nginx-devel October 2015

nginx-devel@nginx.org

32 participants
62 discussions

[PATCH] Remove auto/lib/test, unused since nginx-0.1.2

by Piotr Sikora

# HG changeset patch # User Piotr Sikora <piotrsikora(a)google.com> # Date 1445649693 25200 # Fri Oct 23 18:21:33 2015 -0700 # Node ID a8be1943bde3ea151ade97149856684db4066fe3 # Parent ee16fb0db905cfb858a929374cf623cdf1a0f9d3 Remove auto/lib/test, unused since nginx-0.1.2. Signed-off-by: Piotr Sikora <piotrsikora(a)google.com> diff -r ee16fb0db905 -r a8be1943bde3 auto/lib/test --- a/auto/lib/test +++ /dev/null @@ -1,40 +0,0 @@ - -# Copyright (C) Igor Sysoev -# Copyright (C) Nginx, Inc. - - -echo $ngx_n "checking for $ngx_lib ...$ngx_c" - -cat << END >> $NGX_AUTOCONF_ERR - ----------------------------------------- -checking for $ngx_lib - -END - -ngx_found=no - -cat << END > $NGX_AUTOTEST.c - -$ngx_lib_incs - -int main() { - $ngx_lib_test; - return 0; -} - - -eval "$CC $cc_test_flags $ngx_lib_cflags \ - -o $NGX_AUTOTEST $NGX_AUTOTEST.c $ngx_libs \ - >> $NGX_ERR 2>&1" - -if [ -x $NGX_AUTOTEST ]; then - echo " found" - - ngx_found=yes - -else - echo " not found" -fi - -rm -rf $NGX_AUTOTEST*

6 years, 1 month

Multiple certificate support revisited

by Brandon Black

Hi all, The Wikimedia Foundation has been running nginx-1.9.3 patched for multi-certificate support for all production TLS traffic for a few weeks now without incident, for all inbound requests to Wikipedia and other associated projects of the Foundation. We initially used the older March variant of Filipe's patches ( http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006734.html ), and last week we switched to using the April 27 variant ( http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006863.html ), which is the last known public variant I'm aware of. These were in turn based on kyprizel's patch ( http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006668.html ), which was based on Rob's patch from nearly two years ago ( http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004376.html ). It has a long and colorful history at this point :) We've forward-ported Filipe's Apr 27 variant onto Debian's 1.9.3-1 package. Most of the porting was trivial (offsets / whitespace / etc). There were a couple of slightly more substantial issues around the newer OCSP Stapling valid-timestamp checking, and the porting of the general multi-cert work to the newer stream modules. The ported/updated variant of the patches we're running is available here in our repo: https://github.com/wikimedia/operations-software-nginx/blob/wmf-1.9.3-1/deb… Our configuration uses a pair of otherwise-identical RSA and ECDSA keys and an external OCSP ssl_stapling_file (certs are from GlobalSign, chain/OCSP info is identical in the pair). Our typical relevant config fragment in the server section looks like this: ------------ ssl_certificate /etc/ssl/localcerts/ecc-uni.wikimedia.org.chained.crt; ssl_certificate_key /etc/ssl/private/ecc-uni.wikimedia.org.key; ssl_certificate /etc/ssl/localcerts/uni.wikimedia.org.chained.crt; ssl_certificate_key /etc/ssl/private/uni.wikimedia.org.key; ssl_stapling on; ssl_stapling_file /var/cache/ocsp/unified.ocsp; ------------- Obviously, we'd rather get this work (or something similar) upstreamed so that we don't have to maintain local patches for this indefinitely, and so that everyone else can use it easily too. I'm assuming the reason it wasn't merged in the past is there may be other issues blocking the merge that just weren't relevant to our particular configuration, or are just matters of cleanliness or implementation detail. I'd be happy to work with whoever on resolving that and getting this patchset into a merge-able state. Does anyone know what the outstanding issues were/are? Some of the past list traffic on this is a bit fragmented. Thanks, -- Brandon

