nginx.git/src/http, branch release-1.19.4 nginx SSL: ssl_reject_handshake directive (ticket #195). 2020-10-22T15:02:28+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-22T15:02:28+00:00 9cdb278454367448366354f2786b36c1fef1f92e In some cases it might be needed to reject SSL handshake based on SNI server name provided, for example, to make sure an invalid certificate is not returned to clients trying to contact a name-based virtual server without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for this. This workaround, however, is not compatible with TLSv1.3, in particular, when using BoringSSL, where it is not possible to configure TLSv1.3 ciphers at all. With this change, the ssl_reject_handshake directive is introduced, which instructs nginx to reject SSL handshakes with an "unrecognized_name" alert in a particular server block. For example, to reject handshake with names other than example.com, one can use the following configuration: server { listen 443 ssl; ssl_reject_handshake on; } server { listen 443 ssl; server_name example.com; ssl_certificate example.com.crt; ssl_certificate_key example.com.key; } The following configuration can be used to reject all SSL handshakes without SNI server name provided: server { listen 443 ssl; ssl_reject_handshake on; } server { listen 443 ssl; server_name ~^; ssl_certificate example.crt; ssl_certificate_key example.key; } Additionally, the ssl_reject_handshake directive makes configuring certificates for the default server block optional. If no certificates are configured in the default server for a given listening socket, certificates must be defined in all non-default server blocks with the listening socket in question. 
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured.  Previously, a "ssl_ciphers aNULL;" was used for
this.  This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.

With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.

For example, to reject handshake with names other than example.com,
one can use the following configuration:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;
    }

The following configuration can be used to reject all SSL handshakes
without SNI server name provided:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name ~^;
        ssl_certificate example.crt;
        ssl_certificate_key example.key;
    }

Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional.  If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
Upstream: proxy_ssl_conf_command and friends. 2020-10-22T15:00:23+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-22T15:00:23+00:00 9a72ac799c69e98d792da6f1c29efdf508512ca3 Similarly to ssl_conf_command, proxy_ssl_conf_command (grpc_ssl_conf_command, uwsgi_ssl_conf_command) can be used to set arbitrary OpenSSL configuration parameters as long as nginx is compiled with OpenSSL 1.0.2 or later, when connecting to upstream servers with SSL. Full list of available configuration commands can be found in the SSL_CONF_cmd manual page (https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html). 
Similarly to ssl_conf_command, proxy_ssl_conf_command (grpc_ssl_conf_command,
uwsgi_ssl_conf_command) can be used to set arbitrary OpenSSL configuration
parameters as long as nginx is compiled with OpenSSL 1.0.2 or later,
when connecting to upstream servers with SSL.  Full list of available
configuration commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).
SSL: ssl_conf_command directive. 2020-10-22T15:00:22+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-22T15:00:22+00:00 ac9c1622822260f81edcf582887a5f0271c2c4c6 With the ssl_conf_command directive it is now possible to set arbitrary OpenSSL configuration parameters as long as nginx is compiled with OpenSSL 1.0.2 or later. Full list of available configuration commands can be found in the SSL_CONF_cmd manual page (https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html). In particular, this allows configuring PrioritizeChaCha option (ticket #1445): ssl_conf_command Options PrioritizeChaCha; It can be also used to configure TLSv1.3 ciphers in OpenSSL, which fails to configure them via the SSL_CTX_set_cipher_list() interface (ticket #1529): ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; Configuration commands are applied after nginx own configuration for SSL, so they can be used to override anything set by nginx. Note though that configuring OpenSSL directly with ssl_conf_command might result in a behaviour nginx does not expect, and should be done with care. 
With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later.  Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):

    ssl_conf_command Options PrioritizeChaCha;

It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):

    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;

