nginx.git/src/stream, branch release-1.15.8 nginx Geo: fixed handling of AF_UNIX client addresses (ticket #1684). 2018-12-14T15:11:06+00:00 Maxim Dounin mdounin@mdounin.ru 2018-12-14T15:11:06+00:00 ce4a23d144762cfa27c0e4b13f74cada2f7486a8 Previously, AF_UNIX client addresses were handled as AF_INET, leading to unexpected results. 
Previously, AF_UNIX client addresses were handled as AF_INET, leading
to unexpected results.
Negative size buffers detection. 2018-11-26T15:29:56+00:00 Maxim Dounin mdounin@mdounin.ru 2018-11-26T15:29:56+00:00 f4c70589ce2875b67554113dc7fe6efc581444d6 In the past, there were several security issues which resulted in worker process memory disclosure due to buffers with negative size. It looks reasonable to check for such buffers in various places, much like we already check for zero size buffers. While here, removed "#if 1 / #endif" around zero size buffer checks. It looks highly unlikely that we'll disable these checks anytime soon. 
In the past, there were several security issues which resulted in
worker process memory disclosure due to buffers with negative size.
It looks reasonable to check for such buffers in various places,
much like we already check for zero size buffers.

While here, removed "#if 1 / #endif" around zero size buffer checks.
It looks highly unlikely that we'll disable these checks anytime soon.
Upstream: revised upstream response time variables. 2018-11-21T10:40:40+00:00 Vladimir Homutov vl@nginx.com 2018-11-21T10:40:40+00:00 c24146731810f2711da608cd7f3bdca528a3eb14 Variables now do not depend on presence of the HTTP status code in response. If the corresponding event occurred, variables contain time between request creation and the event, and "-" otherwise. Previously, intermediate value of the $upstream_response_time variable held unix timestamp. 
Variables now do not depend on presence of the HTTP status code in response.
If the corresponding event occurred, variables contain time between request
creation and the event, and "-" otherwise.

Previously, intermediate value of the $upstream_response_time variable held
unix timestamp.
Stream: proxy_requests directive. 2018-11-12T13:29:30+00:00 Vladimir Homutov vl@nginx.com 2018-11-12T13:29:30+00:00 41a451e286cb6de9e0a0ad97f91a1dcac17ef68f The directive allows to drop binding between a client and existing UDP stream session after receiving a specified number of packets. First packet from the same client address and port will start a new session. Old session continues to exist and will terminate at moment defined by configuration: either after receiving the expected number of responses, or after timeout, as specified by the "proxy_responses" and/or "proxy_timeout" directives. By default, proxy_requests is zero (disabled). 
The directive allows to drop binding between a client and existing UDP stream
session after receiving a specified number of packets.  First packet from the
same client address and port will start a new session.  Old session continues
to exist and will terminate at moment defined by configuration: either after
receiving the expected number of responses, or after timeout, as specified by
the "proxy_responses" and/or "proxy_timeout" directives.

By default, proxy_requests is zero (disabled).
Stream: session completion check code moved to a separate function. 2018-11-12T09:05:03+00:00 Vladimir Homutov vl@nginx.com 2018-11-12T09:05:03+00:00 abf04ed87abd048c9f6c2de62f6a771bbd923f8a The code refactored to simplify the ngx_stream_proxy_process() function and facilitate adding new session termination conditions. 
The code refactored to simplify the ngx_stream_proxy_process() function
and facilitate adding new session termination conditions.
Upstream: proxy_socket_keepalive and friends. 2018-10-03T11:08:51+00:00 Vladimir Homutov vl@nginx.com 2018-10-03T11:08:51+00:00 1305b8414d22610b0820f6df5841418bf98fc370 The directives enable the use of the SO_KEEPALIVE option on upstream connections. By default, the value is left unchanged. 
The directives enable the use of the SO_KEEPALIVE option on
upstream connections.  By default, the value is left unchanged.
Stream: avoid potential infinite loop at preread phase. 2018-08-29T12:56:42+00:00 Roman Arutyunyan arut@nginx.com 2018-08-29T12:56:42+00:00 d9908c6c9a8ef01b36dc604ace4c00c09135372e Previously the preread phase code ignored NGX_AGAIN value returned from c->recv() and relied only on c->read->ready. But this flag is not reliable and should only be checked for optimization purposes. For example, when using SSL, c->read->ready may be set when no input is available. This can lead to calling preread handler infinitely in a loop. 
Previously the preread phase code ignored NGX_AGAIN value returned from
c->recv() and relied only on c->read->ready.  But this flag is not reliable and
should only be checked for optimization purposes.  For example, when using
SSL, c->read->ready may be set when no input is available.  This can lead to
calling preread handler infinitely in a loop.
Stream ssl_preread: added SSLv2 Client Hello support. 2018-07-18T15:51:25+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-18T15:51:25+00:00 b93931ae8292a485e045c36f963d843a74507d1e In particular, it was not possible to obtain SSLv2 protocol version. 
In particular, it was not possible to obtain SSLv2 protocol version.
SSL: save sessions for upstream peers using a callback function. 2018-07-17T09:53:23+00:00 Sergey Kandaurov pluknet@nginx.com 2018-07-17T09:53:23+00:00 d5a27006e03174aa518f6c849d377a130a7c705c In TLSv1.3, NewSessionTicket messages arrive after the handshake and can come at any time. Therefore we use a callback to save the session when we know about it. This approach works for < TLSv1.3 as well. The callback function is set once per location on merge phase. Since SSL_get_session() in BoringSSL returns an unresumable session for TLSv1.3, peer save_session() methods have been updated as well to use a session supplied within the callback. To preserve API, the session is cached in c->ssl->session. It is preferably accessed in save_session() methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers. 
In TLSv1.3, NewSessionTicket messages arrive after the handshake and
can come at any time.  Therefore we use a callback to save the session
when we know about it.  This approach works for < TLSv1.3 as well.
The callback function is set once per location on merge phase.

Since SSL_get_session() in BoringSSL returns an unresumable session for
TLSv1.3, peer save_session() methods have been updated as well to use a
session supplied within the callback.  To preserve API, the session is
cached in c->ssl->session.  It is preferably accessed in save_session()
methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
Events: moved sockets cloning to ngx_event_init_conf(). 2018-07-12T16:50:02+00:00 Maxim Dounin mdounin@mdounin.ru 2018-07-12T16:50:02+00:00 751bdd3bb2b6ff54be09c37ff328f258fed520fb Previously, listenings sockets were not cloned if the worker_processes directive was specified after "listen ... reuseport". This also simplifies upcoming configuration check on the number of worker connections, as it needs to know the number of listening sockets before cloning. 
Previously, listenings sockets were not cloned if the worker_processes
directive was specified after "listen ... reuseport".

This also simplifies upcoming configuration check on the number
of worker connections, as it needs to know the number of listening
sockets before cloning.