[PATCH] Grammar fixes

[Ville Skyttä]

# HG changeset patch
# User Ville Skyttä 
# Date 1577258677 -7200
#  Wed Dec 25 09:24:37 2019 +0200
# Node ID f4b83914e4009fb9c528f0318287a76aa0c7326f
# Parent  e99e9b0a8c51d59c7ee665489949d8556565adff
Grammar fixes.

diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -14571,7 +14571,7 @@
 
 
 a segmentation fault might occur in worker process,
-if an "debug_connection" directive was used;
+if a "debug_connection" directive was used;
 the bug had appeared in 0.7.54.
 
 
@@ -15333,7 +15333,7 @@
 теперь возвращается ошибка 403 вместо 500.
 
 
-now if a file specified in a "auth_basic_user_file" directive is absent,
+now if a file specified in an "auth_basic_user_file" directive is absent,
 then the 403 error is returned instead of the 500 one.
 
 
@@ -15990,7 +15990,7 @@
 теперь директива add_header не добавляет пустое значение.
 
 
-now a "add_header" directive does not add an empty value.
+now an "add_header" directive does not add an empty value.
 
 
 
@@ -17769,7 +17769,7 @@
 
 
 a segmentation fault occurred in worker process,
-if big value was used in a "expires" directive.
+if big value was used in an "expires" directive.
 Thanks to Joaquin Cuenca Abela.
 
 
@@ -18443,7 +18443,7 @@
 ошибка появилась в 0.6.11.
 
 
-if the "?" character was in a "error_page" directive, then it was escaped
+if the "?" character was in an "error_page" directive, then it was escape
 in a proxied request;
 the bug had appeared in 0.6.11.
 
@@ -20715,7 +20715,7 @@
 директива post_action могла не работать после неудачного завершения запроса.
 
 
-the "post_action" directive might not run after a unsuccessful completion
+the "post_action" directive might not run after an unsuccessful completion
 of a request.
 
 
diff --git a/src/core/ngx_string.c b/src/core/ngx_string.c
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@@ -519,7 +519,7 @@
  * The glibc counterpart is about 150 lines of the code.
  *
  * For 32-bit numbers and some divisors gcc and icc use
- * a inlined multiplication and shifts.  For example,
+ * inlined multiplication and shifts.  For example,
  * unsigned "i32 / 10" is compiled to
  *
  * (i32 * 0xCCCD) >> 35
diff --git a/src/event/modules/ngx_devpoll_module.c 
b/src/event/modules/ngx_devpoll_module.c
--- a/src/event/modules/ngx_devpoll_module.c
+++ b/src/event/modules/ngx_devpoll_module.c
@@ -88,8 +88,8 @@
 ngx_devpoll_del_event, /* delete an event */
 ngx_devpoll_add_event, /* enable an event */
 ngx_devpoll_del_event, /* disable an event */
-NULL,  /* add an connection */
-NULL,  /* delete an connection */
+NULL,  /* add a connection */
+NULL,  /* delete a connection */
 NULL,  /* trigger a notify */
 ngx_devpoll_process_events,/* process the events */
 ngx_devpoll_init,  /* init the events */
diff --git a/src/event/modules/ngx_epoll_module.c 
b/src/event/modules/ngx_epoll_module.c
--- a/src/event/modules/ngx_epoll_module.c
+++ b/src/event/modules/ngx_epoll_module.c
@@ -186,8 +186,8 @@
 ngx_epoll_del_event, /* delete an event */
 ngx_epoll_add_event, /* enable an event */
 ngx_epoll_del_event, /* disable an event */
-ngx_epoll_add_connection,/* add an connection */
-ngx_epoll_del_connection,/* delete an connection */
+ngx_epoll_add_connection,/* add a connection */
+ngx_epoll_del_connection,/* delete a connection */
 #if (NGX_HAVE_EVENTFD)
 ngx_epoll_notify,/* trigger a notify */
 #else
diff --git a/src/event/modules/ngx_eventport_module.c 
b/src/event/modules/ngx_eventport_module.c
--- a/src/event/modules/ngx_eventport_module.c
+++ b/src/event/modules/ngx_eventport_module.c
@@ -181,8 +181,8 @@
 ngx_eventport_del_event,   /* delete an event */
 ngx_eventport_add_event,   /* enable an event */
 ngx_eventport_del_event,   /* disable an event */
-NULL,  /* add an connection */
-NULL,  /* delete an connection */
+NULL,  /* add a connection */
+NULL,  /* delete a connection */
 ngx_eventport_notify,  /* trigger a notify */
 ngx_eventport_process_events,  /* process the events */
 ngx_eventport_init,/* init the events */
diff --git a/src/event/modules/ngx_iocp_module.c 
b/src/event/modules/ngx_iocp_module.c
--- a/src/event/modules/ngx_iocp_module.c

