Commit Graph

353 Commits

Author SHA1 Message Date
Valentin Bartenev
09dca40b33 ngx_http_keepalive_handler() is now trying to not keep c->buffer's memory for
idle connections.

This behaviour is consistent with the ngx_http_set_keepalive() function and it
should decrease memory usage in some cases (especially if epoll/rtsig is used).
2012-10-23 14:36:18 +00:00
Maxim Dounin
c846871ce1 SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows not requiring the certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
2012-10-03 15:24:08 +00:00
Valentin Bartenev
9c8f3d86b4 ngx_http_find_virtual_server() should return NGX_DECLINED if virtual server not
found.
2012-07-30 11:42:03 +00:00
Maxim Dounin
13eb6898aa Entity tags: basic support in not modified filter.
This includes handling of ETag headers (if present in a response) with
basic support for If-Match, If-None-Match conditionals in not modified
filter.

Note that the "r->headers_out.last_modified_time == -1" check in the not
modified filter is left as is intentionally.  It's to prevent handling
of If-* headers in case of proxy without cache (much like currently
done with If-Modified-Since).
2012-07-07 21:20:27 +00:00
Andrey Belov
3d87bcf9ae Corrected $request_length calculation for pipelined requests. 2012-07-06 04:27:06 +00:00
Ruslan Ermilov
42444811b9 Fixed compile-time conditionals used to detect if X-Forwarded-For support
is needed.
2012-06-21 11:02:22 +00:00
Maxim Dounin
0d7720ddc0 Win32: uris with ":$" are now rejected.
There are too many problems with special NTFS streams, notably "::$data",
"::$index_allocation" and ":$i30:$index_allocation".

For now we don't reject all URIs with ":" like Apache does as there are no
good reasons seen yet, and there are multiple programs using it in URLs
(e.g. MediaWiki).
2012-06-05 13:38:27 +00:00
Maxim Dounin
d2143f11cb Fixed segfault with filter_finalize introduced in r4621 (1.3.0).
Example configuration to reproduce:

    location /image/ {
        error_page 415 = /zero;
        image_filter crop 100 100;
        proxy_pass http://127.0.0.1:8080;
        proxy_store on;
    }

    location /zero {
        return 204;
    }

The problem appeared if upstream returned (big enough) non-image file,
causing 415 to be generated by image filter.
2012-05-17 17:41:40 +00:00
Maxim Dounin
e302ed6fc3 Fixed possible request hang with filter finalization.
With r->filter_finalize set the ngx_http_finalize_connection() wasn't
called from ngx_http_finalize_request() called with NGX_OK, resulting in
r->main->count not being decremented, thus causing request hang in some
rare situations.

See here for more details:
http://mailman.nginx.org/pipermail/nginx-devel/2012-May/002190.html

Patch by Yichun Zhang (agentzh).
2012-05-14 09:48:05 +00:00
Valentin Bartenev
a0025f2d81 Removed surplus condition. 2012-04-27 10:48:42 +00:00
Maxim Dounin
9e2f86cfc0 Fixed log->action after ssl handshake. 2012-04-16 13:05:20 +00:00
Ruslan Ermilov
43d2b1c045 Fixed grammar in error messages. 2012-04-12 19:35:41 +00:00
Maxim Dounin
ae11f08cad Restricted keepalive_disable safari to OS X only.
The problem doesn't affect non-Apple systems for sure, and many pretend
to be Safari now.

Prodded by Piotr Sikora.
2012-03-22 10:42:27 +00:00
Maxim Dounin
7dff998495 Core: protection from cycles with named locations and post_action.
Now redirects to named locations are counted against normal uri changes
limit, and post_action respects this limit as well.  As a result at least
the following (bad) configurations no longer trigger infinite cycles:

1. Post action which recursively triggers post action:

    location / {
        post_action /index.html;
    }

2. Post action pointing to nonexistent named location:

    location / {
        post_action @nonexistent;
    }

3. Recursive error page for 500 (Internal Server Error) pointing to
   a nonexistent named location:

    location / {
        recursive_error_pages on;
        error_page 500 @nonexistent;
        return 500;
    }
2012-02-13 15:35:48 +00:00
Maxim Dounin
1b0ad6ee72 Core: protection from subrequest loops.
Without the protection, subrequest loop results in r->count overflow and
SIGSEGV.  Protection was broken in 0.7.25.

