aboutsummaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAge
...
* Mp4: prevent chunk index underflow.Roman Arutyunyan2024-11-21
| | | | | | | | | | | | | | | When cropping stsc atom, it's assumed that chunk index is never 0. Based on this assumption, start_chunk and end_chunk are calculated by subtracting 1 from it. If chunk index is zero, start_chunk or end_chunk may underflow, which will later trigger "start/end time is out mp4 stco chunks" error. The change adds an explicit check for zero chunk index to avoid underflow and report a proper error. Zero chunk index is explicitly banned in ISO/IEC 14496-12, 8.7.4 Sample To Chunk Box. It's also implicitly banned in QuickTime File Format specification. Description of chunk offset table references "Chunk 1" as the first table element.
* Mp4: unordered stsc chunks error for the final chunk.Roman Arutyunyan2024-11-21
| | | | | | | | | | | | | | Currently an error is triggered if any of the chunk runs in stsc are unordered. This however does not include the final chunk run, which ends with trak->chunks + 1. The previous chunk index can be larger leading to a 32-bit overflow. This could allow to skip the validity check "if (start_sample > n)". This could later lead to a large trak->start_chunk/trak->end_chunk, which would be caught later in ngx_http_mp4_update_stco_atom() or ngx_http_mp4_update_co64_atom(). While there are no implications of the validity check being avoided, the change still adds a check to ensure the final chunk run is ordered, to produce a meaningful error and avoid a potential integer overflow.
* Mp4: fixed handling an empty run of chunks in stsc atom.Roman Arutyunyan2024-11-21
| | | | | | | | | | | A specially crafted mp4 file with an empty run of chunks in the stsc atom and a large value for samples per chunk for that run, combined with a specially crafted request, allowed to store that large value in prev_samples and later in trak->end_chunk_samples while in ngx_http_mp4_crop_stsc_data(). Later in ngx_http_mp4_update_stsz_atom() this could result in buffer overread while calculating trak->end_chunk_samples_size. Now the value of samples per chunk specified for an empty run is ignored.
* Fixed missing double quote.Nathan Mentze2024-11-20
|
* SSL: error message default in object caching API.Sergey Kandaurov2024-11-19
| | | | | This change initializes the "err" variable, used to produce a meaningful diagnostics on error path, to a good safe value.
* On DragonFly BSD 5.8+, TCP_KEEPIDLE and TCP_KEEPINTVL are in secs.Andy Pan2024-11-19
|
* Fixed link to contributing guidelines.Dan Callahan2024-11-12
| | | | | | Absolute paths in links end up being rooted at github.com. The contributing guidelines link is broken unless we use the full URL. Also, remove superfluous "monospace formatting" for the link.
* Uwsgi: added create_loc_conf comments.Sergey Kandaurov2024-11-12
|
* SCGI: added create_loc_conf comments.Sergey Kandaurov2024-11-12
|
* FastCGI: fixed create_loc_conf comments after 05b1a8f1e.Sergey Kandaurov2024-11-12
|
* SSL: fixed MSVC compilation after ebd18ec1812b.蕭澧邦2024-11-11
| | | | | MSVC generates a compilation error in case #if/#endif is used in a macro parameter.
* Upstream: copy upstream zone DNS valid time during config reload.Mini Hawthorne2024-11-07
| | | | | | | | | | Previously, all upstream DNS entries would be immediately re-resolved on config reload. With a large number of upstreams, this creates a spike of DNS resolution requests. These spikes can overwhelm the DNS server or cause drops on the network. This patch retains the TTL of previous resolutions across reloads by copying each upstream's name's expiry time across configuration cycles. As a result, no additional resolutions are needed.
* Upstream: per-upstream resolver.Vladimir Homutov2024-11-07
| | | | The "resolver" and "resolver_timeout" directives can now be specified directly in the "upstream" block.
