nginx.git/src/stream, branch release-1.11.8 nginx Stream: speed up TCP peer recovery. 2016-12-26T11:27:05+00:00 Roman Arutyunyan arut@nginx.com 2016-12-26T11:27:05+00:00 6dae95a7d499c836f72a585961cb80166ed5fde7 Previously, an unavailable peer was considered recovered after a successful proxy session to this peer. Until then, only a single client connection per fail_timeout was allowed to be proxied to the peer. Since stream sessions can be long, it may take indefinite time for a peer to recover, limiting the ability of the peer to receive new connections. Now, a peer is considered recovered after a successful TCP connection is established to it. Balancers are notified of this event via the notify() callback. 
Previously, an unavailable peer was considered recovered after a successful
proxy session to this peer.  Until then, only a single client connection per
fail_timeout was allowed to be proxied to the peer.

Since stream sessions can be long, it may take indefinite time for a peer to
recover, limiting the ability of the peer to receive new connections.

Now, a peer is considered recovered after a successful TCP connection is
established to it.  Balancers are notified of this event via the notify()
callback.
Limited recursion when evaluating variables. 2016-12-21T19:01:24+00:00 Ruslan Ermilov ru@nginx.com 2016-12-21T19:01:24+00:00 d1f524d0b3e013f23bb9456aa4f2c35916934c27 Unlimited recursion might cause stack exhaustion in some misconfigurations. 
Unlimited recursion might cause stack exhaustion in some misconfigurations.
Stream: client SSL certificates verification support. 2016-12-20T09:05:14+00:00 Vladimir Homutov vl@nginx.com 2016-12-20T09:05:14+00:00 7fab8d046ee170031ad61d4131403e3d5540e98e New directives: "ssl_verify_client", "ssl_verify_depth", "ssl_client_certificate", "ssl_trusted_certificate", and "ssl_crl". New variables: $ssl_client_cert, $ssl_client_raw_cert, $ssl_client_s_dn, $ssl_client_i_dn, $ssl_client_serial, $ssl_client_fingerprint, $ssl_client_verify, $ssl_client_v_start, $ssl_client_v_end, and $ssl_client_v_remain. 
New directives: "ssl_verify_client", "ssl_verify_depth",
"ssl_client_certificate", "ssl_trusted_certificate", and
"ssl_crl".

New variables: $ssl_client_cert, $ssl_client_raw_cert,
$ssl_client_s_dn, $ssl_client_i_dn, $ssl_client_serial,
$ssl_client_fingerprint, $ssl_client_verify, $ssl_client_v_start,
$ssl_client_v_end, and $ssl_client_v_remain.
Stream ssl_preread: relaxed SSL version check. 2016-12-19T11:02:39+00:00 Roman Arutyunyan arut@nginx.com 2016-12-19T11:02:39+00:00 393636d79c836e360b14ca99f76996935ee02236 SSL version 3.0 can be specified by the client at the record level for compatibility reasons. Previously, ssl_preread module rejected such connections, presuming they don't have SNI. Now SSL 3.0 is allowed at the record level. 
SSL version 3.0 can be specified by the client at the record level for
compatibility reasons.  Previously, ssl_preread module rejected such
connections, presuming they don't have SNI.  Now SSL 3.0 is allowed at
the record level.
Access log: support for json escaping. 2016-12-15T13:25:42+00:00 Valentin Bartenev vbart@nginx.com 2016-12-15T13:25:42+00:00 c40d8ddc5d907ebd90f85cf362f501d2cf3e05a2 






Map: the "volatile" parameter.
2016-12-08T14:51:49+00:00

Ruslan Ermilov
ru@nginx.com

2016-12-08T14:51:49+00:00

72ace363184d4768627c2fd2b0a5236887cdc036

By default, "map" creates cacheable variables [1].  With this
parameter it creates a non-cacheable variable.

An original idea was to deduce the cacheability of the "map"
variable by checking the cacheability of variables specified
in source and resulting values, but it turned to be too hard.
For example, a cacheable variable can be overridden with the
"set" directive or with the SSI "set" command.  Also, keeping
"map" variables cacheable by default is good for performance
reasons.  This required adding a new parameter.

[1] Before db699978a33f (1.11.0), the cacheability of the
"map" variable could vary depending on the cacheability of
variables specified in resulting values (ticket #1090).
This is believed to be a bug rather than a feature.





By default, "map" creates cacheable variables [1].  With this
parameter it creates a non-cacheable variable.

An original idea was to deduce the cacheability of the "map"
variable by checking the cacheability of variables specified
in source and resulting values, but it turned to be too hard.
For example, a cacheable variable can be overridden with the
"set" directive or with the SSI "set" command.  Also, keeping
"map" variables cacheable by default is good for performance
reasons.  This required adding a new parameter.

[1] Before db699978a33f (1.11.0), the cacheability of the
"map" variable could vary depending on the cacheability of
variables specified in resulting values (ticket #1090).
This is believed to be a bug rather than a feature.







Map: simplified "map" block parser.
2016-12-08T14:29:01+00:00

Ruslan Ermilov
ru@nginx.com

2016-12-08T14:29:01+00:00

41f06845cf5373d6a86e383f946006fd4ee87137

No functional changes.





No functional changes.







SSL: $ssl_curves (ticket #1088).
2016-12-05T19:23:23+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-05T19:23:23+00:00

551091951a479e2f512062c51bdcc6157a211164

The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session.  As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.





The variable contains a list of curves as supported by the client.
Known curves are listed by their names, unknown ones are shown
in hex, e.g., "0x001d:prime256v1:secp521r1:secp384r1".

Note that OpenSSL uses session data for SSL_get1_curves(), and
it doesn't store full list of curves supported by the client when
serializing a session.  As a result $ssl_curves is only available
for new sessions (and will be empty for reused ones).

The variable is only meaningful when using OpenSSL 1.0.2 and above.
With older versions the variable is empty.







SSL: $ssl_ciphers (ticket #870).
2016-12-05T19:23:23+00:00

Maxim Dounin
mdounin@mdounin.ru

2016-12-05T19:23:23+00:00

2daf78867bb60bee5e5ca517f20339211391635b

The variable contains list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff".

The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older version there is an attempt to provide some information
using SSL_get_shared_ciphers().  It only lists known ciphers though.
Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store relevant data when serializing a session.  As
a result $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.





The variable contains list of ciphers as supported by the client.
Known ciphers are listed by their names, unknown ones are shown
in hex, e.g., ""AES128-SHA:AES256-SHA:0x00ff".

The variable is fully supported only when using OpenSSL 1.0.2 and above.
With older version there is an attempt to provide some information
using SSL_get_shared_ciphers().  It only lists known ciphers though.
Moreover, as OpenSSL uses session data for SSL_get_shared_ciphers(),
and it doesn't store relevant data when serializing a session.  As
a result $ssl_ciphers is only available for new sessions (and not
available for reused ones) when using OpenSSL older than 1.0.2.







Upstream: do not unnecessarily create per-request upstreams.
2016-10-31T15:33:36+00:00

Ruslan Ermilov
ru@nginx.com

2016-10-31T15:33:36+00:00

149fda55f730c38fb9e2c5b63370da92c0ad7c22

If proxy_pass (and friends) with variables evaluates an upstream
specified with literal address, nginx always created a per-request
upstream.

Now, if there's a matching upstream specified in the configuration
(either implicit or explicit), it will be used instead.





If proxy_pass (and friends) with variables evaluates an upstream
specified with literal address, nginx always created a per-request
upstream.

Now, if there's a matching upstream specified in the configuration
(either implicit or explicit), it will be used instead.