Nginx Forum - Nginx Development

[PATCH] Style: cleanup. (1 reply)

Piotr Sikora — Tue, 21 May 2013 21:52:01 -0400

# HG changeset patch
# User Piotr Sikora
# Date 1369183181 25200
# Node ID 8f2e7bd395bae3c496639ba48d4683b2a6b796d5
# Parent 1d68b502088c9d6e6603e9699354e36d03d77f9c
Style: cleanup.

Remove unnecessary references to HTTP from non-HTTP modules
and replace SSL * with ngx_ssl_conn_t.

diff -r 1d68b502088c -r 8f2e7bd395ba src/core/ngx_conf_file.h
--- a/src/core/ngx_conf_file.h Tue May 21 21:47:50 2013 +0400
+++ b/src/core/ngx_conf_file.h Tue May 21 17:39:41 2013 -0700
@@ -5,8 +5,8 @@
*/

-#ifndef _NGX_HTTP_CONF_FILE_H_INCLUDED_
-#define _NGX_HTTP_CONF_FILE_H_INCLUDED_
+#ifndef _NGX_CONF_FILE_H_INCLUDED_
+#define _NGX_CONF_FILE_H_INCLUDED_

#include
@@ -337,4 +337,4 @@
extern ngx_module_t *ngx_modules[];

-#endif /* _NGX_HTTP_CONF_FILE_H_INCLUDED_ */
+#endif /* _NGX_CONF_FILE_H_INCLUDED_ */
diff -r 1d68b502088c -r 8f2e7bd395ba src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue May 21 21:47:50 2013 +0400
+++ b/src/event/ngx_event_openssl.c Tue May 21 17:39:41 2013 -0700
@@ -15,7 +15,7 @@
} ngx_openssl_conf_t;

-static int ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
+static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
int ret);
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
@@ -342,7 +342,7 @@
{
STACK_OF(X509_NAME) *list;

- SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER,
ngx_http_ssl_verify_callback);
+ SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback);

SSL_CTX_set_verify_depth(ssl->ctx, depth);

@@ -457,7 +457,7 @@

static int
-ngx_http_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
+ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store)
{
#if (NGX_DEBUG)
char *subject, *issuer;
@@ -517,7 +517,7 @@

RSA *
-ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length)
+ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl, int is_export, int key_length)
{
static RSA *key;

diff -r 1d68b502088c -r 8f2e7bd395ba src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Tue May 21 21:47:50 2013 +0400
+++ b/src/event/ngx_event_openssl.h Tue May 21 17:39:41 2013 -0700
@@ -109,7 +109,8 @@
ngx_str_t *file, ngx_str_t *responder, ngx_uint_t verify);
ngx_int_t ngx_ssl_stapling_resolver(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_resolver_t *resolver, ngx_msec_t resolver_timeout);
-RSA *ngx_ssl_rsa512_key_callback(SSL *ssl, int is_export, int key_length);
+RSA *ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl, int is_export,
+ int key_length);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
diff -r 1d68b502088c -r 8f2e7bd395ba src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c Tue May 21 21:47:50 2013 +0400
+++ b/src/mail/ngx_mail_ssl_module.c Tue May 21 17:39:41 2013 -0700
@@ -25,7 +25,7 @@
void *conf);

-static ngx_conf_enum_t ngx_http_starttls_state[] = {
+static ngx_conf_enum_t ngx_mail_starttls_state[] = {
{ ngx_string("off"), NGX_MAIL_STARTTLS_OFF },
{ ngx_string("on"), NGX_MAIL_STARTTLS_ON },
{ ngx_string("only"), NGX_MAIL_STARTTLS_ONLY },
@@ -58,7 +58,7 @@
ngx_mail_ssl_starttls,
NGX_MAIL_SRV_CONF_OFFSET,
offsetof(ngx_mail_ssl_conf_t, starttls),
- ngx_http_starttls_state },
+ ngx_mail_starttls_state },

{ ngx_string("ssl_certificate"),
NGX_MAIL_MAIN_CONF|NGX_MAIL_SRV_CONF|NGX_CONF_TAKE1,
diff -r 1d68b502088c -r 8f2e7bd395ba src/os/unix/ngx_linux_sendfile_chain.c
--- a/src/os/unix/ngx_linux_sendfile_chain.c Tue May 21 21:47:50 2013 +0400
+++ b/src/os/unix/ngx_linux_sendfile_chain.c Tue May 21 17:39:41 2013 -0700
@@ -181,7 +181,7 @@
} else {
c->tcp_nodelay = NGX_TCP_NODELAY_UNSET;

- ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
+ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
"no tcp_nodelay");
}
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] Making $invalid_referer accessible in Perl (and Lua) (no replies)

agentzh — Tue, 21 May 2013 19:30:01 -0400

Hello!

The $invalid_referer variable is always created with the
NGX_HTTP_VAR_NOHASH flag in ngx_http_referer_module, which
unfortunately prohibits its use in embedded dynamic languages like
Perl and Lua (through the ngx_http_get_variable function).

Below attaches a patch that removes this flag.

This issue was originally reported by Fry-kun.

Thanks!
-agentzh

--- nginx-1.5.0/src/http/modules/ngx_http_referer_module.c 2013-05-06
03:27:10.000000000 -0700
+++ nginx-1.5.0-patched/src/http/modules/ngx_http_referer_module.c
2013-05-21 16:04:49.340286168 -0700
@@ -396,8 +396,7 @@ ngx_http_valid_referers(ngx_conf_t *cf,

ngx_str_set(&name, "invalid_referer");

- var = ngx_http_add_variable(cf, &name,
- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOHASH);
+ var = ngx_http_add_variable(cf, &name, NGX_HTTP_VAR_CHANGEABLE);
if (var == NULL) {
return NGX_CONF_ERROR;
}
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] SNI: add $ssl_servername variable. (no replies)

Piotr Sikora — Tue, 21 May 2013 19:14:00 -0400

# HG changeset patch
# User Piotr Sikora
# Date 1369177341 25200
# Node ID 4d617cb445673c8e3c43d75c240a7d401b394ee8
# Parent 8646199ded31a725bea599aeafc581f9c969872d
SNI: add $ssl_servername variable.

