nginx-devel May 2013

nginx-devel@nginx.org

25 participants
64 discussions

by Maxim Dounin

Hello! Here are patches for OCSP stapling support. Testing and review appreciated. New directives: ssl_trusted_certificate /path/to/file; Specifies a file with CA certificates in the PEM format used for certificate verification. In contrast to ssl_client_certificate, DNs of these certificates aren't sent to a client in CertificateRequest. ssl_stapling on|off; Activates OCSP stapling. ssl_stapling_file /path/to/file; Use predefined OCSP response for stapling, do not query responder. Assumes OCSP response in DER format as produced by "openssl ocsp". ssl_stapling_responder URL; Use specified OCSP responder instead of one found in AIA certificate extension. Example configuration: server { listen 443 ssl; ssl_certificate /path/to/cert.pem; ssl_certificate_key /path/to/key.pem; ssl_stapling on; ssl_trusted_certificate /path/to/ca.pem; resolver 8.8.8.8; } Known limitations: - Unless externally set OCSP response is used (via the "ssl_stapling_file" directive), stapled response won't be sent in a first connection. This is due to the fact that OCSP responders are currently queried by nginx once it receives connection with certificate_status extension in ClientHello, and due to limitations in OpenSSL API (certificate status callback is blocking). - Cached OCSP responses are currently stored in local process memory (thus each worker process will query OCSP responders independently). This shouldn't be a problem as typical number of worker processes is low, usually set match number of CPUs. - Various timeouts are hardcoded (connect/read/write timeouts are 60s, response is considered to be valid for 1h after loading). Adding configuration directives to control these would be trivial, but it may be a better idea to actually omit them for simplicity. - Only "http://" OCSP responders are recognized. Patch can be found here: http://nginx.org/patches/ocsp-stapling/ Thanks to Comodo, DigiCert and GlobalSign for sponsoring this work. Maxim Dounin

9 years, 2 months

best way to get a 1-second timer-tick?

by Neil Mckee

Hello, I have written a module to implement sFlow in nginx (nginx-sflow-module.googlecode.com). I'm simulating a 1-second timer-tick by assuming that the request handler will be called at least once per second. That's probably a safe assumption for any server that would care about sFlow monitoring, but I expect there's a better way... I tried asking for a timer callback like this: ngx_event_t *ev = ngx_pcalloc(pool, sizeof(ngx_event_t)); ev->hander = ngx_http_sflow_tick_event_hander; ngx_add_timer(ev, 1000); but (like most russian girls) the event never called me back. It looks like I might have to hang this on a file-descriptor somehow, but that's where I'm getting lost. Any pointers would be most appreciated. Neil

9 years, 3 months

[PATCH] Make ngx_http_upstream provide a way to expose errors after sending out the response header

by agentzh

Hello! According to the current implementation of ngx_http_upstream, there is almost no way for 3rd-party output body filters and "post_subrequest" handlers (in the subrequest context) to know if there's any errors while ngx_http_upstream is processing the upstream response body after the response header is sent out (in both the buffered and non-buffered modes). For example, if 1. a read-timeout happens in the middle of the process of reading the upstream response body, 2. or the upstream connection is closed prematurely in the same situation, then ngx_http_upstream will just happily finalize the current request with the status code 0 (i.e., NGX_OK). This issue already affects at least our ngx_srcache and ngx_lua modules (originally reported by Bryan Alger). Here attaches a patch that makes ngx_http_upstream set r->headers_out.status to a new error status code to notify the outside world if there is a problem. Comments will be highly appreciated as always :) Thanks! -agentzh --- nginx-1.2.3/src/http/ngx_http_upstream.c 2012-08-06 10:34:08.000000000 -0700 +++ nginx-1.2.3-patched/src/http/ngx_http_upstream.c 2012-09-09 21:58:04.727761891 -0700 @@ -2383,7 +2383,7 @@ if (c->read->timedout) { ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - ngx_http_upstream_finalize_request(r, u, 0); + ngx_http_upstream_finalize_request(r, u, NGX_HTTP_GATEWAY_TIME_OUT); return; } @@ -2430,13 +2430,17 @@ if (u->busy_bufs == NULL) { if (u->length == 0 - || upstream->read->eof - || upstream->read->error) + || (upstream->read->eof && u->headers_in.content_length_n == -1)) { ngx_http_upstream_finalize_request(r, u, 0); return; } + if (upstream->read->eof || upstream->read->error) { + ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); + return; + } + b->pos = b->start; b->last = b->start; } @@ -2710,7 +2714,16 @@ #if 0 ngx_http_busy_unlock(u->conf->busy_lock, &u->busy_lock); #endif - ngx_http_upstream_finalize_request(r, u, 0); + + if (p->upstream_done + || (p->upstream_eof && u->headers_in.content_length_n == -1)) + { + ngx_http_upstream_finalize_request(r, u, 0); + + } else { + ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); + } + return; } } @@ -3073,6 +3086,13 @@ && rc != NGX_HTTP_REQUEST_TIME_OUT && (rc == NGX_ERROR || rc >= NGX_HTTP_SPECIAL_RESPONSE)) { + if (rc == NGX_ERROR) { + r->headers_out.status = NGX_HTTP_INTERNAL_SERVER_ERROR; + + } else { + r->headers_out.status = rc; + } + rc = 0; }

