Commit Graph

4638 Commits

Author SHA1 Message Date
Ruslan Ermilov
ea2f4d9175 Removed deprecated HTTP directives. 2015-04-29 13:52:49 +03:00
Ruslan Ermilov
3ceffb53fe Removed the deprecated "connections" directive. 2015-04-29 13:52:37 +03:00
Valentin Bartenev
89ad9ea309 Fixed overflow detection in ngx_inet_addr().
Overflow detection of the last octet might not work.

Reported by Sergey Polovko.
2015-04-28 18:55:03 +03:00
Valentin Bartenev
8568baef1f Version bump. 2015-04-28 18:54:48 +03:00
Maxim Dounin
2ec8cfcd7d Win32: shared memory base addresses and remapping.
Two mechanisms are implemented to make it possible to store pointers
in shared memory on Windows, in particular on Windows Vista and later
versions with ASLR:

- The ngx_shm_remap() function added to allow remapping of a shared memory
  zone to the address originally used for it in the master process.  While
  important, it doesn't solve the problem by itself as in many cases it's
  not possible to use the address because of conflicts with other
  allocations.

- We now create mappings at the same address in all processes by starting
  mappings at predefined addresses normally unused by newborn processes.

These two mechanisms combined allow to use shared memory on Windows
almost without problems, including reloads.

Based on the patch by Sergey Brester:
http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006836.html
2015-04-27 18:25:42 +03:00
Maxim Dounin
153dbf3877 Win32: fixed shm.handle loss on reload. 2015-04-27 03:44:30 +03:00
Maxim Dounin
c8aa659e45 Core: fixed nginx_shared_zone name. 2015-04-27 03:44:03 +03:00
Vladimir Homutov
4e010c2834 Mail: error_log support. 2015-02-20 15:31:37 +03:00
Vladimir Homutov
df555ffce6 Core: the ngx_set_connection_log() macro.
The http and stream versions of this macro were identical.
2015-04-25 22:44:02 +03:00
Roman Arutyunyan
d61f21c5e8 Merge proxy_protocol setting of listen directives.
It's now enough to specify proxy_protocol option in one listen directive to
enable it in all servers listening on the same address/port.  Previously,
the setting from the first directive was always used.
2015-04-24 10:54:06 +03:00
Ruslan Ermilov
3180f84b60 Removed the "worker_rlimit_sigpending" directive.
It was only needed by the just removed rtsig module.
2015-04-23 14:26:11 +03:00
Ruslan Ermilov
33b8e5bc06 Removed the obsolete rtsig module. 2015-04-23 14:17:40 +03:00
Ruslan Ermilov
c1882d9f3f Removed the obsolete aio module. 2015-04-22 18:57:32 +03:00
Roman Arutyunyan
39386c951c Stream: prevent repeated event notifications after eof.
When client or upstream connection is closed, level-triggered read event
remained active until the end of the session leading to cpu hog.  Now the flag
NGX_CLOSE_EVENT is used to unschedule the event.
2015-04-22 19:55:04 +03:00
Ruslan Ermilov
25ddb49dbe Upstream: allow multiple upstreams to use the same shared zone. 2015-04-22 18:37:34 +03:00
Martin Mlynář
958d4a0b1f Memcached: enabled ranges. 2015-04-21 21:04:36 +02:00
Ruslan Ermilov
673941f81d Upstream: simplified ip_hash and hash peer selection code.
Now that peers are stored as a list, the weighted and unweighted
cases became nearly identical.
2015-04-21 19:09:04 +03:00
Sergey Kandaurov
1ff5515e70 Limit req: removed check for unknown limit_req_zone.
With 48b3d5ddfb03, it's possible to specify limit_req_zone after limit_req.
2015-04-20 16:54:41 +03:00
Sergey Kandaurov
06ff117986 Core: allow shared memory size to be declared after a reference.
For example, this fixes the case when "proxy_cache_path" is specified
after "proxy_cache" that references it.
2015-04-20 16:53:04 +03:00
Ruslan Ermilov
c799c82faa Stream: port from NGINX+. 2015-04-20 13:05:11 +03:00
Ruslan Ermilov
a2dac51398 Upstream: fixed unlocked access to peer->conns. 2015-04-19 22:41:09 +03:00
Ruslan Ermilov
9b411460f9 Replaced the remaining NGX_OLD_THREADS check with NGX_WIN32. 2015-03-26 14:20:51 +03:00
Ruslan Ermilov
bfd2db83a7 Removed NGX_OLD_THREADS from select and poll modules.
These modules can't be compiled on win32.
2015-03-26 14:20:07 +03:00
Ruslan Ermilov
64c5df4b62 Removed "worker_threads" and "thread_stack_size" directives. 2015-03-26 14:15:17 +03:00
Ruslan Ermilov
324e389e17 Removed unused thread-local-storage code. 2015-03-26 14:15:15 +03:00
Ruslan Ermilov
2b0d2f0583 Removed ngx_threaded and related code. 2015-03-26 14:15:13 +03:00
Ruslan Ermilov
7c44e39220 Upstream: get rid of questionable micro-optimization in ip_hash.
If a peer was initially skipped due to max_fails, there's no reason
not to try it again if enough time has passed, and the next_upstream
logic is in action.

This also reduces diffs with NGINX Plus.
2015-04-16 20:09:11 +03:00
Sergey Kandaurov
d72fe76bb1 Core: ensure that ngx_config.h is always included first.
This fixes compilation of various 3rd party modules when nginx is
configured with threads.
2015-04-16 18:18:37 +03:00
Maxim Dounin
4091eb749b Version bump. 2015-04-16 17:26:19 +03:00
Ruslan Ermilov
cf31347ee8 Upstream: the "zone" directive.
Upstreams with the "zone" directive are kept in shared memory,
with a consistent view of all worker processes.
2015-04-14 19:01:25 +03:00
Ruslan Ermilov
b0b7b5a356 Upstreams: locking. 2015-04-14 19:01:23 +03:00
Ruslan Ermilov
3fc23e2542 Core: read/write locks. 2015-03-21 14:05:08 +03:00
Ruslan Ermilov
4d53631022 Upstream: store peers as a linked list.
This is an API change.
2015-04-10 14:48:36 +03:00
Ruslan Ermilov
18fa775b10 Upstream: track the number of active connections to upstreams.
This also simplifies the implementation of the least_conn module.
2015-04-10 13:16:23 +03:00
Ruslan Ermilov
b25f0ddcf1 Fixed build, broken by 8b7f062a3fe6.
Casting a "const char *" to "char *" doesn't work on older gcc versions.
2015-04-16 15:05:40 +03:00
Vladimir Homutov
fd4da89228 Core: added OpenSSL version information to "nginx -V" output. 2015-04-16 12:17:41 +03:00
Vladimir Homutov
513f184098 Version bump. 2015-04-16 12:13:51 +03:00
Ruslan Ermilov
edb0c6ba64 Core: guard against spinlock usage without atomic ops.
The new thread pools code uses spinlocks.
2015-03-26 14:15:06 +03:00
Sergey Kandaurov
38a97edf3a Core: limited levels of subdirectory hierarchy used for temp files.
Similar to ngx_http_file_cache_set_slot(), the last component of file->name
with a fixed length of 10 bytes, as generated in ngx_create_temp_path(), is
used as a source for the names of intermediate subdirectories with each one
taking its own part.  Ensure that the sum of specified levels with slashes
fits into the length (ticket #731).
2015-04-07 01:32:08 +03:00
Sergey Kandaurov
256082c4f8 Core: removed excessive initialization in ngx_conf_set_path_slot().
Level hierarchy is pre-zeroed in ngx_pcalloc() of the surrounding ngx_path_t.
2015-04-07 01:32:07 +03:00
Sergey Kandaurov
eed7d47930 Core: fixed error handling on ngx_conf_full_name() failure. 2015-04-07 01:32:05 +03:00
Ruslan Ermilov
8c82b75127 Upstream: abbreviated SSL handshake may interact badly with Nagle. 2015-04-07 00:07:04 +03:00
Valentin Bartenev
3f72e18908 Request body: always flush buffers if request buffering is off.
This fixes unbuffered proxying to SSL backends, since it prevents
ngx_ssl_send_chain() from accumulation of request body in the SSL
buffer.
2015-04-06 19:20:36 +03:00
Valentin Bartenev
1329c4af80 Used the correct type for the AIO preload handler return value. 2015-04-06 11:22:24 +03:00
Filipe da Silva
95aad2235d OCSP stapling: missing free calls.
Missing call to X509_STORE_CTX_free when X509_STORE_CTX_init fails.
Missing call to OCSP_CERTID_free when OCSP_request_add0_id fails.
Possible leaks in vary particular scenariis of memory shortage.
2015-04-01 15:05:08 +02:00
Valentin Bartenev
355a793b89 Cache: added support for reading of the header in thread pools. 2015-04-01 03:49:17 +03:00
Sergey Kandaurov
99bf1b56ec Fixed invalid access to complex value defined as an empty string.
Found by Valgrind.
2015-03-31 17:45:50 +03:00
Valentin Bartenev
51df7912c4 Events: fixed possible crash on start or reload.
The main thread could wake up and start processing the notify event
before the handler was set.
2015-03-27 21:19:20 +03:00
Valentin Bartenev
3ffbf84a5e Events: made posted events macros safe. 2015-03-27 19:57:15 +03:00
Valentin Bartenev
0e853129ac SPDY: always push pending data.
This helps to avoid suboptimal behavior when a client waits for a control
frame or more data to increase window size, but the frames have been delayed
in the socket buffer.

The delays can be caused by bad interaction between Nagle's algorithm on
nginx side and delayed ACK on the client side or by TCP_CORK/TCP_NOPUSH
if SPDY was working without SSL and sendfile() was used.

The pushing code is now very similar to ngx_http_set_keepalive().
2015-03-23 21:04:13 +03:00
Valentin Bartenev
44586bf5ee SPDY: fixed error handling in ngx_http_spdy_send_output_queue(). 2015-03-23 20:47:46 +03:00
Maxim Dounin
67986d81de Version bump. 2015-03-26 17:36:39 +03:00
Maxim Dounin
5e96e84ffb Proxy: fixed proxy_request_buffering and chunked with preread body.
If any preread body bytes were sent in the first chain, chunk size was
incorrectly added before the whole chain, including header, resulting in
an invalid request sent to upstream.  Fixed to properly add chunk size
after the header.
2015-03-26 02:31:30 +03:00
Maxim Dounin
7ec559df5d Upstream: uwsgi_request_buffering, scgi_request_buffering. 2015-03-23 21:09:19 +03:00
Maxim Dounin
f4714d26f0 FastCGI: fastcgi_request_buffering. 2015-03-23 21:09:19 +03:00
Maxim Dounin
756997b696 Proxy: proxy_request_buffering chunked support. 2015-03-23 21:09:19 +03:00
Maxim Dounin
2743bb68ee Request body: unbuffered reading.
The r->request_body_no_buffering flag was introduced.  It instructs
client request body reading code to avoid reading the whole body, and
to call post_handler early instead.  The caller should use the
ngx_http_read_unbuffered_request_body() function to read remaining
parts of the body.

Upstream module is now able to use this mode, if configured with
the proxy_request_buffering directive.
2015-03-23 21:09:19 +03:00
Maxim Dounin
d02d2cff9b Request body: filters support. 2015-03-23 21:09:19 +03:00
Maxim Dounin
be99a8801e Request body: moved request body writing to save filter. 2015-03-23 21:09:19 +03:00
Maxim Dounin
d21e644d80 Request body: free chain links in ngx_http_write_request_body(). 2015-03-23 21:09:12 +03:00
Maxim Dounin
4df7aa6f92 Output chain: free chain links in ngx_chain_writer(). 2015-03-23 21:09:05 +03:00
Maxim Dounin
9131eb11c9 Output chain: zero size buf alerts in ngx_chain_writer().
Now we log a "zero size buf in chain writer" alert if we encounter a zero
sized buffer in ngx_chain_writer(), and skip the buffer.
2015-03-23 20:56:58 +03:00
Maxim Dounin
3560af8999 Format specifier fixed for file size of buffers. 2015-03-23 19:28:54 +03:00
Maxim Dounin
58eb93f791 Proxy: fixed proxy_set_body with proxy_cache.
If the last header evaluation resulted in an empty header, the e.skip flag
was set and was not reset when we've switched to evaluation of body_values.
This incorrectly resulted in body values being skipped instead of producing
some correct body as set by proxy_set_body.  Fix is to properly reset
the e.skip flag.

