From borodin at octonica.com Thu Jun 1 11:54:50 2017 From: borodin at octonica.com (Andrew Borodin) Date: Thu, 1 Jun 2017 16:54:50 +0500 Subject: Use primes for hashtable size In-Reply-To: <20170530130137.GT55433@mdounin.ru> References: <20170530130137.GT55433@mdounin.ru> Message-ID: Hi, Maxim! 2017-05-30 18:01 GMT+05:00 Maxim Dounin : > > The maximum size of hash table as specified by the hinit->max_size > field is indeed maximum size, and not the size of the hash table. > Following code in the ngx_hash_init() will try hard to find to > find out an optimal hash size for a given set of values within the > maximum size specified, and will test all the prime numbers as > well. > > I see no reasons to additionally limit the maximum size to a prime > number. If you think there are some, please be more specific. > > You are right. I've modified patch to checkout primes first, then proceed to "hard work" . Also I've kolhozed some perf prove of improvement. This test creates a hash table of 5000 semirandom strings (not very random, just bytes permutated). On my Ubuntu VM without patch hash creation is 92-96ms, with patch it's strictly 0. "hard work" search tries about 2k sizes before success, primes search hits at second. Docs say some words about startup speed and I wanted to apply primes somewhere, so here we go. Best regards, Andrey Borodin. -------------- next part -------------- An HTML attachment was scrubbed... URL: -------------- next part -------------- diff --git a/src/core/ngx_hash.c b/src/core/ngx_hash.c index 1944c7a21d..4e733c4625 100644 --- a/src/core/ngx_hash.c +++ b/src/core/ngx_hash.c @@ -244,6 +244,152 @@ ngx_hash_find_combined(ngx_hash_combined_t *hash, ngx_uint_t key, u_char *name, return NULL; } +static ngx_uint_t ngx_hash_min_prime(ngx_uint_t value) { + static ngx_uint_t primes[] = + { + 3, + 7, + 11, + 17, + 23, + 29, + 37, + 47, + 59, + 71, + 89, + 107, + 131, + 163, + 197, + 239, + 293, + 353, + 431, + 521, + 631, + 761, + 919, + 1103, + 1327, + 1597, + 1931, + 2333, + 2801, + 3371, + 4049, + 4861, + 5839, + 7013, + 8419, + 10103, + 12143, + 14591, + 17519, + 21023, + 25229, + 30293, + 36353, + 43627, + 52361, + 62851, + 75431, + 90523, + 108631, + 130363, + 156437, + 187751, + 225307, + 270371, + 324449, + 389357, + 467237, + 560689, + 672827, + 807403, + 968897, + 1162687, + 1395263, + 1674319, + 2009191, + 2411033, + 2893249, + 3471899, + 4166287, + 4999559, + 5999471, + 7199369, + 7919311, + 8711267, + 9582409, + 10540661, + 11594729, + 12754219, + 14029643, + 15432619, + 16975891, + 18673483, + 20540831, + 22594919, + 24854419, + 27339863, + 30073853, + 33081239, + 36389369, + 40028333, + 44031179, + 48434303, + 53277769, + 58605563, + 64466147, + 70912783, + 78004061, + 85804471, + 94384919, + 103823417, + 114205771, + 125626351, + 138189017, + 152007971, + 167208817, + 183929719, + 202322693, + 222554977, + 244810487, + 269291537, + 296220709, + 325842779, + 358427071, + 394269781, + 433696759, + 477066449, + 524773133, + 577250461, + 634975519, + 698473099, + 768320467, + 845152513, + 929667799, + 1022634581, + 1124898043, + 1237387859, + 1361126671, + 1497239377, + 1646963321, + 1811659669, + 1992825643, + }; + + for (size_t i = 0; i < sizeof(primes)/sizeof(*primes); ++i) + { + ngx_uint_t prime = primes[i]; + if (prime > value) + { + return prime; + } + } + return value; +} #define NGX_HASH_ELT_SIZE(name) \ (sizeof(void *) + ngx_align((name)->key.len + 2, sizeof(void *))) @@ -283,6 +429,36 @@ ngx_hash_init(ngx_hash_init_t *hinit, ngx_hash_key_t *names, ngx_uint_t nelts) bucket_size = hinit->bucket_size - sizeof(void *); + /* + * For hash size check primes first, then try others. + * There cannot be more than log(max_size) primes to test + */ + + for (size = ngx_hash_min_prime(nelts); size <= hinit->max_size; size = ngx_hash_min_prime(size)) { + + ngx_memzero(test, size * sizeof(u_short)); + + for (n = 0; n < nelts; n++) { + if (names[n].key.data == NULL) { + continue; + } + + key = names[n].key_hash % size; + test[key] = (u_short) (test[key] + NGX_HASH_ELT_SIZE(&names[n])); + + if (test[key] > (u_short) bucket_size) { + goto next_prime; + } + } + + goto found; + + next_prime: + + continue; + } + + start = nelts / (bucket_size / (2 * sizeof(void *))); start = start ? start : 1; -------------- next part -------------- diff --git a/src/core/nginx.c b/src/core/nginx.c index abaa50d618..904a11fb76 100644 --- a/src/core/nginx.c +++ b/src/core/nginx.c @@ -8,6 +8,8 @@ #include #include #include +#include +#include static void ngx_show_version_info(void); @@ -282,6 +284,49 @@ main(int argc, char *const *argv) } cycle = ngx_init_cycle(&init_cycle); + + + /* Here will be hash tests */ + { + size_t elementscount = 5000; + ngx_hash_t hashx; + ngx_hash_key_t *elements; + ngx_hash_init_t hash; + struct rusage start,end; + ngx_log_stderr(0,"doing tests"); + + + elements = ngx_alloc(sizeof(ngx_hash_key_t)*elementscount,log); + + hash.hash = &hashx; + hash.key = ngx_hash_key; + hash.max_size = 10000; + hash.bucket_size = 64; + hash.name = "test_hash"; + hash.pool = ngx_create_pool(NGX_CYCLE_POOL_SIZE, log); + hash.temp_pool = NULL; + + srand(42); + for(size_t i=0;i>4)%16); + ((u_char*)elements[i].key.data)[2] = 'a' + ((i>>8)%16); + ((u_char*)elements[i].key.data)[0] = 'a' + ((i>>16)%16); + elements[i].key_hash = ngx_hash_key(elements[i].key.data,4); + } + + ngx_log_stderr(0, "before init"); + getrusage(RUSAGE_SELF,&start); + ngx_hash_init(&hash, elements , elementscount); + getrusage(RUSAGE_SELF,&end); + ngx_log_stderr(0, "after init"); + ngx_log_stderr(0, "time %d",end.ru_utime.tv_usec - start.ru_utime.tv_usec); + return 0; + } + if (cycle == NULL) { if (ngx_test_config) { ngx_log_stderr(0, "configuration file %s test failed", @@ -317,6 +362,7 @@ main(int argc, char *const *argv) return 0; } + if (ngx_signal) { return ngx_signal_process(cycle, ngx_signal); } From mdounin at mdounin.ru Thu Jun 1 13:52:24 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 01 Jun 2017 13:52:24 +0000 Subject: [nginx] Headers filter: style. Message-ID: details: http://hg.nginx.org/nginx/rev/057ec63be834 branches: changeset: 7017:057ec63be834 user: Piotr Sikora date: Wed May 31 13:51:35 2017 -0700 description: Headers filter: style. Signed-off-by: Piotr Sikora diffstat: src/http/modules/ngx_http_headers_filter_module.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (21 lines): diff --git a/src/http/modules/ngx_http_headers_filter_module.c b/src/http/modules/ngx_http_headers_filter_module.c --- a/src/http/modules/ngx_http_headers_filter_module.c +++ b/src/http/modules/ngx_http_headers_filter_module.c @@ -98,7 +98,7 @@ static ngx_command_t ngx_http_headers_f ngx_http_headers_expires, NGX_HTTP_LOC_CONF_OFFSET, 0, - NULL}, + NULL }, { ngx_string("add_header"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF @@ -106,7 +106,7 @@ static ngx_command_t ngx_http_headers_f ngx_http_headers_add, NGX_HTTP_LOC_CONF_OFFSET, 0, - NULL}, + NULL }, ngx_null_command }; From mdounin at mdounin.ru Thu Jun 1 13:52:27 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 01 Jun 2017 13:52:27 +0000 Subject: [nginx] Upstream: style. Message-ID: details: http://hg.nginx.org/nginx/rev/610a219b28f6 branches: changeset: 7018:610a219b28f6 user: Piotr Sikora date: Wed May 31 13:51:36 2017 -0700 description: Upstream: style. Signed-off-by: Piotr Sikora diffstat: src/http/ngx_http_upstream.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -2729,7 +2729,7 @@ ngx_http_upstream_process_body_in_memory rev = c->read; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process body on memory"); + "http upstream process body in memory"); if (rev->timedout) { ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); From mdounin at mdounin.ru Thu Jun 1 13:52:30 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 01 Jun 2017 13:52:30 +0000 Subject: [nginx] Style. Message-ID: details: http://hg.nginx.org/nginx/rev/8ce1a34f160b branches: changeset: 7019:8ce1a34f160b user: Maxim Dounin date: Thu Jun 01 16:49:14 2017 +0300 description: Style. diffstat: src/os/unix/ngx_udp_sendmsg_chain.c | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) diffs (20 lines): diff --git a/src/os/unix/ngx_udp_sendmsg_chain.c b/src/os/unix/ngx_udp_sendmsg_chain.c --- a/src/os/unix/ngx_udp_sendmsg_chain.c +++ b/src/os/unix/ngx_udp_sendmsg_chain.c @@ -206,13 +206,13 @@ ngx_sendmsg(ngx_connection_t *c, ngx_iov #if (NGX_HAVE_MSGHDR_MSG_CONTROL) #if (NGX_HAVE_IP_SENDSRCADDR) - u_char msg_control[CMSG_SPACE(sizeof(struct in_addr))]; + u_char msg_control[CMSG_SPACE(sizeof(struct in_addr))]; #elif (NGX_HAVE_IP_PKTINFO) - u_char msg_control[CMSG_SPACE(sizeof(struct in_pktinfo))]; + u_char msg_control[CMSG_SPACE(sizeof(struct in_pktinfo))]; #endif #if (NGX_HAVE_INET6 && NGX_HAVE_IPV6_RECVPKTINFO) - u_char msg_control6[CMSG_SPACE(sizeof(struct in6_pktinfo))]; + u_char msg_control6[CMSG_SPACE(sizeof(struct in6_pktinfo))]; #endif #endif From mdounin at mdounin.ru Thu Jun 1 13:52:42 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 1 Jun 2017 16:52:42 +0300 Subject: [PATCH] Headers filter: style In-Reply-To: <057ec63be834988b6435.1496264040@piotrsikora.sfo.corp.google.com> References: <057ec63be834988b6435.1496264040@piotrsikora.sfo.corp.google.com> Message-ID: <20170601135242.GK55433@mdounin.ru> Hello! On Wed, May 31, 2017 at 01:54:00PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1496263895 25200 > # Wed May 31 13:51:35 2017 -0700 > # Node ID 057ec63be834988b6435b4ef64a1c3bd0cc23959 > # Parent ab6ef3037840393752d82fac01ea1eb4f972301c > Headers filter: style. > > Signed-off-by: Piotr Sikora > > diff -r ab6ef3037840 -r 057ec63be834 src/http/modules/ngx_http_headers_filter_module.c > --- a/src/http/modules/ngx_http_headers_filter_module.c > +++ b/src/http/modules/ngx_http_headers_filter_module.c > @@ -98,7 +98,7 @@ static ngx_command_t ngx_http_headers_f > ngx_http_headers_expires, > NGX_HTTP_LOC_CONF_OFFSET, > 0, > - NULL}, > + NULL }, > > { ngx_string("add_header"), > NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF > @@ -106,7 +106,7 @@ static ngx_command_t ngx_http_headers_f > ngx_http_headers_add, > NGX_HTTP_LOC_CONF_OFFSET, > 0, > - NULL}, > + NULL }, > > ngx_null_command > }; Committed, thanks. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Thu Jun 1 13:52:54 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 1 Jun 2017 16:52:54 +0300 Subject: [PATCH] Upstream: style In-Reply-To: References: Message-ID: <20170601135254.GL55433@mdounin.ru> Hello! On Wed, May 31, 2017 at 01:54:05PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1496263896 25200 > # Wed May 31 13:51:36 2017 -0700 > # Node ID e7219bf8bc3781d3912a951f09553bb2f0a53b70 > # Parent ab6ef3037840393752d82fac01ea1eb4f972301c > Upstream: style. > > Signed-off-by: Piotr Sikora > > diff -r ab6ef3037840 -r e7219bf8bc37 src/http/ngx_http_upstream.c > --- a/src/http/ngx_http_upstream.c > +++ b/src/http/ngx_http_upstream.c > @@ -2729,7 +2729,7 @@ ngx_http_upstream_process_body_in_memory > rev = c->read; > > ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, > - "http upstream process body on memory"); > + "http upstream process body in memory"); > > if (rev->timedout) { > ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); Committed, thanks. -- Maxim Dounin http://nginx.org/ From arut at nginx.com Thu Jun 1 14:05:18 2017 From: arut at nginx.com (Roman Arutyunyan) Date: Thu, 01 Jun 2017 14:05:18 +0000 Subject: [nginx] Configure: disabled IP_PKTINFO feature on certain platforms. Message-ID: details: http://hg.nginx.org/nginx/rev/716852cce913 branches: changeset: 7020:716852cce913 user: Roman Arutyunyan date: Thu Jun 01 15:44:23 2017 +0300 description: Configure: disabled IP_PKTINFO feature on certain platforms. On Cygwin and NetBSD 7.0+ struct in_pktinfo has no ipi_spec_dst field, which caused nginx compilation error. Now presence of this field is ensured by the IP_PKTINFO feature test. The problem was introduced by dbb0c854e308 (1.13.0). diffstat: auto/unix | 5 ++++- 1 files changed, 4 insertions(+), 1 deletions(-) diffs (15 lines): diff -r 8ce1a34f160b -r 716852cce913 auto/unix --- a/auto/unix Thu Jun 01 16:49:14 2017 +0300 +++ b/auto/unix Thu Jun 01 15:44:23 2017 +0300 @@ -428,7 +428,10 @@ ngx_feature_incs="#include " ngx_feature_path= ngx_feature_libs= -ngx_feature_test="setsockopt(0, IPPROTO_IP, IP_PKTINFO, NULL, 0)" +ngx_feature_test="struct in_pktinfo pkt; + pkt.ipi_spec_dst.s_addr = INADDR_ANY; + (void) pkt; + setsockopt(0, IPPROTO_IP, IP_PKTINFO, NULL, 0)" . auto/feature From vbart at nginx.com Thu Jun 1 14:48:25 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 01 Jun 2017 17:48:25 +0300 Subject: [PATCH 1 of 4] HTTP/2: emit new frames only after applying all SETTINGS params In-Reply-To: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> Message-ID: <8753794.qGPzJ25FTB@vbart-workstation> On Monday 24 April 2017 15:48:23 Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1493073310 25200 > # Mon Apr 24 15:35:10 2017 -0700 > # Node ID 07adf0a7009c3244de4b795c0c06927f4316a87f > # Parent 2c4dbcd6f2e4c9c2a1eb8dc1f0d39c99975ae208 > HTTP/2: emit new frames only after applying all SETTINGS params. > > Previously, new frames could be emitted in the middle of applying > new (and already acknowledged) SETTINGS params, which is illegal. > > Signed-off-by: Piotr Sikora > > diff -r 2c4dbcd6f2e4 -r 07adf0a7009c src/http/v2/ngx_http_v2.c > --- a/src/http/v2/ngx_http_v2.c > +++ b/src/http/v2/ngx_http_v2.c > @@ -1982,7 +1982,9 @@ static u_char * > ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos, > u_char *end) > { > - ngx_uint_t id, value; > + ngx_uint_t id, value, adjustment; The new initial window size can be lower than the previous one, so the difference can be negative (that's why the delta parameter of ngx_http_v2_adjust_windows() is ssize_t). Please consider the patch below: diff -r 00015416ae79 src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c Mon Apr 24 15:35:10 2017 -0700 +++ b/src/http/v2/ngx_http_v2.c Thu Jun 01 17:45:37 2017 +0300 @@ -1969,7 +1969,8 @@ static u_char * ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos, u_char *end) { - ngx_uint_t id, value, adjustment; + ssize_t window_delta; + ngx_uint_t id, value; adjustment = 0; @@ -1997,7 +1998,8 @@ ngx_http_v2_state_settings_params(ngx_ht NGX_HTTP_V2_FLOW_CTRL_ERROR); } - adjustment = value - h2c->init_window; + window_delta = value - h2c->init_window; + h2c->init_window = value; break; @@ -2024,8 +2026,8 @@ ngx_http_v2_state_settings_params(ngx_ht pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE; } - if (adjustment) { - if (ngx_http_v2_adjust_windows(h2c, adjustment) != NGX_OK) { + if (window_delta) { + if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); } wbr, Valentin V. Bartenev From Nate.Karstens at garmin.com Thu Jun 1 17:20:53 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Thu, 1 Jun 2017 17:20:53 +0000 Subject: PSK Support Message-ID: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7E3@OLAWPA-EXMB04.ad.garmin.com> Greetings, I'm about push 3 patches that add support for PSK TLS cipher suites to nginx and thought it would be good to discuss the feature itself in a separate thread. First, PSK support is useful in certain environments that are not conducive to a full public key infrastructure. The environment I'm personally working with is the recreational boating market; we are developing a new industry standard that relies on HTTPS, secured by PSK, for much of its underlying security protocol. I think this would also be useful to the IoT market. A quick search shows that some other users have been interested in this feature: https://forum.nginx.org/read.php?2,272443,272443 https://stackoverflow.com/questions/22513641/pre-shared-keys-tls-psk-nginx-configuration After applying the patches, one can enable PSK support by adding a few directives to their nginx.conf: 1) "ssl_nocert" -- This disables checks for a certificate within nginx. By default these checks are enabled because most users will need a certificate. This is analogous to the "-nocert" option in the OpenSSL s_server. 2) "ssl_psk_path" -- This is a local folder that contains all of the valid PSKs. Each file in the folder is loaded into memory as a PSK, and its file name is used as the PSK identity. When the client connects it specifies the identity of the PSK it is using for the connection. The server looks up the key using hash of the loaded PSKs and if the keys match then the TLS handshake is successful. Note that the identity of the PSK is made available in the variable $ssl_psk_identity. 3) Add some PSK ciphers to the "ssl_ciphers" directive. Thanks, Nate Karstens Garmin International, Inc. ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From Nate.Karstens at garmin.com Thu Jun 1 17:21:01 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Thu, 1 Jun 2017 17:21:01 +0000 Subject: [PATCH 1 of 3] PSK: make server certificates optional Message-ID: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7F1@OLAWPA-EXMB04.ad.garmin.com> # HG changeset patch # User Nate Karstens # Date 1496332504 18000 # Thu Jun 01 10:55:04 2017 -0500 # Node ID a38066b79d71b6ecb62a9f7618afe2cf3ed8a4f9 # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 PSK: make server certificates optional Adds the directive "ssl_nocert" to the ngx_http_ssl_module to allow the user to indicate that the absence of a certificate is intentional. Any cipher suites that rely on certificates will not function properly. Servers that only use PSK will error out without this change. Signed-off-by: Nate Karstens diff -r 716852cce913 -r a38066b79d71 contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim Thu Jun 01 15:44:23 2017 +0300 +++ b/contrib/vim/syntax/nginx.vim Thu Jun 01 10:55:04 2017 -0500 @@ -546,6 +546,7 @@ syn keyword ngxDirective contained ssl_ecdh_curve syn keyword ngxDirective contained ssl_engine syn keyword ngxDirective contained ssl_handshake_timeout +syn keyword ngxDirective contained ssl_nocert syn keyword ngxDirective contained ssl_password_file syn keyword ngxDirective contained ssl_prefer_server_ciphers syn keyword ngxDirective contained ssl_preread diff -r 716852cce913 -r a38066b79d71 src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 15:44:23 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 10:55:04 2017 -0500 @@ -101,6 +101,13 @@ 0, NULL }, + { ngx_string("ssl_nocert"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, nocert), + NULL }, + { ngx_string("ssl_dhparam"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_str_slot, @@ -546,6 +553,7 @@ sscf->buffer_size = NGX_CONF_UNSET_SIZE; sscf->verify = NGX_CONF_UNSET_UINT; sscf->verify_depth = NGX_CONF_UNSET_UINT; + sscf->nocert = NGX_CONF_UNSET; sscf->certificates = NGX_CONF_UNSET_PTR; sscf->certificate_keys = NGX_CONF_UNSET_PTR; sscf->passwords = NGX_CONF_UNSET_PTR; @@ -595,6 +603,7 @@ ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); + ngx_conf_merge_value(conf->nocert, prev->nocert, 0); ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL); ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys, NULL); @@ -622,50 +631,52 @@ conf->ssl.log = cf->log; - if (conf->enable) { + if (!conf->nocert) { + if (conf->enable) { - if (conf->certificates == NULL) { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "no \"ssl_certificate\" is defined for " - "the \"ssl\" directive in %s:%ui", - conf->file, conf->line); - return NGX_CONF_ERROR; - } + if (conf->certificates == NULL) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no \"ssl_certificate\" is defined for " + "the \"ssl\" directive in %s:%ui", + conf->file, conf->line); + return NGX_CONF_ERROR; + } - if (conf->certificate_keys == NULL) { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "no \"ssl_certificate_key\" is defined for " - "the \"ssl\" directive in %s:%ui", - conf->file, conf->line); - return NGX_CONF_ERROR; - } + if (conf->certificate_keys == NULL) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no \"ssl_certificate_key\" is defined for " + "the \"ssl\" directive in %s:%ui", + conf->file, conf->line); + return NGX_CONF_ERROR; + } - if (conf->certificate_keys->nelts < conf->certificates->nelts) { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "no \"ssl_certificate_key\" is defined " - "for certificate \"%V\" and " - "the \"ssl\" directive in %s:%ui", - ((ngx_str_t *) conf->certificates->elts) - + conf->certificates->nelts - 1, - conf->file, conf->line); - return NGX_CONF_ERROR; - } + if (conf->certificate_keys->nelts < conf->certificates->nelts) { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no \"ssl_certificate_key\" is defined " + "for certificate \"%V\" and " + "the \"ssl\" directive in %s:%ui", + ((ngx_str_t *) conf->certificates->elts) + + conf->certificates->nelts - 1, + conf->file, conf->line); + return NGX_CONF_ERROR; + } - } else { + } else { - if (conf->certificates == NULL) { - return NGX_CONF_OK; - } + if (conf->certificates == NULL) { + return NGX_CONF_OK; + } - if (conf->certificate_keys == NULL - || conf->certificate_keys->nelts < conf->certificates->nelts) - { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "no \"ssl_certificate_key\" is defined " - "for certificate \"%V\"", - ((ngx_str_t *) conf->certificates->elts) - + conf->certificates->nelts - 1); - return NGX_CONF_ERROR; + if (conf->certificate_keys == NULL + || conf->certificate_keys->nelts < conf->certificates->nelts) + { + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "no \"ssl_certificate_key\" is defined " + "for certificate \"%V\"", + ((ngx_str_t *) conf->certificates->elts) + + conf->certificates->nelts - 1); + return NGX_CONF_ERROR; + } } } @@ -704,11 +715,15 @@ cln->handler = ngx_ssl_cleanup_ctx; cln->data = &conf->ssl; - if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, - conf->certificate_keys, conf->passwords) - != NGX_OK) - { - return NGX_CONF_ERROR; + if (conf->certificates && conf->certificate_keys) { + + if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates, + conf->certificate_keys, conf->passwords) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + } if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers, diff -r 716852cce913 -r a38066b79d71 src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 15:44:23 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 10:55:04 2017 -0500 @@ -32,6 +32,7 @@ time_t session_timeout; + ngx_flag_t nocert; ngx_array_t *certificates; ngx_array_t *certificate_keys; ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From Nate.Karstens at garmin.com Thu Jun 1 17:21:18 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Thu, 1 Jun 2017 17:21:18 +0000 Subject: [PATCH 2 of 3] PSK: add configuration directives Message-ID: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7FE@OLAWPA-EXMB04.ad.garmin.com> # HG changeset patch # User Nate Karstens # Date 1496332865 18000 # Thu Jun 01 11:01:05 2017 -0500 # Node ID 7aa7771191d61ef635478460017446bca1f6db55 # Parent a38066b79d71b6ecb62a9f7618afe2cf3ed8a4f9 PSK: add configuration directives Adds the directive "ssl_psk_dir" to the ngx_http_ssl_module. This allows the user to specify a folder that contains the set of PSKs that can be used to form a connection. Each key in the directory is read into memory and the file name is saved as the key identity. Also added the "ssl_psk_hash_max_size" and "ssl_psk_hash_bucket_size" directives to configure the hash that stores PSK data. This functionality can be easily tested with the OpenSSL s_client using the "-psk" and "-psk_identity" options. Signed-off-by: Nate Karstens diff -r a38066b79d71 -r 7aa7771191d6 contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim Thu Jun 01 10:55:04 2017 -0500 +++ b/contrib/vim/syntax/nginx.vim Thu Jun 01 11:01:05 2017 -0500 @@ -551,6 +551,9 @@ syn keyword ngxDirective contained ssl_prefer_server_ciphers syn keyword ngxDirective contained ssl_preread syn keyword ngxDirective contained ssl_protocols +syn keyword ngxDirective contained ssl_psk_path +syn keyword ngxDirective contained ssl_psk_hash_bucket_size +syn keyword ngxDirective contained ssl_psk_hash_max_size syn keyword ngxDirective contained ssl_session_cache syn keyword ngxDirective contained ssl_session_ticket_key syn keyword ngxDirective contained ssl_session_tickets diff -r a38066b79d71 -r 7aa7771191d6 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Thu Jun 01 10:55:04 2017 -0500 +++ b/src/event/ngx_event_openssl.c Thu Jun 01 11:01:05 2017 -0500 @@ -23,6 +23,8 @@ static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret); +static unsigned int ngx_ssl_psk_callback(SSL *ssl, const char *identity, + unsigned char *psk, unsigned int max_psk_len); static void ngx_ssl_passwords_cleanup(void *data); static void ngx_ssl_handshake_handler(ngx_event_t *ev); static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); @@ -114,6 +116,7 @@ int ngx_ssl_next_certificate_index; int ngx_ssl_certificate_name_index; int ngx_ssl_stapling_index; +int ngx_ssl_psk_index; ngx_int_t @@ -225,6 +228,13 @@ return NGX_ERROR; } + ngx_ssl_psk_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); + + if (ngx_ssl_psk_index == -1) { + ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); + return NGX_ERROR; + } + return NGX_OK; } @@ -345,6 +355,7 @@ SSL_CTX_set_read_ahead(ssl->ctx, 1); SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); + SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback); return NGX_OK; } @@ -875,6 +886,40 @@ } +static unsigned int ngx_ssl_psk_callback(SSL *ssl, const char *identity, + unsigned char *psk, unsigned int max_psk_len) +{ + SSL_CTX *ssl_ctx; + size_t identity_len; + ngx_hash_t *psk_hash; + ngx_uint_t key; + ngx_str_t *psk_str; + + ssl_ctx = SSL_get_SSL_CTX(ssl); + identity_len = strlen(identity); + + psk_hash = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_psk_index); + if (psk_hash == NULL) { + return 0; + } + + key = ngx_hash_key((u_char *)identity, identity_len); + + psk_str = ngx_hash_find(psk_hash, key, (u_char *)identity, identity_len); + if (psk_str == NULL) { + return 0; + } + + if (psk_str->len > max_psk_len) { + return 0; + } + + ngx_memcpy(psk, psk_str->data, psk_str->len); + + return psk_str->len; +} + + RSA * ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, int key_length) @@ -3137,6 +3182,158 @@ #endif +ngx_int_t +ngx_ssl_psk_path(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *path, + ngx_uint_t psk_hash_max_size, ngx_uint_t psk_hash_bucket_size) + +{ + ngx_err_t err; + ngx_uint_t level; + ngx_dir_t dir; + ngx_file_t file; + ssize_t read; + ngx_str_t *psk_str; + ngx_hash_keys_arrays_t psk_keys; + ngx_str_t key; + ngx_hash_t *psk_hash; + ngx_hash_init_t hash; + + if (path->len == 0) { + return NGX_OK; + } + + psk_keys.pool = cf->pool; + psk_keys.temp_pool = cf->temp_pool; + + ngx_hash_keys_array_init(&psk_keys, NGX_HASH_SMALL); + + if (ngx_open_dir(path, &dir) == NGX_ERROR) { + err = ngx_errno; + + level = (err == NGX_ENOENT + || err == NGX_ENOTDIR + || err == NGX_ENAMETOOLONG + || err == NGX_EACCES) ? NGX_LOG_ERR : NGX_LOG_CRIT; + + ngx_ssl_error(level, ssl->log, err, + ngx_open_dir_n " \"%s\" failed", path->data); + + return NGX_ERROR; + } + + for ( ;; ) { + ngx_set_errno(0); + + if (ngx_read_dir(&dir) == NGX_ERROR) { + err = ngx_errno; + + if (err == NGX_ENOMOREFILES) { + break; + } + + ngx_ssl_error(NGX_LOG_CRIT, ssl->log, err, + ngx_read_dir_n " \"%V\" failed", &path); + return NGX_ERROR; + } + + if (!ngx_de_is_file(&dir)) { + continue; + } + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ssl->log, 0, + "loading PSK from file: \"%s\"", ngx_de_name(&dir)); + + file.name.len = ngx_de_namelen(&dir) + 2; + file.name.data = ngx_pnalloc(cf->pool, file.name.len); + if (file.name.data == NULL) { + return NGX_ERROR; + } + + ngx_sprintf(file.name.data, "%V/%s%Z", path, ngx_de_name(&dir)); + + file.log = ssl->log; + + file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, 0, 0); + if (file.fd == NGX_INVALID_FILE) { + err = ngx_errno; + ngx_ssl_error(NGX_LOG_CRIT, ssl->log, err, + ngx_open_file_n " \"%s\" failed", file.name.data); + return NGX_ERROR; + } + + if (ngx_fd_info(file.fd, &file.info) == NGX_FILE_ERROR) { + ngx_ssl_error(NGX_LOG_CRIT, ssl->log, ngx_errno, + ngx_fd_info_n " \"%s\" failed", file.name.data); + return NGX_ERROR; + } + + psk_str = ngx_palloc(cf->pool, sizeof(ngx_str_t)); + if (psk_str == NULL) { + return NGX_ERROR; + } + + psk_str->len = file.info.st_size; + psk_str->data = ngx_pnalloc(cf->pool, psk_str->len); + + read = ngx_read_file(&file, psk_str->data, psk_str->len, 0); + if (read == NGX_ERROR) { + ngx_ssl_error(NGX_LOG_CRIT, ssl->log, ngx_errno, + ngx_read_file_n " \"%s\" failed", file.name.data); + return NGX_ERROR; + } + + if ((size_t)read != psk_str->len) { + ngx_ssl_error(NGX_LOG_CRIT, ssl->log, 0, + ngx_read_file_n + " \"%s\" returned only %z bytes instead of %z", + file.name.data, read, psk_str->len); + return NGX_ERROR; + } + + if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { + ngx_ssl_error(NGX_LOG_ALERT, ssl->log, ngx_errno, + ngx_close_file_n " \"%s\" failed", file.name.data); + } + + ngx_pfree(cf->pool, file.name.data); + + key.data = ngx_de_name(&dir); + key.len = ngx_de_namelen(&dir); + + ngx_hash_add_key(&psk_keys, &key, psk_str, NGX_HASH_READONLY_KEY); + } + + if (ngx_close_dir(&dir) == NGX_ERROR) { + ngx_log_error(NGX_LOG_CRIT, ssl->log, ngx_errno, + ngx_close_dir_n " \"%s\" failed", path->data); + } + + psk_hash = ngx_palloc(cf->pool, sizeof(ngx_hash_t)); + + hash.hash = psk_hash; + hash.key = ngx_hash_key; + hash.max_size = psk_hash_max_size; + hash.bucket_size = psk_hash_bucket_size; + hash.name = "psk_hash"; + hash.pool = cf->pool; + hash.temp_pool = cf->temp_pool; + + if (ngx_hash_init(&hash, psk_keys.keys.elts, psk_keys.keys.nelts) + != NGX_OK) + { + return NGX_ERROR; + } + + if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, psk_hash) == 0) { + ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0, + "SSL_CTX_set_ex_data() failed"); + return NGX_ERROR; + } + + return NGX_OK; +} + + void ngx_ssl_cleanup_ctx(void *data) { diff -r a38066b79d71 -r 7aa7771191d6 src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h Thu Jun 01 10:55:04 2017 -0500 +++ b/src/event/ngx_event_openssl.h Thu Jun 01 11:01:05 2017 -0500 @@ -171,6 +171,9 @@ ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout); ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths); +ngx_int_t ngx_ssl_psk_path(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *path, + ngx_uint_t psk_hash_max_size, + ngx_uint_t psk_hash_bucket_size); ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags); @@ -255,6 +258,7 @@ extern int ngx_ssl_next_certificate_index; extern int ngx_ssl_certificate_name_index; extern int ngx_ssl_stapling_index; +extern int ngx_ssl_psk_index; #endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */ diff -r a38066b79d71 -r 7aa7771191d6 src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 10:55:04 2017 -0500 +++ b/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 11:01:05 2017 -0500 @@ -240,6 +240,27 @@ NGX_HTTP_SRV_CONF_OFFSET, offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, + + { ngx_string("ssl_psk_path"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_str_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_path), + NULL }, + + { ngx_string("ssl_psk_hash_max_size"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_hash_max_size), + NULL }, + + { ngx_string("ssl_psk_hash_bucket_size"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_num_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, psk_hash_bucket_size), + NULL }, ngx_null_command }; @@ -546,6 +567,7 @@ * sscf->shm_zone = NULL; * sscf->stapling_file = { 0, NULL }; * sscf->stapling_responder = { 0, NULL }; + * sscf->psk_path = { 0, NULL }; */ sscf->enable = NGX_CONF_UNSET; @@ -563,6 +585,8 @@ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; sscf->stapling = NGX_CONF_UNSET; sscf->stapling_verify = NGX_CONF_UNSET; + sscf->psk_hash_max_size = NGX_CONF_UNSET_UINT; + sscf->psk_hash_bucket_size = NGX_CONF_UNSET_UINT; return sscf; } @@ -629,6 +653,14 @@ ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); + ngx_conf_merge_str_value(conf->psk_path, prev->psk_path, ""); + ngx_conf_merge_uint_value(conf->psk_hash_max_size, + prev->psk_hash_max_size, 512); + ngx_conf_merge_uint_value(conf->psk_hash_bucket_size, + prev->psk_hash_bucket_size, 64); + conf->psk_hash_bucket_size = ngx_align(conf->psk_hash_bucket_size, + ngx_cacheline_size); + conf->ssl.log = cf->log; if (!conf->nocert) { @@ -815,6 +847,13 @@ } + if (ngx_ssl_psk_path(cf, &conf->ssl, &conf->psk_path, + conf->psk_hash_max_size, conf->psk_hash_bucket_size) + != NGX_OK) + { + return NGX_CONF_ERROR; + } + return NGX_CONF_OK; } diff -r a38066b79d71 -r 7aa7771191d6 src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 10:55:04 2017 -0500 +++ b/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 11:01:05 2017 -0500 @@ -56,6 +56,10 @@ ngx_str_t stapling_file; ngx_str_t stapling_responder; + ngx_str_t psk_path; + ngx_uint_t psk_hash_max_size; + ngx_uint_t psk_hash_bucket_size; + u_char *file; ngx_uint_t line; } ngx_http_ssl_srv_conf_t; ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From Nate.Karstens at garmin.com Thu Jun 1 17:21:35 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Thu, 1 Jun 2017 17:21:35 +0000 Subject: [PATCH 3 of 3] PSK: add PSK identity variable Message-ID: <145451D4E6785E4DA4DFA353A58CB7B2015E15B80E@OLAWPA-EXMB04.ad.garmin.com> # HG changeset patch # User Nate Karstens # Date 1496332963 18000 # Thu Jun 01 11:02:43 2017 -0500 # Node ID cb09937f63834ab74b49a76b9b158dd0a5871309 # Parent 7aa7771191d61ef635478460017446bca1f6db55 PSK: add PSK identity variable Adds the variable $ssl_psk_identity to get the PSK identity used in a connnection secured with a PSK cipher suite. Signed-off-by: Nate Karstens diff -r 7aa7771191d6 -r cb09937f6383 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c Thu Jun 01 11:01:05 2017 -0500 +++ b/src/event/ngx_event_openssl.c Thu Jun 01 11:02:43 2017 -0500 @@ -4286,6 +4286,33 @@ } +ngx_int_t +ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) +{ + const char *identity; + size_t len; + + identity = SSL_get_psk_identity(c->ssl->connection); + + if (identity == NULL) { + s->len = 0; + return NGX_OK; + } + + len = ngx_strlen(identity); + + s->data = ngx_pnalloc(pool, len); + if (s->data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(s->data, identity, len); + s->len = len; + + return NGX_OK; +} + + static time_t ngx_ssl_parse_time( #if OPENSSL_VERSION_NUMBER > 0x10100000L diff -r 7aa7771191d6 -r cb09937f6383 src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h Thu Jun 01 11:01:05 2017 -0500 +++ b/src/event/ngx_event_openssl.h Thu Jun 01 11:02:43 2017 -0500 @@ -235,6 +235,8 @@ ngx_str_t *s); ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s); +ngx_int_t ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, + ngx_str_t *s); ngx_int_t ngx_ssl_handshake(ngx_connection_t *c); diff -r 7aa7771191d6 -r cb09937f6383 src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 11:01:05 2017 -0500 +++ b/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 11:02:43 2017 -0500 @@ -357,6 +357,9 @@ { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable, (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_string("ssl_psk_identity"), NULL, ngx_http_ssl_variable, + (uintptr_t) ngx_ssl_get_psk_identity, NGX_HTTP_VAR_CHANGEABLE, 0 }, + { ngx_null_string, NULL, NULL, 0, 0, 0 } }; ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From vbart at nginx.com Thu Jun 1 17:22:13 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 01 Jun 2017 20:22:13 +0300 Subject: [PATCH 2 of 4] HTTP/2: send SETTINGS ACK after applying all SETTINGS params In-Reply-To: References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> Message-ID: <1519381.o8kJVBhGLJ@vbart-workstation> On Monday 24 April 2017 15:48:24 Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1493073310 25200 > # Mon Apr 24 15:35:10 2017 -0700 > # Node ID a8cfd4c454ff5433629bfd16444c6c71ee932fa1 > # Parent 07adf0a7009c3244de4b795c0c06927f4316a87f > HTTP/2: send SETTINGS ACK after applying all SETTINGS params. > > This avoids sending unnecessary SETTINGS ACK in case of PROTOCOL_ERROR. > > Signed-off-by: Piotr Sikora > > diff -r 07adf0a7009c -r a8cfd4c454ff src/http/v2/ngx_http_v2.c > --- a/src/http/v2/ngx_http_v2.c > +++ b/src/http/v2/ngx_http_v2.c > @@ -1972,8 +1972,6 @@ ngx_http_v2_state_settings(ngx_http_v2_c > return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); > } > > - ngx_http_v2_send_settings(h2c, 1); > - > return ngx_http_v2_state_settings_params(h2c, pos, end); > } > > @@ -2037,6 +2035,8 @@ ngx_http_v2_state_settings_params(ngx_ht > pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE; > } > > + ngx_http_v2_send_settings(h2c, 1); > + > if (adjustment) { > if (ngx_http_v2_adjust_windows(h2c, adjustment) != NGX_OK) { > return ngx_http_v2_connection_error(h2c, Looks good. wbr, Valentin V. Bartenev From mdounin at mdounin.ru Thu Jun 1 17:39:51 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 1 Jun 2017 20:39:51 +0300 Subject: Use primes for hashtable size In-Reply-To: References: <20170530130137.GT55433@mdounin.ru> Message-ID: <20170601173951.GO55433@mdounin.ru> Hello! On Thu, Jun 01, 2017 at 04:54:50PM +0500, Andrew Borodin wrote: > Hi, Maxim! > > 2017-05-30 18:01 GMT+05:00 Maxim Dounin : > > > > The maximum size of hash table as specified by the hinit->max_size > > field is indeed maximum size, and not the size of the hash table. > > Following code in the ngx_hash_init() will try hard to find to > > find out an optimal hash size for a given set of values within the > > maximum size specified, and will test all the prime numbers as > > well. > > > > I see no reasons to additionally limit the maximum size to a prime > > number. If you think there are some, please be more specific. > > > > You are right. I've modified patch to checkout primes first, then proceed > to "hard work" . Also I've kolhozed some perf prove of improvement. > This test creates a hash table of 5000 semirandom strings (not very random, > just bytes permutated). > On my Ubuntu VM without patch hash creation is 92-96ms, with patch it's > strictly 0. "hard work" search tries about 2k sizes before success, primes > search hits at second. > > Docs say some words about startup speed and I wanted to apply primes > somewhere, so here we go. Thanks, though suggested change will certainly modify current nginx (documented) approach of searching for minimum possible hash sizes. It might be a better solution for large hashes though, as currently optimized by using a larger start size: if (hinit->max_size > 10000 && nelts && hinit->max_size / nelts < 100) { start = hinit->max_size - 1000; } Not sure it is at all needed though, as I don't remember any "words about startup speed" in the documentation and startup speed of hashes wasn't a practical problem as far as I remember. -- Maxim Dounin http://nginx.org/ From vbart at nginx.com Thu Jun 1 17:51:59 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 01 Jun 2017 20:51:59 +0300 Subject: [PATCH 3 of 4] HTTP/2: make SETTINGS ACK frame reusable In-Reply-To: References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> Message-ID: <22008327.Bf6S9Lx5iZ@vbart-workstation> On Monday 24 April 2017 15:48:25 Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1493073310 25200 > # Mon Apr 24 15:35:10 2017 -0700 > # Node ID b8d7f4a4d5abb4a27a772910358e263d49c618ef > # Parent a8cfd4c454ff5433629bfd16444c6c71ee932fa1 > HTTP/2: make SETTINGS ACK frame reusable. > > Signed-off-by: Piotr Sikora > [..] > @@ -2495,8 +2503,8 @@ ngx_http_v2_send_settings(ngx_http_v2_co > ngx_http_v2_srv_conf_t *h2scf; > ngx_http_v2_out_frame_t *frame; > > - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, > - "http2 send SETTINGS frame ack:%ui", ack); > + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, > + "http2 send SETTINGS frame params:3"); > [..] I'm pretty sure that this number will be forgotten to change after adding new parameters. Since in another patch you are suggesting to add debug messages to print each parameter then they will be countable without a problem. Let it be just: ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, "http2 send SETTINGS frame"); wbr, Valentin V. Bartenev From vbart at nginx.com Thu Jun 1 17:52:38 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 01 Jun 2017 20:52:38 +0300 Subject: [PATCH 4 of 4] HTTP/2: don't send SETTINGS ACK before already queued DATA frames In-Reply-To: <3624fa075acac110a08c.1493074106@piotrsikora.sfo.corp.google.com> References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> <3624fa075acac110a08c.1493074106@piotrsikora.sfo.corp.google.com> Message-ID: <3026243.Ae8Ev985dJ@vbart-workstation> On Monday 24 April 2017 15:48:26 Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1493073310 25200 > # Mon Apr 24 15:35:10 2017 -0700 > # Node ID 3624fa075acac110a08c0f1c928c545a58c5801f > # Parent b8d7f4a4d5abb4a27a772910358e263d49c618ef > HTTP/2: don't send SETTINGS ACK before already queued DATA frames. > > Previously, SETTINGS ACK was sent immediately upon receipt of SETTINGS > frame, before already queued DATA frames created using old SETTINGS. > > This incorrect behavior was source of interoperability issues, because > peers rely on the fact that new SETTINGS are in effect after receiving > SETTINGS ACK. > > Reported by Feng Li. > > Signed-off-by: Piotr Sikora > > diff -r b8d7f4a4d5ab -r 3624fa075aca src/http/v2/ngx_http_v2.c > --- a/src/http/v2/ngx_http_v2.c > +++ b/src/http/v2/ngx_http_v2.c > @@ -2043,7 +2043,7 @@ ngx_http_v2_state_settings_params(ngx_ht > return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); > } > > - ngx_http_v2_queue_blocked_frame(h2c, frame); > + ngx_http_v2_queue_ordered_frame(h2c, frame); > > if (adjustment) { > if (ngx_http_v2_adjust_windows(h2c, adjustment) != NGX_OK) { > diff -r b8d7f4a4d5ab -r 3624fa075aca src/http/v2/ngx_http_v2.h > --- a/src/http/v2/ngx_http_v2.h > +++ b/src/http/v2/ngx_http_v2.h > @@ -261,6 +261,15 @@ ngx_http_v2_queue_blocked_frame(ngx_http > } > > > +static ngx_inline void > +ngx_http_v2_queue_ordered_frame(ngx_http_v2_connection_t *h2c, > + ngx_http_v2_out_frame_t *frame) > +{ > + frame->next = h2c->last_out; > + h2c->last_out = frame; > +} > + > + > void ngx_http_v2_init(ngx_event_t *rev); > void ngx_http_v2_request_headers_init(void); > Looks good. wbr, Valentin V. Bartenev From vbart at nginx.com Thu Jun 1 17:54:54 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 01 Jun 2017 20:54:54 +0300 Subject: [PATCH 1 of 4] HTTP/2: emit new frames only after applying all SETTINGS params In-Reply-To: <8753794.qGPzJ25FTB@vbart-workstation> References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> <8753794.qGPzJ25FTB@vbart-workstation> Message-ID: <2363492.pM8K820MxA@vbart-workstation> On Thursday 01 June 2017 17:48:25 Valentin V. Bartenev wrote: > On Monday 24 April 2017 15:48:23 Piotr Sikora via nginx-devel wrote: > > # HG changeset patch > > # User Piotr Sikora > > # Date 1493073310 25200 > > # Mon Apr 24 15:35:10 2017 -0700 > > # Node ID 07adf0a7009c3244de4b795c0c06927f4316a87f > > # Parent 2c4dbcd6f2e4c9c2a1eb8dc1f0d39c99975ae208 > > HTTP/2: emit new frames only after applying all SETTINGS params. > > > > Previously, new frames could be emitted in the middle of applying > > new (and already acknowledged) SETTINGS params, which is illegal. > > > > Signed-off-by: Piotr Sikora > > > > diff -r 2c4dbcd6f2e4 -r 07adf0a7009c src/http/v2/ngx_http_v2.c > > --- a/src/http/v2/ngx_http_v2.c > > +++ b/src/http/v2/ngx_http_v2.c > > @@ -1982,7 +1982,9 @@ static u_char * > > ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos, > > u_char *end) > > { > > - ngx_uint_t id, value; > > + ngx_uint_t id, value, adjustment; > > The new initial window size can be lower than the previous one, > so the difference can be negative (that's why the delta parameter > of ngx_http_v2_adjust_windows() is ssize_t). > > Please consider the patch below: > > diff -r 00015416ae79 src/http/v2/ngx_http_v2.c > --- a/src/http/v2/ngx_http_v2.c Mon Apr 24 15:35:10 2017 -0700 > +++ b/src/http/v2/ngx_http_v2.c Thu Jun 01 17:45:37 2017 +0300 > @@ -1969,7 +1969,8 @@ static u_char * > ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos, > u_char *end) > { > - ngx_uint_t id, value, adjustment; > + ssize_t window_delta; > + ngx_uint_t id, value; > > adjustment = 0; > [..] Err.. of course here should be "window_delta = 0;". wbr, Valentin V. Bartenev From borodin at octonica.com Thu Jun 1 17:57:09 2017 From: borodin at octonica.com (Andrew Borodin) Date: Thu, 1 Jun 2017 22:57:09 +0500 Subject: Use primes for hashtable size In-Reply-To: <20170601173951.GO55433@mdounin.ru> References: <20170530130137.GT55433@mdounin.ru> <20170601173951.GO55433@mdounin.ru> Message-ID: 2017-06-01 22:39 GMT+05:00 Maxim Dounin : > Thanks, though suggested change will certainly modify current > nginx (documented) approach of searching for minimum possible > hash sizes. > > It might be a better solution for large hashes though, as > currently optimized by using a larger start size: > > if (hinit->max_size > 10000 && nelts && hinit->max_size / nelts < 100) { > start = hinit->max_size - 1000; > } Yeah, maybe put the primes loop under if. > Not sure it is at all needed though, as I don't remember any > "words about startup speed" in the documentation and startup > speed of hashes wasn't a practical problem as far as I remember. Here https://nginx.ru/en/docs/http/server_names.html "if nginx?s start time is unacceptably long, try to increase server_names_hash_bucket_size" It's about allowing more hash collisions. But I do not insist, though :) I've done the patch jut for fun Best regards, Andrey Borodin, Octonica. From piotrsikora at google.com Thu Jun 1 21:51:58 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Thu, 01 Jun 2017 14:51:58 -0700 Subject: [PATCH 1 of 4] HTTP/2: emit new frames only after applying all SETTINGS params In-Reply-To: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> Message-ID: <1738ed9658e2a9a12370.1496353918@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1493067124 25200 # Mon Apr 24 13:52:04 2017 -0700 # Node ID 1738ed9658e2a9a12370f4c828761a9fd058935d # Parent ab6ef3037840393752d82fac01ea1eb4f972301c HTTP/2: emit new frames only after applying all SETTINGS params. Previously, new frames could be emitted in the middle of applying new (and already acknowledged) SETTINGS params, which is illegal. Signed-off-by: Piotr Sikora diff -r ab6ef3037840 -r 1738ed9658e2 src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -1969,8 +1969,11 @@ static u_char * ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos, u_char *end) { + ssize_t window_delta; ngx_uint_t id, value; + window_delta = 0; + while (h2c->state.length) { if (end - pos < NGX_HTTP_V2_SETTINGS_PARAM_SIZE) { return ngx_http_v2_state_save(h2c, pos, end, @@ -1995,12 +1998,7 @@ ngx_http_v2_state_settings_params(ngx_ht NGX_HTTP_V2_FLOW_CTRL_ERROR); } - if (ngx_http_v2_adjust_windows(h2c, value - h2c->init_window) - != NGX_OK) - { - return ngx_http_v2_connection_error(h2c, - NGX_HTTP_V2_INTERNAL_ERROR); - } + window_delta = value - h2c->init_window; h2c->init_window = value; break; @@ -2028,6 +2026,13 @@ ngx_http_v2_state_settings_params(ngx_ht pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE; } + if (window_delta) { + if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { + return ngx_http_v2_connection_error(h2c, + NGX_HTTP_V2_INTERNAL_ERROR); + } + } + return ngx_http_v2_state_complete(h2c, pos, end); } From piotrsikora at google.com Thu Jun 1 21:51:59 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Thu, 01 Jun 2017 14:51:59 -0700 Subject: [PATCH 2 of 4] HTTP/2: send SETTINGS ACK after applying all SETTINGS params In-Reply-To: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> Message-ID: # HG changeset patch # User Piotr Sikora # Date 1493067147 25200 # Mon Apr 24 13:52:27 2017 -0700 # Node ID d61e944f55e70a5a25c8a79bfc5c167b7f22d62e # Parent 1738ed9658e2a9a12370f4c828761a9fd058935d HTTP/2: send SETTINGS ACK after applying all SETTINGS params. This avoids sending unnecessary SETTINGS ACK in case of PROTOCOL_ERROR. Signed-off-by: Piotr Sikora diff -r 1738ed9658e2 -r d61e944f55e7 src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -1959,8 +1959,6 @@ ngx_http_v2_state_settings(ngx_http_v2_c return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); } - ngx_http_v2_send_settings(h2c, 1); - return ngx_http_v2_state_settings_params(h2c, pos, end); } @@ -2026,6 +2024,8 @@ ngx_http_v2_state_settings_params(ngx_ht pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE; } + ngx_http_v2_send_settings(h2c, 1); + if (window_delta) { if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { return ngx_http_v2_connection_error(h2c, From piotrsikora at google.com Thu Jun 1 21:52:00 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Thu, 01 Jun 2017 14:52:00 -0700 Subject: [PATCH 3 of 4] HTTP/2: make SETTINGS ACK frame reusable In-Reply-To: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> Message-ID: # HG changeset patch # User Piotr Sikora # Date 1493067017 25200 # Mon Apr 24 13:50:17 2017 -0700 # Node ID e00ba13ce421685981db6a98831409a234cc1e62 # Parent d61e944f55e70a5a25c8a79bfc5c167b7f22d62e HTTP/2: make SETTINGS ACK frame reusable. Signed-off-by: Piotr Sikora diff -r d61e944f55e7 -r e00ba13ce421 src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -28,6 +28,7 @@ #define NGX_HTTP_V2_HTTP_1_1_REQUIRED 0xd /* frame sizes */ +#define NGX_HTTP_V2_SETTINGS_ACK_SIZE 0 #define NGX_HTTP_V2_RST_STREAM_SIZE 4 #define NGX_HTTP_V2_PRIORITY_SIZE 5 #define NGX_HTTP_V2_PING_SIZE 8 @@ -128,8 +129,7 @@ static ngx_http_v2_node_t *ngx_http_v2_g #define ngx_http_v2_index_size(h2scf) (h2scf->streams_index_mask + 1) #define ngx_http_v2_index(h2scf, sid) ((sid >> 1) & h2scf->streams_index_mask) -static ngx_int_t ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c, - ngx_uint_t ack); +static ngx_int_t ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c); static ngx_int_t ngx_http_v2_settings_frame_handler( ngx_http_v2_connection_t *h2c, ngx_http_v2_out_frame_t *frame); static ngx_int_t ngx_http_v2_send_window_update(ngx_http_v2_connection_t *h2c, @@ -269,7 +269,7 @@ ngx_http_v2_init(ngx_event_t *rev) return; } - if (ngx_http_v2_send_settings(h2c, 0) == NGX_ERROR) { + if (ngx_http_v2_send_settings(h2c) == NGX_ERROR) { ngx_http_close_connection(c); return; } @@ -1967,8 +1967,9 @@ static u_char * ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos, u_char *end) { - ssize_t window_delta; - ngx_uint_t id, value; + ssize_t window_delta; + ngx_uint_t id, value; + ngx_http_v2_out_frame_t *frame; window_delta = 0; @@ -2024,7 +2025,14 @@ ngx_http_v2_state_settings_params(ngx_ht pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE; } - ngx_http_v2_send_settings(h2c, 1); + frame = ngx_http_v2_get_frame(h2c, NGX_HTTP_V2_SETTINGS_ACK_SIZE, + NGX_HTTP_V2_SETTINGS_FRAME, + NGX_HTTP_V2_ACK_FLAG, 0); + if (frame == NULL) { + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); + } + + ngx_http_v2_queue_blocked_frame(h2c, frame); if (window_delta) { if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { @@ -2476,7 +2484,7 @@ ngx_http_v2_parse_int(ngx_http_v2_connec static ngx_int_t -ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c, ngx_uint_t ack) +ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c) { size_t len; ngx_buf_t *buf; @@ -2484,8 +2492,8 @@ ngx_http_v2_send_settings(ngx_http_v2_co ngx_http_v2_srv_conf_t *h2scf; ngx_http_v2_out_frame_t *frame; - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, - "http2 send SETTINGS frame ack:%ui", ack); + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, + "http2 send SETTINGS frame"); frame = ngx_palloc(h2c->pool, sizeof(ngx_http_v2_out_frame_t)); if (frame == NULL) { @@ -2497,7 +2505,7 @@ ngx_http_v2_send_settings(ngx_http_v2_co return NGX_ERROR; } - len = ack ? 