diff --git a/.hgtags b/.hgtags
index 8e059a3..0f43222 100644
--- a/.hgtags
+++ b/.hgtags
@@ -433,3 +433,4 @@
 f062e43d74fc2578bb100a9e82a953efa1eb9e4e release-1.15.5
 2351853ce6867b6166823bdf94333c0a76633c0a release-1.15.6
 051a039ce1c7e09144de4a4846669ec7116cecea release-1.15.7
+ee551e3f6dba336c0d875e266d7d55385f379b42 release-1.15.8
diff --git a/BUILD b/BUILD
index e572e13..c99aa32 100644
--- a/BUILD
+++ b/BUILD
@@ -1518,6 +1518,7 @@
     conflicts = [
         "nginx",
         "nginx-common",
+        "nginx-core",
         "endpoints-server-proxy",
     ],
     data = ":nginx-google-data.tar.gz",
@@ -1535,5 +1536,5 @@
     preinst = "@nginx_pkgoss//:debian_preinst",
     prerm = "@nginx_pkgoss//:debian_prerm",
     section = "httpd",
-    version = "1.15.7",
+    version = "1.15.8",
 )
diff --git a/build.bzl b/build.bzl
index 7e5ea28..b91b2b1 100644
--- a/build.bzl
+++ b/build.bzl
@@ -663,7 +663,7 @@
         name = "nginx_pkgoss",
         build_file_content = _PKGOSS_BUILD_FILE.format(nginx = nginx) +
                              _PKGOSS_BUILD_FILE_TAIL,
-        commit = "a0a043cd5bc6ce17124507e4a6241be72c7eaeaa",  # nginx-1.15.7
+        commit = "2456bf617acaa11b06c11481082797909b300f45",  # nginx-1.15.8
         remote = "https://nginx.googlesource.com/nginx-pkgoss",
     )
 
diff --git a/contrib/vim/syntax/nginx.vim b/contrib/vim/syntax/nginx.vim
index 075b19a..6bee7a2 100644
--- a/contrib/vim/syntax/nginx.vim
+++ b/contrib/vim/syntax/nginx.vim
@@ -108,6 +108,7 @@
 syn keyword ngxDirectiveError contained error_page
 syn keyword ngxDirectiveError contained post_action
 
+syn keyword ngxDirectiveDeprecated contained limit_zone
 syn keyword ngxDirectiveDeprecated contained proxy_downstream_buffer
 syn keyword ngxDirectiveDeprecated contained proxy_upstream_buffer
 syn keyword ngxDirectiveDeprecated contained spdy_chunk_size
@@ -118,6 +119,7 @@
 syn keyword ngxDirectiveDeprecated contained spdy_recv_buffer_size
 syn keyword ngxDirectiveDeprecated contained spdy_recv_timeout
 syn keyword ngxDirectiveDeprecated contained spdy_streams_index_size
+syn keyword ngxDirectiveDeprecated contained ssl
 syn keyword ngxDirectiveDeprecated contained upstream_conf
 