Re: nginx - get value of the header - x_forwarded_for in Nginx module (Naxsi)

[Marcin Kozlowski]

Thanks.

Works. For the reference, this is the code I used:

  ngx_uint_t n;
  ngx_table_elt_t **h;
  ngx_array_t a;
  a = req->headers_in.x_forwarded_for;
  n = a.nelts;
  h = a.elts;


  for (i = 0; iconnection->log,
  0, "x_forwarded_for: %s", h[i]->value.data);
  }

BTW What would be the best practice in NGINX NASIX module or any other
module to load a file with hundreds entries of IPs (hashmap, or what
structure would be best?) which should be whitelisted later for comparison
in NASIX module logic. Those IP should never be blocked by NAXSI.

When should I load this file in memory, in which component
/module/function/step?

Links to some guides/sample code would be also appreciated.

Thanks,


On Tue, Dec 24, 2019 at 10:37 AM Ruslan Ermilov  wrote:

> On Mon, Dec 23, 2019 at 11:04:43PM +0100, Marcin Kozlowski wrote:
> > Hi List,
> >
> > How to get x_forwarded_for sent in the request in NGINX module (NAXSI in
> > particular):
> >
> > My attempt:
> >
> > ngx_log_error(NGX_LOG_ERR, req->connection->log,
> >   0, "test %s", (char
> *)req->headers_in.x_forwarded_for.elts);
> >
> > The bigger problem I am trying to solve with NAXSI is this:
> >
> >
> https://stackoverflow.com/questions/59453729/naxsi-blacklist-and-whitelist-setup-with-nginx
> >
> > I want to simply create a map and check if X-forwarded-for is on the
> > whitelist and if yes, always allow it.
> >
> > Above does not work. Prints garabge. Why it is (void *) ???
> >
> > Debugging it:
> >
> > $1 = (ngx_http_request_t *) 0xa44df0
> > (gdb) p req->headers_
> > headers_in   headers_out
> > (gdb) p req->headers_in
> > $2 = {headers = {last = 0xa44e60, part = {elts = 0xad4d10, nelts = 7,
> next
> > = 0x0}, size = 48, nalloc = 20,
> > pool = 0xa44da0}, host = 0xad4d10, connection = 0x0,
> if_modified_since
> > = 0x0, if_unmodified_since = 0x0,
> >   if_match = 0x0, if_none_match = 0x0, user_agent = 0xad4d70, referer =
> > 0x0, content_length = 0x0,
> >   content_range = 0x0, content_type = 0x0, range = 0x0, if_range = 0x0,
> > transfer_encoding = 0x0, te = 0x0,
> >   expect = 0x0, upgrade = 0x0, accept_encoding = 0x0, via = 0x0,
> > authorization = 0x0, keep_alive = 0x0,
> >   x_forwarded_for = {elts = 0xa45b98, nelts = 1, size = 8, nalloc = 1,
> pool
> > = 0xa44da0}, x_real_ip = 0x0, user = {
> > len = 0, data = 0x0}, passwd = {len = 0, data = 0x0}, cookies =
> {elts =
> > 0x0, nelts = 0, size = 0, nalloc = 0,
> > pool = 0x0}, server = {len = 32, data = 0xa449a9 "domain.com"},
> > content_length_n = -1,
> >   keep_alive_n = -1, connection_type = 2, chunked = 0, msie = 0, msie6 =
> 0,
> > opera = 0, gecko = 0, chrome = 0,
> >   safari = 0, konqueror = 0}
> > (gdb) p req->headers_in.x_forwarded_for
> > $3 = {elts = 0xa45b98, nelts = 1, size = 8, nalloc = 1, pool = 0xa44da0}
> > (gdb) p req->headers_in.x_forwarded_for .elts
> > $4 = (void *) 0xa45b98
> > (gdb) p req->headers_in.x_forwarded_for.elts
> > $5 = (void *) 0xa45b98
> >
> > What structure is this? Linked List? Why the elts point to garbage, when
> I
> > know the Loadbalancer added the X-Forwarded-for header with value.
>
> It's an array of type ngx_table_elt_t, the number of elements is
> in "nelts".  Please see the handler for the $http_x_forwarded_for
> variable in the ngx_http_variables.c on how to work with it.
> ___
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: Fwd: 1.17.5 regression

