SSL: logging level of the "ech_required" TLS alert.

The alert is send by a client after its ECH configuration was rejected by a server.
Fixed duplicate ids in the bug report template.
2025-12-17 13:49:06 +04:00 · 2025-12-16 14:22:33 -07:00 · 2025-12-16 14:22:33 -07:00 · 2025-12-09 22:28:10 +04:00 · 2025-12-09 21:25:10 +04:00 · 2025-12-08 07:49:16 +04:00
60 changed files with 6485 additions and 543 deletions
--- a/.github/DISCUSSION_TEMPLATE/general.yml
+++ b/.github/DISCUSSION_TEMPLATE/general.yml
@ -0,0 +1,15 @@
 ---
 body:
  - type: markdown
    attributes:
      value: |
        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
  - type: textarea
    id: general
    attributes:
      label: What would you like to discuss?
      description: Please provide as much context as possible. Remember that only general discussions related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
      value: |
        I would like to discuss...
    validations:
      required: true
--- a/.github/DISCUSSION_TEMPLATE/ideas.yml
+++ b/.github/DISCUSSION_TEMPLATE/ideas.yml
@ -0,0 +1,15 @@
 ---
 body:
  - type: markdown
    attributes:
      value: |
        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
  - type: textarea
    id: ideas
    attributes:
      label: What idea would you like to discuss?
      description: Please provide as much context as possible. Remember that only ideas related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
      value: |
        I have an idea for...
    validations:
      required: true
--- a/.github/DISCUSSION_TEMPLATE/q-a.yml
+++ b/.github/DISCUSSION_TEMPLATE/q-a.yml
@ -0,0 +1,15 @@
 ---
 body:
  - type: markdown
    attributes:
      value: |
        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
  - type: textarea
    id: q-a
    attributes:
      label: What question do you have?
      description: Please provide as much context as possible. Remember that only questions related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
      value: |
        I would like to know...
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -1,38 +0,0 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: ""
 labels: "bug"
 ---
 ### Environment
 Include the result of the following commands:
  - `nginx -V`
  - `uname -a`
 ### Description
 Describe the bug in full detail including expected and actual behavior.
 Specify conditions that caused it. Provide the relevant part of nginx
 configuration and debug log.
 - [ ] The bug is reproducible with the latest version of nginx
 - [ ] The nginx configuration is minimized to the smallest possible
 to reproduce the issue and doesn't contain third-party modules
 #### nginx configuration
 ```
 # Your nginx configuration here
 ```
 or share the configuration in [gist](https://gist.github.com/).
 #### nginx debug log
 It is advised to enable
 [debug logging](http://nginx.org/en/docs/debugging_log.html).
 ```
 # Your nginx debug log here
 ```
 or share the debug log in [gist](https://gist.github.com/).
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -0,0 +1,106 @@
 ---
 name: 🐛 Bug report
 description: Create a report to help us improve
 labels: bug
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for taking the time to fill out this bug report!
        Before you continue filling out this report, please take a moment to check that your bug has not been [already reported on GitHub][issue search], is reproducible with the latest version of nginx, and does not involve any third-party modules 🙌
        Remember to redact any sensitive information such as authentication credentials and/or license keys!
        **Note:** If you are seeking community support, please start a new topic in the [NGINX Community forum][forum]. If you wish to discuss the codebase, please start a new thread via [GitHub discussions][discussions].
        [issue search]: https://github.com/nginx/nginx/search?q=is%3Aissue&type=issues
        [discussions]: https://github.com/nginx/nginx/discussions
        [forum]: https://community.nginx.org
  - type: textarea
    id: overview
    attributes:
      label: Bug Overview
      description: A clear and concise overview of the bug.
      placeholder: When I do "X", "Y" happens instead of "Z".
    validations:
      required: true
  - type: textarea
    id: behavior
    attributes:
      label: Expected Behavior
      description: A clear and concise description of what you expected to happen.
      placeholder: When I do "X", I expect "Z" to happen.
    validations:
      required: true
  - type: textarea
    id: steps
    attributes:
      label: Steps to Reproduce the Bug
      description: Detail the series of steps required to reproduce the bug.
      placeholder: When I run "X" using [...], "X" fails with "Y" error message. If I check the terminal outputs and/or logs, I see the following info.
    validations:
      required: true
  - type: textarea
    id: configuration
    attributes:
      label: NGINX Configuration
      description: Please provide your NGINX configuration. Minimize it to the smallest possible configuration that reproduces the issue.
      value: |
        ```
        # Your NGINX configuration
        ```
    validations:
      required: true
  - type: textarea
    id: version
    attributes:
      label: NGINX version and build configuration options
      description: Please provide details about your NGINX build.
      value: |
        The output of `nginx -V`: [...]
    validations:
      required: true
  - type: textarea
    id: environment
    attributes:
      label: Environment where NGINX is being built and/or deployed
      description: Please provide details about your environment.
      value: |
        - Target deployment platform: [e.g. AWS/GCP/local cluster/etc...]
