aboutsummaryrefslogtreecommitdiff
path: root/src
Commit message (Collapse)AuthorAge
...
| * | | | | | | | | | | QUIC: update stream flow control credit on STREAM_DATA_BLOCKED.Roman Arutyunyan2021-11-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, after receiving STREAM_DATA_BLOCKED, current flow control limit was sent to client. Now, if the limit can be updated to the full window size, it is updated and the new value is sent to client, otherwise nothing is sent. The change lets client update flow control credit on demand. Also, it saves traffic by not sending MAX_STREAM_DATA with the same value twice.
| * | | | | | | | | | | HTTP/3: fixed compilation with QUIC, but without HTTP/3.Roman Arutyunyan2021-11-17
| | | | | | | | | | | |
| * | | | | | | | | | | QUIC: reject streams which we could not create.Roman Arutyunyan2021-11-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The reasons why a stream may not be created by server currently include hitting worker_connections limit and memory allocation error. Previously in these cases the entire QUIC connection was closed and all its streams were shut down. Now the new stream is rejected and existing streams continue working. To reject an HTTP/3 request stream, RESET_STREAM and STOP_SENDING with H3_REQUEST_REJECTED error code are sent to client. HTTP/3 uni streams and Stream streams are not rejected.
| * | | | | | | | | | | QUIC: stop processing new client streams at the closing state.Sergey Kandaurov2021-11-12
| | | | | | | | | | | |
| * | | | | | | | | | | HTTP/3: send Stream Cancellation instruction.Roman Arutyunyan2021-10-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As per quic-qpack-21: When a stream is reset or reading is abandoned, the decoder emits a Stream Cancellation instruction. Previously the instruction was not sent. Now it's sent when closing QUIC stream connection if dynamic table capacity is non-zero and eof was not received from client. The latter condition means that a trailers section may still be on its way from client and the stream needs to be cancelled.
| * | | | | | | | | | | HTTP/3: allowed QUIC stream connection reuse.Roman Arutyunyan2021-10-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A QUIC stream connection is treated as reusable until first bytes of request arrive, which is also when the request object is now allocated. A connection closed as a result of draining, is reset with the error code H3_REQUEST_REJECTED. Such behavior is allowed by quic-http-34: Once a request stream has been opened, the request MAY be cancelled by either endpoint. Clients cancel requests if the response is no longer of interest; servers cancel requests if they are unable to or choose not to respond. When the server cancels a request without performing any application processing, the request is considered "rejected." The server SHOULD abort its response stream with the error code H3_REQUEST_REJECTED. The client can treat requests rejected by the server as though they had never been sent at all, thereby allowing them to be retried later.
| * | | | | | | | | | | HTTP/3: adjusted QUIC connection finalization.Roman Arutyunyan2021-10-18
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | When an HTTP/3 function returns an error in context of a QUIC stream, it's this function's responsibility now to finalize the entire QUIC connection with the right code, if required. Previously, QUIC connection finalization could be done both outside and inside such functions. The new rule follows a similar rule for logging, leads to cleaner code, and allows to provide more details about the error. While here, a few error cases are no longer treated as fatal and QUIC connection is no longer finalized in these cases. A few other cases now lead to stream reset instead of connection finalization.
| * | | | | | | | | | | QUIC: fixed PATH_RESPONSE frame expansion.Vladimir Homutov2021-11-11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The PATH_RESPONSE frame must be expanded to 1200, except the case when anti-amplification limit is in effect, i.e. on unvalidated paths. Previously, the anti-amplification limit was always applied.
| * | | | | | | | | | | QUIC: removed ngx_quic_error_text() declaration.Vladimir Homutov2021-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This is a leftover from cab3b7a070ef.
| * | | | | | | | | | | QUIC: fixed GSO packets count.Vladimir Homutov2021-11-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Thanks to Andrey Kolyshkin <a.kolyshkin@corp.vk.com>
| * | | | | | | | | | | QUIC: removed dead code.Vladimir Homutov2021-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The function is no longer used since b3d9e57d0f62.
| * | | | | | | | | | | QUIC: converted client_tp_done to bitfield.Vladimir Homutov2021-11-08
| | | | | | | | | | | |
| * | | | | | | | | | | QUIC: fixed removal of unused client IDs.Vladimir Homutov2021-10-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If client ID was never used, its refcount is zero. To keep things simple, the ngx_quic_unref_client_id() function is now aware of such IDs. If client ID was used, the ngx_quic_replace_retired_client_id() function is supposed to find all users and unref the ID, thus ngx_quic_unref_client_id() should not be called after it.
| * | | | | | | | | | | QUIC: connections with wrong ALPN protocols are now rejected.Vladimir Homutov2021-11-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, it was not enforced in the stream module. Now, since b9e02e9b2f1d it is possible to specify protocols. Since ALPN is always required, the 'require_alpn' setting is now obsolete.
