3
0
Fork 0
forked from mirrors/nixpkgs
Commit graph

263 commits

Author SHA1 Message Date
aszlig e1d63ada02
nginx: Fix ETag patch to ignore realpath(3) error
While our ETag patch works pretty fine if it comes to serving data off
store paths, it unfortunately broke something that might be a bit more
common, namely when using regexes to extract path components of
location directives for example.

Recently, @devhell has reported a bug with a nginx location directive
like this:

  location ~^/\~([a-z0-9_]+)(/.*)?$" {
    alias /home/$1/public_html$2;
  }

While this might look harmless at first glance, it does however cause
issues with our ETag patch. The alias directive gets broken up by nginx
like this:

  *2 http script copy: "/home/"
  *2 http script capture: "foo"
  *2 http script copy: "/public_html/"
  *2 http script capture: "bar.txt"

In our patch however, we use realpath(3) to get the canonicalised path
from ngx_http_core_loc_conf_s.root, which returns the *configured* value
from the root or alias directive. So in the example above, realpath(3)
boils down to the following syscalls:

  lstat("/home", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
  lstat("/home/$1", 0x7ffd08da6f60) = -1 ENOENT (No such file or directory)

During my review[1] of the initial patch, I didn't actually notice that
what we're doing here is returning NGX_ERROR if the realpath(3) call
fails, which in turn causes an HTTP 500 error.

Since our patch actually made the canonicalisation (and thus additional
syscalls) necessary, we really shouldn't introduce an additional error
so let's - at least for now - silently skip return value if realpath(3)
has failed.

However since we're using the unaltered root from the config we have
another issue, consider this root:

  /nix/store/...-abcde/$1

Calling realpath(3) on this path will fail (except if there's a file
called "$1" of course), so even this fix is not enough because it
results in the ETag not being set to the store path hash.

While this is very ugly and we should fix this very soon, it's not as
serious as getting HTTP 500 errors for serving static files.

I added a small NixOS VM test, which uses the example above as a
regression test.

It seems that my memory is failing these days, since apparently I *knew*
about this issue since digging for existing issues in nixpkgs, I found
this similar pull request which I even reviewed:

https://github.com/NixOS/nixpkgs/pull/66532

However, since the comments weren't addressed and the author hasn't
responded to the pull request, I decided to keep this very commit and do
a follow-up pull request.

[1]: https://github.com/NixOS/nixpkgs/pull/48337

Signed-off-by: aszlig <aszlig@nix.build>
Reported-by: @devhell
Acked-by: @7c6f434c
Acked-by: @yorickvP
Merges: https://github.com/NixOS/nixpkgs/pull/80671
Fixes: https://github.com/NixOS/nixpkgs/pull/66532
2020-03-28 02:57:21 +01:00
ajs124 0aec2cdd08 nginxModules.fastcgi-cache-purge: 2.3 -> 2.5
switch to a fork that seems sort of alive
2020-03-10 23:35:15 +01:00
Emily 6d046e1079 openresty: rebase on top of nginx package
The primary motivation of this change was to allow third-party modules
to be used with OpenResty, but it also results in a significant
reduction of code duplication.
2020-02-04 19:30:40 -06:00
Emily db3182a65d nginxModules.brotli: v0.1.2 -> unstable
The fork was merged back upstream but has yet to see a formal release.
2020-02-04 19:30:40 -06:00
Will Dietz 92d29418b3
nginxMainline: 1.17.3 -> 1.17.8
http://nginx.org/en/CHANGES
2020-01-21 11:02:11 -06:00
Ryan Mulligan 6de8b8f144
Merge pull request #61722 from Izorkin/pinba-nginx
nginxModules.pinba: init at 13.05.2019
2020-01-04 07:58:18 -08:00
Frederik Rietdijk 7aa2b0215b Merge master into staging-next 2020-01-03 10:25:14 +01:00
Robin Gloster 6ca6ac796b
treewide: configureFlags is a flat list 2019-12-31 01:37:49 +01:00
Robin Gloster 5f2b92e3ec
treewide: NIX_*_COMPILE -> string 2019-12-31 00:13:29 +01:00
aszlig ccf55bead1
nginx: Clear Last-Modified if ETag is from store
This is what I've suspected a while ago[1]:

> Heads-up everyone: After testing this in a few production instances,
> it seems that some browsers still get cache hits for new store paths
> (and changed contents) for some reason. I highly suspect that it might
> be due to the last-modified header (as mentioned in [2]).
>
> Going to test this with last-modified disabled for a little while and
> if this is the case I think we should improve that patch by disabling
> last-modified if serving from a store path.