* Upstream: pre-resolve servers on reload.Ruslan Ermilov2024-11-07
| | | | | | | | After configuration is reloaded, it may take some time for the re-resolvable upstream servers to resolve and become available as peers. During this time, client requests might get dropped. Such servers are now pre-resolved using the "cache" of already resolved peers from the old shared memory zone.
* Core: inheritance of non-reusable shared memory zones.Ruslan Ermilov2024-11-07
| | | | When re-creating a non-reusable zone, make the pointer to the old zone available during the new zone initialization.
* Upstream: construct upstream peers from DNS SRV records.Dmitry Volyntsev2024-11-07
|
* Upstream: re-resolvable servers.Ruslan Ermilov2024-11-07
| | | | | | | | | | | | | | | | | | | | | | | | | Specifying the upstream server by a hostname together with the "resolve" parameter will make the hostname to be periodically resolved, and upstream servers added/removed as necessary. This requires a "resolver" at the "http" configuration block. The "resolver_timeout" parameter also affects when the failed DNS requests will be attempted again. Responses with NXDOMAIN will be attempted again in 10 seconds. Upstream has a configuration generation number that is incremented each time servers are added/removed to the primary/backup list. This number is remembered by the peer.init method, and if peer.get detects a change in configuration, it returns NGX_BUSY. Each server has a reference counter. It is incremented by peer.get and decremented by peer.free. When a server is removed, it is removed from the list of servers and is marked as "zombie". The memory allocated by a zombie peer is freed only when its reference count becomes zero. Co-authored-by: Roman Arutyunyan <arut@nginx.com> Co-authored-by: Sergey Kandaurov <pluknet@nginx.com> Co-authored-by: Vladimir Homutov <vl@nginx.com>
* SSL: disabled TLSv1 and TLSv1.1 by default.Sergey Kandaurov2024-10-31
| | | | | | | | | | | | | | | TLSv1 and TLSv1.1 are formally deprecated and forbidden to negotiate due to insufficient security reasons outlined in RFC 8996. TLSv1 and TLSv1.1 are disabled in BoringSSL e95b0cad9 and LibreSSL 3.8.1 in the way they cannot be enabled in nginx configuration. In OpenSSL 3.0, they are only permitted at security level 0 (disabled by default). The support is dropped in Chrome 84, Firefox 78, and deprecated in Safari. This change disables TLSv1 and TLSv1.1 by default for OpenSSL 1.0.1 and newer, where TLSv1.2 support is available. For older library versions, which do not have alternatives, these protocol versions remain enabled.
* Updated security policy to include disclosure details.jzebor-at-f52024-10-21
|
* Configure: MSVC compatibility with PCRE2 10.43.Thierry Bastian2024-10-15
|
* QUIC: prevent deleted stream frame retransmissions.nandsky2024-10-08
| | | | | | | Since a2a513b93cae, stream frames no longer need to be retransmitted after it was deleted. The frames which were retransmitted before, could be stream data frames sent prior to a RESET_STREAM. Such retransmissions are explicitly prohibited by RFC 9000, Section 19.4.
* Version bump.Sergey Kandaurov2024-10-08
|
* nginx-1.27.2-RELEASErelease-1.27.2Sergey Kandaurov2024-10-02
|
* Updated OpenSSL used for win32 builds.Sergey Kandaurov2024-10-02
|
* SSL: caching CA certificates.Sergey Kandaurov2024-10-01
| | | | | | | This can potentially provide a large amount of savings, because CA certificates can be quite large. Based on previous work by Mini Hawthorne.
* SSL: caching CRLs.Sergey Kandaurov2024-10-01
| | | | Based on previous work by Mini Hawthorne.
* SSL: caching certificate keys.Sergey Kandaurov2024-10-01
| | | | | | | EVP_KEY objects are a reference-counted container for key material, shallow copies and OpenSSL stack management aren't needed as with certificates. Based on previous work by Mini Hawthorne.
