Commit Graph

5240 Commits

Author SHA1 Message Date
Roman Arutyunyan
f0b5f83378 Cache: do not inherit last_modified and etag from stale response.
When replacing a stale cache entry, its last_modified and etag could be
inherited from the old entry if the response code is not 200 or 206.  Moreover,
etag could be inherited with any response code if it's missing in the new
response.  As a result, the cache entry is left with invalid last_modified or
etag which could lead to broken revalidation.

For example, when a file is deleted from backend, its last_modified is copied to
the new 404 cache entry and is used later for revalidation.  Once the old file
appears again with its original timestamp, revalidation succeeds and the cached
404 response is sent to client instead of the file.

The problem appeared with etags in 44b9ab7752e3 (1.7.3) and affected
last_modified in 1573fc7875fa (1.7.9).
2015-03-02 19:47:13 +03:00
Roman Arutyunyan
bf7d76b943 Upstream hash: speedup consistent hash init.
Repeatedly calling ngx_http_upstream_add_chash_point() to create
the points array in sorted order, is O(n^2) to the total weight.
This can cause nginx startup and reconfigure to be substantially
delayed.  For example, when total weight is 1000, startup takes
5s on a modern laptop.

Replace this with a linear insertion followed by QuickSort and
duplicates removal.  Startup for total weight of 1000 reduces to 40ms.

Based on a patch by Wai Keen Woon.
2015-03-02 18:41:29 +03:00
Sergey Kandaurov
de3adad807 Mail: don't emit Auth-SSL-Verify with disabled ssl_verify_client.
Previously, the Auth-SSL-Verify header with the "NONE" value was always passed
to the auth_http script if verification of client certificates is disabled.
2015-02-27 16:28:31 +03:00
Maxim Dounin
faec547771 Mail: client SSL certificates support.
The "ssl_verify_client", "ssl_verify_depth", "ssl_client_certificate",
"ssl_trusted_certificate", and "ssl_crl" directives introduced to control
SSL client certificate verification in mail proxy module.

If there is a certificate, detail of the certificate are passed to
the auth_http script configured via Auth-SSL-Verify, Auth-SSL-Subject,
Auth-SSL-Issuer, Auth-SSL-Serial, Auth-SSL-Fingerprint headers.  If
the auth_http_pass_client_cert directive is set, client certificate
in PEM format will be passed in the Auth-SSL-Cert header (urlencoded).

If there is no required certificate provided during an SSL handshake
or certificate verification fails then a protocol-specific error is
returned after the SSL handshake and the connection is closed.

Based on previous work by Sven Peter, Franck Levionnois and Filipe Da Silva.
2015-02-25 17:48:05 +03:00
Maxim Dounin
78e1a8ed7f Mail: added Auth-SSL header to indicate SSL.
Based on a patch by Filipe da Silva.
2015-02-25 17:47:49 +03:00
Maxim Dounin
52c5ba0f37 Mail: fixed buffer allocation for CRLF after Auth-SMTP-* headers.
There were no buffer overruns in real life as there is extra space
allocated for the Auth-Login-Attempt counter.
2015-02-25 17:47:43 +03:00
Ruslan Ermilov
c2c9a1c03e SSL: account sent bytes in ngx_ssl_write(). 2015-02-24 23:52:47 +03:00
Maxim Dounin
7dd799357d Core: fixed potential buffer overrun when initializing hash.
Initial size as calculated from the number of elements may be bigger
than max_size.  If this happens, make sure to set size to max_size.

Reported by Chris West.
2015-02-24 18:37:14 +03:00
Ruslan Ermilov
a4ce770a89 Cache: reduced diffs to the plus version of nginx.
No functional changes.
2015-02-17 16:27:52 +03:00
Roman Arutyunyan
6337c1d185 Core: make ngx_connection_local_sockaddr() always assign address.
Previously, this function checked for connection local address existence
and returned error if it was missing.  Now a new address is assigned in this
case making it possible to call this function not only for accepted connections.
2015-02-17 14:26:44 +03:00
Sergey Kandaurov
7f3f7fec77 Configure: typo fixed. 2015-02-11 20:18:55 +03:00
Valentin Bartenev
0a3d458805 Unbreak building on FreeBSD without file AIO.
It appeared that the NGX_HAVE_AIO_SENDFILE macro was defined regardless of
the "--with-file-aio" configure option and the NGX_HAVE_FILE_AIO macro.

Now they are related.

