| Age | Commit message | Author | Files | Lines |
|
The directive allows specifying additional trusted Certificate Authority
certificates to be used during certificate verification. In contrast to
ssl_client_certificate, DNs of these certificates aren't sent to a client
during handshake.
Trusted certificates are loaded regardless of the fact whether client
certificates verification is enabled as the same certificates will be
used for OCSP stapling, during construction of an OCSP request and for
verification of an OCSP response.
The same applies to a CRL (which is now always loaded).
|
|
This ensures balancing when working with dynamically resolved upstream
servers with multiple addresses.
Based on patch by Anton Jouline.
|
|
Found by Coverity.
|
|
The SSL_COMP_get_compression_methods() is only available as an API
function in OpenSSL 0.9.8+, require it explicitly to unbreak build
with OpenSSL 0.9.7.
|
|
Previous code used sk_SSL_COMP_delete(ssl_comp_methods, i) while iterating
stack from 0 to n, resulting in removal of only even compression methods.
In real life this change is a nop, as there is only one compression method
which is enabled by default in OpenSSL.
|
|
This fixes unwanted/incorrect cpu_affinity use on dead worker processes
respawn. While this is not ideal, it's expected to be better than the previous
situation where multiple processes were spawned with identical CPU affinity
set.
Reported by Charles Chen.
|
|
With "always" gzip static returns gzipped content in all cases, without
checking if client supports it. It is useful if there are no uncompressed
files on disk anyway.
|
|
This directive allows testing the desired flag as returned by memcached and
sets Content-Encoding to gzip if one is found.
This is a reimplementation of the patch by Tomash Brechko as available on
http://openhack.ru/. It should be a bit more correct though (at least
I think so). In particular, it doesn't try to detect if we are able to
gunzip data, but instead just sets correct Content-Encoding.
|
|
Noted by Gabor Lekeny.
|
|
The rbtree used in ngx_http_limit_req_module has two levels of keys, the top is
the hash, and the next is the value string itself. However, when inserting a new
node, only the hash has been set, while the value string has been left empty.
The bug was introduced in r4419 (1.1.14).
Found by Charles Chen.
|
|
(closes #201).
|
|
The "include" directive should be able to include multiple files if
given a filename mask. Fixed this to work for "include" directives
inside the "map" or "types" blocks. The "include" directive inside
the "geo" block is still not fixed.
|
|
The preallocation size was calculated incorrectly and was always 8 due to
sizeof(ngx_radix_tree_t) accidentally used instead of sizeof(ngx_radix_node_t).
|
|
Found by Coverity.
|
|
This makes AF_UNIX addresses in mail officially supported.
|
|
IPv6 client connections in mail modules have been supported since r2856.
|
|
For http module this problem was already fixed in r4756.
|
|
The bug had appeared in 0.8.43 (r3653). Patch by Weibin Yao.
|
|
Found by Coverity.
|
|
Previous code incorrectly used ctx->var_values as an array of pointers to
ngx_http_variable_value_t, but the array contains structures, not pointers.
Additionally, ctx->var_values inspection failed to properly set var on
match.
|
|
override the already set "protocol".
|
|
Found by Coverity.
|
|
We don't have a strong reason to inform about any errors
reported by the close() call here, and there are no other things
to do with its return value.
Prodded by Coverity.
|
|
The only thing we could potentially do here in case of error
returned is to complain to error log, but we don't have log
structure available here due to interface limitations.
Prodded by Coverity.
|
|
Found by Coverity.
|
|
Ensure that the path supplied always ends with a `/' except when empty.
An empty value now corresponds to the current directory instead of `/'.
|
|
If ngx_time_sigsafe_update() updated only ngx_cached_err_log_time, and
then clock was adjusted backwards, the cached_time[slot].sec might
accidentally match current seconds on next ngx_time_update() call,
resulting in various cached times not being updated.
The fix is to clear the cached_time[slot].sec to explicitly mark that cached
times are stale and need updating.
|
|
This fixes warning produced during compilation of the ngx_http_geoip_module
due to const qualifier being discarded.
|
|
It is available via winetricks which makes it still usable, and has
an old crtdefs.h which uses _CRT_SECURE_NO_DEPRECATE instead of
_CRT_SECURE_NO_WARNINGS to suppress warnings.
Reported by HAYASHI Kentaro,
http://mailman.nginx.org/pipermail/nginx-devel/2012-August/002542.html
|
|
There is a general consensus that this change results in better
consistency between different operating systems and differently
tuned operating systems.
Note: this changes the width and meaning of the ipv6only field
of the ngx_listening_t structure. 3rd party modules that create
their own listening sockets might need fixing.
|
|
found.
|
|
Hide headers and pass headers arrays might not be inherited correctly
into a nested location, e.g. in configuration like
    server {
        proxy_hide_header X-Foo;
        location / {
            location /nested/ {
                proxy_pass_header X-Pad;
            }
        }
    }
the X-Foo header wasn't hidden in the location /nested/.
Reported by Konstantin Svist,
http://mailman.nginx.org/pipermail/nginx-ru/2012-July/047555.html
|
|
known to be constant with the constant value.
|
|
resolved address was used. Now all addresses will be used.
|
|
|