Hi Valentin, Sorry, I've sent the mail incidentally before I complete it ;)
ssl_proxy_cores # ./nginx -V
nginx version: nginx/1.10.3
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.4)
built with OpenSSL 1.0.2g 1 Mar 2016 (running with OpenSSL 1.0.2g-fips 1
Mar 2016)
TLS SNI support enabled
configure arguments: --prefix=/cdn/nginx_ssl_proxy --with-cc-opt='-O0 -g
-ggdb -march=core2' --with-debug --with-http_geoip_module
--with-http_realip_module --with-http_ssl_module
--without-http_charset_module --without-http_ssi_module
--without-http_userid_module --without-http_autoindex_module
--without-http_scgi_module --without-http_uwsgi_module
--without-http_fastcgi_module --without-http_limit_conn_module
--without-http_split_clients_module --without-http_limit_req_module
--with-http_stub_status_module --with-http_v2_module
and some variables values :
(gdb) p q
$1 = (ngx_queue_t *) 0x3fb0ab0
(gdb) p * q
$2 = {prev = 0xd3210507e0f72630, next = 0x5f5ded63e9edd904}
(gdb) p h2c->waiting
$3 = {prev = 0x3ac6ea0, next = 0x3fb0ab0}
and here is the config
nginx.conf:
# SSL Proxy config for **************
user cdnuser cdnuser;
worker_processes auto;
pid /cdn/tmp/nginx_ssl_proxy.pid;
#error_log logs/error.nginx.log debug;
error_log /dev/null error;
worker_rlimit_nofile 73728;
worker_rlimit_core 10240M;
working_directory /cdn/tmp/ssl_proxy_cores/;
events {
worker_connections 24576;
use epoll;
}
http {
include mime.types;
default_type application/octet-stream;
reset_timedout_connection on;
client_header_timeout 60s;
client_body_timeout 60s;
send_timeout 60s;
client_header_buffer_size 16k;
large_client_header_buffers 4 16k;
client_body_buffer_size 1k;
client_max_body_size 1k;
connection_pool_size 512;
server_names_hash_bucket_size 4096;
server_names_hash_max_size 4096;
request_pool_size 8k;
output_buffers 1 256k;
postpone_output 1460;
proxy_buffers 8 8k;
sendfile on;
tcp_nopush off;
tcp_nodelay on;
keepalive_timeout 60 20;
keepalive_requests 256;
ignore_invalid_headers on;
recursive_error_pages on;
resolver **********;
resolver_timeout 5s;
#------------------------
# SSL
#------------------------
ssl_ciphers '*************************************';
ssl_prefer_server_ciphers on;
ssl_session_timeout 15m;
ssl_session_cache shared:SSL:50m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_session_tickets on;
ssl_stapling on;
ssl_dhparam /cdn/ssl_certs/common/dhparam2048.pem;
ssl_buffer_size 16k;
#------------------------
# GeoIP
#------------------------
geoip_country /usr/share/GeoIP/GeoIP.dat;
set_real_ip_from 127.0.0.1;
real_ip_header X-Forwarded-For;
#------------------------
# Dynamic config stuff
#------------------------
variables_hash_max_size 2048;
variables_hash_bucket_size 256;
#------------------------
# Log Formats
#------------------------
log_format cdn_ssl_log
'``$connection``$connection_requests``$remote_addr``$geoip_city_country_code``$http_host``$request``$status``$request_method``$http_range``$bytes_sent``$body_bytes_sent``$request_time``$http_user_agent``$http_referer``$https``$http2``$sent_http_content_type``$sent_http_content_length``$sent_http_location``$sent_http_connection``$sent_http_keep_alive``$sent_http_transfer_encoding``$sent_http_cache_control``$sent_http_content_range``$sent_http_expires``$tcpinfo_rtt``$tcpinfo_rttvar``$tcpinfo_snd_cwnd``$tcpinfo_rcv_space``$upstream_addr``$upstream_connect_time``$upstream_cache_status``$upstream_status``$upstream_response_time``$upstream_response_length``$server_protocol``$ssl_cipher``$ssl_protocol``$ssl_server_name``$ssl_session_reused`';
access_log syslog:server=**********,tag=rp_ssl_log cdn_ssl_log;
#------------------------
# Default and Main Server
#------------------------
upstream local_rp {
server unix:/cdn/tmp/nginx.sock;
keepalive 16;
}
#------------------------
# *.ssl.ucdn.com server block
#------------------------
server {
listen *:443 ssl http2;
server_name *.ssl.ucdn.com;
ssl_certificate /cdn/ssl_certs/shared/ssl.ucdn.com.crt;
ssl_certificate_key /cdn/ssl_certs/shared/ssl.ucdn.com.key;
proxy_http_version "1.1";
proxy_set_header Connection "";
proxy_intercept_errors on;
proxy_max_temp_file_size 0;
proxy_connect_timeout 10s;
proxy_read_timeout 60s;
proxy_send_timeout 10s;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-CDN-Force-SSL "True";
proxy_set_header X-CDN-HTTP2 "$http2";
proxy_set_header X-CDN-HTTPS "$https";
location / {
proxy_pass http://local_rp;
error_page 301 302 307 = @redir;
}
location @redir {
internal;
set $cdn_upstream_http_location $upstream_http_location;
proxy_pass $cdn_upstream_http_location;
}
}
# other equivalent server blocks
# .
# .
# .
# .
}
On Mon, Mar 13, 2017 at 3:17 PM, Valentin V. Bartenev <vb...@nginx.com>
wrote:
> On Monday 13 March 2017 15:06:17 George . wrote:
> > Hi all,
> >
> > We've found two different coredumps in production machines running 1.10.3
> > handing ssl and http v2 traffic.
> >
> > Here is the backtrace of version compiles with -O0 -g -ggdb
> >
> [..]
>
> Do you use any 3rd-party modules or patches? Could you show
> nginx -V output?
>
> wbr, Valentin V. Bartenev
>
> _______________________________________________
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
_______________________________________________
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel
