From pkamenic at redhat.com Wed Jul 1 13:36:04 2015
From: pkamenic at redhat.com (Petra Kamenickova)
Date: Wed, 1 Jul 2015 09:36:04 -0400 (EDT)
Subject: Satisfy directive behaviour
In-Reply-To: <1478700607.36775970.1435757725616.JavaMail.zimbra@redhat.com>
Message-ID: <1557558240.36776392.1435757764099.JavaMail.zimbra@redhat.com>

Hi!

I'm working on a custom PAM module which could be used as authorization support for authentication modules (e.g. ngx_http_auth_spnego_module) and I ran into a few problems. I'm not sure I fully get the interactions between and within phases in nginx. My background is Apache HTTP Server, so that might have twisted my expectations.

I have noticed that the satisfy directive behaves slightly differently than Apache's satisfy - nginx checks every module in the access phase and the first successful invocation stops any subsequent checks, whereas Apache's satisfy checks host-based access vs. other access modules. It has some implications, especially for authentication and authorization. What would be the best way to make sure that authorization phases that need authentication to be run get that authentication executed, even with satisfy any?

The post access phase looks like a good place for authorization, but it seems custom modules cannot really be added to this phase. So... is it possible to somehow add my module handler into the post access phase without changing the core module? Or is there any way to keep my module in the access phase but skip the satisfy check for that module?

I would be grateful for any help!

--
Petra Kamenickova

From serg.brester at sebres.de Wed Jul 1 14:55:05 2015
From: serg.brester at sebres.de (Sergey Brester)
Date: Wed, 01 Jul 2015 16:55:05 +0200
Subject: Satisfy directive behaviour
In-Reply-To: <1557558240.36776392.1435757764099.JavaMail.zimbra@redhat.com>
References: <1557558240.36776392.1435757764099.JavaMail.zimbra@redhat.com>
Message-ID: <0277a9cf5a95e5e2e7c5ad9da5cc3c40@sebres.de>

Hi,

Look at the module "auth_request" (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html).

A good working solution at the moment is to use the auth_request module together with some external auth daemon. You can avoid many problems, e.g. with async/sync handling etc. Using that I have already successfully realized many authentication methods (including NTLM/Negotiate for Windows).

If you have to realize anything doing a handshake, you can use the variable $connection or the combination "$connection:$remote_addr:$remote_port" as an identifier for your connection with persistent authentication.

Regards,
sebres.

01.07.2015 15:36, Petra Kamenickova:
> Hi!
>
> I'm working on a custom PAM module which could be used as
> authorization support for authentication modules (e.g.
> ngx_http_auth_spnego_module) and I ran into a few problems. I'm not sure
> I fully get the interactions between and within
> phases in nginx. My background is Apache HTTP Server, so that might have
> twisted my expectations.
>
> I have noticed that the satisfy directive behaves slightly differently than
> Apache's satisfy - nginx checks every module in the access phase and the
> first successful invocation stops any subsequent checks, whereas
> Apache's satisfy checks host-based access vs. other access modules. It
> has some implications, especially for authentication and authorization.
> What would be the best way to make sure that
> authorization phases that need authentication to be run get that
> authentication executed, even with satisfy any?
>
> The post access phase looks like a good place for authorization, but it
> seems custom modules cannot really be added to this phase.
> So... is it
> possible to somehow add my module handler into the post access phase
> without changing the core module? Or is there any way to keep my
> module in the access phase but skip the satisfy check for that module?
>
> I would be grateful for any help!
>
> --
> Petra Kamenickova
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel at nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel

From arut at nginx.com Thu Jul 2 14:16:49 2015
From: arut at nginx.com (Roman Arutyunyan)
Date: Thu, 02 Jul 2015 14:16:49 +0000
Subject: [nginx] Stream: fixed MSVC compilation warning.
Message-ID:

details: http://hg.nginx.org/nginx/rev/fdfdcad62875
branches:
changeset: 6203:fdfdcad62875
user: Roman Arutyunyan
date: Thu Jul 02 17:15:32 2015 +0300
description:
Stream: fixed MSVC compilation warning.

Thanks to itpp2012.

diffstat:

src/stream/ngx_stream_proxy_module.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff -r 6345822f0abb -r fdfdcad62875 src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c Thu Jun 25 12:36:52 2015 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Thu Jul 02 17:15:32 2015 +0300
@@ -1063,7 +1063,7 @@ ngx_stream_proxy_process(ngx_stream_sess } if (size > (size_t) limit) { - size = limit; + size = (size_t) limit; } }

From vbart at nginx.com Thu Jul 2 14:21:00 2015
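Review bot: the cast silences the MSVC warning, but the comparison on the line above, `if (size > (size_t) limit)`, still converts the off_t limit to size_t before comparing, so a limit that does not fit in size_t (or a negative one) compares as a truncated or huge unsigned value and the clamp can be skipped or applied wrongly; compare in off_t instead, `if ((off_t) size > limit)`, which is exactly what the following changeset 6204 does.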
From: vbart at nginx.com (Valentin Bartenev)
Date: Thu, 02 Jul 2015 14:21:00 +0000
Subject: [nginx] Stream: fixed possible integer overflow in rate limiting.
Message-ID:

details: http://hg.nginx.org/nginx/rev/114d1f8cdcab
branches:
changeset: 6204:114d1f8cdcab
user: Valentin Bartenev
date: Thu Jul 02 17:20:29 2015 +0300
description:
Stream: fixed possible integer overflow in rate limiting.

diffstat:

src/stream/ngx_stream_proxy_module.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff -r fdfdcad62875 -r 114d1f8cdcab src/stream/ngx_stream_proxy_module.c
--- a/src/stream/ngx_stream_proxy_module.c Thu Jul 02 17:15:32 2015 +0300
+++ b/src/stream/ngx_stream_proxy_module.c Thu Jul 02 17:20:29 2015 +0300
@@ -1062,7 +1062,7 @@ ngx_stream_proxy_process(ngx_stream_sess break; } - if (size > (size_t) limit) { + if ((off_t) size > limit) { size = (size_t) limit; } }

From nginx at shadowhunt.de Fri Jul 3 11:46:40 2015
From: nginx at shadowhunt.de (Alexander Dreweke)
Date: Fri, 3 Jul 2015 13:46:40 +0200
Subject: Missing Mime-Types
Message-ID: <20150703114639.GB12675@shadowhunt.de>

Hi

webfonts are often distributed in various formats, so each platform can pick their preferred format[1].

Currently mime-types for woff2, ttf and oft fonts are missing[2]. Further the mime-type for the html5 caching manifest is missing too[3].

[1]: https://github.com/choffmeister/roboto-fontface-bower/tree/develop/fonts
[2]: http://www.iana.org/assignments/media-types/application/font-sfnt
[3]: http://www.iana.org/assignments/media-types/text/cache-manifest

Please find attached my patch for the default mime.types definitions.

cu
Alex

-------------- next part --------------
A non-text attachment was scrubbed...
Name: mime.diff
Type: text/x-diff
Size: 837 bytes
Desc: not available
URL:

From kellyjameskane at hawknetworks.com Sat Jul 4 19:05:03 2015
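Review bot: with the comparison now done in off_t, the unchanged assignment `size = (size_t) limit;` runs only when `(off_t) size > limit`, so limit is below a value that already fits in size_t and the cast can no longer truncate; that still presumes limit is never negative (a negative limit passes the comparison and wraps to a huge size), and the hunk does not show where limit comes from, so a comment or an assertion on `limit >= 0` next to the comparison would pin down that precondition.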
From: kellyjameskane at hawknetworks.com (Kelly Kane) Date: Sat, 4 Jul 2015 12:05:03 -0700 Subject: OpenSSL needs `make depend` for certain build options Message-ID: # HG changeset patch # User Kelly Kane # Date 1436031726 25200 # Sat Jul 04 10:42:06 2015 -0700 # Node ID ded8ac7d639ef8cf26cb350fa7ef98 665fa60019 # Parent 114d1f8cdcabe5c7552b518c4d7ac0a7e98930c1 OpenSSL requires `make depend` for some build options. OpenSSL requires `make depend` for some build options. Blindly call it just in case. diff -r 114d1f8cdcab -r ded8ac7d639e auto/lib/openssl/make --- a/auto/lib/openssl/make Thu Jul 02 17:20:29 2015 +0300 +++ b/auto/lib/openssl/make Sat Jul 04 10:42:06 2015 -0700 @@ -52,6 +52,7 @@ cd $OPENSSL \\ && if [ -f Makefile ]; then \$(MAKE) clean; fi \\ && ./config --prefix=$ngx_prefix no-shared $OPENSSL_OPT \\ + && \$(MAKE) depend \\ && \$(MAKE) \\ && \$(MAKE) install LIBDIR=lib -------------- next part -------------- An HTML attachment was scrubbed... URL: From mdounin at mdounin.ru Mon Jul 6 00:00:50 2015 
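Review bot: the added `&& \$(MAKE) depend \\` runs for every --with-openssl build, while the message only says "some build options" without naming them; state which entries of $OPENSSL_OPT actually need the dependency pass, and either gate the step on those options or document that every build now pays for it, since as written it also runs in the common case where nothing in $OPENSSL_OPT requires it.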
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 6 Jul 2015 03:00:50 +0300
Subject: patch to allow loading PKCS #11 URLs
In-Reply-To: <1435152377.14697.45.camel@redhat.com>
References: <1434721788.3290.23.camel@redhat.com> <20150619140707.GY26357@mdounin.ru> <1434724788.3290.28.camel@redhat.com> <20150622011131.GH26357@mdounin.ru> <1434963962.3453.19.camel@redhat.com> <1435152377.14697.45.camel@redhat.com>
Message-ID: <20150706000050.GB1656@mdounin.ru>

Hello!

On Wed, Jun 24, 2015 at 03:26:17PM +0200, Nikos Mavrogiannopoulos wrote:

> On Mon, 2015-06-22 at 11:06 +0200, Nikos Mavrogiannopoulos wrote:
> >
> > The current support relies on engine_pkcs11, which is a 3rd party
> > module (not in the openssl distribution). It should be future-proof to
> > have a way to load PKCS #11 modules which is independent of the backend
> > used by nginx. So you could change the internal backend (for example to
> > use libp11 directly), without requiring all nginx users to change their
> > configuration files and remove the "engine:pkcs11:" part from their
> > keys.
>
> To add to this, it seems that the current PKCS #11 support in nginx is
> broken. It will only work with softhsm, which is a simplistic soft
> module. Hardware HSMs, and more advanced soft HSMs like caml-crush,
> require strict PKCS #11 adherence which neither engine_pkcs11 nor nginx
> have. That is, they require the reinitialization of any open PKCS #11
> modules and object handles after a fork.
>
> I think the simplest way is to solve that within engine_pkcs11 with an
> atfork handler and reinitialization on re-use... but that would be
> quite messy.
>
> For more info see:
> https://bugzilla.redhat.com/show_bug.cgi?id=1235284
> https://github.com/ANSSI-FR/caml-crush/issues/15

Yes, this was already discussed in the thread here:

http://mailman.nginx.org/pipermail/nginx-devel/2015-April/006783.html

This is believed to be a problem in engine_pkcs11, and should be fixed there.
From nginx's point of view it just uses keys from an engine, and it's the engine's responsibility to handle any details, including any reinitialization after fork() if needed.

--
Maxim Dounin
http://nginx.org/

From piotr at cloudflare.com Mon Jul 6 03:13:33 2015
From: piotr at cloudflare.com (Piotr Sikora)
Date: Sun, 5 Jul 2015 20:13:33 -0700
Subject: [PATCH] Core: add $nginx_build variable
In-Reply-To: <3bbe405ecafcec573957.1435117022@Piotrs-MacBook-Pro.local>
References: <3bbe405ecafcec573957.1435117022@Piotrs-MacBook-Pro.local>
Message-ID:

Hey guys,

On Tue, Jun 23, 2015 at 8:37 PM, Piotr Sikora wrote:
> # HG changeset patch
> # User Piotr Sikora
> # Date 1435116970 25200
> # Tue Jun 23 20:36:10 2015 -0700
> # Node ID 3bbe405ecafcec573957a5afd9f2a75be19d52f0
> # Parent 24488e6db782e24b9a30ba31f0b719204e582918
> Core: add $nginx_build variable.

Any plans to include this?

Best regards,
Piotr Sikora

From mdounin at mdounin.ru Mon Jul 6 12:07:57 2015
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 6 Jul 2015 15:07:57 +0300
Subject: [PATCH] Core: add $nginx_build variable
In-Reply-To:
References: <3bbe405ecafcec573957.1435117022@Piotrs-MacBook-Pro.local>
Message-ID: <20150706120757.GC1656@mdounin.ru>

Hello!

On Sun, Jul 05, 2015 at 08:13:33PM -0700, Piotr Sikora wrote:

> Hey guys,
>
> On Tue, Jun 23, 2015 at 8:37 PM, Piotr Sikora wrote:
> > # HG changeset patch
> > # User Piotr Sikora
> > # Date 1435116970 25200
> > # Tue Jun 23 20:36:10 2015 -0700
> > # Node ID 3bbe405ecafcec573957a5afd9f2a75be19d52f0
> > # Parent 24488e6db782e24b9a30ba31f0b719204e582918
> > Core: add $nginx_build variable.
>
> Any plans to include this?

I've just returned from a vacation and am currently looking through the mail backlog. I'll look into this and other patches as time permits.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Tue Jul 7 14:06:28 2015
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Tue, 07 Jul 2015 14:06:28 +0000
Subject: [nginx] OCSP stapling: fixed ssl_stapling_file (ticket #769).
Message-ID:

details: http://hg.nginx.org/nginx/rev/dcae651b2a0c
branches:
changeset: 6205:dcae651b2a0c
user: Maxim Dounin
date: Tue Jul 07 16:38:49 2015 +0300
description:
OCSP stapling: fixed ssl_stapling_file (ticket #769).

Broken by 6893a1007a7c (1.9.2) during introduction of strict OCSP response validity checks. As the stapling file is expected to be returned unconditionally, the fix is to set its validity to the maximum supported time.

Reported by Faidon Liambotis.

diffstat:

src/event/ngx_event_openssl_stapling.c | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diffs (11 lines):

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -245,6 +245,7 @@ ngx_ssl_stapling_file(ngx_conf_t *cf, ng staple->staple.data = buf; staple->staple.len = len; + staple->valid = NGX_MAX_TIME_T_VALUE; return NGX_OK;

From mdounin at mdounin.ru Wed Jul 8 12:30:10 2015
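Review bot: `staple->valid = NGX_MAX_TIME_T_VALUE` means a response loaded via ssl_stapling_file is never treated as expired on the nginx side, which matches the "returned unconditionally" intent but leaves freshness entirely to the operator replacing the file and reloading; a one-line comment at the assignment saying that the file deliberately bypasses the validity check would spare the next reader a trip to this changeset.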
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 8 Jul 2015 15:30:10 +0300
Subject: Missing Mime-Types
In-Reply-To: <20150703114639.GB12675@shadowhunt.de>
References: <20150703114639.GB12675@shadowhunt.de>
Message-ID: <20150708123010.GL1656@mdounin.ru>

Hello!

On Fri, Jul 03, 2015 at 01:46:40PM +0200, Alexander Dreweke wrote:

> Hi
>
> webfonts are often distributed in various formats, so each platform can
> pick their preferred format[1].
>
> Currently mime-types for woff2, ttf and oft fonts are missing[2].
> Further the mime-type for the html5 caching manifest is missing too[3].

We don't try to keep all possible extensions in our mime.types file - rather, we list the most popular file extensions there. If needed, the list can be easily extended locally.

> [1]: https://github.com/choffmeister/roboto-fontface-bower/tree/develop/fonts
> [2]: http://www.iana.org/assignments/media-types/application/font-sfnt
> [3]: http://www.iana.org/assignments/media-types/text/cache-manifest
>
> Please find attached my patch for the default mime.types definitions.
>
> cu
> Alex

> diff --git c/conf/mime.types w/conf/mime.types
> index 89be9a4..a928b71 100644
> --- c/conf/mime.types
> +++ w/conf/mime.types
> @@ -14,6 +14,7 @@ types { > text/vnd.sun.j2me.app-descriptor jad; > text/vnd.wap.wml wml; > text/x-component htc; > + text/cache-manifest appcache manifest;

Both the "appcache" and "manifest" extensions don't seem to be defined by any standard (or at least convention). And the "manifest" extension seems to be widely used for other things.

> > image/png png; > image/tiff tif tiff;
> @@ -25,6 +26,8 @@ types { > image/webp webp; > > application/font-woff woff; > + application/font-woff2 woff2;

As far as I understand, no MIME type is yet registered for WOFF2, and once registered, it's likely to be font/woff2, not application/font-woff2, see the current working draft at http://www.w3.org/TR/WOFF2/.

> + application/font-sfnt ttf oft;

Not sure if we should add anything beyond woff (and woff2 once registered).

> application/java-archive jar war ear; > application/json json; > application/mac-binhex40 hqx;

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Wed Jul 8 14:22:17 2015
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 8 Jul 2015 17:22:17 +0300
Subject: OpenSSL needs `make depend` for certain build options
In-Reply-To:
References:
Message-ID: <20150708142217.GN1656@mdounin.ru>

Hello!

On Sat, Jul 04, 2015 at 12:05:03PM -0700, Kelly Kane wrote:

> # HG changeset patch
> # User Kelly Kane
> # Date 1436031726 25200
> # Sat Jul 04 10:42:06 2015 -0700
> # Node ID ded8ac7d639ef8cf26cb350fa7ef98
> 665fa60019
> # Parent 114d1f8cdcabe5c7552b518c4d7ac0a7e98930c1
> OpenSSL requires `make depend` for some build options.
>
> OpenSSL requires `make depend` for some build options. Blindly call it just
> in case.
>
> diff -r 114d1f8cdcab -r ded8ac7d639e auto/lib/openssl/make
> --- a/auto/lib/openssl/make Thu Jul 02 17:20:29 2015 +0300
> +++ b/auto/lib/openssl/make Sat Jul 04 10:42:06 2015 -0700
> @@ -52,6 +52,7 @@ > cd $OPENSSL \\ > && if [ -f Makefile ]; then \$(MAKE) clean; fi \\ > && ./config --prefix=$ngx_prefix no-shared $OPENSSL_OPT \\ > + && \$(MAKE) depend \\ > && \$(MAKE) \\ > && \$(MAKE) install LIBDIR=lib

Given the fact that "make depend" isn't cheap, completely undocumented and rarely needed - I would rather not. If needed, one can build OpenSSL manually, without using the --with-openssl shortcut.

--
Maxim Dounin
http://nginx.org/

From mdounin at mdounin.ru Wed Jul 8 16:33:32 2015
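Review bot: in the mime.types hunk, `application/font-sfnt ttf oft;` looks like a typo for `otf`, the usual OpenType extension; as written it maps files ending in .oft, which is not a font extension, and leaves .otf without a type, so if the line is kept at all it should read `application/font-sfnt ttf otf;`.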
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Wed, 8 Jul 2015 19:33:32 +0300
Subject: [PATCH] Add support for tcp_user_timeout in http listen directive
In-Reply-To: <20150629225525.GG12581@hexapodia.org>
References: <20150629225525.GG12581@hexapodia.org>
Message-ID: <20150708163332.GP1656@mdounin.ru>

Hello!

On Mon, Jun 29, 2015 at 03:55:25PM -0700, Andy Isaacson wrote:

> # HG changeset patch
> # User Andy Isaacson
> # Date 1435618451 25200
> # Mon Jun 29 15:54:11 2015 -0700
> # Node ID c11304760218324ea55de7250a613af8f13e431b
> # Parent b95e70ae6bcdbae99a967df01e1011839f19ee0e
> Add support for tcp_user_timeout in http listen directive
>
> This commit adds support for a new tcp_user_timeout=
> parameter to the listen directive. When enabled and set to a value
> greater than zero, the TCP_USER_TIMEOUT sockopt is set. From tcp(7):
>
> This specifies the maximum amount of time in milliseconds
> that transmitted data may remain unacknowledged before TCP
> will forcibly close the corresponding connection and return
> ETIMEDOUT to the application.
>
> Without this capability, an HTTP longpoll connection can remain active
> for up to 950 seconds after the last ACK from the client.
>
> Note that the tcp_user_timeout value is specified in (integer) seconds,
> but the setsockopt API is specified in milliseconds.
>
> This capability is similar to the systemwide configuration
> net.ipv4.tcp_retries2 on Linux, but more flexible and per-socket.

It would be a good idea to clarify expected use cases and how it's different from SO_KEEPALIVE / TCP_KEEPCNT / TCP_KEEPIDLE / TCP_KEEPINTVL we already have.

>
> diff -r b95e70ae6bcd -r c11304760218 auto/unix
> --- a/auto/unix Thu Sep 05 16:53:02 2013 +0400
> +++ b/auto/unix Mon Jun 29 15:54:11 2015 -0700
> @@ -330,6 +330,18 @@ > . auto/feature > > > +ngx_feature="TCP_USER_TIMEOUT" > +ngx_feature_name="NGX_HAVE_TCP_USER_TIMEOUT" > +ngx_feature_run=no > +ngx_feature_incs="#include > + #include > + #include " > +ngx_feature_path= > +ngx_feature_libs= > +ngx_feature_test="setsockopt(0, IPPROTO_TCP, TCP_USER_TIMEOUT, NULL, 0)" > +. auto/feature > + > +

Probably putting the test after the TCP_KEEPIDLE test would be more logical.

> ngx_feature="TCP_KEEPIDLE" > ngx_feature_name="NGX_HAVE_KEEPALIVE_TUNABLE" > ngx_feature_run=no
> diff -r b95e70ae6bcd -r c11304760218 src/core/ngx_connection.h
> --- a/src/core/ngx_connection.h Thu Sep 05 16:53:02 2013 +0400
> +++ b/src/core/ngx_connection.h Mon Jun 29 15:54:11 2015 -0700
> @@ -80,6 +80,10 @@ > int setfib; > #endif > > +#if (NGX_HAVE_TCP_USER_TIMEOUT) > + int tcp_user_timeout; > +#endif > + > }; > >
> diff -r b95e70ae6bcd -r c11304760218 src/event/ngx_event_accept.c
> --- a/src/event/ngx_event_accept.c Thu Sep 05 16:53:02 2013 +0400
> +++ b/src/event/ngx_event_accept.c Mon Jun 29 15:54:11 2015 -0700
> @@ -284,6 +284,23 @@ > } > } > > +#if (NGX_HAVE_TCP_USER_TIMEOUT) > +#ifdef TCP_USER_TIMEOUT > + if (ls->tcp_user_timeout) { > + int value = ls->tcp_user_timeout; > + > + if (setsockopt(s, IPPROTO_TCP, TCP_USER_TIMEOUT, &value, > + sizeof(int)) > + == -1) > + { > + ngx_log_error(NGX_LOG_ALERT, log, ngx_socket_errno, > + "setsockopt(TCP_USER_TIMEOUT, %d) for %V failed", > + value, c->addr_text); > + } > + } > +#endif > +#endif > + > #if (NGX_DEBUG) > {

This looks like a very wrong file to put the code. The option should be set on a listening socket instead. Doing an extra syscall on each accept() is clearly a bad idea.

There is no need to check if the TCP_USER_TIMEOUT macro is defined twice. It's already tested by the configure test, and there is no need to test it again.

Please add

[diff]
showfunc = true

to your ~/.hgrc to simplify review.

> diff -r b95e70ae6bcd -r c11304760218 src/http/ngx_http.c
> --- a/src/http/ngx_http.c Thu Sep 05 16:53:02 2013 +0400
> +++ b/src/http/ngx_http.c Mon Jun 29 15:54:11 2015 -0700
> @@ -1800,6 +1800,10 @@ > ls->deferred_accept = addr->opt.deferred_accept; > #endif > > +#if (NGX_HAVE_TCP_USER_TIMEOUT && defined TCP_USER_TIMEOUT) > + ls->tcp_user_timeout = addr->opt.tcp_user_timeout; > +#endif > + > #if (NGX_HAVE_INET6 && defined IPV6_V6ONLY) > ls->ipv6only = addr->opt.ipv6only; > #endif
> diff -r b95e70ae6bcd -r c11304760218 src/http/ngx_http_core_module.c
> --- a/src/http/ngx_http_core_module.c Thu Sep 05 16:53:02 2013 +0400
> +++ b/src/http/ngx_http_core_module.c Mon Jun 29 15:54:11 2015 -0700
> @@ -4085,6 +4085,31 @@ > continue; > } > > + if (ngx_strncmp(value[n].data, "tcp_user_timeout=", 17) == 0) { > +#if (NGX_HAVE_TCP_USER_TIMEOUT && defined TCP_USER_TIMEOUT) > + int timeout_sec = ngx_atoi(value[n].data + 17, value[n].len - 17); > + > + /* > + * convert from seconds (in config file) to milliseconds (for > + * setsockopt) > + */ > + lsopt.tcp_user_timeout = timeout_sec * 1000;

Consider using ngx_parse_time() instead.

> + > + if (lsopt.tcp_user_timeout < 0) { > + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, > + "Invalid tcp_user_timeout \"%V\"",

The message doesn't match the style of other messages.

> + &value[n]); > + return NGX_CONF_ERROR; > + } > +#else > + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, > + "tcp_user_timeout \"%V\" is not supported on "

The "%V" is useless here.

> + "this platform, ignored", > + &value[n]); > +#endif > + continue; > + } > + > if (ngx_strcmp(value[n].data, "deferred") == 0) { > #if (NGX_HAVE_DEFERRED_ACCEPT && defined TCP_DEFER_ACCEPT) > lsopt.deferred_accept = 1;
> diff -r b95e70ae6bcd -r c11304760218 src/http/ngx_http_core_module.h
> --- a/src/http/ngx_http_core_module.h Thu Sep 05 16:53:02 2013 +0400
> +++ b/src/http/ngx_http_core_module.h Mon Jun 29 15:54:11 2015 -0700
> @@ -102,6 +102,10 @@ > ngx_uint_t deferred_accept; > #endif > > +#if (NGX_HAVE_TCP_USER_TIMEOUT && defined TCP_USER_TIMEOUT) > + int tcp_user_timeout; > +#endif > +

The field ordering is type-based here. Consider putting this somewhere after tcp_keepidle instead.

> u_char addr[NGX_SOCKADDR_STRLEN + 1]; > } ngx_http_listen_opt_t; > >

--
Maxim Dounin
http://nginx.org/

From rmind at noxt.eu Thu Jul 9 13:10:48 2015
From: rmind at noxt.eu (Mindaugas Rasiukevicius)
Date: Thu, 9 Jul 2015 14:10:48 +0100
Subject: ngx_ext_rename_file: remove the target file if ngx_copy_file() fails
Message-ID: <20150709141048.f42bc4b73ec7edcd661207c4@noxt.eu>

Hi,

Some background: nginx 1.9.2, used as a cache, can get into the state when it stops evicting the objects and eventually stops caching without being able to recover. This happens when the disk is full. Consider the following nginx.conf fragment:

proxy_cache_path /cache/nginx levels=1:2 keys_zone=c3:4096m max_size=8500g inactive=30d use_temp_path=on;
proxy_temp_path /cache/nginx-tmp 1 2;

The disk is filled because the workers have been fetching the data from the backend faster than the cache manager is able to evict:

$ df -h | grep cache
/dev/sdb1 8.7T 8.7T 16M 100% /cache
tmpfs 2.0G 0 2.0G 0% /cache/nginx-tmp

Since /cache and /cache/nginx-tmp are separate mount points, nginx has to perform a copy instead of a rename. The copy function fails due to ENOSPC, but ngx_ext_rename_file() does not clean up the failed target. At this point, based on ngx_http_file_cache_sh_t::size, the cache manager believes that the 8.5 TB threshold has not been crossed and nginx fails to recover.

Please find the patch attached.

--
Mindaugas

-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: ngx_ext_rename_file.patch
URL:

From baldwinm at amazon.com Thu Jul 9 18:53:12 2015
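Review bot: in the tcp_user_timeout patch above, the ngx_connection.h hunk guards the new field with `#if (NGX_HAVE_TCP_USER_TIMEOUT)` alone, the ngx_event_accept.c hunk nests a second `#ifdef TCP_USER_TIMEOUT` inside it, and the ngx_http.c and ngx_http_core_module.c hunks use `#if (NGX_HAVE_TCP_USER_TIMEOUT && defined TCP_USER_TIMEOUT)`; pick one guard form and use it in every file, otherwise a later edit to one of them can leave the field declared but never set, or set but never declared.

Review bot: in the ngx_http_core_module.c hunk, `timeout_sec * 1000` is evaluated in int, so a configured value above 2147483 seconds overflows (undefined behaviour in C, in practice a wrapped and possibly negative product) before the `< 0` check runs, and that check catches a malformed value only indirectly through the sign of the product rather than by testing what ngx_atoi returned; test the parse result for NGX_ERROR first, then bound the seconds before multiplying. The `#else` branch also logs at NGX_LOG_EMERG yet says "ignored" and continues; a warning level matches what the code actually does.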
From: baldwinm at amazon.com (Baldwin, Matthew)
Date: Thu, 9 Jul 2015 18:53:12 +0000
Subject: Prevent dereferencing NULL pointer when OCSP body contains no nextUpdate element
Message-ID:

Hi!

If nextUpdate is NULL when processing an OCSP response, nginx will core with SIGSEGV in ngx_ssl_stapling_time when calling ASN1_GENERALIZEDTIME_print.

The following patch against nginx-1.9.2 prevents this:

diff -rupN a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c 2015-06-16 14:49:43.000000000 +0000
+++ b/src/event/ngx_event_openssl_stapling.c 2015-07-09 17:16:24.337289920 +0000
@@ -636,6 +636,12 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc goto error; } + if (nextupdate == NULL) { + ngx_log_error(NGX_LOG_ERR, ctx->log, 0, + "NULL nextUpdate time in certificate status"); + goto error; + } + valid = ngx_ssl_stapling_time(nextupdate); if (valid == (time_t) NGX_ERROR) { ngx_log_error(NGX_LOG_ERR, ctx->log, 0,

From piotr at cloudflare.com Fri Jul 10 22:09:58 2015
From: piotr at cloudflare.com (Piotr Sikora)
Date: Fri, 10 Jul 2015 15:09:58 -0700
Subject: [PATCH] Cache: re-fetch responses cached with invalid HTTP header
Message-ID: <596ce484f8b5519df880.1436566198@Piotrs-MacBook-Pro.local>

# HG changeset patch
# User Piotr Sikora
# Date 1436566103 25200
# Fri Jul 10 15:08:23 2015 -0700
# Node ID 596ce484f8b5519df8803754f093e37b26806699
# Parent dcae651b2a0cbd3de2f1fd5cf5b8c72627db94fd
Cache: re-fetch responses cached with invalid HTTP header.

Previously, such responses would be read into the buffer, fail, then nginx would connect to the upstream to fetch a new response, but that response would be read into the same buffer, after the invalid response, leading to a persistent failure state.

This patch resets the buffer, so that the new response can be used.

Signed-off-by: Piotr Sikora

diff -r dcae651b2a0c -r 596ce484f8b5 src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c Tue Jul 07 16:38:49 2015 +0300
+++ b/src/http/ngx_http_upstream.c Fri Jul 10 15:08:23 2015 -0700
@@ -843,6 +843,20 @@ return rc; } + u->cache_status = NGX_HTTP_CACHE_MISS; + + /* fall through */ + + case NGX_DECLINED: + + if ((size_t) (u->buffer.end - u->buffer.start) < u->conf->buffer_size) { + u->buffer.start = NULL; + + } else { + u->buffer.pos = u->buffer.start + c->header_start; + u->buffer.last = u->buffer.pos; + } + break; case NGX_HTTP_CACHE_STALE:
@@ -853,18 +867,6 @@ break; - case NGX_DECLINED: - - if ((size_t) (u->buffer.end - u->buffer.start) < u->conf->buffer_size) { - u->buffer.start = NULL; - - } else { - u->buffer.pos = u->buffer.start + c->header_start; - u->buffer.last = u->buffer.pos; - } - - break; - case NGX_HTTP_CACHE_SCARCE: u->cacheable = 0;

From klnusbaum at gmail.com Sun Jul 12 15:51:36 2015
From: klnusbaum at gmail.com (Kurtis Nusbaum)
Date: Sun, 12 Jul 2015 08:51:36 -0700
Subject: [PATCH] Extract out version info function
Message-ID: <8d31439f186889335c5f.1436716296@Bender.local>

# HG changeset patch
# User Kurtis Nusbaum
# Date 1436715098 25200
# Sun Jul 12 08:31:38 2015 -0700
# Node ID 8d31439f186889335c5fd6d14be70c55e5b99fbc
# Parent dcae651b2a0cbd3de2f1fd5cf5b8c72627db94fd
Extract out version info function

The code for displaying version info and configuration info seemed to be cluttering up the main function. I was finding it hard to read main. This extracts out all of the logic for displaying version and configuration info into its own function, thus making main easier to read.

diff -r dcae651b2a0c -r 8d31439f1868 src/core/nginx.c
--- a/src/core/nginx.c Tue Jul 07 16:38:49 2015 +0300
+++ b/src/core/nginx.c Sun Jul 12 08:31:38 2015 -0700
@@ -9,7 +9,7 @@ #include #include - +static void ngx_display_version_info(); static ngx_int_t ngx_add_inherited_sockets(ngx_cycle_t *cycle); static ngx_int_t ngx_get_options(int argc, char *const *argv); static ngx_int_t ngx_process_options(ngx_cycle_t *cycle);
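Review bot: `static void ngx_display_version_info();` in the declaration hunk is an old-style declaration with an unspecified parameter list, not a prototype; in C a function that takes no arguments should be declared and defined as `ngx_display_version_info(void)`, which also lets the compiler reject an accidental call with arguments.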
@@ -194,68 +194,11 @@ } if (ngx_show_version) { - ngx_write_stderr("nginx version: " NGINX_VER_BUILD NGX_LINEFEED); + ngx_display_version_info(); + } - if (ngx_show_help) { - ngx_write_stderr( - "Usage: nginx [-?hvVtTq] [-s signal] [-c filename] " - "[-p prefix] [-g directives]" NGX_LINEFEED - NGX_LINEFEED - "Options:" NGX_LINEFEED - " -?,-h : this help" NGX_LINEFEED - " -v : show version and exit" NGX_LINEFEED - " -V : show version and configure options then exit" - NGX_LINEFEED - " -t : test configuration and exit" NGX_LINEFEED - " -T : test configuration, dump it and exit" - NGX_LINEFEED - " -q : suppress non-error messages " - "during configuration testing" NGX_LINEFEED - " -s signal : send signal to a master process: " - "stop, quit, reopen, reload" NGX_LINEFEED -#ifdef NGX_PREFIX - " -p prefix : set prefix path (default: " - NGX_PREFIX ")" NGX_LINEFEED -#else - " -p prefix : set prefix path (default: NONE)" NGX_LINEFEED -#endif - " -c filename : set configuration file (default: " - NGX_CONF_PATH ")" NGX_LINEFEED - " -g directives : set global directives out of configuration " - "file" NGX_LINEFEED NGX_LINEFEED - ); - } - - if (ngx_show_configure) { - -#ifdef NGX_COMPILER - ngx_write_stderr("built by " NGX_COMPILER NGX_LINEFEED); -#endif - -#if (NGX_SSL) - if (SSLeay() == SSLEAY_VERSION_NUMBER) { - ngx_write_stderr("built with " OPENSSL_VERSION_TEXT - NGX_LINEFEED); - } else { - ngx_write_stderr("built with " OPENSSL_VERSION_TEXT - " (running with "); - ngx_write_stderr((char *) (uintptr_t) - SSLeay_version(SSLEAY_VERSION)); - ngx_write_stderr(")" NGX_LINEFEED); - } -#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - ngx_write_stderr("TLS SNI support enabled" NGX_LINEFEED); -#else - ngx_write_stderr("TLS SNI support disabled" NGX_LINEFEED); -#endif -#endif - - ngx_write_stderr("configure arguments:" NGX_CONFIGURE NGX_LINEFEED); - } - - if (!ngx_test_config) { - return 0; - } + if (ngx_show_version && !ngx_test_config) { + return 0; } /* TODO */ ngx_max_sockets = -1; 
@@ -418,6 +361,68 @@ return 0; } +static void +ngx_display_version_info() +{ + ngx_write_stderr("nginx version: " NGINX_VER_BUILD NGX_LINEFEED); + + if (ngx_show_help) { + ngx_write_stderr( + "Usage: nginx [-?hvVtTq] [-s signal] [-c filename] " + "[-p prefix] [-g directives]" NGX_LINEFEED + NGX_LINEFEED + "Options:" NGX_LINEFEED + " -?,-h : this help" NGX_LINEFEED + " -v : show version and exit" NGX_LINEFEED + " -V : show version and configure options then exit" + NGX_LINEFEED + " -t : test configuration and exit" NGX_LINEFEED + " -T : test configuration, dump it and exit" + NGX_LINEFEED + " -q : suppress non-error messages " + "during configuration testing" NGX_LINEFEED + " -s signal : send signal to a master process: " + "stop, quit, reopen, reload" NGX_LINEFEED +#ifdef NGX_PREFIX + " -p prefix : set prefix path (default: " + NGX_PREFIX ")" NGX_LINEFEED +#else + " -p prefix : set prefix path (default: NONE)" NGX_LINEFEED +#endif + " -c filename : set configuration file (default: " + NGX_CONF_PATH ")" NGX_LINEFEED + " -g directives : set global directives out of configuration " + "file" NGX_LINEFEED NGX_LINEFEED + ); + } + + if (ngx_show_configure) { + +#ifdef NGX_COMPILER + ngx_write_stderr("built by " NGX_COMPILER NGX_LINEFEED); +#endif + +#if (NGX_SSL) + if (SSLeay() == SSLEAY_VERSION_NUMBER) { + ngx_write_stderr("built with " OPENSSL_VERSION_TEXT + NGX_LINEFEED); + } else { + ngx_write_stderr("built with " OPENSSL_VERSION_TEXT + " (running with "); + ngx_write_stderr((char *) (uintptr_t) + SSLeay_version(SSLEAY_VERSION)); + ngx_write_stderr(")" NGX_LINEFEED); + } +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME + ngx_write_stderr("TLS SNI support enabled" NGX_LINEFEED); +#else + ngx_write_stderr("TLS SNI support disabled" NGX_LINEFEED); +#endif +#endif + + ngx_write_stderr("configure arguments:" NGX_CONFIGURE NGX_LINEFEED); + } +} static ngx_int_t ngx_add_inherited_sockets(ngx_cycle_t *cycle) From mdounin at mdounin.ru Mon Jul 13 17:35:11 2015 
From: mdounin at mdounin.ru (Maxim Dounin)
Date: Mon, 13 Jul 2015 20:35:11 +0300
Subject: Prevent dereferencing NULL pointer when OCSP body contains no nextUpdate element
In-Reply-To:
References:
Message-ID: <20150713173511.GH93501@mdounin.ru>

Hello!

On Thu, Jul 09, 2015 at 06:53:12PM +0000, Baldwin, Matthew wrote:

> Hi!
>
> If nextUpdate is NULL when processing an OCSP response, nginx
> will core with SIGSEGV in ngx_ssl_stapling_time when calling
> ASN1_GENERALIZEDTIME_print
>
> The following patch against nginx-1.9.2 prevents this:

Thanks for the report. It looks like at least RFC 6960 allows OCSP responses without nextUpdate, so I would suggest something like this to handle such responses instead:

# HG changeset patch
# User Maxim Dounin
# Date 1436808659 -10800
# Mon Jul 13 20:30:59 2015 +0300
# Node ID 92b6f9dd1e7a66a5b34987b9e637450b4a3d8f37
# Parent dcae651b2a0cbd3de2f1fd5cf5b8c72627db94fd
OCSP stapling: fixed segfault without nextUpdate.

OCSP responses may not contain nextUpdate. As per RFC 6960, this means that nextUpdate checks should be bypassed. Handle this gracefully by using NGX_MAX_TIME_T_VALUE as "valid" in such a case.

The problem was introduced by 6893a1007a7c (1.9.2).

Reported by Matthew Baldwin.

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -637,11 +637,16 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc goto error; } - valid = ngx_ssl_stapling_time(nextupdate); - if (valid == (time_t) NGX_ERROR) { - ngx_log_error(NGX_LOG_ERR, ctx->log, 0, - "invalid nextUpdate time in certificate status"); - goto error; + if (nextupdate) { + valid = ngx_ssl_stapling_time(nextupdate); + if (valid == (time_t) NGX_ERROR) { + ngx_log_error(NGX_LOG_ERR, ctx->log, 0, + "invalid nextUpdate time in certificate status"); + goto error; + } + + } else { + valid = NGX_MAX_TIME_T_VALUE; } OCSP_CERTID_free(id); -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Jul 13 17:58:40 2015 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 13 Jul 2015 20:58:40 +0300 Subject: [PATCH] Extract out version info function In-Reply-To: <8d31439f186889335c5f.1436716296@Bender.local> References: <8d31439f186889335c5f.1436716296@Bender.local> Message-ID: <20150713175840.GI93501@mdounin.ru> Hello! On Sun, Jul 12, 2015 at 08:51:36AM -0700, Kurtis Nusbaum wrote: In general I agree with the change, please see below for some nitpicking. > # HG changeset patch > # User Kurtis Nusbaum > # Date 1436715098 25200 > # Sun Jul 12 08:31:38 2015 -0700 > # Node ID 8d31439f186889335c5fd6d14be70c55e5b99fbc > # Parent dcae651b2a0cbd3de2f1fd5cf5b8c72627db94fd > Extract out version info function Trailing dot, please. > > The code for displaying version info and configuration info seemed to be cluttering up the > main function. I was finding it hard to read main. This extracts out all of the logic > for displaying version and configuration info into its own function, thus making > main easier to read. No more than 80 chars, please. > > diff -r dcae651b2a0c -r 8d31439f1868 src/core/nginx.c > --- a/src/core/nginx.c Tue Jul 07 16:38:49 2015 +0300 > +++ b/src/core/nginx.c Sun Jul 12 08:31:38 2015 -0700 
> @@ -9,7 +9,7 @@ > #include > #include > > - > +static void ngx_display_version_info(); > static ngx_int_t ngx_add_inherited_sockets(ngx_cycle_t *cycle); > static ngx_int_t ngx_get_options(int argc, char *const *argv); > static ngx_int_t ngx_process_options(ngx_cycle_t *cycle); Two empty strings are intentional, see http://nginx.org/en/docs/contributing_changes.html. The "ngx_show_version_info()" name will probably be a bit better, as it's more in line with the "ngx_show_version" name used for the corresponding variable. 
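Review bot: the new prototype `static void ngx_display_version_info();` declares a function with an unspecified parameter list, not an empty one; in C that is an old-style declaration that switches off argument checking at call sites. Write it as `static void ngx_display_version_info(void);` (and the same on the definition in the last hunk), which is in line with the fully typed declarations directly below it in this hunk.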
> @@ -194,68 +194,11 @@ > } > > if (ngx_show_version) { > - ngx_write_stderr("nginx version: " NGINX_VER_BUILD NGX_LINEFEED); > + ngx_display_version_info(); > + } > > - if (ngx_show_help) { > - ngx_write_stderr( > - "Usage: nginx [-?hvVtTq] [-s signal] [-c filename] " > - "[-p prefix] [-g directives]" NGX_LINEFEED > - NGX_LINEFEED > - "Options:" NGX_LINEFEED > - " -?,-h : this help" NGX_LINEFEED > - " -v : show version and exit" NGX_LINEFEED > - " -V : show version and configure options then exit" > - NGX_LINEFEED > - " -t : test configuration and exit" NGX_LINEFEED > - " -T : test configuration, dump it and exit" > - NGX_LINEFEED > - " -q : suppress non-error messages " > - "during configuration testing" NGX_LINEFEED > - " -s signal : send signal to a master process: " > - "stop, quit, reopen, reload" NGX_LINEFEED > -#ifdef NGX_PREFIX > - " -p prefix : set prefix path (default: " > - NGX_PREFIX ")" NGX_LINEFEED > -#else > - " -p prefix : set prefix path (default: NONE)" NGX_LINEFEED > -#endif > - " -c filename : set configuration file (default: " > - NGX_CONF_PATH ")" NGX_LINEFEED > - " -g directives : set global directives out of configuration " > - "file" NGX_LINEFEED NGX_LINEFEED > - ); > - } > - > - if (ngx_show_configure) { > - > -#ifdef NGX_COMPILER > - ngx_write_stderr("built by " NGX_COMPILER NGX_LINEFEED); > -#endif > - > -#if (NGX_SSL) > - if (SSLeay() == SSLEAY_VERSION_NUMBER) { > - ngx_write_stderr("built with " OPENSSL_VERSION_TEXT > - NGX_LINEFEED); > - } else { > - ngx_write_stderr("built with " OPENSSL_VERSION_TEXT > - " (running with "); > - ngx_write_stderr((char *) (uintptr_t) > - SSLeay_version(SSLEAY_VERSION)); > - ngx_write_stderr(")" NGX_LINEFEED); > - } > -#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME > - ngx_write_stderr("TLS SNI support enabled" NGX_LINEFEED); > -#else > - ngx_write_stderr("TLS SNI support disabled" NGX_LINEFEED); > -#endif > -#endif > - > - ngx_write_stderr("configure arguments:" NGX_CONFIGURE NGX_LINEFEED); > - } > - > - if 
(!ngx_test_config) { > - return 0; > - } > + if (ngx_show_version && !ngx_test_config) { > + return 0; > } I think that separate if() here isn't a good move, it would be better to keep it the "if (!ngx_test_config)" test inside "if (ngx_show_version)". > > /* TODO */ ngx_max_sockets = -1; 
> @@ -418,6 +361,68 @@ > return 0; > } > > +static void > +ngx_display_version_info() There should be two empty lines between functions. > +{ > + ngx_write_stderr("nginx version: " NGINX_VER_BUILD NGX_LINEFEED); > + > + if (ngx_show_help) { > + ngx_write_stderr( > + "Usage: nginx [-?hvVtTq] [-s signal] [-c filename] " > + "[-p prefix] [-g directives]" NGX_LINEFEED > + NGX_LINEFEED > + "Options:" NGX_LINEFEED > + " -?,-h : this help" NGX_LINEFEED > + " -v : show version and exit" NGX_LINEFEED > + " -V : show version and configure options then exit" > + NGX_LINEFEED > + " -t : test configuration and exit" NGX_LINEFEED > + " -T : test configuration, dump it and exit" > + NGX_LINEFEED > + " -q : suppress non-error messages " > + "during configuration testing" NGX_LINEFEED > + " -s signal : send signal to a master process: " > + "stop, quit, reopen, reload" NGX_LINEFEED > +#ifdef NGX_PREFIX > + " -p prefix : set prefix path (default: " > + NGX_PREFIX ")" NGX_LINEFEED > +#else > + " -p prefix : set prefix path (default: NONE)" NGX_LINEFEED > +#endif > + " -c filename : set configuration file (default: " > + NGX_CONF_PATH ")" NGX_LINEFEED > + " -g directives : set global directives out of configuration " > + "file" NGX_LINEFEED NGX_LINEFEED > + ); > + } > + > + if (ngx_show_configure) { > + > +#ifdef NGX_COMPILER > + ngx_write_stderr("built by " NGX_COMPILER NGX_LINEFEED); > +#endif > + > +#if (NGX_SSL) > + if (SSLeay() == SSLEAY_VERSION_NUMBER) { > + ngx_write_stderr("built with " OPENSSL_VERSION_TEXT > + NGX_LINEFEED); > + } else { > + ngx_write_stderr("built with " OPENSSL_VERSION_TEXT > + " (running with "); > + ngx_write_stderr((char *) (uintptr_t) > + SSLeay_version(SSLEAY_VERSION)); > + ngx_write_stderr(")" NGX_LINEFEED); > + } > +#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME > + ngx_write_stderr("TLS SNI support enabled" NGX_LINEFEED); > +#else > + ngx_write_stderr("TLS SNI support disabled" NGX_LINEFEED); > +#endif > +#endif > + > + ngx_write_stderr("configure arguments:" 
NGX_CONFIGURE NGX_LINEFEED); > + } Some of the lines above need to be adjusted to the new indentation, in some cases line wrapping is no longer needed. > +} > > static ngx_int_t > ngx_add_inherited_sockets(ngx_cycle_t *cycle) Again, two empty lines. -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Jul 13 18:25:42 2015 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 13 Jul 2015 21:25:42 +0300 Subject: [PATCH] Core: add $nginx_build variable In-Reply-To: <3bbe405ecafcec573957.1435117022@Piotrs-MacBook-Pro.local> References: <3bbe405ecafcec573957.1435117022@Piotrs-MacBook-Pro.local> Message-ID: <20150713182542.GK93501@mdounin.ru> Hello! On Tue, Jun 23, 2015 at 08:37:02PM -0700, Piotr Sikora wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1435116970 25200 > # Tue Jun 23 20:36:10 2015 -0700 > # Node ID 3bbe405ecafcec573957a5afd9f2a75be19d52f0 > # Parent 24488e6db782e24b9a30ba31f0b719204e582918 > Core: add $nginx_build variable. Do you think it needs to be added? What's the expected use case? The NGX_BUILD macro was introduced for "nginx -V" output, to make it easier to identify particular builds by name instead of looking into configure arguments. Not sure how you expect it to be usable as a variable. (Me and arut@ are currently in SF. Please drop me a note if you'd like to drink some beer with us.) -- Maxim Dounin http://nginx.org/ From baldwinm at amazon.com Mon Jul 13 19:19:39 2015 From: baldwinm at amazon.com (Baldwin, Matthew) Date: Mon, 13 Jul 2015 19:19:39 +0000 Subject: Prevent derefencing NULL pointer when OCSP body contains no nextUpdate element In-Reply-To: <20150713173511.GH93501@mdounin.ru> References: <20150713173511.GH93501@mdounin.ru> Message-ID: <1e5dd229aaf5487ea7319ede94fb0a79@EX13D07UWB004.ant.amazon.com> Hi! Thanks, I think that makes sense. Matthew -----Original Message-----
From: nginx-devel [mailto:nginx-devel-bounces at nginx.org] On Behalf Of Maxim Dounin Sent: Monday, July 13, 2015 10:35 AM To: nginx-devel at nginx.org Subject: Re: Prevent derefencing NULL pointer when OCSP body contains no nextUpdate element Hello! On Thu, Jul 09, 2015 at 06:53:12PM +0000, Baldwin, Matthew wrote: > Hi! > > If nextUpdate is NULL when processing an OCSP response, nginx will > core with SIGSEGV in ngx_ssl_stapling_time when calling > ASN1_GENERALIZEDTIME_print > > The following patch against nginx-1.9.2 prevents this: Thanks for the report. It looks like at least RFC 6960 allows OCSP responses without nextUpdate, so I would suggest something like this to handle such responses instead: # HG changeset patch # User Maxim Dounin # Date 1436808659 -10800 # Mon Jul 13 20:30:59 2015 +0300 # Node ID 92b6f9dd1e7a66a5b34987b9e637450b4a3d8f37 # Parent dcae651b2a0cbd3de2f1fd5cf5b8c72627db94fd OCSP stapling: fixed segfault without nextUpdate. OCSP responses may not contain nextUpdate. As per RFC 6960, this means that nextUpdate checks should be bypassed. Handle this gracefully by using NGX_MAX_TIME_T_VALUE as "valid" in such a case. The problem was introduced by 6893a1007a7c (1.9.2). Reported by Matthew Baldwin. diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c --- a/src/event/ngx_event_openssl_stapling.c +++ b/src/event/ngx_event_openssl_stapling.c 
@@ -637,11 +637,16 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc goto error; } - valid = ngx_ssl_stapling_time(nextupdate); - if (valid == (time_t) NGX_ERROR) { - ngx_log_error(NGX_LOG_ERR, ctx->log, 0, - "invalid nextUpdate time in certificate status"); - goto error; + if (nextupdate) { + valid = ngx_ssl_stapling_time(nextupdate); + if (valid == (time_t) NGX_ERROR) { + ngx_log_error(NGX_LOG_ERR, ctx->log, 0, + "invalid nextUpdate time in certificate status"); + goto error; + } + + } else { + valid = NGX_MAX_TIME_T_VALUE; } OCSP_CERTID_free(id); -- Maxim Dounin http://nginx.org/ _______________________________________________ nginx-devel mailing list nginx-devel at nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel From mdounin at mdounin.ru Mon Jul 13 20:10:55 2015 From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 13 Jul 2015 23:10:55 +0300 Subject: [PATCH] Cache: re-fetch responses cached with invalid HTTP header In-Reply-To: <596ce484f8b5519df880.1436566198@Piotrs-MacBook-Pro.local> References: <596ce484f8b5519df880.1436566198@Piotrs-MacBook-Pro.local> Message-ID: <20150713201055.GL93501@mdounin.ru> Hello! On Fri, Jul 10, 2015 at 03:09:58PM -0700, Piotr Sikora wrote: > # HG changeset patch > # User Piotr Sikora > # Date 1436566103 25200 > # Fri Jul 10 15:08:23 2015 -0700 > # Node ID 596ce484f8b5519df8803754f093e37b26806699 > # Parent dcae651b2a0cbd3de2f1fd5cf5b8c72627db94fd > Cache: re-fetch responses cached with invalid HTTP header. > > Previously, such responses would be read into the buffer, fail, > then nginx would connect to the upstream to fetch new response, > but that response would be read into the same buffer, after the > invalid response, leading to a persistent failure state. > > This patch resets buffer, so that the new response can be used. > > Signed-off-by: Piotr Sikora > > diff -r dcae651b2a0c -r 596ce484f8b5 src/http/ngx_http_upstream.c > --- a/src/http/ngx_http_upstream.c Tue Jul 07 16:38:49 2015 +0300 
> +++ b/src/http/ngx_http_upstream.c Fri Jul 10 15:08:23 2015 -0700 > @@ -843,6 +843,20 @@ > return rc; > } > > + u->cache_status = NGX_HTTP_CACHE_MISS; > + > + /* fall through */ > + > + case NGX_DECLINED: > + > + if ((size_t) (u->buffer.end - u->buffer.start) < u->conf->buffer_size) { > + u->buffer.start = NULL; > + > + } else { > + u->buffer.pos = u->buffer.start + c->header_start; > + u->buffer.last = u->buffer.pos; > + } > + > break; > > case NGX_HTTP_CACHE_STALE: This change doesn't look sufficient to properly handle the problem. At least I see duplicate headers in a first response when the code is triggered: $ curl -i http://127.0.0.1:8080/ HTTP/1.1 200 OK Server: nginx/1.9.3 Date: Mon, 13 Jul 2015 20:03:10 GMT Content-Type: text/html Content-Length: 1047 Connection: keep-alive Last-Modified: Mon, 13 Feb 2012 01:20:52 GMT ETag: "4f386574-417" Last-Modified: Mon, 13 Feb 2012 01:20:52 GMT ETag: "4f386574-417" Accept-Ranges: bytes I haven't dug into details, but likely it's because headers from a cached invalid response were already pushed to r->headers_out. It might be a better idea to actually implement what's already marked as TODO in ngx_http_upstream_cache_send(). /* TODO: delete file */ -- Maxim Dounin http://nginx.org/ From mdounin at mdounin.ru Mon Jul 13 23:04:15 2015
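Review bot: the `case NGX_DECLINED:` branch rewinds only the buffer (either `u->buffer.start = NULL` or `pos`/`last` back to `start + c->header_start`) and leaves whatever header state was built while parsing the invalid cached response in place, which is consistent with the doubled `Last-Modified`/`ETag` lines in the curl output above: the headers of the re-fetched upstream response are appended to the ones already recorded from the broken cache file. A reset for re-fetch has to cover that parsed-header state as well as the buffer, and the change should come with a test that caches a response with a malformed header line and checks both that the second request succeeds and that the header set is not duplicated.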
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 13 Jul 2015 23:04:15 +0000 Subject: [nginx] OCSP stapling: fixed segfault without nextUpdate. Message-ID: details: http://hg.nginx.org/nginx/rev/595b179e429f branches: changeset: 6206:595b179e429f user: Maxim Dounin date: Tue Jul 14 01:10:25 2015 +0300 description: OCSP stapling: fixed segfault without nextUpdate. OCSP responses may contain no nextUpdate. As per RFC 6960, this means that nextUpdate checks should be bypassed. Handle this gracefully by using NGX_MAX_TIME_T_VALUE as "valid" in such a case. The problem was introduced by 6893a1007a7c (1.9.2). Reported by Matthew Baldwin. diffstat: src/event/ngx_event_openssl_stapling.c | 15 ++++++++++----- 1 files changed, 10 insertions(+), 5 deletions(-) diffs (25 lines): diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c --- a/src/event/ngx_event_openssl_stapling.c +++ b/src/event/ngx_event_openssl_stapling.c @@ -637,11 +637,16 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc goto error; } - valid = ngx_ssl_stapling_time(nextupdate); - if (valid == (time_t) NGX_ERROR) { - ngx_log_error(NGX_LOG_ERR, ctx->log, 0, - "invalid nextUpdate time in certificate status"); - goto error; + if (nextupdate) { + valid = ngx_ssl_stapling_time(nextupdate); + if (valid == (time_t) NGX_ERROR) { + ngx_log_error(NGX_LOG_ERR, ctx->log, 0, + "invalid nextUpdate time in certificate status"); + goto error; + } + + } else { + valid = NGX_MAX_TIME_T_VALUE; } OCSP_CERTID_free(id); From mdounin at mdounin.ru Tue Jul 14 07:16:21 2015 
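Review bot: `valid = NGX_MAX_TIME_T_VALUE` lets a response without nextUpdate pass the validity check, but it also means `valid` can no longer drive any refresh of the stapled response: RFC 6960, which the message cites, says a missing nextUpdate indicates that newer status information is available at any time. Confirm that the stapling refresh interval is bounded independently of `valid` (otherwise such a response would be stapled until the worker is reloaded), and a debug log line in the new `else` branch would make this case visible when diagnosing stapling problems.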
From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 14 Jul 2015 07:16:21 +0000 Subject: [nginx] Updated OpenSSL used for win32 builds. Message-ID: details: http://hg.nginx.org/nginx/rev/8bd97db72074 branches: changeset: 6207:8bd97db72074 user: Maxim Dounin date: Tue Jul 14 10:13:51 2015 +0300 description: Updated OpenSSL used for win32 builds. diffstat: misc/GNUmakefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/misc/GNUmakefile b/misc/GNUmakefile --- a/misc/GNUmakefile +++ b/misc/GNUmakefile @@ -5,7 +5,7 @@ NGINX = nginx-$(VER) TEMP = tmp OBJS = objs.msvc8 -OPENSSL = openssl-1.0.1o +OPENSSL = openssl-1.0.1p ZLIB = zlib-1.2.8 PCRE = pcre-8.35 From arut at nginx.com Tue Jul 14 16:40:17 2015 From: arut at nginx.com (Roman Arutyunyan) Date: Tue, 14 Jul 2015 16:40:17 +0000 Subject: [nginx] Stream: renamed rate limiting directives. Message-ID: details: http://hg.nginx.org/nginx/rev/7a14a0d754ad branches: changeset: 6208:7a14a0d754ad user: Roman Arutyunyan date: Tue Jul 14 09:38:13 2015 -0700 description: Stream: renamed rate limiting directives. The directive proxy_downstream_limit_rate is now called proxy_upload_rate. The directive proxy_upstream_limit_rate is now called proxy_download_rate. diffstat: src/stream/ngx_stream_proxy_module.c | 28 ++++++++++++++-------------- 1 files changed, 14 insertions(+), 14 deletions(-) diffs (91 lines): diff -r 8bd97db72074 -r 7a14a0d754ad src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Tue Jul 14 10:13:51 2015 +0300 +++ b/src/stream/ngx_stream_proxy_module.c Tue Jul 14 09:38:13 2015 -0700 @@ -18,9 +18,9 @@ typedef struct { ngx_msec_t timeout; ngx_msec_t next_upstream_timeout; size_t downstream_buf_size; - size_t downstream_limit_rate; + size_t upload_rate; size_t upstream_buf_size; - size_t upstream_limit_rate; + size_t download_rate; ngx_uint_t next_upstream_tries; ngx_flag_t next_upstream; ngx_flag_t proxy_protocol; 
@@ -134,11 +134,11 @@ static ngx_command_t ngx_stream_proxy_c offsetof(ngx_stream_proxy_srv_conf_t, downstream_buf_size), NULL }, - { ngx_string("proxy_downstream_limit_rate"), + { ngx_string("proxy_upload_rate"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_size_slot, NGX_STREAM_SRV_CONF_OFFSET, - offsetof(ngx_stream_proxy_srv_conf_t, downstream_limit_rate), + offsetof(ngx_stream_proxy_srv_conf_t, upload_rate), NULL }, { ngx_string("proxy_upstream_buffer"), @@ -148,11 +148,11 @@ static ngx_command_t ngx_stream_proxy_c offsetof(ngx_stream_proxy_srv_conf_t, upstream_buf_size), NULL }, - { ngx_string("proxy_upstream_limit_rate"), + { ngx_string("proxy_download_rate"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_size_slot, NGX_STREAM_SRV_CONF_OFFSET, - offsetof(ngx_stream_proxy_srv_conf_t, upstream_limit_rate), + offsetof(ngx_stream_proxy_srv_conf_t, download_rate), NULL }, { ngx_string("proxy_next_upstream"), @@ -1010,14 +1010,14 @@ ngx_stream_proxy_process(ngx_stream_sess src = pc; dst = c; b = &u->upstream_buf; - limit_rate = pscf->upstream_limit_rate; + limit_rate = pscf->download_rate; received = &u->received; } else { src = c; dst = pc; b = &u->downstream_buf; - limit_rate = pscf->downstream_limit_rate; + limit_rate = pscf->upload_rate; received = &s->received; } @@ -1296,9 +1296,9 @@ ngx_stream_proxy_create_srv_conf(ngx_con conf->timeout = NGX_CONF_UNSET_MSEC; conf->next_upstream_timeout = NGX_CONF_UNSET_MSEC; conf->downstream_buf_size = NGX_CONF_UNSET_SIZE; - conf->downstream_limit_rate = NGX_CONF_UNSET_SIZE; + conf->upload_rate = NGX_CONF_UNSET_SIZE; conf->upstream_buf_size = NGX_CONF_UNSET_SIZE; - conf->upstream_limit_rate = NGX_CONF_UNSET_SIZE; + conf->download_rate = NGX_CONF_UNSET_SIZE; conf->next_upstream_tries = NGX_CONF_UNSET_UINT; conf->next_upstream = NGX_CONF_UNSET; conf->proxy_protocol = NGX_CONF_UNSET; 
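Review bot: after the rename the srv_conf struct mixes two naming schemes (`downstream_buf_size`/`upstream_buf_size` next to `upload_rate`/`download_rate`), and in the @@ -1010 hunk `b = &u->upstream_buf` is now paired with `pscf->download_rate` while `&u->downstream_buf` goes with `pscf->upload_rate`. The pairing is correct (data read from the upstream is the client's download), but a one-line comment at that site saying so, or renaming the buffers to match the directives, would save the next reader a double take.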
@@ -1335,14 +1335,14 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf ngx_conf_merge_size_value(conf->downstream_buf_size, prev->downstream_buf_size, 16384); - ngx_conf_merge_size_value(conf->downstream_limit_rate, - prev->downstream_limit_rate, 0); + ngx_conf_merge_size_value(conf->upload_rate, + prev->upload_rate, 0); ngx_conf_merge_size_value(conf->upstream_buf_size, prev->upstream_buf_size, 16384); - ngx_conf_merge_size_value(conf->upstream_limit_rate, - prev->upstream_limit_rate, 0); + ngx_conf_merge_size_value(conf->download_rate, + prev->download_rate, 0); ngx_conf_merge_uint_value(conf->next_upstream_tries, prev->next_upstream_tries, 0); From mdounin at mdounin.ru Tue Jul 14 16:44:46 2015 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 14 Jul 2015 16:44:46 +0000 Subject: [nginx] Updated PCRE used for win32 builds. Message-ID: details: http://hg.nginx.org/nginx/rev/eb20c490ac19 branches: changeset: 6209:eb20c490ac19 user: Maxim Dounin date: Tue Jul 14 19:44:19 2015 +0300 description: Updated PCRE used for win32 builds. diffstat: misc/GNUmakefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/misc/GNUmakefile b/misc/GNUmakefile --- a/misc/GNUmakefile +++ b/misc/GNUmakefile @@ -7,7 +7,7 @@ TEMP = tmp OBJS = objs.msvc8 OPENSSL = openssl-1.0.1p ZLIB = zlib-1.2.8 -PCRE = pcre-8.35 +PCRE = pcre-8.37 release: export From mdounin at mdounin.ru Tue Jul 14 17:00:54 2015 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 14 Jul 2015 17:00:54 +0000 Subject: [nginx] nginx-1.9.3-RELEASE Message-ID: details: http://hg.nginx.org/nginx/rev/e27a21560129 branches: changeset: 6210:e27a21560129 user: Maxim Dounin date: Tue Jul 14 19:46:05 2015 +0300 description: nginx-1.9.3-RELEASE diffstat: docs/xml/nginx/changes.xml | 91 ++++++++++++++++++++++++++++++++++++++++++++++ 1 files changed, 91 insertions(+), 0 deletions(-) diffs (101 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml 
--- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -5,6 +5,97 @@ + + + + +????????????? ????? http, mail ? stream ?????? ?????????. + + +duplicate "http", "mail", and "stream" blocks are now disallowed. + + + + + +??????????? ?????????? ?????????? ? ?????? stream. + + +connection limiting in the stream module. + + + + + +??????????? ???????? ? ?????? stream. + + +data rate limiting in the stream module. + + + + + +????????? zone ? ????? upstream ?? ???????? ?? Windows. + + +the "zone" directive inside the "upstream" block did not work on Windows. + + + + + +????????????? ? LibreSSL ? ?????? stream.
+??????? Piotr Sikora. +
+ +compatibility with LibreSSL in the stream module.
+Thanks to Piotr Sikora. +
+
+ + + +? ????????? --builddir ? configure.
+??????? Piotr Sikora. +
+ +in the "--builddir" configure parameter.
+Thanks to Piotr Sikora. +
+
+ + + +????????? ssl_stapling_file ?? ????????; +?????? ????????? ? 1.9.2.
+??????? Faidon Liambotis ? Brandon Black. +
+ +the "ssl_stapling_file" directive did not work; +the bug had appeared in 1.9.2.
+Thanks to Faidon Liambotis and Brandon Black. +
+
+ + + +??? ????????????? ????????? ssl_stapling +? ??????? ???????? ??? ????????? segmentation fault; +?????? ????????? ? 1.9.2.
+??????? Matthew Baldwin. +
+ +a segmentation fault might occur in a worker process +if the "ssl_stapling" directive was used; +the bug had appeared in 1.9.2.
+Thanks to Matthew Baldwin. +
+
+ +
+ + From mdounin at mdounin.ru Tue Jul 14 17:00:57 2015 From: mdounin at mdounin.ru (Maxim Dounin) Date: Tue, 14 Jul 2015 17:00:57 +0000 Subject: [nginx] release-1.9.3 tag Message-ID: details: http://hg.nginx.org/nginx/rev/37305b7ba48b branches: changeset: 6211:37305b7ba48b user: Maxim Dounin date: Tue Jul 14 19:46:05 2015 +0300 description: release-1.9.3 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -385,3 +385,4 @@ 3ef00a71f56420a9c3e9cec311c9a2109a015d67 53d850fe292f157d2fb999c52788ec1dc53c91ed release-1.9.0 884a967c369f73ab16ea859670d690fb094d3850 release-1.9.1 3a32d6e7404a79a0973bcd8d0b83181c5bf66074 release-1.9.2 +e27a215601292872f545a733859e06d01af1017d release-1.9.3 From nmav at redhat.com Wed Jul 15 06:21:25 2015 
From: nmav at redhat.com (Nikos Mavrogiannopoulos) Date: Wed, 15 Jul 2015 08:21:25 +0200 Subject: enhanced pkcs11 patch [was: patch to allow loading PKCS #11 URLs] In-Reply-To: <1434721788.3290.23.camel@redhat.com> References: <1434721788.3290.23.camel@redhat.com> Message-ID: <1436941285.10255.9.camel@redhat.com> On Fri, 2015-06-19 at 15:49 +0200, Nikos Mavrogiannopoulos wrote: > Hello, > The attached patch allows loading PKCS #11 URLs in the > ssl_certificate_key. The attached patch set enhances that support by allowing PKCS #11 URLs in the certificate field as well. As it is now nginx can work with arbitrary hardware security modules using libp11 and engine_pkcs11 from their git repositories. That allows both certificate and key directives to be used with PKCS #11 objects as: ssl_certificate "pkcs11:model=..." ssl_certificate_key "pkcs11:model=" (that simplifies loading of certificates which are stored inside the module). regards, Nikos -------------- next part -------------- A non-text attachment was scrubbed... Name: pkcs11.patch Type: text/x-patch Size: 8808 bytes Desc: not available URL: From mdounin at mdounin.ru Wed Jul 15 20:04:36 2015 From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 15 Jul 2015 20:04:36 +0000 Subject: [nginx] Version bump. Message-ID: details: http://hg.nginx.org/nginx/rev/b2325f839c5f branches: changeset: 6212:b2325f839c5f user: Maxim Dounin date: Wed Jul 15 22:56:03 2015 +0300 description: Version bump. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff --git a/src/core/nginx.h b/src/core/nginx.h --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1009003 -#define NGINX_VERSION "1.9.3" +#define nginx_version 1009004 +#define NGINX_VERSION "1.9.4" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD From mdounin at mdounin.ru Wed Jul 15 20:04:38 2015 
From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 15 Jul 2015 20:04:38 +0000 Subject: [nginx] Modify changes doc to acknowledge Lu is from Intel Message-ID: details: http://hg.nginx.org/nginx/rev/7cad953621d4 branches: changeset: 6213:7cad953621d4 user: Andrew Hutchings date: Wed Jul 15 20:43:41 2015 +0100 description: Modify changes doc to acknowledge Lu is from Intel diffstat: docs/xml/nginx/changes.xml | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (17 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -202,11 +202,11 @@ some long deprecated directives are not ???????? reuseport ????????? listen.
-??????? Sepherosa Ziehau ? Yingqi Lu. +??????? Yingqi Lu ?? Intel ? Sepherosa Ziehau.
the "reuseport" parameter of the "listen" directive.
-Thanks to Sepherosa Ziehau and Yingqi Lu. +Thanks to Yingqi Lu at Intel and Sepherosa Ziehau.
From sabithksme at gmail.com Wed Jul 15 23:17:50 2015 From: sabithksme at gmail.com (sabith ks) Date: Wed, 15 Jul 2015 23:17:50 +0000 Subject: newrelic binding support in nginx Message-ID: Hi Team, Has anyone explored binding to newrelic from nginx ? We are using nginx as the server on cloudfoundry, where we don't have "sudo" permissions to install nr-agent ? This is my first time post to mailing list, please let me know in case further details are required from my side. --Thanks Sabith sabithksme at gmail.com -- Thanks Sabith 408.896.6261 Mail sent from portable device, excuse for any typos From defan at nginx.com Thu Jul 16 06:57:04 2015 From: defan at nginx.com (Andrei Belov) Date: Thu, 16 Jul 2015 09:57:04 +0300 Subject: newrelic binding support in nginx In-Reply-To: References: Message-ID: Hello Sabith, could you please direct this question to the newrelic-support at nginx.com email? I've just added your email to the whitelist. Thanks! PS: this mailing list is for nginx development related questions only. > On 16 Jul 2015, at 02:17, sabith ks wrote: > > Hi Team, > > Has anyone explored binding to newrelic from nginx ? > > We are using nginx as the server on cloudfoundry, where we don't have "sudo" permissions to install nr-agent ? > > This is my first time post to mailing list, please let me know in case further details are required from my side. > > > --Thanks > Sabith > sabithksme at gmail.com > -- > Thanks > Sabith > 408.896.6261 > Mail sent from portable device, excuse for any typos _______________________________________________ > nginx-devel mailing list > nginx-devel at nginx.org > http://mailman.nginx.org/mailman/listinfo/nginx-devel From acacio.centeno at azion.com Thu Jul 16 22:07:28 2015
From: acacio.centeno at azion.com (Acácio Centeno) Date: Thu, 16 Jul 2015 19:07:28 -0300 Subject: Newbie: Shmem constructor not being called after reload Message-ID:

Hello,

On Emiller's guide to Nginx [1] it's stated that the shared memory constructor would receive a previously allocated data pointer as a second parameter upon a restart, so the constructor could reuse this area and avoid losing the data. I've searched the forum archives using [2] and found the thread [3], which stated this behavior too.

I've written a module that creates a shared memory area on a command initialization (a location configuration) and the constructor is properly called when Nginx starts. The area is created and I can use it effectively. But when I issue a "nginx -s reload", the constructor is not called at all, and I lose the data that was previously in the shared memory.

I'm wondering what I'm doing wrong. Is it because I'm calling ngx_shared_memory_add on a location configuration? This is what I'm doing:

static ngx_command_t ngx_http_mod_tutorial_commands[] = {
    { ngx_string("tutorial"),
      NGX_HTTP_LOC_CONF | NGX_CONF_NOARGS,
      ngx_http_mod_tutorial_enable,
      0,
      0,
      NULL },
    ...

static char *
ngx_http_mod_tutorial_enable(ngx_conf_t *cf, ngx_command_t *cmd, void *_)
{
    ...
    conf->shm_zone = ngx_shared_memory_add(
        cf, shm_name, 2 * ngx_pagesize, &ngx_http_mod_tutorial_module);
    if (!conf->shm_zone) {
        ngx_conf_log_error(NGX_LOG_ERR, cf, 0, "Could not create shm.");
        return NGX_CONF_ERROR;
    }
    conf->shm_zone->init = ngx_http_mod_tutorial_init_shm_zone;
    ...

static ngx_int_t
ngx_http_mod_tutorial_init_shm_zone(ngx_shm_zone_t *shm_zone, void *data)
{
    ...
    fprintf(stderr, "SHM_ZONE %p\n", data);
    if (data) {
        shm_zone->data = data;
        return NGX_OK;
    }
    ...

The message to stderr is printed when Nginx starts, but not after a reload, that's why I know that the constructor is not being called again. Also, I have a counter on the shared area and its value is reset after a reload.

Any thoughts?
[1] http://www.evanmiller.org/nginx-modules-guide-advanced.html#shm [2] http://forum.nginx.org/search.php?29,search=shared+memory,author=,page=1,match_type=ALL,match_dates=0,match_forum=29,match_threads=0 [3] http://forum.nginx.org/read.php?29,229836,229836#msg-229836 Best regards, Acácio Centeno Software Engineering Azion Technologies Porto Alegre, Brasil +55 51 3012 3005 | +55 51 8118 9947 Miami, USA +1 305 704 8816 Any information in this e-mail and attachments may be confidential and privileged, protected by legal confidentiality. The use of this document requires authorization by the issuer, subject to penalties. From mdounin at mdounin.ru Thu Jul 16 22:31:44 2015 From: mdounin at mdounin.ru (Maxim Dounin) Date: Fri, 17 Jul 2015 01:31:44 +0300 Subject: Newbie: Shmem constructor not being called after reload In-Reply-To: References: Message-ID: <20150716223144.GX93501@mdounin.ru> Hello! On Thu, Jul 16, 2015 at 07:07:28PM -0300, Acácio Centeno wrote: [...] > The message to stderr is printed when Nginx starts, but not after a reload, > that's why I know that the constructor is not being called again. Also, I > have a counter on the shared area and its value is reset after a reload. > > Any thoughts? First of all, you need some other method for debugging, or a way to make sure that stderr is not closed in your particular setup. Normally nginx closes stderr while becoming a daemon, so it's expected that printing to stderr won't work. Normally one should use ngx_log_error() and/or ngx_log_debugN() to print log and/or debug messages. -- Maxim Dounin http://nginx.org/ From ru at nginx.com Mon Jul 20 12:24:16 2015
From: ru at nginx.com (Ruslan Ermilov) Date: Mon, 20 Jul 2015 12:24:16 +0000 Subject: [nginx] Fixed strict aliasing warnings with old GCC versions. Message-ID: details: http://hg.nginx.org/nginx/rev/341e4303d25b branches: changeset: 6214:341e4303d25b user: Ruslan Ermilov date: Thu Jul 16 14:20:48 2015 +0300 description: Fixed strict aliasing warnings with old GCC versions. diffstat: src/http/modules/ngx_http_upstream_zone_module.c | 2 +- src/stream/ngx_stream_upstream_zone_module.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diffs (24 lines): diff -r 7cad953621d4 -r 341e4303d25b src/http/modules/ngx_http_upstream_zone_module.c --- a/src/http/modules/ngx_http_upstream_zone_module.c Wed Jul 15 20:43:41 2015 +0100 +++ b/src/http/modules/ngx_http_upstream_zone_module.c Thu Jul 16 14:20:48 2015 +0300 @@ -159,7 +159,7 @@ ngx_http_upstream_init_zone(ngx_shm_zone /* copy peers to shared memory */ - peersp = (ngx_http_upstream_rr_peers_t **) &shpool->data; + peersp = (ngx_http_upstream_rr_peers_t **) (void *) &shpool->data; for (i = 0; i < umcf->upstreams.nelts; i++) { uscf = uscfp[i]; diff -r 7cad953621d4 -r 341e4303d25b src/stream/ngx_stream_upstream_zone_module.c --- a/src/stream/ngx_stream_upstream_zone_module.c Wed Jul 15 20:43:41 2015 +0100 +++ b/src/stream/ngx_stream_upstream_zone_module.c Thu Jul 16 14:20:48 2015 +0300 @@ -155,7 +155,7 @@ ngx_stream_upstream_init_zone(ngx_shm_zo /* copy peers to shared memory */ - peersp = (ngx_stream_upstream_rr_peers_t **) &shpool->data; + peersp = (ngx_stream_upstream_rr_peers_t **) (void *) &shpool->data; for (i = 0; i < umcf->upstreams.nelts; i++) { uscf = uscfp[i]; From ondrej.novy at firma.seznam.cz Mon Jul 20 16:12:31 2015 
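Review bot: the added `(void *)` in `(ngx_http_upstream_rr_peers_t **) (void *) &shpool->data` only suppresses the warning; any later store through `peersp` still writes an `ngx_http_upstream_rr_peers_t *` into the `void *` member `shpool->data` through an lvalue of a different pointer type, which is exactly what the strict-aliasing rule is about. It works on the platforms nginx supports because all object pointers share one representation there, so a short comment above the assignment stating that this is an intentional type pun and why it is safe would stop the next compiler upgrade from raising the same question; the identical change in `ngx_stream_upstream_zone_module.c` should carry the same comment.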
From: ondrej.novy at firma.seznam.cz (ondrej.novy at firma.seznam.cz) Date: Mon, 20 Jul 2015 18:12:31 +0200 (CEST) Subject: [PATCH] geoip_check_cache option Message-ID: <20150720161231.8F2B51D779@hypnos.ondrej.org> # HG changeset patch # User Ondrej Novy # Date 1435152464 -7200 # Wed Jun 24 15:27:44 2015 +0200 # Node ID 4c77bf00ab889d1b120892ec8b707f4717941791 # Parent 24488e6db782e24b9a30ba31f0b719204e582918 geoip_check_cache option. Allow to enable GEOIP_CHECK_CACHE option in GeoIP lib. When enabled this lib checks for changes of DB every second and reload it if needed. diff -r 24488e6db782 -r 4c77bf00ab88 contrib/vim/syntax/nginx.vim --- a/contrib/vim/syntax/nginx.vim Tue Jun 23 20:17:48 2015 +0300 +++ b/contrib/vim/syntax/nginx.vim Wed Jun 24 15:27:44 2015 +0200 @@ -167,6 +167,7 @@ syn keyword ngxDirective geoip_org syn keyword ngxDirective geoip_proxy syn keyword ngxDirective geoip_proxy_recursive +syn keyword ngxDirective geoip_check_cache syn keyword ngxDirective google_perftools_profiles syn keyword ngxDirective gunzip syn keyword ngxDirective gunzip_buffers diff -r 24488e6db782 -r 4c77bf00ab88 src/http/modules/ngx_http_geoip_module.c --- a/src/http/modules/ngx_http_geoip_module.c Tue Jun 23 20:17:48 2015 +0300 +++ b/src/http/modules/ngx_http_geoip_module.c Wed Jun 24 15:27:44 2015 +0200 @@ -24,6 +24,7 @@ GeoIP *city; ngx_array_t *proxies; /* array of ngx_cidr_t */ ngx_flag_t proxy_recursive; + ngx_flag_t check_cache; #if (NGX_HAVE_GEOIP_V6) unsigned country_v6:1; unsigned org_v6:1; @@ -131,6 +132,13 @@ offsetof(ngx_http_geoip_conf_t, proxy_recursive), NULL }, + { ngx_string("geoip_check_cache"), + NGX_HTTP_MAIN_CONF|NGX_CONF_FLAG, + ngx_conf_set_flag_slot, + NGX_HTTP_MAIN_CONF_OFFSET, + offsetof(ngx_http_geoip_conf_t, check_cache), + NULL }, + ngx_null_command }; @@ -649,6 +657,7 @@ } conf->proxy_recursive = NGX_CONF_UNSET; + conf->check_cache = NGX_CONF_UNSET; cln = ngx_pool_cleanup_add(cf->pool, 0); if (cln == NULL) { 
@@ -668,6 +677,7 @@ ngx_http_geoip_conf_t *gcf = conf; ngx_conf_init_value(gcf->proxy_recursive, 0); + ngx_conf_init_value(gcf->check_cache, 0); return NGX_CONF_OK; } @@ -686,7 +696,8 @@ value = cf->args->elts; - gcf->country = GeoIP_open((char *) value[1].data, GEOIP_MEMORY_CACHE); + gcf->country = GeoIP_open((char *) value[1].data, GEOIP_MEMORY_CACHE | + gcf->check_cache ? GEOIP_CHECK_CACHE : 0); if (gcf->country == NULL) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, @@ -741,7 +752,8 @@ value = cf->args->elts; - gcf->org = GeoIP_open((char *) value[1].data, GEOIP_MEMORY_CACHE); + gcf->org = GeoIP_open((char *) value[1].data, GEOIP_MEMORY_CACHE | + gcf->check_cache ? GEOIP_CHECK_CACHE : 0); if (gcf->org == NULL) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, @@ -802,7 +814,8 @@ value = cf->args->elts; - gcf->city = GeoIP_open((char *) value[1].data, GEOIP_MEMORY_CACHE); + gcf->city = GeoIP_open((char *) value[1].data, GEOIP_MEMORY_CACHE | + gcf->check_cache ? GEOIP_CHECK_CACHE : 0); if (gcf->city == NULL) { ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, From vbart at nginx.com Mon Jul 20 16:44:40 2015 
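Review bot: the three `GeoIP_open()` hunks (country, org, city) have an operator-precedence bug. `|` binds tighter than `?:`, so `GEOIP_MEMORY_CACHE | gcf->check_cache ? GEOIP_CHECK_CACHE : 0` parses as `(GEOIP_MEMORY_CACHE | gcf->check_cache) ? GEOIP_CHECK_CACHE : 0`; `GEOIP_MEMORY_CACHE` is a non-zero flag, so the condition is always true and the flags actually passed are `GEOIP_CHECK_CACHE` alone, dropping the memory cache in every configuration. Parenthesize the conditional: `GEOIP_MEMORY_CACHE | (gcf->check_cache ? GEOIP_CHECK_CACHE : 0)`.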
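Review bot: `gcf->check_cache` is read inside the `geoip_country`, `geoip_org` and `geoip_city` directive handlers, i.e. while the configuration is still being parsed, but the `ngx_conf_init_value(gcf->check_cache, 0)` added to the merge handler only runs after parsing. Unless `geoip_check_cache` appears before those directives in nginx.conf, the handlers see the initial `NGX_CONF_UNSET` value, which is non-zero and therefore truthy in the conditional, so the option would silently be on by default and off only when the directive comes first. Either test the flag explicitly in the handlers (`gcf->check_cache == 1`) or document the ordering requirement in the description and the directive documentation.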
From: vbart at nginx.com (Valentin V. Bartenev) Date: Mon, 20 Jul 2015 19:44:40 +0300 Subject: [PATCH] geoip_check_cache option In-Reply-To: <20150720161231.8F2B51D779@hypnos.ondrej.org> References: <20150720161231.8F2B51D779@hypnos.ondrej.org> Message-ID: <71873564.RdCM3GkVOP@vbart-workstation>

On Monday 20 July 2015 18:12:31 ondrej.novy at firma.seznam.cz wrote:
> # HG changeset patch
> # User Ondrej Novy
> # Date 1435152464 -7200
> # Wed Jun 24 15:27:44 2015 +0200
> # Node ID 4c77bf00ab889d1b120892ec8b707f4717941791
> # Parent 24488e6db782e24b9a30ba31f0b719204e582918
> geoip_check_cache option.
>
> Allow to enable GEOIP_CHECK_CACHE option in GeoIP lib. When enabled
> this lib checks for changes of DB every second and reload it if needed.
> [..]

Why do you need this option? What problem are you trying to solve?

wbr, Valentin V. Bartenev

From Ondrej.Novy at firma.seznam.cz Mon Jul 20 17:42:10 2015
From: Ondrej.Novy at firma.seznam.cz (Novy, Ondrej) Date: Mon, 20 Jul 2015 17:42:10 +0000 Subject: [PATCH] geoip_check_cache option In-Reply-To: <71873564.RdCM3GkVOP@vbart-workstation> References: <20150720161231.8F2B51D779@hypnos.ondrej.org> <71873564.RdCM3GkVOP@vbart-workstation> Message-ID:

On 20. 7. 2015 at 18:44, Valentin V. Bartenev wrote:
> Why do you need this option? What problem are you trying to solve?

I want to reload GeoIP database every time it's changed, without signaling or restarting nginx.

Ondřej Nový
Development Team Lead
gsm: +420 777 963 207
Ondrej.Novy at firma.seznam.cz
http://www.seznam.cz/
Seznam.cz, a.s., Business park - Londýnské nám. 856/2, 639 00 Brno

From vbart at nginx.com Tue Jul 21 13:13:36 2015
From: vbart at nginx.com (Valentin V. Bartenev) Date: Tue, 21 Jul 2015 16:13:36 +0300 Subject: [PATCH] geoip_check_cache option In-Reply-To: References: <20150720161231.8F2B51D779@hypnos.ondrej.org> <71873564.RdCM3GkVOP@vbart-workstation> Message-ID: <2630790.UhOCK8EoKB@vbart-workstation>

On Monday 20 July 2015 17:42:10 Novy, Ondrej wrote:
>
> On 20. 7. 2015 at 18:44, Valentin V. Bartenev wrote:
> Why do you need this option? What problem are you trying to solve?
>
> I want to reload GeoIP database every time it's changed, without signaling or restarting nginx.
> [..]

What's the problem with signaling nginx to reload configuration?

I'm asking because you're suggesting a patch that adds another configuration option which potentially can affect performance. So you should have a good explanation why you cannot use configuration reload for updating GeoIP database.

wbr, Valentin V. Bartenev

From Ondrej.Novy at firma.seznam.cz Tue Jul 21 13:23:32 2015
From: Ondrej.Novy at firma.seznam.cz (Novy, Ondrej) Date: Tue, 21 Jul 2015 13:23:32 +0000 Subject: [PATCH] geoip_check_cache option In-Reply-To: <2630790.UhOCK8EoKB@vbart-workstation> References: <20150720161231.8F2B51D779@hypnos.ondrej.org> <71873564.RdCM3GkVOP@vbart-workstation> <2630790.UhOCK8EoKB@vbart-workstation> Message-ID: <730ED656-EFC0-49B5-AA18-928075E739EA@firma.seznam.cz>

Hi,

On 21. 7. 2015 at 15:13, Valentin V. Bartenev wrote:
> What's the problem with signaling nginx to reload configuration?

It's a use-case problem for us. We have a geoip-data (deb) package, which contains the GeoIP database. This package is universal, and doesn't know the usage of the contained database. It's not logical to do an nginx reload in the post-install script of this package, because it's a general package. Auto reload of the database is a better solution in this situation.

> I'm asking because you're suggesting a patch that adds another configuration option which potentially can affect performance.

That's true. But shouldn't this decision be the admin's? If it's an option in the GeoIP lib, why not allow using it in nginx?

Ondřej Nový

From rmind at noxt.eu Tue Jul 21 22:05:50 2015
From: rmind at noxt.eu (Mindaugas Rasiukevicius) Date: Tue, 21 Jul 2015 23:05:50 +0100 Subject: ngx_ext_rename_file: remove the target file if ngx_copy_file() fails In-Reply-To: <20150709141048.f42bc4b73ec7edcd661207c4@noxt.eu> References: <20150709141048.f42bc4b73ec7edcd661207c4@noxt.eu> Message-ID: <20150721230550.221978201e6e57d0768b35d7@noxt.eu>

Hi,

I have seen this did not get into the 1.9.3 release. Any chance of including the patch in 1.9.4?

Thanks.

Mindaugas Rasiukevicius wrote:
> ...
>
> Please find the patch attached.
>

-- Mindaugas

From bartw at xs4all.nl Wed Jul 22 04:53:13 2015
From: bartw at xs4all.nl (Bart Warmerdam) Date: Wed, 22 Jul 2015 06:53:13 +0200 Subject: Empty host header on http 1.1 results in invalid host header logging in error.log Message-ID:

Hello,

Why does nginx log an info message like

...client sent invalid host header while reading client request headers... request: "GET /keepalive.html HTTP/1.1", host: ""

if the host header is empty? According to the http 1.1 specification it is legal to send an empty host header, so it should not log this message since the header is not invalid. So the request contains the host header but without a value. The call also results in a 400 instead of a 2xx or 3xx response.

Regards, B.

curl -v -H "Host: " http://someserver/keepalive.html
* Trying xx.xx.xx.xx...
* Connected to someserver (xx.xx.xx.xx) port 80 (#0)
> GET /keepalive.html HTTP/1.1
> Host:
> User-Agent: curl/7.43.0
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< Date: Wed, 22 Jul 2015 04:50:51 GMT
< Content-Type: text/html
< Content-Length: 1214
< Connection: close
< ETag: "55ae9a88-4be"
<

From mdounin at mdounin.ru Wed Jul 22 18:18:34 2015
From: mdounin at mdounin.ru (Maxim Dounin) Date: Wed, 22 Jul 2015 21:18:34 +0300 Subject: Empty host header on http 1.1 results in invalid host header logging in error.log In-Reply-To: References: Message-ID: <20150722181834.GC1500@mdounin.ru>

Hello!

On Wed, Jul 22, 2015 at 06:53:13AM +0200, Bart Warmerdam wrote:

> Why does nginx log an info message like ...client sent invalid host
> header while reading client request headers... request: "GET /keepalive.html
> HTTP/1.1", host: ""
> if the host header is empty? According to the http 1.1 specification it is
> legal to send an empty host header, so it should not log this message since
> the header is not invalid. So the request contains the host header but
> without a value. The call also results in a 400 instead of a 2xx or 3xx
> response.

Empty host names are illegal as per RFC 2616 and RFC 2396 it uses to define URIs.

http://tools.ietf.org/html/rfc2616#section-14.23:

Host = "Host" ":" host [ ":" port ] ; Section 3.2.2

http://tools.ietf.org/html/rfc2396#section-3.2.2:

host = hostname | IPv4address
hostname = *( domainlabel "." ) toplabel [ "." ]
domainlabel = alphanum | alphanum *( alphanum | "-" ) alphanum
toplabel = alpha | alpha *( alphanum | "-" ) alphanum
IPv4address = 1*digit "." 1*digit "." 1*digit "." 1*digit

Empty host names are only allowed as per newer RFC 3986. This is not something nginx was adapted to allow though. Maybe it should.

-- Maxim Dounin http://nginx.org/

From ascanio.alba7 at gmail.com Sat Jul 25 16:20:25 2015
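The grammar quoted in the reply above, turned into code as an added example (not nginx code, and not part of the thread): a small C validator for a Host header value under the RFC 2616 / RFC 2396 rules, which rejects the empty value from the question and, like that grammar, knows no IPv6 literal form. The sample values at the bottom are constructed.

```c
/* Added example, not nginx code: validate a Host header value against the
 * RFC 2616 / RFC 2396 grammar quoted above (port = *digit per RFC 2396).
 * Like that grammar it rejects an empty host, the case from the question,
 * and has no IPv6 literal form (that came later with RFC 2732/3986). */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Length of the label at p[0..n), or 0 if it is not one.  A label starts
 * with alphanum (alpha for a toplabel), continues with alphanum or "-",
 * and must not end with "-". */
static size_t label_len(const char *p, size_t n, int toplabel)
{
    size_t i;

    if (n == 0 || !isalnum((unsigned char) p[0])) return 0;
    if (toplabel && !isalpha((unsigned char) p[0])) return 0;

    for (i = 1; i < n && (isalnum((unsigned char) p[i]) || p[i] == '-'); i++) { }

    return (p[i - 1] == '-') ? 0 : i;
}

/* hostname = *( domainlabel "." ) toplabel [ "." ] */
static int is_hostname(const char *p, size_t n)
{
    size_t i, end, len;

    if (n > 0 && p[n - 1] == '.') n--;      /* optional trailing dot */
    if (n == 0) return 0;

    for (i = 0; ; i = end + 1) {
        for (end = i; end < n && p[end] != '.'; end++) { }

        len = label_len(p + i, end - i, end == n);
        if (len == 0 || len != end - i) return 0;  /* bad or partial label */
        if (end == n) return 1;                    /* toplabel consumed */
    }
}

/* IPv4address = 1*digit "." 1*digit "." 1*digit "." 1*digit
 * (RFC 2396 puts no bound on digits per run, so none is enforced here) */
static int is_ipv4address(const char *p, size_t n)
{
    size_t i = 0, run, dots = 0;

    for (;;) {
        for (run = 0; i < n && isdigit((unsigned char) p[i]); i++) run++;
        if (run == 0) return 0;
        if (i == n) return dots == 3;
        if (p[i] != '.') return 0;
        i++;
        dots++;
    }
}

/* Host = host [ ":" port ]; returns 1 for a valid value, 0 otherwise. */
int host_header_is_valid(const char *value)
{
    size_t n = strlen(value), hlen;
    const char *colon = memchr(value, ':', n), *q;

    hlen = colon ? (size_t) (colon - value) : n;

    for (q = colon ? colon + 1 : value + n; *q; q++) {
        if (!isdigit((unsigned char) *q)) return 0;   /* port = *digit */
    }

    if (hlen == 0) return 0;  /* empty host: nginx's "invalid host header" */

    return is_hostname(value, hlen) || is_ipv4address(value, hlen);
}

int main(void)
{
    /* constructed sample values, including the empty one from the curl run */
    static const char *samples[] =
        { "", "example.com", "192.0.2.10", "example.com:8080", "[::1]" };
    size_t k;

    for (k = 0; k < sizeof(samples) / sizeof(samples[0]); k++) {
        printf("\"%s\" -> %s\n", samples[k],
               host_header_is_valid(samples[k]) ? "valid" : "invalid");
    }

    return 0;
}
```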
From: ascanio.alba7 at gmail.com (Anthony Alba) Date: Sun, 26 Jul 2015 00:20:25 +0800 Subject: OpenSSL PKCS#11 Engine cannot be reused in child process, worker SSL sessions fail Message-ID:

Hi developers,

I am using nginx with an OpenSSL engine (Safenet Luna) which is a wrapper over PKCS#11.

The handles returned by ENGINE_load_private_key cannot be used in child processes, aka workers, due to PKCS#11, thus causing SSL connection errors.

The private key seems to be loaded in ngx_ssl_certificate(); is there a way to tell nginx to call this function per child process?

Thanks

From mdounin at mdounin.ru Sun Jul 26 19:25:24 2015
From: mdounin at mdounin.ru (Maxim Dounin) Date: Sun, 26 Jul 2015 22:25:24 +0300 Subject: OpenSSL PKCS#11 Engine cannot be reused in child process, worker SSL sessions fail In-Reply-To: References: Message-ID: <20150726192523.GF19190@mdounin.ru>

Hello!

On Sun, Jul 26, 2015 at 12:20:25AM +0800, Anthony Alba wrote:

> Hi developers,
>
> I am using nginx with an OpenSSL engine (Safenet Luna) which is a
> wrapper over PKCS#11.
>
> The handles returned by ENGINE_load_private_key cannot be used in child
> processes, aka workers, due to PKCS#11, thus causing SSL connection
> errors.
>
> The private key seems to be loaded in ngx_ssl_certificate(); is there
> a way to tell nginx to call this function per child process?

That's not something nginx is expected to do. It's the engine responsibility to properly handle fork() calls. This was already discussed in this list at least twice.

-- Maxim Dounin http://nginx.org/

From burik666 at gmail.com Mon Jul 27 14:14:39 2015
From: burik666 at gmail.com (Andrey Burov) Date: Mon, 27 Jul 2015 17:14:39 +0300 Subject: [PATCH] auth_request: add support 407 response Message-ID: <45362796f681e0d10781.1438006479@burik-work> # HG changeset patch # User Andrey Burov # Date 1438003704 -10800 # Mon Jul 27 16:28:24 2015 +0300 # Node ID 45362796f681e0d107810ba20781a859e6c03cf5 # Parent 341e4303d25be159d4773b819d0ec055ba711afb auth_request: add support 407 response Receive "Proxy-Authenticate" header for the 407 response from subrequest. diff -r 341e4303d25b -r 45362796f681 src/http/modules/ngx_http_auth_request_module.c --- a/src/http/modules/ngx_http_auth_request_module.c Thu Jul 16 14:20:48 2015 +0300 +++ b/src/http/modules/ngx_http_auth_request_module.c Mon Jul 27 16:28:24 2015 +0300 @@ -161,6 +161,29 @@ return ctx->status; } + if (ctx->status == NGX_HTTP_PROXY_UNAUTHORIZED) { + sr = ctx->subrequest; + + h = sr->headers_out.proxy_authenticate; + + if (!h && sr->upstream) { + h = sr->upstream->headers_in.proxy_authenticate; + } + + if (h) { + ho = ngx_list_push(&r->headers_out.headers); + if (ho == NULL) { + return NGX_ERROR; + } + + *ho = *h; + + r->headers_out.proxy_authenticate = ho; + } + + return ctx->status; + } + if (ctx->status >= NGX_HTTP_OK && ctx->status < NGX_HTTP_SPECIAL_RESPONSE) { diff -r 341e4303d25b -r 45362796f681 src/http/ngx_http_request.h --- a/src/http/ngx_http_request.h Thu Jul 16 14:20:48 2015 +0300 +++ b/src/http/ngx_http_request.h Mon Jul 27 16:28:24 2015 +0300 @@ -86,6 +86,7 @@ #define NGX_HTTP_FORBIDDEN 403 #define NGX_HTTP_NOT_FOUND 404 #define NGX_HTTP_NOT_ALLOWED 405 +#define NGX_HTTP_PROXY_UNAUTHORIZED 407 #define NGX_HTTP_REQUEST_TIME_OUT 408 #define NGX_HTTP_CONFLICT 409 #define NGX_HTTP_LENGTH_REQUIRED 411 
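Review bot: the new `NGX_HTTP_PROXY_UNAUTHORIZED` block in `ngx_http_auth_request_module.c` repeats the existing 401 handling line for line with only the header field changed (`proxy_authenticate` instead of `www_authenticate`). Rather than a second copy of the subrequest/upstream lookup and the `ngx_list_push` sequence, pick the `h` pointer based on `ctx->status` and share one copy path, so the two branches cannot drift apart later. The description should also say in which deployment a 407 is expected from the auth backend, because a client receiving 407 from what it sees as an origin server will treat it as a proxy challenge, not as a login prompt.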
@@ -256,6 +257,7 @@ ngx_table_elt_t *content_range; ngx_table_elt_t *accept_ranges; ngx_table_elt_t *www_authenticate; + ngx_table_elt_t *proxy_authenticate; ngx_table_elt_t *expires; ngx_table_elt_t *etag; diff -r 341e4303d25b -r 45362796f681 src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c Thu Jul 16 14:20:48 2015 +0300 +++ b/src/http/ngx_http_upstream.c Mon Jul 27 16:28:24 2015 +0300 @@ -216,6 +216,11 @@ offsetof(ngx_http_upstream_headers_in_t, www_authenticate), ngx_http_upstream_copy_header_line, 0, 0 }, + { ngx_string("Proxy-Authenticate"), + ngx_http_upstream_process_header_line, + offsetof(ngx_http_upstream_headers_in_t, proxy_authenticate), + ngx_http_upstream_copy_header_line, 0, 0 }, + { ngx_string("Location"), ngx_http_upstream_process_header_line, offsetof(ngx_http_upstream_headers_in_t, location), diff -r 341e4303d25b -r 45362796f681 src/http/ngx_http_upstream.h --- a/src/http/ngx_http_upstream.h Thu Jul 16 14:20:48 2015 +0300 +++ b/src/http/ngx_http_upstream.h Mon Jul 27 16:28:24 2015 +0300 @@ -256,6 +256,7 @@ ngx_table_elt_t *location; ngx_table_elt_t *accept_ranges; ngx_table_elt_t *www_authenticate; + ngx_table_elt_t *proxy_authenticate; ngx_table_elt_t *transfer_encoding; ngx_table_elt_t *vary; From mdounin at mdounin.ru Mon Jul 27 17:38:03 2015 
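Review bot: the `ngx_http_upstream.c` and `ngx_http_upstream.h` hunks register `Proxy-Authenticate` in `ngx_http_upstream_headers_in` with `ngx_http_upstream_process_header_line` and `ngx_http_upstream_copy_header_line`, which affects every proxied response, not only auth_request subrequests: the field is now parsed into `headers_in.proxy_authenticate` on each upstream reply. That is probably harmless, but the description only mentions the auth_request case; state the wider effect, and add a test that a 407 with `Proxy-Authenticate` from a plain `proxy_pass` upstream still reaches the client as before.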
From: mdounin at mdounin.ru (Maxim Dounin) Date: Mon, 27 Jul 2015 20:38:03 +0300 Subject: [PATCH] auth_request: add support 407 response In-Reply-To: <45362796f681e0d10781.1438006479@burik-work> References: <45362796f681e0d10781.1438006479@burik-work> Message-ID: <20150727173803.GM19190@mdounin.ru>

Hello!

On Mon, Jul 27, 2015 at 05:14:39PM +0300, Andrey Burov wrote:

> # HG changeset patch
> # User Andrey Burov
> # Date 1438003704 -10800
> # Mon Jul 27 16:28:24 2015 +0300
> # Node ID 45362796f681e0d107810ba20781a859e6c03cf5
> # Parent 341e4303d25be159d4773b819d0ec055ba711afb
> auth_request: add support 407 response
>
> Receive "Proxy-Authenticate" header for the 407 response from subrequest.

I would rather say no, as nginx isn't a forward proxy and 407 responses are not something it's expected to return.

-- Maxim Dounin http://nginx.org/

From ahutchings at nginx.com Tue Jul 28 08:43:43 2015
From: ahutchings at nginx.com (Andrew Hutchings) Date: Tue, 28 Jul 2015 09:43:43 +0100 Subject: Nginx GitHub mirror Message-ID: <55B740BF.5050803@nginx.com> Hi all, You may or may not be aware that we have recently made some changes to the Nginx GitHub account and trees (https://github.com/nginx). Before I go into details I should make it clear that the primary location for Nginx code will be the Mercurial repositories (http://hg.nginx.org/). The GitHub trees are more for convenience to the community. On to the details: The original GitHub tree basically contained the release tarballs extracted. This has been moved to https://github.com/nginx/nginx-releases and has been deprecated with no more updates. If there is demand to resurrect it we can do this but for now it will sit idle for people who have already forked it. There is a new GitHub tree which is a mirror of the main Mercurial repository: https://github.com/nginx/nginx This is currently updated hourly from one of my servers here in the UK. It cannot accept pull requests and any pull request will be automatically closed with instructions on how to contribute (another hourly script does this). We hope this helps developers that are more familiar with git than mercurial to access the bleeding-edge code. If anyone has any questions please feel free to field them to me. Happy Tuesday everyone! :) Kind Regards -- Andrew Hutchings (LinuxJedi) Senior Developer Advocate Nginx Inc. From jonh.wendell at gmail.com Wed Jul 29 20:15:24 2015 
From: jonh.wendell at gmail.com (Jonh Wendell) Date: Wed, 29 Jul 2015 17:15:24 -0300 Subject: [PATCH] Add log variables $http_all and $sent_http_all Message-ID: <2412f965360cdbf9d152.1438200924@jwendell> src/http/ngx_http_header_filter_module.c | 5 + src/http/ngx_http_request.h | 2 + src/http/ngx_http_variables.c | 92 ++++++++++++++++++++++++++++++++ 3 files changed, 99 insertions(+), 0 deletions(-) # HG changeset patch # User Jonh Wendell # Date 1438199955 10800 # Wed Jul 29 16:59:15 2015 -0300 # Node ID 2412f965360cdbf9d15280e8ee9fa1a28a3c86ca # Parent 341e4303d25be159d4773b819d0ec055ba711afb Add log variables $http_all and $sent_http_all These are meant to log the entire request and response headers, respectively. There are cases when we want to log the whole request (or response) headers, for example, when we don't know in advance the field the client sends. Currently we must know exactly the header fields we want to log. This patch adds these two variables that contains $http_all: all request headers as received from client $sent_http_all: all response headers as sent to the client Closes #426. diff -r 341e4303d25b -r 2412f965360c src/http/ngx_http_header_filter_module.c --- a/src/http/ngx_http_header_filter_module.c Thu Jul 16 14:20:48 2015 +0300 +++ b/src/http/ngx_http_header_filter_module.c Wed Jul 29 16:59:15 2015 -0300 @@ -608,6 +608,11 @@ ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, "%*s", (size_t) (b->last - b->pos), b->pos); + /* prepare the complete headers for eventual logging - strip out the last "\r\n" */ + r->headers_out.final_response.len = b->last - b->pos - (sizeof(CRLF) - 1); + r->headers_out.final_response.data = ngx_palloc(r->pool, r->headers_out.final_response.len); + ngx_memcpy(r->headers_out.final_response.data, b->pos, r->headers_out.final_response.len); + /* the end of HTTP header */ *b->last++ = CR; *b->last++ = LF; diff -r 341e4303d25b -r 2412f965360c src/http/ngx_http_request.h 
--- a/src/http/ngx_http_request.h Thu Jul 16 14:20:48 2015 +0300 +++ b/src/http/ngx_http_request.h Wed Jul 29 16:59:15 2015 -0300 @@ -272,6 +272,8 @@ off_t content_length_n; time_t date_time; time_t last_modified_time; + + ngx_str_t final_response; } ngx_http_headers_out_t; diff -r 341e4303d25b -r 2412f965360c src/http/ngx_http_variables.c --- a/src/http/ngx_http_variables.c Thu Jul 16 14:20:48 2015 +0300 +++ b/src/http/ngx_http_variables.c Wed Jul 29 16:59:15 2015 -0300 @@ -100,6 +100,10 @@ ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_status(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); +static ngx_int_t ngx_http_variable_http_all(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data); +static ngx_int_t ngx_http_variable_sent_http_all(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data); static ngx_int_t ngx_http_variable_sent_content_type(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); @@ -174,6 +178,9 @@ { ngx_string("http_cookie"), NULL, ngx_http_variable_cookies, offsetof(ngx_http_request_t, headers_in.cookies), 0, 0 }, + { ngx_string("http_all"), NULL, ngx_http_variable_http_all, 0, 0, 0 }, + { ngx_string("sent_http_all"), NULL, ngx_http_variable_sent_http_all, 0, 0, 0 }, + { ngx_string("content_length"), NULL, ngx_http_variable_content_length, 0, 0, 0 }, 
@@ -1712,6 +1719,91 @@ static ngx_int_t +ngx_http_variable_sent_http_all(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data) +{ + v->len = r->headers_out.final_response.len; + v->data = r->headers_out.final_response.data; + v->valid = 1; + v->no_cacheable = 0; + v->not_found = 0; + + return NGX_OK; +} + + +static ngx_int_t +ngx_http_variable_http_all(ngx_http_request_t *r, + ngx_http_variable_value_t *v, uintptr_t data) +{ + ngx_uint_t i; + ngx_list_part_t *part; + ngx_table_elt_t *header; + u_char *buf; + + v->len = 0; + + part = &r->headers_in.headers.part; + header = part->elts; + for (i = 0; /* void */ ; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + v->len += header[i].key.len + header[i].value.len + sizeof(": \r\n") - 1; + } + + buf = ngx_pnalloc(r->pool, v->len); + if (buf == NULL) { + return NGX_ERROR; + } + v->data = buf; + + part = &r->headers_in.headers.part; + header = part->elts; + for (i = 0; /* void */ ; i++) { + + if (i >= part->nelts) { + if (part->next == NULL) { + break; + } + + part = part->next; + header = part->elts; + i = 0; + } + + if (header[i].hash == 0) { + continue; + } + + buf = ngx_sprintf(buf, "%V: %V\r\n", &header[i].key, &header[i].value); + } + + if (v->len > 0) { + v->len -= sizeof(CRLF) - 1; + } + + v->valid = 1; + v->no_cacheable = 0; + v->not_found = 0; + + return NGX_OK; +} + + +static ngx_int_t ngx_http_variable_sent_content_type(ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data) { From gmm at csdoc.com Wed Jul 29 22:44:15 2015 
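Review bot: in the `ngx_http_header_filter_module.c` hunk the `ngx_palloc()` result is used without a NULL check, so under allocation failure `ngx_memcpy()` dereferences NULL; test the return and either leave `final_response` empty or return `NGX_ERROR`. The copy is also made for every response whether or not `$sent_http_all` is referenced in any `log_format`, so all users pay the extra allocation and memcpy; a flag set when the variable is indexed would limit the cost to configurations that actually log it.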
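Review bot: in `ngx_http_variable_http_all()` the size pass adds `sizeof(": \r\n") - 1` per header while the final trim subtracts `sizeof(CRLF) - 1`; using `CRLF` in both keeps the two constants visibly in step, and when no header is present the `ngx_pnalloc(r->pool, 0)` call can be skipped by short-circuiting before the allocation with `v->data` pointing at an empty string (the `if (v->len > 0)` guard shows that case was considered). Separately, both variables write `Cookie`, `Authorization`, `Set-Cookie` and similar credential-bearing values verbatim into the access log; the description or the variable documentation should say so, because a log containing `$http_all` then needs the same protection as the credentials it records.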
From: gmm at csdoc.com (Gena Makhomed) Date: Thu, 30 Jul 2015 01:44:15 +0300 Subject: [PATCH] Workaround for "configuration file test failed" under OpenVZ Message-ID: <55B9573F.9010901@csdoc.com> # HG changeset patch # User Gena Makhomed # Date 1437674403 14400 # Thu Jul 23 14:00:03 2015 -0400 # Node ID 57ac65580b5bba0cb4bb61dca9d63daec0ceb14c # Parent 341e4303d25be159d4773b819d0ec055ba711afb Workaround for "configuration file test failed" under OpenVZ. nginx configuration test failed: # nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: [emerg] listen() to 0.0.0.0:80, backlog 511 failed (98: Address already in use) nginx: configuration file /etc/nginx/nginx.conf test failed ...if nginx used under OpenVZ and container with nginx was suspended and resumed. After this patch - nginx configuration test works fine under same environment: # nginx -t nginx: the configuration file /etc/nginx/nginx.conf syntax is ok nginx: configuration file /etc/nginx/nginx.conf test is successful PS More details about OpenVZ suspend/resume bug: https://bugzilla.openvz.org/show_bug.cgi?id=2470 diff -r 341e4303d25b -r 57ac65580b5b src/core/ngx_connection.c --- a/src/core/ngx_connection.c Thu Jul 16 14:20:48 2015 +0300 +++ b/src/core/ngx_connection.c Thu Jul 23 14:00:03 2015 -0400 @@ -567,9 +567,13 @@ #endif if (listen(s, ls[i].backlog) == -1) { - ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno, - "listen() to %V, backlog %d failed", - &ls[i].addr_text, ls[i].backlog); + err = ngx_socket_errno; + + if (err != NGX_EADDRINUSE || !ngx_test_config) { + ngx_log_error(NGX_LOG_EMERG, log, err, + "listen() to %V, backlog %d failed", + &ls[i].addr_text, ls[i].backlog); + } if (ngx_close_socket(s) == -1) { ngx_log_error(NGX_LOG_EMERG, log, ngx_socket_errno, 
@@ -577,7 +581,15 @@ &ls[i].addr_text); } - return NGX_ERROR; + if (err != NGX_EADDRINUSE) { + return NGX_ERROR; + } + + if (!ngx_test_config) { + failed = 1; + } + + continue; } ls[i].listen = 1;
From bondarev at amazon.com Wed Jul 29 23:28:40 2015 From: bondarev at amazon.com (Bondarev, Daniil) Date: Wed, 29 Jul 2015 23:28:40 +0000 Subject: [PATCH] Set Content-Length to 0 when proxying requests with discarded body Message-ID: <1438212518122.2639@amazon.com> Hello, We have a use case where we need to discard request body before proxying request to the upstream. To do this we call ngx_http_discard_request_body, but it uses r->headers_in.content_length_n to store the amount of data nginx wants to receive next time, so it won't be 0 until nginx read all bytes from the client. So if proxy_request_buffering is set to off, nginx ends up sending non-0 Content-Length header to the upstream without a body. The following patch fixes this behavior. # HG changeset patch # User Daniil Bondarev # Date 1438119116 25200 # Node ID ddefee93b698b9261a147a08f42a07810efa2dab # Parent 341e4303d25be159d4773b819d0ec055ba711afb Set Content-Length to 0 when proxying requests with discarded body diff -r 341e4303d25b -r ddefee93b698 src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c Thu Jul 16 14:20:48 2015 +0300 +++ b/src/http/modules/ngx_http_proxy_module.c Tue Jul 28 14:31:56 2015 -0700 @@ -1221,6 +1221,9 @@ ctx->internal_body_length = body_len; len += body_len; + } else if (r->discard_body) { + ctx->internal_body_length = 0; + } else if (r->headers_in.chunked && r->reading_body) { ctx->internal_body_length = -1; ctx->internal_chunked = 1; From gzchenym at 126.com Thu Jul 30 03:56:04 2015
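Review bot: the two `ngx_connection.c` hunks reproduce the existing `bind()` EADDRINUSE handling (`err`, `failed`, the `!ngx_test_config` logging guard, `continue`) for `listen()`; the description should say so, because a reader of this hunk alone sees `err` and `failed` assigned with no declaration in view. It should also spell out the trade-off: after this change `nginx -t` stays silent whenever `listen()` fails with EADDRINUSE, not only after the linked OpenVZ suspend/resume bug, so a genuine conflict with another listener surfaces only at the real start, where the `failed = 1` path retries. A code comment next to the new branch naming the OpenVZ bug would make the workaround easy to retire once the kernel side is fixed.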
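Review bot: the new `else if (r->discard_body)` branch in the `ngx_http_proxy_module.c` hunk at line 1221 deserves a short code comment, since the reason it is needed (`ngx_http_discard_request_body()` reusing `content_length_n` as a bytes-still-to-read counter) lives only in this mail and the next reader will wonder why `Content-Length` is not taken from the header. The branch also now precedes the `r->headers_in.chunked && r->reading_body` test, so a discarded chunked body is sent as `Content-Length: 0` rather than chunked; that looks right, but a test covering both the plain and the chunked case with `proxy_request_buffering off` and a body still arriving at proxy time would pin the behaviour.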
From: gzchenym at 126.com (chen) Date: Thu, 30 Jul 2015 11:56:04 +0800 (CST) Subject: [RFC] event/openssl: Add dynamic record size support for serving ssl traffic In-Reply-To: References: <34abb03e.16155.14d244dae6f.Coremail.gzchenym@126.com> Message-ID: <4b203a14.19f44.14edd1a4879.Coremail.gzchenym@126.com>

Hi wmark

I have read your post in nginx forum. I think the getsockopt(2) call at connection init process will cause a cpu spike if for example 100K clients try to connect to the server at the same time. But what you will get from the &mss returned from the kernel is exactly the same 99.9 percent of the time. I have already taken that into account when I designed that patch, so I made it hard-coded.

And BTW what did you mean by "sending two results in better catching parts"?

Regard
YM

At 2015-06-03 02:14:45, "W-Mark Kubacki" wrote:
>2015-06-02 3:04 GMT+02:00 SplitIce :
>> From memory SSL_CIPHER_is_AES is a BoringSSL addition isn't it? I did a quick
>> look over the OpenSSL source and it does not seem like it's been added
>> either.
>>
>> I haven't had a chance to compile this yet to confirm it, but if correct then
>> this is not compatible with OpenSSL and possibly other SSL libraries.
>
>My bad. It's a draft and, as you've found out, can be trivially fixed.
>
>https://github.com/openssl/openssl/blob/c3d734701cd57575856bf9b542446811518dd28c/ssl/ssl_ciph.c#L596-L615
>
>https://boringssl.googlesource.com/boringssl/+/4d4bff89bb8ec345d289412f0f7f135c6e51b1a6%5E!/
>
>--
>Mark
>
>_______________________________________________
>nginx-devel mailing list
>nginx-devel at nginx.org
>http://mailman.nginx.org/mailman/listinfo/nginx-devel

From arut at nginx.com Thu Jul 30 17:45:10 2015
From: arut at nginx.com (Roman Arutyunyan) Date: Thu, 30 Jul 2015 17:45:10 +0000 Subject: [nginx] Stream: added proxy_buffer_size to set the size of data ... Message-ID: details: http://hg.nginx.org/nginx/rev/8ee6a08ea3eb branches: changeset: 6215:8ee6a08ea3eb user: Roman Arutyunyan date: Wed Jul 29 13:46:26 2015 -0700 description: Stream: added proxy_buffer_size to set the size of data buffers. Both download and upload buffers now have the same size. The old directives proxy_downstream_buffer and proxy_upstream_buffer are removed. diffstat: src/stream/ngx_stream_proxy_module.c | 34 +++++++++++----------------------- 1 files changed, 11 insertions(+), 23 deletions(-) diffs (114 lines): diff -r 341e4303d25b -r 8ee6a08ea3eb src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Thu Jul 16 14:20:48 2015 +0300 +++ b/src/stream/ngx_stream_proxy_module.c Wed Jul 29 13:46:26 2015 -0700 @@ -17,9 +17,8 @@ typedef struct { ngx_msec_t connect_timeout; ngx_msec_t timeout; ngx_msec_t next_upstream_timeout; - size_t downstream_buf_size; + size_t buffer_size; size_t upload_rate; - size_t upstream_buf_size; size_t download_rate; ngx_uint_t next_upstream_tries; ngx_flag_t next_upstream; @@ -127,11 +126,11 @@ static ngx_command_t ngx_stream_proxy_c offsetof(ngx_stream_proxy_srv_conf_t, timeout), NULL }, - { ngx_string("proxy_downstream_buffer"), + { ngx_string("proxy_buffer_size"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_size_slot, NGX_STREAM_SRV_CONF_OFFSET, - offsetof(ngx_stream_proxy_srv_conf_t, downstream_buf_size), + offsetof(ngx_stream_proxy_srv_conf_t, buffer_size), NULL }, { ngx_string("proxy_upload_rate"), 
@@ -141,13 +140,6 @@ static ngx_command_t ngx_stream_proxy_c offsetof(ngx_stream_proxy_srv_conf_t, upload_rate), NULL }, - { ngx_string("proxy_upstream_buffer"), - NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, - ngx_conf_set_size_slot, - NGX_STREAM_SRV_CONF_OFFSET, - offsetof(ngx_stream_proxy_srv_conf_t, upstream_buf_size), - NULL }, - { ngx_string("proxy_download_rate"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_size_slot, @@ -358,14 +350,14 @@ ngx_stream_proxy_handler(ngx_stream_sess u->proxy_protocol = pscf->proxy_protocol; u->start_sec = ngx_time(); - p = ngx_pnalloc(c->pool, pscf->downstream_buf_size); + p = ngx_pnalloc(c->pool, pscf->buffer_size); if (p == NULL) { ngx_stream_proxy_finalize(s, NGX_ERROR); return; } u->downstream_buf.start = p; - u->downstream_buf.end = p + pscf->downstream_buf_size; + u->downstream_buf.end = p + pscf->buffer_size; u->downstream_buf.pos = p; u->downstream_buf.last = p; @@ -376,7 +368,7 @@ ngx_stream_proxy_handler(ngx_stream_sess #if (NGX_STREAM_SSL) && pscf->ssl == NULL #endif - && pscf->downstream_buf_size >= NGX_PROXY_PROTOCOL_MAX_HEADER + && pscf->buffer_size >= NGX_PROXY_PROTOCOL_MAX_HEADER ) { /* optimization for a typical case */ @@ -513,14 +505,14 @@ ngx_stream_proxy_init_upstream(ngx_strea c->log->action = "proxying connection"; - p = ngx_pnalloc(c->pool, pscf->upstream_buf_size); + p = ngx_pnalloc(c->pool, pscf->buffer_size); if (p == NULL) { ngx_stream_proxy_finalize(s, NGX_ERROR); return; } u->upstream_buf.start = p; - u->upstream_buf.end = p + pscf->upstream_buf_size; + u->upstream_buf.end = p + pscf->buffer_size; u->upstream_buf.pos = p; u->upstream_buf.last = p; 
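Review bot: the `@@ -141,13 +140,6 @@` hunk deletes the `proxy_upstream_buffer` command entry outright, and the preceding command-table hunk renames `proxy_downstream_buffer` to `proxy_buffer_size`, so any existing stream configuration that uses either old name stops loading with an unknown-directive error at the next reload. Keeping the old names registered as deprecated aliases of `proxy_buffer_size` in the same changeset (changeset 6217 further down adds exactly that) would avoid a window in the tree where previously valid configs are rejected; the description should at least call out the compatibility break.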
@@ -1295,9 +1287,8 @@ ngx_stream_proxy_create_srv_conf(ngx_con conf->connect_timeout = NGX_CONF_UNSET_MSEC; conf->timeout = NGX_CONF_UNSET_MSEC; conf->next_upstream_timeout = NGX_CONF_UNSET_MSEC; - conf->downstream_buf_size = NGX_CONF_UNSET_SIZE; + conf->buffer_size = NGX_CONF_UNSET_SIZE; conf->upload_rate = NGX_CONF_UNSET_SIZE; - conf->upstream_buf_size = NGX_CONF_UNSET_SIZE; conf->download_rate = NGX_CONF_UNSET_SIZE; conf->next_upstream_tries = NGX_CONF_UNSET_UINT; conf->next_upstream = NGX_CONF_UNSET; @@ -1332,15 +1323,12 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf ngx_conf_merge_msec_value(conf->next_upstream_timeout, prev->next_upstream_timeout, 0); - ngx_conf_merge_size_value(conf->downstream_buf_size, - prev->downstream_buf_size, 16384); + ngx_conf_merge_size_value(conf->buffer_size, + prev->buffer_size, 16384); ngx_conf_merge_size_value(conf->upload_rate, prev->upload_rate, 0); - ngx_conf_merge_size_value(conf->upstream_buf_size, - prev->upstream_buf_size, 16384); - ngx_conf_merge_size_value(conf->download_rate, prev->download_rate, 0); From arut at nginx.com Thu Jul 30 17:45:13 2015 From: arut at nginx.com (Roman Arutyunyan) Date: Thu, 30 Jul 2015 17:45:13 +0000 Subject: [nginx] Style. Message-ID: details: http://hg.nginx.org/nginx/rev/543f10fe34d2 branches: changeset: 6216:543f10fe34d2 user: Roman Arutyunyan date: Wed Jul 29 14:36:36 2015 -0700 description: Style. diffstat: src/stream/ngx_stream_proxy_module.c | 3 +-- 1 files changed, 1 insertions(+), 2 deletions(-) diffs (13 lines): diff -r 8ee6a08ea3eb -r 543f10fe34d2 src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Wed Jul 29 13:46:26 2015 -0700 +++ b/src/stream/ngx_stream_proxy_module.c Wed Jul 29 14:36:36 2015 -0700 
@@ -368,8 +368,7 @@ ngx_stream_proxy_handler(ngx_stream_sess #if (NGX_STREAM_SSL) && pscf->ssl == NULL #endif - && pscf->buffer_size >= NGX_PROXY_PROTOCOL_MAX_HEADER - ) + && pscf->buffer_size >= NGX_PROXY_PROTOCOL_MAX_HEADER) { /* optimization for a typical case */ From arut at nginx.com Thu Jul 30 23:44:42 2015 From: arut at nginx.com (Roman Arutyunyan) Date: Thu, 30 Jul 2015 23:44:42 +0000 Subject: [nginx] Stream: deprecated proxy_downstream_buffer, proxy_upstre... Message-ID: details: http://hg.nginx.org/nginx/rev/b544f8e0d921 branches: changeset: 6217:b544f8e0d921 user: Roman Arutyunyan date: Thu Jul 30 16:43:48 2015 -0700 description: Stream: deprecated proxy_downstream_buffer, proxy_upstream_buffer. The directive proxy_buffer_size should be used instead. diffstat: src/stream/ngx_stream_proxy_module.c | 23 +++++++++++++++++++++++ 1 files changed, 23 insertions(+), 0 deletions(-) diffs (40 lines): diff -r 543f10fe34d2 -r b544f8e0d921 src/stream/ngx_stream_proxy_module.c --- a/src/stream/ngx_stream_proxy_module.c Wed Jul 29 14:36:36 2015 -0700 +++ b/src/stream/ngx_stream_proxy_module.c Thu Jul 30 16:43:48 2015 -0700 @@ -96,6 +96,15 @@ static ngx_conf_bitmask_t ngx_stream_pr #endif +static ngx_conf_deprecated_t ngx_conf_deprecated_proxy_downstream_buffer = { + ngx_conf_deprecated, "proxy_downstream_buffer", "proxy_buffer_size" +}; + +static ngx_conf_deprecated_t ngx_conf_deprecated_proxy_upstream_buffer = { + ngx_conf_deprecated, "proxy_upstream_buffer", "proxy_buffer_size" +}; + + static ngx_command_t ngx_stream_proxy_commands[] = { { ngx_string("proxy_pass"), 
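Review bot: both ngx_conf_deprecated_t entries added in the @@ -96,6 +96,15 @@ hunk name proxy_buffer_size as the replacement, but the two old directives configured two separate buffers and now collapse into the single buffer_size slot, so an operator who had set proxy_downstream_buffer and proxy_upstream_buffer to different values has no direct equivalent. Suggest stating in the deprecation text or the directive documentation that the one proxy_buffer_size replaces both and should be set to the larger of the two old values.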
@@ -133,6 +142,20 @@ static ngx_command_t ngx_stream_proxy_c offsetof(ngx_stream_proxy_srv_conf_t, buffer_size), NULL }, + { ngx_string("proxy_downstream_buffer"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_size_slot, + NGX_STREAM_SRV_CONF_OFFSET, + offsetof(ngx_stream_proxy_srv_conf_t, buffer_size), + &ngx_conf_deprecated_proxy_downstream_buffer }, + + { ngx_string("proxy_upstream_buffer"), + NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, + ngx_conf_set_size_slot, + NGX_STREAM_SRV_CONF_OFFSET, + offsetof(ngx_stream_proxy_srv_conf_t, buffer_size), + &ngx_conf_deprecated_proxy_upstream_buffer }, + { ngx_string("proxy_upload_rate"), NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1, ngx_conf_set_size_slot,
From nmav at redhat.com Fri Jul 31 14:37:00 2015 From: nmav at redhat.com (Nikos Mavrogiannopoulos) Date: Fri, 31 Jul 2015 16:37:00 +0200 Subject: OpenSSL PKCS#11 Engine cannot be reused in child process, worker SSL sessions fail In-Reply-To: References: Message-ID: <1438353420.6514.34.camel@redhat.com>
On Sun, 2015-07-26 at 00:20 +0800, Anthony Alba wrote:
> Hi developers,
>
> I am using nginx with an OpenSSL engine (Safenet Luna) which is a
> wrapper over PKCS#11.
> The handles returned by ENGINE_load_private_key cannot be used in child
> processes, aka, workers due to PKCS#11, thus causing SSL connection
> errors.
Unfortunately nginx doesn't have direct support for PKCS #11 and relies on the very primitive engine_pkcs11 which doesn't (yet) work with applications that fork. To make that work you need to get engine_pkcs11, and libp11 from their git repositories [0], [1] and apply [2] on top. I have a tracker for these issues at: https://bugzilla.redhat.com/show_bug.cgi?id=1236526
regards, Nikos
[0]. https://github.com/OpenSC/engine_pkcs11
[1]. https://github.com/OpenSC/libp11
[2]. https://github.com/OpenSC/libp11/pull/27