Note that this also limits number of parallel subrequests.  This
wasn't exactly the case before 0.7.25 as local subrequests were
completed directly.

See here for details:
http://nginx.org/pipermail/nginx-ru/2010-February/032184.html
2012-02-13 15:33:08 +00:00
Maxim Konovalov
f8d59e33f3 Copyright updated. 2012-01-18 15:07:43 +00:00
Valentin Bartenev
1373558163 Added support for IP-literal in the Host header and request line (ticket #1).
Additional parsing logic added to correctly handle RFC 3986 compliant IPv6 and
IPvFuture characters enclosed in square brackets.

The host validation was completely rewritten. The behavior for non IP literals
was changed in a more proper and safer way:

 - Host part is now delimited either by the first colon or by the end of string
   if there's no colon. Previously the last colon was used as delimiter which
   allowed substitution of a port number in the $host variable.
   (e.g. Host: 127.0.0.1:9000:80)

 - Fixed stripping of the ending dot in the Host header when the host was also
   followed by a port number.
   (e.g. Host: nginx.com.:80)

 - Fixed upper case characters detection. Previously it was broken which led to
   wasting memory and CPU.
2011-11-28 09:15:33 +00:00
Maxim Dounin
0560ae55bc Fixed segfault on ssl servers without cert with SNI (ticket #54).
Non-default servers may not have ssl context created if there is no
certificate defined.  Make sure to check if ssl context is present before
using it.
2011-11-22 16:27:45 +00:00
Maxim Dounin
0f5f4cb180 Fix for socket leak with "aio sendfile" and "limit_rate".
Second aio post happened when timer set by limit_rate expired while we have
aio request in flight, resulting in "second aio post" alert and socket leak.

The patch adds actual protection from aio calls with r->aio already set to
aio sendfile code in ngx_http_copy_filter().  This should fix other cases
as well, e.g. when sending buffered to disk upstream replies while still
talking to upstream.

The ngx_http_writer() is also fixed to handle the above case (though it's
mostly optimization now).

Reported by Oleksandr V. Typlyns'kyi.
2011-10-11 18:00:23 +00:00
Maxim Dounin
b7af402cc4 Fix for connection drops with AIO.
Connections serving content with AIO to fast clients were dropped with
"client timed out" messages after send_timeout from response start.
2011-10-11 17:58:51 +00:00
Maxim Dounin
fbc51e4c44 Better handling of various per-server ssl options with SNI.
SSL_set_SSL_CTX() doesn't touch values cached within ssl connection
structure, it only changes certificates (at least as of now, OpenSSL
1.0.0d and earlier).

As a result settings like ssl_verify_client, ssl_verify_depth,
ssl_prefer_server_ciphers are only configurable on per-socket basis while
with SNI it should be possible to specify them differently for two servers
listening on the same socket.

Workaround is to explicitly re-apply settings we care about from context
to ssl connection in servername callback.

Note that SSL_clear_options() is only available in OpenSSL 0.9.8m+.  I.e.
with older versions it is not possible to clear ssl_prefer_server_ciphers
option if it's set in default server for a socket.
2011-08-23 14:36:31 +00:00
Igor Sysoev
21fd22d089 always set timer in discard body handler, this fixes the cases
when request for static file is redirected by error_page to an SSI page

patch by Maxim Dounin
2011-08-01 13:52:54 +00:00
Igor Sysoev
2505587b4d lingering_close "off|on|always"
patch by Maxim Dounin
2011-08-01 13:26:55 +00:00
Igor Sysoev
41c8a1d27f do not send RST on normal lingering close read timeout,
if reset_timedout_connection is on

