Merge branch 'nginx' (nginx-1.15.2).
Change-Id: If81ddbdb54b6ae218750ced0354d4515c05bfe31
Signed-off-by: Piotr Sikora <piotrsikora@google.com>
diff --git a/.hgtags b/.hgtags
index d6477c0..9b86365 100644
--- a/.hgtags
+++ b/.hgtags
@@ -427,3 +427,4 @@
051e5fa03b92b8a564f6b12debd483d267391e82 release-1.13.12
990b3e885636d763b97ed02d0d2cfc161a4e0c09 release-1.15.0
4189160cb946bb38d0bc0a452b5eb4cdd8979fb5 release-1.15.1
+b234199c7ed8a156a6bb98f7ff58302c857c954f release-1.15.2
diff --git a/BUILD b/BUILD
index 6266d5d..e4da9ec 100644
--- a/BUILD
+++ b/BUILD
@@ -1535,5 +1535,5 @@
preinst = "@nginx_pkgoss//:debian_preinst",
prerm = "@nginx_pkgoss//:debian_prerm",
section = "httpd",
- version = "1.15.1",
+ version = "1.15.2",
)
diff --git a/build.bzl b/build.bzl
index 52e23f6..df5582b 100644
--- a/build.bzl
+++ b/build.bzl
@@ -663,7 +663,7 @@
name = "nginx_pkgoss",
build_file_content = _PKGOSS_BUILD_FILE.format(nginx = nginx) +
_PKGOSS_BUILD_FILE_TAIL,
- commit = "0b2d9e6711220cbafad9ee1263edb0a35ff9944a", # nginx-1.15.1
+ commit = "ab499ede5c83dd70d664b01ad1db58b6f3fd22bf", # nginx-1.15.2
remote = "https://nginx.googlesource.com/nginx-pkgoss",
)
diff --git a/docs/xml/nginx/changes.xml b/docs/xml/nginx/changes.xml
index 6d4c5d9..bb8948d 100644
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@@ -5,6 +5,92 @@
<change_log title="nginx">
+<changes ver="1.15.2" date="2018-07-24">
+
+<change type="feature">
+<para lang="ru">
+переменная $ssl_preread_protocol
+в модуле ngx_stream_ssl_preread_module.
+</para>
+<para lang="en">
+the $ssl_preread_protocol variable
+in the ngx_stream_ssl_preread_module.
+</para>
+</change>
+
+<change type="feature">
+<para lang="ru">
+теперь при использовании директивы reset_timedout_connection
+nginx сбрасывает соединения, закрываемые с кодом 444.
+</para>
+<para lang="en">
+now when using the "reset_timedout_connection" directive
+nginx will reset connections being closed with the 444 code.
+</para>
+</change>
+
+<change type="change">
+<para lang="ru">
+уровень логгирования ошибок SSL "http request", "https proxy request",
+"unsupported protocol" и "version too low"
+понижен с уровня crit до info.
+</para>
+<para lang="en">
+a logging level of the "http request", "https proxy request",
+"unsupported protocol", and "version too low" SSL errors
+has been lowered from "crit" to "info".
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+запросы к DNS-серверу не отправлялись повторно,
+если при первой попытке отправки происходила ошибка.
+</para>
+<para lang="en">
+DNS requests were not resent
+if initial sending of a request failed.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+параметр reuseport директивы listen игнорировался,
+если количество рабочих процессов было задано после директивы listen.
+</para>
+<para lang="en">
+the "reuseport" parameter of the "listen" directive was ignored
+if the number of worker processes was specified after the "listen" directive.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+при использовании OpenSSL 1.1.0 и новее
+директиву ssl_prefer_server_ciphers нельзя было выключить
+в виртуальном сервере, если она была включена в сервере по умолчанию.
+</para>
+<para lang="en">
+when using OpenSSL 1.1.0 or newer
+it was not possible to switch off "ssl_prefer_server_ciphers" in
+a virtual server if it was switched on in the default server.
+</para>
+</change>
+
+<change type="bugfix">
+<para lang="ru">
+повторное использование SSL-сессий к бэкендам
+не работало с протоколом TLS 1.3.
+</para>
+<para lang="en">
+SSL session reuse with upstream servers
+did not work with the TLS 1.3 protocol.
+</para>
+</change>
+
+</changes>
+
+
<changes ver="1.15.1" date="2018-07-03">
<change type="feature">
diff --git a/src/core/nginx.h b/src/core/nginx.h
index 35d8749..5433cbd 100644
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@@ -13,8 +13,8 @@
#define NGINX_NAME "nginx"
#endif
-#define nginx_version 1015001
-#define NGINX_VERSION "1.15.1"
+#define nginx_version 1015002
+#define NGINX_VERSION "1.15.2"
#define NGINX_VER NGINX_NAME "/" NGINX_VERSION
#ifdef NGX_BUILD
diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c
index 61ea4c2..3368253 100644
--- a/src/core/ngx_connection.c
+++ b/src/core/ngx_connection.c
@@ -96,7 +96,7 @@
ngx_int_t
-ngx_clone_listening(ngx_conf_t *cf, ngx_listening_t *ls)
+ngx_clone_listening(ngx_cycle_t *cycle, ngx_listening_t *ls)
{
#if (NGX_HAVE_REUSEPORT)
@@ -104,20 +104,19 @@
ngx_core_conf_t *ccf;
ngx_listening_t ols;
- if (!ls->reuseport) {
+ if (!ls->reuseport || ls->worker != 0) {
return NGX_OK;
}
ols = *ls;
- ccf = (ngx_core_conf_t *) ngx_get_conf(cf->cycle->conf_ctx,
- ngx_core_module);
+ ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module);
for (n = 1; n < ccf->worker_processes; n++) {
/* create a socket for each worker process */
- ls = ngx_array_push(&cf->cycle->listening);
+ ls = ngx_array_push(&cycle->listening);
if (ls == NULL) {
return NGX_ERROR;
}
diff --git a/src/core/ngx_connection.h b/src/core/ngx_connection.h
index ef07558..5405962 100644
--- a/src/core/ngx_connection.h
+++ b/src/core/ngx_connection.h
@@ -210,7 +210,7 @@
ngx_listening_t *ngx_create_listening(ngx_conf_t *cf, struct sockaddr *sockaddr,
socklen_t socklen);
-ngx_int_t ngx_clone_listening(ngx_conf_t *cf, ngx_listening_t *ls);
+ngx_int_t ngx_clone_listening(ngx_cycle_t *cycle, ngx_listening_t *ls);
ngx_int_t ngx_set_inherited_sockets(ngx_cycle_t *cycle);
ngx_int_t ngx_open_listening_sockets(ngx_cycle_t *cycle);
void ngx_configure_listening_sockets(ngx_cycle_t *cycle);
diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
index d969704..5d7fe31 100644
--- a/src/core/ngx_resolver.c
+++ b/src/core/ngx_resolver.c
@@ -847,7 +847,15 @@
rn->nsrvs = 0;
if (ngx_resolver_send_query(r, rn) != NGX_OK) {
- goto failed;
+
+ /* immediately retry once on failure */
+
+ rn->last_connection++;
+ if (rn->last_connection == r->connections.nelts) {
+ rn->last_connection = 0;
+ }
+
+ (void) ngx_resolver_send_query(r, rn);
}
if (ngx_resolver_set_timeout(r, ctx) != NGX_OK) {
@@ -1051,7 +1059,15 @@
rn->nsrvs = 0;
if (ngx_resolver_send_query(r, rn) != NGX_OK) {
- goto failed;
+
+ /* immediately retry once on failure */
+
+ rn->last_connection++;
+ if (rn->last_connection == r->connections.nelts) {
+ rn->last_connection = 0;
+ }
+
+ (void) ngx_resolver_send_query(r, rn);
}
if (ngx_resolver_set_timeout(r, ctx) != NGX_OK) {
diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c
index 8237fef..32c637d 100644
--- a/src/event/ngx_event.c
+++ b/src/event/ngx_event.c
@@ -410,12 +410,52 @@
static char *
ngx_event_init_conf(ngx_cycle_t *cycle, void *conf)
{
+#if (NGX_HAVE_REUSEPORT)
+ ngx_uint_t i;
+ ngx_listening_t *ls;
+#endif
+
if (ngx_get_conf(cycle->conf_ctx, ngx_events_module) == NULL) {
ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
"no \"events\" section in configuration");
return NGX_CONF_ERROR;
}
+ if (cycle->connection_n < cycle->listening.nelts + 1) {
+
+ /*
+ * there should be at least one connection for each listening
+ * socket, plus an additional connection for channel
+ */
+
+ ngx_log_error(NGX_LOG_EMERG, cycle->log, 0,
+ "%ui worker_connections are not enough "
+ "for %ui listening sockets",
+ cycle->connection_n, cycle->listening.nelts);
+
+ return NGX_CONF_ERROR;
+ }
+
+#if (NGX_HAVE_REUSEPORT)
+
+ ls = cycle->listening.elts;
+ for (i = 0; i < cycle->listening.nelts; i++) {
+
+ if (!ls[i].reuseport || ls[i].worker != 0) {
+ continue;
+ }
+
+ if (ngx_clone_listening(cycle, &ls[i]) != NGX_OK) {
+ return NGX_CONF_ERROR;
+ }
+
+ /* cloning may change cycle->listening.elts */
+
+ ls = cycle->listening.elts;
+ }
+
+#endif
+
return NGX_CONF_OK;
}
diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c
index f53fe24..fd9d5bd 100644
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@@ -24,6 +24,8 @@
static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
int ret);
static void ngx_ssl_passwords_cleanup(void *data);
+static int ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn,
+ ngx_ssl_session_t *sess);
static void ngx_ssl_handshake_handler(ngx_event_t *ev);
static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n);
static void ngx_ssl_write_handler(ngx_event_t *wev);
@@ -295,7 +297,7 @@
SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE);
-#ifdef SSL_CTRL_CLEAR_OPTIONS
+#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
/* only in 0.9.8m+ */
SSL_CTX_clear_options(ssl->ctx,
SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1);
@@ -1185,6 +1187,42 @@
ngx_int_t
+ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_uint_t enable)
+{
+ if (!enable) {
+ return NGX_OK;
+ }
+
+ SSL_CTX_set_session_cache_mode(ssl->ctx,
+ SSL_SESS_CACHE_CLIENT
+ |SSL_SESS_CACHE_NO_INTERNAL);
+
+ SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_client_session);
+
+ return NGX_OK;
+}
+
+
+static int
+ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
+{
+ ngx_connection_t *c;
+
+ c = ngx_ssl_get_connection(ssl_conn);
+
+ if (c->ssl->save_session) {
+ c->ssl->session = sess;
+
+ c->ssl->save_session(c);
+
+ c->ssl->session = NULL;
+ }
+
+ return 0;
+}
+
+
+ngx_int_t
ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
{
ngx_ssl_connection_t *sc;
@@ -1216,6 +1254,10 @@
} else {
SSL_set_accept_state(sc->connection);
+
+#ifdef SSL_OP_NO_RENEGOTIATION
+ SSL_set_options(sc->connection, SSL_OP_NO_RENEGOTIATION);
+#endif
}
if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) {
@@ -1229,6 +1271,31 @@
}
+ngx_ssl_session_t *
+ngx_ssl_get_session(ngx_connection_t *c)
+{
+#ifdef TLS1_3_VERSION
+ if (c->ssl->session) {
+ SSL_SESSION_up_ref(c->ssl->session);
+ return c->ssl->session;
+ }
+#endif
+
+ return SSL_get1_session(c->ssl->connection);
+}
+
+
+ngx_ssl_session_t *
+ngx_ssl_get0_session(ngx_connection_t *c)
+{
+ if (c->ssl->session) {
+ return c->ssl->session;
+ }
+
+ return SSL_get0_session(c->ssl->connection);
+}
+
+
ngx_int_t
ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session)
{
@@ -2085,6 +2152,8 @@
|| n == SSL_R_DIGEST_CHECK_FAILED /* 149 */
|| n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */
|| n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */
+ || n == SSL_R_HTTPS_PROXY_REQUEST /* 155 */
+ || n == SSL_R_HTTP_REQUEST /* 156 */
|| n == SSL_R_LENGTH_MISMATCH /* 159 */
#ifdef SSL_R_NO_CIPHERS_PASSED
|| n == SSL_R_NO_CIPHERS_PASSED /* 182 */
diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h
index 0c8a5c6..3e30905 100644
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@@ -77,6 +77,9 @@
ngx_connection_handler_pt handler;
+ ngx_ssl_session_t *session;
+ ngx_connection_handler_pt save_session;
+
ngx_event_handler_pt saved_read_handler;
ngx_event_handler_pt saved_write_handler;
@@ -170,6 +173,8 @@
ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
+ngx_int_t ngx_ssl_client_session_cache(ngx_conf_t *cf, ngx_ssl_t *ssl,
+ ngx_uint_t enable);
ngx_int_t ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx,
ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout);
ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
@@ -180,7 +185,8 @@
void ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess);
ngx_int_t ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session);
-#define ngx_ssl_get_session(c) SSL_get1_session(c->ssl->connection)
+ngx_ssl_session_t *ngx_ssl_get_session(ngx_connection_t *c);
+ngx_ssl_session_t *ngx_ssl_get0_session(ngx_connection_t *c);
#define ngx_ssl_free_session SSL_SESSION_free
#define ngx_ssl_get_connection(ssl_conn) \
SSL_get_ex_data(ssl_conn, ngx_ssl_connection_index)
diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c
index 3eec1b7..f73ff21 100644
--- a/src/http/modules/ngx_http_fastcgi_module.c
+++ b/src/http/modules/ngx_http_fastcgi_module.c
@@ -3501,7 +3501,7 @@
clcf->handler = ngx_http_fastcgi_handler;
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
diff --git a/src/http/modules/ngx_http_grpc_module.c b/src/http/modules/ngx_http_grpc_module.c
index 0baa85f..7fbf736 100644
--- a/src/http/modules/ngx_http_grpc_module.c
+++ b/src/http/modules/ngx_http_grpc_module.c
@@ -4525,7 +4525,7 @@
clcf->handler = ngx_http_grpc_handler;
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
@@ -4627,6 +4627,13 @@
}
}
+ if (ngx_ssl_client_session_cache(cf, glcf->upstream.ssl,
+ glcf->upstream.ssl_session_reuse)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
if (SSL_CTX_set_alpn_protos(glcf->upstream.ssl->ctx,
diff --git a/src/http/modules/ngx_http_memcached_module.c b/src/http/modules/ngx_http_memcached_module.c
index 82fa713..2624471 100644
--- a/src/http/modules/ngx_http_memcached_module.c
+++ b/src/http/modules/ngx_http_memcached_module.c
@@ -707,7 +707,7 @@
clcf->handler = ngx_http_memcached_handler;
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c
index 37dc9e8..a817b5c 100644
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@@ -3610,7 +3610,7 @@
clcf->handler = ngx_http_proxy_handler;
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
@@ -4357,6 +4357,13 @@
}
}
+ if (ngx_ssl_client_session_cache(cf, plcf->upstream.ssl,
+ plcf->upstream.ssl_session_reuse)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c
index 9bd45bd..ab7769a 100644
--- a/src/http/modules/ngx_http_scgi_module.c
+++ b/src/http/modules/ngx_http_scgi_module.c
@@ -1857,7 +1857,7 @@
return NGX_CONF_ERROR;
}
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c