        - Target OS: [e.g. RHEL 9/Ubuntu 24.04/etc...]
    validations:
      required: true
  - type: textarea
    id: architecture
    attributes:
      label: Architecture where NGINX is being built and/or deployed
      description: Please provide details about your deployment environment.
      value: |
        The output of `uname -a`: [...]
    validations:
      required: true
  - type: textarea
    id: logs
    attributes:
      label: NGINX Debug Log
      description: Please provide your NGINX debug log. See this [doc](http://nginx.org/en/docs/debugging_log.html) for details on how to enable it.
      value: |
        ```
        # Your NGINX debug log
        ```
  - type: textarea
    id: context
    attributes:
      label: Additional Context
      description: Add any other context about the problem here.
      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this issue in here.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1,12 @@
 ---
 blank_issues_enabled: false
 contact_links:
  - name: 💬 Talk to the NGINX community!
    url: https://community.nginx.org
    about: A community forum for NGINX users, developers, and contributors
  - name: 📝 Code of Conduct
    url: https://www.contributor-covenant.org/version/2/1/code_of_conduct
    about: NGINX follows the Contributor Covenant Code of Conduct to ensure a safe and inclusive community
  - name: 💼 For commercial & enterprise users
    url: https://www.f5.com/products/nginx
    about: F5 offers a wide range of NGINX products for commercial & enterprise users
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -1,18 +0,0 @@
 ---
 name: Feature request
 about: Suggest a feature for nginx
 title: ""
 labels: "feature"
 ---
 ### Describe the feature you'd like to add to nginx
 A clear and concise description of the feature.
 ### Describe the problem this feature solves
 A clear and concise description of the problem.
 ### Additional context
 Add any other context about the feature request here.
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -0,0 +1,40 @@
 ---
 name: ✨ Feature request
 description: Suggest an idea for this project
 labels: enhancement
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for taking the time to fill out this feature request!
        Before you continue filling out this request, please take a moment to check that your feature has not been [already requested on GitHub][issue search] 🙌
        **Note:** If you are seeking community support, please start a new topic in the [NGINX Community forum][forum]. If you wish to discuss the codebase, please start a new thread via [GitHub discussions][discussions].
        [issue search]: https://github.com/nginx/nginx/search?q=is%3Aissue&type=issues
        [discussions]: https://github.com/nginx/nginx/discussions
        [forum]: https://community.nginx.org
  - type: textarea
    id: overview
    attributes:
      label: Feature Overview
      description: A clear and concise description of what the feature request is.
      placeholder: I would like this project to be able to do "X".
    validations:
      required: true
  - type: textarea
    id: alternatives
    attributes:
      label: Alternatives Considered
      description: Detail any potential alternative solutions/workarounds you've used or considered.
      placeholder: I have done/might be able to do "X" in this project by doing "Y".
  - type: textarea
    id: context
    attributes:
      label: Additional Context
      description: Add any other context about the problem here.
      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this feature request here.
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,10 +1,10 @@
 ### Proposed changes
-Describe the use case and detail of the change.
+Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) in this PR's description or commit message.
-If this pull request addresses an issue on GitHub, make sure to reference that
+### Checklist
 issue using one of the
 [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue).
-Before creating a pull request, make sure to comply with the
+Before creating a PR, run through this checklist and mark each as complete:
-[Contributing Guidelines](https://github.com/nginx/nginx/blob/master/CONTRIBUTING.md).
+
 - [ ] I have read the [contributing guidelines](/CONTRIBUTING.md).
 - [ ] I have checked that NGINX compiles and runs after adding my changes.
--- a/.github/workflows/f5_cla.yml
+++ b/.github/workflows/f5_cla.yml
@ -0,0 +1,41 @@
 ---
 name: F5 CLA
 on:
  issue_comment:
    types: [created]
  pull_request_target:
    types: [opened, closed, synchronize]
 permissions: read-all
 jobs:
  f5-cla:
    name: F5 CLA
    runs-on: ubuntu-24.04
    permissions:
      actions: write
      pull-requests: write
      statuses: write
    steps:
      - name: Run F5 Contributor License Agreement (CLA) assistant
        if: (github.event.comment.body == 'recheck' || github.event.comment.body == 'I have hereby read the F5 CLA and agree to its terms') || github.event_name == 'pull_request_target'
        uses: contributor-assistant/github-action@ca4a40a7d1004f18d9960b404b97e5f30a505a08 # v2.6.1
        with:
          # Path to the CLA document.
          path-to-document: https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md
          # Custom CLA messages.
          custom-notsigned-prcomment: '🎉 Thank you for your contribution! It appears you have not yet signed the [F5 Contributor License Agreement (CLA)](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md), which is required for your changes to be incorporated into an F5 Open Source Software (OSS) project. Please kindly read the [F5 CLA](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md) and reply on a new comment with the following text to agree:'
          custom-pr-sign-comment: 'I have hereby read the F5 CLA and agree to its terms'
          custom-allsigned-prcomment: '✅ All required contributors have signed the F5 CLA for this PR. Thank you!'
          # Remote repository storing CLA signatures.
          remote-organization-name: f5
          remote-repository-name: f5-cla-data
          # Branch where CLA signatures are stored.
          branch: main
          path-to-signatures: signatures/signatures.json
          # Comma separated list of usernames for maintainers or any other individuals who should not be prompted for a CLA.
          # NOTE: You will want to edit the usernames to suit your project needs.
          allowlist: bot*
          # Do not lock PRs after a merge.
          lock-pullrequest-aftermerge: false
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          PERSONAL_ACCESS_TOKEN: ${{ secrets.F5_CLA_TOKEN }}
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -5,34 +5,34 @@ We really appreciate that you are considering contributing!
