restydoc: updated the bundled version of the LuaJIT docs to the latest.

bugfix: nginx patch: moved the include of resolv.h to after ngx_config.h to avoid compilation failures on FreeBSD.

bugfix: patch: updated safe_resolver_ipv6_option.patch with new offsets to avoid confusing patch while applying.
Signed-off-by: Yichun Zhang (agentzh) <agentzh@gmail.com>

.gitignore

@@ -75,3 +75,4 @@ upload-win32
 html_out/
 TODO
 doc/LuaJIT-2.1/changes.pod
+t/servroot

README.markdown

@@ -10,6 +10,8 @@ Table of Contents
 * [Description](#description)
     * [For Users](#for-users)
     * [For Bundle Maintainers](#for-bundle-maintainers)
+* [Additional Features](#additional-features)
+    * [resolv.conf parsing](#resolvconf-parsing)
 * [Mailing List](#mailing-list)
 * [Report Bugs](#report-bugs)
 * [Copyright & License](#copyright--license)
@@ -61,6 +63,35 @@ sudo dnf install perl dos2unix mercurial
 
 [Back to TOC](#table-of-contents)
 
+Additional Features
+===================
+
+In additional to the standard nginx core features, this bundle also supports the following:
+
+[Back to TOC](#table-of-contents)
+
+resolv.conf parsing
+--------------------
+
+**syntax:** *resolver address ... [valid=time] [ipv6=on|off] [local=on|off|path]*
+
+**default:** *-*
+
+**context:** *http, stream, server, location*
+
+Similar to the [`resolver` directive](https://nginx.org/en/docs/http/ngx_http_core_module.html#resolver)
+in standard nginx core with additional support for parsing additional resolvers from the `resolv.conf` file
+format.
+
+When `local=on`, the standard path of `/etc/resolv.conf` will be used. You may also specify arbitrary
+path to be used for parsing, for example: `local=/tmp/test.conf`.
+
+When `local=off`, parsing will be disabled (this is the default).
+
+This feature is not available on Windows platforms.
+
+[Back to TOC](#table-of-contents)
+
 Mailing List
 ============
 

doc/LuaJIT-2.1/README.pod

@@ -196,6 +196,6 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file luajit.html
 # 8082 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/LuaJIT-2.1/contact.pod

@@ -82,6 +82,6 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file contact.html
 # 2989 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:15 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/LuaJIT-2.1/ext_c_api.pod

@@ -82,8 +82,8 @@ second argument is either C<0> or a stack index (similar to the other
 Lua/C API functions).
 
 The third argument specifies the mode, which is 'or'ed with a flag. The
-flag can be C<LUAJIT_MODE_OFF> to turn a feature on, C<LUAJIT_MODE_ON>
-to turn a feature off, or C<LUAJIT_MODE_FLUSH> to flush cached code.
+flag can be C<LUAJIT_MODE_OFF> to turn a feature off, C<LUAJIT_MODE_ON>
+to turn a feature on, or C<LUAJIT_MODE_FLUSH> to flush cached code.
 
 The following modes are defined:
 
@@ -170,7 +170,7 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file ext_c_api.html
 # 6042 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:15 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>
 # Deleting phrasal "code" element (`tt_18) because it has super-phrasal elements (`br_3) as children.

doc/LuaJIT-2.1/ext_ffi.pod

@@ -280,6 +280,6 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file ext_ffi.html
 # 10336 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/LuaJIT-2.1/ext_ffi_api.pod

@@ -495,7 +495,7 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file ext_ffi_api.html
 # 21471 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>
 # Deleting phrasal "code" element (`tt_157) because it has super-phrasal elements (`br_3, `br_4) as children.

doc/LuaJIT-2.1/ext_ffi_semantics.pod

@@ -1019,10 +1019,10 @@ not mix this up: e.g. passing C<"int"> as a string doesn't work in
 place of a type, you'd need to use C<ffi.typeof("int")> instead.
 
 The main use for parameterized types are libraries implementing
-abstract data types (E<rchevron> example), similar to what can be
-achieved with C++ template metaprogramming. Another use case are
-derived types of anonymous structs, which avoids pollution of the
-global struct namespace.
+abstract data types (example), similar to what can be achieved with C++
+template metaprogramming. Another use case are derived types of
+anonymous structs, which avoids pollution of the global struct
+namespace.
 
 Please note that parameterized types are a nice tool and indispensable
 for certain use cases. But you'll want to use them sparingly in regular
@@ -1379,7 +1379,7 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 
 #Pod::HTML2Pod conversion notes:
 #From file ext_ffi_semantics.html
-# 53769 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+# 53732 bytes of input
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/LuaJIT-2.1/ext_ffi_tutorial.pod

@@ -616,7 +616,7 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file ext_ffi_tutorial.html
 # 22557 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>
 # Deleting phrasal "code" element (`tt_100) because it has super-phrasal elements (`br_33, `br_34) as children.

doc/LuaJIT-2.1/ext_jit.pod

@@ -175,7 +175,7 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file ext_jit.html
 # 5903 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>
 # Deleting phrasal "code" element (`tt_6) because it has super-phrasal elements (`br_2, `br_3) as children.

doc/LuaJIT-2.1/ext_profiler.pod

@@ -353,6 +353,6 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file ext_profiler.html
 # 13135 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/LuaJIT-2.1/extensions.pod

@@ -472,6 +472,6 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file extensions.html
 # 17733 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/LuaJIT-2.1/faq.pod

@@ -219,6 +219,6 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file faq.html
 # 7685 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/LuaJIT-2.1/install.pod

@@ -692,7 +692,7 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file install.html
 # 25250 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>
 # Deleting phrasal "a" element (`a_34) because it has super-phrasal elements (`br_16) as children.

doc/LuaJIT-2.1/running.pod

@@ -416,6 +416,6 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file running.html
 # 13720 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/LuaJIT-2.1/status.pod

@@ -108,6 +108,6 @@ Copyright E<copy> 2005-2017 Mike Pall E<middot> Contact
 #Pod::HTML2Pod conversion notes:
 #From file status.html
 # 3931 bytes of input
-#Sat May 13 16:35:32 2017 agentzh
+#Mon May 14 13:19:16 2018 agentzh
 # No a_name switch not specified, so will not try to render <a name='...'>
 # No a_href switch not specified, so will not try to render <a href='...'>

doc/README-win32.md

@@ -1,215 +1 @@
-Name
-====
-
-README-win32 - README for the Windows 32-bit build of OpenResty
-
-Description
-===========
-
-The official binary Win32 distribution of OpenResty can be downloaded from the following web page:
-
-https://openresty.org/en/download.html
-
-To start the NGINX server of the nginx server of the Win32 binary distribution of OpenResty:
-
-```bash
-start nginx
-```
-
-You can also specify the `-p PATH/` option to override the default server prefix, as in
-
-```bash
-cd /path/to/my/openresty/app/
-start nginx -p $PWD
-```
-
-Then you can use the `tasklist` command to check the nginx processes running in the background:
-
-```console
-C:\> tasklist /fi "imagename eq nginx.exe"
-
-Image Name                     PID Session Name        Session#    Mem Usage
-========================= ======== ================ =========== ============
-nginx.exe                     4616 Console                    1      7,412 K
-nginx.exe                     5836 Console                    1      7,800 K
-
-```
-
-One of the two processes is the master process while the other is the worker.
-
-If you are using the MSYS bash instead of the `cmd.exe` console, then you should replace the `/fi` option
-with `-fi` in the command above instead.
-
-You can quickly shut down the server like this:
-
-```bash
-nginx -s stop
-```
-
-or gracefully shut it down like this:
-
-```bash
-nginx -s quit
-```
-
-You can also forcibly kill the nginx processes via their PIDs with `taskkill`, as in
-
-```console
-C:\> taskkill /pid 5488 /F
-```
-
-where the PID (5488 in this example) can be found via the aforementioned `tasklist` command.
-
-Again, you should use the form `-pid` and `-F` for the options if you are in an MSYS bash
-session.
-
-Similarly, you can use the `nginx -s reload` command to reload nginx configurations without
-stopping the server. And you can use `nginx -s reopen` to instruct nginx to re-open
-all the log files.
-
-You can run the `resty` script like this:
-
-```console
-C:\> resty -e "ngx.say('Hello, OpenResty!')"
-Hello, OpenResty!
-```
-
-The `resty` command-line utility requires a Perl interpreter installed in your
-system and visible to your PATH environment. Any perl distributions should
-work, including StrawberryPerl, ActivePerl, and MSYS perl (the former two are
-recommended though).
-
-Debugging
-=========
-
-Debug symbosl are enabled even in release builds. So that when things go very wrong,
-one can still debug things with tools like MSYS GDB.
-
-Inclusion of debug symbols make the binary files (`.exe` and `.dll` files) much larger,
-but it generally will not load into memory during normal execution on a modern operating
-system.
-
-Caveats
-=======
-
-The Win32 port of the NGINX core supports the good old `select` IO multiplexing mechanism
-only.
-The I/O Completion Ports (IOCP) feature is *not* supported (yet). So do not use this build
-for production environments with very high concurrency levels.
-
-This Win32 build of OpenResty is mainly for developers who want to develop their applications
-in native Windows environment (though they eventually push the finished work onto a Linux or *BSD box, most of the time).
-
-TODO
-====
-
-* Add support for more than one NGINX worker processes.
-* Add support for concurrent connections more than 1024.
-* Switch to the Microsoft Visual Studio compiler toolchain for better performance and easier binary
-package redistribution.
-* Bundle StrawberryPerl to make command-line utilities like `resty` work out of the box (without
-manually installing a Perl).
-* Deliver an alternative Win32 binary package built with best debuggin capabilities (like enabling
-NGINX debugging logs, disabling C compiler optimizations, and enabling all the assertions and checks).
-* Deliver binary packages for 64-bit Windows (Win64).
-
-Details About The Building Process
-==================================
-
-Usually you do not need to worry about how the Win32 binaries were built on the maintainers''
-side. But if you do, please read on.
-
-The Win32 build of OpenResty is currently built via the MinGW/MSYS toolchain, including
-MinGW gcc 4.8.1, MSYS perl, MSYS bash, MSYS make, and etc. Basically, it is currently built via
- the following cmmands:
-
-```bash
-PCRE=pcre-8.39
-ZLIB=zlib-1.2.8
-OPENSSL=openssl-1.0.2j
-
-mkdir -p objs/lib || exit 1
-cd objs/lib || exit 1
-ls ../../..
-tar -xf ../../../$OPENSSL.tar.gz || exit 1
-tar -xf ../../../$ZLIB.tar.gz || exit 1
-tar -xf ../../../$PCRE.tar.gz || exit 1
-cd ../..
-
-cd objs/lib/$OPENSSL || exit 1
-patch -p1 < ../../../patches/openssl-1.0.2h-sess_set_get_cb_yield.patch || exit 1
-cd ../../..
-
-./configure \
-    --with-cc=gcc \
-    --with-ipv6 \
-    --prefix= \
-    --with-cc-opt='-DFD_SETSIZE=1024' \
-    --sbin-path=nginx.exe \
-    --with-pcre-jit \
-    --without-http_rds_json_module \
-    --without-http_rds_csv_module \
-    --without-lua_rds_parser \
-    --with-ipv6 \
-    --with-stream \
-    --with-stream_ssl_module \
-    --with-http_v2_module \
-    --without-mail_pop3_module \
-    --without-mail_imap_module \
-    --without-mail_smtp_module \
-    --with-http_stub_status_module \
-    --with-http_realip_module \
-    --with-http_addition_module \
-    --with-http_auth_request_module \
-    --with-http_secure_link_module \
-    --with-http_random_index_module \
-    --with-http_gzip_static_module \
-    --with-http_sub_module \
-    --with-http_dav_module \
-    --with-http_flv_module \
-    --with-http_mp4_module \
-    --with-http_gunzip_module \
-    --with-select_module \
-    --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" \
-    --with-pcre=objs/lib/$PCRE \
-    --with-zlib=objs/lib/$ZLIB \
-    --with-openssl=objs/lib/$OPENSSL \
-    -j5 || exit 1
-
-make
-make install
-```
-
-where the dependency library source tarballs for OpenSSL, Zlib, and PCRE are downloaded
-from their official sites, respectively.
-
-We automate these commands in a dedicated shell script named [build-win32.sh](https://github.com/openresty/openresty/blob/master/util/build-win32.sh).
-
-Furthermore, we automate the packaging process of the resulting binaries and supporting files
-with this [package-win32.sh](https://github.com/openresty/openresty/blob/master/util/package-win32.sh)
-script.
-
-Usually you can just download and use the binary distribution of OpenResty without
-installing the build toolchain.
-
-Author
-======
-
-Yichun "agentzh" Zhang <agentzh@gmail.com>, OpenResty Inc.
-
-Copyright & License
-===================
-
-This module is licensed under the BSD license.
-
-Copyright (C) 2015-2016, by Yichun "agentzh" Zhang (章亦春) <agentzh@gmail.com>, OpenResty Inc.
-
-All rights reserved.
-
-Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
-
-* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
-
-* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+See [README-windows](./README-windows.md).

