<feed xmlns='http://www.w3.org/2005/Atom'>
<title>nginx.git/src/stream, branch release-1.23.1</title>
<subtitle>nginx</subtitle>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/'/>
<entry>
<title>Upstream: optimized use of SSL contexts (ticket #1234).</title>
<updated>2022-06-28T23:47:45+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2022-06-28T23:47:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=d791b4aab418b0cbadbaf079fbb9360269d97941'/>
<id>d791b4aab418b0cbadbaf079fbb9360269d97941</id>
<content type='text'>
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf-&gt;upstream.ssl in the "http" section configuration
to inherit it to all servers.

Similar changes made in uwsgi, grpc, and stream proxy.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf-&gt;upstream.ssl in the "http" section configuration
to inherit it to all servers.

Similar changes made in uwsgi, grpc, and stream proxy.
</pre>
</div>
</content>
</entry>
<entry>
<title>Stream: don't flush empty buffers created for read errors.</title>
<updated>2022-05-23T18:29:44+00:00</updated>
<author>
<name>Aleksei Bavshin</name>
<email>a.bavshin@f5.com</email>
</author>
<published>2022-05-23T18:29:44+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=d7994be44592f0ce9c240406b13020cdc377a9f0'/>
<id>d7994be44592f0ce9c240406b13020cdc377a9f0</id>
<content type='text'>
When we generate the last_buf buffer for a UDP upstream recv error, it does
not contain any data from the wire. ngx_stream_write_filter attempts to forward
it anyway, which is incorrect (e.g., UDP upstream ECONNREFUSED will be
translated to an empty packet).

This happens because we mark the buffer as both 'flush' and 'last_buf', and
ngx_stream_write_filter has special handling for flush with certain types of
connections (see d127837c714f, 32b0ba4855a6).  The flags are meant to be
mutually exclusive, so the fix is to ensure that flush and last_buf are not set
at the same time.

Reproduction:

stream {
    upstream unreachable {
        server     127.0.0.1:8880;
    }
    server {
        listen     127.0.0.1:8998 udp;
        proxy_pass unreachable;
    }
}

1 0.000000000    127.0.0.1 → 127.0.0.1    UDP 47 45588 → 8998 Len=5
2 0.000166300    127.0.0.1 → 127.0.0.1    UDP 47 51149 → 8880 Len=5
3 0.000172600    127.0.0.1 → 127.0.0.1    ICMP 75 Destination unreachable (Port
unreachable)
4 0.000202400    127.0.0.1 → 127.0.0.1    UDP 42 8998 → 45588 Len=0

Fixes d127837c714f.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When we generate the last_buf buffer for a UDP upstream recv error, it does
not contain any data from the wire. ngx_stream_write_filter attempts to forward
it anyway, which is incorrect (e.g., UDP upstream ECONNREFUSED will be
translated to an empty packet).

This happens because we mark the buffer as both 'flush' and 'last_buf', and
ngx_stream_write_filter has special handling for flush with certain types of
connections (see d127837c714f, 32b0ba4855a6).  The flags are meant to be
mutually exclusive, so the fix is to ensure that flush and last_buf are not set
at the same time.

Reproduction:

stream {
    upstream unreachable {
        server     127.0.0.1:8880;
    }
    server {
        listen     127.0.0.1:8998 udp;
        proxy_pass unreachable;
    }
}

1 0.000000000    127.0.0.1 → 127.0.0.1    UDP 47 45588 → 8998 Len=5
2 0.000166300    127.0.0.1 → 127.0.0.1    UDP 47 51149 → 8880 Len=5
3 0.000172600    127.0.0.1 → 127.0.0.1    ICMP 75 Destination unreachable (Port
unreachable)
4 0.000202400    127.0.0.1 → 127.0.0.1    UDP 42 8998 → 45588 Len=0

Fixes d127837c714f.
</pre>
</div>
</content>
</entry>
<entry>
<title>Upstream: handling of certificates specified as an empty string.</title>
<updated>2022-06-07T16:08:57+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2022-06-07T16:08:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=f08dbefadf083b8546423e35d8d12ba27e46efa8'/>
<id>f08dbefadf083b8546423e35d8d12ba27e46efa8</id>
<content type='text'>
Now, if the directive is given an empty string, such configuration cancels
loading of certificates, in particular, if they would be otherwise inherited
from the previous level.  This restores previous behaviour, before variables
support in certificates was introduced (3ab8e1e2f0f7).
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Now, if the directive is given an empty string, such configuration cancels
loading of certificates, in particular, if they would be otherwise inherited
from the previous level.  This restores previous behaviour, before variables
support in certificates was introduced (3ab8e1e2f0f7).
</pre>
</div>
</content>
</entry>
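Added example (not configuration from the nginx repository or its authors): how the two upstream changes above combine in a stream configuration. Stream-level proxy_ssl_* settings are inherited by every server block that does not redefine them, and a server that must not present the shared client certificate cancels it with an empty string rather than pointing at another file. All paths, addresses and host names are hypothetical.

```nginx
# Added example: proxy_ssl_* inheritance in the stream module, and
# cancelling an inherited client certificate with "".
# All paths and addresses are hypothetical.
stream {
    # Set once at the stream level.  Servers that do not redefine any of
    # these inherit them, and can share the SSL context built from them
    # instead of each compiling its own.
    proxy_ssl                     on;
    proxy_ssl_protocols           TLSv1.2 TLSv1.3;
    proxy_ssl_verify              on;
    proxy_ssl_verify_depth        2;
    proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.pem;
    proxy_ssl_certificate         /etc/nginx/tls/client.pem;
    proxy_ssl_certificate_key     /etc/nginx/tls/client.key;

    upstream ldap_backend { server 10.0.0.10:636; }
    upstream mq_backend   { server 10.0.0.20:5671; }

    # Inherits everything above, including the mutual-TLS client
    # certificate.  proxy_ssl_name only sets SNI and the name that is
    # verified; it is not one of the context-level settings.
    server {
        listen         636;
        proxy_ssl_name ldap.internal.example;
        proxy_pass     ldap_backend;
    }

    # Same trust settings, but this upstream must not be shown the shared
    # client certificate.  An empty string cancels the inherited
    # proxy_ssl_certificate instead of being treated as a file name; the
    # key is cleared alongside it so nothing dangling is left behind.
    server {
        listen                    5671;
        proxy_ssl_name            mq.internal.example;
        proxy_ssl_certificate     "";
        proxy_ssl_certificate_key "";
        proxy_pass                mq_backend;
    }
}
```

Check the result with nginx -t and, on a test upstream, by inspecting the TLS handshake: the first server should send a Certificate message carrying client.pem, the second should send an empty certificate list (or none, depending on what the upstream requests). Before the empty-string change, the second server would have tried to open a file literally named "" and failed to start.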
<entry>
<title>HTTP/2: made it possible to flush response headers (ticket #1743).</title>
<updated>2022-02-02T22:44:38+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2022-02-02T22:44:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=a52433a04c58821fd95591e474d35995292f1090'/>
<id>a52433a04c58821fd95591e474d35995292f1090</id>
<content type='text'>
Response headers can be buffered in the SSL buffer.  But stream's fake
connection buffered flag did not reflect this, so any attempts to flush
the buffer without sending additional data were stopped by the write filter.

It does not seem to be possible to reflect this in fc-&gt;buffered though, as
we never know if the main connection's c-&gt;buffered corresponds to the particular
stream or not.  As such, fc-&gt;buffered might prevent request finalization
due to sending data on some other stream.

Fix is to implement handling of flush buffers when the c-&gt;need_flush_buf
flag is set, similarly to the existing last buffer handling.  The same
flag is now used for UDP sockets in the stream module instead of explicit
checking of c-&gt;type.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Response headers can be buffered in the SSL buffer.  But stream's fake
connection buffered flag did not reflect this, so any attempts to flush
the buffer without sending additional data were stopped by the write filter.

It does not seem to be possible to reflect this in fc-&gt;buffered though, as
we never know if the main connection's c-&gt;buffered corresponds to the particular
stream or not.  As such, fc-&gt;buffered might prevent request finalization
due to sending data on some other stream.

Fix is to implement handling of flush buffers when the c-&gt;need_flush_buf
flag is set, similarly to the existing last buffer handling.  The same
flag is now used for UDP sockets in the stream module instead of explicit
checking of c-&gt;type.
</pre>
</div>
</content>
</entry>
<entry>
<title>SSL: $ssl_curve (ticket #2135).</title>
<updated>2021-11-01T15:09:34+00:00</updated>
<author>
<name>Sergey Kandaurov</name>
<email>pluknet@nginx.com</email>
</author>
<published>2021-11-01T15:09:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=5c3249964403356601e64ab701f2e563a1f98630'/>
<id>5c3249964403356601e64ab701f2e563a1f98630</id>
<content type='text'>
The variable contains a negotiated curve used for the handshake key
exchange process.  Known curves are listed by their names, unknown
ones are shown in hex.

Note that for resumed sessions in TLSv1.2 and older protocols,
$ssl_curve contains the curve used during the initial handshake,
while in TLSv1.3 it contains the curve used during the session
resumption (see the SSL_get_negotiated_group manual page for
details).

The variable is only meaningful when using OpenSSL 3.0 and above.
With older versions the variable is empty.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The variable contains a negotiated curve used for the handshake key
exchange process.  Known curves are listed by their names, unknown
ones are shown in hex.

Note that for resumed sessions in TLSv1.2 and older protocols,
$ssl_curve contains the curve used during the initial handshake,
while in TLSv1.3 it contains the curve used during the session
resumption (see the SSL_get_negotiated_group manual page for
details).

The variable is only meaningful when using OpenSSL 3.0 and above.
With older versions the variable is empty.
</pre>
</div>
</content>
</entry>
<entry>
<title>Style: added missing "static" specifiers.</title>
<updated>2021-10-21T15:43:13+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2021-10-21T15:43:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=3ab1b64463cfc1cea5209f159d8fe3797328be51'/>
<id>3ab1b64463cfc1cea5209f159d8fe3797328be51</id>
<content type='text'>
Mostly found by gcc -Wtraditional, per "non-static declaration of ...
follows static declaration [-Wtraditional]" warnings.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Mostly found by gcc -Wtraditional, per "non-static declaration of ...
follows static declaration [-Wtraditional]" warnings.
</pre>
</div>
</content>
</entry>
<entry>
<title>Stream: the "ssl_alpn" directive.</title>
<updated>2021-10-19T09:19:59+00:00</updated>
<author>
<name>Vladimir Homutov</name>
<email>vl@nginx.com</email>
</author>
<published>2021-10-19T09:19:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=df472eecc043700275ecae2655206163c786f758'/>
<id>df472eecc043700275ecae2655206163c786f758</id>
<content type='text'>
The directive sets the server list of supported application protocols
and requires one of these protocols to be negotiated if the client is using
ALPN.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The directive sets the server list of supported application protocols
and requires one of these protocols to be negotiated if the client is using
ALPN.
</pre>
</div>
</content>
</entry>
<entry>
<title>SSL: added $ssl_alpn_protocol variable.</title>
<updated>2021-10-14T08:46:23+00:00</updated>
<author>
<name>Vladimir Homutov</name>
<email>vl@nginx.com</email>
</author>
<published>2021-10-14T08:46:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=a9f4f25b72c39653795dfb4b1f13b55625fb9fbc'/>
<id>a9f4f25b72c39653795dfb4b1f13b55625fb9fbc</id>
<content type='text'>
The variable contains the protocol selected by ALPN during the handshake and
is empty otherwise.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The variable contains the protocol selected by ALPN during the handshake and
is empty otherwise.
</pre>
</div>
</content>
</entry>
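Added example (not configuration from the nginx repository or its authors) covering the three SSL entries above together: a stream TLS terminator that uses "ssl_alpn" to admit only the application protocol it fronts, and logs what each client actually negotiated through $ssl_alpn_protocol and $ssl_curve. Paths, addresses and names are hypothetical; the "imap" ALPN identifier is the IANA-registered one.

```nginx
# Added example: restrict ALPN on a stream listener and log the negotiated
# protocol and key-exchange curve.  Paths, addresses and names are hypothetical.
stream {
    # $ssl_alpn_protocol is empty when the client sent no ALPN extension.
    # $ssl_curve is empty when nginx is built against OpenSSL older than 3.0,
    # and for resumed TLSv1.2 sessions it reports the curve of the original
    # handshake, not of the resumption.
    log_format tls '$remote_addr [$time_local] proto=$ssl_protocol '
                   'cipher=$ssl_cipher curve=$ssl_curve '
                   'alpn=$ssl_alpn_protocol sni=$ssl_server_name '
                   'upstream=$upstream_addr';

    upstream imap_backend { server 10.0.0.30:143; }

    server {
        listen              993 ssl;
        ssl_certificate     /etc/nginx/tls/mail.pem;
        ssl_certificate_key /etc/nginx/tls/mail.key;
        ssl_protocols       TLSv1.2 TLSv1.3;
        ssl_ecdh_curve      X25519:prime256v1;

        # A client that offers ALPN must offer "imap"; anything else (for
        # example an HTTP/2 client pointed at this port) fails the handshake
        # instead of being forwarded to the IMAP backend.  A client that
        # sends no ALPN at all is still accepted, so the log line is what
        # tells the two cases apart.
        ssl_alpn imap;

        access_log /var/log/nginx/imaps.log tls;
        proxy_pass imap_backend;
    }
}
```

To exercise it, connect once with an ALPN value that is not listed (for example with "openssl s_client -alpn h2") and once with none; the first should fail the handshake, the second should be logged with an empty alpn= field. With the X25519:prime256v1 list above, curve= in the log should only ever show one of those two names on OpenSSL 3.0 and later.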
<entry>
<title>Stream: added half-close support.</title>
<updated>2021-09-22T07:20:00+00:00</updated>
<author>
<name>Vladimir Homutov</name>
<email>vl@nginx.com</email>
</author>
<published>2021-09-22T07:20:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=e56ba23158b8466d108fd4d571bd7d9a88f2a473'/>
<id>e56ba23158b8466d108fd4d571bd7d9a88f2a473</id>
<content type='text'>
The "proxy_half_close" directive enables handling of TCP half close.  If
enabled, the connection to the proxied server is kept open until both read
ends get EOF.  Write end shutdown is properly transmitted via the proxy.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The "proxy_half_close" directive enables handling of TCP half close.  If
enabled, the connection to the proxied server is kept open until both read
ends get EOF.  Write end shutdown is properly transmitted via the proxy.
</pre>
</div>
</content>
</entry>
<entry>
<title>SSL: ciphers now set before loading certificates (ticket #2035).</title>
<updated>2021-08-16T19:40:31+00:00</updated>
<author>
<name>Maxim Dounin</name>
<email>mdounin@mdounin.ru</email>
</author>
<published>2021-08-16T19:40:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.sigsegv.uk/nginx.git/commit/?id=ce5996cdd1b2e150f645efbc337e5a681dbe241c'/>
<id>ce5996cdd1b2e150f645efbc337e5a681dbe241c</id>
<content type='text'>
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0.  This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
To load old/weak server or client certificates it might be needed to adjust
the security level, as introduced in OpenSSL 1.1.0.  This change ensures that
ciphers are set before loading the certificates, so security level changes
via the cipher string apply to certificate loading.
</pre>
</div>
</content>
</entry>
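Added example (not configuration from the nginx repository or its authors) of the situation the entry above fixes: nginx must present a client certificate issued by an old internal PKI, and the OpenSSL security level named in the cipher string is what makes that certificate loadable. It assumes a 1024-bit RSA client key, which security level 2 (the default on some distributions) rejects; paths, addresses and names are hypothetical.

```nginx
# Added example: a stream proxy that presents a legacy client certificate to
# one upstream.  Paths, addresses and names are hypothetical; the 1024-bit RSA
# key is an assumption used to illustrate a certificate the default security
# level refuses.
stream {
    upstream legacy_backend { server 10.0.0.40:8443; }

    server {
        listen 8443;

        proxy_ssl                     on;
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/nginx/tls/legacy-ca.pem;
        proxy_ssl_name                legacy.internal.example;

        # OpenSSL refuses to load a key below its security level's floor
        # ("ee key too small").  @SECLEVEL in the cipher string lowers that
        # floor, and with the change above the cipher string is applied
        # before the certificate is loaded, so this now takes effect at
        # startup instead of failing regardless of ordering.
        proxy_ssl_ciphers         "HIGH:!aNULL:!MD5:@SECLEVEL=0";
        proxy_ssl_certificate     /etc/nginx/tls/legacy-client.pem;
        proxy_ssl_certificate_key /etc/nginx/tls/legacy-client.key;

        proxy_pass legacy_backend;
    }
}
```

The caveat a reviewer should raise: @SECLEVEL=0 relaxes every size and algorithm check in this context, including verification of what legacy_backend presents, not just the one key. Keep it in a dedicated server block; because it redefines proxy_ssl_ciphers, that block gets its own SSL context under the inheritance rule described in the first entry on this page, so the lowered level does not leak into servers that inherit the stream-level proxy_ssl_* settings.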
</feed>
