From 3dbde9e89144b1fb6c81d600f8de3940fe1c5c10 Mon Sep 17 00:00:00 2001 From: Wonderfall Date: Fri, 18 Nov 2016 22:38:16 +0000 Subject: [PATCH] boring-nginx: patch not needed anymore --- boring-nginx/Dockerfile | 3 - boring-nginx/boring.patch | 35 - .../src/event/ngx_event_openssl.c | 3701 ---------- .../src/http/ngx_http_upstream.c | 6197 ----------------- .../src/event/ngx_event_openssl.c | 3697 ---------- .../nginx-1.11.5/src/http/ngx_http_upstream.c | 6197 ----------------- 6 files changed, 19830 deletions(-) delete mode 100644 boring-nginx/boring.patch delete mode 100644 boring-nginx/patch-source/nginx-1.11.5-patched/src/event/ngx_event_openssl.c delete mode 100644 boring-nginx/patch-source/nginx-1.11.5-patched/src/http/ngx_http_upstream.c delete mode 100644 boring-nginx/patch-source/nginx-1.11.5/src/event/ngx_event_openssl.c delete mode 100644 boring-nginx/patch-source/nginx-1.11.5/src/http/ngx_http_upstream.c diff --git a/boring-nginx/Dockerfile b/boring-nginx/Dockerfile index d10c321..da908da 100644 --- a/boring-nginx/Dockerfile +++ b/boring-nginx/Dockerfile @@ -7,8 +7,6 @@ ARG NGINX_VERSION=1.11.6 ARG GPG_NGINX="B0F4 2533 73F8 F6F5 10D4 2178 520A 9993 A1C0 52F8" ARG BUILD_CORES -COPY boring.patch /tmp/boring.patch - RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \ && NB_CORES=${BUILD_CORES-$(getconf _NPROCESSORS_CONF)} \ && BUILD_DEPS=" \ @@ -59,7 +57,6 @@ RUN echo "@commuedge https://nl.alpinelinux.org/alpine/edge/community" >> /etc/a && if [ "${FINGERPRINT}" != "${GPG_NGINX}" ]; then echo "Warning! Wrong GPG fingerprint!" && exit 1; fi \ && echo "All seems good, now unpacking ${NGINX_TARBALL}..." \ && tar xzf ${NGINX_TARBALL} && cd nginx-${NGINX_VERSION} \ - && patch -p1 < /tmp/boring.patch \ && ./configure \ --prefix=/etc/nginx \ --sbin-path=/usr/sbin/nginx \ diff --git a/boring-nginx/boring.patch b/boring-nginx/boring.patch deleted file mode 100644 index f819302..0000000 --- a/boring-nginx/boring.patch +++ /dev/null @@ -1,35 +0,0 @@ -diff -Naur nginx-1.11.5/src/event/ngx_event_openssl.c nginx-1.11.5-patched/src/event/ngx_event_openssl.c ---- nginx-1.11.5/src/event/ngx_event_openssl.c 2016-10-11 18:30:28.956383557 +0200 -+++ nginx-1.11.5-patched/src/event/ngx_event_openssl.c 2016-10-11 18:34:41.226899170 +0200 -@@ -2016,7 +2016,9 @@ - - /* handshake failures */ - if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ -+#ifdef SSL_R_BLOCK_CIPHER_PAD_IS_WRONG - || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ -+#endif - || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ - || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ - || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ -@@ -2024,7 +2026,9 @@ - #ifdef SSL_R_NO_CIPHERS_PASSED - || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ - #endif -+#ifdef SSL_R_NO_CIPHERS_SPECIFIED - || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ -+#endif - || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ - || n == SSL_R_NO_SHARED_CIPHER /* 193 */ - || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ -diff -Naur nginx-1.11.5/src/http/ngx_http_upstream.c nginx-1.11.5-patched/src/http/ngx_http_upstream.c ---- nginx-1.11.5/src/http/ngx_http_upstream.c 2016-10-11 18:31:13.368121756 +0200 -+++ nginx-1.11.5-patched/src/http/ngx_http_upstream.c 2016-10-11 18:35:17.470686369 +0200 -@@ -1696,7 +1696,7 @@ - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "upstream SSL server name: \"%s\"", name.data); - -- if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) { -+ if (SSL_set_tlsext_host_name(c->ssl->connection, (const char*) name.data) == 0) { - ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0, - "SSL_set_tlsext_host_name(\"%s\") failed", name.data); - return NGX_ERROR; diff --git a/boring-nginx/patch-source/nginx-1.11.5-patched/src/event/ngx_event_openssl.c b/boring-nginx/patch-source/nginx-1.11.5-patched/src/event/ngx_event_openssl.c deleted file mode 100644 index 8f8415e..0000000 --- a/boring-nginx/patch-source/nginx-1.11.5-patched/src/event/ngx_event_openssl.c +++ /dev/null @@ -1,3701 +0,0 @@ - -/* - * Copyright (C) Igor Sysoev - * Copyright (C) Nginx, Inc. - */ - - -#include -#include -#include - - -#define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 - - -typedef struct { - ngx_uint_t engine; /* unsigned engine:1; */ -} ngx_openssl_conf_t; - - -static int ngx_ssl_password_callback(char *buf, int size, int rwflag, - void *userdata); -static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); -static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, - int ret); -static void ngx_ssl_passwords_cleanup(void *data); -static void ngx_ssl_handshake_handler(ngx_event_t *ev); -static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); -static void ngx_ssl_write_handler(ngx_event_t *wev); -static void ngx_ssl_read_handler(ngx_event_t *rev); -static void ngx_ssl_shutdown_handler(ngx_event_t *ev); -static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, - ngx_err_t err, char *text); -static void ngx_ssl_clear_error(ngx_log_t *log); - -static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, - ngx_str_t *sess_ctx); -ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); -static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, - ngx_ssl_session_t *sess); -static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, -#if OPENSSL_VERSION_NUMBER >= 0x10100003L - const -#endif - u_char *id, int len, int *copy); -static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); -static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, - ngx_slab_pool_t *shpool, ngx_uint_t n); -static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, - ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); - -#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB -static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, - HMAC_CTX *hctx, int enc); -#endif - -#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT -static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); -#endif - -static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); -static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); -static void ngx_openssl_exit(ngx_cycle_t *cycle); - - -static ngx_command_t ngx_openssl_commands[] = { - - { ngx_string("ssl_engine"), - NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, - ngx_openssl_engine, - 0, - 0, - NULL }, - - ngx_null_command -}; - - -static ngx_core_module_t ngx_openssl_module_ctx = { - ngx_string("openssl"), - ngx_openssl_create_conf, - NULL -}; - - -ngx_module_t ngx_openssl_module = { - NGX_MODULE_V1, - &ngx_openssl_module_ctx, /* module context */ - ngx_openssl_commands, /* module directives */ - NGX_CORE_MODULE, /* module type */ - NULL, /* init master */ - NULL, /* init module */ - NULL, /* init process */ - NULL, /* init thread */ - NULL, /* exit thread */ - NULL, /* exit process */ - ngx_openssl_exit, /* exit master */ - NGX_MODULE_V1_PADDING -}; - - -int ngx_ssl_connection_index; -int ngx_ssl_server_conf_index; -int ngx_ssl_session_cache_index; -int ngx_ssl_session_ticket_keys_index; -int ngx_ssl_certificate_index; -int ngx_ssl_next_certificate_index; -int ngx_ssl_stapling_index; - - -ngx_int_t -ngx_ssl_init(ngx_log_t *log) -{ -#if OPENSSL_VERSION_NUMBER >= 0x10100003L - - OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); - -#else - - OPENSSL_config(NULL); - - SSL_library_init(); - SSL_load_error_strings(); - - OpenSSL_add_all_algorithms(); - -#endif - -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL -#ifndef SSL_OP_NO_COMPRESSION - { - /* - * Disable gzip compression in OpenSSL prior to 1.0.0 version, - * this saves about 522K per connection. - */ - int n; - STACK_OF(SSL_COMP) *ssl_comp_methods; - - ssl_comp_methods = SSL_COMP_get_compression_methods(); - n = sk_SSL_COMP_num(ssl_comp_methods); - - while (n--) { - (void) sk_SSL_COMP_pop(ssl_comp_methods); - } - } -#endif -#endif - - ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); - - if (ngx_ssl_connection_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, - NULL); - if (ngx_ssl_server_conf_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, - "SSL_CTX_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, - NULL); - if (ngx_ssl_session_cache_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, - "SSL_CTX_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, - NULL, NULL); - if (ngx_ssl_session_ticket_keys_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, - "SSL_CTX_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, - NULL); - if (ngx_ssl_certificate_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, - "SSL_CTX_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL, - NULL); - if (ngx_ssl_next_certificate_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL); - - if (ngx_ssl_stapling_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); - return NGX_ERROR; - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) -{ - ssl->ctx = SSL_CTX_new(SSLv23_method()); - - if (ssl->ctx == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed"); - return NGX_ERROR; - } - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - return NGX_ERROR; - } - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - return NGX_ERROR; - } - - ssl->buffer_size = NGX_SSL_BUFSIZE; - - /* client side options */ - -#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); -#endif - -#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); -#endif - - /* server side options */ - -#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); -#endif - -#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); -#endif - -#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING - /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */ - SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); -#endif - -#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); -#endif - -#ifdef SSL_OP_TLS_D5_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); -#endif - -#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); -#endif - -#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); -#endif - - SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); - -#ifdef SSL_CTRL_CLEAR_OPTIONS - /* only in 0.9.8m+ */ - SSL_CTX_clear_options(ssl->ctx, - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); -#endif - - if (!(protocols & NGX_SSL_SSLv2)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); - } - if (!(protocols & NGX_SSL_SSLv3)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); - } - if (!(protocols & NGX_SSL_TLSv1)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); - } -#ifdef SSL_OP_NO_TLSv1_1 - SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1); - if (!(protocols & NGX_SSL_TLSv1_1)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); - } -#endif -#ifdef SSL_OP_NO_TLSv1_2 - SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2); - if (!(protocols & NGX_SSL_TLSv1_2)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); - } -#endif - -#ifdef SSL_OP_NO_COMPRESSION - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); -#endif - -#ifdef SSL_MODE_RELEASE_BUFFERS - SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); -#endif - -#ifdef SSL_MODE_NO_AUTO_CHAIN - SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); -#endif - - SSL_CTX_set_read_ahead(ssl->ctx, 1); - - SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, - ngx_array_t *keys, ngx_array_t *passwords) -{ - ngx_str_t *cert, *key; - ngx_uint_t i; - - cert = certs->elts; - key = keys->elts; - - for (i = 0; i < certs->nelts; i++) { - - if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords) - != NGX_OK) - { - return NGX_ERROR; - } - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, - ngx_str_t *key, ngx_array_t *passwords) -{ - BIO *bio; - X509 *x509; - u_long n; - ngx_str_t *pwd; - ngx_uint_t tries; - - if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { - return NGX_ERROR; - } - - /* - * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't - * allow to access certificate later from SSL_CTX, so we reimplement - * it here - */ - - bio = BIO_new_file((char *) cert->data, "r"); - if (bio == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "BIO_new_file(\"%s\") failed", cert->data); - return NGX_ERROR; - } - - x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); - if (x509 == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "PEM_read_bio_X509_AUX(\"%s\") failed", cert->data); - BIO_free(bio); - return NGX_ERROR; - } - - if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_use_certificate(\"%s\") failed", cert->data); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } - - if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index, - SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } - - /* read rest of the chain */ - - for ( ;; ) { - - x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); - if (x509 == NULL) { - n = ERR_peek_last_error(); - - if (ERR_GET_LIB(n) == ERR_LIB_PEM - && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) - { - /* end of file */ - ERR_clear_error(); - break; - } - - /* some real error */ - - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "PEM_read_bio_X509(\"%s\") failed", cert->data); - BIO_free(bio); - return NGX_ERROR; - } - -#ifdef SSL_CTRL_CHAIN_CERT - - /* - * SSL_CTX_add0_chain_cert() is needed to add chain to - * a particular certificate when multiple certificates are used; - * only available in OpenSSL 1.0.2+ - */ - - if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_add0_chain_cert(\"%s\") failed", - cert->data); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } - -#else - if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_add_extra_chain_cert(\"%s\") failed", - cert->data); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } -#endif - } - - BIO_free(bio); - - if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { - -#ifndef OPENSSL_NO_ENGINE - - u_char *p, *last; - ENGINE *engine; - EVP_PKEY *pkey; - - p = key->data + sizeof("engine:") - 1; - last = (u_char *) ngx_strchr(p, ':'); - - if (last == NULL) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid syntax in \"%V\"", key); - return NGX_ERROR; - } - - *last = '\0'; - - engine = ENGINE_by_id((char *) p); - - if (engine == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "ENGINE_by_id(\"%s\") failed", p); - return NGX_ERROR; - } - - *last++ = ':'; - - pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); - - if (pkey == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "ENGINE_load_private_key(\"%s\") failed", last); - ENGINE_free(engine); - return NGX_ERROR; - } - - ENGINE_free(engine); - - if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_use_PrivateKey(\"%s\") failed", last); - EVP_PKEY_free(pkey); - return NGX_ERROR; - } - - EVP_PKEY_free(pkey); - - return NGX_OK; - -#else - - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "loading \"engine:...\" certificate keys " - "is not supported"); - return NGX_ERROR; - -#endif - } - - if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) { - return NGX_ERROR; - } - - if (passwords) { - tries = passwords->nelts; - pwd = passwords->elts; - - SSL_CTX_set_default_passwd_cb(ssl->ctx, ngx_ssl_password_callback); - SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, pwd); - - } else { - tries = 1; -#if (NGX_SUPPRESS_WARN) - pwd = NULL; -#endif - } - - for ( ;; ) { - - if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data, - SSL_FILETYPE_PEM) - != 0) - { - break; - } - - if (--tries) { - ERR_clear_error(); - SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd); - continue; - } - - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data); - return NGX_ERROR; - } - - SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL); - - return NGX_OK; -} - - -static int -ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata) -{ - ngx_str_t *pwd = userdata; - - if (rwflag) { - ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, - "ngx_ssl_password_callback() is called for encryption"); - return 0; - } - - if (pwd->len > (size_t) size) { - ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, - "password is truncated to %d bytes", size); - } else { - size = pwd->len; - } - - ngx_memcpy(buf, pwd->data, size); - - return size; -} - - -ngx_int_t -ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, - ngx_uint_t prefer_server_ciphers) -{ - if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_cipher_list(\"%V\") failed", - ciphers); - return NGX_ERROR; - } - - if (prefer_server_ciphers) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); - } - -#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER) - /* a temporary 512-bit RSA key is required for export versions of MSIE */ - SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback); -#endif - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, - ngx_int_t depth) -{ - STACK_OF(X509_NAME) *list; - - SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); - - SSL_CTX_set_verify_depth(ssl->ctx, depth); - - if (cert->len == 0) { - return NGX_OK; - } - - if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { - return NGX_ERROR; - } - - if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_load_verify_locations(\"%s\") failed", - cert->data); - return NGX_ERROR; - } - - /* - * SSL_CTX_load_verify_locations() may leave errors in the error queue - * while returning success - */ - - ERR_clear_error(); - - list = SSL_load_client_CA_file((char *) cert->data); - - if (list == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_load_client_CA_file(\"%s\") failed", cert->data); - return NGX_ERROR; - } - - /* - * before 0.9.7h and 0.9.8 SSL_load_client_CA_file() - * always leaved an error in the error queue - */ - - ERR_clear_error(); - - SSL_CTX_set_client_CA_list(ssl->ctx, list); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, - ngx_int_t depth) -{ - SSL_CTX_set_verify_depth(ssl->ctx, depth); - - if (cert->len == 0) { - return NGX_OK; - } - - if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { - return NGX_ERROR; - } - - if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_load_verify_locations(\"%s\") failed", - cert->data); - return NGX_ERROR; - } - - /* - * SSL_CTX_load_verify_locations() may leave errors in the error queue - * while returning success - */ - - ERR_clear_error(); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) -{ - X509_STORE *store; - X509_LOOKUP *lookup; - - if (crl->len == 0) { - return NGX_OK; - } - - if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) { - return NGX_ERROR; - } - - store = SSL_CTX_get_cert_store(ssl->ctx); - - if (store == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_get_cert_store() failed"); - return NGX_ERROR; - } - - lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); - - if (lookup == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "X509_STORE_add_lookup() failed"); - return NGX_ERROR; - } - - if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "X509_LOOKUP_load_file(\"%s\") failed", crl->data); - return NGX_ERROR; - } - - X509_STORE_set_flags(store, - X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); - - return NGX_OK; -} - - -static int -ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) -{ -#if (NGX_DEBUG) - char *subject, *issuer; - int err, depth; - X509 *cert; - X509_NAME *sname, *iname; - ngx_connection_t *c; - ngx_ssl_conn_t *ssl_conn; - - ssl_conn = X509_STORE_CTX_get_ex_data(x509_store, - SSL_get_ex_data_X509_STORE_CTX_idx()); - - c = ngx_ssl_get_connection(ssl_conn); - - cert = X509_STORE_CTX_get_current_cert(x509_store); - err = X509_STORE_CTX_get_error(x509_store); - depth = X509_STORE_CTX_get_error_depth(x509_store); - - sname = X509_get_subject_name(cert); - subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)"; - - iname = X509_get_issuer_name(cert); - issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)"; - - ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, - "verify:%d, error:%d, depth:%d, " - "subject:\"%s\", issuer:\"%s\"", - ok, err, depth, subject, issuer); - - if (sname) { - OPENSSL_free(subject); - } - - if (iname) { - OPENSSL_free(issuer); - } -#endif - - return 1; -} - - -static void -ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) -{ - BIO *rbio, *wbio; - ngx_connection_t *c; - - if (where & SSL_CB_HANDSHAKE_START) { - c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); - - if (c->ssl->handshaked) { - c->ssl->renegotiation = 1; - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); - } - } - - if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { - c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); - - if (!c->ssl->handshake_buffer_set) { - /* - * By default OpenSSL uses 4k buffer during a handshake, - * which is too low for long certificate chains and might - * result in extra round-trips. - * - * To adjust a buffer size we detect that buffering was added - * to write side of the connection by comparing rbio and wbio. - * If they are different, we assume that it's due to buffering - * added to wbio, and set buffer size. - */ - - rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn); - wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn); - - if (rbio != wbio) { - (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE); - c->ssl->handshake_buffer_set = 1; - } - } - } -} - - -RSA * -ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, - int key_length) -{ - static RSA *key; - - if (key_length != 512) { - return NULL; - } - -#if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED) - - if (key == NULL) { - key = RSA_generate_key(512, RSA_F4, NULL, NULL); - } - -#endif - - return key; -} - - -ngx_array_t * -ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) -{ - u_char *p, *last, *end; - size_t len; - ssize_t n; - ngx_fd_t fd; - ngx_str_t *pwd; - ngx_array_t *passwords; - ngx_pool_cleanup_t *cln; - u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; - - if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { - return NULL; - } - - cln = ngx_pool_cleanup_add(cf->temp_pool, 0); - passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); - - if (cln == NULL || passwords == NULL) { - return NULL; - } - - cln->handler = ngx_ssl_passwords_cleanup; - cln->data = passwords; - - fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); - if (fd == NGX_INVALID_FILE) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, - ngx_open_file_n " \"%s\" failed", file->data); - return NULL; - } - - len = 0; - last = buf; - - do { - n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len); - - if (n == -1) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, - ngx_read_fd_n " \"%s\" failed", file->data); - passwords = NULL; - goto cleanup; - } - - end = last + n; - - if (len && n == 0) { - *end++ = LF; - } - - p = buf; - - for ( ;; ) { - last = ngx_strlchr(last, end, LF); - - if (last == NULL) { - break; - } - - len = last++ - p; - - if (len && p[len - 1] == CR) { - len--; - } - - if (len) { - pwd = ngx_array_push(passwords); - if (pwd == NULL) { - passwords = NULL; - goto cleanup; - } - - pwd->len = len; - pwd->data = ngx_pnalloc(cf->temp_pool, len); - - if (pwd->data == NULL) { - passwords->nelts--; - passwords = NULL; - goto cleanup; - } - - ngx_memcpy(pwd->data, p, len); - } - - p = last; - } - - len = end - p; - - if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "too long line in \"%s\"", file->data); - passwords = NULL; - goto cleanup; - } - - ngx_memmove(buf, p, len); - last = buf + len; - - } while (n != 0); - - if (passwords->nelts == 0) { - pwd = ngx_array_push(passwords); - if (pwd == NULL) { - passwords = NULL; - goto cleanup; - } - - ngx_memzero(pwd, sizeof(ngx_str_t)); - } - -cleanup: - - if (ngx_close_file(fd) == NGX_FILE_ERROR) { - ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, - ngx_close_file_n " \"%s\" failed", file->data); - } - - ngx_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); - - return passwords; -} - - -static void -ngx_ssl_passwords_cleanup(void *data) -{ - ngx_array_t *passwords = data; - - ngx_str_t *pwd; - ngx_uint_t i; - - pwd = passwords->elts; - - for (i = 0; i < passwords->nelts; i++) { - ngx_memzero(pwd[i].data, pwd[i].len); - } -} - - -ngx_int_t -ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) -{ - DH *dh; - BIO *bio; - - if (file->len == 0) { - return NGX_OK; - } - - if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { - return NGX_ERROR; - } - - bio = BIO_new_file((char *) file->data, "r"); - if (bio == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "BIO_new_file(\"%s\") failed", file->data); - return NGX_ERROR; - } - - dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); - if (dh == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "PEM_read_bio_DHparams(\"%s\") failed", file->data); - BIO_free(bio); - return NGX_ERROR; - } - - SSL_CTX_set_tmp_dh(ssl->ctx, dh); - - DH_free(dh); - BIO_free(bio); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) -{ -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL -#ifndef OPENSSL_NO_ECDH - - /* - * Elliptic-Curve Diffie-Hellman parameters are either "named curves" - * from RFC 4492 section 5.1.1, or explicitly described curves over - * binary fields. OpenSSL only supports the "named curves", which provide - * maximum interoperability. - */ - -#ifdef SSL_CTRL_SET_CURVES_LIST - - /* - * OpenSSL 1.0.2+ allows configuring a curve list instead of a single - * curve previously supported. By default an internal list is used, - * with prime256v1 being preferred by server in OpenSSL 1.0.2b+ - * and X25519 in OpenSSL 1.1.0+. - * - * By default a curve preferred by the client will be used for - * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can - * be used to prefer server curves instead, similar to what it - * does for ciphers. - */ - - SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); - -#if SSL_CTRL_SET_ECDH_AUTO - /* not needed in OpenSSL 1.1.0+ */ - SSL_CTX_set_ecdh_auto(ssl->ctx, 1); -#endif - - if (ngx_strcmp(name->data, "auto") == 0) { - return NGX_OK; - } - - if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set1_curves_list(\"%s\") failed", name->data); - return NGX_ERROR; - } - -#else - - int nid; - char *curve; - EC_KEY *ecdh; - - if (ngx_strcmp(name->data, "auto") == 0) { - curve = "prime256v1"; - - } else { - curve = (char *) name->data; - } - - nid = OBJ_sn2nid(curve); - if (nid == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "OBJ_sn2nid(\"%s\") failed: unknown curve", curve); - return NGX_ERROR; - } - - ecdh = EC_KEY_new_by_curve_name(nid); - if (ecdh == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EC_KEY_new_by_curve_name(\"%s\") failed", curve); - return NGX_ERROR; - } - - SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); - - SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); - - EC_KEY_free(ecdh); -#endif -#endif -#endif - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) -{ - ngx_ssl_connection_t *sc; - - sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); - if (sc == NULL) { - return NGX_ERROR; - } - - sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); - sc->buffer_size = ssl->buffer_size; - - sc->session_ctx = ssl->ctx; - - sc->connection = SSL_new(ssl->ctx); - - if (sc->connection == NULL) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed"); - return NGX_ERROR; - } - - if (SSL_set_fd(sc->connection, c->fd) == 0) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed"); - return NGX_ERROR; - } - - if (flags & NGX_SSL_CLIENT) { - SSL_set_connect_state(sc->connection); - - } else { - SSL_set_accept_state(sc->connection); - } - - if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed"); - return NGX_ERROR; - } - - c->ssl = sc; - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) -{ - if (session) { - if (SSL_set_session(c->ssl->connection, session) == 0) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed"); - return NGX_ERROR; - } - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_handshake(ngx_connection_t *c) -{ - int n, sslerr; - ngx_err_t err; - - ngx_ssl_clear_error(c->log); - - n = SSL_do_handshake(c->ssl->connection); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); - - if (n == 1) { - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - -#if (NGX_DEBUG) - { - char buf[129], *s, *d; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - const -#endif - SSL_CIPHER *cipher; - - cipher = SSL_get_current_cipher(c->ssl->connection); - - if (cipher) { - SSL_CIPHER_description(cipher, &buf[1], 128); - - for (s = &buf[1], d = buf; *s; s++) { - if (*s == ' ' && *d == ' ') { - continue; - } - - if (*s == LF || *s == CR) { - continue; - } - - *++d = *s; - } - - if (*d != ' ') { - d++; - } - - *d = '\0'; - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL: %s, cipher: \"%s\"", - SSL_get_version(c->ssl->connection), &buf[1]); - - if (SSL_session_reused(c->ssl->connection)) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL reused session"); - } - - } else { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL no shared ciphers"); - } - } -#endif - - c->ssl->handshaked = 1; - - c->recv = ngx_ssl_recv; - c->send = ngx_ssl_write; - c->recv_chain = ngx_ssl_recv_chain; - c->send_chain = ngx_ssl_send_chain; - -#if OPENSSL_VERSION_NUMBER < 0x10100000L -#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS - - /* initial handshake done, disable renegotiation (CVE-2009-3555) */ - if (c->ssl->connection->s3) { - c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; - } - -#endif -#endif - - return NGX_OK; - } - - sslerr = SSL_get_error(c->ssl->connection, n); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - c->read->ready = 0; - c->read->handler = ngx_ssl_handshake_handler; - c->write->handler = ngx_ssl_handshake_handler; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - return NGX_AGAIN; - } - - if (sslerr == SSL_ERROR_WANT_WRITE) { - c->write->ready = 0; - c->read->handler = ngx_ssl_handshake_handler; - c->write->handler = ngx_ssl_handshake_handler; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - return NGX_AGAIN; - } - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - c->ssl->no_wait_shutdown = 1; - c->ssl->no_send_shutdown = 1; - c->read->eof = 1; - - if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { - ngx_connection_error(c, err, - "peer closed connection in SSL handshake"); - - return NGX_ERROR; - } - - c->read->error = 1; - - ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); - - return NGX_ERROR; -} - - -static void -ngx_ssl_handshake_handler(ngx_event_t *ev) -{ - ngx_connection_t *c; - - c = ev->data; - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL handshake handler: %d", ev->write); - - if (ev->timedout) { - c->ssl->handler(c); - return; - } - - if (ngx_ssl_handshake(c) == NGX_AGAIN) { - return; - } - - c->ssl->handler(c); -} - - -ssize_t -ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit) -{ - u_char *last; - ssize_t n, bytes, size; - ngx_buf_t *b; - - bytes = 0; - - b = cl->buf; - last = b->last; - - for ( ;; ) { - size = b->end - last; - - if (limit) { - if (bytes >= limit) { - return bytes; - } - - if (bytes + size > limit) { - size = (ssize_t) (limit - bytes); - } - } - - n = ngx_ssl_recv(c, last, size); - - if (n > 0) { - last += n; - bytes += n; - - if (last == b->end) { - cl = cl->next; - - if (cl == NULL) { - return bytes; - } - - b = cl->buf; - last = b->last; - } - - continue; - } - - if (bytes) { - - if (n == 0 || n == NGX_ERROR) { - c->read->ready = 1; - } - - return bytes; - } - - return n; - } -} - - -ssize_t -ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) -{ - int n, bytes; - - if (c->ssl->last == NGX_ERROR) { - c->read->error = 1; - return NGX_ERROR; - } - - if (c->ssl->last == NGX_DONE) { - c->read->ready = 0; - c->read->eof = 1; - return 0; - } - - bytes = 0; - - ngx_ssl_clear_error(c->log); - - /* - * SSL_read() may return data in parts, so try to read - * until SSL_read() would return no data - */ - - for ( ;; ) { - - n = SSL_read(c->ssl->connection, buf, size); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); - - if (n > 0) { - bytes += n; - } - - c->ssl->last = ngx_ssl_handle_recv(c, n); - - if (c->ssl->last == NGX_OK) { - - size -= n; - - if (size == 0) { - c->read->ready = 1; - return bytes; - } - - buf += n; - - continue; - } - - if (bytes) { - if (c->ssl->last != NGX_AGAIN) { - c->read->ready = 1; - } - - return bytes; - } - - switch (c->ssl->last) { - - case NGX_DONE: - c->read->ready = 0; - c->read->eof = 1; - return 0; - - case NGX_ERROR: - c->read->error = 1; - - /* fall through */ - - case NGX_AGAIN: - return c->ssl->last; - } - } -} - - -static ngx_int_t -ngx_ssl_handle_recv(ngx_connection_t *c, int n) -{ - int sslerr; - ngx_err_t err; - - if (c->ssl->renegotiation) { - /* - * disable renegotiation (CVE-2009-3555): - * OpenSSL (at least up to 0.9.8l) does not handle disabled - * renegotiation gracefully, so drop connection here - */ - - ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); - - while (ERR_peek_error()) { - ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, - "ignoring stale global SSL error"); - } - - ERR_clear_error(); - - c->ssl->no_wait_shutdown = 1; - c->ssl->no_send_shutdown = 1; - - return NGX_ERROR; - } - - if (n > 0) { - - if (c->ssl->saved_write_handler) { - - c->write->handler = c->ssl->saved_write_handler; - c->ssl->saved_write_handler = NULL; - c->write->ready = 1; - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - ngx_post_event(c->write, &ngx_posted_events); - } - - return NGX_OK; - } - - sslerr = SSL_get_error(c->ssl->connection, n); - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - c->read->ready = 0; - return NGX_AGAIN; - } - - if (sslerr == SSL_ERROR_WANT_WRITE) { - - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "peer started SSL renegotiation"); - - c->write->ready = 0; - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - /* - * we do not set the timer because there is already the read event timer - */ - - if (c->ssl->saved_write_handler == NULL) { - c->ssl->saved_write_handler = c->write->handler; - c->write->handler = ngx_ssl_write_handler; - } - - return NGX_AGAIN; - } - - c->ssl->no_wait_shutdown = 1; - c->ssl->no_send_shutdown = 1; - - if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "peer shutdown SSL cleanly"); - return NGX_DONE; - } - - ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed"); - - return NGX_ERROR; -} - - -static void -ngx_ssl_write_handler(ngx_event_t *wev) -{ - ngx_connection_t *c; - - c = wev->data; - - c->read->handler(c->read); -} - - -/* - * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer - * before the SSL_write() call to decrease a SSL overhead. - * - * Besides for protocols such as HTTP it is possible to always buffer - * the output to decrease a SSL overhead some more. - */ - -ngx_chain_t * -ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) -{ - int n; - ngx_uint_t flush; - ssize_t send, size; - ngx_buf_t *buf; - - if (!c->ssl->buffer) { - - while (in) { - if (ngx_buf_special(in->buf)) { - in = in->next; - continue; - } - - n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); - - if (n == NGX_ERROR) { - return NGX_CHAIN_ERROR; - } - - if (n == NGX_AGAIN) { - return in; - } - - in->buf->pos += n; - - if (in->buf->pos == in->buf->last) { - in = in->next; - } - } - - return in; - } - - - /* the maximum limit size is the maximum int32_t value - the page size */ - - if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { - limit = NGX_MAX_INT32_VALUE - ngx_pagesize; - } - - buf = c->ssl->buf; - - if (buf == NULL) { - buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size); - if (buf == NULL) { - return NGX_CHAIN_ERROR; - } - - c->ssl->buf = buf; - } - - if (buf->start == NULL) { - buf->start = ngx_palloc(c->pool, c->ssl->buffer_size); - if (buf->start == NULL) { - return NGX_CHAIN_ERROR; - } - - buf->pos = buf->start; - buf->last = buf->start; - buf->end = buf->start + c->ssl->buffer_size; - } - - send = buf->last - buf->pos; - flush = (in == NULL) ? 1 : buf->flush; - - for ( ;; ) { - - while (in && buf->last < buf->end && send < limit) { - if (in->buf->last_buf || in->buf->flush) { - flush = 1; - } - - if (ngx_buf_special(in->buf)) { - in = in->next; - continue; - } - - size = in->buf->last - in->buf->pos; - - if (size > buf->end - buf->last) { - size = buf->end - buf->last; - } - - if (send + size > limit) { - size = (ssize_t) (limit - send); - } - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL buf copy: %z", size); - - ngx_memcpy(buf->last, in->buf->pos, size); - - buf->last += size; - in->buf->pos += size; - send += size; - - if (in->buf->pos == in->buf->last) { - in = in->next; - } - } - - if (!flush && send < limit && buf->last < buf->end) { - break; - } - - size = buf->last - buf->pos; - - if (size == 0) { - buf->flush = 0; - c->buffered &= ~NGX_SSL_BUFFERED; - return in; - } - - n = ngx_ssl_write(c, buf->pos, size); - - if (n == NGX_ERROR) { - return NGX_CHAIN_ERROR; - } - - if (n == NGX_AGAIN) { - break; - } - - buf->pos += n; - - if (n < size) { - break; - } - - flush = 0; - - buf->pos = buf->start; - buf->last = buf->start; - - if (in == NULL || send == limit) { - break; - } - } - - buf->flush = flush; - - if (buf->pos < buf->last) { - c->buffered |= NGX_SSL_BUFFERED; - - } else { - c->buffered &= ~NGX_SSL_BUFFERED; - } - - return in; -} - - -ssize_t -ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) -{ - int n, sslerr; - ngx_err_t err; - - ngx_ssl_clear_error(c->log); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); - - n = SSL_write(c->ssl->connection, data, size); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); - - if (n > 0) { - - if (c->ssl->saved_read_handler) { - - c->read->handler = c->ssl->saved_read_handler; - c->ssl->saved_read_handler = NULL; - c->read->ready = 1; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - ngx_post_event(c->read, &ngx_posted_events); - } - - c->sent += n; - - return n; - } - - sslerr = SSL_get_error(c->ssl->connection, n); - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_WRITE) { - c->write->ready = 0; - return NGX_AGAIN; - } - - if (sslerr == SSL_ERROR_WANT_READ) { - - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "peer started SSL renegotiation"); - - c->read->ready = 0; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - /* - * we do not set the timer because there is already - * the write event timer - */ - - if (c->ssl->saved_read_handler == NULL) { - c->ssl->saved_read_handler = c->read->handler; - c->read->handler = ngx_ssl_read_handler; - } - - return NGX_AGAIN; - } - - c->ssl->no_wait_shutdown = 1; - c->ssl->no_send_shutdown = 1; - c->write->error = 1; - - ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed"); - - return NGX_ERROR; -} - - -static void -ngx_ssl_read_handler(ngx_event_t *rev) -{ - ngx_connection_t *c; - - c = rev->data; - - c->write->handler(c->write); -} - - -void -ngx_ssl_free_buffer(ngx_connection_t *c) -{ - if (c->ssl->buf && c->ssl->buf->start) { - if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) { - c->ssl->buf->start = NULL; - } - } -} - - -ngx_int_t -ngx_ssl_shutdown(ngx_connection_t *c) -{ - int n, sslerr, mode; - ngx_err_t err; - - if (SSL_in_init(c->ssl->connection)) { - /* - * OpenSSL 1.0.2f complains if SSL_shutdown() is called during - * an SSL handshake, while previous versions always return 0. - * Avoid calling SSL_shutdown() if handshake wasn't completed. - */ - - SSL_free(c->ssl->connection); - c->ssl = NULL; - - return NGX_OK; - } - - if (c->timedout) { - mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; - SSL_set_quiet_shutdown(c->ssl->connection, 1); - - } else { - mode = SSL_get_shutdown(c->ssl->connection); - - if (c->ssl->no_wait_shutdown) { - mode |= SSL_RECEIVED_SHUTDOWN; - } - - if (c->ssl->no_send_shutdown) { - mode |= SSL_SENT_SHUTDOWN; - } - - if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) { - SSL_set_quiet_shutdown(c->ssl->connection, 1); - } - } - - SSL_set_shutdown(c->ssl->connection, mode); - - ngx_ssl_clear_error(c->log); - - n = SSL_shutdown(c->ssl->connection); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); - - sslerr = 0; - - /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ - - if (n != 1 && ERR_peek_error()) { - sslerr = SSL_get_error(c->ssl->connection, n); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL_get_error: %d", sslerr); - } - - if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) { - SSL_free(c->ssl->connection); - c->ssl = NULL; - - return NGX_OK; - } - - if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { - c->read->handler = ngx_ssl_shutdown_handler; - c->write->handler = ngx_ssl_shutdown_handler; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (sslerr == SSL_ERROR_WANT_READ) { - ngx_add_timer(c->read, 30000); - } - - return NGX_AGAIN; - } - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); - - SSL_free(c->ssl->connection); - c->ssl = NULL; - - return NGX_ERROR; -} - - -static void -ngx_ssl_shutdown_handler(ngx_event_t *ev) -{ - ngx_connection_t *c; - ngx_connection_handler_pt handler; - - c = ev->data; - handler = c->ssl->handler; - - if (ev->timedout) { - c->timedout = 1; - } - - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); - - if (ngx_ssl_shutdown(c) == NGX_AGAIN) { - return; - } - - handler(c); -} - - -static void -ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, - char *text) -{ - int n; - ngx_uint_t level; - - level = NGX_LOG_CRIT; - - if (sslerr == SSL_ERROR_SYSCALL) { - - if (err == NGX_ECONNRESET - || err == NGX_EPIPE - || err == NGX_ENOTCONN - || err == NGX_ETIMEDOUT - || err == NGX_ECONNREFUSED - || err == NGX_ENETDOWN - || err == NGX_ENETUNREACH - || err == NGX_EHOSTDOWN - || err == NGX_EHOSTUNREACH) - { - switch (c->log_error) { - - case NGX_ERROR_IGNORE_ECONNRESET: - case NGX_ERROR_INFO: - level = NGX_LOG_INFO; - break; - - case NGX_ERROR_ERR: - level = NGX_LOG_ERR; - break; - - default: - break; - } - } - - } else if (sslerr == SSL_ERROR_SSL) { - - n = ERR_GET_REASON(ERR_peek_error()); - - /* handshake failures */ - if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ -#ifdef SSL_R_BLOCK_CIPHER_PAD_IS_WRONG - || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ -#endif - || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ - || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ - || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ - || n == SSL_R_LENGTH_MISMATCH /* 159 */ -#ifdef SSL_R_NO_CIPHERS_PASSED - || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ -#endif -#ifdef SSL_R_NO_CIPHERS_SPECIFIED - || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ -#endif - || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ - || n == SSL_R_NO_SHARED_CIPHER /* 193 */ - || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ -#ifdef SSL_R_PARSE_TLSEXT - || n == SSL_R_PARSE_TLSEXT /* 227 */ -#endif - || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ - || n == SSL_R_UNEXPECTED_RECORD /* 245 */ - || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ - || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ - || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ - || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ -#ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG - || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ - || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ - || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ -#endif -#ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED - || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ -#endif -#ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING - || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ -#endif -#ifdef SSL_R_INAPPROPRIATE_FALLBACK - || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ -#endif - || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ -#ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE - || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ - || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ - || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ - || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ - || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */ - || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */ - || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */ - || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */ - || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */ - || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */ - || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */ - || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */ - || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */ - || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */ - || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */ - || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */ - || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */ - || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */ - || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */ - || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ - || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ - || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ - || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ -#endif - ) - { - switch (c->log_error) { - - case NGX_ERROR_IGNORE_ECONNRESET: - case NGX_ERROR_INFO: - level = NGX_LOG_INFO; - break; - - case NGX_ERROR_ERR: - level = NGX_LOG_ERR; - break; - - default: - break; - } - } - } - - ngx_ssl_error(level, c->log, err, text); -} - - -static void -ngx_ssl_clear_error(ngx_log_t *log) -{ - while (ERR_peek_error()) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); - } - - ERR_clear_error(); -} - - -void ngx_cdecl -ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) -{ - int flags; - u_long n; - va_list args; - u_char *p, *last; - u_char errstr[NGX_MAX_CONF_ERRSTR]; - const char *data; - - last = errstr + NGX_MAX_CONF_ERRSTR; - - va_start(args, fmt); - p = ngx_vslprintf(errstr, last - 1, fmt, args); - va_end(args); - - p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); - - for ( ;; ) { - - n = ERR_peek_error_line_data(NULL, NULL, &data, &flags); - - if (n == 0) { - break; - } - - if (p >= last) { - goto next; - } - - *p++ = ' '; - - ERR_error_string_n(n, (char *) p, last - p); - - while (p < last && *p) { - p++; - } - - if (p < last && *data && (flags & ERR_TXT_STRING)) { - *p++ = ':'; - p = ngx_cpystrn(p, (u_char *) data, last - p); - } - - next: - - (void) ERR_get_error(); - } - - ngx_log_error(level, log, err, "%*s)", p - errstr, errstr); -} - - -ngx_int_t -ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, - ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout) -{ - long cache_mode; - - SSL_CTX_set_timeout(ssl->ctx, (long) timeout); - - if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) { - return NGX_ERROR; - } - - if (builtin_session_cache == NGX_SSL_NO_SCACHE) { - SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); - return NGX_OK; - } - - if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { - - /* - * If the server explicitly says that it does not support - * session reuse (see SSL_SESS_CACHE_OFF above), then - * Outlook Express fails to upload a sent email to - * the Sent Items folder on the IMAP server via a separate IMAP - * connection in the background. Therefore we have a special - * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE) - * where the server pretends that it supports session reuse, - * but it does not actually store any session. - */ - - SSL_CTX_set_session_cache_mode(ssl->ctx, - SSL_SESS_CACHE_SERVER - |SSL_SESS_CACHE_NO_AUTO_CLEAR - |SSL_SESS_CACHE_NO_INTERNAL_STORE); - - SSL_CTX_sess_set_cache_size(ssl->ctx, 1); - - return NGX_OK; - } - - cache_mode = SSL_SESS_CACHE_SERVER; - - if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) { - cache_mode |= SSL_SESS_CACHE_NO_INTERNAL; - } - - SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); - - if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { - - if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { - SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache); - } - } - - if (shm_zone) { - SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session); - SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session); - SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session); - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - return NGX_ERROR; - } - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx) -{ - int n, i; - X509 *cert; - X509_NAME *name; - EVP_MD_CTX *md; - unsigned int len; - STACK_OF(X509_NAME) *list; - u_char buf[EVP_MAX_MD_SIZE]; - - /* - * Session ID context is set based on the string provided, - * the server certificates, and the client CA list. - */ - - md = EVP_MD_CTX_create(); - if (md == NULL) { - return NGX_ERROR; - } - - if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestInit_ex() failed"); - goto failed; - } - - if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestUpdate() failed"); - goto failed; - } - - for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); - cert; - cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) - { - if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "X509_digest() failed"); - goto failed; - } - - if (EVP_DigestUpdate(md, buf, len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestUpdate() failed"); - goto failed; - } - } - - list = SSL_CTX_get_client_CA_list(ssl->ctx); - - if (list != NULL) { - n = sk_X509_NAME_num(list); - - for (i = 