[Maxim Dounin]

Hello!

On Tue, Dec 24, 2019 at 08:59:46AM -0800, Maksim Yevmenkin wrote:

> > Just to make sure it's known: the patch above was committed after
> > internal review/testing, and it is available as part of the 1.17.7
> > release.
> 
> would it be possible to publish 1.17.7 to  https://github.com/nginx/nginx.git 
> ?

Official repository is at hg.nginx.org/nginx, consider using it 
instead.  Github mirror likely will be fixed as well at some 
point, though no ETA.

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: Fwd: 1.17.5 regression

[Maksim Yevmenkin]

hello!

> Just to make sure it's known: the patch above was committed after
> internal review/testing, and it is available as part of the 1.17.7
> release.

would it be possible to publish 1.17.7 to  https://github.com/nginx/nginx.git ?

thanks!
max
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: Fwd: 1.17.5 regression

[Gábor Boskovits]

Maxim Dounin  ezt írta (időpont: 2019. dec. 24., K, 17:46):
>
> Hello!
>
> On Tue, Dec 24, 2019 at 04:45:20PM +0100, Gábor Boskovits wrote:
>
> > Maxim Dounin  ezt írta (időpont: 2019. dec. 23., H, 
> > 20:28):
> > >
> > > Hello!
> > >
> > > On Wed, Dec 18, 2019 at 08:24:25PM +0300, Maxim Dounin wrote:
> > >
> > > > On Mon, Dec 16, 2019 at 03:02:37PM +0100, Gábor Boskovits wrote:
> > > >
> > > > > On berlin.guix.gnu.org we observed a regression upon upgrading nginx
> > > > > to 1.17.5. The problem was, when pipelining request to a proxy using
> > > > > tls, we suddenly started to get 408 client timeouts, manifesting in
> > > > > dropped connections. Currently we worked around the issue by
> > > > > downgrading to 1.17.4. I have collected some information about the
> > > > > problem here:
> > > > > https://gitlab.com/g_bor/fix-nginx-tls
> > > > > It contains the logs from the good and the bad version, a full nginx
> > > > > config, some info about how nginx was built. I managed to bisect the
> > > > > problem down to changeset 9d2ad2fb4423, which introduced the problem.
> > > > > Any help in further debuggin this would be greatly appreciated.
> > > >
> > > > Thanks for the report, it indeed looks like a bug introduced
> > > > in 9d2ad2fb4423.
> > > >
> > > > The problem is that c->read->handler is overwritted when switching
> > > > to the next pipelined request, ngx_ssl_next_read_handler() is not
> > > > called, and c->read->ready remains not set.  I'll take a look how
> > > > to fix it properly.
> > >
> > > Please try the following patch:
> > >
> > > # HG changeset patch
> > > # User Maxim Dounin 
> > > # Date 1577129029 -10800
> > > #  Mon Dec 23 22:23:49 2019 +0300
> > > # Node ID c2dc6bfd2a0bce28618ef96b87fbdb63c6010575
> > > # Parent  8e64e11aaca02d50649cd2d9b448508f5b268062
> > > SSL: reworked posted next events.
> > >
> > > Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
> > > on connection read handler being overwritten to set the ready flag
> > > and the amount of available bytes.  This approach is, however, does
> > > not work properly when connection read handler is changed, for example,
> > > when switching to a next pipelined request, and can result in unexpected
> > > connection timeouts, see here:
> > >
> > > http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html
> > >
> > > Fix is to introduce ngx_event_process_posted_next() instead, which
> > > will set ready and available regardless of how event handler is set.
>
> [...]
>
> > Thanks for having a  look at this. I will coordinate with others as
> > when can we schedule a service restart.
> > I will report back with the results soon.
> >
> > I wish you a merry christmas, and thanks for the great work all around the 
> > year!
>
> Just to make sure it's known: the patch above was committed after
> internal review/testing, and it is available as part of the 1.17.7
> release.