As the problem only appeared if the last potentially non-empty header
happened to be empty, it only manifested itself if proxy_set_body was used
with proxy_cache.
2015-03-23 19:28:54 +03:00
Valentin Bartenev
e87a565aab Thread pools: implemented graceful exiting of threads. 2015-03-23 17:51:21 +03:00
Valentin Bartenev
510c9cdca8 Thread pools: removed unused pointer to memory pool.
No functional changes.
2015-03-23 17:51:21 +03:00
Valentin Bartenev
cb43696e0c Thread pools: keep waiting tasks mutex in ngx_thread_pool_t.
It's not needed for completed tasks queue since the previous change.

No functional changes.
2015-03-23 17:51:21 +03:00
Valentin Bartenev
f109a68b4f Thread pools: replaced completed tasks queue mutex with spinlock. 2015-03-23 17:51:21 +03:00
Ruslan Ermilov
07de3f538b Removed stub implementation of win32 mutexes. 2015-03-23 13:52:47 +03:00
Maxim Dounin
47c44355b5 SSL: use of SSL_MODE_NO_AUTO_CHAIN.
The SSL_MODE_NO_AUTO_CHAIN mode prevents OpenSSL from automatically
building a certificate chain on the fly if there is no certificate chain
explicitly provided.  Before this change, certificates provided via the
ssl_client_certificate and ssl_trusted_certificate directives were
used by OpenSSL to automatically build certificate chains, resulting
in unexpected (and in some cases unneeded) chains being sent to clients.
2015-03-23 02:42:35 +03:00
Maxim Dounin
a20c6d202e SSL: avoid SSL_CTX_set_tmp_rsa_callback() call with LibreSSL.
LibreSSL removed support for export ciphers and a call to
SSL_CTX_set_tmp_rsa_callback() results in an error left in the error
queue.  This caused alerts "ignoring stale global SSL error (...called
a function you should not call) while SSL handshaking" on a first connection
in each worker process.
2015-03-23 02:42:34 +03:00
Maxim Dounin
b0d8ff55a1 SSL: clear protocol options.
LibreSSL 2.1.1+ started to set SSL_OP_NO_SSLv3 option by default on
new contexts.  This makes sure to clear it to make it possible to use SSLv3
with LibreSSL if enabled in nginx config.

Prodded by Kuramoto Eiji.
2015-03-23 02:42:32 +03:00
Valentin Bartenev
cc569b9252 Core: added cyclic memory buffer support for error_log.
Example of usage:

  error_log memory:16m debug;

This allows to configure debug logging with minimum impact on performance.
It's especially useful when rare crashes are experienced under high load.

The log can be extracted from a coredump using the following gdb script:

  set $log = ngx_cycle->log

  while $log->writer != ngx_log_memory_writer
      set $log = $log->next
  end

  set $buf = (ngx_log_memory_buf_t *) $log->wdata
  dump binary memory debug_log.txt $buf->start $buf->end
2015-03-19 19:29:43 +03:00
Ruslan Ermilov
babd64e344 Removed busy locks. 2015-03-20 06:45:32 +03:00
Ruslan Ermilov
f8d10849ad Removed ngx_connection_t.lock. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
b6029a8a3f Removed unix ngx_threaded and related ngx_process_changes. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
d1ec868e32 Removed old pthread implementation. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
c84c19f5bf Removed old FreeBSD rfork() thread implementation. 2015-03-20 06:43:19 +03:00
Ruslan Ermilov
c34368715f Thread pools: silence warning on process exit.
Work around pthread_cond_destroy() and pthread_mutex_destroy() returning
EBUSY.  A proper solution would be to ensure all threads are terminated.
2015-03-19 23:20:18 +03:00
Ruslan Ermilov
afe1fcffaa Thread pools: fixed the waiting tasks accounting.
Behave like POSIX semaphores.  If N worker threads are waiting for tasks,
at least that number of tasks should be allowed to be put into the queue.
2015-03-19 13:00:48 +03:00
Ruslan Ermilov
20d07074e3 Thread pools: keep waiting tasks counter in ngx_thread_pool_t.
It's not needed for completed tasks queue.

No functional changes.
2015-03-19 23:19:35 +03:00
Xiaochen Wang
85048c0397 SPDY: fixed format specifier in logging. 2015-03-15 21:46:21 +08:00
Valentin Bartenev
7ed1a9681b Added support for offloading Linux sendfile() in thread pools. 2015-03-14 17:37:30 +03:00
Valentin Bartenev
a7ad493aa6 Added support for offloading read() in thread pools. 2015-03-14 17:37:25 +03:00
Ruslan Ermilov
547c8f601f Events: implemented eventport notification mechanism. 2015-03-14 17:37:21 +03:00
Valentin Bartenev
2b3c01e995 Events: implemented kqueue notification mechanism. 2015-03-14 17:37:16 +03:00
Valentin Bartenev
e10e7a4831 Events: implemented epoll notification mechanism. 2015-03-14 17:37:13 +03:00
Valentin Bartenev
305fc021db Thread pools implementation. 2015-03-14 17:37:07 +03:00
Ruslan Ermilov
83ba5ed2ec Renamed NGX_THREADS to NGX_OLD_THREADS because of deprecation.
It's mostly dead code and the original idea of worker threads has been rejected.
2015-03-04 18:26:25 +03:00
Ruslan Ermilov
4fe0a09942 Overflow detection in ngx_http_parse_chunked(). 2015-03-17 00:26:27 +03:00
Ruslan Ermilov
514cdb190f Overflow detection in ngx_http_range_parse(). 2015-03-17 00:26:24 +03:00
Ruslan Ermilov
a43f1bcf6e Overflow detection in ngx_inet_addr(). 2015-03-17 00:26:22 +03:00
Ruslan Ermilov
3ad3f4ae0a Core: overflow detection in ngx_parse_time() (ticket #732). 2015-03-17 00:26:20 +03:00
Ruslan Ermilov
7943fd374a Refactored ngx_parse_time().
No functional changes.
2015-03-17 00:26:18 +03:00
Ruslan Ermilov
8167ce8537 Core: overflow detection in number parsing functions. 2015-03-17 00:26:15 +03:00
Ruslan Ermilov
309928b941 Core: expose maximum values of time_t and ngx_int_t.
These are needed to detect overflows.
2015-03-17 00:24:34 +03:00
Ruslan Ermilov
db999274ec The "aio" directive parser made smarter.
It now prints meaningful warnings on all platforms.

No functional changes.
2015-03-13 16:42:52 +03:00
Ruslan Ermilov
bcd8123913 Events: fixed typo in the error message. 2015-03-12 23:03:03 +03:00
Ruslan Ermilov
067de7dde1 Deprecated "aio sendfile".
Specifying "sendfile on" along with "aio on" activates the
aio pre-loading mode for sendfile().
2015-03-12 20:06:04 +03:00
Ruslan Ermilov
5e5540f7dc Proxy: use an appropriate error on memory allocation failure. 2015-03-04 08:12:53 +03:00
Ruslan Ermilov
c238150a57 Style: moved ngx_http_ephemeral() macro to ngx_http_request.h. 2015-03-04 08:10:40 +03:00
Ruslan Ermilov
466b3b9250 Style: use %*s format, as in 68d21fd1dc64. 2015-03-04 08:05:38 +03:00
Valentin Bartenev
a9a01e0938 Log: use ngx_cpymem() in a couple of places, no functional changes. 2015-03-04 19:20:30 +03:00
Valentin Bartenev
2f3fb935b4 Upstream keepalive: drop ready flag on EAGAIN from recv(MSG_PEEK).
Keeping the ready flag in this case might results in missing notification of
broken connection until nginx tried to use it again.

While there, stale comment about stale event was removed since this function
is also can be called directly.
2015-03-03 17:48:57 +03:00
Ruslan Ermilov
b384247262 Events: simplified ngx_event_aio_t definition.
No functional changes.
2015-03-03 18:09:13 +03:00
Valentin Bartenev
ea881578a2 Refactored ngx_linux_sendfile_chain() even more.
The code that calls sendfile() was cut into a separate function.
This simplifies EINTR processing, yet is needed for the following
changes that add threads support.
2015-02-27 19:19:08 +03:00
Maxim Dounin
a0d543595d Style.
Noted by Ruslan Ermilov.
2015-03-03 01:15:21 +03:00
Maxim Dounin
14a93c5a15 Upstream: upstream argument in ngx_http_upstream_process_request().
In case of filter finalization, r->upstream might be changed during
the ngx_event_pipe() call.  Added an argument to preserve it while
calling the ngx_http_upstream_process_request() function.
2015-03-02 21:44:42 +03:00
Maxim Dounin
2b032e8df6 Upstream: avoid duplicate finalization.
A request may be already finalized when ngx_http_upstream_finalize_request()
is called, due to filter finalization: after filter finalization upstream
can be finalized via ngx_http_upstream_cleanup(), either from
ngx_http_terminate_request(), or because a new request was initiated
to an upstream.  Then the upstream code will see an error returned from
the filter chain and will call the ngx_http_upstream_finalize_request()
function again.

To prevent corruption of various upstream data in this situation, make sure
to do nothing but merely call ngx_http_finalize_request().

Prodded by Yichun Zhang, for details see the thread at
http://nginx.org/pipermail/nginx-devel/2015-February/006539.html.
2015-03-02 21:44:32 +03:00
Roman Arutyunyan
46a2236f22 SSL: reset ready flag if recv(MSG_PEEK) found no bytes in socket.
Previously, connection hung after calling ngx_http_ssl_handshake() with
rev->ready set and no bytes in socket to read.  It's possible in at least the
following cases:

 - when processing a connection with expired TCP_DEFER_ACCEPT on Linux
 - after parsing PROXY protocol header if it arrived in a separate TCP packet

Thanks to James Hamlin.
2015-03-02 21:15:46 +03:00
Roman Arutyunyan
f0b5f83378 Cache: do not inherit last_modified and etag from stale response.
When replacing a stale cache entry, its last_modified and etag could be
inherited from the old entry if the response code is not 200 or 206.  Moreover,
etag could be inherited with any response code if it's missing in the new
response.  As a result, the cache entry is left with invalid last_modified or
etag which could lead to broken revalidation.

For example, when a file is deleted from backend, its last_modified is copied to
the new 404 cache entry and is used later for revalidation.  Once the old file
appears again with its original timestamp, revalidation succeeds and the cached
404 response is sent to client instead of the file.

The problem appeared with etags in 44b9ab7752e3 (1.7.3) and affected
last_modified in 1573fc7875fa (1.7.9).
2015-03-02 19:47:13 +03:00
Roman Arutyunyan
bf7d76b943 Upstream hash: speedup consistent hash init.
Repeatedly calling ngx_http_upstream_add_chash_point() to create
the points array in sorted order, is O(n^2) to the total weight.
This can cause nginx startup and reconfigure to be substantially
delayed.  For example, when total weight is 1000, startup takes
5s on a modern laptop.

Replace this with a linear insertion followed by QuickSort and
duplicates removal.  Startup for total weight of 1000 reduces to 40ms.

