Fijxu
/
nginx-quic
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merged with the default branch.

This commit is contained in:
Sergey Kandaurov 2022-07-26 19:54:11 +04:00
parent f2bc2e05d0 15d70dbd7d
commit 03b740ba06
12 changed files with 381 additions and 44 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

66
docs/xml/nginx/changes.xml
View File

@ -5,6 +5,72 @@
<change_log title="nginx">
<changes ver="1.23.1" date="2022-07-19">
<change type="feature">
<para lang="ru">
оптимизация использования памяти
в конфигурациях с SSL-проксированием.
</para>
<para lang="en">
memory usage optimization
in configurations with SSL proxying.
</para>
</change>
<change type="feature">
<para lang="ru">
теперь с помощью параметра "ipv4=off" директивы "resolver"
можно запретить поиск IPv4-адресов при преобразовании имён в адреса.
</para>
<para lang="en">
looking up of IPv4 addresses while resolving now can be disabled
with the "ipv4=off" parameter of the "resolver" directive.
</para>
</change>
<change type="change">
<para lang="ru">
уровень логгирования ошибок SSL "bad key share", "bad extension",
"bad cipher" и "bad ecpoint"
понижен с уровня crit до info.
</para>
<para lang="en">
the logging level of the "bad key share", "bad extension",
"bad cipher", and "bad ecpoint" SSL errors
has been lowered from "crit" to "info".
</para>
</change>
<change type="bugfix">
<para lang="ru">
при возврате диапазонов
nginx не удалял строку заголовка "Content-Range",
если она присутствовала в исходном ответе бэкенда.
</para>
<para lang="en">
while returning byte ranges
nginx did not remove the "Content-Range" header line
if it was present in the original backend response.
</para>
</change>
<change type="bugfix">
<para lang="ru">
проксированный ответ мог быть отправлен не полностью
при переконфигурации на Linux;
ошибка появилась в 1.17.5.
</para>
<para lang="en">
a proxied response might be truncated
during reconfiguration on Linux;
the bug had appeared in 1.17.5.
</para>
</change>
</changes>
<changes ver="1.23.0" date="2022-06-21">
<change>

2
misc/GNUmakefile
View File

@ -6,7 +6,7 @@ TEMP = tmp
CC = cl
OBJS = objs.msvc8
OPENSSL = openssl-1.1.1p
OPENSSL = openssl-1.1.1q
ZLIB = zlib-1.2.12
PCRE = pcre2-10.39

4
src/core/nginx.h
View File

@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_
#define nginx_version 1023000
#define NGINX_VERSION "1.23.0"
#define nginx_version 1023001
#define NGINX_VERSION "1.23.1"
#define NGINX_VER "nginx/" NGINX_VERSION
#ifdef NGX_BUILD

60
src/core/ngx_resolver.c
View File

@ -157,6 +157,8 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
cln->handler = ngx_resolver_cleanup;
cln->data = r;
r->ipv4 = 1;
ngx_rbtree_init(&r->name_rbtree, &r->name_sentinel,
ngx_resolver_rbtree_insert_value);
@ -225,6 +227,23 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
}
#if (NGX_HAVE_INET6)
if (ngx_strncmp(names[i].data, "ipv4=", 5) == 0) {
if (ngx_strcmp(&names[i].data[5], "on") == 0) {
r->ipv4 = 1;
} else if (ngx_strcmp(&names[i].data[5], "off") == 0) {
r->ipv4 = 0;
} else {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"invalid parameter: %V", &names[i]);
return NULL;
}
continue;
}
if (ngx_strncmp(names[i].data, "ipv6=", 5) == 0) {
if (ngx_strcmp(&names[i].data[5], "on") == 0) {
@ -273,6 +292,14 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
}
}
#if (NGX_HAVE_INET6)
if (r->ipv4 + r->ipv6 == 0) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
"\"ipv4\" and \"ipv6\" cannot both be \"off\"");
return NULL;
}
#endif
if (n && r->connections.nelts == 0) {
ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "no name servers defined");
return NULL;
@ -836,7 +863,7 @@ ngx_resolve_name_locked(ngx_resolver_t *r, ngx_resolver_ctx_t *ctx,
r->last_connection = 0;
}
rn->naddrs = (u_short) -1;
rn->naddrs = r->ipv4 ? (u_short) -1 : 0;
rn->tcp = 0;
#if (NGX_HAVE_INET6)
rn->naddrs6 = r->ipv6 ? (u_short) -1 : 0;
@ -1263,7 +1290,7 @@ ngx_resolver_send_query(ngx_resolver_t *r, ngx_resolver_node_t *rn)
rec->log.action = "resolving";
}
if (rn->naddrs == (u_short) -1) {
if (rn->query && rn->naddrs == (u_short) -1) {
rc = rn->tcp ? ngx_resolver_send_tcp_query(r, rec, rn->query, rn->qlen)
: ngx_resolver_send_udp_query(r, rec, rn->query, rn->qlen);
@ -1765,10 +1792,13 @@ ngx_resolver_process_response(ngx_resolver_t *r, u_char *buf, size_t n,
q = ngx_queue_next(q))
{
rn = ngx_queue_data(q, ngx_resolver_node_t, queue);
qident = (rn->query[0] << 8) + rn->query[1];
if (qident == ident) {
goto dns_error_name;
if (rn->query) {
qident = (rn->query[0] << 8) + rn->query[1];
if (qident == ident) {
goto dns_error_name;
}
}
#if (NGX_HAVE_INET6)
@ -3645,7 +3675,7 @@ ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
len = sizeof(ngx_resolver_hdr_t) + nlen + sizeof(ngx_resolver_qs_t);
#if (NGX_HAVE_INET6)
p = ngx_resolver_alloc(r, r->ipv6 ? len * 2 : len);
p = ngx_resolver_alloc(r, len * (r->ipv4 + r->ipv6));
#else
p = ngx_resolver_alloc(r, len);
#endif
@ -3658,19 +3688,21 @@ ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
#if (NGX_HAVE_INET6)
if (r->ipv6) {
rn->query6 = p + len;
rn->query6 = r->ipv4 ? (p + len) : p;
}
#endif
query = (ngx_resolver_hdr_t *) p;
ident = ngx_random();
if (r->ipv4) {
ident = ngx_random();
ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
"resolve: \"%V\" A %i", name, ident & 0xffff);
ngx_log_debug2(NGX_LOG_DEBUG_CORE, r->log, 0,
"resolve: \"%V\" A %i", name, ident & 0xffff);
query->ident_hi = (u_char) ((ident >> 8) & 0xff);
query->ident_lo = (u_char) (ident & 0xff);
query->ident_hi = (u_char) ((ident >> 8) & 0xff);
query->ident_lo = (u_char) (ident & 0xff);
}
/* recursion query */
query->flags_hi = 1; query->flags_lo = 0;
@ -3731,7 +3763,9 @@ ngx_resolver_create_name_query(ngx_resolver_t *r, ngx_resolver_node_t *rn,
p = rn->query6;
ngx_memcpy(p, rn->query, rn->qlen);
if (r->ipv4) {
ngx_memcpy(p, rn->query, rn->qlen);
}
query = (ngx_resolver_hdr_t *) p;

4
src/core/ngx_resolver.h
View File

@ -175,8 +175,10 @@ struct ngx_resolver_s {
ngx_queue_t srv_expire_queue;
ngx_queue_t addr_expire_queue;
unsigned ipv4:1;
#if (NGX_HAVE_INET6)
ngx_uint_t ipv6; /* unsigned ipv6:1; */
unsigned ipv6:1;
ngx_rbtree_t addr6_rbtree;
ngx_rbtree_node_t addr6_sentinel;
ngx_queue_t addr6_resend_queue;

12
src/event/ngx_event_openssl.c
View File

@ -3350,6 +3350,12 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
#ifdef SSL_R_NO_SUITABLE_KEY_SHARE
|| n == SSL_R_NO_SUITABLE_KEY_SHARE /* 101 */
#endif
#ifdef SSL_R_BAD_KEY_SHARE
|| n == SSL_R_BAD_KEY_SHARE /* 108 */
#endif
#ifdef SSL_R_BAD_EXTENSION
|| n == SSL_R_BAD_EXTENSION /* 110 */
#endif
#ifdef SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM
|| n == SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM /* 118 */
#endif
@ -3364,6 +3370,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
|| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
#endif
|| n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */
#ifdef SSL_R_BAD_CIPHER
|| n == SSL_R_BAD_CIPHER /* 186 */
#endif
|| n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */
|| n == SSL_R_NO_SHARED_CIPHER /* 193 */
|| n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */
@ -3398,6 +3407,9 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
#ifdef SSL_R_APPLICATION_DATA_ON_SHUTDOWN
|| n == SSL_R_APPLICATION_DATA_ON_SHUTDOWN /* 291 */
#endif
#ifdef SSL_R_BAD_ECPOINT
|| n == SSL_R_BAD_ECPOINT /* 306 */
#endif
#ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
|| n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */
|| n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */

66
src/http/modules/ngx_http_grpc_module.c
View File

@ -209,6 +209,8 @@ static char *ngx_http_grpc_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
static char *ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_http_grpc_merge_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *conf, ngx_http_grpc_loc_conf_t *prev);
static ngx_int_t ngx_http_grpc_set_ssl(ngx_conf_t *cf,
ngx_http_grpc_loc_conf_t *glcf);
#endif
@ -562,7 +564,7 @@ ngx_http_grpc_handler(ngx_http_request_t *r)
ctx->host = glcf->host;
#if (NGX_HTTP_SSL)
u->ssl = (glcf->upstream.ssl != NULL);
u->ssl = glcf->ssl;
if (u->ssl) {
ngx_str_set(&u->schema, "grpcs://");
@ -4463,6 +4465,10 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
#if (NGX_HTTP_SSL)
if (ngx_http_grpc_merge_ssl(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}
ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
prev->upstream.ssl_session_reuse, 1);
@ -4524,7 +4530,7 @@ ngx_http_grpc_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
conf->grpc_values = prev->grpc_values;
#if (NGX_HTTP_SSL)
conf->upstream.ssl = prev->upstream.ssl;
conf->ssl = prev->ssl;
#endif
}
@ -4873,18 +4879,64 @@ ngx_http_grpc_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
}
static ngx_int_t
ngx_http_grpc_merge_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *conf,
ngx_http_grpc_loc_conf_t *prev)
{
ngx_uint_t preserve;
if (conf->ssl_protocols == 0
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
&& conf->ssl_crl.data == NULL
&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
{
if (prev->upstream.ssl) {
conf->upstream.ssl = prev->upstream.ssl;
return NGX_OK;
}
preserve = 1;
} else {
preserve = 0;
}
conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (conf->upstream.ssl == NULL) {
return NGX_ERROR;
}
conf->upstream.ssl->log = cf->log;
/*
* special handling to preserve conf->upstream.ssl
* in the "http" section to inherit it to all servers
*/
if (preserve) {
prev->upstream.ssl = conf->upstream.ssl;
}
return NGX_OK;
}
static ngx_int_t
ngx_http_grpc_set_ssl(ngx_conf_t *cf, ngx_http_grpc_loc_conf_t *glcf)
{
ngx_pool_cleanup_t *cln;
glcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (glcf->upstream.ssl == NULL) {
return NGX_ERROR;
if (glcf->upstream.ssl->ctx) {
return NGX_OK;
}
glcf->upstream.ssl->log = cf->log;
if (ngx_ssl_create(glcf->upstream.ssl, glcf->ssl_protocols, NULL)
!= NGX_OK)
{

66
src/http/modules/ngx_http_proxy_module.c
View File

@ -236,6 +236,8 @@ static ngx_int_t ngx_http_proxy_rewrite_regex(ngx_conf_t *cf,
ngx_http_proxy_rewrite_t *pr, ngx_str_t *regex, ngx_uint_t caseless);
#if (NGX_HTTP_SSL)
static ngx_int_t ngx_http_proxy_merge_ssl(ngx_conf_t *cf,
ngx_http_proxy_loc_conf_t *conf, ngx_http_proxy_loc_conf_t *prev);
static ngx_int_t ngx_http_proxy_set_ssl(ngx_conf_t *cf,
ngx_http_proxy_loc_conf_t *plcf);
#endif
@ -959,7 +961,7 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
ctx->vars = plcf->vars;
u->schema = plcf->vars.schema;
#if (NGX_HTTP_SSL)
u->ssl = (plcf->upstream.ssl != NULL);
u->ssl = plcf->ssl;
#endif
} else {
@ -3724,6 +3726,10 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
#if (NGX_HTTP_SSL)
if (ngx_http_proxy_merge_ssl(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}
ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
prev->upstream.ssl_session_reuse, 1);
@ -3857,7 +3863,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
conf->proxy_values = prev->proxy_values;
#if (NGX_HTTP_SSL)
conf->upstream.ssl = prev->upstream.ssl;
conf->ssl = prev->ssl;
#endif
}
@ -4922,18 +4928,64 @@ ngx_http_proxy_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
}
static ngx_int_t
ngx_http_proxy_merge_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf,
ngx_http_proxy_loc_conf_t *prev)
{
ngx_uint_t preserve;
if (conf->ssl_protocols == 0
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
&& conf->ssl_crl.data == NULL
&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
{
if (prev->upstream.ssl) {
conf->upstream.ssl = prev->upstream.ssl;
return NGX_OK;
}
preserve = 1;
} else {
preserve = 0;
}
conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (conf->upstream.ssl == NULL) {
return NGX_ERROR;
}
conf->upstream.ssl->log = cf->log;
/*
* special handling to preserve conf->upstream.ssl
* in the "http" section to inherit it to all servers
*/
if (preserve) {
prev->upstream.ssl = conf->upstream.ssl;
}
return NGX_OK;
}
static ngx_int_t
ngx_http_proxy_set_ssl(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *plcf)
{
ngx_pool_cleanup_t *cln;
plcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (plcf->upstream.ssl == NULL) {
return NGX_ERROR;
if (plcf->upstream.ssl->ctx) {
return NGX_OK;
}
plcf->upstream.ssl->log = cf->log;
if (ngx_ssl_create(plcf->upstream.ssl, plcf->ssl_protocols, NULL)
!= NGX_OK)
{

