update
pangpang@hi-nginx.com committed Jul 25, 2022
1 parent 724b06c commit 3081172
Showing 12 changed files with 354 additions and 43 deletions.
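--- a/CHANGES
+++ b/CHANGES
@@ -1,4 +1,24 @@
 
+Changes with nginx 1.23.1 19 Jul 2022
+
+*) Feature: memory usage optimization in configurations with SSL
+proxying.
+
+*) Feature: looking up of IPv4 addresses while resolving now can be
+disabled with the "ipv4=off" parameter of the "resolver" directive.
+
+*) Change: the logging level of the "bad key share", "bad extension",
+"bad cipher", and "bad ecpoint" SSL errors has been lowered from
+"crit" to "info".
+
+*) Bugfix: while returning byte ranges nginx did not remove the
+"Content-Range" header line if it was present in the original backend
+response.
+
+*) Bugfix: a proxied response might be truncated during reconfiguration
+on Linux; the bug had appeared in 1.17.5.
+
+
 Changes with nginx 1.23.0 21 Jun 2022
 
 *) Change in internal API: now header lines are represented as linked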
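--- a/CHANGES.ru
+++ b/CHANGES.ru
@@ -1,4 +1,24 @@
 
+Изменения в nginx 1.23.1 19.07.2022
+
+*) Добавление: оптимизация использования памяти в конфигурациях с
+SSL-проксированием.
+
+*) Добавление: теперь с помощью параметра "ipv4=off" директивы
+"resolver" можно запретить поиск IPv4-адресов при преобразовании имён
+в адреса.
+
+*) Изменение: уровень логгирования ошибок SSL "bad key share", "bad
+extension", "bad cipher" и "bad ecpoint" понижен с уровня crit до
+info.
+
+*) Исправление: при возврате диапазонов nginx не удалял строку заголовка
+"Content-Range", если она присутствовала в исходном ответе бэкенда.
+
+*) Исправление: проксированный ответ мог быть отправлен не полностью при
+переконфигурации на Linux; ошибка появилась в 1.17.5.
+
+
 Изменения в nginx 1.23.0 21.06.2022
 
 *) Изменение во внутреннем API: теперь строки заголовков представлены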
4 changes: 2 additions & 2 deletions src/core/nginx.h
Expand Up @@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_


#define nginx_version 1023000
#define NGINX_VERSION "1.23.0"
#define nginx_version 1023001
#define NGINX_VERSION "1.23.1"
#define NGINX_VER "nginx/" NGINX_VERSION

#ifdef NGX_BUILD
60 changes: 47 additions & 13 deletions src/core/ngx_resolver.c
Expand Up @@ -157,6 +157,8 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
cln->handler = ngx_resolver_cleanup;
cln->data = r;

r->ipv4 = 1;

ngx_rbtree_init(&r->name_rbtree, &r->name_sentinel,
ngx_resolver_rbtree_insert_value);

Expand Down Expand Up @@ -225,6 +227,23 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
}

#if (NGX_HAVE_INET6)
if (ngx_strncmp(names[i].data, "ipv4=", 5) == 0) {

if (ngx_strcmp(&names[i].data[5], "on") == 0) {
r->ipv4 = 1;

} else if (ngx_strcmp(&names[i].data[5], "off") == 0) {
r->ipv4 = 0;

} else {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"invalid parameter: %V", &names[i]);
return NULL;
}

continue;
}

if (ngx_strncmp(names[i].data, "ipv6=", 5) == 0) {

if (ngx_strcmp(&names[i].data[5], "on") == 0) {
Expand Down Expand Up @@ -273,6 +292,14 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
}
}

#if (NGX_HAVE_INET6)
if (r->ipv4 + r->ipv6 == 0) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"\"ipv4\" and \"ipv6\" cannot both be \"off\"");
return NULL;
}
#endif

if (n && r->connections.nelts == 0) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "no name servers defined");
return NULL;
Expand Down Expand Up @@ -836,7 +863,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx,
r->last_connection = 0;
}

rn->naddrs = (u_short) -1;
rn->naddrs = r->ipv4 ? (u_short) -1 : 0;
rn->tcp = 0;
#if (NGX_HAVE_INET6)
rn->naddrs6 = r->ipv6 ? (u_short) -1 : 0;
Expand Down Expand Up @@ -1263,7 +1290,7 @@ ngx_resolver_send_query(ngx_resolver_t *r, ngx_resolver_node_t *rn)
rec->log.action = "resolving";
}

if (rn->naddrs == (u_short) -1) {
if (rn->query && rn->naddrs == (u_short) -1) {
rc = rn->tcp ? ngx_resolver_send_tcp_query(r, rec, rn->query, rn->qlen)
: ngx_resolver_send_udp_query(r, rec, rn->query, rn->qlen);

Expand Down Expand Up @@ -1765,10 +1792,13 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_char *buf, size_t n,
q = ngx_queue_next(q))
{
rn = ngx_queue_data(q, ngx_resolver_node_t, queue);
qident = (rn->query[0] << 8) + rn->query[1];

if (qident == ident) {
goto dns_error_name;
if (rn->query) {
qident = (rn->query[0] << 8) + rn->query[1];

if (qident == ident) {
goto dns_error_name;
}
}

#if (NGX_HAVE_INET6)
Expand Down Expand Up @@ -3645,7 +3675,7 @@ ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t);

#if (NGX_HAVE_INET6)
p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len);
p = ngx_resolver_alloc(r, len * (r->ipv4 + r->ipv6));
#else
p = ngx_resolver_alloc(r, len);
#endif
Expand All @@ -3658,19 +3688,21 @@ ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,

#if (NGX_HAVE_INET6)
if (r->ipv6) {
rn->query6 = p + len;
rn->query6 = r->ipv4 ? (p + len) : p;
}
#endif

query = (ngx_resolver_hdr_t *) p;

ident = ngx_random();
if (r->ipv4) {
ident = ngx_random();

ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
"resolve: \"%V\" A %i", name, ident & 0xffff);
ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
"resolve: \"%V\" A %i", name, ident & 0xffff);

query->ident_hi = (u_char) ((ident >> 8) & 0xff);
query->ident_lo = (u_char) (ident & 0xff);
query->ident_hi = (u_char) ((ident >> 8) & 0xff);
query->ident_lo = (u_char) (ident & 0xff);
}

/* recursion query */
query->flags_hi = 1; query->flags_lo = 0;
Expand Down Expand Up @@ -3731,7 +3763,9 @@ ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,

p = rn->query6;

ngx_memcpy(p, rn->query, rn->qlen);
if (r->ipv4) {
ngx_memcpy(p, rn->query, rn->qlen);
}

query = (ngx_resolver_hdr_t *) p;

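Review bot: In ngx_resolver_create_name_query the allocation size `len * (r->ipv4 + r->ipv6)` is zero when both flags are clear, yet the lines that follow write the DNS header through `p` unconditionally (`query->flags_hi = 1; query->flags_lo = 0;`). The only thing that rules this out is the configuration-time check added in ngx_resolver_create, which is far from the allocation and runs only when the "resolver" parameters are parsed. Keeping the invariant next to the allocation would make a later change to either flag fail safely instead of writing past a zero-length buffer: `if (r->ipv4 + r->ipv6 == 0) { return NGX_ERROR; }` before the ngx_resolver_alloc call, or at minimum a comment stating that at least one address family is always enabled. The function starts and ends outside the hunks shown, so the NULL check on `p` and the remaining writes are assumed from context.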
4 changes: 3 additions & 1 deletion src/core/ngx_resolver.h
Expand Up @@ -175,8 +175,10 @@ struct ngx_resolver_s {
ngx_queue_t srv_expire_queue;
ngx_queue_t addr_expire_queue;

unsigned ipv4:1;

#if (NGX_HAVE_INET6)
ngx_uint_t ipv6; /* unsigned ipv6:1; */
unsigned ipv6:1;
ngx_rbtree_t addr6_rbtree;
ngx_rbtree_node_t addr6_sentinel;
ngx_queue_t addr6_resend_queue;
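--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -3343,6 +3343,12 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_NO_SUITABLE_KEY_SHARE
 || n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */
 #endif
+#ifdef SSL_R_BAD_KEY_SHARE
+|| n == SSL_R_BAD_KEY_SHARE /* 108 */
+#endif
+#ifdef SSL_R_BAD_EXTENSION
+|| n == SSL_R_BAD_EXTENSION /* 110 */
+#endif
 #ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
 || n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */
 #endif
@@ -3357,6 +3363,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 || n == SSL_R_NO_CIPHERS_PASSED /* 182 */
 #endif
 || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
+#ifdef SSL_R_BAD_CIPHER
+|| n == SSL_R_BAD_CIPHER /* 186 */
+#endif
 || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
 || n == SSL_R_NO_SHARED_CIPHER /* 193 */
 || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
@@ -3391,6 +3400,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
 #ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN
 || n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN /* 291 */
 #endif
+#ifdef SSL_R_BAD_ECPOINT
+|| n == SSL_R_BAD_ECPOINT /* 306 */
+#endif
 #ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
 || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */
 || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */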
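Review bot: The four reason codes added to this list (`SSL_R_BAD_KEY_SHARE`, `SSL_R_BAD_EXTENSION`, `SSL_R_BAD_CIPHER`, `SSL_R_BAD_ECPOINT`) have no comment saying why they belong here, and the CHANGES entry in this commit says they drop from "crit" to "info". All four describe malformed handshake data that a remote peer controls, so with error_log at its default level they stop being recorded, and any alerting keyed on crit-level SSL errors loses that signal. A short comment above the additions, such as `/* malformed handshake data sent by the peer; logged at info */`, would record the intent for operators and future editors. The code that assigns the level is in ngx_ssl_connection_error outside these hunks, so the effect is taken from CHANGES, not from the lines shown.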
66 changes: 59 additions & 7 deletions src/http/modules/ngx_http_grpc_module.c
Expand Up @@ -209,6 +209,8 @@ static char *ngx_http_grpc_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
static char *ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_http_grpc_merge_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *conf, ngx_http_grpc_loc_conf_t *prev);
static ngx_int_t ngx_http_grpc_set_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *glcf);
#endif
Expand Down Expand Up @@ -562,7 +564,7 @@ ngx_http_grpc_handler(ngx_http_request_t *r)
ctx->host = glcf->host;

#if (NGX_HTTP_SSL)
u->ssl = (glcf->upstream.ssl != NULL);
u->ssl = glcf->ssl;

if (u->ssl) {
ngx_str_set(&u->schema, "grpcs://");
Expand Down Expand Up @@ -4463,6 +4465,10 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)

#if (NGX_HTTP_SSL)

if (ngx_http_grpc_merge_ssl(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}

ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
prev->upstream.ssl_session_reuse, 1);

Expand Down Expand Up @@ -4524,7 +4530,7 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
conf->grpc_values = prev->grpc_values;

#if (NGX_HTTP_SSL)
conf->upstream.ssl = prev->upstream.ssl;
conf->ssl = prev->ssl;
#endif
}

Expand Down Expand Up @@ -4874,16 +4880,62 @@ ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)


static ngx_int_t
ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
ngx_http_grpc_merge_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *conf,
ngx_http_grpc_loc_conf_t *prev)
{
ngx_pool_cleanup_t *cln;
ngx_uint_t preserve;

if (conf->ssl_protocols == 0
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
&& conf->ssl_crl.data == NULL
&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
{
if (prev->upstream.ssl) {
conf->upstream.ssl = prev->upstream.ssl;
return NGX_OK;
}

glcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (glcf->upstream.ssl == NULL) {
preserve = 1;

} else {
preserve = 0;
}

conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (conf->upstream.ssl == NULL) {
return NGX_ERROR;
}

glcf->upstream.ssl->log = cf->log;
conf->upstream.ssl->log = cf->log;

/*
* special handling to preserve conf->upstream.ssl
* in the "http" section to inherit it to all servers
*/

if (preserve) {
prev->upstream.ssl = conf->upstream.ssl;
}

return NGX_OK;
}


static ngx_int_t
ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
{
ngx_pool_cleanup_t *cln;

if (glcf->upstream.ssl->ctx) {
return NGX_OK;
}

if (ngx_ssl_create(glcf->upstream.ssl, glcf->ssl_protocols, NULL)
!= NGX_OK)
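Review bot: The eleven-field test at the top of ngx_http_grpc_merge_ssl decides whether a location reuses its parent's `ngx_ssl_t`, but nothing ties that list to the settings ngx_http_grpc_set_ssl applies to the context. If a TLS-related directive is added later and left out of the list, a location that overrides only that directive would take `prev->upstream.ssl`, and set_ssl would return early on `glcf->upstream.ssl->ctx`, so the override would silently not take effect; that matters most for certificate verification settings. A comment above the condition, for example `/* must list every setting that ngx_http_grpc_set_ssl() applies to the SSL context */`, would make the coupling explicit. Most of ngx_http_grpc_set_ssl lies outside the hunk, so which settings it consumes is inferred.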