 ## Table of Contents
 - [Ask a Question](#ask-a-question)
 - [Report a Bug](#report-a-bug)
 - [Suggest a Feature or Enhancement](#suggest-a-feature-or-enhancement)
 - [Open a Discussion](#open-a-discussion)
 - [Submit a Pull Request](#submit-a-pull-request)
 - [Issue Lifecycle](#issue-lifecycle)
 ## Ask a Question
 To ask a question, open an issue on GitHub with the label `question`.
 ## Report a Bug
 To report a bug, open an issue on GitHub with the label `bug` using the
-available bug report issue template. Before reporting a bug, make sure the
+available [bug report issue form](/.github/ISSUE_TEMPLATE/bug_report.yml).
-issue has not already been reported.
+Please ensure the bug has not already been reported. **If the bug is a
 potential security vulnerability, please report it using our
 [security policy](/SECURITY.md).**
 ## Suggest a Feature or Enhancement
-To suggest a feature or enhancement, open an issue on GitHub with the label
+To suggest a feature or enhancement, please create an issue on GitHub with the
-`feature` or `enhancement` using the available feature request issue template.
+label `enhancement` using the available
 [feature request issue form](/.github/ISSUE_TEMPLATE/feature_request.yml).
 Please ensure the feature or enhancement has not already been suggested.
 ## Open a Discussion
 If you want to engage in a conversation with the community and maintainers,
 we encourage you to use
-[GitHub Discussions](https://github.com/nginx/nginx/discussions).
+[GitHub Discussions](https://github.com/nginx/nginx/discussions) to discuss
 the NGINX codebase or the [NGINX Community forum](https://community.nginx.org)
 to chat anything else NGINX (including troubleshooting).
 ## Submit a Pull Request
@ -89,7 +89,20 @@ git clone https://github.com/nginx/nginx-tests.git
 ```
 - Submitting a change implies granting project a permission to use it under the
-[BSD-2-Clause license](https://github.com/nginx/nginx/blob/master/LICENSE)
+[BSD-2-Clause license](/LICENSE)
 ### F5 Contributor License Agreement (CLA)
 F5 requires all contributors to agree to the terms of the F5 CLA
 (available [here](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md))
 before any of their changes can be incorporated into an F5 Open Source
 repository (even contributions to the F5 CLA itself!).
 If you have not yet agreed to the F5 CLA terms and submit a PR to this
 repository, a bot will prompt you to view and agree to the F5 CLA.
 You will have to agree to the F5 CLA terms through a comment in the PR
 before any of your changes can be merged. Your agreement signature
 will be safely stored by F5 and no longer be required in future PRs.
 ## Issue Lifecycle
--- a/README.md
+++ b/README.md
@ -4,6 +4,11 @@
  <img alt="NGINX Banner">
 </picture>
 [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
 [![Community Forum](https://img.shields.io/badge/community-forum-009639?logo=discourse&link=https%3A%2F%2Fcommunity.nginx.org)](https://community.nginx.org)
 [![License](https://img.shields.io/badge/License-BSD%202--Clause-blue.svg)](/LICENSE)
 [![Code of Conduct](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md)
 NGINX (pronounced "engine x" or "en-jin-eks") is the world's most popular Web Server, high performance Load Balancer, Reverse Proxy, API Gateway and Content Cache.
 NGINX is free and open source software, distributed under the terms of a simplified [2-clause BSD-like license](LICENSE).
@ -60,7 +65,6 @@ nginx -V
 ```
 > See [Configuring the build](#configuring-the-build) for information on how to include specific Static modules into your nginx build.
 ## Configurations
 NGINX is highly flexible and configurable. Provisioning the software is achieved via text-based config file(s) accepting parameters called "[Directives](https://nginx.org/en/docs/dirindex.html)". See [Configuration File's Structure](https://nginx.org/en/docs/beginners_guide.html#conf_structure) for a comprehensive description of how NGINX configuration files work.
@ -209,9 +213,7 @@ The output of which should start with:
 ```
 # Asking questions and reporting issues
-We encourage you to engage with us.
+See our [Support](SUPPORT.md) guidelines for information on how discuss the codebase, ask troubleshooting questions, and report issues.
 - [NGINX GitHub Discussions](https://github.com/nginx/nginx/discussions), is the go-to place to start asking questions and sharing your thoughts.
 - Our [GitHub Issues](https://github.com/nginx/nginx/issues) page offers space to submit and discuss specific issues, report bugs, and suggest enhancements.
 # Contributing code
 Please see the [Contributing](CONTRIBUTING.md) guide for information on how to contribute code.
--- a/SUPPORT.md
+++ b/SUPPORT.md
@ -0,0 +1,48 @@
 # Support
 ## Ask a Question
 We use GitHub issues for tracking bugs and feature requests
 related to this project.
 If you don't know how something in the codebase works, are curious if NGINX
 is capable of achieving your desired functionality or want to discuss the
 implementation of an existing or in development feature, please start a
 GitHub discussion!
 ## NGINX Specific Questions and/or Issues
 This project isn't the right place to get support for NGINX and/or NGINX
 troubleshooting questions, but the following resources are available below.
