.github/DISCUSSION_TEMPLATE/general.yml

@@ -1,15 +0,0 @@
----
-body:
-  - type: markdown
-    attributes:
-      value: |
-        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
-  - type: textarea
-    id: general
-    attributes:
-      label: What would you like to discuss?
-      description: Please provide as much context as possible. Remember that only general discussions related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
-      value: |
-        I would like to discuss...
-    validations:
-      required: true

.github/DISCUSSION_TEMPLATE/ideas.yml

@@ -1,15 +0,0 @@
----
-body:
-  - type: markdown
-    attributes:
-      value: |
-        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
-  - type: textarea
-    id: ideas
-    attributes:
-      label: What idea would you like to discuss?
-      description: Please provide as much context as possible. Remember that only ideas related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
-      value: |
-        I have an idea for...
-    validations:
-      required: true

.github/DISCUSSION_TEMPLATE/q-a.yml

@@ -1,15 +0,0 @@
----
-body:
-  - type: markdown
-    attributes:
-      value: |
-        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
-  - type: textarea
-    id: q-a
-    attributes:
-      label: What question do you have?
-      description: Please provide as much context as possible. Remember that only questions related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
-      value: |
-        I would like to know...
-    validations:
-      required: true

.github/ISSUE_TEMPLATE/bug_report.md

@@ -0,0 +1,38 @@
+---
+name: Bug report
+about: Create a report to help us improve
+title: ""
+labels: "bug"
+---
+
+### Environment
+
+Include the result of the following commands:
+  - `nginx -V`
+  - `uname -a`
+
+### Description
+
+Describe the bug in full detail including expected and actual behavior.
+Specify conditions that caused it. Provide the relevant part of nginx
+configuration and debug log.
+
+- [ ] The bug is reproducible with the latest version of nginx
+- [ ] The nginx configuration is minimized to the smallest possible
+to reproduce the issue and doesn't contain third-party modules
+
+#### nginx configuration
+
+```
+# Your nginx configuration here
+```
+or share the configuration in [gist](https://gist.github.com/).
+
+#### nginx debug log
+
+It is advised to enable
+[debug logging](http://nginx.org/en/docs/debugging_log.html).
+```
+# Your nginx debug log here
+```
+or share the debug log in [gist](https://gist.github.com/).

.github/ISSUE_TEMPLATE/bug_report.yml

@@ -1,106 +0,0 @@
----
-name: 🐛 Bug report
-description: Create a report to help us improve
-labels: bug
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this bug report!
-
-        Before you continue filling out this report, please take a moment to check that your bug has not been [already reported on GitHub][issue search], is reproducible with the latest version of nginx, and does not involve any third-party modules 🙌
-
-        Remember to redact any sensitive information such as authentication credentials and/or license keys!
-
-        **Note:** If you are seeking community support, please start a new topic in the [NGINX Community forum][forum]. If you wish to discuss the codebase, please start a new thread via [GitHub discussions][discussions].
-
-        [issue search]: https://github.com/nginx/nginx/search?q=is%3Aissue&type=issues
-        [discussions]: https://github.com/nginx/nginx/discussions
-        [forum]: https://community.nginx.org
-
-  - type: textarea
-    id: overview
-    attributes:
-      label: Bug Overview
-      description: A clear and concise overview of the bug.
-      placeholder: When I do "X", "Y" happens instead of "Z".
-    validations:
-      required: true
-
-  - type: textarea
-    id: behavior
-    attributes:
-      label: Expected Behavior
-      description: A clear and concise description of what you expected to happen.
-      placeholder: When I do "X", I expect "Z" to happen.
-    validations:
-      required: true
-
-  - type: textarea
-    id: steps
-    attributes:
-      label: Steps to Reproduce the Bug
-      description: Detail the series of steps required to reproduce the bug.
-      placeholder: When I run "X" using [...], "X" fails with "Y" error message. If I check the terminal outputs and/or logs, I see the following info.
-    validations:
-      required: true
-
-  - type: textarea
-    id: configuration
-    attributes:
-      label: NGINX Configuration
-      description: Please provide your NGINX configuration. Minimize it to the smallest possible configuration that reproduces the issue.
-      value: |
-        ```
-        # Your NGINX configuration
-        ```
-    validations:
-      required: true
-
-  - type: textarea
-    id: version
-    attributes:
-      label: NGINX version and build configuration options
-      description: Please provide details about your NGINX build.
-      value: |
-        The output of `nginx -V`: [...]
-    validations:
-      required: true
-
-  - type: textarea
-    id: environment
-    attributes:
-      label: Environment where NGINX is being built and/or deployed
-      description: Please provide details about your environment.
-      value: |
-        - Target deployment platform: [e.g. AWS/GCP/local cluster/etc...]
-        - Target OS: [e.g. RHEL 9/Ubuntu 24.04/etc...]
-    validations:
-      required: true
-
-  - type: textarea
-    id: architecture
-    attributes:
-      label: Architecture where NGINX is being built and/or deployed
-      description: Please provide details about your deployment environment.
-      value: |
-        The output of `uname -a`: [...]
-    validations:
-      required: true
-
-  - type: textarea
-    id: logs
-    attributes:
-      label: NGINX Debug Log
-      description: Please provide your NGINX debug log. See this [doc](http://nginx.org/en/docs/debugging_log.html) for details on how to enable it.
-      value: |
-        ```
-        # Your NGINX debug log
-        ```
-
-  - type: textarea
-    id: context
-    attributes:
-      label: Additional Context
-      description: Add any other context about the problem here.
-      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this issue in here.

.github/ISSUE_TEMPLATE/config.yml

@@ -1,12 +0,0 @@
----
-blank_issues_enabled: false
-contact_links:
-  - name: 💬 Talk to the NGINX community!
-    url: https://community.nginx.org
-    about: A community forum for NGINX users, developers, and contributors
-  - name: 📝 Code of Conduct
-    url: https://www.contributor-covenant.org/version/2/1/code_of_conduct
-    about: NGINX follows the Contributor Covenant Code of Conduct to ensure a safe and inclusive community
-  - name: 💼 For commercial & enterprise users
-    url: https://www.f5.com/products/nginx
-    about: F5 offers a wide range of NGINX products for commercial & enterprise users

.github/ISSUE_TEMPLATE/feature_request.md

@@ -0,0 +1,18 @@
+---
+name: Feature request
+about: Suggest a feature for nginx
+title: ""
+labels: "feature"
+---
+
+### Describe the feature you'd like to add to nginx
+
+A clear and concise description of the feature.
+
+### Describe the problem this feature solves
+
+A clear and concise description of the problem.
+
+### Additional context
+
+Add any other context about the feature request here.

.github/ISSUE_TEMPLATE/feature_request.yml

@@ -1,40 +0,0 @@
----
-name: ✨ Feature request
-description: Suggest an idea for this project
-labels: enhancement
-body:
-  - type: markdown
-    attributes:
-      value: |
-        Thanks for taking the time to fill out this feature request!
-
-        Before you continue filling out this request, please take a moment to check that your feature has not been [already requested on GitHub][issue search] 🙌
-
-        **Note:** If you are seeking community support, please start a new topic in the [NGINX Community forum][forum]. If you wish to discuss the codebase, please start a new thread via [GitHub discussions][discussions].
-
-        [issue search]: https://github.com/nginx/nginx/search?q=is%3Aissue&type=issues
-        [discussions]: https://github.com/nginx/nginx/discussions
-        [forum]: https://community.nginx.org
-
-  - type: textarea
-    id: overview
-    attributes:
-      label: Feature Overview
-      description: A clear and concise description of what the feature request is.
-      placeholder: I would like this project to be able to do "X".
-    validations:
-      required: true
-
-  - type: textarea
-    id: alternatives
-    attributes:
-      label: Alternatives Considered
-      description: Detail any potential alternative solutions/workarounds you've used or considered.
-      placeholder: I have done/might be able to do "X" in this project by doing "Y".
-
-  - type: textarea
-    id: context
-    attributes:
-      label: Additional Context
-      description: Add any other context about the problem here.
-      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this feature request here.

.github/pull_request_template.md

@@ -1,10 +1,10 @@
 ### Proposed changes
 
-Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) in this PR's description or commit message.
+Describe the use case and detail of the change.
 
-### Checklist
+If this pull request addresses an issue on GitHub, make sure to reference that
+issue using one of the
+[supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue).
 
-Before creating a PR, run through this checklist and mark each as complete:
-
-- [ ] I have read the [contributing guidelines](/CONTRIBUTING.md).
-- [ ] I have checked that NGINX compiles and runs after adding my changes.
+Before creating a pull request, make sure to comply with the
+[Contributing Guidelines](https://github.com/nginx/nginx/blob/master/CONTRIBUTING.md).

CONTRIBUTING.md

@@ -5,34 +5,34 @@ We really appreciate that you are considering contributing!
 
 ## Table of Contents
 
+- [Ask a Question](#ask-a-question)
 - [Report a Bug](#report-a-bug)
 - [Suggest a Feature or Enhancement](#suggest-a-feature-or-enhancement)
 - [Open a Discussion](#open-a-discussion)
 - [Submit a Pull Request](#submit-a-pull-request)
 - [Issue Lifecycle](#issue-lifecycle)
 
+## Ask a Question
+
+To ask a question, open an issue on GitHub with the label `question`.
+
 ## Report a Bug
 
 To report a bug, open an issue on GitHub with the label `bug` using the
-available [bug report issue form](/.github/ISSUE_TEMPLATE/bug_report.yml).
-Please ensure the bug has not already been reported. **If the bug is a
-potential security vulnerability, please report it using our
-[security policy](/SECURITY.md).**
+available bug report issue template. Before reporting a bug, make sure the
+issue has not already been reported.
 
 ## Suggest a Feature or Enhancement
 
-To suggest a feature or enhancement, please create an issue on GitHub with the
-label `enhancement` using the available
-[feature request issue form](/.github/ISSUE_TEMPLATE/feature_request.yml).
+To suggest a feature or enhancement, open an issue on GitHub with the label
+`feature` or `enhancement` using the available feature request issue template.
 Please ensure the feature or enhancement has not already been suggested.
 
 ## Open a Discussion
 
 If you want to engage in a conversation with the community and maintainers,
 we encourage you to use
-[GitHub Discussions](https://github.com/nginx/nginx/discussions) to discuss
-the NGINX codebase or the [NGINX Community forum](https://community.nginx.org)
-to chat anything else NGINX (including troubleshooting).
+[GitHub Discussions](https://github.com/nginx/nginx/discussions).
 
 ## Submit a Pull Request
 
@@ -89,20 +89,7 @@ git clone https://github.com/nginx/nginx-tests.git
 ```
 
 - Submitting a change implies granting project a permission to use it under the
-[BSD-2-Clause license](/LICENSE)
-
-### F5 Contributor License Agreement (CLA)
-
-F5 requires all contributors to agree to the terms of the F5 CLA
-(available [here](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md))
-before any of their changes can be incorporated into an F5 Open Source
-repository (even contributions to the F5 CLA itself!).
-
-If you have not yet agreed to the F5 CLA terms and submit a PR to this
-repository, a bot will prompt you to view and agree to the F5 CLA.
-You will have to agree to the F5 CLA terms through a comment in the PR
-before any of your changes can be merged. Your agreement signature
-will be safely stored by F5 and no longer be required in future PRs.
+[BSD-2-Clause license](https://github.com/nginx/nginx/blob/master/LICENSE)
 
 ## Issue Lifecycle
 

README.md

@@ -4,11 +4,6 @@
   <img alt="NGINX Banner">
 </picture>
 
-[![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
-[![Community Forum](https://img.shields.io/badge/community-forum-009639?logo=discourse&link=https%3A%2F%2Fcommunity.nginx.org)](https://community.nginx.org)
-[![License](https://img.shields.io/badge/License-BSD%202--Clause-blue.svg)](/LICENSE)
-[![Code of Conduct](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md)
-
 NGINX (pronounced "engine x" or "en-jin-eks") is the world's most popular Web Server, high performance Load Balancer, Reverse Proxy, API Gateway and Content Cache.
 
 NGINX is free and open source software, distributed under the terms of a simplified [2-clause BSD-like license](LICENSE).
@@ -65,6 +60,7 @@ nginx -V
 ```
 > See [Configuring the build](#configuring-the-build) for information on how to include specific Static modules into your nginx build.
 
+
 ## Configurations
 NGINX is highly flexible and configurable. Provisioning the software is achieved via text-based config file(s) accepting parameters called "[Directives](https://nginx.org/en/docs/dirindex.html)". See [Configuration File's Structure](https://nginx.org/en/docs/beginners_guide.html#conf_structure) for a comprehensive description of how NGINX configuration files work.
 
