Merge branch 'master' into segfault-xquic-cert_cb

alibaba · Jul 27, 2023 · 9f9fad1 · 9f9fad1
2 parents 187b10b + 5cef159
commit 9f9fad1
Show file tree

Hide file tree

Showing 14 changed files with 471 additions and 48 deletions.
diff --git a/.github/workflows/test-ntls.yml b/.github/workflows/test-ntls.yml
@@ -77,6 +77,7 @@ jobs:
             --with-openssl=../Tongsuo \
             --with-openssl-opt="--api=1.1.1 enable-ntls" \
             --with-http_ssl_module \
+            --with-http_v2_module \
             --with-stream \
             --with-stream_ssl_module \
             --with-stream_sni

diff --git a/CHANGES b/CHANGES
@@ -1,14 +1,156 @@
-Changes with nginx 1.22.1                                        19 Oct 2022
+Changes with nginx 1.24.0                                        11 Apr 2023
+
+    *) 1.24.x stable branch.
+
+
+Changes with nginx 1.23.4                                        28 Mar 2023
+
+    *) Change: now TLSv1.3 protocol is enabled by default.
+
+    *) Change: now nginx issues a warning if protocol parameters of a
+       listening socket are redefined.
+
+    *) Change: now nginx closes connections with lingering if pipelining was
+       used by the client.
+
+    *) Feature: byte ranges support in the ngx_http_gzip_static_module.
+
+    *) Bugfix: port ranges in the "listen" directive did not work; the bug
+       had appeared in 1.23.3.
+       Thanks to Valentin Bartenev.
+
+    *) Bugfix: incorrect location might be chosen to process a request if a
+       prefix location longer than 255 characters was used in the
+       configuration.
+
+    *) Bugfix: non-ASCII characters in file names on Windows were not
+       supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
+       and the "include" directive.
+
+    *) Change: the logging level of the "data length too long", "length too
+       short", "bad legacy version", "no shared signature algorithms", "bad
+       digest length", "missing sigalgs extension", "encrypted length too
+       long", "bad length", "bad key update", "mixed handshake and non
+       handshake data", "ccs received early", "data between ccs and
+       finished", "packet length too long", "too many warn alerts", "record
+       too small", and "got a fin before a ccs" SSL errors has been lowered
+       from "crit" to "info".
+
+    *) Bugfix: a socket leak might occur when using HTTP/2 and the
+       "error_page" directive to redirect errors with code 400.
+
+    *) Bugfix: messages about logging to syslog errors did not contain
+       information that the errors happened while logging to syslog.
+       Thanks to Safar Safarly.
+
+    *) Workaround: "gzip filter failed to use preallocated memory" alerts
+       appeared in logs when using zlib-ng.
+
+    *) Bugfix: in the mail proxy server.
+
+
+Changes with nginx 1.23.3                                        13 Dec 2022
+
+    *) Bugfix: an error might occur when reading PROXY protocol version 2
+       header with large number of TLVs.
+
+    *) Bugfix: a segmentation fault might occur in a worker process if SSI
+       was used to process subrequests created by other modules.
+       Thanks to Ciel Zhao.
+
+    *) Workaround: when a hostname used in the "listen" directive resolves
+       to multiple addresses, nginx now ignores duplicates within these
+       addresses.
+
+    *) Bugfix: nginx might hog CPU during unbuffered proxying if SSL
+       connections to backends were used.
+
+
+Changes with nginx 1.23.2                                        19 Oct 2022
 
     *) Security: processing of a specially crafted mp4 file by the
        ngx_http_mp4_module might cause a worker process crash, worker
        process memory disclosure, or might have potential other impact
        (CVE-2022-41741, CVE-2022-41742).
 