 Thanks for your understanding!
 ### Community Forum
 We have a [community forum](https://community.nginx.org/)!
 If you have any NGINX specific questions and/or issues,
 try checking out the [`NGINX category`](https://community.nginx.org/c/projects/nginx/23).
 For general discussions around anything tangentially NGINX related,
 check out the [`General Discussion category`](https://community.nginx.org/c/general-discussion/34).
 Both fellow community members and NGINXers might be able to help you! :)
 ### Documentation
 For a comprehensive list of all NGINX directives, check out <https://nginx.org>.
 For a comprehensive list of administration and deployment guides for all
 NGINX products, check out <https://docs.nginx.com>.
 ## Contributing
 Please see the [contributing guide](/CONTRIBUTING.md) for guidelines
 on how to best contribute to this project.
 ## Commercial Support
 Commercial support for this project is available.
 Please get in touch with [F5 sales](https://www.f5.com/products/get-f5/)
 or check your contract details for more information!
 ## Community Support
 Community support is offered on a best effort basis through any of our active communities.
--- a/auto/cc/clang
+++ b/auto/cc/clang
@ -5,15 +5,6 @@
 # clang
 NGX_CLANG_VER=`$CC -v 2>&1 | grep 'version' 2>&1 \
                           | sed -n -e 's/^.*clang version \(.*\)/\1/p' \
                                    -e 's/^.*LLVM version \(.*\)/\1/p'`
 echo " + clang version: $NGX_CLANG_VER"
 have=NGX_COMPILER value="\"clang $NGX_CLANG_VER\"" . auto/define
 CC_TEST_FLAGS="-pipe"
--- a/auto/cc/gcc
+++ b/auto/cc/gcc
@ -8,14 +8,6 @@
 #     4.0.0, 4.0.1, 4.1.0
 NGX_GCC_VER=`$CC -v 2>&1 | grep 'gcc version' 2>&1 \
                         | sed -e 's/^.* version \(.*\)/\1/'`
 echo " + gcc version: $NGX_GCC_VER"
 have=NGX_COMPILER value="\"gcc $NGX_GCC_VER\"" . auto/define
 # Solaris 7's /usr/ccs/bin/as does not support "-pipe"
 CC_TEST_FLAGS="-pipe"
@ -112,7 +104,7 @@ esac
 CC_AUX_FLAGS="$CC_AUX_FLAGS $CPU_OPT"
-case "$NGX_GCC_VER" in
+case "$NGX_CC_VER" in
    2.7*)
        # batch build
        CPU_OPT=
@ -145,7 +137,7 @@ CFLAGS="$CFLAGS -Wall -Wpointer-arith"
 #CFLAGS="$CFLAGS -Winline"
 #CFLAGS="$CFLAGS -Wmissing-prototypes"
-case "$NGX_GCC_VER" in
+case "$NGX_CC_VER" in
    2.*)
        # we have a lot of the unused function arguments
        CFLAGS="$CFLAGS -Wno-unused"
--- a/auto/cc/icc
+++ b/auto/cc/icc
@ -5,14 +5,6 @@
 # Intel C++ compiler 7.1, 8.0, 8.1, 9.0, 11.1
 NGX_ICC_VER=`$CC -V 2>&1 | grep 'Version' 2>&1 \
                         | sed -e 's/^.* Version \([^ ]*\) *Build.*$/\1/'`
 echo " + icc version: $NGX_ICC_VER"
 have=NGX_COMPILER value="\"Intel C Compiler $NGX_ICC_VER\"" . auto/define
 # optimizations
 CFLAGS="$CFLAGS -O"
@ -83,7 +75,7 @@ CFLAGS="$CFLAGS -wd1418"
 # external declaration in primary source file
 CFLAGS="$CFLAGS -wd1419"
-case "$NGX_ICC_VER" in
+case "$NGX_CC_VER" in
    9.*)
        # "cc" clobber ignored, warnings for Linux's htonl()/htons()
        CFLAGS="$CFLAGS -wd1469"
--- a/auto/cc/msvc
+++ b/auto/cc/msvc
@ -11,20 +11,12 @@
 # MSVC 2015 (14.0)                        cl 19.00
-NGX_MSVC_VER=`$NGX_WINE $CC 2>&1 | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
+ngx_msvc_ver=`echo $NGX_CC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
                                 | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
 echo " + cl version: $NGX_MSVC_VER"
 have=NGX_COMPILER value="\"cl $NGX_MSVC_VER\"" . auto/define
 ngx_msvc_ver=`echo $NGX_MSVC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
 # detect x64 builds
-case "$NGX_MSVC_VER" in
+case "$NGX_CC_VER" in
    *ARM64)
        NGX_MACHINE=arm64
--- a/auto/cc/name
+++ b/auto/cc/name
@ -28,6 +28,13 @@ if [ "$CC" = cl ]; then
    NGX_CC_NAME=msvc
    echo " + using Microsoft Visual C++ compiler"
    NGX_CC_VER=`$NGX_WINE $CC 2>&1 \
                | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
                | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
    echo " + cl version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"cl $NGX_CC_VER\"" . auto/define
 elif [ "$CC" = wcl386 ]; then
    NGX_CC_NAME=owc
    echo " + using Open Watcom C compiler"
@ -40,22 +47,48 @@ elif `$CC -V 2>&1 | grep '^Intel(R) C' >/dev/null 2>&1`; then
