Hi,
I noticed that you have introduced `ngx_event_udp_accept()`, which can
create a separate socket for receiving datagrams from a specific client.
I understand that it is necessary for DTLS servers. However, I wonder
why it is also called for normal UDP servers.
For UDP servers listening on a port below 1024, such a call will fail if
the worker processes drop their privileges to a non-root user. The
following patch solves this problem by retaining CAP_NET_BIND_SERVICE
after the worker processes change UID.
Cheers,
Miao Wang
> On 2018-02-21, at 22:30, Wang Shanker <shankerwangmiao@gmail.com> wrote:
>
> Hi, of course. I'm implementing RFC8094, which is for transmitting DNS
> queries through DTLS. Nginx is used for offloading DTLS encryption, and
> the software behind nginx is bind9.
>
> Cheers,
>
> Miao Wang
>
>> On 2018-02-21, at 22:12, Vladimir Homutov <vl@nginx.com> wrote:
>>
>> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>>>
>>> I have tested this patch in my environment. Before the patch is applied,
>>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>>> enabled to work around the problem.
>>>
>>
>> Hello,
>> can you please elaborate on your environment? Do you proxy the DTLS
>> stream directly to the backend, or do you perform DTLS offload?
>> What protocol are you using, and which server/client software is in
>> front of/behind nginx?
>>
>> I'm attaching a refreshed patch against nginx-1.13.9 for those who are
>> interested in testing it.
>> <nginx-1.13.9-dtls-experimental.diff>
>> _______________________________________________
>> nginx mailing list
>> nginx@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>
Attachments:
0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch (3.5 KB)