Commit Graph

4725 Commits

Author SHA1 Message Date
Valentin Bartenev
b5d7d3f024 HTTP/2: added debug logging of response headers.
Because of HPACK compression it's hard to see what headers are actually
sent by the server.
2016-02-16 17:49:14 +03:00
Valentin Bartenev
fcfe483292 HTTP/2: use local pointer instead of r->connection.
No functional changes.
2016-02-16 17:49:14 +03:00
Maxim Dounin
79654d53e3 Core: improved logging on invalid NGINX variable (ticket #900). 2016-02-15 17:41:52 +03:00
Valentin Bartenev
822fc91b09 HTTP/2: fixed undefined behavior in ngx_http_v2_huff_encode().
When the "pending" value is zero, the "buf" will be right shifted
by the width of its type, which results in undefined behavior.

Found by Coverity (CID 1352150).
2016-02-12 16:36:20 +03:00
Valentin Bartenev
531e6fbfd6 HTTP/2: implemented HPACK Huffman encoding for response headers.
This reduces the size of headers by over 30% on average.

Based on the patch by Vlad Krasnov:
http://mailman.nginx.org/pipermail/nginx-devel/2015-December/007682.html
2016-02-11 15:35:36 +03:00
Ruslan Ermilov
3b9b07377b Dynamic modules: fixed a version mismatch message (ticket #898).
Based on a patch by Takashi Takizawa.
2016-02-11 18:46:46 +03:00
Roman Arutyunyan
f1f419fd2c Stream: initialize variable right before using it. 2016-02-11 14:20:26 +03:00
Roman Arutyunyan
1cdd0cc421 Stream: removed useless typedef. 2016-02-11 14:20:22 +03:00
Piotr Sikora
2fe20c9b34 Core: ngx_module_t compatibility with C++.
Changes to NGX_MODULE_V1 and ngx_module_t in 85dea406e18f (1.9.11)
broke all modules written in C++, because ISO C++11 does not allow
conversion from string literal to char *.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-02-09 16:31:26 -08:00
Maxim Dounin
839c1997d9 Version bump. 2016-02-10 06:23:34 +03:00
Maxim Dounin
97f59dda09 Dynamic modules.
The auto/module script is extended to understand ngx_module_link=DYNAMIC.
When set, it links the module as a shared object rather than statically
into nginx binary.  The module can later be loaded using the "load_module"
directive.

New auto/module parameter ngx_module_order allows to define module loading
order in complex cases.  By default the order is set based on ngx_module_type.

3rd party modules can be compiled dynamically using the --add-dynamic-module
configure option, which will preset ngx_module_link to "DYNAMIC" before
calling the module config script.

Win32 support is rudimentary, and only works when using MinGW gcc (which
is able to handle exports/imports automatically).

In collaboration with Ruslan Ermilov.
2016-02-04 20:25:29 +03:00
Maxim Dounin
86cc342a26 Dynamic modules: dlopen() support. 2016-02-04 18:30:21 +03:00
Maxim Dounin
0f67d6355c Dynamic modules: changed ngx_modules to cycle->modules. 2016-02-04 18:30:21 +03:00
Maxim Dounin
7988334570 Dynamic modules: moved module-related stuff to separate files. 2016-02-04 18:30:21 +03:00
Valentin Bartenev
9add42c71e HTTP/2: fixed possible buffer overrun (ticket #893).
Due to greater priority of the unary plus operator over the ternary operator
the expression didn't work as expected.  That might result in one byte less
allocation than needed for the HEADERS frame buffer.
2016-02-04 18:01:04 +03:00
Valentin Bartenev
cb173ff672 HTTP/2: fixed padding handling in HEADERS frame with CONTINUATION. 2016-02-02 16:33:55 +03:00
Valentin Bartenev
8050277acf HTTP/2: fixed request length accounting.
Now it includes not only the received body size,
but the size of headers block as well.
2016-02-02 16:33:55 +03:00
Valentin Bartenev
405f4f99b4 HTTP/2: fixed excessive memory allocation for pool cleanup. 2016-02-02 16:33:55 +03:00
Valentin Bartenev
3351fbe481 HTTP/2: removed unused field from ngx_http_v2_stream_t. 2016-02-02 16:33:55 +03:00
Ruslan Ermilov
c6ed65ce7c Resolver: style.
Use the original query name in error and debug messages when
processing PTR responses.
2015-12-17 17:30:22 +03:00
Ruslan Ermilov
bf269cbc55 Resolver: improved PTR response processing.
The previous code only parsed the first answer, without checking its
type, and required a compressed RR name.

The new code checks the RR type, supports responses with multiple
answers, and doesn't require the RR name to be compressed.

This has a side effect in limited support of CNAME.  If a response
includes both CNAME and PTR RRs, like when recursion is enabled on
the server, PTR RR is handled.

Full CNAME support in PTR response is not implemented in this change.
2015-12-17 17:21:16 +03:00
Ruslan Ermilov
06806aa001 Resolver: style.
Renamed argument in ngx_resolver_process_a() for consistency.
2015-12-17 17:21:12 +03:00
Roman Arutyunyan
cbee15bb6c Resolver: free TCP buffers on resolver cleanup. 2016-02-02 13:42:55 +03:00
Ruslan Ermilov
625481f6f1 Resolver: fixed possible resource leak introduced in 5a16d40c63de.
Found by Coverity (CID 1351175).
2016-02-02 11:35:19 +03:00
Roman Arutyunyan
aa8fa81e42 Resolver: TCP support.
Resend DNS query over TCP once UDP response came truncated.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
c8c44f7478 Resolver: per-request DNS server balancer.
Previously, a global server balancer was used to assign the next DNS server to
send a query to.  That could lead to a non-uniform distribution of servers per
request.  A request could be assigned to the same dead server several times in a
row and wait longer for a valid server or even time out without being processed.

Now each query is sent to all servers sequentially in a circle until a
response is received or timeout expires.  Initial server for each request is
still globally balanced.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
1945fff7bf Resolver: renamed UDP-specific structures, fields and variables.
They will be used for TCP connections as well.
2016-01-28 15:28:20 +03:00
Roman Arutyunyan
52d3601155 Resolver: removed unused field from ngx_resolver_ctx_t. 2016-01-28 15:28:19 +03:00
Roman Arutyunyan
c541b82c21 Version bump. 2016-01-28 15:25:58 +03:00
Ruslan Ermilov
fe89d99796 Resolver: limited CNAME recursion.
Previously, the recursion was only limited for cached responses.
2016-01-26 16:47:14 +03:00
Roman Arutyunyan
a3d42258d9 Resolver: fixed use-after-free memory accesses with CNAME.
When several requests were waiting for a response, then after getting
a CNAME response only the last request's context had the name updated.
Contexts of other requests had the wrong name.  This name was used by
ngx_resolve_name_done() to find the node to remove the request context
from.  When the name was wrong, the request could not be properly
cancelled, its context was freed but stayed linked to the node's waiting
list.  This happened e.g. when the first request was aborted or timed
out before the resolving completed.  When it completed, this triggered
a use-after-free memory access by calling ctx->handler of already freed
request context.  The bug manifests itself by
"could not cancel <name> resolving" alerts in error_log.

When a request was responded with a CNAME, the request context kept
the pointer to the original node's rn->u.cname.  If the original node
expired before the resolving timed out or completed with an error,
this would trigger a use-after-free memory access via ctx->name in
ctx->handler().

The fix is to keep ctx->name unmodified.  The name from context
is no longer used by ngx_resolve_name_done().  Instead, we now keep
the pointer to resolver node to which this request is linked.
Keeping the original name intact also improves logging.
2016-01-26 16:46:59 +03:00
Roman Arutyunyan
b1a110e3a4 Resolver: changed the ngx_resolver_create_*_query() arguments.
No functional changes.

This is needed by the following change.
2016-01-26 16:46:48 +03:00
Ruslan Ermilov
4016e6b1da Resolver: fixed CNAME processing for several requests.
When several requests were waiting for a response, then after getting
a CNAME response only the last request was properly processed, while
others were left waiting.
2016-01-26 16:46:38 +03:00
Ruslan Ermilov
4b581a7c21 Resolver: fixed crashes in timeout handler.
If one or more requests were waiting for a response, then after
getting a CNAME response, the timeout event on the first request
remained active, pointing to the wrong node with an empty
rn->waiting list, and that could cause either null pointer
dereference or use-after-free memory access if this timeout
expired.

If several requests were waiting for a response, and the first
request terminated (e.g., due to client closing a connection),
other requests were left without a timeout and could potentially
wait indefinitely.

