This reduces the number of moving parts in ABI compatibility checks.
Additionally, it also allows to use OpenSSL in FIPS mode while still
using md5 for non-security tasks.
This parameter lets binding the proxy connection to a non-local address.
Upstream will see the connection as coming from that address.
When used with $remote_addr, upstream will accept the connection from real
client address.
Example:
proxy_bind $remote_addr transparent;
Added (RTLD_NOW | RTLD_GLOBAL) to dlopen() test. There is no RTLD_GLOBAL
on FreeBSD 2.2.9.
Added uint32_t test, with fallback to u_int32_t, similar to uint64_t one.
Added fallback to u_int32_t in in_addr_t test.
With these changes it is now possible to compile nginx on FreeBSD 2.2.9
with only few minor warnings (assuming -Wno-error).
Fixed a regression introduced in rev. 434548349838 that prevented
auto/types/sizeof and auto/types/typedef properly reporting autotest
source code to autoconf.err in case of test failure.
OPENSSL_config() deprecated in OpenSSL 1.1.0. Additionally,
SSL_library_init(), SSL_load_error_strings() and OpenSSL_add_all_algorithms()
are no longer available if OPENSSL_API_COMPAT is set to 0x10100000L.
The OPENSSL_init_ssl() function is now used instead with appropriate
arguments to trigger the same behaviour. The configure test changed to
use SSL_CTX_set_options().
Deinitialization now happens automatically in OPENSSL_cleanup() called
via atexit(3), so we no longer call EVP_cleanup() and ENGINE_cleanup()
directly.
Just using "cp" is incorrect, as it will overwrite old files
possibly used by OS, leading to unexpected effects. Changed
to "mv + cp", much like used for the main binary.
The "build" target introduced to do all build-related tasks, and
it is now used in Makefile and in objs/Makefile as a dependency for
the "install" target.
In particular, this resolves problems as observed with dynamic modules
by people trying to do "make install" without calling "make" first.
The install_sw target first appeared in OpenSSL 0.9.7e and is documented since
OpenSSL 1.0.0 as the way to install the OpenSSL software without documentation.
Before 7142b04337d6, it was possible to build the OpenSSL library
along with nginx, and link nginx statically with this library
(--with-openssl=DIR --with-ld-opt=-static --with-http_ssl_module).
This was broken on Linux by not adding -ldl after -lcrypto.
The fix also makes it possible to link nginx statically on Linux
with the system OpenSSL library, which never worked before.
Now we always set NGX_CC_NAME to "msvc", and additionally test compiler
version as reported by "cl" in auto/cc/msvc (the same version is also
available via the _MSC_VER define). In particular, this approach allows
to properly check for C99 variadic macros support, which previously was
not used with MSVC versions not explicitly recognized.
Now unneeded wildcards in NGX_CC_NAME tests for msvc removed accordingly,
as well as unused wildcards for owc and icc.
The auto/module script is extended to understand ngx_module_link=DYNAMIC.
When set, it links the module as a shared object rather than statically
into nginx binary. The module can later be loaded using the "load_module"
directive.
New auto/module parameter ngx_module_order allows to define module loading
order in complex cases. By default the order is set based on ngx_module_type.
3rd party modules can be compiled dynamically using the --add-dynamic-module
configure option, which will preset ngx_module_link to "DYNAMIC" before
calling the module config script.
Win32 support is rudimentary, and only works when using MinGW gcc (which
is able to handle exports/imports automatically).
In collaboration with Ruslan Ermilov.
This script simplifies configuration of additional modules,
including 3rd party ones. The script is extensible, and
will be used to introduce dynamic linking of modules in upcoming
changes.
3rd party module config scripts are called with ngx_module_link
preset to "ADDON" - this allows config scripts to call auto/module
without ngx_module_link explicitly defined, as well as testing if
new interface is in place if compatibility with older nginx versions
is desired.
In collaboration with Ruslan Ermilov.
Additionally, HTTP_HEADERS_FILTER_MODULE now added to HTTP_FILTER_MODULES.
This avoids explict use of modules at the later stages, now only module
lists are used. This will be needed in later patches.
Splits a request into subrequests, each providing a specific range of response.
The variable "$slice_range" must be used to set subrequest range and proper
cache key. The directive "slice" sets slice size.
The following example splits requests into 1-megabyte cacheable subrequests.
server {
listen 8000;
location / {
slice 1m;
proxy_cache cache;
proxy_cache_key $uri$is_args$args$slice_range;
proxy_set_header Range $slice_range;
proxy_cache_valid 200 206 1h;
proxy_pass http://127.0.0.1:9000;
}
}
The function is now called ngx_parse_http_time(), and can be used by
any code to parse HTTP-style date and time. In particular, it will be
used for OCSP stapling.
For compatibility, a macro to map ngx_http_parse_time() to the new name
provided for a while.
It's now initialized in auto/options like the rest of variables
for system paths.
As a side effect, the currently unused macro NGX_SBIN_PATH now
gets the correct value.
With this change it's no longer needed to pass -D_GNU_SOURCE manually,
and -D_FILE_OFFSET_BITS=64 is set to use 64-bit off_t.
Note that nginx currently fails to work properly with master process
enabled on GNU Hurd, as fcntl(F_SETOWN) returns EOPNOTSUPP for sockets
as of GNU Hurd 0.6. Additionally, our strerror() preloading doesn't
work well with GNU Hurd, as it uses large numbers for most errors.
When configured, an individual listen socket on a given address is
created for each worker process. This allows to reduce in-kernel lock
contention on configurations with high accept rates, resulting in better
performance. As of now it works on Linux and DragonFly BSD.
Note that on Linux incoming connection requests are currently tied up
to a specific listen socket, and if some sockets are closed, connection
requests will be reset, see https://lwn.net/Articles/542629/. With
nginx, this may happen if the number of worker processes is reduced.
There is no such problem on DragonFly BSD.
Based on previous work by Sepherosa Ziehau and Yingqi Lu.
The code tried to use suffixes for "long" and "long long" types, but
it never worked as intended due to the bug in the shell code. Also,
the max value for any 64-bit type other than "long long" on platforms
with 32-bit "long" would be incorrect if the bug was fixed.
So instead of fixing the bug in the shell code, always use the "int"
constant for 32-bit types, and "long long" constant for 64-bit types.
It appeared that the NGX_HAVE_AIO_SENDFILE macro was defined regardless of
the "--with-file-aio" configure option and the NGX_HAVE_FILE_AIO macro.
Now they are related.
Additionally, fixed one macro.
Previous workaround to avoid warnings on OS X due to deprecated system
OpenSSL library (introduced in a3870ea96ccd) no longer works, as
the MAC_OS_X_VERSION_MIN_REQUIRED macro is ignored on OS X 10.9
if a compiler used supports __attribute__(availability).
This fixes --with-file-aio support on systems that lack eventfd()
syscall, notably aarch64 Linux.
The syscall(SYS_eventfd) may still be necessary on systems that
have eventfd() syscall in the kernel but lack it in glibc, e.g.
as seen in the current CentOS 5 release.
Client address specified in the PROXY protocol header is now
saved in the $proxy_protocol_addr variable and can be used in
the realip module.
This is currently not implemented for mail.
Modern clang versions seem to no longer produce warnings for
system headers on Linux (at least clang 3.3 works), hence the
change. For older versions --with-cc-opt="-Wno-error" can be
used as a workaround.
Several warnings silenced, notably (ngx_socket_t) -1 is now checked
on socket operations instead of -1, as ngx_socket_t is unsigned on win32
and gcc complains on comparison.
With this patch, it's now possible to compile nginx using mingw gcc,
with options we normally compile on win32.
Several false positive warnings silenced, notably W8012 "Comparing
signed and unsigned" (due to u_short values promoted to int), and
W8072 "Suspicious pointer arithmetic" (due to large type values added
to pointers).
With this patch, it's now again possible to compile nginx using bcc32,
with options we normally compile on win32 minus ipv6 and ssl.
Precompiled headers are disabled as they lead to internal compiler errors
with long configure lines. Couple of false positive warnings silenced.
Various win32 typedefs are adjusted to work with Open Watcom C 1.9 headers.
With this patch, it's now again possible to compile nginx using owc386,
with options we normally compile on win32 minus ipv6 and ssl.
It was introduced in Linux 2.6.39, glibc 2.14 and allows to obtain
file descriptors without actually opening files. Thus made it possible
to traverse path with openat() syscalls without the need to have read
permissions for path components. It is effectively emulates O_SEARCH
which is missing on Linux.
O_PATH is used in combination with O_RDONLY. The last one is ignored
if O_PATH is used, but it allows nginx to not fail when it was built on
modern system (i.e. glibc 2.14+) and run with a kernel older than 2.6.39.
Then O_PATH is unknown to the kernel and ignored, while O_RDONLY is used.
Sadly, fstat() is not working with O_PATH descriptors till Linux 3.6.
As a workaround we fallback to fstatat() with the AT_EMPTY_PATH flag
that was introduced at the same time as O_PATH.
As of PCRE 8.33, config.h.generic no longer contains boolean macros. Two
of them (SUPPORT_PCRE8 and HAVE_MEMMOVE) were added to appropriate makefiles.
This allows PCRE 8.33 to compile and don't change anything for previous
versions.
This is done by passing AI_ADDRCONFIG to getaddrinfo().
On Linux, setting net.ipv6.conf.all.disable_ipv6 to 1 will now be
respected.
On FreeBSD, AI_ADDRCONFIG filtering is currently implemented by
attempting to create a datagram socket for the corresponding family,
which succeeds even if the system doesn't in fact have any addresses
of that family configured. That is, if the system with IPv6 support
in the kernel doesn't have IPv6 addresses configured, AI_ADDRCONFIG
will filter out IPv6 only inside a jail without IPv6 addresses or
with IPv6 disabled.
The $NGX_AUTO_CONFIG_H added to perl module Makefile dependencies to
make sure it's always rebuild after a configure. It is needed as we
expand various variables used for Makefile generation during configure
(in particular, nginx version).