6 years, 3 months

ngx_ext_rename_file: remove the target file if ngx_copy_file() fails

by Mindaugas Rasiukevicius

Hi, Some background: nginx 1.9.2, used as a cache, can get into the state when it stops evicting the objects and eventually stops caching without being able to recover. This happens when the disk is full. Consider the following nginx.conf fragment: proxy_cache_path /cache/nginx levels=1:2 keys_zone=c3:4096m max_size=8500g inactive=30d use_temp_path=on; proxy_temp_path /cache/nginx-tmp 1 2; The disk is filled because the workers have been fetching the data from the backend faster than the cache manager is able to evict: $ df -h | grep cache /dev/sdb1 8.7T 8.7T 16M 100% /cache tmpfs 2.0G 0 2.0G 0% /cache/nginx-tmp Since /cache and /cache/nginx-tmp are separate mount points, nginx has to perform copy instead of rename. The copy functions fails due to ENOSPC, but the ngx_ext_rename_file() does not clean up the failed target. At this point, based on ngx_http_file_cache_sh_t::size, the cache manager believes that the 8.5 TB threshold has not been crossed and nginx fails to recover. Please find the patch attached. -- Mindaugas

6 years, 9 months

[PATCH] Configure: remove redundant NGX_OPENSSL_MD5

by Piotr Sikora

# HG changeset patch # User Piotr Sikora <piotrsikora(a)google.com> # Date 1445649693 25200 # Fri Oct 23 18:21:33 2015 -0700 # Node ID 84b5500257121c6bd3e1c0e778cfde8915bf3fcc # Parent 7435401242d6dbfdb4b42339ab2d96ed30d397a7 Configure: remove redundant NGX_OPENSSL_MD5. Previously, both NGX_OPENSSL_MD5 and NGX_HAVE_OPENSSL_MD5_H had to be defined. While there, add missing _H to NGX_HAVE_OPENSSL_MD5. Signed-off-by: Piotr Sikora <piotrsikora(a)google.com> diff -r 7435401242d6 -r 84b550025712 auto/lib/conf --- a/auto/lib/conf +++ b/auto/lib/conf @@ -29,7 +29,6 @@ if [ $USE_MD5 = YES ]; then if [ $USE_OPENSSL = YES ]; then have=NGX_HAVE_OPENSSL_MD5_H . auto/have - have=NGX_OPENSSL_MD5 . auto/have have=NGX_HAVE_MD5 . auto/have MD5=YES MD5_LIB=OpenSSL diff -r 7435401242d6 -r 84b550025712 auto/lib/md5/conf --- a/auto/lib/md5/conf +++ b/auto/lib/md5/conf @@ -8,8 +8,7 @@ if [ $MD5 != NONE ]; then if grep MD5_Init $MD5/md5.h 2>&1 >/dev/null; then # OpenSSL md5 OPENSSL_MD5=YES - have=NGX_HAVE_OPENSSL_MD5 . auto/have - have=NGX_OPENSSL_MD5 . auto/have + have=NGX_HAVE_OPENSSL_MD5_H . auto/have else # rsaref md5 OPENSSL_MD5=NO @@ -79,7 +78,6 @@ else # OpenSSL crypto library ngx_feature="md5 in system OpenSSL crypto library" - ngx_feature_name="NGX_OPENSSL_MD5" ngx_feature_incs="#include <openssl/md5.h>" ngx_feature_libs="-lcrypto" ngx_feature_test="MD5_CTX md5; MD5_Init(&md5)" @@ -89,7 +87,6 @@ else if [ $ngx_found = yes ]; then have=NGX_HAVE_OPENSSL_MD5_H . auto/have - have=NGX_HAVE_MD5 . auto/have fi fi diff -r 7435401242d6 -r 84b550025712 src/core/ngx_md5.h --- a/src/core/ngx_md5.h +++ b/src/core/ngx_md5.h @@ -25,7 +25,7 @@ typedef MD5_CTX ngx_md5_t; -#if (NGX_OPENSSL_MD5) +#if (NGX_HAVE_OPENSSL_MD5_H) #define ngx_md5_init MD5_Init #define ngx_md5_update MD5_Update

