nginx.git/src/stream, branch release-1.15.2 nginx Stream ssl_preread: added SSLv2 Client Hello support. 2018-07-18T15:51:25+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-18T15:51:25+00:00 b93931ae8292a485e045c36f963d843a74507d1e In particular, it was not possible to obtain SSLv2 protocol version. 
In particular, it was not possible to obtain SSLv2 protocol version.
SSL: save sessions for upstream peers using a callback function. 2018-07-17T09:53:23+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-17T09:53:23+00:00 d5a27006e03174aa518f6c849d377a130a7c705c In TLSv1.3, NewSessionTicket messages arrive after the handshake and can come at any time. Therefore we use a callback to save the session when we know about it. This approach works for < TLSv1.3 as well. The callback function is set once per location on merge phase. Since SSL_get_session() in BoringSSL returns an unresumable session for TLSv1.3, peer save_session() methods have been updated as well to use a session supplied within the callback. To preserve API, the session is cached in c->ssl->session. It is preferably accessed in save_session() methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers. 
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
Events: moved sockets cloning to ngx_event_init_conf(). 2018-07-12T16:50:02+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-12T16:50:02+00:00 751bdd3bb2b6ff54be09c37ff328f258fed520fb Previously, listenings sockets were not cloned if the worker_processes directive was specified after "listen ... reuseport". This also simplifies upcoming configuration check on the number of worker connections, as it needs to know the number of listening sockets before cloning. 
Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.
Stream ssl_preread: $ssl_preread_protocol variable. 2018-07-11T14:56:51+00:00 Roman Arutyunyan arut@nginx.com 2018-07-11T14:56:51+00:00 a8e38e2a9c1c9f3afb22fdb196e85fb2f28c192c The variable keeps the latest SSL protocol version supported by the client. The variable has the same format as $ssl_protocol. The version is read from the client_version field of ClientHello. If the supported_versions extension is present in the ClientHello, then the version is set to TLSv1.3. 
The variable keeps the latest SSL protocol version supported by the client.
The variable has the same format as $ssl_protocol.

The version is read from the client_version field of ClientHello.  If the
supported_versions extension is present in the ClientHello, then the version
is set to TLSv1.3.
Upstream: ngx_http_upstream_random module. 2018-06-15T08:46:14+00:00 Vladimir Homutov vl@nginx.com 2018-06-15T08:46:14+00:00 0c4ccbea23813a50132df511d4445bc1686dbc2f The module implements random load-balancing algorithm with optional second choice. In the latter case, the best of two servers is chosen, accounting number of connections and server weight. Example: upstream u { random [two [least_conn]]; server 127.0.0.1:8080; server 127.0.0.1:8081; server 127.0.0.1:8082; server 127.0.0.1:8083; } 
The module implements random load-balancing algorithm with optional second
choice.  In the latter case, the best of two servers is chosen, accounting
number of connections and server weight.

Example:

upstream u {
    random [two [least_conn]];

    server 127.0.0.1:8080;
    server 127.0.0.1:8081;
    server 127.0.0.1:8082;
    server 127.0.0.1:8083;
}
Upstream: improved peer selection concurrency for hash and ip_hash. 2018-06-14T04:03:50+00:00 Ruslan Ermilov ru@nginx.com 2018-06-14T04:03:50+00:00 2eab9efbe4050ab471cfa3ed778d751454fcd87d 






Stream: udp streams.
2018-06-04T16:50:00+00:00

Roman Arutyunyan
arut@nginx.com

2018-06-04T16:50:00+00:00

96b6f215b846e59af249892f1c109f3efe92fbc1

Previously, only one client packet could be processed in a udp stream session
even though multiple response packets were supported.  Now multiple packets
coming from the same client address and port are delivered to the same stream
session.

If it's required to maintain a single stream of data, nginx should be
configured in a way that all packets from a client are delivered to the same
worker.  On Linux and DragonFly BSD the "reuseport" parameter should be
specified for this.  Other systems do not currently provide appropriate
mechanisms.  For these systems a single stream of udp packets is only
guaranteed in single-worker configurations.

The proxy_response directive now specifies how many packets are expected in
response to a single client packet.





Previously, only one client packet could be processed in a udp stream session
even though multiple response packets were supported.  Now multiple packets
coming from the same client address and port are delivered to the same stream
session.

If it's required to maintain a single stream of data, nginx should be
configured in a way that all packets from a client are delivered to the same
worker.  On Linux and DragonFly BSD the "reuseport" parameter should be
specified for this.  Other systems do not currently provide appropriate
mechanisms.  For these systems a single stream of udp packets is only
guaranteed in single-worker configurations.

The proxy_response directive now specifies how many packets are expected in
response to a single client packet.







Silenced -Wcast-function-type warnings (closes #1546).
2018-05-07T09:54:37+00:00

Sergey Kandaurov
pluknet@nginx.com

2018-05-07T09:54:37+00:00

68b50f71e193e58ee117ef36f25387cbaa75edf3

Cast to intermediate "void *" to lose compiler knowledge about the original
type and pass the warning.  This is not a real fix but rather a workaround.

Found by gcc8.





Cast to intermediate "void *" to lose compiler knowledge about the original
type and pass the warning.  This is not a real fix but rather a workaround.

Found by gcc8.







SSL: detect "listen ... ssl" without certificates (ticket #178).
2018-04-24T12:29:01+00:00

Maxim Dounin
mdounin@mdounin.ru

2018-04-24T12:29:01+00:00

76be1ea9de13c5e8bb0d9523c6a2ad4009a5d7cf

In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.





In mail and stream modules, no certificate provided is a fatal condition,
much like with the "ssl" and "starttls" directives.

In http, "listen ... ssl" can be used in a non-default server without
certificates as long as there is a certificate in the default one, so
missing certificate is only fatal for default servers.







Stream: set action before each recv/send while proxying.
2018-03-22T15:43:49+00:00

Roman Arutyunyan
arut@nginx.com

2018-03-22T15:43:49+00:00

f39d5e8b33d507f95e800a6d6301da510a72a3af

Now it's clear from log error message if the error occurred on client or
upstream side.





Now it's clear from log error message if the error occurred on client or
upstream side.