+    *) Feature: the "$proxy_protocol_tlv_..." variables.
+
+    *) Feature: TLS session tickets encryption keys are now automatically
+       rotated when using shared memory in the "ssl_session_cache"
+       directive.
+
+    *) Change: the logging level of the "bad record type" SSL errors has
+       been lowered from "crit" to "info".
+       Thanks to Murilo Andrade.
+
+    *) Change: now when using shared memory in the "ssl_session_cache"
+       directive the "could not allocate new session" errors are logged at
+       the "warn" level instead of "alert" and not more often than once per
+       second.
+
+    *) Bugfix: nginx/Windows could not be built with OpenSSL 3.0.x.
+
+    *) Bugfix: in logging of the PROXY protocol errors.
+       Thanks to Sergey Brester.
+
+    *) Workaround: shared memory from the "ssl_session_cache" directive was
+       spent on sessions using TLS session tickets when using TLSv1.3 with
+       OpenSSL.
+
+    *) Workaround: timeout specified with the "ssl_session_timeout"
+       directive did not work when using TLSv1.3 with OpenSSL or BoringSSL.
+
+
+Changes with nginx 1.23.1                                        19 Jul 2022
+
+    *) Feature: memory usage optimization in configurations with SSL
+       proxying.
+
+    *) Feature: looking up of IPv4 addresses while resolving now can be
+       disabled with the "ipv4=off" parameter of the "resolver" directive.
+
+    *) Change: the logging level of the "bad key share", "bad extension",
+       "bad cipher", and "bad ecpoint" SSL errors has been lowered from
+       "crit" to "info".
+
+    *) Bugfix: while returning byte ranges nginx did not remove the
+       "Content-Range" header line if it was present in the original backend
+       response.
+
+    *) Bugfix: a proxied response might be truncated during reconfiguration
+       on Linux; the bug had appeared in 1.17.5.
 
-Changes with nginx 1.22.0                                        24 May 2022
 
-    *) 1.22.x stable branch.
+Changes with nginx 1.23.0                                        21 Jun 2022
+
+    *) Change in internal API: now header lines are represented as linked
+       lists.
+
+    *) Change: now nginx combines arbitrary header lines with identical
+       names when sending to FastCGI, SCGI, and uwsgi backends, in the
+       $r->header_in() method of the ngx_http_perl_module, and during lookup
+       of the "$http_...", "$sent_http_...", "$sent_trailer_...",
+       "$upstream_http_...", and "$upstream_trailer_..." variables.
+
+    *) Bugfix: if there were multiple "Vary" header lines in the backend
+       response, nginx only used the last of them when caching.
+
+    *) Bugfix: if there were multiple "WWW-Authenticate" header lines in the
+       backend response and errors with code 401 were intercepted or the
+       "auth_request" directive was used, nginx only sent the first of the
+       header lines to the client.
+
+    *) Change: the logging level of the "application data after close
+       notify" SSL errors has been lowered from "crit" to "info".
+
+    *) Bugfix: connections might hang if nginx was built on Linux 2.6.17 or
+       newer, but was used on systems without EPOLLRDHUP support, notably
+       with epoll emulation layers; the bug had appeared in 1.17.5.
+       Thanks to Marcus Ball.
+
+    *) Bugfix: nginx did not cache the response if the "Expires" response
+       header line disabled caching, but following "Cache-Control" header
+       line enabled caching.
 
 
 Changes with nginx 1.21.6                                        25 Jan 2022
@@ -398,11 +540,6 @@ Changes with nginx 1.19.0                                        26 May 2020
     *) Bugfix: connections with incorrect HTTP/2 preface were not logged.
 
 
-Changes with nginx 1.18.0                                        21 Apr 2020
-
-    *) 1.18.x stable branch.
-
-
 Changes with nginx 1.17.10                                       14 Apr 2020
 
     *) Feature: the "auth_delay" directive.
@@ -592,16 +729,12 @@ Changes with nginx 1.17.0                                        21 May 2019
 
     *) Bugfix: in byte ranges processing.
 
-Changes with nginx 1.16.0                                        23 Apr 2019
-
-    *) 1.16.x stable branch.
-
 
 Changes with nginx 1.15.12                                       16 Apr 2019
 
     *) Bugfix: a segmentation fault might occur in a worker process if
-variables were used in the "ssl_certificate" or "ssl_certificate_key"
-directives and OCSP stapling was enabled.
+       variables were used in the "ssl_certificate" or "ssl_certificate_key"
+       directives and OCSP stapling was enabled.
 
 
 Changes with nginx 1.15.11                                       09 Apr 2019
@@ -612,18 +745,19 @@ Changes with nginx 1.15.11                                       09 Apr 2019
 Changes with nginx 1.15.10                                       26 Mar 2019
 
     *) Change: when using a hostname in the "listen" directive nginx now
-creates listening sockets for all addresses the hostname resolves to
-(previously, only the first address was used).
+       creates listening sockets for all addresses the hostname resolves to
+       (previously, only the first address was used).
 
     *) Feature: port ranges in the "listen" directive.
 
     *) Feature: loading of SSL certificates and secret keys from variables.
 
     *) Workaround: the $ssl_server_name variable might be empty when using
-OpenSSL 1.1.1.
+       OpenSSL 1.1.1.
 
     *) Bugfix: nginx/Windows could not be built with Visual Studio 2015 or
-newer; the bug had appeared in 1.15.9.
+       newer; the bug had appeared in 1.15.9.
+
 
 Changes with nginx 1.15.9                                        26 Feb 2019
 
@@ -8907,4 +9041,3 @@ Changes with nginx 0.1.1                                         11 Oct 2004
 Changes with nginx 0.1.0                                         04 Oct 2004
 
     *) The first public version.
-
diff --git a/README.markdown b/README.markdown
@@ -1,14 +1,26 @@
+<h1 align="center" style="border-bottom: none">
+    <br>Tengine
+</h1>
 
-Introduction [![Build Status](https://github.com/alibaba/tengine/actions/workflows/ci.yml/badge.svg)](https://github.com/alibaba/tengine/actions/workflows/ci.yml)
-============
+<p align="center">Visit <a href="https://tengine.taobao.org" target="_blank">tengine.taobao.org</a> for the full documentation,
+examples and guides.</p>
 
+<div align="center">
+
+[![GitHub license](https://img.shields.io/github/license/alibaba/tengine.svg)](https://github.com/alibaba/tengine/blob/main/LICENSE)
+[![GitHub stars](https://img.shields.io/github/stars/alibaba/tengine.svg)](https://github.com/alibaba/tengine/stargazers)
+[![GitHub stars](https://img.shields.io/badge/contributions-welcome-orange.svg)](https://github.com/alibaba/tengine/blob/main/CONTRIBUTING.md)
+[![Build Status](https://github.com/alibaba/tengine/actions/workflows/ci.yml/badge.svg)](https://github.com/alibaba/tengine/actions/workflows/ci.yml)
+
+</div>
+
+
+## Introduction
 Tengine is a web server originated by [Taobao](http://en.wikipedia.org/wiki/Taobao), the largest e-commerce website in Asia. It is based on the [Nginx](http://nginx.org) HTTP server and has many advanced features. Tengine has proven to be very stable and efficient on some of the top 100 websites in the world, including [taobao.com](http://www.taobao.com) and [tmall.com](http://www.tmall.com).
 
 Tengine has been an open source project since December 2011. It is being actively developed by the Tengine team, whose core members are from Taobao, Sogou and other Internet companies. Tengine is a community effort and everyone is encouraged to [get involved](https://github.com/alibaba/tengine).
 
-Features
-========
-
+## Features
 * All features of nginx-1.24.0 are inherited, i.e., it is 100% compatible with nginx.
 * Dynamically reconfigure the servers, locations and upstreams without reloading or restarting worker processes with [tengine-ingress](https://github.com/alibaba/tengine-ingress).
 * HTTP/3 support (QUIC v1 and draft-29) with [xquic](https://github.com/alibaba/xquic).
@@ -35,29 +47,32 @@ Features
 * Expiration times can be specified for certain MIME types.
 * ...
 