This is fixed by introducing per-request independent timeouts.
This change also reverts 954867a2f0a6 and 5004210e8c78.
2016-01-26 16:46:31 +03:00
Roman Arutyunyan
c44fd4e837 Resolver: fixed possible segmentation fault on DNS format error. 2016-01-26 16:46:18 +03:00
Valentin Bartenev
8a5df8c720 Request body: removed surplus assigment, no functional changes.
Setting rb->bufs to NULL is surplus after ngx_http_write_request_body()
has returned NGX_OK.
2016-01-12 19:19:07 +03:00
Maxim Dounin
d0bf684ab6 Core: worker_cpu_affinity auto.
If enabled, workers are bound to available CPUs, each worker to once CPU
in order.  If there are more workers than available CPUs, remaining are
bound in a loop, starting again from the first available CPU.

The optional mask parameter defines which CPUs are available for automatic
binding.

In collaboration with Vladimir Homutov.
2016-01-11 19:23:17 +03:00
Maxim Dounin
af647a3da2 Upstream: fixed changing method on X-Accel-Redirect.
Previously, only r->method was changed, resulting in handling of a request
as GET within nginx itself, but not in requests to proxied servers.

See http://mailman.nginx.org/pipermail/nginx/2015-December/049518.html.
2016-01-11 19:08:12 +03:00
Maxim Dounin
fda7d021ca Upstream: don't keep connections on early responses (ticket #669). 2015-12-17 16:39:15 +03:00
Maxim Dounin
9973e36944 Fixed PROXY protocol on IPv6 sockets (ticket #858). 2015-12-17 16:39:02 +03:00
Maxim Dounin
852a565be3 Version bump. 2015-12-17 16:38:51 +03:00
Ruslan Ermilov
5e7535df72 Fixed fastcgi_pass with UNIX socket and variables (ticket #855).
This was broken in a93345ee8f52 (1.9.8).
2015-12-09 16:26:59 +03:00
Ruslan Ermilov
fac1f23e5d Version bump. 2015-12-09 14:41:16 +03:00
Roman Arutyunyan
56fda3265b Slice filter: terminate first slice with last_in_chain flag.
This flag makes sub filter flush buffered data and optimizes allocation in copy
filter.
2015-12-08 17:39:56 +03:00
Roman Arutyunyan
5c1f76f0e9 Slice filter: never run subrequests when main request is buffered.
With main request buffered, it's possible, that a slice subrequest will send
output before it.  For example, while main request is waiting for aio read to
complete, a slice subrequest can start an aio operation as well.  The order
in which aio callbacks are called is undetermined.
2015-12-08 17:39:56 +03:00
Sergey Kandaurov
79fcf261d0 SSL: fixed possible segfault on renegotiation (ticket #845).
Skip SSL_CTX_set_tlsext_servername_callback in case of renegotiation.
Do nothing in SNI callback as in this case it will be supplied with
request in c->data which isn't expected and doesn't work this way.

This was broken by b40af2fd1c16 (1.9.6) with OpenSSL master branch and LibreSSL.
2015-12-08 16:59:43 +03:00
Roman Arutyunyan
8ba626ccd7 Slice filter.
Splits a request into subrequests, each providing a specific range of response.
The variable "$slice_range" must be used to set subrequest range and proper
cache key.  The directive "slice" sets slice size.

The following example splits requests into 1-megabyte cacheable subrequests.

server {
    listen 8000;

    location / {
        slice 1m;

        proxy_cache cache;
        proxy_cache_key $uri$is_args$args$slice_range;
        proxy_set_header Range $slice_range;
        proxy_cache_valid 200 206 1h;
        proxy_pass http://127.0.0.1:9000;
    }
}
2015-12-07 16:30:48 +03:00
Roman Arutyunyan
1b478c50de Upstream: fill r->headers_out.content_range from upstream response. 2015-12-07 16:30:47 +03:00
Piotr Sikora
9752706bd4 Core: fix typo in error message.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-12-02 19:17:19 -08:00
Maxim Dounin
6994593478 Style: NGX_PTR_SIZE replaced with sizeof(void *).
The NGX_PTR_SIZE macro is only needed in preprocessor directives where
it's not possible to use sizeof().
2015-12-03 20:06:45 +03:00
Maxim Dounin
af4e89b9a1 Style. 2015-12-02 01:06:54 +03:00
Ruslan Ermilov
362fb6c1d4 Stop emulating a space character after r->method_name.
This is an API change.

The proxy module was modified to not depend on this in 44122bddd9a1.
No known third-party modules seem to depend on this.
2015-11-30 12:54:01 +03:00
Ruslan Ermilov
05a38c7077 Proxy: improved code readability.
Do not assume that space character follows the method name, just pass it
explicitly.

The fuss around it has already proved to be unsafe, see bbdb172f0927 and
http://mailman.nginx.org/pipermail/nginx-ru/2013-January/049692.html for
details.
2015-11-06 15:21:51 +03:00
Ruslan Ermilov
f0f7b437b9 Reduced the number of GET method constants. 2015-11-30 12:04:35 +03:00
Valentin Bartenev
a89548a4e1 Increased the default "connection_pool_size" on 64-bit platforms.
The previous default of 256 bytes isn't enough and results in two
allocations on each accepted connection, which is suboptimal.
2015-11-30 16:27:33 +03:00
Ruslan Ermilov
5ea66922d9 Style: unified request method checks. 2015-11-06 15:22:43 +03:00
Ruslan Ermilov
bfe1987b41 Core: enabled "include" inside http upstreams (ticket #635).
The directive already works inside stream upstream blocks.
2015-11-23 12:40:19 +03:00
Ruslan Ermilov
72b9a317d2 Upstream: fixed "no port" detection in evaluated upstreams.
If an upstream with variables evaluated to address without a port,
then instead of a "no port in upstream" error an attempt was made
to connect() which failed with EADDRNOTAVAIL.
2015-11-21 10:44:07 +03:00
Valentin Bartenev
d862ae8e68 Used the pwritev() syscall for writing files where possible.
It is more effective, because it doesn't require a separate lseek().
2015-11-17 19:01:41 +03:00
Valentin Bartenev
906c4462f8 Moved file writev() handling code to a separate function.
No functional changes.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
a9e62b625b Handled EINTR from write() and pwrite() syscalls.
This is in addition to 6fce16b1fc10.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
9ef4b63328 Adjusted file->sys_offset after the write() syscall.
This fixes suboptimal behavior caused by surplus lseek() for sequential writes
on systems without pwrite().  A consecutive read after write might result in an
error on systems without pread() and pwrite().

Fortunately, at the moment there are no widely used systems without these
syscalls.
2015-11-17 19:01:41 +03:00
Valentin Bartenev
3aef20d257 Version bump. 2015-11-17 19:01:41 +03:00
Ruslan Ermilov
1ce1610763 Realip: the $realip_remote_addr variable. 2015-11-16 16:02:02 +03:00
Valentin Bartenev
a52bbefd84 HTTP/2: reused HEADERS and CONTINUATION frames buffers. 2015-11-13 20:10:50 +03:00
Valentin Bartenev
548e31f608 HTTP/2: fixed handling of output HEADERS frames.
The HEADERS frame is always represented by more than one buffer since
b930e598a199, but the handling code hasn't been adjusted.

Only the first buffer of HEADERS frame was checked and if it had been
sent while others had not, the rest of the frame was dropped, resulting
in broken connection.

Before b930e598a199, the problem could only be seen in case of HEADERS
frame with CONTINUATION.
2015-11-13 20:10:50 +03:00
Valentin Bartenev
8323cd693b HTTP/2: fixed invalid headers handling (ticket #831).
The r->invalid_header flag wasn't reset once an invalid header appeared in a
request, resulting in all subsequent headers in the request were also marked
as invalid.
2015-11-13 20:10:50 +03:00
Roman Arutyunyan
89a049be89 Upstream: proxy_cache_convert_head directive.
The directive toggles conversion of HEAD to GET for cacheable proxy requests.
When disabled, $request_method must be added to cache key for consistency.
By default, HEAD is converted to GET as before.
2015-11-11 15:47:30 +03:00
Valentin Bartenev
93aef089b4 SSL: only select HTTP/2 using NPN if "http2" is enabled.
OpenSSL doesn't check if the negotiated protocol has been announced.
As a result, the client might force using HTTP/2 even if it wasn't
enabled in configuration.
2015-11-05 15:01:09 +03:00
Valentin Bartenev
b22c0e0846 HTTP/2: backed out 16905ecbb49e (ticket #822).
It caused inconsistency between setting "in_closed" flag and the moment when
the last DATA frame was actually read.  As a result, the body buffer might not
be initialized properly in ngx_http_v2_init_request_body(), which led to a
segmentation fault in ngx_http_v2_state_read_data().  Also it might cause
start processing of incomplete body.