@@ -213,7 +209,9 @@ The output of which should start with:
 ```
 
 # Asking questions and reporting issues
-See our [Support](SUPPORT.md) guidelines for information on how discuss the codebase, ask troubleshooting questions, and report issues.
+We encourage you to engage with us.
+- [NGINX GitHub Discussions](https://github.com/nginx/nginx/discussions), is the go-to place to start asking questions and sharing your thoughts.
+- Our [GitHub Issues](https://github.com/nginx/nginx/issues) page offers space to submit and discuss specific issues, report bugs, and suggest enhancements.
 
 # Contributing code
 Please see the [Contributing](CONTRIBUTING.md) guide for information on how to contribute code.

SUPPORT.md

@@ -1,48 +0,0 @@
-# Support
-
-## Ask a Question
-
-We use GitHub issues for tracking bugs and feature requests
-related to this project.
-
-If you don't know how something in the codebase works, are curious if NGINX
-is capable of achieving your desired functionality or want to discuss the
-implementation of an existing or in development feature, please start a
-GitHub discussion!
-
-## NGINX Specific Questions and/or Issues
-
-This project isn't the right place to get support for NGINX and/or NGINX
-troubleshooting questions, but the following resources are available below.
-Thanks for your understanding!
-
-### Community Forum
-
-We have a [community forum](https://community.nginx.org/)!
-If you have any NGINX specific questions and/or issues,
-try checking out the [`NGINX category`](https://community.nginx.org/c/projects/nginx/23).
-For general discussions around anything tangentially NGINX related,
-check out the [`General Discussion category`](https://community.nginx.org/c/general-discussion/34).
-Both fellow community members and NGINXers might be able to help you! :)
-
-### Documentation
-
-For a comprehensive list of all NGINX directives, check out <https://nginx.org>.
-
-For a comprehensive list of administration and deployment guides for all
-NGINX products, check out <https://docs.nginx.com>.
-
-## Contributing
-
-Please see the [contributing guide](/CONTRIBUTING.md) for guidelines
-on how to best contribute to this project.
-
-## Commercial Support
-
-Commercial support for this project is available.
-Please get in touch with [F5 sales](https://www.f5.com/products/get-f5/)
-or check your contract details for more information!
-
-## Community Support
-
-Community support is offered on a best effort basis through any of our active communities.

auto/cc/clang

@@ -5,6 +5,15 @@
 # clang
 
 
+NGX_CLANG_VER=`$CC -v 2>&1 | grep 'version' 2>&1 \
+                           | sed -n -e 's/^.*clang version \(.*\)/\1/p' \
+                                    -e 's/^.*LLVM version \(.*\)/\1/p'`
+
+echo " + clang version: $NGX_CLANG_VER"
+
+have=NGX_COMPILER value="\"clang $NGX_CLANG_VER\"" . auto/define
+
+
 CC_TEST_FLAGS="-pipe"
 
 

auto/cc/gcc

@@ -8,6 +8,14 @@
 #     4.0.0, 4.0.1, 4.1.0
 
 
+NGX_GCC_VER=`$CC -v 2>&1 | grep 'gcc version' 2>&1 \
+                         | sed -e 's/^.* version \(.*\)/\1/'`
+
+echo " + gcc version: $NGX_GCC_VER"
+
+have=NGX_COMPILER value="\"gcc $NGX_GCC_VER\"" . auto/define
+
+
 # Solaris 7's /usr/ccs/bin/as does not support "-pipe"
 
 CC_TEST_FLAGS="-pipe"
@@ -104,7 +112,7 @@ esac
 
 CC_AUX_FLAGS="$CC_AUX_FLAGS $CPU_OPT"
 
-case "$NGX_CC_VER" in
+case "$NGX_GCC_VER" in
     2.7*)
         # batch build
         CPU_OPT=
@@ -137,7 +145,7 @@ CFLAGS="$CFLAGS -Wall -Wpointer-arith"
 #CFLAGS="$CFLAGS -Winline"
 #CFLAGS="$CFLAGS -Wmissing-prototypes"
 
-case "$NGX_CC_VER" in
+case "$NGX_GCC_VER" in
     2.*)
         # we have a lot of the unused function arguments
         CFLAGS="$CFLAGS -Wno-unused"

auto/cc/icc

@@ -5,6 +5,14 @@
 
 # Intel C++ compiler 7.1, 8.0, 8.1, 9.0, 11.1
 
+NGX_ICC_VER=`$CC -V 2>&1 | grep 'Version' 2>&1 \
+                         | sed -e 's/^.* Version \([^ ]*\) *Build.*$/\1/'`
+
+echo " + icc version: $NGX_ICC_VER"
+
+have=NGX_COMPILER value="\"Intel C Compiler $NGX_ICC_VER\"" . auto/define
+
+
 # optimizations
 
 CFLAGS="$CFLAGS -O"
@@ -75,7 +83,7 @@ CFLAGS="$CFLAGS -wd1418"
 # external declaration in primary source file
 CFLAGS="$CFLAGS -wd1419"
 
-case "$NGX_CC_VER" in
+case "$NGX_ICC_VER" in
     9.*)
         # "cc" clobber ignored, warnings for Linux's htonl()/htons()
         CFLAGS="$CFLAGS -wd1469"

auto/cc/msvc

@@ -11,12 +11,20 @@
 # MSVC 2015 (14.0)                        cl 19.00
 
 
-ngx_msvc_ver=`echo $NGX_CC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
+NGX_MSVC_VER=`$NGX_WINE $CC 2>&1 | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
+                                 | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
+
+echo " + cl version: $NGX_MSVC_VER"
+
+have=NGX_COMPILER value="\"cl $NGX_MSVC_VER\"" . auto/define
+
+
+ngx_msvc_ver=`echo $NGX_MSVC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
 
 
 # detect x64 builds
 
-case "$NGX_CC_VER" in
+case "$NGX_MSVC_VER" in
 
     *ARM64)
         NGX_MACHINE=arm64

auto/cc/name

@@ -28,13 +28,6 @@ if [ "$CC" = cl ]; then
     NGX_CC_NAME=msvc
     echo " + using Microsoft Visual C++ compiler"
 
-    NGX_CC_VER=`$NGX_WINE $CC 2>&1 \
-                | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
-                | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
-    echo " + cl version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"cl $NGX_CC_VER\"" . auto/define
-
 elif [ "$CC" = wcl386 ]; then
     NGX_CC_NAME=owc
     echo " + using Open Watcom C compiler"
@@ -47,48 +40,22 @@ elif `$CC -V 2>&1 | grep '^Intel(R) C' >/dev/null 2>&1`; then
     NGX_CC_NAME=icc
     echo " + using Intel C++ compiler"
 
-    NGX_CC_VER=`$CC -V 2>&1 \
-                | sed -n -e 's/^.* Version \([^ ]*\) *Build.*$/\1/p'`
-    echo " + icc version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"Intel C Compiler $NGX_CC_VER\"" . auto/define
-
 elif `$CC -v 2>&1 | grep 'gcc version' >/dev/null 2>&1`; then
     NGX_CC_NAME=gcc
     echo " + using GNU C compiler"
 
-    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*gcc version \(.*\)/\1/p'`
-    echo " + gcc version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"gcc $NGX_CC_VER\"" . auto/define
-
 elif `$CC -v 2>&1 | grep 'clang version' >/dev/null 2>&1`; then
     NGX_CC_NAME=clang
     echo " + using Clang C compiler"
 
-    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*clang version \(.*\)/\1/p'`
-    echo " + clang version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"clang $NGX_CC_VER\"" . auto/define
-
 elif `$CC -v 2>&1 | grep 'LLVM version' >/dev/null 2>&1`; then
     NGX_CC_NAME=clang
     echo " + using Clang C compiler"
 
-    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*LLVM version \(.*\)/\1/p'`
-    echo " + clang version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"clang $NGX_CC_VER\"" . auto/define
-
 elif `$CC -V 2>&1 | grep 'Sun C' >/dev/null 2>&1`; then
     NGX_CC_NAME=sunc
     echo " + using Sun C compiler"
 
-    NGX_CC_VER=`$CC -V 2>&1 | sed -n -e 's/^.* Sun C \(.*\)/\1/p'`
-    echo " + Sun C version: $NGX_CC_VER"
-
-    have=NGX_COMPILER value="\"Sun C $NGX_CC_VER\"" . auto/define
-
 elif `$CC -V 2>&1 | grep '^Compaq C' >/dev/null 2>&1`; then
     NGX_CC_NAME=ccc
     echo " + using Compaq C compiler"

auto/cc/sunc

@@ -13,6 +13,13 @@
 # Sun C 5.13 SunOS_i386 2014/10/20        Oracle Solaris Studio 12.4
 # Sun C 5.14 SunOS_i386 2016/05/31        Oracle Developer Studio 12.5
 
+NGX_SUNC_VER=`$CC -V 2>&1 | grep 'Sun C' 2>&1 \
+                          | sed -e 's/^.* Sun C \(.*\)/\1/'`
+
+echo " + Sun C version: $NGX_SUNC_VER"
+
+have=NGX_COMPILER value="\"Sun C $NGX_SUNC_VER\"" . auto/define
+
 
 cat << END > $NGX_AUTOTEST.c
 

auto/lib/pcre/make

@@ -37,7 +37,6 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
                        pcre2_xclass.c"
 
         ngx_pcre_test="pcre2_chkdint.c \
-                       pcre2_compile_cgroup.c \
                        pcre2_compile_class.c \
                        pcre2_convert.c \
                        pcre2_extuni.c \

auto/modules

@@ -729,7 +729,7 @@ if [ $HTTP = YES ]; then
 
         ngx_module_name=ngx_http_proxy_module
         ngx_module_incs=
-        ngx_module_deps=src/http/modules/ngx_http_proxy_module.h
+        ngx_module_deps=
         ngx_module_srcs=src/http/modules/ngx_http_proxy_module.c
         ngx_module_libs=
         ngx_module_link=$HTTP_PROXY
@@ -781,17 +781,6 @@ if [ $HTTP = YES ]; then
         . auto/module
     fi
 
-    if [ $HTTP_PROXY = YES -a $HTTP_V2 = YES ]; then
-        ngx_module_name=ngx_http_proxy_v2_module
-        ngx_module_incs=
-        ngx_module_deps=
-        ngx_module_srcs=src/http/modules/ngx_http_proxy_v2_module.c
-        ngx_module_libs=
-        ngx_module_link=$HTTP_V2
-
-        . auto/module
-    fi
-
     if [ $HTTP_PERL != NO ]; then
         ngx_module_name=ngx_http_perl_module
         ngx_module_incs=src/http/modules/perl

docs/xml/nginx/changes.xml

@@ -5,144 +5,6 @@
 <change_log title="nginx">
 
 
-<changes ver="1.29.4" date="2025-12-09">
-
-<change type="feature">
-<para lang="ru">
-модуль ngx_http_proxy_module поддерживает HTTP/2.
-</para>
-<para lang="en">
-the ngx_http_proxy_module supports HTTP/2.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-поддержка расширения TLS Encrypted ClientHello
-при использовании ветки разработки ECH OpenSSL;
-директива ssl_ech_file.<br/>
-Спасибо Stephen Farrell.
-</para>
-<para lang="en">
-Encrypted ClientHello TLS extension support
-when using OpenSSL ECH feature branch;
-the "ssl_ech_file" directive.<br/>
-Thanks to Stephen Farrell.
-</para>
-</change>
-
-<change type="change">
-<para lang="ru">
-валидация хоста и порта в строке запроса,
-в заголовке "Host" и псевдо-заголовке ":authority"
-изменена на соответствующую RFC 3986.
-</para>
-<para lang="en">
-validation of host and port in the request line,
-"Host" header field, and ":authority" pseudo-header field
-has been changed to follow RFC 3986.
-</para>
-</change>
-
-<change type="change">
-<para lang="ru">
-теперь одиночный символ LF, используемый для перевода строки
-в chunked-теле запроса или ответа, считается ошибкой.
-</para>
-<para lang="en">
-now a single LF used as a line terminator
-in a chunked request or response body is considered an error.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-при использовании HTTP/3 с OpenSSL 3.5.1 и новее
-в рабочем процессе мог произойти segmentation fault;
-ошибка появилась в 1.29.1.<br/>
-Спасибо Jan Svojanovsky.
-</para>
-<para lang="en">
-when using HTTP/3 with OpenSSL 3.5.1 or newer
-a segmentation fault might occur in a worker process;
-the bug had appeared in 1.29.1.<br/>
-Thanks to Jan Svojanovsky.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-при совместном использовании директив try_files и proxy_pass с URI
-в рабочем процессе мог произойти segmentation fault.
-</para>
-<para lang="en">
-a segmentation fault might occur in a worker process
-if the "try_files" directive and "proxy_pass" with a URI were used.
-</para>
-</change>
-
-</changes>
-
-
-<changes ver="1.29.3" date="2025-10-28">
-
-<change type="feature">
-<para lang="ru">
-директивы add_header_inherit и add_trailer_inherit.
-</para>
-<para lang="en">
-the "add_header_inherit" and "add_trailer_inherit" directives.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-переменные $request_port и $is_request_port.
-</para>
-<para lang="en">
-the $request_port and $is_request_port variables.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-переменные $ssl_sigalg и $ssl_client_sigalg.
-</para>
-<para lang="en">
-the $ssl_sigalg and $ssl_client_sigalg variables.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-параметр volatile директивы geo.
-</para>
-<para lang="en">
-the "volatile" parameter of the "geo" directive.
-</para>
-</change>
-
-<change type="feature">
-<para lang="ru">
-теперь сжатие сертификатов доступно с BoringSSL.
-</para>
-<para lang="en">
-now certificate compression is available with BoringSSL.
-</para>
-</change>
-
-<change type="bugfix">
-<para lang="ru">
-теперь сжатие сертификатов запрещено при включенном OCSP stapling.
-</para>
-<para lang="en">
-now certificate compression is disabled with OCSP stapling.
-</para>
-</change>
-
-</changes>
-
-
 <changes ver="1.29.2" date="2025-10-07">
 
 <change type="feature">

misc/GNUmakefile

@@ -6,9 +6,9 @@ TEMP =		tmp
 
 CC =		cl
 OBJS =		objs.msvc8
-OPENSSL =	openssl-3.5.4
+OPENSSL =	openssl-3.5.2
 ZLIB =		zlib-1.3.1
-PCRE =		pcre2-10.46
+PCRE =		pcre2-10.45
 
 
 release: export

src/core/nginx.h

@@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
 
 
