nginx-devel February 2013

nginx-devel@nginx.org

22 participants
91 discussions

by Maxim Dounin

Hello! Here are patches for OCSP stapling support. Testing and review appreciated. New directives: ssl_trusted_certificate /path/to/file; Specifies a file with CA certificates in the PEM format used for certificate verification. In contrast to ssl_client_certificate, DNs of these certificates aren't sent to a client in CertificateRequest. ssl_stapling on|off; Activates OCSP stapling. ssl_stapling_file /path/to/file; Use predefined OCSP response for stapling, do not query responder. Assumes OCSP response in DER format as produced by "openssl ocsp". ssl_stapling_responder URL; Use specified OCSP responder instead of one found in AIA certificate extension. Example configuration: server { listen 443 ssl; ssl_certificate /path/to/cert.pem; ssl_certificate_key /path/to/key.pem; ssl_stapling on; ssl_trusted_certificate /path/to/ca.pem; resolver 8.8.8.8; } Known limitations: - Unless externally set OCSP response is used (via the "ssl_stapling_file" directive), stapled response won't be sent in a first connection. This is due to the fact that OCSP responders are currently queried by nginx once it receives connection with certificate_status extension in ClientHello, and due to limitations in OpenSSL API (certificate status callback is blocking). - Cached OCSP responses are currently stored in local process memory (thus each worker process will query OCSP responders independently). This shouldn't be a problem as typical number of worker processes is low, usually set match number of CPUs. - Various timeouts are hardcoded (connect/read/write timeouts are 60s, response is considered to be valid for 1h after loading). Adding configuration directives to control these would be trivial, but it may be a better idea to actually omit them for simplicity. - Only "http://" OCSP responders are recognized. Patch can be found here: http://nginx.org/patches/ocsp-stapling/ Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work. Maxim Dounin

8 years, 10 months

best way to get a 1-second timer-tick?

by Neil Mckee

Hello, I have written a module to implement sFlow in nginx (nginx-sflow-module.googlecode.com). I'm simulating a 1-second timer-tick by assuming that the request handler will be called at least once per second. That's probably a safe assumption for any server that would care about sFlow monitoring, but I expect there's a better way... I tried asking for a timer callback like this: ngx_event_t *ev = ngx_pcalloc(pool, sizeof(ngx_event_t)); ev->hander = ngx_http_sflow_tick_event_hander; ngx_add_timer(ev, 1000); but (like most russian girls) the event never called me back. It looks like I might have to hang this on a file-descriptor somehow, but that's where I'm getting lost. Any pointers would be most appreciated. Neil

8 years, 11 months

[PATCH] Make ngx_http_upstream provide a way to expose errors after sending out the response header

by agentzh

Hello! According to the current implementation of ngx_http_upstream, there is almost no way for 3rd-party output body filters and "post_subrequest" handlers (in the subrequest context) to know if there's any errors while ngx_http_upstream is processing the upstream response body after the response header is sent out (in both the buffered and non-buffered modes). For example, if 1. a read-timeout happens in the middle of the process of reading the upstream response body, 2. or the upstream connection is closed prematurely in the same situation, then ngx_http_upstream will just happily finalize the current request with the status code 0 (i.e., NGX_OK). This issue already affects at least our ngx_srcache and ngx_lua modules (originally reported by Bryan Alger). Here attaches a patch that makes ngx_http_upstream set r->headers_out.status to a new error status code to notify the outside world if there is a problem. Comments will be highly appreciated as always :) Thanks! -agentzh --- nginx-1.2.3/src/http/ngx_http_upstream.c 2012-08-06 10:34:08.000000000 -0700 +++ nginx-1.2.3-patched/src/http/ngx_http_upstream.c 2012-09-09 21:58:04.727761891 -0700 @@ -2383,7 +2383,7 @@ if (c->read->timedout) { ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - ngx_http_upstream_finalize_request(r, u, 0); + ngx_http_upstream_finalize_request(r, u, NGX_HTTP_GATEWAY_TIME_OUT); return; } @@ -2430,13 +2430,17 @@ if (u->busy_bufs == NULL) { if (u->length == 0 - || upstream->read->eof - || upstream->read->error) + || (upstream->read->eof && u->headers_in.content_length_n == -1)) { ngx_http_upstream_finalize_request(r, u, 0); return; } + if (upstream->read->eof || upstream->read->error) { + ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); + return; + } + b->pos = b->start; b->last = b->start; } @@ -2710,7 +2714,16 @@ #if 0 ngx_http_busy_unlock(u->conf->busy_lock, &u->busy_lock); #endif - ngx_http_upstream_finalize_request(r, u, 0); + + if (p->upstream_done + || (p->upstream_eof && u->headers_in.content_length_n == -1)) + { + ngx_http_upstream_finalize_request(r, u, 0); + + } else { + ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); + } + return; } } @@ -3073,6 +3086,13 @@ && rc != NGX_HTTP_REQUEST_TIME_OUT && (rc == NGX_ERROR || rc >= NGX_HTTP_SPECIAL_RESPONSE)) { + if (rc == NGX_ERROR) { + r->headers_out.status = NGX_HTTP_INTERNAL_SERVER_ERROR; + + } else { + r->headers_out.status = rc; + } + rc = 0; }

