nginx 1.23.4

nginx/CHANGES

@@ -1,4 +1,50 @@
 
+Changes with nginx 1.23.4                                        28 Mar 2023
+
+    *) Change: now TLSv1.3 protocol is enabled by default.
+
+    *) Change: now nginx issues a warning if protocol parameters of a
+       listening socket are redefined.
+
+    *) Change: now nginx closes connections with lingering if pipelining was
+       used by the client.
+
+    *) Feature: byte ranges support in the ngx_http_gzip_static_module.
+
+    *) Bugfix: port ranges in the "listen" directive did not work; the bug
+       had appeared in 1.23.3.
+       Thanks to Valentin Bartenev.
+
+    *) Bugfix: incorrect location might be chosen to process a request if a
+       prefix location longer than 255 characters was used in the
+       configuration.
+
+    *) Bugfix: non-ASCII characters in file names on Windows were not
+       supported by the ngx_http_autoindex_module, the ngx_http_dav_module,
+       and the "include" directive.
+
+    *) Change: the logging level of the "data length too long", "length too
+       short", "bad legacy version", "no shared signature algorithms", "bad
+       digest length", "missing sigalgs extension", "encrypted length too
+       long", "bad length", "bad key update", "mixed handshake and non
+       handshake data", "ccs received early", "data between ccs and
+       finished", "packet length too long", "too many warn alerts", "record
+       too small", and "got a fin before a ccs" SSL errors has been lowered
+       from "crit" to "info".
+
+    *) Bugfix: a socket leak might occur when using HTTP/2 and the
+       "error_page" directive to redirect errors with code 400.
+
+    *) Bugfix: messages about logging to syslog errors did not contain
+       information that the errors happened while logging to syslog.
+       Thanks to Safar Safarly.
+
+    *) Workaround: "gzip filter failed to use preallocated memory" alerts
+       appeared in logs when using zlib-ng.
+
+    *) Bugfix: in the mail proxy server.
+
+
 Changes with nginx 1.23.3                                        13 Dec 2022
 
     *) Bugfix: an error might occur when reading PROXY protocol version 2

nginx/CHANGES.ru

@@ -1,4 +1,51 @@
 
+Изменения в nginx 1.23.4                                          28.03.2023
+
+    *) Изменение: теперь протокол TLSv1.3 разрешён по умолчанию.
+
+    *) Изменение: теперь nginx выдаёт предупреждение при переопределении
+       параметров listen-сокета, задающих используемые протоколы.
+
+    *) Изменение: теперь, если клиент использует pipelining, nginx закрывает
+       соединения с ожиданием дополнительных данных (lingering close).
+
+    *) Добавление: поддержка byte ranges для ответов модуля
+       ngx_http_gzip_static_module.
+
+    *) Исправление: диапазоны портов в директиве listen не работали; ошибка
+       появилась в 1.23.3.
+       Спасибо Валентину Бартеневу.
+
+    *) Исправление: для обработки запроса мог быть выбран неверный location,
+       если в конфигурации использовался префиксный location длиннее 255
+       символов.
+
+    *) Исправление: не-ASCII символы в именах файлов на Windows не
+       поддерживались модулями ngx_http_autoindex_module и
+       ngx_http_dav_module, а также директивой include.
+
+    *) Изменение: уровень логгирования ошибок SSL "data length too long",
+       "length too short", "bad legacy version", "no shared signature
+       algorithms", "bad digest length", "missing sigalgs extension",
+       "encrypted length too long", "bad length", "bad key update", "mixed
+       handshake and non handshake data", "ccs received early", "data
+       between ccs and finished", "packet length too long", "too many warn
+       alerts", "record too small", и "got a fin before a ccs" понижен с
+       уровня crit до info.
+
+    *) Исправление: при использовании HTTP/2 и директивы error_page для
+       перенаправления ошибок с кодом 400 могла происходить утечка сокетов.
+
+    *) Исправление: сообщения об ошибках записи в syslog не содержали
+       информации о том, что ошибки происходили в процессе записи в syslog.
+       Спасибо Safar Safarly.
+
+    *) Изменение: при использовании zlib-ng в логах появлялись сообщения
+       "gzip filter failed to use preallocated memory".
+
+    *) Исправление: в почтовом прокси-сервере.
+
+
 Изменения в nginx 1.23.3                                          13.12.2022
 
     *) Исправление: при чтении заголовка протокола PROXY версии 2,

nginx/auto/cc/conf

@@ -117,7 +117,7 @@ else
             . auto/cc/acc
         ;;
 
-        msvc*)
+        msvc)
             # MSVC++ 6.0 SP2, MSVC++ Toolkit 2003
 
             . auto/cc/msvc

nginx/auto/cc/msvc

@@ -11,8 +11,8 @@
 # MSVC 2015 (14.0)                        cl 19.00
 
 
-NGX_MSVC_VER=`$NGX_WINE $CC 2>&1 | grep 'Compiler Version' 2>&1 \
-                                 | sed -e 's/^.* Version \(.*\)/\1/'`
+NGX_MSVC_VER=`$NGX_WINE $CC 2>&1 | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
+                                 | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
 
 echo " + cl version: $NGX_MSVC_VER"
 