Signed-off-by: Piotr Sikora

diff -r 8646199ded31 -r 4d617cb44567 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Tue May 21 16:02:10 2013 -0700
+++ b/src/event/ngx_event_openssl.c Tue May 21 16:02:21 2013 -0700
@@ -2221,6 +2221,21 @@

ngx_int_t
+ngx_ssl_get_servername(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ if (c->ssl->servername) {
+ *s = *c->ssl->servername;
+ return NGX_OK;
+ }
+#endif
+
+ s->len = 0;
+ return NGX_OK;
+}
+
+
+ngx_int_t
ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
{
int len;
diff -r 8646199ded31 -r 4d617cb44567 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Tue May 21 16:02:10 2013 -0700
+++ b/src/event/ngx_event_openssl.h Tue May 21 16:02:21 2013 -0700
@@ -146,6 +146,8 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_servername(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
diff -r 8646199ded31 -r 4d617cb44567 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Tue May 21 16:02:10 2013 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c Tue May 21 16:02:21 2013 -0700
@@ -238,6 +238,9 @@
{ ngx_string("ssl_cipher"), NULL, ngx_http_ssl_static_variable,
(uintptr_t) ngx_ssl_get_cipher_name, NGX_HTTP_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_servername"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_servername, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] SNI: store server name in the ngx_ssl_connection_t structure. (no replies)

Piotr Sikora — Tue, 21 May 2013 19:14:00 -0400

# HG changeset patch
# User Piotr Sikora
# Date 1369177330 25200
# Node ID 8646199ded31a725bea599aeafc581f9c969872d
# Parent 4b277448dfd56751c7c88477e78b2ba3cf6ae472
SNI: store server name in the ngx_ssl_connection_t structure.

SNI server name is a property of the SSL connection and there is
no good reason to store it elsewhere.

Also, this makes the stored value accessible by non-HTTP modules.

Signed-off-by: Piotr Sikora

diff -r 4b277448dfd5 -r 8646199ded31 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Tue May 21 16:01:59 2013 -0700
+++ b/src/event/ngx_event_openssl.h Tue May 21 16:02:10 2013 -0700
@@ -43,6 +43,13 @@
ngx_event_handler_pt saved_read_handler;
ngx_event_handler_pt saved_write_handler;

+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ ngx_str_t *servername;
+#if (NGX_PCRE)
+ void *servername_regex;
+#endif
+#endif
+
unsigned handshaked:1;
unsigned renegotiation:1;
unsigned buffer:1;
diff -r 4b277448dfd5 -r 8646199ded31 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Tue May 21 16:01:59 2013 -0700
+++ b/src/http/ngx_http_request.c Tue May 21 16:02:10 2013 -0700
@@ -807,12 +807,12 @@
return SSL_TLSEXT_ERR_NOACK;
}

- hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
- if (hc->ssl_servername == NULL) {
+ c->ssl->servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
+ if (c->ssl->servername == NULL) {
return SSL_TLSEXT_ERR_NOACK;
}

- *hc->ssl_servername = host;
+ *c->ssl->servername = host;

if (rc == NGX_DECLINED || hc->conf_ctx == cscf->ctx) {
return SSL_TLSEXT_ERR_OK;
@@ -1954,23 +1954,24 @@
ngx_http_set_virtual_server(ngx_http_request_t *r, ngx_str_t *host)
{
ngx_int_t rc;
+ ngx_connection_t *c;
ngx_http_connection_t *hc;
ngx_http_core_loc_conf_t *clcf;
ngx_http_core_srv_conf_t *cscf;

- hc = r->http_connection;
+ c = r->connection;

#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)

- if (hc->ssl_servername) {
- if (hc->ssl_servername->len == host->len
- && ngx_strncmp(hc->ssl_servername->data,
+ if (c->ssl && c->ssl->servername) {
+ if (c->ssl->servername->len == host->len
+ && ngx_strncmp(c->ssl->servername->data,
host->data, host->len) == 0)
{
#if (NGX_PCRE)
- if (hc->ssl_servername_regex
- && ngx_http_regex_exec(r, hc->ssl_servername_regex,
- hc->ssl_servername) != NGX_OK)
+ if (c->ssl->servername_regex
+ && ngx_http_regex_exec(r, c->ssl->servername_regex,
+ c->ssl->servername) != NGX_OK)
{
ngx_http_close_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR);
return NGX_ERROR;
@@ -1982,8 +1983,9 @@

#endif

- rc = ngx_http_find_virtual_server(r->connection,
- hc->addr_conf->virtual_names,
+ hc = r->http_connection;
+
+ rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names,
host, r, &cscf);

if (rc == NGX_ERROR) {
@@ -1993,7 +1995,7 @@

#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)

- if (hc->ssl_servername) {
+ if (c->ssl && c->ssl->servername) {
ngx_http_ssl_srv_conf_t *sscf;

if (rc == NGX_DECLINED) {
@@ -2004,7 +2006,7 @@
sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);

if (sscf->verify) {
- ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
+ ngx_log_error(NGX_LOG_INFO, c->log, 0,
"client attempted to request the server name "
"different from that one was negotiated");
ngx_http_finalize_request(r, NGX_HTTP_BAD_REQUEST);
@@ -2023,7 +2025,7 @@

clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);

- ngx_http_set_connection_log(r->connection, clcf->error_log);
+ ngx_http_set_connection_log(c, clcf->error_log);

return NGX_OK;
}
@@ -2060,8 +2062,7 @@

#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)

- if (r == NULL) {
- ngx_http_connection_t *hc;
+ if (r == NULL && c->ssl) {

for (i = 0; i < virtual_names->nregex; i++) {

@@ -2072,8 +2073,7 @@
}

if (n >= 0) {
- hc = c->data;
- hc->ssl_servername_regex = sn[i].regex;
+ c->ssl->servername_regex = sn[i].regex;

*cscfp = sn[i].server;
return NGX_OK;
diff -r 4b277448dfd5 -r 8646199ded31 src/http/ngx_http_request.h
--- a/src/http/ngx_http_request.h Tue May 21 16:01:59 2013 -0700
+++ b/src/http/ngx_http_request.h Tue May 21 16:02:10 2013 -0700
@@ -295,13 +295,6 @@
ngx_http_addr_conf_t *addr_conf;
ngx_http_conf_ctx_t *conf_ctx;

-#if (NGX_HTTP_SSL && defined SSL_CTRL_SET_TLSEXT_HOSTNAME)
- ngx_str_t *ssl_servername;
-#if (NGX_PCRE)
- ngx_http_regex_t *ssl_servername_regex;
-#endif
-#endif
-
ngx_buf_t **busy;
ngx_int_t nbusy;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] SNI: better server name handling. (no replies)

Piotr Sikora — Tue, 21 May 2013 19:12:01 -0400

# HG changeset patch
# User Piotr Sikora
# Date 1369177319 25200
# Node ID 4b277448dfd56751c7c88477e78b2ba3cf6ae472
# Parent 1d68b502088c9d6e6603e9699354e36d03d77f9c
SNI: better server name handling.