9 years, 4 months

[PATCH] SNI: better server name handling.

by Piotr Sikora

# HG changeset patch # User Piotr Sikora <piotr(a)cloudflare.com> # Date 1369177319 25200 # Node ID 4b277448dfd56751c7c88477e78b2ba3cf6ae472 # Parent 1d68b502088c9d6e6603e9699354e36d03d77f9c SNI: better server name handling. Acknowledge acceptance of SNI server name to the OpenSSL library, which in turn lets the client know that it was accepted (by sending "server_name" TLS extension in the "ServerHello" handshake message, as suggested by RFC4366). Previously, this would happen only in case when requested server name was on the "server_name" list and either: there were multiple virtual servers defined for the same listening port or there was at least one regular expression with captures in the "server_name" directive. As a consequence, this change also: 1. Preserves requested SNI server name for future use. 2. Avoids unnecessary setting of SSL options if the virtual server didn't change. 3. Avoids unnecessary lookup of virtual server later on if requested HTTP server name is the same as requested SNI server name. Signed-off-by: Piotr Sikora <piotr(a)cloudflare.com> diff -r 1d68b502088c -r 4b277448dfd5 src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c Tue May 21 21:47:50 2013 +0400 +++ b/src/http/ngx_http_request.c Tue May 21 16:01:59 2013 -0700 @@ -773,6 +773,7 @@ ngx_http_ssl_srv_conf_t *sscf; ngx_http_core_loc_conf_t *clcf; ngx_http_core_srv_conf_t *cscf; + ngx_int_t rc; servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name); @@ -799,10 +800,10 @@ hc = c->data; - if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, - NULL, &cscf) - != NGX_OK) - { + rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host, + NULL, &cscf); + + if (rc == NGX_ERROR) { return SSL_TLSEXT_ERR_NOACK; } @@ -813,6 +814,10 @@ *hc->ssl_servername = host; + if (rc == NGX_DECLINED || hc->conf_ctx == cscf->ctx) { + return SSL_TLSEXT_ERR_OK; + } + hc->conf_ctx = cscf->ctx; clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);

9 years, 4 months

[PATCH] SPDY: Allow returning the full status line

by Jim Radford

# HG changeset patch # User Jim Radford <radford(a)galvanix.com> # Date 1369948357 25200 # Node ID 5b75a45ba4deae4b0047357d9bdad7472a83ea3d # Parent 00dbfac67e48a8fe20802287b6fca50950178b8b SPDY: Allow returning the full status line diff -r 00dbfac67e48 -r 5b75a45ba4de src/http/ngx_http_spdy_filter_module.c --- a/src/http/ngx_http_spdy_filter_module.c Thu May 30 18:23:05 2013 +0400 +++ b/src/http/ngx_http_spdy_filter_module.c Thu May 30 14:12:37 2013 -0700 @@ -304,8 +304,14 @@ last = ngx_http_spdy_nv_write_val(last, "HTTP/1.1"); last = ngx_http_spdy_nv_write_name(last, "status"); - last = ngx_spdy_frame_write_uint16(last, 3); - last = ngx_sprintf(last, "%03ui", r->headers_out.status); + if (r->headers_out.status_line.len) { + last = ngx_http_spdy_nv_write_vlen(last, r->headers_out.status_line.len); + last = ngx_cpymem(last, r->headers_out.status_line.data, + r->headers_out.status_line.len); + } else { + last = ngx_spdy_frame_write_uint16(last, 3); + last = ngx_sprintf(last, "%03ui", r->headers_out.status); + } count = 2;

