# HG changeset patch # User Igor Sysoev # Date 1326657600 -14400 # Node ID 5a4401b9551b03b8f6e903a6648bc9ad718fc05e # Parent e1296af53cc049396fb9b8771cba430d4dc00fe4 nginx 1.1.13 *) Feature: the "TLSv1.1" and "TLSv1.2" parameters of the "ssl_protocols" directive. *) Bugfix: the "limit_req" directive parameters were not inherited correctly; the bug had appeared in 1.1.12. *) Bugfix: the "proxy_redirect" directive incorrectly processed "Refresh" header if regular expression were used. *) Bugfix: the "proxy_cache_use_stale" directive with "error" parameter did not return answer from cache if there were no live upstreams. *) Bugfix: the "worker_cpu_affinity" directive might not work. *) Bugfix: nginx could not be built on Solaris; the bug had appeared in 1.1.12. *) Bugfix: in the ngx_http_mp4_module. diff --git a/CHANGES b/CHANGES --- a/CHANGES +++ b/CHANGES @@ -1,8 +1,30 @@ +Changes with nginx 1.1.13 16 Jan 2012 + + *) Feature: the "TLSv1.1" and "TLSv1.2" parameters of the + "ssl_protocols" directive. + + *) Bugfix: the "limit_req" directive parameters were not inherited + correctly; the bug had appeared in 1.1.12. + + *) Bugfix: the "proxy_redirect" directive incorrectly processed + "Refresh" header if regular expression were used. + + *) Bugfix: the "proxy_cache_use_stale" directive with "error" parameter + did not return answer from cache if there were no live upstreams. + + *) Bugfix: the "worker_cpu_affinity" directive might not work. + + *) Bugfix: nginx could not be built on Solaris; the bug had appeared in + 1.1.12. + + *) Bugfix: in the ngx_http_mp4_module. + + Changes with nginx 1.1.12 26 Dec 2011 *) Change: a "proxy_pass" directive without URI part now uses changed - URI after redirection with the "error_page" directive; + URI after redirection with the "error_page" directive. Thanks to Lanshun Zhou. *) Feature: the "proxy/fastcgi/scgi/uwsgi_cache_lock", @@ -28,7 +50,7 @@ Changes with nginx 1.1.12 original request URI if variables were used. *) Bugfix: a "proxy_pass" directive without URI part might use original - request after redirection with the "try_files" directive; + request after redirection with the "try_files" directive. Thanks to Lanshun Zhou. *) Bugfix: in the ngx_http_scgi_module. diff --git a/CHANGES.ru b/CHANGES.ru --- a/CHANGES.ru +++ b/CHANGES.ru @@ -1,9 +1,31 @@ +Изменения в nginx 1.1.13 16.01.2012 + + *) Добавление: параметры TLSv1.1 и TLSv1.2 в директиве ssl_protocols. + + *) Исправление: параметры директивы limit_req наследовались некорректно; + ошибка появилась в 1.1.12. + + *) Исправление: директива proxy_redirect некорректно обрабатывала + заголовк Refresh при использовании регулярных выражений. + + *) Исправление: директива proxy_cache_use_stale с параметром error не + возвращала ответ из кэша, если все бекенды были признаны + неработающими. + + *) Исправление: директива worker_cpu_affinity могла не работать. + + *) Исправление: nginx не собирался на Solaris; ошибка появилась в + 1.1.12. + + *) Исправление: в модуле ngx_http_mp4_module. + + Изменения в nginx 1.1.12 26.12.2011 *) Изменение: после перенаправления запроса с помощью директивы error_page директива proxy_pass без URI теперь использует изменённый - URI; + URI. Спасибо Lanshun Zhou. *) Добавление: директивы proxy/fastcgi/scgi/uwsgi_cache_lock, @@ -30,7 +52,7 @@ *) Исправление: после перенаправления запроса с помощью директивы try_files