| * | | | | | | | | | | QUIC: refactored packet creation.Vladimir Homutov2021-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The "min" and "max" arguments refer to UDP datagram size. Generating payload requires to account properly for header size, which is variable and depends on payload size and packet number.
| * | | | | | | | | | | QUIC: removed unused argument in ngx_quic_create_short_header().Vladimir Homutov2021-10-07
| | | | | | | | | | | |
| * | | | | | | | | | | QUIC: added function to initialize packet.Vladimir Homutov2021-09-30
| | | | | | | | | | | |
| * | | | | | | | | | | QUIC: fixed processing of minimum packet size.Vladimir Homutov2021-10-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | If packet needs to be expanded (for example Initial to 1200 bytes), but path limit is less, such packet should not be created/sent.
| * | | | | | | | | | | QUIC: added shutdown support in stream proxy.Vladimir Homutov2021-09-23
| | | | | | | | | | | |
| * | | | | | | | | | | Merged with the default branch.Sergey Kandaurov2021-11-03
| |\ \ \ \ \ \ \ \ \ \ \
| * | | | | | | | | | | | QUIC: style.Sergey Kandaurov2021-10-26
| | | | | | | | | | | | |
| * | | | | | | | | | | | QUIC: speeding up processing 0-RTT.Sergey Kandaurov2021-10-26
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After fe919fd63b0b, processing QUIC streams was postponed until after handshake completion, which means that 0-RTT is effectively off. With ssl_ocsp enabled, it could be further delayed. This differs from how OCSP validation works with SSL_read_early_data(). With this change, processing QUIC streams is unlocked when obtaining 0-RTT secret.
| * | | | | | | | | | | | QUIC: refactored OCSP validation in preparation for 0-RTT support.Sergey Kandaurov2021-10-26
| | | | | | | | | | | | |
| * | | | | | | | | | | | QUIC: switched to integer arithmetic in rtt calculations.Vladimir Homutov2021-10-19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | RFC 9002 uses constants implying effective implementation, i.e. using bit shift operations instead of floating point.
| * | | | | | | | | | | | QUIC: optimized ack range processing.Vladimir Homutov2021-10-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The sent queue is sorted by packet number. It is possible to avoid traversing full queue while handling ack ranges. It makes sense to start traversing from the queue head (i.e. check oldest packets first).
| * | | | | | | | | | | | QUIC: limited the total number of frames.Roman Arutyunyan2021-10-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Exceeding 10000 allocated frames is considered a flood.
| * | | | | | | | | | | | QUIC: traffic-based flood detection.Roman Arutyunyan2021-10-13
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With this patch, all traffic over a QUIC connection is compared to traffic over QUIC streams. As long as total traffic is many times larger than stream traffic, we consider this to be a flood.
| * | | | | | | | | | | | HTTP/3: traffic-based flood detection.Roman Arutyunyan2021-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With this patch, all traffic over HTTP/3 bidi and uni streams is counted in the h3c->total_bytes field, and payload traffic is counted in the h3c->payload_bytes field. As long as total traffic is many times larger than payload traffic, we consider this to be a flood. Request header traffic is counted as if all fields are literal. Response header traffic is counted as is.
| * | | | | | | | | | | | HTTP/3: fixed request length calculation.Roman Arutyunyan2021-10-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously, when request was blocked, r->request_length was not updated.
| * | | | | | | | | | | | HTTP/3: removed client-side encoder support.Roman Arutyunyan2021-10-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Dynamic tables are not used when generating responses anyway.
| * | | | | | | | | | | | QUIC: attempt decrypt before checking for stateless reset.Martin Duke2021-10-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Checking the reset after encryption avoids false positives. More importantly, it avoids the check entirely in the usual case where decryption succeeds. RFC 9000, 10.3.1 Detecting a Stateless Reset Endpoints MAY skip this check if any packet from a datagram is successfully processed.
| * | | | | | | | | | | | QUIC: Check if CID has been used in stateless reset checkMartin Duke2021-10-12
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Section 10.3.1 of RFC9000 requires this check.
| * | | | | | | | | | | | QUIC: send RESET_STREAM in response to STOP_SENDING.Roman Arutyunyan2021-09-21
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | As per RFC 9000: An endpoint that receives a STOP_SENDING frame MUST send a RESET_STREAM frame if the stream is in the "Ready" or "Send" state. An endpoint SHOULD copy the error code from the STOP_SENDING frame to the RESET_STREAM frame it sends, but it can use any application error code.
| * | | | | | | | | | | | QUIC: reset stream only once.Roman Arutyunyan2021-09-22
| | | | | | | | | | | | |
| * | | | | | | | | | | | HTTP/3: reset streams with incomplete responses or timeouts.Roman Arutyunyan2021-09-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This prevents client from closing the QUIC connection due to response parse error.
