Commit Graph

6289 Commits

Author SHA1 Message Date
Sergey Kandaurov
5e28302dfc HTTP/2: style. 2018-02-15 02:34:16 +03:00
Ruslan Ermilov
c32d9d28fd HTTP/2: fixed null pointer dereference with server push.
r->headers_in.host can be NULL in ngx_http_v2_push_resource().

This happens when a request is terminated with 400 before the :authority
or Host header is parsed, and either pushing is enabled on the server{}
level or error_page 400 redirects to a location with pushes configured.

Found by Coverity (CID 1429156).
2018-02-09 23:20:08 +03:00
Ruslan Ermilov
09eb20c8a7 HTTP/2: fixed build with -Werror=unused-but-set-variable. 2018-02-08 12:11:30 +03:00
Ruslan Ermilov
6e52265b42 HTTP/2: server push.
Resources to be pushed are configured with the "http2_push" directive.

Also, preload links from the Link response headers, as described in
https://www.w3.org/TR/preload/#server-push-http-2, can be pushed, if
enabled with the "http2_push_preload" directive.

Only relative URIs with absolute paths can be pushed.

The number of concurrent pushes is normally limited by a client, but
cannot exceed a hard limit set by the "http2_max_concurrent_pushes"
directive.
2018-02-08 09:55:03 +03:00
Ruslan Ermilov
ac3c8ff364 HTTP/2: changed prototypes of request pseudo-headers parsers.
No functional changes.
2018-02-08 09:54:49 +03:00
Ruslan Ermilov
8590d9d615 Basic support of the Link response header. 2018-02-08 09:54:18 +03:00
Roman Arutyunyan
d31d547dba Dav: added error logging.
Previously, when request body was not available or was previously read in
memory rather than a file, client received HTTP 500 error, but no explanation
was logged in error log.  This could happen, for example, if request body was
read or discarded prior to error_page redirect, or if mirroring was enabled
along with dav.
2018-02-07 16:44:29 +03:00
Sergey Kandaurov
bde18907ac HTTP/2: removed unused field from ngx_http_v2_stream_t. 2018-02-06 20:02:59 +03:00
Gena Makhomed
776869a974 Contrib: vim syntax, update 3rd party module directives.
Add new directives for 3rd party modules.
2018-02-01 11:15:14 +02:00
Gena Makhomed
b0f53dd0eb Contrib: vim syntax, update core module directives.
"match" is block directive, "upstream_conf" is deprecated
by patch http://hg.nginx.org/nginx.org/rev/27c53e1cb4b6
2018-02-01 11:09:35 +02:00
Ruslan Ermilov
c8f46e070f Upstream: removed X-Powered-By from the list of special headers.
After 1e720b0be7ec, it's neither specially processed nor copied
when redirecting with X-Accel-Redirect.
2018-01-30 22:23:58 +03:00
Sergey Kandaurov
57dde2ab37 SSL: using default server context in session remove (closes #1464).
This fixes segfault in configurations with multiple virtual servers sharing
the same port, where a non-default virtual server block misses certificate.
2018-01-30 17:46:31 +03:00
Ruslan Ermilov
2213695368 HTTP/2: finalize request as bad if parsing of pseudo-headers fails.
This is in line when the required pseudo-headers are missing, and
avoids spurious zero statuses in access.log.
2018-01-30 14:44:31 +03:00
Ruslan Ermilov
0b8b91f45f HTTP/2: more style, comments, and debugging. 2018-01-29 16:06:33 +03:00
Ruslan Ermilov
34cf5d5e6a HTTP/2: handle duplicate INITIAL_WINDOW_SIZE settings. 2018-01-29 15:54:36 +03:00
Ruslan Ermilov
63a4dab7b0 Fixed --test-build-eventport on macOS 10.12 and later.
In macOS 10.12, CLOCK_REALTIME and clockid_t were added, but not timer_t.
2018-01-16 13:52:03 +03:00
Maxim Dounin
3377c00119 Upstream: fixed "header already sent" alerts on backend errors.
Following ad3f342f14ba046c (1.9.13), it is possible that a request where
header was already sent will be finalized with NGX_HTTP_BAD_GATEWAY,
triggering an attempt to return additional error response and the
"header already sent" alert as a result.

