Commit Graph

610 Commits

Author SHA1 Message Date
Ruslan Ermilov
769eded732 Resolver: implemented IPv6 name to address resolving. 2013-12-09 10:53:28 +04:00
Ruslan Ermilov
3aeefbcaea Changed resolver API to use ngx_addr_t. 2013-12-06 14:30:27 +04:00
Valentin Bartenev
2576530c51 Use ngx_chain_get_free_buf() in pipe input filters.
No functional changes.
2013-12-11 21:30:38 +04:00
Ruslan Ermilov
675e73e3bd Core: keep the length of the local sockaddr. 2013-12-09 10:14:51 +04:00
Maxim Dounin
067c1d2a4f SSL: fixed c->read->ready handling in ngx_ssl_recv().
If c->read->ready was reset, but later some data were read from a socket
buffer due to a call to ngx_ssl_recv(), the c->read->ready flag should
be restored if not all data were read from OpenSSL buffers (as kernel
won't notify us about the data anymore).

More details are available here:
http://mailman.nginx.org/pipermail/nginx/2013-November/041178.html
2013-11-29 17:16:06 +04:00
Piotr Sikora
79be6a5462 SSL: added ability to set keys used for Session Tickets (RFC5077).
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.

    ssl_session_ticket_key  session_tickets/current.key;
    ssl_session_ticket_key  session_tickets/prev-1h.key;
    ssl_session_ticket_key  session_tickets/prev-2h.key;

Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-10-11 16:05:24 -07:00
Maxim Dounin
a8ad0c02cc SSL: SSL_CTX_set_timeout() now always called.
The timeout set is used by OpenSSL as a hint for clients in TLS Session
Tickets.  Previous code resulted in a default timeout (5m) used for TLS
Sessions Tickets if there was no session cache configured.

Prodded by Piotr Sikora.
2013-10-14 13:59:35 +04:00
Maxim Dounin
87a607a031 SSL: fixed build with OpenSSL 0.9.7.
SSL_get_rbio() and SSL_get_wbio() functions used to get non-const pointer
in OpenSSL 0.9.7, hence an explicit cast added to drop const qualifier.
2013-10-14 13:44:09 +04:00
Sergey Kandaurov
cfb2b55e8d Unused macro and variable removed.
The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9).
The variable ngx_accept_mutex_lock_file was never used.
2013-10-02 11:51:04 +04:00
Maxim Dounin
af897b7f03 SSL: adjust buffer used by OpenSSL during handshake (ticket #413). 2013-09-27 19:39:33 +04:00
Piotr Sikora
0a5124502d SSL: fixed possible memory and file descriptor leak on HUP signal.
The problem appeared in 386a06a22c40 (1.3.7).

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-18 16:51:30 -07:00
Piotr Sikora
29ea1273fe SSL: guard use of SSL_OP_MSIE_SSLV2_RSA_PADDING.
This option had no effect since 0.9.7h / 0.9.8b and it was removed
in recent OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-09-16 14:24:38 -07:00
Valentin Bartenev
182a05b9d5 Events: support for EPOLLRDHUP (ticket #320).
Since Linux 2.6.17, epoll is able to report about peer half-closed connection
using special EPOLLRDHUP flag on a read event.
2013-07-12 14:51:07 +04:00
Valentin Bartenev
0f0502064d Events: removed unused flags from the ngx_event_s structure.
They are not used since 708f8bb772ec (pre 0.0.1).
2013-09-05 16:53:02 +04:00
Maxim Dounin
3d1e616d0b SSL: clear error queue after SSL_CTX_load_verify_locations().
The SSL_CTX_load_verify_locations() may leave errors in the error queue
while returning success (e.g. if there are duplicate certificates in the file
specified), resulting in "ignoring stale global SSL error" alerts later
at runtime.
2013-09-04 21:17:02 +04:00
Maxim Dounin
48d96ced6f Win32: MinGW GCC compatibility.
Several warnings silenced, notably (ngx_socket_t) -1 is now checked
on socket operations instead of -1, as ngx_socket_t is unsigned on win32
and gcc complains on comparison.

With this patch, it's now possible to compile nginx using mingw gcc,
with options we normally compile on win32.
2013-09-04 20:48:28 +04:00
Maxim Dounin
74b7a91013 Win32: Borland C compatibility fixes.
Several false positive warnings silenced, notably W8012 "Comparing
signed and unsigned" (due to u_short values promoted to int), and
W8072 "Suspicious pointer arithmetic" (due to large type values added
to pointers).

