From 7de28cfcdb0e28a423e5b5bb68152f0e86ac1bab Mon Sep 17 00:00:00 2001 From: Jon Carl Date: Tue, 2 Jul 2024 07:25:59 -0600 Subject: [PATCH] add ssl patches to nginx-1.25 image for coroutines to work in lua client hello and cert ssl blocks (#11485) * feat: add ssl patches for coroutines to work in lua ssl blocks Signed-off-by: Jon Carl * switch to include more patches Signed-off-by: Jon Carl --------- Signed-off-by: Jon Carl --- ...as-root.patch => 00_drop-alias-root.patch} | 0 .../01_nginx-1.25.3-win32_max_err_str.patch | 15 + ..._nginx-1.25.3-stream_balancer_export.patch | 53 ++++ ...stream_proxy_get_next_upstream_tries.patch | 31 +++ ...x-1.25.3-stream_proxy_timeout_fields.patch | 178 ++++++++++++ ...nx-1.25.3-stream_ssl_preread_no_skip.patch | 13 + ...6_nginx-1.25.3-resolver_conf_parsing.patch | 263 ++++++++++++++++++ .../07_nginx-1.25.3-daemon_destroy_pool.patch | 12 + ...nginx-1.25.3-init_cycle_pool_release.patch | 59 ++++ ...09_nginx-1.25.3-balancer_status_code.patch | 72 +++++ ...0_nginx-1.25.3-delayed_posted_events.patch | 98 +++++++ ...ginx-1.25.3-privileged_agent_process.patch | 203 ++++++++++++++ ...privileged_agent_process_connections.patch | 73 +++++ ...privileged_agent_process_thread_pool.patch | 12 + ...-1.25.3-single_process_graceful_exit.patch | 75 +++++ .../15_nginx-1.25.3-intercept_error_log.patch | 60 ++++ .../16_nginx-1.25.3-upstream_pipelining.patch | 23 ++ .../17_nginx-1.25.3-no_error_pages.patch | 91 ++++++ .../patches/18_nginx-1.25.3-no_Werror.patch | 36 +++ ...19_nginx-1.25.3-log_escape_non_ascii.patch | 117 ++++++++ ...20_nginx-1.25.3-proxy_host_port_vars.patch | 19 ++ .../21_nginx-1.25.3-cache_manager_exit.patch | 19 ++ ...22_nginx-1.25.3-larger_max_error_str.patch | 13 + .../23_nginx-1.25.3-pcre_conf_opt.patch | 26 ++ ....25.3-always_enable_cc_feature_tests.patch | 11 + .../25_nginx-1.25.3-ssl_cert_cb_yield.patch | 64 +++++ .../26_nginx-1.25.3-ssl_sess_cb_yield.patch | 41 +++ ...inx-1.25.3-ssl_client_hello_cb_yield.patch | 38 +++ ...nginx-1.25.3-upstream_timeout_fields.patch | 112 ++++++++ ...inx-1.25.3-safe_resolver_ipv6_option.patch | 60 ++++ .../30_nginx-1.25.3-socket_cloexec.patch | 185 ++++++++++++ ...nx-1.25.3-reuseport_close_unused_fds.patch | 38 +++ 32 files changed, 2110 insertions(+) rename images/nginx-1.25/rootfs/patches/{drop-alias-root.patch => 00_drop-alias-root.patch} (100%) create mode 100644 images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch create mode 100644 images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch create mode 100644 images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch create mode 100644 images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch create mode 100644 images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch create mode 100644 images/nginx-1.25/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch create mode 100644 images/nginx-1.25/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch create mode 100644 images/nginx-1.25/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch create mode 100644 images/nginx-1.25/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch create mode 100644 images/nginx-1.25/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch create mode 100644 images/nginx-1.25/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch create mode 100644 images/nginx-1.25/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch create mode 100644 images/nginx-1.25/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch create mode 100644 images/nginx-1.25/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch create mode 100644 images/nginx-1.25/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch create mode 100644 images/nginx-1.25/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch create mode 100644 images/nginx-1.25/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch create mode 100644 images/nginx-1.25/rootfs/patches/18_nginx-1.25.3-no_Werror.patch create mode 100644 images/nginx-1.25/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch create mode 100644 images/nginx-1.25/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch create mode 100644 images/nginx-1.25/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch create mode 100644 images/nginx-1.25/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch create mode 100644 images/nginx-1.25/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch create mode 100644 images/nginx-1.25/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch create mode 100644 images/nginx-1.25/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch create mode 100644 images/nginx-1.25/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch create mode 100644 images/nginx-1.25/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch create mode 100644 images/nginx-1.25/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch create mode 100644 images/nginx-1.25/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch create mode 100644 images/nginx-1.25/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch create mode 100644 images/nginx-1.25/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch diff --git a/images/nginx-1.25/rootfs/patches/drop-alias-root.patch b/images/nginx-1.25/rootfs/patches/00_drop-alias-root.patch similarity index 100% rename from images/nginx-1.25/rootfs/patches/drop-alias-root.patch rename to images/nginx-1.25/rootfs/patches/00_drop-alias-root.patch diff --git a/images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch b/images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch new file mode 100644 index 000000000..8c3ba2791 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/01_nginx-1.25.3-win32_max_err_str.patch @@ -0,0 +1,15 @@ +diff --git a/src/os/win32/ngx_event_log.c b/src/os/win32/ngx_event_log.c +index e11ed1e8..dce8eddd 100644 +--- a/src/os/win32/ngx_event_log.c ++++ b/src/os/win32/ngx_event_log.c +@@ -8,7 +8,9 @@ + #include + + +-#define NGX_MAX_ERROR_STR 2048 ++#ifndef NGX_MAX_ERROR_STR ++#define NGX_MAX_ERROR_STR 4096 ++#endif + + + void ngx_cdecl diff --git a/images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch b/images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch new file mode 100644 index 000000000..f56bc5257 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/02_nginx-1.25.3-stream_balancer_export.patch @@ -0,0 +1,53 @@ +diff --git a/src/stream/ngx_stream_upstream_round_robin.c b/src/stream/ngx_stream_upstream_round_robin.c +index 526de3a..b531ce1 100644 +--- a/src/stream/ngx_stream_upstream_round_robin.c ++++ b/src/stream/ngx_stream_upstream_round_robin.c +@@ -21,10 +21,6 @@ static void ngx_stream_upstream_notify_round_robin_peer( + + #if (NGX_STREAM_SSL) + +-static ngx_int_t ngx_stream_upstream_set_round_robin_peer_session( +- ngx_peer_connection_t *pc, void *data); +-static void ngx_stream_upstream_save_round_robin_peer_session( +- ngx_peer_connection_t *pc, void *data); + static ngx_int_t ngx_stream_upstream_empty_set_session( + ngx_peer_connection_t *pc, void *data); + static void ngx_stream_upstream_empty_save_session(ngx_peer_connection_t *pc, +@@ -690,7 +686,7 @@ ngx_stream_upstream_notify_round_robin_peer(ngx_peer_connection_t *pc, + + #if (NGX_STREAM_SSL) + +-static ngx_int_t ++ngx_int_t + ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc, + void *data) + { +@@ -756,7 +752,7 @@ ngx_stream_upstream_set_round_robin_peer_session(ngx_peer_connection_t *pc, + } + + +-static void ++void + ngx_stream_upstream_save_round_robin_peer_session(ngx_peer_connection_t *pc, + void *data) + { +diff --git a/src/stream/ngx_stream_upstream_round_robin.h b/src/stream/ngx_stream_upstream_round_robin.h +index 35d9fce..75f3e31 100644 +--- a/src/stream/ngx_stream_upstream_round_robin.h ++++ b/src/stream/ngx_stream_upstream_round_robin.h +@@ -142,5 +142,15 @@ ngx_int_t ngx_stream_upstream_get_round_robin_peer(ngx_peer_connection_t *pc, + void ngx_stream_upstream_free_round_robin_peer(ngx_peer_connection_t *pc, + void *data, ngx_uint_t state); + ++#if (NGX_STREAM_SSL) ++ngx_int_t ngx_stream_upstream_set_round_robin_peer_session( ++ ngx_peer_connection_t *pc, void *data); ++void ngx_stream_upstream_save_round_robin_peer_session( ++ ngx_peer_connection_t *pc, void *data); ++#endif ++ ++ ++#define HAVE_NGX_STREAM_BALANCER_EXPORT_PATCH 1 ++ + + #endif /* _NGX_STREAM_UPSTREAM_ROUND_ROBIN_H_INCLUDED_ */ diff --git a/images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch b/images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch new file mode 100644 index 000000000..cb881f070 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/03_nginx-1.25.3-stream_proxy_get_next_upstream_tries.patch @@ -0,0 +1,31 @@ +diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h +index 09d2459..de92724 100644 +--- a/src/stream/ngx_stream.h ++++ b/src/stream/ngx_stream.h +@@ -303,4 +303,7 @@ typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s, + extern ngx_stream_filter_pt ngx_stream_top_filter; + + ++#define HAS_NGX_STREAM_PROXY_GET_NEXT_UPSTREAM_TRIES_PATCH 1 ++ ++ + #endif /* _NGX_STREAM_H_INCLUDED_ */ +diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c +index 0afde1c..3254ce1 100644 +--- a/src/stream/ngx_stream_proxy_module.c ++++ b/src/stream/ngx_stream_proxy_module.c +@@ -2156,3 +2156,14 @@ ngx_stream_proxy_bind(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) + + return NGX_CONF_OK; + } ++ ++ ++ngx_uint_t ++ngx_stream_proxy_get_next_upstream_tries(ngx_stream_session_t *s) ++{ ++ ngx_stream_proxy_srv_conf_t *pscf; ++ ++ pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); ++ ++ return pscf->next_upstream_tries; ++} diff --git