Re: DTLS patches

Posted by shankerwangmiao, February 21, 2018 09:46AM
Hi,

I noticed that you have introduced `ngx_event_udp_accept()`, which can
create a separate socket for receiving datagrams from a specific client.
I understand that it is necessary for DTLS servers. However, I wonder
why it is also called for normal UDP servers.

For UDP servers listening on a port below 1024, such a call will fail if
the worker processes drop their privileges to a non-root user. The
following patch solves this problem by retaining CAP_NET_BIND_SERVICE
after the worker processes change UID.

Cheers,

Miao Wang


> On 2018-02-21 at 22:30, Wang Shanker <shankerwangmiao@gmail.com> wrote:
>
> Hi, of course. I'm implementing RFC8094, which is for transmitting dns
> queries through DTLS. Nginx is used for offloading DTLS encryption and
> the software behind nginx is bind9.
>
> Cheers,
>
> Miao Wang
>
>> On 2018-02-21 at 22:12, Vladimir Homutov <vl@nginx.com> wrote:
>>
>> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>>>
>>> I have tested this patch in my environment. Before the patch is applied,
>>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>>> enabled to work around the problem.
>>>
>>
>> Hello,
>> can you please elaborate on your environment? Do you proxy the DTLS
>> stream directly to the backend, or do you perform DTLS offload?
>> What protocol are you using, and which server/client software
>> before/behind nginx?
>>
>> I'm attaching a refreshed patch against nginx-1.13.9 for those who are
>> interested in testing.
>> <nginx-1.13.9-dtls-experimental.diff>
>> _______________________________________________
>> nginx mailing list
>> nginx@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>

Attachments: 0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch (3.5 KB)
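The message above describes the fix only in one sentence: keep CAP_NET_BIND_SERVICE across the worker's UID change so that the per-client UDP socket created by `ngx_event_udp_accept()` can still be bound to a port below 1024. The program below is an added example written for this page, not the attached patch and not nginx's own code. It shows the Linux sequence that achieves that (PR_SET_KEEPCAPS, setgid/setuid, then re-raising the single capability with capset) and then binds a UDP socket to port 53 to confirm the effect. The uid/gid 65534 and port 53 are assumptions for the demo; the capability ABI constants are the kernel's values, spelled out so the file builds without libcap.

```c
/* Added example (not from the thread or the nginx patch): keep
 * CAP_NET_BIND_SERVICE across a UID change so that a process that has
 * dropped root can still bind a new UDP socket to a port below 1024,
 * as ngx_event_udp_accept() must do for a DTLS/DNS listener on port 53.
 * Linux only. The uid/gid 65534 and port 53 below are assumptions. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Kernel ABI values from <linux/capability.h>, written out so the
 * example builds without libcap or the kernel headers installed. */
#define CAP_NET_BIND_SERVICE 10
#define CAP_VERSION_3 0x20080522u

struct cap_header { uint32_t version; int pid; };
struct cap_data   { uint32_t effective, permitted, inheritable; };

/* Bit for capability `cap` inside the 32-bit word that holds it. */
uint32_t cap_bit(int cap) { return 1u << (cap & 31); }
/* Index of the 32-bit word (v3 ABI has two) that holds capability `cap`. */
int cap_word(int cap) { return cap >> 5; }

/* Fill a two-word v3 capability set holding exactly `cap` in the
 * permitted and effective sets and nothing inheritable.
 * Returns 0, or -1 for an out-of-range capability number. */
int build_single_cap_set(int cap, struct cap_data data[2]) {
    if (cap < 0 || cap > 63) return -1;
    memset(data, 0, 2 * sizeof(*data));
    data[cap_word(cap)].effective = cap_bit(cap);
    data[cap_word(cap)].permitted = cap_bit(cap);
    return 0;
}

/* Read the caller's current capability sets. Returns 0 on success. */
int read_caps(struct cap_data data[2]) {
    struct cap_header hdr = { CAP_VERSION_3, 0 };
    return (int)syscall(SYS_capget, &hdr, data);
}

/* 1 if `cap` is in the caller's effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap) {
    struct cap_data data[2];
    if (read_caps(data) != 0) return -1;
    return (data[cap_word(cap)].effective & cap_bit(cap)) != 0;
}

/* Switch to uid/gid but keep CAP_NET_BIND_SERVICE. Must start as root.
 * PR_SET_KEEPCAPS stops setuid() from clearing the permitted set; the
 * effective set is always cleared by setuid(), so the capability is
 * re-raised afterwards with capset(). Everything else is dropped.
 * Returns 0 on success, -1 on failure (errno set by the failing call). */
int drop_privileges_keep_bind(uid_t uid, gid_t gid) {
    struct cap_header hdr = { CAP_VERSION_3, 0 };
    struct cap_data data[2];

    if (prctl(PR_SET_KEEPCAPS, 1L, 0L, 0L, 0L) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (build_single_cap_set(CAP_NET_BIND_SERVICE, data) != 0) return -1;
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0L, 0L, 0L, 0L);
}

/* Bind a fresh UDP socket to ip:port; returns the fd or -1 with errno set. */
int bind_udp(const char *ip, uint16_t port) {
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0) return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void) {
    /* Start as root to see the effect; uid/gid 65534 ("nobody" on many
     * systems) and port 53 are assumptions for this demo. */
    if (geteuid() != 0) { puts("start as root to demonstrate"); return 0; }
    if (drop_privileges_keep_bind(65534, 65534) != 0) { perror("drop"); return 1; }
    printf("uid=%d effective CAP_NET_BIND_SERVICE=%d\n", (int)getuid(),
           has_effective_cap(CAP_NET_BIND_SERVICE));
    int fd = bind_udp("127.0.0.1", 53);
    printf("bind :53 after privilege drop: %s\n", fd < 0 ? strerror(errno) : "ok");
    if (fd >= 0) close(fd);
    return 0;
}
```

Without the `PR_SET_KEEPCAPS` and `capset()` steps, the same `bind_udp("127.0.0.1", 53)` call after `setuid()` fails with EACCES, which is the failure the message reports for a port-53 UDP listener once the workers have dropped root. Re-raising only the single capability (rather than keeping the full permitted set) keeps the post-drop process as close to unprivileged as the port requirement allows.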