Additionally, fixed one macro.
2015-02-11 20:00:07 +03:00
Valentin Bartenev
2b8d6ad805 Refactored sendfile() AIO preload.
This reduces layering violation and simplifies the logic of AIO preread, since
it's now triggered by the send chain function itself without falling back to
the copy filter.  The context of AIO operation is now stored per file buffer,
which makes it possible to properly handle cases when multiple buffers come
from different locations, each with its own configuration.
2015-02-11 17:52:15 +03:00
Ruslan Ermilov
2b7e167dbb Mail: fixed the duplicate listen address detection. 2015-01-23 15:23:29 +03:00
Ruslan Ermilov
0b30dec0d3 Mail: fixed a comment. 2015-01-23 15:23:27 +03:00
Ruslan Ermilov
3352461916 Upstream: detect port absence in fastcgi_pass with IP literal.
If fastcgi_pass (or any look-alike that doesn't imply a default
port) is specified as an IP literal (as opposed to a hostname),
port absence was not detected at configuration time and could
result in EADDRNOTAVAIL at run time.

Fixed this in such a way that configs like

http {
    server {
        location / {
            fastcgi_pass 127.0.0.1;
        }
    }

    upstream 127.0.0.1 {
        server 10.0.0.1:12345;
    }
}

still work.  That is, port absence check is delayed until after
we make sure there's no explicit upstream with such a name.
2015-01-22 16:23:32 +03:00
Ruslan Ermilov
917c47a918 Version bump. 2015-02-11 15:51:03 +03:00
Maxim Dounin
c470bd85d1 release-1.7.10 tag 2015-02-10 17:33:32 +03:00
Maxim Dounin
4d163851c7 nginx-1.7.10-RELEASE 2015-02-10 17:33:32 +03:00
Maxim Dounin
c28ca06c1b Updated OpenSSL used for win32 builds. 2015-02-10 16:54:12 +03:00
Sergey Kandaurov
66c25a7d77 Core: fixed build on Tru64 UNIX.
There was a typo in NGX_EACCES.

Reported by Goetz T. Fischer.
2015-02-10 01:51:08 +03:00
Damien Tournoud
59969c22ce Fixed try_files directory test to match only a directory.
Historically, it was possible to match either a file or directory
in the following configuration:

    location / {
        try_files $uri/ =404;
    }
2015-01-21 00:26:32 +01:00
Roman Arutyunyan
2bae4205ab Core: fixed a race resulting in extra sem_post()'s.
The mtx->wait counter was not decremented if we were able to obtain the lock
right after incrementing it.  This resulted in unneeded sem_post() calls,
eventually leading to EOVERFLOW errors being logged, "sem_post() failed
while wake shmtx (75: Value too large for defined data type)".

To close the race, mtx->wait is now decremented if we obtain the lock right
after incrementing it in ngx_shmtx_lock().  The result can become -1 if a
concurrent ngx_shmtx_unlock() decrements mtx->wait before the added code does.
However, that only leads to one extra iteration in the next call of
ngx_shmtx_lock().
2015-02-04 16:22:43 +03:00
Roman Arutyunyan
cae1b5d63a Core: reverted prefix-based temp files (a9138c35120d).
The use_temp_path http cache feature is now implemented using a separate temp
hierarchy in cache directory.  Prefix-based temp files are no longer needed.
2015-02-02 21:28:09 +03:00
Roman Arutyunyan
f8fecbc94d Cache: added temp_path to file cache.
If use_temp_path is set to off, a subdirectory "temp" is created in the cache
directory.  It's used instead of proxy_temp_path and friends for caching
upstream response.
2015-02-02 19:38:35 +03:00
Roman Arutyunyan
54e14a387f Core: supported directory skipping in ngx_walk_tree().
If pre_tree_handler() returns NGX_DECLINED, the directory is ignored.
2015-02-02 19:38:32 +03:00
Valentin Bartenev
314d0d40e7 Fixed AIO handling in the output chain.
The ctx->aio flag must be taken into account in the short path too.
2015-01-28 21:33:06 +03:00
Igor Sysoev
415c8ec4b4 A bounds check of %N format on Windows.
Thanks to Joe Bialek, Adam Zabrocki and Microsoft Vulnerability Research.
2015-01-27 15:38:15 +03:00
Vladimir Homutov
7e1eba5faa Upstream: $upstream_header_time variable.
Keeps time spent on obtaining the header from an upstream server.  The value is
formatted similar to the $upstream_response_time variable.
2015-01-14 09:03:35 +03:00
Valentin Bartenev
3149ddd320 Year 2015. 2015-01-13 20:13:16 +03:00
Maxim Dounin
a1f330a0a2 Core: added disk_full_time checks to error log. 2015-01-13 19:51:37 +03:00
Maxim Dounin
2754fd3c80 Fixed sendfile() trailers on OS X (8e903522c17a, 1.7.8).
The trailer.count variable was not initialized if there was a header,
resulting in "sendfile() failed (22: Invalid argument)" alerts on OS X
if the "sendfile" directive was used.  The bug was introduced
in 8e903522c17a (1.7.8).
2015-01-13 18:58:23 +03:00
Valentin Bartenev
843fb552ec Upstream: use_temp_path parameter of proxy_cache_path and friends.
When set to "off", temporary files for cacheable responses will be stored
inside cache directory.
2014-12-26 16:22:59 +03:00
Valentin Bartenev
1858857c25 Cache: update variant while setting header.
Some parts of code related to handling variants of a resource moved into
a separate function that is called earlier.  This allows to use cache file
name as a prefix for temporary file in the following patch.
2014-12-26 16:22:56 +03:00
Valentin Bartenev
a54e37edda Core: added prefix-based temporary files.
Now, if the "path" parameter is NULL, ngx_create_temp_file() will use
file->name as a predefined file path prefix.
2014-12-26 16:22:54 +03:00
Valentin Bartenev
c07bebdcd1 Unified handling of ngx_create_temp_file() return value.
The original check for NGX_AGAIN was surplus, since the function returns
only NGX_OK or NGX_ERROR.  Now it looks similar to other places.