0; i < n; i++) { - name = sk_X509_NAME_value(list, i); - - if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "X509_NAME_digest() failed"); - goto failed; - } - - if (EVP_DigestUpdate(md, buf, len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestUpdate() failed"); - goto failed; - } - } - } - - if (EVP_DigestFinal_ex(md, buf, &len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestUpdate() failed"); - goto failed; - } - - EVP_MD_CTX_destroy(md); - - if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_session_id_context() failed"); - return NGX_ERROR; - } - - return NGX_OK; - -failed: - - EVP_MD_CTX_destroy(md); - - return NGX_ERROR; -} - - -ngx_int_t -ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data) -{ - size_t len; - ngx_slab_pool_t *shpool; - ngx_ssl_session_cache_t *cache; - - if (data) { - shm_zone->data = data; - return NGX_OK; - } - - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; - - if (shm_zone->shm.exists) { - shm_zone->data = shpool->data; - return NGX_OK; - } - - cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t)); - if (cache == NULL) { - return NGX_ERROR; - } - - shpool->data = cache; - shm_zone->data = cache; - - ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel, - ngx_ssl_session_rbtree_insert_value); - - ngx_queue_init(&cache->expire_queue); - - len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len; - - shpool->log_ctx = ngx_slab_alloc(shpool, len); - if (shpool->log_ctx == NULL) { - return NGX_ERROR; - } - - ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z", - &shm_zone->shm.name); - - shpool->log_nomem = 0; - - return NGX_OK; -} - - -/* - * The length of the session id is 16 bytes for SSLv2 sessions and - * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes. - * It seems that the typical length of the external ASN1 representation - * of a session is 118 or 119 bytes for SSLv3/TSLv1. - * - * Thus on 32-bit platforms we allocate separately an rbtree node, - * a session id, and an ASN1 representation, they take accordingly - * 64, 32, and 128 bytes. - * - * On 64-bit platforms we allocate separately an rbtree node + session_id, - * and an ASN1 representation, they take accordingly 128 and 128 bytes. - * - * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow, - * so they are outside the code locked by shared pool mutex - */ - -static int -ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) -{ - int len; - u_char *p, *id, *cached_sess, *session_id; - uint32_t hash; - SSL_CTX *ssl_ctx; - unsigned int session_id_length; - ngx_shm_zone_t *shm_zone; - ngx_connection_t *c; - ngx_slab_pool_t *shpool; - ngx_ssl_sess_id_t *sess_id; - ngx_ssl_session_cache_t *cache; - u_char buf[NGX_SSL_MAX_SESSION_SIZE]; - - len = i2d_SSL_SESSION(sess, NULL); - - /* do not cache too big session */ - - if (len > (int) NGX_SSL_MAX_SESSION_SIZE) { - return 0; - } - - p = buf; - i2d_SSL_SESSION(sess, &p); - - c = ngx_ssl_get_connection(ssl_conn); - - ssl_ctx = c->ssl->session_ctx; - shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); - - cache = shm_zone->data; - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; - - ngx_shmtx_lock(&shpool->mutex); - - /* drop one or two expired sessions */ - ngx_ssl_expire_sessions(cache, shpool, 1); - - cached_sess = ngx_slab_alloc_locked(shpool, len); - - if (cached_sess == NULL) { - - /* drop the oldest non-expired session and try once more */ - - ngx_ssl_expire_sessions(cache, shpool, 0); - - cached_sess = ngx_slab_alloc_locked(shpool, len); - - if (cached_sess == NULL) { - sess_id = NULL; - goto failed; - } - } - - sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); - - if (sess_id == NULL) { - - /* drop the oldest non-expired session and try once more */ - - ngx_ssl_expire_sessions(cache, shpool, 0); - - sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); - - if (sess_id == NULL) { - goto failed; - } - } - -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL - - session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length); - -#else - - session_id = sess->session_id; - session_id_length = sess->session_id_length; - -#endif - -#if (NGX_PTR_SIZE == 8) - - id = sess_id->sess_id; - -#else - - id = ngx_slab_alloc_locked(shpool, session_id_length); - - if (id == NULL) { - - /* drop the oldest non-expired session and try once more */ - - ngx_ssl_expire_sessions(cache, shpool, 0); - - id = ngx_slab_alloc_locked(shpool, session_id_length); - - if (id == NULL) { - goto failed; - } - } - -#endif - - ngx_memcpy(cached_sess, buf, len); - - ngx_memcpy(id, session_id, session_id_length); - - hash = ngx_crc32_short(session_id, session_id_length); - - ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl new session: %08XD:%ud:%d", - hash, session_id_length, len); - - sess_id->node.key = hash; - sess_id->node.data = (u_char) session_id_length; - sess_id->id = id; - sess_id->len = len; - sess_id->session = cached_sess; - - sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); - - ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); - - ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); - - ngx_shmtx_unlock(&shpool->mutex); - - return 0; - -failed: - - if (cached_sess) { - ngx_slab_free_locked(shpool, cached_sess); - } - - if (sess_id) { - ngx_slab_free_locked(shpool, sess_id); - } - - ngx_shmtx_unlock(&shpool->mutex); - - ngx_log_error(NGX_LOG_ALERT, c->log, 0, - "could not allocate new session%s", shpool->log_ctx); - - return 0; -} - - -static ngx_ssl_session_t * -ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, -#if OPENSSL_VERSION_NUMBER >= 0x10100003L - const -#endif - u_char *id, int len, int *copy) -{ -#if OPENSSL_VERSION_NUMBER >= 0x0090707fL - const -#endif - u_char *p; - uint32_t hash; - ngx_int_t rc; - ngx_shm_zone_t *shm_zone; - ngx_slab_pool_t *shpool; - ngx_rbtree_node_t *node, *sentinel; - ngx_ssl_session_t *sess; - ngx_ssl_sess_id_t *sess_id; - ngx_ssl_session_cache_t *cache; - u_char buf[NGX_SSL_MAX_SESSION_SIZE]; - ngx_connection_t *c; - - hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len); - *copy = 0; - - c = ngx_ssl_get_connection(ssl_conn); - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl get session: %08XD:%d", hash, len); - - shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, - ngx_ssl_session_cache_index); - - cache = shm_zone->data; - - sess = NULL; - - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; - - ngx_shmtx_lock(&shpool->mutex); - - node = cache->session_rbtree.root; - sentinel = cache->session_rbtree.sentinel; - - while (node != sentinel) { - - if (hash < node->key) { - node = node->left; - continue; - } - - if (hash > node->key) { - node = node->right; - continue; - } - - /* hash == node->key */ - - sess_id = (ngx_ssl_sess_id_t *) node; - - rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id, - (size_t) len, (size_t) node->data); - - if (rc == 0) { - - if (sess_id->expire > ngx_time()) { - ngx_memcpy(buf, sess_id->session, sess_id->len); - - ngx_shmtx_unlock(&shpool->mutex); - - p = buf; - sess = d2i_SSL_SESSION(NULL, &p, sess_id->len); - - return sess; - } - - ngx_queue_remove(&sess_id->queue); - - ngx_rbtree_delete(&cache->session_rbtree, node); - - ngx_slab_free_locked(shpool, sess_id->session); -#if (NGX_PTR_SIZE == 4) - ngx_slab_free_locked(shpool, sess_id->id); -#endif - ngx_slab_free_locked(shpool, sess_id); - - sess = NULL; - - goto done; - } - - node = (rc < 0) ? node->left : node->right; - } - -done: - - ngx_shmtx_unlock(&shpool->mutex); - - return sess; -} - - -void -ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) -{ - SSL_CTX_remove_session(ssl, sess); - - ngx_ssl_remove_session(ssl, sess); -} - - -static void -ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) -{ - u_char *id; - uint32_t hash; - ngx_int_t rc; - unsigned int len; - ngx_shm_zone_t *shm_zone; - ngx_slab_pool_t *shpool; - ngx_rbtree_node_t *node, *sentinel; - ngx_ssl_sess_id_t *sess_id; - ngx_ssl_session_cache_t *cache; - - shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); - - if (shm_zone == NULL) { - return; - } - - cache = shm_zone->data; - -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL - - id = (u_char *) SSL_SESSION_get_id(sess, &len); - -#else - - id = sess->session_id; - len = sess->session_id_length; - -#endif - - hash = ngx_crc32_short(id, len); - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, - "ssl remove session: %08XD:%ud", hash, len); - - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; - - ngx_shmtx_lock(&shpool->mutex); - - node = cache->session_rbtree.root; - sentinel = cache->session_rbtree.sentinel; - - while (node != sentinel) { - - if (hash < node->key) { - node = node->left; - continue; - } - - if (hash > node->key) { - node = node->right; - continue; - } - - /* hash == node->key */ - - sess_id = (ngx_ssl_sess_id_t *) node; - - rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data); - - if (rc == 0) { - - ngx_queue_remove(&sess_id->queue); - - ngx_rbtree_delete(&cache->session_rbtree, node); - - ngx_slab_free_locked(shpool, sess_id->session); -#if (NGX_PTR_SIZE == 4) - ngx_slab_free_locked(shpool, sess_id->id); -#endif - ngx_slab_free_locked(shpool, sess_id); - - goto done; - } - - node = (rc < 0) ? node->left : node->right; - } - -done: - - ngx_shmtx_unlock(&shpool->mutex); -} - - -static void -ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, - ngx_slab_pool_t *shpool, ngx_uint_t n) -{ - time_t now; - ngx_queue_t *q; - ngx_ssl_sess_id_t *sess_id; - - now = ngx_time(); - - while (n < 3) { - - if (ngx_queue_empty(&cache->expire_queue)) { - return; - } - - q = ngx_queue_last(&cache->expire_queue); - - sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue); - - if (n++ != 0 && sess_id->expire > now) { - return; - } - - ngx_queue_remove(q); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, - "expire session: %08Xi", sess_id->node.key); - - ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); - - ngx_slab_free_locked(shpool, sess_id->session); -#if (NGX_PTR_SIZE == 4) - ngx_slab_free_locked(shpool, sess_id->id); -#endif - ngx_slab_free_locked(shpool, sess_id); - } -} - - -static void -ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, - ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel) -{ - ngx_rbtree_node_t **p; - ngx_ssl_sess_id_t *sess_id, *sess_id_temp; - - for ( ;; ) { - - if (node->key < temp->key) { - - p = &temp->left; - - } else if (node->key > temp->key) { - - p = &temp->right; - - } else { /* node->key == temp->key */ - - sess_id = (ngx_ssl_sess_id_t *) node; - sess_id_temp = (ngx_ssl_sess_id_t *) temp; - - p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id, - (size_t) node->data, (size_t) temp->data) - < 0) ? &temp->left : &temp->right; - } - - if (*p == sentinel) { - break; - } - - temp = *p; - } - - *p = node; - node->parent = temp; - node->left = sentinel; - node->right = sentinel; - ngx_rbt_red(node); -} - - -#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB - -ngx_int_t -ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) -{ - u_char buf[48]; - ssize_t n; - ngx_str_t *path; - ngx_file_t file; - ngx_uint_t i; - ngx_array_t *keys; - ngx_file_info_t fi; - ngx_ssl_session_ticket_key_t *key; - - if (paths == NULL) { - return NGX_OK; - } - - keys = ngx_array_create(cf->pool, paths->nelts, - sizeof(ngx_ssl_session_ticket_key_t)); - if (keys == NULL) { - return NGX_ERROR; - } - - path = paths->elts; - for (i = 0; i < paths->nelts; i++) { - - if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) { - return NGX_ERROR; - } - - ngx_memzero(&file, sizeof(ngx_file_t)); - file.name = path[i]; - file.log = cf->log; - - file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, 0, 0); - if (file.fd == NGX_INVALID_FILE) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, - ngx_open_file_n " \"%V\" failed", &file.name); - return NGX_ERROR; - } - - if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) { - ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, - ngx_fd_info_n " \"%V\" failed", &file.name); - goto failed; - } - - if (ngx_file_size(&fi) != 48) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "\"%V\" must be 48 bytes", &file.name); - goto failed; - } - - n = ngx_read_file(&file, buf, 48, 0); - - if (n == NGX_ERROR) { - ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, - ngx_read_file_n " \"%V\" failed", &file.name); - goto failed; - } - - if (n != 48) { - ngx_conf_log_error(NGX_LOG_CRIT, cf, 0, - ngx_read_file_n " \"%V\" returned only " - "%z bytes instead of 48", &file.name, n); - goto failed; - } - - key = ngx_array_push(keys); - if (key == NULL) { - goto failed; - } - - ngx_memcpy(key->name, buf, 16); - ngx_memcpy(key->aes_key, buf + 16, 16); - ngx_memcpy(key->hmac_key, buf + 32, 16); - - if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { - ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, - ngx_close_file_n " \"%V\" failed", &file.name); - } - } - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - return NGX_ERROR; - } - - if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx, - ngx_ssl_session_ticket_key_callback) - == 0) - { - ngx_log_error(NGX_LOG_WARN, cf->log, 0, - "nginx was built with Session Tickets support, however, " - "now it is linked dynamically to an OpenSSL library " - "which has no tlsext support, therefore Session Tickets " - "are not available"); - } - - return NGX_OK; - -failed: - - if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { - ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, - ngx_close_file_n " \"%V\" failed", &file.name); - } - - return NGX_ERROR; -} - - -static int -ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, - HMAC_CTX *hctx, int enc) -{ - SSL_CTX *ssl_ctx; - ngx_uint_t i; - ngx_array_t *keys; - ngx_connection_t *c; - ngx_ssl_session_ticket_key_t *key; - const EVP_MD *digest; - const EVP_CIPHER *cipher; -#if (NGX_DEBUG) - u_char buf[32]; -#endif - - c = ngx_ssl_get_connection(ssl_conn); - ssl_ctx = c->ssl->session_ctx; - - cipher = EVP_aes_128_cbc(); -#ifdef OPENSSL_NO_SHA256 - digest = EVP_sha1(); -#else - digest = EVP_sha256(); -#endif - - keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); - if (keys == NULL) { - return -1; - } - - key = keys->elts; - - if (enc == 1) { - /* encrypt session ticket */ - - ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl session ticket encrypt, key: \"%*s\" (%s session)", - ngx_hex_dump(buf, key[0].name, 16) - buf, buf, - SSL_session_reused(ssl_conn) ? "reused" : "new"); - - if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed"); - return -1; - } - - if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, - "EVP_EncryptInit_ex() failed"); - return -1; - } - -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - if (HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); - return -1; - } -#else - HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL); -#endif - - ngx_memcpy(name, key[0].name, 16); - - return 1; - - } else { - /* decrypt session ticket */ - - for (i = 0; i < keys->nelts; i++) { - if (ngx_memcmp(name, key[i].name, 16) == 0) { - goto found; - } - } - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl session ticket decrypt, key: \"%*s\" not found", - ngx_hex_dump(buf, name, 16) - buf, buf); - - return 0; - - found: - - ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl session ticket decrypt, key: \"%*s\"%s", - ngx_hex_dump(buf, key[i].name, 16) - buf, buf, - (i == 0) ? " (default)" : ""); - -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - if (HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); - return -1; - } -#else - HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL); -#endif - - if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, - "EVP_DecryptInit_ex() failed"); - return -1; - } - - return (i == 0) ? 1 : 2 /* renew */; - } -} - -#else - -ngx_int_t -ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) -{ - if (paths) { - ngx_log_error(NGX_LOG_WARN, ssl->log, 0, - "\"ssl_session_ticket_keys\" ignored, not supported"); - } - - return NGX_OK; -} - -#endif - - -void -ngx_ssl_cleanup_ctx(void *data) -{ - ngx_ssl_t *ssl = data; - - X509 *cert, *next; - - cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); - - while (cert) { - next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index); - X509_free(cert); - cert = next; - } - - SSL_CTX_free(ssl->ctx); -} - - -ngx_int_t -ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) -{ - X509 *cert; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_ERROR; - } - -#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT - - /* X509_check_host() is only available in OpenSSL 1.0.2+ */ - - if (name->len == 0) { - goto failed; - } - - if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "X509_check_host(): no match"); - goto failed; - } - - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "X509_check_host(): match"); - - goto found; - -#else - { - int n, i; - X509_NAME *sname; - ASN1_STRING *str; - X509_NAME_ENTRY *entry; - GENERAL_NAME *altname; - STACK_OF(GENERAL_NAME) *altnames; - - /* - * As per RFC6125 and RFC2818, we check subjectAltName extension, - * and if it's not present - commonName in Subject is checked. - */ - - altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); - - if (altnames) { - n = sk_GENERAL_NAME_num(altnames); - - for (i = 0; i < n; i++) { - altname = sk_GENERAL_NAME_value(altnames, i); - - if (altname->type != GEN_DNS) { - continue; - } - - str = altname->d.dNSName; - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL subjectAltName: \"%*s\"", - ASN1_STRING_length(str), ASN1_STRING_data(str)); - - if (ngx_ssl_check_name(name, str) == NGX_OK) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL subjectAltName: match"); - GENERAL_NAMES_free(altnames); - goto found; - } - } - - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL subjectAltName: no match"); - - GENERAL_NAMES_free(altnames); - goto failed; - } - - /* - * If there is no subjectAltName extension, check commonName - * in Subject. While RFC2818 requires to only check "most specific" - * CN, both Apache and OpenSSL check all CNs, and so do we. - */ - - sname = X509_get_subject_name(cert); - - if (sname == NULL) { - goto failed; - } - - i = -1; - for ( ;; ) { - i = X509_NAME_get_index_by_NID(sname, NID_commonName, i); - - if (i < 0) { - break; - } - - entry = X509_NAME_get_entry(sname, i); - str = X509_NAME_ENTRY_get_data(entry); - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL commonName: \"%*s\"", - ASN1_STRING_length(str), ASN1_STRING_data(str)); - - if (ngx_ssl_check_name(name, str) == NGX_OK) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL commonName: match"); - goto found; - } - } - - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL commonName: no match"); - } -#endif - -failed: - - X509_free(cert); - return NGX_ERROR; - -found: - - X509_free(cert); - return NGX_OK; -} - - -#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT - -static ngx_int_t -ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) -{ - u_char *s, *p, *end; - size_t slen, plen; - - s = name->data; - slen = name->len; - - p = ASN1_STRING_data(pattern); - plen = ASN1_STRING_length(pattern); - - if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) { - return NGX_OK; - } - - if (plen > 2 && p[0] == '*' && p[1] == '.') { - plen -= 1; - p += 1; - - end = s + slen; - s = ngx_strlchr(s, end, '.'); - - if (s == NULL) { - return NGX_ERROR; - } - - slen = end - s; - - if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) { - return NGX_OK; - } - } - - return NGX_ERROR; -} - -#endif - - -ngx_int_t -ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - s->data = (u_char *) SSL_get_version(c->ssl->connection); - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection); - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - u_char *buf; - SSL_SESSION *sess; - unsigned int len; - - sess = SSL_get0_session(c->ssl->connection); - if (sess == NULL) { - s->len = 0; - return NGX_OK; - } - -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL - - buf = (u_char *) SSL_SESSION_get_id(sess, &len); - -#else - - buf = sess->session_id; - len = sess->session_id_length; - -#endif - - s->len = 2 * len; - s->data = ngx_pnalloc(pool, 2 * len); - if (s->data == NULL) { - return NGX_ERROR; - } - - ngx_hex_dump(s->data, buf, len); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - if (SSL_session_reused(c->ssl->connection)) { - ngx_str_set(s, "r"); - - } else { - ngx_str_set(s, "."); - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ -#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - - const char *servername; - - servername = SSL_get_servername(c->ssl->connection, - TLSEXT_NAMETYPE_host_name); - if (servername) { - s->data = (u_char *) servername; - s->len = ngx_strlen(servername); - return NGX_OK; - } - -#endif - - s->len = 0; - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - size_t len; - BIO *bio; - X509 *cert; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - bio = BIO_new(BIO_s_mem()); - if (bio == NULL) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); - X509_free(cert); - return NGX_ERROR; - } - - if (PEM_write_bio_X509(bio, cert) == 0) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed"); - goto failed; - } - - len = BIO_pending(bio); - s->len = len; - - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - goto failed; - } - - BIO_read(bio, s->data, len); - - BIO_free(bio); - X509_free(cert); - - return NGX_OK; - -failed: - - BIO_free(bio); - X509_free(cert); - - return NGX_ERROR; -} - - -ngx_int_t -ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_str_t cert; - - if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { - return NGX_ERROR; - } - - if (cert.len == 0) { - s->len = 0; - return NGX_OK; - } - - len = cert.len - 1; - - for (i = 0; i < cert.len - 1; i++) { - if (cert.data[i] == LF) { - len++; - } - } - - s->len = len; - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - return NGX_ERROR; - } - - p = s->data; - - for (i = 0; i < cert.len - 1; i++) { - *p++ = cert.data[i]; - if (cert.data[i] == LF) { - *p++ = '\t'; - } - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - char *p; - size_t len; - X509 *cert; - X509_NAME *name; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - name = X509_get_subject_name(cert); - if (name == NULL) { - X509_free(cert); - return NGX_ERROR; - } - - p = X509_NAME_oneline(name, NULL, 0); - - for (len = 0; p[len]; len++) { /* void */ } - - s->len = len; - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - OPENSSL_free(p); - X509_free(cert); - return NGX_ERROR; - } - - ngx_memcpy(s->data, p, len); - - OPENSSL_free(p); - X509_free(cert); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - char *p; - size_t len; - X509 *cert; - X509_NAME *name; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - name = X509_get_issuer_name(cert); - if (name == NULL) { - X509_free(cert); - return NGX_ERROR; - } - - p = X509_NAME_oneline(name, NULL, 0); - - for (len = 0; p[len]; len++) { /* void */ } - - s->len = len; - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - OPENSSL_free(p); - X509_free(cert); - return NGX_ERROR; - } - - ngx_memcpy(s->data, p, len); - - OPENSSL_free(p); - X509_free(cert); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - size_t len; - X509 *cert; - BIO *bio; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - bio = BIO_new(BIO_s_mem()); - if (bio == NULL) { - X509_free(cert); - return NGX_ERROR; - } - - i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); - len = BIO_pending(bio); - - s->len = len; - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - BIO_free(bio); - X509_free(cert); - return NGX_ERROR; - } - - BIO_read(bio, s->data, len); - BIO_free(bio); - X509_free(cert); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - X509 *cert; - unsigned int len; - u_char buf[EVP_MAX_MD_SIZE]; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - if (!X509_digest(cert, EVP_sha1(), buf, &len)) { - X509_free(cert); - return NGX_ERROR; - } - - s->len = 2 * len; - s->data = ngx_pnalloc(pool, 2 * len); - if (s->data == NULL) { - X509_free(cert); - return NGX_ERROR; - } - - ngx_hex_dump(s->data, buf, len); - - X509_free(cert); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - X509 *cert; - - if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) { - ngx_str_set(s, "FAILED"); - return NGX_OK; - } - - cert = SSL_get_peer_certificate(c->ssl->connection); - - if (cert) { - ngx_str_set(s, "SUCCESS"); - - } else { - ngx_str_set(s, "NONE"); - } - - X509_free(cert); - - return NGX_OK; -} - - -static void * -ngx_openssl_create_conf(ngx_cycle_t *cycle) -{ - ngx_openssl_conf_t *oscf; - - oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t)); - if (oscf == NULL) { - return NULL; - } - - /* - * set by ngx_pcalloc(): - * - * oscf->engine = 0; - */ - - return oscf; -} - - -static char * -ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) -{ -#ifndef OPENSSL_NO_ENGINE - - ngx_openssl_conf_t *oscf = conf; - - ENGINE *engine; - ngx_str_t *value; - - if (oscf->engine) { - return "is duplicate"; - } - - oscf->engine = 1; - - value = cf->args->elts; - - engine = ENGINE_by_id((char *) value[1].data); - - if (engine == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, - "ENGINE_by_id(\"%V\") failed", &value[1]); - return NGX_CONF_ERROR; - } - - if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, - "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", - &value[1]); - - ENGINE_free(engine); - - return NGX_CONF_ERROR; - } - - ENGINE_free(engine); - - return NGX_CONF_OK; - -#else - - return "is not supported"; - -#endif -} - - -static void -ngx_openssl_exit(ngx_cycle_t *cycle) -{ -#if OPENSSL_VERSION_NUMBER < 0x10100003L - - EVP_cleanup(); -#ifndef OPENSSL_NO_ENGINE - ENGINE_cleanup(); -#endif - -#endif -} diff --git a/boring-nginx/patch-source/nginx-1.11.5-patched/src/http/ngx_http_upstream.c b/boring-nginx/patch-source/nginx-1.11.5-patched/src/http/ngx_http_upstream.c deleted file mode 100644 index 4305a8a..0000000 --- a/boring-nginx/patch-source/nginx-1.11.5-patched/src/http/ngx_http_upstream.c +++ /dev/null @@ -1,6197 +0,0 @@ - -/* - * Copyright (C) Igor Sysoev - * Copyright (C) Nginx, Inc. - */ - - -#include -#include -#include - - -#if (NGX_HTTP_CACHE) -static ngx_int_t ngx_http_upstream_cache(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_cache_get(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_http_file_cache_t **cache); -static ngx_int_t ngx_http_upstream_cache_send(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_cache_status(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_cache_last_modified(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_cache_etag(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -#endif - -static void ngx_http_upstream_init_request(ngx_http_request_t *r); -static void ngx_http_upstream_resolve_handler(ngx_resolver_ctx_t *ctx); -static void ngx_http_upstream_rd_check_broken_connection(ngx_http_request_t *r); -static void ngx_http_upstream_wr_check_broken_connection(ngx_http_request_t *r); -static void ngx_http_upstream_check_broken_connection(ngx_http_request_t *r, - ngx_event_t *ev); -static void ngx_http_upstream_connect(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_reinit(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_send_request(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_uint_t do_write); -static ngx_int_t ngx_http_upstream_send_request_body(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_uint_t do_write); -static void ngx_http_upstream_send_request_handler(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_read_request_handler(ngx_http_request_t *r); -static void ngx_http_upstream_process_header(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_test_next(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_intercept_errors(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_test_connect(ngx_connection_t *c); -static ngx_int_t ngx_http_upstream_process_headers(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_process_body_in_memory(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_send_response(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_upgrade(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_upgraded_read_downstream(ngx_http_request_t *r); -static void ngx_http_upstream_upgraded_write_downstream(ngx_http_request_t *r); -static void ngx_http_upstream_upgraded_read_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_upgraded_write_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - ngx_uint_t from_upstream, ngx_uint_t do_write); -static void - ngx_http_upstream_process_non_buffered_downstream(ngx_http_request_t *r); -static void - ngx_http_upstream_process_non_buffered_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void - ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r, - ngx_uint_t do_write); -static ngx_int_t ngx_http_upstream_non_buffered_filter_init(void *data); -static ngx_int_t ngx_http_upstream_non_buffered_filter(void *data, - ssize_t bytes); -#if (NGX_THREADS) -static ngx_int_t ngx_http_upstream_thread_handler(ngx_thread_task_t *task, - ngx_file_t *file); -static void ngx_http_upstream_thread_event_handler(ngx_event_t *ev); -#endif -static ngx_int_t ngx_http_upstream_output_filter(void *data, - ngx_chain_t *chain); -static void ngx_http_upstream_process_downstream(ngx_http_request_t *r); -static void ngx_http_upstream_process_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_process_request(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_store(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_dummy_handler(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_next(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_uint_t ft_type); -static void ngx_http_upstream_cleanup(void *data); -static void ngx_http_upstream_finalize_request(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_int_t rc); - -static ngx_int_t ngx_http_upstream_process_header_line(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_content_length(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_last_modified(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_set_cookie(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t - ngx_http_upstream_process_cache_control(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_ignore_header_line(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_expires(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_accel_expires(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_limit_rate(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_buffering(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_charset(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_connection(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t - ngx_http_upstream_process_transfer_encoding(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_vary(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_copy_header_line(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t - ngx_http_upstream_copy_multi_header_lines(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_copy_content_type(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_copy_last_modified(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_rewrite_location(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_rewrite_refresh(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_rewrite_set_cookie(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_copy_allow_ranges(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); - -#if (NGX_HTTP_GZIP) -static ngx_int_t ngx_http_upstream_copy_content_encoding(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -#endif - -static ngx_int_t ngx_http_upstream_add_variables(ngx_conf_t *cf); -static ngx_int_t ngx_http_upstream_addr_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_status_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_response_time_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_response_length_variable( - ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); - -static char *ngx_http_upstream(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy); -static char *ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); - -static ngx_int_t ngx_http_upstream_set_local(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_http_upstream_local_t *local); - -static void *ngx_http_upstream_create_main_conf(ngx_conf_t *cf); -static char *ngx_http_upstream_init_main_conf(ngx_conf_t *cf, void *conf); - -#if (NGX_HTTP_SSL) -static void ngx_http_upstream_ssl_init_connection(ngx_http_request_t *, - ngx_http_upstream_t *u, ngx_connection_t *c); -static void ngx_http_upstream_ssl_handshake(ngx_connection_t *c); -static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_connection_t *c); -#endif - - -ngx_http_upstream_header_t ngx_http_upstream_headers_in[] = { - - { ngx_string("Status"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, status), - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("Content-Type"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, content_type), - ngx_http_upstream_copy_content_type, 0, 1 }, - - { ngx_string("Content-Length"), - ngx_http_upstream_process_content_length, 0, - ngx_http_upstream_ignore_header_line, 0, 0 }, - - { ngx_string("Date"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, date), - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, date), 0 }, - - { ngx_string("Last-Modified"), - ngx_http_upstream_process_last_modified, 0, - ngx_http_upstream_copy_last_modified, 0, 0 }, - - { ngx_string("ETag"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, etag), - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, etag), 0 }, - - { ngx_string("Server"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, server), - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, server), 0 }, - - { ngx_string("WWW-Authenticate"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, www_authenticate), - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("Location"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, location), - ngx_http_upstream_rewrite_location, 0, 0 }, - - { ngx_string("Refresh"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_rewrite_refresh, 0, 0 }, - - { ngx_string("Set-Cookie"), - ngx_http_upstream_process_set_cookie, - offsetof(ngx_http_upstream_headers_in_t, cookies), - ngx_http_upstream_rewrite_set_cookie, 0, 1 }, - - { ngx_string("Content-Disposition"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_copy_header_line, 0, 1 }, - - { ngx_string("Cache-Control"), - ngx_http_upstream_process_cache_control, 0, - ngx_http_upstream_copy_multi_header_lines, - offsetof(ngx_http_headers_out_t, cache_control), 1 }, - - { ngx_string("Expires"), - ngx_http_upstream_process_expires, 0, - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, expires), 1 }, - - { ngx_string("Accept-Ranges"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, accept_ranges), - ngx_http_upstream_copy_allow_ranges, - offsetof(ngx_http_headers_out_t, accept_ranges), 1 }, - - { ngx_string("Content-Range"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, content_range), 0 }, - - { ngx_string("Connection"), - ngx_http_upstream_process_connection, 0, - ngx_http_upstream_ignore_header_line, 0, 0 }, - - { ngx_string("Keep-Alive"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_ignore_header_line, 0, 0 }, - - { ngx_string("Vary"), - ngx_http_upstream_process_vary, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Powered-By"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Expires"), - ngx_http_upstream_process_accel_expires, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Redirect"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, x_accel_redirect), - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Limit-Rate"), - ngx_http_upstream_process_limit_rate, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Buffering"), - ngx_http_upstream_process_buffering, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Charset"), - ngx_http_upstream_process_charset, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("Transfer-Encoding"), - ngx_http_upstream_process_transfer_encoding, 0, - ngx_http_upstream_ignore_header_line, 0, 0 }, - -#if (NGX_HTTP_GZIP) - { ngx_string("Content-Encoding"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, content_encoding), - ngx_http_upstream_copy_content_encoding, 0, 0 }, -#endif - - { ngx_null_string, NULL, 0, NULL, 0, 0 } -}; - - -static ngx_command_t ngx_http_upstream_commands[] = { - - { ngx_string("upstream"), - NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_TAKE1, - ngx_http_upstream, - 0, - 0, - NULL }, - - { ngx_string("server"), - NGX_HTTP_UPS_CONF|NGX_CONF_1MORE, - ngx_http_upstream_server, - NGX_HTTP_SRV_CONF_OFFSET, - 0, - NULL }, - - ngx_null_command -}; - - -static ngx_http_module_t ngx_http_upstream_module_ctx = { - ngx_http_upstream_add_variables, /* preconfiguration */ - NULL, /* postconfiguration */ - - ngx_http_upstream_create_main_conf, /* create main configuration */ - ngx_http_upstream_init_main_conf, /* init main configuration */ - - NULL, /* create server configuration */ - NULL, /* merge server configuration */ - - NULL, /* create location configuration */ - NULL /* merge location configuration */ -}; - - -ngx_module_t ngx_http_upstream_module = { - NGX_MODULE_V1, - &ngx_http_upstream_module_ctx, /* module context */ - ngx_http_upstream_commands, /* module directives */ - NGX_HTTP_MODULE, /* module type */ - NULL, /* init master */ - NULL, /* init module */ - NULL, /* init process */ - NULL, /* init thread */ - NULL, /* exit thread */ - NULL, /* exit process */ - NULL, /* exit master */ - NGX_MODULE_V1_PADDING -}; - - -static ngx_http_variable_t ngx_http_upstream_vars[] = { - - { ngx_string("upstream_addr"), NULL, - ngx_http_upstream_addr_variable, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_status"), NULL, - ngx_http_upstream_status_variable, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_connect_time"), NULL, - ngx_http_upstream_response_time_variable, 2, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_header_time"), NULL, - ngx_http_upstream_response_time_variable, 1, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_response_time"), NULL, - ngx_http_upstream_response_time_variable, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_response_length"), NULL, - ngx_http_upstream_response_length_variable, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_bytes_received"), NULL, - ngx_http_upstream_response_length_variable, 1, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - -#if (NGX_HTTP_CACHE) - - { ngx_string("upstream_cache_status"), NULL, - ngx_http_upstream_cache_status, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_cache_last_modified"), NULL, - ngx_http_upstream_cache_last_modified, 0, - NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, - - { ngx_string("upstream_cache_etag"), NULL, - ngx_http_upstream_cache_etag, 0, - NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, - -#endif - - { ngx_null_string, NULL, NULL, 0, 0, 0 } -}; - - -static ngx_http_upstream_next_t ngx_http_upstream_next_errors[] = { - { 500, NGX_HTTP_UPSTREAM_FT_HTTP_500 }, - { 502, NGX_HTTP_UPSTREAM_FT_HTTP_502 }, - { 503, NGX_HTTP_UPSTREAM_FT_HTTP_503 }, - { 504, NGX_HTTP_UPSTREAM_FT_HTTP_504 }, - { 403, NGX_HTTP_UPSTREAM_FT_HTTP_403 }, - { 404, NGX_HTTP_UPSTREAM_FT_HTTP_404 }, - { 0, 0 } -}; - - -ngx_conf_bitmask_t ngx_http_upstream_cache_method_mask[] = { - { ngx_string("GET"), NGX_HTTP_GET }, - { ngx_string("HEAD"), NGX_HTTP_HEAD }, - { ngx_string("POST"), NGX_HTTP_POST }, - { ngx_null_string, 0 } -}; - - -ngx_conf_bitmask_t ngx_http_upstream_ignore_headers_masks[] = { - { ngx_string("X-Accel-Redirect"), NGX_HTTP_UPSTREAM_IGN_XA_REDIRECT }, - { ngx_string("X-Accel-Expires"), NGX_HTTP_UPSTREAM_IGN_XA_EXPIRES }, - { ngx_string("X-Accel-Limit-Rate"), NGX_HTTP_UPSTREAM_IGN_XA_LIMIT_RATE }, - { ngx_string("X-Accel-Buffering"), NGX_HTTP_UPSTREAM_IGN_XA_BUFFERING }, - { ngx_string("X-Accel-Charset"), NGX_HTTP_UPSTREAM_IGN_XA_CHARSET }, - { ngx_string("Expires"), NGX_HTTP_UPSTREAM_IGN_EXPIRES }, - { ngx_string("Cache-Control"), NGX_HTTP_UPSTREAM_IGN_CACHE_CONTROL }, - { ngx_string("Set-Cookie"), NGX_HTTP_UPSTREAM_IGN_SET_COOKIE }, - { ngx_string("Vary"), NGX_HTTP_UPSTREAM_IGN_VARY }, - { ngx_null_string, 0 } -}; - - -ngx_int_t -ngx_http_upstream_create(ngx_http_request_t *r) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - - if (u && u->cleanup) { - r->main->count++; - ngx_http_upstream_cleanup(r); - } - - u = ngx_pcalloc(r->pool, sizeof(ngx_http_upstream_t)); - if (u == NULL) { - return NGX_ERROR; - } - - r->upstream = u; - - u->peer.log = r->connection->log; - u->peer.log_error = NGX_ERROR_ERR; - -#if (NGX_HTTP_CACHE) - r->cache = NULL; -#endif - - u->headers_in.content_length_n = -1; - u->headers_in.last_modified_time = -1; - - return NGX_OK; -} - - -void -ngx_http_upstream_init(ngx_http_request_t *r) -{ - ngx_connection_t *c; - - c = r->connection; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http init upstream, client timer: %d", c->read->timer_set); - -#if (NGX_HTTP_V2) - if (r->stream) { - ngx_http_upstream_init_request(r); - return; - } -#endif - - if (c->read->timer_set) { - ngx_del_timer(c->read); - } - - if (ngx_event_flags & NGX_USE_CLEAR_EVENT) { - - if (!c->write->active) { - if (ngx_add_event(c->write, NGX_WRITE_EVENT, NGX_CLEAR_EVENT) - == NGX_ERROR) - { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - } - - ngx_http_upstream_init_request(r); -} - - -static void -ngx_http_upstream_init_request(ngx_http_request_t *r) -{ - ngx_str_t *host; - ngx_uint_t i; - ngx_resolver_ctx_t *ctx, temp; - ngx_http_cleanup_t *cln; - ngx_http_upstream_t *u; - ngx_http_core_loc_conf_t *clcf; - ngx_http_upstream_srv_conf_t *uscf, **uscfp; - ngx_http_upstream_main_conf_t *umcf; - - if (r->aio) { - return; - } - - u = r->upstream; - -#if (NGX_HTTP_CACHE) - - if (u->conf->cache) { - ngx_int_t rc; - - rc = ngx_http_upstream_cache(r, u); - - if (rc == NGX_BUSY) { - r->write_event_handler = ngx_http_upstream_init_request; - return; - } - - r->write_event_handler = ngx_http_request_empty_handler; - - if (rc == NGX_ERROR) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - if (rc == NGX_OK) { - rc = ngx_http_upstream_cache_send(r, u); - - if (rc == NGX_DONE) { - return; - } - - if (rc == NGX_HTTP_UPSTREAM_INVALID_HEADER) { - rc = NGX_DECLINED; - r->cached = 0; - } - } - - if (rc != NGX_DECLINED) { - ngx_http_finalize_request(r, rc); - return; - } - } - -#endif - - u->store = u->conf->store; - - if (!u->store && !r->post_action && !u->conf->ignore_client_abort) { - r->read_event_handler = ngx_http_upstream_rd_check_broken_connection; - r->write_event_handler = ngx_http_upstream_wr_check_broken_connection; - } - - if (r->request_body) { - u->request_bufs = r->request_body->bufs; - } - - if (u->create_request(r) != NGX_OK) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - if (ngx_http_upstream_set_local(r, u, u->conf->local) != NGX_OK) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - u->output.alignment = clcf->directio_alignment; - u->output.pool = r->pool; - u->output.bufs.num = 1; - u->output.bufs.size = clcf->client_body_buffer_size; - - if (u->output.output_filter == NULL) { - u->output.output_filter = ngx_chain_writer; - u->output.filter_ctx = &u->writer; - } - - u->writer.pool = r->pool; - - if (r->upstream_states == NULL) { - - r->upstream_states = ngx_array_create(r->pool, 1, - sizeof(ngx_http_upstream_state_t)); - if (r->upstream_states == NULL) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - } else { - - u->state = ngx_array_push(r->upstream_states); - if (u->state == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - ngx_memzero(u->state, sizeof(ngx_http_upstream_state_t)); - } - - cln = ngx_http_cleanup_add(r, 0); - if (cln == NULL) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - cln->handler = ngx_http_upstream_cleanup; - cln->data = r; - u->cleanup = &cln->handler; - - if (u->resolved == NULL) { - - uscf = u->conf->upstream; - - } else { - -#if (NGX_HTTP_SSL) - u->ssl_name = u->resolved->host; -#endif - - host = &u->resolved->host; - - if (u->resolved->sockaddr) { - - if (u->resolved->port == 0 - && u->resolved->sockaddr->sa_family != AF_UNIX) - { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "no port in upstream \"%V\"", host); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - if (ngx_http_upstream_create_round_robin_peer(r, u->resolved) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - ngx_http_upstream_connect(r, u); - - return; - } - - umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module); - - uscfp = umcf->upstreams.elts; - - for (i = 0; i < umcf->upstreams.nelts; i++) { - - uscf = uscfp[i]; - - if (uscf->host.len == host->len - && ((uscf->port == 0 && u->resolved->no_port) - || uscf->port == u->resolved->port) - && ngx_strncasecmp(uscf->host.data, host->data, host->len) == 0) - { - goto found; - } - } - - if (u->resolved->port == 0) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "no port in upstream \"%V\"", host); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - temp.name = *host; - - ctx = ngx_resolve_start(clcf->resolver, &temp); - if (ctx == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - if (ctx == NGX_NO_RESOLVER) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "no resolver defined to resolve %V", host); - - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); - return; - } - - ctx->name = *host; - ctx->handler = ngx_http_upstream_resolve_handler; - ctx->data = r; - ctx->timeout = clcf->resolver_timeout; - - u->resolved->ctx = ctx; - - if (ngx_resolve_name(ctx) != NGX_OK) { - u->resolved->ctx = NULL; - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - return; - } - -found: - - if (uscf == NULL) { - ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, - "no upstream configuration"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->upstream = uscf; - -#if (NGX_HTTP_SSL) - u->ssl_name = uscf->host; -#endif - - if (uscf->peer.init(r, uscf) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->peer.start_time = ngx_current_msec; - - if (u->conf->next_upstream_tries - && u->peer.tries > u->conf->next_upstream_tries) - { - u->peer.tries = u->conf->next_upstream_tries; - } - - ngx_http_upstream_connect(r, u); -} - - -#if (NGX_HTTP_CACHE) - -static ngx_int_t -ngx_http_upstream_cache(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_int_t rc; - ngx_http_cache_t *c; - ngx_http_file_cache_t *cache; - - c = r->cache; - - if (c == NULL) { - - if (!(r->method & u->conf->cache_methods)) { - return NGX_DECLINED; - } - - rc = ngx_http_upstream_cache_get(r, u, &cache); - - if (rc != NGX_OK) { - return rc; - } - - if (r->method == NGX_HTTP_HEAD && u->conf->cache_convert_head) { - u->method = ngx_http_core_get_method; - } - - if (ngx_http_file_cache_new(r) != NGX_OK) { - return NGX_ERROR; - } - - if (u->create_key(r) != NGX_OK) { - return NGX_ERROR; - } - - /* TODO: add keys */ - - ngx_http_file_cache_create_key(r); - - if (r->cache->header_start + 256 >= u->conf->buffer_size) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "%V_buffer_size %uz is not enough for cache key, " - "it should be increased to at least %uz", - &u->conf->module, u->conf->buffer_size, - ngx_align(r->cache->header_start + 256, 1024)); - - r->cache = NULL; - return NGX_DECLINED; - } - - u->cacheable = 1; - - c = r->cache; - - c->body_start = u->conf->buffer_size; - c->min_uses = u->conf->cache_min_uses; - c->file_cache = cache; - - switch (ngx_http_test_predicates(r, u->conf->cache_bypass)) { - - case NGX_ERROR: - return NGX_ERROR; - - case NGX_DECLINED: - u->cache_status = NGX_HTTP_CACHE_BYPASS; - return NGX_DECLINED; - - default: /* NGX_OK */ - break; - } - - c->lock = u->conf->cache_lock; - c->lock_timeout = u->conf->cache_lock_timeout; - c->lock_age = u->conf->cache_lock_age; - - u->cache_status = NGX_HTTP_CACHE_MISS; - } - - rc = ngx_http_file_cache_open(r); - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream cache: %i", rc); - - switch (rc) { - - case NGX_HTTP_CACHE_UPDATING: - - if (u->conf->cache_use_stale & NGX_HTTP_UPSTREAM_FT_UPDATING) { - u->cache_status = rc; - rc = NGX_OK; - - } else { - rc = NGX_HTTP_CACHE_STALE; - } - - break; - - case NGX_OK: - u->cache_status = NGX_HTTP_CACHE_HIT; - } - - switch (rc) { - - case NGX_OK: - - return NGX_OK; - - case NGX_HTTP_CACHE_STALE: - - c->valid_sec = 0; - u->buffer.start = NULL; - u->cache_status = NGX_HTTP_CACHE_EXPIRED; - - break; - - case NGX_DECLINED: - - if ((size_t) (u->buffer.end - u->buffer.start) < u->conf->buffer_size) { - u->buffer.start = NULL; - - } else { - u->buffer.pos = u->buffer.start + c->header_start; - u->buffer.last = u->buffer.pos; - } - - break; - - case NGX_HTTP_CACHE_SCARCE: - - u->cacheable = 0; - - break; - - case NGX_AGAIN: - - return NGX_BUSY; - - case NGX_ERROR: - - return NGX_ERROR; - - default: - - /* cached NGX_HTTP_BAD_GATEWAY, NGX_HTTP_GATEWAY_TIME_OUT, etc. */ - - u->cache_status = NGX_HTTP_CACHE_HIT; - - return rc; - } - - r->cached = 0; - - return NGX_DECLINED; -} - - -static ngx_int_t -ngx_http_upstream_cache_get(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_http_file_cache_t **cache) -{ - ngx_str_t *name, val; - ngx_uint_t i; - ngx_http_file_cache_t **caches; - - if (u->conf->cache_zone) { - *cache = u->conf->cache_zone->data; - return NGX_OK; - } - - if (ngx_http_complex_value(r, u->conf->cache_value, &val) != NGX_OK) { - return NGX_ERROR; - } - - if (val.len == 0 - || (val.len == 3 && ngx_strncmp(val.data, "off", 3) == 0)) - { - return NGX_DECLINED; - } - - caches = u->caches->elts; - - for (i = 0; i < u->caches->nelts; i++) { - name = &caches[i]->shm_zone->shm.name; - - if (name->len == val.len - && ngx_strncmp(name->data, val.data, val.len) == 0) - { - *cache = caches[i]; - return NGX_OK; - } - } - - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "cache \"%V\" not found", &val); - - return NGX_ERROR; -} - - -static ngx_int_t -ngx_http_upstream_cache_send(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_int_t rc; - ngx_http_cache_t *c; - - r->cached = 1; - c = r->cache; - - if (c->header_start == c->body_start) { - r->http_version = NGX_HTTP_VERSION_9; - return ngx_http_cache_send(r); - } - - /* TODO: cache stack */ - - u->buffer = *c->buf; - u->buffer.pos += c->header_start; - - ngx_memzero(&u->headers_in, sizeof(ngx_http_upstream_headers_in_t)); - u->headers_in.content_length_n = -1; - u->headers_in.last_modified_time = -1; - - if (ngx_list_init(&u->headers_in.headers, r->pool, 8, - sizeof(ngx_table_elt_t)) - != NGX_OK) - { - return NGX_ERROR; - } - - rc = u->process_header(r); - - if (rc == NGX_OK) { - - if (ngx_http_upstream_process_headers(r, u) != NGX_OK) { - return NGX_DONE; - } - - return ngx_http_cache_send(r); - } - - if (rc == NGX_ERROR) { - return NGX_ERROR; - } - - /* rc == NGX_HTTP_UPSTREAM_INVALID_HEADER */ - - /* TODO: delete file */ - - return rc; -} - -#endif - - -static void -ngx_http_upstream_resolve_handler(ngx_resolver_ctx_t *ctx) -{ - ngx_connection_t *c; - ngx_http_request_t *r; - ngx_http_upstream_t *u; - ngx_http_upstream_resolved_t *ur; - - r = ctx->data; - c = r->connection; - - u = r->upstream; - ur = u->resolved; - - ngx_http_set_log_request(c->log, r); - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream resolve: \"%V?