 syn keyword ngxDirective contained absolute_redirect
@@ -136,6 +138,7 @@
 syn keyword ngxDirective contained allow
 syn keyword ngxDirective contained ancient_browser
 syn keyword ngxDirective contained ancient_browser_value
+syn keyword ngxDirective contained api
 syn keyword ngxDirective contained auth_basic
 syn keyword ngxDirective contained auth_basic_user_file
 syn keyword ngxDirective contained auth_http
@@ -143,7 +146,11 @@
 syn keyword ngxDirective contained auth_http_pass_client_cert
 syn keyword ngxDirective contained auth_http_timeout
 syn keyword ngxDirective contained auth_jwt
+syn keyword ngxDirective contained auth_jwt_claim_set
+syn keyword ngxDirective contained auth_jwt_header_set
 syn keyword ngxDirective contained auth_jwt_key_file
+syn keyword ngxDirective contained auth_jwt_key_request
+syn keyword ngxDirective contained auth_jwt_leeway
 syn keyword ngxDirective contained auth_request
 syn keyword ngxDirective contained auth_request_set
 syn keyword ngxDirective contained autoindex
@@ -229,6 +236,7 @@
 syn keyword ngxDirective contained fastcgi_request_buffering
 syn keyword ngxDirective contained fastcgi_send_lowat
 syn keyword ngxDirective contained fastcgi_send_timeout
+syn keyword ngxDirective contained fastcgi_socket_keepalive
 syn keyword ngxDirective contained fastcgi_split_path_info
 syn keyword ngxDirective contained fastcgi_store
 syn keyword ngxDirective contained fastcgi_store_access
@@ -255,6 +263,7 @@
 syn keyword ngxDirective contained grpc_read_timeout
 syn keyword ngxDirective contained grpc_send_timeout
 syn keyword ngxDirective contained grpc_set_header
+syn keyword ngxDirective contained grpc_socket_keepalive
 syn keyword ngxDirective contained grpc_ssl_certificate
 syn keyword ngxDirective contained grpc_ssl_certificate_key
 syn keyword ngxDirective contained grpc_ssl_ciphers
@@ -330,6 +339,8 @@
 syn keyword ngxDirective contained keepalive_disable
 syn keyword ngxDirective contained keepalive_requests
 syn keyword ngxDirective contained keepalive_timeout
+syn keyword ngxDirective contained keyval
+syn keyword ngxDirective contained keyval_zone
 syn keyword ngxDirective contained kqueue_changes
 syn keyword ngxDirective contained kqueue_events
 syn keyword ngxDirective contained large_client_header_buffers
@@ -367,6 +378,7 @@
 syn keyword ngxDirective contained memcached_next_upstream_tries
 syn keyword ngxDirective contained memcached_read_timeout
 syn keyword ngxDirective contained memcached_send_timeout
+syn keyword ngxDirective contained memcached_socket_keepalive
 syn keyword ngxDirective contained merge_slashes
 syn keyword ngxDirective contained min_delete_depth
 syn keyword ngxDirective contained mirror
@@ -375,9 +387,9 @@
 syn keyword ngxDirective contained modern_browser_value
 syn keyword ngxDirective contained mp4
 syn keyword ngxDirective contained mp4_buffer_size
-syn keyword ngxDirective contained mp4_max_buffer_size
 syn keyword ngxDirective contained mp4_limit_rate
 syn keyword ngxDirective contained mp4_limit_rate_after
+syn keyword ngxDirective contained mp4_max_buffer_size
 syn keyword ngxDirective contained msie_padding
 syn keyword ngxDirective contained msie_refresh
 syn keyword ngxDirective contained multi_accept
@@ -456,11 +468,13 @@
 syn keyword ngxDirective contained proxy_read_timeout
 syn keyword ngxDirective contained proxy_redirect
 syn keyword ngxDirective contained proxy_request_buffering
+syn keyword ngxDirective contained proxy_requests
 syn keyword ngxDirective contained proxy_responses
 syn keyword ngxDirective contained proxy_send_lowat
 syn keyword ngxDirective contained proxy_send_timeout
 syn keyword ngxDirective contained proxy_set_body
 syn keyword ngxDirective contained proxy_set_header
+syn keyword ngxDirective contained proxy_socket_keepalive
 syn keyword ngxDirective contained proxy_ssl
 syn keyword ngxDirective contained proxy_ssl_certificate
 syn keyword ngxDirective contained proxy_ssl_certificate_key
@@ -481,6 +495,7 @@
 syn keyword ngxDirective contained proxy_timeout
 syn keyword ngxDirective contained proxy_upload_rate
 syn keyword ngxDirective contained queue
+syn keyword ngxDirective contained random
 syn keyword ngxDirective contained random_index
 syn keyword ngxDirective contained read_ahead
 syn keyword ngxDirective contained real_ip_header
@@ -533,6 +548,7 @@
 syn keyword ngxDirective contained scgi_read_timeout
 syn keyword ngxDirective contained scgi_request_buffering
 syn keyword ngxDirective contained scgi_send_timeout
+syn keyword ngxDirective contained scgi_socket_keepalive
 syn keyword ngxDirective contained scgi_store
 syn keyword ngxDirective contained scgi_store_access
 syn keyword ngxDirective contained scgi_temp_file_write_size
@@ -565,7 +581,6 @@
 syn keyword ngxDirective contained ssi_silent_errors
 syn keyword ngxDirective contained ssi_types
 syn keyword ngxDirective contained ssi_value_length
-syn keyword ngxDirective contained ssl
 syn keyword ngxDirective contained ssl_buffer_size
 syn keyword ngxDirective contained ssl_certificate
 syn keyword ngxDirective contained ssl_certificate_key
@@ -573,6 +588,7 @@
 syn keyword ngxDirective contained ssl_client_certificate
 syn keyword ngxDirective contained ssl_crl
 syn keyword ngxDirective contained ssl_dhparam
+syn keyword ngxDirective contained ssl_early_data
 syn keyword ngxDirective contained ssl_ecdh_curve
 syn keyword ngxDirective contained ssl_engine
 syn keyword ngxDirective contained ssl_handshake_timeout
@@ -664,6 +680,7 @@
 syn keyword ngxDirective contained uwsgi_read_timeout
 syn keyword ngxDirective contained uwsgi_request_buffering
 syn keyword ngxDirective contained uwsgi_send_timeout
+syn keyword ngxDirective contained uwsgi_socket_keepalive
 syn keyword ngxDirective contained uwsgi_ssl_certificate
 syn keyword ngxDirective contained uwsgi_ssl_certificate_key
 syn keyword ngxDirective contained uwsgi_ssl_ciphers
@@ -701,6 +718,26 @@
 syn keyword ngxDirective contained xslt_stylesheet
 syn keyword ngxDirective contained xslt_types
 syn keyword ngxDirective contained zone
+syn keyword ngxDirective contained zone_sync
+syn keyword ngxDirective contained zone_sync_buffers
+syn keyword ngxDirective contained zone_sync_connect_retry_interval
+syn keyword ngxDirective contained zone_sync_connect_timeout
+syn keyword ngxDirective contained zone_sync_interval
+syn keyword ngxDirective contained zone_sync_recv_buffer_size
+syn keyword ngxDirective contained zone_sync_server
+syn keyword ngxDirective contained zone_sync_ssl
+syn keyword ngxDirective contained zone_sync_ssl_certificate
+syn keyword ngxDirective contained zone_sync_ssl_certificate_key
+syn keyword ngxDirective contained zone_sync_ssl_ciphers
+syn keyword ngxDirective contained zone_sync_ssl_crl
+syn keyword ngxDirective contained zone_sync_ssl_name
+syn keyword ngxDirective contained zone_sync_ssl_password_file
+syn keyword ngxDirective contained zone_sync_ssl_protocols
+syn keyword ngxDirective contained zone_sync_ssl_server_name
+syn keyword ngxDirective contained zone_sync_ssl_trusted_certificate
+syn keyword ngxDirective contained zone_sync_ssl_verify
+syn keyword ngxDirective contained zone_sync_ssl_verify_depth
+syn keyword ngxDirective contained zone_sync_timeout
 