Acknowledge acceptance of SNI server name to the OpenSSL library,
which in turn lets the client know that it was accepted (by sending
"server_name" TLS extension in the "ServerHello" handshake message,
as suggested by RFC4366).

Previously, this would happen only in case when requested server name
was on the "server_name" list and either: there were multiple virtual
servers defined for the same listening port or there was at least one
regular expression with captures in the "server_name" directive.

As a consequence, this change also:
1. Preserves requested SNI server name for future use.
2. Avoids unnecessary setting of SSL options if the virtual server
didn't change.
3. Avoids unnecessary lookup of virtual server later on if requested
HTTP server name is the same as requested SNI server name.

Signed-off-by: Piotr Sikora

diff -r 1d68b502088c -r 4b277448dfd5 src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c Tue May 21 21:47:50 2013 +0400
+++ b/src/http/ngx_http_request.c Tue May 21 16:01:59 2013 -0700
@@ -773,6 +773,7 @@
ngx_http_ssl_srv_conf_t *sscf;
ngx_http_core_loc_conf_t *clcf;
ngx_http_core_srv_conf_t *cscf;
+ ngx_int_t rc;

servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);

@@ -799,10 +800,10 @@

hc = c->data;

- if (ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
- NULL, &cscf)
- != NGX_OK)
- {
+ rc = ngx_http_find_virtual_server(c, hc->addr_conf->virtual_names, &host,
+ NULL, &cscf);
+
+ if (rc == NGX_ERROR) {
return SSL_TLSEXT_ERR_NOACK;
}

@@ -813,6 +814,10 @@

*hc->ssl_servername = host;

+ if (rc == NGX_DECLINED || hc->conf_ctx == cscf->ctx) {
+ return SSL_TLSEXT_ERR_OK;
+ }
+
hc->conf_ctx = cscf->ctx;

clcf = ngx_http_get_module_loc_conf(hc->conf_ctx, ngx_http_core_module);

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

HttpAccessModule and unix domain sockets (1 reply)

Sorin Manole — Wed, 22 May 2013 09:50:01 -0400

Hi all,

It seems that when using HttpAccessModule directives to deny requests, they
don't seem to work if the server is listening on a unix domain socket. Even
when using deny all.
Can someone confirm and it's not just me making some stupid mistake ?

Now if that is the case, would it be a good idea to add this functionality
to the module ? Maybe add a new parameter like "deny unix" or something ?
Or was this left out on purpose for a reason or another ?

Thank you.
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Upstream: fixed fail_timeout and max_fails > 1. (no replies)

Maxim Dounin — Tue, 21 May 2013 14:54:01 -0400

details: http://hg.nginx.org/nginx/rev/1d68b502088c
branches:
changeset: 5220:1d68b502088c
user: Maxim Dounin
date: Tue May 21 21:47:50 2013 +0400
description:
Upstream: fixed fail_timeout and max_fails > 1.

Due to peer->checked always set since rev. c90801720a0c (1.3.0)
by round-robin and least_conn balancers (ip_hash not affected),
the code in ngx_http_upstream_free_round_robin_peer() function
incorrectly reset peer->fails too often.

Reported by Dmitry Popov,
http://mailman.nginx.org/pipermail/nginx-devel/2013-May/003720.html

diffstat:

src/http/modules/ngx_http_upstream_least_conn_module.c | 5 ++++-
src/http/ngx_http_upstream_round_robin.c | 5 ++++-
2 files changed, 8 insertions(+), 2 deletions(-)

diffs (30 lines):

diff --git a/src/http/modules/ngx_http_upstream_least_conn_module.c b/src/http/modules/ngx_http_upstream_least_conn_module.c
--- a/src/http/modules/ngx_http_upstream_least_conn_module.c
+++ b/src/http/modules/ngx_http_upstream_least_conn_module.c
@@ -282,7 +282,10 @@ ngx_http_upstream_get_least_conn_peer(ng
}

best->current_weight -= total;
- best->checked = now;
+
+ if (now - best->checked > best->fail_timeout) {
+ best->checked = now;
+ }

pc->sockaddr = best->sockaddr;
pc->socklen = best->socklen;
diff --git a/src/http/ngx_http_upstream_round_robin.c b/src/http/ngx_http_upstream_round_robin.c
--- a/src/http/ngx_http_upstream_round_robin.c
+++ b/src/http/ngx_http_upstream_round_robin.c
@@ -523,7 +523,10 @@ ngx_http_upstream_get_peer(ngx_http_upst
rrp->tried[n] |= m;

best->current_weight -= total;
- best->checked = now;
+
+ if (now - best->checked > best->fail_timeout) {
+ best->checked = now;
+ }

return best;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Mail: missing ngx_ssl_ecdh_curve() call. (no replies)

Maxim Dounin — Tue, 21 May 2013 14:54:01 -0400

details: http://hg.nginx.org/nginx/rev/32fe021911c9
branches:
changeset: 5219:32fe021911c9
user: F. da Silva
date: Fri May 10 16:53:45 2013 +0200
description:
Mail: missing ngx_ssl_ecdh_curve() call.

diffstat:

src/mail/ngx_mail_ssl_module.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diffs (14 lines):

diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c
--- a/src/mail/ngx_mail_ssl_module.c
+++ b/src/mail/ngx_mail_ssl_module.c
@@ -308,6 +308,10 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf,
return NGX_CONF_ERROR;
}

+ if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
ngx_conf_merge_value(conf->builtin_session_cache,
prev->builtin_session_cache, NGX_SSL_NONE_SCACHE);

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Fixed error logging. (no replies)

Sergey Kandaurov — Tue, 21 May 2013 09:36:01 -0400

details: http://hg.nginx.org/nginx/rev/f026adb935ad
branches:
changeset: 5218:f026adb935ad
user: Sergey Kandaurov
date: Tue May 21 17:30:19 2013 +0400
description:
Fixed error logging.

