nginx-devel June 2022

nginx-devel@nginx.org

18 participants
77 discussions

by Roman Arutyunyan

- patch #1 adds support for reusable and idle modes for the main QUIC conneciton. They allow to close QUIC connections that have no active request streams when connections are needed for a new client or when nginx worker is shutting down. - patch #2 allows to switch main QUIC connection to reusable and idle modes after handshake and util streams are created. A new callback init_streams() is added for this.

4 days, 2 hours

[PATCH 0 of 2] KTLS / SSL_sendfile() support

by Maxim Dounin

Hello! This patch series add kernel TLS / SSL_sendfile() support. Works on FreeBSD 13.0+ and Linux with kernel 4.13+ (at least 5.2 is recommended, tested with 5.11). The following questions need additional testing/attention: - What about EINTR? Looks like it simply results in SSL_ERROR_WANT_WRITE, so might need extra checking to make sure there will be another write event. - What about SSL_sendfile(), early data and write blocking? Ref. c->ssl->write_blocked, 7431:294162223c7c by pluknet@. Looks like it is not a problem with SSL_sendfile(), but needs further checking. - What about FreeBSD aio sendfile (aka SF_NODISKIO)? Might be easy enough to support. Review and testing appreciated. -- Maxim Dounin

1 week, 2 days

nginx KTLS and HTTP/2 performance degradation

by Lyuben Stoev

Hello, I have tested the nginx with the patch https://hg.nginx.org/nginx/rev/65946a191197 (SSL: SSL_sendfile() support with kernel TLS.) following the nginx blog article https://www.nginx.com/blog/improving-nginx-performance-with-kernel-tls/ And it sort of works, but I have bad performance when making HTTP/2 requests. If I made a HTTP/1.1 request there is 30-35% increase in performance as the Nginx blog article stated, but when I changed the request to use HTTP/2 the request was 40% slower than an ordinary nginx without KTLS enabled. Does anyone have such perfomance degradation with nginx KTLS and HTTP/2? I am using generic setup - Ubuntu 20.04.3 LTS and kernels 5.8.0-63-generic (the same results are with 5.4.0-91-generic). The nginx vritual host is the same as in the Nginx blog article with exception of adding http2 to the listen! OpenSSL 3.0.0 and nginx 1.21.4 are used. The KTLS seems to work, because the strace and debug logs show it. Just the sstrange thing is when using HTTP2, the sendfile syscalls look: write(39, "\0 \0\0\0\0\0\0\1", 9) = 9 sendfile(39, 131, [1418218] => [1426410], 8192) = 8192 write(39, "\0 \0\0\0\0\0\0\1", 9) = 9 sendfile(39, 131, [1426410] => [1434602], 8192) = 8192 write(39, "\0 \0\0\0\0\0\0\1", 9) = 9 sendfile(39, 131, [1434602] => [1442794], 8192) = 8192 write(39, "\0 \0\0\0\0\0\0\1", 9) = 9 sendfile(39, 131, [1442794] => [1450986], 8192) = 8192 write(39, "\0 \0\0\0\0\0\0\1", 9) = 9 sendfile(39, 131, [1450986] => [1459178], 8192) = 8192 write(39, "\0 \0\0\0\0\0\0\1", 9) = 9 sendfile(39, 131, [1459178] => [1467370], 8192) = 8192 It is always 8K and there are thousands of sendfile syscalls.... And when the HTTP/1.1 is used the sendfile syscall changes the window: sendfile(32, 33, [586170368] => [586694656], 487571456) = 524288 sendfile(32, 33, [586694656], 487047168) = -1 EAGAIN (Resource temporarily unavailable) epoll_wait(8, [{EPOLLOUT, {u32=1602391248, u64=94426458393808}}], 512, 59711) = 1 sendfile(32, 33, [586694656] => [594673664], 487047168) = 7979008 sendfile(32, 33, [594673664] => [595001344], 479068160) = 327680 sendfile(32, 33, [595001344], 478740480) = -1 EAGAIN (Resource temporarily unavailable) epoll_wait(8, [{EPOLLOUT, {u32=1602391248, u64=94426458393808}}], 512, 60000) = 1 sendfile(32, 33, [595001344] => [604028928], 478740480) = 9027584 sendfile(32, 33, [604028928] => [604356608], 469712896) = 327680 sendfile(32, 33, [604356608] => [604749824], 469385216) = 393216 sendfile(32, 33, [604749824] => [605192192], 468992000) = 442368 Does anyone receive similar results? root@srv-tests:~# curl --http1.1 --tls13-ciphers TLS_AES_256_GCM_SHA384 https://mytests.local/1G --output /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1024M 100 1024M 0 0 1170M 0 --:--:-- --:--:-- --:--:-- 1168M root@srv-tests:~# curl --http1.1 --tls13-ciphers TLS_AES_256_GCM_SHA384 https://mytests.local/1G --output /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1024M 100 1024M 0 0 1197M 0 --:--:-- --:--:-- --:--:-- 1196M root@srv-tests:~# curl --http2 --tls13-ciphers TLS_AES_256_GCM_SHA384 https://mytests.local/1G --output /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1024M 100 1024M 0 0 340M 0 0:00:03 0:00:03 --:--:-- 340M root@srv-tests:~# curl --http2 --tls13-ciphers TLS_AES_256_GCM_SHA384 https://mytests.local/1G --output /dev/null % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 1024M 100 1024M 0 0 338M 0 0:00:03 0:00:03 --:--:-- 338M srv-prod ~ # h2load -n 1 -c 1 -t 1 https://mytests.local/1G starting benchmark... spawning thread #0: 1 total client(s). 1 total requests TLS Protocol: TLSv1.3 Cipher: TLS_AES_256_GCM_SHA384 Server Temp Key: X25519 253 bits Application protocol: h2 progress: 100% done finished in 7.64s, 0.13 req/s, 134.11MB/s requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx traffic: 1.00GB (1074922031) total, 492B (492) headers (space savings 21.66%), 1.00GB (1073741824) data min max mean sd +/- sd time for request: 7.63s 7.63s 7.63s 0us 100.00% time for connect: 13.46ms 13.46ms 13.46ms 0us 100.00% time to 1st byte: 15.05ms 15.05ms 15.05ms 0us 100.00% req/s : 0.13 0.13 0.13 0.00 100.00% srv-prod ~ # h2load --h1 -n 1 -c 1 -t 1 https://mytests.local/1G starting benchmark... spawning thread #0: 1 total client(s). 1 total requests TLS Protocol: TLSv1.3 Cipher: TLS_AES_256_GCM_SHA384 Server Temp Key: X25519 253 bits Application protocol: http/1.1 progress: 100% done finished in 2.65s, 0.38 req/s, 386.41MB/s requests: 1 total, 1 started, 1 done, 1 succeeded, 0 failed, 0 errored, 0 timeout status codes: 1 2xx, 0 3xx, 0 4xx, 0 5xx traffic: 1.00GB (1073742546) total, 631B (631) headers (space savings 0.00%), 1.00GB (1073741824) data min max mean sd +/- sd time for request: 2.64s 2.64s 2.64s 0us 100.00% time for connect: 13.72ms 13.72ms 13.72ms 0us 100.00% time to 1st byte: 14.86ms 14.86ms 14.86ms 0us 100.00% req/s : 0.38 0.38 0.38 0.00 100.00% With regards, Lyuben Stoev

