Commit Graph

385 Commits

Author SHA1 Message Date
Maxim Dounin
c94c24b177 Fixed TCP_DEFER_ACCEPT handling (ticket #353).
Backed out 05a56ebb084a, as it turns out that kernel can return connections
without any delay if syncookies are used.  This basically means we can't
assume anything about connections returned with deferred accept set.

To solve original problem the 05a56ebb084a tried to solve, i.e. to don't
wait longer than needed if a connection was accepted after deferred accept
timeout, this patch changes a timeout set with setsockopt(TCP_DEFER_ACCEPT)
to 1 second, unconditionally.  This is believed to be enough for speed
improvements, and doesn't imply major changes to timeouts used.

Note that before 2.6.32 connections were dropped after a timeout.  Though
it is believed that 1s is still appropriate for kernels before 2.6.32,
as previously tcp_synack_retries controlled the actual timeout and 1s results
in more than 1 minute actual timeout by default.
2014-01-28 15:40:46 +04:00
Valentin Bartenev
a11050ea4e Use EPOLLRDHUP in ngx_http_test_reading() (ticket #320).
This allows to detect client connection close with pending data when
the ngx_http_test_reading() request event handler is set.
2013-09-16 18:33:39 +04:00
Maxim Dounin
4b189002af Request cleanup code unified, no functional changes.
Additionally, detaching a cleanup chain from a request is a bit more resilent
to various bugs if any.
2013-09-04 21:17:00 +04:00
Valentin Bartenev
3d7d48e52c Assume the HTTP/1.0 version by default.
It is believed to be better than fallback to HTTP/0.9, because most of
the clients at present time support HTTP/1.0.  It allows nginx to return
error response code for them in cases when it fail to parse request line,
and therefore fail to detect client protocol version.

Even if the client does not support HTTP/1.0, this assumption should not
cause any harm, since from the HTTP/0.9 point of view it still a valid
response.
2013-09-02 03:45:14 +04:00
Maxim Dounin
f52042498d Fixed ngx_http_test_reading() to finalize request properly.
Previous code called ngx_http_finalize_request() with rc = 0.  This is
ok if a response status was already set, but resulted in "000" being
logged if it wasn't.  In particular this happened with limit_req
if a connection was prematurely closed during limit_req delay.
2013-06-14 20:56:07 +04:00
Maxim Dounin
885861b683 Fixed lingering_time check.
There are two significant changes in this patch:

1) The <= 0 comparison is done with a signed type.  This fixes the case
   of ngx_time() being larger than r->lingering_time.

2) Calculation of r->lingering_time - ngx_time() is now always done
   in the ngx_msec_t type.  This ensures the calculation is correct
   even if time_t is unsigned and differs in size from ngx_msec_t.

Thanks to Lanshun Zhou.
2013-05-13 17:39:45 +04:00
Maxim Dounin
9cff79927a Fixed build with --with-mail_ssl_module.
If nginx was compiled without --with-http_ssl_module, but with some
other module which uses OpenSSL (e.g. --with-mail_ssl_module), insufficient
preprocessor check resulted in build failure.  The problem was introduced
by e0a3714a36f8 (1.3.14).

Reported by Roman Arutyunyan.
2013-05-11 18:49:30 +04:00
Valentin Bartenev
2686cb4452 Preliminary experimental support for SPDY draft 2. 2013-03-20 10:36:57 +00:00
Valentin Bartenev
fb6f8c4509 URI processing code moved to a separate function.
This allows to reuse it in the upcoming SPDY module.
2013-03-20 09:36:27 +00:00
Valentin Bartenev
23e692b58d Allow to reuse connections that wait their first request.
This should improve behavior under deficiency of connections.

