nginx-devel January 2019

nginx-devel@nginx.org

19 participants
68 discussions

by Maxim Dounin

Hello! On Tue, Sep 18, 2018 at 08:12:20AM -0400, Thomas Ward wrote: > Downstream in Ubuntu, it has been proposed to demote pcre3 and > use pcre2 instead as it is newer. > https://trac.nginx.org/nginx/ticket/720 shows it was marked 4 > years ago that NGINX does not support pcre2. Are there any > plans to use pcre2 instead of pcre3? There are no immediate plans. When we last checked, there were no problems with PCRE, but PCRE2 wasn't available in most distributions we support, making the switch mostly meaningless. Also, it looks like PCRE2 is still not supported even by Exim, which is the parent project of PCRE and PCRE2: https://bugs.exim.org/show_bug.cgi?id=1878 As such, adding PCRE2 support to nginx looks premature. -- Maxim Dounin http://mdounin.ru/

10 months

cache: move open to thread pool

by Ka-Hing Cheung

commit 0bcfefa040abdff674047c15701d237ff16a5f2b Author: Ka-Hing Cheung <kahing(a)cloudflare.com> Date: Fri Aug 3 13:37:58 2018 -0700 move open to thread pool At cloudflare we found that open() can block a long time, especially at p99 and p999. Moving it to thread pool improved overall p99 by 6x or so during peak time. This has the side effect of disabling nginx's open_file_cache when "aio threads" is turned on. For us we found that to have no impact (probably because we have way too many files for open file cache to be effective anyway). thread pool does increase CPU usage somewhat but we have not measured difference in CPU usage for stock "aio threads" compared to after this patch. Only the cache hit open() is moved to thread pool. We wrote more about it here: https://blog.cloudflare.com/how-we-scaled-nginx-and-saved-the-world-54-year… diff --git src/core/ngx_open_file_cache.c src/core/ngx_open_file_cache.c index b23ee78d..9177ebfd 100644 --- src/core/ngx_open_file_cache.c +++ src/core/ngx_open_file_cache.c @@ -35,8 +35,6 @@ static ngx_fd_t ngx_open_file_wrapper(ngx_str_t *name, ngx_int_t access, ngx_log_t *log); static ngx_int_t ngx_file_info_wrapper(ngx_str_t *name, ngx_open_file_info_t *of, ngx_file_info_t *fi, ngx_log_t *log); -static ngx_int_t ngx_open_and_stat_file(ngx_str_t *name, - ngx_open_file_info_t *of, ngx_log_t *log); static void ngx_open_file_add_event(ngx_open_file_cache_t *cache, ngx_cached_open_file_t *file, ngx_open_file_info_t *of, ngx_log_t *log); static void ngx_open_file_cleanup(void *data); @@ -836,7 +834,7 @@ ngx_file_info_wrapper(ngx_str_t *name, ngx_open_file_info_t *of, } -static ngx_int_t +ngx_int_t ngx_open_and_stat_file(ngx_str_t *name, ngx_open_file_info_t *of, ngx_log_t *log) { diff --git src/core/ngx_open_file_cache.h src/core/ngx_open_file_cache.h index d119c129..94b4d552 100644 --- src/core/ngx_open_file_cache.h +++ src/core/ngx_open_file_cache.h @@ -124,6 +124,8 @@ ngx_open_file_cache_t *ngx_open_file_cache_init(ngx_pool_t *pool, ngx_uint_t max, time_t inactive); ngx_int_t ngx_open_cached_file(ngx_open_file_cache_t *cache, ngx_str_t *name, ngx_open_file_info_t *of, ngx_pool_t *pool); +ngx_int_t ngx_open_and_stat_file(ngx_str_t *name, + ngx_open_file_info_t *of, ngx_log_t *log); #endif /* _NGX_OPEN_FILE_CACHE_H_INCLUDED_ */ diff --git src/http/ngx_http_cache.h src/http/ngx_http_cache.h index f9e96640..2910f6a1 100644 --- src/http/ngx_http_cache.h +++ src/http/ngx_http_cache.h @@ -114,6 +114,7 @@ struct ngx_http_cache_s { unsigned exists:1; unsigned temp_file:1; unsigned purged:1; + unsigned opening:1; unsigned reading:1; unsigned secondary:1; unsigned background:1; diff --git src/http/ngx_http_file_cache.c src/http/ngx_http_file_cache.c index 56866fa4..9cb110bf 100644 --- src/http/ngx_http_file_cache.c +++ src/http/ngx_http_file_cache.c @@ -18,6 +18,10 @@ static void ngx_http_file_cache_lock_wait(ngx_http_request_t *r, ngx_http_cache_t *c); static ngx_int_t ngx_http_file_cache_read(ngx_http_request_t *r, ngx_http_cache_t *c); +static ngx_int_t ngx_http_file_cache_aio_open(ngx_http_request_t *r, + ngx_http_cache_t *c, ngx_int_t *rv); +static ngx_int_t ngx_http_file_cache_do_aio_open(ngx_http_request_t *r, + ngx_http_cache_t *c, ngx_open_file_info_t *of, ngx_int_t *rv); static ssize_t ngx_http_file_cache_aio_read(ngx_http_request_t *r, ngx_http_cache_t *c); #if (NGX_HAVE_FILE_AIO) @@ -268,9 +272,7 @@ ngx_http_file_cache_open(ngx_http_request_t *r) ngx_uint_t test; ngx_http_cache_t *c; ngx_pool_cleanup_t *cln; - ngx_open_file_info_t of; ngx_http_file_cache_t *cache; - ngx_http_core_loc_conf_t *clcf; c = r->cache; @@ -278,6 +280,10 @@ ngx_http_file_cache_open(ngx_http_request_t *r) return NGX_AGAIN; } + if (c->opening) { + return ngx_http_file_cache_aio_open(r, c, &rv); + } + if (c->reading) { return ngx_http_file_cache_read(r, c); } @@ -343,23 +349,33 @@ ngx_http_file_cache_open(ngx_http_request_t *r) goto done; } - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + return ngx_http_file_cache_aio_open(r, c, &rv); - ngx_memzero(&of, sizeof(ngx_open_file_info_t)); +done: - of.uniq = c->uniq; - of.valid = clcf->open_file_cache_valid; - of.min_uses = clcf->open_file_cache_min_uses; - of.events = clcf->open_file_cache_events; - of.directio = NGX_OPEN_FILE_DIRECTIO_OFF; - of.read_ahead = clcf->read_ahead; + if (rv == NGX_DECLINED) { + return ngx_http_file_cache_lock(r, c); + } - if (ngx_open_cached_file(clcf->open_file_cache, &c->file.name, &of, r->pool) - != NGX_OK) - { - switch (of.err) { + return rv; +} + +static ngx_int_t +ngx_http_file_cache_aio_open(ngx_http_request_t *r, ngx_http_cache_t *c, + ngx_int_t *rv) +{ + ngx_int_t rc; + ngx_open_file_info_t of; + ngx_http_file_cache_t *cache = c->file_cache; - case 0: + rc = ngx_http_file_cache_do_aio_open(r, c, &of, rv); + if (rc == NGX_AGAIN) { + return rc; + } + + if (rc != NGX_OK) { + switch (of.err) { + case NGX_OK: return NGX_ERROR; case NGX_ENOENT: @@ -391,14 +407,13 @@ ngx_http_file_cache_open(ngx_http_request_t *r) done: - if (rv == NGX_DECLINED) { + if (*rv == NGX_DECLINED) { return ngx_http_file_cache_lock(r, c); } - return