nginx.git/src/http, branch release-1.3.14 nginx Mp4: fixed handling of too small mdat atoms (ticket #266). 2013-03-04T15:39:03+00:00 Maxim Dounin mdounin@mdounin.ru 2013-03-04T15:39:03+00:00 b502fcb37a1a8cd1a79d43d5f3d215a933c372d9 Patch by Gernot Vormayr (with minor changes). 
Patch by Gernot Vormayr (with minor changes).
Allocate request object from its own pool. 2013-03-01T14:55:42+00:00 Valentin Bartenev vbart@nginx.com 2013-03-01T14:55:42+00:00 fcf003c6f4a5a7c885de0befcd45f4acddefb47b Previously, it was allocated from a connection pool and was selectively freed for an idle keepalive connection. The goal is to put coupled things in one chunk of memory, and to simplify handling of request objects. 
Previously, it was allocated from a connection pool and
was selectively freed for an idle keepalive connection.

The goal is to put coupled things in one chunk of memory,
and to simplify handling of request objects.
SNI: added restriction on requesting host other than negotiated. 2013-02-27T17:41:34+00:00 Valentin Bartenev vbart@nginx.com 2013-02-27T17:41:34+00:00 b720f650bb72118481884657fb6a9bcb1b0f3b11 According to RFC 6066, client is not supposed to request a different server name at the application layer. Server implementations that rely upon these names being equal must validate that a client did not send a different name in HTTP request. Current versions of Apache HTTP server always return 400 "Bad Request" in such cases. There exist implementations however (e.g., SPDY) that rely on being able to request different host names in one connection. Given this, we only reject requests with differing host names if verification of client certificates is enabled in a corresponding server configuration. An example of configuration that might not work as expected: server { listen 433 ssl default; return 404; } server { listen 433 ssl; server_name example.org; ssl_client_certificate org.cert; ssl_verify_client on; } server { listen 433 ssl; server_name example.com; ssl_client_certificate com.cert; ssl_verify_client on; } Previously, a client was able to request example.com by presenting a certificate for example.org, and vice versa. 
According to RFC 6066, client is not supposed to request a different server
name at the application layer.  Server implementations that rely upon these
names being equal must validate that a client did not send a different name
in HTTP request.  Current versions of Apache HTTP server always return 400
"Bad Request" in such cases.

There exist implementations however (e.g., SPDY) that rely on being able to
request different host names in one connection.  Given this, we only reject
requests with differing host names if verification of client certificates
is enabled in a corresponding server configuration.

An example of configuration that might not work as expected:

  server {
      listen 433 ssl default;
      return 404;
  }

  server {
      listen 433 ssl;
      server_name example.org;

      ssl_client_certificate org.cert;
      ssl_verify_client on;
  }

  server {
      listen 433 ssl;
      server_name example.com;

      ssl_client_certificate com.cert;
      ssl_verify_client on;
  }

Previously, a client was able to request example.com by presenting
a certificate for example.org, and vice versa.
SNI: reset to default server if requested host was not found. 2013-02-27T17:38:54+00:00 Valentin Bartenev vbart@nginx.com 2013-02-27T17:38:54+00:00 6000f4ad6d1e5ea69b3e0925217d08401a3d1774 Not only this is consistent with a case without SNI, but this also prevents abusing configurations that assume that the $host variable is limited to one of the configured names for a server. An example of potentially unsafe configuration: server { listen 443 ssl default_server; ... } server { listen 443; server_name example.com; location / { proxy_pass http://$host; } } Note: it is possible to negotiate "example.com" by SNI, and to request arbitrary host name that does not exist in the configuration above. 
Not only this is consistent with a case without SNI, but this also
prevents abusing configurations that assume that the $host variable
is limited to one of the configured names for a server.

An example of potentially unsafe configuration:

  server {
      listen 443 ssl default_server;
      ...
  }

  server {
      listen 443;
      server_name example.com;

      location / {
          proxy_pass http://$host;
      }
  }

Note: it is possible to negotiate "example.com" by SNI, and to request
arbitrary host name that does not exist in the configuration above.
SNI: avoid surplus lookup of virtual server if SNI was used. 2013-02-27T17:33:59+00:00 Valentin Bartenev vbart@nginx.com 2013-02-27T17:33:59+00:00 f61612532cb53e89cd6b27d24c9112a07021b6e3 






Apply server configuration as soon as host is known.
2013-02-27T17:27:15+00:00

Valentin Bartenev
vbart@nginx.com

2013-02-27T17:27:15+00:00

8c4fea17667d63a70e09571e0aa18551765c24c3

Previously, this was done only after the whole request header
was parsed, and if an error occurred earlier then the request
was processed in the default server (or server chosen by SNI),
while r->headers_in.server might be set to the value from the
Host: header or host from request line.

r->headers_in.server is in turn used for $host variable and
in HTTP redirects if "server_name_in_redirect" is disabled.
Without the change, configurations that rely on this during
error handling are potentially unsafe if SNI is used.