The provided argument list didn't follow a used format string.

diffstat:

src/http/modules/ngx_http_autoindex_module.c | 2 +-
src/http/ngx_http_postpone_filter_module.c | 6 ++----
2 files changed, 3 insertions(+), 5 deletions(-)

diffs (35 lines):

diff -r ddba4e308ecc -r f026adb935ad src/http/modules/ngx_http_autoindex_module.c
--- a/src/http/modules/ngx_http_autoindex_module.c Tue May 21 12:54:27 2013 +0400
+++ b/src/http/modules/ngx_http_autoindex_module.c Tue May 21 17:30:19 2013 +0400
@@ -357,7 +357,7 @@ ngx_http_autoindex_handler(ngx_http_requ

if (ngx_close_dir(&dir) == NGX_ERROR) {
ngx_log_error(NGX_LOG_ALERT, r->connection->log, ngx_errno,
- ngx_close_dir_n " \"%s\" failed", &path);
+ ngx_close_dir_n " \"%V\" failed", &path);
}

escape_html = ngx_escape_html(NULL, r->uri.data, r->uri.len);
diff -r ddba4e308ecc -r f026adb935ad src/http/ngx_http_postpone_filter_module.c
--- a/src/http/ngx_http_postpone_filter_module.c Tue May 21 12:54:27 2013 +0400
+++ b/src/http/ngx_http_postpone_filter_module.c Tue May 21 17:30:19 2013 +0400
@@ -70,8 +70,7 @@ ngx_http_postpone_filter(ngx_http_reques
#if 0
/* TODO: SSI may pass NULL */
ngx_log_error(NGX_LOG_ALERT, c->log, 0,
- "http postpone filter NULL inactive request",
- &r->uri, &r->args);
+ "http postpone filter NULL inactive request");
#endif

return NGX_OK;
@@ -108,8 +107,7 @@ ngx_http_postpone_filter(ngx_http_reques

if (pr->out == NULL) {
ngx_log_error(NGX_LOG_ALERT, c->log, 0,
- "http postpone filter NULL output",
- &r->uri, &r->args);
+ "http postpone filter NULL output");

} else {
ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0,

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Upstream: slightly optimized ngx_http_upstream_process_h... (no replies)

Ruslan Ermilov — Tue, 21 May 2013 05:00:00 -0400

details: http://hg.nginx.org/nginx/rev/ddba4e308ecc
branches:
changeset: 5217:ddba4e308ecc
user: Ruslan Ermilov
date: Tue May 21 12:54:27 2013 +0400
description:
Upstream: slightly optimized ngx_http_upstream_process_header().

diffstat:

src/http/ngx_http_upstream.c | 10 +++++-----
1 files changed, 5 insertions(+), 5 deletions(-)

diffs (20 lines):

diff -r 4a40163772a1 -r ddba4e308ecc src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c Tue May 21 12:54:26 2013 +0400
+++ b/src/http/ngx_http_upstream.c Tue May 21 12:54:27 2013 +0400
@@ -1709,11 +1709,11 @@ ngx_http_upstream_process_header(ngx_htt
ngx_http_upstream_finalize_request(r, u, NGX_ERROR);
return;
}
-
- if (u->length == 0) {
- ngx_http_upstream_finalize_request(r, u, 0);
- return;
- }
+ }
+
+ if (u->length == 0) {
+ ngx_http_upstream_finalize_request(r, u, 0);
+ return;
}

u->read_event_handler = ngx_http_upstream_process_body_in_memory;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Upstream: made the assignment more obvious. (no replies)

Ruslan Ermilov — Tue, 21 May 2013 05:00:00 -0400

details: http://hg.nginx.org/nginx/rev/4a40163772a1
branches:
changeset: 5216:4a40163772a1
user: Ruslan Ermilov
date: Tue May 21 12:54:26 2013 +0400
description:
Upstream: made the assignment more obvious.

No functional changes.

diffstat:

src/http/ngx_http_upstream.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff -r cfab1e7e4ac2 -r 4a40163772a1 src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c Thu May 16 15:37:13 2013 -0700
+++ b/src/http/ngx_http_upstream.c Tue May 21 12:54:26 2013 +0400
@@ -1701,7 +1701,7 @@ ngx_http_upstream_process_header(ngx_htt
n = u->buffer.last - u->buffer.pos;

if (n) {
- u->buffer.last -= n;
+ u->buffer.last = u->buffer.pos;

u->state->response_length += n;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

unsubscribe (no replies)

靳春孟 — Tue, 21 May 2013 01:16:00 -0400

unsubscribe

靳春孟
---------------------------------------------------------------------------------------------------
Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s)
is intended only for the use of the intended recipient and may be confidential and/or privileged of
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is
not the intended recipient, unauthorized use, forwarding, printing, storing, disclosure or copying
is strictly prohibited, and may be unlawful.If you have received this communication in error,please
immediately notify the sender by return e-mail, and delete the original message and all copies from
your system. Thank you.
---------------------------------------------------------------------------------------------------
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

unsubscribe (no replies)

靳春孟 — Tue, 21 May 2013 01:14:01 -0400

unsubscribe
---------------------------------------------------------------------------------------------------
Confidentiality Notice: The information contained in this e-mail and any accompanying attachment(s)
is intended only for the use of the intended recipient and may be confidential and/or privileged of
Neusoft Corporation, its subsidiaries and/or its affiliates. If any reader of this communication is
not the intended recipient, unauthorized use, forwarding, printing, storing, disclosure or copying
is strictly prohibited, and may be unlawful.If you have received this communication in error,please
immediately notify the sender by return e-mail, and delete the original message and all copies from
your system. Thank you.
---------------------------------------------------------------------------------------------------
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] New variable: $ssl_sni_host (no replies)

Christian Marie — Mon, 20 May 2013 23:10:01 -0400

Patch attached adds a new variable, $ssl_sni_host.

I would find this quite useful as there is no other way of knowing for sure
which host a request is directed at (at the SSL layer), as the HTTP HOST header
can be wrong.

