Commit Graph

6171 Commits

Author SHA1 Message Date
Maxim Dounin
bdc0b779e5 Upstream: handling of upstream SSL handshake timeouts.
Previously SSL handshake timeouts were not properly logged, and resulted
in 502 errors instead of 504 (ticket #1126).
2016-11-14 17:21:06 +03:00
hucongcong
8f8a07f080 Range filter: only initialize ctx->ranges in main request.
It is not necessary to initialize ctx->ranges in all request, because
ctx->ranges in subrequest will be reassigned to ctx->ranges of main
request.
2016-11-10 10:44:52 +08:00
hucongcong
42298aeb13 Core: slight optimization in ngx_chain_update_chains().
It is not necessary to traverse *busy and link the *out when *out is NULL.
2016-11-10 10:17:53 +08:00
Ruslan Ermilov
8e9f1df637 Style: switch. 2016-11-04 19:12:19 +03:00
Maxim Dounin
f3093695b9 Cache: prefix-based temporary files.
On Linux, the rename syscall can be slow due to a global file system lock,
acquired for the entire rename operation, unless both old and new files are
in the same directory.  To address this temporary files are now created
in the same directory as the expected resulting cache file when using the
"use_temp_path=off" parameter.

This change mostly reverts 99639bfdfa2a and 3281de8142f5, restoring the
behaviour as of a9138c35120d (with minor changes).
2016-11-03 17:10:29 +03:00
Maxim Dounin
5eac3bca41 Upstream: avoid holding a cache node with upgraded connections.
Holding a cache node lock doesn't make sense as we can't use caching
anyway, and results in "ignore long locked inactive cache entry" alerts
if a node is locked for a long time.

The same is done for unbuffered connections, as they can be alive for
a long time as well.
2016-11-03 17:09:32 +03:00
Dmitry Volyntsev
6d9023f7b4 Cache: proxy_cache_max_range_offset and friends.
It configures a threshold in bytes, above which client range
requests are not cached.  In such a case the client's Range
header is passed directly to a proxied server.
2016-11-02 20:05:21 +03:00
Sergey Kandaurov
6917d29d40 HTTP/2: flow control debugging. 2016-11-02 11:47:12 +03:00
Maxim Dounin
0438b60498 Perl: fixed optimization in SSI command handler.
As the pointer to the first argument was tested instead of the argument
itself, array of arguments was always created, even if there were no
arguments.  Fix is to test args[0] instead of args.

Found by Coverity (CID 1356862).
2016-11-01 20:39:21 +03:00
Ruslan Ermilov
5a273f2e90 HTTP/2: slightly improved debugging. 2016-10-31 23:38:51 +03:00
Ruslan Ermilov
d970e099c6 Upstream: removed ngx_http_upstream_srv_conf_t.default_port.
This is an API change.
2016-10-17 14:30:54 +03:00
Ruslan Ermilov
663984fe2f Upstream: don't consider default_port when matching upstreams.
The only thing that default_port comparison did in the current
code is prevented implicit upstreams to the same address/port
from being aliased for http and https, e.g.:

	proxy_pass http://10.0.0.1:12345;
	proxy_pass https://10.0.0.1:12345;

This is inconsistent because it doesn't work for a similar case
with uswgi_pass:

	uwsgi_pass uwsgi://10.0.0.1:12345;
	uwsgi_pass suwsgi://10.0.0.1:12345;

or with an explicit upstream:

	upstream u {
	    server 10.0.0.1:12345;
	}

	proxy_pass http://u;
	proxy_pass https://u;

Before c9059bd5445b, default_port comparison was needed to
differentiate implicit upstreams in

	proxy_pass http://example.com;

and

	proxy_pass https://example.com;

as u->port was not set.
2016-10-17 14:27:45 +03:00
Ruslan Ermilov
1f5d97cbf0 Upstream: consistently initialize explicit upstreams.
When an upstream{} block follows a proxy_pass reference to it,
such an upstream inherited port and default_port settings from
proxy_pass.  This was different from when they came in another
order (see ticket #1059).  Explicit upstreams should not have
port and default_port in any case.