    NGX_CC_NAME=icc
    echo " + using Intel C++ compiler"
    NGX_CC_VER=`$CC -V 2>&1 \
                | sed -n -e 's/^.* Version \([^ ]*\) *Build.*$/\1/p'`
    echo " + icc version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"Intel C Compiler $NGX_CC_VER\"" . auto/define
 elif `$CC -v 2>&1 | grep 'gcc version' >/dev/null 2>&1`; then
    NGX_CC_NAME=gcc
    echo " + using GNU C compiler"
    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*gcc version \(.*\)/\1/p'`
    echo " + gcc version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"gcc $NGX_CC_VER\"" . auto/define
 elif `$CC -v 2>&1 | grep 'clang version' >/dev/null 2>&1`; then
    NGX_CC_NAME=clang
    echo " + using Clang C compiler"
    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*clang version \(.*\)/\1/p'`
    echo " + clang version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"clang $NGX_CC_VER\"" . auto/define
 elif `$CC -v 2>&1 | grep 'LLVM version' >/dev/null 2>&1`; then
    NGX_CC_NAME=clang
    echo " + using Clang C compiler"
    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*LLVM version \(.*\)/\1/p'`
    echo " + clang version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"clang $NGX_CC_VER\"" . auto/define
 elif `$CC -V 2>&1 | grep 'Sun C' >/dev/null 2>&1`; then
    NGX_CC_NAME=sunc
    echo " + using Sun C compiler"
    NGX_CC_VER=`$CC -V 2>&1 | sed -n -e 's/^.* Sun C \(.*\)/\1/p'`
    echo " + Sun C version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"Sun C $NGX_CC_VER\"" . auto/define
 elif `$CC -V 2>&1 | grep '^Compaq C' >/dev/null 2>&1`; then
    NGX_CC_NAME=ccc
    echo " + using Compaq C compiler"
--- a/auto/cc/sunc
+++ b/auto/cc/sunc
@ -13,13 +13,6 @@
 # Sun C 5.13 SunOS_i386 2014/10/20        Oracle Solaris Studio 12.4
 # Sun C 5.14 SunOS_i386 2016/05/31        Oracle Developer Studio 12.5
 NGX_SUNC_VER=`$CC -V 2>&1 | grep 'Sun C' 2>&1 \
                          | sed -e 's/^.* Sun C \(.*\)/\1/'`
 echo " + Sun C version: $NGX_SUNC_VER"
 have=NGX_COMPILER value="\"Sun C $NGX_SUNC_VER\"" . auto/define
 cat << END > $NGX_AUTOTEST.c
--- a/auto/lib/pcre/make
+++ b/auto/lib/pcre/make
@ -37,6 +37,7 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
                       pcre2_xclass.c"
        ngx_pcre_test="pcre2_chkdint.c \
                       pcre2_compile_cgroup.c \
                       pcre2_compile_class.c \
                       pcre2_convert.c \
                       pcre2_extuni.c \
--- a/auto/modules
+++ b/auto/modules
@ -729,7 +729,7 @@ if [ $HTTP = YES ]; then
        ngx_module_name=ngx_http_proxy_module
        ngx_module_incs=
-        ngx_module_deps=
+        ngx_module_deps=src/http/modules/ngx_http_proxy_module.h
        ngx_module_srcs=src/http/modules/ngx_http_proxy_module.c
        ngx_module_libs=
        ngx_module_link=$HTTP_PROXY
@ -781,6 +781,17 @@ if [ $HTTP = YES ]; then
        . auto/module
    fi
    if [ $HTTP_PROXY = YES -a $HTTP_V2 = YES ]; then
        ngx_module_name=ngx_http_proxy_v2_module
        ngx_module_incs=
        ngx_module_deps=
        ngx_module_srcs=src/http/modules/ngx_http_proxy_v2_module.c
        ngx_module_libs=
        ngx_module_link=$HTTP_V2
        . auto/module
    fi
    if [ $HTTP_PERL != NO ]; then
        ngx_module_name=ngx_http_perl_module
        ngx_module_incs=src/http/modules/perl
--- a/conf/nginx.conf
+++ b/conf/nginx.conf
@ -36,8 +36,6 @@ http {
        listen       80;
        server_name  localhost;
        #charset koi8-r;
        #access_log  logs/host.access.log  main;
        location / {
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@ -5,8 +5,253 @@
 <change_log title="nginx">
 <changes ver="1.29.4" date="2025-12-09">
 <change type="feature">
 <para lang="ru">
 модуль ngx_http_proxy_module поддерживает HTTP/2.
 </para>
 <para lang="en">
 the ngx_http_proxy_module supports HTTP/2.
 </para>
 </change>
 <change type="feature">
 <para lang="ru">
 поддержка расширения TLS Encrypted ClientHello
 при использовании ветки разработки ECH OpenSSL;
 директива ssl_ech_file.<br/>
 Спасибо Stephen Farrell.
 </para>
 <para lang="en">
 Encrypted ClientHello TLS extension support
 when using OpenSSL ECH feature branch;
 the "ssl_ech_file" directive.<br/>
 Thanks to Stephen Farrell.
