nginx-0.2.2-RELEASE import
*) Feature: the "config errmsg" command of the ngx_http_ssi_module.
*) Change: the ngx_http_geo_module variables can be overridden by the
"set" directive.
*) Feature: the "ssl_protocols" and "ssl_prefer_server_ciphers"
directives of the ngx_http_ssl_module and ngx_imap_ssl_module.
*) Bugfix: the ngx_http_autoindex_module did not show correctly the
long file names;
*) Bugfix: the ngx_http_autoindex_module now do not show the files
starting by dot.
*) Bugfix: if the SSL handshake failed then another connection may be
closed too.
Thanks to Rob Mueller.
*) Bugfix: the export versions of MSIE 5.x could not connect via HTTPS.
diff --git a/src/http/modules/ngx_http_autoindex_module.c b/src/http/modules/ngx_http_autoindex_module.c
index fb40669..d5a6b69 100644
--- a/src/http/modules/ngx_http_autoindex_module.c
+++ b/src/http/modules/ngx_http_autoindex_module.c
@@ -271,21 +271,14 @@
len = ngx_de_namelen(&dir);
- if (len == 1 && ngx_de_name(&dir)[0] == '.') {
- continue;
- }
-
- if (len == 2
- && ngx_de_name(&dir)[0] == '.'
- && ngx_de_name(&dir)[1] == '.')
- {
+ if (ngx_de_name(&dir)[0] == '.') {
continue;
}
if (!dir.valid_info) {
- if (dname.len + 1 + len > fname.len) {
- fname.len = dname.len + 1 + len + 32;
+ if (dname.len + 1 + len + 1 > fname.len) {
+ fname.len = dname.len + 1 + len + 1 + 32;
fname.data = ngx_palloc(pool, fname.len);
if (fname.data == NULL) {
@@ -468,7 +461,8 @@
} else {
if (entry[i].dir) {
- b->last = ngx_cpymem(b->last, " -", sizeof(" -") - 1);
+ b->last = ngx_cpymem(b->last, " -",
+ sizeof(" -") - 1);
} else {
length = entry[i].size;
@@ -498,13 +492,14 @@
} else {
size = (ngx_int_t) length;
- scale = ' ';
+ scale = '\0';
}
- b->last = ngx_sprintf(b->last, "%6i", size);
+ if (scale) {
+ b->last = ngx_sprintf(b->last, "%6i%c", size, scale);
- if (scale != ' ') {
- *b->last++ = scale;
+ } else {
+ b->last = ngx_sprintf(b->last, " %6i", size);
}
}
}
diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
index 6efac3d..9b317f9 100644
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -293,7 +293,7 @@
NULL },
{ ngx_string("fastcgi_next_upstream"),
- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_ANY,
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_fastcgi_loc_conf_t, upstream.next_upstream),
diff --git a/src/http/modules/ngx_http_geo_module.c b/src/http/modules/ngx_http_geo_module.c
index 834282b..2031a4c 100644
--- a/src/http/modules/ngx_http_geo_module.c
+++ b/src/http/modules/ngx_http_geo_module.c
@@ -117,7 +117,7 @@
name.data++;
}
- var = ngx_http_add_variable(cf, &name, 0);
+ var = ngx_http_add_variable(cf, &name, NGX_HTTP_VAR_CHANGABLE);
if (var == NULL) {
return NGX_CONF_ERROR;
}
diff --git a/src/http/modules/ngx_http_gzip_filter_module.c b/src/http/modules/ngx_http_gzip_filter_module.c
index c37f79c..012ea45 100644
--- a/src/http/modules/ngx_http_gzip_filter_module.c
+++ b/src/http/modules/ngx_http_gzip_filter_module.c
@@ -181,7 +181,7 @@
&ngx_http_gzip_http_version },
{ ngx_string("gzip_proxied"),
- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_ANY,
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_gzip_conf_t, proxied),
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index c807df9..a7fd741 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -244,7 +244,7 @@
NULL },
{ ngx_string("proxy_next_upstream"),
- NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_ANY,
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_1MORE,
ngx_conf_set_bitmask_slot,