* SSL: caching certificates.Sergey Kandaurov2024-10-01
| | | | | | | | | | Certificate chains are now loaded once. The certificate cache provides each chain as a unique stack of reference counted elements. This shallow copy is required because OpenSSL stacks aren't reference counted. Based on previous work by Mini Hawthorne.
* SSL: object caching.Sergey Kandaurov2024-10-01
| | | | | | | | | | Added ngx_openssl_cache_module, which indexes a type-aware object cache. It maps an id to a unique instance, and provides references to it, which are dropped when the cycle's pool is destroyed. The cache will be used in subsequent patches. Based on previous work by Mini Hawthorne.
* SSL: moved certificate storage out of exdata.Sergey Kandaurov2024-10-01
| | | | | | | | Instead of cross-linking the objects using exdata, pointers to configured certificates are now stored in ngx_ssl_t, and OCSP staples are now accessed with rbtree in it. This allows sharing these objects between SSL contexts. Based on previous work by Mini Hawthorne.
* Fixed a typo of bpf makefile debug option.tzssangglass2024-09-24
|
* Added new primary README.md file.Michael Vernik2024-09-20
|
* SSL: optional ssl_client_certificate for ssl_verify_client.Sergey Kandaurov2024-09-20
| | | | | | | | | | | | | | | | | | | | | | | | | Starting from TLSv1.1 (as seen since draft-ietf-tls-rfc2246-bis-00), the "certificate_authorities" field grammar of the CertificateRequest message was redone to allow no distinguished names. In TLSv1.3, with the restructured CertificateRequest message, this can be similarly done by optionally including the "certificate_authorities" extension. This allows to avoid sending DNs at all. In practice, aside from published TLS specifications, all supported SSL/TLS libraries allow to request client certificates with an empty DN list for any protocol version. For instance, when operating in TLSv1, this results in sending the "certificate_authorities" list as a zero-length vector, which corresponds to the TLSv1.1 specification. Such behaviour goes back to SSLeay. The change relaxes the requirement to specify at least one trusted CA certificate in the ssl_client_certificate directive, which resulted in sending DNs of these certificates (closes #142). Instead, all trusted CA certificates can be specified now using the ssl_trusted_certificate directive if needed. A notable difference that certificates specified in ssl_trusted_certificate are always loaded remains (see 3648ba7db). Co-authored-by: Praveen Chaudhary <praveenc@nvidia.com>
* Proxy: proxy_pass_trailers directive.Sergey Kandaurov2024-09-13
| | | | The directive allows to pass upstream response trailers to client.
* Fixed a typo in win-utf.Shaikh Yaser2024-09-06
|
* Added CI based on GitHub Actions.Konstantin Pavlov2024-09-04
| | | | | | | Pushes to master and stable branches will result in buildbot-like checks on multiple OSes and architectures. Pull requests will be checked on a public Ubuntu GitHub runner.
* Added GitHub templates.Maryna Herasimovich2024-09-04
|
* Added contributing guidelines.Maryna Herasimovich2024-09-03
|
* Added security policy.Maryna Herasimovich2024-09-02
|
* Added Code of Conduct.Maryna Herasimovich2024-09-02
|
* Removed C-style comments from LICENSE.Roman Arutyunyan2024-08-30
|
* Moved LICENSE and README to root.Roman Arutyunyan2024-08-30
|
* Switched GNUmakefile from hg to git.Roman Arutyunyan2024-08-30
|
* Removed .hgtags file.Roman Arutyunyan2024-08-30
|
* Stream: OCSP stapling.Sergey Kandaurov2024-08-22
|
* Stream: client certificate validation with OCSP.Sergey Kandaurov2024-08-22
|
* Version bump.Sergey Kandaurov2024-08-20
|
* release-1.27.1 tagSergey Kandaurov2024-08-12
|
* nginx-1.27.1-RELEASErelease-1.27.1Sergey Kandaurov2024-08-12
|
* Updated OpenSSL used for win32 builds.Sergey Kandaurov2024-08-12
|