rv; + return *rv; } - static ngx_int_t ngx_http_file_cache_lock(ngx_http_request_t *r, ngx_http_cache_t *c) { @@ -663,6 +678,127 @@ ngx_http_file_cache_read(ngx_http_request_t *r, ngx_http_cache_t *c) } +#if (NGX_THREADS) +typedef struct { + ngx_str_t name; + ngx_pool_t *pool; + ngx_open_file_info_t of; + ngx_int_t rv; +} ngx_thread_file_open_ctx_t; + +static void +ngx_http_file_cache_thread_open_handler(void *data, ngx_log_t *log) +{ + ngx_thread_file_open_ctx_t *ctx = data; + ngx_pool_t *pool = ctx->pool; + ngx_open_file_info_t *of = &ctx->of; + ngx_pool_cleanup_t *cln; + ngx_pool_cleanup_file_t *clnf; + ngx_int_t rc; + + ngx_log_debug0(NGX_LOG_DEBUG_CORE, log, 0, "thread read handler"); + + cln = ngx_pool_cleanup_add(pool, sizeof(ngx_pool_cleanup_file_t)); + if (cln == NULL) { + ctx->of.err = NGX_ERROR; + return; + } + + of->fd = NGX_INVALID_FILE; + + rc = ngx_open_and_stat_file(&ctx->name, of, pool->log); + if (rc == NGX_OK && !of->is_dir) { + cln->handler = ngx_pool_cleanup_file; + clnf = cln->data; + + clnf->fd = of->fd; + clnf->name = ctx->name.data; + clnf->log = pool->log; + } +} + + +static ngx_int_t +ngx_http_file_cache_thread_open(ngx_http_cache_t *c, ngx_open_file_info_t *of, + ngx_int_t *rv, ngx_pool_t *pool) +{ + ngx_thread_task_t *task; + ngx_thread_file_open_ctx_t *ctx; + ngx_file_t *file = &c->file; + + task = file->thread_task; + + if (task == NULL) { + task = ngx_thread_task_alloc(pool, sizeof(ngx_thread_file_open_ctx_t)); + if (task == NULL) { + return NGX_ERROR; + } + + file->thread_task = task; + } + + ctx = task->ctx; + + if (task->event.complete) { + task->event.complete = 0; + + *of = ctx->of; + *rv = ctx->rv; + return of->err; + } + + task->handler = ngx_http_file_cache_thread_open_handler; + + ctx->pool = pool; + ctx->name = file->name; + ctx->of = *of; + ctx->rv = *rv; + + if (file->thread_handler(task, file) != NGX_OK) { + return NGX_ERROR; + } + + return NGX_AGAIN; +} +#endif + +static ngx_int_t +ngx_http_file_cache_do_aio_open(ngx_http_request_t *r, ngx_http_cache_t *c, + ngx_open_file_info_t *of, ngx_int_t *rv) +{ + ngx_http_core_loc_conf_t *clcf; + + clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); + + ngx_memzero(of, sizeof(ngx_open_file_info_t)); + + of->uniq = c->uniq; + of->valid = clcf->open_file_cache_valid; + of->min_uses = clcf->open_file_cache_min_uses; + of->events = clcf->open_file_cache_events; + of->directio = NGX_OPEN_FILE_DIRECTIO_OFF; + of->read_ahead = clcf->read_ahead; + +#if (NGX_THREADS) + if (clcf->aio == NGX_HTTP_AIO_THREADS) { + ngx_int_t rc; + + c->file.thread_task = c->thread_task; + c->file.thread_handler = ngx_http_cache_thread_handler; + c->file.thread_ctx = r; + + rc = ngx_http_file_cache_thread_open(c, of, rv, r->pool); + + c->thread_task = c->file.thread_task; + c->opening = (rc == NGX_AGAIN); + + return rc; + } +#endif + + return ngx_open_cached_file(clcf->open_file_cache, &c->file.name, of, r->pool); +} + static ssize_t ngx_http_file_cache_aio_read(ngx_http_request_t *r, ngx_http_cache_t *c) {

