Commit Graph

6025 Commits

Author SHA1 Message Date
Ruslan Ermilov
f021706729 Fixed missing "Location" field with some relative redirects.
Relative redirects did not work with directory redirects and
auto redirects issued by nginx.
2016-12-22 11:58:52 +03:00
Ruslan Ermilov
dd70e74197 Core: relative redirects (closes #1000).
The current version of HTTP/1.1 standard allows relative references in
redirects (https://tools.ietf.org/html/rfc7231#section-7.1.2).

Allow this form for redirects generated by nginx by introducing the new
directive absolute_redirect.
2016-12-21 23:10:51 +03:00
Ruslan Ermilov
d1f524d0b3 Limited recursion when evaluating variables.
Unlimited recursion might cause stack exhaustion in some misconfigurations.
2016-12-21 22:01:24 +03:00
Vladimir Homutov
7fab8d046e Stream: client SSL certificates verification support.
New directives: "ssl_verify_client", "ssl_verify_depth",
"ssl_client_certificate", "ssl_trusted_certificate", and
"ssl_crl".

New variables: $ssl_client_cert, $ssl_client_raw_cert,
$ssl_client_s_dn, $ssl_client_i_dn, $ssl_client_serial,
$ssl_client_fingerprint, $ssl_client_verify, $ssl_client_v_start,
$ssl_client_v_end, and $ssl_client_v_remain.
2016-12-20 12:05:14 +03:00
Roman Arutyunyan
393636d79c Stream ssl_preread: relaxed SSL version check.
SSL version 3.0 can be specified by the client at the record level for
compatibility reasons.  Previously, ssl_preread module rejected such
connections, presuming they don't have SNI.  Now SSL 3.0 is allowed at
the record level.
2016-12-19 14:02:39 +03:00
Ruslan Ermilov
853c208fc9 Configure: detect nginx version for nginx.pm at make time. 2016-12-16 19:54:37 +03:00
Dmitry Volyntsev
b69a35ffb1 Resolver: fixed handling of partially resolved SRV.
The resolver handles SRV requests in two stages.  In the first
stage it gets all SRV RRs, and in the second stage it resolves
the names from SRV RRs into addresses.

Previously, if a response to an SRV request was cached, the
queries to resolve names were not limited by a timeout.  If a
response to any of these queries was not received, the SRV
request could never complete.

If a response to an SRV request was not cached, and some of the
queries to resolve names timed out, NGX_RESOLVE_TIMEDOUT was
returned instead of successfully resolved addresses.

To fix both issues, resolving of names is now always limited by
a timeout.
2016-12-16 18:21:55 +03:00
Dmitry Volyntsev
e114960e53 Resolver: fixed a race between parallel name and addr resolves.
Previously, ngx_resolve_name() and ngx_resolve_addr() may have
rescheduled the resend timer while it was already in progress.
2016-12-16 18:21:55 +03:00
Dmitry Volyntsev
6b18bb541e Resolver: fixed possible premature stop of the resend timer.
Previously, ngx_resolve_name_done() and ngx_resolve_addr_done()
may have stopped the resend timer prematurely while srv_resend_queue
was not empty.
2016-12-16 18:21:42 +03:00
Ruslan Ermilov
3a8532219a Resolver: fixed possible use-after-free in worker on fast shutdown.
The fix in a3dc657f4e95 was incomplete.
2016-12-16 14:53:28 +03:00
Ruslan Ermilov
523aee98fc Resolver: fixed possible use-after-free in worker on fast shutdown. 2016-12-15 21:44:34 +03:00
Maxim Dounin
3294292b66 SSL: backed out changeset e7cb5deb951d, reimplemented properly.
Changeset e7cb5deb951d breaks build on CentOS 5 with "dereferencing
type-punned pointer will break strict-aliasing rules" warning.  It is
backed out.

Instead, to keep builds with BoringSSL happy, type of the "value"
variable changed to "char *", and an explicit cast added before calling
ngx_parse_http_time().
2016-12-15 19:00:23 +03:00
Piotr Sikora
592dbcc315 SSL: fix call to BIO_get_mem_data().
Fixes build with BoringSSL.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>
2016-12-13 14:19:30 -08:00
Valentin Bartenev
c40d8ddc5d Access log: support for json escaping. 2016-12-15 16:25:42 +03:00
Armin Grodon
7040eee08a Contrib: added 'commentstring' for vim-commentary support. 2016-12-13 00:49:44 +01:00
Ruslan Ermilov
7d34042e4a The size of cmcf->phase_engine.handlers explained. 2016-12-13 22:00:49 +03:00
Ruslan Ermilov
2fbe04c487 Version bump. 2016-12-13 22:00:42 +03:00
Maxim Dounin
60064e4f51 release-1.11.7 tag 2016-12-13 18:21:23 +03:00
Maxim Dounin
e61dc2584b nginx-1.11.7-RELEASE 2016-12-13 18:21:23 +03:00
Valentin Bartenev
27c7ed683b HTTP/2: prevented creating temp files for requests without body.
The problem was introduced by 52bd8cc17f34.
2016-12-10 13:23:38 +03:00
Valentin Bartenev
5d496d467d HTTP/2: fixed posted streams handling.
A bug was introduced by 82efcedb310b that could lead to timing out of
responses or segmentation fault, when accept_mutex was enabled.

The output queue in HTTP/2 can contain frames from different streams.
When the queue is sent, all related write handlers need to be called.
In order to do so, the streams were added to the h2c->posted queue
after handling sent frames.  Then this queue was processed in
ngx_http_v2_write_handler().

If accept_mutex is enabled, the event's "ready" flag is set but its
handler is not called immediately.  Instead, the event is added to
the ngx_posted_events queue.  At the same time in this queue can be
events from upstream connections.  Such events can result in sending
output queue before ngx_http_v2_write_handler() is triggered.  And
at the time ngx_http_v2_write_handler() is called, the output queue
can be already empty with some streams added to h2c->posted.

But after 82efcedb310b, these streams weren't processed if all frames
have already been sent and the output queue was empty.  This might lead
to a situation when a number of streams were get stuck in h2c->posted
queue for a long time.  Eventually these streams might get closed by
the send timeout.

In the worst case this might also lead to a segmentation fault, if
already freed stream was left in the h2c->posted queue.  This could
happen if one of the streams was terminated but wasn't closed, due to
the HEADERS frame or a partially sent DATA frame left in the output
queue.  If this happened the ngx_http_v2_filter_cleanup() handler
removed the stream from the h2c->waiting or h2c->posted queue on
termination stage, before the frame has been sent, and the stream
was again added to the h2c->posted queue after the frame was sent.

In order to fix all these problems and simplify the code, write
events of fake stream connections are now added to ngx_posted_events
instead of using a custom h2c->posted queue.
2016-11-28 20:58:14 +03:00
Ruslan Ermilov
72ace36318 Map: the "volatile" parameter.
By default, "map" creates cacheable variables [1].  With this
parameter it creates a non-cacheable variable.

An original idea was to deduce the cacheability of the "map"
variable by checking the cacheability of variables specified
in source and resulting values, but it turned to be too hard.
For example, a cacheable variable can be overridden with the
"set" directive or with the SSI "set" command.  Also, keeping
"map" variables cacheable by default is good for performance
reasons.  This required adding a new parameter.

