| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
No functional changes.
|
|
|
|
|
|
This adds support so it's possible to explicitly disable SSL Session
Tickets. In order to have good Forward Secrecy support either the
session ticket key has to be reloaded by using nginx' binary upgrade
process or using an external key file and reloading the configuration.
This directive adds another possibility to have good support by
disabling session tickets altogether.
If session tickets are enabled and the process lives for a long a time,
an attacker can grab the session ticket from the process and use that to
decrypt any traffic that occured during the entire lifetime of the
process.
|
|
If a request had an empty request body (with Content-Length: 0), and there
were preread data available (e.g., due to a pipelined request in the buffer),
the "zero size buf in output" alert might be logged while proxying the
request to an upstream.
Similar alerts appeared with client_body_in_file_only if a request had an
empty request body.
|
|
Not really a strict check (as X-Accel-Expires might be ignored or
contain invalid value), but quite simple to implement and better
than what we have now.
|
|
Fallback to synchronous sendfile() now only done on 3rd EBUSY without
any progress in a row. Not falling back is believed to be better
in case of occasional EBUSY, though protection is still needed to
make sure there will be no infinite loop.
|
|
This fixes content type set in stub_status and autoindex responses
to be usable in content type checks made by filter modules, such
as charset and sub filters.
|
|
|
|
There is no need to pass FLAG_FIN as a separate argument since it can always be
detected from the last_buf flag of the last frame buffer.
No functional changes.
|
|
No functional changes.
|
|
Processing events from upstream connection can result in sending queued frames
from other streams. In this case such streams were not added to handling queue
and properly handled.
A global per connection flag was replaced by a per stream flag that indicates
currently sending stream while all other streams can be added to handling
queue.
|
|
|
|
This fixes handling of escaped URIs in X-Accel-Redirect (ticket #316),
SSI (ticket #240), and DAV.
|
|
The following URIs were considered safe: "..", "../foo", and "/foo/..".
|
|
When processing the X-Accel-Redirect header, the value of the
$upstream_http_x_accel_redirect variable was also overwritten.
|
|
|
|
Conditions for skipping ineligible peers are rewritten to make adding of new
conditions simpler and be in line with the "round_robin" and "least_conn"
modules. No functional changes.
|
|
No functional changes.
|
|
|
|
|
|
|
|
No functional changes.
|
|
This flag in SPDY fake write events serves the same purposes as the "ready"
flag in real events, and it must be dropped if request needs to be handled.
Otherwise, it can prevent the request from finalization if ngx_http_writer()
was set, which results in a connection leak.
Found by Xiaochen Wang.
|
|
When evaluating $local_port, $server_port, and $server_addr,
UNIX-domain sockets were mistakenly interpreted as IPv4 sockets.
|
|
Found by Coverity Scan CID 1135525.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
|
|
|
|
Based on patch by Roberto De Ioris.
|
|
---
auto/unix | 12 ++++++++++++
src/core/ngx_connection.c | 32 ++++++++++++++++++++++++++++++++
src/core/ngx_connection.h | 4 ++++
src/http/ngx_http.c | 4 ++++
src/http/ngx_http_core_module.c | 21 +++++++++++++++++++++
src/http/ngx_http_core_module.h | 3 +++
6 files changed, 76 insertions(+)
|
|
|
|
Changed initialization order of the peer structure in one of the
cases to be in line with the rest.
No functional changes.
|
|
|
|
Notably this fixes HTTP_IF_MODIFIED_SINCE which was always sent with
cache enabled in fastcgi/scgi/uwsgi after 43ccaf8e8728.
|
|
|
|
The following new directives are introduced: proxy_cache_revalidate,
fastcgi_cache_revalidate, scgi_cache_revalidate, uwsgi_cache_revalidate.
Default is off. When set to on, they enable cache revalidation using
conditional requests with If-Modified-Since for expired cache items.
As of now, no attempts are made to merge headers given in a 304 response
during cache revalidation with headers previously stored in a cache item.
Headers in a 304 response are only used to calculate new validity time
of a cache item.
|
|
We should just call post_handler() when subrequest wants to read body, like
it happens for HTTP since rev. f458156fd46a. An attempt to init request body
for subrequests results in hang if the body was not already read.
|
|
With previous code, an empty (malformed) response resulted in a request
finalized without sending anything to a client.
|
|
Errors can easily happen due to broken upstream responses, there is no
need to log them at "alert" level.
|
|
There is no need to allocate memory for "Last-Modified: " string,
the variable only contains date itself.
|
|
This isn't an exceptional condition and normally happens on
first request from a client.
|
|
|
|
|
|
The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.
The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).
Patch by Jan Marc Hoffmann.
|
|
Much like with other headers, "add_header Cache-Control $value;" no longer
results in anything added to response headers if $value evaluates to an
empty string.
|
|
|
|
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.
ssl_session_ticket_key session_tickets/current.key;
ssl_session_ticket_key session_tickets/prev-1h.key;
ssl_session_ticket_key session_tickets/prev-2h.key;
Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
|
|
Previously arguments starting with "nodelay" were considered valid,
e.g. "limit_req ... nodelayFOO;".
|
|
Previously arguments starting with "down" or "backup" were considered
valid, e.g. "server ... downFOO;".
|
|
The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9).
The variable ngx_accept_mutex_lock_file was never used.
|
|
With this change all such frames will be added in front of the output queue, and
will be sent first. It prevents HOL blocking when response with higher priority
is blocked by response with lower priority in the middle of the queue because
the order of their SYN_REPLY frames cannot be changed.
Proposed by Yury Kirpichev.
|
