Date: Tue, 2 Nov 2021 16:13:47 GMT From: "Sergey A. Osokin" <osa@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 62502a50558b - main - www/nginx-devel: update from 1.21.3 to 1.21.4. Message-ID: <202111021613.1A2GDlpj078564@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by osa: URL: https://cgit.FreeBSD.org/ports/commit/?id=62502a50558bbc0950693a9ea52aee738a80f0c8 commit 62502a50558bbc0950693a9ea52aee738a80f0c8 Author: Sergey A. Osokin <osa@FreeBSD.org> AuthorDate: 2021-11-02 16:12:41 +0000 Commit: Sergey A. Osokin <osa@FreeBSD.org> CommitDate: 2021-11-02 16:13:40 +0000 www/nginx-devel: update from 1.21.3 to 1.21.4. New kernel TLS feature is available starting with FreeBSD 13.0, and it requires OpenSSL 3.0, compiled with "enable-ktls" option. Further, KTLS needs to be enabled in kernel, and in OpenSSL, either via OpenSSL configuration file or with ssl_conf_command Options KTLS; in nginx configuration. To enable kernel TLS on FreeBSD 13 and above: # kldload ktls_ocf # sysctl kern.ipc.tls.enable=1 to load a software backend, see man ktls(4) for details. Also, please visit the following link to get more details https://hg.nginx.org/nginx/rev/65946a191197 <Changelog> *) Change: support for NPN instead of ALPN to establish HTTP/2 connections has been removed. *) Change: now nginx rejects SSL connections if ALPN is used by the client, but no supported protocols can be negotiated. *) Change: the default value of the "sendfile_max_chunk" directive was changed to 2 megabytes. *) Feature: the "proxy_half_close" directive in the stream module. *) Feature: the "ssl_alpn" directive in the stream module. *) Feature: the $ssl_alpn_protocol variable. *) Feature: support for SSL_sendfile() when using OpenSSL 3.0. *) Feature: the "mp4_start_key_frame" directive in the ngx_http_mp4_module. Thanks to Tracey Jaquith. *) Bugfix: in the $content_length variable when using chunked transfer encoding. *) Bugfix: after receiving a response with incorrect length from a proxied backend nginx might nevertheless cache the connection. Thanks to Awdhesh Mathpal. *) Bugfix: invalid headers from backends were logged at the "info" level instead of "error"; the bug had appeared in 1.21.1. *) Bugfix: requests might hang when using HTTP/2 and the "aio_write" directive. </Changelog> --- www/nginx-devel/Makefile | 8 +- www/nginx-devel/Makefile.options.desc | 1 - www/nginx-devel/distinfo | 6 +- www/nginx-devel/files/extra-patch-ktls | 312 --------------------------------- 4 files changed, 5 insertions(+), 322 deletions(-) diff --git a/www/nginx-devel/Makefile b/www/nginx-devel/Makefile index e5ae4f01f87d..8f5670fae386 100644 --- a/www/nginx-devel/Makefile +++ b/www/nginx-devel/Makefile @@ -1,8 +1,7 @@ # Created by: Sergey A. Osokin <osa@FreeBSD.org> PORTNAME?= nginx -PORTVERSION= 1.21.3 -PORTREVISION= 4 +PORTVERSION= 1.21.4 CATEGORIES= www MASTER_SITES= https://nginx.org/download/ \ LOCAL/osa @@ -78,7 +77,7 @@ OPTIONS_GROUP_MAILGRP= MAIL MAIL_IMAP MAIL_POP3 MAIL_SMTP MAIL_SSL OPTIONS_GROUP_STREAMGRP= STREAM STREAM_REALIP STREAM_SSL \ STREAM_SSL_PREREAD -OPTIONS_DEFINE= DEBUG DEBUGLOG DSO FILE_AIO IPV6 KTLS NJS THREADS WWW +OPTIONS_DEFINE= DEBUG DEBUGLOG DSO FILE_AIO IPV6 NJS THREADS WWW OPTIONS_DEFAULT?= DSO FILE_AIO HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE \ HTTP_DAV HTTP_FLV HTTP_GUNZIP_FILTER HTTP_GZIP_STATIC \ HTTP_MP4 HTTP_RANDOM_INDEX HTTP_REALIP HTTP_REWRITE \ @@ -86,8 +85,6 @@ OPTIONS_DEFAULT?= DSO FILE_AIO HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE \ HTTP_SUB HTTPV2 MAIL MAIL_SSL STREAM STREAM_REALIP \ STREAM_SSL STREAM_SSL_PREREAD THREADS WWW -OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:} - OPTIONS_RADIO+= GSSAPI OPTIONS_RADIO_GSSAPI= GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_HEIMDAL_USES= gssapi:heimdal,flags @@ -169,7 +166,6 @@ HTTP_XSLT_USE= GNOME=libxml2,libxslt HTTP_XSLT_VARS= DSO_BASEMODS+=http_xslt_module HTTPV2_IMPLIES= HTTP_SSL HTTPV2_CONFIGURE_ON= --with-http_v2_module -KTLS_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-ktls:-p1 MAIL_VARS= DSO_BASEMODS+=mail MAIL_IMAP_CONFIGURE_OFF= --without-mail_imap_module MAIL_POP3_CONFIGURE_OFF= --without-mail_pop3_module diff --git a/www/nginx-devel/Makefile.options.desc b/www/nginx-devel/Makefile.options.desc index 44b8b624769d..66252c898a37 100644 --- a/www/nginx-devel/Makefile.options.desc +++ b/www/nginx-devel/Makefile.options.desc @@ -76,7 +76,6 @@ HTTP_XSLT_DESC= Enable http_xslt module HTTP_ZIP_DESC= 3rd party http_zip module ICONV_DESC= 3rd party iconv module IPV6_DESC= Enable IPv6 support -KTLS_DESC= Kernel TLS offload LET_DESC= 3rd party let module LINK_DESC= 3rd party link function module LUA_DESC= 3rd party lua module diff --git a/www/nginx-devel/distinfo b/www/nginx-devel/distinfo index 063a66e07f46..0c3e20996083 100644 --- a/www/nginx-devel/distinfo +++ b/www/nginx-devel/distinfo @@ -1,6 +1,6 @@ -TIMESTAMP = 1634653086 -SHA256 (nginx-1.21.3.tar.gz) = 14774aae0d151da350417efc4afda5cce5035056e71894836797e1f6e2d1175a -SIZE (nginx-1.21.3.tar.gz) = 1066609 +TIMESTAMP = 1635865241 +SHA256 (nginx-1.21.4.tar.gz) = d1f72f474e71bcaaf465dcc7e6f7b6a4705e4b1ed95c581af31df697551f3bfe +SIZE (nginx-1.21.4.tar.gz) = 1070260 SHA256 (nginx_mogilefs_module-1.0.4.tar.gz) = 7ac230d30907f013dff8d435a118619ea6168aa3714dba62c6962d350c6295ae SIZE (nginx_mogilefs_module-1.0.4.tar.gz) = 11208 SHA256 (nginx_mod_h264_streaming-2.2.7.tar.gz) = 6d974ba630cef59de1f60996c66b401264a345d25988a76037c2856cec756c19 diff --git a/www/nginx-devel/files/extra-patch-ktls b/www/nginx-devel/files/extra-patch-ktls deleted file mode 100644 index 52c40f53933c..000000000000 --- a/www/nginx-devel/files/extra-patch-ktls +++ /dev/null @@ -1,312 +0,0 @@ -From 11ad5d15c487ecc0a37f9747bb4bfa5bb96893c1 Mon Sep 17 00:00:00 2001 -From: John Baldwin <jhb@FreeBSD.org> -Date: Thu, 22 Aug 2019 12:18:32 -0700 -Subject: [PATCH] Add support for using SSL_sendfile from OpenSSL. - -This uses kernel TLS on systems supported by OpenSSL to send -files via sendfile() over TLS connections. ---- - auto/lib/openssl/conf | 8 ++ - src/event/ngx_event_openssl.c | 172 ++++++++++++++++++++++++++++++++++ - src/event/ngx_event_openssl.h | 7 ++ - src/http/ngx_http_request.c | 14 ++- - src/http/ngx_http_upstream.c | 5 + - 5 files changed, 203 insertions(+), 3 deletions(-) - -diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf -index 4fb52df7fe..c4772248ae 100644 ---- a/auto/lib/openssl/conf -+++ b/auto/lib/openssl/conf -@@ -123,6 +123,14 @@ else - CORE_INCS="$CORE_INCS $ngx_feature_path" - CORE_LIBS="$CORE_LIBS $ngx_feature_libs" - OPENSSL=YES -+ -+ ngx_feature="SSL_sendfile()" -+ ngx_feature_name="NGX_SSL_SENDFILE" -+ ngx_feature_run=no -+ ngx_feature_test="SSL *ssl; -+ (void)BIO_get_ktls_send(SSL_get_wbio(ssl)); -+ SSL_sendfile(ssl, -1, 0, 0, 0);" -+ . auto/feature - fi - fi - -diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c -index 93a6ae46ea..04759827fc 100644 ---- a/src/event/ngx_event_openssl.c -+++ b/src/event/ngx_event_openssl.c -@@ -52,6 +52,10 @@ static void ngx_ssl_shutdown_handler(ngx_event_t *ev); - static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, - ngx_err_t err, char *text); - static void ngx_ssl_clear_error(ngx_log_t *log); -+#if (NGX_SSL_SENDFILE) -+static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, int fd, off_t off, -+ size_t size, int flags); -+#endif - - static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, - ngx_str_t *sess_ctx, ngx_array_t *certificates); -@@ -1712,7 +1716,11 @@ ngx_ssl_handshake(ngx_connection_t *c) - c->recv = ngx_ssl_recv; - c->send = ngx_ssl_write; - c->recv_chain = ngx_ssl_recv_chain; -+#if (NGX_SSL_SENDFILE) -+ c->send_chain = ngx_ssl_sendfile_chain; -+#else - c->send_chain = ngx_ssl_send_chain; -+#endif - - #ifndef SSL_OP_NO_RENEGOTIATION - #if OPENSSL_VERSION_NUMBER < 0x10100000L -@@ -1741,6 +1749,13 @@ ngx_ssl_handshake(ngx_connection_t *c) - - c->ssl->handshaked = 1; - -+#if (NGX_SSL_SENDFILE) -+ c->ssl->can_use_sendfile = !!BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "BIO_get_ktls_send: %d", c->ssl->can_use_sendfile); -+ c->sendfile = c->ssl->can_use_sendfile ? 1 : 0; -+#endif -+ - return NGX_OK; - } - -@@ -2609,6 +2624,163 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) - return in; - } - -+#if (NGX_SSL_SENDFILE) -+ngx_chain_t * -+ngx_ssl_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) -+{ -+ int can_use_sendfile; -+ ssize_t n; -+ -+ can_use_sendfile = BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); -+ -+ ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "Sending chain %p can_use_sendfile:%d c->sendfile:%d " \ -+ "c->ssl->buffer:%d limit:%O", -+ in, can_use_sendfile, c->sendfile, c->ssl->buffer, limit); -+ -+ if (! (can_use_sendfile && c->sendfile) || c->ssl->buffer) { -+ return ngx_ssl_send_chain(c, in, limit); -+ } -+ -+ /* the maximum limit size is the maximum int32_t value - the page size */ -+ if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { -+ limit = NGX_MAX_INT32_VALUE - ngx_pagesize; -+ } -+ -+ while (in) { -+ if (ngx_buf_special(in->buf)) { -+ in = in->next; -+ continue; -+ } -+ -+ if (in->buf->in_file) { -+ ngx_chain_t *cl; -+ int sendfile_flags; -+ off_t sendfile_size; -+ -+ cl = in; -+#ifdef __FreeBSD__ -+ sendfile_flags = /* in->buf->sendfile_flags |*/ SF_NODISKIO; -+#else -+ sendfile_flags = in->buf->sendfile_flags; -+#endif -+ sendfile_size = ngx_chain_coalesce_file(&cl, limit); -+ -+ n = ngx_ssl_sendfile(c, in->buf->file->fd, in->buf->file_pos, -+ sendfile_size, sendfile_flags); -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "ngx_ssl_sendfile returns:%z", n); -+ } else { -+ n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "ngx_ssl_write returns:%z", n); -+ } -+ -+ if (n == NGX_ERROR) { -+ return NGX_CHAIN_ERROR; -+ } -+ if (n == NGX_AGAIN) { -+ return in; -+ } -+ if (n == NGX_BUSY) { -+ c->busy_count = 1; -+ c->write->delayed = 1; -+ ngx_add_timer(c->write, 10); -+ return in; -+ } -+ -+ in = ngx_chain_update_sent(in, (off_t) n); -+ } -+ -+ return in; -+} -+ -+static ssize_t -+ngx_ssl_sendfile(ngx_connection_t *c, int fd, off_t off, size_t size, int flags) -+{ -+ int n, sslerr; -+ ngx_err_t err; -+ -+ ngx_ssl_clear_error(c->log); -+ -+ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ "SSL to sendfile: %uz at %O with %Xd", size, off, flags); -+ -+ n = SSL_sendfile(c->ssl->connection, fd, off, size, flags); -+ -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n); -+ -+ if (n > 0) { -+ -+ if (c->ssl->saved_read_handler) { -+ -+ c->read->handler = c->ssl->saved_read_handler; -+ c->ssl->saved_read_handler = NULL; -+ c->read->ready = 1; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ ngx_post_event(c->read, &ngx_posted_events); -+ } -+ -+ c->sent += n; -+ -+ return n; -+ } -+ -+ sslerr = SSL_get_error(c->ssl->connection, n); -+ -+#ifdef __FreeBSD__ -+ if (sslerr == SSL_ERROR_WANT_WRITE && ngx_errno == EBUSY) { -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "bioerr=NGX_EBUSY, sslerr=%d", sslerr); -+ return NGX_BUSY; -+ } -+#endif -+ -+ err = (sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; -+ -+ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ -+ if (sslerr == SSL_ERROR_WANT_WRITE) { -+ c->write->ready = 0; -+ return NGX_AGAIN; -+ } -+ -+ if (sslerr == SSL_ERROR_WANT_READ) { -+ -+ ngx_log_error(NGX_LOG_INFO, c->log, 0, -+ "peer started SSL renegotiation"); -+ -+ c->read->ready = 0; -+ -+ if (ngx_handle_read_event(c->read, 0) != NGX_OK) { -+ return NGX_ERROR; -+ } -+ -+ /* -+ * we do not set the timer because there is already -+ * the write event timer -+ */ -+ -+ if (c->ssl->saved_read_handler == NULL) { -+ c->ssl->saved_read_handler = c->read->handler; -+ c->read->handler = ngx_ssl_read_handler; -+ } -+ -+ return NGX_AGAIN; -+ } -+ -+ c->ssl->no_wait_shutdown = 1; -+ c->ssl->no_send_shutdown = 1; -+ c->write->error = 1; -+ -+ ngx_ssl_connection_error(c, sslerr, err, "SSL_sendfile() failed"); -+ -+ return NGX_ERROR; -+} -+#endif - - ssize_t - ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) -diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h -index 329760d093..233b7f20c8 100644 ---- a/src/event/ngx_event_openssl.h -+++ b/src/event/ngx_event_openssl.h -@@ -106,6 +106,9 @@ struct ngx_ssl_connection_s { - unsigned in_ocsp:1; - unsigned early_preread:1; - unsigned write_blocked:1; -+#if (NGX_SSL_SENDFILE) -+ unsigned can_use_sendfile:1; -+#endif - }; - - -@@ -289,6 +292,10 @@ ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); - ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit); - ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, - off_t limit); -+#if (NGX_SSL_SENDFILE) -+ngx_chain_t *ngx_ssl_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, -+ off_t limit); -+#endif - void ngx_ssl_free_buffer(ngx_connection_t *c); - ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); - void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, -diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c -index 68d81e9320..e4a922a83a 100644 ---- a/src/http/ngx_http_request.c -+++ b/src/http/ngx_http_request.c -@@ -608,7 +608,10 @@ ngx_http_alloc_request(ngx_connection_t *c) - - #if (NGX_HTTP_SSL) - if (c->ssl) { -- r->main_filter_need_in_memory = 1; -+#if (NGX_SSL_SENDFILE) -+ if (c->ssl->can_use_sendfile == 0) -+#endif -+ r->main_filter_need_in_memory = 1; - } - #endif - -@@ -747,8 +750,13 @@ ngx_http_ssl_handshake(ngx_event_t *rev) - sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, - ngx_http_ssl_module); - -- if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER) -- != NGX_OK) -+ if (ngx_ssl_create_connection(&sscf->ssl, c, -+#if (NGX_SSL_SENDFILE) -+ 0 -+#else -+ NGX_SSL_BUFFER -+#endif -+ ) != NGX_OK) - { - ngx_http_close_connection(c); - return; -diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index 9cbb5a3b0c..f93f2ae244 100644 ---- a/src/http/ngx_http_upstream.c -+++ b/src/http/ngx_http_upstream.c -@@ -1715,6 +1715,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, - return; - } - -+#if (NGX_SSL_SENDFILE) -+ c->sendfile = 0; -+ u->output.sendfile = 0; -+#endif -+ - ngx_http_upstream_ssl_handshake(r, u, c); - } -
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202111021613.1A2GDlpj078564>