Possibly somewhat related to: http://trac.nginx.org/nginx/ticket/229

I should mention that I don't intend for this to be a drop in replacement for
$http_host, though that could very well work with proxy_pass.
# HG changeset patch
# User Christian Marie
# Date 1369104447 -36000
# Tue May 21 12:47:27 2013 +1000
# Node ID aad7765348785a6e3958ea7594dc77e67a1119f5
# Parent cfab1e7e4ac2f0d17199ee1d49ac4647b63746d3
Add new $ssl_sni_host ngx_http_ssl_variable.

Useful when using SNI and multiple vhosts or proxy backends, as $http_host can
be entirely arbitrary.

diff -r cfab1e7e4ac2 -r aad776534878 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl.c Tue May 21 12:47:27 2013 +1000
@@ -2496,6 +2496,33 @@
}

+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ngx_int_t
+ngx_ssl_get_sni_host(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ const char *host;
+
+ host = SSL_get_servername(c->ssl->connection, TLSEXT_NAMETYPE_host_name);
+ if (host == NULL) {
+ return NGX_ERROR;
+ }
+
+ s->len = ngx_strlen(host);
+ if (s->len == 0) {
+ return NGX_ERROR;
+ }
+
+ s->data = ngx_pnalloc(pool, s->len);
+ if(s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(s->data, host, s->len);
+ return NGX_OK;
+}
+#endif
+
+
static void *
ngx_openssl_create_conf(ngx_cycle_t *cycle)
{
diff -r cfab1e7e4ac2 -r aad776534878 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl.h Tue May 21 12:47:27 2013 +1000
@@ -153,6 +153,10 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ngx_int_t ngx_ssl_get_sni_host(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);
+#endif

ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r cfab1e7e4ac2 -r aad776534878 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu May 16 15:37:13 2013 -0700
+++ b/src/http/modules/ngx_http_ssl_module.c Tue May 21 12:47:27 2013 +1000
@@ -260,6 +260,11 @@
{ ngx_string("ssl_client_verify"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_client_verify, NGX_HTTP_VAR_CHANGEABLE, 0 },

+#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
+ { ngx_string("ssl_sni_host"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_sni_host, NGX_HTTP_VAR_CHANGEABLE, 0 },
+#endif
+
{ ngx_null_string, NULL, NULL, 0, 0, 0 }
};

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] Limit req: pointer init order issue (1 reply)

Filipe Da Silva — Mon, 20 May 2013 18:30:01 -0400

Hello,

It's a tiny issue as only the next test code about 'shm' is broken.

That's my last patch for the moment.

Regards.
Filipe DA SILVA
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] ngx_mail_ssl_module / ecdh_curve (3 replies)

Filipe Da Silva — Tue, 21 May 2013 14:54:01 -0400

Hello ,

Please find attach a two lines patch about ecdh_curve setting in
mail_ssl_module.

This setting is not applied, although it is declared and parsed from
nginx.conf file

I see this lack in 1.2.0 version too.

Rgds,
Filipe DA SILVA
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[BUG?]fail_timeout/max_fails: code doesn't do what doc says (5 replies)

Dmitry Popov — Tue, 21 May 2013 09:56:01 -0400

Hi.

http://wiki.nginx.org/HttpUpstreamModule says
max_fails = NUMBER - number of unsuccessful attempts at communicating with the
server within the time period (assigned by parameter fail_timeout) after which
it is considered inoperative ...
fail_timeout = TIME - the time during which must occur *max_fails* number of
unsuccessful attempts at communication with the server that would cause the
server to be considered inoperative ...

However, as we may see from code (ngx_http_upstream_get_peer and
ngx_http_upstream_free_round_robin_peer
from src/http/ngx_http_upstream_round_robin.c) the logic is not as described:
(simplified code)
get_peer:
if (fails >= max_fails && now <= fail_timeout + checked)
skip
...
checked = now
free_peer:
if (request_failed)
fails++
accessed = now
checked = now
else
if (accessed < checked)
fails = 0

1) So, fail_timeout is never used while peer is gaining fails (until
fails >= max_fails);
2) This algorithm always resets fails count if first request inside new second
succeeds; it always increases fails count if first request fails. So, a lot
depends on first (inside a second) request; I don't think it's a desired
behaviour.
3) I'm not sure if "accessed" is a good name for a field that contains last
fail timestamp.

I don't know where an error is (in doc or code) and I don't know how you (nginx
devs) wanted it to work so I don't have any constructive ideas, sorry.

--
Dmitry Popov
Highloadlab

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] OCSP stapling: fix error logging of successful OCSP resp... (no replies)

Maxim Dounin — Fri, 17 May 2013 09:42:05 -0400

details: http://hg.nginx.org/nginx/rev/cfab1e7e4ac2
branches:
changeset: 5215:cfab1e7e4ac2
user: Piotr Sikora
date: Thu May 16 15:37:13 2013 -0700
description:
OCSP stapling: fix error logging of successful OCSP responses.

Due to a bad argument list, nginx worker would crash (SIGSEGV) while
trying to log the fact that it received OCSP response with "revoked"
or "unknown" certificate status.

While there, fix similar (but non-crashing) error a few lines above.

Signed-off-by: Piotr Sikora

diffstat:

src/event/ngx_event_openssl_stapling.c | 5 ++---
1 files changed, 2 insertions(+), 3 deletions(-)

diffs (21 lines):

diff --git a/src/event/ngx_event_openssl_stapling.c b/src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c
+++ b/src/event/ngx_event_openssl_stapling.c
@@ -611,15 +611,14 @@ ngx_ssl_stapling_ocsp_handler(ngx_ssl_oc
!= 1)
{
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
- "certificate status not found in the OCSP response",
- n, OCSP_response_status_str(n));
+ "certificate status not found in the OCSP response");
goto error;
}

if (n != V_OCSP_CERTSTATUS_GOOD) {
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"certificate status \"%s\" in the OCSP response",
- n, OCSP_cert_status_str(n));
+ OCSP_cert_status_str(n));
goto error;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] OCSP stapling: better handling of successful OCSP responses. (5 replies)

Piotr Sikora — Tue, 21 May 2013 20:20:01 -0400

changeset: 5216:4fb8fac2b2f5
user: Piotr Sikora
date: Thu May 16 15:37:24 2013 -0700
files: src/event/ngx_event_openssl_stapling.c
description:
OCSP stapling: better handling of successful OCSP responses.