@@ -22,6 +22,21 @@ have=NGX_COMPILER value="\"cl $NGX_MSVC_VER\"" . auto/define
 ngx_msvc_ver=`echo $NGX_MSVC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
 
 
+# detect x64 builds
+
+case "$NGX_MSVC_VER" in
+
+    *x64)
+        NGX_MACHINE=amd64
+    ;;
+
+    *)
+        NGX_MACHINE=i386
+    ;;
+
+esac
+
+
 # optimizations
 
 # maximize speed, equivalent to -Og -Oi -Ot -Oy -Ob2 -Gs -GF -Gy

nginx/auto/lib/openssl/make

@@ -7,11 +7,24 @@ case "$CC" in
 
     cl)
 
+        case "$NGX_MACHINE" in
+
+            amd64)
+                OPENSSL_TARGET=VC-WIN64A
+            ;;
+
+            *)
+                OPENSSL_TARGET=VC-WIN32
+            ;;
+
+        esac
+
         cat << END                                            >> $NGX_MAKEFILE
 
 $OPENSSL/openssl/include/openssl/ssl.h:	$NGX_MAKEFILE
 	\$(MAKE) -f auto/lib/openssl/makefile.msvc			\
-		OPENSSL="$OPENSSL" OPENSSL_OPT="$OPENSSL_OPT"
+		OPENSSL="$OPENSSL" OPENSSL_OPT="$OPENSSL_OPT"		\
+		OPENSSL_TARGET="$OPENSSL_TARGET"
 
 END
 

nginx/auto/lib/openssl/makefile.msvc

@@ -6,7 +6,7 @@
 all:
 	cd $(OPENSSL)
 
-	perl Configure VC-WIN32 no-shared no-threads			\
+	perl Configure $(OPENSSL_TARGET) no-shared no-threads		\
 		--prefix="%cd%/openssl" 				\
 		--openssldir="%cd%/openssl/ssl" 			\
 		$(OPENSSL_OPT)

nginx/auto/os/linux

@@ -238,7 +238,6 @@ ngx_feature="UDP_SEGMENT"
 ngx_feature_name="NGX_HAVE_UDP_SEGMENT"
 ngx_feature_run=no
 ngx_feature_incs="#include <sys/socket.h>
-                  #include <stdint.h>
                   #include <netinet/udp.h>"
 ngx_feature_path=
 ngx_feature_libs=

nginx/configure

@@ -44,6 +44,7 @@ if test -z "$NGX_PLATFORM"; then
 else
     echo "building for $NGX_PLATFORM"
     NGX_SYSTEM=$NGX_PLATFORM
+    NGX_MACHINE=i386
 fi
 
 . auto/cc/conf

nginx/src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1023003
-#define NGINX_VERSION      "1.23.3"
+#define nginx_version      1023004
+#define NGINX_VERSION      "1.23.4"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

nginx/src/core/ngx_conf_file.c

@@ -544,8 +544,8 @@ ngx_conf_read_token(ngx_conf_t *cf)
                     }
 
                     ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
-                                  "unexpected end of file, "
-                                  "expecting \";\" or \"}\"");
+                                       "unexpected end of file, "
+                                       "expecting \";\" or \"}\"");
                     return NGX_ERROR;
                 }
 

nginx/src/core/ngx_connection.c

@@ -660,7 +660,7 @@ ngx_open_listening_sockets(ngx_cycle_t *cycle)
                 /*
                  * on OpenVZ after suspend/resume EADDRINUSE
                  * may be returned by listen() instead of bind(), see
-                 * https://bugzilla.openvz.org/show_bug.cgi?id=2470
+                 * https://bugs.openvz.org/browse/OVZ-5587
                  */
 
                 if (err != NGX_EADDRINUSE || !ngx_test_config) {

nginx/src/core/ngx_connection.h

@@ -172,6 +172,7 @@ struct ngx_connection_s {
     unsigned            timedout:1;
     unsigned            error:1;
     unsigned            destroyed:1;
+    unsigned            pipeline:1;
 
     unsigned            idle:1;
     unsigned            reusable:1;

nginx/src/core/ngx_string.c

@@ -1364,7 +1364,12 @@ ngx_utf8_decode(u_char **p, size_t n)
 
     u = **p;
 