doc/README-windows.md

@@ -0,0 +1,238 @@
+Name
+====
+
+README-windows - README for the official 32-bit and 64-bit Windows builds of OpenResty
+
+Table of Contents
+=================
+
+* [Name](#name)
+* [Description](#description)
+* [Debugging](#debugging)
+* [Caveats](#caveats)
+* [TODO](#todo)
+* [Details About The Building Process](#details-about-the-building-process)
+* [Author](#author)
+* [Copyright & License](#copyright--license)
+
+Description
+===========
+
+The official binary Win32 and Win64 distributions of OpenResty can be downloaded from the following web page:
+
+https://openresty.org/en/download.html
+
+To start the NGINX server of the nginx server of the Win32 binary distribution of OpenResty:
+
+```bash
+start nginx
+```
+
+You can also specify the `-p PATH/` option to override the default server prefix, as in
+
+```bash
+cd /path/to/my/openresty/app/
+start nginx -p $PWD
+```
+
+Then you can use the `tasklist` command to check the nginx processes running in the background:
+
+```console
+C:\> tasklist /fi "imagename eq nginx.exe"
+
+Image Name                     PID Session Name        Session#    Mem Usage
+========================= ======== ================ =========== ============
+nginx.exe                     4616 Console                    1      7,412 K
+nginx.exe                     5836 Console                    1      7,800 K
+
+```
+
+One of the two processes is the master process while the other is the worker.
+
+If you are using the MSYS2 bash instead of the `cmd.exe` console, then you should replace the `/fi` option
+with `-fi` in the command above instead.
+
+You can quickly shut down the server like this:
+
+```bash
+nginx -s stop
+```
+
+or gracefully shut it down like this:
+
+```bash
+nginx -s quit
+```
+
+You can also forcibly kill the nginx processes via their PIDs with `taskkill`, as in
+
+```console
+C:\> taskkill /pid 5488 /F
+```
+
+where the PID (5488 in this example) can be found via the aforementioned `tasklist` command.
+
+Again, you should use the form `-pid` and `-F` for the options if you are in an MSYS2 bash
+session.
+
+Similarly, you can use the `nginx -s reload` command to reload nginx configurations without
+stopping the server. And you can use `nginx -s reopen` to instruct nginx to re-open
+all the log files.
+
+You can run the `resty` script like this:
+
+```console
+C:\> resty -e "ngx.say('Hello, OpenResty!')"
+Hello, OpenResty!
+```
+
+The `resty` command-line utility requires a Perl interpreter installed in your
+system and visible to your PATH environment. Any perl distributions should
+work, including StrawberryPerl, ActivePerl, and MSYS2 perl.
+recommended though).
+
+Debugging
+=========
+
+Debug symbosl are enabled even in release builds. So that when things go very wrong,
+one can still debug things with tools like MSYS2 GDB.
+
+Inclusion of debug symbols make the binary files (`.exe` and `.dll` files) much larger,
+but it generally will not load into memory during normal execution on a modern operating
+system.
+
+Caveats
+=======
+
+The Win32/Win64 port of the NGINX core supports the good old `select` IO multiplexing mechanism
+only.
+The I/O Completion Ports (IOCP) feature is *not* supported (yet). So do not use this build
+for production environments with very high concurrency levels.
+
+This Win32/Win64 build of OpenResty is mainly for developers who want to develop their applications
+in native Windows environment (though they eventually push the finished work onto a Linux or *BSD box, most of the time).
+
+[Back to TOC](#table-of-contents)
+
+TODO
+====
+
+* Add support for more than one NGINX worker processes.
+* Add support for concurrent connections more than 1024.
+* Switch to the Microsoft Visual Studio compiler toolchain for better performance and easier binary
+package redistribution.
+* Bundle StrawberryPerl to make command-line utilities like `resty` work out of the box (without
+manually installing a Perl).
+* Deliver an alternative Win32/Win64 binary package built with best debuggin capabilities (like enabling
+NGINX debugging logs, disabling C compiler optimizations, and enabling all the assertions and checks).
+
+[Back to TOC](#table-of-contents)
+
+Details About The Building Process
+==================================
+
+Usually you do not need to worry about how the Win32/Win64 binaries were built on the maintainers''
+side. But if you do, please read on.
+
+The Win32/Win64 build of OpenResty is currently built via the MSYS2/MinGW toolchain, including
+MinGW gcc 7.2.3, MSYS2 perl 5.24.4, MSYS2 bash, MSYS2 make, and etc. Basically, it is currently built via
+ the following cmmands:
+
+```bash
+PCRE=pcre-8.42
+ZLIB=zlib-1.2.11
+OPENSSL=openssl-1.1.0h
+
+mkdir -p objs/lib || exit 1
+cd objs/lib || exit 1
+ls ../../..
+tar -xf ../../../$OPENSSL.tar.gz || exit 1
+tar -xf ../../../$ZLIB.tar.gz || exit 1
+tar -xf ../../../$PCRE.tar.gz || exit 1
+cd ../..
+
+cd objs/lib/$OPENSSL || exit 1
+patch -p1 < ../../../patches/openssl-1.1.0d-sess_set_get_cb_yield.patch || exit 1
+cd ../../..
+
+./configure \
+    --with-cc=gcc \
+    --with-ipv6 \
+    --prefix= \
+    --with-cc-opt='-DFD_SETSIZE=1024' \
+    --sbin-path=nginx.exe \
+    --with-pcre-jit \
+    --without-http_rds_json_module \
+    --without-http_rds_csv_module \
+    --without-lua_rds_parser \
+    --with-ipv6 \
+    --with-stream \
+    --with-stream_ssl_module \
+    --with-stream_ssl_preread_module \
+    --with-http_v2_module \
+    --without-mail_pop3_module \
+    --without-mail_imap_module \
+    --without-mail_smtp_module \
+    --with-http_stub_status_module \
+    --with-http_realip_module \
+    --with-http_addition_module \
+    --with-http_auth_request_module \
+    --with-http_secure_link_module \
+    --with-http_random_index_module \
+    --with-http_gzip_static_module \
+    --with-http_sub_module \
+    --with-http_dav_module \
+    --with-http_flv_module \
+    --with-http_mp4_module \
+    --with-http_gunzip_module \
+    --with-select_module \
+    --with-luajit-xcflags="-DLUAJIT_NUMMODE=2 -DLUAJIT_ENABLE_LUA52COMPAT" \
+    --with-pcre=objs/lib/$PCRE \
+    --with-zlib=objs/lib/$ZLIB \
+    --with-openssl=objs/lib/$OPENSSL \
+    -j9 || exit 1
+
+make -j9
+make install
+```
+
+where the dependency library source tarballs for OpenSSL, Zlib, and PCRE are downloaded
+from their official sites, respectively.
+
+We automate these commands in a dedicated shell script named [build-win32.sh](https://github.com/openresty/openresty/blob/master/util/build-win32.sh).
+
+Furthermore, we automate the packaging process of the resulting binaries and supporting files
+with this [package-win32.sh](https://github.com/openresty/openresty/blob/master/util/package-win32.sh)
+script.
+
+Usually you can just download and use the binary distribution of OpenResty without
+installing the build toolchain.
+
+[Back to TOC](#table-of-contents)
+
+Author
+======
+
+Yichun "agentzh" Zhang <agentzh@gmail.com>, OpenResty Inc.
+
+[Back to TOC](#table-of-contents)
+
+Copyright & License
+===================
+
+This module is licensed under the BSD license.
+
+Copyright (C) 2015-2018, by Yichun "agentzh" Zhang (章亦春) <agentzh@gmail.com>, OpenResty Inc.
+
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
+
+* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+[Back to TOC](#table-of-contents)
+

html/index.html

@@ -16,7 +16,9 @@
 working. Further configuration is required.</p>
 
 <p>For online documentation and support please refer to
-<a href="https://openresty.org/">openresty.org</a>.<br/></p>
+<a href="https://openresty.org/">openresty.org</a>.<br/>
+Commercial support is available at
+<a href="https://openresty.com/">openresty.com</a>.</p>
 
 <p><em>Thank you for flying OpenResty.</em></p>
 </body>

patches/nginx-1.13.6-balancer_status_code.patch

@@ -1,8 +1,8 @@
 diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
-index 0f6b3ae..56d44fc 100644
+index f8d5707d..6efe0047 100644
 --- a/src/http/ngx_http_upstream.c
 +++ b/src/http/ngx_http_upstream.c
-@@ -1368,6 +1368,11 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u)
+@@ -1515,6 +1515,11 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u)
          return;
      }
  
@@ -15,13 +15,58 @@ index 0f6b3ae..56d44fc 100644
  
      if (rc == NGX_BUSY) {
 diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h
-index b288f28..9b60e12 100644
+index 3e714e5b..dfbb25e0 100644
 --- a/src/http/ngx_http_upstream.h
 +++ b/src/http/ngx_http_upstream.h
-@@ -418,5 +418,6 @@ extern ngx_module_t        ngx_http_upstream_module;
- extern ngx_conf_bitmask_t  ngx_http_upstream_cache_method_mask[];
+@@ -427,4 +427,9 @@ extern ngx_conf_bitmask_t  ngx_http_upstream_cache_method_mask[];
  extern ngx_conf_bitmask_t  ngx_http_upstream_ignore_headers_masks[];
  
-+#define HAVE_BALANCER_STATUS_CODE_PATCH
  
++#ifndef HAVE_BALANCER_STATUS_CODE_PATCH
++#define HAVE_BALANCER_STATUS_CODE_PATCH
++#endif
++
++
  #endif /* _NGX_HTTP_UPSTREAM_H_INCLUDED_ */
+diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
+index 09d24593..d8b4b584 100644
+--- a/src/stream/ngx_stream.h
++++ b/src/stream/ngx_stream.h
+@@ -27,6 +27,7 @@ typedef struct ngx_stream_session_s  ngx_stream_session_t;
+ 
+ 
+ #define NGX_STREAM_OK                        200
++#define NGX_STREAM_SPECIAL_RESPONSE          300
+ #define NGX_STREAM_BAD_REQUEST               400
+ #define NGX_STREAM_FORBIDDEN                 403
+ #define NGX_STREAM_INTERNAL_SERVER_ERROR     500
+diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
+index 818d7329..329dcdc6 100644
+--- a/src/stream/ngx_stream_proxy_module.c
++++ b/src/stream/ngx_stream_proxy_module.c
+@@ -691,6 +691,11 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
+         return;
+     }
+ 
++    if (rc >= NGX_STREAM_SPECIAL_RESPONSE) {
++        ngx_stream_proxy_finalize(s, rc);
++        return;
++    }
++
+     u->state->peer = u->peer.name;
+ 
+     if (rc == NGX_BUSY) {
+diff --git a/src/stream/ngx_stream_upstream.h b/src/stream/ngx_stream_upstream.h
+index 73947f46..21bc0ad7 100644
+--- a/src/stream/ngx_stream_upstream.h
++++ b/src/stream/ngx_stream_upstream.h
+@@ -151,4 +151,9 @@ ngx_stream_upstream_srv_conf_t *ngx_stream_upstream_add(ngx_conf_t *cf,
+ extern ngx_module_t  ngx_stream_upstream_module;
+ 
+ 
++#ifndef HAVE_BALANCER_STATUS_CODE_PATCH
++#define HAVE_BALANCER_STATUS_CODE_PATCH
++#endif
++
++
+ #endif /* _NGX_STREAM_UPSTREAM_H_INCLUDED_ */

patches/nginx-1.13.6-init_cycle_pool_release.patch

@@ -0,0 +1,59 @@
+diff -rup nginx-1.13.6/src/core/nginx.c nginx-1.13.6-patched/src/core/nginx.c
+--- nginx-1.13.6/src/core/nginx.c	2017-12-17 00:00:38.136470108 -0800
++++ nginx-1.13.6-patched/src/core/nginx.c	2017-12-16 23:59:51.680958322 -0800
+@@ -186,6 +186,7 @@ static u_char      *ngx_prefix;
+ static u_char      *ngx_conf_file;
+ static u_char      *ngx_conf_params;
+ static char        *ngx_signal;
++ngx_pool_t         *saved_init_cycle_pool = NULL;
+ 
+ 
+ static char **ngx_os_environ;
+@@ -253,6 +254,8 @@ main(int argc, char *const *argv)
+         return 1;
+     }
+ 
++    saved_init_cycle_pool = init_cycle.pool;
++
+     if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) {
+         return 1;
+     }
+diff -rup nginx-1.13.6/src/core/ngx_core.h nginx-1.13.6-patched/src/core/ngx_core.h
+--- nginx-1.13.6/src/core/ngx_core.h	2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.13.6-patched/src/core/ngx_core.h	2017-12-16 23:59:51.679958370 -0800
+@@ -108,4 +108,6 @@ void ngx_cpuinfo(void);
+ #define NGX_DISABLE_SYMLINKS_NOTOWNER   2
+ #endif
+ 
++extern ngx_pool_t        *saved_init_cycle_pool;
++
+ #endif /* _NGX_CORE_H_INCLUDED_ */
+diff -rup nginx-1.13.6/src/core/ngx_cycle.c nginx-1.13.6-patched/src/core/ngx_cycle.c
+--- nginx-1.13.6/src/core/ngx_cycle.c	2017-10-10 08:22:51.000000000 -0700
++++ nginx-1.13.6-patched/src/core/ngx_cycle.c	2017-12-16 23:59:51.678958419 -0800
+@@ -748,6 +748,10 @@ old_shm_zone_done:
+ 
+     if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) {
+ 
++        if (ngx_is_init_cycle(old_cycle)) {
++            saved_init_cycle_pool = NULL;
++        }
++
+         ngx_destroy_pool(old_cycle->pool);
+         cycle->old_cycle = NULL;
+ 
+diff -rup nginx-1.13.6/src/os/unix/ngx_process_cycle.c nginx-1.13.6-patched/src/os/unix/ngx_process_cycle.c
+--- nginx-1.13.6/src/os/unix/ngx_process_cycle.c	2017-12-17 00:00:38.142469762 -0800
++++ nginx-1.13.6-patched/src/os/unix/ngx_process_cycle.c	2017-12-16 23:59:51.691957791 -0800
+@@ -783,6 +783,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc
+     ngx_exit_cycle.files_n = ngx_cycle->files_n;
+     ngx_cycle = &ngx_exit_cycle;
+ 
++    if (saved_init_cycle_pool != NULL && saved_init_cycle_pool != cycle->pool) {
++        ngx_destroy_pool(saved_init_cycle_pool);
++        saved_init_cycle_pool = NULL;
++    }
++
+     ngx_destroy_pool(cycle->pool);
+ 
+     exit(0);