0 : (sizeof(uint16_t) + sizeof(uint32_t)) * 3; + len = NGX_HTTP_V2_SETTINGS_PARAM_SIZE * 3; buf = ngx_create_temp_buf(h2c->pool, NGX_HTTP_V2_FRAME_HEADER_SIZE + len); if (buf == NULL) { @@ -2521,28 +2529,26 @@ ngx_http_v2_send_settings(ngx_http_v2_co buf->last = ngx_http_v2_write_len_and_type(buf->last, len, NGX_HTTP_V2_SETTINGS_FRAME); - *buf->last++ = ack ? NGX_HTTP_V2_ACK_FLAG : NGX_HTTP_V2_NO_FLAG; + *buf->last++ = NGX_HTTP_V2_NO_FLAG; buf->last = ngx_http_v2_write_sid(buf->last, 0); - if (!ack) { - h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, - ngx_http_v2_module); - - buf->last = ngx_http_v2_write_uint16(buf->last, - NGX_HTTP_V2_MAX_STREAMS_SETTING); - buf->last = ngx_http_v2_write_uint32(buf->last, - h2scf->concurrent_streams); - - buf->last = ngx_http_v2_write_uint16(buf->last, + h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, + ngx_http_v2_module); + + buf->last = ngx_http_v2_write_uint16(buf->last, + NGX_HTTP_V2_MAX_STREAMS_SETTING); + buf->last = ngx_http_v2_write_uint32(buf->last, + h2scf->concurrent_streams); + + buf->last = ngx_http_v2_write_uint16(buf->last, NGX_HTTP_V2_INIT_WINDOW_SIZE_SETTING); - buf->last = ngx_http_v2_write_uint32(buf->last, h2scf->preread_size); - - buf->last = ngx_http_v2_write_uint16(buf->last, - NGX_HTTP_V2_MAX_FRAME_SIZE_SETTING); - buf->last = ngx_http_v2_write_uint32(buf->last, - NGX_HTTP_V2_MAX_FRAME_SIZE); - } + buf->last = ngx_http_v2_write_uint32(buf->last, h2scf->preread_size); + + buf->last = ngx_http_v2_write_uint16(buf->last, + NGX_HTTP_V2_MAX_FRAME_SIZE_SETTING); + buf->last = ngx_http_v2_write_uint32(buf->last, + NGX_HTTP_V2_MAX_FRAME_SIZE); ngx_http_v2_queue_blocked_frame(h2c, frame); From piotrsikora at google.com Thu Jun 1 21:52:01 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Thu, 01 Jun 2017 14:52:01 -0700 Subject: [PATCH 4 of 4] HTTP/2: don't send SETTINGS ACK before already queued DATA frames In-Reply-To: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> Message-ID: <26c9e95a73295a344d39.1496353921@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1493067070 25200 # Mon Apr 24 13:51:10 2017 -0700 # Node ID 26c9e95a73295a344d39ac5e6d62787d26989c82 # Parent e00ba13ce421685981db6a98831409a234cc1e62 HTTP/2: don't send SETTINGS ACK before already queued DATA frames. Previously, SETTINGS ACK was sent immediately upon receipt of SETTINGS frame, before already queued DATA frames created using old SETTINGS. This incorrect behavior was source of interoperability issues, because peers rely on the fact that new SETTINGS are in effect after receiving SETTINGS ACK. Reported by Feng Li. Signed-off-by: Piotr Sikora diff -r e00ba13ce421 -r 26c9e95a7329 src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -2032,7 +2032,7 @@ ngx_http_v2_state_settings_params(ngx_ht return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); } - ngx_http_v2_queue_blocked_frame(h2c, frame); + ngx_http_v2_queue_ordered_frame(h2c, frame); if (window_delta) { if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { diff -r e00ba13ce421 -r 26c9e95a7329 src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h @@ -261,6 +261,15 @@ ngx_http_v2_queue_blocked_frame(ngx_http } +static ngx_inline void +ngx_http_v2_queue_ordered_frame(ngx_http_v2_connection_t *h2c, + ngx_http_v2_out_frame_t *frame) +{ + frame->next = h2c->last_out; + h2c->last_out = frame; +} + + void ngx_http_v2_init(ngx_event_t *rev); void ngx_http_v2_request_headers_init(void); From piotrsikora at google.com Thu Jun 1 21:55:06 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Thu, 1 Jun 2017 14:55:06 -0700 Subject: [PATCH 1 of 4] HTTP/2: emit new frames only after applying all SETTINGS params In-Reply-To: <8753794.qGPzJ25FTB@vbart-workstation> References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> <8753794.qGPzJ25FTB@vbart-workstation> Message-ID: Hey Valentin, > The new initial window size can be lower than the previous one, > so the difference can be negative (that's why the delta parameter > of ngx_http_v2_adjust_windows() is ssize_t). Oops, good catch, thanks! Funnily enough, the original patch worked just fine (at least on systems where size of ssize_t was equal to size of ngx_uint_t), since the value would overflow and result in the same negative number when casted to ssize_t. I updated patchset with suggested changes, please take a look. Best regards, Piotr Sikora From mat999 at gmail.com Fri Jun 2 00:56:31 2017 From: mat999 at gmail.com (Mathew Heard) Date: Fri, 2 Jun 2017 10:56:31 +1000 Subject: Use primes for hashtable size In-Reply-To: References: <20170530130137.GT55433@mdounin.ru> <20170601173951.GO55433@mdounin.ru> Message-ID: If this actually yields a decrease in start time while not introducing other effects we would use it. Our start time of a couple minutes is annoying at times. On Fri, Jun 2, 2017 at 3:57 AM, Andrew Borodin wrote: > 2017-06-01 22:39 GMT+05:00 Maxim Dounin : > > Thanks, though suggested change will certainly modify current > > nginx (documented) approach of searching for minimum possible > > hash sizes. > > > > It might be a better solution for large hashes though, as > > currently optimized by using a larger start size: > > > > if (hinit->max_size > 10000 && nelts && hinit->max_size / nelts < > 100) { > > start = hinit->max_size - 1000; > > } > > Yeah, maybe put the primes loop under if. > > > Not sure it is at all needed though, as I don't remember any > > "words about startup speed" in the documentation and startup > > speed of hashes wasn't a practical problem as far as I remember. > > > Here https://nginx.ru/en/docs/http/server_names.html > "if nginx?s start time is unacceptably long, try to increase > server_names_hash_bucket_size" It's about allowing more hash > collisions. > But I do not insist, though :) I've done the patch jut for fun > > Best regards, Andrey Borodin, Octonica. > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From tommy.lindgren at gmail.com Fri Jun 2 03:43:38 2017 From: tommy.lindgren at gmail.com (Tommy Lindgren) Date: Fri, 02 Jun 2017 11:43:38 +0800 Subject: [PATCH] Dav: dav_request_buffering directive Message-ID: <149637501849.29398.12944513697412060423@argon> Hi, Currently the webdav module writes the request body to a temporary file and moves it to destination filepath once upload is complete. The patch below introduces dav_request_buffering. Default is "on". If "off", the request body will be written directly to destination filepath (unless destination file already exists, in which case 409 is returned). Rationale: We work with a system where http clients can upload large files (>100 GB, think raw uncompressed HD footage). We want to use nginx + the dav module for this. However, other clients want to access the uploaded files as soon as possible (even if the upload is still running). Thus we implemented "dav_request_buffering off". To make sure a client can't overwrite arbitrary files we protect the location with the secure_link module, i.e. the system has previously handed out a secure upload url (with unique filename to avoid collisions) to the client. Implementation details: The name "dav_request_buffering" is supposed to be analogous with "proxy_request_buffering" which hopefully make sense even though the implementation is very different. We extend ngx_http_request_s with request_body_temp_name, which the dav module sets when dav_request_buffering is off, and then ngx_create_temp_file writes directly to this filepath. request_body_in_clean_file is not set in this case. In other words, we instruct nginx core to write the "temporary" file to the final destination directly. Any chance seeing this patch/feature merged? Thanks, Tommy # HG changeset patch # User Tommy Lindgren # Date 1496048257 -7200 # Mon May 29 10:57:37 2017 +0200 # Node ID 4f4a483ca56229b7690f5d305bf056027005c7f2 # Parent ed1101bbf19f1edf300665b6398cd66d45b71577 Dav: introduced dav_request_buffering directive By default the dav module writes the request body to a temporary file and moves it to destination filepath when upload is complete. If dav_request_buffering is "off", the request body will be written directly to destination filepath (unless destination file already exists, in which case 409 is returned). diff --git a/src/core/ngx_file.c b/src/core/ngx_file.c --- a/src/core/ngx_file.c +++ b/src/core/ngx_file.c @@ -150,6 +150,22 @@ ngx_create_temp_file(ngx_file_t *file, n ngx_pool_cleanup_t *cln; ngx_pool_cleanup_file_t *clnf; + if (file->name.data != NULL) { + file->fd = ngx_open_tempfile(file->name.data, 1, access); + + ngx_log_debug1(NGX_LOG_DEBUG_CORE, file->log, 0, + "forced temp fd:%d", file->fd); + + if (file->fd == NGX_INVALID_FILE) { + ngx_log_error(NGX_LOG_ERR, file->log, ngx_errno, + ngx_open_tempfile_n " \"%s\" failed", + file->name.data); + return NGX_ERROR; + } + + return NGX_OK; + } + if (file->name.len) { name = file->name; levels = 0; diff --git a/src/http/modules/ngx_http_dav_module.c b/src/http/modules/ngx_http_dav_module.c --- a/src/http/modules/ngx_http_dav_module.c +++ b/src/http/modules/ngx_http_dav_module.c @@ -23,6 +23,7 @@ typedef struct { ngx_uint_t access; ngx_uint_t min_delete_depth; ngx_flag_t create_full_put_path; + ngx_flag_t dav_request_buffering; } ngx_http_dav_loc_conf_t; @@ -104,6 +105,13 @@ static ngx_command_t ngx_http_dav_comma offsetof(ngx_http_dav_loc_conf_t, access), NULL }, + { ngx_string("dav_request_buffering"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_dav_loc_conf_t, dav_request_buffering), + NULL }, + ngx_null_command }; @@ -142,8 +150,12 @@ ngx_module_t ngx_http_dav_module = { static ngx_int_t ngx_http_dav_handler(ngx_http_request_t *r) { + size_t root; + ngx_str_t path; ngx_int_t rc; ngx_http_dav_loc_conf_t *dlcf; + ngx_file_info_t fi; + ngx_err_t err; dlcf = ngx_http_get_module_loc_conf(r, ngx_http_dav_module); @@ -169,10 +181,39 @@ ngx_http_dav_handler(ngx_http_request_t r->request_body_in_file_only = 1; r->request_body_in_persistent_file = 1; - r->request_body_in_clean_file = 1; r->request_body_file_group_access = 1; r->request_body_file_log_level = 0; + if (dlcf->dav_request_buffering) { + r->request_body_in_clean_file = 1; + } else { + if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + if (ngx_file_info(path.data, &fi) != NGX_FILE_ERROR) { + return NGX_HTTP_CONFLICT; + } + + if (dlcf->create_full_put_path) { + err = ngx_create_full_path(path.data, ngx_dir_access(dlcf->access)); + if (err) { + ngx_log_error(NGX_LOG_CRIT, r->connection->log, err, + ngx_create_dir_n " \"%s\" failed", path.data); + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + } + + r->request_body_temp_name.len = path.len; + r->request_body_temp_name.data = ngx_pnalloc(r->pool, path.len + 1); + + if (r->request_body_temp_name.data == NULL) { + return NGX_HTTP_INTERNAL_SERVER_ERROR; + } + + ngx_memcpy(r->request_body_temp_name.data, path.data, path.len); + } + rc = ngx_http_read_client_request_body(r, ngx_http_dav_put_handler); if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { @@ -213,6 +254,16 @@ ngx_http_dav_put_handler(ngx_http_reques ngx_ext_rename_file_t ext; ngx_http_dav_loc_conf_t *dlcf; + dlcf = ngx_http_get_module_loc_conf(r, ngx_http_dav_module); + + if (!dlcf->dav_request_buffering) { + r->headers_out.content_length_n = 0; + r->headers_out.status = NGX_HTTP_CREATED; + r->header_only = 1; + ngx_http_finalize_request(r, ngx_http_send_header(r)); + return; + } + if (r->request_body == NULL || r->request_body->temp_file == NULL) { ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return; @@ -251,8 +302,6 @@ ngx_http_dav_put_handler(ngx_http_reques } } - dlcf = ngx_http_get_module_loc_conf(r, ngx_http_dav_module); - ext.access = dlcf->access; ext.path_access = dlcf->access; ext.time = -1; @@ -1115,6 +1164,7 @@ ngx_http_dav_create_loc_conf(ngx_conf_t conf->min_delete_depth = NGX_CONF_UNSET_UINT; conf->access = NGX_CONF_UNSET_UINT; conf->create_full_put_path = NGX_CONF_UNSET; + conf->dav_request_buffering = NGX_CONF_UNSET; return conf; } @@ -1137,6 +1187,9 @@ ngx_http_dav_merge_loc_conf(ngx_conf_t * ngx_conf_merge_value(conf->create_full_put_path, prev->create_full_put_path, 0); + ngx_conf_merge_value(conf->dav_request_buffering, + prev->dav_request_buffering, 1); + return NGX_CONF_OK; } diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -481,6 +481,7 @@ struct ngx_http_request_s { unsigned request_body_file_group_access:1; unsigned request_body_file_log_level:3; unsigned request_body_no_buffering:1; + ngx_str_t request_body_temp_name; unsigned subrequest_in_memory:1; unsigned waited:1; diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c --- a/src/http/ngx_http_request_body.c +++ b/src/http/ngx_http_request_body.c @@ -450,6 +450,7 @@ ngx_http_write_request_body(ngx_http_req tf->file.fd = NGX_INVALID_FILE; tf->file.log = r->connection->log; tf->path = clcf->client_body_temp_path; + tf->file.name = r->request_body_temp_name; tf->pool = r->pool; tf->warn = "a client request body is buffered to a temporary file"; tf->log_level = r->request_body_file_log_level; From piotrsikora at google.com Fri Jun 2 09:04:08 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 02 Jun 2017 02:04:08 -0700 Subject: [PATCH 3 of 3] Headers filter: added "add_trailer" directive In-Reply-To: References: Message-ID: <52201fff87e8c5a09628.1496394248@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1490351854 25200 # Fri Mar 24 03:37:34 2017 -0700 # Node ID 52201fff87e8c5a096287cf206cdcc14c0d81ce7 # Parent e84aa49c5bc7a3250d4844b581e4bf3ed42db5f5 Headers filter: added "add_trailer" directive. Trailers added using this directive are evaluated after response body is processed by output filters (but before it's written to the wire), so it's possible to use variables calculated from the response body as the trailer value. Signed-off-by: Piotr Sikora diff -r e84aa49c5bc7 -r 52201fff87e8 src/http/modules/ngx_http_headers_filter_module.c --- a/src/http/modules/ngx_http_headers_filter_module.c +++ b/src/http/modules/ngx_http_headers_filter_module.c @@ -48,6 +48,7 @@ typedef struct { time_t expires_time; ngx_http_complex_value_t *expires_value; ngx_array_t *headers; + ngx_array_t *trailers; } ngx_http_headers_conf_t; @@ -72,6 +73,8 @@ static char *ngx_http_headers_expires(ng void *conf); static char *ngx_http_headers_add(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char *ngx_http_headers_add_trailer(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); static ngx_http_set_header_t ngx_http_set_headers[] = { @@ -108,6 +111,14 @@ static ngx_command_t ngx_http_headers_f 0, NULL }, + { ngx_string("add_trailer"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF + |NGX_CONF_TAKE23, + ngx_http_headers_add_trailer, + NGX_HTTP_LOC_CONF_OFFSET, + 0, + NULL }, + ngx_null_command }; @@ -144,20 +155,30 @@ ngx_module_t ngx_http_headers_filter_mo static ngx_http_output_header_filter_pt ngx_http_next_header_filter; +static ngx_http_output_body_filter_pt ngx_http_next_body_filter; static ngx_int_t ngx_http_headers_filter(ngx_http_request_t *r) { - ngx_str_t value; - ngx_uint_t i, safe_status; - ngx_http_header_val_t *h; - ngx_http_headers_conf_t *conf; + u_char *p, *data; + size_t len; + ngx_str_t value; + ngx_uint_t i, safe_status; + ngx_table_elt_t *t; + ngx_http_header_val_t *h; + ngx_http_headers_conf_t *conf; + ngx_http_core_loc_conf_t *clcf; + + if (r != r->main) { + return ngx_http_next_header_filter(r); + } conf = ngx_http_get_module_loc_conf(r, ngx_http_headers_filter_module); - if ((conf->expires == NGX_HTTP_EXPIRES_OFF && conf->headers == NULL) - || r != r->main) + if (conf->expires == NGX_HTTP_EXPIRES_OFF + && conf->headers == NULL + && conf->trailers == NULL) { return ngx_http_next_header_filter(r); } @@ -206,11 +227,162 @@ ngx_http_headers_filter(ngx_http_request } } + if (conf->trailers) { + + if (r->header_only + || r->headers_out.status == NGX_HTTP_NOT_MODIFIED + || r->headers_out.status == NGX_HTTP_NO_CONTENT + || r->headers_out.status < NGX_HTTP_OK + || r->method == NGX_HTTP_HEAD) + { + return ngx_http_next_header_filter(r); + } + + if (r->http_version < NGX_HTTP_VERSION_20) { + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + + if (!clcf->chunked_transfer_encoding) { + return ngx_http_next_header_filter(r); + } + } + + len = 0; + + h = conf->trailers->elts; + for (i = 0; i < conf->trailers->nelts; i++) { + + if (!safe_status && !h[i].always) { + continue; + } + + if (h[i].value.value.len) { + len += h[i].key.len + sizeof(", ") - 1; + } + } + + if (len == 0) { + return ngx_http_next_header_filter(r); + } + + len -= sizeof(", ") - 1; + + data = ngx_pnalloc(r->pool, len); + if (data == NULL) { + return NGX_ERROR; + } + + t = ngx_list_push(&r->headers_out.headers); + if (t == NULL) { + return NGX_ERROR; + } + + p = data; + + h = conf->trailers->elts; + for (i = 0; i < conf->trailers->nelts; i++) { + + if (!safe_status && !h[i].always) { + continue; + } + + if (h[i].value.value.len) { + p = ngx_copy(p, h[i].key.data, h[i].key.len); + + if (p == data + len) { + break; + } + + *p++ = ','; *p++ = ' '; + } + } + + ngx_str_set(&t->key, "Trailer"); + t->value.data = data; + t->value.len = len; + t->hash = 1; + + r->expect_trailers = 1; + } + return ngx_http_next_header_filter(r); } static ngx_int_t +ngx_http_trailers_filter(ngx_http_request_t *r, ngx_chain_t *in) +{ + ngx_str_t value; + ngx_uint_t i, safe_status; + ngx_chain_t *cl; + ngx_table_elt_t *t; + ngx_http_header_val_t *h; + ngx_http_headers_conf_t *conf; + + conf = ngx_http_get_module_loc_conf(r, ngx_http_headers_filter_module); + + if (in == NULL + || conf->trailers == NULL + || !r->expect_trailers + || r->header_only) + { + return ngx_http_next_body_filter(r, in); + } + + for (cl = in; cl; cl = cl->next) { + if (cl->buf->last_buf) { + break; + } + } + + if (cl == NULL) { + return ngx_http_next_body_filter(r, in); + } + + switch (r->headers_out.status) { + + case NGX_HTTP_OK: + case NGX_HTTP_CREATED: + case NGX_HTTP_PARTIAL_CONTENT: + case NGX_HTTP_MOVED_PERMANENTLY: + case NGX_HTTP_MOVED_TEMPORARILY: + case NGX_HTTP_SEE_OTHER: + case NGX_HTTP_TEMPORARY_REDIRECT: + safe_status = 1; + break; + + default: + safe_status = 0; + break; + } + + h = conf->trailers->elts; + for (i = 0; i < conf->trailers->nelts; i++) { + + if (!safe_status && !h[i].always) { + continue; + } + + if (ngx_http_complex_value(r, &h[i].value, &value) != NGX_OK) { + return NGX_ERROR; + } + + if (value.len) { + t = ngx_list_push(&r->headers_out.trailers); + if (t == NULL) { + return NGX_ERROR; + } + + t->key = h[i].key; + t->value = value; + t->hash = 1; + } + } + + return ngx_http_next_body_filter(r, in); +} + + +static ngx_int_t ngx_http_set_expires(ngx_http_request_t *r, ngx_http_headers_conf_t *conf) { char *err; @@ -557,6 +729,7 @@ ngx_http_headers_create_conf(ngx_conf_t * set by ngx_pcalloc(): * * conf->headers = NULL; + * conf->trailers = NULL; * conf->expires_time = 0; * conf->expires_value = NULL; */ @@ -587,6 +760,10 @@ ngx_http_headers_merge_conf(ngx_conf_t * conf->headers = prev->headers; } + if (conf->trailers == NULL) { + conf->trailers = prev->trailers; + } + return NGX_CONF_OK; } @@ -597,6 +774,9 @@ ngx_http_headers_filter_init(ngx_conf_t ngx_http_next_header_filter = ngx_http_top_header_filter; ngx_http_top_header_filter = ngx_http_headers_filter; + ngx_http_next_body_filter = ngx_http_top_body_filter; + ngx_http_top_body_filter = ngx_http_trailers_filter; + return NGX_OK; } @@ -741,3 +921,63 @@ ngx_http_headers_add(ngx_conf_t *cf, ngx return NGX_CONF_OK; } + + +static char * +ngx_http_headers_add_trailer(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_http_headers_conf_t *hcf = conf; + + ngx_str_t *value; + ngx_http_header_val_t *hv; + ngx_http_compile_complex_value_t ccv; + + value = cf->args->elts; + + if (hcf->trailers == NULL) { + hcf->trailers = ngx_array_create(cf->pool, 1, + sizeof(ngx_http_header_val_t)); + if (hcf->trailers == NULL) { + return NGX_CONF_ERROR; + } + } + + hv = ngx_array_push(hcf->trailers); + if (hv == NULL) { + return NGX_CONF_ERROR; + } + + hv->key = value[1]; + hv->handler = NULL; + hv->offset = 0; + hv->always = 0; + + if (value[2].len == 0) { + ngx_memzero(&hv->value, sizeof(ngx_http_complex_value_t)); + + } else { + ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t)); + + ccv.cf = cf; + ccv.value = &value[2]; + ccv.complex_value = &hv->value; + + if (ngx_http_compile_complex_value(&ccv) != NGX_OK) { + return NGX_CONF_ERROR; + } + } + + if (cf->args->nelts == 3) { + return NGX_CONF_OK; + } + + if (ngx_strcmp(value[3].data, "always") != 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid parameter \"%V\"", &value[3]); + return NGX_CONF_ERROR; + } + + hv->always = 1; + + return NGX_CONF_OK; +} From piotrsikora at google.com Fri Jun 2 09:04:06 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 02 Jun 2017 02:04:06 -0700 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses In-Reply-To: References: Message-ID: # HG changeset patch # User Piotr Sikora # Date 1490351854 25200 # Fri Mar 24 03:37:34 2017 -0700 # Node ID b0a910ad494158427ba102bdac71ce01d0667f72 # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 Added support for trailers in HTTP responses. Example: ngx_table_elt_t *h; h = ngx_list_push(&r->headers_out.trailers); if (h == NULL) { return NGX_ERROR; } ngx_str_set(&h->key, "Fun"); ngx_str_set(&h->value, "with trailers"); h->hash = ngx_hash_key_lc(h->key.data, h->key.len); The code above adds "Fun: with trailers" trailer to the response to the request with "TE: trailers" header (which indicates support for trailers). Modules that want to emit trailers must set r->expect_trailers = 1, otherwise they are going to be ignored. This change also adds $sent_trailer_* variables. Signed-off-by: Piotr Sikora diff -r 716852cce913 -r b0a910ad4941 src/http/modules/ngx_http_chunked_filter_module.c --- a/src/http/modules/ngx_http_chunked_filter_module.c +++ b/src/http/modules/ngx_http_chunked_filter_module.c @@ -17,6 +17,8 @@ typedef struct { static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf); +static ngx_chain_t *ngx_http_chunked_create_trailers(ngx_http_request_t *r, + ngx_uint_t emit_crlf); static ngx_http_module_t ngx_http_chunked_filter_module_ctx = { @@ -69,28 +71,31 @@ ngx_http_chunked_header_filter(ngx_http_ return ngx_http_next_header_filter(r); } - if (r->headers_out.content_length_n == -1) { + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + + if (clcf->chunked_transfer_encoding && r->expect_trailers) { + ngx_http_clear_content_length(r); + r->chunked = 1; + + } else if (r->headers_out.content_length_n == -1) { if (r->http_version < NGX_HTTP_VERSION_11) { r->keepalive = 0; + } else if (clcf->chunked_transfer_encoding) { + r->chunked = 1; + } else { - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + r->keepalive = 0; + } + } - if (clcf->chunked_transfer_encoding) { - r->chunked = 1; + if (r->chunked) { + ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_chunked_filter_ctx_t)); + if (ctx == NULL) { + return NGX_ERROR; + } - ctx = ngx_pcalloc(r->pool, - sizeof(ngx_http_chunked_filter_ctx_t)); - if (ctx == NULL) { - return NGX_ERROR; - } - - ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); - - } else { - r->keepalive = 0; - } - } + ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); } return ngx_http_next_header_filter(r); @@ -179,28 +184,38 @@ ngx_http_chunked_body_filter(ngx_http_re } if (cl->buf->last_buf) { - tl = ngx_chain_get_free_buf(r->pool, &ctx->free); - if (tl == NULL) { - return NGX_ERROR; + + if (r->expect_trailers) { + tl = ngx_http_chunked_create_trailers(r, size ? 1 : 0); + + } else { + tl = NULL; } - b = tl->buf; + if (tl == NULL) { + tl = ngx_chain_get_free_buf(r->pool, &ctx->free); + if (tl == NULL) { + return NGX_ERROR; + } - b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; - b->temporary = 0; - b->memory = 1; - b->last_buf = 1; - b->pos = (u_char *) CRLF "0" CRLF CRLF; - b->last = b->pos + 7; + b = tl->buf; - cl->buf->last_buf = 0; + b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; + b->temporary = 0; + b->memory = 1; + b->last_buf = 1; + b->pos = (u_char *) CRLF "0" CRLF CRLF; + b->last = b->pos + 7; + + cl->buf->last_buf = 0; + + if (size == 0) { + b->pos += 2; + } + } *ll = tl; - if (size == 0) { - b->pos += 2; - } - } else if (size > 0) { tl = ngx_chain_get_free_buf(r->pool, &ctx->free); if (tl == NULL) { @@ -230,6 +245,118 @@ ngx_http_chunked_body_filter(ngx_http_re } +static ngx_chain_t * +ngx_http_chunked_create_trailers(ngx_http_request_t *r, ngx_uint_t emit_crlf) +{ + size_t len; + ngx_buf_t *b; + ngx_uint_t i; + ngx_chain_t *cl; + ngx_list_part_t *part; + ngx_table_elt_t *header; + ngx_http_chunked_filter_ctx_t *ctx; + + len = 0; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + len += header[i].key.len + sizeof(": ") - 1 + + header[i].value.len + sizeof(CRLF) - 1; + } + + if (len == 0) { + return NULL; + } + + if (emit_crlf) { + len += sizeof(CRLF) - 1; + } + + len += sizeof("0") - 1 + sizeof(CRLF) - 1 + sizeof(CRLF) - 1; + + ctx = ngx_http_get_module_ctx(r, ngx_http_chunked_filter_module); + + cl = ngx_chain_get_free_buf(r->pool, &ctx->free); + if (cl == NULL) { + return NULL; + } + + b = cl->buf; + + b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; + b->temporary = 0; + b->memory = 1; + b->last_buf = 1; + + b->start = ngx_palloc(r->pool, len); + if (b->start == NULL) { + return NULL; + } + + b->end = b->last + len; + b->pos = b->start; + b->last = b->start; + + if (emit_crlf) { + *b->last++ = CR; *b->last++ = LF; + } + + *b->last++ = '0'; + *b->last++ = CR; *b->last++ = LF; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http trailer: \"%V: %V\"", + &header[i].key, &header[i].value); + + b->last = ngx_copy(b->last, header[i].key.data, header[i].key.len); + *b->last++ = ':'; *b->last++ = ' '; + + b->last = ngx_copy(b->last, header[i].value.data, header[i].value.len); + *b->last++ = CR; *b->last++ = LF; + } + + *b->last++ = CR; *b->last++ = LF; + + return cl; +} + + static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf) { diff -r 716852cce913 -r b0a910ad4941 src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -2484,6 +2484,13 @@ ngx_http_subrequest(ngx_http_request_t * return NGX_ERROR; } + if (ngx_list_init(&sr->headers_out.trailers, r->pool, 4, + sizeof(ngx_table_elt_t)) + != NGX_OK) + { + return NGX_ERROR; + } + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); sr->main_conf = cscf->ctx->main_conf; sr->srv_conf = cscf->ctx->srv_conf; diff -r 716852cce913 -r b0a910ad4941 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -562,6 +562,14 @@ ngx_http_create_request(ngx_connection_t return NULL; } + if (ngx_list_init(&r->headers_out.trailers, r->pool, 4, + sizeof(ngx_table_elt_t)) + != NGX_OK) + { + ngx_destroy_pool(r->pool); + return NULL; + } + r->ctx = ngx_pcalloc(r->pool, sizeof(void *) * ngx_http_max_module); if (r->ctx == NULL) { ngx_destroy_pool(r->pool); diff -r 716852cce913 -r b0a910ad4941 src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -252,6 +252,7 @@ typedef struct { typedef struct { ngx_list_t headers; + ngx_list_t trailers; ngx_uint_t status; ngx_str_t status_line; @@ -514,6 +515,7 @@ struct ngx_http_request_s { unsigned pipeline:1; unsigned chunked:1; unsigned header_only:1; + unsigned expect_trailers:1; unsigned keepalive:1; unsigned lingering_close:1; unsigned discard_body:1; diff -r 716852cce913 -r b0a910ad4941 src/http/ngx_http_variables.c --- a/src/http/ngx_http_variables.c +++ b/src/http/ngx_http_variables.c @@ -38,6 +38,8 @@ static ngx_int_t ngx_http_variable_unkno ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_unknown_header_out(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); +static ngx_int_t ngx_http_variable_unknown_trailer_out(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_request_line(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_cookie(ngx_http_request_t *r, @@ -365,6 +367,9 @@ static ngx_http_variable_t ngx_http_cor { ngx_string("sent_http_"), NULL, ngx_http_variable_unknown_header_out, 0, NGX_HTTP_VAR_PREFIX, 0 }, + { ngx_string("sent_trailer_"), NULL, ngx_http_variable_unknown_trailer_out, + 0, NGX_HTTP_VAR_PREFIX, 0 }, + { ngx_string("cookie_"), NULL, ngx_http_variable_cookie, 0, NGX_HTTP_VAR_PREFIX, 0 }, @@ -934,6 +939,16 @@ ngx_http_variable_unknown_header_out(ngx } +static ngx_int_t +ngx_http_variable_unknown_trailer_out(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data) +{ + return ngx_http_variable_unknown_header(v, (ngx_str_t *) data, + &r->headers_out.trailers.part, + sizeof("sent_trailer_") - 1); +} + + ngx_int_t ngx_http_variable_unknown_header(ngx_http_variable_value_t *v, ngx_str_t *var, ngx_list_part_t *part, size_t prefix) From piotrsikora at google.com Fri Jun 2 09:04:07 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 02 Jun 2017 02:04:07 -0700 Subject: [PATCH 2 of 3] HTTP/2: added support for trailers in HTTP responses In-Reply-To: References: Message-ID: # HG changeset patch # User Piotr Sikora # Date 1493191954 25200 # Wed Apr 26 00:32:34 2017 -0700 # Node ID e84aa49c5bc7a3250d4844b581e4bf3ed42db5f5 # Parent b0a910ad494158427ba102bdac71ce01d0667f72 HTTP/2: added support for trailers in HTTP responses. Signed-off-by: Piotr Sikora diff -r b0a910ad4941 -r e84aa49c5bc7 src/http/v2/ngx_http_v2_filter_module.c --- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c @@ -50,13 +50,17 @@ #define NGX_HTTP_V2_SERVER_INDEX 54 #define NGX_HTTP_V2_VARY_INDEX 59 +#define NGX_HTTP_V2_FRAME_ERROR (ngx_http_v2_out_frame_t *) -1 + static u_char *ngx_http_v2_string_encode(u_char *dst, u_char *src, size_t len, u_char *tmp, ngx_uint_t lower); static u_char *ngx_http_v2_write_int(u_char *pos, ngx_uint_t prefix, ngx_uint_t value); static ngx_http_v2_out_frame_t *ngx_http_v2_create_headers_frame( - ngx_http_request_t *r, u_char *pos, u_char *end); + ngx_http_request_t *r, u_char *pos, u_char *end, ngx_uint_t fin); +static ngx_http_v2_out_frame_t *ngx_http_v2_create_trailers_frame( + ngx_http_request_t *r); static ngx_chain_t *ngx_http_v2_send_chain(ngx_connection_t *fc, ngx_chain_t *in, off_t limit); @@ -612,7 +616,7 @@ ngx_http_v2_header_filter(ngx_http_reque header[i].value.len, tmp); } - frame = ngx_http_v2_create_headers_frame(r, start, pos); + frame = ngx_http_v2_create_headers_frame(r, start, pos, r->header_only); if (frame == NULL) { return NGX_ERROR; } @@ -636,6 +640,126 @@ ngx_http_v2_header_filter(ngx_http_reque } +static ngx_http_v2_out_frame_t * +ngx_http_v2_create_trailers_frame(ngx_http_request_t *r) +{ + u_char *pos, *start, *tmp; + size_t len, tmp_len; + ngx_uint_t i; + ngx_list_part_t *part; + ngx_table_elt_t *header; + ngx_http_v2_out_frame_t *frame; + + len = 0; + tmp_len = 0; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, + "too long response trailer name: \"%V\"", + &header[i].key); + + return NGX_HTTP_V2_FRAME_ERROR; + } + + if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, + "too long response trailer value: \"%V: %V\"", + &header[i].key, &header[i].value); + + return NGX_HTTP_V2_FRAME_ERROR; + } + + len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len + + NGX_HTTP_V2_INT_OCTETS + header[i].value.len; + + if (header[i].key.len > tmp_len) { + tmp_len = header[i].key.len; + } + + if (header[i].value.len > tmp_len) { + tmp_len = header[i].value.len; + } + } + + if (len == 0) { + return NULL; + } + + tmp = ngx_palloc(r->pool, tmp_len); + pos = ngx_pnalloc(r->pool, len); + + if (pos == NULL || tmp == NULL) { + return NGX_HTTP_V2_FRAME_ERROR; + } + + start = pos; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + +#if (NGX_DEBUG) + if (r->connection->log->log_level & NGX_LOG_DEBUG_HTTP) { + ngx_strlow(tmp, header[i].key.data, header[i].key.len); + + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http2 output trailer: \"%*s: %V\"", + header[i].key.len, tmp, &header[i].value); + } +#endif + + *pos++ = 0; + + pos = ngx_http_v2_write_name(pos, header[i].key.data, + header[i].key.len, tmp); + + pos = ngx_http_v2_write_value(pos, header[i].value.data, + header[i].value.len, tmp); + } + + frame = ngx_http_v2_create_headers_frame(r, start, pos, 1); + if (frame == NULL) { + return NGX_HTTP_V2_FRAME_ERROR; + } + + return frame; +} + + static u_char * ngx_http_v2_string_encode(u_char *dst, u_char *src, size_t len, u_char *tmp, ngx_uint_t lower) @@ -686,7 +810,7 @@ ngx_http_v2_write_int(u_char *pos, ngx_u static ngx_http_v2_out_frame_t * ngx_http_v2_create_headers_frame(ngx_http_request_t *r, u_char *pos, - u_char *end) + u_char *end, ngx_uint_t fin) { u_char type, flags; size_t rest, frame_size; @@ -707,12 +831,12 @@ ngx_http_v2_create_headers_frame(ngx_htt frame->stream = stream; frame->length = rest; frame->blocked = 1; - frame->fin = r->header_only; + frame->fin = fin; ll = &frame->first; type = NGX_HTTP_V2_HEADERS_FRAME; - flags = r->header_only ? NGX_HTTP_V2_END_STREAM_FLAG : NGX_HTTP_V2_NO_FLAG; + flags = fin ? NGX_HTTP_V2_END_STREAM_FLAG : NGX_HTTP_V2_NO_FLAG; frame_size = stream->connection->frame_size; for ( ;; ) { @@ -776,7 +900,7 @@ ngx_http_v2_create_headers_frame(ngx_htt continue; } - b->last_buf = r->header_only; + b->last_buf = fin; cl->next = NULL; frame->last = cl; @@ -798,7 +922,7 @@ ngx_http_v2_send_chain(ngx_connection_t ngx_http_request_t *r; ngx_http_v2_stream_t *stream; ngx_http_v2_loc_conf_t *h2lcf; - ngx_http_v2_out_frame_t *frame; + ngx_http_v2_out_frame_t *frame, *trailers; ngx_http_v2_connection_t *h2c; r = fc->data; @@ -872,6 +996,8 @@ ngx_http_v2_send_chain(ngx_connection_t frame_size = (h2lcf->chunk_size < h2c->frame_size) ? h2lcf->chunk_size : h2c->frame_size; + trailers = NULL; + #if (NGX_SUPPRESS_WARN) cl = NULL; #endif @@ -934,17 +1060,36 @@ ngx_http_v2_send_chain(ngx_connection_t size -= rest; } - frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, out, cl); - if (frame == NULL) { - return NGX_CHAIN_ERROR; + if (cl->buf->last_buf && r->expect_trailers) { + trailers = ngx_http_v2_create_trailers_frame(r); + if (trailers == NGX_HTTP_V2_FRAME_ERROR) { + return NGX_CHAIN_ERROR; + } + + if (trailers) { + cl->buf->last_buf = 0; + } } - ngx_http_v2_queue_frame(h2c, frame); + if (frame_size || cl->buf->last_buf) { + frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, out, + cl); + if (frame == NULL) { + return NGX_CHAIN_ERROR; + } - h2c->send_window -= frame_size; + ngx_http_v2_queue_frame(h2c, frame); - stream->send_window -= frame_size; - stream->queued++; + h2c->send_window -= frame_size; + + stream->send_window -= frame_size; + stream->queued++; + } + + if (trailers) { + ngx_http_v2_queue_frame(h2c, trailers); + stream->queued++; + } if (in == NULL) { break; From piotrsikora at google.com Fri Jun 2 09:05:47 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 2 Jun 2017 02:05:47 -0700 Subject: [PATCH 1 of 3] HTTP: add support for trailers in HTTP responses In-Reply-To: <20170503140018.GN43932@mdounin.ru> References: <8af81a0d66c0f69bcf50.1491211931@piotrsikora.sfo.corp.google.com> <20170421174201.GA43932@mdounin.ru> <20170427184623.GD43932@mdounin.ru> <20170503140018.GN43932@mdounin.ru> Message-ID: Hey Maxim, > In your patch, you test r->expect_trailers in two places in > chunked filter: > > 1. when you decide whether to use chunked encoding or not, in > ngx_http_chunked_header_filter(); > > 2. when you generate trailer, in ngx_http_chunked_body_filter(). > > I mostly agree with (1) (I would like see it configurable too, but > it's probably up to a module which adds trailers to decide, so > don't belong to this particular patch), but don't see any reasons > for (2). This is done to avoid unexpected behavior when r->expect_trailers isn't set, i.e. if module added trailers, but didn't set r->expect_trailers, then without (2) trailers would be emitted only if Content-Encoding was already chunked, but not otherwise. Testing r->expect_trailers in both (1) and (2) ensures that Trailers are emitted in consistent manner, without depending on unrelated factors, like gzip support by the client, etc. > Certainly merging is a bad idea either. May be the solution would > be avoid sending trailers for header-only requests consistently > for both HTTP/1.1 and HTTP/2. Done, I removed trailers from headers-only HTTP/2 responses. As mentioned earlier, I also removed "TE: trailers" requirement and merged whole trailer-part into one buffer, in case of trailers. Best regards, Piotr Sikora From piotrsikora at google.com Fri Jun 2 09:10:07 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 2 Jun 2017 02:10:07 -0700 Subject: [PATCH 2 of 3] Headers filter: add "add_trailer" directive In-Reply-To: <20170421174207.GB43932@mdounin.ru> References: <5bab17ebe2b1f8ec42cf.1491211932@piotrsikora.sfo.corp.google.com> <20170421174207.GB43932@mdounin.ru> Message-ID: Hey Maxim, > This introduces a layering violation between the headers filter > and the chunked filter. I moved trailer generation to headers filter, let me know if that works for you. Unfortunately, because of that change, trailers are evaluated earlier in the process, and some variables from body filters that run after headers filter (like $gzip_ratio) are not usable anymore. > There should be a space between "NULL" and "}". It might worth > fixing the style in previously exiting directives in a separate > commit. Done. > Predicting conditions which will result in header-only response > looks really fragile. As well as checks for chunked transfer > encoding. Sending "Trailer" header in responses that cannot have response body is known to result in interoperability issues, so I'd rather leave it, see: https://github.com/nodejs/node/issues/2842 > Note: this can result in an access to uninitialized memory if > ngx_pnalloc() fails and $sent_http_trailer used in logs. Fixed. > Note that at this point we do not know if the trailer in question > is going to be present in the particular response or not, as > trailers with empty values are not returned (and this is often > used to only return some headers in some responses, at least with > add_header). But we know that it might be present. "Trailer" header is an indicator. > It might be a better idea to avoid generating the > "Trailer" header automatically and let users to control this with > add_header instead, and/or introduce an option to control this. That sounds like a terrible idea, which will result in always missing "Trailer" header. > Note well that with the approach taken it will be very > inconvenient for other modules to add their own trailers, due to > both a) layering violation introduced, which makes headers filter > special, and b) no easy way to add anything to the Trailer header > generated. This is well-formatted header, so other modules can emit their own "Trailer" headers, or append to it. Also, I'm don't see how this is different from virtually any other header in NGINX. > There is no need to set hash for output headers, just t->hash = 1 > is good enough. Actually, it's not "good enough". Using "hash = 1" has absolutely no performance benefit and it results in full search instead of simple hash comparison during header lookup, because some headers won't have hash set to proper value. Anyway, I'm going set it to "1" to avoid side-tracking this discussion. Best regards, Piotr Sikora From piotrsikora at google.com Fri Jun 2 09:15:30 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 2 Jun 2017 02:15:30 -0700 Subject: [PATCH 3 of 3] Upstream: add support for trailers in HTTP responses In-Reply-To: <20170421174211.GC43932@mdounin.ru> References: <488c59bd49dcb1503144.1491211933@piotrsikora.sfo.corp.google.com> <20170421174211.GC43932@mdounin.ru> Message-ID: Hey Maxim, > Overral, this patch looks at most half-ready, as it doesn't even > try to implement sending trailers (r->expect_trailers is never > set), lacks any support for trailers in the cache, and so on. Actually, it's pretty much ready... r->expect_trailers is supposed to be set by upstream modules (i.e. proxy or 3rd-party upstream module), and not by the upstream module itself. But I can see how it can be hard to review only part of the feature, so I'm going to drop this for now (mostly to speed up the turnaround of code reviews), and I'll send this later, along HTTP/2 patchset that uses those changes. Best regards, Piotr Sikora From pluknet at nginx.com Fri Jun 2 09:56:29 2017 From: pluknet at nginx.com (Sergey Kandaurov) Date: Fri, 02 Jun 2017 09:56:29 +0000 Subject: [nginx] Configure: enabled rpath for NetBSD. Message-ID: details: http://hg.nginx.org/nginx/rev/639e48c382a6 branches: changeset: 7021:639e48c382a6 user: Sergey Kandaurov date: Fri Jun 02 12:55:31 2017 +0300 description: Configure: enabled rpath for NetBSD. diffstat: auto/os/conf | 8 ++++++++ 1 files changed, 8 insertions(+), 0 deletions(-) diffs (18 lines): diff -r 716852cce913 -r 639e48c382a6 auto/os/conf --- a/auto/os/conf Thu Jun 01 15:44:23 2017 +0300 +++ b/auto/os/conf Fri Jun 02 12:55:31 2017 +0300 @@ -41,6 +41,14 @@ case "$NGX_PLATFORM" in ' ;; + NetBSD:*) + CORE_INCS="$UNIX_INCS" + CORE_DEPS="$UNIX_DEPS $POSIX_DEPS" + CORE_SRCS="$UNIX_SRCS" + + NGX_RPATH=YES + ;; + HP-UX:*) # HP/UX have=NGX_HPUX . auto/have_headers From mdounin at mdounin.ru Fri Jun 2 11:46:03 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 2 Jun 2017 14:46:03 +0300 Subject: Use primes for hashtable size In-Reply-To: References: <20170530130137.GT55433@mdounin.ru> <20170601173951.GO55433@mdounin.ru>

