| Commit message (Collapse) | Author | Age |
|---|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This allows to proxy WebSockets by using configuration like this:
location /chat/ {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
Connection upgrade is allowed as long as it was requested by a client
via the Upgrade request header.
|
| |
|
|
| |
Prodded by John Leach.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Note: use of {SHA} passwords is discouraged as {SHA} password scheme is
vulnerable to attacks using rainbow tables. Use of {SSHA}, $apr1$ or
crypt() algorithms as supported by OS is recommended instead.
The {SHA} password scheme support is added to avoid the need of changing
the scheme recorded in password files from {SHA} to {SSHA} because such
a change hides security problem with {SHA} passwords.
Patch by Louis Opter, with minor changes.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
If fastcgi end request record was split between several network packets,
with fastcgi_keep_conn it was possible that connection was saved in incorrect
state (e.g. with padding bytes not yet read).
|
| |
|
|
|
|
| |
Checks for f->padding before state transitions make code hard to follow,
remove them and make sure we always do another loop iteration after
f->state is set to ngx_http_fastcgi_st_padding.
|
| |
|
|
|
|
|
|
|
|
| |
With fastcgi_keep_conn it was possible that connection was closed after
FCGI_STDERR record with zero padding and without any further data read yet.
This happended as f->state was set to ngx_http_fastcgi_st_padding and then
"break" happened, resulting in p->length being set to f->padding, i.e. 0
(which in turn resulted in connection close).
Fix is to make sure we continue the loop after f->state is set.
|
| |
|
|
|
|
|
|
| |
After introduction of chunked request body reading support in 1.3.9 (r4931),
the rb->bufs wasn't set if request body was fully preread while calling the
ngx_http_read_client_request_body() function.
Reported by Yichun Zhang (agentzh).
|
| |
|
|
|
|
| |
Missing calls to ngx_handle_write_event() and ngx_handle_read_event()
resulted in a CPU hog during SSL handshake if an level-triggered event
method (e.g. select) was used.
|
| |
|
|
| |
In some rare cases this can result in a more smooth sending rate.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
According to documentation, calling SSL_write() with num=0 bytes to be sent
results in undefined behavior.
We don't currently call ngx_ssl_send_chain() with empty chain and buffer.
This check handles the case of a chain with total data size that is
a multiple of NGX_SSL_BUFSIZE, and with the special buffer at the end.
In practice such cases resulted in premature connection close and critical
error "SSL_write() failed (SSL:)" in the error log.
|
| |
|
|
| |
No functional changes.
|
| |
|
|
|
| |
Previously, if SSL buffer was not sent we lost information that the data
must be flushed.
|
| |
|
|
|
| |
There is no need to flush next chunk of data if it does not contain a buffer
with the flush or last_buf flags set.
|
| | |
|
| |
|
|
|
|
| |
The "secure_link_secret" directive was always inherited from the outer
configuration level even when "secure_link" and "secure_link_md5" were
specified on the inner level.
|
| |
|
|
|
|
|
| |
A POLLERR signalled by poll() without POLLIN/POLLOUT, as seen on
Linux, would generate both read and write events, but there's no
write event handler for resolver events. A fix is to only call
event handler of an active event.
|
| |
|
|
|
|
|
| |
When using IPv6 databases, IPv4 addresses are looked up as IPv4-mapped
IPv6 addresses.
Mostly based on a patch by Gregor Kališnik (ticket #250).
|
| |
|
|
|
|
| |
Before the patch if proxy_method was specified at http{} level the code
to add trailing space wasn't executed, resulting in incorrect requests
to upstream.
|
| |
|
|
|
|
| |
Log module counterparts are preserved for efficiency.
Based on patch by Kiril Kalchev.
|
| | |
|
| |
|
|
|
|
|
| |
The "proxy_bind", "fastcgi_bind", "uwsgi_bind", "scgi_bind" and
"memcached_bind" directives are now inherited; inherited value
can be reset by the "off" parameter. Duplicate directives are
now detected. Parameter value can now contain variables.
|
| |
|
|
|
|
|
|
|
| |
Upstreams created by "proxy_pass" with IP address and no port were
broken in 1.3.10, by not initializing port in u->sockaddr.
API change: ngx_parse_url() was modified to always initialize port
(in u->sockaddr and in u->port), even for the u->no_resolve case;
ngx_http_upstream() and ngx_http_upstream_add() were adopted.
|
| |
|
|
|
|
|
|
|
| |
The patch saves one EC_KEY_generate_key() call per server{} block by
informing OpenSSL about SSL_OP_SINGLE_ECDH_USE we are going to use before
the SSL_CTX_set_tmp_ecdh() call.
For a configuration file with 10k simple server{} blocks with SSL enabled
this change reduces startup time from 18s to 5s on a slow test box here.
|
| | |
|
| |
|
|
|
|
|
| |
Uninitialized pointer may result in arbitrary segfaults if access_log is used
without buffer and without variables in file path.
Patch by Tatsuhiko Kubo (ticket #268).
|
| | |
|
| |
|
|
|
| |
A failure to detect duplicate "keepalive" directive resulted in
stack exhaustion.
|
| | |
|
| |
|
|
|
|
| |
Previously, "default" was equivalent to specifying 0.0.0.0/0, now
it's equivalent to specifying both 0.0.0.0/0 and ::/0 (if support
for IPv6 is enabled) with the same value.
|
| | |
|
| |
|
|
| |
The "ranges" mode is still limited to IPv4 only.
|
| |
|
|
| |
Based on patch by Thomas Chen (ticket #257).
|
| | |
|
| | |
|
| |
|
|
| |
Note: this requires zlib version 1.2.0.4 or above to work.
|
| | |
|
| |
|
|
|
|
| |
The code refactored in a way to call custom handler that can do appropriate
cleanup work (if any), like flushing buffers, finishing compress streams,
finalizing connections to log daemon, etc..
|
| |
|
|
|
| |
Previously a new buffer was allocated for every "access_log" directive with the
same file path and "buffer=" parameters, while only one buffer per file is used.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The crypt_r() function returns NULL on errors, check it explicitly instead
of assuming errno will remain 0 if there are no errors (per POSIX, the
setting of errno after a successful call to a function is unspecified
unless the description of that function specifies that errno shall not
be modified).
Additionally, dropped unneeded ngx_set_errno(0) and fixed error handling
of memory allocation after normal crypt(), which was inapropriate and
resulted in null pointer dereference on allocation failures.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Configurations like
location /i/ {
image_filter resize 200 200;
image_filter rotate 180;
location /i/foo/ {
image_filter resize 200 200;
}
}
resulted in rotation incorrectly applied in the location /i/foo, without
any way to clear it. Fix is to handle conf->angle/conf->acv consistently
with other filter variables and do not try to inherit them if there are
transformations defined for current location.
|
| |
|
|
|
| |
If 0.0.0.0/32 entry was present and there was no explicit "default",
we failed to add an empty string as a default value.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
The image_filter_jpeg_quality, image_filter_sharpen and "image_filter rotate"
were inherited incorrectly if a directive with variables was defined, and
then redefined to a literal value, i.e. in configurations like
image_filter_jpeg_quality $arg_q;
location / {
image_filter_jpeg_quality 50;
}
Patch by Ian Babrou, with minor changes.
|
| | |
|
| | |
|
| | |
|
| | |
|
