Commit Graph

730 Commits

Author SHA1 Message Date
Roman Arutyunyan
a168b810e2 Stream: ngx_stream_pass_module.
The module allows to pass connections from Stream to other modules such as HTTP
or Mail, as well as back to Stream.  Previously, this was only possible with
proxying.  Connections with preread buffer read out from socket cannot be
passed.

The module allows selective SSL termination based on SNI.

    stream {
        server {
            listen 8000 default_server;
            ssl_preread on;
            ...
        }

        server {
            listen 8000;
            server_name foo.example.com;
            pass 127.0.0.1:8001; # to HTTP
        }

        server {
            listen 8000;
            server_name bar.example.com;
            ...
        }
    }

    http {
        server {
            listen 8001 ssl;
            ...

            location / {
                root html;
            }
        }
    }
2024-02-21 17:36:02 +04:00
Maxim Dounin
bdea5b703f SSL: avoid using OpenSSL config in build directory (ticket #2404).
With this change, the NGX_OPENSSL_NO_CONFIG macro is defined when nginx
is asked to build OpenSSL itself.  And with this macro automatic loading
of OpenSSL configuration (from the build directory) is prevented unless
the OPENSSL_CONF environment variable is explicitly set.

Note that not loading configuration is broken in OpenSSL 1.1.1 and 1.1.1a
(fixed in OpenSSL 1.1.1b, see https://github.com/openssl/openssl/issues/7350).
If nginx is used to compile these OpenSSL versions, configuring nginx with
NGX_OPENSSL_NO_CONFIG explicitly set to 0 might be used as a workaround.
2023-06-21 01:29:53 +03:00
Sergey Kandaurov
6915d2fb2e HTTP/2: removed server push (ticket #2432).
Although it has better implementation status than HTTP/3 server push,
it remains of limited use, with adoption numbers seen as negligible.
Per IETF 102 materials, server push was used only in 0.04% of sessions.
It was considered to be "difficult to use effectively" in RFC 9113.
Its use is further limited by badly matching to fetch/cache/connection
models in browsers, see related discussions linked from [1].

Server push was disabled in Chrome 106 [2].

The http2_push, http2_push_preload, and http2_max_concurrent_pushes
directives are made obsolete.  In particular, this essentially reverts
7201:641306096f5b and 7207:3d2b0b02bd3d.

[1] https://jakearchibald.com/2017/h2-push-tougher-than-i-thought/
[2] https://chromestatus.com/feature/6302414934114304
2023-06-08 16:56:46 +04:00
Roman Arutyunyan
779bfcff5f Stream: removed QUIC support. 2023-05-14 12:05:35 +04:00
Roman Arutyunyan
1465a34067 QUIC: disabled datagram fragmentation.
As per RFC 9000, Section 14:

  UDP datagrams MUST NOT be fragmented at the IP layer.
2023-05-06 16:23:27 +04:00
Sergey Kandaurov
e8fbc96747 Merged with the default branch. 2023-03-29 11:14:25 +04:00
Maxim Dounin
dad6ec3aa6 Win32: OpenSSL compilation for x64 targets with MSVC.
To ensure proper target selection the NGX_MACHINE variable is now set
based on the MSVC compiler output, and the OpenSSL target is set based
on it.

This is not important as long as "no-asm" is used (as in misc/GNUmakefile
and win32 build instructions), but might be beneficial if someone is trying
to build OpenSSL with assembler code.
2023-02-23 18:16:08 +03:00
Maxim Dounin
62b790c331 Win32: i386 now assumed when crossbuilding (ticket #2416).
Previously, NGX_MACHINE was not set when crossbuilding, resulting in
NGX_ALIGNMENT=16 being used in 32-bit builds (if not explicitly set to a
correct value).  This in turn might result in memory corruption in
ngx_palloc() (as there are no usable aligned allocator on Windows, and
normal malloc() is used instead, which provides 8 byte alignment on
32-bit platforms).

To fix this, now i386 machine is set when crossbuilding, so nginx won't
assume strict alignment requirements.
2023-02-23 18:15:59 +03:00
Maxim Dounin
180be97d31 Win32: handling of localized MSVC cl output.
Output examples in English, Russian, and Spanish:

Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
Оптимизирующий 32-разрядный компилятор Microsoft (R) C/C++ версии 16.00.30319.01 для 80x86
Compilador de optimización de C/C++ de Microsoft (R) versión 16.00.30319.01 para x64

Since most of the words are translated, instead of looking for the words
"Compiler Version" we now search for "C/C++" and the version number.
2023-02-23 18:15:57 +03:00
Maxim Dounin
504ca56686 Win32: removed unneeded wildcard in NGX_CC_NAME test for msvc.
Wildcards for msvc in NGX_CC_NAME tests are not needed since 78f8ac479735.
2023-02-23 18:15:53 +03:00
Roman Arutyunyan
a36ebf7e95 QUIC: OpenSSL compatibility layer.
The change allows to compile QUIC with OpenSSL which lacks BoringSSL QUIC API.