1 year

[PATCH] Apply cache locking behaviour to stale cache entries.

by Elliot Thomas

Hello, This patch applies cache locking behaviour to stale cache entries, so in the case where the *_cache_lock directives are used, the same locking behaviour is used for stale content as it is for new entries. Previously, this was only done for new cache entries. (see: http://mailman.nginx.org/pipermail/nginx/2016-January/049734.html) This is useful when serving stale content is not permissable but sending many requests upstream is undesriable. This patch exposes the ngx_http_file_cache_lock function; this function is then called in ngx_http_upstream if a cache entry has expired. I have attached two versions of this patch, a "minimal" one that avoids changes where not strictly necessary, and a "cleaner" version which is more invasive but (in my opinion) cleaner. Both patches cause no (additional) failures in the nginx test suite. I tested with as many modules as I could reasonably enable. Additionally, a colleague will add tests for this new behaviour in a follow-up patch. Regards, Elliot. ----------------------------- http://www.bbc.co.uk This e-mail (and any attachments) is confidential and may contain personal views which are not the views of the BBC unless specifically stated. If you have received it in error, please delete it from your system. Do not use, copy or disclose the information in any way nor act in reliance on it and notify the sender immediately. Please note that the BBC monitors e-mails sent or received. Further communication will signify your consent to this. -----------------------------

3 years, 2 months

limit_rate_after support variables

by Miroslav Novy

# HG changeset patch # User Miroslav Nový <miranovy(a)gmail.com> # Date 1534234559 0 # Tue Aug 14 08:15:59 2018 +0000 # Node ID 1a8327b50f7844cbe68226f54de60632189327f4 # Parent 70c6b08973a02551612da4a4273757dc77c70ae2 limit_rate_after support variables Example of use: location / { root /var/www/default/; index index.html index.htm; set $my_limit_rate_after 2m; limit_rate_after $my_limit_rate_after; limit_rate 2k; access_by_lua_block { ngx.var.my_limit_rate_after = '10m' } } diff -r 70c6b08973a0 -r 1a8327b50f78 src/http/ngx_http_core_module.c --- a/src/http/ngx_http_core_module.c Fri Aug 10 21:54:46 2018 +0300 +++ b/src/http/ngx_http_core_module.c Tue Aug 14 08:15:59 2018 +0000 @@ -487,7 +487,7 @@ { ngx_string("limit_rate_after"), NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF |NGX_CONF_TAKE1, - ngx_conf_set_size_slot, + ngx_http_set_complex_value_slot, NGX_HTTP_LOC_CONF_OFFSET, offsetof(ngx_http_core_loc_conf_t, limit_rate_after), NULL }, @@ -3364,6 +3364,7 @@ * clcf->alias = 0; * clcf->gzip_proxied = 0; * clcf->keepalive_disable = 0; + * clcf->limit_rate_after = NULL; */ clcf->client_max_body_size = NGX_CONF_UNSET; @@ -3393,7 +3394,6 @@ clcf->send_lowat = NGX_CONF_UNSET_SIZE; clcf->postpone_output = NGX_CONF_UNSET_SIZE; clcf->limit_rate = NGX_CONF_UNSET_SIZE; - clcf->limit_rate_after = NGX_CONF_UNSET_SIZE; clcf->keepalive_timeout = NGX_CONF_UNSET_MSEC; clcf->keepalive_header = NGX_CONF_UNSET; clcf->keepalive_requests = NGX_CONF_UNSET_UINT; @@ -3623,8 +3623,8 @@ ngx_conf_merge_size_value(conf->postpone_output, prev->postpone_output, 1460); ngx_conf_merge_size_value(conf->limit_rate, prev->limit_rate, 0); - ngx_conf_merge_size_value(conf->limit_rate_after, prev->limit_rate_after, - 0); + ngx_conf_merge_ptr_value(conf->limit_rate_after, prev->limit_rate_after, + NULL); ngx_conf_merge_msec_value(conf->keepalive_timeout, prev->keepalive_timeout, 75000); ngx_conf_merge_sec_value(conf->keepalive_header, diff -r 70c6b08973a0 -r 1a8327b50f78 src/http/ngx_http_core_module.h --- a/src/http/ngx_http_core_module.h Fri Aug 10 21:54:46 2018 +0300 +++ b/src/http/ngx_http_core_module.h Tue Aug 14 08:15:59 2018 +0000 @@ -351,7 +351,7 @@ size_t send_lowat; /* send_lowat */ size_t postpone_output; /* postpone_output */ size_t limit_rate; /* limit_rate */ - size_t limit_rate_after; /* limit_rate_after */ + ngx_http_complex_value_t *limit_rate_after; /* limit_rate_after */ size_t sendfile_max_chunk; /* sendfile_max_chunk */ size_t read_ahead; /* read_ahead */ size_t subrequest_output_buffer_size; diff -r 70c6b08973a0 -r 1a8327b50f78 src/http/ngx_http_write_filter_module.c --- a/src/http/ngx_http_write_filter_module.c Fri Aug 10 21:54:46 2018 +0300 +++ b/src/http/ngx_http_write_filter_module.c Tue Aug 14 08:15:59 2018 +0000 @@ -220,7 +220,26 @@ if (r->limit_rate) { if (r->limit_rate_after == 0) { - r->limit_rate_after = clcf->limit_rate_after; + r->limit_rate_after = 0; + + if (clcf->limit_rate_after != NULL) { + ngx_str_t res; + size_t st; + + if (ngx_http_complex_value(r, clcf->limit_rate_after, &res) + != NGX_OK) + { + return NGX_ERROR; + } + + st = ngx_parse_size(&res); + if (st != (size_t) NGX_ERROR) { + r->limit_rate_after = st; + } else { + ngx_log_error(NGX_LOG_ALERT, c->log, 0, + "limit_rate_after has bad value"); + } + } } limit = (off_t) r->limit_rate * (ngx_time() - r->start_sec + 1)