In particular, it is trivial to reproduce the problem with a HEAD request
and caching enabled.  With caching enabled nginx will change HEAD to GET
and will set u->pipe->downstream_error to suppress sending the response
body to the client.  When a backend-related error occurs (for example,
proxy_read_timeout expires), ngx_http_finalize_upstream_request() will
be called with NGX_HTTP_BAD_GATEWAY.  After ad3f342f14ba046c this will
result in ngx_http_finalize_request(NGX_HTTP_BAD_GATEWAY).

Fix is to move u->pipe->downstream_error handling to a later point,
where all special response codes are changed to NGX_ERROR.

Reported by Jan Prachar,
http://mailman.nginx.org/pipermail/nginx-devel/2018-January/010737.html.
2018-01-11 21:43:49 +03:00
Maxim Dounin
9b81d3b1bb Year 2018. 2018-01-11 21:43:24 +03:00
Gena Makhomed
b87240dded Contrib: vim syntax, update core module directives.
Removed non-existent directives and directive redefinitions.
2017-12-28 12:01:05 +02:00
Gena Makhomed
28b53b7546 Contrib: vim syntax, update 3rd party module directives.
3rd party modules list synchronized with FreeBSD nginx-devel port.
2017-12-28 11:49:44 +02:00
Maxim Dounin
742f413e91 Version bump. 2017-12-30 00:15:07 +03:00
Maxim Dounin
196c1a0cb4 release-1.13.8 tag 2017-12-26 19:01:12 +03:00
Maxim Dounin
3860a5e6c9 nginx-1.13.8-RELEASE 2017-12-26 19:01:11 +03:00
Maxim Dounin
9402b81547 Updated OpenSSL used for win32 builds. 2017-12-26 17:48:49 +03:00
Gena Makhomed
44c16b2e70 Contrib: vim syntax, listen options. 2017-12-25 18:30:01 +02:00
Gena Makhomed
6e0d2f898d Contrib: vim syntax, update core module directives. 2017-12-25 17:57:01 +02:00
Maxim Dounin
9bc0ced4a7 Contrib: updated vim syntax rules for variables.
Non-quoted parameters are allowed to contain variables in curly brackets
(see d91a8c4ac6bb), so vim syntax rules were adjusted accordingly.
2017-12-25 19:41:00 +03:00
Roman Arutyunyan
0ad556fe59 Allowed configuration token to start with a variable.
Specifically, it is now allowed to start with a variable expression with braces:
${name}.  The opening curly bracket in such a token was previously considered
the start of a new block.  Variables located anywhere else in a token worked
fine: foo${name}.
2017-12-21 13:29:40 +03:00
Roman Arutyunyan
ce45ded2a8 Fixed capabilities version.
Previously, capset(2) was called with the 64-bit capabilities version
_LINUX_CAPABILITY_VERSION_3.  With this version Linux kernel expected two
copies of struct __user_cap_data_struct, while only one was submitted.  As a
result, random stack memory was accessed and random capabilities were requested
by the worker.  This sometimes caused capset() errors.  Now the 32-bit version
_LINUX_CAPABILITY_VERSION_1 is used instead.  This is OK since CAP_NET_RAW is
a 32-bit capability (CAP_NET_RAW = 13).
2017-12-19 19:00:27 +03:00
Roman Arutyunyan
0e92c213f5 Improved the capabilities feature detection.
Previously included file sys/capability.h mentioned in capset(2) man page,
belongs to the libcap-dev package, which may not be installed on some Linux
systems when compiling nginx.  This prevented the capabilities feature from
being detected and compiled on that systems.

