Commit Graph

264 Commits

Author SHA1 Message Date
lijunlong 02dcc85dbe upgrade nginx core to 1.23.0. 2022-06-27 08:43:46 +08:00
Johnny Wang a7142a8934
bugfix: fixed typo in no-pool patch of 1.21.4. (#799) 2021-12-22 12:09:58 +08:00
Johnny Wang 7e1cf985cf
bugfix: check if the worker_connections is 0 before privileged agent spawning. (#786)
The core dump may occur during initialization

    Program terminated with signal SIGSEGV, Segmentation fault.
    #0  0x0000000000441711 in ngx_event_process_init (cycle=0x1e93cc0) at src/event/ngx_event.c:807
    801         i = cycle->connection_n;
    802         next = NULL;
    803
    804         do {
    805             i--;
    806
    807             c[i].data = next;
    #1  0x000000000044abb9 in ngx_worker_process_init (cycle=cycle@entry=0x1e93cc0, worker=worker@entry=-1) at src/os/unix/ngx_process_cycle.c:968
2021-11-09 14:23:33 +08:00
lijunlong 7df6239881 upgrade the nginx core to 1.21.4. 2021-11-05 11:59:23 +08:00
Johnny Wang 5c7ad29352
upgrade the nginx core to 1.21.3. (#779) 2021-10-26 16:07:59 +08:00
Zhefeng Chen 9fa420424a patches: added the nginx-1.19.9-ssl_client_hello_cb_yield patch. 2021-09-20 18:31:15 +08:00
Johnny Wang 1befa30baa
upgraded ngx_http_redis module to 0.3.9. (#754) 2021-08-13 14:01:00 +08:00
wangyao c93ef77262
change: introduce a new patch for privileged agent process connections. (#751) 2021-07-19 18:34:46 +08:00
Yao Wang 174f72b95c feature: add config ability for privileged connections number. 2021-07-13 12:47:57 +08:00
Johnny Wang 4b5ec7edd7
bugfix: applied the patch for security advisory to NGINX cores >= 0.6.18 and <= 1.20.0 (CVE-2021-23017). (#739) 2021-05-28 10:25:01 +08:00
Johnny Wang 1562e11be5
upgraded the nginx core to 1.19.9. (#717) 2021-04-01 18:20:03 +08:00
Johnny Wang 3abb2c7fae
upgraded the nginx core to 1.19.8. (#715) 2021-03-29 12:36:42 +08:00
Yichun Zhang (agentzh) 275739cf1f upgraded the nginx core to 1.19.3. 2020-09-29 20:58:19 -07:00
Yichun Zhang (agentzh) 5d118a38a6 upgrade the nginx core to 1.19.2. 2020-09-28 12:42:57 -07:00
root 50717794af bugfix: nginx would crash when receiving SIGHUP in the single process mode.
Signed-off-by: Yichun Zhang (agentzh) <yichun@openresty.com>
2020-06-29 22:59:05 -07:00
lijunlong 6985198d46 bugfix: ngx_http_static_module: the 'Locatoin' response header value was not properly encoded by URI rules.
This may impose security vulnerabilities for Location values from
untrusted sources.

The corresponding tests are in the lua-nginx-module repo.
2020-06-25 16:50:22 -07:00
Thibault Charbonnier 4b5cb7a546 patches: added the openssl-1.1.1f-sess_set_get_cb_yield patch. 2020-03-31 17:06:26 -07:00
Yichun Zhang (agentzh) 7dfeed5921 win32/win64: added new patch to fix openssl compilation on windows via the mingw64 toolchain. 2020-03-19 20:06:42 -07:00
Thibault Charbonnier 721d7dacc4 patches: added the openssl-1.1.1e-sess_set_get_cb_yield patch. 2020-03-18 21:48:45 -07:00
Thibault Charbonnier c1a0a9ad8f bugfix: fixed a memory leak in the OpenSSL 1.1.1 sess_set_get_cb_yield patch.
This memory leak was found by running the Valgrind testing mode against
lua-resty-core's `ssl-session-fetch.t` test suite:

