How to pass the real client IP addresses to backend servers via special request headers



ChangeLog for 1.21.4.x
Johnny Wang , 18 May 2022 (created 13 May 2022)Version 1.21.4.1 - 18 May 2022
upgraded the nginx core to 1.21.4.
- see the changes here: http://nginx.org/en/CHANGES
win32/win64: upgraded zlib to 1.2.12.
win32/win64: upgraded OpenSSL to 1.1.1n.
feature: allow to be compiled with LibreSSL 3.0+. Thanks spacewander for the patch.
feature: add lua_ssl_conf_command directive for setting arbitrary OpenSSL configuration parameter particularly the TLSv1.3 ciphersuites. Thanks Zhefeng Chen for the patch.
feature: implemented the ssl_client_hello_by_lua* api for controlling the NGINX downstream SSL handshake dynamically with Lua. Thanks Zhefeng Chen for the patch.
feature: the number connections of privileged agent can be set by enable_privileged_agent(connections). Thanks wangyao for the patch.
feature: implemented the new ngx.run_worker_thread API to run Lua function in a seperated worker thread. Thanks kingluo for the patch.
upgraded lua-nginx-module to 0.10.21
- bugfix: ngx.pipe waits until timeout because child process forgot to close pipe after dup2. Thanks Junlong Li for the patch.
- bugfix: posted event handler was called after event memory was freed. Thanks Junlong Li for the patch.
- bugfix: prevent illegal memory access in ngx_http_lua_util.c. Thanks Jiahao Wang for the patch.
- optimize: removed superfluous code from shdict_store. Thanks Odin Hultgren Van Der Horst for the patch.
- bugfix: fix nginx crash caused by a bad format specifier. Thanks balus for the patch.
- bugfix: fixed memcpy param overlap detected by asan. Thanks pengyanfeng for the patch.
- bugfix: fix possible null pointer dereference found by Coverity. Thanks doujiang24 for the patch.
- bugfix: we should use luaL_typename() with lua stack index. Thanks balus for the patch.
- bugfix: fixed potential leak on memory allocation errors. we have to clean just created SSL context manually, thus appropriate call added. Thanks nandsky for the patch.
- bugfix: nginx crash when resolve an not exist domain in thread create by ngx.thread.spawn. Thanks lijunlong for the patch.
- bugfix: should reset the value_len to 0 when reuse the expired list type key in shared dict. Thanks ngtee8 for the patch.
- change: do not need to create the Lua request ctx data table from C. Thanks doujiang for the patch.
- bugfix: we should ignore match limit in DFA mode. Thanks Jianyong Chen for the patch.
- bugfix: buffer bloat and CPU 100% when download large file was filtered by body_filter_by_lua. Thanks lijunlong for the patch.
- bugfix: fixed missing 'const' qualifier causing compilation failure on freebsd. Thanks Jiahao Wang for the patch.
- bugfix: should not allow to create timer in the exit process phase. Thanks Jinhua Tan for the patch.
- feature: support environ in ngx.pipe on mac. Thanks tzssangglass for the patch.
upgraded stream-lua-nginx-module to 0.0.11
- bugfix: compilation failed when building without --with-stream_ssl_module. Thanks vislee for the patch.
- bugfix: we should use luaL_typename() with lua stack index. Thanks Jianyong Chen for the patch.
- bugfix: fixed possible null pointer dereference found by Coverity. Thanks Ilya Shipitsin for the patch.
- bugfix: nginx crash when resolve an not exist domain. Thanks lijunlong for the patch.
- bugfix: should reset the value_len to 0 when reuse the expired list type key in shared dict. Thanks ngtee8 for the patch.
- bugfix: we should ignore match limit in DFA mode. Thanks balus for the patch.
- bugfix: some lua configurations (i.e.
lua_ssl_trusted_certificate
) were missing in the init_worker phase. Thanks doujiang for the patch. - bugfix: failed to start when non-ssl server configured with ssl_certificate_by_lua* directive. Thanks Zhefeng Chen for the patch.