-#define nginx_version      1029005
-#define NGINX_VERSION      "1.29.5"
+#define nginx_version      1029002
+#define NGINX_VERSION      "1.29.2"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 
 #ifdef NGX_BUILD

src/event/ngx_event_openssl.c

@@ -9,10 +9,6 @@
 #include <ngx_core.h>
 #include <ngx_event.h>
 
-#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
-#include <zlib.h>
-#endif
-
 
 #define NGX_SSL_PASSWORD_BUFFER_SIZE  4096
 
@@ -23,13 +19,6 @@ typedef struct {
 
 
 static ngx_inline ngx_int_t ngx_ssl_cert_already_in_hash(void);
-#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
-static int ngx_ssl_cert_compression_callback(ngx_ssl_conn_t *ssl_conn,
-    CBB *out, const uint8_t *in, size_t in_len);
-static void *ngx_ssl_cert_compression_alloc(void *opaque, u_int items,
-    u_int size);
-static void ngx_ssl_cert_compression_free(void *opaque, void *address);
-#endif
 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
     int ret);
@@ -139,7 +128,6 @@ int  ngx_ssl_ticket_keys_index;
 int  ngx_ssl_ocsp_index;
 int  ngx_ssl_index;
 int  ngx_ssl_certificate_name_index;
-int  ngx_ssl_certificate_comp_index;
 int  ngx_ssl_client_hello_arg_index;
 
 
@@ -283,13 +271,6 @@ ngx_ssl_init(ngx_log_t *log)
         return NGX_ERROR;
     }
 
-    ngx_ssl_certificate_comp_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
-                                                           NULL);
-    if (ngx_ssl_certificate_comp_index == -1) {
-        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
-        return NGX_ERROR;
-    }
-
     ngx_ssl_client_hello_arg_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
                                                               NULL, NULL);
     if (ngx_ssl_client_hello_arg_index == -1) {
@@ -748,18 +729,6 @@ ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
 
     SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TX_CERTIFICATE_COMPRESSION);
 
-#elif (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
-
-    if (SSL_CTX_add_cert_compression_alg(ssl->ctx, TLSEXT_cert_compression_zlib,
-                                         ngx_ssl_cert_compression_callback,
-                                         NULL)
-        == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_add_cert_compression_alg() failed");
-        return NGX_ERROR;
-    }
-
 #else
 
     ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
@@ -772,155 +741,6 @@ ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
 }
 
 
-#if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
-
-static int
-ngx_ssl_cert_compression_callback(ngx_ssl_conn_t *ssl_conn, CBB *out,
-    const uint8_t *in, size_t in_len)
-{
-    int                rc;
-    X509              *cert;
-    u_char            *p;
-    z_stream           zstream;
-    ngx_str_t         *comp, tmp;
-    ngx_pool_t        *pool;
-    ngx_connection_t  *c;
-
-#ifdef OPENSSL_IS_BORINGSSL
-    {
-    SSL_CTX    *ssl_ctx;
-    ngx_ssl_t  *ssl;
-
-    /* BoringSSL doesn't have certificate slots, we take the last set */
-
-    ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
-    ssl = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_index);
-    cert = ((X509 **) ssl->certs.elts)[ssl->certs.nelts - 1];
-    }
-#else
-
-    /*
-     * AWS-LC saves leaf certificate in SSL to associate with SSL_CTX,
-     * see https://github.com/aws/aws-lc/commit/e1ba2b3e5
-     */
-
-    cert = SSL_get_certificate(ssl_conn);
-
-#endif
-
-    comp = X509_get_ex_data(cert, ngx_ssl_certificate_comp_index);
-
-    if (comp != NULL) {
-        return CBB_add_bytes(out, comp->data, comp->len);
-    }
-
-    c = ngx_ssl_get_connection(ssl_conn);
-
-    pool = ngx_create_pool(256, c->log);
-    if (pool == NULL) {
-        return 0;
-    }
-
-    pool->log = c->log;
-
-    ngx_memzero(&zstream, sizeof(z_stream));
-
-    zstream.zalloc = ngx_ssl_cert_compression_alloc;
-    zstream.zfree = ngx_ssl_cert_compression_free;
-    zstream.opaque = pool;
-
-    rc = deflateInit(&zstream, Z_DEFAULT_COMPRESSION);
-
-    if (rc != Z_OK) {
-        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "deflateInit() failed: %d", rc);
-        goto error;
-    }
-
-    tmp.len = deflateBound(&zstream, in_len);
-    tmp.data = ngx_palloc(pool, tmp.len);
-    if (tmp.data == NULL) {
-        goto error;
-    }
-
-    zstream.next_in = (u_char *) in;
-    zstream.avail_in = in_len;
-    zstream.next_out = tmp.data;
-    zstream.avail_out = tmp.len;
-
-    rc = deflate(&zstream, Z_FINISH);
-
-    if (rc != Z_STREAM_END) {
-        ngx_log_error(NGX_LOG_ALERT, c->log, 0,
-                      "deflate(Z_FINISH) failed: %d", rc);
-        goto error;
-    }
-
-    tmp.len -= zstream.avail_out;
-
-    rc = deflateEnd(&zstream);
-
-    if (rc != Z_OK) {
-        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "deflateEnd() failed: %d", rc);
-        goto error;
-    }
-
-    p = ngx_alloc(sizeof(ngx_str_t) + tmp.len, c->log);
-    if (p == NULL) {
-        goto error;
-    }
-
-    comp = (ngx_str_t *) p;
-
-    comp->len = tmp.len;
-    comp->data = p + sizeof(ngx_str_t);
-
-    ngx_memcpy(comp->data, tmp.data, tmp.len);
-
-    if (X509_set_ex_data(cert, ngx_ssl_certificate_comp_index, p) == 0) {
-        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_set_ex_data() failed");
-        ngx_free(p);
-    }
-
-    rc = CBB_add_bytes(out, tmp.data, tmp.len);
-
-    ngx_destroy_pool(pool);
-
-    return rc;
-
-error:
-
-    ngx_destroy_pool(pool);
-
-    return 0;
-}
-
-
-static void *
-ngx_ssl_cert_compression_alloc(void *opaque, u_int items, u_int size)
-{
-    ngx_pool_t *pool = opaque;
-
-    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pool->log, 0,
-                   "cert compression alloc: n:%ud s:%ud", items, size);
-
-    return ngx_palloc(pool, items * size);
-}
-
-
-static void
-ngx_ssl_cert_compression_free(void *opaque, void *address)
-{
-#if 0
-    ngx_pool_t *pool = opaque;
-
-    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pool->log, 0,
-                   "cert compression free: %p", address);
-#endif
-}
-
-#endif
-
-
 ngx_int_t
 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
     ngx_uint_t prefer_server_ciphers)
@@ -1653,105 +1473,6 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 }
 
 
-ngx_int_t
-ngx_ssl_ech_files(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *filenames)
-{
-#ifdef SSL_OP_ECH_GREASE
-    int             numkeys;
-    BIO            *in;
-    ngx_int_t       rc;
-    ngx_str_t      *filename;
-    ngx_uint_t      i;
-    OSSL_ECHSTORE  *es;
-
-    if (filenames == NULL) {
-        return NGX_OK;
-    }
-
-    es = OSSL_ECHSTORE_new(NULL, NULL);
-    if (es == NULL) {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "OSSL_ECHSTORE_new() failed");
-        return NGX_ERROR;
-    }
-
-    rc = NGX_ERROR;
-    filename = filenames->elts;
-
-    for (i = 0; i < filenames->nelts; i++) {
-
-        if (ngx_conf_full_name(cf->cycle, &filename[i], 1) != NGX_OK) {
-            goto cleanup;
-        }
-
-        in = BIO_new_file((char *) filename[i].data, "r");
-        if (in == NULL) {
-            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                          "BIO_new_file(\"%s\") failed", filename[i].data);
-            goto cleanup;
-        }
-
-        /*
-         * We only set the ECHConfigList from the first file read to use
-         * in ECH retry-configs.
-         *
-         * That allows many sensible key rotation schemes so that the
-         * values sent in ECH retry-configs are smaller and current.
-         * For example, if the first file name has the current ECH
-         * private key, and a second one has the previously used key
-         * that some clients may still use due to DNS caching.
-         */
-
-         if (OSSL_ECHSTORE_read_pem(es, in, i ? OSSL_ECH_NO_RETRY
-                                              : OSSL_ECH_FOR_RETRY)
-             != 1)
-         {
-             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                           "OSSL_ECHSTORE_read_pem(%s) failed",
-                           filename[i].data);
-             BIO_free(in);
-             goto cleanup;
-         }
-
-         BIO_free(in);
-    }
-
-    /*
-     * load the ECH store after checking there's at least one ECH
-     * private key in there (the PEM file spec allows zero or one
-     * private key per file)
-     */
-
-    if (OSSL_ECHSTORE_num_keys(es, &numkeys) != 1) {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "OSSL_ECHSTORE_num_keys(%s) failed");
-        goto cleanup;
-    }
-
-    if (numkeys > 0 && SSL_CTX_set1_echstore(ssl->ctx, es) != 1) {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_set1_echstore() failed");
-        goto cleanup;
-    }
-
-    rc = NGX_OK;
-
-cleanup:
-
-    OSSL_ECHSTORE_free(es);
-    return rc;
-
-#else
-    if (filenames != NULL) {
-        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
-                      "\"ssl_ech_file\" is not supported on this platform, "
-                      "ignored");
-    }
-
-    return NGX_OK;
-#endif
-}
-
-
 ngx_int_t
 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
 {
@@ -1971,34 +1692,21 @@ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
 }
 
 
-ngx_int_t
-ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl, ngx_ssl_client_hello_arg *cb)
+void
+ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
+    ngx_ssl_client_hello_arg *cb)
 {
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 
-    SSL_CTX_set_client_hello_cb(ssl->ctx, ngx_ssl_client_hello_callback, NULL);
-
-    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_set_ex_data() failed");
-        return NGX_ERROR;
-    }
+    SSL_CTX_set_client_hello_cb(ssl_ctx, ngx_ssl_client_hello_callback, NULL);
+    SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
 
 #elif defined OPENSSL_IS_BORINGSSL
 
-    SSL_CTX_set_select_certificate_cb(ssl->ctx, ngx_ssl_select_certificate);
-
-    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
-    {
-        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
-                      "SSL_CTX_set_ex_data() failed");
-        return NGX_ERROR;
-    }
+    SSL_CTX_set_select_certificate_cb(ssl_ctx, ngx_ssl_select_certificate);
+    SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
 
 #endif
-
-    return NGX_OK;
 }
 
 
@@ -5243,19 +4951,10 @@ ngx_ssl_cleanup_ctx(void *data)
     ngx_ssl_t  *ssl = data;
 
     X509        *cert;
-    u_char      *p;
     ngx_uint_t   i;
 
     for (i = 0; i < ssl->certs.nelts; i++) {
         cert = ((X509 **) ssl->certs.elts)[i];
-
-        p = X509_get_ex_data(cert, ngx_ssl_certificate_comp_index);
-
-        if (p) {
-            ngx_free(p);
-            X509_set_ex_data(cert, ngx_ssl_certificate_comp_index, NULL);
-        }
-
         X509_free(cert);
     }
 
@@ -5652,32 +5351,6 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }
 
 
-ngx_int_t
-ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
-{
-#ifdef SSL_get0_signature_name
-
-    const char  *name;
-
-    if (SSL_get0_signature_name(c->ssl->connection, &name)) {
-        s->len = ngx_strlen(name);
-        s->data = ngx_pnalloc(pool, s->len);
-        if (s->data == NULL) {
-            return NGX_ERROR;
-        }
-
-        ngx_memcpy(s->data, name, s->len);
-
-        return NGX_OK;
-    }
-
-#endif
-
-    s->len = 0;
-    return NGX_OK;
-}
-
-
 ngx_int_t
 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
@@ -5807,81 +5480,6 @@ ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }
 
 
-ngx_int_t
-ngx_ssl_get_ech_status(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
-{
-#ifdef SSL_OP_ECH_GREASE
-    int    echrv;
-    char  *inner_sni, *outer_sni;
-
-    inner_sni = NULL;
-    outer_sni = NULL;
-
-    echrv = SSL_ech_get1_status(c->ssl->connection, &inner_sni, &outer_sni);
-
-    switch (echrv) {
-    case SSL_ECH_STATUS_NOT_TRIED:
-        ngx_str_set(s, "NOT_TRIED");
-        break;
-    case SSL_ECH_STATUS_SUCCESS:
-        ngx_str_set(s, "SUCCESS");
-        break;
-    case SSL_ECH_STATUS_GREASE:
-        ngx_str_set(s, "GREASE");
-        break;
-    case SSL_ECH_STATUS_BACKEND:
-        ngx_str_set(s, "BACKEND");
-        break;
-    default:
-        ngx_str_set(s, "FAILED");
-        break;
-    }
-
-    OPENSSL_free(inner_sni);
-    OPENSSL_free(outer_sni);
-#else
-    s->len = 0;
-#endif
-    return NGX_OK;
-}
-
-
-ngx_int_t
-ngx_ssl_get_ech_outer_server_name(ngx_connection_t *c, ngx_pool_t *pool,
-    ngx_str_t *s)
-{
-#if defined(SSL_OP_ECH_GREASE)
-    int    echrv;
-    char  *inner_sni, *outer_sni;
-
-    inner_sni = NULL;