9 years

Nginx Module (I/O block)

by alexander_koch_log

Hi, It is not clear to me how to avoid blocking the nginx reactor loop when creating an nginx module which should perform some long I/O operations and return the response to the client. Or is this handled internally by Nginx? Any hints are appreciated. Thanks, Alex

9 years, 5 months

[nginx] svn commit: r5096 - trunk/src/http

by vbart＠nginx.com

Author: vbart Date: 2013-02-27 17:41:34 +0000 (Wed, 27 Feb 2013) New Revision: 5096 URL: http://trac.nginx.org/nginx/changeset/5096/nginx Log: SNI: added restriction on requesting host other than negotiated. According to RFC 6066, client is not supposed to request a different server name at the application layer. Server implementations that rely upon these names being equal must validate that a client did not send a different name in HTTP request. Current versions of Apache HTTP server always return 400 "Bad Request" in such cases. There exist implementations however (e.g., SPDY) that rely on being able to request different host names in one connection. Given this, we only reject requests with differing host names if verification of client certificates is enabled in a corresponding server configuration. An example of configuration that might not work as expected: server { listen 433 ssl default; return 404; } server { listen 433 ssl; server_name example.org; ssl_client_certificate org.cert; ssl_verify_client on; } server { listen 433 ssl; server_name example.com; ssl_client_certificate com.cert; ssl_verify_client on; } Previously, a client was able to request example.com by presenting a certificate for example.org, and vice versa. Modified: trunk/src/http/ngx_http_request.c Modified: trunk/src/http/ngx_http_request.c =================================================================== --- trunk/src/http/ngx_http_request.c 2013-02-27 17:38:54 UTC (rev 5095) +++ trunk/src/http/ngx_http_request.c 2013-02-27 17:41:34 UTC (rev 5096) @@ -1872,10 +1872,22 @@ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME if (hc->ssl_servername) { + ngx_http_ssl_srv_conf_t *sscf; + if (rc == NGX_DECLINED) { cscf = hc->addr_conf->default_server; rc = NGX_OK; } + + sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module); + + if (sscf->verify) { + ngx_log_error(NGX_LOG_INFO, r->connection->log, 0, + "client attempted to request the server name " + "different from that one was negotiated"); + ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST); + return NGX_ERROR; + } } #endif

9 years, 5 months

[nginx] svn commit: r5095 - trunk/src/http

by vbart＠nginx.com

Author: vbart Date: 2013-02-27 17:38:54 +0000 (Wed, 27 Feb 2013) New Revision: 5095 URL: http://trac.nginx.org/nginx/changeset/5095/nginx Log: SNI: reset to default server if requested host was not found. Not only this is consistent with a case without SNI, but this also prevents abusing configurations that assume that the $host variable is limited to one of the configured names for a server. An example of potentially unsafe configuration: server { listen 443 ssl default_server; ... } server { listen 443; server_name example.com; location / { proxy_pass http://$host; } } Note: it is possible to negotiate "example.com" by SNI, and to request arbitrary host name that does not exist in the configuration above. Modified: trunk/src/http/ngx_http_request.c Modified: trunk/src/http/ngx_http_request.c =================================================================== --- trunk/src/http/ngx_http_request.c 2013-02-27 17:33:59 UTC (rev 5094) +++ trunk/src/http/ngx_http_request.c 2013-02-27 17:38:54 UTC (rev 5095) @@ -1869,6 +1869,17 @@ return NGX_ERROR; } +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + + if (hc->ssl_servername) { + if (rc == NGX_DECLINED) { + cscf = hc->addr_conf->default_server; + rc = NGX_OK; + } + } + +#endif + if (rc == NGX_DECLINED) { return NGX_OK; }

