nginx.git/src/event, branch release-1.0.7 nginx Merging r4011, r4012, r4136: 2011-09-30T14:30:01+00:00 Igor Sysoev igor@sysoev.ru 2011-09-30T14:30:01+00:00 0b0360a582b95a15821656663ee00f606d6d5611 Proxy related fixes: *) Fixing cpu hog with all upstream servers marked "down". The following configuration causes nginx to hog cpu due to infinite loop in ngx_http_upstream_get_peer(): upstream backend { server 127.0.0.1:8080 down; server 127.0.0.1:8080 down; } server { ... location / { proxy_pass http://backend; } } Make sure we don't loop infinitely in ngx_http_upstream_get_peer() but stop after resetting peer weights once. Return 0 if we are stuck. This is guaranteed to work as peer 0 always exists, and eventually ngx_http_upstream_get_round_robin_peer() will do the right thing falling back to backup servers or returning NGX_BUSY. *) Upstream: properly allocate memory for tried flags. Previous allocation only took into account number of non-backup servers, and this caused memory corruption with many backup servers. See report here: http://mailman.nginx.org/pipermail/nginx/2011-May/026531.html *) Fix of cpu hog in event pipe. If client closed connection in ngx_event_pipe_write_to_downstream(), buffers in the "out" chain were lost. This caused cpu hog if all available buffers were in the "out" chain. Fix is to call ngx_chain_update_chains() before checking return code of output filter to avoid loosing buffers in the "out" chain. Note that this situation (all available buffers in the "out" chain) isn't normal, it should be prevented by busy buffers limit. Though right now it may happen with complex protocols like fastcgi. This should be addressed separately. 
Proxy related fixes:

*) Fixing cpu hog with all upstream servers marked "down".

The following configuration causes nginx to hog cpu due to infinite loop
in ngx_http_upstream_get_peer():

    upstream backend {
        server 127.0.0.1:8080 down;
        server 127.0.0.1:8080 down;
    }

    server {
       ...
       location / {
           proxy_pass http://backend;
       }
    }

Make sure we don't loop infinitely in ngx_http_upstream_get_peer() but stop
after resetting peer weights once.

Return 0 if we are stuck.  This is guaranteed to work as peer 0 always exists,
and eventually ngx_http_upstream_get_round_robin_peer() will do the right
thing falling back to backup servers or returning NGX_BUSY.

*) Upstream: properly allocate memory for tried flags.

Previous allocation only took into account number of non-backup servers, and
this caused memory corruption with many backup servers.

See report here:
http://mailman.nginx.org/pipermail/nginx/2011-May/026531.html

*) Fix of cpu hog in event pipe.

If client closed connection in ngx_event_pipe_write_to_downstream(), buffers
in the "out" chain were lost.  This caused cpu hog if all available buffers
were in the "out" chain.  Fix is to call ngx_chain_update_chains() before
checking return code of output filter to avoid loosing buffers in the "out"
chain.

Note that this situation (all available buffers in the "out" chain) isn't
normal, it should be prevented by busy buffers limit.  Though right now it
may happen with complex protocols like fastcgi.  This should be addressed
separately.
Merging r4130, r4131, r4135: 2011-09-30T14:12:53+00:00 Igor Sysoev igor@sysoev.ru 2011-09-30T14:12:53+00:00 287e2cae6dcce09bcfa464e87edd65c602811d16 Linux AIO related fixes: *) Fixing Linux AIO syscalls return value handling: syscall(2) uses usual libc convention, it returns -1 on error and sets errno. Obsolete _syscall(2) returns negative value of error. *) Fixing Linux AIO initiatialization: AIO operations are disabled if kernel does not support them. Previously worker just exited. *) The "worker_aio_requests" directive. The default value is 32 AIO simultaneous requests per worker. Previously they were hardcoded to 1024, and it was too large, since Linux allocated them early on io_setup(), but not on request itself. So with default value of /proc/sys/fs/aio-max-nr equal to 65536 only 64 worker processes could be run simultaneously. 32 AIO requests are enough for modern disks even if server runs only 1 worker. 
Linux AIO related fixes:

*) Fixing Linux AIO syscalls return value handling:
syscall(2) uses usual libc convention, it returns -1 on error and
sets errno. Obsolete _syscall(2) returns negative value of error.

*) Fixing Linux AIO initiatialization: AIO operations are disabled
if kernel does not support them.  Previously worker just exited.

*) The "worker_aio_requests" directive.

