Hello community,
here is the log from the commit of package nginx for openSUSE:Factory checked
in at 2018-07-31 16:03:10
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nginx (Old)
and /work/SRC/openSUSE:Factory/.nginx.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx"
Tue Jul 31 16:03:10 2018 rev:27 rq:626497 version:1.15.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2018-07-25
16:13:32.561973708 +0200
+++ /work/SRC/openSUSE:Factory/.nginx.new/nginx.changes 2018-07-31
16:03:16.535941760 +0200
@@ -1,0 +2,23 @@
+Mon Jul 30 12:21:26 UTC 2018 - mrueck...@suse.de
+
+- update to 1.15.2
+ - Feature: the $ssl_preread_protocol variable in the
+ ngx_stream_ssl_preread_module.
+ - Feature: now when using the "reset_timedout_connection"
+ directive nginx will reset connections being closed with the
+ 444 code.
+ - Change: a logging level of the "http request", "https proxy
+ request", "unsupported protocol", and "version too low" SSL
+ errors has been lowered from "crit" to "info".
+ - Bugfix: DNS requests were not resent if initial sending of a
+ request failed.
+ - Bugfix: the "reuseport" parameter of the "listen" directive was
+ ignored if the number of worker processes was specified after
+ the "listen" directive.
+ - Bugfix: when using OpenSSL 1.1.0 or newer it was not possible
+ to switch off "ssl_prefer_server_ciphers" in a virtual server
+ if it was switched on in the default server.
+ - Bugfix: SSL session reuse with upstream servers did not work
+ with the TLS 1.3 protocol.
+
+-------------------------------------------------------------------
@@ -4 +27 @@
-- update 1.15.1
+- update to 1.15.1
Old:
----
nginx-1.15.1.tar.gz
nginx-1.15.1.tar.gz.asc
New:
----
nginx-1.15.2.tar.gz
nginx-1.15.2.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nginx.spec ++++++
--- /var/tmp/diff_new_pack.eUOwvh/_old 2018-07-31 16:03:17.535943462 +0200
+++ /var/tmp/diff_new_pack.eUOwvh/_new 2018-07-31 16:03:17.539943470 +0200
@@ -70,7 +70,7 @@
%define ngx_doc_dir %{_datadir}/doc/packages/%{name}
#
Name: nginx
-Version: 1.15.1
+Version: 1.15.2
Release: 0
%define ngx_fancyindex_version 0.4.2
%define ngx_fancyindex_module_path ngx-fancyindex-%{ngx_fancyindex_version}
++++++ nginx-1.15.1.tar.gz -> nginx-1.15.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/CHANGES new/nginx-1.15.2/CHANGES
--- old/nginx-1.15.1/CHANGES 2018-07-03 17:07:51.000000000 +0200
+++ new/nginx-1.15.2/CHANGES 2018-07-24 15:11:08.000000000 +0200
@@ -1,4 +1,31 @@
+Changes with nginx 1.15.2 24 Jul 2018
+
+ *) Feature: the $ssl_preread_protocol variable in the
+ ngx_stream_ssl_preread_module.
+
+ *) Feature: now when using the "reset_timedout_connection" directive
+ nginx will reset connections being closed with the 444 code.
+
+ *) Change: a logging level of the "http request", "https proxy request",
+ "unsupported protocol", and "version too low" SSL errors has been
+ lowered from "crit" to "info".
+
+ *) Bugfix: DNS requests were not resent if initial sending of a request
+ failed.
+
+ *) Bugfix: the "reuseport" parameter of the "listen" directive was
+ ignored if the number of worker processes was specified after the
+ "listen" directive.
+
+ *) Bugfix: when using OpenSSL 1.1.0 or newer it was not possible to
+ switch off "ssl_prefer_server_ciphers" in a virtual server if it was
+ switched on in the default server.
+
+ *) Bugfix: SSL session reuse with upstream servers did not work with the
+ TLS 1.3 protocol.