9 years, 5 months

[nginx] svn commit: r5094 - trunk/src/http

by vbart＠nginx.com

Author: vbart Date: 2013-02-27 17:33:59 +0000 (Wed, 27 Feb 2013) New Revision: 5094 URL: http://trac.nginx.org/nginx/changeset/5094/nginx Log: SNI: avoid surplus lookup of virtual server if SNI was used. Modified: trunk/src/http/ngx_http_request.c trunk/src/http/ngx_http_request.h Modified: trunk/src/http/ngx_http_request.c =================================================================== --- trunk/src/http/ngx_http_request.c 2013-02-27 17:27:15 UTC (rev 5093) +++ trunk/src/http/ngx_http_request.c 2013-02-27 17:33:59 UTC (rev 5094) @@ -693,6 +693,13 @@ return SSL_TLSEXT_ERR_NOACK; } + hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t)); + if (hc->ssl_servername == NULL) { + return SSL_TLSEXT_ERR_NOACK; + } + + *hc->ssl_servername = host; + hc->conf_ctx = cscf->ctx; clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module); @@ -1831,6 +1838,28 @@ hc = r->http_connection; +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + + if (hc->ssl_servername) { + if (hc->ssl_servername->len == host->len + && ngx_strncmp(hc->ssl_servername->data, + host->data, host->len) == 0) + { +#if (NGX_PCRE) + if (hc->ssl_servername_regex + && ngx_http_regex_exec(r, hc->ssl_servername_regex, + hc->ssl_servername) != NGX_OK) + { + ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + return NGX_ERROR; + } +#endif + return NGX_OK; + } + } + +#endif + rc = ngx_http_find_virtual_server(r->connection, hc->addr_conf->virtual_names, host, r, &cscf); @@ -1887,6 +1916,8 @@ #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME if (r == NULL) { + ngx_http_connection_t *hc; + for (i = 0; i < virtual_names->nregex; i++) { n = ngx_regex_exec(sn[i].regex->regex, host, NULL, 0); @@ -1896,6 +1927,9 @@ } if (n >= 0) { + hc = c->data; + hc->ssl_servername_regex = sn[i].regex; + *cscfp = sn[i].server; return NGX_OK; } Modified: trunk/src/http/ngx_http_request.h =================================================================== --- trunk/src/http/ngx_http_request.h 2013-02-27 17:27:15 UTC (rev 5093) +++ trunk/src/http/ngx_http_request.h 2013-02-27 17:33:59 UTC (rev 5094) @@ -295,6 +295,13 @@ ngx_http_addr_conf_t *addr_conf; ngx_http_conf_ctx_t *conf_ctx; +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + ngx_str_t *ssl_servername; +#if (NGX_PCRE) + ngx_http_regex_t *ssl_servername_regex; +#endif +#endif + ngx_http_request_t *request; ngx_buf_t **busy;