%V\"", &r->uri, &r->args); - - if (ctx->state) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "%V could not be resolved (%i: %s)", - &ctx->name, ctx->state, - ngx_resolver_strerror(ctx->state)); - - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); - goto failed; - } - - ur->naddrs = ctx->naddrs; - ur->addrs = ctx->addrs; - -#if (NGX_DEBUG) - { - u_char text[NGX_SOCKADDR_STRLEN]; - ngx_str_t addr; - ngx_uint_t i; - - addr.data = text; - - for (i = 0; i < ctx->naddrs; i++) { - addr.len = ngx_sock_ntop(ur->addrs[i].sockaddr, ur->addrs[i].socklen, - text, NGX_SOCKADDR_STRLEN, 0); - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "name was resolved to %V", &addr); - } - } -#endif - - if (ngx_http_upstream_create_round_robin_peer(r, ur) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - goto failed; - } - - ngx_resolve_name_done(ctx); - ur->ctx = NULL; - - u->peer.start_time = ngx_current_msec; - - if (u->conf->next_upstream_tries - && u->peer.tries > u->conf->next_upstream_tries) - { - u->peer.tries = u->conf->next_upstream_tries; - } - - ngx_http_upstream_connect(r, u); - -failed: - - ngx_http_run_posted_requests(c); -} - - -static void -ngx_http_upstream_handler(ngx_event_t *ev) -{ - ngx_connection_t *c; - ngx_http_request_t *r; - ngx_http_upstream_t *u; - - c = ev->data; - r = c->data; - - u = r->upstream; - c = r->connection; - - ngx_http_set_log_request(c->log, r); - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream request: \"%V?%V\"", &r->uri, &r->args); - - if (ev->write) { - u->write_event_handler(r, u); - - } else { - u->read_event_handler(r, u); - } - - ngx_http_run_posted_requests(c); -} - - -static void -ngx_http_upstream_rd_check_broken_connection(ngx_http_request_t *r) -{ - ngx_http_upstream_check_broken_connection(r, r->connection->read); -} - - -static void -ngx_http_upstream_wr_check_broken_connection(ngx_http_request_t *r) -{ - ngx_http_upstream_check_broken_connection(r, r->connection->write); -} - - -static void -ngx_http_upstream_check_broken_connection(ngx_http_request_t *r, - ngx_event_t *ev) -{ - int n; - char buf[1]; - ngx_err_t err; - ngx_int_t event; - ngx_connection_t *c; - ngx_http_upstream_t *u; - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ev->log, 0, - "http upstream check client, write event:%d, \"%V\"", - ev->write, &r->uri); - - c = r->connection; - u = r->upstream; - - if (c->error) { - if ((ngx_event_flags & NGX_USE_LEVEL_EVENT) && ev->active) { - - event = ev->write ? NGX_WRITE_EVENT : NGX_READ_EVENT; - - if (ngx_del_event(ev, event, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - if (!u->cacheable) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - } - - return; - } - -#if (NGX_HTTP_V2) - if (r->stream) { - return; - } -#endif - -#if (NGX_HAVE_KQUEUE) - - if (ngx_event_flags & NGX_USE_KQUEUE_EVENT) { - - if (!ev->pending_eof) { - return; - } - - ev->eof = 1; - c->error = 1; - - if (ev->kq_errno) { - ev->error = 1; - } - - if (!u->cacheable && u->peer.connection) { - ngx_log_error(NGX_LOG_INFO, ev->log, ev->kq_errno, - "kevent() reported that client prematurely closed " - "connection, so upstream connection is closed too"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - return; - } - - ngx_log_error(NGX_LOG_INFO, ev->log, ev->kq_errno, - "kevent() reported that client prematurely closed " - "connection"); - - if (u->peer.connection == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - } - - return; - } - -#endif - -#if (NGX_HAVE_EPOLLRDHUP) - - if ((ngx_event_flags & NGX_USE_EPOLL_EVENT) && ngx_use_epoll_rdhup) { - socklen_t len; - - if (!ev->pending_eof) { - return; - } - - ev->eof = 1; - c->error = 1; - - err = 0; - len = sizeof(ngx_err_t); - - /* - * BSDs and Linux return 0 and set a pending error in err - * Solaris returns -1 and sets errno - */ - - if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) - == -1) - { - err = ngx_socket_errno; - } - - if (err) { - ev->error = 1; - } - - if (!u->cacheable && u->peer.connection) { - ngx_log_error(NGX_LOG_INFO, ev->log, err, - "epoll_wait() reported that client prematurely closed " - "connection, so upstream connection is closed too"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - return; - } - - ngx_log_error(NGX_LOG_INFO, ev->log, err, - "epoll_wait() reported that client prematurely closed " - "connection"); - - if (u->peer.connection == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - } - - return; - } - -#endif - - n = recv(c->fd, buf, 1, MSG_PEEK); - - err = ngx_socket_errno; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ev->log, err, - "http upstream recv(): %d", n); - - if (ev->write && (n >= 0 || err == NGX_EAGAIN)) { - return; - } - - if ((ngx_event_flags & NGX_USE_LEVEL_EVENT) && ev->active) { - - event = ev->write ? NGX_WRITE_EVENT : NGX_READ_EVENT; - - if (ngx_del_event(ev, event, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - if (n > 0) { - return; - } - - if (n == -1) { - if (err == NGX_EAGAIN) { - return; - } - - ev->error = 1; - - } else { /* n == 0 */ - err = 0; - } - - ev->eof = 1; - c->error = 1; - - if (!u->cacheable && u->peer.connection) { - ngx_log_error(NGX_LOG_INFO, ev->log, err, - "client prematurely closed connection, " - "so upstream connection is closed too"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - return; - } - - ngx_log_error(NGX_LOG_INFO, ev->log, err, - "client prematurely closed connection"); - - if (u->peer.connection == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - } -} - - -static void -ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_int_t rc; - ngx_connection_t *c; - - r->connection->log->action = "connecting to upstream"; - - if (u->state && u->state->response_time) { - u->state->response_time = ngx_current_msec - u->state->response_time; - } - - u->state = ngx_array_push(r->upstream_states); - if (u->state == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - ngx_memzero(u->state, sizeof(ngx_http_upstream_state_t)); - - u->state->response_time = ngx_current_msec; - u->state->connect_time = (ngx_msec_t) -1; - u->state->header_time = (ngx_msec_t) -1; - - rc = ngx_event_connect_peer(&u->peer); - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream connect: %i", rc); - - if (rc == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->state->peer = u->peer.name; - - if (rc == NGX_BUSY) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "no live upstreams"); - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_NOLIVE); - return; - } - - if (rc == NGX_DECLINED) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - /* rc == NGX_OK || rc == NGX_AGAIN || rc == NGX_DONE */ - - c = u->peer.connection; - - c->data = r; - - c->write->handler = ngx_http_upstream_handler; - c->read->handler = ngx_http_upstream_handler; - - u->write_event_handler = ngx_http_upstream_send_request_handler; - u->read_event_handler = ngx_http_upstream_process_header; - - c->sendfile &= r->connection->sendfile; - u->output.sendfile = c->sendfile; - - if (c->pool == NULL) { - - /* we need separate pool here to be able to cache SSL connections */ - - c->pool = ngx_create_pool(128, r->connection->log); - if (c->pool == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - c->log = r->connection->log; - c->pool->log = c->log; - c->read->log = c->log; - c->write->log = c->log; - - /* init or reinit the ngx_output_chain() and ngx_chain_writer() contexts */ - - u->writer.out = NULL; - u->writer.last = &u->writer.out; - u->writer.connection = c; - u->writer.limit = 0; - - if (u->request_sent) { - if (ngx_http_upstream_reinit(r, u) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - if (r->request_body - && r->request_body->buf - && r->request_body->temp_file - && r == r->main) - { - /* - * the r->request_body->buf can be reused for one request only, - * the subrequests should allocate their own temporary bufs - */ - - u->output.free = ngx_alloc_chain_link(r->pool); - if (u->output.free == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->output.free->buf = r->request_body->buf; - u->output.free->next = NULL; - u->output.allocated = 1; - - r->request_body->buf->pos = r->request_body->buf->start; - r->request_body->buf->last = r->request_body->buf->start; - r->request_body->buf->tag = u->output.tag; - } - - u->request_sent = 0; - u->request_body_sent = 0; - - if (rc == NGX_AGAIN) { - ngx_add_timer(c->write, u->conf->connect_timeout); - return; - } - -#if (NGX_HTTP_SSL) - - if (u->ssl && c->ssl == NULL) { - ngx_http_upstream_ssl_init_connection(r, u, c); - return; - } - -#endif - - ngx_http_upstream_send_request(r, u, 1); -} - - -#if (NGX_HTTP_SSL) - -static void -ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_connection_t *c) -{ - int tcp_nodelay; - ngx_int_t rc; - ngx_http_core_loc_conf_t *clcf; - - if (ngx_http_upstream_test_connect(c) != NGX_OK) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - if (ngx_ssl_create_connection(u->conf->ssl, c, - NGX_SSL_BUFFER|NGX_SSL_CLIENT) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - c->sendfile = 0; - u->output.sendfile = 0; - - if (u->conf->ssl_server_name || u->conf->ssl_verify) { - if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - if (u->conf->ssl_session_reuse) { - if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - /* abbreviated SSL handshake may interact badly with Nagle */ - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (clcf->tcp_nodelay && c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "tcp_nodelay"); - - tcp_nodelay = 1; - - if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(c, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - c->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - } - - r->connection->log->action = "SSL handshaking to upstream"; - - rc = ngx_ssl_handshake(c); - - if (rc == NGX_AGAIN) { - - if (!c->write->timer_set) { - ngx_add_timer(c->write, u->conf->connect_timeout); - } - - c->ssl->handler = ngx_http_upstream_ssl_handshake; - return; - } - - ngx_http_upstream_ssl_handshake(c); -} - - -static void -ngx_http_upstream_ssl_handshake(ngx_connection_t *c) -{ - long rc; - ngx_http_request_t *r; - ngx_http_upstream_t *u; - - r = c->data; - u = r->upstream; - - ngx_http_set_log_request(c->log, r); - - if (c->ssl->handshaked) { - - if (u->conf->ssl_verify) { - rc = SSL_get_verify_result(c->ssl->connection); - - if (rc != X509_V_OK) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "upstream SSL certificate verify error: (%l:%s)", - rc, X509_verify_cert_error_string(rc)); - goto failed; - } - - if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "upstream SSL certificate does not match \"%V\"", - &u->ssl_name); - goto failed; - } - } - - if (u->conf->ssl_session_reuse) { - u->peer.save_session(&u->peer, u->peer.data); - } - - c->write->handler = ngx_http_upstream_handler; - c->read->handler = ngx_http_upstream_handler; - - c = r->connection; - - ngx_http_upstream_send_request(r, u, 1); - - ngx_http_run_posted_requests(c); - return; - } - -failed: - - c = r->connection; - - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - - ngx_http_run_posted_requests(c); -} - - -static ngx_int_t -ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_connection_t *c) -{ - u_char *p, *last; - ngx_str_t name; - - if (u->conf->ssl_name) { - if (ngx_http_complex_value(r, u->conf->ssl_name, &name) != NGX_OK) { - return NGX_ERROR; - } - - } else { - name = u->ssl_name; - } - - if (name.len == 0) { - goto done; - } - - /* - * ssl name here may contain port, notably if derived from $proxy_host - * or $http_host; we have to strip it - */ - - p = name.data; - last = name.data + name.len; - - if (*p == '[') { - p = ngx_strlchr(p, last, ']'); - - if (p == NULL) { - p = name.data; - } - } - - p = ngx_strlchr(p, last, ':'); - - if (p != NULL) { - name.len = p - name.data; - } - - if (!u->conf->ssl_server_name) { - goto done; - } - -#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - - /* as per RFC 6066, literal IPv4 and IPv6 addresses are not permitted */ - - if (name.len == 0 || *name.data == '[') { - goto done; - } - - if (ngx_inet_addr(name.data, name.len) != INADDR_NONE) { - goto done; - } - - /* - * SSL_set_tlsext_host_name() needs a null-terminated string, - * hence we explicitly null-terminate name here - */ - - p = ngx_pnalloc(r->pool, name.len + 1); - if (p == NULL) { - return NGX_ERROR; - } - - (void) ngx_cpystrn(p, name.data, name.len + 1); - - name.data = p; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "upstream SSL server name: \"%s\"", name.data); - - if (SSL_set_tlsext_host_name(c->ssl->connection, (const char*) name.data) == 0) { - ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0, - "SSL_set_tlsext_host_name(\"%s\") failed", name.data); - return NGX_ERROR; - } - -#endif - -done: - - u->ssl_name = name; - - return NGX_OK; -} - -#endif - - -static ngx_int_t -ngx_http_upstream_reinit(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - off_t file_pos; - ngx_chain_t *cl; - - if (u->reinit_request(r) != NGX_OK) { - return NGX_ERROR; - } - - u->keepalive = 0; - u->upgrade = 0; - - ngx_memzero(&u->headers_in, sizeof(ngx_http_upstream_headers_in_t)); - u->headers_in.content_length_n = -1; - u->headers_in.last_modified_time = -1; - - if (ngx_list_init(&u->headers_in.headers, r->pool, 8, - sizeof(ngx_table_elt_t)) - != NGX_OK) - { - return NGX_ERROR; - } - - /* reinit the request chain */ - - file_pos = 0; - - for (cl = u->request_bufs; cl; cl = cl->next) { - cl->buf->pos = cl->buf->start; - - /* there is at most one file */ - - if (cl->buf->in_file) { - cl->buf->file_pos = file_pos; - file_pos = cl->buf->file_last; - } - } - - /* reinit the subrequest's ngx_output_chain() context */ - - if (r->request_body && r->request_body->temp_file - && r != r->main && u->output.buf) - { - u->output.free = ngx_alloc_chain_link(r->pool); - if (u->output.free == NULL) { - return NGX_ERROR; - } - - u->output.free->buf = u->output.buf; - u->output.free->next = NULL; - - u->output.buf->pos = u->output.buf->start; - u->output.buf->last = u->output.buf->start; - } - - u->output.buf = NULL; - u->output.in = NULL; - u->output.busy = NULL; - - /* reinit u->buffer */ - - u->buffer.pos = u->buffer.start; - -#if (NGX_HTTP_CACHE) - - if (r->cache) { - u->buffer.pos += r->cache->header_start; - } - -#endif - - u->buffer.last = u->buffer.pos; - - return NGX_OK; -} - - -static void -ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_uint_t do_write) -{ - ngx_int_t rc; - ngx_connection_t *c; - - c = u->peer.connection; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream send request"); - - if (u->state->connect_time == (ngx_msec_t) -1) { - u->state->connect_time = ngx_current_msec - u->state->response_time; - } - - if (!u->request_sent && ngx_http_upstream_test_connect(c) != NGX_OK) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - c->log->action = "sending request to upstream"; - - rc = ngx_http_upstream_send_request_body(r, u, do_write); - - if (rc == NGX_ERROR) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - ngx_http_upstream_finalize_request(r, u, rc); - return; - } - - if (rc == NGX_AGAIN) { - if (!c->write->ready) { - ngx_add_timer(c->write, u->conf->send_timeout); - - } else if (c->write->timer_set) { - ngx_del_timer(c->write); - } - - if (ngx_handle_write_event(c->write, u->conf->send_lowat) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - return; - } - - /* rc == NGX_OK */ - - u->request_body_sent = 1; - - if (c->write->timer_set) { - ngx_del_timer(c->write); - } - - if (c->tcp_nopush == NGX_TCP_NOPUSH_SET) { - if (ngx_tcp_push(c->fd) == NGX_ERROR) { - ngx_log_error(NGX_LOG_CRIT, c->log, ngx_socket_errno, - ngx_tcp_push_n " failed"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - c->tcp_nopush = NGX_TCP_NOPUSH_UNSET; - } - - u->write_event_handler = ngx_http_upstream_dummy_handler; - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - ngx_add_timer(c->read, u->conf->read_timeout); - - if (c->read->ready) { - ngx_http_upstream_process_header(r, u); - return; - } -} - - -static ngx_int_t -ngx_http_upstream_send_request_body(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_uint_t do_write) -{ - int tcp_nodelay; - ngx_int_t rc; - ngx_chain_t *out, *cl, *ln; - ngx_connection_t *c; - ngx_http_core_loc_conf_t *clcf; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream send request body"); - - if (!r->request_body_no_buffering) { - - /* buffered request body */ - - if (!u->request_sent) { - u->request_sent = 1; - out = u->request_bufs; - - } else { - out = NULL; - } - - return ngx_output_chain(&u->output, out); - } - - if (!u->request_sent) { - u->request_sent = 1; - out = u->request_bufs; - - if (r->request_body->bufs) { - for (cl = out; cl->next; cl = out->next) { /* void */ } - cl->next = r->request_body->bufs; - r->request_body->bufs = NULL; - } - - c = u->peer.connection; - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (clcf->tcp_nodelay && c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "tcp_nodelay"); - - tcp_nodelay = 1; - - if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(c, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - return NGX_ERROR; - } - - c->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - - r->read_event_handler = ngx_http_upstream_read_request_handler; - - } else { - out = NULL; - } - - for ( ;; ) { - - if (do_write) { - rc = ngx_output_chain(&u->output, out); - - if (rc == NGX_ERROR) { - return NGX_ERROR; - } - - while (out) { - ln = out; - out = out->next; - ngx_free_chain(r->pool, ln); - } - - if (rc == NGX_OK && !r->reading_body) { - break; - } - } - - if (r->reading_body) { - /* read client request body */ - - rc = ngx_http_read_unbuffered_request_body(r); - - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - return rc; - } - - out = r->request_body->bufs; - r->request_body->bufs = NULL; - } - - /* stop if there is nothing to send */ - - if (out == NULL) { - rc = NGX_AGAIN; - break; - } - - do_write = 1; - } - - if (!r->reading_body) { - if (!u->store && !r->post_action && !u->conf->ignore_client_abort) { - r->read_event_handler = - ngx_http_upstream_rd_check_broken_connection; - } - } - - return rc; -} - - -static void -ngx_http_upstream_send_request_handler(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_connection_t *c; - - c = u->peer.connection; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream send request handler"); - - if (c->write->timedout) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_TIMEOUT); - return; - } - -#if (NGX_HTTP_SSL) - - if (u->ssl && c->ssl == NULL) { - ngx_http_upstream_ssl_init_connection(r, u, c); - return; - } - -#endif - - if (u->header_sent) { - u->write_event_handler = ngx_http_upstream_dummy_handler; - - (void) ngx_handle_write_event(c->write, 0); - - return; - } - - ngx_http_upstream_send_request(r, u, 1); -} - - -static void -ngx_http_upstream_read_request_handler(ngx_http_request_t *r) -{ - ngx_connection_t *c; - ngx_http_upstream_t *u; - - c = r->connection; - u = r->upstream; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream read request handler"); - - if (c->read->timedout) { - c->timedout = 1; - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_REQUEST_TIME_OUT); - return; - } - - ngx_http_upstream_send_request(r, u, 0); -} - - -static void -ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ssize_t n; - ngx_int_t rc; - ngx_connection_t *c; - - c = u->peer.connection; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process header"); - - c->log->action = "reading response header from upstream"; - - if (c->read->timedout) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_TIMEOUT); - return; - } - - if (!u->request_sent && ngx_http_upstream_test_connect(c) != NGX_OK) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - if (u->buffer.start == NULL) { - u->buffer.start = ngx_palloc(r->pool, u->conf->buffer_size); - if (u->buffer.start == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->buffer.pos = u->buffer.start; - u->buffer.last = u->buffer.start; - u->buffer.end = u->buffer.start + u->conf->buffer_size; - u->buffer.temporary = 1; - - u->buffer.tag = u->output.tag; - - if (ngx_list_init(&u->headers_in.headers, r->pool, 8, - sizeof(ngx_table_elt_t)) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - -#if (NGX_HTTP_CACHE) - - if (r->cache) { - u->buffer.pos += r->cache->header_start; - u->buffer.last = u->buffer.pos; - } -#endif - } - - for ( ;; ) { - - n = c->recv(c, u->buffer.last, u->buffer.end - u->buffer.last); - - if (n == NGX_AGAIN) { -#if 0 - ngx_add_timer(rev, u->read_timeout); -#endif - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - return; - } - - if (n == 0) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "upstream prematurely closed connection"); - } - - if (n == NGX_ERROR || n == 0) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - u->state->bytes_received += n; - - u->buffer.last += n; - -#if 0 - u->valid_header_in = 0; - - u->peer.cached = 0; -#endif - - rc = u->process_header(r); - - if (rc == NGX_AGAIN) { - - if (u->buffer.last == u->buffer.end) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "upstream sent too big header"); - - ngx_http_upstream_next(r, u, - NGX_HTTP_UPSTREAM_FT_INVALID_HEADER); - return; - } - - continue; - } - - break; - } - - if (rc == NGX_HTTP_UPSTREAM_INVALID_HEADER) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_INVALID_HEADER); - return; - } - - if (rc == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - /* rc == NGX_OK */ - - u->state->header_time = ngx_current_msec - u->state->response_time; - - if (u->headers_in.status_n >= NGX_HTTP_SPECIAL_RESPONSE) { - - if (ngx_http_upstream_test_next(r, u) == NGX_OK) { - return; - } - - if (ngx_http_upstream_intercept_errors(r, u) == NGX_OK) { - return; - } - } - - if (ngx_http_upstream_process_headers(r, u) != NGX_OK) { - return; - } - - if (!r->subrequest_in_memory) { - ngx_http_upstream_send_response(r, u); - return; - } - - /* subrequest content in memory */ - - if (u->input_filter == NULL) { - u->input_filter_init = ngx_http_upstream_non_buffered_filter_init; - u->input_filter = ngx_http_upstream_non_buffered_filter; - u->input_filter_ctx = r; - } - - if (u->input_filter_init(u->input_filter_ctx) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - n = u->buffer.last - u->buffer.pos; - - if (n) { - u->buffer.last = u->buffer.pos; - - u->state->response_length += n; - - if (u->input_filter(u->input_filter_ctx, n) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - if (u->length == 0) { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - u->read_event_handler = ngx_http_upstream_process_body_in_memory; - - ngx_http_upstream_process_body_in_memory(r, u); -} - - -static ngx_int_t -ngx_http_upstream_test_next(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_uint_t status; - ngx_http_upstream_next_t *un; - - status = u->headers_in.status_n; - - for (un = ngx_http_upstream_next_errors; un->status; un++) { - - if (status != un->status) { - continue; - } - - if (u->peer.tries > 1 && (u->conf->next_upstream & un->mask)) { - ngx_http_upstream_next(r, u, un->mask); - return NGX_OK; - } - -#if (NGX_HTTP_CACHE) - - if (u->cache_status == NGX_HTTP_CACHE_EXPIRED - && (u->conf->cache_use_stale & un->mask)) - { - ngx_int_t rc; - - rc = u->reinit_request(r); - - if (rc == NGX_OK) { - u->cache_status = NGX_HTTP_CACHE_STALE; - rc = ngx_http_upstream_cache_send(r, u); - } - - ngx_http_upstream_finalize_request(r, u, rc); - return NGX_OK; - } - -#endif - } - -#if (NGX_HTTP_CACHE) - - if (status == NGX_HTTP_NOT_MODIFIED - && u->cache_status == NGX_HTTP_CACHE_EXPIRED - && u->conf->cache_revalidate) - { - time_t now, valid; - ngx_int_t rc; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream not modified"); - - now = ngx_time(); - valid = r->cache->valid_sec; - - rc = u->reinit_request(r); - - if (rc != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, rc); - return NGX_OK; - } - - u->cache_status = NGX_HTTP_CACHE_REVALIDATED; - rc = ngx_http_upstream_cache_send(r, u); - - if (valid == 0) { - valid = r->cache->valid_sec; - } - - if (valid == 0) { - valid = ngx_http_file_cache_valid(u->conf->cache_valid, - u->headers_in.status_n); - if (valid) { - valid = now + valid; - } - } - - if (valid) { - r->cache->valid_sec = valid; - r->cache->date = now; - - ngx_http_file_cache_update_header(r); - } - - ngx_http_upstream_finalize_request(r, u, rc); - return NGX_OK; - } - -#endif - - return NGX_DECLINED; -} - - -static ngx_int_t -ngx_http_upstream_intercept_errors(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_int_t status; - ngx_uint_t i; - ngx_table_elt_t *h; - ngx_http_err_page_t *err_page; - ngx_http_core_loc_conf_t *clcf; - - status = u->headers_in.status_n; - - if (status == NGX_HTTP_NOT_FOUND && u->conf->intercept_404) { - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_NOT_FOUND); - return NGX_OK; - } - - if (!u->conf->intercept_errors) { - return NGX_DECLINED; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (clcf->error_pages == NULL) { - return NGX_DECLINED; - } - - err_page = clcf->error_pages->elts; - for (i = 0; i < clcf->error_pages->nelts; i++) { - - if (err_page[i].status == status) { - - if (status == NGX_HTTP_UNAUTHORIZED - && u->headers_in.www_authenticate) - { - h = ngx_list_push(&r->headers_out.headers); - - if (h == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return NGX_OK; - } - - *h = *u->headers_in.www_authenticate; - - r->headers_out.www_authenticate = h; - } - -#if (NGX_HTTP_CACHE) - - if (r->cache) { - time_t valid; - - valid = ngx_http_file_cache_valid(u->conf->cache_valid, status); - - if (valid) { - r->cache->valid_sec = ngx_time() + valid; - r->cache->error = status; - } - - ngx_http_file_cache_free(r->cache, u->pipe->temp_file); - } -#endif - ngx_http_upstream_finalize_request(r, u, status); - - return NGX_OK; - } - } - - return NGX_DECLINED; -} - - -static ngx_int_t -ngx_http_upstream_test_connect(ngx_connection_t *c) -{ - int err; - socklen_t len; - -#if (NGX_HAVE_KQUEUE) - - if (ngx_event_flags & NGX_USE_KQUEUE_EVENT) { - if (c->write->pending_eof || c->read->pending_eof) { - if (c->write->pending_eof) { - err = c->write->kq_errno; - - } else { - err = c->read->kq_errno; - } - - c->log->action = "connecting to upstream"; - (void) ngx_connection_error(c, err, - "kevent() reported that connect() failed"); - return NGX_ERROR; - } - - } else -#endif - { - err = 0; - len = sizeof(int); - - /* - * BSDs and Linux return 0 and set a pending error in err - * Solaris returns -1 and sets errno - */ - - if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) - == -1) - { - err = ngx_socket_errno; - } - - if (err) { - c->log->action = "connecting to upstream"; - (void) ngx_connection_error(c, err, "connect() failed"); - return NGX_ERROR; - } - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_headers(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_str_t uri, args; - ngx_uint_t i, flags; - ngx_list_part_t *part; - ngx_table_elt_t *h; - ngx_http_upstream_header_t *hh; - ngx_http_upstream_main_conf_t *umcf; - - umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module); - - if (u->headers_in.x_accel_redirect - && !(u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_REDIRECT)) - { - ngx_http_upstream_finalize_request(r, u, NGX_DECLINED); - - part = &u->headers_in.headers.part; - h = part->elts; - - for (i = 0; /* void */; i++) { - - if (i >= part->nelts) { - if (part->next == NULL) { - break; - } - - part = part->next; - h = part->elts; - i = 0; - } - - hh = ngx_hash_find(&umcf->headers_in_hash, h[i].hash, - h[i].lowcase_key, h[i].key.len); - - if (hh && hh->redirect) { - if (hh->copy_handler(r, &h[i], hh->conf) != NGX_OK) { - ngx_http_finalize_request(r, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return NGX_DONE; - } - } - } - - uri = u->headers_in.x_accel_redirect->value; - - if (uri.data[0] == '@') { - ngx_http_named_location(r, &uri); - - } else { - ngx_str_null(&args); - flags = NGX_HTTP_LOG_UNSAFE; - - if (ngx_http_parse_unsafe_uri(r, &uri, &args, &flags) != NGX_OK) { - ngx_http_finalize_request(r, NGX_HTTP_NOT_FOUND); - return NGX_DONE; - } - - if (r->method != NGX_HTTP_HEAD) { - r->method = NGX_HTTP_GET; - r->method_name = ngx_http_core_get_method; - } - - ngx_http_internal_redirect(r, &uri, &args); - } - - ngx_http_finalize_request(r, NGX_DONE); - return NGX_DONE; - } - - part = &u->headers_in.headers.part; - h = part->elts; - - for (i = 0; /* void */; i++) { - - if (i >= part->nelts) { - if (part->next == NULL) { - break; - } - - part = part->next; - h = part->elts; - i = 0; - } - - if (ngx_hash_find(&u->conf->hide_headers_hash, h[i].hash, - h[i].lowcase_key, h[i].key.len)) - { - continue; - } - - hh = ngx_hash_find(&umcf->headers_in_hash, h[i].hash, - h[i].lowcase_key, h[i].key.len); - - if (hh) { - if (hh->copy_handler(r, &h[i], hh->conf) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return NGX_DONE; - } - - continue; - } - - if (ngx_http_upstream_copy_header_line(r, &h[i], 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return NGX_DONE; - } - } - - if (r->headers_out.server && r->headers_out.server->value.data == NULL) { - r->headers_out.server->hash = 0; - } - - if (r->headers_out.date && r->headers_out.date->value.data == NULL) { - r->headers_out.date->hash = 0; - } - - r->headers_out.status = u->headers_in.status_n; - r->headers_out.status_line = u->headers_in.status_line; - - r->headers_out.content_length_n = u->headers_in.content_length_n; - - r->disable_not_modified = !u->cacheable; - - if (u->conf->force_ranges) { - r->allow_ranges = 1; - r->single_range = 1; - -#if (NGX_HTTP_CACHE) - if (r->cached) { - r->single_range = 0; - } -#endif - } - - u->length = -1; - - return NGX_OK; -} - - -static void -ngx_http_upstream_process_body_in_memory(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - size_t size; - ssize_t n; - ngx_buf_t *b; - ngx_event_t *rev; - ngx_connection_t *c; - - c = u->peer.connection; - rev = c->read; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process body on memory"); - - if (rev->timedout) { - ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_GATEWAY_TIME_OUT); - return; - } - - b = &u->buffer; - - for ( ;; ) { - - size = b->end - b->last; - - if (size == 0) { - ngx_log_error(NGX_LOG_ALERT, c->log, 0, - "upstream buffer is too small to read response"); - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - n = c->recv(c, b->last, size); - - if (n == NGX_AGAIN) { - break; - } - - if (n == 0 || n == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, n); - return; - } - - u->state->bytes_received += n; - u->state->response_length += n; - - if (u->input_filter(u->input_filter_ctx, n) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (!rev->ready) { - break; - } - } - - if (u->length == 0) { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - if (ngx_handle_read_event(rev, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (rev->active) { - ngx_add_timer(rev, u->conf->read_timeout); - - } else if (rev->timer_set) { - ngx_del_timer(rev); - } -} - - -static void -ngx_http_upstream_send_response(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - int tcp_nodelay; - ssize_t n; - ngx_int_t rc; - ngx_event_pipe_t *p; - ngx_connection_t *c; - ngx_http_core_loc_conf_t *clcf; - - rc = ngx_http_send_header(r); - - if (rc == NGX_ERROR || rc > NGX_OK || r->post_action) { - ngx_http_upstream_finalize_request(r, u, rc); - return; - } - - u->header_sent = 1; - - if (u->upgrade) { - ngx_http_upstream_upgrade(r, u); - return; - } - - c = r->connection; - - if (r->header_only) { - - if (!u->buffering) { - ngx_http_upstream_finalize_request(r, u, rc); - return; - } - - if (!u->cacheable && !u->store) { - ngx_http_upstream_finalize_request(r, u, rc); - return; - } - - u->pipe->downstream_error = 1; - } - - if (r->request_body && r->request_body->temp_file) { - ngx_pool_run_cleanup_file(r->pool, r->request_body->temp_file->file.fd); - r->request_body->temp_file->file.fd = NGX_INVALID_FILE; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (!u->buffering) { - - if (u->input_filter == NULL) { - u->input_filter_init = ngx_http_upstream_non_buffered_filter_init; - u->input_filter = ngx_http_upstream_non_buffered_filter; - u->input_filter_ctx = r; - } - - u->read_event_handler = ngx_http_upstream_process_non_buffered_upstream; - r->write_event_handler = - ngx_http_upstream_process_non_buffered_downstream; - - r->limit_rate = 0; - - if (u->input_filter_init(u->input_filter_ctx) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (clcf->tcp_nodelay && c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "tcp_nodelay"); - - tcp_nodelay = 1; - - if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(c, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - c->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - - n = u->buffer.last - u->buffer.pos; - - if (n) { - u->buffer.last = u->buffer.pos; - - u->state->response_length += n; - - if (u->input_filter(u->input_filter_ctx, n) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - ngx_http_upstream_process_non_buffered_downstream(r); - - } else { - u->buffer.pos = u->buffer.start; - u->buffer.last = u->buffer.start; - - if (ngx_http_send_special(r, NGX_HTTP_FLUSH) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (u->peer.connection->read->ready || u->length == 0) { - ngx_http_upstream_process_non_buffered_upstream(r, u); - } - } - - return; - } - - /* TODO: preallocate event_pipe bufs, look "Content-Length" */ - -#if (NGX_HTTP_CACHE) - - if (r->cache && r->cache->file.fd != NGX_INVALID_FILE) { - ngx_pool_run_cleanup_file(r->pool, r->cache->file.fd); - r->cache->file.fd = NGX_INVALID_FILE; - } - - switch (ngx_http_test_predicates(r, u->conf->no_cache)) { - - case NGX_ERROR: - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - - case NGX_DECLINED: - u->cacheable = 0; - break; - - default: /* NGX_OK */ - - if (u->cache_status == NGX_HTTP_CACHE_BYPASS) { - - /* create cache if previously bypassed */ - - if (ngx_http_file_cache_create(r) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - break; - } - - if (u->cacheable) { - time_t now, valid; - - now = ngx_time(); - - valid = r->cache->valid_sec; - - if (valid == 0) { - valid = ngx_http_file_cache_valid(u->conf->cache_valid, - u->headers_in.status_n); - if (valid) { - r->cache->valid_sec = now + valid; - } - } - - if (valid) { - r->cache->date = now; - r->cache->body_start = (u_short) (u->buffer.pos - u->buffer.start); - - if (u->headers_in.status_n == NGX_HTTP_OK - || u->headers_in.status_n == NGX_HTTP_PARTIAL_CONTENT) - { - r->cache->last_modified = u->headers_in.last_modified_time; - - if (u->headers_in.etag) { - r->cache->etag = u->headers_in.etag->value; - - } else { - ngx_str_null(&r->cache->etag); - } - - } else { - r->cache->last_modified = -1; - ngx_str_null(&r->cache->etag); - } - - if (ngx_http_file_cache_set_header(r, u->buffer.start) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - } else { - u->cacheable = 0; - } - } - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http cacheable: %d", u->cacheable); - - if (u->cacheable == 0 && r->cache) { - ngx_http_file_cache_free(r->cache, u->pipe->temp_file); - } - - if (r->header_only && !u->cacheable && !u->store) { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - -#endif - - p = u->pipe; - - p->output_filter = ngx_http_upstream_output_filter; - p->output_ctx = r; - p->tag = u->output.tag; - p->bufs = u->conf->bufs; - p->busy_size = u->conf->busy_buffers_size; - p->upstream = u->peer.connection; - p->downstream = c; - p->pool = r->pool; - p->log = c->log; - p->limit_rate = u->conf->limit_rate; - p->start_sec = ngx_time(); - - p->cacheable = u->cacheable || u->store; - - p->temp_file = ngx_pcalloc(r->pool, sizeof(ngx_temp_file_t)); - if (p->temp_file == NULL) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - p->temp_file->file.fd = NGX_INVALID_FILE; - p->temp_file->file.log = c->log; - p->temp_file->path = u->conf->temp_path; - p->temp_file->pool = r->pool; - - if (p->cacheable) { - p->temp_file->persistent = 1; - -#if (NGX_HTTP_CACHE) - if (r->cache && r->cache->file_cache->temp_path) { - p->temp_file->path = r->cache->file_cache->temp_path; - } -#endif - - } else { - p->temp_file->log_level = NGX_LOG_WARN; - p->temp_file->warn = "an upstream response is buffered " - "to a temporary file"; - } - - p->max_temp_file_size = u->conf->max_temp_file_size; - p->temp_file_write_size = u->conf->temp_file_write_size; - -#if (NGX_THREADS) - if (clcf->aio == NGX_HTTP_AIO_THREADS && clcf->aio_write) { - p->thread_handler = ngx_http_upstream_thread_handler; - p->thread_ctx = r; - } -#endif - - p->preread_bufs = ngx_alloc_chain_link(r->pool); - if (p->preread_bufs == NULL) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - p->preread_bufs->buf = &u->buffer; - p->preread_bufs->next = NULL; - u->buffer.recycled = 1; - - p->preread_size = u->buffer.last - u->buffer.pos; - - if (u->cacheable) { - - p->buf_to_file = ngx_calloc_buf(r->pool); - if (p->buf_to_file == NULL) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - p->buf_to_file->start = u->buffer.start; - p->buf_to_file->pos = u->buffer.start; - p->buf_to_file->last = u->buffer.pos; - p->buf_to_file->temporary = 1; - } - - if (ngx_event_flags & NGX_USE_IOCP_EVENT) { - /* the posted aio operation may corrupt a shadow buffer */ - p->single_buf = 1; - } - - /* TODO: p->free_bufs = 0 if use ngx_create_chain_of_bufs() */ - p->free_bufs = 1; - - /* - * event_pipe would do u->buffer.last += p->preread_size - * as though these bytes were read - */ - u->buffer.last = u->buffer.pos; - - if (u->conf->cyclic_temp_file) { - - /* - * we need to disable the use of sendfile() if we use cyclic temp file - * because the writing a new data may interfere with sendfile() - * that uses the same kernel file pages (at least on FreeBSD) - */ - - p->cyclic_temp_file = 1; - c->sendfile = 0; - - } else { - p->cyclic_temp_file = 0; - } - - p->read_timeout = u->conf->read_timeout; - p->send_timeout = clcf->send_timeout; - p->send_lowat = clcf->send_lowat; - - p->length = -1; - - if (u->input_filter_init - && u->input_filter_init(p->input_ctx) != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - u->read_event_handler = ngx_http_upstream_process_upstream; - r->write_event_handler = ngx_http_upstream_process_downstream; - - ngx_http_upstream_process_upstream(r, u); -} - - -static void -ngx_http_upstream_upgrade(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - int tcp_nodelay; - ngx_connection_t *c; - ngx_http_core_loc_conf_t *clcf; - - c = r->connection; - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - /* TODO: prevent upgrade if not requested or not possible */ - - r->keepalive = 0; - c->log->action = "proxying upgraded connection"; - - u->read_event_handler = ngx_http_upstream_upgraded_read_upstream; - u->write_event_handler = ngx_http_upstream_upgraded_write_upstream; - r->read_event_handler = ngx_http_upstream_upgraded_read_downstream; - r->write_event_handler = ngx_http_upstream_upgraded_write_downstream; - - if (clcf->tcp_nodelay) { - tcp_nodelay = 1; - - if (c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "tcp_nodelay"); - - if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(c, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - c->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - - if (u->peer.connection->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, u->peer.connection->log, 0, - "tcp_nodelay"); - - if (setsockopt(u->peer.connection->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(u->peer.connection, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - u->peer.connection->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - } - - if (ngx_http_send_special(r, NGX_HTTP_FLUSH) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (u->peer.connection->read->ready - || u->buffer.pos != u->buffer.last) - { - ngx_post_event(c->read, &ngx_posted_events); - ngx_http_upstream_process_upgraded(r, 1, 1); - return; - } - - ngx_http_upstream_process_upgraded(r, 0, 1); -} - - -static void -ngx_http_upstream_upgraded_read_downstream(ngx_http_request_t *r) -{ - ngx_http_upstream_process_upgraded(r, 0, 0); -} - - -static void -ngx_http_upstream_upgraded_write_downstream(ngx_http_request_t *r) -{ - ngx_http_upstream_process_upgraded(r, 1, 1); -} - - -static void -ngx_http_upstream_upgraded_read_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_http_upstream_process_upgraded(r, 1, 0); -} - - -static void -ngx_http_upstream_upgraded_write_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_http_upstream_process_upgraded(r, 0, 1); -} - - -static void -ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - ngx_uint_t from_upstream, ngx_uint_t do_write) -{ - size_t size; - ssize_t n; - ngx_buf_t *b; - ngx_connection_t *c, *downstream, *upstream, *dst, *src; - ngx_http_upstream_t *u; - ngx_http_core_loc_conf_t *clcf; - - c = r->connection; - u = r->upstream; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process upgraded, fu:%ui", from_upstream); - - downstream = c; - upstream = u->peer.connection; - - if (downstream->write->timedout) { - c->timedout = 1; - ngx_connection_error(c, NGX_ETIMEDOUT, "client timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_REQUEST_TIME_OUT); - return; - } - - if (upstream->read->timedout || upstream->write->timedout) { - ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_GATEWAY_TIME_OUT); - return; - } - - if (from_upstream) { - src = upstream; - dst = downstream; - b = &u->buffer; - - } else { - src = downstream; - dst = upstream; - b = &u->from_client; - - if (r->header_in->last > r->header_in->pos) { - b = r->header_in; - b->end = b->last; - do_write = 1; - } - - if (b->start == NULL) { - b->start = ngx_palloc(r->pool, u->conf->buffer_size); - if (b->start == NULL) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - b->pos = b->start; - b->last = b->start; - b->end = b->start + u->conf->buffer_size; - b->temporary = 1; - b->tag = u->output.tag; - } - } - - for ( ;; ) { - - if (do_write) { - - size = b->last - b->pos; - - if (size && dst->write->ready) { - - n = dst->send(dst, b->pos, size); - - if (n == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (n > 0) { - b->pos += n; - - if (b->pos == b->last) { - b->pos = b->start; - b->last = b->start; - } - } - } - } - - size = b->end - b->last; - - if (size && src->read->ready) { - - n = src->recv(src, b->last, size); - - if (n == NGX_AGAIN || n == 0) { - break; - } - - if (n > 0) { - do_write = 1; - b->last += n; - - if (from_upstream) { - u->state->bytes_received += n; - } - - continue; - } - - if (n == NGX_ERROR) { - src->read->eof = 1; - } - } - - break; - } - - if ((upstream->read->eof && u->buffer.pos == u->buffer.last) - || (downstream->read->eof && u->from_client.pos == u->from_client.last) - || (downstream->read->eof && upstream->read->eof)) - { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream upgraded done"); - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (ngx_handle_write_event(upstream->write, u->conf->send_lowat) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (upstream->write->active && !upstream->write->ready) { - ngx_add_timer(upstream->write, u->conf->send_timeout); - - } else if (upstream->write->timer_set) { - ngx_del_timer(upstream->write); - } - - if (ngx_handle_read_event(upstream->read, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (upstream->read->active && !upstream->read->ready) { - ngx_add_timer(upstream->read, u->conf->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); - } - - if (ngx_handle_write_event(downstream->write, clcf->send_lowat) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (ngx_handle_read_event(downstream->read, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (downstream->write->active && !downstream->write->ready) { - ngx_add_timer(downstream->write, clcf->send_timeout); - - } else if (downstream->write->timer_set) { - ngx_del_timer(downstream->write); - } -} - - -static void -ngx_http_upstream_process_non_buffered_downstream(ngx_http_request_t *r) -{ - ngx_event_t *wev; - ngx_connection_t *c; - ngx_http_upstream_t *u; - - c = r->connection; - u = r->upstream; - wev = c->write; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process non buffered downstream"); - - c->log->action = "sending to client"; - - if (wev->timedout) { - c->timedout = 1; - ngx_connection_error(c, NGX_ETIMEDOUT, "client timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_REQUEST_TIME_OUT); - return; - } - - ngx_http_upstream_process_non_buffered_request(r, 1); -} - - -static void -ngx_http_upstream_process_non_buffered_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_connection_t *c; - - c = u->peer.connection; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process non buffered upstream"); - - c->log->action = "reading upstream"; - - if (c->read->timedout) { - ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_GATEWAY_TIME_OUT); - return; - } - - ngx_http_upstream_process_non_buffered_request(r, 0); -} - - -static void -ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r, - ngx_uint_t do_write) -{ - size_t size; - ssize_t n; - ngx_buf_t *b; - ngx_int_t rc; - ngx_connection_t *downstream, *upstream; - ngx_http_upstream_t *u; - ngx_http_core_loc_conf_t *clcf; - - u = r->upstream; - downstream = r->connection; - upstream = u->peer.connection; - - b = &u->buffer; - - do_write = do_write || u->length == 0; - - for ( ;; ) { - - if (do_write) { - - if (u->out_bufs || u->busy_bufs) { - rc = ngx_http_output_filter(r, u->out_bufs); - - if (rc == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - ngx_chain_update_chains(r->pool, &u->free_bufs, &u->busy_bufs, - &u->out_bufs, u->output.tag); - } - - if (u->busy_bufs == NULL) { - - if (u->length == 0 - || (upstream->read->eof && u->length == -1)) - { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - if (upstream->read->eof) { - ngx_log_error(NGX_LOG_ERR, upstream->log, 0, - "upstream prematurely closed connection"); - - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_BAD_GATEWAY); - return; - } - - if (upstream->read->error) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_BAD_GATEWAY); - return; - } - - b->pos = b->start; - b->last = b->start; - } - } - - size = b->end - b->last; - - if (size && upstream->read->ready) { - - n = upstream->recv(upstream, b->last, size); - - if (n == NGX_AGAIN) { - break; - } - - if (n > 0) { - u->state->bytes_received += n; - u->state->response_length += n; - - if (u->input_filter(u->input_filter_ctx, n) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - do_write = 1; - - continue; - } - - break; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (downstream->data == r) { - if (ngx_handle_write_event(downstream->write, clcf->send_lowat) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - if (downstream->write->active && !downstream->write->ready) { - ngx_add_timer(downstream->write, clcf->send_timeout); - - } else if (downstream->write->timer_set) { - ngx_del_timer(downstream->write); - } - - if (ngx_handle_read_event(upstream->read, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (upstream->read->active && !upstream->read->ready) { - ngx_add_timer(upstream->read, u->conf->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); - } -} - - -static ngx_int_t -ngx_http_upstream_non_buffered_filter_init(void *data) -{ - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_non_buffered_filter(void *data, ssize_t bytes) -{ - ngx_http_request_t *r = data; - - ngx_buf_t *b; - ngx_chain_t *cl, **ll; - ngx_http_upstream_t *u; - - u = r->upstream; - - for (cl = u->out_bufs, ll = &u->out_bufs; cl; cl = cl->next) { - ll = &cl->next; - } - - cl = ngx_chain_get_free_buf(r->pool, &u->free_bufs); - if (cl == NULL) { - return NGX_ERROR; - } - - *ll = cl; - - cl->buf->flush = 1; - cl->buf->memory = 1; - - b = &u->buffer; - - cl->buf->pos = b->last; - b->last += bytes; - cl->buf->last = b->last; - cl->buf->tag = u->output.tag; - - if (u->length == -1) { - return NGX_OK; - } - - u->length -= bytes; - - return NGX_OK; -} - - -#if (NGX_THREADS) - -static ngx_int_t -ngx_http_upstream_thread_handler(ngx_thread_task_t *task, ngx_file_t *file) -{ - ngx_str_t name; - ngx_event_pipe_t *p; - ngx_thread_pool_t *tp; - ngx_http_request_t *r; - ngx_http_core_loc_conf_t *clcf; - - r = file->thread_ctx; - p = r->upstream->pipe; - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - tp = clcf->thread_pool; - - if (tp == NULL) { - if (ngx_http_complex_value(r, clcf->thread_pool_value, &name) - != NGX_OK) - { - return NGX_ERROR; - } - - tp = ngx_thread_pool_get((ngx_cycle_t *) ngx_cycle, &name); - - if (tp == NULL) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "thread pool \"%V\" not found", &name); - return NGX_ERROR; - } - } - - task->event.data = r; - task->event.handler = ngx_http_upstream_thread_event_handler; - - if (ngx_thread_task_post(tp, task) != NGX_OK) { - return NGX_ERROR; - } - - r->main->blocked++; - r->aio = 1; - p->aio = 1; - - return NGX_OK; -} - - -static void -ngx_http_upstream_thread_event_handler(ngx_event_t *ev) -{ - ngx_connection_t *c; - ngx_http_request_t *r; - - r = ev->data; - c = r->connection; - - ngx_http_set_log_request(c->log, r); - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream thread: \"%V?