patches/nginx-1.13.6-resolver_conf_parsing.patch

@@ -0,0 +1,263 @@
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index cd55520c..dade1846 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -9,12 +9,26 @@
+ #include <ngx_core.h>
+ #include <ngx_event.h>
+ 
++#if !(NGX_WIN32)
++#include <resolv.h>
++#endif
++
+ 
+ #define NGX_RESOLVER_UDP_SIZE   4096
+ 
+ #define NGX_RESOLVER_TCP_RSIZE  (2 + 65535)
+ #define NGX_RESOLVER_TCP_WSIZE  8192
+ 
++#if !(NGX_WIN32)
++/*
++ * note that 2KB should be more than enough for majority of the
++ * resolv.conf files out there. it also acts as a safety guard to prevent
++ * abuse.
++ */
++#define NGX_RESOLVER_FILE_BUF_SIZE  2048
++#define NGX_RESOLVER_FILE_NAME      "/etc/resolv.conf"
++#endif
++
+ 
+ typedef struct {
+     u_char  ident_hi;
+@@ -131,6 +145,191 @@ static ngx_resolver_node_t *ngx_resolver_lookup_addr6(ngx_resolver_t *r,
+ #endif
+ 
+ 
++#if !(NGX_WIN32)
++static ngx_int_t
++ngx_resolver_read_resolv_conf(ngx_conf_t *cf, ngx_resolver_t *r, u_char *path,
++    size_t path_len)
++{
++    ngx_url_t                        u;
++    ngx_resolver_connection_t       *rec;
++    ngx_fd_t                         fd;
++    ngx_file_t                       file;
++    u_char                           buf[NGX_RESOLVER_FILE_BUF_SIZE];
++    u_char                           ipv6_buf[NGX_INET6_ADDRSTRLEN];
++    ngx_uint_t                       address = 0, j, total = 0;
++    ssize_t                          n, i;
++    enum {
++        sw_nameserver,
++        sw_spaces,
++        sw_address,
++        sw_skip
++    } state;
++
++    file.name.data = path;
++    file.name.len = path_len;
++
++    if (ngx_conf_full_name(cf->cycle, &file.name, 1) != NGX_OK) {
++        return NGX_ERROR;
++    }
++
++    fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY,
++                       NGX_FILE_OPEN, 0);
++
++    if (fd == NGX_INVALID_FILE) {
++        ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno,
++                           ngx_open_file_n " \"%s\" failed", file.name.data);
++
++        return NGX_ERROR;
++    }
++
++    ngx_memzero(&file, sizeof(ngx_file_t));
++
++    file.fd = fd;
++    file.log = cf->log;
++
++    state = sw_nameserver;
++
++    n = ngx_read_file(&file, buf, NGX_RESOLVER_FILE_BUF_SIZE, 0);
++
++    if (n == NGX_ERROR) {
++        ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
++                           ngx_read_file_n " \"%s\" failed", file.name.data);
++    }
++
++    if (ngx_close_file(file.fd) == NGX_FILE_ERROR) {
++        ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno,
++                           ngx_close_file_n " \"%s\" failed", file.name.data);
++    }
++
++    if (n == NGX_ERROR) {
++        return NGX_ERROR;
++    }
++
++    if (n == 0) {
++        return NGX_OK;
++    }
++
++    for (i = 0; i < n && total < MAXNS; /* void */) {
++        if (buf[i] == '#' || buf[i] == ';') {
++            state = sw_skip;
++        }
++
++        switch (state) {
++
++        case sw_nameserver:
++
++            if ((size_t) n - i >= sizeof("nameserver") - 1
++                && ngx_memcmp(buf + i, "nameserver",
++                              sizeof("nameserver") - 1) == 0)
++            {
++                state = sw_spaces;
++                i += sizeof("nameserver") - 1;
++
++                continue;
++            }
++
++            break;
++
++        case sw_spaces:
++            if (buf[i] != '\t' && buf[i] != ' ') {
++                address = i;
++                state = sw_address;
++            }
++
++            break;
++
++        case sw_address:
++
++            if (buf[i] == CR || buf[i] == LF || i == n - 1) {
++                ngx_memzero(&u, sizeof(ngx_url_t));
++
++                u.url.data = buf + address;
++
++                if (i == n - 1 && buf[i] != CR && buf[i] != LF) {
++                    u.url.len = n - address;
++
++                } else {
++                    u.url.len = i - address;
++                }
++
++                u.default_port = 53;
++
++                /* IPv6? */
++                if (ngx_strlchr(u.url.data, u.url.data + u.url.len,
++                                ':') != NULL)
++                {
++                    if (u.url.len + 2 > sizeof(ipv6_buf)) {
++                        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
++                                           "IPv6 resolver address is too long:"
++                                           " \"%V\"", &u.url);
++
++                        return NGX_ERROR;
++                    }
++
++                    ipv6_buf[0] = '[';
++                    ngx_memcpy(ipv6_buf + 1, u.url.data, u.url.len);
++                    ipv6_buf[u.url.len + 1] = ']';
++
++                    u.url.data = ipv6_buf;
++                    u.url.len = u.url.len + 2;
++                }
++
++                if (ngx_parse_url(cf->pool, &u) != NGX_OK) {
++                    if (u.err) {
++                        ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
++                                           "%s in resolver \"%V\"",
++                                           u.err, &u.url);
++                    }
++
++                    return NGX_ERROR;
++                }
++
++                rec = ngx_array_push_n(&r->connections, u.naddrs);
++                if (rec == NULL) {
++                    return NGX_ERROR;
++                }
++
++                ngx_memzero(rec, u.naddrs * sizeof(ngx_resolver_connection_t));
++
++                for (j = 0; j < u.naddrs; j++) {
++                    rec[j].sockaddr = u.addrs[j].sockaddr;
++                    rec[j].socklen = u.addrs[j].socklen;
++                    rec[j].server = u.addrs[j].name;
++                    rec[j].resolver = r;
++                }
++
++                total++;
++
++#if (NGX_DEBUG)
++                /*
++                 * logs with level below NGX_LOG_NOTICE will not be printed
++                 * in this early phase
++                 */
++                ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0,
++                                   "parsed a resolver: \"%V\"", &u.url);
++#endif
++
++                state = sw_nameserver;
++            }
++
++            break;
++
++        case sw_skip:
++            if (buf[i] == CR || buf[i] == LF) {
++                state = sw_nameserver;
++            }
++
++            break;
++        }
++
++        i++;
++    }
++
++    return NGX_OK;
++}
++#endif
++
++
+ ngx_resolver_t *
+ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
+ {
+@@ -246,6 +445,39 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
+         }
+ #endif
+ 
++#if !(NGX_WIN32)
++        if (ngx_strncmp(names[i].data, "local=", 6) == 0) {
++
++            if (ngx_strcmp(&names[i].data[6], "on") == 0) {
++                if (ngx_resolver_read_resolv_conf(cf, r,
++                                                  (u_char *)
++                                                  NGX_RESOLVER_FILE_NAME,
++                                                  sizeof(NGX_RESOLVER_FILE_NAME)
++                                                  - 1)
++                    != NGX_OK)
++                {
++                    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
++                                       "unable to parse local resolver");
++                    return NULL;
++                }
++
++            } else if (ngx_strcmp(&names[i].data[6], "off") != 0) {
++                if (ngx_resolver_read_resolv_conf(cf, r,
++                                                  &names[i].data[6],
++                                                  names[i].len - 6)
++                    != NGX_OK)
++                {
++                    ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
++                                       "unable to parse local resolver");
++                    return NULL;
++                }
++
++            }
++
++            continue;
++        }
++#endif
++
+         ngx_memzero(&u, sizeof(ngx_url_t));
+ 
+         u.url = names[i];

patches/nginx-1.13.6-safe_resolver_ipv6_option.patch

@@ -18,10 +18,11 @@ With this option disappearing in Nginx 1.11.5, this patch would allow such tools
 to assume "ipv6=off" to be safe regardless of ipv6 support in the current
 build.
 
-diff -r a3dc657f4e95 -r 8bf038fe006f src/core/ngx_resolver.c
---- a/src/core/ngx_resolver.c	Thu Dec 15 21:44:34 2016 +0300
-+++ b/src/core/ngx_resolver.c	Thu Dec 15 16:17:01 2016 -0800
-@@ -224,14 +224,22 @@
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index dade1846..5a3f0aa4 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -426,14 +426,22 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
              continue;
          }
  
@@ -45,11 +46,11 @@ diff -r a3dc657f4e95 -r 8bf038fe006f src/core/ngx_resolver.c
  
              } else {
                  ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-@@ -241,7 +249,6 @@
+@@ -443,7 +451,6 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n)
  
              continue;
          }
 -#endif
  
-         ngx_memzero(&u, sizeof(ngx_url_t));
- 
+ #if !(NGX_WIN32)
+         if (ngx_strncmp(names[i].data, "local=", 6) == 0) {

patches/nginx-1.13.6-socket_cloexec.patch

@@ -0,0 +1,157 @@
+diff --git a/auto/unix b/auto/unix
+index 10835f6c..b5b33bb3 100644
+--- a/auto/unix
++++ b/auto/unix
+@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res;
+                   if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1;
+                   freeaddrinfo(res)'
+ . auto/feature
++
++ngx_feature="SOCK_CLOEXEC support"
++ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC"
++ngx_feature_run=no
++ngx_feature_incs="#include <sys/types.h>
++                  #include <sys/socket.h>"
++ngx_feature_path=
++ngx_feature_libs=
++ngx_feature_test="int fd;
++                  fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);"
++. auto/feature
++
++ngx_feature="FD_CLOEXEC support"
++ngx_feature_name="NGX_HAVE_FD_CLOEXEC"
++ngx_feature_run=no
++ngx_feature_incs="#include <sys/types.h>
++                  #include <sys/socket.h>
++                  #include <fcntl.h>"
++ngx_feature_path=
++ngx_feature_libs=
++ngx_feature_test="int fd;
++                  fd = socket(AF_INET, SOCK_STREAM, 0);
++                  fcntl(fd, F_SETFD, FD_CLOEXEC);"
++. auto/feature
+diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c
+index cd55520c..438e0806 100644
+--- a/src/core/ngx_resolver.c
++++ b/src/core/ngx_resolver.c
+@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec)
+     ngx_event_t       *rev, *wev;
+     ngx_connection_t  *c;
+ 
++#if (NGX_HAVE_SOCKET_CLOEXEC)
++    s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0);
++
++#else
+     s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0);
+ 
++#endif
++
+     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s);
+ 
+     if (s == (ngx_socket_t) -1) {
+@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec)
+         goto failed;
+     }
+ 
++#if (NGX_HAVE_FD_CLOEXEC)
++    if (ngx_cloexec(s) == -1) {
++        ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno,
++                      ngx_cloexec_n " failed");
++
++        goto failed;
++    }
++#endif
++
+     rev = c->read;
+     wev = c->write;
+ 
+diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c
+index 77563709..5827b9d0 100644
+--- a/src/event/ngx_event_accept.c
++++ b/src/event/ngx_event_accept.c
+@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev)
+ 
+ #if (NGX_HAVE_ACCEPT4)
+         if (use_accept4) {
+-            s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK);
++            s = accept4(lc->fd, &sa.sockaddr, &socklen,
++                        SOCK_NONBLOCK | SOCK_CLOEXEC);
++
+         } else {
+             s = accept(lc->fd, &sa.sockaddr, &socklen);
+         }
+@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev)
+                     ngx_close_accepted_connection(c);
+                     return;
+                 }
++
++#if (NGX_HAVE_FD_CLOEXEC)
++                if (ngx_cloexec(s) == -1) {
++                    ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno,
++                                  ngx_cloexec_n " failed");
++                    ngx_close_accepted_connection(c);
++                    return;
++                }
++#endif
++
+             }
+         }
+ 
+diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c
+index c5bb8068..cf33b1d2 100644
+--- a/src/event/ngx_event_connect.c
++++ b/src/event/ngx_event_connect.c
+@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
+ 
+     type = (pc->type ? pc->type : SOCK_STREAM);
+ 
++#if (NGX_HAVE_SOCKET_CLOEXEC)
++    s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0);
++
++#else
+     s = ngx_socket(pc->sockaddr->sa_family, type, 0);
+ 
++#endif
++
++
+     ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d",
+                    (type == SOCK_STREAM) ? "stream" : "dgram", s);
+ 
+@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc)
+         goto failed;
+     }
+ 
++#if (NGX_HAVE_FD_CLOEXEC)
++    if (ngx_cloexec(s) == -1) {
++        ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno,
++                      ngx_cloexec_n " failed");
++
++        goto failed;
++    }
++#endif
++
+     if (pc->local) {
+ 
+ #if (NGX_HAVE_TRANSPARENT_PROXY)
+diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h
+index fcc51533..d1eebf47 100644
+--- a/src/os/unix/ngx_socket.h
++++ b/src/os/unix/ngx_socket.h
+@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s);
+ 
+ #endif
+ 
++#if (NGX_HAVE_FD_CLOEXEC)
++
++#define ngx_cloexec(s)      fcntl(s, F_SETFD, FD_CLOEXEC)
++#define ngx_cloexec_n       "fcntl(FD_CLOEXEC)"
++
++/* at least FD_CLOEXEC is required to ensure connection fd is closed
++ * after execve */
++#define HAVE_SOCKET_CLOEXEC_PATCH  1
++
++#endif
++
+ int ngx_tcp_nopush(ngx_socket_t s);
+ int ngx_tcp_push(ngx_socket_t s);
+ 

