Commits on Feb 17, 2017
Commits on Feb 16, 2017
  1. Trailing space removed.

    mdounin committed Feb 16, 2017
  2. Docs: changes.xslt regenerated.

    mdounin committed Feb 16, 2017
  3. Docs: changes.xml dates converted to ISO 8601 format.

    Dates in ISO 8601 format are in line with what is used in nginx.org news,
    and are generally less ambiguous and easier to work with.
    
    The changes.xml was converted using sed:
    
    $ sed 's/date="\(..\)\.\(..\)\.\(....\)"/date="\3-\2-\1"/g' changes.xml
    
    Appropriate changes to changes.xsls were introduced.
    mdounin committed Feb 16, 2017
  4. Version bump.

    mdounin committed Feb 16, 2017
Commits on Feb 14, 2017
  1. release-1.11.10 tag

    mdounin committed Feb 14, 2017
  2. nginx-1.11.10-RELEASE

    mdounin committed Feb 14, 2017
Commits on Feb 13, 2017
Commits on Feb 10, 2017
  1. Upstream: read handler cleared on upstream finalization.

    With "proxy_ignore_client_abort off" (the default), upstream module changes
    r->read_event_handler to ngx_http_upstream_rd_check_broken_connection().
    If the handler is not cleared during upstream finalization, it can be
    triggered later, causing unexpected effects, if, for example, a request
    was redirected to a different location using error_page or X-Accel-Redirect.
    In particular, it makes "proxy_ignore_client_abort on" non-working after
    a redirection in a configuration like this:
    
        location = / {
            error_page 502 = /error;
            proxy_pass http://127.0.0.1:8082;
        }
    
        location /error {
            proxy_pass http://127.0.0.1:8083;
            proxy_ignore_client_abort on;
        }
    
    It is also known to cause segmentation faults with aio used, see
    http://mailman.nginx.org/pipermail/nginx-ru/2015-August/056570.html.
    
    Fix is to explicitly set r->read_event_handler to ngx_http_block_reading()
    during upstream finalization, similar to how it is done in the request body
    reading code and in the limit_req module.
    mdounin committed Feb 10, 2017
  2. Cache: increased cache header Vary and ETag lengths to 128.

    This allows storing larger ETag values for proxy_cache_revalidate,
    including ones generated as SHA256, and cache responses with longer
    Vary (ticket #826).
    
    In particular, this fixes caching of Amazon S3 responses with CORS
    enabled, which now use "Vary: Origin, Access-Control-Request-Headers,
    Access-Control-Request-Method".
    
    Cache version bumped accordingly.
    mdounin committed Feb 10, 2017
  3. Slice filter: fetch slices in cloned subrequests.

    Previously, slice subrequest location was selected based on request URI.
    If request is then redirected to a new location, its context array is cleared,
    making the slice module lose current slice range information.  This led to
    broken output.  Now subrequests with the NGX_HTTP_SUBREQUEST_CLONE flag are
    created for slices.  Such subrequests stay in the same location as the parent
    request and keep the right slice context.
    Roman Arutyunyan committed Feb 10, 2017
  4. Upstream: proxy_cache_background_update and friends.

    The directives enable cache updates in subrequests.
    Roman Arutyunyan committed Feb 10, 2017
Commits on Feb 8, 2017
  1. Request body: commented out debug printing of old buffers.

    This is not really needed in practice, and causes excessive debug output
    in some of our tests.
    mdounin committed Feb 8, 2017
Commits on Feb 6, 2017
  1. SSL: clear error queue after OPENSSL_init_ssl().

    The function may leave an error in the error queue while returning success,
    e.g., when taking a DSO reference to itself as of OpenSSL 1.1.0d:
    https://git.openssl.org/?p=openssl.git;a=commit;h=4af9f7f
    
    Notably, this fixes alert seen with statically linked OpenSSL on some platforms.
    
    While here, check OPENSSL_init_ssl() return value.
    Sergey Kandaurov committed Feb 6, 2017
Commits on Feb 2, 2017
  1. SSL: fixed ssl_buffer_size on SNI virtual hosts (ticket #1192).

    Previously, buffer size was not changed from the one saved during
    initial ngx_ssl_create_connection(), even if the buffer itself was not
    yet created.  Fix is to change c->ssl->buffer_size in the SNI callback.
    
    Note that it should be also possible to update buffer size even in non-SNI
    virtual hosts as long as the buffer is not yet allocated.  This looks
    like an overcomplication though.
    mdounin committed Feb 2, 2017
Commits on Feb 1, 2017
  1. Configure: removed execute bit from auto/unix.

    Sergey Kandaurov committed Feb 1, 2017
Commits on Jan 31, 2017
  1. Variables: generic prefix variables.

    Dmitry Volyntsev committed Jan 31, 2017
  2. Implemented the "server_tokens build" option.

    Based on a patch by Tom Thorogood.
    Ruslan Ermilov committed Jan 31, 2017
Commits on Jan 27, 2017
Commits on Jan 26, 2017
  1. Version bump.

    vl-homutov committed Jan 26, 2017
Commits on Jan 25, 2017
  1. Upstream: removed compatibility shims from ngx_http_upstream_t.

    The type is no longer modified in NGINX Plus.
    vl-homutov committed Jan 25, 2017
Commits on Jan 24, 2017
  1. release-1.11.9 tag

    mdounin committed Jan 24, 2017
  2. nginx-1.11.9-RELEASE

    mdounin committed Jan 24, 2017
Commits on Jan 20, 2017
  1. Upstream: fixed cache corruption and socket leaks with aio_write.

    The ngx_event_pipe() function wasn't called on write events with
    wev->delayed set.  As a result, threaded writing results weren't
    properly collected in ngx_event_pipe_write_to_downstream() when a
    write event was triggered for a completed write.
    
    Further, this wasn't detected, as p->aio was reset by a thread completion
    handler, and results were later collected in ngx_event_pipe_read_upstream()
    instead of scheduling a new write of additional data.  If this happened
    on the last reading from an upstream, last part of the response was never
    written to the cache file.
    
    Similar problems might also happen in case of timeouts when writing to
    client, as this also results in ngx_event_pipe() not being called on write
    events.  In this scenario socket leaks were observed.
    
    Fix is to check if p->writing is set in ngx_event_pipe_read_upstream(), and
    therefore collect results of previous write operations in case of read events
    as well, similar to how we do so in ngx_event_pipe_write_downstream().
    This is enough to fix the wev->delayed case.  Additionally, we now call
    ngx_event_pipe() from ngx_http_upstream_process_request() if there are
    uncollected write operations (p->writing and !p->aio).  This also fixes
    the wev->timedout case.
    mdounin committed Jan 20, 2017
  2. Removed pthread mutex / conditional variables debug messages.

    These messages don't seem to be needed in practice and only make
    debugging logs harder to read.
    mdounin committed Jan 20, 2017
  3. Fixed trailer construction with limit on FreeBSD and macOS.

    The ngx_chain_coalesce_file() function may produce more bytes to send than
    requested in the limit passed, as it aligns the last file position
    to send to memory page boundary.  As a result, (limit - send) may become
    negative.  This resulted in big positive number when converted to size_t
    while calling ngx_output_chain_to_iovec().
    
    Another part of the problem is in ngx_chain_coalesce_file(): it changes cl
    to the next chain link even if the current buffer is only partially sent
    due to limit.
    
    Therefore, if a file buffer was not expected to be fully sent due to limit,
    and was followed by a memory buffer, nginx called sendfile() with a part
    of the file buffer, and the memory buffer in trailer.  If there were enough
    room in the socket buffer, this resulted in a part of the file buffer being
    skipped, and corresponding part of the memory buffer sent instead.
    
    The bug was introduced in 8e903522c17a (1.7.8).  Configurations affected
    are ones using limits, that is, limit_rate and/or sendfile_max_chunk, and
    memory buffers after file ones (may happen when using subrequests or
    with proxying with disk buffering).
    
    Fix is to explicitly check if (send < limit) before constructing trailer
    with ngx_output_chain_to_iovec().  Additionally, ngx_chain_coalesce_file()
    was modified to preserve unfinished file buffers in cl.
    mdounin committed Jan 20, 2017
  4. Improved connection draining with small number of connections.

    Closing up to 32 connections might be too aggressive if worker_connections
    is set to a comparable number (and/or there are only a small number of
    reusable connections).  If an occasional connection shortage happens in
    such a configuration, it leads to closing all reusable connections instead
    of gradually reducing keepalive timeout to a smaller value.  To improve
    granularity in such configurations we now close no more than 1/8 of all
    reusable connections at once.
    
    Suggested by Joel Cunningham.
    mdounin committed Jan 20, 2017
  5. Added cycle parameter to ngx_drain_connections().

    No functional changes, mostly style.
    mdounin committed Jan 20, 2017
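The arithmetic behind the "Fixed trailer construction with limit on FreeBSD and macOS" commit above, as an added example that is not nginx source code: a simplified model of page-aligned coalescing lets `send` pass `limit`, and the unchecked `limit - send` then wraps to a huge `size_t`. The function names, the 4096-byte page size and the sample values are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>

#define PAGE_SIZE 4096   /* assumed memory page size */

/* Hypothetical model: how many bytes of a file buffer [pos, last) get queued
 * under `limit`.  The end position is rounded up to a page boundary when
 * that still fits in the file, so the result can exceed `limit`. */
static off_t coalesce_file(off_t pos, off_t last, off_t limit)
{
    off_t size = last - pos;
    off_t aligned;

    if (size > limit) {
        size = limit;
        aligned = (pos + size + PAGE_SIZE - 1) & ~((off_t) PAGE_SIZE - 1);
        if (aligned <= last) {
            size = aligned - pos;
        }
    }
    return size;
}

/* Before the fix: the remaining room is handed on as a size_t unchecked. */
static size_t trailer_room_unchecked(off_t limit, off_t send)
{
    return (size_t) (limit - send);   /* negative value wraps to a huge one */
}

/* After the fix: a trailer is built only if send < limit. */
static size_t trailer_room_checked(off_t limit, off_t send)
{
    return (send < limit) ? (size_t) (limit - send) : 0;
}

int main(void)
{
    /* Constructed sample: 100000-byte file, offset 100, limit 5000. */
    off_t limit = 5000;
    off_t send = coalesce_file(100, 100000, limit);

    printf("send=%lld limit=%lld\n", (long long) send, (long long) limit);
    printf("unchecked trailer room: %zu\n", trailer_room_unchecked(limit, send));
    printf("checked trailer room:   %zu\n", trailer_room_checked(limit, send));
    return 0;
}
```

With an unaligned starting offset the rounded-up end position overshoots the limit by up to one page, which is why the wrap only shows up for some offset and limit combinations.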
Commits on Jan 19, 2017
  1. Stream: client SSL certificates were not checked in some cases.

    If ngx_stream_ssl_init_connection() succeeded immediately, the check was not
    done.
    
    The bug had appeared in 1.11.8 (41cb1b64561d).
    vl-homutov committed Jan 19, 2017
  2. Stream: fixed handling of non-ssl sessions.

    A missing check could cause ngx_stream_ssl_handler() to be applied
    to a non-ssl session, which resulted in a null pointer dereference
    if ssl_verify_client is enabled.
    
    The bug had appeared in 1.11.8 (41cb1b64561d).
    vl-homutov committed Jan 19, 2017
Commits on Dec 22, 2016
  1. Cache: support for stale-while-revalidate and stale-if-error.

    Previously, there was no way to enable the proxy_cache_use_stale behavior by
    reading the backend response.  Now, stale-while-revalidate and stale-if-error
    Cache-Control extensions (RFC 5861) are supported.  They specify, how long a
    stale response can be used when a cache entry is being updated, or in case of
    an error.
    Roman Arutyunyan committed Dec 22, 2016