nginx.git/src/http, branch release-1.17.4 nginx HTTP/2: fixed worker_shutdown_timeout. 2019-09-23T12:45:36+00:00 Ruslan Ermilov ru@nginx.com 2019-09-23T12:45:36+00:00 6052881a987fc5cd39c8666a9b39ddfeadc895ee 






HTTP/2: fixed possible alert about left open socket on shutdown.
2019-09-23T12:45:32+00:00

Ruslan Ermilov
ru@nginx.com

2019-09-23T12:45:32+00:00

f878492af35224a4ade84f6f6c15aca2892d3821

This could happen when graceful shutdown configured by worker_shutdown_timeout
times out and is then followed by another timeout such as proxy_read_timeout.
In this case, the HEADERS frame is added to the output queue, but attempt to
send it fails (due to c->error forcibly set during graceful shutdown timeout).
This triggers request finalization which attempts to close the stream.  But the
stream cannot be closed because there is a frame in the output queue, and the
connection cannot be finalized.  This leaves the connection open without any
timer events leading to alert.

The fix is to post write event when sending output queue fails on c->error.
That will finalize the connection.





This could happen when graceful shutdown configured by worker_shutdown_timeout
times out and is then followed by another timeout such as proxy_read_timeout.
In this case, the HEADERS frame is added to the output queue, but attempt to
send it fails (due to c->error forcibly set during graceful shutdown timeout).
This triggers request finalization which attempts to close the stream.  But the
stream cannot be closed because there is a frame in the output queue, and the
connection cannot be finalized.  This leaves the connection open without any
timer events leading to alert.

The fix is to post write event when sending output queue fails on c->error.
That will finalize the connection.







HTTP/2: traffic-based flood detection.
2019-09-18T17:28:12+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-09-18T17:28:12+00:00

af0e284b967d0ecff1abcdce6558ed4635e3e757

With this patch, all traffic over an HTTP/2 connection is counted in
the h2c->total_bytes field, and payload traffic is counted in
the h2c->payload_bytes field.  As long as total traffic is many times
larger than payload traffic, we consider this to be a flood.





With this patch, all traffic over an HTTP/2 connection is counted in
the h2c->total_bytes field, and payload traffic is counted in
the h2c->payload_bytes field.  As long as total traffic is many times
larger than payload traffic, we consider this to be a flood.







HTTP/2: switched back to RST_STREAM with NO_ERROR.
2019-09-18T17:28:09+00:00

Maxim Dounin
mdounin@mdounin.ru

2019-09-18T17:28:09+00:00

4d4201fafd46bb97c29a9c86733331d8e7479f54

In 8df664ebe037, we've switched to maximizing stream window instead
of sending RST_STREAM.  Since then handling of RST_STREAM with NO_ERROR
was fixed at least in Chrome, hence we switch back to using RST_STREAM.

This allows more effective rejecting of large bodies, and also minimizes
non-payload traffic to be accounted in the next patch.





In 8df664ebe037, we've switched to maximizing stream window instead
of sending RST_STREAM.  Since then handling of RST_STREAM with NO_ERROR
was fixed at least in Chrome, hence we switch back to using RST_STREAM.

This allows more effective rejecting of large bodies, and also minimizes
non-payload traffic to be accounted in the next patch.







SSL: fixed ssl_verify_client error message.
2019-09-16T16:26:42+00:00

Sergey Kandaurov
pluknet@nginx.com

2019-09-16T16:26:42+00:00

555dc61b543bb1fbc50f45b58a422f519d7065ce












HTTP/2: close connection on zero WINDOW_UPDATE.
2019-09-10T12:33:38+00:00

Ruslan Ermilov
ru@nginx.com

2019-09-10T12:33:38+00:00

c3f8098712d16e17a6577e203a8c0dc76331a1ee

Don't waste server resources by sending RST_STREAM frames.  Instead,
reject WINDOW_UPDATE frames with invalid zero increment by closing
connection with PROTOCOL_ERROR.





Don't waste server resources by sending RST_STREAM frames.  Instead,
reject WINDOW_UPDATE frames with invalid zero increment by closing
connection with PROTOCOL_ERROR.