Thanks very much for the info.

>
> Merry Christmas!
>
> --
> Maxim Dounin
> http://mdounin.ru/
> ___
> nginx-devel mailing list
> nginx-devel@nginx.org
> http://mailman.nginx.org/mailman/listinfo/nginx-devel


Best regards,
g_bor
-- 
OpenPGP Key Fingerprint: 7988:3B9F:7D6A:4DBF:3719:0367:2506:A96C:CF63:0B21
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: Fwd: 1.17.5 regression

[Maxim Dounin]

Hello!

On Tue, Dec 24, 2019 at 04:45:20PM +0100, Gábor Boskovits wrote:

> Maxim Dounin  ezt írta (időpont: 2019. dec. 23., H, 
> 20:28):
> >
> > Hello!
> >
> > On Wed, Dec 18, 2019 at 08:24:25PM +0300, Maxim Dounin wrote:
> >
> > > On Mon, Dec 16, 2019 at 03:02:37PM +0100, Gábor Boskovits wrote:
> > >
> > > > On berlin.guix.gnu.org we observed a regression upon upgrading nginx
> > > > to 1.17.5. The problem was, when pipelining request to a proxy using
> > > > tls, we suddenly started to get 408 client timeouts, manifesting in
> > > > dropped connections. Currently we worked around the issue by
> > > > downgrading to 1.17.4. I have collected some information about the
> > > > problem here:
> > > > https://gitlab.com/g_bor/fix-nginx-tls
> > > > It contains the logs from the good and the bad version, a full nginx
> > > > config, some info about how nginx was built. I managed to bisect the
> > > > problem down to changeset 9d2ad2fb4423, which introduced the problem.
> > > > Any help in further debuggin this would be greatly appreciated.
> > >
> > > Thanks for the report, it indeed looks like a bug introduced
> > > in 9d2ad2fb4423.
> > >
> > > The problem is that c->read->handler is overwritted when switching
> > > to the next pipelined request, ngx_ssl_next_read_handler() is not
> > > called, and c->read->ready remains not set.  I'll take a look how
> > > to fix it properly.
> >
> > Please try the following patch:
> >
> > # HG changeset patch
> > # User Maxim Dounin 
> > # Date 1577129029 -10800
> > #  Mon Dec 23 22:23:49 2019 +0300
> > # Node ID c2dc6bfd2a0bce28618ef96b87fbdb63c6010575
> > # Parent  8e64e11aaca02d50649cd2d9b448508f5b268062
> > SSL: reworked posted next events.
> >
> > Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
> > on connection read handler being overwritten to set the ready flag
> > and the amount of available bytes.  This approach is, however, does
> > not work properly when connection read handler is changed, for example,
> > when switching to a next pipelined request, and can result in unexpected
> > connection timeouts, see here:
> >
> > http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html
> >
> > Fix is to introduce ngx_event_process_posted_next() instead, which
> > will set ready and available regardless of how event handler is set.

[...]

> Thanks for having a  look at this. I will coordinate with others as
> when can we schedule a service restart.
> I will report back with the results soon.
> 
> I wish you a merry christmas, and thanks for the great work all around the 
> year!

Just to make sure it's known: the patch above was committed after 
internal review/testing, and it is available as part of the 1.17.7 
release.

Merry Christmas!

