unit.git/src, branch 1.25.0-1 Universal Web Application Server Added TLS session tickets support. 2021-08-17T23:52:32+00:00 Andrey Suvorov a.suvorov@f5.com 2021-08-17T23:52:32+00:00 e0aa132172f03fe7c31484ce7d301813b5dacb89 






Introduced the generic API nxt_buf_dummy_completion().
2021-08-12T09:39:00+00:00

Zhidao HONG
z.hong@f5.com

2021-08-12T09:39:00+00:00

48a9399f23b9aaa2c9e5deb8013c58313e76740e

No functional changes.





No functional changes.







Log: renamed related variables "log" as "_log" to prevent conflicts.
2021-08-12T09:41:21+00:00

Zhidao HONG
z.hong@f5.com

2021-08-12T09:41:21+00:00

598f1493f6cbcd2a680b4f01ca7490e06092f5e2












Router: client IP address replacement.
2021-08-12T08:23:16+00:00

Oisin Canty
o.canty@f5.com

2021-08-12T08:23:16+00:00

ca373aaccd276fb412e59557a3971a8d06ada0f8

This commit introduces the replacement of the client address based on the value
of a specified HTTP header.  This is intended for use when Unit is placed
behind a reverse proxy like nginx or a CDN.

You must specify the source addresses of the trusted proxies.  This can be
accomplished with any valid IP pattern supported by Unit's match block:

["10.0.0.1", "10.4.0.0/16", "!192.168.1.1"]

The feature is configured per listener.

The client address replacement functionality only operates when there is a
source IP match and the specified header is present.  Typically this would be
an 'X-Forwarded-For' header.

{
    "listeners": {
        "127.0.0.1:8080": {
            "client_ip": {
                "header": "X-Forwarded-For",
                "source": [
                    "10.0.0.0/8"
                ]
            },
            "pass": "applications/my_app"
        },
    }
}

If a request occurs and Unit receives a header like below:

"X-Forwarded-For: 84.123.23.23"

By default, Unit trusts the last rightmost IP in the header, so REMOTE_ADDR
will be set to 84.123.23.23 if the connection originated from 10.0.0.0/8.

If Unit runs behind consecutive reverse proxies and receives a header similar
to the following:

"X-Forwarded-For: 84.123.23.23, 10.0.0.254"

You will need to enable "recursive" checking, which walks the header from
last address to first and chooses the first non-trusted address it finds.

{
    "listeners": {
        "127.0.0.1:8080": {
            "client_ip": {
                "header": "X-Forwarded-For",
                "source": [
                    "10.0.0.0/8"
                ]
                "recursive": true,
            },
            "pass": "applications/my_app"
        },
    }
}

If a connection from 10.0.0.0/8 occurs, the chain is walked.  Here, 10.0.0.254
is also a trusted address so the client address will be replaced with
84.123.23.23.

If all IP addresses in the header are trusted, the client address is set to
the first address in the header:

If 10.0.0.0/8 is trusted and "X-Forwarded-For: 10.0.0.3, 10.0.0.2, 10.0.0.1",
the client address will be replaced with 10.0.0.3.





This commit introduces the replacement of the client address based on the value
of a specified HTTP header.  This is intended for use when Unit is placed
behind a reverse proxy like nginx or a CDN.

You must specify the source addresses of the trusted proxies.  This can be
accomplished with any valid IP pattern supported by Unit's match block:

["10.0.0.1", "10.4.0.0/16", "!192.168.1.1"]

The feature is configured per listener.

The client address replacement functionality only operates when there is a
source IP match and the specified header is present.  Typically this would be
an 'X-Forwarded-For' header.

{
    "listeners": {
        "127.0.0.1:8080": {
            "client_ip": {
                "header": "X-Forwarded-For",
                "source": [
                    "10.0.0.0/8"
                ]
            },
            "pass": "applications/my_app"
        },
    }
}

If a request occurs and Unit receives a header like below:

"X-Forwarded-For: 84.123.23.23"

By default, Unit trusts the last rightmost IP in the header, so REMOTE_ADDR
will be set to 84.123.23.23 if the connection originated from 10.0.0.0/8.

If Unit runs behind consecutive reverse proxies and receives a header similar
to the following:

"X-Forwarded-For: 84.123.23.23, 10.0.0.254"

You will need to enable "recursive" checking, which walks the header from
last address to first and chooses the first non-trusted address it finds.

{
    "listeners": {
        "127.0.0.1:8080": {
            "client_ip": {
                "header": "X-Forwarded-For",
                "source": [
                    "10.0.0.0/8"
                ]
                "recursive": true,
            },
            "pass": "applications/my_app"
        },
    }
}

If a connection from 10.0.0.0/8 occurs, the chain is walked.  Here, 10.0.0.254
is also a trusted address so the client address will be replaced with
84.123.23.23.

If all IP addresses in the header are trusted, the client address is set to
the first address in the header:

If 10.0.0.0/8 is trusted and "X-Forwarded-For: 10.0.0.3, 10.0.0.2, 10.0.0.1",
the client address will be replaced with 10.0.0.3.







Introduced nxt_sockaddr_parse_optport() for addresses w/o ports.
2021-08-12T08:23:09+00:00

Oisin Canty
o.canty@f5.com

2021-08-12T08:23:09+00:00

73ea6a1c3a7a4a7f3ab14230b80e783e57a7d830












Python: fixing misprint in error message.
2021-08-09T07:15:00+00:00

Max Romanov
max.romanov@nginx.com

2021-08-09T07:15:00+00:00

3580842d34f8543f7bb41551f7a0dec8723289a8












Router: fixed crash when matching an empty address pattern array.
2021-08-05T16:00:01+00:00

Oisin Canty
o.canty@f5.com

2021-08-05T16:00:01+00:00

60cf1399611ae1b2728492c94ff57a4a044774b4

A crash would occur when the router tried to match an
against an empty address pattern array.

The following configuration was used to reproduce the
issue:

{
    "listeners": {
        "127.0.0.1:8082": {
            "pass": "routes"
        }
    },
    "routes": [
        {
            "match": {
                "source": []
            },
            "action": {
                "return": 200
            }
        }
    ]
}





A crash would occur when the router tried to match an
against an empty address pattern array.

The following configuration was used to reproduce the
issue:

{
    "listeners": {
        "127.0.0.1:8082": {
            "pass": "routes"
        }
    },
    "routes": [
        {
            "match": {
                "source": []
            },
            "action": {
                "return": 200
            }
        }
    ]
}







Router: fixed segmentation fault.
2021-08-02T04:30:38+00:00

Zhidao HONG
z.hong@f5.com

2021-08-02T04:30:38+00:00

d16cf0416784db82147ee5aaad1054840d028e7d

In the case that routes or upstreams is empty and the pass option is a variable.
If the resolved pass is routes or upstreams, a segment error occurred.





In the case that routes or upstreams is empty and the pass option is a variable.
If the resolved pass is routes or upstreams, a segment error occurred.







Fixed dead assignments.
2021-08-03T10:59:27+00:00

Max Romanov
max.romanov@nginx.com

2021-08-03T10:59:27+00:00

db03dfad6745a7d87d784ac51ed2d52e1c50a557

Found by Clang Static Analyzer.





Found by Clang Static Analyzer.







Application restart introduced.
2021-07-29T16:50:39+00:00

Max Romanov
max.romanov@nginx.com

2021-07-29T16:50:39+00:00

fa9fb29be221e0393562831a9e3bcba416652f60

When processing a restart request, the router sends a QUIT message to all
existing processes of the application.  Then, a new shared application port is
created to ensure that new requests won't be handled by the old processes of
the application.





When processing a restart request, the router sends a QUIT message to all
existing processes of the application.  Then, a new shared application port is
created to ensure that new requests won't be handled by the old processes of
the application.