9 years, 6 months

Function in Filter/Handler Chain Doing Actual Sending?

by Zorceta Moshak

Hi there, I'm about to put some traffic stats code into the nginx core, as I'm going to let the traffic go into specific user's "iptables" statistics by setuid() rather than creating a filter counting bytes,for other toys are already going thru iptables. The problem is,that I can't figure out where's the point......Evan Miller's articles?Read,but still not clear about how to go thru the chain.In "ngx_http_write_handler" found the struct "connection" has a pointer to function "send_chain" that might be,but can't find it anywhere.I'm not that kind waiting for a LMGIFY link(although Google doesn't help either),but I gracefully appreciate if you can tell it.Thanks a looooooooooooot!! Yours, Zorceta Moshak

9 years, 6 months

[nginx] Win32: accept_mutex now always disabled (ticket #362).

by Maxim Dounin

details: http://hg.nginx.org/nginx/rev/c9fe549b127b branches: changeset: 5235:c9fe549b127b user: Maxim Dounin <mdounin(a)mdounin.ru> date: Fri May 31 14:59:26 2013 +0400 description: Win32: accept_mutex now always disabled (ticket #362). Use of accept mutex on win32 may result in a deadlock if there are multiple worker_processes configured and the mutex is grabbed by a process which can't accept connections. diffstat: src/event/ngx_event.c | 11 +++++++++++ 1 files changed, 11 insertions(+), 0 deletions(-) diffs (21 lines): diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c --- a/src/event/ngx_event.c +++ b/src/event/ngx_event.c @@ -607,6 +607,17 @@ ngx_event_process_init(ngx_cycle_t *cycl ngx_use_accept_mutex = 0; } +#if (NGX_WIN32) + + /* + * disable accept mutex on win32 as it may cause deadlock if + * grabbed by a process which can't accept connections + */ + + ngx_use_accept_mutex = 0; + +#endif + #if (NGX_THREADS) ngx_posted_events_mutex = ngx_mutex_init(cycle->log, 0); if (ngx_posted_events_mutex == NULL) {

9 years, 6 months

[nginx] OCSP stapling: fixed incorrect debug level.

by Ruslan Ermilov

details: http://hg.nginx.org/nginx/rev/a855ae7e6377 branches: changeset: 5234:a855ae7e6377 user: Ruslan Ermilov <ru(a)nginx.com> date: Fri May 31 13:30:37 2013 +0400 description: OCSP stapling: fixed incorrect debug level. diffstat: src/event/ngx_event_openssl_stapling.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 00dbfac67e48 -r a855ae7e6377 src/event/ngx_event_openssl_stapling.c --- a/src/event/ngx_event_openssl_stapling.c Thu May 30 18:23:05 2013 +0400 +++ b/src/event/ngx_event_openssl_stapling.c Fri May 31 13:30:37 2013 +0400 @@ -822,7 +822,7 @@ ngx_ssl_ocsp_resolve_handler(ngx_resolve ngx_uint_t i; struct sockaddr_in *sin; - ngx_log_debug0(NGX_LOG_ALERT, ctx->log, 0, + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ctx->log, 0, "ssl ocsp resolve handler"); if (resolve->state) {

9 years, 6 months

[nginx] Access: support for UNIX-domain client addresses (ticket...

by Ruslan Ermilov

details: http://hg.nginx.org/nginx/rev/00dbfac67e48 branches: changeset: 5233:00dbfac67e48 user: Ruslan Ermilov <ru(a)nginx.com> date: Thu May 30 18:23:05 2013 +0400 description: Access: support for UNIX-domain client addresses (ticket #359). diffstat: src/http/modules/ngx_http_access_module.c | 170 +++++++++++++++++++++-------- 1 files changed, 123 insertions(+), 47 deletions(-) diffs (248 lines): diff -r 53eb1e67e432 -r 00dbfac67e48 src/http/modules/ngx_http_access_module.c --- a/src/http/modules/ngx_http_access_module.c Wed May 29 19:18:22 2013 +0400 +++ b/src/http/modules/ngx_http_access_module.c Thu May 30 18:23:05 2013 +0400 @@ -26,11 +26,22 @@ typedef struct { #endif +#if (NGX_HAVE_UNIX_DOMAIN) + +typedef struct { + ngx_uint_t deny; /* unsigned deny:1; */ +} ngx_http_access_rule_un_t; + +#endif + typedef struct { ngx_array_t *rules; /* array of ngx_http_access_rule_t */ #if (NGX_HAVE_INET6) ngx_array_t *rules6; /* array of ngx_http_access_rule6_t */ #endif +#if (NGX_HAVE_UNIX_DOMAIN) + ngx_array_t *rules_un; /* array of ngx_http_access_rule_un_t */ +#endif } ngx_http_access_loc_conf_t; @@ -41,6 +52,10 @@ static ngx_int_t ngx_http_access_inet(ng static ngx_int_t ngx_http_access_inet6(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf, u_char *p); #endif +#if (NGX_HAVE_UNIX_DOMAIN) +static ngx_int_t ngx_http_access_unix(ngx_http_request_t *r, + ngx_http_access_loc_conf_t *alcf); +#endif static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny); static char *ngx_http_access_rule(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); @@ -144,6 +159,19 @@ ngx_http_access_handler(ngx_http_request return ngx_http_access_inet6(r, alcf, p); } + break; + +#endif + +#if (NGX_HAVE_UNIX_DOMAIN) + + case AF_UNIX: + if (alcf->rules_un) { + return ngx_http_access_unix(r, alcf); + } + + break; + #endif } @@ -221,6 +249,25 @@ ngx_http_access_inet6(ngx_http_request_t #endif +#if (NGX_HAVE_UNIX_DOMAIN) + +static ngx_int_t +ngx_http_access_unix(ngx_http_request_t *r, ngx_http_access_loc_conf_t *alcf) +{ + ngx_uint_t i; + ngx_http_access_rule_un_t *rule_un; + + rule_un = alcf->rules_un->elts; + for (i = 0; i < alcf->rules_un->nelts; i++) { + return ngx_http_access_found(r, rule_un[i].deny); + } + + return NGX_DECLINED; +} + +#endif + + static ngx_int_t ngx_http_access_found(ngx_http_request_t *r, ngx_uint_t deny) { @@ -246,13 +293,16 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx { ngx_http_access_loc_conf_t *alcf = conf; - ngx_int_t rc; - ngx_uint_t all; - ngx_str_t *value; - ngx_cidr_t cidr; - ngx_http_access_rule_t *rule; + ngx_int_t rc; + ngx_uint_t all; + ngx_str_t *value; + ngx_cidr_t cidr; + ngx_http_access_rule_t *rule; #if (NGX_HAVE_INET6) - ngx_http_access_rule6_t *rule6; + ngx_http_access_rule6_t *rule6; +#endif +#if (NGX_HAVE_UNIX_DOMAIN) + ngx_http_access_rule_un_t *rule_un; #endif ngx_memzero(&cidr, sizeof(ngx_cidr_t)); @@ -263,7 +313,19 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx if (!all) { +#if (NGX_HAVE_UNIX_DOMAIN) + + if (value[1].len == 5 && ngx_strcmp(value[1].data, "unix:") == 0) { + cidr.family = AF_UNIX; + rc = NGX_OK; + + } else { + rc = ngx_ptocidr(&value[1], &cidr); + } + +#else rc = ngx_ptocidr(&value[1], &cidr); +#endif if (rc == NGX_ERROR) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, @@ -277,37 +339,7 