13
src/http/modules/ngx_http_range_filter_module.c
View File

@ -425,6 +425,10 @@ ngx_http_range_singlepart_header(ngx_http_request_t *r,
return NGX_ERROR;
}
if (r->headers_out.content_range) {
r->headers_out.content_range->hash = 0;
}
r->headers_out.content_range = content_range;
content_range->hash = 1;
@ -582,6 +586,11 @@ ngx_http_range_multipart_header(ngx_http_request_t *r,
r->headers_out.content_length = NULL;
}
if (r->headers_out.content_range) {
r->headers_out.content_range->hash = 0;
r->headers_out.content_range = NULL;
}
return ngx_http_next_header_filter(r);
}
@ -598,6 +607,10 @@ ngx_http_range_not_satisfiable(ngx_http_request_t *r)
return NGX_ERROR;
}
if (r->headers_out.content_range) {
r->headers_out.content_range->hash = 0;
}
r->headers_out.content_range = content_range;
content_range->hash = 1;

66
src/http/modules/ngx_http_uwsgi_module.c
View File

@ -96,6 +96,8 @@ static char *ngx_http_uwsgi_ssl_password_file(ngx_conf_t *cf,
ngx_command_t *cmd, void *conf);
static char *ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post,
void *data);
static ngx_int_t ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf,
ngx_http_uwsgi_loc_conf_t *conf, ngx_http_uwsgi_loc_conf_t *prev);
static ngx_int_t ngx_http_uwsgi_set_ssl(ngx_conf_t *cf,
ngx_http_uwsgi_loc_conf_t *uwcf);
#endif
@ -668,7 +670,7 @@ ngx_http_uwsgi_handler(ngx_http_request_t *r)
if (uwcf->uwsgi_lengths == NULL) {
#if (NGX_HTTP_SSL)
u->ssl = (uwcf->upstream.ssl != NULL);
u->ssl = uwcf->ssl;
if (u->ssl) {
ngx_str_set(&u->schema, "suwsgi://");
@ -1865,6 +1867,10 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
#if (NGX_HTTP_SSL)
if (ngx_http_uwsgi_merge_ssl(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}
ngx_conf_merge_value(conf->upstream.ssl_session_reuse,
prev->upstream.ssl_session_reuse, 1);
@ -1927,7 +1933,7 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
conf->uwsgi_values = prev->uwsgi_values;
#if (NGX_HTTP_SSL)
conf->upstream.ssl = prev->upstream.ssl;
conf->ssl = prev->ssl;
#endif
}
@ -2454,18 +2460,64 @@ ngx_http_uwsgi_ssl_conf_command_check(ngx_conf_t *cf, void *post, void *data)
}
static ngx_int_t
ngx_http_uwsgi_merge_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *conf,
ngx_http_uwsgi_loc_conf_t *prev)
{
ngx_uint_t preserve;
if (conf->ssl_protocols == 0
&& conf->ssl_ciphers.data == NULL
&& conf->upstream.ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_certificate_key == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->upstream.ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
&& conf->ssl_crl.data == NULL
&& conf->upstream.ssl_session_reuse == NGX_CONF_UNSET
&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
{
if (prev->upstream.ssl) {
conf->upstream.ssl = prev->upstream.ssl;
return NGX_OK;
}
preserve = 1;
} else {
preserve = 0;
}
conf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (conf->upstream.ssl == NULL) {
return NGX_ERROR;
}
conf->upstream.ssl->log = cf->log;
/*
* special handling to preserve conf->upstream.ssl
* in the "http" section to inherit it to all servers
*/
if (preserve) {
prev->upstream.ssl = conf->upstream.ssl;
}
return NGX_OK;
}
static ngx_int_t
ngx_http_uwsgi_set_ssl(ngx_conf_t *cf, ngx_http_uwsgi_loc_conf_t *uwcf)
{
ngx_pool_cleanup_t *cln;
uwcf->upstream.ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (uwcf->upstream.ssl == NULL) {
return NGX_ERROR;
if (uwcf->upstream.ssl->ctx) {
return NGX_OK;
}
uwcf->upstream.ssl->log = cf->log;
if (ngx_ssl_create(uwcf->upstream.ssl, uwcf->ssl_protocols, NULL)
!= NGX_OK)
{