директива proxy_pass без URI могла использовать URI - исходного запроса; + исходного запроса. Спасибо Lanshun Zhou. *) Исправление: в модуле ngx_http_scgi_module. diff --git a/LICENSE b/LICENSE --- a/LICENSE +++ b/LICENSE @@ -1,5 +1,5 @@ /* - * Copyright (C) 2002-2011 Igor Sysoev + * Copyright (C) 2002-2012 Igor Sysoev * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions diff --git a/auto/cc/icc b/auto/cc/icc --- a/auto/cc/icc +++ b/auto/cc/icc @@ -2,7 +2,7 @@ # Copyright (C) Igor Sysoev -# Intel C++ compiler 7.1, 8.0, 8.1, 9.0 +# Intel C++ compiler 7.1, 8.0, 8.1, 9.0, 11.1 NGX_ICC_VER=`$CC -V 2>&1 | grep 'Version' 2>&1 \ | sed -e 's/^.* Version \([^ ]*\) *Build.*$/\1/'` @@ -15,32 +15,7 @@ have=NGX_COMPILER value="\"Intel C Compi # optimizations CFLAGS="$CFLAGS -O" -# inline the functions declared with __inline -#CFLAGS="$CFLAGS -Ob1" -# inline any function, at the compiler's discretion -CFLAGS="$CFLAGS -Ob2" -# multi-file IP optimizations -case "$NGX_ICC_VER" in - 9.*) - IPO="-ipo" - ;; - - # 8.1.38 under FreeBSD can not link -ipo - 8.1) - IPO="-ip" - ;; - - *) - IPO="-ipo -ipo_obj" - ;; -esac - -# single-file IP optimizations -#IPO="-ip" - -CFLAGS="$CFLAGS $IPO" -CORE_LINK="$CORE_LINK $IPO" CORE_LINK="$CORE_LINK -opt_report_file=$NGX_OBJS/opt_report_file" @@ -64,15 +39,15 @@ esac CFLAGS="$CFLAGS $CPU_OPT" if [ ".$PCRE_OPT" = "." ]; then - PCRE_OPT="-O $IPO $CPU_OPT" + PCRE_OPT="-O $CPU_OPT" fi if [ ".$MD5_OPT" = "." ]; then - MD5_OPT="-O $IPO $CPU_OPT" + MD5_OPT="-O $CPU_OPT" fi if [ ".$ZLIB_OPT" = "." ]; then - ZLIB_OPT="-O $IPO $CPU_OPT" + ZLIB_OPT="-O $CPU_OPT" fi diff --git a/auto/lib/pcre/conf b/auto/lib/pcre/conf --- a/auto/lib/pcre/conf +++ b/auto/lib/pcre/conf @@ -165,7 +165,7 @@ else PCRE=YES fi - if [ $PCRE == YES ]; then + if [ $PCRE = YES ]; then ngx_feature="PCRE JIT support" ngx_feature_name="NGX_HAVE_PCRE_JIT" ngx_feature_test="int jit = 0; diff --git a/src/core/nginx.h b/src/core/nginx.h --- a/src/core/nginx.h +++ b/src/core/nginx.h @@ -8,8 +8,8 @@ #define _NGINX_H_INCLUDED_ -#define nginx_version 1001011 -#define NGINX_VERSION "1.1.12" +#define nginx_version 1001013 +#define NGINX_VERSION "1.1.13" #define NGINX_VER "nginx/" NGINX_VERSION #define NGINX_VAR "NGINX" diff --git a/src/core/ngx_hash.c b/src/core/ngx_hash.c --- a/src/core/ngx_hash.c +++ b/src/core/ngx_hash.c @@ -277,7 +277,7 @@ ngx_hash_init(ngx_hash_init_t *hinit, ng start = nelts / (bucket_size / (2 * sizeof(void *))); start = start ? start : 1; - if (hinit->max_size > 10000 && hinit->max_size / nelts < 100) { + if (hinit->max_size > 10000 && nelts && hinit->max_size / nelts < 100) { start = hinit->max_size - 1000; } diff --git a/src/core/ngx_log.h b/src/core/ngx_log.h --- a/src/core/ngx_log.h +++ b/src/core/ngx_log.h @@ -121,15 +121,38 @@ void ngx_cdecl ngx_log_debug_core(ngx_lo #if (NGX_HAVE_VARIADIC_MACROS) -#define ngx_log_debug0 ngx_log_debug -#define ngx_log_debug1 ngx_log_debug -#define ngx_log_debug2 ngx_log_debug -#define ngx_log_debug3 ngx_log_debug -#define ngx_log_debug4 ngx_log_debug -#define ngx_log_debug5 ngx_log_debug -#define ngx_log_debug6 ngx_log_debug -#define ngx_log_debug7 ngx_log_debug -#define ngx_log_debug8 ngx_log_debug +#define ngx_log_debug0(level, log, err, fmt) \ + ngx_log_debug(level, log, err, fmt) + +#define ngx_log_debug1(level, log, err, fmt, arg1) \ + ngx_log_debug(level, log, err, fmt, arg1) + +#define