%V\"", &r->uri, &r->args); - - r->main->blocked--; - r->aio = 0; - - r->write_event_handler(r); - - ngx_http_run_posted_requests(c); -} - -#endif - - -static ngx_int_t -ngx_http_upstream_output_filter(void *data, ngx_chain_t *chain) -{ - ngx_int_t rc; - ngx_event_pipe_t *p; - ngx_http_request_t *r; - - r = data; - p = r->upstream->pipe; - - rc = ngx_http_output_filter(r, chain); - - p->aio = r->aio; - - return rc; -} - - -static void -ngx_http_upstream_process_downstream(ngx_http_request_t *r) -{ - ngx_event_t *wev; - ngx_connection_t *c; - ngx_event_pipe_t *p; - ngx_http_upstream_t *u; - - c = r->connection; - u = r->upstream; - p = u->pipe; - wev = c->write; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process downstream"); - - c->log->action = "sending to client"; - -#if (NGX_THREADS) - p->aio = r->aio; -#endif - - if (wev->timedout) { - - if (wev->delayed) { - - wev->timedout = 0; - wev->delayed = 0; - - if (!wev->ready) { - ngx_add_timer(wev, p->send_timeout); - - if (ngx_handle_write_event(wev, p->send_lowat) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - - return; - } - - if (ngx_event_pipe(p, wev->write) == NGX_ABORT) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - } else { - p->downstream_error = 1; - c->timedout = 1; - ngx_connection_error(c, NGX_ETIMEDOUT, "client timed out"); - } - - } else { - - if (wev->delayed) { - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http downstream delayed"); - - if (ngx_handle_write_event(wev, p->send_lowat) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - - return; - } - - if (ngx_event_pipe(p, 1) == NGX_ABORT) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - ngx_http_upstream_process_request(r, u); -} - - -static void -ngx_http_upstream_process_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_event_t *rev; - ngx_event_pipe_t *p; - ngx_connection_t *c; - - c = u->peer.connection; - p = u->pipe; - rev = c->read; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process upstream"); - - c->log->action = "reading upstream"; - - if (rev->timedout) { - - if (rev->delayed) { - - rev->timedout = 0; - rev->delayed = 0; - - if (!rev->ready) { - ngx_add_timer(rev, p->read_timeout); - - if (ngx_handle_read_event(rev, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - - return; - } - - if (ngx_event_pipe(p, 0) == NGX_ABORT) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - } else { - p->upstream_error = 1; - ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - } - - } else { - - if (rev->delayed) { - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream delayed"); - - if (ngx_handle_read_event(rev, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - - return; - } - - if (ngx_event_pipe(p, 0) == NGX_ABORT) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - ngx_http_upstream_process_request(r, u); -} - - -static void -ngx_http_upstream_process_request(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_temp_file_t *tf; - ngx_event_pipe_t *p; - - p = u->pipe; - -#if (NGX_THREADS) - if (p->writing) { - return; - } -#endif - - if (u->peer.connection) { - - if (u->store) { - - if (p->upstream_eof || p->upstream_done) { - - tf = p->temp_file; - - if (u->headers_in.status_n == NGX_HTTP_OK - && (p->upstream_done || p->length == -1) - && (u->headers_in.content_length_n == -1 - || u->headers_in.content_length_n == tf->offset)) - { - ngx_http_upstream_store(r, u); - } - } - } - -#if (NGX_HTTP_CACHE) - - if (u->cacheable) { - - if (p->upstream_done) { - ngx_http_file_cache_update(r, p->temp_file); - - } else if (p->upstream_eof) { - - tf = p->temp_file; - - if (p->length == -1 - && (u->headers_in.content_length_n == -1 - || u->headers_in.content_length_n - == tf->offset - (off_t) r->cache->body_start)) - { - ngx_http_file_cache_update(r, tf); - - } else { - ngx_http_file_cache_free(r->cache, tf); - } - - } else if (p->upstream_error) { - ngx_http_file_cache_free(r->cache, p->temp_file); - } - } - -#endif - - if (p->upstream_done || p->upstream_eof || p->upstream_error) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream exit: %p", p->out); - - if (p->upstream_done - || (p->upstream_eof && p->length == -1)) - { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - if (p->upstream_eof) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "upstream prematurely closed connection"); - } - - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); - return; - } - } - - if (p->downstream_error) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream downstream error"); - - if (!u->cacheable && !u->store && u->peer.connection) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - } -} - - -static void -ngx_http_upstream_store(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - size_t root; - time_t lm; - ngx_str_t path; - ngx_temp_file_t *tf; - ngx_ext_rename_file_t ext; - - tf = u->pipe->temp_file; - - if (tf->file.fd == NGX_INVALID_FILE) { - - /* create file for empty 200 response */ - - tf = ngx_pcalloc(r->pool, sizeof(ngx_temp_file_t)); - if (tf == NULL) { - return; - } - - tf->file.fd = NGX_INVALID_FILE; - tf->file.log = r->connection->log; - tf->path = u->conf->temp_path; - tf->pool = r->pool; - tf->persistent = 1; - - if (ngx_create_temp_file(&tf->file, tf->path, tf->pool, - tf->persistent, tf->clean, tf->access) - != NGX_OK) - { - return; - } - - u->pipe->temp_file = tf; - } - - ext.access = u->conf->store_access; - ext.path_access = u->conf->store_access; - ext.time = -1; - ext.create_path = 1; - ext.delete_file = 1; - ext.log = r->connection->log; - - if (u->headers_in.last_modified) { - - lm = ngx_parse_http_time(u->headers_in.last_modified->value.data, - u->headers_in.last_modified->value.len); - - if (lm != NGX_ERROR) { - ext.time = lm; - ext.fd = tf->file.fd; - } - } - - if (u->conf->store_lengths == NULL) { - - if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) { - return; - } - - } else { - if (ngx_http_script_run(r, &path, u->conf->store_lengths->elts, 0, - u->conf->store_values->elts) - == NULL) - { - return; - } - } - - path.len--; - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "upstream stores \"%s\" to \"%s\"", - tf->file.name.data, path.data); - - (void) ngx_ext_rename_file(&tf->file.name, &path, &ext); - - u->store = 0; -} - - -static void -ngx_http_upstream_dummy_handler(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream dummy handler"); -} - - -static void -ngx_http_upstream_next(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_uint_t ft_type) -{ - ngx_msec_t timeout; - ngx_uint_t status, state; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http next upstream, %xi", ft_type); - - if (u->peer.sockaddr) { - - if (ft_type == NGX_HTTP_UPSTREAM_FT_HTTP_403 - || ft_type == NGX_HTTP_UPSTREAM_FT_HTTP_404) - { - state = NGX_PEER_NEXT; - - } else { - state = NGX_PEER_FAILED; - } - - u->peer.free(&u->peer, u->peer.data, state); - u->peer.sockaddr = NULL; - } - - if (ft_type == NGX_HTTP_UPSTREAM_FT_TIMEOUT) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, NGX_ETIMEDOUT, - "upstream timed out"); - } - - if (u->peer.cached && ft_type == NGX_HTTP_UPSTREAM_FT_ERROR) { - /* TODO: inform balancer instead */ - u->peer.tries++; - } - - switch (ft_type) { - - case NGX_HTTP_UPSTREAM_FT_TIMEOUT: - status = NGX_HTTP_GATEWAY_TIME_OUT; - break; - - case NGX_HTTP_UPSTREAM_FT_HTTP_500: - status = NGX_HTTP_INTERNAL_SERVER_ERROR; - break; - - case NGX_HTTP_UPSTREAM_FT_HTTP_403: - status = NGX_HTTP_FORBIDDEN; - break; - - case NGX_HTTP_UPSTREAM_FT_HTTP_404: - status = NGX_HTTP_NOT_FOUND; - break; - - /* - * NGX_HTTP_UPSTREAM_FT_BUSY_LOCK and NGX_HTTP_UPSTREAM_FT_MAX_WAITING - * never reach here - */ - - default: - status = NGX_HTTP_BAD_GATEWAY; - } - - if (r->connection->error) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - return; - } - - u->state->status = status; - - timeout = u->conf->next_upstream_timeout; - - if (u->request_sent - && (r->method & (NGX_HTTP_POST|NGX_HTTP_LOCK|NGX_HTTP_PATCH))) - { - ft_type |= NGX_HTTP_UPSTREAM_FT_NON_IDEMPOTENT; - } - - if (u->peer.tries == 0 - || ((u->conf->next_upstream & ft_type) != ft_type) - || (u->request_sent && r->request_body_no_buffering) - || (timeout && ngx_current_msec - u->peer.start_time >= timeout)) - { -#if (NGX_HTTP_CACHE) - - if (u->cache_status == NGX_HTTP_CACHE_EXPIRED - && (u->conf->cache_use_stale & ft_type)) - { - ngx_int_t rc; - - rc = u->reinit_request(r); - - if (rc == NGX_OK) { - u->cache_status = NGX_HTTP_CACHE_STALE; - rc = ngx_http_upstream_cache_send(r, u); - } - - ngx_http_upstream_finalize_request(r, u, rc); - return; - } -#endif - - ngx_http_upstream_finalize_request(r, u, status); - return; - } - - if (u->peer.connection) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "close http upstream connection: %d", - u->peer.connection->fd); -#if (NGX_HTTP_SSL) - - if (u->peer.connection->ssl) { - u->peer.connection->ssl->no_wait_shutdown = 1; - u->peer.connection->ssl->no_send_shutdown = 1; - - (void) ngx_ssl_shutdown(u->peer.connection); - } -#endif - - if (u->peer.connection->pool) { - ngx_destroy_pool(u->peer.connection->pool); - } - - ngx_close_connection(u->peer.connection); - u->peer.connection = NULL; - } - - ngx_http_upstream_connect(r, u); -} - - -static void -ngx_http_upstream_cleanup(void *data) -{ - ngx_http_request_t *r = data; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "cleanup http upstream request: \"%V\"", &r->uri); - - ngx_http_upstream_finalize_request(r, r->upstream, NGX_DONE); -} - - -static void -ngx_http_upstream_finalize_request(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_int_t rc) -{ - ngx_uint_t flush; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "finalize http upstream request: %i", rc); - - if (u->cleanup == NULL) { - /* the request was already finalized */ - ngx_http_finalize_request(r, NGX_DONE); - return; - } - - *u->cleanup = NULL; - u->cleanup = NULL; - - if (u->resolved && u->resolved->ctx) { - ngx_resolve_name_done(u->resolved->ctx); - u->resolved->ctx = NULL; - } - - if (u->state && u->state->response_time) { - u->state->response_time = ngx_current_msec - u->state->response_time; - - if (u->pipe && u->pipe->read_length) { - u->state->bytes_received += u->pipe->read_length - - u->pipe->preread_size; - u->state->response_length = u->pipe->read_length; - } - } - - u->finalize_request(r, rc); - - if (u->peer.free && u->peer.sockaddr) { - u->peer.free(&u->peer, u->peer.data, 0); - u->peer.sockaddr = NULL; - } - - if (u->peer.connection) { - -#if (NGX_HTTP_SSL) - - /* TODO: do not shutdown persistent connection */ - - if (u->peer.connection->ssl) { - - /* - * We send the "close notify" shutdown alert to the upstream only - * and do not wait its "close notify" shutdown alert. - * It is acceptable according to the TLS standard. - */ - - u->peer.connection->ssl->no_wait_shutdown = 1; - - (void) ngx_ssl_shutdown(u->peer.connection); - } -#endif - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "close http upstream connection: %d", - u->peer.connection->fd); - - if (u->peer.connection->pool) { - ngx_destroy_pool(u->peer.connection->pool); - } - - ngx_close_connection(u->peer.connection); - } - - u->peer.connection = NULL; - - if (u->pipe && u->pipe->temp_file) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream temp fd: %d", - u->pipe->temp_file->file.fd); - } - - if (u->store && u->pipe && u->pipe->temp_file - && u->pipe->temp_file->file.fd != NGX_INVALID_FILE) - { - if (ngx_delete_file(u->pipe->temp_file->file.name.data) - == NGX_FILE_ERROR) - { - ngx_log_error(NGX_LOG_CRIT, r->connection->log, ngx_errno, - ngx_delete_file_n " \"%s\" failed", - u->pipe->temp_file->file.name.data); - } - } - -#if (NGX_HTTP_CACHE) - - if (r->cache) { - - if (u->cacheable) { - - if (rc == NGX_HTTP_BAD_GATEWAY || rc == NGX_HTTP_GATEWAY_TIME_OUT) { - time_t valid; - - valid = ngx_http_file_cache_valid(u->conf->cache_valid, rc); - - if (valid) { - r->cache->valid_sec = ngx_time() + valid; - r->cache->error = rc; - } - } - } - - ngx_http_file_cache_free(r->cache, u->pipe->temp_file); - } - -#endif - - if (r->subrequest_in_memory - && u->headers_in.status_n >= NGX_HTTP_SPECIAL_RESPONSE) - { - u->buffer.last = u->buffer.pos; - } - - if (rc == NGX_DECLINED) { - return; - } - - r->connection->log->action = "sending to client"; - - if (!u->header_sent - || rc == NGX_HTTP_REQUEST_TIME_OUT - || rc == NGX_HTTP_CLIENT_CLOSED_REQUEST - || (u->pipe && u->pipe->downstream_error)) - { - ngx_http_finalize_request(r, rc); - return; - } - - flush = 0; - - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - rc = NGX_ERROR; - flush = 1; - } - - if (r->header_only) { - ngx_http_finalize_request(r, rc); - return; - } - - if (rc == 0) { - rc = ngx_http_send_special(r, NGX_HTTP_LAST); - - } else if (flush) { - r->keepalive = 0; - rc = ngx_http_send_special(r, NGX_HTTP_FLUSH); - } - - ngx_http_finalize_request(r, rc); -} - - -static ngx_int_t -ngx_http_upstream_process_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_table_elt_t **ph; - - ph = (ngx_table_elt_t **) ((char *) &r->upstream->headers_in + offset); - - if (*ph == NULL) { - *ph = h; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_ignore_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_content_length(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - - u->headers_in.content_length = h; - u->headers_in.content_length_n = ngx_atoof(h->value.data, h->value.len); - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_last_modified(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - - u->headers_in.last_modified = h; - -#if (NGX_HTTP_CACHE) - - if (u->cacheable) { - u->headers_in.last_modified_time = ngx_parse_http_time(h->value.data, - h->value.len); - } - -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_set_cookie(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_array_t *pa; - ngx_table_elt_t **ph; - ngx_http_upstream_t *u; - - u = r->upstream; - pa = &u->headers_in.cookies; - - if (pa->elts == NULL) { - if (ngx_array_init(pa, r->pool, 1, sizeof(ngx_table_elt_t *)) != NGX_OK) - { - return NGX_ERROR; - } - } - - ph = ngx_array_push(pa); - if (ph == NULL) { - return NGX_ERROR; - } - - *ph = h; - -#if (NGX_HTTP_CACHE) - if (!(u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_SET_COOKIE)) { - u->cacheable = 0; - } -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_cache_control(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_array_t *pa; - ngx_table_elt_t **ph; - ngx_http_upstream_t *u; - - u = r->upstream; - pa = &u->headers_in.cache_control; - - if (pa->elts == NULL) { - if (ngx_array_init(pa, r->pool, 2, sizeof(ngx_table_elt_t *)) != NGX_OK) - { - return NGX_ERROR; - } - } - - ph = ngx_array_push(pa); - if (ph == NULL) { - return NGX_ERROR; - } - - *ph = h; - -#if (NGX_HTTP_CACHE) - { - u_char *p, *start, *last; - ngx_int_t n; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_CACHE_CONTROL) { - return NGX_OK; - } - - if (r->cache == NULL) { - return NGX_OK; - } - - if (r->cache->valid_sec != 0 && u->headers_in.x_accel_expires != NULL) { - return NGX_OK; - } - - start = h->value.data; - last = start + h->value.len; - - if (ngx_strlcasestrn(start, last, (u_char *) "no-cache", 8 - 1) != NULL - || ngx_strlcasestrn(start, last, (u_char *) "no-store", 8 - 1) != NULL - || ngx_strlcasestrn(start, last, (u_char *) "private", 7 - 1) != NULL) - { - u->cacheable = 0; - return NGX_OK; - } - - p = ngx_strlcasestrn(start, last, (u_char *) "s-maxage=", 9 - 1); - offset = 9; - - if (p == NULL) { - p = ngx_strlcasestrn(start, last, (u_char *) "max-age=", 8 - 1); - offset = 8; - } - - if (p == NULL) { - return NGX_OK; - } - - n = 0; - - for (p += offset; p < last; p++) { - if (*p == ',' || *p == ';' || *p == ' ') { - break; - } - - if (*p >= '0' && *p <= '9') { - n = n * 10 + *p - '0'; - continue; - } - - u->cacheable = 0; - return NGX_OK; - } - - if (n == 0) { - u->cacheable = 0; - return NGX_OK; - } - - r->cache->valid_sec = ngx_time() + n; - } -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_expires(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - u->headers_in.expires = h; - -#if (NGX_HTTP_CACHE) - { - time_t expires; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_EXPIRES) { - return NGX_OK; - } - - if (r->cache == NULL) { - return NGX_OK; - } - - if (r->cache->valid_sec != 0) { - return NGX_OK; - } - - expires = ngx_parse_http_time(h->value.data, h->value.len); - - if (expires == NGX_ERROR || expires < ngx_time()) { - u->cacheable = 0; - return NGX_OK; - } - - r->cache->valid_sec = expires; - } -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_accel_expires(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - u->headers_in.x_accel_expires = h; - -#if (NGX_HTTP_CACHE) - { - u_char *p; - size_t len; - ngx_int_t n; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_EXPIRES) { - return NGX_OK; - } - - if (r->cache == NULL) { - return NGX_OK; - } - - len = h->value.len; - p = h->value.data; - - if (p[0] != '@') { - n = ngx_atoi(p, len); - - switch (n) { - case 0: - u->cacheable = 0; - /* fall through */ - - case NGX_ERROR: - return NGX_OK; - - default: - r->cache->valid_sec = ngx_time() + n; - return NGX_OK; - } - } - - p++; - len--; - - n = ngx_atoi(p, len); - - if (n != NGX_ERROR) { - r->cache->valid_sec = n; - } - } -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_limit_rate(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_int_t n; - ngx_http_upstream_t *u; - - u = r->upstream; - u->headers_in.x_accel_limit_rate = h; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_LIMIT_RATE) { - return NGX_OK; - } - - n = ngx_atoi(h->value.data, h->value.len); - - if (n != NGX_ERROR) { - r->limit_rate = (size_t) n; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_buffering(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - u_char c0, c1, c2; - ngx_http_upstream_t *u; - - u = r->upstream; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_BUFFERING) { - return NGX_OK; - } - - if (u->conf->change_buffering) { - - if (h->value.len == 2) { - c0 = ngx_tolower(h->value.data[0]); - c1 = ngx_tolower(h->value.data[1]); - - if (c0 == 'n' && c1 == 'o') { - u->buffering = 0; - } - - } else if (h->value.len == 3) { - c0 = ngx_tolower(h->value.data[0]); - c1 = ngx_tolower(h->value.data[1]); - c2 = ngx_tolower(h->value.data[2]); - - if (c0 == 'y' && c1 == 'e' && c2 == 's') { - u->buffering = 1; - } - } - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_charset(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - if (r->upstream->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_CHARSET) { - return NGX_OK; - } - - r->headers_out.override_charset = &h->value; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_connection(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - r->upstream->headers_in.connection = h; - - if (ngx_strlcasestrn(h->value.data, h->value.data + h->value.len, - (u_char *) "close", 5 - 1) - != NULL) - { - r->upstream->headers_in.connection_close = 1; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_transfer_encoding(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - r->upstream->headers_in.transfer_encoding = h; - - if (ngx_strlcasestrn(h->value.data, h->value.data + h->value.len, - (u_char *) "chunked", 7 - 1) - != NULL) - { - r->upstream->headers_in.chunked = 1; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_vary(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - u->headers_in.vary = h; - -#if (NGX_HTTP_CACHE) - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_VARY) { - return NGX_OK; - } - - if (r->cache == NULL) { - return NGX_OK; - } - - if (h->value.len > NGX_HTTP_CACHE_VARY_LEN - || (h->value.len == 1 && h->value.data[0] == '*')) - { - u->cacheable = 0; - } - - r->cache->vary = h->value; - -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_table_elt_t *ho, **ph; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - if (offset) { - ph = (ngx_table_elt_t **) ((char *) &r->headers_out + offset); - *ph = ho; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_multi_header_lines(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_array_t *pa; - ngx_table_elt_t *ho, **ph; - - pa = (ngx_array_t *) ((char *) &r->headers_out + offset); - - if (pa->elts == NULL) { - if (ngx_array_init(pa, r->pool, 2, sizeof(ngx_table_elt_t *)) != NGX_OK) - { - return NGX_ERROR; - } - } - - ph = ngx_array_push(pa); - if (ph == NULL) { - return NGX_ERROR; - } - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - *ph = ho; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_content_type(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - u_char *p, *last; - - r->headers_out.content_type_len = h->value.len; - r->headers_out.content_type = h->value; - r->headers_out.content_type_lowcase = NULL; - - for (p = h->value.data; *p; p++) { - - if (*p != ';') { - continue; - } - - last = p; - - while (*++p == ' ') { /* void */ } - - if (*p == '\0') { - return NGX_OK; - } - - if (ngx_strncasecmp(p, (u_char *) "charset=", 8) != 0) { - continue; - } - - p += 8; - - r->headers_out.content_type_len = last - h->value.data; - - if (*p == '"') { - p++; - } - - last = h->value.data + h->value.len; - - if (*(last - 1) == '"') { - last--; - } - - r->headers_out.charset.len = last - p; - r->headers_out.charset.data = p; - - return NGX_OK; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_last_modified(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - r->headers_out.last_modified = ho; - -#if (NGX_HTTP_CACHE) - - if (r->upstream->cacheable) { - r->headers_out.last_modified_time = - r->upstream->headers_in.last_modified_time; - } - -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_rewrite_location(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_int_t rc; - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - if (r->upstream->rewrite_redirect) { - rc = r->upstream->rewrite_redirect(r, ho, 0); - - if (rc == NGX_DECLINED) { - return NGX_OK; - } - - if (rc == NGX_OK) { - r->headers_out.location = ho; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "rewritten location: \"%V\"", &ho->value); - } - - return rc; - } - - if (ho->value.data[0] != '/') { - r->headers_out.location = ho; - } - - /* - * we do not set r->headers_out.location here to avoid the handling - * the local redirects without a host name by ngx_http_header_filter() - */ - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_rewrite_refresh(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - u_char *p; - ngx_int_t rc; - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - if (r->upstream->rewrite_redirect) { - - p = ngx_strcasestrn(ho->value.data, "url=", 4 - 1); - - if (p) { - rc = r->upstream->rewrite_redirect(r, ho, p + 4 - ho->value.data); - - } else { - return NGX_OK; - } - - if (rc == NGX_DECLINED) { - return NGX_OK; - } - - if (rc == NGX_OK) { - r->headers_out.refresh = ho; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "rewritten refresh: \"%V\"", &ho->value); - } - - return rc; - } - - r->headers_out.refresh = ho; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_rewrite_set_cookie(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_int_t rc; - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - if (r->upstream->rewrite_cookie) { - rc = r->upstream->rewrite_cookie(r, ho); - - if (rc == NGX_DECLINED) { - return NGX_OK; - } - -#if (NGX_DEBUG) - if (rc == NGX_OK) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "rewritten cookie: \"%V\"", &ho->value); - } -#endif - - return rc; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_allow_ranges(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_table_elt_t *ho; - - if (r->upstream->conf->force_ranges) { - return NGX_OK; - } - -#if (NGX_HTTP_CACHE) - - if (r->cached) { - r->allow_ranges = 1; - return NGX_OK; - } - - if (r->upstream->cacheable) { - r->allow_ranges = 1; - r->single_range = 1; - return NGX_OK; - } - -#endif - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - r->headers_out.accept_ranges = ho; - - return NGX_OK; -} - - -#if (NGX_HTTP_GZIP) - -static ngx_int_t -ngx_http_upstream_copy_content_encoding(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - r->headers_out.content_encoding = ho; - - return NGX_OK; -} - -#endif - - -static ngx_int_t -ngx_http_upstream_add_variables(ngx_conf_t *cf) -{ - ngx_http_variable_t *var, *v; - - for (v = ngx_http_upstream_vars; v->name.len; v++) { - var = ngx_http_add_variable(cf, &v->name, v->flags); - if (var == NULL) { - return NGX_ERROR; - } - - var->get_handler = v->get_handler; - var->data = v->data; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_addr_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_http_upstream_state_t *state; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - - if (r->upstream_states == NULL || r->upstream_states->nelts == 0) { - v->not_found = 1; - return NGX_OK; - } - - len = 0; - state = r->upstream_states->elts; - - for (i = 0; i < r->upstream_states->nelts; i++) { - if (state[i].peer) { - len += state[i].peer->len + 2; - - } else { - len += 3; - } - } - - p = ngx_pnalloc(r->pool, len); - if (p == NULL) { - return NGX_ERROR; - } - - v->data = p; - - i = 0; - - for ( ;; ) { - if (state[i].peer) { - p = ngx_cpymem(p, state[i].peer->data, state[i].peer->len); - } - - if (++i == r->upstream_states->nelts) { - break; - } - - if (state[i].peer) { - *p++ = ','; - *p++ = ' '; - - } else { - *p++ = ' '; - *p++ = ':'; - *p++ = ' '; - - if (++i == r->upstream_states->nelts) { - break; - } - - continue; - } - } - - v->len = p - v->data; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_status_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_http_upstream_state_t *state; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - - if (r->upstream_states == NULL || r->upstream_states->nelts == 0) { - v->not_found = 1; - return NGX_OK; - } - - len = r->upstream_states->nelts * (3 + 2); - - p = ngx_pnalloc(r->pool, len); - if (p == NULL) { - return NGX_ERROR; - } - - v->data = p; - - i = 0; - state = r->upstream_states->elts; - - for ( ;; ) { - if (state[i].status) { - p = ngx_sprintf(p, "%ui", state[i].status); - - } else { - *p++ = '-'; - } - - if (++i == r->upstream_states->nelts) { - break; - } - - if (state[i].peer) { - *p++ = ','; - *p++ = ' '; - - } else { - *p++ = ' '; - *p++ = ':'; - *p++ = ' '; - - if (++i == r->upstream_states->nelts) { - break; - } - - continue; - } - } - - v->len = p - v->data; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_response_time_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_msec_int_t ms; - ngx_http_upstream_state_t *state; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - - if (r->upstream_states == NULL || r->upstream_states->nelts == 0) { - v->not_found = 1; - return NGX_OK; - } - - len = r->upstream_states->nelts * (NGX_TIME_T_LEN + 4 + 2); - - p = ngx_pnalloc(r->pool, len); - if (p == NULL) { - return NGX_ERROR; - } - - v->data = p; - - i = 0; - state = r->upstream_states->elts; - - for ( ;; ) { - if (state[i].status) { - - if (data == 1 && state[i].header_time != (ngx_msec_t) -1) { - ms = state[i].header_time; - - } else if (data == 2 && state[i].connect_time != (ngx_msec_t) -1) { - ms = state[i].connect_time; - - } else { - ms = state[i].response_time; - } - - ms = ngx_max(ms, 0); - p = ngx_sprintf(p, "%T.%03M", (time_t) ms / 1000, ms % 1000); - - } else { - *p++ = '-'; - } - - if (++i == r->upstream_states->nelts) { - break; - } - - if (state[i].peer) { - *p++ = ','; - *p++ = ' '; - - } else { - *p++ = ' '; - *p++ = ':'; - *p++ = ' '; - - if (++i == r->upstream_states->nelts) { - break; - } - - continue; - } - } - - v->len = p - v->data; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_response_length_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_http_upstream_state_t *state; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - - if (r->upstream_states == NULL || r->upstream_states->nelts == 0) { - v->not_found = 1; - return NGX_OK; - } - - len = r->upstream_states->nelts * (NGX_OFF_T_LEN + 2); - - p = ngx_pnalloc(r->pool, len); - if (p == NULL) { - return NGX_ERROR; - } - - v->data = p; - - i = 0; - state = r->upstream_states->elts; - - for ( ;; ) { - - if (data == 1) { - p = ngx_sprintf(p, "%O", state[i].bytes_received); - - } else { - p = ngx_sprintf(p, "%O", state[i].response_length); - } - - if (++i == r->upstream_states->nelts) { - break; - } - - if (state[i].peer) { - *p++ = ','; - *p++ = ' '; - - } else { - *p++ = ' '; - *p++ = ':'; - *p++ = ' '; - - if (++i == r->upstream_states->nelts) { - break; - } - - continue; - } - } - - v->len = p - v->data; - - return NGX_OK; -} - - -ngx_int_t -ngx_http_upstream_header_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - if (r->upstream == NULL) { - v->not_found = 1; - return NGX_OK; - } - - return ngx_http_variable_unknown_header(v, (ngx_str_t *) data, - &r->upstream->headers_in.headers.part, - sizeof("upstream_http_") - 1); -} - - -ngx_int_t -ngx_http_upstream_cookie_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - ngx_str_t *name = (ngx_str_t *) data; - - ngx_str_t cookie, s; - - if (r->upstream == NULL) { - v->not_found = 1; - return NGX_OK; - } - - s.len = name->len - (sizeof("upstream_cookie_") - 1); - s.data = name->data + sizeof("upstream_cookie_") - 1; - - if (ngx_http_parse_set_cookie_lines(&r->upstream->headers_in.cookies, - &s, &cookie) - == NGX_DECLINED) - { - v->not_found = 1; - return NGX_OK; - } - - v->len = cookie.len; - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - v->data = cookie.data; - - return NGX_OK; -} - - -#if (NGX_HTTP_CACHE) - -ngx_int_t -ngx_http_upstream_cache_status(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - ngx_uint_t n; - - if (r->upstream == NULL || r->upstream->cache_status == 0) { - v->not_found = 1; - return NGX_OK; - } - - n = r->upstream->cache_status - 1; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - v->len = ngx_http_cache_status[n].len; - v->data = ngx_http_cache_status[n].data; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_cache_last_modified(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - - if (r->upstream == NULL - || !r->upstream->conf->cache_revalidate - || r->upstream->cache_status != NGX_HTTP_CACHE_EXPIRED - || r->cache->last_modified == -1) - { - v->not_found = 1; - return NGX_OK; - } - - p = ngx_pnalloc(r->pool, sizeof("Mon, 28 Sep 1970 06:00:00 GMT") - 1); - if (p == NULL) { - return NGX_ERROR; - } - - v->len = ngx_http_time(p, r->cache->last_modified) - p; - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - v->data = p; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_cache_etag(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - if (r->upstream == NULL - || !r->upstream->conf->cache_revalidate - || r->upstream->cache_status != NGX_HTTP_CACHE_EXPIRED - || r->cache->etag.len == 0) - { - v->not_found = 1; - return NGX_OK; - } - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - v->len = r->cache->etag.len; - v->data = r->cache->etag.data; - - return NGX_OK; -} - -#endif - - -static char * -ngx_http_upstream(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) -{ - char *rv; - void *mconf; - ngx_str_t *value; - ngx_url_t u; - ngx_uint_t m; - ngx_conf_t pcf; - ngx_http_module_t *module; - ngx_http_conf_ctx_t *ctx, *http_ctx; - ngx_http_upstream_srv_conf_t *uscf; - - ngx_memzero(&u, sizeof(ngx_url_t)); - - value = cf->args->elts; - u.host = value[1]; - u.no_resolve = 1; - u.no_port = 1; - - uscf = ngx_http_upstream_add(cf, &u, NGX_HTTP_UPSTREAM_CREATE - |NGX_HTTP_UPSTREAM_WEIGHT - |NGX_HTTP_UPSTREAM_MAX_CONNS - |NGX_HTTP_UPSTREAM_MAX_FAILS - |NGX_HTTP_UPSTREAM_FAIL_TIMEOUT - |NGX_HTTP_UPSTREAM_DOWN - |NGX_HTTP_UPSTREAM_BACKUP); - if (uscf == NULL) { - return NGX_CONF_ERROR; - } - - - ctx = ngx_pcalloc(cf->pool, sizeof(ngx_http_conf_ctx_t)); - if (ctx == NULL) { - return NGX_CONF_ERROR; - } - - http_ctx = cf->ctx; - ctx->main_conf = http_ctx->main_conf; - - /* the upstream{}'s srv_conf */ - - ctx->srv_conf = ngx_pcalloc(cf->pool, sizeof(void *) * ngx_http_max_module); - if (ctx->srv_conf == NULL) { - return NGX_CONF_ERROR; - } - - ctx->srv_conf[ngx_http_upstream_module.ctx_index] = uscf; - - uscf->srv_conf = ctx->srv_conf; - - - /* the upstream{}'s loc_conf */ - - ctx->loc_conf = ngx_pcalloc(cf->pool, sizeof(void *) * ngx_http_max_module); - if (ctx->loc_conf == NULL) { - return NGX_CONF_ERROR; - } - - for (m = 0; cf->cycle->modules[m]; m++) { - if (cf->cycle->modules[m]->type != NGX_HTTP_MODULE) { - continue; - } - - module = cf->cycle->modules[m]->ctx; - - if (module->create_srv_conf) { - mconf = module->create_srv_conf(cf); - if (mconf == NULL) { - return NGX_CONF_ERROR; - } - - ctx->srv_conf[cf->cycle->modules[m]->ctx_index] = mconf; - } - - if (module->create_loc_conf) { - mconf = module->create_loc_conf(cf); - if (mconf == NULL) { - return NGX_CONF_ERROR; - } - - ctx->loc_conf[cf->cycle->modules[m]->ctx_index] = mconf; - } - } - - uscf->servers = ngx_array_create(cf->pool, 4, - sizeof(ngx_http_upstream_server_t)); - if (uscf->servers == NULL) { - return NGX_CONF_ERROR; - } - - - /* parse inside upstream{} */ - - pcf = *cf; - cf->ctx = ctx; - cf->cmd_type = NGX_HTTP_UPS_CONF; - - rv = ngx_conf_parse(cf, NULL); - - *cf = pcf; - - if (rv != NGX_CONF_OK) { - return rv; - } - - if (uscf->servers->nelts == 0) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "no servers are inside upstream"); - return NGX_CONF_ERROR; - } - - return rv; -} - - -static char * -ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) -{ - ngx_http_upstream_srv_conf_t *uscf = conf; - - time_t fail_timeout; - ngx_str_t *value, s; - ngx_url_t u; - ngx_int_t weight, max_conns, max_fails; - ngx_uint_t i; - ngx_http_upstream_server_t *us; - - us = ngx_array_push(uscf->servers); - if (us == NULL) { - return NGX_CONF_ERROR; - } - - ngx_memzero(us, sizeof(ngx_http_upstream_server_t)); - - value = cf->args->elts; - - weight = 1; - max_conns = 0; - max_fails = 1; - fail_timeout = 10; - - for (i = 2; i < cf->args->nelts; i++) { - - if (ngx_strncmp(value[i].data, "weight=", 7) == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_WEIGHT)) { - goto not_supported; - } - - weight = ngx_atoi(&value[i].data[7], value[i].len - 7); - - if (weight == NGX_ERROR || weight == 0) { - goto invalid; - } - - continue; - } - - if (ngx_strncmp(value[i].data, "max_conns=", 10) == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_MAX_CONNS)) { - goto not_supported; - } - - max_conns = ngx_atoi(&value[i].data[10], value[i].len - 10); - - if (max_conns == NGX_ERROR) { - goto invalid; - } - - continue; - } - - if (ngx_strncmp(value[i].data, "max_fails=", 10) == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_MAX_FAILS)) { - goto not_supported; - } - - max_fails = ngx_atoi(&value[i].data[10], value[i].len - 10); - - if (max_fails == NGX_ERROR) { - goto invalid; - } - - continue; - } - - if (ngx_strncmp(value[i].data, "fail_timeout=", 13) == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_FAIL_TIMEOUT)) { - goto not_supported; - } - - s.len = value[i].len - 13; - s.data = &value[i].data[13]; - - fail_timeout = ngx_parse_time(&s, 1); - - if (fail_timeout == (time_t) NGX_ERROR) { - goto invalid; - } - - continue; - } - - if (ngx_strcmp(value[i].data, "backup") == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_BACKUP)) { - goto not_supported; - } - - us->backup = 1; - - continue; - } - - if (ngx_strcmp(value[i].data, "down") == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_DOWN)) { - goto not_supported; - } - - us->down = 1; - - continue; - } - - goto invalid; - } - - ngx_memzero(&u, sizeof(ngx_url_t)); - - u.url = value[1]; - u.default_port = 80; - - if (ngx_parse_url(cf->pool, &u) != NGX_OK) { - if (u.err) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "%s in upstream \"%V\"", u.err, &u.url); - } - - return NGX_CONF_ERROR; - } - - us->name = u.url; - us->addrs = u.addrs; - us->naddrs = u.naddrs; - us->weight = weight; - us->max_conns = max_conns; - us->max_fails = max_fails; - us->fail_timeout = fail_timeout; - - return NGX_CONF_OK; - -invalid: - - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid parameter \"%V\"", &value[i]); - - return NGX_CONF_ERROR; - -not_supported: - - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "balancing method does not support parameter \"%V\"", - &value[i]); - - return NGX_CONF_ERROR; -} - - -ngx_http_upstream_srv_conf_t * -ngx_http_upstream_add(ngx_conf_t *cf, ngx_url_t *u, ngx_uint_t flags) -{ - ngx_uint_t i; - ngx_http_upstream_server_t *us; - ngx_http_upstream_srv_conf_t *uscf, **uscfp; - ngx_http_upstream_main_conf_t *umcf; - - if (!(flags & NGX_HTTP_UPSTREAM_CREATE)) { - - if (ngx_parse_url(cf->pool, u) != NGX_OK) { - if (u->err) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "%s in upstream \"%V\"", u->err, &u->url); - } - - return NULL; - } - } - - umcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_upstream_module); - - uscfp = umcf->upstreams.elts; - - for (i = 0; i < umcf->upstreams.nelts; i++) { - - if (uscfp[i]->host.len != u->host.len - || ngx_strncasecmp(uscfp[i]->host.data, u->host.data, u->host.len) - != 0) - { - continue; - } - - if ((flags & NGX_HTTP_UPSTREAM_CREATE) - && (uscfp[i]->flags & NGX_HTTP_UPSTREAM_CREATE)) - { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "duplicate upstream \"%V\"", &u->host); - return NULL; - } - - if ((uscfp[i]->flags & NGX_HTTP_UPSTREAM_CREATE) && !u->no_port) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "upstream \"%V\" may not have port %d", - &u->host, u->port); - return NULL; - } - - if ((flags & NGX_HTTP_UPSTREAM_CREATE) && !uscfp[i]->no_port) { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "upstream \"%V\" may not have port %d in %s:%ui", - &u->host, uscfp[i]->port, - uscfp[i]->file_name, uscfp[i]->line); - return NULL; - } - - if (uscfp[i]->port && u->port - && uscfp[i]->port != u->port) - { - continue; - } - - if (uscfp[i]->default_port && u->default_port - && uscfp[i]->default_port != u->default_port) - { - continue; - } - - if (flags & NGX_HTTP_UPSTREAM_CREATE) { - uscfp[i]->flags = flags; - } - - return uscfp[i]; - } - - uscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_upstream_srv_conf_t)); - if (uscf == NULL) { - return NULL; - } - - uscf->flags = flags; - uscf->host = u->host; - uscf->file_name = cf->conf_file->file.name.data; - uscf->line = cf->conf_file->line; - uscf->port = u->port; - uscf->default_port = u->default_port; - uscf->no_port = u->no_port; - - if (u->naddrs == 1 && (u->port || u->family == AF_UNIX)) { - uscf->servers = ngx_array_create(cf->pool, 1, - sizeof(ngx_http_upstream_server_t)); - if (uscf->servers == NULL) { - return NULL; - } - - us = ngx_array_push(uscf->servers); - if (us == NULL) { - return NULL; - } - - ngx_memzero(us, sizeof(ngx_http_upstream_server_t)); - - us->addrs = u->addrs; - us->naddrs = 1; - } - - uscfp = ngx_array_push(&umcf->upstreams); - if (uscfp == NULL) { - return NULL; - } - - *uscfp = uscf; - - return uscf; -} - - -char * -ngx_http_upstream_bind_set_slot(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf) -{ - char *p = conf; - - ngx_int_t rc; - ngx_str_t *value; - ngx_http_complex_value_t cv; - ngx_http_upstream_local_t **plocal, *local; - ngx_http_compile_complex_value_t ccv; - - plocal = (ngx_http_upstream_local_t **) (p + cmd->offset); - - if (*plocal != NGX_CONF_UNSET_PTR) { - return "is duplicate"; - } - - value = cf->args->elts; - - if (cf->args->nelts == 2 && ngx_strcmp(value[1].data, "off") == 0) { - *plocal = NULL; - return NGX_CONF_OK; - } - - ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t)); - - ccv.cf = cf; - ccv.value = &value[1]; - ccv.complex_value = &cv; - - if (ngx_http_compile_complex_value(&ccv) != NGX_OK) { - return NGX_CONF_ERROR; - } - - local = ngx_pcalloc(cf->pool, sizeof(ngx_http_upstream_local_t)); - if (local == NULL) { - return NGX_CONF_ERROR; - } - - *plocal = local; - - if (cv.lengths) { - local->value = ngx_palloc(cf->pool, sizeof(ngx_http_complex_value_t)); - if (local->value == NULL) { - return NGX_CONF_ERROR; - } - - *local->value = cv; - - } else { - local->addr = ngx_palloc(cf->pool, sizeof(ngx_addr_t)); - if (local->addr == NULL) { - return NGX_CONF_ERROR; - } - - rc = ngx_parse_addr_port(cf->pool, local->addr, value[1].data, - value[1].len); - - switch (rc) { - case NGX_OK: - local->addr->name = value[1]; - break; - - case NGX_DECLINED: - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid address \"%V\"", &value[1]); - /* fall through */ - - default: - return NGX_CONF_ERROR; - } - } - - if (cf->args->nelts > 2) { - if (ngx_strcmp(value[2].data, "transparent") == 0) { -#if (NGX_HAVE_TRANSPARENT_PROXY) - local->transparent = 1; -#else - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "transparent proxying is not supported " - "on this platform, ignored"); -#endif - } else { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid parameter \"%V\"", &value[2]); - return NGX_CONF_ERROR; - } - } - - return NGX_CONF_OK; -} - - -static ngx_int_t -ngx_http_upstream_set_local(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_http_upstream_local_t *local) -{ - ngx_int_t rc; - ngx_str_t val; - ngx_addr_t *addr; - - if (local == NULL) { - u->peer.local = NULL; - return NGX_OK; - } - -#if (NGX_HAVE_TRANSPARENT_PROXY) - u->peer.transparent = local->transparent; -#endif - - if (local->value == NULL) { - u->peer.local = local->addr; - return NGX_OK; - } - - if (ngx_http_complex_value(r, local->value, &val) != NGX_OK) { - return NGX_ERROR; - } - - if (val.len == 0) { - return NGX_OK; - } - - addr = ngx_palloc(r->pool, sizeof(ngx_addr_t)); - if (addr == NULL) { - return NGX_ERROR; - } - - rc = ngx_parse_addr_port(r->pool, addr, val.data, val.len); - if (rc == NGX_ERROR) { - return NGX_ERROR; - } - - if (rc != NGX_OK) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "invalid local address \"%V\"", &val); - return NGX_OK; - } - - addr->name = val; - u->peer.local = addr; - - return NGX_OK; -} - - -char * -ngx_http_upstream_param_set_slot(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf) -{ - char *p = conf; - - ngx_str_t *value; - ngx_array_t **a; - ngx_http_upstream_param_t *param; - - a = (ngx_array_t **) (p + cmd->offset); - - if (*a == NULL) { - *a = ngx_array_create(cf->pool, 4, sizeof(ngx_http_upstream_param_t)); - if (*a == NULL) { - return NGX_CONF_ERROR; - } - } - - param = ngx_array_push(*a); - if (param == NULL) { - return NGX_CONF_ERROR; - } - - value = cf->args->elts; - - param->key = value[1]; - param->value = value[2]; - param->skip_empty = 0; - - if (cf->args->nelts == 4) { - if (ngx_strcmp(value[3].data, "if_not_empty") != 0) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid parameter \"%V\"", &value[3]); - return NGX_CONF_ERROR; - } - - param->skip_empty = 1; - } - - return NGX_CONF_OK; -} - - -ngx_int_t -ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf, - ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev, - ngx_str_t *default_hide_headers, ngx_hash_init_t *hash) -{ - ngx_str_t *h; - ngx_uint_t i, j; - ngx_array_t hide_headers; - ngx_hash_key_t *hk; - - if (conf->hide_headers == NGX_CONF_UNSET_PTR - && conf->pass_headers == NGX_CONF_UNSET_PTR) - { - conf->hide_headers = prev->hide_headers; - conf->pass_headers = prev->pass_headers; - - conf->hide_headers_hash = prev->hide_headers_hash; - - if (conf->hide_headers_hash.buckets -#if (NGX_HTTP_CACHE) - && ((conf->cache == 0) == (prev->cache == 0)) -#endif - ) - { - return NGX_OK; - } - - } else { - if (conf->hide_headers == NGX_CONF_UNSET_PTR) { - conf->hide_headers = prev->hide_headers; - } - - if (conf->pass_headers == NGX_CONF_UNSET_PTR) { - conf->pass_headers = prev->pass_headers; - } - } - - if (ngx_array_init(&hide_headers, cf->temp_pool, 4, sizeof(ngx_hash_key_t)) - != NGX_OK) - { - return NGX_ERROR; - } - - for (h = default_hide_headers; h->len; h++) { - hk = ngx_array_push(&hide_headers); - if (hk == NULL) { - return NGX_ERROR; - } - - hk->key = *h; - hk->key_hash = ngx_hash_key_lc(h->data, h->len); - hk->value = (void *) 1; - } - - if (conf->hide_headers != NGX_CONF_UNSET_PTR) { - - h = conf->hide_headers->elts; - - for (i = 0; i < conf->hide_headers->nelts; i++) { - - hk = hide_headers.elts; - - for (j = 0; j < hide_headers.nelts; j++) { - if (ngx_strcasecmp(h[i].data, hk[j].key.data) == 0) { - goto exist; - } - } - - hk = ngx_array_push(&hide_headers); - if (hk == NULL) { - return NGX_ERROR; - } - - hk->key = h[i]; - hk->key_hash = ngx_hash_key_lc(h[i].data, h[i].len); - hk->value = (void *) 1; - - exist: - - continue; - } - } - - if (conf->pass_headers != NGX_CONF_UNSET_PTR) { - - h = conf->pass_headers->elts; - hk = hide_headers.elts; - - for (i = 0; i < conf->pass_headers->nelts; i++) { - for (j = 0; j < hide_headers.nelts; j++) { - - if (hk[j].key.data == NULL) { - continue; - } - - if (ngx_strcasecmp(h[i].data, hk[j].key.data) == 0) { - hk[j].key.data = NULL; - break; - } - } - } - } - - hash->hash = &conf->hide_headers_hash; - hash->key = ngx_hash_key_lc; - hash->pool = cf->pool; - hash->temp_pool = NULL; - - return ngx_hash_init(hash, hide_headers.elts, hide_headers.nelts); -} - - -static void * -ngx_http_upstream_create_main_conf(ngx_conf_t *cf) -{ - ngx_http_upstream_main_conf_t *umcf; - - umcf = ngx_pcalloc(cf->pool, sizeof(ngx_http_upstream_main_conf_t)); - if (umcf == NULL) { - return NULL; - } - - if (ngx_array_init(&umcf->upstreams, cf->pool, 4, - sizeof(ngx_http_upstream_srv_conf_t *)) - != NGX_OK) - { - return NULL; - } - - return umcf; -} - - -static char * -ngx_http_upstream_init_main_conf(ngx_conf_t *cf, void *conf) -{ - ngx_http_upstream_main_conf_t *umcf = conf; - - ngx_uint_t i; - ngx_array_t headers_in; - ngx_hash_key_t *hk; - ngx_hash_init_t hash; - ngx_http_upstream_init_pt init; - ngx_http_upstream_header_t *header; - ngx_http_upstream_srv_conf_t **uscfp; - - uscfp = umcf->upstreams.elts; - - for (i = 0; i < umcf->upstreams.nelts; i++) { - - init = uscfp[i]->peer.init_upstream ? uscfp[i]->peer.init_upstream: - ngx_http_upstream_init_round_robin; - - if (init(cf, uscfp[i]) != NGX_OK) { - return NGX_CONF_ERROR; - } - } - - - /* upstream_headers_in_hash */ - - if (ngx_array_init(&headers_in, cf->temp_pool, 32, sizeof(ngx_hash_key_t)) - != NGX_OK) - { - return NGX_CONF_ERROR; - } - - for (header = ngx_http_upstream_headers_in; header->name.len; header++) { - hk = ngx_array_push(&headers_in); - if (hk == NULL) { - return NGX_CONF_ERROR; - } - - hk->key = header->name; - hk->key_hash = ngx_hash_key_lc(header->name.data, header->name.len); - hk->value = header; - } - - hash.hash = &umcf->headers_in_hash; - hash.key = ngx_hash_key_lc; - hash.max_size = 512; - hash.bucket_size = ngx_align(64, ngx_cacheline_size); - hash.name = "upstream_headers_in_hash"; - hash.pool = cf->pool; - hash.temp_pool = NULL; - - if (ngx_hash_init(&hash, headers_in.elts, headers_in.nelts) != NGX_OK) { - return NGX_CONF_ERROR; - } - - return NGX_CONF_OK; -} diff --git a/boring-nginx/patch-source/nginx-1.11.5/src/event/ngx_event_openssl.c b/boring-nginx/patch-source/nginx-1.11.5/src/event/ngx_event_openssl.c deleted file mode 100644 index 68d02bf..0000000 --- a/boring-nginx/patch-source/nginx-1.11.5/src/event/ngx_event_openssl.c +++ /dev/null @@ -1,3697 +0,0 @@ - -/* - * Copyright (C) Igor Sysoev - * Copyright (C) Nginx, Inc. - */ - - -#include -#include -#include - - -#define NGX_SSL_PASSWORD_BUFFER_SIZE 4096 - - -typedef struct { - ngx_uint_t engine; /* unsigned engine:1; */ -} ngx_openssl_conf_t; - - -static int ngx_ssl_password_callback(char *buf, int size, int rwflag, - void *userdata); -static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store); -static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, - int ret); -static void ngx_ssl_passwords_cleanup(void *data); -static void ngx_ssl_handshake_handler(ngx_event_t *ev); -static ngx_int_t ngx_ssl_handle_recv(ngx_connection_t *c, int n); -static void ngx_ssl_write_handler(ngx_event_t *wev); -static void ngx_ssl_read_handler(ngx_event_t *rev); -static void ngx_ssl_shutdown_handler(ngx_event_t *ev); -static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, - ngx_err_t err, char *text); -static void ngx_ssl_clear_error(ngx_log_t *log); - -static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, - ngx_str_t *sess_ctx); -ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data); -static int ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, - ngx_ssl_session_t *sess); -static ngx_ssl_session_t *ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, -#if OPENSSL_VERSION_NUMBER >= 0x10100003L - const -#endif - u_char *id, int len, int *copy); -static void ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess); -static void ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, - ngx_slab_pool_t *shpool, ngx_uint_t n); -static void ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, - ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel); - -#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB -static int ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, - HMAC_CTX *hctx, int enc); -#endif - -#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT -static ngx_int_t ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *str); -#endif - -static void *ngx_openssl_create_conf(ngx_cycle_t *cycle); -static char *ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf); -static void ngx_openssl_exit(ngx_cycle_t *cycle); - - -static ngx_command_t ngx_openssl_commands[] = { - - { ngx_string("ssl_engine"), - NGX_MAIN_CONF|NGX_DIRECT_CONF|NGX_CONF_TAKE1, - ngx_openssl_engine, - 0, - 0, - NULL }, - - ngx_null_command -}; - - -static ngx_core_module_t ngx_openssl_module_ctx = { - ngx_string("openssl"), - ngx_openssl_create_conf, - NULL -}; - - -ngx_module_t ngx_openssl_module = { - NGX_MODULE_V1, - &ngx_openssl_module_ctx, /* module context */ - ngx_openssl_commands, /* module directives */ - NGX_CORE_MODULE, /* module type */ - NULL, /* init master */ - NULL, /* init module */ - NULL, /* init process */ - NULL, /* init thread */ - NULL, /* exit thread */ - NULL, /* exit process */ - ngx_openssl_exit, /* exit master */ - NGX_MODULE_V1_PADDING -}; - - -int ngx_ssl_connection_index; -int ngx_ssl_server_conf_index; -int ngx_ssl_session_cache_index; -int ngx_ssl_session_ticket_keys_index; -int ngx_ssl_certificate_index; -int ngx_ssl_next_certificate_index; -int ngx_ssl_stapling_index; - - -ngx_int_t -ngx_ssl_init(ngx_log_t *log) -{ -#if OPENSSL_VERSION_NUMBER >= 0x10100003L - - OPENSSL_init_ssl(OPENSSL_INIT_LOAD_CONFIG, NULL); - -#else - - OPENSSL_config(NULL); - - SSL_library_init(); - SSL_load_error_strings(); - - OpenSSL_add_all_algorithms(); - -#endif - -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL -#ifndef SSL_OP_NO_COMPRESSION - { - /* - * Disable gzip compression in OpenSSL prior to 1.0.0 version, - * this saves about 522K per connection. - */ - int n; - STACK_OF(SSL_COMP) *ssl_comp_methods; - - ssl_comp_methods = SSL_COMP_get_compression_methods(); - n = sk_SSL_COMP_num(ssl_comp_methods); - - while (n--) { - (void) sk_SSL_COMP_pop(ssl_comp_methods); - } - } -#endif -#endif - - ngx_ssl_connection_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL); - - if (ngx_ssl_connection_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, "SSL_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_server_conf_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, - NULL); - if (ngx_ssl_server_conf_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, - "SSL_CTX_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_session_cache_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, - NULL); - if (ngx_ssl_session_cache_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, - "SSL_CTX_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_session_ticket_keys_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, - NULL, NULL); - if (ngx_ssl_session_ticket_keys_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, - "SSL_CTX_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_certificate_index = SSL_CTX_get_ex_new_index(0, NULL, NULL, NULL, - NULL); - if (ngx_ssl_certificate_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, - "SSL_CTX_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_next_certificate_index = X509_get_ex_new_index(0, NULL, NULL, NULL, - NULL); - if (ngx_ssl_next_certificate_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); - return NGX_ERROR; - } - - ngx_ssl_stapling_index = X509_get_ex_new_index(0, NULL, NULL, NULL, NULL); - - if (ngx_ssl_stapling_index == -1) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed"); - return NGX_ERROR; - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_create(ngx_ssl_t *ssl, ngx_uint_t protocols, void *data) -{ - ssl->ctx = SSL_CTX_new(SSLv23_method()); - - if (ssl->ctx == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "SSL_CTX_new() failed"); - return NGX_ERROR; - } - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_server_conf_index, data) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - return NGX_ERROR; - } - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, NULL) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - return NGX_ERROR; - } - - ssl->buffer_size = NGX_SSL_BUFSIZE; - - /* client side options */ - -#ifdef SSL_OP_MICROSOFT_SESS_ID_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_SESS_ID_BUG); -#endif - -#ifdef SSL_OP_NETSCAPE_CHALLENGE_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_NETSCAPE_CHALLENGE_BUG); -#endif - - /* server side options */ - -#ifdef SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLREF2_REUSE_CERT_TYPE_BUG); -#endif - -#ifdef SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER - SSL_CTX_set_options(ssl->ctx, SSL_OP_MICROSOFT_BIG_SSLV3_BUFFER); -#endif - -#ifdef SSL_OP_MSIE_SSLV2_RSA_PADDING - /* this option allow a potential SSL 2.0 rollback (CAN-2005-2969) */ - SSL_CTX_set_options(ssl->ctx, SSL_OP_MSIE_SSLV2_RSA_PADDING); -#endif - -#ifdef SSL_OP_SSLEAY_080_CLIENT_DH_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_SSLEAY_080_CLIENT_DH_BUG); -#endif - -#ifdef SSL_OP_TLS_D5_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_D5_BUG); -#endif - -#ifdef SSL_OP_TLS_BLOCK_PADDING_BUG - SSL_CTX_set_options(ssl->ctx, SSL_OP_TLS_BLOCK_PADDING_BUG); -#endif - -#ifdef SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS - SSL_CTX_set_options(ssl->ctx, SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS); -#endif - - SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_DH_USE); - -#ifdef SSL_CTRL_CLEAR_OPTIONS - /* only in 0.9.8m+ */ - SSL_CTX_clear_options(ssl->ctx, - SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3|SSL_OP_NO_TLSv1); -#endif - - if (!