-    outer_sni = NULL;
-
-    echrv = SSL_ech_get1_status(c->ssl->connection, &inner_sni, &outer_sni);
-
-    if (echrv == SSL_ECH_STATUS_SUCCESS && outer_sni) {
-        s->len = ngx_strlen(outer_sni);
-
-        s->data = ngx_pnalloc(pool, s->len);
-        if (s->data == NULL) {
-            return NGX_ERROR;
-        }
-
-        ngx_memcpy(s->data, outer_sni, s->len);
-
-    } else {
-        s->len = 0;
-    }
-
-    OPENSSL_free(inner_sni);
-    OPENSSL_free(outer_sni);
-#else
-    s->len = 0;
-#endif
-    return NGX_OK;
-}
-
-
 ngx_int_t
 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
@@ -6498,32 +6096,6 @@ ngx_ssl_parse_time(
 }
 
 
-ngx_int_t
-ngx_ssl_get_client_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
-{
-#ifdef SSL_get0_peer_signature_name
-
-    const char  *name;
-
-    if (SSL_get0_peer_signature_name(c->ssl->connection, &name)) {
-        s->len = ngx_strlen(name);
-        s->data = ngx_pnalloc(pool, s->len);
-        if (s->data == NULL) {
-            return NGX_ERROR;
-        }
-
-        ngx_memcpy(s->data, name, s->len);
-
-        return NGX_OK;
-    }
-
-#endif
-
-    s->len = 0;
-    return NGX_OK;
-}
-
-
 static void *
 ngx_openssl_create_conf(ngx_cycle_t *cycle)
 {

src/event/ngx_event_openssl.h

@@ -271,8 +271,6 @@ ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
     ngx_array_t *passwords);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
-ngx_int_t ngx_ssl_ech_files(ngx_conf_t *cf, ngx_ssl_t *ssl,
-    ngx_array_t *filename);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_uint_t enable);
@@ -288,7 +286,7 @@ ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
     ngx_array_t *paths);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
 
-ngx_int_t ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl,
+void ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
     ngx_ssl_client_hello_arg *cb);
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 int ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
@@ -330,8 +328,6 @@ ngx_int_t ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
-ngx_int_t ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool,
-    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
@@ -340,10 +336,6 @@ ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
-ngx_int_t ngx_ssl_get_ech_status(ngx_connection_t *c, ngx_pool_t *pool,
-    ngx_str_t *s);
-ngx_int_t ngx_ssl_get_ech_outer_server_name(ngx_connection_t *c,
-    ngx_pool_t *pool, ngx_str_t *s);
 ngx_int_t ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
@@ -372,8 +364,6 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
     ngx_str_t *s);
-ngx_int_t ngx_ssl_get_client_sigalg(ngx_connection_t *c, ngx_pool_t *pool,
-    ngx_str_t *s);
 
 
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
@@ -401,7 +391,6 @@ extern int  ngx_ssl_ticket_keys_index;
 extern int  ngx_ssl_ocsp_index;
 extern int  ngx_ssl_index;
 extern int  ngx_ssl_certificate_name_index;
-extern int  ngx_ssl_certificate_comp_index;
 extern int  ngx_ssl_client_hello_arg_index;
 
 

src/event/quic/ngx_event_quic_ssl.c

@@ -185,13 +185,7 @@ ngx_quic_cbs_release_rcd(ngx_ssl_conn_t *ssl_conn, size_t bytes_read, void *arg)
     ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                    "quic ngx_quic_cbs_release_rcd len:%uz", bytes_read);
 
-    /* already closed on handshake failure */
-
     qc = ngx_quic_get_connection(c);
-    if (qc == NULL) {
-        return 1;
-    }
-
     ctx = ngx_quic_get_send_ctx(qc, qc->read_level);
 
     cl = ngx_quic_read_buffer(c, &ctx->crypto, bytes_read);

src/http/modules/ngx_http_chunked_filter_module.c

@@ -66,9 +66,7 @@ ngx_http_chunked_header_filter(ngx_http_request_t *r)
         || r->headers_out.status == NGX_HTTP_NO_CONTENT
         || r->headers_out.status < NGX_HTTP_OK
         || r != r->main
-        || r->method == NGX_HTTP_HEAD
-        || (r->method == NGX_HTTP_CONNECT
-            && r->headers_out.status < NGX_HTTP_SPECIAL_RESPONSE))
+        || r->method == NGX_HTTP_HEAD)
     {
         return ngx_http_next_header_filter(r);
     }

src/http/modules/ngx_http_geo_module.c

@@ -63,7 +63,6 @@ typedef struct {
     unsigned                         allow_binary_include:1;
     unsigned                         binary_include:1;
     unsigned                         proxy_recursive:1;
-    unsigned                         no_cacheable:1;
 } ngx_http_geo_conf_ctx_t;
 
 
@@ -464,7 +463,6 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
                   + sizeof(ngx_http_variable_value_t)
                   + 0x10000 * sizeof(ngx_http_geo_range_t *);
     ctx.allow_binary_include = 1;
-    ctx.no_cacheable = 0;
 
     save = *cf;
     cf->pool = pool;
@@ -480,10 +478,6 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         goto failed;
     }
 
-    if (ctx.no_cacheable) {
-        var->flags |= NGX_HTTP_VAR_NOCACHEABLE;
-    }
-
     geo->proxies = ctx.proxies;
     geo->proxy_recursive = ctx.proxy_recursive;
 
@@ -629,12 +623,6 @@ ngx_http_geo(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
             rv = NGX_CONF_OK;
             goto done;
         }
-
-        else if (ngx_strcmp(value[0].data, "volatile") == 0) {
-            ctx->no_cacheable = 1;
-            rv = NGX_CONF_OK;
-            goto done;
-        }
     }
 
     if (cf->args->nelts != 2) {

src/http/modules/ngx_http_headers_filter_module.c

@@ -10,11 +10,6 @@
 #include <ngx_http.h>
 
 
-#define NGX_HTTP_HEADERS_INHERIT_OFF    0
-#define NGX_HTTP_HEADERS_INHERIT_ON     1
-#define NGX_HTTP_HEADERS_INHERIT_MERGE  2
-
-
 typedef struct ngx_http_header_val_s  ngx_http_header_val_t;
 
 typedef ngx_int_t (*ngx_http_set_header_pt)(ngx_http_request_t *r,
@@ -54,8 +49,6 @@ typedef struct {
     ngx_http_complex_value_t  *expires_value;
     ngx_array_t               *headers;
     ngx_array_t               *trailers;
-    ngx_uint_t                 headers_inherit;
-    ngx_uint_t                 trailers_inherit;
 } ngx_http_headers_conf_t;
 
 
@@ -104,14 +97,6 @@ static ngx_http_set_header_t  ngx_http_set_headers[] = {
 };
 
 
-static ngx_conf_enum_t  ngx_http_headers_inherit[] = {
-    { ngx_string("off"),   NGX_HTTP_HEADERS_INHERIT_OFF },
-    { ngx_string("on"),    NGX_HTTP_HEADERS_INHERIT_ON },
-    { ngx_string("merge"), NGX_HTTP_HEADERS_INHERIT_MERGE },
-    { ngx_null_string, 0 }
-};
-
-
 static ngx_command_t  ngx_http_headers_filter_commands[] = {
 
     { ngx_string("expires"),
@@ -138,22 +123,6 @@ static ngx_command_t  ngx_http_headers_filter_commands[] = {
       offsetof(ngx_http_headers_conf_t, trailers),
       NULL },
 
-    { ngx_string("add_header_inherit"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-                        |NGX_CONF_TAKE1,
-      ngx_conf_set_enum_slot,
-      NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_headers_conf_t, headers_inherit),
-      &ngx_http_headers_inherit },
-
-    { ngx_string("add_trailer_inherit"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
-                        |NGX_CONF_TAKE1,
-      ngx_conf_set_enum_slot,
-      NGX_HTTP_LOC_CONF_OFFSET,
-      offsetof(ngx_http_headers_conf_t, trailers_inherit),
-      &ngx_http_headers_inherit },
-
       ngx_null_command
 };
 
@@ -688,8 +657,6 @@ ngx_http_headers_create_conf(ngx_conf_t *cf)
      */
 
     conf->expires = NGX_HTTP_EXPIRES_UNSET;
-    conf->headers_inherit = NGX_CONF_UNSET_UINT;
-    conf->trailers_inherit = NGX_CONF_UNSET_UINT;
 
     return conf;
 }
@@ -701,8 +668,6 @@ ngx_http_headers_merge_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_http_headers_conf_t *prev = parent;
     ngx_http_headers_conf_t *conf = child;
 
-    ngx_http_header_val_t  *hv;
-
     if (conf->expires == NGX_HTTP_EXPIRES_UNSET) {
         conf->expires = prev->expires;
         conf->expires_time = prev->expires_time;
@@ -713,43 +678,12 @@ ngx_http_headers_merge_conf(ngx_conf_t *cf, void *parent, void *child)
         }
     }
 
-    ngx_conf_merge_uint_value(conf->headers_inherit, prev->headers_inherit,
-                              NGX_HTTP_HEADERS_INHERIT_ON);
-    ngx_conf_merge_uint_value(conf->trailers_inherit, prev->trailers_inherit,
-                              NGX_HTTP_HEADERS_INHERIT_ON);
-
-    if (conf->headers_inherit != NGX_HTTP_HEADERS_INHERIT_OFF
-        && prev->headers)
-    {
-        if (conf->headers == NULL) {
-            conf->headers = prev->headers;
-
-        } else if (conf->headers_inherit == NGX_HTTP_HEADERS_INHERIT_MERGE) {
-            hv = ngx_array_push_n(conf->headers, prev->headers->nelts);
-            if (hv == NULL) {
-                return NGX_CONF_ERROR;
-            }
-
-            ngx_memcpy(hv, prev->headers->elts,
-                       sizeof(ngx_http_header_val_t) * prev->headers->nelts);
-        }
+    if (conf->headers == NULL) {
+        conf->headers = prev->headers;
     }
 
-    if (conf->trailers_inherit != NGX_HTTP_HEADERS_INHERIT_OFF
-        && prev->trailers)
-    {
-        if (conf->trailers == NULL) {
-            conf->trailers = prev->trailers;
-
-        } else if (conf->trailers_inherit == NGX_HTTP_HEADERS_INHERIT_MERGE) {
-            hv = ngx_array_push_n(conf->trailers, prev->trailers->nelts);
-            if (hv == NULL) {
-                return NGX_CONF_ERROR;
-            }
-
-            ngx_memcpy(hv, prev->trailers->elts,
-                       sizeof(ngx_http_header_val_t) * prev->trailers->nelts);
-        }
+    if (conf->trailers == NULL) {
+        conf->trailers = prev->trailers;
     }
 
     return NGX_CONF_OK;

src/http/modules/ngx_http_proxy_module.c

@@ -8,7 +8,6 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
-#include <ngx_http_proxy_module.h>
 
 
 #define  NGX_HTTP_PROXY_COOKIE_SECURE           0x0001
@@ -24,6 +23,11 @@
 #define  NGX_HTTP_PROXY_COOKIE_SAMESITE_OFF     0x0400
 
 
+typedef struct {
+    ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
+} ngx_http_proxy_main_conf_t;
+
+
 typedef struct ngx_http_proxy_rewrite_s  ngx_http_proxy_rewrite_t;
 
 typedef ngx_int_t (*ngx_http_proxy_rewrite_pt)(ngx_http_request_t *r,
@@ -57,6 +61,96 @@ typedef struct {
 } ngx_http_proxy_cookie_flags_t;
 
 
+typedef struct {
+    ngx_str_t                      key_start;
+    ngx_str_t                      schema;
+    ngx_str_t                      host_header;
+    ngx_str_t                      port;
+    ngx_str_t                      uri;
+} ngx_http_proxy_vars_t;
+
+
+typedef struct {
+    ngx_array_t                   *flushes;
+    ngx_array_t                   *lengths;
+    ngx_array_t                   *values;
+    ngx_hash_t                     hash;
+} ngx_http_proxy_headers_t;
+
+
+typedef struct {
+    ngx_http_upstream_conf_t       upstream;
+
+    ngx_array_t                   *body_flushes;
+    ngx_array_t                   *body_lengths;
+    ngx_array_t                   *body_values;
+    ngx_str_t                      body_source;
+
+    ngx_http_proxy_headers_t       headers;
+#if (NGX_HTTP_CACHE)
+    ngx_http_proxy_headers_t       headers_cache;
+#endif
+    ngx_array_t                   *headers_source;
+
+    ngx_array_t                   *proxy_lengths;
+    ngx_array_t                   *proxy_values;
+
+    ngx_array_t                   *redirects;
+    ngx_array_t                   *cookie_domains;
+    ngx_array_t                   *cookie_paths;
+    ngx_array_t                   *cookie_flags;
+
+    ngx_http_complex_value_t      *method;
+    ngx_str_t                      location;
+    ngx_str_t                      url;
+
+#if (NGX_HTTP_CACHE)
+    ngx_http_complex_value_t       cache_key;
+#endif
+
+    ngx_http_proxy_vars_t          vars;
+
+    ngx_flag_t                     redirect;
+
+    ngx_uint_t                     http_version;
+
+    ngx_uint_t                     headers_hash_max_size;
+    ngx_uint_t                     headers_hash_bucket_size;
+
+#if (NGX_HTTP_SSL)
+    ngx_uint_t                     ssl;
+    ngx_uint_t                     ssl_protocols;
+    ngx_str_t                      ssl_ciphers;
+    ngx_uint_t                     ssl_verify_depth;
+    ngx_str_t                      ssl_trusted_certificate;
+    ngx_str_t                      ssl_crl;
+    ngx_array_t                   *ssl_conf_commands;
+#endif
+} ngx_http_proxy_loc_conf_t;
+
+
+typedef struct {
+    ngx_http_status_t              status;
+    ngx_http_chunked_t             chunked;
+    ngx_http_proxy_vars_t          vars;
+    off_t                          internal_body_length;
+
+    ngx_chain_t                   *free;
+    ngx_chain_t                   *busy;
+
+    ngx_buf_t                     *trailers;
+
+    unsigned                       head:1;
+    unsigned                       internal_chunked:1;
+    unsigned                       header_sent:1;
+} ngx_http_proxy_ctx_t;
+
+
+static ngx_int_t ngx_http_proxy_eval(ngx_http_request_t *r,
+    ngx_http_proxy_ctx_t *ctx, ngx_http_proxy_loc_conf_t *plcf);
+#if (NGX_HTTP_CACHE)
+static ngx_int_t ngx_http_proxy_create_key(ngx_http_request_t *r);
+#endif
 static ngx_int_t ngx_http_proxy_create_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_proxy_reinit_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_proxy_body_output_filter(void *data, ngx_chain_t *in);
@@ -84,14 +178,15 @@ static ngx_int_t ngx_http_proxy_port_variable(ngx_http_request_t *r,
 static ngx_int_t
     ngx_http_proxy_add_x_forwarded_for_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t
-    ngx_http_proxy_internal_connection_variable(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t
     ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_proxy_internal_chunked_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
+static ngx_int_t ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r,
+    ngx_table_elt_t *h, size_t prefix);
+static ngx_int_t ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r,
+    ngx_table_elt_t *h);
 static ngx_int_t ngx_http_proxy_parse_cookie(ngx_str_t *value,
     ngx_array_t *attrs);
 static ngx_int_t ngx_http_proxy_rewrite_cookie_value(ngx_http_request_t *r,
@@ -198,9 +293,6 @@ static ngx_conf_post_t  ngx_http_proxy_ssl_conf_command_post =
 static ngx_conf_enum_t  ngx_http_proxy_http_version[] = {
     { ngx_string("1.0"), NGX_HTTP_VERSION_10 },
     { ngx_string("1.1"), NGX_HTTP_VERSION_11 },
-#if (NGX_HTTP_V2)
-    { ngx_string("2"), NGX_HTTP_VERSION_20 },
-#endif
     { ngx_null_string, 0 }
 };
 
@@ -748,8 +840,8 @@ static char  ngx_http_proxy_version_11[] = " HTTP/1.1" CRLF;
 
 
 static ngx_keyval_t  ngx_http_proxy_headers[] = {
-    { ngx_string("Host"), ngx_string("$proxy_internal_host") },
-    { ngx_string("Connection"), ngx_string("$proxy_internal_connection") },
+    { ngx_string("Host"), ngx_string("$proxy_host") },
+    { ngx_string("Connection"), ngx_string("close") },
     { ngx_string("Content-Length"), ngx_string("$proxy_internal_body_length") },
     { ngx_string("Transfer-Encoding"), ngx_string("$proxy_internal_chunked") },
     { ngx_string("TE"), ngx_string("") },
@@ -776,8 +868,8 @@ static ngx_str_t  ngx_http_proxy_hide_headers[] = {
 #if (NGX_HTTP_CACHE)
 
 static ngx_keyval_t  ngx_http_proxy_cache_headers[] = {
-    { ngx_string("Host"), ngx_string("$proxy_internal_host") },
-    { ngx_string("Connection"), ngx_string("$proxy_internal_connection") },
+    { ngx_string("Host"), ngx_string("$proxy_host") },
+    { ngx_string("Connection"), ngx_string("close") },
     { ngx_string("Content-Length"), ngx_string("$proxy_internal_body_length") },
     { ngx_string("Transfer-Encoding"), ngx_string("$proxy_internal_chunked") },
     { ngx_string("TE"), ngx_string("") },
@@ -812,14 +904,6 @@ static ngx_http_variable_t  ngx_http_proxy_vars[] = {
     { ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 },
 #endif
 
-    { ngx_string("proxy_internal_host"), NULL,
-      ngx_http_proxy_host_variable, 1,
-      NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
-
-    { ngx_string("proxy_internal_connection"), NULL,
-      ngx_http_proxy_internal_connection_variable, 0,
-      NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
-
     { ngx_string("proxy_internal_body_length"), NULL,
       ngx_http_proxy_internal_body_length_variable, 0,
       NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
@@ -878,14 +962,6 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
     ngx_http_proxy_main_conf_t  *pmcf;
 #endif
 
-    plcf = ngx_http_get_module_loc_conf(r, ngx_http_proxy_module);
-
-#if (NGX_HTTP_V2)
-    if (plcf->http_version == NGX_HTTP_VERSION_20) {
-        return ngx_http_proxy_v2_handler(r);
-    }
-#endif
-
     if (ngx_http_upstream_create(r) != NGX_OK) {
         return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
@@ -895,10 +971,10 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
         return NGX_HTTP_INTERNAL_SERVER_ERROR;
     }
 
-    ctx->legacy = 1;
-
     ngx_http_set_ctx(r, ctx, ngx_http_proxy_module);
 
+    plcf = ngx_http_get_module_loc_conf(r, ngx_http_proxy_module);
+
     u = r->upstream;
 
     if (plcf->proxy_lengths == NULL) {
@@ -974,7 +1050,7 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
 }
 
 
-ngx_int_t
+static ngx_int_t
 ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
     ngx_http_proxy_loc_conf_t *plcf)
 {
@@ -1078,7 +1154,7 @@ ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
 
 #if (NGX_HTTP_CACHE)
 
-ngx_int_t
+static ngx_int_t
 ngx_http_proxy_create_key(ngx_http_request_t *r)
 {
     size_t                      len, loc_len;
@@ -1130,8 +1206,7 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
         return NGX_OK;
     }
 
-    loc_len = (r->valid_location && ctx->vars.uri.len)
-              ? ngx_min(plcf->location.len, r->uri.len) : 0;
+    loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;
 
     if (r->quoted_uri || r->internal) {
         escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@@ -1243,8 +1318,8 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
         uri_len = r->unparsed_uri.len;
 
     } else {
-        loc_len = (r->valid_location && ctx->vars.uri.len)
-                  ? ngx_min(plcf->location.len, r->uri.len) : 0;
+        loc_len = (r->valid_location && ctx->vars.uri.len) ?
+                      plcf->location.len : 0;
 
         if (r->quoted_uri || r->internal) {
             escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@@ -2043,7 +2118,7 @@ ngx_http_proxy_input_filter_init(void *data)
         /* chunked */
 
         u->pipe->input_filter = ngx_http_proxy_chunked_filter;
-        u->pipe->length = 5; /* "0" CRLF CRLF */
+        u->pipe->length = 3; /* "0" LF LF */
 
         u->input_filter = ngx_http_proxy_non_buffered_chunked_filter;
         u->length = 1;
@@ -2692,11 +2767,6 @@ ngx_http_proxy_host_variable(ngx_http_request_t *r,
         return NGX_OK;
     }
 
-    if (data == 1 && !ctx->legacy) {
-        v->not_found = 1;
-        return NGX_OK;
-    }
-
     v->len = ctx->vars.host_header.len;
     v->valid = 1;
     v->no_cacheable = 0;
@@ -2777,29 +2847,6 @@ ngx_http_proxy_add_x_forwarded_for_variable(ngx_http_request_t *r,
 }
 
 
-static ngx_int_t
-ngx_http_proxy_internal_connection_variable(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data)
-{
-    ngx_http_proxy_ctx_t  *ctx;
-
-    ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module);
-
-    if (ctx == NULL || !ctx->legacy) {
-        v->not_found = 1;
-        return NGX_OK;
-    }
-
-    v->valid = 1;
-    v->no_cacheable = 0;
-    v->not_found = 0;
-
-    ngx_str_set(v, "close");
-
-    return NGX_OK;
-}
-
-
 static ngx_int_t
 ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data)
@@ -2853,7 +2900,7 @@ ngx_http_proxy_internal_chunked_variable(ngx_http_request_t *r,
 }
 
 
-ngx_int_t
+static ngx_int_t
 ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r, ngx_table_elt_t *h,
     size_t prefix)
 {
@@ -2885,7 +2932,7 @@ ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r, ngx_table_elt_t *h,
 }
 
 
-ngx_int_t
+static ngx_int_t
 ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r, ngx_table_elt_t *h)
 {
     u_char                     *p;
@@ -3530,7 +3577,6 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
      *     conf->headers.values = NULL;
      *     conf->headers.hash = { NULL, 0 };
      *     conf->headers_cache.lengths = NULL;
-     *     conf->host_set = 0;
      *     conf->headers_cache.values = NULL;
      *     conf->headers_cache.hash = { NULL, 0 };
      *     conf->body_lengths = NULL;
@@ -4106,7 +4152,6 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #if (NGX_HTTP_CACHE)
         conf->headers_cache = prev->headers_cache;
 #endif
-        conf->host_set = prev->host_set;
     }
 
     rc = ngx_http_proxy_init_headers(cf, conf, &conf->headers,
@@ -4139,7 +4184,6 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #if (NGX_HTTP_CACHE)
         prev->headers_cache = conf->headers_cache;
 #endif
-        prev->host_set = conf->host_set;
     }
 
     return NGX_CONF_OK;
@@ -4192,12 +4236,6 @@ ngx_http_proxy_init_headers(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf,
         src = conf->headers_source->elts;
         for (i = 0; i < conf->headers_source->nelts; i++) {
 
-            if (src[i].key.len == 4
-                && ngx_strncasecmp(src[i].key.data, (u_char *) "Host", 4) == 0)
-            {
-                conf->host_set = 1;
-            }
-
             s = ngx_array_push(&headers_merged);
             if (s == NULL) {
                 return NGX_ERROR;

src/http/modules/ngx_http_proxy_module.h

@@ -1,127 +0,0 @@
-
-/*
- * Copyright (C) Igor Sysoev
- * Copyright (C) Nginx, Inc.
- */
-
-
-#ifndef _NGX_HTTP_PROXY_H_INCLUDED_
-#define _NGX_HTTP_PROXY_H_INCLUDED_
-
-
-#include <ngx_config.h>
-#include <ngx_core.h>
-#include <ngx_http.h>
-
-
-typedef struct {
-    ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
-} ngx_http_proxy_main_conf_t;
-
-
-typedef struct {
-    ngx_str_t                      key_start;
-    ngx_str_t                      schema;
-    ngx_str_t                      host_header;
-    ngx_str_t                      port;
-    ngx_str_t                      uri;
-} ngx_http_proxy_vars_t;
-
-
-typedef struct {
-    ngx_array_t                   *flushes;
-    ngx_array_t                   *lengths;
-    ngx_array_t                   *values;
-    ngx_hash_t                     hash;
-} ngx_http_proxy_headers_t;
-
-
-typedef struct {
-    ngx_http_upstream_conf_t       upstream;
-
-    ngx_array_t                   *body_flushes;
-    ngx_array_t                   *body_lengths;
-    ngx_array_t                   *body_values;
-    ngx_str_t                      body_source;
-
-    ngx_http_proxy_headers_t       headers;
-#if (NGX_HTTP_CACHE)
-    ngx_http_proxy_headers_t       headers_cache;
-#endif
-    ngx_array_t                   *headers_source;
-    ngx_uint_t                     host_set;
-
-    ngx_array_t                   *proxy_lengths;
-    ngx_array_t                   *proxy_values;
-
-    ngx_array_t                   *redirects;
-    ngx_array_t                   *cookie_domains;
-    ngx_array_t                   *cookie_paths;
-    ngx_array_t                   *cookie_flags;
-
-    ngx_http_complex_value_t      *method;
-    ngx_str_t                      location;
-    ngx_str_t                      url;
-
-#if (NGX_HTTP_CACHE)
-    ngx_http_complex_value_t       cache_key;
-#endif
-
-    ngx_http_proxy_vars_t          vars;
-
-    ngx_flag_t                     redirect;
-
-    ngx_uint_t                     http_version;
-
-    ngx_uint_t                     headers_hash_max_size;
-    ngx_uint_t                     headers_hash_bucket_size;
-
-#if (NGX_HTTP_SSL || NGX_COMPAT)
-    ngx_uint_t                     ssl;
-    ngx_uint_t                     ssl_protocols;
-    ngx_str_t                      ssl_ciphers;
-    ngx_uint_t                     ssl_verify_depth;
-    ngx_str_t                      ssl_trusted_certificate;
-    ngx_str_t                      ssl_crl;
-    ngx_array_t                   *ssl_conf_commands;
-#endif
-} ngx_http_proxy_loc_conf_t;
-
-
-typedef struct {
-    ngx_http_status_t              status;
-    ngx_http_chunked_t             chunked;
-    ngx_http_proxy_vars_t          vars;
-    off_t                          internal_body_length;
-
-    ngx_chain_t                   *free;
-    ngx_chain_t                   *busy;
-
-    ngx_buf_t                     *trailers;
-
-    unsigned                       head:1;
-    unsigned                       internal_chunked:1;
-    unsigned                       header_sent:1;
-    unsigned                       legacy:1;
-} ngx_http_proxy_ctx_t;
-
-
-ngx_int_t ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
-    ngx_http_proxy_loc_conf_t *plcf);
-#if (NGX_HTTP_CACHE)
-ngx_int_t ngx_http_proxy_create_key(ngx_http_request_t *r);
-#endif
-ngx_int_t ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r,
-    ngx_table_elt_t *h, size_t prefix);
-ngx_int_t ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r,
-    ngx_table_elt_t *h);
-
-#if (NGX_HTTP_V2)
-ngx_int_t ngx_http_proxy_v2_handler(ngx_http_request_t *r);
-#endif
-
-
-extern ngx_module_t  ngx_http_proxy_module;
-
-
-#endif /* _NGX_HTTP_PROXY_H_INCLUDED_ */

src/http/modules/ngx_http_ssl_module.c