 " 3rd party modules list taken from
 " https://github.com/freebsd/freebsd-ports/blob/master/www/nginx-devel/Makefile
@@ -876,6 +913,8 @@
 
 " NGINX WebDAV missing commands support (PROPFIND & OPTIONS)
 " https://github.com/arut/nginx-dav-ext-module
+syn keyword ngxDirectiveThirdParty contained dav_ext_lock
+syn keyword ngxDirectiveThirdParty contained dav_ext_lock_zone
 syn keyword ngxDirectiveThirdParty contained dav_ext_methods
 
 " ngx_eval
@@ -895,6 +934,7 @@
 syn keyword ngxDirectiveThirdParty contained fancyindex_exact_size
 syn keyword ngxDirectiveThirdParty contained fancyindex_footer
 syn keyword ngxDirectiveThirdParty contained fancyindex_header
+syn keyword ngxDirectiveThirdParty contained fancyindex_hide_parent_dir
 syn keyword ngxDirectiveThirdParty contained fancyindex_hide_symlinks
 syn keyword ngxDirectiveThirdParty contained fancyindex_ignore
 syn keyword ngxDirectiveThirdParty contained fancyindex_localtime
@@ -937,8 +977,17 @@
 
 " nchan
 " https://github.com/slact/nchan
+syn keyword ngxDirectiveThirdParty contained nchan_access_control_allow_credentials
 syn keyword ngxDirectiveThirdParty contained nchan_access_control_allow_origin
 syn keyword ngxDirectiveThirdParty contained nchan_authorize_request
+syn keyword ngxDirectiveThirdParty contained nchan_benchmark
+syn keyword ngxDirectiveThirdParty contained nchan_benchmark_channels
+syn keyword ngxDirectiveThirdParty contained nchan_benchmark_message_padding_bytes
+syn keyword ngxDirectiveThirdParty contained nchan_benchmark_messages_per_channel_per_minute
+syn keyword ngxDirectiveThirdParty contained nchan_benchmark_publisher_distribution
+syn keyword ngxDirectiveThirdParty contained nchan_benchmark_subscriber_distribution
+syn keyword ngxDirectiveThirdParty contained nchan_benchmark_subscribers_per_channel
+syn keyword ngxDirectiveThirdParty contained nchan_benchmark_time
 syn keyword ngxDirectiveThirdParty contained nchan_channel_event_string
 syn keyword ngxDirectiveThirdParty contained nchan_channel_events_channel_id
 syn keyword ngxDirectiveThirdParty contained nchan_channel_group
@@ -974,15 +1023,19 @@
 syn keyword ngxDirectiveThirdParty contained nchan_pubsub
 syn keyword ngxDirectiveThirdParty contained nchan_pubsub_channel_id
 syn keyword ngxDirectiveThirdParty contained nchan_pubsub_location
+syn keyword ngxDirectiveThirdParty contained nchan_redis_connect_timeout
 syn keyword ngxDirectiveThirdParty contained nchan_redis_fakesub_timer_interval
 syn keyword ngxDirectiveThirdParty contained nchan_redis_idle_channel_cache_timeout
 syn keyword ngxDirectiveThirdParty contained nchan_redis_namespace
+syn keyword ngxDirectiveThirdParty contained nchan_redis_nostore_fastpublish
+syn keyword ngxDirectiveThirdParty contained nchan_redis_optimize_target
 syn keyword ngxDirectiveThirdParty contained nchan_redis_pass
 syn keyword ngxDirectiveThirdParty contained nchan_redis_pass_inheritable
 syn keyword ngxDirectiveThirdParty contained nchan_redis_ping_interval
 syn keyword ngxDirectiveThirdParty contained nchan_redis_publish_msgpacked_max_size
 syn keyword ngxDirectiveThirdParty contained nchan_redis_server
 syn keyword ngxDirectiveThirdParty contained nchan_redis_storage_mode
+syn keyword ngxDirectiveThirdParty contained nchan_redis_subscribe_weights
 syn keyword ngxDirectiveThirdParty contained nchan_redis_url
 syn keyword ngxDirectiveThirdParty contained nchan_redis_wait_after_connecting
 syn keyword ngxDirectiveThirdParty contained nchan_shared_memory_size
@@ -1280,6 +1333,7 @@
 syn keyword ngxDirectiveThirdParty contained lua_package_path
 syn keyword ngxDirectiveThirdParty contained lua_regex_cache_max_entries
 syn keyword ngxDirectiveThirdParty contained lua_regex_match_limit
+syn keyword ngxDirectiveThirdParty contained lua_sa_restart
 syn keyword ngxDirectiveThirdParty contained lua_shared_dict
 syn keyword ngxDirectiveThirdParty contained lua_socket_buffer_size
 syn keyword ngxDirectiveThirdParty contained lua_socket_connect_timeout
@@ -1355,9 +1409,15 @@
 " https://www.phusionpassenger.com/library/config/nginx/reference/