Now linux/capability.h system header is included instead.  Since capset()
declaration is located in sys/capability.h, now capset() syscall is defined
explicitly in code using the SYS_capset constant, similarly to other
Linux-specific features in nginx.
2017-12-18 21:09:39 +03:00
Roman Arutyunyan
752f66bf7d Retain CAP_NET_RAW capability for transparent proxying.
The capability is retained automatically in unprivileged worker processes after
changing UID if transparent proxying is enabled at least once in nginx
configuration.

The feature is only available in Linux.
2017-12-13 20:40:53 +03:00
Debayan Ghosh
d2d737e70b Use sysconf to determine cacheline size at runtime.
Determine cacheline size at runtime if supported
using sysconf(_SC_LEVEL1_DCACHE_LINESIZE). In case not supported,
fallback to compile time defaults.
2017-12-11 16:28:11 +00:00
Debayan Ghosh
b75f419b2c Configure: set default cacheline size to 64 for aarch64 platforms. 2017-12-11 15:05:35 +00:00
Maxim Dounin
40f1c48b53 Configure: fixed SO_BINDANY comment. 2017-12-07 17:09:36 +03:00
Maxim Dounin
6ff1340262 Configure: moved IP_BIND_ADDRESS_NO_PORT test.
In 2c7b488a61fb, IP_BIND_ADDRESS_NO_PORT test was accidentally placed
between SO_BINDANY, IP_TRANSPARENT, and IP_BINDANY tests.  Moved it after
these tests.
2017-12-07 17:09:33 +03:00
Roman Arutyunyan
6754a40466 Proxy: escape explicit space in URI in default cache key.
If the flag space_in_uri is set, the URI in HTTP upstream request is escaped to
convert space to %20.  However this flag is not checked while creating the
default cache key.  This leads to different cache keys for requests
'/foo bar' and '/foo%20bar', while the upstream requests are identical.

Additionally, the change fixes background cache updates when the client URI
contains unescaped space.  Default cache key in a subrequest is always based on
escaped URI, while the main request may not escape it.  As a result, background
cache update subrequest may update a different cache entry.
2017-11-20 20:50:35 +03:00
Roman Arutyunyan
891908cd0c Inherit valid_unparsed_uri in cloned subrequests (ticket #1430).
Inheriting this flag will make the cloned subrequest behave consistently with
the parent.  Specifically, the upstream HTTP request and cache key created by
the proxy module may depend directly on unparsed_uri if valid_unparsed_uri flag
is set.  Previously, the flag was zero for cloned requests, which could make
background update proxy a request different than its parent and cache the result
with a different key.  For example, if client URI contained the escaped slash
character %2F, it was used as is by the proxy module in the main request, but
was unescaped in the subrequests.

Similar problems exist in the slice module.
2017-11-20 21:11:19 +03:00
Roman Arutyunyan
de11c2ad09 Proxy: simplified conditions of using unparsed uri.
Previously, the unparsed uri was explicitly allowed to be used only by the main
request.  However the valid_unparsed_uri flag is nonzero only in the main
request, which makes the main request check pointless.
2017-11-20 13:47:17 +03:00
Patryk Lesiewicz
7b3f187bc6 Upstream: flush low-level buffers on write retry.
If the data to write is bigger than what the socket can send, and the
reminder is smaller than NGX_SSL_BUFSIZE, then SSL_write() fails with
SSL_ERROR_WANT_WRITE. The reminder of payload however is successfully
copied to the low-level buffer and all the output chain buffers are
flushed. This means that retry logic doesn't work because
ngx_http_upstream_process_non_buffered_request() checks only if there's
anything in the output chain buffers and ignores the fact that something
may be buffered in low-level parts of the stack.

Signed-off-by: Patryk Lesiewicz <patryk@google.com>
2017-12-01 15:59:14 -08:00
Roman Arutyunyan
e13268714f Upstream keepalive: clean read delayed flag in stored connections.
If a connection with the read delayed flag set was stored in the keepalive
cache, and after picking it from the cache a read timer was set on that
connection, this timer was considered a delay timer rather than a socket read
event timer as expected.  The latter timeout is usually much longer than the
former, which caused a significant delay in request processing.