This issue could be triggered when the processing of a request was delayed,
e.g. in the limit_req or auth_request modules.
2015-11-05 15:01:01 +03:00
Maxim Dounin
f9cce38e49 Fixed ngx_parse_time() out of bounds access (ticket #821).
The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m".  The bug manifested
itself when the expires directive was used with variables.

Found by Roman Arutyunyan.
2015-10-30 21:43:30 +03:00
Vladimir Homutov
e7d298f3fc Syslog: added "nohostname" option.
The option disables sending hostname in the syslog message header.  This is
useful with syslog daemons that do not expect it (tickets #677 and #783).
2015-10-26 19:06:42 +03:00
Valentin Bartenev
090c471032 HTTP/2: changed behavior of the "http2_max_field_size" directive.
Now it limits only the maximum length of literal string (either raw or
compressed) in HPACK request header fields.  It's easier to understand
and to describe in the documentation.
2015-10-27 23:16:35 +03:00
Valentin Bartenev
edf30961e6 HTTP/2: fixed spelling. 2015-10-27 23:16:35 +03:00
Valentin Bartenev
5a8b212fd9 Version bump. 2015-10-27 23:16:29 +03:00
Valentin Bartenev
f36f51725a HTTP/2: simplified checking the END_STREAM flag.
No functional changes.
2015-10-26 17:46:28 +03:00
Valentin Bartenev
d418b92cdc HTTP/2: improved the ngx_http_v2_integer_octets(v) macro.
Previously, it didn't work well for 0, 127, and 128, returning less than needed.
2015-10-26 17:46:16 +03:00
Valentin Bartenev
3565680d94 HTTP/2: fixed the NGX_HTTP_V2_MAX_FIELD macro. 2015-10-26 17:46:13 +03:00
Valentin Bartenev
9150c7df1f HTTP/2: fixed splitting of response headers on CONTINUATION frames.
Previous code has been based on assumption that the header block can only be
splitted at the borders of individual headers.  That wasn't the case and might
result in emitting frames bigger than the frame size limit.

The current approach is to split header blocks by the frame size limit.
2015-09-28 02:32:44 +03:00
Valentin Bartenev
60e41c0fb1 HTTP/2: introduced NGX_HTTP_V2_ENCODE_* macros.
No functional changes.
2015-10-26 17:43:08 +03:00
Valentin Bartenev
69e78850fe HTTP/2: simplified producing of the Last-Modified header. 2015-10-26 17:43:08 +03:00
Valentin Bartenev
70c29f05f0 HTTP/2: fixed header block size calculation. 2015-10-26 17:43:08 +03:00
Piotr Sikora
f93aa4d953 HTTP/2: fix handling of connection errors.
Previously, nginx worker would crash because of a double free
if client disconnected or timed out before sending all headers.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
de4f0eb26b HTTP/2: fix indirect reprioritization.
Previously, streams that were indirectly reprioritized (either because of
a new exclusive dependency on their parent or because of removal of their
parent from the dependency tree), didn't have their pointer to the parent
node updated.

This broke detection of circular dependencies and, as a result, nginx
worker would crash due to stack overflow whenever such dependency was
introduced.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
71a6b600c2 HTTP/2: reject self-dependent streams.
Per RFC7540, a stream cannot depend on itself.

Previously, this requirement was enforced on PRIORITY frames, but not on
HEADERS frames and due to the implementation details nginx worker would
crash (stack overflow) while opening self-dependent stream.

Found with afl-fuzz.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-01 20:25:55 -07:00
Piotr Sikora
79a03b3ff6 Core: read/write locks are also required by the Stream module.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2015-10-23 18:21:33 -07:00
Valentin Bartenev
c0eb2f0759 HTTP/2: improved error handling while parsing integers.
The case when an integer is out of frame bounds should be checked first
as a more accurate error.
2015-10-20 21:28:38 +03:00
Ruslan Ermilov
c830cf28ae HTTP/2: improved HPACK integer parsing code readability.
No functional changes.
2015-10-20 21:26:38 +03:00
Maxim Dounin
faed7212fe Win32: timer_resolution now ignored with select.
As setitimer() isn't available on Windows, time wasn't updated at all
if timer_resolution was used with the select event method.  Fix is
to ignore timer_resolution in such cases.
2015-10-20 18:16:18 +03:00
Kouhei Sutou
67614b3aa3 Win32: fixed build with MinGW and MinGW-w64 gcc.
This change fixes the "comparison between signed and unsigned integer
expressions" warning, introduced in 5e6142609e48 (1.9.4).
2015-10-17 21:41:02 +09:00
Maxim Dounin
582911c9c2 Style: unneeded casts of cf->args->elts removed. 2015-10-19 23:04:49 +03:00
Maxim Dounin
cc74c63d39 Fixed variables prefix comparison.
Variable names are not null-terminated, so using ngx_strncmp() without
extra length checks is wrong.

Reported by Markus Linnala,
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007211.html.
2015-10-19 21:28:17 +03:00
Maxim Dounin
b9e0b9df44 Fixed handling of empty root.
Previously, a configuration with "root" set to an empty string tried test
a character at clcf->root.data[-1].  Additional test added to make sure
this won't happen.

Reported by Markus Linnala, see
http://mailman.nginx.org/pipermail/nginx-devel/2015-August/007210.html.
2015-10-19 21:28:02 +03:00
Maxim Dounin
a6befbb40f SSL: preserve default server context in connection (ticket #235).
This context is needed for shared sessions cache to work in configurations
with multiple virtual servers sharing the same port.  Unfortunately, OpenSSL
does not provide an API to access the session context, thus storing it
separately.

In collaboration with Vladimir Homutov.
2015-10-19 21:22:38 +03:00
Valentin Bartenev
7d2af13f3a HTTP/2: fixed parsing of literal header fields without indexing. 2015-10-19 16:16:47 +03:00
Vladimir Homutov
645697f111 SSL: handled long string truncation in ngx_ssl_error().
If no space left in buffer after adding formatting symbols, error message
could be left without terminating null.  The fix is to output message using
actual length.
2015-10-07 22:19:42 +03:00
Ruslan Ermilov
0079f29326 Stream: delete proxy connection timer after SSL handshake.
The timer remained active and could drop active SSL connection.
2015-10-06 08:57:09 +03:00
Kurtis Nusbaum
470d038671 Extract out version info function.
The code for displaying version info and configuration info seemed to be
cluttering up the main function. I was finding it hard to read main. This
extracts out all of the logic for displaying version and configuration info
into its own function, thus making main easier to read.
2015-07-12 08:31:38 -07:00
Valentin Bartenev
20669d1949 HTTP/2: fixed $server_protocol value (ticket #800). 2015-09-28 20:02:05 +03:00
Maxim Dounin
4bab18f63d SSL: compatibility with OpenSSL master branch.
RAND_pseudo_bytes() is deprecated in the OpenSSL master branch, so the only
use was changed to RAND_bytes().  Access to internal structures is no longer
possible, so now we don't try to set SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS even
if it's defined.
2015-09-24 17:19:08 +03:00
Maxim Dounin
49766257fe Version bump. 2015-09-24 17:18:42 +03:00
Maxim Dounin
49b17956f9 Style. 2015-09-22 17:09:50 +03:00
Valentin Bartenev
a0d7df93a0 Increased the default number of output buffers.
Since an output buffer can only be used for either reading or sending, small
amounts of data left from the previous operation (due to some limits) must be
sent before nginx will be able to read further into the buffer.  Using only
one output buffer can result in suboptimal behavior that manifests itself in
forming and sending too small chunks of data.  This is particularly painful
with SPDY (or HTTP/2) where each such chunk needs to be prefixed with some
header.

The default flow-control window in HTTP/2 is 64k minus one bytes.  With one
32k output buffer this results is one byte left after exhausting the window.
With two 32k buffers the data will be read into the second free buffer before
sending, thus the minimum output is increased to 32k + 1 bytes which is much
better.
2015-09-15 17:49:15 +03:00
Valentin Bartenev
61e1f16d90 HTTP/2: fixed header block parsing with CONTINUATION frames (#792).
It appears that the CONTINUATION frames don't need to be aligned to bounds of
individual headers.
2015-09-22 01:40:04 +03:00
Valentin Bartenev
a27d0bd00d HTTP/2: fixed HPACK header field parsing. 2015-09-22 01:40:04 +03:00
Roman Arutyunyan
f64ff24451 Sub filter: fixed initialization in http{} level (ticket #791).
If sub_filter directive was only specified at http{} level, sub filter
internal data remained uninitialized.  That would lead to a crash in runtime.
2015-09-21 23:08:34 +03:00
Valentin Bartenev
ee37ff613f The HTTP/2 implementation (RFC 7240, 7241).
The SPDY support is removed, as it's incompatible with the new module.
2015-09-11 20:13:06 +03:00
Maxim Dounin
2c96914312 Core: fixed segfault with null in wildcard hash names.
A configuration like

    server { server_name .foo^@; }
    server { server_name .foo; }

resulted in a segmentation fault during construction of server names hash.