patches/nginx-1.13.6-stream_ssl_preread_no_skip.patch

@@ -0,0 +1,13 @@
+diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
+index e3d11fd9..3717b5fe 100644
+--- a/src/stream/ngx_stream_ssl_preread_module.c
++++ b/src/stream/ngx_stream_ssl_preread_module.c
+@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
+ 
+         rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
+         if (rc != NGX_AGAIN) {
+-            return rc;
++            return rc == NGX_OK ? NGX_DECLINED : rc;
+         }
+ 
+         p += len;

patches/nginx-1.13.8-balancer_status_code.patch

@@ -0,0 +1,72 @@
+diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c
+index f8d5707d..6efe0047 100644
+--- a/src/http/ngx_http_upstream.c
++++ b/src/http/ngx_http_upstream.c
+@@ -1515,6 +1515,11 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u)
+         return;
+     }
+ 
++    if (rc >= NGX_HTTP_SPECIAL_RESPONSE) {
++        ngx_http_upstream_finalize_request(r, u, rc);
++        return;
++    }
++
+     u->state->peer = u->peer.name;
+ 
+     if (rc == NGX_BUSY) {
+diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h
+index 3e714e5b..dfbb25e0 100644
+--- a/src/http/ngx_http_upstream.h
++++ b/src/http/ngx_http_upstream.h
+@@ -427,4 +427,9 @@ extern ngx_conf_bitmask_t  ngx_http_upstream_cache_method_mask[];
+ extern ngx_conf_bitmask_t  ngx_http_upstream_ignore_headers_masks[];
+ 
+ 
++#ifndef HAVE_BALANCER_STATUS_CODE_PATCH
++#define HAVE_BALANCER_STATUS_CODE_PATCH
++#endif
++
++
+ #endif /* _NGX_HTTP_UPSTREAM_H_INCLUDED_ */
+diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h
+index 09d24593..d8b4b584 100644
+--- a/src/stream/ngx_stream.h
++++ b/src/stream/ngx_stream.h
+@@ -27,6 +27,7 @@ typedef struct ngx_stream_session_s  ngx_stream_session_t;
+ 
+ 
+ #define NGX_STREAM_OK                        200
++#define NGX_STREAM_SPECIAL_RESPONSE          300
+ #define NGX_STREAM_BAD_REQUEST               400
+ #define NGX_STREAM_FORBIDDEN                 403
+ #define NGX_STREAM_INTERNAL_SERVER_ERROR     500
+diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c
+index 818d7329..329dcdc6 100644
+--- a/src/stream/ngx_stream_proxy_module.c
++++ b/src/stream/ngx_stream_proxy_module.c
+@@ -691,6 +691,11 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s)
+         return;
+     }
+ 
++    if (rc >= NGX_STREAM_SPECIAL_RESPONSE) {
++        ngx_stream_proxy_finalize(s, rc);
++        return;
++    }
++
+     u->state->peer = u->peer.name;
+ 
+     if (rc == NGX_BUSY) {
+diff --git a/src/stream/ngx_stream_upstream.h b/src/stream/ngx_stream_upstream.h
+index 73947f46..21bc0ad7 100644
+--- a/src/stream/ngx_stream_upstream.h
++++ b/src/stream/ngx_stream_upstream.h
+@@ -151,4 +151,9 @@ ngx_stream_upstream_srv_conf_t *ngx_stream_upstream_add(ngx_conf_t *cf,
+ extern ngx_module_t  ngx_stream_upstream_module;
+ 
+ 
++#ifndef HAVE_BALANCER_STATUS_CODE_PATCH
++#define HAVE_BALANCER_STATUS_CODE_PATCH
++#endif
++
++
+ #endif /* _NGX_STREAM_UPSTREAM_H_INCLUDED_ */

patches/nginx-1.13.8-stream_ssl_preread_no_skip.patch

@@ -0,0 +1,13 @@
+diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c
+index e3d11fd9..3717b5fe 100644
+--- a/src/stream/ngx_stream_ssl_preread_module.c
++++ b/src/stream/ngx_stream_ssl_preread_module.c
+@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s)
+ 
+         rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len);
+         if (rc != NGX_AGAIN) {
+-            return rc;
++            return rc == NGX_OK ? NGX_DECLINED : rc;
+         }
+ 
+         p += len;

patches/openssl-1.1.0c-sess_set_get_cb_yield.patch

@@ -0,0 +1,216 @@
+diff --git a/include/openssl/bio.h b/include/openssl/bio.h
+index 9bc941b25f..4f55f1f825 100644
+--- a/include/openssl/bio.h
++++ b/include/openssl/bio.h
+@@ -220,6 +220,8 @@ void BIO_clear_flags(BIO *b, int flags);
+ /* Returned from the accept BIO when an accept would have blocked */
+ # define BIO_RR_ACCEPT                   0x03
+ 
++# define BIO_RR_SSL_SESSION_LOOKUP       0x04
++
+ /* These are passed by the BIO callback */
+ # define BIO_CB_FREE     0x01
+ # define BIO_CB_READ     0x02
+diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
+index 86ab9125de..ab617c4055 100644
+--- a/include/openssl/ssl.h
++++ b/include/openssl/ssl.h
+@@ -788,6 +788,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
+ # define SSL_X509_LOOKUP        4
+ # define SSL_ASYNC_PAUSED       5
+ # define SSL_ASYNC_NO_JOBS      6
++# define SSL_SESS_LOOKUP        7
+ 
+ /* These will only be used when doing non-blocking IO */
+ # define SSL_want_nothing(s)     (SSL_want(s) == SSL_NOTHING)
+@@ -796,6 +797,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
+ # define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
+ # define SSL_want_async(s)       (SSL_want(s) == SSL_ASYNC_PAUSED)
+ # define SSL_want_async_job(s)   (SSL_want(s) == SSL_ASYNC_NO_JOBS)
++# define SSL_want_sess_lookup(s) (SSL_want(s) == SSL_SESS_LOOKUP)
+ 
+ # define SSL_MAC_FLAG_READ_MAC_STREAM 1
+ # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
+@@ -1028,6 +1030,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+ # define SSL_ERROR_WANT_ACCEPT           8
+ # define SSL_ERROR_WANT_ASYNC            9
+ # define SSL_ERROR_WANT_ASYNC_JOB       10
++# define SSL_ERROR_WANT_SESSION_LOOKUP  11
++# define SSL_ERROR_PENDING_SESSION      11 /* BoringSSL compatibility */
+ # define SSL_CTRL_SET_TMP_DH                     3
+ # define SSL_CTRL_SET_TMP_ECDH                   4
+ # define SSL_CTRL_SET_TMP_DH_CB                  6
+@@ -1424,6 +1428,7 @@ int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
+ int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
+ int SSL_SESSION_up_ref(SSL_SESSION *ses);
+ void SSL_SESSION_free(SSL_SESSION *ses);
++SSL_SESSION *SSL_magic_pending_session_ptr(void);
+ __owur int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
+ __owur int SSL_set_session(SSL *to, SSL_SESSION *session);
+ __owur int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
+diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
+index 3dd09cf52d..7ac370fefc 100644
+--- a/ssl/bio_ssl.c
++++ b/ssl/bio_ssl.c
+@@ -138,6 +138,10 @@ static int ssl_read(BIO *b, char *out, int outl)
+         BIO_set_retry_special(b);
+         retry_reason = BIO_RR_SSL_X509_LOOKUP;
+         break;
++    case SSL_ERROR_WANT_SESSION_LOOKUP:
++        BIO_set_retry_special(b);
++        retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
++        break;
+     case SSL_ERROR_WANT_ACCEPT:
+         BIO_set_retry_special(b);
+         retry_reason = BIO_RR_ACCEPT;
+@@ -210,6 +214,10 @@ static int ssl_write(BIO *b, const char *out, int outl)
+         BIO_set_retry_special(b);
+         retry_reason = BIO_RR_SSL_X509_LOOKUP;
+         break;
++    case SSL_ERROR_WANT_SESSION_LOOKUP:
++        BIO_set_retry_special(b);
++        retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
++        break;
+     case SSL_ERROR_WANT_CONNECT:
+         BIO_set_retry_special(b);
+         retry_reason = BIO_RR_CONNECT;
+@@ -363,6 +371,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
+             BIO_set_retry_special(b);
+             BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP);
+             break;
++        case SSL_ERROR_WANT_SESSION_LOOKUP:
++            BIO_set_retry_special(b);
++            BIO_set_retry_reason(b, BIO_RR_SSL_SESSION_LOOKUP);
++            break;
+         default:
+             break;
+         }
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index bd0fbf8101..fc65b168f0 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2982,6 +2982,9 @@ int SSL_get_error(const SSL *s, int i)
+         if (SSL_want_async_job(s)) {
+             return SSL_ERROR_WANT_ASYNC_JOB;
+         }
++        if (SSL_want_sess_lookup(s)) {
++            return SSL_ERROR_WANT_SESSION_LOOKUP;
++        }
+     }
+ 
+     if (i == 0) {
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index eee1ca1f5b..bffd87335d 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -40,6 +40,8 @@
+ #include <openssl/engine.h>
+ #include "ssl_locl.h"
+ 
++static const char g_pending_session_magic = 0;
++
+ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
+ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
+ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
+@@ -502,6 +504,10 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
+                                              PACKET_remaining(session_id),
+                                              &copy);
+ 
++        if (ret == SSL_magic_pending_session_ptr()) {
++            return -2; /* Retry later */
++        }
++
+         if (ret != NULL) {
+             s->session_ctx->stats.sess_cb_hit++;
+ 
+@@ -877,6 +883,11 @@ X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
+     return s->peer;
+ }
+ 
++SSL_SESSION *SSL_magic_pending_session_ptr(void)
++{
++    return (SSL_SESSION *) &g_pending_session_magic;
++}
++
+ int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
+                                 unsigned int sid_ctx_len)
+ {
+diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
+index caaf0687b5..baadc1154d 100644
+--- a/ssl/statem/statem.c
++++ b/ssl/statem/statem.c
+@@ -581,16 +581,18 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+             }
+ 
+             s->first_packet = 0;
+-            if (!PACKET_buf_init(&pkt, s->init_msg, len)) {
++
++            st->read_state = READ_STATE_PROCESS;
++            /* Fall through */
++
++        case READ_STATE_PROCESS:
++            if (!PACKET_buf_init(&pkt, s->init_msg, s->init_num)) {
+                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+                 SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
+                 return SUB_STATE_ERROR;
+             }
+             ret = process_message(s, &pkt);
+ 
+-            /* Discard the packet data */
+-            s->init_num = 0;
+-
+             switch (ret) {
+             case MSG_PROCESS_ERROR:
+                 return SUB_STATE_ERROR;
+@@ -610,6 +612,9 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+                 st->read_state = READ_STATE_HEADER;
+                 break;
+             }
++
++            /* Discard the packet data */
++            s->init_num = 0;
+             break;
+ 
+         case READ_STATE_POST_PROCESS:
+diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
+index 2fca39b0db..b106f4d069 100644
+--- a/ssl/statem/statem.h
++++ b/ssl/statem/statem.h
+@@ -60,6 +60,7 @@ typedef enum {
+ typedef enum {
+     READ_STATE_HEADER,
+     READ_STATE_BODY,
++    READ_STATE_PROCESS,
+     READ_STATE_POST_PROCESS
+ } READ_STATE;
+ 
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index 9327654ce5..f05d0c3dce 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -1165,11 +1165,16 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
+             s->hit = 1;
+         } else if (i == -1) {
+             goto err;
++        } else if (i == -2) {
++            s->rwstate = SSL_SESS_LOOKUP;
++            s->statem.read_state_work = WORK_MORE_A;
++            return MSG_PROCESS_ERROR;
+         } else {
+             /* i == 0 */
+             if (!ssl_get_new_session(s, 1))
+                 goto err;
+         }
++        s->rwstate = SSL_NOTHING;
+     }
+ 
+     if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
+diff --git a/util/libssl.num b/util/libssl.num
+index 200629f74b..e580efd2d2 100644
+--- a/util/libssl.num
++++ b/util/libssl.num
+@@ -403,3 +403,4 @@ SSL_dane_clear_flags                    403	1_1_0	EXIST::FUNCTION:
+ SSL_SESSION_get0_cipher                 404	1_1_0	EXIST::FUNCTION:
+ SSL_SESSION_get0_id_context             405	1_1_0	EXIST::FUNCTION:
+ SSL_SESSION_set1_id                     406	1_1_0	EXIST::FUNCTION:
++SSL_magic_pending_session_ptr           407	1_1_0	EXIST::FUNCTION:

