<feed xmlns='http://www.w3.org/2005/Atom'>
<title>nginx.git/src/event, branch release-1.2.5</title>
<subtitle>nginx</subtitle>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/'/>
<entry>
<title>Merge of r4896: event pipe: fixed handling of buf_to_file data.</title>
<updated>2012-11-13T11:24:14+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-11-13T11:24:14+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=13cda62555b28dd1afb927705eeff0c5f66cdbaf'/>
<id>13cda62555b28dd1afb927705eeff0c5f66cdbaf</id>
<content type='text'>
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p-&gt;buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p-&gt;buf_to_file.

This fixes occasional cache file corruption, which usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Input filter might free a buffer if there is no data in it, and in case
of first buffer (used for cache header and request header, aka p-&gt;buf_to_file)
this resulted in cache corruption.  Buffer memory was reused to read upstream
response before headers were written to disk.

Fix is to avoid moving pointers in ngx_event_pipe_add_free_buf() to a buffer
start if we were asked to free a buffer used by p-&gt;buf_to_file.

This fixes occasional cache file corruption, which usually resulted
in "cache file ... has md5 collision" alerts.

Reported by Anatoli Marinov.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4885: ssl_verify_client optional_no_ca.</title>
<updated>2012-11-13T10:42:16+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-11-13T10:42:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=71b6604e4465b6aac478f04c3608a6be5c6500e6'/>
<id>71b6604e4465b6aac478f04c3608a6be5c6500e6</id>
<content type='text'>
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".

This parameter allows not requiring the certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
SSL: the "ssl_verify_client" directive parameter "optional_no_ca".

This parameter allows not requiring the certificate to be signed by
a trusted CA, e.g. if CA certificate isn't known in advance, like in
WebID protocol.

Note that it doesn't add any security unless the certificate is actually
checked to be trusted by some external means (e.g. by a backend).

Patch by Mike Kazantsev, Eric O'Connor.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4868, r4869: SSL minor fixes.</title>
<updated>2012-11-12T18:00:32+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-11-12T18:00:32+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=d39777712d97180ff439461813083cbc7892a2a1'/>
<id>d39777712d97180ff439461813083cbc7892a2a1</id>
<content type='text'>
*) SSL: fixed compression workaround to remove all methods.

   Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating
   stack from 0 to n, resulting in removal of only even compression methods.

   In real life this change is a nop, as there is only one compression method
   which is enabled by default in OpenSSL.

*) SSL: added version checks for ssl compression workaround.

   The SSL_COMP_get_compression_methods() is only available as an API
   function in OpenSSL 0.9.8+, require it explicitly to unbreak build
   with OpenSSL 0.9.7.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
*) SSL: fixed compression workaround to remove all methods.

   Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating
   stack from 0 to n, resulting in removal of only even compression methods.

   In real life this change is a nop, as there is only one compression method
   which is enabled by default in OpenSSL.

*) SSL: added version checks for ssl compression workaround.

   The SSL_COMP_get_compression_methods() is only available as an API
   function in OpenSSL 0.9.8+, require it explicitly to unbreak build
   with OpenSSL 0.9.7.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4785, r4795, r4811, r4812, r4816, r4822: coverity.</title>
<updated>2012-09-24T18:54:28+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-09-24T18:54:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=191e31938e81f2a59a4ba4dc6b3f4f28bc232187'/>
<id>191e31938e81f2a59a4ba4dc6b3f4f28bc232187</id>
<content type='text'>
*) Resolver: fixed possible memory leak in ngx_resolver_create().

*) Explicitly ignore returned value from unlink() in ngx_open_tempfile().

*) Explicitly ignore returned value from close() in ngx_event_core_init_conf().

*) Added three missing checks for NULL after ngx_array_push() calls.

*) Crypt: fixed handling of corrupted SSHA entries in password file.

*) Mark logically dead code with corresponding comment.

Found by / prodded by Coverity.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
*) Resolver: fixed possible memory leak in ngx_resolver_create().

*) Explicitly ignore returned value from unlink() in ngx_open_tempfile().