Reported by Markus Linnala.
Found with afl-fuzz.
2015-09-11 17:04:40 +03:00
Maxim Dounin
7930a6c442 Fixed segfault with incorrect location nesting.
A configuration with a named location inside a zero-length prefix
or regex location used to trigger a segmentation fault, as
ngx_http_core_location() failed to properly detect if a nested location
was created.  Example configuration to reproduce the problem:

    location "" {
        location @foo {}
    }

Fix is to not rely on a parent location name length, but rather check
command type we are currently parsing.

Identical fix is also applied to ngx_http_rewrite_if(), which used to
incorrectly assume the "if" directive is on server{} level in such
locations.

Reported by Markus Linnala.
Found with afl-fuzz.
2015-09-11 17:04:04 +03:00
Maxim Dounin
ce05841eef Cache: check the whole cache key in addition to hashes.
This prevents a potential attack that discloses cached data if an attacker
will be able to craft a hash collision between some cache key the attacker
is allowed to access and another cache key with protected data.

See http://mailman.nginx.org/pipermail/nginx-devel/2015-September/007288.html.

Thanks to Gena Makhomed and Sergey Brester.
2015-09-11 17:03:56 +03:00
Roman Arutyunyan
51f714c85d Upstream: fixed cache send error handling.
The value of NGX_ERROR, returned from filter handlers, was treated as a generic
upstream error and changed to NGX_HTTP_INTERNAL_SERVER_ERROR before calling
ngx_http_finalize_request().  This resulted in "header already sent" alert
if header was already sent in filter handlers.

The problem appeared in 54e9b83d00f0 (1.7.5).
2015-09-03 15:09:21 +03:00
Valentin Bartenev
a38402e306 Fixed building --with-debug, broken by 6fce16b1fc10. 2015-09-02 19:45:40 +03:00
Valentin Bartenev
7dd3f9ee22 Writing to some file systems can be interrupted.
At least such behavior was observed with CephFS, see:
http://mailman.nginx.org/pipermail/nginx/2015-July/048188.html.
2015-09-02 19:26:40 +03:00
Valentin Bartenev
5e0b936a07 Decreased the NGX_HTTP_MAX_SUBREQUESTS limit.
There is no much sense in such a big value since its semantics
has been changed in 06e850859a26 to limit recursive subrequests.
2015-08-31 23:26:33 +03:00
Valentin Bartenev
4ec67cf86f Added protection against r->main->count overflow by subrequests.
This overflow has become possible after the change in 06e850859a26,
since concurrent subrequests are not limited now and each of them is
counted in r->main->count.
2015-08-31 23:25:16 +03:00
Valentin Bartenev
0d3b15729c Limit recursive subrequests instead of simultaneous. 2015-08-23 21:03:32 +03:00
Valentin Bartenev
fae2488df7 Version bump. 2015-08-23 21:03:29 +03:00
Maxim Dounin
2e004237c5 Perl: prototyping behavior explicitly specified.
When prototyping behavior is not explicitly specified, xsubpp emits
a message to stderr asking to do so (see ticket #608).
2015-08-18 16:26:18 +03:00
Maxim Dounin
a0aea61b50 Perl: fixed warning about "sep" may be used uninitialized. 2015-08-18 16:26:05 +03:00
Maxim Dounin
84b0ad63fb Win32: MSVC 2015 compatibility.
Resolved warnings about declarations that hide previous local declarations.
Warnings about WSASocketA() being deprecated resolved by explicit use of
WSASocketW() instead of WSASocket().  When compiling without IPv6 support,
WinSock deprecated warnings are disabled to allow use of gethostbyname().
2015-08-17 18:09:17 +03:00
Dmitry Volyntsev
1576cd10aa Sub filter: support of variables in the strings to replace. 2015-08-17 17:42:02 +03:00
Dmitry Volyntsev
934b49923c Sub filter: support of multiple strings to replace. 2015-08-17 17:42:02 +03:00
Maxim Dounin
05982ffdf5 Fixed wrong URI after try_files in nested location (ticket #97).
The following configuration with alias, nested location and try_files
resulted in wrong file being used.  Request "/foo/test.gif" tried to
use "/tmp//foo/test.gif" instead of "/tmp/test.gif":

    location /foo/ {
        alias /tmp/;
        location ~ gif {
            try_files $uri =405;
        }
    }

Additionally, rev. c985d90a8d1f introduced a regression if
the "/tmp//foo/test.gif" file was found (ticket #768).  Resulting URI
was set to "gif?/foo/test.gif", as the code used clcf->name of current
location ("location ~ gif") instead of parent one ("location /foo/").

Fix is to use r->uri instead of clcf->name in all cases in the
ngx_http_core_try_files_phase() function.  It is expected to be
already matched and identical to the clcf->name of the right
location.
2015-08-16 10:51:34 +03:00
Maxim Dounin
4fec72dc8c Fixed segfault with try_files introduced by c985d90a8d1f.
If alias was used in a location given by a regular expression,
nginx used to do wrong thing in try_files if a location name (i.e.,
regular expression) was an exact prefix of URI.  The following
configuration triggered a segmentation fault on a request to "/mail":

    location ~ /mail {
        alias /path/to/directory;
        try_files $uri =404;
    }

Reported by Per Hansson.
2015-08-16 10:51:16 +03:00
Sergey Kandaurov
b7da4f5962 Core: fixed potential division by zero when initializing hash.
Found by Clang Static Analyzer.
2015-08-13 16:27:17 +03:00
Sergey Kandaurov
e161b6a46f Core: fixed style in the error message. 2015-08-13 16:27:13 +03:00
Vladimir Homutov
f2d31f8291 Stream: fixed potential error log buffer overrun.
Found by Duan Jiong <djduanjiong@gmail.com>.
2015-08-13 15:55:21 +03:00
Vladimir Homutov
75dcdc2269 Style. 2015-08-12 12:56:59 +03:00
Vladimir Homutov
b537def75e Stream: the "tcp_nodelay" directive. 2015-08-10 12:14:41 +03:00
Valentin Bartenev
50ff8b3c3a Core: idle connections now closed only once on exiting.
Iterating through all connections takes a lot of CPU time, especially
with large number of worker connections configured.  As a result
nginx processes used to consume CPU time during graceful shutdown.
To mitigate this we now only do a full scan for idle connections when
shutdown signal is received.

Transitions of connections to idle ones are now expected to be
avoided if the ngx_exiting flag is set.  The upstream keepalive module
was modified to follow this.
2015-08-11 16:28:55 +03:00
Andrei Belov
9500e19919 Fixed typo in the error message. 2015-08-11 10:28:00 +03:00
Gena Makhomed
97741382b6 Workaround for "configuration file test failed" under OpenVZ.
If nginx was used under OpenVZ and a container with nginx was suspended
and resumed, configuration tests started to fail because of EADDRINUSE
returned from listen() instead of bind():

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use)
nginx: configuration file /etc/nginx/nginx.conf test failed

With this change EADDRINUSE errors returned by listen() are handled
similarly to errors returned by bind(), and configuration tests work
fine in the same environment:

# nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

More details about OpenVZ suspend/resume bug:
https://bugzilla.openvz.org/show_bug.cgi?id=2470
2015-07-23 14:00:03 -04:00
Roman Arutyunyan
29cebe5d63 Stream: deprecated proxy_downstream_buffer, proxy_upstream_buffer.
The directive proxy_buffer_size should be used instead.
2015-07-30 16:43:48 -07:00
Roman Arutyunyan
96507dabcc Style. 2015-07-29 14:36:36 -07:00
Roman Arutyunyan
3c8aaf830f Stream: added proxy_buffer_size to set the size of data buffers.
Both download and upload buffers now have the same size.  The old directives
proxy_downstream_buffer and proxy_upstream_buffer are removed.
2015-07-29 13:46:26 -07:00
Ruslan Ermilov
6dc03bf1a4 Fixed strict aliasing warnings with old GCC versions. 2015-07-16 14:20:48 +03:00
Maxim Dounin
3cc6000879 Version bump. 2015-07-15 22:56:03 +03:00
Roman Arutyunyan
f1dbcf61a2 Stream: renamed rate limiting directives.
The directive proxy_downstream_limit_rate is now called proxy_upload_rate.
The directive proxy_upstream_limit_rate is now called proxy_download_rate.
2015-07-14 09:38:13 -07:00
Maxim Dounin
3ac176fb86 OCSP stapling: fixed segfault without nextUpdate.
OCSP responses may contain no nextUpdate.  As per RFC 6960, this means
that nextUpdate checks should be bypassed.  Handle this gracefully by
using NGX_MAX_TIME_T_VALUE as "valid" in such a case.