index 238bcf8..0959133 100644
--- a/src/http/modules/ngx_http_uwsgi_module.c
+++ b/src/http/modules/ngx_http_uwsgi_module.c
@@ -2144,7 +2144,7 @@
return NGX_CONF_ERROR;
}
- if (clcf->name.data[clcf->name.len - 1] == '/') {
+ if (clcf->name.len && clcf->name.data[clcf->name.len - 1] == '/') {
clcf->auto_redirect = 1;
}
@@ -2391,6 +2391,13 @@
}
}
+ if (ngx_ssl_client_session_cache(cf, uwcf->upstream.ssl,
+ uwcf->upstream.ssl_session_reuse)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff --git a/src/http/ngx_http.c b/src/http/ngx_http.c
index 9d8b6d7..5e20226 100644
--- a/src/http/ngx_http.c
+++ b/src/http/ngx_http.c
@@ -1685,10 +1685,6 @@
break;
}
- if (ngx_clone_listening(cf, ls) != NGX_OK) {
- return NGX_ERROR;
- }
-
addr++;
last--;
}
diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c
index 657f5cd..02a5075 100644
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@@ -1068,6 +1068,7 @@
SSL_set_verify_depth(ssl_conn, SSL_CTX_get_verify_depth(sscf->ssl.ctx));
#if OPENSSL_VERSION_NUMBER >= 0x009080dfL
+ /* only in 0.9.8m+ */
SSL_clear_options(ssl_conn, SSL_get_options(ssl_conn) &
~SSL_CTX_get_options(sscf->ssl.ctx));
#endif
@@ -2523,6 +2524,7 @@
|| rc == NGX_HTTP_NO_CONTENT)
{
if (rc == NGX_HTTP_CLOSE) {
+ c->timedout = 1;
ngx_http_terminate_request(r, rc);
return;
}
diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
index ca3c2e3..41b4e5e 100644
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@@ -187,6 +187,7 @@
static void ngx_http_upstream_ssl_handshake_handler(ngx_connection_t *c);
static void ngx_http_upstream_ssl_handshake(ngx_http_request_t *,
ngx_http_upstream_t *u, ngx_connection_t *c);
+static void ngx_http_upstream_ssl_save_session(ngx_connection_t *c);
static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r,
ngx_http_upstream_t *u, ngx_connection_t *c);
#endif
@@ -1679,6 +1680,8 @@
}
if (u->conf->ssl_session_reuse) {
+ c->ssl->save_session = ngx_http_upstream_ssl_save_session;
+
if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
ngx_http_upstream_finalize_request(r, u,
NGX_HTTP_INTERNAL_SERVER_ERROR);
@@ -1763,10 +1766,6 @@
}
}
- if (u->conf->ssl_session_reuse) {
- u->peer.save_session(&u->peer, u->peer.data);
- }
-
c->write->handler = ngx_http_upstream_handler;
c->read->handler = ngx_http_upstream_handler;
@@ -1786,6 +1785,27 @@
}
+static void
+ngx_http_upstream_ssl_save_session(ngx_connection_t *c)
+{
+ ngx_http_request_t *r;
+ ngx_http_upstream_t *u;
+
+ if (c->idle) {
+ return;
+ }
+
+ r = c->data;
+
+ u = r->upstream;
+ c = r->connection;
+
+ ngx_http_set_log_request(c->log, r);
+
+ u->peer.save_session(&u->peer, u->peer.data);
+}
+
+
static ngx_int_t
ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u,
ngx_connection_t *c)
diff --git a/src/http/ngx_http_upstream_round_robin.c b/src/http/ngx_http_upstream_round_robin.c
index d4e5a6d..2a08696 100644
--- a/src/http/ngx_http_upstream_round_robin.c
+++ b/src/http/ngx_http_upstream_round_robin.c
@@ -744,7 +744,7 @@
if (peers->shpool) {
- ssl_session = SSL_get0_session(pc->connection->ssl->connection);
+ ssl_session = ngx_ssl_get0_session(pc->connection);
if (ssl_session == NULL) {
return;
diff --git a/src/os/unix/ngx_thread.h b/src/os/unix/ngx_thread.h
index 1b52dd7..e3b5e81 100644
