Hi all,
The Wikimedia Foundation has been running nginx-1.9.3 patched for
multi-certificate support for all production TLS traffic for a few
weeks now without incident, for all inbound requests to Wikipedia and
other associated projects of the Foundation.
We initially used the older March variant of Filipe's patches (
http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006734.html
), and last week we switched to using the April 27 variant (
http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006863.html
), which is the last known public variant I'm aware of.
These were in turn based on kyprizel's patch (
http://mailman.nginx.org/pipermail/nginx-devel/2015-March/006668.html
), which was based on Rob's patch from nearly two years ago (
http://mailman.nginx.org/pipermail/nginx-devel/2013-October/004376.html
). It has a long and colorful history at this point :)
We've forward-ported Filipe's Apr 27 variant onto Debian's 1.9.3-1
package. Most of the porting was trivial (offsets / whitespace /
etc). There were a couple of slightly more substantial issues around
the newer OCSP Stapling valid-timestamp checking, and the porting of
the general multi-cert work to the newer stream modules. The
ported/updated variant of the patches we're running is available here
in our repo:
https://github.com/wikimedia/operations-software-nginx/blob/wmf-1.9.3-1/deb…
Our configuration uses a pair of otherwise-identical RSA and ECDSA
keys and an external OCSP ssl_stapling_file (certs are from
GlobalSign, chain/OCSP info is identical in the pair). Our typical
relevant config fragment in the server section looks like this:
------------
ssl_certificate /etc/ssl/localcerts/ecc-uni.wikimedia.org.chained.crt;
ssl_certificate_key /etc/ssl/private/ecc-uni.wikimedia.org.key;
ssl_certificate /etc/ssl/localcerts/uni.wikimedia.org.chained.crt;
ssl_certificate_key /etc/ssl/private/uni.wikimedia.org.key;
ssl_stapling on;
ssl_stapling_file /var/cache/ocsp/unified.ocsp;
-------------
Obviously, we'd rather get this work (or something similar) upstreamed
so that we don't have to maintain local patches for this indefinitely,
and so that everyone else can use it easily too. I'm assuming the
reason it wasn't merged in the past is there may be other issues
blocking the merge that just weren't relevant to our particular
configuration, or are just matters of cleanliness or implementation
detail.
I'd be happy to work with whoever on resolving that and getting this
patchset into a merge-able state. Does anyone know what the
outstanding issues were/are? Some of the past list traffic on this is
a bit fragmented.
Thanks,
-- Brandon
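A practitioner deploying the dual RSA/ECDSA configuration above will want to confirm, from the outside, that the server really selects the ECDSA chain for ECDSA-capable clients and the RSA chain for everyone else. The script below is an added example, not code from Brandon's message or from the nginx project; the target host, the use of port 443, and the OpenSSL cipher-class strings `aECDSA`/`aRSA` are assumptions to adjust for your own deployment.

```shell
#!/bin/sh
# Added example (not from the original message): check that a dual-certificate
# nginx serves an ECDSA leaf to clients that only offer ECDSA-authenticated
# suites and an RSA leaf to clients that only offer RSA-authenticated suites.
# HOST, port 443 and the cipher strings are assumptions for this illustration.

# Classify the public-key algorithm from `openssl x509 -noout -text` output.
# Prints "ecdsa", "rsa" or "unknown" (pure text matching, no network needed).
key_type_from_x509_text() {
    case "$1" in
        *'Public Key Algorithm: id-ecPublicKey'*) echo ecdsa ;;
        *'Public Key Algorithm: rsaEncryption'*)  echo rsa ;;
        *)                                        echo unknown ;;
    esac
}

# Fetch the leaf certificate negotiated under a given OpenSSL cipher string and
# print its decoded text. TLS 1.2 is forced because TLS 1.3 cipher suites are
# not tied to a key type, so -cipher would not steer the server's choice there.
# Requires network access to the host.
negotiated_cert_text() {
    host=$1
    cipher=$2
    openssl s_client -connect "$host:443" -servername "$host" \
        -tls1_2 -cipher "$cipher" < /dev/null 2>/dev/null \
      | openssl x509 -noout -text 2>/dev/null
}

# Offer only ECDSA-authenticated suites, then only RSA-authenticated suites,
# and report which key type the server handed back each time.
# Returns 0 when both expected key types are served, 1 otherwise.
check_dual_cert() {
    host=$1
    ec_type=$(key_type_from_x509_text "$(negotiated_cert_text "$host" aECDSA)")
    rsa_type=$(key_type_from_x509_text "$(negotiated_cert_text "$host" aRSA)")
    echo "$host: ECDSA-only offer -> $ec_type, RSA-only offer -> $rsa_type"
    [ "$ec_type" = ecdsa ] && [ "$rsa_type" = rsa ]
}

# Usage: sh check_dual_cert.sh en.wikipedia.org
if [ $# -eq 1 ]; then
    check_dual_cert "$1"
fi
```

The parsing step is separated from the network step so the classifier can be exercised on saved `openssl x509 -text` output; an "unknown" result usually means the handshake failed outright (for example, the server has no suite in common with the restricted offer), which is itself worth noticing when rolling out a second certificate.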
# HG changeset patch
# User Corey Kasten <coreykasten(a)gmail.com>
# Date 1456771518 28800
# Mon Feb 29 10:45:18 2016 -0800
# Node ID a2365d15b75c9537efacbef038a67dde693a7f0f
# Parent 8e6f34342eb652046fdfcd0d0677f0d20483c0a5
Skip writing pidfile when old and new paths are equivalent
On an nginx reload, if the pidfile path has changed, the pid is written to the
new path, and the old file is deleted. This behaviour is problematic when the
old path (e.g. /run/nginx.pid) is equivalent to the new path
(e.g. /var/run/nginx.pid), due to the use of a symbolic link (/var/run -> /run).
After deleting the file at the old path, we are left without a .pid file,
since the new and old were actually the same file. The solution employed here
is to check whether the two paths resolve to the same inode via stat(2).
diff -r 8e6f34342eb6 -r a2365d15b75c src/core/ngx_cycle.c
--- a/src/core/ngx_cycle.c Mon Feb 29 18:52:33 2016 +0300
+++ b/src/core/ngx_cycle.c Mon Feb 29 10:45:18 2016 -0800
@@ -15,6 +15,7 @@
ngx_shm_zone_t *shm_zone);
static ngx_int_t ngx_test_lockfile(u_char *file, ngx_log_t *log);
static void ngx_clean_old_cycles(ngx_event_t *ev);
+static int are_same_file(u_char *file1, u_char *file2);
volatile ngx_cycle_t *ngx_cycle;
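Review bot: The new prototype `+static int are_same_file(u_char *file1, u_char *file2);` does not follow the naming and typing convention of the surrounding declarations, where every function in src/core carries an `ngx_` prefix and boolean or status results are `ngx_int_t`/`ngx_uint_t` rather than `int`. Suggest `static ngx_uint_t ngx_same_file(u_char *file1, u_char *file2);` so it reads like its neighbours `ngx_test_lockfile` and `ngx_clean_old_cycles`.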
@@ -322,8 +323,9 @@
old_ccf = (ngx_core_conf_t *) ngx_get_conf(old_cycle->conf_ctx,
ngx_core_module);
- if (ccf->pid.len != old_ccf->pid.len
+ if ((ccf->pid.len != old_ccf->pid.len
|| ngx_strcmp(ccf->pid.data, old_ccf->pid.data) != 0)
+ && !are_same_file(ccf->pid.data, old_ccf->pid.data))
{
/* new pid file name */
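Review bot: The regrouped condition only consults the filesystem when the two names differ textually, which is the right ordering, but a failed `ngx_file_info()` inside `are_same_file()` silently falls through to the create-then-delete path. That is the desired outcome when the new path does not exist yet (ENOENT), yet any other failure (EACCES, ELOOP on a bad symlink) is indistinguishable from "different files" and would still delete the pidfile in exactly the symlinked case this patch is meant to fix. Consider logging non-ENOENT errors at NGX_LOG_ALERT using `ngx_file_info_n` and `ngx_errno`, so a surprising pidfile deletion after reload can be diagnosed.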
@@ -1337,3 +1339,32 @@
ngx_old_cycles.nelts = 0;
}
}
+
+static int
+are_same_file(u_char *file1, u_char *file2)
+{
+#if !(NGX_WIN32)
+ ngx_file_info_t fi1, fi2;
+
+ if (ngx_file_info((const char *) file1, &fi1) == NGX_FILE_ERROR)
+ {
+ return 0;
+ }
+
+ if (ngx_file_info((const char *) file2, &fi2) == NGX_FILE_ERROR)
+ {
+ return 0;
+ }
+
+ if (fi1.st_ino != fi2.st_ino ||
+ major(fi1.st_dev) != major(fi2.st_dev) ||
+ minor(fi1.st_dev) != minor(fi2.st_dev))
+ {
+ return 0;
+ }
+
+ return 1;
+#else
+ return 0;
+#endif
+}
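Review bot: Comparing `major(fi1.st_dev)` and `minor(fi1.st_dev)` separately is unnecessary and non-portable: `st_dev` is an opaque `dev_t` that can be compared directly (`fi1.st_dev != fi2.st_dev`), and `major()`/`minor()` are not guaranteed by any header ngx_cycle.c already includes (on glibc they live in <sys/sysmacros.h>, which newer glibc no longer pulls in via <sys/types.h> without a warning). For the inode, nginx already provides `ngx_file_uniq(&fi1)`, which ngx_open_file_cache uses for the same "is this the same file" purpose. Smaller points in the same function: the `(const char *)` casts are redundant because the unix `ngx_file_info()` macro casts its argument itself; the opening `{` of each `if` belongs on the same line as the condition per the surrounding style; and since the win32 port also defines `ngx_file_info()` and `ngx_file_uniq()`, the `#if !(NGX_WIN32)` branch that always answers "different" may not be needed.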
This patch series adds support for switching off buffering of the request body
in HTTP/2 connections proxied to a backend. See the proxy_request_buffering,
fastcgi_request_buffering, uwsgi_request_buffering, and scgi_request_buffering
directives.
You can apply these patches to nginx 1.9.12.
Thank you for testing.
wbr, Valentin V. Bartenev
src/http/ngx_http_request_body.c | 109 ++----
src/http/ngx_http_request.h | 3 +
src/http/ngx_http_request_body.c | 26 +-
src/http/v2/ngx_http_v2.c | 541 ++++++++++++++++++--------------------
src/http/v2/ngx_http_v2.h | 3 +-
src/http/v2/ngx_http_v2.c | 15 +-
src/http/ngx_http_request_body.c | 7 +-
src/http/v2/ngx_http_v2.c | 132 +++++++++-
src/http/v2/ngx_http_v2.h | 1 +
9 files changed, 466 insertions(+), 371 deletions(-)
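As an added illustration of the configuration this series enables (not part of Valentin's patches or of the nginx documentation), here is a server block that keeps the default buffered behaviour on one location and streams the request body upstream on another, for an HTTP/2 listener. The hostnames, file paths, upstream address and size limit are placeholders:

```nginx
# Added example, not from the patch series; names, paths and addresses are placeholders.
upstream app_backend {
    server 10.0.0.10:8080;                   # assumed backend address
}

server {
    listen 443 ssl http2;                    # needs --with-http_v2_module
    server_name upload.example.com;          # assumed name

    ssl_certificate     /etc/ssl/localcerts/example.chained.crt;  # placeholder
    ssl_certificate_key /etc/ssl/private/example.key;             # placeholder

    # Default behaviour: the whole request body is read from the client
    # (into memory or a temp file) before anything is sent upstream.
    location /api/ {
        proxy_request_buffering on;
        proxy_pass http://app_backend;
    }

    # Streaming path: body bytes are forwarded to the backend as they arrive.
    #  - proxy_http_version 1.1 is required so a body whose length is not
    #    known up front (the usual case for HTTP/2 DATA frames) can be sent
    #    upstream with chunked transfer encoding; with HTTP/1.0 proxying the
    #    body is buffered regardless of this directive.
    #  - Once body bytes have been sent, nginx cannot retry the request on
    #    another server in the upstream group, so do not rely on
    #    proxy_next_upstream for this location.
    #  - client_max_body_size still applies and is the only size guard left.
    location /upload/ {
        client_max_body_size 1g;
        proxy_http_version 1.1;
        proxy_request_buffering off;
        proxy_pass http://app_backend;
    }
}
```

The same three caveats carry over to the fastcgi_, uwsgi_ and scgi_request_buffering variants; the streaming location trades upstream failover and nginx-side body inspection for lower latency and disk usage on large uploads.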
details: http://hg.nginx.org/nginx/rev/35487ea55cb6
branches:
changeset: 6416:35487ea55cb6
user: Ruslan Ermilov <ru(a)nginx.com>
date: Thu Feb 25 15:22:05 2016 +0300
description:
Dynamic modules: make sure to call config.make for dynamic addons.
diffstat:
auto/make | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)
diffs (15 lines):
diff -r 107a46bde349 -r 35487ea55cb6 auto/make
--- a/auto/make Thu Feb 25 16:28:42 2016 +0300
+++ b/auto/make Thu Feb 25 15:22:05 2016 +0300
@@ -437,9 +437,9 @@ fi
# the addons config.make
-if test -n "$NGX_ADDONS"; then
+if test -n "$NGX_ADDONS$DYNAMIC_ADDONS"; then
- for ngx_addon_dir in $NGX_ADDONS
+ for ngx_addon_dir in $NGX_ADDONS $DYNAMIC_ADDONS
do
if test -f $ngx_addon_dir/config.make; then
. $ngx_addon_dir/config.make
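Review bot: `+if test -n "$NGX_ADDONS$DYNAMIC_ADDONS"; then` relies on string concatenation to express "either variable is non-empty", which is correct but reads like a missing space, especially next to the spelled-out `$NGX_ADDONS $DYNAMIC_ADDONS` in the loop two lines later; `if test -n "$NGX_ADDONS" || test -n "$DYNAMIC_ADDONS"; then` states the intent directly. The unchanged comment `# the addons config.make` could also be updated to mention that dynamic addons' config.make files are now sourced here as well.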