nginx.git/src/http/modules, branch release-1.20.1 nginx Changed keepalive_requests default to 1000 (ticket #2155). 2021-04-07T21:16:30+00:00 Maxim Dounin mdounin@mdounin.ru 2021-04-07T21:16:30+00:00 eb52de83114e8d98722cd17ec8435c47956b6315 It turns out no browsers implement HTTP/2 GOAWAY handling properly, and large enough number of resources on a page results in failures to load some resources. In particular, Chrome seems to experience errors if loading of all resources requires more than 1 connection (while it is usually able to retry requests at least once, even with 2 connections there are occasional failures for some reason), Safari if loading requires more than 3 connections, and Firefox if loading requires more than 10 connections (can be configured with network.http.request.max-attempts, defaults to 10). It does not seem to be possible to resolve this on nginx side, even strict limiting of maximum concurrency does not help, and loading issues seems to be triggered by merely queueing of a request for a particular connection. The only available mitigation seems to use higher keepalive_requests value. The new default is 1000 and matches previously used default for http2_max_requests. It is expected to be enough for 99.98% of the pages (https://httparchive.org/reports/state-of-the-web?start=latest#reqTotal) even in Chrome. 
It turns out no browsers implement HTTP/2 GOAWAY handling properly, and
large enough number of resources on a page results in failures to load
some resources.  In particular, Chrome seems to experience errors if
loading of all resources requires more than 1 connection (while it
is usually able to retry requests at least once, even with 2 connections
there are occasional failures for some reason), Safari if loading requires
more than 3 connections, and Firefox if loading requires more than 10
connections (can be configured with network.http.request.max-attempts,
defaults to 10).

It does not seem to be possible to resolve this on nginx side, even strict
limiting of maximum concurrency does not help, and loading issues seems to
be triggered by merely queueing of a request for a particular connection.
The only available mitigation seems to use higher keepalive_requests value.

The new default is 1000 and matches previously used default for
http2_max_requests.  It is expected to be enough for 99.98% of the pages
(https://httparchive.org/reports/state-of-the-web?start=latest#reqTotal)
even in Chrome.
Introduced the "keepalive_time" directive. 2021-04-07T21:15:48+00:00 Maxim Dounin mdounin@mdounin.ru 2021-04-07T21:15:48+00:00 d9996d6f27150bfb9c9c00d77fac940712aa1d28 Similar to lingering_time, it limits total connection lifetime before keepalive is switched off. The default is 1 hour, which is close to the total maximum connection lifetime possible with default keepalive_requests and keepalive_timeout. 
Similar to lingering_time, it limits total connection lifetime before
keepalive is switched off.  The default is 1 hour, which is close to
the total maximum connection lifetime possible with default
keepalive_requests and keepalive_timeout.
Gzip: updated handling of zlib variant from Intel. 2021-04-05T01:07:17+00:00 Maxim Dounin mdounin@mdounin.ru 2021-04-05T01:07:17+00:00 4af67214ad3d7f0f525bea777d5a43aa7a702ecf In current versions (all versions based on zlib 1.2.11, at least since 2018) it no longer uses 64K hash and does not force window bits to 13 if it is less than 13. That is, it needs just 16 bytes more memory than normal zlib, so these bytes are simply added to the normal size calculation. 
In current versions (all versions based on zlib 1.2.11, at least
since 2018) it no longer uses 64K hash and does not force window
bits to 13 if it is less than 13.  That is, it needs just 16 bytes
more memory than normal zlib, so these bytes are simply added to
the normal size calculation.
Gzip: support for zlib-ng. 2021-04-05T01:06:58+00:00 Maxim Dounin mdounin@mdounin.ru 2021-04-05T01:06:58+00:00 e3797a66a3d8213b5c34cafca5a8882b152fc2c2 






Fixed handling of already closed connections.
2021-03-28T14:45:39+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-03-28T14:45:39+00:00

179c79ce8afd459acffa50e6dabc60b0b7d9a014

In limit_req, auth_delay, and upstream code to check for broken
connections, tests for possible connection close by the client
did not work if the connection was already closed when relevant
event handler was set.  This happened because there were no additional
events in case of edge-triggered event methods, and read events
were disabled in case of level-triggered ones.

Fix is to explicitly post a read event if the c->read->ready flag
is set.





In limit_req, auth_delay, and upstream code to check for broken
connections, tests for possible connection close by the client
did not work if the connection was already closed when relevant
event handler was set.  This happened because there were no additional
events in case of edge-triggered event methods, and read events
were disabled in case of level-triggered ones.

