nginx-devel December 2011

nginx-devel@nginx.org

18 participants
92 discussions

by Neil Mckee

Hello, I have written a module to implement sFlow in nginx (nginx-sflow-module.googlecode.com). I'm simulating a 1-second timer-tick by assuming that the request handler will be called at least once per second. That's probably a safe assumption for any server that would care about sFlow monitoring, but I expect there's a better way... I tried asking for a timer callback like this: ngx_event_t *ev = ngx_pcalloc(pool, sizeof(ngx_event_t)); ev->hander = ngx_http_sflow_tick_event_hander; ngx_add_timer(ev, 1000); but (like most russian girls) the event never called me back. It looks like I might have to hang this on a file-descriptor somehow, but that's where I'm getting lost. Any pointers would be most appreciated. Neil

9 years, 2 months

totally transparent proxying with nginx on openbsd

by David Gwynne

openbsd has a setsockopt option called SO_BINDANY that allows a process to bind to any ip address, even if it is not local to the system. the patch below uses it to allow nginx to connect to a backend server using the ip of the client making the request. my main goal here is to allow the backend server to know the ip of the client actually making the request without having to look at extra hhtp headers i thought id throw this out there to get some help since this is my first attempt at tweaking nginx. there are a few issues with this implementation: 1. it is completely specific to openbsd. 2. it needs root privileges to use the SO_BINDANY sockopt. 3. im not sure if connections to backends are cached. if so then it is probable that a different client will reuse a previous clients proxy connection, so it will appear that the same client made both requests to the backend. to use this you just configure nginx to run as root and add "proxy_transparent on" to the sections you want this feature enabled on. you will need to add appropriate "pass out proto tcp divert-reply" rules to pf for the SO_BINDANY sockopt to work too. if anyone has some tips on how to handle problems 2 and 3 i would be grateful. cheers, dlg --- src/event/ngx_event_connect.c.orig Thu Nov 26 04:03:59 2009 +++ src/event/ngx_event_connect.c Thu Oct 28 23:22:37 2010 @@ -11,7 +11,7 @@ ngx_int_t -ngx_event_connect_peer(ngx_peer_connection_t *pc) +ngx_event_connect_peer(ngx_peer_connection_t *pc, ngx_connection_t *cc) { int rc; ngx_int_t event; @@ -20,6 +20,7 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) ngx_socket_t s; ngx_event_t *rev, *wev; ngx_connection_t *c; + int bindany; rc = pc->get(pc, pc->data); if (rc != NGX_OK) { @@ -46,6 +47,40 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) } return NGX_ERROR; + } + + if (cc != NULL) { + bindany = 1; + if (setsockopt(s, SOL_SOCKET, SO_BINDANY, + &bindany, sizeof(bindany)) == -1) + { + ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, + "setsockopt(SO_BINDANY) failed"); + + ngx_free_connection(c); + + if (ngx_close_socket(s) == -1) { + ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, + ngx_close_socket_n " failed"); + } + + return NGX_ERROR; + } + + if (bind(s, cc->sockaddr, cc->socklen) == -1) + { + ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, + "bind() failed"); + + ngx_free_connection(c); + + if (ngx_close_socket(s) == -1) { + ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, + ngx_close_socket_n " failed"); + } + + return NGX_ERROR; + } } if (pc->rcvbuf) { --- src/event/ngx_event_connect.h.orig Tue Nov 3 01:24:02 2009 +++ src/event/ngx_event_connect.h Thu Oct 28 23:22:37 2010 @@ -68,7 +68,8 @@ struct ngx_peer_connection_s { }; -ngx_int_t ngx_event_connect_peer(ngx_peer_connection_t *pc); +ngx_int_t ngx_event_connect_peer(ngx_peer_connection_t *pc, + ngx_connection_t *cc); ngx_int_t ngx_event_get_peer(ngx_peer_connection_t *pc, void *data); --- src/http/modules/ngx_http_proxy_module.c.orig Mon May 24 21:01:05 2010 +++ src/http/modules/ngx_http_proxy_module.c Thu Oct 28 23:42:10 2010 @@ -71,6 +71,7 @@ typedef struct { ngx_http_proxy_vars_t vars; ngx_flag_t redirect; + ngx_flag_t transparent; ngx_uint_t headers_hash_max_size; ngx_uint_t headers_hash_bucket_size; @@ -196,6 +197,13 @@ static ngx_command_t ngx_http_proxy_commands[] = { 0, NULL }, + { ngx_string("proxy_transparent"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_LOC_CONF_OFFSET, + offsetof(ngx_http_proxy_loc_conf_t, transparent), + NULL }, + { ngx_string("proxy_store"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1, ngx_http_proxy_store, @@ -626,6 +634,7 @@ ngx_http_proxy_handler(ngx_http_request_t *r) u->abort_request = ngx_http_proxy_abort_request; u->finalize_request = ngx_http_proxy_finalize_request; r->state = 0; + r->transparent = (plcf->transparent == 1); if (plcf->redirects) { u->rewrite_redirect = ngx_http_proxy_rewrite_redirect; @@ -1940,6 +1949,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf) conf->upstream.cyclic_temp_file = 0; conf->redirect = NGX_CONF_UNSET; + conf->transparent = NGX_CONF_UNSET; conf->upstream.change_buffering = 1; conf->headers_hash_max_size = NGX_CONF_UNSET_UINT; @@ -2214,6 +2224,8 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *pa } } } + + ngx_conf_merge_value(conf->transparent, prev->transparent, 0); /* STUB */ if (prev->proxy_lengths) { --- src/http/ngx_http_request.h.orig Mon May 24 22:35:10 2010 +++ src/http/ngx_http_request.h Thu Oct 28 23:22:37 2010 @@ -511,6 +511,8 @@ struct ngx_http_request_s { unsigned stat_writing:1; #endif + unsigned transparent:1; + /* used to parse HTTP headers */ ngx_uint_t state; --- src/http/ngx_http_upstream.c.orig Mon May 24 22:35:10 2010 +++ src/http/ngx_http_upstream.c Thu Oct 28 23:22:37 2010 @@ -1066,7 +1066,8 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_h u->state->response_sec = tp->sec; u->state->response_msec = tp->msec; - rc = ngx_event_connect_peer(&u->peer); + rc = ngx_event_connect_peer(&u->peer, r->transparent ? + r->connection : NULL); ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "http upstream connect: %i", rc); --- src/mail/ngx_mail_auth_http_module.c.orig Fri May 14 19:56:37 2010 +++ src/mail/ngx_mail_auth_http_module.c Thu Oct 28 23:22:37 2010 @@ -191,7 +191,7 @@ ngx_mail_auth_http_init(ngx_mail_session_t *s) ctx->peer.log = s->connection->log; ctx->peer.log_error = NGX_ERROR_ERR; - rc = ngx_event_connect_peer(&ctx->peer); + rc = ngx_event_connect_peer(&ctx->peer, NULL); if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) { if (ctx->peer.connection) { --- src/mail/ngx_mail_proxy_module.c.orig Thu Oct 28 23:32:15 2010 +++ src/mail/ngx_mail_proxy_module.c Thu Oct 28 23:30:53 2010 @@ -147,7 +147,7 @@ ngx_mail_proxy_init(ngx_mail_session_t *s, ngx_addr_t p->upstream.log = s->connection->log; p->upstream.log_error = NGX_ERROR_ERR; - rc = ngx_event_connect_peer(&p->upstream); + rc = ngx_event_connect_peer(&p->upstream, NULL); if (rc == NGX_ERROR || rc == NGX_BUSY || rc == NGX_DECLINED) { ngx_mail_proxy_internal_server_error(s);

9 years, 10 months

Re: Does anyone plan to develop the feature of openssl' OCSP stapling?

by Rob Stradling

On November 25, 2010 04:42AM Weibin Yao wrote: > Hi everyone, > > I think the the feature of OCSP stapling[1] is very useful for the > browser blocked by the OCSP request. And the feature has supported since > openssl 0.9.8g. Apache's mod_ssl has also added this patch in the > development branch[2]. > > Does anyone have the plan to develop this feature? Hi. The CAs and Browsers represented in the CA/Browser Forum (http://cabforum.org/forum.html) are growing increasingly interested in encouraging wider adoption of OCSP Stapling. Since nobody else has replied to this thread, I presume that OCSP Stapling is not currently a priority for the core nginx developers. So, I've started having a go at writing a patch. I'm basing it heavily on Dr Steve Henson's OCSP Stapling code that was first included in Apache httpd 2.3.3 [3]. I'd like to ask a few questions before I proceed any further: 1. If I am able to complete my patch, are you likely to review/commit it? Or is OCSP Stapling the sort of feature that you'd prefer to only let a core nginx developer work on? 2. I was under the impression that nginx started life as a fork of Apache httpd, but I don't see any messages along the lines of "This product includes software developed by the Apache Group..." in the source code. Is nginx 100% *not* a derivative work of Apache httpd? 3. Steve Henson's code is presumably licensed under ASL 2.0 [4], which presumably means that my patch would be classed as a "Derivative Work" subject to various conditions (see the "4. Redistribution" section in ASL 2.0). Would this prevent you from accepting it? (Since ASL 2.0 says "nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions", perhaps I should ask Steve Henson if he would be willing to contribute the same code to nginx under a different licence). Thanks for your help. [3]. http://svn.apache.org/viewvc?view=revision&revision=829619 [4]. http://www.apache.org/licenses/LICENSE-2.0 > Thanks. > > [1]. http://en.wikipedia.org/wiki/OCSP_Stapling > [2]. https://issues.apache.org/bugzilla/show_bug.cgi?id=43822 > > -- > Weibin Yao Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online

