Re: encrypted client hello (ECH) question

2023-06-01 Thread Mathew Heard
Pretty cool. I'm still reading up on each but can this also be done for https termination? Is the SSL pre-read limitation the main issue there? On Thu, 1 Jun 2023, 9:31 pm Stephen Farrell, wrote: > > Hi all, > > I've been working on implementing TLS encrypted client hello > (ECH, [1]) in the

Re: Thread Pool memory ownership

2023-06-01 Thread Mathew Heard
- Mathew On Wed, 31 May 2023, 12:15 pm Maxim Dounin, wrote: > Hello! > > On Wed, May 31, 2023 at 01:26:35AM +1000, Mathew Heard wrote: > > > I've been going through the threadpool code for native modules in an > > attempt to fix a third party module with what appears to be a

Thread Pool memory ownership

2023-05-30 Thread Mathew Heard
Hi, I've been going through the threadpool code for native modules in an attempt to fix a third party module with what appears to be a use-after-free error looking for inspiration. I thought I would see a strategy to prevent thread pool tasks that are in the queue for processing being freed when

Re: [PATCH] Add ssl_provider directive (ticket #2449)

2023-03-04 Thread Mathew Heard
By the way, have you benchmarked this? On Sun, 5 Mar 2023, 11:55 am Nick Bogdanov, wrote: > # HG changeset patch > # User Nick Bogdanov > # Date 1677975659 28800 > # Sat Mar 04 16:20:59 2023 -0800 > # Node ID 8cb34ae16de2408cbe91832194baac6ae299f251 > # Parent

Re: [PATCH] fix weakness by logging of broken header by incorect proxy protocol (IDS/IPS/LOG-analysis)

2022-09-28 Thread Mathew Heard
I really like the making safe of the error log as opposed to truncation. The more information logged in cases like this the better. Alternatively what about something that indicates further data was truncated? On Wed, 28 Sep 2022, 21:07 Dipl. Ing. Sergey Brester via nginx-devel, <

Re: [nginx] PCRE2 and PCRE binary compatibility.

2021-12-25 Thread Mathew Heard
By the way, have you seen sregex? Given it's built with many of the same principles as nginx and PREG(1/2) compatible maybe it might be of interest? And Merry Christmas for those who celebrate. On Sat, 25 Dec 2021 at 09:11, Maxim Dounin wrote: > > details:

Re: [PATCH] Add io_uring support in AIO(async io) module

2021-08-25 Thread Mathew Heard
If there are performance regressions perhaps these could be documented in the events documentation. Something along the lines of a recommended minimum kernel. On Thu, 26 Aug 2021 at 11:48, Zhao, Ping wrote: > > Hi Maxim, > > It's been long time and I lost the mail thread. Is it now the good time

Re: [PATCH] Rename referrer to referer in error log

2021-07-08 Thread Mathew Heard
I'm just a user of nginx making a comment. Simple patch, valuable find, potentially far reaching annoyance. On Thu, 8 Jul 2021, 7:33 pm Jérémie Drouet, wrote: > Ok, so what should I do now? Does it mean it cannot be done? > > On Thu, Jul 8, 2021 at 11:31 AM Mathew Heard wrote: > >

Re: [PATCH] Rename referrer to referer in error log

2021-07-08 Thread Mathew Heard
This should be a major release patch. It's breaking for everyone passing the error log. On Thu, 8 Jul 2021, 7:17 pm Jeremie Drouet, wrote: > # HG changeset patch > # User Jeremie Drouet > # Date 1625150632 -7200 > # Thu Jul 01 16:43:52 2021 +0200 > # Node ID

Re: Adding a second TLS implementation

2021-02-10 Thread Mathew Heard
Kevin, BoringSSL is already for the most part supported (in code, if not officially) if I am not mistaken On Thu, 11 Feb 2021 at 12:02, Kevin Burke wrote: > Hi, > There has been a recent push by some members of the security community to > try to make more critical code run in memory safe

Re: [PATCH 8 of 8] new io_uring event module

2020-11-24 Thread Mathew Heard
SoYun, Interesting patchset. Have you by chance also tested proxy_pass / fastcgi_pass performance? I'd be interested to know if the significant performance improvement was due to filesystem interaction or socket. Regards, Mathew On Tue, 24 Nov 2020 at 19:43, SoYun Seong wrote: > # HG

Trac #915 - "Upgrade" header should not be proxied over h2

2020-07-29 Thread Mathew Heard
Hi All, If anyone else is searching for a better solution to this bug (perhaps in Apache) the following nginx patch works for me https://github.com/splitice/nginx/commit/a91fdb43793f006bda06d980a89fd1dfb428ebee Tested on 3 different iOS devices and an Apache h2 backend.

Re: SO_REUSEPORT

2019-05-03 Thread Mathew Heard
Maxim, Which patches / modules would you consider highly questionable? On Sat, May 4, 2019 at 10:15 AM Maxim Dounin wrote: > Hello! > > On Sat, May 04, 2019 at 09:02:20AM +1000, Mathew Heard wrote: > > [...] > > > It is a reduced version (less additional module

Re: SO_REUSEPORT

2019-05-03 Thread Mathew Heard
triggering binary reloads is not enough, something has to happen between them and I'm not yet sure what. On Sat, May 4, 2019 at 8:52 AM Maxim Dounin wrote: > Hello! > > On Thu, May 02, 2019 at 08:51:41PM +1000, Mathew Heard wrote: > > > Got a little bit further and confirmed

Re: SO_REUSEPORT

2019-05-02 Thread Mathew Heard
on; master_process on; 2800 is nginx.old, also (nginx/1.15.8) as we did 2 builds with slightly different compile options. The processes do not respond to nice kill signals, only a -9 was able to kill it. On Wed, Apr 24, 2019 at 10:38 AM Mathew Heard wrote: > Yesterday one of my techs repor

Re: SO_REUSEPORT

2019-04-23 Thread Mathew Heard
Yesterday one of my techs reported that a production server had an nginx worker sitting at 99.9% CPU usage in top and not accepting new connections (but getting its share distributed due to SO_REUSEPORT). I thought this might be related. The worker's age was significantly older than its peers so

Re: SO_REUSEPORT

2019-02-01 Thread Mathew Heard
2019 at 1:13 AM Maxim Dounin wrote: > Hello! > > On Fri, Feb 01, 2019 at 11:04:50AM +1100, Mathew Heard wrote: > > > Hit a rather strange issue today on a production service where during a > > configuration reload (evident by the worker processes in the process of

Re: SO_REUSEPORT

2019-02-01 Thread Mathew Heard
No I did not change the number of workers, or anything core. The configuration change would have been related to a specific server block (add/remove/update) as carried out by our tooling. On Sat, Feb 2, 2019 at 1:04 AM Valentin V. Bartenev wrote: > On Friday 01 February 2019 11:04:50 Mat

Re: Use primes for hashtable size

2017-06-02 Thread Mathew Heard
, 2017 at 9:46 PM, Maxim Dounin <mdou...@mdounin.ru> wrote: > Hello! > > On Fri, Jun 02, 2017 at 10:56:31AM +1000, Mathew Heard wrote: > > > If this actually yields a decrease in start time while not introducing > > other effects we would use it. Our start time of a

Re: Use primes for hashtable size

2017-06-01 Thread Mathew Heard
If this actually yields a decrease in start time while not introducing other effects we would use it. Our start time of a couple minutes is annoying at times. On Fri, Jun 2, 2017 at 3:57 AM, Andrew Borodin wrote: > 2017-06-01 22:39 GMT+05:00 Maxim Dounin