[1] Before db699978a33f (1.11.0), the cacheability of the
"map" variable could vary depending on the cacheability of
variables specified in resulting values (ticket #1090).
This is believed to be a bug rather than a feature.
2016-12-08 17:51:49 +03:00
Ruslan Ermilov
41f06845cf Map: simplified "map" block parser.
No functional changes.
2016-12-08 17:29:01 +03:00
Ruslan Ermilov
7ef8ca24b5 Slab: commented bitmap initialization for small allocations. 2016-12-08 17:22:07 +03:00
Ruslan Ermilov
5abd39a197 Slab: free pages statistics. 2016-12-07 22:25:37 +03:00
Ruslan Ermilov
9ccf719be6 Slab: slots statistics.
For each slot, the number of total and used entries, as well as
the number of allocation requests and failures, are tracked.
2016-12-07 22:25:37 +03:00
Ruslan Ermilov
366f131c38 Slab: simplified some math.
No functional changes.
2016-12-07 22:25:37 +03:00
Ruslan Ermilov
12abb66c41 Slab: simplified allocation from slots.
Removed code that would cause an endless loop, and removed condition
check that is always false.  The first page in the slot list is
guaranteed to satisfy an allocation.
2016-12-07 22:25:37 +03:00
Ruslan Ermilov
16de9fc3b5 Slab: fixed the number of pages calculation.
When estimating the number of pages, do not count memory for slots.
In some cases this gives one extra usable memory page.
2016-12-07 22:25:37 +03:00
Ruslan Ermilov
4cf89436d1 Slab: added comment about list heads. 2016-12-07 22:25:37 +03:00
Ruslan Ermilov
86f846a8bb Slab: improved code readability.
No functional changes.
2016-12-07 22:25:37 +03:00
Maxim Dounin
23946be384 Core: fixed environment on exit.
On exit environment allocated from a pool is no longer available, leading
to a segmentation fault if, for example, a library tries to use it from
an atexit() handler.

Fix is to allocate environment via ngx_alloc() instead, and explicitly
free it using a pool cleanup handler if it's no longer used (e.g., on
configuration reload).
2016-12-07 19:03:31 +03:00
Maxim Dounin
0a90c428b8 Perl: removed special environment handling for the perl module.
In Perl 5.8.6 the default was switched to use putenv() when used as
embedded library unless "PL_use_safe_putenv = 0" is explicitly used
in the code.  Therefore, for modern versions of Perl it is no longer
necessary to restore previous environment when calling perl_destruct().
2016-12-07 19:03:26 +03:00
Maxim Dounin
408e49fed6 Perl: added PERL_SET_INTERP().
For Perl compiled with threads, without PERL_SET_INTERP() the PL_curinterp
remains set to the first interpreter created (that is, one created at
original start).  As a result after a reload Perl thinks that operations
are done withing a thread, and, most notably, denies to change environment.

For example, the following code properly works on original start,
but fails after a reload:

    perl 'sub {
        my $r = shift;

        $r->send_http_header("text/plain");

        $ENV{TZ} = "UTC";
        $r->print("tz: " . $ENV{TZ} . " (localtime " . (localtime()) . ")\n");
        $ENV{TZ} = "Europe/Moscow";
        $r->print("tz: " . $ENV{TZ} . " (localtime " . (localtime()) . ")\n");

        return OK;
    }';

To fix this, PERL_SET_INTERP() added anywhere where PERL_SET_CONTEXT()
was previously used.

Note that PERL_SET_INTERP() doesn't seem to be documented anywhere.
Yet it is used in some other software, and also seems to be the only
solution possible.
2016-12-07 19:03:19 +03:00
Sergey Kandaurov
fcb2e2864e Fixed spelling of logical AND operator, no functional changes.
Found by PVS-Studio.
2016-12-07 13:54:30 +03:00
hucongcong
8b8b6f41e6 Mp4: fixed setting wrong mdat atom size in very rare cases.
Atom size is the sum of atom header size and atom data size. The
specification says that the first 4 bytes are set to one when
the atom size is greater than the maximum unsigned 32-bit value.
Which means atom header size should be considered when the
comparison takes place between atom data size and 0xffffffff.
2016-11-22 13:40:08 +08:00
Maxim Dounin
551091951a SSL: $ssl_curves (ticket #1088).
The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session.  As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.
2016-12-05 22:23:23 +03:00
Maxim Dounin
2daf78867b SSL: $ssl_ciphers (ticket #870).
The variable contains list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff".