a/images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch b/images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch new file mode 100644 index 000000000..39c59e206 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/04_nginx-1.25.3-stream_proxy_timeout_fields.patch @@ -0,0 +1,178 @@ +diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream.h nginx-1.25.3-patched/src/stream/ngx_stream.h +--- nginx-1.25.3/src/stream/ngx_stream.h 2021-11-04 21:27:55.288708527 +0800 ++++ nginx-1.25.3-patched/src/stream/ngx_stream.h 2021-11-04 21:28:50.768035209 +0800 +@@ -254,6 +254,15 @@ typedef struct { + } ngx_stream_module_t; + + ++typedef struct { ++ ngx_msec_t connect_timeout; ++ ngx_msec_t timeout; ++} ngx_stream_proxy_ctx_t; ++ ++ ++#define NGX_STREAM_HAVE_PROXY_TIMEOUT_FIELDS_PATCH 1 ++ ++ + #define NGX_STREAM_MODULE 0x4d525453 /* "STRM" */ + + #define NGX_STREAM_MAIN_CONF 0x02000000 +@@ -307,6 +316,7 @@ void ngx_stream_finalize_session(ngx_str + extern ngx_module_t ngx_stream_module; + extern ngx_uint_t ngx_stream_max_module; + extern ngx_module_t ngx_stream_core_module; ++extern ngx_module_t ngx_stream_proxy_module; + + + typedef ngx_int_t (*ngx_stream_filter_pt)(ngx_stream_session_t *s, +diff -u -r -p -Naur nginx-1.25.3/src/stream/ngx_stream_proxy_module.c nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c +--- nginx-1.25.3/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:27:55.289708533 +0800 ++++ nginx-1.25.3-patched/src/stream/ngx_stream_proxy_module.c 2021-11-04 21:37:03.578936990 +0800 +@@ -400,6 +400,7 @@ ngx_stream_proxy_handler(ngx_stream_sess + ngx_stream_proxy_srv_conf_t *pscf; + ngx_stream_upstream_srv_conf_t *uscf, **uscfp; + ngx_stream_upstream_main_conf_t *umcf; ++ ngx_stream_proxy_ctx_t *pctx; + + c = s->connection; + +@@ -408,6 +409,17 @@ ngx_stream_proxy_handler(ngx_stream_sess + ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0, + "proxy connection handler"); + ++ pctx = ngx_palloc(c->pool, sizeof(ngx_stream_proxy_ctx_t)); ++ if (pctx == NULL) { ++ ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); ++ return; ++ } ++ ++ pctx->connect_timeout = pscf->connect_timeout; ++ pctx->timeout = pscf->timeout; ++ ++ ngx_stream_set_ctx(s, pctx, ngx_stream_proxy_module); ++ + u = ngx_pcalloc(c->pool, sizeof(ngx_stream_upstream_t)); + if (u == NULL) { + ngx_stream_proxy_finalize(s, NGX_STREAM_INTERNAL_SERVER_ERROR); +@@ -699,6 +711,7 @@ ngx_stream_proxy_connect(ngx_stream_sess + ngx_connection_t *c, *pc; + ngx_stream_upstream_t *u; + ngx_stream_proxy_srv_conf_t *pscf; ++ ngx_stream_proxy_ctx_t *ctx; + + c = s->connection; + +@@ -706,6 +719,8 @@ ngx_stream_proxy_connect(ngx_stream_sess + + pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); + ++ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); ++ + u = s->upstream; + + u->connected = 0; +@@ -774,7 +789,7 @@ ngx_stream_proxy_connect(ngx_stream_sess + pc->read->handler = ngx_stream_proxy_connect_handler; + pc->write->handler = ngx_stream_proxy_connect_handler; + +- ngx_add_timer(pc->write, pscf->connect_timeout); ++ ngx_add_timer(pc->write, ctx->connect_timeout); + } + + +@@ -957,12 +957,14 @@ ngx_stream_proxy_init_upstream(ngx_stream_session_t *s) + static ngx_int_t + ngx_stream_proxy_send_proxy_protocol(ngx_stream_session_t *s) + { +- u_char *p; +- ssize_t n, size; +- ngx_connection_t *c, *pc; +- ngx_stream_upstream_t *u; +- ngx_stream_proxy_srv_conf_t *pscf; +- u_char buf[NGX_PROXY_PROTOCOL_V1_MAX_HEADER]; ++ u_char *p; ++ u_char buf[NGX_PROXY_PROTOCOL_V1_MAX_HEADER]; ++ ssize_t n, size; ++ ngx_connection_t *c, *pc; ++ ngx_stream_upstream_t *u; ++ ngx_stream_proxy_ctx_t *ctx; ++ ++ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); + + c = s->connection; + +@@ -976,9 +993,7 @@ ngx_stream_proxy_send_proxy_protocol(ngx + return NGX_ERROR; + } + +- pscf = ngx_stream_get_module_srv_conf(s, ngx_stream_proxy_module); +- +- ngx_add_timer(pc->write, pscf->timeout); ++ ngx_add_timer(pc->write, ctx->timeout); + + pc->write->handler = ngx_stream_proxy_connect_handler; + +@@ -1053,6 +1068,9 @@ ngx_stream_proxy_ssl_init_connection(ngx + ngx_connection_t *pc; + ngx_stream_upstream_t *u; + ngx_stream_proxy_srv_conf_t *pscf; ++ ngx_stream_proxy_ctx_t *ctx; ++ ++ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); + + u = s->upstream; + +@@ -1099,7 +1117,7 @@ ngx_stream_proxy_ssl_init_connection(ngx + if (rc == NGX_AGAIN) { + + if (!pc->write->timer_set) { +- ngx_add_timer(pc->write, pscf->connect_timeout); ++ ngx_add_timer(pc->write, ctx->connect_timeout); + } + + pc->ssl->handler = ngx_stream_proxy_ssl_handshake; +@@ -1408,6 +1426,7 @@ ngx_stream_proxy_process_connection(ngx_ + ngx_stream_session_t *s; + ngx_stream_upstream_t *u; + ngx_stream_proxy_srv_conf_t *pscf; ++ ngx_stream_proxy_ctx_t *ctx; + + c = ev->data; + s = c->data; +@@ -1419,6 +1438,8 @@ ngx_stream_proxy_process_connection(ngx_ + return; + } + ++ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); ++ + c = s->connection; + pc = u->peer.connection; + +@@ -1438,7 +1459,7 @@ ngx_stream_proxy_process_connection(ngx_ + } + + if (u->connected && !c->read->delayed && !pc->read->delayed) { +- ngx_add_timer(c->write, pscf->timeout); ++ ngx_add_timer(c->write, ctx->timeout); + } + + return; +@@ -1600,6 +1621,9 @@ ngx_stream_proxy_process(ngx_stream_sess + ngx_log_handler_pt handler; + ngx_stream_upstream_t *u; + ngx_stream_proxy_srv_conf_t *pscf; ++ ngx_stream_proxy_ctx_t *ctx; ++ ++ ctx = ngx_stream_get_module_ctx(s, ngx_stream_proxy_module); + + u = s->upstream; + +@@ -1807,7 +1831,7 @@ ngx_stream_proxy_process(ngx_stream_sess + } + + if (!c->read->delayed && !pc->read->delayed) { +- ngx_add_timer(c->write, pscf->timeout); ++ ngx_add_timer(c->write, ctx->timeout); + + } else if (c->write->timer_set) { + ngx_del_timer(c->write); diff --git a/images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch b/images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch new file mode 100644 index 000000000..e45e9f69a --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/05_nginx-1.25.3-stream_ssl_preread_no_skip.patch @@ -0,0 +1,13 @@ +diff --git a/src/stream/ngx_stream_ssl_preread_module.c b/src/stream/ngx_stream_ssl_preread_module.c +index e3d11fd9..3717b5fe 100644 +--- a/src/stream/ngx_stream_ssl_preread_module.c ++++ b/src/stream/ngx_stream_ssl_preread_module.c +@@ -159,7 +159,7 @@ ngx_stream_ssl_preread_handler(ngx_stream_session_t *s) + + rc = ngx_stream_ssl_preread_parse_record(ctx, p, p + len); + if (rc != NGX_AGAIN) { +- return rc; ++ return rc == NGX_OK ? NGX_DECLINED : rc; + } + + p += len; diff --git a/images/nginx-1.25/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch b/images/nginx-1.25/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch new file mode 100644 index 000000000..8638cdf2a --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/06_nginx-1.25.3-resolver_conf_parsing.patch @@ -0,0 +1,263 @@ +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index cd55520c..dade1846 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -9,12 +9,26 @@ + #include + #include + ++#if !(NGX_WIN32) ++#include ++#endif ++ + + #define NGX_RESOLVER_UDP_SIZE 4096 + + #define NGX_RESOLVER_TCP_RSIZE (2 + 65535) + #define NGX_RESOLVER_TCP_WSIZE 8192 + ++#if !(NGX_WIN32) ++/* ++ * note that 2KB should be more than enough for majority of the ++ * resolv.conf files out there. it also acts as a safety guard to prevent ++ * abuse. ++ */ ++#define NGX_RESOLVER_FILE_BUF_SIZE 2048 ++#define NGX_RESOLVER_FILE_NAME "/etc/resolv.conf" ++#endif ++ + + typedef struct { + u_char ident_hi; +@@ -131,6 +145,191 @@ static ngx_resolver_node_t *ngx_resolver_lookup_addr6(ngx_resolver_t *r, + #endif + + ++#if !(NGX_WIN32) ++static ngx_int_t ++ngx_resolver_read_resolv_conf(ngx_conf_t *cf, ngx_resolver_t *r, u_char *path, ++ size_t path_len) ++{ ++ ngx_url_t u; ++ ngx_resolver_connection_t *rec; ++ ngx_fd_t fd; ++ ngx_file_t file; ++ u_char buf[NGX_RESOLVER_FILE_BUF_SIZE]; ++ u_char ipv6_buf[NGX_INET6_ADDRSTRLEN]; ++ ngx_uint_t address = 0, j, total = 0; ++ ssize_t n, i; ++ enum { ++ sw_nameserver, ++ sw_spaces, ++ sw_address, ++ sw_skip ++ } state; ++ ++ file.name.data = path; ++ file.name.len = path_len; ++ ++ if (ngx_conf_full_name(cf->cycle, &file.name, 1) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ fd = ngx_open_file(file.name.data, NGX_FILE_RDONLY, ++ NGX_FILE_OPEN, 0); ++ ++ if (fd == NGX_INVALID_FILE) { ++ ngx_conf_log_error(NGX_LOG_EMERG, cf, ngx_errno, ++ ngx_open_file_n " \"%s\" failed", file.name.data); ++ ++ return NGX_ERROR; ++ } ++ ++ ngx_memzero(&file, sizeof(ngx_file_t)); ++ ++ file.fd = fd; ++ file.log = cf->log; ++ ++ state = sw_nameserver; ++ ++ n = ngx_read_file(&file, buf, NGX_RESOLVER_FILE_BUF_SIZE, 0); ++ ++ if (n == NGX_ERROR) { ++ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, ++ ngx_read_file_n " \"%s\" failed", file.name.data); ++ } ++ ++ if (ngx_close_file(file.fd) == NGX_FILE_ERROR) { ++ ngx_conf_log_error(NGX_LOG_ALERT, cf, ngx_errno, ++ ngx_close_file_n " \"%s\" failed", file.name.data); ++ } ++ ++ if (n == NGX_ERROR) { ++ return NGX_ERROR; ++ } ++ ++ if (n == 0) { ++ return NGX_OK; ++ } ++ ++ for (i = 0; i < n && total < MAXNS; /* void */) { ++ if (buf[i] == '#' || buf[i] == ';') { ++ state = sw_skip; ++ } ++ ++ switch (state) { ++ ++ case sw_nameserver: ++ ++ if ((size_t) n - i >= sizeof("nameserver") - 1 ++ && ngx_memcmp(buf + i, "nameserver", ++ sizeof("nameserver") - 1) == 0) ++ { ++ state = sw_spaces; ++ i += sizeof("nameserver") - 1; ++ ++ continue; ++ } ++ ++ break; ++ ++ case sw_spaces: ++ if (buf[i] != '\t' && buf[i] != ' ') { ++ address = i; ++ state = sw_address; ++ } ++ ++ break; ++ ++ case sw_address: ++ ++ if (buf[i] == CR || buf[i] == LF || i == n - 1) { ++ ngx_memzero(&u, sizeof(ngx_url_t)); ++ ++ u.url.data = buf + address; ++ ++ if (i == n - 1 && buf[i] != CR && buf[i] != LF) { ++ u.url.len = n - address; ++ ++ } else { ++ u.url.len = i - address; ++ } ++ ++ u.default_port = 53; ++ ++ /* IPv6? */ ++ if (ngx_strlchr(u.url.data, u.url.data + u.url.len, ++ ':') != NULL) ++ { ++ if (u.url.len + 2 > sizeof(ipv6_buf)) { ++ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ++ "IPv6 resolver address is too long:" ++ " \"%V\"", &u.url); ++ ++ return NGX_ERROR; ++ } ++ ++ ipv6_buf[0] = '['; ++ ngx_memcpy(ipv6_buf + 1, u.url.data, u.url.len); ++ ipv6_buf[u.url.len + 1] = ']'; ++ ++ u.url.data = ipv6_buf; ++ u.url.len = u.url.len + 2; ++ } ++ ++ if (ngx_parse_url(cf->pool, &u) != NGX_OK) { ++ if (u.err) { ++ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ++ "%s in resolver \"%V\"", ++ u.err, &u.url); ++ } ++ ++ return NGX_ERROR; ++ } ++ ++ rec = ngx_array_push_n(&r->connections, u.naddrs); ++ if (rec == NULL) { ++ return NGX_ERROR; ++ } ++ ++ ngx_memzero(rec, u.naddrs * sizeof(ngx_resolver_connection_t)); ++ ++ for (j = 0; j < u.naddrs; j++) { ++ rec[j].sockaddr = u.addrs[j].sockaddr; ++ rec[j].socklen = u.addrs[j].socklen; ++ rec[j].server = u.addrs[j].name; ++ rec[j].resolver = r; ++ } ++ ++ total++; ++ ++#if (NGX_DEBUG) ++ /* ++ * logs with level below NGX_LOG_NOTICE will not be printed ++ * in this early phase ++ */ ++ ngx_conf_log_error(NGX_LOG_NOTICE, cf, 0, ++ "parsed a resolver: \"%V\"", &u.url); ++#endif ++ ++ state = sw_nameserver; ++ } ++ ++ break; ++ ++ case sw_skip: ++ if (buf[i] == CR || buf[i] == LF) { ++ state = sw_nameserver; ++ } ++ ++ break; ++ } ++ ++ i++; ++ } ++ ++ return NGX_OK; ++} ++#endif ++ ++ + ngx_resolver_t * + ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) + { +@@ -246,6 +445,39 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) + } + #endif + ++#if !(NGX_WIN32) ++ if (ngx_strncmp(names[i].data, "local=", 6) == 0) { ++ ++ if (ngx_strcmp(&names[i].data[6], "on") == 0) { ++ if (ngx_resolver_read_resolv_conf(cf, r, ++ (u_char *) ++ NGX_RESOLVER_FILE_NAME, ++ sizeof(NGX_RESOLVER_FILE_NAME) ++ - 1) ++ != NGX_OK) ++ { ++ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ++ "unable to parse local resolver"); ++ return NULL; ++ } ++ ++ } else if (ngx_strcmp(&names[i].data[6], "off") != 0) { ++ if (ngx_resolver_read_resolv_conf(cf, r, ++ &names[i].data[6], ++ names[i].len - 6) ++ != NGX_OK) ++ { ++ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ++ "unable to parse local resolver"); ++ return NULL; ++ } ++ ++ } ++ ++ continue; ++ } ++#endif ++ + ngx_memzero(&u, sizeof(ngx_url_t)); + + u.url = names[i]; diff --git a/images/nginx-1.25/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch b/images/nginx-1.25/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch new file mode 100644 index 000000000..5690b88f0 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/07_nginx-1.25.3-daemon_destroy_pool.patch @@ -0,0 +1,12 @@ +diff --git a/src/os/unix/ngx_daemon.c b/src/os/unix/ngx_daemon.c +index ab672110..f259af31 100644 +--- a/src/os/unix/ngx_daemon.c ++++ b/src/os/unix/ngx_daemon.c +@@ -23,6 +23,8 @@ ngx_daemon(ngx_log_t *log) + break; + + default: ++ /* just to make it ASAN or Valgrind clean */ ++ ngx_destroy_pool(ngx_cycle->pool); + exit(0); + } diff --git a/images/nginx-1.25/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch b/images/nginx-1.25/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch new file mode 100644 index 000000000..bd2e9a7d9 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/08_nginx-1.25.3-init_cycle_pool_release.patch @@ -0,0 +1,59 @@ +diff -rup nginx-1.25.3/src/core/nginx.c nginx-1.25.3-patched/src/core/nginx.c +--- nginx-1.25.3/src/core/nginx.c 2017-12-17 00:00:38.136470108 -0800 ++++ nginx-1.25.3-patched/src/core/nginx.c 2017-12-16 23:59:51.680958322 -0800 +@@ -186,6 +186,7 @@ static u_char *ngx_prefix; + static u_char *ngx_conf_file; + static u_char *ngx_conf_params; + static char *ngx_signal; ++ngx_pool_t *saved_init_cycle_pool = NULL; + + + static char **ngx_os_environ; +@@ -253,6 +254,8 @@ main(int argc, char *const *argv) + return 1; + } + ++ saved_init_cycle_pool = init_cycle.pool; ++ + if (ngx_save_argv(&init_cycle, argc, argv) != NGX_OK) { + return 1; + } +diff -rup nginx-1.25.3/src/core/ngx_core.h nginx-1.25.3-patched/src/core/ngx_core.h +--- nginx-1.25.3/src/core/ngx_core.h 2017-10-10 08:22:51.000000000 -0700 ++++ nginx-1.25.3-patched/src/core/ngx_core.h 2017-12-16 23:59:51.679958370 -0800 +@@ -108,4 +108,6 @@ void ngx_cpuinfo(void); + #define NGX_DISABLE_SYMLINKS_NOTOWNER 2 + #endif + ++extern ngx_pool_t *saved_init_cycle_pool; ++ + #endif /* _NGX_CORE_H_INCLUDED_ */ +diff -rup nginx-1.25.3/src/core/ngx_cycle.c nginx-1.25.3-patched/src/core/ngx_cycle.c +--- nginx-1.25.3/src/core/ngx_cycle.c 2017-10-10 08:22:51.000000000 -0700 ++++ nginx-1.25.3-patched/src/core/ngx_cycle.c 2017-12-16 23:59:51.678958419 -0800 +@@ -748,6 +748,10 @@ old_shm_zone_done: + + if (ngx_process == NGX_PROCESS_MASTER || ngx_is_init_cycle(old_cycle)) { + ++ if (ngx_is_init_cycle(old_cycle)) { ++ saved_init_cycle_pool = NULL; ++ } ++ + ngx_destroy_pool(old_cycle->pool); + cycle->old_cycle = NULL; + +diff -rup nginx-1.25.3/src/os/unix/ngx_process_cycle.c nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c +--- nginx-1.25.3/src/os/unix/ngx_process_cycle.c 2017-12-17 00:00:38.142469762 -0800 ++++ nginx-1.25.3-patched/src/os/unix/ngx_process_cycle.c 2017-12-16 23:59:51.691957791 -0800 +@@ -687,6 +692,11 @@ ngx_master_process_exit(ngx_cycle_t *cyc + ngx_exit_cycle.files_n = ngx_cycle->files_n; + ngx_cycle = &ngx_exit_cycle; + ++ if (saved_init_cycle_pool != NULL && saved_init_cycle_pool != cycle->pool) { ++ ngx_destroy_pool(saved_init_cycle_pool); ++ saved_init_cycle_pool = NULL; ++ } ++ + ngx_destroy_pool(cycle->pool); + + exit(0); diff --git a/images/nginx-1.25/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch b/images/nginx-1.25/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch new file mode 100644 index 000000000..c4d87e2fb --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/09_nginx-1.25.3-balancer_status_code.patch @@ -0,0 +1,72 @@ +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index f8d5707d..6efe0047 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -1515,6 +1515,11 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) + return; + } + ++ if (rc >= NGX_HTTP_SPECIAL_RESPONSE) { ++ ngx_http_upstream_finalize_request(r, u, rc); ++ return; ++ } ++ + u->state->peer = u->peer.name; + + if (rc == NGX_BUSY) { +diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h +index 3e714e5b..dfbb25e0 100644 +--- a/src/http/ngx_http_upstream.h ++++ b/src/http/ngx_http_upstream.h +@@ -427,4 +427,9 @@ extern ngx_conf_bitmask_t ngx_http_upstream_cache_method_mask[]; + extern ngx_conf_bitmask_t ngx_http_upstream_ignore_headers_masks[]; + + ++#ifndef HAVE_BALANCER_STATUS_CODE_PATCH ++#define HAVE_BALANCER_STATUS_CODE_PATCH ++#endif ++ ++ + #endif /* _NGX_HTTP_UPSTREAM_H_INCLUDED_ */ +diff --git a/src/stream/ngx_stream.h b/src/stream/ngx_stream.h +index 09d24593..d8b4b584 100644 +--- a/src/stream/ngx_stream.h ++++ b/src/stream/ngx_stream.h +@@ -27,6 +27,7 @@ typedef struct ngx_stream_session_s ngx_stream_session_t; + + + #define NGX_STREAM_OK 200 ++#define NGX_STREAM_SPECIAL_RESPONSE 300 + #define NGX_STREAM_BAD_REQUEST 400 + #define NGX_STREAM_FORBIDDEN 403 + #define NGX_STREAM_INTERNAL_SERVER_ERROR 500 +diff --git a/src/stream/ngx_stream_proxy_module.c b/src/stream/ngx_stream_proxy_module.c +index 818d7329..329dcdc6 100644 +--- a/src/stream/ngx_stream_proxy_module.c ++++ b/src/stream/ngx_stream_proxy_module.c +@@ -691,6 +691,11 @@ ngx_stream_proxy_connect(ngx_stream_session_t *s) + return; + } + ++ if (rc >= NGX_STREAM_SPECIAL_RESPONSE) { ++ ngx_stream_proxy_finalize(s, rc); ++ return; ++ } ++ + u->state->peer = u->peer.name; + + if (rc == NGX_BUSY) { +diff --git a/src/stream/ngx_stream_upstream.h b/src/stream/ngx_stream_upstream.h +index 73947f46..21bc0ad7 100644 +--- a/src/stream/ngx_stream_upstream.h ++++ b/src/stream/ngx_stream_upstream.h +@@ -151,4 +151,9 @@ ngx_stream_upstream_srv_conf_t *ngx_stream_upstream_add(ngx_conf_t *cf, + extern ngx_module_t ngx_stream_upstream_module; + + ++#ifndef HAVE_BALANCER_STATUS_CODE_PATCH ++#define HAVE_BALANCER_STATUS_CODE_PATCH ++#endif ++ ++ + #endif /* _NGX_STREAM_UPSTREAM_H_INCLUDED_ */ diff --git a/images/nginx-1.25/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch b/images/nginx-1.25/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch new file mode 100644 index 000000000..687584324 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/10_nginx-1.25.3-delayed_posted_events.patch @@ -0,0 +1,98 @@ +diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c +index 57af8132..4853945f 100644 +--- a/src/event/ngx_event.c ++++ b/src/event/ngx_event.c +@@ -196,6 +196,9 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) + ngx_uint_t flags; + ngx_msec_t timer, delta; + ++ ngx_queue_t *q; ++ ngx_event_t *ev; ++ + if (ngx_timer_resolution) { + timer = NGX_TIMER_INFINITE; + flags = 0; +@@ -215,6 +218,13 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) + #endif + } + ++ if (!ngx_queue_empty(&ngx_posted_delayed_events)) { ++ ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0, ++ "posted delayed event queue not empty" ++ " making poll timeout 0"); ++ timer = 0; ++ } ++ + if (ngx_use_accept_mutex) { + if (ngx_accept_disabled > 0) { + ngx_accept_disabled--; +@@ -257,6 +267,35 @@ ngx_process_events_and_timers(ngx_cycle_t *cycle) + } + + ngx_event_process_posted(cycle, &ngx_posted_events); ++ ++ while (!ngx_queue_empty(&ngx_posted_delayed_events)) { ++ q = ngx_queue_head(&ngx_posted_delayed_events); ++ ++ ev = ngx_queue_data(q, ngx_event_t, queue); ++ if (ev->delayed) { ++ /* start of newly inserted nodes */ ++ for (/* void */; ++ q != ngx_queue_sentinel(&ngx_posted_delayed_events); ++ q = ngx_queue_next(q)) ++ { ++ ev = ngx_queue_data(q, ngx_event_t, queue); ++ ev->delayed = 0; ++ ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0, ++ "skipping delayed posted event %p," ++ " till next iteration", ev); ++ } ++ ++ break; ++ } ++ ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, cycle->log, 0, ++ "delayed posted event %p", ev); ++ ++ ngx_delete_posted_event(ev); ++ ++ ev->handler(ev); ++ } + } + + +@@ -600,6 +639,7 @@ ngx_event_process_init(ngx_cycle_t *cycle) + + ngx_queue_init(&ngx_posted_accept_events); + ngx_queue_init(&ngx_posted_events); ++ ngx_queue_init(&ngx_posted_delayed_events); + + if (ngx_event_timer_init(cycle->log) == NGX_ERROR) { + return NGX_ERROR; +diff --git a/src/event/ngx_event_posted.c b/src/event/ngx_event_posted.c +index d851f3d1..b6cea009 100644 +--- a/src/event/ngx_event_posted.c ++++ b/src/event/ngx_event_posted.c +@@ -12,6 +12,7 @@ + + ngx_queue_t ngx_posted_accept_events; + ngx_queue_t ngx_posted_events; ++ngx_queue_t ngx_posted_delayed_events; + + + void +diff --git a/src/event/ngx_event_posted.h b/src/event/ngx_event_posted.h +index 145d30fe..6c388553 100644 +--- a/src/event/ngx_event_posted.h ++++ b/src/event/ngx_event_posted.h +@@ -43,6 +43,9 @@ void ngx_event_process_posted(ngx_cycle_t *cycle, ngx_queue_t *posted); + + extern ngx_queue_t ngx_posted_accept_events; + extern ngx_queue_t ngx_posted_events; ++extern ngx_queue_t ngx_posted_delayed_events; ++ ++#define HAVE_POSTED_DELAYED_EVENTS_PATCH + + + #endif /* _NGX_EVENT_POSTED_H_INCLUDED_ */ diff --git a/images/nginx-1.25/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch b/images/nginx-1.25/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch new file mode 100644 index 000000000..164004eba --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/11_nginx-1.25.3-privileged_agent_process.patch @@ -0,0 +1,203 @@ +diff --git a/src/core/nginx.c b/src/core/nginx.c +index 60f8fe7..4bd244b 100644 +--- a/src/core/nginx.c ++++ b/src/core/nginx.c +@@ -981,6 +981,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle) + + ccf->daemon = NGX_CONF_UNSET; + ccf->master = NGX_CONF_UNSET; ++ ccf->privileged_agent = NGX_CONF_UNSET; + ccf->timer_resolution = NGX_CONF_UNSET_MSEC; + + ccf->worker_processes = NGX_CONF_UNSET; +@@ -1009,6 +1010,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf) + + ngx_conf_init_value(ccf->daemon, 1); + ngx_conf_init_value(ccf->master, 1); ++ ngx_conf_init_value(ccf->privileged_agent, 0); + ngx_conf_init_msec_value(ccf->timer_resolution, 0); + + ngx_conf_init_value(ccf->worker_processes, 1); +diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h +index c51b7ff..3261f90 100644 +--- a/src/core/ngx_cycle.h ++++ b/src/core/ngx_cycle.h +@@ -22,6 +22,9 @@ + #define NGX_DEBUG_POINTS_ABORT 2 + + ++#define HAVE_PRIVILEGED_PROCESS_PATCH 1 ++ ++ + typedef struct ngx_shm_zone_s ngx_shm_zone_t; + + typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data); +@@ -81,6 +84,7 @@ struct ngx_cycle_s { + typedef struct { + ngx_flag_t daemon; + ngx_flag_t master; ++ ngx_flag_t privileged_agent; + + ngx_msec_t timer_resolution; + +diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c +index 7cee1c5..c4f70d6 100644 +--- a/src/os/unix/ngx_process_cycle.c ++++ b/src/os/unix/ngx_process_cycle.c +@@ -15,6 +15,8 @@ static void ngx_start_worker_processes(ngx_cycle_t *cycle, ngx_int_t n, + ngx_int_t type); + static void ngx_start_cache_manager_processes(ngx_cycle_t *cycle, + ngx_uint_t respawn); ++static void ngx_start_privileged_agent_processes(ngx_cycle_t *cycle, ++ ngx_uint_t respawn); + static void ngx_pass_open_channel(ngx_cycle_t *cycle); + static void ngx_signal_worker_processes(ngx_cycle_t *cycle, int signo); + static ngx_uint_t ngx_reap_children(ngx_cycle_t *cycle); +@@ -24,6 +26,7 @@ static void ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker); + static void ngx_worker_process_exit(ngx_cycle_t *cycle); + static void ngx_channel_handler(ngx_event_t *ev); + static void ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data); ++static void ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data); + static void ngx_cache_manager_process_handler(ngx_event_t *ev); + static void ngx_cache_loader_process_handler(ngx_event_t *ev); + +@@ -51,6 +54,8 @@ sig_atomic_t ngx_noaccept; + ngx_uint_t ngx_noaccepting; + ngx_uint_t ngx_restart; + ++ngx_uint_t ngx_is_privileged_agent; ++ + + static u_char master_process[] = "master process"; + +@@ -130,6 +135,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle) + ngx_start_worker_processes(cycle, ccf->worker_processes, + NGX_PROCESS_RESPAWN); + ngx_start_cache_manager_processes(cycle, 0); ++ ngx_start_privileged_agent_processes(cycle, 0); + + ngx_new_binary = 0; + delay = 0; +@@ -215,6 +221,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle) + ngx_start_worker_processes(cycle, ccf->worker_processes, + NGX_PROCESS_RESPAWN); + ngx_start_cache_manager_processes(cycle, 0); ++ ngx_start_privileged_agent_processes(cycle, 0); + ngx_noaccepting = 0; + + continue; +@@ -234,6 +241,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle) + ngx_start_worker_processes(cycle, ccf->worker_processes, + NGX_PROCESS_JUST_RESPAWN); + ngx_start_cache_manager_processes(cycle, 1); ++ ngx_start_privileged_agent_processes(cycle, 1); + + /* allow new processes to start */ + ngx_msleep(100); +@@ -248,6 +256,7 @@ ngx_master_process_cycle(ngx_cycle_t *cycle) + ngx_start_worker_processes(cycle, ccf->worker_processes, + NGX_PROCESS_RESPAWN); + ngx_start_cache_manager_processes(cycle, 0); ++ ngx_start_privileged_agent_processes(cycle, 0); + live = 1; + } + +@@ -393,6 +431,26 @@ ngx_start_cache_manager_processes(ngx_cycle_t *cycle, ngx_uint_t respawn) + + + static void ++ngx_start_privileged_agent_processes(ngx_cycle_t *cycle, ngx_uint_t respawn) ++{ ++ ngx_core_conf_t *ccf; ++ ++ ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ++ ngx_core_module); ++ ++ if (!ccf->privileged_agent) { ++ return; ++ } ++ ++ ngx_spawn_process(cycle, ngx_privileged_agent_process_cycle, ++ "privileged agent process", "privileged agent process", ++ respawn ? NGX_PROCESS_JUST_RESPAWN : NGX_PROCESS_RESPAWN); ++ ++ ngx_pass_open_channel(cycle); ++} ++ ++ ++static void + ngx_pass_open_channel(ngx_cycle_t *cycle) + { + ngx_int_t i; +@@ -794,7 +860,10 @@ ngx_worker_process_init(ngx_cycle_t *cycle, ngx_int_t worker) + } + } + +- if (geteuid() == 0) { ++ /* ++ * privileged agent process has the same permission as master process ++ */ ++ if (!ngx_is_privileged_agent && geteuid() == 0) { + if (setgid(ccf->group) == -1) { + ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_errno, + "setgid(%d) failed", ccf->group); +@@ -1149,6 +1216,47 @@ ngx_cache_manager_process_cycle(ngx_cycle_t *cycle, void *data) + + + static void ++ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data) ++{ ++ char *name = data; ++ ++ /* ++ * Set correct process type since closing listening Unix domain socket ++ * in a master process also removes the Unix domain socket file. ++ */ ++ ngx_process = NGX_PROCESS_HELPER; ++ ngx_is_privileged_agent = 1; ++ ++ ngx_close_listening_sockets(cycle); ++ ++ /* Set a moderate number of connections for a helper process. */ ++ cycle->connection_n = 512; ++ ++ ngx_worker_process_init(cycle, -1); ++ ++ ngx_use_accept_mutex = 0; ++ ++ ngx_setproctitle(name); ++ ++ for ( ;; ) { ++ ++ if (ngx_terminate || ngx_quit) { ++ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); ++ ngx_worker_process_exit(cycle); ++ } ++ ++ if (ngx_reopen) { ++ ngx_reopen = 0; ++ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reopening logs"); ++ ngx_reopen_files(cycle, -1); ++ } ++ ++ ngx_process_events_and_timers(cycle); ++ } ++} ++ ++ ++static void + ngx_cache_manager_process_handler(ngx_event_t *ev) + { + time_t next, n; +diff --git a/src/os/unix/ngx_process_cycle.h b/src/os/unix/ngx_process_cycle.h +index 69495d5..5149396 100644 +--- a/src/os/unix/ngx_process_cycle.h ++++ b/src/os/unix/ngx_process_cycle.h +@@ -45,6 +45,7 @@ extern ngx_pid_t ngx_new_binary; + extern ngx_uint_t ngx_inherited; + extern ngx_uint_t ngx_daemonized; + extern ngx_uint_t ngx_exiting; ++extern ngx_uint_t ngx_is_privileged_agent; + + extern sig_atomic_t ngx_reap; + extern sig_atomic_t ngx_sigio; diff --git a/images/nginx-1.25/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch b/images/nginx-1.25/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch new file mode 100644 index 000000000..5c38929cf --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/12_nginx-1.25.3-privileged_agent_process_connections.patch @@ -0,0 +1,73 @@ +diff --git a/src/core/nginx.c b/src/core/nginx.c +index 269ff84..48329bd 100644 +--- a/src/core/nginx.c ++++ b/src/core/nginx.c +@@ -1062,6 +1062,7 @@ ngx_core_module_create_conf(ngx_cycle_t *cycle) + ccf->daemon = NGX_CONF_UNSET; + ccf->master = NGX_CONF_UNSET; + ccf->privileged_agent = NGX_CONF_UNSET; ++ ccf->privileged_agent_connections = NGX_CONF_UNSET_UINT; + ccf->timer_resolution = NGX_CONF_UNSET_MSEC; + ccf->shutdown_timeout = NGX_CONF_UNSET_MSEC; + +@@ -1092,6 +1093,7 @@ ngx_core_module_init_conf(ngx_cycle_t *cycle, void *conf) + ngx_conf_init_value(ccf->daemon, 1); + ngx_conf_init_value(ccf->master, 1); + ngx_conf_init_value(ccf->privileged_agent, 0); ++ ngx_conf_init_uint_value(ccf->privileged_agent_connections, 512); + ngx_conf_init_msec_value(ccf->timer_resolution, 