DTLS patches
Wang Shanker
shankerwangmiao at gmail.com
Wed Feb 21 14:44:00 UTC 2018
Hi,
I noticed that you have introduced `ngx_event_udp_accept()`, which can
create a separate socket for receiving datagrams from a specific client.
I understand that it is necessary for DTLS servers. However I wonder
why it is also called for normal udp servers.
For udp servers listening on a port below 1024, such call will fail if
the worker processes drop their privilege as a non-root user. The
following patch solves this problem by retaining CAP_NET_BIND_SERVICE
after worker processes change UID.
Cheers,
Miao Wang
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch
Type: application/octet-stream
Size: 3605 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx/attachments/20180221/01c29a98/attachment.obj>
-------------- next part --------------
> ? 2018?02?21??22:30?Wang Shanker <shankerwangmiao at gmail.com> ???
>
> Hi, of course. I'm implementing RFC8094, which is for transmitting dns
> queries through DTLS. Nginx is used for offloading DTLS encryption and
> the software behind nginx is bind9.
>
> Cheers,
>
> Miao Wang
>
>> ? 2018?02?21??22:12?Vladimir Homutov <vl at nginx.com> ???
>>
>> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>>>
>>> I have tested this patch in my environment. Before the patch is applied,
>>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>>> enabled to work the problem around.
>>>
>>
>> Hello,
>> can you please elaborate about your environment? Do you proxy DTLS
>> stream directly to backend, or you perform DTLS offload ?
>> What protocol are you using and which server/client software
>> before/behind nginx?
>>
>> I'm attaching refreshed patch against nginx-1.13.9 for those who are
>> interested to test.
>> <nginx-1.13.9-dtls-experimental.diff>_______________________________________________
>> nginx mailing list
>> nginx at nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
More information about the nginx
mailing list