nginx.git/src/http/modules, branch release-1.19.1 nginx gRPC: generate error when response size is wrong. 2020-07-06T15:36:25+00:00 Maxim Dounin mdounin@mdounin.ru 2020-07-06T15:36:25+00:00 5348706fe607c2b6704b52078cba77ee8fa298b8 As long as the "Content-Length" header is given, we now make sure it exactly matches the size of the response. If it doesn't, the response is considered malformed and must not be forwarded (https://tools.ietf.org/html/rfc7540#section-8.1.2.6). While it is not really possible to "not forward" the response which is already being forwarded, we generate an error instead, which is the closest equivalent. Previous behaviour was to pass everything to the client, but this seems to be suboptimal and causes issues (ticket #1695). Also this directly contradicts HTTP/2 specification requirements. Note that the new behaviour for the gRPC proxy is more strict than that applied in other variants of proxying. This is intentional, as HTTP/2 specification requires us to do so, while in other types of proxying malformed responses from backends are well known and historically tolerated. 
As long as the "Content-Length" header is given, we now make sure
it exactly matches the size of the response.  If it doesn't,
the response is considered malformed and must not be forwarded
(https://tools.ietf.org/html/rfc7540#section-8.1.2.6).  While it
is not really possible to "not forward" the response which is already
being forwarded, we generate an error instead, which is the closest
equivalent.

Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Also this
directly contradicts HTTP/2 specification requirements.

Note that the new behaviour for the gRPC proxy is more strict than that
applied in other variants of proxying.  This is intentional, as HTTP/2
specification requires us to do so, while in other types of proxying
malformed responses from backends are well known and historically
tolerated.
FastCGI: protection from responses with wrong length. 2020-07-06T15:36:23+00:00 Maxim Dounin mdounin@mdounin.ru 2020-07-06T15:36:23+00:00 1194ba36a0685efb0818d28dad5ef518949c910b Previous behaviour was to pass everything to the client, but this seems to be suboptimal and causes issues (ticket #1695). Fix is to drop extra data instead, as it naturally happens in most clients. Additionally, we now also issue a warning if the response is too short, and make sure the fact it is truncated is propagated to the client. The u->error flag is introduced to make it possible to propagate the error to the client in case of unbuffered proxying. For responses to HEAD requests there is an exception: we do allow both responses without body and responses with body matching the Content-Length header. 
Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Fix is to
drop extra data instead, as it naturally happens in most clients.

Additionally, we now also issue a warning if the response is too
short, and make sure the fact it is truncated is propagated to the
client.  The u->error flag is introduced to make it possible to
propagate the error to the client in case of unbuffered proxying.

For responses to HEAD requests there is an exception: we do allow
both responses without body and responses with body matching the
Content-Length header.
Upstream: drop extra data sent by upstream. 2020-07-06T15:36:22+00:00 Maxim Dounin mdounin@mdounin.ru 2020-07-06T15:36:22+00:00 dfcfcc5a881bf4b349f74c9a0a04da2d861f02bf Previous behaviour was to pass everything to the client, but this seems to be suboptimal and causes issues (ticket #1695). Fix is to drop extra data instead, as it naturally happens in most clients. This change covers generic buffered and unbuffered filters as used in the scgi and uwsgi modules. Appropriate input filter init handlers are provided by the scgi and uwsgi modules to set corresponding lengths. Note that for responses to HEAD requests there is an exception: we do allow any response length. This is because responses to HEAD requests might be actual full responses, and it is up to nginx to remove the response body. If caching is enabled, only full responses matching the Content-Length header will be cached (see b779728b180c). 
Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Fix is to
drop extra data instead, as it naturally happens in most clients.

This change covers generic buffered and unbuffered filters as used
in the scgi and uwsgi modules.  Appropriate input filter init
handlers are provided by the scgi and uwsgi modules to set corresponding
lengths.