Based on a patch by Wai Keen Woon.
2015-03-02 18:41:29 +03:00
Sergey Kandaurov
de3adad807 Mail: don't emit Auth-SSL-Verify with disabled ssl_verify_client.
Previously, the Auth-SSL-Verify header with the "NONE" value was always passed
to the auth_http script if verification of client certificates is disabled.
2015-02-27 16:28:31 +03:00
Maxim Dounin
faec547771 Mail: client SSL certificates support.
The "ssl_verify_client", "ssl_verify_depth", "ssl_client_certificate",
"ssl_trusted_certificate", and "ssl_crl" directives introduced to control
SSL client certificate verification in mail proxy module.

If there is a certificate, detail of the certificate are passed to
the auth_http script configured via Auth-SSL-Verify, Auth-SSL-Subject,
Auth-SSL-Issuer, Auth-SSL-Serial, Auth-SSL-Fingerprint headers.  If
the auth_http_pass_client_cert directive is set, client certificate
in PEM format will be passed in the Auth-SSL-Cert header (urlencoded).

If there is no required certificate provided during an SSL handshake
or certificate verification fails then a protocol-specific error is
returned after the SSL handshake and the connection is closed.

Based on previous work by Sven Peter, Franck Levionnois and Filipe Da Silva.
2015-02-25 17:48:05 +03:00
Maxim Dounin
78e1a8ed7f Mail: added Auth-SSL header to indicate SSL.
Based on a patch by Filipe da Silva.
2015-02-25 17:47:49 +03:00
Maxim Dounin
52c5ba0f37 Mail: fixed buffer allocation for CRLF after Auth-SMTP-* headers.
There were no buffer overruns in real life as there is extra space
allocated for the Auth-Login-Attempt counter.
2015-02-25 17:47:43 +03:00
Ruslan Ermilov
c2c9a1c03e SSL: account sent bytes in ngx_ssl_write(). 2015-02-24 23:52:47 +03:00
Maxim Dounin
7dd799357d Core: fixed potential buffer overrun when initializing hash.
Initial size as calculated from the number of elements may be bigger
than max_size.  If this happens, make sure to set size to max_size.

Reported by Chris West.
2015-02-24 18:37:14 +03:00
Ruslan Ermilov
a4ce770a89 Cache: reduced diffs to the plus version of nginx.
No functional changes.
2015-02-17 16:27:52 +03:00
Roman Arutyunyan
6337c1d185 Core: make ngx_connection_local_sockaddr() always assign address.
Previously, this function checked for connection local address existence
and returned error if it was missing.  Now a new address is assigned in this
case making it possible to call this function not only for accepted connections.
2015-02-17 14:26:44 +03:00
Valentin Bartenev
0a3d458805 Unbreak building on FreeBSD without file AIO.
It appeared that the NGX_HAVE_AIO_SENDFILE macro was defined regardless of
the "--with-file-aio" configure option and the NGX_HAVE_FILE_AIO macro.

Now they are related.

Additionally, fixed one macro.
2015-02-11 20:00:07 +03:00
Valentin Bartenev
2b8d6ad805 Refactored sendfile() AIO preload.
This reduces layering violation and simplifies the logic of AIO preread, since
it's now triggered by the send chain function itself without falling back to
the copy filter.  The context of AIO operation is now stored per file buffer,
which makes it possible to properly handle cases when multiple buffers come
from different locations, each with its own configuration.
2015-02-11 17:52:15 +03:00
Ruslan Ermilov
2b7e167dbb Mail: fixed the duplicate listen address detection. 2015-01-23 15:23:29 +03:00
Ruslan Ermilov
0b30dec0d3 Mail: fixed a comment. 2015-01-23 15:23:27 +03:00
Ruslan Ermilov
3352461916 Upstream: detect port absence in fastcgi_pass with IP literal.
If fastcgi_pass (or any look-alike that doesn't imply a default
port) is specified as an IP literal (as opposed to a hostname),
port absence was not detected at configuration time and could
result in EADDRNOTAVAIL at run time.

Fixed this in such a way that configs like

http {
    server {
        location / {
            fastcgi_pass 127.0.0.1;
        }
    }

    upstream 127.0.0.1 {
        server 10.0.0.1:12345;
    }
}

still work.  That is, port absence check is delayed until after
we make sure there's no explicit upstream with such a name.
2015-01-22 16:23:32 +03:00
Ruslan Ermilov
917c47a918 Version bump. 2015-02-11 15:51:03 +03:00
Sergey Kandaurov
66c25a7d77 Core: fixed build on Tru64 UNIX.
There was a typo in NGX_EACCES.

Reported by Goetz T. Fischer.
2015-02-10 01:51:08 +03:00
Damien Tournoud
59969c22ce Fixed try_files directory test to match only a directory.
Historically, it was possible to match either a file or directory
in the following configuration:

    location / {
        try_files $uri/ =404;
    }
2015-01-21 00:26:32 +01:00
Roman Arutyunyan
2bae4205ab Core: fixed a race resulting in extra sem_post()'s.
The mtx->wait counter was not decremented if we were able to obtain the lock
right after incrementing it.  This resulted in unneeded sem_post() calls,
eventually leading to EOVERFLOW errors being logged, "sem_post() failed
while wake shmtx (75: Value too large for defined data type)".

To close the race, mtx->wait is now decremented if we obtain the lock right
after incrementing it in ngx_shmtx_lock().  The result can become -1 if a
concurrent ngx_shmtx_unlock() decrements mtx->wait before the added code does.
However, that only leads to one extra iteration in the next call of
ngx_shmtx_lock().
2015-02-04 16:22:43 +03:00
Roman Arutyunyan
cae1b5d63a Core: reverted prefix-based temp files (a9138c35120d).
The use_temp_path http cache feature is now implemented using a separate temp
hierarchy in cache directory.  Prefix-based temp files are no longer needed.
2015-02-02 21:28:09 +03:00
Roman Arutyunyan
f8fecbc94d Cache: added temp_path to file cache.
If use_temp_path is set to off, a subdirectory "temp" is created in the cache
directory.  It's used instead of proxy_temp_path and friends for caching
upstream response.
2015-02-02 19:38:35 +03:00
Roman Arutyunyan
54e14a387f Core: supported directory skipping in ngx_walk_tree().
If pre_tree_handler() returns NGX_DECLINED, the directory is ignored.
2015-02-02 19:38:32 +03:00
Valentin Bartenev
314d0d40e7 Fixed AIO handling in the output chain.
The ctx->aio flag must be taken into account in the short path too.
2015-01-28 21:33:06 +03:00
Igor Sysoev
415c8ec4b4 A bounds check of %N format on Windows.
Thanks to Joe Bialek, Adam Zabrocki and Microsoft Vulnerability Research.
2015-01-27 15:38:15 +03:00
Vladimir Homutov
7e1eba5faa Upstream: $upstream_header_time variable.
Keeps time spent on obtaining the header from an upstream server.  The value is
formatted similar to the $upstream_response_time variable.
2015-01-14 09:03:35 +03:00
Maxim Dounin
a1f330a0a2 Core: added disk_full_time checks to error log. 2015-01-13 19:51:37 +03:00
Maxim Dounin
2754fd3c80 Fixed sendfile() trailers on OS X (8e903522c17a, 1.7.8).
The trailer.count variable was not initialized if there was a header,
resulting in "sendfile() failed (22: Invalid argument)" alerts on OS X
if the "sendfile" directive was used.  The bug was introduced
in 8e903522c17a (1.7.8).
2015-01-13 18:58:23 +03:00
Valentin Bartenev
843fb552ec Upstream: use_temp_path parameter of proxy_cache_path and friends.
When set to "off", temporary files for cacheable responses will be stored
inside cache directory.
2014-12-26 16:22:59 +03:00
Valentin Bartenev
1858857c25 Cache: update variant while setting header.
Some parts of code related to handling variants of a resource moved into
a separate function that is called earlier.  This allows to use cache file
name as a prefix for temporary file in the following patch.
2014-12-26 16:22:56 +03:00
Valentin Bartenev
a54e37edda Core: added prefix-based temporary files.
Now, if the "path" parameter is NULL, ngx_create_temp_file() will use
file->name as a predefined file path prefix.
2014-12-26 16:22:54 +03:00
Valentin Bartenev
c07bebdcd1 Unified handling of ngx_create_temp_file() return value.
The original check for NGX_AGAIN was surplus, since the function returns
only NGX_OK or NGX_ERROR.  Now it looks similar to other places.

No functional changes.
2014-12-26 16:22:50 +03:00
Maxim Dounin
b8ee1ec7d3 Fixed building with musl libc (ticket #685). 2014-12-24 19:01:22 +03:00
Maxim Dounin
fe4b25c731 Version bump. 2014-12-24 18:53:38 +03:00
Valentin Bartenev
7817df480e Upstream: added variables support to proxy_cache and friends. 2014-12-22 12:59:09 +03:00
Valentin Bartenev
b24ad42008 Upstream: preset some cache configuration when bypassing.
No functional changes.
2014-12-22 12:59:06 +03:00
Valentin Bartenev
c40a72761c Upstream: refactored proxy_cache and friends.
The configuration handling code has changed to look similar to the proxy_store
directive and friends.  This simplifies adding variable support in the following
patch.

No functional changes.
2014-12-22 12:59:02 +03:00
Valentin Bartenev
66dcbab7a1 Upstream: mutually exclusive inheritance of "cache" and "store".
Currently, storing and caching mechanisms cannot work together, and a
configuration error is thrown when the proxy_store and proxy_cache
directives (as well as their friends) are configured on the same level.

But configurations like in the example below were allowed and could result
in critical errors in the error log:

    proxy_store on;

    location / {
        proxy_cache one;
    }

Only proxy_store worked in this case.

For more predictable and errorless behavior these directives now prevent
each other from being inherited from the previous level.
2014-12-22 12:58:59 +03:00
Valentin Bartenev
492844dbb1 Upstream: simplified proxy_store and friends configuration code.
This changes internal API related to handling of the "store"
flag in ngx_http_upstream_conf_t.  Previously, a non-null value
of "store_lengths" was enough to enable store functionality with
custom path.  Now, the "store" flag is also required to be set.

No functional changes.
2014-12-22 12:58:56 +03:00
Lukas Tribus
cf92831131 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
The flag was recently removed by BoringSSL.
2014-12-17 15:12:50 +01:00
Valentin Bartenev
16f248ebbb Autoindex: implemented XML output format. 2014-12-12 20:25:42 +03:00
Valentin Bartenev
5453f0afe6 Autoindex: implemented JSON output format. 2014-12-12 20:25:35 +03:00
Valentin Bartenev
921f728526 Autoindex: rendering code moved to a separate function.
No functional changes.
2014-12-12 20:25:28 +03:00
Maxim Dounin
d8c7616074 Headers filter: variables support in expires (ticket #113). 2014-12-11 23:42:11 +03:00
Maxim Dounin
cf21308885 Headers filter: local variables for config, no functional changes. 2014-12-11 23:42:06 +03:00
Valentin Bartenev
fb7d63250e Upstream: fixed inheritance of proxy_store and friends.
The proxy_store, fastcgi_store, scgi_store and uwsgi_store were inherited
incorrectly if a directive with variables was defined, and then redefined
to the "on" value, i.e. in configurations like:

    proxy_store /data/www$upstream_http_x_store;

    location / {
        proxy_store on;
    }
2014-10-09 20:30:11 +04:00
Maxim Dounin
827b2511e6 Proxy: fixed incorrect URI change due to if (ticket #86).
In the following configuration request was sent to a backend without
URI changed to '/' due to if:

    location /proxy-pass-uri {
        proxy_pass http://127.0.0.1:8080/;

        set $true 1;

        if ($true) {
            # nothing
        }
    }

Fix is to inherit conf->location from the location where proxy_pass was
configured, much like it's done with conf->vars.
2014-12-09 18:22:39 +03:00
Maxim Dounin
8d7c6491fe Upstream: fixed unexpected inheritance into limit_except blocks.
The proxy_pass directive and other handlers are not expected to be inherited
into nested locations, but there is a special code to inherit upstream
handlers into limit_except blocks, as well as a configuration into if{}
blocks.  This caused incorrect behaviour in configurations with nested
locations and limit_except blocks, like this:

    location / {
        proxy_pass http://u;

        location /inner/ {
            # no proxy_pass here

            limit_except GET {
                # nothing
            }
        }
    }

In such a configuration the limit_except block inside "location /inner/"
unexpectedly used proxy_pass defined in "location /", while it shouldn't.
Fix is to avoid inheritance of conf->upstream.upstream (and
conf->proxy_lengths) into locations which don't have noname flag.
2014-12-09 18:22:31 +03:00
Maxim Dounin
c863e1b3b5 Upstream: inheritance of proxy_pass and friends (ticket #645).
Instead of independant inheritance of conf->upstream.upstream (proxy_pass
without variables) and conf->proxy_lengths (proxy_pass with variables)
we now test them both and inherit only if neither is set.  Additionally,
SSL context is also inherited only in this case now.

