From nobody Tue May 23 19:54:51 2023
Date: Tue, 23 May 2023 19:54:51 GMT
Message-Id: <202305231954.34NJspIR059889@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: "Sergey A. Osokin"
Subject: git: ad934b7a108f - main - www/nginx-devel: update from 1.24.0 to 1.25.0
List-Id: Commits to the main branch of the FreeBSD ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-main
Sender: owner-dev-commits-ports-main@freebsd.org
X-Git-Committer: osa
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: ad934b7a108f19075a29d8602c012d82346af2b2
Auto-Submitted: auto-generated

The branch main has been updated by osa:

URL: https://cgit.FreeBSD.org/ports/commit/?id=ad934b7a108f19075a29d8602c012d82346af2b2

commit ad934b7a108f19075a29d8602c012d82346af2b2
Author:     Sergey A. Osokin
AuthorDate: 2023-05-23 19:54:16 +0000
Commit:     Sergey A. Osokin
CommitDate: 2023-05-23 19:54:43 +0000

    www/nginx-devel: update from 1.24.0 to 1.25.0

    Enable HTTPv3 protocol by default.
    Remove third-party clojure module due to a build issue.

    The OpenSSL compatibility layer, which emulates BoringSSL QUIC API for
    OpenSSL, is enabled by default, and 0-RTT is not supported in this mode.

    Alternatively, it's possible to build nginx with a third-party
    library from ports tree, that provides QUIC support:
    o) BoringSSL
    o) LibreSSL
    o) QuicTLS

    *) Feature: experimental HTTP/3 support.
---
 www/nginx-devel/Makefile | 10 +-
 www/nginx-devel/Makefile.extmod | 9 +-
 www/nginx-devel/Makefile.options.desc | 1 -
 www/nginx-devel/distinfo | 8 +-
 www/nginx-devel/files/extra-patch-httpv3 | 26867 -----------------------------
 www/nginx-devel/pkg-plist | 1 -
 6 files changed, 7 insertions(+), 26889 deletions(-)

diff --git a/www/nginx-devel/Makefile b/www/nginx-devel/Makefile index ef16b784021d..1f82c3a0de4e 100644 --- a/www/nginx-devel/Makefile +++ b/www/nginx-devel/Makefile 
@@ -1,6 +1,5 @@ PORTNAME?= nginx -PORTVERSION= 1.24.0 -PORTREVISION= 6 +PORTVERSION= 1.25.0 CATEGORIES= www MASTER_SITES= https://nginx.org/download/ \ LOCAL/osa @@ -82,7 +81,7 @@ OPTIONS_DEFINE= DEBUG DEBUGLOG DSO FILE_AIO IPV6 NJS NJS_XML THREADS WWW OPTIONS_DEFAULT?= DSO FILE_AIO HTTP HTTP_ADDITION HTTP_AUTH_REQ HTTP_CACHE \ HTTP_DAV HTTP_FLV HTTP_GUNZIP_FILTER HTTP_GZIP_STATIC HTTP_MP4 \ HTTP_RANDOM_INDEX HTTP_REALIP HTTP_SECURE_LINK HTTP_SLICE HTTP_SSL \ - HTTP_STATUS HTTP_SUB HTTPV2 MAIL MAIL_SSL STREAM \ + HTTP_STATUS HTTP_SUB HTTPV2 HTTPV3 MAIL MAIL_SSL STREAM \ STREAM_REALIP STREAM_SSL STREAM_SSL_PREREAD THREADS WWW LIB_DEPENDS+= libpcre2-8.so:devel/pcre2 @@ -165,10 +164,7 @@ HTTP_XSLT_LIB_DEPENDS= libxml2.so:textproc/libxml2 \ HTTP_XSLT_VARS= DSO_BASEMODS+=http_xslt_module HTTPV2_IMPLIES= HTTP_SSL HTTPV2_CONFIGURE_ON= --with-http_v2_module -HTTPV3_CONFIGURE_ON= --build=nginx-quic \ - --with-stream_quic_module \ - --with-http_v3_module -HTTPV3_EXTRA_PATCHES= ${PATCHDIR}/extra-patch-httpv3:-p1 +HTTPV3_CONFIGURE_ON= --with-http_v3_module HTTPV3_BORING_BUILD_DEPENDS= ${LOCALBASE}/bin/bssl:security/boringssl HTTPV3_BORING_RUN_DEPENDS= ${LOCALBASE}/bin/bssl:security/boringssl HTTPV3_BORING_IMPLIES= HTTPV3 diff --git a/www/nginx-devel/Makefile.extmod b/www/nginx-devel/Makefile.extmod index 897034118b2e..cd0aeeb89b65 100644 --- a/www/nginx-devel/Makefile.extmod +++ b/www/nginx-devel/Makefile.extmod @@ -2,7 +2,7 @@ OPTIONS_GROUP+= THIRDPARTYGRP # External modules (arrayvar MUST appear after devel_kit for build-dep) -OPTIONS_GROUP_THIRDPARTYGRP= AJP AWS_AUTH BROTLI CACHE_PURGE CLOJURE COOKIE_FLAG CT \ +OPTIONS_GROUP_THIRDPARTYGRP= AJP AWS_AUTH BROTLI CACHE_PURGE COOKIE_FLAG CT \ DEVEL_KIT ARRAYVAR DRIZZLE DYNAMIC_UPSTREAM ECHO ENCRYPTSESSION \ FIPS_CHECK FORMINPUT GRIDFS HEADERS_MORE HTTP_ACCEPT_LANGUAGE HTTP_AUTH_DIGEST \ HTTP_AUTH_KRB5 HTTP_AUTH_LDAP HTTP_AUTH_PAM HTTP_DAV_EXT HTTP_EVAL \ 
@@ -32,13 +32,6 @@ BROTLI_VARS= DSO_EXTMODS+=brotli CACHE_PURGE_GH_TUPLE= torden:ngx_cache_purge:2b977cf:cache_purge CACHE_PURGE_VARS= DSO_EXTMODS+=cache_purge -CLOJURE_CATEGORIES+= java -CLOJURE_USE= JAVA=yes JAVA_OS=native JAVA_VERSION=1.8 \ - JAVA_VENDOR=openjdk JAVA_BUILD=yes JAVA_RUN=yes -CLOJURE_GH_TUPLE= nginx-clojure:nginx-clojure:v0.6.0:clojure -CLOJURE_CONFIGURE_ENV= "JNI_INCS=-I${LOCALBASE}/openjdk8/include -I${LOCALBASE}/openjdk8/include/freebsd" -CLOJURE_VARS= DSO_EXTMODS+=clojure CLOJURE_SUBDIR=/src/c - COOKIE_FLAG_GH_TUPLE= AirisX:nginx_cookie_flag_module:c4ff449:cookie_flag COOKIE_FLAG_VARS= DSO_EXTMODS+=cookie_flag diff --git a/www/nginx-devel/Makefile.options.desc b/www/nginx-devel/Makefile.options.desc index e56d3d83c6b1..ac2bad570e17 100644 --- a/www/nginx-devel/Makefile.options.desc +++ b/www/nginx-devel/Makefile.options.desc @@ -3,7 +3,6 @@ ARRAYVAR_DESC= 3rd party array_var module AWS_AUTH_DESC= 3rd party aws auth module BROTLI_DESC= 3rd party brotli module CACHE_PURGE_DESC= 3rd party cache_purge module -CLOJURE_DESC= 3rd party clojure module COOKIE_FLAG_DESC= 3rd party cookie_flag module CT_DESC= 3rd party cert_transparency module (SSL req.) DEBUGLOG_DESC= Enable debug log (--with-debug) diff --git a/www/nginx-devel/distinfo b/www/nginx-devel/distinfo index 63a4c122581f..4d3f28f29199 100644 --- a/www/nginx-devel/distinfo +++ b/www/nginx-devel/distinfo 
@@ -1,6 +1,6 @@ -TIMESTAMP = 1683496279 -SHA256 (nginx-1.24.0.tar.gz) = 77a2541637b92a621e3ee76776c8b7b40cf6d707e69ba53a940283e30ff2f55d -SIZE (nginx-1.24.0.tar.gz) = 1112471 +TIMESTAMP = 1684868176 +SHA256 (nginx-1.25.0.tar.gz) = 5ed44d45943272a4e8a5bcf4434237210f2de31b903fca5e381c1bbd7eee1e8c +SIZE (nginx-1.25.0.tar.gz) = 1217579 SHA256 (nginx_mogilefs_module-1.0.4.tar.gz) = 7ac230d30907f013dff8d435a118619ea6168aa3714dba62c6962d350c6295ae SIZE (nginx_mogilefs_module-1.0.4.tar.gz) = 11208 SHA256 (nginx_mod_h264_streaming-2.2.7.tar.gz) = 6d974ba630cef59de1f60996c66b401264a345d25988a76037c2856cec756c19 @@ -19,8 +19,6 @@ SHA256 (google-ngx_brotli-9aec15e_GH0.tar.gz) = 0177b1158ff7092b9996346de28a0b29 SIZE (google-ngx_brotli-9aec15e_GH0.tar.gz) = 16194 SHA256 (torden-ngx_cache_purge-2b977cf_GH0.tar.gz) = 9de7dad5827edf37e803435ee764f6815562053daa0821aedaf539580307ff93 SIZE (torden-ngx_cache_purge-2b977cf_GH0.tar.gz) = 16739 -SHA256 (nginx-clojure-nginx-clojure-v0.6.0_GH0.tar.gz) = e8215cdebc3eb13f852c10e9bbbf315f2e1b75bb4dec015ca60ec29efcb86509 -SIZE (nginx-clojure-nginx-clojure-v0.6.0_GH0.tar.gz) = 786029 SHA256 (AirisX-nginx_cookie_flag_module-c4ff449_GH0.tar.gz) = 4b8c1c1e1ed59ed85751f4bd7d68026ad5051103c8b983e05ad17eb0cdab138e SIZE (AirisX-nginx_cookie_flag_module-c4ff449_GH0.tar.gz) = 4713 SHA256 (grahamedgecombe-nginx-ct-93e9884_GH0.tar.gz) = 72fdd125b9207cdda135f368095f85b943a78a4ff004d1cd217972e12b1571b2 diff --git a/www/nginx-devel/files/extra-patch-httpv3 b/www/nginx-devel/files/extra-patch-httpv3 deleted file mode 100644 index c49f591c25d5..000000000000 --- a/www/nginx-devel/files/extra-patch-httpv3 +++ /dev/null 
@@ -1,26867 +0,0 @@ -diff -r ac779115ed6e README ---- /dev/null Thu Jan 01 00:00:00 1970 +0000 -+++ b/README Thu May 11 11:48:37 2023 -0400 -@@ -0,0 +1,386 @@ -+Experimental QUIC support for nginx -+----------------------------------- -+ -+1. Introduction -+2. Building from sources -+3. Configuration -+4. Directives -+5. Clients -+6. Troubleshooting -+7. Contributing -+8. Links -+ -+1. Introduction -+ -+ This is an experimental QUIC [1] / HTTP/3 [2] support for nginx. -+ -+ The code is developed in a separate "quic" branch available -+ at https://hg.nginx.org/nginx-quic. Currently it is based -+ on nginx mainline 1.23.x. We merge new nginx releases into -+ this branch regularly. -+ -+ The project code base is under the same BSD license as nginx. -+ -+ The code is currently at a beta level of quality, however -+ there are several production deployments with it. -+ -+ NGINX Development Team is working on improving HTTP/3 support to -+ integrate it into the main NGINX codebase. Thus, expect further -+ updates of this code, including features, changes in behaviour, -+ bug fixes, and refactoring. NGINX Development team will be -+ grateful for any feedback and code submissions. -+ -+ Please contact NGINX Development Team via nginx-devel mailing list [3]. -+ -+ What works now: -+ -+ IETF QUIC version 1 is supported. Internet drafts are no longer supported. -+ -+ nginx should be able to respond to HTTP/3 requests over QUIC and -+ it should be possible to upload and download big files without errors. 
-+ -+ + The handshake completes successfully -+ + One endpoint can update keys and its peer responds correctly -+ + 0-RTT data is being received and acted on -+ + Connection is established using TLS Resume Ticket -+ + A handshake that includes a Retry packet completes successfully -+ + Stream data is being exchanged and ACK'ed -+ + An H3 transaction succeeded -+ + One or both endpoints insert entries into dynamic table and -+ subsequently reference them from header blocks -+ + Version Negotiation packet is sent to client with unknown version -+ + Lost packets are detected and retransmitted properly -+ + Clients may migrate to new address -+ -+2. Building from sources -+ -+ The build is configured using the configure command. -+ Refer to http://nginx.org/en/docs/configure.html for details. -+ -+ When configuring nginx, it's possible to enable QUIC and HTTP/3 -+ using the following new configuration options: -+ -+ --with-http_v3_module - enable QUIC and HTTP/3 -+ --with-stream_quic_module - enable QUIC in Stream -+ -+ A library that provides QUIC support is recommended to build nginx, there -+ are several of those available on the market: -+ + BoringSSL [4] -+ + LibreSSL [5] -+ + QuicTLS [6] -+ -+ Alternatively, nginx can be configured with OpenSSL compatibility -+ layer, which emulates BoringSSL QUIC API for OpenSSL. This mode is -+ enabled by default if native QUIC support is not detected. -+ 0-RTT is not supported in OpenSSL compatibility mode. 
-+ -+ Clone the NGINX QUIC repository -+ -+ $ hg clone -b quic https://hg.nginx.org/nginx-quic -+ $ cd nginx-quic -+ -+ Use the following command to configure nginx with BoringSSL [4] -+ -+ $ ./auto/configure --with-debug --with-http_v3_module \ -+ --with-cc-opt="-I../boringssl/include" \ -+ --with-ld-opt="-L../boringssl/build/ssl \ -+ -L../boringssl/build/crypto" -+ $ make -+ -+ Alternatively, nginx can be configured with QuicTLS [6] -+ -+ $ ./auto/configure --with-debug --with-http_v3_module \ -+ --with-cc-opt="-I../quictls/build/include" \ -+ --with-ld-opt="-L../quictls/build/lib" -+ -+ Alternatively, nginx can be configured with a modern version -+ of LibreSSL [7] -+ -+ $ ./auto/configure --with-debug --with-http_v3_module \ -+ --with-cc-opt="-I../libressl/build/include" \ -+ --with-ld-opt="-L../libressl/build/lib" -+ -+3. Configuration -+ -+ The HTTP "listen" directive got a new option "quic" which enables -+ QUIC as client transport protocol instead of TCP. -+ -+ The Stream "listen" directive got a new option "quic" which enables -+ QUIC as client transport protocol instead of TCP or plain UDP. -+ -+ Along with "quic", it's also possible to specify "reuseport" -+ option [8] to make it work properly with multiple workers. -+ -+ To enable address validation: -+ -+ quic_retry on; -+ -+ To enable 0-RTT: -+ -+ ssl_early_data on; -+ -+ To enable GSO (Generic Segmentation Offloading): -+ -+ quic_gso on; -+ -+ To limit maximum UDP payload size on receive path: -+ -+ quic_mtu ; -+ -+ To set host key for various tokens: -+ -+ quic_host_key ; -+ -+ QUIC requires TLSv1.3 protocol, which is enabled by the default -+ by "ssl_protocols" directive. -+ -+ By default, GSO Linux-specific optimization [10] is disabled. -+ Enable it in case a corresponding network interface is configured to -+ support GSO. 
-+ -+ A number of directives were added that configure HTTP/3: -+ -+ http3 -+ http3_hq -+ http3_stream_buffer_size -+ http3_max_concurrent_pushes -+ http3_max_concurrent_streams -+ http3_push -+ http3_push_preload -+ -+ In http, an additional variable is available: $http3. -+ The value of $http3 is "h3" for HTTP/3 connections, -+ "hq" for hq connections, or an empty string otherwise. -+ -+ In stream, an additional variable is available: $quic. -+ The value of $quic is "quic" if QUIC connection is used, -+ or an empty string otherwise. -+ -+Example configuration: -+ -+ http { -+ log_format quic '$remote_addr - $remote_user [$time_local] ' -+ '"$request" $status $body_bytes_sent ' -+ '"$http_referer" "$http_user_agent" "$http3"'; -+ -+ access_log logs/access.log quic; -+ -+ server { -+ # for better compatibility it's recommended -+ # to use the same port for quic and https -+ listen 8443 quic reuseport; -+ listen 8443 ssl; -+ -+ ssl_certificate certs/example.com.crt; -+ ssl_certificate_key certs/example.com.key; -+ -+ location / { -+ # required for browsers to direct them into quic port -+ add_header Alt-Svc 'h3=":8443"; ma=86400'; -+ } -+ } -+ } -+ -+4. Directives -+ -+ Syntax: quic_bpf on | off; -+ Default: quic_bpf off; -+ Context: main -+ -+ Enables routing of QUIC packets using eBPF. -+ When enabled, this allows to support QUIC connection migration. -+ The directive is only supported on Linux 5.7+. -+ -+ -+ Syntax: quic_retry on | off; -+ Default: quic_retry off; -+ Context: http | stream, server -+ -+ Enables the QUIC Address Validation feature. This includes: -+ - sending a new token in a Retry packet or a NEW_TOKEN frame -+ - validating a token received in the Initial packet -+ -+ -+ Syntax: quic_gso on | off; -+ Default: quic_gso off; -+ Context: http | stream, server -+ -+ Enables sending in optimized batch mode using segmentation offloading. -+ Optimized sending is only supported on Linux featuring UDP_SEGMENT. 
-+ -+ -+ Syntax: quic_mtu size; -+ Default: quic_mtu 65527; -+ Context: http | stream, server -+ -+ Sets the QUIC max_udp_payload_size transport parameter value. -+ This is the maximum UDP payload that we are willing to receive. -+ -+ -+ Syntax: quic_host_key file; -+ Default: - -+ Context: http | stream, server -+ -+ Specifies a file with the secret key used to encrypt stateless reset and -+ address validation tokens. By default, a randomly generated key is used. -+ -+ -+ Syntax: quic_active_connection_id_limit number; -+ Default: quic_active_connection_id_limit 2; -+ Context: http | stream, server -+ -+ Sets the QUIC active_connection_id_limit transport parameter value. -+ This is the maximum number of connection IDs we are willing to store. -+ -+ -+ Syntax: quic_timeout time; -+ Default: quic_timeout 60s; -+ Context: stream, server -+ -+ Defines a timeout used to negotiate the QUIC idle timeout. -+ In the http module, it is taken from the keepalive_timeout directive. -+ -+ -+ Syntax: quic_stream_buffer_size size; -+ Default: quic_stream_buffer_size 64k; -+ Context: stream, server -+ -+ Syntax: http3_stream_buffer_size size; -+ Default: http3_stream_buffer_size 64k; -+ Context: http, server -+ -+ Sets buffer size for reading and writing of the QUIC STREAM payload. -+ The buffer size is used to calculate initial flow control limits -+ in the following QUIC transport parameters: -+ - initial_max_data -+ - initial_max_stream_data_bidi_local -+ - initial_max_stream_data_bidi_remote -+ - initial_max_stream_data_uni -+ -+ -+ Syntax: http3_max_concurrent_pushes number; -+ Default: http3_max_concurrent_pushes 10; -+ Context: http, server -+ -+ Limits the maximum number of concurrent push requests in a connection. -+ -+ -+ Syntax: http3_max_concurrent_streams number; -+ Default: http3_max_concurrent_streams 128; -+ Context: http, server -+ -+ Sets the maximum number of concurrent HTTP/3 streams in a connection. 
-+ -+ -+ Syntax: http3_push uri | off; -+ Default: http3_push off; -+ Context: http, server, location -+ -+ Pre-emptively sends (pushes) a request to the specified uri along with -+ the response to the original request. Only relative URIs with absolute -+ path will be processed, for example: -+ -+ http3_push /static/css/main.css; -+ -+ The uri value can contain variables. -+ -+ Several http3_push directives can be specified on the same configuration -+ level. The off parameter cancels the effect of the http3_push directives -+ inherited from the previous configuration level. -+ -+ -+ Syntax: http3_push_preload on | off; -+ Default: http3_push_preload off; -+ Context: http, server, location -+ -+ Enables automatic conversion of preload links specified in the “Link” -+ response header fields into push requests. -+ -+ -+ Syntax: http3 on | off; -+ Default: http3 on; -+ Context: http, server -+ -+ Enables HTTP/3 protocol negotiation. -+ -+ -+ Syntax: http3_hq on | off; -+ Default: http3_hq off; -+ Context: http, server -+ -+ Enables HTTP/0.9 protocol negotiation used in QUIC interoperability tests. -+ -+5. Clients -+ -+ * Browsers -+ -+ Known to work: Firefox 90+ and Chrome 92+ (QUIC version 1) -+ -+ Beware of strange issues: sometimes browser may decide to ignore QUIC -+ Cache clearing/restart might help. Always check access.log and -+ error.log to make sure the browser is using HTTP/3 and not TCP https. -+ -+ * Console clients -+ -+ Known to work: ngtcp2, firefox's neqo and chromium's console clients: -+ -+ $ examples/client 127.0.0.1 8443 https://example.com:8443/index.html -+ -+ $ ./neqo-client https://127.0.0.1:8443/ -+ -+ $ chromium-build/out/my_build/quic_client http://example.com:8443 -+ -+ -+ In case everyhing is right, the access log should show something like: -+ -+ 127.0.0.1 - - [24/Apr/2020:11:27:29 +0300] "GET / HTTP/3" 200 805 "-" -+ "nghttp3/ngtcp2 client" "quic" -+ -+ -+6. 
Troubleshooting -+ -+ Here are some tips that may help to identify problems: -+ -+ + Ensure nginx is built with proper SSL library that supports QUIC -+ -+ + Ensure nginx is using the proper SSL library in runtime -+ (`nginx -V` shows what it's using) -+ -+ + Ensure a client is actually sending requests over QUIC -+ (see "Clients" section about browsers and cache) -+ -+ We recommend to start with simple console client like ngtcp2 -+ to ensure the server is configured properly before trying -+ with real browsers that may be very picky with certificates, -+ for example. -+ -+ + Build nginx with debug support [9] and check the debug log. -+ It should contain all details about connection and why it -+ failed. All related messages contain "quic " prefix and can -+ be easily filtered out. -+ -+ + For a deeper investigation, please enable additional debugging -+ in src/event/quic/ngx_event_quic_connection.h: -+ -+ #define NGX_QUIC_DEBUG_PACKETS -+ #define NGX_QUIC_DEBUG_FRAMES -+ #define NGX_QUIC_DEBUG_ALLOC -+ #define NGX_QUIC_DEBUG_CRYPTO -+ -+7. Contributing -+ -+ Please refer to -+ http://nginx.org/en/docs/contributing_changes.html -+ -+8. Links -+ -+ [1] https://datatracker.ietf.org/doc/html/rfc9000 -+ [2] https://datatracker.ietf.org/doc/html/rfc9114 -+ [3] https://mailman.nginx.org/mailman/listinfo/nginx-devel -+ [4] https://boringssl.googlesource.com/boringssl/ -+ [5] https://www.libressl.org/ -+ [6] https://github.com/quictls/openssl -+ [7] https://github.com/libressl-portable/portable/releases/tag/v3.6.0 -+ [8] https://nginx.org/en/docs/http/ngx_http_core_module.html#listen -+ [9] https://nginx.org/en/docs/debugging_log.html -+ [10] http://vger.kernel.org/lpc_net2018_talks/willemdebruijn-lpc2018-udpgso-paper-DRAFT-1.pdf -diff -r ac779115ed6e auto/lib/openssl/conf ---- a/auto/lib/openssl/conf Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/lib/openssl/conf Thu May 11 11:48:37 2023 -0400 -@@ -5,12 +5,17 @@ - - if [ $OPENSSL != NONE ]; then - -+ have=NGX_OPENSSL . 
auto/have -+ have=NGX_SSL . auto/have -+ -+ if [ $USE_OPENSSL_QUIC = YES ]; then -+ have=NGX_QUIC . auto/have -+ have=NGX_QUIC_OPENSSL_COMPAT . auto/have -+ fi -+ - case "$CC" in - - cl | bcc32) -- have=NGX_OPENSSL . auto/have -- have=NGX_SSL . auto/have -- - CFLAGS="$CFLAGS -DNO_SYS_TYPES_H" - - CORE_INCS="$CORE_INCS $OPENSSL/openssl/include" -@@ -33,9 +38,6 @@ if [ $OPENSSL != NONE ]; then - ;; - - *) -- have=NGX_OPENSSL . auto/have -- have=NGX_SSL . auto/have -- - CORE_INCS="$CORE_INCS $OPENSSL/.openssl/include" - CORE_DEPS="$CORE_DEPS $OPENSSL/.openssl/include/openssl/ssl.h" - CORE_LIBS="$CORE_LIBS $OPENSSL/.openssl/lib/libssl.a" -@@ -123,6 +125,35 @@ else - CORE_INCS="$CORE_INCS $ngx_feature_path" - CORE_LIBS="$CORE_LIBS $ngx_feature_libs" - OPENSSL=YES -+ -+ if [ $USE_OPENSSL_QUIC = YES ]; then -+ -+ ngx_feature="OpenSSL QUIC support" -+ ngx_feature_name="NGX_QUIC" -+ ngx_feature_test="SSL_set_quic_method(NULL, NULL)" -+ . auto/feature -+ -+ if [ $ngx_found = no ]; then -+ have=NGX_QUIC_OPENSSL_COMPAT . auto/have -+ -+ ngx_feature="OpenSSL QUIC compatibility" -+ ngx_feature_test="SSL_CTX_add_custom_ext(NULL, 0, 0, -+ NULL, NULL, NULL, NULL, NULL)" -+ . auto/feature -+ fi -+ -+ if [ $ngx_found = no ]; then -+cat << END -+ -+$0: error: certain modules require OpenSSL QUIC support. -+You can either do not enable the modules, or install the OpenSSL library with -+QUIC support into the system, or build the OpenSSL library with QUIC support -+statically from the source with nginx by using --with-openssl= option. 
-+ -+END -+ exit 1 -+ fi -+ fi - fi - fi - -diff -r ac779115ed6e auto/make ---- a/auto/make Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/make Thu May 11 11:48:37 2023 -0400 -@@ -6,9 +6,10 @@ - echo "creating $NGX_MAKEFILE" - - mkdir -p $NGX_OBJS/src/core $NGX_OBJS/src/event $NGX_OBJS/src/event/modules \ -+ $NGX_OBJS/src/event/quic \ - $NGX_OBJS/src/os/unix $NGX_OBJS/src/os/win32 \ -- $NGX_OBJS/src/http $NGX_OBJS/src/http/v2 $NGX_OBJS/src/http/modules \ -- $NGX_OBJS/src/http/modules/perl \ -+ $NGX_OBJS/src/http $NGX_OBJS/src/http/v2 $NGX_OBJS/src/http/v3 \ -+ $NGX_OBJS/src/http/modules $NGX_OBJS/src/http/modules/perl \ - $NGX_OBJS/src/mail \ - $NGX_OBJS/src/stream \ - $NGX_OBJS/src/misc -diff -r ac779115ed6e auto/modules ---- a/auto/modules Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/modules Thu May 11 11:48:37 2023 -0400 -@@ -102,7 +102,7 @@ if [ $HTTP = YES ]; then - fi - - -- if [ $HTTP_V2 = YES ]; then -+ if [ $HTTP_V2 = YES -o $HTTP_V3 = YES ]; then - HTTP_SRCS="$HTTP_SRCS $HTTP_HUFF_SRCS" - fi - -@@ -124,6 +124,7 @@ if [ $HTTP = YES ]; then - # ngx_http_header_filter - # ngx_http_chunked_filter - # ngx_http_v2_filter -+ # ngx_http_v3_filter - # ngx_http_range_header_filter - # ngx_http_gzip_filter - # ngx_http_postpone_filter -@@ -156,6 +157,7 @@ if [ $HTTP = YES ]; then - ngx_http_header_filter_module \ - ngx_http_chunked_filter_module \ - ngx_http_v2_filter_module \ -+ ngx_http_v3_filter_module \ - ngx_http_range_header_filter_module \ - ngx_http_gzip_filter_module \ - ngx_http_postpone_filter_module \ -@@ -217,6 +219,17 @@ if [ $HTTP = YES ]; then - . auto/module - fi - -+ if [ $HTTP_V3 = YES ]; then -+ ngx_module_name=ngx_http_v3_filter_module -+ ngx_module_incs= -+ ngx_module_deps= -+ ngx_module_srcs=src/http/v3/ngx_http_v3_filter_module.c -+ ngx_module_libs= -+ ngx_module_link=$HTTP_V3 -+ -+ . auto/module -+ fi -+ - if :; then - ngx_module_name=ngx_http_range_header_filter_module - ngx_module_incs= -@@ -426,6 +439,33 @@ if [ $HTTP = YES ]; then - . 
auto/module - fi - -+ if [ $HTTP_V3 = YES ]; then -+ USE_OPENSSL_QUIC=YES -+ HTTP_SSL=YES -+ -+ have=NGX_HTTP_V3 . auto/have -+ have=NGX_HTTP_HEADERS . auto/have -+ -+ ngx_module_name=ngx_http_v3_module -+ ngx_module_incs=src/http/v3 -+ ngx_module_deps="src/http/v3/ngx_http_v3.h \ -+ src/http/v3/ngx_http_v3_encode.h \ -+ src/http/v3/ngx_http_v3_parse.h \ -+ src/http/v3/ngx_http_v3_table.h \ -+ src/http/v3/ngx_http_v3_uni.h" -+ ngx_module_srcs="src/http/v3/ngx_http_v3.c \ -+ src/http/v3/ngx_http_v3_encode.c \ -+ src/http/v3/ngx_http_v3_parse.c \ -+ src/http/v3/ngx_http_v3_table.c \ -+ src/http/v3/ngx_http_v3_uni.c \ -+ src/http/v3/ngx_http_v3_request.c \ -+ src/http/v3/ngx_http_v3_module.c" -+ ngx_module_libs= -+ ngx_module_link=$HTTP_V3 -+ -+ . auto/module -+ fi -+ - if :; then - ngx_module_name=ngx_http_static_module - ngx_module_incs= -@@ -1035,6 +1075,20 @@ if [ $STREAM != NO ]; then - - ngx_module_incs= - -+ if [ $STREAM_QUIC = YES ]; then -+ USE_OPENSSL_QUIC=YES -+ have=NGX_STREAM_QUIC . auto/have -+ STREAM_SSL=YES -+ -+ ngx_module_name=ngx_stream_quic_module -+ ngx_module_deps=src/stream/ngx_stream_quic_module.h -+ ngx_module_srcs=src/stream/ngx_stream_quic_module.c -+ ngx_module_libs= -+ ngx_module_link=$STREAM_QUIC -+ -+ . auto/module -+ fi -+ - if [ $STREAM_SSL = YES ]; then - USE_OPENSSL=YES - have=NGX_STREAM_SSL . 
auto/have -@@ -1272,6 +1326,63 @@ if [ $USE_OPENSSL = YES ]; then - fi - - -+if [ $USE_OPENSSL_QUIC = YES ]; then -+ ngx_module_type=CORE -+ ngx_module_name=ngx_quic_module -+ ngx_module_incs= -+ ngx_module_deps="src/event/quic/ngx_event_quic.h \ -+ src/event/quic/ngx_event_quic_transport.h \ -+ src/event/quic/ngx_event_quic_protection.h \ -+ src/event/quic/ngx_event_quic_connection.h \ -+ src/event/quic/ngx_event_quic_frames.h \ -+ src/event/quic/ngx_event_quic_connid.h \ -+ src/event/quic/ngx_event_quic_migration.h \ -+ src/event/quic/ngx_event_quic_streams.h \ -+ src/event/quic/ngx_event_quic_ssl.h \ -+ src/event/quic/ngx_event_quic_tokens.h \ -+ src/event/quic/ngx_event_quic_ack.h \ -+ src/event/quic/ngx_event_quic_output.h \ -+ src/event/quic/ngx_event_quic_socket.h \ -+ src/event/quic/ngx_event_quic_openssl_compat.h" -+ ngx_module_srcs="src/event/quic/ngx_event_quic.c \ -+ src/event/quic/ngx_event_quic_udp.c \ -+ src/event/quic/ngx_event_quic_transport.c \ -+ src/event/quic/ngx_event_quic_protection.c \ -+ src/event/quic/ngx_event_quic_frames.c \ -+ src/event/quic/ngx_event_quic_connid.c \ -+ src/event/quic/ngx_event_quic_migration.c \ -+ src/event/quic/ngx_event_quic_streams.c \ -+ src/event/quic/ngx_event_quic_ssl.c \ -+ src/event/quic/ngx_event_quic_tokens.c \ -+ src/event/quic/ngx_event_quic_ack.c \ -+ src/event/quic/ngx_event_quic_output.c \ -+ src/event/quic/ngx_event_quic_socket.c \ -+ src/event/quic/ngx_event_quic_openssl_compat.c" -+ -+ ngx_module_libs= -+ ngx_module_link=YES -+ ngx_module_order= -+ -+ . auto/module -+ -+ if [ $QUIC_BPF = YES -a $SO_COOKIE_FOUND = YES ]; then -+ ngx_module_type=CORE -+ ngx_module_name=ngx_quic_bpf_module -+ ngx_module_incs= -+ ngx_module_deps= -+ ngx_module_srcs="src/event/quic/ngx_event_quic_bpf.c \ -+ src/event/quic/ngx_event_quic_bpf_code.c" -+ ngx_module_libs= -+ ngx_module_link=YES -+ ngx_module_order= -+ -+ . auto/module -+ -+ have=NGX_QUIC_BPF . 
auto/have -+ fi -+fi -+ -+ - if [ $USE_PCRE = YES ]; then - ngx_module_type=CORE - ngx_module_name=ngx_regex_module -diff -r ac779115ed6e auto/options ---- a/auto/options Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/options Thu May 11 11:48:37 2023 -0400 -@@ -45,6 +45,8 @@ USE_THREADS=NO - - NGX_FILE_AIO=NO - -+QUIC_BPF=NO -+ - HTTP=YES - - NGX_HTTP_LOG_PATH= -@@ -59,6 +61,7 @@ HTTP_CHARSET=YES - HTTP_GZIP=YES - HTTP_SSL=NO - HTTP_V2=NO -+HTTP_V3=NO - HTTP_SSI=YES - HTTP_REALIP=NO - HTTP_XSLT=NO -@@ -116,6 +119,7 @@ MAIL_SMTP=YES - - STREAM=NO - STREAM_SSL=NO -+STREAM_QUIC=NO - STREAM_REALIP=NO - STREAM_LIMIT_CONN=YES - STREAM_ACCESS=YES -@@ -149,6 +153,7 @@ PCRE_JIT=NO - PCRE2=YES - - USE_OPENSSL=NO -+USE_OPENSSL_QUIC=NO - OPENSSL=NONE - - USE_ZLIB=NO -@@ -166,6 +171,8 @@ USE_GEOIP=NO - NGX_GOOGLE_PERFTOOLS=NO - NGX_CPP_TEST=NO - -+SO_COOKIE_FOUND=NO -+ - NGX_LIBATOMIC=NO - - NGX_CPU_CACHE_LINE= -@@ -211,6 +218,8 @@ do - - --with-file-aio) NGX_FILE_AIO=YES ;; - -+ --without-quic_bpf_module) QUIC_BPF=NONE ;; -+ - --with-ipv6) - NGX_POST_CONF_MSG="$NGX_POST_CONF_MSG - $0: warning: the \"--with-ipv6\" option is deprecated" -@@ -228,6 +237,7 @@ do - - --with-http_ssl_module) HTTP_SSL=YES ;; - --with-http_v2_module) HTTP_V2=YES ;; -+ --with-http_v3_module) HTTP_V3=YES ;; - --with-http_realip_module) HTTP_REALIP=YES ;; - --with-http_addition_module) HTTP_ADDITION=YES ;; - --with-http_xslt_module) HTTP_XSLT=YES ;; -@@ -314,6 +324,7 @@ use the \"--with-mail_ssl_module\" optio - --with-stream) STREAM=YES ;; - --with-stream=dynamic) STREAM=DYNAMIC ;; - --with-stream_ssl_module) STREAM_SSL=YES ;; -+ --with-stream_quic_module) STREAM_QUIC=YES ;; - --with-stream_realip_module) STREAM_REALIP=YES ;; - --with-stream_geoip_module) STREAM_GEOIP=YES ;; - --with-stream_geoip_module=dynamic) -@@ -443,8 +454,11 @@ cat << END - - --with-file-aio enable file AIO support - -+ --without-quic_bpf_module disable ngx_quic_bpf_module -+ - --with-http_ssl_module enable ngx_http_ssl_module - 
--with-http_v2_module enable ngx_http_v2_module -+ --with-http_v3_module enable ngx_http_v3_module - --with-http_realip_module enable ngx_http_realip_module - --with-http_addition_module enable ngx_http_addition_module - --with-http_xslt_module enable ngx_http_xslt_module -@@ -533,6 +547,7 @@ cat << END - --with-stream enable TCP/UDP proxy module - --with-stream=dynamic enable dynamic TCP/UDP proxy module - --with-stream_ssl_module enable ngx_stream_ssl_module -+ --with-stream_quic_module enable ngx_stream_quic_module - --with-stream_realip_module enable ngx_stream_realip_module - --with-stream_geoip_module enable ngx_stream_geoip_module - --with-stream_geoip_module=dynamic enable dynamic ngx_stream_geoip_module -diff -r ac779115ed6e auto/os/linux ---- a/auto/os/linux Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/os/linux Thu May 11 11:48:37 2023 -0400 -@@ -232,6 +232,50 @@ ngx_feature_test="struct crypt_data cd; - ngx_include="sys/vfs.h"; . auto/include - - -+# BPF sockhash -+ -+ngx_feature="BPF sockhash" -+ngx_feature_name="NGX_HAVE_BPF" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="union bpf_attr attr = { 0 }; -+ -+ attr.map_flags = 0; -+ attr.map_type = BPF_MAP_TYPE_SOCKHASH; -+ -+ syscall(__NR_bpf, 0, &attr, 0);" -+. auto/feature -+ -+if [ $ngx_found = yes ]; then -+ CORE_SRCS="$CORE_SRCS src/core/ngx_bpf.c" -+ CORE_DEPS="$CORE_DEPS src/core/ngx_bpf.h" -+ -+ if [ $QUIC_BPF != NONE ]; then -+ QUIC_BPF=YES -+ fi -+fi -+ -+ -+ngx_feature="SO_COOKIE" -+ngx_feature_name="NGX_HAVE_SO_COOKIE" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ $NGX_INCLUDE_INTTYPES_H" -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="socklen_t optlen = sizeof(uint64_t); -+ uint64_t cookie; -+ getsockopt(0, SOL_SOCKET, SO_COOKIE, &cookie, &optlen)" -+. 
auto/feature -+ -+if [ $ngx_found = yes ]; then -+ SO_COOKIE_FOUND=YES -+fi -+ -+ - # UDP segmentation offloading - - ngx_feature="UDP_SEGMENT" -diff -r ac779115ed6e auto/sources ---- a/auto/sources Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/sources Thu May 11 11:48:37 2023 -0400 -@@ -83,7 +83,7 @@ CORE_SRCS="src/core/nginx.c \ - - EVENT_MODULES="ngx_events_module ngx_event_core_module" - --EVENT_INCS="src/event src/event/modules" -+EVENT_INCS="src/event src/event/modules src/event/quic" - - EVENT_DEPS="src/event/ngx_event.h \ - src/event/ngx_event_timer.h \ -diff -r ac779115ed6e auto/unix ---- a/auto/unix Tue Mar 28 18:01:53 2023 +0300 -+++ b/auto/unix Thu May 11 11:48:37 2023 -0400 -@@ -448,6 +448,54 @@ ngx_feature_test="setsockopt(0, IPPROTO_ - . auto/feature - - -+# IP packet fragmentation -+ -+ngx_feature="IP_MTU_DISCOVER" -+ngx_feature_name="NGX_HAVE_IP_MTU_DISCOVER" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="(void) IP_PMTUDISC_DO; -+ setsockopt(0, IPPROTO_IP, IP_MTU_DISCOVER, NULL, 0)" -+. auto/feature -+ -+ -+ngx_feature="IPV6_MTU_DISCOVER" -+ngx_feature_name="NGX_HAVE_IPV6_MTU_DISCOVER" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="(void) IPV6_PMTUDISC_DO; -+ setsockopt(0, IPPROTO_IPV6, IPV6_MTU_DISCOVER, NULL, 0)" -+. auto/feature -+ -+ -+ngx_feature="IP_DONTFRAG" -+ngx_feature_name="NGX_HAVE_IP_DONTFRAG" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include " -+ngx_feature_path= -+ngx_feature_libs= -+ngx_feature_test="setsockopt(0, IPPROTO_IP, IP_DONTFRAG, NULL, 0)" -+. auto/feature -+ -+ -+ngx_feature="IPV6_DONTFRAG" -+ngx_feature_name="NGX_HAVE_IPV6_DONTFRAG" -+ngx_feature_run=no -+ngx_feature_incs="#include -+ #include " -+ngx_feature_path= *** 26032 LINES SKIPPED ***
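Review bot: In the OPTIONS_DEFAULT hunk of www/nginx-devel/Makefile, HTTPV3 becomes a default option, so the default package is now built with --with-http_v3_module on top of the OpenSSL compatibility layer, where the commit message says 0-RTT is not supported. That limitation is recorded only in the commit message. Consider stating it where users will see it (the HTTPV3 option description or a pkg-message), because the README inside the removed extra-patch-httpv3 documents "ssl_early_data on;" as the way to enable 0-RTT and nothing in the port now tells an operator that it has no effect over QUIC in the default build.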
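Review bot: The HTTPV3_CONFIGURE_ON hunk drops --with-stream_quic_module and --build=nginx-quic together with HTTPV3_EXTRA_PATCHES, but the commit message only talks about HTTP/3. Please say explicitly whether QUIC in the stream module is intentionally no longer built by this port, so that anyone relying on the "quic" option of the stream "listen" directive knows the behaviour changes with this update.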
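Review bot: In www/nginx-devel/Makefile.extmod, CLOJURE is removed from OPTIONS_GROUP_THIRDPARTYGRP and the whole CLOJURE_* block is deleted, with "due to a build issue" as the only explanation. Record the actual failure (the error or a bug report reference) in the commit message so the module can be restored once it builds against 1.25.0, and so users who had CLOJURE in their saved options can tell the removal was deliberate.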
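Review bot: In the first distinfo hunk the SHA256 and SIZE for nginx-1.25.0.tar.gz are replaced, and with MASTER_SITES listing both https://nginx.org/download/ and LOCAL/osa this digest is the only thing pinning what gets fetched. The commit does not say how it was derived. Please confirm it was generated from a tarball checked against the upstream PGP signature, and that the copy under LOCAL/osa matches the same digest.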