From 08e28c83b0b3f62f9d5d9af0ff007f9e5800d31e Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Tue, 11 Oct 2016 18:36:19 +0200 Subject: [PATCH] boring-nginx: update patch --- boring-nginx/boring.patch | 14 +++++----- .../src/event/ngx_event_openssl.c | 10 +++---- .../src/http/ngx_http_upstream.c | 26 ++++++++++++++++--- .../src/event/ngx_event_openssl.c | 10 +++---- .../src/http/ngx_http_upstream.c | 26 ++++++++++++++++--- 5 files changed, 63 insertions(+), 23 deletions(-) rename boring-nginx/patch-source/{nginx-1.11.4-patched => nginx-1.11.5-patched}/src/event/ngx_event_openssl.c (99%) rename boring-nginx/patch-source/{nginx-1.11.4-patched => nginx-1.11.5-patched}/src/http/ngx_http_upstream.c (99%) rename boring-nginx/patch-source/{nginx-1.11.4 => nginx-1.11.5}/src/event/ngx_event_openssl.c (99%) rename boring-nginx/patch-source/{nginx-1.11.4 => nginx-1.11.5}/src/http/ngx_http_upstream.c (99%) diff --git a/boring-nginx/boring.patch b/boring-nginx/boring.patch index 29724a8..f819302 100644 --- a/boring-nginx/boring.patch +++ b/boring-nginx/boring.patch @@ -1,6 +1,6 @@ -diff -Naur nginx-1.11.4/src/event/ngx_event_openssl.c nginx-1.11.4-patched/src/event/ngx_event_openssl.c ---- nginx-1.11.4/src/event/ngx_event_openssl.c 2016-09-16 00:49:53.176182112 +0200 -+++ nginx-1.11.4-patched/src/event/ngx_event_openssl.c 2016-09-16 00:47:27.636986453 +0200 +diff -Naur nginx-1.11.5/src/event/ngx_event_openssl.c nginx-1.11.5-patched/src/event/ngx_event_openssl.c +--- nginx-1.11.5/src/event/ngx_event_openssl.c 2016-10-11 18:30:28.956383557 +0200 ++++ nginx-1.11.5-patched/src/event/ngx_event_openssl.c 2016-10-11 18:34:41.226899170 +0200 @@ -2016,7 +2016,9 @@ /* handshake failures */ 
@@ -21,10 +21,10 @@ diff -Naur nginx-1.11.4/src/event/ngx_event_openssl.c nginx-1.11.4-patched/src/e || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ || n == SSL_R_NO_SHARED_CIPHER /* 193 */ || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ -diff -Naur nginx-1.11.4/src/http/ngx_http_upstream.c nginx-1.11.4-patched/src/http/ngx_http_upstream.c ---- nginx-1.11.4/src/http/ngx_http_upstream.c 2016-09-16 00:50:04.068121614 +0200 -+++ nginx-1.11.4-patched/src/http/ngx_http_upstream.c 2016-09-16 00:47:50.916858344 +0200 -@@ -1694,7 +1694,7 @@ +diff -Naur nginx-1.11.5/src/http/ngx_http_upstream.c nginx-1.11.5-patched/src/http/ngx_http_upstream.c +--- nginx-1.11.5/src/http/ngx_http_upstream.c 2016-10-11 18:31:13.368121756 +0200 ++++ nginx-1.11.5-patched/src/http/ngx_http_upstream.c 2016-10-11 18:35:17.470686369 +0200 +@@ -1696,7 +1696,7 @@ ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, "upstream SSL server name: \"%s\"", name.data); diff --git a/boring-nginx/patch-source/nginx-1.11.4-patched/src/event/ngx_event_openssl.c b/boring-nginx/patch-source/nginx-1.11.5-patched/src/event/ngx_event_openssl.c similarity index 99% rename from boring-nginx/patch-source/nginx-1.11.4-patched/src/event/ngx_event_openssl.c rename to boring-nginx/patch-source/nginx-1.11.5-patched/src/event/ngx_event_openssl.c index fd827fc..8f8415e 100644 --- a/boring-nginx/patch-source/nginx-1.11.4-patched/src/event/ngx_event_openssl.c +++ b/boring-nginx/patch-source/nginx-1.11.5-patched/src/event/ngx_event_openssl.c @@ -55,7 +55,7 @@ static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, HMAC_CTX *hctx, int enc); #endif -#if OPENSSL_VERSION_NUMBER < 0x10002002L +#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); #endif 
@@ -3096,7 +3096,7 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) return NGX_ERROR; } -#if OPENSSL_VERSION_NUMBER >= 0x10002002L +#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT /* X509_check_host() is only available in OpenSSL 1.0.2+ */ @@ -3213,7 +3213,7 @@ found: } -#if OPENSSL_VERSION_NUMBER < 0x10002002L +#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) @@ -3660,13 +3660,13 @@ ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) engine = ENGINE_by_id((char *) value[1].data); if (engine == NULL) { - ngx_ssl_error(NGX_LOG_WARN, cf->log, 0, + ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "ENGINE_by_id(\"%V\") failed", &value[1]); return NGX_CONF_ERROR; } if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { - ngx_ssl_error(NGX_LOG_WARN, cf->log, 0, + ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", &value[1]); diff --git a/boring-nginx/patch-source/nginx-1.11.4-patched/src/http/ngx_http_upstream.c b/boring-nginx/patch-source/nginx-1.11.5-patched/src/http/ngx_http_upstream.c similarity index 99% rename from boring-nginx/patch-source/nginx-1.11.4-patched/src/http/ngx_http_upstream.c rename to boring-nginx/patch-source/nginx-1.11.5-patched/src/http/ngx_http_upstream.c index 7310c1c..4305a8a 100644 --- a/boring-nginx/patch-source/nginx-1.11.4-patched/src/http/ngx_http_upstream.c +++ b/boring-nginx/patch-source/nginx-1.11.5-patched/src/http/ngx_http_upstream.c @@ -748,6 +748,8 @@ found: return; } + u->upstream = uscf; + #if (NGX_HTTP_SSL) u->ssl_name = uscf->host; #endif @@ -5442,6 +5444,7 @@ ngx_http_upstream(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) uscf = ngx_http_upstream_add(cf, &u, NGX_HTTP_UPSTREAM_CREATE |NGX_HTTP_UPSTREAM_WEIGHT + |NGX_HTTP_UPSTREAM_MAX_CONNS |NGX_HTTP_UPSTREAM_MAX_FAILS |NGX_HTTP_UPSTREAM_FAIL_TIMEOUT |NGX_HTTP_UPSTREAM_DOWN 
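Review bot: The comment left under the new guard in the `ngx_ssl_check_host` hunk (`@@ -3096,7 +3096,7 @@`), `/* X509_check_host() is only available in OpenSSL 1.0.2+ */`, no longer describes the condition, which now tests for the `X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT` macro rather than a version number. I would reword it along the lines of `/* use X509_check_host() whenever the TLS library headers define X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT */`. The guard selects between the library's host check and the fallback `ngx_ssl_check_name()`, so a build against a library whose version number and macro set disagree may change verification path with this update; it seems worth testing the built binary against both a matching and a non-matching certificate name. The same guard change is in the `@@ -55,7 +55,7 @@` and `@@ -3213,7 +3213,7 @@` hunks and in the unpatched copy of this file, and the function body continues outside the hunk.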
@@ -5543,7 +5546,7 @@ ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) time_t fail_timeout; ngx_str_t *value, s; ngx_url_t u; - ngx_int_t weight, max_fails; + ngx_int_t weight, max_conns, max_fails; ngx_uint_t i; ngx_http_upstream_server_t *us; @@ -5557,6 +5560,7 @@ ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) value = cf->args->elts; weight = 1; + max_conns = 0; max_fails = 1; fail_timeout = 10; @@ -5577,6 +5581,21 @@ ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) continue; } + if (ngx_strncmp(value[i].data, "max_conns=", 10) == 0) { + + if (!(uscf->flags & NGX_HTTP_UPSTREAM_MAX_CONNS)) { + goto not_supported; + } + + max_conns = ngx_atoi(&value[i].data[10], value[i].len - 10); + + if (max_conns == NGX_ERROR) { + goto invalid; + } + + continue; + } + if (ngx_strncmp(value[i].data, "max_fails=", 10) == 0) { if (!(uscf->flags & NGX_HTTP_UPSTREAM_MAX_FAILS)) { @@ -5653,6 +5672,7 @@ ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) us->addrs = u.addrs; us->naddrs = u.naddrs; us->weight = weight; + us->max_conns = max_conns; us->max_fails = max_fails; us->fail_timeout = fail_timeout; @@ -5717,14 +5737,14 @@ ngx_http_upstream_add(ngx_conf_t *cf, ngx_url_t *u, ngx_uint_t flags) } if ((uscfp[i]->flags & NGX_HTTP_UPSTREAM_CREATE) && !u->no_port) { - ngx_conf_log_error(NGX_LOG_WARN, cf, 0, + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "upstream \"%V\" may not have port %d", &u->host, u->port); return NULL; } if ((flags & NGX_HTTP_UPSTREAM_CREATE) && !uscfp[i]->no_port) { - ngx_log_error(NGX_LOG_WARN, cf->log, 0, + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "upstream \"%V\" may not have port %d in %s:%ui", &u->host, uscfp[i]->port, uscfp[i]->file_name, uscfp[i]->line); 
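Review bot: The new `max_conns` option in `ngx_http_upstream_server` defaults to `max_conns = 0;` and the parser also accepts an explicit `max_conns=0`, yet nothing in these hunks says what zero means. If zero is meant as "no limit", a comment such as `max_conns = 0;  /* 0: no connection limit */` would keep a reader from taking it as "refuse all connections". The code that enforces the value stored in `us->max_conns` is not part of this diff, so whether the limit is counted per worker process or across workers should be confirmed before it is relied on to protect a backend. The same hunks repeat in the unpatched copy of `ngx_http_upstream.c`, and the function body continues outside them.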
diff --git a/boring-nginx/patch-source/nginx-1.11.4/src/event/ngx_event_openssl.c b/boring-nginx/patch-source/nginx-1.11.5/src/event/ngx_event_openssl.c similarity index 99% rename from boring-nginx/patch-source/nginx-1.11.4/src/event/ngx_event_openssl.c rename to boring-nginx/patch-source/nginx-1.11.5/src/event/ngx_event_openssl.c index 1cbfdf2..68d02bf 100644 --- a/boring-nginx/patch-source/nginx-1.11.4/src/event/ngx_event_openssl.c +++ b/boring-nginx/patch-source/nginx-1.11.5/src/event/ngx_event_openssl.c @@ -55,7 +55,7 @@ static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, HMAC_CTX *hctx, int enc); #endif -#if OPENSSL_VERSION_NUMBER < 0x10002002L +#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); #endif @@ -3092,7 +3092,7 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) return NGX_ERROR; } -#if OPENSSL_VERSION_NUMBER >= 0x10002002L +#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT /* X509_check_host() is only available in OpenSSL 1.0.2+ */ @@ -3209,7 +3209,7 @@ found: } -#if OPENSSL_VERSION_NUMBER < 0x10002002L +#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) @@ -3656,13 +3656,13 @@ ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) engine = ENGINE_by_id((char *) value[1].data); if (engine == NULL) { - ngx_ssl_error(NGX_LOG_WARN, cf->log, 0, + ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "ENGINE_by_id(\"%V\") failed", &value[1]); return NGX_CONF_ERROR; } if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { - ngx_ssl_error(NGX_LOG_WARN, cf->log, 0, + ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", &value[1]); 
diff --git a/boring-nginx/patch-source/nginx-1.11.4/src/http/ngx_http_upstream.c b/boring-nginx/patch-source/nginx-1.11.5/src/http/ngx_http_upstream.c similarity index 99% rename from boring-nginx/patch-source/nginx-1.11.4/src/http/ngx_http_upstream.c rename to boring-nginx/patch-source/nginx-1.11.5/src/http/ngx_http_upstream.c index 7e4b3c5..ceb798f 100644 --- a/boring-nginx/patch-source/nginx-1.11.4/src/http/ngx_http_upstream.c +++ b/boring-nginx/patch-source/nginx-1.11.5/src/http/ngx_http_upstream.c @@ -748,6 +748,8 @@ found: return; } + u->upstream = uscf; + #if (NGX_HTTP_SSL) u->ssl_name = uscf->host; #endif @@ -5442,6 +5444,7 @@ ngx_http_upstream(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) uscf = ngx_http_upstream_add(cf, &u, NGX_HTTP_UPSTREAM_CREATE |NGX_HTTP_UPSTREAM_WEIGHT + |NGX_HTTP_UPSTREAM_MAX_CONNS |NGX_HTTP_UPSTREAM_MAX_FAILS |NGX_HTTP_UPSTREAM_FAIL_TIMEOUT |NGX_HTTP_UPSTREAM_DOWN @@ -5543,7 +5546,7 @@ ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) time_t fail_timeout; ngx_str_t *value, s; ngx_url_t u; - ngx_int_t weight, max_fails; + ngx_int_t weight, max_conns, max_fails; ngx_uint_t i; ngx_http_upstream_server_t *us; @@ -5557,6 +5560,7 @@ ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) value = cf->args->elts; weight = 1; + max_conns = 0; max_fails = 1; fail_timeout = 10; @@ -5577,6 +5581,21 @@ ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) continue; } + if (ngx_strncmp(value[i].data, "max_conns=", 10) == 0) { + + if (!(uscf->flags & NGX_HTTP_UPSTREAM_MAX_CONNS)) { + goto not_supported; + } + + max_conns = ngx_atoi(&value[i].data[10], value[i].len - 10); + + if (max_conns == NGX_ERROR) { + goto invalid; + } + + continue; + } + if (ngx_strncmp(value[i].data, "max_fails=", 10) == 0) { if (!(uscf->flags & NGX_HTTP_UPSTREAM_MAX_FAILS)) { 
@@ -5653,6 +5672,7 @@ ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) us->addrs = u.addrs; us->naddrs = u.naddrs; us->weight = weight; + us->max_conns = max_conns; us->max_fails = max_fails; us->fail_timeout = fail_timeout; @@ -5717,14 +5737,14 @@ ngx_http_upstream_add(ngx_conf_t *cf, ngx_url_t *u, ngx_uint_t flags) } if ((uscfp[i]->flags & NGX_HTTP_UPSTREAM_CREATE) && !u->no_port) { - ngx_conf_log_error(NGX_LOG_WARN, cf, 0, + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, "upstream \"%V\" may not have port %d", &u->host, u->port); return NULL; } if ((flags & NGX_HTTP_UPSTREAM_CREATE) && !uscfp[i]->no_port) { - ngx_log_error(NGX_LOG_WARN, cf->log, 0, + ngx_log_error(NGX_LOG_EMERG, cf->log, 0, "upstream \"%V\" may not have port %d in %s:%ui", &u->host, uscfp[i]->port, uscfp[i]->file_name, uscfp[i]->line);