Based on the patch by Alexey Radkov.
2014-12-09 18:21:55 +03:00
Maxim Dounin
88ed2d39af Proxy: the "TE" header now stripped by default (ticket #537). 2014-12-09 18:20:19 +03:00
Piotr Sikora
1ea64b3f8f Cache: send conditional requests only for cached 200/206 responses.
RFC7232 says:

   The 304 (Not Modified) status code indicates that a conditional GET
   or HEAD request has been received and would have resulted in a 200
   (OK) response if it were not for the fact that the condition
   evaluated to false.

which means that there is no reason to send requests with "If-None-Match"
and/or "If-Modified-Since" headers for responses cached with other status
codes.

Also, sending conditional requests for responses cached with other status
codes could result in a strange behavior, e.g. upstream server returning
304 Not Modified for cached 404 Not Found responses, etc.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-11-26 18:35:37 -08:00
Dmitrii Pichulin
cf5013dd3f SSL: loading certificate keys via ENGINE_load_private_key(). 2014-08-04 11:03:20 +04:00
Maxim Dounin
811281ec36 Version bump. 2014-12-04 16:37:31 +03:00
Maxim Dounin
6d52912a2a Cache: proper wakeup of subrequests.
In case of a cache lock timeout and in the aio handler we now call
r->write_event_handler() instead of a connection write handler,
to make sure to run appropriate subrequest.  Previous code failed to run
inactive subrequests and hence resulted in suboptimal behaviour, see
report by Yichun Zhang:

http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004435.html

(Infinite hang claimed in the report seems impossible without 3rd party
modules, as subrequests will be eventually woken up by the postpone filter.)
2014-12-02 05:54:56 +03:00
Maxim Dounin
10345663c8 Upstream: improved subrequest logging.
To ensure proper logging make sure to set current_request in all event
handlers, including resolve, ssl handshake, cache lock wait timer and
aio read handlers.  A macro ngx_http_set_log_request() introduced to
simplify this.
2014-12-02 05:54:54 +03:00
Sergey Kandaurov
778cc4b42e Access log: restricted "log_format" to "http" level.
Specifying the "log_format" directive on levels other than "http"
is deprecated since 73d37e1ccb91 (1.1.11).
2014-12-01 14:51:36 +03:00
Maxim Dounin
ece388033a Write filter: fixed handling of sync bufs (ticket #132). 2014-11-28 16:58:39 +03:00
Maxim Dounin
7fa89c744a Fixed post_action to not trigger "header already sent" alert.
The alert was introduced in 03ff14058272 (1.5.4), and was triggered on each
post_action invocation.

There is no real need to call header filters in case of post_action,
so return NGX_OK from ngx_http_send_header() if r->post_action is set.
2014-11-28 16:57:50 +03:00
Maxim Dounin
d228fa5093 Typo. 2014-11-28 16:57:23 +03:00
Valentin Bartenev
decaffa805 SPDY: push pending data while closing a stream as with keepalive.
This helps to avoid delays in sending the last chunk of data because
of bad interaction between Nagle's algorithm on nginx side and
delayed ACK on the client side.

Delays could also be caused by TCP_CORK/TCP_NOPUSH if SPDY was
working without SSL and sendfile() was used.
2014-11-21 22:51:49 +03:00
Vladimir Homutov
742b5dd045 Syslog: allowed underscore symbol in tag (ticket #667). 2014-11-20 20:02:21 +03:00
Ruslan Ermilov
ef563debf1 Resolver: fixed debug event logging.
In 954867a2f0a6, we switched to using resolver node as the timer event data.
This broke debug event logging.

Replaced now unused ngx_resolver_ctx_t.ident with ngx_resolver_node_t.ident
so that ngx_event_ident() extracts something sensible when accessing
ngx_resolver_node_t as ngx_connection_t.
2014-11-20 15:24:42 +03:00
Ruslan Ermilov
d4b7b74686 Resolver: fixed use-after-free memory access.
In 954867a2f0a6, we switched to using resolver node as the
timer event data, so make sure we do not free resolver node
memory until the corresponding timer is deleted.
2014-11-20 15:24:40 +03:00
Valentin Bartenev
96a62f1396 Style. 2014-11-19 21:46:01 +03:00
Valentin Bartenev
1276d8483e Fixed type of sendfile() return value on Linux.
There was no real problem since the amount of bytes can be sent is limited by
NGX_SENDFILE_MAXSIZE to less than 2G.  But that can be changed in the future
2014-11-19 21:18:13 +03:00
Valentin Bartenev
a301e1a706 Moved writev() handling code to a separate function.
This reduces code duplication and unifies debug logging of the writev() syscall
among various send chain functions.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
79ddab189f Merged conditions in the ngx_*_sendfile_chain() functions.
No functional changes.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
d85d459bb2 Moved the code for coalescing file buffers to a separate function. 2014-08-13 15:11:45 +04:00
Valentin Bartenev
f00918eab3 Refactored ngx_solaris_sendfilev_chain().
Though ngx_solaris_sendfilev_chain() shouldn't suffer from the problem mentioned
in d1bde5c3c5d2 since currently IOV_MAX on Solaris is 16, but this follows the
change from 3d5717550371 in order to make the code look similar to other systems
and potentially eliminates the problem in the future.
2014-11-19 21:17:11 +03:00
Valentin Bartenev
b29d599c0b Introduced the ngx_output_chain_to_iovec() function.
It deduplicates code of the send chain functions and uses only preallocated
memory, which completely solves the problem mentioned in d1bde5c3c5d2.
2014-10-07 11:38:57 +04:00
Valentin Bartenev
41ed973456 Renamed ngx_handle_sent_chain() to ngx_chain_update_sent().
No functional changes.
2014-11-19 21:16:19 +03:00
Piotr Sikora
3ecac9eaba Cache: add support for Cache-Control's s-maxage response directive.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-11-18 17:07:14 -08:00
Roman Arutyunyan
1b79cb211d Proxy: renamed and rearranged fields in proxy configuration.
No functional changes.
2014-11-19 17:33:24 +03:00
Roman Arutyunyan
8898c97dbd Upstream: different header lists for cached and uncached requests.
The upstream modules remove and alter a number of client headers
before sending the request to upstream.  This set of headers is
smaller or even empty when cache is disabled.

It's still possible that a request in a cache-enabled location is
uncached, for example, if cache entry counter is below min_uses.
In this case it's better to alter a smaller set of headers and
pass more client headers to backend unchanged.  One of the benefits
is enabling server-side byte ranges in such requests.
2014-11-19 17:33:23 +03:00
Roman Arutyunyan
bcf6b11a34 Upstream: moved header lists to separate structures.
No functional changes.
2014-11-19 17:33:22 +03:00
Roman Arutyunyan
62dfdf1814 Upstream: moved header initializations to separate functions.
No functional changes.
2014-11-19 17:33:21 +03:00
Roman Arutyunyan
3b33056522 Scgi: do not push redundant NULL element into conf->params. 2014-11-19 17:33:21 +03:00
Roman Arutyunyan
2628cc11d4 Cache: proxy_cache_lock_age and friends.
Once this age is reached, the cache lock is discarded and another
request can acquire the lock.  Requests which failed to acquire
the lock are not allowed to cache the response.
2014-11-18 20:41:12 +03:00
Valentin Bartenev
20d41493d4 SPDY: fixed check for too long header name or value.
For further progress a new buffer must be at least two bytes larger than
the remaining unparsed data.  One more byte is needed for null-termination
and another one for further progress.  Otherwise inflate() fails with
Z_BUF_ERROR.
2014-11-07 17:22:19 +03:00
Valentin Bartenev
42b6d57fb5 SPDY: improved debug logging of inflate() calls. 2014-11-07 17:19:12 +03:00
Maxim Dounin
1fd4cd0b96 SSL: logging level of "inappropriate fallback" (ticket #662).
Patch by Erik Dubbelboer.
2014-11-17 16:38:48 +03:00
Toshikuni Fukaya
d9f5baa0b8 Upstream: support named location for X-Accel-Redirect. 2014-11-04 19:56:23 +09:00
Piotr Sikora
a9d9b09103 Upstream: add "proxy_ssl_certificate" and friends.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-30 04:30:41 -07:00
Maxim Dounin
fb96936c1a SPDY: fixed "too long header line" logging.
This fixes possible one byte buffer overrun and makes sure ellipsis are
always added, see 21043ce2a005.
2014-11-07 17:38:55 +03:00
Maxim Dounin
e2bc3c11b2 Cache: removed dead store in ngx_http_file_cache_vary_header().
Found by Clang Static Analyzer.
2014-11-05 18:53:26 +03:00
Valentin Bartenev
f9b99baed3 Access log: cancel the flush timer on graceful shutdown.
Previously, it could prevent a worker process from exiting
for up to the configured flush timeout.
2014-08-25 13:41:31 +04:00
Valentin Bartenev
8b30fb7c97 Events: introduced cancelable timers. 2014-08-13 22:45:04 +04:00
Valentin Bartenev
16403bc7b1 Events: simplified cycle in ngx_event_expire_timers(). 2014-08-25 13:37:06 +04:00
Valentin Bartenev
246152c864 Events: removed broken thread support from event timers.
It's mostly dead code.  And the idea of thread support for this task has
been deprecated.
2014-08-25 13:34:39 +04:00
Sergey Kandaurov
33f5555940 SSL: simplified ssl_password_file error handling.
Instead of collecting a number of the possible SSL_CTX_use_PrivateKey_file()
error codes that becomes more and more difficult with the rising variety of
OpenSSL versions and its derivatives, just continue with the next password.

Multiple passwords in a single ssl_password_file feature was broken after
recent OpenSSL changes (commit 4aac102f75b517bdb56b1bcfd0a856052d559f6e).

Affected OpenSSL releases: 0.9.8zc, 1.0.0o, 1.0.1j and 1.0.2-beta3.

Reported by Piotr Sikora.
2014-10-24 04:28:00 -07:00
Piotr Sikora
54606d4625 SPDY: stop emitting multiple empty header values.
Previously, nginx would emit empty values in a header with multiple,
NULL-separated values.