2 months, 3 weeks

close request

by Dk Jack

Hi, What is the significance of this alert in ngx_http_close_request if (r->count == 0) { ngx_log_error(NGX_LOG_ALERT, c->log, 0, "http request count is zero"); } I am seeing this alert in my logs in some cases. Dk.

4 months

[PATCH 0 of 4] avoid pool allocations

by Roman Arutyunyan

Updated version of the series.

4 months, 1 week

[PATCH 1 of 2] The "ipv4=" parameter of the "resolver" directive

by Sergey Kandaurov

# HG changeset patch # User Ruslan Ermilov <ru(a)nginx.com> # Date 1645589317 -10800 # Wed Feb 23 07:08:37 2022 +0300 # Node ID 04e314eb6b4d20a48c5d7bab0609e1b03b51b406 # Parent fecd73db563fb64108f7669eca419badb2aba633 The "ipv4=" parameter of the "resolver" directive. When set to "off", only IPv6 addresses will be resolved, and no A queries are ever sent (ticket #2196). diff -r fecd73db563f -r 04e314eb6b4d src/core/ngx_resolver.c --- a/src/core/ngx_resolver.c Tue Jun 21 17:25:37 2022 +0300 +++ b/src/core/ngx_resolver.c Wed Feb 23 07:08:37 2022 +0300 @@ -157,6 +157,8 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_ cln->handler = ngx_resolver_cleanup; cln->data = r; + r->ipv4 = 1; + ngx_rbtree_init(&r->name_rbtree, &r->name_sentinel, ngx_resolver_rbtree_insert_value); @@ -225,6 +227,23 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_ } #if (NGX_HAVE_INET6) + if (ngx_strncmp(names[i].data, "ipv4=", 5) == 0) { + + if (ngx_strcmp(&names[i].data[5], "on") == 0) { + r->ipv4 = 1; + + } else if (ngx_strcmp(&names[i].data[5], "off") == 0) { + r->ipv4 = 0; + + } else { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid parameter: %V", &names[i]); + return NULL; + } + + continue; + } + if (ngx_strncmp(names[i].data, "ipv6=", 5) == 0) { if (ngx_strcmp(&names[i].data[5], "on") == 0) { @@ -273,6 +292,14 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_ } } +#if (NGX_HAVE_INET6) + if (r->ipv4 + r->ipv6 == 0) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "\"ipv4\" and \"ipv6\" cannot both be \"off\""); + return NULL; + } +#endif + if (n && r->connections.nelts == 0) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "no name servers defined"); return NULL; @@ -836,7 +863,7 @@ ngx_resolve_name_locked(ngx_resolver_t * r->last_connection = 0; } - rn->naddrs = (u_short) -1; + rn->naddrs = r->ipv4 ? (u_short) -1 : 0; rn->tcp = 0; #if (NGX_HAVE_INET6) rn->naddrs6 = r->ipv6 ? (u_short) -1 : 0; @@ -1263,7 +1290,7 @@ ngx_resolver_send_query(ngx_resolver_t * rec->log.action = "resolving"; } - if (rn->naddrs == (u_short) -1) { + if (rn->query && rn->naddrs == (u_short) -1) { rc = rn->tcp ? ngx_resolver_send_tcp_query(r, rec, rn->query, rn->qlen) : ngx_resolver_send_udp_query(r, rec, rn->query, rn->qlen); @@ -1765,10 +1792,13 @@ ngx_resolver_process_response(ngx_resolv q = ngx_queue_next(q)) { rn = ngx_queue_data(q, ngx_resolver_node_t, queue); - qident = (rn->query[0] << 8) + rn->query[1]; - - if (qident == ident) { - goto dns_error_name; + + if (rn->query) { + qident = (rn->query[0] << 8) + rn->query[1]; + + if (qident == ident) { + goto dns_error_name; + } } #if (NGX_HAVE_INET6) @@ -3645,7 +3675,7 @@ ngx_resolver_create_name_query(ngx_resol len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t); #if (NGX_HAVE_INET6) - p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len); + p = ngx_resolver_alloc(r, len * (r->ipv4 + r->ipv6)); #else p = ngx_resolver_alloc(r, len); #endif @@ -3654,23 +3684,28 @@ ngx_resolver_create_name_query(ngx_resol } rn->qlen = (u_short) len; - rn->query = p; + + if (r->ipv4) { + rn->query = p; + } #if (NGX_HAVE_INET6) if (r->ipv6) { - rn->query6 = p + len; + rn->query6 = r->ipv4 ? (p + len) : p; } #endif query = (ngx_resolver_hdr_t *) p; - ident = ngx_random(); - - ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0, - "resolve: \"%V\" A %i", name, ident & 0xffff); - - query->ident_hi = (u_char) ((ident >> 8) & 0xff); - query->ident_lo = (u_char) (ident & 0xff); + if (r->ipv4) { + ident = ngx_random(); + + ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0, + "resolve: \"%V\" A %i", name, ident & 0xffff); + + query->ident_hi = (u_char) ((ident >> 8) & 0xff); + query->ident_lo = (u_char) (ident & 0xff); + } /* recursion query */ query->flags_hi = 1; query->flags_lo = 0; @@ -3731,7 +3766,9 @@ ngx_resolver_create_name_query(ngx_resol p = rn->query6; - ngx_memcpy(p, rn->query, rn->qlen); + if (r->ipv4) { + ngx_memcpy(p, rn->query, rn->qlen); + } query = (ngx_resolver_hdr_t *) p; diff -r fecd73db563f -r 04e314eb6b4d src/core/ngx_resolver.h --- a/src/core/ngx_resolver.h Tue Jun 21 17:25:37 2022 +0300 +++ b/src/core/ngx_resolver.h Wed Feb 23 07:08:37 2022 +0300 @@ -175,8 +175,10 @@ struct ngx_resolver_s { ngx_queue_t srv_expire_queue; ngx_queue_t addr_expire_queue; + unsigned ipv4:1; + #if (NGX_HAVE_INET6) - ngx_uint_t ipv6; /* unsigned ipv6:1; */ + unsigned ipv6:1; ngx_rbtree_t addr6_rbtree; ngx_rbtree_node_t addr6_sentinel; ngx_queue_t addr6_resend_queue;

4 months, 3 weeks

[PATCH] Add ipv4=off option in resolver like ipv6=off (ticket #1330)

