nginx.git/src/http/modules, branch release-1.29.3 nginx Fixed compilation warnings on Windows after c93a0c48af87. 2025-10-28T08:11:21+00:00 Roman Arutyunyan arut@nginx.com 2025-10-27T17:16:49+00:00 f04e2b7f6e96a0587f091229272a5f060dbf32c0 






OCSP: fixed invalid type for the 'ssl_ocsp' directive.
2025-10-27T11:05:36+00:00

Roman Semenov
r.semenov@f5.com

2025-10-22T18:24:27+00:00

ce30a1cb0ddce88027e760dc91145af6c6e8eef1












Headers filter: inheritance control for add_header and add_trailer.
2025-10-25T15:46:20+00:00

Roman Arutyunyan
arut@nginx.com

2025-07-14T17:44:05+00:00

c93a0c48af87bbae1568eaf110e207e435bbe0bd

The new directives add_header_inherit and add_trailer_inherit allow
to alter inheritance rules for the values specified in the add_header
and add_trailer directives in a convenient way.

The "merge" parameter enables appending the values from the previous level
to the current level values.

The "off" parameter cancels inheritance of the values from the previous
configuration level, similar to add_header "" (2194e75bb).

The "on" parameter (default) enables the standard inheritance behaviour,
which is to inherit values from the previous level only if there are no
directives on the current level.

The inheritance rules themselves are inherited in a standard way.  Thus,
for example, "add_header_inherit merge;" specified at the top level will
be inherited in all nested levels recursively unless redefined below.





The new directives add_header_inherit and add_trailer_inherit allow
to alter inheritance rules for the values specified in the add_header
and add_trailer directives in a convenient way.

The "merge" parameter enables appending the values from the previous level
to the current level values.

The "off" parameter cancels inheritance of the values from the previous
configuration level, similar to add_header "" (2194e75bb).

The "on" parameter (default) enables the standard inheritance behaviour,
which is to inherit values from the previous level only if there are no
directives on the current level.

The inheritance rules themselves are inherited in a standard way.  Thus,
for example, "add_header_inherit merge;" specified at the top level will
be inherited in all nested levels recursively unless redefined below.







Geo: the "volatile" parameter.
2025-10-24T22:06:54+00:00

Dmitry Plotnikov
d.plotnikov@f5.com

2025-10-21T19:48:36+00:00

ac72ca60c773a9ab6f3c6344ac1f2c03ca2b3201

Similar to map's volatile parameter, creates a non-cacheable geo variable.





Similar to map's volatile parameter, creates a non-cacheable geo variable.







SSL: $ssl_sigalg, $ssl_client_sigalg.
2025-10-24T14:22:32+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-10-17T16:38:17+00:00

71f8eb52b7746d6d8ddeb6efab5fc115c187be31

Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.





Variables contain the IANA name of the signature scheme[1] used to sign
the TLS handshake.

Variables are only meaningful when using OpenSSL 3.5 and above, with older
versions they are empty.  Moreover, since this data isn't stored in a
serialized session, variables are only available for new sessions.

[1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml

Requested by willmafh.







CONNECT method support for HTTP/1.1.
2025-10-23T14:40:05+00:00

Roman Arutyunyan
arut@nginx.com

2025-09-23T11:03:52+00:00

42ca3a4576a32d0a912b0bba4088b8169f55ab2d

The change allows modules to use the CONNECT method with HTTP/1.1 requests.
To do so, they need to set the "allow_connect" flag in the core server
configuration.





The change allows modules to use the CONNECT method with HTTP/1.1 requests.
To do so, they need to set the "allow_connect" flag in the core server
configuration.







SSL: disabled using certificate compression with OCSP stapling.
2025-10-08T15:56:41+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-10-02T11:22:24+00:00

25b03d650087b4d653f99a7ce65582ab565c5a44

OCSP response in TLSv1.3 is sent in the Certificate message.  This
is incompatible with pre-compression of the configured certificates.





OCSP response in TLSv1.3 is sent in the Certificate message.  This
is incompatible with pre-compression of the configured certificates.







SNI: using the ClientHello callback.
2025-09-25T15:25:08+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-01-27T20:53:15+00:00

0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2

The change introduces an SNI based virtual server selection during
early ClientHello processing.  The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.

Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension.  Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour.  The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.

In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.

To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.

Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.





The change introduces an SNI based virtual server selection during
early ClientHello processing.  The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.

Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension.  Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour.  The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.

In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.

To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.

Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.







Fixed inaccurate index directive error report.
2025-09-18T14:16:22+00:00

willmafh
willmafh@hotmail.com

2025-09-08T14:03:30+00:00

bc71625dcca1f1cbd0db7450af853feb90ebba85












Auth basic: fixed file descriptor leak on memory allocation error.
2025-08-11T16:57:47+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-08-08T15:44:27+00:00

034f15bbc251ed72018d8396e7eeb3bf30fd789b

Found by Coverity (CID 1662016).





Found by Coverity (CID 1662016).