+
+
Changes with nginx 1.15.1 03 Jul 2018
*) Feature: the "random" directive inside the "upstream" block.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/CHANGES.ru new/nginx-1.15.2/CHANGES.ru
--- old/nginx-1.15.1/CHANGES.ru 2018-07-03 17:07:49.000000000 +0200
+++ new/nginx-1.15.2/CHANGES.ru 2018-07-24 15:11:05.000000000 +0200
@@ -1,4 +1,31 @@
+Изменения в nginx 1.15.2 24.07.2018
+
+ *) Добавление: переменная $ssl_preread_protocol в модуле
+ ngx_stream_ssl_preread_module.
+
+ *) Добавление: теперь при использовании директивы
+ reset_timedout_connection nginx сбрасывает соединения, закрываемые с
+ кодом 444.
+
+ *) Изменение: уровень логгирования ошибок SSL "http request", "https
+ proxy request", "unsupported protocol" и "version too low" понижен с
+ уровня crit до info.
+
+ *) Исправление: запросы к DNS-серверу не отправлялись повторно, если при
+ первой попытке отправки происходила ошибка.
+
+ *) Исправление: параметр reuseport директивы listen игнорировался, если
+ количество рабочих процессов было задано после директивы listen.
+
+ *) Исправление: при использовании OpenSSL 1.1.0 и новее директиву
+ ssl_prefer_server_ciphers нельзя было выключить в виртуальном
+ сервере, если она была включена в сервере по умолчанию.
+
+ *) Исправление: повторное использование SSL-сессий к бэкендам не
+ работало с протоколом TLS 1.3.
+
+
Изменения в nginx 1.15.1 03.07.2018
*) Добавление: директива random в блоке upstream.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/core/nginx.h
new/nginx-1.15.2/src/core/nginx.h
--- old/nginx-1.15.1/src/core/nginx.h 2018-07-03 17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/core/nginx.h 2018-07-24 15:11:00.000000000 +0200
@@ -9,8 +9,8 @@
#define _NGINX_H_INCLUDED_
-#define nginx_version 1015001
-#define NGINX_VERSION "1.15.1"
+#define nginx_version 1015002
+#define NGINX_VERSION "1.15.2"
#define NGINX_VER "nginx/" NGINX_VERSION
#ifdef NGX_BUILD
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/core/ngx_connection.c
new/nginx-1.15.2/src/core/ngx_connection.c
--- old/nginx-1.15.1/src/core/ngx_connection.c 2018-07-03 17:07:44.000000000
+0200
+++ new/nginx-1.15.2/src/core/ngx_connection.c 2018-07-24 15:11:00.000000000
+0200
@@ -96,7 +96,7 @@
ngx_int_t
-ngx_clone_listening(ngx_conf_t *cf, ngx_listening_t *ls)
+ngx_clone_listening(ngx_cycle_t *cycle, ngx_listening_t *ls)
{
#if (NGX_HAVE_REUSEPORT)
@@ -104,20 +104,19 @@
ngx_core_conf_t *ccf;
ngx_listening_t ols;
- if (!ls->reuseport) {
+ if (!ls->reuseport || ls->worker != 0) {
return NGX_OK;
}
ols = *ls;
- ccf = (ngx_core_conf_t *) ngx_get_conf(cf->cycle->conf_ctx,
- ngx_core_module);
+ ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);
for (n = 1; n < ccf->worker_processes; n++) {
/* create a socket for each worker process */
- ls = ngx_array_push(&cf->cycle->listening);
+ ls = ngx_array_push(&cycle->listening);
if (ls == NULL) {
return NGX_ERROR;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/core/ngx_connection.h
new/nginx-1.15.2/src/core/ngx_connection.h
--- old/nginx-1.15.1/src/core/ngx_connection.h 2018-07-03 17:07:44.000000000
+0200
+++ new/nginx-1.15.2/src/core/ngx_connection.h 2018-07-24 15:11:00.000000000
+0200
@@ -210,7 +210,7 @@
ngx_listening_t *ngx_create_listening(ngx_conf_t *cf, struct sockaddr
*sockaddr,
socklen_t socklen);
-ngx_int_t ngx_clone_listening(ngx_conf_t *cf, ngx_listening_t *ls);