Fix is to explicitly post a read event if the c->read->ready flag
is set.







gRPC: fixed handling of padding on DATA frames.
2021-03-23T13:52:23+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-03-23T13:52:23+00:00

11477fb633ddaf299f9be01f43aac322056d98dc

The response size check introduced in 39501ce97e29 did not take into
account possible padding on DATA frames, resulting in incorrect
"upstream sent response body larger than indicated content length" errors
if upstream server used padding in responses with known length.

Fix is to check the actual size of response buffers produced by the code,
similarly to how it is done in other protocols, instead of checking
the size of DATA frames.

Reported at:
http://mailman.nginx.org/pipermail/nginx-devel/2021-March/013907.html





The response size check introduced in 39501ce97e29 did not take into
account possible padding on DATA frames, resulting in incorrect
"upstream sent response body larger than indicated content length" errors
if upstream server used padding in responses with known length.

Fix is to check the actual size of response buffers produced by the code,
similarly to how it is done in other protocols, instead of checking
the size of DATA frames.

Reported at:
http://mailman.nginx.org/pipermail/nginx-devel/2021-March/013907.html







SSL: fixed build by Sun C with old OpenSSL versions.
2021-03-05T14:16:13+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-03-05T14:16:13+00:00

797ac536fe2cc0a311a72ddb861784f320991beb

Sun C complains about "statement not reached" if a "return" is followed
by additional statements.





Sun C complains about "statement not reached" if a "return" is followed
by additional statements.







Proxy: variables support in "proxy_cookie_flags" flags.
2021-03-01T21:58:24+00:00

Ruslan Ermilov
ru@nginx.com

2021-03-01T21:58:24+00:00

a38a8438b8116d4f3674ea8a0cb194a8fb3f5622












Removed incorrect optimization of HEAD requests.
2021-01-19T17:21:12+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-01-19T17:21:12+00:00

d2c0b9a6c7b0757d5d55db36b1ae656bba056a8c

The stub status module and ngx_http_send_response() (used by the empty gif
module and the "return" directive) incorrectly assumed that responding
to HEAD requests always results in r->header_only being set.  This is not
true, and results in incorrect behaviour, for example, in the following
configuration:

   location / {
       image_filter size;
       return 200 test;
   }

Fix is to remove this incorrect micro-optimization from both stub status
module and ngx_http_send_response().

Reported by Chris Newton.





The stub status module and ngx_http_send_response() (used by the empty gif
module and the "return" directive) incorrectly assumed that responding
to HEAD requests always results in r->header_only being set.  This is not
true, and results in incorrect behaviour, for example, in the following
configuration:

   location / {
       image_filter size;
       return 200 test;
   }

Fix is to remove this incorrect micro-optimization from both stub status
module and ngx_http_send_response().

Reported by Chris Newton.







Upstream: fixed zero size buf alerts on extra data (ticket #2117).
2021-01-12T13:59:31+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-01-12T13:59:31+00:00

e1ca9851220bb6d5f8e6b967635078f35a423c7c

After 7675:9afa45068b8f and 7678:bffcc5af1d72 (1.19.1), during non-buffered
simple proxying, responses with extra data might result in zero size buffers
being generated and "zero size buf" alerts in writer.  This bug is similar
to the one with FastCGI proxying fixed in 7689:da8d758aabeb.

In non-buffered mode, normally the filter function is not called if
u->length is already 0, since u->length is checked after each call of
the filter function.  There is a case when this can happen though: if
the response length is 0, and there are pre-read response body data left
after reading response headers.  As such, a check for u->length is needed
at the start of non-buffered filter functions, similar to the one
for p->length present in buffered filter functions.

Appropriate checks added to the existing non-buffered copy filters
in the upstream (used by scgi and uwsgi proxying) and proxy modules.





After 7675:9afa45068b8f and 7678:bffcc5af1d72 (1.19.1), during non-buffered
simple proxying, responses with extra data might result in zero size buffers
being generated and "zero size buf" alerts in writer.  This bug is similar
to the one with FastCGI proxying fixed in 7689:da8d758aabeb.

In non-buffered mode, normally the filter function is not called if
u->length is already 0, since u->length is checked after each call of
the filter function.  There is a case when this can happen though: if
the response length is 0, and there are pre-read response body data left
after reading response headers.  As such, a check for u->length is needed
at the start of non-buffered filter functions, similar to the one
for p->length present in buffered filter functions.

Appropriate checks added to the existing non-buffered copy filters
in the upstream (used by scgi and uwsgi proxying) and proxy modules.