Note that for responses to HEAD requests there is an exception:
we do allow any response length.  This is because responses to HEAD
requests might be actual full responses, and it is up to nginx
to remove the response body.  If caching is enabled, only full
responses matching the Content-Length header will be cached
(see b779728b180c).
Proxy: style. 2020-07-06T15:36:21+00:00 Maxim Dounin mdounin@mdounin.ru 2020-07-06T15:36:21+00:00 7f2490c43cec0367c94e9e0a3881f4e5e32063de 






Proxy: detection of data after final chunk.
2020-07-06T15:36:20+00:00

Maxim Dounin
mdounin@mdounin.ru

2020-07-06T15:36:20+00:00

156e193408f8c1847f911b8758aa315d71c52211

Previously, additional data after final chunk was either ignored
(in the same buffer, or during unbuffered proxying) or sent to the
client (in the next buffer already if it was already read from the
socket).  Now additional data are properly detected and ignored
in all cases.  Additionally, a warning is now logged and keepalive
is disabled in the connection.





Previously, additional data after final chunk was either ignored
(in the same buffer, or during unbuffered proxying) or sent to the
client (in the next buffer already if it was already read from the
socket).  Now additional data are properly detected and ignored
in all cases.  Additionally, a warning is now logged and keepalive
is disabled in the connection.







Proxy: drop extra data sent by upstream.
2020-07-06T15:36:19+00:00

Maxim Dounin
mdounin@mdounin.ru

2020-07-06T15:36:19+00:00

a2abe31a85c030d14aabcbe1f13ef6cc538e86fa

Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Fix is to
drop extra data instead, as it naturally happens in most clients.





Previous behaviour was to pass everything to the client, but this
seems to be suboptimal and causes issues (ticket #1695).  Fix is to
drop extra data instead, as it naturally happens in most clients.







Memcached: protect from too long responses.
2020-07-06T15:36:17+00:00

Maxim Dounin
mdounin@mdounin.ru

2020-07-06T15:36:17+00:00

b835b571846abb13b995498e7ee36fe0f4aaa3bf

If a memcached response was followed by a correct trailer, and then
the NUL character followed by some extra data - this was accepted by
the trailer checking code.  This in turn resulted in ctx->rest underflow
and caused negative size buffer on the next reading from the upstream,
followed by the "negative size buf in writer" alert.

Fix is to always check for too long responses, so a correct trailer cannot
be followed by extra data.





If a memcached response was followed by a correct trailer, and then
the NUL character followed by some extra data - this was accepted by
the trailer checking code.  This in turn resulted in ctx->rest underflow
and caused negative size buffer on the next reading from the upstream,
followed by the "negative size buf in writer" alert.

Fix is to always check for too long responses, so a correct trailer cannot
be followed by extra data.







Correctly flush request body to uwsgi with SSL.
2020-06-15T21:35:26+00:00

Quantum
quantum2048@gmail.com

2020-06-15T21:35:26+00:00

2afc050bd0e59d1ae5391c962e4c6c83120e8ebf

The flush flag was not set when forwarding the request body to the uwsgi
server. When using uwsgi_pass suwsgi://..., this causes the uwsgi server
to wait indefinitely for the request body and eventually time out due to
SSL buffering.

This is essentially the same change as 4009:3183165283cc, which was made
to ngx_http_proxy_module.c.

This will fix the uwsgi bug https://github.com/unbit/uwsgi/issues/1490.





The flush flag was not set when forwarding the request body to the uwsgi
server. When using uwsgi_pass suwsgi://..., this causes the uwsgi server
to wait indefinitely for the request body and eventually time out due to
SSL buffering.

This is essentially the same change as 4009:3183165283cc, which was made
to ngx_http_proxy_module.c.

This will fix the uwsgi bug https://github.com/unbit/uwsgi/issues/1490.







OCSP: certificate status cache.
2020-05-22T14:25:27+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T14:25:27+00:00

5727f9a1e0cca082eb1f3e599e0453a7a9cfe319

When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.





When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.







SSL: client certificate validation with OCSP (ticket #1534).
2020-05-22T14:30:12+00:00

Roman Arutyunyan
arut@nginx.com

2020-05-22T14:30:12+00:00

60438ae395d83b0f8b21bf667a1e260d60c3f46a

OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.





OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.