nginx.git/src/http, branch release-1.19.5 nginx gRPC: RST_STREAM(NO_ERROR) handling after "trailer only" responses. 2020-11-19T02:41:16+00:00 Pavel Pautov p.pautov@f5.com 2020-11-19T02:41:16+00:00 671cbc18409ec726a540b5cfc0f88bbdc5dba2f1 Similarly to the problem fixed in 2096b21fcd10 (ticket #1792), when a "trailer only" gRPC response (that is, a response with the END_STREAM flag in the HEADERS frame) was immediately followed by RST_STREAM(NO_ERROR) in the data preread along with the response header, RST_STREAM wasn't properly skipped and caused "upstream rejected request with error 0" errors. Observed with "unknown service" gRPC errors returned by grpc-go. Fix is to set ctx->done if we are going to parse additional data, so the RST_STREAM(NO_ERROR) is properly skipped. Additionally, now ngx_http_grpc_filter() will complain about frames sent for closed stream if there are any. 
Similarly to the problem fixed in 2096b21fcd10 (ticket #1792),
when a "trailer only" gRPC response (that is, a response with the
END_STREAM flag in the HEADERS frame) was immediately followed by
RST_STREAM(NO_ERROR) in the data preread along with the response
header, RST_STREAM wasn't properly skipped and caused "upstream
rejected request with error 0" errors.
Observed with "unknown service" gRPC errors returned by grpc-go.

Fix is to set ctx->done if we are going to parse additional data,
so the RST_STREAM(NO_ERROR) is properly skipped.  Additionally, now
ngx_http_grpc_filter() will complain about frames sent for closed
stream if there are any.
Request body: removed error assumption (ticket #2058). 2020-11-09T19:41:54+00:00 Maxim Dounin mdounin@mdounin.ru 2020-11-09T19:41:54+00:00 a3b5ccd0566e618635303309dd8592aa4cfd7eaf Before introduction of request body filter in 42d9beeb22db, the only possible return code from the ngx_http_request_body_filter() call without actual buffers was NGX_HTTP_INTERNAL_SERVER_ERROR, and the code in ngx_http_read_client_request_body() hardcoded the only possible error to simplify the code of initial call to set rb->rest. This is no longer true after introduction of request body filters though, as a request body filter might need to return other errors, such as 403. Fix is to preserve the error code actually returned by the call instead of assuming 500. 
Before introduction of request body filter in 42d9beeb22db, the only
possible return code from the ngx_http_request_body_filter() call
without actual buffers was NGX_HTTP_INTERNAL_SERVER_ERROR, and
the code in ngx_http_read_client_request_body() hardcoded the only
possible error to simplify the code of initial call to set rb->rest.

This is no longer true after introduction of request body filters though,
as a request body filter might need to return other errors, such as 403.
Fix is to preserve the error code actually returned by the call
instead of assuming 500.
Request body: improved logging. 2020-11-09T19:40:53+00:00 Maxim Dounin mdounin@mdounin.ru 2020-11-09T19:40:53+00:00 8ed303c055ee003285231b6d781bfe2dd9c0d3d1 Added logging before returning NGX_HTTP_INTERNAL_SERVER_ERROR if there are busy buffers after a request body flush. This should never happen with current code, though bugs can be introduced by 3rd party modules. Make sure debugging will be easy enough. 
Added logging before returning NGX_HTTP_INTERNAL_SERVER_ERROR if there
are busy buffers after a request body flush.  This should never happen
with current code, though bugs can be introduced by 3rd party modules.
Make sure debugging will be easy enough.
SSL: fixed non-working SSL shutdown on lingering close. 2020-11-06T20:44:54+00:00 Ruslan Ermilov ru@nginx.com 2020-11-06T20:44:54+00:00 ad2b9944b012699c225d75e63aeadf61d9ce3367 When doing lingering close, the socket was first shut down for writing, so SSL shutdown initiated after lingering close was not able to send the close_notify alerts (ticket #2056). The fix is to call ngx_ssl_shutdown() before shutting down the socket. 
When doing lingering close, the socket was first shut down for writing,
so SSL shutdown initiated after lingering close was not able to send
the close_notify alerts (ticket #2056).

