Re: Fwd: Windows shmem fix: makes shared memory fully ASLR and DEP compliant (ea. cache zone, limit zone, etc.)

2015-04-23 Thread Sergey Brester
: Hello! On Wed, Apr 22, 2015 at 09:45:45AM +0200, Sergey Brester wrote: enclosed you will find an attached changeset, that fixes an ASLR/DEP problem on windows platforms (example Win 7/2008 x64). To find shared addr offset with ASLR, we have successfully used the same resp. similar solution

Fwd: Windows shmem fix: makes shared memory fully ASLR and DEP compliant (ea. cache zone, limit zone, etc.)

2015-04-22 Thread Sergey Brester
Hi, enclosed you will find an attached changeset, that fixes an ASLR/DEP problem on windows platforms (example Win 7/2008 x64). To find shared addr offset with ASLR, we have successfully used the same resp. similar solution on various open source projects (ex.: postgresql etc.). Also nginx

Allow more than one challenge - multiple authenticate response-header [rfc2616 sec14.47]

2015-04-29 Thread Sergey Brester
Hi, enclosed you will find an attached changeset, that allows more than one authentication challenge - multiple authenticate response-header [rfc2616 sec14.47]. Implemented for auth_request and http upstream (ex. backends). If you want to support it in your own authentication module, just

Re: nginx http-core enhancement: named location in subrequests + directive use_location

2015-04-29 Thread Sergey Brester
On 29.04.2015 15:48, Maxim Dounin wrote: Hello! On Wed, Apr 29, 2015 at 09:18:11AM +0200, Sergey Brester wrote: Hi, enclosed you will find an attached changeset, that: - allows to fast use of named location in sub requests, such as auth_request, etc. Currently no named location

Re: Fwd: Windows shmem fix: makes shared memory fully ASLR and DEP compliant (ea. cache zone, limit zone, etc.)

2015-04-27 Thread Sergey Brester
. ??? On 27.04.2015 03:25, Maxim Dounin wrote: Hello! On Fri, Apr 24, 2015 at 01:21:41AM +0200, Sergey Brester wrote: Hello, There are lots of style problems which need cleanup. The newer, nginx-style compliant version of changeset (shmem fix2.patch) was already posted to nginx-devel

Re: Fwd: Windows shmem fix: makes shared memory fully ASLR and DEP compliant (ea. cache zone, limit zone, etc.)

2015-04-27 Thread Sergey Brester
/2d549c958cf4fa53eeacec13b410946bbe053544 [3] -- On 27.04.2015 03:25, Maxim Dounin wrote: Hello! On Fri, Apr 24, 2015 at 01:21:41AM +0200, Sergey Brester wrote: Hello, There are lots of style problems which need cleanup. The newer, nginx-style compliant version of changeset (shmem fix2.patch) was already

Re: nginx http-core enhancement: named location in subrequests + directive use_location

2015-04-30 Thread Sergey Brester
On 30.04.2015 15:55, Maxim Dounin wrote: Hello! On Wed, Apr 29, 2015 at 07:22:51PM +0200, Sergey Brester wrote: [...] And how it's expected to be processed in a named location if r->uri is @...? Function ngx_http_core_find_named_location if location was found set r->loc_conf

execution of post_action each time breaks a keepalive connection to upstream

2015-05-07 Thread Sergey Brester
Hi all, I've found that use of post_action @named_post always (each time) closes an upstream connection (despite of keepalive). I've been using fastcgi in @named_post. I think it belongs somehow to r->header_only=1, because fastcgi request does not wait for end-request record from fastcgi, so

Re: New feature request: Docker files for Power platform (SLES, RHEL, Ubuntu)

2015-05-07 Thread Sergey Brester
Hi, It is a mercurial (hg) repo, for contribution to it please read here: http://nginx.org/en/docs/contributing_changes.html Short, it should be a changeset (created with hg export)... BTW: I don't know, will nginx developers want it, but if even not (and you have possibly a github