*) Explicitly ignore returned value from close() in ngx_event_core_init_conf().

*) Added three missing checks for NULL after ngx_array_push() calls.

*) Crypt: fixed handling of corrupted SSHA entries in password file.

*) Mark logically dead code with corresponding comment.

Found by / prodded by Coverity.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4764: debug_connection with a domain name change.</title>
<updated>2012-08-06T17:13:20+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-08-06T17:13:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=f3959db1e773a7d5fef3009f04b1afb2c2d4c744'/>
<id>f3959db1e773a7d5fef3009f04b1afb2c2d4c744</id>
<content type='text'>
When "debug_connection" is configured with a domain name, only the first
resolved address was used.  Now all addresses will be used.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When "debug_connection" is configured with a domain name, only the first
resolved address was used.  Now all addresses will be used.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4760, r4761: -Wmissing-prototypes.</title>
<updated>2012-08-06T17:07:28+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-08-06T17:07:28+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=20ce4fcbbf7c1504cc520905dfde1b2790011e31'/>
<id>20ce4fcbbf7c1504cc520905dfde1b2790011e31</id>
<content type='text'>
Fixed compilation with -Wmissing-prototypes.  Added a commented
out -Wmissing-prototypes to CFLAGS.  It is commented out to not break
builds with 3rd party modules.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fixed compilation with -Wmissing-prototypes.  Added a commented
out -Wmissing-prototypes to CFLAGS.  It is commented out to not break
builds with 3rd party modules.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4697: disabled gzip in OpenSSL prior to 1.0.0.</title>
<updated>2012-07-02T17:25:51+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-07-02T17:25:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=d4ee957632ed27aa26e1351cb3a3bb400fac30d1'/>
<id>d4ee957632ed27aa26e1351cb3a3bb400fac30d1</id>
<content type='text'>
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
This saves about 522K per connection.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Disabled gzip compression in OpenSSL prior to 1.0.0 version.
This saves about 522K per connection.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4652: ssl without buffer should not set c-&gt;buffered.</title>
<updated>2012-07-02T15:51:02+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-07-02T15:51:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=fb6e7626f6aa3fb9e627e1a2dbcf1d92dfc99557'/>
<id>fb6e7626f6aa3fb9e627e1a2dbcf1d92dfc99557</id>
<content type='text'>
Removed mistaken setting of NGX_SSL_BUFFERED flag in ngx_ssl_send_chain()
if SSL buffer is not used.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Removed mistaken setting of NGX_SSL_BUFFERED flag in ngx_ssl_send_chain()
if SSL buffer is not used.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4630: fixed c-&gt;sent with unbuffered ssl.</title>
<updated>2012-06-04T12:00:38+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-06-04T12:00:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=88050e54616809dcaeebbb60ad61d56ddb50e494'/>
<id>88050e54616809dcaeebbb60ad61d56ddb50e494</id>
<content type='text'>
Update c-&gt;sent in ngx_ssl_send_chain() even if SSL buffer is not used.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Update c-&gt;sent in ngx_ssl_send_chain() even if SSL buffer is not used.
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge of r4614, r4624-r4629, r4631: proxy recursive changes.</title>
<updated>2012-06-04T11:58:12+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2012-06-04T11:58:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=8acd40c4951ca822e2fb4672de9e4f23c6b6a97a'/>
<id>8acd40c4951ca822e2fb4672de9e4f23c6b6a97a</id>
<content type='text'>
*) Added IPv6 and UNIX-domain socket support in "debug_connection"
   directive.

*) New function ngx_http_get_forwarded_addr() to look up real client
   address.

   On input it takes an original address, string in the X-Forwarded-For format
   and its length, list of trusted proxies, and a flag indicating to perform
   the recursive search.  On output it returns NGX_OK and the "deepest" valid
   address in a chain, or NGX_DECLINED.  It supports AF_INET and AF_INET6.
   Additionally, original address and/or proxy may be specified as AF_UNIX.

*) Realip: chains of trusted proxies and IPv6 support.