2
src/os/unix/ngx_readv_chain.c
View File

@ -46,6 +46,7 @@ ngx_readv_chain(ngx_connection_t *c, ngx_chain_t *chain, off_t limit)
return 0;
} else {
rev->ready = 0;
return NGX_AGAIN;
}
}
@ -63,6 +64,7 @@ ngx_readv_chain(ngx_connection_t *c, ngx_chain_t *chain, off_t limit)
rev->pending_eof, rev->available);
if (rev->available == 0 && !rev->pending_eof) {
rev->ready = 0;
return NGX_AGAIN;
}
}

64
src/stream/ngx_stream_proxy_module.c
View File

@ -103,6 +103,8 @@ static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_ssl_certificate(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_merge_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *conf, ngx_stream_proxy_srv_conf_t *prev);
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *pscf);
@ -801,7 +803,7 @@ ngx_stream_proxy_init_upstream(ngx_stream_session_t *s)
#if (NGX_STREAM_SSL)
if (pc->type == SOCK_STREAM && pscf->ssl) {
if (pc->type == SOCK_STREAM && pscf->ssl_enable) {
if (u->proxy_protocol) {
if (ngx_stream_proxy_send_proxy_protocol(s) != NGX_OK) {
@ -2165,6 +2167,10 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
#if (NGX_STREAM_SSL)
if (ngx_stream_proxy_merge_ssl(cf, conf, prev) != NGX_OK) {
return NGX_CONF_ERROR;
}
ngx_conf_merge_value(conf->ssl_enable, prev->ssl_enable, 0);
ngx_conf_merge_value(conf->ssl_session_reuse,
@ -2213,18 +2219,64 @@ ngx_stream_proxy_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
#if (NGX_STREAM_SSL)
static ngx_int_t
ngx_stream_proxy_merge_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *conf,
ngx_stream_proxy_srv_conf_t *prev)
{
ngx_uint_t preserve;
if (conf->ssl_protocols == 0
&& conf->ssl_ciphers.data == NULL
&& conf->ssl_certificate == NGX_CONF_UNSET_PTR
&& conf->ssl_certificate_key == NGX_CONF_UNSET_PTR
&& conf->ssl_passwords == NGX_CONF_UNSET_PTR
&& conf->ssl_verify == NGX_CONF_UNSET
&& conf->ssl_verify_depth == NGX_CONF_UNSET_UINT
&& conf->ssl_trusted_certificate.data == NULL
&& conf->ssl_crl.data == NULL
&& conf->ssl_session_reuse == NGX_CONF_UNSET
&& conf->ssl_conf_commands == NGX_CONF_UNSET_PTR)
{
if (prev->ssl) {
conf->ssl = prev->ssl;
return NGX_OK;
}
preserve = 1;
} else {
preserve = 0;
}
conf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (conf->ssl == NULL) {
return NGX_ERROR;
}
conf->ssl->log = cf->log;
/*
* special handling to preserve conf->ssl
* in the "stream" section to inherit it to all servers
*/
if (preserve) {
prev->ssl = conf->ssl;
}
return NGX_OK;
}
static ngx_int_t
ngx_stream_proxy_set_ssl(ngx_conf_t *cf, ngx_stream_proxy_srv_conf_t *pscf)
{
ngx_pool_cleanup_t *cln;
pscf->ssl = ngx_pcalloc(cf->pool, sizeof(ngx_ssl_t));
if (pscf->ssl == NULL) {
return NGX_ERROR;
if (pscf->ssl->ctx) {
return NGX_OK;
}
pscf->ssl->log = cf->log;
if (ngx_ssl_create(pscf->ssl, pscf->ssl_protocols, NULL) != NGX_OK) {
return NGX_ERROR;
}