patches/openssl-1.1.0d-sess_set_get_cb_yield.patch

@@ -0,0 +1,218 @@
+diff --git a/include/openssl/bio.h b/include/openssl/bio.h
+index 9bc941b25f..4f55f1f825 100644
+--- a/include/openssl/bio.h
++++ b/include/openssl/bio.h
+@@ -220,6 +220,8 @@ void BIO_clear_flags(BIO *b, int flags);
+ /* Returned from the accept BIO when an accept would have blocked */
+ # define BIO_RR_ACCEPT                   0x03
+ 
++# define BIO_RR_SSL_SESSION_LOOKUP       0x04
++
+ /* These are passed by the BIO callback */
+ # define BIO_CB_FREE     0x01
+ # define BIO_CB_READ     0x02
+diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
+index 8d75d53eca..55b896bf79 100644
+--- a/include/openssl/ssl.h
++++ b/include/openssl/ssl.h
+@@ -791,6 +791,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
+ # define SSL_X509_LOOKUP        4
+ # define SSL_ASYNC_PAUSED       5
+ # define SSL_ASYNC_NO_JOBS      6
++# define SSL_SESS_LOOKUP        7
+ 
+ /* These will only be used when doing non-blocking IO */
+ # define SSL_want_nothing(s)     (SSL_want(s) == SSL_NOTHING)
+@@ -799,6 +800,7 @@ __owur int SSL_extension_supported(unsigned int ext_type);
+ # define SSL_want_x509_lookup(s) (SSL_want(s) == SSL_X509_LOOKUP)
+ # define SSL_want_async(s)       (SSL_want(s) == SSL_ASYNC_PAUSED)
+ # define SSL_want_async_job(s)   (SSL_want(s) == SSL_ASYNC_NO_JOBS)
++# define SSL_want_sess_lookup(s) (SSL_want(s) == SSL_SESS_LOOKUP)
+ 
+ # define SSL_MAC_FLAG_READ_MAC_STREAM 1
+ # define SSL_MAC_FLAG_WRITE_MAC_STREAM 2
+@@ -1031,6 +1033,8 @@ DECLARE_PEM_rw(SSL_SESSION, SSL_SESSION)
+ # define SSL_ERROR_WANT_ACCEPT           8
+ # define SSL_ERROR_WANT_ASYNC            9
+ # define SSL_ERROR_WANT_ASYNC_JOB       10
++# define SSL_ERROR_WANT_SESSION_LOOKUP  11
++# define SSL_ERROR_PENDING_SESSION      11 /* BoringSSL compatibility */
+ # define SSL_CTRL_SET_TMP_DH                     3
+ # define SSL_CTRL_SET_TMP_ECDH                   4
+ # define SSL_CTRL_SET_TMP_DH_CB                  6
+@@ -1426,6 +1430,7 @@ int SSL_SESSION_print(BIO *fp, const SSL_SESSION *ses);
+ int SSL_SESSION_print_keylog(BIO *bp, const SSL_SESSION *x);
+ int SSL_SESSION_up_ref(SSL_SESSION *ses);
+ void SSL_SESSION_free(SSL_SESSION *ses);
++SSL_SESSION *SSL_magic_pending_session_ptr(void);
+ __owur int i2d_SSL_SESSION(SSL_SESSION *in, unsigned char **pp);
+ __owur int SSL_set_session(SSL *to, SSL_SESSION *session);
+ __owur int SSL_CTX_add_session(SSL_CTX *s, SSL_SESSION *c);
+diff --git a/ssl/bio_ssl.c b/ssl/bio_ssl.c
+index 3dd09cf52d..7ac370fefc 100644
+--- a/ssl/bio_ssl.c
++++ b/ssl/bio_ssl.c
+@@ -138,6 +138,10 @@ static int ssl_read(BIO *b, char *out, int outl)
+         BIO_set_retry_special(b);
+         retry_reason = BIO_RR_SSL_X509_LOOKUP;
+         break;
++    case SSL_ERROR_WANT_SESSION_LOOKUP:
++        BIO_set_retry_special(b);
++        retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
++        break;
+     case SSL_ERROR_WANT_ACCEPT:
+         BIO_set_retry_special(b);
+         retry_reason = BIO_RR_ACCEPT;
+@@ -210,6 +214,10 @@ static int ssl_write(BIO *b, const char *out, int outl)
+         BIO_set_retry_special(b);
+         retry_reason = BIO_RR_SSL_X509_LOOKUP;
+         break;
++    case SSL_ERROR_WANT_SESSION_LOOKUP:
++        BIO_set_retry_special(b);
++        retry_reason = BIO_RR_SSL_SESSION_LOOKUP;
++        break;
+     case SSL_ERROR_WANT_CONNECT:
+         BIO_set_retry_special(b);
+         retry_reason = BIO_RR_CONNECT;
+@@ -363,6 +371,10 @@ static long ssl_ctrl(BIO *b, int cmd, long num, void *ptr)
+             BIO_set_retry_special(b);
+             BIO_set_retry_reason(b, BIO_RR_SSL_X509_LOOKUP);
+             break;
++        case SSL_ERROR_WANT_SESSION_LOOKUP:
++            BIO_set_retry_special(b);
++            BIO_set_retry_reason(b, BIO_RR_SSL_SESSION_LOOKUP);
++            break;
+         default:
+             break;
+         }
+diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
+index 002b2e5847..373484e16b 100644
+--- a/ssl/ssl_lib.c
++++ b/ssl/ssl_lib.c
+@@ -2982,6 +2982,9 @@ int SSL_get_error(const SSL *s, int i)
+         if (SSL_want_async_job(s)) {
+             return SSL_ERROR_WANT_ASYNC_JOB;
+         }
++        if (SSL_want_sess_lookup(s)) {
++            return SSL_ERROR_WANT_SESSION_LOOKUP;
++        }
+     }
+ 
+     if (i == 0) {
+diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c
+index 43cb1d371b..99c5e4990f 100644
+--- a/ssl/ssl_sess.c
++++ b/ssl/ssl_sess.c
+@@ -40,6 +40,8 @@
+ #include <openssl/engine.h>
+ #include "ssl_locl.h"
+ 
++static const char g_pending_session_magic = 0;
++
+ static void SSL_SESSION_list_remove(SSL_CTX *ctx, SSL_SESSION *s);
+ static void SSL_SESSION_list_add(SSL_CTX *ctx, SSL_SESSION *s);
+ static int remove_session_lock(SSL_CTX *ctx, SSL_SESSION *c, int lck);
+@@ -502,6 +504,10 @@ int ssl_get_prev_session(SSL *s, const PACKET *ext, const PACKET *session_id)
+                                              PACKET_remaining(session_id),
+                                              &copy);
+ 
++        if (ret == SSL_magic_pending_session_ptr()) {
++            return -2; /* Retry later */
++        }
++
+         if (ret != NULL) {
+             s->session_ctx->stats.sess_cb_hit++;
+ 
+@@ -886,6 +892,11 @@ X509 *SSL_SESSION_get0_peer(SSL_SESSION *s)
+     return s->peer;
+ }
+ 
++SSL_SESSION *SSL_magic_pending_session_ptr(void)
++{
++    return (SSL_SESSION *) &g_pending_session_magic;
++}
++
+ int SSL_SESSION_set1_id_context(SSL_SESSION *s, const unsigned char *sid_ctx,
+                                 unsigned int sid_ctx_len)
+ {
+diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
+index 512f1e0941..52a335bee9 100644
+--- a/ssl/statem/statem.c
++++ b/ssl/statem/statem.c
+@@ -583,16 +583,18 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+             }
+ 
+             s->first_packet = 0;
+-            if (!PACKET_buf_init(&pkt, s->init_msg, len)) {
++
++            st->read_state = READ_STATE_PROCESS;
++            /* Fall through */
++
++        case READ_STATE_PROCESS:
++            if (!PACKET_buf_init(&pkt, s->init_msg, s->init_num)) {
+                 ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_INTERNAL_ERROR);
+                 SSLerr(SSL_F_READ_STATE_MACHINE, ERR_R_INTERNAL_ERROR);
+                 return SUB_STATE_ERROR;
+             }
+             ret = process_message(s, &pkt);
+ 
+-            /* Discard the packet data */
+-            s->init_num = 0;
+-
+             switch (ret) {
+             case MSG_PROCESS_ERROR:
+                 return SUB_STATE_ERROR;
+@@ -612,6 +614,9 @@ static SUB_STATE_RETURN read_state_machine(SSL *s)
+                 st->read_state = READ_STATE_HEADER;
+                 break;
+             }
++
++            /* Discard the packet data */
++            s->init_num = 0;
+             break;
+ 
+         case READ_STATE_POST_PROCESS:
+diff --git a/ssl/statem/statem.h b/ssl/statem/statem.h
+index 2fca39b0db..b106f4d069 100644
+--- a/ssl/statem/statem.h
++++ b/ssl/statem/statem.h
+@@ -60,6 +60,7 @@ typedef enum {
+ typedef enum {
+     READ_STATE_HEADER,
+     READ_STATE_BODY,
++    READ_STATE_PROCESS,
+     READ_STATE_POST_PROCESS
+ } READ_STATE;
+ 
+diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
+index d36d194b0a..bcf0635172 100644
+--- a/ssl/statem/statem_srvr.c
++++ b/ssl/statem/statem_srvr.c
+@@ -1165,11 +1165,16 @@ MSG_PROCESS_RETURN tls_process_client_hello(SSL *s, PACKET *pkt)
+             s->hit = 1;
+         } else if (i == -1) {
+             goto err;
++        } else if (i == -2) {
++            s->rwstate = SSL_SESS_LOOKUP;
++            s->statem.read_state_work = WORK_MORE_A;
++            return MSG_PROCESS_ERROR;
+         } else {
+             /* i == 0 */
+             if (!ssl_get_new_session(s, 1))
+                 goto err;
+         }
++        s->rwstate = SSL_NOTHING;
+     }
+ 
+     if (ssl_bytes_to_cipher_list(s, &cipher_suites, &(ciphers),
+diff --git a/util/libssl.num b/util/libssl.num
+index 7b9b3c251c..6e9a26133f 100644
+--- a/util/libssl.num
++++ b/util/libssl.num
+@@ -403,5 +403,6 @@ SSL_dane_clear_flags                    403	1_1_0	EXIST::FUNCTION:
+ SSL_SESSION_get0_cipher                 404	1_1_0	EXIST::FUNCTION:
+ SSL_SESSION_get0_id_context             405	1_1_0	EXIST::FUNCTION:
+ SSL_SESSION_set1_id                     406	1_1_0	EXIST::FUNCTION:
++SSL_magic_pending_session_ptr           407 1_1_0   EXIST::FUNCTION:
+ SSL_COMP_get_id                         412	1_1_0d	EXIST::FUNCTION:
+ SSL_COMP_get0_name                      413	1_1_0d	EXIST::FUNCTION:

t/001-resolver.t

@@ -0,0 +1,382 @@
+# vim:set ft= ts=4 sw=4 et fdm=marker:
+
+use Test::Nginx::Socket::Lua;
+
+#worker_connections(1014);
+#master_process_enabled(1);
+log_level('debug');
+
+repeat_each(1);
+
+plan tests => repeat_each() * (blocks() * 5);
+
+#no_diff();
+no_long_string();
+
+run_tests();
+
+__DATA__
+
+=== TEST 1: use system resolver
+--- config
+    resolver local=on ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- request
+GET /t
+--- response_body
+successfully connected to openresty.org
+--- no_error_log
+[error]
+[crit]
+--- error_log
+parsed a resolver: "
+
+
+
+=== TEST 2: malformed file
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+nameser 8.8.8.8"
+--- request
+GET /t
+--- response_body
+failed to connect to openresty.org: no resolver defined to resolve "openresty.org"
+--- no_error_log
+[error]
+[crit]
+parsed a resolver: "
+
+
+
+=== TEST 3: disabled
+--- config
+    resolver local=off ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+nameser 8.8.8.8"
+--- request
+GET /t
+--- response_body
+failed to connect to openresty.org: no resolver defined to resolve "openresty.org"
+--- no_error_log
+[error]
+[crit]
+parsed a resolver: "
+
+
+
+=== TEST 4: multiple resolvers
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+domain example.com
+nameserver 8.8.8.8
+nameserver 8.8.4.4"
+--- request
+GET /t
+--- response_body
+successfully connected to openresty.org
+--- no_error_log
+[error]
+[crit]
+--- grep_error_log eval: qr/parsed a resolver: ".+"/
+--- grep_error_log_out
+parsed a resolver: "8.8.8.8"
+parsed a resolver: "8.8.4.4"
+
+
+
+=== TEST 5: CRLF
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+domain example.com\r\nnameserver 8.8.8.8\r\nnameserver 8.8.4.4"
+--- request
+GET /t
+--- response_body
+successfully connected to openresty.org
+--- no_error_log
+[error]
+[crit]
+--- grep_error_log eval: qr/parsed a resolver: ".+"/
+--- grep_error_log_out
+parsed a resolver: "8.8.8.8"
+parsed a resolver: "8.8.4.4"
+
+
+
+=== TEST 6: CR only, with comments
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+#domain example.com\rnameserver 8.8.8.8\rnameserver 8.8.4.4"
+--- request
+GET /t
+--- response_body
+successfully connected to openresty.org
+--- no_error_log
+[error]
+[crit]
+--- grep_error_log eval: qr/parsed a resolver: ".+"/
+--- grep_error_log_out
+parsed a resolver: "8.8.8.8"
+parsed a resolver: "8.8.4.4"
+
+
+
+=== TEST 7: spaces and tabs before and after nameserver
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+domain example.com
+  \t \t  \tnameserver \t   \t 8.8.8.8
+ \t  \t   \tnameserver\t   \t8.8.4.4"
+--- request
+GET /t
+--- response_body
+successfully connected to openresty.org
+--- no_error_log
+[error]
+[crit]
+--- grep_error_log eval: qr/parsed a resolver: ".+"/
+--- grep_error_log_out
+parsed a resolver: "8.8.8.8"
+parsed a resolver: "8.8.4.4"
+
+
+
+=== TEST 8: MAXNS is respected (in standard Glibc it is 3)
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+domain example.com
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+nameserver 208.67.222.222
+nameserver 208.67.220.220"
+--- request
+GET /t
+--- response_body
+successfully connected to openresty.org
+--- no_error_log
+[error]
+[crit]
+--- grep_error_log eval: qr/parsed a resolver: ".+"/
+--- grep_error_log_out
+parsed a resolver: "8.8.8.8"
+parsed a resolver: "8.8.4.4"
+parsed a resolver: "208.67.222.222"
+
+
+
+
+=== TEST 9: IPv6 is supported
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location = /t {
+        content_by_lua_block {
+            ngx.say("done")
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+domain example.com
+nameserver 2001:4860:4860::8888
+nameserver 2001:4860:4860::8844"
+--- request
+GET /t
+--- response_body
+done
+--- no_error_log
+[crit]
+[error]
+--- grep_error_log eval: qr/parsed a resolver: ".+"/
+--- grep_error_log_out
+parsed a resolver: "[2001:4860:4860::8888]"
+parsed a resolver: "[2001:4860:4860::8844]"
+
+
+
+=== TEST 10: IPv6 with malformed and long address
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location = /t {
+        content_by_lua_block {
+            ngx.say("done")
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+domain example.com
+nameserver 2001:4860:4860::8888:2001:4860:4860::8888:2001
+nameserver 2001:4860:4860::8844"
+--- request
+GET /t
+--- response_body
+done
+--- no_error_log
+[crit]
+[error]
+--- must_die
+--- error_log
+IPv6 resolver address is too long: "2001:4860:4860::8888:2001:4860:4860::8888:2001"
+unable to parse local resolver
+
+
+
+=== TEST 11: new line at the end of the file
+--- config
+    resolver local=../html/resolv.conf ipv6=off;
+    resolver_timeout 5s;
+
+    location /t {
+        content_by_lua_block {
+            local sock = ngx.socket.tcp()
+            local ok, err = sock:connect("openresty.org", 80)
+            if not ok then
+                ngx.say("failed to connect to openresty.org: ", err)
+                return
+            end
+            ngx.say("successfully connected to openresty.org")
+            sock:close()
+        }
+    }
+--- user_files eval
+">>> resolv.conf
+domain example.com
+nameserver 8.8.8.8
+nameserver 8.8.4.4
+"
+--- request
+GET /t
+--- response_body
+successfully connected to openresty.org
+--- no_error_log
+[error]
+[crit]
+--- grep_error_log eval: qr/parsed a resolver: ".+"/
+--- grep_error_log_out
+parsed a resolver: "8.8.8.8"
+parsed a resolver: "8.8.4.4"

util/build-win32.sh

@@ -1,12 +1,13 @@
 #!/bin/bash
 
-PCRE=pcre-8.41
+PCRE=pcre-8.42
 ZLIB=zlib-1.2.11
-OPENSSL=openssl-1.0.2k
+OPENSSL=openssl-1.1.0h
+JOBS=12
 
-# wget https://www.openssl.org/source/openssl-1.0.2k.tar.gz
+# wget https://www.openssl.org/source/openssl-1.1.0h.tar.gz
 # wget http://zlib.net/zlib-1.2.11.tar.gz
-# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.40.tar.gz
+# wget ftp://ftp.csx.cam.ac.uk/pub/software/programming/pcre/pcre-8.42.tar.gz
 
 rm -rf objs || exit 1
 mkdir -p objs/lib || exit 1
@@ -18,7 +19,8 @@ tar -xf ../../../$PCRE.tar.gz || exit 1
 cd ../..
 
 cd objs/lib/$OPENSSL || exit 1
-patch -p1 < ../../../patches/openssl-1.0.2h-sess_set_get_cb_yield.patch || exit 1
+patch -p1 < ../../../patches/openssl-1.1.0d-sess_set_get_cb_yield.patch \
+    || exit 1
 cd ../../..
 
     #--with-openssl-opt="no-asm" \
@@ -36,6 +38,7 @@ cd ../../..
     --with-ipv6 \
     --with-stream \
     --with-stream_ssl_module \
+    --with-stream_ssl_preread_module \
     --with-http_v2_module \
     --without-mail_pop3_module \
     --without-mail_imap_module \
@@ -57,7 +60,7 @@ cd ../../..
     --with-pcre=objs/lib/$PCRE \
     --with-zlib=objs/lib/$ZLIB \
     --with-openssl=objs/lib/$OPENSSL \
-    -j5 || exit 1
-#gmake -j5
-make || exit 1
-make install
+    -j$JOBS || exit 1
+
+make -j$JOBS || exit 1
+exec make install

util/configure

@@ -23,10 +23,6 @@ my $OS = $^O;
 
 my $ngx_dir;
 
-if (-f 'Makefile') {
-    unlink 'Makefile' or die "ERROR: failed to remove existing Makefile: $!\n";
-}
-
 for my $opt (@ARGV) {
     if ($opt =~ /^--platform=(.*)/) {
         $OS = $1;
@@ -296,6 +292,11 @@ for my $opt (@ARGV) {
         my $mod_path = File::Spec->rel2abs($1);
         push @ngx_opts, "--add-module=$mod_path";
 
+    } elsif ($opt =~ /^--add-dynamic-module=(.*)/) {
+
+        my $mod_path = File::Spec->rel2abs($1);
+        push @ngx_opts, "--add-dynamic-module=$mod_path";
+
     } elsif ($opt =~ /^--with-(openssl|pcre|zlib|libatomic|md5|sha1)=(.*)/) {
 
         my ($lib, $path) = ($1, $2);
@@ -331,6 +332,12 @@ if ($platform eq 'msys') {
 
 my $postamble = '';
 
+if ($platform ne 'msys') {
+    if (!$ngx_sbin) {
+        $ngx_sbin = "$ngx_prefix/sbin/nginx";
+    }
+}
+
 my $resty_opts = build_resty_opts(\%resty_opts);
 
 if (@ngx_rpaths) {
@@ -362,10 +369,8 @@ push @make_install_cmds,
     . " \$(DESTDIR)$prefix/site/manifest";
 
 if ($platform ne 'msys') {
-    if (!$ngx_sbin) {
-        $ngx_sbin = "$ngx_prefix/sbin/nginx";
-    }
-    push @make_install_cmds, "ln -sf $ngx_sbin \$(DESTDIR)$prefix/bin/openresty";
+    push @make_install_cmds,
+        "ln -sf $ngx_sbin \$(DESTDIR)$prefix/bin/openresty";
 }
 
 cd '../..'; # to the root
@@ -464,10 +469,12 @@ Type the following commands to build and install:
 _END_
 
     if ($opts->{no_ndk}) {
-        for my $name (qw(set_misc iconv lz_session form_input array_var encrypted_session)) {
+        for my $name (qw(set_misc iconv lz_session form_input array_var
+                         encrypted_session))
+        {
             if (! $opts->{"no_http_$name"}) {
-                warn "WARNING: ngx_http_${name}_module is automatically disabled ",
-                    "because ngx_devel_kit_module is disabled.\n";
+                warn "WARNING: ngx_http_${name}_module is automatically ",
+                     "disabled because ngx_devel_kit_module is disabled.\n";
                 $opts->{"no_http_$name"} = 1;
             }
         }
@@ -493,7 +500,8 @@ _END_
     }
 
     if ($opts->{no_http_ssl} && $opts->{http_ssl}) {
-        die "--with-http_ssl_module conflicts with --without-http_ssl_module.\n";
+        die "--with-http_ssl_module conflicts with --without-http_ssl_module.",
+            "\n";
     }
 
     if (! $opts->{no_http_ssl} && ! $opts->{http_ssl}) {
@@ -502,25 +510,30 @@ _END_
     }
 
     if (! $opts->{http_drizzle} && $opts->{libdrizzle}) {
-        die "The http_drizzle_module is not enabled while --with-libdrizzle is specified.\n";
+        die "The http_drizzle_module is not enabled while --with-libdrizzle ",
+            "is specified.\n";
     }
 
     if (! $opts->{http_postgres} && $opts->{libpq}) {
-        die "The http_postgres_module is not enabled while --with-libpq is specified.\n";
+        die "The http_postgres_module is not enabled while --with-libpq is ",
+            "specified.\n";
     }
 
     if (! $opts->{http_postgres} && $opts->{pg_config}) {
-        die "The http_postgres_module is not enabled while --with-pg_config is specified.\n";
+        die "The http_postgres_module is not enabled while --with-pg_config ",
+            "is specified.\n";
     }
 
     if ($platform eq 'linux' && $opts->{luajit} && ! can_run("ldconfig")) {
-        die "you need to have ldconfig in your PATH env when enabling luajit.\n";
+        die "you need to have ldconfig in your PATH env when enabling luajit.",
+            "\n";
     }
 
     my $opts_line = '';
 
     if ($opts->{debug}) {
-        unshift @ngx_cc_opts, '-DNGX_LUA_USE_ASSERT', '-DNGX_LUA_ABORT_AT_PANIC';
+        unshift @ngx_cc_opts, '-DNGX_LUA_USE_ASSERT',
+            '-DNGX_LUA_ABORT_AT_PANIC';
         $opts_line .= " \\\n  --with-debug";
 
     } else {
@@ -533,7 +546,8 @@ _END_
     }
 
     if (-e 'build') {
-        die "file or directory \"build\" already exists. please remove it first.\n";
+        die "file or directory \"build\" already exists. please remove it ",
+            "first.\n";
     }
     shell "cp -rp bundle/ build";
 
@@ -660,10 +674,14 @@ int main(void) {
             my $comp = ($cc || 'cc');
             my $found;
 
-            if (system("$comp -o $ofile -msse4.2 -c $cfile") == 0 && -s $ofile) {
+            if (system("$comp -o $ofile -msse4.2 -c $cfile") == 0
+                && -s $ofile)
+            {
                 unlink $ofile;
 
-                if (system("$comp -o $ofile -march=native -c $cfile") == 0 && -s $ofile) {
+                if (system("$comp -o $ofile -march=native -c $cfile") == 0
+                    && -s $ofile)
+                {
                     print "INFO: found -msse4.2 in $comp.\n";
                     $found = 1;
                     $luajit_xcflags .= " -msse4.2";
@@ -737,7 +755,8 @@ int main(void) {
 
         if ($platform eq 'msys') {
             $lib = $luajit_root;
-            shell "install -m 0755 src/luajit.exe src/lua51.dll $lib/", $dry_run;
+            shell "install -m 0755 src/luajit.exe src/lua51.dll $lib/",
+                  $dry_run;
 
             my $lua_jit_dir = File::Spec->catfile($luajit_root, "lua", "jit");
             shell "mkdir -p $lua_jit_dir", $dry_run;
@@ -747,20 +766,26 @@ int main(void) {
             $inc = File::Spec->catfile($luajit_root, "include", "luajit-2.1");
             shell "mkdir -p $inc", $dry_run;
 
-            shell "cd src && install -m 0644 lua.h lualib.h lauxlib.h luaconf.h lua.hpp luajit.h $inc/",
+            shell "cd src && install -m 0644 lua.h lualib.h lauxlib.h "
+                  . "luaconf.h lua.hpp luajit.h $inc/",
                   $dry_run;
 