   The module now supports recursive search of client address through
   the chain of trusted proxies, controlled by the "real_ip_recursive"
   directive (closes #2).  It also gets full IPv6 support (closes #44)
   and canonical value of the $client_addr variable on address change.

   Example:

       real_ip_header X-Forwarded-For;
       set_real_ip_from 127.0.0.0/8;
       set_real_ip_from ::1;
       set_real_ip_from unix:;
       real_ip_recursive on;

*) Geo: chains of trusted proxies and partial IPv6 support.

   The module now supports recursive search of client address through
   the chain of trusted proxies, controlled by the "proxy_recursive"
   directive in the "geo" block.  It also gets partial IPv6 support:
   now proxies may be specified with IPv6 addresses.

   Example:

       geo $test {
           ...
           proxy 127.0.0.1;
           proxy ::1;
           proxy_recursive;
       }

   There's also a slight change in behavior.  When original client
   address (as specified by the "geo" directive) is one of the
   trusted proxies, and the value of the X-Forwarded-For request
   header cannot be parsed as a valid address, an original client
   address will be used for lookup.  Previously, 255.255.255.255 was
   used in this case.

*) Geoip: trusted proxies support and partial IPv6 support.

   The module now supports recursive search of client address through the
   chain of trusted proxies (closes #100), in the same scope as the geo
   module.  Proxies are listed by the "geoip_proxy" directive, recursive
   search is enabled by the "geoip_proxy_recursive" directive.  IPv6 is
   partially supported: proxies may be specified with IPv6 addresses.

   Example:

        geoip_country .../GeoIP.dat;
        geoip_proxy 127.0.0.1;
        geoip_proxy ::1;
        geoip_proxy 10.0.0.0/8;
        geoip_proxy_recursive on;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
*) Added IPv6 and UNIX-domain socket support in "debug_connection"
   directive.

*) New function ngx_http_get_forwarded_addr() to look up real client
   address.

   On input it takes an original address, string in the X-Forwarded-For format
   and its length, list of trusted proxies, and a flag indicating to perform
   the recursive search.  On output it returns NGX_OK and the "deepest" valid
   address in a chain, or NGX_DECLINED.  It supports AF_INET and AF_INET6.
   Additionally, original address and/or proxy may be specified as AF_UNIX.

*) Realip: chains of trusted proxies and IPv6 support.

   The module now supports recursive search of client address through
   the chain of trusted proxies, controlled by the "real_ip_recursive"
   directive (closes #2).  It also gets full IPv6 support (closes #44)
   and canonical value of the $client_addr variable on address change.

   Example:

       real_ip_header X-Forwarded-For;
       set_real_ip_from 127.0.0.0/8;
       set_real_ip_from ::1;
       set_real_ip_from unix:;
       real_ip_recursive on;

*) Geo: chains of trusted proxies and partial IPv6 support.

   The module now supports recursive search of client address through
   the chain of trusted proxies, controlled by the "proxy_recursive"
   directive in the "geo" block.  It also gets partial IPv6 support:
   now proxies may be specified with IPv6 addresses.

   Example:

       geo $test {
           ...
           proxy 127.0.0.1;
           proxy ::1;
           proxy_recursive;
       }

   There's also a slight change in behavior.  When original client
   address (as specified by the "geo" directive) is one of the
   trusted proxies, and the value of the X-Forwarded-For request
   header cannot be parsed as a valid address, an original client
   address will be used for lookup.  Previously, 255.255.255.255 was
   used in this case.

*) Geoip: trusted proxies support and partial IPv6 support.

   The module now supports recursive search of client address through the
   chain of trusted proxies (closes #100), in the same scope as the geo
   module.  Proxies are listed by the "geoip_proxy" directive, recursive
   search is enabled by the "geoip_proxy_recursive" directive.  IPv6 is
   partially supported: proxies may be specified with IPv6 addresses.

   Example:

        geoip_country .../GeoIP.dat;
        geoip_proxy 127.0.0.1;
        geoip_proxy ::1;
        geoip_proxy 10.0.0.0/8;
        geoip_proxy_recursive on;
</pre>
</div>
</content>
</entry>
</feed>
