BBlack has uploaded a new change for review. (
https://gerrit.wikimedia.org/r/386195 )
Change subject: new patch: configurable ssl_do_wait_shutdown
......................................................................
new patch: configurable ssl_do_wait_shutdown
Change-Id: Ib2369818ad18643235a67602271bfd9890b15a0c
---
A debian/patches/0700-do-wait-shutdown.patch
M debian/patches/series
2 files changed, 78 insertions(+), 0 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/software/nginx
refs/changes/95/386195/1
diff --git a/debian/patches/0700-do-wait-shutdown.patch
b/debian/patches/0700-do-wait-shutdown.patch
new file mode 100644
index 0000000..4503cc9
--- /dev/null
+++ b/debian/patches/0700-do-wait-shutdown.patch
@@ -0,0 +1,77 @@
+diff --git a/src/http/modules/ngx_http_ssl_module.c
b/src/http/modules/ngx_http_ssl_module.c
+index 7d62176e0..4ee20fc47 100644
+--- a/src/http/modules/ngx_http_ssl_module.c
++++ b/src/http/modules/ngx_http_ssl_module.c
+@@ -234,6 +234,13 @@ static ngx_command_t ngx_http_ssl_commands[] = {
+ offsetof(ngx_http_ssl_srv_conf_t, stapling_verify),
+ NULL },
+
++ { ngx_string("ssl_do_wait_shutdown"),
++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
++ ngx_conf_set_flag_slot,
++ NGX_HTTP_SRV_CONF_OFFSET,
++ offsetof(ngx_http_ssl_srv_conf_t, do_wait_shutdown),
++ NULL },
++
+ ngx_null_command
+ };
+
+@@ -559,6 +566,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
+ sscf->session_ticket_keys = NGX_CONF_UNSET_PTR;
+ sscf->stapling = NGX_CONF_UNSET;
+ sscf->stapling_verify = NGX_CONF_UNSET;
++ sscf->do_wait_shutdown = NGX_CONF_UNSET;
+
+ return sscf;
+ }
+@@ -624,6 +632,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent,
void *child)
+ ngx_conf_merge_str_value(conf->stapling_responder,
+ prev->stapling_responder, "");
+
++ ngx_conf_merge_value(conf->do_wait_shutdown, prev->do_wait_shutdown, 0);
++
+ conf->ssl.log = cf->log;
+
+ if (conf->enable) {
+diff --git a/src/http/modules/ngx_http_ssl_module.h
b/src/http/modules/ngx_http_ssl_module.h
+index 57f5941d4..94021cea2 100644
+--- a/src/http/modules/ngx_http_ssl_module.h
++++ b/src/http/modules/ngx_http_ssl_module.h
+@@ -57,6 +57,8 @@ typedef struct {
+
+ u_char *file;
+ ngx_uint_t line;
++
++ ngx_flag_t do_wait_shutdown;
+ } ngx_http_ssl_srv_conf_t;
+
+
+diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
+index de1b20270..77ecf3f6e 100644
+--- a/src/http/ngx_http_request.c
++++ b/src/http/ngx_http_request.c
+@@ -777,6 +777,8 @@ static void
+ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
+ {
+ if (c->ssl->handshaked) {
++ ngx_http_connection_t *hc;
++ ngx_http_ssl_srv_conf_t *sscf;
+
+ /*
+ * The majority of browsers do not send the "close notify" alert.
+@@ -786,7 +788,14 @@ ngx_http_ssl_handshake_handler(ngx_connection_t *c)
+ * Opera and recent Mozilla send the alert.
+ */
+
+- c->ssl->no_wait_shutdown = 1;
++ /*
++ * Experiment: configurable as "ssl_do_wait_shutdown on;" to try
++ * waiting on the close notifications and avoiding RST.
++ */
++ hc = c->data;
++ sscf = ngx_http_get_module_srv_conf(hc->conf_ctx,
ngx_http_ssl_module);
++ if (!sscf->do_wait_shutdown)
++ c->ssl->no_wait_shutdown = 1;
+
+ #if (NGX_HTTP_V2
\
+ && (defined TLSEXT_TYPE_application_layer_protocol_negotiation
\
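Review bot: With `ssl_do_wait_shutdown on`, the new branch at `if (!sscf->do_wait_shutdown)` in ngx_http_ssl_handshake_handler leaves `no_wait_shutdown` clear, so closing a connection then depends on the peer sending close_notify, which the comment kept just above says most browsers never do. Nothing in this patch bounds that wait; the shutdown path and whatever timer it uses are outside the hunk, so confirm what limits how long an idle or unresponsive client can hold a connection slot, and record it in the comment, e.g. `/* waits for peer close_notify; bounded only by the SSL shutdown timeout */`. The value is read through `hc->conf_ctx` at handshake time, so presumably the setting of the server selected during the handshake applies rather than the one later matched by Host; worth stating next to the directive. The `if` also omits braces, unlike the surrounding code (`if (conf->enable) {`): write `if (!sscf->do_wait_shutdown) {`, `c->ssl->no_wait_shutdown = 1;`, `}`. The function body continues past the end of the hunk.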
diff --git a/debian/patches/series b/debian/patches/series
index 5fd5e46..9aad26c 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -4,3 +4,4 @@
0500-ssl-curve.patch
0600-stapling-multi-file.patch
0660-version-too-low.patch
+0700-do-wait-shutdown.patch
--
To view, visit https://gerrit.wikimedia.org/r/386195
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib2369818ad18643235a67602271bfd9890b15a0c
Gerrit-PatchSet: 1
Gerrit-Project: operations/software/nginx
Gerrit-Branch: wmf-1.13
Gerrit-Owner: BBlack <[email protected]>