Message-ID: <20170602114603.GR55433@mdounin.ru> Hello! On Fri, Jun 02, 2017 at 10:56:31AM +1000, Mathew Heard wrote: > If this actually yields a decrease in start time while not introducing > other effects we would use it. Our start time of a couple minutes is > annoying at times. Do you have any details of what contributes to the start time in your case? In general, nginx trades start time to faster operation once started, and trying to build minimal hash is an example of this practice. If it results in unacceptable start times we certainly should optimize it, though I don't think I've seen such cases in my practice. Most time-consuming things during start I've seen so far are: - multiple DNS names in the configuration and slow system resolver; - multiple SSL certificates; - very large geo{} maps. -- Maxim Dounin http://nginx.org/ From mat999 at gmail.com Fri Jun 2 11:50:18 2017 From: mat999 at gmail.com (Mathew Heard) Date: Fri, 2 Jun 2017 21:50:18 +1000 Subject: Use primes for hashtable size In-Reply-To: <20170602114603.GR55433@mdounin.ru> References: <20170530130137.GT55433@mdounin.ru> <20170601173951.GO55433@mdounin.ru>

<20170602114603.GR55433@mdounin.ru> Message-ID: We are loading around 10,000 - 15,000 server_names per server. We also have a fair number of SSL certificates and at-least one big geo map as well which probably do contribute. At around 2,000 - 3,000 we hit our first issues with server_name and had to alter the hash table max. Which brought the loading speed back up (which has slowly regressed as we got bigger) Honestly I don't consider it unacceptable, but if this patch comes with no runtime performance penalty why wouldnt we want it? There are advantages to faster startup (incident recovery, quicker reconfiguration etc) On Fri, Jun 2, 2017 at 9:46 PM, Maxim Dounin wrote: > Hello! > > On Fri, Jun 02, 2017 at 10:56:31AM +1000, Mathew Heard wrote: > > > If this actually yields a decrease in start time while not introducing > > other effects we would use it. Our start time of a couple minutes is > > annoying at times. > > Do you have any details of what contributes to the start time in > your case? > > In general, nginx trades start time to faster operation once > started, and trying to build minimal hash is an example of this > practice. If it results in unacceptable start times we certainly > should optimize it, though I don't think I've seen such cases in > my practice. > > Most time-consuming things during start I've seen so far are: > > - multiple DNS names in the configuration and slow system > resolver; > > - multiple SSL certificates; > > - very large geo{} maps. > > -- > Maxim Dounin > http://nginx.org/ > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Fri Jun 2 12:08:26 2017 From: vbart at nginx.com (Valentin Bartenev) Date: Fri, 02 Jun 2017 12:08:26 +0000 Subject: [nginx] HTTP/2: emit new frames only after applying all SETTINGS params. Message-ID: details: http://hg.nginx.org/nginx/rev/645ed7112a01 branches: changeset: 7022:645ed7112a01 user: Piotr Sikora date: Fri Jun 02 15:05:20 2017 +0300 description: HTTP/2: emit new frames only after applying all SETTINGS params. Previously, new frames could be emitted in the middle of applying new (and already acknowledged) SETTINGS params, which is illegal. Signed-off-by: Piotr Sikora diffstat: src/http/v2/ngx_http_v2.c | 17 +++++++++++------ 1 files changed, 11 insertions(+), 6 deletions(-) diffs (43 lines): diff -r 639e48c382a6 -r 645ed7112a01 src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c Fri Jun 02 12:55:31 2017 +0300 +++ b/src/http/v2/ngx_http_v2.c Fri Jun 02 15:05:20 2017 +0300 @@ -1969,8 +1969,11 @@ static u_char * ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos, u_char *end) { + ssize_t window_delta; ngx_uint_t id, value; + window_delta = 0; + while (h2c->state.length) { if (end - pos < NGX_HTTP_V2_SETTINGS_PARAM_SIZE) { return ngx_http_v2_state_save(h2c, pos, end, @@ -1995,12 +1998,7 @@ ngx_http_v2_state_settings_params(ngx_ht NGX_HTTP_V2_FLOW_CTRL_ERROR); } - if (ngx_http_v2_adjust_windows(h2c, value - h2c->init_window) - != NGX_OK) - { - return ngx_http_v2_connection_error(h2c, - NGX_HTTP_V2_INTERNAL_ERROR); - } + window_delta = value - h2c->init_window; h2c->init_window = value; break; @@ -2028,6 +2026,13 @@ ngx_http_v2_state_settings_params(ngx_ht pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE; } + if (window_delta) { + if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { + return ngx_http_v2_connection_error(h2c, + NGX_HTTP_V2_INTERNAL_ERROR); + } + } + return ngx_http_v2_state_complete(h2c, pos, end); } From vbart at nginx.com Fri Jun 2 12:08:29 2017 From: vbart at nginx.com (Valentin Bartenev) Date: Fri, 02 Jun 2017 12:08:29 +0000 Subject: [nginx] HTTP/2: send SETTINGS ACK after applying all SETTINGS params. Message-ID: details: http://hg.nginx.org/nginx/rev/859d80f57aab branches: changeset: 7023:859d80f57aab user: Piotr Sikora date: Fri Jun 02 15:05:24 2017 +0300 description: HTTP/2: send SETTINGS ACK after applying all SETTINGS params. This avoids sending unnecessary SETTINGS ACK in case of PROTOCOL_ERROR. Signed-off-by: Piotr Sikora diffstat: src/http/v2/ngx_http_v2.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (21 lines): diff -r 645ed7112a01 -r 859d80f57aab src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c Fri Jun 02 15:05:20 2017 +0300 +++ b/src/http/v2/ngx_http_v2.c Fri Jun 02 15:05:24 2017 +0300 @@ -1959,8 +1959,6 @@ ngx_http_v2_state_settings(ngx_http_v2_c return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); } - ngx_http_v2_send_settings(h2c, 1); - return ngx_http_v2_state_settings_params(h2c, pos, end); } @@ -2026,6 +2024,8 @@ ngx_http_v2_state_settings_params(ngx_ht pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE; } + ngx_http_v2_send_settings(h2c, 1); + if (window_delta) { if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { return ngx_http_v2_connection_error(h2c, From vbart at nginx.com Fri Jun 2 12:08:31 2017 From: vbart at nginx.com (Valentin Bartenev) Date: Fri, 02 Jun 2017 12:08:31 +0000 Subject: [nginx] HTTP/2: make SETTINGS ACK frame reusable. Message-ID: details: http://hg.nginx.org/nginx/rev/79de0d2aa432 branches: changeset: 7024:79de0d2aa432 user: Piotr Sikora date: Fri Jun 02 15:05:28 2017 +0300 description: HTTP/2: make SETTINGS ACK frame reusable. Signed-off-by: Piotr Sikora diffstat: src/http/v2/ngx_http_v2.c | 62 +++++++++++++++++++++++++--------------------- 1 files changed, 34 insertions(+), 28 deletions(-) diffs (132 lines): diff -r 859d80f57aab -r 79de0d2aa432 src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c Fri Jun 02 15:05:24 2017 +0300 +++ b/src/http/v2/ngx_http_v2.c Fri Jun 02 15:05:28 2017 +0300 @@ -28,6 +28,7 @@ #define NGX_HTTP_V2_HTTP_1_1_REQUIRED 0xd /* frame sizes */ +#define NGX_HTTP_V2_SETTINGS_ACK_SIZE 0 #define NGX_HTTP_V2_RST_STREAM_SIZE 4 #define NGX_HTTP_V2_PRIORITY_SIZE 5 #define NGX_HTTP_V2_PING_SIZE 8 @@ -128,8 +129,7 @@ static ngx_http_v2_node_t *ngx_http_v2_g #define ngx_http_v2_index_size(h2scf) (h2scf->streams_index_mask + 1) #define ngx_http_v2_index(h2scf, sid) ((sid >> 1) & h2scf->streams_index_mask) -static ngx_int_t ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c, - ngx_uint_t ack); +static ngx_int_t ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c); static ngx_int_t ngx_http_v2_settings_frame_handler( ngx_http_v2_connection_t *h2c, ngx_http_v2_out_frame_t *frame); static ngx_int_t ngx_http_v2_send_window_update(ngx_http_v2_connection_t *h2c, @@ -269,7 +269,7 @@ ngx_http_v2_init(ngx_event_t *rev) return; } - if (ngx_http_v2_send_settings(h2c, 0) == NGX_ERROR) { + if (ngx_http_v2_send_settings(h2c) == NGX_ERROR) { ngx_http_close_connection(c); return; } @@ -1967,8 +1967,9 @@ static u_char * ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos, u_char *end) { - ssize_t window_delta; - ngx_uint_t id, value; + ssize_t window_delta; + ngx_uint_t id, value; + ngx_http_v2_out_frame_t *frame; window_delta = 0; @@ -2024,7 +2025,14 @@ ngx_http_v2_state_settings_params(ngx_ht pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE; } - ngx_http_v2_send_settings(h2c, 1); + frame = ngx_http_v2_get_frame(h2c, NGX_HTTP_V2_SETTINGS_ACK_SIZE, + NGX_HTTP_V2_SETTINGS_FRAME, + NGX_HTTP_V2_ACK_FLAG, 0); + if (frame == NULL) { + return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); + } + + ngx_http_v2_queue_blocked_frame(h2c, frame); if (window_delta) { if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { @@ -2476,7 +2484,7 @@ ngx_http_v2_parse_int(ngx_http_v2_connec static ngx_int_t -ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c, ngx_uint_t ack) +ngx_http_v2_send_settings(ngx_http_v2_connection_t *h2c) { size_t len; ngx_buf_t *buf; @@ -2484,8 +2492,8 @@ ngx_http_v2_send_settings(ngx_http_v2_co ngx_http_v2_srv_conf_t *h2scf; ngx_http_v2_out_frame_t *frame; - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, - "http2 send SETTINGS frame ack:%ui", ack); + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0, + "http2 send SETTINGS frame"); frame = ngx_palloc(h2c->pool, sizeof(ngx_http_v2_out_frame_t)); if (frame == NULL) { @@ -2497,7 +2505,7 @@ ngx_http_v2_send_settings(ngx_http_v2_co return NGX_ERROR; } - len = ack ? 0 : (sizeof(uint16_t) + sizeof(uint32_t)) * 3; + len = NGX_HTTP_V2_SETTINGS_PARAM_SIZE * 3; buf = ngx_create_temp_buf(h2c->pool, NGX_HTTP_V2_FRAME_HEADER_SIZE + len); if (buf == NULL) { @@ -2521,28 +2529,26 @@ ngx_http_v2_send_settings(ngx_http_v2_co buf->last = ngx_http_v2_write_len_and_type(buf->last, len, NGX_HTTP_V2_SETTINGS_FRAME); - *buf->last++ = ack ? NGX_HTTP_V2_ACK_FLAG : NGX_HTTP_V2_NO_FLAG; + *buf->last++ = NGX_HTTP_V2_NO_FLAG; buf->last = ngx_http_v2_write_sid(buf->last, 0); - if (!ack) { - h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, - ngx_http_v2_module); - - buf->last = ngx_http_v2_write_uint16(buf->last, - NGX_HTTP_V2_MAX_STREAMS_SETTING); - buf->last = ngx_http_v2_write_uint32(buf->last, - h2scf->concurrent_streams); - - buf->last = ngx_http_v2_write_uint16(buf->last, + h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx, + ngx_http_v2_module); + + buf->last = ngx_http_v2_write_uint16(buf->last, + NGX_HTTP_V2_MAX_STREAMS_SETTING); + buf->last = ngx_http_v2_write_uint32(buf->last, + h2scf->concurrent_streams); + + buf->last = ngx_http_v2_write_uint16(buf->last, NGX_HTTP_V2_INIT_WINDOW_SIZE_SETTING); - buf->last = ngx_http_v2_write_uint32(buf->last, h2scf->preread_size); - - buf->last = ngx_http_v2_write_uint16(buf->last, - NGX_HTTP_V2_MAX_FRAME_SIZE_SETTING); - buf->last = ngx_http_v2_write_uint32(buf->last, - NGX_HTTP_V2_MAX_FRAME_SIZE); - } + buf->last = ngx_http_v2_write_uint32(buf->last, h2scf->preread_size); + + buf->last = ngx_http_v2_write_uint16(buf->last, + NGX_HTTP_V2_MAX_FRAME_SIZE_SETTING); + buf->last = ngx_http_v2_write_uint32(buf->last, + NGX_HTTP_V2_MAX_FRAME_SIZE); ngx_http_v2_queue_blocked_frame(h2c, frame); From vbart at nginx.com Fri Jun 2 12:08:34 2017 From: vbart at nginx.com (Valentin Bartenev) Date: Fri, 02 Jun 2017 12:08:34 +0000 Subject: [nginx] HTTP/2: don't send SETTINGS ACK before already queued DATA frames. Message-ID: details: http://hg.nginx.org/nginx/rev/7206c3630310 branches: changeset: 7025:7206c3630310 user: Piotr Sikora date: Fri Jun 02 15:05:32 2017 +0300 description: HTTP/2: don't send SETTINGS ACK before already queued DATA frames. Previously, SETTINGS ACK was sent immediately upon receipt of SETTINGS frame, before already queued DATA frames created using old SETTINGS. This incorrect behavior was source of interoperability issues, because peers rely on the fact that new SETTINGS are in effect after receiving SETTINGS ACK. Reported by Feng Li. Signed-off-by: Piotr Sikora diffstat: src/http/v2/ngx_http_v2.c | 2 +- src/http/v2/ngx_http_v2.h | 9 +++++++++ 2 files changed, 10 insertions(+), 1 deletions(-) diffs (31 lines): diff -r 79de0d2aa432 -r 7206c3630310 src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c Fri Jun 02 15:05:28 2017 +0300 +++ b/src/http/v2/ngx_http_v2.c Fri Jun 02 15:05:32 2017 +0300 @@ -2032,7 +2032,7 @@ ngx_http_v2_state_settings_params(ngx_ht return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR); } - ngx_http_v2_queue_blocked_frame(h2c, frame); + ngx_http_v2_queue_ordered_frame(h2c, frame); if (window_delta) { if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) { diff -r 79de0d2aa432 -r 7206c3630310 src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h Fri Jun 02 15:05:28 2017 +0300 +++ b/src/http/v2/ngx_http_v2.h Fri Jun 02 15:05:32 2017 +0300 @@ -261,6 +261,15 @@ ngx_http_v2_queue_blocked_frame(ngx_http } +static ngx_inline void +ngx_http_v2_queue_ordered_frame(ngx_http_v2_connection_t *h2c, + ngx_http_v2_out_frame_t *frame) +{ + frame->next = h2c->last_out; + h2c->last_out = frame; +} + + void ngx_http_v2_init(ngx_event_t *rev); void ngx_http_v2_request_headers_init(void); From vbart at nginx.com Fri Jun 2 12:11:06 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Fri, 02 Jun 2017 15:11:06 +0300 Subject: [PATCH 1 of 4] HTTP/2: emit new frames only after applying all SETTINGS params In-Reply-To: References: <07adf0a7009c3244de4b.1493074103@piotrsikora.sfo.corp.google.com> <8753794.qGPzJ25FTB@vbart-workstation> Message-ID: <2128928.XChoDM9hEe@vbart-workstation> On Thursday 01 June 2017 14:55:06 Piotr Sikora via nginx-devel wrote: > Hey Valentin, > > > The new initial window size can be lower than the previous one, > > so the difference can be negative (that's why the delta parameter > > of ngx_http_v2_adjust_windows() is ssize_t). > > Oops, good catch, thanks! > > Funnily enough, the original patch worked just fine (at least on > systems where size of ssize_t was equal to size of ngx_uint_t), since > the value would overflow and result in the same negative number when > casted to ssize_t. > > I updated patchset with suggested changes, please take a look. > The whole patchset was committed. Thank you. wbr, Valentin V. Bartenev From mdounin at mdounin.ru Fri Jun 2 12:30:35 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 2 Jun 2017 15:30:35 +0300 Subject: [PATCH 1 of 3] HTTP: add support for trailers in HTTP responses In-Reply-To: References: <8af81a0d66c0f69bcf50.1491211931@piotrsikora.sfo.corp.google.com> <20170421174201.GA43932@mdounin.ru> <20170427184623.GD43932@mdounin.ru> <20170503140018.GN43932@mdounin.ru> Message-ID: <20170602123035.GT55433@mdounin.ru> Hello! On Fri, Jun 02, 2017 at 02:05:47AM -0700, Piotr Sikora via nginx-devel wrote: > Hey Maxim, > > > In your patch, you test r->expect_trailers in two places in > > chunked filter: > > > > 1. when you decide whether to use chunked encoding or not, in > > ngx_http_chunked_header_filter(); > > > > 2. when you generate trailer, in ngx_http_chunked_body_filter(). > > > > I mostly agree with (1) (I would like see it configurable too, but > > it's probably up to a module which adds trailers to decide, so > > don't belong to this particular patch), but don't see any reasons > > for (2). > > This is done to avoid unexpected behavior when r->expect_trailers > isn't set, i.e. if module added trailers, but didn't set > r->expect_trailers, then without (2) trailers would be emitted only if > Content-Encoding was already chunked, but not otherwise. > > Testing r->expect_trailers in both (1) and (2) ensures that Trailers > are emitted in consistent manner, without depending on unrelated > factors, like gzip support by the client, etc. I see two problems here: a. There may be use cases when forcing chunked encoding is not desired, but emitting trailers if it is used still makes sense. b. Nothing stops modules from changing r->expect_trailers when the response header was already sent and it is already too late to switch to chunked transfer encoding. Moreover, this will naturally happen with any module which is simply following the requirement to set r->expect_trailers to 1 as in your commit log. So (a) makes (2) excessively limiting, and (b) makes it useless. -- Maxim Dounin http://nginx.org/ From aricos at protonmail.com Fri Jun 2 13:25:31 2017 From: aricos at protonmail.com (Aris) Date: Fri, 02 Jun 2017 09:25:31 -0400 Subject: NGINX-RTMP: control/redirect/publisher command example Message-ID: Hi! I'm trying to redirect an input stream in app live to app forward using the control/redirect/publisher command without any success. Here is my conf file. application live { live on; allow publish all; allow play all; } application forward { live on; allow publish all; allow play all; push rtmp://localhost:8080/live/test05; } Could anyone give an example on how to use control/redirect/publisher command for the above config? Thanks. -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Fri Jun 2 15:36:07 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 2 Jun 2017 18:36:07 +0300 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses In-Reply-To: References: Message-ID: <20170602153607.GU55433@mdounin.ru> Hello! On Fri, Jun 02, 2017 at 02:04:06AM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1490351854 25200 > # Fri Mar 24 03:37:34 2017 -0700 > # Node ID b0a910ad494158427ba102bdac71ce01d0667f72 > # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 > Added support for trailers in HTTP responses. > > Example: > > ngx_table_elt_t *h; > > h = ngx_list_push(&r->headers_out.trailers); > if (h == NULL) { > return NGX_ERROR; > } > > ngx_str_set(&h->key, "Fun"); > ngx_str_set(&h->value, "with trailers"); > h->hash = ngx_hash_key_lc(h->key.data, h->key.len); > > The code above adds "Fun: with trailers" trailer to the response to > the request with "TE: trailers" header (which indicates support for > trailers). Note: the "TE: trailers" requirement is no longer present in the code. > > Modules that want to emit trailers must set r->expect_trailers = 1, > otherwise they are going to be ignored. > > This change also adds $sent_trailer_* variables. > > Signed-off-by: Piotr Sikora > > diff -r 716852cce913 -r b0a910ad4941 src/http/modules/ngx_http_chunked_filter_module.c > --- a/src/http/modules/ngx_http_chunked_filter_module.c > +++ b/src/http/modules/ngx_http_chunked_filter_module.c > @@ -17,6 +17,8 @@ typedef struct { > > > static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf); > +static ngx_chain_t *ngx_http_chunked_create_trailers(ngx_http_request_t *r, > + ngx_uint_t emit_crlf); > > > static ngx_http_module_t ngx_http_chunked_filter_module_ctx = { > @@ -69,28 +71,31 @@ ngx_http_chunked_header_filter(ngx_http_ > return ngx_http_next_header_filter(r); > } > > - if (r->headers_out.content_length_n == -1) { > + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); > + > + if (clcf->chunked_transfer_encoding && r->expect_trailers) { > + ngx_http_clear_content_length(r); > + r->chunked = 1; > + This code results in using chunked encoding for HTTP/1.0 when trailers are expected. Such behaviour is explicitly forbidden by the HTTP/1.1 specification, and will very likely result in problems (we've seen lots of such problems with broken backends when there were no HTTP/1.1 support in the proxy module). Something like this should be a better solution: if (r->headers_out.content_length_n == -1 || r->expect_trailers) { clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); if (r->http_version >= NGX_HTTP_VERSION_11 && clcf->chunked_transfer_encoding) { if (r->expect_trailers) { ngx_http_clear_content_length(r); } r->chunked = 1; ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_chunked_filter_ctx_t)); if (ctx == NULL) { return NGX_ERROR; } ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); } else if (r->headers_out.content_length_n == -1) { r->keepalive = 0; } } > + } else if (r->headers_out.content_length_n == -1) { > if (r->http_version < NGX_HTTP_VERSION_11) { > r->keepalive = 0; > > + } else if (clcf->chunked_transfer_encoding) { > + r->chunked = 1; > + > } else { > - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); > + r->keepalive = 0; > + } > + } > > - if (clcf->chunked_transfer_encoding) { > - r->chunked = 1; > + if (r->chunked) { > + ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_chunked_filter_ctx_t)); > + if (ctx == NULL) { > + return NGX_ERROR; > + } > > - ctx = ngx_pcalloc(r->pool, > - sizeof(ngx_http_chunked_filter_ctx_t)); > - if (ctx == NULL) { > - return NGX_ERROR; > - } > - > - ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); > - > - } else { > - r->keepalive = 0; > - } > - } > + ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); > } > > return ngx_http_next_header_filter(r); > @@ -179,28 +184,38 @@ ngx_http_chunked_body_filter(ngx_http_re > } > > if (cl->buf->last_buf) { > - tl = ngx_chain_get_free_buf(r->pool, &ctx->free); > - if (tl == NULL) { > - return NGX_ERROR; > + > + if (r->expect_trailers) { > + tl = ngx_http_chunked_create_trailers(r, size ? 1 : 0); See the previous thread about the r->expect_trailers test here. > + > + } else { > + tl = NULL; > } > > - b = tl->buf; > + if (tl == NULL) { > + tl = ngx_chain_get_free_buf(r->pool, &ctx->free); > + if (tl == NULL) { > + return NGX_ERROR; > + } Instead of providing two separate code paths for "with trailer headers" and "without trailer headers", it might be better and more readable to generate last-chunk in one function regardless of whether trailer headers are present or not. It will also make error handling better: as of now, an allocation error in ngx_http_chunked_create_trailers() will result in "no trailers" code path being tried instead of returning an unconditional error. > > - b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; > - b->temporary = 0; > - b->memory = 1; > - b->last_buf = 1; > - b->pos = (u_char *) CRLF "0" CRLF CRLF; > - b->last = b->pos + 7; > + b = tl->buf; > > - cl->buf->last_buf = 0; > + b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; > + b->temporary = 0; > + b->memory = 1; > + b->last_buf = 1; > + b->pos = (u_char *) CRLF "0" CRLF CRLF; > + b->last = b->pos + 7; > + > + cl->buf->last_buf = 0; > + > + if (size == 0) { > + b->pos += 2; > + } > + } > > *ll = tl; > > - if (size == 0) { > - b->pos += 2; > - } > - > } else if (size > 0) { > tl = ngx_chain_get_free_buf(r->pool, &ctx->free); > if (tl == NULL) { > @@ -230,6 +245,118 @@ ngx_http_chunked_body_filter(ngx_http_re > } > > > +static ngx_chain_t * > +ngx_http_chunked_create_trailers(ngx_http_request_t *r, ngx_uint_t emit_crlf) > +{ > + size_t len; > + ngx_buf_t *b; > + ngx_uint_t i; > + ngx_chain_t *cl; > + ngx_list_part_t *part; > + ngx_table_elt_t *header; > + ngx_http_chunked_filter_ctx_t *ctx; > + > + len = 0; > + > + part = &r->headers_out.trailers.part; > + header = part->elts; > + > + for (i = 0; /* void */; i++) { > + > + if (i >= part->nelts) { > + if (part->next == NULL) { > + break; > + } > + > + part = part->next; > + header = part->elts; > + i = 0; > + } > + > + if (header[i].hash == 0) { > + continue; > + } > + > + len += header[i].key.len + sizeof(": ") - 1 > + + header[i].value.len + sizeof(CRLF) - 1; > + } > + > + if (len == 0) { > + return NULL; See above, generating here an empty last-chunk might be better approach. > + } > + > + if (emit_crlf) { > + len += sizeof(CRLF) - 1; > + } It might worth to always add CRLF, and skip it in the ngx_http_chunked_body_filter() filter if not needed. > + > + len += sizeof("0") - 1 + sizeof(CRLF) - 1 + sizeof(CRLF) - 1; There is no need to write sizeof() so many times, just len += sizeof(CRLF "0" CRLF CRLF) - 1; would be enough. > + > + ctx = ngx_http_get_module_ctx(r, ngx_http_chunked_filter_module); > + > + cl = ngx_chain_get_free_buf(r->pool, &ctx->free); > + if (cl == NULL) { > + return NULL; > + } > + > + b = cl->buf; > + > + b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; > + b->temporary = 0; > + b->memory = 1; > + b->last_buf = 1; > + > + b->start = ngx_palloc(r->pool, len); > + if (b->start == NULL) { > + return NULL; > + } > + > + b->end = b->last + len; > + b->pos = b->start; > + b->last = b->start; > + > + if (emit_crlf) { > + *b->last++ = CR; *b->last++ = LF; > + } > + > + *b->last++ = '0'; > + *b->last++ = CR; *b->last++ = LF; > + > + part = &r->headers_out.trailers.part; > + header = part->elts; > + > + for (i = 0; /* void */; i++) { > + > + if (i >= part->nelts) { > + if (part->next == NULL) { > + break; > + } > + > + part = part->next; > + header = part->elts; > + i = 0; > + } > + > + if (header[i].hash == 0) { > + continue; > + } > + > + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, > + "http trailer: \"%V: %V\"", > + &header[i].key, &header[i].value); > + > + b->last = ngx_copy(b->last, header[i].key.data, header[i].key.len); > + *b->last++ = ':'; *b->last++ = ' '; > + > + b->last = ngx_copy(b->last, header[i].value.data, header[i].value.len); > + *b->last++ = CR; *b->last++ = LF; > + } > + > + *b->last++ = CR; *b->last++ = LF; > + > + return cl; > +} > + > + > static ngx_int_t > ngx_http_chunked_filter_init(ngx_conf_t *cf) > { > diff -r 716852cce913 -r b0a910ad4941 src/http/ngx_http_core_module.c > --- a/src/http/ngx_http_core_module.c > +++ b/src/http/ngx_http_core_module.c > @@ -2484,6 +2484,13 @@ ngx_http_subrequest(ngx_http_request_t * > return NGX_ERROR; > } > > + if (ngx_list_init(&sr->headers_out.trailers, r->pool, 4, > + sizeof(ngx_table_elt_t)) > + != NGX_OK) > + { > + return NGX_ERROR; > + } > + > cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); > sr->main_conf = cscf->ctx->main_conf; > sr->srv_conf = cscf->ctx->srv_conf; > diff -r 716852cce913 -r b0a910ad4941 src/http/ngx_http_request.c > --- a/src/http/ngx_http_request.c > +++ b/src/http/ngx_http_request.c > @@ -562,6 +562,14 @@ ngx_http_create_request(ngx_connection_t > return NULL; > } > > + if (ngx_list_init(&r->headers_out.trailers, r->pool, 4, > + sizeof(ngx_table_elt_t)) > + != NGX_OK) > + { > + ngx_destroy_pool(r->pool); > + return NULL; > + } > + > r->ctx = ngx_pcalloc(r->pool, sizeof(void *) * ngx_http_max_module); > if (r->ctx == NULL) { > ngx_destroy_pool(r->pool); > diff -r 716852cce913 -r b0a910ad4941 src/http/ngx_http_request.h > --- a/src/http/ngx_http_request.h > +++ b/src/http/ngx_http_request.h > @@ -252,6 +252,7 @@ typedef struct { > > typedef struct { > ngx_list_t headers; > + ngx_list_t trailers; > > ngx_uint_t status; > ngx_str_t status_line; > @@ -514,6 +515,7 @@ struct ngx_http_request_s { > unsigned pipeline:1; > unsigned chunked:1; > unsigned header_only:1; > + unsigned expect_trailers:1; > unsigned keepalive:1; > unsigned lingering_close:1; > unsigned discard_body:1; > diff -r 716852cce913 -r b0a910ad4941 src/http/ngx_http_variables.c > --- a/src/http/ngx_http_variables.c > +++ b/src/http/ngx_http_variables.c > @@ -38,6 +38,8 @@ static ngx_int_t ngx_http_variable_unkno > ngx_http_variable_value_t *v, uintptr_t data); > static ngx_int_t ngx_http_variable_unknown_header_out(ngx_http_request_t *r, > ngx_http_variable_value_t *v, uintptr_t data); > +static ngx_int_t ngx_http_variable_unknown_trailer_out(ngx_http_request_t *r, > + ngx_http_variable_value_t *v, uintptr_t data); > static ngx_int_t ngx_http_variable_request_line(ngx_http_request_t *r, > ngx_http_variable_value_t *v, uintptr_t data); > static ngx_int_t ngx_http_variable_cookie(ngx_http_request_t *r, > @@ -365,6 +367,9 @@ static ngx_http_variable_t ngx_http_cor > { ngx_string("sent_http_"), NULL, ngx_http_variable_unknown_header_out, > 0, NGX_HTTP_VAR_PREFIX, 0 }, > > + { ngx_string("sent_trailer_"), NULL, ngx_http_variable_unknown_trailer_out, > + 0, NGX_HTTP_VAR_PREFIX, 0 }, > + > { ngx_string("cookie_"), NULL, ngx_http_variable_cookie, > 0, NGX_HTTP_VAR_PREFIX, 0 }, > > @@ -934,6 +939,16 @@ ngx_http_variable_unknown_header_out(ngx > } > > > +static ngx_int_t > +ngx_http_variable_unknown_trailer_out(ngx_http_request_t *r, > + ngx_http_variable_value_t *v, uintptr_t data) > +{ > + return ngx_http_variable_unknown_header(v, (ngx_str_t *) data, > + &r->headers_out.trailers.part, > + sizeof("sent_trailer_") - 1); > +} > + > + > ngx_int_t > ngx_http_variable_unknown_header(ngx_http_variable_value_t *v, ngx_str_t *var, > ngx_list_part_t *part, size_t prefix) > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Fri Jun 2 16:20:39 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 2 Jun 2017 19:20:39 +0300 Subject: [PATCH 2 of 3] Headers filter: add "add_trailer" directive In-Reply-To: References: <5bab17ebe2b1f8ec42cf.1491211932@piotrsikora.sfo.corp.google.com> <20170421174207.GB43932@mdounin.ru> Message-ID: <20170602162039.GV55433@mdounin.ru> Hello! On Fri, Jun 02, 2017 at 02:10:07AM -0700, Piotr Sikora via nginx-devel wrote: > Hey Maxim, > > > This introduces a layering violation between the headers filter > > and the chunked filter. > > I moved trailer generation to headers filter, let me know if that works for you. > > Unfortunately, because of that change, trailers are evaluated earlier > in the process, and some variables from body filters that run after > headers filter (like $gzip_ratio) are not usable anymore. This looks better. If there is a need to evaluate trailers later, a separate module could be added to a later stage, like it is done with ngx_http_range_header_filter vs. ngx_http_range_body_filter. [...] > > Predicting conditions which will result in header-only response > > looks really fragile. As well as checks for chunked transfer > > encoding. > > Sending "Trailer" header in responses that cannot have response body > is known to result in interoperability issues, so I'd rather leave it, > see: > https://github.com/nodejs/node/issues/2842 So may be not generating "Trailer" is a way to go? It doesn't seem to be really needed. (Just for the record, with the first patch fixed to avoid using chunked with HTTP/1.0, the "Trailer" header is expectedly still added with HTTP/1.0. This confirms the idea that the approach choosen is somewhat fragile.) [...] > > Note that at this point we do not know if the trailer in question > > is going to be present in the particular response or not, as > > trailers with empty values are not returned (and this is often > > used to only return some headers in some responses, at least with > > add_header). > > But we know that it might be present. > > "Trailer" header is an indicator. The question is: if we need this indicator to be sent to a particular client. For example, if you are using trailers to pass additional logging information to your own frontends, and use something like geo $mine { 127.0.0.1/8 1; } map $mine $x_request_time { 1 $request_time; } add_trailer X-Response-Time $x_request_time; to send the information to your frontends, but not other clients, you probably don't want the X-Response-Time trailer to be indicated to other clients. > > It might be a better idea to avoid generating the > > "Trailer" header automatically and let users to control this with > > add_header instead, and/or introduce an option to control this. > > That sounds like a terrible idea, which will result in always missing > "Trailer" header. Acutally I don't see how it's a problem, given that "Trailer" is not something required. Moreover, it seems to be not needed or even harmful in most of the use cases discussed. [...] -- Maxim Dounin http://nginx.org/ From piotrsikora at google.com Sat Jun 3 03:32:26 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 2 Jun 2017 20:32:26 -0700 Subject: [PATCH 1 of 3] HTTP: add support for trailers in HTTP responses In-Reply-To: <20170602123035.GT55433@mdounin.ru> References: <8af81a0d66c0f69bcf50.1491211931@piotrsikora.sfo.corp.google.com> <20170421174201.GA43932@mdounin.ru> <20170427184623.GD43932@mdounin.ru> <20170503140018.GN43932@mdounin.ru> <20170602123035.GT55433@mdounin.ru> Message-ID: Hey Maxim, > I see two problems here: > > a. There may be use cases when forcing chunked encoding is not > desired, but emitting trailers if it is used still makes sense. Like what, exactly? Also, gzip module forces chunked encoding and it works just fine. I don't see why are you making this such a big deal out of this. > b. Nothing stops modules from changing r->expect_trailers when the > response header was already sent and it is already too late to > switch to chunked transfer encoding. Moreover, this will > naturally happen with any module which is simply following the > requirement to set r->expect_trailers to 1 as in your commit log. Same is true for majority of ngx_http_request_t fields, i.e. bad things can happen if some module misuses them. > So (a) makes (2) excessively limiting, and (b) makes it useless. I disagree. Removing this check results in less consistent behavior and doesn't solve any real problems. Having said that, I'm going to remove it, since I don't want to spend another few months arguing about this... Best regards, Piotr Sikora From piotrsikora at google.com Sat Jun 3 03:32:31 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 2 Jun 2017 20:32:31 -0700 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses In-Reply-To: <20170602153607.GU55433@mdounin.ru> References: <20170602153607.GU55433@mdounin.ru> Message-ID: Hey Maxim, > Note: the "TE: trailers" requirement is no longer present in the > code. Good catch, thanks! > This code results in using chunked encoding for HTTP/1.0 when > trailers are expected. Such behaviour is explicitly forbidden by > the HTTP/1.1 specification, and will very likely result in > problems (we've seen lots of such problems with broken backends > when there were no HTTP/1.1 support in the proxy module). Oops, this regression is a result of removal of r->accept_trailers, which previously disallowed trailers in HTTP/1.0 requests. > Something like this should be a better solution: > > if (r->headers_out.content_length_n == -1 > || r->expect_trailers) > { > clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); > > if (r->http_version >= NGX_HTTP_VERSION_11 > && clcf->chunked_transfer_encoding) > { > if (r->expect_trailers) { > ngx_http_clear_content_length(r); > } > > r->chunked = 1; > > ctx = ngx_pcalloc(r->pool, > sizeof(ngx_http_chunked_filter_ctx_t)); > if (ctx == NULL) { > return NGX_ERROR; > } > > ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); > > } else if (r->headers_out.content_length_n == -1) { > r->keepalive = 0; > } > } Applied with small style changes. > Instead of providing two separate code paths for "with trailer > headers" and "without trailer headers", it might be better and > more readable to generate last-chunk in one function regardless of > whether trailer headers are present or not. > > It will also make error handling better: as of now, an allocation > error in ngx_http_chunked_create_trailers() will result in "no > trailers" code path being tried instead of returning an > unconditional error. Done. > There is no need to write sizeof() so many times, just > > len += sizeof(CRLF "0" CRLF CRLF) - 1; > > would be enough. Done. Best regards, Piotr Sikora From piotrsikora at google.com Sat Jun 3 03:33:45 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 02 Jun 2017 20:33:45 -0700 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses In-Reply-To: References: Message-ID: <41c09a2fd90410e25ad8.1496460825@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1490351854 25200 # Fri Mar 24 03:37:34 2017 -0700 # Node ID 41c09a2fd90410e25ad8515793bd48028001c954 # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 Added support for trailers in HTTP responses. Example: ngx_table_elt_t *h; h = ngx_list_push(&r->headers_out.trailers); if (h == NULL) { return NGX_ERROR; } ngx_str_set(&h->key, "Fun"); ngx_str_set(&h->value, "with trailers"); h->hash = ngx_hash_key_lc(h->key.data, h->key.len); The code above adds "Fun: with trailers" trailer to the response. Modules that want to emit trailers must set r->expect_trailers = 1 in header filter, otherwise they might not be emitted for HTTP/1.1 responses that aren't already chunked. This change also adds $sent_trailer_* variables. Signed-off-by: Piotr Sikora diff -r 716852cce913 -r 41c09a2fd904 src/http/modules/ngx_http_chunked_filter_module.c --- a/src/http/modules/ngx_http_chunked_filter_module.c +++ b/src/http/modules/ngx_http_chunked_filter_module.c @@ -17,6 +17,7 @@ typedef struct { static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf); +static ngx_chain_t *ngx_http_chunked_create_trailers(ngx_http_request_t *r); static ngx_http_module_t ngx_http_chunked_filter_module_ctx = { @@ -69,27 +70,28 @@ ngx_http_chunked_header_filter(ngx_http_ return ngx_http_next_header_filter(r); } - if (r->headers_out.content_length_n == -1) { - if (r->http_version < NGX_HTTP_VERSION_11) { + if (r->headers_out.content_length_n == -1 || r->expect_trailers) { + + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + + if (r->http_version >= NGX_HTTP_VERSION_11 + && clcf->chunked_transfer_encoding) + { + if (r->expect_trailers) { + ngx_http_clear_content_length(r); + } + + r->chunked = 1; + + ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_chunked_filter_ctx_t)); + if (ctx == NULL) { + return NGX_ERROR; + } + + ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); + + } else if (r->headers_out.content_length_n == -1) { r->keepalive = 0; - - } else { - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (clcf->chunked_transfer_encoding) { - r->chunked = 1; - - ctx = ngx_pcalloc(r->pool, - sizeof(ngx_http_chunked_filter_ctx_t)); - if (ctx == NULL) { - return NGX_ERROR; - } - - ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); - - } else { - r->keepalive = 0; - } } } @@ -179,26 +181,17 @@ ngx_http_chunked_body_filter(ngx_http_re } if (cl->buf->last_buf) { - tl = ngx_chain_get_free_buf(r->pool, &ctx->free); + tl = ngx_http_chunked_create_trailers(r); if (tl == NULL) { return NGX_ERROR; } - b = tl->buf; - - b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; - b->temporary = 0; - b->memory = 1; - b->last_buf = 1; - b->pos = (u_char *) CRLF "0" CRLF CRLF; - b->last = b->pos + 7; - cl->buf->last_buf = 0; *ll = tl; if (size == 0) { - b->pos += 2; + tl->buf->pos += 2; } } else if (size > 0) { @@ -230,6 +223,105 @@ ngx_http_chunked_body_filter(ngx_http_re } +static ngx_chain_t * +ngx_http_chunked_create_trailers(ngx_http_request_t *r) +{ + size_t len; + ngx_buf_t *b; + ngx_uint_t i; + ngx_chain_t *cl; + ngx_list_part_t *part; + ngx_table_elt_t *header; + ngx_http_chunked_filter_ctx_t *ctx; + + len = sizeof(CRLF "0" CRLF CRLF) - 1; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + len += header[i].key.len + sizeof(": ") - 1 + + header[i].value.len + sizeof(CRLF) - 1; + } + + ctx = ngx_http_get_module_ctx(r, ngx_http_chunked_filter_module); + + cl = ngx_chain_get_free_buf(r->pool, &ctx->free); + if (cl == NULL) { + return NULL; + } + + b = cl->buf; + + b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; + b->temporary = 0; + b->memory = 1; + b->last_buf = 1; + + b->start = ngx_palloc(r->pool, len); + if (b->start == NULL) { + return NULL; + } + + b->end = b->last + len; + b->pos = b->start; + b->last = b->start; + + *b->last++ = CR; *b->last++ = LF; + *b->last++ = '0'; + *b->last++ = CR; *b->last++ = LF; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http trailer: \"%V: %V\"", + &header[i].key, &header[i].value); + + b->last = ngx_copy(b->last, header[i].key.data, header[i].key.len); + *b->last++ = ':'; *b->last++ = ' '; + + b->last = ngx_copy(b->last, header[i].value.data, header[i].value.len); + *b->last++ = CR; *b->last++ = LF; + } + + *b->last++ = CR; *b->last++ = LF; + + return cl; +} + + static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf) { diff -r 716852cce913 -r 41c09a2fd904 src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -2484,6 +2484,13 @@ ngx_http_subrequest(ngx_http_request_t * return NGX_ERROR; } + if (ngx_list_init(&sr->headers_out.trailers, r->pool, 4, + sizeof(ngx_table_elt_t)) + != NGX_OK) + { + return NGX_ERROR; + } + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); sr->main_conf = cscf->ctx->main_conf; sr->srv_conf = cscf->ctx->srv_conf; diff -r 716852cce913 -r 41c09a2fd904 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -562,6 +562,14 @@ ngx_http_create_request(ngx_connection_t return NULL; } + if (ngx_list_init(&r->headers_out.trailers, r->pool, 4, + sizeof(ngx_table_elt_t)) + != NGX_OK) + { + ngx_destroy_pool(r->pool); + return NULL; + } + r->ctx = ngx_pcalloc(r->pool, sizeof(void *) * ngx_http_max_module); if (r->ctx == NULL) { ngx_destroy_pool(r->pool); diff -r 716852cce913 -r 41c09a2fd904 src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -252,6 +252,7 @@ typedef struct { typedef struct { ngx_list_t headers; + ngx_list_t trailers; ngx_uint_t status; ngx_str_t status_line; @@ -514,6 +515,7 @@ struct ngx_http_request_s { unsigned pipeline:1; unsigned chunked:1; unsigned header_only:1; + unsigned expect_trailers:1; unsigned keepalive:1; unsigned lingering_close:1; unsigned discard_body:1; diff -r 716852cce913 -r 41c09a2fd904 src/http/ngx_http_variables.c --- a/src/http/ngx_http_variables.c +++ b/src/http/ngx_http_variables.c @@ -38,6 +38,8 @@ static ngx_int_t ngx_http_variable_unkno ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_unknown_header_out(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); +static ngx_int_t ngx_http_variable_unknown_trailer_out(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_request_line(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_cookie(ngx_http_request_t *r, @@ -365,6 +367,9 @@ static ngx_http_variable_t ngx_http_cor { ngx_string("sent_http_"), NULL, ngx_http_variable_unknown_header_out, 0, NGX_HTTP_VAR_PREFIX, 0 }, + { ngx_string("sent_trailer_"), NULL, ngx_http_variable_unknown_trailer_out, + 0, NGX_HTTP_VAR_PREFIX, 0 }, + { ngx_string("cookie_"), NULL, ngx_http_variable_cookie, 0, NGX_HTTP_VAR_PREFIX, 0 }, @@ -934,6 +939,16 @@ ngx_http_variable_unknown_header_out(ngx } +static ngx_int_t +ngx_http_variable_unknown_trailer_out(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data) +{ + return ngx_http_variable_unknown_header(v, (ngx_str_t *) data, + &r->headers_out.trailers.part, + sizeof("sent_trailer_") - 1); +} + + ngx_int_t ngx_http_variable_unknown_header(ngx_http_variable_value_t *v, ngx_str_t *var, ngx_list_part_t *part, size_t prefix) From piotrsikora at google.com Sat Jun 3 03:33:46 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 02 Jun 2017 20:33:46 -0700 Subject: [PATCH 2 of 3] HTTP/2: added support for trailers in HTTP responses In-Reply-To: References: Message-ID: <8d74ff6c2015180f5c1f.1496460826@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1493191954 25200 # Wed Apr 26 00:32:34 2017 -0700 # Node ID 8d74ff6c2015180f5c1f399f492214d7d0a52b3f # Parent 41c09a2fd90410e25ad8515793bd48028001c954 HTTP/2: added support for trailers in HTTP responses. Signed-off-by: Piotr Sikora diff -r 41c09a2fd904 -r 8d74ff6c2015 src/http/v2/ngx_http_v2_filter_module.c --- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c @@ -50,13 +50,17 @@ #define NGX_HTTP_V2_SERVER_INDEX 54 #define NGX_HTTP_V2_VARY_INDEX 59 +#define NGX_HTTP_V2_FRAME_ERROR (ngx_http_v2_out_frame_t *) -1 + static u_char *ngx_http_v2_string_encode(u_char *dst, u_char *src, size_t len, u_char *tmp, ngx_uint_t lower); static u_char *ngx_http_v2_write_int(u_char *pos, ngx_uint_t prefix, ngx_uint_t value); static ngx_http_v2_out_frame_t *ngx_http_v2_create_headers_frame( - ngx_http_request_t *r, u_char *pos, u_char *end); + ngx_http_request_t *r, u_char *pos, u_char *end, ngx_uint_t fin); +static ngx_http_v2_out_frame_t *ngx_http_v2_create_trailers_frame( + ngx_http_request_t *r); static ngx_chain_t *ngx_http_v2_send_chain(ngx_connection_t *fc, ngx_chain_t *in, off_t limit); @@ -612,7 +616,7 @@ ngx_http_v2_header_filter(ngx_http_reque header[i].value.len, tmp); } - frame = ngx_http_v2_create_headers_frame(r, start, pos); + frame = ngx_http_v2_create_headers_frame(r, start, pos, r->header_only); if (frame == NULL) { return NGX_ERROR; } @@ -636,6 +640,126 @@ ngx_http_v2_header_filter(ngx_http_reque } +static ngx_http_v2_out_frame_t * +ngx_http_v2_create_trailers_frame(ngx_http_request_t *r) +{ + u_char *pos, *start, *tmp; + size_t len, tmp_len; + ngx_uint_t i; + ngx_list_part_t *part; + ngx_table_elt_t *header; + ngx_http_v2_out_frame_t *frame; + + len = 0; + tmp_len = 0; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, + "too long response trailer name: \"%V\"", + &header[i].key); + + return NGX_HTTP_V2_FRAME_ERROR; + } + + if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, + "too long response trailer value: \"%V: %V\"", + &header[i].key, &header[i].value); + + return NGX_HTTP_V2_FRAME_ERROR; + } + + len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len + + NGX_HTTP_V2_INT_OCTETS + header[i].value.len; + + if (header[i].key.len > tmp_len) { + tmp_len = header[i].key.len; + } + + if (header[i].value.len > tmp_len) { + tmp_len = header[i].value.len; + } + } + + if (len == 0) { + return NULL; + } + + tmp = ngx_palloc(r->pool, tmp_len); + pos = ngx_pnalloc(r->pool, len); + + if (pos == NULL || tmp == NULL) { + return NGX_HTTP_V2_FRAME_ERROR; + } + + start = pos; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + +#if (NGX_DEBUG) + if (r->connection->log->log_level & NGX_LOG_DEBUG_HTTP) { + ngx_strlow(tmp, header[i].key.data, header[i].key.len); + + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http2 output trailer: \"%*s: %V\"", + header[i].key.len, tmp, &header[i].value); + } +#endif + + *pos++ = 0; + + pos = ngx_http_v2_write_name(pos, header[i].key.data, + header[i].key.len, tmp); + + pos = ngx_http_v2_write_value(pos, header[i].value.data, + header[i].value.len, tmp); + } + + frame = ngx_http_v2_create_headers_frame(r, start, pos, 1); + if (frame == NULL) { + return NGX_HTTP_V2_FRAME_ERROR; + } + + return frame; +} + + static u_char * ngx_http_v2_string_encode(u_char *dst, u_char *src, size_t len, u_char *tmp, ngx_uint_t lower) @@ -686,7 +810,7 @@ ngx_http_v2_write_int(u_char *pos, ngx_u static ngx_http_v2_out_frame_t * ngx_http_v2_create_headers_frame(ngx_http_request_t *r, u_char *pos, - u_char *end) + u_char *end, ngx_uint_t fin) { u_char type, flags; size_t rest, frame_size; @@ -707,12 +831,12 @@ ngx_http_v2_create_headers_frame(ngx_htt frame->stream = stream; frame->length = rest; frame->blocked = 1; - frame->fin = r->header_only; + frame->fin = fin; ll = &frame->first; type = NGX_HTTP_V2_HEADERS_FRAME; - flags = r->header_only ? NGX_HTTP_V2_END_STREAM_FLAG : NGX_HTTP_V2_NO_FLAG; + flags = fin ? NGX_HTTP_V2_END_STREAM_FLAG : NGX_HTTP_V2_NO_FLAG; frame_size = stream->connection->frame_size; for ( ;; ) { @@ -776,7 +900,7 @@ ngx_http_v2_create_headers_frame(ngx_htt continue; } - b->last_buf = r->header_only; + b->last_buf = fin; cl->next = NULL; frame->last = cl; @@ -798,7 +922,7 @@ ngx_http_v2_send_chain(ngx_connection_t ngx_http_request_t *r; ngx_http_v2_stream_t *stream; ngx_http_v2_loc_conf_t *h2lcf; - ngx_http_v2_out_frame_t *frame; + ngx_http_v2_out_frame_t *frame, *trailers; ngx_http_v2_connection_t *h2c; r = fc->data; @@ -872,6 +996,8 @@ ngx_http_v2_send_chain(ngx_connection_t frame_size = (h2lcf->chunk_size < h2c->frame_size) ? h2lcf->chunk_size : h2c->frame_size; + trailers = NULL; + #if (NGX_SUPPRESS_WARN) cl = NULL; #endif @@ -934,17 +1060,36 @@ ngx_http_v2_send_chain(ngx_connection_t size -= rest; } - frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, out, cl); - if (frame == NULL) { - return NGX_CHAIN_ERROR; + if (cl->buf->last_buf) { + trailers = ngx_http_v2_create_trailers_frame(r); + if (trailers == NGX_HTTP_V2_FRAME_ERROR) { + return NGX_CHAIN_ERROR; + } + + if (trailers) { + cl->buf->last_buf = 0; + } } - ngx_http_v2_queue_frame(h2c, frame); + if (frame_size || cl->buf->last_buf) { + frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, out, + cl); + if (frame == NULL) { + return NGX_CHAIN_ERROR; + } - h2c->send_window -= frame_size; + ngx_http_v2_queue_frame(h2c, frame); - stream->send_window -= frame_size; - stream->queued++; + h2c->send_window -= frame_size; + + stream->send_window -= frame_size; + stream->queued++; + } + + if (trailers) { + ngx_http_v2_queue_frame(h2c, trailers); + stream->queued++; + } if (in == NULL) { break; From piotrsikora at google.com Sat Jun 3 03:33:47 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 02 Jun 2017 20:33:47 -0700 Subject: [PATCH 3 of 3] Headers filter: added "add_trailer" directive In-Reply-To: References: Message-ID: # HG changeset patch # User Piotr Sikora # Date 1490351854 25200 # Fri Mar 24 03:37:34 2017 -0700 # Node ID acdc80c0d4ef8aa2519e2882ff1a3bd4a316ad81 # Parent 8d74ff6c2015180f5c1f399f492214d7d0a52b3f Headers filter: added "add_trailer" directive. Trailers added using this directive are evaluated after response body is processed by output filters (but before it's written to the wire), so it's possible to use variables calculated from the response body as the trailer value. Signed-off-by: Piotr Sikora diff -r 8d74ff6c2015 -r acdc80c0d4ef src/http/modules/ngx_http_headers_filter_module.c --- a/src/http/modules/ngx_http_headers_filter_module.c +++ b/src/http/modules/ngx_http_headers_filter_module.c @@ -48,6 +48,7 @@ typedef struct { time_t expires_time; ngx_http_complex_value_t *expires_value; ngx_array_t *headers; + ngx_array_t *trailers; } ngx_http_headers_conf_t; @@ -72,6 +73,8 @@ static char *ngx_http_headers_expires(ng void *conf); static char *ngx_http_headers_add(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); +static char *ngx_http_headers_add_trailer(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); static ngx_http_set_header_t ngx_http_set_headers[] = { @@ -108,6 +111,14 @@ static ngx_command_t ngx_http_headers_f 0, NULL }, + { ngx_string("add_trailer"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF + |NGX_CONF_TAKE23, + ngx_http_headers_add_trailer, + NGX_HTTP_LOC_CONF_OFFSET, + 0, + NULL }, + ngx_null_command }; @@ -144,6 +155,7 @@ ngx_module_t ngx_http_headers_filter_mo static ngx_http_output_header_filter_pt ngx_http_next_header_filter; +static ngx_http_output_body_filter_pt ngx_http_next_body_filter; static ngx_int_t @@ -154,10 +166,15 @@ ngx_http_headers_filter(ngx_http_request ngx_http_header_val_t *h; ngx_http_headers_conf_t *conf; + if (r != r->main) { + return ngx_http_next_header_filter(r); + } + conf = ngx_http_get_module_loc_conf(r, ngx_http_headers_filter_module); - if ((conf->expires == NGX_HTTP_EXPIRES_OFF && conf->headers == NULL) - || r != r->main) + if (conf->expires == NGX_HTTP_EXPIRES_OFF + && conf->headers == NULL + && conf->trailers == NULL) { return ngx_http_next_header_filter(r); } @@ -206,11 +223,103 @@ ngx_http_headers_filter(ngx_http_request } } + if (conf->trailers) { + h = conf->trailers->elts; + for (i = 0; i < conf->trailers->nelts; i++) { + + if (!safe_status && !h[i].always) { + continue; + } + + if (h[i].value.value.len) { + r->expect_trailers = 1; + break; + } + } + } + return ngx_http_next_header_filter(r); } static ngx_int_t +ngx_http_trailers_filter(ngx_http_request_t *r, ngx_chain_t *in) +{ + ngx_str_t value; + ngx_uint_t i, safe_status; + ngx_chain_t *cl; + ngx_table_elt_t *t; + ngx_http_header_val_t *h; + ngx_http_headers_conf_t *conf; + + conf = ngx_http_get_module_loc_conf(r, ngx_http_headers_filter_module); + + if (in == NULL + || conf->trailers == NULL + || !r->expect_trailers + || r->header_only) + { + return ngx_http_next_body_filter(r, in); + } + + for (cl = in; cl; cl = cl->next) { + if (cl->buf->last_buf) { + break; + } + } + + if (cl == NULL) { + return ngx_http_next_body_filter(r, in); + } + + switch (r->headers_out.status) { + + case NGX_HTTP_OK: + case NGX_HTTP_CREATED: + case NGX_HTTP_NO_CONTENT: + case NGX_HTTP_PARTIAL_CONTENT: + case NGX_HTTP_MOVED_PERMANENTLY: + case NGX_HTTP_MOVED_TEMPORARILY: + case NGX_HTTP_SEE_OTHER: + case NGX_HTTP_NOT_MODIFIED: + case NGX_HTTP_TEMPORARY_REDIRECT: + case NGX_HTTP_PERMANENT_REDIRECT: + safe_status = 1; + break; + + default: + safe_status = 0; + break; + } + + h = conf->trailers->elts; + for (i = 0; i < conf->trailers->nelts; i++) { + + if (!safe_status && !h[i].always) { + continue; + } + + if (ngx_http_complex_value(r, &h[i].value, &value) != NGX_OK) { + return NGX_ERROR; + } + + if (value.len) { + t = ngx_list_push(&r->headers_out.trailers); + if (t == NULL) { + return NGX_ERROR; + } + + t->key = h[i].key; + t->value = value; + t->hash = 1; + } + } + + return ngx_http_next_body_filter(r, in); +} + + +static ngx_int_t ngx_http_set_expires(ngx_http_request_t *r, ngx_http_headers_conf_t *conf) { char *err; @@ -557,6 +666,7 @@ ngx_http_headers_create_conf(ngx_conf_t * set by ngx_pcalloc(): * * conf->headers = NULL; + * conf->trailers = NULL; * conf->expires_time = 0; * conf->expires_value = NULL; */ @@ -587,6 +697,10 @@ ngx_http_headers_merge_conf(ngx_conf_t * conf->headers = prev->headers; } + if (conf->trailers == NULL) { + conf->trailers = prev->trailers; + } + return NGX_CONF_OK; } @@ -597,6 +711,9 @@ ngx_http_headers_filter_init(ngx_conf_t ngx_http_next_header_filter = ngx_http_top_header_filter; ngx_http_top_header_filter = ngx_http_headers_filter; + ngx_http_next_body_filter = ngx_http_top_body_filter; + ngx_http_top_body_filter = ngx_http_trailers_filter; + return NGX_OK; } @@ -741,3 +858,63 @@ ngx_http_headers_add(ngx_conf_t *cf, ngx return NGX_CONF_OK; } + + +static char * +ngx_http_headers_add_trailer(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) +{ + ngx_http_headers_conf_t *hcf = conf; + + ngx_str_t *value; + ngx_http_header_val_t *hv; + ngx_http_compile_complex_value_t ccv; + + value = cf->args->elts; + + if (hcf->trailers == NULL) { + hcf->trailers = ngx_array_create(cf->pool, 1, + sizeof(ngx_http_header_val_t)); + if (hcf->trailers == NULL) { + return NGX_CONF_ERROR; + } + } + + hv = ngx_array_push(hcf->trailers); + if (hv == NULL) { + return NGX_CONF_ERROR; + } + + hv->key = value[1]; + hv->handler = NULL; + hv->offset = 0; + hv->always = 0; + + if (value[2].len == 0) { + ngx_memzero(&hv->value, sizeof(ngx_http_complex_value_t)); + + } else { + ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t)); + + ccv.cf = cf; + ccv.value = &value[2]; + ccv.complex_value = &hv->value; + + if (ngx_http_compile_complex_value(&ccv) != NGX_OK) { + return NGX_CONF_ERROR; + } + } + + if (cf->args->nelts == 3) { + return NGX_CONF_OK; + } + + if (ngx_strcmp(value[3].data, "always") != 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid parameter \"%V\"", &value[3]); + return NGX_CONF_ERROR; + } + + hv->always = 1; + + return NGX_CONF_OK; +} From piotrsikora at google.com Sat Jun 3 03:32:35 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Fri, 2 Jun 2017 20:32:35 -0700 Subject: [PATCH 2 of 3] Headers filter: add "add_trailer" directive In-Reply-To: <20170602162039.GV55433@mdounin.ru> References: <5bab17ebe2b1f8ec42cf.1491211932@piotrsikora.sfo.corp.google.com> <20170421174207.GB43932@mdounin.ru> <20170602162039.GV55433@mdounin.ru> Message-ID: Hey Maxim, > (Just for the record, with the first patch fixed to avoid using > chunked with HTTP/1.0, the "Trailer" header is expectedly still > added with HTTP/1.0. This confirms the idea that the approach > choosen is somewhat fragile.) It confirms no such thing. The only thing it confirms is that making major changes during code review for a code that was written almost a year ago is an error-prone process. > The question is: if we need this indicator to be sent to a > particular client. > > For example, if you are using trailers to pass additional logging > information to your own frontends, and use something like > > geo $mine { > 127.0.0.1/8 1; > } > > map $mine $x_request_time { > 1 $request_time; > } > > add_trailer X-Response-Time $x_request_time; > > to send the information to your frontends, but not other clients, > you probably don't want the X-Response-Time trailer to be > indicated to other clients. In such setup, clients would probably talk to frontends. > Acutally I don't see how it's a problem, given that "Trailer" is > not something required. Moreover, it seems to be not needed or > even harmful in most of the use cases discussed. I don't think it's harmful, but I'm not aware of any clients that _require_ "Trailer" header, so I'm going to skip this whole discussion and just remove it. You might always re-add it later if needed. Best regards, Piotr Sikora From borodin at octonica.com Sat Jun 3 06:00:44 2017 From: borodin at octonica.com (Andrew Borodin) Date: Sat, 3 Jun 2017 11:00:44 +0500 Subject: Use primes for hashtable size In-Reply-To: <20170602114603.GR55433@mdounin.ru> References: <20170530130137.GT55433@mdounin.ru> <20170601173951.GO55433@mdounin.ru>

<20170602114603.GR55433@mdounin.ru> Message-ID: Hello world! 2017-06-02 16:46 GMT+05:00 Maxim Dounin : > Hello! > > On Fri, Jun 02, 2017 at 10:56:31AM +1000, Mathew Heard wrote: > >> If this actually yields a decrease in start time while not introducing >> other effects we would use it. Our start time of a couple minutes is >> annoying at times. > > Do you have any details of what contributes to the start time in > your case? > > In general, nginx trades start time to faster operation once > started, and trying to build minimal hash is an example of this > practice. If it results in unacceptable start times we certainly > should optimize it, though I don't think I've seen such cases in > my practice. > > Most time-consuming things during start I've seen so far are: > > - multiple DNS names in the configuration and slow system > resolver; > > - multiple SSL certificates; > > - very large geo{} maps. Mathew could you plz make some profiling? As I see it: 1. htop during nginx start, if you see spikes of CPU proceed to 2, else end; 2. perf top during nginx start, if you see ngx_hash_init proceed to 3, else send here top slow functions 3. measure ngxinx start time with and without this patch Maybe, we could crunch some of these 2 minutes of startup. Thank you for help. Best regards, Andrey Borodin, Octonica. From piotrsikora at google.com Sun Jun 4 03:03:57 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Sat, 03 Jun 2017 20:03:57 -0700 Subject: [PATCH] Proxy: always emit "Host" header first Message-ID: # HG changeset patch # User Piotr Sikora # Date 1489618489 25200 # Wed Mar 15 15:54:49 2017 -0700 # Node ID e472b23fdc387943ea90fb2f0ae415d9d104edc7 # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 Proxy: always emit "Host" header first. Signed-off-by: Piotr Sikora diff -r 716852cce913 -r e472b23fdc38 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -3412,7 +3412,7 @@ ngx_http_proxy_init_headers(ngx_conf_t * uintptr_t *code; ngx_uint_t i; ngx_array_t headers_names, headers_merged; - ngx_keyval_t *src, *s, *h; + ngx_keyval_t *host, *src, *s, *h; ngx_hash_key_t *hk; ngx_hash_init_t hash; ngx_http_script_compile_t sc; @@ -3444,11 +3444,33 @@ ngx_http_proxy_init_headers(ngx_conf_t * return NGX_ERROR; } + h = default_headers; + + if (h->key.len != sizeof("Host") - 1 + || ngx_strcasecmp(h->key.data, (u_char *) "Host") != 0) + { + return NGX_ERROR; + } + + host = ngx_array_push(&headers_merged); + if (host == NULL) { + return NGX_ERROR; + } + + *host = *h++; + if (conf->headers_source) { src = conf->headers_source->elts; for (i = 0; i < conf->headers_source->nelts; i++) { + if (src[i].key.len == sizeof("Host") - 1 + && ngx_strcasecmp(src[i].key.data, (u_char *) "Host") == 0) + { + *host = src[i]; + continue; + } + s = ngx_array_push(&headers_merged); if (s == NULL) { return NGX_ERROR; @@ -3458,8 +3480,6 @@ ngx_http_proxy_init_headers(ngx_conf_t * } } - h = default_headers; - while (h->key.len) { src = headers_merged.elts; From piotrsikora at google.com Sun Jun 4 03:04:00 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Sat, 03 Jun 2017 20:04:00 -0700 Subject: [PATCH] Proxy: split configured header names and values Message-ID: # HG changeset patch # User Piotr Sikora # Date 1489618535 25200 # Wed Mar 15 15:55:35 2017 -0700 # Node ID ff79d6887fc92d0344eac3e87339583265241e36 # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 Proxy: split configured header names and values. Previously, each configured header was represented in one of two ways, depending on whether or not its value included any variables. If the value didn't include any variables, then it would be represented as as a single script that contained complete header line with HTTP/1.1 delimiters, i.e.: "Header: value\r\n" But if the value included any variables, then it would be represented as a series of three scripts: first contained header name and the ":" delimiter, second evaluated to header value, and third contained only "\r\n", i.e.: "Header:" "$value" "\r\n" This commit changes that, so that each configured header is represented as a series of two scripts: first contains only header name, and second contains (or evaluates to) only header value, i.e.: "Header" "$value" or "Header" "value" This not only makes things more consistent, but also allows header name and value to be accessed separately. Signed-off-by: Piotr Sikora diff -r 716852cce913 -r ff79d6887fc9 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -1144,6 +1144,7 @@ static ngx_int_t ngx_http_proxy_create_request(ngx_http_request_t *r) { size_t len, uri_len, loc_len, body_len; + size_t key_len, val_len; uintptr_t escape; ngx_buf_t *b; ngx_str_t method; @@ -1258,10 +1259,17 @@ ngx_http_proxy_create_request(ngx_http_r le.flushed = 1; while (*(uintptr_t *) le.ip) { - while (*(uintptr_t *) le.ip) { + lcode = *(ngx_http_script_len_code_pt *) le.ip; + key_len = lcode(&le); + + for (val_len = 0; *(uintptr_t *) le.ip; val_len += lcode(&le)) { lcode = *(ngx_http_script_len_code_pt *) le.ip; - len += lcode(&le); } + + if (val_len) { + len += key_len + sizeof(": ") - 1 + val_len + sizeof(CRLF) - 1; + } + le.ip += sizeof(uintptr_t); } @@ -1363,28 +1371,32 @@ ngx_http_proxy_create_request(ngx_http_r while (*(uintptr_t *) le.ip) { lcode = *(ngx_http_script_len_code_pt *) le.ip; - - /* skip the header line name length */ (void) lcode(&le); - if (*(ngx_http_script_len_code_pt *) le.ip) { - - for (len = 0; *(uintptr_t *) le.ip; len += lcode(&le)) { - lcode = *(ngx_http_script_len_code_pt *) le.ip; - } - - e.skip = (len == sizeof(CRLF) - 1) ? 1 : 0; - - } else { - e.skip = 0; + for (val_len = 0; *(uintptr_t *) le.ip; val_len += lcode(&le)) { + lcode = *(ngx_http_script_len_code_pt *) le.ip; } le.ip += sizeof(uintptr_t); + e.skip = (val_len == 0) ? 1 : 0; + + code = *(ngx_http_script_code_pt *) e.ip; + code((ngx_http_script_engine_t *) &e); + + if (!e.skip) { + *e.pos++ = ':'; *e.pos++ = ' '; + } + while (*(uintptr_t *) e.ip) { code = *(ngx_http_script_code_pt *) e.ip; code((ngx_http_script_engine_t *) &e); } + + if (!e.skip) { + *e.pos++ = CR; *e.pos++ = LF; + } + e.ip += sizeof(uintptr_t); } @@ -3498,6 +3510,30 @@ ngx_http_proxy_init_headers(ngx_conf_t * continue; } + copy = ngx_array_push_n(headers->lengths, + sizeof(ngx_http_script_copy_code_t)); + if (copy == NULL) { + return NGX_ERROR; + } + + copy->code = (ngx_http_script_code_pt) ngx_http_script_copy_len_code; + copy->len = src[i].key.len; + + size = (sizeof(ngx_http_script_copy_code_t) + + src[i].key.len + sizeof(uintptr_t) - 1) + & ~(sizeof(uintptr_t) - 1); + + copy = ngx_array_push_n(headers->values, size); + if (copy == NULL) { + return NGX_ERROR; + } + + copy->code = ngx_http_script_copy_code; + copy->len = src[i].key.len; + + p = (u_char *) copy + sizeof(ngx_http_script_copy_code_t); + ngx_memcpy(p, src[i].key.data, src[i].key.len); + if (ngx_http_script_variables_count(&src[i].value) == 0) { copy = ngx_array_push_n(headers->lengths, sizeof(ngx_http_script_copy_code_t)); @@ -3507,14 +3543,10 @@ ngx_http_proxy_init_headers(ngx_conf_t * copy->code = (ngx_http_script_code_pt) ngx_http_script_copy_len_code; - copy->len = src[i].key.len + sizeof(": ") - 1 - + src[i].value.len + sizeof(CRLF) - 1; - + copy->len = src[i].value.len; size = (sizeof(ngx_http_script_copy_code_t) - + src[i].key.len + sizeof(": ") - 1 - + src[i].value.len + sizeof(CRLF) - 1 - + sizeof(uintptr_t) - 1) + + src[i].value.len + sizeof(uintptr_t) - 1) & ~(sizeof(uintptr_t) - 1); copy = ngx_array_push_n(headers->values, size); @@ -3523,45 +3555,12 @@ ngx_http_proxy_init_headers(ngx_conf_t * } copy->code = ngx_http_script_copy_code; - copy->len = src[i].key.len + sizeof(": ") - 1 - + src[i].value.len + sizeof(CRLF) - 1; + copy->len = src[i].value.len; p = (u_char *) copy + sizeof(ngx_http_script_copy_code_t); - - p = ngx_cpymem(p, src[i].key.data, src[i].key.len); - *p++ = ':'; *p++ = ' '; - p = ngx_cpymem(p, src[i].value.data, src[i].value.len); - *p++ = CR; *p = LF; + ngx_memcpy(p, src[i].value.data, src[i].value.len); } else { - copy = ngx_array_push_n(headers->lengths, - sizeof(ngx_http_script_copy_code_t)); - if (copy == NULL) { - return NGX_ERROR; - } - - copy->code = (ngx_http_script_code_pt) - ngx_http_script_copy_len_code; - copy->len = src[i].key.len + sizeof(": ") - 1; - - - size = (sizeof(ngx_http_script_copy_code_t) - + src[i].key.len + sizeof(": ") - 1 + sizeof(uintptr_t) - 1) - & ~(sizeof(uintptr_t) - 1); - - copy = ngx_array_push_n(headers->values, size); - if (copy == NULL) { - return NGX_ERROR; - } - - copy->code = ngx_http_script_copy_code; - copy->len = src[i].key.len + sizeof(": ") - 1; - - p = (u_char *) copy + sizeof(ngx_http_script_copy_code_t); - p = ngx_cpymem(p, src[i].key.data, src[i].key.len); - *p++ = ':'; *p = ' '; - - ngx_memzero(&sc, sizeof(ngx_http_script_compile_t)); sc.cf = cf; @@ -3573,33 +3572,6 @@ ngx_http_proxy_init_headers(ngx_conf_t * if (ngx_http_script_compile(&sc) != NGX_OK) { return NGX_ERROR; } - - - copy = ngx_array_push_n(headers->lengths, - sizeof(ngx_http_script_copy_code_t)); - if (copy == NULL) { - return NGX_ERROR; - } - - copy->code = (ngx_http_script_code_pt) - ngx_http_script_copy_len_code; - copy->len = sizeof(CRLF) - 1; - - - size = (sizeof(ngx_http_script_copy_code_t) - + sizeof(CRLF) - 1 + sizeof(uintptr_t) - 1) - & ~(sizeof(uintptr_t) - 1); - - copy = ngx_array_push_n(headers->values, size); - if (copy == NULL) { - return NGX_ERROR; - } - - copy->code = ngx_http_script_copy_code; - copy->len = sizeof(CRLF) - 1; - - p = (u_char *) copy + sizeof(ngx_http_script_copy_code_t); - *p++ = CR; *p = LF; } code = ngx_array_push_n(headers->lengths, sizeof(uintptr_t)); From piotrsikora at google.com Sun Jun 4 03:04:02 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Sat, 03 Jun 2017 20:04:02 -0700 Subject: [PATCH] Proxy: add "proxy_ssl_alpn" directive Message-ID: <7733d946e2651a2486a5.1496545442@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1489621682 25200 # Wed Mar 15 16:48:02 2017 -0700 # Node ID 7733d946e2651a2486a53d912703e2dfaea30421 # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 Proxy: add "proxy_ssl_alpn" directive. ALPN is used here only to indicate which version of the HTTP protocol is going to be used and we doesn't verify that upstream agreed to it. Please note that upstream is allowed to reject SSL connection with a fatal "no_application_protocol" alert if it doesn't support it. Signed-off-by: Piotr Sikora diff -r 716852cce913 -r 7733d946e265 src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -654,6 +654,29 @@ ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_ ngx_int_t +ngx_ssl_alpn_protos(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *protos) +{ +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + + if (SSL_CTX_set_alpn_protos(ssl->ctx, protos->data, protos->len) != 0) { + ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, + "SSL_CTX_set_alpn_protos() failed"); + return NGX_ERROR; + } + + return NGX_OK; + +#else + + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, + "nginx was built with OpenSSL that lacks ALPN support"); + return NGX_ERROR; + +#endif +} + + +ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth) { diff -r 716852cce913 -r 7733d946e265 src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -153,6 +153,8 @@ ngx_int_t ngx_ssl_certificate(ngx_conf_t ngx_str_t *cert, ngx_str_t *key, ngx_array_t *passwords); ngx_int_t ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, ngx_uint_t prefer_server_ciphers); +ngx_int_t ngx_ssl_alpn_protos(ngx_conf_t *cf, ngx_ssl_t *ssl, + ngx_str_t *protos); ngx_int_t ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, ngx_int_t depth); ngx_int_t ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, diff -r 716852cce913 -r 7733d946e265 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -652,6 +652,13 @@ static ngx_command_t ngx_http_proxy_com offsetof(ngx_http_proxy_loc_conf_t, ssl_ciphers), NULL }, + { ngx_string("proxy_ssl_alpn"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, upstream.ssl_alpn), + NULL }, + { ngx_string("proxy_ssl_name"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_http_set_complex_value_slot, @@ -2882,6 +2889,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_ conf->upstream.intercept_errors = NGX_CONF_UNSET; #if (NGX_HTTP_SSL) + conf->upstream.ssl_alpn = NGX_CONF_UNSET; conf->upstream.ssl_session_reuse = NGX_CONF_UNSET; conf->upstream.ssl_server_name = NGX_CONF_UNSET; conf->upstream.ssl_verify = NGX_CONF_UNSET; @@ -3212,6 +3220,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t conf->upstream.ssl_name = prev->upstream.ssl_name; } + ngx_conf_merge_value(conf->upstream.ssl_alpn, + prev->upstream.ssl_alpn, 0); ngx_conf_merge_value(conf->upstream.ssl_server_name, prev->upstream.ssl_server_name, 0); ngx_conf_merge_value(conf->upstream.ssl_verify, @@ -4320,6 +4330,7 @@ ngx_http_proxy_lowat_check(ngx_conf_t *c static ngx_int_t ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) { + ngx_str_t alpn; ngx_pool_cleanup_t *cln; plcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); @@ -4366,6 +4377,24 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n return NGX_ERROR; } + if (plcf->upstream.ssl_alpn) { + + switch (plcf->http_version) { + + case NGX_HTTP_VERSION_10: + ngx_str_set(&alpn, NGX_HTTP_10_ALPN_ADVERTISE); + break; + + case NGX_HTTP_VERSION_11: + ngx_str_set(&alpn, NGX_HTTP_11_ALPN_ADVERTISE); + break; + } + + if (ngx_ssl_alpn_protos(cf, plcf->upstream.ssl, &alpn) != NGX_OK) { + return NGX_ERROR; + } + } + if (plcf->upstream.ssl_verify) { if (plcf->ssl_trusted_certificate.len == 0) { ngx_log_error(NGX_LOG_EMERG, cf->log, 0, diff -r 716852cce913 -r 7733d946e265 src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -17,8 +17,6 @@ typedef ngx_int_t (*ngx_ssl_variable_han #define NGX_DEFAULT_CIPHERS "HIGH:!aNULL:!MD5" #define NGX_DEFAULT_ECDH_CURVE "auto" -#define NGX_HTTP_NPN_ADVERTISE "\x08http/1.1" - #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation static int ngx_http_ssl_alpn_select(ngx_ssl_conn_t *ssl_conn, diff -r 716852cce913 -r 7733d946e265 src/http/ngx_http.h --- a/src/http/ngx_http.h +++ b/src/http/ngx_http.h @@ -13,6 +13,11 @@ #include +#define NGX_HTTP_10_ALPN_ADVERTISE "\x08http/1.0" +#define NGX_HTTP_11_ALPN_ADVERTISE "\x08http/1.1" +#define NGX_HTTP_NPN_ADVERTISE NGX_HTTP_11_ALPN_ADVERTISE + + typedef struct ngx_http_request_s ngx_http_request_t; typedef struct ngx_http_upstream_s ngx_http_upstream_t; typedef struct ngx_http_cache_s ngx_http_cache_t; diff -r 716852cce913 -r 7733d946e265 src/http/ngx_http_upstream.h --- a/src/http/ngx_http_upstream.h +++ b/src/http/ngx_http_upstream.h @@ -224,6 +224,7 @@ typedef struct { #if (NGX_HTTP_SSL || NGX_COMPAT) ngx_ssl_t *ssl; + ngx_flag_t ssl_alpn; ngx_flag_t ssl_session_reuse; ngx_http_complex_value_t *ssl_name; From piotrsikora at google.com Sun Jun 4 03:04:05 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Sat, 03 Jun 2017 20:04:05 -0700 Subject: [PATCH] Upstream: ignore read-readiness if request wasn't sent Message-ID: # HG changeset patch # User Piotr Sikora # Date 1491296505 25200 # Tue Apr 04 02:01:45 2017 -0700 # Node ID bff5ac3da350d8d9225d4204d8aded90fb670f3f # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 Upstream: ignore read-readiness if request wasn't sent. Signed-off-by: Piotr Sikora diff -r 716852cce913 -r bff5ac3da350 src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -2179,8 +2179,12 @@ ngx_http_upstream_process_header(ngx_htt return; } - if (!u->request_sent && ngx_http_upstream_test_connect(c) != NGX_OK) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); + if (!u->request_sent) { + if (ngx_http_upstream_test_connect(c) != NGX_OK) { + ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); + return; + } + return; } From piotrsikora at google.com Sun Jun 4 03:04:07 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Sat, 03 Jun 2017 20:04:07 -0700 Subject: [PATCH] Output chain: propagate flush and last_buf flags to send_chain() Message-ID: <2a48b9b6e67d91594c17.1496545447@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1491708381 25200 # Sat Apr 08 20:26:21 2017 -0700 # Node ID 2a48b9b6e67d91594c1787ebf721daebf5f88c91 # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 Output chain: propagate flush and last_buf flags to send_chain(). Signed-off-by: Piotr Sikora diff -r 716852cce913 -r 2a48b9b6e67d src/core/ngx_output_chain.c --- a/src/core/ngx_output_chain.c +++ b/src/core/ngx_output_chain.c @@ -658,6 +658,7 @@ ngx_chain_writer(void *data, ngx_chain_t ngx_chain_writer_ctx_t *ctx = data; off_t size; + ngx_uint_t flush; ngx_chain_t *cl, *ln, *chain; ngx_connection_t *c; @@ -689,9 +690,10 @@ ngx_chain_writer(void *data, ngx_chain_t size += ngx_buf_size(in->buf); - ngx_log_debug2(NGX_LOG_DEBUG_CORE, c->log, 0, - "chain writer buf fl:%d s:%uO", - in->buf->flush, ngx_buf_size(in->buf)); + ngx_log_debug3(NGX_LOG_DEBUG_CORE, c->log, 0, + "chain writer buf fl:%d l:%d s:%uO", + in->buf->flush, in->buf->last_buf, + ngx_buf_size(in->buf)); cl = ngx_alloc_chain_link(ctx->pool); if (cl == NULL) { @@ -707,6 +709,8 @@ ngx_chain_writer(void *data, ngx_chain_t ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0, "chain writer in: %p", ctx->out); + flush = 0; + for (cl = ctx->out; cl; cl = cl->next) { #if 1 @@ -732,9 +736,13 @@ ngx_chain_writer(void *data, ngx_chain_t #endif size += ngx_buf_size(cl->buf); + + if (cl->buf->flush || cl->buf->last_buf) { + flush = 1; + } } - if (size == 0 && !c->buffered) { + if (size == 0 && !flush && !c->buffered) { return NGX_OK; } From borodin at octonica.com Sun Jun 4 18:22:43 2017 From: borodin at octonica.com (Andrew Borodin) Date: Sun, 4 Jun 2017 23:22:43 +0500 Subject: Use primes for hashtable size In-Reply-To: References: <20170530130137.GT55433@mdounin.ru> <20170601173951.GO55433@mdounin.ru>

<20170602114603.GR55433@mdounin.ru> Message-ID: 2017-06-04 8:35 GMT+05:00 Mathew Heard : > Sorry as the slow starts only occur on the production servers, and I don't > have the time currently to try and replicate elsewhere I can't profile it. > > I know a portion is from the hashtable size as we have gradually increased > it over the years with a positive effect on startup time. Last we tested > setting the bucket size to 128 yields a startup time decrease, but a slight > runtime performance decrease. OK. This seems reasonable. Are your hash sizes more than 10000? In it's present form, patch can radically reduce time to create hashtable, but withdraws guaranty about minimum possible hashtable size. But, for numbers more than 10k there is no such guarantee already, and, actually, patch can produce more compact hashtable. Hence, there is no downsides of using fast size search for tables larger than 10k entries. Will this form of a patch be viable to you? Best regards, Andrey Borodin. From xeioex at nginx.com Mon Jun 5 12:03:42 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Mon, 05 Jun 2017 12:03:42 +0000 Subject: [njs] Fixed possible buffer overrun during numbers parsing. Message-ID: details: http://hg.nginx.org/njs/rev/a782bc08b927 branches: changeset: 350:a782bc08b927 user: Dmitry Volyntsev date: Wed May 31 20:42:15 2017 +0300 description: Fixed possible buffer overrun during numbers parsing. diffstat: njs/njs_number.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 559d256dd65b -r a782bc08b927 njs/njs_number.c --- a/njs/njs_number.c Wed May 31 20:36:01 2017 +0300 +++ b/njs/njs_number.c Wed May 31 20:42:15 2017 +0300 @@ -101,7 +101,7 @@ njs_number_dec_parse(u_char **start, u_c p++; } - if (*p == '.') { + if (p < end && *p == '.') { frac = 0; scale = 1; From xeioex at nginx.com Mon Jun 5 12:03:43 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Mon, 05 Jun 2017 12:03:43 +0000 Subject: [njs] Added support of scientific notation literals. Message-ID: details: http://hg.nginx.org/njs/rev/02a59fe82c7a branches: changeset: 351:02a59fe82c7a user: Dmitry Volyntsev date: Mon Jun 05 14:59:28 2017 +0300 description: Added support of scientific notation literals. diffstat: njs/njs_number.c | 46 +++++++++++++++++- njs/test/njs_unit_test.c | 110 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 152 insertions(+), 4 deletions(-) diffs (197 lines): diff -r a782bc08b927 -r 02a59fe82c7a njs/njs_number.c --- a/njs/njs_number.c Wed May 31 20:42:15 2017 +0300 +++ b/njs/njs_number.c Mon Jun 05 14:59:28 2017 +0300 @@ -80,10 +80,9 @@ njs_value_to_index(njs_value_t *value) double njs_number_dec_parse(u_char **start, u_char *end) { - u_char c, *p; - double num, frac, scale; - - /* TODO: "1e2" */ + u_char c, *e, *p; + double num, frac, scale, exponent; + nxt_bool_t minus; p = *start; @@ -121,6 +120,45 @@ njs_number_dec_parse(u_char **start, u_c num += frac / scale; } + e = p + 1; + + if (e < end && (*p == 'e' || *p == 'E')) { + minus = 0; + + if (e + 1 < end) { + if (*e == '-') { + e++; + minus = 1; + + } else if (*e == '+') { + e++; + } + } + + /* Values below '0' become >= 208. */ + c = *e - '0'; + + if (nxt_fast_path(c <= 9)) { + exponent = c; + p = e + 1; + + while (p < end) { + /* Values below '0' become >= 208. */ + c = *p - '0'; + + if (nxt_slow_path(c > 9)) { + break; + } + + exponent = exponent * 10 + c; + p++; + } + + exponent = minus ? -exponent : exponent; + num = num * pow(10.0, exponent); + } + } + *start = p; return num; diff -r a782bc08b927 -r 02a59fe82c7a njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Wed May 31 20:42:15 2017 +0300 +++ b/njs/test/njs_unit_test.c Mon Jun 05 14:59:28 2017 +0300 @@ -150,6 +150,62 @@ static njs_unit_test_t njs_test[] = { nxt_string("\n +1"), nxt_string("1") }, + /* Scientific notation. */ + + { nxt_string("0e0"), + nxt_string("0") }, + + { nxt_string("0.0e0"), + nxt_string("0") }, + + { nxt_string("1e0"), + nxt_string("1") }, + + { nxt_string("1e1"), + nxt_string("10") }, + + { nxt_string("1.e01"), + nxt_string("10") }, + + { nxt_string("5.7e1"), + nxt_string("57") }, + + { nxt_string("5.7e-1"), + nxt_string("0.570000") }, + + { nxt_string("-5.7e-1"), + nxt_string("-0.570000") }, + + { nxt_string("1.1e-01"), + nxt_string("0.110000") }, + + { nxt_string("5.7e-2"), + nxt_string("0.057000") }, + + { nxt_string("1.1e+01"), + nxt_string("11") }, + + { nxt_string("1e9"), + nxt_string("1000000000") }, + + { nxt_string("1.0e308"), + nxt_string("1e+308") }, + + { nxt_string("1e"), + nxt_string("SyntaxError: Unexpected token \"e\" in 1") }, + + { nxt_string("1.e"), + nxt_string("SyntaxError: Unexpected token \"e\" in 1") }, + + { nxt_string("1e+"), + nxt_string("SyntaxError: Unexpected token \"e\" in 1") }, + + { nxt_string("1.e-"), + nxt_string("SyntaxError: Unexpected token \"e\" in 1") }, + + { nxt_string("1eZ"), + nxt_string("SyntaxError: Unexpected token \"eZ\" in 1") }, + /* Indexes. */ { nxt_string("var a = []; a[-1] = 2; a[-1] == a['-1']"), @@ -299,6 +355,33 @@ static njs_unit_test_t njs_test[] = { nxt_string("5 - '0x2 z'"), nxt_string("NaN") }, + { nxt_string("12 - '5.7e1'"), + nxt_string("-45") }, + + { nxt_string("12 - '5.e1'"), + nxt_string("-38") }, + + { nxt_string("12 - '5.7e+01'"), + nxt_string("-45") }, + + { nxt_string("12 - '5.7e-01'"), + nxt_string("11.43") }, + + { nxt_string("12 - ' 5.7e1 '"), + nxt_string("-45") }, + + { nxt_string("12 - '5.7e'"), + nxt_string("NaN") }, + + { nxt_string("12 - '5.7e+'"), + nxt_string("NaN") }, + + { nxt_string("12 - '5.7e-'"), + nxt_string("NaN") }, + + { nxt_string("12 - ' 5.7e1 z'"), + nxt_string("NaN") }, + { nxt_string("5 - '0x'"), nxt_string("NaN") }, @@ -7210,6 +7293,33 @@ static njs_unit_test_t njs_test[] = { nxt_string("parseFloat('Infinit')"), nxt_string("NaN") }, + { nxt_string("parseFloat('5.7e1')"), + nxt_string("57") }, + + { nxt_string("parseFloat('-5.7e-1')"), + nxt_string("-0.570000") }, + + { nxt_string("parseFloat('-5.e-1')"), + nxt_string("-0.500000") }, + + { nxt_string("parseFloat('5.7e+01')"), + nxt_string("57") }, + + { nxt_string("parseFloat(' 5.7e+01abc')"), + nxt_string("57") }, + + { nxt_string("parseFloat('-5.7e-1abc')"), + nxt_string("-0.570000") }, + + { nxt_string("parseFloat('-5.7e')"), + nxt_string("-5.7") }, + + { nxt_string("parseFloat('-5.7e+')"), + nxt_string("-5.7") }, + + { nxt_string("parseFloat('-5.7e+abc')"), + nxt_string("-5.7") }, + /* Trick: number to boolean. */ { nxt_string("var a = 0; !!a"), From mdounin at mdounin.ru Mon Jun 5 13:09:16 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 5 Jun 2017 16:09:16 +0300 Subject: PSK Support In-Reply-To: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7E3@OLAWPA-EXMB04.ad.garmin.com> References: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7E3@OLAWPA-EXMB04.ad.garmin.com> Message-ID: <20170605130916.GX55433@mdounin.ru> Hello! On Thu, Jun 01, 2017 at 05:20:53PM +0000, Karstens, Nate wrote: > Greetings, > > I'm about push 3 patches that add support for PSK TLS cipher > suites to nginx and thought it would be good to discuss the > feature itself in a separate thread. > > First, PSK support is useful in certain environments that are > not conducive to a full public key infrastructure. The > environment I'm personally working with is the recreational > boating market; we are developing a new industry standard that > relies on HTTPS, secured by PSK, for much of its underlying > security protocol. I think this would also be useful to the IoT > market. A quick search shows that some other users have been > interested in this feature: > > https://forum.nginx.org/read.php?2,272443,272443 > https://stackoverflow.com/questions/22513641/pre-shared-keys-tls-psk-nginx-configuration I have mixed feelings about PSK. On the one hand, it is expected to be better for constrained devices and also may have various performance benefits for internal connections. On the other hand, using a shared key is a big step backwards compared to public-key cryptography. > After applying the patches, one can enable PSK support by adding > a few directives to their nginx.conf: > > 1) "ssl_nocert" -- This disables checks for a certificate within > nginx. By default these checks are enabled because most users > will need a certificate. This is analogous to the "-nocert" > option in the OpenSSL s_server. > 2) "ssl_psk_path" -- This is a local folder that contains all of > the valid PSKs. Each file in the folder is loaded into memory as > a PSK, and its file name is used as the PSK identity. When the > client connects it specifies the identity of the PSK it is using > for the connection. The server looks up the key using hash of > the loaded PSKs and if the keys match then the TLS handshake is > successful. Note that the identity of the PSK is made available > in the variable $ssl_psk_identity. > 3) Add some PSK ciphers to the "ssl_ciphers" directive. Some comments, in no particular order: - the "ssl_nocert" directive looks strange / unneeded, there should be a better way to do this (ssl_certificate with a special value "off"? just assume a certificate is not needed if there are PSK secrets? always require a certificate, and let users who don't need specify a dummy one?); - "ssl_psk_path" seems to be overcomplicated, and yet non-flexible as any change to keys requires configuration reloads; - the only server software with PSK support seems to be stunnel, it might be good to be compatible with the form it uses for PSK secrets (a file with "IDENTITY:KEY" lines); - probably eventually there should be a proxy_ssl_* counterpart, though it is perfectly ok to don't have it for now. -- Maxim Dounin http://nginx.org/ From Nate.Karstens at garmin.com Mon Jun 5 14:08:15 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Mon, 5 Jun 2017 14:08:15 +0000 Subject: PSK Support In-Reply-To: <20170605130916.GX55433@mdounin.ru> References: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7E3@OLAWPA-EXMB04.ad.garmin.com> <20170605130916.GX55433@mdounin.ru> Message-ID: <145451D4E6785E4DA4DFA353A58CB7B2015E15C57F@OLAWPA-EXMB04.ad.garmin.com> Maxim, Thanks for the reply. I understand your concerns about PSK. We discussed it quite a bit, but ultimately decided that a PKI was not practical for our environment. We have to rely on the end user to configure security and any solution using PKI would be so difficult to work with that they just wouldn't bother with security at all. I considered some alternatives on the "ssl_nocert" option. My preference would have been to analyze the supported cipher suites (from "ssl_ciphers") and determine if any include a PSK, but it does not look like OpenSSL exposes APIs to accomplish this. Using a dummy certificate seemed more complicated than the other two suggestions you had (using "ssl_certificate" with a value of "off" or disabling the tests if there are PSK secrets), so I'd prefer one of those two. What is your preference? One advantage of the PSK path concept is that it provides a lot of flexibility. It allows, for example, multiple applications to each independently manage their own PSKs without the need to coordinate changes to a single file (note that in this scenario each application would want to use $ssl_psk_identity to check the key). stunnel uses a single file and seems to assume that keys will be ASCII strings. Its format, for example, would not allow NUL to appear in the string, as that would terminate the key early and, at best, lead to a reduced key size. I might be mistaken, but wouldn't changing a certificate also require reloading the configuration? Do you have some ideas on how this could be done without requiring a reload? I agree on the proxy_ssl_* directives; the same could probably be said for the mail and stream SSL modules. Regards, Nate -----Original Message----- From: nginx-devel [mailto:nginx-devel-bounces at nginx.org] On Behalf Of Maxim Dounin Sent: Monday, June 05, 2017 8:09 AM To: nginx-devel at nginx.org Subject: Re: PSK Support Hello! On Thu, Jun 01, 2017 at 05:20:53PM +0000, Karstens, Nate wrote: > Greetings, > > I'm about push 3 patches that add support for PSK TLS cipher suites to > nginx and thought it would be good to discuss the feature itself in a > separate thread. > > First, PSK support is useful in certain environments that are not > conducive to a full public key infrastructure. The environment I'm > personally working with is the recreational boating market; we are > developing a new industry standard that relies on HTTPS, secured by > PSK, for much of its underlying security protocol. I think this would > also be useful to the IoT market. A quick search shows that some other > users have been interested in this feature: > > https://forum.nginx.org/read.php?2,272443,272443 > https://stackoverflow.com/questions/22513641/pre-shared-keys-tls-psk-n > ginx-configuration I have mixed feelings about PSK. On the one hand, it is expected to be better for constrained devices and also may have various performance benefits for internal connections. On the other hand, using a shared key is a big step backwards compared to public-key cryptography. > After applying the patches, one can enable PSK support by adding a few > directives to their nginx.conf: > > 1) "ssl_nocert" -- This disables checks for a certificate within > nginx. By default these checks are enabled because most users will > need a certificate. This is analogous to the "-nocert" > option in the OpenSSL s_server. > 2) "ssl_psk_path" -- This is a local folder that contains all of the > valid PSKs. Each file in the folder is loaded into memory as a PSK, > and its file name is used as the PSK identity. When the client > connects it specifies the identity of the PSK it is using for the > connection. The server looks up the key using hash of the loaded PSKs > and if the keys match then the TLS handshake is successful. Note that > the identity of the PSK is made available in the variable > $ssl_psk_identity. > 3) Add some PSK ciphers to the "ssl_ciphers" directive. Some comments, in no particular order: - the "ssl_nocert" directive looks strange / unneeded, there should be a better way to do this (ssl_certificate with a special value "off"? just assume a certificate is not needed if there are PSK secrets? always require a certificate, and let users who don't need specify a dummy one?); - "ssl_psk_path" seems to be overcomplicated, and yet non-flexible as any change to keys requires configuration reloads; - the only server software with PSK support seems to be stunnel, it might be good to be compatible with the form it uses for PSK secrets (a file with "IDENTITY:KEY" lines); - probably eventually there should be a proxy_ssl_* counterpart, though it is perfectly ok to don't have it for now. -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From mdounin at mdounin.ru Mon Jun 5 16:29:40 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 5 Jun 2017 19:29:40 +0300 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses In-Reply-To: <41c09a2fd90410e25ad8.1496460825@piotrsikora.sfo.corp.google.com> References: <41c09a2fd90410e25ad8.1496460825@piotrsikora.sfo.corp.google.com> Message-ID: <20170605162940.GY55433@mdounin.ru> Hello! On Fri, Jun 02, 2017 at 08:33:45PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1490351854 25200 > # Fri Mar 24 03:37:34 2017 -0700 > # Node ID 41c09a2fd90410e25ad8515793bd48028001c954 > # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 > Added support for trailers in HTTP responses. > > Example: > > ngx_table_elt_t *h; > > h = ngx_list_push(&r->headers_out.trailers); > if (h == NULL) { > return NGX_ERROR; > } > > ngx_str_set(&h->key, "Fun"); > ngx_str_set(&h->value, "with trailers"); > h->hash = ngx_hash_key_lc(h->key.data, h->key.len); > > The code above adds "Fun: with trailers" trailer to the response. > > Modules that want to emit trailers must set r->expect_trailers = 1 > in header filter, otherwise they might not be emitted for HTTP/1.1 > responses that aren't already chunked. > > This change also adds $sent_trailer_* variables. > > Signed-off-by: Piotr Sikora Overall looks good, see some additional comments below. > > diff -r 716852cce913 -r 41c09a2fd904 src/http/modules/ngx_http_chunked_filter_module.c > --- a/src/http/modules/ngx_http_chunked_filter_module.c > +++ b/src/http/modules/ngx_http_chunked_filter_module.c > @@ -17,6 +17,7 @@ typedef struct { > > > static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf); > +static ngx_chain_t *ngx_http_chunked_create_trailers(ngx_http_request_t *r); > > > static ngx_http_module_t ngx_http_chunked_filter_module_ctx = { > @@ -69,27 +70,28 @@ ngx_http_chunked_header_filter(ngx_http_ > return ngx_http_next_header_filter(r); > } > > - if (r->headers_out.content_length_n == -1) { > - if (r->http_version < NGX_HTTP_VERSION_11) { > + if (r->headers_out.content_length_n == -1 || r->expect_trailers) { > + I actually think that using two lines as initially suggested is more readable and more in line with current style. YMMV. - if (r->headers_out.content_length_n == -1 || r->expect_trailers) { - + if (r->headers_out.content_length_n == -1 + || r->expect_trailers) + { [...] > @@ -230,6 +223,105 @@ ngx_http_chunked_body_filter(ngx_http_re > } > > > +static ngx_chain_t * > +ngx_http_chunked_create_trailers(ngx_http_request_t *r) > +{ [...] > + len += header[i].key.len + sizeof(": ") - 1 > + + header[i].value.len + sizeof(CRLF) - 1; > + } > + > + ctx = ngx_http_get_module_ctx(r, ngx_http_chunked_filter_module); Usual approach is to pass context into internal functions if needed and already available in the calling functions. static ngx_chain_t * -ngx_http_chunked_create_trailers(ngx_http_request_t *r) +ngx_http_chunked_create_trailers(ngx_http_request_t *r, + ngx_http_chunked_filter_ctx_t *ctx) { (and more, see full patch below) > + > + cl = ngx_chain_get_free_buf(r->pool, &ctx->free); > + if (cl == NULL) { > + return NULL; > + } > + > + b = cl->buf; > + > + b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; > + b->temporary = 0; > + b->memory = 1; > + b->last_buf = 1; > + > + b->start = ngx_palloc(r->pool, len); > + if (b->start == NULL) { > + return NULL; > + } I would prefer to preserve the typical code path (when there are no trailers) without an extra allocation. It looks like it would be as trivail as: @@ -273,14 +273,18 @@ ngx_http_chunked_create_trailers(ngx_htt b->memory = 1; b->last_buf = 1; + if (len == sizeof(CRLF "0" CRLF CRLF) - 1) { + b->pos = (u_char *) CRLF "0" CRLF CRLF; + b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; + return cl; + } + b->start = ngx_palloc(r->pool, len); if (b->start == NULL) { return NULL; } Note well that b->start is intentionally not touched in the previous code. As buffers are reused, b->start, if set, is expected to point to a chunk of memory big enough to contain "0000000000000000" CRLF, as allocated in the ngx_http_chunked_body_filter(). While this is not critical in this particular code path, as last-chunk is expected to be only created once, the resulting code is confusing: while it provides b->tag to make the buffer reusable, it doesn't maintain required invariant on b->start. Trivial solution would be to avoid setting b->start / b->end as it was done in the previous code and still done in the CRLF case. - b->start = ngx_palloc(r->pool, len); - if (b->start == NULL) { + b->pos = ngx_palloc(r->pool, len); + if (b->pos == NULL) { return NULL; } - b->end = b->last + len; - b->pos = b->start; - b->last = b->start; + b->last = b->pos; Full patch with the above comments: diff --git a/src/http/modules/ngx_http_chunked_filter_module.c b/src/http/modules/ngx_http_chunked_filter_module.c --- a/src/http/modules/ngx_http_chunked_filter_module.c +++ b/src/http/modules/ngx_http_chunked_filter_module.c @@ -17,7 +17,8 @@ typedef struct { static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf); -static ngx_chain_t *ngx_http_chunked_create_trailers(ngx_http_request_t *r); +static ngx_chain_t *ngx_http_chunked_create_trailers(ngx_http_request_t *r, + ngx_http_chunked_filter_ctx_t *ctx); static ngx_http_module_t ngx_http_chunked_filter_module_ctx = { @@ -70,8 +71,9 @@ ngx_http_chunked_header_filter(ngx_http_ return ngx_http_next_header_filter(r); } - if (r->headers_out.content_length_n == -1 || r->expect_trailers) { - + if (r->headers_out.content_length_n == -1 + || r->expect_trailers) + { clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); if (r->http_version >= NGX_HTTP_VERSION_11 @@ -181,7 +183,7 @@ ngx_http_chunked_body_filter(ngx_http_re } if (cl->buf->last_buf) { - tl = ngx_http_chunked_create_trailers(r); + tl = ngx_http_chunked_create_trailers(r, ctx); if (tl == NULL) { return NGX_ERROR; } @@ -224,15 +226,15 @@ ngx_http_chunked_body_filter(ngx_http_re static ngx_chain_t * -ngx_http_chunked_create_trailers(ngx_http_request_t *r) +ngx_http_chunked_create_trailers(ngx_http_request_t *r, + ngx_http_chunked_filter_ctx_t *ctx) { - size_t len; - ngx_buf_t *b; - ngx_uint_t i; - ngx_chain_t *cl; - ngx_list_part_t *part; - ngx_table_elt_t *header; - ngx_http_chunked_filter_ctx_t *ctx; + size_t len; + ngx_buf_t *b; + ngx_uint_t i; + ngx_chain_t *cl; + ngx_list_part_t *part; + ngx_table_elt_t *header; len = sizeof(CRLF "0" CRLF CRLF) - 1; @@ -259,8 +261,6 @@ ngx_http_chunked_create_trailers(ngx_htt + header[i].value.len + sizeof(CRLF) - 1; } - ctx = ngx_http_get_module_ctx(r, ngx_http_chunked_filter_module); - cl = ngx_chain_get_free_buf(r->pool, &ctx->free); if (cl == NULL) { return NULL; @@ -273,14 +273,18 @@ ngx_http_chunked_create_trailers(ngx_htt b->memory = 1; b->last_buf = 1; - b->start = ngx_palloc(r->pool, len); - if (b->start == NULL) { + if (len == sizeof(CRLF "0" CRLF CRLF) - 1) { + b->pos = (u_char *) CRLF "0" CRLF CRLF; + b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; + return cl; + } + + b->pos = ngx_palloc(r->pool, len); + if (b->pos == NULL) { return NULL; } - b->end = b->last + len; - b->pos = b->start; - b->last = b->start; + b->last = b->pos; *b->last++ = CR; *b->last++ = LF; *b->last++ = '0'; -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Jun 5 17:52:45 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 5 Jun 2017 20:52:45 +0300 Subject: [PATCH 3 of 3] Headers filter: added "add_trailer" directive In-Reply-To: References: Message-ID: <20170605175245.GZ55433@mdounin.ru> Hello! On Fri, Jun 02, 2017 at 08:33:47PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1490351854 25200 > # Fri Mar 24 03:37:34 2017 -0700 > # Node ID acdc80c0d4ef8aa2519e2882ff1a3bd4a316ad81 > # Parent 8d74ff6c2015180f5c1f399f492214d7d0a52b3f > Headers filter: added "add_trailer" directive. > > Trailers added using this directive are evaluated after response body > is processed by output filters (but before it's written to the wire), > so it's possible to use variables calculated from the response body > as the trailer value. > > Signed-off-by: Piotr Sikora Overall looks good, see some comments below. [...] > @@ -206,11 +223,103 @@ ngx_http_headers_filter(ngx_http_request > } > } > > + if (conf->trailers) { > + h = conf->trailers->elts; > + for (i = 0; i < conf->trailers->nelts; i++) { > + > + if (!safe_status && !h[i].always) { > + continue; > + } > + > + if (h[i].value.value.len) { > + r->expect_trailers = 1; > + break; > + } It doesn't look like "if (h[i].value.value.len)" is needed here. It is either true, or the "add_trailer" directive is nop and we already know this while parsing the configuration. - if (h[i].value.value.len) { - r->expect_trailers = 1; - break; - } + r->expect_trailers = 1; + break; [...] > @@ -741,3 +858,63 @@ ngx_http_headers_add(ngx_conf_t *cf, ngx > > return NGX_CONF_OK; > } > + > + > +static char * > +ngx_http_headers_add_trailer(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) > +{ > + ngx_http_headers_conf_t *hcf = conf; > + > + ngx_str_t *value; > + ngx_http_header_val_t *hv; > + ngx_http_compile_complex_value_t ccv; > + > + value = cf->args->elts; > + > + if (hcf->trailers == NULL) { > + hcf->trailers = ngx_array_create(cf->pool, 1, > + sizeof(ngx_http_header_val_t)); > + if (hcf->trailers == NULL) { > + return NGX_CONF_ERROR; > + } > + } > + > + hv = ngx_array_push(hcf->trailers); > + if (hv == NULL) { > + return NGX_CONF_ERROR; > + } [...] It looks like the ngx_http_headers_add_trailer() function is almost exact copy of the ngx_http_headers_add(). It might worth to use single function to handle both directives. diff --git a/src/http/modules/ngx_http_headers_filter_module.c b/src/http/modules/ngx_http_headers_filter_module.c --- a/src/http/modules/ngx_http_headers_filter_module.c +++ b/src/http/modules/ngx_http_headers_filter_module.c @@ -73,8 +73,6 @@ static char *ngx_http_headers_expires(ng void *conf); static char *ngx_http_headers_add(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); -static char *ngx_http_headers_add_trailer(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); static ngx_http_set_header_t ngx_http_set_headers[] = { @@ -108,15 +106,15 @@ static ngx_command_t ngx_http_headers_f |NGX_CONF_TAKE23, ngx_http_headers_add, NGX_HTTP_LOC_CONF_OFFSET, - 0, + offsetof(ngx_http_headers_conf_t, headers), NULL }, { ngx_string("add_trailer"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF |NGX_CONF_TAKE23, - ngx_http_headers_add_trailer, + ngx_http_headers_add, NGX_HTTP_LOC_CONF_OFFSET, - 0, + offsetof(ngx_http_headers_conf_t, trailers), NULL }, ngx_null_command @@ -231,10 +229,8 @@ ngx_http_headers_filter(ngx_http_request continue; } - if (h[i].value.value.len) { - r->expect_trailers = 1; - break; - } + r->expect_trailers = 1; + break; } } @@ -791,42 +787,49 @@ ngx_http_headers_add(ngx_conf_t *cf, ngx { ngx_http_headers_conf_t *hcf = conf; - ngx_str_t *value; - ngx_uint_t i; - ngx_http_header_val_t *hv; - ngx_http_set_header_t *set; - ngx_http_compile_complex_value_t ccv; + ngx_str_t *value; + ngx_uint_t i; + ngx_array_t **headers; + ngx_http_header_val_t *hv; + ngx_http_set_header_t *set; + ngx_http_compile_complex_value_t ccv; value = cf->args->elts; - if (hcf->headers == NULL) { - hcf->headers = ngx_array_create(cf->pool, 1, - sizeof(ngx_http_header_val_t)); - if (hcf->headers == NULL) { + headers = (ngx_array_t **) ((char *) hcf + cmd->offset); + + if (*headers == NULL) { + *headers = ngx_array_create(cf->pool, 1, + sizeof(ngx_http_header_val_t)); + if (*headers == NULL) { return NGX_CONF_ERROR; } } - hv = ngx_array_push(hcf->headers); + hv = ngx_array_push(*headers); if (hv == NULL) { return NGX_CONF_ERROR; } hv->key = value[1]; - hv->handler = ngx_http_add_header; + hv->handler = NULL; hv->offset = 0; hv->always = 0; - set = ngx_http_set_headers; - for (i = 0; set[i].name.len; i++) { - if (ngx_strcasecmp(value[1].data, set[i].name.data) != 0) { - continue; + if (headers == &hcf->headers) { + hv->handler = ngx_http_add_header; + + set = ngx_http_set_headers; + for (i = 0; set[i].name.len; i++) { + if (ngx_strcasecmp(value[1].data, set[i].name.data) != 0) { + continue; + } + + hv->offset = set[i].offset; + hv->handler = set[i].handler; + + break; } - - hv->offset = set[i].offset; - hv->handler = set[i].handler; - - break; } if (value[2].len == 0) { @@ -858,63 +861,3 @@ ngx_http_headers_add(ngx_conf_t *cf, ngx return NGX_CONF_OK; } - - -static char * -ngx_http_headers_add_trailer(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) -{ - ngx_http_headers_conf_t *hcf = conf; - - ngx_str_t *value; - ngx_http_header_val_t *hv; - ngx_http_compile_complex_value_t ccv; - - value = cf->args->elts; - - if (hcf->trailers == NULL) { - hcf->trailers = ngx_array_create(cf->pool, 1, - sizeof(ngx_http_header_val_t)); - if (hcf->trailers == NULL) { - return NGX_CONF_ERROR; - } - } - - hv = ngx_array_push(hcf->trailers); - if (hv == NULL) { - return NGX_CONF_ERROR; - } - - hv->key = value[1]; - hv->handler = NULL; - hv->offset = 0; - hv->always = 0; - - if (value[2].len == 0) { - ngx_memzero(&hv->value, sizeof(ngx_http_complex_value_t)); - - } else { - ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t)); - - ccv.cf = cf; - ccv.value = &value[2]; - ccv.complex_value = &hv->value; - - if (ngx_http_compile_complex_value(&ccv) != NGX_OK) { - return NGX_CONF_ERROR; - } - } - - if (cf->args->nelts == 3) { - return NGX_CONF_OK; - } - - if (ngx_strcmp(value[3].data, "always") != 0) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid parameter \"%V\"", &value[3]); - return NGX_CONF_ERROR; - } - - hv->always = 1; - - return NGX_CONF_OK; -} -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Jun 5 18:00:47 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 5 Jun 2017 21:00:47 +0300 Subject: [PATCH 2 of 3] HTTP/2: added support for trailers in HTTP responses In-Reply-To: <8d74ff6c2015180f5c1f.1496460826@piotrsikora.sfo.corp.google.com> References: <8d74ff6c2015180f5c1f.1496460826@piotrsikora.sfo.corp.google.com> Message-ID: <20170605180047.GA55433@mdounin.ru> Hello! On Fri, Jun 02, 2017 at 08:33:46PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1493191954 25200 > # Wed Apr 26 00:32:34 2017 -0700 > # Node ID 8d74ff6c2015180f5c1f399f492214d7d0a52b3f > # Parent 41c09a2fd90410e25ad8515793bd48028001c954 > HTTP/2: added support for trailers in HTTP responses. > > Signed-off-by: Piotr Sikora I've asked Valentin to look into this part. Hopefully he'll be able to do so in a couple of days. [...] -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Jun 5 18:39:45 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 5 Jun 2017 21:39:45 +0300 Subject: PSK Support In-Reply-To: <145451D4E6785E4DA4DFA353A58CB7B2015E15C57F@OLAWPA-EXMB04.ad.garmin.com> References: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7E3@OLAWPA-EXMB04.ad.garmin.com> <20170605130916.GX55433@mdounin.ru> <145451D4E6785E4DA4DFA353A58CB7B2015E15C57F@OLAWPA-EXMB04.ad.garmin.com> Message-ID: <20170605183944.GB55433@mdounin.ru> Hello! On Mon, Jun 05, 2017 at 02:08:15PM +0000, Karstens, Nate wrote: > Maxim, > > Thanks for the reply. I understand your concerns about PSK. We > discussed it quite a bit, but ultimately decided that a PKI was > not practical for our environment. We have to rely on the end > user to configure security and any solution using PKI would be > so difficult to work with that they just wouldn't bother with > security at all. Ok, understood. I think that PSK can be a reasonable alternative to using plain http in many cases. > I considered some alternatives on the "ssl_nocert" option. My > preference would have been to analyze the supported cipher > suites (from "ssl_ciphers") and determine if any include a PSK, > but it does not look like OpenSSL exposes APIs to accomplish > this. By default, nginx uses "HIGH:!aNULL:!MD5" as ciphers list, and this includes various PSK ciphers as well, so this approach doesn't look working even if there were appropriate APIs. > Using a dummy certificate seemed more complicated than the > other two suggestions you had (using "ssl_certificate" with a > value of "off" or disabling the tests if there are PSK secrets), > so I'd prefer one of those two. What is your preference? Using a dummy certificate has an obvious benefit of not requiring any changes to the code, and might actually be a good starting option. Disabling the tests with PSK secrets might not work as expected when they are defined at the http{} level. Using "ssl_certificate off" is obviously most explicit of all options, but I would rather consider a dummy certificate instead for now, as long as there are no other downsides. > One advantage of the PSK path concept is that it provides a lot > of flexibility. It allows, for example, multiple applications to > each independently manage their own PSKs without the need to > coordinate changes to a single file (note that in this scenario > each application would want to use $ssl_psk_identity to check > the key). On the one hand, it is a plus. On the other - it is a nightmare when something goes wrong. I would rather avoid such approach. > stunnel uses a single file and seems to assume that > keys will be ASCII strings. Its format, for example, would not > allow NUL to appear in the string, as that would terminate the > key early and, at best, lead to a reduced key size. Yes, and stunnel author considers this to be a feature, see https://www.stunnel.org/pipermail/stunnel-users/2015-October/005275.html. If you are targeting end-users, it might be actually easier to use sufficiently long printable keys then arbitrary binary strings. > I might be mistaken, but wouldn't changing a certificate also > require reloading the configuration? Do you have some ideas on > how this could be done without requiring a reload? Yes, changing a certificate requires a reload. But the "path" concept is generally used in SSL where appropriate filesystem lookups are done on the fly, in contrast to loading a file into memory and then working with the data from memory. Consider "openssl verify -CApath" vs. "openssl verify -CAfile". Additionally, PSK keys look much more dynamic than certificates, as adding a user requires configuration changes. With PKI, you don't need any certificate changes on the server to add a user. With PSK, you have to add a key to introduce a new user. Overall, PSK seems to be very close to basic authentication, and it might worth looking how it is implemented in the auth_basic module (in short: the password file is searched on each request). -- Maxim Dounin http://nginx.org/ From piotrsikora at google.com Tue Jun 6 04:56:03 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Mon, 5 Jun 2017 21:56:03 -0700 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses In-Reply-To: <20170605162940.GY55433@mdounin.ru> References: <41c09a2fd90410e25ad8.1496460825@piotrsikora.sfo.corp.google.com> <20170605162940.GY55433@mdounin.ru> Message-ID: Hey Maxim, > I would prefer to preserve the typical code path (when there are no > trailers) without an extra allocation. It looks like it would be > as trivail as: > > @@ -273,14 +273,18 @@ ngx_http_chunked_create_trailers(ngx_htt > b->memory = 1; > b->last_buf = 1; > > + if (len == sizeof(CRLF "0" CRLF CRLF) - 1) { > + b->pos = (u_char *) CRLF "0" CRLF CRLF; > + b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; > + return cl; > + } Sounds good, but the if statement reads a bit weird. What about this instead, even though it might be a bit more expensive? @@ -236,7 +236,7 @@ ngx_http_chunked_create_trailers(ngx_http_request_t *r, ngx_list_part_t *part; ngx_table_elt_t *header; - len = sizeof(CRLF "0" CRLF CRLF) - 1; + len = 0; part = &r->headers_out.trailers.part; header = part->elts; @@ -273,12 +273,14 @@ ngx_http_chunked_create_trailers(ngx_http_request_t *r, b->memory = 1; b->last_buf = 1; - if (len == sizeof(CRLF "0" CRLF CRLF) - 1) { + if (len == 0) { b->pos = (u_char *) CRLF "0" CRLF CRLF; b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; return cl; } + len += sizeof(CRLF "0" CRLF CRLF) - 1; + b->pos = ngx_palloc(r->pool, len); if (b->pos == NULL) { return NULL; Best regards, Piotr Sikora From piotrsikora at google.com Tue Jun 6 04:59:45 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Mon, 5 Jun 2017 21:59:45 -0700 Subject: [PATCH 3 of 3] Headers filter: added "add_trailer" directive In-Reply-To: <20170605175245.GZ55433@mdounin.ru> References: <20170605175245.GZ55433@mdounin.ru> Message-ID: Hey Maxim, > It doesn't look like "if (h[i].value.value.len)" is needed here. > It is either true, or the "add_trailer" directive is nop and we > already know this while parsing the configuration. > > - if (h[i].value.value.len) { > - r->expect_trailers = 1; > - break; > - } > + r->expect_trailers = 1; > + break; Well, both "add_header" and "add_trailer" allow setting something like: add_trailer Empty ""; which will get added to headers / trailers list. I've added this extra check to avoid forcing chunked encoding with such configuration. Maybe we should reject it during configuration instead, or ignore this case and let it force chunked encoding? Which one do you prefer? Best regards, Piotr Sikora From maxim at nginx.com Tue Jun 6 07:26:12 2017 From: maxim at nginx.com (Maxim Konovalov) Date: Tue, 6 Jun 2017 10:26:12 +0300 Subject: [PATCH 2 of 3] HTTP/2: added support for trailers in HTTP responses In-Reply-To: <20170605180047.GA55433@mdounin.ru> References: <8d74ff6c2015180f5c1f.1496460826@piotrsikora.sfo.corp.google.com> <20170605180047.GA55433@mdounin.ru> Message-ID: <7b105922-9797-1cf2-9fc4-882f7a0591c9@nginx.com> On 05/06/2017 21:00, Maxim Dounin wrote: > Hello! > > On Fri, Jun 02, 2017 at 08:33:46PM -0700, Piotr Sikora via nginx-devel wrote: > >> # HG changeset patch >> # User Piotr Sikora >> # Date 1493191954 25200 >> # Wed Apr 26 00:32:34 2017 -0700 >> # Node ID 8d74ff6c2015180f5c1f399f492214d7d0a52b3f >> # Parent 41c09a2fd90410e25ad8515793bd48028001c954 >> HTTP/2: added support for trailers in HTTP responses. >> >> Signed-off-by: Piotr Sikora > > I've asked Valentin to look into this part. Hopefully he'll be > able to do so in a couple of days. > > [...] > To be precise and to avoid confusion: Valentin is on the conf today so expect his feedback this week. -- Maxim Konovalov From orgads at gmail.com Tue Jun 6 10:57:39 2017 From: orgads at gmail.com (Orgad Shaneh) Date: Tue, 6 Jun 2017 13:57:39 +0300 Subject: [PATCH] Fix compilation on MinGW64 Message-ID: I already proposed a similar patch (without MSYS) on November, but it was unnoticed since then. --- auto/configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto/configure b/auto/configure index ceff15e4..107c2b5f 100755 --- a/auto/configure +++ b/auto/configure @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; case "$NGX_SYSTEM" in - MINGW32_*) + MINGW32_*|MINGW64_*|MSYS_*) NGX_PLATFORM=win32 ;; esac -- 2.13.0.windows.1.7.g80a6209eb5 From orgads at gmail.com Tue Jun 6 10:58:17 2017 From: orgads at gmail.com (Orgad Shaneh) Date: Tue, 6 Jun 2017 13:58:17 +0300 Subject: [PATCH] Use .exe for binaries for all win32 compilers Message-ID: --- auto/cc/conf | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/auto/cc/conf b/auto/cc/conf index afbca62b..19a231aa 100644 --- a/auto/cc/conf +++ b/auto/cc/conf @@ -144,7 +144,9 @@ fi CFLAGS="$CFLAGS $NGX_CC_OPT" NGX_TEST_LD_OPT="$NGX_LD_OPT" -if [ "$NGX_PLATFORM" != win32 ]; then +if [ "$NGX_PLATFORM" = win32 ]; then + ngx_binext=".exe" +else if test -n "$NGX_LD_OPT"; then ngx_feature=--with-ld-opt=\"$NGX_LD_OPT\" -- 2.13.0.windows.1.7.g80a6209eb5 From mdounin at mdounin.ru Tue Jun 6 12:25:54 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 6 Jun 2017 15:25:54 +0300 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses In-Reply-To: References: <41c09a2fd90410e25ad8.1496460825@piotrsikora.sfo.corp.google.com> <20170605162940.GY55433@mdounin.ru> Message-ID: <20170606122554.GD55433@mdounin.ru> Hello! On Mon, Jun 05, 2017 at 09:56:03PM -0700, Piotr Sikora via nginx-devel wrote: > Hey Maxim, > > > I would prefer to preserve the typical code path (when there are no > > trailers) without an extra allocation. It looks like it would be > > as trivail as: > > > > @@ -273,14 +273,18 @@ ngx_http_chunked_create_trailers(ngx_htt > > b->memory = 1; > > b->last_buf = 1; > > > > + if (len == sizeof(CRLF "0" CRLF CRLF) - 1) { > > + b->pos = (u_char *) CRLF "0" CRLF CRLF; > > + b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; > > + return cl; > > + } > > Sounds good, but the if statement reads a bit weird. > > What about this instead, even though it might be a bit more expensive? > > @@ -236,7 +236,7 @@ ngx_http_chunked_create_trailers(ngx_http_request_t *r, > ngx_list_part_t *part; > ngx_table_elt_t *header; > > - len = sizeof(CRLF "0" CRLF CRLF) - 1; > + len = 0; > > part = &r->headers_out.trailers.part; > header = part->elts; > @@ -273,12 +273,14 @@ ngx_http_chunked_create_trailers(ngx_http_request_t *r, > b->memory = 1; > b->last_buf = 1; > > - if (len == sizeof(CRLF "0" CRLF CRLF) - 1) { > + if (len == 0) { > b->pos = (u_char *) CRLF "0" CRLF CRLF; > b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; > return cl; > } > > + len += sizeof(CRLF "0" CRLF CRLF) - 1; > + > b->pos = ngx_palloc(r->pool, len); > if (b->pos == NULL) { > return NULL; I've tried this as well, and decided that "if (len == sizeof(...))" is slightly more readable, and also produces smaller patch to your code. No strict preference though, feel free to use any variant you think is better. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Jun 6 12:35:30 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 6 Jun 2017 15:35:30 +0300 Subject: [PATCH 3 of 3] Headers filter: added "add_trailer" directive In-Reply-To: References: <20170605175245.GZ55433@mdounin.ru> Message-ID: <20170606123530.GE55433@mdounin.ru> Hello! On Mon, Jun 05, 2017 at 09:59:45PM -0700, Piotr Sikora via nginx-devel wrote: > Hey Maxim, > > > It doesn't look like "if (h[i].value.value.len)" is needed here. > > It is either true, or the "add_trailer" directive is nop and we > > already know this while parsing the configuration. > > > > - if (h[i].value.value.len) { > > - r->expect_trailers = 1; > > - break; > > - } > > + r->expect_trailers = 1; > > + break; > > Well, both "add_header" and "add_trailer" allow setting something like: > > add_trailer Empty ""; > > which will get added to headers / trailers list. > > I've added this extra check to avoid forcing chunked encoding with > such configuration. > > Maybe we should reject it during configuration instead, or ignore this > case and let it force chunked encoding? Which one do you prefer? I think it is perfectly ok to ignore this and let if force chunked encoding (and this is what the suggested change does). -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Jun 6 14:11:39 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 6 Jun 2017 17:11:39 +0300 Subject: [PATCH] Fix compilation on MinGW64 In-Reply-To: References: Message-ID: <20170606141139.GI55433@mdounin.ru> Hello! On Tue, Jun 06, 2017 at 01:57:39PM +0300, Orgad Shaneh wrote: > I already proposed a similar patch (without MSYS) on November, but it > was unnoticed since then. > --- > auto/configure | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/auto/configure b/auto/configure > index ceff15e4..107c2b5f 100755 > --- a/auto/configure > +++ b/auto/configure > @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then > NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; > > case "$NGX_SYSTEM" in > - MINGW32_*) > + MINGW32_*|MINGW64_*|MSYS_*) > NGX_PLATFORM=win32 > ;; > esac > -- > 2.13.0.windows.1.7.g80a6209eb5 A review of your previous patch can be found here: http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009233.html It still applies. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Jun 6 14:12:29 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 6 Jun 2017 17:12:29 +0300 Subject: [PATCH] Use .exe for binaries for all win32 compilers In-Reply-To: References: Message-ID: <20170606141229.GJ55433@mdounin.ru> Hello! On Tue, Jun 06, 2017 at 01:58:17PM +0300, Orgad Shaneh wrote: > --- > auto/cc/conf | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/auto/cc/conf b/auto/cc/conf > index afbca62b..19a231aa 100644 > --- a/auto/cc/conf > +++ b/auto/cc/conf > @@ -144,7 +144,9 @@ fi > CFLAGS="$CFLAGS $NGX_CC_OPT" > NGX_TEST_LD_OPT="$NGX_LD_OPT" > > -if [ "$NGX_PLATFORM" != win32 ]; then > +if [ "$NGX_PLATFORM" = win32 ]; then > + ngx_binext=".exe" > +else > > if test -n "$NGX_LD_OPT"; then > ngx_feature=--with-ld-opt=\"$NGX_LD_OPT\" > -- > 2.13.0.windows.1.7.g80a6209eb5 http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009234.html -- Maxim Dounin http://nginx.org/ From orgads at gmail.com Tue Jun 6 14:47:54 2017 From: orgads at gmail.com (Orgad Shaneh) Date: Tue, 6 Jun 2017 17:47:54 +0300 Subject: [PATCH] Configure: Fix compilation on MSYS2 / MinGW64 Message-ID: --- auto/configure | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/auto/configure b/auto/configure index ceff15e4..107c2b5f 100755 --- a/auto/configure +++ b/auto/configure @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; case "$NGX_SYSTEM" in - MINGW32_*) + MINGW32_*|MINGW64_*|MSYS_*) NGX_PLATFORM=win32 ;; esac -- 2.13.0.windows.1.7.g80a6209eb5 From orgads at gmail.com Tue Jun 6 14:48:39 2017 From: orgads at gmail.com (Orgad Shaneh) Date: Tue, 6 Jun 2017 17:48:39 +0300 Subject: [PATCH] Fix compilation on MinGW64 In-Reply-To: <20170606141139.GI55433@mdounin.ru> References: <20170606141139.GI55433@mdounin.ru> Message-ID: On Tue, Jun 6, 2017 at 5:11 PM, Maxim Dounin wrote: > Hello! > > On Tue, Jun 06, 2017 at 01:57:39PM +0300, Orgad Shaneh wrote: > >> I already proposed a similar patch (without MSYS) on November, but it >> was unnoticed since then. >> --- >> auto/configure | 2 +- >> 1 file changed, 1 insertion(+), 1 deletion(-) >> >> diff --git a/auto/configure b/auto/configure >> index ceff15e4..107c2b5f 100755 >> --- a/auto/configure >> +++ b/auto/configure >> @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then >> NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; >> >> case "$NGX_SYSTEM" in >> - MINGW32_*) >> + MINGW32_*|MINGW64_*|MSYS_*) >> NGX_PLATFORM=win32 >> ;; >> esac >> -- >> 2.13.0.windows.1.7.g80a6209eb5 > > A review of your previous patch can be found here: > > http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009233.html > > It still applies. > > -- > Maxim Dounin > http://nginx.org/ > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel Thanks. I wasn't aware that I should stay subscribed to receive replies. Posted a fixed patch (using Git, I hope you don't mind). - Orgad From orgads at gmail.com Tue Jun 6 14:54:01 2017 From: orgads at gmail.com (Orgad Shaneh) Date: Tue, 6 Jun 2017 17:54:01 +0300 Subject: [PATCH] Use .exe for binaries for all win32 compilers In-Reply-To: <20170606141229.GJ55433@mdounin.ru> References: <20170606141229.GJ55433@mdounin.ru> Message-ID: > http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009234.html Thanks. It is needed with MSYS2 / gcc. Proposing a new patch: --- auto/cc/bcc | 1 - auto/cc/conf | 7 ++++++- auto/cc/msvc | 1 - auto/cc/owc | 1 - 4 files changed, 6 insertions(+), 4 deletions(-) diff --git a/auto/cc/bcc b/auto/cc/bcc index ec82e60f..e990a9f7 100644 --- a/auto/cc/bcc +++ b/auto/cc/bcc @@ -62,7 +62,6 @@ ngx_include_opt="-I" ngx_objout="-o" ngx_binout="-e" ngx_objext="obj" -ngx_binext=".exe" ngx_long_start='@&&| ' diff --git a/auto/cc/conf b/auto/cc/conf index afbca62b..7e1186b5 100644 --- a/auto/cc/conf +++ b/auto/cc/conf @@ -14,9 +14,14 @@ ngx_pic_opt="-fPIC" ngx_objout="-o " ngx_binout="-o " ngx_objext="o" -ngx_binext= ngx_modext=".so" +if [ "$NGX_PLATFORM" = win32 ]; then + ngx_binext=".exe" +else + ngx_binext= +fi + ngx_long_start= ngx_long_end= diff --git a/auto/cc/msvc b/auto/cc/msvc index 4eef1010..82572529 100644 --- a/auto/cc/msvc +++ b/auto/cc/msvc @@ -142,7 +142,6 @@ ngx_pic_opt= ngx_objout="-Fo" ngx_binout="-Fe" ngx_objext="obj" -ngx_binext=".exe" ngx_long_start='@<< ' diff --git a/auto/cc/owc b/auto/cc/owc index a063aa34..f7fd88c9 100644 --- a/auto/cc/owc +++ b/auto/cc/owc @@ -84,7 +84,6 @@ ngx_include_opt="-i=" ngx_objout="-fo" ngx_binout="-fe=" ngx_objext="obj" -ngx_binext=".exe" ngx_regex_dirsep='\\' ngx_dirsep="\\" -- 2.13.0.windows.1.7.g80a6209eb5 From mdounin at mdounin.ru Tue Jun 6 16:51:57 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 6 Jun 2017 19:51:57 +0300 Subject: [PATCH] Fix compilation on MinGW64 In-Reply-To: References: <20170606141139.GI55433@mdounin.ru> Message-ID: <20170606165157.GK55433@mdounin.ru> Hello! On Tue, Jun 06, 2017 at 05:48:39PM +0300, Orgad Shaneh wrote: > On Tue, Jun 6, 2017 at 5:11 PM, Maxim Dounin wrote: > > Hello! > > > > On Tue, Jun 06, 2017 at 01:57:39PM +0300, Orgad Shaneh wrote: > > > >> I already proposed a similar patch (without MSYS) on November, but it > >> was unnoticed since then. > >> --- > >> auto/configure | 2 +- > >> 1 file changed, 1 insertion(+), 1 deletion(-) > >> > >> diff --git a/auto/configure b/auto/configure > >> index ceff15e4..107c2b5f 100755 > >> --- a/auto/configure > >> +++ b/auto/configure > >> @@ -36,7 +36,7 @@ if test -z "$NGX_PLATFORM"; then > >> NGX_PLATFORM="$NGX_SYSTEM:$NGX_RELEASE:$NGX_MACHINE"; > >> > >> case "$NGX_SYSTEM" in > >> - MINGW32_*) > >> + MINGW32_*|MINGW64_*|MSYS_*) > >> NGX_PLATFORM=win32 > >> ;; > >> esac > >> -- > >> 2.13.0.windows.1.7.g80a6209eb5 > > > > A review of your previous patch can be found here: > > > > http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009233.html > > > > It still applies. > > > > -- > > Maxim Dounin > > http://nginx.org/ > > _______________________________________________ > > nginx-devel mailing list > > nginx-devel at nginx.org > > http://mailman.nginx.org/mailman/listinfo/nginx-devel > > Thanks. I wasn't aware that I should stay subscribed to receive replies. You can unsubscribe and/or switch to write-only mode, but unless you've used Mail-Followup-To in your messages there will be no direct replies. > Posted a fixed patch (using Git, I hope you don't mind). Mercurial is really preferred, though I was able to import this particular patch. Queued with a couple of style fixes you've missed, thanks. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Tue Jun 6 17:09:52 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 6 Jun 2017 20:09:52 +0300 Subject: [PATCH] Use .exe for binaries for all win32 compilers In-Reply-To: References: <20170606141229.GJ55433@mdounin.ru> Message-ID: <20170606170952.GL55433@mdounin.ru> Hello! On Tue, Jun 06, 2017 at 05:54:01PM +0300, Orgad Shaneh wrote: > > http://mailman.nginx.org/pipermail/nginx-devel/2016-December/009234.html > > Thanks. It is needed with MSYS2 / gcc. Proposing a new patch: > > --- > auto/cc/bcc | 1 - > auto/cc/conf | 7 ++++++- > auto/cc/msvc | 1 - > auto/cc/owc | 1 - > 4 files changed, 6 insertions(+), 4 deletions(-) > > diff --git a/auto/cc/bcc b/auto/cc/bcc > index ec82e60f..e990a9f7 100644 > --- a/auto/cc/bcc > +++ b/auto/cc/bcc > @@ -62,7 +62,6 @@ ngx_include_opt="-I" > ngx_objout="-o" > ngx_binout="-e" > ngx_objext="obj" > -ngx_binext=".exe" > > ngx_long_start='@&&| > ' > diff --git a/auto/cc/conf b/auto/cc/conf > index afbca62b..7e1186b5 100644 > --- a/auto/cc/conf > +++ b/auto/cc/conf > @@ -14,9 +14,14 @@ ngx_pic_opt="-fPIC" > ngx_objout="-o " > ngx_binout="-o " > ngx_objext="o" > -ngx_binext= > ngx_modext=".so" > > +if [ "$NGX_PLATFORM" = win32 ]; then > + ngx_binext=".exe" > +else > + ngx_binext= > +fi > + > ngx_long_start= > ngx_long_end= > Looking more at this I tend to think that a better place would be to redefine it in auto/os/win32, like this: diff --git a/auto/os/win32 b/auto/os/win32 --- a/auto/os/win32 +++ b/auto/os/win32 @@ -13,6 +13,7 @@ NGX_ICONS="$NGX_WIN32_ICONS" SELECT_SRCS=$WIN32_SELECT_SRCS ngx_pic_opt= +ngx_binext=".exe" case "$NGX_CC_NAME" in Full patch modified accordingly provided below. Please test if it works for you. # HG changeset patch # User Orgad Shaneh # Date 1496767054 -10800 # Tue Jun 06 19:37:34 2017 +0300 # Node ID 6c9b1238cf5c99ffc5a8a449ce738606e312350e # Parent 23bea7aaebe287722ec5b5252e145da55d7906a9 Configure: use .exe for binaries for all win32 compilers. diff --git a/auto/cc/bcc b/auto/cc/bcc --- a/auto/cc/bcc +++ b/auto/cc/bcc @@ -62,7 +62,6 @@ ngx_include_opt="-I" ngx_objout="-o" ngx_binout="-e" ngx_objext="obj" -ngx_binext=".exe" ngx_long_start='@&&| ' diff --git a/auto/cc/msvc b/auto/cc/msvc --- a/auto/cc/msvc +++ b/auto/cc/msvc @@ -142,7 +142,6 @@ ngx_pic_opt= ngx_objout="-Fo" ngx_binout="-Fe" ngx_objext="obj" -ngx_binext=".exe" ngx_long_start='@<< ' diff --git a/auto/cc/owc b/auto/cc/owc --- a/auto/cc/owc +++ b/auto/cc/owc @@ -84,7 +84,6 @@ ngx_include_opt="-i=" ngx_objout="-fo" ngx_binout="-fe=" ngx_objext="obj" -ngx_binext=".exe" ngx_regex_dirsep='\\' ngx_dirsep="\\" diff --git a/auto/os/win32 b/auto/os/win32 --- a/auto/os/win32 +++ b/auto/os/win32 @@ -13,6 +13,7 @@ NGX_ICONS="$NGX_WIN32_ICONS" SELECT_SRCS=$WIN32_SELECT_SRCS ngx_pic_opt= +ngx_binext=".exe" case "$NGX_CC_NAME" in -- Maxim Dounin http://nginx.org/ From Nate.Karstens at garmin.com Wed Jun 7 05:02:52 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Wed, 7 Jun 2017 05:02:52 +0000 Subject: PSK Support In-Reply-To: <20170605183944.GB55433@mdounin.ru> References: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7E3@OLAWPA-EXMB04.ad.garmin.com> <20170605130916.GX55433@mdounin.ru> <145451D4E6785E4DA4DFA353A58CB7B2015E15C57F@OLAWPA-EXMB04.ad.garmin.com> <20170605183944.GB55433@mdounin.ru> Message-ID: <145451D4E6785E4DA4DFA353A58CB7B2015E15CE05@OLAWPA-EXMB04.ad.garmin.com> Maxim, The biggest downside that I can see to the dummy certificate approach is documentation. Using a dummy certificate wasn't immediately obvious to me, though perhaps my familiarity with OpenSSL's "nocert" option may have affected that. Which do you think would be easier for the user to find in the documentation: 1) a description of the dummy certificate approach under the "ssl_certificate" directive, 2) a separate directive ("ssl_nocert"), or 3) an explicit option to the "ssl_certificate" directive (e.g., " Syntax: ssl_certificate file | off;")? I'm OK with changing it to read from a password file (formatted in a manner similar to stunnel) that is searched as needed (an "ssl_psk_file" directive). Would it be OK to support multiple files and stipulate that files are searched in the order that they are included in nginx.conf? Can we support both ASCII and binary PSKs? RFC 4279 section 5.4 seems to require both types, and I need binary keys for my application :). Maybe a parameter to the "ssl_psk_file" directive could indicate how the PSKs are stored in the file? Thanks, Nate -----Original Message----- From: nginx-devel [mailto:nginx-devel-bounces at nginx.org] On Behalf Of Maxim Dounin Sent: Monday, June 05, 2017 1:40 PM To: nginx-devel at nginx.org Subject: Re: PSK Support Hello! On Mon, Jun 05, 2017 at 02:08:15PM +0000, Karstens, Nate wrote: > Maxim, > > Thanks for the reply. I understand your concerns about PSK. We > discussed it quite a bit, but ultimately decided that a PKI was not > practical for our environment. We have to rely on the end user to > configure security and any solution using PKI would be so difficult to > work with that they just wouldn't bother with security at all. Ok, understood. I think that PSK can be a reasonable alternative to using plain http in many cases. > I considered some alternatives on the "ssl_nocert" option. My > preference would have been to analyze the supported cipher suites > (from "ssl_ciphers") and determine if any include a PSK, but it does > not look like OpenSSL exposes APIs to accomplish this. By default, nginx uses "HIGH:!aNULL:!MD5" as ciphers list, and this includes various PSK ciphers as well, so this approach doesn't look working even if there were appropriate APIs. > Using a dummy certificate seemed more complicated than the other two > suggestions you had (using "ssl_certificate" with a value of "off" or > disabling the tests if there are PSK secrets), so I'd prefer one of > those two. What is your preference? Using a dummy certificate has an obvious benefit of not requiring any changes to the code, and might actually be a good starting option. Disabling the tests with PSK secrets might not work as expected when they are defined at the http{} level. Using "ssl_certificate off" is obviously most explicit of all options, but I would rather consider a dummy certificate instead for now, as long as there are no other downsides. > One advantage of the PSK path concept is that it provides a lot of > flexibility. It allows, for example, multiple applications to each > independently manage their own PSKs without the need to coordinate > changes to a single file (note that in this scenario each application > would want to use $ssl_psk_identity to check the key). On the one hand, it is a plus. On the other - it is a nightmare when something goes wrong. I would rather avoid such approach. > stunnel uses a single file and seems to assume that keys will be ASCII > strings. Its format, for example, would not allow NUL to appear in the > string, as that would terminate the key early and, at best, lead to a > reduced key size. Yes, and stunnel author considers this to be a feature, see https://www.stunnel.org/pipermail/stunnel-users/2015-October/005275.html. If you are targeting end-users, it might be actually easier to use sufficiently long printable keys then arbitrary binary strings. > I might be mistaken, but wouldn't changing a certificate also require > reloading the configuration? Do you have some ideas on how this could > be done without requiring a reload? Yes, changing a certificate requires a reload. But the "path" concept is generally used in SSL where appropriate filesystem lookups are done on the fly, in contrast to loading a file into memory and then working with the data from memory. Consider "openssl verify -CApath" vs. "openssl verify -CAfile". Additionally, PSK keys look much more dynamic than certificates, as adding a user requires configuration changes. With PKI, you don't need any certificate changes on the server to add a user. With PSK, you have to add a key to introduce a new user. Overall, PSK seems to be very close to basic authentication, and it might worth looking how it is implemented in the auth_basic module (in short: the password file is searched on each request). -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From tommy.lindgren at gmail.com Wed Jun 7 10:38:59 2017 From: tommy.lindgren at gmail.com (Tommy Lindgren) Date: Wed, 07 Jun 2017 18:38:59 +0800 Subject: Implement support for serving growing files Message-ID: <149683193947.29398.17315132378386264450@argon> Hi, I want nginx to serve growing files, i.e. if mtime was changed recently the response transfer-encoding should be chunked and when nginx hits EOF it waits a bit to see if more data is written to the file. Any new data is transparently written to the client. When file hasn't been updated for X seconds, the request is closed. As far as I can tell there's no such support. Any hints how to implement this? Can I solve this using a header/body filter module? Or I need some kind of streaming-ish module? Any existing module that is suitable to use as a starting point? Thanks, Tommy From xeioex at nginx.com Wed Jun 7 11:16:53 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Wed, 07 Jun 2017 11:16:53 +0000 Subject: [njs] Object.keys() method. Message-ID: details: http://hg.nginx.org/njs/rev/fb703c8f4292 branches: changeset: 352:fb703c8f4292 user: Dmitry Volyntsev date: Wed Jun 07 14:12:23 2017 +0300 description: Object.keys() method. diffstat: njs/njs_object.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++ njs/njs_vm.h | 13 ++++++ njs/test/njs_unit_test.c | 19 ++++++++ 3 files changed, 133 insertions(+), 0 deletions(-) diffs (178 lines): diff -r 02a59fe82c7a -r fb703c8f4292 njs/njs_object.c --- a/njs/njs_object.c Mon Jun 05 14:59:28 2017 +0300 +++ b/njs/njs_object.c Wed Jun 07 14:12:23 2017 +0300 @@ -19,7 +19,9 @@ #include #include #include +#include #include +#include #include @@ -318,6 +320,97 @@ njs_object_create(njs_vm_t *vm, njs_valu } +static njs_ret_t +njs_object_keys(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, + njs_index_t unused) +{ + size_t size; + uint32_t i, n, keys_length, array_length; + njs_value_t *value; + njs_array_t *keys, *array; + nxt_lvlhsh_t *hash; + njs_object_prop_t *prop; + nxt_lvlhsh_each_t lhe; + + if (nargs < 2 || !njs_is_object(&args[1])) { + vm->exception = &njs_exception_type_error; + return NXT_ERROR; + } + + keys_length = 0; + array_length = 0; + + if (njs_is_array(&args[1])) { + array = args[1].data.u.array; + array_length = array->length; + + for (i = 0; i < array_length; i++) { + if (njs_is_valid(&array->start[i])) { + keys_length++; + } + } + } + + memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); + lhe.proto = &njs_object_hash_proto; + + hash = &args[1].data.u.object->hash; + + for ( ;; ) { + prop = nxt_lvlhsh_each(hash, &lhe); + + if (prop == NULL) { + break; + } + + if (prop->enumerable) { + keys_length++; + } + } + + keys = njs_array_alloc(vm, keys_length, NJS_ARRAY_SPARE); + if (nxt_slow_path(keys == NULL)) { + return NXT_ERROR; + } + + n = 0; + + for (i = 0; i < array_length; i++) { + if (njs_is_valid(&array->start[i])) { + value = &keys->start[n++]; + /* + * The maximum array index is 4294967294, so + * it can be stored as a short string inside value. + */ + size = snprintf((char *) njs_string_short_start(value), + NJS_STRING_SHORT, "%u", i); + njs_string_short_set(value, size, size); + } + } + + memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); + lhe.proto = &njs_object_hash_proto; + + for ( ;; ) { + prop = nxt_lvlhsh_each(hash, &lhe); + + if (prop == NULL) { + break; + } + + if (prop->enumerable) { + njs_string_copy(&keys->start[n++], &prop->name); + } + } + + vm->retval.data.u.array = keys; + vm->retval.type = NJS_ARRAY; + vm->retval.data.truth = 1; + + return NXT_OK; +} + + /* * The __proto__ property of booleans, numbers and strings primitives, * of objects created by Boolean(), Number(), and String() constructors, @@ -456,6 +549,14 @@ static const njs_object_prop_t njs_obje .name = njs_string("create"), .value = njs_native_function(njs_object_create, 0, 0), }, + + /* Object.keys(). */ + { + .type = NJS_METHOD, + .name = njs_string("keys"), + .value = njs_native_function(njs_object_keys, 0, + NJS_SKIP_ARG, NJS_OBJECT_ARG), + }, }; diff -r 02a59fe82c7a -r fb703c8f4292 njs/njs_vm.h --- a/njs/njs_vm.h Mon Jun 05 14:59:28 2017 +0300 +++ b/njs/njs_vm.h Wed Jun 07 14:12:23 2017 +0300 @@ -408,6 +408,19 @@ typedef njs_ret_t (*njs_vmcode_operation #define njs_string_truth(value, size) +#define njs_string_short_start(value) \ + (value)->short_string.start + + +#define njs_string_short_set(value, _size, _length) \ + do { \ + (value)->type = NJS_STRING; \ + njs_string_truth(value, _size); \ + (value)->short_string.size = _size; \ + (value)->short_string.length = _length; \ + } while (0) + + #define njs_is_primitive(value) \ ((value)->type <= NJS_STRING) diff -r 02a59fe82c7a -r fb703c8f4292 njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Mon Jun 05 14:59:28 2017 +0300 +++ b/njs/test/njs_unit_test.c Wed Jun 07 14:12:23 2017 +0300 @@ -5843,6 +5843,25 @@ static njs_unit_test_t njs_test[] = { nxt_string("var o = Object.create(null); '__proto__' in o"), nxt_string("false") }, + { nxt_string("var o = {a:1, b:2, c:3};" + "Object.keys(o)"), + nxt_string("a,b,c") }, + + { nxt_string("var a = []; a.one = 7; Object.keys(a)"), + nxt_string("one") }, + + { nxt_string("var a = [,,]; a.one = 7; Object.keys(a)"), + nxt_string("one") }, + + { nxt_string("var a = [,6,,3]; a.one = 7; Object.keys(a)"), + nxt_string("1,3,one") }, + + { nxt_string("Object.keys('a')"), + nxt_string("TypeError") }, + + { nxt_string("Object.keys(1)"), + nxt_string("TypeError") }, + { nxt_string("var d = new Date(''); d +' '+ d.getTime()"), nxt_string("Invalid Date NaN") }, From xeioex at nginx.com Wed Jun 7 12:45:10 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Wed, 07 Jun 2017 12:45:10 +0000 Subject: [njs] Fixed building by GCC 4.2. Message-ID: details: http://hg.nginx.org/njs/rev/7196ac334d64 branches: changeset: 353:7196ac334d64 user: Dmitry Volyntsev date: Wed Jun 07 15:45:01 2017 +0300 description: Fixed building by GCC 4.2. diffstat: njs/njs_object.