nginx.git/src/http/modules, branch release-1.17.1 nginx Perl: disabled not_modified filter (ticket #1786). 2019-06-17T16:48:56+00:00 Maxim Dounin mdounin@mdounin.ru 2019-06-17T16:48:56+00:00 d9887ee2ae9069843eed67d5b5ea625a7faeedb1 Embedded perl does not set any request fields needed for conditional requests processing. Further, filter finalization in the not_modified filter can cause segmentation faults due to cleared ctx as in ticket #1786. Before 5fb1e57c758a (1.7.3) the not_modified filter was implicitly disabled for perl responses, as r->headers_out.last_modified_time was -1. This change restores this behaviour by using the explicit r->disable_not_modified flag. Note that this patch doesn't try to address perl module robustness against filter finalization and other errors returned from filter chains. It should be eventually reworked to handle errors instead of ignoring them. 
Embedded perl does not set any request fields needed for conditional
requests processing.  Further, filter finalization in the not_modified
filter can cause segmentation faults due to cleared ctx as in
ticket #1786.

Before 5fb1e57c758a (1.7.3) the not_modified filter was implicitly disabled
for perl responses, as r->headers_out.last_modified_time was -1.  This
change restores this behaviour by using the explicit r->disable_not_modified
flag.

Note that this patch doesn't try to address perl module robustness against
filter finalization and other errors returned from filter chains.  It should
be eventually reworked to handle errors instead of ignoring them.
Limit req: limit_req_dry_run directive. 2019-06-05T16:55:27+00:00 Roman Arutyunyan arut@nginx.com 2019-06-05T16:55:27+00:00 dda58fc63b64227a19657ed92168b9f645c0c86e A new directive limit_req_dry_run allows enabling the dry run mode. In this mode requests are neither rejected nor delayed, but reject/delay status is logged as usual. 
A new directive limit_req_dry_run allows enabling the dry run mode.  In this
mode requests are neither rejected nor delayed, but reject/delay status is
logged as usual.
Upstream hash: fall back to round-robin if hash key is empty. 2019-05-23T13:49:22+00:00 Niklas Keller me@kelunik.com 2019-05-23T13:49:22+00:00 c18658e9fec66b2564a3dcc9a24d401d77a0d986 






Range filter: fixed duplicate last buffers.
2019-05-13T19:44:49+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-05-13T19:44:49+00:00

2015a548214b08be1a556f8b8c447dcb61356448

In ngx_http_range_singlepart_body() special buffers where passed
unmodified, including ones after the end of the range.  As such,
if the last buffer of a response was sent separately as a special
buffer, two buffers with b->last_buf set were present in the response.

In particular, this might result in a duplicate final chunk when using
chunked transfer encoding (normally range filter and chunked transfer
encoding are not used together, but this may happen if there are trailers
in the response).  This also likely to cause problems in HTTP/2.

Fix is to skip all special buffers after we've sent the last part of
the range requested.  These special buffers are not meaningful anyway,
since we set b->last_buf in the buffer with the last part of the range,
and everything is expected to be flushed due to it.

Additionally, ngx_http_next_body_filter() is now called even
if no buffers are to be passed to it.  This ensures that various
write events are properly propagated through the filter chain.  In
particular, this fixes test failures observed with the above change
and aio enabled.





In ngx_http_range_singlepart_body() special buffers where passed
unmodified, including ones after the end of the range.  As such,
if the last buffer of a response was sent separately as a special
buffer, two buffers with b->last_buf set were present in the response.

In particular, this might result in a duplicate final chunk when using
chunked transfer encoding (normally range filter and chunked transfer
encoding are not used together, but this may happen if there are trailers
in the response).  This also likely to cause problems in HTTP/2.

Fix is to skip all special buffers after we've sent the last part of
the range requested.  These special buffers are not meaningful anyway,
since we set b->last_buf in the buffer with the last part of the range,
and everything is expected to be flushed due to it.

Additionally, ngx_http_next_body_filter() is now called even
if no buffers are to be passed to it.  This ensures that various
write events are properly propagated through the filter chain.  In
particular, this fixes test failures observed with the above change
and aio enabled.