The issue manifested itself with proxy_limit_rate and upstream keepalive
enabled and exists since 973ee2276300 (1.7.7) when proxy_limit_rate was
introduced.
2017-11-28 14:00:00 +03:00
Maxim Dounin
53e5a746bf Autoindex: discard request body (ticket #1439). 2017-12-04 17:30:02 +03:00
Sergey Kandaurov
e3baa90da9 Removed unused FreeBSD-specific definitions in ngx_posix_config.h. 2017-11-28 13:09:54 +03:00
Ruslan Ermilov
afad219175 Fixed "changing binary" when reaper is not init.
On some systems, it's possible that reaper of orphaned processes is
set to something other than "init" process.  On such systems, the
changing binary procedure did not work.

The fix is to check if PPID has changed, instead of assuming it's
always 1 for orphaned processes.
2017-11-28 12:00:24 +03:00
Maxim Dounin
7a7fc708fb Configure: fixed clang detection on MINIX.
As per POSIX, basic regular expressions have no alternations, and the
interpretation of the "\|" construct is undefined.  At least on MINIX
and Solaris grep interprets "\|" as literal "|", and not as an alternation
as GNU grep does.  Removed such constructs introduced in f1daa0356a1d.
This fixes clang detection on MINIX.
2017-11-23 16:33:40 +03:00
Maxim Dounin
3656f2eb63 Version bump. 2017-11-23 16:32:58 +03:00
Maxim Dounin
f1107e183d release-1.13.7 tag 2017-11-21 18:09:44 +03:00
Maxim Dounin
249208c9a5 nginx-1.13.7-RELEASE 2017-11-21 18:09:43 +03:00
Maxim Dounin
8e646df77a Updated OpenSSL used for win32 builds. 2017-11-21 17:32:12 +03:00
Maxim Dounin
b32cb6b610 Fixed worker_shutdown_timeout in various cases.
The ngx_http_upstream_process_upgraded() did not handle c->close request,
and upgraded connections do not use the write filter.  As a result,
worker_shutdown_timeout did not affect upgraded connections (ticket #1419).
Fix is to handle c->close in the ngx_http_request_handler() function, thus
covering most of the possible cases in http handling.

Additionally, mail proxying did not handle neither c->close nor c->error,
and thus worker_shutdown_timeout did not work for mail connections.  Fix is
to add c->close handling to ngx_mail_proxy_handler().

Also, added explicit handling of c->close to stream proxy,
ngx_stream_proxy_process_connection().  This improves worker_shutdown_timeout
handling in stream, it will no longer wait for some data being transferred
in a connection before closing it, and will also provide appropriate
logging at the "info" level.
2017-11-20 16:31:07 +03:00
Maxim Dounin
f1c4853ea1 Gzip: support for a zlib variant from Intel.
A zlib variant from Intel as available from https://github.com/jtkukunas/zlib
uses 64K hash instead of scaling it from the specified memory level, and
also uses 16-byte padding in one of the window-sized memory buffers, and can
force window bits to 13 if compression level is set to 1 and appropriate
compile options are used.  As a result, nginx complained with "gzip filter
failed to use preallocated memory" alerts.

This change improves deflate_state allocation detection by testing that
items is 1 (deflate_state is the only allocation where items is 1).
Additionally, on first failure to use preallocated memory we now assume
that we are working with the Intel's modified zlib, and switch to using
appropriate preallocations.  If this does not help, we complain with the
usual alerts.

Previous version of this patch was published at
http://mailman.nginx.org/pipermail/nginx/2014-July/044568.html.
The zlib variant in question is used by default in ClearLinux from Intel,
see http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060421.html,
http://mailman.nginx.org/pipermail/nginx-ru/2017-November/060544.html.
2017-11-18 04:03:27 +03:00