6 years, 9 months

[PATCH] Configure: remove redundant NGX_OPENSSL

by Piotr Sikora

# HG changeset patch # User Piotr Sikora <piotrsikora(a)google.com> # Date 1445649693 25200 # Fri Oct 23 18:21:33 2015 -0700 # Node ID 7435401242d6dbfdb4b42339ab2d96ed30d397a7 # Parent 8c25beef3cc4f7d3b88c8718bd24f02b1bc39d35 Configure: remove redundant NGX_OPENSSL. Previously, both NGX_OPENSSL (used to init library and include headers) and NGX_SSL (used in rest of the source code) had to be defined. Signed-off-by: Piotr Sikora <piotrsikora(a)google.com> diff -r 8c25beef3cc4 -r 7435401242d6 auto/lib/openssl/conf --- a/auto/lib/openssl/conf +++ b/auto/lib/openssl/conf @@ -8,7 +8,6 @@ if [ $OPENSSL != NONE ]; then case "$CC" in cl | bcc32) - have=NGX_OPENSSL . auto/have have=NGX_SSL . auto/have CFLAGS="$CFLAGS -DNO_SYS_TYPES_H" @@ -25,7 +24,6 @@ if [ $OPENSSL != NONE ]; then ;; *) - have=NGX_OPENSSL . auto/have have=NGX_SSL . auto/have CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include" @@ -47,7 +45,7 @@ else OPENSSL=NO ngx_feature="OpenSSL library" - ngx_feature_name="NGX_OPENSSL" + ngx_feature_name="NGX_SSL" ngx_feature_run=no ngx_feature_incs="#include <openssl/ssl.h>" ngx_feature_path= @@ -104,7 +102,6 @@ else fi if [ $ngx_found = yes ]; then - have=NGX_SSL . auto/have CORE_LIBS="$CORE_LIBS $ngx_feature_libs $NGX_LIBDL" OPENSSL=YES fi diff -r 8c25beef3cc4 -r 7435401242d6 src/core/nginx.c --- a/src/core/nginx.c +++ b/src/core/nginx.c @@ -218,7 +218,7 @@ main(int argc, char *const *argv) } /* STUB */ -#if (NGX_OPENSSL) +#if (NGX_SSL) ngx_ssl_init(log); #endif diff -r 8c25beef3cc4 -r 7435401242d6 src/core/ngx_core.h --- a/src/core/ngx_core.h +++ b/src/core/ngx_core.h @@ -77,7 +77,7 @@ typedef void (*ngx_connection_handler_pt #include <ngx_inet.h> #include <ngx_cycle.h> #include <ngx_resolver.h> -#if (NGX_OPENSSL) +#if (NGX_SSL) #include <ngx_event_openssl.h> #endif #include <ngx_process_cycle.h>

6 years, 9 months

Opera issue

by Mateusz Gruszczyński

Hi everyone, I have a little trouble with the operation of HTTP / 2 Opera browser For Mozilla FF and Chrome all OK. ( http://prntscr.com/8xlrln ) In Opera I have an error in the style of "not received data." -> http://prntscr.com/8xlr5j VHost-> http://pastebin.com/CqJqnvmG Server CNF -> http://pastebin.com/QMtHN4a3 NGINX packets-> http://pastebin.com/MDKrErmH Tested on a verified certificate and is the same thing. Version Opera 32.0 (Windows 8.1) Does anyone have a solution? It may be for Opera to disable http/2 and the rest have included? -- Pozdrawiam || Best regards Mateusz Gruszczyński linuxiarz.pl

6 years, 9 months

Processing responses of unbounded sizes from upstream servers

by Maxime Henrion

Hello all, I am currently developing a module that has to send a number of subrequests to upstream servers, and aggregate them through application logic. I am currently doing that through a post-subrequest handler, using the NGX_HTTP_SUBREQUEST_IN_MEMORY flag. My problem is that it is possible to receive very large responses from the upstream servers, and I end up with the "upstream buffer is too small" error, even after bumping the buffer sizes a number of times. It is my understanding that if I drop this subrequest flag, nginx wouldn't try to make the response fit in a single buffer anymore, but then I have no idea how to get at that buffer chain - my post-subrequest handler only knows about the single buffer in the upstream structure and I haven't been able to locate a piece of code that would do things differently. I suppose it would be possible to use an output filter instead of a post-subrequest handler for that use case, would that make sense? And last but not least, if I go down that road, can I just move my module "declaration" to the HTTP_AUX_FILTER_MODULES variable (from HTTP_MODULES), and still have the rest of module work fine, or will I need to use a second module for that? Thanks a lot in advance! Maxime

6 years, 9 months

[nginx] Fixed ngx_parse_time() out of bounds access (ticket #821).

by Maxim Dounin

details: http://hg.nginx.org/nginx/rev/4ccb37b04454 branches: changeset: 6287:4ccb37b04454 user: Maxim Dounin <mdounin(a)mdounin.ru> date: Fri Oct 30 21:43:30 2015 +0300 description: Fixed ngx_parse_time() out of bounds access (ticket #821). The code failed to ensure that "s" is within the buffer passed for parsing when checking for "ms", and this resulted in unexpected errors when parsing non-null-terminated strings with trailing "m". The bug manifested itself when the expires directive was used with variables. Found by Roman Arutyunyan. diffstat: src/core/ngx_parse.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c --- a/src/core/ngx_parse.c +++ b/src/core/ngx_parse.c @@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint break; case 'm': - if (*p == 's') { + if (p < last && *p == 's') { if (is_sec || step >= st_msec) { return NGX_ERROR; }