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx } } - switch (cidr.family) { - -#if (NGX_HAVE_INET6) - case AF_INET6: - case 0: /* all */ - - if (alcf->rules6 == NULL) { - alcf->rules6 = ngx_array_create(cf->pool, 4, - sizeof(ngx_http_access_rule6_t)); - if (alcf->rules6 == NULL) { - return NGX_CONF_ERROR; - } - } - - rule6 = ngx_array_push(alcf->rules6); - if (rule6 == NULL) { - return NGX_CONF_ERROR; - } - - rule6->mask = cidr.u.in6.mask; - rule6->addr = cidr.u.in6.addr; - rule6->deny = (value[0].data[0] == 'd') ? 1 : 0; - - if (!all) { - break; - } - - /* "all" passes through */ -#endif - - default: /* AF_INET */ + if (cidr.family == AF_INET || all) { if (alcf->rules == NULL) { alcf->rules = ngx_array_create(cf->pool, 4, @@ -327,6 +359,48 @@ ngx_http_access_rule(ngx_conf_t *cf, ngx rule->deny = (value[0].data[0] == 'd') ? 1 : 0; } +#if (NGX_HAVE_INET6) + if (cidr.family == AF_INET6 || all) { + + if (alcf->rules6 == NULL) { + alcf->rules6 = ngx_array_create(cf->pool, 4, + sizeof(ngx_http_access_rule6_t)); + if (alcf->rules6 == NULL) { + return NGX_CONF_ERROR; + } + } + + rule6 = ngx_array_push(alcf->rules6); + if (rule6 == NULL) { + return NGX_CONF_ERROR; + } + + rule6->mask = cidr.u.in6.mask; + rule6->addr = cidr.u.in6.addr; + rule6->deny = (value[0].data[0] == 'd') ? 1 : 0; + } +#endif + +#if (NGX_HAVE_UNIX_DOMAIN) + if (cidr.family == AF_UNIX || all) { + + if (alcf->rules_un == NULL) { + alcf->rules_un = ngx_array_create(cf->pool, 1, + sizeof(ngx_http_access_rule_un_t)); + if (alcf->rules_un == NULL) { + return NGX_CONF_ERROR; + } + } + + rule_un = ngx_array_push(alcf->rules_un); + if (rule_un == NULL) { + return NGX_CONF_ERROR; + } + + rule_un->deny = (value[0].data[0] == 'd') ? 1 : 0; + } +#endif + return NGX_CONF_OK; } @@ -351,21 +425,23 @@ ngx_http_access_merge_loc_conf(ngx_conf_ ngx_http_access_loc_conf_t *prev = parent; ngx_http_access_loc_conf_t *conf = child; + if (conf->rules == NULL #if (NGX_HAVE_INET6) - - if (conf->rules == NULL && conf->rules6 == NULL) { + && conf->rules6 == NULL +#endif +#if (NGX_HAVE_UNIX_DOMAIN) + && conf->rules_un == NULL +#endif + ) { conf->rules = prev->rules; +#if (NGX_HAVE_INET6) conf->rules6 = prev->rules6; +#endif +#if (NGX_HAVE_UNIX_DOMAIN) + conf->rules_un = prev->rules_un; +#endif } -#else - - if (conf->rules == NULL) { - conf->rules = prev->rules; - } - -#endif - return NGX_CONF_OK; }

9 years, 6 months

[nginx] Win32: added missing reset of wev->ready on WSAEWOULDBLOCK.

by Maxim Dounin

details: http://hg.nginx.org/nginx/rev/53eb1e67e432 branches: changeset: 5232:53eb1e67e432 user: Maxim Dounin <mdounin(a)mdounin.ru> date: Wed May 29 19:18:22 2013 +0400 description: Win32: added missing reset of wev->ready on WSAEWOULDBLOCK. This fixes connection hang with websockets proxy, and likely some other places as well. diffstat: src/os/win32/ngx_wsasend.c | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (11 lines): diff --git a/src/os/win32/ngx_wsasend.c b/src/os/win32/ngx_wsasend.c --- a/src/os/win32/ngx_wsasend.c +++ b/src/os/win32/ngx_wsasend.c @@ -54,6 +54,7 @@ ngx_wsasend(ngx_connection_t *c, u_char if (err == WSAEWOULDBLOCK) { ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, err, "WSASend() not ready"); + wev->ready = 0; return NGX_AGAIN; }

9 years, 6 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

nginx-devel May 2013