 syn keyword ngxDirectiveThirdParty contained passenger_abort_on_startup_error
 syn keyword ngxDirectiveThirdParty contained passenger_abort_websockets_on_process_shutdown
+syn keyword ngxDirectiveThirdParty contained passenger_admin_panel_auth_type
+syn keyword ngxDirectiveThirdParty contained passenger_admin_panel_password
+syn keyword ngxDirectiveThirdParty contained passenger_admin_panel_url
+syn keyword ngxDirectiveThirdParty contained passenger_admin_panel_username
+syn keyword ngxDirectiveThirdParty contained passenger_anonymous_telemetry_proxy
 syn keyword ngxDirectiveThirdParty contained passenger_app_env
 syn keyword ngxDirectiveThirdParty contained passenger_app_file_descriptor_ulimit
 syn keyword ngxDirectiveThirdParty contained passenger_app_group_name
+syn keyword ngxDirectiveThirdParty contained passenger_app_log_file
 syn keyword ngxDirectiveThirdParty contained passenger_app_rights
 syn keyword ngxDirectiveThirdParty contained passenger_app_root
 syn keyword ngxDirectiveThirdParty contained passenger_app_type
@@ -1373,8 +1433,10 @@
 syn keyword ngxDirectiveThirdParty contained passenger_debugger
 syn keyword ngxDirectiveThirdParty contained passenger_default_group
 syn keyword ngxDirectiveThirdParty contained passenger_default_user
+syn keyword ngxDirectiveThirdParty contained passenger_disable_anonymous_telemetry
 syn keyword ngxDirectiveThirdParty contained passenger_disable_security_update_check
 syn keyword ngxDirectiveThirdParty contained passenger_document_root
+syn keyword ngxDirectiveThirdParty contained passenger_dump_config_manifest
 syn keyword ngxDirectiveThirdParty contained passenger_enabled
 syn keyword ngxDirectiveThirdParty contained passenger_env_var
 syn keyword ngxDirectiveThirdParty contained passenger_file_descriptor_log_file
@@ -1402,6 +1464,7 @@
 syn keyword ngxDirectiveThirdParty contained passenger_memory_limit
 syn keyword ngxDirectiveThirdParty contained passenger_meteor_app_settings
 syn keyword ngxDirectiveThirdParty contained passenger_min_instances
+syn keyword ngxDirectiveThirdParty contained passenger_monitor_log_file
 syn keyword ngxDirectiveThirdParty contained passenger_nodejs
 syn keyword ngxDirectiveThirdParty contained passenger_pass_header
 syn keyword ngxDirectiveThirdParty contained passenger_pool_idle_time
@@ -1778,6 +1841,8 @@
 syn keyword ngxDirectiveThirdParty contained vhost_traffic_status_filter_by_host
 syn keyword ngxDirectiveThirdParty contained vhost_traffic_status_filter_by_set_key
 syn keyword ngxDirectiveThirdParty contained vhost_traffic_status_filter_check_duplicate
+syn keyword ngxDirectiveThirdParty contained vhost_traffic_status_filter_max_node
+syn keyword ngxDirectiveThirdParty contained vhost_traffic_status_histogram_buckets
 syn keyword ngxDirectiveThirdParty contained vhost_traffic_status_limit
 syn keyword ngxDirectiveThirdParty contained vhost_traffic_status_limit_check_duplicate
 syn keyword ngxDirectiveThirdParty contained vhost_traffic_status_limit_traffic
@@ -1899,11 +1964,11 @@
 
 " ngx_http_accounting_module
 " https://github.com/Lax/ngx_http_accounting_module
-syn keyword ngxDirectiveThirdParty contained http_accounting
-syn keyword ngxDirectiveThirdParty contained http_accounting_id
-syn keyword ngxDirectiveThirdParty contained http_accounting_interval
-syn keyword ngxDirectiveThirdParty contained http_accounting_log
-syn keyword ngxDirectiveThirdParty contained http_accounting_perturb
+syn keyword ngxDirectiveThirdParty contained accounting
+syn keyword ngxDirectiveThirdParty contained accounting_id
+syn keyword ngxDirectiveThirdParty contained accounting_interval
+syn keyword ngxDirectiveThirdParty contained accounting_log
+syn keyword ngxDirectiveThirdParty contained accounting_perturb
 
 " concatenating files in a given context: CSS and JS files usually
 " https://github.com/alibaba/nginx-http-concat
diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
index 0738e6f..4c471d8 100644
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -5,6 +5,82 @@
 <change_log title="nginx">
 