Since SSL handshake usually takes significant amount of time,
we exclude connections from reusable queue during this period
to avoid premature flush of them.
2013-03-15 19:49:54 +00:00
Maxim Dounin
092355b2cc Fixed logging in ngx_http_wait_request_handler().
If c->recv() returns 0 there is no sense in using ngx_socket_errno for
logging, its value meaningless.  (The code in question was copied from
ngx_http_keepalive_handler(), but ngx_socket_errno makes sense there as it's
used as a part of ECONNRESET handling, and the c->recv() call is preceeded
by the ngx_set_socket_errno(0) call.)
2013-03-12 13:38:04 +00:00
Valentin Bartenev
bf23093e10 Refactored ngx_http_init_request().
Now it can be used as the request object factory with minimal impact on the
connection object.  Therefore it was renamed to ngx_http_create_request().
2013-03-07 18:14:27 +00:00
Valentin Bartenev
a32d3f8b6b Removed c->single_connection flag.
The c->single_connection was intended to be used as lock mechanism
to serialize modifications of request object from several threads
working with client and upstream connections.  The flag is redundant
since threads in nginx have never been used that way.
2013-03-07 18:07:16 +00:00
Valentin Bartenev
4815b3b2ee Respect the new behavior of TCP_DEFER_ACCEPT.
In Linux 2.6.32, TCP_DEFER_ACCEPT was changed to accept connections
after the deferring period is finished without any data available.
(Reading from the socket returns EAGAIN in this case.)

Since in nginx TCP_DEFER_ACCEPT is set to "post_accept_timeout", we
do not need to wait longer if deferred accept returns with no data.
2013-03-07 17:59:27 +00:00
Valentin Bartenev
3e5aaee828 Use "client_header_timeout" for all requests in a connection.
Previously, only the first request in a connection used timeout
value from the "client_header_timeout" directive while reading
header.  All subsequent requests used "keepalive_timeout" for
that.

It happened because timeout of the read event was set to the
value of "keepalive_timeout" in ngx_http_set_keepalive(), but
was not removed when the next request arrived.
2013-03-07 17:41:40 +00:00
Valentin Bartenev
a46a3ab68d Create request object only after the first byte was received.
Previously, we always created an object and logged 400 (Bad Request)
in access log if a client closed connection without sending any data.
Such a connection was counted as "reading".

Since it's common for modern browsers to behave like this, it's no
longer considered an error if a client closes connection without
sending any data, and such a connection will be counted as "waiting".

Now, we do not log 400 (Bad Request) and keep memory footprint as
small as possible.
2013-03-07 17:21:50 +00:00
Valentin Bartenev
fcf003c6f4 Allocate request object from its own pool.
Previously, it was allocated from a connection pool and
was selectively freed for an idle keepalive connection.

The goal is to put coupled things in one chunk of memory,
and to simplify handling of request objects.
2013-03-01 14:55:42 +00:00
Valentin Bartenev
b720f650bb SNI: added restriction on requesting host other than negotiated.
According to RFC 6066, client is not supposed to request a different server
name at the application layer.  Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request.  Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.

There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection.  Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.

An example of configuration that might not work as expected:

  server {
      listen 433 ssl default;
      return 404;
  }

  server {
      listen 433 ssl;
      server_name example.org;

      ssl_client_certificate org.cert;
      ssl_verify_client on;
  }

  server {
      listen 433 ssl;
      server_name example.com;

      ssl_client_certificate com.cert;
      ssl_verify_client on;
  }

Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.
2013-02-27 17:41:34 +00:00
Valentin Bartenev
6000f4ad6d SNI: reset to default server if requested host was not found.
Not only this is consistent with a case without SNI, but this also
prevents abusing configurations that assume that the $host variable
is limited to one of the configured names for a server.

An example of potentially unsafe configuration:

  server {
      listen 443 ssl default_server;
      ...
  }

  server {
      listen 443;
      server_name example.com;

      location / {
          proxy_pass http://$host;
      }
  }

Note: it is possible to negotiate "example.com" by SNI, and to request
arbitrary host name that does not exist in the configuration above.
2013-02-27 17:38:54 +00:00
Valentin Bartenev
f61612532c SNI: avoid surplus lookup of virtual server if SNI was used. 2013-02-27 17:33:59 +00:00
Valentin Bartenev
8c4fea1766 Apply server configuration as soon as host is known.
Previously, this was done only after the whole request header
was parsed, and if an error occurred earlier then the request
was processed in the default server (or server chosen by SNI),
while r->headers_in.server might be set to the value from the
Host: header or host from request line.

r->headers_in.server is in turn used for $host variable and
in HTTP redirects if "server_name_in_redirect" is disabled.
Without the change, configurations that rely on this during
error handling are potentially unsafe if SNI is used.

This change also allows to use server specific settings of
"underscores_in_headers", "ignore_invalid_headers", and
"large_client_header_buffers" directives for HTTP requests
and HTTPS requests without SNI.
2013-02-27 17:27:15 +00:00
Valentin Bartenev
d281d0ba8b SSL: do not treat SSL handshake as request.
The request object will not be created until SSL handshake is complete.
This simplifies adding another connection handler that does not need
request object right after handshake (e.g., SPDY).