Re: execution of post_action each time breaks a keepalive connection to upstream

2015-05-07 Thread Sergey Brester
Hello! On Thu, May 07, 2015 at 12:51:33PM +0200, Sergey Brester wrote: Hi all, I've found that use of post_action @named_post always (each time) closes an upstream connection (despite of keepalive). In short: - post_action is a dirty hack and undocumented on purpose, avoid using

Re: execution of post_action each time breaks a keepalive connection to upstream

2015-05-07 Thread Sergey Brester
It was never documented, and will never be documented. Well, may be we'll add something like post_action: don't use it unless you understand what are you doing to let people know that this directive should not be used. It's a proper pity if that some day gets the chop :( Because I see no really

Re: Fwd: Windows shmem fix: makes shared memory fully ASLR and DEP compliant (ea. cache zone, limit zone, etc.)

2015-06-08 Thread Sergey Brester
Hi, Back to my wish to fix a problem with multiple workers under windows... Since we successfully implemented shared memory on windows, it may be used for proper sharing a socket descriptor for multiple workers. Possible scenario can be found in this MSDN-article:

Re: Fwd: Windows shmem fix: makes shared memory fully ASLR and DEP compliant (ea. cache zone, limit zone, etc.)

2015-06-09 Thread Sergey Brester
09.06.2015 15:43, Sergey Brester: 09.06.2015 14:44, Maxim Dounin: I don't see how CreateProcess() bInheritHandles affects handles created by worker processes. It is documented to only control whether inheritable handles will be inherited by a new process or not. Either way, worker processes

Re: Fix windows issue with multiple workers

2015-06-22 Thread Sergey Brester
Hi, enclosed you will find an amend fix as replacement to _sb-win-multi-worker-add-3.patch (just forgotten to save after renaming NGX_SINGLE_WORKER - NGX_CONF_UNSET_PTR, before it was committed). 18.06.2015 21:55, Maxim Dounin: As I already tried to explain, the approach with inherited

Re: Fix windows issue with multiple workers

2015-06-11 Thread Sergey Brester
Hi, I've forgotten to free the shmem, thus enclosed an amendment with clean-up, relative last changeset. Regards, sebres. 10.06.2015 21:48, Sergey Brester: Hi, enclosed you will find an attached changeset, that contains fix for windows issue with multiple workers (once listening

Fix windows issue with multiple workers

2015-06-10 Thread Sergey Brester
Hi, enclosed you will find an attached changeset, that contains fix for windows issue with multiple workers (once listening - only one made any work). If someone needs a git version of it: https://github.com/sebres/nginx/pull/1/files [1] Here [2] you may find a benchmark comparison for

Re: Fix windows issue with multiple workers

2015-06-12 Thread Sergey Brester
Hi, enclosed a further changeset with backwards compatibility to 1 worker processing (without inheritance as before fix), if single worker configured + a little bit code review. P.S. github updated also. Regards, sebres. 11.06.2015 15:03, Sergey Brester: Hi, I've forgotten

Re: Fix windows issue with multiple workers

2015-06-18 Thread Sergey Brester
). Please tell me your decision. Regards, sebres. On 17.06.2015 16:52, Maxim Dounin wrote: Hello! On Wed, Jun 17, 2015 at 04:01:17PM +0200, Sergey Brester wrote: Hmm, strange - almost same code, but it does not work... only first child can accept connections. Have you tried exactly the code

Re: Fix windows issue with multiple workers

2015-06-17 Thread Sergey Brester
the WSADuplicateSocket function. Regards, sebres. . On 17.06.2015 04:27, Maxim Dounin wrote: Hello! On Wed, Jun 10, 2015 at 09:48:28PM +0200, Sergey Brester wrote: [...] @Maxim Dounin: 1) your suggested way with shared handle and bInheritHandle does not work, because of: [quote] Sockets. No error

Re: Reply: problems when use fastcgi_pass to deliver request to backend

2015-05-29 Thread Sergey Brester
Hi, It's called fastcgi multiplexing and nginx currently does not implement that (and I don't know . There were already several discussions about that, so read here, please. [22] Short, very fast fastcgi processing may be implemented without multiplexing (should be event-driven also).