6 years, 9 months

Syslog Unix socket patch

by Nils Hermansson

# HG changeset patch # User Nils Hermansson <3tnica(a)gmail.com> # Date 1445625283 -7200 # Fri Oct 23 20:34:43 2015 +0200 # Node ID 868fc6b3bf69be611118c597578e749c65698b8c # Parent ee16fb0db905cfb858a929374cf623cdf1a0f9d3 Most standard syslog facilicties do not expect hostname when logging to Unix Sockets. This patch removes hostname from syslog message when logging to Unix Socket. Tested on rsyslog and syslog-ng diff -r ee16fb0db905 -r 868fc6b3bf69 src/core/ngx_syslog.c --- a/src/core/ngx_syslog.c Tue Oct 20 21:28:38 2015 +0300 +++ b/src/core/ngx_syslog.c Fri Oct 23 20:34:43 2015 +0200 @@ -219,9 +219,17 @@ ngx_uint_t pri; pri = peer->facility * 8 + peer->severity; - - return ngx_sprintf(buf, "<%ui>%V %V %V: ", pri, &ngx_cached_syslog_time, +#if (NGX_HAVE_UNIX_DOMAIN) + if (peer->server.sockaddr->sa_family == AF_UNIX) { + return ngx_sprintf(buf, "<%ui>%V %V: ", pri, &ngx_cached_syslog_time, + &peer->tag); + } else { +#endif + return ngx_sprintf(buf, "<%ui>%V %V %V: ", pri, &ngx_cached_syslog_time, &ngx_cycle->hostname, &peer->tag); +#if (NGX_HAVE_UNIX_DOMAIN) + } +#endif }

6 years, 9 months

[nginx] Syslog: added "nohostname" option.

by Vladimir Homutov

details: http://hg.nginx.org/nginx/rev/a6a2016b8e31 branches: changeset: 6286:a6a2016b8e31 user: Vladimir Homutov <vl(a)nginx.com> date: Mon Oct 26 19:06:42 2015 +0300 description: Syslog: added "nohostname" option. The option disables sending hostname in the syslog message header. This is useful with syslog daemons that do not expect it (tickets #677 and #783). diffstat: src/core/ngx_syslog.c | 8 ++++++++ src/core/ngx_syslog.h | 3 ++- 2 files changed, 10 insertions(+), 1 deletions(-) diffs (38 lines): diff -r 1f26bf65b1bc -r a6a2016b8e31 src/core/ngx_syslog.c --- a/src/core/ngx_syslog.c Tue Oct 27 23:16:35 2015 +0300 +++ b/src/core/ngx_syslog.c Mon Oct 26 19:06:42 2015 +0300 @@ -194,6 +194,9 @@ ngx_syslog_parse_args(ngx_conf_t *cf, ng peer->tag.data = p + 4; peer->tag.len = len - 4; + } else if (len == 10 && ngx_strncmp(p, "nohostname", 10) == 0) { + peer->nohostname = 1; + } else { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "unknown syslog parameter \"%s\"", p); @@ -220,6 +223,11 @@ ngx_syslog_add_header(ngx_syslog_peer_t pri = peer->facility * 8 + peer->severity; + if (peer->nohostname) { + return ngx_sprintf(buf, "<%ui>%V %V: ", pri, &ngx_cached_syslog_time, + &peer->tag); + } + return ngx_sprintf(buf, "<%ui>%V %V %V: ", pri, &ngx_cached_syslog_time, &ngx_cycle->hostname, &peer->tag); } diff -r 1f26bf65b1bc -r a6a2016b8e31 src/core/ngx_syslog.h --- a/src/core/ngx_syslog.h Tue Oct 27 23:16:35 2015 +0300 +++ b/src/core/ngx_syslog.h Mon Oct 26 19:06:42 2015 +0300 @@ -16,7 +16,8 @@ typedef struct { ngx_addr_t server; ngx_connection_t conn; - ngx_uint_t busy; /* unsigned busy:1; */ + unsigned busy:1; + unsigned nohostname:1; } ngx_syslog_peer_t;

6 years, 9 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

nginx-devel October 2015