With this patch, it's now again possible to compile nginx using bcc32,
with options we normally compile on win32 minus ipv6 and ssl.
2013-09-04 20:48:23 +04:00
Valentin Bartenev
231ed198e1 Added the NGX_EBADF define. 2013-09-02 08:07:44 +04:00
Maxim Dounin
51f7761710 Typo fixed. 2013-08-28 02:34:30 +04:00
Maxim Dounin
e3cab76758 Backed out f1a91825730a and 7094bd12c1ff.
While ngx_get_full_name() might have a bit more descriptive arguments,
the ngx_conf_full_name() is generally easier to use when parsing
configuration and limits exposure of cycle->prefix / cycle->conf_prefix
details.
2013-08-20 21:11:19 +04:00
Sergey Kandaurov
e09741ba06 Format specifier fixes in error logging. 2013-08-20 20:47:16 +04:00
Valentin Bartenev
d29d21bade Replaced ngx_conf_full_name() with ngx_get_full_name().
The ngx_get_full_name() function takes more readable arguments list.
2013-08-06 19:58:40 +04:00
Maxim Dounin
be6fbbb47e Event pipe: fixed writing cache header to a temp file.
With previous code the p->temp_file->offset wasn't adjusted if a temp
file was written by the code in ngx_event_pipe_write_to_downstream()
after an EOF, resulting in cache not being used with empty scgi and uwsgi
responses with Content-Length set to 0.

Fix it to call ngx_event_pipe_write_chain_to_temp_file() there instead
of calling ngx_write_chain_to_temp_file() directly.
2013-07-25 14:55:09 +04:00
Vladimir Homutov
af18946d76 Core: extended ngx_sock_ntop() with socklen parameter.
On Linux, sockaddr length is required to process unix socket addresses properly
due to unnamed sockets (which don't have sun_path set at all) and abstract
namespace sockets.
2013-07-11 16:07:25 +04:00
Maxim Dounin
a80cb81604 Win32: accept_mutex now always disabled (ticket #362).
Use of accept mutex on win32 may result in a deadlock if there are multiple
worker_processes configured and the mutex is grabbed by a process which
can't accept connections.
2013-05-31 14:59:26 +04:00
Ruslan Ermilov
2342d86951 OCSP stapling: fixed incorrect debug level. 2013-05-31 13:30:37 +04:00
Piotr Sikora
407c831116 Style: replace SSL *ssl with ngx_ssl_conn_t *ssl_conn.
No functional changes.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-21 18:45:07 -07:00
Piotr Sikora
c3d20f52d0 Style: remove unnecessary references to HTTP from non-HTTP modules.
No functional changes.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-21 18:43:43 -07:00
Piotr Sikora
1b10a9adf8 OCSP stapling: fix error logging of successful OCSP responses.
Due to a bad argument list, nginx worker would crash (SIGSEGV) while
trying to log the fact that it received OCSP response with "revoked"
or "unknown" certificate status.

While there, fix similar (but non-crashing) error a few lines above.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2013-05-16 15:37:13 -07:00
Maxim Dounin
77d60d2cef Events: backout eventport changes (r5172) for now.
Evenport method needs more work.  Changes in r5172, while being correct,
introduce various new regressions with current code.
2013-04-16 12:58:03 +00:00
Valentin Bartenev
c798029241 Events: fixed typos in two previous commits. 2013-04-12 17:31:08 +00:00
Valentin Bartenev
c6aebf6c74 Events: handle only active events in eventport.
We generate both read and write events if an error event was returned by
port_getn() without POLLIN/POLLOUT, but we should not try to handle inactive
events, they may even have no handler.
2013-04-12 15:04:23 +00:00
Valentin Bartenev
ed9f87c901 Events: protection from stale events in eventport and devpoll.
Stale write event may happen if read and write events was reported both,
and processing of the read event closed descriptor.

In practice this might result in "sendfilev() failed (134: ..." or
"writev() failed (134: ..." errors when switching to next upstream server.

See report here:
http://mailman.nginx.org/pipermail/nginx/2013-April/038421.html
2013-04-12 15:02:33 +00:00
Maxim Dounin
3b9e7adcf4 Event connect: don't penalize AF_INET6 connections.
Problems with setsockopt(TCP_NODELAY) and setsockopt(TCP_NOPUSH), as well
as sendfile() syscall on Solaris, are specific to UNIX-domain sockets.
Other address families, i.e. AF_INET and AF_INET6, are fine.
2013-03-27 15:16:45 +00:00
Valentin Bartenev
bac0cb3bbd Status: introduced the "ngx_stat_waiting" counter.
And corresponding variable $connections_waiting was added.