 </para>
 </change>
 <change type="change">
 <para lang="ru">
 валидация хоста и порта в строке запроса,
 в заголовке "Host" и псевдо-заголовке ":authority"
 изменена на соответствующую RFC 3986.
 </para>
 <para lang="en">
 validation of host and port in the request line,
 "Host" header field, and ":authority" pseudo-header field
 has been changed to follow RFC 3986.
 </para>
 </change>
 <change type="change">
 <para lang="ru">
 теперь одиночный символ LF, используемый для перевода строки
 в chunked-теле запроса или ответа, считается ошибкой.
 </para>
 <para lang="en">
 now a single LF used as a line terminator
 in a chunked request or response body is considered an error.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 при использовании HTTP/3 с OpenSSL 3.5.1 и новее
 в рабочем процессе мог произойти segmentation fault;
 ошибка появилась в 1.29.1.<br/>
 Спасибо Jan Svojanovsky.
 </para>
 <para lang="en">
 when using HTTP/3 with OpenSSL 3.5.1 or newer
 a segmentation fault might occur in a worker process;
 the bug had appeared in 1.29.1.<br/>
 Thanks to Jan Svojanovsky.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 при совместном использовании директив try_files и proxy_pass с URI
 в рабочем процессе мог произойти segmentation fault.
 </para>
 <para lang="en">
 a segmentation fault might occur in a worker process
 if the "try_files" directive and "proxy_pass" with a URI were used.
 </para>
 </change>
 </changes>
 <changes ver="1.29.3" date="2025-10-28">
 <change type="feature">
 <para lang="ru">
 директивы add_header_inherit и add_trailer_inherit.
 </para>
 <para lang="en">
 the "add_header_inherit" and "add_trailer_inherit" directives.
 </para>
 </change>
 <change type="feature">
 <para lang="ru">
 переменные $request_port и $is_request_port.
 </para>
 <para lang="en">
 the $request_port and $is_request_port variables.
 </para>
 </change>
 <change type="feature">
 <para lang="ru">
 переменные $ssl_sigalg и $ssl_client_sigalg.
 </para>
 <para lang="en">
 the $ssl_sigalg and $ssl_client_sigalg variables.
 </para>
 </change>
 <change type="feature">
 <para lang="ru">
 параметр volatile директивы geo.
 </para>
 <para lang="en">
 the "volatile" parameter of the "geo" directive.
 </para>
 </change>
 <change type="feature">
 <para lang="ru">
 теперь сжатие сертификатов доступно с BoringSSL.
 </para>
 <para lang="en">
 now certificate compression is available with BoringSSL.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 теперь сжатие сертификатов запрещено при включенном OCSP stapling.
 </para>
 <para lang="en">
 now certificate compression is disabled with OCSP stapling.
 </para>
 </change>
 </changes>
 <changes ver="1.29.2" date="2025-10-07">
 <change type="feature">
 <para lang="ru">
 теперь nginx можно собрать с AWS-LC.<br/>
 Спасибо Samuel Chiang.
 </para>
 <para lang="en">
 now nginx can be built with AWS-LC.<br/>
 Thanks Samuel Chiang.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 теперь директива ssl_protocols работает
 в виртуальном сервере, отличном от сервера по умолчанию,
 при использовании OpenSSL 1.1.1 и новее.
 </para>
 <para lang="en">
 now the "ssl_protocols" directive works
 in a virtual server different from the default server
 when using OpenSSL 1.1.1 or newer.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 при использовании TLSv1.3 с OpenSSL и клиентских сертификатов
 SSL handshake всегда завершался ошибкой
 при восстановлении сессии с другим значением SNI;
 ошибка появилась в 1.27.4.
 </para>
 <para lang="en">
 SSL handshake always failed
 when using TLSv1.3 with OpenSSL and client certificates
 and resuming a session with a different SNI value;
 the bug had appeared in 1.27.4.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 при использовании QUIC и директивы ssl_reject_handshake
 в логах могли появляться сообщения
 "ignoring stale global SSL error";
 ошибка появилась в 1.29.0.<br/>
 Спасибо Владимиру Хомутову.
 </para>
 <para lang="en">
 the "ignoring stale global SSL error"
 alerts might appear in logs
 when using QUIC and the "ssl_reject_handshake" directive;
 the bug had appeared in 1.29.0.<br/>
 Thanks to Vladimir Homutov.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 в обработке delta-seconds
 в строке "Cache-Control" в заголовке ответа бэкенда.
 </para>
 <para lang="en">
 in delta-seconds processing
 in the "Cache-Control" backend response header line.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 команда XCLIENT не использовала кодировку xtext.<br/>
 Спасибо Igor Morgenstern из Aisle Research.
 </para>
 <para lang="en">
 an XCLIENT command didn't use the xtext encoding.<br/>
 Thanks to Igor Morgenstern of Aisle Research.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 в кешировании SSL-сертификатов во время переконфигурации.
 </para>
 <para lang="en">
 in SSL certificate caching during reconfiguration.
 </para>
 </change>
 </changes>
 <changes ver="1.29.1" date="2025-08-13">
 <change type="security">
 <para lang="ru">
 обработка специально созданного логина/пароля при использовании
 метода аутентификации "none" в модуле ngx_mail_smtp_module
 могла приводить к отправке серверу аутентификации
 части содержимого памяти рабочего процесса (CVE-2025-53859).