--- a/src/os/unix/ngx_thread.h
+++ b/src/os/unix/ngx_thread.h
@@ -47,12 +47,12 @@
#elif (NGX_DARWIN)
typedef uint64_t ngx_tid_t;
-#define NGX_TID_T_FMT "%uA"
+#define NGX_TID_T_FMT "%uL"
#else
typedef uint64_t ngx_tid_t;
-#define NGX_TID_T_FMT "%uA"
+#define NGX_TID_T_FMT "%uL"
#endif
diff --git a/src/stream/ngx_stream.c b/src/stream/ngx_stream.c
index 0efbda8..4abe387 100644
--- a/src/stream/ngx_stream.c
+++ b/src/stream/ngx_stream.c
@@ -538,10 +538,6 @@
break;
}
- if (ngx_clone_listening(cf, ls) != NGX_OK) {
- return NGX_CONF_ERROR;
- }
-
addr++;
last--;
}
diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
index 792bb77..d0497f5 100644
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@@ -92,6 +92,7 @@
ngx_command_t *cmd, void *conf);
static void ngx_stream_proxy_ssl_init_connection(ngx_stream_session_t *s);
static void ngx_stream_proxy_ssl_handshake(ngx_connection_t *pc);
+static void ngx_stream_proxy_ssl_save_session(ngx_connection_t *c);
static ngx_int_t ngx_stream_proxy_ssl_name(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_proxy_set_ssl(ngx_conf_t *cf,
ngx_stream_proxy_srv_conf_t *pscf);
@@ -1008,6 +1009,8 @@
}
if (pscf->ssl_session_reuse) {
+ pc->ssl->save_session = ngx_stream_proxy_ssl_save_session;
+
if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) {
ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR);
return;
@@ -1066,11 +1069,6 @@
}
}
- if (pscf->ssl_session_reuse) {
- u = s->upstream;
- u->peer.save_session(&u->peer, u->peer.data);
- }
-
if (pc->write->timer_set) {
ngx_del_timer(pc->write);
}
@@ -1086,6 +1084,19 @@
}
+static void
+ngx_stream_proxy_ssl_save_session(ngx_connection_t *c)
+{
+ ngx_stream_session_t *s;
+ ngx_stream_upstream_t *u;
+
+ s = c->data;
+ u = s->upstream;
+
+ u->peer.save_session(&u->peer, u->peer.data);
+}
+
+
static ngx_int_t
ngx_stream_proxy_ssl_name(ngx_stream_session_t *s)
{
@@ -2051,6 +2062,12 @@
}
}
+ if (ngx_ssl_client_session_cache(cf, pscf->ssl, pscf->ssl_session_reuse)
+ != NGX_OK)
+ {
+ return NGX_ERROR;
+ }
+
return NGX_OK;
}
diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
index 62d6524..a236fc5 100644
--- a/src/stream/ngx_stream_ssl_preread_module.c
+++ b/src/stream/ngx_stream_ssl_preread_module.c
@@ -21,6 +21,7 @@
u_char *pos;
u_char *dst;
u_char buf[4];
+ u_char version[2];
ngx_str_t host;
ngx_str_t alpn;
ngx_log_t *log;
@@ -32,6 +33,8 @@
static ngx_int_t ngx_stream_ssl_preread_handler(ngx_stream_session_t *s);
static ngx_int_t ngx_stream_ssl_preread_parse_record(
ngx_stream_ssl_preread_ctx_t *ctx, u_char *pos, u_char *last);
+static ngx_int_t ngx_stream_ssl_preread_protocol_variable(
+ ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_preread_server_name_variable(
ngx_stream_session_t *s, ngx_stream_variable_value_t *v, uintptr_t data);
static ngx_int_t ngx_stream_ssl_preread_alpn_protocols_variable(
@@ -86,6 +89,9 @@
static ngx_stream_variable_t ngx_stream_ssl_preread_vars[] = {
+ { ngx_string("ssl_preread_protocol"), NULL,
+ ngx_stream_ssl_preread_protocol_variable, 0, 0, 0 },
+
{ ngx_string("ssl_preread_server_name"), NULL,
ngx_stream_ssl_preread_server_name_variable, 0, 0, 0 },
@@ -143,6 +149,14 @@
while (last - p >= 5) {
+ if ((p[0] & 0x80) && p[2] == 1 && (p[3] == 0 || p[3] == 3)) {
+ ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
+ "ssl preread: version 2 ClientHello");
+ ctx->version[0] = p[3];
+ ctx->version[1] = p[4];
+ return NGX_OK;
+ }
+
if (p[0] != 0x16) {
ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
"ssl preread: not a handshake");
@@ -196,7 +210,8 @@
enum {
sw_start = 0,
sw_header, /* handshake msg_type, length */
- sw_head_tail, /* version, random */
+ sw_version, /* client_version */
+ sw_random, /* random */
sw_sid_len, /* session_id length */
sw_sid, /* session_id */
sw_cs_len, /* cipher_suites length */
@@ -210,7 +225,8 @@
sw_sni_host, /* SNI host_name */
sw_alpn_len, /* ALPN length */
sw_alpn_proto_len, /* ALPN protocol_name length */
- sw_alpn_proto_data /* ALPN protocol_name */
+ sw_alpn_proto_data, /* ALPN protocol_name */
+ sw_supver_len /* supported_versions length */
} state;
ngx_log_debug2(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
@@ -254,13 +270,19 @@
return NGX_DECLINED;
}
- state = sw_head_tail;
- dst = NULL;
- size = 34;
+ state = sw_version;
+ dst = ctx->version;
+ size = 2;
left = (p[1] << 16) + (p[2] << 8) + p[3];
break;
- case sw_head_tail:
+ case sw_version:
+ state = sw_random;
+ dst = NULL;
+ size = 32;
+ break;
+
+ case sw_random:
state = sw_sid_len;
dst = p;
size = 1;
@@ -334,6 +356,14 @@
break;
}
+ if (p[0] == 0 && p[1] == 43) {
+ /* supported_versions extension */
+ state = sw_supver_len;
+ dst = p;
+ size = 1;
+ break;
+ }
+
state = sw_ext;
dst = NULL;
size = (p[2] << 8) + p[3];
@@ -434,6 +464,19 @@
dst = NULL;
size = 0;
break;
+
+ case sw_supver_len:
+ ngx_log_debug0(NGX_LOG_DEBUG_STREAM, ctx->log, 0,
+ "ssl preread: supported_versions");
+
+ /* set TLSv1.3 */
+ ctx->version[0] = 3;
+ ctx->version[1] = 4;
+
+ state = sw_ext;
+ dst = NULL;
+ size = p[0];
+ break;
}
if (left < size) {
@@ -454,6 +497,62 @@
static ngx_int_t
+ngx_stream_ssl_preread_protocol_variable(ngx_stream_session_t *s,
+ ngx_variable_value_t *v, uintptr_t data)
+{
+ ngx_str_t version;
+ ngx_stream_ssl_preread_ctx_t *ctx;
+
+ ctx = ngx_stream_get_module_ctx(s, ngx_stream_ssl_preread_module);
+
+ if (ctx == NULL) {
+ v->not_found = 1;
+ return NGX_OK;
+ }
+
+ /* SSL_get_version() format */
+
+ ngx_str_null(&version);
+
+ switch (ctx->version[0]) {
+ case 0:
+ switch (ctx->version[1]) {
+ case 2:
+ ngx_str_set(&version, "SSLv2");
+ break;
+ }
+ break;
+ case 3:
+ switch (ctx->version[1]) {
+ case 0:
+ ngx_str_set(&version, "SSLv3");
+ break;
+ case 1:
+ ngx_str_set(&version, "TLSv1");
+ break;
+ case 2:
+ ngx_str_set(&version, "TLSv1.1");
+ break;
+ case 3:
+ ngx_str_set(&version, "TLSv1.2");
+ break;
+ case 4:
+ ngx_str_set(&version, "TLSv1.3");
+ break;
+ }
+ }
+
+ v->valid = 1;
+ v->no_cacheable = 0;
+ v->not_found = 0;
+ v->len = version.len;
+ v->data = version.data;
+
+ return NGX_OK;
+}
+
+
+static ngx_int_t
ngx_stream_ssl_preread_server_name_variable(ngx_stream_session_t *s,
ngx_variable_value_t *v, uintptr_t data)
{
diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c
index e4a6e76..c35e1d0 100644
--- a/src/stream/ngx_stream_upstream_round_robin.c
+++ b/src/stream/ngx_stream_upstream_round_robin.c
@@ -776,7 +776,7 @@
if (peers->shpool) {
- ssl_session = SSL_get0_session(pc->connection->ssl->connection);
+ ssl_session = ngx_ssl_get0_session(pc->connection);
if (ssl_session == NULL) {
return;