-Installation
-============
-
+## Installation
 Tengine can be downloaded at [http://tengine.taobao.org/download/tengine.tar.gz](http://tengine.taobao.org/download/tengine.tar.gz). You can also checkout the latest source code from GitHub at [https://github.com/alibaba/tengine](https://github.com/alibaba/tengine)
 
 To install Tengine, just follow these three steps:
-
-    $ ./configure
-    $ make
-    # make install
+```bash
+./configure
+make
+sudo make install
+```
 
 By default, it will be installed to _/usr/local/nginx_. You can use the __'--prefix'__ option to specify the root directory.
 If you want to know all the _'configure'_ options, you should run __'./configure --help'__ for help.
 
-Documentation
-=============
-
+## Documentation
 The homepage of Tengine is at [http://tengine.taobao.org/](http://tengine.taobao.org/)
 You can access [http://tengine.taobao.org/documentation.html](http://tengine.taobao.org/documentation.html) for more information.
 
-Contact
-=============
-
+## Contact
 [https://github.com/alibaba/tengine/issues](https://github.com/alibaba/tengine/issues)
 
 Dingtalk user group: 23394285
+
+## License
+
+[BSD-2-Clause License](https://github.com/alibaba/tengine/blob/master/LICENSE)
+
+<h1 align="center" style="border-bottom: none">
+    <a href="https://tengine.taobao.org" target="_blank"><img alt="Tengine" src="/docs/image/tengine-logo.png"></a>
+</h1>
diff --git a/docs/image/tengine-logo.png b/docs/image/tengine-logo.png
diff --git a/modules/mod_xudp/ngx_xudp_module.c b/modules/mod_xudp/ngx_xudp_module.c
@@ -308,6 +308,10 @@ ngx_xudp_get_address_from_http_core_module(ngx_xudp_conf_t *xcf, ngx_http_core_m
     ngx_http_conf_addr_t        *addr;
     ngx_sockaddr_t               wildcard;
 
+    if (cmcf->ports == NULL) {
+        return NGX_OK;
+    }
+
     port = (ngx_http_conf_port_t*) cmcf->ports->elts;
 
     for(i = 0; i < cmcf->ports->nelts; i++) {
@@ -1349,4 +1353,4 @@ ngx_xudp_terminate_xudp_binding(ngx_cycle_t *cycle)
 
     /* call unbind */
     xudp_unbind(engine);
-}
+}
diff --git a/modules/ngx_http_lua_module/config b/modules/ngx_http_lua_module/config
@@ -514,3 +514,5 @@ CORE_INCS="$CORE_INCS $ngx_addon_dir/src/api"
 CFLAGS="$CFLAGS -DNDK_SET_VAR"
 
 echo "/* DO NOT EDIT! This file was automatically generated by config */" > "$ngx_addon_dir/src/ngx_http_lua_autoconf.h"
+
+have=T_NGX_HTTP_HAVE_LUA_MODULE . auto/have
diff --git a/modules/ngx_http_lua_module/src/ngx_http_lua_ssl_certby.c b/modules/ngx_http_lua_module/src/ngx_http_lua_ssl_certby.c
@@ -231,6 +231,13 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
 
     hc = c->data;
 
+#if (T_NGX_XQUIC)
+    if (c->xquic_conn) {
+        ngx_http_xquic_connection_t *qc = (ngx_http_xquic_connection_t *)c->data;
+        hc = qc->http_connection;
+    }
+#endif
+
     fc = ngx_http_lua_create_fake_connection(NULL);
     if (fc == NULL) {
         goto failed;
@@ -255,6 +262,10 @@ ngx_http_lua_ssl_cert_handler(ngx_ssl_conn_t *ssl_conn, void *data)
     fc->log->log_level = c->log->log_level;
     fc->ssl = c->ssl;
 
+#if (T_NGX_XQUIC)
+    fc->xquic_conn = c->xquic_conn;
+#endif
+
     clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
 
 #if (nginx_version >= 1009000)