This is forbidden by the SPDY specification, which requires headers to
have either a single (possibly empty) value or multiple, NULL-separated
non-empty values.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-27 14:25:56 -07:00
Valentin Bartenev
78dd8b5eda Version bump. 2014-10-28 21:58:49 +03:00
Kouhei Sutou
b3f9a94e6a Win32: made build-able with MinGW-w64 gcc. 2014-10-15 21:15:01 +09:00
Gu Feng
726c5726fb Upstream: limited next_upstream time and tries when resolving DNS.
When got multiple upstream IP addresses using DNS resolving, the number of
upstreams tries and the maxinum time spent for these tries were not affected.
This patch fixed it.
2014-10-27 19:52:03 +08:00
Roman Arutyunyan
cf1e4781a9 Write filter: stored delay in a variable, no functional changes.
The code is now similar to ngx_event_pipe_read_upstream().
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
18e4d042b0 Upstream: proxy_limit_rate and friends.
The directives limit the upstream read rate.  For example,
"proxy_limit_rate 42" limits proxy upstream read rate to
42 bytes per second.
2014-10-28 12:29:59 +03:00
Roman Arutyunyan
0989d63f06 Core: added limit to recv_chain(). 2014-10-28 12:29:58 +03:00
Maxim Dounin
5f625b7df0 Cache: normalization of some Vary headers.
Spaces in Accept-Charset, Accept-Encoding, and Accept-Language headers
are now ignored.  As per syntax of these headers spaces can only appear
in places where they are optional.
2014-10-27 21:14:12 +03:00
Maxim Dounin
6255935e0f Cache: multiple variants of a resource now can be stored.
If a variant stored can't be used to respond to a request, the variant
hash is used as a secondary key.

Additionally, if we previously switched to a secondary key, while storing
a response to cache we check if the variant hash still apply.  If not, we
switch back to the original key, to handle cases when Vary changes.
2014-10-27 21:14:10 +03:00
Maxim Dounin
83f00adc9b Cache: c->reading flag introduced.
It replaces c->buf in checks in ngx_http_file_cache_open(), making it possible
to reopen the file without clearing c->buf.  No functional changes.
2014-10-27 21:14:07 +03:00
Maxim Dounin
1332e76b20 Cache: hash of Vary headers now stored in cache.
To cache responses with Vary, we now calculate hash of headers listed
in Vary, and return the response from cache only if new request headers
match.

As of now, only one variant of the same resource can be stored in cache.
2014-10-27 21:13:58 +03:00
Maxim Dounin
fc785b12a0 Cache: disable caching of responses with Vary (ticket #118).
The "proxy_ignore_header" directive now undersands the "Vary" parameter
to ignore the header as needed.
2014-10-27 21:13:39 +03:00
Maxim Dounin
97e618c556 Gzip, gunzip: flush busy buffers if any.
Previous code resulted in transfer stalls when client happened
to read all the data in buffers at once, while all gzip buffers
were exhausted (but ctx->nomem wasn't set).  Make sure to call
next body filter at least once per call if there are busy buffers.

Additionally, handling of calls with NULL chain was changed to follow
the same logic, i.e., next body filter is only called with NULL chain
if there are busy buffers.  This is expected to fix "output chain is empty"
alerts as reported by some users after c52a761a2029 (1.5.7).
2014-10-15 22:57:23 +04:00
Maxim Dounin
9369cf8df3 Style. 2014-10-14 20:19:36 +04:00
Roman Arutyunyan
2244a5e9cf Upstream: proxy_force_ranges and friends.
The directives enable byte ranges for both cached and uncached
responses regardless of backend headers.
2014-10-14 18:32:01 +04:00
Kouhei Sutou
8ae7751878 Win32: suppressed warnings by "-Werror=sign-compare". 2014-10-11 21:09:29 +09:00
Kouhei Sutou
3df66a632a Win32: fixed wrong type cast.
GetQueuedCompletionStatus() document on MSDN says the
following signature:

    http://msdn.microsoft.com/en-us/library/windows/desktop/aa364986.aspx

    BOOL WINAPI GetQueuedCompletionStatus(
      _In_   HANDLE CompletionPort,
      _Out_  LPDWORD lpNumberOfBytes,
      _Out_  PULONG_PTR lpCompletionKey,
      _Out_  LPOVERLAPPED *lpOverlapped,
      _In_   DWORD dwMilliseconds
    );

In the latest specification, the type of the third argument
(lpCompletionKey) is PULONG_PTR not LPDWORD.
2014-10-11 20:56:35 +09:00
Maxim Dounin
c01481a4cb Fixed possible buffer overrun in "too long header line" logging.
Additionally, ellipsis now always added to make it clear that
the header logged is incomplete.

Reported by Daniil Bondarev.
2014-10-08 17:16:04 +04:00
Yichun Zhang
52e4dc2f74 Core: fixed buffer overrun when hash max_size reached. 2014-10-02 12:00:17 -07:00
Piotr Sikora
4a2fba2d46 Upstream: fix $upstream_cache_last_modified variable.
Due to the u->headers_in.last_modified_time not being correctly initialized,
this variable was evaluated to "Thu, 01 Jan 1970 00:00:00 GMT" for responses
cached without the "Last-Modified" header which resulted in subsequent proxy
requests being sent with "If-Modified-Since: Thu, 01 Jan 1970 00:00:00 GMT"
header.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-10-01 15:48:53 -07:00
Valentin Bartenev
840b347bb2 Fixed counting of sent bytes in the send chain functions on EINTR.
Previously, a value of the "send" variable wasn't properly adjusted
in a rare case when syscall was interrupted by a signal.  As a result,
these functions could send less data than the limit allows.
2014-08-27 20:51:01 +04:00
Valentin Bartenev
70995077ad Version bump. 2014-10-02 22:36:27 +04:00
Maxim Dounin
403a9efc0c Upstream keepalive: reset c->sent on cached connections.
The c->sent is reset to 0 on each request by server-side http code,
so do the same on client side.  This allows to count number of bytes
sent in a particular request.
2014-09-29 22:27:45 +04:00
Valentin Bartenev
c9fbbc8273 Limit req: reduced number of parameters in the lookup function.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
021a9df15b Limit req: use complex value in limit_req_zone.
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
with nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
98f7d0efb2 Limit conn: aligned field names in structures.
No functional changes.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
dd1ae4348a Limit conn: use complex value in limit_conn_zone (ticket #121).
One intentional side effect of this change is that key is allowed only
in the first position.  Previously, it was possible to specify the key
variable at any position, but that was never documented, and is contrary
to nginx configuration practice for positional parameters.
2014-09-24 21:55:19 +04:00
Valentin Bartenev
1866f15d7d Limit conn: removed deprecated "limit_zone" directive.
It's deprecated since 260d591cb6a3 (1.1.8).  The "limit_conn_zone" directive
should be used instead.
2014-09-24 21:55:19 +04:00
Vladimir Homutov
27fa3123f9 Syslog: improved error handling of unix domain sockets.
If a syslog daemon is restarted and the unix socket is used, further logging
might stop to work.  In case of send error, socket is closed, forcing
a reconnection at the next logging attempt.
2014-08-26 14:56:54 +04:00
Vladimir Homutov
d79cbf15e6 Syslog: enabled logging of send errors.
The ngx_cycle->log is used when sending the message.  This allows to log syslog
send errors in another log.

Logging to syslog after its cleanup handler has been executed was prohibited.
Previously, this was possible from ngx_destroy_pool(), which resulted in error
messages caused by attempts to write into the closed socket.

The "processing" flag is renamed to "busy" to better match its semantics.
2014-09-01 17:55:07 +04:00
Gu Feng
bba2ce8aae Avoided to add duplicate hash key in ngx_http_types_slot(). 2014-09-17 22:52:02 +08:00
Valentin Bartenev
840d205bac Removed duplicate initialization of the "rev" variable. 2014-09-22 19:48:23 +04:00
Valentin Bartenev
651be6067e Generalized definitions of the number of preallocated iovec's.
No functional changes.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
1cbeabfd4c Reduced difference between the send chain functions.
No functional changes.  This follows the change from ad137a80919f.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
0a02bdb249 Merged implementations of ngx_readv_chain().
There's no real need in two separate implementations,
with and without kqueue support.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
77d61350a4 Removed the "complete" variable from various send chain functions.
It was made redundant by the previous change, since the "sent" variable
is no longer modified.
2014-08-13 15:11:45 +04:00
Valentin Bartenev
4aac91049f Moved the code for adjusting sent buffers in a separate function. 2014-08-13 15:11:45 +04:00
Valentin Bartenev
8b6f1c7bb0 Fixed writev() debug log message in ngx_darwin_sendfile_chain(). 2014-08-13 15:11:45 +04:00
Roman Arutyunyan
ba1676f267 Upstream: fixed file buffers reinit in ngx_http_upstream_reinit().
Previously, a file buffer start position was reset to the file start.
Now it's reset to the previous file buffer end.  This fixes
reinitialization of requests having multiple successive parts of a
single file.  Such requests are generated by fastcgi module.
2014-09-18 16:37:16 +04:00
Roman Arutyunyan
66876d0b09 FastCGI: fixed start pointers in request buffers.
The start pointers are used in ngx_http_upstream_reinit() to
reinit FastCGI requests.
2014-09-18 16:37:14 +04:00
Valentin Bartenev
a7798de9bd Limit req: don't truncate key value to 255 bytes.
While the module allows to use values up to 65535 bytes as a key,
that actually never worked properly.
2014-09-16 21:12:51 +04:00
Valentin Bartenev
681f74a9ba Version bump. 2014-09-17 12:04:47 +04:00
Maxim Dounin
6ec0f4d85b SSL: session id context now includes certificate hash.
This prevents inappropriate session reuse in unrelated server{}
blocks, while preserving ability to restore sessions on other servers
when using TLS Session Tickets.

Additionally, session context is now set even if there is no session cache
configured.  This is needed as it's also used for TLS Session Tickets.

Thanks to Antoine Delignat-Lavaud and Piotr Sikora.
2014-09-15 17:59:47 +04:00
Valentin Bartenev
152d92b4b7 Access log: fixed the "if=" parameter with buffering (ticket #625).
It might not work if there were more than one "access_log" directives
pointed to the same file and duplicate buffer parameters.
2014-09-13 21:47:13 +04:00
Roman Arutyunyan
02ce6c415f Upstream: limited next_upstream time and tries (ticket #544).
The new directives {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_tries
and {proxy,fastcgi,scgi,uwsgi,memcached}_next_upstream_timeout limit
the number of upstreams tried and the maximum time spent for these tries
when searching for a valid upstream.
2014-09-12 18:50:47 +04:00
Roman Arutyunyan
cfc3db1972 Upstream: included backup peers into peer.tries.
Since peer.tries is never reset it can now be limited if required.
2014-09-12 18:50:46 +04:00
Maxim Dounin
4c7e1a8d85 Upstream keepalive: removed "single" parameter remnants.
The "single" parameter is deprecated and ignored since 5b5c07dee156 (1.3.2).
2014-09-11 20:09:04 +04:00
Maxim Dounin
3a235bf52e Added warning about unset cache keys.
In fastcgi, scgi and uwsgi modules there are no default cache keys, and
using a cache without a cache key set is likely meaningless.
2014-09-11 20:08:52 +04:00
Maxim Dounin
d7d26feba1 Style. 2014-09-11 20:08:45 +04:00
FengGu
b4cb8475b1 Upstream: avoided directly terminating the connection.
When memory allocation failed in ngx_http_upstream_cache(), the connection
would be terminated directly in ngx_http_upstream_init_request().
Return a INTERNAL_SERVER_ERROR response instead.
2014-08-13 14:53:55 +08:00
Maxim Dounin
cb8a0327ab Added ngx_init_setproctitle() return code check.
The ngx_init_setproctitle() function, as used on systems without
setproctitle(3), may fail due to memory allocation errors, and
therefore its return code needs to be checked.

Reported by Markus Linnala.
2014-09-08 21:36:09 +04:00
Maxim Dounin
90df702bf8 Fixed ETag memory allocation error handling.
The etag->hash must be set to 0 to avoid an empty ETag header being
returned with the 500 Internal Server Error page after the memory
allocation failure.

Reported by Markus Linnala.
2014-09-08 21:36:03 +04:00
Maxim Dounin
c5bee22d16 Core: ngx_regex_compile() error handling fixes.
Now we actually return NGX_ERROR on errors, and provide an error
string for memory allocation errors.

Reported by Markus Linnala.
2014-09-08 21:35:53 +04:00
Piotr Sikora
2af7181b3b SSL: guard use of all SSL options for bug workarounds.
Some of the OpenSSL forks (read: BoringSSL) started removing unused,
no longer necessary and/or not really working bug workarounds along
with the SSL options and defines for them.

