nginx.git/src/http, branch release-1.29.2 nginx Upstream: overflow detection in Cache-Control delta-seconds. 2025-09-26T12:50:13+00:00 Sergey Kandaurov pluknet@nginx.com 2025-09-10T14:39:52+00:00 8255bd29ac9a7bcdc317a8889420554e00d435cb Overflowing calculations are now aligned to the greatest positive integer as specified in RFC 9111, Section 1.2.2. 
Overflowing calculations are now aligned to the greatest positive integer
as specified in RFC 9111, Section 1.2.2.
SNI: support for early ClientHello callback with BoringSSL. 2025-09-25T15:25:08+00:00 Sergey Kandaurov pluknet@nginx.com 2025-09-22T15:55:16+00:00 7f9ced0ce0d70ae60f46ef3ed759efa75e711db4 This brings feature parity with OpenSSL after the previous change, making it possible to set SSL protocols per virtual server. 
This brings feature parity with OpenSSL after the previous change,
making it possible to set SSL protocols per virtual server.
SNI: using the ClientHello callback. 2025-09-25T15:25:08+00:00 Sergey Kandaurov pluknet@nginx.com 2025-01-27T20:53:15+00:00 0373fe5d98c1515640e74fa6f4d32fac1f1d3ab2 The change introduces an SNI based virtual server selection during early ClientHello processing. The callback is available since OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour is kept. Using the ClientHello callback sets a reasonable processing order for the "server_name" TLS extension. Notably, session resumption decision now happens after applying server configuration chosen by SNI, useful with enabled verification of client certificates, which brings consistency with BoringSSL behaviour. The change supersedes and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions. In addition, since the callback is invoked prior to the protocol version negotiation, this makes it possible to set "ssl_protocols" on a per-virtual server basis. To keep the $ssl_server_name variable working with TLSv1.2 resumed sessions, as previously fixed in fd97b2a80, a limited server name callback is preserved in order to acknowledge the extension. Note that to allow third-party modules to properly chain the call to ngx_ssl_client_hello_callback(), the servername callback function is passed through exdata. 
The change introduces an SNI based virtual server selection during
early ClientHello processing.  The callback is available since
OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour
is kept.

Using the ClientHello callback sets a reasonable processing order
for the "server_name" TLS extension.  Notably, session resumption
decision now happens after applying server configuration chosen by
SNI, useful with enabled verification of client certificates, which
brings consistency with BoringSSL behaviour.  The change supersedes
and reverts a fix made in 46b9f5d38 for TLSv1.3 resumed sessions.

In addition, since the callback is invoked prior to the protocol
version negotiation, this makes it possible to set "ssl_protocols"
on a per-virtual server basis.

To keep the $ssl_server_name variable working with TLSv1.2 resumed
sessions, as previously fixed in fd97b2a80, a limited server name
callback is preserved in order to acknowledge the extension.

Note that to allow third-party modules to properly chain the call to
ngx_ssl_client_hello_callback(), the servername callback function is
passed through exdata.
Fixed inaccurate index directive error report. 2025-09-18T14:16:22+00:00 willmafh willmafh@hotmail.com 2025-09-08T14:03:30+00:00 bc71625dcca1f1cbd0db7450af853feb90ebba85 






Auth basic: fixed file descriptor leak on memory allocation error.
2025-08-11T16:57:47+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-08-08T15:44:27+00:00

034f15bbc251ed72018d8396e7eeb3bf30fd789b

Found by Coverity (CID 1662016).





Found by Coverity (CID 1662016).







SSL: support for compressed server certificates with OpenSSL.
2025-08-03T15:15:16+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-09T15:02:09+00:00

251444fcf4434bfddbe3394a568c51d4f7bd857f

The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.





The ssl_certificate_compression directive allows to send compressed
server certificates.  In OpenSSL, they are pre-compressed on startup.
To simplify configuration, the SSL_OP_NO_TX_CERTIFICATE_COMPRESSION
option is automatically cleared if certificates were pre-compressed.

SSL_CTX_compress_certs() may return an error in legitimate cases,
e.g., when none of compression algorithms is available or if the
resulting compressed size is larger than the original one, thus it
is silently ignored.

Certificate compression is supported in Chrome with brotli only,
in Safari with zlib only, and in Firefox with all listed algorithms.
It is supported since Ubuntu 24.10, which has OpenSSL with enabled
zlib and zstd support.

The actual list of algorithms supported in OpenSSL depends on how
the library was configured; it can be brotli, zlib, zstd as listed
in RFC 8879.







Updated ngx_http_process_multi_header_lines() comments.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-31T17:31:27+00:00

f4005126d78d19f1efd4f8fb4cad916d8976d97a

Missed in fcf4331a0.





Missed in fcf4331a0.







HTTP/3: improved invalid ":authority" error message.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-30T13:43:44+00:00

372659114ed9b7a406093890ec2bdf437925ce64












Made ngx_http_process_request_header() static again.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-23T11:56:37+00:00

4d857aaf435975d3c34e41d7a9cb50c0f87879ec

The function contains mostly HTTP/1.x specific request processing,
which has no use in other protocols.  After the previous change in
HTTP/2, it can now be hidden.

This is an API change.





The function contains mostly HTTP/1.x specific request processing,
which has no use in other protocols.  After the previous change in
HTTP/2, it can now be hidden.

This is an API change.







HTTP/2: fixed handling of the ":authority" header.
2025-08-03T06:07:07+00:00

Sergey Kandaurov
pluknet@nginx.com

2025-07-23T10:54:07+00:00

ede5623b1529131fcc3f994e6a6f0692954fa26b

Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".





Previously, it misused the Host header processing resulting in
400 (Bad Request) errors for a valid request that contains both
":authority" and Host headers with the same value, treating it
after 37984f0be as if client sent more than one Host header.
Such an overly strict handling violates RFC 9113.

The fix is to process ":authority" as a distinct header, similarly
to processing an authority component in the HTTP/1.x request line.
This allows to disambiguate and compare Host and ":authority"
values after all headers were processed.

With this change, the ngx_http_process_request_header() function
can no longer be used here, certain parts were inlined similar to
the HTTP/3 module.

To provide compatibility for misconfigurations that use $http_host
to return the value of the ":authority" header, the Host header,
if missing, is now reconstructed from ":authority".