+ngx_int_t ngx_clone_listening(ngx_cycle_t *cycle, ngx_listening_t *ls);
ngx_int_t ngx_set_inherited_sockets(ngx_cycle_t *cycle);
ngx_int_t ngx_open_listening_sockets(ngx_cycle_t *cycle);
void ngx_configure_listening_sockets(ngx_cycle_t *cycle);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/core/ngx_resolver.c
new/nginx-1.15.2/src/core/ngx_resolver.c
--- old/nginx-1.15.1/src/core/ngx_resolver.c 2018-07-03 17:07:44.000000000
+0200
+++ new/nginx-1.15.2/src/core/ngx_resolver.c 2018-07-24 15:11:00.000000000
+0200
@@ -847,7 +847,15 @@
rn->nsrvs = 0;
if (ngx_resolver_send_query(r, rn) != NGX_OK) {
- goto failed;
+
+ /* immediately retry once on failure */
+
+ rn->last_connection++;
+ if (rn->last_connection == r->connections.nelts) {
+ rn->last_connection = 0;
+ }
+
+ (void) ngx_resolver_send_query(r, rn);
}
if (ngx_resolver_set_timeout(r, ctx) != NGX_OK) {
@@ -1051,7 +1059,15 @@
rn->nsrvs = 0;
if (ngx_resolver_send_query(r, rn) != NGX_OK) {
- goto failed;
+
+ /* immediately retry once on failure */
+
+ rn->last_connection++;
+ if (rn->last_connection == r->connections.nelts) {
+ rn->last_connection = 0;
+ }
+
+ (void) ngx_resolver_send_query(r, rn);
}
if (ngx_resolver_set_timeout(r, ctx) != NGX_OK) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/event/ngx_event.c
new/nginx-1.15.2/src/event/ngx_event.c
--- old/nginx-1.15.1/src/event/ngx_event.c 2018-07-03 17:07:44.000000000
+0200
+++ new/nginx-1.15.2/src/event/ngx_event.c 2018-07-24 15:11:00.000000000
+0200
@@ -410,12 +410,52 @@
static char *
ngx_event_init_conf(ngx_cycle_t *cycle, void *conf)
{
+#if (NGX_HAVE_REUSEPORT)
+ ngx_uint_t i;
+ ngx_listening_t *ls;
+#endif
+
if (ngx_get_conf(cycle->conf_ctx, ngx_events_module) == NULL) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
"no \"events\" section in configuration");
return NGX_CONF_ERROR;
}
+ if (cycle->connection_n < cycle->listening.nelts + 1) {
+
+ /*
+ * there should be at least one connection for each listening
+ * socket, plus an additional connection for channel
+ */
+
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
+ "%ui worker_connections are not enough "
+ "for %ui listening sockets",
+ cycle->connection_n, cycle->listening.nelts);
+
+ return NGX_CONF_ERROR;
+ }
+
+#if (NGX_HAVE_REUSEPORT)
+
+ ls = cycle->listening.elts;
+ for (i = 0; i < cycle->listening.nelts; i++) {
+
+ if (!ls[i].reuseport || ls[i].worker != 0) {
+ continue;
+ }
+
+ if (ngx_clone_listening(cycle, &ls[i]) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
+ /* cloning may change cycle->listening.elts */
+
+ ls = cycle->listening.elts;
+ }
+
+#endif
+
return NGX_CONF_OK;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/event/ngx_event_openssl.c
new/nginx-1.15.2/src/event/ngx_event_openssl.c
--- old/nginx-1.15.1/src/event/ngx_event_openssl.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/event/ngx_event_openssl.c 2018-07-24
15:11:00.000000000 +0200
@@ -24,6 +24,8 @@
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
int ret);
static void ngx_ssl_passwords_cleanup(void *data);
+static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn,
+ ngx_ssl_session_t *sess);
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
static void ngx_ssl_write_handler(ngx_event_t *wev);
@@ -295,7 +297,7 @@
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
-#ifdef SSL_CTRL_CLEAR_OPTIONS
+#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
/* only in 0.9.8m+ */