The fix is to call ngx_ssl_shutdown() before shutting down the socket.
Removed dead code from ngx_http_set_keepalive(). 2020-11-06T20:44:47+00:00 Ruslan Ermilov ru@nginx.com 2020-11-06T20:44:47+00:00 aad0d1bf1cab58a1b1e1499485e63b7a15ab183c The code removed became dead after 98f03cd8d6cc (0.8.14), circa when the request reference counting was introduced. 
The code removed became dead after 98f03cd8d6cc (0.8.14),
circa when the request reference counting was introduced.
Core: added format specifiers to output binary data as hex. 2020-10-28T07:56:11+00:00 Vladimir Homutov vl@nginx.com 2020-10-28T07:56:11+00:00 3c0427373381097a9e25ccc2cb46bbc1ccac87a2 Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase) or "X" (uppercase) to output corresponding data in hexadecimal format. In collaboration with Maxim Dounin. 
Now "s", "V", and "v" format specifiers may be prefixed with "x" (lowercase)
or "X" (uppercase) to output corresponding data in hexadecimal format.

In collaboration with Maxim Dounin.
SSL: ssl_reject_handshake directive (ticket #195). 2020-10-22T15:02:28+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-22T15:02:28+00:00 9cdb278454367448366354f2786b36c1fef1f92e In some cases it might be needed to reject SSL handshake based on SNI server name provided, for example, to make sure an invalid certificate is not returned to clients trying to contact a name-based virtual server without SSL configured. Previously, a "ssl_ciphers aNULL;" was used for this. This workaround, however, is not compatible with TLSv1.3, in particular, when using BoringSSL, where it is not possible to configure TLSv1.3 ciphers at all. With this change, the ssl_reject_handshake directive is introduced, which instructs nginx to reject SSL handshakes with an "unrecognized_name" alert in a particular server block. For example, to reject handshake with names other than example.com, one can use the following configuration: server { listen 443 ssl; ssl_reject_handshake on; } server { listen 443 ssl; server_name example.com; ssl_certificate example.com.crt; ssl_certificate_key example.com.key; } The following configuration can be used to reject all SSL handshakes without SNI server name provided: server { listen 443 ssl; ssl_reject_handshake on; } server { listen 443 ssl; server_name ~^; ssl_certificate example.crt; ssl_certificate_key example.key; } Additionally, the ssl_reject_handshake directive makes configuring certificates for the default server block optional. If no certificates are configured in the default server for a given listening socket, certificates must be defined in all non-default server blocks with the listening socket in question. 
In some cases it might be needed to reject SSL handshake based on SNI
server name provided, for example, to make sure an invalid certificate
is not returned to clients trying to contact a name-based virtual server
without SSL configured.  Previously, a "ssl_ciphers aNULL;" was used for
this.  This workaround, however, is not compatible with TLSv1.3, in
particular, when using BoringSSL, where it is not possible to configure
TLSv1.3 ciphers at all.

With this change, the ssl_reject_handshake directive is introduced,
which instructs nginx to reject SSL handshakes with an "unrecognized_name"
alert in a particular server block.

For example, to reject handshake with names other than example.com,
one can use the following configuration:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name example.com;
        ssl_certificate example.com.crt;
        ssl_certificate_key example.com.key;
    }

The following configuration can be used to reject all SSL handshakes
without SNI server name provided:

    server {
        listen 443 ssl;
        ssl_reject_handshake on;
    }

    server {
        listen 443 ssl;
        server_name ~^;
        ssl_certificate example.crt;
        ssl_certificate_key example.key;
    }