@@ -117,13 +117,6 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
       0,
       NULL },
 
-    { ngx_string("ssl_ech_file"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
-      ngx_conf_set_str_array_slot,
-      NGX_HTTP_SRV_CONF_OFFSET,
-      offsetof(ngx_http_ssl_srv_conf_t, ech_files),
-      NULL },
-
     { ngx_string("ssl_password_file"),
       NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
       ngx_http_ssl_password_file,
@@ -244,7 +237,7 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
       NULL },
 
     { ngx_string("ssl_ocsp"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
       ngx_conf_set_enum_slot,
       NGX_HTTP_SRV_CONF_OFFSET,
       offsetof(ngx_http_ssl_srv_conf_t, ocsp),
@@ -365,9 +358,6 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
     { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
-    { ngx_string("ssl_sigalg"), NULL, ngx_http_ssl_variable,
-      (uintptr_t) ngx_ssl_get_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 },
-
     { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
@@ -384,13 +374,6 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
     { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
-    { ngx_string("ssl_ech_status"), NULL, ngx_http_ssl_variable,
-      (uintptr_t) ngx_ssl_get_ech_status, NGX_HTTP_VAR_CHANGEABLE, 0 },
-
-    { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_http_ssl_variable,
-      (uintptr_t) ngx_ssl_get_ech_outer_server_name,
-      NGX_HTTP_VAR_CHANGEABLE, 0 },
-
     { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
@@ -432,9 +415,6 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
     { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
 
-    { ngx_string("ssl_client_sigalg"), NULL, ngx_http_ssl_variable,
-      (uintptr_t) ngx_ssl_get_client_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 },
-
       ngx_http_null_variable
 };
 
@@ -657,7 +637,6 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
     sscf->certificates = NGX_CONF_UNSET_PTR;
     sscf->certificate_keys = NGX_CONF_UNSET_PTR;
     sscf->certificate_cache = NGX_CONF_UNSET_PTR;
-    sscf->ech_files = NGX_CONF_UNSET_PTR;
     sscf->passwords = NGX_CONF_UNSET_PTR;
     sscf->conf_commands = NGX_CONF_UNSET_PTR;
     sscf->builtin_session_cache = NGX_CONF_UNSET;
@@ -709,8 +688,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
                          NULL);
 
-    ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
-
     ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
 
     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@@ -775,9 +752,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     {
     static ngx_ssl_client_hello_arg cb = { ngx_http_ssl_servername };
 
-    if (ngx_ssl_set_client_hello_callback(&conf->ssl, &cb) != NGX_OK) {
-        return NGX_CONF_ERROR;
-    }
+    ngx_ssl_set_client_hello_callback(conf->ssl.ctx, &cb);
 
     if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                                ngx_http_ssl_servername)
@@ -897,10 +872,6 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
         return NGX_CONF_ERROR;
     }
 
-    if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
-        return NGX_CONF_ERROR;
-    }
-
     if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
@@ -939,19 +910,13 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     if (conf->stapling) {
 
-        if (conf->certificate_compression) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "\"ssl_stapling\" is incompatible with "
-                          "\"ssl_certificate_compression\"");
-            return NGX_CONF_ERROR;
-        }
-
         if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
                              &conf->stapling_responder, conf->stapling_verify)
             != NGX_OK)
         {
             return NGX_CONF_ERROR;
         }
+
     }
 
     if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {

src/http/modules/ngx_http_ssl_module.h

@@ -49,7 +49,6 @@ typedef struct {
 
     ngx_str_t                       ciphers;
 
-    ngx_array_t                    *ech_files;
     ngx_array_t                    *passwords;
     ngx_array_t                    *conf_commands;
 

src/http/ngx_http.h

@@ -130,8 +130,8 @@ ngx_int_t ngx_http_post_request(ngx_http_request_t *r,
     ngx_http_posted_request_t *pr);
 ngx_int_t ngx_http_set_virtual_server(ngx_http_request_t *r,
     ngx_str_t *host);
-ngx_int_t ngx_http_validate_host(ngx_str_t *host, in_port_t *port,
-    ngx_pool_t *pool, ngx_uint_t alloc);
+ngx_int_t ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool,
+    ngx_uint_t alloc);
 void ngx_http_close_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_finalize_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_free_request(ngx_http_request_t *r, ngx_int_t rc);

src/http/ngx_http_core_module.h

@@ -206,7 +206,6 @@ typedef struct {
 #if (NGX_PCRE)
     unsigned                    captures:1;
 #endif
-    unsigned                    allow_connect:1;
 
     ngx_http_core_loc_conf_t  **named_locations;
 } ngx_http_core_srv_conf_t;

src/http/ngx_http_parse.c

@@ -111,7 +111,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
         sw_schema,
         sw_schema_slash,
         sw_schema_slash_slash,
-        sw_spaces_before_host,
         sw_host_start,
         sw_host,
         sw_host_end,
@@ -159,7 +158,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
             if (ch == ' ') {
                 r->method_end = p - 1;
                 m = r->request_start;
-                state = sw_spaces_before_uri;
 
                 switch (p - m) {
 
@@ -249,7 +247,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                     if (ngx_str7_cmp(m, 'C', 'O', 'N', 'N', 'E', 'C', 'T', ' '))
                     {
                         r->method = NGX_HTTP_CONNECT;
-                        state = sw_spaces_before_host;
                     }
 
                     break;
@@ -272,6 +269,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                     break;
                 }
 
+                state = sw_spaces_before_uri;
                 break;
             }
 
@@ -347,14 +345,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
             }
             break;
 
-        case sw_spaces_before_host:
-
-            if (ch == ' ') {
-                break;
-            }
-
-            /* fall through */
-
         case sw_host_start:
 
             r->host_start = p;
@@ -383,18 +373,12 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
 
         case sw_host_end:
 
-            if (ch == ':') {
-                state = sw_port;
-                break;
-            }
-
             r->host_end = p;
 
-            if (r->method == NGX_HTTP_CONNECT) {
-                return NGX_HTTP_PARSE_INVALID_REQUEST;
-            }
-
             switch (ch) {
+            case ':':
+                state = sw_port;
+                break;
             case '/':
                 r->uri_start = p;
                 state = sw_after_slash_in_uri;
@@ -465,17 +449,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                 break;
             }
 
-            r->host_end = p;
-
-            if (r->method == NGX_HTTP_CONNECT) {
-                if (ch == ' ') {
-                    state = sw_http_09;
-                    break;
-                }
-
-                return NGX_HTTP_PARSE_INVALID_REQUEST;
-            }
-
             switch (ch) {
             case '/':
                 r->uri_start = p;
@@ -711,16 +684,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
         case sw_http_HTTP:
             switch (ch) {
             case '/':
-
-                /*
-                 * use single "/" from request line to preserve pointers,
-                 * if request line will be copied to large client buffer
-                 */
-                if (r->method == NGX_HTTP_CONNECT) {
-                    r->uri_start = p;
-                    r->uri_end = p + 1;
-                }
-
                 state = sw_first_major_digit;
                 break;
             default:
@@ -2254,6 +2217,12 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                 case CR:
                     state = sw_last_chunk_extension_almost_done;
                     break;
+                case LF:
+                    if (keep_trailers) {
+                        goto done;
+                    }
+                    state = sw_trailer;
+                    break;
                 case ';':
                 case ' ':
                 case '\t':
@@ -2270,6 +2239,9 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
             case CR:
                 state = sw_chunk_extension_almost_done;
                 break;
+            case LF:
+                state = sw_chunk_data;
+                break;
             case ';':
             case ' ':
             case '\t':
@@ -2287,7 +2259,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                 state = sw_chunk_extension_almost_done;
                 break;
             case LF:
-                goto invalid;
+                state = sw_chunk_data;
             }
             break;
 
@@ -2307,6 +2279,9 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
             case CR:
                 state = sw_after_data_almost_done;
                 break;
+            case LF:
+                state = sw_chunk_start;
+                break;
             default:
                 goto invalid;
             }
@@ -2325,7 +2300,10 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                 state = sw_last_chunk_extension_almost_done;
                 break;
             case LF:
-                goto invalid;
+                if (keep_trailers) {
+                    goto done;
+                }
+                state = sw_trailer;
             }
             break;
 
@@ -2345,7 +2323,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                 state = sw_trailer_almost_done;
                 break;
             case LF:
-                goto invalid;
+                goto done;
             default:
                 state = sw_trailer_header;
             }
@@ -2363,7 +2341,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                 state = sw_trailer_header_almost_done;
                 break;
             case LF:
-                goto invalid;
+                state = sw_trailer;
             }
             break;
 
@@ -2389,45 +2367,35 @@ data:
     switch (state) {
 
     case sw_chunk_start:
-        ctx->length = 5 /* "0" CRLF CRLF */;
+        ctx->length = 3 /* "0" LF LF */;
         break;
     case sw_chunk_size:
-        ctx->length = 2 /* CRLF */
-                      + (ctx->size ? ctx->size + 7 /* CRLF "0" CRLF CRLF */
-                                   : 2 /* CRLF */);
+        ctx->length = 1 /* LF */
+                      + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */
+                                   : 1 /* LF */);
         break;
     case sw_chunk_extension:
-        ctx->length = 2 /* CRLF */ + ctx->size + 7 /* CRLF "0" CRLF CRLF */;
-        break;
     case sw_chunk_extension_almost_done:
-        ctx->length = 1 /* LF */ + ctx->size + 7 /* CRLF "0" CRLF CRLF */;
+        ctx->length = 1 /* LF */ + ctx->size + 4 /* LF "0" LF LF */;
         break;
     case sw_chunk_data:
-        ctx->length = ctx->size + 7 /* CRLF "0" CRLF CRLF */;
+        ctx->length = ctx->size + 4 /* LF "0" LF LF */;
         break;
     case sw_after_data:
-        ctx->length = 7 /* CRLF "0" CRLF CRLF */;
-        break;
     case sw_after_data_almost_done:
-        ctx->length = 6 /* LF "0" CRLF CRLF */;
+        ctx->length = 4 /* LF "0" LF LF */;
         break;
     case sw_last_chunk_extension:
-        ctx->length = 4 /* CRLF CRLF */;
-        break;
     case sw_last_chunk_extension_almost_done:
-        ctx->length = 3 /* LF CRLF */;
+        ctx->length = 2 /* LF LF */;
         break;
     case sw_trailer:
-        ctx->length = 2 /* CRLF */;
-        break;
     case sw_trailer_almost_done:
         ctx->length = 1 /* LF */;
         break;
     case sw_trailer_header:
-        ctx->length = 4 /* CRLF CRLF */;
-        break;
     case sw_trailer_header_almost_done:
-        ctx->length = 3 /* LF CRLF */;
+        ctx->length = 2 /* LF LF */;
         break;
 
     }

src/http/ngx_http_request.c

@@ -931,7 +931,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
         goto done;
     }
 
-    rc = ngx_http_validate_host(&host, NULL, c->pool, 1);
+    rc = ngx_http_validate_host(&host, c->pool, 1);
 