SSL_CTX_clear_options(ssl->ctx,
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
@@ -1162,6 +1164,42 @@
ngx_int_t
+ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
+{
+ if (!enable) {
+ return NGX_OK;
+ }
+
+ SSL_CTX_set_session_cache_mode(ssl->ctx,
+ SSL_SESS_CACHE_CLIENT
+ |SSL_SESS_CACHE_NO_INTERNAL);
+
+ SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session);
+
+ return NGX_OK;
+}
+
+
+static int
+ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
+{
+ ngx_connection_t *c;
+
+ c = ngx_ssl_get_connection(ssl_conn);
+
+ if (c->ssl->save_session) {
+ c->ssl->session = sess;
+
+ c->ssl->save_session(c);
+
+ c->ssl->session = NULL;
+ }
+
+ return 0;
+}
+
+
+ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t
flags)
{
ngx_ssl_connection_t *sc;
@@ -1193,6 +1231,10 @@
} else {
SSL_set_accept_state(sc->connection);
+
+#ifdef SSL_OP_NO_RENEGOTIATION
+ SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION);
+#endif
}
if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
@@ -1206,6 +1248,31 @@
}
+ngx_ssl_session_t *
+ngx_ssl_get_session(ngx_connection_t *c)
+{
+#ifdef TLS1_3_VERSION
+ if (c->ssl->session) {
+ SSL_SESSION_up_ref(c->ssl->session);
+ return c->ssl->session;
+ }
+#endif
+
+ return SSL_get1_session(c->ssl->connection);
+}
+
+
+ngx_ssl_session_t *
+ngx_ssl_get0_session(ngx_connection_t *c)
+{
+ if (c->ssl->session) {
+ return c->ssl->session;
+ }
+
+ return SSL_get0_session(c->ssl->connection);
+}
+
+
ngx_int_t
ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
{
@@ -2062,6 +2129,8 @@
|| n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
|| n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
|| n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
+ || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */
+ || n == SSL_R_HTTP_REQUEST /* 156 */
|| n == SSL_R_LENGTH_MISMATCH /* 159 */
#ifdef SSL_R_NO_CIPHERS_PASSED
|| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
@@ -2077,6 +2146,7 @@
|| n == SSL_R_UNEXPECTED_RECORD /* 245 */
|| n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */
|| n == SSL_R_UNKNOWN_PROTOCOL /* 252 */
+ || n == SSL_R_UNSUPPORTED_PROTOCOL /* 258 */
|| n == SSL_R_WRONG_VERSION_NUMBER /* 267 */
|| n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */
#ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG
@@ -2093,6 +2163,9 @@
#ifdef SSL_R_INAPPROPRIATE_FALLBACK
|| n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */
#endif
+#ifdef SSL_R_VERSION_TOO_LOW
+ || n == SSL_R_VERSION_TOO_LOW /* 396 */
+#endif
|| n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */
#ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE
|| n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/event/ngx_event_openssl.h
new/nginx-1.15.2/src/event/ngx_event_openssl.h
--- old/nginx-1.15.1/src/event/ngx_event_openssl.h 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/event/ngx_event_openssl.h 2018-07-24
15:11:00.000000000 +0200
@@ -77,6 +77,9 @@
ngx_connection_handler_pt handler;
+ ngx_ssl_session_t *session;
+ ngx_connection_handler_pt save_session;
+
ngx_event_handler_pt saved_read_handler;
ngx_event_handler_pt saved_write_handler;
@@ -168,6 +171,8 @@
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
+ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_uint_t enable);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
@@ -178,7 +183,8 @@
