nginx.git/src/http, branch release-1.21.0 nginx Location header escaping in redirects (ticket #882). 2021-05-24T18:55:20+00:00 Ruslan Ermilov ru@nginx.com 2021-05-24T18:55:20+00:00 41a241b3ef74dbbe3d82ab2ebbe682919e4a0b90 The header is escaped in redirects based on request URI or location name (auto redirect). 
The header is escaped in redirects based on request URI or
location name (auto redirect).
Fixed log action when using SSL certificates with variables. 2021-05-24T15:23:42+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-24T15:23:42+00:00 52d0ec7d1799cc67452c32052e96b8cdace0c7b7 When variables are used in ssl_certificate or ssl_certificate_key, a request is created in the certificate callback to evaluate the variables, and then freed. Freeing it, however, updates c->log->action to "closing request", resulting in confusing error messages like "client timed out ... while closing request" when a client times out during the SSL handshake. Fix is to restore c->log->action after calling ngx_http_free_request(). 
When variables are used in ssl_certificate or ssl_certificate_key, a request
is created in the certificate callback to evaluate the variables, and then
freed.  Freeing it, however, updates c->log->action to "closing request",
resulting in confusing error messages like "client timed out ... while
closing request" when a client times out during the SSL handshake.

Fix is to restore c->log->action after calling ngx_http_free_request().
Upstream: variables support in certificates. 2021-05-05T23:22:09+00:00 Maxim Dounin mdounin@mdounin.ru 2021-05-05T23:22:09+00:00 c7de65228f798c3c5391370fcd2d10032aa6eaf8 






Auth basic: changed alcf->user_file to be a pointer.
2021-05-05T23:22:07+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-05T23:22:07+00:00

a6bce8c2274c971d4d61b78e002857d1ec69a901

This saves some memory in typical case when auth_basic_user_file is not
explicitly set, and unifies the code with alcf->realm.





This saves some memory in typical case when auth_basic_user_file is not
explicitly set, and unifies the code with alcf->realm.







Changed complex value slots to use NGX_CONF_UNSET_PTR.
2021-05-05T23:22:03+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-05-05T23:22:03+00:00

4faa84085379346fa1cf322907a1f9b6a7fbd583

With this change, it is now possible to use ngx_conf_merge_ptr_value()
to merge complex values.  This change follows much earlier changes in
ngx_conf_merge_ptr_value() and ngx_conf_set_str_array_slot()
in 1452:cd586e963db0 (0.6.10) and 1701:40d004d95d88 (0.6.22), and the
change in ngx_conf_set_keyval_slot() (7728:485dba3e2a01, 1.19.4).

To preserve compatibility with existing 3rd party modules, both NULL
and NGX_CONF_UNSET_PTR are accepted for now.





With this change, it is now possible to use ngx_conf_merge_ptr_value()
to merge complex values.  This change follows much earlier changes in
ngx_conf_merge_ptr_value() and ngx_conf_set_str_array_slot()
in 1452:cd586e963db0 (0.6.10) and 1701:40d004d95d88 (0.6.22), and the
change in ngx_conf_set_keyval_slot() (7728:485dba3e2a01, 1.19.4).

To preserve compatibility with existing 3rd party modules, both NULL
and NGX_CONF_UNSET_PTR are accepted for now.







Changed keepalive_requests default to 1000 (ticket #2155).
2021-04-07T21:16:30+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-04-07T21:16:30+00:00

eb52de83114e8d98722cd17ec8435c47956b6315

It turns out no browsers implement HTTP/2 GOAWAY handling properly, and
large enough number of resources on a page results in failures to load
some resources.  In particular, Chrome seems to experience errors if
loading of all resources requires more than 1 connection (while it
is usually able to retry requests at least once, even with 2 connections
there are occasional failures for some reason), Safari if loading requires
more than 3 connections, and Firefox if loading requires more than 10
connections (can be configured with network.http.request.max-attempts,
defaults to 10).

It does not seem to be possible to resolve this on nginx side, even strict
limiting of maximum concurrency does not help, and loading issues seems to
be triggered by merely queueing of a request for a particular connection.
The only available mitigation seems to use higher keepalive_requests value.

The new default is 1000 and matches previously used default for
http2_max_requests.  It is expected to be enough for 99.98% of the pages
(https://httparchive.org/reports/state-of-the-web?start=latest#reqTotal)
even in Chrome.





It turns out no browsers implement HTTP/2 GOAWAY handling properly, and
large enough number of resources on a page results in failures to load
some resources.  In particular, Chrome seems to experience errors if
loading of all resources requires more than 1 connection (while it
is usually able to retry requests at least once, even with 2 connections
there are occasional failures for some reason), Safari if loading requires
more than 3 connections, and Firefox if loading requires more than 10
connections (can be configured with network.http.request.max-attempts,
defaults to 10).

It does not seem to be possible to resolve this on nginx side, even strict
limiting of maximum concurrency does not help, and loading issues seems to
be triggered by merely queueing of a request for a particular connection.
The only available mitigation seems to use higher keepalive_requests value.

The new default is 1000 and matches previously used default for
http2_max_requests.  It is expected to be enough for 99.98% of the pages
(https://httparchive.org/reports/state-of-the-web?start=latest#reqTotal)
even in Chrome.







Added $connection_time variable.
2021-04-07T21:16:17+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-04-07T21:16:17+00:00

497acbd0ed4b3f289bde11de207efb0abd1f6fa6












Introduced the "keepalive_time" directive.
2021-04-07T21:15:48+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-04-07T21:15:48+00:00

d9996d6f27150bfb9c9c00d77fac940712aa1d28

Similar to lingering_time, it limits total connection lifetime before
keepalive is switched off.  The default is 1 hour, which is close to
the total maximum connection lifetime possible with default
keepalive_requests and keepalive_timeout.





Similar to lingering_time, it limits total connection lifetime before
keepalive is switched off.  The default is 1 hour, which is close to
the total maximum connection lifetime possible with default
keepalive_requests and keepalive_timeout.







HTTP/2: relaxed PRIORITY frames limit.
2021-04-06T23:03:29+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-04-06T23:03:29+00:00

5599731c00bd152f765c7cea24a7d257bf13320c

Firefox uses several idle streams for PRIORITY frames[1], and
"http2_max_concurrent_streams 1;" results in "client sent too many
PRIORITY frames" errors when a connection is established by Firefox.

Fix is to relax the PRIORITY frames limit to use at least 100 as
the initial value (which is the recommended by the HTTP/2 protocol
minimum limit on the number of concurrent streams, so it is not
unreasonable for clients to assume that similar number of idle streams
can be used for prioritization).

[1] https://hg.mozilla.org/mozilla-central/file/32a9e6e145d6e3071c3993a20bb603a2f388722b/netwerk/protocol/http/Http2Stream.cpp#l1270





Firefox uses several idle streams for PRIORITY frames[1], and
"http2_max_concurrent_streams 1;" results in "client sent too many
PRIORITY frames" errors when a connection is established by Firefox.

Fix is to relax the PRIORITY frames limit to use at least 100 as
the initial value (which is the recommended by the HTTP/2 protocol
minimum limit on the number of concurrent streams, so it is not
unreasonable for clients to assume that similar number of idle streams
can be used for prioritization).

[1] https://hg.mozilla.org/mozilla-central/file/32a9e6e145d6e3071c3993a20bb603a2f388722b/netwerk/protocol/http/Http2Stream.cpp#l1270







Gzip: updated handling of zlib variant from Intel.
2021-04-05T01:07:17+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-04-05T01:07:17+00:00

4af67214ad3d7f0f525bea777d5a43aa7a702ecf

In current versions (all versions based on zlib 1.2.11, at least
since 2018) it no longer uses 64K hash and does not force window
bits to 13 if it is less than 13.  That is, it needs just 16 bytes
more memory than normal zlib, so these bytes are simply added to
the normal size calculation.





In current versions (all versions based on zlib 1.2.11, at least
since 2018) it no longer uses 64K hash and does not force window
bits to 13 if it is less than 13.  That is, it needs just 16 bytes
more memory than normal zlib, so these bytes are simply added to
the normal size calculation.