0); + ngx_conf_init_msec_value(ccf->shutdown_timeout, 0); + +diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h +index 6a9583e..4469390 100644 +--- a/src/core/ngx_cycle.h ++++ b/src/core/ngx_cycle.h +@@ -93,6 +93,7 @@ typedef struct { + ngx_flag_t daemon; + ngx_flag_t master; + ngx_flag_t privileged_agent; ++ ngx_uint_t privileged_agent_connections; + + ngx_msec_t timer_resolution; + ngx_msec_t shutdown_timeout; +diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c +index df25f9d..bd259c1 100644 +--- a/src/os/unix/ngx_process_cycle.c ++++ b/src/os/unix/ngx_process_cycle.c +@@ -1179,6 +1179,7 @@ static void + ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data) + { + char *name = data; ++ ngx_core_conf_t *ccf = (ngx_core_conf_t *) ngx_get_conf(cycle->conf_ctx, ngx_core_module); + + /* + * Set correct process type since closing listening Unix domain socket +@@ -1190,7 +1191,7 @@ ngx_privileged_agent_process_cycle(ngx_cycle_t *cycle, void *data) + ngx_close_listening_sockets(cycle); + + /* Set a moderate number of connections for a helper process. */ +- cycle->connection_n = 512; ++ cycle->connection_n = ccf->privileged_agent_connections; + + ngx_worker_process_init(cycle, -1); + +diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c +index df25f9d..bd259c1 100644 +--- a/src/os/unix/ngx_process_cycle.c ++++ b/src/os/unix/ngx_process_cycle.c +@@ -442,6 +442,15 @@ + return; + } + ++ /* 0 is an illegal value and may result in a core dump later */ ++ if (ccf->privileged_agent_connections == 0) { ++ ngx_log_error(NGX_LOG_ALERT, cycle->log, 0, ++ "%ui worker_connection is not enough, " ++ "privileged agent process cannot be spawned", ++ ccf->privileged_agent_connections); ++ return; ++ } ++ + ngx_spawn_process(cycle, ngx_privileged_agent_process_cycle, + "privileged agent process", "privileged agent process", + respawn ? NGX_PROCESS_JUST_RESPAWN : NGX_PROCESS_RESPAWN); diff --git a/images/nginx-1.25/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch b/images/nginx-1.25/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch new file mode 100644 index 000000000..829f21460 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/13_nginx-1.25.3-privileged_agent_process_thread_pool.patch @@ -0,0 +1,12 @@ +--- a/src/core/ngx_thread_pool.c ++++ b/src/core/ngx_thread_pool.c +@@ -587,7 +587,8 @@ + ngx_thread_pool_conf_t *tcf; + + if (ngx_process != NGX_PROCESS_WORKER +- && ngx_process != NGX_PROCESS_SINGLE) ++ && ngx_process != NGX_PROCESS_SINGLE ++ && !ngx_is_privileged_agent) + { + return NGX_OK; + } diff --git a/images/nginx-1.25/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch b/images/nginx-1.25/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch new file mode 100644 index 000000000..2754fc2fe --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/14_nginx-1.25.3-single_process_graceful_exit.patch @@ -0,0 +1,75 @@ +diff --git a/src/os/unix/ngx_process.c b/src/os/unix/ngx_process.c +index 15680237..12a8c687 100644 +--- a/src/os/unix/ngx_process.c ++++ b/src/os/unix/ngx_process.c +@@ -362,8 +362,15 @@ ngx_signal_handler(int signo, siginfo_t *siginfo, void *ucontext) + break; + + case ngx_signal_value(NGX_RECONFIGURE_SIGNAL): +- ngx_reconfigure = 1; +- action = ", reconfiguring"; ++ if (ngx_process == NGX_PROCESS_SINGLE) { ++ ngx_terminate = 1; ++ action = ", exiting"; ++ ++ } else { ++ ngx_reconfigure = 1; ++ action = ", reconfiguring"; ++ } ++ + break; + + case ngx_signal_value(NGX_REOPEN_SIGNAL): +diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c +index 5817a2c2..f3d58e97 100644 +--- a/src/os/unix/ngx_process_cycle.c ++++ b/src/os/unix/ngx_process_cycle.c +@@ -305,11 +305,26 @@ ngx_single_process_cycle(ngx_cycle_t *cycle) + } + + for ( ;; ) { ++ if (ngx_exiting) { ++ if (ngx_event_no_timers_left() == NGX_OK) { ++ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); ++ ++ for (i = 0; cycle->modules[i]; i++) { ++ if (cycle->modules[i]->exit_process) { ++ cycle->modules[i]->exit_process(cycle); ++ } ++ } ++ ++ ngx_master_process_exit(cycle); ++ } ++ } ++ + ngx_log_debug0(NGX_LOG_DEBUG_EVENT, cycle->log, 0, "worker cycle"); + + ngx_process_events_and_timers(cycle); + +- if (ngx_terminate || ngx_quit) { ++ if (ngx_terminate) { ++ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); + + for (i = 0; cycle->modules[i]; i++) { + if (cycle->modules[i]->exit_process) { +@@ -320,6 +335,20 @@ ngx_single_process_cycle(ngx_cycle_t *cycle) + ngx_master_process_exit(cycle); + } + ++ if (ngx_quit) { ++ ngx_quit = 0; ++ ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, ++ "gracefully shutting down"); ++ ngx_setproctitle("process is shutting down"); ++ ++ if (!ngx_exiting) { ++ ngx_exiting = 1; ++ ngx_set_shutdown_timer(cycle); ++ ngx_close_listening_sockets(cycle); ++ ngx_close_idle_connections(cycle); ++ } ++ } ++ + if (ngx_reconfigure) { + ngx_reconfigure = 0; + ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "reconfiguring"); diff --git a/images/nginx-1.25/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch b/images/nginx-1.25/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch new file mode 100644 index 000000000..5de769517 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/15_nginx-1.25.3-intercept_error_log.patch @@ -0,0 +1,60 @@ +diff --git a/src/core/ngx_cycle.h b/src/core/ngx_cycle.h +index c51b7ff..4c335b9 100644 +--- a/src/core/ngx_cycle.h ++++ b/src/core/ngx_cycle.h +@@ -22,9 +22,14 @@ + #define NGX_DEBUG_POINTS_ABORT 2 + + ++#define HAVE_INTERCEPT_ERROR_LOG_PATCH ++ ++ + typedef struct ngx_shm_zone_s ngx_shm_zone_t; + + typedef ngx_int_t (*ngx_shm_zone_init_pt) (ngx_shm_zone_t *zone, void *data); ++typedef ngx_int_t (*ngx_log_intercept_pt) (ngx_log_t *log, ngx_uint_t level, ++ u_char *buf, size_t len); + + struct ngx_shm_zone_s { + void *data; +@@ -75,6 +80,10 @@ struct ngx_cycle_s { + ngx_str_t prefix; + ngx_str_t lock_file; + ngx_str_t hostname; ++ ++ ngx_log_intercept_pt intercept_error_log_handler; ++ void *intercept_error_log_data; ++ unsigned entered_logger; /* :1 */ + }; + + +diff --git a/src/core/ngx_log.c b/src/core/ngx_log.c +index 8e9408d..ed9b11b 100644 +--- a/src/core/ngx_log.c ++++ b/src/core/ngx_log.c +@@ -112,6 +112,8 @@ ngx_log_error_core(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, + ngx_uint_t wrote_stderr, debug_connection; + u_char errstr[NGX_MAX_ERROR_STR]; + ++ ngx_log_intercept_pt log_intercept = NULL; ++ + last = errstr + NGX_MAX_ERROR_STR; + + p = ngx_cpymem(errstr, ngx_cached_err_log_time.data, +@@ -153,6 +155,16 @@ ngx_log_error_core(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, + p = last - NGX_LINEFEED_SIZE; + } + ++ if (ngx_cycle) { ++ log_intercept = ngx_cycle->intercept_error_log_handler; ++ } ++ ++ if (log_intercept && !ngx_cycle->entered_logger) { ++ ngx_cycle->entered_logger = 1; ++ log_intercept(log, level, errstr, p - errstr); ++ ngx_cycle->entered_logger = 0; ++ } ++ + ngx_linefeed(p); + + wrote_stderr = 0; diff --git a/images/nginx-1.25/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch b/images/nginx-1.25/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch new file mode 100644 index 000000000..aed80365a --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/16_nginx-1.25.3-upstream_pipelining.patch @@ -0,0 +1,23 @@ +commit f9907b72a76a21ac5413187b83177a919475c75f +Author: Yichun Zhang (agentzh) +Date: Wed Feb 10 16:05:08 2016 -0800 + + bugfix: upstream: keep sending request data after the first write attempt. + + See + http://mailman.nginx.org/pipermail/nginx-devel/2012-March/002040.html + for more details on the issue. + +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index 69019417..92b7c97f 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -2239,7 +2239,7 @@ ngx_http_upstream_send_request_handler(ngx_http_request_t *r, + + #endif + +- if (u->header_sent && !u->conf->preserve_output) { ++ if (u->request_body_sent && !u->conf->preserve_output) { + u->write_event_handler = ngx_http_upstream_dummy_handler; + + (void) ngx_handle_write_event(c->write, 0); diff --git a/images/nginx-1.25/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch b/images/nginx-1.25/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch new file mode 100644 index 000000000..aceb2e988 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/17_nginx-1.25.3-no_error_pages.patch @@ -0,0 +1,91 @@ +diff -upr nginx-1.25.3/src/http/ngx_http_core_module.c nginx-1.25.3-patched/src/http/ngx_http_core_module.c +--- nginx-1.25.3/src/http/ngx_http_core_module.c 2017-08-31 18:14:41.000000000 -0700 ++++ nginx-1.25.3-patched/src/http/ngx_http_core_module.c 2017-08-31 18:21:31.638098196 -0700 +@@ -64,6 +64,8 @@ static char *ngx_http_core_directio(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + static char *ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); ++static char *ngx_http_core_no_error_pages(ngx_conf_t *cf, ngx_command_t *cmd, ++ void *conf); + static char *ngx_http_core_open_file_cache(ngx_conf_t *cf, ngx_command_t *cmd, + void *conf); + static char *ngx_http_core_error_log(ngx_conf_t *cf, ngx_command_t *cmd, +@@ -671,6 +673,14 @@ static ngx_command_t ngx_http_core_commands[] = { + 0, + NULL }, + ++ { ngx_string("no_error_pages"), ++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF ++ |NGX_CONF_NOARGS, ++ ngx_http_core_no_error_pages, ++ NGX_HTTP_LOC_CONF_OFFSET, ++ 0, ++ NULL }, ++ + { ngx_string("post_action"), + NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF + |NGX_CONF_TAKE1, +@@ -3564,7 +3574,6 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf) + * clcf->types = NULL; + * clcf->default_type = { 0, NULL }; + * clcf->error_log = NULL; +- * clcf->error_pages = NULL; + * clcf->client_body_path = NULL; + * clcf->regex = NULL; + * clcf->exact_match = 0; +@@ -3574,6 +3583,7 @@ ngx_http_core_create_loc_conf(ngx_conf_t *cf) + * clcf->keepalive_disable = 0; + */ + ++ clcf->error_pages = NGX_CONF_UNSET_PTR; + clcf->client_max_body_size = NGX_CONF_UNSET; + clcf->client_body_buffer_size = NGX_CONF_UNSET_SIZE; + clcf->client_body_timeout = NGX_CONF_UNSET_MSEC; +@@ -3776,9 +3786,7 @@ ngx_http_core_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) + } + } + +- if (conf->error_pages == NULL && prev->error_pages) { +- conf->error_pages = prev->error_pages; +- } ++ ngx_conf_merge_ptr_value(conf->error_pages, prev->error_pages, NULL); + + ngx_conf_merge_str_value(conf->default_type, + prev->default_type, "text/plain"); +@@ -4815,6 +4823,10 @@ ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) + ngx_http_compile_complex_value_t ccv; + + if (clcf->error_pages == NULL) { ++ return "conflicts with \"no_error_pages\""; ++ } ++ ++ if (clcf->error_pages == NGX_CONF_UNSET_PTR) { + clcf->error_pages = ngx_array_create(cf->pool, 4, + sizeof(ngx_http_err_page_t)); + if (clcf->error_pages == NULL) { +@@ -4920,6 +4932,25 @@ ngx_http_core_error_page(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) + } + + ++static char * ++ngx_http_core_no_error_pages(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) ++{ ++ ngx_http_core_loc_conf_t *clcf = conf; ++ ++ if (clcf->error_pages == NULL) { ++ return "is duplicate"; ++ } ++ ++ if (clcf->error_pages != NGX_CONF_UNSET_PTR) { ++ return "conflicts with \"error_page\""; ++ } ++ ++ clcf->error_pages = NULL; ++ ++ return NGX_CONF_OK; ++} ++ ++ + static char * + ngx_http_core_open_file_cache(ngx_conf_t *cf, ngx_command_t *cmd, void *conf) + { diff --git a/images/nginx-1.25/rootfs/patches/18_nginx-1.25.3-no_Werror.patch b/images/nginx-1.25/rootfs/patches/18_nginx-1.25.3-no_Werror.patch new file mode 100644 index 000000000..f7176faff --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/18_nginx-1.25.3-no_Werror.patch @@ -0,0 +1,36 @@ +diff -urp nginx-1.25.3/auto/cc/clang nginx-1.25.3-patched/auto/cc/clang +--- nginx-1.25.3/auto/cc/clang 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.25.3-patched/auto/cc/clang 2014-03-13 20:54:26.241413360 -0700 +@@ -89,7 +89,7 @@ CFLAGS="$CFLAGS -Wconditional-uninitiali + CFLAGS="$CFLAGS -Wno-unused-parameter" + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" +diff -urp nginx-1.25.3/auto/cc/gcc nginx-1.25.3-patched/auto/cc/gcc +--- nginx-1.25.3/auto/cc/gcc 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.25.3-patched/auto/cc/gcc 2014-03-13 20:54:13.301355329 -0700 +@@ -168,7 +168,7 @@ esac + + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" +diff -urp nginx-1.25.3/auto/cc/icc nginx-1.25.3-patched/auto/cc/icc +--- nginx-1.25.3/auto/cc/icc 2014-03-04 03:39:24.000000000 -0800 ++++ nginx-1.25.3-patched/auto/cc/icc 2014-03-13 20:54:13.301355329 -0700 +@@ -115,7 +115,7 @@ case "$NGX_ICC_VER" in + esac + + # stop on warning +-CFLAGS="$CFLAGS -Werror" ++#CFLAGS="$CFLAGS -Werror" + + # debug + CFLAGS="$CFLAGS -g" diff --git a/images/nginx-1.25/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch b/images/nginx-1.25/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch new file mode 100644 index 000000000..bea6e52ee --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/19_nginx-1.25.3-log_escape_non_ascii.patch @@ -0,0 +1,117 @@ +diff --git a/src/http/modules/ngx_http_log_module.c b/src/http/modules/ngx_http_log_module.c +index 917ed55f..b769dfd3 100644 +--- a/src/http/modules/ngx_http_log_module.c ++++ b/src/http/modules/ngx_http_log_module.c +@@ -79,6 +79,8 @@ typedef struct { + time_t open_file_cache_valid; + ngx_uint_t open_file_cache_min_uses; + ++ ngx_flag_t escape_non_ascii; ++ + ngx_uint_t off; /* unsigned off:1 */ + } ngx_http_log_loc_conf_t; + +@@ -131,7 +133,8 @@ static size_t ngx_http_log_variable_getlen(ngx_http_request_t *r, + uintptr_t data); + static u_char *ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, + ngx_http_log_op_t *op); +-static uintptr_t ngx_http_log_escape(u_char *dst, u_char *src, size_t size); ++static uintptr_t ngx_http_log_escape(ngx_http_log_loc_conf_t *lcf, u_char *dst, ++ u_char *src, size_t size); + static size_t ngx_http_log_json_variable_getlen(ngx_http_request_t *r, + uintptr_t data); + static u_char *ngx_http_log_json_variable(ngx_http_request_t *r, u_char *buf, +@@ -177,6 +180,13 @@ static ngx_command_t ngx_http_log_commands[] = { + 0, + NULL }, + ++ { ngx_string("log_escape_non_ascii"), ++ NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_CONF_FLAG, ++ ngx_conf_set_flag_slot, ++ NGX_HTTP_LOC_CONF_OFFSET, ++ offsetof(ngx_http_log_loc_conf_t, escape_non_ascii), ++ NULL }, ++ + ngx_null_command + }; + +@@ -935,6 +945,7 @@ static size_t + ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data) + { + uintptr_t len; ++ ngx_http_log_loc_conf_t *lcf; + ngx_http_variable_value_t *value; + + value = ngx_http_get_indexed_variable(r, data); +@@ -943,7 +954,9 @@ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data) + return 1; + } + +- len = ngx_http_log_escape(NULL, value->data, value->len); ++ lcf = ngx_http_get_module_loc_conf(r, ngx_http_log_module); ++ ++ len = ngx_http_log_escape(lcf, NULL, value->data, value->len); + + value->escape = len ? 1 : 0; + +@@ -954,6 +967,7 @@ ngx_http_log_variable_getlen(ngx_http_request_t *r, uintptr_t data) + static u_char * + ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, ngx_http_log_op_t *op) + { ++ ngx_http_log_loc_conf_t *lcf; + ngx_http_variable_value_t *value; + + value = ngx_http_get_indexed_variable(r, op->data); +@@ -967,16 +981,18 @@ ngx_http_log_variable(ngx_http_request_t *r, u_char *buf, ngx_http_log_op_t *op) + return ngx_cpymem(buf, value->data, value->len); + + } else { +- return (u_char *) ngx_http_log_escape(buf, value->data, value->len); ++ lcf = ngx_http_get_module_loc_conf(r, ngx_http_log_module); ++ return (u_char *) ngx_http_log_escape(lcf, buf, value->data, value->len); + } + } + + + static uintptr_t +-ngx_http_log_escape(u_char *dst, u_char *src, size_t size) ++ngx_http_log_escape(ngx_http_log_loc_conf_t *lcf, u_char *dst, u_char *src, ++ size_t size) + { +- ngx_uint_t n; +- static u_char hex[] = "0123456789ABCDEF"; ++ ngx_uint_t n; ++ static u_char hex[] = "0123456789ABCDEF"; + + static uint32_t escape[] = { + 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ +@@ -996,6 +1012,12 @@ ngx_http_log_escape(u_char *dst, u_char *src, size_t size) + 0xffffffff, /* 1111 1111 1111 1111 1111 1111 1111 1111 */ + }; + ++ if (lcf->escape_non_ascii) { ++ ngx_memset(&escape[4], 0xff, sizeof(uint32_t) * 4); ++ ++ } else { ++ ngx_memzero(&escape[4], sizeof(uint32_t) * 4); ++ } + + if (dst == NULL) { + +@@ -1120,6 +1142,7 @@ ngx_http_log_create_loc_conf(ngx_conf_t *cf) + } + + conf->open_file_cache = NGX_CONF_UNSET_PTR; ++ conf->escape_non_ascii = NGX_CONF_UNSET; + + return conf; + } +@@ -1135,6 +1158,8 @@ ngx_http_log_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child) + ngx_http_log_fmt_t *fmt; + ngx_http_log_main_conf_t *lmcf; + ++ ngx_conf_merge_value(conf->escape_non_ascii, prev->escape_non_ascii, 1); ++ + if (conf->open_file_cache == NGX_CONF_UNSET_PTR) { + + conf->open_file_cache = prev->open_file_cache; diff --git a/images/nginx-1.25/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch b/images/nginx-1.25/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch new file mode 100644 index 000000000..82a344324 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/20_nginx-1.25.3-proxy_host_port_vars.patch @@ -0,0 +1,19 @@ +--- nginx-1.25.3/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 ++++ nginx-1.25.3-patched/src/http/modules/ngx_http_proxy_module.c 2017-07-16 14:02:51.000000000 +0800 +@@ -793,13 +793,13 @@ static ngx_keyval_t ngx_http_proxy_cach + static ngx_http_variable_t ngx_http_proxy_vars[] = { + + { ngx_string("proxy_host"), NULL, ngx_http_proxy_host_variable, 0, +- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, ++ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, + + { ngx_string("proxy_port"), NULL, ngx_http_proxy_port_variable, 0, +- NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 }, ++ NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE, 0 }, + + { ngx_string("proxy_add_x_forwarded_for"), NULL, +- ngx_http_proxy_add_x_forwarded_for_variable, 0, NGX_HTTP_VAR_NOHASH, 0 }, ++ ngx_http_proxy_add_x_forwarded_for_variable, 0, 0, 0 }, + + #if 0 + { ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 }, diff --git a/images/nginx-1.25/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch b/images/nginx-1.25/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch new file mode 100644 index 000000000..91ee63a26 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/21_nginx-1.25.3-cache_manager_exit.patch @@ -0,0 +1,19 @@ +# HG changeset patch +# User Yichun Zhang +# Date 1383598130 28800 +# Node ID f64218e1ac963337d84092536f588b8e0d99bbaa +# Parent dea321e5c0216efccbb23e84bbce7cf3e28f130c +Cache: gracefully exit the cache manager process. + +diff -r dea321e5c021 -r f64218e1ac96 src/os/unix/ngx_process_cycle.c +--- a/src/os/unix/ngx_process_cycle.c Thu Oct 31 18:23:49 2013 +0400 ++++ b/src/os/unix/ngx_process_cycle.c Mon Nov 04 12:48:50 2013 -0800 +@@ -1134,7 +1134,7 @@ + + if (ngx_terminate || ngx_quit) { + ngx_log_error(NGX_LOG_NOTICE, cycle->log, 0, "exiting"); +- exit(0); ++ ngx_worker_process_exit(cycle); + } + + if (ngx_reopen) { diff --git a/images/nginx-1.25/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch b/images/nginx-1.25/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch new file mode 100644 index 000000000..e5cd07e67 