Dependancy tracking introduced in r5169 were not handled absolute path
names properly. Absolute names might appear in CORE_DEPS if --with-openssl
or --with-pcre configure arguments are used to build OpenSSL/PCRE
libraries.
Additionally, revert part of r5169 to set NGX_INCS from Makefile
variables. Makefile variables have $ngx_include_opt in them, which
might result in wrong include paths being used. As a side effect,
this also restores build with --with-http_perl_module and --without-http
at the same time.
To avoid further breaks it's now done properly, all the dependencies
are now passed to Makefile.PL. While here, fixed include list passed to
Makefile.PL to use Makefile variables rather than a list expanded during
configure.
Filename extension used for dynamically loaded perl modules isn't
necessarily ".so" (e.g., it's ".bundle" on Mac OS X).
This fixes "make" after "make" unnecessarily rebuilding perl module.
Added missing dependencies for perl module's Makefile.
Simplified dependencies for perl module nginx.so: it depends
on Makefile that in turn depends on other perl bits.
Note: the "-p" argument of cp(1) dropped intentionally, to force nginx.so
rebuild. It is considered too boring to properly list all dependencies
in Makefile.PL.
This includes "debug_connection", upstreams, "proxy_pass", etc.
(ticket #92)
To preserve compatibility, "listen" specified with a domain name
selects the first IPv4 address, if available. If not available,
the first IPv6 address will be used (ticket #186).
On Mac OS X system toolchain by default prefers include files
from /usr/local/include, but libraries from /usr/lib. This might result in
various problems, in particular the one outlined below.
If the PCRE library is installed into /usr/local/, this results in pcre.h
being used from /usr/local/include (with PCRE_CONFIG_JIT defined), but
libpcre from /usr/lib (as shipped with the OS, without pcre_free_study()
symbol). As a result build fails as we use pcre_free_study() function
if we try to compile with PCRE JIT support.
Obvious workaround is to the root cause is to ask compiler to prefer
library from /usr/local/lib via ./configure --with-ld-opt="-L/usr/local/lib".
On the other hand, in any case it would be good to check if the function
we are going to use is available, hence the change.
See thread here for details:
http://mailman.nginx.org/pipermail/nginx-devel/2012-December/003074.html
Prodded by Piotr Sikora.
Very basic version without any OCSP responder query code, assuming valid
DER-encoded OCSP response is present in a ssl_stapling_file configured.
Such file might be produced with openssl like this:
openssl ocsp -issuer root.crt -cert domain.crt -respout domain.staple \
-url http://ocsp.example.com
HP-UX needs _HPUX_ALT_XOPEN_SOCKET_API to be defined to be able to
use various POSIX versions of networking functions. Notably sendmsg()
resulted in "sendmsg() failed (9: Bad file number)" alerts without it.
See xopen_networking(7) for more details.
This fixes alignment problems observerd on ARMs, and likely also needed
for MIPSes. Unless we know alignment is not required just assume we
need 16, which appears to be safe default for all architectures.
See here for details:
http://mailman.nginx.org/pipermail/nginx/2012-June/034139.html
New versions of icc confuse auto/cc/name due to introduced handling
of a "icc -v":
$ icc -v
icc version 12.1.3 (gcc version 4.6.0 compatibility)
$ icc -V
Intel(R) C Compiler XE for applications running on IA-32, Version 12.1.3.293 Build 20120212
Copyright (C) 1985-2012 Intel Corporation. All rights reserved.
FOR NON-COMMERCIAL USE ONLY
See report here:
http://mailman.nginx.org/pipermail/nginx/2012-February/032177.html
in the sys_nerr test.
o When sys_nerr and _sys_nerr are missed on a particular platform
and our euristic for a maximum errno detection applied always
print the maximum errno number we reached instead of printing void.[*]
* patch from Maxim Dounin
This commit makes possible to build nginx on AIX 7.1.
NetBSD 5.0+ has SO_ACCEPTFILTER support merged from FreeBSD, and having
accept filter check in FreeBSD-specific ngx_freebsd_config.h prevents it
from being used on NetBSD. Therefore move the check into configure (and
do the same for Linux-specific TCP_DEFER_ACCEPT, just to be in line).
At least Sun Studio 12 has problems with bit-fields exposed by nginx code
(caught by test suite). They seems to be fixed in Sun Studio 12.1. As a
workaround use "-fast -xalias_level=any" for older versions, it resolves
the problem.
Catch up with new Linux version numbering scheme as announced at [1] and
suppress unrecognized versions to actually use default 0.
[1] https://lkml.org/lkml/2011/5/29/204
This configure test must run before auto/make, because it adds library.
auto/unix was placed after auto/make just for historical reasons.
Patch by Denis F. Latypoff
Solaris strerror() invalid error code behaviour depends on version:
Solaris 10 returns "Unknown error" and sets errno to EINVAL,
Solaris 9 returns "Unknown error" and leaves errno intact,
Solaris 2 returns NULL.