Re: Satisfy directive behaviour

2015-07-01 Thread Sergey Brester
Hi, Look at module auth_request (http://nginx.org/en/docs/http/ngx_http_auth_request_module.html). Good working solution at the moment is to use auth_request module together with some external auth-daemon. You can avoid many problems, e.g. with async/sync handling etc. Using that I have

Re: Making external http calls from nginx module

2015-08-04 Thread Sergey Brester
Hi, You can try to use `ngx_http_subrequest` (don't know how good it works for not an nginx location (or named location)). For example see some module used that (ex.: https://github.com/sebres/nginx/blob/hg-mirror/src/http/modules/ngx_http_auth_request_module.c#L189). You can also try to

RE: Tracking sent responses

2015-11-11 Thread Sergey Brester
developers say about this. But ... it is my decision about. In any case, I believe it is not very complex to create a similar functionality as (replacement) module, if "post_action" will be removed later from nginx standard bundle. > Regards, > > Julien Regards, Serg G.

Re: How does Nginx look-up cached resource?

2015-09-04 Thread Sergey Brester
On 04.09.2015 20:10, Maxim Dounin wrote: For sure this is something that can be done. The question remains though: how often collisions are observed in practice, is it make sense to do anything additional to protect from collisions and spend resources on it? Even considering only md5, without

Re: How does Nginx look-up cached resource?

2015-09-04 Thread Sergey Brester
On 04.09.2015 21:43, Maxim Dounin wrote: No one yet happened. And likely won't ever happen, as md5 is a good hash function 128 bits wide, and it took many years to find even a single collision of md5. You confuse good for "collision-search algorithms" with a good in the sense of the

Re: How does Nginx look-up cached resource?

2015-09-07 Thread Sergey Brester
I have tried - I give up (it makes no sense), I have a my own fork (to make everything right there). ___ nginx-devel mailing list nginx-devel@nginx.org http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: How does Nginx look-up cached resource?

2015-09-07 Thread Sergey Brester
On 06.09.2015 02:08, Maxim Dounin wrote: Well, not, I don't confuse anything. For sure, brute force attack on a 128 bit hash requires approximately 2^64 attempts. That is, a single nginx instance with 2^64 cached resources will likely show up a collision. But that's not a number of resources

Re: How does Nginx look-up cached resource?

2015-09-07 Thread Sergey Brester
On 08.09.2015 01:17, Gena Makhomed wrote: There is no obscurity here. Value of proxy_cache_key is known, hash function is known, nginx sources is open and available. If value of proxy_cache_key is known and attackers can generate it, what do you want to protect with some hash value? If

Re: How does Nginx look-up cached resource?

2015-09-07 Thread Sergey Brester
On 07.09.2015 21:29, Gena Makhomed wrote: Using MurmurHash is not good idea, because attacker can easy make collisions and invalidate popular entries from cache, and this technology can be used for DDoS attacks. (even in case if only one site exists on server with nginx cache) Using secure

Re: How does Nginx look-up cached resource?

2015-09-10 Thread Sergey Brester
The patch sounds not bad at all, but I would have also removed the calculation and verification of crc32... Makes no sense, if either way the keys would be compared.

Re: How does Nginx look-up cached resource?

2015-09-10 Thread Sergey Brester
/sebres/nginx/pull/2 [2] Below you can find a TCL-code to test strings (hex), that produce an md5 collision (with an example with one collision): https://github.com/sebres/misc/blob/tcl-test-hash-collision/tcl/hash-collision.tcl [3] Regards, sebres. On 10.09.2015 11:57, Sergey Brester wrote

Re: How does Nginx look-up cached resource?