-- 
Maxim Dounin
http://mdounin.ru/
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

Re: Fwd: 1.17.5 regression

[Gábor Boskovits]

Hello Maxim,

Maxim Dounin  ezt írta (időpont: 2019. dec. 23., H, 20:28):
>
> Hello!
>
> On Wed, Dec 18, 2019 at 08:24:25PM +0300, Maxim Dounin wrote:
>
> > On Mon, Dec 16, 2019 at 03:02:37PM +0100, Gábor Boskovits wrote:
> >
> > > On berlin.guix.gnu.org we observed a regression upon upgrading nginx
> > > to 1.17.5. The problem was, when pipelining request to a proxy using
> > > tls, we suddenly started to get 408 client timeouts, manifesting in
> > > dropped connections. Currently we worked around the issue by
> > > downgrading to 1.17.4. I have collected some information about the
> > > problem here:
> > > https://gitlab.com/g_bor/fix-nginx-tls
> > > It contains the logs from the good and the bad version, a full nginx
> > > config, some info about how nginx was built. I managed to bisect the
> > > problem down to changeset 9d2ad2fb4423, which introduced the problem.
> > > Any help in further debuggin this would be greatly appreciated.
> >
> > Thanks for the report, it indeed looks like a bug introduced
> > in 9d2ad2fb4423.
> >
> > The problem is that c->read->handler is overwritted when switching
> > to the next pipelined request, ngx_ssl_next_read_handler() is not
> > called, and c->read->ready remains not set.  I'll take a look how
> > to fix it properly.
>
> Please try the following patch:
>
> # HG changeset patch
> # User Maxim Dounin 
> # Date 1577129029 -10800
> #  Mon Dec 23 22:23:49 2019 +0300
> # Node ID c2dc6bfd2a0bce28618ef96b87fbdb63c6010575
> # Parent  8e64e11aaca02d50649cd2d9b448508f5b268062
> SSL: reworked posted next events.
>
> Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
> on connection read handler being overwritten to set the ready flag
> and the amount of available bytes.  This approach is, however, does
> not work properly when connection read handler is changed, for example,
> when switching to a next pipelined request, and can result in unexpected
> connection timeouts, see here:
>
> http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html
>
> Fix is to introduce ngx_event_process_posted_next() instead, which
> will set ready and available regardless of how event handler is set.
>
> diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
> --- a/src/event/ngx_event.c
> +++ b/src/event/ngx_event.c
> @@ -238,8 +238,6 @@ ngx_process_events_and_timers(ngx_cycle_
>  }
>
>  if (!ngx_queue_empty(_posted_next_events)) {
> -ngx_queue_add(_posted_events, _posted_next_events);
> -ngx_queue_init(_posted_next_events);
>  timer = 0;
>  }
>
> @@ -263,6 +261,7 @@ ngx_process_events_and_timers(ngx_cycle_
>  }
>
>  ngx_event_process_posted(cycle, _posted_events);
> +ngx_event_process_posted_next(cycle, _posted_next_events);
>  }
>
>
> diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
> --- a/src/event/ngx_event_openssl.c
> +++ b/src/event/ngx_event_openssl.c
> @@ -43,7 +43,6 @@ static ssize_t ngx_ssl_recv_early(ngx_co
>  #endif
>  static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
>  static void ngx_ssl_write_handler(ngx_event_t *wev);
> -static void ngx_ssl_next_read_handler(ngx_event_t *rev);
>  #ifdef SSL_READ_EARLY_DATA_SUCCESS
>  static ssize_t ngx_ssl_write_early(ngx_connection_t *c, u_char *data,
>  size_t size);
> @@ -2018,11 +2017,6 @@ ngx_ssl_recv(ngx_connection_t *c, u_char
>  c->read->available = 0;
>  c->read->ready = 0;
>
> -if (c->ssl->next_read_handler == NULL) {
> -c->ssl->next_read_handler = c->read->handler;
> -c->read->handler = ngx_ssl_next_read_handler;
> -}
> -
>  ngx_post_event(c->read, _posted_next_events);
>  }
>
> @@ -2328,31 +2322,6 @@ ngx_ssl_write_handler(ngx_event_t *wev)
>  }
>
>
> -static void
> -ngx_ssl_next_read_handler(ngx_event_t *rev)
> -{
> -ngx_connection_t  *c;
> -
> -c = rev->data;
> -
> -ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL next read handler");
> -
> -rev->handler = c->ssl->next_read_handler;
> -c->ssl->next_read_handler = NULL;
> -
> -if (!rev->ready) {
> -rev->ready = 1;
> -rev->available = -1;
> -}
> -
> -if (rev->posted) {
> -ngx_delete_posted_event(rev);
> -}
> -
> -rev->handler(rev);
> -}
> -
> -
>  /*
>   * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
>   * before the SSL_write() call to decrease a SSL overhead.
> diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
> --- a/src/event/ngx_event_openssl.h
> +++ b/src/event/ngx_event_openssl.h
> @@ -86,7 +86,6 @@ struct ngx_ssl_connection_s {
>
>  ngx_event_handler_ptsaved_read_handler;
>  ngx_event_handler_ptsaved_write_handler;
> -ngx_event_handler_ptnext_read_handler;
>
>  u_char  