void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
-#define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection)
+ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c);
+ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
#define ngx_ssl_free_session SSL_SESSION_free
#define ngx_ssl_get_connection(ssl_conn) \
SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/nginx-1.15.1/src/http/modules/ngx_http_fastcgi_module.c
new/nginx-1.15.2/src/http/modules/ngx_http_fastcgi_module.c
--- old/nginx-1.15.1/src/http/modules/ngx_http_fastcgi_module.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/modules/ngx_http_fastcgi_module.c 2018-07-24
15:11:00.000000000 +0200
@@ -3501,7 +3501,7 @@
clcf->handler = ngx_http_fastcgi_handler;
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/http/modules/ngx_http_grpc_module.c
new/nginx-1.15.2/src/http/modules/ngx_http_grpc_module.c
--- old/nginx-1.15.1/src/http/modules/ngx_http_grpc_module.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/modules/ngx_http_grpc_module.c 2018-07-24
15:11:00.000000000 +0200
@@ -4525,7 +4525,7 @@
clcf->handler = ngx_http_grpc_handler;
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
@@ -4627,6 +4627,13 @@
}
}
+ if (ngx_ssl_client_session_cache(cf, glcf->upstream.ssl,
+ glcf->upstream.ssl_session_reuse)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
if (SSL_CTX_set_alpn_protos(glcf->upstream.ssl->ctx,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/nginx-1.15.1/src/http/modules/ngx_http_memcached_module.c
new/nginx-1.15.2/src/http/modules/ngx_http_memcached_module.c
--- old/nginx-1.15.1/src/http/modules/ngx_http_memcached_module.c
2018-07-03 17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/modules/ngx_http_memcached_module.c
2018-07-24 15:11:00.000000000 +0200
@@ -707,7 +707,7 @@
clcf->handler = ngx_http_memcached_handler;
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/nginx-1.15.1/src/http/modules/ngx_http_proxy_module.c
new/nginx-1.15.2/src/http/modules/ngx_http_proxy_module.c
--- old/nginx-1.15.1/src/http/modules/ngx_http_proxy_module.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/modules/ngx_http_proxy_module.c 2018-07-24
15:11:00.000000000 +0200
@@ -3580,7 +3580,7 @@
clcf->handler = ngx_http_proxy_handler;
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
@@ -4308,6 +4308,13 @@
}
}
+ if (ngx_ssl_client_session_cache(cf, plcf->upstream.ssl,
+ plcf->upstream.ssl_session_reuse)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/http/modules/ngx_http_scgi_module.c
new/nginx-1.15.2/src/http/modules/ngx_http_scgi_module.c
--- old/nginx-1.15.1/src/http/modules/ngx_http_scgi_module.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/modules/ngx_http_scgi_module.c 2018-07-24
15:11:00.000000000 +0200
@@ -1857,7 +1857,7 @@
return NGX_CONF_ERROR;
}
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/nginx-1.15.1/src/http/modules/ngx_http_uwsgi_module.c
new/nginx-1.15.2/src/http/modules/ngx_http_uwsgi_module.c
--- old/nginx-1.15.1/src/http/modules/ngx_http_uwsgi_module.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/modules/ngx_http_uwsgi_module.c 2018-07-24
15:11:00.000000000 +0200
@@ -2144,7 +2144,7 @@
return NGX_CONF_ERROR;
}
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
@@ -2391,6 +2391,13 @@
}
}
+ if (ngx_ssl_client_session_cache(cf, uwcf->upstream.ssl,
+ uwcf->upstream.ssl_session_reuse)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/http/ngx_http.c
new/nginx-1.15.2/src/http/ngx_http.c
--- old/nginx-1.15.1/src/http/ngx_http.c 2018-07-03 17:07:44.000000000
+0200
+++ new/nginx-1.15.2/src/http/ngx_http.c 2018-07-24 15:11:00.000000000
+0200
@@ -1685,10 +1685,6 @@
break;
}
- if (ngx_clone_listening(cf, ls) != NGX_OK) {
- return NGX_ERROR;
- }
-
addr++;
last--;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/http/ngx_http_request.c
new/nginx-1.15.2/src/http/ngx_http_request.c
--- old/nginx-1.15.1/src/http/ngx_http_request.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/ngx_http_request.c 2018-07-24
15:11:00.000000000 +0200
@@ -912,7 +912,7 @@
SSL_set_verify_depth(ssl_conn,
SSL_CTX_get_verify_depth(sscf->ssl.ctx));
-#ifdef SSL_CTRL_CLEAR_OPTIONS
+#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
/* only in 0.9.8m+ */
SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
~SSL_CTX_get_options(sscf->ssl.ctx));
@@ -2353,6 +2353,7 @@
|| rc == NGX_HTTP_NO_CONTENT)
{
if (rc == NGX_HTTP_CLOSE) {
+ c->timedout = 1;
ngx_http_terminate_request(r, rc);
return;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/http/ngx_http_upstream.c
new/nginx-1.15.2/src/http/ngx_http_upstream.c
--- old/nginx-1.15.1/src/http/ngx_http_upstream.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/ngx_http_upstream.c 2018-07-24
15:11:00.000000000 +0200
@@ -187,6 +187,7 @@
static void ngx_http_upstream_ssl_handshake_handler(ngx_connection_t *c);
static void ngx_http_upstream_ssl_handshake(ngx_http_request_t *,
ngx_http_upstream_t *u, ngx_connection_t *c);
+static void ngx_http_upstream_ssl_save_session(ngx_connection_t *c);
static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r,
ngx_http_upstream_t *u, ngx_connection_t *c);
#endif
@@ -1675,6 +1676,8 @@
}
if (u->conf->ssl_session_reuse) {
+ c->ssl->save_session = ngx_http_upstream_ssl_save_session;
+
if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
ngx_http_upstream_finalize_request(r, u,
NGX_HTTP_INTERNAL_SERVER_ERROR);
@@ -1759,10 +1762,6 @@
}
}
- if (u->conf->ssl_session_reuse) {
- u->peer.save_session(&u->peer, u->peer.data);
- }
-
c->write->handler = ngx_http_upstream_handler;
c->read->handler = ngx_http_upstream_handler;
@@ -1782,6 +1781,27 @@
}
+static void
+ngx_http_upstream_ssl_save_session(ngx_connection_t *c)
+{
+ ngx_http_request_t *r;
+ ngx_http_upstream_t *u;
+
+ if (c->idle) {
+ return;
+ }
+
+ r = c->data;
+
+ u = r->upstream;
+ c = r->connection;
+
+ ngx_http_set_log_request(c->log, r);
+
+ u->peer.save_session(&u->peer, u->peer.data);
+}
+
+
static ngx_int_t
ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u,
ngx_connection_t *c)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/nginx-1.15.1/src/http/ngx_http_upstream_round_robin.c
new/nginx-1.15.2/src/http/ngx_http_upstream_round_robin.c
--- old/nginx-1.15.1/src/http/ngx_http_upstream_round_robin.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/http/ngx_http_upstream_round_robin.c 2018-07-24
15:11:00.000000000 +0200
@@ -744,7 +744,7 @@
if (peers->shpool) {
- ssl_session = SSL_get0_session(pc->connection->ssl->connection);
+ ssl_session = ngx_ssl_get0_session(pc->connection);
if (ssl_session == NULL) {
return;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/os/unix/ngx_thread.h
new/nginx-1.15.2/src/os/unix/ngx_thread.h
--- old/nginx-1.15.1/src/os/unix/ngx_thread.h 2018-07-03 17:07:44.000000000
+0200