9 years, 5 months

[nginx] svn commit: r5093 - trunk/src/http

by vbart＠nginx.com

Author: vbart Date: 2013-02-27 17:27:15 +0000 (Wed, 27 Feb 2013) New Revision: 5093 URL: http://trac.nginx.org/nginx/changeset/5093/nginx Log: Apply server configuration as soon as host is known. Previously, this was done only after the whole request header was parsed, and if an error occurred earlier then the request was processed in the default server (or server chosen by SNI), while r->headers_in.server might be set to the value from the Host: header or host from request line. r->headers_in.server is in turn used for $host variable and in HTTP redirects if "server_name_in_redirect" is disabled. Without the change, configurations that rely on this during error handling are potentially unsafe if SNI is used. This change also allows to use server specific settings of "underscores_in_headers", "ignore_invalid_headers", and "large_client_header_buffers" directives for HTTP requests and HTTPS requests without SNI. Modified: trunk/src/http/ngx_http_request.c Modified: trunk/src/http/ngx_http_request.c =================================================================== --- trunk/src/http/ngx_http_request.c 2013-02-27 17:21:21 UTC (rev 5092) +++ trunk/src/http/ngx_http_request.c 2013-02-27 17:27:15 UTC (rev 5093) @@ -919,13 +919,18 @@ return; } + if (ngx_http_set_virtual_server(r, &host) == NGX_ERROR) { + return; + } + r->headers_in.server = host; } if (r->http_version < NGX_HTTP_VERSION_10) { - if (ngx_http_set_virtual_server(r, &r->headers_in.server) - == NGX_ERROR) + if (r->headers_in.server.len == 0 + && ngx_http_set_virtual_server(r, &r->headers_in.server) + == NGX_ERROR) { return; } @@ -1014,7 +1019,6 @@ } cmcf = ngx_http_get_module_main_conf(r, ngx_http_core_module); - cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); rc = NGX_AGAIN; @@ -1068,6 +1072,9 @@ } } + /* the host header could change the server configuration context */ + cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); + rc = ngx_http_parse_header_line(r, r->header_in, cscf->underscores_in_headers); @@ -1444,6 +1451,10 @@ return NGX_OK; } + if (ngx_http_set_virtual_server(r, &host) == NGX_ERROR) { + return NGX_ERROR; + } + r->headers_in.server = host; return NGX_OK; @@ -1570,7 +1581,10 @@ static ngx_int_t ngx_http_process_request_header(ngx_http_request_t *r) { - if (ngx_http_set_virtual_server(r, &r->headers_in.server) == NGX_ERROR) { + if (r->headers_in.server.len == 0 + && ngx_http_set_virtual_server(r, &r->headers_in.server) + == NGX_ERROR) + { return NGX_ERROR; }

