Hello community, here is the log from the commit of package nginx for openSUSE:Factory checked in at 2018-11-12 09:43:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/nginx (Old) and /work/SRC/openSUSE:Factory/.nginx.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nginx" Mon Nov 12 09:43:32 2018 rev:31 rq:647696 version:1.15.6 Changes: -------- --- /work/SRC/openSUSE:Factory/nginx/nginx.changes 2018-11-09 07:55:08.723661279 +0100 +++ /work/SRC/openSUSE:Factory/.nginx.new/nginx.changes 2018-11-12 09:44:13.888936754 +0100 @@ -1,0 +2,18 @@ +Thu Nov 8 11:53:50 UTC 2018 - [email protected] + +- update to 1.15.6 + - Security: when using HTTP/2 a client might cause excessive memory + consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). + - Security: processing of a specially crafted mp4 file with the + ngx_http_mp4_module might result in worker process memory disclosure + (CVE-2018-16845). + - Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive", + "grpc_socket_keepalive", "memcached_socket_keepalive", + "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives. + - Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL + 1.1.1, the TLS 1.3 protocol was always enabled. + - Bugfix: working with gRPC backends might result in excessive memory + consumption. +- Fix vim-plugin-nginx rpm group. + +------------------------------------------------------------------- 
@@ -6,0 +25,19 @@ + +- update to 1.15.4 + - Feature: now the "ssl_early_data" directive can be used with OpenSSL. + - Bugfix: in the ngx_http_uwsgi_module. + - Bugfix: connections with some gRPC backends might not be cached when + using the "keepalive" directive. + - Bugfix: a socket leak might occur when using the "error_page" + directive to redirect early request processing errors, notably errors + with code 400. + - Bugfix: the "return" directive did not change the response code when + returning errors if the request was redirected by the "error_page" + directive. + - Bugfix: standard error pages and responses of the + ngx_http_autoindex_module module used the "bgcolor" attribute, and + might be displayed incorrectly when using custom color settings in + browsers. + - Change: the logging level of the "no suitable key share" and "no + suitable signature algorithm" SSL errors has been lowered from "crit" + to "info". Old: ---- nginx-1.15.5.tar.gz nginx-1.15.5.tar.gz.asc New: ---- nginx-1.15.6.tar.gz nginx-1.15.6.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ nginx.spec ++++++ --- /var/tmp/diff_new_pack.tZTI8T/_old 2018-11-12 09:44:14.880935241 +0100 +++ /var/tmp/diff_new_pack.tZTI8T/_new 2018-11-12 09:44:14.880935241 +0100 @@ -70,7 +70,7 @@ %define ngx_doc_dir %{_datadir}/doc/packages/%{name} # Name: nginx -Version: 1.15.5 +Version: 1.15.6 Release: 0 %define ngx_fancyindex_version 0.4.2 %define ngx_fancyindex_module_path ngx-fancyindex-%{ngx_fancyindex_version} 
@@ -153,7 +153,7 @@ %package -n vim-plugin-nginx Summary: VIM support for nginx config files -Group: Productivity/Editors/Vi +Group: Productivity/Text/Editors %if 0%{?suse_version} > 1110 BuildArch: noarch %endif ++++++ nginx-1.15.5.tar.gz -> nginx-1.15.6.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/CHANGES new/nginx-1.15.6/CHANGES --- old/nginx-1.15.5/CHANGES 2018-10-02 17:13:59.000000000 +0200 +++ new/nginx-1.15.6/CHANGES 2018-11-06 14:32:17.000000000 +0100 @@ -1,4 +1,24 @@ +Changes with nginx 1.15.6 06 Nov 2018 + + *) Security: when using HTTP/2 a client might cause excessive memory + consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844). + + *) Security: processing of a specially crafted mp4 file with the + ngx_http_mp4_module might result in worker process memory disclosure + (CVE-2018-16845). + + *) Feature: the "proxy_socket_keepalive", "fastcgi_socket_keepalive", + "grpc_socket_keepalive", "memcached_socket_keepalive", + "scgi_socket_keepalive", and "uwsgi_socket_keepalive" directives. + + *) Bugfix: if nginx was built with OpenSSL 1.1.0 and used with OpenSSL + 1.1.1, the TLS 1.3 protocol was always enabled. + + *) Bugfix: working with gRPC backends might result in excessive memory + consumption. + + Changes with nginx 1.15.5 02 Oct 2018 *) Bugfix: a segmentation fault might occur in a worker process when diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/CHANGES.ru new/nginx-1.15.6/CHANGES.ru --- old/nginx-1.15.5/CHANGES.ru 2018-10-02 17:13:57.000000000 +0200 +++ new/nginx-1.15.6/CHANGES.ru 2018-11-06 14:32:14.000000000 +0100 
@@ -1,4 +1,26 @@ +Изменения в nginx 1.15.6 06.11.2018 + + *) Безопасность: при использовании HTTP/2 клиент мог вызвать чрезмерное + потреблению памяти (CVE-2018-16843) и ресурсов процессора + (CVE-2018-16844). + + *) Безопасность: при обработке специально созданного mp4-файла модулем + ngx_http_mp4_module содержимое памяти рабочего процесса могло быть + отправлено клиенту (CVE-2018-16845). + + *) Добавление: директивы proxy_socket_keepalive, + fastcgi_socket_keepalive, grpc_socket_keepalive, + memcached_socket_keepalive, scgi_socket_keepalive и + uwsgi_socket_keepalive. + + *) Исправление: если nginx был собран с OpenSSL 1.1.0, а использовался с + OpenSSL 1.1.1, протокол TLS 1.3 всегда был разрешён. + + *) Исправление: при работе с gRPC-бэкендами могло расходоваться большое + количество памяти. + + Изменения в nginx 1.15.5 02.10.2018 *) Исправление: при использовании OpenSSL 1.1.0h и новее в рабочем diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/core/nginx.h new/nginx-1.15.6/src/core/nginx.h --- old/nginx-1.15.5/src/core/nginx.h 2018-10-02 17:13:52.000000000 +0200 +++ new/nginx-1.15.6/src/core/nginx.h 2018-11-06 14:32:09.000000000 +0100 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1015005 -#define NGINX_VERSION "1.15.5" +#define nginx_version 1015006 +#define NGINX_VERSION "1.15.6" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/event/ngx_event.h new/nginx-1.15.6/src/event/ngx_event.h --- old/nginx-1.15.5/src/event/ngx_event.h 2018-10-02 17:13:52.000000000 +0200 +++ new/nginx-1.15.6/src/event/ngx_event.h 2018-11-06 14:32:09.000000000 +0100 
@@ -499,7 +499,7 @@
 #define ngx_event_get_conf(conf_ctx, module) \
- (*(ngx_get_conf(conf_ctx, ngx_events_module))) [module.ctx_index];
+ (*(ngx_get_conf(conf_ctx, ngx_events_module))) [module.ctx_index]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/event/ngx_event_connect.c new/nginx-1.15.6/src/event/ngx_event_connect.c
--- old/nginx-1.15.5/src/event/ngx_event_connect.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/event/ngx_event_connect.c 2018-11-06 14:32:09.000000000 +0100
@@ -20,7 +20,7 @@
 ngx_int_t
 ngx_event_connect_peer(ngx_peer_connection_t *pc)
 {
- int rc, type;
+ int rc, type, value;
 #if (NGX_HAVE_IP_BIND_ADDRESS_NO_PORT || NGX_LINUX)
 in_port_t port;
 #endif
@@ -73,6 +73,18 @@
 }
 }
+ if (pc->so_keepalive) {
+ value = 1;
+
+ if (setsockopt(s, SOL_SOCKET, SO_KEEPALIVE,
+ (const void *) &value, sizeof(int))
+ == -1)
+ {
+ ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
+ "setsockopt(SO_KEEPALIVE) failed, ignored");
+ }
+ }
+
 if (ngx_nonblocking(s) == -1) {
 ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
 ngx_nonblocking_n " failed");
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/event/ngx_event_connect.h new/nginx-1.15.6/src/event/ngx_event_connect.h
--- old/nginx-1.15.5/src/event/ngx_event_connect.h 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/event/ngx_event_connect.h 2018-11-06 14:32:09.000000000 +0100
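Review bot: The new `if (pc->so_keepalive)` block in ngx_event_connect_peer() only turns SO_KEEPALIVE on; it never sets the probe idle time, interval or count, so those stay at the kernel defaults (on Linux the idle timer is typically two hours), and on its own this will not detect a dead upstream quickly — a comment should say so, e.g. `/* enable kernel keepalive probes; probe timing is left to OS defaults */` above the block. Logging a failed setsockopt() at alert level and continuing is reasonable since the connection still works without probes, and the message already says "ignored". ngx_event_connect_peer() continues past the end of the hunk, so the later use of the socket is not visible here.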
@@ -62,6 +62,7 @@
 unsigned cached:1;
 unsigned transparent:1;
+ unsigned so_keepalive:1;
 /* ngx_connection_log_error_e */
 unsigned log_error:2;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/event/ngx_event_openssl.c new/nginx-1.15.6/src/event/ngx_event_openssl.c
--- old/nginx-1.15.5/src/event/ngx_event_openssl.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/event/ngx_event_openssl.c 2018-11-06 14:32:09.000000000 +0100
@@ -345,6 +345,11 @@
 }
 #endif
+#ifdef SSL_CTX_set_min_proto_version
+ SSL_CTX_set_min_proto_version(ssl->ctx, 0);
+ SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_2_VERSION);
+#endif
+
 #ifdef TLS1_3_VERSION
 SSL_CTX_set_min_proto_version(ssl->ctx, 0);
 SSL_CTX_set_max_proto_version(ssl->ctx, TLS1_3_VERSION);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/modules/ngx_http_fastcgi_module.c new/nginx-1.15.6/src/http/modules/ngx_http_fastcgi_module.c
--- old/nginx-1.15.5/src/http/modules/ngx_http_fastcgi_module.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/modules/ngx_http_fastcgi_module.c 2018-11-06 14:32:09.000000000 +0100
@@ -286,6 +286,13 @@
 offsetof(ngx_http_fastcgi_loc_conf_t, upstream.local),
 NULL },
+ { ngx_string("fastcgi_socket_keepalive"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_fastcgi_loc_conf_t, upstream.socket_keepalive),
+ NULL },
+
 { ngx_string("fastcgi_connect_timeout"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_msec_slot,
@@ -2721,6 +2728,7 @@
 conf->upstream.force_ranges = NGX_CONF_UNSET;
 conf->upstream.local = NGX_CONF_UNSET_PTR;
+ conf->upstream.socket_keepalive = NGX_CONF_UNSET;
 conf->upstream.connect_timeout = NGX_CONF_UNSET_MSEC;
 conf->upstream.send_timeout = NGX_CONF_UNSET_MSEC;
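Review bot: In the ngx_event_openssl.c hunk the new `#ifdef SSL_CTX_set_min_proto_version` block caps the context at TLS1_2_VERSION and the existing `#ifdef TLS1_3_VERSION` block right below overrides that cap whenever both macros are defined, yet nothing in the code records why two blocks exist. The reason is only in CHANGES (a binary built against OpenSSL 1.1.0 headers running on a 1.1.1 library would otherwise have TLS 1.3 silently enabled, beyond what `ssl_protocols` can express), so a later cleanup could collapse the blocks and reintroduce the bug; I would put `/* built without TLS1_3_VERSION: cap at TLS 1.2 so a newer runtime library cannot enable TLS 1.3 behind ssl_protocols' back; overridden below when TLS 1.3 is known at build time */` above the first block. An `#if defined(TLS1_3_VERSION) ... #elif defined(SSL_CTX_set_min_proto_version) ... #endif` chain would make the precedence explicit and drop the redundant calls. The enclosing function starts and ends outside the hunk.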
@@ -2824,6 +2832,9 @@
 ngx_conf_merge_ptr_value(conf->upstream.local,
 prev->upstream.local, NULL);
+ ngx_conf_merge_value(conf->upstream.socket_keepalive,
+ prev->upstream.socket_keepalive, 0);
+
 ngx_conf_merge_msec_value(conf->upstream.connect_timeout,
 prev->upstream.connect_timeout, 60000);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/modules/ngx_http_grpc_module.c new/nginx-1.15.6/src/http/modules/ngx_http_grpc_module.c
--- old/nginx-1.15.5/src/http/modules/ngx_http_grpc_module.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/modules/ngx_http_grpc_module.c 2018-11-06 14:32:09.000000000 +0100
@@ -78,6 +78,9 @@
 ngx_uint_t id;
+ ngx_uint_t pings;
+ ngx_uint_t settings;
+
 ssize_t send_window;
 size_t recv_window;
@@ -248,6 +251,13 @@
 offsetof(ngx_http_grpc_loc_conf_t, upstream.local),
 NULL },
+ { ngx_string("grpc_socket_keepalive"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_grpc_loc_conf_t, upstream.socket_keepalive),
+ NULL },
+
 { ngx_string("grpc_connect_timeout"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_msec_slot,
@@ -3577,6 +3587,12 @@
 ctx->rest);
 return NGX_ERROR;
 }
+
+ if (ctx->free == NULL && ctx->settings++ > 1000) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent too many settings frames");
+ return NGX_ERROR;
+ }
 }
 for (p = b->pos; p < last; p++) {
@@ -3729,6 +3745,12 @@
 "upstream sent ping frame with ack flag");
 return NGX_ERROR;
 }
+
+ if (ctx->free == NULL && ctx->pings++ > 1000) {
+ ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
+ "upstream sent too many ping frames");
+ return NGX_ERROR;
+ }
 }
 for (p = b->pos; p < last; p++) {
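Review bot: The two new guards in ngx_http_grpc_module.c hard-code the same limit twice (`ctx->settings++ > 1000` and `ctx->pings++ > 1000`) and leave the `ctx->free == NULL` half of each condition unexplained — it looks like only SETTINGS/PING frames that cannot reuse a free output buffer for their acknowledgement are counted, which would match the CHANGES entry about excessive memory consumption with gRPC backends, but that is an inference from the field names. I would lift the literal into one named constant such as `#define NGX_HTTP_GRPC_MAX_CONTROL_FRAMES  1000` and add a one-line comment on each check stating what is bounded (control frames whose ack costs a fresh allocation) and why. Neither counter is reset in these hunks, which is fine if `ctx` lives for a single request but is worth stating next to the fields added at line 78. Both checks sit inside functions that begin and end outside the hunk.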
@@ -4150,6 +4172,7 @@
 */
 conf->upstream.local = NGX_CONF_UNSET_PTR;
+ conf->upstream.socket_keepalive = NGX_CONF_UNSET;
 conf->upstream.next_upstream_tries = NGX_CONF_UNSET_UINT;
 conf->upstream.connect_timeout = NGX_CONF_UNSET_MSEC;
 conf->upstream.send_timeout = NGX_CONF_UNSET_MSEC;
@@ -4205,6 +4228,9 @@
 ngx_conf_merge_ptr_value(conf->upstream.local,
 prev->upstream.local, NULL);
+ ngx_conf_merge_value(conf->upstream.socket_keepalive,
+ prev->upstream.socket_keepalive, 0);
+
 ngx_conf_merge_uint_value(conf->upstream.next_upstream_tries,
 prev->upstream.next_upstream_tries, 0);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/modules/ngx_http_memcached_module.c new/nginx-1.15.6/src/http/modules/ngx_http_memcached_module.c
--- old/nginx-1.15.5/src/http/modules/ngx_http_memcached_module.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/modules/ngx_http_memcached_module.c 2018-11-06 14:32:09.000000000 +0100
@@ -67,6 +67,13 @@
 offsetof(ngx_http_memcached_loc_conf_t, upstream.local),
 NULL },
+ { ngx_string("memcached_socket_keepalive"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_memcached_loc_conf_t, upstream.socket_keepalive),
+ NULL },
+
 { ngx_string("memcached_connect_timeout"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_msec_slot,
@@ -595,6 +602,7 @@
 */
 conf->upstream.local = NGX_CONF_UNSET_PTR;
+ conf->upstream.socket_keepalive = NGX_CONF_UNSET;
 conf->upstream.next_upstream_tries = NGX_CONF_UNSET_UINT;
 conf->upstream.connect_timeout = NGX_CONF_UNSET_MSEC;
 conf->upstream.send_timeout = NGX_CONF_UNSET_MSEC;
@@ -634,6 +642,9 @@
 ngx_conf_merge_ptr_value(conf->upstream.local,
 prev->upstream.local, NULL);
+ ngx_conf_merge_value(conf->upstream.socket_keepalive,
+ prev->upstream.socket_keepalive, 0);
+
 ngx_conf_merge_uint_value(conf->upstream.next_upstream_tries,
 prev->upstream.next_upstream_tries, 0);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/modules/ngx_http_mp4_module.c new/nginx-1.15.6/src/http/modules/ngx_http_mp4_module.c
--- old/nginx-1.15.5/src/http/modules/ngx_http_mp4_module.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/modules/ngx_http_mp4_module.c 2018-11-06 14:32:09.000000000 +0100
@@ -942,6 +942,13 @@
 atom_size = ngx_mp4_get_64value(atom_header + 8);
 atom_header_size = sizeof(ngx_mp4_atom_header64_t);
+ if (atom_size < sizeof(ngx_mp4_atom_header64_t)) {
+ ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
+ "\"%s\" mp4 atom is too small:%uL",
+ mp4->file.name.data, atom_size);
+ return NGX_ERROR;
+ }
+
 } else {
 ngx_log_error(NGX_LOG_ERR, mp4->file.log, 0,
 "\"%s\" mp4 atom is too small:%uL",
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/modules/ngx_http_proxy_module.c new/nginx-1.15.6/src/http/modules/ngx_http_proxy_module.c
--- old/nginx-1.15.5/src/http/modules/ngx_http_proxy_module.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/modules/ngx_http_proxy_module.c 2018-11-06 14:32:09.000000000 +0100
@@ -324,6 +324,13 @@
 offsetof(ngx_http_proxy_loc_conf_t, upstream.local),
 NULL },
+ { ngx_string("proxy_socket_keepalive"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_proxy_loc_conf_t, upstream.socket_keepalive),
+ NULL },
+
 { ngx_string("proxy_connect_timeout"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_msec_slot,
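Review bot: The new `atom_size < sizeof(ngx_mp4_atom_header64_t)` check in ngx_http_mp4_module.c is the CVE-2018-16845 fix named in CHANGES, but nothing at the check says so or states the invariant it enforces, and since it emits the very same "mp4 atom is too small" message as the `else` branch a later reader may treat the two as duplicates and merge them. I would add `/* an extended-size atom must at least cover its own header; the size arithmetic that follows relies on this (CVE-2018-16845) */` — phrased as "relies on this" because the dependent arithmetic is outside the hunk and should be confirmed. A regression fixture with a 64-bit atom header declaring a size smaller than that header would pin the behaviour against future refactors. The enclosing atom parser starts and ends outside the hunk.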
@@ -2833,6 +2840,7 @@
 conf->upstream.force_ranges = NGX_CONF_UNSET;
 conf->upstream.local = NGX_CONF_UNSET_PTR;
+ conf->upstream.socket_keepalive = NGX_CONF_UNSET;
 conf->upstream.connect_timeout = NGX_CONF_UNSET_MSEC;
 conf->upstream.send_timeout = NGX_CONF_UNSET_MSEC;
@@ -2953,6 +2961,9 @@
 ngx_conf_merge_ptr_value(conf->upstream.local,
 prev->upstream.local, NULL);
+ ngx_conf_merge_value(conf->upstream.socket_keepalive,
+ prev->upstream.socket_keepalive, 0);
+
 ngx_conf_merge_msec_value(conf->upstream.connect_timeout,
 prev->upstream.connect_timeout, 60000);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/modules/ngx_http_scgi_module.c new/nginx-1.15.6/src/http/modules/ngx_http_scgi_module.c
--- old/nginx-1.15.5/src/http/modules/ngx_http_scgi_module.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/modules/ngx_http_scgi_module.c 2018-11-06 14:32:09.000000000 +0100
@@ -143,6 +143,13 @@
 offsetof(ngx_http_scgi_loc_conf_t, upstream.local),
 NULL },
+ { ngx_string("scgi_socket_keepalive"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_scgi_loc_conf_t, upstream.socket_keepalive),
+ NULL },
+
 { ngx_string("scgi_connect_timeout"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_msec_slot,
@@ -1200,6 +1207,7 @@
 conf->upstream.force_ranges = NGX_CONF_UNSET;
 conf->upstream.local = NGX_CONF_UNSET_PTR;
+ conf->upstream.socket_keepalive = NGX_CONF_UNSET;
 conf->upstream.connect_timeout = NGX_CONF_UNSET_MSEC;
 conf->upstream.send_timeout = NGX_CONF_UNSET_MSEC;
@@ -1298,6 +1306,9 @@
 ngx_conf_merge_ptr_value(conf->upstream.local,
 prev->upstream.local, NULL);
+ ngx_conf_merge_value(conf->upstream.socket_keepalive,
+ prev->upstream.socket_keepalive, 0);
+
 ngx_conf_merge_msec_value(conf->upstream.connect_timeout,
 prev->upstream.connect_timeout, 60000);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/modules/ngx_http_uwsgi_module.c new/nginx-1.15.6/src/http/modules/ngx_http_uwsgi_module.c
--- old/nginx-1.15.5/src/http/modules/ngx_http_uwsgi_module.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/modules/ngx_http_uwsgi_module.c 2018-11-06 14:32:09.000000000 +0100
@@ -204,6 +204,13 @@
 offsetof(ngx_http_uwsgi_loc_conf_t, upstream.local),
 NULL },
+ { ngx_string("uwsgi_socket_keepalive"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_LOC_CONF_OFFSET,
+ offsetof(ngx_http_uwsgi_loc_conf_t, upstream.socket_keepalive),
+ NULL },
+
 { ngx_string("uwsgi_connect_timeout"),
 NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_msec_slot,
@@ -1413,6 +1420,7 @@
 conf->upstream.force_ranges = NGX_CONF_UNSET;
 conf->upstream.local = NGX_CONF_UNSET_PTR;
+ conf->upstream.socket_keepalive = NGX_CONF_UNSET;
 conf->upstream.connect_timeout = NGX_CONF_UNSET_MSEC;
 conf->upstream.send_timeout = NGX_CONF_UNSET_MSEC;
@@ -1519,6 +1527,9 @@
 ngx_conf_merge_ptr_value(conf->upstream.local,
 prev->upstream.local, NULL);
+ ngx_conf_merge_value(conf->upstream.socket_keepalive,
+ prev->upstream.socket_keepalive, 0);
+
 ngx_conf_merge_msec_value(conf->upstream.connect_timeout,
 prev->upstream.connect_timeout, 60000);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/ngx_http_file_cache.c new/nginx-1.15.6/src/http/ngx_http_file_cache.c
--- old/nginx-1.15.5/src/http/ngx_http_file_cache.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/ngx_http_file_cache.c 2018-11-06 14:32:09.000000000 +0100
@@ -2418,23 +2418,32 @@
 p = (u_char *) ngx_strchr(name.data, ':');
- if (p) {
- name.len = p - name.data;
+ if (p == NULL) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid keys zone size \"%V\"", &value[i]);
+ return NGX_CONF_ERROR;
+ }
+
+ name.len = p - name.data;
- p++;
+ s.data = p + 1;
+ s.len = value[i].data + value[i].len - s.data;
- s.len = value[i].data + value[i].len - p;
- s.data = p;
+ size = ngx_parse_size(&s);
+
+ if (size == NGX_ERROR) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "invalid keys zone size \"%V\"", &value[i]);
+ return NGX_CONF_ERROR;
+ }
- size = ngx_parse_size(&s);
- if (size > 8191) {
- continue;
- }
+ if (size < (ssize_t) (2 * ngx_pagesize)) {
+ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
+ "keys zone \"%V\" is too small", &value[i]);
+ return NGX_CONF_ERROR;
 }
- ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
- "invalid keys zone size \"%V\"", &value[i]);
- return NGX_CONF_ERROR;
+ continue;
 }
 if (ngx_strncmp(value[i].data, "inactive=", 9) == 0) {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/ngx_http_upstream.c new/nginx-1.15.6/src/http/ngx_http_upstream.c
--- old/nginx-1.15.5/src/http/ngx_http_upstream.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/ngx_http_upstream.c 2018-11-06 14:32:09.000000000 +0100
@@ -628,6 +628,10 @@
 return;
 }
+ if (u->conf->socket_keepalive) {
+ u->peer.so_keepalive = 1;
+ }
+
 clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 u->output.alignment = clcf->directio_alignment;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/ngx_http_upstream.h new/nginx-1.15.6/src/http/ngx_http_upstream.h
--- old/nginx-1.15.5/src/http/ngx_http_upstream.h 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/ngx_http_upstream.h 2018-11-06 14:32:09.000000000 +0100
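Review bot: The rewritten keys_zone parsing in ngx_http_file_cache.c moves the minimum from `size > 8191` bytes to `size < (ssize_t) (2 * ngx_pagesize)`, which is the same floor on 4 KiB pages but raises it to 32 KiB or 128 KiB on 16 KiB/64 KiB-page systems, so an existing `keys_zone=name:16k` can start failing at configuration load after this upgrade and that is not mentioned in CHANGES. The new error also prints only the zone, not the floor the operator has to meet; I would make it `"keys zone \"%V\" is too small, minimum is %ui bytes", &value[i], 2 * ngx_pagesize`. Rejecting a missing ':' with "invalid keys zone size" is correct, though the wording suggests a malformed size rather than an absent one. The directive handler starts and ends outside the hunk.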
@@ -188,6 +188,7 @@
 ngx_array_t *pass_headers;
 ngx_http_upstream_local_t *local;
+ ngx_flag_t socket_keepalive;
 #if (NGX_HTTP_CACHE)
 ngx_shm_zone_t *cache_zone;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/v2/ngx_http_v2.c new/nginx-1.15.6/src/http/v2/ngx_http_v2.c
--- old/nginx-1.15.5/src/http/v2/ngx_http_v2.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/v2/ngx_http_v2.c 2018-11-06 14:32:09.000000000 +0100
@@ -662,6 +662,7 @@
 h2c->pool = NULL;
 h2c->free_frames = NULL;
+ h2c->frames = 0;
 h2c->free_fake_connections = NULL;
 #if (NGX_HTTP_SSL)
@@ -2895,7 +2896,7 @@
 frame->blocked = 0;
- } else {
+ } else if (h2c->frames < 10000) {
 pool = h2c->pool ? h2c->pool : h2c->connection->pool;
 frame = ngx_pcalloc(pool, sizeof(ngx_http_v2_out_frame_t));
@@ -2919,6 +2920,15 @@
 frame->last = frame->first;
 frame->handler = ngx_http_v2_frame_handler;
+
+ h2c->frames++;
+
+ } else {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+
+ h2c->connection->error = 1;
+ return NULL;
 }
 #if (NGX_DEBUG)
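Review bot: In the ngx_http_v2.c hunk at 2896 the per-connection frame cap is the bare literal `10000` in `} else if (h2c->frames < 10000) {`, with nothing tying it to the CVE-2018-16843/16844 fix listed in CHANGES or saying how it was chosen; a named constant such as `#define NGX_HTTP_V2_MAX_FRAMES  10000` with a comment that it bounds frame allocations until the pool is released (the reset is the `h2c->frames = 0` added at 662, so recycled frames from `free_frames` are not counted) would make the limit auditable. From a detection standpoint "http2 flood detected" is emitted at NGX_LOG_INFO, which is below nginx's default error_log level, so operators will not see these events unless they lower the level — this is consistent with how nginx logs client-caused errors, but it belongs in the release note so people who alert on the message know to adjust error_log. The `return NULL` path relies on every caller of this allocator already handling NULL, which is plausible given `ngx_pcalloc` can fail but is not visible here. The function containing the check starts and ends outside the hunk.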
@@ -4501,12 +4511,19 @@
 #endif
- c->destroyed = 0;
- ngx_reusable_connection(c, 0);
-
 h2scf = ngx_http_get_module_srv_conf(h2c->http_connection->conf_ctx,
 ngx_http_v2_module);
+ if (h2c->idle++ > 10 * h2scf->max_requests) {
+ ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0,
+ "http2 flood detected");
+ ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_NO_ERROR);
+ return;
+ }
+
+ c->destroyed = 0;
+ ngx_reusable_connection(c, 0);
+
 h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log);
 if (h2c->pool == NULL) {
 ngx_http_v2_finalize_connection(h2c, NGX_HTTP_V2_INTERNAL_ERROR);
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/http/v2/ngx_http_v2.h new/nginx-1.15.6/src/http/v2/ngx_http_v2.h
--- old/nginx-1.15.5/src/http/v2/ngx_http_v2.h 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/http/v2/ngx_http_v2.h 2018-11-06 14:32:09.000000000 +0100
@@ -120,6 +120,8 @@
 ngx_http_connection_t *http_connection;
 ngx_uint_t processing;
+ ngx_uint_t frames;
+ ngx_uint_t idle;
 ngx_uint_t pushing;
 ngx_uint_t concurrent_pushes;
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/nginx-1.15.5/src/stream/ngx_stream_proxy_module.c new/nginx-1.15.6/src/stream/ngx_stream_proxy_module.c
--- old/nginx-1.15.5/src/stream/ngx_stream_proxy_module.c 2018-10-02 17:13:52.000000000 +0200
+++ new/nginx-1.15.6/src/stream/ngx_stream_proxy_module.c 2018-11-06 14:32:09.000000000 +0100
@@ -31,6 +31,7 @@
 ngx_flag_t next_upstream;
 ngx_flag_t proxy_protocol;
 ngx_stream_upstream_local_t *local;
+ ngx_flag_t socket_keepalive;
 #if (NGX_STREAM_SSL)
 ngx_flag_t ssl_enable;
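Review bot: The new idle guard `if (h2c->idle++ > 10 * h2scf->max_requests)` in ngx_http_v2.c uses an unexplained multiplier of 10, and `h2c->idle` is never reset in these hunks (unlike `h2c->frames`), so it appears to bound idle transitions over the whole connection lifetime rather than per burst; if that is intended a comment should say so, e.g. `/* each idle transition costs a fresh pool below; cap their number relative to http2_max_requests so a client cannot cycle forever (CVE-2018-16844) */`. If `http2_max_requests` can be configured as 0 (its parser is not visible here), the threshold becomes 0 and the second idle transition closes the connection, which deserves either a check or a documented minimum. Moving `c->destroyed = 0` and `ngx_reusable_connection(c, 0)` after the guard looks deliberate, since the flood path finalizes the connection instead of reusing it. The idle handler starts and ends outside the hunk.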
@@ -136,6 +137,13 @@
 0,
 NULL },
+ { ngx_string("proxy_socket_keepalive"),
+ NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_STREAM_SRV_CONF_OFFSET,
+ offsetof(ngx_stream_proxy_srv_conf_t, socket_keepalive),
+ NULL },
+
 { ngx_string("proxy_connect_timeout"),
 NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
 ngx_conf_set_msec_slot,
@@ -388,6 +396,10 @@
 return;
 }
+ if (pscf->socket_keepalive) {
+ u->peer.so_keepalive = 1;
+ }
+
 u->peer.type = c->type;
 u->start_sec = ngx_time();
@@ -1898,6 +1910,7 @@
 conf->next_upstream = NGX_CONF_UNSET;
 conf->proxy_protocol = NGX_CONF_UNSET;
 conf->local = NGX_CONF_UNSET_PTR;
+ conf->socket_keepalive = NGX_CONF_UNSET;
 #if (NGX_STREAM_SSL)
 conf->ssl_enable = NGX_CONF_UNSET;
@@ -1948,6 +1961,9 @@
 ngx_conf_merge_ptr_value(conf->local, prev->local, NULL);
+ ngx_conf_merge_value(conf->socket_keepalive,
+ prev->socket_keepalive, 0);
+
 #if (NGX_STREAM_SSL)
 ngx_conf_merge_value(conf->ssl_enable, prev->ssl_enable, 0);