    TEST 5: yield during doing handshake with client which uses low version OpenSSL

    ==16956== 64 (32 direct, 32 indirect) bytes in 1 blocks are definitely lost in loss record 5 of 15
    ==16956== at 0x4C2B002: malloc (vg_replace_malloc.c:298)
    ==16956== by 0x5FFC868: CRYPTO_malloc (mem.c:222)
    ==16956== by 0x5FFC96F: CRYPTO_zalloc (mem.c:230)
    ==16956== by 0x603C54A: OPENSSL_sk_new_reserve (stack.c:209)
    ==16956== by 0x603C597: OPENSSL_sk_new_null (stack.c:118)
    ==16956== by 0x5C94A86: sk_SSL_CIPHER_new_null (ssl.h:960)
    ==16956== by 0x5C94A86: bytes_to_cipher_list (ssl_lib.c:5361)
    ==16956== by 0x5CB52E9: tls_early_post_process_client_hello (statem_srvr.c:1713)
    ==16956== by 0x5CB52E9: tls_post_process_client_hello (statem_srvr.c:2231)
    ==16956== by 0x5CB6F39: ossl_statem_server_post_process_message (statem_srvr.c:1218)
    ==16956== by 0x5CA4C11: read_state_machine (statem.c:664)
    ==16956== by 0x5CA4C11: state_machine (statem.c:434)
    ==16956== by 0x5CA538A: ossl_statem_accept (statem.c:255)
    ==16956== by 0x5C91759: SSL_do_handshake (ssl_lib.c:3609)
    ==16956== by 0x45456B: ngx_ssl_handshake (ngx_event_openssl.c:1606)
    ==16956== by 0x4698D3: ngx_http_ssl_handshake (ngx_http_request.c:751)
    ==16956== by 0x44ECA8: ngx_epoll_process_events (ngx_epoll_module.c:901)
    ==16956== by 0x443E94: ngx_process_events_and_timers (ngx_event.c:257)
    ==16956== by 0x44DC25: ngx_single_process_cycle (ngx_process_cycle.c:333)
    ==16956== by 0x4236AB: main (nginx.c:382)
    ==16956==
    {
    <insert_a_suppression_name_here>
    Memcheck:Leak
    match-leak-kinds: definite
    fun:malloc
    fun:CRYPTO_malloc
    fun:CRYPTO_zalloc
    fun:OPENSSL_sk_new_reserve
    fun:OPENSSL_sk_new_null
    fun:sk_SSL_CIPHER_new_null
    fun:bytes_to_cipher_list
    fun:tls_early_post_process_client_hello
    fun:tls_post_process_client_hello
    fun:ossl_statem_server_post_process_message
    fun:read_state_machine
    fun:state_machine
    fun:ossl_statem_accept
    fun:SSL_do_handshake
    fun:ngx_ssl_handshake
    fun:ngx_http_ssl_handshake
    fun:ngx_epoll_process_events
    fun:ngx_process_events_and_timers
    fun:ngx_single_process_cycle
    fun:main
    }