 
+<changes ver="1.15.8" date="2018-12-25">
+
+<change type="feature">
+<para lang="ru">
+переменная $upstream_bytes_sent.<br/>
+Спасибо Piotr Sikora.
+</para>
+<para lang="en">
+the $upstream_bytes_sent variable.<br/>
+Thanks to Piotr Sikora.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+новые директивы в скриптах подсветки синтаксиса для vim.<br/>
+Спасибо Геннадию Махомеду.
+</para>
+<para lang="en">
+new directives in vim syntax highlighting scripts.<br/>
+Thanks to Gena Makhomed.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в директиве proxy_cache_background_update.
+</para>
+<para lang="en">
+in the "proxy_cache_background_update" directive.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в директиве geo при использовании unix domain listen-сокетов.
+</para>
+<para lang="en">
+in the "geo" directive when using unix domain listen sockets.
+</para>
+</change>
+
+<change type="workaround">
+<para lang="ru">
+при использовании директивы ssl_early_data с OpenSSL
+в логах могли появляться сообщения
+"ignoring stale global SSL error ... bad length".
+</para>
+<para lang="en">
+the "ignoring stale global SSL error ... bad length"
+alerts might appear in logs
+when using the "ssl_early_data" directive with OpenSSL.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в nginx/Windows.
+</para>
+<para lang="en">
+in nginx/Windows.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+в модуле ngx_http_autoindex_module на 32-битных платформах.
+</para>
+<para lang="en">
+in the ngx_http_autoindex_module on 32-bit platforms.
+</para>
+</change>
+
+</changes>
+
+
 <changes ver="1.15.7" date="2018-11-27">
 
 <change type="feature">
diff --git a/src/core/nginx.h b/src/core/nginx.h
index 14dc7c9..b130fae 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -13,8 +13,8 @@
 #define NGINX_NAME         "nginx"
 #endif
 
-#define nginx_version      1015007
-#define NGINX_VERSION      "1.15.7"
+#define nginx_version      1015008
+#define NGINX_VERSION      "1.15.8"
 #define NGINX_VER          NGINX_NAME "/" NGINX_VERSION
 
 #ifdef NGX_BUILD
diff --git a/src/core/ngx_file.c b/src/core/ngx_file.c
index 5678030..63ada85 100644
--- a/src/core/ngx_file.c
+++ b/src/core/ngx_file.c
@@ -1017,13 +1017,13 @@
 
         file.len = tree->len + 1 + len;
 
-        if (file.len + NGX_DIR_MASK_LEN > buf.len) {
+        if (file.len > buf.len) {
 
             if (buf.len) {
                 ngx_free(buf.data);
             }
 
-            buf.len = tree->len + 1 + len + NGX_DIR_MASK_LEN;
+            buf.len = tree->len + 1 + len;
 
             buf.data = ngx_alloc(buf.len + 1, ctx->log);
             if (buf.data == NULL) {
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index 5d7fe31..593645d 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -4266,7 +4266,15 @@
     }
 
     if (naddrs == 0) {
-        ctx->state = NGX_RESOLVE_NXDOMAIN;
+        ctx->state = srvs[0].state;
+
+        for (i = 0; i < nsrvs; i++) {
+            if (srvs[i].state == NGX_RESOLVE_NXDOMAIN) {
+                ctx->state = NGX_RESOLVE_NXDOMAIN;
+                break;
+            }
+        }
+
         ctx->valid = ngx_time() + (r->valid ? r->valid : 10);
 
         ctx->handler(ctx);
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index d31f3b7..958483d 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -1862,6 +1862,10 @@
         buf += 1;
     }
 
+    if (c->ssl->write_blocked) {
+        return NGX_AGAIN;
+    }
+
     /*
      * SSL_read_early_data() may return data in parts, so try to read
      * until SSL_read_early_data() would return no data
@@ -2362,6 +2366,11 @@
             ngx_post_event(c->read, &ngx_posted_events);
         }
 
+        if (c->ssl->write_blocked) {
+            c->ssl->write_blocked = 0;
+            ngx_post_event(c->read, &ngx_posted_events);
+        }
+
         c->sent += written;
 
         return written;
@@ -2375,6 +2384,9 @@
 
     if (sslerr == SSL_ERROR_WANT_WRITE) {
 
+        ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0,
+                       "SSL_write_early_data: want write");
+
         if (c->ssl->saved_read_handler) {
 
             c->read->handler = c->ssl->saved_read_handler;
@@ -2388,6 +2400,14 @@
             ngx_post_event(c->read, &ngx_posted_events);
         }
 
+        /*
+         * OpenSSL 1.1.1a fails to handle SSL_read_early_data()
+         * if an SSL_write_early_data() call blocked on writing,
+         * see https://github.com/openssl/openssl/issues/7757
+         */
+
+        c->ssl->write_blocked = 1;
+
         c->write->ready = 0;
         return NGX_AGAIN;
     }
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 3d87c4d..2495e48 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -98,6 +98,7 @@
     unsigned                    try_early_data:1;
     unsigned                    in_early:1;
     unsigned                    early_preread:1;
+    unsigned                    write_blocked:1;
 };
 
 
diff --git a/src/http/modules/ngx_http_autoindex_module.c b/src/http/modules/ngx_http_autoindex_module.c
index d59fba2..082bcb5 100644
--- a/src/http/modules/ngx_http_autoindex_module.c
+++ b/src/http/modules/ngx_http_autoindex_module.c
@@ -186,8 +186,6 @@
         return rc;
     }
 