This fixes the following case:

	server { location / { proxy_pass http://u; } ... }
	upstream u { server 127.0.0.1; }
	server { location / { proxy_pass https://u; } ... }

but not the following:

	server { location / { proxy_pass http://u; } ... }
	server { location / { proxy_pass https://u; } ... }
	upstream u { server 127.0.0.1; }
2016-10-17 14:14:02 +03:00
Ruslan Ermilov
149fda55f7 Upstream: do not unnecessarily create per-request upstreams.
If proxy_pass (and friends) with variables evaluates an upstream
specified with literal address, nginx always created a per-request
upstream.

Now, if there's a matching upstream specified in the configuration
(either implicit or explicit), it will be used instead.
2016-10-31 18:33:36 +03:00
Ruslan Ermilov
3fae83a91c Upstream: added the ngx_http_upstream_resolved_t.name field.
This fixes inconsistency in what is stored in the "host" field.
Normally it would contain the "host" part of the parsed URL
(e.g., proxy_pass with variables), but for the case of an
implicit upstream specified with literal address it contained
the text representation of the socket address (that is, host
including port for IP).

Now the "host" field always contains the "host" part of the URL,
while the text representation of the socket address is stored
in the newly added "name" field.

The ngx_http_upstream_create_round_robin_peer() function was
modified accordingly in a way to be compatible with the code
that does not know about the new "name" field.

The "stream" code was similarly modified except for not adding
compatibility in ngx_stream_upstream_create_round_robin_peer().

This change is also a prerequisite for the next change.
2016-10-31 18:33:33 +03:00
Ruslan Ermilov
4e1720b0a2 Upstream: removed unnecessary condition in proxy_eval() and friends.
The first condition added in d3454e719bbb should have just replaced
the second one.
2016-10-31 18:33:31 +03:00
Valentin Bartenev
df9b2b9011 HTTP/2: limited maximum number of requests in connection.
The new directive "http2_max_requests" is introduced.  From users point of
view it works quite similar to "keepalive_requests" but has significantly
bigger default value that is more suitable for HTTP/2.
2016-10-31 16:33:02 +03:00
Maxim Dounin
271d306056 Mp4: introduced custom version of ngx_atofp().
This allows to correctly parse "start" and "end" arguments without
null-termination (ticket #475), and also fixes rounding errors observed
with strtod() when using i387 instructions.
2016-10-27 17:57:16 +03:00
Dmitry Lazurkin
9ea918a41d Proxy: support variables for proxy_method directive. 2016-10-16 18:24:01 +03:00
Dmitry Volyntsev
71c93a8e09 SSL: RFC2253 compliant $ssl_client_s_dn and $ssl_client_i_dn.
Originally, the variables kept a result of X509_NAME_oneline(),
which is, according to the official documentation, a legacy
function.  It produces a non standard output form and has
various quirks and inconsistencies.

The RFC2253 compliant behavior is introduced for these variables.
The original variables are available through $ssl_client_s_dn_legacy
and $ssl_client_i_dn_legacy.
2016-10-21 16:28:39 +03:00
Valentin Bartenev
9ec0b1fe12 Image filter: support for WebP.
In collaboration with Ivan Poluyanov.
2016-10-21 15:18:44 +03:00
Valentin Bartenev
70d0530f88 HTTP/2: graceful shutdown of active connections (closes #1106).
Previously, while shutting down gracefully, the HTTP/2 connections were
closed in transition to idle state after all active streams have been
processed.  That might never happen if the client continued opening new
streams.

Now, nginx sends GOAWAY to all HTTP/2 connections and ignores further
attempts to open new streams.  A worker process will quit as soon as
processing of already opened streams is finished.
2016-10-20 16:15:03 +03:00
Maxim Dounin
9b8b33bd4a SSL: compatibility with BoringSSL.
BoringSSL changed SSL_set_tlsext_host_name() to be a real function
with a (const char *) argument, so it now triggers a warning due to
conversion from (u_char *).  Added an explicit cast to silence the
warning.

