org/pipermail/nginx-devel/2016-March/007964.html.
2016-04-01 13:17:12 +03:00
Maxim Dounin
316d4aca71 Trailing space fix. 2016-04-01 04:17:00 +03:00
Maxim Dounin
2e251b1c34 SSL: SSLeay_version() is deprecated in OpenSSL 1.1.0.
SSLeay_version() and SSLeay() are no longer available if OPENSSL_API_COMPAT
is set to 0x10100000L.  Switched to using OpenSSL_version() instead.

Additionally, we now compare version strings instead of version numbers,
and this correctly works for LibreSSL as well.
2016-03-31 23:38:38 +03:00
Sergey Kandaurov
d8fbce1deb SSL: X509 was made opaque in OpenSSL 1.1.0.
To increment reference counters we now use newly introduced X509_up_ref()
function.
2016-03-31 23:38:37 +03:00
Sergey Kandaurov
66feb8c6f0 SSL: EVP_MD_CTX was made opaque in OpenSSL 1.1.0. 2016-03-31 23:38:36 +03:00
Maxim Dounin
8fc90404fb SSL: RSA_generate_key() is deprecated in OpenSSL 1.1.0.
OpenSSL removed support for all 40 and 56 bit ciphers.
2016-03-31 23:38:34 +03:00
Maxim Dounin
e6f04424af SSL: initialization changes for OpenSSL 1.1.0.
OPENSSL_config() deprecated in OpenSSL 1.1.0.  Additionally,
SSL_library_init(), SSL_load_error_strings() and OpenSSL_add_all_algorithms()
are no longer available if OPENSSL_API_COMPAT is set to 0x10100000L.

The OPENSSL_init_ssl() function is now used instead with appropriate
arguments to trigger the same behaviour.  The configure test changed to
use SSL_CTX_set_options().

Deinitialization now happens automatically in OPENSSL_cleanup() called
via atexit(3), so we no longer call EVP_cleanup() and ENGINE_cleanup()
directly.
2016-03-31 23:38:33 +03:00
Maxim Dounin
93c2749fae SSL: get_session callback changed in OpenSSL 1.1.0. 2016-03-31 23:38:32 +03:00
Maxim Dounin
0e83d6ac40 SSL: guarded error codes not present in OpenSSL 1.1.0. 2016-03-31 23:38:31 +03:00
Maxim Dounin
bad99ee004 SSL: reasonable version for LibreSSL.
LibreSSL defines OPENSSL_VERSION_NUMBER to 0x20000000L, but uses an old
API derived from OpenSSL at the time LibreSSL forked.  As a result, every
version check we use to test for new API elements in newer OpenSSL versions
requires an explicit check for LibreSSL.

To reduce clutter, redefine OPENSSL_VERSION_NUMBER to 0x1000107fL if
LibreSSL is used.  The same is done by FreeBSD port of LibreSSL.
2016-03-31 23:38:29 +03:00
Ruslan Ermilov
5afd74bed6 Removed the prototype mysql module. 2016-03-31 22:33:26 +03:00
Ruslan Ermilov
5ad6e01b46 Fixed ngx_os_signal_process() prototype. 2016-03-31 22:00:33 +03:00
Sergey Kandaurov
60a6551e1f Fixed ngx_pid_t formatting in ngx_sprintf() and logging. 2016-03-31 02:34:04 +03:00
Sergey Kandaurov
6a716c6123 Fixed format specifiers in ngx_sprintf(). 2016-03-31 02:34:00 +03:00
Sergey Kandaurov
00ef9ff5f0 Fixed logging. 2016-03-31 02:33:57 +03:00
Sergey Kandaurov
53fec2c414 Events: fixed logging. 2016-03-31 02:33:55 +03:00
Sergey Kandaurov
c622ff3b44 Fixed logging with variable field width. 2016-03-31 02:33:53 +03:00