nginx.git/src/http, branch release-1.19.0 nginx HTTP/2: invalid connection preface logging (ticket #1981). 2020-05-25T15:33:42+00:00 Maxim Dounin mdounin@mdounin.ru 2020-05-25T15:33:42+00:00 4056ce4f4ee4d80d41c56af8c1b4fd41b76144c8 Previously, invalid connection preface errors were only logged at debug level, providing no visible feedback, in particular, when a plain text HTTP/2 listening socket is erroneously used for HTTP/1.x connections. Now these are explicitly logged at the info level, much like other client-related errors. 
Previously, invalid connection preface errors were only logged at debug
level, providing no visible feedback, in particular, when a plain text
HTTP/2 listening socket is erroneously used for HTTP/1.x connections.
Now these are explicitly logged at the info level, much like other
client-related errors.
OCSP: certificate status cache. 2020-05-22T14:25:27+00:00 Roman Arutyunyan arut@nginx.com 2020-05-22T14:25:27+00:00 5727f9a1e0cca082eb1f3e599e0453a7a9cfe319 When enabled, certificate status is stored in cache and is used to validate the certificate in future requests. New directive ssl_ocsp_cache is added to configure the cache. 
When enabled, certificate status is stored in cache and is used to validate
the certificate in future requests.

New directive ssl_ocsp_cache is added to configure the cache.
SSL: client certificate validation with OCSP (ticket #1534). 2020-05-22T14:30:12+00:00 Roman Arutyunyan arut@nginx.com 2020-05-22T14:30:12+00:00 60438ae395d83b0f8b21bf667a1e260d60c3f46a OCSP validation for client certificates is enabled by the "ssl_ocsp" directive. OCSP responder can be optionally specified by "ssl_ocsp_responder". When session is reused, peer chain is not available for validation. If the verified chain contains certificates from the peer chain not available at the server, validation will fail. 
OCSP validation for client certificates is enabled by the "ssl_ocsp" directive.
OCSP responder can be optionally specified by "ssl_ocsp_responder".

When session is reused, peer chain is not available for validation.
If the verified chain contains certificates from the peer chain not available
at the server, validation will fail.
Upstream: jump out of loop after matching the status code. 2020-05-13T14:02:47+00:00 Jinhua Tan 312841925@qq.com 2020-05-13T14:02:47+00:00 b47c1f35e2e421bc0e5be67afb897276324c57a4 






Variables: fixed buffer over-read when evaluating "$arg_".
2020-05-08T16:19:16+00:00

Sergey Kandaurov
pluknet@nginx.com

2020-05-08T16:19:16+00:00

41ecd45a5bb78b2214c4515768a51aff0c57eead












gRPC: WINDOW_UPDATE after END_STREAM handling (ticket #1797).
2020-04-23T12:10:26+00:00

Ruslan Ermilov
ru@nginx.com

2020-04-23T12:10:26+00:00

ee9c61b89bcb891575c809e388affd2bb04e9e60

As per https://tools.ietf.org/html/rfc7540#section-6.9,
WINDOW_UPDATE received after a frame with the END_STREAM flag
should be handled and not treated as an error.





As per https://tools.ietf.org/html/rfc7540#section-6.9,
WINDOW_UPDATE received after a frame with the END_STREAM flag
should be handled and not treated as an error.







gRPC: RST_STREAM(NO_ERROR) handling (ticket #1792).
2020-04-23T12:10:24+00:00

Ruslan Ermilov
ru@nginx.com

2020-04-23T12:10:24+00:00

4c8abb84e399f964d6b70f24c6324f261fd4565a

As per https://tools.ietf.org/html/rfc7540#section-8.1,

: A server can send a complete response prior to the client
: sending an entire request if the response does not depend on
: any portion of the request that has not been sent and
: received.  When this is true, a server MAY request that the
: client abort transmission of a request without error by
: sending a RST_STREAM with an error code of NO_ERROR after
: sending a complete response (i.e., a frame with the
: END_STREAM flag).  Clients MUST NOT discard responses as a
: result of receiving such a RST_STREAM, though clients can
: always discard responses at their discretion for other
: reasons.

Previously, RST_STREAM(NO_ERROR) received from upstream after
a frame with the END_STREAM flag was incorrectly treated as an
error.  Now, a single RST_STREAM(NO_ERROR) is properly handled.

This fixes problems observed with modern grpc-c [1], as well
as with the Go gRPC module.

[1] https://github.com/grpc/grpc/pull/1661





As per https://tools.ietf.org/html/rfc7540#section-8.1,

: A server can send a complete response prior to the client
: sending an entire request if the response does not depend on
: any portion of the request that has not been sent and
: received.  When this is true, a server MAY request that the
: client abort transmission of a request without error by
: sending a RST_STREAM with an error code of NO_ERROR after
: sending a complete response (i.e., a frame with the
: END_STREAM flag).  Clients MUST NOT discard responses as a
: result of receiving such a RST_STREAM, though clients can
: always discard responses at their discretion for other
: reasons.

Previously, RST_STREAM(NO_ERROR) received from upstream after
a frame with the END_STREAM flag was incorrectly treated as an
error.  Now, a single RST_STREAM(NO_ERROR) is properly handled.

This fixes problems observed with modern grpc-c [1], as well
as with the Go gRPC module.

[1] https://github.com/grpc/grpc/pull/1661







The new auth_delay directive for delaying unauthorized requests.
2020-04-07T22:02:17+00:00

Ruslan Ermilov
ru@nginx.com

2020-04-07T22:02:17+00:00

b82c08f6102d65a5e5902e6fa85082e184a75003

The request processing is delayed by a timer.  Since nginx updates
internal time once at the start of each event loop iteration, this
normally ensures constant time delay, adding a mitigation from
time-based attacks.

A notable exception to this is the case when there are no additional
events before the timer expires.  To ensure constant-time processing
in this case as well, we trigger an additional event loop iteration
by posting a dummy event for the next event loop iteration.





The request processing is delayed by a timer.  Since nginx updates
internal time once at the start of each event loop iteration, this
normally ensures constant time delay, adding a mitigation from
time-based attacks.

A notable exception to this is the case when there are no additional
events before the timer expires.  To ensure constant-time processing
in this case as well, we trigger an additional event loop iteration
by posting a dummy event for the next event loop iteration.







Auth basic: explicitly zero out password buffer.
2020-03-12T23:12:10+00:00

Ruslan Ermilov
ru@nginx.com

2020-03-12T23:12:10+00:00

65ae8b315211988a821bdc32050768f41571ddae












Simplified subrequest finalization.
2020-02-28T16:54:13+00:00

Roman Arutyunyan
arut@nginx.com

2020-02-28T16:54:13+00:00

76ac67b36f2db9acb2aeb4672f0aeaa8008e7d93

Now it looks similar to what it was before background subrequests were
introduced in 9552758a786e.





Now it looks similar to what it was before background subrequests were
introduced in 9552758a786e.