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (11 lines): diff -r fb703c8f4292 -r 7196ac334d64 njs/njs_object.c --- a/njs/njs_object.c Wed Jun 07 14:12:23 2017 +0300 +++ b/njs/njs_object.c Wed Jun 07 15:45:01 2017 +0300 @@ -337,6 +337,7 @@ njs_object_keys(njs_vm_t *vm, njs_value_ return NXT_ERROR; } + array = NULL; keys_length = 0; array_length = 0; From hucong.c at foxmail.com Wed Jun 7 14:00:26 2017 From: hucong.c at foxmail.com (=?utf-8?B?6IOh6IGqIChodWNjKQ==?=) Date: Wed, 7 Jun 2017 22:00:26 +0800 Subject: nginx development guide In-Reply-To: <93394254-72e9-35aa-4644-ff0d5d12f282@nginx.com> References: <20170213093825.GA27852@vlpc.nginx.com> <93394254-72e9-35aa-4644-ff0d5d12f282@nginx.com> Message-ID: Hello, There are two possible errors in http://nginx.org/en/docs/dev/development_guide.html#http_load_balancing >init(r, us) ? initializes per-request ngx_http_upstream_peer_t.peer (not to be confused with the >ngx_http_upstream_srv_conf_t.peer described above which is per-upstream) structure that is used >for load balancing. It will be passed as data argument to all callbacks that deal with server selection. Maybe is "initializes some fields (data, get, free, etc.) of per-request ngx_http_upstream_t.peer (...) " >When nginx has to pass a request to another host for processing, it uses a configured load balancing method >to obtain an address to connect to. The method is taken from the ngx_http_upstream_peer_t.peer object of >type ngx_peer_connection_t: It should be "The method is taken from the ngx_http_upstream_t.peer object of type ngx_peer_connection_t:" ------------------ Original ------------------ From: "Maxim Konovalov";; Date: Apr 20, 2017 To: "nginx-devel"; Subject: Re: nginx development guide Hello, On 13/02/2017 12:38, Vladimir Homutov wrote: > Hello all! > > We are glad to share with first results of our ongoing efforts to create > documentation for nginx developers: the development guide document [1]. > > The guide is not yet 100% complete and more parts to follow. > > Of course, your feedback is welcome. > > [1] http://nginx.org/en/docs/dev/development_guide.html We added a bunch of new content recently. Feedbacks/comments are welcome. -- Maxim Konovalov _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel From zelenkov at nginx.com Wed Jun 7 14:50:02 2017 From: zelenkov at nginx.com (Andrey Zelenkov) Date: Wed, 07 Jun 2017 14:50:02 +0000 Subject: [njs] Fixed zero basis handling for scientific notation. Message-ID: details: http://hg.nginx.org/njs/rev/2cba0bd90189 branches: changeset: 354:2cba0bd90189 user: Andrey Zelenkov date: Wed Jun 07 16:36:13 2017 +0300 description: Fixed zero basis handling for scientific notation. diffstat: njs/njs_number.c | 6 ++++-- njs/test/njs_unit_test.c | 6 ++++++ 2 files changed, 10 insertions(+), 2 deletions(-) diffs (32 lines): diff -r 7196ac334d64 -r 2cba0bd90189 njs/njs_number.c --- a/njs/njs_number.c Wed Jun 07 15:45:01 2017 +0300 +++ b/njs/njs_number.c Wed Jun 07 16:36:13 2017 +0300 @@ -154,8 +154,10 @@ njs_number_dec_parse(u_char **start, u_c p++; } - exponent = minus ? -exponent : exponent; - num = num * pow(10.0, exponent); + if (num != 0) { + exponent = minus ? -exponent : exponent; + num = num * pow(10.0, exponent); + } } } diff -r 7196ac334d64 -r 2cba0bd90189 njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Wed Jun 07 15:45:01 2017 +0300 +++ b/njs/test/njs_unit_test.c Wed Jun 07 16:36:13 2017 +0300 @@ -191,6 +191,12 @@ static njs_unit_test_t njs_test[] = { nxt_string("1.0e308"), nxt_string("1e+308") }, + { nxt_string("0e309"), + nxt_string("0") }, + + { nxt_string("0e-309"), + nxt_string("0") }, + { nxt_string("1e"), nxt_string("SyntaxError: Unexpected token \"e\" in 1") }, From zelenkov at nginx.com Wed Jun 7 14:50:04 2017 From: zelenkov at nginx.com (Andrey Zelenkov) Date: Wed, 07 Jun 2017 14:50:04 +0000 Subject: [njs] More scientific notation tests. Message-ID: details: http://hg.nginx.org/njs/rev/edf64bf9677c branches: changeset: 355:edf64bf9677c user: Andrey Zelenkov date: Wed Jun 07 16:36:17 2017 +0300 description: More scientific notation tests. diffstat: njs/test/njs_unit_test.c | 6 ++++++ 1 files changed, 6 insertions(+), 0 deletions(-) diffs (16 lines): diff -r 2cba0bd90189 -r edf64bf9677c njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Wed Jun 07 16:36:13 2017 +0300 +++ b/njs/test/njs_unit_test.c Wed Jun 07 16:36:17 2017 +0300 @@ -197,6 +197,12 @@ static njs_unit_test_t njs_test[] = { nxt_string("0e-309"), nxt_string("0") }, + { nxt_string("1e309"), + nxt_string("Infinity") }, + + { nxt_string("-1e309"), + nxt_string("-Infinity") }, + { nxt_string("1e"), nxt_string("SyntaxError: Unexpected token \"e\" in 1") }, From xeioex at nginx.com Wed Jun 7 14:59:38 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Wed, 07 Jun 2017 14:59:38 +0000 Subject: [njs] Object.defineProperty() method. Message-ID: details: http://hg.nginx.org/njs/rev/a0bc58cc65d5 branches: changeset: 356:a0bc58cc65d5 user: Dmitry Volyntsev date: Wed Jun 07 17:57:40 2017 +0300 description: Object.defineProperty() method. diffstat: njs/njs_object.c | 112 +++++++++++++++++++++++++++++++++++++++++++++++ njs/njs_object_hash.h | 51 +++++++++++++++++++++ njs/njs_vm.c | 4 +- njs/test/njs_unit_test.c | 58 ++++++++++++++++++++++++ 4 files changed, 224 insertions(+), 1 deletions(-) diffs (291 lines): diff -r edf64bf9677c -r a0bc58cc65d5 njs/njs_object.c --- a/njs/njs_object.c Wed Jun 07 16:36:17 2017 +0300 +++ b/njs/njs_object.c Wed Jun 07 17:57:40 2017 +0300 @@ -412,6 +412,109 @@ njs_object_keys(njs_vm_t *vm, njs_value_ } +static njs_ret_t +njs_object_define_property(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, + njs_index_t unused) +{ + nxt_int_t ret; + nxt_str_t key; + njs_value_t *name; + njs_object_t *object, *descriptor; + njs_object_prop_t *prop, *pr; + nxt_lvlhsh_query_t lhq, pq; + + if (nargs < 4 || !njs_is_object(&args[1]) || !njs_is_object(&args[3])) { + vm->exception = &njs_exception_type_error; + return NXT_ERROR; + } + + object = args[1].data.u.object; + name = &args[2]; + descriptor = args[3].data.u.object; + + if (name->short_string.size != NJS_STRING_LONG) { + key.start = name->short_string.start; + key.length = name->short_string.length; + + } else { + key.start = name->data.u.string->start; + key.length = name->data.string_size; + } + + lhq.key = key; + lhq.key_hash = nxt_djb_hash(key.start, key.length); + lhq.proto = &njs_object_hash_proto; + + ret = nxt_lvlhsh_find(&object->hash, &lhq); + + if (ret != NXT_OK) { + prop = njs_object_prop_alloc(vm, name); + + if (nxt_slow_path(prop == NULL)) { + return NXT_ERROR; + } + + prop->configurable = 0; + prop->enumerable = 0; + prop->writable = 0; + + lhq.value = prop; + + } else { + prop = lhq.value; + } + + pq.key = nxt_string_value("value"); + pq.key_hash = NJS_VALUE_HASH; + pq.proto = &njs_object_hash_proto; + + pr = njs_object_property(vm, descriptor, &pq); + + if (pr != NULL) { + prop->value = pr->value; + } + + pq.key = nxt_string_value("configurable"); + pq.key_hash = NJS_CONFIGURABLE_HASH; + + pr = njs_object_property(vm, descriptor, &pq); + + if (pr != NULL) { + prop->configurable = pr->value.data.truth; + } + + pq.key = nxt_string_value("enumerable"); + pq.key_hash = NJS_ENUMERABLE_HASH; + + pr = njs_object_property(vm, descriptor, &pq); + + if (pr != NULL) { + prop->enumerable = pr->value.data.truth; + } + + pq.key = nxt_string_value("writable"); + pq.key_hash = NJS_WRITABABLE_HASH; + + pr = njs_object_property(vm, descriptor, &pq); + + if (pr != NULL) { + prop->writable = pr->value.data.truth; + } + + lhq.replace = 0; + lhq.pool = vm->mem_cache_pool; + + ret = nxt_lvlhsh_insert(&object->hash, &lhq); + if (nxt_slow_path(ret != NXT_OK)) { + return NXT_ERROR; + } + + vm->retval = args[1]; + + return NXT_OK; +} + + /* * The __proto__ property of booleans, numbers and strings primitives, * of objects created by Boolean(), Number(), and String() constructors, @@ -558,6 +661,15 @@ static const njs_object_prop_t njs_obje .value = njs_native_function(njs_object_keys, 0, NJS_SKIP_ARG, NJS_OBJECT_ARG), }, + + /* Object.defineProperty(). */ + { + .type = NJS_METHOD, + .name = njs_string("defineProperty"), + .value = njs_native_function(njs_object_define_property, 0, + NJS_SKIP_ARG, NJS_OBJECT_ARG, + NJS_STRING_ARG, NJS_OBJECT_ARG), + }, }; diff -r edf64bf9677c -r a0bc58cc65d5 njs/njs_object_hash.h --- a/njs/njs_object_hash.h Wed Jun 07 16:36:17 2017 +0300 +++ b/njs/njs_object_hash.h Wed Jun 07 17:57:40 2017 +0300 @@ -8,6 +8,22 @@ #define _NJS_OBJECT_HASH_H_INCLUDED_ +#define NJS_CONFIGURABLE_HASH \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add(NXT_DJB_HASH_INIT, \ + 'c'), 'o'), 'n'), 'f'), 'i'), 'g'), 'u'), 'r'), 'a'), 'b'), 'l'), 'e') + + #define NJS_CONSTRUCTOR_HASH \ nxt_djb_hash_add( \ nxt_djb_hash_add( \ @@ -23,6 +39,20 @@ 'c'), 'o'), 'n'), 's'), 't'), 'r'), 'u'), 'c'), 't'), 'o'), 'r') +#define NJS_ENUMERABLE_HASH \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add(NXT_DJB_HASH_INIT, \ + 'e'), 'n'), 'u'), 'm'), 'e'), 'r'), 'a'), 'b'), 'l'), 'e') + + #define NJS_INDEX_HASH \ nxt_djb_hash_add( \ nxt_djb_hash_add( \ @@ -74,6 +104,15 @@ 't'), 'o'), 'S'), 't'), 'r'), 'i'), 'n'), 'g') +#define NJS_VALUE_HASH \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add(NXT_DJB_HASH_INIT, \ + 'v'), 'a'), 'l'), 'u'), 'e') + + #define NJS_VALUE_OF_HASH \ nxt_djb_hash_add( \ nxt_djb_hash_add( \ @@ -100,4 +139,16 @@ 't'), 'o'), 'I'), 'S'), 'O'), 'S'), 't'), 'r'), 'i'), 'n'), 'g') +#define NJS_WRITABABLE_HASH \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add( \ + nxt_djb_hash_add(NXT_DJB_HASH_INIT, \ + 'w'), 'r'), 'i'), 't'), 'a'), 'b'), 'l'), 'e') + + #endif /* _NJS_OBJECT_HASH_H_INCLUDED_ */ diff -r edf64bf9677c -r a0bc58cc65d5 njs/njs_vm.c --- a/njs/njs_vm.c Wed Jun 07 16:36:17 2017 +0300 +++ b/njs/njs_vm.c Wed Jun 07 17:57:40 2017 +0300 @@ -746,7 +746,9 @@ njs_vmcode_property_set(njs_vm_t *vm, nj return ret; } - prop->value = *value; + if (prop->writable) { + prop->value = *value; + } return sizeof(njs_vmcode_prop_set_t); } diff -r edf64bf9677c -r a0bc58cc65d5 njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Wed Jun 07 16:36:17 2017 +0300 +++ b/njs/test/njs_unit_test.c Wed Jun 07 17:57:40 2017 +0300 @@ -5874,6 +5874,64 @@ static njs_unit_test_t njs_test[] = { nxt_string("Object.keys(1)"), nxt_string("TypeError") }, + { nxt_string("var o = {}; Object.defineProperty(o, 'a', {}); o.a"), + nxt_string("undefined") }, + + { nxt_string("Object.defineProperty({}, 'a', {value:1})"), + nxt_string("[object Object]") }, + + { nxt_string("var o = {}; Object.defineProperty(o, 'a', {value:1}); o.a"), + nxt_string("1") }, + + { nxt_string("var o = {a:1, c:2}; Object.defineProperty(o, 'b', {});" + "Object.keys(o)"), + nxt_string("a,c") }, + + { nxt_string("var o = {a:1, c:2};" + "Object.defineProperty(o, 'b', {enumerable:false});" + "Object.keys(o)"), + nxt_string("a,c") }, + + { nxt_string("var o = {a:1, c:3};" + "Object.defineProperty(o, 'b', {enumerable:true});" + "Object.keys(o)"), + nxt_string("a,c,b") }, + + { nxt_string("var o = {}; Object.defineProperty(o, 'a', {}); o.a = 1; o.a"), + nxt_string("undefined") }, + + { nxt_string("var o = {}; Object.defineProperty(o, 'a', {writable:false});" + "o.a = 1; o.a"), + nxt_string("undefined") }, + + { nxt_string("var o = {}; Object.defineProperty(o, 'a', {writable:true});" + "o.a = 1; o.a"), + nxt_string("1") }, + + { nxt_string("var o = {};" + "Object.defineProperty(o, 'a', {value:1}); delete o.a; o.a"), + nxt_string("1") }, + + { nxt_string("var o = {};" + "Object.defineProperty(o, 'a', {value:1, configurable:true});" + "delete o.a; o.a"), + nxt_string("undefined") }, + + { nxt_string("var o = {};" + "Object.defineProperty(o, 'a', {value:1, configurable:false});" + "delete o.a; o.a"), + nxt_string("1") }, + + { nxt_string("var o = {};" + "Object.defineProperty(o, 'a', Object.create({value:2})); o.a"), + nxt_string("2") }, + + { nxt_string("var o = {}; Object.defineProperty()"), + nxt_string("TypeError") }, + + { nxt_string("var o = {}; Object.defineProperty(o)"), + nxt_string("TypeError") }, + { nxt_string("var d = new Date(''); d +' '+ d.getTime()"), nxt_string("Invalid Date NaN") }, From pluknet at nginx.com Wed Jun 7 15:51:51 2017 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 07 Jun 2017 15:51:51 +0000 Subject: [nginx] SSI: return NGX_ERROR when timefmt memory allocation failed. Message-ID: details: http://hg.nginx.org/nginx/rev/e699e6b6d76c branches: changeset: 7026:e699e6b6d76c user: Sergey Kandaurov date: Wed Jun 07 15:21:42 2017 +0300 description: SSI: return NGX_ERROR when timefmt memory allocation failed. Previously, when using NGX_HTTP_SSI_ERROR, error was ignored in ssi processing, thus timefmt could be accessed later in ngx_http_ssi_date_gmt_local_variable() as part of "set" handler, or NULL format pointer could be passed to strftime(). diffstat: src/http/modules/ngx_http_ssi_filter_module.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 7206c3630310 -r e699e6b6d76c src/http/modules/ngx_http_ssi_filter_module.c --- a/src/http/modules/ngx_http_ssi_filter_module.c Fri Jun 02 15:05:32 2017 +0300 +++ b/src/http/modules/ngx_http_ssi_filter_module.c Wed Jun 07 15:21:42 2017 +0300 @@ -2388,7 +2388,7 @@ ngx_http_ssi_config(ngx_http_request_t * ctx->timefmt.len = value->len; ctx->timefmt.data = ngx_pnalloc(r->pool, value->len + 1); if (ctx->timefmt.data == NULL) { - return NGX_HTTP_SSI_ERROR; + return NGX_ERROR; } ngx_cpystrn(ctx->timefmt.data, value->data, value->len + 1); From pluknet at nginx.com Wed Jun 7 15:51:54 2017 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 07 Jun 2017 15:51:54 +0000 Subject: [nginx] Fixed segfault in try_files with nested location. Message-ID: details: http://hg.nginx.org/nginx/rev/6d0e0d982ec0 branches: changeset: 7027:6d0e0d982ec0 user: Sergey Kandaurov date: Wed Jun 07 18:46:35 2017 +0300 description: Fixed segfault in try_files with nested location. If memory allocation of a new r->uri.data storage failed, reset its length as well. Request URI is used in ngx_http_finalize_request() for debug logging. diffstat: src/http/ngx_http_core_module.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (11 lines): diff -r e699e6b6d76c -r 6d0e0d982ec0 src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c Wed Jun 07 15:21:42 2017 +0300 +++ b/src/http/ngx_http_core_module.c Wed Jun 07 18:46:35 2017 +0300 @@ -1353,6 +1353,7 @@ ngx_http_core_try_files_phase(ngx_http_r r->uri.len = alias + path.len; r->uri.data = ngx_pnalloc(r->pool, r->uri.len); if (r->uri.data == NULL) { + r->uri.len = 0; ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); return NGX_OK; } From pluknet at nginx.com Wed Jun 7 15:51:56 2017 From: pluknet at nginx.com (Sergey Kandaurov) Date: Wed, 07 Jun 2017 15:51:56 +0000 Subject: [nginx] Userid: ngx_http_get_indexed_variable() error handling. Message-ID: details: http://hg.nginx.org/nginx/rev/e6f399a176e7 branches: changeset: 7028:e6f399a176e7 user: Sergey Kandaurov date: Wed Jun 07 18:46:36 2017 +0300 description: Userid: ngx_http_get_indexed_variable() error handling. When evaluating a mapped $reset_uid variable in the userid filter, if get_handler set to ngx_http_map_variable() returned an error, this previously resulted in a NULL pointer dereference. diffstat: src/http/modules/ngx_http_userid_filter_module.c | 4 ++++ 1 files changed, 4 insertions(+), 0 deletions(-) diffs (14 lines): diff -r 6d0e0d982ec0 -r e6f399a176e7 src/http/modules/ngx_http_userid_filter_module.c --- a/src/http/modules/ngx_http_userid_filter_module.c Wed Jun 07 18:46:35 2017 +0300 +++ b/src/http/modules/ngx_http_userid_filter_module.c Wed Jun 07 18:46:36 2017 +0300 @@ -472,6 +472,10 @@ ngx_http_userid_create_uid(ngx_http_requ vv = ngx_http_get_indexed_variable(r, ngx_http_userid_reset_index); + if (vv == NULL || vv->not_found) { + return NGX_ERROR; + } + if (vv->len == 0 || (vv->len == 1 && vv->data[0] == '0')) { if (conf->mark == '\0' From vl at nginx.com Wed Jun 7 16:42:06 2017 From: vl at nginx.com (Vladimir Homutov) Date: Wed, 7 Jun 2017 19:42:06 +0300 Subject: nginx development guide In-Reply-To: References: <20170213093825.GA27852@vlpc.nginx.com> <93394254-72e9-35aa-4644-ff0d5d12f282@nginx.com> Message-ID: <51e8e0e1-3862-6e51-55e4-730d71f4ab3a@nginx.com> 07.06.2017 17:00, ?? (hucc) ?????: > Hello, > > There are two possible errors in > http://nginx.org/en/docs/dev/development_guide.html#http_load_balancing > >> init(r, us) ? initializes per-request ngx_http_upstream_peer_t.peer (not to be confused with the >> ngx_http_upstream_srv_conf_t.peer described above which is per-upstream) structure that is used >> for load balancing. It will be passed as data argument to all callbacks that deal with server selection. > > Maybe is "initializes some fields (data, get, free, etc.) of per-request ngx_http_upstream_t.peer (...) " this details are described below in the text > >> When nginx has to pass a request to another host for processing, it uses a configured load balancing method >> to obtain an address to connect to. The method is taken from the ngx_http_upstream_peer_t.peer object of >> type ngx_peer_connection_t: > > It should be "The method is taken from the ngx_http_upstream_t.peer object of type ngx_peer_connection_t:" thanks, fixed From mdounin at mdounin.ru Wed Jun 7 18:13:27 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 7 Jun 2017 21:13:27 +0300 Subject: PSK Support In-Reply-To: <145451D4E6785E4DA4DFA353A58CB7B2015E15CE05@OLAWPA-EXMB04.ad.garmin.com> References: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7E3@OLAWPA-EXMB04.ad.garmin.com> <20170605130916.GX55433@mdounin.ru> <145451D4E6785E4DA4DFA353A58CB7B2015E15C57F@OLAWPA-EXMB04.ad.garmin.com> <20170605183944.GB55433@mdounin.ru> <145451D4E6785E4DA4DFA353A58CB7B2015E15CE05@OLAWPA-EXMB04.ad.garmin.com> Message-ID: <20170607181327.GS55433@mdounin.ru> Hello! On Wed, Jun 07, 2017 at 05:02:52AM +0000, Karstens, Nate wrote: > Maxim, > > The biggest downside that I can see to the dummy certificate > approach is documentation. Using a dummy certificate wasn't > immediately obvious to me, though perhaps my familiarity with > OpenSSL's "nocert" option may have affected that. Which do you > think would be easier for the user to find in the documentation: > 1) a description of the dummy certificate approach under the > "ssl_certificate" directive, 2) a separate directive > ("ssl_nocert"), or 3) an explicit option to the > "ssl_certificate" directive (e.g., " Syntax: ssl_certificate > file | off;")? In most cases, normal users won't need PSK at all, or will use it combined with certificates anyway. Describing in the documentation that "if you need to use PSK only, you still have to configure a certificate" doesn't looks like a big problem to me. Note well that there is a side problem with "listen ... ssl" used in server block but no ssl_certificate configured for the server. As of now, it is not reported during configuration parsing and may result in non-obvious behaviour in some cases, see ticket #178 (https://trac.nginx.org/nginx/ticket/178). This is a separate problem though, and it can't be fixed with the changes suggested. On the other hand, properly fixing it will greatly improve user experience in many cases, including PSK. > I'm OK with changing it to read from a password file (formatted > in a manner similar to stunnel) that is searched as needed (an > "ssl_psk_file" directive). Would it be OK to support multiple > files and stipulate that files are searched in the order that > they are included in nginx.conf? I don't think that supporting multiple files is a good idea, a single one should be enough. Possible alternative names: - "ssl_psk_secrets", similar to the one used by stunnel; - "ssl_pre_shared_keys". Not sure if these are better though. > Can we support both ASCII and binary PSKs? RFC 4279 section 5.4 > seems to require both types, and I need binary keys for my > application :). Maybe a parameter to the "ssl_psk_file" > directive could indicate how the PSKs are stored in the file? We can consider providing an alternative form to allow arbitrary keys, e.g., by using hex-encoded keys. This can be done using some explicit prefix, something like this: identity:key identity:0x6b6579 identity:{HEX}6b6579 (The last variant is in line with "{scheme}data" syntax as used in auth_basic_user_file. Not sure if we need it here, just "0x" might be easier.) -- Maxim Dounin http://nginx.org/ From vbart at nginx.com Wed Jun 7 19:16:17 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Wed, 07 Jun 2017 22:16:17 +0300 Subject: [PATCH 2 of 3] HTTP/2: added support for trailers in HTTP responses In-Reply-To: <8d74ff6c2015180f5c1f.1496460826@piotrsikora.sfo.corp.google.com> References: <8d74ff6c2015180f5c1f.1496460826@piotrsikora.sfo.corp.google.com> Message-ID: <8319246.PdA5WZVuiQ@vbart-workstation> On Friday 02 June 2017 20:33:46 Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1493191954 25200 > # Wed Apr 26 00:32:34 2017 -0700 > # Node ID 8d74ff6c2015180f5c1f399f492214d7d0a52b3f > # Parent 41c09a2fd90410e25ad8515793bd48028001c954 > HTTP/2: added support for trailers in HTTP responses. > > Signed-off-by: Piotr Sikora > > diff -r 41c09a2fd904 -r 8d74ff6c2015 src/http/v2/ngx_http_v2_filter_module.c > --- a/src/http/v2/ngx_http_v2_filter_module.c > +++ b/src/http/v2/ngx_http_v2_filter_module.c > @@ -50,13 +50,17 @@ > #define NGX_HTTP_V2_SERVER_INDEX 54 > #define NGX_HTTP_V2_VARY_INDEX 59 > > +#define NGX_HTTP_V2_FRAME_ERROR (ngx_http_v2_out_frame_t *) -1 > + > > static u_char *ngx_http_v2_string_encode(u_char *dst, u_char *src, size_t len, > u_char *tmp, ngx_uint_t lower); > static u_char *ngx_http_v2_write_int(u_char *pos, ngx_uint_t prefix, > ngx_uint_t value); > static ngx_http_v2_out_frame_t *ngx_http_v2_create_headers_frame( > - ngx_http_request_t *r, u_char *pos, u_char *end); > + ngx_http_request_t *r, u_char *pos, u_char *end, ngx_uint_t fin); > +static ngx_http_v2_out_frame_t *ngx_http_v2_create_trailers_frame( > + ngx_http_request_t *r); > > static ngx_chain_t *ngx_http_v2_send_chain(ngx_connection_t *fc, > ngx_chain_t *in, off_t limit); > @@ -612,7 +616,7 @@ ngx_http_v2_header_filter(ngx_http_reque > header[i].value.len, tmp); > } > > - frame = ngx_http_v2_create_headers_frame(r, start, pos); > + frame = ngx_http_v2_create_headers_frame(r, start, pos, r->header_only); > if (frame == NULL) { > return NGX_ERROR; > } > @@ -636,6 +640,126 @@ ngx_http_v2_header_filter(ngx_http_reque > } > > > +static ngx_http_v2_out_frame_t * > +ngx_http_v2_create_trailers_frame(ngx_http_request_t *r) > +{ [..] > + > + frame = ngx_http_v2_create_headers_frame(r, start, pos, 1); > + if (frame == NULL) { > + return NGX_HTTP_V2_FRAME_ERROR; > + } > + > + return frame; > +} It's better to keep return values consistent with ngx_http_v2_create_headers_frame() and introduce NGX_HTTP_V2_NO_TRAILERS instead of NGX_HTTP_V2_FRAME_ERROR. [..] > @@ -934,17 +1060,36 @@ ngx_http_v2_send_chain(ngx_connection_t > size -= rest; > } > > - frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, out, cl); > - if (frame == NULL) { > - return NGX_CHAIN_ERROR; > + if (cl->buf->last_buf) { > + trailers = ngx_http_v2_create_trailers_frame(r); > + if (trailers == NGX_HTTP_V2_FRAME_ERROR) { > + return NGX_CHAIN_ERROR; > + } > + > + if (trailers) { > + cl->buf->last_buf = 0; > + } > } > > - ngx_http_v2_queue_frame(h2c, frame); > + if (frame_size || cl->buf->last_buf) { > + frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, out, > + cl); > + if (frame == NULL) { > + return NGX_CHAIN_ERROR; > + } > > - h2c->send_window -= frame_size; > + ngx_http_v2_queue_frame(h2c, frame); > > - stream->send_window -= frame_size; > - stream->queued++; > + h2c->send_window -= frame_size; > + > + stream->send_window -= frame_size; > + stream->queued++; > + } > + > + if (trailers) { > + ngx_http_v2_queue_frame(h2c, trailers); > + stream->queued++; > + } > > if (in == NULL) { > break; There's no reason to check "trailers" on each iteration. I think you can put it inside the "if (in == NULL)" condition. Please consider the changes below. wbr, Valentin V. Bartenev diff -r 0e2f2f8b5c9b src/http/v2/ngx_http_v2_filter_module.c --- a/src/http/v2/ngx_http_v2_filter_module.c Wed Apr 26 00:32:34 2017 -0700 +++ b/src/http/v2/ngx_http_v2_filter_module.c Wed Jun 07 22:10:04 2017 +0300 @@ -50,7 +50,7 @@ #define NGX_HTTP_V2_SERVER_INDEX 54 #define NGX_HTTP_V2_VARY_INDEX 59 -#define NGX_HTTP_V2_FRAME_ERROR (ngx_http_v2_out_frame_t *) -1 +#define NGX_HTTP_V2_NO_TRAILERS (ngx_http_v2_out_frame_t *) -1 static u_char *ngx_http_v2_string_encode(u_char *dst, u_char *src, size_t len, @@ -643,12 +643,11 @@ ngx_http_v2_header_filter(ngx_http_reque static ngx_http_v2_out_frame_t * ngx_http_v2_create_trailers_frame(ngx_http_request_t *r) { - u_char *pos, *start, *tmp; - size_t len, tmp_len; - ngx_uint_t i; - ngx_list_part_t *part; - ngx_table_elt_t *header; - ngx_http_v2_out_frame_t *frame; + u_char *pos, *start, *tmp; + size_t len, tmp_len; + ngx_uint_t i; + ngx_list_part_t *part; + ngx_table_elt_t *header; len = 0; tmp_len = 0; @@ -677,7 +676,7 @@ ngx_http_v2_create_trailers_frame(ngx_ht "too long response trailer name: \"%V\"", &header[i].key); - return NGX_HTTP_V2_FRAME_ERROR; + return NULL; } if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) { @@ -685,7 +684,7 @@ ngx_http_v2_create_trailers_frame(ngx_ht "too long response trailer value: \"%V: %V\"", &header[i].key, &header[i].value); - return NGX_HTTP_V2_FRAME_ERROR; + return NULL; } len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len @@ -701,14 +700,14 @@ ngx_http_v2_create_trailers_frame(ngx_ht } if (len == 0) { - return NULL; + return NGX_HTTP_V2_NO_TRAILERS; } tmp = ngx_palloc(r->pool, tmp_len); pos = ngx_pnalloc(r->pool, len); if (pos == NULL || tmp == NULL) { - return NGX_HTTP_V2_FRAME_ERROR; + return NULL; } start = pos; @@ -751,12 +750,7 @@ ngx_http_v2_create_trailers_frame(ngx_ht header[i].value.len, tmp); } - frame = ngx_http_v2_create_headers_frame(r, start, pos, 1); - if (frame == NULL) { - return NGX_HTTP_V2_FRAME_ERROR; - } - - return frame; + return ngx_http_v2_create_headers_frame(r, start, pos, 1); } @@ -996,7 +990,7 @@ ngx_http_v2_send_chain(ngx_connection_t frame_size = (h2lcf->chunk_size < h2c->frame_size) ? h2lcf->chunk_size : h2c->frame_size; - trailers = NULL; + trailers = NGX_HTTP_V2_NO_TRAILERS; #if (NGX_SUPPRESS_WARN) cl = NULL; @@ -1062,18 +1056,18 @@ ngx_http_v2_send_chain(ngx_connection_t if (cl->buf->last_buf) { trailers = ngx_http_v2_create_trailers_frame(r); - if (trailers == NGX_HTTP_V2_FRAME_ERROR) { + if (trailers == NULL) { return NGX_CHAIN_ERROR; } - if (trailers) { + if (trailers != NGX_HTTP_V2_NO_TRAILERS) { cl->buf->last_buf = 0; } } if (frame_size || cl->buf->last_buf) { - frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, out, - cl); + frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, + out, cl); if (frame == NULL) { return NGX_CHAIN_ERROR; } @@ -1086,12 +1080,13 @@ ngx_http_v2_send_chain(ngx_connection_t stream->queued++; } - if (trailers) { - ngx_http_v2_queue_frame(h2c, trailers); - stream->queued++; - } + if (in == NULL) { - if (in == NULL) { + if (trailers != NGX_HTTP_V2_NO_TRAILERS) { + ngx_http_v2_queue_frame(h2c, trailers); + stream->queued++; + } + break; } From hongzhidao at gmail.com Thu Jun 8 04:07:29 2017 From: hongzhidao at gmail.com (=?UTF-8?B?5rSq5b+X6YGT?=) Date: Thu, 8 Jun 2017 12:07:29 +0800 Subject: [nginx] support http2 per server Message-ID: Hi! Now, http2 is enabled globally for 'listen' directive with ip:port. It seems it's possible to enable by server with sni, alpn, npn. Take a look, please. diff -r 5e05118678af src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Mon May 29 23:33:38 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.c Wed Jun 07 12:17:34 2017 -0400 @@ -234,6 +234,13 @@ offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, + { ngx_string("ssl_h2"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_http_ssl_enable, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, h2), + NULL }, + ngx_null_command }; @@ -343,16 +350,17 @@ unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { - unsigned int srvlen; - unsigned char *srv; + unsigned int srvlen; + unsigned char *srv; #if (NGX_DEBUG) - unsigned int i; + unsigned int i; #endif #if (NGX_HTTP_V2) - ngx_http_connection_t *hc; + ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; #endif #if (NGX_HTTP_V2 || NGX_DEBUG) - ngx_connection_t *c; + ngx_connection_t *c; c = ngx_ssl_get_connection(ssl_conn); #endif @@ -367,8 +375,9 @@ #if (NGX_HTTP_V2) hc = c->data; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); - if (hc->addr_conf->http2) { + if (hc->addr_conf->http2 && sscf->h2) { srv = (unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; @@ -411,11 +420,13 @@ #if (NGX_HTTP_V2) { - ngx_http_connection_t *hc; + ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; hc = c->data; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); - if (hc->addr_conf->http2) { + if (hc->addr_conf->http2 && sscf->h2) { *out = (unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; *outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; @@ -555,6 +566,7 @@ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; sscf->stapling = NGX_CONF_UNSET; sscf->stapling_verify = NGX_CONF_UNSET; + sscf->h2 = NGX_CONF_UNSET; return sscf; } @@ -620,6 +632,8 @@ ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); + ngx_conf_merge_value(conf->h2, prev->h2, 0); + conf->ssl.log = cf->log; if (conf->enable) { diff -r 5e05118678af src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h Mon May 29 23:33:38 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.h Wed Jun 07 12:17:34 2017 -0400 @@ -57,6 +57,8 @@ u_char *file; ngx_uint_t line; + + ngx_flag_t h2; } ngx_http_ssl_srv_conf_t; Thanks. B.R. -------------- next part -------------- An HTML attachment was scrubbed... URL: From hongzhidao at gmail.com Thu Jun 8 06:59:19 2017 From: hongzhidao at gmail.com (=?UTF-8?B?5rSq5b+X6YGT?=) Date: Thu, 8 Jun 2017 14:59:19 +0800 Subject: [nginx] support http2 per server In-Reply-To: References: Message-ID: Sorry for the typo. diff -r 5e05118678af src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Mon May 29 23:33:38 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.c Wed Jun 07 12:17:34 2017 -0400 @@ -234,6 +234,13 @@ offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, + { ngx_string("ssl_h2"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, h2), + NULL }, + ngx_null_command }; @@ -343,16 +350,17 @@ unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { - unsigned int srvlen; - unsigned char *srv; + unsigned int srvlen; + unsigned char *srv; #if (NGX_DEBUG) - unsigned int i; + unsigned int i; #endif #if (NGX_HTTP_V2) - ngx_http_connection_t *hc; + ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; #endif #if (NGX_HTTP_V2 || NGX_DEBUG) - ngx_connection_t *c; + ngx_connection_t *c; c = ngx_ssl_get_connection(ssl_conn); #endif @@ -367,8 +375,9 @@ #if (NGX_HTTP_V2) hc = c->data; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); - if (hc->addr_conf->http2) { + if (hc->addr_conf->http2 && sscf->h2) { srv = (unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; @@ -411,11 +420,13 @@ #if (NGX_HTTP_V2) { - ngx_http_connection_t *hc; + ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; hc = c->data; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); - if (hc->addr_conf->http2) { + if (hc->addr_conf->http2 && sscf->h2) { *out = (unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; *outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; @@ -555,6 +566,7 @@ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; sscf->stapling = NGX_CONF_UNSET; sscf->stapling_verify = NGX_CONF_UNSET; + sscf->h2 = NGX_CONF_UNSET; return sscf; } @@ -620,6 +632,8 @@ ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); + ngx_conf_merge_value(conf->h2, prev->h2, 0); + conf->ssl.log = cf->log; if (conf->enable) { diff -r 5e05118678af src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h Mon May 29 23:33:38 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.h Wed Jun 07 12:17:34 2017 -0400 @@ -57,6 +57,8 @@ u_char *file; ngx_uint_t line; + + ngx_flag_t h2; } ngx_http_ssl_srv_conf_t; On Thu, Jun 8, 2017 at 12:07 PM, ??? wrote: > Hi! > Now, http2 is enabled globally for 'listen' directive with ip:port. > It seems it's possible to enable by server with sni, alpn, npn. > Take a look, please. > > diff -r 5e05118678af src/http/modules/ngx_http_ssl_module.c > --- a/src/http/modules/ngx_http_ssl_module.c Mon May 29 23:33:38 2017 > +0300 > +++ b/src/http/modules/ngx_http_ssl_module.c Wed Jun 07 12:17:34 2017 > -0400 > @@ -234,6 +234,13 @@ > offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), > NULL }, > > + { ngx_string("ssl_h2"), > + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, > + ngx_http_ssl_enable, > + NGX_HTTP_SRV_CONF_OFFSET, > + offsetof(ngx_http_ssl_srv_conf_t, h2), > + NULL }, > + > ngx_null_command > }; > > @@ -343,16 +350,17 @@ > unsigned char *outlen, const unsigned char *in, unsigned int inlen, > void *arg) > { > - unsigned int srvlen; > - unsigned char *srv; > + unsigned int srvlen; > + unsigned char *srv; > #if (NGX_DEBUG) > - unsigned int i; > + unsigned int i; > #endif > #if (NGX_HTTP_V2) > - ngx_http_connection_t *hc; > + ngx_http_connection_t *hc; > + ngx_http_ssl_srv_conf_t *sscf; > #endif > #if (NGX_HTTP_V2 || NGX_DEBUG) > - ngx_connection_t *c; > + ngx_connection_t *c; > > c = ngx_ssl_get_connection(ssl_conn); > #endif > @@ -367,8 +375,9 @@ > > #if (NGX_HTTP_V2) > hc = c->data; > + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, > ngx_http_ssl_module); > > - if (hc->addr_conf->http2) { > + if (hc->addr_conf->http2 && sscf->h2) { > srv = > (unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE > NGX_HTTP_NPN_ADVERTISE; > srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE > NGX_HTTP_NPN_ADVERTISE) - 1; > @@ -411,11 +420,13 @@ > > #if (NGX_HTTP_V2) > { > - ngx_http_connection_t *hc; > + ngx_http_connection_t *hc; > + ngx_http_ssl_srv_conf_t *sscf; > > hc = c->data; > + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, > ngx_http_ssl_module); > > - if (hc->addr_conf->http2) { > + if (hc->addr_conf->http2 && sscf->h2) { > *out = > (unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE > NGX_HTTP_NPN_ADVERTISE; > *outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE > NGX_HTTP_NPN_ADVERTISE) - 1; > @@ -555,6 +566,7 @@ > sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; > sscf->stapling = NGX_CONF_UNSET; > sscf->stapling_verify = NGX_CONF_UNSET; > + sscf->h2 = NGX_CONF_UNSET; > > return sscf; > } > @@ -620,6 +632,8 @@ > ngx_conf_merge_str_value(conf->stapling_responder, > prev->stapling_responder, ""); > > + ngx_conf_merge_value(conf->h2, prev->h2, 0); > + > conf->ssl.log = cf->log; > > if (conf->enable) { > diff -r 5e05118678af src/http/modules/ngx_http_ssl_module.h > --- a/src/http/modules/ngx_http_ssl_module.h Mon May 29 23:33:38 2017 > +0300 > +++ b/src/http/modules/ngx_http_ssl_module.h Wed Jun 07 12:17:34 2017 > -0400 > @@ -57,6 +57,8 @@ > > u_char *file; > ngx_uint_t line; > + > + ngx_flag_t h2; > } ngx_http_ssl_srv_conf_t; > > Thanks. > B.R. > > -------------- next part -------------- An HTML attachment was scrubbed... URL: From xeioex at nginx.com Thu Jun 8 11:19:07 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Thu, 08 Jun 2017 11:19:07 +0000 Subject: [njs] Object.prototype.hasOwnProperty() method. Message-ID: details: http://hg.nginx.org/njs/rev/692ad3557d58 branches: changeset: 357:692ad3557d58 user: Dmitry Volyntsev date: Thu Jun 08 14:18:37 2017 +0300 description: Object.prototype.hasOwnProperty() method. diffstat: njs/njs_object.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ njs/njs_vm.h | 13 ++++++++++++ njs/test/njs_unit_test.c | 42 ++++++++++++++++++++++++++++++++++++++++ 3 files changed, 105 insertions(+), 0 deletions(-) diffs (142 lines): diff -r a0bc58cc65d5 -r 692ad3557d58 njs/njs_object.c --- a/njs/njs_object.c Wed Jun 07 17:57:40 2017 +0300 +++ b/njs/njs_object.c Thu Jun 08 14:18:37 2017 +0300 @@ -882,6 +882,49 @@ found: } +static njs_ret_t +njs_object_prototype_has_own_property(njs_vm_t *vm, njs_value_t *args, + nxt_uint_t nargs, njs_index_t unused) +{ + uint32_t index; + nxt_int_t ret; + njs_array_t *array; + const njs_value_t *retval; + nxt_lvlhsh_query_t lhq; + + retval = &njs_string_false; + + if (njs_is_object(&args[0])) { + + if (njs_is_array(&args[0])) { + array = args[0].data.u.array; + index = njs_string_to_index(&args[1]); + + if (index < array->length && njs_is_valid(&array->start[index])) { + retval = &njs_string_true; + goto done; + } + } + + njs_string_get(&args[1], &lhq.key); + lhq.key_hash = nxt_djb_hash(lhq.key.start, lhq.key.length); + lhq.proto = &njs_object_hash_proto; + + ret = nxt_lvlhsh_find(&args[0].data.u.object->hash, &lhq); + + if (ret == NXT_OK) { + retval = &njs_string_true; + } + } + +done: + + vm->retval = *retval; + + return NXT_OK; +} + + static const njs_object_prop_t njs_object_prototype_properties[] = { { @@ -907,6 +950,13 @@ static const njs_object_prop_t njs_obje .name = njs_string("toString"), .value = njs_native_function(njs_object_prototype_to_string, 0, 0), }, + + { + .type = NJS_METHOD, + .name = njs_string("hasOwnProperty"), + .value = njs_native_function(njs_object_prototype_has_own_property, 0, + NJS_OBJECT_ARG, NJS_STRING_ARG), + }, }; diff -r a0bc58cc65d5 -r 692ad3557d58 njs/njs_vm.h --- a/njs/njs_vm.h Wed Jun 07 17:57:40 2017 +0300 +++ b/njs/njs_vm.h Thu Jun 08 14:18:37 2017 +0300 @@ -408,6 +408,19 @@ typedef njs_ret_t (*njs_vmcode_operation #define njs_string_truth(value, size) +#define njs_string_get(value, str) \ + do { \ + if ((value)->short_string.size != NJS_STRING_LONG) { \ + (str)->length = (value)->short_string.size; \ + (str)->start = (value)->short_string.start; \ + \ + } else { \ + (str)->length = (value)->data.string_size; \ + (str)->start = (value)->data.u.string->start; \ + } \ + } while (0) + + #define njs_string_short_start(value) \ (value)->short_string.start diff -r a0bc58cc65d5 -r 692ad3557d58 njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Wed Jun 07 17:57:40 2017 +0300 +++ b/njs/test/njs_unit_test.c Thu Jun 08 14:18:37 2017 +0300 @@ -5932,6 +5932,48 @@ static njs_unit_test_t njs_test[] = { nxt_string("var o = {}; Object.defineProperty(o)"), nxt_string("TypeError") }, + { nxt_string("var o = {a:1}; o.hasOwnProperty('a')"), + nxt_string("true") }, + + { nxt_string("var o = Object.create({a:2}); o.hasOwnProperty('a')"), + nxt_string("false") }, + + { nxt_string("var o = {a:1}; o.hasOwnProperty('b')"), + nxt_string("false") }, + + { nxt_string("var a = []; a.hasOwnProperty('0')"), + nxt_string("false") }, + + { nxt_string("var a = [,,]; a.hasOwnProperty('0')"), + nxt_string("false") }, + + { nxt_string("var a = [3,,]; a.hasOwnProperty('0')"), + nxt_string("true") }, + + { nxt_string("var a = [,4]; a.hasOwnProperty('1')"), + nxt_string("true") }, + + { nxt_string("var a = [3,4]; a.hasOwnProperty('2')"), + nxt_string("false") }, + + { nxt_string("var a = [3,4]; a.one = 1; a.hasOwnProperty('one')"), + nxt_string("true") }, + + { nxt_string("var o = {a:1}; o.hasOwnProperty(o)"), + nxt_string("false") }, + + { nxt_string("var o = {a:1}; o.hasOwnProperty(1)"), + nxt_string("false") }, + + { nxt_string("var o = {a:1}; o.hasOwnProperty()"), + nxt_string("false") }, + + { nxt_string("1..hasOwnProperty('b')"), + nxt_string("false") }, + + { nxt_string("'s'.hasOwnProperty('b')"), + nxt_string("false") }, + { nxt_string("var d = new Date(''); d +' '+ d.getTime()"), nxt_string("Invalid Date NaN") }, From vbart at nginx.com Thu Jun 8 14:17:20 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 08 Jun 2017 17:17:20 +0300 Subject: [nginx] support http2 per server In-Reply-To: References: Message-ID: <2402328.DdJ9xUFFzf@vbart-workstation> On Thursday 08 June 2017 12:07:29 ??? wrote: > Hi! > Now, http2 is enabled globally for 'listen' directive with ip:port. > It seems it's possible to enable by server with sni, alpn, npn. > Take a look, please. > [..] How will "sni, alpn, npn" prevent browser from asking other virtual servers using already opened HTTP/2 connection? wbr, Valentin V. Bartenev From vbart at nginx.com Thu Jun 8 15:17:38 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 08 Jun 2017 18:17:38 +0300 Subject: [PATCH] HTTP/2: reject HTTP/2 requests with "Connection" header In-Reply-To: References: Message-ID: <42772973.0zRm91nVQn@vbart-workstation> On Sunday 26 March 2017 01:41:18 Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1490516709 25200 > # Sun Mar 26 01:25:09 2017 -0700 > # Node ID b8daccea5fde213d4b7a10fa9f57070ab3b6a1ec > # Parent 22be63bf21edaa1b8ea916c7d8cd4e5fe4892061 > HTTP/2: reject HTTP/2 requests with "Connection" header. > > While there, populate r->headers_in.connection. > > Signed-off-by: Piotr Sikora > > diff -r 22be63bf21ed -r b8daccea5fde src/http/ngx_http_request.c > --- a/src/http/ngx_http_request.c > +++ b/src/http/ngx_http_request.c > @@ -1659,6 +1659,22 @@ static ngx_int_t > ngx_http_process_connection(ngx_http_request_t *r, ngx_table_elt_t *h, > ngx_uint_t offset) > { > + if (r->headers_in.connection == NULL) { > + r->headers_in.connection = h; > + } > + > +#if (NGX_HTTP_V2) > + > + if (r->http_version >= NGX_HTTP_VERSION_20) { > + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, > + "client sent HTTP/2 request with \"Connection\" header"); > + > + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); > + return NGX_ERROR; > + } > + > +#endif > + > if (ngx_strcasestrn(h->value.data, "close", 5 - 1)) { > r->headers_in.connection_type = NGX_HTTP_CONNECTION_CLOSE; > Since HTTP/2 is a separate protocol and not just GET / HTTP/2.0, so the r->stream pointer should be tested instead (like in many other places). wbr, Valentin V. Bartenev From hongzhidao at gmail.com Thu Jun 8 15:19:23 2017 From: hongzhidao at gmail.com (=?UTF-8?B?5rSq5b+X6YGT?=) Date: Thu, 8 Jun 2017 23:19:23 +0800 Subject: [nginx] support http2 per server In-Reply-To: <2402328.DdJ9xUFFzf@vbart-workstation> References: <2402328.DdJ9xUFFzf@vbart-workstation> Message-ID: It sounds right. According to the same situation, how does http2 protocol force other virtual servers to process certificate (ssl handshake). Example: server { listen 443 http2; a.com; ssl_certi....; } server { listen 443 http2; b.com; ssl_certi....; } We assume sni is 'a.com', then the connection contains different requests with different domains. That b.com will escape from ssl handshake. In fact, we need it to do the ssl handshake. Thanks. On Thu, Jun 8, 2017 at 10:17 PM, Valentin V. Bartenev wrote: > On Thursday 08 June 2017 12:07:29 ??? wrote: > > Hi! > > Now, http2 is enabled globally for 'listen' directive with ip:port. > > It seems it's possible to enable by server with sni, alpn, npn. > > Take a look, please. > > > [..] > > How will "sni, alpn, npn" prevent browser from asking other virtual > servers using already opened HTTP/2 connection? > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Thu Jun 8 15:25:10 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 08 Jun 2017 18:25:10 +0300 Subject: [nginx] support http2 per server In-Reply-To: References: <2402328.DdJ9xUFFzf@vbart-workstation> Message-ID: <2643497.seJtDEk1sC@vbart-workstation> On Thursday 08 June 2017 23:19:23 ??? wrote: > It sounds right. > > According to the same situation, how does http2 protocol force other > virtual servers to process certificate (ssl handshake). > > Example: > > server { > listen 443 http2; > a.com; > ssl_certi....; > } > > server { > listen 443 http2; > b.com; > ssl_certi....; > } > > We assume sni is 'a.com', then the connection contains different requests > with different domains. > That b.com will escape from ssl handshake. In fact, we need it to do the > ssl handshake. > > Thanks. > It is called "Connection Reuse" in HTTP/2: https://tools.ietf.org/html/rfc7540#section-9.1.1 wbr, Valentin V. Bartenev From hongzhidao at gmail.com Thu Jun 8 16:08:06 2017 From: hongzhidao at gmail.com (=?UTF-8?B?5rSq5b+X6YGT?