-    /* NGX_DIR_MASK_LEN is lesser than NGX_HTTP_AUTOINDEX_PREALLOCATE */
-
     last = ngx_http_map_uri_to_path(r, &path, &root,
                                     NGX_HTTP_AUTOINDEX_PREALLOCATE);
     if (last == NULL) {
@@ -436,7 +434,7 @@
 {
     u_char                         *last, scale;
     off_t                           length;
-    size_t                          len, char_len, escape_html;
+    size_t                          len, entry_len, char_len, escape_html;
     ngx_tm_t                        tm;
     ngx_buf_t                      *b;
     ngx_int_t                       size;
@@ -501,17 +499,23 @@
             entry[i].utf_len = entry[i].name.len;
         }
 
-        len += sizeof("<a href=\"") - 1
-            + entry[i].name.len + entry[i].escape
-            + 1                                          /* 1 is for "/" */
-            + sizeof("\">") - 1
-            + entry[i].name.len - entry[i].utf_len
-            + entry[i].escape_html
-            + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof("&gt;") - 2
-            + sizeof("</a>") - 1
-            + sizeof(" 28-Sep-1970 12:00 ") - 1
-            + 20                                         /* the file size */
-            + 2;
+        entry_len = sizeof("<a href=\"") - 1
+                  + entry[i].name.len + entry[i].escape
+                  + 1                                    /* 1 is for "/" */
+                  + sizeof("\">") - 1
+                  + entry[i].name.len - entry[i].utf_len
+                  + entry[i].escape_html
+                  + NGX_HTTP_AUTOINDEX_NAME_LEN + sizeof("&gt;") - 2
+                  + sizeof("</a>") - 1
+                  + sizeof(" 28-Sep-1970 12:00 ") - 1
+                  + 20                                   /* the file size */
+                  + 2;
+
+        if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
+            return NULL;
+        }
+
+        len += entry_len;
     }
 
     b = ngx_create_temp_buf(r->pool, len);
@@ -699,7 +703,7 @@
 ngx_http_autoindex_json(ngx_http_request_t *r, ngx_array_t *entries,
     ngx_str_t *callback)
 {
-    size_t                       len;
+    size_t                       len, entry_len;
     ngx_buf_t                   *b;
     ngx_uint_t                   i;
     ngx_http_autoindex_entry_t  *entry;
@@ -716,15 +720,21 @@
         entry[i].escape = ngx_escape_json(NULL, entry[i].name.data,
                                           entry[i].name.len);
 
-        len += sizeof("{  }," CRLF) - 1
-            + sizeof("\"name\":\"\"") - 1
-            + entry[i].name.len + entry[i].escape
-            + sizeof(", \"type\":\"directory\"") - 1
-            + sizeof(", \"mtime\":\"Wed, 31 Dec 1986 10:00:00 GMT\"") - 1;
+        entry_len = sizeof("{  }," CRLF) - 1
+                  + sizeof("\"name\":\"\"") - 1
+                  + entry[i].name.len + entry[i].escape
+                  + sizeof(", \"type\":\"directory\"") - 1
+                  + sizeof(", \"mtime\":\"Wed, 31 Dec 1986 10:00:00 GMT\"") - 1;
 
         if (entry[i].file) {
-            len += sizeof(", \"size\":") - 1 + NGX_OFF_T_LEN;
+            entry_len += sizeof(", \"size\":") - 1 + NGX_OFF_T_LEN;
         }
+
+        if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
+            return NULL;
+        }
+
+        len += entry_len;
     }
 
     b = ngx_create_temp_buf(r->pool, len);
@@ -843,7 +853,7 @@
 static ngx_buf_t *
 ngx_http_autoindex_xml(ngx_http_request_t *r, ngx_array_t *entries)
 {
-    size_t                          len;
+    size_t                          len, entry_len;
     ngx_tm_t                        tm;
     ngx_buf_t                      *b;
     ngx_str_t                       type;
@@ -861,13 +871,19 @@
         entry[i].escape = ngx_escape_html(NULL, entry[i].name.data,
                                           entry[i].name.len);
 
-        len += sizeof("<directory></directory>" CRLF) - 1
-            + entry[i].name.len + entry[i].escape
-            + sizeof(" mtime=\"1986-12-31T10:00:00Z\"") - 1;
+        entry_len = sizeof("<directory></directory>" CRLF) - 1
+                  + entry[i].name.len + entry[i].escape
+                  + sizeof(" mtime=\"1986-12-31T10:00:00Z\"") - 1;
 
         if (entry[i].file) {
-            len += sizeof(" size=\"\"") - 1 + NGX_OFF_T_LEN;
+            entry_len += sizeof(" size=\"\"") - 1 + NGX_OFF_T_LEN;
         }
+
+        if (len > NGX_MAX_SIZE_T_VALUE - entry_len) {
+            return NULL;
+        }
+
+        len += entry_len;
     }
 
