nginx.git/src, branch release-1.13.7 nginx Fixed worker_shutdown_timeout in various cases. 2017-11-20T13:31:07+00:00 Maxim Dounin mdounin@mdounin.ru 2017-11-20T13:31:07+00:00 b32cb6b61079d2eff69c89e0e718a79258507717 The ngx_http_upstream_process_upgraded() did not handle c->close request, and upgraded connections do not use the write filter. As a result, worker_shutdown_timeout did not affect upgraded connections (ticket #1419). Fix is to handle c->close in the ngx_http_request_handler() function, thus covering most of the possible cases in http handling. Additionally, mail proxying did not handle neither c->close nor c->error, and thus worker_shutdown_timeout did not work for mail connections. Fix is to add c->close handling to ngx_mail_proxy_handler(). Also, added explicit handling of c->close to stream proxy, ngx_stream_proxy_process_connection(). This improves worker_shutdown_timeout handling in stream, it will no longer wait for some data being transferred in a connection before closing it, and will also provide appropriate logging at the "info" level. 
The ngx_http_upstream_process_upgraded() did not handle c->close request,
and upgraded connections do not use the write filter.  As a result,
worker_shutdown_timeout did not affect upgraded connections (ticket #1419).
Fix is to handle c->close in the ngx_http_request_handler() function, thus
covering most of the possible cases in http handling.

Additionally, mail proxying did not handle neither c->close nor c->error,
and thus worker_shutdown_timeout did not work for mail connections.  Fix is
to add c->close handling to ngx_mail_proxy_handler().

Also, added explicit handling of c->close to stream proxy,
ngx_stream_proxy_process_connection().  This improves worker_shutdown_timeout
handling in stream, it will no longer wait for some data being transferred
in a connection before closing it, and will also provide appropriate
logging at the "info" level.
Gzip: support for a zlib variant from Intel. 2017-11-18T01:03:27+00:00 Maxim Dounin mdounin@mdounin.ru 2017-11-18T01:03:27+00:00 f1c4853ea1a981073b067cd1356febd08b86f898 A zlib variant from Intel as available from https://github.com/jtkukunas/zlib uses 64K hash instead of scaling it from the specified memory level, and also uses 16-byte padding in one of the window-sized memory buffers, and can force window bits to 13 if compression level is set to 1 and appropriate compile options are used. As a result, nginx complained with "gzip filter failed to use preallocated memory" alerts. This change improves deflate_state allocation detection by testing that items is 1 (deflate_state is the only allocation where items is 1). Additionally, on first failure to use preallocated memory we now assume that we are working with the Intel's modified zlib, and switch to using appropriate preallocations. If this does not help, we complain with the usual alerts. Previous version of this patch was published at http://mailman.nginx.org/pipermail/nginx/2014-July/044568.html. The zlib variant in question is used by default in ClearLinux from Intel, see http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060421.html, http://mailman.nginx.org/pipermail/nginx-ru/2017-November/060544.html. 
A zlib variant from Intel as available from https://github.com/jtkukunas/zlib
uses 64K hash instead of scaling it from the specified memory level, and
also uses 16-byte padding in one of the window-sized memory buffers, and can
force window bits to 13 if compression level is set to 1 and appropriate
compile options are used.  As a result, nginx complained with "gzip filter
failed to use preallocated memory" alerts.

This change improves deflate_state allocation detection by testing that
items is 1 (deflate_state is the only allocation where items is 1).
Additionally, on first failure to use preallocated memory we now assume
that we are working with the Intel's modified zlib, and switch to using
appropriate preallocations.  If this does not help, we complain with the
usual alerts.

Previous version of this patch was published at
http://mailman.nginx.org/pipermail/nginx/2014-July/044568.html.
The zlib variant in question is used by default in ClearLinux from Intel,
see http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060421.html,
http://mailman.nginx.org/pipermail/nginx-ru/2017-November/060544.html.
Xslt: fixed parameters parsing (ticket #1416). 2017-11-16T10:20:47+00:00 Ruslan Ermilov ru@nginx.com 2017-11-16T10:20:47+00:00 cdbdbbd8423ab96c89c034d879b16b1a931eb38a If parameters were specified in xslt_stylesheet without variables, any request except the first would cause an internal server error. 
If parameters were specified in xslt_stylesheet without variables,
any request except the first would cause an internal server error.
SSI: fixed type. 2017-10-26T16:30:38+00:00 hucongcong hucong.c@foxmail.com 2017-10-26T16:30:38+00:00 d303a95594fdbca28b241e53d0346d5965cfd757 






FastCGI: adjust buffer position when parsing incomplete records.
2017-11-09T12:35:20+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-11-09T12:35:20+00:00

cfc8c28259b3fd59f2517ac4830a08e8a9925148

Previously, nginx failed to move buffer position when parsing an incomplete
record header, and due to this wasn't be able to continue parsing once
remaining bytes of the record header were received.