 </para>
 <para lang="en">
 processing of a specially crafted login/password when using
 the "none" authentication method in the ngx_mail_smtp_module
 might cause worker process memory disclosure
 to the authentication server (CVE-2025-53859).
 </para>
 </change>
 <change type="change">
 <para lang="ru">
 теперь сжатие сертификатов в протоколе TLSv1.3 по умолчанию запрещено.
@ -8721,7 +8966,7 @@ Thanks to Piotr Sikora.
 Спасибо Piotr Sikora.
 </para>
 <para lang="en">
-now nginx can be build with BoringSSL and LibreSSL.<br/>
+now nginx can be built with BoringSSL and LibreSSL.<br/>
 Thanks to Piotr Sikora.
 </para>
 </change>
@ -26004,7 +26249,7 @@ the ECONNABORTED error log level was changed to "error" from "crit".
 модуль ngx_http_perl_module не собирался без модуля ngx_http_ssi_filter_module.
 </para>
 <para lang="en">
-the ngx_http_perl_module could not be build without
+the ngx_http_perl_module could not be built without
 the ngx_http_ssi_filter_module.
 </para>
 </change>
--- a/misc/GNUmakefile
+++ b/misc/GNUmakefile
@ -6,9 +6,9 @@ TEMP =		tmp
 CC =		cl
 OBJS =		objs.msvc8
-OPENSSL =	openssl-3.5.2
+OPENSSL =	openssl-3.5.4
 ZLIB =		zlib-1.3.1
-PCRE =		pcre2-10.45
+PCRE =		pcre2-10.46
 release: export
--- a/misc/README
+++ b/misc/README
@ -3,7 +3,7 @@ make -f misc/GNUmakefile release
 the required tools:
 *) xsltproc to build CHANGES,
-*) xslscript.pl ( http://hg.nginx.org/xslscript ) to build XSLTs
+*) xslscript.pl ( https://github.com/nginx/xslscript ) to build XSLTs
   from XSLScript sources.
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
-#define nginx_version      1029001
+#define nginx_version      1029005
-#define NGINX_VERSION      "1.29.1"
+#define NGINX_VERSION      "1.29.5"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 #ifdef NGX_BUILD
--- a/src/core/ngx_string.c
+++ b/src/core/ngx_string.c
@ -1494,8 +1494,9 @@ ngx_utf8_cpystrn(u_char *dst, u_char *src, size_t n, size_t len)
 uintptr_t
 ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
 {
-    ngx_uint_t      n;
+    u_char          prefix;
    uint32_t       *escape;
    ngx_uint_t      n;
    static u_char   hex[] = "0123456789ABCDEF";
    /*
@ -1633,11 +1634,36 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
                    /* mail_auth is the same as memcached */
                    /* " ", "+", "=", not allowed */
    static uint32_t   mail_xtext[] = {
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
                    /* ?>=< ;:98 7654 3210  /.-, +*)( '&%$ #"!  */
        0x20000801, /* 0010 0000 0000 0000  0000 1000 0000 0001 */
                    /* _^]\ [ZYX WVUT SRQP  ONML KJIH GFED CBA@ */
        0x00000000, /* 0000 0000 0000 0000  0000 0000 0000 0000 */
                    /*  ~}| {zyx wvut srqp  onml kjih gfed cba` */
        0x80000000, /* 1000 0000 0000 0000  0000 0000 0000 0000 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
        0xffffffff, /* 1111 1111 1111 1111  1111 1111 1111 1111 */
    };
    static uint32_t  *map[] =
-        { uri, args, uri_component, html, refresh, memcached, memcached };
+        { uri, args, uri_component, html, refresh, memcached, memcached,
          mail_xtext };
    static u_char  map_char[] =
        { '%', '%', '%', '%', '%', '%', '%', '+' };
    escape = map[type];
    prefix = map_char[type];
    if (dst == NULL) {
@ -1658,7 +1684,7 @@ ngx_escape_uri(u_char *dst, u_char *src, size_t size, ngx_uint_t type)
    while (size) {
        if (escape[*src >> 5] & (1U << (*src & 0x1f))) {
-            *dst++ = '%';
+            *dst++ = prefix;
            *dst++ = hex[*src >> 4];
            *dst++ = hex[*src & 0xf];
            src++;
--- a/src/core/ngx_string.h
+++ b/src/core/ngx_string.h
@ -203,6 +203,7 @@ u_char *ngx_utf8_cpystrn(u_char *dst, u_char *src, size_t n, size_t len);
 #define NGX_ESCAPE_REFRESH        4
 #define NGX_ESCAPE_MEMCACHED      5
 #define NGX_ESCAPE_MAIL_AUTH      6
 #define NGX_ESCAPE_MAIL_XTEXT     7
 #define NGX_UNESCAPE_URI       1
 #define NGX_UNESCAPE_REDIRECT  2
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -9,6 +9,10 @@
 #include <ngx_core.h>
 #include <ngx_event.h>
 #if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
 #include <zlib.h>
 #endif
 #define NGX_SSL_PASSWORD_BUFFER_SIZE  4096
@ -19,6 +23,13 @@ typedef struct {
 static ngx_inline ngx_int_t ngx_ssl_cert_already_in_hash(void);
 #if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
 static int ngx_ssl_cert_compression_callback(ngx_ssl_conn_t *ssl_conn,
    CBB *out, const uint8_t *in, size_t in_len);
 static void *ngx_ssl_cert_compression_alloc(void *opaque, u_int items,
    u_int size);