| * | | | | | | | | | | | Added r->response_sent flag.Roman Arutyunyan2021-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The flag indicates that the entire response was sent to the socket up to the last_buf flag. The flag is only usable for protocol implementations that call ngx_http_write_filter() from header filter, such as HTTP/1.x and HTTP/3.
| * | | | | | | | | | | | Stream: fixed segfault when using SSL certificates with variables.Sergey Kandaurov2021-09-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Similar to the previous change, a segmentation fault occurres when evaluating SSL certificates on a QUIC connection due to an uninitialized stream session. The fix is to adjust initializing the QUIC part of a connection until after it has session and variables initialized. Similarly, this appends logging error context for QUIC connections: - client 127.0.0.1:54749 connected to 127.0.0.1:8880 while handling frames - quic client timed out (60: Operation timed out) while handling quic input
| * | | | | | | | | | | | HTTP/3: fixed segfault when using SSL certificates with variables.Sergey Kandaurov2021-09-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | A QUIC connection doesn't have c->log->data and friends initialized to sensible values. Yet, a request can be created in the certificate callback with such an assumption, which leads to a segmentation fault due to null pointer dereference in ngx_http_free_request(). The fix is to adjust initializing the QUIC part of a connection such that it has all of that in place. Further, this appends logging error context for unsuccessful QUIC handshakes: - cannot load certificate .. while handling frames - SSL_do_handshake() failed .. while sending frames
| * | | | | | | | | | | | Stream: detect "listen .. quic" without TLSv1.3.Sergey Kandaurov2021-09-29
| | | | | | | | | | | | |
| * | | | | | | | | | | | Fixed mismerge of ssl_reject_handshake in 71b7453fb11f.Sergey Kandaurov2021-09-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | In particular, this fixes rejecting "listen .. quic|http3" configurations without TLSv1.3 configured.
| * | | | | | | | | | | | HTTP/3: fixed server push after ea9b645472b5.Sergey Kandaurov2021-09-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Unlike in HTTP/2, both "host" and ":authority" reside in r->headers_in.server.
| * | | | | | | | | | | | QUIC: moved a variable initialization near to its use.Sergey Kandaurov2021-09-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This tends to produce slightly more optimal code with pos == NULL when built with Clang on low optimization levels. Spotted by Ruslan Ermilov.
| * | | | | | | | | | | | Configure: check for QUIC 0-RTT support at compile time.Ruslan Ermilov2021-09-27
| | | | | | | | | | | | |
| * | | | | | | | | | | | HTTP/3: fixed null pointer dereference with server push.Sergey Kandaurov2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | See details for HTTP/2 fix in 8b0553239592 for a complete description.
| * | | | | | | | | | | | HTTP/3: fixed ngx_stat_active counter.Roman Arutyunyan2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously the counter was not incremented for HTTP/3 streams, but still decremented in ngx_http_close_connection(). There are two solutions here, one is to increment the counter for HTTP/3 streams, and the other one is not to decrement the counter for HTTP/3 streams. The latter solution looks inconsistent with ngx_stat_reading/ngx_stat_writing, which are incremented on a per-request basis. The change adds ngx_stat_active increment for HTTP/3 request and push streams.
| * | | | | | | | | | | | HTTP/3: fixed pushed request finalization in case of error.Roman Arutyunyan2021-09-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Previously request could be finalized twice. For example, this could happen if "Host" header was invalid.
| * | | | | | | | | | | | QUIC: set NGX_TCP_NODELAY_DISABLED for fake stream connections.Sergey Kandaurov2021-09-22
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Notably, it is to avoid setting the TCP_NODELAY flag for QUIC streams in ngx_http_upstream_send_response(). It is an invalid operation on inherently SOCK_DGRAM sockets, which leads to QUIC connection close. The change reduces diff to the default branch in stream content phase.
| * | | | | | | | | | | | QUIC: simplified stream fd initialization.Roman Arutyunyan2021-09-21
| | | | | | | | | | | | |
| * | | | | | | | | | | | HTTP/3: make ngx_http_log_error() static again.Roman Arutyunyan2021-09-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This function was only referenced from ngx_http_v3_create_push_request() to initialize push connection log. Now the log handler is copied from the parent request connection. The change reduces diff to the default branch.
| * | | | | | | | | | | | QUIC: separate event handling functions.Roman Arutyunyan2021-09-09
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The functions ngx_quic_handle_read_event() and ngx_quic_handle_write_event() are added. Previously this code was a part of ngx_handle_read_event() and ngx_handle_write_event(). The change simplifies ngx_handle_read_event() and ngx_handle_write_event() by moving QUIC-related code to a QUIC source file.
generated by cgit v1.2.3 (git 2.25.1) at 2025-05-24 00:29:18 +0000