nginx.git/src/http/modules, branch release-1.21.2 nginx SSL: ciphers now set before loading certificates (ticket #2035). 2021-08-16T19:40:31+00:00 Maxim Dounin mdounin@mdounin.ru 2021-08-16T19:40:31+00:00 ce5996cdd1b2e150f645efbc337e5a681dbe241c To load old/weak server or client certificates it might be needed to adjust the security level, as introduced in OpenSSL 1.1.0. This change ensures that ciphers are set before loading the certificates, so security level changes via the cipher string apply to certificate loading. 
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0.  This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
Improved logging of invalid headers. 2021-06-28T15:01:20+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:20+00:00 7587778a33bea0ce6f203a8c4de18e33f38b9582 In 71edd9192f24 logging of invalid headers which were rejected with the NGX_HTTP_PARSE_INVALID_HEADER error was restricted to just the "client sent invalid header line" message, without any attempts to log the header itself. This patch returns logging of the header up to the invalid character and the character itself. The r->header_end pointer is now properly set in all cases to make logging possible. The same logging is also introduced when parsing headers from upstream servers. 
In 71edd9192f24 logging of invalid headers which were rejected with the
NGX_HTTP_PARSE_INVALID_HEADER error was restricted to just the "client
sent invalid header line" message, without any attempts to log the header
itself.

This patch returns logging of the header up to the invalid character and
the character itself.  The r->header_end pointer is now properly set
in all cases to make logging possible.

The same logging is also introduced when parsing headers from upstream
servers.
Disabled control characters and space in header names. 2021-06-28T15:01:18+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:18+00:00 9ab4d368af63e9c4a0bebc0eda82d668adaa560a Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in header names. The only somewhat valid use is header continuation which nginx never supported and which is explicitly obsolete by RFC 7230. Previously, such headers were considered invalid and were ignored by default (as per ignore_invalid_headers directive). With this change, such headers are unconditionally rejected. It is expected to make nginx more resilient to various attacks, in particular, with ignore_invalid_headers switched off (which is inherently unsecure, though nevertheless sometimes used in the wild). 
Control characters (0x00-0x1f, 0x7f), space, and colon were never allowed in
header names.  The only somewhat valid use is header continuation which nginx
never supported and which is explicitly obsolete by RFC 7230.

Previously, such headers were considered invalid and were ignored by default
(as per ignore_invalid_headers directive).  With this change, such headers
are unconditionally rejected.

It is expected to make nginx more resilient to various attacks, in particular,
with ignore_invalid_headers switched off (which is inherently unsecure, though
nevertheless sometimes used in the wild).
Disabled spaces in URIs (ticket #196). 2021-06-28T15:01:13+00:00 Maxim Dounin mdounin@mdounin.ru 2021-06-28T15:01:13+00:00 05395f4889cf0b66e8d049921ad19f1a08319150 From now on, requests with spaces in URIs are immediately rejected rather than allowed. Spaces were allowed in 31e9677b15a1 (0.8.41) to handle bad clients. It is believed that now this behaviour causes more harm than good. 
From now on, requests with spaces in URIs are immediately rejected rather
than allowed.  Spaces were allowed in 31e9677b15a1 (0.8.41) to handle bad
clients.  It is believed that now this behaviour causes more harm than
good.
gRPC: RST_STREAM(NO_ERROR) handling micro-optimization. 2021-06-17T08:44:06+00:00 Sergey Kandaurov pluknet@nginx.com 2021-06-17T08:44:06+00:00 693e4134a51b4fd30689ad1e31e6fdffe5ee1429 After 2096b21fcd10, a single RST_STREAM(NO_ERROR) may not result in an error. This change removes several unnecessary ctx->type checks for such a case. 
After 2096b21fcd10, a single RST_STREAM(NO_ERROR) may not result in an error.
This change removes several unnecessary ctx->type checks for such a case.
gRPC: handling GOAWAY with a higher last stream identifier. 2021-06-17T08:43:55+00:00 Sergey Kandaurov pluknet@nginx.com 2021-06-17T08:43:55+00:00 dcdf7ec096f0998e689b7f0b0f7541e197eeff6a Previously, once received from upstream, it couldn't limit opening additional streams in a cached keepalive connection. 
Previously, once received from upstream, it couldn't limit
opening additional streams in a cached keepalive connection.
Location header escaping in redirects (ticket #882). 2021-05-24T18:55:20+00:00 Ruslan Ermilov ru@nginx.com 2021-05-24T18:55:20+00:00 41a241b3ef74dbbe3d82ab2ebbe682919e4a0b90 The header is escaped in redirects based on request URI or location name (auto redirect). 
The header is escaped in redirects based on request URI or
location name (auto redirect).
Upstream: variables support in certificates. 2021-05-05T23:22:09+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-05T23:22:09+00:00 c7de65228f798c3c5391370fcd2d10032aa6eaf8 






Auth basic: changed alcf->user_file to be a pointer.
2021-05-05T23:22:07+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-05T23:22:07+00:00

a6bce8c2274c971d4d61b78e002857d1ec69a901

This saves some memory in typical case when auth_basic_user_file is not
explicitly set, and unifies the code with alcf->realm.





This saves some memory in typical case when auth_basic_user_file is not
explicitly set, and unifies the code with alcf->realm.







Changed complex value slots to use NGX_CONF_UNSET_PTR.
2021-05-05T23:22:03+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-05T23:22:03+00:00

4faa84085379346fa1cf322907a1f9b6a7fbd583

With this change, it is now possible to use ngx_conf_merge_ptr_value()
to merge complex values.  This change follows much earlier changes in
ngx_conf_merge_ptr_value() and ngx_conf_set_str_array_slot()
in 1452:cd586e963db0 (0.6.10) and 1701:40d004d95d88 (0.6.22), and the
change in ngx_conf_set_keyval_slot() (7728:485dba3e2a01, 1.19.4).

To preserve compatibility with existing 3rd party modules, both NULL
and NGX_CONF_UNSET_PTR are accepted for now.





With this change, it is now possible to use ngx_conf_merge_ptr_value()
to merge complex values.  This change follows much earlier changes in
ngx_conf_merge_ptr_value() and ngx_conf_set_str_array_slot()
in 1452:cd586e963db0 (0.6.10) and 1701:40d004d95d88 (0.6.22), and the
change in ngx_conf_set_keyval_slot() (7728:485dba3e2a01, 1.19.4).

To preserve compatibility with existing 3rd party modules, both NULL
and NGX_CONF_UNSET_PTR are accepted for now.