Additionally, the ssl_reject_handshake directive makes configuring
certificates for the default server block optional.  If no certificates
are configured in the default server for a given listening socket,
certificates must be defined in all non-default server blocks with
the listening socket in question.
Upstream: proxy_ssl_conf_command and friends. 2020-10-22T15:00:23+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-22T15:00:23+00:00 9a72ac799c69e98d792da6f1c29efdf508512ca3 Similarly to ssl_conf_command, proxy_ssl_conf_command (grpc_ssl_conf_command, uwsgi_ssl_conf_command) can be used to set arbitrary OpenSSL configuration parameters as long as nginx is compiled with OpenSSL 1.0.2 or later, when connecting to upstream servers with SSL. Full list of available configuration commands can be found in the SSL_CONF_cmd manual page (https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html). 
Similarly to ssl_conf_command, proxy_ssl_conf_command (grpc_ssl_conf_command,
uwsgi_ssl_conf_command) can be used to set arbitrary OpenSSL configuration
parameters as long as nginx is compiled with OpenSSL 1.0.2 or later,
when connecting to upstream servers with SSL.  Full list of available
configuration commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).
SSL: ssl_conf_command directive. 2020-10-22T15:00:22+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-22T15:00:22+00:00 ac9c1622822260f81edcf582887a5f0271c2c4c6 With the ssl_conf_command directive it is now possible to set arbitrary OpenSSL configuration parameters as long as nginx is compiled with OpenSSL 1.0.2 or later. Full list of available configuration commands can be found in the SSL_CONF_cmd manual page (https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html). In particular, this allows configuring PrioritizeChaCha option (ticket #1445): ssl_conf_command Options PrioritizeChaCha; It can be also used to configure TLSv1.3 ciphers in OpenSSL, which fails to configure them via the SSL_CTX_set_cipher_list() interface (ticket #1529): ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256; Configuration commands are applied after nginx own configuration for SSL, so they can be used to override anything set by nginx. Note though that configuring OpenSSL directly with ssl_conf_command might result in a behaviour nginx does not expect, and should be done with care. 
With the ssl_conf_command directive it is now possible to set
arbitrary OpenSSL configuration parameters as long as nginx is compiled
with OpenSSL 1.0.2 or later.  Full list of available configuration
commands can be found in the SSL_CONF_cmd manual page
(https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html).

In particular, this allows configuring PrioritizeChaCha option
(ticket #1445):

    ssl_conf_command Options PrioritizeChaCha;

It can be also used to configure TLSv1.3 ciphers in OpenSSL,
which fails to configure them via the SSL_CTX_set_cipher_list()
interface (ticket #1529):

    ssl_conf_command Ciphersuites TLS_CHACHA20_POLY1305_SHA256;

Configuration commands are applied after nginx own configuration
for SSL, so they can be used to override anything set by nginx.
Note though that configuring OpenSSL directly with ssl_conf_command
might result in a behaviour nginx does not expect, and should be
done with care.
Core: ngx_conf_set_keyval_slot() now accepts NGX_CONF_UNSET_PTR. 2020-10-22T15:00:20+00:00 Maxim Dounin mdounin@mdounin.ru 2020-10-22T15:00:20+00:00 af05f05f91ef0295d875871d4ab3c1a1226ad108 With this change, it is now possible to use ngx_conf_merge_ptr_value() to merge keyval arrays. This change actually follows much earlier changes in ngx_conf_merge_ptr_value() and ngx_conf_set_str_array_slot() in 1452:cd586e963db0 (0.6.10) and 1701:40d004d95d88 (0.6.22). To preserve compatibility with existing 3rd party modules, both NULL and NGX_CONF_UNSET_PTR are accepted for now. 
With this change, it is now possible to use ngx_conf_merge_ptr_value()
to merge keyval arrays.  This change actually follows much earlier
changes in ngx_conf_merge_ptr_value() and ngx_conf_set_str_array_slot()
in 1452:cd586e963db0 (0.6.10) and 1701:40d004d95d88 (0.6.22).

To preserve compatibility with existing 3rd party modules, both NULL
and NGX_CONF_UNSET_PTR are accepted for now.