10 years, 5 months

[nginx] svn commit: r4328 - trunk/src/http/modules

by ru＠nginx.com

Author: ru Date: 2011-12-06 21:07:10 +0000 (Tue, 06 Dec 2011) New Revision: 4328 Log: - Improved error message when parsing of the "buffer" parameter of the "access_log" directive fails. - Added a warning if "log_format" is used in contexts other than "http". Modified: trunk/src/http/modules/ngx_http_log_module.c Modified: trunk/src/http/modules/ngx_http_log_module.c =================================================================== --- trunk/src/http/modules/ngx_http_log_module.c 2011-12-06 15:49:40 UTC (rev 4327) +++ trunk/src/http/modules/ngx_http_log_module.c 2011-12-06 21:07:10 UTC (rev 4328) @@ -971,7 +971,7 @@ if (buf == NGX_ERROR) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid parameter \"%V\"", &value[3]); + "invalid buffer value \"%V\"", &name); return NGX_CONF_ERROR; } @@ -1004,6 +1004,12 @@ ngx_uint_t i; ngx_http_log_fmt_t *fmt; + if (cf->cmd_type != NGX_HTTP_MAIN_CONF) { + ngx_conf_log_error(NGX_LOG_WARN, cf, 0, + "the \"log_format\" directive may be used " + "only on \"http\" level"); + } + value = cf->args->elts; fmt = lmcf->formats.elts;

10 years, 6 months

[PATCH] Fix ./configure script for less error-forgiving compilers

by Piotr Sikora

Hi Igor, attached patch fixes ./configure script for less error-forgiving compilers (like LLVM/clang) when they are used with -Werror option. auto/types/sizeof: - printf() is defined in missing <stdio.h> header, - sizeof() returns size_t type, which has different signedness on different operating systems (hence %z). auto/unix: - setproctitle() is defined in <stdlib.h> on both: NetBSD and OpenBSD. Best regards, Piotr Sikora < piotr.sikora(a)frickle.com >

10 years, 8 months

[nginx] svn commit: r4397 - trunk/auto/lib/pcre

by vbart＠nginx.com

Author: vbart Date: 2011-12-29 15:58:53 +0000 (Thu, 29 Dec 2011) New Revision: 4397 Modified: trunk/auto/lib/pcre/conf Log: Fixed configure with system PCRE library on Solaris. The bug has been introduced in r4389. Modified: trunk/auto/lib/pcre/conf =================================================================== --- trunk/auto/lib/pcre/conf 2011-12-29 15:36:07 UTC (rev 4396) +++ trunk/auto/lib/pcre/conf 2011-12-29 15:58:53 UTC (rev 4397) @@ -165,7 +165,7 @@ PCRE=YES fi - if [ $PCRE == YES ]; then + if [ $PCRE = YES ]; then ngx_feature="PCRE JIT support" ngx_feature_name="NGX_HAVE_PCRE_JIT" ngx_feature_test="int jit = 0;

10 years, 11 months

[nginx] svn commit: r4396 - trunk/auto/cc

by maxim＠nginx.com

Author: maxim Date: 2011-12-29 15:36:07 +0000 (Thu, 29 Dec 2011) New Revision: 4396 Log: Some questionable optomizations flags for icc were removed in order to simplify support of its future versions. Modified: trunk/auto/cc/icc Modified: trunk/auto/cc/icc =================================================================== --- trunk/auto/cc/icc 2011-12-28 13:30:56 UTC (rev 4395) +++ trunk/auto/cc/icc 2011-12-29 15:36:07 UTC (rev 4396) @@ -2,7 +2,7 @@ # Copyright (C) Igor Sysoev -# Intel C++ compiler 7.1, 8.0, 8.1, 9.0 +# Intel C++ compiler 7.1, 8.0, 8.1, 9.0, 11.1 NGX_ICC_VER=`$CC -V 2>&1 | grep 'Version' 2>&1 \ | sed -e 's/^.* Version $[^ ]*$ *Build.*$/\1/'` @@ -15,32 +15,7 @@ # optimizations CFLAGS="$CFLAGS -O" -# inline the functions declared with __inline -#CFLAGS="$CFLAGS -Ob1" -# inline any function, at the compiler's discretion -CFLAGS="$CFLAGS -Ob2" -# multi-file IP optimizations -case "$NGX_ICC_VER" in - 9.*) - IPO="-ipo" - ;; - - # 8.1.38 under FreeBSD can not link -ipo - 8.1) - IPO="-ip" - ;; - - *) - IPO="-ipo -ipo_obj" - ;; -esac - -# single-file IP optimizations -#IPO="-ip" - -CFLAGS="$CFLAGS $IPO" -CORE_LINK="$CORE_LINK $IPO" CORE_LINK="$CORE_LINK -opt_report_file=$NGX_OBJS/opt_report_file" @@ -64,15 +39,15 @@ CFLAGS="$CFLAGS $CPU_OPT" if [ ".$PCRE_OPT" = "." ]; then - PCRE_OPT="-O $IPO $CPU_OPT" + PCRE_OPT="-O $CPU_OPT" fi if [ ".$MD5_OPT" = "." ]; then - MD5_OPT="-O $IPO $CPU_OPT" + MD5_OPT="-O $CPU_OPT" fi if [ ".$ZLIB_OPT" = "." ]; then - ZLIB_OPT="-O $IPO $CPU_OPT" + ZLIB_OPT="-O $CPU_OPT" fi