+++ new/nginx-1.15.2/src/os/unix/ngx_thread.h 2018-07-24 15:11:00.000000000
+0200
@@ -47,12 +47,12 @@
#elif (NGX_DARWIN)
typedef uint64_t ngx_tid_t;
-#define NGX_TID_T_FMT "%uA"
+#define NGX_TID_T_FMT "%uL"
#else
typedef uint64_t ngx_tid_t;
-#define NGX_TID_T_FMT "%uA"
+#define NGX_TID_T_FMT "%uL"
#endif
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/stream/ngx_stream.c
new/nginx-1.15.2/src/stream/ngx_stream.c
--- old/nginx-1.15.1/src/stream/ngx_stream.c 2018-07-03 17:07:44.000000000
+0200
+++ new/nginx-1.15.2/src/stream/ngx_stream.c 2018-07-24 15:11:00.000000000
+0200
@@ -538,10 +538,6 @@
break;
}
- if (ngx_clone_listening(cf, ls) != NGX_OK) {
- return NGX_CONF_ERROR;
- }
-
addr++;
last--;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore' old/nginx-1.15.1/src/stream/ngx_stream_proxy_module.c
new/nginx-1.15.2/src/stream/ngx_stream_proxy_module.c
--- old/nginx-1.15.1/src/stream/ngx_stream_proxy_module.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/stream/ngx_stream_proxy_module.c 2018-07-24
15:11:00.000000000 +0200
@@ -92,6 +92,7 @@
ngx_command_t *cmd, void *conf);
static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
+static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *pscf);
@@ -1008,6 +1009,8 @@
}
if (pscf->ssl_session_reuse) {
+ pc->ssl->save_session = ngx_stream_proxy_ssl_save_session;
+
if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
return;
@@ -1066,11 +1069,6 @@
}
}
- if (pscf->ssl_session_reuse) {
- u = s->upstream;
- u->peer.save_session(&u->peer, u->peer.data);
- }
-
if (pc->write->timer_set) {
ngx_del_timer(pc->write);
}
@@ -1086,6 +1084,19 @@
}
+static void
+ngx_stream_proxy_ssl_save_session(ngx_connection_t *c)
+{
+ ngx_stream_session_t *s;
+ ngx_stream_upstream_t *u;
+
+ s = c->data;
+ u = s->upstream;
+
+ u->peer.save_session(&u->peer, u->peer.data);
+}
+
+
static ngx_int_t
ngx_stream_proxy_ssl_name(ngx_stream_session_t *s)
{
@@ -2051,6 +2062,12 @@
}
}
+ if (ngx_ssl_client_session_cache(cf, pscf->ssl, pscf->ssl_session_reuse)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/nginx-1.15.1/src/stream/ngx_stream_ssl_preread_module.c
new/nginx-1.15.2/src/stream/ngx_stream_ssl_preread_module.c
--- old/nginx-1.15.1/src/stream/ngx_stream_ssl_preread_module.c 2018-07-03
17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/stream/ngx_stream_ssl_preread_module.c 2018-07-24
15:11:00.000000000 +0200
@@ -21,6 +21,7 @@
u_char *pos;
u_char *dst;
u_char buf[4];
+ u_char version[2];
ngx_str_t host;
ngx_str_t alpn;
ngx_log_t *log;
@@ -32,6 +33,8 @@
static ngx_int_t ngx_stream_ssl_preread_handler(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_ssl_preread_parse_record(
ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last);
+static ngx_int_t ngx_stream_ssl_preread_protocol_variable(
+ ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_preread_server_name_variable(
ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable(
@@ -86,6 +89,9 @@
static ngx_stream_variable_t ngx_stream_ssl_preread_vars[] = {
+ { ngx_string("ssl_preread_protocol"), NULL,
+ ngx_stream_ssl_preread_protocol_variable, 0, 0, 0 },
+
{ ngx_string("ssl_preread_server_name"), NULL,
ngx_stream_ssl_preread_server_name_variable, 0, 0, 0 },
@@ -143,6 +149,14 @@
while (last - p >= 5) {
+ if ((p[0] & 0x80) && p[2] == 1 && (p[3] == 0 || p[3] == 3)) {
+ ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
+ "ssl preread: version 2 ClientHello");
+ ctx->version[0] = p[3];
+ ctx->version[1] = p[4];
+ return NGX_OK;
+ }
+
if (p[0] != 0x16) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: not a handshake");
@@ -196,7 +210,8 @@
enum {
sw_start = 0,
sw_header, /* handshake msg_type, length */
- sw_head_tail, /* version, random */
+ sw_version, /* client_version */
+ sw_random, /* random */
sw_sid_len, /* session_id length */
sw_sid, /* session_id */
sw_cs_len, /* cipher_suites length */
@@ -210,7 +225,8 @@
sw_sni_host, /* SNI host_name */
sw_alpn_len, /* ALPN length */
sw_alpn_proto_len, /* ALPN protocol_name length */
- sw_alpn_proto_data /* ALPN protocol_name */
+ sw_alpn_proto_data, /* ALPN protocol_name */
+ sw_supver_len /* supported_versions length */
} state;
ngx_log_debug2(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
@@ -254,13 +270,19 @@
return NGX_DECLINED;
}
- state = sw_head_tail;
- dst = NULL;
- size = 34;
+ state = sw_version;
+ dst = ctx->version;
+ size = 2;
left = (p[1] << 16) + (p[2] << 8) + p[3];
break;
- case sw_head_tail:
+ case sw_version:
+ state = sw_random;
+ dst = NULL;
+ size = 32;
+ break;
+
+ case sw_random:
state = sw_sid_len;
dst = p;
size = 1;
@@ -334,6 +356,14 @@
break;
}
+ if (p[0] == 0 && p[1] == 43) {
+ /* supported_versions extension */
+ state = sw_supver_len;
+ dst = p;
+ size = 1;
+ break;
+ }
+
state = sw_ext;
dst = NULL;
size = (p[2] << 8) + p[3];
@@ -434,6 +464,19 @@
dst = NULL;
size = 0;
break;
+
+ case sw_supver_len:
+ ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
+ "ssl preread: supported_versions");
+
+ /* set TLSv1.3 */
+ ctx->version[0] = 3;
+ ctx->version[1] = 4;
+
+ state = sw_ext;
+ dst = NULL;
+ size = p[0];
+ break;
}
if (left < size) {
@@ -453,6 +496,62 @@
}
+static ngx_int_t
+ngx_stream_ssl_preread_protocol_variable(ngx_stream_session_t *s,
+ ngx_variable_value_t *v, uintptr_t data)
+{
+ ngx_str_t version;
+ ngx_stream_ssl_preread_ctx_t *ctx;
+
+ ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
+
+ if (ctx == NULL) {
+ v->not_found = 1;
+ return NGX_OK;
+ }
+
+ /* SSL_get_version() format */
+
+ ngx_str_null(&version);
+
+ switch (ctx->version[0]) {
+ case 0:
+ switch (ctx->version[1]) {
+ case 2:
+ ngx_str_set(&version, "SSLv2");
+ break;
+ }
+ break;
+ case 3:
+ switch (ctx->version[1]) {
+ case 0:
+ ngx_str_set(&version, "SSLv3");
+ break;
+ case 1:
+ ngx_str_set(&version, "TLSv1");
+ break;
+ case 2:
+ ngx_str_set(&version, "TLSv1.1");
+ break;
+ case 3:
+ ngx_str_set(&version, "TLSv1.2");
+ break;
+ case 4:
+ ngx_str_set(&version, "TLSv1.3");
+ break;
+ }
+ }
+
+ v->valid = 1;
+ v->no_cacheable = 0;
+ v->not_found = 0;
+ v->len = version.len;
+ v->data = version.data;
+
+ return NGX_OK;
+}
+
+
static ngx_int_t
ngx_stream_ssl_preread_server_name_variable(ngx_stream_session_t *s,
ngx_variable_value_t *v, uintptr_t data)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/nginx-1.15.1/src/stream/ngx_stream_upstream_round_robin.c
new/nginx-1.15.2/src/stream/ngx_stream_upstream_round_robin.c
--- old/nginx-1.15.1/src/stream/ngx_stream_upstream_round_robin.c
2018-07-03 17:07:44.000000000 +0200
+++ new/nginx-1.15.2/src/stream/ngx_stream_upstream_round_robin.c
2018-07-24 15:11:00.000000000 +0200
@@ -776,7 +776,7 @@
if (peers->shpool) {
- ssl_session = SSL_get0_session(pc->connection->ssl->connection);
+ ssl_session = ngx_ssl_get0_session(pc->connection);
if (ssl_session == NULL) {
return;