         } else {
-            shell "${make} install$extra_opts PREFIX=$luajit_prefix DESTDIR=$luajit_root/", $dry_run;
+            shell "${make} install$extra_opts PREFIX=$luajit_prefix "
+                  . "DESTDIR=$luajit_root/", $dry_run;
 
             $lib = File::Spec->catfile($luajit_root, $luajit_prefix, "lib");
-            $inc = File::Spec->catfile($luajit_root, $luajit_prefix, "include", "luajit-2.1");
+            $inc = File::Spec->catfile($luajit_root, $luajit_prefix,
+                                       "include", "luajit-2.1");
         }
 
         push @make_cmds, "cd $root_dir/build/$luajit_src && "
             . "\$(MAKE)$extra_opts PREFIX=$luajit_prefix";
 
-        my $abs_luajit_src = File::Spec->rel2abs(File::Spec->catfile($root_dir, "build", $luajit_src), $root_dir);
+        my $abs_luajit_src =
+            File::Spec->rel2abs(File::Spec->catfile($root_dir, "build",
+                                                    $luajit_src),
+                                $root_dir);
 
         if ($platform eq 'msys') {
             push @make_install_cmds, "cd $abs_luajit_src && "
@@ -768,7 +793,8 @@ int main(void) {
 
         } else {
             push @make_install_cmds, "cd $abs_luajit_src && "
-                . "\$(MAKE) install$extra_opts PREFIX=$luajit_prefix DESTDIR=\$(DESTDIR)";
+                . "\$(MAKE) install$extra_opts PREFIX=$luajit_prefix "
+                . "DESTDIR=\$(DESTDIR)";
         }
 
         env LUAJIT_LIB => $lib;
@@ -828,7 +854,8 @@ int main(void) {
         env LUA_LIB => File::Spec->catfile($lua_root, $lua_prefix, "lib");
         env LUA_INC => File::Spec->catfile($lua_root, $lua_prefix, "include");
 
-        push @make_cmds, "cd $root_dir/build/$lua_src && \$(MAKE)$extra_opts $platform";
+        push @make_cmds,
+            "cd $root_dir/build/$lua_src && \$(MAKE)$extra_opts $platform";
 
         push @make_install_cmds, "cd $root_dir/build/$lua_src && "
             . "\$(MAKE) install$extra_opts INSTALL_TOP=\$(DESTDIR)$lua_prefix";
@@ -879,16 +906,19 @@ _EOC_
 
             if ($platform eq 'msys') {
                 my $luajit_root = File::Spec->rel2abs("luajit-root");
-                $extra_opts .= " CJSON_LDFLAGS=\"-shared -L$luajit_root -llua51\"";
+                $extra_opts .=
+                    " CJSON_LDFLAGS=\"-shared -L$luajit_root -llua51\"";
             }
 
             if ($on_solaris) {
                 #$extra_opts .= " INSTALL=$root_dir/build/install";
                 if ($opts->{debug}) {
-                    $extra_opts .= " CJSON_CFLAGS=\"-g -O -fpic -DUSE_INTERNAL_ISINF\"";
+                    $extra_opts .=
+                        " CJSON_CFLAGS=\"-g -O -fpic -DUSE_INTERNAL_ISINF\"";
 
                 } else {
-                    $extra_opts .= " CJSON_CFLAGS=\"-g -fpic -DUSE_INTERNAL_ISINF\"";
+                    $extra_opts .=
+                        " CJSON_CFLAGS=\"-g -fpic -DUSE_INTERNAL_ISINF\"";
                 }
 
             } else {
@@ -900,7 +930,8 @@ _EOC_
             }
 
             if ($platform eq 'macosx') {
-                $extra_opts .= " CJSON_LDFLAGS='-bundle -undefined dynamic_lookup'";
+                $extra_opts .=
+                    " CJSON_LDFLAGS='-bundle -undefined dynamic_lookup'";
             }
 
             if (defined $cc) {
@@ -1030,7 +1061,8 @@ _EOC_
                     die "No $name found";
                 }
 
-                my $extra_opts = " DESTDIR=\$(DESTDIR) LUA_LIB_DIR=$lualib_prefix"
+                my $extra_opts =
+                    " DESTDIR=\$(DESTDIR) LUA_LIB_DIR=$lualib_prefix"
                     ." INSTALL=$root_dir/build/install";
 
                 push @make_install_cmds, "cd $root_dir/build/$dir && " .
@@ -1064,12 +1096,45 @@ _EOC_
         }
         push @make_install_cmds, "cd $root_dir/build/$resty_cli_dir && "
              . "$root_dir/build/install bin/* $target_dir";
+
+        if ($platform ne 'msys') {
+            # patch the resty script:
+
+            print "patching the resty script with hard-coded nginx binary ",
+                  "path...\n";
+
+            my $resty_bin = "$root_dir/build/$resty_cli_dir/bin/resty";
+            open my $in, $resty_bin
+                or die "Cannot open $resty_bin for reading: $!\n";
+            my ($new, $found);
+            while (<$in>) {
+                if (/^my \$nginx_path;$/) {
+                    $found = 1;
+                    $new .= qq/my \$nginx_path = '$ngx_sbin';\n/;
+
+                } else {
+                    $new .= $_;
+                }
+            }
+            close $in;
+
+            if (!$found) {
+                die "failed to patch $resty_bin: the line 'my \$nginx_path' ",
+                    "was not found.\n";
+            }
+
+            open my $out, ">$resty_bin"
+                or die "Cannot open $resty_bin for writing: $!\n";
+            print $out $new;
+            close $out;
+        }
     }
 
     # configure restydoc indexes
 
-    push @make_install_cmds, "cp $root_dir/build/resty.index \$(DESTDIR)$prefix/",
-                             "cp -r $root_dir/build/pod \$(DESTDIR)$prefix/";
+    push @make_install_cmds,
+        "cp $root_dir/build/resty.index \$(DESTDIR)$prefix/",
+        "cp -r $root_dir/build/pod \$(DESTDIR)$prefix/";
 
     # prepare nginx configure line
 
@@ -1310,9 +1375,16 @@ Options directly inherited from nginx
   --with-stream                      enable TCP/UDP proxy module
   --with-stream=dynamic              enable dynamic TCP/UDP proxy module
   --with-stream_ssl_module           enable ngx_stream_ssl_module
+  --with-stream_realip_module        enable ngx_stream_realip_module
+  --with-stream_geoip_module         enable ngx_stream_geoip_module
+  --with-stream_geoip_module=dynamic enable dynamic ngx_stream_geoip_module
+  --with-stream_ssl_preread_module   enable ngx_stream_ssl_preread_module
   --without-stream_limit_conn_module disable ngx_stream_limit_conn_module
   --without-stream_access_module     disable ngx_stream_access_module
+  --without-stream_geo_module        disable ngx_stream_geo_module
   --without-stream_map_module        disable ngx_stream_map_module
+  --without-stream_split_clients_module
+                                     disable ngx_stream_split_clients_module
   --without-stream_return_module     disable ngx_stream_return_module
   --without-stream_upstream_hash_module
                                      disable ngx_stream_upstream_hash_module
@@ -1368,6 +1440,11 @@ _EOC_
 }
 
 sub gen_makefile {
+    if (-f 'Makefile') {
+        unlink 'Makefile' or
+            die "ERROR: failed to remove existing Makefile: $!\n";
+    }
+
     open my $out, ">Makefile" or
         die "Cannot open Makefile for writing: $!\n";
 

util/dist-check

@@ -45,6 +45,13 @@ if ($^O eq 'darwin') {
                . "-I/usr/local/opt/pcre/include/'"
                . " --with-ld-opt='-L/usr/local/opt/openssl/lib/ "
                . "-L/usr/local/opt/pcre/lib/'";
+
+} else {
+    my $ssl_prefix = $ENV{OPENSSL_PREFIX};
+    if (defined $ssl_prefix) {
+        $cfg_opts .= " --with-cc-opt='-I$ssl_prefix/include/' "
+                   . " --with-ld-opt='-L$ssl_prefix/lib/' ";
+    }
 }
 
 my $prefix;

util/mirror-tarballs

@@ -56,6 +56,17 @@ if [ "$answer" = "Y" ]; then
     echo
 fi
 
+answer=`$root/util/ver-ge "$main_ver" 1.13.6`
+if [ "$answer" = "Y" ]; then
+    echo "$info_txt applying the stream_ssl_preread_no_skip patch for nginx"
+    patch -p1 < $root/patches/nginx-$main_ver-stream_ssl_preread_no_skip.patch || exit 1
+    echo
+
+    echo "$info_txt applying the resolver_conf_parsing patch for nginx"
+    patch -p1 < $root/patches/nginx-$main_ver-resolver_conf_parsing.patch || exit 1
+    echo
+fi
+
 answer=`$root/util/ver-ge "$main_ver" 1.5.12`
 if [ "$answer" = "N" ]; then
     echo "$info_txt applying the patch for nginx security advisory (CVE-2014-0133)"
@@ -379,6 +390,12 @@ if [ "$main_ver" = "1.9.7" ]; then
     echo
 fi
 
+if [ "$main_ver" = "1.13.6" ]; then
+    echo "$info_txt applying the init_cycle_pool_release patch for nginx"
+    patch -p1 < $root/patches/nginx-$main_ver-init_cycle_pool_release.patch || exit 1
+    echo
+fi
+
 rm -f *.patch || exit 1
 
 echo "$info_txt applying the always_enable_cc_feature_tests patch to nginx"
@@ -401,6 +418,10 @@ echo "$info_txt applying the safe_resolver_ipv6_option patch for nginx"
 patch -p1 < $root/patches/nginx-$main_ver-safe_resolver_ipv6_option.patch || exit 1
 echo
 
+echo "$info_txt applying the socket_cloexec patch for nginx"
+patch -p1 < $root/patches/nginx-$main_ver-socket_cloexec.patch || exit 1
+echo
+
 cp $root/html/index.html docs/html/ || exit 1
 cp $root/html/50x.html docs/html/ || exit 1
 
@@ -422,7 +443,7 @@ mv openresty-echo-nginx-module-* echo-nginx-module-$ver || exit 1
 
 #################################
 
-ver=0.05
+ver=0.06
 $root/util/get-tarball "https://github.com/openresty/xss-nginx-module/tarball/v$ver" -O xss-nginx-module-$ver.tar.gz || exit 1
 tar -xzf xss-nginx-module-$ver.tar.gz || exit 1
 mv openresty-xss-nginx-module-* xss-nginx-module-$ver || exit 1
@@ -430,13 +451,13 @@ mv openresty-xss-nginx-module-* xss-nginx-module-$ver || exit 1
 #################################
 
 ver=0.3.0
-$root/util/get-tarball "https://github.com/simpl/ngx_devel_kit/tarball/v$ver" -O ngx_devel_kit-$ver.tar.gz
+$root/util/get-tarball "https://github.com/simplresty/ngx_devel_kit/tarball/v$ver" -O ngx_devel_kit-$ver.tar.gz
 tar -xzf ngx_devel_kit-$ver.tar.gz || exit 1
-mv simpl-ngx_devel_kit-* ngx_devel_kit-$ver || exit 1
+mv simplresty-ngx_devel_kit-* ngx_devel_kit-$ver || exit 1
 
 #################################
 
-ver=0.31
+ver=0.32
 $root/util/get-tarball "https://github.com/openresty/set-misc-nginx-module/tarball/v$ver" -O set-misc-nginx-module-$ver.tar.gz || exit 1
 tar -xzf set-misc-nginx-module-$ver.tar.gz || exit 1
 mv openresty-set-misc-nginx-module-* set-misc-nginx-module-$ver || exit 1
@@ -450,7 +471,7 @@ mv openresty-rds-json-nginx-module-* rds-json-nginx-module-$ver || exit 1
 
 #################################
 
-ver=0.08
+ver=0.09
 $root/util/get-tarball "https://github.com/openresty/rds-csv-nginx-module/tarball/v$ver" -O rds-csv-nginx-module-$ver.tar.gz || exit 1
 tar -xzf rds-csv-nginx-module-$ver.tar.gz || exit 1
 mv openresty-rds-csv-nginx-module-* rds-csv-nginx-module-$ver || exit 1
@@ -464,14 +485,14 @@ mv openresty-headers-more-nginx-module-* headers-more-nginx-module-$ver || exit
 
 #################################
 
-ver=0.1.10
+ver=0.1.11
 $root/util/get-tarball "https://github.com/openresty/drizzle-nginx-module/tarball/v$ver" -O drizzle-nginx-module-$ver.tar.gz || exit 1
 tar -xzf drizzle-nginx-module-$ver.tar.gz || exit 1
 mv openresty-drizzle-nginx-module-* drizzle-nginx-module-$ver || exit 1
 
 #################################
 
-ver=0.10.11
+ver=0.10.13
 $root/util/get-tarball "https://github.com/openresty/lua-nginx-module/tarball/v$ver" -O lua-nginx-module-$ver.tar.gz || exit 1
 tar -xzf lua-nginx-module-$ver.tar.gz || exit 1
 mv openresty-lua-nginx-module-* ngx_lua-$ver || exit 1
@@ -485,7 +506,7 @@ mv openresty-lua-upstream-nginx-module-* ngx_lua_upstream-$ver || exit 1
 