3 years, 5 months

[PATCH] better constrain IP-literal validation in ngx_http_validate_host()

by Terence Honles

# HG changeset patch # User Terence Honles <terence(a)honles.com> # Date 1542840079 28800 # Wed Nov 21 14:41:19 2018 -0800 # Node ID 0763519f3dcce2c68ccd8894dcc02a4d6114b4c2 # Parent be5cb9c67c05ccaf22dab7abba78aa4c1545a8ee better constrain IP-literal validation in ngx_http_validate_host() The existing validation in ngx_http_validate_host() would allow a IP-literal such as "[127.0.0.1]" which is invalid according to RFC 3986 (See Appendix A. for the Collected ABNF). This format is intended for IPv6 and IPv-future not IPv4. The following changeset does the following: - Terminates the validation loop if the state is `sw_rest` (If checking this every character outweighs the benefit of early termination it can be omitted). - If a "." is found in an IPv6 literal or immediately after the initial "[" the hostname is determined to be invalid. - If a "[" is found at any position other than the first character the hostname is determined to be invalid. - Adds a "sw_literal_start" state which branches to "sw_literal_ip_v6" or "sw_literal_ip_future" depending if the character "v" is found at the start of the IP-literal. - If a non hex character (and not ":" because of the explicit case statement) is found in an IPv6 literal the hostname is determined to be invalid. - If the validation loop has not ended in either the "sw_usual" or "sw_rest" state the hostname is determined to be invalid (This will occur in an unterminated IP-literal) This changeset *does not* aim to validate IPv-future as it is currently very permissive and there is no pressing need for this validation. diff -r be5cb9c67c05 -r 0763519f3dcc src/http/ngx_http_request.c --- a/src/http/ngx_http_request.c Wed Nov 21 20:23:16 2018 +0300 +++ b/src/http/ngx_http_request.c Wed Nov 21 14:41:19 2018 -0800 @@ -1958,12 +1958,14 @@ static ngx_int_t ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc) { - u_char *h, ch; + u_char *h, c, ch; size_t i, dot_pos, host_len; enum { sw_usual = 0, - sw_literal, + sw_literal_start, + sw_literal_ip_v6, + sw_literal_ip_future, sw_rest } state; @@ -1974,13 +1976,16 @@ state = sw_usual; - for (i = 0; i < host->len; i++) { + for (i = 0; i < host->len && state != sw_rest; i++) { ch = h[i]; switch (ch) { case '.': - if (dot_pos == i - 1) { + if (state == sw_literal_start + || state == sw_literal_ip_v6 + || dot_pos == i - 1) + { return NGX_DECLINED; } dot_pos = i; @@ -1995,12 +2000,14 @@ case '[': if (i == 0) { - state = sw_literal; + state = sw_literal_start; + } else { + return NGX_DECLINED; } break; case ']': - if (state == sw_literal) { + if (state == sw_literal_ip_v6 || state == sw_literal_ip_future) { host_len = i + 1; state = sw_rest; } @@ -2015,6 +2022,17 @@ return NGX_DECLINED; } + if (state == sw_literal_start) { + state = ch == 'v' ? sw_literal_ip_future : sw_literal_ip_v6; + } + + if (state == sw_literal_ip_v6) { + c = (u_char) (ch | 0x20); + if (!((ch >= '0' && ch <= '9') || (c >= 'a' || c <= 'f'))) { + return NGX_DECLINED; + } + } + if (ch >= 'A' && ch <= 'Z') { alloc = 1; } @@ -2023,6 +2041,10 @@ } } + if (state != sw_usual && state != sw_rest) { + return NGX_DECLINED; + } + if (dot_pos == host_len - 1) { host_len--; }