This implementation does not support 0-RTT.
2023-02-22 19:16:53 +04:00
Maxim Dounin
c3edcc17b6 QUIC: improved SO_COOKIE configure test.
In nginx source code the inttypes.h include, if available, is used to define
standard integer types.  Changed the SO_COOKIE configure test to follow this.
2023-01-24 02:57:42 +03:00
Maxim Dounin
ee00085f5c Configure: removed unneeded header from UDP_SEGMENT test. 2023-01-23 05:01:01 +03:00
Maxim Dounin
fb0890aee6 Win32: disabled threads support in OpenSSL builds.
Threads are disabled during UNIX builds (see b329c0ab1a48), and also not
needed for Windows builds.

This used to be the default before OpenSSL 1.1.0.
2022-09-07 00:47:31 +03:00
Sergey Kandaurov
3123fac3e7 Merged with the default branch. 2022-10-20 16:41:36 +04:00
Sergey Kandaurov
c64e2ec1e9 Merged with the default branch. 2022-06-22 18:34:58 +04:00
Sergey Kandaurov
2cb5bdf665 Configure: recognize arm64 machine name as a synonym for aarch64.
In particular, this sets a reasonable cacheline size on FreeBSD and macOS,
which prefer to use this name and both lack _SC_LEVEL1_DCACHE_LINESIZE.
2022-04-29 17:38:01 +04:00
Roman Arutyunyan
9d81ef744c QUIC: separate UDP framework for QUIC.
Previously, QUIC used the existing UDP framework, which was created for UDP in
Stream.  However the way QUIC connections are created and looked up is different
from the way UDP connections in Stream are created and looked up.  Now these
two implementations are decoupled.
2022-04-20 16:01:17 +04:00
Sergey Kandaurov
a767450093 Merged with the default branch. 2022-02-14 10:14:07 +03:00
Vladimir Homutov
05577c18a8 Core: added autotest for UDP segmentation offloading. 2022-01-26 20:40:00 +03:00
Vladimir Homutov
f780297bcf Core: the ngx_event_udp.h header file. 2022-01-25 15:41:48 +03:00
Sergey Kandaurov
f3363a8dbe Merged with the default branch. 2021-12-29 15:17:26 +03:00
Maxim Dounin
20c35434ef Simplified sendfile(SF_NODISKIO) usage.
Starting with FreeBSD 11, there is no need to use AIO operations to preload
data into cache for sendfile(SF_NODISKIO) to work.  Instead, sendfile()
handles non-blocking loading data from disk by itself.  It still can, however,
return EBUSY if a page is already being loaded (for example, by a different
process).  If this happens, we now post an event for the next event loop
iteration, so sendfile() is retried "after a short period", as manpage
recommends.

The limit of the number of EBUSY tolerated without any progress is preserved,
but now it does not result in an alert, since on an idle system event loop
iteration might be very short and EBUSY can happen many times in a row.
Instead, SF_NODISKIO is simply disabled for one call once the limit is
reached.

With this change, sendfile(SF_NODISKIO) is now used automatically as long as
sendfile() is enabled, and no longer requires "aio on;".
2021-12-27 19:48:33 +03:00
Maxim Dounin
c6fec0b027 PCRE2 library support.
The PCRE2 library is now used by default if found, instead of the
original PCRE library.  If needed for some reason, this can be disabled
with the --without-pcre2 configure option.

To make it possible to specify paths to the library and include files
via --with-cc-opt / --with-ld-opt, the library is first tested without
any additional paths and options.  If this fails, the pcre2-config script
is used.

Similarly to the original PCRE library, it is now possible to build PCRE2
from sources with nginx configure, by using the --with-pcre= option.
It automatically detects if PCRE or PCRE2 sources are provided.

Note that compiling PCRE2 10.33 and later requires inttypes.h.  When
compiling on Windows with MSVC, inttypes.h is only available starting
with MSVC 2013.  In older versions some replacement needs to be provided
("echo '#include <stdint.h>' > pcre2-10.xx/src/inttypes.h" is good enough
for MSVC 2010).