 #################################
 
-ver=0.0.3
+ver=0.0.5
 $root/util/get-tarball "https://github.com/openresty/stream-lua-nginx-module/tarball/v$ver" -O stream-lua-nginx-module-$ver.tar.gz || exit 1
 tar -xzf stream-lua-nginx-module-$ver.tar.gz || exit 1
 mv openresty-stream-lua-nginx-module-* ngx_stream_lua-$ver || exit 1
@@ -499,7 +520,7 @@ mv openresty-array-var-nginx-module-* array-var-nginx-module-$ver || exit 1
 
 #################################
 
-ver=0.18
+ver=0.19
 $root/util/get-tarball "https://github.com/openresty/memc-nginx-module/tarball/v$ver" -O memc-nginx-module-$ver.tar.gz || exit 1
 tar -xzf memc-nginx-module-$ver.tar.gz || exit 1
 mv openresty-memc-nginx-module-* memc-nginx-module-$ver || exit 1
@@ -527,7 +548,7 @@ mv calio-iconv-nginx-module-* iconv-nginx-module-$ver || exit 1
 
 #################################
 
-ver=0.07
+ver=0.08
 $root/util/get-tarball "https://github.com/openresty/encrypted-session-nginx-module/tarball/v$ver" -O encrypted-session-nginx-module-$ver.tar.gz || exit 1
 tar -xzf encrypted-session-nginx-module-$ver.tar.gz || exit 1
 mv openresty-encrypted-session-nginx-module-* encrypted-session-nginx-module-$ver || exit 1
@@ -577,14 +598,14 @@ mv FRiCKLE-ngx_coolkit-* ngx_coolkit-$ver || exit 1
 
 #################################
 
-ver=0.14
+ver=0.15
 $root/util/get-tarball "https://github.com/openresty/redis2-nginx-module/tarball/v$ver" -O redis2-nginx-module-$ver.tar.gz || exit 1
 tar -xzf redis2-nginx-module-$ver.tar.gz || exit 1
 mv openresty-redis2-nginx-module-* redis2-nginx-module-$ver || exit 1
 
 #################################
 
-ver=0.20
+ver=0.21
 $root/util/get-tarball "https://github.com/openresty/resty-cli/tarball/v$ver" -O resty-cli-$ver.tar.gz || exit 1
 tar -xzf resty-cli-$ver.tar.gz || exit 1
 mv openresty-resty-cli-* resty-cli-$ver || exit 1
@@ -592,7 +613,7 @@ resty_cli=resty-cli-$ver
 
 #################################
 
-ver=0.0.4
+ver=0.0.5
 $root/util/get-tarball "https://github.com/openresty/opm/tarball/v$ver" -O opm-$ver.tar.gz || exit 1
 tar -xzf opm-$ver.tar.gz || exit 1
 mv openresty-opm-* opm-$ver || exit 1
@@ -625,7 +646,7 @@ mv openresty-opm-* opm-$ver || exit 1
 
 #################################
 
-ver=2.1-20171103
+ver=2.1-20180420
 $root/util/get-tarball "https://github.com/openresty/luajit2/archive/v$ver.tar.gz" -O "LuaJIT-$ver.tar.gz" || exit 1
 tar -xzf LuaJIT-$ver.tar.gz || exit 1
 mv luajit2-* LuaJIT-$ver || exit 1
@@ -646,7 +667,7 @@ cd .. || exit 1
 
 #################################
 
-ver=2.1.0.5
+ver=2.1.0.6
 $root/util/get-tarball "https://github.com/openresty/lua-cjson/archive/$ver.tar.gz" -O "lua-cjson-$ver.tar.gz" || exit 1
 tar -xzf lua-cjson-$ver.tar.gz || exit 1
 #cd lua-cjson-$ver || exit 1
@@ -681,7 +702,7 @@ cd ..
 
 #################################
 
-ver=0.20
+ver=0.21
 $root/util/get-tarball "https://github.com/openresty/lua-resty-dns/tarball/v$ver" -O "lua-resty-dns-$ver.tar.gz" || exit 1
 tar -xzf lua-resty-dns-$ver.tar.gz || exit 1
 mv openresty-lua-resty-dns-* lua-resty-dns-$ver || exit 1
@@ -753,7 +774,7 @@ cd ..
 
 #################################
 
-ver=0.10
+ver=0.11
 $root/util/get-tarball "https://github.com/openresty/lua-resty-string/tarball/v$ver" -O "lua-resty-string-$ver.tar.gz" || exit 1
 tar -xzf lua-resty-string-$ver.tar.gz || exit 1
 mv openresty-lua-resty-string-* lua-resty-string-$ver || exit 1
@@ -789,7 +810,7 @@ cd ..
 
 #################################
 
-ver=0.07
+ver=0.08
 $root/util/get-tarball "https://github.com/openresty/lua-resty-lrucache/tarball/v$ver" -O "lua-resty-lrucache-$ver.tar.gz" || exit 1
 tar -xzf lua-resty-lrucache-$ver.tar.gz || exit 1
 mv openresty-lua-resty-lrucache-* lua-resty-lrucache-$ver || exit 1
@@ -801,7 +822,7 @@ cd ..
 
 #################################
 
-ver=0.1.13
+ver=0.1.15
 $root/util/get-tarball "https://github.com/openresty/lua-resty-core/tarball/v$ver" -O "lua-resty-core-$ver.tar.gz" || exit 1
 tar -xzf lua-resty-core-$ver.tar.gz || exit 1
 mv openresty-lua-resty-core-* lua-resty-core-$ver || exit 1
@@ -835,10 +856,12 @@ mkdir util || exit 1
 cp $root/util/package-win32.sh util/ || exit 1
 cp $root/util/build-win32.sh util/ || exit 1
 cp $root/COPYRIGHT ./ || exit 1
-perl bundle/$resty_cli/bin/md2pod.pl $root/doc/README-win32.md | pod2text > README-win32.txt || exit 1
-unix2dos README-win32.txt || exit 1
+perl bundle/$resty_cli/bin/md2pod.pl $root/doc/README-windows.md | pod2text > README-windows.txt || exit 1
+unix2dos README-windows.txt || exit 1
 mkdir patches/ || exit 1
 cp $root/patches/openssl-1.0.2h-sess_set_get_cb_yield.patch patches/ || exit 1
+cp $root/patches/openssl-1.1.0c-sess_set_get_cb_yield.patch patches/ || exit 1
+cp $root/patches/openssl-1.1.0d-sess_set_get_cb_yield.patch patches/ || exit 1
 
 restydoc_index=$bundle_dir/$resty_cli/bin/restydoc-index
 #restydoc_index=echo

util/package-win32.sh

@@ -1,7 +1,23 @@
 #!/bin/bash
 
+mingw32=/c/msys64/mingw32
+
+info=`uname -a`
+if [[ "$info" == MINGW64* ]]; then
+    arch="win64";
+else
+    if [[ "$info" == MINGW32* ]]; then
+        arch="win32";
+    else
+        echo "Unknown architecture: $info" > /dev/stderr
+        exit 1
+    fi
+fi
+
+echo $arch
+
 name=`pwd|perl -e '$d=<>;$d=~s{.*?/}{}g;$d=~s/$//g;print $d'`
-name="$name-win32"
+name="$name-$arch"
 echo $name
 if [ -d $name ]; then
     rm -rf $name
@@ -9,12 +25,15 @@ fi
 mkdir $name || exit 1
 cp -r resty restydoc restydoc-index nginx.exe luajit.exe lua51.dll lua include lualib html conf logs pod $name/ || exit 1
 cp COPYRIGHT $name/ || exit 1
-cp /c/MinGW/bin/libgcc_s_dw2-1.dll $name/ || exit 1
+if [[ "$arch" == "win32" ]]; then
+    cp $mingw32/bin/libgcc_s_dw2-1.dll $name/ || exit 1
+    cp $mingw32/bin/libwinpthread-1.dll $name/ || exit 1
+fi
 cd $name || exit 1
 PATH=/c/Strawberry/perl/bin:$PATH cmd /c 'pl2bat.bat resty' || exit 1
 PATH=/c/Strawberry/perl/bin:$PATH cmd /c 'pl2bat.bat restydoc' || exit 1
 PATH=/c/Strawberry/perl/bin:$PATH cmd /c 'pl2bat.bat restydoc-index' || exit 1
-cp ../README-win32.txt README.txt
+cp ../README-windows.txt README.txt
 unix2dos conf/* html/*.html resty || exit 1
 cd .. || exit 1
 zip -r $name.zip $name || exit 1

util/ver

@@ -1,7 +1,7 @@
 #!/bin/bash
 
 main_ver=1.13.6
-minor_ver=1
+minor_ver=2
 version=$main_ver.$minor_ver
 echo $version
 

valgrind.suppress

@@ -0,0 +1,209 @@
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Addr1
+   fun:ngx_init_cycle
+   fun:ngx_master_process_cycle
+   fun:main
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Addr4
+   fun:ngx_init_cycle
+   fun:ngx_master_process_cycle
+   fun:main
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Cond
+   fun:ngx_vslprintf
+   fun:ngx_snprintf
+   fun:ngx_sock_ntop
+   fun:ngx_event_accept
+   fun:ngx_epoll_process_events
+   fun:ngx_process_events_and_timers
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Addr1
+   fun:ngx_vslprintf
+   fun:ngx_snprintf
+   fun:ngx_sock_ntop
+   fun:ngx_event_accept
+}
+{
+   <insert_a_suppression_name_here>
+   exp-sgcheck:SorG
+   fun:ngx_http_lua_ndk_set_var_get
+}
+{
+   <insert_a_suppression_name_here>
+   exp-sgcheck:SorG
+   fun:ngx_http_variables_init_vars
+   fun:ngx_http_block
+}
+{
+   <insert_a_suppression_name_here>
+   exp-sgcheck:SorG
+   fun:ngx_conf_parse
+}
+{
+   <insert_a_suppression_name_here>
+   exp-sgcheck:SorG
+   fun:ngx_vslprintf
+   fun:ngx_log_error_core
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   epoll_ctl(event)
+   fun:epoll_ctl
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Cond
+   fun:ngx_conf_flush_files
+   fun:ngx_single_process_cycle
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Cond
+   fun:memcpy
+   fun:ngx_vslprintf
+   fun:ngx_log_error_core
+   fun:ngx_http_charset_header_filter
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   socketcall.setsockopt(optval)
+   fun:setsockopt
+   fun:drizzle_state_connect
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Cond
+   fun:ngx_conf_flush_files
+   fun:ngx_single_process_cycle
+   fun:main
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Leak
+   fun:malloc
+   fun:ngx_alloc
+   fun:ngx_event_process_init
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   sendmsg(mmsg[0].msg_hdr)
+   fun:sendmmsg
+   fun:__libc_res_nsend
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   sendmsg(msg.msg_iov[0])
+   fun:__sendmsg_nocancel
+   fun:ngx_write_channel
+   fun:ngx_pass_open_channel
+   fun:ngx_start_cache_manager_processes
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Cond
+   fun:ngx_init_cycle
+   fun:ngx_master_process_cycle
+   fun:main
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Cond
+   fun:index
+   fun:expand_dynamic_string_token
+   fun:_dl_map_object
+   fun:map_doit
+   fun:_dl_catch_error
+   fun:do_preload
+   fun:dl_main
+   fun:_dl_sysdep_start
+   fun:_dl_start
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   sendmsg(mmsg[0].msg_hdr)
+   fun:sendmmsg
+   fun:__libc_res_nsend
+   fun:__libc_res_nquery
+   fun:__libc_res_nquerydomain
+   fun:__libc_res_nsearch
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Leak
+   match-leak-kinds: definite
+   fun:malloc
+   fun:ngx_alloc
+   fun:ngx_set_environment
+   fun:ngx_single_process_cycle
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Cond
+   obj:*
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Leak
+   match-leak-kinds: definite
+   fun:malloc
+   fun:ngx_alloc
+   fun:ngx_set_environment
+   fun:ngx_worker_process_init
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Leak
+   match-leak-kinds: definite
+   fun:malloc
+   fun:ngx_alloc
+   fun:ngx_create_pool
+   fun:main
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   epoll_pwait(sigmask)
+   fun:epoll_pwait
+   fun:epoll_wait
+   fun:ngx_epoll_process_events
+   fun:ngx_process_events_and_timers
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   epoll_pwait(sigmask)
+   fun:epoll_pwait
+   fun:epoll_wait
+   fun:ngx_epoll_test_rdhup
+   fun:ngx_epoll_init
+   fun:ngx_event_process_init
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   epoll_pwait(sigmask)
+   fun:epoll_pwait
+   fun:ngx_epoll_process_events
+   fun:ngx_process_events_and_timers
+}
+{
+   <insert_a_suppression_name_here>
+   Memcheck:Param
+   epoll_pwait(sigmask)
+   fun:epoll_pwait
+   fun:ngx_epoll_test_rdhup
+   fun:ngx_epoll_init
+   fun:ngx_event_process_init
+}