No functional changes.
2014-12-26 16:22:50 +03:00
Maxim Dounin
cb6f338a8c Trailing space fix. 2014-12-24 19:02:58 +03:00
Maxim Dounin
b8ee1ec7d3 Fixed building with musl libc (ticket #685). 2014-12-24 19:01:22 +03:00
Maxim Dounin
fe4b25c731 Version bump. 2014-12-24 18:53:38 +03:00
Maxim Dounin
efa5e372b7 release-1.7.9 tag 2014-12-23 18:28:38 +03:00
Maxim Dounin
9eb555c9c9 nginx-1.7.9-RELEASE 2014-12-23 18:28:37 +03:00
Valentin Bartenev
7817df480e Upstream: added variables support to proxy_cache and friends. 2014-12-22 12:59:09 +03:00
Valentin Bartenev
b24ad42008 Upstream: preset some cache configuration when bypassing.
No functional changes.
2014-12-22 12:59:06 +03:00
Valentin Bartenev
c40a72761c Upstream: refactored proxy_cache and friends.
The configuration handling code has changed to look similar to the proxy_store
directive and friends.  This simplifies adding variable support in the following
patch.

No functional changes.
2014-12-22 12:59:02 +03:00
Valentin Bartenev
66dcbab7a1 Upstream: mutually exclusive inheritance of "cache" and "store".
Currently, storing and caching mechanisms cannot work together, and a
configuration error is thrown when the proxy_store and proxy_cache
directives (as well as their friends) are configured on the same level.

But configurations like in the example below were allowed and could result
in critical errors in the error log:

    proxy_store on;

    location / {
        proxy_cache one;
    }

Only proxy_store worked in this case.

For more predictable and errorless behavior these directives now prevent
each other from being inherited from the previous level.
2014-12-22 12:58:59 +03:00
Valentin Bartenev
492844dbb1 Upstream: simplified proxy_store and friends configuration code.
This changes internal API related to handling of the "store"
flag in ngx_http_upstream_conf_t.  Previously, a non-null value
of "store_lengths" was enough to enable store functionality with
custom path.  Now, the "store" flag is also required to be set.

No functional changes.
2014-12-22 12:58:56 +03:00
Lukas Tribus
cf92831131 SSL: safeguard use of SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS.
The flag was recently removed by BoringSSL.
2014-12-17 15:12:50 +01:00
Valentin Bartenev
16f248ebbb Autoindex: implemented XML output format. 2014-12-12 20:25:42 +03:00
Valentin Bartenev
5453f0afe6 Autoindex: implemented JSON output format. 2014-12-12 20:25:35 +03:00
Valentin Bartenev
921f728526 Autoindex: rendering code moved to a separate function.
No functional changes.
2014-12-12 20:25:28 +03:00