summaryrefslogtreecommitdiffhomepage
path: root/src/nxt_router.c (follow)
AgeCommit message (Collapse)AuthorFilesLines
2021-11-25Fixing access_log structure reference counting.Max Romanov1-4/+26
The reference to the access_log structure is stored in the current nxt_router_conf_t and the global nxt_router_t. When the reference is copied, the reference counter should be adjusted accordingly. This closes #593 issue on GitHub.
2021-11-09Introducing application prototype processes.Tiago Natel de Moura1-68/+211
2021-11-05HTTP: removed surplus check for r->args is not NULL.Zhidao HONG1-2/+2
2021-10-28Moving request limit control to libunit.Max Romanov1-50/+5
Introducting application graceful stop. For now only used when application process reach request limit value. This closes #585 issue on GitHub.
2021-10-28Adding explicit app reference to nxt_router_app_port_release().Max Romanov1-11/+8
port->app field is not thread safe and should be used in main thread only. To release port after request processing, application reference should be obtained from corresponding request descriptor.
2021-08-17Added TLS session tickets support.Andrey Suvorov1-0/+4
2021-08-12Introduced the generic API nxt_buf_dummy_completion().Zhidao HONG1-11/+3
No functional changes.
2021-08-12Router: client IP address replacement.Oisin Canty1-1/+85
This commit introduces the replacement of the client address based on the value of a specified HTTP header. This is intended for use when Unit is placed behind a reverse proxy like nginx or a CDN. You must specify the source addresses of the trusted proxies. This can be accomplished with any valid IP pattern supported by Unit's match block: ["10.0.0.1", "10.4.0.0/16", "!192.168.1.1"] The feature is configured per listener. The client address replacement functionality only operates when there is a source IP match and the specified header is present. Typically this would be an 'X-Forwarded-For' header. { "listeners": { "127.0.0.1:8080": { "client_ip": { "header": "X-Forwarded-For", "source": [ "10.0.0.0/8" ] }, "pass": "applications/my_app" }, } } If a request occurs and Unit receives a header like below: "X-Forwarded-For: 84.123.23.23" By default, Unit trusts the last rightmost IP in the header, so REMOTE_ADDR will be set to 84.123.23.23 if the connection originated from 10.0.0.0/8. If Unit runs behind consecutive reverse proxies and receives a header similar to the following: "X-Forwarded-For: 84.123.23.23, 10.0.0.254" You will need to enable "recursive" checking, which walks the header from last address to first and chooses the first non-trusted address it finds. { "listeners": { "127.0.0.1:8080": { "client_ip": { "header": "X-Forwarded-For", "source": [ "10.0.0.0/8" ] "recursive": true, }, "pass": "applications/my_app" }, } } If a connection from 10.0.0.0/8 occurs, the chain is walked. Here, 10.0.0.254 is also a trusted address so the client address will be replaced with 84.123.23.23. If all IP addresses in the header are trusted, the client address is set to the first address in the header: If 10.0.0.0/8 is trusted and "X-Forwarded-For: 10.0.0.3, 10.0.0.2, 10.0.0.1", the client address will be replaced with 10.0.0.3.
2021-07-29Application restart introduced.Max Romanov1-41/+178
When processing a restart request, the router sends a QUIT message to all existing processes of the application. Then, a new shared application port is created to ensure that new requests won't be handled by the old processes of the application.
2021-07-24Router: split nxt_http_app_conf_t from nxt_http_action_t.Zhidao HONG1-9/+38
No functional changes.
2021-07-23Router: split nxt_http_static_conf_t from nxt_http_action_t.Zhidao HONG1-5/+5
No functional changes.
2021-07-21Enabling configure TLS sessions.Andrey Suvorov1-12/+36
To support TLS sessions, Unit uses the OpenSSL built-in session cache; the cache_size option defines the number sessions to store. To disable the feather, the option must be zero.
2021-07-19Router: fixing assertion on app thread port handle.Max Romanov1-8/+10
A new application thread port message can be processed in the router after the application is removed from the router. Assertion for this case is replaced by a condition to store the new thread port until receiving the stop notification from the application process.
2021-07-01Fixing multiple TLS-enabled listeners initialization.Max Romanov1-6/+5
Because of the incorrect 'last' field assignment, multiple listeners with a TLS certificate did not initialize properly, which caused a router crash while establishing a connection. Test with multiple TLS listeners added. The issue was introduced in the c548e46fe516 commit. This closes #561 issue on GitHub.
2021-05-26Enabling SSL_CTX configuration by using SSL_CONF_cmd().Andrey Suvorov1-52/+38
To perform various configuration operations on SSL_CTX, OpenSSL provides SSL_CONF_cmd(). Specifically, to configure ciphers for a listener, "CipherString" and "Ciphersuites" file commands are used: https://www.openssl.org/docs/man1.1.1/man3/SSL_CONF_cmd.html This feature can be configured in the "tls/conf_commands" section.
2021-05-26Fixing crash during TLS connection shutdown.Andrey Suvorov1-0/+1
A crash was caused by an incorrect timer handler nxt_h1p_idle_timeout() if SSL_shutdown() returned SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. The flag SSL_RECEIVED_SHUTDOWN is used to avoid getting SSL_ERROR_WANT_READ, so the server won't wait for a close notification from a client. For SSL_ERROR_WANT_WRITE, a correct timer handler is set up.
2021-05-25Fixing racing condition on listen socket close in router (v2).Max Romanov1-5/+5
This patch fixes a possible race between the nxt_router_conf_wait() and nxt_router_listen_socket_release() function calls and improves the 7f1b2eaa2d58 commit fix.
2021-05-17Fixing a crash after applying the wrong TLS configuration.Andrey Suvorov1-3/+3
When an invalid TLS configuration is applied (such as the conf_commands feature), nxt_cert_store_get() creates a buffer to send a certificate request to the main process and adds its default completion handler to an asynchronous queue to free the allocated buffer. However, if configuration fails, nxt_router_conf_error() removes the memory pool used to allocate the buffer, causing a crash when the completion handler is dispatched. Assertion "src/nxt_buf.c:208 assertion failed: data == b->parent" is triggered when is NXT_DEBUG enabled in the configure script. This patch uses a reference counter to retain the memory pool and redefines the completion handler to free the buffer before releasing the memory pool.
2021-05-17Fixing racing condition on listen socket close in router.Max Romanov1-10/+14
Listen socket is actually closed in the instant timer handler. This patch moves the "configuration has been applied" notification to the timer handler to avoid a situation when the user gets the response from the controller, but the listen socket is still open in the router.
2021-04-22Router: grouped app and share fields in nxt_http_action_t.Zhidao HONG1-1/+1
This is a prerequisite for further introduction of openat2() features. No functional changes.
2021-03-25Releasing shm buffers for large body requests.Max Romanov1-11/+4
This fixes memory and shm file descriptor leakage that occurred when a large request body was passed via shared memory. The leakage was caught with the "test_settings_body_buffer_size" test. The main condition is the "body_buffer_size" value exceeding 10 Mb (a shm segment). Thus, the router was forced to split the body into several shm segments, but these buffers were not freed because of dummy completion handlers.
2021-03-24Added ability to configure multiple certificates on a listener.Andrey Suvorov1-30/+93
The certificate is selected by matching the arriving SNI to the common name and the alternatives names. If no certificate matches the name, the first bundle in the array is chosen.
2021-03-02Fixing warnings on Solaris.Max Romanov1-1/+1
pthread_t on Solaris is an integer type with size not equal to pointer size. To avoid warnings, type casts to and from pointer needs to be done via uintptr_t type. This change originally proposed by Juraj Lutter <juraj@lutter.sk>.
2021-01-28Router: fixing crash after WebSocket processing.Max Romanov1-1/+4
After WebSocket processing, the application port was released with incorrect reason ("got request"), unnecessarily decrementing the active request counter. The assertion was triggered only on application removal; a test was added for this case.
2021-01-27Router: fixing error handling in config request.Max Romanov1-19/+42
The controller process awaits the response from the router for every configration change request. This patch adds error reporting for various error conditions which may happen because of file descriptors or memory shortage. Lack of a response lead to the controller awaiting the response, thus being unable to process other client reconfiguration requests that also became stuck.
2021-01-25Router: fixing assertion in shortage of file descriptors.Max Romanov1-0/+2
Each application in router process required fd for a request queue shared memory. When the number of file descripts close to the limit, and port sockets successfully opened, router needs to properly handle the errors. This patch closes port sockets before destroying port structure to avoid file descriptors leakage and assertion in debug build.
2020-12-17Router: fixed crash in OOSM processing.Max Romanov1-3/+8
Multithreaded application may create different shared memory segments in different threads. The segments then passed to different router threads. Because of this multithreading, the order of adding incoming segments is not determined and there can be situation when some of the incoming segments are not initialized yet. This patch simply adds check for NULL to skip non-initialized segments. Crash reproduced during load tests with high number of simultaneous connections (1024 and more).
2020-12-08PHP: populating PHP_AUTH_* server variables.Valentin Bartenev1-0/+4
This closes #498 issue on GitHub.
2020-11-17HTTP parser: allowed more characters in header field names.Valentin Bartenev1-0/+7
Previously, all requests that contained in header field names characters other than alphanumeric, or "-", or "_" were rejected with a 400 "Bad Request" error response. Now, the parser allows the same set of characters as specified in RFC 7230, including: "!", "#", "$", "%", "&", "'", "*", "+", ".", "^", "`", "|", and "~". Header field names that contain only these characters are considered valid. Also, there's a new option introduced: "discard_unsafe_fields". It accepts boolean value and it is set to "true" by default. When this option is "true", all header field names that contain characters in valid range, but other than alphanumeric or "-" are skipped during parsing. When the option is "false", these header fields aren't skipped. Requests with non-valid characters in header field names according to RFC 7230 are rejected regardless of "discard_unsafe_fields" setting. This closes #422 issue on GitHub.