- bugfix: old coroutine APIs were used in the
preread
andssl_cert
phase. Thanks Zhefeng Chen for the patch.
upgraded lua-resty-core to 0.1.23
upgraded lua-resty-websocket to 0.09
- bugfix: should abort when status code is invalid in wb:send_close(server). Thanks Gerrard-YNWA for the patch.
upgraded lua-resty-redis to 0.30
- feature: add a surface to support redis module. Thanks spacewander for the patch.
upgraded lua-resty-limit-traffic to 0.08
- optimize: resty.limit.conn call dict:incr with
init_ttl
argument. Thanks WindMGC for the patch.
- optimize: resty.limit.conn call dict:incr with
upgraded lua-resty-mysql to 0.25
- bugfix: fallback to default auth plugin if server doesn't have
CLIENT_PLUGIN_AUTH
capability. Thanks Wangchong Zhou for the patch.
- bugfix: fallback to default auth plugin if server doesn't have
upgraded set-misc-nginx-module to 0.33
- feature: added url safe base64 encoding/decoding. Thanks Pavel for the patch.
- bugfix: fix a possible resource leak of fd when exception occur. Thanks Hai Shi for the patch.
- feature: added new directive
set_hmac_sha256
. Thanks erankor for the patch.
upgraded encrypted-session-nginx-module to 0.09
- optimize: make it compatible with boringssl. Thanks lijunlong for the patch.
upgraded lua-resty-string to 0.15
- feature: added an optional len parameter for resty.md5.update(). Thanks lijunlong for the patch.
- feature: add
enable_padding
option for aes. Thanks beimingfish for the patch. - optimize: speed up
string.to_hex
by reusing hex buf. Thanks jinjiezhao for the patch.
upgraded lua-cjson to 2.1.0.10
- bugfix: fixed bugs suspected by cppcheck: shift signed 32-bit value by 31 bits and uninitialized variable. Thanks Jiahao Wang for the patch.
- bugfix: fixed a possible division by zero bugs found by cppcheck. Thanks Jiahao Wang for the patch.
- feature: support lua 5.2+.
upgraded luajit2 to 2.1-20220411
- Add missing check for LJ_KEYINDEX in ITERN recording.
- DynASM/ARM64: Fix NOP instruction for aligment.
- Fix soft-float IR_POW splitting.
- Fix BC_UCLO insertion for returns.
- Fix string buffer COW handling.
- Fix command-line argv handling.
- Always exit after machine code page protection change fails.
- Fix FOLD rule for BUFHDR append with intervening buffer use.
- Fix compiled error handling for buffer methods.
- FFI: Ensure library is loaded before de-serializing FFI types.
- Fix HREFK forwarding vs. table.clear().
- Fix FOLD rule for BUFHDR append.
- Fix tonumber("-0") in dual-number mode.
- Limit work done in SINK pass.
- Fix ABC FOLD rule with constants.
- Windows: Fix binary output of jit.bcsave to stdout.
- Fix FOLD rule for x-0.
- ARM64: Fix pcall() error case.
- refactor: removed duplicated table entries. Thanks lijunlong for the patch.
- OSX/ARM64: Fix external unwinding.
- Fix interaction of profiler and ITERN recording.
- Fix compilation of multi-result call to next().
- ARM64: Fix IR_HREF code generation.
- MIPS64: Fix soft-float IR_TOSTR.
- MIPS: Fix register allocation in assembly of HREF.
- Windows/x64: Document MSVC flags for C++ exception interoperability.
- FFI: Ensure returned string is alive in ffi.typeinfo().
- bugfix: fixed merge error which was introduced by commit 63dee93f4e. Thanks lijunlong for the patch.
- OSX/ARM64: Disable unwind info.
- Fix stack allocation after on-trace stack check.
- Fix ITERN blacklisting.
- Ensure ITERN forward progress on interpreter bailout.