(protocols & NGX_SSL_SSLv2)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv2); - } - if (!(protocols & NGX_SSL_SSLv3)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_SSLv3); - } - if (!(protocols & NGX_SSL_TLSv1)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1); - } -#ifdef SSL_OP_NO_TLSv1_1 - SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_1); - if (!(protocols & NGX_SSL_TLSv1_1)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_1); - } -#endif -#ifdef SSL_OP_NO_TLSv1_2 - SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TLSv1_2); - if (!(protocols & NGX_SSL_TLSv1_2)) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_TLSv1_2); - } -#endif - -#ifdef SSL_OP_NO_COMPRESSION - SSL_CTX_set_options(ssl->ctx, SSL_OP_NO_COMPRESSION); -#endif - -#ifdef SSL_MODE_RELEASE_BUFFERS - SSL_CTX_set_mode(ssl->ctx, SSL_MODE_RELEASE_BUFFERS); -#endif - -#ifdef SSL_MODE_NO_AUTO_CHAIN - SSL_CTX_set_mode(ssl->ctx, SSL_MODE_NO_AUTO_CHAIN); -#endif - - SSL_CTX_set_read_ahead(ssl->ctx, 1); - - SSL_CTX_set_info_callback(ssl->ctx, ngx_ssl_info_callback); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_certificates(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *certs, - ngx_array_t *keys, ngx_array_t *passwords) -{ - ngx_str_t *cert, *key; - ngx_uint_t i; - - cert = certs->elts; - key = keys->elts; - - for (i = 0; i < certs->nelts; i++) { - - if (ngx_ssl_certificate(cf, ssl, &cert[i], &key[i], passwords) - != NGX_OK) - { - return NGX_ERROR; - } - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, - ngx_str_t *key, ngx_array_t *passwords) -{ - BIO *bio; - X509 *x509; - u_long n; - ngx_str_t *pwd; - ngx_uint_t tries; - - if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { - return NGX_ERROR; - } - - /* - * we can't use SSL_CTX_use_certificate_chain_file() as it doesn't - * allow to access certificate later from SSL_CTX, so we reimplement - * it here - */ - - bio = BIO_new_file((char *) cert->data, "r"); - if (bio == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "BIO_new_file(\"%s\") failed", cert->data); - return NGX_ERROR; - } - - x509 = PEM_read_bio_X509_AUX(bio, NULL, NULL, NULL); - if (x509 == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "PEM_read_bio_X509_AUX(\"%s\") failed", cert->data); - BIO_free(bio); - return NGX_ERROR; - } - - if (SSL_CTX_use_certificate(ssl->ctx, x509) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_use_certificate(\"%s\") failed", cert->data); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } - - if (X509_set_ex_data(x509, ngx_ssl_next_certificate_index, - SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index)) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "X509_set_ex_data() failed"); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_certificate_index, x509) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } - - /* read rest of the chain */ - - for ( ;; ) { - - x509 = PEM_read_bio_X509(bio, NULL, NULL, NULL); - if (x509 == NULL) { - n = ERR_peek_last_error(); - - if (ERR_GET_LIB(n) == ERR_LIB_PEM - && ERR_GET_REASON(n) == PEM_R_NO_START_LINE) - { - /* end of file */ - ERR_clear_error(); - break; - } - - /* some real error */ - - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "PEM_read_bio_X509(\"%s\") failed", cert->data); - BIO_free(bio); - return NGX_ERROR; - } - -#ifdef SSL_CTRL_CHAIN_CERT - - /* - * SSL_CTX_add0_chain_cert() is needed to add chain to - * a particular certificate when multiple certificates are used; - * only available in OpenSSL 1.0.2+ - */ - - if (SSL_CTX_add0_chain_cert(ssl->ctx, x509) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_add0_chain_cert(\"%s\") failed", - cert->data); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } - -#else - if (SSL_CTX_add_extra_chain_cert(ssl->ctx, x509) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_add_extra_chain_cert(\"%s\") failed", - cert->data); - X509_free(x509); - BIO_free(bio); - return NGX_ERROR; - } -#endif - } - - BIO_free(bio); - - if (ngx_strncmp(key->data, "engine:", sizeof("engine:") - 1) == 0) { - -#ifndef OPENSSL_NO_ENGINE - - u_char *p, *last; - ENGINE *engine; - EVP_PKEY *pkey; - - p = key->data + sizeof("engine:") - 1; - last = (u_char *) ngx_strchr(p, ':'); - - if (last == NULL) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid syntax in \"%V\"", key); - return NGX_ERROR; - } - - *last = '\0'; - - engine = ENGINE_by_id((char *) p); - - if (engine == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "ENGINE_by_id(\"%s\") failed", p); - return NGX_ERROR; - } - - *last++ = ':'; - - pkey = ENGINE_load_private_key(engine, (char *) last, 0, 0); - - if (pkey == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "ENGINE_load_private_key(\"%s\") failed", last); - ENGINE_free(engine); - return NGX_ERROR; - } - - ENGINE_free(engine); - - if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_use_PrivateKey(\"%s\") failed", last); - EVP_PKEY_free(pkey); - return NGX_ERROR; - } - - EVP_PKEY_free(pkey); - - return NGX_OK; - -#else - - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "loading \"engine:...\" certificate keys " - "is not supported"); - return NGX_ERROR; - -#endif - } - - if (ngx_conf_full_name(cf->cycle, key, 1) != NGX_OK) { - return NGX_ERROR; - } - - if (passwords) { - tries = passwords->nelts; - pwd = passwords->elts; - - SSL_CTX_set_default_passwd_cb(ssl->ctx, ngx_ssl_password_callback); - SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, pwd); - - } else { - tries = 1; -#if (NGX_SUPPRESS_WARN) - pwd = NULL; -#endif - } - - for ( ;; ) { - - if (SSL_CTX_use_PrivateKey_file(ssl->ctx, (char *) key->data, - SSL_FILETYPE_PEM) - != 0) - { - break; - } - - if (--tries) { - ERR_clear_error(); - SSL_CTX_set_default_passwd_cb_userdata(ssl->ctx, ++pwd); - continue; - } - - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_use_PrivateKey_file(\"%s\") failed", key->data); - return NGX_ERROR; - } - - SSL_CTX_set_default_passwd_cb(ssl->ctx, NULL); - - return NGX_OK; -} - - -static int -ngx_ssl_password_callback(char *buf, int size, int rwflag, void *userdata) -{ - ngx_str_t *pwd = userdata; - - if (rwflag) { - ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, 0, - "ngx_ssl_password_callback() is called for encryption"); - return 0; - } - - if (pwd->len > (size_t) size) { - ngx_log_error(NGX_LOG_ERR, ngx_cycle->log, 0, - "password is truncated to %d bytes", size); - } else { - size = pwd->len; - } - - ngx_memcpy(buf, pwd->data, size); - - return size; -} - - -ngx_int_t -ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers, - ngx_uint_t prefer_server_ciphers) -{ - if (SSL_CTX_set_cipher_list(ssl->ctx, (char *) ciphers->data) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_cipher_list(\"%V\") failed", - ciphers); - return NGX_ERROR; - } - - if (prefer_server_ciphers) { - SSL_CTX_set_options(ssl->ctx, SSL_OP_CIPHER_SERVER_PREFERENCE); - } - -#if (OPENSSL_VERSION_NUMBER < 0x10100001L && !defined LIBRESSL_VERSION_NUMBER) - /* a temporary 512-bit RSA key is required for export versions of MSIE */ - SSL_CTX_set_tmp_rsa_callback(ssl->ctx, ngx_ssl_rsa512_key_callback); -#endif - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_client_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, - ngx_int_t depth) -{ - STACK_OF(X509_NAME) *list; - - SSL_CTX_set_verify(ssl->ctx, SSL_VERIFY_PEER, ngx_ssl_verify_callback); - - SSL_CTX_set_verify_depth(ssl->ctx, depth); - - if (cert->len == 0) { - return NGX_OK; - } - - if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { - return NGX_ERROR; - } - - if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_load_verify_locations(\"%s\") failed", - cert->data); - return NGX_ERROR; - } - - /* - * SSL_CTX_load_verify_locations() may leave errors in the error queue - * while returning success - */ - - ERR_clear_error(); - - list = SSL_load_client_CA_file((char *) cert->data); - - if (list == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_load_client_CA_file(\"%s\") failed", cert->data); - return NGX_ERROR; - } - - /* - * before 0.9.7h and 0.9.8 SSL_load_client_CA_file() - * always leaved an error in the error queue - */ - - ERR_clear_error(); - - SSL_CTX_set_client_CA_list(ssl->ctx, list); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_trusted_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert, - ngx_int_t depth) -{ - SSL_CTX_set_verify_depth(ssl->ctx, depth); - - if (cert->len == 0) { - return NGX_OK; - } - - if (ngx_conf_full_name(cf->cycle, cert, 1) != NGX_OK) { - return NGX_ERROR; - } - - if (SSL_CTX_load_verify_locations(ssl->ctx, (char *) cert->data, NULL) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_load_verify_locations(\"%s\") failed", - cert->data); - return NGX_ERROR; - } - - /* - * SSL_CTX_load_verify_locations() may leave errors in the error queue - * while returning success - */ - - ERR_clear_error(); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_crl(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *crl) -{ - X509_STORE *store; - X509_LOOKUP *lookup; - - if (crl->len == 0) { - return NGX_OK; - } - - if (ngx_conf_full_name(cf->cycle, crl, 1) != NGX_OK) { - return NGX_ERROR; - } - - store = SSL_CTX_get_cert_store(ssl->ctx); - - if (store == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_get_cert_store() failed"); - return NGX_ERROR; - } - - lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()); - - if (lookup == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "X509_STORE_add_lookup() failed"); - return NGX_ERROR; - } - - if (X509_LOOKUP_load_file(lookup, (char *) crl->data, X509_FILETYPE_PEM) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "X509_LOOKUP_load_file(\"%s\") failed", crl->data); - return NGX_ERROR; - } - - X509_STORE_set_flags(store, - X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL); - - return NGX_OK; -} - - -static int -ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) -{ -#if (NGX_DEBUG) - char *subject, *issuer; - int err, depth; - X509 *cert; - X509_NAME *sname, *iname; - ngx_connection_t *c; - ngx_ssl_conn_t *ssl_conn; - - ssl_conn = X509_STORE_CTX_get_ex_data(x509_store, - SSL_get_ex_data_X509_STORE_CTX_idx()); - - c = ngx_ssl_get_connection(ssl_conn); - - cert = X509_STORE_CTX_get_current_cert(x509_store); - err = X509_STORE_CTX_get_error(x509_store); - depth = X509_STORE_CTX_get_error_depth(x509_store); - - sname = X509_get_subject_name(cert); - subject = sname ? X509_NAME_oneline(sname, NULL, 0) : "(none)"; - - iname = X509_get_issuer_name(cert); - issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)"; - - ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, - "verify:%d, error:%d, depth:%d, " - "subject:\"%s\", issuer:\"%s\"", - ok, err, depth, subject, issuer); - - if (sname) { - OPENSSL_free(subject); - } - - if (iname) { - OPENSSL_free(issuer); - } -#endif - - return 1; -} - - -static void -ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) -{ - BIO *rbio, *wbio; - ngx_connection_t *c; - - if (where & SSL_CB_HANDSHAKE_START) { - c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); - - if (c->ssl->handshaked) { - c->ssl->renegotiation = 1; - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); - } - } - - if ((where & SSL_CB_ACCEPT_LOOP) == SSL_CB_ACCEPT_LOOP) { - c = ngx_ssl_get_connection((ngx_ssl_conn_t *) ssl_conn); - - if (!c->ssl->handshake_buffer_set) { - /* - * By default OpenSSL uses 4k buffer during a handshake, - * which is too low for long certificate chains and might - * result in extra round-trips. - * - * To adjust a buffer size we detect that buffering was added - * to write side of the connection by comparing rbio and wbio. - * If they are different, we assume that it's due to buffering - * added to wbio, and set buffer size. - */ - - rbio = SSL_get_rbio((ngx_ssl_conn_t *) ssl_conn); - wbio = SSL_get_wbio((ngx_ssl_conn_t *) ssl_conn); - - if (rbio != wbio) { - (void) BIO_set_write_buffer_size(wbio, NGX_SSL_BUFSIZE); - c->ssl->handshake_buffer_set = 1; - } - } - } -} - - -RSA * -ngx_ssl_rsa512_key_callback(ngx_ssl_conn_t *ssl_conn, int is_export, - int key_length) -{ - static RSA *key; - - if (key_length != 512) { - return NULL; - } - -#if (OPENSSL_VERSION_NUMBER < 0x10100003L && !defined OPENSSL_NO_DEPRECATED) - - if (key == NULL) { - key = RSA_generate_key(512, RSA_F4, NULL, NULL); - } - -#endif - - return key; -} - - -ngx_array_t * -ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file) -{ - u_char *p, *last, *end; - size_t len; - ssize_t n; - ngx_fd_t fd; - ngx_str_t *pwd; - ngx_array_t *passwords; - ngx_pool_cleanup_t *cln; - u_char buf[NGX_SSL_PASSWORD_BUFFER_SIZE]; - - if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { - return NULL; - } - - cln = ngx_pool_cleanup_add(cf->temp_pool, 0); - passwords = ngx_array_create(cf->temp_pool, 4, sizeof(ngx_str_t)); - - if (cln == NULL || passwords == NULL) { - return NULL; - } - - cln->handler = ngx_ssl_passwords_cleanup; - cln->data = passwords; - - fd = ngx_open_file(file->data, NGX_FILE_RDONLY, NGX_FILE_OPEN, 0); - if (fd == NGX_INVALID_FILE) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, - ngx_open_file_n " \"%s\" failed", file->data); - return NULL; - } - - len = 0; - last = buf; - - do { - n = ngx_read_fd(fd, last, NGX_SSL_PASSWORD_BUFFER_SIZE - len); - - if (n == -1) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, - ngx_read_fd_n " \"%s\" failed", file->data); - passwords = NULL; - goto cleanup; - } - - end = last + n; - - if (len && n == 0) { - *end++ = LF; - } - - p = buf; - - for ( ;; ) { - last = ngx_strlchr(last, end, LF); - - if (last == NULL) { - break; - } - - len = last++ - p; - - if (len && p[len - 1] == CR) { - len--; - } - - if (len) { - pwd = ngx_array_push(passwords); - if (pwd == NULL) { - passwords = NULL; - goto cleanup; - } - - pwd->len = len; - pwd->data = ngx_pnalloc(cf->temp_pool, len); - - if (pwd->data == NULL) { - passwords->nelts--; - passwords = NULL; - goto cleanup; - } - - ngx_memcpy(pwd->data, p, len); - } - - p = last; - } - - len = end - p; - - if (len == NGX_SSL_PASSWORD_BUFFER_SIZE) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "too long line in \"%s\"", file->data); - passwords = NULL; - goto cleanup; - } - - ngx_memmove(buf, p, len); - last = buf + len; - - } while (n != 0); - - if (passwords->nelts == 0) { - pwd = ngx_array_push(passwords); - if (pwd == NULL) { - passwords = NULL; - goto cleanup; - } - - ngx_memzero(pwd, sizeof(ngx_str_t)); - } - -cleanup: - - if (ngx_close_file(fd) == NGX_FILE_ERROR) { - ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, - ngx_close_file_n " \"%s\" failed", file->data); - } - - ngx_memzero(buf, NGX_SSL_PASSWORD_BUFFER_SIZE); - - return passwords; -} - - -static void -ngx_ssl_passwords_cleanup(void *data) -{ - ngx_array_t *passwords = data; - - ngx_str_t *pwd; - ngx_uint_t i; - - pwd = passwords->elts; - - for (i = 0; i < passwords->nelts; i++) { - ngx_memzero(pwd[i].data, pwd[i].len); - } -} - - -ngx_int_t -ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file) -{ - DH *dh; - BIO *bio; - - if (file->len == 0) { - return NGX_OK; - } - - if (ngx_conf_full_name(cf->cycle, file, 1) != NGX_OK) { - return NGX_ERROR; - } - - bio = BIO_new_file((char *) file->data, "r"); - if (bio == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "BIO_new_file(\"%s\") failed", file->data); - return NGX_ERROR; - } - - dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); - if (dh == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "PEM_read_bio_DHparams(\"%s\") failed", file->data); - BIO_free(bio); - return NGX_ERROR; - } - - SSL_CTX_set_tmp_dh(ssl->ctx, dh); - - DH_free(dh); - BIO_free(bio); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name) -{ -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL -#ifndef OPENSSL_NO_ECDH - - /* - * Elliptic-Curve Diffie-Hellman parameters are either "named curves" - * from RFC 4492 section 5.1.1, or explicitly described curves over - * binary fields. OpenSSL only supports the "named curves", which provide - * maximum interoperability. - */ - -#ifdef SSL_CTRL_SET_CURVES_LIST - - /* - * OpenSSL 1.0.2+ allows configuring a curve list instead of a single - * curve previously supported. By default an internal list is used, - * with prime256v1 being preferred by server in OpenSSL 1.0.2b+ - * and X25519 in OpenSSL 1.1.0+. - * - * By default a curve preferred by the client will be used for - * key exchange. The SSL_OP_CIPHER_SERVER_PREFERENCE option can - * be used to prefer server curves instead, similar to what it - * does for ciphers. - */ - - SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); - -#if SSL_CTRL_SET_ECDH_AUTO - /* not needed in OpenSSL 1.1.0+ */ - SSL_CTX_set_ecdh_auto(ssl->ctx, 1); -#endif - - if (ngx_strcmp(name->data, "auto") == 0) { - return NGX_OK; - } - - if (SSL_CTX_set1_curves_list(ssl->ctx, (char *) name->data) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set1_curves_list(\"%s\") failed", name->data); - return NGX_ERROR; - } - -#else - - int nid; - char *curve; - EC_KEY *ecdh; - - if (ngx_strcmp(name->data, "auto") == 0) { - curve = "prime256v1"; - - } else { - curve = (char *) name->data; - } - - nid = OBJ_sn2nid(curve); - if (nid == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "OBJ_sn2nid(\"%s\") failed: unknown curve", curve); - return NGX_ERROR; - } - - ecdh = EC_KEY_new_by_curve_name(nid); - if (ecdh == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EC_KEY_new_by_curve_name(\"%s\") failed", curve); - return NGX_ERROR; - } - - SSL_CTX_set_options(ssl->ctx, SSL_OP_SINGLE_ECDH_USE); - - SSL_CTX_set_tmp_ecdh(ssl->ctx, ecdh); - - EC_KEY_free(ecdh); -#endif -#endif -#endif - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags) -{ - ngx_ssl_connection_t *sc; - - sc = ngx_pcalloc(c->pool, sizeof(ngx_ssl_connection_t)); - if (sc == NULL) { - return NGX_ERROR; - } - - sc->buffer = ((flags & NGX_SSL_BUFFER) != 0); - sc->buffer_size = ssl->buffer_size; - - sc->session_ctx = ssl->ctx; - - sc->connection = SSL_new(ssl->ctx); - - if (sc->connection == NULL) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_new() failed"); - return NGX_ERROR; - } - - if (SSL_set_fd(sc->connection, c->fd) == 0) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_fd() failed"); - return NGX_ERROR; - } - - if (flags & NGX_SSL_CLIENT) { - SSL_set_connect_state(sc->connection); - - } else { - SSL_set_accept_state(sc->connection); - } - - if (SSL_set_ex_data(sc->connection, ngx_ssl_connection_index, c) == 0) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_ex_data() failed"); - return NGX_ERROR; - } - - c->ssl = sc; - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_set_session(ngx_connection_t *c, ngx_ssl_session_t *session) -{ - if (session) { - if (SSL_set_session(c->ssl->connection, session) == 0) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_set_session() failed"); - return NGX_ERROR; - } - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_handshake(ngx_connection_t *c) -{ - int n, sslerr; - ngx_err_t err; - - ngx_ssl_clear_error(c->log); - - n = SSL_do_handshake(c->ssl->connection); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); - - if (n == 1) { - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - -#if (NGX_DEBUG) - { - char buf[129], *s, *d; -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - const -#endif - SSL_CIPHER *cipher; - - cipher = SSL_get_current_cipher(c->ssl->connection); - - if (cipher) { - SSL_CIPHER_description(cipher, &buf[1], 128); - - for (s = &buf[1], d = buf; *s; s++) { - if (*s == ' ' && *d == ' ') { - continue; - } - - if (*s == LF || *s == CR) { - continue; - } - - *++d = *s; - } - - if (*d != ' ') { - d++; - } - - *d = '\0'; - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL: %s, cipher: \"%s\"", - SSL_get_version(c->ssl->connection), &buf[1]); - - if (SSL_session_reused(c->ssl->connection)) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL reused session"); - } - - } else { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL no shared ciphers"); - } - } -#endif - - c->ssl->handshaked = 1; - - c->recv = ngx_ssl_recv; - c->send = ngx_ssl_write; - c->recv_chain = ngx_ssl_recv_chain; - c->send_chain = ngx_ssl_send_chain; - -#if OPENSSL_VERSION_NUMBER < 0x10100000L -#ifdef SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS - - /* initial handshake done, disable renegotiation (CVE-2009-3555) */ - if (c->ssl->connection->s3) { - c->ssl->connection->s3->flags |= SSL3_FLAGS_NO_RENEGOTIATE_CIPHERS; - } - -#endif -#endif - - return NGX_OK; - } - - sslerr = SSL_get_error(c->ssl->connection, n); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - c->read->ready = 0; - c->read->handler = ngx_ssl_handshake_handler; - c->write->handler = ngx_ssl_handshake_handler; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - return NGX_AGAIN; - } - - if (sslerr == SSL_ERROR_WANT_WRITE) { - c->write->ready = 0; - c->read->handler = ngx_ssl_handshake_handler; - c->write->handler = ngx_ssl_handshake_handler; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - return NGX_AGAIN; - } - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - c->ssl->no_wait_shutdown = 1; - c->ssl->no_send_shutdown = 1; - c->read->eof = 1; - - if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { - ngx_connection_error(c, err, - "peer closed connection in SSL handshake"); - - return NGX_ERROR; - } - - c->read->error = 1; - - ngx_ssl_connection_error(c, sslerr, err, "SSL_do_handshake() failed"); - - return NGX_ERROR; -} - - -static void -ngx_ssl_handshake_handler(ngx_event_t *ev) -{ - ngx_connection_t *c; - - c = ev->data; - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL handshake handler: %d", ev->write); - - if (ev->timedout) { - c->ssl->handler(c); - return; - } - - if (ngx_ssl_handshake(c) == NGX_AGAIN) { - return; - } - - c->ssl->handler(c); -} - - -ssize_t -ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit) -{ - u_char *last; - ssize_t n, bytes, size; - ngx_buf_t *b; - - bytes = 0; - - b = cl->buf; - last = b->last; - - for ( ;; ) { - size = b->end - last; - - if (limit) { - if (bytes >= limit) { - return bytes; - } - - if (bytes + size > limit) { - size = (ssize_t) (limit - bytes); - } - } - - n = ngx_ssl_recv(c, last, size); - - if (n > 0) { - last += n; - bytes += n; - - if (last == b->end) { - cl = cl->next; - - if (cl == NULL) { - return bytes; - } - - b = cl->buf; - last = b->last; - } - - continue; - } - - if (bytes) { - - if (n == 0 || n == NGX_ERROR) { - c->read->ready = 1; - } - - return bytes; - } - - return n; - } -} - - -ssize_t -ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) -{ - int n, bytes; - - if (c->ssl->last == NGX_ERROR) { - c->read->error = 1; - return NGX_ERROR; - } - - if (c->ssl->last == NGX_DONE) { - c->read->ready = 0; - c->read->eof = 1; - return 0; - } - - bytes = 0; - - ngx_ssl_clear_error(c->log); - - /* - * SSL_read() may return data in parts, so try to read - * until SSL_read() would return no data - */ - - for ( ;; ) { - - n = SSL_read(c->ssl->connection, buf, size); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); - - if (n > 0) { - bytes += n; - } - - c->ssl->last = ngx_ssl_handle_recv(c, n); - - if (c->ssl->last == NGX_OK) { - - size -= n; - - if (size == 0) { - c->read->ready = 1; - return bytes; - } - - buf += n; - - continue; - } - - if (bytes) { - if (c->ssl->last != NGX_AGAIN) { - c->read->ready = 1; - } - - return bytes; - } - - switch (c->ssl->last) { - - case NGX_DONE: - c->read->ready = 0; - c->read->eof = 1; - return 0; - - case NGX_ERROR: - c->read->error = 1; - - /* fall through */ - - case NGX_AGAIN: - return c->ssl->last; - } - } -} - - -static ngx_int_t -ngx_ssl_handle_recv(ngx_connection_t *c, int n) -{ - int sslerr; - ngx_err_t err; - - if (c->ssl->renegotiation) { - /* - * disable renegotiation (CVE-2009-3555): - * OpenSSL (at least up to 0.9.8l) does not handle disabled - * renegotiation gracefully, so drop connection here - */ - - ngx_log_error(NGX_LOG_NOTICE, c->log, 0, "SSL renegotiation disabled"); - - while (ERR_peek_error()) { - ngx_ssl_error(NGX_LOG_DEBUG, c->log, 0, - "ignoring stale global SSL error"); - } - - ERR_clear_error(); - - c->ssl->no_wait_shutdown = 1; - c->ssl->no_send_shutdown = 1; - - return NGX_ERROR; - } - - if (n > 0) { - - if (c->ssl->saved_write_handler) { - - c->write->handler = c->ssl->saved_write_handler; - c->ssl->saved_write_handler = NULL; - c->write->ready = 1; - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - ngx_post_event(c->write, &ngx_posted_events); - } - - return NGX_OK; - } - - sslerr = SSL_get_error(c->ssl->connection, n); - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - c->read->ready = 0; - return NGX_AGAIN; - } - - if (sslerr == SSL_ERROR_WANT_WRITE) { - - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "peer started SSL renegotiation"); - - c->write->ready = 0; - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - /* - * we do not set the timer because there is already the read event timer - */ - - if (c->ssl->saved_write_handler == NULL) { - c->ssl->saved_write_handler = c->write->handler; - c->write->handler = ngx_ssl_write_handler; - } - - return NGX_AGAIN; - } - - c->ssl->no_wait_shutdown = 1; - c->ssl->no_send_shutdown = 1; - - if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "peer shutdown SSL cleanly"); - return NGX_DONE; - } - - ngx_ssl_connection_error(c, sslerr, err, "SSL_read() failed"); - - return NGX_ERROR; -} - - -static void -ngx_ssl_write_handler(ngx_event_t *wev) -{ - ngx_connection_t *c; - - c = wev->data; - - c->read->handler(c->read); -} - - -/* - * OpenSSL has no SSL_writev() so we copy several bufs into our 16K buffer - * before the SSL_write() call to decrease a SSL overhead. - * - * Besides for protocols such as HTTP it is possible to always buffer - * the output to decrease a SSL overhead some more. - */ - -ngx_chain_t * -ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) -{ - int n; - ngx_uint_t flush; - ssize_t send, size; - ngx_buf_t *buf; - - if (!c->ssl->buffer) { - - while (in) { - if (ngx_buf_special(in->buf)) { - in = in->next; - continue; - } - - n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); - - if (n == NGX_ERROR) { - return NGX_CHAIN_ERROR; - } - - if (n == NGX_AGAIN) { - return in; - } - - in->buf->pos += n; - - if (in->buf->pos == in->buf->last) { - in = in->next; - } - } - - return in; - } - - - /* the maximum limit size is the maximum int32_t value - the page size */ - - if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { - limit = NGX_MAX_INT32_VALUE - ngx_pagesize; - } - - buf = c->ssl->buf; - - if (buf == NULL) { - buf = ngx_create_temp_buf(c->pool, c->ssl->buffer_size); - if (buf == NULL) { - return NGX_CHAIN_ERROR; - } - - c->ssl->buf = buf; - } - - if (buf->start == NULL) { - buf->start = ngx_palloc(c->pool, c->ssl->buffer_size); - if (buf->start == NULL) { - return NGX_CHAIN_ERROR; - } - - buf->pos = buf->start; - buf->last = buf->start; - buf->end = buf->start + c->ssl->buffer_size; - } - - send = buf->last - buf->pos; - flush = (in == NULL) ? 1 : buf->flush; - - for ( ;; ) { - - while (in && buf->last < buf->end && send < limit) { - if (in->buf->last_buf || in->buf->flush) { - flush = 1; - } - - if (ngx_buf_special(in->buf)) { - in = in->next; - continue; - } - - size = in->buf->last - in->buf->pos; - - if (size > buf->end - buf->last) { - size = buf->end - buf->last; - } - - if (send + size > limit) { - size = (ssize_t) (limit - send); - } - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL buf copy: %z", size); - - ngx_memcpy(buf->last, in->buf->pos, size); - - buf->last += size; - in->buf->pos += size; - send += size; - - if (in->buf->pos == in->buf->last) { - in = in->next; - } - } - - if (!flush && send < limit && buf->last < buf->end) { - break; - } - - size = buf->last - buf->pos; - - if (size == 0) { - buf->flush = 0; - c->buffered &= ~NGX_SSL_BUFFERED; - return in; - } - - n = ngx_ssl_write(c, buf->pos, size); - - if (n == NGX_ERROR) { - return NGX_CHAIN_ERROR; - } - - if (n == NGX_AGAIN) { - break; - } - - buf->pos += n; - - if (n < size) { - break; - } - - flush = 0; - - buf->pos = buf->start; - buf->last = buf->start; - - if (in == NULL || send == limit) { - break; - } - } - - buf->flush = flush; - - if (buf->pos < buf->last) { - c->buffered |= NGX_SSL_BUFFERED; - - } else { - c->buffered &= ~NGX_SSL_BUFFERED; - } - - return in; -} - - -ssize_t -ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) -{ - int n, sslerr; - ngx_err_t err; - - ngx_ssl_clear_error(c->log); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); - - n = SSL_write(c->ssl->connection, data, size); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); - - if (n > 0) { - - if (c->ssl->saved_read_handler) { - - c->read->handler = c->ssl->saved_read_handler; - c->ssl->saved_read_handler = NULL; - c->read->ready = 1; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - ngx_post_event(c->read, &ngx_posted_events); - } - - c->sent += n; - - return n; - } - - sslerr = SSL_get_error(c->ssl->connection, n); - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_WRITE) { - c->write->ready = 0; - return NGX_AGAIN; - } - - if (sslerr == SSL_ERROR_WANT_READ) { - - ngx_log_error(NGX_LOG_INFO, c->log, 0, - "peer started SSL renegotiation"); - - c->read->ready = 0; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - /* - * we do not set the timer because there is already - * the write event timer - */ - - if (c->ssl->saved_read_handler == NULL) { - c->ssl->saved_read_handler = c->read->handler; - c->read->handler = ngx_ssl_read_handler; - } - - return NGX_AGAIN; - } - - c->ssl->no_wait_shutdown = 1; - c->ssl->no_send_shutdown = 1; - c->write->error = 1; - - ngx_ssl_connection_error(c, sslerr, err, "SSL_write() failed"); - - return NGX_ERROR; -} - - -static void -ngx_ssl_read_handler(ngx_event_t *rev) -{ - ngx_connection_t *c; - - c = rev->data; - - c->write->handler(c->write); -} - - -void -ngx_ssl_free_buffer(ngx_connection_t *c) -{ - if (c->ssl->buf && c->ssl->buf->start) { - if (ngx_pfree(c->pool, c->ssl->buf->start) == NGX_OK) { - c->ssl->buf->start = NULL; - } - } -} - - -ngx_int_t -ngx_ssl_shutdown(ngx_connection_t *c) -{ - int n, sslerr, mode; - ngx_err_t err; - - if (SSL_in_init(c->ssl->connection)) { - /* - * OpenSSL 1.0.2f complains if SSL_shutdown() is called during - * an SSL handshake, while previous versions always return 0. - * Avoid calling SSL_shutdown() if handshake wasn't completed. - */ - - SSL_free(c->ssl->connection); - c->ssl = NULL; - - return NGX_OK; - } - - if (c->timedout) { - mode = SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN; - SSL_set_quiet_shutdown(c->ssl->connection, 1); - - } else { - mode = SSL_get_shutdown(c->ssl->connection); - - if (c->ssl->no_wait_shutdown) { - mode |= SSL_RECEIVED_SHUTDOWN; - } - - if (c->ssl->no_send_shutdown) { - mode |= SSL_SENT_SHUTDOWN; - } - - if (c->ssl->no_wait_shutdown && c->ssl->no_send_shutdown) { - SSL_set_quiet_shutdown(c->ssl->connection, 1); - } - } - - SSL_set_shutdown(c->ssl->connection, mode); - - ngx_ssl_clear_error(c->log); - - n = SSL_shutdown(c->ssl->connection); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); - - sslerr = 0; - - /* before 0.9.8m SSL_shutdown() returned 0 instead of -1 on errors */ - - if (n != 1 && ERR_peek_error()) { - sslerr = SSL_get_error(c->ssl->connection, n); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL_get_error: %d", sslerr); - } - - if (n == 1 || sslerr == 0 || sslerr == SSL_ERROR_ZERO_RETURN) { - SSL_free(c->ssl->connection); - c->ssl = NULL; - - return NGX_OK; - } - - if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { - c->read->handler = ngx_ssl_shutdown_handler; - c->write->handler = ngx_ssl_shutdown_handler; - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - return NGX_ERROR; - } - - if (sslerr == SSL_ERROR_WANT_READ) { - ngx_add_timer(c->read, 30000); - } - - return NGX_AGAIN; - } - - err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - - ngx_ssl_connection_error(c, sslerr, err, "SSL_shutdown() failed"); - - SSL_free(c->ssl->connection); - c->ssl = NULL; - - return NGX_ERROR; -} - - -static void -ngx_ssl_shutdown_handler(ngx_event_t *ev) -{ - ngx_connection_t *c; - ngx_connection_handler_pt handler; - - c = ev->data; - handler = c->ssl->handler; - - if (ev->timedout) { - c->timedout = 1; - } - - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); - - if (ngx_ssl_shutdown(c) == NGX_AGAIN) { - return; - } - - handler(c); -} - - -static void -ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, - char *text) -{ - int n; - ngx_uint_t level; - - level = NGX_LOG_CRIT; - - if (sslerr == SSL_ERROR_SYSCALL) { - - if (err == NGX_ECONNRESET - || err == NGX_EPIPE - || err == NGX_ENOTCONN - || err == NGX_ETIMEDOUT - || err == NGX_ECONNREFUSED - || err == NGX_ENETDOWN - || err == NGX_ENETUNREACH - || err == NGX_EHOSTDOWN - || err == NGX_EHOSTUNREACH) - { - switch (c->log_error) { - - case NGX_ERROR_IGNORE_ECONNRESET: - case NGX_ERROR_INFO: - level = NGX_LOG_INFO; - break; - - case NGX_ERROR_ERR: - level = NGX_LOG_ERR; - break; - - default: - break; - } - } - - } else if (sslerr == SSL_ERROR_SSL) { - - n = ERR_GET_REASON(ERR_peek_error()); - - /* handshake failures */ - if (n == SSL_R_BAD_CHANGE_CIPHER_SPEC /* 103 */ - || n == SSL_R_BLOCK_CIPHER_PAD_IS_WRONG /* 129 */ - || n == SSL_R_DIGEST_CHECK_FAILED /* 149 */ - || n == SSL_R_ERROR_IN_RECEIVED_CIPHER_LIST /* 151 */ - || n == SSL_R_EXCESSIVE_MESSAGE_SIZE /* 152 */ - || n == SSL_R_LENGTH_MISMATCH /* 159 */ -#ifdef SSL_R_NO_CIPHERS_PASSED - || n == SSL_R_NO_CIPHERS_PASSED /* 182 */ -#endif - || n == SSL_R_NO_CIPHERS_SPECIFIED /* 183 */ - || n == SSL_R_NO_COMPRESSION_SPECIFIED /* 187 */ - || n == SSL_R_NO_SHARED_CIPHER /* 193 */ - || n == SSL_R_RECORD_LENGTH_MISMATCH /* 213 */ -#ifdef SSL_R_PARSE_TLSEXT - || n == SSL_R_PARSE_TLSEXT /* 227 */ -#endif - || n == SSL_R_UNEXPECTED_MESSAGE /* 244 */ - || n == SSL_R_UNEXPECTED_RECORD /* 245 */ - || n == SSL_R_UNKNOWN_ALERT_TYPE /* 246 */ - || n == SSL_R_UNKNOWN_PROTOCOL /* 252 */ - || n == SSL_R_WRONG_VERSION_NUMBER /* 267 */ - || n == SSL_R_DECRYPTION_FAILED_OR_BAD_RECORD_MAC /* 281 */ -#ifdef SSL_R_RENEGOTIATE_EXT_TOO_LONG - || n == SSL_R_RENEGOTIATE_EXT_TOO_LONG /* 335 */ - || n == SSL_R_RENEGOTIATION_ENCODING_ERR /* 336 */ - || n == SSL_R_RENEGOTIATION_MISMATCH /* 337 */ -#endif -#ifdef SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED - || n == SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED /* 338 */ -#endif -#ifdef SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING - || n == SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING /* 345 */ -#endif -#ifdef SSL_R_INAPPROPRIATE_FALLBACK - || n == SSL_R_INAPPROPRIATE_FALLBACK /* 373 */ -#endif - || n == 1000 /* SSL_R_SSLV3_ALERT_CLOSE_NOTIFY */ -#ifdef SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE - || n == SSL_R_SSLV3_ALERT_UNEXPECTED_MESSAGE /* 1010 */ - || n == SSL_R_SSLV3_ALERT_BAD_RECORD_MAC /* 1020 */ - || n == SSL_R_TLSV1_ALERT_DECRYPTION_FAILED /* 1021 */ - || n == SSL_R_TLSV1_ALERT_RECORD_OVERFLOW /* 1022 */ - || n == SSL_R_SSLV3_ALERT_DECOMPRESSION_FAILURE /* 1030 */ - || n == SSL_R_SSLV3_ALERT_HANDSHAKE_FAILURE /* 1040 */ - || n == SSL_R_SSLV3_ALERT_NO_CERTIFICATE /* 1041 */ - || n == SSL_R_SSLV3_ALERT_BAD_CERTIFICATE /* 1042 */ - || n == SSL_R_SSLV3_ALERT_UNSUPPORTED_CERTIFICATE /* 1043 */ - || n == SSL_R_SSLV3_ALERT_CERTIFICATE_REVOKED /* 1044 */ - || n == SSL_R_SSLV3_ALERT_CERTIFICATE_EXPIRED /* 1045 */ - || n == SSL_R_SSLV3_ALERT_CERTIFICATE_UNKNOWN /* 1046 */ - || n == SSL_R_SSLV3_ALERT_ILLEGAL_PARAMETER /* 1047 */ - || n == SSL_R_TLSV1_ALERT_UNKNOWN_CA /* 1048 */ - || n == SSL_R_TLSV1_ALERT_ACCESS_DENIED /* 1049 */ - || n == SSL_R_TLSV1_ALERT_DECODE_ERROR /* 1050 */ - || n == SSL_R_TLSV1_ALERT_DECRYPT_ERROR /* 1051 */ - || n == SSL_R_TLSV1_ALERT_EXPORT_RESTRICTION /* 1060 */ - || n == SSL_R_TLSV1_ALERT_PROTOCOL_VERSION /* 1070 */ - || n == SSL_R_TLSV1_ALERT_INSUFFICIENT_SECURITY /* 1071 */ - || n == SSL_R_TLSV1_ALERT_INTERNAL_ERROR /* 1080 */ - || n == SSL_R_TLSV1_ALERT_USER_CANCELLED /* 1090 */ - || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION /* 1100 */ -#endif - ) - { - switch (c->log_error) { - - case NGX_ERROR_IGNORE_ECONNRESET: - case NGX_ERROR_INFO: - level = NGX_LOG_INFO; - break; - - case NGX_ERROR_ERR: - level = NGX_LOG_ERR; - break; - - default: - break; - } - } - } - - ngx_ssl_error(level, c->log, err, text); -} - - -static void -ngx_ssl_clear_error(ngx_log_t *log) -{ - while (ERR_peek_error()) { - ngx_ssl_error(NGX_LOG_ALERT, log, 0, "ignoring stale global SSL error"); - } - - ERR_clear_error(); -} - - -void ngx_cdecl -ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, char *fmt, ...) -{ - int flags; - u_long n; - va_list args; - u_char *p, *last; - u_char errstr[NGX_MAX_CONF_ERRSTR]; - const char *data; - - last = errstr + NGX_MAX_CONF_ERRSTR; - - va_start(args, fmt); - p = ngx_vslprintf(errstr, last - 1, fmt, args); - va_end(args); - - p = ngx_cpystrn(p, (u_char *) " (SSL:", last - p); - - for ( ;; ) { - - n = ERR_peek_error_line_data(NULL, NULL, &data, &flags); - - if (n == 0) { - break; - } - - if (p >= last) { - goto next; - } - - *p++ = ' '; - - ERR_error_string_n(n, (char *) p, last - p); - - while (p < last && *p) { - p++; - } - - if (p < last && *data && (flags & ERR_TXT_STRING)) { - *p++ = ':'; - p = ngx_cpystrn(p, (u_char *) data, last - p); - } - - next: - - (void) ERR_get_error(); - } - - ngx_log_error(level, log, err, "%*s)", p - errstr, errstr); -} - - -ngx_int_t -ngx_ssl_session_cache(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, - ssize_t builtin_session_cache, ngx_shm_zone_t *shm_zone, time_t timeout) -{ - long cache_mode; - - SSL_CTX_set_timeout(ssl->ctx, (long) timeout); - - if (ngx_ssl_session_id_context(ssl, sess_ctx) != NGX_OK) { - return NGX_ERROR; - } - - if (builtin_session_cache == NGX_SSL_NO_SCACHE) { - SSL_CTX_set_session_cache_mode(ssl->ctx, SSL_SESS_CACHE_OFF); - return NGX_OK; - } - - if (builtin_session_cache == NGX_SSL_NONE_SCACHE) { - - /* - * If the server explicitly says that it does not support - * session reuse (see SSL_SESS_CACHE_OFF above), then - * Outlook Express fails to upload a sent email to - * the Sent Items folder on the IMAP server via a separate IMAP - * connection in the background. Therefore we have a special - * mode (SSL_SESS_CACHE_SERVER|SSL_SESS_CACHE_NO_INTERNAL_STORE) - * where the server pretends that it supports session reuse, - * but it does not actually store any session. - */ - - SSL_CTX_set_session_cache_mode(ssl->ctx, - SSL_SESS_CACHE_SERVER - |SSL_SESS_CACHE_NO_AUTO_CLEAR - |SSL_SESS_CACHE_NO_INTERNAL_STORE); - - SSL_CTX_sess_set_cache_size(ssl->ctx, 1); - - return NGX_OK; - } - - cache_mode = SSL_SESS_CACHE_SERVER; - - if (shm_zone && builtin_session_cache == NGX_SSL_NO_BUILTIN_SCACHE) { - cache_mode |= SSL_SESS_CACHE_NO_INTERNAL; - } - - SSL_CTX_set_session_cache_mode(ssl->ctx, cache_mode); - - if (builtin_session_cache != NGX_SSL_NO_BUILTIN_SCACHE) { - - if (builtin_session_cache != NGX_SSL_DFLT_BUILTIN_SCACHE) { - SSL_CTX_sess_set_cache_size(ssl->ctx, builtin_session_cache); - } - } - - if (shm_zone) { - SSL_CTX_sess_set_new_cb(ssl->ctx, ngx_ssl_new_session); - SSL_CTX_sess_set_get_cb(ssl->ctx, ngx_ssl_get_cached_session); - SSL_CTX_sess_set_remove_cb(ssl->ctx, ngx_ssl_remove_session); - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_cache_index, shm_zone) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - return NGX_ERROR; - } - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx) -{ - int n, i; - X509 *cert; - X509_NAME *name; - EVP_MD_CTX *md; - unsigned int len; - STACK_OF(X509_NAME) *list; - u_char buf[EVP_MAX_MD_SIZE]; - - /* - * Session ID context is set based on the string provided, - * the server certificates, and the client CA list. - */ - - md = EVP_MD_CTX_create(); - if (md == NULL) { - return NGX_ERROR; - } - - if (EVP_DigestInit_ex(md, EVP_sha1(), NULL) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestInit_ex() failed"); - goto failed; - } - - if (EVP_DigestUpdate(md, sess_ctx->data, sess_ctx->len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestUpdate() failed"); - goto failed; - } - - for (cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); - cert; - cert = X509_get_ex_data(cert, ngx_ssl_next_certificate_index)) - { - if (X509_digest(cert, EVP_sha1(), buf, &len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "X509_digest() failed"); - goto failed; - } - - if (EVP_DigestUpdate(md, buf, len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestUpdate() failed"); - goto failed; - } - } - - list = SSL_CTX_get_client_CA_list(ssl->ctx); - - if (list != NULL) { - n = sk_X509_NAME_num(list); - - for (i = 0; i < n; i++) { - name = sk_X509_NAME_value(list, i); - - if (X509_NAME_digest(name, EVP_sha1(), buf, &len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "X509_NAME_digest() failed"); - goto failed; - } - - if (EVP_DigestUpdate(md, buf, len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestUpdate() failed"); - goto failed; - } - } - } - - if (EVP_DigestFinal_ex(md, buf, &len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "EVP_DigestUpdate() failed"); - goto failed; - } - - EVP_MD_CTX_destroy(md); - - if (SSL_CTX_set_session_id_context(ssl->ctx, buf, len) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_session_id_context() failed"); - return NGX_ERROR; - } - - return NGX_OK; - -failed: - - EVP_MD_CTX_destroy(md); - - return NGX_ERROR; -} - - -ngx_int_t -ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data) -{ - size_t len; - ngx_slab_pool_t *shpool; - ngx_ssl_session_cache_t *cache; - - if (data) { - shm_zone->data = data; - return NGX_OK; - } - - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; - - if (shm_zone->shm.exists) { - shm_zone->data = shpool->data; - return NGX_OK; - } - - cache = ngx_slab_alloc(shpool, sizeof(ngx_ssl_session_cache_t)); - if (cache == NULL) { - return NGX_ERROR; - } - - shpool->data = cache; - shm_zone->data = cache; - - ngx_rbtree_init(&cache->session_rbtree, &cache->sentinel, - ngx_ssl_session_rbtree_insert_value); - - ngx_queue_init(&cache->expire_queue); - - len = sizeof(" in SSL session shared cache \"\"") + shm_zone->shm.name.len; - - shpool->log_ctx = ngx_slab_alloc(shpool, len); - if (shpool->log_ctx == NULL) { - return NGX_ERROR; - } - - ngx_sprintf(shpool->log_ctx, " in SSL session shared cache \"%V\"%Z", - &shm_zone->shm.name); - - shpool->log_nomem = 0; - - return NGX_OK; -} - - -/* - * The length of the session id is 16 bytes for SSLv2 sessions and - * between 1 and 32 bytes for SSLv3/TLSv1, typically 32 bytes. - * It seems that the typical length of the external ASN1 representation - * of a session is 118 or 119 bytes for SSLv3/TSLv1. - * - * Thus on 32-bit platforms we allocate separately an rbtree node, - * a session id, and an ASN1 representation, they take accordingly - * 64, 32, and 128 bytes. - * - * On 64-bit platforms we allocate separately an rbtree node + session_id, - * and an ASN1 representation, they take accordingly 128 and 128 bytes. - * - * OpenSSL's i2d_SSL_SESSION() and d2i_SSL_SESSION are slow, - * so they are outside the code locked by shared pool mutex - */ - -static int -ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) -{ - int len; - u_char *p, *id, *cached_sess, *session_id; - uint32_t hash; - SSL_CTX *ssl_ctx; - unsigned int session_id_length; - ngx_shm_zone_t *shm_zone; - ngx_connection_t *c; - ngx_slab_pool_t *shpool; - ngx_ssl_sess_id_t *sess_id; - ngx_ssl_session_cache_t *cache; - u_char buf[NGX_SSL_MAX_SESSION_SIZE]; - - len = i2d_SSL_SESSION(sess, NULL); - - /* do not cache too big session */ - - if (len > (int) NGX_SSL_MAX_SESSION_SIZE) { - return 0; - } - - p = buf; - i2d_SSL_SESSION(sess, &p); - - c = ngx_ssl_get_connection(ssl_conn); - - ssl_ctx = c->ssl->session_ctx; - shm_zone = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_cache_index); - - cache = shm_zone->data; - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; - - ngx_shmtx_lock(&shpool->mutex); - - /* drop one or two expired sessions */ - ngx_ssl_expire_sessions(cache, shpool, 1); - - cached_sess = ngx_slab_alloc_locked(shpool, len); - - if (cached_sess == NULL) { - - /* drop the oldest non-expired session and try once more */ - - ngx_ssl_expire_sessions(cache, shpool, 0); - - cached_sess = ngx_slab_alloc_locked(shpool, len); - - if (cached_sess == NULL) { - sess_id = NULL; - goto failed; - } - } - - sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); - - if (sess_id == NULL) { - - /* drop the oldest non-expired session and try once more */ - - ngx_ssl_expire_sessions(cache, shpool, 0); - - sess_id = ngx_slab_alloc_locked(shpool, sizeof(ngx_ssl_sess_id_t)); - - if (sess_id == NULL) { - goto failed; - } - } - -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL - - session_id = (u_char *) SSL_SESSION_get_id(sess, &session_id_length); - -#else - - session_id = sess->session_id; - session_id_length = sess->session_id_length; - -#endif - -#if (NGX_PTR_SIZE == 8) - - id = sess_id->sess_id; - -#else - - id = ngx_slab_alloc_locked(shpool, session_id_length); - - if (id == NULL) { - - /* drop the oldest non-expired session and try once more */ - - ngx_ssl_expire_sessions(cache, shpool, 0); - - id = ngx_slab_alloc_locked(shpool, session_id_length); - - if (id == NULL) { - goto failed; - } - } - -#endif - - ngx_memcpy(cached_sess, buf, len); - - ngx_memcpy(id, session_id, session_id_length); - - hash = ngx_crc32_short(session_id, session_id_length); - - ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl new session: %08XD:%ud:%d", - hash, session_id_length, len); - - sess_id->node.key = hash; - sess_id->node.data = (u_char) session_id_length; - sess_id->id = id; - sess_id->len = len; - sess_id->session = cached_sess; - - sess_id->expire = ngx_time() + SSL_CTX_get_timeout(ssl_ctx); - - ngx_queue_insert_head(&cache->expire_queue, &sess_id->queue); - - ngx_rbtree_insert(&cache->session_rbtree, &sess_id->node); - - ngx_shmtx_unlock(&shpool->mutex); - - return 0; - -failed: - - if (cached_sess) { - ngx_slab_free_locked(shpool, cached_sess); - } - - if (sess_id) { - ngx_slab_free_locked(shpool, sess_id); - } - - ngx_shmtx_unlock(&shpool->mutex); - - ngx_log_error(NGX_LOG_ALERT, c->log, 0, - "could not allocate new session%s", shpool->log_ctx); - - return 0; -} - - -static ngx_ssl_session_t * -ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, -#if OPENSSL_VERSION_NUMBER >= 0x10100003L - const -#endif - u_char *id, int len, int *copy) -{ -#if OPENSSL_VERSION_NUMBER >= 0x0090707fL - const -#endif - u_char *p; - uint32_t hash; - ngx_int_t rc; - ngx_shm_zone_t *shm_zone; - ngx_slab_pool_t *shpool; - ngx_rbtree_node_t *node, *sentinel; - ngx_ssl_session_t *sess; - ngx_ssl_sess_id_t *sess_id; - ngx_ssl_session_cache_t *cache; - u_char buf[NGX_SSL_MAX_SESSION_SIZE]; - ngx_connection_t *c; - - hash = ngx_crc32_short((u_char *) (uintptr_t) id, (size_t) len); - *copy = 0; - - c = ngx_ssl_get_connection(ssl_conn); - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl get session: %08XD:%d", hash, len); - - shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, - ngx_ssl_session_cache_index); - - cache = shm_zone->data; - - sess = NULL; - - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; - - ngx_shmtx_lock(&shpool->mutex); - - node = cache->session_rbtree.root; - sentinel = cache->session_rbtree.sentinel; - - while (node != sentinel) { - - if (hash < node->key) { - node = node->left; - continue; - } - - if (hash > node->key) { - node = node->right; - continue; - } - - /* hash == node->key */ - - sess_id = (ngx_ssl_sess_id_t *) node; - - rc = ngx_memn2cmp((u_char *) (uintptr_t) id, sess_id->id, - (size_t) len, (size_t) node->data); - - if (rc == 0) { - - if (sess_id->expire > ngx_time()) { - ngx_memcpy(buf, sess_id->session, sess_id->len); - - ngx_shmtx_unlock(&shpool->mutex); - - p = buf; - sess = d2i_SSL_SESSION(NULL, &p, sess_id->len); - - return sess; - } - - ngx_queue_remove(&sess_id->queue); - - ngx_rbtree_delete(&cache->session_rbtree, node); - - ngx_slab_free_locked(shpool, sess_id->session); -#if (NGX_PTR_SIZE == 4) - ngx_slab_free_locked(shpool, sess_id->id); -#endif - ngx_slab_free_locked(shpool, sess_id); - - sess = NULL; - - goto done; - } - - node = (rc < 0) ? node->left : node->right; - } - -done: - - ngx_shmtx_unlock(&shpool->mutex); - - return sess; -} - - -void -ngx_ssl_remove_cached_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) -{ - SSL_CTX_remove_session(ssl, sess); - - ngx_ssl_remove_session(ssl, sess); -} - - -static void -ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) -{ - u_char *id; - uint32_t hash; - ngx_int_t rc; - unsigned int len; - ngx_shm_zone_t *shm_zone; - ngx_slab_pool_t *shpool; - ngx_rbtree_node_t *node, *sentinel; - ngx_ssl_sess_id_t *sess_id; - ngx_ssl_session_cache_t *cache; - - shm_zone = SSL_CTX_get_ex_data(ssl, ngx_ssl_session_cache_index); - - if (shm_zone == NULL) { - return; - } - - cache = shm_zone->data; - -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL - - id = (u_char *) SSL_SESSION_get_id(sess, &len); - -#else - - id = sess->session_id; - len = sess->session_id_length; - -#endif - - hash = ngx_crc32_short(id, len); - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, - "ssl remove session: %08XD:%ud", hash, len); - - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; - - ngx_shmtx_lock(&shpool->mutex); - - node = cache->session_rbtree.root; - sentinel = cache->session_rbtree.sentinel; - - while (node != sentinel) { - - if (hash < node->key) { - node = node->left; - continue; - } - - if (hash > node->key) { - node = node->right; - continue; - } - - /* hash == node->key */ - - sess_id = (ngx_ssl_sess_id_t *) node; - - rc = ngx_memn2cmp(id, sess_id->id, len, (size_t) node->data); - - if (rc == 0) { - - ngx_queue_remove(&sess_id->queue); - - ngx_rbtree_delete(&cache->session_rbtree, node); - - ngx_slab_free_locked(shpool, sess_id->session); -#if (NGX_PTR_SIZE == 4) - ngx_slab_free_locked(shpool, sess_id->id); -#endif - ngx_slab_free_locked(shpool, sess_id); - - goto done; - } - - node = (rc < 0) ? node->left : node->right; - } - -done: - - ngx_shmtx_unlock(&shpool->mutex); -} - - -static void -ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, - ngx_slab_pool_t *shpool, ngx_uint_t n) -{ - time_t now; - ngx_queue_t *q; - ngx_ssl_sess_id_t *sess_id; - - now = ngx_time(); - - while (n < 3) { - - if (ngx_queue_empty(&cache->expire_queue)) { - return; - } - - q = ngx_queue_last(&cache->expire_queue); - - sess_id = ngx_queue_data(q, ngx_ssl_sess_id_t, queue); - - if (n++ != 0 && sess_id->expire > now) { - return; - } - - ngx_queue_remove(q); - - ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, - "expire session: %08Xi", sess_id->node.key); - - ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); - - ngx_slab_free_locked(shpool, sess_id->session); -#if (NGX_PTR_SIZE == 4) - ngx_slab_free_locked(shpool, sess_id->id); -#endif - ngx_slab_free_locked(shpool, sess_id); - } -} - - -static void -ngx_ssl_session_rbtree_insert_value(ngx_rbtree_node_t *temp, - ngx_rbtree_node_t *node, ngx_rbtree_node_t *sentinel) -{ - ngx_rbtree_node_t **p; - ngx_ssl_sess_id_t *sess_id, *sess_id_temp; - - for ( ;; ) { - - if (node->key < temp->key) { - - p = &temp->left; - - } else if (node->key > temp->key) { - - p = &temp->right; - - } else { /* node->key == temp->key */ - - sess_id = (ngx_ssl_sess_id_t *) node; - sess_id_temp = (ngx_ssl_sess_id_t *) temp; - - p = (ngx_memn2cmp(sess_id->id, sess_id_temp->id, - (size_t) node->data, (size_t) temp->data) - < 0) ? &temp->left : &temp->right; - } - - if (*p == sentinel) { - break; - } - - temp = *p; - } - - *p = node; - node->parent = temp; - node->left = sentinel; - node->right = sentinel; - ngx_rbt_red(node); -} - - -#ifdef SSL_CTRL_SET_TLSEXT_TICKET_KEY_CB - -ngx_int_t -ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) -{ - u_char buf[48]; - ssize_t n; - ngx_str_t *path; - ngx_file_t file; - ngx_uint_t i; - ngx_array_t *keys; - ngx_file_info_t fi; - ngx_ssl_session_ticket_key_t *key; - - if (paths == NULL) { - return NGX_OK; - } - - keys = ngx_array_create(cf->pool, paths->nelts, - sizeof(ngx_ssl_session_ticket_key_t)); - if (keys == NULL) { - return NGX_ERROR; - } - - path = paths->elts; - for (i = 0; i < paths->nelts; i++) { - - if (ngx_conf_full_name(cf->cycle, &path[i], 1) != NGX_OK) { - return NGX_ERROR; - } - - ngx_memzero(&file, sizeof(ngx_file_t)); - file.name = path[i]; - file.log = cf->log; - - file.fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, 0, 0); - if (file.fd == NGX_INVALID_FILE) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, - ngx_open_file_n " \"%V\" failed", &file.name); - return NGX_ERROR; - } - - if (ngx_fd_info(file.fd, &fi) == NGX_FILE_ERROR) { - ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, - ngx_fd_info_n " \"%V\" failed", &file.name); - goto failed; - } - - if (ngx_file_size(&fi) != 48) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "\"%V\" must be 48 bytes", &file.name); - goto failed; - } - - n = ngx_read_file(&file, buf, 48, 0); - - if (n == NGX_ERROR) { - ngx_conf_log_error(NGX_LOG_CRIT, cf, ngx_errno, - ngx_read_file_n " \"%V\" failed", &file.name); - goto failed; - } - - if (n != 48) { - ngx_conf_log_error(NGX_LOG_CRIT, cf, 0, - ngx_read_file_n " \"%V\" returned only " - "%z bytes instead of 48", &file.name, n); - goto failed; - } - - key = ngx_array_push(keys); - if (key == NULL) { - goto failed; - } - - ngx_memcpy(key->name, buf, 16); - ngx_memcpy(key->aes_key, buf + 16, 16); - ngx_memcpy(key->hmac_key, buf + 32, 16); - - if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { - ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, - ngx_close_file_n " \"%V\" failed", &file.name); - } - } - - if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_session_ticket_keys_index, keys) - == 0) - { - ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, - "SSL_CTX_set_ex_data() failed"); - return NGX_ERROR; - } - - if (SSL_CTX_set_tlsext_ticket_key_cb(ssl->ctx, - ngx_ssl_session_ticket_key_callback) - == 0) - { - ngx_log_error(NGX_LOG_WARN, cf->log, 0, - "nginx was built with Session Tickets support, however, " - "now it is linked dynamically to an OpenSSL library " - "which has no tlsext support, therefore Session Tickets " - "are not available"); - } - - return NGX_OK; - -failed: - - if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { - ngx_log_error(NGX_LOG_ALERT, cf->log, ngx_errno, - ngx_close_file_n " \"%V\" failed", &file.name); - } - - return NGX_ERROR; -} - - -static int -ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - unsigned char *name, unsigned char *iv, EVP_CIPHER_CTX *ectx, - HMAC_CTX *hctx, int enc) -{ - SSL_CTX *ssl_ctx; - ngx_uint_t i; - ngx_array_t *keys; - ngx_connection_t *c; - ngx_ssl_session_ticket_key_t *key; - const EVP_MD *digest; - const EVP_CIPHER *cipher; -#if (NGX_DEBUG) - u_char buf[32]; -#endif - - c = ngx_ssl_get_connection(ssl_conn); - ssl_ctx = c->ssl->session_ctx; - - cipher = EVP_aes_128_cbc(); -#ifdef OPENSSL_NO_SHA256 - digest = EVP_sha1(); -#else - digest = EVP_sha256(); -#endif - - keys = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_session_ticket_keys_index); - if (keys == NULL) { - return -1; - } - - key = keys->elts; - - if (enc == 1) { - /* encrypt session ticket */ - - ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl session ticket encrypt, key: \"%*s\" (%s session)", - ngx_hex_dump(buf, key[0].name, 16) - buf, buf, - SSL_session_reused(ssl_conn) ? "reused" : "new"); - - if (RAND_bytes(iv, EVP_CIPHER_iv_length(cipher)) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "RAND_bytes() failed"); - return -1; - } - - if (EVP_EncryptInit_ex(ectx, cipher, NULL, key[0].aes_key, iv) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, - "EVP_EncryptInit_ex() failed"); - return -1; - } - -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - if (HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); - return -1; - } -#else - HMAC_Init_ex(hctx, key[0].hmac_key, 16, digest, NULL); -#endif - - ngx_memcpy(name, key[0].name, 16); - - return 1; - - } else { - /* decrypt session ticket */ - - for (i = 0; i < keys->nelts; i++) { - if (ngx_memcmp(name, key[i].name, 16) == 0) { - goto found; - } - } - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl session ticket decrypt, key: \"%*s\" not found", - ngx_hex_dump(buf, name, 16) - buf, buf); - - return 0; - - found: - - ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, - "ssl session ticket decrypt, key: \"%*s\"%s", - ngx_hex_dump(buf, key[i].name, 16) - buf, buf, - (i == 0) ? " (default)" : ""); - -#if OPENSSL_VERSION_NUMBER >= 0x10000000L - if (HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "HMAC_Init_ex() failed"); - return -1; - } -#else - HMAC_Init_ex(hctx, key[i].hmac_key, 16, digest, NULL); -#endif - - if (EVP_DecryptInit_ex(ectx, cipher, NULL, key[i].aes_key, iv) != 1) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, - "EVP_DecryptInit_ex() failed"); - return -1; - } - - return (i == 0) ? 1 : 2 /* renew */; - } -} - -#else - -ngx_int_t -ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *paths) -{ - if (paths) { - ngx_log_error(NGX_LOG_WARN, ssl->log, 0, - "\"ssl_session_ticket_keys\" ignored, not supported"); - } - - return NGX_OK; -} - -#endif - - -void -ngx_ssl_cleanup_ctx(void *data) -{ - ngx_ssl_t *ssl = data; - - X509 *cert, *next; - - cert = SSL_CTX_get_ex_data(ssl->ctx, ngx_ssl_certificate_index); - - while (cert) { - next = X509_get_ex_data(cert, ngx_ssl_next_certificate_index); - X509_free(cert); - cert = next; - } - - SSL_CTX_free(ssl->ctx); -} - - -ngx_int_t -ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) -{ - X509 *cert; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_ERROR; - } - -#ifdef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT - - /* X509_check_host() is only available in OpenSSL 1.0.2+ */ - - if (name->len == 0) { - goto failed; - } - - if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "X509_check_host(): no match"); - goto failed; - } - - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "X509_check_host(): match"); - - goto found; - -#else - { - int n, i; - X509_NAME *sname; - ASN1_STRING *str; - X509_NAME_ENTRY *entry; - GENERAL_NAME *altname; - STACK_OF(GENERAL_NAME) *altnames; - - /* - * As per RFC6125 and RFC2818, we check subjectAltName extension, - * and if it's not present - commonName in Subject is checked. - */ - - altnames = X509_get_ext_d2i(cert, NID_subject_alt_name, NULL, NULL); - - if (altnames) { - n = sk_GENERAL_NAME_num(altnames); - - for (i = 0; i < n; i++) { - altname = sk_GENERAL_NAME_value(altnames, i); - - if (altname->type != GEN_DNS) { - continue; - } - - str = altname->d.dNSName; - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL subjectAltName: \"%*s\"", - ASN1_STRING_length(str), ASN1_STRING_data(str)); - - if (ngx_ssl_check_name(name, str) == NGX_OK) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL subjectAltName: match"); - GENERAL_NAMES_free(altnames); - goto found; - } - } - - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL subjectAltName: no match"); - - GENERAL_NAMES_free(altnames); - goto failed; - } - - /* - * If there is no subjectAltName extension, check commonName - * in Subject. While RFC2818 requires to only check "most specific" - * CN, both Apache and OpenSSL check all CNs, and so do we. - */ - - sname = X509_get_subject_name(cert); - - if (sname == NULL) { - goto failed; - } - - i = -1; - for ( ;; ) { - i = X509_NAME_get_index_by_NID(sname, NID_commonName, i); - - if (i < 0) { - break; - } - - entry = X509_NAME_get_entry(sname, i); - str = X509_NAME_ENTRY_get_data(entry); - - ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL commonName: \"%*s\"", - ASN1_STRING_length(str), ASN1_STRING_data(str)); - - if (ngx_ssl_check_name(name, str) == NGX_OK) { - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL commonName: match"); - goto found; - } - } - - ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, - "SSL commonName: no match"); - } -#endif - -failed: - - X509_free(cert); - return NGX_ERROR; - -found: - - X509_free(cert); - return NGX_OK; -} - - -#ifndef X509_CHECK_FLAG_ALWAYS_CHECK_SUBJECT - -static ngx_int_t -ngx_ssl_check_name(ngx_str_t *name, ASN1_STRING *pattern) -{ - u_char *s, *p, *end; - size_t slen, plen; - - s = name->data; - slen = name->len; - - p = ASN1_STRING_data(pattern); - plen = ASN1_STRING_length(pattern); - - if (slen == plen && ngx_strncasecmp(s, p, plen) == 0) { - return NGX_OK; - } - - if (plen > 2 && p[0] == '*' && p[1] == '.') { - plen -= 1; - p += 1; - - end = s + slen; - s = ngx_strlchr(s, end, '.'); - - if (s == NULL) { - return NGX_ERROR; - } - - slen = end - s; - - if (plen == slen && ngx_strncasecmp(s, p, plen) == 0) { - return NGX_OK; - } - } - - return NGX_ERROR; -} - -#endif - - -ngx_int_t -ngx_ssl_get_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - s->data = (u_char *) SSL_get_version(c->ssl->connection); - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_cipher_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - s->data = (u_char *) SSL_get_cipher_name(c->ssl->connection); - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - u_char *buf; - SSL_SESSION *sess; - unsigned int len; - - sess = SSL_get0_session(c->ssl->connection); - if (sess == NULL) { - s->len = 0; - return NGX_OK; - } - -#if OPENSSL_VERSION_NUMBER >= 0x0090800fL - - buf = (u_char *) SSL_SESSION_get_id(sess, &len); - -#else - - buf = sess->session_id; - len = sess->session_id_length; - -#endif - - s->len = 2 * len; - s->data = ngx_pnalloc(pool, 2 * len); - if (s->data == NULL) { - return NGX_ERROR; - } - - ngx_hex_dump(s->data, buf, len); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - if (SSL_session_reused(c->ssl->connection)) { - ngx_str_set(s, "r"); - - } else { - ngx_str_set(s, "."); - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ -#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - - const char *servername; - - servername = SSL_get_servername(c->ssl->connection, - TLSEXT_NAMETYPE_host_name); - if (servername) { - s->data = (u_char *) servername; - s->len = ngx_strlen(servername); - return NGX_OK; - } - -#endif - - s->len = 0; - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - size_t len; - BIO *bio; - X509 *cert; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - bio = BIO_new(BIO_s_mem()); - if (bio == NULL) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "BIO_new() failed"); - X509_free(cert); - return NGX_ERROR; - } - - if (PEM_write_bio_X509(bio, cert) == 0) { - ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "PEM_write_bio_X509() failed"); - goto failed; - } - - len = BIO_pending(bio); - s->len = len; - - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - goto failed; - } - - BIO_read(bio, s->data, len); - - BIO_free(bio); - X509_free(cert); - - return NGX_OK; - -failed: - - BIO_free(bio); - X509_free(cert); - - return NGX_ERROR; -} - - -ngx_int_t -ngx_ssl_get_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_str_t cert; - - if (ngx_ssl_get_raw_certificate(c, pool, &cert) != NGX_OK) { - return NGX_ERROR; - } - - if (cert.len == 0) { - s->len = 0; - return NGX_OK; - } - - len = cert.len - 1; - - for (i = 0; i < cert.len - 1; i++) { - if (cert.data[i] == LF) { - len++; - } - } - - s->len = len; - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - return NGX_ERROR; - } - - p = s->data; - - for (i = 0; i < cert.len - 1; i++) { - *p++ = cert.data[i]; - if (cert.data[i] == LF) { - *p++ = '\t'; - } - } - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_subject_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - char *p; - size_t len; - X509 *cert; - X509_NAME *name; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - name = X509_get_subject_name(cert); - if (name == NULL) { - X509_free(cert); - return NGX_ERROR; - } - - p = X509_NAME_oneline(name, NULL, 0); - - for (len = 0; p[len]; len++) { /* void */ } - - s->len = len; - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - OPENSSL_free(p); - X509_free(cert); - return NGX_ERROR; - } - - ngx_memcpy(s->data, p, len); - - OPENSSL_free(p); - X509_free(cert); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_issuer_dn(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - char *p; - size_t len; - X509 *cert; - X509_NAME *name; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - name = X509_get_issuer_name(cert); - if (name == NULL) { - X509_free(cert); - return NGX_ERROR; - } - - p = X509_NAME_oneline(name, NULL, 0); - - for (len = 0; p[len]; len++) { /* void */ } - - s->len = len; - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - OPENSSL_free(p); - X509_free(cert); - return NGX_ERROR; - } - - ngx_memcpy(s->data, p, len); - - OPENSSL_free(p); - X509_free(cert); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_serial_number(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - size_t len; - X509 *cert; - BIO *bio; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - bio = BIO_new(BIO_s_mem()); - if (bio == NULL) { - X509_free(cert); - return NGX_ERROR; - } - - i2a_ASN1_INTEGER(bio, X509_get_serialNumber(cert)); - len = BIO_pending(bio); - - s->len = len; - s->data = ngx_pnalloc(pool, len); - if (s->data == NULL) { - BIO_free(bio); - X509_free(cert); - return NGX_ERROR; - } - - BIO_read(bio, s->data, len); - BIO_free(bio); - X509_free(cert); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_fingerprint(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - X509 *cert; - unsigned int len; - u_char buf[EVP_MAX_MD_SIZE]; - - s->len = 0; - - cert = SSL_get_peer_certificate(c->ssl->connection); - if (cert == NULL) { - return NGX_OK; - } - - if (!X509_digest(cert, EVP_sha1(), buf, &len)) { - X509_free(cert); - return NGX_ERROR; - } - - s->len = 2 * len; - s->data = ngx_pnalloc(pool, 2 * len); - if (s->data == NULL) { - X509_free(cert); - return NGX_ERROR; - } - - ngx_hex_dump(s->data, buf, len); - - X509_free(cert); - - return NGX_OK; -} - - -ngx_int_t -ngx_ssl_get_client_verify(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s) -{ - X509 *cert; - - if (SSL_get_verify_result(c->ssl->connection) != X509_V_OK) { - ngx_str_set(s, "FAILED"); - return NGX_OK; - } - - cert = SSL_get_peer_certificate(c->ssl->connection); - - if (cert) { - ngx_str_set(s, "SUCCESS"); - - } else { - ngx_str_set(s, "NONE"); - } - - X509_free(cert); - - return NGX_OK; -} - - -static void * -ngx_openssl_create_conf(ngx_cycle_t *cycle) -{ - ngx_openssl_conf_t *oscf; - - oscf = ngx_pcalloc(cycle->pool, sizeof(ngx_openssl_conf_t)); - if (oscf == NULL) { - return NULL; - } - - /* - * set by ngx_pcalloc(): - * - * oscf->engine = 0; - */ - - return oscf; -} - - -static char * -ngx_openssl_engine(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) -{ -#ifndef OPENSSL_NO_ENGINE - - ngx_openssl_conf_t *oscf = conf; - - ENGINE *engine; - ngx_str_t *value; - - if (oscf->engine) { - return "is duplicate"; - } - - oscf->engine = 1; - - value = cf->args->elts; - - engine = ENGINE_by_id((char *) value[1].data); - - if (engine == NULL) { - ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, - "ENGINE_by_id(\"%V\") failed", &value[1]); - return NGX_CONF_ERROR; - } - - if (ENGINE_set_default(engine, ENGINE_METHOD_ALL) == 0) { - ngx_ssl_error(NGX_LOG_EMERG, cf->log, 0, - "ENGINE_set_default(\"%V\", ENGINE_METHOD_ALL) failed", - &value[1]); - - ENGINE_free(engine); - - return NGX_CONF_ERROR; - } - - ENGINE_free(engine); - - return NGX_CONF_OK; - -#else - - return "is not supported"; - -#endif -} - - -static void -ngx_openssl_exit(ngx_cycle_t *cycle) -{ -#if OPENSSL_VERSION_NUMBER < 0x10100003L - - EVP_cleanup(); -#ifndef OPENSSL_NO_ENGINE - ENGINE_cleanup(); -#endif - -#endif -} diff --git a/boring-nginx/patch-source/nginx-1.11.5/src/http/ngx_http_upstream.c b/boring-nginx/patch-source/nginx-1.11.5/src/http/ngx_http_upstream.c deleted file mode 100644 index ceb798f..0000000 --- a/boring-nginx/patch-source/nginx-1.11.5/src/http/ngx_http_upstream.c +++ /dev/null @@ -1,6197 +0,0 @@ - -/* - * Copyright (C) Igor Sysoev - * Copyright (C) Nginx, Inc. - */ - - -#include -#include -#include - - -#if (NGX_HTTP_CACHE) -static ngx_int_t ngx_http_upstream_cache(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_cache_get(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_http_file_cache_t **cache); -static ngx_int_t ngx_http_upstream_cache_send(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_cache_status(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_cache_last_modified(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_cache_etag(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -#endif - -static void ngx_http_upstream_init_request(ngx_http_request_t *r); -static void ngx_http_upstream_resolve_handler(ngx_resolver_ctx_t *ctx); -static void ngx_http_upstream_rd_check_broken_connection(ngx_http_request_t *r); -static void ngx_http_upstream_wr_check_broken_connection(ngx_http_request_t *r); -static void ngx_http_upstream_check_broken_connection(ngx_http_request_t *r, - ngx_event_t *ev); -static void ngx_http_upstream_connect(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_reinit(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_send_request(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_uint_t do_write); -static ngx_int_t ngx_http_upstream_send_request_body(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_uint_t do_write); -static void ngx_http_upstream_send_request_handler(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_read_request_handler(ngx_http_request_t *r); -static void ngx_http_upstream_process_header(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_test_next(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_intercept_errors(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static ngx_int_t ngx_http_upstream_test_connect(ngx_connection_t *c); -static ngx_int_t ngx_http_upstream_process_headers(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_process_body_in_memory(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_send_response(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_upgrade(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_upgraded_read_downstream(ngx_http_request_t *r); -static void ngx_http_upstream_upgraded_write_downstream(ngx_http_request_t *r); -static void ngx_http_upstream_upgraded_read_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_upgraded_write_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - ngx_uint_t from_upstream, ngx_uint_t do_write); -static void - ngx_http_upstream_process_non_buffered_downstream(ngx_http_request_t *r); -static void - ngx_http_upstream_process_non_buffered_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void - ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r, - ngx_uint_t do_write); -static ngx_int_t ngx_http_upstream_non_buffered_filter_init(void *data); -static ngx_int_t ngx_http_upstream_non_buffered_filter(void *data, - ssize_t bytes); -#if (NGX_THREADS) -static ngx_int_t ngx_http_upstream_thread_handler(ngx_thread_task_t *task, - ngx_file_t *file); -static void ngx_http_upstream_thread_event_handler(ngx_event_t *ev); -#endif -static ngx_int_t ngx_http_upstream_output_filter(void *data, - ngx_chain_t *chain); -static void ngx_http_upstream_process_downstream(ngx_http_request_t *r); -static void ngx_http_upstream_process_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_process_request(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_store(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_dummy_handler(ngx_http_request_t *r, - ngx_http_upstream_t *u); -static void ngx_http_upstream_next(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_uint_t ft_type); -static void ngx_http_upstream_cleanup(void *data); -static void ngx_http_upstream_finalize_request(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_int_t rc); - -static ngx_int_t ngx_http_upstream_process_header_line(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_content_length(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_last_modified(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_set_cookie(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t - ngx_http_upstream_process_cache_control(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_ignore_header_line(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_expires(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_accel_expires(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_limit_rate(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_buffering(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_charset(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_connection(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t - ngx_http_upstream_process_transfer_encoding(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_process_vary(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_copy_header_line(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t - ngx_http_upstream_copy_multi_header_lines(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_copy_content_type(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_copy_last_modified(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_rewrite_location(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_rewrite_refresh(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_rewrite_set_cookie(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -static ngx_int_t ngx_http_upstream_copy_allow_ranges(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); - -#if (NGX_HTTP_GZIP) -static ngx_int_t ngx_http_upstream_copy_content_encoding(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset); -#endif - -static ngx_int_t ngx_http_upstream_add_variables(ngx_conf_t *cf); -static ngx_int_t ngx_http_upstream_addr_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_status_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_response_time_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data); -static ngx_int_t ngx_http_upstream_response_length_variable( - ngx_http_request_t *r, ngx_http_variable_value_t *v, uintptr_t data); - -static char *ngx_http_upstream(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy); -static char *ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf); - -static ngx_int_t ngx_http_upstream_set_local(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_http_upstream_local_t *local); - -static void *ngx_http_upstream_create_main_conf(ngx_conf_t *cf); -static char *ngx_http_upstream_init_main_conf(ngx_conf_t *cf, void *conf); - -#if (NGX_HTTP_SSL) -static void ngx_http_upstream_ssl_init_connection(ngx_http_request_t *, - ngx_http_upstream_t *u, ngx_connection_t *c); -static void ngx_http_upstream_ssl_handshake(ngx_connection_t *c); -static ngx_int_t ngx_http_upstream_ssl_name(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_connection_t *c); -#endif - - -ngx_http_upstream_header_t ngx_http_upstream_headers_in[] = { - - { ngx_string("Status"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, status), - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("Content-Type"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, content_type), - ngx_http_upstream_copy_content_type, 0, 1 }, - - { ngx_string("Content-Length"), - ngx_http_upstream_process_content_length, 0, - ngx_http_upstream_ignore_header_line, 0, 0 }, - - { ngx_string("Date"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, date), - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, date), 0 }, - - { ngx_string("Last-Modified"), - ngx_http_upstream_process_last_modified, 0, - ngx_http_upstream_copy_last_modified, 0, 0 }, - - { ngx_string("ETag"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, etag), - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, etag), 0 }, - - { ngx_string("Server"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, server), - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, server), 0 }, - - { ngx_string("WWW-Authenticate"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, www_authenticate), - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("Location"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, location), - ngx_http_upstream_rewrite_location, 0, 0 }, - - { ngx_string("Refresh"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_rewrite_refresh, 0, 0 }, - - { ngx_string("Set-Cookie"), - ngx_http_upstream_process_set_cookie, - offsetof(ngx_http_upstream_headers_in_t, cookies), - ngx_http_upstream_rewrite_set_cookie, 0, 1 }, - - { ngx_string("Content-Disposition"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_copy_header_line, 0, 1 }, - - { ngx_string("Cache-Control"), - ngx_http_upstream_process_cache_control, 0, - ngx_http_upstream_copy_multi_header_lines, - offsetof(ngx_http_headers_out_t, cache_control), 1 }, - - { ngx_string("Expires"), - ngx_http_upstream_process_expires, 0, - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, expires), 1 }, - - { ngx_string("Accept-Ranges"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, accept_ranges), - ngx_http_upstream_copy_allow_ranges, - offsetof(ngx_http_headers_out_t, accept_ranges), 1 }, - - { ngx_string("Content-Range"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_copy_header_line, - offsetof(ngx_http_headers_out_t, content_range), 0 }, - - { ngx_string("Connection"), - ngx_http_upstream_process_connection, 0, - ngx_http_upstream_ignore_header_line, 0, 0 }, - - { ngx_string("Keep-Alive"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_ignore_header_line, 0, 0 }, - - { ngx_string("Vary"), - ngx_http_upstream_process_vary, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Powered-By"), - ngx_http_upstream_ignore_header_line, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Expires"), - ngx_http_upstream_process_accel_expires, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Redirect"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, x_accel_redirect), - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Limit-Rate"), - ngx_http_upstream_process_limit_rate, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Buffering"), - ngx_http_upstream_process_buffering, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("X-Accel-Charset"), - ngx_http_upstream_process_charset, 0, - ngx_http_upstream_copy_header_line, 0, 0 }, - - { ngx_string("Transfer-Encoding"), - ngx_http_upstream_process_transfer_encoding, 0, - ngx_http_upstream_ignore_header_line, 0, 0 }, - -#if (NGX_HTTP_GZIP) - { ngx_string("Content-Encoding"), - ngx_http_upstream_process_header_line, - offsetof(ngx_http_upstream_headers_in_t, content_encoding), - ngx_http_upstream_copy_content_encoding, 0, 0 }, -#endif - - { ngx_null_string, NULL, 0, NULL, 0, 0 } -}; - - -static ngx_command_t ngx_http_upstream_commands[] = { - - { ngx_string("upstream"), - NGX_HTTP_MAIN_CONF|NGX_CONF_BLOCK|NGX_CONF_TAKE1, - ngx_http_upstream, - 0, - 0, - NULL }, - - { ngx_string("server"), - NGX_HTTP_UPS_CONF|NGX_CONF_1MORE, - ngx_http_upstream_server, - NGX_HTTP_SRV_CONF_OFFSET, - 0, - NULL }, - - ngx_null_command -}; - - -static ngx_http_module_t ngx_http_upstream_module_ctx = { - ngx_http_upstream_add_variables, /* preconfiguration */ - NULL, /* postconfiguration */ - - ngx_http_upstream_create_main_conf, /* create main configuration */ - ngx_http_upstream_init_main_conf, /* init main configuration */ - - NULL, /* create server configuration */ - NULL, /* merge server configuration */ - - NULL, /* create location configuration */ - NULL /* merge location configuration */ -}; - - -ngx_module_t ngx_http_upstream_module = { - NGX_MODULE_V1, - &ngx_http_upstream_module_ctx, /* module context */ - ngx_http_upstream_commands, /* module directives */ - NGX_HTTP_MODULE, /* module type */ - NULL, /* init master */ - NULL, /* init module */ - NULL, /* init process */ - NULL, /* init thread */ - NULL, /* exit thread */ - NULL, /* exit process */ - NULL, /* exit master */ - NGX_MODULE_V1_PADDING -}; - - -static ngx_http_variable_t ngx_http_upstream_vars[] = { - - { ngx_string("upstream_addr"), NULL, - ngx_http_upstream_addr_variable, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_status"), NULL, - ngx_http_upstream_status_variable, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_connect_time"), NULL, - ngx_http_upstream_response_time_variable, 2, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_header_time"), NULL, - ngx_http_upstream_response_time_variable, 1, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_response_time"), NULL, - ngx_http_upstream_response_time_variable, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_response_length"), NULL, - ngx_http_upstream_response_length_variable, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_bytes_received"), NULL, - ngx_http_upstream_response_length_variable, 1, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - -#if (NGX_HTTP_CACHE) - - { ngx_string("upstream_cache_status"), NULL, - ngx_http_upstream_cache_status, 0, - NGX_HTTP_VAR_NOCACHEABLE, 0 }, - - { ngx_string("upstream_cache_last_modified"), NULL, - ngx_http_upstream_cache_last_modified, 0, - NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, - - { ngx_string("upstream_cache_etag"), NULL, - ngx_http_upstream_cache_etag, 0, - NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, - -#endif - - { ngx_null_string, NULL, NULL, 0, 0, 0 } -}; - - -static ngx_http_upstream_next_t ngx_http_upstream_next_errors[] = { - { 500, NGX_HTTP_UPSTREAM_FT_HTTP_500 }, - { 502, NGX_HTTP_UPSTREAM_FT_HTTP_502 }, - { 503, NGX_HTTP_UPSTREAM_FT_HTTP_503 }, - { 504, NGX_HTTP_UPSTREAM_FT_HTTP_504 }, - { 403, NGX_HTTP_UPSTREAM_FT_HTTP_403 }, - { 404, NGX_HTTP_UPSTREAM_FT_HTTP_404 }, - { 0, 0 } -}; - - -ngx_conf_bitmask_t ngx_http_upstream_cache_method_mask[] = { - { ngx_string("GET"), NGX_HTTP_GET }, - { ngx_string("HEAD"), NGX_HTTP_HEAD }, - { ngx_string("POST"), NGX_HTTP_POST }, - { ngx_null_string, 0 } -}; - - -ngx_conf_bitmask_t ngx_http_upstream_ignore_headers_masks[] = { - { ngx_string("X-Accel-Redirect"), NGX_HTTP_UPSTREAM_IGN_XA_REDIRECT }, - { ngx_string("X-Accel-Expires"), NGX_HTTP_UPSTREAM_IGN_XA_EXPIRES }, - { ngx_string("X-Accel-Limit-Rate"), NGX_HTTP_UPSTREAM_IGN_XA_LIMIT_RATE }, - { ngx_string("X-Accel-Buffering"), NGX_HTTP_UPSTREAM_IGN_XA_BUFFERING }, - { ngx_string("X-Accel-Charset"), NGX_HTTP_UPSTREAM_IGN_XA_CHARSET }, - { ngx_string("Expires"), NGX_HTTP_UPSTREAM_IGN_EXPIRES }, - { ngx_string("Cache-Control"), NGX_HTTP_UPSTREAM_IGN_CACHE_CONTROL }, - { ngx_string("Set-Cookie"), NGX_HTTP_UPSTREAM_IGN_SET_COOKIE }, - { ngx_string("Vary"), NGX_HTTP_UPSTREAM_IGN_VARY }, - { ngx_null_string, 0 } -}; - - -ngx_int_t -ngx_http_upstream_create(ngx_http_request_t *r) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - - if (u && u->cleanup) { - r->main->count++; - ngx_http_upstream_cleanup(r); - } - - u = ngx_pcalloc(r->pool, sizeof(ngx_http_upstream_t)); - if (u == NULL) { - return NGX_ERROR; - } - - r->upstream = u; - - u->peer.log = r->connection->log; - u->peer.log_error = NGX_ERROR_ERR; - -#if (NGX_HTTP_CACHE) - r->cache = NULL; -#endif - - u->headers_in.content_length_n = -1; - u->headers_in.last_modified_time = -1; - - return NGX_OK; -} - - -void -ngx_http_upstream_init(ngx_http_request_t *r) -{ - ngx_connection_t *c; - - c = r->connection; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http init upstream, client timer: %d", c->read->timer_set); - -#if (NGX_HTTP_V2) - if (r->stream) { - ngx_http_upstream_init_request(r); - return; - } -#endif - - if (c->read->timer_set) { - ngx_del_timer(c->read); - } - - if (ngx_event_flags & NGX_USE_CLEAR_EVENT) { - - if (!c->write->active) { - if (ngx_add_event(c->write, NGX_WRITE_EVENT, NGX_CLEAR_EVENT) - == NGX_ERROR) - { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - } - - ngx_http_upstream_init_request(r); -} - - -static void -ngx_http_upstream_init_request(ngx_http_request_t *r) -{ - ngx_str_t *host; - ngx_uint_t i; - ngx_resolver_ctx_t *ctx, temp; - ngx_http_cleanup_t *cln; - ngx_http_upstream_t *u; - ngx_http_core_loc_conf_t *clcf; - ngx_http_upstream_srv_conf_t *uscf, **uscfp; - ngx_http_upstream_main_conf_t *umcf; - - if (r->aio) { - return; - } - - u = r->upstream; - -#if (NGX_HTTP_CACHE) - - if (u->conf->cache) { - ngx_int_t rc; - - rc = ngx_http_upstream_cache(r, u); - - if (rc == NGX_BUSY) { - r->write_event_handler = ngx_http_upstream_init_request; - return; - } - - r->write_event_handler = ngx_http_request_empty_handler; - - if (rc == NGX_ERROR) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - if (rc == NGX_OK) { - rc = ngx_http_upstream_cache_send(r, u); - - if (rc == NGX_DONE) { - return; - } - - if (rc == NGX_HTTP_UPSTREAM_INVALID_HEADER) { - rc = NGX_DECLINED; - r->cached = 0; - } - } - - if (rc != NGX_DECLINED) { - ngx_http_finalize_request(r, rc); - return; - } - } - -#endif - - u->store = u->conf->store; - - if (!u->store && !r->post_action && !u->conf->ignore_client_abort) { - r->read_event_handler = ngx_http_upstream_rd_check_broken_connection; - r->write_event_handler = ngx_http_upstream_wr_check_broken_connection; - } - - if (r->request_body) { - u->request_bufs = r->request_body->bufs; - } - - if (u->create_request(r) != NGX_OK) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - if (ngx_http_upstream_set_local(r, u, u->conf->local) != NGX_OK) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - u->output.alignment = clcf->directio_alignment; - u->output.pool = r->pool; - u->output.bufs.num = 1; - u->output.bufs.size = clcf->client_body_buffer_size; - - if (u->output.output_filter == NULL) { - u->output.output_filter = ngx_chain_writer; - u->output.filter_ctx = &u->writer; - } - - u->writer.pool = r->pool; - - if (r->upstream_states == NULL) { - - r->upstream_states = ngx_array_create(r->pool, 1, - sizeof(ngx_http_upstream_state_t)); - if (r->upstream_states == NULL) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - } else { - - u->state = ngx_array_push(r->upstream_states); - if (u->state == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - ngx_memzero(u->state, sizeof(ngx_http_upstream_state_t)); - } - - cln = ngx_http_cleanup_add(r, 0); - if (cln == NULL) { - ngx_http_finalize_request(r, NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - cln->handler = ngx_http_upstream_cleanup; - cln->data = r; - u->cleanup = &cln->handler; - - if (u->resolved == NULL) { - - uscf = u->conf->upstream; - - } else { - -#if (NGX_HTTP_SSL) - u->ssl_name = u->resolved->host; -#endif - - host = &u->resolved->host; - - if (u->resolved->sockaddr) { - - if (u->resolved->port == 0 - && u->resolved->sockaddr->sa_family != AF_UNIX) - { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "no port in upstream \"%V\"", host); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - if (ngx_http_upstream_create_round_robin_peer(r, u->resolved) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - ngx_http_upstream_connect(r, u); - - return; - } - - umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module); - - uscfp = umcf->upstreams.elts; - - for (i = 0; i < umcf->upstreams.nelts; i++) { - - uscf = uscfp[i]; - - if (uscf->host.len == host->len - && ((uscf->port == 0 && u->resolved->no_port) - || uscf->port == u->resolved->port) - && ngx_strncasecmp(uscf->host.data, host->data, host->len) == 0) - { - goto found; - } - } - - if (u->resolved->port == 0) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "no port in upstream \"%V\"", host); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - temp.name = *host; - - ctx = ngx_resolve_start(clcf->resolver, &temp); - if (ctx == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - if (ctx == NGX_NO_RESOLVER) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "no resolver defined to resolve %V", host); - - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); - return; - } - - ctx->name = *host; - ctx->handler = ngx_http_upstream_resolve_handler; - ctx->data = r; - ctx->timeout = clcf->resolver_timeout; - - u->resolved->ctx = ctx; - - if (ngx_resolve_name(ctx) != NGX_OK) { - u->resolved->ctx = NULL; - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - return; - } - -found: - - if (uscf == NULL) { - ngx_log_error(NGX_LOG_ALERT, r->connection->log, 0, - "no upstream configuration"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->upstream = uscf; - -#if (NGX_HTTP_SSL) - u->ssl_name = uscf->host; -#endif - - if (uscf->peer.init(r, uscf) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->peer.start_time = ngx_current_msec; - - if (u->conf->next_upstream_tries - && u->peer.tries > u->conf->next_upstream_tries) - { - u->peer.tries = u->conf->next_upstream_tries; - } - - ngx_http_upstream_connect(r, u); -} - - -#if (NGX_HTTP_CACHE) - -static ngx_int_t -ngx_http_upstream_cache(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_int_t rc; - ngx_http_cache_t *c; - ngx_http_file_cache_t *cache; - - c = r->cache; - - if (c == NULL) { - - if (!(r->method & u->conf->cache_methods)) { - return NGX_DECLINED; - } - - rc = ngx_http_upstream_cache_get(r, u, &cache); - - if (rc != NGX_OK) { - return rc; - } - - if (r->method == NGX_HTTP_HEAD && u->conf->cache_convert_head) { - u->method = ngx_http_core_get_method; - } - - if (ngx_http_file_cache_new(r) != NGX_OK) { - return NGX_ERROR; - } - - if (u->create_key(r) != NGX_OK) { - return NGX_ERROR; - } - - /* TODO: add keys */ - - ngx_http_file_cache_create_key(r); - - if (r->cache->header_start + 256 >= u->conf->buffer_size) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "%V_buffer_size %uz is not enough for cache key, " - "it should be increased to at least %uz", - &u->conf->module, u->conf->buffer_size, - ngx_align(r->cache->header_start + 256, 1024)); - - r->cache = NULL; - return NGX_DECLINED; - } - - u->cacheable = 1; - - c = r->cache; - - c->body_start = u->conf->buffer_size; - c->min_uses = u->conf->cache_min_uses; - c->file_cache = cache; - - switch (ngx_http_test_predicates(r, u->conf->cache_bypass)) { - - case NGX_ERROR: - return NGX_ERROR; - - case NGX_DECLINED: - u->cache_status = NGX_HTTP_CACHE_BYPASS; - return NGX_DECLINED; - - default: /* NGX_OK */ - break; - } - - c->lock = u->conf->cache_lock; - c->lock_timeout = u->conf->cache_lock_timeout; - c->lock_age = u->conf->cache_lock_age; - - u->cache_status = NGX_HTTP_CACHE_MISS; - } - - rc = ngx_http_file_cache_open(r); - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream cache: %i", rc); - - switch (rc) { - - case NGX_HTTP_CACHE_UPDATING: - - if (u->conf->cache_use_stale & NGX_HTTP_UPSTREAM_FT_UPDATING) { - u->cache_status = rc; - rc = NGX_OK; - - } else { - rc = NGX_HTTP_CACHE_STALE; - } - - break; - - case NGX_OK: - u->cache_status = NGX_HTTP_CACHE_HIT; - } - - switch (rc) { - - case NGX_OK: - - return NGX_OK; - - case NGX_HTTP_CACHE_STALE: - - c->valid_sec = 0; - u->buffer.start = NULL; - u->cache_status = NGX_HTTP_CACHE_EXPIRED; - - break; - - case NGX_DECLINED: - - if ((size_t) (u->buffer.end - u->buffer.start) < u->conf->buffer_size) { - u->buffer.start = NULL; - - } else { - u->buffer.pos = u->buffer.start + c->header_start; - u->buffer.last = u->buffer.pos; - } - - break; - - case NGX_HTTP_CACHE_SCARCE: - - u->cacheable = 0; - - break; - - case NGX_AGAIN: - - return NGX_BUSY; - - case NGX_ERROR: - - return NGX_ERROR; - - default: - - /* cached NGX_HTTP_BAD_GATEWAY, NGX_HTTP_GATEWAY_TIME_OUT, etc. */ - - u->cache_status = NGX_HTTP_CACHE_HIT; - - return rc; - } - - r->cached = 0; - - return NGX_DECLINED; -} - - -static ngx_int_t -ngx_http_upstream_cache_get(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_http_file_cache_t **cache) -{ - ngx_str_t *name, val; - ngx_uint_t i; - ngx_http_file_cache_t **caches; - - if (u->conf->cache_zone) { - *cache = u->conf->cache_zone->data; - return NGX_OK; - } - - if (ngx_http_complex_value(r, u->conf->cache_value, &val) != NGX_OK) { - return NGX_ERROR; - } - - if (val.len == 0 - || (val.len == 3 && ngx_strncmp(val.data, "off", 3) == 0)) - { - return NGX_DECLINED; - } - - caches = u->caches->elts; - - for (i = 0; i < u->caches->nelts; i++) { - name = &caches[i]->shm_zone->shm.name; - - if (name->len == val.len - && ngx_strncmp(name->data, val.data, val.len) == 0) - { - *cache = caches[i]; - return NGX_OK; - } - } - - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "cache \"%V\" not found", &val); - - return NGX_ERROR; -} - - -static ngx_int_t -ngx_http_upstream_cache_send(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_int_t rc; - ngx_http_cache_t *c; - - r->cached = 1; - c = r->cache; - - if (c->header_start == c->body_start) { - r->http_version = NGX_HTTP_VERSION_9; - return ngx_http_cache_send(r); - } - - /* TODO: cache stack */ - - u->buffer = *c->buf; - u->buffer.pos += c->header_start; - - ngx_memzero(&u->headers_in, sizeof(ngx_http_upstream_headers_in_t)); - u->headers_in.content_length_n = -1; - u->headers_in.last_modified_time = -1; - - if (ngx_list_init(&u->headers_in.headers, r->pool, 8, - sizeof(ngx_table_elt_t)) - != NGX_OK) - { - return NGX_ERROR; - } - - rc = u->process_header(r); - - if (rc == NGX_OK) { - - if (ngx_http_upstream_process_headers(r, u) != NGX_OK) { - return NGX_DONE; - } - - return ngx_http_cache_send(r); - } - - if (rc == NGX_ERROR) { - return NGX_ERROR; - } - - /* rc == NGX_HTTP_UPSTREAM_INVALID_HEADER */ - - /* TODO: delete file */ - - return rc; -} - -#endif - - -static void -ngx_http_upstream_resolve_handler(ngx_resolver_ctx_t *ctx) -{ - ngx_connection_t *c; - ngx_http_request_t *r; - ngx_http_upstream_t *u; - ngx_http_upstream_resolved_t *ur; - - r = ctx->data; - c = r->connection; - - u = r->upstream; - ur = u->resolved; - - ngx_http_set_log_request(c->log, r); - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream resolve: \"%V?