=) Date: Fri, 9 Jun 2017 00:08:06 +0800 Subject: [nginx] support http2 per server In-Reply-To: <2643497.seJtDEk1sC@vbart-workstation> References: <2402328.DdJ9xUFFzf@vbart-workstation> <2643497.seJtDEk1sC@vbart-workstation> Message-ID: " For "https" resources, connection reuse additionally depends on having a certificate that is valid for the host in the URI. The certificate presented by the server MUST satisfy any checks that the client would perform when forming a new TLS connection for the host in the URI. " It seems the brower can prevent the unreasonable behavior. In reallity, It still exist some clients that dosen't perfom well in http2. So it's kind of valuable to enable http2 by server. It's not a good idea the put the patch in nginx, Can you help to check the patch whether contains serious problem? Maybe it's helpful for other guys. Thanks again. On Thu, Jun 8, 2017 at 11:25 PM, Valentin V. Bartenev wrote: > On Thursday 08 June 2017 23:19:23 ??? wrote: > > It sounds right. > > > > According to the same situation, how does http2 protocol force other > > virtual servers to process certificate (ssl handshake). > > > > Example: > > > > server { > > listen 443 http2; > > a.com; > > ssl_certi....; > > } > > > > server { > > listen 443 http2; > > b.com; > > ssl_certi....; > > } > > > > We assume sni is 'a.com', then the connection contains different > requests > > with different domains. > > That b.com will escape from ssl handshake. In fact, we need it to do the > > ssl handshake. > > > > Thanks. > > > > It is called "Connection Reuse" in HTTP/2: > https://tools.ietf.org/html/rfc7540#section-9.1.1 > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Thu Jun 8 16:08:20 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 8 Jun 2017 19:08:20 +0300 Subject: [PATCH] Proxy: always emit "Host" header first In-Reply-To: References: Message-ID: <20170608160820.GW55433@mdounin.ru> Hello! On Sat, Jun 03, 2017 at 08:03:57PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1489618489 25200 > # Wed Mar 15 15:54:49 2017 -0700 > # Node ID e472b23fdc387943ea90fb2f0ae415d9d104edc7 > # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 > Proxy: always emit "Host" header first. > > Signed-off-by: Piotr Sikora > > diff -r 716852cce913 -r e472b23fdc38 src/http/modules/ngx_http_proxy_module.c > --- a/src/http/modules/ngx_http_proxy_module.c > +++ b/src/http/modules/ngx_http_proxy_module.c > @@ -3412,7 +3412,7 @@ ngx_http_proxy_init_headers(ngx_conf_t * > uintptr_t *code; > ngx_uint_t i; > ngx_array_t headers_names, headers_merged; > - ngx_keyval_t *src, *s, *h; > + ngx_keyval_t *host, *src, *s, *h; > ngx_hash_key_t *hk; > ngx_hash_init_t hash; > ngx_http_script_compile_t sc; > @@ -3444,11 +3444,33 @@ ngx_http_proxy_init_headers(ngx_conf_t * > return NGX_ERROR; > } > > + h = default_headers; > + > + if (h->key.len != sizeof("Host") - 1 > + || ngx_strcasecmp(h->key.data, (u_char *) "Host") != 0) > + { > + return NGX_ERROR; > + } > + > + host = ngx_array_push(&headers_merged); > + if (host == NULL) { > + return NGX_ERROR; > + } > + > + *host = *h++; > + > if (conf->headers_source) { > > src = conf->headers_source->elts; > for (i = 0; i < conf->headers_source->nelts; i++) { > > + if (src[i].key.len == sizeof("Host") - 1 > + && ngx_strcasecmp(src[i].key.data, (u_char *) "Host") == 0) > + { > + *host = src[i]; > + continue; > + } > + > s = ngx_array_push(&headers_merged); > if (s == NULL) { > return NGX_ERROR; > @@ -3458,8 +3480,6 @@ ngx_http_proxy_init_headers(ngx_conf_t * > } > } > > - h = default_headers; > - > while (h->key.len) { > > src = headers_merged.elts; I don't think I like this. Trying to prioritize headers based on some mostly external knowledge in a function which is intended to merge headers user-supplied and default headers doesn't look wise. Not to mention that it depends on the "Host" header being first in the default headers lists. Instead, consider the following variants: - emitting default headers first, than user-supplied ones; - emitting the Host header separately from other headers, via a dedicated code in ngx_http_proxy_create_request(). Note well that I'm not really sure that any of the above variants is in fact better than the current behaviour. The current behaviour is to follow header order specified in the configuration, and it makes it possible to redefine order of standard headers if needed. I suspect this and other patches you've send at the same time are in fact parts of your work to introduce HTTP/2 support to upstream servers. Please consider submitting a patch series with the whole feature instead. Individual patches which doesn't make much sense by its own are hard to review, and are likely to be rejected. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Thu Jun 8 16:19:50 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 8 Jun 2017 19:19:50 +0300 Subject: [PATCH] Upstream: ignore read-readiness if request wasn't sent In-Reply-To: References: Message-ID: <20170608161950.GX55433@mdounin.ru> Hello! On Sat, Jun 03, 2017 at 08:04:05PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1491296505 25200 > # Tue Apr 04 02:01:45 2017 -0700 > # Node ID bff5ac3da350d8d9225d4204d8aded90fb670f3f > # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 > Upstream: ignore read-readiness if request wasn't sent. > > Signed-off-by: Piotr Sikora > > diff -r 716852cce913 -r bff5ac3da350 src/http/ngx_http_upstream.c > --- a/src/http/ngx_http_upstream.c > +++ b/src/http/ngx_http_upstream.c > @@ -2179,8 +2179,12 @@ ngx_http_upstream_process_header(ngx_htt > return; > } > > - if (!u->request_sent && ngx_http_upstream_test_connect(c) != NGX_OK) { > - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); > + if (!u->request_sent) { > + if (ngx_http_upstream_test_connect(c) != NGX_OK) { > + ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); > + return; > + } > + > return; > } This change looks wrong, as 1) a response may happen to be received even before we've sent a request - for example, the other side may simply close the connection for its own reasons; 2) in the resulting code we return from a read event handler without calling ngx_handle_read_event(), and this will result in CPU hog when used with level-triggered events. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Thu Jun 8 16:29:56 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 8 Jun 2017 19:29:56 +0300 Subject: [PATCH] Output chain: propagate flush and last_buf flags to send_chain() In-Reply-To: <2a48b9b6e67d91594c17.1496545447@piotrsikora.sfo.corp.google.com> References: <2a48b9b6e67d91594c17.1496545447@piotrsikora.sfo.corp.google.com> Message-ID: <20170608162956.GY55433@mdounin.ru> Hello! On Sat, Jun 03, 2017 at 08:04:07PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1491708381 25200 > # Sat Apr 08 20:26:21 2017 -0700 > # Node ID 2a48b9b6e67d91594c1787ebf721daebf5f88c91 > # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 > Output chain: propagate flush and last_buf flags to send_chain(). > > Signed-off-by: Piotr Sikora > > diff -r 716852cce913 -r 2a48b9b6e67d src/core/ngx_output_chain.c > --- a/src/core/ngx_output_chain.c > +++ b/src/core/ngx_output_chain.c > @@ -658,6 +658,7 @@ ngx_chain_writer(void *data, ngx_chain_t > ngx_chain_writer_ctx_t *ctx = data; > > off_t size; > + ngx_uint_t flush; > ngx_chain_t *cl, *ln, *chain; > ngx_connection_t *c; > > @@ -689,9 +690,10 @@ ngx_chain_writer(void *data, ngx_chain_t > > size += ngx_buf_size(in->buf); > > - ngx_log_debug2(NGX_LOG_DEBUG_CORE, c->log, 0, > - "chain writer buf fl:%d s:%uO", > - in->buf->flush, ngx_buf_size(in->buf)); > + ngx_log_debug3(NGX_LOG_DEBUG_CORE, c->log, 0, > + "chain writer buf fl:%d l:%d s:%uO", > + in->buf->flush, in->buf->last_buf, > + ngx_buf_size(in->buf)); > > cl = ngx_alloc_chain_link(ctx->pool); > if (cl == NULL) { > @@ -707,6 +709,8 @@ ngx_chain_writer(void *data, ngx_chain_t > ngx_log_debug1(NGX_LOG_DEBUG_CORE, c->log, 0, > "chain writer in: %p", ctx->out); > > + flush = 0; > + > for (cl = ctx->out; cl; cl = cl->next) { > > #if 1 > @@ -732,9 +736,13 @@ ngx_chain_writer(void *data, ngx_chain_t > #endif > > size += ngx_buf_size(cl->buf); > + > + if (cl->buf->flush || cl->buf->last_buf) { > + flush = 1; > + } > } > > - if (size == 0 && !c->buffered) { > + if (size == 0 && !flush && !c->buffered) { > return NGX_OK; > } This is not normally needed, especially in case of flush. If you think it is - please clarify how do you expect to use it. Note well that in HTTP/2-related code the special flag c->need_last_buf is used to indicate that a (fake) connection needs an information about last_buf, thus allowing HTTP/2 c->send_chain() wrapper to add its own framing. If the goal is the same, please consider using the same approach. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Thu Jun 8 16:32:08 2017 From: mdounin at mdounin.ru (Maxim Dounin) Date: Thu, 8 Jun 2017 19:32:08 +0300 Subject: [PATCH] Proxy: add "proxy_ssl_alpn" directive In-Reply-To: <7733d946e2651a2486a5.1496545442@piotrsikora.sfo.corp.google.com> References: <7733d946e2651a2486a5.1496545442@piotrsikora.sfo.corp.google.com> Message-ID: <20170608163207.GZ55433@mdounin.ru> Hello! On Sat, Jun 03, 2017 at 08:04:02PM -0700, Piotr Sikora via nginx-devel wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1489621682 25200 > # Wed Mar 15 16:48:02 2017 -0700 > # Node ID 7733d946e2651a2486a53d912703e2dfaea30421 > # Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49 > Proxy: add "proxy_ssl_alpn" directive. > > ALPN is used here only to indicate which version of the HTTP protocol > is going to be used and we doesn't verify that upstream agreed to it. > > Please note that upstream is allowed to reject SSL connection with a > fatal "no_application_protocol" alert if it doesn't support it. > > Signed-off-by: Piotr Sikora It doesn't look like this patch make sense by its own. If this patch is a part of a larger work, please consider submitting a patch series with the whole feature instead. Individual patches which doesn't make much sense by its own are hard to review, and are likely to be rejected. -- Maxim Dounin http://nginx.org/ From vbart at nginx.com Thu Jun 8 17:09:14 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 08 Jun 2017 20:09:14 +0300 Subject: [nginx] support http2 per server In-Reply-To: References: <2643497.seJtDEk1sC@vbart-workstation> Message-ID: <2417822.uuLYJAc3k0@vbart-workstation> On Friday 09 June 2017 00:08:06 ??? wrote: > " > > For "https" resources, connection reuse additionally depends on > having a certificate that is valid for the host in the URI. The > certificate presented by the server MUST satisfy any checks that the > client would perform when forming a new TLS connection for the host > in the URI. > > " > > > It seems the brower can prevent the unreasonable behavior. > > > In reallity, It still exist some clients that dosen't perfom well in http2. > > So it's kind of valuable to enable http2 by server. > > > It's not a good idea the put the patch in nginx, > > Can you help to check the patch whether contains serious problem? > > > Maybe it's helpful for other guys. > > > Thanks again. > [..] The most serious problem with the patch, that it gives an illusion that HTTP/2 can be enabled per virtual server basis, but in fact it doesn't prevent requests to any server on particular listen socket using already existing HTTP/2 connection. Also please note that with your patch clients are still able to negotiate HTTP/2 even if nginx doesn't announce it. I don't see any other serious problems. wbr, Valentin V. Bartenev From hongzhidao at gmail.com Thu Jun 8 17:17:14 2017 From: hongzhidao at gmail.com (=?UTF-8?B?5rSq5b+X6YGT?=) Date: Fri, 9 Jun 2017 01:17:14 +0800 Subject: [nginx] support http2 per server In-Reply-To: <2417822.uuLYJAc3k0@vbart-workstation> References: <2643497.seJtDEk1sC@vbart-workstation> <2417822.uuLYJAc3k0@vbart-workstation> Message-ID: Thanks. On Fri, Jun 9, 2017 at 1:09 AM, Valentin V. Bartenev wrote: > On Friday 09 June 2017 00:08:06 ??? wrote: > > " > > > > For "https" resources, connection reuse additionally depends on > > having a certificate that is valid for the host in the URI. The > > certificate presented by the server MUST satisfy any checks that the > > client would perform when forming a new TLS connection for the host > > in the URI. > > > > " > > > > > > It seems the brower can prevent the unreasonable behavior. > > > > > > In reallity, It still exist some clients that dosen't perfom well in > http2. > > > > So it's kind of valuable to enable http2 by server. > > > > > > It's not a good idea the put the patch in nginx, > > > > Can you help to check the patch whether contains serious problem? > > > > > > Maybe it's helpful for other guys. > > > > > > Thanks again. > > > [..] > > The most serious problem with the patch, that it gives an illusion > that HTTP/2 can be enabled per virtual server basis, but in fact it > doesn't prevent requests to any server on particular listen socket > using already existing HTTP/2 connection. > > Also please note that with your patch clients are still able to > negotiate HTTP/2 even if nginx doesn't announce it. > > I don't see any other serious problems. > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From Neil.Craig at bbc.co.uk Thu Jun 8 17:20:42 2017 From: Neil.Craig at bbc.co.uk (Neil Craig) Date: Thu, 8 Jun 2017 17:20:42 +0000 Subject: [nginx] support http2 per server In-Reply-To: References: <2643497.seJtDEk1sC@vbart-workstation> <2417822.uuLYJAc3k0@vbart-workstation>, Message-ID: <856E1199-1263-491E-9AF9-36FF241E95DB@bbc.co.uk> WRT the below, he H2 RFC includes a new status code to deal with thus, 421: https://tools.ietf.org/html/rfc7540#section-9.1.2 Client support is poor right no so it'd be good if sending 421 was optional perhaps. Cheers Sent from my iPhone On 8 Jun 2017, at 18:17, ??? > wrote: Thanks. On Fri, Jun 9, 2017 at 1:09 AM, Valentin V. Bartenev > wrote: On Friday 09 June 2017 00:08:06 ??? wrote: > " > > For "https" resources, connection reuse additionally depends on > having a certificate that is valid for the host in the URI. The > certificate presented by the server MUST satisfy any checks that the > client would perform when forming a new TLS connection for the host > in the URI. > > " > > > It seems the brower can prevent the unreasonable behavior. > > > In reallity, It still exist some clients that dosen't perfom well in http2. > > So it's kind of valuable to enable http2 by server. > > > It's not a good idea the put the patch in nginx, > > Can you help to check the patch whether contains serious problem? > > > Maybe it's helpful for other guys. > > > Thanks again. > [..] The most serious problem with the patch, that it gives an illusion that HTTP/2 can be enabled per virtual server basis, but in fact it doesn't prevent requests to any server on particular listen socket using already existing HTTP/2 connection. Also please note that with your patch clients are still able to negotiate HTTP/2 even if nginx doesn't announce it. I don't see any other serious problems. wbr, Valentin V. Bartenev _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Thu Jun 8 17:45:18 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 08 Jun 2017 20:45:18 +0300 Subject: [PATCH] HTTP/2: reject HTTP/2 requests without ":scheme" pseudo-header In-Reply-To: References: <6bb029b1df11662ba11e.1490517677@piotrsikora.sfo.corp.google.com> <17543215.oua5ZIKEOg@vbart-workstation> Message-ID: <2695745.s2C5zqsLaN@vbart-workstation> On Wednesday 31 May 2017 15:48:34 Piotr Sikora via nginx-devel wrote: > Hey Valentin, > > > As the 1.11 branch is going to be stable soon, it's a good idea to postpone > > any changes that explicitly affect interoperability (at least till 1.13). > > Any thoughts on this now that 1.12 branched? > [..] If there will be no other objections against the change, I'll commit this patch next week. wbr, Valentin V. Bartenev From vbart at nginx.com Thu Jun 8 18:31:19 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Thu, 08 Jun 2017 21:31:19 +0300 Subject: [PATCH] HTTP/2: add debug logging of control frames In-Reply-To: References: <06d6418afe6e73604aea.1491275620@piotrsikora.sfo.corp.google.com>

Message-ID: <6088549.Je3sRdAShv@vbart-workstation> On Tuesday 30 May 2017 14:21:05 Piotr Sikora via nginx-devel wrote: > Hey Valentin, > > > What do you suggest instead? All 3 params in the same line? > > > > http2 send SETTINGS frame MAX_CONCURRENT_STREAMS:%ui > > INITIAL_WINDOW_SIZE:%uz MAX_FRAME_SIZE:%ud > > > > What about receiving part, then? Do you want to put all 6 params in > > the same line? > > > > http2 recv SETTINGS frame HEADER_TABLE_SIZE:%ui (ignored) > > ENABLE_PUSH:%ui (ignored) MAX_CONCURRENT_STREAMS:%ui (ignored) > > INITIAL_WINDOW_SIZE:%ui MAX_FRAME_SIZE:%ui MAX_HEADER_LIST_SIZE:%ui > > (ignored) > > > > It makes this way less readable, IMHO. > > Ping. > Ok, I've already resigned myself to multiline output, but don't let it look like an another SETTINGS frame. IMHO, something like that will be good enough: http2 send SETTINGS frame http2 SETTINGS param MAX_CONCURRENT_STREAMS: 100 http2 SETTINGS param INITIAL_WINDOW_SIZE: 65536 http2 SETTINGS param MAX_FRAME_SIZE: 16777215 wbr, Valentin V. Bartenev From Nate.Karstens at garmin.com Fri Jun 9 03:40:15 2017 From: Nate.Karstens at garmin.com (Karstens, Nate) Date: Fri, 9 Jun 2017 03:40:15 +0000 Subject: PSK Support In-Reply-To: <20170607181327.GS55433@mdounin.ru> References: <145451D4E6785E4DA4DFA353A58CB7B2015E15B7E3@OLAWPA-EXMB04.ad.garmin.com> <20170605130916.GX55433@mdounin.ru> <145451D4E6785E4DA4DFA353A58CB7B2015E15C57F@OLAWPA-EXMB04.ad.garmin.com> <20170605183944.GB55433@mdounin.ru> <145451D4E6785E4DA4DFA353A58CB7B2015E15CE05@OLAWPA-EXMB04.ad.garmin.com> <20170607181327.GS55433@mdounin.ru> Message-ID: <145451D4E6785E4DA4DFA353A58CB7B2015E15DA0A@OLAWPA-EXMB04.ad.garmin.com> Maxim, OK, we can skip the patch for turning off the certificate warnings (and just use a dummy certificate) and just support a single PSK file. The {HEX} prefix seems OK. I think it would also be good to support an {ASC}. It is unlikely that anyone would have an ASCII-based PSK that starts with {HEX}, but using {ASC} would provide a way to make prevent that case. Also, instead of referring to text-based PSKs as ASCII, maybe they should be UTF8-encoded and referred to as {TXT}? Nate -----Original Message----- From: nginx-devel [mailto:nginx-devel-bounces at nginx.org] On Behalf Of Maxim Dounin Sent: Wednesday, June 07, 2017 1:13 PM To: nginx-devel at nginx.org Subject: Re: PSK Support Hello! On Wed, Jun 07, 2017 at 05:02:52AM +0000, Karstens, Nate wrote: > Maxim, > > The biggest downside that I can see to the dummy certificate approach > is documentation. Using a dummy certificate wasn't immediately obvious > to me, though perhaps my familiarity with OpenSSL's "nocert" option > may have affected that. Which do you think would be easier for the > user to find in the documentation: > 1) a description of the dummy certificate approach under the > "ssl_certificate" directive, 2) a separate directive ("ssl_nocert"), > or 3) an explicit option to the "ssl_certificate" directive (e.g., " > Syntax: ssl_certificate file | off;")? In most cases, normal users won't need PSK at all, or will use it combined with certificates anyway. Describing in the documentation that "if you need to use PSK only, you still have to configure a certificate" doesn't looks like a big problem to me. Note well that there is a side problem with "listen ... ssl" used in server block but no ssl_certificate configured for the server. As of now, it is not reported during configuration parsing and may result in non-obvious behaviour in some cases, see ticket #178 (https://trac.nginx.org/nginx/ticket/178). This is a separate problem though, and it can't be fixed with the changes suggested. On the other hand, properly fixing it will greatly improve user experience in many cases, including PSK. > I'm OK with changing it to read from a password file (formatted in a > manner similar to stunnel) that is searched as needed (an > "ssl_psk_file" directive). Would it be OK to support multiple files > and stipulate that files are searched in the order that they are > included in nginx.conf? I don't think that supporting multiple files is a good idea, a single one should be enough. Possible alternative names: - "ssl_psk_secrets", similar to the one used by stunnel; - "ssl_pre_shared_keys". Not sure if these are better though. > Can we support both ASCII and binary PSKs? RFC 4279 section 5.4 seems > to require both types, and I need binary keys for my application :). > Maybe a parameter to the "ssl_psk_file" > directive could indicate how the PSKs are stored in the file? We can consider providing an alternative form to allow arbitrary keys, e.g., by using hex-encoded keys. This can be done using some explicit prefix, something like this: identity:key identity:0x6b6579 identity:{HEX}6b6579 (The last variant is in line with "{scheme}data" syntax as used in auth_basic_user_file. Not sure if we need it here, just "0x" might be easier.) -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel ________________________________ CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you. From hongzhidao at gmail.com Fri Jun 9 05:40:23 2017 From: hongzhidao at gmail.com (=?UTF-8?B?5rSq5b+X6YGT?=) Date: Fri, 9 Jun 2017 13:40:23 +0800 Subject: [nginx] support http2 per server In-Reply-To: <2417822.uuLYJAc3k0@vbart-workstation> References: <2643497.seJtDEk1sC@vbart-workstation> <2417822.uuLYJAc3k0@vbart-workstation> Message-ID: Hi, Valentin. " Also please note that with your patch clients are still able to negotiate HTTP/2 even if nginx doesn't announce it. " Two points: 1. The patch forbids the clients explicitly not support HTTP/2 doing v2 ( ngx_http_v2_init). How to follow you mean of "with the patch, clients are still able to negotiate HTTP/2" 2. "even if nginx doesn't announce it" Is it related to nginx? On Fri, Jun 9, 2017 at 1:09 AM, Valentin V. Bartenev wrote: > On Friday 09 June 2017 00:08:06 ??? wrote: > > " > > > > For "https" resources, connection reuse additionally depends on > > having a certificate that is valid for the host in the URI. The > > certificate presented by the server MUST satisfy any checks that the > > client would perform when forming a new TLS connection for the host > > in the URI. > > > > " > > > > > > It seems the brower can prevent the unreasonable behavior. > > > > > > In reallity, It still exist some clients that dosen't perfom well in > http2. > > > > So it's kind of valuable to enable http2 by server. > > > > > > It's not a good idea the put the patch in nginx, > > > > Can you help to check the patch whether contains serious problem? > > > > > > Maybe it's helpful for other guys. > > > > > > Thanks again. > > > [..] > > The most serious problem with the patch, that it gives an illusion > that HTTP/2 can be enabled per virtual server basis, but in fact it > doesn't prevent requests to any server on particular listen socket > using already existing HTTP/2 connection. > > Also please note that with your patch clients are still able to > negotiate HTTP/2 even if nginx doesn't announce it. > > I don't see any other serious problems. > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From vbart at nginx.com Fri Jun 9 11:45:28 2017 From: vbart at nginx.com (Valentin V. Bartenev) Date: Fri, 09 Jun 2017 14:45:28 +0300 Subject: [nginx] support http2 per server In-Reply-To: References: <2417822.uuLYJAc3k0@vbart-workstation> Message-ID: <2058364.S2bnstnO8o@vbart-laptop> On Friday 09 June 2017 13:40:23 ??? wrote: > Hi, Valentin. > > " > Also please note that with your patch clients are still able to > negotiate HTTP/2 even if nginx doesn't announce it. > " > > Two points: > 1. The patch forbids the clients explicitly not support HTTP/2 doing v2 ( > ngx_http_v2_init). > How to follow you mean of "with the patch, clients are still able to > negotiate HTTP/2" > 2. "even if nginx doesn't announce it" > Is it related to nginx? > [..] Your patch prevents advertising the protocol using ALPN and NPN, but selecting protocol happens here (this part of code isn't touched): http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_request.c#l808 In case of NPN, client can select protocol even if it hasn't been advertised by the server. wbr, Valentin V. Bartenev From hongzhidao at gmail.com Fri Jun 9 12:26:03 2017 From: hongzhidao at gmail.com (=?UTF-8?B?5rSq5b+X6YGT?=) Date: Fri, 9 Jun 2017 20:26:03 +0800 Subject: [nginx] support http2 per server In-Reply-To: <2058364.S2bnstnO8o@vbart-laptop> References: <2417822.uuLYJAc3k0@vbart-workstation> <2058364.S2bnstnO8o@vbart-laptop> Message-ID: Get it, thanks. On Fri, Jun 9, 2017 at 7:45 PM, Valentin V. Bartenev wrote: > On Friday 09 June 2017 13:40:23 ??? wrote: > > Hi, Valentin. > > > > " > > Also please note that with your patch clients are still able to > > negotiate HTTP/2 even if nginx doesn't announce it. > > " > > > > Two points: > > 1. The patch forbids the clients explicitly not support HTTP/2 doing v2 ( > > ngx_http_v2_init). > > How to follow you mean of "with the patch, clients are still able to > > negotiate HTTP/2" > > 2. "even if nginx doesn't announce it" > > Is it related to nginx? > > > [..] > > Your patch prevents advertising the protocol using ALPN and NPN, but > selecting protocol happens here (this part of code isn't touched): > http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_request.c#l808 > > In case of NPN, client can select protocol even if it hasn't been > advertised by the server. > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > -------------- next part -------------- An HTML attachment was scrubbed... URL: From hongzhidao at gmail.com Fri Jun 9 12:56:38 2017 From: hongzhidao at gmail.com (=?UTF-8?B?5rSq5b+X6YGT?=) Date: Fri, 9 Jun 2017 20:56:38 +0800 Subject: [nginx] support http2 per server In-Reply-To: References: <2417822.uuLYJAc3k0@vbart-workstation> <2058364.S2bnstnO8o@vbart-laptop> Message-ID: Hi, Valentin. Please confirm again, thanks. diff -r 5e05118678af src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c Mon May 29 23:33:38 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.c Fri Jun 09 07:15:50 2017 -0400 @@ -234,6 +234,13 @@ offsetof(ngx_http_ssl_srv_conf_t, stapling_verify), NULL }, + { ngx_string("ssl_h2"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG, + ngx_http_ssl_enable, + NGX_HTTP_SRV_CONF_OFFSET, + offsetof(ngx_http_ssl_srv_conf_t, h2), + NULL }, + ngx_null_command }; @@ -343,16 +350,17 @@ unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) { - unsigned int srvlen; - unsigned char *srv; + unsigned int srvlen; + unsigned char *srv; #if (NGX_DEBUG) - unsigned int i; + unsigned int i; #endif #if (NGX_HTTP_V2) - ngx_http_connection_t *hc; + ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; #endif #if (NGX_HTTP_V2 || NGX_DEBUG) - ngx_connection_t *c; + ngx_connection_t *c; c = ngx_ssl_get_connection(ssl_conn); #endif @@ -367,8 +375,9 @@ #if (NGX_HTTP_V2) hc = c->data; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); - if (hc->addr_conf->http2) { + if (hc->addr_conf->http2 && sscf->h2) { srv = (unsigned char *) NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; srvlen = sizeof(NGX_HTTP_V2_ALPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; @@ -411,11 +420,13 @@ #if (NGX_HTTP_V2) { - ngx_http_connection_t *hc; + ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; hc = c->data; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); - if (hc->addr_conf->http2) { + if (hc->addr_conf->http2 && sscf->h2) { *out = (unsigned char *) NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE; *outlen = sizeof(NGX_HTTP_V2_NPN_ADVERTISE NGX_HTTP_NPN_ADVERTISE) - 1; @@ -555,6 +566,7 @@ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR; sscf->stapling = NGX_CONF_UNSET; sscf->stapling_verify = NGX_CONF_UNSET; + sscf->h2 = NGX_CONF_UNSET; return sscf; } @@ -620,6 +632,8 @@ ngx_conf_merge_str_value(conf->stapling_responder, prev->stapling_responder, ""); + ngx_conf_merge_value(conf->h2, prev->h2, 0); + conf->ssl.log = cf->log; if (conf->enable) { diff -r 5e05118678af src/http/modules/ngx_http_ssl_module.h --- a/src/http/modules/ngx_http_ssl_module.h Mon May 29 23:33:38 2017 +0300 +++ b/src/http/modules/ngx_http_ssl_module.h Fri Jun 09 07:15:50 2017 -0400 @@ -57,6 +57,8 @@ u_char *file; ngx_uint_t line; + + ngx_flag_t h2; } ngx_http_ssl_srv_conf_t; diff -r 5e05118678af src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c Mon May 29 23:33:38 2017 +0300 +++ b/src/http/ngx_http_request.c Fri Jun 09 07:15:50 2017 -0400 @@ -784,9 +784,10 @@ && (defined TLSEXT_TYPE_application_layer_protocol_negotiation \ || defined TLSEXT_TYPE_next_proto_neg)) { - unsigned int len; - const unsigned char *data; - ngx_http_connection_t *hc; + unsigned int len; + const unsigned char *data; + ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; hc = c->data; @@ -805,9 +806,14 @@ SSL_get0_next_proto_negotiated(c->ssl->connection, &data, &len); #endif - if (len == 2 && data[0] == 'h' && data[1] == '2') { - ngx_http_v2_init(c->read); - return; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); + + if (sscf->h2) { + + if (len == 2 && data[0] == 'h' && data[1] == '2') { + ngx_http_v2_init(c->read); + return; + } } } } -------------- next part -------------- An HTML attachment was scrubbed... URL: From xeioex at nginx.com Fri Jun 9 14:23:02 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Fri, 09 Jun 2017 14:23:02 +0000 Subject: [njs] Use njs_string_get() where appropriate. Message-ID: details: http://hg.nginx.org/njs/rev/065bf91227a1 branches: changeset: 358:065bf91227a1 user: Dmitry Volyntsev date: Fri Jun 09 17:22:27 2017 +0300 description: Use njs_string_get() where appropriate. diffstat: njs/njs_date.c | 8 ++++---- njs/njs_number.c | 6 +++--- njs/njs_object.c | 18 +++--------------- njs/njs_regexp.c | 14 ++++++++------ njs/njs_string.c | 44 ++++++++++++++++++++++---------------------- 5 files changed, 40 insertions(+), 50 deletions(-) diffs (288 lines): diff -r 692ad3557d58 -r 065bf91227a1 njs/njs_date.c --- a/njs/njs_date.c Thu Jun 08 14:18:37 2017 +0300 +++ b/njs/njs_date.c Fri Jun 09 17:22:27 2017 +0300 @@ -306,15 +306,15 @@ njs_date_string_parse(njs_value_t *date) { int ext, ms, ms_length, skipped; double time; + nxt_str_t string; struct tm tm; nxt_bool_t sign, week, utc; const u_char *p, *next, *end; - njs_string_prop_t string; - - (void) njs_string_prop(&string, date); + + njs_string_get(date, &string); p = string.start; - end = p + string.size; + end = p + string.length; if (nxt_slow_path(p >= end)) { return NAN; diff -r 692ad3557d58 -r 065bf91227a1 njs/njs_number.c --- a/njs/njs_number.c Thu Jun 08 14:18:37 2017 +0300 +++ b/njs/njs_number.c Fri Jun 09 17:22:27 2017 +0300 @@ -741,15 +741,15 @@ njs_number_parse_int(njs_vm_t *vm, njs_v u_char *p, *end; int64_t n; uint8_t radix; + nxt_str_t string; nxt_bool_t minus, test_prefix; - njs_string_prop_t string; num = NAN; if (nargs > 1) { - (void) njs_string_prop(&string, &args[1]); + njs_string_get(&args[1], &string); - end = string.start + string.size; + end = string.start + string.length; for (p = string.start; p < end; p++) { if (*p != ' ') { diff -r 692ad3557d58 -r 065bf91227a1 njs/njs_object.c --- a/njs/njs_object.c Thu Jun 08 14:18:37 2017 +0300 +++ b/njs/njs_object.c Fri Jun 09 17:22:27 2017 +0300 @@ -417,8 +417,6 @@ njs_object_define_property(njs_vm_t *vm, njs_index_t unused) { nxt_int_t ret; - nxt_str_t key; - njs_value_t *name; njs_object_t *object, *descriptor; njs_object_prop_t *prop, *pr; nxt_lvlhsh_query_t lhq, pq; @@ -429,26 +427,16 @@ njs_object_define_property(njs_vm_t *vm, } object = args[1].data.u.object; - name = &args[2]; descriptor = args[3].data.u.object; - if (name->short_string.size != NJS_STRING_LONG) { - key.start = name->short_string.start; - key.length = name->short_string.length; - - } else { - key.start = name->data.u.string->start; - key.length = name->data.string_size; - } - - lhq.key = key; - lhq.key_hash = nxt_djb_hash(key.start, key.length); + njs_string_get(&args[2], &lhq.key); + lhq.key_hash = nxt_djb_hash(lhq.key.start, lhq.key.length); lhq.proto = &njs_object_hash_proto; ret = nxt_lvlhsh_find(&object->hash, &lhq); if (ret != NXT_OK) { - prop = njs_object_prop_alloc(vm, name); + prop = njs_object_prop_alloc(vm, &args[2]); if (nxt_slow_path(prop == NULL)) { return NXT_ERROR; diff -r 692ad3557d58 -r 065bf91227a1 njs/njs_regexp.c --- a/njs/njs_regexp.c Thu Jun 08 14:18:37 2017 +0300 +++ b/njs/njs_regexp.c Fri Jun 09 17:22:27 2017 +0300 @@ -87,7 +87,7 @@ njs_ret_t njs_regexp_constructor(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, njs_index_t unused) { - njs_string_prop_t string; + nxt_str_t string; njs_regexp_flags_t flags; flags = 0; @@ -96,13 +96,14 @@ njs_regexp_constructor(njs_vm_t *vm, njs case 1: string.start = NULL; - string.size = 0; + string.length = 0; break; default: - (void) njs_string_prop(&string, &args[2]); + njs_string_get(&args[2], &string); - flags = njs_regexp_flags(&string.start, string.start + string.size, 1); + flags = njs_regexp_flags(&string.start, string.start + string.length, + 1); if (nxt_slow_path(flags < 0)) { return NXT_ERROR; } @@ -110,11 +111,12 @@ njs_regexp_constructor(njs_vm_t *vm, njs /* Fall through. */ case 2: - (void) njs_string_prop(&string, &args[1]); + njs_string_get(&args[1], &string); break; } - return njs_regexp_create(vm, &vm->retval, string.start, string.size, flags); + return njs_regexp_create(vm, &vm->retval, string.start, string.length, + flags); } diff -r 692ad3557d58 -r 065bf91227a1 njs/njs_string.c --- a/njs/njs_string.c Thu Jun 08 14:18:37 2017 +0300 +++ b/njs/njs_string.c Fri Jun 09 17:22:27 2017 +0300 @@ -1940,15 +1940,15 @@ static njs_ret_t njs_string_prototype_match(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, njs_index_t unused) { + nxt_str_t string; njs_ret_t ret; njs_value_t arguments[2]; - njs_string_prop_t string; njs_regexp_pattern_t *pattern; arguments[1] = args[0]; string.start = NULL; - string.size = 0; + string.length = 0; if (nargs > 1) { @@ -1970,13 +1970,13 @@ njs_string_prototype_match(njs_vm_t *vm, if (njs_is_string(&args[1])) { /* string1.match(string2) is the same as /string2/.exec(string1). */ - (void) njs_string_prop(&string, &args[1]); + njs_string_get(&args[1], &string); } /* A void value. */ } - ret = njs_regexp_create(vm, &arguments[0], string.start, string.size, 0); + ret = njs_regexp_create(vm, &arguments[0], string.start, string.length, 0); if (nxt_slow_path(ret != NXT_OK)) { return ret; } @@ -2559,19 +2559,19 @@ njs_string_replace_search(njs_vm_t *vm, u_char *p, *end; size_t size; njs_ret_t ret; - njs_string_prop_t search; - - (void) njs_string_prop(&search, &args[1]); + nxt_str_t search; + + njs_string_get(&args[1], &search); p = r->part[0].start; - end = (p + r->part[0].size) - (search.size - 1); + end = (p + r->part[0].size) - (search.length - 1); do { - if (memcmp(p, search.start, search.size) == 0) { + if (memcmp(p, search.start, search.length) == 0) { if (r->substitutions != NULL) { captures[0] = p - r->part[0].start; - captures[1] = captures[0] + search.size; + captures[1] = captures[0] + search.length; ret = njs_string_replace_substitute(vm, r, captures); if (nxt_slow_path(ret != NXT_OK)) { @@ -2579,9 +2579,9 @@ njs_string_replace_search(njs_vm_t *vm, } } else { - r->part[2].start = p + search.size; + r->part[2].start = p + search.length; size = p - r->part[0].start; - r->part[2].size = r->part[0].size - size - search.size; + r->part[2].size = r->part[0].size - size - search.length; r->part[0].size = size; njs_set_invalid(&r->part[2].value); @@ -3344,17 +3344,17 @@ njs_string_encode(njs_vm_t *vm, njs_valu { u_char byte, *src, *dst; size_t n, size; - njs_string_prop_t string; + nxt_str_t string; static const u_char hex[16] = "0123456789ABCDEF"; nxt_prefetch(escape); - (void) njs_string_prop(&string, value); + njs_string_get(value, &string); src = string.start; n = 0; - for (size = string.size; size != 0; size--) { + for (size = string.length; size != 0; size--) { byte = *src++; if ((escape[byte >> 5] & ((uint32_t) 1 << (byte & 0x1f))) != 0) { @@ -3368,14 +3368,14 @@ njs_string_encode(njs_vm_t *vm, njs_valu return NXT_OK; } - size = string.size + n; + size = string.length + n; dst = njs_string_alloc(vm, &vm->retval, size, size); if (nxt_slow_path(dst == NULL)) { return NXT_ERROR; } - size = string.size; + size = string.length; src = string.start; do { @@ -3477,8 +3477,8 @@ njs_string_decode(njs_vm_t *vm, njs_valu u_char byte, *start, *src, *dst; size_t n; ssize_t size, length; + nxt_str_t string; nxt_bool_t utf8; - njs_string_prop_t string; static const int8_t hex[256] nxt_aligned(32) = @@ -3504,12 +3504,12 @@ njs_string_decode(njs_vm_t *vm, njs_valu nxt_prefetch(&hex['0']); nxt_prefetch(reserve); - (void) njs_string_prop(&string, value); + njs_string_get(value, &string); src = string.start; n = 0; - for (size = string.size; size != 0; size--) { + for (size = string.length; size != 0; size--) { byte = *src++; if (byte == '%') { @@ -3543,7 +3543,7 @@ njs_string_decode(njs_vm_t *vm, njs_valu return NXT_OK; } - n = string.size - n; + n = string.length - n; start = njs_string_alloc(vm, &vm->retval, n, n); if (nxt_slow_path(start == NULL)) { @@ -3552,7 +3552,7 @@ njs_string_decode(njs_vm_t *vm, njs_valu utf8 = 0; dst = start; - size = string.size; + size = string.length; src = string.start; do { From xeioex at nginx.com Fri Jun 9 14:55:39 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Fri, 09 Jun 2017 14:55:39 +0000 Subject: [njs] Object.getPrototypeOf() method. Message-ID: details: http://hg.nginx.org/njs/rev/e49777448f84 branches: changeset: 359:e49777448f84 user: Dmitry Volyntsev date: Fri Jun 09 17:55:08 2017 +0300 description: Object.getPrototypeOf() method. diffstat: njs/njs_object.c | 22 ++++++++++++++++++++++ njs/test/njs_unit_test.c | 18 ++++++++++++++++++ 2 files changed, 40 insertions(+), 0 deletions(-) diffs (67 lines): diff -r 065bf91227a1 -r e49777448f84 njs/njs_object.c --- a/njs/njs_object.c Fri Jun 09 17:22:27 2017 +0300 +++ b/njs/njs_object.c Fri Jun 09 17:55:08 2017 +0300 @@ -503,6 +503,20 @@ njs_object_define_property(njs_vm_t *vm, } +static njs_ret_t +njs_object_get_prototype_of(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, + njs_index_t unused) +{ + if (nargs > 1 && njs_is_object(&args[1])) { + njs_object_prototype_get_proto(vm, &args[1]); + return NXT_OK; + } + + vm->exception = &njs_exception_type_error; + return NXT_ERROR; +} + + /* * The __proto__ property of booleans, numbers and strings primitives, * of objects created by Boolean(), Number(), and String() constructors, @@ -658,6 +672,14 @@ static const njs_object_prop_t njs_obje NJS_SKIP_ARG, NJS_OBJECT_ARG, NJS_STRING_ARG, NJS_OBJECT_ARG), }, + + /* Object.getPrototypeOf(). */ + { + .type = NJS_METHOD, + .name = njs_string("getPrototypeOf"), + .value = njs_native_function(njs_object_get_prototype_of, 0, + NJS_SKIP_ARG, NJS_OBJECT_ARG), + }, }; diff -r 065bf91227a1 -r e49777448f84 njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Fri Jun 09 17:22:27 2017 +0300 +++ b/njs/test/njs_unit_test.c Fri Jun 09 17:55:08 2017 +0300 @@ -5974,6 +5974,24 @@ static njs_unit_test_t njs_test[] = { nxt_string("'s'.hasOwnProperty('b')"), nxt_string("false") }, + { nxt_string("var p = { a:5 }; var o = Object.create(p);" + "Object.getPrototypeOf(o) === p"), + nxt_string("true") }, + + { nxt_string("var p = { a:5 }; var o = Object.create(p);" + "Object.getPrototypeOf(o) === o.__proto__"), + nxt_string("true") }, + + { nxt_string("var o = Object.create(Object.prototype);" + "Object.getPrototypeOf(o) === Object.prototype"), + nxt_string("true") }, + + { nxt_string("Object.getPrototypeOf(1)"), + nxt_string("TypeError") }, + + { nxt_string("Object.getPrototypeOf('a')"), + nxt_string("TypeError") }, + { nxt_string("var d = new Date(''); d +' '+ d.getTime()"), nxt_string("Invalid Date NaN") }, From xeioex at nginx.com Fri Jun 9 14:55:42 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Fri, 09 Jun 2017 14:55:42 +0000 Subject: [njs] Object.prototype.isPrototypeOf() method. Message-ID: details: http://hg.nginx.org/njs/rev/740823b9f444 branches: changeset: 360:740823b9f444 user: Dmitry Volyntsev date: Fri Jun 09 17:55:21 2017 +0300 description: Object.prototype.isPrototypeOf() method. diffstat: njs/njs_object.c | 37 +++++++++++++++++++++++++++++++++++++ njs/test/njs_unit_test.c | 25 +++++++++++++++++++++++++ 2 files changed, 62 insertions(+), 0 deletions(-) diffs (89 lines): diff -r e49777448f84 -r 740823b9f444 njs/njs_object.c --- a/njs/njs_object.c Fri Jun 09 17:55:08 2017 +0300 +++ b/njs/njs_object.c Fri Jun 09 17:55:21 2017 +0300 @@ -935,6 +935,36 @@ done: } +static njs_ret_t +njs_object_prototype_is_prototype_of(njs_vm_t *vm, njs_value_t *args, + nxt_uint_t nargs, njs_index_t unused) +{ + njs_object_t *object, *proto; + const njs_value_t *retval; + + retval = &njs_string_false; + + if (njs_is_object(&args[0]) && njs_is_object(&args[1])) { + proto = args[0].data.u.object; + object = args[1].data.u.object; + + do { + object = object->__proto__; + + if (object == proto) { + retval = &njs_string_true; + break; + } + + } while (object != NULL); + } + + vm->retval = *retval; + + return NXT_OK; +} + + static const njs_object_prop_t njs_object_prototype_properties[] = { { @@ -967,6 +997,13 @@ static const njs_object_prop_t njs_obje .value = njs_native_function(njs_object_prototype_has_own_property, 0, NJS_OBJECT_ARG, NJS_STRING_ARG), }, + + { + .type = NJS_METHOD, + .name = njs_string("isPrototypeOf"), + .value = njs_native_function(njs_object_prototype_is_prototype_of, 0, + NJS_OBJECT_ARG, NJS_OBJECT_ARG), + }, }; diff -r e49777448f84 -r 740823b9f444 njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Fri Jun 09 17:55:08 2017 +0300 +++ b/njs/test/njs_unit_test.c Fri Jun 09 17:55:21 2017 +0300 @@ -5992,6 +5992,31 @@ static njs_unit_test_t njs_test[] = { nxt_string("Object.getPrototypeOf('a')"), nxt_string("TypeError") }, + { nxt_string("var p = {}; var o = Object.create(p);" + "p.isPrototypeOf(o)"), + nxt_string("true") }, + + { nxt_string("var pp = {}; var p = Object.create(pp);" + "var o = Object.create(p);" + "pp.isPrototypeOf(o)"), + nxt_string("true") }, + + { nxt_string("var p = {}; var o = Object.create(p);" + "o.isPrototypeOf(p)"), + nxt_string("false") }, + + { nxt_string("var p = {}; var o = Object.create(p);" + "o.isPrototypeOf()"), + nxt_string("false") }, + + { nxt_string("var p = {}; var o = Object.create(p);" + "o.isPrototypeOf(1)"), + nxt_string("false") }, + + { nxt_string("var p = {}; var o = Object.create(p);" + "1..isPrototypeOf(p)"), + nxt_string("false") }, + { nxt_string("var d = new Date(''); d +' '+ d.getTime()"), nxt_string("Invalid Date NaN") }, From xeioex at nginx.com Fri Jun 9 17:28:44 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Fri, 09 Jun 2017 17:28:44 +0000 Subject: [njs] Object.defineProperties() method. Message-ID: details: http://hg.nginx.org/njs/rev/499ed5aa4f98 branches: changeset: 361:499ed5aa4f98 user: Dmitry Volyntsev date: Fri Jun 09 20:28:15 2017 +0300 description: Object.defineProperties() method. diffstat: njs/njs_object.c | 85 ++++++++++++++++++++++++++++++++++++++++++----- njs/test/njs_unit_test.c | 21 +++++++++++ nxt/nxt_lvlhsh.h | 6 +++ 3 files changed, 103 insertions(+), 9 deletions(-) diffs (177 lines): diff -r 740823b9f444 -r 499ed5aa4f98 njs/njs_object.c --- a/njs/njs_object.c Fri Jun 09 17:55:21 2017 +0300 +++ b/njs/njs_object.c Fri Jun 09 20:28:15 2017 +0300 @@ -26,6 +26,8 @@ static nxt_int_t njs_object_hash_test(nxt_lvlhsh_query_t *lhq, void *data); +static njs_ret_t njs_define_property(njs_vm_t *vm, njs_object_t *object, + njs_value_t *name, njs_object_t *descriptor); nxt_noinline njs_object_t * @@ -416,27 +418,85 @@ static njs_ret_t njs_object_define_property(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, njs_index_t unused) { - nxt_int_t ret; - njs_object_t *object, *descriptor; - njs_object_prop_t *prop, *pr; - nxt_lvlhsh_query_t lhq, pq; + nxt_int_t ret; if (nargs < 4 || !njs_is_object(&args[1]) || !njs_is_object(&args[3])) { vm->exception = &njs_exception_type_error; return NXT_ERROR; } + ret = njs_define_property(vm, args[1].data.u.object, &args[2], + args[3].data.u.object); + + if (nxt_slow_path(ret != NXT_OK)) { + return NXT_ERROR; + } + + vm->retval = args[1]; + + return NXT_OK; +} + + +static njs_ret_t +njs_object_define_properties(njs_vm_t *vm, njs_value_t *args, nxt_uint_t nargs, + njs_index_t unused) +{ + nxt_int_t ret; + nxt_lvlhsh_t *hash; + njs_object_t *object; + nxt_lvlhsh_each_t lhe; + njs_object_prop_t *prop; + + if (nargs < 3 || !njs_is_object(&args[1]) || !njs_is_object(&args[2])) { + vm->exception = &njs_exception_type_error; + return NXT_ERROR; + } + + nxt_lvlhsh_each_init(&lhe, &njs_object_hash_proto); + object = args[1].data.u.object; - descriptor = args[3].data.u.object; + hash = &args[2].data.u.object->hash; - njs_string_get(&args[2], &lhq.key); + for ( ;; ) { + prop = nxt_lvlhsh_each(hash, &lhe); + + if (prop == NULL) { + break; + } + + if (prop->enumerable && njs_is_object(&prop->value)) { + ret = njs_define_property(vm, object, &prop->name, + prop->value.data.u.object); + + if (nxt_slow_path(ret != NXT_OK)) { + return NXT_ERROR; + } + } + } + + vm->retval = args[1]; + + return NXT_OK; +} + + +static njs_ret_t +njs_define_property(njs_vm_t *vm, njs_object_t *object, njs_value_t *name, + njs_object_t *descriptor) +{ + nxt_int_t ret; + njs_object_prop_t *prop, *pr; + nxt_lvlhsh_query_t lhq, pq; + + njs_string_get(name, &lhq.key); lhq.key_hash = nxt_djb_hash(lhq.key.start, lhq.key.length); lhq.proto = &njs_object_hash_proto; ret = nxt_lvlhsh_find(&object->hash, &lhq); if (ret != NXT_OK) { - prop = njs_object_prop_alloc(vm, &args[2]); + prop = njs_object_prop_alloc(vm, name); if (nxt_slow_path(prop == NULL)) { return NXT_ERROR; @@ -497,8 +557,6 @@ njs_object_define_property(njs_vm_t *vm, return NXT_ERROR; } - vm->retval = args[1]; - return NXT_OK; } @@ -673,6 +731,15 @@ static const njs_object_prop_t njs_obje NJS_STRING_ARG, NJS_OBJECT_ARG), }, + /* Object.defineProperties(). */ + { + .type = NJS_METHOD, + .name = njs_long_string("defineProperties"), + .value = njs_native_function(njs_object_define_properties, 0, + NJS_SKIP_ARG, NJS_OBJECT_ARG, + NJS_OBJECT_ARG), + }, + /* Object.getPrototypeOf(). */ { .type = NJS_METHOD, diff -r 740823b9f444 -r 499ed5aa4f98 njs/test/njs_unit_test.c --- a/njs/test/njs_unit_test.c Fri Jun 09 17:55:21 2017 +0300 +++ b/njs/test/njs_unit_test.c Fri Jun 09 20:28:15 2017 +0300 @@ -5932,6 +5932,27 @@ static njs_unit_test_t njs_test[] = { nxt_string("var o = {}; Object.defineProperty(o)"), nxt_string("TypeError") }, + { nxt_string("var o = Object.defineProperties({}, {a:{value:1}}); o.a"), + nxt_string("1") }, + + { nxt_string("var o = Object.defineProperties({}, {a:{enumerable:true}, b:{enumerable:true}});" + "Object.keys(o)"), + nxt_string("a,b") }, + + { nxt_string("var desc = Object.defineProperty({b:{value:1, enumerable:true}}, 'a', {});" + "var o = Object.defineProperties({}, desc);" + "Object.keys(o)"), + nxt_string("b") }, + + { nxt_string("var o = Object.defineProperties({a:1}, {}); o.a"), + nxt_string("1") }, + + { nxt_string("Object.defineProperties(1, {})"), + nxt_string("TypeError") }, + + { nxt_string("Object.defineProperties({}, 1)"), + nxt_string("TypeError") }, + { nxt_string("var o = {a:1}; o.hasOwnProperty('a')"), nxt_string("true") }, diff -r 740823b9f444 -r 499ed5aa4f98 nxt/nxt_lvlhsh.h --- a/nxt/nxt_lvlhsh.h Fri Jun 09 17:55:21 2017 +0300 +++ b/nxt/nxt_lvlhsh.h Fri Jun 09 20:28:15 2017 +0300 @@ -173,6 +173,12 @@ typedef struct { } nxt_lvlhsh_each_t; +#define nxt_lvlhsh_each_init(lhe, _proto) \ + do { \ + memset(lhe, 0, sizeof(nxt_lvlhsh_each_t)); \ + (lhe)->proto = _proto; \ + } while (0) + NXT_EXPORT void *nxt_lvlhsh_each(nxt_lvlhsh_t *lh, nxt_lvlhsh_each_t *le); From paulyang.inf at gmail.com Fri Jun 9 18:05:39 2017 From: paulyang.inf at gmail.com (Paul Yang) Date: Sat, 10 Jun 2017 02:05:39 +0800 Subject: [nginx] support http2 per server In-Reply-To: References: <2417822.uuLYJAc3k0@vbart-workstation> <2058364.S2bnstnO8o@vbart-laptop> Message-ID: > On 9 Jun 2017, at 20:26, ??? wrote: > > Get it, thanks. > > On Fri, Jun 9, 2017 at 7:45 PM, Valentin V. Bartenev wrote: > On Friday 09 June 2017 13:40:23 ??? wrote: > > Hi, Valentin. > > > > " > > Also please note that with your patch clients are still able to > > negotiate HTTP/2 even if nginx doesn't announce it. > > " > > > > Two points: > > 1. The patch forbids the clients explicitly not support HTTP/2 doing v2 ( > > ngx_http_v2_init). > > How to follow you mean of "with the patch, clients are still able to > > negotiate HTTP/2" > > 2. "even if nginx doesn't announce it" > > Is it related to nginx? > > > [..] > > Your patch prevents advertising the protocol using ALPN and NPN, but > selecting protocol happens here (this part of code isn't touched): > http://hg.nginx.org/nginx/file/tip/src/http/ngx_http_request.c#l808 > > In case of NPN, client can select protocol even if it hasn't been > advertised by the server. Hmmm, interesting feature of NPN. > > wbr, Valentin V. Bartenev > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel > > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel From george at ucdn.com Mon Jun 12 07:02:16 2017 From: george at ucdn.com (George .) Date: Mon, 12 Jun 2017 10:02:16 +0300 Subject: slice module issue if redirected origin and have have fist slice Message-ID: ??Hi, I've discovered following strange issue with http_slice_module If I have a named location for internal 302 redirect and caching one slice makes further request for whole object to brake upstream redirected request (missing Rage header, see frame 254 in the attached capture ? slice_redirect_problem.pcapng ? ). If there is no cached slice everything is okey (2nd capture? slice_redirect_no_problem.pcapng ?) Problem appears in main branch and also nginx/1.12 ... and may be in all versions nginx version: nginx/1.13.2 built by gcc 4.9.2 (Debian 4.9.2-10) configure arguments: --prefix=/home/george/run/nginx_hg --with-http_slice_module nginx.conf user cdnuser cdnuser; worker_processes 1; error_log logs/error.log debug; events { worker_connections 1024; } http { include mime.types; default_type application/octet-stream; sendfile on; tcp_nopush on; proxy_cache_path /home/george/run/nginx_hg/cache/ keys_zone=zone_uid_default:4m levels=2:1 inactive=360d max_size=18329m; # our redirecting origin server { listen 8081; return 302 $scheme://127.0.0.1:8082$request_uri; } # our final origin server { listen 8082; add_header Cache-Control "max-age=3600"; root /home/george/run/nginx_hg/root; } server { listen 8080; server_name localhost; recursive_error_pages on; proxy_intercept_errors on; location / { slice 4m; proxy_cache zone_uid_default; proxy_cache_key $uri$is_args$args$slice_range; proxy_set_header Range $slice_range; proxy_pass http://localhost:8081; error_page 301 302 307 = @fetch_from_redirected_origin; } location @fetch_from_redirected_origin { slice 4m; internal; set $my_upstream_http_location $upstream_http_location; proxy_cache zone_uid_default; proxy_cache_key $uri$is_args$args$slice_range; proxy_set_header Range $slice_range; proxy_pass $my_upstream_http_location; } } } How to reproduce: 1. Create some empty object in our emulated origin mkdir /home/george/run/nginx_hg/root dd if=/dev/zero of=/home/george/run/nginx_hg/root/some_object bs=64M count=1 2. Ask our caching proxy for one 4m slice, so it will be cached curl -v -r 0-4194303 "http://127.0.0.1:8080/some_object" --header "Host: localhost" -o /dev/null 3. See it really there george at george ~/run/nginx_hg $ head /home/george/run/nginx_hg/cache/81/c/00214df7041ea53dd335ed5b055bfc81 ?:Y?:Y??:YV??r ? "593aa9cb-4000000" KEY: /some_objectbytes=0-4194303 HTTP/1.1 206 Partial Content Server: nginx/1.13.2 Date: Fri, 09 Jun 2017 14:16:20 GMT Content-Type: application/octet-stream Content-Length: 4194304 Last-Modified: Fri, 09 Jun 2017 13:59:39 GMT Connection: close ETag: "593aa9cb-4000000" 4. This time request the whole object curl -v "http://127.0.0.1:8080/some_object" --header "Host: localhost" -o /dev/null ?? -------------- next part -------------- An HTML attachment was scrubbed... URL: From xeioex at nginx.com Tue Jun 13 11:34:55 2017 From: xeioex at nginx.com (Dmitry Volyntsev) Date: Tue, 13 Jun 2017 11:34:55 +0000 Subject: [njs] Using nxt_lvlhsh_each_init() where appropriate. Message-ID: details: http://hg.nginx.org/njs/rev/096d526744d5 branches: changeset: 362:096d526744d5 user: Dmitry Volyntsev date: Tue Jun 13 14:33:51 2017 +0300 description: Using nxt_lvlhsh_each_init() where appropriate. diffstat: njs/njs_generator.c | 3 +-- njs/njs_object.c | 6 ++---- njs/njs_variable.c | 9 +++------ njs/njs_vm.c | 3 +-- nxt/test/lvlhsh_unit_test.c | 3 +-- 5 files changed, 8 insertions(+), 16 deletions(-) diffs (95 lines): diff -r 499ed5aa4f98 -r 096d526744d5 njs/njs_generator.c --- a/njs/njs_generator.c Fri Jun 09 20:28:15 2017 +0300 +++ b/njs/njs_generator.c Tue Jun 13 14:33:51 2017 +0300 @@ -2112,8 +2112,7 @@ njs_generate_argument_closures(njs_parse return; } - memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); - lhe.proto = &njs_variables_hash_proto; + nxt_lvlhsh_each_init(&lhe, &njs_variables_hash_proto); do { var = nxt_lvlhsh_each(&node->scope->variables, &lhe); diff -r 499ed5aa4f98 -r 096d526744d5 njs/njs_object.c --- a/njs/njs_object.c Fri Jun 09 20:28:15 2017 +0300 +++ b/njs/njs_object.c Tue Jun 13 14:33:51 2017 +0300 @@ -354,8 +354,7 @@ njs_object_keys(njs_vm_t *vm, njs_value_ } } - memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); - lhe.proto = &njs_object_hash_proto; + nxt_lvlhsh_each_init(&lhe, &njs_object_hash_proto); hash = &args[1].data.u.object->hash; @@ -391,8 +390,7 @@ njs_object_keys(njs_vm_t *vm, njs_value_ } } - memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); - lhe.proto = &njs_object_hash_proto; + nxt_lvlhsh_each_init(&lhe, &njs_object_hash_proto); for ( ;; ) { prop = nxt_lvlhsh_each(hash, &lhe); diff -r 499ed5aa4f98 -r 096d526744d5 njs/njs_variable.c --- a/njs/njs_variable.c Fri Jun 09 20:28:15 2017 +0300 +++ b/njs/njs_variable.c Tue Jun 13 14:33:51 2017 +0300 @@ -245,8 +245,7 @@ njs_variables_scope_reference(njs_vm_t * return NXT_ERROR; } - memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); - lhe.proto = &njs_variables_hash_proto; + nxt_lvlhsh_each_init(&lhe, &njs_variables_hash_proto); for ( ;; ) { node = nxt_lvlhsh_each(&scope->references, &lhe); @@ -501,8 +500,7 @@ njs_vm_export_functions(njs_vm_t *vm) n = 1; - memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); - lhe.proto = &njs_variables_hash_proto; + nxt_lvlhsh_each_init(&lhe, &njs_variables_hash_proto); for ( ;; ) { var = nxt_lvlhsh_each(&vm->variables_hash, &lhe); @@ -522,8 +520,7 @@ njs_vm_export_functions(njs_vm_t *vm) return NULL; } - memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); - lhe.proto = &njs_variables_hash_proto; + nxt_lvlhsh_each_init(&lhe, &njs_variables_hash_proto); ex = export; diff -r 499ed5aa4f98 -r 096d526744d5 njs/njs_vm.c --- a/njs/njs_vm.c Fri Jun 09 20:28:15 2017 +0300 +++ b/njs/njs_vm.c Tue Jun 13 14:33:51 2017 +0300 @@ -1207,8 +1207,7 @@ njs_vmcode_property_foreach(njs_vm_t *vm vm->retval.data.u.next = next; - memset(&next->lhe, 0, sizeof(nxt_lvlhsh_each_t)); - next->lhe.proto = &njs_object_hash_proto; + nxt_lvlhsh_each_init(&next->lhe, &njs_object_hash_proto); next->index = -1; if (njs_is_array(object) && object->data.u.array->length != 0) { diff -r 499ed5aa4f98 -r 096d526744d5 nxt/test/lvlhsh_unit_test.c --- a/nxt/test/lvlhsh_unit_test.c Fri Jun 09 20:28:15 2017 +0300 +++ b/nxt/test/lvlhsh_unit_test.c Tue Jun 13 14:33:51 2017 +0300 @@ -236,8 +236,7 @@ lvlhsh_unit_test(nxt_uint_t n) } } - memset(&lhe, 0, sizeof(nxt_lvlhsh_each_t)); - lhe.proto = &lvlhsh_proto; + nxt_lvlhsh_each_init(&lhe, &lvlhsh_proto); for (i = 0; i < n + 1; i++) { if (nxt_lvlhsh_each(&lh, &lhe) == NULL) { From arut at nginx.com Tue Jun 13 11:44:48 2017 From: arut at nginx.com (Roman Arutyunyan) Date: Tue, 13 Jun 2017 14:44:48 +0300 Subject: slice module issue if redirected origin and have have fist slice In-Reply-To: References: Message-ID: <20170613114448.GQ77454@Romans-MacBook-Air.local> Hi George, On Mon, Jun 12, 2017 at 10:02:16AM +0300, George . wrote: > ??Hi, > I've discovered following strange issue with http_slice_module > If I have a named location for internal 302 redirect and caching one slice > makes further request for whole object to brake upstream redirected request > (missing Rage header, see frame 254 in the attached capture ? > slice_redirect_problem.pcapng > > ? ). What happens is: - client requests 0-4m - nginx creates the request for the 1st slice and proxies it to 8081 - after receiving 302, the request is redirected to @fetch_from_redirected_origin and the first slice is saved in the cache Note that in @fetch_from_redirected_origin there's a completely separate slice context. By this time nginx only knows what client sent. Previous slice context is completely lost as well as all other modules' contexts. Coincidentally, it does what you expect because only the first slice was requested. Then you request the entire file: - client request the entire file - first slice is sent from the cache - nginx creates a subrequest for the 2nd slice: 4m-8m and proxies it to 8081 - after receiving 302, the subrequest is redirected to @fetch_from_redirected_origin After the redirect nginx does not have any idea that it should fetch the second slice. Moreover, the $slice_range variable is not filled with actual range when first accessed in a subrequest (after error_page redirect it looks like the first access), so it remains empty. That's why the entire file is requested. But even if the variable was valid, that would still be bad since the slice context is lost after error_page redirect. You would get the whole file here instead of 4m-8m range. The takeaway is you should avoid using the slice module with redirects (error_page, X-Accel-Redirect) for fetching slices. Instead you should proxy directly to the origin server. > If there is no cached slice everything is okey (2nd capture? > slice_redirect_no_problem.pcapng > > ?) No, it's not ok. The first redirect to @fetch_from_redirected_origin leads to caching all file slices instead of the first one. > Problem appears in main branch and also nginx/1.12 ... and may be in all > versions > > nginx version: nginx/1.13.2 > built by gcc 4.9.2 (Debian 4.9.2-10) > configure arguments: --prefix=/home/george/run/nginx_hg > --with-http_slice_module > > > > > nginx.conf > user cdnuser cdnuser; > worker_processes 1; > > error_log logs/error.log debug; > > events { > worker_connections 1024; > } > > > http { > include mime.types; > default_type application/octet-stream; > > > sendfile on; > tcp_nopush on; > > proxy_cache_path /home/george/run/nginx_hg/cache/ > keys_zone=zone_uid_default:4m levels=2:1 inactive=360d max_size=18329m; > > # our redirecting origin > server { > listen 8081; > > return 302 $scheme://127.0.0.1:8082$request_uri; > } > > # our final origin > server { > listen 8082; > add_header Cache-Control "max-age=3600"; > root /home/george/run/nginx_hg/root; > } > > server { > listen 8080; > server_name localhost; > > recursive_error_pages on; > proxy_intercept_errors on; > > > location / { > slice 4m; > proxy_cache zone_uid_default; > proxy_cache_key $uri$is_args$args$slice_range; > proxy_set_header Range $slice_range; > > proxy_pass http://localhost:8081; > > error_page 301 302 307 = @fetch_from_redirected_origin; > } > > location @fetch_from_redirected_origin { > slice 4m; > > internal; > > set $my_upstream_http_location $upstream_http_location; > > proxy_cache zone_uid_default; > proxy_cache_key $uri$is_args$args$slice_range; > proxy_set_header Range $slice_range; > > proxy_pass $my_upstream_http_location; > } > } > } > > > How to reproduce: > > 1. Create some empty object in our emulated origin > mkdir /home/george/run/nginx_hg/root > dd if=/dev/zero of=/home/george/run/nginx_hg/root/some_object bs=64M > count=1 > > 2. Ask our caching proxy for one 4m slice, so it will be cached > curl -v -r 0-4194303 "http://127.0.0.1:8080/some_object" --header "Host: > localhost" -o /dev/null > > 3. See it really there > george at george ~/run/nginx_hg $ head > /home/george/run/nginx_hg/cache/81/c/00214df7041ea53dd335ed5b055bfc81 > ?:Y?:Y??:YV??r ? "593aa9cb-4000000" > KEY: /some_objectbytes=0-4194303 > HTTP/1.1 206 Partial Content > Server: nginx/1.13.2 > Date: Fri, 09 Jun 2017 14:16:20 GMT > Content-Type: application/octet-stream > Content-Length: 4194304 > Last-Modified: Fri, 09 Jun 2017 13:59:39 GMT > Connection: close > ETag: "593aa9cb-4000000" > > 4. This time request the whole object > curl -v "http://127.0.0.1:8080/some_object" --header "Host: localhost" -o > /dev/null > > > ?? > _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel -- Roman Arutyunyan From piotrsikora at google.com Tue Jun 13 12:19:54 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:19:54 -0700 Subject: [PATCH 2 of 3] HTTP/2: added support for trailers in HTTP responses In-Reply-To: <07a5d26b49f04425ff54.1497356393@piotrsikora.sfo.corp.google.com> References: <07a5d26b49f04425ff54.1497356393@piotrsikora.sfo.corp.google.com> Message-ID: <73f67e06ab103e0368d1.1497356394@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1490351854 25200 # Fri Mar 24 03:37:34 2017 -0700 # Node ID 73f67e06ab103e0368d1810c6f8cac5c70c4e246 # Parent 07a5d26b49f04425ff54cc998f885aa987b7823f HTTP/2: added support for trailers in HTTP responses. Signed-off-by: Piotr Sikora diff -r 07a5d26b49f0 -r 73f67e06ab10 src/http/v2/ngx_http_v2_filter_module.c --- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c @@ -50,13 +50,17 @@ #define NGX_HTTP_V2_SERVER_INDEX 54 #define NGX_HTTP_V2_VARY_INDEX 59 +#define NGX_HTTP_V2_NO_TRAILERS (ngx_http_v2_out_frame_t *) -1 + static u_char *ngx_http_v2_string_encode(u_char *dst, u_char *src, size_t len, u_char *tmp, ngx_uint_t lower); static u_char *ngx_http_v2_write_int(u_char *pos, ngx_uint_t prefix, ngx_uint_t value); static ngx_http_v2_out_frame_t *ngx_http_v2_create_headers_frame( - ngx_http_request_t *r, u_char *pos, u_char *end); + ngx_http_request_t *r, u_char *pos, u_char *end, ngx_uint_t fin); +static ngx_http_v2_out_frame_t *ngx_http_v2_create_trailers_frame( + ngx_http_request_t *r); static ngx_chain_t *ngx_http_v2_send_chain(ngx_connection_t *fc, ngx_chain_t *in, off_t limit); @@ -612,7 +616,7 @@ ngx_http_v2_header_filter(ngx_http_reque header[i].value.len, tmp); } - frame = ngx_http_v2_create_headers_frame(r, start, pos); + frame = ngx_http_v2_create_headers_frame(r, start, pos, r->header_only); if (frame == NULL) { return NGX_ERROR; } @@ -636,6 +640,118 @@ ngx_http_v2_header_filter(ngx_http_reque } +static ngx_http_v2_out_frame_t * +ngx_http_v2_create_trailers_frame(ngx_http_request_t *r) +{ + u_char *pos, *start, *tmp; + size_t len, tmp_len; + ngx_uint_t i; + ngx_list_part_t *part; + ngx_table_elt_t *header; + + len = 0; + tmp_len = 0; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + if (header[i].key.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, + "too long response trailer name: \"%V\"", + &header[i].key); + return NULL; + } + + if (header[i].value.len > NGX_HTTP_V2_MAX_FIELD) { + ngx_log_error(NGX_LOG_WARN, r->connection->log, 0, + "too long response trailer value: \"%V: %V\"", + &header[i].key, &header[i].value); + return NULL; + } + + len += 1 + NGX_HTTP_V2_INT_OCTETS + header[i].key.len + + NGX_HTTP_V2_INT_OCTETS + header[i].value.len; + + if (header[i].key.len > tmp_len) { + tmp_len = header[i].key.len; + } + + if (header[i].value.len > tmp_len) { + tmp_len = header[i].value.len; + } + } + + if (len == 0) { + return NGX_HTTP_V2_NO_TRAILERS; + } + + tmp = ngx_palloc(r->pool, tmp_len); + pos = ngx_pnalloc(r->pool, len); + + if (pos == NULL || tmp == NULL) { + return NULL; + } + + start = pos; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + +#if (NGX_DEBUG) + if (r->connection->log->log_level & NGX_LOG_DEBUG_HTTP) { + ngx_strlow(tmp, header[i].key.data, header[i].key.len); + + ngx_log_debug3(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http2 output trailer: \"%*s: %V\"", + header[i].key.len, tmp, &header[i].value); + } +#endif + + *pos++ = 0; + + pos = ngx_http_v2_write_name(pos, header[i].key.data, + header[i].key.len, tmp); + + pos = ngx_http_v2_write_value(pos, header[i].value.data, + header[i].value.len, tmp); + } + + return ngx_http_v2_create_headers_frame(r, start, pos, 1); +} + + static u_char * ngx_http_v2_string_encode(u_char *dst, u_char *src, size_t len, u_char *tmp, ngx_uint_t lower) @@ -686,7 +802,7 @@ ngx_http_v2_write_int(u_char *pos, ngx_u static ngx_http_v2_out_frame_t * ngx_http_v2_create_headers_frame(ngx_http_request_t *r, u_char *pos, - u_char *end) + u_char *end, ngx_uint_t fin) { u_char type, flags; size_t rest, frame_size; @@ -707,12 +823,12 @@ ngx_http_v2_create_headers_frame(ngx_htt frame->stream = stream; frame->length = rest; frame->blocked = 1; - frame->fin = r->header_only; + frame->fin = fin; ll = &frame->first; type = NGX_HTTP_V2_HEADERS_FRAME; - flags = r->header_only ? NGX_HTTP_V2_END_STREAM_FLAG : NGX_HTTP_V2_NO_FLAG; + flags = fin ? NGX_HTTP_V2_END_STREAM_FLAG : NGX_HTTP_V2_NO_FLAG; frame_size = stream->connection->frame_size; for ( ;; ) { @@ -776,7 +892,7 @@ ngx_http_v2_create_headers_frame(ngx_htt continue; } - b->last_buf = r->header_only; + b->last_buf = fin; cl->next = NULL; frame->last = cl; @@ -798,7 +914,7 @@ ngx_http_v2_send_chain(ngx_connection_t ngx_http_request_t *r; ngx_http_v2_stream_t *stream; ngx_http_v2_loc_conf_t *h2lcf; - ngx_http_v2_out_frame_t *frame; + ngx_http_v2_out_frame_t *frame, *trailers; ngx_http_v2_connection_t *h2c; r = fc->data; @@ -872,6 +988,8 @@ ngx_http_v2_send_chain(ngx_connection_t frame_size = (h2lcf->chunk_size < h2c->frame_size) ? h2lcf->chunk_size : h2c->frame_size; + trailers = NGX_HTTP_V2_NO_TRAILERS; + #if (NGX_SUPPRESS_WARN) cl = NULL; #endif @@ -934,19 +1052,39 @@ ngx_http_v2_send_chain(ngx_connection_t size -= rest; } - frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, out, cl); - if (frame == NULL) { - return NGX_CHAIN_ERROR; + if (cl->buf->last_buf) { + trailers = ngx_http_v2_create_trailers_frame(r); + if (trailers == NULL) { + return NGX_CHAIN_ERROR; + } + + if (trailers != NGX_HTTP_V2_NO_TRAILERS) { + cl->buf->last_buf = 0; + } } - ngx_http_v2_queue_frame(h2c, frame); + if (frame_size || cl->buf->last_buf) { + frame = ngx_http_v2_filter_get_data_frame(stream, frame_size, + out, cl); + if (frame == NULL) { + return NGX_CHAIN_ERROR; + } - h2c->send_window -= frame_size; + ngx_http_v2_queue_frame(h2c, frame); - stream->send_window -= frame_size; - stream->queued++; + h2c->send_window -= frame_size; + + stream->send_window -= frame_size; + stream->queued++; + } if (in == NULL) { + + if (trailers != NGX_HTTP_V2_NO_TRAILERS) { + ngx_http_v2_queue_frame(h2c, trailers); + stream->queued++; + } + break; } From piotrsikora at google.com Tue Jun 13 12:19:53 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:19:53 -0700 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses Message-ID: <07a5d26b49f04425ff54.1497356393@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1490351854 25200 # Fri Mar 24 03:37:34 2017 -0700 # Node ID 07a5d26b49f04425ff54cc998f885aa987b7823f # Parent e6f399a176e7cae0fa08f1183d31315bce3b9ecb Added support for trailers in HTTP responses. Example: ngx_table_elt_t *h; h = ngx_list_push(&r->headers_out.trailers); if (h == NULL) { return NGX_ERROR; } ngx_str_set(&h->key, "Fun"); ngx_str_set(&h->value, "with trailers"); h->hash = ngx_hash_key_lc(h->key.data, h->key.len); The code above adds "Fun: with trailers" trailer to the response. Modules that want to emit trailers must set r->expect_trailers = 1 in header filter, otherwise they might not be emitted for HTTP/1.1 responses that aren't already chunked. This change also adds $sent_trailer_* variables. Signed-off-by: Piotr Sikora diff -r e6f399a176e7 -r 07a5d26b49f0 src/http/modules/ngx_http_chunked_filter_module.c --- a/src/http/modules/ngx_http_chunked_filter_module.c +++ b/src/http/modules/ngx_http_chunked_filter_module.c @@ -17,6 +17,8 @@ typedef struct { static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf); +static ngx_chain_t *ngx_http_chunked_create_trailers(ngx_http_request_t *r, + ngx_http_chunked_filter_ctx_t *ctx); static ngx_http_module_t ngx_http_chunked_filter_module_ctx = { @@ -69,27 +71,29 @@ ngx_http_chunked_header_filter(ngx_http_ return ngx_http_next_header_filter(r); } - if (r->headers_out.content_length_n == -1) { - if (r->http_version < NGX_HTTP_VERSION_11) { + if (r->headers_out.content_length_n == -1 + || r->expect_trailers) + { + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + + if (r->http_version >= NGX_HTTP_VERSION_11 + && clcf->chunked_transfer_encoding) + { + if (r->expect_trailers) { + ngx_http_clear_content_length(r); + } + + r->chunked = 1; + + ctx = ngx_pcalloc(r->pool, sizeof(ngx_http_chunked_filter_ctx_t)); + if (ctx == NULL) { + return NGX_ERROR; + } + + ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); + + } else if (r->headers_out.content_length_n == -1) { r->keepalive = 0; - - } else { - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (clcf->chunked_transfer_encoding) { - r->chunked = 1; - - ctx = ngx_pcalloc(r->pool, - sizeof(ngx_http_chunked_filter_ctx_t)); - if (ctx == NULL) { - return NGX_ERROR; - } - - ngx_http_set_ctx(r, ctx, ngx_http_chunked_filter_module); - - } else { - r->keepalive = 0; - } } } @@ -179,26 +183,17 @@ ngx_http_chunked_body_filter(ngx_http_re } if (cl->buf->last_buf) { - tl = ngx_chain_get_free_buf(r->pool, &ctx->free); + tl = ngx_http_chunked_create_trailers(r, ctx); if (tl == NULL) { return NGX_ERROR; } - b = tl->buf; - - b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; - b->temporary = 0; - b->memory = 1; - b->last_buf = 1; - b->pos = (u_char *) CRLF "0" CRLF CRLF; - b->last = b->pos + 7; - cl->buf->last_buf = 0; *ll = tl; if (size == 0) { - b->pos += 2; + tl->buf->pos += 2; } } else if (size > 0) { @@ -230,6 +225,109 @@ ngx_http_chunked_body_filter(ngx_http_re } +static ngx_chain_t * +ngx_http_chunked_create_trailers(ngx_http_request_t *r, + ngx_http_chunked_filter_ctx_t *ctx) +{ + size_t len; + ngx_buf_t *b; + ngx_uint_t i; + ngx_chain_t *cl; + ngx_list_part_t *part; + ngx_table_elt_t *header; + + len = 0; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + len += header[i].key.len + sizeof(": ") - 1 + + header[i].value.len + sizeof(CRLF) - 1; + } + + cl = ngx_chain_get_free_buf(r->pool, &ctx->free); + if (cl == NULL) { + return NULL; + } + + b = cl->buf; + + b->tag = (ngx_buf_tag_t) &ngx_http_chunked_filter_module; + b->temporary = 0; + b->memory = 1; + b->last_buf = 1; + + if (len == 0) { + b->pos = (u_char *) CRLF "0" CRLF CRLF; + b->last = b->pos + sizeof(CRLF "0" CRLF CRLF) - 1; + return cl; + } + + len += sizeof(CRLF "0" CRLF CRLF) - 1; + + b->pos = ngx_palloc(r->pool, len); + if (b->pos == NULL) { + return NULL; + } + + b->last = b->pos; + + *b->last++ = CR; *b->last++ = LF; + *b->last++ = '0'; + *b->last++ = CR; *b->last++ = LF; + + part = &r->headers_out.trailers.part; + header = part->elts; + + for (i = 0; /* void */; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, + "http trailer: \"%V: %V\"", + &header[i].key, &header[i].value); + + b->last = ngx_copy(b->last, header[i].key.data, header[i].key.len); + *b->last++ = ':'; *b->last++ = ' '; + + b->last = ngx_copy(b->last, header[i].value.data, header[i].value.len); + *b->last++ = CR; *b->last++ = LF; + } + + *b->last++ = CR; *b->last++ = LF; + + return cl; +} + + static ngx_int_t ngx_http_chunked_filter_init(ngx_conf_t *cf) { diff -r e6f399a176e7 -r 07a5d26b49f0 src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c +++ b/src/http/ngx_http_core_module.c @@ -2485,6 +2485,13 @@ ngx_http_subrequest(ngx_http_request_t * return NGX_ERROR; } + if (ngx_list_init(&sr->headers_out.trailers, r->pool, 4, + sizeof(ngx_table_elt_t)) + != NGX_OK) + { + return NGX_ERROR; + } + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); sr->main_conf = cscf->ctx->main_conf; sr->srv_conf = cscf->ctx->srv_conf; diff -r e6f399a176e7 -r 07a5d26b49f0 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -562,6 +562,14 @@ ngx_http_create_request(ngx_connection_t return NULL; } + if (ngx_list_init(&r->headers_out.trailers, r->pool, 4, + sizeof(ngx_table_elt_t)) + != NGX_OK) + { + ngx_destroy_pool(r->pool); + return NULL; + } + r->ctx = ngx_pcalloc(r->pool, sizeof(void *) * ngx_http_max_module); if (r->ctx == NULL) { ngx_destroy_pool(r->pool); diff -r e6f399a176e7 -r 07a5d26b49f0 src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -252,6 +252,7 @@ typedef struct { typedef struct { ngx_list_t headers; + ngx_list_t trailers; ngx_uint_t status; ngx_str_t status_line; @@ -514,6 +515,7 @@ struct ngx_http_request_s { unsigned pipeline:1; unsigned chunked:1; unsigned header_only:1; + unsigned expect_trailers:1; unsigned keepalive:1; unsigned lingering_close:1; unsigned discard_body:1; diff -r e6f399a176e7 -r 07a5d26b49f0 src/http/ngx_http_variables.c --- a/src/http/ngx_http_variables.c +++ b/src/http/ngx_http_variables.c @@ -38,6 +38,8 @@ static ngx_int_t ngx_http_variable_unkno ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_unknown_header_out(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); +static ngx_int_t ngx_http_variable_unknown_trailer_out(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_request_line(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_cookie(ngx_http_request_t *r, @@ -365,6 +367,9 @@ static ngx_http_variable_t ngx_http_cor { ngx_string("sent_http_"), NULL, ngx_http_variable_unknown_header_out, 0, NGX_HTTP_VAR_PREFIX, 0 }, + { ngx_string("sent_trailer_"), NULL, ngx_http_variable_unknown_trailer_out, + 0, NGX_HTTP_VAR_PREFIX, 0 }, + { ngx_string("cookie_"), NULL, ngx_http_variable_cookie, 0, NGX_HTTP_VAR_PREFIX, 0 }, @@ -934,6 +939,16 @@ ngx_http_variable_unknown_header_out(ngx } +static ngx_int_t +ngx_http_variable_unknown_trailer_out(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data) +{ + return ngx_http_variable_unknown_header(v, (ngx_str_t *) data, + &r->headers_out.trailers.part, + sizeof("sent_trailer_") - 1); +} + + ngx_int_t ngx_http_variable_unknown_header(ngx_http_variable_value_t *v, ngx_str_t *var, ngx_list_part_t *part, size_t prefix) From piotrsikora at google.com Tue Jun 13 12:19:55 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:19:55 -0700 Subject: [PATCH 3 of 3] Headers filter: added "add_trailer" directive In-Reply-To: <07a5d26b49f04425ff54.1497356393@piotrsikora.sfo.corp.google.com> References: <07a5d26b49f04425ff54.1497356393@piotrsikora.sfo.corp.google.com> Message-ID: <46150fb672e7b92cfbe6.1497356395@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1490351854 25200 # Fri Mar 24 03:37:34 2017 -0700 # Node ID 46150fb672e7b92cfbe678bad71df187fcb25ae6 # Parent 73f67e06ab103e0368d1810c6f8cac5c70c4e246 Headers filter: added "add_trailer" directive. Trailers added using this directive are evaluated after response body is processed by output filters (but before it's written to the wire), so it's possible to use variables calculated from the response body as the trailer value. Signed-off-by: Piotr Sikora diff -r 73f67e06ab10 -r 46150fb672e7 src/http/modules/ngx_http_headers_filter_module.c --- a/src/http/modules/ngx_http_headers_filter_module.c +++ b/src/http/modules/ngx_http_headers_filter_module.c @@ -48,6 +48,7 @@ typedef struct { time_t expires_time; ngx_http_complex_value_t *expires_value; ngx_array_t *headers; + ngx_array_t *trailers; } ngx_http_headers_conf_t; @@ -105,7 +106,15 @@ static ngx_command_t ngx_http_headers_f |NGX_CONF_TAKE23, ngx_http_headers_add, NGX_HTTP_LOC_CONF_OFFSET, - 0, + offsetof(ngx_http_headers_conf_t, headers), + NULL }, + + { ngx_string("add_trailer"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF + |NGX_CONF_TAKE23, + ngx_http_headers_add, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_headers_conf_t, trailers), NULL }, ngx_null_command @@ -144,6 +153,7 @@ ngx_module_t ngx_http_headers_filter_mo static ngx_http_output_header_filter_pt ngx_http_next_header_filter; +static ngx_http_output_body_filter_pt ngx_http_next_body_filter; static ngx_int_t @@ -154,10 +164,15 @@ ngx_http_headers_filter(ngx_http_request ngx_http_header_val_t *h; ngx_http_headers_conf_t *conf; + if (r != r->main) { + return ngx_http_next_header_filter(r); + } + conf = ngx_http_get_module_loc_conf(r, ngx_http_headers_filter_module); - if ((conf->expires == NGX_HTTP_EXPIRES_OFF && conf->headers == NULL) - || r != r->main) + if (conf->expires == NGX_HTTP_EXPIRES_OFF + && conf->headers == NULL + && conf->trailers == NULL) { return ngx_http_next_header_filter(r); } @@ -206,11 +221,101 @@ ngx_http_headers_filter(ngx_http_request } } + if (conf->trailers) { + h = conf->trailers->elts; + for (i = 0; i < conf->trailers->nelts; i++) { + + if (!safe_status && !h[i].always) { + continue; + } + + r->expect_trailers = 1; + break; + } + } + return ngx_http_next_header_filter(r); } static ngx_int_t +ngx_http_trailers_filter(ngx_http_request_t *r, ngx_chain_t *in) +{ + ngx_str_t value; + ngx_uint_t i, safe_status; + ngx_chain_t *cl; + ngx_table_elt_t *t; + ngx_http_header_val_t *h; + ngx_http_headers_conf_t *conf; + + conf = ngx_http_get_module_loc_conf(r, ngx_http_headers_filter_module); + + if (in == NULL + || conf->trailers == NULL + || !r->expect_trailers + || r->header_only) + { + return ngx_http_next_body_filter(r, in); + } + + for (cl = in; cl; cl = cl->next) { + if (cl->buf->last_buf) { + break; + } + } + + if (cl == NULL) { + return ngx_http_next_body_filter(r, in); + } + + switch (r->headers_out.status) { + + case NGX_HTTP_OK: + case NGX_HTTP_CREATED: + case NGX_HTTP_NO_CONTENT: + case NGX_HTTP_PARTIAL_CONTENT: + case NGX_HTTP_MOVED_PERMANENTLY: + case NGX_HTTP_MOVED_TEMPORARILY: + case NGX_HTTP_SEE_OTHER: + case NGX_HTTP_NOT_MODIFIED: + case NGX_HTTP_TEMPORARY_REDIRECT: + case NGX_HTTP_PERMANENT_REDIRECT: + safe_status = 1; + break; + + default: + safe_status = 0; + break; + } + + h = conf->trailers->elts; + for (i = 0; i < conf->trailers->nelts; i++) { + + if (!safe_status && !h[i].always) { + continue; + } + + if (ngx_http_complex_value(r, &h[i].value, &value) != NGX_OK) { + return NGX_ERROR; + } + + if (value.len) { + t = ngx_list_push(&r->headers_out.trailers); + if (t == NULL) { + return NGX_ERROR; + } + + t->key = h[i].key; + t->value = value; + t->hash = 1; + } + } + + return ngx_http_next_body_filter(r, in); +} + + +static ngx_int_t ngx_http_set_expires(ngx_http_request_t *r, ngx_http_headers_conf_t *conf) { char *err; @@ -557,6 +662,7 @@ ngx_http_headers_create_conf(ngx_conf_t * set by ngx_pcalloc(): * * conf->headers = NULL; + * conf->trailers = NULL; * conf->expires_time = 0; * conf->expires_value = NULL; */ @@ -587,6 +693,10 @@ ngx_http_headers_merge_conf(ngx_conf_t * conf->headers = prev->headers; } + if (conf->trailers == NULL) { + conf->trailers = prev->trailers; + } + return NGX_CONF_OK; } @@ -597,6 +707,9 @@ ngx_http_headers_filter_init(ngx_conf_t ngx_http_next_header_filter = ngx_http_top_header_filter; ngx_http_top_header_filter = ngx_http_headers_filter; + ngx_http_next_body_filter = ngx_http_top_body_filter; + ngx_http_top_body_filter = ngx_http_trailers_filter; + return NGX_OK; } @@ -674,42 +787,49 @@ ngx_http_headers_add(ngx_conf_t *cf, ngx { ngx_http_headers_conf_t *hcf = conf; - ngx_str_t *value; - ngx_uint_t i; - ngx_http_header_val_t *hv; - ngx_http_set_header_t *set; - ngx_http_compile_complex_value_t ccv; + ngx_str_t *value; + ngx_uint_t i; + ngx_array_t **headers; + ngx_http_header_val_t *hv; + ngx_http_set_header_t *set; + ngx_http_compile_complex_value_t ccv; value = cf->args->elts; - if (hcf->headers == NULL) { - hcf->headers = ngx_array_create(cf->pool, 1, - sizeof(ngx_http_header_val_t)); - if (hcf->headers == NULL) { + headers = (ngx_array_t **) ((char *) hcf + cmd->offset); + + if (*headers == NULL) { + *headers = ngx_array_create(cf->pool, 1, + sizeof(ngx_http_header_val_t)); + if (*headers == NULL) { return NGX_CONF_ERROR; } } - hv = ngx_array_push(hcf->headers); + hv = ngx_array_push(*headers); if (hv == NULL) { return NGX_CONF_ERROR; } hv->key = value[1]; - hv->handler = ngx_http_add_header; + hv->handler = NULL; hv->offset = 0; hv->always = 0; - set = ngx_http_set_headers; - for (i = 0; set[i].name.len; i++) { - if (ngx_strcasecmp(value[1].data, set[i].name.data) != 0) { - continue; + if (headers == &hcf->headers) { + hv->handler = ngx_http_add_header; + + set = ngx_http_set_headers; + for (i = 0; set[i].name.len; i++) { + if (ngx_strcasecmp(value[1].data, set[i].name.data) != 0) { + continue; + } + + hv->offset = set[i].offset; + hv->handler = set[i].handler; + + break; } - - hv->offset = set[i].offset; - hv->handler = set[i].handler; - - break; } if (value[2].len == 0) { From piotrsikora at google.com Tue Jun 13 12:19:45 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:19:45 -0700 Subject: [PATCH 1 of 4] HTTP/2: reject HTTP/2 requests with "Connection" header Message-ID: <10c3f4c37f96ef496eff.1497356385@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1490516709 25200 # Sun Mar 26 01:25:09 2017 -0700 # Node ID 10c3f4c37f96ef496eff859b6f6815817e79455a # Parent e6f399a176e7cae0fa08f1183d31315bce3b9ecb HTTP/2: reject HTTP/2 requests with "Connection" header. While there, populate r->headers_in.connection. Signed-off-by: Piotr Sikora diff -r e6f399a176e7 -r 10c3f4c37f96 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -1678,6 +1678,22 @@ static ngx_int_t ngx_http_process_connection(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset) { + if (r->headers_in.connection == NULL) { + r->headers_in.connection = h; + } + +#if (NGX_HTTP_V2) + + if (r->stream) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent HTTP/2 request with \"Connection\" header"); + + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + +#endif + if (ngx_strcasestrn(h->value.data, "close", 5 - 1)) { r->headers_in.connection_type = NGX_HTTP_CONNECTION_CLOSE; From piotrsikora at google.com Tue Jun 13 12:19:46 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:19:46 -0700 Subject: [PATCH 2 of 4] HTTP/2: reject HTTP/2 requests with invalid "TE" header value In-Reply-To: <10c3f4c37f96ef496eff.1497356385@piotrsikora.sfo.corp.google.com> References: <10c3f4c37f96ef496eff.1497356385@piotrsikora.sfo.corp.google.com> Message-ID: <349648a6f91f9bd5cc80.1497356386@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1490516709 25200 # Sun Mar 26 01:25:09 2017 -0700 # Node ID 349648a6f91f9bd5cc80d22390b95c2239a8bfb3 # Parent 10c3f4c37f96ef496eff859b6f6815817e79455a HTTP/2: reject HTTP/2 requests with invalid "TE" header value. Signed-off-by: Piotr Sikora diff -r 10c3f4c37f96 -r 349648a6f91f src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -27,6 +27,8 @@ static ngx_int_t ngx_http_process_host(n ngx_table_elt_t *h, ngx_uint_t offset); static ngx_int_t ngx_http_process_connection(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); +static ngx_int_t ngx_http_process_te(ngx_http_request_t *r, + ngx_table_elt_t *h, ngx_uint_t offset); static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); @@ -128,6 +130,10 @@ ngx_http_header_t ngx_http_headers_in[] offsetof(ngx_http_headers_in_t, if_range), ngx_http_process_unique_header_line }, + { ngx_string("TE"), + offsetof(ngx_http_headers_in_t, te), + ngx_http_process_te }, + { ngx_string("Transfer-Encoding"), offsetof(ngx_http_headers_in_t, transfer_encoding), ngx_http_process_header_line }, @@ -1706,6 +1712,37 @@ ngx_http_process_connection(ngx_http_req static ngx_int_t +ngx_http_process_te(ngx_http_request_t *r, ngx_table_elt_t *h, + ngx_uint_t offset) +{ + if (r->headers_in.te == NULL) { + r->headers_in.te = h; + } + + if (h->value.len == sizeof("trailers") - 1 + && ngx_memcmp(h->value.data, "trailers", sizeof("trailers") - 1) == 0) + { + return NGX_OK; + } + +#if (NGX_HTTP_V2) + + if (r->stream) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent HTTP/2 request with invalid header value: " + "\"TE: %V\"", &h->value); + + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + +#endif + + return NGX_OK; +} + + +static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset) { diff -r 10c3f4c37f96 -r 349648a6f91f src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -196,6 +196,7 @@ typedef struct { ngx_table_elt_t *range; ngx_table_elt_t *if_range; + ngx_table_elt_t *te; ngx_table_elt_t *transfer_encoding; ngx_table_elt_t *expect; ngx_table_elt_t *upgrade; From piotrsikora at google.com Tue Jun 13 12:19:47 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:19:47 -0700 Subject: [PATCH 3 of 4] HTTP/2: reject HTTP/2 requests with "Transfer-Encoding" header In-Reply-To: <10c3f4c37f96ef496eff.1497356385@piotrsikora.sfo.corp.google.com> References: <10c3f4c37f96ef496eff.1497356385@piotrsikora.sfo.corp.google.com> Message-ID: <6263d68cb96042d8f897.1497356387@piotrsikora.sfo.corp.google.com> # HG changeset patch # User Piotr Sikora # Date 1490516709 25200 # Sun Mar 26 01:25:09 2017 -0700 # Node ID 6263d68cb96042d8f8974a4a3945226227ce13b9 # Parent 349648a6f91f9bd5cc80d22390b95c2239a8bfb3 HTTP/2: reject HTTP/2 requests with "Transfer-Encoding" header. Signed-off-by: Piotr Sikora diff -r 349648a6f91f -r 6263d68cb960 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -29,6 +29,8 @@ static ngx_int_t ngx_http_process_connec ngx_table_elt_t *h, ngx_uint_t offset); static ngx_int_t ngx_http_process_te(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); +static ngx_int_t ngx_http_process_transfer_encoding(ngx_http_request_t *r, + ngx_table_elt_t *h, ngx_uint_t offset); static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); @@ -136,7 +138,7 @@ ngx_http_header_t ngx_http_headers_in[] { ngx_string("Transfer-Encoding"), offsetof(ngx_http_headers_in_t, transfer_encoding), - ngx_http_process_header_line }, + ngx_http_process_transfer_encoding }, { ngx_string("Expect"), offsetof(ngx_http_headers_in_t, expect), @@ -1743,6 +1745,49 @@ ngx_http_process_te(ngx_http_request_t * static ngx_int_t +ngx_http_process_transfer_encoding(ngx_http_request_t *r, ngx_table_elt_t *h, + ngx_uint_t offset) +{ + if (r->headers_in.transfer_encoding == NULL) { + r->headers_in.transfer_encoding = h; + } + +#if (NGX_HTTP_V2) + + if (r->stream) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent HTTP/2 request with \"Transfer-Encoding\" " + "header"); + + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + +#endif + + if (h->value.len == 7 + && ngx_strncasecmp(h->value.data, (u_char *) "chunked", 7) == 0) + { + r->headers_in.chunked = 1; + return NGX_OK; + } + + if (h->value.len != 8 + || ngx_strncasecmp(h->value.data, (u_char *) "identity", 8) != 0) + { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent unknown \"Transfer-Encoding: %V\" header", + &h->value); + + ngx_http_finalize_request(r, NGX_HTTP_NOT_IMPLEMENTED); + return NGX_ERROR; + } + + return NGX_OK; +} + + +static ngx_int_t ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset) { @@ -1881,25 +1926,9 @@ ngx_http_process_request_header(ngx_http return NGX_ERROR; } - if (r->headers_in.transfer_encoding) { - if (r->headers_in.transfer_encoding->value.len == 7 - && ngx_strncasecmp(r->headers_in.transfer_encoding->value.data, - (u_char *) "chunked", 7) == 0) - { - r->headers_in.content_length = NULL; - r->headers_in.content_length_n = -1; - r->headers_in.chunked = 1; - - } else if (r->headers_in.transfer_encoding->value.len != 8 - || ngx_strncasecmp(r->headers_in.transfer_encoding->value.data, - (u_char *) "identity", 8) != 0) - { - ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, - "client sent unknown \"Transfer-Encoding\": \"%V\"", - &r->headers_in.transfer_encoding->value); - ngx_http_finalize_request(r, NGX_HTTP_NOT_IMPLEMENTED); - return NGX_ERROR; - } + if (r->headers_in.chunked) { + r->headers_in.content_length = NULL; + r->headers_in.content_length_n = -1; } if (r->headers_in.connection_type == NGX_HTTP_CONNECTION_KEEP_ALIVE) { From piotrsikora at google.com Tue Jun 13 12:19:48 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:19:48 -0700 Subject: [PATCH 4 of 4] HTTP/2: reject HTTP/2 requests with connection-specific headers In-Reply-To: <10c3f4c37f96ef496eff.1497356385@piotrsikora.sfo.corp.google.com> References: <10c3f4c37f96ef496eff.1497356385@piotrsikora.sfo.corp.google.com> Message-ID: # HG changeset patch # User Piotr Sikora # Date 1490516709 25200 # Sun Mar 26 01:25:09 2017 -0700 # Node ID e2abc3bc3fc12b788d2631d3c47215acdc4ebbe6 # Parent 6263d68cb96042d8f8974a4a3945226227ce13b9 HTTP/2: reject HTTP/2 requests with connection-specific headers. Signed-off-by: Piotr Sikora diff -r 6263d68cb960 -r e2abc3bc3fc1 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c +++ b/src/http/ngx_http_request.c @@ -19,6 +19,8 @@ static ngx_int_t ngx_http_alloc_large_he static ngx_int_t ngx_http_process_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); +static ngx_int_t ngx_http_process_http1_header_line(ngx_http_request_t *r, + ngx_table_elt_t *h, ngx_uint_t offset); static ngx_int_t ngx_http_process_unique_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset); static ngx_int_t ngx_http_process_multi_header_lines(ngx_http_request_t *r, @@ -146,7 +148,7 @@ ngx_http_header_t ngx_http_headers_in[] { ngx_string("Upgrade"), offsetof(ngx_http_headers_in_t, upgrade), - ngx_http_process_header_line }, + ngx_http_process_http1_header_line }, #if (NGX_HTTP_GZIP) { ngx_string("Accept-Encoding"), @@ -161,8 +163,13 @@ ngx_http_header_t ngx_http_headers_in[] offsetof(ngx_http_headers_in_t, authorization), ngx_http_process_unique_header_line }, - { ngx_string("Keep-Alive"), offsetof(ngx_http_headers_in_t, keep_alive), - ngx_http_process_header_line }, + { ngx_string("Keep-Alive"), + offsetof(ngx_http_headers_in_t, keep_alive), + ngx_http_process_http1_header_line }, + + { ngx_string("Proxy-Connection"), + offsetof(ngx_http_headers_in_t, proxy_connection), + ngx_http_process_http1_header_line }, #if (NGX_HTTP_X_FORWARDED_FOR) { ngx_string("X-Forwarded-For"), @@ -1618,6 +1625,35 @@ ngx_http_process_header_line(ngx_http_re static ngx_int_t +ngx_http_process_http1_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, + ngx_uint_t offset) +{ + ngx_table_elt_t **ph; + + ph = (ngx_table_elt_t **) ((char *) &r->headers_in + offset); + + if (*ph == NULL) { + *ph = h; + } + +#if (NGX_HTTP_V2) + + if (r->stream) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client sent HTTP/2 request with \"%V\" header", + &h->key); + + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } + +#endif + + return NGX_OK; +} + + +static ngx_int_t ngx_http_process_unique_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, ngx_uint_t offset) { diff -r 6263d68cb960 -r e2abc3bc3fc1 src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h +++ b/src/http/ngx_http_request.h @@ -209,6 +209,7 @@ typedef struct { ngx_table_elt_t *authorization; ngx_table_elt_t *keep_alive; + ngx_table_elt_t *proxy_connection; #if (NGX_HTTP_X_FORWARDED_FOR) ngx_array_t x_forwarded_for; From piotrsikora at google.com Tue Jun 13 12:21:56 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:21:56 -0700 Subject: [PATCH 1 of 3] Added support for trailers in HTTP responses In-Reply-To: <20170606122554.GD55433@mdounin.ru> References: <41c09a2fd90410e25ad8.1496460825@piotrsikora.sfo.corp.google.com> <20170605162940.GY55433@mdounin.ru> <20170606122554.GD55433@mdounin.ru> Message-ID: Hey Maxim, > I've tried this as well, and decided that "if (len == > sizeof(...))" is slightly more readable, and also produces smaller > patch to your code. No strict preference though, feel free to > use any variant you think is better. I've ended up using "if (len == 0) { ... }" in the end, but applied rest of you changes. Thanks! Best regards, Piotr Sikora From piotrsikora at google.com Tue Jun 13 12:24:31 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:24:31 -0700 Subject: [PATCH 2 of 3] HTTP/2: added support for trailers in HTTP responses In-Reply-To: <8319246.PdA5WZVuiQ@vbart-workstation> References: <8d74ff6c2015180f5c1f.1496460826@piotrsikora.sfo.corp.google.com> <8319246.PdA5WZVuiQ@vbart-workstation> Message-ID: Hey Valentin, > It's better to keep return values consistent with > ngx_http_v2_create_headers_frame() and introduce > NGX_HTTP_V2_NO_TRAILERS instead of NGX_HTTP_V2_FRAME_ERROR. NGX_HTTP_V2_NO_TRAILERS feels a bit weird, but whatever works for you is fine. > There's no reason to check "trailers" on each iteration. > I think you can put it inside the "if (in == NULL)" condition. Good catch, thanks! > Please consider the changes below. Applied (with removed empty lines between error message and "return NULL"). Thanks! Best regards, Piotr Sikora From piotrsikora at google.com Tue Jun 13 12:30:22 2017 From: piotrsikora at google.com (Piotr Sikora) Date: Tue, 13 Jun 2017 05:30:22 -0700 Subject: [PATCH] HTTP/2: reject HTTP/2 requests with "Connection" header In-Reply-To: <42772973.0zRm91nVQn@vbart-workstation> References: <42772973.0zRm91nVQn@vbart-workstation> Message-ID: