| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
When set to "off", only IPv4 addresses will be resolved,
and no AAAA queries are ever sent.
|
|
|
|
|
|
|
|
|
|
It's also extended with the "cmp_port" argument to indicate
whether ports should be compared as well, or only addresses.
|
|
Verify that class of RR is "IN".
Verify that RR data length is non-zero.
|
|
Verify that class of RR is "IN".
Verify that RR data length is exactly four octets.
Correctly shift to the next RR if RR type is unknown.
|
|
Stricten response header checks: ensure that reserved bits are zeroes,
and that the opcode is "standard query".
Fixed the "zero-length domain name in DNS response" condition.
|
|
|
|
Renamed ngx_resolver_query_t to ngx_resolver_hdr_t as it describes
the header that is common to DNS queries and answers.
Replaced the magic number 12 by the size of the header structure.
The other changes are self-explanatory.
|
|
|
|
No functional changes.
|
|
This flag in SPDY fake write events serves the same purposes as the "ready"
flag in real events, and it must be dropped if request needs to be handled.
Otherwise, it can prevent the request from finalization if ngx_http_writer()
was set, which results in a connection leak.
Found by Xiaochen Wang.
|
|
When evaluating $local_port, $server_port, and $server_addr,
UNIX-domain sockets were mistakenly interpreted as IPv4 sockets.
|
|
|
|
Found by Coverity Scan CID 1135525.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
|
|
|
|
Based on patch by Roberto De Ioris.
|
|
---
auto/unix | 12 ++++++++++++
src/core/ngx_connection.c | 32 ++++++++++++++++++++++++++++++++
src/core/ngx_connection.h | 4 ++++
src/http/ngx_http.c | 4 ++++
src/http/ngx_http_core_module.c | 21 +++++++++++++++++++++
src/http/ngx_http_core_module.h | 3 +++
6 files changed, 76 insertions(+)
|
|
|
|
Changed initialization order of the peer structure in one of the
cases to be in line with the rest.
No functional changes.
|
|
|
|
Init process callbacks are called by ngx_worker_thread(), there is no
need to call them in ngx_single_process_cycle().
|
|
Notably this fixes HTTP_IF_MODIFIED_SINCE which was always sent with
cache enabled in fastcgi/scgi/uwsgi after 43ccaf8e8728.
|
|
If c->read->ready was reset, but later some data were read from a socket
buffer due to a call to ngx_ssl_recv(), the c->read->ready flag should
be restored if not all data were read from OpenSSL buffers (as kernel
won't notify us about the data anymore).
More details are available here:
http://mailman.nginx.org/pipermail/nginx/2013-November/041178.html
|
|
|
|
|
|
The following new directives are introduced: proxy_cache_revalidate,
fastcgi_cache_revalidate, scgi_cache_revalidate, uwsgi_cache_revalidate.
Default is off. When set to on, they enable cache revalidation using
conditional requests with If-Modified-Since for expired cache items.
As of now, no attempts are made to merge headers given in a 304 response
during cache revalidation with headers previously stored in a cache item.
Headers in a 304 response are only used to calculate new validity time
of a cache item.
|
|
We should just call post_handler() when subrequest wants to read body, like
it happens for HTTP since rev. f458156fd46a. An attempt to init request body
for subrequests results in hang if the body was not already read.
|
|
|
|
With previous code, an empty (malformed) response resulted in a request
finalized without sending anything to a client.
|
|
Errors can easily happen due to broken upstream responses, there is no
need to log them at "alert" level.
|
|
There is no need to allocate memory for "Last-Modified: " string,
the variable only contains date itself.
|
|
This isn't an exceptional condition and normally happens on
first request from a client.
|
|
|
|
Recent Linux versions started to return EOPNOTSUPP to getsockopt() calls
on unix sockets, resulting in log pollution on binary upgrade. Such errors
are silently ignored now.
|
|
The accept_filter and deferred options were not applied to sockets
that were added to configuration during binary upgrade cycle.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
|
|
|
|
The 403 (Forbidden) should not overwrite 401 (Unauthorized) as the
latter should be returned with the WWW-Authenticate header to request
authentication by a client.
The problem could be triggered with 3rd party modules and the "deny"
directive, or with auth_basic and auth_request which returns 403
(in 1.5.4+).
Patch by Jan Marc Hoffmann.
|
|
Much like with other headers, "add_header Cache-Control $value;" no longer
results in anything added to response headers if $value evaluates to an
empty string.
|
|
|
|
In order to support key rollover, ssl_session_ticket_key can be defined
multiple times. The first key will be used to issue and resume Session
Tickets, while the rest will be used only to resume them.
ssl_session_ticket_key session_tickets/current.key;
ssl_session_ticket_key session_tickets/prev-1h.key;
ssl_session_ticket_key session_tickets/prev-2h.key;
Please note that nginx supports Session Tickets even without explicit
configuration of the keys and this feature should be only used in setups
where SSL traffic is distributed across multiple nginx servers.
Signed-off-by: Piotr Sikora <piotr@cloudflare.com>
|
|
The timeout set is used by OpenSSL as a hint for clients in TLS Session
Tickets. Previous code resulted in a default timeout (5m) used for TLS
Sessions Tickets if there was no session cache configured.
Prodded by Piotr Sikora.
|
|
SSL_get_rbio() and SSL_get_wbio() functions used to get non-const pointer
in OpenSSL 0.9.7, hence an explicit cast added to drop const qualifier.
|
|
Previously arguments starting with "nodelay" were considered valid,
e.g. "limit_req ... nodelayFOO;".
|
|
Previously arguments starting with "down" or "backup" were considered
valid, e.g. "server ... downFOO;".
|
|
The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9).
The variable ngx_accept_mutex_lock_file was never used.
|
|
|