3 years, 5 months

GeoIP dependency on GeoIP Legacy databases?

by Thomas Ward

A bug report originated on Debian [1] about the GeoIP module that's shipped with NGINX's source code. It makes note that the GeoIP database in Legacy format is not available, deprecated in 2018 and discontinued as of 2019. This means that non-paying customers can't get the database files. [2] Does this impact the geoip module shipped with NGINX as the Legacy databases are no longer available and discontinued? If so, does NGINX have a timeline to replace this or provide alternate mechanisms? Thomas [1]: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=921034 [2]: https://support.maxmind.com/geolite-legacy-discontinuation-notice/

3 years, 6 months

[nginx] SSL: separate checks for errors in ngx_ssl_read_password_file().

by Maxim Dounin

details: https://hg.nginx.org/nginx/rev/e72c8a8a8b10 branches: changeset: 7454:e72c8a8a8b10 user: Maxim Dounin <mdounin(a)mdounin.ru> date: Thu Jan 31 19:36:51 2019 +0300 description: SSL: separate checks for errors in ngx_ssl_read_password_file(). Checking multiple errors at once is a bad practice, as in general it is not guaranteed that an object can be used after the error. In this particular case, checking errors after multiple allocations can result in excessive errors being logged when there is no memory available. diffstat: src/event/ngx_event_openssl.c | 9 ++++++--- 1 files changed, 6 insertions(+), 3 deletions(-) diffs (20 lines): diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -947,10 +947,13 @@ ngx_ssl_read_password_file(ngx_conf_t *c return NULL; } + passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); + if (passwords == NULL) { + return NULL; + } + cln = ngx_pool_cleanup_add(cf->temp_pool, 0); - passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); - - if (cln == NULL || passwords == NULL) { + if (cln == NULL) { return NULL; }

3 years, 6 months

[nginx] SSL: explicitly zero out session ticket keys.

by Maxim Dounin

details: https://hg.nginx.org/nginx/rev/873150addfeb branches: changeset: 7453:873150addfeb user: Ruslan Ermilov <ru(a)nginx.com> date: Thu Jan 31 19:28:07 2019 +0300 description: SSL: explicitly zero out session ticket keys. diffstat: src/event/ngx_event_openssl.c | 24 ++++++++++++++++++++++++ 1 files changed, 24 insertions(+), 0 deletions(-) diffs (69 lines): diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -68,6 +68,7 @@ static void ngx_ssl_session_rbtree_inser static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, HMAC_CTX *hctx, int enc); +static void ngx_ssl_session_ticket_keys_cleanup(void *data); #endif #ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT @@ -3455,6 +3456,7 @@ ngx_ssl_session_ticket_keys(ngx_conf_t * ngx_uint_t i; ngx_array_t *keys; ngx_file_info_t fi; + ngx_pool_cleanup_t *cln; ngx_ssl_session_ticket_key_t *key; if (paths == NULL) { @@ -3467,6 +3469,14 @@ ngx_ssl_session_ticket_keys(ngx_conf_t * return NGX_ERROR; } + cln = ngx_pool_cleanup_add(cf->pool, 0); + if (cln == NULL) { + return NGX_ERROR; + } + + cln->handler = ngx_ssl_session_ticket_keys_cleanup; + cln->data = keys; + path = paths->elts; for (i = 0; i < paths->nelts; i++) { @@ -3538,6 +3548,8 @@ ngx_ssl_session_ticket_keys(ngx_conf_t * ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, ngx_close_file_n " \"%V\" failed", &file.name); } + + ngx_explicit_memzero(&buf, 80); } if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys) @@ -3568,6 +3580,8 @@ failed: ngx_close_file_n " \"%V\" failed", &file.name); } + ngx_explicit_memzero(&buf, 80); + return NGX_ERROR; } @@ -3696,6 +3710,16 @@ ngx_ssl_session_ticket_key_callback(ngx_ } } + +static void +ngx_ssl_session_ticket_keys_cleanup(void *data) +{ + ngx_array_t *keys = data; + + ngx_explicit_memzero(keys->elts, + keys->nelts * sizeof(ngx_ssl_session_ticket_key_t)); +} + #else ngx_int_t

3 years, 6 months

[nginx] Modules compatibility: down flag in ngx_peer_connection_t.

by Roman Arutyunyan

details: https://hg.nginx.org/nginx/rev/570d8c626eea branches: changeset: 7452:570d8c626eea user: Roman Arutyunyan <arut(a)nginx.com> date: Thu Jan 31 17:25:03 2019 +0300 description: Modules compatibility: down flag in ngx_peer_connection_t. diffstat: src/event/ngx_event_connect.h | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (11 lines): diff -r d864ee67b5ae -r 570d8c626eea src/event/ngx_event_connect.h --- a/src/event/ngx_event_connect.h Tue Dec 25 15:26:58 2018 +0300 +++ b/src/event/ngx_event_connect.h Thu Jan 31 17:25:03 2019 +0300 @@ -63,6 +63,7 @@ struct ngx_peer_connection_s { unsigned cached:1; unsigned transparent:1; unsigned so_keepalive:1; + unsigned down:1; /* ngx_connection_log_error_e */ unsigned log_error:2;

3 years, 6 months

[nginx] Use %s for errors returned from configuration parsing handlers.

by Ruslan Ermilov

details: https://hg.nginx.org/nginx/rev/d864ee67b5ae branches: changeset: 7451:d864ee67b5ae user: Ruslan Ermilov <ru(a)nginx.com> date: Tue Dec 25 15:26:58 2018 +0300 description: Use %s for errors returned from configuration parsing handlers. diffstat: src/core/ngx_conf_file.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff -r 2d9ab7717e23 -r d864ee67b5ae src/core/ngx_conf_file.c --- a/src/core/ngx_conf_file.c Wed Jan 30 19:28:27 2019 +0300 +++ b/src/core/ngx_conf_file.c Tue Dec 25 15:26:58 2018 +0300 @@ -310,7 +310,7 @@ ngx_conf_parse(ngx_conf_t *cf, ngx_str_t goto failed; } - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, rv); + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "%s", rv); goto failed; }

3 years, 6 months

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

nginx-devel January 2019