| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
It's properly aligned and can hold any supported sockaddr.
|
|
The 6f8254ae61b8 change inadvertently fixed the duplicate port
detection similar to how it was fixed for mail in b2920b517490.
It also revealed another issue: the socket type (tcp vs. udp)
wasn't taken into account.
|
|
|
|
OpenSSL 1.0.2+ allows configuring a curve list instead of a single curve
previously supported. This allows use of different curves depending on
what client supports (as available via the elliptic_curves extension),
and also allows use of different curves in an ECDHE key exchange and
in the ECDSA certificate.
The special value "auto" was introduced (now the default for ssl_ecdh_curve),
which means "use an internal list of curves as available in the OpenSSL
library used". For versions prior to OpenSSL 1.0.2 it maps to "prime256v1"
as previously used. The default in 1.0.2b+ prefers prime256v1 as well
(and X25519 in OpenSSL 1.1.0+).
As client vs. server preference of curves is controlled by the
same option as used for ciphers (SSL_OP_CIPHER_SERVER_PREFERENCE),
the ssl_prefer_server_ciphers directive now controls both.
|
|
|
|
This parameter lets binding the proxy connection to a non-local address.
Upstream will see the connection as coming from that address.
When used with $remote_addr, upstream will accept the connection from real
client address.
Example:
proxy_bind $remote_addr transparent;
|
|
|
|
OpenSSL removed support for all 40 and 56 bit ciphers.
|
|
|
|
|
|
|
|
This is a clone of http commit 26c127bab5ef.
|
|
|
|
The main proxy function ngx_stream_proxy_process() can terminate the stream
session. The code, following it, should check its return code to make sure the
session still exists. This happens in client and upstream initialization
functions. Swapping ngx_stream_proxy_process() call with the code, that
follows it, leaves the same problem vice versa.
In future ngx_stream_proxy_process() will call ngx_stream_proxy_next_upstream()
making it too complicated to know if stream session still exists after this
call.
Now ngx_stream_proxy_process() is called from posted event handlers in both
places with no code following it. The posted event is automatically removed
once session is terminated.
|
|
|
|
|
|
|
|
|
|
The timer remained active and could drop active SSL connection.
|
|
Resolved warnings about declarations that hide previous local declarations.
Warnings about WSASocketA() being deprecated resolved by explicit use of
WSASocketW() instead of WSASocket(). When compiling without IPv6 support,
WinSock deprecated warnings are disabled to allow use of gethostbyname().
|
|
Found by Duan Jiong <djduanjiong@gmail.com>.
|
|
|
|
|
|
The directive proxy_buffer_size should be used instead.
|
|
|
|
Both download and upload buffers now have the same size. The old directives
proxy_downstream_buffer and proxy_upstream_buffer are removed.
|
|
|
|
The directive proxy_downstream_limit_rate is now called proxy_upload_rate.
The directive proxy_upstream_limit_rate is now called proxy_download_rate.
|
|
|
|
Thanks to itpp2012.
|
|
Once upstream is connected, the upstream buffer is allocated. Previously, the
proxy module used the buffer allocation status to check if upstream is
connected. Now it's enough to check the flag.
|
|
|
|
|
|
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
|
|
|
|
stream {
limit_conn_zone $binary_remote_addr zone=perip:1m;
limit_conn_log_level error;
server {
...
limit_conn perip 1;
}
}
|
|
Such configurations have very limited use, introduce various problems and
are not officially supported.
|
|
The new directive "proxy_protocol" toggles sending out PROXY protocol header
to upstream once connection is established.
|
|
|
|
stream {
server {
...
allow 127.0.0.1;
deny all;
}
}
|
|
|
|
|
|
|
|
|
|
|
|
This can be useful to understand why "no live upstreams" happens,
in particular.
|
|
When configured, an individual listen socket on a given address is
created for each worker process. This allows to reduce in-kernel lock
contention on configurations with high accept rates, resulting in better
performance. As of now it works on Linux and DragonFly BSD.
Note that on Linux incoming connection requests are currently tied up
to a specific listen socket, and if some sockets are closed, connection
requests will be reset, see https://lwn.net/Articles/542629/. With
nginx, this may happen if the number of worker processes is reduced.
There is no such problem on DragonFly BSD.
Based on previous work by Sepherosa Ziehau and Yingqi Lu.
|
|
There is no need to set "i" to 0, as it's expected to be 0 assuming
the bindings are properly sorted, and we already rely on this when
explicitly set hport->naddrs to 1. Remaining conditional code is
replaced with identical "hport->naddrs = i + 1".
Identical modifications are done in the mail and stream modules,
in the ngx_mail_optimize_servers() and ngx_stream_optimize_servers()
functions, respectively.
No functional changes.
|
|
|