Instead of fixing nginx build after each removal, be proactive
and guard use of all SSL options for bug workarounds.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-09-03 14:49:55 -07:00
Roman Arutyunyan
c0b3b9d6ca Upstream: suppressed the file cache slab allocator error messages.
The messages "ngx_slab_alloc() failed: no memory in cache keys zone"
from the file cache slab allocator are suppressed since the allocation
is likely to succeed after the forced expiration of cache nodes.
The second allocation failure is reported.
2014-09-05 18:14:59 +04:00
Valentin Bartenev
37d24e7e3b Events: processing of posted events changed from LIFO to FIFO.
In theory, this can provide a bit better distribution of latencies.

Also it simplifies the code, since ngx_queue_t is now used instead
of custom implementation.
2014-09-01 18:20:18 +04:00
Valentin Bartenev
2a81e05566 Events: removed broken thread support from posted events.
It's mostly dead code.  And the idea of thread support for this task has
been deprecated.
2014-09-01 18:20:03 +04:00
Valentin Bartenev
3ca3f609cb Mail: initialize the "signature" field of ngx_mail_session_t.
Currently it isn't used, but it can be suitable to distinguish
objects stored in c->data.
2014-09-01 17:50:59 +04:00
Ruslan Ermilov
be6175d49d Upstream: improved configuration parser diagnostics.
Made it clear when the selected balancing method does not
support certain parameters of the "server" directive.
2014-09-01 12:27:38 +04:00
Sergey Kandaurov
967c51c9ff Headers filter: "add_header" with "always" parameter (ticket #98).
If specified, the header field is set regardless of the status code.
2014-08-29 18:00:10 +04:00
Maxim Dounin
31c35adfe1 Variables: updated list of prefixes in ngx_http_rewrite_set(). 2014-08-27 21:38:08 +04:00
Maxim Dounin
8cf734c7b4 Variables: fixed non-indexed access of prefix vars (ticket #600).
Previously, a configuration like

    location / {
        ssi on;
        ssi_types *;
        set $http_foo "bar";
        return 200 '<!--#echo var="http_foo" -->\n';
    }

resulted in NULL pointer dereference in ngx_http_get_variable() as
the variable was explicitly added to the variables hash, but its
get_handler wasn't properly set in the hash.  Fix is to make sure
that get_handler is properly set by ngx_http_variables_init_vars().
2014-08-27 21:38:04 +04:00
Valentin Bartenev
dbcb16ff68 SPDY: added a comment about handling stream with the timer set. 2014-08-18 13:23:45 +04:00
Valentin Bartenev
c425f19daa SPDY: avoid setting timeout on stream events in ngx_http_writer().
The SPDY module doesn't expect timers can be set on stream events for reasons
other than delaying output.  But ngx_http_writer() could add timer on write
event if the delayed flag wasn't set and nginx is waiting for AIO completion.
That could cause delays in sending response over SPDY when file AIO was used.
2014-08-27 20:44:11 +04:00
Ruslan Ermilov
da46eed537 Resolver: notify all waiting requests on timeout.
If a "resolver_timeout" occurs, only the first waiting request
was notified.  Other requests may hang forever.
2014-08-19 15:43:26 +04:00
Ruslan Ermilov
8607e64b83 Stub status: corrected the "stub_status" directive.
The "stub_status" directive does not require an argument.
2014-08-26 17:35:23 +04:00
Valentin Bartenev
9fb2b9287d Sub filter: fixed matching for a single character. 2014-08-25 16:08:55 +04:00
Valentin Bartenev
c7efcf6ba6 Mail: fixed number of arguments allowed in the listen directive. 2014-08-20 13:13:27 +04:00
Valentin Bartenev
8575dc3516 Mail: fixed a comment.
There's no loc_conf in the mail module.
2014-08-20 13:13:27 +04:00
Roman Arutyunyan
a8227724c0 Mp4: use trak->smhd_size in ngx_http_mp4_read_smhd_atom().
Reported by Gang Li.
2014-08-19 14:13:39 +04:00
Sergey Kandaurov
3ed0e11d08 Image filter: downgrade strong etags to weak ones as needed. 2014-08-18 12:03:41 +04:00
Sergey Kandaurov
886ad0e9d3 Fixed typo. 2014-08-15 14:09:29 +04:00
Maxim Dounin
870b962382 Events: removed unused variable in ngx_poll_process_events(). 2014-08-10 17:44:46 +04:00
Yves Crespin
3c0c66c5d8 Events: format specifier fixes. 2014-08-07 15:04:43 +02:00
Yves Crespin
6a58555ca8 Events: changed nevents type to unsigned in poll module. 2014-08-07 14:56:57 +02:00
Tatsuhiko Kubo
12300c2a20 Style: use specified macro instead of magic-number. 2014-08-06 23:58:44 +09:00
Piotr Sikora
b3066b16e1 Perl: NULL-terminate argument list.
perl_parse() function expects argv/argc-style argument list,
which according to the C standard must be NULL-terminated,
that is: argv[argc] == NULL.

This change fixes a crash (SIGSEGV) that could happen because
of the buffer overrun during perl module initialization.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-19 04:16:36 -07:00
Maxim Dounin
8f0f4c10e9 Access log: allowed logs to syslog with "if=" (ticket #596). 2014-08-06 00:22:36 +04:00
Maxim Dounin
4b5876c922 Version bump. 2014-08-05 22:50:25 +04:00
Maxim Dounin
44f45a5466 Mail: discard pipelined commands after SMTP STARTTLS.
The bug had appeared in nginx 1.5.6 (04e43d03e153).

Reported by Chris Boulton.
2014-08-05 12:22:07 +04:00
Piotr Sikora
1fe0f6a9b9 Core: exit on ngx_pnalloc() failure.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-08-01 20:39:22 -07:00
Tatsuhiko Kubo
f240215ba6 Style: use ngx_free() instead of free(). 2014-08-03 03:27:39 +09:00
Tatsuhiko Kubo
244a6a28b1 Core: improved ngx_pstrdup() error handling. 2014-08-01 20:04:14 +09:00
Sergey Kandaurov
88132eed54 Status: indentation and style, no functional changes. 2014-08-01 18:36:35 +04:00
FengGu
bfa56738af Dav: ngx_http_map_uri_to_path() errors were not checked.
Once error occured, it could lead to use uninitialized variables to log,
even more segmentation fault.
2014-07-30 14:45:08 +08:00
Piotr Sikora
9ed633b930 SSL: let it build against LibreSSL.
LibreSSL developers decided that LibreSSL is OpenSSL-2.0.0, so tests
for OpenSSL-1.0.2+ are now passing, even though the library doesn't
provide functions that are expected from that version of OpenSSL.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-30 04:32:16 -07:00
Piotr Sikora
0dcfca0301 SSL: let it build against BoringSSL.
This change adds support for using BoringSSL as a drop-in replacement
for OpenSSL without adding support for any of the BoringSSL-specific
features.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-30 04:32:15 -07:00
Piotr Sikora
a57394b3e9 SSL: fix build with OPENSSL_NO_ENGINE and/or OPENSSL_NO_OCSP.
This is really just a prerequisite for building against BoringSSL,
which doesn't provide either of those features.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-28 12:27:57 -07:00
Maxim Dounin
5958181b1e Bigger iovec buffer in ngx_readv_chain().
This helps to reduce likelyhood of memory allocations in ngx_readv_chain(),
which are known to lead to noticeable effects in some cases, see
http://mailman.nginx.org/pipermail/nginx/2014-July/044512.html.
2014-07-28 18:30:19 +04:00
Maxim Dounin
8639e17f94 SSL: misplaced space in debug message. 2014-07-28 18:30:18 +04:00
Maxim Dounin
4b2f12a604 Upstream: SSL handshake timeouts.
Timeout may not be set on an upstream connection when we call
ngx_ssl_handshake() in ngx_http_upstream_ssl_init_connection(),
so make sure to arm it if it's not set.

Based on a patch by Yichun Zhang.
2014-07-28 18:30:14 +04:00
Yichun Zhang
7b24c53efe GeoIP: not all variable fields were initialized.
The ngx_http_geoip_city_float_variable and
ngx_http_geoip_city_int_variable functions did not always initialize
all variable fields like "not_found", which could lead to empty values
for those corresponding nginx variables randomly.
2014-07-25 14:43:29 -07:00
Piotr Sikora
3ba8f2f73d Core: use uppercase hexadecimal digits for percent-encoding.
RFC3986 says that, for consistency, URI producers and normalizers
should use uppercase hexadecimal digits for all percent-encodings.

This is also what modern web browsers and other tools use.

Using lowercase hexadecimal digits makes it harder to interact with
those tools in case when use of the percent-encoded URI is required,
for example when $request_uri is part of the cache key.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-26 23:39:23 -07:00
Vladimir Homutov
c54899ddfd Core: fixed default log initialization.
The ngx_log_insert() function may invalidate pointer passed to it,
so make sure to don't use it after the ngx_log_insert() call.
2014-07-24 16:25:07 +04:00
Maxim Dounin
248baf4262 Upstream: ngx_http_upstream_store() error handling fixes.
Previously, ngx_http_map_uri_to_path() errors were not checked in
ngx_http_upstream_store().  Moreover, in case of errors temporary
files were not deleted, as u->store was set to 0, preventing cleanup
code in ngx_http_upstream_finalize_request() from removing them.  With
this patch, u->store is set to 0 only if there were no errors.

Reported by Feng Gu.
2014-07-18 20:11:40 +04:00
Maxim Dounin
88d9289f82 Reset of r->uri.len on URI parsing errors.
This ensures that debug logging and the $uri variable (if used in
400 Bad Request processing) will not try to access uninitialized
memory.

Found by Sergey Bobrov.
2014-07-18 20:02:11 +04:00
Ruslan Ermilov
7e52432a05 Resolver: fixed resend on malformed responses.
DNS request resend on malformed responses was broken in 98876ce2a7fd (1.5.8).

Reported by Pramod Korathota.
2014-07-16 10:21:28 +04:00
Piotr Sikora
79c55b2cca SSL: fix build with recent OpenSSL.
X509_check_host() prototype changed recently:
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=ced3d91
- http://git.openssl.org/gitweb/?p=openssl.git;a=commitdiff;h=297c67f

Bump version requirement, so that OpenSSL-1.0.2-beta1 uses fallback code.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-09 12:27:15 -07:00
Jianjun Zheng
584692027b Core: bugfix for the ngx_slab_max_size case. 2014-06-18 16:39:59 +08:00
Tatsuhiko Kubo
cc870236b2 Style: use ngx_str_set(). 2014-07-09 23:23:59 +09:00
Tatsuhiko Kubo
ef2b59699a Style: use ngx_str_null(). 2014-07-09 23:22:14 +09:00
Tatsuhiko Kubo
bb4edb5cef Style: use ngx_strlen() instead of strlen(). 2014-07-09 23:20:40 +09:00
Piotr Sikora
12ca9c9c8f SPDY: fix support for headers with multiple values.
Split SPDY header with multiple, NULL-separated values:

    cookie: foo\0bar

into two separate HTTP headers with the same name:

    cookie: foo
    cookie: bar

Even though the logic for this behavior already existed
in the source code, it doesn't look that it ever worked
and SPDY streams with such headers were simply rejected.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 02:17:44 -07:00
Piotr Sikora
ba95686741 Style: fix typo.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
a02ca8e173 Style: use ngx_memcpy() instead of memcpy().
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
a2229a4035 Style: keep return type and function name on different lines.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
2cfcef5b42 Style: remove whitespace between function name and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:14 -07:00
Piotr Sikora
7e7589e746 Style: add whitespace between control statement and parentheses.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-08 03:03:13 -07:00
Piotr Sikora
d224ed7eea SSL: stop accessing SSL_SESSION's fields directly.
SSL_SESSION struct is internal part of the OpenSSL library and it's fields
should be accessed via API (when exposed), not directly.