The problem was introduced by 6893a1007a7c (1.9.2).

Reported by Matthew Baldwin.
2015-07-14 01:10:25 +03:00
Maxim Dounin
573810ce36 OCSP stapling: fixed ssl_stapling_file (ticket #769).
Broken by 6893a1007a7c (1.9.2) during introduction of strict OCSP response
validity checks.  As stapling file is expected to be returned unconditionally,
fix is to set its validity to the maximum supported time.

Reported by Faidon Liambotis.
2015-07-07 16:38:49 +03:00
Valentin Bartenev
cd17f869cf Stream: fixed possible integer overflow in rate limiting. 2015-07-02 17:20:29 +03:00
Roman Arutyunyan
035732696d Stream: fixed MSVC compilation warning.
Thanks to itpp2012.
2015-07-02 17:15:32 +03:00
Roman Arutyunyan
f81ae4e392 Stream: upstream "connected" flag.
Once upstream is connected, the upstream buffer is allocated.  Previously, the
proxy module used the buffer allocation status to check if upstream is
connected.  Now it's enough to check the flag.
2015-06-25 12:36:52 +03:00
Roman Arutyunyan
74942045d5 Stream: upstream and downstream limit rates. 2015-06-23 20:17:48 +03:00
Roman Arutyunyan
62959c9133 Stream: common handler for upstream and downstream. 2015-06-23 20:17:47 +03:00
Piotr Sikora
130396928a Stream: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2015-06-18 03:36:41 -07:00
Ruslan Ermilov
1e94ab0db0 Upstream: fixed shared upstreams on win32. 2015-06-16 00:43:00 +03:00
Vladimir Homutov
14ff3d4f87 Stream: connection limiting module.
stream {
    limit_conn_zone $binary_remote_addr zone=perip:1m;
    limit_conn_log_level error;

    server {
        ...
        limit_conn perip 1;
    }
}
2015-06-18 14:17:30 +03:00
Sergey Kandaurov
f470cd2b89 Resolver: canceled resend timer on empty resend queues.
This is specifically useful on graceful shutdown.
2015-06-17 17:57:34 +03:00
Vladimir Homutov
b7a8f2a08f Disabled duplicate http, mail, and stream blocks.
Such configurations have very limited use, introduce various problems and
are not officially supported.
2015-06-16 23:28:38 +03:00
Vladimir Homutov
9efe6c2243 Version bump. 2015-06-16 23:31:31 +03:00
Vladimir Homutov
4e83d3f7b5 Core: store and dump processed configuration.
If the -T option is passed, additionally to configuration test, configuration
files are output to stdout.

In the debug mode, configuration files are kept in memory and can be accessed
using a debugger.
2015-05-14 18:54:27 +03:00
Vladimir Homutov
42c32b733b Core: added support for writing to stdout. 2015-06-16 15:47:40 +03:00
Roman Arutyunyan
4404c3fd6d Core: renamed ngx_proxy_protocol_parse to ngx_proxy_protocol_read.
The new name is consistent with the ngx_proxy_protocol_write function.
2015-06-16 13:45:19 +03:00
Roman Arutyunyan
3ed1b3b5b0 Stream: client-side PROXY protocol.
The new directive "proxy_protocol" toggles sending out PROXY protocol header
to upstream once connection is established.
2015-06-16 13:45:16 +03:00
Vladimir Homutov
f50f83a2cf Stream: the "proxy_bind" directive. 2015-06-16 09:02:45 +03:00
Maxim Dounin
cb3dcbb81e OCSP stapling: avoid sending expired responses (ticket #425). 2015-06-11 20:42:39 +03:00
Maxim Dounin
9984f3053f Moved ngx_http_parse_time() to core, renamed accordingly.
The function is now called ngx_parse_http_time(), and can be used by
any code to parse HTTP-style date and time.  In particular, it will be
used for OCSP stapling.

For compatibility, a macro to map ngx_http_parse_time() to the new name
provided for a while.
2015-06-11 20:42:31 +03:00
Maxim Dounin
dd41bfd47a Removed unused ngx_http_get_time() declaration. 2015-06-11 20:42:24 +03:00
Vladimir Homutov
8ab1aa612d Stream: access module.
stream {
    server {
        ...
        allow 127.0.0.1;
        deny all;
    }
}
2015-06-04 13:04:12 +03:00
Vladimir Homutov
d56b84b783 Stream: added postconfiguration method to stream modules. 2015-06-09 13:00:45 +03:00
Ruslan Ermilov
c81d7ec158 Mail: listen backlog=. 2015-06-08 23:13:56 +03:00
Ruslan Ermilov
60c654ddf5 Stream: listen backlog=. 2015-06-08 23:13:33 +03:00
Ruslan Ermilov
b72a7b0df3 Mail: embed ngx_mail_listen_t into ngx_mail_conf_addr_t. 2015-06-08 23:11:58 +03:00
Ruslan Ermilov
bfbd0aabd4 Stream: embed ngx_stream_listen_t into ngx_stream_conf_addr_t. 2015-06-08 23:11:42 +03:00
Ruslan Ermilov
14ddadb9ac Stream: fixed "reuseport" to actually work. 2015-06-05 23:03:13 +03:00
Roman Arutyunyan
f5d79ffb82 Upstream keepalive: reduced diffs to the plus version of nginx. 2015-06-04 23:46:44 +03:00
Maxim Dounin
e041efc306 Style. 2015-06-05 17:10:34 +03:00
Sergey Kandaurov
99b2c89404 Event pipe: call ngx_handle_read_event() with a proper flags type.
The change was missed in f69d1aab6a0f.
2015-06-03 19:12:26 +03:00
Valentin Bartenev
66f6ba5c95 Fixed excessive memory usage while parsing configuration.
The b->pos points to the next symbol here.

Reported by ilexshen.
2015-06-01 21:08:56 +03:00
Ruslan Ermilov
087c31e8b2 Fixed bullying style of comments. 2015-05-29 09:26:33 +03:00
Ruslan Ermilov
3de18022d8 Version bump. 2015-05-29 09:26:27 +03:00
Maxim Dounin
724f0f028e Disabled SSLv3 by default (ticket #653). 2015-05-25 17:58:20 +03:00
Maxim Dounin
226647e397 Configure: GNU Hurd properly recognized.
With this change it's no longer needed to pass -D_GNU_SOURCE manually,
and -D_FILE_OFFSET_BITS=64 is set to use 64-bit off_t.

Note that nginx currently fails to work properly with master process
enabled on GNU Hurd, as fcntl(F_SETOWN) returns EOPNOTSUPP for sockets
as of GNU Hurd 0.6.  Additionally, our strerror() preloading doesn't
work well with GNU Hurd, as it uses large numbers for most errors.
2015-05-25 17:58:13 +03:00
Maxim Dounin
b4619182bb Fixed reuseport with accept_mutex. 2015-05-21 19:39:11 +03:00
Ruslan Ermilov
941a6995d7 Upstream: report to error_log when max_fails is reached.
This can be useful to understand why "no live upstreams" happens,
in particular.
2015-05-20 22:44:00 +03:00
Maxim Dounin
f7f1607bf2 The "reuseport" option of the "listen" directive.
When configured, an individual listen socket on a given address is
created for each worker process.  This allows to reduce in-kernel lock
contention on configurations with high accept rates, resulting in better
performance.  As of now it works on Linux and DragonFly BSD.

Note that on Linux incoming connection requests are currently tied up
to a specific listen socket, and if some sockets are closed, connection
requests will be reset, see https://lwn.net/Articles/542629/.  With
nginx, this may happen if the number of worker processes is reduced.
There is no such problem on DragonFly BSD.

Based on previous work by Sepherosa Ziehau and Yingqi Lu.
2015-05-20 15:51:56 +03:00
Maxim Dounin
d5c34785bc Simplified ngx_http_init_listening().
There is no need to set "i" to 0, as it's expected to be 0 assuming
the bindings are properly sorted, and we already rely on this when
explicitly set hport->naddrs to 1.  Remaining conditional code is
replaced with identical "hport->naddrs = i + 1".