There are also a few more intentional effects:

 - the "client_header_buffer_size" directive will be taken from the
   server configuration that was negotiated by SNI;

 - SSL handshake errors and timeouts are not logged into access log
   as bad requests;

 - ngx_ssl_create_connection() is not called until the first byte of
   ClientHello message was received.  This also decreases memory
   consumption if plain HTTP request is sent to SSL socket.
2013-02-27 17:21:21 +00:00
Valentin Bartenev
167aabf2b3 Status: do not count connection as reading right after accept().
Before we receive the first bytes, the connection is counted
as waiting.

This change simplifies further code changes.
2013-02-27 17:16:51 +00:00
Valentin Bartenev
64932a9714 SNI: reuse selected configuration for all requests in a connection.
Previously, only the first request in a connection was assigned the
configuration selected by SNI.  All subsequent requests initially
used the default server's configuration, ignoring SNI, which was
wrong.

Now all subsequent requests in a connection will initially use the
configuration selected by SNI.  This is done by storing a pointer
to configuration in http connection object.  It points to default
server's configuration initially, but changed upon receipt of SNI.

(The request's configuration can be further refined when parsing
the request line and Host: header.)

This change was not made specific to SNI as it also allows slightly
faster access to configuration without the request object.
2013-02-27 17:12:48 +00:00
Valentin Bartenev
e1d8158b5e SNI: ignore captures in server_name regexes when matching by SNI.
This change helps to decouple ngx_http_ssl_servername() from the request
object.

Note: now we close connection in case of error during server name lookup
for request.  Previously, we did so only for HTTP/0.9 requests.
2013-02-27 17:06:52 +00:00
Valentin Bartenev
8ca4dff8c8 Changed interface of ngx_http_validate_host(). 2013-02-27 17:03:14 +00:00
Valentin Bartenev
b314102ff1 Introduced the ngx_http_set_connection_log() macro.
No functional changes.
2013-02-27 16:56:47 +00:00
Valentin Bartenev
508afb8cf5 The default server lookup is now done only once per connection.
Previously, it was done for every request in a connection.
2013-02-27 16:53:01 +00:00
Ruslan Ermilov
67a68720b7 Correctly handle multiple X-Forwarded-For headers (ticket #106). 2013-02-27 13:29:50 +00:00
Valentin Bartenev
f1d5d03eee Fixed potential segfault in ngx_http_keepalive_handler().
In case of error in the read event handling we close a connection
by calling ngx_http_close_connection(), that also destroys connection
pool. Thereafter, an attempt to free a buffer (added in r4892) that
was allocated from the pool could cause SIGSEGV and is meaningless
as well (the buffer already freed with the pool).
2013-02-23 13:23:48 +00:00
Maxim Dounin
08a73b4aad Proxy: support for connection upgrade (101 Switching Protocols).
This allows to proxy WebSockets by using configuration like this:

    location /chat/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

Connection upgrade is allowed as long as it was requested by a client
via the Upgrade request header.
2013-02-18 13:50:52 +00:00
Maxim Dounin
5fc85439d0 Request body: chunked transfer encoding support. 2012-11-21 01:08:11 +00:00
Valentin Bartenev
09dca40b33 ngx_http_keepalive_handler() is now trying to not keep c->buffer's memory for
idle connections.

This behaviour is consistent with the ngx_http_set_keepalive() function and it
should decrease memory usage in some cases (especially if epoll/rtsig is used).
2012-10-23 14:36:18 +00:00
Maxim Dounin
c846871ce1 SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
2012-10-03 15:24:08 +00:00
Valentin Bartenev
9c8f3d86b4 ngx_http_find_virtual_server() should return NGX_DECLINED if virtual server not
found.
2012-07-30 11:42:03 +00:00
Maxim Dounin
13eb6898aa Entity tags: basic support in not modified filter.
This includes handling of ETag headers (if present in a response) with
basic support for If-Match, If-None-Match conditionals in not modified
filter.