Prodded by Piotr Sikora, Alessandro Ghedini.
2016-10-19 18:36:50 +03:00
Vladimir Homutov
33f940534e Core: show file contents only once while dumping configuration.
Files are considered the same if the path used by nginx during parsing matches.
2016-10-18 16:33:38 +03:00
Valentin Bartenev
841737915c SSL: overcame possible buffer over-read in ngx_ssl_error().
It appeared that ERR_error_string_n() cannot handle zero buffer size well enough
and causes over-read.

The problem has also been fixed in OpenSSL:
https://git.openssl.org/?p=openssl.git;h=e5c1361580d8de79682958b04a5f0d262e680f8b
2016-10-18 20:46:06 +03:00
Rob N ★
66c23edf63 Mail: support SASL EXTERNAL (RFC 4422).
This is needed to allow TLS client certificate auth to work. With
ssl_verify_client configured, the auth daemon can choose to allow the
connection to proceed based on the certificate data.

This has been tested with Thunderbird for IMAP only. I've not yet found a
client that will do client certificate auth for POP3 or SMTP, and the method is
not really documented anywhere that I can find. That said, its simple enough
that the way I've done is probably right.
2016-10-08 18:05:00 +11:00
Maxim Dounin
a747089a1d Mail: extensible auth methods in pop3 module. 2016-10-18 19:38:46 +03:00
Maxim Dounin
948a18ed54 Upstream: handling of proxy_set_header at http level.
When headers are set at the "http" level and not redefined in
a server block, we now preserve conf->headers into the "http"
section configuration to inherit it to all servers.

The same applies to conf->headers_cache, though it may not be effective
if no servers use cache at the "server" level as conf->headers_cache
is only initialized if cache is enabled on a given level.

Similar changes made in fastcgi/scgi/uwsgi to preserve conf->params
and conf->params_cache.
2016-10-14 19:48:26 +03:00
Maxim Dounin
97fc4ab790 Proxy: do not create conf->headers_source when not needed. 2016-10-14 19:48:26 +03:00
Maxim Dounin
c541cf70cf Upstream: hide_headers_hash handling at http level.
When headers to hide are set at the "http" level and not redefined in
a server block, we now preserve compiled headers hash into the "http"
section configuration to inherit this hash to all servers.
2016-10-14 19:48:26 +03:00
Maxim Dounin
f5dcb06f28 Upstream: hide_headers_hash inherited regardless of cache settings.
Dependency on cache settings existed prior to 2728c4e4a9ae (0.8.44)
as Set-Cookie header was automatically hidden from responses when
using cache.  This is no longer the case, and hide_headers_hash can
be safely inherited regardless of cache settings.
2016-10-14 19:48:26 +03:00
Maxim Dounin
71841601d2 Style. 2016-10-14 19:48:26 +03:00
Ruslan Ermilov
5e700a702c Cache: cache manager debugging. 2016-10-13 15:50:36 +03:00
Ruslan Ermilov
4009622702 Version bump. 2016-10-13 15:35:48 +03:00
Maxim Dounin
e8cb2a7946 release-1.11.5 tag 2016-10-11 18:03:01 +03:00
Maxim Dounin
06d88ca53b nginx-1.11.5-RELEASE 2016-10-11 18:03:00 +03:00
Maxim Dounin
27930db17c Updated OpenSSL used for win32 builds. 2016-10-11 16:52:48 +03:00
Maxim Dounin
a6cb821090 Modules compatibility: removed dependencies on NGX_MAIL_SSL.
External structures are now identical regardless of mail SSL module
compiled in or not.
2016-10-10 18:44:17 +03:00
Maxim Dounin
78f91756cd Modules compatibility: removed dependencies on NGX_STREAM_SSL.
External structures are now identical regardless of stream SSL module
compiled in or not.
2016-10-10 18:44:17 +03:00
Maxim Dounin
8fd8c32ccf Modules compatibility: compatibility with NGX_HTTP_SSL.
With this change it is now possible to load modules compiled without
the "--with-http_ssl_module" configure option into nginx binary compiled
with it, and vice versa (if a module doesn't use ssl-specific functions),
assuming both use the "--with-compat" option.
2016-10-10 18:44:17 +03:00
Maxim Dounin
844c78556b Modules compatibility: compatibility with NGX_HAVE_FILE_AIO.
With this change it is now possible to load modules compiled without
the "--with-file-aio" configure option into nginx binary compiled with it,
and vice versa, assuming both use the "--with-compat" option.
2016-10-10 18:44:17 +03:00
Maxim Dounin
9f6e8673f4 Modules compatibility: compatibility with NGX_THREADS.
With this change it is now possible to load modules compiled without
the "--with-threads" configure option into nginx binary compiled with it,
and vice versa (if a module does not use thread-specific functions),
assuming both use the "--with-compat" option.
2016-10-10 18:44:17 +03:00
Maxim Dounin
82ec849271 Allowed '-' in method names.
It is used at least by SOAP (M-POST method, defined by RFC 2774) and
by WebDAV versioning (VERSION-CONTROL and BASELINE-CONTROL methods,
defined by RFC 3253).
2016-10-10 16:24:50 +03:00
Maxim Dounin
f594b2bf6d Core: sockaddr lengths now respected by ngx_cmp_sockaddr().
Linux can return AF_UNIX sockaddrs with partially filled sun_path,
resulting in spurious comparison failures and failed binary upgrades.
Added proper checking of the lengths provided.