Much earlier[2] when I reviewed the patch, I wrote this:

> Other than that, it looks good to me.
>
> However, I'm not sure what we should do with Last-Modified header.
> From RFC 2616, section 13.3.4:
>
> - If both an entity tag and a Last-Modified value have been
>   provided by the origin server, SHOULD use both validators in
>   cache-conditional requests. This allows both HTTP/1.0 and
>   HTTP/1.1 caches to respond appropriately.
>
> I'm a bit nervous about the SHOULD here, as user agents in the wild
> could possibly just use Last-Modified and use the cached content
> instead.

Unfortunately, I didn't pursue this any further back then because
@pbogdan noted[3] the following:

> Hmm, could they (assuming they are conforming):
>
>  * If an entity tag has been provided by the origin server, MUST
>    use that entity tag in any cache-conditional request (using If-
>    Match or If-None-Match).

Since running with this patch in some deployments, I found that both
Firefox and Chrome/Chromium do NOT re-validate against the ETag if the
Last-Modified header is still the same.

So I wrote a small NixOS VM test with Geckodriver to have a test case
which is closer to the real world and I indeed was able to reproduce
this.

Whether this is actually a bug in Chrome or Firefox is an entirely
different issue and even IF it is the fault of the browsers and it is
fixed at some point, we'd still need to handle this for older browser
versions.

Apart from clearing the header, I also recreated the patch by using a
plain "git diff" with a small description on top. This should make it
easier for future authors to work on that patch.

[1]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-495072764
[2]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-451644084
[3]: https://github.com/NixOS/nixpkgs/pull/48337#issuecomment-451646135

Signed-off-by: aszlig <aszlig@nix.build>
2019-12-30 14:30:36 +01:00
Izorkin edddf0ac47 nginxModules.pinba: init at 13.05.2019 2019-12-11 10:06:55 +03:00
Jörg Thalheim 571ed9d22e
nginx: reference tests 2019-11-29 12:27:55 +00:00
tekeri a5f26644d4 Add nginx perl modules (#73198)
* nginx: enable perl_module if perl is given

* nginx: move `perl = null` to toplevel
2019-11-27 17:08:56 +00:00
Franz Pletz de85797565
Merge remote-tracking branch 'origin/master' into gcc-8 2019-09-03 22:15:07 +02:00
Robin Gloster 616b8343c4
Merge remote-tracking branch 'upstream/master' into gcc-8 2019-08-25 18:55:46 +02:00
Vladimír Čunát 2e6bf42a22
Merge branch 'master' into staging-next
There ver very many conflicts, basically all due to
name -> pname+version.  Fortunately, almost everything was auto-resolved
by kdiff3, and for now I just fixed up a couple evaluation problems,
as verified by the tarball job.  There might be some fallback to these
conflicts, but I believe it should be minimal.

