Index: head/www/nginx-devel/Makefile
===================================================================
--- head/www/nginx-devel/Makefile (revision 566095)
+++ head/www/nginx-devel/Makefile (revision 566096)
@@ -1,378 +1,375 @@ # Created by: Sergey A. Osokin # $FreeBSD$ PORTNAME?= nginx PORTVERSION= 1.19.7 +PORTREVISION= 1 CATEGORIES= www MASTER_SITES= https://nginx.org/download/ \ LOCAL/osa PKGNAMESUFFIX?= -devel DISTFILES= ${DISTNAME}${EXTRACT_SUFX} MAINTAINER?= osa@FreeBSD.org COMMENT?= Robust and small WWW server LICENSE?= BSD2CLAUSE LICENSE_FILE?= ${WRKSRC}/LICENSE CONFLICTS_INSTALL= nginx PORTSCOUT= limit:^1\.19\.[0-9]* USES= cpe CPE_VENDOR= nginx CPE_PRODUCT= nginx USE_GITHUB= nodefault NGINX_VARDIR?= /var NGINX_LOGDIR?= ${NGINX_VARDIR}/log/nginx NGINX_RUNDIR?= ${NGINX_VARDIR}/run NGINX_TMPDIR?= ${NGINX_VARDIR}/tmp/nginx HTTP_PORT?= 80 NGINX_ACCESSLOG?= ${NGINX_LOGDIR}/access.log NGINX_ERRORLOG?= ${NGINX_LOGDIR}/error.log CONFLICTS?= nginx-1.* \ nginx-full-1.* \ nginx-lite-1.* \ nginx-naxsi-1.* USE_RC_SUBR?= nginx SUB_FILES?= pkg-message SUB_LIST+= WWWOWN=${WWWOWN} \ WWWGRP=${WWWGRP} \ NGINX_RUNDIR=${NGINX_RUNDIR} \ NGINX_TMPDIR=${NGINX_TMPDIR} \ PREFIX=${PREFIX} HAS_CONFIGURE= yes CONFIGURE_ARGS+=--prefix=${ETCDIR} \ --with-cc-opt="-I ${LOCALBASE}/include" \ --with-ld-opt="-L ${LOCALBASE}/lib" \ --conf-path=${ETCDIR}/nginx.conf \ --sbin-path=${PREFIX}/sbin/nginx \ --pid-path=${NGINX_RUNDIR}/nginx.pid \ --error-log-path=${NGINX_ERRORLOG} \ --user=${WWWOWN} --group=${WWWGRP} \ --with-compat ALL_TARGET= PLIST_SUB+= NGINX_TMPDIR=${NGINX_TMPDIR} NGINX_LOGDIR=${NGINX_LOGDIR} WWWOWN=${WWWOWN} WWWGRP=${WWWGRP} USERS?= ${WWWOWN} GROUPS?=${WWWGRP} NO_OPTIONS_SORT= yes OPTIONS_GROUP= HTTPGRP MAILGRP STREAMGRP # Modules that are part of the base nginx distribution OPTIONS_GROUP_HTTPGRP= GOOGLE_PERFTOOLS HTTP HTTP_ADDITION HTTP_AUTH_REQ \ HTTP_CACHE HTTP_DAV HTTP_DEGRADATION HTTP_FLV HTTP_GUNZIP_FILTER \ HTTP_GZIP_STATIC HTTP_IMAGE_FILTER HTTP_MP4 HTTP_PERL \ HTTP_RANDOM_INDEX HTTP_REALIP HTTP_REWRITE HTTP_SECURE_LINK \ HTTP_SLICE HTTP_SSL HTTP_STATUS HTTP_SUB HTTP_XSLT HTTPV2 OPTIONS_GROUP_MAILGRP= MAIL MAIL_IMAP MAIL_POP3 MAIL_SMTP MAIL_SSL OPTIONS_GROUP_STREAMGRP= STREAM 
STREAM_REALIP STREAM_SSL \ STREAM_SSL_PREREAD # External modules (arrayvar MUST appear after devel_kit for build-dep) OPTIONS_GROUP_HTTPGRP+= AJP AWS_AUTH BROTLI CACHE_PURGE CLOJURE COOKIE_FLAG CT \ DEVEL_KIT ARRAYVAR DRIZZLE DYNAMIC_HC DYNAMIC_UPSTREAM ECHO ENCRYPTSESSION \ FORMINPUT GRIDFS HEADERS_MORE HTTP_ACCEPT_LANGUAGE HTTP_AUTH_DIGEST \ HTTP_AUTH_KRB5 HTTP_AUTH_LDAP HTTP_AUTH_PAM HTTP_DAV_EXT HTTP_EVAL \ HTTP_FANCYINDEX HTTP_FOOTER HTTP_GEOIP2 HTTP_IP2LOCATION HTTP_IP2PROXY \ HTTP_JSON_STATUS HTTP_MOGILEFS HTTP_MP4_H264 HTTP_NOTICE HTTP_PUSH \ HTTP_PUSH_STREAM HTTP_REDIS HTTP_RESPONSE HTTP_SLICE_AHEAD \ HTTP_SUBS_FILTER HTTP_TARANTOOL HTTP_UPLOAD HTTP_UPLOAD_PROGRESS \ HTTP_UPSTREAM_CHECK HTTP_UPSTREAM_FAIR HTTP_UPSTREAM_STICKY \ HTTP_VIDEO_THUMBEXTRACTOR HTTP_ZIP ICONV LET LINK LUA MEMC \ MODSECURITY3 NAXSI OPENTRACING PASSENGER POSTGRES RDS_CSV RDS_JSON \ REDIS2 RTMP SET_MISC SFLOW SHIBBOLETH SLOWFS_CACHE SMALL_LIGHT SRCACHE \ VOD VTS XSS WEBSOCKIFY OPTIONS_DEFINE= DEBUG DEBUGLOG DSO FILE_AIO IPV6 KTLS NJS THREADS WWW OPTIONS_DEFAULT?= DSO FILE_AIO HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE \ HTTP_DAV HTTP_FLV HTTP_GUNZIP_FILTER HTTP_GZIP_STATIC \ HTTP_MP4 HTTP_RANDOM_INDEX HTTP_REALIP HTTP_REWRITE \ HTTP_SECURE_LINK HTTP_SLICE HTTP_SSL HTTP_STATUS \ HTTP_SUB HTTPV2 MAIL MAIL_SSL STREAM STREAM_REALIP \ STREAM_SSL STREAM_SSL_PREREAD THREADS WWW OPTIONS_EXCLUDE=${${OSVERSION} < 1300042:?KTLS:} OPTIONS_RADIO+= GSSAPI OPTIONS_RADIO_GSSAPI= GSSAPI_HEIMDAL GSSAPI_MIT GSSAPI_HEIMDAL_USES= gssapi:heimdal,flags GSSAPI_MIT_USES= gssapi:mit OPTIONS_SUB= yes .include "Makefile.options.desc" .for opt in ${OPTIONS_GROUP_MAILGRP:NMAIL} ${opt}_IMPLIES= MAIL .endfor .for opt in ${OPTIONS_GROUP_HTTPGRP:NHTTP} WWW ${opt}_IMPLIES= HTTP .endfor .for opt in ${OPTIONS_GROUP_STREAMGRP:NSTREAM} ${opt}_IMPLIES= STREAM .endfor GSSAPI_HEIMDAL_IMPLIES= HTTP_AUTH_KRB5 GSSAPI_MIT_IMPLIES= HTTP_AUTH_KRB5 # If the target is makesum, make sure that every distfile is fetched. 
.if ${.TARGETS:Mmakesum} OPTIONS_DEFAULT= ${OPTIONS_DEFINE} ${OPTIONS_GROUP_HTTP} \ ${OPTIONS_GROUP_MAIL} ${OPTIONS_GROUP_STREAM} .endif # Non-module options handling DEBUG_CFLAGS= -g DEBUG_VARS= STRIP=#do not strip if nginx with debug information DEBUGLOG_CONFIGURE_ON= --with-debug DSO_CONFIGURE_ON= --modules-path=${MODULESDIR} DSO_VARS= MODULESDIR=${PREFIX}/libexec/${PORTNAME} FILE_AIO_CONFIGURE_ON= --with-file-aio IPV6_CONFIGURE_OFF= --with-cc-opt="-DNGX_HAVE_INET6=0 -I ${LOCALBASE}/include" THREADS_CONFIGURE_ON= --with-threads # Bundled modules GOOGLE_PERFTOOLS_LIB_DEPENDS= libprofiler.so:devel/google-perftools GOOGLE_PERFTOOLS_CONFIGURE_ON= --with-google_perftools_module HTTP_CONFIGURE_ON= --http-client-body-temp-path=${NGINX_TMPDIR}/client_body_temp \ --http-fastcgi-temp-path=${NGINX_TMPDIR}/fastcgi_temp \ --http-proxy-temp-path=${NGINX_TMPDIR}/proxy_temp \ --http-scgi-temp-path=${NGINX_TMPDIR}/scgi_temp \ --http-uwsgi-temp-path=${NGINX_TMPDIR}/uwsgi_temp \ --http-log-path=${NGINX_ACCESSLOG} HTTP_CONFIGURE_OFF= --without-http HTTP_ADDITION_CONFIGURE_ON= --with-http_addition_module HTTP_AUTH_REQ_CONFIGURE_ON= --with-http_auth_request_module HTTP_CACHE_CONFIGURE_OFF= --without-http-cache HTTP_DAV_CONFIGURE_ON= --with-http_dav_module HTTP_DEGRADATION_CONFIGURE_ON= --with-http_degradation_module HTTP_FLV_CONFIGURE_ON= --with-http_flv_module HTTP_GZIP_STATIC_CONFIGURE_ON= --with-http_gzip_static_module HTTP_GUNZIP_FILTER_CONFIGURE_ON=--with-http_gunzip_module HTTP_IMAGE_FILTER_LIB_DEPENDS= libgd.so:graphics/gd HTTP_IMAGE_FILTER_VARS= DSO_BASEMODS+=http_image_filter_module HTTP_MP4_CONFIGURE_ON= --with-http_mp4_module HTTP_PERL_CATEGORIES= perl5 HTTP_PERL_USES= perl5 HTTP_PERL_VARS= DSO_BASEMODS+=http_perl_module HTTP_RANDOM_INDEX_CONFIGURE_ON= --with-http_random_index_module HTTP_REALIP_CONFIGURE_ON= --with-http_realip_module HTTP_REWRITE_LIB_DEPENDS= libpcre.so:devel/pcre HTTP_REWRITE_CONFIGURE_ON= --with-pcre HTTP_REWRITE_CONFIGURE_OFF= 
--without-http_rewrite_module HTTP_SECURE_LINK_CONFIGURE_ON= --with-http_secure_link_module HTTP_SLICE_CONFIGURE_ON= --with-http_slice_module HTTP_SSL_CONFIGURE_ON= --with-http_ssl_module HTTP_SSL_USES= ssl HTTP_STATUS_CONFIGURE_ON= --with-http_stub_status_module HTTP_SUB_CONFIGURE_ON= --with-http_sub_module HTTP_XSLT_USES= gnome HTTP_XSLT_USE= GNOME=libxml2,libxslt HTTP_XSLT_VARS= DSO_BASEMODS+=http_xslt_module HTTPV2_IMPLIES= HTTP_SSL HTTPV2_CONFIGURE_ON= --with-http_v2_module KTLS_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-ktls:-p1 MAIL_VARS= DSO_BASEMODS+=mail MAIL_IMAP_CONFIGURE_OFF= --without-mail_imap_module MAIL_POP3_CONFIGURE_OFF= --without-mail_pop3_module MAIL_SMTP_CONFIGURE_OFF= --without-mail_smtp_module MAIL_SSL_USES= ssl MAIL_SSL_CONFIGURE_ON= --with-mail_ssl_module STREAM_VARS= DSO_BASEMODS+=stream STREAM_REALIP_CONFIGURE_ON= --with-stream_realip_module STREAM_SSL_USES= ssl STREAM_SSL_CONFIGURE_ON= --with-stream_ssl_module STREAM_SSL_PREREAD_CONFIGURE_ON=--with-stream_ssl_preread_module ### External modules .include "Makefile.extmod" .include .if ${PORT_OPTIONS:MDSO} _addbasemod= =dynamic _addextmod= add-dynamic-module .else _addextmod= add-module .endif .for mod in ${DSO_BASEMODS} CONFIGURE_ARGS+= --with-${mod}${_addbasemod} .endfor # Some modules depend on other being there before, for example, devel_kit needs # to be there before a few other. .for mod in ${FIRST_DSO_EXTMODS} CONFIGURE_ARGS+= --${_addextmod}=${WRKSRC_${mod}}${${mod:tu}_SUBDIR} .endfor .for mod in ${DSO_EXTMODS} CONFIGURE_ARGS+= --${_addextmod}=${WRKSRC_${mod}}${${mod:tu}_SUBDIR} .endfor # For non-GitHub hosted modules .for moddir in ${DSO_EXTDIRS} CONFIGURE_ARGS+= --${_addextmod}=${WRKDIR}/${moddir} .endfor .if empty(PORT_OPTIONS:MHTTP) && empty(PORT_OPTIONS:MMAIL) IGNORE= requires at least HTTP or MAIL to \ be defined. 
Please do 'make config' again .endif .if !${PORT_OPTIONS:MHTTP_REWRITE} && !defined(USE_HTTP_REWRITE) PKGNAMESUFFIX:= ${PKGNAMESUFFIX}-nopcre -.endif - -.if ${PORT_OPTIONS:MKTLS} -CFLAGS+= -DNGX_SSL_SENDFILE .endif .if ${PORT_OPTIONS:MPASSENGER} && empty(PORT_OPTIONS:MDEBUG) CONFIGURE_ENV+= OPTIMIZE="yes" CFLAGS+= -DNDEBUG .endif pre-everything:: @${ECHO_MSG} .if ${PORT_OPTIONS:MHTTP_UPSTREAM_FAIR} @${ECHO_MSG} "Enable http_ssl module to build upstream_fair with SSL support" .endif .if ${PORT_OPTIONS:MPASSENGER} @${ECHO_MSG} "This port install Passenger module only" .endif @${ECHO_MSG} post-extract-GRIDFS-on: @${RMDIR} ${WRKSRC_gridfs}/mongo-c-driver/ @${MV} ${WRKSRC_mongo_c} ${WRKSRC_gridfs}/mongo-c-driver post-patch: @${REINPLACE_CMD} 's!%%HTTP_PORT%%!${HTTP_PORT}!; \ s!%%PREFIX%%!${PREFIX}!; \ s!%%NGINX_ERRORLOG%%!${NGINX_ERRORLOG}!' \ ${WRKSRC}/conf/nginx.conf post-patch-BROTLI-on: @${REINPLACE_CMD} -E 's!^brotli=.*!brotli="${LOCALBASE}"!' ${WRKSRC_brotli}/config post-patch-DRIZZLE-on: @${REINPLACE_CMD} 's!%%PREFIX%%!${LOCALBASE}!g' ${WRKSRC_drizzle}/config post-patch-FASTDFS-on: @${REINPLACE_CMD} \ 's!%%PREFIX%%!${PREFIX}!g;s!%%LOCALBASE%%!${LOCALBASE}!g' \ ${WRKSRC_fastdfs}/src/config # Respect CFLAGS by remove needless --std=c99 flag post-patch-GRIDFS-on: @${REINPLACE_CMD} 's!--std=c99!-DMONGO_HAVE_STDINT!' ${WRKSRC_gridfs}/config post-patch-HTTP_AUTH_KRB5-on: @${REINPLACE_CMD} 's!%%GSSAPILIBS%%!${GSSAPILIBS}!g; \ s!%%GSSAPIINCDIR%%!${GSSAPIINCDIR}!g; \ s!%%GSSAPILIBDIR%%!${GSSAPILIBDIR}!g' ${WRKSRC_auth_krb5}/config post-patch-HTTP_TARANTOOL-on: @${REINPLACE_CMD} 's!%%PREFIX%%!${LOCALBASE}!g' ${WRKSRC_nginx_tarantool}/config # linker error acquire if --std=c99 defined, add "static" to inline function post-patch-HTTP_ZIP-on: @${REINPLACE_CMD} \ 's!^inline!static inline!' 
\ ${WRKSRC_mod_zip}/ngx_http_zip_parsers.* post-patch-ICONV-on: @${REINPLACE_CMD} 's!%%PREFIX%%!${LOCALBASE}!g' ${WRKSRC_iconv}/config post-patch-PASSENGER-on: @${REINPLACE_CMD} \ '177,179s!true!false!' \ ${WRKSRC_PASSENGER}/build/basics.rb @${REINPLACE_CMD} \ 's!-I/usr/include/libev!!; \ s!-lev!!; \ s!-Iext/libev!!; \ s!-I/usr/include/libeio!!; \ s!-leio!!; \ s!-Iext/libeio!!' \ ${WRKSRC_PASSENGER}/build/common_library.rb post-patch-POSTGRES-on: @${REINPLACE_CMD} 's!%%PREFIX%%!${LOCALBASE}!g' ${WRKSRC_postgres}/config post-patch-SFLOW-on: @${REINPLACE_CMD} \ 's!%%PREFIX%%!${LOCALBASE}!g' \ ${WRKSRC_sflow}/ngx_http_sflow_config.h post-patch-VOD-on: @${REINPLACE_CMD} \ 's!%%PREFIX%%!${LOCALBASE}!g' \ ${WRKSRC_vod}/config pre-configure-SMALL_LIGHT-on: ( cd ${WRKSRC_small_light} && ./setup ) .if !target(do-install) do-install: ${MKDIR} ${STAGEDIR}${ETCDIR} ${MKDIR} ${STAGEDIR}${NGINX_TMPDIR} ${MKDIR} ${STAGEDIR}${NGINX_LOGDIR} ${INSTALL_PROGRAM} ${WRKSRC}/objs/nginx ${STAGEDIR}${PREFIX}/sbin .for i in koi-utf koi-win win-utf ${INSTALL_DATA} ${WRKSRC}/conf/${i} ${STAGEDIR}${ETCDIR} .endfor .for i in fastcgi_params mime.types scgi_params uwsgi_params ${INSTALL_DATA} ${WRKSRC}/conf/${i} ${STAGEDIR}${ETCDIR}/${i}-dist .endfor do-install-HTTP_PERL-on: ${MKDIR} ${STAGEDIR}${PREFIX}/${SITE_ARCH_REL}/auto/nginx ${INSTALL_PROGRAM} ${WRKSRC}/objs/src/http/modules/perl/blib/arch/auto/nginx/nginx.so \ ${STAGEDIR}${PREFIX}/${SITE_ARCH_REL}/auto/nginx ${INSTALL_DATA} ${WRKSRC}/objs/src/http/modules/perl/blib/lib/nginx.pm \ ${STAGEDIR}${PREFIX}/${SITE_ARCH_REL}/ # Install dynamic modules do-install-DSO-on: ${MKDIR} ${STAGEDIR}${MODULESDIR} (cd ${WRKSRC}/objs/ && ${FIND} . 
-name '*.so' -maxdepth 1 -type f \ -exec ${INSTALL_PROGRAM} {} ${STAGEDIR}${MODULESDIR} \;) do-install-LINK-on: ${INSTALL_DATA} ${WRKSRC_link}/src/ngx_link_func_module.h ${STAGEDIR}${PREFIX}/include do-install-NAXSI-on: ${INSTALL_DATA} \ ${WRKDIR}/naxsi-${NAXSI_NGINX_VER}/naxsi_config/naxsi_core.rules \ ${STAGEDIR}${ETCDIR} do-install-NJS-on: ${INSTALL_PROGRAM} ${WRKSRC_njs}/build/njs ${STAGEDIR}${PREFIX}/sbin .endif .if !target(post-install) post-install: ${MKDIR} ${STAGEDIR}${PREFIX}/share/vim/vimfiles cd ${WRKSRC}/contrib/vim && ${COPYTREE_SHARE} . ${STAGEDIR}${PREFIX}/share/vim/vimfiles ${INSTALL_MAN} ${WRKSRC}/objs/nginx.8 ${STAGEDIR}${MAN8PREFIX}/share/man/man8 ${CAT} ${WRKSRC}/conf/nginx.conf >> ${STAGEDIR}${ETCDIR}/nginx.conf-dist post-install-WWW-on: ${MKDIR} ${STAGEDIR}${PREFIX}/www/nginx-dist (cd ${WRKSRC}/html && ${COPYTREE_SHARE} . ${STAGEDIR}${PREFIX}/www/nginx-dist && \ ${TOUCH} ${STAGEDIR}${PREFIX}/www/nginx-dist/EXAMPLE_DIRECTORY-DONT_ADD_OR_TOUCH_ANYTHING) .endif .include Index: head/www/nginx-devel/files/extra-patch-ktls =================================================================== --- head/www/nginx-devel/files/extra-patch-ktls (revision 566095) +++ head/www/nginx-devel/files/extra-patch-ktls (revision 566096) 
@@ -1,683 +1,312 @@ -diff --git a/src/core/ngx_log.h b/src/core/ngx_log.h -index afb73bf..4c6e9c2 100644 ---- a/src/core/ngx_log.h -+++ b/src/core/ngx_log.h -@@ -30,6 +30,7 @@ - #define NGX_LOG_DEBUG_HTTP 0x100 - #define NGX_LOG_DEBUG_MAIL 0x200 - #define NGX_LOG_DEBUG_STREAM 0x400 -+#define NGX_LOG_DEBUG_SSL 0x800 +From 11ad5d15c487ecc0a37f9747bb4bfa5bb96893c1 Mon Sep 17 00:00:00 2001 +From: John Baldwin +Date: Thu, 22 Aug 2019 12:18:32 -0700 +Subject: [PATCH] Add support for using SSL_sendfile from OpenSSL. + +This uses kernel TLS on systems supported by OpenSSL to send +files via sendfile() over TLS connections. +--- + auto/lib/openssl/conf | 8 ++ + src/event/ngx_event_openssl.c | 172 ++++++++++++++++++++++++++++++++++ + src/event/ngx_event_openssl.h | 7 ++ + src/http/ngx_http_request.c | 14 ++- + src/http/ngx_http_upstream.c | 5 + + 5 files changed, 203 insertions(+), 3 deletions(-) + +diff --git a/auto/lib/openssl/conf b/auto/lib/openssl/conf +index 4fb52df7fe..c4772248ae 100644 +--- a/auto/lib/openssl/conf ++++ b/auto/lib/openssl/conf +@@ -123,6 +123,14 @@ else + CORE_INCS="$CORE_INCS $ngx_feature_path" + CORE_LIBS="$CORE_LIBS $ngx_feature_libs" + OPENSSL=YES ++ ++ ngx_feature="SSL_sendfile()" ++ ngx_feature_name="NGX_SSL_SENDFILE" ++ ngx_feature_run=no ++ ngx_feature_test="SSL *ssl; ++ (void)BIO_get_ktls_send(SSL_get_wbio(ssl)); ++ SSL_sendfile(ssl, -1, 0, 0, 0);" ++ . auto/feature + fi + fi - /* - * do not forget to update debug_levels[] in src/core/ngx_log.c diff --git a/src/event/ngx_event_openssl.c b/src/event/ngx_event_openssl.c -index 2eef87e..7aa23c6 100644 +index 93a6ae46ea..04759827fc 100644 --- a/src/event/ngx_event_openssl.c +++ b/src/event/ngx_event_openssl.c 
@@ -52,6 +52,10 @@ static void ngx_ssl_shutdown_handler(ngx_event_t *ev); static void ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err, char *text); static void ngx_ssl_clear_error(ngx_log_t *log); +#if (NGX_SSL_SENDFILE) +static ssize_t ngx_ssl_sendfile(ngx_connection_t *c, int fd, off_t off, + size_t size, int flags); +#endif static ngx_int_t ngx_ssl_session_id_context(ngx_ssl_t *ssl, ngx_str_t *sess_ctx, ngx_array_t *certificates); -@@ -1024,7 +1028,7 @@ ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store) - iname = X509_get_issuer_name(cert); - issuer = iname ? X509_NAME_oneline(iname, NULL, 0) : "(none)"; - -- ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug5(NGX_LOG_DEBUG_SSL, c->log, 0, - "verify:%d, error:%d, depth:%d, " - "subject:\"%s\", issuer:\"%s\"", - ok, err, depth, subject, issuer); -@@ -1057,7 +1061,7 @@ ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where, int ret) - - if (c->ssl->handshaked) { - c->ssl->renegotiation = 1; -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL renegotiation"); -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL renegotiation"); - } - } - -@@ -1693,7 +1697,7 @@ ngx_ssl_handshake(ngx_connection_t *c) - - n = SSL_do_handshake(c->ssl->connection); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_do_handshake: %d", n); - - if (n == 1) { - 
@@ -1712,7 +1716,11 @@ ngx_ssl_handshake(ngx_connection_t *c) c->recv = ngx_ssl_recv; c->send = ngx_ssl_write; c->recv_chain = ngx_ssl_recv_chain; +#if (NGX_SSL_SENDFILE) + c->send_chain = ngx_ssl_sendfile_chain; +#else c->send_chain = ngx_ssl_send_chain; +#endif #ifndef SSL_OP_NO_RENEGOTIATION #if OPENSSL_VERSION_NUMBER < 0x10100000L -@@ -1741,12 +1749,19 @@ ngx_ssl_handshake(ngx_connection_t *c) +@@ -1741,6 +1749,13 @@ ngx_ssl_handshake(ngx_connection_t *c) c->ssl->handshaked = 1; +#if (NGX_SSL_SENDFILE) -+ c->ssl->can_use_sendfile = BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, ++ c->ssl->can_use_sendfile = !!BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, + "BIO_get_ktls_send: %d", c->ssl->can_use_sendfile); + c->sendfile = c->ssl->can_use_sendfile ? 1 : 0; +#endif + return NGX_OK; } - sslerr = SSL_get_error(c->ssl->connection, n); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - c->read->ready = 0; -@@ -1825,7 +1840,7 @@ ngx_ssl_try_early_data(ngx_connection_t *c) - - n = SSL_read_early_data(c->ssl->connection, &buf, 1, &readbytes); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_read_early_data: %d, %uz", n, readbytes); - - if (n == SSL_READ_EARLY_DATA_FINISH) { -@@ -1880,7 +1895,7 @@ ngx_ssl_try_early_data(ngx_connection_t *c) - - sslerr = SSL_get_error(c->ssl->connection, n); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - c->read->ready = 0; -@@ -1971,17 +1986,17 @@ ngx_ssl_handshake_log(ngx_connection_t *c) - - *d = '\0'; - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ 
ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL: %s, cipher: \"%s\"", - SSL_get_version(c->ssl->connection), &buf[1]); - - if (SSL_session_reused(c->ssl->connection)) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL reused session"); - } - - } else { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL no shared ciphers"); - } - } -@@ -1996,7 +2011,7 @@ ngx_ssl_handshake_handler(ngx_event_t *ev) - - c = ev->data; - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL handshake handler: %d", ev->write); - - if (ev->timedout) { -@@ -2110,7 +2125,7 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) - - n = SSL_read(c->ssl->connection, buf, size); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_read: %d", n); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_read: %d", n); - - if (n > 0) { - bytes += n; -@@ -2145,7 +2160,7 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) - ngx_post_event(c->read, &ngx_posted_next_events); - } - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_read: avail:%d", c->read->available); - - } else { -@@ -2159,7 +2174,7 @@ ngx_ssl_recv(ngx_connection_t *c, u_char *buf, size_t size) - return NGX_ERROR; - } - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_read: avail:%d", c->read->available); - - #endif -@@ -2255,7 +2270,7 @@ ngx_ssl_recv_early(ngx_connection_t *c, u_char *buf, size_t size) - - n = SSL_read_early_data(c->ssl->connection, buf, size, &readbytes); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_read_early_data: %d, %uz", n, readbytes); - - if (n == SSL_READ_EARLY_DATA_SUCCESS) { -@@ -2375,7 +2390,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) - - err = 
(sslerr == SSL_ERROR_SYSCALL) ? ngx_errno : 0; - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ) { - -@@ -2398,7 +2413,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) - - if (sslerr == SSL_ERROR_WANT_WRITE) { - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_read: want write"); - - c->write->ready = 0; -@@ -2423,7 +2438,7 @@ ngx_ssl_handle_recv(ngx_connection_t *c, int n) - c->ssl->no_send_shutdown = 1; - - if (sslerr == SSL_ERROR_ZERO_RETURN || ERR_peek_error() == 0) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "peer shutdown SSL cleanly"); - return NGX_DONE; - } -@@ -2441,7 +2456,7 @@ ngx_ssl_write_handler(ngx_event_t *wev) - - c = wev->data; - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL write handler"); -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL write handler"); - - c->read->handler(c->read); - } -@@ -2545,7 +2560,7 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) - size = (ssize_t) (limit - send); - } - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL buf copy: %z", size); - - ngx_memcpy(buf->last, in->buf->pos, size); 
@@ -2609,6 +2624,163 @@ ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) return in; } +#if (NGX_SSL_SENDFILE) +ngx_chain_t * +ngx_ssl_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit) +{ + int can_use_sendfile; + ssize_t n; + + can_use_sendfile = BIO_get_ktls_send(SSL_get_wbio(c->ssl->connection)); + -+ ngx_log_debug5(NGX_LOG_DEBUG_SSL, c->log, 0, ++ ngx_log_debug5(NGX_LOG_DEBUG_EVENT, c->log, 0, + "Sending chain %p can_use_sendfile:%d c->sendfile:%d " \ + "c->ssl->buffer:%d limit:%O", + in, can_use_sendfile, c->sendfile, c->ssl->buffer, limit); + + if (! (can_use_sendfile && c->sendfile) || c->ssl->buffer) { + return ngx_ssl_send_chain(c, in, limit); + } + + /* the maximum limit size is the maximum int32_t value - the page size */ + if (limit == 0 || limit > (off_t) (NGX_MAX_INT32_VALUE - ngx_pagesize)) { + limit = NGX_MAX_INT32_VALUE - ngx_pagesize; + } + + while (in) { + if (ngx_buf_special(in->buf)) { + in = in->next; + continue; + } + + if (in->buf->in_file) { + ngx_chain_t *cl; + int sendfile_flags; + off_t sendfile_size; + + cl = in; +#ifdef __FreeBSD__ + sendfile_flags = /* in->buf->sendfile_flags |*/ SF_NODISKIO; +#else + sendfile_flags = in->buf->sendfile_flags; +#endif + sendfile_size = ngx_chain_coalesce_file(&cl, limit); + + n = ngx_ssl_sendfile(c, in->buf->file->fd, in->buf->file_pos, + sendfile_size, sendfile_flags); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, + "ngx_ssl_sendfile returns:%z", n); + } else { + n = ngx_ssl_write(c, in->buf->pos, in->buf->last - in->buf->pos); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, + "ngx_ssl_write returns:%z", n); + } + + if (n == NGX_ERROR) { + return NGX_CHAIN_ERROR; + } + if (n == NGX_AGAIN) { + return in; + } + if (n == NGX_BUSY) { + c->busy_count = 1; + c->write->delayed = 1; + ngx_add_timer(c->write, 10); + return in; + } + + in = ngx_chain_update_sent(in, (off_t) 
n); + } + + return in; +} + +static ssize_t +ngx_ssl_sendfile(ngx_connection_t *c, int fd, off_t off, size_t size, int flags) +{ + int n, sslerr; + ngx_err_t err; + + ngx_ssl_clear_error(c->log); + -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, ++ ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, + "SSL to sendfile: %uz at %O with %Xd", size, off, flags); + + n = SSL_sendfile(c->ssl->connection, fd, off, size, flags); + -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_sendfile: %d", n); ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_sendfile: %d", n); + + if (n > 0) { + + if (c->ssl->saved_read_handler) { + + c->read->handler = c->ssl->saved_read_handler; + c->ssl->saved_read_handler = NULL; + c->read->ready = 1; + + if (ngx_handle_read_event(c->read, 0) != NGX_OK) { + return NGX_ERROR; + } + + ngx_post_event(c->read, &ngx_posted_events); + } + + c->sent += n; + + return n; + } + + sslerr = SSL_get_error(c->ssl->connection, n); + +#ifdef __FreeBSD__ + if (sslerr == SSL_ERROR_WANT_WRITE && ngx_errno == EBUSY) { -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "bioerr=NGX_EBUSY, sslerr=%d", sslerr); ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "bioerr=NGX_EBUSY, sslerr=%d", sslerr); + return NGX_BUSY; + } +#endif + + err = (sslerr == SSL_ERROR_SYSCALL) ? 
ngx_errno : 0; + -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); ++ ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); + + if (sslerr == SSL_ERROR_WANT_WRITE) { + c->write->ready = 0; + return NGX_AGAIN; + } + + if (sslerr == SSL_ERROR_WANT_READ) { + + ngx_log_error(NGX_LOG_INFO, c->log, 0, + "peer started SSL renegotiation"); + + c->read->ready = 0; + + if (ngx_handle_read_event(c->read, 0) != NGX_OK) { + return NGX_ERROR; + } + + /* + * we do not set the timer because there is already + * the write event timer + */ + + if (c->ssl->saved_read_handler == NULL) { + c->ssl->saved_read_handler = c->read->handler; + c->read->handler = ngx_ssl_read_handler; + } + + return NGX_AGAIN; + } + + c->ssl->no_wait_shutdown = 1; + c->ssl->no_send_shutdown = 1; + c->write->error = 1; + + ngx_ssl_connection_error(c, sslerr, err, "SSL_sendfile() failed"); + + return NGX_ERROR; +} +#endif ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) -@@ -2624,11 +2796,11 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) - - ngx_ssl_clear_error(c->log); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL to write: %uz", size); - - n = SSL_write(c->ssl->connection, data, size); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_write: %d", n); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_write: %d", n); - - if (n > 0) { - -@@ -2666,7 +2838,7 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) - - err = (sslerr == SSL_ERROR_SYSCALL) ? 
ngx_errno : 0; - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_WRITE) { - -@@ -2689,7 +2861,7 @@ ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size) - - if (sslerr == SSL_ERROR_WANT_READ) { - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_write: want read"); - - c->read->ready = 0; -@@ -2732,13 +2904,13 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) - - ngx_ssl_clear_error(c->log); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL to write: %uz", size); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL to write: %uz", size); - - written = 0; - - n = SSL_write_early_data(c->ssl->connection, data, size, &written); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_write_early_data: %d, %uz", n, written); - - if (n > 0) { -@@ -2770,11 +2942,11 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) - - err = (sslerr == SSL_ERROR_SYSCALL) ? 
ngx_errno : 0; - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d", sslerr); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_WRITE) { - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_write_early_data: want write"); - - if (c->ssl->saved_read_handler) { -@@ -2804,7 +2976,7 @@ ngx_ssl_write_early(ngx_connection_t *c, u_char *data, size_t size) - - if (sslerr == SSL_ERROR_WANT_READ) { - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_write_early_data: want read"); - - c->read->ready = 0; -@@ -2845,7 +3017,7 @@ ngx_ssl_read_handler(ngx_event_t *rev) - - c = rev->data; - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL read handler"); -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL read handler"); - - c->write->handler(c->write); - } -@@ -2920,7 +3092,7 @@ ngx_ssl_shutdown(ngx_connection_t *c) - - n = SSL_shutdown(c->ssl->connection); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n); -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, "SSL_shutdown: %d", n); - - if (n == 1) { - SSL_free(c->ssl->connection); -@@ -2937,7 +3109,7 @@ ngx_ssl_shutdown(ngx_connection_t *c) - - sslerr = SSL_get_error(c->ssl->connection, n); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL_get_error: %d", sslerr); - - if (sslerr == SSL_ERROR_WANT_READ || sslerr == SSL_ERROR_WANT_WRITE) { -@@ -2996,7 +3168,7 @@ ngx_ssl_shutdown_handler(ngx_event_t *ev) - c->timedout = 1; - } - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, ev->log, 0, "SSL shutdown handler"); -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, ev->log, 0, "SSL shutdown handler"); - - if (ngx_ssl_shutdown(c) == NGX_AGAIN) { - return; -@@ -3592,7 +3764,7 @@ ngx_ssl_new_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess) - - hash = ngx_crc32_short(session_id, 
session_id_length); - -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl new session: %08XD:%ud:%d", - hash, session_id_length, len); - -@@ -3656,7 +3828,7 @@ ngx_ssl_get_cached_session(ngx_ssl_conn_t *ssl_conn, - - c = ngx_ssl_get_connection(ssl_conn); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl get session: %08XD:%d", hash, len); - - shm_zone = SSL_CTX_get_ex_data(c->ssl->session_ctx, -@@ -3767,7 +3939,7 @@ ngx_ssl_remove_session(SSL_CTX *ssl, ngx_ssl_session_t *sess) - - hash = ngx_crc32_short(id, len); - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, ngx_cycle->log, 0, - "ssl remove session: %08XD:%ud", hash, len); - - shpool = (ngx_slab_pool_t *) shm_zone->shm.addr; -@@ -3845,7 +4017,7 @@ ngx_ssl_expire_sessions(ngx_ssl_session_cache_t *cache, - - ngx_queue_remove(q); - -- ngx_log_debug1(NGX_LOG_DEBUG_EVENT, ngx_cycle->log, 0, -+ ngx_log_debug1(NGX_LOG_DEBUG_SSL, ngx_cycle->log, 0, - "expire session: %08Xi", sess_id->node.key); - - ngx_rbtree_delete(&cache->session_rbtree, &sess_id->node); -@@ -4080,7 +4252,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - if (enc == 1) { - /* encrypt session ticket */ - -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl session ticket encrypt, key: \"%*s\" (%s session)", - ngx_hex_dump(buf, key[0].name, 16) - buf, buf, - SSL_session_reused(ssl_conn) ? 
"reused" : "new"); -@@ -4127,7 +4299,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - } - } - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl session ticket decrypt, key: \"%*s\" not found", - ngx_hex_dump(buf, name, 16) - buf, buf); - -@@ -4135,7 +4307,7 @@ ngx_ssl_session_ticket_key_callback(ngx_ssl_conn_t *ssl_conn, - - found: - -- ngx_log_debug3(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug3(NGX_LOG_DEBUG_SSL, c->log, 0, - "ssl session ticket decrypt, key: \"%*s\"%s", - ngx_hex_dump(buf, key[i].name, 16) - buf, buf, - (i == 0) ? " (default)" : ""); -@@ -4232,12 +4404,12 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) - } - - if (X509_check_host(cert, (char *) name->data, name->len, 0, NULL) != 1) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "X509_check_host(): no match"); - goto failed; - } - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "X509_check_host(): match"); - - goto found; -@@ -4270,19 +4442,19 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) - - str = altname->d.dNSName; - -- ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL subjectAltName: \"%*s\"", - ASN1_STRING_length(str), ASN1_STRING_data(str)); - - if (ngx_ssl_check_name(name, str) == NGX_OK) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL subjectAltName: match"); - GENERAL_NAMES_free(altnames); - goto found; - } - } - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL subjectAltName: no match"); - - GENERAL_NAMES_free(altnames); -@@ -4312,18 +4484,18 @@ ngx_ssl_check_host(ngx_connection_t *c, ngx_str_t *name) - entry = X509_NAME_get_entry(sname, i); - str = X509_NAME_ENTRY_get_data(entry); - -- 
ngx_log_debug2(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug2(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL commonName: \"%*s\"", - ASN1_STRING_length(str), ASN1_STRING_data(str)); - - if (ngx_ssl_check_name(name, str) == NGX_OK) { -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL commonName: match"); - goto found; - } - } - -- ngx_log_debug0(NGX_LOG_DEBUG_EVENT, c->log, 0, -+ ngx_log_debug0(NGX_LOG_DEBUG_SSL, c->log, 0, - "SSL commonName: no match"); - } - #endif diff --git a/src/event/ngx_event_openssl.h b/src/event/ngx_event_openssl.h -index 329760d..233b7f2 100644 +index 329760d093..233b7f20c8 100644 --- a/src/event/ngx_event_openssl.h +++ b/src/event/ngx_event_openssl.h @@ -106,6 +106,9 @@ struct ngx_ssl_connection_s { unsigned in_ocsp:1; unsigned early_preread:1; unsigned write_blocked:1; +#if (NGX_SSL_SENDFILE) + unsigned can_use_sendfile:1; +#endif }; @@ -289,6 +292,10 @@ ssize_t ngx_ssl_write(ngx_connection_t *c, u_char *data, size_t size); ssize_t ngx_ssl_recv_chain(ngx_connection_t *c, ngx_chain_t *cl, off_t limit); ngx_chain_t *ngx_ssl_send_chain(ngx_connection_t *c, ngx_chain_t *in, off_t limit); +#if (NGX_SSL_SENDFILE) +ngx_chain_t *ngx_ssl_sendfile_chain(ngx_connection_t *c, ngx_chain_t *in, + off_t limit); +#endif void ngx_ssl_free_buffer(ngx_connection_t *c); ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c); void ngx_cdecl ngx_ssl_error(ngx_uint_t level, ngx_log_t *log, ngx_err_t err, diff --git a/src/http/ngx_http_request.c b/src/http/ngx_http_request.c -index 204a939..a6bc928 100644 +index 68d81e9320..e4a922a83a 100644 --- a/src/http/ngx_http_request.c 
+++ b/src/http/ngx_http_request.c -@@ -605,7 +605,10 @@ ngx_http_alloc_request(ngx_connection_t *c) +@@ -608,7 +608,10 @@ ngx_http_alloc_request(ngx_connection_t *c) #if (NGX_HTTP_SSL) if (c->ssl) { - r->main_filter_need_in_memory = 1; +#if (NGX_SSL_SENDFILE) + if (c->ssl->can_use_sendfile == 0) +#endif + r->main_filter_need_in_memory = 1; } #endif -@@ -741,8 +744,13 @@ ngx_http_ssl_handshake(ngx_event_t *rev) +@@ -747,8 +750,13 @@ ngx_http_ssl_handshake(ngx_event_t *rev) sscf = ngx_http_get_module_srv_conf(hc->conf_ctx, ngx_http_ssl_module); - if (ngx_ssl_create_connection(&sscf->ssl, c, NGX_SSL_BUFFER) - != NGX_OK) + if (ngx_ssl_create_connection(&sscf->ssl, c, +#if (NGX_SSL_SENDFILE) + 0 +#else + NGX_SSL_BUFFER +#endif + ) != NGX_OK) { ngx_http_close_connection(c); return; diff --git a/src/http/ngx_http_upstream.c b/src/http/ngx_http_upstream.c -index dda4046..46671ac 100644 +index 9cbb5a3b0c..f93f2ae244 100644 --- a/src/http/ngx_http_upstream.c +++ b/src/http/ngx_http_upstream.c @@ -1715,6 +1715,11 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r, return; } +#if (NGX_SSL_SENDFILE) + c->sendfile = 0; + u->output.sendfile = 0; +#endif + ngx_http_upstream_ssl_handshake(r, u, c); }
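Review bot: `ngx_ssl_sendfile_chain()` never counts what it has already sent against `limit`. Each pass of the `while (in)` loop hands the full `limit` to `ngx_chain_coalesce_file()`, and the in-memory branch calls `ngx_ssl_write()` with the whole buffer, so a single call can push the entire chain however small the caller's limit is. Callers that rely on the limit for rate limiting or chunk sizing (presumably the HTTP write filter) would see it exceeded on kTLS connections, while the `ngx_ssl_send_chain()` fallback in the same function is handed the same `limit`. Keep a running `send` total, stop the loop once it reaches `limit`, and clamp both branches to `limit - send`, as sketched below.

```c
    off_t    send, size;

    send = 0;

    /* … unchanged: kTLS check, fallback to ngx_ssl_send_chain(), limit clamp … */

    while (in && send < limit) {
        /* … unchanged: skip special buffers … */

        if (in->buf->in_file) {
            /* … unchanged: cl = in, sendfile_flags selection … */
            sendfile_size = ngx_chain_coalesce_file(&cl, limit - send);
            /* … unchanged: ngx_ssl_sendfile() call and debug log … */
        } else {
            size = in->buf->last - in->buf->pos;

            if (size > limit - send) {
                size = limit - send;
            }

            n = ngx_ssl_write(c, in->buf->pos, (size_t) size);
            /* … unchanged: debug log … */
        }

        /* … unchanged: NGX_ERROR / NGX_AGAIN / NGX_BUSY handling … */

        send += n;
        in = ngx_chain_update_sent(in, (off_t) n);
    }
```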