The unfortunate side-effect of this change is that we're losing reference
count that used to be printed at the debug log level, but this seems to be
an acceptable trade-off.

Almost fixes build with -DOPENSSL_NO_SSL_INTERN.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:14 -07:00
Maxim Dounin
ce64398751 SSL: fixed build with OPENSSL_NO_DEPRECATED defined.
The RSA_generate_key() is marked as deprecated and causes build to
fail.  On the other hand, replacement function, RSA_generate_key_ex(),
requires much more code.  Since RSA_generate_key() is only needed
for barely usable EXP ciphers, the #ifdef was added instead.

Prodded by Piotr Sikora.
2014-07-09 04:08:13 +04:00
Piotr Sikora
bd058b9d24 SSL: return temporary RSA key only when the key length matches.
This change is mostly cosmetic, because in practice this callback
is used only for 512-bit RSA keys.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:13 -07:00
Piotr Sikora
f0e05f3d89 SSL: include correct OpenSSL headers.
Previously, <bn.h>, <dh.h>, <rand.h> and <rsa.h> were pulled in
by <engine.h> using OpenSSL's deprecated interface, which meant
that nginx couldn't have been built with -DOPENSSL_NO_DEPRECATED.

Both <x509.h> and <x509v3.h> are pulled in by <ocsp.h>, but we're
calling X509 functions directly, so let's include those as well.

<crypto.h> is pulled in by virtually everything, but we're calling
CRYPTO_add() directly, so let's include it as well.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-07-06 16:41:13 -07:00
Maxim Dounin
098c6bd81f Version bump. 2014-07-09 03:15:00 +04:00
Maxim Dounin
11bbbc051b Win32: ngx_open_dir() and ngx_close_dir() fixes.
The ngx_open_dir() function changed to restore name passed to it.  This
fixes removing destination directory in dav module, as caught by dav.t.
The ngx_close_dir() function introduced to properly convert errors, as
FindClose() returns 0 on error.
2014-07-05 23:29:47 +04:00
Maxim Dounin
d9152910d3 SSL: logging level of "peer closed connection in SSL handshake".
Previously, the NGX_LOG_INFO level was used unconditionally.  This is
correct for client SSL connections, but too low for connections to
upstream servers.  To resolve this, ngx_connection_error() now used
to log this error, it will select logging level appropriately.

With this change, if an upstream connection is closed during SSL
handshake, it is now properly logged at "error" level.
2014-07-04 22:14:36 +04:00
Maxim Dounin
4a75e1a63c Upstream: p->downstream_error instead of closing connection.
Previously, nginx closed client connection in cases when a response body
from upstream was needed to be cached or stored but shouldn't be sent to
the client.  While this is normal for HTTP, it is unacceptable for SPDY.

Fix is to use instead the p->downstream_error flag to prevent nginx from
sending anything downstream.  To make this work, the event pipe code was
modified to properly cache empty responses with the flag set.
2014-07-04 20:47:16 +04:00
Valentin Bartenev
3c2b5e88ab Upstream: fixed handling of write event after sending request.
The ngx_http_upstream_dummy_handler() must be set regardless of
the read event state.  This prevents possible additional call of
ngx_http_upstream_send_request_handler().
2014-07-01 20:52:08 +04:00
Valentin Bartenev
9f8785ae5e SSL: the "ssl_password_file" directive. 2014-06-16 19:43:25 +04:00
Maxim Dounin
9d4de05be4 Core: removed meaningless check from ngx_palloc_block().
The check became meaningless after refactoring in 2a92804f4109.
With the loop currently in place, "current" can't be NULL, hence
the check can be dropped.

Additionally, the local variable "current" was removed to
simplify code, and pool->current now used directly instead.

Found by Coverity (CID 714236).
2014-06-26 03:34:19 +04:00
Maxim Dounin
25250a20d2 Fixed wrong sizeof() in ngx_http_init_locations().
There is no real difference on all known platforms, but it's still wrong.

Found by Coverity (CID 400876).
2014-06-26 03:34:13 +04:00
Maxim Dounin
1a5cdafa82 Core: plugged socket leak during configuration test.
This isn't really important as configuration testing shortly ends with
a process termination which will free all sockets, though Coverity
complains.

Prodded by Coverity (CID 400872).
2014-06-26 03:34:05 +04:00
Maxim Dounin
46ac5c760c Upstream: cache revalidation using If-None-Match. 2014-06-26 02:35:01 +04:00
Maxim Dounin
b812961677 Cache: ETag now saved into cache header. 2014-06-26 02:28:23 +04:00
Maxim Dounin
c2e49a4196 Cache: version in cache files.
This allows to change the structure of cache files without spamming logs
with false alerts.
2014-06-26 02:27:21 +04:00
Maxim Dounin
8f9fb9570e Entity tags: explicit flag to skip not modified filter.
Previously, last_modified_time was tested against -1 to check if the
not modified filter should be skipped.  Notably, this prevented nginx
from additional If-Modified-Since (et al.) checks on proxied responses.
Such behaviour is suboptimal in some cases though, as checks are always
skipped on responses from a cache with ETag only (without Last-Modified),
resulting in If-None-Match being ignored in such cases.  Additionally,
it was not possible to return 412 from the If-Unmodified-Since if last
modification time was not known for some reason.

This change introduces explicit r->disable_not_modified flag instead,
which is set by ngx_http_upstream_process_headers().
2014-06-26 02:27:11 +04:00
Maxim Dounin
feb1649049 Entity tags: weak comparison for If-None-Match. 2014-06-26 02:21:20 +04:00
Maxim Dounin
def16742a1 Entity tags: downgrade strong etags to weak ones as needed.
See http://mailman.nginx.org/pipermail/nginx-devel/2013-November/004523.html.
2014-06-26 02:21:01 +04:00
Maxim Dounin
5d477a76fe Upstream: fixed cache revalidation with SSI.
Previous code in ngx_http_upstream_send_response() used last modified time
from r->headers_out.last_modified_time after the header filter chain was
already called.  At this point, last_modified_time may be already cleared,
e.g., with SSI, resulting in incorrect last modified time stored in a
cache file.  Fix is to introduce u->headers_in.last_modified_time instead.
2014-06-26 02:20:09 +04:00
Maxim Dounin
6c25c848cb Upstream: removed unused offset to content_length.
It's not needed since introduction of ngx_http_upstream_content_length()
in 103b0d9afe07.
2014-06-26 02:20:05 +04:00
Maxim Dounin
4e275cc73a Upstream: no need to clear r->headers_out.last_modified_time.
Clearing of the r->headers_out.last_modified_time field if a response
isn't cacheable in ngx_http_upstream_send_response() was introduced
in 3b6afa999c2f, the commit to enable not modified filter for cacheable
responses.  It doesn't make sense though, as at this point header was
already sent, and not modified filter was already executed.  Therefore,
the line was removed to simplify code.
2014-06-26 02:19:58 +04:00
Maxim Dounin
05dfc054f0 Not modified filter: debug log format fixed. 2014-06-26 02:19:55 +04:00
Ruslan Ermilov
02e39a3ecb Upstream: reduced diffs to the plus version of nginx.
No functional changes.
2014-06-20 12:55:41 +04:00
Sergey Kandaurov
80e5163f64 FreeBSD has migrated to Bugzilla. 2014-06-19 13:55:59 +04:00
Ruslan Ermilov
05d717b35d Core: added ngx_slab_calloc() and ngx_slab_calloc_locked().
These functions return zeroed memory, analogous to ngx_pcalloc().
2014-06-04 15:09:19 +04:00
Ruslan Ermilov
d1ba20d0c9 Version bump. 2014-06-18 13:39:20 +04:00
Ruslan Ermilov
20038acbfc Upstream: simplified some code that accesses peers.
No functional changes.
2014-06-12 21:13:24 +04:00
Piotr Sikora
a1a8defb49 Access log: fix default value, broken by cb308813b453.
log->filter ("if" parameter) was uninitialized when the default value
was being used, which would lead to a crash (SIGSEGV) when access_log
directive wasn't specified in the configuration.

Zero-fill the whole structure instead of zeroing fields one-by-one
in order to prevent similar issues in the future.

Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
2014-06-03 10:53:48 -07:00
Maxim Dounin
afb4aafc6e Core: slab allocator free pages defragmentation.
Large allocations from a slab pool result in free page blocks being fragmented,
eventually leading to a situation when no further allocation larger than a page
size are possible from the pool.  While this isn't a problem for nginx itself,
it is known to be bad for various 3rd party modules.  Fix is to merge adjacent
blocks of free pages in the ngx_slab_free_pages() function.

Prodded by Wandenberg Peixoto and Yichun Zhang.
2014-06-03 17:53:03 +04:00
Roman Arutyunyan
9b5a17b5e2 Upstream: generic hash module. 2014-06-02 16:16:22 +04:00
Valentin Bartenev
68336e1ede SPDY: fixed operator precedence in uint16/uint32 write macros.
Since the type cast has precedence higher than the bit shift operator,
all values were truncated to 8 bits.

These macros are used to construct header block for SYN_REPLY frame on
platforms with strict alignment requirements.  As a result, any response
that contains a header with name or value longer than 255 bytes was
corrupted on such platforms.
2014-05-29 21:15:19 +04:00
Sergey Kandaurov
0750df4f16 Fixed config parsing of the last try_files parameter.
Do not taste the last parameter against directory, as otherwise it would
result in the trailing slash being cut from the parameter value.

Notably, this prevents an internal redirect to an empty URI
if the parameter is set to the literal slash:

    location / { try_files $uri /; }
2014-05-28 20:18:05 +04:00
Maxim Dounin
e9a70114a2 Configure: added -Wno-deprecated-declarations on OS X.
Previous workaround to avoid warnings on OS X due to deprecated system
OpenSSL library (introduced in a3870ea96ccd) no longer works, as
the MAC_OS_X_VERSION_MIN_REQUIRED macro is ignored on OS X 10.9
if a compiler used supports __attribute__(availability).
2014-05-28 17:41:44 +04:00
Maxim Dounin
ffe21776fa Version bump. 2014-05-28 17:41:33 +04:00
Maxim Dounin
e36718de4b Sub filter: fixed subrequests handling.
In particular, properly output partial match at the end of a subrequest
response (much like we do at the end of a response), and reset/set the
last_in_chain flag as appropriate.

Reported by KAWAHARA Masashi.
2014-05-27 16:37:35 +04:00
Vladimir Homutov
21655ae097 Syslog: fixed message sending on win32. 2014-05-27 15:42:34 +04:00
Vladimir Homutov
8e82f06d3e Syslog: fixed possible resource leak and more verbose logging.
Found by Coverity (CID 1215646).
2014-05-26 23:34:44 +04:00
Ruslan Ermilov
5c17030671 Events: use eventfd() instead of syscall(SYS_eventfd) if possible.
This fixes --with-file-aio support on systems that lack eventfd()
syscall, notably aarch64 Linux.

The syscall(SYS_eventfd) may still be necessary on systems that
have eventfd() syscall in the kernel but lack it in glibc, e.g.
as seen in the current CentOS 5 release.
2014-05-23 16:37:05 +04:00
Roman Arutyunyan
3e279a8eb4 Upstream: fix tries check in ip_hash.
Make two checks for maximum number of tries consistent.
The other one checks '>' condition.
2014-05-23 13:47:05 +04:00
Ruslan Ermilov
7808ac0d42 Mail: output client port number on client connects (ticket #531). 2014-05-22 00:16:17 +04:00
Ruslan Ermilov
056e88ea11 Core: output client port number when logging accept event. 2014-05-22 00:16:09 +04:00
Maxim Dounin
ca02a1020c Mail: added a check for the number of arguments in MAIL/RCPT.
Missed during introduction of the SMTP pipelining support (04e43d03e153,
1.5.6).  Previously, the check wasn't needed as s->buffer was used directly
and the number of arguments didn't matter.

