nginx: src/stream/ngx_stream_ssl

annotate src/stream/ngx_stream_ssl_module.h @ 9217:6765e5f6d991

Upstream: fixed X-Accel-Redirect handling from cache files. The X-Accel-Redirect header might appear in cache files if its handling is ignored with the "proxy_ignore_headers" directive. If the cache file is later served with different settings, ngx_http_upstream_process_headers() used to call ngx_http_upstream_finalize_request(NGX_DECLINED), which is not expected to happen before the cleanup handler is installed and resulted in ngx_http_finalize_request(NGX_DONE) (after 5994:5abf5af257a7, nginx 1.7.11), leading to unexpected request counter decrement, "request count is zero" alerts, and segmentation faults. Similarly, errors in ngx_http_upstream_process_headers() resulted in ngx_http_upstream_finalize_request(NGX_HTTP_INTERNAL_SERVER_ERROR) being called. This is also not expected to happen before the cleanup handler is installed, and resulted in ngx_http_finalize_request(NGX_DONE) without proper request finalization. Fix is to avoid calling ngx_http_upstream_finalize_request() from ngx_http_upstream_process_headers(), notably when the cleanup handler is not yet installed. Errors are now simply return NGX_ERROR, so the caller is responsible for proper finalization by calling either ngx_http_finalize_request() or ngx_http_upstream_finalize_request(). And X-Accel-Redirect handling now does not call ngx_http_upstream_finalize_request(NGX_DECLINED) if no cleanup handler is installed. Reported by Jiří Setnička (https://mailman.nginx.org/pipermail/nginx-devel/2024-February/HWLYHOO3DDB3XTFT6X3GRMXIEJ3SJRUA.html).

author	Maxim Dounin <mdounin@mdounin.ru>
date	Tue, 20 Feb 2024 01:23:43 +0300
parents	b9e02e9b2f1d
children

rev	line source
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	1
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	2 /*
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	3 * Copyright (C) Igor Sysoev
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	4 * Copyright (C) Nginx, Inc.
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	5 */
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	6
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	7
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	8 #ifndef _NGX_STREAM_SSL_H_INCLUDED_
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	9 #define _NGX_STREAM_SSL_H_INCLUDED_
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	10
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	11
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	12 #include <ngx_config.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	13 #include <ngx_core.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	14 #include <ngx_stream.h>
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	15
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	16
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	17 typedef struct {
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	18 ngx_msec_t handshake_timeout;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	19
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	20 ngx_flag_t prefer_server_ciphers;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	21
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	22 ngx_ssl_t ssl;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	23
7269 7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 6850 diff changeset	24 ngx_uint_t listen;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	25 ngx_uint_t protocols;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	26
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6550 diff changeset	27 ngx_uint_t verify;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6550 diff changeset	28 ngx_uint_t verify_depth;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6550 diff changeset	29
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	30 ssize_t builtin_session_cache;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	31
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	32 time_t session_timeout;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	33
6550 51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6115 diff changeset	34 ngx_array_t *certificates;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6115 diff changeset	35 ngx_array_t *certificate_keys;
51e1f047d15d SSL: support for multiple certificates (ticket #814). Maxim Dounin <mdounin@mdounin.ru> parents: 6115 diff changeset	36
7464 e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	37 ngx_array_t *certificate_values;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	38 ngx_array_t *certificate_key_values;
e970de27966a SSL: dynamic certificate loading in the stream module. Maxim Dounin <mdounin@mdounin.ru> parents: 7269 diff changeset	39
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	40 ngx_str_t dhparam;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	41 ngx_str_t ecdh_curve;
6850 41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6550 diff changeset	42 ngx_str_t client_certificate;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6550 diff changeset	43 ngx_str_t trusted_certificate;
41cb1b64561d Stream: client SSL certificates verification support. Vladimir Homutov <vl@nginx.com> parents: 6550 diff changeset	44 ngx_str_t crl;
7936 b9e02e9b2f1d Stream: the "ssl_alpn" directive. Vladimir Homutov <vl@nginx.com> parents: 7729 diff changeset	45 ngx_str_t alpn;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	46
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	47 ngx_str_t ciphers;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	48
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	49 ngx_array_t *passwords;
7729 3bff3f397c05 SSL: ssl_conf_command directive. Maxim Dounin <mdounin@mdounin.ru> parents: 7464 diff changeset	50 ngx_array_t *conf_commands;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	51
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	52 ngx_shm_zone_t *shm_zone;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	53
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	54 ngx_flag_t session_tickets;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	55 ngx_array_t *session_ticket_keys;
7269 7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 6850 diff changeset	56
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 6850 diff changeset	57 u_char *file;
7f955d3b9a0d SSL: detect "listen ... ssl" without certificates (ticket #178). Maxim Dounin <mdounin@mdounin.ru> parents: 6850 diff changeset	58 ngx_uint_t line;
6115 61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	59 } ngx_stream_ssl_conf_t;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	60
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	61
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	62 extern ngx_module_t ngx_stream_ssl_module;
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	63
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	64
61d7ae76647d Stream: port from NGINX+. Ruslan Ermilov <ru@nginx.com> parents: diff changeset	65 #endif /* _NGX_STREAM_SSL_H_INCLUDED_ */

Mercurial > hg > nginx

annotate src/stream/ngx_stream_ssl_module.h @ 9217:6765e5f6d991