nginx.git/src, branch release-1.22.0 nginx Stable branch. 2022-05-23T23:55:29+00:00 Maxim Dounin mdounin@mdounin.ru 2022-05-23T23:55:29+00:00 81ef8fb34093b67552d15e0a8d7da5df2b44886b 






SSL: always renewing tickets with TLSv1.3 (ticket #1892).
2022-01-24T14:18:50+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-01-24T14:18:50+00:00

0a407d7df825689a47ecdea4ae4cd6b2a894cb53

Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation.  With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.

Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.





Chrome only uses TLS session tickets once with TLS 1.3, likely following
RFC 8446 Appendix C.4 recommendation.  With OpenSSL, this works fine with
built-in session tickets, since these are explicitly renewed in case of
TLS 1.3 on each session reuse, but results in only two connections being
reused after an initial handshake when using ssl_session_ticket_key.

Fix is to always renew TLS session tickets in case of TLS 1.3 when using
ssl_session_ticket_key, similarly to how it is done by OpenSSL internally.







Core: simplify reader lock release.
2022-01-20T01:37:34+00:00

Pavel Pautov
p.pautov@f5.com

2022-01-20T01:37:34+00:00

950390108cbb8431845635176c36466653b05487












SSL: free pkey on SSL_CTX_set0_tmp_dh_pkey() failure.
2022-01-17T14:05:12+00:00

Sergey Kandaurov
pluknet@nginx.com

2022-01-17T14:05:12+00:00

429150c1fa78317bdb19de380ce709651dbc042c

The behaviour was changed in OpenSSL 3.0.1:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bf17b7b





The behaviour was changed in OpenSSL 3.0.1:
https://git.openssl.org/?p=openssl.git;a=commitdiff;h=bf17b7b







Avoid sending "Connection: keep-alive" when shutting down.
2022-01-10T23:23:49+00:00

Maxim Dounin
mdounin@mdounin.ru

2022-01-10T23:23:49+00:00

22d4ff08bbe764997d157690e422d1077f543908

When a worker process is shutting down, keepalive is not used: this is checked
before the ngx_http_set_keepalive() call in ngx_http_finalize_connection().
Yet the "Connection: keep-alive" header was still sent, even if we know that
the worker process is shutting down, potentially resulting in additional
requests being sent to the connection which is going to be closed anyway.
While clients are expected to be able to handle asynchronous close events
(see ticket #1022), it is certainly possible to send the "Connection: close"
header instead, informing the client that the connection is going to be closed
and potentially saving some unneeded work.

With this change, we additionally check for worker process shutdown just
before sending response headers, and disable keepalive accordingly.





When a worker process is shutting down, keepalive is not used: this is checked
before the ngx_http_set_keepalive() call in ngx_http_finalize_connection().
Yet the "Connection: keep-alive" header was still sent, even if we know that
the worker process is shutting down, potentially resulting in additional
requests being sent to the connection which is going to be closed anyway.
While clients are expected to be able to handle asynchronous close events
(see ticket #1022), it is certainly possible to send the "Connection: close"
header instead, informing the client that the connection is going to be closed
and potentially saving some unneeded work.

With this change, we additionally check for worker process shutdown just
before sending response headers, and disable keepalive accordingly.







Events: fixed balancing between workers with EPOLLEXCLUSIVE.
2021-12-29T22:08:46+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-29T22:08:46+00:00

96c342e56035a9676180d03b4659d5b05b9c6b07

Linux with EPOLLEXCLUSIVE usually notifies only the process which was first
to add the listening socket to the epoll instance.  As a result most of the
connections are handled by the first worker process (ticket #2285).  To fix
this, we re-add the socket periodically, so other workers will get a chance
to accept connections.





Linux with EPOLLEXCLUSIVE usually notifies only the process which was first
to add the listening socket to the epoll instance.  As a result most of the
connections are handled by the first worker process (ticket #2285).  To fix
this, we re-add the socket periodically, so other workers will get a chance
to accept connections.







Version bump.
2021-12-29T19:59:53+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-29T19:59:53+00:00

614726621797f1267c41f8a8e488eeefff8bdf7f












Support for sendfile(SF_NOCACHE).
2021-12-27T16:49:26+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-27T16:49:26+00:00

1f01183b9e6658749934313fd72f7f16c1918b54

The SF_NOCACHE flag, introduced in FreeBSD 11 along with the new non-blocking
sendfile() implementation by glebius@, makes it possible to use sendfile()
along with the "directio" directive.





The SF_NOCACHE flag, introduced in FreeBSD 11 along with the new non-blocking
sendfile() implementation by glebius@, makes it possible to use sendfile()
along with the "directio" directive.







SSL: SSL_sendfile(SF_NODISKIO) support.
2021-12-27T16:48:42+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-27T16:48:42+00:00

2a00e6141f154d77a835e53b6527a1b3225f6f74












Simplified sendfile(SF_NODISKIO) usage.
2021-12-27T16:48:33+00:00

Maxim Dounin
mdounin@mdounin.ru

2021-12-27T16:48:33+00:00

20c35434ef8d185cc70e8d68ef4730ce08f8b7d6

Starting with FreeBSD 11, there is no need to use AIO operations to preload
data into cache for sendfile(SF_NODISKIO) to work.  Instead, sendfile()
handles non-blocking loading data from disk by itself.  It still can, however,
return EBUSY if a page is already being loaded (for example, by a different
process).  If this happens, we now post an event for the next event loop
iteration, so sendfile() is retried "after a short period", as manpage
recommends.

The limit of the number of EBUSY tolerated without any progress is preserved,
but now it does not result in an alert, since on an idle system event loop
iteration might be very short and EBUSY can happen many times in a row.
Instead, SF_NODISKIO is simply disabled for one call once the limit is
reached.

With this change, sendfile(SF_NODISKIO) is now used automatically as long as
sendfile() is enabled, and no longer requires "aio on;".





Starting with FreeBSD 11, there is no need to use AIO operations to preload
data into cache for sendfile(SF_NODISKIO) to work.  Instead, sendfile()
handles non-blocking loading data from disk by itself.  It still can, however,
return EBUSY if a page is already being loaded (for example, by a different
process).  If this happens, we now post an event for the next event loop
iteration, so sendfile() is retried "after a short period", as manpage
recommends.

The limit of the number of EBUSY tolerated without any progress is preserved,
but now it does not result in an alert, since on an idle system event loop
iteration might be very short and EBUSY can happen many times in a row.
Instead, SF_NODISKIO is simply disabled for one call once the limit is
reached.

With this change, sendfile(SF_NODISKIO) is now used automatically as long as
sendfile() is enabled, and no longer requires "aio on;".