annotate src/stream/ngx_stream_ssl_module.h @ 9217:6765e5f6d991
Upstream: fixed X-Accel-Redirect handling from cache files.

The X-Accel-Redirect header might appear in cache files if its handling
is ignored with the "proxy_ignore_headers" directive. If the cache file
is later served with different settings, ngx_http_upstream_process_headers()
used to call ngx_http_upstream_finalize_request(NGX_DECLINED), which
is not expected to happen before the cleanup handler is installed and
resulted in ngx_http_finalize_request(NGX_DONE) (after 5994:5abf5af257a7,
nginx 1.7.11), leading to unexpected request counter decrement, "request
count is zero" alerts, and segmentation faults.

Similarly, errors in ngx_http_upstream_process_headers() resulted in
ngx_http_upstream_finalize_request(NGX_HTTP_INTERNAL_SERVER_ERROR) being
called. This is also not expected to happen before the cleanup handler is
installed, and resulted in ngx_http_finalize_request(NGX_DONE) without
proper request finalization.

Fix is to avoid calling ngx_http_upstream_finalize_request() from
ngx_http_upstream_process_headers(), notably when the cleanup handler
is not yet installed. Errors now simply return NGX_ERROR, so the
caller is responsible for proper finalization by calling either
ngx_http_finalize_request() or ngx_http_upstream_finalize_request().
And X-Accel-Redirect handling now does not call
ngx_http_upstream_finalize_request(NGX_DECLINED) if no cleanup handler
is installed.

Reported by Jiří Setnička
(https://mailman.nginx.org/pipermail/nginx-devel/2024-February/HWLYHOO3DDB3XTFT6X3GRMXIEJ3SJRUA.html).
author | Maxim Dounin <mdounin@mdounin.ru> |
---|---|
date | Tue, 20 Feb 2024 01:23:43 +0300 |
parents | b9e02e9b2f1d |
children |
rev | line source |
---|---|
6115 | 1 |
6115 | 2 /* |
6115 | 3 * Copyright (C) Igor Sysoev |
6115 | 4 * Copyright (C) Nginx, Inc. |
6115 | 5 */ |
6115 | 6 |
6115 | 7 |
6115 | 8 #ifndef _NGX_STREAM_SSL_H_INCLUDED_ |
6115 | 9 #define _NGX_STREAM_SSL_H_INCLUDED_ |
6115 | 10 |
6115 | 11 |
6115 | 12 #include <ngx_config.h> |
6115 | 13 #include <ngx_core.h> |
6115 | 14 #include <ngx_stream.h> |
6115 | 15 |
6115 | 16 |
6115 | 17 typedef struct { |
6115 | 18 ngx_msec_t handshake_timeout; |
6115 | 19 |
6115 | 20 ngx_flag_t prefer_server_ciphers; |
6115 | 21 |
6115 | 22 ngx_ssl_t ssl; |
6115 | 23 |
7269 | 24 ngx_uint_t listen; |
6115 | 25 ngx_uint_t protocols; |
6115 | 26 |
6850 | 27 ngx_uint_t verify; |
6850 | 28 ngx_uint_t verify_depth; |
6850 | 29 |
6115 | 30 ssize_t builtin_session_cache; |
6115 | 31 |
6115 | 32 time_t session_timeout; |
6115 | 33 |
6550 | 34 ngx_array_t *certificates; |
6550 | 35 ngx_array_t *certificate_keys; |
6550 | 36 |
7464 | 37 ngx_array_t *certificate_values; |
7464 | 38 ngx_array_t *certificate_key_values; |
7464 | 39 |
6115 | 40 ngx_str_t dhparam; |
6115 | 41 ngx_str_t ecdh_curve; |
6850 | 42 ngx_str_t client_certificate; |
6850 | 43 ngx_str_t trusted_certificate; |
6850 | 44 ngx_str_t crl; |
7936 | 45 ngx_str_t alpn; |
6115 | 46 |
6115 | 47 ngx_str_t ciphers; |
6115 | 48 |
6115 | 49 ngx_array_t *passwords; |
7729 | 50 ngx_array_t *conf_commands; |
6115 | 51 |
6115 | 52 ngx_shm_zone_t *shm_zone; |
6115 | 53 |
6115 | 54 ngx_flag_t session_tickets; |
6115 | 55 ngx_array_t *session_ticket_keys; |
7269 | 56 |
7269 | 57 u_char *file; |
7269 | 58 ngx_uint_t line; |
6115 | 59 } ngx_stream_ssl_conf_t; |
6115 | 60 |
6115 | 61 |
6115 | 62 extern ngx_module_t ngx_stream_ssl_module; |
6115 | 63 |
6115 | 64 |
6115 | 65 #endif /* _NGX_STREAM_SSL_H_INCLUDED_ */ |

rev:changeset | description | author | parents |
---|---|---|---|
6550:51e1f047d15d | SSL: support for multiple certificates (ticket #814). | Maxim Dounin <mdounin@mdounin.ru> | 6115 |
6850:41cb1b64561d | Stream: client SSL certificates verification support. | Vladimir Homutov <vl@nginx.com> | 6550 |
7269:7f955d3b9a0d | SSL: detect "listen ... ssl" without certificates (ticket #178). | Maxim Dounin <mdounin@mdounin.ru> | 6850 |
7464:e970de27966a | SSL: dynamic certificate loading in the stream module. | Maxim Dounin <mdounin@mdounin.ru> | 7269 |
7729:3bff3f397c05 | SSL: ssl_conf_command directive. | Maxim Dounin <mdounin@mdounin.ru> | 7464 |
7936:b9e02e9b2f1d | Stream: the "ssl_alpn" directive. | Vladimir Homutov <vl@nginx.com> | 7729 |