The interface on nginx side remains unchanged.
2021-12-25 01:07:15 +03:00
Maxim Dounin
cddb22cefe Configure: simplified PCRE compilation.
Removed ICC-specific PCRE optimizations which tried to link with PCRE
object files instead of the library.  Made compiler-specific code
minimal.
2021-12-25 01:07:14 +03:00
Ruslan Ermilov
363505e806 Moved Huffman coding out of HTTP/2.
ngx_http_v2_huff_decode.c and ngx_http_v2_huff_encode.c are renamed
to ngx_http_huff_decode.c and ngx_http_huff_encode.c.
2021-12-21 07:54:16 +03:00
Ruslan Ermilov
fa4da05854 Merged with the default branch. 2021-12-24 15:53:59 +03:00
Ruslan Ermilov
4374cbfb1e QUIC: removed configure time test for BPF sockhash.
The test verifies kernel version on a build machine,
but actually used kernel may be different.
2021-12-09 15:30:50 +03:00
Ruslan Ermilov
d06f60250e QUIC: configure cleanup.
Renamed and removed some macros.
2021-12-09 15:30:01 +03:00
Roman Arutyunyan
d1bc1da950 HTTP/3: renamed files.
ngx_http_v3_tables.h and ngx_http_v3_tables.c are renamed to
ngx_http_v3_table.h and ngx_http_v3_table.c to better match HTTP/2 code.

ngx_http_v3_streams.h and ngx_http_v3_streams.c are renamed to
ngx_http_v3_uni.h and ngx_http_v3_uni.c to better match their content.
2021-12-07 13:01:28 +03:00
Roman Arutyunyan
731915a0c5 HTTP/3: merged ngx_http_quic_module into ngx_http_v3_module. 2021-12-06 13:02:36 +03:00
Ruslan Ermilov
f2859767d4 Configure: fixed QUIC support test.
OpenSSL library QUIC support cannot be tested at configure time when
using the --with-openssl option so assume it's present if requested.
While here, fixed the error message in case QUIC support is missing.
2021-09-27 10:10:38 +03:00
Ruslan Ermilov
8ce1c2c7e9 Configure: check for QUIC 0-RTT support at compile time. 2021-09-27 10:10:37 +03:00
Ruslan Ermilov
af2121267b Configure: USE_OPENSSL_QUIC=YES implies USE_OPENSSL=YES. 2021-09-21 14:46:30 +03:00
Ruslan Ermilov
cafaea71e9 Configure: ordered directories. 2021-09-21 14:46:25 +03:00
Ruslan Ermilov
3321ca0c83 Configure: simplified condition. 2021-09-21 14:46:17 +03:00
Ruslan Ermilov
bd89c448b7 Removed NGX_OPENSSL_QUIC macro, NGX_QUIC is enough. 2021-09-14 12:09:13 +03:00
Ruslan Ermilov
7a45071cb6 Changed the OpenSSL QUIC support detection.
As was changed in 253cf267f95a.
2021-09-09 15:34:00 +03:00
Vladimir Homutov
e1fbbfaba6 QUIC: better ordering in auto/modules. 2021-08-05 11:13:29 +03:00
Vladimir Homutov
d895a831ae HTTP/3: got rid of HTTP/2 module dependency.
The Huffman encoder/decoder now can be built separately from HTTP/2 module.
2021-08-05 11:09:13 +03:00
Vladimir Homutov
c0764bc3e9 QUIC: added support for segmentation offloading.
To improve output performance, UDP segmentation offloading is used
if available.  If there is a significant amount of data in an output
queue and path is verified, QUIC packets are not sent one-by-one,
but instead are collected in a buffer, which is then passed to kernel
in a single sendmsg call, using UDP GSO.  Such method greatly decreases
number of system calls and thus system load.
2021-07-15 14:22:00 +03:00
Vladimir Homutov
46aa440c66 Core: the ngx_event_udp.h header file. 2021-07-12 16:40:57 +03:00
Roman Arutyunyan
9e05c357cc HTTP/3: moved session initialization to a separate file.
Previously it was in ngx_http_v3_streams.c, but it's unrelated to streams.
2021-05-05 15:15:48 +03:00
Roman Arutyunyan
de75c7e3e2 HTTP/3: separate header files for existing source files. 2021-05-05 15:09:23 +03:00
Vladimir Homutov
c4f5b50c47 QUIC: connection migration.
The patch adds proper transitions between multiple networking addresses that
can be used by a single quic connection. New networking paths are validated
using PATH_CHALLENGE/PATH_RESPONSE frames.
2021-04-29 15:35:02 +03:00
Vladimir Homutov
2fd1aac46d QUIC: separate files for SSL library interfaces. 2021-04-14 14:47:04 +03:00
Vladimir Homutov
e0b73cf6a2 QUIC: separate files for tokens related processing. 2021-04-13 14:41:52 +03:00
Vladimir Homutov
8df0b6bb2c QUIC: separate files for output and ack related processing. 2021-04-13 14:41:20 +03:00
Vladimir Homutov
9326156b8b QUIC: separate files for stream related processing. 2021-04-13 14:40:00 +03:00
Vladimir Homutov
87ca8c087a QUIC: separate files for frames related processing. 2021-04-13 14:38:46 +03:00