    ==16956== 368 (32 direct, 336 indirect) bytes in 1 blocks are definitely lost in loss record 8 of 15
    ==16956== at 0x4C2B002: malloc (vg_replace_malloc.c:298)
    ==16956== by 0x5FFC868: CRYPTO_malloc (mem.c:222)
    ==16956== by 0x5FFC96F: CRYPTO_zalloc (mem.c:230)
    ==16956== by 0x603C54A: OPENSSL_sk_new_reserve (stack.c:209)
    ==16956== by 0x603C597: OPENSSL_sk_new_null (stack.c:118)
    ==16956== by 0x5C94A79: sk_SSL_CIPHER_new_null (ssl.h:960)
    ==16956== by 0x5C94A79: bytes_to_cipher_list (ssl_lib.c:5360)
    ==16956== by 0x5CB52E9: tls_early_post_process_client_hello (statem_srvr.c:1713)
    ==16956== by 0x5CB52E9: tls_post_process_client_hello (statem_srvr.c:2231)
    ==16956== by 0x5CB6F39: ossl_statem_server_post_process_message (statem_srvr.c:1218)
    ==16956== by 0x5CA4C11: read_state_machine (statem.c:664)
    ==16956== by 0x5CA4C11: state_machine (statem.c:434)
    ==16956== by 0x5CA538A: ossl_statem_accept (statem.c:255)
    ==16956== by 0x5C91759: SSL_do_handshake (ssl_lib.c:3609)
    ==16956== by 0x45456B: ngx_ssl_handshake (ngx_event_openssl.c:1606)
    ==16956== by 0x4698D3: ngx_http_ssl_handshake (ngx_http_request.c:751)
    ==16956== by 0x44ECA8: ngx_epoll_process_events (ngx_epoll_module.c:901)
    ==16956== by 0x443E94: ngx_process_events_and_timers (ngx_event.c:257)
    ==16956== by 0x44DC25: ngx_single_process_cycle (ngx_process_cycle.c:333)
    ==16956== by 0x4236AB: main (nginx.c:382)
    ==16956==
    {
    <insert_a_suppression_name_here>
    Memcheck:Leak
    match-leak-kinds: definite
    fun:malloc
    fun:CRYPTO_malloc
    fun:CRYPTO_zalloc
    fun:OPENSSL_sk_new_reserve
    fun:OPENSSL_sk_new_null
    fun:sk_SSL_CIPHER_new_null
    fun:bytes_to_cipher_list
    fun:tls_early_post_process_client_hello
    fun:tls_post_process_client_hello
    fun:ossl_statem_server_post_process_message
    fun:read_state_machine
    fun:state_machine
    fun:ossl_statem_accept
    fun:SSL_do_handshake
    fun:ngx_ssl_handshake
    fun:ngx_http_ssl_handshake
    fun:ngx_epoll_process_events
    fun:ngx_process_events_and_timers
    fun:ngx_single_process_cycle
    fun:main
    }
2020-02-05 15:24:20 -08:00
Thibault Charbonnier 28f76c1d27 upgraded the NGINX core to 1.17.8. 2020-01-22 16:02:49 -08:00
Thibault Charbonnier 268229af83 misc: removed the gcc-maybe-uninitialized-warning patch.
This was fixed in the 1.5.10 release. We unconditionally remove it since
we only support NGINX cores 1.6.0 and above.
2020-01-21 11:25:56 -08:00
Yichun Zhang (agentzh) f17fe6edc1 change: we no longer maintain the nginx dtrace patch. 2020-01-02 20:35:41 -08:00
Thibault Charbonnier bad7098d88 patches: added the nginx-1.17.4 patches. 2019-09-27 11:31:52 -07:00
Thibault Charbonnier 59e4ef5c23 bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2019-9511 CVE-2019-9513 CVE-2019-9516). 2019-08-14 11:39:47 -07:00
Thibault Charbonnier 80ba3892c6 bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2018-16843 CVE-2018-16844). 2019-08-14 11:39:47 -07:00
Datong Sun d5f48a8b75 bugfix: applied the patch for security advisory to NGINX cores < 1.14.1 and < 1.15.6 (CVE-2018-16845).
Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
2019-08-13 11:56:19 -07:00
spacewander cf7516fcbc optimize: added an NGINX core patch to ensure unused listening fds are closed when 'reuseport' is used.
When `reuseport` is enabled in the `listen` directive, Nginx will create
a listening fd for each worker process in the master process.

These fds will be inherited by the worker processes, but most of them
are unused. For example, considering we have 32 listening ip:port
configurations and 64 worker processes, each worker process will inherit
2048 (32 * 64) listening fds, but only 32 fds are used. By closing the
unused fds, this change could save up to 2016 (32 * 63) fds in a worker
process.

It doesn't affect the listening socket, since there is only one used fd
which associates to the socket with or without this change.

Co-authored-by: Thibault Charbonnier <thibaultcha@me.com>
2019-08-05 18:54:51 -07:00
spacewander 34918a30c3 bugfix: support yielding in 'certificate_by_lua_*' when 'ssl_early_data' is on.
Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
2019-07-17 16:25:50 -07:00
spacewander 2e480157a3 feature: supported OpenSSL 1.1.1 by upgrading the OpenSSL patch.
Previously, we used the OpenSSL 1.1.1 ClientHello callback to do ssl
session fetching non-blockingly. However, this way cannot handle an edge
case: the ssl session resumption via session ticket might fail, and the
client fallbacks to session ID resumption. The ClientHello callback is
run too early to know if the client will fallback to use session ID
resumption.

Therefore, we have to take back the OpenSSL sess_set_get_cb_yield patch
and upgrade it to adapt OpenSSL 1.1.1.

Thanks Yongjian Xu and crasyangel for their help.

See 08e9e50.

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
2019-07-17 11:03:34 -07:00
Thibault Charbonnier a51fa56086 change: renamed the 'ssl_pending_session' patch to 'ssl_sess_cb_yield' for NGINX cores 1.17.1 and above.
Its naming is now aligned with the `ssl_cert_cb_yield` patch.

See 08e9e50 for details on why this renaming was reverted for the 1.15.8
version of this patch.
2019-07-11 11:38:57 -07:00
Thibault Charbonnier cef09e553f
upgraded the nginx core to 1.17.1. 2019-07-11 11:29:40 -07:00
Thibault Charbonnier 08e9e50782 Revert "feature: updated the NGINX patches for async SSL session fetching to support OpenSSL 1.1.1."
This reverts commit 9e834398de.