Reported by Svyatoslav Nikolsky.
2014-05-21 21:56:20 +04:00
Vladimir Homutov
493b898ae9 Added syslog support for error_log and access_log directives. 2014-05-12 16:34:15 +04:00
Ruslan Ermilov
1736c180f4 Configure: the --build= option.
If set, its value is output in "nginx -v" and in the error log.
2014-05-20 16:10:07 +04:00
Sergey Budnevitch
27899a923a SSL: $ssl_client_fingerprint variable. 2014-05-20 14:03:03 +04:00
Maxim Dounin
84409ec8e0 Setting $args now invalidates unparsed uri.
Prodded by Yichun Zhang.
2014-05-19 22:45:35 +04:00
Maxim Dounin
4884cd611e Charset filter: fixed charset setting on encoded replies.
If response is gzipped we can't recode response, but in case it's not
needed we still can add charset to Content-Type.

The r->ignore_content_encoding is dropped accordingly, charset with gzip_static
now properly works without any special flags.
2014-05-19 22:45:34 +04:00
Maxim Dounin
ffba0eeefb Fixed alias in regex locations with limit_except/if.
The ngx_http_map_uri_to_path() function used clcf->regex to detect if
it's working within a location given by a regular expression and have
to replace full URI with alias (instead of a part matching the location
prefix).  This is incorrect due to clcf->regex being false in implicit
locations created by if and limit_except.

Fix is to preserve relevant information in clcf->alias instead, by setting
it to NGX_MAX_SIZE_T_VALUE if an alias was specified in a regex location.
2014-05-16 17:42:24 +04:00
Valentin Bartenev
a785be76f6 SPDY: added protection from overrun of the receive buffer. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
3f023a4193 SPDY: added a debug point to the state buffer overflow protection. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
57e5c3e86d SPDY: refactored ngx_http_spdy_state_headers().
This change is similar to d2ac5cf4056d.  Special flag of completeness looks
surplus when there is also a counter of frame bytes left.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
d04a714a6d SPDY: improved logging. 2014-04-30 20:34:20 +04:00
Valentin Bartenev
d51d168066 SPDY: set log action for PROXY protocol only while parsing it.
Handling of PROXY protocol for SPDY connection is currently implemented as
a SPDY state.  And while nginx waiting for PROXY protocol data it continues
to process SPDY connection: initializes zlib context, sends control frames.
2014-05-15 19:22:06 +04:00
Valentin Bartenev
ef51079fe2 SPDY: ngx_http_spdy_state_headers() error handling cleanup.
- Specification-friendly handling of invalid header block or special headers.
   Such errors are not fatal for session and shouldn't lead to connection close;

 - Avoid mix of NGX_HTTP_PARSE_INVALID_REQUEST/NGX_HTTP_PARSE_INVALID_HEADER.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
cf770ddd82 SPDY: improved error handling of header block decompression.
Now cases when decompression failed due to internal error
and when a client sent corrupted data are distinguished.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
ba890408bd SPDY: removed ngx_http_spdy_state_headers_error().
The function just calls ngx_http_spdy_state_headers_skip() most of the time.
There was also an attempt of optimization to stop parsing if the client already
closed connection, but it looks strange and unfinished anyway.
2014-04-30 20:34:20 +04:00
Valentin Bartenev
63ee690751 SPDY: prevented creation of RST_STREAM in protocol error state.
Previously, the frame wasn't sent anyway (and had a wrong status code).
2014-05-15 19:18:26 +04:00
Valentin Bartenev
dfb9a5cb0d SPDY: improved ngx_http_spdy_state_protocol_error().
Now ngx_http_spdy_state_protocol_error() is able to close stream,
so there is no need in a separate call for this.

Also fixed zero status code in logs for some cases.
2014-04-30 20:33:58 +04:00
Valentin Bartenev
d9c25cdf19 SPDY: fixed one case of improper memory allocation error handling.
Now ngx_http_spdy_construct_request_line() doesn't try to finalize request
in case of failed memory allocation.
2014-04-30 02:16:21 +04:00
Ruslan Ermilov
5a3d4410cc Style: use %N instead of '\n' where appropriate. 2014-05-14 22:26:30 +04:00
Ruslan Ermilov
9b92f59aef Core: use '\r' for CR and '\n' for LF definitions. 2014-05-14 22:26:05 +04:00
Filipe da Silva
e1a183946f OCSP stapling: missing OCSP request free call. 2014-04-29 22:22:38 +02:00
Maxim Dounin
094bfc6beb Upstream: restored workaround for "if".
The 7022564a9e0e changeset made ineffective workaround from 2464ccebdb52
to avoid NULL pointer dereference with "if".  It is now restored by
moving the u->ssl_name initialization after the check.

Found by Coverity (CID 1210408).
2014-04-30 19:16:55 +04:00
Maxim Dounin
aa28897b22 Core: improved ngx_conf_parse() error handling.
Previous code failed to properly restore cf->conf_file in case of
ngx_close_file() errors, potentially resulting in double free of
cf->conf_file->buffer->start.

Found by Coverity (CID 1087507).
2014-04-30 19:16:49 +04:00
Maxim Dounin
60169aa3a1 Core: fixed error handling in ngx_reopen_files().
Found by Coverity (CID 1087509).
2014-04-30 19:16:40 +04:00
Maxim Dounin
17dad56e4e Cache: added ngx_quit check to ngx_http_file_cache_expire().
While managing big caches it is possible that expiring old cache items
in ngx_http_file_cache_expire() will take a while.  Added a check for
ngx_quit / ngx_terminate to make sure cache manager can be terminated
while in ngx_http_file_cache_expire().
2014-04-30 19:16:35 +04:00
Vladimir Homutov
ed6780aaf1 Upstream: added the "$upstream_cookie_<name>" variables. 2014-04-29 12:28:41 +04:00
Valentin Bartenev
b53306815e Proxy: fixed possible uninitialized memory access.
The ngx_http_proxy_rewrite_cookie() function expects the value of the
"Set-Cookie" header to be null-terminated, and for headers obtained
from proxied server it is usually true.

Now the ngx_http_proxy_rewrite() function preserves the null character
while rewriting headers.

This fixes accessing memory outside of rewritten value if both the
"proxy_cookie_path" and "proxy_cookie_domain" directives are used in
the same location.
2013-11-18 03:06:45 +04:00
Valentin Bartenev
58e26b88b7 Version bump. 2014-04-24 20:50:10 +04:00
Maxim Dounin
6898a634d3 SSL: explicit handling of empty names.
X509_check_host() can't handle non null-terminated names with zero length,
so make sure to fail before calling it.
2014-04-23 20:31:31 +04:00
Ruslan Ermilov
e0e811d601 Upstream: for ssl name, non-aligned memory allocation is enough. 2014-04-22 18:56:49 +04:00
Maxim Dounin
0fd4f76e68 SSL: added explicit check for ngx_strlchr() result. 2014-04-22 14:02:45 +04:00
Valentin Bartenev
f79908af6e SPDY: avoid sending RST_STREAM on WINDOW_UPDATE with unknown SID.
There's a race condition between closing a stream by one endpoint
and sending a WINDOW_UPDATE frame by another.  So it would be better
to just skip such frames for unknown streams, like is already done
for the DATA frames.
2014-04-21 19:21:17 +04:00
Valentin Bartenev
a57959b6cd SPDY: Stream-ID restrictions according to specification. 2014-04-21 18:59:53 +04:00
Maxim Dounin
cae1bd3831 Upstream: uwsgi_ssl_name, uwsgi_ssl_verify, and so on.
Just a merge of proxy_ssl_name, proxy_ssl_verify commits into uwsgi module,
code is identical.
2014-04-18 20:13:32 +04:00
Maxim Dounin
27475dd7ee Upstream: proxy_ssl_verify and friends. 2014-04-18 20:13:30 +04:00
Maxim Dounin
59ef4a3417 Upstream: proxy_ssl_name and proxy_ssl_server_name directives.
These directives allow to switch on Server Name Indication (SNI) while
connecting to upstream servers.

By default, proxy_ssl_server_name is currently off (that is, no SNI) and
proxy_ssl_name is set to a host used in the proxy_pass directive.
2014-04-18 20:13:28 +04:00
Maxim Dounin
93eb94d622 Upstream: plugged potential memory leak on reload.
The SSL_CTX_set_cipher_list() may fail if there are no valid ciphers
specified in proxy_ssl_ciphers / uwsgi_ssl_ciphers, resulting in
SSL context leak.

In theory, ngx_pool_cleanup_add() may fail too, but this case is
intentionally left out for now as it's almost impossible and proper fix
will require changes to http ssl and mail ssl code as well.
2014-04-18 20:13:24 +04:00
Maxim Dounin
6c9c973aa7 SSL: $ssl_server_name variable. 2014-04-18 20:13:21 +04:00
Maxim Dounin
583821c547 SSL: fixed misuse of NGX_LOG_DEBUG_HTTP. 2014-04-18 20:13:14 +04:00
Maxim Dounin
84785d8413 Version bump. 2014-04-18 20:12:53 +04:00
Sergey Kandaurov
7cf53e11f5 Access log: the "if" parameter of the "access_log" directive.
The parameter value specifies a condition under which the request is logged.
2014-04-15 21:32:56 +04:00
Valentin Bartenev
c69cabed1d SPDY: fixed typo in log message. 2014-04-16 11:40:42 +04:00
Valentin Bartenev
013449be01 Fixed missing "static" in declaration of ngx_http_gzip_quantity(). 2014-04-16 11:40:38 +04:00
Valentin Bartenev
7da40e6a99 SPDY: moved a variable initialization near to its check.
This should prevent attempts of using pointer before it was checked, since
all modern compilers are able to spot access to uninitialized variable.

No functional changes.
2014-04-09 18:15:32 +04:00
Valentin Bartenev
5d3f84e4e1 SPDY: fixed arguments supplied for an error message. 2014-04-08 20:12:30 +04:00
Valentin Bartenev
644a43ebd2 Version bump. 2014-04-08 20:11:31 +04:00
Valentin Bartenev
5cf11ab2e0 SPDY: avoid creating flush frames.
Previously, an empty frame object was created for an output chain that contains
only sync or flush empty buffers.  But since 39d7eef2e332 every DATA frame has
the flush flag set on its last buffer, so there's no need any more in additional
flush buffers in the output queue and they can be skipped.

Note that such flush frames caused an incorrect $body_bytes_sent value.
2014-04-07 23:35:33 +04:00
Valentin Bartenev
a547f4ac15 SPDY: consistently handle control frames with unknown type.
The SPDY draft 2 specification requires that if an endpoint receives a
control frame for a type it does not recognize, it must ignore the frame.
But the 3 and 3.1 drafts don't seem to declare any behavior for such case.
Then sticking with the previous draft in this matter looks to be right.

But previously, only 8 least significant bits of the type field were
parsed while the rest of 16 bits of the field were checked against zero.
Though there are no known frame types bigger than 255, this resulted in
inconsistency in handling of such frames: they were not recognized as
valid frames at all, and the connection was closed.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
108e4d94e4 SPDY: refactored ngx_http_spdy_state_read_data().
There's no more need in a separate indicator of frame completeness
after d74889fbf06d.
2014-04-07 19:27:56 +04:00
Valentin Bartenev
b2cd520673 SPDY: better detect premature closing of stream.
Following a24f88eff684, now the case when the FIN flag is set in SYN_STREAM
is also covered.
2014-04-07 19:27:56 +04:00
Maxim Dounin
55bef30474 Win32: fixed shared ssl_session_cache (ticket #528).
In a worker process shm_zone->data was set to NULL instead of a proper value
extracted from shared memory.
2014-04-07 18:55:57 +04:00