Hydra nixpkgs: ?compare=1538299
2019-08-24 08:55:37 +02:00
Robin Gloster 4e60b0efae
treewide: update globin's maintained drvs 2019-08-20 19:36:05 +02:00
volth c814d72b51 treewide: name -> pname 2019-08-17 10:54:38 +00:00
Izorkin 83381bec9c nginxMainline: 1.17.2 -> 1.17.3 2019-08-13 21:31:57 +03:00
Izorkin aec55db737 nginxStable: 1.16.0 -> 1.16.1 2019-08-13 21:30:08 +03:00
Izorkin 293e5d8365 nginxMainline: 1.16.0 -> 1.17.2 2019-07-24 21:09:22 +03:00
Franz Pletz c051374da2
nginx: fix build with gcc8 2019-06-17 07:06:02 +02:00
Izorkin 872f056bb4 nginxModules.lua: 0.10.14 -> 0.10.15 2019-05-13 12:37:14 +03:00
Izorkin fa3f68edab nginxModules.http_proxy_connect_module: 16.04.2019 -> 06.05.2019 2019-05-13 12:37:10 +03:00
Jörg Thalheim 0816c69173
nginxModules: update and add nginx modules (#59949)
nginxModules: update and add nginx modules
2019-05-13 10:15:09 +01:00
Izorkin 619aa5c97f nginxMainline: 1.15.12 -> 1.16.0 2019-04-30 07:56:29 +03:00
Izorkin 65a736064a nginxStable: 1.14.2 -> 1.16.0 2019-04-30 07:56:23 +03:00
Yurii Izorkin 5ba8811758 nginxMainline: 1.15.10 -> 1.15.12 (#59950) 2019-04-22 00:08:08 +02:00
Izorkin 452cf0b3e2 nginxModules.naxsi: init at 0.56 2019-04-21 11:10:49 +03:00
Izorkin 6600d00ed1 nginxModules.video-thumbextractor: init at 0.9.0 2019-04-21 10:32:46 +03:00
Izorkin f6525448a5 nginxModules.sorted-querystring: init at 0.3 2019-04-21 10:30:29 +03:00
Izorkin b329187524 nginxModules.limit-speed: init at 21.05.2014 2019-04-21 10:27:31 +03:00
Izorkin 13c938ac1e nginxModules.subsFilter: 0.6.4 -> 13.04.2016 2019-04-21 10:21:44 +03:00
Izorkin d1dff5a9ec nginxModules.upstream-tarantool: 2.7 -> 2.7.1 2019-04-20 23:11:08 +03:00
Izorkin 6a154d00c3 nginxModules.upstream-check: 10.11.2017 -> 12.08.2018 2019-04-20 23:08:55 +03:00
Izorkin d66b94da62 nginxModules.coolkit: init at 0.2 2019-04-20 22:35:55 +03:00
Izorkin 80666e68b2 nginxModules.slowfs-cache: init at 1.10 2019-04-20 22:29:29 +03:00
Izorkin 8c1131ef28 nginxModules.lua: 0.10.13 -> 0.10.14 2019-04-20 22:29:29 +03:00
Izorkin 89a73423ab nginxModules.mpeg-ts: init at 0.1.1 2019-04-20 22:29:24 +03:00
Izorkin c940a7caa0 nginxModules.live: init at 18.11.2018 2019-04-20 21:46:45 +03:00
Izorkin b0dc2d6106 nginxModules.dav: 0.1.0 -> 3.0.0 2019-04-20 21:40:09 +03:00
Izorkin 7a5d938067 nginxModules.http_proxy_connect_module: 05.09.2018 -> 16.04.2019 2019-04-20 21:33:18 +03:00
aszlig 1f24685d93
nginx/etag-patch: Use Nix store dir from build env
So far, the Nix store directory was hardcoded and if someone uses a
different Nix store directory the patch won't work. Of course, this is
pretty uncommon, but by not only substituting the store directory but
also the length of it we also save a few calls to ngx_strlen(), which
should save us a few cycles.

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-18 10:07:55 +02:00
aszlig af5a3ce474
nginx: Fix memleak in nix-etag patch
The original patch introduced a new "real" variable which gets populated
(and allocated) via ngx_realpath(). It's properly freed in error
conditions but it won't be freed if ngx_http_set_etag returns
successfully.

Adding another ngx_free() just before returning fixes that memory leak.

I also fixed a small indentation issue along the way.

Signed-off-by: aszlig <aszlig@nix.build>
2019-04-18 09:40:13 +02:00
Yegor Timoshenko 1da8eec00f
nginx: handle impure symlinks in ETag patch 2019-04-18 09:40:11 +02:00
Yegor Timoshenko f03302b636
nginx: check for realpath() == NULL in ETag patch
Thanks to Gabriel Ebner!
2019-04-18 09:40:09 +02:00
Yegor Timoshenko 135d54f535
nginx: if root is in Nix store, use path's hash as ETag
Resolves #25485. Usage example:

$ realpath /var/www
/nix/store/wnrhnnpdj3x50j5xz38zp1qxs1ygwccw-site
$ curl --head localhost
HTTP/1.1 200 OK
Server: nginx
Date: Fri, 28 Sep 2018 06:09:25 GMT
Content-Type: text/html
Content-Length: 50
Last-Modified: Thu, 01 Jan 1970 00:00:01 GMT
Connection: keep-alive
ETag: "wnrhnnpdj3x50j5xz38zp1qxs1ygwccw"
Accept-Ranges: bytes
2019-04-18 09:40:06 +02:00
Franz Pletz 4c0d1ae7be
nginxMainline: 1.15.9 -> 1.15.10 2019-04-02 12:02:39 +02:00
Maximilian Bosch 37867dba74
nginxModules.http_proxy_connect_module: init
This adds the nginx module `ngx_http_proxy_connect_module` which allows
to tunnel HTTPS through an nginx proxy[1].

As this module contained patches for several nginx version, some minor
adjustments were needed:

* Allowed each entry in `nginxModules` to provide patches.

* Added an optional `supports` attribute to ensure that each module can
  determine if it supports the currently built nginx version (e.g. stable
  1.14 ATM or mainline 1.15 ATM).

[1] https://github.com/chobits/ngx_http_proxy_connect_module
2019-03-29 23:53:09 +01:00
Benjamin Smith f4d24273e5 nginx: add http subs filter module (#56546) 2019-03-13 02:16:40 +02:00