
Re: [PATCH] Upstream: style

Hello!

On Wed, May 31, 2017 at 01:54:05PM -0700, Piotr Sikora via nginx-devel wrote:

> # HG changeset patch
> # User Piotr Sikora <piotrsikora@google.com>
> # Date 1496263896 25200
> # Wed May 31 13:51:36 2017 -0700
> # Node ID e7219bf8bc3781d3912a951f09553bb2f0a53b70
> # Parent ab6ef3037840393752d82fac01ea1eb4f972301c
> Upstream: style.
>
> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
>
> diff -r ab6ef3037840 -r e7219bf8bc37 src/http/ngx_http_upstream.c
> --- a/src/http/ngx_http_upstream.c
> +++ b/src/http/ngx_http_upstream.c
> @@ -2729,7 +2729,7 @@ ngx_http_upstream_process_body_in_memory
> rev = c->read;
>
> ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
> - "http upstream process body on memory");
> + "http upstream process body in memory");
>
> if (rev->timedout) {
> ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out");

Committed, thanks.

--
Maxim Dounin
http://nginx.org/
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] Configure: disabled IP_PKTINFO feature on certain platforms.

details: http://hg.nginx.org/nginx/rev/716852cce913
branches:
changeset: 7020:716852cce913
user: Roman Arutyunyan <arut@nginx.com>
date: Thu Jun 01 15:44:23 2017 +0300
description:
Configure: disabled IP_PKTINFO feature on certain platforms.

On Cygwin and NetBSD 7.0+, struct in_pktinfo has no ipi_spec_dst field, which
caused an nginx compilation error. Now the presence of this field is ensured by the
IP_PKTINFO feature test.

The problem was introduced by dbb0c854e308 (1.13.0).

diffstat:

auto/unix | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)

diffs (15 lines):

diff -r 8ce1a34f160b -r 716852cce913 auto/unix
--- a/auto/unix Thu Jun 01 16:49:14 2017 +0300
+++ b/auto/unix Thu Jun 01 15:44:23 2017 +0300
@@ -428,7 +428,10 @@ ngx_feature_incs="#include <sys/socket.h
#include <netinet/in.h>"
ngx_feature_path=
ngx_feature_libs=
-ngx_feature_test="setsockopt(0, IPPROTO_IP, IP_PKTINFO, NULL, 0)"
+ngx_feature_test="struct in_pktinfo pkt;
+ pkt.ipi_spec_dst.s_addr = INADDR_ANY;
+ (void) pkt;
+ setsockopt(0, IPPROTO_IP, IP_PKTINFO, NULL, 0)"
. auto/feature


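Review bot: the extended test at the `+` lines makes the IP_PKTINFO feature depend on struct in_pktinfo having an ipi_spec_dst member, which is the member ngx_sendmsg() in src/os/unix/ngx_udp_sendmsg_chain.c assigns in the build failure reported on the list, so platforms lacking it now build without the feature instead of failing at compile time. The `(void) pkt;` statement keeps the compiler from warning about a variable that is only written. One sentence worth adding to the commit message: the feature now means "IP_PKTINFO with ipi_spec_dst", so any future use of the option that does not need that member is also disabled on Cygwin and NetBSD 7.0+.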

Re: [nginx-announce] nginx-1.13.1

Hello Kevin,

The issue is fixed by the following commit:

http://hg.nginx.org/nginx/rev/716852cce913

You may apply this change manually to fix the build.

On Tue, May 30, 2017 at 11:28:16AM -0400, Kevin Worthington wrote:
> Hello!
>
> I am getting this error when trying to build on Cygwin:
>
> -o objs/src/os/unix/ngx_udp_send.o \
> src/os/unix/ngx_udp_send.c
> cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -D FD_SETSIZE=2048 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/include/libxml2 -I objs \
> -o objs/src/os/unix/ngx_udp_sendmsg_chain.o \
> src/os/unix/ngx_udp_sendmsg_chain.c
> src/os/unix/ngx_udp_sendmsg_chain.c: In function `ngx_sendmsg':
> src/os/unix/ngx_udp_sendmsg_chain.c:274:16: error: `struct in_pktinfo' has no member named `ipi_spec_dst'
> pkt->ipi_spec_dst = sin->sin_addr;
> ^
> objs/Makefile:847: recipe for target 'objs/src/os/unix/ngx_udp_sendmsg_chain.o' failed
> make[1]: *** [objs/src/os/unix/ngx_udp_sendmsg_chain.o] Error 1
> make[1]: Leaving directory '/home/kevin.worthington/nginx-1.13.1'
> Makefile:8: recipe for target 'build' failed
> make: *** [build] Error 2
>
> Any help is greatly appreciated. Thanks.
>
> Best regards,
> Kevin
> --
> Kevin Worthington
> kworthington AT gmail DOT com
> https://kevinworthington.com/
> https://twitter.com/kworthington
>
> On Tue, May 30, 2017 at 11:12 AM, Maxim Dounin <mdounin@mdounin.ru> wrote:
>
> > Changes with nginx 1.13.1 30 May 2017
> >
> > *) Feature: now a hostname can be used as the "set_real_ip_from"
> > directive parameter.
> >
> > *) Feature: vim syntax highlighting scripts improvements.
> >
> > *) Feature: the "worker_cpu_affinity" directive now works on DragonFly BSD.
> > Thanks to Sepherosa Ziehau.
> >
> > *) Bugfix: SSL renegotiation on backend connections did not work when
> > using OpenSSL before 1.1.0.
> >
> > *) Workaround: nginx could not be built with Oracle Developer Studio
> > 12.5.
> >
> > *) Workaround: now cache manager ignores long locked cache entries when
> > cleaning cache based on the "max_size" parameter.
> >
> > *) Bugfix: client SSL connections were immediately closed if deferred
> > accept and the "proxy_protocol" parameter of the "listen" directive
> > were used.
> >
> > *) Bugfix: in the "proxy_cache_background_update" directive.
> >
> > *) Workaround: now the "tcp_nodelay" directive sets the TCP_NODELAY
> > option before an SSL handshake.
> >
> >
> > --
> > Maxim Dounin
> > http://nginx.org/
> > _______________________________________________
> > nginx-announce mailing list
> > nginx-announce@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx-announce
> >

> _______________________________________________
> nginx mailing list
> nginx@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx


--
Roman Arutyunyan
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx

Re: [PATCH 1 of 4] HTTP/2: emit new frames only after applying all SETTINGS params

On Monday 24 April 2017 15:48:23 Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotrsikora@google.com>
> # Date 1493073310 25200
> # Mon Apr 24 15:35:10 2017 -0700
> # Node ID 07adf0a7009c3244de4b795c0c06927f4316a87f
> # Parent 2c4dbcd6f2e4c9c2a1eb8dc1f0d39c99975ae208
> HTTP/2: emit new frames only after applying all SETTINGS params.
>
> Previously, new frames could be emitted in the middle of applying
> new (and already acknowledged) SETTINGS params, which is illegal.
>
> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
>
> diff -r 2c4dbcd6f2e4 -r 07adf0a7009c src/http/v2/ngx_http_v2.c
> --- a/src/http/v2/ngx_http_v2.c
> +++ b/src/http/v2/ngx_http_v2.c
> @@ -1982,7 +1982,9 @@ static u_char *
> ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
> u_char *end)
> {
> - ngx_uint_t id, value;
> + ngx_uint_t id, value, adjustment;
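Review bot: `adjustment` is declared ngx_uint_t at the `+` line, but it is assigned `value - h2c->init_window` (the assignment is visible in the lines the follow-up patch below removes), which is negative whenever the peer lowers its initial window size; the unsigned result is then passed to the ssize_t delta parameter of ngx_http_v2_adjust_windows(), and converting an out-of-range unsigned value to a signed type is implementation-defined in C rather than guaranteed to recover the negative delta. Declare the delta as ssize_t and leave only id and value as ngx_uint_t.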

The new initial window size can be lower than the previous one,
so the difference can be negative (that's why the delta parameter
of ngx_http_v2_adjust_windows() is ssize_t).

Please consider the patch below:

diff -r 00015416ae79 src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c Mon Apr 24 15:35:10 2017 -0700
+++ b/src/http/v2/ngx_http_v2.c Thu Jun 01 17:45:37 2017 +0300
@@ -1969,7 +1969,8 @@ static u_char *
ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
u_char *end)
{
- ngx_uint_t id, value, adjustment;
+ ssize_t window_delta;
+ ngx_uint_t id, value;

adjustment = 0;

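Review bot: the trailing context line `adjustment = 0;` still refers to the variable the `-` line removes, so as posted the function no longer compiles, and window_delta is never initialised before the `if (window_delta)` test at the end of the function; that line needs to become part of the change as `-    adjustment = 0;` / `+    window_delta = 0;`.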
@@ -1997,7 +1998,8 @@ ngx_http_v2_state_settings_params(ngx_ht
NGX_HTTP_V2_FLOW_CTRL_ERROR);
}

- adjustment = value - h2c->init_window;
+ window_delta = value - h2c->init_window;
+
h2c->init_window = value;
break;

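Review bot: in `window_delta = value - h2c->init_window;` the left operand is ngx_uint_t (declared in the previous hunk), so the subtraction is carried out in unsigned arithmetic and only the store into the ssize_t turns the wrapped result back into the intended negative delta; that works on two's-complement targets, but the conversion of an out-of-range value is implementation-defined, and `window_delta = (ssize_t) value - (ssize_t) h2c->init_window;` says what is meant without relying on it.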
@@ -2024,8 +2026,8 @@ ngx_http_v2_state_settings_params(ngx_ht
pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE;
}

- if (adjustment) {
- if (ngx_http_v2_adjust_windows(h2c, adjustment) != NGX_OK) {
+ if (window_delta) {
+ if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) {
return ngx_http_v2_connection_error(h2c,
NGX_HTTP_V2_INTERNAL_ERROR);
}


wbr, Valentin V. Bartenev


PSK Support

Greetings,

I'm about to push 3 patches that add support for PSK TLS cipher suites to nginx and thought it would be good to discuss the feature itself in a separate thread.

First, PSK support is useful in certain environments that are not conducive to a full public key infrastructure. The environment I'm personally working with is the recreational boating market; we are developing a new industry standard that relies on HTTPS, secured by PSK, for much of its underlying security protocol. I think this would also be useful to the IoT market. A quick search shows that some other users have been interested in this feature:

https://forum.nginx.org/read.php?2,272443,272443
https://stackoverflow.com/questions/22513641/pre-shared-keys-tls-psk-nginx-configuration

After applying the patches, one can enable PSK support by adding a few directives to their nginx.conf:

1) "ssl_nocert" -- This disables checks for a certificate within nginx. By default these checks are enabled because most users will need a certificate. This is analogous to the "-nocert" option in the OpenSSL s_server.
2) "ssl_psk_path" -- This is a local folder that contains all of the valid PSKs. Each file in the folder is loaded into memory as a PSK, and its file name is used as the PSK identity. When the client connects, it specifies the identity of the PSK it is using for the connection. The server looks up the key using a hash of the loaded PSKs, and if the keys match then the TLS handshake is successful. Note that the identity of the PSK is made available in the variable $ssl_psk_identity.
3) Add some PSK ciphers to the "ssl_ciphers" directive.

Thanks,

Nate Karstens
Garmin International, Inc.

________________________________

CONFIDENTIALITY NOTICE: This email and any attachments are for the sole use of the intended recipient(s) and contain information that may be Garmin confidential and/or Garmin legally privileged. If you have received this email in error, please notify the sender by reply email and delete the message. Any disclosure, copying, distribution or use of this communication (including attachments) by someone other than the intended recipient is prohibited. Thank you.
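The three directives described in the message above, combined into one server block. This is an added example, not configuration from the patch series or from nginx itself: it assumes the three patches posted in this thread are applied (ssl_nocert, ssl_psk_path, ssl_psk_hash_max_size, ssl_psk_hash_bucket_size and $ssl_psk_identity are not mainline nginx directives), and the server name, log path and key directory are placeholders. The cipher names are OpenSSL's PSK AEAD suite names.

```nginx
# Assumes the three PSK patches posted in this thread are applied; these
# directives are not part of mainline nginx. Paths and names are placeholders.
http {
    # Record which pre-shared key identity each request was made under.
    # The identity is chosen by the client, so treat it as untrusted input
    # in whatever consumes the log.
    log_format psk '$remote_addr [$time_local] "$request" $status '
                   'psk_identity="$ssl_psk_identity"';

    server {
        listen 443 ssl;
        server_name gateway.example;          # placeholder

        # No X.509 certificate is configured for this server; without
        # ssl_nocert the configuration is rejected at startup.
        ssl_nocert on;

        # One file per key: the file name is the identity the client presents,
        # the file contents are the key bytes. Keep the directory readable
        # only by the user nginx's master process runs as.
        ssl_psk_path /etc/nginx/psk;         # placeholder directory

        # Hash sizing for the loaded keys (defaults in the patch: 512 / 64).
        ssl_psk_hash_max_size 512;
        ssl_psk_hash_bucket_size 64;

        # Only PSK suites with AEAD ciphers, so no certificate-based suite
        # can be negotiated by accident on a server that has no certificate.
        ssl_ciphers PSK-AES256-GCM-SHA384:PSK-AES128-GCM-SHA256;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.2;

        access_log /var/log/nginx/psk_access.log psk;

        location / {
            return 200 "hello $ssl_psk_identity\n";
        }
    }
}
```

Each file under the key directory is one client's key, and its file name is the identity that client must present; logging $ssl_psk_identity per request is what lets an operator attribute traffic to a key, and a key is withdrawn by deleting its file and reloading the configuration.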

[PATCH 1 of 3] PSK: make server certificates optional

# HG changeset patch
# User Nate Karstens <nate.karstens@garmin.com>
# Date 1496332504 18000
# Thu Jun 01 10:55:04 2017 -0500
# Node ID a38066b79d71b6ecb62a9f7618afe2cf3ed8a4f9
# Parent 716852cce9136d977b81a2d1b8b6f9fbca0dce49
PSK: make server certificates optional

Adds the directive "ssl_nocert" to the ngx_http_ssl_module to allow the
user to indicate that the absence of a certificate is intentional. Any
cipher suites that rely on certificates will not function properly.

Servers that only use PSK will error out without this change.

Signed-off-by: Nate Karstens <nate.karstens@garmin.com>

diff -r 716852cce913 -r a38066b79d71 contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Thu Jun 01 15:44:23 2017 +0300
+++ b/contrib/vim/syntax/nginx.vim Thu Jun 01 10:55:04 2017 -0500
@@ -546,6 +546,7 @@
syn keyword ngxDirective contained ssl_ecdh_curve
syn keyword ngxDirective contained ssl_engine
syn keyword ngxDirective contained ssl_handshake_timeout
+syn keyword ngxDirective contained ssl_nocert
syn keyword ngxDirective contained ssl_password_file
syn keyword ngxDirective contained ssl_prefer_server_ciphers
syn keyword ngxDirective contained ssl_preread
diff -r 716852cce913 -r a38066b79d71 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 15:44:23 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 10:55:04 2017 -0500
@@ -101,6 +101,13 @@
0,
NULL },

+ { ngx_string("ssl_nocert"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, nocert),
+ NULL },
+
{ ngx_string("ssl_dhparam"),
NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
ngx_conf_set_str_slot,
@@ -546,6 +553,7 @@
sscf->buffer_size = NGX_CONF_UNSET_SIZE;
sscf->verify = NGX_CONF_UNSET_UINT;
sscf->verify_depth = NGX_CONF_UNSET_UINT;
+ sscf->nocert = NGX_CONF_UNSET;
sscf->certificates = NGX_CONF_UNSET_PTR;
sscf->certificate_keys = NGX_CONF_UNSET_PTR;
sscf->passwords = NGX_CONF_UNSET_PTR;
@@ -595,6 +603,7 @@
ngx_conf_merge_uint_value(conf->verify, prev->verify, 0);
ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1);

+ ngx_conf_merge_value(conf->nocert, prev->nocert, 0);
ngx_conf_merge_ptr_value(conf->certificates, prev->certificates, NULL);
ngx_conf_merge_ptr_value(conf->certificate_keys, prev->certificate_keys,
NULL);
@@ -622,50 +631,52 @@

conf->ssl.log = cf->log;

- if (conf->enable) {
+ if (!conf->nocert) {
+ if (conf->enable) {

- if (conf->certificates == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate\" is defined for "
- "the \"ssl\" directive in %s:%ui",
- conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
+ if (conf->certificates == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate\" is defined for "
+ "the \"ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }

- if (conf->certificate_keys == NULL) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined for "
- "the \"ssl\" directive in %s:%ui",
- conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
+ if (conf->certificate_keys == NULL) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined for "
+ "the \"ssl\" directive in %s:%ui",
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }

- if (conf->certificate_keys->nelts < conf->certificates->nelts) {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\" and "
- "the \"ssl\" directive in %s:%ui",
- ((ngx_str_t *) conf->certificates->elts)
- + conf->certificates->nelts - 1,
- conf->file, conf->line);
- return NGX_CONF_ERROR;
- }
+ if (conf->certificate_keys->nelts < conf->certificates->nelts) {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\" and "
+ "the \"ssl\" directive in %s:%ui",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1,
+ conf->file, conf->line);
+ return NGX_CONF_ERROR;
+ }

- } else {
+ } else {

- if (conf->certificates == NULL) {
- return NGX_CONF_OK;
- }
+ if (conf->certificates == NULL) {
+ return NGX_CONF_OK;
+ }

- if (conf->certificate_keys == NULL
- || conf->certificate_keys->nelts < conf->certificates->nelts)
- {
- ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
- "no \"ssl_certificate_key\" is defined "
- "for certificate \"%V\"",
- ((ngx_str_t *) conf->certificates->elts)
- + conf->certificates->nelts - 1);
- return NGX_CONF_ERROR;
+ if (conf->certificate_keys == NULL
+ || conf->certificate_keys->nelts < conf->certificates->nelts)
+ {
+ ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
+ "no \"ssl_certificate_key\" is defined "
+ "for certificate \"%V\"",
+ ((ngx_str_t *) conf->certificates->elts)
+ + conf->certificates->nelts - 1);
+ return NGX_CONF_ERROR;
+ }
}
}

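Review bot: wrapping the whole block in `if (!conf->nocert) {` reindents some forty lines that do not change, which buries the actual logic change; folding the flag into the existing conditions (`if (conf->enable && !conf->nocert)`, and guarding the else branch the same way) would keep the diff to the lines that matter. More importantly, when ssl_nocert is on every check in this block is skipped, including the `certificate_keys->nelts < certificates->nelts` test, so a server that lists an ssl_certificate with no, or too few, ssl_certificate_key entries is accepted silently; keep the consistency checks active whenever certificates are present and relax only the "no certificate at all" case.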
@@ -704,11 +715,15 @@
cln->handler = ngx_ssl_cleanup_ctx;
cln->data = &conf->ssl;

- if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
- conf->certificate_keys, conf->passwords)
- != NGX_OK)
- {
- return NGX_CONF_ERROR;
+ if (conf->certificates && conf->certificate_keys) {
+
+ if (ngx_ssl_certificates(cf, &conf->ssl, conf->certificates,
+ conf->certificate_keys, conf->passwords)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
}

if (ngx_ssl_ciphers(cf, &conf->ssl, &conf->ciphers,
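Review bot: `if (conf->certificates && conf->certificate_keys)` skips ngx_ssl_certificates() when either array is missing, which together with the relaxed checks in the previous hunk means a configured ssl_certificate without an ssl_certificate_key is dropped without a diagnostic under ssl_nocert; worse, with fewer keys than certificates both arrays are non-NULL and the call proceeds although the nelts check that used to protect it no longer runs. Tie the skip to the case the flag is meant for (`if (!conf->nocert || conf->certificates)`, with the length check kept), and drop the blank line before the closing brace of the new block, which is not the style used elsewhere in this file.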
diff -r 716852cce913 -r a38066b79d71 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 15:44:23 2017 +0300
+++ b/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 10:55:04 2017 -0500
@@ -32,6 +32,7 @@

time_t session_timeout;

+ ngx_flag_t nocert;
ngx_array_t *certificates;
ngx_array_t *certificate_keys;


[PATCH 2 of 3] PSK: add configuration directives

# HG changeset patch
# User Nate Karstens <nate.karstens@garmin.com>
# Date 1496332865 18000
# Thu Jun 01 11:01:05 2017 -0500
# Node ID 7aa7771191d61ef635478460017446bca1f6db55
# Parent a38066b79d71b6ecb62a9f7618afe2cf3ed8a4f9
PSK: add configuration directives

Adds the directive "ssl_psk_dir" to the ngx_http_ssl_module. This
allows the user to specify a folder that contains the set of PSKs
that can be used to form a connection. Each key in the directory
is read into memory and the file name is saved as the key identity.

Also added the "ssl_psk_hash_max_size" and "ssl_psk_hash_bucket_size"
directives to configure the hash that stores PSK data.

This functionality can be easily tested with the OpenSSL s_client
using the "-psk" and "-psk_identity" options.

Signed-off-by: Nate Karstens <nate.karstens@garmin.com>

diff -r a38066b79d71 -r 7aa7771191d6 contrib/vim/syntax/nginx.vim
--- a/contrib/vim/syntax/nginx.vim Thu Jun 01 10:55:04 2017 -0500
+++ b/contrib/vim/syntax/nginx.vim Thu Jun 01 11:01:05 2017 -0500
@@ -551,6 +551,9 @@
syn keyword ngxDirective contained ssl_prefer_server_ciphers
syn keyword ngxDirective contained ssl_preread
syn keyword ngxDirective contained ssl_protocols
+syn keyword ngxDirective contained ssl_psk_path
+syn keyword ngxDirective contained ssl_psk_hash_bucket_size
+syn keyword ngxDirective contained ssl_psk_hash_max_size
syn keyword ngxDirective contained ssl_session_cache
syn keyword ngxDirective contained ssl_session_ticket_key
syn keyword ngxDirective contained ssl_session_tickets
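Review bot: the three new keywords are out of alphabetical order (ssl_psk_hash_bucket_size and ssl_psk_hash_max_size sort before ssl_psk_path) while the surrounding entries are sorted; also the commit message names the directive "ssl_psk_dir", whereas the keyword added here and the directive table later in this patch use ssl_psk_path, so the message should be corrected to match.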
diff -r a38066b79d71 -r 7aa7771191d6 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Jun 01 10:55:04 2017 -0500
+++ b/src/event/ngx_event_openssl.c Thu Jun 01 11:01:05 2017 -0500
@@ -23,6 +23,8 @@
static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
int ret);
+static unsigned int ngx_ssl_psk_callback(SSL *ssl, const char *identity,
+ unsigned char *psk, unsigned int max_psk_len);
static void ngx_ssl_passwords_cleanup(void *data);
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
@@ -114,6 +116,7 @@
int ngx_ssl_next_certificate_index;
int ngx_ssl_certificate_name_index;
int ngx_ssl_stapling_index;
+int ngx_ssl_psk_index;


ngx_int_t
@@ -225,6 +228,13 @@
return NGX_ERROR;
}

+ ngx_ssl_psk_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);
+
+ if (ngx_ssl_psk_index == -1) {
+ ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed");
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}

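Review bot: SSL_get_ex_new_index() reserves a slot in the ex_data index space of SSL objects, but the value stored under ngx_ssl_psk_index later in this patch is attached with SSL_CTX_set_ex_data() and read back with SSL_CTX_get_ex_data(), which operate on the separate SSL_CTX index space; the index can therefore collide with one allocated by SSL_CTX_get_ex_new_index() for other context-scoped data. Allocate it with SSL_CTX_get_ex_new_index() and adjust the error message to match.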
@@ -345,6 +355,7 @@
SSL_CTX_set_read_ahead(ssl->ctx, 1);

SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback);
+ SSL_CTX_set_psk_server_callback(ssl->ctx, ngx_ssl_psk_callback);

return NGX_OK;
}
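Review bot: SSL_CTX_set_psk_server_callback() is installed on every context created by ngx_ssl_create(), including contexts that never get an ssl_psk_path, and the callback is a no-op there only because ngx_ssl_psk_callback() returns 0 when no hash is attached; installing the callback from ngx_ssl_psk_path() once a non-empty directory is configured makes the dependency explicit and leaves contexts without PSK configuration unchanged.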
@@ -875,6 +886,40 @@
}


+static unsigned int ngx_ssl_psk_callback(SSL *ssl, const char *identity,
+ unsigned char *psk, unsigned int max_psk_len)
+{
+ SSL_CTX *ssl_ctx;
+ size_t identity_len;
+ ngx_hash_t *psk_hash;
+ ngx_uint_t key;
+ ngx_str_t *psk_str;
+
+ ssl_ctx = SSL_get_SSL_CTX(ssl);
+ identity_len = strlen(identity);
+
+ psk_hash = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_psk_index);
+ if (psk_hash == NULL) {
+ return 0;
+ }
+
+ key = ngx_hash_key((u_char *)identity, identity_len);
+
+ psk_str = ngx_hash_find(psk_hash, key, (u_char *)identity, identity_len);
+ if (psk_str == NULL) {
+ return 0;
+ }
+
+ if (psk_str->len > max_psk_len) {
+ return 0;
+ }
+
+ ngx_memcpy(psk, psk_str->data, psk_str->len);
+
+ return psk_str->len;
+}
+
+
RSA *
ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export,
int key_length)
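Review bot: both `return 0` paths in the lookup are silent; a debug log for an unknown identity would help an operator trace a client that presents the wrong name, and the `psk_str->len > max_psk_len` case deserves an error-level log because it means a key file under ssl_psk_path is too large to ever be used. Note also that identity is whatever the client sent, so this lookup is the only validation it gets before OpenSSL's own key confirmation decides the handshake, which is the right division of labour. A style nit: nginx writes casts with a space, `(u_char *) identity`.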
@@ -3137,6 +3182,158 @@
#endif


+ngx_int_t
+ngx_ssl_psk_path(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *path,
+ ngx_uint_t psk_hash_max_size, ngx_uint_t psk_hash_bucket_size)
+
+{
+ ngx_err_t err;
+ ngx_uint_t level;
+ ngx_dir_t dir;
+ ngx_file_t file;
+ ssize_t read;
+ ngx_str_t *psk_str;
+ ngx_hash_keys_arrays_t psk_keys;
+ ngx_str_t key;
+ ngx_hash_t *psk_hash;
+ ngx_hash_init_t hash;
+
+ if (path->len == 0) {
+ return NGX_OK;
+ }
+
+ psk_keys.pool = cf->pool;
+ psk_keys.temp_pool = cf->temp_pool;
+
+ ngx_hash_keys_array_init(&psk_keys, NGX_HASH_SMALL);
+
+ if (ngx_open_dir(path, &dir) == NGX_ERROR) {
+ err = ngx_errno;
+
+ level = (err == NGX_ENOENT
+ || err == NGX_ENOTDIR
+ || err == NGX_ENAMETOOLONG
+ || err == NGX_EACCES) ? NGX_LOG_ERR : NGX_LOG_CRIT;
+
+ ngx_ssl_error(level, ssl->log, err,
+ ngx_open_dir_n " \"%s\" failed", path->data);
+
+ return NGX_ERROR;
+ }
+
+ for ( ;; ) {
+ ngx_set_errno(0);
+
+ if (ngx_read_dir(&dir) == NGX_ERROR) {
+ err = ngx_errno;
+
+ if (err == NGX_ENOMOREFILES) {
+ break;
+ }
+
+ ngx_ssl_error(NGX_LOG_CRIT, ssl->log, err,
+ ngx_read_dir_n " \"%V\" failed", &path);
+ return NGX_ERROR;
+ }
+
+ if (!ngx_de_is_file(&dir)) {
+ continue;
+ }
+
+ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ssl->log, 0,
+ "loading PSK from file: \"%s\"", ngx_de_name(&dir));
+
+ file.name.len = ngx_de_namelen(&dir) + 2;
+ file.name.data = ngx_pnalloc(cf->pool, file.name.len);
+ if (file.name.data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_sprintf(file.name.data, "%V/%s%Z", path, ngx_de_name(&dir));
+
+ file.log = ssl->log;
+
+ file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, 0, 0);
+ if (file.fd == NGX_INVALID_FILE) {
+ err = ngx_errno;
+ ngx_ssl_error(NGX_LOG_CRIT, ssl->log, err,
+ ngx_open_file_n " \"%s\" failed", file.name.data);
+ return NGX_ERROR;
+ }
+
+ if (ngx_fd_info(file.fd, &file.info) == NGX_FILE_ERROR) {
+ ngx_ssl_error(NGX_LOG_CRIT, ssl->log, ngx_errno,
+ ngx_fd_info_n " \"%s\" failed", file.name.data);
+ return NGX_ERROR;
+ }
+
+ psk_str = ngx_palloc(cf->pool, sizeof(ngx_str_t));
+ if (psk_str == NULL) {
+ return NGX_ERROR;
+ }
+
+ psk_str->len = file.info.st_size;
+ psk_str->data = ngx_pnalloc(cf->pool, psk_str->len);
+
+ read = ngx_read_file(&file, psk_str->data, psk_str->len, 0);
+ if (read == NGX_ERROR) {
+ ngx_ssl_error(NGX_LOG_CRIT, ssl->log, ngx_errno,
+ ngx_read_file_n " \"%s\" failed", file.name.data);
+ return NGX_ERROR;
+ }
+
+ if ((size_t)read != psk_str->len) {
+ ngx_ssl_error(NGX_LOG_CRIT, ssl->log, 0,
+ ngx_read_file_n
+ " \"%s\" returned only %z bytes instead of %z",
+ file.name.data, read, psk_str->len);
+ return NGX_ERROR;
+ }
+
+ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
+ ngx_ssl_error(NGX_LOG_ALERT, ssl->log, ngx_errno,
+ ngx_close_file_n " \"%s\" failed", file.name.data);
+ }
+
+ ngx_pfree(cf->pool, file.name.data);
+
+ key.data = ngx_de_name(&dir);
+ key.len = ngx_de_namelen(&dir);
+
+ ngx_hash_add_key(&psk_keys, &key, psk_str, NGX_HASH_READONLY_KEY);
+ }
+
+ if (ngx_close_dir(&dir) == NGX_ERROR) {
+ ngx_log_error(NGX_LOG_CRIT, ssl->log, ngx_errno,
+ ngx_close_dir_n " \"%s\" failed", path->data);
+ }
+
+ psk_hash = ngx_palloc(cf->pool, sizeof(ngx_hash_t));
+
+ hash.hash = psk_hash;
+ hash.key = ngx_hash_key;
+ hash.max_size = psk_hash_max_size;
+ hash.bucket_size = psk_hash_bucket_size;
+ hash.name = "psk_hash";
+ hash.pool = cf->pool;
+ hash.temp_pool = cf->temp_pool;
+
+ if (ngx_hash_init(&hash, psk_keys.keys.elts, psk_keys.keys.nelts)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
+ if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_psk_index, psk_hash) == 0) {
+ ngx_ssl_error(NGX_LOG_ALERT, ssl->log, 0,
+ "SSL_CTX_set_ex_data() failed");
+ return NGX_ERROR;
+ }
+
+ return NGX_OK;
+}
+
+
void
ngx_ssl_cleanup_ctx(void *data)
{
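Review bot: the file name buffer is undersized: `file.name.len = ngx_de_namelen(&dir) + 2` accounts for the entry name, a slash and the terminating NUL, but `ngx_sprintf(file.name.data, "%V/%s%Z", path, ngx_de_name(&dir))` also writes the directory path in front of it, so every iteration writes path->len bytes past the pool allocation; the length must be `path->len + 1 + ngx_de_namelen(&dir) + 1`. Further points in this function: the ngx_read_dir error message passes `&path` to "%V", but path is already an ngx_str_t *, so pass `path` (or use "%s" with path->data as the neighbouring messages do); the results of `ngx_pnalloc(cf->pool, psk_str->len)`, `ngx_hash_add_key()` and `ngx_palloc(cf->pool, sizeof(ngx_hash_t))` are unchecked; every error return between ngx_open_dir() and ngx_close_dir() leaks the directory handle, and those after ngx_open_file() leak the descriptor as well; and because the file is stored verbatim, the expected key format (raw key bytes, including a trailing newline if the file has one) should be documented, since a key written as hex text, the form OpenSSL s_client's -psk option takes, will never match.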
diff -r a38066b79d71 -r 7aa7771191d6 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Thu Jun 01 10:55:04 2017 -0500
+++ b/src/event/ngx_event_openssl.h Thu Jun 01 11:01:05 2017 -0500
@@ -171,6 +171,9 @@
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
ngx_array_t *paths);
+ngx_int_t ngx_ssl_psk_path(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *path,
+ ngx_uint_t psk_hash_max_size,
+ ngx_uint_t psk_hash_bucket_size);
ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
ngx_uint_t flags);
@@ -255,6 +258,7 @@
extern int ngx_ssl_next_certificate_index;
extern int ngx_ssl_certificate_name_index;
extern int ngx_ssl_stapling_index;
+extern int ngx_ssl_psk_index;


#endif /* _NGX_EVENT_OPENSSL_H_INCLUDED_ */
diff -r a38066b79d71 -r 7aa7771191d6 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 10:55:04 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 11:01:05 2017 -0500
@@ -240,6 +240,27 @@
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
NULL },
+
+ { ngx_string("ssl_psk_path"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_str_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, psk_path),
+ NULL },
+
+ { ngx_string("ssl_psk_hash_max_size"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, psk_hash_max_size),
+ NULL },
+
+ { ngx_string("ssl_psk_hash_bucket_size"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_num_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, psk_hash_bucket_size),
+ NULL },

ngx_null_command
};
@@ -546,6 +567,7 @@
* sscf->shm_zone = NULL;
* sscf->stapling_file = { 0, NULL };
* sscf->stapling_responder = { 0, NULL };
+ * sscf->psk_path = { 0, NULL };
*/

sscf->enable = NGX_CONF_UNSET;
@@ -563,6 +585,8 @@
sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
sscf->stapling = NGX_CONF_UNSET;
sscf->stapling_verify = NGX_CONF_UNSET;
+ sscf->psk_hash_max_size = NGX_CONF_UNSET_UINT;
+ sscf->psk_hash_bucket_size = NGX_CONF_UNSET_UINT;

return sscf;
}
@@ -629,6 +653,14 @@
ngx_conf_merge_str_value(conf->stapling_responder,
prev->stapling_responder, "");

+ ngx_conf_merge_str_value(conf->psk_path, prev->psk_path, "");
+ ngx_conf_merge_uint_value(conf->psk_hash_max_size,
+ prev->psk_hash_max_size, 512);
+ ngx_conf_merge_uint_value(conf->psk_hash_bucket_size,
+ prev->psk_hash_bucket_size, 64);
+ conf->psk_hash_bucket_size = ngx_align(conf->psk_hash_bucket_size,
+ ngx_cacheline_size);
+
conf->ssl.log = cf->log;

if (!conf->nocert) {
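Review bot: psk_path is merged as a plain string and handed to ngx_ssl_psk_path() as-is, so a relative directory is opened relative to the process working directory rather than the nginx prefix, unlike other path-valued directives; resolve it with ngx_conf_full_name() here before the call. The bucket size alignment to ngx_cacheline_size follows what the other hash directives do and is fine.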
@@ -815,6 +847,13 @@

}

+ if (ngx_ssl_psk_path(cf, &conf->ssl, &conf->psk_path,
+ conf->psk_hash_max_size, conf->psk_hash_bucket_size)
+ != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
+ }
+
return NGX_CONF_OK;
}

diff -r a38066b79d71 -r 7aa7771191d6 src/http/modules/ngx_http_ssl_module.h
--- a/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 10:55:04 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.h Thu Jun 01 11:01:05 2017 -0500
@@ -56,6 +56,10 @@
ngx_str_t stapling_file;
ngx_str_t stapling_responder;

+ ngx_str_t psk_path;
+ ngx_uint_t psk_hash_max_size;
+ ngx_uint_t psk_hash_bucket_size;
+
u_char *file;
ngx_uint_t line;
} ngx_http_ssl_srv_conf_t;


[PATCH 3 of 3] PSK: add PSK identity variable

# HG changeset patch
# User Nate Karstens <nate.karstens@garmin.com>
# Date 1496332963 18000
# Thu Jun 01 11:02:43 2017 -0500
# Node ID cb09937f63834ab74b49a76b9b158dd0a5871309
# Parent 7aa7771191d61ef635478460017446bca1f6db55
PSK: add PSK identity variable

Adds the variable $ssl_psk_identity to get the PSK identity
used in a connection secured with a PSK cipher suite.

Signed-off-by: Nate Karstens <nate.karstens@garmin.com>

diff -r 7aa7771191d6 -r cb09937f6383 src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c Thu Jun 01 11:01:05 2017 -0500
+++ b/src/event/ngx_event_openssl.c Thu Jun 01 11:02:43 2017 -0500
@@ -4286,6 +4286,33 @@
}


+ngx_int_t
+ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
+{
+ const char *identity;
+ size_t len;
+
+ identity = SSL_get_psk_identity(c->ssl->connection);
+
+ if (identity == NULL) {
+ s->len = 0;
+ return NGX_OK;
+ }
+
+ len = ngx_strlen(identity);
+
+ s->data = ngx_pnalloc(pool, len);
+ if (s->data == NULL) {
+ return NGX_ERROR;
+ }
+
+ ngx_memcpy(s->data, identity, len);
+ s->len = len;
+
+ return NGX_OK;
+}
+
+
static time_t
ngx_ssl_parse_time(
#if OPENSSL_VERSION_NUMBER > 0x10100000L
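Review bot: SSL_get_psk_identity() returns the identity string the client supplied during the handshake, so $ssl_psk_identity is client-controlled data, and the commit message should say so for anyone who might pass it on unescaped in a proxy header or a map; the copy itself, and returning NGX_OK with s->len = 0 for connections that did not negotiate a PSK suite, match the surrounding ssl_* getters.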
diff -r 7aa7771191d6 -r cb09937f6383 src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h Thu Jun 01 11:01:05 2017 -0500
+++ b/src/event/ngx_event_openssl.h Thu Jun 01 11:02:43 2017 -0500
@@ -235,6 +235,8 @@
ngx_str_t *s);
ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
ngx_str_t *s);
+ngx_int_t ngx_ssl_get_psk_identity(ngx_connection_t *c, ngx_pool_t *pool,
+ ngx_str_t *s);


ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
diff -r 7aa7771191d6 -r cb09937f6383 src/http/modules/ngx_http_ssl_module.c
--- a/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 11:01:05 2017 -0500
+++ b/src/http/modules/ngx_http_ssl_module.c Thu Jun 01 11:02:43 2017 -0500
@@ -357,6 +357,9 @@
{ ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
(uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },

+ { ngx_string("ssl_psk_identity"), NULL, ngx_http_ssl_variable,
+ (uintptr_t) ngx_ssl_get_psk_identity, NGX_HTTP_VAR_CHANGEABLE, 0 },
+
{ ngx_null_string, NULL, NULL, 0, 0, 0 }
};


Re: [PATCH 2 of 4] HTTP/2: send SETTINGS ACK after applying all SETTINGS params

On Monday 24 April 2017 15:48:24 Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotrsikora@google.com>
> # Date 1493073310 25200
> # Mon Apr 24 15:35:10 2017 -0700
> # Node ID a8cfd4c454ff5433629bfd16444c6c71ee932fa1
> # Parent 07adf0a7009c3244de4b795c0c06927f4316a87f
> HTTP/2: send SETTINGS ACK after applying all SETTINGS params.
>
> This avoids sending unnecessary SETTINGS ACK in case of PROTOCOL_ERROR.
>
> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
>
> diff -r 07adf0a7009c -r a8cfd4c454ff src/http/v2/ngx_http_v2.c
> --- a/src/http/v2/ngx_http_v2.c
> +++ b/src/http/v2/ngx_http_v2.c
> @@ -1972,8 +1972,6 @@ ngx_http_v2_state_settings(ngx_http_v2_c
> return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR);
> }
>
> - ngx_http_v2_send_settings(h2c, 1);
> -
> return ngx_http_v2_state_settings_params(h2c, pos, end);
> }
>
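Review bot: with the ACK no longer sent here, every path that acknowledges a SETTINGS frame now goes through `ngx_http_v2_state_settings_params`, including a zero-length SETTINGS frame whose loop body never runs; that frame is still acknowledged after the loop, but the commit message only mentions the PROTOCOL_ERROR case, so it is worth stating that the ACK now trails parameter application for every frame.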
> @@ -2037,6 +2035,8 @@ ngx_http_v2_state_settings_params(ngx_ht
> pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE;
> }
>
> + ngx_http_v2_send_settings(h2c, 1);
> +
> if (adjustment) {
> if (ngx_http_v2_adjust_windows(h2c, adjustment) != NGX_OK) {
> return ngx_http_v2_connection_error(h2c,
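Review bot: `ngx_http_v2_send_settings(h2c, 1)` is now issued before the `if (adjustment)` block, and `ngx_http_v2_adjust_windows()` can still fail there with `NGX_HTTP_V2_INTERNAL_ERROR`, so an ACK may still precede a connection error. That is consistent with a message that only promises to avoid the ACK on PROTOCOL_ERROR, but if the goal is that a SETTINGS frame is never acknowledged and then rejected, move the send below that block.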


Looks good.

wbr, Valentin V. Bartenev

Re: [nginx-announce] nginx-1.13.1

I'll give it a try. Thanks Roman!

Best regards,
Kevin
--
Kevin Worthington
kworthington@gmail.com
https://kevinworthington.com/
https://twitter.com/kworthington

On Thu, Jun 1, 2017 at 10:29 AM, Roman Arutyunyan <arut@nginx.com> wrote:

> Hello Kevin,
>
> The issue is fixed by the following commit:
>
> http://hg.nginx.org/nginx/rev/716852cce913
>
> You may apply this change manually to fix the build.
>
> On Tue, May 30, 2017 at 11:28:16AM -0400, Kevin Worthington wrote:
> > Hello!
> >
> > I am getting this error when trying to build on Cygwin:
> >
> > -o objs/src/os/unix/ngx_udp_send.o \
> > src/os/unix/ngx_udp_send.c
> > cc -c -pipe -O -W -Wall -Wpointer-arith -Wno-unused-parameter -Werror -g -D FD_SETSIZE=2048 -I src/core -I src/event -I src/event/modules -I src/os/unix -I /usr/include/libxml2 -I objs \
> > -o objs/src/os/unix/ngx_udp_sendmsg_chain.o \
> > src/os/unix/ngx_udp_sendmsg_chain.c
> > src/os/unix/ngx_udp_sendmsg_chain.c: In function `ngx_sendmsg':
> > src/os/unix/ngx_udp_sendmsg_chain.c:274:16: error: `struct in_pktinfo' has no member named `ipi_spec_dst'
> > pkt->ipi_spec_dst = sin->sin_addr;
> > ^
> > objs/Makefile:847: recipe for target 'objs/src/os/unix/ngx_udp_sendmsg_chain.o' failed
> > make[1]: *** [objs/src/os/unix/ngx_udp_sendmsg_chain.o] Error 1
> > make[1]: Leaving directory '/home/kevin.worthington/nginx-1.13.1'
> > Makefile:8: recipe for target 'build' failed
> > make: *** [build] Error 2
> >
> > Any help is greatly appreciated. Thanks.
> >
> > Best regards,
> > Kevin
> > --
> > Kevin Worthington
> > kworthington AT gmail DOT com
> > https://kevinworthington.com/
> > https://twitter.com/kworthington
> >
> > On Tue, May 30, 2017 at 11:12 AM, Maxim Dounin <mdounin@mdounin.ru>
> wrote:
> >
> > > Changes with nginx 1.13.1 30 May 2017
> > >
> > > *) Feature: now a hostname can be used as the "set_real_ip_from"
> > > directive parameter.
> > >
> > > *) Feature: vim syntax highlighting scripts improvements.
> > >
> > > *) Feature: the "worker_cpu_affinity" directive now works on DragonFly
> > > BSD.
> > > Thanks to Sepherosa Ziehau.
> > >
> > > *) Bugfix: SSL renegotiation on backend connections did not work when
> > > using OpenSSL before 1.1.0.
> > >
> > > *) Workaround: nginx could not be built with Oracle Developer Studio
> > > 12.5.
> > >
> > > *) Workaround: now cache manager ignores long locked cache entries when
> > > cleaning cache based on the "max_size" parameter.
> > >
> > > *) Bugfix: client SSL connections were immediately closed if deferred
> > > accept and the "proxy_protocol" parameter of the "listen" directive
> > > were used.
> > >
> > > *) Bugfix: in the "proxy_cache_background_update" directive.
> > >
> > > *) Workaround: now the "tcp_nodelay" directive sets the TCP_NODELAY
> > > option before an SSL handshake.
> > >
> > >
> > > --
> > > Maxim Dounin
> > > http://nginx.org/
> --
> Roman Arutyunyan

Re: Use primes for hashtable size

Hello!

On Thu, Jun 01, 2017 at 04:54:50PM +0500, Andrew Borodin wrote:

> Hi, Maxim!
>
> 2017-05-30 18:01 GMT+05:00 Maxim Dounin <mdounin@mdounin.ru>:
> >
> > The maximum size of hash table as specified by the hinit->max_size
> > field is indeed maximum size, and not the size of the hash table.
> > Following code in the ngx_hash_init() will try hard to find
> > out an optimal hash size for a given set of values within the
> > maximum size specified, and will test all the prime numbers as
> > well.
> >
> > I see no reasons to additionally limit the maximum size to a prime
> > number. If you think there are some, please be more specific.
> >
> You are right. I've modified the patch to check out primes first, then proceed
> to "hard work". Also I've kolhozed some perf proof of improvement.
> This test creates a hash table of 5000 semirandom strings (not very random,
> just bytes permutated).
> On my Ubuntu VM without the patch hash creation is 92-96ms, with the patch it's
> strictly 0. The "hard work" search tries about 2k sizes before success, the primes
> search hits on the second.
>
> Docs say some words about startup speed and I wanted to apply primes
> somewhere, so here we go.

Thanks, though the suggested change will certainly modify the current
nginx (documented) approach of searching for the minimum possible
hash sizes.

It might be a better solution for large hashes, though, which are
currently optimized by using a larger start size:

if (hinit->max_size > 10000 && nelts && hinit->max_size / nelts < 100) {
start = hinit->max_size - 1000;
}

Not sure it is at all needed though, as I don't remember any
"words about startup speed" in the documentation and startup
speed of hashes wasn't a practical problem as far as I remember.

--
Maxim Dounin
http://nginx.org/

Return all unfound pages to 444

I occasionally have issues with certain IP addresses trying to access locations for scripts that have vulnerabilities. You can see some of these below:

GET /bannerslideradmin/adminhtml_bannerslider/index HTTP/1.1
GET /iwdall/adminhtml_support/index HTTP/1.1
GET /soldtogether/adminhtml_order/index HTTP/1.1

I am running Magento and Nginx 1.13. In my /etc/nginx/sites-enabled/mydomain.com.conf file, I have added the following to block some of the common directories that the scanners are looking for.

# Denied locations require a "^~" to prevent regexes (such as the PHP handler below) from matching
# http://nginx.org/en/docs/http/ngx_http_core_module.html#location
location ^~ /app/ { return 444; }
location ^~ /service-unavailable/ { return 444; }
location ^~ /a2billing/ { return 444; }
location ^~ /sales/guest/form { return 444; }
location ^~ /administrator/ { return 444; }
location ^~ /wp-login.php { return 444; }
location ^~ /wp-admin/ { return 444; }
location ^~ /wp-content/ { return 444; }
location ^~ /wordpress/ { return 444; }
location ^~ /assets/ { return 444; }
location ^~ /plugins/ { return 444; }
location ^~ /wp/ { return 444; }
location ^~ /scripts/ { return 444; }
location ^~ /blog/ { return 444; }
location ^~ /phpmyadmin/ { return 444; }
location ^~ /backup/ { return 444; }
location ^~ /backups/ { return 444; }

This is fine if these match the location of the ones requested. However, there are many more locations that aren't on this list and my website returns a nice and pretty 404 page with the website logo, fancy CSS, javascript and everything else that goes with a modern website. This means RAM gets used on the VPS, RAM usage goes up and it gets slower.

I would like to drop all unknown locations to 444 so that no response gets sent back to the client and minimal resources are used. How can I do this?
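One way to keep the same block list in a single place, as an added example and not the poster's configuration: a map over $uri tested by a server-level if, which runs in the rewrite phase before any location is selected, so the regex PHP handler cannot take precedence over it. It still only matches paths listed in it; nginx cannot tell a valid Magento route from an unknown one before the application does. The front-controller and PHP handler locations are assumed.

```nginx
# Added example: consolidate the probe block list into one map.
# "map" must sit in the http {} context. $uri is the normalised path
# (percent-decoded, query string removed), so patterns are matched
# against the same value the "location" directives see.
map $uri $deny_probe {
    default 0;
    "~^/(wp-login\.php|wp-admin|wp-content|wordpress|wp)(/|$)"        1;
    "~^/(phpmyadmin|backups?|administrator|a2billing)(/|$)"           1;
    "~^/(app|scripts|assets|plugins|blog|service-unavailable)/"       1;
    "~^/sales/guest/form"                                              1;
    # extension admin controllers seen in the poster's access log
    "~/adminhtml_[a-z_]+/index$"                                       1;
}

server {
    listen 80;
    server_name mydomain.com;

    # Evaluated before location matching; "return" inside "if" is one
    # of the documented safe uses, and 444 closes the connection without
    # sending a response.
    if ($deny_probe) {
        return 444;
    }

    # Magento front controller (assumed, not taken from the post)
    location / {
        try_files $uri $uri/ /index.php$is_args$args;
    }

    # The regex handler that a plain prefix location without "^~" would
    # lose to for a request such as /wp-login.php
    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/run/php-fpm.sock;   # assumed socket path
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }
}
```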

Re: [PATCH 3 of 4] HTTP/2: make SETTINGS ACK frame reusable

On Monday 24 April 2017 15:48:25 Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotrsikora@google.com>
> # Date 1493073310 25200
> # Mon Apr 24 15:35:10 2017 -0700
> # Node ID b8d7f4a4d5abb4a27a772910358e263d49c618ef
> # Parent a8cfd4c454ff5433629bfd16444c6c71ee932fa1
> HTTP/2: make SETTINGS ACK frame reusable.
>
> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
>
[..]
> @@ -2495,8 +2503,8 @@ ngx_http_v2_send_settings(ngx_http_v2_co
> ngx_http_v2_srv_conf_t *h2scf;
> ngx_http_v2_out_frame_t *frame;
>
> - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
> - "http2 send SETTINGS frame ack:%ui", ack);
> + ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
> + "http2 send SETTINGS frame params:3");
>
[..]
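Review bot: besides the hardcoded `params:3` count, dropping `ack:%ui` removes the only debug trace that distinguishes a SETTINGS ACK from a full SETTINGS frame; if the ACK becomes a reusable pre-built frame as the subject says, give that path its own `ngx_log_debug0` line (for example "http2 send SETTINGS frame ack") so the two stay distinguishable in debug logs.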

I'm pretty sure that this number will be forgotten to change after
adding new parameters.

Since in another patch you are suggesting to add debug messages to
print each parameter then they will be countable without a problem.

Let it be just:

ngx_log_debug0(NGX_LOG_DEBUG_HTTP, h2c->connection->log, 0,
"http2 send SETTINGS frame");


wbr, Valentin V. Bartenev


Re: [PATCH 4 of 4] HTTP/2: don't send SETTINGS ACK before already queued DATA frames

On Monday 24 April 2017 15:48:26 Piotr Sikora via nginx-devel wrote:
> # HG changeset patch
> # User Piotr Sikora <piotrsikora@google.com>
> # Date 1493073310 25200
> # Mon Apr 24 15:35:10 2017 -0700
> # Node ID 3624fa075acac110a08c0f1c928c545a58c5801f
> # Parent b8d7f4a4d5abb4a27a772910358e263d49c618ef
> HTTP/2: don't send SETTINGS ACK before already queued DATA frames.
>
> Previously, SETTINGS ACK was sent immediately upon receipt of SETTINGS
> frame, before already queued DATA frames created using old SETTINGS.
>
> This incorrect behavior was source of interoperability issues, because
> peers rely on the fact that new SETTINGS are in effect after receiving
> SETTINGS ACK.
>
> Reported by Feng Li.
>
> Signed-off-by: Piotr Sikora <piotrsikora@google.com>
>
> diff -r b8d7f4a4d5ab -r 3624fa075aca src/http/v2/ngx_http_v2.c
> --- a/src/http/v2/ngx_http_v2.c
> +++ b/src/http/v2/ngx_http_v2.c
> @@ -2043,7 +2043,7 @@ ngx_http_v2_state_settings_params(ngx_ht
> return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
> }
>
> - ngx_http_v2_queue_blocked_frame(h2c, frame);
> + ngx_http_v2_queue_ordered_frame(h2c, frame);
>
> if (adjustment) {
> if (ngx_http_v2_adjust_windows(h2c, adjustment) != NGX_OK) {
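Review bot: switching the ACK to `ngx_http_v2_queue_ordered_frame` fixes the ordering the commit message describes, but the ACK now also sits behind every DATA frame already queued, so on a write-blocked connection it is delayed by that backlog; RFC 7540 section 6.5.3 allows a peer to treat an ACK that does not arrive within a reasonable time as a SETTINGS_TIMEOUT connection error. That trade-off deserves a sentence in the commit message.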
> diff -r b8d7f4a4d5ab -r 3624fa075aca src/http/v2/ngx_http_v2.h
> --- a/src/http/v2/ngx_http_v2.h
> +++ b/src/http/v2/ngx_http_v2.h
> @@ -261,6 +261,15 @@ ngx_http_v2_queue_blocked_frame(ngx_http
> }
>
>
> +static ngx_inline void
> +ngx_http_v2_queue_ordered_frame(ngx_http_v2_connection_t *h2c,
> + ngx_http_v2_out_frame_t *frame)
> +{
> + frame->next = h2c->last_out;
> + h2c->last_out = frame;
> +}
> +
> +
> void ngx_http_v2_init(ngx_event_t *rev);
> void ngx_http_v2_request_headers_init(void);
>
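Review bot: `ngx_http_v2_queue_ordered_frame` is a plain push onto `h2c->last_out`, unlike `ngx_http_v2_queue_blocked_frame` just above it, which searches for an insertion point; add a comment stating that this places the frame after everything already queued, because the name "ordered" does not say which end of the queue the frame goes to, and a reader comparing the two helpers has to work it out from the list layout.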

Looks good.

wbr, Valentin V. Bartenev



Re: [PATCH 1 of 4] HTTP/2: emit new frames only after applying all SETTINGS params

On Thursday 01 June 2017 17:48:25 Valentin V. Bartenev wrote:
> On Monday 24 April 2017 15:48:23 Piotr Sikora via nginx-devel wrote:
> > # HG changeset patch
> > # User Piotr Sikora <piotrsikora@google.com>
> > # Date 1493073310 25200
> > # Mon Apr 24 15:35:10 2017 -0700
> > # Node ID 07adf0a7009c3244de4b795c0c06927f4316a87f
> > # Parent 2c4dbcd6f2e4c9c2a1eb8dc1f0d39c99975ae208
> > HTTP/2: emit new frames only after applying all SETTINGS params.
> >
> > Previously, new frames could be emitted in the middle of applying
> > new (and already acknowledged) SETTINGS params, which is illegal.
> >
> > Signed-off-by: Piotr Sikora <piotrsikora@google.com>
> >
> > diff -r 2c4dbcd6f2e4 -r 07adf0a7009c src/http/v2/ngx_http_v2.c
> > --- a/src/http/v2/ngx_http_v2.c
> > +++ b/src/http/v2/ngx_http_v2.c
> > @@ -1982,7 +1982,9 @@ static u_char *
> > ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
> > u_char *end)
> > {
> > - ngx_uint_t id, value;
> > + ngx_uint_t id, value, adjustment;
>
> The new initial window size can be lower than the previous one,
> so the difference can be negative (that's why the delta parameter
> of ngx_http_v2_adjust_windows() is ssize_t).
>
> Please consider the patch below:
>
> diff -r 00015416ae79 src/http/v2/ngx_http_v2.c
> --- a/src/http/v2/ngx_http_v2.c Mon Apr 24 15:35:10 2017 -0700
> +++ b/src/http/v2/ngx_http_v2.c Thu Jun 01 17:45:37 2017 +0300
> @@ -1969,7 +1969,8 @@ static u_char *
> ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
> u_char *end)
> {
> - ngx_uint_t id, value, adjustment;
> + ssize_t window_delta;
> + ngx_uint_t id, value;
>
> adjustment = 0;
>
[..]
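Review bot: the replacement declares `window_delta` but the initialisation two lines below still reads `adjustment = 0;`, which will not compile against this hunk; it has to become `window_delta = 0;` before the patch can be applied.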

Err.. of course here should be "window_delta = 0;".

wbr, Valentin V. Bartenev

Re: Use primes for hashtable size

2017-06-01 22:39 GMT+05:00 Maxim Dounin <mdounin@mdounin.ru>:
> Thanks, though suggested change will certainly modify current
> nginx (documented) approach of searching for minimum possible
> hash sizes.
>
> It might be a better solution for large hashes though, as
> currently optimized by using a larger start size:
>
> if (hinit->max_size > 10000 && nelts && hinit->max_size / nelts < 100) {
> start = hinit->max_size - 1000;
> }

Yeah, maybe put the primes loop under if.

> Not sure it is at all needed though, as I don't remember any
> "words about startup speed" in the documentation and startup
> speed of hashes wasn't a practical problem as far as I remember.


Here https://nginx.ru/en/docs/http/server_names.html
"if nginx’s start time is unacceptably long, try to increase
server_names_hash_bucket_size" It's about allowing more hash
collisions.
But I do not insist, though :) I've done the patch just for fun.

Best regards, Andrey Borodin, Octonica.

Help! backend tomcat server tries to perform Web Sockets handshake (HTTP 101) but Nginx never returns a response back to the client

Hello,

In a Kubernetes cluster, I have an Nginx server acting as a reverse proxy / TLS termination solution that proxies requests to a backend Tomcat application that has some functionalities powered by Web Sockets (SockJS / Stomp). Unfortunately, the Web Sockets handshake never completes successfully.

On the Client side, in my browser, I can see the following messages in the console:
```
Opening Web Socket...
websockets-0.1.min.js:116 Whoops! Lost connection to https://myhost/stomp
```

Followed by a HTTP 504 Gateway Timeout

websockets-0.1.min.js:72 WebSocket connection to 'wss://myhost/stomp/673/ugvpxc1lwmfjnung/websocket' failed: Error during WebSocket handshake: Unexpected response code: 504

--

On the tomcat side I have the following entry in the access log:
0:0:0:0:0:0:0:1,2017-06-01 16:53:36.915 +0000,4,GET,HTTP/1.1,"/stomp/673/ugvpxc1lwmfjnung/websocket",101,-,O,-,blablablabla,-,-,"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36",-,,-,-,-,-,-,-

Whereas, on the nginx access log I have the corresponding:
10.2.89.0 - - [01/Jun/2017:16:54:41 +0000] "GET /stomp/673/ugvpxc1lwmfjnung/websocket HTTP/1.1" 499 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "24.5.136.13"

Now, according to what I've researched, the 499 code is presented when the client closes the connection, but I can't figure out why it would take so long for the response to return to the client. According to the timestamps from these two entries, these two events are separated by ~1 minute. What's going on here?

Here is a snippet from my nginx.conf; any assistance at this point is deeply appreciated:

```
server {
    listen 9965 default_server ssl;
    listen [::]:9965 default_server ssl;

    resolver 127.0.0.1;
    server_name _;

    ssl_certificate /etc/ssl/certs/certificate.pem;
    ssl_certificate_key /etc/ssl/certs/key.pem;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    client_max_body_size 2000M;

    location / {
        proxy_read_timeout 900;

        proxy_pass_header Server;

        proxy_http_version 1.1;
        proxy_set_header Host $host;
        #proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Upgrade 'websocket';
        proxy_set_header Connection "upgrade";

        proxy_pass http://localhost:15010;
    }
}
```

--

Any ideas to troubleshoot this further?

Kindest regards,
--
Marcelo
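For reference, the WebSocket proxying pattern from the nginx documentation (http://nginx.org/en/docs/http/websocket.html), added here as an example and not taken from the post: it forwards the client's own Upgrade header and derives Connection from it, so ordinary requests on the same location are not sent upstream as upgrade requests. The listen port, upstream address and certificate paths are the ones in the post; everything else is assumed.

```nginx
# Added example: the nginx-documented WebSocket proxy pattern.
# "map" must live in the http {} context. $connection_upgrade is
# "upgrade" only when the client actually sent an Upgrade header and
# "close" otherwise, so plain HTTP requests are proxied as usual.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 9965 ssl default_server;
    listen [::]:9965 ssl default_server;
    server_name _;

    ssl_certificate     /etc/ssl/certs/certificate.pem;
    ssl_certificate_key /etc/ssl/certs/key.pem;
    ssl_dhparam         /etc/ssl/certs/dhparam.pem;

    location / {
        proxy_pass http://localhost:15010;

        # HTTP/1.1 is required for the Upgrade mechanism. Upgrade and
        # Connection are hop-by-hop headers that nginx does not forward
        # on its own, so they are set here from what the client sent
        # instead of from constants.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        proxy_set_header Host      $host;
        proxy_set_header X-Real-IP $remote_addr;

        # Once established, the tunnel is closed by nginx if the backend
        # sends nothing for proxy_read_timeout (60s by default), unless
        # the application keeps it alive with traffic or pings.
        proxy_read_timeout 900;
    }
}
```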

Re: nginx-1.13.1

Hello Nginx users,

Now available: Nginx 1.13.1 for Windows
https://kevinworthington.com/nginxwin1131
(32-bit and 64-bit versions)

These versions are to support legacy users who are already using Cygwin
based builds of Nginx. Officially supported native Windows binaries are at
nginx.org.

Announcements are also available here:
Twitter http://twitter.com/kworthington
Google+ https://plus.google.com/+KevinWorthington/

Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail] [dot} {com)
http://kevinworthington.com/
http://twitter.com/kworthington
https://plus.google.com/+KevinWorthington/

On Tue, May 30, 2017 at 11:12 AM, Maxim Dounin <mdounin@mdounin.ru> wrote:

> Changes with nginx 1.13.1 30 May
> 2017
>
> *) Feature: now a hostname can be used as the "set_real_ip_from"
> directive parameter.
>
> *) Feature: vim syntax highlighting scripts improvements.
>
> *) Feature: the "worker_cpu_affinity" directive now works on DragonFly
> BSD.
> Thanks to Sepherosa Ziehau.
>
> *) Bugfix: SSL renegotiation on backend connections did not work when
> using OpenSSL before 1.1.0.
>
> *) Workaround: nginx could not be built with Oracle Developer Studio
> 12.5.
>
> *) Workaround: now cache manager ignores long locked cache entries when
> cleaning cache based on the "max_size" parameter.
>
> *) Bugfix: client SSL connections were immediately closed if deferred
> accept and the "proxy_protocol" parameter of the "listen" directive
> were used.
>
> *) Bugfix: in the "proxy_cache_background_update" directive.
>
> *) Workaround: now the "tcp_nodelay" directive sets the TCP_NODELAY
> option before an SSL handshake.
>
>
> --
> Maxim Dounin
> http://nginx.org/

F5 irule to Nginx

Hi folks!

Long time fan, first time caller!

I am in the middle of trying to migrate away from an F5 BigIP machine to an nginx solution.

Currently I'm stuck with the following irule:

if { [HTTP::status] contains "40" and ( [matchclass $uri ends_with $::images] )} {
log local0. "123 images redirect for status code [HTTP::status] to $uri"
HTTP::redirect "$protocol//123.domain.com/$uri"

This states the following:
- if an HTTP 40x status is returned AND the uri ends with 'images' then redirect to 123.domain.com/$uri

Any help/insight would be appreciated.

Thanks,
me
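An nginx rendering of that iRule, as an added example and not the poster's configuration: error_page with a URL target issues the redirect, and proxy_intercept_errors lets it act on the backend's own 40x responses. The contents of the F5 class $::images are not shown in the post, so the location regex uses the "ends with 'images'" condition as the poster describes it; the upstream address is assumed.

```nginx
# Added example: "40x status on an images URI -> redirect" in nginx terms.
upstream backend {
    server 127.0.0.1:8080;   # assumed backend, not from the post
}

server {
    listen 80;
    server_name www.domain.com;   # assumed; the post does not name the host

    # Only URIs matching the poster's "ends with images" condition get the
    # redirect treatment; everything else is proxied untouched below.
    location ~ images$ {
        proxy_pass http://backend;

        # Without this, 4xx/5xx responses from the backend are passed
        # through unchanged and error_page never sees them.
        proxy_intercept_errors on;

        # [HTTP::status] contains "40" covers the 400..409 range. $scheme
        # and $uri stand in for $protocol and $uri in the iRule; a URL
        # target makes error_page answer with a redirect, here a 302.
        error_page 400 401 402 403 404 405 406 407 408 409
            =302 $scheme://123.domain.com$uri;
    }

    location / {
        proxy_pass http://backend;
    }
}
```

The iRule's log line has no direct equivalent here; the redirect is visible in the access log as a 302 for the matching URI.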

[PATCH 1 of 4] HTTP/2: emit new frames only after applying all SETTINGS params

# HG changeset patch
# User Piotr Sikora <piotrsikora@google.com>
# Date 1493067124 25200
# Mon Apr 24 13:52:04 2017 -0700
# Node ID 1738ed9658e2a9a12370f4c828761a9fd058935d
# Parent ab6ef3037840393752d82fac01ea1eb4f972301c
HTTP/2: emit new frames only after applying all SETTINGS params.

Previously, new frames could be emitted in the middle of applying
new (and already acknowledged) SETTINGS params, which is illegal.

Signed-off-by: Piotr Sikora <piotrsikora@google.com>

diff -r ab6ef3037840 -r 1738ed9658e2 src/http/v2/ngx_http_v2.c
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@@ -1969,8 +1969,11 @@ static u_char *
ngx_http_v2_state_settings_params(ngx_http_v2_connection_t *h2c, u_char *pos,
u_char *end)
{
+ ssize_t window_delta;
ngx_uint_t id, value;

+ window_delta = 0;
+
while (h2c->state.length) {
if (end - pos < NGX_HTTP_V2_SETTINGS_PARAM_SIZE) {
return ngx_http_v2_state_save(h2c, pos, end,
@@ -1995,12 +1998,7 @@ ngx_http_v2_state_settings_params(ngx_ht
NGX_HTTP_V2_FLOW_CTRL_ERROR);
}

- if (ngx_http_v2_adjust_windows(h2c, value - h2c->init_window)
- != NGX_OK)
- {
- return ngx_http_v2_connection_error(h2c,
- NGX_HTTP_V2_INTERNAL_ERROR);
- }
+ window_delta = value - h2c->init_window;

h2c->init_window = value;
break;
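Review bot: `window_delta = value - h2c->init_window;` loses any earlier delta when the same SETTINGS frame carries SETTINGS_INITIAL_WINDOW_SIZE more than once, which RFC 7540 does not forbid (section 6.5.3 only requires values to be processed in order): `h2c->init_window` advances on every occurrence, but only the last difference reaches `ngx_http_v2_adjust_windows()` after the loop, so the stream windows are adjusted by (last - previous) instead of (last - original). The pre-patch code applied each delta as it went; `window_delta += value - h2c->init_window;` keeps the sum. Separately, both operands are unsigned and the result is stored in an `ssize_t`; the wrap-around yields the intended negative value on two's-complement targets, but an explicit cast would make that intent visible.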
@@ -2028,6 +2026,13 @@ ngx_http_v2_state_settings_params(ngx_ht
pos += NGX_HTTP_V2_SETTINGS_PARAM_SIZE;
}

+ if (window_delta) {
+ if (ngx_http_v2_adjust_windows(h2c, window_delta) != NGX_OK) {
+ return ngx_http_v2_connection_error(h2c,
+ NGX_HTTP_V2_INTERNAL_ERROR);
+ }
+ }
+
return ngx_http_v2_state_complete(h2c, pos, end);
}
