nginx.git/src, branch release-1.23.1 nginx Events: fixed EPOLLRDHUP with FIONREAD (ticket #2367). 2022-07-15T12:19:32+00:00 Maxim Dounin mdounin@mdounin.ru 2022-07-15T12:19:32+00:00 39b84d7a52c2d367d6baba85521c3e7cd0271961 When reading exactly rev->available bytes, rev->available might become 0 after FIONREAD usage introduction in efd71d49bde0. On the next call of ngx_readv_chain() on systems with EPOLLRDHUP this resulted in return without any actions, that is, with rev->ready set, and this in turn resulted in no timers set in event pipe, leading to socket leaks. Fix is to reset rev->ready in ngx_readv_chain() when returning due to rev->available being 0 with EPOLLRDHUP, much like it is already done in ngx_unix_recv(). This ensures that if rev->available will become 0, on systems with EPOLLRDHUP support appropriate EPOLLRDHUP-specific handling will happen on the next ngx_readv_chain() call. While here, also synced ngx_readv_chain() to match ngx_unix_recv() and reset rev->ready when returning due to rev->available being 0 with kqueue. This is mostly cosmetic change, as rev->ready is anyway reset when rev->available is set to 0. 
When reading exactly rev->available bytes, rev->available might become 0
after FIONREAD usage introduction in efd71d49bde0.  On the next call of
ngx_readv_chain() on systems with EPOLLRDHUP this resulted in return without
any actions, that is, with rev->ready set, and this in turn resulted in no
timers set in event pipe, leading to socket leaks.

Fix is to reset rev->ready in ngx_readv_chain() when returning due to
rev->available being 0 with EPOLLRDHUP, much like it is already done in
ngx_unix_recv().  This ensures that if rev->available will become 0, on
systems with EPOLLRDHUP support appropriate EPOLLRDHUP-specific handling
will happen on the next ngx_readv_chain() call.

While here, also synced ngx_readv_chain() to match ngx_unix_recv() and
reset rev->ready when returning due to rev->available being 0 with kqueue.
This is mostly cosmetic change, as rev->ready is anyway reset when
rev->available is set to 0.
Range filter: clearing of pre-existing Content-Range headers. 2022-07-15T04:01:44+00:00 Maxim Dounin mdounin@mdounin.ru 2022-07-15T04:01:44+00:00 f35475c083d4cfe56647b66387b60c55e25c27d0 Some servers might emit Content-Range header on 200 responses, and this does not seem to contradict RFC 9110: as per RFC 9110, the Content-Range header has no meaning for status codes other than 206 and 416. Previously this resulted in duplicate Content-Range headers in nginx responses handled by the range filter. Fix is to clear pre-existing headers. 
Some servers might emit Content-Range header on 200 responses, and this
does not seem to contradict RFC 9110: as per RFC 9110, the Content-Range
header has no meaning for status codes other than 206 and 416.  Previously
this resulted in duplicate Content-Range headers in nginx responses handled
by the range filter.  Fix is to clear pre-existing headers.
Resolver: fixed memory leak for the "ipv4=off" case. 2022-07-14T17:26:54+00:00 Sergey Kandaurov pluknet@nginx.com 2022-07-14T17:26:54+00:00 14341ce2377d38a268261e0fec65b6915ae6e95e This change partially reverts 2a77754cd9fe to properly free rn->query. Found by Coverity (CID 1507244). 
This change partially reverts 2a77754cd9fe to properly free rn->query.

Found by Coverity (CID 1507244).
The "ipv4=" parameter of the "resolver" directive. 2022-07-12T17:44:02+00:00 Ruslan Ermilov ru@nginx.com 2022-07-12T17:44:02+00:00 5178da4f94fbae1daec2800bc7fd74cd2923c5bd When set to "off", only IPv6 addresses will be resolved, and no A queries are ever sent (ticket #2196). 
When set to "off", only IPv6 addresses will be resolved, and no
A queries are ever sent (ticket #2196).
SSL: logging levels of various errors added in OpenSSL 1.1.1. 2022-07-12T12:55:22+00:00 Maxim Dounin mdounin@mdounin.ru 2022-07-12T12:55:22+00:00 ea46b22dfb56137afc7463bc0383e52ff27c7905 Starting with OpenSSL 1.1.1, various additional errors can be reported by OpenSSL in case of client-related issues, most notably during TLSv1.3 handshakes. In particular, SSL_R_BAD_KEY_SHARE ("bad key share"), SSL_R_BAD_EXTENSION ("bad extension"), SSL_R_BAD_CIPHER ("bad cipher"), SSL_R_BAD_ECPOINT ("bad ecpoint"). These are now logged at the "info" level. 
Starting with OpenSSL 1.1.1, various additional errors can be reported
by OpenSSL in case of client-related issues, most notably during TLSv1.3
handshakes.  In particular, SSL_R_BAD_KEY_SHARE ("bad key share"),
SSL_R_BAD_EXTENSION ("bad extension"), SSL_R_BAD_CIPHER ("bad cipher"),
SSL_R_BAD_ECPOINT ("bad ecpoint").  These are now logged at the "info"
level.
Upstream: optimized use of SSL contexts (ticket #1234). 2022-06-28T23:47:45+00:00 Maxim Dounin mdounin@mdounin.ru 2022-06-28T23:47:45+00:00 d791b4aab418b0cbadbaf079fbb9360269d97941 To ensure optimal use of memory, SSL contexts for proxying are now inherited from previous levels as long as relevant proxy_ssl_* directives are not redefined. Further, when no proxy_ssl_* directives are redefined in a server block, we now preserve plcf->upstream.ssl in the "http" section configuration to inherit it to all servers. Similar changes made in uwsgi, grpc, and stream proxy. 
To ensure optimal use of memory, SSL contexts for proxying are now
inherited from previous levels as long as relevant proxy_ssl_* directives
are not redefined.

