Permalink
Switch branches/tags
Commits on Aug 10, 2018
  1. Upstream keepalive: keepalive_requests directive.

    mdounin committed Aug 10, 2018
    The directive configures maximum number of requests allowed on
    a connection kept in the cache.  Once a connection reaches the number
    of requests configured, it is no longer saved to the cache.
    The default is 100.
    
    Much like keepalive_requests for client connections, this is mostly
    a safeguard to make sure connections are closed periodically and the
    memory allocated from the connection pool is freed.
  2. Upstream keepalive: keepalive_timeout directive.

    mdounin committed Aug 10, 2018
    The directive configures maximum time a connection can be kept in the
    cache.  By configuring a time which is smaller than the corresponding
    timeout on the backend side one can avoid the race between closing
    a connection by the backend and nginx trying to use the same connection
    to send a request at the same time.
  3. SSL: fixed build with LibreSSL 2.8.0 (ticket #1605).

    mdounin committed Aug 10, 2018
    LibreSSL 2.8.0 "added const annotations to many existing APIs from OpenSSL,
    making interoperability easier for downstream applications".  This includes
    the const change in the SSL_CTX_sess_set_get_cb() callback function (see
    9dd43f4ef67e), which breaks compilation.
    
    To fix this, added a condition on how we redefine OPENSSL_VERSION_NUMBER
    when working with LibreSSL (see 382fc7069e3a).  With LibreSSL 2.8.0,
    we now set OPENSSL_VERSION_NUMBER to 0x1010000fL (OpenSSL 1.1.0), so the
    appropriate conditions in the code will use "const" as it happens with
    OpenSSL 1.1.0 and later versions.
  4. A link to the error_log directive on nginx.org removed.

    maximkonovalov committed Aug 10, 2018
    It makes more harm than good for users and nginx.org
    infrastructure.
Commits on Aug 9, 2018
  1. HTTP/2: workaround for clients which fail on table size updates.

    mdounin committed Aug 9, 2018
    There are clients which cannot handle HPACK's dynamic table size updates
    as added in 12cadc4669a7 (1.13.6).  Notably, old versions of OkHttp library
    are known to fail on it (ticket #1397).
    
    This change makes it possible to work with such clients by only sending
    dynamic table size updates in response to SETTINGS_HEADER_TABLE_SIZE.  As
    a downside, clients which do not use SETTINGS_HEADER_TABLE_SIZE will
    continue to maintain default 4k table.
  2. Skipping spaces in configuration files (ticket #1557).

    mdounin committed Aug 9, 2018
    Previously, a chunk of spaces larger than NGX_CONF_BUFFER (4096 bytes)
    resulted in the "too long parameter" error during parsing such a
    configuration.  This was because the code only set start and start_line
    on non-whitespace characters, and hence adjacent whitespace characters
    were preserved when reading additional data from the configuration file.
    Fix is to always move start and start_line if the last character was
    a space.
Commits on Aug 6, 2018
  1. SSL: support for TLSv1.3 early data with BoringSSL.

    mdounin committed Aug 6, 2018
    Early data AKA 0-RTT mode is enabled as long as "ssl_early_data on" is
    specified in the configuration (default is off).
    
    The $ssl_early_data variable evaluates to "1" if the SSL handshake
    isn't yet completed, and can be used to set the Early-Data header as
    per draft-ietf-httpbis-replay-04.
  2. SSL: enabled TLSv1.3 with BoringSSL.

    mdounin committed Aug 6, 2018
    BoringSSL currently requires SSL_CTX_set_max_proto_version(TLS1_3_VERSION)
    to be able to enable TLS 1.3.  This is because by default max protocol
    version is set to TLS 1.2, and the SSL_OP_NO_* options are merely used
    as a blacklist within the version range specified using the
    SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
    functions.
    
    With this change, we now call SSL_CTX_set_max_proto_version() with an
    explicit maximum version set.  This enables TLS 1.3 with BoringSSL.
    As a side effect, this change also limits maximum protocol version to
    the newest protocol we know about, TLS 1.3.  This seems to be a good
    change, as enabling unknown protocols might have unexpected results.
    
    Additionally, we now explicitly call SSL_CTX_set_min_proto_version()
    with 0.  This is expected to help with Debian system-wide default
    of MinProtocol set to TLSv1.2, see
    http://mailman.nginx.org/pipermail/nginx-ru/2017-October/060411.html.
    