All successful OCSP responseses, regardless of the certificate status,
should be cached and used for OCSP stapling.

While there, log the certificate's common name and revocation reason,
because certificate status alone isn't very useful information.

Signed-off-by: Piotr Sikora

diff -r cfab1e7e4ac2 -r 4fb8fac2b2f5 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:13 2013 -0700
+++ b/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:24 2013 -0700
@@ -529,7 +529,7 @@
const
#endif
u_char *p;
- int n;
+ int n, r, idx;
size_t len;
ngx_str_t response;
X509_STORE *store;
@@ -539,6 +539,10 @@
OCSP_BASICRESP *basic;
ngx_ssl_stapling_t *staple;
ASN1_GENERALIZEDTIME *thisupdate, *nextupdate;
+ X509_NAME *name;
+ X509_NAME_ENTRY *entry;
+ ASN1_STRING *str;
+ ngx_str_t s;

staple = ctx->data;
ocsp = NULL;
@@ -606,7 +610,7 @@
goto error;
}

- if (OCSP_resp_find_status(basic, id, &n, NULL, NULL,
+ if (OCSP_resp_find_status(basic, id, &n, &r, NULL,
&thisupdate, &nextupdate)
!= 1)
{
@@ -615,19 +619,43 @@
goto error;
}

- if (n != V_OCSP_CERTSTATUS_GOOD) {
- ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
- "certificate status \"%s\" in the OCSP response",
- OCSP_cert_status_str(n));
- goto error;
- }
-
if (OCSP_check_validity(thisupdate, nextupdate, 300, -1) != 1) {
ngx_ssl_error(NGX_LOG_ERR, ctx->log, 0,
"OCSP_check_validity() failed");
goto error;
}

+ if (n != V_OCSP_CERTSTATUS_GOOD) {
+ ngx_str_set(&s, "unknown");
+
+ if (ctx->cert) {
+ name = X509_get_subject_name(ctx->cert);
+ if (name) {
+ idx = X509_NAME_get_index_by_NID(name, NID_commonName, -1);
+ if (idx != -1) {
+ entry = X509_NAME_get_entry(name, idx);
+ if (entry) {
+ str = X509_NAME_ENTRY_get_data(entry);
+ s.data = ASN1_STRING_data(str);
+ s.len = ASN1_STRING_length(str);
+ }
+ }
+ }
+ }
+
+ if (n == V_OCSP_CERTSTATUS_REVOKED && r != -1) {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" (reason: \"%s\") in the "
+ "OCSP response for \"%V\"",
+ OCSP_cert_status_str(n), OCSP_crl_reason_str(r), &s);
+
+ } else {
+ ngx_log_error(NGX_LOG_WARN, ctx->log, 0,
+ "certificate status \"%s\" in the OCSP response "
+ "for \"%V\"", OCSP_cert_status_str(n), &s);
+ }
+ }
+
OCSP_CERTID_free(id);
OCSP_BASICRESP_free(basic);
OCSP_RESPONSE_free(ocsp);

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[PATCH] OCSP stapling: fix error logging of successful OCSP responses. (2 replies)

Piotr Sikora — Fri, 17 May 2013 09:14:01 -0400

changeset: 5215:cfab1e7e4ac2
user: Piotr Sikora
date: Thu May 16 15:37:13 2013 -0700
files: src/event/ngx_event_openssl_stapling.c
description:
OCSP stapling: fix error logging of successful OCSP responses.

Due to a bad argument list, nginx worker would crash (SIGSEGV) while
trying to log the fact that it received OCSP response with "revoked"
or "unknown" certificate status.

While there, fix similar (but non-crashing) error a few lines above.

Signed-off-by: Piotr Sikora

diff -r 2220de0521ca -r cfab1e7e4ac2 src/event/ngx_event_openssl_stapling.c
--- a/src/event/ngx_event_openssl_stapling.c Thu May 09 10:54:28 2013 +0200
+++ b/src/event/ngx_event_openssl_stapling.c Thu May 16 15:37:13 2013 -0700
@@ -611,15 +611,14 @@
!= 1)
{
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
- "certificate status not found in the OCSP response",
- n, OCSP_response_status_str(n));
+ "certificate status not found in the OCSP response");
goto error;
}

if (n != V_OCSP_CERTSTATUS_GOOD) {
ngx_log_error(NGX_LOG_ERR, ctx->log, 0,
"certificate status \"%s\" in the OCSP response",
- n, OCSP_cert_status_str(n));
+ OCSP_cert_status_str(n));
goto error;
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Mail: removed surplus ngx_close_connection() call. (no replies)

Valentin Bartenev — Wed, 15 May 2013 16:38:00 -0400

details: http://hg.nginx.org/nginx/rev/2220de0521ca
branches:
changeset: 5214:2220de0521ca
user: Filipe Da Silva
date: Thu May 09 10:54:28 2013 +0200
description:
Mail: removed surplus ngx_close_connection() call.

It is already called for a peer connection a few lines above.

diffstat:

src/mail/ngx_mail_auth_http_module.c | 1 -
1 files changed, 0 insertions(+), 1 deletions(-)

diffs (11 lines):

diff -r 822b82191940 -r 2220de0521ca src/mail/ngx_mail_auth_http_module.c
--- a/src/mail/ngx_mail_auth_http_module.c Wed May 15 15:04:49 2013 +0400
+++ b/src/mail/ngx_mail_auth_http_module.c Thu May 09 10:54:28 2013 +0200
@@ -699,7 +699,6 @@ ngx_mail_auth_http_process_headers(ngx_m

p = ngx_pnalloc(s->connection->pool, ctx->err.len);
if (p == NULL) {
- ngx_close_connection(ctx->peer.connection);
ngx_destroy_pool(ctx->pool);
ngx_mail_session_internal_server_error(s);
return;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Upstream keepalive: slightly simplified code. (no replies)

Ruslan Ermilov — Wed, 15 May 2013 07:06:00 -0400

details: http://hg.nginx.org/nginx/rev/822b82191940
branches:
changeset: 5213:822b82191940
user: Ruslan Ermilov
date: Wed May 15 15:04:49 2013 +0400
description:
Upstream keepalive: slightly simplified code.