Configuration commands are applied after nginx own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.
Core: ngx_conf_set_keyval_slot() now accepts NGX_CONF_UNSET_PTR. 2020-10-22T15:00:20+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-22T15:00:20+00:00 af05f05f91ef0295d875871d4ab3c1a1226ad108 With this change, it is now possible to use ngx_conf_merge_ptr_value() to merge keyval arrays. This change actually follows much earlier changes in ngx_conf_merge_ptr_value() and ngx_conf_set_str_array_slot() in 1452:cd586e963db0 (0.6.10) and 1701:40d004d95d88 (0.6.22). To preserve compatibility with existing 3rd party modules, both NULL and NGX_CONF_UNSET_PTR are accepted for now. 
With this change, it is now possible to use ngx_conf_merge_ptr_value()
to merge keyval arrays.  This change actually follows much earlier
changes in ngx_conf_merge_ptr_value() and ngx_conf_set_str_array_slot()
in 1452:cd586e963db0 (0.6.10) and 1701:40d004d95d88 (0.6.22).

To preserve compatibility with existing 3rd party modules, both NULL
and NGX_CONF_UNSET_PTR are accepted for now.
Limit req: unlocking of nodes on complex value errors. 2020-10-08T14:44:34+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-08T14:44:34+00:00 9381ecb1854cca89a936ffbaeb82f40ec13d7f41 Previously, if there were multiple limits configured, errors in ngx_http_complex_value() during processing of a non-first limit resulted in reference count leak in shared memory nodes of already processed limits. Fix is to explicity unlock relevant nodes, much like we do when rejecting requests. 
Previously, if there were multiple limits configured, errors in
ngx_http_complex_value() during processing of a non-first limit
resulted in reference count leak in shared memory nodes of already
processed limits.  Fix is to explicity unlock relevant nodes, much
like we do when rejecting requests.
Proxy: error checking for array init, missed in 7716:d6a5e14aa3e4. 2020-09-29T12:54:09+00:00 Maxim Dounin mdounin@mdounin.ru 2020-09-29T12:54:09+00:00 e64f7fe7c903e6994defb21db0b9667dbec7c20d Found by Coverity (CID 1467637). 
Found by Coverity (CID 1467637).
Userid: userid_flags fixup. 2020-09-29T12:52:18+00:00 Maxim Dounin mdounin@mdounin.ru 2020-09-29T12:52:18+00:00 718d589091a1c653595f9b210bba132c43dd2c75 In 7717:e3e8b8234f05, the 1st bit was incorrectly used. It shouldn't be used for bitmask values, as it is used by NGX_CONF_BITMASK_SET. Additionally, special value "off" added to make it possible to clear inherited userid_flags value. 
In 7717:e3e8b8234f05, the 1st bit was incorrectly used.  It shouldn't
be used for bitmask values, as it is used by NGX_CONF_BITMASK_SET.

Additionally, special value "off" added to make it possible to clear
inherited userid_flags value.
Userid: userid_flags directive to set cookie flags. 2020-09-28T14:07:48+00:00 Maxim Dounin mdounin@mdounin.ru 2020-09-28T14:07:48+00:00 c511f3de3eb34641d85005b48683e4fc88f92ec5 






Proxy: added the "proxy_cookie_flags" directive.
2020-09-27T20:21:11+00:00

Ruslan Ermilov
ru@nginx.com

2020-09-27T20:21:11+00:00

21b903f8e31f722c104d425ce01c22614761fdd2












Proxy: changed interface of some internal functions.
2020-09-27T20:21:10+00:00

Ruslan Ermilov
ru@nginx.com

2020-09-27T20:21:10+00:00

8b3f778cbc33aabd410381ce4a8bbfd193b23372

This is in preparation for the next change.

Also, moved optimization from ngx_http_proxy_rewrite_regex_handler()
to ngx_http_proxy_rewrite().





This is in preparation for the next change.

Also, moved optimization from ngx_http_proxy_rewrite_regex_handler()
to ngx_http_proxy_rewrite().