NGX_HTTP_LOC_CONF_OFFSET,
offsetof(ngx_http_proxy_loc_conf_t, upstream.next_upstream),
diff --git a/src/http/modules/ngx_http_ssi_filter_module.c b/src/http/modules/ngx_http_ssi_filter_module.c
index 0f38295..f3eb093 100644
--- a/src/http/modules/ngx_http_ssi_filter_module.c
+++ b/src/http/modules/ngx_http_ssi_filter_module.c
@@ -59,6 +59,7 @@
ngx_uint_t output; /* unsigned output:1; */
ngx_str_t timefmt;
+ ngx_str_t errmsg;
} ngx_http_ssi_ctx_t;
@@ -217,8 +218,6 @@
static u_char ngx_http_ssi_string[] = "<!--";
-static u_char ngx_http_ssi_error_string[] =
- "[an error occurred while processing the directive]";
static ngx_str_t ngx_http_ssi_none = ngx_string("(none)");
@@ -226,7 +225,8 @@
#define NGX_HTTP_SSI_ECHO_VAR 0
#define NGX_HTTP_SSI_ECHO_DEFAULT 1
-#define NGX_HTTP_SSI_CONFIG_TIMEFMT 0
+#define NGX_HTTP_SSI_CONFIG_ERRMSG 0
+#define NGX_HTTP_SSI_CONFIG_TIMEFMT 1
#define NGX_HTTP_SSI_INCLUDE_VIRTUAL 0
#define NGX_HTTP_SSI_INCLUDE_FILE 1
@@ -250,6 +250,7 @@
static ngx_http_ssi_param_t ngx_http_ssi_config_params[] = {
+ { ngx_string("errmsg"), NGX_HTTP_SSI_CONFIG_ERRMSG, 0 },
{ ngx_string("timefmt"), NGX_HTTP_SSI_CONFIG_TIMEFMT, 0 },
{ ngx_null_string, 0, 0 }
};
@@ -347,6 +348,11 @@
ctx->timefmt.len = sizeof("%A, %d-%b-%Y %H:%M:%S %Z") - 1;
ctx->timefmt.data = (u_char *) "%A, %d-%b-%Y %H:%M:%S %Z";
+ ctx->errmsg.len =
+ sizeof("[an error occurred while processing the directive]") - 1;
+ ctx->errmsg.data = (u_char *)
+ "[an error occurred while processing the directive]";
+
r->filter_need_in_memory = 1;
if (r->main == NULL) {
@@ -653,9 +659,8 @@
}
b->memory = 1;
- b->pos = ngx_http_ssi_error_string;
- b->last = ngx_http_ssi_error_string
- + sizeof(ngx_http_ssi_error_string) - 1;
+ b->pos = ctx->errmsg.data;
+ b->last = ctx->errmsg.data + ctx->errmsg.len;
cl->next = NULL;
*ctx->last_out = cl;
@@ -1371,6 +1376,12 @@
ctx->timefmt = *value;
}
+ value = params[NGX_HTTP_SSI_CONFIG_ERRMSG];
+
+ if (value) {
+ ctx->errmsg = *value;
+ }
+
return NGX_OK;
}
diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c
index 130f2b3..bb9a55f 100644
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@@ -8,9 +8,9 @@
#include <ngx_core.h>
#include <ngx_http.h>
-
#define NGX_DEFLAUT_CERTIFICATE "cert.pem"
#define NGX_DEFLAUT_CERTIFICATE_KEY "cert.pem"
+#define NGX_DEFLAUT_CIPHERS "ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP"
static void *ngx_http_ssl_create_srv_conf(ngx_conf_t *cf);
@@ -18,6 +18,14 @@
void *parent, void *child);
+static ngx_conf_bitmask_t ngx_http_ssl_protocols[] = {
+ { ngx_string("SSLv2"), NGX_SSL_SSLv2 },
+ { ngx_string("SSLv3"), NGX_SSL_SSLv3 },
+ { ngx_string("TLSv1"), NGX_SSL_TLSv1 },
+ { ngx_null_string, 0 }
+};
+
+
static ngx_command_t ngx_http_ssl_commands[] = {
{ ngx_string("ssl"),
@@ -41,13 +49,27 @@
offsetof(ngx_http_ssl_srv_conf_t, certificate_key),
NULL },
+ { ngx_string("ssl_protocols"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ ngx_conf_set_bitmask_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, protocols),
+ &ngx_http_ssl_protocols },
+
{ ngx_string("ssl_ciphers"),
- NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_1MORE,
ngx_conf_set_str_slot,
NGX_HTTP_SRV_CONF_OFFSET,
offsetof(ngx_http_ssl_srv_conf_t, ciphers),
NULL },
+ { ngx_string("ssl_prefer_server_ciphers"),
+ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+ ngx_conf_set_flag_slot,
+ NGX_HTTP_SRV_CONF_OFFSET,
+ offsetof(ngx_http_ssl_srv_conf_t, prefer_server_ciphers),
+ NULL },
+
ngx_null_command
};
@@ -99,6 +121,8 @@
/*