diffstat:

src/http/modules/ngx_http_upstream_keepalive_module.c | 7 ++-----
1 files changed, 2 insertions(+), 5 deletions(-)

diffs (31 lines):

diff -r 09dbd363050a -r 822b82191940 src/http/modules/ngx_http_upstream_keepalive_module.c
--- a/src/http/modules/ngx_http_upstream_keepalive_module.c Thu Apr 25 17:41:45 2013 +0400
+++ b/src/http/modules/ngx_http_upstream_keepalive_module.c Wed May 15 15:04:49 2013 +0400
@@ -81,7 +81,7 @@ static ngx_command_t ngx_http_upstream_
{ ngx_string("keepalive"),
NGX_HTTP_UPS_CONF|NGX_CONF_TAKE12,
ngx_http_upstream_keepalive,
- 0,
+ NGX_HTTP_SRV_CONF_OFFSET,
0,
NULL },

@@ -481,7 +481,7 @@ static char *
ngx_http_upstream_keepalive(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
{
ngx_http_upstream_srv_conf_t *uscf;
- ngx_http_upstream_keepalive_srv_conf_t *kcf;
+ ngx_http_upstream_keepalive_srv_conf_t *kcf = conf;

ngx_int_t n;
ngx_str_t *value;
@@ -489,9 +489,6 @@ ngx_http_upstream_keepalive(ngx_conf_t *

uscf = ngx_http_conf_get_module_srv_conf(cf, ngx_http_upstream_module);

- kcf = ngx_http_conf_upstream_srv_conf(uscf,
- ngx_http_upstream_keepalive_module);
-
if (kcf->original_init_upstream) {
return "is duplicate";
}

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Removed vestiges of SVN. (no replies)

Ruslan Ermilov — Wed, 15 May 2013 07:06:00 -0400

details: http://hg.nginx.org/nginx/rev/09dbd363050a
branches:
changeset: 5212:09dbd363050a
user: Ruslan Ermilov
date: Thu Apr 25 17:41:45 2013 +0400
description:
Removed vestiges of SVN.

diffstat:

misc/GNUmakefile | 31 ++-----------------------------
misc/README | 3 ---
2 files changed, 2 insertions(+), 32 deletions(-)

diffs (64 lines):

diff -r ecd762770729 -r 09dbd363050a misc/GNUmakefile
--- a/misc/GNUmakefile Wed May 15 12:23:44 2013 +0400
+++ b/misc/GNUmakefile Thu Apr 25 17:41:45 2013 +0400
@@ -3,7 +3,6 @@ VER = $(shell grep 'define NGINX_VERSIO
| sed -e 's/^.*"$.*$".*/\1/')
NGINX = nginx-$(VER)
TEMP = tmp
-REPO = $(shell svn info | sed -n 's/^Repository Root: //p')

OBJS = objs.msvc8
OPENSSL = openssl-1.0.1e
@@ -38,40 +37,14 @@ release: export

export:
rm -rf $(TEMP)
-
- if [ -d .svn ]; then \
- svn export -rHEAD . $(TEMP)/$(NGINX); \
- else \
- hg archive -X '.hg*' $(TEMP)/$(NGINX); \
- fi
+ hg archive -X '.hg*' $(TEMP)/$(NGINX)

RELEASE:
- if [ -d .svn ]; then \
- $(MAKE) -f misc/GNUmakefile RELEASE.svn; \
- else \
- $(MAKE) -f misc/GNUmakefile RELEASE.hg; \
- fi
-
- $(MAKE) -f misc/GNUmakefile release
-
-
-RELEASE.hg:
hg ci -m nginx-$(VER)-RELEASE
hg tag -m "release-$(VER) tag" release-$(VER)

-
-RELEASE.svn:
- test -d $(TEMP) || mkdir -p $(TEMP)
-
- echo "nginx-$(VER)-RELEASE" > $(TEMP)/message
- svn ci -F $(TEMP)/message
-
- echo "release-$(VER) tag" > $(TEMP)/message
- svn copy $(REPO)/trunk $(REPO)/tags/release-$(VER) \
- -F $(TEMP)/message
-
- svn up
+ $(MAKE) -f misc/GNUmakefile release

win32:
diff -r ecd762770729 -r 09dbd363050a misc/README
--- a/misc/README Wed May 15 12:23:44 2013 +0400
+++ b/misc/README Thu Apr 25 17:41:45 2013 +0400
@@ -1,6 +1,3 @@
-
-GNUmakefile, in svn it is available since 0.4.0 only.
-

make -f misc/GNUmakefile release

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Proxy: clear script engine used to calculate lengths. (no replies)

Maxim Dounin — Wed, 15 May 2013 05:22:01 -0400

details: http://hg.nginx.org/nginx/rev/ecd762770729
branches:
changeset: 5211:ecd762770729
user: Maxim Dounin
date: Wed May 15 12:23:44 2013 +0400
description:
Proxy: clear script engine used to calculate lengths.

Previous code is believed to be safe, but might access uninitialized
memory (e.g., e->quote).

diffstat:

src/http/modules/ngx_http_proxy_module.c | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)

diffs (12 lines):

diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -993,6 +993,8 @@ ngx_http_proxy_create_request(ngx_http_r

len += uri_len;

+ ngx_memzero(&le, sizeof(ngx_http_script_engine_t));
+
ngx_http_script_flush_no_cacheable_variables(r, plcf->flushes);

if (plcf->body_set_len) {

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Fixed lingering_time check. (no replies)

Maxim Dounin — Mon, 13 May 2013 10:26:01 -0400

details: http://hg.nginx.org/nginx/rev/ea2ba6dbe361
branches:
changeset: 5210:ea2ba6dbe361
user: Maxim Dounin
date: Mon May 13 17:39:45 2013 +0400
description:
Fixed lingering_time check.

There are two significant changes in this patch:

1) The <= 0 comparison is done with a signed type. This fixes the case
of ngx_time() being larger than r->lingering_time.

2) Calculation of r->lingering_time - ngx_time() is now always done
in the ngx_msec_t type. This ensures the calculation is correct
even if time_t is unsigned and differs in size from ngx_msec_t.