    Note that there is no SSL_CTX_set_min_proto_version macro in BoringSSL,
    so we call SSL_CTX_set_min_proto_version() and SSL_CTX_set_max_proto_version()
    as long as the TLS1_3_VERSION macro is defined.
Commits on Aug 2, 2018
  1. Dav: removed dead store after 8e7a5de61664.

    Sergey Kandaurov
    Sergey Kandaurov committed Aug 2, 2018
    Found by Clang Static Analyzer.
Commits on Jul 31, 2018
  1. Dav: changed COPY of a file to preserve access mask.

    mdounin committed Jul 31, 2018
    The behaviour is now in line with COPY of a directory with contents,
    which preserves access masks on individual files, as well as the "cp"
    command.
    
    Requested by Roman Arutyunyan.
  2. Dav: changed ngx_copy_file() to preserve access and mtime.

    mdounin committed Jul 31, 2018
    This fixes wrong permissions and file time after cross-device MOVE
    in the DAV module (ticket #1577).  Broken in 8101d9101ed8 (0.8.9) when
    cross-device copying was introduced in ngx_ext_rename_file().
    
    With this change, ngx_copy_file() always calls ngx_set_file_time(),
    either with the time provided, or with the time from the original file.
    This is considered acceptable given that copying the file is costly anyway,
    and optimizing cases when we do not need to preserve time will require
    interface changes.
  3. Dav: fixed ngx_copy_file() to truncate destination file.

    mdounin committed Jul 31, 2018
    Previously, ngx_open_file(NGX_FILE_CREATE_OR_OPEN) was used, resulting
    in destination file being partially rewritten if exists.  Notably,
    this affected WebDAV COPY command (ticket #1576).
Commits on Jul 24, 2018
  1. Configure: fixed compiler warnings with "-Wall -Wextra".

    Sergey Kandaurov
    Sergey Kandaurov committed Jul 24, 2018
  2. Version bump.

    Sergey Kandaurov
    Sergey Kandaurov committed Jul 24, 2018
  3. release-1.15.2 tag

    mdounin committed Jul 24, 2018
  4. nginx-1.15.2-RELEASE

    mdounin committed Jul 24, 2018
Commits on Jul 22, 2018
  1. Fixed NGX_TID_T_FMT format specification for uint64_t.

    mdounin committed Jul 22, 2018
    Previously, "%uA" was used, which corresponds to ngx_atomic_uint_t.
    Size of ngx_atomic_uint_t can be easily different from uint64_t,
    leading to undefined results.
Commits on Jul 18, 2018
  1. Stream ssl_preread: added SSLv2 Client Hello support.

    Sergey Kandaurov
    Sergey Kandaurov committed Jul 18, 2018
    In particular, it was not possible to obtain SSLv2 protocol version.
Commits on Jul 17, 2018
  1. Fixed invalid access to location defined as an empty string.

    Ruslan Ermilov
    Ruslan Ermilov committed Jul 17, 2018
  2. SSL: save sessions for upstream peers using a callback function.

    Sergey Kandaurov
    Sergey Kandaurov committed Jul 17, 2018
    In TLSv1.3, NewSessionTicket messages arrive after the handshake and
    can come at any time.  Therefore we use a callback to save the session
    when we know about it.  This approach works for < TLSv1.3 as well.
    The callback function is set once per location on merge phase.
    
    Since SSL_get_session() in BoringSSL returns an unresumable session for
    TLSv1.3, peer save_session() methods have been updated as well to use a
    session supplied within the callback.  To preserve API, the session is
    cached in c->ssl->session.  It is preferably accessed in save_session()
    methods by ngx_ssl_get_session() and ngx_ssl_get0_session() wrappers.
Commits on Jul 16, 2018
  1. SSL: use of the SSL_OP_NO_RENEGOTIATION option (ticket #1376).

    mdounin committed Jul 16, 2018
    The SSL_OP_NO_RENEGOTIATION option is available in OpenSSL 1.1.0h+ and can
    save some CPU cycles on renegotiation attempts.
  2. SSL: fixed SSL_clear_options() usage with OpenSSL 1.1.0+.

    mdounin committed Jul 16, 2018
    In OpenSSL 1.1.0 the SSL_CTRL_CLEAR_OPTIONS macro was removed, so
    conditional compilation test on it results in SSL_clear_options()
    and SSL_CTX_clear_options() not being used.  Notably, this caused
    "ssl_prefer_server_ciphers off" to not work in SNI-based virtual
    servers if server preference was switched on in the default server.
    