* set by ngx_pcalloc():
*
+ * scf->protocols = 0;
+
* scf->certificate.len = 0;
* scf->certificate.data = NULL;
* scf->certificate_key.len = 0;
@@ -108,6 +132,7 @@
*/
scf->enable = NGX_CONF_UNSET;
+ scf->prefer_server_ciphers = NGX_CONF_UNSET;
return scf;
}
@@ -125,101 +150,60 @@
return NGX_CONF_OK;
}
+ ngx_conf_merge_value(conf->prefer_server_ciphers,
+ prev->prefer_server_ciphers, 0);
+
+ ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols,
+ (NGX_CONF_BITMASK_SET
+ |NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1));
+
ngx_conf_merge_str_value(conf->certificate, prev->certificate,
- NGX_DEFLAUT_CERTIFICATE);
+ NGX_DEFLAUT_CERTIFICATE);
ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key,
- NGX_DEFLAUT_CERTIFICATE_KEY);
+ NGX_DEFLAUT_CERTIFICATE_KEY);
- ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, "");
+ ngx_conf_merge_str_value(conf->ciphers, prev->ciphers, NGX_DEFLAUT_CIPHERS);
- /* TODO: configure methods */
+ conf->ssl.log = cf->log;
- conf->ssl_ctx = SSL_CTX_new(SSLv23_server_method());
-
- if (conf->ssl_ctx == NULL) {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "SSL_CTX_new() failed");
+ if (ngx_ssl_create(&conf->ssl, conf->protocols) != NGX_OK) {
return NGX_CONF_ERROR;
}
- if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, conf->ssl_ctx)
- == NULL)
+ if (ngx_pool_cleanup_add(cf->pool, ngx_ssl_cleanup_ctx, &conf->ssl) == NULL)
{
return NGX_CONF_ERROR;
}
-
- if (conf->ciphers.len) {
- if (SSL_CTX_set_cipher_list(conf->ssl_ctx,
- (const char *) conf->ciphers.data) == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_set_cipher_list(\"%V\") failed",
- &conf->ciphers);
- }
+ if (ngx_ssl_certificate(&conf->ssl, conf->certificate.data,
+ conf->certificate_key.data) != NGX_OK)
+ {
+ return NGX_CONF_ERROR;
}
- if (SSL_CTX_use_certificate_chain_file(conf->ssl_ctx,
- (char *) conf->certificate.data) == 0)
+ if (SSL_CTX_set_cipher_list(conf->ssl.ctx,
+ (const char *) conf->ciphers.data) == 0)
{
ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_use_certificate_chain_file(\"%s\") failed",
- conf->certificate.data);
+ "SSL_CTX_set_cipher_list(\"%V\") failed",
+ &conf->ciphers);
+ }
+
+ if (conf->prefer_server_ciphers) {
+ SSL_CTX_set_options(conf->ssl.ctx, SSL_OP_CIPHER_SERVER_PREFERENCE);
+ }
+
+ /* a temporary 512-bit RSA key is required for export versions of MSIE */
+ if (ngx_ssl_generate_rsa512_key(&conf->ssl) != NGX_OK) {
return NGX_CONF_ERROR;
}
- if (SSL_CTX_use_PrivateKey_file(conf->ssl_ctx,
- (char *) conf->certificate_key.data,
- SSL_FILETYPE_PEM) == 0)
- {
- ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0,
- "SSL_CTX_use_PrivateKey_file(\"%s\") failed",
- conf->certificate_key.data);
- return NGX_CONF_ERROR;
- }
+ SSL_CTX_set_session_cache_mode(conf->ssl.ctx, SSL_SESS_CACHE_SERVER);
- SSL_CTX_set_options(conf->ssl_ctx, SSL_OP_ALL);
-
- SSL_CTX_set_mode(conf->ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
-
- SSL_CTX_set_read_ahead(conf->ssl_ctx, 1);
-
- SSL_CTX_set_session_cache_mode(conf->ssl_ctx, SSL_SESS_CACHE_SERVER);
-
- SSL_CTX_set_session_id_context(conf->ssl_ctx, ngx_http_session_id_ctx,
+ SSL_CTX_set_session_id_context(conf->ssl.ctx, ngx_http_session_id_ctx,
sizeof(ngx_http_session_id_ctx) - 1);
return NGX_CONF_OK;
}
-
-
-#if 0
-
-/* how to enumrate server' configs */
-
-static ngx_int_t
-ngx_http_ssl_init_process(ngx_cycle_t *cycle)
-{
- ngx_uint_t i;
- ngx_http_ssl_srv_conf_t *sscf;
- ngx_http_core_srv_conf_t **cscfp;
- ngx_http_core_main_conf_t *cmcf;
-