HTTP/2: close connection on frames with self-dependency.
2019-09-10T12:33:37+00:00

Ruslan Ermilov
ru@nginx.com

2019-09-10T12:33:37+00:00

456e213904f36765fb638895a1530996cea28954

Don't waste server resources by sending RST_STREAM frames.  Instead,
reject HEADERS and PRIORITY frames with self-dependency by closing
connection with PROTOCOL_ERROR.





Don't waste server resources by sending RST_STREAM frames.  Instead,
reject HEADERS and PRIORITY frames with self-dependency by closing
connection with PROTOCOL_ERROR.







Fixed "return" with discarding invalid chunked body.
2019-09-04T10:33:51+00:00

Sergey Kandaurov
pluknet@nginx.com

2019-09-04T10:33:51+00:00

5a2ce3f4ee55eb8903aa9481deaaf402d5a2e805

When ngx_http_discard_request_body() call was added to ngx_http_send_response(),
there were no return codes other than NGX_OK and NGX_HTTP_INTERNAL_SERVER_ERROR.
Now it can also return NGX_HTTP_BAD_REQUEST, but ngx_http_send_response() still
incorrectly transforms it to NGX_HTTP_INTERNAL_SERVER_ERROR.

The fix is to propagate ngx_http_discard_request_body() errors.





When ngx_http_discard_request_body() call was added to ngx_http_send_response(),
there were no return codes other than NGX_OK and NGX_HTTP_INTERNAL_SERVER_ERROR.
Now it can also return NGX_HTTP_BAD_REQUEST, but ngx_http_send_response() still
incorrectly transforms it to NGX_HTTP_INTERNAL_SERVER_ERROR.

The fix is to propagate ngx_http_discard_request_body() errors.







Detect runaway chunks in ngx_http_parse_chunked().
2019-09-03T14:26:56+00:00

Sergey Kandaurov
pluknet@nginx.com

2019-09-03T14:26:56+00:00

77c01f10a1ab7796f57ef354fb1f078e09afe2c4

As defined in HTTP/1.1, body chunks have the following ABNF:

   chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF

where chunk-data is a sequence of chunk-size octets.

With this change, chunk-data that doesn't end up with CRLF at chunk-size
offset will be treated as invalid, such as in the example provided below:

4
SEE-THIS-AND-
4
THAT
0





As defined in HTTP/1.1, body chunks have the following ABNF:

   chunk = chunk-size [ chunk-ext ] CRLF chunk-data CRLF

where chunk-data is a sequence of chunk-size octets.

With this change, chunk-data that doesn't end up with CRLF at chunk-size
offset will be treated as invalid, such as in the example provided below:

4
SEE-THIS-AND-
4
THAT
0







HTTP/2: discard remaining request body after redirect.
2019-08-19T12:16:06+00:00

Sergey Kandaurov
pluknet@nginx.com

2019-08-19T12:16:06+00:00

9cb22efa3fe947f8474338b99d389a35da177bb9

Previously, if unbuffered request body reading wasn't finished before
the request was redirected to a different location using error_page
or X-Accel-Redirect, and the request body is read again, this could
lead to disastrous effects, such as a duplicate post_handler call or
"http request count is zero" alert followed by a segmentation fault.

This happened in the following configuration (ticket #1819):

    location / {
        proxy_request_buffering off;
        proxy_pass http://bad;
        proxy_intercept_errors on;
        error_page 502 = /error;
    }

    location /error {
        proxy_pass http://backend;
    }





Previously, if unbuffered request body reading wasn't finished before
the request was redirected to a different location using error_page
or X-Accel-Redirect, and the request body is read again, this could
lead to disastrous effects, such as a duplicate post_handler call or
"http request count is zero" alert followed by a segmentation fault.

This happened in the following configuration (ticket #1819):

    location / {
        proxy_request_buffering off;
        proxy_pass http://bad;
        proxy_intercept_errors on;
        error_page 502 = /error;
    }

    location /error {
        proxy_pass http://backend;
    }