This change also allows to use server specific settings of
"underscores_in_headers", "ignore_invalid_headers", and
"large_client_header_buffers" directives for HTTP requests
and HTTPS requests without SNI.





Previously, this was done only after the whole request header
was parsed, and if an error occurred earlier then the request
was processed in the default server (or server chosen by SNI),
while r->headers_in.server might be set to the value from the
Host: header or host from request line.

r->headers_in.server is in turn used for $host variable and
in HTTP redirects if "server_name_in_redirect" is disabled.
Without the change, configurations that rely on this during
error handling are potentially unsafe if SNI is used.

This change also allows to use server specific settings of
"underscores_in_headers", "ignore_invalid_headers", and
"large_client_header_buffers" directives for HTTP requests
and HTTPS requests without SNI.







SSL: do not treat SSL handshake as request.
2013-02-27T17:21:21+00:00

Valentin Bartenev
vbart@nginx.com

2013-02-27T17:21:21+00:00

d281d0ba8b779b591e96ef237ff149e3d521264f

The request object will not be created until SSL handshake is complete.
This simplifies adding another connection handler that does not need
request object right after handshake (e.g., SPDY).

There are also a few more intentional effects:

 - the "client_header_buffer_size" directive will be taken from the
   server configuration that was negotiated by SNI;

 - SSL handshake errors and timeouts are not logged into access log
   as bad requests;

 - ngx_ssl_create_connection() is not called until the first byte of
   ClientHello message was received.  This also decreases memory
   consumption if plain HTTP request is sent to SSL socket.





The request object will not be created until SSL handshake is complete.
This simplifies adding another connection handler that does not need
request object right after handshake (e.g., SPDY).

There are also a few more intentional effects:

 - the "client_header_buffer_size" directive will be taken from the
   server configuration that was negotiated by SNI;

 - SSL handshake errors and timeouts are not logged into access log
   as bad requests;

 - ngx_ssl_create_connection() is not called until the first byte of
   ClientHello message was received.  This also decreases memory
   consumption if plain HTTP request is sent to SSL socket.







Status: do not count connection as reading right after accept().
2013-02-27T17:16:51+00:00

Valentin Bartenev
vbart@nginx.com

2013-02-27T17:16:51+00:00

167aabf2b365073c383a7b80521a90f87d6e0a69

Before we receive the first bytes, the connection is counted
as waiting.

This change simplifies further code changes.





Before we receive the first bytes, the connection is counted
as waiting.

This change simplifies further code changes.







SNI: reuse selected configuration for all requests in a connection.
2013-02-27T17:12:48+00:00

Valentin Bartenev
vbart@nginx.com

2013-02-27T17:12:48+00:00

64932a971437aa0b83966b1c59ff5d603816bb92

Previously, only the first request in a connection was assigned the
configuration selected by SNI.  All subsequent requests initially
used the default server's configuration, ignoring SNI, which was
wrong.

Now all subsequent requests in a connection will initially use the
configuration selected by SNI.  This is done by storing a pointer
to configuration in http connection object.  It points to default
server's configuration initially, but changed upon receipt of SNI.

(The request's configuration can be further refined when parsing
the request line and Host: header.)

This change was not made specific to SNI as it also allows slightly
faster access to configuration without the request object.





Previously, only the first request in a connection was assigned the
configuration selected by SNI.  All subsequent requests initially
used the default server's configuration, ignoring SNI, which was
wrong.

Now all subsequent requests in a connection will initially use the
configuration selected by SNI.  This is done by storing a pointer
to configuration in http connection object.  It points to default
server's configuration initially, but changed upon receipt of SNI.

(The request's configuration can be further refined when parsing
the request line and Host: header.)

This change was not made specific to SNI as it also allows slightly
faster access to configuration without the request object.







SNI: ignore captures in server_name regexes when matching by SNI.
2013-02-27T17:06:52+00:00

Valentin Bartenev
vbart@nginx.com

2013-02-27T17:06:52+00:00

e1d8158b5e7b2cc3c3f0d1b9ed61f94ccb44e3f1

This change helps to decouple ngx_http_ssl_servername() from the request
object.

Note: now we close connection in case of error during server name lookup
for request.  Previously, we did so only for HTTP/0.9 requests.





This change helps to decouple ngx_http_ssl_servername() from the request
object.

Note: now we close connection in case of error during server name lookup
for request.  Previously, we did so only for HTTP/0.9 requests.