Previously, waiting connections were counted as the difference between
active connections and the sum of reading and writing connections.
That made it impossible to count more than one request in one connection
as reading or writing (as is the case for SPDY).

Also, we no longer count connections in handshake state as waiting.
2013-03-15 20:00:49 +00:00
Maxim Dounin
890ee444ca SSL: retry "sess_id" and "id" allocations.
In case of fully populated SSL session cache with no memory left for
new allocations, ngx_ssl_new_session() will try to expire the oldest
non-expired session and retry, but only in case when slab allocation
fails for "cached_sess", not when slab allocation fails for either
"sess_id" or "id", which can happen for number of reasons and results
in new session not being cached.

Patch fixes this by adding retry logic to "sess_id" & "id" allocations.

Patch by Piotr Sikora.
2013-02-23 11:54:25 +00:00
Maxim Dounin
2887c06fde SSL: fixed ngx_ssl_handshake() with level-triggered event methods.
Missing calls to ngx_handle_write_event() and ngx_handle_read_event()
resulted in a CPU hog during SSL handshake if an level-triggered event
method (e.g. select) was used.
2013-02-01 14:37:43 +00:00
Valentin Bartenev
733e6d2ac6 SSL: take into account data in the buffer while limiting output.
In some rare cases this can result in a more smooth sending rate.
2013-01-28 15:41:12 +00:00
Valentin Bartenev
0f0fac70a1 SSL: avoid calling SSL_write() with zero data size.
According to documentation, calling SSL_write() with num=0 bytes to be sent
results in undefined behavior.

We don't currently call ngx_ssl_send_chain() with empty chain and buffer.
This check handles the case of a chain with total data size that is
a multiple of NGX_SSL_BUFSIZE, and with the special buffer at the end.

In practice such cases resulted in premature connection close and critical
error "SSL_write() failed (SSL:)" in the error log.
2013-01-28 15:40:25 +00:00
Valentin Bartenev
f98b1d2561 SSL: calculation of buffer size moved closer to its usage.
No functional changes.
2013-01-28 15:38:36 +00:00
Valentin Bartenev
0f62e193dc SSL: preservation of flush flag for buffered data.
Previously, if SSL buffer was not sent we lost information that the data
must be flushed.
2013-01-28 15:37:11 +00:00
Valentin Bartenev
c857dade60 SSL: resetting of flush flag after the data was written.
There is no need to flush next chunk of data if it does not contain a buffer
with the flush or last_buf flags set.
2013-01-28 15:35:12 +00:00
Valentin Bartenev
693ba0179e SSL: removed conditions that always hold true. 2013-01-28 15:34:09 +00:00
Ruslan Ermilov
33e934ccc8 Events: fixed null pointer dereference with resolver and poll.
A POLLERR signalled by poll() without POLLIN/POLLOUT, as seen on
Linux, would generate both read and write events, but there's no
write event handler for resolver events.  A fix is to only call
event handler of an active event.
2013-01-25 09:59:28 +00:00
Maxim Dounin
041449a3d3 SSL: speedup loading of configs with many ssl servers.
The patch saves one EC_KEY_generate_key() call per server{} block by
informing OpenSSL about SSL_OP_SINGLE_ECDH_USE we are going to use before
the SSL_CTX_set_tmp_ecdh() call.

For a configuration file with 10k simple server{} blocks with SSL enabled
this change reduces startup time from 18s to 5s on a slow test box here.
2013-01-09 14:11:48 +00:00
Valentin Bartenev
a6ea2f8f48 Events: added check for duplicate "events" directive. 2013-01-08 14:03:37 +00:00
Maxim Dounin
8e67fb4226 Event pipe: fixed handling of buf_to_file data.
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p->buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p->buf_to_file.

This fixes occasional cache file corruption, usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
2012-10-30 11:14:24 +00:00
Maxim Dounin
c846871ce1 SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
2012-10-03 15:24:08 +00:00
Maxim Dounin
7eea509776 OCSP stapling: build fixes.
With the "ssl_stapling_verify" commit build with old OpenSSL libraries
was broken due to incorrect prototype of the ngx_ssl_stapling() function.
One incorrect use of ngx_log_debug() instead of ngx_log_debug2() slipped in
and broke win32 build.
2012-10-01 13:54:13 +00:00
Maxim Dounin
bec2cc5286 OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
2012-10-01 12:53:11 +00:00