Commit Graph

4654 Commits

Author SHA1 Message Date
Maxim Dounin
e1d5455a74 Upstream: better detection of connect() failures with kqueue.
Pending EOF might be reported on both read and write events, whichever
comes first, so check both of them.

Patch by Yichun Zhang (agentzh), slightly modified.
2012-11-16 18:29:19 +00:00
Ruslan Ermilov
4d0d2b20ac Upstream: honor the "down" flag for a single server.
If an upstream block was defined with the only server marked as
"down", e.g.

    upstream u {
        server 127.0.0.1:8080 down;
    }

an attempt was made to contact the server despite the "down" flag.
It is believed that immediate 502 response is better in such a
case, and it's also consistent with what is currently done in case
of multiple servers all marked as "down".
2012-11-16 12:18:05 +00:00
Ruslan Ermilov
b67dbca1ca Variables $request_time and $msec.
Log module counterparts are preserved for efficiency.
2012-11-16 09:37:14 +00:00
Ruslan Ermilov
9997aaef70 Fixed setting of CPU affinity on respawn of dead worker processes.
Worker processes are now made aware of their sequential number needed
to select CPU affinity mask.  This replaces a workaround from r4865.
2012-11-16 09:25:52 +00:00
Ruslan Ermilov
5a1d76c9f2 Version bump. 2012-11-16 07:49:41 +00:00
Maxim Dounin
b472997dda release-1.3.8 tag 2012-10-30 13:35:18 +00:00
Maxim Dounin
34241bd43b nginx-1.3.8-RELEASE 2012-10-30 13:34:23 +00:00
Maxim Dounin
8e67fb4226 Event pipe: fixed handling of buf_to_file data.
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p->buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p->buf_to_file.

This fixes occasional cache file corruption, usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
2012-10-30 11:14:24 +00:00
Maxim Dounin
d310eeef3f Style, parentheses instead of braces in misc/GNUMakefile. 2012-10-30 11:09:38 +00:00
Maxim Dounin
1e12e7fa1d Variables $connection and $connection_requests.
Log module counterparts are removed as they aren't used often and
there is no need to preserve them for efficiency.
2012-10-29 17:17:59 +00:00
Maxim Dounin
7b3731862b Resolver: added missing memory allocation error handling. 2012-10-24 14:07:08 +00:00
Valentin Bartenev
09dca40b33 ngx_http_keepalive_handler() is now trying to not keep c->buffer's memory for
idle connections.

This behaviour is consistent with the ngx_http_set_keepalive() function and it
should decrease memory usage in some cases (especially if epoll/rtsig is used).
2012-10-23 14:36:18 +00:00
Andrey Belov
f7b32c479d Core: the "auto" parameter of the "worker_processes" directive.
The parameter will set the number of worker processes to the
autodetected number of available CPU cores.
2012-10-23 09:08:41 +00:00
Maxim Dounin
106dbc8d76 Removed conditional compilation from waitpid() error test.
There are reports that call to a signal handler for an exited process
despite waitpid() already called for the process may happen on Linux
as well.
2012-10-18 14:48:33 +00:00
Maxim Dounin
27b7eb17d0 Gunzip: fixed r->gzip_ok check. 2012-10-18 14:27:40 +00:00
Maxim Dounin
0d7a7e91cf OCSP stapling: properly check if there is ssl.ctx.
This fixes segfault if stapling was enabled in a server without a certificate
configured (and hence no ssl.ctx).
2012-10-05 11:09:14 +00:00
Maxim Dounin
82989420ad Variable $bytes_sent.
It replicates variable $bytes_sent as previously available in log module
only.