The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older version there is an attempt to provide some information
using SSL_get_shared_ciphers().  It only lists known ciphers though.
Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store relevant data when serializing a session.  As
a result $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.
2016-12-05 22:23:23 +03:00
Maxim Dounin
53092ad782 SSL: $ssl_client_v_start, $ssl_client_v_end, $ssl_client_v_remain. 2016-12-05 22:23:23 +03:00
Maxim Dounin
919f536329 SSL: $ssl_client_verify extended with a failure reason.
Now in case of a verification failure $ssl_client_verify contains
"FAILED:<reason>", similar to Apache's SSL_CLIENT_VERIFY, e.g.,
"FAILED:certificate has expired".

Detailed description of possible errors can be found in the verify(1)
manual page as provided by OpenSSL.
2016-12-05 22:23:22 +03:00
Maxim Dounin
27bcceb24b OCSP stapling: improved error logging context.
It now logs the IP address of the responder used (if it's already known),
as well as the certificate name.
2016-12-05 22:23:22 +03:00
Maxim Dounin
af07f8d093 OCSP stapling: added certificate name to warnings. 2016-12-05 22:23:22 +03:00
Maxim Dounin
0a1290b739 OCSP stapling: added http response status logging. 2016-12-05 22:23:22 +03:00
Maxim Dounin
d80352c759 OCSP stapling: style. 2016-12-05 22:23:22 +03:00
Ruslan Ermilov
cdd0cd6e2c Slab: improved double free detection.
Previously, an attempt to double free the starting page of the
free range was not detected.
2016-12-03 10:01:39 +03:00
Ruslan Ermilov
34b41a70a6 Slab: always show the requested allocation size in debug messages.
Previously, allocations smaller than min_size were shown as min_size.
2016-12-03 10:01:03 +03:00
Ruslan Ermilov
3df657f6fd Slab: style.
Removed redundant parentheses.  No functional changes.
2016-12-03 09:55:40 +03:00
Dmitry Volyntsev
433fdbf8b6 Events: improved error event handling for UDP sockets.
Normally, the epoll module calls the read and write handlers depending
on whether EPOLLIN and EPOLLOUT are reported by epoll_wait().  No error
processing is done in the module, the handlers are expected to get an
error when doing I/O.

If an error event is reported without EPOLLIN and EPOLLOUT, the module
set both EPOLLIN and EPOLLOUT to ensure the error event is handled at
least in one active handler.

This works well unless the error is delivered along with only one of
EPOLLIN or EPOLLOUT, and the corresponding handler does not do any I/O.
For example, it happened when getting EPOLLERR|EPOLLOUT from
epoll_wait() upon receiving "ICMP port unreachable" while proxying UDP.
As the write handler had nothing to send it was not able to detect and
log an error, and did not switch to the next upstream.

The fix is to unconditionally set EPOLLIN and EPOLLOUT in case of an
error event.  In the aforementioned case, this causes the read handler
to be called which does recv() and detects an error.

In addition to the epoll module, analogous changes were made in
devpoll/eventport/poll.
2016-11-21 16:03:42 +03:00
Valentin Bartenev
89f92b3243 HTTP/2: fixed saving preread buffer to temp file (ticket #1143).
Previously, a request body bigger than "client_body_buffer_size" wasn't written
into a temporary file if it has been pre-read entirely.  The preread buffer
is freed after processing, thus subsequent use of it might result in sending
corrupted body or cause a segfault.
2016-11-28 19:19:21 +03:00
Maxim Dounin
4c6e31a857 Configure: honor dependencies of dynamic modules.
Dependencies of dynamic modules are added to NGX_ADDON_DEPS (and
it is now used for dynamic modules) to be in line with what happens
in case of static compilation.

To avoid duplication, MAIL_DEPS and STREAM_DEPS are no longer passed
to auto/module when these modules are compiled as dynamic ones.  Mail
and stream dependencies are handled explicitly via corresponding
variables.
2016-11-21 16:49:19 +03:00