Range filter: fixed loss of incoming chain links.
2019-05-13T19:44:02+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-05-13T19:44:02+00:00

ce0f35317e16c85c1ccae8f3a0a1d6f2426b2e78

Filters are not allowed to change incoming chain links, and should allocate
their own links if any modifications are needed.  Nevertheless
ngx_http_range_singlepart_body() modified incoming chain links in some
cases, notably at the end of the requested range.

No problems caused by this are currently known, mostly because of
limited number of possible modifications and the position of the range
body filter in the filter chain.  Though this behaviour is clearly incorrect
and tests demonstrate that it can at least cause some proxy buffers being
lost when using proxy_force_ranges, leading to less effective handling
of responses.

Fix is to always allocate new chain links in ngx_http_range_singlepart_body().
Links are explicitly freed to ensure constant memory usage with long-lived
requests.





Filters are not allowed to change incoming chain links, and should allocate
their own links if any modifications are needed.  Nevertheless
ngx_http_range_singlepart_body() modified incoming chain links in some
cases, notably at the end of the requested range.

No problems caused by this are currently known, mostly because of
limited number of possible modifications and the position of the range
body filter in the filter chain.  Though this behaviour is clearly incorrect
and tests demonstrate that it can at least cause some proxy buffers being
lost when using proxy_force_ranges, leading to less effective handling
of responses.

Fix is to always allocate new chain links in ngx_http_range_singlepart_body().
Links are explicitly freed to ensure constant memory usage with long-lived
requests.







SSL: fixed potential leak on memory allocation errors.
2019-03-03T13:48:39+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-03T13:48:39+00:00

fe43346dc3151e80dae0acd751f0a94314dcb91c

If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.





If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.







SSL: fixed possible segfault with dynamic certificates.
2019-02-25T18:16:26+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T18:16:26+00:00

1a30d79c429cb1d4438d592db62cbe701e3b4360

A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.





A virtual server may have no SSL context if it does not have certificates
defined, so we have to use config of the ngx_http_ssl_module from the
SSL context in the certificate callback.  To do so, it is now passed as
the argument of the callback.

The stream module doesn't really need any changes, but was modified as
well to match http code.







SSL: adjusted session id context with dynamic certificates.
2019-02-25T13:42:54+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:42:54+00:00

ecfab06cb20959219c9aadc2ef59507488e4fa99

Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.





Dynamic certificates re-introduce problem with incorrect session
reuse (AKA "virtual host confusion", CVE-2014-3616), since there are
no server certificates to generate session id context from.

To prevent this, session id context is now generated from ssl_certificate
directives as specified in the configuration.  This approach prevents
incorrect session reuse in most cases, while still allowing sharing
sessions across multiple machines with ssl_session_ticket_key set as
long as configurations are identical.







SSL: passwords support for dynamic certificate loading.
2019-02-25T13:42:23+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:42:23+00:00

8772a0e0892e632c37f3b92b1d287ed9b473cb13

Passwords have to be copied to the configuration pool to be used
at runtime.  Also, to prevent blocking on stdin (with "daemon off;")
an empty password list is provided.

To make things simpler, password handling was modified to allow
an empty array (with 0 elements and elts set to NULL) as an equivalent
of an array with 1 empty password.





Passwords have to be copied to the configuration pool to be used
at runtime.  Also, to prevent blocking on stdin (with "daemon off;")
an empty password list is provided.

To make things simpler, password handling was modified to allow
an empty array (with 0 elements and elts set to NULL) as an equivalent
of an array with 1 empty password.







SSL: variables support in ssl_certificate and ssl_certificate_key.
2019-02-25T13:42:05+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-02-25T13:42:05+00:00

6e5a731edb6c1b8581c4b6fd2a2bf4ec0e768c24

To evaluate variables, a request is created in the certificate callback,
and then freed.  To do this without side effects on the stub_status
counters and connection state, an additional function was introduced,
ngx_http_alloc_request().

Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb()
in older versions.





To evaluate variables, a request is created in the certificate callback,
and then freed.  To do this without side effects on the stub_status
counters and connection state, an additional function was introduced,
ngx_http_alloc_request().

Only works with OpenSSL 1.0.2+, since there is no SSL_CTX_set_cert_cb()
in older versions.