Reported by Jan Seda,
http://mailman.nginx.org/pipermail/nginx-devel/2016-September/008832.html.
2016-10-10 16:15:41 +03:00
Maxim Dounin
4c4fdc4754 Core: ngx_conf_set_access_slot() user access (ticket #1096).
Previously, user access bits were always set to "rw" unconditionally,
even with "user:r" explicitly specified.  With this change we only add
default user access bits (0600) if they weren't set explicitly.
2016-10-07 16:59:14 +03:00
Maxim Dounin
52892835ef Realip: fixed duplicate processing on redirects (ticket #1098).
Duplicate processing was possible if the address set by realip was
listed in set_realip_from, and there was an internal redirect so module
context was cleared.  This resulted in exactly the same address being set,
so this wasn't a problem before the $realip_remote_addr variable was
introduced, though now results in incorrect $realip_remote_addr being
picked.

Fix is to use ngx_http_realip_get_module_ctx() to look up module context
even if it was cleared.  Additionally, the order of checks was switched to
check the configuration first as it looks more effective.
2016-10-06 23:16:05 +03:00
Sergey Kandaurov
88dc647481 Stream ssl_preread: fixed $ssl_preread_server_name variable.
Made sure to set the variable length only after successful SNI parsing.
2016-10-05 18:11:39 +03:00
Dmitry Volyntsev
b072a6957c Cache: cache manager limits.
The new parameters "manager_files", "manager_sleep"
and "manager_threshold" were added to proxy_cache_path
and friends.

Note that ngx_path_manager_pt was changed to return ngx_msec_t
instead of time_t (API change).
2016-10-05 14:22:30 +03:00
Ruslan Ermilov
f9430de485 Core: use c->log while closing connection.
c->pool is not destroyed here since c52408583801.
2016-10-05 13:57:43 +03:00
Maxim Dounin
3c44339bfe SSL: use X509_check_host() with LibreSSL.
Explicit checks for OPENSSL_VERSION_NUMBER replaced with checks
for X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT, thus allowing X509_check_host()
to be used with other libraries.  In particular, X509_check_host() was
introduced in LibreSSL 2.5.0.
2016-10-04 17:26:45 +03:00