[nginx] nginx-1.17.7-RELEASE

[Maxim Dounin]

details:   https://hg.nginx.org/nginx/rev/e56295fe0ea7
branches:  
changeset: 7613:e56295fe0ea7
user:  Maxim Dounin 
date:  Tue Dec 24 18:00:09 2019 +0300
description:
nginx-1.17.7-RELEASE

diffstat:

 docs/xml/nginx/changes.xml |  84 ++
 1 files changed, 84 insertions(+), 0 deletions(-)

diffs (94 lines):

diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -5,6 +5,90 @@
 
 
 
+
+
+
+
+на старте или во время переконфигурации мог произойти segmentation fault,
+если в конфигурации использовалась
+директива rewrite с пустой строкой замены.
+
+
+a segmentation fault might occur on start or during reconfiguration
+if the "rewrite" directive with an empty replacement string
+was used in the configuration.
+
+
+
+
+
+в рабочем процессе мог произойти segmentation fault,
+если директива break использовалась совместно с директивой alias
+или директивой proxy_pass с URI.
+
+
+a segmentation fault might occur in a worker process 
+if the "break" directive was used with the "alias" directive
+or with the "proxy_pass" directive with a URI.
+
+
+
+
+
+строка Location заголовка ответа могла содержать мусор,
+если URI запроса был изменён на URI, содержащий нулевой символ.
+
+
+the "Location" response header line might contain garbage
+if the request URI was rewritten to the one containing a null character.
+
+
+
+
+
+при возврате перенаправлений с помощью директивы error_page
+запросы с телом обрабатывались некорректно;
+ошибка появилась в 0.7.12.
+
+
+requests with bodies were handled incorrectly
+when returning redirections with the "error_page" directive;
+the bug had appeared in 0.7.12.
+
+
+
+
+
+утечки сокетов при использовании HTTP/2.
+
+
+socket leak when using HTTP/2.
+
+
+
+
+
+при обработке pipelined-запросов по SSL-соединению мог произойти таймаут;
+ошибка появилась в 1.17.5.
+
+
+a timeout might occur while handling pipelined requests in an SSL connection;
+the bug had appeared in 1.17.5.
+
+
+
+
+
+в модуле ngx_http_dav_module.
+
+
+in the ngx_http_dav_module.
+
+
+
+
+
+
 
 
 
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] release-1.17.7 tag

[Maxim Dounin]

details:   https://hg.nginx.org/nginx/rev/e99e9b0a8c51
branches:  
changeset: 7614:e99e9b0a8c51
user:  Maxim Dounin 
date:  Tue Dec 24 18:00:09 2019 +0300
description:
release-1.17.7 tag

diffstat:

 .hgtags |  1 +
 1 files changed, 1 insertions(+), 0 deletions(-)

diffs (8 lines):

diff --git a/.hgtags b/.hgtags
--- a/.hgtags
+++ b/.hgtags
@@ -445,3 +445,4 @@ ed4303aa1b31a9aad5440640c0840d9d0af45fed
 ce2ced3856909f36f8130c99eaa4dbdbae636ddc release-1.17.4
 9af0dddbddb2c368bfedd2801bc100ffad01e19b release-1.17.5
 de68d0d94320cbf033599c6f3ca37e5335c67fd7 release-1.17.6
+e56295fe0ea76bf53b06bffa77a2d3a9a335cb8c release-1.17.7
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel

[nginx] SSL: reworked posted next events.