2015-09-10 Thread Sergey Brester
On 10.09.2015 17:33, Maxim Dounin wrote: Hello! On Thu, Sep 10, 2015 at 05:07:36PM +0200, Sergey Brester wrote: Leave header format unchanged (I mean changes in header file 'src/http/ngx_http_cache.h'), but not calculate and not compare crc32 (unused / reserved up to "change cache h

Re: How does Nginx look-up cached resource?

2015-09-10 Thread Sergey Brester
On 10.09.2015 18:59, Maxim Dounin wrote: unexpected alerts are certainly a bad thing and shouldn't happen. But only in case of downgrade to prev version...

[BF] slab init + http file cache fixes

2016-06-15 Thread Sergey Brester
or the people using github - here is my PR as fix for all 3 issues (3 commits), merged in my mod-branch: https://github.com/sebres/nginx/pull/8 Regards, sebres ___ 14.06.2016 16:50, Sergey Brester wrote: Hi, enclosed you'll find a changeset with

Re: [BF] wrong value of cache max-size in workers

2016-06-15 Thread Sergey Brester
Thanks, looks like a valid win32-related problem. See below for comments about the patch. And why you come to this conclusion? As this is a win32-only problem, please clearly describe this in commit log. E.g., use "Win32: " prefix in the summary line. Please also describe that this is

Re: [module dev] PCRE compiled code lost at reload

2016-06-22 Thread Sergey Brester
A little bit off-topic, but which benefits you think, you will get using cross process compiled regexp? The compiling of regex is normally fast operation, that will be done only once (even jit), and can be done in each worker. What I cannot imagine, is the sharing of the result of regexp

Re: [BF] slab init + http file cache fixes

2016-06-16 Thread Sergey Brester
The NGX_HTTP_CACHE_SCARCE is intended to signal to the caller that min_uses was not yet reached, and that's why the request will not use cache. And that's the only case where NGX_HTTP_CACHE_SCARCE is used. Semantics of the error case you are trying to add here is quite different. This will be an

Re: Reading body during the REWRITE phase ?

2016-01-15 Thread Sergey Brester
Hi, It's normally no proper way to read a body within REWRITE phase (I think you mean body of something like POST request). The request body will be typically read resp. upstreamed first if location will be processed (after all of the phases, including a rewrite also). But you can use

Re: Authentication/access control module for reverse proxy NGINX

2017-02-22 Thread Sergey Brester
Hi, you can use "auth_request" (see http://nginx.org/en/docs/http/ngx_http_auth_request_module.html) that can take full authorization control you wanted, e. g. authorize via your own internal location to some backend (ruby, etc.), additionally you can use there all features nginx supported,

Re: Process http request before send it to the proxy

2017-05-02 Thread Sergey Brester
Hi, If you want parse/modify request data before you pass it to upstream, take a look at NGINX-UPLOAD-MODULE, that do it similar way you may need - reads request (POST/multipart), save file-data into temp-file(s), and rewrite arguments pointing to this new file(s). If you want rather to do

Re: Permanent structure to accumulate data

2018-02-09 Thread Sergey Brester
Unfortunately, the question is ambiguous. You can put it into the structure, you initialized `mycf = ngx_pcalloc(cf->pool, size)`, where cf is `ngx_conf_t *cf`, if you want to save it per location. Then you can get it in the handler, using `mycf = ngx_http_get_module_loc_conf(r,

Re: [nginx]empty gif

2018-07-19 Thread Sergey Brester
So you want something like? location = /healthcheck.gif { empty_gif; } And it does not work? 1. if you've installed nginx via distribution and your nginx version is larger as 1.9 (which supports dynamic modules), you can just install the modules via yum. If not, you should use nginx-extra

Re: Fwd: nginx.conf + Location + regular expression

2018-01-24 Thread Sergey Brester
Although you've used a wrong list for your question (this is development mailing list not a forum for howto's), but because I've ATM a free minute, here you go: You CANNOT use variables in nginx location [2] uri-pattern (no matter regexp or static URI), so the following code: ``` location

Re: Default log file locations

2019-06-27 Thread Sergey Brester
Hmm... From _The Linux Programming Interface: A Linux and UNIX System Programming Handbook_ [2]: Nonblocking mode can be used with devices (e.g., terminals and pseudoterminals), pipes, FIFOs, and sockets. (Because file descriptors for pipes and sockets are not obtained using open(), we

Re: Seg fault in http read event handler caused by rouge event call without context

2019-11-18 Thread Sergey Brester
Looks like [efd71d49bde0 [2]] could be indeed responsible for that: I see at least one state where rev->ready could remain 1 (after rev->available gets 0) e. g. deviation between blocks [efd71d49bde0#l10.8 [3]] and [efd71d49bde0#l11.8 [4]] where first did not reset rev->ready and for example

Re: nginx for Windows - WSASend() socket error 10057

2020-02-12 Thread Sergey Brester
It looks like your service defined in auth_http doesn't answer (or no listener on 127.0.0.1 port 9000?)... try netstat (in cmd as admin): netstat /nabo netstat /nabo | grep -A 1 ":9000b" and check whether the listener on port 9000 is bound to 127.0.0.1 (or it is 0.0.0.0 only?) and it is

Re: nginx for Windows - WSASend() socket error 10057

2020-02-26 Thread Sergey Brester
Yury > > - > > FROM: nginx-devel on behalf of Yury Shpakov > > SENT: Friday, February 14, 2020 6:08 PM > TO: Sergey Brester > CC: nginx-devel@nginx.org > SUBJECT: Re: nginx for Windows - WSASend() socket error 10057 > > So what is the mea

Re: nginx for Windows - WSASend() socket error 10057

2020-02-14 Thread Sergey Brester
127.0.0.2 Auth-Port: 143 > === === === > > However I'm still experiencing the same issue (in log file): > > === === === > 2020/02/13 16:29:24 [notice] 35048#26192: signal process started > > 2020/02/13 16:29:34 [error] 31732#22720: *1 WSASend() failed (10057: A > r

Re: nginx for Windows - WSASend() socket error 10057

2020-02-27 Thread Dipl. Ing. Sergey Brester
On 27.02.2020 12:47, Maxim Dounin wrote: > Further, I don't see what you are trying to debug here. As I see > from the messages in this thread, the issue was lack of IPv6 > listener while using an IPv6 address in auth_http, and it is > already resolved. Well, as for the initial issue -

Re: One last try - large long-running worker tasks

2020-11-10 Thread Dipl. Ing. Sergey Brester
You could do it similar proxy module is buffering the response, for instance see proxy_buffering [2] directive: _When buffering is enabled, nginx receives a response from the proxied server as soon as possible, saving it into the buffers set by the proxy_buffer_size [3] and proxy_buffers [4]

Re: Subrequest without returning to nginx

2021-05-04 Thread Dipl. Ing. Sergey Brester
mise and set a > callback), so it also returns to nginx to complete the subrequest. > > On 04/05/2021 16:32, Dipl. Ing. Sergey Brester wrote: > > Hi, > > see how the directive mirror [2] or post_action doing this. > > Also take a look at njs [3], how it can make a

Re: Subrequest without returning to nginx

2021-05-04 Thread Dipl. Ing. Sergey Brester
Hi, see how the directive mirror [2] or post_action doing this. Also take a look at njs [3], how it can make a detached subrequest. Regards, Serg. 04.05.2021 16:11, Alfred Sawaya wrote: > Hello, > > I am currently converting an Apache module to Nginx. This module uses > subrequests

"detach" upstream from request (or allow send from keepalive saved connection) / FastCGI multiplexing

2021-02-10 Thread Dipl. Ing. Sergey Brester
Hi, I have a question: how an upstream could be properly "detached" from request in case it gets closed by client? Some time ago I have implemented a FastCGI multiplexing for nginx, which would work pretty well, excepting the case if a request gets closed by client side. In such a case

Re: PCRE2 support?

