From 38ac7de61e8b206f8140fd6ec46b3aad0663578d Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Fri, 28 May 2021 18:16:23 +0300 Subject: Version bump. --- docs/changes.xml | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 3707194e..51a519f0 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -5,6 +5,35 @@ + + + + +NGINX Unit updated to 1.25.0. + + + + + + + + + + + -- cgit From cfba69781a18407d5c2020c4e3f3d4fc175a6127 Mon Sep 17 00:00:00 2001 From: Max Romanov Date: Thu, 1 Jul 2021 13:56:40 +0300 Subject: Fixing multiple TLS-enabled listeners initialization. Because of the incorrect 'last' field assignment, multiple listeners with a TLS certificate did not initialize properly, which caused a router crash while establishing a connection. Test with multiple TLS listeners added. The issue was introduced in the c548e46fe516 commit. This closes #561 issue on GitHub. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 51a519f0..ec8d4981 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -44,6 +44,13 @@ Initial release of Java 17 module for NGINX Unit. + + +the router process could crash on TLS connection open when multiple listeners +with TLS certificate configured; the bug had appeared in 1.23.0. + + + -- cgit From 2ac9c627aa6aa736f3df9f426e741642694ac911 Mon Sep 17 00:00:00 2001 
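Review bot: the bugfix entry in the second hunk reads "multiple listeners with TLS certificate configured"; the grammatical form is "multiple listeners with TLS certificates configured". The entry dates the regression to 1.23.0 while the commit message attributes it to c548e46fe516, so confirm that commit actually shipped in 1.23.0 before this changelog goes out.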
From: Max Romanov Date: Thu, 1 Jul 2021 16:23:51 +0300 Subject: Fixing memory and descriptor leakage in case of port send failure. In rare cases, when the destination process had finished running but no notification of this was received yet, send could fail with an error, and the send message structure with file descriptors could leak. The leakage was periodically reproduced by respawn tests on FreeBSD 12. --- docs/changes.xml | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index ec8d4981..2af2fc90 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -31,6 +31,20 @@ NGINX Unit updated to 1.25.0. date="" time="" packager="Andrei Belov <defan@nginx.com>"> + + +the router process could crash on TLS connection open when multiple listeners +with TLS certificate configured; the bug had appeared in 1.23.0. + + + + + +a descriptor and memory leak occurred in the router process when an app +process stopped or crashed. + + + @@ -44,13 +58,6 @@ Initial release of Java 17 module for NGINX Unit. - - -the router process could crash on TLS connection open when multiple listeners -with TLS certificate configured; the bug had appeared in 1.23.0. - - - -- cgit From 7d2bc04e391f9216fb4e0464cb43c9c438f7e034 Mon Sep 17 00:00:00 2001 From: Oisin Canty Date: Fri, 2 Jul 2021 10:55:13 +0000 Subject: Fixing crash during IPv6 text address generation. When the textual representation of an IPv6 nxt_sockaddr_t was being generated, a crash would occur if the address had a full IPv6 form: f607:7403:1e4b:6c66:33b2:843f:2517:da27 This was caused by a variable that tracks the location of a collapsed group ("::") that was not set to a sane default. When the address was generated, a group would be inserted when it was not necessary, thus causing an overflow. This closes #481 issue on GitHub. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') 
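Review bot: besides adding the leak entry, the two hunks move the existing TLS-crash entry from the block at line 44 up to line 31; that relocation is unrelated to the port send fix and belongs in its own commit so the changelog history stays readable. The new entry, "a descriptor and memory leak occurred in the router process when an app process stopped or crashed", could add that the leak happens on a failed port send, which is what the message describes and what operators would correlate with respawn behaviour.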
diff --git a/docs/changes.xml b/docs/changes.xml index 2af2fc90..1d77aea7 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -45,6 +45,13 @@ process stopped or crashed. + + +the controller or router process could crash if the configuration contained +a full-form IPv6 in a listener address. + + + -- cgit From 655e321075c0beebe14eba83deeac1ba4c9e0b29 Mon Sep 17 00:00:00 2001 From: Oisin Canty Date: Fri, 2 Jul 2021 12:57:55 +0000 Subject: Ruby: process and thread lifecycle hooks. This feature allows one to specify blocks of code that are called when certain lifecycle events occur. A user configures a "hooks" property on the app configuration that points to a script. This script will be evaluated on boot and should contain blocks of code that will be called on specific events. An example of configuration: { "type": "ruby", "processes": 2, "threads": 2, "user": "vagrant", "group": "vagrant", "script": "config.ru", "hooks": "hooks.rb", "working_directory": "/home/vagrant/unit/rbhooks", "environment": { "GEM_HOME": "/home/vagrant/.ruby" } } An example of a valid "hooks.rb" file follows: File.write("./hooks.#{Process.pid}", "hooks evaluated") on_worker_boot do File.write("./worker_boot.#{Process.pid}", "worker booted") end on_thread_boot do File.write("./thread_boot.#{Process.pid}.#{Thread.current.object_id}", "thread booted") end on_thread_shutdown do File.write("./thread_shutdown.#{Process.pid}.#{Thread.current.object_id}", "thread shutdown") end on_worker_shutdown do File.write("./worker_shutdown.#{Process.pid}", "worker shutdown") end This closes issue #535 on GitHub. --- docs/changes.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 1d77aea7..5265d529 100644 --- a/docs/changes.xml +++ b/docs/changes.xml 
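Review bot: "a full-form IPv6 in a listener address" is missing its noun; suggest "a full-form IPv6 address in a listener". Since the message says the crash is an overflow triggered from configuration, "could crash (buffer overflow)" would tell operators to prioritise the update rather than treat it as a cosmetic fix.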
@@ -31,6 +31,12 @@ NGINX Unit updated to 1.25.0. date="" time="" packager="Andrei Belov <defan@nginx.com>"> + + +process and thread lifecycle hooks in Ruby. + + + the router process could crash on TLS connection open when multiple listeners -- cgit From daa051e7e7266325ef38a606b3aee4377a73f0d0 Mon Sep 17 00:00:00 2001 From: Max Romanov Date: Mon, 19 Jul 2021 16:23:13 +0300 Subject: Router: fixing assertion on app thread port handle. A new application thread port message can be processed in the router after the application is removed from the router. Assertion for this case is replaced by a condition to store the new thread port until receiving the stop notification from the application process. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 5265d529..dd8fb731 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -44,6 +44,13 @@ with TLS certificate configured; the bug had appeared in 1.23.0. + + +the router process could crash on rapid mutithreaded application +reconfiguration. + + + a descriptor and memory leak occurred in the router process when an app -- cgit From 567545213d95e608b54ce92bfc33fac4327a9f93 Mon Sep 17 00:00:00 2001 From: Max Romanov Date: Tue, 20 Jul 2021 10:37:50 +0300 Subject: Python: fixing ASGI receive() issues. The receive() call never blocks for a GET request and always returns the same empty body message. The Starlette framework creates a separate task when receive() is called in a loop until an 'http.disconnect' message is received. The 'http.disconnect' message was previously issued after the response header had been sent. However, the correct behavior is to respond with 'http.disconnect' after sending the response is complete. This closes #564 issue on GitHub. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') 
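Review bot: the Ruby hooks entry is fine, but the message says the "hooks" file is evaluated on boot inside the application, so the user documentation should describe it as trusted code run with the app's user and group, not as configuration data; an operator reading "hooks": "hooks.rb" next to "user": "vagrant" should understand that file has the same write access as the app.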
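Review bot: "rapid mutithreaded application reconfiguration" has a typo, "multithreaded"; the later wording edit on this page still carries it, so fix it here.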
diff --git a/docs/changes.xml b/docs/changes.xml index dd8fb731..68db823d 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -65,6 +65,13 @@ a full-form IPv6 in a listener address. + + +compatibility issues with some Python ASGI apps, notably based on Starlette +framework. + + + -- cgit From c37ff7ed0ed06b0e928efdb217a8999ff3ff7f50 Mon Sep 17 00:00:00 2001 From: Andrey Suvorov Date: Wed, 21 Jul 2021 15:22:52 -0700 Subject: Enabling configure TLS sessions. To support TLS sessions, Unit uses the OpenSSL built-in session cache; the cache_size option defines the number of sessions to store. To disable the feature, the option must be zero. --- docs/changes.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 68db823d..2aa9bb65 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -31,6 +31,12 @@ NGINX Unit updated to 1.25.0. date="" time="" packager="Andrei Belov <defan@nginx.com>"> + + +TLS sessions cache. + + + process and thread lifecycle hooks in Ruby. -- cgit From f965e358b6ca878ead629dffb2f0df57230995ea Mon Sep 17 00:00:00 2001 From: Andrey Suvorov Date: Thu, 22 Jul 2021 11:23:48 -0700 Subject: Changing SNI callback return code if a client sends no SNI. A client sending no SNI is a common situation. But currently the server processes it as an error and returns SSL_TLSEXT_ERR_ALERT_FATAL causing termination of a current TLS session. The problem occurs if the configuration has more than one certificate bundle in a listener. This fix changes the return code to SSL_TLSEXT_ERR_OK and the log level of a message. --- docs/changes.xml | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 2aa9bb65..634bf9cd 100644 --- a/docs/changes.xml +++ b/docs/changes.xml
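Review bot: "notably based on Starlette framework" should read "notably those based on the Starlette framework"; the later edit on this page adds the article but not "those".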
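Review bot: "TLS sessions cache." should be "TLS session cache"; the entry should also name the cache_size option and state that 0 disables the cache, since the commit message is the only place on this page that documents either, and operators need to know the default before exposing a listener.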
@@ -43,6 +43,14 @@ process and thread lifecycle hooks in Ruby. + + +TLS connection was rejected for configuration with more than one +certificate bundle in a listener if a client did not use SNI. + + + + the router process could crash on TLS connection open when multiple listeners -- cgit From fa9fb29be221e0393562831a9e3bcba416652f60 Mon Sep 17 00:00:00 2001 From: Max Romanov Date: Thu, 29 Jul 2021 19:50:39 +0300 Subject: Application restart introduced. When processing a restart request, the router sends a QUIT message to all existing processes of the application. Then, a new shared application port is created to ensure that new requests won't be handled by the old processes of the application. --- docs/changes.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 634bf9cd..ce18875a 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -43,6 +43,12 @@ process and thread lifecycle hooks in Ruby. + + +application restart control. + + + TLS connection was rejected for configuration with more than one -- cgit From 44fe31dc6198e7a6fd752d6cdb7e51be73f6d8eb Mon Sep 17 00:00:00 2001 From: Zhidao HONG Date: Wed, 4 Aug 2021 18:09:50 +0800 Subject: Added a changelog for ae4f067a9ea4. --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index ce18875a..63c52633 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -92,6 +92,13 @@ framework. + + +the router process crashed when a request was passed to an empty "routes" +or "upstreams" using a variable "pass" option. + + + -- cgit From 60cf1399611ae1b2728492c94ff57a4a044774b4 Mon Sep 17 00:00:00 2001 
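Review bot: "TLS connection was rejected for configuration with more than one certificate bundle in a listener if a client did not use SNI" needs plurals and articles ("TLS connections were rejected for configurations with multiple certificate bundles in a listener if the client did not use SNI"). Neither the entry nor the message says which bundle is served once the callback returns SSL_TLSEXT_ERR_OK for a non-SNI client; document that, because an operator with several bundles on one listener needs to know which certificate such clients receive.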
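Review bot: the commit message for the last hunk is only "Added a changelog for ae4f067a9ea4"; repeating the entry's one-line summary (router crash on a variable "pass" resolving to an empty "routes" or "upstreams") in the message would make git log searchable without opening the diff.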
From: Oisin Canty Date: Thu, 5 Aug 2021 16:00:01 +0000 Subject: Router: fixed crash when matching an empty address pattern array. A crash would occur when the router tried to match against an empty address pattern array. The following configuration was used to reproduce the issue: { "listeners": { "127.0.0.1:8082": { "pass": "routes" } }, "routes": [ { "match": { "source": [] }, "action": { "return": 200 } } ] } --- docs/changes.xml | 7 +++++++ 1 file changed, 7 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 63c52633..e183f907 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -99,6 +99,13 @@ or "upstreams" using a variable "pass" option. + + +the router process crashed while matching a request to an empty array of +source or destination address patterns. + + + -- cgit From ca373aaccd276fb412e59557a3971a8d06ada0f8 Mon Sep 17 00:00:00 2001
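Review bot: the entry says "an empty array of source or destination address patterns" but the reproduction in the message only covers "source": []; add a destination case to the test, or narrow the entry, so the changelog claim matches what was verified.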
From: Oisin Canty Date: Thu, 12 Aug 2021 08:23:16 +0000 Subject: Router: client IP address replacement. This commit introduces the replacement of the client address based on the value of a specified HTTP header. This is intended for use when Unit is placed behind a reverse proxy like nginx or a CDN. You must specify the source addresses of the trusted proxies. This can be accomplished with any valid IP pattern supported by Unit's match block: ["10.0.0.1", "10.4.0.0/16", "!192.168.1.1"] The feature is configured per listener. The client address replacement functionality only operates when there is a source IP match and the specified header is present. Typically this would be an 'X-Forwarded-For' header. { "listeners": { "127.0.0.1:8080": { "client_ip": { "header": "X-Forwarded-For", "source": [ "10.0.0.0/8" ] }, "pass": "applications/my_app" } } } If a request occurs and Unit receives a header like below: "X-Forwarded-For: 84.123.23.23" By default, Unit trusts the last rightmost IP in the header, so REMOTE_ADDR will be set to 84.123.23.23 if the connection originated from 10.0.0.0/8. If Unit runs behind consecutive reverse proxies and receives a header similar to the following: "X-Forwarded-For: 84.123.23.23, 10.0.0.254" You will need to enable "recursive" checking, which walks the header from last address to first and chooses the first non-trusted address it finds. { "listeners": { "127.0.0.1:8080": { "client_ip": { "header": "X-Forwarded-For", "source": [ "10.0.0.0/8" ], "recursive": true }, "pass": "applications/my_app" } } } If a connection from 10.0.0.0/8 occurs, the chain is walked. Here, 10.0.0.254 is also a trusted address so the client address will be replaced with 84.123.23.23. If all IP addresses in the header are trusted, the client address is set to the first address in the header: If 10.0.0.0/8 is trusted and "X-Forwarded-For: 10.0.0.3, 10.0.0.2, 10.0.0.1", the client address will be replaced with 10.0.0.3.
--- docs/changes.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index e183f907..56dfa038 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -49,6 +49,12 @@ application restart control. + + +client IP address replacement from specified HTTP header field. + + + TLS connection was rejected for configuration with more than one -- cgit From e0aa132172f03fe7c31484ce7d301813b5dacb89 Mon Sep 17 00:00:00 2001 From: Andrey Suvorov Date: Tue, 17 Aug 2021 16:52:32 -0700 Subject: Added TLS session tickets support. --- docs/changes.xml | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 56dfa038..bb894e3d 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -31,6 +31,12 @@ NGINX Unit updated to 1.25.0. date="" time="" packager="Andrei Belov <defan@nginx.com>"> + + +TLS session tickets. + + + TLS sessions cache. -- cgit From 8b3a8eaf986df9fe2a01bd5d62703687297db2d4 Mon Sep 17 00:00:00 2001 From: Artem Konev Date: Thu, 19 Aug 2021 16:15:07 +0300 Subject: Edited changes.xml for the 1.25.0 release. --- docs/changes.xml | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index bb894e3d..110d8bef 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -57,14 +57,14 @@ application restart control. -client IP address replacement from specified HTTP header field. +client IP address replacement from a specified HTTP header field. -TLS connection was rejected for configuration with more than one -certificate bundle in a listener if a client did not use SNI. +TLS connections were rejected for configurations with multiple +certificate bundles in a listener if the client did not use SNI. 
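Review bot: "from specified HTTP header field" needs an article ("from a specified HTTP header field"), which the later edit on this page applies. Given the security impact of this feature, the entry should also say that replacement happens only for connections whose peer matches the configured "source" patterns; the commit message makes that clear, but the changelog line alone reads as if any request's header is honoured.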
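Review bot: the commit "Added TLS session tickets support." has no message body and the entry is just "TLS session tickets."; document how the ticket key is supplied and rotated, since that is what an operator has to assess before enabling tickets on a listener.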
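The client-address replacement rules from the "Router: client IP address replacement" commit message above (trusted-source match, header required, rightmost address by default, recursive walk to the first untrusted hop, leftmost address when every hop is trusted), written out as a small Python model. This is an added example for this page, not Unit's router code: the pattern syntax with CIDR and "!" negation is taken from the message, but the rule that a negated pattern removes an address that a positive pattern would otherwise cover, and the choice to keep the peer address when the header contains anything that is not an IP address, are assumptions made here. The listener dictionary and header values are constructed from the message's own examples.

```python
import ipaddress


def parse_source_patterns(patterns):
    """Split Unit-style address patterns into (allow, deny) network lists.

    Patterns are plain addresses or CIDR blocks, optionally prefixed with
    '!' to negate them, e.g. ["10.0.0.1", "10.4.0.0/16", "!192.168.1.1"].
    """
    allow, deny = [], []
    for pattern in patterns:
        negated = pattern.startswith("!")
        network = ipaddress.ip_network(pattern.lstrip("!"), strict=False)
        (deny if negated else allow).append(network)
    return allow, deny


def is_trusted(address, patterns):
    """True when the address matches an allow pattern and no deny pattern.

    Assumption (not stated in the commit): a negated pattern excludes an
    address even if a positive pattern covers it. Anything that does not
    parse as an IP address is never trusted.
    """
    allow, deny = patterns
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return False
    if any(ip in network for network in deny):
        return False
    return any(ip in network for network in allow)


def resolve_client_ip(peer, header_value, patterns, recursive=False):
    """Return the address that would be reported as the client address.

    peer         -- address of the TCP peer (the proxy directly in front)
    header_value -- value of the configured header (e.g. X-Forwarded-For),
                    or None when the request carries no such header
    patterns     -- output of parse_source_patterns() for the "source" list
    recursive    -- the "recursive" listener option
    """
    # Replacement only happens for a trusted peer that sent the header.
    if header_value is None or not is_trusted(peer, patterns):
        return peer

    chain = [part.strip() for part in header_value.split(",")]
    if any(not _is_ip(addr) for addr in chain):
        # Assumption: a malformed chain is ignored as a whole rather than
        # partially honoured, so a bad header cannot spoof the address.
        return peer

    if not recursive:
        # Default: trust the rightmost address, the one appended by the
        # proxy closest to us.
        return chain[-1]

    # Recursive: walk from the right and stop at the first untrusted hop.
    for addr in reversed(chain):
        if not is_trusted(addr, patterns):
            return addr

    # Every hop was trusted: fall back to the leftmost address.
    return chain[0]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def client_ip_from_listener(listener, peer, headers):
    """Apply a listener's "client_ip" block (shape as in the commit's JSON).

    `headers` is a dict keyed by lowercase header name, a convention of this
    example only.
    """
    settings = listener.get("client_ip")
    if settings is None:
        return peer
    patterns = parse_source_patterns(settings["source"])
    header_value = headers.get(settings["header"].lower())
    return resolve_client_ip(peer, header_value, patterns,
                             settings.get("recursive", False))


# Constructed listener configuration mirroring the commit message's example.
LISTENER = {
    "client_ip": {"header": "X-Forwarded-For",
                  "source": ["10.0.0.0/8"],
                  "recursive": True},
    "pass": "applications/my_app",
}

if __name__ == "__main__":
    # Constructed request: peer is a trusted proxy, header carries two hops.
    print(client_ip_from_listener(LISTENER, "10.0.0.5",
                                  {"x-forwarded-for": "84.123.23.23, 10.0.0.254"}))
```

The deny-pattern check shows why the trusted set matters more than the header format: with "!10.0.0.254" added to "source", the recursive walk stops at 10.0.0.254 and reports it, because an untrusted proxy's claims about earlier hops are not honoured.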
@@ -72,13 +72,13 @@ certificate bundle in a listener if a client did not use SNI. the router process could crash on TLS connection open when multiple listeners -with TLS certificate configured; the bug had appeared in 1.23.0. +with TLS certificates were configured; the bug had appeared in 1.23.0. -the router process could crash on rapid mutithreaded application +the router process could crash with frequent mutithreaded application reconfiguration. @@ -99,7 +99,7 @@ a full-form IPv6 in a listener address. -compatibility issues with some Python ASGI apps, notably based on Starlette +compatibility issues with some Python ASGI apps, notably based on the Starlette framework. -- cgit From 90680c2cafa052363f3bf00c7dcc883f4d13c467 Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Thu, 19 Aug 2021 17:43:04 +0300 Subject: Reordered changes for 1.25.0 by significance (subjective). --- docs/changes.xml | 31 +++++++++++++++---------------- 1 file changed, 15 insertions(+), 16 deletions(-) (limited to 'docs/changes.xml') diff --git a/docs/changes.xml b/docs/changes.xml index 110d8bef..78171167 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -33,7 +33,7 @@ NGINX Unit updated to 1.25.0. -TLS session tickets. +client IP address replacement from a specified HTTP header field. @@ -45,7 +45,7 @@ TLS sessions cache. -process and thread lifecycle hooks in Ruby. +TLS session tickets. 
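Review bot: the edited line "could crash with frequent mutithreaded application reconfiguration" keeps the "mutithreaded" typo; correct it to "multithreaded" in the same edit.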
@@ -57,22 +57,21 @@ application restart control. -client IP address replacement from a specified HTTP header field. +process and thread lifecycle hooks in Ruby. -TLS connections were rejected for configurations with multiple -certificate bundles in a listener if the client did not use SNI. +the router process could crash on TLS connection open when multiple listeners +with TLS certificates were configured; the bug had appeared in 1.23.0. - -the router process could crash on TLS connection open when multiple listeners -with TLS certificates were configured; the bug had appeared in 1.23.0. +TLS connections were rejected for configurations with multiple certificate +bundles in a listener if the client did not use SNI. @@ -85,22 +84,22 @@ reconfiguration. -a descriptor and memory leak occurred in the router process when an app -process stopped or crashed. +compatibility issues with some Python ASGI apps, notably based on the Starlette +framework. -the controller or router process could crash if the configuration contained -a full-form IPv6 in a listener address. +a descriptor and memory leak occurred in the router process when an app process +stopped or crashed. -compatibility issues with some Python ASGI apps, notably based on the Starlette -framework. +the controller or router process could crash if the configuration contained +a full-form IPv6 in a listener address. @@ -113,8 +112,8 @@ or "upstreams" using a variable "pass" option. -the router process crashed while matching a request to an empty array of -source or destination address patterns. +the router process crashed while matching a request to an empty array of source +or destination address patterns. -- cgit From 9aefc734764260d79b3d51b2284b1776c9ecf7c2 Mon Sep 17 00:00:00 2001 From: Valentin Bartenev Date: Thu, 19 Aug 2021 17:48:21 +0300 Subject: Added version 1.25.0 CHANGES. --- docs/changes.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'docs/changes.xml') 
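Review bot: this reorder also rewraps several entries (the ASGI, leak, and empty-array entries, for example) without changing their words; mixing rewrap with reorder makes it hard to see that no wording changed, so keep the line breaks as they were or do the rewrap in a separate commit.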
diff --git a/docs/changes.xml b/docs/changes.xml index 78171167..7e7f79ed 100644 --- a/docs/changes.xml +++ b/docs/changes.xml @@ -15,7 +15,7 @@ unit-jsc-common unit-jsc8 unit-jsc10 unit-jsc11 unit-jsc13 unit-jsc14 unit-jsc15 unit-jsc16 unit-jsc17" ver="1.25.0" rev="1" - date="" time="" + date="2021-08-19" time="18:00:00 +0300" packager="Andrei Belov <defan@nginx.com>"> @@ -28,7 +28,7 @@ NGINX Unit updated to 1.25.0. -- cgit
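Review bot: the first hunk fills in date="2021-08-19" time="18:00:00 +0300"; the second hunk at line 28 shows no changed content in this rendering although the diffstat counts two changed lines, so confirm what that hunk alters before tagging the release.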