Hi all,
The Wikimedia Foundation has been running nginx-1.9.3 patched for
multi-certificate support for all production TLS traffic for a few
weeks now without incident, for all inbound requests to Wikipedia and
other associated projects of the Foundation.
We initially used the older March variant of Filipe's patches (
http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006734.html
), and last week we switched to using the April 27 variant (
http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006863.html
), which is the last known public variant I'm aware of.
These were in turn based on kyprizel's patch (
http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006668.html
), which was based on Rob's patch from nearly two years ago (
http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004376.html
). It has a long and colorful history at this point :)
We've forward-ported Filipe's Apr 27 variant onto Debian's 1.9.3-1
package. Most of the porting was trivial (offsets / whitespace /
etc). There were a couple of slightly more substantial issues around
the newer OCSP Stapling valid-timestamp checking, and the porting of
the general multi-cert work to the newer stream modules. The
ported/updated variant of the patches we're running is available here
in our repo:
https://github.com/wikimedia/operations-software-nginx/blob/wmf-1.9.3-1/deb…
Our configuration uses a pair of otherwise-identical RSA and ECDSA
keys and an external OCSP ssl_stapling_file (certs are from
GlobalSign, chain/OCSP info is identical in the pair). Our typical
relevant config fragment in the server section looks like this:
------------
ssl_certificate /etc/ssl/localcerts/ecc-uni.wikimedia.org.chained.crt;
ssl_certificate_key /etc/ssl/private/ecc-uni.wikimedia.org.key;
ssl_certificate /etc/ssl/localcerts/uni.wikimedia.org.chained.crt;
ssl_certificate_key /etc/ssl/private/uni.wikimedia.org.key;
ssl_stapling on;
ssl_stapling_file /var/cache/ocsp/unified.ocsp;
-------------
Obviously, we'd rather get this work (or something similar) upstreamed
so that we don't have to maintain local patches for this indefinitely,
and so that everyone else can use it easily too. I'm assuming the
reason it wasn't merged in the past is there may be other issues
blocking the merge that just weren't relevant to our particular
configuration, or are just matters of cleanliness or implementation
detail.
I'd be happy to work with whoever on resolving that and getting this
patchset into a merge-able state. Does anyone know what the
outstanding issues were/are? Some of the past list traffic on this is
a bit fragmented.
Thanks,
-- Brandon
Hi,
Some background: nginx 1.9.2, used as a cache, can get into the state
when it stops evicting the objects and eventually stops caching without
being able to recover. This happens when the disk is full. Consider the
following nginx.conf fragment:
proxy_cache_path /cache/nginx levels=1:2
keys_zone=c3:4096m max_size=8500g
inactive=30d use_temp_path=on;
proxy_temp_path /cache/nginx-tmp 1 2;
The disk is filled because the workers have been fetching the data from
the backend faster than the cache manager is able to evict:
$ df -h | grep cache
/dev/sdb1 8.7T 8.7T 16M 100% /cache
tmpfs 2.0G 0 2.0G 0% /cache/nginx-tmp
Since /cache and /cache/nginx-tmp are separate mount points, nginx has to
perform a copy instead of a rename. The copy function fails due to ENOSPC,
but ngx_ext_rename_file() does not clean up the failed target. At this
point, based on ngx_http_file_cache_sh_t::size, the cache manager believes
that the 8.5 TB threshold has not been crossed and nginx fails to recover.
Please find the patch attached.
--
Mindaugas
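The failure mode described above, as an added illustration (this is not the attached patch and not nginx's ngx_ext_rename_file(); it is a stand-alone sketch of the same copy-then-unlink fallback that a server needs when the temp path and the cache path are different mount points). The max_bytes argument is a hypothetical fault-injection knob standing in for a full disk, and the /tmp paths are constructed for the demo. The point it shows is the cleanup step: when the copy fails with ENOSPC, the partially written target is unlinked, so nothing truncated is left behind to be counted toward the cache size.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/*
 * Cross-filesystem "rename" done as copy + unlink(src).  max_bytes is a
 * hypothetical fault-injection limit: any write past it fails with ENOSPC,
 * simulating a full cache disk.  On every failure path the partial target
 * is removed, which is the cleanup missing in the bug report above.
 */
int copy_rename(const char *src, const char *dst, size_t max_bytes)
{
    char     buf[4096];
    ssize_t  n;
    size_t   total = 0;
    int      in = -1, out = -1, saved;

    in = open(src, O_RDONLY);
    if (in < 0) {
        return -1;
    }
    out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) {
        goto fail;
    }

    while ((n = read(in, buf, sizeof(buf))) > 0) {
        ssize_t off = 0;

        if (total + (size_t) n > max_bytes) {
            errno = ENOSPC;                 /* injected "disk full" */
            goto fail;
        }
        while (off < n) {                   /* tolerate short writes */
            ssize_t w = write(out, buf + off, n - off);
            if (w < 0) {
                goto fail;
            }
            off += w;
        }
        total += (size_t) n;
    }
    if (n < 0) {
        goto fail;
    }
    if (close(out) < 0) {                   /* close() can report ENOSPC too */
        out = -1;
        goto fail;
    }
    out = -1;
    close(in);
    unlink(src);                            /* copy complete: finish the "rename" */
    return 0;

fail:
    saved = errno;
    if (out >= 0) close(out);
    if (in >= 0) close(in);
    unlink(dst);                            /* never leave a truncated target */
    errno = saved;
    return -1;
}

/* Returns 1 if path exists, 0 otherwise. */
int path_exists(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0;
}

/* Writes a constructed 10000-byte file; returns 0 on success. */
static int write_sample(const char *path)
{
    FILE *f = fopen(path, "w");
    if (f == NULL) return -1;
    for (int i = 0; i < 10000; i++) {
        if (fputc('x', f) == EOF) { fclose(f); return -1; }
    }
    return fclose(f);
}

/*
 * First a copy that hits the injected ENOSPC after 8000 bytes (the target
 * must vanish, the source must survive), then an unlimited copy that
 * succeeds.  Returns 1 when both behave as expected.
 */
int run_demo(void)
{
    const char *src = "/tmp/copy_rename_demo.src";   /* constructed paths */
    const char *dst = "/tmp/copy_rename_demo.dst";
    struct stat st;

    unlink(src);
    unlink(dst);
    if (write_sample(src) != 0) return 0;

    if (copy_rename(src, dst, 8000) != -1 || errno != ENOSPC) return 0;
    if (path_exists(dst) || !path_exists(src)) return 0;

    if (copy_rename(src, dst, (size_t) -1) != 0) return 0;
    if (stat(dst, &st) != 0 || st.st_size != 10000 || path_exists(src)) return 0;

    unlink(dst);
    return 1;
}

int main(void)
{
    printf("%s\n", run_demo() ? "partial target cleaned up" : "demo failed");
    return 0;
}
```

The accounting consequence in the report is the reason the cleanup matters: a cache manager that sizes the cache from its own counters only stays correct if every file it did not count is actually gone from the disk.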
Hi everyone, I have a little trouble with HTTP/2 in the Opera browser.
For Mozilla FF and Chrome everything is OK. ( http://prntscr.com/8xlrln )
In Opera I get an error along the lines of "not received data." -> http://prntscr.com/8xlr5j
VHost-> http://pastebin.com/CqJqnvmG
Server CNF -> http://pastebin.com/QMtHN4a3
NGINX packets-> http://pastebin.com/MDKrErmH
Tested with a verified certificate and it's the same thing.
Version Opera 32.0 (Windows 8.1)
Does anyone have a solution?
Is it possible to disable HTTP/2 for Opera and keep it enabled for the rest?
--
Pozdrawiam || Best regards
Mateusz Gruszczyński
linuxiarz.pl
Hello all,
I am currently developing a module that has to send a number of subrequests to upstream servers, and aggregate them through application logic. I am currently doing that through a post-subrequest handler, using the NGX_HTTP_SUBREQUEST_IN_MEMORY flag. My problem is that it is possible to receive very large responses from the upstream servers, and I end up with the "upstream buffer is too small" error, even after bumping the buffer sizes a number of times.
It is my understanding that if I drop this subrequest flag, nginx wouldn't try to make the response fit in a single buffer anymore, but then I have no idea how to get at that buffer chain - my post-subrequest handler only knows about the single buffer in the upstream structure and I haven't been able to locate a piece of code that would do things differently.
I suppose it would be possible to use an output filter instead of a post-subrequest handler for that use case, would that make sense? And last but not least, if I go down that road, can I just move my module "declaration" to the HTTP_AUX_FILTER_MODULES variable (from HTTP_MODULES), and still have the rest of module work fine, or will I need to use a second module for that?
Thanks a lot in advance!
Maxime
details: http://hg.nginx.org/nginx/rev/4ccb37b04454
branches:
changeset: 6287:4ccb37b04454
user: Maxim Dounin <mdounin(a)mdounin.ru>
date: Fri Oct 30 21:43:30 2015 +0300
description:
Fixed ngx_parse_time() out of bounds access (ticket #821).
The code failed to ensure that "s" is within the buffer passed for
parsing when checking for "ms", and this resulted in unexpected errors when
parsing non-null-terminated strings with trailing "m". The bug manifested
itself when the expires directive was used with variables.
Found by Roman Arutyunyan.
diffstat:
src/core/ngx_parse.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diffs (12 lines):
diff --git a/src/core/ngx_parse.c b/src/core/ngx_parse.c
--- a/src/core/ngx_parse.c
+++ b/src/core/ngx_parse.c
@@ -188,7 +188,7 @@ ngx_parse_time(ngx_str_t *line, ngx_uint
break;
case 'm':
- if (*p == 's') {
+ if (p < last && *p == 's') {
if (is_sec || step >= st_msec) {
return NGX_ERROR;
}
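Review bot: the added `p < last` guard is the right fix for reading `*p` past the end of a non-null-terminated `line`, but the change ships without a regression test; since the description says the bug surfaced with `expires` and variables (input ending in "m" with no terminator), a test feeding such a value through ngx_parse_time() would keep it from coming back. The guard also relies on `last` already pointing one past the end of the buffer at this point in the function; confirming that in the surrounding code (not visible in this hunk) is worth a line in the commit message.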