     b = ngx_create_temp_buf(r->pool, len);
diff --git a/src/http/modules/ngx_http_geo_module.c b/src/http/modules/ngx_http_geo_module.c
index c11bafa..153b6aa 100644
--- a/src/http/modules/ngx_http_geo_module.c
+++ b/src/http/modules/ngx_http_geo_module.c
@@ -215,6 +215,13 @@
         break;
 #endif
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+    case AF_UNIX:
+        vv = (ngx_http_variable_value_t *)
+                  ngx_radix32tree_find(ctx->u.trees.tree, INADDR_NONE);
+        break;
+#endif
+
     default: /* AF_INET */
         sin = (struct sockaddr_in *) addr.sockaddr;
         inaddr = ntohl(sin->sin_addr.s_addr);
@@ -277,6 +284,12 @@
             break;
 #endif
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+        case AF_UNIX:
+            inaddr = INADDR_NONE;
+            break;
+#endif
+
         default: /* AF_INET */
             sin = (struct sockaddr_in *) addr.sockaddr;
             inaddr = ntohl(sin->sin_addr.s_addr);
diff --git a/src/http/modules/ngx_http_random_index_module.c b/src/http/modules/ngx_http_random_index_module.c
index b47ee4f..ed00ad5 100644
--- a/src/http/modules/ngx_http_random_index_module.c
+++ b/src/http/modules/ngx_http_random_index_module.c
@@ -98,7 +98,7 @@
     }
 
 #if (NGX_HAVE_D_TYPE)
-    len = NGX_DIR_MASK_LEN;
+    len = 0;
 #else
     len = NGX_HTTP_RANDOM_INDEX_PREALLOCATE;
 #endif
diff --git a/src/http/modules/ngx_http_userid_filter_module.c b/src/http/modules/ngx_http_userid_filter_module.c
index a1a5493..31cf402 100644
--- a/src/http/modules/ngx_http_userid_filter_module.c
+++ b/src/http/modules/ngx_http_userid_filter_module.c
@@ -545,6 +545,13 @@
 
                 break;
 #endif
+
+#if (NGX_HAVE_UNIX_DOMAIN)
+            case AF_UNIX:
+                ctx->uid_set[0] = 0;
+                break;
+#endif
+
             default: /* AF_INET */
                 sin = (struct sockaddr_in *) c->local_sockaddr;
                 ctx->uid_set[0] = sin->sin_addr.s_addr;
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c
index b27dcb2..b9afec6 100644
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -2386,6 +2386,14 @@
         sr->phase_handler = r->phase_handler;
         sr->write_event_handler = ngx_http_core_run_phases;
 
+#if (NGX_PCRE)
+        sr->ncaptures = r->ncaptures;
+        sr->captures = r->captures;
+        sr->captures_data = r->captures_data;
+        sr->realloc_captures = 1;
+        r->realloc_captures = 1;
+#endif
+
         ngx_http_update_location_config(sr);
     }
 
diff --git a/src/http/ngx_http_request.h b/src/http/ngx_http_request.h
index 1dd2505..dd6f85e 100644
--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@@ -499,6 +499,10 @@
     unsigned                          gzip_vary:1;
 #endif
 
+#if (NGX_PCRE)
+    unsigned                          realloc_captures:1;
+#endif
+
     unsigned                          proxy:1;
     unsigned                          bypass_cache:1;
     unsigned                          no_cache:1;
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index fdfd3c6..7356bd1 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -162,8 +162,8 @@
     ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_upstream_response_time_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t ngx_http_upstream_bytes_variable(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_upstream_response_length_variable(
+    ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_upstream_header_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_upstream_trailer_variable(ngx_http_request_t *r,
@@ -402,15 +402,15 @@
       NGX_HTTP_VAR_NOCACHEABLE, 0 },
 
     { ngx_string("upstream_response_length"), NULL,
-      ngx_http_upstream_bytes_variable, 0,
+      ngx_http_upstream_response_length_variable, 0,
       NGX_HTTP_VAR_NOCACHEABLE, 0 },
 
     { ngx_string("upstream_bytes_received"), NULL,
-      ngx_http_upstream_bytes_variable, 1,
+      ngx_http_upstream_response_length_variable, 1,
       NGX_HTTP_VAR_NOCACHEABLE, 0 },
 
     { ngx_string("upstream_bytes_sent"), NULL,
-      ngx_http_upstream_bytes_variable, 2,
+      ngx_http_upstream_response_length_variable, 2,
       NGX_HTTP_VAR_NOCACHEABLE, 0 },
 
 #if (NGX_HTTP_CACHE)
@@ -4142,12 +4142,12 @@
     ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
                    "http next upstream, %xi", ft_type);
 
-    if (u->state && u->state->bytes_sent == 0 && u->peer.connection) {
-        u->state->bytes_sent = u->peer.connection->sent;
-    }
-
     if (u->peer.sockaddr) {
 
+        if (u->peer.connection) {
+            u->state->bytes_sent = u->peer.connection->sent;
+        }
+
         if (ft_type == NGX_HTTP_UPSTREAM_FT_HTTP_403
             || ft_type == NGX_HTTP_UPSTREAM_FT_HTTP_404)
         {
@@ -4332,7 +4332,7 @@
             u->state->response_length = u->pipe->read_length;
         }
 