Identical modifications are done in the mail and stream modules,
in the ngx_mail_optimize_servers() and ngx_stream_optimize_servers()
functions, respectively.

No functional changes.
2015-05-20 15:51:28 +03:00
Maxim Dounin
68b3d28c55 Introduced worker number, ngx_worker. 2015-05-20 15:51:21 +03:00
Valentin Bartenev
9275dc19e6 Core: properly initialized written bytes counter in memory log. 2015-05-19 19:27:07 +03:00
Sergey Kandaurov
3670726bd3 Upstream hash: consistency across little/big endianness. 2015-05-18 16:05:44 +03:00
Ruslan Ermilov
4b9b16d27d Upstream: $upstream_connect_time.
The variable keeps time spent on establishing a connection with
the upstream server.
2015-05-16 01:32:27 +03:00
Ruslan Ermilov
b070e2d713 Upstream: times to obtain header/response are stored as ngx_msec_t. 2015-05-16 01:31:04 +03:00
Igor Sysoev
b55cd3f876 Events: ngx_event_t size reduction by grouping bit fields. 2015-05-15 17:15:33 +03:00
Ruslan Ermilov
91df4f0746 Events: made a failure to create a notification channel non-fatal.
This may happen if eventfd() returns ENOSYS, notably seen on CentOS 5.4.
Such a failure will now just disable the notification mechanism and let
the callers cope with it, instead of failing to start worker processes.
If thread pools are not configured, this can safely be ignored.
2015-05-06 17:04:00 +03:00
Ruslan Ermilov
80781f15b4 Removed the deprecated "imap" directive. 2015-04-29 13:53:24 +03:00
Ruslan Ermilov
3468015e12 Removed the deprecated "so_keepalive" directive. 2015-04-29 13:53:08 +03:00
Ruslan Ermilov
ea2f4d9175 Removed deprecated HTTP directives. 2015-04-29 13:52:49 +03:00
Ruslan Ermilov
3ceffb53fe Removed the deprecated "connections" directive. 2015-04-29 13:52:37 +03:00
Valentin Bartenev
89ad9ea309 Fixed overflow detection in ngx_inet_addr().
Overflow detection of the last octet might not work.

Reported by Sergey Polovko.
2015-04-28 18:55:03 +03:00
Valentin Bartenev
8568baef1f Version bump. 2015-04-28 18:54:48 +03:00
Maxim Dounin
2ec8cfcd7d Win32: shared memory base addresses and remapping.
Two mechanisms are implemented to make it possible to store pointers
in shared memory on Windows, in particular on Windows Vista and later
versions with ASLR:

- The ngx_shm_remap() function added to allow remapping of a shared memory
  zone to the address originally used for it in the master process.  While
  important, it doesn't solve the problem by itself as in many cases it's
  not possible to use the address because of conflicts with other
  allocations.

- We now create mappings at the same address in all processes by starting
  mappings at predefined addresses normally unused by newborn processes.

These two mechanisms combined allow to use shared memory on Windows
almost without problems, including reloads.

Based on the patch by Sergey Brester:
http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006836.html
2015-04-27 18:25:42 +03:00
Maxim Dounin
153dbf3877 Win32: fixed shm.handle loss on reload. 2015-04-27 03:44:30 +03:00
Maxim Dounin
c8aa659e45 Core: fixed nginx_shared_zone name. 2015-04-27 03:44:03 +03:00
Vladimir Homutov
4e010c2834 Mail: error_log support. 2015-02-20 15:31:37 +03:00
Vladimir Homutov
df555ffce6 Core: the ngx_set_connection_log() macro.
The http and stream versions of this macro were identical.
2015-04-25 22:44:02 +03:00
Roman Arutyunyan
d61f21c5e8 Merge proxy_protocol setting of listen directives.
It's now enough to specify proxy_protocol option in one listen directive to
enable it in all servers listening on the same address/port.  Previously,
the setting from the first directive was always used.
2015-04-24 10:54:06 +03:00
Ruslan Ermilov
3180f84b60 Removed the "worker_rlimit_sigpending" directive.
It was only needed by the just removed rtsig module.
2015-04-23 14:26:11 +03:00
Ruslan Ermilov
33b8e5bc06 Removed the obsolete rtsig module. 2015-04-23 14:17:40 +03:00
Ruslan Ermilov
c1882d9f3f Removed the obsolete aio module. 2015-04-22 18:57:32 +03:00
Roman Arutyunyan
39386c951c Stream: prevent repeated event notifications after eof.
When client or upstream connection is closed, level-triggered read event
remained active until the end of the session leading to cpu hog.  Now the flag
NGX_CLOSE_EVENT is used to unschedule the event.
2015-04-22 19:55:04 +03:00
Ruslan Ermilov
25ddb49dbe Upstream: allow multiple upstreams to use the same shared zone. 2015-04-22 18:37:34 +03:00
Martin Mlynář
958d4a0b1f Memcached: enabled ranges. 2015-04-21 21:04:36 +02:00
Ruslan Ermilov
673941f81d Upstream: simplified ip_hash and hash peer selection code.
Now that peers are stored as a list, the weighted and unweighted
cases became nearly identical.
2015-04-21 19:09:04 +03:00
Sergey Kandaurov
1ff5515e70 Limit req: removed check for unknown limit_req_zone.
With 48b3d5ddfb03, it's possible to specify limit_req_zone after limit_req.
2015-04-20 16:54:41 +03:00
Sergey Kandaurov
06ff117986 Core: allow shared memory size to be declared after a reference.
For example, this fixes the case when "proxy_cache_path" is specified
after "proxy_cache" that references it.
2015-04-20 16:53:04 +03:00
Ruslan Ermilov
c799c82faa Stream: port from NGINX+. 2015-04-20 13:05:11 +03:00
Ruslan Ermilov
a2dac51398 Upstream: fixed unlocked access to peer->conns. 2015-04-19 22:41:09 +03:00
Ruslan Ermilov
9b411460f9 Replaced the remaining NGX_OLD_THREADS check with NGX_WIN32. 2015-03-26 14:20:51 +03:00
Ruslan Ermilov
bfd2db83a7 Removed NGX_OLD_THREADS from select and poll modules.
These modules can't be compiled on win32.
2015-03-26 14:20:07 +03:00
Ruslan Ermilov
64c5df4b62 Removed "worker_threads" and "thread_stack_size" directives. 2015-03-26 14:15:17 +03:00
Ruslan Ermilov
324e389e17 Removed unused thread-local-storage code. 2015-03-26 14:15:15 +03:00
Ruslan Ermilov
2b0d2f0583 Removed ngx_threaded and related code. 2015-03-26 14:15:13 +03:00
Ruslan Ermilov
7c44e39220 Upstream: get rid of questionable micro-optimization in ip_hash.
If a peer was initially skipped due to max_fails, there's no reason
not to try it again if enough time has passed, and the next_upstream
logic is in action.

