nginx.git/src/stream, branch release-1.13.5 nginx SSL: the $ssl_client_escaped_cert variable (ticket #857). 2017-08-22T12:18:10+00:00 Maxim Dounin mdounin@mdounin.ru 2017-08-22T12:18:10+00:00 50a0f25c60bcc0fb46efcab00985c200c08c2b2f This variable contains URL-encoded client SSL certificate. In contrast to $ssl_client_cert, it doesn't depend on deprecated header continuation. The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting variable can be safely used not only in headers, but also as a request argument. The $ssl_client_cert variable should be considered deprecated now. The $ssl_client_raw_cert variable will be eventually renambed back to $ssl_client_cert. 
This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.
Fixed calls to ngx_open_file() in certain places. 2017-08-09T12:03:27+00:00 Sergey Kandaurov pluknet@nginx.com 2017-08-09T12:03:27+00:00 b986b4314bb4f8fdcbcfe93c89a659d3d18691bc Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect" error on win32 when using the ssl_session_ticket_key directive or loading a binary geo base. On UNIX, this change is a no-op. 
Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.
Style. 2017-08-09T11:59:46+00:00 Sergey Kandaurov pluknet@nginx.com 2017-08-09T11:59:46+00:00 32c7bd5102571ec20e45f620d2916e612e3b2016 






Upstream: copy peer data in shared memory.
2017-08-04T14:03:10+00:00

Ruslan Ermilov
ru@nginx.com

2017-08-04T14:03:10+00:00

c9a81b29b5a7699f3c25c83b6ee9e0c2a07f5f79

This, in addition to 1eb753aa8e5e, fixes "upstream zone" on Windows.





This, in addition to 1eb753aa8e5e, fixes "upstream zone" on Windows.







Upstream zone: store peers->name and its data in shared memory.
2017-08-01T16:12:10+00:00

Ruslan Ermilov
ru@nginx.com

2017-08-01T16:12:10+00:00

d846f27638525f478ea07f5574b5569ce2ab1ac2

The shared objects should generally be allocated from shared memory.
While peers->name and the data it points to allocated from cf->pool
happened to work on UNIX, it broke on Windows.  On UNIX this worked
only because the shared memory zone for upstreams is re-created for
every new configuration.

But on Windows, a worker process does not inherit the address space
of the master process, so the peers->name pointed to data allocated
from cf->pool by the master process, and was invalid.





The shared objects should generally be allocated from shared memory.
While peers->name and the data it points to allocated from cf->pool
happened to work on UNIX, it broke on Windows.  On UNIX this worked
only because the shared memory zone for upstreams is re-created for
every new configuration.

But on Windows, a worker process does not inherit the address space
of the master process, so the peers->name pointed to data allocated
from cf->pool by the master process, and was invalid.







Variables: macros for null variables.
2017-08-01T11:28:33+00:00

Ruslan Ermilov
ru@nginx.com

2017-08-01T11:28:33+00:00

b992f7259ba4763178f9d394b320bcc5de88818b

No functional changes.





No functional changes.







Style: changed checks of ngx_ssl_create_connection() to != NGX_OK.
2017-05-29T13:34:35+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-05-29T13:34:35+00:00

0514e14a8bbd8e5977712c892b53aa471a91fcb5

In http these checks were changed in a6d6d762c554, though mail module
was missed at that time.  Since then, the stream module was introduced
based on mail, using "== NGX_ERROR" check.





In http these checks were changed in a6d6d762c554, though mail module
was missed at that time.  Since then, the stream module was introduced
based on mail, using "== NGX_ERROR" check.







SSL: set TCP_NODELAY on SSL connections before handshake.
2017-05-29T13:34:29+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-05-29T13:34:29+00:00

2db69fed2c200a4f4017e82bc9239f22dfac846f

With OpenSSL 1.1.0+, the workaround for handshake buffer size as introduced
in a720f0b0e083 (ticket #413) no longer works, as OpenSSL no longer exposes
handshake buffers, see https://github.com/openssl/openssl/commit/2e7dc7cd688.
Moreover, it is no longer possible to adjust handshake buffers at all now.

To avoid additional RTT if handshake uses more than 4k we now set TCP_NODELAY
on SSL connections before handshake.  While this still results in sub-optimal
network utilization due to incomplete packets being sent, it seems to be
better than nothing.





With OpenSSL 1.1.0+, the workaround for handshake buffer size as introduced
in a720f0b0e083 (ticket #413) no longer works, as OpenSSL no longer exposes
handshake buffers, see https://github.com/openssl/openssl/commit/2e7dc7cd688.
Moreover, it is no longer possible to adjust handshake buffers at all now.

To avoid additional RTT if handshake uses more than 4k we now set TCP_NODELAY
on SSL connections before handshake.  While this still results in sub-optimal
network utilization due to incomplete packets being sent, it seems to be
better than nothing.







Introduced ngx_tcp_nodelay().
2017-05-26T19:52:48+00:00

Ruslan Ermilov
ru@nginx.com

2017-05-26T19:52:48+00:00

b66c18d2d50c53b063cd14a2c3e4c8ff8b1b22a5












Realip: allow hostnames in set_real_ip_from (ticket #1180).
2017-05-15T14:17:01+00:00

Ruslan Ermilov
ru@nginx.com

2017-05-15T14:17:01+00:00

a464d07f0a3fd8afd37ce7135e7c678e3604a30c