<feed xmlns='http://www.w3.org/2005/Atom'>
<title>nginx.git, branch tunnel</title>
<subtitle>nginx</subtitle>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/'/>
<entry>
<title>HTTP CONNECT proxy.</title>
<updated>2025-05-25T18:16:04+00:00</updated>
<author>
<name>Roman Arutyunyan</name>
<email>arut@nginx.com</email>
</author>
<published>2025-05-20T11:33:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=d76e3d301644cfc6a2d914976b6098eb98b9e5b9'/>
<id>d76e3d301644cfc6a2d914976b6098eb98b9e5b9</id>
<content type='text'>
The HTTP CONNECT method is now supported in HTTP/1 connections.  It's
disabled in all currently existing standard modules.  A new variable $port
is added that contains the port passed by the client in HTTP CONNECT.  The
$host variable contains the host part.

A new module, ngx_http_tunnel, is added which establishes a tunnel to a
backend.  It supports the newly added HTTP CONNECT method and can be used
to set up an HTTP CONNECT proxy.

As recommended by RFC 9110, the proxy target should be restricted to ensure
safe proxying:

: Proxies that support CONNECT SHOULD restrict its use to a limited set
: of known ports or a configurable list of safe request targets.

Example config:

    server {
        listen 8000;

        resolver dns.example.com;

        map $port $tun_port {
            80             1;
            443            1;
        }

        map $host $tun_host {
            hostnames;

            example.com    1;
            *.example.org  1;
        }

        map $tun_port$tun_host $tun {
            11             $host:$port;
        }

        location / {
            tunnel_pass $tun;
        }
    }

Request:

    $ curl -px 127.0.0.1:8000 http://example.com
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The HTTP CONNECT method is now supported in HTTP/1 connections.  It's
disabled in all currently existing standard modules.  A new variable $port
is added that contains the port passed by the client in HTTP CONNECT.  The
$host variable contains the host part.

A new module, ngx_http_tunnel, is added which establishes a tunnel to a
backend.  It supports the newly added HTTP CONNECT method and can be used
to set up an HTTP CONNECT proxy.

As recommended by RFC 9110, the proxy target should be restricted to ensure
safe proxying:

: Proxies that support CONNECT SHOULD restrict its use to a limited set
: of known ports or a configurable list of safe request targets.

Example config:

    server {
        listen 8000;

        resolver dns.example.com;

        map $port $tun_port {
            80             1;
            443            1;
        }

        map $host $tun_host {
            hostnames;

            example.com    1;
            *.example.org  1;
        }

        map $tun_port$tun_host $tun {
            11             $host:$port;
        }

        location / {
            tunnel_pass $tun;
        }
    }

Request:

    $ curl -px 127.0.0.1:8000 http://example.com
</pre>
</div>
</content>
</entry>
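The policy from the commit message above, as an added example that is not nginx's ngx_http_tunnel module or its configuration: the two map lookups expressed as a Python allow-list over the authority-form CONNECT request-target, plus a loopback stub proxy that answers CONNECT with 200 or 403 so the curl exchange can be reproduced offline. Assumptions made here: the "*.example.org" entry is read with server_name wildcard rules (subdomains only, not the bare domain), host comparison is case-insensitive, and the stub only makes the decision, it never opens the upstream connection. In the commit's curl line, -p is --proxytunnel and -x is --proxy, so curl sends the same CONNECT request-line that the client function below builds.

```python
"""Added example, not nginx code: the CONNECT allow-list from the commit's
example config expressed in Python, plus a loopback stub proxy so the
request/response exchange can be run offline."""

import re
import socket
import threading

# Policy copied from the commit's example config: ports 80 and 443 only,
# hosts example.com and *.example.org.  Constructed data for this example.
ALLOWED_PORTS = frozenset({80, 443})
ALLOWED_HOSTS = ("example.com", "*.example.org")

# CONNECT uses the authority-form request-target "host:port" (RFC 9110,
# section 9.3.6).  A bracketed IPv6 literal is accepted; the port is mandatory.
_AUTHORITY_RE = re.compile(r"^(\[[0-9a-fA-F:.]+\]|[^\[\]:/\s]+):([0-9]{1,5})$")


def parse_authority(target):
    """Split an authority-form target into (host, port); raise on garbage."""
    m = _AUTHORITY_RE.match(target)
    if m is None:
        raise ValueError("not an authority-form target: %r" % target)
    host, port = m.group(1).lower(), int(m.group(2))
    if port == 0 or port > 65535:
        raise ValueError("port out of range: %d" % port)
    return host, port


def host_allowed(host, patterns=ALLOWED_HOSTS):
    """Match the way an nginx 'hostnames' map entry is read here: an exact
    name, or a leading '*.' wildcard that matches subdomains but not the
    bare domain (server_name wildcard rules; assumed to apply to map)."""
    host = host.lower().rstrip(".")
    for pat in patterns:
        if pat.startswith("*."):
            if host.endswith(pat[1:]):
                return True
        elif host == pat:
            return True
    return False


def tunnel_target(target, ports=ALLOWED_PORTS, hosts=ALLOWED_HOSTS):
    """The $tun value: 'host:port' only when both the port and the host
    matched, otherwise None (the empty map default, so nothing is tunnelled)."""
    try:
        host, port = parse_authority(target)
    except ValueError:
        return None
    if port in ports and host_allowed(host, hosts):
        return "%s:%d" % (host, port)
    return None


def _serve_one(listener):
    """Answer one CONNECT request with the policy decision, then close.
    Stub for the demo: it never dials the upstream."""
    conn, _ = listener.accept()
    listener.close()
    with conn:
        reader = conn.makefile("rb")
        request_line = reader.readline().decode("latin-1").rstrip("\r\n")
        while reader.readline() not in (b"\r\n", b""):   # skip header fields
            pass
        parts = request_line.split(" ")
        if len(parts) != 3 or parts[0] != "CONNECT":
            conn.sendall(b"HTTP/1.1 405 Method Not Allowed\r\nContent-Length: 0\r\n\r\n")
        elif tunnel_target(parts[1]) is None:
            conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\n\r\n")
        else:
            conn.sendall(b"HTTP/1.1 200 Connection Established\r\n\r\n")


def start_stub_proxy():
    """Bind an ephemeral loopback port, serve one request in a thread,
    and return the (host, port) tuple to connect to."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    threading.Thread(target=_serve_one, args=(listener,), daemon=True).start()
    return listener.getsockname()


def connect_via_proxy(proxy_addr, host, port):
    """Send the CONNECT that 'curl -p -x proxy' sends and return the status code."""
    with socket.create_connection(proxy_addr, timeout=5) as sock:
        request = "CONNECT %s:%d HTTP/1.1\r\nHost: %s:%d\r\n\r\n" % (host, port, host, port)
        sock.sendall(request.encode("ascii"))
        status_line = sock.makefile("rb").readline().decode("latin-1")
    return int(status_line.split(" ")[1])


if __name__ == "__main__":
    for h, p in (("example.com", 443), ("www.example.org", 80),
                 ("example.org", 443), ("example.com", 22)):
        print("CONNECT %s:%d ->" % (h, p), connect_via_proxy(start_stub_proxy(), h, p))
```

Running the block prints 200 for example.com:443 and www.example.org:80 and 403 for example.org:443 (bare domain, not covered by "*.example.org") and example.com:22 (port not in the list). The same denial is what the commit's map produces when $tun stays empty; the point of checking host and port together is that an open CONNECT proxy is otherwise a generic TCP relay to anything the server can reach.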
<entry>
<title>QUIC: using QUIC API introduced in OpenSSL 3.5.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-02-13T13:00:56+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=6a134dfd4888fc3850d22294687cfb3940994c69'/>
<id>6a134dfd4888fc3850d22294687cfb3940994c69</id>
<content type='text'>
Similarly to the QUIC API that originated in BoringSSL, this API allows
registering custom TLS callbacks for an external QUIC implementation.
See the SSL_set_quic_tls_cbs manual page for details.

Due to a different approach used in OpenSSL 3.5, handling of CRYPTO
frames was streamlined to always write an incoming CRYPTO buffer to
the crypto context.  Using SSL_provide_quic_data(), this results in
transient allocation of chain links and buffers for CRYPTO frames
received in order.  Testing didn't reveal any performance degradation
of QUIC handshakes; https://github.com/nginx/nginx/pull/646 provides
specific results.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Similarly to the QUIC API that originated in BoringSSL, this API allows
registering custom TLS callbacks for an external QUIC implementation.
See the SSL_set_quic_tls_cbs manual page for details.

Due to a different approach used in OpenSSL 3.5, handling of CRYPTO
frames was streamlined to always write an incoming CRYPTO buffer to
the crypto context.  Using SSL_provide_quic_data(), this results in
transient allocation of chain links and buffers for CRYPTO frames
received in order.  Testing didn't reveal any performance degradation
of QUIC handshakes; https://github.com/nginx/nginx/pull/646 provides
specific results.
</pre>
</div>
</content>
</entry>
<entry>
<title>QUIC: better approach for premature handshake completion.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-05-15T21:10:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=1d4d2f2c962c33aafdd8f79d9fc50b7cacf05e24'/>
<id>1d4d2f2c962c33aafdd8f79d9fc50b7cacf05e24</id>
<content type='text'>
Using SSL_in_init() to inspect a handshake state was replaced with
SSL_is_init_finished().  This represents a more complete fix to the
BoringSSL issue addressed in 22671b37e.

This provides awareness of the early data handshake state when using
OpenSSL 3.5 TLS callbacks in 0-RTT enabled configurations, which, in
particular, is used to avoid premature completion of the initial TLS
handshake, before required client handshake messages are received.

This is a non-functional change when using BoringSSL.  It supersedes
testing for non-positive SSL_do_handshake() results in all supported SSL
libraries and is hence simplified.

In preparation for using OpenSSL 3.5 TLS callbacks.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Using SSL_in_init() to inspect a handshake state was replaced with
SSL_is_init_finished().  This represents a more complete fix to the
BoringSSL issue addressed in 22671b37e.

This provides awareness of the early data handshake state when using
OpenSSL 3.5 TLS callbacks in 0-RTT enabled configurations, which, in
particular, is used to avoid premature completion of the initial TLS
handshake, before required client handshake messages are received.

This is a non-functional change when using BoringSSL.  It supersedes
testing for non-positive SSL_do_handshake() results in all supported SSL
libraries and is hence simplified.

In preparation for using OpenSSL 3.5 TLS callbacks.
</pre>
</div>
</content>
</entry>
<entry>
<title>QUIC: ssl_encryption_level_t abstraction layer.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-05-06T11:58:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=bcb9d3fd2cc88eee23a5da854a0e2aa5c5b688d7'/>
<id>bcb9d3fd2cc88eee23a5da854a0e2aa5c5b688d7</id>
<content type='text'>
Encryption level values are decoupled from ssl_encryption_level_t,
which is now limited to BoringSSL QUIC callbacks, with mappings
provided.  Although the values match, this provides a technically
safe approach, in particular, for accessing protection-level-sized arrays.

In preparation for using OpenSSL 3.5 TLS callbacks.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Encryption level values are decoupled from ssl_encryption_level_t,
which is now limited to BoringSSL QUIC callbacks, with mappings
provided.  Although the values match, this provides a technically
safe approach, in particular, for accessing protection-level-sized arrays.

In preparation for using OpenSSL 3.5 TLS callbacks.
</pre>
</div>
</content>
</entry>
<entry>
<title>QUIC: factored out SSL_provide_quic_data() to the helper function.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-05-21T16:32:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=9857578f15352ec248813f5b3e58ca55dc82f967'/>
<id>9857578f15352ec248813f5b3e58ca55dc82f967</id>
<content type='text'>
It is now called from ngx_quic_handle_crypto_frame(), prior to proceeding
with the handshake.  With this logic removed, the handshake function is
renamed to ngx_quic_handshake() to better match ngx_ssl_handshake().
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
It is now called from ngx_quic_handle_crypto_frame(), prior to proceeding
with the handshake.  With this logic removed, the handshake function is
renamed to ngx_quic_handshake() to better match ngx_ssl_handshake().
</pre>
</div>
</content>
</entry>
<entry>
<title>QUIC: defined SSL API macros in a single place.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-05-20T23:54:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=e561f7dbcfc27f5f648e5151de0796e691cbc1b0'/>
<id>e561f7dbcfc27f5f648e5151de0796e691cbc1b0</id>
<content type='text'>
All definitions are now set in ngx_event_quic.h; this includes moving
NGX_QUIC_OPENSSL_COMPAT from autotests to compile time.  Further,
to improve code readability, a new NGX_QUIC_QUICTLS_API macro is
used for QuicTLS, which provides the old BoringSSL QUIC API.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
All definitions are now set in ngx_event_quic.h; this includes moving
NGX_QUIC_OPENSSL_COMPAT from autotests to compile time.  Further,
to improve code readability, a new NGX_QUIC_QUICTLS_API macro is
used for QuicTLS, which provides the old BoringSSL QUIC API.
</pre>
</div>
</content>
</entry>
<entry>
<title>QUIC: logging missing mandatory TLS extensions only once.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-05-06T14:57:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=54e6b7cfeeae50f708398468078094fd309828e0'/>
<id>54e6b7cfeeae50f708398468078094fd309828e0</id>
<content type='text'>
Previously, they might be logged on every add_handshake_data
callback invocation when using the OpenSSL compat layer and processing
coalesced handshake messages.

Further, the ALPN error message is adjusted to signal the missing
extension.  Possible reasons were previously narrowed down with
ebb6f7d65 changes in the ALPN callback that is invoked earlier in
the handshake.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Previously, they might be logged on every add_handshake_data
callback invocation when using the OpenSSL compat layer and processing
coalesced handshake messages.

Further, the ALPN error message is adjusted to signal the missing
extension.  Possible reasons were previously narrowed down with
ebb6f7d65 changes in the ALPN callback that is invoked earlier in
the handshake.
</pre>
</div>
</content>
</entry>
<entry>
<title>QUIC: reset qc-&gt;error to zero again.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-05-14T19:33:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=5d7fd4a7e3025e8600bb029742a0a28bf4ca9eec'/>
<id>5d7fd4a7e3025e8600bb029742a0a28bf4ca9eec</id>
<content type='text'>
Following the previous change that removed posting a close event
in the OpenSSL compat layer, ngx_quic_close_connection() is now always
called on the error path with either NGX_ERROR or qc-&gt;error set.

This allows removing the special value -1 that served as a missing error,
which simplifies the code.  Partially reverts d3fb12d77.

Also, this improves handling of the draining connection state, which
consists of posting a close event with NGX_OK and no qc-&gt;error set,
where it was previously converted to NGX_QUIC_ERR_INTERNAL_ERROR.
Notably, this is rather a cosmetic fix, because drained connections
do not send any packets including CONNECTION_CLOSE, and qc-&gt;error
is not otherwise used.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Following the previous change that removed posting a close event
in the OpenSSL compat layer, ngx_quic_close_connection() is now always
called on the error path with either NGX_ERROR or qc-&gt;error set.

This allows removing the special value -1 that served as a missing error,
which simplifies the code.  Partially reverts d3fb12d77.

Also, this improves handling of the draining connection state, which
consists of posting a close event with NGX_OK and no qc-&gt;error set,
where it was previously converted to NGX_QUIC_ERR_INTERNAL_ERROR.
Notably, this is rather a cosmetic fix, because drained connections
do not send any packets including CONNECTION_CLOSE, and qc-&gt;error
is not otherwise used.
</pre>
</div>
</content>
</entry>
<entry>
<title>QUIC: adjusted handling of callback errors.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-05-13T16:12:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=7468a10b62276be4adee0fcd6aaf6244270984ab'/>
<id>7468a10b62276be4adee0fcd6aaf6244270984ab</id>
<content type='text'>
Changed handshake callbacks to always return success.  This makes it possible
to avoid logging SSL_do_handshake() errors with empty or cryptic "internal
error" OpenSSL error messages at the inappropriate "crit" log level.

Further, connections with failed callbacks are now closed right away when
using the OpenSSL compat layer.  This change supersedes and reverts c37fdcdd1,
with the conditions to check callbacks invocation kept to slightly improve
code readability of control flow; they are optimized out in the resulting
assembly code.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Changed handshake callbacks to always return success.  This makes it possible
to avoid logging SSL_do_handshake() errors with empty or cryptic "internal
error" OpenSSL error messages at the inappropriate "crit" log level.

Further, connections with failed callbacks are now closed right away when
using the OpenSSL compat layer.  This change supersedes and reverts c37fdcdd1,
with the conditions to check callbacks invocation kept to slightly improve
code readability of control flow; they are optimized out in the resulting
assembly code.
</pre>
</div>
</content>
</entry>
<entry>
<title>QUIC: logging of SSL library errors.</title>
<updated>2025-05-23T11:00:47+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2025-05-21T15:55:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=47f96993f669543c6cb4979dd3f680ad01314ee5'/>
<id>47f96993f669543c6cb4979dd3f680ad01314ee5</id>
<content type='text'>
Logging level for such errors, which should not normally happen,
is changed to NGX_LOG_ALERT, and ngx_log_error() is replaced with
ngx_ssl_error() for consistency with the rest of the code.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Logging level for such errors, which should not normally happen,
is changed to NGX_LOG_ALERT, and ngx_log_error() is replaced with
ngx_ssl_error() for consistency with the rest of the code.
</pre>
</div>
</content>
</entry>
</feed>