- cmcf = ngx_http_cycle_get_module_main_conf(cycle, ngx_http_core_module);
-
- cscfp = cmcf->servers.elts;
-
- for (i = 0; i < cmcf->servers.nelts; i++) {
- sscf = cscfp[i]->ctx->srv_conf[ngx_http_ssl_module.ctx_index];
-
- if (sscf->enable) {
- cscfp[i]->recv = ngx_ssl_recv;
- cscfp[i]->send_chain = ngx_ssl_send_chain;
- }
- }
-
- return NGX_OK;
-}
-
-#endif
diff --git a/src/http/modules/ngx_http_ssl_module.h b/src/http/modules/ngx_http_ssl_module.h
index acb0aee..a705635 100644
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@@ -15,12 +15,17 @@
typedef struct {
ngx_flag_t enable;
+
+ ngx_ssl_t ssl;
+
+ ngx_flag_t prefer_server_ciphers;
+
+ ngx_uint_t protocols;
+
ngx_str_t certificate;
ngx_str_t certificate_key;
ngx_str_t ciphers;
-
- ngx_ssl_ctx_t *ssl_ctx;
} ngx_http_ssl_srv_conf_t;
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index cb3937c..0e6613b 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -49,6 +49,7 @@
#if (NGX_HTTP_SSL)
static void ngx_http_ssl_handshake(ngx_event_t *rev);
+static void ngx_http_ssl_handshake_handler(ngx_connection_t *c);
static void ngx_http_ssl_close_handler(ngx_event_t *ev);
#endif
@@ -359,7 +360,7 @@
if (sscf->enable) {
if (c->ssl == NULL) {
- if (ngx_ssl_create_connection(sscf->ssl_ctx, c, NGX_SSL_BUFFER)
+ if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER)
== NGX_ERROR)
{
ngx_http_close_connection(c);
@@ -367,16 +368,6 @@
}
rev->handler = ngx_http_ssl_handshake;
-
- /*
- * The majority of browsers do not send the "close notify" alert.
- * Among them are MSIE, Mozilla, Netscape 4, Konqueror, and Links.
- * And what is more, MSIE ignores the server's alert.
- *
- * Opera always sends the alert.
- */
-
- c->ssl->no_rcv_shut = 1;
}
r->main_filter_need_in_memory = 1;
@@ -491,21 +482,16 @@
ngx_log_debug1(NGX_LOG_DEBUG_HTTP, rev->log, 0,
"https ssl handshake: 0x%02Xd", buf[0]);
- c->recv = ngx_ssl_recv;
- c->send = ngx_ssl_write;
- c->send_chain = ngx_ssl_send_chain;
-
rc = ngx_ssl_handshake(c);
- if (rc == NGX_ERROR) {
- ngx_http_close_request(r, NGX_HTTP_BAD_REQUEST);
- ngx_http_close_connection(r->connection);
+ if (rc == NGX_AGAIN) {
+ c->ssl->handler = ngx_http_ssl_handshake_handler;
return;
}
- if (rc != NGX_OK) {
- return;
- }
+ ngx_http_ssl_handshake_handler(c);
+
+ return;
} else {
ngx_log_debug0(NGX_LOG_DEBUG_HTTP, rev->log, 0,
@@ -519,6 +505,41 @@
ngx_http_process_request_line(rev);
}
+
+static void
+ngx_http_ssl_handshake_handler(ngx_connection_t *c)
+{
+ ngx_http_request_t *r;
+
+ if (c->ssl->handshaked) {
+
+ /*
+ * The majority of browsers do not send the "close notify" alert.
+ * Among them are MSIE, old Mozilla, Netscape 4, Konqueror,
+ * and Links. And what is more, MSIE ignores the server's alert.
+ *
+ * Opera and recent Mozilla send the alert.
+ */
+
+ c->ssl->no_wait_shutdown = 1;
+
+ c->read->handler = ngx_http_process_request_line;
+ /* STUB: epoll edge */ c->write->handler = ngx_http_empty_handler;
+
+ ngx_http_process_request_line(c->read);
+
+ return;
+ }
+
+ r = c->data;
+
+ ngx_http_close_request(r, NGX_HTTP_BAD_REQUEST);
+ ngx_http_close_connection(r->connection);
+
+ return;
+}
+
+
#endif
@@ -1290,7 +1311,7 @@
#if 0
/* MSIE ignores the SSL "close notify" alert */
if (c->ssl) {
- r->connection->ssl->no_send_shut = 1;
+ c->ssl->no_send_shutdown = 1;
}
#endif
}
@@ -2126,7 +2147,7 @@
"keepalive connection", &c->addr_text);
#if (NGX_HTTP_SSL)
if (c->ssl) {
- c->ssl->no_send_shut = 1;
+ c->ssl->no_send_shutdown = 1;
}
#endif
ngx_http_close_connection(c);