Patch by Benjamin Grössing (with minor changes).
2012-10-03 15:25:36 +00:00
Maxim Dounin
a707811a31 Log: $apache_bytes_sent removed.
It was renamed to $body_bytes_sent in nginx 0.3.10 and the old name is
deprecated since then.
2012-10-03 15:25:06 +00:00
Maxim Dounin
c846871ce1 SSL: the "ssl_verify_client" directive parameter "optional_no_ca".
This parameter allows to don't require certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
2012-10-03 15:24:08 +00:00
Maxim Dounin
f8cc8969d5 Version bump. 2012-10-03 15:22:18 +00:00
Maxim Dounin
fedc43df15 release-1.3.7 tag 2012-10-02 13:33:58 +00:00
Maxim Dounin
242b85ff40 nginx-1.3.7-RELEASE 2012-10-02 13:33:37 +00:00
Maxim Dounin
7eea509776 OCSP stapling: build fixes.
With the "ssl_stapling_verify" commit build with old OpenSSL libraries
was broken due to incorrect prototype of the ngx_ssl_stapling() function.
One incorrect use of ngx_log_debug() instead of ngx_log_debug2() slipped in
and broke win32 build.
2012-10-01 13:54:13 +00:00
Maxim Dounin
bec2cc5286 OCSP stapling: ssl_stapling_verify directive.
OCSP response verification is now switched off by default to simplify
configuration, and the ssl_stapling_verify allows to switch it on.

Note that for stapling OCSP response verification isn't something required
as it will be done by a client anyway.  But doing verification on a server
allows to mitigate some attack vectors, most notably stop an attacker from
presenting some specially crafted data to all site clients.
2012-10-01 12:53:11 +00:00
Maxim Dounin
3ebbb7d521 OCSP stapling: OCSP_basic_verify() OCSP_TRUSTOTHER flag now used.
This is expected to simplify configuration in a common case when OCSP
response is signed by a certificate already present in ssl_certificate
chain.  This case won't need any extra trusted certificates.
2012-10-01 12:51:27 +00:00
Maxim Dounin
1a07a7f2de OCSP stapling: log error data in ngx_ssl_error().
It's hard to debug OCSP_basic_verify() failures without the actual error
string it records in the error data field.
2012-10-01 12:50:36 +00:00
Maxim Dounin
872563a64d OCSP stapling: check Content-Type.
This will result in better error message in case of incorrect response
from OCSP responder:

... OCSP responder sent invalid "Content-Type" header: "text/plain"
    while requesting certificate status, responder: ...

vs.

... d2i_OCSP_RESPONSE() failed (SSL:
    error:0D07209B:asn1 encoding routines:ASN1_get_object:too long
    error:0D068066:asn1 encoding routines:ASN1_CHECK_TLEN:bad object header
    error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error)
    while requesting certificate status, responder: ...
2012-10-01 12:48:54 +00:00
Maxim Dounin
74ad4494a6 OCSP stapling: loading OCSP responses.
This includes the ssl_stapling_responder directive (defaults to OCSP
responder set in certificate's AIA extension).

OCSP response for a given certificate is requested once we get at least
one connection with certificate_status extension in ClientHello, and
certificate status won't be sent in the connection in question.  This due
to limitations in the OpenSSL API (certificate status callback is blocking).

Note: SSL_CTX_use_certificate_chain_file() was reimplemented as it doesn't
allow to access the certificate loaded via SSL_CTX.
2012-10-01 12:47:55 +00:00
Maxim Dounin
f7ec295fb4 OCSP stapling: the ngx_event_openssl_stapling.c file.
Missed in previous commit.
2012-10-01 12:42:43 +00:00
Maxim Dounin
85c920a0cd OCSP stapling: ssl_stapling_file support.
Very basic version without any OCSP responder query code, assuming valid
DER-encoded OCSP response is present in a ssl_stapling_file configured.

Such file might be produced with openssl like this:

openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
             -url http://ocsp.example.com
2012-10-01 12:41:08 +00:00
Maxim Dounin
3648ba7db8 OCSP stapling: ssl_trusted_certificate directive.
The directive allows to specify additional trusted Certificate Authority
certificates to be used during certificate verification.  In contrast to
ssl_client_certificate DNs of these cerificates aren't sent to a client
during handshake.

Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.

The same applies to a CRL (which is now always loaded).
2012-10-01 12:39:36 +00:00
Maxim Dounin
6a0f47e079 Resolver: cached addresses are returned with random rotation now.
This ensures balancing when working with dynamically resolved upstream
servers with multiple addresses.

Based on patch by Anton Jouline.
2012-09-28 18:28:38 +00:00
Andrey Belov
8be233c8f2 Correct plural form for "path" in the whole source base. 2012-09-28 13:49:26 +00:00
Andrey Belov
b33a316883 Made sure to initialize the entire ngx_file_t structure.
Found by Coverity.
2012-09-28 13:15:11 +00:00
Maxim Dounin
52b59ebc74 SSL: added version checks for ssl compression workaround.
The SSL_COMP_get_compression_methods() is only available as an API
function in OpenSSL 0.9.8+, require it explicitly to unbreak build
with OpenSSL 0.9.7.
2012-09-27 18:01:06 +00:00
Maxim Dounin
f4f72f9fb5 SSL: fixed compression workaround to remove all methods.
Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating
stack from 0 to n, resulting in removal of only even compression methods.

In real life this change is a nop, as there is only one compression method
which is enabled by default in OpenSSL.
2012-09-27 17:59:59 +00:00
Andrey Belov
181d58f9c9 Configure: additional test for ExtUtils::Embed perl module presence.
Now perl configure will correctly fail if ExtUtils::Embed perl module
is not present in the system (found on Amazon Linux AMI, as of
release 2012.03).
2012-09-27 15:01:57 +00:00
Maxim Dounin
8a1a54b0d6 Configure: help updated to list upstream keepalive and least_conn.
Patch by Joshua Zhu.
2012-09-26 16:39:38 +00:00
Maxim Dounin
927643e3e9 Added clearing of cpu_affinity after process spawn.
This fixes unwanted/incorrect cpu_affinity use on dead worker processes
respawn.  While this is not ideal, it's expected to be better when previous
situation where multiple processes were spawn with identical CPU affinity
set.

Reported by Charles Chen.
2012-09-26 16:25:12 +00:00
Maxim Dounin
f4473147e5 Version bump. 2012-09-26 15:52:06 +00:00
Maxim Dounin
b7e4607387 release-1.3.6 tag 2012-09-12 10:41:56 +00:00
Maxim Dounin
3b80194f50 nginx-1.3.6-RELEASE 2012-09-12 10:41:36 +00:00
Maxim Dounin
6fa37a6c3b Updated zlib used for win32 builds. 2012-09-11 13:36:34 +00:00
Maxim Dounin
f5e90ce368 Helper target "win32" to run configure for win32 builds. 2012-09-11 13:17:31 +00:00
Maxim Dounin
27b9435343 Configure: fixed make macros to use parentheses instead of braces.
Parentheses are more portable, in particular they are understood by nmake
while braces aren't.
2012-09-11 12:43:59 +00:00
Valentin Bartenev
a8742ab5f1 Improved 50x error page.
The feature set of the new page:

 - HTML5 compliant;
 - Looks similar to the new "Welcome page" (r4835);
 - Sysadmin hint with a link to the documentation of the "error_log" directive.
2012-09-11 12:37:04 +00:00
Maxim Dounin
8522a2a707 Configure: provide inflate() when building zlib on win32.
It is now needed for gunzip filter.
2012-09-11 12:35:30 +00:00
Maxim Dounin
4b948b49aa Gunzip: removed nginx.h leftover include. 2012-09-11 01:13:23 +00:00
Maxim Dounin
90bd33e8eb Gunzip filter import. 2012-09-10 16:52:47 +00:00
Maxim Dounin
86aee85d2e Gzip static: "always" parameter in "gzip_static" directive.
With "always" gzip static returns gzipped content in all cases, without
checking if client supports it.  It is useful if there are no uncompressed
files on disk anyway.
2012-09-10 16:48:25 +00:00