nginx.git/src/stream, branch release-1.13.8 nginx Retain CAP_NET_RAW capability for transparent proxying. 2017-12-13T17:40:53+00:00 Roman Arutyunyan arut@nginx.com 2017-12-13T17:40:53+00:00 752f66bf7d70fae2bf05fbf5941ff4be52b2b9a5 The capability is retained automatically in unprivileged worker processes after changing UID if transparent proxying is enabled at least once in nginx configuration. The feature is only available in Linux. 
The capability is retained automatically in unprivileged worker processes after
changing UID if transparent proxying is enabled at least once in nginx
configuration.

The feature is only available in Linux.
Fixed worker_shutdown_timeout in various cases. 2017-11-20T13:31:07+00:00 Maxim Dounin mdounin@mdounin.ru 2017-11-20T13:31:07+00:00 b32cb6b61079d2eff69c89e0e718a79258507717 The ngx_http_upstream_process_upgraded() did not handle c->close request, and upgraded connections do not use the write filter. As a result, worker_shutdown_timeout did not affect upgraded connections (ticket #1419). Fix is to handle c->close in the ngx_http_request_handler() function, thus covering most of the possible cases in http handling. Additionally, mail proxying did not handle neither c->close nor c->error, and thus worker_shutdown_timeout did not work for mail connections. Fix is to add c->close handling to ngx_mail_proxy_handler(). Also, added explicit handling of c->close to stream proxy, ngx_stream_proxy_process_connection(). This improves worker_shutdown_timeout handling in stream, it will no longer wait for some data being transferred in a connection before closing it, and will also provide appropriate logging at the "info" level. 
The ngx_http_upstream_process_upgraded() did not handle c->close request,
and upgraded connections do not use the write filter.  As a result,
worker_shutdown_timeout did not affect upgraded connections (ticket #1419).
Fix is to handle c->close in the ngx_http_request_handler() function, thus
covering most of the possible cases in http handling.

Additionally, mail proxying did not handle neither c->close nor c->error,
and thus worker_shutdown_timeout did not work for mail connections.  Fix is
to add c->close handling to ngx_mail_proxy_handler().

Also, added explicit handling of c->close to stream proxy,
ngx_stream_proxy_process_connection().  This improves worker_shutdown_timeout
handling in stream, it will no longer wait for some data being transferred
in a connection before closing it, and will also provide appropriate
logging at the "info" level.
Upstream hash: reordered peer checks. 2017-10-05T14:43:05+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-05T14:43:05+00:00 53d655f89407af017cd193fd4d8d82118c9c2c80 This slightly reduces cost of selecting a peer if all or almost all peers failed, see ticket #1030. There should be no measureable difference with other workloads. 
This slightly reduces cost of selecting a peer if all or almost all peers
failed, see ticket #1030.  There should be no measureable difference with
other workloads.
Upstream hash: limited number of tries in consistent case. 2017-10-05T14:42:59+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-05T14:42:59+00:00 a10ec2db91b448029968025d23155e9c383f522d While this may result in non-ideal distribution of requests if nginx won't be able to select a server in a reasonable number of attempts, this still looks better than severe performance degradation observed if there is no limit and there are many points configured (ticket #1030). This is also in line with what we do for other hash balancing methods. 
While this may result in non-ideal distribution of requests if nginx
won't be able to select a server in a reasonable number of attempts,
this still looks better than severe performance degradation observed
if there is no limit and there are many points configured (ticket #1030).
This is also in line with what we do for other hash balancing methods.
Fixed handling of unix sockets in $binary_remote_addr. 2017-10-04T18:19:42+00:00 Maxim Dounin mdounin@mdounin.ru 2017-10-04T18:19:42+00:00 41d8ea8c8d268555d3cbd8dd2ab32dcc06658209 Previously, unix sockets were treated as AF_INET ones, and this may result in buffer overread on Linux, where unbound unix sockets have 2-byte addresses. Note that it is not correct to use just sun_path as a binary representation for unix sockets. This will result in an empty string for unbound unix sockets, and thus behaviour of limit_req and limit_conn will change when switching from $remote_addr to $binary_remote_addr. As such, normal text representation is used. Reported by Stephan Dollberg. 
Previously, unix sockets were treated as AF_INET ones, and this may
result in buffer overread on Linux, where unbound unix sockets have
2-byte addresses.