%V\"", &r->uri, &r->args); - - if (ctx->state) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "%V could not be resolved (%i: %s)", - &ctx->name, ctx->state, - ngx_resolver_strerror(ctx->state)); - - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); - goto failed; - } - - ur->naddrs = ctx->naddrs; - ur->addrs = ctx->addrs; - -#if (NGX_DEBUG) - { - u_char text[NGX_SOCKADDR_STRLEN]; - ngx_str_t addr; - ngx_uint_t i; - - addr.data = text; - - for (i = 0; i < ctx->naddrs; i++) { - addr.len = ngx_sock_ntop(ur->addrs[i].sockaddr, ur->addrs[i].socklen, - text, NGX_SOCKADDR_STRLEN, 0); - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "name was resolved to %V", &addr); - } - } -#endif - - if (ngx_http_upstream_create_round_robin_peer(r, ur) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - goto failed; - } - - ngx_resolve_name_done(ctx); - ur->ctx = NULL; - - u->peer.start_time = ngx_current_msec; - - if (u->conf->next_upstream_tries - && u->peer.tries > u->conf->next_upstream_tries) - { - u->peer.tries = u->conf->next_upstream_tries; - } - - ngx_http_upstream_connect(r, u); - -failed: - - ngx_http_run_posted_requests(c); -} - - -static void -ngx_http_upstream_handler(ngx_event_t *ev) -{ - ngx_connection_t *c; - ngx_http_request_t *r; - ngx_http_upstream_t *u; - - c = ev->data; - r = c->data; - - u = r->upstream; - c = r->connection; - - ngx_http_set_log_request(c->log, r); - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream request: \"%V?%V\"", &r->uri, &r->args); - - if (ev->write) { - u->write_event_handler(r, u); - - } else { - u->read_event_handler(r, u); - } - - ngx_http_run_posted_requests(c); -} - - -static void -ngx_http_upstream_rd_check_broken_connection(ngx_http_request_t *r) -{ - ngx_http_upstream_check_broken_connection(r, r->connection->read); -} - - -static void -ngx_http_upstream_wr_check_broken_connection(ngx_http_request_t *r) -{ - ngx_http_upstream_check_broken_connection(r, r->connection->write); -} - - -static void -ngx_http_upstream_check_broken_connection(ngx_http_request_t *r, - ngx_event_t *ev) -{ - int n; - char buf[1]; - ngx_err_t err; - ngx_int_t event; - ngx_connection_t *c; - ngx_http_upstream_t *u; - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, ev->log, 0, - "http upstream check client, write event:%d, \"%V\"", - ev->write, &r->uri); - - c = r->connection; - u = r->upstream; - - if (c->error) { - if ((ngx_event_flags & NGX_USE_LEVEL_EVENT) && ev->active) { - - event = ev->write ? NGX_WRITE_EVENT : NGX_READ_EVENT; - - if (ngx_del_event(ev, event, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - if (!u->cacheable) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - } - - return; - } - -#if (NGX_HTTP_V2) - if (r->stream) { - return; - } -#endif - -#if (NGX_HAVE_KQUEUE) - - if (ngx_event_flags & NGX_USE_KQUEUE_EVENT) { - - if (!ev->pending_eof) { - return; - } - - ev->eof = 1; - c->error = 1; - - if (ev->kq_errno) { - ev->error = 1; - } - - if (!u->cacheable && u->peer.connection) { - ngx_log_error(NGX_LOG_INFO, ev->log, ev->kq_errno, - "kevent() reported that client prematurely closed " - "connection, so upstream connection is closed too"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - return; - } - - ngx_log_error(NGX_LOG_INFO, ev->log, ev->kq_errno, - "kevent() reported that client prematurely closed " - "connection"); - - if (u->peer.connection == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - } - - return; - } - -#endif - -#if (NGX_HAVE_EPOLLRDHUP) - - if ((ngx_event_flags & NGX_USE_EPOLL_EVENT) && ngx_use_epoll_rdhup) { - socklen_t len; - - if (!ev->pending_eof) { - return; - } - - ev->eof = 1; - c->error = 1; - - err = 0; - len = sizeof(ngx_err_t); - - /* - * BSDs and Linux return 0 and set a pending error in err - * Solaris returns -1 and sets errno - */ - - if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) - == -1) - { - err = ngx_socket_errno; - } - - if (err) { - ev->error = 1; - } - - if (!u->cacheable && u->peer.connection) { - ngx_log_error(NGX_LOG_INFO, ev->log, err, - "epoll_wait() reported that client prematurely closed " - "connection, so upstream connection is closed too"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - return; - } - - ngx_log_error(NGX_LOG_INFO, ev->log, err, - "epoll_wait() reported that client prematurely closed " - "connection"); - - if (u->peer.connection == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - } - - return; - } - -#endif - - n = recv(c->fd, buf, 1, MSG_PEEK); - - err = ngx_socket_errno; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, ev->log, err, - "http upstream recv(): %d", n); - - if (ev->write && (n >= 0 || err == NGX_EAGAIN)) { - return; - } - - if ((ngx_event_flags & NGX_USE_LEVEL_EVENT) && ev->active) { - - event = ev->write ? NGX_WRITE_EVENT : NGX_READ_EVENT; - - if (ngx_del_event(ev, event, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - if (n > 0) { - return; - } - - if (n == -1) { - if (err == NGX_EAGAIN) { - return; - } - - ev->error = 1; - - } else { /* n == 0 */ - err = 0; - } - - ev->eof = 1; - c->error = 1; - - if (!u->cacheable && u->peer.connection) { - ngx_log_error(NGX_LOG_INFO, ev->log, err, - "client prematurely closed connection, " - "so upstream connection is closed too"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - return; - } - - ngx_log_error(NGX_LOG_INFO, ev->log, err, - "client prematurely closed connection"); - - if (u->peer.connection == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - } -} - - -static void -ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_int_t rc; - ngx_connection_t *c; - - r->connection->log->action = "connecting to upstream"; - - if (u->state && u->state->response_time) { - u->state->response_time = ngx_current_msec - u->state->response_time; - } - - u->state = ngx_array_push(r->upstream_states); - if (u->state == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - ngx_memzero(u->state, sizeof(ngx_http_upstream_state_t)); - - u->state->response_time = ngx_current_msec; - u->state->connect_time = (ngx_msec_t) -1; - u->state->header_time = (ngx_msec_t) -1; - - rc = ngx_event_connect_peer(&u->peer); - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream connect: %i", rc); - - if (rc == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->state->peer = u->peer.name; - - if (rc == NGX_BUSY) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, "no live upstreams"); - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_NOLIVE); - return; - } - - if (rc == NGX_DECLINED) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - /* rc == NGX_OK || rc == NGX_AGAIN || rc == NGX_DONE */ - - c = u->peer.connection; - - c->data = r; - - c->write->handler = ngx_http_upstream_handler; - c->read->handler = ngx_http_upstream_handler; - - u->write_event_handler = ngx_http_upstream_send_request_handler; - u->read_event_handler = ngx_http_upstream_process_header; - - c->sendfile &= r->connection->sendfile; - u->output.sendfile = c->sendfile; - - if (c->pool == NULL) { - - /* we need separate pool here to be able to cache SSL connections */ - - c->pool = ngx_create_pool(128, r->connection->log); - if (c->pool == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - c->log = r->connection->log; - c->pool->log = c->log; - c->read->log = c->log; - c->write->log = c->log; - - /* init or reinit the ngx_output_chain() and ngx_chain_writer() contexts */ - - u->writer.out = NULL; - u->writer.last = &u->writer.out; - u->writer.connection = c; - u->writer.limit = 0; - - if (u->request_sent) { - if (ngx_http_upstream_reinit(r, u) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - if (r->request_body - && r->request_body->buf - && r->request_body->temp_file - && r == r->main) - { - /* - * the r->request_body->buf can be reused for one request only, - * the subrequests should allocate their own temporary bufs - */ - - u->output.free = ngx_alloc_chain_link(r->pool); - if (u->output.free == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->output.free->buf = r->request_body->buf; - u->output.free->next = NULL; - u->output.allocated = 1; - - r->request_body->buf->pos = r->request_body->buf->start; - r->request_body->buf->last = r->request_body->buf->start; - r->request_body->buf->tag = u->output.tag; - } - - u->request_sent = 0; - u->request_body_sent = 0; - - if (rc == NGX_AGAIN) { - ngx_add_timer(c->write, u->conf->connect_timeout); - return; - } - -#if (NGX_HTTP_SSL) - - if (u->ssl && c->ssl == NULL) { - ngx_http_upstream_ssl_init_connection(r, u, c); - return; - } - -#endif - - ngx_http_upstream_send_request(r, u, 1); -} - - -#if (NGX_HTTP_SSL) - -static void -ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_connection_t *c) -{ - int tcp_nodelay; - ngx_int_t rc; - ngx_http_core_loc_conf_t *clcf; - - if (ngx_http_upstream_test_connect(c) != NGX_OK) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - if (ngx_ssl_create_connection(u->conf->ssl, c, - NGX_SSL_BUFFER|NGX_SSL_CLIENT) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - c->sendfile = 0; - u->output.sendfile = 0; - - if (u->conf->ssl_server_name || u->conf->ssl_verify) { - if (ngx_http_upstream_ssl_name(r, u, c) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - } - - if (u->conf->ssl_session_reuse) { - if (u->peer.set_session(&u->peer, u->peer.data) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - /* abbreviated SSL handshake may interact badly with Nagle */ - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (clcf->tcp_nodelay && c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "tcp_nodelay"); - - tcp_nodelay = 1; - - if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(c, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - c->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - } - - r->connection->log->action = "SSL handshaking to upstream"; - - rc = ngx_ssl_handshake(c); - - if (rc == NGX_AGAIN) { - - if (!c->write->timer_set) { - ngx_add_timer(c->write, u->conf->connect_timeout); - } - - c->ssl->handler = ngx_http_upstream_ssl_handshake; - return; - } - - ngx_http_upstream_ssl_handshake(c); -} - - -static void -ngx_http_upstream_ssl_handshake(ngx_connection_t *c) -{ - long rc; - ngx_http_request_t *r; - ngx_http_upstream_t *u; - - r = c->data; - u = r->upstream; - - ngx_http_set_log_request(c->log, r); - - if (c->ssl->handshaked) { - - if (u->conf->ssl_verify) { - rc = SSL_get_verify_result(c->ssl->connection); - - if (rc != X509_V_OK) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "upstream SSL certificate verify error: (%l:%s)", - rc, X509_verify_cert_error_string(rc)); - goto failed; - } - - if (ngx_ssl_check_host(c, &u->ssl_name) != NGX_OK) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "upstream SSL certificate does not match \"%V\"", - &u->ssl_name); - goto failed; - } - } - - if (u->conf->ssl_session_reuse) { - u->peer.save_session(&u->peer, u->peer.data); - } - - c->write->handler = ngx_http_upstream_handler; - c->read->handler = ngx_http_upstream_handler; - - c = r->connection; - - ngx_http_upstream_send_request(r, u, 1); - - ngx_http_run_posted_requests(c); - return; - } - -failed: - - c = r->connection; - - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - - ngx_http_run_posted_requests(c); -} - - -static ngx_int_t -ngx_http_upstream_ssl_name(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_connection_t *c) -{ - u_char *p, *last; - ngx_str_t name; - - if (u->conf->ssl_name) { - if (ngx_http_complex_value(r, u->conf->ssl_name, &name) != NGX_OK) { - return NGX_ERROR; - } - - } else { - name = u->ssl_name; - } - - if (name.len == 0) { - goto done; - } - - /* - * ssl name here may contain port, notably if derived from $proxy_host - * or $http_host; we have to strip it - */ - - p = name.data; - last = name.data + name.len; - - if (*p == '[') { - p = ngx_strlchr(p, last, ']'); - - if (p == NULL) { - p = name.data; - } - } - - p = ngx_strlchr(p, last, ':'); - - if (p != NULL) { - name.len = p - name.data; - } - - if (!u->conf->ssl_server_name) { - goto done; - } - -#ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME - - /* as per RFC 6066, literal IPv4 and IPv6 addresses are not permitted */ - - if (name.len == 0 || *name.data == '[') { - goto done; - } - - if (ngx_inet_addr(name.data, name.len) != INADDR_NONE) { - goto done; - } - - /* - * SSL_set_tlsext_host_name() needs a null-terminated string, - * hence we explicitly null-terminate name here - */ - - p = ngx_pnalloc(r->pool, name.len + 1); - if (p == NULL) { - return NGX_ERROR; - } - - (void) ngx_cpystrn(p, name.data, name.len + 1); - - name.data = p; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "upstream SSL server name: \"%s\"", name.data); - - if (SSL_set_tlsext_host_name(c->ssl->connection, name.data) == 0) { - ngx_ssl_error(NGX_LOG_ERR, r->connection->log, 0, - "SSL_set_tlsext_host_name(\"%s\") failed", name.data); - return NGX_ERROR; - } - -#endif - -done: - - u->ssl_name = name; - - return NGX_OK; -} - -#endif - - -static ngx_int_t -ngx_http_upstream_reinit(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - off_t file_pos; - ngx_chain_t *cl; - - if (u->reinit_request(r) != NGX_OK) { - return NGX_ERROR; - } - - u->keepalive = 0; - u->upgrade = 0; - - ngx_memzero(&u->headers_in, sizeof(ngx_http_upstream_headers_in_t)); - u->headers_in.content_length_n = -1; - u->headers_in.last_modified_time = -1; - - if (ngx_list_init(&u->headers_in.headers, r->pool, 8, - sizeof(ngx_table_elt_t)) - != NGX_OK) - { - return NGX_ERROR; - } - - /* reinit the request chain */ - - file_pos = 0; - - for (cl = u->request_bufs; cl; cl = cl->next) { - cl->buf->pos = cl->buf->start; - - /* there is at most one file */ - - if (cl->buf->in_file) { - cl->buf->file_pos = file_pos; - file_pos = cl->buf->file_last; - } - } - - /* reinit the subrequest's ngx_output_chain() context */ - - if (r->request_body && r->request_body->temp_file - && r != r->main && u->output.buf) - { - u->output.free = ngx_alloc_chain_link(r->pool); - if (u->output.free == NULL) { - return NGX_ERROR; - } - - u->output.free->buf = u->output.buf; - u->output.free->next = NULL; - - u->output.buf->pos = u->output.buf->start; - u->output.buf->last = u->output.buf->start; - } - - u->output.buf = NULL; - u->output.in = NULL; - u->output.busy = NULL; - - /* reinit u->buffer */ - - u->buffer.pos = u->buffer.start; - -#if (NGX_HTTP_CACHE) - - if (r->cache) { - u->buffer.pos += r->cache->header_start; - } - -#endif - - u->buffer.last = u->buffer.pos; - - return NGX_OK; -} - - -static void -ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_uint_t do_write) -{ - ngx_int_t rc; - ngx_connection_t *c; - - c = u->peer.connection; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream send request"); - - if (u->state->connect_time == (ngx_msec_t) -1) { - u->state->connect_time = ngx_current_msec - u->state->response_time; - } - - if (!u->request_sent && ngx_http_upstream_test_connect(c) != NGX_OK) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - c->log->action = "sending request to upstream"; - - rc = ngx_http_upstream_send_request_body(r, u, do_write); - - if (rc == NGX_ERROR) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - ngx_http_upstream_finalize_request(r, u, rc); - return; - } - - if (rc == NGX_AGAIN) { - if (!c->write->ready) { - ngx_add_timer(c->write, u->conf->send_timeout); - - } else if (c->write->timer_set) { - ngx_del_timer(c->write); - } - - if (ngx_handle_write_event(c->write, u->conf->send_lowat) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - return; - } - - /* rc == NGX_OK */ - - u->request_body_sent = 1; - - if (c->write->timer_set) { - ngx_del_timer(c->write); - } - - if (c->tcp_nopush == NGX_TCP_NOPUSH_SET) { - if (ngx_tcp_push(c->fd) == NGX_ERROR) { - ngx_log_error(NGX_LOG_CRIT, c->log, ngx_socket_errno, - ngx_tcp_push_n " failed"); - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - c->tcp_nopush = NGX_TCP_NOPUSH_UNSET; - } - - u->write_event_handler = ngx_http_upstream_dummy_handler; - - if (ngx_handle_write_event(c->write, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - ngx_add_timer(c->read, u->conf->read_timeout); - - if (c->read->ready) { - ngx_http_upstream_process_header(r, u); - return; - } -} - - -static ngx_int_t -ngx_http_upstream_send_request_body(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_uint_t do_write) -{ - int tcp_nodelay; - ngx_int_t rc; - ngx_chain_t *out, *cl, *ln; - ngx_connection_t *c; - ngx_http_core_loc_conf_t *clcf; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream send request body"); - - if (!r->request_body_no_buffering) { - - /* buffered request body */ - - if (!u->request_sent) { - u->request_sent = 1; - out = u->request_bufs; - - } else { - out = NULL; - } - - return ngx_output_chain(&u->output, out); - } - - if (!u->request_sent) { - u->request_sent = 1; - out = u->request_bufs; - - if (r->request_body->bufs) { - for (cl = out; cl->next; cl = out->next) { /* void */ } - cl->next = r->request_body->bufs; - r->request_body->bufs = NULL; - } - - c = u->peer.connection; - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (clcf->tcp_nodelay && c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "tcp_nodelay"); - - tcp_nodelay = 1; - - if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(c, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - return NGX_ERROR; - } - - c->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - - r->read_event_handler = ngx_http_upstream_read_request_handler; - - } else { - out = NULL; - } - - for ( ;; ) { - - if (do_write) { - rc = ngx_output_chain(&u->output, out); - - if (rc == NGX_ERROR) { - return NGX_ERROR; - } - - while (out) { - ln = out; - out = out->next; - ngx_free_chain(r->pool, ln); - } - - if (rc == NGX_OK && !r->reading_body) { - break; - } - } - - if (r->reading_body) { - /* read client request body */ - - rc = ngx_http_read_unbuffered_request_body(r); - - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - return rc; - } - - out = r->request_body->bufs; - r->request_body->bufs = NULL; - } - - /* stop if there is nothing to send */ - - if (out == NULL) { - rc = NGX_AGAIN; - break; - } - - do_write = 1; - } - - if (!r->reading_body) { - if (!u->store && !r->post_action && !u->conf->ignore_client_abort) { - r->read_event_handler = - ngx_http_upstream_rd_check_broken_connection; - } - } - - return rc; -} - - -static void -ngx_http_upstream_send_request_handler(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_connection_t *c; - - c = u->peer.connection; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream send request handler"); - - if (c->write->timedout) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_TIMEOUT); - return; - } - -#if (NGX_HTTP_SSL) - - if (u->ssl && c->ssl == NULL) { - ngx_http_upstream_ssl_init_connection(r, u, c); - return; - } - -#endif - - if (u->header_sent) { - u->write_event_handler = ngx_http_upstream_dummy_handler; - - (void) ngx_handle_write_event(c->write, 0); - - return; - } - - ngx_http_upstream_send_request(r, u, 1); -} - - -static void -ngx_http_upstream_read_request_handler(ngx_http_request_t *r) -{ - ngx_connection_t *c; - ngx_http_upstream_t *u; - - c = r->connection; - u = r->upstream; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream read request handler"); - - if (c->read->timedout) { - c->timedout = 1; - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_REQUEST_TIME_OUT); - return; - } - - ngx_http_upstream_send_request(r, u, 0); -} - - -static void -ngx_http_upstream_process_header(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ssize_t n; - ngx_int_t rc; - ngx_connection_t *c; - - c = u->peer.connection; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process header"); - - c->log->action = "reading response header from upstream"; - - if (c->read->timedout) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_TIMEOUT); - return; - } - - if (!u->request_sent && ngx_http_upstream_test_connect(c) != NGX_OK) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - if (u->buffer.start == NULL) { - u->buffer.start = ngx_palloc(r->pool, u->conf->buffer_size); - if (u->buffer.start == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - u->buffer.pos = u->buffer.start; - u->buffer.last = u->buffer.start; - u->buffer.end = u->buffer.start + u->conf->buffer_size; - u->buffer.temporary = 1; - - u->buffer.tag = u->output.tag; - - if (ngx_list_init(&u->headers_in.headers, r->pool, 8, - sizeof(ngx_table_elt_t)) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - -#if (NGX_HTTP_CACHE) - - if (r->cache) { - u->buffer.pos += r->cache->header_start; - u->buffer.last = u->buffer.pos; - } -#endif - } - - for ( ;; ) { - - n = c->recv(c, u->buffer.last, u->buffer.end - u->buffer.last); - - if (n == NGX_AGAIN) { -#if 0 - ngx_add_timer(rev, u->read_timeout); -#endif - - if (ngx_handle_read_event(c->read, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - return; - } - - if (n == 0) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "upstream prematurely closed connection"); - } - - if (n == NGX_ERROR || n == 0) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_ERROR); - return; - } - - u->state->bytes_received += n; - - u->buffer.last += n; - -#if 0 - u->valid_header_in = 0; - - u->peer.cached = 0; -#endif - - rc = u->process_header(r); - - if (rc == NGX_AGAIN) { - - if (u->buffer.last == u->buffer.end) { - ngx_log_error(NGX_LOG_ERR, c->log, 0, - "upstream sent too big header"); - - ngx_http_upstream_next(r, u, - NGX_HTTP_UPSTREAM_FT_INVALID_HEADER); - return; - } - - continue; - } - - break; - } - - if (rc == NGX_HTTP_UPSTREAM_INVALID_HEADER) { - ngx_http_upstream_next(r, u, NGX_HTTP_UPSTREAM_FT_INVALID_HEADER); - return; - } - - if (rc == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return; - } - - /* rc == NGX_OK */ - - u->state->header_time = ngx_current_msec - u->state->response_time; - - if (u->headers_in.status_n >= NGX_HTTP_SPECIAL_RESPONSE) { - - if (ngx_http_upstream_test_next(r, u) == NGX_OK) { - return; - } - - if (ngx_http_upstream_intercept_errors(r, u) == NGX_OK) { - return; - } - } - - if (ngx_http_upstream_process_headers(r, u) != NGX_OK) { - return; - } - - if (!r->subrequest_in_memory) { - ngx_http_upstream_send_response(r, u); - return; - } - - /* subrequest content in memory */ - - if (u->input_filter == NULL) { - u->input_filter_init = ngx_http_upstream_non_buffered_filter_init; - u->input_filter = ngx_http_upstream_non_buffered_filter; - u->input_filter_ctx = r; - } - - if (u->input_filter_init(u->input_filter_ctx) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - n = u->buffer.last - u->buffer.pos; - - if (n) { - u->buffer.last = u->buffer.pos; - - u->state->response_length += n; - - if (u->input_filter(u->input_filter_ctx, n) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - if (u->length == 0) { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - u->read_event_handler = ngx_http_upstream_process_body_in_memory; - - ngx_http_upstream_process_body_in_memory(r, u); -} - - -static ngx_int_t -ngx_http_upstream_test_next(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_uint_t status; - ngx_http_upstream_next_t *un; - - status = u->headers_in.status_n; - - for (un = ngx_http_upstream_next_errors; un->status; un++) { - - if (status != un->status) { - continue; - } - - if (u->peer.tries > 1 && (u->conf->next_upstream & un->mask)) { - ngx_http_upstream_next(r, u, un->mask); - return NGX_OK; - } - -#if (NGX_HTTP_CACHE) - - if (u->cache_status == NGX_HTTP_CACHE_EXPIRED - && (u->conf->cache_use_stale & un->mask)) - { - ngx_int_t rc; - - rc = u->reinit_request(r); - - if (rc == NGX_OK) { - u->cache_status = NGX_HTTP_CACHE_STALE; - rc = ngx_http_upstream_cache_send(r, u); - } - - ngx_http_upstream_finalize_request(r, u, rc); - return NGX_OK; - } - -#endif - } - -#if (NGX_HTTP_CACHE) - - if (status == NGX_HTTP_NOT_MODIFIED - && u->cache_status == NGX_HTTP_CACHE_EXPIRED - && u->conf->cache_revalidate) - { - time_t now, valid; - ngx_int_t rc; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream not modified"); - - now = ngx_time(); - valid = r->cache->valid_sec; - - rc = u->reinit_request(r); - - if (rc != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, rc); - return NGX_OK; - } - - u->cache_status = NGX_HTTP_CACHE_REVALIDATED; - rc = ngx_http_upstream_cache_send(r, u); - - if (valid == 0) { - valid = r->cache->valid_sec; - } - - if (valid == 0) { - valid = ngx_http_file_cache_valid(u->conf->cache_valid, - u->headers_in.status_n); - if (valid) { - valid = now + valid; - } - } - - if (valid) { - r->cache->valid_sec = valid; - r->cache->date = now; - - ngx_http_file_cache_update_header(r); - } - - ngx_http_upstream_finalize_request(r, u, rc); - return NGX_OK; - } - -#endif - - return NGX_DECLINED; -} - - -static ngx_int_t -ngx_http_upstream_intercept_errors(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_int_t status; - ngx_uint_t i; - ngx_table_elt_t *h; - ngx_http_err_page_t *err_page; - ngx_http_core_loc_conf_t *clcf; - - status = u->headers_in.status_n; - - if (status == NGX_HTTP_NOT_FOUND && u->conf->intercept_404) { - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_NOT_FOUND); - return NGX_OK; - } - - if (!u->conf->intercept_errors) { - return NGX_DECLINED; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (clcf->error_pages == NULL) { - return NGX_DECLINED; - } - - err_page = clcf->error_pages->elts; - for (i = 0; i < clcf->error_pages->nelts; i++) { - - if (err_page[i].status == status) { - - if (status == NGX_HTTP_UNAUTHORIZED - && u->headers_in.www_authenticate) - { - h = ngx_list_push(&r->headers_out.headers); - - if (h == NULL) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return NGX_OK; - } - - *h = *u->headers_in.www_authenticate; - - r->headers_out.www_authenticate = h; - } - -#if (NGX_HTTP_CACHE) - - if (r->cache) { - time_t valid; - - valid = ngx_http_file_cache_valid(u->conf->cache_valid, status); - - if (valid) { - r->cache->valid_sec = ngx_time() + valid; - r->cache->error = status; - } - - ngx_http_file_cache_free(r->cache, u->pipe->temp_file); - } -#endif - ngx_http_upstream_finalize_request(r, u, status); - - return NGX_OK; - } - } - - return NGX_DECLINED; -} - - -static ngx_int_t -ngx_http_upstream_test_connect(ngx_connection_t *c) -{ - int err; - socklen_t len; - -#if (NGX_HAVE_KQUEUE) - - if (ngx_event_flags & NGX_USE_KQUEUE_EVENT) { - if (c->write->pending_eof || c->read->pending_eof) { - if (c->write->pending_eof) { - err = c->write->kq_errno; - - } else { - err = c->read->kq_errno; - } - - c->log->action = "connecting to upstream"; - (void) ngx_connection_error(c, err, - "kevent() reported that connect() failed"); - return NGX_ERROR; - } - - } else -#endif - { - err = 0; - len = sizeof(int); - - /* - * BSDs and Linux return 0 and set a pending error in err - * Solaris returns -1 and sets errno - */ - - if (getsockopt(c->fd, SOL_SOCKET, SO_ERROR, (void *) &err, &len) - == -1) - { - err = ngx_socket_errno; - } - - if (err) { - c->log->action = "connecting to upstream"; - (void) ngx_connection_error(c, err, "connect() failed"); - return NGX_ERROR; - } - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_headers(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_str_t uri, args; - ngx_uint_t i, flags; - ngx_list_part_t *part; - ngx_table_elt_t *h; - ngx_http_upstream_header_t *hh; - ngx_http_upstream_main_conf_t *umcf; - - umcf = ngx_http_get_module_main_conf(r, ngx_http_upstream_module); - - if (u->headers_in.x_accel_redirect - && !(u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_REDIRECT)) - { - ngx_http_upstream_finalize_request(r, u, NGX_DECLINED); - - part = &u->headers_in.headers.part; - h = part->elts; - - for (i = 0; /* void */; i++) { - - if (i >= part->nelts) { - if (part->next == NULL) { - break; - } - - part = part->next; - h = part->elts; - i = 0; - } - - hh = ngx_hash_find(&umcf->headers_in_hash, h[i].hash, - h[i].lowcase_key, h[i].key.len); - - if (hh && hh->redirect) { - if (hh->copy_handler(r, &h[i], hh->conf) != NGX_OK) { - ngx_http_finalize_request(r, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return NGX_DONE; - } - } - } - - uri = u->headers_in.x_accel_redirect->value; - - if (uri.data[0] == '@') { - ngx_http_named_location(r, &uri); - - } else { - ngx_str_null(&args); - flags = NGX_HTTP_LOG_UNSAFE; - - if (ngx_http_parse_unsafe_uri(r, &uri, &args, &flags) != NGX_OK) { - ngx_http_finalize_request(r, NGX_HTTP_NOT_FOUND); - return NGX_DONE; - } - - if (r->method != NGX_HTTP_HEAD) { - r->method = NGX_HTTP_GET; - r->method_name = ngx_http_core_get_method; - } - - ngx_http_internal_redirect(r, &uri, &args); - } - - ngx_http_finalize_request(r, NGX_DONE); - return NGX_DONE; - } - - part = &u->headers_in.headers.part; - h = part->elts; - - for (i = 0; /* void */; i++) { - - if (i >= part->nelts) { - if (part->next == NULL) { - break; - } - - part = part->next; - h = part->elts; - i = 0; - } - - if (ngx_hash_find(&u->conf->hide_headers_hash, h[i].hash, - h[i].lowcase_key, h[i].key.len)) - { - continue; - } - - hh = ngx_hash_find(&umcf->headers_in_hash, h[i].hash, - h[i].lowcase_key, h[i].key.len); - - if (hh) { - if (hh->copy_handler(r, &h[i], hh->conf) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return NGX_DONE; - } - - continue; - } - - if (ngx_http_upstream_copy_header_line(r, &h[i], 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_INTERNAL_SERVER_ERROR); - return NGX_DONE; - } - } - - if (r->headers_out.server && r->headers_out.server->value.data == NULL) { - r->headers_out.server->hash = 0; - } - - if (r->headers_out.date && r->headers_out.date->value.data == NULL) { - r->headers_out.date->hash = 0; - } - - r->headers_out.status = u->headers_in.status_n; - r->headers_out.status_line = u->headers_in.status_line; - - r->headers_out.content_length_n = u->headers_in.content_length_n; - - r->disable_not_modified = !u->cacheable; - - if (u->conf->force_ranges) { - r->allow_ranges = 1; - r->single_range = 1; - -#if (NGX_HTTP_CACHE) - if (r->cached) { - r->single_range = 0; - } -#endif - } - - u->length = -1; - - return NGX_OK; -} - - -static void -ngx_http_upstream_process_body_in_memory(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - size_t size; - ssize_t n; - ngx_buf_t *b; - ngx_event_t *rev; - ngx_connection_t *c; - - c = u->peer.connection; - rev = c->read; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process body on memory"); - - if (rev->timedout) { - ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_GATEWAY_TIME_OUT); - return; - } - - b = &u->buffer; - - for ( ;; ) { - - size = b->end - b->last; - - if (size == 0) { - ngx_log_error(NGX_LOG_ALERT, c->log, 0, - "upstream buffer is too small to read response"); - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - n = c->recv(c, b->last, size); - - if (n == NGX_AGAIN) { - break; - } - - if (n == 0 || n == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, n); - return; - } - - u->state->bytes_received += n; - u->state->response_length += n; - - if (u->input_filter(u->input_filter_ctx, n) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (!rev->ready) { - break; - } - } - - if (u->length == 0) { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - if (ngx_handle_read_event(rev, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (rev->active) { - ngx_add_timer(rev, u->conf->read_timeout); - - } else if (rev->timer_set) { - ngx_del_timer(rev); - } -} - - -static void -ngx_http_upstream_send_response(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - int tcp_nodelay; - ssize_t n; - ngx_int_t rc; - ngx_event_pipe_t *p; - ngx_connection_t *c; - ngx_http_core_loc_conf_t *clcf; - - rc = ngx_http_send_header(r); - - if (rc == NGX_ERROR || rc > NGX_OK || r->post_action) { - ngx_http_upstream_finalize_request(r, u, rc); - return; - } - - u->header_sent = 1; - - if (u->upgrade) { - ngx_http_upstream_upgrade(r, u); - return; - } - - c = r->connection; - - if (r->header_only) { - - if (!u->buffering) { - ngx_http_upstream_finalize_request(r, u, rc); - return; - } - - if (!u->cacheable && !u->store) { - ngx_http_upstream_finalize_request(r, u, rc); - return; - } - - u->pipe->downstream_error = 1; - } - - if (r->request_body && r->request_body->temp_file) { - ngx_pool_run_cleanup_file(r->pool, r->request_body->temp_file->file.fd); - r->request_body->temp_file->file.fd = NGX_INVALID_FILE; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (!u->buffering) { - - if (u->input_filter == NULL) { - u->input_filter_init = ngx_http_upstream_non_buffered_filter_init; - u->input_filter = ngx_http_upstream_non_buffered_filter; - u->input_filter_ctx = r; - } - - u->read_event_handler = ngx_http_upstream_process_non_buffered_upstream; - r->write_event_handler = - ngx_http_upstream_process_non_buffered_downstream; - - r->limit_rate = 0; - - if (u->input_filter_init(u->input_filter_ctx) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (clcf->tcp_nodelay && c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "tcp_nodelay"); - - tcp_nodelay = 1; - - if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(c, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - c->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - - n = u->buffer.last - u->buffer.pos; - - if (n) { - u->buffer.last = u->buffer.pos; - - u->state->response_length += n; - - if (u->input_filter(u->input_filter_ctx, n) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - ngx_http_upstream_process_non_buffered_downstream(r); - - } else { - u->buffer.pos = u->buffer.start; - u->buffer.last = u->buffer.start; - - if (ngx_http_send_special(r, NGX_HTTP_FLUSH) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (u->peer.connection->read->ready || u->length == 0) { - ngx_http_upstream_process_non_buffered_upstream(r, u); - } - } - - return; - } - - /* TODO: preallocate event_pipe bufs, look "Content-Length" */ - -#if (NGX_HTTP_CACHE) - - if (r->cache && r->cache->file.fd != NGX_INVALID_FILE) { - ngx_pool_run_cleanup_file(r->pool, r->cache->file.fd); - r->cache->file.fd = NGX_INVALID_FILE; - } - - switch (ngx_http_test_predicates(r, u->conf->no_cache)) { - - case NGX_ERROR: - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - - case NGX_DECLINED: - u->cacheable = 0; - break; - - default: /* NGX_OK */ - - if (u->cache_status == NGX_HTTP_CACHE_BYPASS) { - - /* create cache if previously bypassed */ - - if (ngx_http_file_cache_create(r) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - break; - } - - if (u->cacheable) { - time_t now, valid; - - now = ngx_time(); - - valid = r->cache->valid_sec; - - if (valid == 0) { - valid = ngx_http_file_cache_valid(u->conf->cache_valid, - u->headers_in.status_n); - if (valid) { - r->cache->valid_sec = now + valid; - } - } - - if (valid) { - r->cache->date = now; - r->cache->body_start = (u_short) (u->buffer.pos - u->buffer.start); - - if (u->headers_in.status_n == NGX_HTTP_OK - || u->headers_in.status_n == NGX_HTTP_PARTIAL_CONTENT) - { - r->cache->last_modified = u->headers_in.last_modified_time; - - if (u->headers_in.etag) { - r->cache->etag = u->headers_in.etag->value; - - } else { - ngx_str_null(&r->cache->etag); - } - - } else { - r->cache->last_modified = -1; - ngx_str_null(&r->cache->etag); - } - - if (ngx_http_file_cache_set_header(r, u->buffer.start) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - } else { - u->cacheable = 0; - } - } - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http cacheable: %d", u->cacheable); - - if (u->cacheable == 0 && r->cache) { - ngx_http_file_cache_free(r->cache, u->pipe->temp_file); - } - - if (r->header_only && !u->cacheable && !u->store) { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - -#endif - - p = u->pipe; - - p->output_filter = ngx_http_upstream_output_filter; - p->output_ctx = r; - p->tag = u->output.tag; - p->bufs = u->conf->bufs; - p->busy_size = u->conf->busy_buffers_size; - p->upstream = u->peer.connection; - p->downstream = c; - p->pool = r->pool; - p->log = c->log; - p->limit_rate = u->conf->limit_rate; - p->start_sec = ngx_time(); - - p->cacheable = u->cacheable || u->store; - - p->temp_file = ngx_pcalloc(r->pool, sizeof(ngx_temp_file_t)); - if (p->temp_file == NULL) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - p->temp_file->file.fd = NGX_INVALID_FILE; - p->temp_file->file.log = c->log; - p->temp_file->path = u->conf->temp_path; - p->temp_file->pool = r->pool; - - if (p->cacheable) { - p->temp_file->persistent = 1; - -#if (NGX_HTTP_CACHE) - if (r->cache && r->cache->file_cache->temp_path) { - p->temp_file->path = r->cache->file_cache->temp_path; - } -#endif - - } else { - p->temp_file->log_level = NGX_LOG_WARN; - p->temp_file->warn = "an upstream response is buffered " - "to a temporary file"; - } - - p->max_temp_file_size = u->conf->max_temp_file_size; - p->temp_file_write_size = u->conf->temp_file_write_size; - -#if (NGX_THREADS) - if (clcf->aio == NGX_HTTP_AIO_THREADS && clcf->aio_write) { - p->thread_handler = ngx_http_upstream_thread_handler; - p->thread_ctx = r; - } -#endif - - p->preread_bufs = ngx_alloc_chain_link(r->pool); - if (p->preread_bufs == NULL) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - p->preread_bufs->buf = &u->buffer; - p->preread_bufs->next = NULL; - u->buffer.recycled = 1; - - p->preread_size = u->buffer.last - u->buffer.pos; - - if (u->cacheable) { - - p->buf_to_file = ngx_calloc_buf(r->pool); - if (p->buf_to_file == NULL) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - p->buf_to_file->start = u->buffer.start; - p->buf_to_file->pos = u->buffer.start; - p->buf_to_file->last = u->buffer.pos; - p->buf_to_file->temporary = 1; - } - - if (ngx_event_flags & NGX_USE_IOCP_EVENT) { - /* the posted aio operation may corrupt a shadow buffer */ - p->single_buf = 1; - } - - /* TODO: p->free_bufs = 0 if use ngx_create_chain_of_bufs() */ - p->free_bufs = 1; - - /* - * event_pipe would do u->buffer.last += p->preread_size - * as though these bytes were read - */ - u->buffer.last = u->buffer.pos; - - if (u->conf->cyclic_temp_file) { - - /* - * we need to disable the use of sendfile() if we use cyclic temp file - * because the writing a new data may interfere with sendfile() - * that uses the same kernel file pages (at least on FreeBSD) - */ - - p->cyclic_temp_file = 1; - c->sendfile = 0; - - } else { - p->cyclic_temp_file = 0; - } - - p->read_timeout = u->conf->read_timeout; - p->send_timeout = clcf->send_timeout; - p->send_lowat = clcf->send_lowat; - - p->length = -1; - - if (u->input_filter_init - && u->input_filter_init(p->input_ctx) != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - u->read_event_handler = ngx_http_upstream_process_upstream; - r->write_event_handler = ngx_http_upstream_process_downstream; - - ngx_http_upstream_process_upstream(r, u); -} - - -static void -ngx_http_upstream_upgrade(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - int tcp_nodelay; - ngx_connection_t *c; - ngx_http_core_loc_conf_t *clcf; - - c = r->connection; - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - /* TODO: prevent upgrade if not requested or not possible */ - - r->keepalive = 0; - c->log->action = "proxying upgraded connection"; - - u->read_event_handler = ngx_http_upstream_upgraded_read_upstream; - u->write_event_handler = ngx_http_upstream_upgraded_write_upstream; - r->read_event_handler = ngx_http_upstream_upgraded_read_downstream; - r->write_event_handler = ngx_http_upstream_upgraded_write_downstream; - - if (clcf->tcp_nodelay) { - tcp_nodelay = 1; - - if (c->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, "tcp_nodelay"); - - if (setsockopt(c->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(c, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - c->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - - if (u->peer.connection->tcp_nodelay == NGX_TCP_NODELAY_UNSET) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, u->peer.connection->log, 0, - "tcp_nodelay"); - - if (setsockopt(u->peer.connection->fd, IPPROTO_TCP, TCP_NODELAY, - (const void *) &tcp_nodelay, sizeof(int)) == -1) - { - ngx_connection_error(u->peer.connection, ngx_socket_errno, - "setsockopt(TCP_NODELAY) failed"); - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - u->peer.connection->tcp_nodelay = NGX_TCP_NODELAY_SET; - } - } - - if (ngx_http_send_special(r, NGX_HTTP_FLUSH) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (u->peer.connection->read->ready - || u->buffer.pos != u->buffer.last) - { - ngx_post_event(c->read, &ngx_posted_events); - ngx_http_upstream_process_upgraded(r, 1, 1); - return; - } - - ngx_http_upstream_process_upgraded(r, 0, 1); -} - - -static void -ngx_http_upstream_upgraded_read_downstream(ngx_http_request_t *r) -{ - ngx_http_upstream_process_upgraded(r, 0, 0); -} - - -static void -ngx_http_upstream_upgraded_write_downstream(ngx_http_request_t *r) -{ - ngx_http_upstream_process_upgraded(r, 1, 1); -} - - -static void -ngx_http_upstream_upgraded_read_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_http_upstream_process_upgraded(r, 1, 0); -} - - -static void -ngx_http_upstream_upgraded_write_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_http_upstream_process_upgraded(r, 0, 1); -} - - -static void -ngx_http_upstream_process_upgraded(ngx_http_request_t *r, - ngx_uint_t from_upstream, ngx_uint_t do_write) -{ - size_t size; - ssize_t n; - ngx_buf_t *b; - ngx_connection_t *c, *downstream, *upstream, *dst, *src; - ngx_http_upstream_t *u; - ngx_http_core_loc_conf_t *clcf; - - c = r->connection; - u = r->upstream; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process upgraded, fu:%ui", from_upstream); - - downstream = c; - upstream = u->peer.connection; - - if (downstream->write->timedout) { - c->timedout = 1; - ngx_connection_error(c, NGX_ETIMEDOUT, "client timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_REQUEST_TIME_OUT); - return; - } - - if (upstream->read->timedout || upstream->write->timedout) { - ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_GATEWAY_TIME_OUT); - return; - } - - if (from_upstream) { - src = upstream; - dst = downstream; - b = &u->buffer; - - } else { - src = downstream; - dst = upstream; - b = &u->from_client; - - if (r->header_in->last > r->header_in->pos) { - b = r->header_in; - b->end = b->last; - do_write = 1; - } - - if (b->start == NULL) { - b->start = ngx_palloc(r->pool, u->conf->buffer_size); - if (b->start == NULL) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - b->pos = b->start; - b->last = b->start; - b->end = b->start + u->conf->buffer_size; - b->temporary = 1; - b->tag = u->output.tag; - } - } - - for ( ;; ) { - - if (do_write) { - - size = b->last - b->pos; - - if (size && dst->write->ready) { - - n = dst->send(dst, b->pos, size); - - if (n == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (n > 0) { - b->pos += n; - - if (b->pos == b->last) { - b->pos = b->start; - b->last = b->start; - } - } - } - } - - size = b->end - b->last; - - if (size && src->read->ready) { - - n = src->recv(src, b->last, size); - - if (n == NGX_AGAIN || n == 0) { - break; - } - - if (n > 0) { - do_write = 1; - b->last += n; - - if (from_upstream) { - u->state->bytes_received += n; - } - - continue; - } - - if (n == NGX_ERROR) { - src->read->eof = 1; - } - } - - break; - } - - if ((upstream->read->eof && u->buffer.pos == u->buffer.last) - || (downstream->read->eof && u->from_client.pos == u->from_client.last) - || (downstream->read->eof && upstream->read->eof)) - { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream upgraded done"); - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (ngx_handle_write_event(upstream->write, u->conf->send_lowat) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (upstream->write->active && !upstream->write->ready) { - ngx_add_timer(upstream->write, u->conf->send_timeout); - - } else if (upstream->write->timer_set) { - ngx_del_timer(upstream->write); - } - - if (ngx_handle_read_event(upstream->read, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (upstream->read->active && !upstream->read->ready) { - ngx_add_timer(upstream->read, u->conf->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); - } - - if (ngx_handle_write_event(downstream->write, clcf->send_lowat) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (ngx_handle_read_event(downstream->read, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (downstream->write->active && !downstream->write->ready) { - ngx_add_timer(downstream->write, clcf->send_timeout); - - } else if (downstream->write->timer_set) { - ngx_del_timer(downstream->write); - } -} - - -static void -ngx_http_upstream_process_non_buffered_downstream(ngx_http_request_t *r) -{ - ngx_event_t *wev; - ngx_connection_t *c; - ngx_http_upstream_t *u; - - c = r->connection; - u = r->upstream; - wev = c->write; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process non buffered downstream"); - - c->log->action = "sending to client"; - - if (wev->timedout) { - c->timedout = 1; - ngx_connection_error(c, NGX_ETIMEDOUT, "client timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_REQUEST_TIME_OUT); - return; - } - - ngx_http_upstream_process_non_buffered_request(r, 1); -} - - -static void -ngx_http_upstream_process_non_buffered_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_connection_t *c; - - c = u->peer.connection; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process non buffered upstream"); - - c->log->action = "reading upstream"; - - if (c->read->timedout) { - ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_GATEWAY_TIME_OUT); - return; - } - - ngx_http_upstream_process_non_buffered_request(r, 0); -} - - -static void -ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r, - ngx_uint_t do_write) -{ - size_t size; - ssize_t n; - ngx_buf_t *b; - ngx_int_t rc; - ngx_connection_t *downstream, *upstream; - ngx_http_upstream_t *u; - ngx_http_core_loc_conf_t *clcf; - - u = r->upstream; - downstream = r->connection; - upstream = u->peer.connection; - - b = &u->buffer; - - do_write = do_write || u->length == 0; - - for ( ;; ) { - - if (do_write) { - - if (u->out_bufs || u->busy_bufs) { - rc = ngx_http_output_filter(r, u->out_bufs); - - if (rc == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - ngx_chain_update_chains(r->pool, &u->free_bufs, &u->busy_bufs, - &u->out_bufs, u->output.tag); - } - - if (u->busy_bufs == NULL) { - - if (u->length == 0 - || (upstream->read->eof && u->length == -1)) - { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - if (upstream->read->eof) { - ngx_log_error(NGX_LOG_ERR, upstream->log, 0, - "upstream prematurely closed connection"); - - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_BAD_GATEWAY); - return; - } - - if (upstream->read->error) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_BAD_GATEWAY); - return; - } - - b->pos = b->start; - b->last = b->start; - } - } - - size = b->end - b->last; - - if (size && upstream->read->ready) { - - n = upstream->recv(upstream, b->last, size); - - if (n == NGX_AGAIN) { - break; - } - - if (n > 0) { - u->state->bytes_received += n; - u->state->response_length += n; - - if (u->input_filter(u->input_filter_ctx, n) == NGX_ERROR) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - do_write = 1; - - continue; - } - - break; - } - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - - if (downstream->data == r) { - if (ngx_handle_write_event(downstream->write, clcf->send_lowat) - != NGX_OK) - { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - if (downstream->write->active && !downstream->write->ready) { - ngx_add_timer(downstream->write, clcf->send_timeout); - - } else if (downstream->write->timer_set) { - ngx_del_timer(downstream->write); - } - - if (ngx_handle_read_event(upstream->read, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - if (upstream->read->active && !upstream->read->ready) { - ngx_add_timer(upstream->read, u->conf->read_timeout); - - } else if (upstream->read->timer_set) { - ngx_del_timer(upstream->read); - } -} - - -static ngx_int_t -ngx_http_upstream_non_buffered_filter_init(void *data) -{ - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_non_buffered_filter(void *data, ssize_t bytes) -{ - ngx_http_request_t *r = data; - - ngx_buf_t *b; - ngx_chain_t *cl, **ll; - ngx_http_upstream_t *u; - - u = r->upstream; - - for (cl = u->out_bufs, ll = &u->out_bufs; cl; cl = cl->next) { - ll = &cl->next; - } - - cl = ngx_chain_get_free_buf(r->pool, &u->free_bufs); - if (cl == NULL) { - return NGX_ERROR; - } - - *ll = cl; - - cl->buf->flush = 1; - cl->buf->memory = 1; - - b = &u->buffer; - - cl->buf->pos = b->last; - b->last += bytes; - cl->buf->last = b->last; - cl->buf->tag = u->output.tag; - - if (u->length == -1) { - return NGX_OK; - } - - u->length -= bytes; - - return NGX_OK; -} - - -#if (NGX_THREADS) - -static ngx_int_t -ngx_http_upstream_thread_handler(ngx_thread_task_t *task, ngx_file_t *file) -{ - ngx_str_t name; - ngx_event_pipe_t *p; - ngx_thread_pool_t *tp; - ngx_http_request_t *r; - ngx_http_core_loc_conf_t *clcf; - - r = file->thread_ctx; - p = r->upstream->pipe; - - clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module); - tp = clcf->thread_pool; - - if (tp == NULL) { - if (ngx_http_complex_value(r, clcf->thread_pool_value, &name) - != NGX_OK) - { - return NGX_ERROR; - } - - tp = ngx_thread_pool_get((ngx_cycle_t *) ngx_cycle, &name); - - if (tp == NULL) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "thread pool \"%V\" not found", &name); - return NGX_ERROR; - } - } - - task->event.data = r; - task->event.handler = ngx_http_upstream_thread_event_handler; - - if (ngx_thread_task_post(tp, task) != NGX_OK) { - return NGX_ERROR; - } - - r->main->blocked++; - r->aio = 1; - p->aio = 1; - - return NGX_OK; -} - - -static void -ngx_http_upstream_thread_event_handler(ngx_event_t *ev) -{ - ngx_connection_t *c; - ngx_http_request_t *r; - - r = ev->data; - c = r->connection; - - ngx_http_set_log_request(c->log, r); - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream thread: \"%V?