     if (rc == NGX_ERROR) {
         goto error;
@@ -1107,7 +1107,6 @@ ngx_http_process_request_line(ngx_event_t *rev)
     ssize_t              n;
     ngx_int_t            rc, rv;
     ngx_str_t            host;
-    in_port_t            port;
     ngx_connection_t    *c;
     ngx_http_request_t  *r;
 
@@ -1170,7 +1169,7 @@ ngx_http_process_request_line(ngx_event_t *rev)
                 host.len = r->host_end - r->host_start;
                 host.data = r->host_start;
 
-                rc = ngx_http_validate_host(&host, &port, r->pool, 0);
+                rc = ngx_http_validate_host(&host, r->pool, 0);
 
                 if (rc == NGX_DECLINED) {
                     ngx_log_error(NGX_LOG_INFO, c->log, 0,
@@ -1189,7 +1188,6 @@ ngx_http_process_request_line(ngx_event_t *rev)
                 }
 
                 r->headers_in.server = host;
-                r->port = port;
             }
 
             if (r->http_version < NGX_HTTP_VERSION_10) {
@@ -1850,7 +1848,6 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
 {
     ngx_int_t  rc;
     ngx_str_t  host;
-    in_port_t  port;
 
     if (r->headers_in.host) {
         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@@ -1867,7 +1864,7 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
 
     host = h->value;
 
-    rc = ngx_http_validate_host(&host, &port, r->pool, 0);
+    rc = ngx_http_validate_host(&host, r->pool, 0);
 
     if (rc == NGX_DECLINED) {
         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@@ -1890,7 +1887,6 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
     }
 
     r->headers_in.server = host;
-    r->port = port;
 
     return NGX_OK;
 }
@@ -1989,8 +1985,6 @@ ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h,
 static ngx_int_t
 ngx_http_process_request_header(ngx_http_request_t *r)
 {
-    ngx_http_core_srv_conf_t  *cscf;
-
     if (r->headers_in.server.len == 0
         && ngx_http_set_virtual_server(r, &r->headers_in.server)
            == NGX_ERROR)
@@ -2059,11 +2053,7 @@ ngx_http_process_request_header(ngx_http_request_t *r)
         }
     }
 
-    cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
-
-    if (r->method == NGX_HTTP_CONNECT
-        && (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect))
-    {
+    if (r->method == NGX_HTTP_CONNECT) {
         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                       "client sent CONNECT method");
         ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
@@ -2174,176 +2164,74 @@ ngx_http_process_request(ngx_http_request_t *r)
 
 
 ngx_int_t
-ngx_http_validate_host(ngx_str_t *host, in_port_t *portp, ngx_pool_t *pool,
-    ngx_uint_t alloc)
+ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 {
-    u_char     *h, ch;
-    size_t      i, dot_pos, host_len;
-    ngx_int_t   port;
+    u_char  *h, ch;
+    size_t   i, dot_pos, host_len;
 
     enum {
-        sw_host_start = 0,
-        sw_host,
-        sw_host_ip_literal,
-        sw_host_end,
-        sw_port,
+        sw_usual = 0,
+        sw_literal,
+        sw_rest
     } state;
 
     dot_pos = host->len;
     host_len = host->len;
-    port = 0;
 
     h = host->data;
 
-    state = sw_host_start;
+    state = sw_usual;
 
     for (i = 0; i < host->len; i++) {
         ch = h[i];
 
-        switch (state) {
+        switch (ch) {
 
-        case sw_host_start:
-
-            if (ch == '[') {
-                state = sw_host_ip_literal;
-                break;
+        case '.':
+            if (dot_pos == i - 1) {
+                return NGX_DECLINED;
             }
+            dot_pos = i;
+            break;
 
-            state = sw_host;
-
-            /* fall through */
-
-        case sw_host:
-
-            if (ch >= 'A' && ch <= 'Z') {
-                alloc = 1;
-                break;
-            }
-
-            if (ch >= 'a' && ch <= 'z') {
-                break;
-            }
-
-            if (ch >= '0' && ch <= '9') {
-                break;
-            }
-
-            switch (ch) {
-            case ':':
+        case ':':
+            if (state == sw_usual) {
                 host_len = i;
-                state = sw_port;
-                break;
-            case '-':
-                break;
-            case '.':
-                if (dot_pos == i - 1) {
-                    return NGX_DECLINED;
-                }
-                dot_pos = i;
-                break;
-            case '_':
-            case '~':
-                /* unreserved */
-                break;
-            case '!':
-            case '$':
-            case '&':
-            case '\'':
-            case '(':
-            case ')':
-            case '*':
-            case '+':
-            case ',':
-            case ';':
-            case '=':
-                /* sub-delims */
-                break;
-            case '%':
-                /* pct-encoded */
-                break;
-            default:
-                return NGX_DECLINED;
+                state = sw_rest;
             }
             break;
 
-        case sw_host_ip_literal:
+        case '[':
+            if (i == 0) {
+                state = sw_literal;
+            }
+            break;
+
+        case ']':
+            if (state == sw_literal) {
+                host_len = i + 1;
+                state = sw_rest;
+            }
+            break;
+
+        default:
+
+            if (ngx_path_separator(ch)) {
+                return NGX_DECLINED;
+            }
+
+            if (ch <= 0x20 || ch == 0x7f) {
+                return NGX_DECLINED;
+            }
 
             if (ch >= 'A' && ch <= 'Z') {
                 alloc = 1;
-                break;
             }
 
-            if (ch >= 'a' && ch <= 'z') {
-                break;
-            }
-
-            if (ch >= '0' && ch <= '9') {
-                break;
-            }
-
-            switch (ch) {
-            case ':':
-                break;
-            case ']':
-                host_len = i + 1;
-                state = sw_host_end;
-                break;
-            case '-':
-                break;
-            case '.':
-                if (dot_pos == i - 1) {
-                    return NGX_DECLINED;
-                }
-                dot_pos = i;
-                break;
-            case '_':
-            case '~':
-                /* unreserved */
-                break;
-            case '!':
-            case '$':
-            case '&':
-            case '\'':
-            case '(':
-            case ')':
-            case '*':
-            case '+':
-            case ',':
-            case ';':
-            case '=':
-                /* sub-delims */
-                break;
-            default:
-                return NGX_DECLINED;
-            }
             break;
-
-        case sw_host_end:
-
-            if (ch == ':') {
-                state = sw_port;
-                break;
-            }
-            return NGX_DECLINED;
-
-        case sw_port:
-
-            if (ch >= '0' && ch <= '9') {
-                if (port >= 6553 && (port > 6553 || (ch - '0') > 5)) {
-                    return NGX_DECLINED;
-                }
-
-                port = port * 10 + (ch - '0');
-                break;
-            }
-            return NGX_DECLINED;
         }
     }
 
-    if (state == sw_host_ip_literal) {
-        return NGX_DECLINED;
-    }
-
     if (dot_pos == host_len - 1) {
         host_len--;
     }
@@ -2363,10 +2251,6 @@ ngx_http_validate_host(ngx_str_t *host, in_port_t *portp, ngx_pool_t *pool,
 
     host->len = host_len;
 
-    if (portp) {
-        *portp = port;
-    }
-
     return NGX_OK;
 }
 

src/http/ngx_http_request.h

@@ -461,8 +461,6 @@ struct ngx_http_request_s {
 
     ngx_http_cleanup_t               *cleanup;
 
-    in_port_t                         port;
-
     unsigned                          count:16;
     unsigned                          subrequests:8;
     unsigned                          blocked:8;

src/http/ngx_http_upstream.c

@@ -1771,23 +1771,6 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
         }
     }
 
-#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
-
-    if (u->ssl_alpn_protocol.len) {
-        if (SSL_set_alpn_protos(c->ssl->connection, u->ssl_alpn_protocol.data,
-                                u->ssl_alpn_protocol.len)
-            != 0)
-        {
-            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
-                          "SSL_set_alpn_protos() failed");
-            ngx_http_upstream_finalize_request(r, u,
-                                               NGX_HTTP_INTERNAL_SERVER_ERROR);
-            return;
-        }
-    }
-
-#endif
-
     if (u->conf->ssl_session_reuse) {
         c->ssl->save_session = ngx_http_upstream_ssl_save_session;
 
@@ -6915,7 +6898,6 @@ ngx_http_upstream_set_local(ngx_http_request_t *r, ngx_http_upstream_t *u,
     }
 
     if (val.len == 0) {
-        u->peer.local = NULL;
         return NGX_OK;
     }
 
@@ -6932,7 +6914,6 @@ ngx_http_upstream_set_local(ngx_http_request_t *r, ngx_http_upstream_t *u,
     if (rc != NGX_OK) {
         ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                       "invalid local address \"%V\"", &val);
-        u->peer.local = NULL;
         return NGX_OK;
     }
 

src/http/ngx_http_upstream.h

@@ -253,7 +253,7 @@ typedef struct {
 
     ngx_str_t                        module;
 
-    NGX_COMPAT_BEGIN(6)
+    NGX_COMPAT_BEGIN(2)
     NGX_COMPAT_END
 } ngx_http_upstream_conf_t;
 
@@ -390,7 +390,6 @@ struct ngx_http_upstream_s {
 
 #if (NGX_HTTP_SSL || NGX_COMPAT)
     ngx_str_t                        ssl_name;
-    ngx_str_t                        ssl_alpn_protocol;
 #endif
 
     ngx_http_cleanup_pt             *cleanup;

src/http/ngx_http_variables.c

@@ -71,10 +71,6 @@ static ngx_int_t ngx_http_variable_scheme(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_variable_https(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t ngx_http_variable_request_port(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data);
-static ngx_int_t ngx_http_variable_is_request_port(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data);
 static void ngx_http_variable_set_args(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_variable_is_args(ngx_http_request_t *r,
@@ -235,12 +231,6 @@ static ngx_http_variable_t  ngx_http_core_variables[] = {
 
     { ngx_string("https"), NULL, ngx_http_variable_https, 0, 0, 0 },
 
-    { ngx_string("request_port"), NULL,
-      ngx_http_variable_request_port, 0, 0, 0 },
-
-    { ngx_string("is_request_port"), NULL,
-      ngx_http_variable_is_request_port, 0, 0, 0 },
-
     { ngx_string("request_uri"), NULL, ngx_http_variable_request,
       offsetof(ngx_http_request_t, unparsed_uri), 0, 0 },
 
@@ -1550,51 +1540,6 @@ ngx_http_variable_https(ngx_http_request_t *r,
 }
 
 
-static ngx_int_t
-ngx_http_variable_request_port(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data)
-{
-    ngx_uint_t  port;
-
-    v->len = 0;
-    v->valid = 1;
-    v->no_cacheable = 0;
-    v->not_found = 0;
-
-    v->data = ngx_pnalloc(r->pool, sizeof("65535") - 1);
-    if (v->data == NULL) {
-        return NGX_ERROR;
-    }
-
-    port = r->port;
-
-    if (port > 0 && port < 65536) {
-        v->len = ngx_sprintf(v->data, "%ui", port) - v->data;
-    }
-
-    return NGX_OK;
-}
-
-
-static ngx_int_t
-ngx_http_variable_is_request_port(ngx_http_request_t *r,
-    ngx_http_variable_value_t *v, uintptr_t data)
-{
-    if (r->port == 0) {
-        *v = ngx_http_variable_null_value;
-        return NGX_OK;
-    }
-
-    v->len = 1;
-    v->valid = 1;
-    v->no_cacheable = 0;
-    v->not_found = 0;
-    v->data = (u_char *) ":";
-
-    return NGX_OK;
-}
-
-
 static void
 ngx_http_variable_set_args(ngx_http_request_t *r,
     ngx_http_variable_value_t *v, uintptr_t data)

src/http/v2/ngx_http_v2.c

@@ -3519,7 +3519,6 @@ static ngx_int_t
 ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
 {
     ngx_int_t  rc;
-    in_port_t  port;
 
     if (r->host_start) {
         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@@ -3530,7 +3529,7 @@ ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
     r->host_start = value->data;
     r->host_end = value->data + value->len;
 
-    rc = ngx_http_validate_host(value, &port, r->pool, 0);
+    rc = ngx_http_validate_host(value, r->pool, 0);
 
     if (rc == NGX_DECLINED) {
         ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@@ -3552,7 +3551,6 @@ ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
     }
 
     r->headers_in.server = *value;
-    r->port = port;
 
     return NGX_OK;
 }