by Lukas Lihotzki via nginx-devel

# HG changeset patch # User Lukas Lihotzki <lukas(a)lihotzki.de> # Date 1642618053 -3600 # Wed Jan 19 19:47:33 2022 +0100 # Node ID e9f06dc2d6a4a1aa61c15009b84ceedcaf5983b2 # Parent aeab41dfd2606dd36cabbf01f1472726e27e8aea Add ipv4=off option in resolver like ipv6=off (ticket #1330). IPv6-only hosts (ticket #1330) and upstreams with IPv6 bind address (ticket #1535) need to disable resolving to IPv4 addresses. Ticket #1330 mentions ipv4=off is the proper fix. diff -r aeab41dfd260 -r e9f06dc2d6a4 src/core/ngx_resolver.c --- a/src/core/ngx_resolver.c Mon Jan 17 17:05:12 2022 +0300 +++ b/src/core/ngx_resolver.c Wed Jan 19 19:47:33 2022 +0100 @@ -122,10 +122,13 @@ static ngx_int_t ngx_resolver_cmp_srvs(const void *one, const void *two); #if (NGX_HAVE_INET6) +#define ngx_ipv4_enabled(r) r->ipv4 static void ngx_resolver_rbtree_insert_addr6_value(ngx_rbtree_node_t *temp, ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); static ngx_resolver_node_t *ngx_resolver_lookup_addr6(ngx_resolver_t *r, struct in6_addr *addr, uint32_t hash); +#else +#define ngx_ipv4_enabled(r) 1 #endif @@ -175,6 +178,7 @@ ngx_queue_init(&r->addr_expire_queue); #if (NGX_HAVE_INET6) + r->ipv4 = 1; r->ipv6 = 1; ngx_rbtree_init(&r->addr6_rbtree, &r->addr6_sentinel, @@ -225,6 +229,23 @@ } #if (NGX_HAVE_INET6) + if (ngx_strncmp(names[i].data, "ipv4=", 5) == 0) { + + if (ngx_strcmp(&names[i].data[5], "on") == 0) { + r->ipv4 = 1; + + } else if (ngx_strcmp(&names[i].data[5], "off") == 0) { + r->ipv4 = 0; + + } else { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, + "invalid parameter: %V", &names[i]); + return NULL; + } + + continue; + } + if (ngx_strncmp(names[i].data, "ipv6=", 5) == 0) { if (ngx_strcmp(&names[i].data[5], "on") == 0) { @@ -273,6 +294,13 @@ } } +#if (NGX_HAVE_INET6) + if (!r->ipv4 && !r->ipv6) { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "both ipv4 and ipv6 disabled"); + return NULL; + } +#endif + if (n && r->connections.nelts == 0) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "no name servers defined"); return NULL; @@ -836,7 +864,7 @@ r->last_connection = 0; } - rn->naddrs = (u_short) -1; + rn->naddrs = ngx_ipv4_enabled(r) ? (u_short) -1 : 0; rn->tcp = 0; #if (NGX_HAVE_INET6) rn->naddrs6 = r->ipv6 ? (u_short) -1 : 0; @@ -3644,7 +3672,7 @@ len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t); #if (NGX_HAVE_INET6) - p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len); + p = ngx_resolver_alloc(r, len * (r->ipv4 + r->ipv6)); #else p = ngx_resolver_alloc(r, len); #endif @@ -3657,19 +3685,21 @@ #if (NGX_HAVE_INET6) if (r->ipv6) { - rn->query6 = p + len; + rn->query6 = p + len * r->ipv4; } #endif query = (ngx_resolver_hdr_t *) p; - ident = ngx_random(); - - ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0, - "resolve: \"%V\" A %i", name, ident & 0xffff); - - query->ident_hi = (u_char) ((ident >> 8) & 0xff); - query->ident_lo = (u_char) (ident & 0xff); + if (ngx_ipv4_enabled(r)) { + ident = ngx_random(); + + ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0, + "resolve: \"%V\" A %i", name, ident & 0xffff); + + query->ident_hi = (u_char) ((ident >> 8) & 0xff); + query->ident_lo = (u_char) (ident & 0xff); + } /* recursion query */ query->flags_hi = 1; query->flags_lo = 0; diff -r aeab41dfd260 -r e9f06dc2d6a4 src/core/ngx_resolver.h --- a/src/core/ngx_resolver.h Mon Jan 17 17:05:12 2022 +0300 +++ b/src/core/ngx_resolver.h Wed Jan 19 19:47:33 2022 +0100 @@ -176,7 +176,8 @@ ngx_queue_t addr_expire_queue; #if (NGX_HAVE_INET6) - ngx_uint_t ipv6; /* unsigned ipv6:1; */ + unsigned ipv4:1; + unsigned ipv6:1; ngx_rbtree_t addr6_rbtree; ngx_rbtree_node_t addr6_sentinel; ngx_queue_t addr6_resend_queue; _______________________________________________ nginx-devel mailing list -- nginx-devel(a)nginx.org To unsubscribe send an email to nginx-devel-leave(a)nginx.org

5 months

[nginx] Upstream: optimized use of SSL contexts (ticket #1234).