-    if (u >= 0xf0) {
+    if (u >= 0xf8) {
+
+        (*p)++;
+        return 0xffffffff;
+
+    } else if (u >= 0xf0) {
 
         u &= 0x07;
         valid = 0xffff;

nginx/src/core/ngx_syslog.c

@@ -18,6 +18,7 @@
 static char *ngx_syslog_parse_args(ngx_conf_t *cf, ngx_syslog_peer_t *peer);
 static ngx_int_t ngx_syslog_init_peer(ngx_syslog_peer_t *peer);
 static void ngx_syslog_cleanup(void *data);
+static u_char *ngx_syslog_log_error(ngx_log_t *log, u_char *buf, size_t len);
 
 
 static char  *facilities[] = {
@@ -66,6 +67,9 @@ ngx_syslog_process_conf(ngx_conf_t *cf, ngx_syslog_peer_t *peer)
         ngx_str_set(&peer->tag, "nginx");
     }
 
+    peer->hostname = &cf->cycle->hostname;
+    peer->logp = &cf->cycle->new_log;
+
     peer->conn.fd = (ngx_socket_t) -1;
 
     peer->conn.read = &ngx_syslog_dummy_event;
@@ -243,7 +247,7 @@ ngx_syslog_add_header(ngx_syslog_peer_t *peer, u_char *buf)
     }
 
     return ngx_sprintf(buf, "<%ui>%V %V %V: ", pri, &ngx_cached_syslog_time,
-                       &ngx_cycle->hostname, &peer->tag);
+                       peer->hostname, &peer->tag);
 }
 
 
@@ -286,15 +290,19 @@ ngx_syslog_send(ngx_syslog_peer_t *peer, u_char *buf, size_t len)
 {
     ssize_t  n;
 
+    if (peer->log.handler == NULL) {
+        peer->log = *peer->logp;
+        peer->log.handler = ngx_syslog_log_error;
+        peer->log.data = peer;
+        peer->log.action = "logging to syslog";
+    }
+
     if (peer->conn.fd == (ngx_socket_t) -1) {
         if (ngx_syslog_init_peer(peer) != NGX_OK) {
             return NGX_ERROR;
         }
     }
 
-    /* log syslog socket events with valid log */
-    peer->conn.log = ngx_cycle->log;
-
     if (ngx_send) {
         n = ngx_send(&peer->conn, buf, len);
 
@@ -306,7 +314,7 @@ ngx_syslog_send(ngx_syslog_peer_t *peer, u_char *buf, size_t len)
     if (n == NGX_ERROR) {
 
         if (ngx_close_socket(peer->conn.fd) == -1) {
-            ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, ngx_socket_errno,
+            ngx_log_error(NGX_LOG_ALERT, &peer->log, ngx_socket_errno,
                           ngx_close_socket_n " failed");
         }
 
@@ -324,24 +332,25 @@ ngx_syslog_init_peer(ngx_syslog_peer_t *peer)
 
     fd = ngx_socket(peer->server.sockaddr->sa_family, SOCK_DGRAM, 0);
     if (fd == (ngx_socket_t) -1) {
-        ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, ngx_socket_errno,
+        ngx_log_error(NGX_LOG_ALERT, &peer->log, ngx_socket_errno,
                       ngx_socket_n " failed");
         return NGX_ERROR;
     }
 
     if (ngx_nonblocking(fd) == -1) {
-        ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, ngx_socket_errno,
+        ngx_log_error(NGX_LOG_ALERT, &peer->log, ngx_socket_errno,
                       ngx_nonblocking_n " failed");
         goto failed;
     }
 
     if (connect(fd, peer->server.sockaddr, peer->server.socklen) == -1) {
-        ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, ngx_socket_errno,
+        ngx_log_error(NGX_LOG_ALERT, &peer->log, ngx_socket_errno,
                       "connect() failed");
         goto failed;
     }
 
     peer->conn.fd = fd;
+    peer->conn.log = &peer->log;
 
     /* UDP sockets are always ready to write */
     peer->conn.write->ready = 1;
@@ -351,7 +360,7 @@ ngx_syslog_init_peer(ngx_syslog_peer_t *peer)
 failed:
 
     if (ngx_close_socket(fd) == -1) {
-        ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, ngx_socket_errno,
+        ngx_log_error(NGX_LOG_ALERT, &peer->log, ngx_socket_errno,
                       ngx_close_socket_n " failed");
     }
 
@@ -372,7 +381,30 @@ ngx_syslog_cleanup(void *data)
     }
 
     if (ngx_close_socket(peer->conn.fd) == -1) {
-        ngx_log_error(NGX_LOG_ALERT, ngx_cycle->log, ngx_socket_errno,
+        ngx_log_error(NGX_LOG_ALERT, &peer->log, ngx_socket_errno,
                       ngx_close_socket_n " failed");
     }
 }
+
+
+static u_char *
+ngx_syslog_log_error(ngx_log_t *log, u_char *buf, size_t len)
+{
+    u_char             *p;
+    ngx_syslog_peer_t  *peer;
+
+    p = buf;
+
+    if (log->action) {
+        p = ngx_snprintf(buf, len, " while %s", log->action);
+        len -= p - buf;
+    }
+
+    peer = log->data;
+
+    if (peer) {
+        p = ngx_snprintf(p, len, ", server: %V", &peer->server.name);
+    }
+
+    return p;
+}