Support for OpenSSL 1.1.1 will come with the 1.17.1 series of NGINX
patches. Since no other 1.15.8.* releases are planned, we are reverting
the state of the 1.15.8 patches to that of the 1.15.8.1 release.
2019-07-02 11:55:50 -07:00
spacewander 9e834398de feature: updated the NGINX patches for async SSL session fetching to support OpenSSL 1.1.1.
The patch was also renamed from `ssl_pending_session.patch` to
`ssl_sess_cb_yield.patch` (similarly to the existing
`ssl_cert_cb_yield.patch` one).

Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
2019-06-04 16:40:22 -07:00
Yichun Zhang (agentzh) bf2e5697e1 bugfix: win32/win64: the error log buffer size was merely 2048 bytes (now updated to 4096 bytes).
applied the win32_max_err_str patch for the nginx core.
2019-05-08 14:46:56 -07:00
Yichun Zhang (agentzh) ed32897702 bugfix: added an openssl patch to fix the parallel build regression in openssl 1.1.0j. 2019-03-02 01:41:24 -08:00
spacewander 2879e59e7b feature: updated the socket_cloexec patches to support the ngx.pipe API.
Signed-off-by: Thibault Charbonnier <thibaultcha@me.com>
2019-01-29 17:45:47 -08:00
Yichun Zhang (agentzh) 8c8d51663e upgraded the nginx core 1.15.8. 2019-01-18 14:33:32 -08:00
Yichun Zhang (agentzh) b91001a87e upgraded the nginx core to 1.15.6. 2018-11-13 11:42:43 -08:00
Yichun Zhang (agentzh) f58e6eb013 upgraded the nginx core to 1.15.5. 2018-10-29 16:05:53 -07:00
Yichun Zhang (agentzh) a245ff1644 fixed the patch file name to be more consistent with other patches. 2018-09-17 20:21:09 -07:00
Yuansheng 17384566bb bugfix: nginx did not destroy the cycle memory pool before the daemon process exits.
This is to make the nginx ASAN or Valgrind clean in daemon mode. It is
also meaningful when we have more sophisticated cleanup work needed in
the configuration initialization phase and handlers like init_by_lua*.
2018-09-17 20:12:17 -07:00
Datong Sun f0e621b0c4 bugfix: nginx patch: do not build resolver parsing feature under Windows.
bugfix: nginx patch: moved the include of resolv.h to after ngx_config.h to avoid compilation failures on FreeBSD.

bugfix: patch: updated safe_resolver_ipv6_option.patch with new offsets to avoid confusing patch while applying.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
2018-04-20 17:55:54 -07:00
Datong Sun ff89bf3ea1 resolv.conf: fixed a bug that when a newline character is present at the end of the resolv.conf file, the parser incorrectly included such newline in the parsed address.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
2018-03-30 12:21:19 -07:00
spacewander a4f399b3ac feature: added the socket_cloexec patch to ensure most of the nginx connections could be closed before child process terminates.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
2018-03-27 13:46:01 -07:00
Datong Sun 3d8b33f0e8 feature: added a patch for the nginx core to add the "local=/path/to/resolv.conf" option to the standard "resolver" config directive.
This can enable the use of system-level nameserver configurations of
/etc/resolv.conf, for example, in nginx's own nonblocking DNS resolver.

Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
2018-03-16 16:19:19 -07:00
Datong Sun 93f785eed6 feature: added patches to the nginx core to make sure ngx_stream_ssl_preread_module will not skip the rest of the preread phase when SNI server name parsing was successful.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
2018-01-14 22:40:09 -08:00
Datong Sun 30fa60ad5d patches: updated 1.13.6 balancer_status_code.patch and added patch for 1.13.8 as well.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
2018-01-09 17:52:04 -08:00
spacewander ee6b26e347 feature: added the sess_set_get_cb_yield patch for OpenSSL 1.1.0d and beyond.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
2018-01-05 23:38:32 -08:00
spacewander a0dc14761a feature: added the sess_set_get_cb_yield patch for OpenSSL 1.1.0c and beyond.
The patch is based on

https://patch-diff.githubusercontent.com/raw/openssl/openssl/pull/1588.patch,

with some minor modifications.

Thanks Alessandro Ghedini for the ground work.

Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>
2018-01-05 14:41:47 -08:00