This also reduces diffs with NGINX Plus.
2015-04-16 20:09:11 +03:00
Sergey Kandaurov
d72fe76bb1 Core: ensure that ngx_config.h is always included first.
This fixes compilation of various 3rd party modules when nginx is
configured with threads.
2015-04-16 18:18:37 +03:00
Maxim Dounin
4091eb749b Version bump. 2015-04-16 17:26:19 +03:00
Ruslan Ermilov
cf31347ee8 Upstream: the "zone" directive.
Upstreams with the "zone" directive are kept in shared memory,
with a consistent view of all worker processes.
2015-04-14 19:01:25 +03:00
Ruslan Ermilov
b0b7b5a356 Upstreams: locking. 2015-04-14 19:01:23 +03:00
Ruslan Ermilov
3fc23e2542 Core: read/write locks. 2015-03-21 14:05:08 +03:00
Ruslan Ermilov
4d53631022 Upstream: store peers as a linked list.
This is an API change.
2015-04-10 14:48:36 +03:00
Ruslan Ermilov
18fa775b10 Upstream: track the number of active connections to upstreams.
This also simplifies the implementation of the least_conn module.
2015-04-10 13:16:23 +03:00
Ruslan Ermilov
b25f0ddcf1 Fixed build, broken by 8b7f062a3fe6.
Casting a "const char *" to "char *" doesn't work on older gcc versions.
2015-04-16 15:05:40 +03:00
Vladimir Homutov
fd4da89228 Core: added OpenSSL version information to "nginx -V" output. 2015-04-16 12:17:41 +03:00
Vladimir Homutov
513f184098 Version bump. 2015-04-16 12:13:51 +03:00
Ruslan Ermilov
edb0c6ba64 Core: guard against spinlock usage without atomic ops.
The new thread pools code uses spinlocks.
2015-03-26 14:15:06 +03:00
Sergey Kandaurov
38a97edf3a Core: limited levels of subdirectory hierarchy used for temp files.
Similar to ngx_http_file_cache_set_slot(), the last component of file->name
with a fixed length of 10 bytes, as generated in ngx_create_temp_path(), is
used as a source for the names of intermediate subdirectories with each one
taking its own part.  Ensure that the sum of specified levels with slashes
fits into the length (ticket #731).
2015-04-07 01:32:08 +03:00
Sergey Kandaurov
256082c4f8 Core: removed excessive initialization in ngx_conf_set_path_slot().
Level hierarchy is pre-zeroed in ngx_pcalloc() of the surrounding ngx_path_t.
2015-04-07 01:32:07 +03:00
Sergey Kandaurov
eed7d47930 Core: fixed error handling on ngx_conf_full_name() failure. 2015-04-07 01:32:05 +03:00
Ruslan Ermilov
8c82b75127 Upstream: abbreviated SSL handshake may interact badly with Nagle. 2015-04-07 00:07:04 +03:00
Valentin Bartenev
3f72e18908 Request body: always flush buffers if request buffering is off.
This fixes unbuffered proxying to SSL backends, since it prevents
ngx_ssl_send_chain() from accumulation of request body in the SSL
buffer.
2015-04-06 19:20:36 +03:00
Valentin Bartenev
1329c4af80 Used the correct type for the AIO preload handler return value. 2015-04-06 11:22:24 +03:00
Filipe da Silva
95aad2235d OCSP stapling: missing free calls.
Missing call to X509_STORE_CTX_free when X509_STORE_CTX_init fails.
Missing call to OCSP_CERTID_free when OCSP_request_add0_id fails.
Possible leaks in vary particular scenariis of memory shortage.
2015-04-01 15:05:08 +02:00
Valentin Bartenev
355a793b89 Cache: added support for reading of the header in thread pools. 2015-04-01 03:49:17 +03:00
Sergey Kandaurov
99bf1b56ec Fixed invalid access to complex value defined as an empty string.
Found by Valgrind.
2015-03-31 17:45:50 +03:00
Valentin Bartenev
51df7912c4 Events: fixed possible crash on start or reload.
The main thread could wake up and start processing the notify event
before the handler was set.
2015-03-27 21:19:20 +03:00
Valentin Bartenev
3ffbf84a5e Events: made posted events macros safe. 2015-03-27 19:57:15 +03:00
Valentin Bartenev
0e853129ac SPDY: always push pending data.
This helps to avoid suboptimal behavior when a client waits for a control
frame or more data to increase window size, but the frames have been delayed
in the socket buffer.

The delays can be caused by bad interaction between Nagle's algorithm on
nginx side and delayed ACK on the client side or by TCP_CORK/TCP_NOPUSH
if SPDY was working without SSL and sendfile() was used.

The pushing code is now very similar to ngx_http_set_keepalive().
2015-03-23 21:04:13 +03:00
Valentin Bartenev
44586bf5ee SPDY: fixed error handling in ngx_http_spdy_send_output_queue(). 2015-03-23 20:47:46 +03:00
Maxim Dounin
67986d81de Version bump. 2015-03-26 17:36:39 +03:00
Maxim Dounin
5e96e84ffb Proxy: fixed proxy_request_buffering and chunked with preread body.
If any preread body bytes were sent in the first chain, chunk size was
incorrectly added before the whole chain, including header, resulting in
an invalid request sent to upstream.  Fixed to properly add chunk size
after the header.
2015-03-26 02:31:30 +03:00
Maxim Dounin
7ec559df5d Upstream: uwsgi_request_buffering, scgi_request_buffering. 2015-03-23 21:09:19 +03:00
Maxim Dounin
f4714d26f0 FastCGI: fastcgi_request_buffering. 2015-03-23 21:09:19 +03:00
Maxim Dounin
756997b696 Proxy: proxy_request_buffering chunked support. 2015-03-23 21:09:19 +03:00
Maxim Dounin
2743bb68ee Request body: unbuffered reading.
The r->request_body_no_buffering flag was introduced.  It instructs
client request body reading code to avoid reading the whole body, and
to call post_handler early instead.  The caller should use the
ngx_http_read_unbuffered_request_body() function to read remaining
parts of the body.

Upstream module is now able to use this mode, if configured with
the proxy_request_buffering directive.
2015-03-23 21:09:19 +03:00
Maxim Dounin
d02d2cff9b Request body: filters support. 2015-03-23 21:09:19 +03:00
Maxim Dounin
be99a8801e Request body: moved request body writing to save filter. 2015-03-23 21:09:19 +03:00
Maxim Dounin
d21e644d80 Request body: free chain links in ngx_http_write_request_body(). 2015-03-23 21:09:12 +03:00
Maxim Dounin
4df7aa6f92 Output chain: free chain links in ngx_chain_writer(). 2015-03-23 21:09:05 +03:00
Maxim Dounin
9131eb11c9 Output chain: zero size buf alerts in ngx_chain_writer().
Now we log a "zero size buf in chain writer" alert if we encounter a zero
sized buffer in ngx_chain_writer(), and skip the buffer.
2015-03-23 20:56:58 +03:00
Maxim Dounin
3560af8999 Format specifier fixed for file size of buffers. 2015-03-23 19:28:54 +03:00
Maxim Dounin
58eb93f791 Proxy: fixed proxy_set_body with proxy_cache.
If the last header evaluation resulted in an empty header, the e.skip flag
was set and was not reset when we've switched to evaluation of body_values.
This incorrectly resulted in body values being skipped instead of producing
some correct body as set by proxy_set_body.  Fix is to properly reset
the e.skip flag.

As the problem only appeared if the last potentially non-empty header
happened to be empty, it only manifested itself if proxy_set_body was used
with proxy_cache.
2015-03-23 19:28:54 +03:00
Valentin Bartenev
e87a565aab Thread pools: implemented graceful exiting of threads. 2015-03-23 17:51:21 +03:00
Valentin Bartenev
510c9cdca8 Thread pools: removed unused pointer to memory pool.
No functional changes.
2015-03-23 17:51:21 +03:00
Valentin Bartenev
cb43696e0c Thread pools: keep waiting tasks mutex in ngx_thread_pool_t.
It's not needed for completed tasks queue since the previous change.

No functional changes.
2015-03-23 17:51:21 +03:00
Valentin Bartenev
f109a68b4f Thread pools: replaced completed tasks queue mutex with spinlock. 2015-03-23 17:51:21 +03:00
Ruslan Ermilov
07de3f538b Removed stub implementation of win32 mutexes. 2015-03-23 13:52:47 +03:00
Maxim Dounin
47c44355b5 SSL: use of SSL_MODE_NO_AUTO_CHAIN.
The SSL_MODE_NO_AUTO_CHAIN mode prevents OpenSSL from automatically
building a certificate chain on the fly if there is no certificate chain
explicitly provided.  Before this change, certificates provided via the
ssl_client_certificate and ssl_trusted_certificate directives were
used by OpenSSL to automatically build certificate chains, resulting
in unexpected (and in some cases unneeded) chains being sent to clients.
2015-03-23 02:42:35 +03:00
Maxim Dounin
a20c6d202e SSL: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
LibreSSL removed support for export ciphers and a call to
SSL_CTX_set_tmp_rsa_callback() results in an error left in the error
queue.  This caused alerts "ignoring stale global SSL error (...called
a function you should not call) while SSL handshaking" on a first connection
in each worker process.
2015-03-23 02:42:34 +03:00
Maxim Dounin
b0d8ff55a1 SSL: clear protocol options.
LibreSSL 2.1.1+ started to set SSL_OP_NO_SSLv3 option by default on
new contexts.  This makes sure to clear it to make it possible to use SSLv3
with LibreSSL if enabled in nginx config.

Prodded by Kuramoto Eiji.
2015-03-23 02:42:32 +03:00
Valentin Bartenev
cc569b9252 Core: added cyclic memory buffer support for error_log.
Example of usage:

  error_log memory:16m debug;

This allows to configure debug logging with minimum impact on performance.
It's especially useful when rare crashes are experienced under high load.