ngx_log_debug2(level, log, err, fmt, arg1, arg2) \ + ngx_log_debug(level, log, err, fmt, arg1, arg2) + +#define ngx_log_debug3(level, log, err, fmt, arg1, arg2, arg3) \ + ngx_log_debug(level, log, err, fmt, arg1, arg2, arg3) + +#define ngx_log_debug4(level, log, err, fmt, arg1, arg2, arg3, arg4) \ + ngx_log_debug(level, log, err, fmt, arg1, arg2, arg3, arg4) + +#define ngx_log_debug5(level, log, err, fmt, arg1, arg2, arg3, arg4, arg5) \ + ngx_log_debug(level, log, err, fmt, arg1, arg2, arg3, arg4, arg5) + +#define ngx_log_debug6(level, log, err, fmt, \ + arg1, arg2, arg3, arg4, arg5, arg6) \ + ngx_log_debug(level, log, err, fmt, \ + arg1, arg2, arg3, arg4, arg5, arg6) + +#define ngx_log_debug7(level, log, err, fmt, \ + arg1, arg2, arg3, arg4, arg5, arg6, arg7) \ + ngx_log_debug(level, log, err, fmt, \ + arg1, arg2, arg3, arg4, arg5, arg6, arg7) + +#define ngx_log_debug8(level, log, err, fmt, \ + arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8) \ + ngx_log_debug(level, log, err, fmt, \ + arg1, arg2, arg3, arg4, arg5, arg6, arg7, arg8) #else /* NO VARIADIC MACROS */ diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c @@ -78,18 +78,6 @@ ngx_module_t ngx_openssl_module = { }; -static long ngx_ssl_protocols[] = { - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv2|SSL_OP_NO_TLSv1, - SSL_OP_NO_TLSv1, - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3, - SSL_OP_NO_SSLv3, - SSL_OP_NO_SSLv2, - 0, -}; - - int ngx_ssl_connection_index; int ngx_ssl_server_conf_index; int ngx_ssl_session_cache_index; @@ -171,9 +159,25 @@ ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_ SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); - if (ngx_ssl_protocols[protocols >> 1] != 0) { - SSL_CTX_set_options(ssl->ctx, ngx_ssl_protocols[protocols >> 1]); + if (!(protocols & NGX_SSL_SSLv2)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); + } + if (!(protocols & NGX_SSL_SSLv3)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); + } + if (!(protocols & NGX_SSL_TLSv1)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); } +#ifdef SSL_OP_NO_TLSv1_1 + if (!(protocols & NGX_SSL_TLSv1_1)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); + } +#endif +#ifdef SSL_OP_NO_TLSv1_2 + if (!(protocols & NGX_SSL_TLSv1_2)) { + SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); + } +#endif #ifdef SSL_OP_NO_COMPRESSION SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -81,9 +81,11 @@ typedef struct { -#define NGX_SSL_SSLv2 2 -#define NGX_SSL_SSLv3 4 -#define NGX_SSL_TLSv1 8 +#define NGX_SSL_SSLv2 0x0002 +#define NGX_SSL_SSLv3 0x0004 +#define NGX_SSL_TLSv1 0x0008 +#define NGX_SSL_TLSv1_1 0x0010 +#define NGX_SSL_TLSv1_2 0x0020 #define NGX_SSL_BUFFER 1 diff --git a/src/http/modules/ngx_http_fastcgi_module.c b/src/http/modules/ngx_http_fastcgi_module.c --- a/src/http/modules/ngx_http_fastcgi_module.c +++ b/src/http/modules/ngx_http_fastcgi_module.c @@ -2314,6 +2314,10 @@ ngx_http_fastcgi_merge_loc_conf(ngx_conf |NGX_HTTP_UPSTREAM_FT_OFF; } + if (conf->upstream.cache_use_stale & NGX_HTTP_UPSTREAM_FT_ERROR) { + conf->upstream.cache_use_stale |= NGX_HTTP_UPSTREAM_FT_NOLIVE; + } + if (conf->upstream.cache_methods == 0) { conf->upstream.cache_methods = prev->upstream.cache_methods; } diff --git a/src/http/modules/ngx_http_limit_req_module.c b/src/http/modules/ngx_http_limit_req_module.c --- a/src/http/modules/ngx_http_limit_req_module.c +++ b/src/http/modules/ngx_http_limit_req_module.c @@ -570,6 +570,8 @@ ngx_http_limit_req_merge_conf(ngx_conf_t if (conf->shm_zone == NULL) { conf->shm_zone = prev->shm_zone; + conf->burst = prev->burst; + conf->nodelay = prev->nodelay; } ngx_conf_merge_uint_value(conf->limit_log_level, prev->limit_log_level, diff --git a/src/http/modules/ngx_http_mp4_module.c b/src/http/modules/ngx_http_mp4_module.c --- a/src/http/modules/ngx_http_mp4_module.c +++ b/src/http/modules/ngx_http_mp4_module.c @@ -165,10 +165,10 @@ typedef struct { ((u_char *) (p))[7] = n4 #define ngx_mp4_get_32value(p) \ - ( (((u_char *) (p))[0] << 24) \ - + (((u_char *) (p))[1] << 16) \ - + (((u_char *) (p))[2] << 8) \ - + (((u_char *) (p))[3]) ) + ( ((uint32_t) ((u_char *) (p))[0] << 24) \ + + ( ((u_char *) (p))[1] << 16) \ + + ( ((u_char *) (p))[2] << 8) \ + + ( ((u_char *) (p))[3]) ) #define ngx_mp4_set_32value(p, n) \ ((u_char *) (p))[0] = (u_char) ((n) >> 24); \ diff --git a/src/http/modules/ngx_http_proxy_module.c b/src/http/modules/ngx_http_proxy_module.c --- a/src/http/modules/ngx_http_proxy_module.c +++ b/src/http/modules/ngx_http_proxy_module.c @@ -2348,6 +2348,8 @@ static ngx_int_t ngx_http_proxy_rewrite_redirect_regex(ngx_http_request_t *r, ngx_table_elt_t *h, size_t prefix, ngx_http_proxy_redirect_t *pr) { + size_t len; + u_char *data; ngx_str_t redirect, replacement; redirect.len = h->value.len - prefix; @@ -2361,7 +2363,23 @@ ngx_http_proxy_rewrite_redirect_regex(ng return NGX_ERROR; } - h->value = replacement; + if (!prefix) { + h->value = replacement; + return NGX_OK; + } + + len = prefix + replacement.len; + + data = ngx_pnalloc(r->pool, len); + if (data == NULL) { + return NGX_ERROR; + } + + ngx_memcpy(data, h->value.data, prefix); + ngx_memcpy(data + prefix, replacement.data, replacement.len); + + h->value.len = len; + h->value.data = data; return NGX_OK; } @@ -2667,17 +2685,21 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t (NGX_CONF_BITMASK_SET |NGX_HTTP_UPSTREAM_FT_OFF)); + if (conf->upstream.cache_use_stale & NGX_HTTP_UPSTREAM_FT_OFF) { + conf->upstream.cache_use_stale = NGX_CONF_BITMASK_SET + |NGX_HTTP_UPSTREAM_FT_OFF; + } + + if (conf->upstream.cache_use_stale & NGX_HTTP_UPSTREAM_FT_ERROR) { + conf->upstream.cache_use_stale |= NGX_HTTP_UPSTREAM_FT_NOLIVE; + } + if (conf->upstream.cache_methods == 0) { conf->upstream.cache_methods = prev->upstream.cache_methods; } conf->upstream.cache_methods |= NGX_HTTP_GET|NGX_HTTP_HEAD; - if (conf->upstream.cache_use_stale & NGX_HTTP_UPSTREAM_FT_OFF) { - conf->upstream.cache_use_stale = NGX_CONF_BITMASK_SET - |NGX_HTTP_UPSTREAM_FT_OFF; - } - ngx_conf_merge_ptr_value(conf->upstream.cache_bypass, prev->upstream.cache_bypass, NULL); @@ -3580,7 +3602,9 @@ ngx_http_proxy_set_ssl(ngx_conf_t *cf, n plcf->upstream.ssl->log = cf->log; if (ngx_ssl_create(plcf->upstream.ssl, - NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1, NULL) + NGX_SSL_SSLv2|NGX_SSL_SSLv3|NGX_SSL_TLSv1 + |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2, + NULL) != NGX_OK) { return NGX_ERROR; diff --git a/src/http/modules/ngx_http_scgi_module.c b/src/http/modules/ngx_http_scgi_module.c --- a/src/http/modules/ngx_http_scgi_module.c +++ b/src/http/modules/ngx_http_scgi_module.c @@ -1286,6 +1286,10 @@ ngx_http_scgi_merge_loc_conf(ngx_conf_t |NGX_HTTP_UPSTREAM_FT_OFF; } + if (conf->upstream.cache_use_stale & NGX_HTTP_UPSTREAM_FT_ERROR) { + conf->upstream.cache_use_stale |= NGX_HTTP_UPSTREAM_FT_NOLIVE; + } + if (conf->upstream.cache_methods == 0) { conf->upstream.cache_methods = prev->upstream.cache_methods; } diff --git a/src/http/modules/ngx_http_ssl_module.c b/src/http/modules/ngx_http_ssl_module.c --- a/src/http/modules/ngx_http_ssl_module.c +++ b/src/http/modules/ngx_http_ssl_module.c @@ -37,6 +37,8 @@ static ngx_conf_bitmask_t ngx_http_ssl_ { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, + { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, + { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, { ngx_null_string, 0 } }; @@ -364,7 +366,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t * prev->prefer_server_ciphers, 0); ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, - (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); + (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 + |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); ngx_conf_merge_uint_value(conf->verify, prev->verify, 0); ngx_conf_merge_uint_value(conf->verify_depth, prev->verify_depth, 1); diff --git a/src/http/modules/ngx_http_uwsgi_module.c b/src/http/modules/ngx_http_uwsgi_module.c --- a/src/http/modules/ngx_http_uwsgi_module.c +++ b/src/http/modules/ngx_http_uwsgi_module.c @@ -1338,6 +1338,10 @@ ngx_http_uwsgi_merge_loc_conf(ngx_conf_t |NGX_HTTP_UPSTREAM_FT_OFF; } + if (conf->upstream.cache_use_stale & NGX_HTTP_UPSTREAM_FT_ERROR) { + conf->upstream.cache_use_stale |= NGX_HTTP_UPSTREAM_FT_NOLIVE; + } + if (conf->upstream.cache_methods == 0) { conf->upstream.cache_methods = prev->upstream.cache_methods; } diff --git a/src/http/modules/perl/nginx.pm b/src/http/modules/perl/nginx.pm --- a/src/http/modules/perl/nginx.pm +++ b/src/http/modules/perl/nginx.pm @@ -48,7 +48,7 @@ our @EXPORT = qw( HTTP_INSUFFICIENT_STORAGE ); -our $VERSION = '1.1.12'; +our $VERSION = '1.1.13'; require XSLoader; XSLoader::load('nginx', $VERSION); diff --git a/src/mail/ngx_mail_ssl_module.c b/src/mail/ngx_mail_ssl_module.c --- a/src/mail/ngx_mail_ssl_module.c +++ b/src/mail/ngx_mail_ssl_module.c @@ -37,6 +37,8 @@ static ngx_conf_bitmask_t ngx_mail_ssl_ { ngx_string("SSLv2"), NGX_SSL_SSLv2 }, { ngx_string("SSLv3"), NGX_SSL_SSLv3 }, { ngx_string("TLSv1"), NGX_SSL_TLSv1 }, + { ngx_string("TLSv1.1"), NGX_SSL_TLSv1_1 }, + { ngx_string("TLSv1.2"), NGX_SSL_TLSv1_2 }, { ngx_null_string, 0 } }; @@ -206,7 +208,8 @@ ngx_mail_ssl_merge_conf(ngx_conf_t *cf, prev->prefer_server_ciphers, 0); ngx_conf_merge_bitmask_value(conf->protocols, prev->protocols, - (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1)); + (NGX_CONF_BITMASK_SET|NGX_SSL_SSLv3|NGX_SSL_TLSv1 + |NGX_SSL_TLSv1_1|NGX_SSL_TLSv1_2)); ngx_conf_merge_str_value(conf->certificate, prev->certificate, ""); ngx_conf_merge_str_value(conf->certificate_key, prev->certificate_key, ""); diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c --- a/src/os/unix/ngx_process_cycle.c +++ b/src/os/unix/ngx_process_cycle.c @@ -914,7 +914,10 @@ ngx_worker_process_init(ngx_cycle_t *cyc ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "sched_setaffinity(0x%08Xl)", cpu_affinity); - if (sched_setaffinity(0, 32, (cpu_set_t *) &cpu_affinity) == -1) { + if (sched_setaffinity(0, sizeof(cpu_affinity), + (cpu_set_t *) &cpu_affinity) + == -1) + { ngx_log_error(NGX_LOG_ALERT, cycle->log, ngx_errno, "sched_setaffinity(0x%08Xl) failed", cpu_affinity); }