Note that it is not correct to use just sun_path as a binary representation
for unix sockets.  This will result in an empty string for unbound unix
sockets, and thus behaviour of limit_req and limit_conn will change when
switching from $remote_addr to $binary_remote_addr.  As such, normal text
representation is used.

Reported by Stephan Dollberg.
Modules compatibility: down flag promoted to a bitmask. 2017-09-22T19:49:42+00:00 Ruslan Ermilov ru@nginx.com 2017-09-22T19:49:42+00:00 e7738ce82d1836440fafa9d20dde6c9a28d4ecf4 It is to be used as a bitmask with various bits set/reset when appropriate. 63b8b157b776 made a similar change to ngx_http_upstream_rr_peer_t.down and ngx_stream_upstream_rr_peer_t.down. 
It is to be used as a bitmask with various bits set/reset when appropriate.
63b8b157b776 made a similar change to ngx_http_upstream_rr_peer_t.down and
ngx_stream_upstream_rr_peer_t.down.
Style. 2017-09-22T15:37:49+00:00 Ruslan Ermilov ru@nginx.com 2017-09-22T15:37:49+00:00 ccd7e1037ef627b8103df9f565e25e3e1795bf8d 






Do not use the obsolete NGX_SOCKADDRLEN macro.
2017-09-22T10:10:49+00:00

Ruslan Ermilov
ru@nginx.com

2017-09-22T10:10:49+00:00

0cda728c6f9a7bb789d5e1b9123f6654f408c5e9

The change in ac120e797d28 re-used the macro which was made obsolete
in adf25b8d0431.





The change in ac120e797d28 re-used the macro which was made obsolete
in adf25b8d0431.







Stream: fixed logging UDP upstream timeout.
2017-09-12T10:44:04+00:00

Roman Arutyunyan
arut@nginx.com

2017-09-12T10:44:04+00:00

c36a3c0cba7082f4b4933e90eef986e49e3eea98

Previously, when the first UDP response packet was not received from the
proxied server within proxy_timeout, no error message was logged before
switching to the next upstream.  Additionally, when one of succeeding response
packets was not received within the timeout, the timeout error had low severity
because it was logged as a client connection error as opposed to upstream
connection error.





Previously, when the first UDP response packet was not received from the
proxied server within proxy_timeout, no error message was logged before
switching to the next upstream.  Additionally, when one of succeeding response
packets was not received within the timeout, the timeout error had low severity
because it was logged as a client connection error as opposed to upstream
connection error.







Stream: relaxed next upstream condition (ticket #1317).
2017-09-11T12:32:31+00:00

Roman Arutyunyan
arut@nginx.com

2017-09-11T12:32:31+00:00

15f81e0bbf42d8bc6e70a06800720eb9d927efdd

When switching to a next upstream, some buffers could be stuck in the middle
of the filter chain.  A condition existed that raised an error when this
happened.  As it turned out, this condition prevented switching to a next
upstream if ssl preread was used with the TCP protocol (see the ticket).

In fact, the condition does not make sense for TCP, since after successful
connection to an upstream switching to another upstream never happens.  As for
UDP, the issue with stuck buffers is unlikely to happen, but is still possible.
Specifically, if a filter delays sending data to upstream.

The condition can be relaxed to only check the "buffered" bitmask of the
upstream connection.  The new condition is simpler and fixes the ticket issue
as well.  Additionally, the upstream_out chain is now reset for UDP prior to
connecting to a new upstream to prevent repeating the client data twice.





When switching to a next upstream, some buffers could be stuck in the middle
of the filter chain.  A condition existed that raised an error when this
happened.  As it turned out, this condition prevented switching to a next
upstream if ssl preread was used with the TCP protocol (see the ticket).

In fact, the condition does not make sense for TCP, since after successful
connection to an upstream switching to another upstream never happens.  As for
UDP, the issue with stuck buffers is unlikely to happen, but is still possible.
Specifically, if a filter delays sending data to upstream.

The condition can be relaxed to only check the "buffered" bitmask of the
upstream connection.  The new condition is simpler and fixes the ticket issue
as well.  Additionally, the upstream_out chain is now reset for UDP prior to
connecting to a new upstream to prevent repeating the client data twice.