10 years, 11 months

Cross Compiling Nginx

by Doug Kehn

Hi All, I'm cross compiling Nginx for an ARM Cortex A8 processor. Attached is a patch for review which allows Nginx to be cross compiled. I believe the patch is generic enough to allow Nginx to be cross compiled in any cross compile environment. I also don't believe that I've broken any existing functionality. After applying the patch, Nginx can be cross compiled with: ./configure \--prefix= \ --crossbuild=Linux:$(ARCH) \ --with-cc-opt="$(CFLAGS)" \ --with-ld-opt="$(LDFLAGS)" \ --with-endian=$(ENDIAN) \ --with-int=4 \ --with-long=4 \ --with-long-long=8 \ --with-ptr-size=4 \ --with-sig-atomic-t=4 \ --with-size-t=4 \ --with-off-t=4 \ --with-time-t=4 \ --with-sys-nerr=132 make In my case $(ARCH) = arm, $(ENDIAN) = little, and $(CFLAGS)/$(LDFLAGS) are set according to my environment. The variable sizes were determined empirically by cross compiling a simple program and executing on the target. Regards, ...doug

10 years, 11 months

[nginx] svn commit: r4395 - trunk/docs/xml/nginx

by mdounin＠mdounin.ru

Author: mdounin Date: 2011-12-28 13:30:56 +0000 (Wed, 28 Dec 2011) New Revision: 4395 Log: Fixed punctuation. Modified: trunk/docs/xml/nginx/changes.xml Modified: trunk/docs/xml/nginx/changes.xml =================================================================== --- trunk/docs/xml/nginx/changes.xml 2011-12-27 12:39:11 UTC (rev 4394) +++ trunk/docs/xml/nginx/changes.xml 2011-12-28 13:30:56 UTC (rev 4395) @@ -14,12 +14,12 @@ <change type="change"> <para lang="ru"> после перенаправления запроса с помощью директивы error_page -директива proxy_pass без URI теперь использует изменённый URI; +директива proxy_pass без URI теперь использует изменённый URI. Спасибо Lanshun Zhou. </para> <para lang="en"> a "proxy_pass" directive without URI part now uses changed URI -after redirection with the "error_page" directive; +after redirection with the "error_page" directive. Thanks to Lanshun Zhou. </para> </change> @@ -107,12 +107,12 @@ <change type="bugfix"> <para lang="ru"> после перенаправления запроса с помощью директивы try_files -директива proxy_pass без URI могла использовать URI исходного запроса; +директива proxy_pass без URI могла использовать URI исходного запроса. Спасибо Lanshun Zhou. </para> <para lang="en"> a "proxy_pass" directive without URI part might use original request -after redirection with the "try_files" directive; +after redirection with the "try_files" directive. Thanks to Lanshun Zhou. </para> </change>

10 years, 11 months

[nginx] svn commit: r4394 - trunk/misc

by sb＠waeme.net

Author: fabler Date: 2011-12-27 12:39:11 +0000 (Tue, 27 Dec 2011) New Revision: 4394 Log: libraries versions updated Modified: trunk/misc/GNUmakefile Modified: trunk/misc/GNUmakefile =================================================================== --- trunk/misc/GNUmakefile 2011-12-27 12:35:52 UTC (rev 4393) +++ trunk/misc/GNUmakefile 2011-12-27 12:39:11 UTC (rev 4394) @@ -6,9 +6,9 @@ REPO = $(shell svn info | sed -n 's/^Repository Root: //p') OBJS = objs.msvc8 -OPENSSL = openssl-1.0.0d -ZLIB = zlib-1.2.3 -PCRE = pcre-7.9 +OPENSSL = openssl-1.0.0e +ZLIB = zlib-1.2.5 +PCRE = pcre-8.12 release:

10 years, 11 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

nginx-devel December 2011