nginx.git/src/http, branch release-1.17.0 nginx SSL: removed OpenSSL 0.9.7 compatibility. 2016-04-11T12:46:36+00:00 Sergey Kandaurov pluknet@nginx.com 2016-04-11T12:46:36+00:00 c17bc31d41a0372002115899a2c64e89aeca7e7d 






Range filter: fixed duplicate last buffers.
2019-05-13T19:44:49+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-05-13T19:44:49+00:00

2015a548214b08be1a556f8b8c447dcb61356448

In ngx_http_range_singlepart_body() special buffers where passed
unmodified, including ones after the end of the range.  As such,
if the last buffer of a response was sent separately as a special
buffer, two buffers with b->last_buf set were present in the response.

In particular, this might result in a duplicate final chunk when using
chunked transfer encoding (normally range filter and chunked transfer
encoding are not used together, but this may happen if there are trailers
in the response).  This also likely to cause problems in HTTP/2.

Fix is to skip all special buffers after we've sent the last part of
the range requested.  These special buffers are not meaningful anyway,
since we set b->last_buf in the buffer with the last part of the range,
and everything is expected to be flushed due to it.

Additionally, ngx_http_next_body_filter() is now called even
if no buffers are to be passed to it.  This ensures that various
write events are properly propagated through the filter chain.  In
particular, this fixes test failures observed with the above change
and aio enabled.





In ngx_http_range_singlepart_body() special buffers where passed
unmodified, including ones after the end of the range.  As such,
if the last buffer of a response was sent separately as a special
buffer, two buffers with b->last_buf set were present in the response.

In particular, this might result in a duplicate final chunk when using
chunked transfer encoding (normally range filter and chunked transfer
encoding are not used together, but this may happen if there are trailers
in the response).  This also likely to cause problems in HTTP/2.

Fix is to skip all special buffers after we've sent the last part of
the range requested.  These special buffers are not meaningful anyway,
since we set b->last_buf in the buffer with the last part of the range,
and everything is expected to be flushed due to it.

Additionally, ngx_http_next_body_filter() is now called even
if no buffers are to be passed to it.  This ensures that various
write events are properly propagated through the filter chain.  In
particular, this fixes test failures observed with the above change
and aio enabled.







Range filter: fixed loss of incoming chain links.
2019-05-13T19:44:02+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-05-13T19:44:02+00:00

ce0f35317e16c85c1ccae8f3a0a1d6f2426b2e78

Filters are not allowed to change incoming chain links, and should allocate
their own links if any modifications are needed.  Nevertheless
ngx_http_range_singlepart_body() modified incoming chain links in some
cases, notably at the end of the requested range.

No problems caused by this are currently known, mostly because of
limited number of possible modifications and the position of the range
body filter in the filter chain.  Though this behaviour is clearly incorrect
and tests demonstrate that it can at least cause some proxy buffers being
lost when using proxy_force_ranges, leading to less effective handling
of responses.

Fix is to always allocate new chain links in ngx_http_range_singlepart_body().
Links are explicitly freed to ensure constant memory usage with long-lived
requests.





Filters are not allowed to change incoming chain links, and should allocate
their own links if any modifications are needed.  Nevertheless
ngx_http_range_singlepart_body() modified incoming chain links in some
cases, notably at the end of the requested range.

No problems caused by this are currently known, mostly because of
limited number of possible modifications and the position of the range
body filter in the filter chain.  Though this behaviour is clearly incorrect
and tests demonstrate that it can at least cause some proxy buffers being
lost when using proxy_force_ranges, leading to less effective handling
of responses.

Fix is to always allocate new chain links in ngx_http_range_singlepart_body().
Links are explicitly freed to ensure constant memory usage with long-lived
requests.







Variables support in limit_rate and limit_rate_after (ticket #293).
2019-04-24T13:38:54+00:00

Ruslan Ermilov
ru@nginx.com

2019-04-24T13:38:54+00:00

0e2653877eaa60d3cbc0c8fffd72434871670543












Added ngx_http_set_complex_value_size_slot().
2019-04-24T13:38:51+00:00

Ruslan Ermilov
ru@nginx.com

2019-04-24T13:38:51+00:00

2ace7fc3e683fcfa44ff9c355face60983db7eae

If a complex value is expected to be of type size_t, and the compiled
value is constant, the constant size_t value is remembered at compile
time.

The value is accessed through ngx_http_complex_value_size() which
either returns the remembered constant or evaluates the expression
and parses it as size_t.





If a complex value is expected to be of type size_t, and the compiled
value is constant, the constant size_t value is remembered at compile
time.

The value is accessed through ngx_http_complex_value_size() which
either returns the remembered constant or evaluates the expression
and parses it as size_t.







Multiple addresses in "listen".
2019-03-15T12:45:56+00:00

Roman Arutyunyan
arut@nginx.com

2019-03-15T12:45:56+00:00

4e17b93eb6787e99a4023f20f8c391284f86bbf3

Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.





Previously only one address was used by the listen directive handler even if
host name resolved to multiple addresses.  Now a separate listening socket is
created for each address.







SSL: moved c->ssl->handshaked check in server name callback.
2019-03-05T13:34:19+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-05T13:34:19+00:00

0ad4393e30c119d250415cb769e3d8bc8dce5186

Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello.  As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.





Server name callback is always called by OpenSSL, even
if server_name extension is not present in ClientHello.  As such,
checking c->ssl->handshaked before the SSL_get_servername() result
should help to more effectively prevent renegotiation in
OpenSSL 1.1.0 - 1.1.0g, where neither SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS
nor SSL_OP_NO_RENEGOTIATION is available.







SSL: fixed potential leak on memory allocation errors.
2019-03-03T13:48:39+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-03T13:48:39+00:00

fe43346dc3151e80dae0acd751f0a94314dcb91c

If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.





If ngx_pool_cleanup_add() fails, we have to clean just created SSL context
manually, thus appropriate call added.

Additionally, ngx_pool_cleanup_add() moved closer to ngx_ssl_create() in
the ngx_http_ssl_module, to make sure there are no leaks due to intermediate
code.







SSL: server name callback changed to return fatal errors.
2019-03-03T13:48:06+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-03T13:48:06+00:00

99d7bb690924e60e9e03096ac5e507111f7c182d

Notably this affects various allocation errors, and should generally
improve things if an allocation error actually happens during a callback.

Depending on the OpenSSL version, returning an error can result in
either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from
SSL_do_handshake(), so both errors were switched to the "info" level.





Notably this affects various allocation errors, and should generally
improve things if an allocation error actually happens during a callback.

Depending on the OpenSSL version, returning an error can result in
either SSL_R_CALLBACK_FAILED or SSL_R_CLIENTHELLO_TLSEXT error from
SSL_do_handshake(), so both errors were switched to the "info" level.







SSL: server name callback changed to return SSL_TLSEXT_ERR_OK.
2019-03-03T13:47:44+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-03-03T13:47:44+00:00

fd97b2a80f678b9bf372d9a6537e5d4db51188ae

OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.

Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.

To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.





OpenSSL 1.1.1 does not save server name to the session if server name
callback returns anything but SSL_TLSEXT_ERR_OK, thus breaking
the $ssl_server_name variable in resumed sessions.

Since $ssl_server_name can be used even if we've selected the default
server and there are no other servers, it looks like the only viable
solution is to always return SSL_TLSEXT_ERR_OK regardless of the actual
result.

To fix things in the stream module as well, added a dummy server name
callback which always returns SSL_TLSEXT_ERR_OK.