The log can be extracted from a coredump using the following gdb script:

  set $log = ngx_cycle->log

  while $log->writer != ngx_log_memory_writer
      set $log = $log->next
  end

  set $buf = (ngx_log_memory_buf_t *) $log->wdata
  dump binary memory debug_log.txt $buf->start $buf->end
2015-03-19 19:29:43 +03:00
Ruslan Ermilov
babd64e344 Removed busy locks. 2015-03-20 06:45:32 +03:00
Ruslan Ermilov
f8d10849ad Removed ngx_connection_t.lock. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
b6029a8a3f Removed unix ngx_threaded and related ngx_process_changes. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
d1ec868e32 Removed old pthread implementation. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
c84c19f5bf Removed old FreeBSD rfork() thread implementation. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
c34368715f Thread pools: silence warning on process exit.
Work around pthread_cond_destroy() and pthread_mutex_destroy() returning
EBUSY.  A proper solution would be to ensure all threads are terminated.
2015-03-19 23:20:18 +03:00
Ruslan Ermilov
afe1fcffaa Thread pools: fixed the waiting tasks accounting.
Behave like POSIX semaphores.  If N worker threads are waiting for tasks,
at least that number of tasks should be allowed to be put into the queue.
2015-03-19 13:00:48 +03:00
Ruslan Ermilov
20d07074e3 Thread pools: keep waiting tasks counter in ngx_thread_pool_t.
It's not needed for completed tasks queue.

No functional changes.
2015-03-19 23:19:35 +03:00
Xiaochen Wang
85048c0397 SPDY: fixed format specifier in logging. 2015-03-15 21:46:21 +08:00
Valentin Bartenev
7ed1a9681b Added support for offloading Linux sendfile() in thread pools. 2015-03-14 17:37:30 +03:00
Valentin Bartenev
a7ad493aa6 Added support for offloading read() in thread pools. 2015-03-14 17:37:25 +03:00
Ruslan Ermilov
547c8f601f Events: implemented eventport notification mechanism. 2015-03-14 17:37:21 +03:00
Valentin Bartenev
2b3c01e995 Events: implemented kqueue notification mechanism. 2015-03-14 17:37:16 +03:00
Valentin Bartenev
e10e7a4831 Events: implemented epoll notification mechanism. 2015-03-14 17:37:13 +03:00
Valentin Bartenev
305fc021db Thread pools implementation. 2015-03-14 17:37:07 +03:00
Ruslan Ermilov
83ba5ed2ec Renamed NGX_THREADS to NGX_OLD_THREADS because of deprecation.
It's mostly dead code and the original idea of worker threads has been rejected.
2015-03-04 18:26:25 +03:00
Ruslan Ermilov
4fe0a09942 Overflow detection in ngx_http_parse_chunked(). 2015-03-17 00:26:27 +03:00
Ruslan Ermilov
514cdb190f Overflow detection in ngx_http_range_parse(). 2015-03-17 00:26:24 +03:00
Ruslan Ermilov
a43f1bcf6e Overflow detection in ngx_inet_addr(). 2015-03-17 00:26:22 +03:00
Ruslan Ermilov
3ad3f4ae0a Core: overflow detection in ngx_parse_time() (ticket #732). 2015-03-17 00:26:20 +03:00
Ruslan Ermilov
7943fd374a Refactored ngx_parse_time().
No functional changes.
2015-03-17 00:26:18 +03:00
Ruslan Ermilov
8167ce8537 Core: overflow detection in number parsing functions. 2015-03-17 00:26:15 +03:00
Ruslan Ermilov
309928b941 Core: expose maximum values of time_t and ngx_int_t.
These are needed to detect overflows.
2015-03-17 00:24:34 +03:00
Ruslan Ermilov
db999274ec The "aio" directive parser made smarter.
It now prints meaningful warnings on all platforms.

No functional changes.
2015-03-13 16:42:52 +03:00
Ruslan Ermilov
bcd8123913 Events: fixed typo in the error message. 2015-03-12 23:03:03 +03:00
Ruslan Ermilov
067de7dde1 Deprecated "aio sendfile".
Specifying "sendfile on" along with "aio on" activates the
aio pre-loading mode for sendfile().
2015-03-12 20:06:04 +03:00
Ruslan Ermilov
5e5540f7dc Proxy: use an appropriate error on memory allocation failure. 2015-03-04 08:12:53 +03:00
Ruslan Ermilov
c238150a57 Style: moved ngx_http_ephemeral() macro to ngx_http_request.h. 2015-03-04 08:10:40 +03:00
Ruslan Ermilov
466b3b9250 Style: use %*s format, as in 68d21fd1dc64. 2015-03-04 08:05:38 +03:00
Valentin Bartenev
a9a01e0938 Log: use ngx_cpymem() in a couple of places, no functional changes. 2015-03-04 19:20:30 +03:00
Valentin Bartenev
2f3fb935b4 Upstream keepalive: drop ready flag on EAGAIN from recv(MSG_PEEK).
Keeping the ready flag in this case might results in missing notification of
broken connection until nginx tried to use it again.

While there, stale comment about stale event was removed since this function
is also can be called directly.
2015-03-03 17:48:57 +03:00
Ruslan Ermilov
b384247262 Events: simplified ngx_event_aio_t definition.
No functional changes.
2015-03-03 18:09:13 +03:00
Valentin Bartenev
ea881578a2 Refactored ngx_linux_sendfile_chain() even more.
The code that calls sendfile() was cut into a separate function.
This simplifies EINTR processing, yet is needed for the following
changes that add threads support.
2015-02-27 19:19:08 +03:00
Maxim Dounin
a0d543595d Style.
Noted by Ruslan Ermilov.
2015-03-03 01:15:21 +03:00
Maxim Dounin
14a93c5a15 Upstream: upstream argument in ngx_http_upstream_process_request().
In case of filter finalization, r->upstream might be changed during
the ngx_event_pipe() call.  Added an argument to preserve it while
calling the ngx_http_upstream_process_request() function.
2015-03-02 21:44:42 +03:00
Maxim Dounin
2b032e8df6 Upstream: avoid duplicate finalization.
A request may be already finalized when ngx_http_upstream_finalize_request()
is called, due to filter finalization: after filter finalization upstream
can be finalized via ngx_http_upstream_cleanup(), either from
ngx_http_terminate_request(), or because a new request was initiated
to an upstream.  Then the upstream code will see an error returned from
the filter chain and will call the ngx_http_upstream_finalize_request()
function again.

To prevent corruption of various upstream data in this situation, make sure
to do nothing but merely call ngx_http_finalize_request().

Prodded by Yichun Zhang, for details see the thread at
http://nginx.org/pipermail/nginx-devel/2015-February/006539.html.
2015-03-02 21:44:32 +03:00
Roman Arutyunyan
46a2236f22 SSL: reset ready flag if recv(MSG_PEEK) found no bytes in socket.
Previously, connection hung after calling ngx_http_ssl_handshake() with
rev->ready set and no bytes in socket to read.  It's possible in at least the
following cases:

 - when processing a connection with expired TCP_DEFER_ACCEPT on Linux
 - after parsing PROXY protocol header if it arrived in a separate TCP packet

Thanks to James Hamlin.
2015-03-02 21:15:46 +03:00
Roman Arutyunyan
f0b5f83378 Cache: do not inherit last_modified and etag from stale response.
When replacing a stale cache entry, its last_modified and etag could be
inherited from the old entry if the response code is not 200 or 206.  Moreover,
etag could be inherited with any response code if it's missing in the new
response.  As a result, the cache entry is left with invalid last_modified or
etag which could lead to broken revalidation.

For example, when a file is deleted from backend, its last_modified is copied to
the new 404 cache entry and is used later for revalidation.  Once the old file
appears again with its original timestamp, revalidation succeeds and the cached
404 response is sent to client instead of the file.

The problem appeared with etags in 44b9ab7752e3 (1.7.3) and affected
last_modified in 1573fc7875fa (1.7.9).
2015-03-02 19:47:13 +03:00
Roman Arutyunyan
bf7d76b943 Upstream hash: speedup consistent hash init.
Repeatedly calling ngx_http_upstream_add_chash_point() to create
the points array in sorted order, is O(n^2) to the total weight.
This can cause nginx startup and reconfigure to be substantially
delayed.  For example, when total weight is 1000, startup takes
5s on a modern laptop.

Replace this with a linear insertion followed by QuickSort and
duplicates removal.  Startup for total weight of 1000 reduces to 40ms.

Based on a patch by Wai Keen Woon.
2015-03-02 18:41:29 +03:00
Sergey Kandaurov
de3adad807 Mail: don't emit Auth-SSL-Verify with disabled ssl_verify_client.
Previously, the Auth-SSL-Verify header with the "NONE" value was always passed
to the auth_http script if verification of client certificates is disabled.
2015-02-27 16:28:31 +03:00