9 years, 5 months

[nginx] svn commit: r5092 - trunk/src/http

by vbart＠nginx.com

Author: vbart Date: 2013-02-27 17:21:21 +0000 (Wed, 27 Feb 2013) New Revision: 5092 URL: http://trac.nginx.org/nginx/changeset/5092/nginx Log: SSL: do not treat SSL handshake as request. The request object will not be created until SSL handshake is complete. This simplifies adding another connection handler that does not need request object right after handshake (e.g., SPDY). There are also a few more intentional effects: - the "client_header_buffer_size" directive will be taken from the server configuration that was negotiated by SNI; - SSL handshake errors and timeouts are not logged into access log as bad requests; - ngx_ssl_create_connection() is not called until the first byte of ClientHello message was received. This also decreases memory consumption if plain HTTP request is sent to SSL socket. Modified: trunk/src/http/ngx_http_request.c trunk/src/http/ngx_http_request.h Modified: trunk/src/http/ngx_http_request.c =================================================================== --- trunk/src/http/ngx_http_request.c 2013-02-27 17:16:51 UTC (rev 5091) +++ trunk/src/http/ngx_http_request.c 2013-02-27 17:21:21 UTC (rev 5092) @@ -316,6 +316,31 @@ rev->handler = ngx_http_init_request; c->write->handler = ngx_http_empty_handler; +#if (NGX_HTTP_SSL) + { + ngx_http_ssl_srv_conf_t *sscf; + + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); + + if (sscf->enable || hc->addr_conf->ssl) { + + c->log->action = "SSL handshaking"; + + if (hc->addr_conf->ssl && sscf->ssl.ctx == NULL) { + ngx_log_error(NGX_LOG_ERR, c->log, 0, + "no \"ssl_certificate\" is defined " + "in server listening on SSL port"); + ngx_http_close_connection(c); + return; + } + + hc->ssl = 1; + + rev->handler = ngx_http_ssl_handshake; + } + } +#endif + if (rev->ready) { /* the deferred accept(), rtsig, aio, iocp */ @@ -324,7 +349,7 @@ return; } - ngx_http_init_request(rev); + rev->handler(rev); return; } @@ -395,45 +420,8 @@ r->srv_conf = hc->conf_ctx->srv_conf; r->loc_conf = hc->conf_ctx->loc_conf; - rev->handler = ngx_http_process_request_line; r->read_event_handler = ngx_http_block_reading; -#if (NGX_HTTP_SSL) - - { - ngx_http_ssl_srv_conf_t *sscf; - - sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module); - if (sscf->enable || hc->addr_conf->ssl) { - - if (c->ssl == NULL) { - - c->log->action = "SSL handshaking"; - - if (hc->addr_conf->ssl && sscf->ssl.ctx == NULL) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "no \"ssl_certificate\" is defined " - "in server listening on SSL port"); - ngx_http_close_connection(c); - return; - } - - if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER) - != NGX_OK) - { - ngx_http_close_connection(c); - return; - } - - rev->handler = ngx_http_ssl_handshake; - } - - r->main_filter_need_in_memory = 1; - } - } - -#endif - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); ngx_http_set_connection_log(r->connection, clcf->error_log); @@ -489,6 +477,12 @@ c->single_connection = 1; c->destroyed = 0; +#if (NGX_HTTP_SSL) + if (c->ssl) { + r->main_filter_need_in_memory = 1; + } +#endif + r->main = r; r->count = 1; @@ -519,7 +513,8 @@ (void) ngx_atomic_fetch_add(ngx_stat_requests, 1); #endif - rev->handler(rev); + rev->handler = ngx_http_process_request_line; + ngx_http_process_request_line(rev); } @@ -528,37 +523,48 @@ static void ngx_http_ssl_handshake(ngx_event_t *rev) { - u_char buf[1]; - ssize_t n; - ngx_int_t rc; - ngx_connection_t *c; - ngx_http_request_t *r; + u_char buf[1]; + ssize_t n; + ngx_err_t err; + ngx_int_t rc; + ngx_connection_t *c; + ngx_http_connection_t *hc; + ngx_http_ssl_srv_conf_t *sscf; c = rev->data; - r = c->data; ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0, "http check ssl handshake"); if (rev->timedout) { ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, "client timed out"); - c->timedout = 1; - ngx_http_close_request(r, NGX_HTTP_REQUEST_TIME_OUT); + ngx_http_close_connection(c); return; } n = recv(c->fd, (char *) buf, 1, MSG_PEEK); - if (n == -1 && ngx_socket_errno == NGX_EAGAIN) { + err = ngx_socket_errno; - if (!rev->timer_set) { - ngx_add_timer(rev, c->listening->post_accept_timeout); - } + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0, "http recv(): %d", n); - if (ngx_handle_read_event(rev, 0) != NGX_OK) { - ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); + if (n == -1) { + if (err == NGX_EAGAIN) { + + if (!rev->timer_set) { + ngx_add_timer(rev, c->listening->post_accept_timeout); + } + + if (ngx_handle_read_event(rev, 0) != NGX_OK) { + ngx_http_close_connection(c); + } + + return; } + ngx_connection_error(c, err, "recv() failed"); + ngx_http_close_connection(c); + return; } @@ -567,6 +573,17 @@ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0, "https ssl handshake: 0x%02Xd", buf[0]); + hc = c->data; + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, + ngx_http_ssl_module); + + if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER) + != NGX_OK) + { + ngx_http_close_connection(c); + return; + } + rc = ngx_ssl_handshake(c); if (rc == NGX_AGAIN) { @@ -582,27 +599,26 @@ ngx_http_ssl_handshake_handler(c); return; + } - } else { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0, - "plain http"); + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0, "plain http"); - r->plain_http = 1; - } + c->log->action = "reading client request line"; + + rev->handler = ngx_http_init_request; + ngx_http_init_request(rev); + + return; } - c->log->action = "reading client request line"; - - rev->handler = ngx_http_process_request_line; - ngx_http_process_request_line(rev); + ngx_log_error(NGX_LOG_INFO, c->log, 0, "client closed connection"); + ngx_http_close_connection(c); } static void ngx_http_ssl_handshake_handler(ngx_connection_t *c) { - ngx_http_request_t *r; - if (c->ssl->handshaked) { /* @@ -617,19 +633,19 @@ c->log->action = "reading client request line"; - c->read->handler = ngx_http_process_request_line; + c->read->handler = ngx_http_init_request; /* STUB: epoll edge */ c->write->handler = ngx_http_empty_handler; - ngx_http_process_request_line(c->read); + ngx_http_init_request(c->read); return; } - r = c->data; + if (c->read->timedout) { + ngx_log_error(NGX_LOG_INFO, c->log, NGX_ETIMEDOUT, "client timed out"); + } - ngx_http_close_request(r, NGX_HTTP_BAD_REQUEST); - - return; + ngx_http_close_connection(c); } #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME @@ -640,7 +656,6 @@ ngx_str_t host; const char *servername; ngx_connection_t *c; - ngx_http_request_t *r; ngx_http_connection_t *hc; ngx_http_ssl_srv_conf_t *sscf; ngx_http_core_loc_conf_t *clcf; @@ -663,15 +678,13 @@ return SSL_TLSEXT_ERR_NOACK; } - r = c->data; - host.data = (u_char *) servername; - if (ngx_http_validate_host(&host, r->pool, 1) != NGX_OK) { + if (ngx_http_validate_host(&host, c->pool, 1) != NGX_OK) { return SSL_TLSEXT_ERR_NOACK; } - hc = r->http_connection; + hc = c->data; if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, NULL, &cscf) @@ -682,14 +695,11 @@ hc->conf_ctx = cscf->ctx; - r->srv_conf = cscf->ctx->srv_conf; - r->loc_conf = cscf->ctx->loc_conf; + clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module); - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - ngx_http_set_connection_log(c, clcf->error_log); - sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module); + sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); if (sscf->ssl.ctx) { SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx); @@ -1631,20 +1641,20 @@ c = r->connection; - if (r->plain_http) { - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "client sent plain HTTP request to HTTPS port"); - ngx_http_finalize_request(r, NGX_HTTP_TO_HTTPS); - return; - } - #if (NGX_HTTP_SSL) - if (c->ssl) { + if (r->http_connection->ssl) { long rc; X509 *cert; ngx_http_ssl_srv_conf_t *sscf; + if (c->ssl == NULL) { + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "client sent plain HTTP request to HTTPS port"); + ngx_http_finalize_request(r, NGX_HTTP_TO_HTTPS); + return; + } + sscf = ngx_http_get_module_srv_conf(r, ngx_http_ssl_module); if (sscf->verify) { Modified: trunk/src/http/ngx_http_request.h =================================================================== --- trunk/src/http/ngx_http_request.h 2013-02-27 17:16:51 UTC (rev 5091) +++ trunk/src/http/ngx_http_request.h 2013-02-27 17:21:21 UTC (rev 5092) @@ -303,7 +303,8 @@ ngx_buf_t **free; ngx_int_t nfree; - ngx_uint_t pipeline; /* unsigned pipeline:1; */ + unsigned pipeline:1; + unsigned ssl:1; } ngx_http_connection_t; @@ -492,7 +493,6 @@ #endif unsigned pipeline:1; - unsigned plain_http:1; unsigned chunked:1; unsigned header_only:1; unsigned keepalive:1;