2021-10-18 Thread Dipl. Ing. Sergey Brester
Just for the record (and probably to reopen this discussion again). https://github.com/PhilipHazel/pcre2/issues/26 [3] shows a heavy bug in PCRE library (it is not safe to use it anymore, at least without jit) as well as the statement of the PCRE developer regarding the end of life for PCRE.

Re: Unsubscribe from Nginx Project

2022-02-24 Thread Sergey Brester via nginx-devel
To unsubscribe send an email to nginx-devel-le...@nginx.org Sergey Brester --Stop the pathetic Hypocrisy 24.02.2022 13:51, Ranier Vilela wrote: > Hi, > > Please unsubscribe me from the Nginx mail list. > > Ranier Vilela &

Re: Special character # in url

2022-12-12 Thread Sergey Brester via nginx-devel
Hi, firstly please don't use nginx-devel for such questions, this is a developer mailing list and reserved for developers only purposes. Furthermore it is not nginx related question at all. The browsers handle #-chars as an internal jump to the anchor by ID of element on page, so nginx (or

Re: ngx_log_error, ngx_slprintf signal safe

2022-11-07 Thread Sergey Brester via nginx-devel
Hi, Function ngx_slprintf is conditionally async-signal safe (unless you'd use the same buffer, supplied as first argument, or free such buffer or some of the arguments in signal handler, because the function is not atomic and can be interrupted by a signal). However regarding the function

Re: announcing freenginx.org

2024-02-14 Thread Sergey Brester via nginx-devel
Hi Maxim, it is pity to hear such news... I have few comments and questions about, which I enclosed inline below... Regards, Serg. 14.02.2024 19:03, Maxim Dounin wrote: Hello! As you probably know, F5 closed Moscow office in 2022, and I no longer work for F5 since then. Still, we've

Precedence return directive and nested locations

2022-08-24 Thread Dipl. Ing. Sergey Brester via nginx-devel
Hi, it seems that the question of precedence of non-conditional _return_ directive vs nested _location_s is not really clear, or rather some constellations (like fallback) are impossible or else the configuration may look weird. For instance: server { server_name ...; location ~

Re: Precedence return directive and nested locations

2022-08-24 Thread Dipl. Ing. Sergey Brester via nginx-devel
OK, regarding the "fallback" location, this one can be used (empty - shortest match): location "" { return 444; } Regards, Serg. 24.08.2022 19:38, Sergey Brester via nginx-devel wrote: > Hi, > > it seems that the question of precedence of non-conditi

Re: [PATCH] fix weakness by logging of broken header by incorrect proxy protocol (IDS/IPS/LOG-analysis)

2022-09-28 Thread Dipl. Ing. Sergey Brester via nginx-devel
Sure, this was also my first intention. Just after all I thought the whole buffer could be better in order to provide a possibility to debug for someone searching for a bug. But there are another aids that would help, so indeed let it be so. As for the rest, well it is surely a subject of

[PATCH] fix weakness by logging of broken header by incorrect proxy protocol (IDS/IPS/LOG-analysis)

2022-09-26 Thread Dipl. Ing. Sergey Brester via nginx-devel
Hi, below is a patch to fix a weakness by logging of broken header by incorrect proxy protocol. If some service (IDS/IPS) analyzing or monitoring log-file, regularly formatted lines may be simply confused with lines written not escaped directly from buffer supplied from foreign source. Not

Re: Non blocking delay in header filters

2023-04-21 Thread Dipl. Ing. Sergey Brester via nginx-devel
Well, it is impossible if you'd use some memory blocks allocated by nginx within main request. The memory allocated inside the request is released on request end. An example how one can implement non-blocking delay can you see in https://github.com/openresty/echo-nginx-module#echo_sleep [2].

Re: Core: Avoid memcpy from NULL

2023-12-15 Thread Dipl. Ing. Sergey Brester via nginx-devel
Enclosed few thoughts to the subject: - since it is very rare situation that one needs only a memcpy without to know whether previous alloc may fail (e. g. some of pointers were NULL), me too thinks that the caller should be responsible for the check. So I would not extend ngx_memcpy or