by Sergey Kandaurov

details: https://hg.nginx.org/nginx/rev/9d98d524bd02 branches: changeset: 8053:9d98d524bd02 user: Maxim Dounin <mdounin(a)mdounin.ru> date: Wed Jun 29 02:47:45 2022 +0300 description: Upstream: optimized use of SSL contexts (ticket #1234). To ensure optimal use of memory, SSL contexts for proxying are now inherited from previous levels as long as relevant proxy_ssl_* directives are not redefined. Further, when no proxy_ssl_* directives are redefined in a server block, we now preserve plcf->upstream.ssl in the "http" section configuration to inherit it to all servers. Similar changes made in uwsgi, grpc, and stream proxy. diffstat: src/http/modules/ngx_http_grpc_module.c | 66 +++++++++++++++++++++++++++--- src/http/modules/ngx_http_proxy_module.c | 68 ++++++++++++++++++++++++++++--- src/http/modules/ngx_http_uwsgi_module.c | 66 +++++++++++++++++++++++++++--- src/stream/ngx_stream_proxy_module.c | 64 +++++++++++++++++++++++++++-- 4 files changed, 236 insertions(+), 28 deletions(-) diffs (431 lines): diff -r e210c8942a54 -r 9d98d524bd02 src/http/modules/ngx_http_grpc_module.c --- a/src/http/modules/ngx_http_grpc_module.c Wed Jun 29 02:47:38 2022 +0300 +++ b/src/http/modules/ngx_http_grpc_module.c Wed Jun 29 02:47:45 2022 +0300 @@ -209,6 +209,8 @@ static char *ngx_http_grpc_ssl_password_ ngx_command_t *cmd, void *conf); static char *ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data); +static ngx_int_t ngx_http_grpc_merge_ssl(ngx_conf_t *cf, + ngx_http_grpc_loc_conf_t *conf, ngx_http_grpc_loc_conf_t *prev); static ngx_int_t ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf); #endif @@ -562,7 +564,7 @@ ngx_http_grpc_handler(ngx_http_request_t ctx->host = glcf->host; #if (NGX_HTTP_SSL) - u->ssl = (glcf->upstream.ssl != NULL); + u->ssl = glcf->ssl; if (u->ssl) { ngx_str_set(&u->schema, "grpcs://"); @@ -4463,6 +4465,10 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t #if (NGX_HTTP_SSL) + if (ngx_http_grpc_merge_ssl(cf, conf, prev) != NGX_OK) { + return NGX_CONF_ERROR; + } + ngx_conf_merge_value(conf->upstream.ssl_session_reuse, prev->upstream.ssl_session_reuse, 1); @@ -4524,7 +4530,7 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t conf->grpc_values = prev->grpc_values; #if (NGX_HTTP_SSL) - conf->upstream.ssl = prev->upstream.ssl; + conf->ssl = prev->ssl; #endif } @@ -4874,17 +4880,63 @@ ngx_http_grpc_ssl_conf_command_check(ngx static ngx_int_t +ngx_http_grpc_merge_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *conf, + ngx_http_grpc_loc_conf_t *prev) +{ + ngx_uint_t preserve; + + if (conf->ssl_protocols == 0 + && conf->ssl_ciphers.data == NULL + && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_verify == NGX_CONF_UNSET + && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT + && conf->ssl_trusted_certificate.data == NULL + && conf->ssl_crl.data == NULL + && conf->upstream.ssl_session_reuse == NGX_CONF_UNSET + && conf->ssl_conf_commands == NGX_CONF_UNSET_PTR) + { + if (prev->upstream.ssl) { + conf->upstream.ssl = prev->upstream.ssl; + return NGX_OK; + } + + preserve = 1; + + } else { + preserve = 0; + } + + conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); + if (conf->upstream.ssl == NULL) { + return NGX_ERROR; + } + + conf->upstream.ssl->log = cf->log; + + /* + * special handling to preserve conf->upstream.ssl + * in the "http" section to inherit it to all servers + */ + + if (preserve) { + prev->upstream.ssl = conf->upstream.ssl; + } + + return NGX_OK; +} + + +static ngx_int_t ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf) { ngx_pool_cleanup_t *cln; - glcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); - if (glcf->upstream.ssl == NULL) { - return NGX_ERROR; + if (glcf->upstream.ssl->ctx) { + return NGX_OK; } - glcf->upstream.ssl->log = cf->log; - if (ngx_ssl_create(glcf->upstream.ssl, glcf->ssl_protocols, NULL) != NGX_OK) { diff -r e210c8942a54 -r 9d98d524bd02 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Wed Jun 29 02:47:38 2022 +0300 +++ b/src/http/modules/ngx_http_proxy_module.c Wed Jun 29 02:47:45 2022 +0300 @@ -236,6 +236,8 @@ static ngx_int_t ngx_http_proxy_rewrite_ ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless); #if (NGX_HTTP_SSL) +static ngx_int_t ngx_http_proxy_merge_ssl(ngx_conf_t *cf, + ngx_http_proxy_loc_conf_t *conf, ngx_http_proxy_loc_conf_t *prev); static ngx_int_t ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf); #endif @@ -959,7 +961,7 @@ ngx_http_proxy_handler(ngx_http_request_ ctx->vars = plcf->vars; u->schema = plcf->vars.schema; #if (NGX_HTTP_SSL) - u->ssl = (plcf->upstream.ssl != NULL); + u->ssl = plcf->ssl; #endif } else { @@ -3724,6 +3726,10 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t #if (NGX_HTTP_SSL) + if (ngx_http_proxy_merge_ssl(cf, conf, prev) != NGX_OK) { + return NGX_CONF_ERROR; + } + ngx_conf_merge_value(conf->upstream.ssl_session_reuse, prev->upstream.ssl_session_reuse, 1); @@ -3857,7 +3863,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t conf->proxy_values = prev->proxy_values; #if (NGX_HTTP_SSL) - conf->upstream.ssl = prev->upstream.ssl; + conf->ssl = prev->ssl; #endif } @@ -4923,16 +4929,62 @@ ngx_http_proxy_ssl_conf_command_check(ng static ngx_int_t +ngx_http_proxy_merge_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf, + ngx_http_proxy_loc_conf_t *prev) +{ + ngx_uint_t preserve; + + if (conf->ssl_protocols == 0 + && conf->ssl_ciphers.data == NULL + && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_verify == NGX_CONF_UNSET + && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT + && conf->ssl_trusted_certificate.data == NULL + && conf->ssl_crl.data == NULL + && conf->upstream.ssl_session_reuse == NGX_CONF_UNSET + && conf->ssl_conf_commands == NGX_CONF_UNSET_PTR) + { + if (prev->upstream.ssl) { + conf->upstream.ssl = prev->upstream.ssl; + return NGX_OK; + } + + preserve = 1; + + } else { + preserve = 0; + } + + conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); + if (conf->upstream.ssl == NULL) { + return NGX_ERROR; + } + + conf->upstream.ssl->log = cf->log; + + /* + * special handling to preserve conf->upstream.ssl + * in the "http" section to inherit it to all servers + */ + + if (preserve) { + prev->upstream.ssl = conf->upstream.ssl; + } + + return NGX_OK; +} + + +static ngx_int_t ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf) { ngx_pool_cleanup_t *cln; - plcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); - if (plcf->upstream.ssl == NULL) { - return NGX_ERROR; - } - - plcf->upstream.ssl->log = cf->log; + if (plcf->upstream.ssl->ctx) { + return NGX_OK; + } if (ngx_ssl_create(plcf->upstream.ssl, plcf->ssl_protocols, NULL) != NGX_OK) diff -r e210c8942a54 -r 9d98d524bd02 src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c Wed Jun 29 02:47:38 2022 +0300 +++ b/src/http/modules/ngx_http_uwsgi_module.c Wed Jun 29 02:47:45 2022 +0300 @@ -96,6 +96,8 @@ static char *ngx_http_uwsgi_ssl_password ngx_command_t *cmd, void *conf); static char *ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data); +static ngx_int_t ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf, + ngx_http_uwsgi_loc_conf_t *conf, ngx_http_uwsgi_loc_conf_t *prev); static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf); #endif @@ -668,7 +670,7 @@ ngx_http_uwsgi_handler(ngx_http_request_ if (uwcf->uwsgi_lengths == NULL) { #if (NGX_HTTP_SSL) - u->ssl = (uwcf->upstream.ssl != NULL); + u->ssl = uwcf->ssl; if (u->ssl) { ngx_str_set(&u->schema, "suwsgi://"); @@ -1865,6 +1867,10 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t #if (NGX_HTTP_SSL) + if (ngx_http_uwsgi_merge_ssl(cf, conf, prev) != NGX_OK) { + return NGX_CONF_ERROR; + } + ngx_conf_merge_value(conf->upstream.ssl_session_reuse, prev->upstream.ssl_session_reuse, 1); @@ -1927,7 +1933,7 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t conf->uwsgi_values = prev->uwsgi_values; #if (NGX_HTTP_SSL) - conf->upstream.ssl = prev->upstream.ssl; + conf->ssl = prev->ssl; #endif } @@ -2455,17 +2461,63 @@ ngx_http_uwsgi_ssl_conf_command_check(ng static ngx_int_t +ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *conf, + ngx_http_uwsgi_loc_conf_t *prev) +{ + ngx_uint_t preserve; + + if (conf->ssl_protocols == 0 + && conf->ssl_ciphers.data == NULL + && conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR + && conf->upstream.ssl_verify == NGX_CONF_UNSET + && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT + && conf->ssl_trusted_certificate.data == NULL + && conf->ssl_crl.data == NULL + && conf->upstream.ssl_session_reuse == NGX_CONF_UNSET + && conf->ssl_conf_commands == NGX_CONF_UNSET_PTR) + { + if (prev->upstream.ssl) { + conf->upstream.ssl = prev->upstream.ssl; + return NGX_OK; + } + + preserve = 1; + + } else { + preserve = 0; + } + + conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); + if (conf->upstream.ssl == NULL) { + return NGX_ERROR; + } + + conf->upstream.ssl->log = cf->log; + + /* + * special handling to preserve conf->upstream.ssl + * in the "http" section to inherit it to all servers + */ + + if (preserve) { + prev->upstream.ssl = conf->upstream.ssl; + } + + return NGX_OK; +} + + +static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf) { ngx_pool_cleanup_t *cln; - uwcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); - if (uwcf->upstream.ssl == NULL) { - return NGX_ERROR; + if (uwcf->upstream.ssl->ctx) { + return NGX_OK; } - uwcf->upstream.ssl->log = cf->log; - if (ngx_ssl_create(uwcf->upstream.ssl, uwcf->ssl_protocols, NULL) != NGX_OK) { diff -r e210c8942a54 -r 9d98d524bd02 src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Wed Jun 29 02:47:38 2022 +0300 +++ b/src/stream/ngx_stream_proxy_module.c Wed Jun 29 02:47:45 2022 +0300 @@ -103,6 +103,8 @@ static void ngx_stream_proxy_ssl_handsha static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c); static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s); static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s); +static ngx_int_t ngx_stream_proxy_merge_ssl(ngx_conf_t *cf, + ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev); static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf); @@ -801,7 +803,7 @@ ngx_stream_proxy_init_upstream(ngx_strea #if (NGX_STREAM_SSL) - if (pc->type == SOCK_STREAM && pscf->ssl) { + if (pc->type == SOCK_STREAM && pscf->ssl_enable) { if (u->proxy_protocol) { if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) { @@ -2150,6 +2152,10 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf #if (NGX_STREAM_SSL) + if (ngx_stream_proxy_merge_ssl(cf, conf, prev) != NGX_OK) { + return NGX_CONF_ERROR; + } + ngx_conf_merge_value(conf->ssl_enable, prev->ssl_enable, 0); ngx_conf_merge_value(conf->ssl_session_reuse, @@ -2199,17 +2205,63 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf #if (NGX_STREAM_SSL) static ngx_int_t +ngx_stream_proxy_merge_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *conf, + ngx_stream_proxy_srv_conf_t *prev) +{ + ngx_uint_t preserve; + + if (conf->ssl_protocols == 0 + && conf->ssl_ciphers.data == NULL + && conf->ssl_certificate == NGX_CONF_UNSET_PTR + && conf->ssl_certificate_key == NGX_CONF_UNSET_PTR + && conf->ssl_passwords == NGX_CONF_UNSET_PTR + && conf->ssl_verify == NGX_CONF_UNSET + && conf->ssl_verify_depth == NGX_CONF_UNSET_UINT + && conf->ssl_trusted_certificate.data == NULL + && conf->ssl_crl.data == NULL + && conf->ssl_session_reuse == NGX_CONF_UNSET + && conf->ssl_conf_commands == NGX_CONF_UNSET_PTR) + { + if (prev->ssl) { + conf->ssl = prev->ssl; + return NGX_OK; + } + + preserve = 1; + + } else { + preserve = 0; + } + + conf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); + if (conf->ssl == NULL) { + return NGX_ERROR; + } + + conf->ssl->log = cf->log; + + /* + * special handling to preserve conf->ssl + * in the "stream" section to inherit it to all servers + */ + + if (preserve) { + prev->ssl = conf->ssl; + } + + return NGX_OK; +} + + +static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf) { ngx_pool_cleanup_t *cln; - pscf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t)); - if (pscf->ssl == NULL) { - return NGX_ERROR; + if (pscf->ssl->ctx) { + return NGX_OK; } - pscf->ssl->log = cf->log; - if (ngx_ssl_create(pscf->ssl, pscf->ssl_protocols, NULL) != NGX_OK) { return NGX_ERROR; }