Thanks to Lanshun Zhou.

diffstat:

src/http/ngx_http_request.c | 4 ++--
src/http/ngx_http_request_body.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)

diffs (29 lines):

diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -3166,8 +3166,8 @@ ngx_http_lingering_close_handler(ngx_eve
return;
}

- timer = (ngx_msec_t) (r->lingering_time - ngx_time());
- if (timer <= 0) {
+ timer = (ngx_msec_t) r->lingering_time - (ngx_msec_t) ngx_time();
+ if ((ngx_msec_int_t) timer <= 0) {
ngx_http_close_request(r, 0);
return;
}
diff --git a/src/http/ngx_http_request_body.c b/src/http/ngx_http_request_body.c
--- a/src/http/ngx_http_request_body.c
+++ b/src/http/ngx_http_request_body.c
@@ -570,9 +570,9 @@ ngx_http_discarded_request_body_handler(
}

if (r->lingering_time) {
- timer = (ngx_msec_t) (r->lingering_time - ngx_time());
+ timer = (ngx_msec_t) r->lingering_time - (ngx_msec_t) ngx_time();

- if (timer <= 0) {
+ if ((ngx_msec_int_t) timer <= 0) {
r->discard_body = 0;
r->lingering_close = 0;
ngx_http_finalize_request(r, NGX_ERROR);

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Upstream: allow to intercept responses with status 300. (no replies)

Ruslan Ermilov — Mon, 13 May 2013 08:46:00 -0400

details: http://hg.nginx.com/nginx/rev/07e515e65984
branches:
changeset: 5209:07e515e65984
user: Ruslan Ermilov
date: Mon May 13 14:10:22 2013 +0400
description:
Upstream: allow to intercept responses with status 300.

This fixes an omission made in 9e7926763f87 where all 3XX statuses
were allowed for "error_page".

diffstat:

src/http/ngx_http_upstream.c | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)

diffs (12 lines):

diff -r a64c8a5da336 -r 07e515e65984 src/http/ngx_http_upstream.c
--- a/src/http/ngx_http_upstream.c Thu May 02 03:26:36 2013 -0700
+++ b/src/http/ngx_http_upstream.c Mon May 13 14:10:22 2013 +0400
@@ -1660,7 +1660,7 @@ ngx_http_upstream_process_header(ngx_htt

/* rc == NGX_OK */

- if (u->headers_in.status_n > NGX_HTTP_SPECIAL_RESPONSE) {
+ if (u->headers_in.status_n >= NGX_HTTP_SPECIAL_RESPONSE) {

if (r->subrequest_in_memory) {
u->buffer.last = u->buffer.pos;

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Fixed chunk size parsing. (no replies)

Maxim Dounin — Mon, 13 May 2013 07:30:00 -0400

details: http://hg.nginx.com/nginx/rev/abfe9e6e72cb
branches: stable-1.2
changeset: 5206:abfe9e6e72cb
user: Maxim Dounin
date: Mon May 13 13:19:28 2013 +0400
description:
Fixed chunk size parsing.

diffstat:

src/http/modules/ngx_http_proxy_module.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)

diffs (14 lines):

diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -1865,6 +1865,10 @@ data:

}

+ if (ctx->size < 0 || ctx->length < 0) {
+ goto invalid;
+ }
+
return rc;

done:

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] release-1.2.9 tag (no replies)

Maxim Dounin — Mon, 13 May 2013 07:30:00 -0400

details: http://hg.nginx.com/nginx/rev/9c3c460f8a05
branches: stable-1.2
changeset: 5208:9c3c460f8a05
user: Maxim Dounin
date: Mon May 13 14:43:06 2013 +0400
description:
release-1.2.9 tag

diffstat:

.hgtags | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)

diffs (8 lines):

diff --git a/.hgtags b/.hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -343,3 +343,4 @@ d763d5c9a13395fb78100f7c2d63c2323541f210
eb1043eaedacddb1bbada27822527049b99bde6d release-1.2.6
a58e268f6c081f671667c0c929f0c5cec3e80958 release-1.2.7
d50f390fa97eb9871622666b40703d497d65925e release-1.2.8
+0e80c5bf5e1bb42a6491fea5340a16e51cd37bb8 release-1.2.9

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] nginx-1.2.9-RELEASE (no replies)

Maxim Dounin — Mon, 13 May 2013 07:30:00 -0400

details: http://hg.nginx.com/nginx/rev/0e80c5bf5e1b
branches: stable-1.2
changeset: 5207:0e80c5bf5e1b
user: Maxim Dounin
date: Mon May 13 14:41:51 2013 +0400
description:
nginx-1.2.9-RELEASE

diffstat:

docs/xml/nginx/changes.xml | 18 ++++++++++++++++++
1 files changed, 18 insertions(+), 0 deletions(-)

diffs (28 lines):

diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -5,6 +5,24 @@

+
+
+
+
+содержимое памяти рабочего процесса могло быть отправлено клиенту,
+если HTTP-бэкенд возвращал специально созданный ответ (CVE-2013-2070);
+ошибка появилась в 1.1.4.
+
+
+contents of worker process memory might be sent to a client
+if HTTP backend returned specially crafted response (CVE-2013-2070);
+the bug had appeared in 1.1.4.
+
+
+
+
+
+

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Version bump. (2 replies)

Maxim Dounin — Mon, 13 May 2013 08:12:00 -0400

details: http://hg.nginx.com/nginx/rev/6082e0ab3d89
branches: stable-1.2
changeset: 5205:6082e0ab3d89
user: Maxim Dounin
date: Mon May 13 13:18:31 2013 +0400
description:
Version bump.

diffstat:

src/core/nginx.h | 4 ++--
src/http/modules/perl/nginx.pm | 2 +-
2 files changed, 3 insertions(+), 3 deletions(-)

diffs (26 lines):

diff --git a/src/core/nginx.h b/src/core/nginx.h
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_

-#define nginx_version 1002008
-#define NGINX_VERSION "1.2.8"
+#define nginx_version 1002009
+#define NGINX_VERSION "1.2.9"
#define NGINX_VER "nginx/" NGINX_VERSION

#define NGINX_VAR "NGINX"
diff --git a/src/http/modules/perl/nginx.pm b/src/http/modules/perl/nginx.pm
--- a/src/http/modules/perl/nginx.pm
+++ b/src/http/modules/perl/nginx.pm
@@ -50,7 +50,7 @@ our @EXPORT = qw(
HTTP_INSUFFICIENT_STORAGE
);

-our $VERSION = '1.2.8';
+our $VERSION = '1.2.9';

require XSLoader;
XSLoader::load('nginx', $VERSION);

_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel