nginx.git/auto, branch release-1.14.1 nginx Configure: restored "no-threads" in OpenSSL builds. 2018-03-22T12:56:07+00:00 Maxim Dounin mdounin@mdounin.ru 2018-03-22T12:56:07+00:00 78386faf7ee21ecc17db6e90a226c5bd54526f82 This was previously used, but was incorrectly removed in 83d54192e97b while removing old threads remnants. Instead of using it conditionally when threads are not used, we now set in unconditionally, as even with thread pools enabled we never call OpenSSL functions in threads. This fixes resulting binary when using --with-openssl with OpenSSL 1.1.0+ and without -lpthread linked (notably on FreeBSD without PCRE). 
This was previously used, but was incorrectly removed in 83d54192e97b
while removing old threads remnants.  Instead of using it conditionally
when threads are not used, we now set in unconditionally, as even with
thread pools enabled we never call OpenSSL functions in threads.

This fixes resulting binary when using --with-openssl with OpenSSL 1.1.0+
and without -lpthread linked (notably on FreeBSD without PCRE).
Configure: fixed static compilation with OpenSSL 1.1.1. 2018-03-22T12:55:57+00:00 Maxim Dounin mdounin@mdounin.ru 2018-03-22T12:55:57+00:00 90ca1071b77b0fbb4373ae052b1242023295513f OpenSSL now uses pthread_atfork(), and this requires -lpthread on Linux to compile. Introduced NGX_LIBPTHREAD to add it as appropriate, similar to existing NGX_LIBDL. 
OpenSSL now uses pthread_atfork(), and this requires -lpthread on Linux
to compile.  Introduced NGX_LIBPTHREAD to add it as appropriate, similar
to existing NGX_LIBDL.
Configure: added gRPC module help message. 2018-03-19T09:41:36+00:00 Sergey Kandaurov pluknet@nginx.com 2018-03-19T09:41:36+00:00 8dfb87d6bb71174b3c10326492e90a6fe96e4012 






The gRPC proxy module.
2018-03-17T20:04:24+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-03-17T20:04:24+00:00

56ad960e7a3d4cf16c03ff231616a76c4834e548

The module allows passing requests to upstream gRPC servers.
The module is built by default as long as HTTP/2 support is compiled in.
Example configuration:

    grpc_pass 127.0.0.1:9000;

Alternatively, the "grpc://" scheme can be used:

    grpc_pass grpc://127.0.0.1:9000;

Keepalive support is available via the upstream keepalive module.  Note
that keepalive connections won't currently work with grpc-go as it fails
to handle SETTINGS_HEADER_TABLE_SIZE.

To use with SSL:

    grpc_pass grpcs://127.0.0.1:9000;

SSL connections use ALPN "h2" when available.  At least grpc-go works fine
without ALPN, so if ALPN is not available we just establish a connection
without it.

Tested with grpc-c++ and grpc-go.





The module allows passing requests to upstream gRPC servers.
The module is built by default as long as HTTP/2 support is compiled in.
Example configuration:

    grpc_pass 127.0.0.1:9000;

Alternatively, the "grpc://" scheme can be used:

    grpc_pass grpc://127.0.0.1:9000;

Keepalive support is available via the upstream keepalive module.  Note
that keepalive connections won't currently work with grpc-go as it fails
to handle SETTINGS_HEADER_TABLE_SIZE.

To use with SSL:

    grpc_pass grpcs://127.0.0.1:9000;

SSL connections use ALPN "h2" when available.  At least grpc-go works fine
without ALPN, so if ALPN is not available we just establish a connection
without it.

Tested with grpc-c++ and grpc-go.







HTTP/2: externalized various constants and interfaces.
2018-03-17T20:04:20+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-03-17T20:04:20+00:00

c554dd1434e1378ac5f83a97b6d250b772941498












Core: ngx_current_msec now uses monotonic time if available.
2018-03-01T17:25:50+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-03-01T17:25:50+00:00

c7e8a6f2123c653b63ed8013a805eddff502b9ee

When clock_gettime(CLOCK_MONOTONIC) (or faster variants, _FAST on FreeBSD,
and _COARSE on Linux) is available, we now use it for ngx_current_msec.
This should improve handling of timers if system time changes (ticket #189).





When clock_gettime(CLOCK_MONOTONIC) (or faster variants, _FAST on FreeBSD,
and _COARSE on Linux) is available, we now use it for ngx_current_msec.
This should improve handling of timers if system time changes (ticket #189).







HTTP/2: push additional request headers (closes #1478).
2018-02-15T14:51:32+00:00

Ruslan Ermilov
ru@nginx.com

2018-02-15T14:51:32+00:00

2437532e7fdb6f8900b05740058342e4d635a2e5

The Accept-Encoding, Accept-Language, and User-Agent header fields
are now copied from the original request to pushed requests.





The Accept-Encoding, Accept-Language, and User-Agent header fields
are now copied from the original request to pushed requests.







Fixed capabilities version.
2017-12-19T16:00:27+00:00

Roman Arutyunyan
arut@nginx.com

2017-12-19T16:00:27+00:00

ce45ded2a8c1b0c0e601779bcc3e54668a14e271

Previously, capset(2) was called with the 64-bit capabilities version
_LINUX_CAPABILITY_VERSION_3.  With this version Linux kernel expected two
copies of struct __user_cap_data_struct, while only one was submitted.  As a
result, random stack memory was accessed and random capabilities were requested
by the worker.  This sometimes caused capset() errors.  Now the 32-bit version
_LINUX_CAPABILITY_VERSION_1 is used instead.  This is OK since CAP_NET_RAW is
a 32-bit capability (CAP_NET_RAW = 13).





Previously, capset(2) was called with the 64-bit capabilities version
_LINUX_CAPABILITY_VERSION_3.  With this version Linux kernel expected two
copies of struct __user_cap_data_struct, while only one was submitted.  As a
result, random stack memory was accessed and random capabilities were requested
by the worker.  This sometimes caused capset() errors.  Now the 32-bit version
_LINUX_CAPABILITY_VERSION_1 is used instead.  This is OK since CAP_NET_RAW is
a 32-bit capability (CAP_NET_RAW = 13).







Improved the capabilities feature detection.
2017-12-18T18:09:39+00:00

Roman Arutyunyan
arut@nginx.com

2017-12-18T18:09:39+00:00

0e92c213f51bae95605c19dfee843902e7c8a0ad

Previously included file sys/capability.h mentioned in capset(2) man page,
belongs to the libcap-dev package, which may not be installed on some Linux
systems when compiling nginx.  This prevented the capabilities feature from
being detected and compiled on that systems.

Now linux/capability.h system header is included instead.  Since capset()
declaration is located in sys/capability.h, now capset() syscall is defined
explicitly in code using the SYS_capset constant, similarly to other
Linux-specific features in nginx.





Previously included file sys/capability.h mentioned in capset(2) man page,
belongs to the libcap-dev package, which may not be installed on some Linux
systems when compiling nginx.  This prevented the capabilities feature from
being detected and compiled on that systems.

Now linux/capability.h system header is included instead.  Since capset()
declaration is located in sys/capability.h, now capset() syscall is defined
explicitly in code using the SYS_capset constant, similarly to other
Linux-specific features in nginx.







Retain CAP_NET_RAW capability for transparent proxying.
2017-12-13T17:40:53+00:00

Roman Arutyunyan
arut@nginx.com

2017-12-13T17:40:53+00:00

752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5

The capability is retained automatically in unprivileged worker processes after
changing UID if transparent proxying is enabled at least once in nginx
configuration.

The feature is only available in Linux.





The capability is retained automatically in unprivileged worker processes after
changing UID if transparent proxying is enabled at least once in nginx
configuration.

The feature is only available in Linux.