patch by Maxim Dounin
2011-08-01 13:08:03 +00:00
Igor Sysoev
2f3668b59b enable lingering close for pipelined requests
patch by Maxim Dounin
2011-08-01 11:08:57 +00:00
Igor Sysoev
6652cc5962 Accept-Encoding refactoring: remove ancient MSIE 4.x test for gzip 2011-07-30 06:20:06 +00:00
Igor Sysoev
4956ac5108 reuse keepalive connections if there are no free worker connections
patch by Maxim Dounin
2011-04-04 12:26:53 +00:00
Igor Sysoev
26cf2c96ea introduce 494 code "Request Header Too Large" 2011-01-20 10:37:58 +00:00
Igor Sysoev
ec4df838c8 "If-Unmodified-Since" support 2010-12-06 11:11:05 +00:00
Igor Sysoev
a5ee005a27 fix recognition of SSLv2 Client Hello Packet larger than 255 bytes 2010-07-05 13:35:20 +00:00
Igor Sysoev
da7b5e15de allow spaces in URI 2010-06-15 09:31:19 +00:00
Igor Sysoev
04e1156d2e test default NTFS stream "::$DATA" 2010-06-04 15:37:49 +00:00
Igor Sysoev
8164f329fe disable keepalive for Safari:
https://bugs.webkit.org/show_bug.cgi?id=5760
2010-02-01 12:01:01 +00:00
Igor Sysoev
77860d74a5 skip URI trailing spaces under Win32 2010-01-28 14:09:28 +00:00
Igor Sysoev
918ef947da Fix segfault when while discarding body a write event handler is called,
runs ngx_http_core_run_phases(), and starts a request processing again.
The write event has clear type and remained in a keepalive connection.
The bug was introduced in r3050.
2010-01-28 08:33:24 +00:00
Igor Sysoev
c05f20ec2e regex named captures 2009-11-16 12:19:02 +00:00
Igor Sysoev
bdc154bb73 r->chrome 2009-11-12 14:23:18 +00:00
Igor Sysoev
51aa6dec4d fix segfault if there is single large_client_header_buffers
and a request line fills it completely
2009-11-03 18:12:20 +00:00
Igor Sysoev
663e957957 do not run regex for empty host name since regex always fails in this case,
the bug had been introduced in r2196
2009-10-22 09:48:42 +00:00
Igor Sysoev
cd8b43cde7 rename core_srv_conf fields to more understandable default_server and server 2009-10-21 16:52:10 +00:00
Igor Sysoev
2a634f5342 fix r3218:
Initially building lists of ports, addresses, and server names had been
placed at final configuration stage, because complete set of the "listen"s
and the "server_names" were required for this operation. r3218 broke it,
because the "listen"s go usually first in configuration, and
cscf->server_names is empty at this stage, therefore no virtual names
were configured.

Now server configurations are stored in array for each address:port
to configure virtual names. Also regex captures flag is moved from
server names to core server configuration.
2009-10-21 16:27:48 +00:00
Igor Sysoev
e418e0661c fix two previous commits: an early parallel body discarding completion
disables incomplete ngx_http_writer()
2009-10-20 11:48:28 +00:00
Igor Sysoev
9a1f0ac730 allow discarding body during a long response transfer 2009-10-19 16:13:38 +00:00
Igor Sysoev
801a35df3c restore discard body handler after ngx_http_set_writer() set it to
ngx_http_test_reading(), the bug was introduced in r3050
2009-10-19 16:12:13 +00:00
Igor Sysoev
2495c4d50b add lingering timeout if a response is short and a request body is being
discarded, the bug was introduced in r3050
2009-10-19 14:08:09 +00:00
Igor Sysoev
2d24d749e4 clear r->keepalive to disable preventively calling
ngx_http_set_keepalive() during request cleanup
2009-10-02 11:30:47 +00:00
Igor Sysoev
689064b91a log 499 instead of 0, the bug was introduced in r3050 2009-09-30 12:05:08 +00:00
Igor Sysoev
f63a48ce7e update the previous commit: use ngx_strlow() 2009-09-24 13:23:25 +00:00
Igor Sysoev
6749e92938 $host is always in lower case:
*) move lower case conversion from ngx_http_find_virtual_server()
   to ngx_http_validate_host()
*) add in ngx_http_validate_host() capability to copy host name in the pool
   allocated memory
2009-09-24 13:15:50 +00:00
Igor Sysoev
7386cf58a7 fix request counter for post_action, the bug was introduced in r3050 2009-09-21 18:34:22 +00:00