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/22_nginx-1.25.3-larger_max_error_str.patch @@ -0,0 +1,13 @@ +--- nginx-1.25.3/src/core/ngx_log.h 2013-10-08 05:07:14.000000000 -0700 ++++ nginx-1.25.3-patched/src/core/ngx_log.h 2013-12-05 20:35:35.996236720 -0800 +@@ -64,7 +64,9 @@ struct ngx_log_s { + }; + + +-#define NGX_MAX_ERROR_STR 2048 ++#ifndef NGX_MAX_ERROR_STR ++#define NGX_MAX_ERROR_STR 4096 ++#endif + + + /*********************************/ diff --git a/images/nginx-1.25/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch b/images/nginx-1.25/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch new file mode 100644 index 000000000..eb17e0642 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/23_nginx-1.25.3-pcre_conf_opt.patch @@ -0,0 +1,26 @@ +# HG changeset patch +# User Yichun Zhang +# Date 1386694955 28800 +# Node ID 9ba6b149669f1f02eeb4cdc0ebd364a949b5c469 +# Parent 30e806b8636af5fd3f03ec17df24801f390f7511 +Configure: added new option --with-pcre-conf-opt=OPTIONS. + +diff -r 30e806b8636a -r 9ba6b149669f auto/options +--- a/auto/options Mon Dec 09 10:16:44 2013 +0400 ++++ b/auto/options Tue Dec 10 09:02:35 2013 -0800 +@@ -286,6 +286,7 @@ + --with-pcre) USE_PCRE=YES ;; + --with-pcre=*) PCRE="$value" ;; + --with-pcre-opt=*) PCRE_OPT="$value" ;; ++ --with-pcre-conf-opt=*) PCRE_CONF_OPT="$value" ;; + --with-pcre-jit) PCRE_JIT=YES ;; + + --with-openssl=*) OPENSSL="$value" ;; +@@ -441,6 +442,7 @@ + --with-pcre force PCRE library usage + --with-pcre=DIR set path to PCRE library sources + --with-pcre-opt=OPTIONS set additional build options for PCRE ++ --with-pcre-conf-opt=OPTIONS set additional configure options for PCRE + --with-pcre-jit build PCRE with JIT compilation support + + --with-md5=DIR set path to md5 library sources diff --git a/images/nginx-1.25/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch b/images/nginx-1.25/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch new file mode 100644 index 000000000..b381d9b07 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/24_nginx-1.25.3-always_enable_cc_feature_tests.patch @@ -0,0 +1,11 @@ +--- nginx-1.25.3/auto/cc/conf 2015-10-30 22:47:50.000000000 +0800 ++++ nginx-1.25.3-patched/auto/cc/conf 2015-11-02 12:23:05.385156987 +0800 +@@ -144,7 +144,7 @@ fi + CFLAGS="$CFLAGS $NGX_CC_OPT" + NGX_TEST_LD_OPT="$NGX_LD_OPT" + +-if [ "$NGX_PLATFORM" != win32 ]; then ++if [ 1 ]; then + + if test -n "$NGX_LD_OPT"; then + ngx_feature=--with-ld-opt=\"$NGX_LD_OPT\" diff --git a/images/nginx-1.25/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch b/images/nginx-1.25/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch new file mode 100644 index 000000000..89773c05e --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/25_nginx-1.25.3-ssl_cert_cb_yield.patch @@ -0,0 +1,64 @@ +# HG changeset patch +# User Yichun Zhang +# Date 1451762084 28800 +# Sat Jan 02 11:14:44 2016 -0800 +# Node ID 449f0461859c16e95bdb18e8be6b94401545d3dd +# Parent 78b4e10b4367b31367aad3c83c9c3acdd42397c4 +SSL: handled SSL_CTX_set_cert_cb() callback yielding. + +OpenSSL 1.0.2+ introduces SSL_CTX_set_cert_cb() to allow custom +callbacks to serve the SSL certificiates and private keys dynamically +and lazily. The callbacks may yield for nonblocking I/O or sleeping. +Here we added support for such usage in NGINX 3rd-party modules +(like ngx_lua) in NGINX's event handlers for downstream SSL +connections. + +diff -r 78b4e10b4367 -r 449f0461859c src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c Thu Dec 17 16:39:15 2015 +0300 ++++ b/src/event/ngx_event_openssl.c Sat Jan 02 11:14:44 2016 -0800 +@@ -1445,6 +1445,23 @@ ngx_ssl_handshake(ngx_connection_t *c) + return NGX_AGAIN; + } + ++#if OPENSSL_VERSION_NUMBER >= 0x10002000L ++ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++#endif ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1; +@@ -1558,6 +1575,21 @@ ngx_ssl_try_early_data(ngx_connection_t *c) + return NGX_AGAIN; + } + ++ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1; diff --git a/images/nginx-1.25/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch b/images/nginx-1.25/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch new file mode 100644 index 000000000..ac5fe65eb --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/26_nginx-1.25.3-ssl_sess_cb_yield.patch @@ -0,0 +1,41 @@ +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -1446,7 +1446,12 @@ ngx_ssl_handshake(ngx_connection_t *c) + } + + #if OPENSSL_VERSION_NUMBER >= 0x10002000L +- if (sslerr == SSL_ERROR_WANT_X509_LOOKUP) { ++ if (sslerr == SSL_ERROR_WANT_X509_LOOKUP ++# ifdef SSL_ERROR_PENDING_SESSION ++ || sslerr == SSL_ERROR_PENDING_SESSION ++# endif ++ ) ++ { + c->read->handler = ngx_ssl_handshake_handler; + c->write->handler = ngx_ssl_handshake_handler; + +@@ -1575,6 +1580,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c) + return NGX_AGAIN; + } + ++#ifdef SSL_ERROR_PENDING_SESSION ++ if (sslerr == SSL_ERROR_PENDING_SESSION) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++#endif ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1; diff --git a/images/nginx-1.25/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch b/images/nginx-1.25/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch new file mode 100644 index 000000000..0e97be992 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/27_nginx-1.25.3-ssl_client_hello_cb_yield.patch @@ -0,0 +1,38 @@ +diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c +index 8ba30e58..2b2db95c 100644 +--- a/src/event/ngx_event_openssl.c ++++ b/src/event/ngx_event_openssl.c +@@ -1712,6 +1712,9 @@ ngx_ssl_handshake(ngx_connection_t *c) + if (sslerr == SSL_ERROR_WANT_X509_LOOKUP + # ifdef SSL_ERROR_PENDING_SESSION + || sslerr == SSL_ERROR_PENDING_SESSION ++# endif ++# ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB ++ || sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB + # endif + ) + { +@@ -1889,6 +1892,23 @@ ngx_ssl_try_early_data(ngx_connection_t *c) + } + #endif + ++#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB ++ if (sslerr == SSL_ERROR_WANT_CLIENT_HELLO_CB) { ++ c->read->handler = ngx_ssl_handshake_handler; ++ c->write->handler = ngx_ssl_handshake_handler; ++ ++ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ if (ngx_handle_write_event(c->write, 0) != NGX_OK) { ++ return NGX_ERROR; ++ } ++ ++ return NGX_AGAIN; ++ } ++#endif ++ + err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; + + c->ssl->no_wait_shutdown = 1; diff --git a/images/nginx-1.25/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch b/images/nginx-1.25/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch new file mode 100644 index 000000000..2314ddf80 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/28_nginx-1.25.3-upstream_timeout_fields.patch @@ -0,0 +1,112 @@ +diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c +index 69019417..2265d8f7 100644 +--- a/src/http/ngx_http_upstream.c ++++ b/src/http/ngx_http_upstream.c +@@ -509,12 +509,19 @@ void + ngx_http_upstream_init(ngx_http_request_t *r) + { + ngx_connection_t *c; ++ ngx_http_upstream_t *u; + + c = r->connection; + + ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0, + "http init upstream, client timer: %d", c->read->timer_set); + ++ u = r->upstream; ++ ++ u->connect_timeout = u->conf->connect_timeout; ++ u->send_timeout = u->conf->send_timeout; ++ u->read_timeout = u->conf->read_timeout; ++ + #if (NGX_HTTP_V2) + if (r->stream) { + ngx_http_upstream_init_request(r); +@@ -1626,7 +1633,7 @@ ngx_http_upstream_connect(ngx_http_request_t *r, ngx_http_upstream_t *u) + u->request_body_blocked = 0; + + if (rc == NGX_AGAIN) { +- ngx_add_timer(c->write, u->conf->connect_timeout); ++ ngx_add_timer(c->write, u->connect_timeout); + return; + } + +@@ -1704,7 +1711,7 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, + if (rc == NGX_AGAIN) { + + if (!c->write->timer_set) { +- ngx_add_timer(c->write, u->conf->connect_timeout); ++ ngx_add_timer(c->write, u->connect_timeout); + } + + c->ssl->handler = ngx_http_upstream_ssl_handshake_handler; +@@ -2022,7 +2029,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, + + if (rc == NGX_AGAIN) { + if (!c->write->ready || u->request_body_blocked) { +- ngx_add_timer(c->write, u->conf->send_timeout); ++ ngx_add_timer(c->write, u->send_timeout); + + } else if (c->write->timer_set) { + ngx_del_timer(c->write); +@@ -2084,7 +2091,7 @@ ngx_http_upstream_send_request(ngx_http_request_t *r, ngx_http_upstream_t *u, + return; + } + +- ngx_add_timer(c->read, u->conf->read_timeout); ++ ngx_add_timer(c->read, u->read_timeout); + + if (c->read->ready) { + ngx_http_upstream_process_header(r, u); +@@ -3213,7 +3220,7 @@ ngx_http_upstream_send_response(ngx_http_request_t *r, ngx_http_upstream_t *u) + p->cyclic_temp_file = 0; + } + +- p->read_timeout = u->conf->read_timeout; ++ p->read_timeout = u->read_timeout; + p->send_timeout = clcf->send_timeout; + p->send_lowat = clcf->send_lowat; + +@@ -3458,7 +3465,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r, + } + + if (upstream->write->active && !upstream->write->ready) { +- ngx_add_timer(upstream->write, u->conf->send_timeout); ++ ngx_add_timer(upstream->write, u->send_timeout); + + } else if (upstream->write->timer_set) { + ngx_del_timer(upstream->write); +@@ -3470,7 +3477,7 @@ ngx_http_upstream_process_upgraded(ngx_http_request_t *r, + } + + if (upstream->read->active && !upstream->read->ready) { +- ngx_add_timer(upstream->read, u->conf->read_timeout); ++ ngx_add_timer(upstream->read, u->read_timeout); + + } else if (upstream->read->timer_set) { + ngx_del_timer(upstream->read); +@@ -3664,7 +3671,7 @@ ngx_http_upstream_process_non_buffered_request(ngx_http_request_t *r, + } + + if (upstream->read->active && !upstream->read->ready) { +- ngx_add_timer(upstream->read, u->conf->read_timeout); ++ ngx_add_timer(upstream->read, u->read_timeout); + + } else if (upstream->read->timer_set) { + ngx_del_timer(upstream->read); +diff --git a/src/http/ngx_http_upstream.h b/src/http/ngx_http_upstream.h +index c2f4dc0b..b9eef118 100644 +--- a/src/http/ngx_http_upstream.h ++++ b/src/http/ngx_http_upstream.h +@@ -333,6 +333,11 @@ struct ngx_http_upstream_s { + ngx_array_t *caches; + #endif + ++#define HAVE_NGX_UPSTREAM_TIMEOUT_FIELDS 1 ++ ngx_msec_t connect_timeout; ++ ngx_msec_t send_timeout; ++ ngx_msec_t read_timeout; ++ + ngx_http_upstream_headers_in_t headers_in; + + ngx_http_upstream_resolved_t *resolved; diff --git a/images/nginx-1.25/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch b/images/nginx-1.25/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch new file mode 100644 index 000000000..6c54c6c4c --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/29_nginx-1.25.3-safe_resolver_ipv6_option.patch @@ -0,0 +1,60 @@ +# HG changeset patch +# User Thibault Charbonnier +# Date 1481847421 28800 +# Thu Dec 15 16:17:01 2016 -0800 +# Node ID 8bf038fe006fd8ae253d6b41fc6cf109a8912d3e +# Parent a3dc657f4e9530623683e6b85bd7492662e4dc47 +Resolver: ignore ipv6=off resolver option when no ipv6 support + +Makes the resolver directive more robust: we only error out when ipv6 +resolution is desired but not supported (ipv6=on). + +use case 1: some configurations are sometimes re-used between builds with and +without ipv6 support. This patch avoids the need to remove the "ipv6=off" flag. + +use case 2: currently, some tools rely on the --with-ipv6 configure option from +"nginx -V" to determine if ipv6 resolution should be disabled in some cases. +With this option disappearing in Nginx 1.11.5, this patch would allow such tools +to assume "ipv6=off" to be safe regardless of ipv6 support in the current +build. + +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index dade1846..5a3f0aa4 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -425,7 +425,6 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) + continue; + } + +-#if (NGX_HAVE_INET6) + if (ngx_strncmp(names[i].data, "ipv4=", 5) == 0) { + + if (ngx_strcmp(&names[i].data[5], "on") == 0) { +@@ -446,10 +445,19 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) + if (ngx_strncmp(names[i].data, "ipv6=", 5) == 0) { + + if (ngx_strcmp(&names[i].data[5], "on") == 0) { ++#if (NGX_HAVE_INET6) + r->ipv6 = 1; ++#else ++ ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, ++ "no ipv6 support but \"%V\" in resolver", ++ &names[i]); ++ return NULL; ++#endif + + } else if (ngx_strcmp(&names[i].data[5], "off") == 0) { ++#if (NGX_HAVE_INET6) + r->ipv6 = 0; ++#endif + + } else { + ngx_conf_log_error(NGX_LOG_EMERG, cf, 0, +@@ -459,7 +467,6 @@ ngx_resolver_create(ngx_conf_t *cf, ngx_str_t *names, ngx_uint_t n) + + continue; + } +-#endif + + #if !(NGX_WIN32) + if (ngx_strncmp(names[i].data, "local=", 6) == 0) { diff --git a/images/nginx-1.25/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch b/images/nginx-1.25/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch new file mode 100644 index 000000000..8ffe4c167 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/30_nginx-1.25.3-socket_cloexec.patch @@ -0,0 +1,185 @@ +diff --git a/auto/unix b/auto/unix +index 10835f6c..b5b33bb3 100644 +--- a/auto/unix ++++ b/auto/unix +@@ -990,3 +990,27 @@ ngx_feature_test='struct addrinfo *res; + if (getaddrinfo("localhost", NULL, NULL, &res) != 0) return 1; + freeaddrinfo(res)' + . auto/feature ++ ++ngx_feature="SOCK_CLOEXEC support" ++ngx_feature_name="NGX_HAVE_SOCKET_CLOEXEC" ++ngx_feature_run=no ++ngx_feature_incs="#include ++ #include " ++ngx_feature_path= ++ngx_feature_libs= ++ngx_feature_test="int fd; ++ fd = socket(AF_INET, SOCK_STREAM | SOCK_CLOEXEC, 0);" ++. auto/feature ++ ++ngx_feature="FD_CLOEXEC support" ++ngx_feature_name="NGX_HAVE_FD_CLOEXEC" ++ngx_feature_run=no ++ngx_feature_incs="#include ++ #include ++ #include " ++ngx_feature_path= ++ngx_feature_libs= ++ngx_feature_test="int fd; ++ fd = socket(AF_INET, SOCK_STREAM, 0); ++ fcntl(fd, F_SETFD, FD_CLOEXEC);" ++. auto/feature +diff --git a/src/core/ngx_resolver.c b/src/core/ngx_resolver.c +index cd55520c..438e0806 100644 +--- a/src/core/ngx_resolver.c ++++ b/src/core/ngx_resolver.c +@@ -4466,8 +4466,14 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) + ngx_event_t *rev, *wev; + ngx_connection_t *c; + ++#if (NGX_HAVE_SOCKET_CLOEXEC) ++ s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM | SOCK_CLOEXEC, 0); ++ ++#else + s = ngx_socket(rec->sockaddr->sa_family, SOCK_STREAM, 0); + ++#endif ++ + ngx_log_debug1(NGX_LOG_DEBUG_EVENT, &rec->log, 0, "TCP socket %d", s); + + if (s == (ngx_socket_t) -1) { +@@ -4494,6 +4500,15 @@ ngx_tcp_connect(ngx_resolver_connection_t *rec) + goto failed; + } + ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, &rec->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ++ goto failed; ++ } ++#endif ++ + rev = c->read; + wev = c->write; + +diff --git a/src/event/ngx_event.h b/src/event/ngx_event.h +index 19fec68..8c2f01a 100644 +--- a/src/event/ngx_event.h ++++ b/src/event/ngx_event.h +@@ -73,6 +73,9 @@ struct ngx_event_s { + /* to test on worker exit */ + unsigned channel:1; + unsigned resolver:1; ++#if (HAVE_SOCKET_CLOEXEC_PATCH) ++ unsigned skip_socket_leak_check:1; ++#endif + + unsigned cancelable:1; + +diff --git a/src/event/ngx_event_accept.c b/src/event/ngx_event_accept.c +index 77563709..5827b9d0 100644 +--- a/src/event/ngx_event_accept.c ++++ b/src/event/ngx_event_accept.c +@@ -62,7 +62,9 @@ ngx_event_accept(ngx_event_t *ev) + + #if (NGX_HAVE_ACCEPT4) + if (use_accept4) { +- s = accept4(lc->fd, &sa.sockaddr, &socklen, SOCK_NONBLOCK); ++ s = accept4(lc->fd, &sa.sockaddr, &socklen, ++ SOCK_NONBLOCK | SOCK_CLOEXEC); ++ + } else { + s = accept(lc->fd, &sa.sockaddr, &socklen); + } +@@ -202,6 +204,16 @@ ngx_event_accept(ngx_event_t *ev) + ngx_close_accepted_connection(c); + return; + } ++ ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, ev->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ngx_close_accepted_connection(c); ++ return; ++ } ++#endif ++ + } + } + +diff --git a/src/event/ngx_event_connect.c b/src/event/ngx_event_connect.c +index c5bb8068..cf33b1d2 100644 +--- a/src/event/ngx_event_connect.c ++++ b/src/event/ngx_event_connect.c +@@ -38,8 +38,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) + + type = (pc->type ? pc->type : SOCK_STREAM); + ++#if (NGX_HAVE_SOCKET_CLOEXEC) ++ s = ngx_socket(pc->sockaddr->sa_family, type | SOCK_CLOEXEC, 0); ++ ++#else + s = ngx_socket(pc->sockaddr->sa_family, type, 0); + ++#endif ++ ++ + ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pc->log, 0, "%s socket %d", + (type == SOCK_STREAM) ? "stream" : "dgram", s); + +@@ -80,6 +87,15 @@ ngx_event_connect_peer(ngx_peer_connection_t *pc) + goto failed; + } + ++#if (NGX_HAVE_FD_CLOEXEC) ++ if (ngx_cloexec(s) == -1) { ++ ngx_log_error(NGX_LOG_ALERT, pc->log, ngx_socket_errno, ++ ngx_cloexec_n " failed"); ++ ++ goto failed; ++ } ++#endif ++ + if (pc->local) { + + #if (NGX_HAVE_TRANSPARENT_PROXY) +diff --git a/src/os/unix/ngx_process_cycle.c b/src/os/unix/ngx_process_cycle.c +index c4376a5..48e8fa8 100644 +--- a/src/os/unix/ngx_process_cycle.c ++++ b/src/os/unix/ngx_process_cycle.c +@@ -960,6 +1029,9 @@ ngx_worker_process_exit(ngx_cycle_t *cycle) + for (i = 0; i < cycle->connection_n; i++) { + if (c[i].fd != -1 + && c[i].read ++#if (HAVE_SOCKET_CLOEXEC_PATCH) ++ && !c[i].read->skip_socket_leak_check ++#endif + && !c[i].read->accept + && !c[i].read->channel + && !c[i].read->resolver) +diff --git a/src/os/unix/ngx_socket.h b/src/os/unix/ngx_socket.h +index fcc51533..d1eebf47 100644 +--- a/src/os/unix/ngx_socket.h ++++ b/src/os/unix/ngx_socket.h +@@ -38,6 +38,17 @@ int ngx_blocking(ngx_socket_t s); + + #endif + ++#if (NGX_HAVE_FD_CLOEXEC) ++ ++#define ngx_cloexec(s) fcntl(s, F_SETFD, FD_CLOEXEC) ++#define ngx_cloexec_n "fcntl(FD_CLOEXEC)" ++ ++/* at least FD_CLOEXEC is required to ensure connection fd is closed ++ * after execve */ ++#define HAVE_SOCKET_CLOEXEC_PATCH 1 ++ ++#endif ++ + int ngx_tcp_nopush(ngx_socket_t s); + int ngx_tcp_push(ngx_socket_t s); + diff --git a/images/nginx-1.25/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch b/images/nginx-1.25/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch new file mode 100644 index 000000000..ff4a36fd2 --- /dev/null +++ b/images/nginx-1.25/rootfs/patches/31_nginx-1.25.3-reuseport_close_unused_fds.patch @@ -0,0 +1,38 @@ +diff --git a/src/core/ngx_connection.c b/src/core/ngx_connection.c +--- a/src/core/ngx_connection.c ++++ b/src/core/ngx_connection.c +@@ -1118,6 +1118,12 @@ ngx_close_listening_sockets(ngx_cycle_t *cycle) + ls = cycle->listening.elts; + for (i = 0; i < cycle->listening.nelts; i++) { + ++#if (NGX_HAVE_REUSEPORT) ++ if (ls[i].fd == (ngx_socket_t) -1) { ++ continue; ++ } ++#endif ++ + c = ls[i].connection; + + if (c) { +diff --git a/src/event/ngx_event.c b/src/event/ngx_event.c +--- a/src/event/ngx_event.c ++++ b/src/event/ngx_event.c +@@ -775,6 +775,18 @@ ngx_event_process_init(ngx_cycle_t *cycle) + + #if (NGX_HAVE_REUSEPORT) + if (ls[i].reuseport && ls[i].worker != ngx_worker) { ++ ngx_log_debug2(NGX_LOG_DEBUG_CORE, cycle->log, 0, ++ "closing unused fd:%d listening on %V", ++ ls[i].fd, &ls[i].addr_text); ++ ++ if (ngx_close_socket(ls[i].fd) == -1) { ++ ngx_log_error(NGX_LOG_EMERG, cycle->log, ngx_socket_errno, ++ ngx_close_socket_n " %V failed", ++ &ls[i].addr_text); ++ } ++ ++ ls[i].fd = (ngx_socket_t) -1; ++ + continue; + } + #endif