2020-11-10Fixing multi-buffer body send to application.Max Romanov1-3/+13
Application shared queue only capable to pass one shared memory buffer. The rest buffers in chain needs to be send directly to application in response to REQ_HEADERS_AC message. The issue can be reproduced for configurations where 'body_buffer_size' is greater than memory segment size (10 Mb). Requests with body size greater than 10 Mb are just `stuck` e.g. not passed to application awaiting for more data from router. The bug was introduced in 1d84b9e4b459 (v1.19.0).
2020-10-28Router: introducing the PORT_ACK message.Max Romanov1-0/+2
The PORT_ACK message is the router's response to the application's NEW_PORT message. After receiving PORT_ACK, the application is safe to process requests using this port. This message avoids a racing condition when the application starts processing a request from the shared queue and sends REQ_HEADERS_ACK. The REQ_HEADERS_ACK message contains the application port ID as reply_port, which the router uses to send request data. When the application creates a new port, it immediately sends it to the main router thread. Because the request is processed outside the main thread, a racing condition can occur between the receipt of the new port in the main thread and the receipt of REQ_HEADERS_ACK in the worker router thread where the same port is specified as reply_port.
2020-10-28Router: broadcasting the SHM_ACK message to all process ports.Max Romanov1-2/+1
2020-10-28Added error response logging.Max Romanov1-4/+10
Every internal server error response should have a clear description in log.
2020-10-28Router: checking a buffer before accessing its memory fields.Max Romanov1-1/+1
This fixes the router's crash on buildbot; the reason was an unexpected 'last' response from the application to the router arriving before the response headers. The last buffer is not a memory buffer, so the result of accessing memory fields is unpredictable. The unexpected 'last' message was caused by an error in libunit; fixed in fee8fd855a00.
2020-10-28Router: closing app worker's ports.Max Romanov1-0/+19
2020-09-29Fixing request buffer memory leakage in router.Max Romanov1-0/+3
The issue was introduced in changeset 1d84b9e4b459. The request buffer was transferred via the shared application queue, but the buffer position and the 'sent' flag were not updated after the buffer had been sent.
2020-08-28Router: fixed "pass" to upstreams.hongzhidao1-0/+4
Messed up return values in nxt_upstream_find() caused error in applying any configuration with a valid "pass" value in router configuration pointing to upstream. That wasn't the case in "listeners" objects, where the return value wasn't checked. Also, it caused segfault in cases where the "pass" option was configured with variables and resulting value was pointing to a non-existent upstream. Added missing return checks as well to catch possible memory allocation errors. The bug was introduced in d32bc428f46b. This closes #472 issue on GitHub.
2020-09-15Python: changed request headers format in router protocol.Max Romanov1-1/+1
The coming ASGI support requires raw HTTP headers format. Headers grouping and upcase code were moved to WSGI module.
2020-08-21Configuration: removed "reschedule_timeout" option.Valentin Bartenev1-11/+0
It's not used since cbcd76704c90. This option is a leftover from previous IPC between router and applications processes. It was never documented, though. Thanks to 洪志道 (Hong Zhi Dao).
2020-08-13Fixing router assertion in result of application prefork error.Max Romanov1-0/+8
Buffer for application prefork request allocated from temp conf mem_pool. If error response from main process received before buffer completion handler, temp conf mem_pool destroyed and router may crash in completion handler. Assertion "src/nxt_buf.c:208 assertion failed: data == b->parent" triggered when NXT_DEBUG_ALLOC enabled in configure. This patch disables completion handler and memory allocated for buffer released with memory pool.
2020-08-13Basic variables support.Valentin Bartenev1-44/+139
2020-08-12Responding with error in case of first process start failure.Max Romanov1-18/+124
After shared application port introducing, request queue in router was removed and requests may stuck forever waiting for another process start.
2020-08-11Style fixes for 2 file descriptors transfer over port.Max Romanov1-16/+16
Two consecutive fd and fd2 fields replaced with array.
2020-08-11Introducing application and port shared memory queues.Max Romanov1-22/+179
The goal is to minimize the number of syscalls needed to deliver a message.
2020-08-11Made router port message handlers into static functions.Max Romanov1-4/+13
Mostly harmless.
2020-08-11Adding debug messages to catch process management issues.Max Romanov1-2/+36
2020-08-11Introducing the shared application port.Max Romanov1-1042/+462
This is the port shared between all application processes which use it to pass requests for processing. Using it significantly simplifies the request processing code in the router. The drawback is 2 more file descriptors per each configured application and more complex libunit message wait/read code.
2020-08-11Changing router to application shared memory exchange protocol.Max Romanov1-3/+66
The application process needs to request the shared memory segment from the router instead of the latter pushing the segment before sending a request to the application. This is required to simplify the communication between the router and the application and to prepare the router for using the application shared port and then the queue.
2020-08-11Changing router to application port exchange protocol.Max Romanov1-17/+83
The application process needs to request the port from the router instead of the latter pushing the port before sending a request to the application. This is required to simplify the communication between the router and the application and to prepare the router to use the application shared port and then the queue.
2020-08-09Fixing leaked configuration objects.Max Romanov1-4/+30
If there are no listen sockets, the router configuration usage counter remains 0 and never decreases. The only moment to release a configuration is right after a configuration update.