5 months, 1 week

[nginx] Version bump.

by Sergey Kandaurov

details: https://hg.nginx.org/nginx/rev/e210c8942a54 branches: changeset: 8052:e210c8942a54 user: Maxim Dounin <mdounin(a)mdounin.ru> date: Wed Jun 29 02:47:38 2022 +0300 description: Version bump. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff -r fecd73db563f -r e210c8942a54 src/core/nginx.h --- a/src/core/nginx.h Tue Jun 21 17:25:37 2022 +0300 +++ b/src/core/nginx.h Wed Jun 29 02:47:38 2022 +0300 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1023000 -#define NGINX_VERSION "1.23.0" +#define nginx_version 1023001 +#define NGINX_VERSION "1.23.1" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD

5 months, 1 week

[njs] Fixed break instruction in a try-catch block.

by Dmitry Volyntsev

details: https://hg.nginx.org/njs/rev/b7c4e0f714a9 branches: changeset: 1902:b7c4e0f714a9 user: Dmitry Volyntsev <xeioex(a)nginx.com> date: Tue Jun 28 23:04:00 2022 -0700 description: Fixed break instruction in a try-catch block. Previously, JUMP offset for a break instruction inside a try-catch block was not set to a correct offset during code generation when a return instruction was present in inner try-catch block. The fix is to update the JUMP offset appropriately. This closes #553 issue on Github. diffstat: src/njs_generator.c | 41 +++++++++++++++++++++++++++++++++- src/test/njs_unit_test.c | 56 +++++++++++++++++++++++++++++++++++++---------- 2 files changed, 83 insertions(+), 14 deletions(-) diffs (140 lines): diff -r 116b09a57817 -r b7c4e0f714a9 src/njs_generator.c --- a/src/njs_generator.c Tue Jun 28 22:36:38 2022 -0700 +++ b/src/njs_generator.c Tue Jun 28 23:04:00 2022 -0700 @@ -4495,6 +4495,11 @@ njs_generate_try_catch(njs_vm_t *vm, njs NJS_GENERATOR_ALL, &ctx->try_exit_label); + /* + * block can be NULL when &ctx->try_exit_label is "@return" + * for outermost try-catch block. + */ + if (block != NULL) { patch = njs_generate_make_exit_patch(vm, block, &ctx->try_exit_label, @@ -4503,6 +4508,26 @@ njs_generate_try_catch(njs_vm_t *vm, njs if (njs_slow_path(patch == NULL)) { return NJS_ERROR; } + + } else { + + /* + * when block == NULL, we still want to patch the "finally" + * instruction break_offset. + */ + + block = njs_generate_find_block(vm, generator->block, + NJS_GENERATOR_ALL, + &no_label); + + if (block != NULL) { + patch = njs_generate_make_exit_patch(vm, block, &no_label, + njs_code_offset(generator, finally) + + offsetof(njs_vmcode_finally_t, break_offset)); + if (njs_slow_path(patch == NULL)) { + return NJS_ERROR; + } + } } } } @@ -4669,8 +4694,7 @@ njs_generate_try_end(njs_vm_t *vm, njs_g * outermost try-catch block. */ block = njs_generate_find_block(vm, generator->block, - NJS_GENERATOR_ALL - | NJS_GENERATOR_TRY, dest_label); + NJS_GENERATOR_ALL, dest_label); if (block != NULL) { patch = njs_generate_make_exit_patch(vm, block, dest_label, njs_code_offset(generator, finally) @@ -4678,6 +4702,19 @@ njs_generate_try_end(njs_vm_t *vm, njs_g if (njs_slow_path(patch == NULL)) { return NJS_ERROR; } + + } else { + + block = njs_generate_find_block(vm, generator->block, + NJS_GENERATOR_ALL, &no_label); + if (block != NULL) { + patch = njs_generate_make_exit_patch(vm, block, &no_label, + njs_code_offset(generator, finally) + + offsetof(njs_vmcode_finally_t, break_offset)); + if (njs_slow_path(patch == NULL)) { + return NJS_ERROR; + } + } } } diff -r 116b09a57817 -r b7c4e0f714a9 src/test/njs_unit_test.c --- a/src/test/njs_unit_test.c Tue Jun 28 22:36:38 2022 -0700 +++ b/src/test/njs_unit_test.c Tue Jun 28 23:04:00 2022 -0700 @@ -3411,20 +3411,52 @@ static njs_unit_test_t njs_test[] = njs_str("a,2") }, { njs_str("function f(n) { " - " var r1 = 0, r2 = 0, r3 = 0;" - " a:{ try { try { " - " if (n == 0) { break a; } " - " if (n == 1) { throw 'a'; } " - " } " - " catch (e) { break a; } finally { r1++; } } " - " catch (e) {} " - " finally { r2++; } " - " r3++; " - " }; " - "return [r1, r2, r3]" - "}; njs.dump([f(0), f(1), f(3)])"), + " var r1 = 0, r2 = 0, r3 = 0;" + " a:{ try { try { " + " if (n == 0) { break a; } " + " if (n == 1) { throw 'a'; } " + " } " + " catch (e) { break a; } finally { r1++; } } " + " catch (e) {} " + " finally { r2++; } " + " r3++; " + " }; " + "return [r1, r2, r3]" + "}; njs.dump([f(0), f(1), f(3)])"), njs_str("[[1,1,0],[1,1,0],[1,1,1]]") }, + + { njs_str("function f(n) {" + " while (1)" + " try {" + " if (n == 0) { break; }" + " if (n == 1) { throw 'a'; }" + "" + " try { return 42; }" + " catch (a) {}" + "" + " } catch (b) { return b; }" + "};" + "njs.dump([f(0), f(1), f(2)])"), + njs_str("[undefined,'a',42]") }, + + { njs_str("function f(n, r) {" + " while (1)" + " try {" + " if (n == 0) { break; }" + " if (n == 1) { throw 'a'; }" + "" + " try { return 42; }" + " catch (a) {}" + " finally { r.push('in');}" + "" + " } catch (b) { return b; }" + " finally { r.push('out'); }" + "};" + "function g(n) { var r = []; return [f(n, r), r]}" + "njs.dump([g(0), g(1), g(2)])"), + njs_str("[[undefined,['out']],['a',['out']],[42,['in','out']]]") }, + /**/ { njs_str("function f() { Object.prototype.toString = 1; };"

5 months, 1 week

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

nginx-devel June 2022