nginx.git/src/http/modules, branch release-1.21.6 nginx Moved Huffman coding out of HTTP/2. 2021-12-21T04:54:16+00:00 Ruslan Ermilov ru@nginx.com 2021-12-21T04:54:16+00:00 363505e806feebb7ceb1f9edb0e3f75c1253384f ngx_http_v2_huff_decode.c and ngx_http_v2_huff_encode.c are renamed to ngx_http_huff_decode.c and ngx_http_huff_encode.c. 
ngx_http_v2_huff_decode.c and ngx_http_v2_huff_encode.c are renamed
to ngx_http_huff_decode.c and ngx_http_huff_encode.c.
SSL: $ssl_curve (ticket #2135). 2021-11-01T15:09:34+00:00 Sergey Kandaurov pluknet@nginx.com 2021-11-01T15:09:34+00:00 5c3249964403356601e64ab701f2e563a1f98630 The variable contains a negotiated curve used for the handshake key exchange process. Known curves are listed by their names, unknown ones are shown in hex. Note that for resumed sessions in TLSv1.2 and older protocols, $ssl_curve contains the curve used during the initial handshake, while in TLSv1.3 it contains the curve used during the session resumption (see the SSL_get_negotiated_group manual page for details). The variable is only meaningful when using OpenSSL 3.0 and above. With older versions the variable is empty. 
The variable contains a negotiated curve used for the handshake key
exchange process.  Known curves are listed by their names, unknown
ones are shown in hex.

Note that for resumed sessions in TLSv1.2 and older protocols,
$ssl_curve contains the curve used during the initial handshake,
while in TLSv1.3 it contains the curve used during the session
resumption (see the SSL_get_negotiated_group manual page for
details).

The variable is only meaningful when using OpenSSL 3.0 and above.
With older versions the variable is empty.
Mp4: mp4_start_key_frame directive. 2021-10-28T11:14:25+00:00 Roman Arutyunyan arut@nginx.com 2021-10-28T11:14:25+00:00 7927071ee26ff6313301b744a90240dccbc836db The directive enables including all frames from start time to the most recent key frame in the result. Those frames are removed from presentation timeline using mp4 edit lists. Edit lists are currently supported by popular players and browsers such as Chrome, Safari, QuickTime and ffmpeg. Among those not supporting them properly is Firefox[1]. Based on a patch by Tracey Jaquith, Internet Archive. [1] https://bugzilla.mozilla.org/show_bug.cgi?id=1735300 
The directive enables including all frames from start time to the most recent
key frame in the result.  Those frames are removed from presentation timeline
using mp4 edit lists.

Edit lists are currently supported by popular players and browsers such as
Chrome, Safari, QuickTime and ffmpeg.  Among those not supporting them properly
is Firefox[1].

Based on a patch by Tracey Jaquith, Internet Archive.

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=1735300
Mp4: added ngx_http_mp4_update_mdhd_atom() function. 2021-10-28T10:11:31+00:00 Roman Arutyunyan arut@nginx.com 2021-10-28T10:11:31+00:00 27cdfe30f7505361c31e4d3b2d0d21adaae803c4 The function updates the duration field of mdhd atom. Previously it was updated in ngx_http_mp4_read_mdhd_atom(). The change makes it possible to alter track duration as a result of processing track frames. 
The function updates the duration field of mdhd atom.  Previously it was
updated in ngx_http_mp4_read_mdhd_atom().  The change makes it possible to
alter track duration as a result of processing track frames.
HTTP: connections with wrong ALPN protocols are now rejected. 2021-10-20T06:50:02+00:00 Vladimir Homutov vl@nginx.com 2021-10-20T06:50:02+00:00 ebb6f7d6563f51ae8325e3c0f10e9c5a91004fda This is a recommended behavior by RFC 7301 and is useful for mitigation of protocol confusion attacks [1]. To avoid possible negative effects, list of supported protocols was extended to include all possible HTTP protocol ALPN IDs registered by IANA [2], i.e. "http/1.0" and "http/0.9". [1] https://alpaca-attack.com/ [2] https://www.iana.org/assignments/tls-extensiontype-values/ 
This is a recommended behavior by RFC 7301 and is useful
for mitigation of protocol confusion attacks [1].

To avoid possible negative effects, list of supported protocols
was extended to include all possible HTTP protocol ALPN IDs
registered by IANA [2], i.e. "http/1.0" and "http/0.9".

[1] https://alpaca-attack.com/
[2] https://www.iana.org/assignments/tls-extensiontype-values/
SSL: added $ssl_alpn_protocol variable. 2021-10-14T08:46:23+00:00 Vladimir Homutov vl@nginx.com 2021-10-14T08:46:23+00:00 a9f4f25b72c39653795dfb4b1f13b55625fb9fbc The variable contains protocol selected by ALPN during handshake and is empty otherwise. 
The variable contains protocol selected by ALPN during handshake and
is empty otherwise.
HTTP/2: removed support for NPN. 2021-10-15T07:02:15+00:00 Vladimir Homutov vl@nginx.com 2021-10-15T07:02:15+00:00 1db517fb71aed6d6fffc8347086f89eb29b83dea NPN was replaced with ALPN, published as RFC 7301 in July 2014. It used to negotiate SPDY (and, in transition, HTTP/2). NPN supported appeared in OpenSSL 1.0.1. It does not work with TLSv1.3 [1]. ALPN is supported since OpenSSL 1.0.2. The NPN support was dropped in Firefox 53 [2] and Chrome 51 [3]. [1] https://github.com/openssl/openssl/issues/3665. [2] https://bugzilla.mozilla.org/show_bug.cgi?id=1248198 [3] https://www.chromestatus.com/feature/5767920709795840 
NPN was replaced with ALPN, published as RFC 7301 in July 2014.
It used to negotiate SPDY (and, in transition, HTTP/2).

NPN supported appeared in OpenSSL 1.0.1. It does not work with TLSv1.3 [1].
ALPN is supported since OpenSSL 1.0.2.

The NPN support was dropped in Firefox 53 [2] and Chrome 51 [3].

[1] https://github.com/openssl/openssl/issues/3665.
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=1248198
[3] https://www.chromestatus.com/feature/5767920709795840
Upstream: fixed logging level of upstream invalid header errors. 2021-10-18T13:46:59+00:00 Maxim Dounin mdounin@mdounin.ru 2021-10-18T13:46:59+00:00 dde319ee0c9de26a6f104feb062cfffaa32c16c0 In b87b7092cedb (nginx 1.21.1), logging level of "upstream sent invalid header" errors was accidentally changed to "info". This change restores the "error" level, which is a proper logging level for upstream-side errors. 
In b87b7092cedb (nginx 1.21.1), logging level of "upstream sent invalid
header" errors was accidentally changed to "info".  This change restores
the "error" level, which is a proper logging level for upstream-side
errors.
Proxy: disabled keepalive on extra data in non-buffered mode. 2021-10-08T02:23:11+00:00 Awdhesh Mathpal mathpal@amazon.com 2021-10-08T02:23:11+00:00 2a88047ac1a88fbe6038a822e0f1b67af847c998 The u->keepalive flag is initialized early if the response has no body (or an empty body), and needs to be reset if there are any extra data, similarly to how it is done in ngx_http_proxy_copy_filter(). Missed in 83c4622053b0. 
The u->keepalive flag is initialized early if the response has no body
(or an empty body), and needs to be reset if there are any extra data,
similarly to how it is done in ngx_http_proxy_copy_filter().  Missed
in 83c4622053b0.
SSL: ciphers now set before loading certificates (ticket #2035). 2021-08-16T19:40:31+00:00 Maxim Dounin mdounin@mdounin.ru 2021-08-16T19:40:31+00:00 ce5996cdd1b2e150f645efbc337e5a681dbe241c To load old/weak server or client certificates it might be needed to adjust the security level, as introduced in OpenSSL 1.1.0. This change ensures that ciphers are set before loading the certificates, so security level changes via the cipher string apply to certificate loading. 
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0.  This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.