Note that the "r->headers_out.last_modified_time == -1" check in the not
modified filter is left as is intentionally.  It's to prevent handling
of If-* headers in case of proxy without cache (much like currently
done with If-Modified-Since).
2012-07-07 21:20:27 +00:00
Andrey Belov
3d87bcf9ae Corrected $request_length calculation for pipelined requests. 2012-07-06 04:27:06 +00:00
Ruslan Ermilov
42444811b9 Fixed compile-time conditionals used to detect if X-Forwarded-For support
is needed.
2012-06-21 11:02:22 +00:00
Maxim Dounin
0d7720ddc0 Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".

For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
2012-06-05 13:38:27 +00:00
Maxim Dounin
d2143f11cb Fixed segfault with filter_finalize introduced in r4621 (1.3.0).
Example configuration to reproduce:

    location /image/ {
        error_page 415 = /zero;
        image_filter crop 100 100;
        proxy_pass http://127.0.0.1:8080;
        proxy_store on;
    }

    location /zero {
        return 204;
    }

The problem appeared if upstream returned (big enough) non-image file,
causing 415 to be generated by image filter.
2012-05-17 17:41:40 +00:00
Maxim Dounin
e302ed6fc3 Fixed possible request hang with filter finalization.
With r->filter_finalize set the ngx_http_finalize_connection() wasn't
called from ngx_http_finalize_request() called with NGX_OK, resulting in
r->main->count not being decremented, thus causing request hang in some
rare situations.

See here for more details:
http://mailman.nginx.org/pipermail/nginx-devel/2012-May/002190.html

Patch by Yichun Zhang (agentzh).
2012-05-14 09:48:05 +00:00
Valentin Bartenev
a0025f2d81 Removed surplus condition. 2012-04-27 10:48:42 +00:00
Maxim Dounin
9e2f86cfc0 Fixed log->action after ssl handshake. 2012-04-16 13:05:20 +00:00
Ruslan Ermilov
43d2b1c045 Fixed grammar in error messages. 2012-04-12 19:35:41 +00:00
Maxim Dounin
ae11f08cad Restricted keepalive_disable safari to OS X only.
The problem doesn't affect non-Apple systems for sure, and many pretend
to be Safari now.

Prodded by Piotr Sikora.
2012-03-22 10:42:27 +00:00
Maxim Dounin
7dff998495 Core: protection from cycles with named locations and post_action.
Now redirects to named locations are counted against normal uri changes
limit, and post_action respects this limit as well.  As a result at least
the following (bad) configurations no longer trigger infinite cycles:

1. Post action which recursively triggers post action:

    location / {
        post_action /index.html;
    }

2. Post action pointing to nonexistent named location:

    location / {
        post_action @nonexistent;
    }

3. Recursive error page for 500 (Internal Server Error) pointing to
   a nonexistent named location:

    location / {
        recursive_error_pages on;
        error_page 500 @nonexistent;
        return 500;
    }
2012-02-13 15:35:48 +00:00
Maxim Dounin
1b0ad6ee72 Core: protection from subrequest loops.
Without the protection, subrequest loop results in r->count overflow and
SIGSEGV.  Protection was broken in 0.7.25.

Note that this also limits number of parallel subrequests.  This
wasn't exactly the case before 0.7.25 as local subrequests were
completed directly.

See here for details:
http://nginx.org/pipermail/nginx-ru/2010-February/032184.html
2012-02-13 15:33:08 +00:00
Maxim Konovalov
f8d59e33f3 Copyright updated. 2012-01-18 15:07:43 +00:00
Valentin Bartenev
1373558163 Added support for IP-literal in the Host header and request line (ticket #1).
Additional parsing logic added to correctly handle RFC 3986 compliant IPv6 and
IPvFuture characters enclosed in square brackets.

The host validation was completely rewritten. The behavior for non IP literals
was changed in a more proper and safer way:

 - Host part is now delimited either by the first colon or by the end of string
   if there's no colon. Previously the last colon was used as delimiter which
   allowed substitution of a port number in the $host variable.
   (e.g. Host: 127.0.0.1:9000:80)

 - Fixed stripping of the ending dot in the Host header when the host was also
   followed by a port number.
   (e.g. Host: nginx.com.:80)

 - Fixed upper case characters detection. Previously it was broken which led to
   wasting memory and CPU.
2011-11-28 09:15:33 +00:00
Maxim Dounin
0560ae55bc Fixed segfault on ssl servers without cert with SNI (ticket #54).
Non-default servers may not have ssl context created if there are no
certificate defined.  Make sure to check if ssl context present before
using it.
2011-11-22 16:27:45 +00:00