%V\"", &r->uri, &r->args); - - r->main->blocked--; - r->aio = 0; - - r->write_event_handler(r); - - ngx_http_run_posted_requests(c); -} - -#endif - - -static ngx_int_t -ngx_http_upstream_output_filter(void *data, ngx_chain_t *chain) -{ - ngx_int_t rc; - ngx_event_pipe_t *p; - ngx_http_request_t *r; - - r = data; - p = r->upstream->pipe; - - rc = ngx_http_output_filter(r, chain); - - p->aio = r->aio; - - return rc; -} - - -static void -ngx_http_upstream_process_downstream(ngx_http_request_t *r) -{ - ngx_event_t *wev; - ngx_connection_t *c; - ngx_event_pipe_t *p; - ngx_http_upstream_t *u; - - c = r->connection; - u = r->upstream; - p = u->pipe; - wev = c->write; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process downstream"); - - c->log->action = "sending to client"; - -#if (NGX_THREADS) - p->aio = r->aio; -#endif - - if (wev->timedout) { - - if (wev->delayed) { - - wev->timedout = 0; - wev->delayed = 0; - - if (!wev->ready) { - ngx_add_timer(wev, p->send_timeout); - - if (ngx_handle_write_event(wev, p->send_lowat) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - - return; - } - - if (ngx_event_pipe(p, wev->write) == NGX_ABORT) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - } else { - p->downstream_error = 1; - c->timedout = 1; - ngx_connection_error(c, NGX_ETIMEDOUT, "client timed out"); - } - - } else { - - if (wev->delayed) { - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http downstream delayed"); - - if (ngx_handle_write_event(wev, p->send_lowat) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - - return; - } - - if (ngx_event_pipe(p, 1) == NGX_ABORT) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - ngx_http_upstream_process_request(r, u); -} - - -static void -ngx_http_upstream_process_upstream(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_event_t *rev; - ngx_event_pipe_t *p; - ngx_connection_t *c; - - c = u->peer.connection; - p = u->pipe; - rev = c->read; - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream process upstream"); - - c->log->action = "reading upstream"; - - if (rev->timedout) { - - if (rev->delayed) { - - rev->timedout = 0; - rev->delayed = 0; - - if (!rev->ready) { - ngx_add_timer(rev, p->read_timeout); - - if (ngx_handle_read_event(rev, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - - return; - } - - if (ngx_event_pipe(p, 0) == NGX_ABORT) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - - } else { - p->upstream_error = 1; - ngx_connection_error(c, NGX_ETIMEDOUT, "upstream timed out"); - } - - } else { - - if (rev->delayed) { - - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0, - "http upstream delayed"); - - if (ngx_handle_read_event(rev, 0) != NGX_OK) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - - return; - } - - if (ngx_event_pipe(p, 0) == NGX_ABORT) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - return; - } - } - - ngx_http_upstream_process_request(r, u); -} - - -static void -ngx_http_upstream_process_request(ngx_http_request_t *r, - ngx_http_upstream_t *u) -{ - ngx_temp_file_t *tf; - ngx_event_pipe_t *p; - - p = u->pipe; - -#if (NGX_THREADS) - if (p->writing) { - return; - } -#endif - - if (u->peer.connection) { - - if (u->store) { - - if (p->upstream_eof || p->upstream_done) { - - tf = p->temp_file; - - if (u->headers_in.status_n == NGX_HTTP_OK - && (p->upstream_done || p->length == -1) - && (u->headers_in.content_length_n == -1 - || u->headers_in.content_length_n == tf->offset)) - { - ngx_http_upstream_store(r, u); - } - } - } - -#if (NGX_HTTP_CACHE) - - if (u->cacheable) { - - if (p->upstream_done) { - ngx_http_file_cache_update(r, p->temp_file); - - } else if (p->upstream_eof) { - - tf = p->temp_file; - - if (p->length == -1 - && (u->headers_in.content_length_n == -1 - || u->headers_in.content_length_n - == tf->offset - (off_t) r->cache->body_start)) - { - ngx_http_file_cache_update(r, tf); - - } else { - ngx_http_file_cache_free(r->cache, tf); - } - - } else if (p->upstream_error) { - ngx_http_file_cache_free(r->cache, p->temp_file); - } - } - -#endif - - if (p->upstream_done || p->upstream_eof || p->upstream_error) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream exit: %p", p->out); - - if (p->upstream_done - || (p->upstream_eof && p->length == -1)) - { - ngx_http_upstream_finalize_request(r, u, 0); - return; - } - - if (p->upstream_eof) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "upstream prematurely closed connection"); - } - - ngx_http_upstream_finalize_request(r, u, NGX_HTTP_BAD_GATEWAY); - return; - } - } - - if (p->downstream_error) { - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream downstream error"); - - if (!u->cacheable && !u->store && u->peer.connection) { - ngx_http_upstream_finalize_request(r, u, NGX_ERROR); - } - } -} - - -static void -ngx_http_upstream_store(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - size_t root; - time_t lm; - ngx_str_t path; - ngx_temp_file_t *tf; - ngx_ext_rename_file_t ext; - - tf = u->pipe->temp_file; - - if (tf->file.fd == NGX_INVALID_FILE) { - - /* create file for empty 200 response */ - - tf = ngx_pcalloc(r->pool, sizeof(ngx_temp_file_t)); - if (tf == NULL) { - return; - } - - tf->file.fd = NGX_INVALID_FILE; - tf->file.log = r->connection->log; - tf->path = u->conf->temp_path; - tf->pool = r->pool; - tf->persistent = 1; - - if (ngx_create_temp_file(&tf->file, tf->path, tf->pool, - tf->persistent, tf->clean, tf->access) - != NGX_OK) - { - return; - } - - u->pipe->temp_file = tf; - } - - ext.access = u->conf->store_access; - ext.path_access = u->conf->store_access; - ext.time = -1; - ext.create_path = 1; - ext.delete_file = 1; - ext.log = r->connection->log; - - if (u->headers_in.last_modified) { - - lm = ngx_parse_http_time(u->headers_in.last_modified->value.data, - u->headers_in.last_modified->value.len); - - if (lm != NGX_ERROR) { - ext.time = lm; - ext.fd = tf->file.fd; - } - } - - if (u->conf->store_lengths == NULL) { - - if (ngx_http_map_uri_to_path(r, &path, &root, 0) == NULL) { - return; - } - - } else { - if (ngx_http_script_run(r, &path, u->conf->store_lengths->elts, 0, - u->conf->store_values->elts) - == NULL) - { - return; - } - } - - path.len--; - - ngx_log_debug2(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "upstream stores \"%s\" to \"%s\"", - tf->file.name.data, path.data); - - (void) ngx_ext_rename_file(&tf->file.name, &path, &ext); - - u->store = 0; -} - - -static void -ngx_http_upstream_dummy_handler(ngx_http_request_t *r, ngx_http_upstream_t *u) -{ - ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream dummy handler"); -} - - -static void -ngx_http_upstream_next(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_uint_t ft_type) -{ - ngx_msec_t timeout; - ngx_uint_t status, state; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http next upstream, %xi", ft_type); - - if (u->peer.sockaddr) { - - if (ft_type == NGX_HTTP_UPSTREAM_FT_HTTP_403 - || ft_type == NGX_HTTP_UPSTREAM_FT_HTTP_404) - { - state = NGX_PEER_NEXT; - - } else { - state = NGX_PEER_FAILED; - } - - u->peer.free(&u->peer, u->peer.data, state); - u->peer.sockaddr = NULL; - } - - if (ft_type == NGX_HTTP_UPSTREAM_FT_TIMEOUT) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, NGX_ETIMEDOUT, - "upstream timed out"); - } - - if (u->peer.cached && ft_type == NGX_HTTP_UPSTREAM_FT_ERROR) { - /* TODO: inform balancer instead */ - u->peer.tries++; - } - - switch (ft_type) { - - case NGX_HTTP_UPSTREAM_FT_TIMEOUT: - status = NGX_HTTP_GATEWAY_TIME_OUT; - break; - - case NGX_HTTP_UPSTREAM_FT_HTTP_500: - status = NGX_HTTP_INTERNAL_SERVER_ERROR; - break; - - case NGX_HTTP_UPSTREAM_FT_HTTP_403: - status = NGX_HTTP_FORBIDDEN; - break; - - case NGX_HTTP_UPSTREAM_FT_HTTP_404: - status = NGX_HTTP_NOT_FOUND; - break; - - /* - * NGX_HTTP_UPSTREAM_FT_BUSY_LOCK and NGX_HTTP_UPSTREAM_FT_MAX_WAITING - * never reach here - */ - - default: - status = NGX_HTTP_BAD_GATEWAY; - } - - if (r->connection->error) { - ngx_http_upstream_finalize_request(r, u, - NGX_HTTP_CLIENT_CLOSED_REQUEST); - return; - } - - u->state->status = status; - - timeout = u->conf->next_upstream_timeout; - - if (u->request_sent - && (r->method & (NGX_HTTP_POST|NGX_HTTP_LOCK|NGX_HTTP_PATCH))) - { - ft_type |= NGX_HTTP_UPSTREAM_FT_NON_IDEMPOTENT; - } - - if (u->peer.tries == 0 - || ((u->conf->next_upstream & ft_type) != ft_type) - || (u->request_sent && r->request_body_no_buffering) - || (timeout && ngx_current_msec - u->peer.start_time >= timeout)) - { -#if (NGX_HTTP_CACHE) - - if (u->cache_status == NGX_HTTP_CACHE_EXPIRED - && (u->conf->cache_use_stale & ft_type)) - { - ngx_int_t rc; - - rc = u->reinit_request(r); - - if (rc == NGX_OK) { - u->cache_status = NGX_HTTP_CACHE_STALE; - rc = ngx_http_upstream_cache_send(r, u); - } - - ngx_http_upstream_finalize_request(r, u, rc); - return; - } -#endif - - ngx_http_upstream_finalize_request(r, u, status); - return; - } - - if (u->peer.connection) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "close http upstream connection: %d", - u->peer.connection->fd); -#if (NGX_HTTP_SSL) - - if (u->peer.connection->ssl) { - u->peer.connection->ssl->no_wait_shutdown = 1; - u->peer.connection->ssl->no_send_shutdown = 1; - - (void) ngx_ssl_shutdown(u->peer.connection); - } -#endif - - if (u->peer.connection->pool) { - ngx_destroy_pool(u->peer.connection->pool); - } - - ngx_close_connection(u->peer.connection); - u->peer.connection = NULL; - } - - ngx_http_upstream_connect(r, u); -} - - -static void -ngx_http_upstream_cleanup(void *data) -{ - ngx_http_request_t *r = data; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "cleanup http upstream request: \"%V\"", &r->uri); - - ngx_http_upstream_finalize_request(r, r->upstream, NGX_DONE); -} - - -static void -ngx_http_upstream_finalize_request(ngx_http_request_t *r, - ngx_http_upstream_t *u, ngx_int_t rc) -{ - ngx_uint_t flush; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "finalize http upstream request: %i", rc); - - if (u->cleanup == NULL) { - /* the request was already finalized */ - ngx_http_finalize_request(r, NGX_DONE); - return; - } - - *u->cleanup = NULL; - u->cleanup = NULL; - - if (u->resolved && u->resolved->ctx) { - ngx_resolve_name_done(u->resolved->ctx); - u->resolved->ctx = NULL; - } - - if (u->state && u->state->response_time) { - u->state->response_time = ngx_current_msec - u->state->response_time; - - if (u->pipe && u->pipe->read_length) { - u->state->bytes_received += u->pipe->read_length - - u->pipe->preread_size; - u->state->response_length = u->pipe->read_length; - } - } - - u->finalize_request(r, rc); - - if (u->peer.free && u->peer.sockaddr) { - u->peer.free(&u->peer, u->peer.data, 0); - u->peer.sockaddr = NULL; - } - - if (u->peer.connection) { - -#if (NGX_HTTP_SSL) - - /* TODO: do not shutdown persistent connection */ - - if (u->peer.connection->ssl) { - - /* - * We send the "close notify" shutdown alert to the upstream only - * and do not wait its "close notify" shutdown alert. - * It is acceptable according to the TLS standard. - */ - - u->peer.connection->ssl->no_wait_shutdown = 1; - - (void) ngx_ssl_shutdown(u->peer.connection); - } -#endif - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "close http upstream connection: %d", - u->peer.connection->fd); - - if (u->peer.connection->pool) { - ngx_destroy_pool(u->peer.connection->pool); - } - - ngx_close_connection(u->peer.connection); - } - - u->peer.connection = NULL; - - if (u->pipe && u->pipe->temp_file) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "http upstream temp fd: %d", - u->pipe->temp_file->file.fd); - } - - if (u->store && u->pipe && u->pipe->temp_file - && u->pipe->temp_file->file.fd != NGX_INVALID_FILE) - { - if (ngx_delete_file(u->pipe->temp_file->file.name.data) - == NGX_FILE_ERROR) - { - ngx_log_error(NGX_LOG_CRIT, r->connection->log, ngx_errno, - ngx_delete_file_n " \"%s\" failed", - u->pipe->temp_file->file.name.data); - } - } - -#if (NGX_HTTP_CACHE) - - if (r->cache) { - - if (u->cacheable) { - - if (rc == NGX_HTTP_BAD_GATEWAY || rc == NGX_HTTP_GATEWAY_TIME_OUT) { - time_t valid; - - valid = ngx_http_file_cache_valid(u->conf->cache_valid, rc); - - if (valid) { - r->cache->valid_sec = ngx_time() + valid; - r->cache->error = rc; - } - } - } - - ngx_http_file_cache_free(r->cache, u->pipe->temp_file); - } - -#endif - - if (r->subrequest_in_memory - && u->headers_in.status_n >= NGX_HTTP_SPECIAL_RESPONSE) - { - u->buffer.last = u->buffer.pos; - } - - if (rc == NGX_DECLINED) { - return; - } - - r->connection->log->action = "sending to client"; - - if (!u->header_sent - || rc == NGX_HTTP_REQUEST_TIME_OUT - || rc == NGX_HTTP_CLIENT_CLOSED_REQUEST - || (u->pipe && u->pipe->downstream_error)) - { - ngx_http_finalize_request(r, rc); - return; - } - - flush = 0; - - if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { - rc = NGX_ERROR; - flush = 1; - } - - if (r->header_only) { - ngx_http_finalize_request(r, rc); - return; - } - - if (rc == 0) { - rc = ngx_http_send_special(r, NGX_HTTP_LAST); - - } else if (flush) { - r->keepalive = 0; - rc = ngx_http_send_special(r, NGX_HTTP_FLUSH); - } - - ngx_http_finalize_request(r, rc); -} - - -static ngx_int_t -ngx_http_upstream_process_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_table_elt_t **ph; - - ph = (ngx_table_elt_t **) ((char *) &r->upstream->headers_in + offset); - - if (*ph == NULL) { - *ph = h; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_ignore_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_content_length(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - - u->headers_in.content_length = h; - u->headers_in.content_length_n = ngx_atoof(h->value.data, h->value.len); - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_last_modified(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - - u->headers_in.last_modified = h; - -#if (NGX_HTTP_CACHE) - - if (u->cacheable) { - u->headers_in.last_modified_time = ngx_parse_http_time(h->value.data, - h->value.len); - } - -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_set_cookie(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_array_t *pa; - ngx_table_elt_t **ph; - ngx_http_upstream_t *u; - - u = r->upstream; - pa = &u->headers_in.cookies; - - if (pa->elts == NULL) { - if (ngx_array_init(pa, r->pool, 1, sizeof(ngx_table_elt_t *)) != NGX_OK) - { - return NGX_ERROR; - } - } - - ph = ngx_array_push(pa); - if (ph == NULL) { - return NGX_ERROR; - } - - *ph = h; - -#if (NGX_HTTP_CACHE) - if (!(u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_SET_COOKIE)) { - u->cacheable = 0; - } -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_cache_control(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_array_t *pa; - ngx_table_elt_t **ph; - ngx_http_upstream_t *u; - - u = r->upstream; - pa = &u->headers_in.cache_control; - - if (pa->elts == NULL) { - if (ngx_array_init(pa, r->pool, 2, sizeof(ngx_table_elt_t *)) != NGX_OK) - { - return NGX_ERROR; - } - } - - ph = ngx_array_push(pa); - if (ph == NULL) { - return NGX_ERROR; - } - - *ph = h; - -#if (NGX_HTTP_CACHE) - { - u_char *p, *start, *last; - ngx_int_t n; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_CACHE_CONTROL) { - return NGX_OK; - } - - if (r->cache == NULL) { - return NGX_OK; - } - - if (r->cache->valid_sec != 0 && u->headers_in.x_accel_expires != NULL) { - return NGX_OK; - } - - start = h->value.data; - last = start + h->value.len; - - if (ngx_strlcasestrn(start, last, (u_char *) "no-cache", 8 - 1) != NULL - || ngx_strlcasestrn(start, last, (u_char *) "no-store", 8 - 1) != NULL - || ngx_strlcasestrn(start, last, (u_char *) "private", 7 - 1) != NULL) - { - u->cacheable = 0; - return NGX_OK; - } - - p = ngx_strlcasestrn(start, last, (u_char *) "s-maxage=", 9 - 1); - offset = 9; - - if (p == NULL) { - p = ngx_strlcasestrn(start, last, (u_char *) "max-age=", 8 - 1); - offset = 8; - } - - if (p == NULL) { - return NGX_OK; - } - - n = 0; - - for (p += offset; p < last; p++) { - if (*p == ',' || *p == ';' || *p == ' ') { - break; - } - - if (*p >= '0' && *p <= '9') { - n = n * 10 + *p - '0'; - continue; - } - - u->cacheable = 0; - return NGX_OK; - } - - if (n == 0) { - u->cacheable = 0; - return NGX_OK; - } - - r->cache->valid_sec = ngx_time() + n; - } -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_expires(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - u->headers_in.expires = h; - -#if (NGX_HTTP_CACHE) - { - time_t expires; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_EXPIRES) { - return NGX_OK; - } - - if (r->cache == NULL) { - return NGX_OK; - } - - if (r->cache->valid_sec != 0) { - return NGX_OK; - } - - expires = ngx_parse_http_time(h->value.data, h->value.len); - - if (expires == NGX_ERROR || expires < ngx_time()) { - u->cacheable = 0; - return NGX_OK; - } - - r->cache->valid_sec = expires; - } -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_accel_expires(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - u->headers_in.x_accel_expires = h; - -#if (NGX_HTTP_CACHE) - { - u_char *p; - size_t len; - ngx_int_t n; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_EXPIRES) { - return NGX_OK; - } - - if (r->cache == NULL) { - return NGX_OK; - } - - len = h->value.len; - p = h->value.data; - - if (p[0] != '@') { - n = ngx_atoi(p, len); - - switch (n) { - case 0: - u->cacheable = 0; - /* fall through */ - - case NGX_ERROR: - return NGX_OK; - - default: - r->cache->valid_sec = ngx_time() + n; - return NGX_OK; - } - } - - p++; - len--; - - n = ngx_atoi(p, len); - - if (n != NGX_ERROR) { - r->cache->valid_sec = n; - } - } -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_limit_rate(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_int_t n; - ngx_http_upstream_t *u; - - u = r->upstream; - u->headers_in.x_accel_limit_rate = h; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_LIMIT_RATE) { - return NGX_OK; - } - - n = ngx_atoi(h->value.data, h->value.len); - - if (n != NGX_ERROR) { - r->limit_rate = (size_t) n; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_buffering(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - u_char c0, c1, c2; - ngx_http_upstream_t *u; - - u = r->upstream; - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_BUFFERING) { - return NGX_OK; - } - - if (u->conf->change_buffering) { - - if (h->value.len == 2) { - c0 = ngx_tolower(h->value.data[0]); - c1 = ngx_tolower(h->value.data[1]); - - if (c0 == 'n' && c1 == 'o') { - u->buffering = 0; - } - - } else if (h->value.len == 3) { - c0 = ngx_tolower(h->value.data[0]); - c1 = ngx_tolower(h->value.data[1]); - c2 = ngx_tolower(h->value.data[2]); - - if (c0 == 'y' && c1 == 'e' && c2 == 's') { - u->buffering = 1; - } - } - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_charset(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - if (r->upstream->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_XA_CHARSET) { - return NGX_OK; - } - - r->headers_out.override_charset = &h->value; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_connection(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - r->upstream->headers_in.connection = h; - - if (ngx_strlcasestrn(h->value.data, h->value.data + h->value.len, - (u_char *) "close", 5 - 1) - != NULL) - { - r->upstream->headers_in.connection_close = 1; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_transfer_encoding(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - r->upstream->headers_in.transfer_encoding = h; - - if (ngx_strlcasestrn(h->value.data, h->value.data + h->value.len, - (u_char *) "chunked", 7 - 1) - != NULL) - { - r->upstream->headers_in.chunked = 1; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_process_vary(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_http_upstream_t *u; - - u = r->upstream; - u->headers_in.vary = h; - -#if (NGX_HTTP_CACHE) - - if (u->conf->ignore_headers & NGX_HTTP_UPSTREAM_IGN_VARY) { - return NGX_OK; - } - - if (r->cache == NULL) { - return NGX_OK; - } - - if (h->value.len > NGX_HTTP_CACHE_VARY_LEN - || (h->value.len == 1 && h->value.data[0] == '*')) - { - u->cacheable = 0; - } - - r->cache->vary = h->value; - -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_header_line(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_table_elt_t *ho, **ph; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - if (offset) { - ph = (ngx_table_elt_t **) ((char *) &r->headers_out + offset); - *ph = ho; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_multi_header_lines(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_array_t *pa; - ngx_table_elt_t *ho, **ph; - - pa = (ngx_array_t *) ((char *) &r->headers_out + offset); - - if (pa->elts == NULL) { - if (ngx_array_init(pa, r->pool, 2, sizeof(ngx_table_elt_t *)) != NGX_OK) - { - return NGX_ERROR; - } - } - - ph = ngx_array_push(pa); - if (ph == NULL) { - return NGX_ERROR; - } - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - *ph = ho; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_content_type(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - u_char *p, *last; - - r->headers_out.content_type_len = h->value.len; - r->headers_out.content_type = h->value; - r->headers_out.content_type_lowcase = NULL; - - for (p = h->value.data; *p; p++) { - - if (*p != ';') { - continue; - } - - last = p; - - while (*++p == ' ') { /* void */ } - - if (*p == '\0') { - return NGX_OK; - } - - if (ngx_strncasecmp(p, (u_char *) "charset=", 8) != 0) { - continue; - } - - p += 8; - - r->headers_out.content_type_len = last - h->value.data; - - if (*p == '"') { - p++; - } - - last = h->value.data + h->value.len; - - if (*(last - 1) == '"') { - last--; - } - - r->headers_out.charset.len = last - p; - r->headers_out.charset.data = p; - - return NGX_OK; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_last_modified(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - r->headers_out.last_modified = ho; - -#if (NGX_HTTP_CACHE) - - if (r->upstream->cacheable) { - r->headers_out.last_modified_time = - r->upstream->headers_in.last_modified_time; - } - -#endif - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_rewrite_location(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_int_t rc; - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - if (r->upstream->rewrite_redirect) { - rc = r->upstream->rewrite_redirect(r, ho, 0); - - if (rc == NGX_DECLINED) { - return NGX_OK; - } - - if (rc == NGX_OK) { - r->headers_out.location = ho; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "rewritten location: \"%V\"", &ho->value); - } - - return rc; - } - - if (ho->value.data[0] != '/') { - r->headers_out.location = ho; - } - - /* - * we do not set r->headers_out.location here to avoid the handling - * the local redirects without a host name by ngx_http_header_filter() - */ - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_rewrite_refresh(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - u_char *p; - ngx_int_t rc; - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - if (r->upstream->rewrite_redirect) { - - p = ngx_strcasestrn(ho->value.data, "url=", 4 - 1); - - if (p) { - rc = r->upstream->rewrite_redirect(r, ho, p + 4 - ho->value.data); - - } else { - return NGX_OK; - } - - if (rc == NGX_DECLINED) { - return NGX_OK; - } - - if (rc == NGX_OK) { - r->headers_out.refresh = ho; - - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "rewritten refresh: \"%V\"", &ho->value); - } - - return rc; - } - - r->headers_out.refresh = ho; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_rewrite_set_cookie(ngx_http_request_t *r, ngx_table_elt_t *h, - ngx_uint_t offset) -{ - ngx_int_t rc; - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - if (r->upstream->rewrite_cookie) { - rc = r->upstream->rewrite_cookie(r, ho); - - if (rc == NGX_DECLINED) { - return NGX_OK; - } - -#if (NGX_DEBUG) - if (rc == NGX_OK) { - ngx_log_debug1(NGX_LOG_DEBUG_HTTP, r->connection->log, 0, - "rewritten cookie: \"%V\"", &ho->value); - } -#endif - - return rc; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_copy_allow_ranges(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_table_elt_t *ho; - - if (r->upstream->conf->force_ranges) { - return NGX_OK; - } - -#if (NGX_HTTP_CACHE) - - if (r->cached) { - r->allow_ranges = 1; - return NGX_OK; - } - - if (r->upstream->cacheable) { - r->allow_ranges = 1; - r->single_range = 1; - return NGX_OK; - } - -#endif - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - r->headers_out.accept_ranges = ho; - - return NGX_OK; -} - - -#if (NGX_HTTP_GZIP) - -static ngx_int_t -ngx_http_upstream_copy_content_encoding(ngx_http_request_t *r, - ngx_table_elt_t *h, ngx_uint_t offset) -{ - ngx_table_elt_t *ho; - - ho = ngx_list_push(&r->headers_out.headers); - if (ho == NULL) { - return NGX_ERROR; - } - - *ho = *h; - - r->headers_out.content_encoding = ho; - - return NGX_OK; -} - -#endif - - -static ngx_int_t -ngx_http_upstream_add_variables(ngx_conf_t *cf) -{ - ngx_http_variable_t *var, *v; - - for (v = ngx_http_upstream_vars; v->name.len; v++) { - var = ngx_http_add_variable(cf, &v->name, v->flags); - if (var == NULL) { - return NGX_ERROR; - } - - var->get_handler = v->get_handler; - var->data = v->data; - } - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_addr_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_http_upstream_state_t *state; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - - if (r->upstream_states == NULL || r->upstream_states->nelts == 0) { - v->not_found = 1; - return NGX_OK; - } - - len = 0; - state = r->upstream_states->elts; - - for (i = 0; i < r->upstream_states->nelts; i++) { - if (state[i].peer) { - len += state[i].peer->len + 2; - - } else { - len += 3; - } - } - - p = ngx_pnalloc(r->pool, len); - if (p == NULL) { - return NGX_ERROR; - } - - v->data = p; - - i = 0; - - for ( ;; ) { - if (state[i].peer) { - p = ngx_cpymem(p, state[i].peer->data, state[i].peer->len); - } - - if (++i == r->upstream_states->nelts) { - break; - } - - if (state[i].peer) { - *p++ = ','; - *p++ = ' '; - - } else { - *p++ = ' '; - *p++ = ':'; - *p++ = ' '; - - if (++i == r->upstream_states->nelts) { - break; - } - - continue; - } - } - - v->len = p - v->data; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_status_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_http_upstream_state_t *state; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - - if (r->upstream_states == NULL || r->upstream_states->nelts == 0) { - v->not_found = 1; - return NGX_OK; - } - - len = r->upstream_states->nelts * (3 + 2); - - p = ngx_pnalloc(r->pool, len); - if (p == NULL) { - return NGX_ERROR; - } - - v->data = p; - - i = 0; - state = r->upstream_states->elts; - - for ( ;; ) { - if (state[i].status) { - p = ngx_sprintf(p, "%ui", state[i].status); - - } else { - *p++ = '-'; - } - - if (++i == r->upstream_states->nelts) { - break; - } - - if (state[i].peer) { - *p++ = ','; - *p++ = ' '; - - } else { - *p++ = ' '; - *p++ = ':'; - *p++ = ' '; - - if (++i == r->upstream_states->nelts) { - break; - } - - continue; - } - } - - v->len = p - v->data; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_response_time_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_msec_int_t ms; - ngx_http_upstream_state_t *state; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - - if (r->upstream_states == NULL || r->upstream_states->nelts == 0) { - v->not_found = 1; - return NGX_OK; - } - - len = r->upstream_states->nelts * (NGX_TIME_T_LEN + 4 + 2); - - p = ngx_pnalloc(r->pool, len); - if (p == NULL) { - return NGX_ERROR; - } - - v->data = p; - - i = 0; - state = r->upstream_states->elts; - - for ( ;; ) { - if (state[i].status) { - - if (data == 1 && state[i].header_time != (ngx_msec_t) -1) { - ms = state[i].header_time; - - } else if (data == 2 && state[i].connect_time != (ngx_msec_t) -1) { - ms = state[i].connect_time; - - } else { - ms = state[i].response_time; - } - - ms = ngx_max(ms, 0); - p = ngx_sprintf(p, "%T.%03M", (time_t) ms / 1000, ms % 1000); - - } else { - *p++ = '-'; - } - - if (++i == r->upstream_states->nelts) { - break; - } - - if (state[i].peer) { - *p++ = ','; - *p++ = ' '; - - } else { - *p++ = ' '; - *p++ = ':'; - *p++ = ' '; - - if (++i == r->upstream_states->nelts) { - break; - } - - continue; - } - } - - v->len = p - v->data; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_response_length_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - size_t len; - ngx_uint_t i; - ngx_http_upstream_state_t *state; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - - if (r->upstream_states == NULL || r->upstream_states->nelts == 0) { - v->not_found = 1; - return NGX_OK; - } - - len = r->upstream_states->nelts * (NGX_OFF_T_LEN + 2); - - p = ngx_pnalloc(r->pool, len); - if (p == NULL) { - return NGX_ERROR; - } - - v->data = p; - - i = 0; - state = r->upstream_states->elts; - - for ( ;; ) { - - if (data == 1) { - p = ngx_sprintf(p, "%O", state[i].bytes_received); - - } else { - p = ngx_sprintf(p, "%O", state[i].response_length); - } - - if (++i == r->upstream_states->nelts) { - break; - } - - if (state[i].peer) { - *p++ = ','; - *p++ = ' '; - - } else { - *p++ = ' '; - *p++ = ':'; - *p++ = ' '; - - if (++i == r->upstream_states->nelts) { - break; - } - - continue; - } - } - - v->len = p - v->data; - - return NGX_OK; -} - - -ngx_int_t -ngx_http_upstream_header_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - if (r->upstream == NULL) { - v->not_found = 1; - return NGX_OK; - } - - return ngx_http_variable_unknown_header(v, (ngx_str_t *) data, - &r->upstream->headers_in.headers.part, - sizeof("upstream_http_") - 1); -} - - -ngx_int_t -ngx_http_upstream_cookie_variable(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - ngx_str_t *name = (ngx_str_t *) data; - - ngx_str_t cookie, s; - - if (r->upstream == NULL) { - v->not_found = 1; - return NGX_OK; - } - - s.len = name->len - (sizeof("upstream_cookie_") - 1); - s.data = name->data + sizeof("upstream_cookie_") - 1; - - if (ngx_http_parse_set_cookie_lines(&r->upstream->headers_in.cookies, - &s, &cookie) - == NGX_DECLINED) - { - v->not_found = 1; - return NGX_OK; - } - - v->len = cookie.len; - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - v->data = cookie.data; - - return NGX_OK; -} - - -#if (NGX_HTTP_CACHE) - -ngx_int_t -ngx_http_upstream_cache_status(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - ngx_uint_t n; - - if (r->upstream == NULL || r->upstream->cache_status == 0) { - v->not_found = 1; - return NGX_OK; - } - - n = r->upstream->cache_status - 1; - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - v->len = ngx_http_cache_status[n].len; - v->data = ngx_http_cache_status[n].data; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_cache_last_modified(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - u_char *p; - - if (r->upstream == NULL - || !r->upstream->conf->cache_revalidate - || r->upstream->cache_status != NGX_HTTP_CACHE_EXPIRED - || r->cache->last_modified == -1) - { - v->not_found = 1; - return NGX_OK; - } - - p = ngx_pnalloc(r->pool, sizeof("Mon, 28 Sep 1970 06:00:00 GMT") - 1); - if (p == NULL) { - return NGX_ERROR; - } - - v->len = ngx_http_time(p, r->cache->last_modified) - p; - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - v->data = p; - - return NGX_OK; -} - - -static ngx_int_t -ngx_http_upstream_cache_etag(ngx_http_request_t *r, - ngx_http_variable_value_t *v, uintptr_t data) -{ - if (r->upstream == NULL - || !r->upstream->conf->cache_revalidate - || r->upstream->cache_status != NGX_HTTP_CACHE_EXPIRED - || r->cache->etag.len == 0) - { - v->not_found = 1; - return NGX_OK; - } - - v->valid = 1; - v->no_cacheable = 0; - v->not_found = 0; - v->len = r->cache->etag.len; - v->data = r->cache->etag.data; - - return NGX_OK; -} - -#endif - - -static char * -ngx_http_upstream(ngx_conf_t *cf, ngx_command_t *cmd, void *dummy) -{ - char *rv; - void *mconf; - ngx_str_t *value; - ngx_url_t u; - ngx_uint_t m; - ngx_conf_t pcf; - ngx_http_module_t *module; - ngx_http_conf_ctx_t *ctx, *http_ctx; - ngx_http_upstream_srv_conf_t *uscf; - - ngx_memzero(&u, sizeof(ngx_url_t)); - - value = cf->args->elts; - u.host = value[1]; - u.no_resolve = 1; - u.no_port = 1; - - uscf = ngx_http_upstream_add(cf, &u, NGX_HTTP_UPSTREAM_CREATE - |NGX_HTTP_UPSTREAM_WEIGHT - |NGX_HTTP_UPSTREAM_MAX_CONNS - |NGX_HTTP_UPSTREAM_MAX_FAILS - |NGX_HTTP_UPSTREAM_FAIL_TIMEOUT - |NGX_HTTP_UPSTREAM_DOWN - |NGX_HTTP_UPSTREAM_BACKUP); - if (uscf == NULL) { - return NGX_CONF_ERROR; - } - - - ctx = ngx_pcalloc(cf->pool, sizeof(ngx_http_conf_ctx_t)); - if (ctx == NULL) { - return NGX_CONF_ERROR; - } - - http_ctx = cf->ctx; - ctx->main_conf = http_ctx->main_conf; - - /* the upstream{}'s srv_conf */ - - ctx->srv_conf = ngx_pcalloc(cf->pool, sizeof(void *) * ngx_http_max_module); - if (ctx->srv_conf == NULL) { - return NGX_CONF_ERROR; - } - - ctx->srv_conf[ngx_http_upstream_module.ctx_index] = uscf; - - uscf->srv_conf = ctx->srv_conf; - - - /* the upstream{}'s loc_conf */ - - ctx->loc_conf = ngx_pcalloc(cf->pool, sizeof(void *) * ngx_http_max_module); - if (ctx->loc_conf == NULL) { - return NGX_CONF_ERROR; - } - - for (m = 0; cf->cycle->modules[m]; m++) { - if (cf->cycle->modules[m]->type != NGX_HTTP_MODULE) { - continue; - } - - module = cf->cycle->modules[m]->ctx; - - if (module->create_srv_conf) { - mconf = module->create_srv_conf(cf); - if (mconf == NULL) { - return NGX_CONF_ERROR; - } - - ctx->srv_conf[cf->cycle->modules[m]->ctx_index] = mconf; - } - - if (module->create_loc_conf) { - mconf = module->create_loc_conf(cf); - if (mconf == NULL) { - return NGX_CONF_ERROR; - } - - ctx->loc_conf[cf->cycle->modules[m]->ctx_index] = mconf; - } - } - - uscf->servers = ngx_array_create(cf->pool, 4, - sizeof(ngx_http_upstream_server_t)); - if (uscf->servers == NULL) { - return NGX_CONF_ERROR; - } - - - /* parse inside upstream{} */ - - pcf = *cf; - cf->ctx = ctx; - cf->cmd_type = NGX_HTTP_UPS_CONF; - - rv = ngx_conf_parse(cf, NULL); - - *cf = pcf; - - if (rv != NGX_CONF_OK) { - return rv; - } - - if (uscf->servers->nelts == 0) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "no servers are inside upstream"); - return NGX_CONF_ERROR; - } - - return rv; -} - - -static char * -ngx_http_upstream_server(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) -{ - ngx_http_upstream_srv_conf_t *uscf = conf; - - time_t fail_timeout; - ngx_str_t *value, s; - ngx_url_t u; - ngx_int_t weight, max_conns, max_fails; - ngx_uint_t i; - ngx_http_upstream_server_t *us; - - us = ngx_array_push(uscf->servers); - if (us == NULL) { - return NGX_CONF_ERROR; - } - - ngx_memzero(us, sizeof(ngx_http_upstream_server_t)); - - value = cf->args->elts; - - weight = 1; - max_conns = 0; - max_fails = 1; - fail_timeout = 10; - - for (i = 2; i < cf->args->nelts; i++) { - - if (ngx_strncmp(value[i].data, "weight=", 7) == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_WEIGHT)) { - goto not_supported; - } - - weight = ngx_atoi(&value[i].data[7], value[i].len - 7); - - if (weight == NGX_ERROR || weight == 0) { - goto invalid; - } - - continue; - } - - if (ngx_strncmp(value[i].data, "max_conns=", 10) == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_MAX_CONNS)) { - goto not_supported; - } - - max_conns = ngx_atoi(&value[i].data[10], value[i].len - 10); - - if (max_conns == NGX_ERROR) { - goto invalid; - } - - continue; - } - - if (ngx_strncmp(value[i].data, "max_fails=", 10) == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_MAX_FAILS)) { - goto not_supported; - } - - max_fails = ngx_atoi(&value[i].data[10], value[i].len - 10); - - if (max_fails == NGX_ERROR) { - goto invalid; - } - - continue; - } - - if (ngx_strncmp(value[i].data, "fail_timeout=", 13) == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_FAIL_TIMEOUT)) { - goto not_supported; - } - - s.len = value[i].len - 13; - s.data = &value[i].data[13]; - - fail_timeout = ngx_parse_time(&s, 1); - - if (fail_timeout == (time_t) NGX_ERROR) { - goto invalid; - } - - continue; - } - - if (ngx_strcmp(value[i].data, "backup") == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_BACKUP)) { - goto not_supported; - } - - us->backup = 1; - - continue; - } - - if (ngx_strcmp(value[i].data, "down") == 0) { - - if (!(uscf->flags & NGX_HTTP_UPSTREAM_DOWN)) { - goto not_supported; - } - - us->down = 1; - - continue; - } - - goto invalid; - } - - ngx_memzero(&u, sizeof(ngx_url_t)); - - u.url = value[1]; - u.default_port = 80; - - if (ngx_parse_url(cf->pool, &u) != NGX_OK) { - if (u.err) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "%s in upstream \"%V\"", u.err, &u.url); - } - - return NGX_CONF_ERROR; - } - - us->name = u.url; - us->addrs = u.addrs; - us->naddrs = u.naddrs; - us->weight = weight; - us->max_conns = max_conns; - us->max_fails = max_fails; - us->fail_timeout = fail_timeout; - - return NGX_CONF_OK; - -invalid: - - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid parameter \"%V\"", &value[i]); - - return NGX_CONF_ERROR; - -not_supported: - - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "balancing method does not support parameter \"%V\"", - &value[i]); - - return NGX_CONF_ERROR; -} - - -ngx_http_upstream_srv_conf_t * -ngx_http_upstream_add(ngx_conf_t *cf, ngx_url_t *u, ngx_uint_t flags) -{ - ngx_uint_t i; - ngx_http_upstream_server_t *us; - ngx_http_upstream_srv_conf_t *uscf, **uscfp; - ngx_http_upstream_main_conf_t *umcf; - - if (!(flags & NGX_HTTP_UPSTREAM_CREATE)) { - - if (ngx_parse_url(cf->pool, u) != NGX_OK) { - if (u->err) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "%s in upstream \"%V\"", u->err, &u->url); - } - - return NULL; - } - } - - umcf = ngx_http_conf_get_module_main_conf(cf, ngx_http_upstream_module); - - uscfp = umcf->upstreams.elts; - - for (i = 0; i < umcf->upstreams.nelts; i++) { - - if (uscfp[i]->host.len != u->host.len - || ngx_strncasecmp(uscfp[i]->host.data, u->host.data, u->host.len) - != 0) - { - continue; - } - - if ((flags & NGX_HTTP_UPSTREAM_CREATE) - && (uscfp[i]->flags & NGX_HTTP_UPSTREAM_CREATE)) - { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "duplicate upstream \"%V\"", &u->host); - return NULL; - } - - if ((uscfp[i]->flags & NGX_HTTP_UPSTREAM_CREATE) && !u->no_port) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "upstream \"%V\" may not have port %d", - &u->host, u->port); - return NULL; - } - - if ((flags & NGX_HTTP_UPSTREAM_CREATE) && !uscfp[i]->no_port) { - ngx_log_error(NGX_LOG_EMERG, cf->log, 0, - "upstream \"%V\" may not have port %d in %s:%ui", - &u->host, uscfp[i]->port, - uscfp[i]->file_name, uscfp[i]->line); - return NULL; - } - - if (uscfp[i]->port && u->port - && uscfp[i]->port != u->port) - { - continue; - } - - if (uscfp[i]->default_port && u->default_port - && uscfp[i]->default_port != u->default_port) - { - continue; - } - - if (flags & NGX_HTTP_UPSTREAM_CREATE) { - uscfp[i]->flags = flags; - } - - return uscfp[i]; - } - - uscf = ngx_pcalloc(cf->pool, sizeof(ngx_http_upstream_srv_conf_t)); - if (uscf == NULL) { - return NULL; - } - - uscf->flags = flags; - uscf->host = u->host; - uscf->file_name = cf->conf_file->file.name.data; - uscf->line = cf->conf_file->line; - uscf->port = u->port; - uscf->default_port = u->default_port; - uscf->no_port = u->no_port; - - if (u->naddrs == 1 && (u->port || u->family == AF_UNIX)) { - uscf->servers = ngx_array_create(cf->pool, 1, - sizeof(ngx_http_upstream_server_t)); - if (uscf->servers == NULL) { - return NULL; - } - - us = ngx_array_push(uscf->servers); - if (us == NULL) { - return NULL; - } - - ngx_memzero(us, sizeof(ngx_http_upstream_server_t)); - - us->addrs = u->addrs; - us->naddrs = 1; - } - - uscfp = ngx_array_push(&umcf->upstreams); - if (uscfp == NULL) { - return NULL; - } - - *uscfp = uscf; - - return uscf; -} - - -char * -ngx_http_upstream_bind_set_slot(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf) -{ - char *p = conf; - - ngx_int_t rc; - ngx_str_t *value; - ngx_http_complex_value_t cv; - ngx_http_upstream_local_t **plocal, *local; - ngx_http_compile_complex_value_t ccv; - - plocal = (ngx_http_upstream_local_t **) (p + cmd->offset); - - if (*plocal != NGX_CONF_UNSET_PTR) { - return "is duplicate"; - } - - value = cf->args->elts; - - if (cf->args->nelts == 2 && ngx_strcmp(value[1].data, "off") == 0) { - *plocal = NULL; - return NGX_CONF_OK; - } - - ngx_memzero(&ccv, sizeof(ngx_http_compile_complex_value_t)); - - ccv.cf = cf; - ccv.value = &value[1]; - ccv.complex_value = &cv; - - if (ngx_http_compile_complex_value(&ccv) != NGX_OK) { - return NGX_CONF_ERROR; - } - - local = ngx_pcalloc(cf->pool, sizeof(ngx_http_upstream_local_t)); - if (local == NULL) { - return NGX_CONF_ERROR; - } - - *plocal = local; - - if (cv.lengths) { - local->value = ngx_palloc(cf->pool, sizeof(ngx_http_complex_value_t)); - if (local->value == NULL) { - return NGX_CONF_ERROR; - } - - *local->value = cv; - - } else { - local->addr = ngx_palloc(cf->pool, sizeof(ngx_addr_t)); - if (local->addr == NULL) { - return NGX_CONF_ERROR; - } - - rc = ngx_parse_addr_port(cf->pool, local->addr, value[1].data, - value[1].len); - - switch (rc) { - case NGX_OK: - local->addr->name = value[1]; - break; - - case NGX_DECLINED: - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid address \"%V\"", &value[1]); - /* fall through */ - - default: - return NGX_CONF_ERROR; - } - } - - if (cf->args->nelts > 2) { - if (ngx_strcmp(value[2].data, "transparent") == 0) { -#if (NGX_HAVE_TRANSPARENT_PROXY) - local->transparent = 1; -#else - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "transparent proxying is not supported " - "on this platform, ignored"); -#endif - } else { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid parameter \"%V\"", &value[2]); - return NGX_CONF_ERROR; - } - } - - return NGX_CONF_OK; -} - - -static ngx_int_t -ngx_http_upstream_set_local(ngx_http_request_t *r, ngx_http_upstream_t *u, - ngx_http_upstream_local_t *local) -{ - ngx_int_t rc; - ngx_str_t val; - ngx_addr_t *addr; - - if (local == NULL) { - u->peer.local = NULL; - return NGX_OK; - } - -#if (NGX_HAVE_TRANSPARENT_PROXY) - u->peer.transparent = local->transparent; -#endif - - if (local->value == NULL) { - u->peer.local = local->addr; - return NGX_OK; - } - - if (ngx_http_complex_value(r, local->value, &val) != NGX_OK) { - return NGX_ERROR; - } - - if (val.len == 0) { - return NGX_OK; - } - - addr = ngx_palloc(r->pool, sizeof(ngx_addr_t)); - if (addr == NULL) { - return NGX_ERROR; - } - - rc = ngx_parse_addr_port(r->pool, addr, val.data, val.len); - if (rc == NGX_ERROR) { - return NGX_ERROR; - } - - if (rc != NGX_OK) { - ngx_log_error(NGX_LOG_ERR, r->connection->log, 0, - "invalid local address \"%V\"", &val); - return NGX_OK; - } - - addr->name = val; - u->peer.local = addr; - - return NGX_OK; -} - - -char * -ngx_http_upstream_param_set_slot(ngx_conf_t *cf, ngx_command_t *cmd, - void *conf) -{ - char *p = conf; - - ngx_str_t *value; - ngx_array_t **a; - ngx_http_upstream_param_t *param; - - a = (ngx_array_t **) (p + cmd->offset); - - if (*a == NULL) { - *a = ngx_array_create(cf->pool, 4, sizeof(ngx_http_upstream_param_t)); - if (*a == NULL) { - return NGX_CONF_ERROR; - } - } - - param = ngx_array_push(*a); - if (param == NULL) { - return NGX_CONF_ERROR; - } - - value = cf->args->elts; - - param->key = value[1]; - param->value = value[2]; - param->skip_empty = 0; - - if (cf->args->nelts == 4) { - if (ngx_strcmp(value[3].data, "if_not_empty") != 0) { - ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, - "invalid parameter \"%V\"", &value[3]); - return NGX_CONF_ERROR; - } - - param->skip_empty = 1; - } - - return NGX_CONF_OK; -} - - -ngx_int_t -ngx_http_upstream_hide_headers_hash(ngx_conf_t *cf, - ngx_http_upstream_conf_t *conf, ngx_http_upstream_conf_t *prev, - ngx_str_t *default_hide_headers, ngx_hash_init_t *hash) -{ - ngx_str_t *h; - ngx_uint_t i, j; - ngx_array_t hide_headers; - ngx_hash_key_t *hk; - - if (conf->hide_headers == NGX_CONF_UNSET_PTR - && conf->pass_headers == NGX_CONF_UNSET_PTR) - { - conf->hide_headers = prev->hide_headers; - conf->pass_headers = prev->pass_headers; - - conf->hide_headers_hash = prev->hide_headers_hash; - - if (conf->hide_headers_hash.buckets -#if (NGX_HTTP_CACHE) - && ((conf->cache == 0) == (prev->cache == 0)) -#endif - ) - { - return NGX_OK; - } - - } else { - if (conf->hide_headers == NGX_CONF_UNSET_PTR) { - conf->hide_headers = prev->hide_headers; - } - - if (conf->pass_headers == NGX_CONF_UNSET_PTR) { - conf->pass_headers = prev->pass_headers; - } - } - - if (ngx_array_init(&hide_headers, cf->temp_pool, 4, sizeof(ngx_hash_key_t)) - != NGX_OK) - { - return NGX_ERROR; - } - - for (h = default_hide_headers; h->len; h++) { - hk = ngx_array_push(&hide_headers); - if (hk == NULL) { - return NGX_ERROR; - } - - hk->key = *h; - hk->key_hash = ngx_hash_key_lc(h->data, h->len); - hk->value = (void *) 1; - } - - if (conf->hide_headers != NGX_CONF_UNSET_PTR) { - - h = conf->hide_headers->elts; - - for (i = 0; i < conf->hide_headers->nelts; i++) { - - hk = hide_headers.elts; - - for (j = 0; j < hide_headers.nelts; j++) { - if (ngx_strcasecmp(h[i].data, hk[j].key.data) == 0) { - goto exist; - } - } - - hk = ngx_array_push(&hide_headers); - if (hk == NULL) { - return NGX_ERROR; - } - - hk->key = h[i]; - hk->key_hash = ngx_hash_key_lc(h[i].data, h[i].len); - hk->value = (void *) 1; - - exist: - - continue; - } - } - - if (conf->pass_headers != NGX_CONF_UNSET_PTR) { - - h = conf->pass_headers->elts; - hk = hide_headers.elts; - - for (i = 0; i < conf->pass_headers->nelts; i++) { - for (j = 0; j < hide_headers.nelts; j++) { - - if (hk[j].key.data == NULL) { - continue; - } - - if (ngx_strcasecmp(h[i].data, hk[j].key.data) == 0) { - hk[j].key.data = NULL; - break; - } - } - } - } - - hash->hash = &conf->hide_headers_hash; - hash->key = ngx_hash_key_lc; - hash->pool = cf->pool; - hash->temp_pool = NULL; - - return ngx_hash_init(hash, hide_headers.elts, hide_headers.nelts); -} - - -static void * -ngx_http_upstream_create_main_conf(ngx_conf_t *cf) -{ - ngx_http_upstream_main_conf_t *umcf; - - umcf = ngx_pcalloc(cf->pool, sizeof(ngx_http_upstream_main_conf_t)); - if (umcf == NULL) { - return NULL; - } - - if (ngx_array_init(&umcf->upstreams, cf->pool, 4, - sizeof(ngx_http_upstream_srv_conf_t *)) - != NGX_OK) - { - return NULL; - } - - return umcf; -} - - -static char * -ngx_http_upstream_init_main_conf(ngx_conf_t *cf, void *conf) -{ - ngx_http_upstream_main_conf_t *umcf = conf; - - ngx_uint_t i; - ngx_array_t headers_in; - ngx_hash_key_t *hk; - ngx_hash_init_t hash; - ngx_http_upstream_init_pt init; - ngx_http_upstream_header_t *header; - ngx_http_upstream_srv_conf_t **uscfp; - - uscfp = umcf->upstreams.elts; - - for (i = 0; i < umcf->upstreams.nelts; i++) { - - init = uscfp[i]->peer.init_upstream ? uscfp[i]->peer.init_upstream: - ngx_http_upstream_init_round_robin; - - if (init(cf, uscfp[i]) != NGX_OK) { - return NGX_CONF_ERROR; - } - } - - - /* upstream_headers_in_hash */ - - if (ngx_array_init(&headers_in, cf->temp_pool, 32, sizeof(ngx_hash_key_t)) - != NGX_OK) - { - return NGX_CONF_ERROR; - } - - for (header = ngx_http_upstream_headers_in; header->name.len; header++) { - hk = ngx_array_push(&headers_in); - if (hk == NULL) { - return NGX_CONF_ERROR; - } - - hk->key = header->name; - hk->key_hash = ngx_hash_key_lc(header->name.data, header->name.len); - hk->value = header; - } - - hash.hash = &umcf->headers_in_hash; - hash.key = ngx_hash_key_lc; - hash.max_size = 512; - hash.bucket_size = ngx_align(64, ngx_cacheline_size); - hash.name = "upstream_headers_in_hash"; - hash.pool = cf->pool; - hash.temp_pool = NULL; - - if (ngx_hash_init(&hash, headers_in.elts, headers_in.nelts) != NGX_OK) { - return NGX_CONF_ERROR; - } - - return NGX_CONF_OK; -}