[Maxim Dounin]

details:   https://hg.nginx.org/nginx/rev/1ce3f01a4355
branches:  
changeset: 7612:1ce3f01a4355
user:  Maxim Dounin 
date:  Tue Dec 24 17:24:59 2019 +0300
description:
SSL: reworked posted next events.

Introduced in 9d2ad2fb4423 available bytes handling in SSL relied
on connection read handler being overwritten to set the ready flag
and the amount of available bytes.  This approach is, however, does
not work properly when connection read handler is changed, for example,
when switching to a next pipelined request, and can result in unexpected
connection timeouts, see here:

http://mailman.nginx.org/pipermail/nginx-devel/2019-December/012825.html

Fix is to introduce ngx_event_process_posted_next() instead, which
will set ready and available regardless of how event handler is set.

diffstat:

 src/event/ngx_event.c |   3 +--
 src/event/ngx_event_openssl.c |  31 ---
 src/event/ngx_event_openssl.h |   1 -
 src/event/ngx_event_posted.c  |  26 ++
 src/event/ngx_event_posted.h  |   1 +
 5 files changed, 28 insertions(+), 34 deletions(-)

diffs (130 lines):

diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
--- a/src/event/ngx_event.c
+++ b/src/event/ngx_event.c
@@ -238,8 +238,6 @@ ngx_process_events_and_timers(ngx_cycle_
 }
 
 if (!ngx_queue_empty(_posted_next_events)) {
-ngx_queue_add(_posted_events, _posted_next_events);
-ngx_queue_init(_posted_next_events);
 timer = 0;
 }
 
@@ -263,6 +261,7 @@ ngx_process_events_and_timers(ngx_cycle_
 }
 
 ngx_event_process_posted(cycle, _posted_events);
+ngx_event_process_posted_next(cycle, _posted_next_events);
 }
 
 
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -43,7 +43,6 @@ static ssize_t ngx_ssl_recv_early(ngx_co
 #endif
 static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
 static void ngx_ssl_write_handler(ngx_event_t *wev);
-static void ngx_ssl_next_read_handler(ngx_event_t *rev);
 #ifdef SSL_READ_EARLY_DATA_SUCCESS
 static ssize_t ngx_ssl_write_early(ngx_connection_t *c, u_char *data,
 size_t size);
@@ -2018,11 +2017,6 @@ ngx_ssl_recv(ngx_connection_t *c, u_char
 c->read->available = 0;
 c->read->ready = 0;
 
-if (c->ssl->next_read_handler == NULL) {
-c->ssl->next_read_handler = c->read->handler;
-c->read->handler = ngx_ssl_next_read_handler;
-}
-
 ngx_post_event(c->read, _posted_next_events);
 }
 
@@ -2328,31 +2322,6 @@ ngx_ssl_write_handler(ngx_event_t *wev)
 }
 
 
-static void
-ngx_ssl_next_read_handler(ngx_event_t *rev)
-{
-ngx_connection_t  *c;
-
-c = rev->data;
-
-ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL next read handler");
-
-rev->handler = c->ssl->next_read_handler;
-c->ssl->next_read_handler = NULL;
-
-if (!rev->ready) {
-rev->ready = 1;
-rev->available = -1;
-}
-
-if (rev->posted) {
-ngx_delete_posted_event(rev);
-}
-
-rev->handler(rev);
-}
-
-
 /*
  * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer
  * before the SSL_write() call to decrease a SSL overhead.
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -86,7 +86,6 @@ struct ngx_ssl_connection_s {
 
 ngx_event_handler_ptsaved_read_handler;
 ngx_event_handler_ptsaved_write_handler;
-ngx_event_handler_ptnext_read_handler;
 
 u_char  early_buf;
 
diff --git a/src/event/ngx_event_posted.c b/src/event/ngx_event_posted.c
--- a/src/event/ngx_event_posted.c
+++ b/src/event/ngx_event_posted.c
@@ -34,3 +34,29 @@ ngx_event_process_posted(ngx_cycle_t *cy
 ev->handler(ev);
 }
 }
+
+
+void
+ngx_event_process_posted_next(ngx_cycle_t *cycle, ngx_queue_t *posted)
+{
+ngx_queue_t  *q;
+ngx_event_t  *ev;
+
+while (!ngx_queue_empty(posted)) {
+
+q = ngx_queue_head(posted);
+ev = ngx_queue_data(q, ngx_event_t, queue);
+
+ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0,
+  "posted next event %p", ev);
+
+ngx_delete_posted_event(ev);
+
+if (!ev->ready) {
+ev->ready = 1;
+ev->available = -1;
+}
+
+ev->handler(ev);
+}
+}
diff --git a/src/event/ngx_event_posted.h b/src/event/ngx_event_posted.h
--- a/src/event/ngx_event_posted.h
+++ b/src/event/ngx_event_posted.h
@@ -39,6 +39,7 @@
 
 
 void ngx_event_process_posted(ngx_cycle_t *cycle, ngx_queue_t *posted);
+void ngx_event_process_posted_next(ngx_cycle_t *cycle, ngx_queue_t *posted);
 
 
 extern ngx_queue_t  ngx_posted_accept_events;

Re: nginx - get value of the header - x_forwarded_for in Nginx module (Naxsi)

[Ruslan Ermilov]

On Mon, Dec 23, 2019 at 11:04:43PM +0100, Marcin Kozlowski wrote:
> Hi List,
> 
> How to get x_forwarded_for sent in the request in NGINX module (NAXSI in
> particular):
> 
> My attempt:
> 
> ngx_log_error(NGX_LOG_ERR, req->connection->log,
>   0, "test %s", (char *)req->headers_in.x_forwarded_for.elts);
> 
> The bigger problem I am trying to solve with NAXSI is this:
> 
> https://stackoverflow.com/questions/59453729/naxsi-blacklist-and-whitelist-setup-with-nginx
> 
> I want to simply create a map and check if X-forwarded-for is on the
> whitelist and if yes, always allow it.
> 
> Above does not work. Prints garabge. Why it is (void *) ???
> 
> Debugging it:
> 
> $1 = (ngx_http_request_t *) 0xa44df0
> (gdb) p req->headers_
> headers_in   headers_out
> (gdb) p req->headers_in
> $2 = {headers = {last = 0xa44e60, part = {elts = 0xad4d10, nelts = 7, next
> = 0x0}, size = 48, nalloc = 20,
> pool = 0xa44da0}, host = 0xad4d10, connection = 0x0, if_modified_since
> = 0x0, if_unmodified_since = 0x0,
>   if_match = 0x0, if_none_match = 0x0, user_agent = 0xad4d70, referer =
> 0x0, content_length = 0x0,
>   content_range = 0x0, content_type = 0x0, range = 0x0, if_range = 0x0,
> transfer_encoding = 0x0, te = 0x0,
>   expect = 0x0, upgrade = 0x0, accept_encoding = 0x0, via = 0x0,
> authorization = 0x0, keep_alive = 0x0,
>   x_forwarded_for = {elts = 0xa45b98, nelts = 1, size = 8, nalloc = 1, pool
> = 0xa44da0}, x_real_ip = 0x0, user = {
> len = 0, data = 0x0}, passwd = {len = 0, data = 0x0}, cookies = {elts =
> 0x0, nelts = 0, size = 0, nalloc = 0,
> pool = 0x0}, server = {len = 32, data = 0xa449a9 "domain.com"},
> content_length_n = -1,
>   keep_alive_n = -1, connection_type = 2, chunked = 0, msie = 0, msie6 = 0,
> opera = 0, gecko = 0, chrome = 0,
>   safari = 0, konqueror = 0}
> (gdb) p req->headers_in.x_forwarded_for
> $3 = {elts = 0xa45b98, nelts = 1, size = 8, nalloc = 1, pool = 0xa44da0}
> (gdb) p req->headers_in.x_forwarded_for .elts
> $4 = (void *) 0xa45b98
> (gdb) p req->headers_in.x_forwarded_for.elts
> $5 = (void *) 0xa45b98
> 
> What structure is this? Linked List? Why the elts point to garbage, when I
> know the Loadbalancer added the X-Forwarded-for header with value.

It's an array of type ngx_table_elt_t, the number of elements is
in "nelts".  Please see the handler for the $http_x_forwarded_for
variable in the ngx_http_variables.c on how to work with it.
___
nginx-devel mailing list
nginx-devel@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx-devel