Re: 502 Bad Gateway
Maxim and anyone else who cares to chime in,
I'm still enough of a newbie that I have trouble understanding the error logs. The one for nginx reads the following at the end:
2019/08/12 22:48:51 [error] 8274#8274: *1 upstream sent too big header while reading response header from upstream, client: 192.168.1.133, server: _, request: "GET /nextcloud/index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "192.168.1.101", referrer: "http://192.168.1.101/nextcloud/;
I don't understand how to make the header smaller. I really don't understand what's going on; nginx says it's working, and php shows the phpinfo page, but when I actually try to run an application nothing works!
Ken
--
Registered Linux user #483005
If you ever think international relations make sense, remember this: because a Serb shot an Austrian in Bosnia, Germany invaded Belgium.
___ nginx mailing list nginx@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx
Re: 502 Bad Gateway
I am also having this problem on my Linux box I run at home. I had the webserver running perfectly then followed directions to activate virtual hosting. That also started out working perfectly for a while then suddenly I was getting the 502 error when launching anything from the static site. I run Wordpress and Piwigo in frames within my static site. I have tried the sock to :9000 listen option with no change.
nginx version: nginx/1.14.2
PHP 7.3.4-2 (cli) (built: Apr 13 2019 19:05:48) ( NTS )
Copyright (c) 1997-2018 The PHP Group
Zend Engine v3.3.4, Copyright (c) 1998-2018 Zend Technologies
with Zend OPcache v7.3.4-2, Copyright (c) 1999-2018, by Zend Technologies
Linux webserver 4.19.0-5-amd64 #1 SMP Debian 4.19.37-5+deb10u2 (2019-08-08) x86_64
Any help would be much appreciated. I am quite the noob when it comes to setting up a raw Linux webserver so am learning as I go.
Radjin~
Posted at Nginx Forum: https://forum.nginx.org/read.php?2,285209,285261#msg-285261
Re: Unit 1.9.0 release
> There is a service called Pusher that lets you distribute streams over WebSocket.
> No infrastructure is needed. I suspect it has forward and reverse
But we get the same thing for free and without third-party services, with a simple add-on of nchan + uWebSockets.js
Posted at Nginx Forum: https://forum.nginx.org/read.php?21,284362,285260#msg-285260
___ nginx-ru mailing list nginx-ru@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-ru
Re: Unit 1.9.0 release
On 14-08-19 00:00, S.A.N wrote:
> We are held back by the same reasons you are: it is more profitable for the business if we write more business logic and less infrastructure code.
There is a service called Pusher that lets you distribute streams over WebSocket. No infrastructure is needed. I suspect it has forward and reverse channels.
-- Val
Re: Unit 1.9.0 release
> What prevents you from implementing this functionality in the application?
> For example, using the same uWebSockets.js you mentioned?
We are held back by the same reasons you are: it is more profitable for the business if we write more business logic and less infrastructure code. Yes, we could build a distributed system on Redis Pub/Sub, with uWebSockets.js delivering the messages to clients, but that is slower, and in the best case we would end up building what is already written in nchan.
> The point is that the task is fairly narrowly specialized
I'm not sure; from my own experience it is hard to even recall tasks that fit within one-to-one communication, usually it is one-to-many. Even if we have a single server, it will have many processes; two WebSocket clients connect to different processes, and that is already a one-to-many relationship.
The killer feature of Unit, which nchan does not have, is that Unit knows about all the applications and can communicate with them without the network. That is great potential; I would very much like my processes inside the server to be able to communicate through Unit without the network.
Posted at Nginx Forum: https://forum.nginx.org/read.php?21,284362,285258#msg-285258
Re: Nginx + ldap auth
On Mon, Aug 12, 2019 at 04:44:46AM -0400, Danila wrote:
Hi there,
> Hello i have nginx 1.16.0 and some modules: nginx-auth-ldap,
> nginx-dav-ext-module, headers-more-nginx-module, nginx-upload-module.
> ldap_server mydomain{
> url
> "ldap://mydomain:3268/DC=mydimain,DC=local?sAMAccountName?sub?(objectClass=person)";
> binddn 'admin@mydomain.local';
> binddn_passwd 'adm_pass';
> require valid_user;
> }
You report that that one works. Note that it does have a binddn and a binddn_passwd.
> ldap_server mydomain2{
> url
> "ldap://mydomain:3268/DC=mydimain,DC=local?sAMAccountName?sub?(objectClass=person)";
> require user "CN=test,DC=MYDOMAIN,DC=LOCAL";
> group_attribute uniquemember;
> group_attribute_is_dn on;
> referral on;
> }
You report that that one fails on the initial bind. It has no binddn and no binddn_passwd.
If you copy the matching lines from the other block to here, does that make a difference? (Or: if you remove the bind* lines from the first block, does that one stay working?)
Note that nginx-auth-ldap is not in stock-nginx; possibly the documentation for whatever module you are using will have more information.
Good luck with it,
f
--
Francis Daly fran...@daoine.org
Re: Unit 1.9.0 release
On Tuesday 13 August 2019 15:16:56 S.A.N wrote:
> > Not planned for now.
>
> I see, but then here is what follows: those who need WebSocket usually need
> broadcast and the ability to subscribe one client to multiple channels.
> These tasks are already solved successfully in nchan (an Nginx module), and for Node.js there is
> uWebSockets.js (a C module); unfortunately this means that Unit is not needed in this
> technology stack.
[..]
What prevents you from implementing this functionality in the application? For example, using the same uWebSockets.js you mentioned?
The point is that the task is fairly narrowly specialized, yet at the same time it requires considerable resources if one were to implement it inside Unit. The nchan module for nginx itself is monstrous. For comparison: nchan contains 34755 lines of C code, which is almost half of the entire (!) HTTP part of nginx with its ~60 modules (75959 lines).
-- Valentin Bartenev
Re: Corrupted files in the cache with gzip responses
> corrupted truncated files in the cache when gzip is used on the backend, the same
> bug
Try turning this setting off in the Nginx config:
sendfile off;
That helped us.
Posted at Nginx Forum: https://forum.nginx.org/read.php?21,285250,285255#msg-285255
Re: Unit 1.9.0 release
> Not planned for now.
I see, but then here is what follows: those who need WebSocket usually need broadcast and the ability to subscribe one client to multiple channels. These tasks are already solved successfully in nchan (an Nginx module), and for Node.js there is uWebSockets.js (a C module); unfortunately this means that Unit is not needed in this technology stack.
Posted at Nginx Forum: https://forum.nginx.org/read.php?21,284362,285254#msg-285254
3rd party module move: nginx-openssl-version
This is about a third-party module: nginx-openssl-version and its sudden new home.
Back when HeartBleed struck, I wrote an nginx module to provide for configuration to be able to specify a minimum acceptable version of the OpenSSL library and turn non-matches into fatal configuration errors, trading off availability for security. I know that a few people started using it. It's not massively popular, but it is used.
My employer at the time was Apcera and the module was published under their GitHub repo. Apcera was purchased a few years ago, and today the new owner suddenly closed all non-fork GitHub repos without notice.
A few people have forks; the code has not seen updates, but only because it _works_ and hasn't needed changes. I still routinely build nginx using this module. If there are further changes needed, then I will make my changes available under the same (MIT) license.
Since I wrote the code in the first place, I think that I can get away with decreeing that my GitHub fork is now the canonical home.
https://github.com/PennockTech/nginx-openssl-version
Replace `--add-module` references:
old: github.com/apcera/nginx-openssl-version
new: github.com/PennockTech/nginx-openssl-version
I will submit a wiki PR shortly.
Thanks for reading,
-Phil
Re: Unit 1.9.0 release
On Tuesday 13 August 2019 14:10:11 S.A.N wrote:
> Maybe I missed it, but is there no broadcast channel capability in this version?
> When one message is delivered to many WebSocket clients, and how do you subscribe one
> client to multiple channels?
> Is this missing from the current version, or do you not plan to do it, so that this
> functionality will have to be written by hand in Node.js?
> [..]
Not planned for now.
-- Valentin Bartenev
Re: nginx-1.17.3
> for mobile clients there is (already) TLS1.3 + early data, TFO (tcp fast
> open).
> are you using them?
TLS1.3 - yes
early data, TFO - no; our problem is frequent connection drops in WebSocket, mobile clients are very prone to this because of TCP...
Posted at Nginx Forum: https://forum.nginx.org/read.php?21,285238,285251#msg-285251
Corrupted files in the cache with gzip responses
Good afternoon, I can't figure out how to fix this situation: nginx sometimes stores corrupted, truncated files in the proxy cache when gzip is used on the backend. The same bug has been seen on Cloudflare: sometimes a truncated file sits in its cache, for example half of a js file, and the only thing that helps is purging the cache and requesting the file again so that the file becomes complete. What should I tweak so as not to turn off gzip and http1.1? On Cloudflare it has even been observed that half of the cache servers store the full file while the other half store its truncated version and serve it as the correct one.
--
Best regards, Vladislav Tolmachev. tolmachev.v...@gmail.com skype: vladislaviki icq: 274888266
Re: nginx-1.17.3
Tue, 13 Aug 2019 at 23:06, S.A.N :
> Your roadmap for the 1.17 branch includes plans to implement QUIC
> (HTTP/3); what are your time estimates, will it be ready this year.
> And if it's not too much trouble, tell us what you think of QUIC, is there really a lot of benefit for mobile
> clients; we have a great many mobile HTTP clients and this topic is very
> interesting to us.
>
for mobile clients there is (already) TLS1.3 + early data, TFO (tcp fast open). are you using them?
> Thank you.
>
> Posted at Nginx Forum:
> https://forum.nginx.org/read.php?21,285238,285245#msg-285245
Re: [nginx-announce] nginx-1.17.3
Hello Nginx users,
Now available: Nginx 1.17.3 for Windows https://kevinworthington.com/nginxwin1173 (32-bit and 64-bit versions)
These versions are to support legacy users who are already using Cygwin based builds of Nginx. Officially supported native Windows binaries are at nginx.org.
Announcements are also available here: Twitter http://twitter.com/kworthington
Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail] [dot} {com)
https://kevinworthington.com/
https://twitter.com/kworthington
On Tue, Aug 13, 2019 at 1:04 PM Maxim Dounin wrote:
> Changes with nginx 1.17.3                                        13 Aug 2019
>
> *) Security: when using HTTP/2 a client might cause excessive memory
>    consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
>    CVE-2019-9516).
>
> *) Bugfix: "zero size buf" alerts might appear in logs when using
>    gzipping; the bug had appeared in 1.17.2.
>
> *) Bugfix: a segmentation fault might occur in a worker process if the
>    "resolver" directive was used in SMTP proxy.
>
> --
> Maxim Dounin
> http://nginx.org/
Re: [nginx-announce] nginx-1.16.1
Hello Nginx users,
Now available: Nginx 1.16.1 for Windows https://kevinworthington.com/nginxwin1161 (32-bit and 64-bit versions)
These versions are to support legacy users who are already using Cygwin based builds of Nginx. Officially supported native Windows binaries are at nginx.org.
Announcements are also available here: Twitter http://twitter.com/kworthington
Thank you,
Kevin
--
Kevin Worthington
kworthington *@* (gmail] [dot} {com)
https://kevinworthington.com/
https://twitter.com/kworthington
On Tue, Aug 13, 2019 at 1:05 PM Maxim Dounin wrote:
> Changes with nginx 1.16.1                                        13 Aug 2019
>
> *) Security: when using HTTP/2 a client might cause excessive memory
>    consumption and CPU usage (CVE-2019-9511, CVE-2019-9513,
>    CVE-2019-9516).
>
> --
> Maxim Dounin
> http://nginx.org/
Re: Unit 1.9.0 release
Maybe I missed it, but is there no broadcast channel capability in this version? When one message is delivered to many WebSocket clients, and how do you subscribe one client to multiple channels? Is this missing from the current version, or do you not plan to do it, so that this functionality will have to be written by hand in Node.js?
Posted at Nginx Forum: https://forum.nginx.org/read.php?21,284362,285246#msg-285246
Re: nginx-1.17.3
Your roadmap for the 1.17 branch includes plans to implement QUIC (HTTP/3); what are your time estimates, will it be ready this year. And if it's not too much trouble, tell us what you think of QUIC, is there really a lot of benefit for mobile clients; we have a great many mobile HTTP clients and this topic is very interesting to us. Thank you.
Posted at Nginx Forum: https://forum.nginx.org/read.php?21,285238,285245#msg-285245
nginx security advisory (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
Hello!
Several security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file.
The issues affect nginx 1.9.5 - 1.17.2. The issues are fixed in nginx 1.17.3, 1.16.1.
Thanks to Jonathan Looney from Netflix for discovering these issues.
--
Maxim Dounin
http://nginx.org/
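A check for the three exposure conditions the advisory above lists (version in 1.9.5 - 1.17.2, built with ngx_http_v2_module, "http2" on a "listen" directive), as an added example that is not part of the advisory or of nginx itself. It assumes the text of `nginx -V` and `nginx -T` has been captured; the function names, the sample strings and the treatment of later 1.16.x releases as fixed are assumptions.

```python
import re

# Bounds quoted from the advisory: affected 1.9.5 - 1.17.2, fixed in 1.17.3 and 1.16.1.
FIRST_AFFECTED = (1, 9, 5)
LAST_AFFECTED = (1, 17, 2)
FIXED_STABLE = (1, 16, 1)

# Constructed sample of `nginx -V` output (not taken from a real host).
SAMPLE_NGINX_V = """\
nginx version: nginx/1.16.0
built with OpenSSL 1.1.1c  28 May 2019
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --with-http_ssl_module --with-http_v2_module
"""

# Constructed sample of an `nginx -T` configuration dump.
SAMPLE_CONFIG = """\
http {
    server {
        listen 80;
        listen 443 ssl http2;        # HTTP/2 enabled here
        listen [::]:443 ssl http2;
        # listen 8443 ssl http2;     (commented out, must be ignored)
        server_name example.test;
    }
    server {
        listen 8080;
    }
}
"""


def parse_version(text):
    """Return (major, minor, patch) from `nginx -V` output or a bare version string."""
    m = re.search(r"nginx/(\d+)\.(\d+)\.(\d+)", text) or \
        re.search(r"\b(\d+)\.(\d+)\.(\d+)\b", text)
    if not m:
        raise ValueError("no nginx version found in %r" % text)
    return tuple(int(p) for p in m.groups())


def version_in_affected_range(version):
    """True if the version falls in the advisory's affected range and is not a fixed release."""
    if not (FIRST_AFFECTED <= version <= LAST_AFFECTED):
        return False
    # 1.16.1 sorts below 1.17.2 but carries the fix. Assumption: so do later 1.16.x releases.
    if version[:2] == (1, 16) and version >= FIXED_STABLE:
        return False
    return True


def has_http2_module(nginx_v_output):
    """True if the build was configured with the HTTP/2 module."""
    return "--with-http_v2_module" in nginx_v_output


def http2_listens(config_text):
    """Return the arguments of every `listen` directive that carries the http2 parameter.

    Simplification: comments are stripped with a regex and statements are split on
    ';', '{' and '}', so quoted strings containing those characters are not handled.
    """
    no_comments = re.sub(r"#[^\n]*", "", config_text)
    found = []
    for statement in re.split(r"[;{}]", no_comments):
        tokens = statement.split()
        if tokens and tokens[0] == "listen" and "http2" in tokens[1:]:
            found.append(" ".join(tokens[1:]))
    return found


def assess(nginx_v_output, config_text):
    """Combine the three conditions; a host is exposed only if all of them hold."""
    version = parse_version(nginx_v_output)
    listens = http2_listens(config_text)
    report = {
        "version": ".".join(str(p) for p in version),
        "version_affected": version_in_affected_range(version),
        "http2_module": has_http2_module(nginx_v_output),
        "http2_listens": listens,
    }
    report["exposed"] = (report["version_affected"]
                         and report["http2_module"]
                         and bool(listens))
    return report


if __name__ == "__main__":
    for key, value in assess(SAMPLE_NGINX_V, SAMPLE_CONFIG).items():
        print("%-17s %s" % (key + ":", value))
```

On a live host the two inputs would come from `nginx -V 2>&1` and `nginx -T`.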
[nginx-ru-announce] nginx security advisory (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
Hello!
Several security issues were identified in the nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the http2 parameter of the listen directive is used in a configuration file.
The issues affect nginx 1.9.5 - 1.17.2. The issues are fixed in nginx 1.17.3, 1.16.1.
Thanks to Jonathan Looney from Netflix for discovering these issues.
--
Maxim Dounin
http://nginx.org/
___ nginx-ru-announce mailing list nginx-ru-announce@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-ru-announce
[nginx-ru-announce] nginx-1.17.3
Changes with nginx 1.17.3 13.08.2019
*) Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
*) Bugfix: "zero size buf" alerts might appear in logs when using gzipping; the bug had appeared in 1.17.2.
*) Bugfix: a segmentation fault might occur in a worker process if the resolver directive was used in SMTP proxy.
--
Maxim Dounin
http://nginx.org/
[nginx-announce] nginx-1.16.1
Changes with nginx 1.16.1 13 Aug 2019
*) Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
--
Maxim Dounin
http://nginx.org/
___ nginx-announce mailing list nginx-announce@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-announce
[nginx-announce] nginx security advisory (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
Hello!
Several security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the "http2" option of the "listen" directive is used in a configuration file.
The issues affect nginx 1.9.5 - 1.17.2. The issues are fixed in nginx 1.17.3, 1.16.1.
Thanks to Jonathan Looney from Netflix for discovering these issues.
--
Maxim Dounin
http://nginx.org/
nginx-1.16.1
Changes with nginx 1.16.1 13 Aug 2019
*) Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
--
Maxim Dounin
http://nginx.org/
[nginx] HTTP/2: limited number of PRIORITY frames.
details: https://hg.nginx.org/nginx/rev/a23a7e6edac4 branches: stable-1.16 changeset: 7556:a23a7e6edac4 user: Ruslan Ermilov date: Tue Aug 13 15:43:40 2019 +0300 description: HTTP/2: limited number of PRIORITY frames. Fixed excessive CPU usage caused by a peer that continuously shuffles priority of streams. Fix is to limit the number of PRIORITY frames. diffstat: src/http/v2/ngx_http_v2.c | 10 ++ src/http/v2/ngx_http_v2.h | 1 + 2 files changed, 11 insertions(+), 0 deletions(-) diffs (45 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -273,6 +273,7 @@ ngx_http_v2_init(ngx_event_t *rev) h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); h2c->concurrent_pushes = h2scf->concurrent_pushes; +h2c->priority_limit = h2scf->concurrent_streams; h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); if (h2c->pool == NULL) { @@ -1804,6 +1805,13 @@ ngx_http_v2_state_priority(ngx_http_v2_c return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); } +if (--h2c->priority_limit == 0) { +ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "client sent too many PRIORITY frames"); + +return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); +} + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { return ngx_http_v2_state_save(h2c, pos, end, ngx_http_v2_state_priority); @@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_co h2c->processing++; } +h2c->priority_limit += h2scf->concurrent_streams; + return stream; } diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h @@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s { ngx_uint_t processing; ngx_uint_t frames; ngx_uint_t idle; +ngx_uint_t priority_limit; ngx_uint_t pushing; ngx_uint_t concurrent_pushes; ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
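Review bot: in ngx_http_v2_state_priority the `--h2c->priority_limit` test sits above the `end - pos < NGX_HTTP_V2_PRIORITY_SIZE` branch, which saves state with ngx_http_v2_state_priority as the handler, so a PRIORITY frame whose payload arrives in pieces looks like it is charged against the budget each time the handler is re-entered. Consider moving the decrement below the ngx_http_v2_state_save return so that each frame is counted once, or say in a comment that the over-count is intended.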
[nginx] nginx-1.16.1-RELEASE
details: https://hg.nginx.org/nginx/rev/123647025f4a branches: stable-1.16 changeset: 7557:123647025f4a user: Maxim Dounin date: Tue Aug 13 15:51:42 2019 +0300 description: nginx-1.16.1-RELEASE diffstat: docs/xml/nginx/changes.xml | 18 ++ 1 files changed, 18 insertions(+), 0 deletions(-) diffs (28 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -5,6 +5,24 @@ + + + + +при использовании HTTP/2 клиент мог вызвать +чрезмерное потребление памяти и ресурсов процессора +(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + +when using HTTP/2 a client might cause +excessive memory consumption and CPU usage +(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + + + + + ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
nginx-1.17.3
Changes with nginx 1.17.3 13 Aug 2019
*) Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
*) Bugfix: "zero size buf" alerts might appear in logs when using gzipping; the bug had appeared in 1.17.2.
*) Bugfix: a segmentation fault might occur in a worker process if the "resolver" directive was used in SMTP proxy.
--
Maxim Dounin
http://nginx.org/
nginx-1.17.3
Changes with nginx 1.17.3 13.08.2019
*) Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
*) Bugfix: "zero size buf" alerts might appear in logs when using gzipping; the bug had appeared in 1.17.2.
*) Bugfix: a segmentation fault might occur in a worker process if the resolver directive was used in SMTP proxy.
--
Maxim Dounin
http://nginx.org/
[nginx] release-1.16.1 tag
details: https://hg.nginx.org/nginx/rev/f65ceadcbb2b branches: stable-1.16 changeset: 7558:f65ceadcbb2b user: Maxim Dounin date: Tue Aug 13 15:51:43 2019 +0300 description: release-1.16.1 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -439,3 +439,4 @@ 75f5c7f628411c79c7044102049f7ab4f7a246e7 5155d0296a5ef9841f035920527ffdb771076b44 release-1.15.11 0130ca3d58437b3c7c707c813d530c68da9a release-1.15.12 abd40ce603fa49b2b8b1cca622c96093b1e14275 release-1.16.0 +123647025f4a0d3e8c0f869c1ab1f61b924d59e3 release-1.16.1 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
nginx security advisory (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516)
Hello!
Several security issues were identified in the nginx HTTP/2 implementation, which might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the http2 parameter of the listen directive is used in a configuration file.
The issues affect nginx 1.9.5 - 1.17.2. The issues are fixed in nginx 1.17.3, 1.16.1.
Thanks to Jonathan Looney from Netflix for discovering these issues.
--
Maxim Dounin
http://nginx.org/
nginx-1.16.1
Changes with nginx 1.16.1 13.08.2019
*) Security: when using HTTP/2 a client might cause excessive memory consumption and CPU usage (CVE-2019-9511, CVE-2019-9513, CVE-2019-9516).
--
Maxim Dounin
http://nginx.org/
[nginx] HTTP/2: limited number of DATA frames.
details: https://hg.nginx.org/nginx/rev/99b6733876c4 branches: stable-1.16 changeset: 7555:99b6733876c4 user: Ruslan Ermilov date: Tue Aug 13 15:43:36 2019 +0300 description: HTTP/2: limited number of DATA frames. Fixed excessive memory growth and CPU usage if stream windows are manipulated in a way that results in generating many small DATA frames. Fix is to limit the number of simultaneously allocated DATA frames. diffstat: src/http/v2/ngx_http_v2.c | 2 ++ src/http/v2/ngx_http_v2.h | 2 ++ src/http/v2/ngx_http_v2_filter_module.c | 22 +- 3 files changed, 21 insertions(+), 5 deletions(-) diffs (67 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -4369,6 +4369,8 @@ ngx_http_v2_close_stream(ngx_http_v2_str */ pool = stream->pool; +h2c->frames -= stream->frames; + ngx_http_free_request(stream->request, rc); if (pool != h2c->state.pool) { diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h @@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s { ngx_buf_t *preread; +ngx_uint_t frames; + ngx_http_v2_out_frame_t *free_frames; ngx_chain_t *free_frame_headers; ngx_chain_t *free_bufs; diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c --- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c 
@@ -1663,22 +1663,34 @@ static ngx_http_v2_out_frame_t * ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, size_t len, ngx_chain_t *first, ngx_chain_t *last) { -u_charflags; -ngx_buf_t*buf; -ngx_chain_t *cl; -ngx_http_v2_out_frame_t *frame; +u_char flags; +ngx_buf_t *buf; +ngx_chain_t *cl; +ngx_http_v2_out_frame_t *frame; +ngx_http_v2_connection_t *h2c; frame = stream->free_frames; +h2c = stream->connection; if (frame) { stream->free_frames = frame->next; -} else { +} else if (h2c->frames < 1) { frame = ngx_palloc(stream->request->pool, sizeof(ngx_http_v2_out_frame_t)); if (frame == NULL) { return NULL; } + +stream->frames++; +h2c->frames++; + +} else { +ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "http2 flood detected"); + +h2c->connection->error = 1; +return NULL; } flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
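Review bot: in ngx_http_v2_filter_get_data_frame the cap on h2c->frames is a bare numeric literal inside the `else if` condition, and the "http2 flood detected" log line does not report it. A named constant in ngx_http_v2.h would make the bound easier to find and tune. The new failure path also returns NULL exactly like the ngx_palloc failure above it, so callers can tell the two apart only through h2c->connection->error; a short comment at that return would help.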
[nginx] HTTP/2: reject zero length headers with PROTOCOL_ERROR.
details: https://hg.nginx.org/nginx/rev/b19cd299f37c branches: stable-1.16 changeset: 7554:b19cd299f37c user: Sergey Kandaurov date: Tue Aug 13 15:43:32 2019 +0300 description: HTTP/2: reject zero length headers with PROTOCOL_ERROR. Fixed uncontrolled memory growth if peer sends a stream of headers with a 0-length header name and 0-length header value. Fix is to reject headers with zero name length. diffstat: src/http/v2/ngx_http_v2.c | 12 1 files changed, 8 insertions(+), 4 deletions(-) diffs (29 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_htt header->name.len = h2c->state.field_end - h2c->state.field_start; header->name.data = h2c->state.field_start; +if (header->name.len == 0) { +ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "client sent zero header name length"); + +return ngx_http_v2_connection_error(h2c, +NGX_HTTP_V2_PROTOCOL_ERROR); +} + return ngx_http_v2_state_field_len(h2c, pos, end); } @@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_req ngx_uint_t i; ngx_http_core_srv_conf_t *cscf; -if (header->name.len == 0) { -return NGX_ERROR; -} - r->invalid_header = 0; cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
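Review bot: with the `header->name.len == 0` test deleted from ngx_http_v2_validate_header, that function now depends on ngx_http_v2_state_process_header having rejected empty names first, and nothing in the hunk records the dependency. A comment at the top of ngx_http_v2_validate_header, or keeping the cheap check there as a fallback, would protect any other path that reaches it.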
[nginx] Updated OpenSSL used for win32 builds.
details: https://hg.nginx.org/nginx/rev/9544d6ed9017 branches: stable-1.16 changeset: 7553:9544d6ed9017 user: Maxim Dounin date: Tue Jun 25 04:47:43 2019 +0300 description: Updated OpenSSL used for win32 builds. diffstat: misc/GNUmakefile | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diffs (12 lines): diff --git a/misc/GNUmakefile b/misc/GNUmakefile --- a/misc/GNUmakefile +++ b/misc/GNUmakefile @@ -6,7 +6,7 @@ TEMP = tmp CC = cl OBJS = objs.msvc8 -OPENSSL = openssl-1.1.1b +OPENSSL = openssl-1.1.1c ZLIB = zlib-1.2.11 PCRE = pcre-8.43 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[nginx] Version bump.
details: https://hg.nginx.org/nginx/rev/9eede9b069f5 branches: stable-1.16 changeset: 7552:9eede9b069f5 user: Maxim Dounin date: Tue Aug 13 15:48:39 2019 +0300 description: Version bump. diffstat: src/core/nginx.h | 4 ++-- 1 files changed, 2 insertions(+), 2 deletions(-) diffs (14 lines): diff --git a/src/core/nginx.h b/src/core/nginx.h --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -9,8 +9,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1016000 -#define NGINX_VERSION "1.16.0" +#define nginx_version 1016001 +#define NGINX_VERSION "1.16.1" #define NGINX_VER "nginx/" NGINX_VERSION #ifdef NGX_BUILD ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[nginx] nginx-1.17.3-RELEASE
details: https://hg.nginx.org/nginx/rev/ed4303aa1b31 branches: changeset: 7550:ed4303aa1b31 user: Maxim Dounin date: Tue Aug 13 15:45:56 2019 +0300 description: nginx-1.17.3-RELEASE diffstat: docs/xml/nginx/changes.xml | 40 1 files changed, 40 insertions(+), 0 deletions(-) diffs (50 lines): diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml --- a/docs/xml/nginx/changes.xml +++ b/docs/xml/nginx/changes.xml @@ -5,6 +5,46 @@ + + + + +при использовании HTTP/2 клиент мог вызвать +чрезмерное потребление памяти и ресурсов процессора +(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + +when using HTTP/2 a client might cause +excessive memory consumption and CPU usage +(CVE-2019-9511, CVE-2019-9513, CVE-2019-9516). + + + + + +при использовании сжатия в логах могли появляться сообщения "zero size buf"; +ошибка появилась в 1.17.2. + + +"zero size buf" alerts might appear in logs when using gzipping; +the bug had appeared in 1.17.2. + + + + + +при использовании директивы resolver в SMTP прокси-сервере +в рабочем процессе мог произойти segmentation fault. + + +a segmentation fault might occur in a worker process +if the "resolver" directive was used in SMTP proxy. + + + + + + ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[nginx] release-1.17.3 tag
details: https://hg.nginx.org/nginx/rev/d30b1a99fcd0 branches: changeset: 7551:d30b1a99fcd0 user: Maxim Dounin date: Tue Aug 13 15:45:57 2019 +0300 description: release-1.17.3 tag diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff --git a/.hgtags b/.hgtags --- a/.hgtags +++ b/.hgtags @@ -441,3 +441,4 @@ 0130ca3d58437b3c7c707c813d530c68da9a 054c1c46395caff79bb4caf16f40b331f71bb6dd release-1.17.0 7816bd7dabf6ee86c53c073b90a7143161546e06 release-1.17.1 2fc9f853a6b7cd29dc84e0af2ed3cf78e0da6ca8 release-1.17.2 +ed4303aa1b31a9aad5440640c0840d9d0af45fed release-1.17.3 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[nginx] HTTP/2: limited number of PRIORITY frames.
details: https://hg.nginx.org/nginx/rev/45415228990b branches: changeset: 7549:45415228990b user: Ruslan Ermilov date: Tue Aug 13 15:43:40 2019 +0300 description: HTTP/2: limited number of PRIORITY frames. Fixed excessive CPU usage caused by a peer that continuously shuffles priority of streams. Fix is to limit the number of PRIORITY frames. diffstat: src/http/v2/ngx_http_v2.c | 10 ++ src/http/v2/ngx_http_v2.h | 1 + 2 files changed, 11 insertions(+), 0 deletions(-) diffs (45 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -273,6 +273,7 @@ ngx_http_v2_init(ngx_event_t *rev) h2scf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_v2_module); h2c->concurrent_pushes = h2scf->concurrent_pushes; +h2c->priority_limit = h2scf->concurrent_streams; h2c->pool = ngx_create_pool(h2scf->pool_size, h2c->connection->log); if (h2c->pool == NULL) { @@ -1804,6 +1805,13 @@ ngx_http_v2_state_priority(ngx_http_v2_c return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_SIZE_ERROR); } +if (--h2c->priority_limit == 0) { +ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "client sent too many PRIORITY frames"); + +return ngx_http_v2_connection_error(h2c, NGX_HTTP_V2_ENHANCE_YOUR_CALM); +} + if (end - pos < NGX_HTTP_V2_PRIORITY_SIZE) { return ngx_http_v2_state_save(h2c, pos, end, ngx_http_v2_state_priority); @@ -3120,6 +3128,8 @@ ngx_http_v2_create_stream(ngx_http_v2_co h2c->processing++; } +h2c->priority_limit += h2scf->concurrent_streams; + return stream; } diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h @@ -122,6 +122,7 @@ struct ngx_http_v2_connection_s { ngx_uint_t processing; ngx_uint_t frames; ngx_uint_t idle; +ngx_uint_t priority_limit; ngx_uint_t pushing; ngx_uint_t concurrent_pushes; ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
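Review bot: `h2c->priority_limit` is an ngx_uint_t that starts at `h2scf->concurrent_streams` and is tested with a pre-decrement against zero in ngx_http_v2_state_priority, so if concurrent_streams is configured as 0 the first PRIORITY frame wraps the counter and the limit never fires. A guard for a zero budget before the decrement would close that, and the new field in ngx_http_v2_connection_s could use a one-line comment saying it is a remaining budget that ngx_http_v2_create_stream tops up by concurrent_streams per stream.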
[nginx] HTTP/2: reject zero length headers with PROTOCOL_ERROR.
details: https://hg.nginx.org/nginx/rev/4f4b83f00cf1 branches: changeset: 7547:4f4b83f00cf1 user: Sergey Kandaurov date: Tue Aug 13 15:43:32 2019 +0300 description: HTTP/2: reject zero length headers with PROTOCOL_ERROR. Fixed uncontrolled memory growth if peer sends a stream of headers with a 0-length header name and 0-length header value. Fix is to reject headers with zero name length. diffstat: src/http/v2/ngx_http_v2.c | 12 1 files changed, 8 insertions(+), 4 deletions(-) diffs (29 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -1546,6 +1546,14 @@ ngx_http_v2_state_process_header(ngx_htt header->name.len = h2c->state.field_end - h2c->state.field_start; header->name.data = h2c->state.field_start; +if (header->name.len == 0) { +ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "client sent zero header name length"); + +return ngx_http_v2_connection_error(h2c, +NGX_HTTP_V2_PROTOCOL_ERROR); +} + return ngx_http_v2_state_field_len(h2c, pos, end); } @@ -3249,10 +3257,6 @@ ngx_http_v2_validate_header(ngx_http_req ngx_uint_t i; ngx_http_core_srv_conf_t *cscf; -if (header->name.len == 0) { -return NGX_ERROR; -} - r->invalid_header = 0; cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module); ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
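Review bot: The second hunk drops the header->name.len == 0 guard from ngx_http_v2_validate_header(), which leaves that function depending on ngx_http_v2_state_process_header() having already rejected empty names. If ngx_http_v2_validate_header() can be reached by any path that does not pass through the new check, an empty name now gets into the rest of the function; either keep the cheap guard or add a comment stating the precondition. The severity change is also worth stating in the description: an empty name used to fail validation with NGX_ERROR and now closes the whole connection with NGX_HTTP_V2_PROTOCOL_ERROR.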
[nginx] HTTP/2: limited number of DATA frames.
details: https://hg.nginx.org/nginx/rev/99257b06b0bd branches: changeset: 7548:99257b06b0bd user: Ruslan Ermilov date: Tue Aug 13 15:43:36 2019 +0300 description: HTTP/2: limited number of DATA frames. Fixed excessive memory growth and CPU usage if stream windows are manipulated in a way that results in generating many small DATA frames. Fix is to limit the number of simultaneously allocated DATA frames. diffstat: src/http/v2/ngx_http_v2.c | 2 ++ src/http/v2/ngx_http_v2.h | 2 ++ src/http/v2/ngx_http_v2_filter_module.c | 22 +- 3 files changed, 21 insertions(+), 5 deletions(-) diffs (67 lines): diff --git a/src/http/v2/ngx_http_v2.c b/src/http/v2/ngx_http_v2.c --- a/src/http/v2/ngx_http_v2.c +++ b/src/http/v2/ngx_http_v2.c @@ -4369,6 +4369,8 @@ ngx_http_v2_close_stream(ngx_http_v2_str */ pool = stream->pool; +h2c->frames -= stream->frames; + ngx_http_free_request(stream->request, rc); if (pool != h2c->state.pool) { diff --git a/src/http/v2/ngx_http_v2.h b/src/http/v2/ngx_http_v2.h --- a/src/http/v2/ngx_http_v2.h +++ b/src/http/v2/ngx_http_v2.h @@ -192,6 +192,8 @@ struct ngx_http_v2_stream_s { ngx_buf_t *preread; +ngx_uint_t frames; + ngx_http_v2_out_frame_t *free_frames; ngx_chain_t *free_frame_headers; ngx_chain_t *free_bufs; diff --git a/src/http/v2/ngx_http_v2_filter_module.c b/src/http/v2/ngx_http_v2_filter_module.c --- a/src/http/v2/ngx_http_v2_filter_module.c +++ b/src/http/v2/ngx_http_v2_filter_module.c 
@@ -1669,22 +1669,34 @@ static ngx_http_v2_out_frame_t * ngx_http_v2_filter_get_data_frame(ngx_http_v2_stream_t *stream, size_t len, ngx_chain_t *first, ngx_chain_t *last) { -u_charflags; -ngx_buf_t*buf; -ngx_chain_t *cl; -ngx_http_v2_out_frame_t *frame; +u_char flags; +ngx_buf_t *buf; +ngx_chain_t *cl; +ngx_http_v2_out_frame_t *frame; +ngx_http_v2_connection_t *h2c; frame = stream->free_frames; +h2c = stream->connection; if (frame) { stream->free_frames = frame->next; -} else { +} else if (h2c->frames < 1) { frame = ngx_palloc(stream->request->pool, sizeof(ngx_http_v2_out_frame_t)); if (frame == NULL) { return NULL; } + +stream->frames++; +h2c->frames++; + +} else { +ngx_log_error(NGX_LOG_INFO, h2c->connection->log, 0, + "http2 flood detected"); + +h2c->connection->error = 1; +return NULL; } flags = last->buf->last_buf ? NGX_HTTP_V2_END_STREAM_FLAG : 0; ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
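Review bot: h2c->frames -= stream->frames in the ngx_http_v2_close_stream() hunk is the only place in this patch where the connection counter goes down, and it is correct only because the frames are allocated from stream->request->pool and go away with the request freed on the next line. A one-line comment tying the subtraction to that pool lifetime would protect the accounting if frame allocation ever moves to another pool.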
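Review bot: In ngx_http_v2_filter_get_data_frame() the cap on h2c->frames is a bare numeric literal inside the else-if condition; a named constant with a comment on how the value was chosen would make it reviewable and tunable. The flood branch also returns NULL exactly like the ngx_palloc() failure branch, so the caller cannot tell the two apart; if setting h2c->connection->error = 1 is all the caller needs, say so in a comment.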
njs-0.3.4
Hello,

I'm glad to announce a new release of NGINX JavaScript module (njs).

This release proceeds to extend the coverage of ECMAScript specifications. Apart from specs conformance, fuzzing under Memory-Sanitizer is introduced, which allowed us to catch new types of bugs.

Notable new features:

- Shorthand method names (ES2015):
  : > ({foo(){return 123}}).foo() // ({foo:function(){return 123}})
  : 123

- Computed property names (ES2015):
  : > ({['b' + 'ar']:123}).bar
  : 123

- added getter/setter literal support:
  : > ({get foo(){return 123}}).foo
  : 123
  : > ({get ['f' + 'oo'](){return 123}}).foo
  : 123

You can learn more about njs:

- Overview and introduction: http://nginx.org/en/docs/njs/
- Presentation: https://youtu.be/Jc_L6UffFOs

Feel free to try it and give us feedback on:

- Github: https://github.com/nginx/njs/issues
- Mailing list: http://mailman.nginx.org/mailman/listinfo/nginx-devel

Changes with njs 0.3.4                                         13 Aug 2019

Core:

*) Feature: added Object shorthand methods and computed property names. Thanks to 洪志道 (Hong Zhi Dao) and Artem S. Povalyukhin.
*) Feature: added getter/setter literal support. Thanks to 洪志道 (Hong Zhi Dao) and Artem S. Povalyukhin.
*) Feature: added fs.renameSync().
*) Feature: added String.prototype.trimStart() and String.prototype.trimEnd().
*) Improvement: added memory-sanitizer support.
*) Improvement: Unicode case tables updated to version 12.1.
*) Improvement: added UTF8 validation for string literals.
*) Bugfix: fixed reading files with zero size in fs.readFileSync().
*) Bugfix: extended the list of space separators in String.prototype.trim().
*) Bugfix: fixed using of uninitialized value in String.prototype.padStart().
*) Bugfix: fixed String.prototype.replace() for '$0' and '$&' replacement string.
*) Bugfix: fixed String.prototype.replace() for byte strings with regex argument.
*) Bugfix: fixed global match in String.prototype.replace() with regexp argument.
*) Bugfix: fixed Array.prototype.slice() for primitive types.
*) Bugfix: fixed heap-buffer-overflow while importing module.
*) Bugfix: fixed UTF-8 character escaping.
*) Bugfix: fixed Object.values() and Object.entries() for shared objects.
*) Bugfix: fixed uninitialized memory access in String.prototype.match().
*) Bugfix: fixed String.prototype.match() for byte strings with regex argument.
*) Bugfix: fixed Array.prototype.lastIndexOf() with undefined arguments.
*) Bugfix: fixed String.prototype.substring() with empty substring.
*) Bugfix: fixed invalid memory access in String.prototype.substring().
*) Bugfix: fixed String.fromCharCode() for code points > 65535 and NaN.
*) Bugfix: fixed String.prototype.toLowerCase() and String.prototype.toUpperCase().
*) Bugfix: fixed Error() constructor with no arguments.
*) Bugfix: fixed "in" operator for values with accessor descriptors.
*) Bugfix: fixed Object.defineProperty() for non-boolean descriptor props.
*) Bugfix: fixed Error.prototype.toString() with UTF8 string properties.
*) Bugfix: fixed Error.prototype.toString() with non-string values for "name" and "message".
Re: Can we use JWT authentication with Nginx Open source version?
On Mon, Aug 12, 2019 at 01:14:46AM -0400, blason wrote:

Hi there,

> I was referring lot of other articles on internet and seems that jwt
> authentication is only possible with Nginx plus version; wondering if this
> is possible with Nginx Open source version as well?

When I search in Google for "nginx jwt", the first few results are on nginx.com domains which eventually refer to http://nginx.org/en/docs/http/ngx_http_auth_jwt_module.html which says it is in the commercial subscription.

The next few results are on github.com domains; one is a third-party module which claims to "do" jwt; and another is a Lua script that does the same in conjunction with the "openresty" distribution of nginx.

Perhaps one of those can be used to do what you want?

Good luck with it,

	f
-- 
Francis Daly        fran...@daoine.org
Re: How to get nginx + uwsgi to exec, not display, perl cgi script?
On Mon, Aug 12, 2019 at 09:37:49AM -0700, ko...@mailc.net wrote:

Hi there,

> I run Nginx as my webserver. Usually with PHP, using fpm.
>
> Gitweb's gitweb.cgi looks like it needs perl CGI.
>
> For perl cgi I'm trying to get it working with UWSGI,

Why? UWSGI and CGI are different things.

For what it's worth, when I search Google for "nginx gitweb", the first few results all suggest to use "fastcgi". (Which is also different from CGI; but there are some well-known fastcgi-wrapper services that handle those differences.)

When I search for "nginx gitweb uwsgi" there are not a lot of immediately-obviously-relevant results.

So if the aim is "run gitweb, behind nginx", then probably "use fastcgi" is the path of least resistance.

If the aim is to use uwsgi, then you will probably want to investigate how to make *this* cgi script accessible via the uwsgi protocol -- maybe there is a generic uwsgi/cgi wrapping tool; or maybe this cgi script has a works-with-another-protocol mode.

Good luck with it,

	f
-- 
Francis Daly        fran...@daoine.org
[njs] Added detection of address sanitizer.
details: https://hg.nginx.org/njs/rev/ab443df0d924 branches: changeset: 1126:ab443df0d924 user: Dmitry Volyntsev date: Tue Aug 13 16:04:10 2019 +0300 description: Added detection of address sanitizer. diffstat: auto/clang | 20 src/test/njs_unit_test.c | 4 ++-- 2 files changed, 22 insertions(+), 2 deletions(-) diffs (51 lines): diff -r 21b7a2d31852 -r ab443df0d924 auto/clang --- a/auto/clangTue Aug 13 15:15:42 2019 +0300 +++ b/auto/clangTue Aug 13 16:04:10 2019 +0300 @@ -291,6 +291,26 @@ njs_feature_test="int n __attribute__ (( . auto/feature +njs_feature="Address sanitizer" +njs_feature_name=NJS_HAVE_ADDRESS_SANITIZER +njs_feature_run=no +njs_feature_path= +njs_feature_libs= +njs_feature_test="int main(void) { + return + #ifdef __SANITIZE_ADDRESS__ + 0; + #else + #if defined(__has_feature) + #if __has_feature(address_sanitizer) + 0; + #endif + #endif + #endif + }" +. auto/feature + + njs_feature="Memory sanitizer" njs_feature_name=NJS_HAVE_MEMORY_SANITIZER njs_feature_run=yes diff -r 21b7a2d31852 -r ab443df0d924 src/test/njs_unit_test.c --- a/src/test/njs_unit_test.c Tue Aug 13 15:15:42 2019 +0300 +++ b/src/test/njs_unit_test.c Tue Aug 13 16:04:10 2019 +0300 @@ -4163,7 +4163,7 @@ static njs_unit_test_t njs_test[] = "Array.prototype.fill.call(o, 2).a"), njs_str("4") }, -#if (!NJS_HAVE_MEMORY_SANITIZER) /* MSAN limits stack size */ +#if (!NJS_HAVE_ADDRESS_SANITIZER && !NJS_HAVE_MEMORY_SANITIZER) /* limited stack size */ { njs_str("var o = Object({length: 3});" "Object.defineProperty(o, '0', {set: function(v){this[0] = 2 * v}});" "Array.prototype.fill.call(o, 2)"), 
@@ -6421,7 +6421,7 @@ static njs_unit_test_t njs_test[] = { njs_str("{ function f() {} { var f }}"), njs_str("SyntaxError: \"f\" has already been declared in 1") }, -#if (!NJS_HAVE_MEMORY_SANITIZER) /* MSAN limits stack size */ +#if (!NJS_HAVE_ADDRESS_SANITIZER && !NJS_HAVE_MEMORY_SANITIZER) /* limited stack size */ { njs_str("function f() { return f() } f()"), njs_str("RangeError: Maximum call stack size exceeded") }, #endif ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
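Review bot: The feature test added to auto/clang detects ASan by making the program fail to compile: when neither __SANITIZE_ADDRESS__ nor __has_feature(address_sanitizer) holds, the return statement is left without an expression or semicolon. That works with njs_feature_run=no, but it is not obvious on first read and any unrelated compile failure is also read as "no ASan"; a comment above njs_feature_test explaining the trick, or an explicit #error in the fallback branches, would make the intent clear.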
[njs] Added tag 0.3.4 for changeset 8eadbb3a7c7b
details: https://hg.nginx.org/njs/rev/b55b9f92036f branches: changeset: 1128:b55b9f92036f user: Dmitry Volyntsev date: Tue Aug 13 16:13:53 2019 +0300 description: Added tag 0.3.4 for changeset 8eadbb3a7c7b diffstat: .hgtags | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diffs (8 lines): diff -r 8eadbb3a7c7b -r b55b9f92036f .hgtags --- a/.hgtags Tue Aug 13 16:13:28 2019 +0300 +++ b/.hgtags Tue Aug 13 16:13:53 2019 +0300 @@ -27,3 +27,4 @@ 1935ab4643fdaec5b4a8c36070f4d2cb8e3799d7 ebfbdb8d8fe2f640d880359575657cb53e38328f 0.3.1 82101d50fff6e4c7a92c0542a3d6026ff7e462fb 0.3.2 c65a4be9867d434ca449a18d868305d5dcd5b91b 0.3.3 +8eadbb3a7c7b7c3426f73adabfa251cd9d296752 0.3.4 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
[njs] Fixed dead store assignment in njs_fs_rename_sync().
details: https://hg.nginx.org/njs/rev/21b7a2d31852 branches: changeset: 1125:21b7a2d31852 user: Dmitry Volyntsev date: Tue Aug 13 15:15:42 2019 +0300 description: Fixed dead store assignment in njs_fs_rename_sync(). Found by clang static analyzer. diffstat: src/njs_fs.c | 38 +++--- 1 files changed, 11 insertions(+), 27 deletions(-) diffs (92 lines): diff -r 5f2162f7c3df -r 21b7a2d31852 src/njs_fs.c --- a/src/njs_fs.c Mon Aug 12 21:04:50 2019 +0300 +++ b/src/njs_fs.c Tue Aug 13 15:15:42 2019 +0300 @@ -273,12 +273,8 @@ done: } if (description != 0) { -ret = njs_fs_error(vm, syscall, description, [1], errn, - [1]); - -if (njs_slow_path(ret != NJS_OK)) { -return NJS_ERROR; -} +(void) njs_fs_error(vm, syscall, description, [1], errn, +[1]); njs_set_undefined([2]); @@ -497,10 +493,8 @@ done: } if (description != 0) { -(void) njs_fs_error(vm, syscall, description, [1], errn, +return njs_fs_error(vm, syscall, description, [1], errn, >retval); - -return NJS_ERROR; } return NJS_OK; @@ -714,12 +708,8 @@ done: } if (description != 0) { -ret = njs_fs_error(vm, syscall, description, [1], errn, - [1]); - -if (njs_slow_path(ret != NJS_OK)) { -return NJS_ERROR; -} +(void) njs_fs_error(vm, syscall, description, [1], errn, +[1]); } else { njs_set_undefined([1]); @@ -891,12 +881,8 @@ done: } if (description != 0) { -ret = njs_fs_error(vm, syscall, description, [1], errn, - >retval); - -if (njs_slow_path(ret != NJS_OK)) { -return NJS_ERROR; -} +return njs_fs_error(vm, syscall, description, [1], errn, +>retval); } else { njs_set_undefined(>retval); @@ -935,9 +921,8 @@ njs_fs_rename_sync(njs_vm_t *vm, njs_val ret = rename(old_path, new_path); if (njs_slow_path(ret != 0)) { -ret = njs_fs_error(vm, "rename", strerror(errno), NULL, errno, - >retval); -return NJS_ERROR; +return njs_fs_error(vm, "rename", strerror(errno), NULL, errno, +>retval); } njs_set_undefined(>retval); 
@@ -972,9 +957,8 @@ njs_fs_fd_read(njs_vm_t *vm, njs_value_t n = read(fd, p, end - p); if (njs_slow_path(n < 0)) { -(void) njs_fs_error(vm, "read", strerror(errno), path, errno, +return njs_fs_error(vm, "read", strerror(errno), path, errno, >retval); -return NJS_ERROR; } p += n; @@ -1101,7 +1085,7 @@ njs_fs_error(njs_vm_t *vm, const char *s njs_set_type_object(retval, error, NJS_OBJECT_ERROR); -return NJS_OK; +return NJS_ERROR; } ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
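Review bot: In the hunks at -273 and -714 the result of njs_fs_error() is now cast to void, where the removed lines returned NJS_ERROR when the call did not return NJS_OK. A failure inside njs_fs_error() on these callback paths is therefore no longer noticed, and execution continues as if the error value had been built. Consider keeping a distinguishable failure result for these two call sites, or add a comment explaining why it is safe to continue.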
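Review bot: The last hunk, at -1101, changes the normal exit of njs_fs_error() from NJS_OK to NJS_ERROR, which is a contract change for every caller, while the description names only njs_fs_rename_sync(). A comment above njs_fs_error() stating that it returns NJS_ERROR after setting retval, so that "return njs_fs_error(...)" is the intended idiom, and a description that mentions the other touched call sites would match what the patch does.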
[njs] Version 0.3.4.
details: https://hg.nginx.org/njs/rev/8eadbb3a7c7b branches: changeset: 1127:8eadbb3a7c7b user: Dmitry Volyntsev date: Tue Aug 13 16:13:28 2019 +0300 description: Version 0.3.4. diffstat: CHANGES | 79 + 1 files changed, 79 insertions(+), 0 deletions(-) diffs (86 lines): diff -r ab443df0d924 -r 8eadbb3a7c7b CHANGES --- a/CHANGES Tue Aug 13 16:04:10 2019 +0300 +++ b/CHANGES Tue Aug 13 16:13:28 2019 +0300 
@@ -1,3 +1,82 @@ + +Changes with njs 0.3.4 13 Aug 2019 + +Core: +*) Feature: added Object shorthand methods and computed property + names. Thanks to 洪志道 (Hong Zhi Dao) and Artem S. Povalyukhin. + +*) Feature: added getter/setter literal support. + Thanks to 洪志道 (Hong Zhi Dao) and Artem S. Povalyukhin. + +*) Feature: added fs.renameSync(). + +*) Feature: added String.prototype.trimStart() and + String.prototype.trimEnd(). + +*) Improvement: added memory-sanitizer support. + +*) Improvement: Unicode case tables updated to version 12.1. + +*) Improvement: added UTF8 validation for string literals. + +*) Bugfix: fixed reading files with zero size in fs.readFileSync(). + +*) Bugfix: extended the list of space separators in + String.prototype.trim(). + +*) Bugfix: fixed using of uninitialized value in + String.prototype.padStart(). + +*) Bugfix: fixed String.prototype.replace() for '$0' and '$&' + replacement string. + +*) Bugfix: fixed String.prototype.replace() for byte strings with + regex argument. + +*) Bugfix: fixed global match in String.prototype.replace() + with regexp argument. + +*) Bugfix: fixed Array.prototype.slice() for primitive types. + +*) Bugfix: fixed heap-buffer-overflow while importing module. + +*) Bugfix: fixed UTF-8 character escaping. + +*) Bugfix: fixed Object.values() and Object.entries() for shared + objects. + +*) Bugfix: fixed uninitialized memory access in + String.prototype.match(). + +*) Bugfix: fixed String.prototype.match() for byte strings with + regex argument. + +*) Bugfix: fixed Array.prototype.lastIndexOf() with undefined + arguments. + +*) Bugfix: fixed String.prototype.substring() with empty substring. + +*) Bugfix: fixed invalid memory access in + String.prototype.substring(). + +*) Bugfix: fixed String.fromCharCode() for code points > 65535 + and NaN. + +*) Bugfix: fixed String.prototype.toLowerCase() and + String.prototype.toUpperCase(). + +*) Bugfix: fixed Error() constructor with no arguments. 
+ +*) Bugfix: fixed "in" operator for values with accessor descriptors. + +*) Bugfix: fixed Object.defineProperty() for non-boolean descriptor + props. + +*) Bugfix: fixed Error.prototype.toString() with UTF8 string + properties. + +*) Bugfix: fixed Error.prototype.toString() with non-string values + for "name" and "message". Changes with njs 0.3.3 25 Jun 2019 ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel
Re: 502 Bad Gateway
Hello!

On Mon, Aug 12, 2019 at 11:35:12PM -0400, Ken Wright wrote:

> I'm running nginx 1.14.0 on Ubuntu Server 18.04 with PHP 7.2.19 and as
> of this morning I'm getting 502 errors when I try to log into Nextcloud
> (16.0.3, if it matters). I know I've seen fixes for 502 before, but
> nothing I've been able to find thus far has helped. Further information
> available on request, if anyone wants to help. Thanks in advance!

The 502 error suggests that your backend isn't responding properly. nginx error log might contain some additional details about the problem, though in general you have to look into what's happened with your backend and how to fix it.

-- 
Maxim Dounin
http://mdounin.ru/
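A small triage script for the error-log check suggested in the reply above, as an added example that is not part of the original message. The sample log lines are constructed, and the cause labels and hints are this example's own wording; the matched phrases are standard nginx upstream error messages.

```python
import re
from collections import Counter

# Constructed sample in nginx error_log format (addresses are documentation ranges).
SAMPLE_LOG = """\
2019/08/12 22:48:51 [error] 8274#8274: *1 upstream sent too big header while reading response header from upstream, client: 192.0.2.10, server: _, request: "GET /app/index.php HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "192.0.2.1"
2019/08/12 22:49:02 [crit] 8274#8274: *3 connect() to unix:/var/run/php/php7.2-fpm.sock failed (2: No such file or directory) while connecting to upstream, client: 192.0.2.10, server: _, request: "GET /app/ HTTP/1.1", upstream: "fastcgi://unix:/var/run/php/php7.2-fpm.sock:", host: "192.0.2.1"
2019/08/12 22:49:09 [error] 8274#8274: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 192.0.2.10, server: _, request: "GET /app/ HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "192.0.2.1"
2019/08/12 22:49:15 [error] 8274#8274: *7 open() "/var/www/html/favicon.ico" failed (2: No such file or directory), client: 192.0.2.10, server: _, request: "GET /favicon.ico HTTP/1.1", host: "192.0.2.1"
"""

# Shape of an error_log line: time, [level], pid#tid:, optional *connection, message.
LINE_RE = re.compile(
    r"^(?P<time>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] "
    r"\d+#\d+: (?:\*\d+ )?(?P<msg>.*)$"
)
UPSTREAM_RE = re.compile(r'upstream: "(?P<upstream>[^"]*)"')

# (pattern, label, what to check). Labels and hints are this example's own wording.
RULES = [
    (re.compile(r"upstream sent too big header"), "header_too_big",
     "backend response header exceeds the buffer: fastcgi_buffer_size / proxy_buffer_size"),
    (re.compile(r"connect\(\) to unix:\S+ failed \(2: "), "socket_missing",
     "socket path does not exist: is the backend running, does the path match its listen setting"),
    (re.compile(r"connect\(\) to unix:\S+ failed \(13: "), "socket_permission",
     "nginx worker user cannot open the socket: check socket owner, group and mode"),
    (re.compile(r"connect\(\) failed \(111: "), "connection_refused",
     "nothing is listening on the upstream address: check the backend service and port"),
    (re.compile(r"upstream prematurely closed connection"), "backend_closed",
     "backend exited or crashed mid-request: read the backend's own log"),
    (re.compile(r"recv\(\) failed \(104: "), "backend_reset",
     "backend reset the connection: read the backend's own log"),
]


def triage(log_text):
    """Return one dict per upstream-related error line, in log order."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        up = UPSTREAM_RE.search(m["msg"])
        if not up:
            continue  # not an upstream error (e.g. a missing static file)
        cause, hint = "other_upstream", "unclassified upstream error: read the full message"
        for pattern, label, advice in RULES:
            if pattern.search(m["msg"]):
                cause, hint = label, advice
                break
        events.append({"time": m["time"], "level": m["level"], "cause": cause,
                       "upstream": up["upstream"], "hint": hint})
    return events


def summarize(events):
    """Count events per (cause, upstream) so the dominant failure stands out."""
    return Counter((e["cause"], e["upstream"]) for e in events)


if __name__ == "__main__":
    for (cause, upstream), n in summarize(triage(SAMPLE_LOG)).most_common():
        print(f"{n:3d}  {cause:20s} {upstream}")
```

To use it on a real server, pass the contents of the nginx error log to triage() in place of SAMPLE_LOG.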