- ARM64: Reorder interpreter stack frame and fix unwinding.
- Don't bail out to interpreter to JLOOP originating from ITERN.
- FFI: Don't load PC from non-function object in FFI continuation.
- FFI: Fix missing cts->L initialization in argv2ctype().
- OSX/ARM64: Disable external unwinding for now.
- Compile table traversals: next(), pairs(), BC_ISNEXT/BC_ITERN. This work sponsored by OpenResty INC.
- Use IR_HIOP for generalized two-register returns.
- Refactor table traversal.
- ARM: Fix symbol display in trace disassembly.
- Refactor IR_TMPREF generation.
- Refactor IR_VLOAD to take an offset.
- MIPS: Fix trace linking.
- feature: implemented string.buffer library.
- Consider slots used by upvalues in use-def analysis.
- Prevent loop in snap_usedef().
- Fix io.close().
- Fix minilua vararg stack handling.
- Avoid out-of-range number of results when compiling select(k, ...).
- Fix error message in lj_lib_checkintrange().
- Fix IRXLOAD_* mode bits description.
- Add IRCONV_NONE for pass-through INT to I64/U64 type change.
- Fix jit.dump() output for IR_CONV.
- Change: Resolve luaL_newstate() return NULL in ppc64le issue. Thanks ManirajDeivendran for the patch.
- Disable unreliable assertion for external frame unwinding.
- Flush and close output file after profiling run.
- Avoid conflict between 64 bit lightuserdata and ITERN key.
- Change: Resolve compilation error in ppc Thanks Maniraj Deivendran for the patch.
- bugfix: disabled the assertion since it might be a false alarm on fedora aarch64.
- feature: added the trace entry and normal exit events in the GC64 interpreter. Thanks doujiang24 for the patch.
- Throw any errors before stack changes in trace stitching.
- DynASM/x86: Add missing escape in pattern.
- DynASM/ARM64: Fix LSL/BFI* encoding with variable shifts.
- Fix MinGW static build.
- Fix dependencies.
- Fix IR_BUFHDR assembly.
- FFI: Support FFI numbers in string.format() and buf:putf().
- ARM64: More improvements to the generation of immediates.
- Abstract out on-demand loading of FFI library.
- FFI: Fix dangling reference to CType.
- PPC/PS3: Fix BC_ADD*/BC_SUB*.
- Fix use-def analysis for vararg functions.
- Fix use-def analysis for BC_VARG.
- DynASM/ARM64: Fix ADRP encoding with absolute address.
- Fix compiler warnings.
- DynASM/ARM64: Add .long expr. Add .quad/.addr expr + refs.
- DynASM/x86: Fix x64 .aword refs. Add .qword, .quad, .addr and .long.
- FFI/ARM64/OSX: Fix vararg call handling.
- Prevent compile of __concat with tailcall to fast function.
- Fix IR_RENAME snapshot number. Follow-up fix for a32aeadc.
- DynASM: Fix global label references
- DynASM/ARM64: Add VREG support.
- Fix build with busybox grep.
- NetBSD: Use PROT_MPROTECT() and disable getentropy().
- Allow disabling the serializer.
- BSD: Fix build with BSD grep.
- Fix .bat file builds.
- OSX: Fix build by hardcoding external frame unwinding.
- Reorganize lightuserdata interning code.
- Upgrade docs to HTML5. It's about time.
- FFI: Handle zero-fill of struct-of-NYI.
- ARM64: Improve generation of immediates.
- Detect inconsistent renames even in the presence of sunk values.
- Handle on-trace OOM errors from helper functions.
- Use weak guards for on-trace allocations.
- PPC: Fix GG_State loads.
- MIPS: Fix handling of long-range spare jumps.
- Cleanup and enable external unwinding for more platforms.
- Remove specific version numbers from the docs.
- iOS: Don't use getentropy() since it's disallowed in the App Store.
- Linux/ARM64: Make mremap() non-moving due to VA space woes.