9 years, 5 months

[nginx] svn commit: r5091 - trunk/src/http

by vbart＠nginx.com

Author: vbart Date: 2013-02-27 17:16:51 +0000 (Wed, 27 Feb 2013) New Revision: 5091 URL: http://trac.nginx.org/nginx/changeset/5091/nginx Log: Status: do not count connection as reading right after accept(). Before we receive the first bytes, the connection is counted as waiting. This change simplifies further code changes. Modified: trunk/src/http/ngx_http_request.c Modified: trunk/src/http/ngx_http_request.c =================================================================== --- trunk/src/http/ngx_http_request.c 2013-02-27 17:12:48 UTC (rev 5090) +++ trunk/src/http/ngx_http_request.c 2013-02-27 17:16:51 UTC (rev 5091) @@ -316,10 +316,6 @@ rev->handler = ngx_http_init_request; c->write->handler = ngx_http_empty_handler; -#if (NGX_STAT_STUB) - (void) ngx_atomic_fetch_add(ngx_stat_reading, 1); -#endif - if (rev->ready) { /* the deferred accept(), rtsig, aio, iocp */ @@ -335,9 +331,6 @@ ngx_add_timer(rev, c->listening->post_accept_timeout); if (ngx_handle_read_event(rev, 0) != NGX_OK) { -#if (NGX_STAT_STUB) - (void) ngx_atomic_fetch_add(ngx_stat_reading, -1); -#endif ngx_http_close_connection(c); return; } @@ -356,10 +349,6 @@ ngx_http_core_loc_conf_t *clcf; ngx_http_core_main_conf_t *cmcf; -#if (NGX_STAT_STUB) - (void) ngx_atomic_fetch_add(ngx_stat_reading, -1); -#endif - c = rev->data; if (rev->timedout) { @@ -2613,10 +2602,6 @@ ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "pipelined request"); -#if (NGX_STAT_STUB) - (void) ngx_atomic_fetch_add(ngx_stat_reading, 1); -#endif - hc->pipeline = 1; c->log->action = "reading client pipelined request line"; @@ -2859,10 +2844,6 @@ b->last += n; -#if (NGX_STAT_STUB) - (void) ngx_atomic_fetch_add(ngx_stat_reading, 1); -#endif - c->log->handler = ngx_http_log_error; c->log->action = "reading client request line";

9 years, 5 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

nginx-devel February 2013