The default value is 32 AIO simultaneous requests per worker. Previously
they were hardcoded to 1024, and it was too large, since Linux allocated
them early on io_setup(), but not on request itself. So with default value
of /proc/sys/fs/aio-max-nr equal to 65536 only 64 worker processes could
be run simultaneously. 32 AIO requests are enough for modern disks even if
server runs only 1 worker.
Merging r4010, r4065: 2011-09-30T13:42:59+00:00 Igor Sysoev igor@sysoev.ru 2011-09-30T13:42:59+00:00 86553d2e0a955c97846e621fb62a4d3550982ab1 SSL related fixes: *) Fixing proxy_set_body and proxy_pass_request_body with SSL. Flush flag wasn't set in constructed buffer and this prevented any data from being actually sent to upstream due to SSL buffering. Make sure we always set flush in the last buffer we are going to sent. See here for report: http://nginx.org/pipermail/nginx-ru/2011-June/041552.html *) Proper SSL shutdown handling. If connection has unsent alerts, SSL_shutdown() tries to send them even if SSL_set_shutdown(SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN) was used. This can be prevented by SSL_set_quiet_shutdown(). SSL_set_shutdown() is required nevertheless to preserve session. 
SSL related fixes:

*) Fixing proxy_set_body and proxy_pass_request_body with SSL.

Flush flag wasn't set in constructed buffer and this prevented any data
from being actually sent to upstream due to SSL buffering.  Make sure
we always set flush in the last buffer we are going to sent.

See here for report:
http://nginx.org/pipermail/nginx-ru/2011-June/041552.html

*) Proper SSL shutdown handling.

If connection has unsent alerts, SSL_shutdown() tries to send them even
if SSL_set_shutdown(SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN) was used.
This can be prevented by SSL_set_quiet_shutdown().  SSL_set_shutdown()
is required nevertheless to preserve session.
Merging r3933, r4154: 2011-09-30T13:36:33+00:00 Igor Sysoev igor@sysoev.ru 2011-09-30T13:36:33+00:00 4918eb4407b5edf62fe2add6aa140052e2d59e3d A new fix for the case when ssl_session_cache defined, but ssl is not enabled in any server. The previous r1033 does not help when unused zone becomes used after reconfiguration, so it is backed out. The initial thought was to make SSL modules independed from SSL implementation and to keep OpenSSL code dependance as much as in separate files. 
A new fix for the case when ssl_session_cache defined, but ssl is not
enabled in any server. The previous r1033 does not help when unused zone
becomes used after reconfiguration, so it is backed out.

The initial thought was to make SSL modules independed from SSL implementation
and to keep OpenSSL code dependance as much as in separate files.
Merge of r3960, r3961, r3962, r3963, r3965: 2011-08-29T12:35:53+00:00 Igor Sysoev igor@sysoev.ru 2011-08-29T12:35:53+00:00 6bf8152c6cf9aef27609e51645a452e229c67588 SSL related fixes: *) MSIE export versions are rare now, so RSA 512 key is generated on demand and is shared among all hosts instead of pregenerating for every HTTPS host on configuraiton phase. This decreases start time for configuration with large number of HTTPS hosts. *) ECDHE support; patch by Adrian Kotelba *) fix build by gcc46 with -Wunused-value option *) fix SSL connection issues on platforms with 32-bit off_t *) do not try to reuse and save a SSL session for a peer created on the fly by ngx_http_upstream_create_round_robin_peer(), since the peer lives only during request so the saved SSL session will never be used again and just causes memory leak 
SSL related fixes:

*) MSIE export versions are rare now, so RSA 512 key is generated on demand
   and is shared among all hosts instead of pregenerating for every HTTPS host
   on configuraiton phase. This decreases start time for configuration with
   large number of HTTPS hosts.
*) ECDHE support; patch by Adrian Kotelba
*) fix build by gcc46 with -Wunused-value option
*) fix SSL connection issues on platforms with 32-bit off_t
*) do not try to reuse and save a SSL session for a peer created on the fly
   by ngx_http_upstream_create_round_robin_peer(), since the peer lives
   only during request so the saved SSL session will never be used again
   and just causes memory leak
use POSIX semaphores in shmtx instead of sched_yield() 2011-05-10T11:39:13+00:00 Igor Sysoev igor@sysoev.ru 2011-05-10T11:39:13+00:00 e2c8ad71221ebcf5ca6331811118f9a6d18aec45 number of spinlock spins are increased twice 
number of spinlock spins are increased twice
fix building by gcc 4.6 without --with-debug 2011-04-23T17:25:06+00:00 Igor Sysoev igor@sysoev.ru 2011-04-23T17:25:06+00:00 efde3eb92e00cd8d181ac13b8f5a2f58ec4c0460 






fix building on Fedora 14
2011-01-20T12:33:17+00:00

Igor Sysoev
igor@sysoev.ru

2011-01-20T12:33:17+00:00

3d86ad3f9526283f6c035439e6cedda9b2437e41

patch by Kirill A. Korinskiy





patch by Kirill A. Korinskiy







remove SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG becuase of CVE-2010-4180
2010-12-06T11:17:03+00:00

Igor Sysoev
igor@sysoev.ru

2010-12-06T11:17:03+00:00

3e3ee60b99f41cdc15f3651f0a917217977157c1












fix building by msvc8 introduced by the previous commit
2010-12-02T14:20:51+00:00

Igor Sysoev
igor@sysoev.ru

2010-12-02T14:20:51+00:00

0c39c274129b1f7efe36f6b51dc16bb4a0eddad1