-        if (u->state->bytes_sent == 0 && u->peer.connection) {
+        if (u->peer.connection) {
             u->state->bytes_sent = u->peer.connection->sent;
         }
     }
@@ -5484,7 +5484,7 @@
 
 
 static ngx_int_t
-ngx_http_upstream_bytes_variable(ngx_http_request_t *r,
+ngx_http_upstream_response_length_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data)
 {
     u_char                     *p;
@@ -5515,12 +5515,12 @@
 
     for ( ;; ) {
 
-        if (data == 2) {
-            p = ngx_sprintf(p, "%O", state[i].bytes_sent);
-
-        } else if (data == 1) {
+        if (data == 1) {
             p = ngx_sprintf(p, "%O", state[i].bytes_received);
 
+        } else if (data == 2) {
+            p = ngx_sprintf(p, "%O", state[i].bytes_sent);
+
         } else {
             p = ngx_sprintf(p, "%O", state[i].response_length);
         }
diff --git a/src/http/ngx_http_variables.c b/src/http/ngx_http_variables.c
index e886abc..ebe9902 100644
--- a/src/http/ngx_http_variables.c
+++ b/src/http/ngx_http_variables.c
@@ -2504,7 +2504,9 @@
     if (re->ncaptures) {
         len = cmcf->ncaptures;
 
-        if (r->captures == NULL) {
+        if (r->captures == NULL || r->realloc_captures) {
+            r->realloc_captures = 0;
+
             r->captures = ngx_palloc(r->pool, len * sizeof(int));
             if (r->captures == NULL) {
                 return NGX_ERROR;
diff --git a/src/os/unix/ngx_files.h b/src/os/unix/ngx_files.h
index 07872b1..383e38e 100644
--- a/src/os/unix/ngx_files.h
+++ b/src/os/unix/ngx_files.h
@@ -213,9 +213,6 @@
 #endif
 
 
-#define NGX_DIR_MASK_LEN         0
-
-
 ngx_int_t ngx_open_dir(ngx_str_t *name, ngx_dir_t *dir);
 #define ngx_open_dir_n           "opendir()"
 
diff --git a/src/os/win32/ngx_files.c b/src/os/win32/ngx_files.c
index 55d7f76..0b131b5 100644
--- a/src/os/win32/ngx_files.c
+++ b/src/os/win32/ngx_files.c
@@ -427,16 +427,31 @@
 ngx_int_t
 ngx_open_dir(ngx_str_t *name, ngx_dir_t *dir)
 {
-    ngx_cpystrn(name->data + name->len, NGX_DIR_MASK, NGX_DIR_MASK_LEN + 1);
+    u_char     *pattern, *p;
+    ngx_err_t   err;
 
-    dir->dir = FindFirstFile((const char *) name->data, &dir->finddata);
-
-    name->data[name->len] = '\0';
-
-    if (dir->dir == INVALID_HANDLE_VALUE) {
+    pattern = malloc(name->len + 3);
+    if (pattern == NULL) {
         return NGX_ERROR;
     }
 
+    p = ngx_cpymem(pattern, name->data, name->len);
+
+    *p++ = '/';
+    *p++ = '*';
+    *p = '\0';
+
+    dir->dir = FindFirstFile((const char *) pattern, &dir->finddata);
+
+    if (dir->dir == INVALID_HANDLE_VALUE) {
+        err = ngx_errno;
+        ngx_free(pattern);
+        ngx_set_errno(err);
+        return NGX_ERROR;
+    }
+
+    ngx_free(pattern);
+
     dir->valid_info = 1;
     dir->ready = 1;
 
diff --git a/src/os/win32/ngx_files.h b/src/os/win32/ngx_files.h
index 895daea..6eb720e 100644
--- a/src/os/win32/ngx_files.h
+++ b/src/os/win32/ngx_files.h
@@ -181,9 +181,6 @@
 #define NGX_HAVE_MAX_PATH           1
 #define NGX_MAX_PATH                MAX_PATH
 
-#define NGX_DIR_MASK                (u_char *) "/*"
-#define NGX_DIR_MASK_LEN            2
-
 
 ngx_int_t ngx_open_dir(ngx_str_t *name, ngx_dir_t *dir);
 #define ngx_open_dir_n              "FindFirstFile()"
diff --git a/src/stream/ngx_stream_geo_module.c b/src/stream/ngx_stream_geo_module.c
index 83f7fb4..4b4cad8 100644
--- a/src/stream/ngx_stream_geo_module.c
+++ b/src/stream/ngx_stream_geo_module.c
@@ -206,6 +206,13 @@
         break;
 #endif
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+    case AF_UNIX:
+        vv = (ngx_stream_variable_value_t *)
+                  ngx_radix32tree_find(ctx->u.trees.tree, INADDR_NONE);
+        break;
+#endif
+
     default: /* AF_INET */
         sin = (struct sockaddr_in *) addr.sockaddr;
         inaddr = ntohl(sin->sin_addr.s_addr);
@@ -268,6 +275,12 @@
             break;
 #endif
 
+#if (NGX_HAVE_UNIX_DOMAIN)
+        case AF_UNIX:
+            inaddr = INADDR_NONE;
+            break;
+#endif
+
         default: /* AF_INET */
             sin = (struct sockaddr_in *) addr.sockaddr;
             inaddr = ntohl(sin->sin_addr.s_addr);