This can affect response header parsing, potentially generating spurious errors
like "upstream sent unexpected FastCGI request id high byte: 1 while reading
response header from upstream".  While this is very unlikely, since usually
record headers are written in a single buffer, this still can happen in real
life, for example, if a record header will be split across two TCP packets
and the second packet will be delayed.

This does not affect non-buffered response body proxying, due to "buf->pos =
buf->last;" at the start of the ngx_http_fastcgi_non_buffered_filter()
function.  Also this does not affect buffered response body proxying, as
each input buffer is only passed to the filter once.





Previously, nginx failed to move buffer position when parsing an incomplete
record header, and due to this wasn't be able to continue parsing once
remaining bytes of the record header were received.

This can affect response header parsing, potentially generating spurious errors
like "upstream sent unexpected FastCGI request id high byte: 1 while reading
response header from upstream".  While this is very unlikely, since usually
record headers are written in a single buffer, this still can happen in real
life, for example, if a record header will be split across two TCP packets
and the second packet will be delayed.

This does not affect non-buffered response body proxying, due to "buf->pos =
buf->last;" at the start of the ngx_http_fastcgi_non_buffered_filter()
function.  Also this does not affect buffered response body proxying, as
each input buffer is only passed to the filter once.







Core: free shared memory zones only after reconfiguration.
2017-10-17T16:52:16+00:00

Maxim Dounin
mdounin@mdounin.ru

2017-10-17T16:52:16+00:00

9cb9ce78b1d81ccdbcd123ccc3dab295b836a174

This is what usually happens for zones no longer used in the new
configuration, but zones where size or tag were changed were freed
when creating new memory zones.  If reconfiguration failed (for
example, due to a conflicting listening socket), this resulted in a
segmentation fault in the master process.

Reported by Zhihua Cao,
http://mailman.nginx.org/pipermail/nginx-devel/2017-October/010536.html.





This is what usually happens for zones no longer used in the new
configuration, but zones where size or tag were changed were freed
when creating new memory zones.  If reconfiguration failed (for
example, due to a conflicting listening socket), this resulted in a
segmentation fault in the master process.

Reported by Zhihua Cao,
http://mailman.nginx.org/pipermail/nginx-devel/2017-October/010536.html.







Postpone filter: handled ngx_http_postpone_filter_add() failures.
2017-10-16T10:13:25+00:00

Sergey Kandaurov
pluknet@nginx.com

2017-10-16T10:13:25+00:00

fdbf551602c3cca974d722ab36caeb191a19746c

In particular, if ngx_http_postpone_filter_add() fails in ngx_chain_add_copy(),
the output chain of the postponed request was left in an invalid state.





In particular, if ngx_http_postpone_filter_add() fails in ngx_chain_add_copy(),
the output chain of the postponed request was left in an invalid state.







Fixed type of ngx_conf_t.handler_conf.
2017-10-12T21:32:26+00:00

Ruslan Ermilov
ru@nginx.com

2017-10-12T21:32:26+00:00

77c7875a7b18ccca1ebae1757b9246c9b3b55bf9

The type should have been changed in c9b243802a17 along with
changing ngx_conf_handler_pt.





The type should have been changed in c9b243802a17 along with
changing ngx_conf_handler_pt.







SSL: include <openssl/hmac.h>.
2017-10-11T22:43:50+00:00

Alessandro Ghedini
alessandro@ghedini.me

2017-10-11T22:43:50+00:00

5fee8f76b529e38ec0ba6e7e81e26be3e3e85548

This header carries the definition of HMAC_Init_ex(). In OpenSSL this
header is included by <openssl/ssl.h>, but it's not so in BoringSSL.

It's probably a good idea to explicitly include this header anyway,
regardless of whether it's included by other headers or not.





This header carries the definition of HMAC_Init_ex(). In OpenSSL this
header is included by <openssl/ssl.h>, but it's not so in BoringSSL.

It's probably a good idea to explicitly include this header anyway,
regardless of whether it's included by other headers or not.







Upstream: disabled upgrading in subrequests.
2017-10-11T14:38:21+00:00

Roman Arutyunyan
arut@nginx.com

2017-10-11T14:38:21+00:00

80f2e8f656267251c7d053307b82a382f5bb7744

Upgrading an upstream connection is usually followed by reading from the client
which a subrequest is not allowed to do.  Moreover, accessing the header_in
request field while processing upgraded connection ends up with a null pointer
dereference since the header_in buffer is only created for the the main request.





Upgrading an upstream connection is usually followed by reading from the client
which a subrequest is not allowed to do.  Moreover, accessing the header_in
request field while processing upgraded connection ends up with a null pointer
dereference since the header_in buffer is only created for the the main request.