nginx.git/src/stream, branch release-1.13.6 nginx Upstream hash: reordered peer checks. 2017-10-05T14:43:05+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-05T14:43:05+00:00 53d655f89407af017cd193fd4d8d82118c9c2c80 This slightly reduces cost of selecting a peer if all or almost all peers failed, see ticket #1030. There should be no measureable difference with other workloads. 
This slightly reduces cost of selecting a peer if all or almost all peers
failed, see ticket #1030.  There should be no measureable difference with
other workloads.
Upstream hash: limited number of tries in consistent case. 2017-10-05T14:42:59+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-05T14:42:59+00:00 a10ec2db91b448029968025d23155e9c383f522d While this may result in non-ideal distribution of requests if nginx won't be able to select a server in a reasonable number of attempts, this still looks better than severe performance degradation observed if there is no limit and there are many points configured (ticket #1030). This is also in line with what we do for other hash balancing methods. 
While this may result in non-ideal distribution of requests if nginx
won't be able to select a server in a reasonable number of attempts,
this still looks better than severe performance degradation observed
if there is no limit and there are many points configured (ticket #1030).
This is also in line with what we do for other hash balancing methods.
Fixed handling of unix sockets in $binary_remote_addr. 2017-10-04T18:19:42+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-04T18:19:42+00:00 41d8ea8c8d268555d3cbd8dd2ab32dcc06658209 Previously, unix sockets were treated as AF_INET ones, and this may result in buffer overread on Linux, where unbound unix sockets have 2-byte addresses. Note that it is not correct to use just sun_path as a binary representation for unix sockets. This will result in an empty string for unbound unix sockets, and thus behaviour of limit_req and limit_conn will change when switching from $remote_addr to $binary_remote_addr. As such, normal text representation is used. Reported by Stephan Dollberg. 
Previously, unix sockets were treated as AF_INET ones, and this may
result in buffer overread on Linux, where unbound unix sockets have
2-byte addresses.

Note that it is not correct to use just sun_path as a binary representation
for unix sockets.  This will result in an empty string for unbound unix
sockets, and thus behaviour of limit_req and limit_conn will change when
switching from $remote_addr to $binary_remote_addr.  As such, normal text
representation is used.

Reported by Stephan Dollberg.
Modules compatibility: down flag promoted to a bitmask. 2017-09-22T19:49:42+00:00 Ruslan Ermilov ru@nginx.com 2017-09-22T19:49:42+00:00 e7738ce82d1836440fafa9d20dde6c9a28d4ecf4 It is to be used as a bitmask with various bits set/reset when appropriate. 63b8b157b776 made a similar change to ngx_http_upstream_rr_peer_t.down and ngx_stream_upstream_rr_peer_t.down. 
It is to be used as a bitmask with various bits set/reset when appropriate.
63b8b157b776 made a similar change to ngx_http_upstream_rr_peer_t.down and
ngx_stream_upstream_rr_peer_t.down.
Style. 2017-09-22T15:37:49+00:00 Ruslan Ermilov ru@nginx.com 2017-09-22T15:37:49+00:00 ccd7e1037ef627b8103df9f565e25e3e1795bf8d 






Do not use the obsolete NGX_SOCKADDRLEN macro.
2017-09-22T10:10:49+00:00

Ruslan Ermilov
ru@nginx.com

2017-09-22T10:10:49+00:00

0cda728c6f9a7bb789d5e1b9123f6654f408c5e9

The change in ac120e797d28 re-used the macro which was made obsolete
in adf25b8d0431.





The change in ac120e797d28 re-used the macro which was made obsolete
in adf25b8d0431.







Stream: fixed logging UDP upstream timeout.
2017-09-12T10:44:04+00:00

Roman Arutyunyan
arut@nginx.com

2017-09-12T10:44:04+00:00

c36a3c0cba7082f4b4933e90eef986e49e3eea98

Previously, when the first UDP response packet was not received from the
proxied server within proxy_timeout, no error message was logged before
switching to the next upstream.  Additionally, when one of succeeding response
packets was not received within the timeout, the timeout error had low severity
because it was logged as a client connection error as opposed to upstream
connection error.





Previously, when the first UDP response packet was not received from the
proxied server within proxy_timeout, no error message was logged before
switching to the next upstream.  Additionally, when one of succeeding response
packets was not received within the timeout, the timeout error had low severity
because it was logged as a client connection error as opposed to upstream
connection error.







Stream: relaxed next upstream condition (ticket #1317).
2017-09-11T12:32:31+00:00

Roman Arutyunyan
arut@nginx.com

2017-09-11T12:32:31+00:00

15f81e0bbf42d8bc6e70a06800720eb9d927efdd

When switching to a next upstream, some buffers could be stuck in the middle
of the filter chain.  A condition existed that raised an error when this
happened.  As it turned out, this condition prevented switching to a next
upstream if ssl preread was used with the TCP protocol (see the ticket).

In fact, the condition does not make sense for TCP, since after successful
connection to an upstream switching to another upstream never happens.  As for
UDP, the issue with stuck buffers is unlikely to happen, but is still possible.
Specifically, if a filter delays sending data to upstream.

The condition can be relaxed to only check the "buffered" bitmask of the
upstream connection.  The new condition is simpler and fixes the ticket issue
as well.  Additionally, the upstream_out chain is now reset for UDP prior to
connecting to a new upstream to prevent repeating the client data twice.





When switching to a next upstream, some buffers could be stuck in the middle
of the filter chain.  A condition existed that raised an error when this
happened.  As it turned out, this condition prevented switching to a next
upstream if ssl preread was used with the TCP protocol (see the ticket).

In fact, the condition does not make sense for TCP, since after successful
connection to an upstream switching to another upstream never happens.  As for
UDP, the issue with stuck buffers is unlikely to happen, but is still possible.
Specifically, if a filter delays sending data to upstream.

The condition can be relaxed to only check the "buffered" bitmask of the
upstream connection.  The new condition is simpler and fixes the ticket issue
as well.  Additionally, the upstream_out chain is now reset for UDP prior to
connecting to a new upstream to prevent repeating the client data twice.







SSL: the $ssl_client_escaped_cert variable (ticket #857).
2017-08-22T12:18:10+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-08-22T12:18:10+00:00

50a0f25c60bcc0fb46efcab00985c200c08c2b2f

This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.





This variable contains URL-encoded client SSL certificate.  In contrast
to $ssl_client_cert, it doesn't depend on deprecated header continuation.
The NGX_ESCAPE_URI_COMPONENT variant of encoding is used, so the resulting
variable can be safely used not only in headers, but also as a request
argument.

The $ssl_client_cert variable should be considered deprecated now.
The $ssl_client_raw_cert variable will be eventually renambed back
to $ssl_client_cert.







Fixed calls to ngx_open_file() in certain places.
2017-08-09T12:03:27+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-08-09T12:03:27+00:00

b986b4314bb4f8fdcbcfe93c89a659d3d18691bc

Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.





Pass NGX_FILE_OPEN to ngx_open_file() to fix "The parameter is incorrect"
error on win32 when using the ssl_session_ticket_key directive or loading
a binary geo base.  On UNIX, this change is a no-op.