@@ -4104,14 +4102,15 @@ ngx_http_v2_process_request_body(ngx_http_request_t *r, u_char *pos,
                 n = size;
             }
 
+            if (n > 0) {
+                rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
+            }
+
             ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
                            "http2 request body recv %uz", n);
 
-            if (n > 0) {
-                rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
-                pos += n;
-                size -= n;
-            }
+            pos += n;
+            size -= n;
 
             if (size == 0 && last) {
                 rb->rest = 0;

src/http/v3/ngx_http_v3_request.c

@@ -904,7 +904,6 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
     u_char     *p;
     ngx_int_t   rc;
     ngx_str_t   host;
-    in_port_t   port;
 
     if (r->request_line.len) {
         return NGX_OK;
@@ -962,7 +961,7 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
         host.len = r->host_end - r->host_start;
         host.data = r->host_start;
 
-        rc = ngx_http_validate_host(&host, &port, r->pool, 0);
+        rc = ngx_http_validate_host(&host, r->pool, 0);
 
         if (rc == NGX_DECLINED) {
             ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@@ -980,7 +979,6 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
         }
 
         r->headers_in.server = host;
-        r->port = port;
     }
 
     if (ngx_list_init(&r->headers_in.headers, r->pool, 20,

src/stream/ngx_stream_core_module.c

@@ -474,173 +474,72 @@ ngx_stream_core_content_phase(ngx_stream_session_t *s,
 ngx_int_t
 ngx_stream_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 {
-    u_char     *h, ch;
-    size_t      i, dot_pos, host_len;
-    ngx_int_t   port;
+    u_char  *h, ch;
+    size_t   i, dot_pos, host_len;
 
     enum {
-        sw_host_start = 0,
-        sw_host,
-        sw_host_ip_literal,
-        sw_host_end,
-        sw_port,
+        sw_usual = 0,
+        sw_literal,
+        sw_rest
     } state;
 
     dot_pos = host->len;
     host_len = host->len;
-    port = 0;
 
     h = host->data;
 
-    state = sw_host_start;
+    state = sw_usual;
 
     for (i = 0; i < host->len; i++) {
         ch = h[i];
 
-        switch (state) {
+        switch (ch) {
 
-        case sw_host_start:
-
-            if (ch == '[') {
-                state = sw_host_ip_literal;
-                break;
+        case '.':
+            if (dot_pos == i - 1) {
+                return NGX_DECLINED;
             }
+            dot_pos = i;
+            break;
 
-            state = sw_host;
-
-            /* fall through */
-
-        case sw_host:
-
-            if (ch >= 'A' && ch <= 'Z') {
-                alloc = 1;
-                break;
-            }
-
-            if (ch >= 'a' && ch <= 'z') {
-                break;
-            }
-
-            if (ch >= '0' && ch <= '9') {
-                break;
-            }
-
-            switch (ch) {
-            case ':':
+        case ':':
+            if (state == sw_usual) {
                 host_len = i;
-                state = sw_port;
-                break;
-            case '-':
-                break;
-            case '.':
-                if (dot_pos == i - 1) {
-                    return NGX_DECLINED;
-                }
-                dot_pos = i;
-                break;
-            case '_':
-            case '~':
-                /* unreserved */
-                break;
-            case '!':
-            case '$':
-            case '&':
-            case '\'':
-            case '(':
-            case ')':
-            case '*':
-            case '+':
-            case ',':
-            case ';':
-            case '=':
-                /* sub-delims */
-                break;
-            case '%':
-                /* pct-encoded */
-                break;
-            default:
-                return NGX_DECLINED;
+                state = sw_rest;
             }
             break;
 
-        case sw_host_ip_literal:
+        case '[':
+            if (i == 0) {
+                state = sw_literal;
+            }
+            break;
+
+        case ']':
+            if (state == sw_literal) {
+                host_len = i + 1;
+                state = sw_rest;
+            }
+            break;
+
+        default:
+
+            if (ngx_path_separator(ch)) {
+                return NGX_DECLINED;
+            }
+
+            if (ch <= 0x20 || ch == 0x7f) {
+                return NGX_DECLINED;
+            }
 
             if (ch >= 'A' && ch <= 'Z') {
                 alloc = 1;
-                break;
             }
 
-            if (ch >= 'a' && ch <= 'z') {
-                break;
-            }
-
-            if (ch >= '0' && ch <= '9') {
-                break;
-            }
-
-            switch (ch) {
-            case ':':
-                break;
-            case ']':
-                host_len = i + 1;
-                state = sw_host_end;
-                break;
-            case '-':
-                break;
-            case '.':
-                if (dot_pos == i - 1) {
-                    return NGX_DECLINED;
-                }
-                dot_pos = i;
-                break;
-            case '_':
-            case '~':
-                /* unreserved */
-                break;
-            case '!':
-            case '$':
-            case '&':
-            case '\'':
-            case '(':
-            case ')':
-            case '*':
-            case '+':
-            case ',':
-            case ';':
-            case '=':
-                /* sub-delims */
-                break;
-            default:
-                return NGX_DECLINED;
-            }
             break;
-
-        case sw_host_end:
-
-            if (ch == ':') {
-                state = sw_port;
-                break;
-            }
-            return NGX_DECLINED;
-
-        case sw_port:
-
-            if (ch >= '0' && ch <= '9') {
-                if (port >= 6553 && (port > 6553 || (ch - '0') > 5)) {
-                    return NGX_DECLINED;
-                }
-
-                port = port * 10 + (ch - '0');
-                break;
-            }
-            return NGX_DECLINED;
         }
     }
 
-    if (state == sw_host_ip_literal) {
-        return NGX_DECLINED;
-    }
-
     if (dot_pos == host_len - 1) {
         host_len--;
     }

src/stream/ngx_stream_geo_module.c

@@ -61,7 +61,6 @@ typedef struct {
     unsigned                           outside_entries:1;
     unsigned                           allow_binary_include:1;
     unsigned                           binary_include:1;
-    unsigned                           no_cacheable:1;
 } ngx_stream_geo_conf_ctx_t;
 
 
@@ -434,7 +433,6 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
                   + sizeof(ngx_stream_variable_value_t)
                   + 0x10000 * sizeof(ngx_stream_geo_range_t *);
     ctx.allow_binary_include = 1;
-    ctx.no_cacheable = 0;
 
     save = *cf;
     cf->pool = pool;
@@ -450,10 +448,6 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
         goto failed;
     }
 
-    if (ctx.no_cacheable) {
-        var->flags |= NGX_STREAM_VAR_NOCACHEABLE;
-    }
-
     if (ctx.ranges) {
 
         if (ctx.high.low && !ctx.binary_include) {
@@ -589,12 +583,6 @@ ngx_stream_geo(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
 
             goto done;
         }
-
-        else if (ngx_strcmp(value[0].data, "volatile") == 0) {
-            ctx->no_cacheable = 1;
-            rv = NGX_CONF_OK;
-            goto done;
-        }
     }
 
     if (cf->args->nelts != 2) {

src/stream/ngx_stream_proxy_module.c

@@ -680,7 +680,6 @@ ngx_stream_proxy_set_local(ngx_stream_session_t *s, ngx_stream_upstream_t *u,
     }
 
     if (val.len == 0) {
-        u->peer.local = NULL;
         return NGX_OK;
     }
 
@@ -697,7 +696,6 @@ ngx_stream_proxy_set_local(ngx_stream_session_t *s, ngx_stream_upstream_t *u,
     if (rc != NGX_OK) {
         ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
                       "invalid local address \"%V\"", &val);
-        u->peer.local = NULL;
         return NGX_OK;
     }
 

src/stream/ngx_stream_ssl_module.c

@@ -126,13 +126,6 @@ static ngx_command_t  ngx_stream_ssl_commands[] = {
       0,
       NULL },
 
-    { ngx_string("ssl_ech_file"),
-      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
-      ngx_conf_set_str_array_slot,
-      NGX_STREAM_SRV_CONF_OFFSET,
-      offsetof(ngx_stream_ssl_srv_conf_t, ech_files),
-      NULL },
-
     { ngx_string("ssl_password_file"),
       NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
       ngx_stream_ssl_password_file,
@@ -246,7 +239,7 @@ static ngx_command_t  ngx_stream_ssl_commands[] = {
       NULL },
 
     { ngx_string("ssl_ocsp"),
-      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
       ngx_conf_set_enum_slot,
       NGX_STREAM_SRV_CONF_OFFSET,
       offsetof(ngx_stream_ssl_srv_conf_t, ocsp),
@@ -364,9 +357,6 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
     { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },
 
-    { ngx_string("ssl_sigalg"), NULL, ngx_stream_ssl_variable,
-      (uintptr_t) ngx_ssl_get_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 },
-
     { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },
 
@@ -379,13 +369,6 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
     { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },
 
-    { ngx_string("ssl_ech_status"), NULL, ngx_stream_ssl_variable,
-      (uintptr_t) ngx_ssl_get_ech_status, NGX_STREAM_VAR_CHANGEABLE, 0 },
-
-    { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_stream_ssl_variable,
-      (uintptr_t) ngx_ssl_get_ech_outer_server_name,
-      NGX_STREAM_VAR_CHANGEABLE, 0 },
-
     { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 },
 
@@ -421,9 +404,6 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
     { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
       (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },
 
-    { ngx_string("ssl_client_sigalg"), NULL, ngx_stream_ssl_variable,
-      (uintptr_t) ngx_ssl_get_client_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 },
-
       ngx_stream_null_variable
 };
 
@@ -902,7 +882,6 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_t *cf)
     sscf->certificates = NGX_CONF_UNSET_PTR;
     sscf->certificate_keys = NGX_CONF_UNSET_PTR;
     sscf->certificate_cache = NGX_CONF_UNSET_PTR;
-    sscf->ech_files = NGX_CONF_UNSET_PTR;
     sscf->passwords = NGX_CONF_UNSET_PTR;
     sscf->conf_commands = NGX_CONF_UNSET_PTR;
     sscf->prefer_server_ciphers = NGX_CONF_UNSET;
@@ -958,8 +937,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
                          NULL);
 
-    ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
-
     ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
 
     ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@@ -1025,9 +1002,7 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
     {
     static ngx_ssl_client_hello_arg cb = { ngx_stream_ssl_servername };
 
-    if (ngx_ssl_set_client_hello_callback(&conf->ssl, &cb) != NGX_OK) {
-        return NGX_CONF_ERROR;
-    }
+    ngx_ssl_set_client_hello_callback(conf->ssl.ctx, &cb);
 
     SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                            ngx_stream_ssl_servername);
@@ -1141,10 +1116,6 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
         return NGX_CONF_ERROR;
     }
 
-    if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
-        return NGX_CONF_ERROR;
-    }
-
     if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
         return NGX_CONF_ERROR;
     }
@@ -1184,19 +1155,13 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
 
     if (conf->stapling) {
 
-        if (conf->certificate_compression) {
-            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
-                          "\"ssl_stapling\" is incompatible with "
-                          "\"ssl_certificate_compression\"");
-            return NGX_CONF_ERROR;
-        }
-
         if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
                              &conf->stapling_responder, conf->stapling_verify)
             != NGX_OK)
         {
             return NGX_CONF_ERROR;
         }
+
     }
 
     if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {

src/stream/ngx_stream_ssl_module.h

@@ -49,7 +49,6 @@ typedef struct {
 
     ngx_str_t         ciphers;
 
-    ngx_array_t      *ech_files;
     ngx_array_t      *passwords;
     ngx_array_t      *conf_commands;