Further, when no proxy_ssl_* directives are redefined in a server block,
we now preserve plcf->upstream.ssl in the "http" section configuration
to inherit it to all servers.

Similar changes made in uwsgi, grpc, and stream proxy.
Version bump. 2022-06-28T23:47:38+00:00 Maxim Dounin mdounin@mdounin.ru 2022-06-28T23:47:38+00:00 225a2c1b4a83d5813140a474716de8c33a9bbc2d 






Perl: removed unused variables, forgotten in ef6a3a99a81a.
2022-06-14T06:39:58+00:00

Sergey Kandaurov
pluknet@nginx.com

2022-06-14T06:39:58+00:00

21506a2f851c9dbff4bee67fe5b6d199c83c799a












Resolver: make TCP write timer event cancelable.
2022-06-02T03:17:23+00:00

Aleksei Bavshin
a.bavshin@f5.com

2022-06-02T03:17:23+00:00

f2fcc03d3aa6f0e0a457a994dbc743b5b63ad035

Similar to 70e65bf8dfd7, the change is made to ensure that the ability to
cancel resolver tasks is fully controlled by the caller.  As mentioned in the
referenced commit, it is safe to make this timer cancelable because resolve
tasks can have their own timeouts that are not cancelable.

The scenario where this may become a problem is a periodic background resolve
task (not tied to a specific request or a client connection), which receives a
response with short TTL, large enough to warrant fallback to a TCP query.
With each event loop wakeup, we either have a previously set write timer
instance or schedule a new one.  The non-cancelable write timer can delay or
block graceful shutdown of a worker even if the ngx_resolver_ctx_t->cancelable
flag is set by the API user, and there are no other tasks or connections.

We use the resolver API in this way to maintain the list of upstream server
addresses specified with the 'resolve' parameter, and there could be third-party
modules implementing similar logic.





Similar to 70e65bf8dfd7, the change is made to ensure that the ability to
cancel resolver tasks is fully controlled by the caller.  As mentioned in the
referenced commit, it is safe to make this timer cancelable because resolve
tasks can have their own timeouts that are not cancelable.

The scenario where this may become a problem is a periodic background resolve
task (not tied to a specific request or a client connection), which receives a
response with short TTL, large enough to warrant fallback to a TCP query.
With each event loop wakeup, we either have a previously set write timer
instance or schedule a new one.  The non-cancelable write timer can delay or
block graceful shutdown of a worker even if the ngx_resolver_ctx_t->cancelable
flag is set by the API user, and there are no other tasks or connections.

We use the resolver API in this way to maintain the list of upstream server
addresses specified with the 'resolve' parameter, and there could be third-party
modules implementing similar logic.







Stream: don't flush empty buffers created for read errors.
2022-05-23T18:29:44+00:00

Aleksei Bavshin
a.bavshin@f5.com

2022-05-23T18:29:44+00:00

d7994be44592f0ce9c240406b13020cdc377a9f0

When we generate the last_buf buffer for an UDP upstream recv error, it does
not contain any data from the wire. ngx_stream_write_filter attempts to forward
it anyways, which is incorrect (e.g., UDP upstream ECONNREFUSED will be
translated to an empty packet).

This happens because we mark the buffer as both 'flush' and 'last_buf', and
ngx_stream_write_filter has special handling for flush with certain types of
connections (see d127837c714f, 32b0ba4855a6).  The flags are meant to be
mutually exclusive, so the fix is to ensure that flush and last_buf are not set
at the same time.

Reproduction:

stream {
    upstream unreachable {
        server     127.0.0.1:8880;
    }
    server {
        listen     127.0.0.1:8998 udp;
        proxy_pass unreachable;
    }
}

1 0.000000000    127.0.0.1 → 127.0.0.1    UDP 47 45588 → 8998 Len=5
2 0.000166300    127.0.0.1 → 127.0.0.1    UDP 47 51149 → 8880 Len=5
3 0.000172600    127.0.0.1 → 127.0.0.1    ICMP 75 Destination unreachable (Port
unreachable)
4 0.000202400    127.0.0.1 → 127.0.0.1    UDP 42 8998 → 45588 Len=0

Fixes d127837c714f.





When we generate the last_buf buffer for an UDP upstream recv error, it does
not contain any data from the wire. ngx_stream_write_filter attempts to forward
it anyways, which is incorrect (e.g., UDP upstream ECONNREFUSED will be
translated to an empty packet).

This happens because we mark the buffer as both 'flush' and 'last_buf', and
ngx_stream_write_filter has special handling for flush with certain types of
connections (see d127837c714f, 32b0ba4855a6).  The flags are meant to be
mutually exclusive, so the fix is to ensure that flush and last_buf are not set
at the same time.

Reproduction:

stream {
    upstream unreachable {
        server     127.0.0.1:8880;
    }
    server {
        listen     127.0.0.1:8998 udp;
        proxy_pass unreachable;
    }
}

1 0.000000000    127.0.0.1 → 127.0.0.1    UDP 47 45588 → 8998 Len=5
2 0.000166300    127.0.0.1 → 127.0.0.1    UDP 47 51149 → 8880 Len=5
3 0.000172600    127.0.0.1 → 127.0.0.1    ICMP 75 Destination unreachable (Port
unreachable)
4 0.000202400    127.0.0.1 → 127.0.0.1    UDP 42 8998 → 45588 Len=0

Fixes d127837c714f.