Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).
If we have multiple keyfiles - I like the idea of marking some key as default.

On Wed, Oct 2, 2013 at 12:47 PM, Piotr Sikora wrote:

> Hello Maxim,
>
> > As previously noted, the patch description is wrong. It also
> > makes sense to add some description of the directive added.
>
> Yeah, will do.
>
> > This makes the directive unavailable without any meaningful
> > diagnostics if nginx was built with old OpenSSL, which isn't very
> > user-friendly.
>
> I'll fix that, it makes sense to be a bit more user-friendly :)
>
> > But actually I doubt we at all need an explicit mark for default
> > key. Just using first one for encryption would probably be good
> > enough.
>
> I tend to think that being overly explicit isn't always a bad thing.
> In this particular case, users would need to know that the first key
> on the list is "active/default" while the rest of them are just old
> keys, which is an implementation detail and might not be obvious to
> everybody.
>
> > I also think it would be better not to rely on an explicitly
> > written name, which will make automatic key rotation a pain - as
> > one will have to update both name in a configuration file and a
> > file with keys. E.g. Apache uses a binary file with 48 bytes of
> > random data, which is much easier to generate and rotate if
> > needed.
>
> The reason why I went with the key name in nginx.conf is because it
> allows users to use a naming scheme for the keys (ex. MMDDHH, if
> you rotate keys hourly, etc.) instead of random and meaningless names.
>
> Having said that, I don't mind pushing key name back to the file.
>
> > Not sure if this code should be here. Other file operations are
> > handled in the ngx_event_openssl.c, and doing the same for session
> > tickets might be a good idea as well. Especially if you'll
> > consider adding relevant directives to the mail module.
>
> Sure, sounds reasonable.
>
> I'll send an updated patch in a few days.
>
> Best regards,
> Piotr Sikora
>
> ___
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: nginx upstream 302 redirect

Hello!

On Wed, Oct 02, 2013 at 03:03:18PM +0300, Anatoli Marinov wrote:

> Hello,
> Is there an easy way to configure nginx upstream to follow 302 instead of
> sending them to the browser?

The question seems to be off-topic on the nginx-devel@ list. The answer is yes, but you'll need to configure it carefully yourself using the proxy_intercept_errors and error_page 302.

--
Maxim Dounin
http://nginx.org/en/donation.html
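A sketch of the configuration this reply points to, as an added example that is not part of the original message. The hosts backend.example and cdn.example are placeholders, the resolver address is an assumption, and the allowlist check on the redirect target is an addition so that nginx only fetches from a host the operator expects.

```nginx
# Added example: follow an upstream 302 inside nginx instead of
# passing it to the browser. Host names are placeholders.
upstream backend {
    server backend.example:8080;
}

server {
    listen 80;

    # Required because proxy_pass below takes a variable that
    # contains a host name (address is an assumption).
    resolver 127.0.0.1;

    location / {
        proxy_pass http://backend;

        # Hand upstream responses with status >= 300 to error_page
        # instead of sending them to the client unchanged.
        proxy_intercept_errors on;
        error_page 302 = @follow_redirect;
    }

    location @follow_redirect {
        # Location header from the upstream's 302 response.
        set $redirect_target $upstream_http_location;

        # The upstream controls this header, so only follow
        # absolute URLs on the expected host; refuse the rest.
        if ($redirect_target !~ "^https?://cdn\.example/") {
            return 502;
        }

        proxy_pass $redirect_target;
    }
}
```

Only one redirect hop is followed, and a relative or unexpected Location value produces a 502 instead of being fetched.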
nginx upstream 302 redirect

Hello,
Is there an easy way to configure nginx upstream to follow 302 instead of sending them to the browser?

Thanks
[nginx] Upstream: fixed "down" and "backup" parsing.
details: http://hg.nginx.org/nginx/rev/16b68c724438 branches: changeset: 5410:16b68c724438 user: Maxim Dounin date: Wed Oct 02 15:07:15 2013 +0400 description: Upstream: fixed "down" and "backup" parsing. Previously arguments starting with "down" or "backup" were considered valid, e.g. "server ... downFOO;". diffstat: src/http/ngx_http_upstream.c | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (21 lines): diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -4701,7 +4701,7 @@ ngx_http_upstream_server(ngx_conf_t *cf, continue; } -if (ngx_strncmp(value[i].data, "backup", 6) == 0) { +if (ngx_strcmp(value[i].data, "backup") == 0) { if (!(uscf->flags & NGX_HTTP_UPSTREAM_BACKUP)) { goto invalid; @@ -4712,7 +4712,7 @@ ngx_http_upstream_server(ngx_conf_t *cf, continue; } -if (ngx_strncmp(value[i].data, "down", 4) == 0) { +if (ngx_strcmp(value[i].data, "down") == 0) { if (!(uscf->flags & NGX_HTTP_UPSTREAM_DOWN)) { goto invalid; ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
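Review bot: Both replaced comparisons, for "backup" and for "down", now call ngx_strcmp(value[i].data, ...) with no length bound, so the exact match is only correct if value[i].data is NUL-terminated, and nothing in these hunks shows that. If configuration tokens are guaranteed to be terminated, a short comment saying so would help the next reader; otherwise check value[i].len against 6 and 4 before the string compare.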
[nginx] Limit req: fixed "nodelay" parsing.
details: http://hg.nginx.org/nginx/rev/5483d9e77b32 branches: changeset: 5411:5483d9e77b32 user: Maxim Dounin date: Wed Oct 02 15:07:17 2013 +0400 description: Limit req: fixed "nodelay" parsing. Previously arguments starting with "nodelay" were considered valid, e.g. "limit_req ... nodelayFOO;". diffstat: src/http/modules/ngx_http_limit_req_module.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/src/http/modules/ngx_http_limit_req_module.c b/src/http/modules/ngx_http_limit_req_module.c --- a/src/http/modules/ngx_http_limit_req_module.c +++ b/src/http/modules/ngx_http_limit_req_module.c @@ -912,7 +912,7 @@ ngx_http_limit_req(ngx_conf_t *cf, ngx_c continue; } -if (ngx_strncmp(value[i].data, "nodelay", 7) == 0) { +if (ngx_strcmp(value[i].data, "nodelay") == 0) { nodelay = 1; continue; } ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
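Review bot: The description does not say what happens at load time to a configuration that relied on the old prefix match at the "nodelay" comparison in ngx_http_limit_req(): a mistyped argument such as "nodelayFOO" used to set nodelay = 1 and will no longer match here, but the branch it falls through to is not visible in this hunk. Please state the new outcome for such a configuration in the commit message, and consider a test case with a trailing-garbage argument so the prefix match cannot come back unnoticed.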
Re: Distributed SSL session cache
Hello!

On Tue, Oct 01, 2013 at 05:37:34PM +0400, kyprizel wrote:

> Ok, I don't insist - I just need the functionality. What should I do to get
> my patch accepted? :)

Piotr's patch is already under review, and I don't think that duplicating efforts makes sense. You may want to join the review process instead.

--
Maxim Dounin
http://nginx.org/en/donation.html
Re: [PATCH] SSL: added support for TLS Session Tickets (RFC5077).
Hello Maxim,

> As previously noted, the patch description is wrong. It also
> makes sense to add some description of the directive added.

Yeah, will do.

> This makes the directive unavailable without any meaningful
> diagnostics if nginx was built with old OpenSSL, which isn't very
> user-friendly.

I'll fix that, it makes sense to be a bit more user-friendly :)

> But actually I doubt we at all need an explicit mark for default
> key. Just using first one for encryption would probably be good
> enough.

I tend to think that being overly explicit isn't always a bad thing. In this particular case, users would need to know that the first key on the list is "active/default" while the rest of them are just old keys, which is an implementation detail and might not be obvious to everybody.

> I also think it would be better not to rely on an explicitly
> written name, which will make automatic key rotation a pain - as
> one will have to update both name in a configuration file and a
> file with keys. E.g. Apache uses a binary file with 48 bytes of
> random data, which is much easier to generate and rotate if
> needed.

The reason why I went with the key name in nginx.conf is because it allows users to use a naming scheme for the keys (ex. MMDDHH, if you rotate keys hourly, etc.) instead of random and meaningless names.

Having said that, I don't mind pushing key name back to the file.

> Not sure if this code should be here. Other file operations are
> handled in the ngx_event_openssl.c, and doing the same for session
> tickets might be a good idea as well. Especially if you'll
> consider adding relevant directives to the mail module.

Sure, sounds reasonable.

I'll send an updated patch in a few days.

Best regards,
Piotr Sikora
[nginx] Unused macro and variable removed.
details: http://hg.nginx.org/nginx/rev/11599a3d0c7c branches: changeset: 5409:11599a3d0c7c user: Sergey Kandaurov date: Wed Oct 02 11:51:04 2013 +0400 description: Unused macro and variable removed. The macro NGX_HTTP_DAV_COPY_BLOCK is not used since 8101d9101ed8 (0.8.9). The variable ngx_accept_mutex_lock_file was never used. diffstat: src/event/ngx_event.c | 1 - src/http/modules/ngx_http_dav_module.c | 2 -- 2 files changed, 0 insertions(+), 3 deletions(-) diffs (23 lines): diff -r d7a2729623d3 -r 11599a3d0c7c src/event/ngx_event.c --- a/src/event/ngx_event.c Wed Oct 02 11:50:56 2013 +0400 +++ b/src/event/ngx_event.c Wed Oct 02 11:51:04 2013 +0400 @@ -56,7 +56,6 @@ ngx_uint_tngx_accept_events; ngx_uint_tngx_accept_mutex_held; ngx_msec_tngx_accept_mutex_delay; ngx_int_t ngx_accept_disabled; -ngx_file_tngx_accept_mutex_lock_file; #if (NGX_STAT_STUB) diff -r d7a2729623d3 -r 11599a3d0c7c src/http/modules/ngx_http_dav_module.c --- a/src/http/modules/ngx_http_dav_module.cWed Oct 02 11:50:56 2013 +0400 +++ b/src/http/modules/ngx_http_dav_module.cWed Oct 02 11:51:04 2013 +0400 @@ -10,8 +10,6 @@ #include -#define NGX_HTTP_DAV_COPY_BLOCK 65536 - #define NGX_HTTP_DAV_OFF 2 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
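Review bot: ngx_accept_mutex_lock_file is removed from src/event/ngx_event.c as a non-static global, but the diffstat touches no header, so please confirm that no extern declaration for it is left behind and that nothing outside this file refers to the symbol. The commit message names the changeset since which NGX_HTTP_DAV_COPY_BLOCK has been unused; a comparable pointer for the variable would make the "never used" claim easier to verify.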
[nginx] Version bump.
details: http://hg.nginx.org/nginx/rev/d7a2729623d3 branches: changeset: 5408:d7a2729623d3 user: Sergey Kandaurov date: Wed Oct 02 11:50:56 2013 +0400 description: Version bump. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff -r 15056a29841a -r d7a2729623d3 src/core/nginx.h --- a/src/core/nginx.h Tue Oct 01 17:44:51 2013 +0400 +++ b/src/core/nginx.h Wed Oct 02 11:50:56 2013 +0400 @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1005006 -#define NGINX_VERSION "1.5.6" +#define nginx_version 1005007 +#define NGINX_VERSION "1.5.7" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX" ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel