nginx.git/src/http, branch release-1.15.2

Fixed invalid access to location defined as an empty string.

2018-07-17T12:30:43+00:00

SSL: save sessions for upstream peers using a callback function.

2018-07-17T09:53:23+00:00

In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.

SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.

2018-07-16T14:47:20+00:00

In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
conditional compilation test on it results in SSL_clear_options()
and SSL_CTX_clear_options() not being used.  Notably, this caused
"ssl_prefer_server_ciphers off" to not work in SNI-based virtual
servers if server preference was switched on in the default server.

It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
explicitly.

Events: moved sockets cloning to ngx_event_init_conf().

2018-07-12T16:50:02+00:00

Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.

Allow resetting connections closed by "return 444" (ticket #905).

2018-07-12T09:50:20+00:00

If reset_timedout_connection is on, TCP connections closed by
"return 444" will be reset instead of a normal close.

Upstream: fixed tcp_nopush with gRPC.

2018-07-02T16:03:04+00:00

With gRPC it is possible that a request sending is blocked due to flow
control.  Moreover, further sending might be only allowed once the
backend sees all the data we've already sent.  With such a backend
it is required to clear the TCP_NOPUSH socket option to make sure all
the data we've sent are actually delivered to the backend.

As such, we now clear TCP_NOPUSH in ngx_http_upstream_send_request()
also on NGX_AGAIN if c->write->ready is set.  This fixes a test (which
waits for all the 64k bytes as per initial window before allowing more
bytes) with sendfile enabled when the body was written to a file
in a different context.

Upstream: fixed unexpected tcp_nopush usage on peer connections.

2018-07-02T16:02:31+00:00

Now tcp_nopush on peer connections is disabled if it is disabled on
the client connection, similar to how we handle c->sendfile.  Previously,
tcp_nopush was always used on upstream connections, regardless of
the "tcp_nopush" directive.

gRPC: clearing buffers in ngx_http_grpc_get_buf().

2018-07-02T16:02:08+00:00

We copy input buffers to our buffers, so various flags might be
unexpectedly set in buffers returned by ngx_chain_get_free_buf().

In particular, the b->in_file flag might be set when the body was
written to a file in a different context.  With sendfile enabled this
in turn might result in protocol corruption if such a buffer was reused
for a control frame.

Make sure to clear buffers and set only fields we really need to be set.

Upstream: ngx_http_upstream_random module.

2018-06-15T08:46:14+00:00

The module implements random load-balancing algorithm with optional second
choice.  In the latter case, the best of two servers is chosen, accounting
number of connections and server weight.

Example:

upstream u {
    random [two [least_conn]];

    server 127.0.0.1:8080;
    server 127.0.0.1:8081;
    server 127.0.0.1:8082;
    server 127.0.0.1:8083;
}

Upstream: improved peer selection concurrency for hash and ip_hash.

2018-06-14T04:03:50+00:00