nginx.git/src/http/modules, branch release-1.11.3 nginx Avoid left-shifting integers into the sign bit, which is undefined. 2016-07-07T18:02:28+00:00 Sergey Kandaurov pluknet@nginx.com 2016-07-07T18:02:28+00:00 6299f5e9149483251bbbcc8ad26cf29b6109e75c Found with UndefinedBehaviorSanitizer. 
Found with UndefinedBehaviorSanitizer.
Sub filter: eliminate unnecessary buffering. 2016-07-02T12:59:53+00:00 Roman Arutyunyan arut@nginx.com 2016-07-02T12:59:53+00:00 c9dae918fdf370367e2dfd92f3b19853783c9fc9 Previously, when a buffer was processed by the sub filter, its final bytes could be buffered by the filter even if they don't match any pattern. This happened because the Boyer-Moore algorithm, employed by the sub filter since b9447fc457b4 (1.9.4), matches the last characters of patterns prior to checking other characters. If the last character is out of scope, initial bytes of a potential match are buffered until the last character is available. Now, after receiving a flush or recycled buffer, the filter performs additional checks to reduce the number of buffered bytes. The potential match is checked against the initial parts of all patterns. Non-matching bytes are not buffered. This improves processing of a chunked response from upstream by sending the entire chunks without buffering unless a partial match is found at the end of a chunk. 
Previously, when a buffer was processed by the sub filter, its final bytes
could be buffered by the filter even if they don't match any pattern.
This happened because the Boyer-Moore algorithm, employed by the sub filter
since b9447fc457b4 (1.9.4), matches the last characters of patterns prior to
checking other characters.  If the last character is out of scope, initial
bytes of a potential match are buffered until the last character is available.

Now, after receiving a flush or recycled buffer, the filter performs
additional checks to reduce the number of buffered bytes.  The potential match
is checked against the initial parts of all patterns.  Non-matching bytes are
not buffered.  This improves processing of a chunked response from upstream
by sending the entire chunks without buffering unless a partial match is found
at the end of a chunk.
Sub filter: introduced the ngx_http_sub_match() function. 2016-07-02T12:59:52+00:00 Roman Arutyunyan arut@nginx.com 2016-07-02T12:59:52+00:00 ec7015575559f4e54cf3fc542437489ab6741264 No functional changes. 
No functional changes.
Introduced ngx_inet_get_port() and ngx_inet_set_port() functions. 2016-06-20T08:50:39+00:00 Roman Arutyunyan arut@nginx.com 2016-06-20T08:50:39+00:00 5b201ac31f968d13f1165e7f29967e5826ccb9a1 






SSL: ngx_ssl_ciphers() to set list of ciphers.
2016-06-15T20:05:30+00:00

Tim Taubert
tim@timtaubert.de

2016-06-15T20:05:30+00:00

4f578bfcab740fcfbbb8824822803ad9b3f176cc

This patch moves various OpenSSL-specific function calls into the
OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more
crypto-library-agnostic.





This patch moves various OpenSSL-specific function calls into the
OpenSSL module and introduces ngx_ssl_ciphers() to make nginx more
crypto-library-agnostic.







Realip: detect duplicate real_ip_header directive.
2016-05-23T16:17:24+00:00

Ruslan Ermilov
ru@nginx.com

2016-05-23T16:17:24+00:00

adfd0b065cca23d2ca61ad43c5b8fdaa23957da9












Realip: take client port from PROXY protocol header.
2016-05-23T15:44:22+00:00

Dmitry Volyntsev
xeioex@nginx.com

2016-05-23T15:44:22+00:00

19140c8c4f7f16747df4a7e3bf4299a6a8d75a81

Previously, when the client address was changed to the one from
the PROXY protocol header, the client port ($remote_port) was
reset to zero.  Now the client port is also changed to the one
from the PROXY protocol header.





Previously, when the client address was changed to the one from
the PROXY protocol header, the client port ($remote_port) was
reset to zero.  Now the client port is also changed to the one
from the PROXY protocol header.







Added the $realip_remote_port variable.
2016-05-23T15:44:22+00:00

Dmitry Volyntsev
xeioex@nginx.com

2016-05-23T15:44:22+00:00

97495b662f378bad2a9df05d4c4b4e0977b1d309












Introduced the ngx_sockaddr_t type.
2016-05-23T13:37:20+00:00

Ruslan Ermilov
ru@nginx.com

2016-05-23T13:37:20+00:00

fd064d3b88e59ee71aec508687403539b01d643c

It's properly aligned and can hold any supported sockaddr.





It's properly aligned and can hold any supported sockaddr.







SSL: support for multiple curves (ticket #885).
2016-05-19T11:46:32+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-05-19T11:46:32+00:00

3b7dca4bb5b0938addd48dd5261a0b61d849f8f3

OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported.  This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.

The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used".  For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used.  The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).

As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.





OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported.  This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.

The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used".  For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used.  The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).

As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.