| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
|
| |
The $upstream_connect_time, $upstream_first_byte_time and
$upstream_session_time variables keep corresponding times.
|
| | |
|
| |
|
|
|
|
| |
Keeps the full address of the upstream server. If several servers were
contacted during proxying, their addresses are separated by commas,
e.g. "192.168.1.1:80, 192.168.1.2:80".
|
| |
|
|
|
|
|
|
|
|
| |
The stream session status is one of the following:
200 - normal completion
403 - access forbidden
500 - internal server error
502 - bad gateway
503 - limit conn
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This fixes a problem with aio threads and sendfile with aio_write switched
off, as observed with range requests after fc72784b1f52 (1.9.13). Potential
problems with sendfile in threads were previously described in 9fd738b85fad,
and this seems to be one of them.
The problem occurred as file's thread_handler was set to NULL by event pipe
code after a sendfile thread task was scheduled. As a result, no sendfile
completion code was executed, and the same buffer was additionally sent
using non-threaded sendfile. Fix is to avoid modifying file's thread_handler
if aio_write is switched off.
Note that with "aio_write on" it is still possible that sendfile will use
thread_handler as set by event pipe. This is believed to be safe though,
as handlers used are compatible.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
When c->recv_chain() returns an error, it is possible that we already
have some data previously read, e.g., in preread buffer. And in some
cases it may be even a complete response. Changed c->recv_chain() error
handling to process the data, much like it is already done if kevent
reports about an error.
This change, in particular, fixes processing of small responses
when an upstream fails to properly close a connection with lingering and
therefore the connection is reset, but the response is already fully
obtained by nginx (see ticket #1037).
|
| |
|
|
|
|
| |
Previously, the realip module could be left with uninitialized context after an
error in the ngx_http_realip_set_addr() function. That context could be later
accessed by $realip_remote_addr and $realip_remote_port variable handlers.
|
| |
|
|
| |
The variable keeps protocol used by the client, "TCP" or "UDP".
|
| |
|
|
| |
The variable keeps time spent on processing the stream session.
|
| |
|
|
| |
The variable keeps the number of bytes received from the client.
|
| |
|
|
|
|
|
|
| |
This prevents theoretical resource leak, since those threads are never joined.
Found with ThreadSanitizer.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
geo $geo {
ranges;
10.0.0.0-10.0.0.255 test;
delete 10.0.1.0-10.0.1.255; # should warn
delete 10.0.0.0-10.0.0.255;
delete 10.0.0.0-10.0.0.255; # should warn
}
|
| | |
|
| |
|
|
|
|
| |
If the range includes two or more /16 networks and does
not start at the /16 boundary, the last subrange was not
removed (see 91cff7f97a50 for details).
|
| | |
|
| |
|
|
|
|
|
|
|
| |
Return 1 in the SSL_CTX_set_tlsext_ticket_key_cb() callback function
to indicate that a new session ticket is created, as per documentation.
Until 1.1.0, OpenSSL didn't make a distinction between non-negative
return values.
See https://git.openssl.org/?p=openssl.git;a=commitdiff;h=5c753de for details.
|
| |
|
|
|
|
|
|
| |
BoringSSL added a no-op stub for OPENSSL_config() on 2016-01-26.
Requested by David Benjamin.
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
|
| |
|
|
|
|
|
|
|
| |
The IP_BIND_ADDRESS_NO_PORT option is set on upstream sockets
if proxy_bind does not specify a port. The SO_REUSEADDR option
is set on UDP upstream sockets if proxy_bind specifies a port.
Due to checking of the wrong port, IP_BIND_ADDRESS_NO_PORT was
never set, and SO_REUSEPORT was always set.
|
| | |
|
| |
|
|
| |
The new type ngx_uint_t was supposed when formatting the line number.
|
| |
|
|
|
| |
Previously, in "ranges" mode when all added ranges were deleted,
the ctx.high.low[i] was left pointing to a temporary array.
|
| |
|
|
|
|
| |
Unlike $upstream_response_length that only counts the body size,
the new variable also counts the size of response header and data
received after switching protocols when proxying WebSockets.
|
| | |
|
| |
|
|
|
| |
It was removed in OpenSSL 1.1.0 Beta 3 (pre-release 6). It was
not used since OpenSSL 1.0.1n and 1.0.2b.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
The change in b91bcba29351 was not enough to fix random() seeding.
On Windows, the srand() seeds the PRNG only in the current thread,
and worse, is not inherited from the calling thread. Due to this,
worker threads were not properly seeded.
Reported by Marc Bevand.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
If PCRE is disabled, captures were treated as normal variables in
ngx_http_script_compile(), while code calculating flushes array length in
ngx_http_compile_complex_value() did not account captures as variables.
This could lead to write outside of the array boundary when setting
last element to -1.
Found with AddressSanitizer.
|
| | |
|
| |
|
|
|
|
|
| |
It fixes potential connection leak if some unsent data was left in the SSL
buffer. Particularly, that could happen when a client canceled the stream
after the HEADERS frame has already been created. In this case no other
frames might be produced and the HEADERS frame alone didn't flush the buffer.
|
| |
|
|
| |
Now it returns NGX_AGAIN if there's still data to be sent.
|
| |
|
|
|
|
|
|
|
|
| |
Checking for return value of c->send_chain() isn't sufficient since there
are data can be left in the SSL buffer. Now the wew->ready flag is used
instead.
In particular, this fixed a connection leak in cases when all streams were
closed, but there's still some data to be sent in the SSL buffer and the
client forgot about the connection.
|
| |
|
|
|
|
|
|
|
| |
Particularly this fixes alerts on OS X and NetBSD systems when HTTP/2 is
configured over plain TCP sockets.
On these systems calling writev() with no data leads to EINVAL errors
being logged as "writev() failed (22: Invalid argument) while processing
HTTP/2 connection".
|
| |
|
|
|
| |
Previously, a stream could be closed by timeout if it was canceled
while its send window was exhausted.
|
| |
|
|
| |
It's useless to generate HEADERS if the stream has been canceled already.
|
| |
|
|
|
| |
Previously, if the worker process exited, GOAWAY was sent to connections in
idle state, but connections with active streams were closed without GOAWAY.
|
| |
|
|
|
|
|
|
|
| |
This flag appeared in Linux 4.5 and is useful for avoiding thundering herd
problem.
The current Linux kernel implementation walks the list of exclusive waiters,
and queues an event to each epfd, until it finds the first waiter that has
threads blocked on it via epoll_wait().
|
| | |
|
| |
|
|
|
|
| |
Now it is believed that the accept mutex brings more harm than benefits.
Especially in various benchmarks it often results in situation where only
one worker grabs all connections.
|
| | |
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
On non-aligned platforms, properly cast argument before left-shifting it in
ngx_http_v2_parse_uint32 that is used with u_char. Otherwise it propagates
to int to hold the value and can step over the sign bit. Usually, on known
compilers, this results in negation. Furthermore, a subsequent store into a
wider type, that is ngx_uint_t on 64-bit platforms, results in sign-extension.
In practice, this can be observed in debug log as a very large exclusive bit
value, when client sent PRIORITY frame with exclusive bit set:
: *14 http2 PRIORITY frame sid:5 on 1 excl:8589934591 weight:17
Found with UndefinedBehaviorSanitizer.
|
| |
|
|
| |
Found with UndefinedBehaviorSanitizer.
|
| | |
|
| |
|
|
| |
The macro was unused since 0.7.44.
|