    It looks like the only possible fix is to test OPENSSL_VERSION_NUMBER
    explicitly.
  3. SSL: logging levels of "unsupported protocol", "version too low".

    mdounin committed Jul 16, 2018
    Starting with OpenSSL 1.1.0, SSL_R_UNSUPPORTED_PROTOCOL instead of
    SSL_R_UNKNOWN_PROTOCOL is reported when a protocol is disabled via
    an SSL_OP_NO_* option.
    
    Additionally, SSL_R_VERSION_TOO_LOW is reported when using MinProtocol
    or when seclevel checks (as set by @SECLEVEL=n in the cipher string)
    rejects a protocol, and this is what happens with SSLv3 and @SECLEVEL=1,
    which is the default.
    
    There is also the SSL_R_VERSION_TOO_HIGH error code, but it looks like
    it is not possible to trigger it.
Commits on Jul 12, 2018
  1. Events: added configuration check on the number of connections.

    mdounin committed Jul 12, 2018
    There should be at least one worker connection for each listening socket,
    plus an additional connection for channel between worker and master,
    or starting worker processes will fail.
  2. Events: moved sockets cloning to ngx_event_init_conf().

    mdounin committed Jul 12, 2018
    Previously, listenings sockets were not cloned if the worker_processes
    directive was specified after "listen ... reuseport".
    
    This also simplifies upcoming configuration check on the number
    of worker connections, as it needs to know the number of listening
    sockets before cloning.
  3. Allow resetting connections closed by "return 444" (ticket #905).

    Ruslan Ermilov
    Ruslan Ermilov committed Jul 12, 2018
    If reset_timedout_connection is on, TCP connections closed by
    "return 444" will be reset instead of a normal close.
Commits on Jul 11, 2018
  1. Stream ssl_preread: $ssl_preread_protocol variable.

    arut committed Jul 11, 2018
    The variable keeps the latest SSL protocol version supported by the client.
    The variable has the same format as $ssl_protocol.
    
    The version is read from the client_version field of ClientHello.  If the
    supported_versions extension is present in the ClientHello, then the version
    is set to TLSv1.3.
Commits on Jul 5, 2018
  1. Resolver: retry sending queries on errors (ticket #1511).

    mdounin committed Jul 5, 2018
    Errors when sending UDP datagrams can happen, e.g., when local IP address
    changes (see fa0e093b64d7), or an unavailable DNS server on the LAN can cause
    send() to fail with EHOSTDOWN on BSD systems.  If this happens during
    initial query, retry sending immediately, to a different DNS server when
    possible.  If this is not enough, allow normal resend to happen by ignoring
    the return code of the second ngx_resolver_send_query() call, much like we
    do in ngx_resolver_resend().
  2. SSL: logging level of "https proxy request" errors.

    mdounin committed Jul 5, 2018
    The "http request" and "https proxy request" errors cannot happen
    with HTTP due to pre-handshake checks in ngx_http_ssl_handshake(),
    but can happen when SSL is used in stream and mail modules.
  3. Version bump.

    mdounin committed Jul 5, 2018
Commits on Jul 3, 2018
  1. release-1.15.1 tag

    mdounin committed Jul 3, 2018
  2. nginx-1.15.1-RELEASE

    mdounin committed Jul 3, 2018
Commits on Jul 2, 2018
  1. Upstream: fixed tcp_nopush with gRPC.

    mdounin committed Jul 2, 2018
    With gRPC it is possible that a request sending is blocked due to flow
    control.  Moreover, further sending might be only allowed once the
    backend sees all the data we've already sent.  With such a backend
    it is required to clear the TCP_NOPUSH socket option to make sure all
    the data we've sent are actually delivered to the backend.
    
    As such, we now clear TCP_NOPUSH in ngx_http_upstream_send_request()
    also on NGX_AGAIN if c->write->ready is set.  This fixes a test (which
    waits for all the 64k bytes as per initial window before allowing more
    bytes) with sendfile enabled when the body was written to a file
    in a different context.
  2. Upstream: fixed unexpected tcp_nopush usage on peer connections.

    mdounin committed Jul 2, 2018
    Now tcp_nopush on peer connections is disabled if it is disabled on
    the client connection, similar to how we handle c->sendfile.  Previously,
    tcp_nopush was always used on upstream connections, regardless of
    the "tcp_nopush" directive.