 static void ngx_ssl_cert_compression_free(void *opaque, void *address);
 #endif
 static int ngx_ssl_verify_callback(int ok, X509_STORE_CTX *x509_store);
 static void ngx_ssl_info_callback(const ngx_ssl_conn_t *ssl_conn, int where,
    int ret);
@ -128,6 +139,8 @@ int  ngx_ssl_ticket_keys_index;
 int  ngx_ssl_ocsp_index;
 int  ngx_ssl_index;
 int  ngx_ssl_certificate_name_index;
 int  ngx_ssl_certificate_comp_index;
 int  ngx_ssl_client_hello_arg_index;
 u_char  ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
@ -270,6 +283,21 @@ ngx_ssl_init(ngx_log_t *log)
        return NGX_ERROR;
    }
    ngx_ssl_certificate_comp_index = X509_get_ex_new_index(0, NULL, NULL, NULL,
                                                           NULL);
    if (ngx_ssl_certificate_comp_index == -1) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0, "X509_get_ex_new_index() failed");
        return NGX_ERROR;
    }
    ngx_ssl_client_hello_arg_index = SSL_CTX_get_ex_new_index(0, NULL, NULL,
                                                              NULL, NULL);
    if (ngx_ssl_client_hello_arg_index == -1) {
        ngx_ssl_error(NGX_LOG_ALERT, log, 0,
                      "SSL_CTX_get_ex_new_index() failed");
        return NGX_ERROR;
    }
    return NGX_OK;
 }
@ -449,10 +477,18 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
 {
    char            *err;
    X509            *x509, **elm;
    u_long           n;
    EVP_PKEY        *pkey;
    ngx_uint_t       mask;
    STACK_OF(X509)  *chain;
-    chain = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_CERT, &err, cert, NULL);
+    mask = 0;
    elm = NULL;
 retry:
    chain = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_CERT | mask,
                                &err, cert, NULL);
    if (chain == NULL) {
        if (err != NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
@ -492,6 +528,7 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
        }
    }
    if (elm == NULL) {
        elm = ngx_array_push(&ssl->certs);
        if (elm == NULL) {
            X509_free(x509);
@ -499,6 +536,10 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
            return NGX_ERROR;
        }
    } else {
        X509_free(*elm);
    }
    *elm = x509;
    /*
@ -519,11 +560,21 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    }
 #else
    {
    int  n;
    /* SSL_CTX_set0_chain() is only available in OpenSSL 1.0.2+ */
 #ifdef SSL_CTRL_CLEAR_EXTRA_CHAIN_CERTS
    /* OpenSSL 1.0.1+ */
    SSL_CTX_clear_extra_chain_certs(ssl->ctx);
 #else
    if (ssl->ctx->extra_certs) {
        sk_X509_pop_free(ssl->ctx->extra_certs, X509_free);
        ssl->ctx->extra_certs = NULL;
    }
 #endif
    n = sk_X509_num(chain);
    while (n--) {
@ -539,10 +590,11 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    }
    sk_X509_free(chain);
-    }
+
 #endif
-    pkey = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_PKEY, &err, key, passwords);
+    pkey = ngx_ssl_cache_fetch(cf, NGX_SSL_CACHE_PKEY | mask,
                               &err, key, passwords);
    if (pkey == NULL) {
        if (err != NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
@ -554,9 +606,23 @@ ngx_ssl_certificate(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *cert,
    }
    if (SSL_CTX_use_PrivateKey(ssl->ctx, pkey) == 0) {
        EVP_PKEY_free(pkey);
        /* there can be mismatched pairs on uneven cache update */
        n = ERR_peek_last_error();
        if (ERR_GET_LIB(n) == ERR_LIB_X509
            && ERR_GET_REASON(n) == X509_R_KEY_VALUES_MISMATCH
            && mask == 0)
        {
            ERR_clear_error();
            mask = NGX_SSL_CACHE_INVALIDATE;
            goto retry;
        }
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_use_PrivateKey(\"%s\") failed", key->data);
        EVP_PKEY_free(pkey);
        return NGX_ERROR;
    }
@ -682,6 +748,18 @@ ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
    SSL_CTX_clear_options(ssl->ctx, SSL_OP_NO_TX_CERTIFICATE_COMPRESSION);
 #elif (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
    if (SSL_CTX_add_cert_compression_alg(ssl->ctx, TLSEXT_cert_compression_zlib,
                                         ngx_ssl_cert_compression_callback,
                                         NULL)
        == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_add_cert_compression_alg() failed");
        return NGX_ERROR;
    }
 #else
    ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
@ -694,6 +772,155 @@ ngx_ssl_certificate_compression(ngx_conf_t *cf, ngx_ssl_t *ssl,
 }
 #if (NGX_ZLIB && defined TLSEXT_cert_compression_zlib)
 static int
 ngx_ssl_cert_compression_callback(ngx_ssl_conn_t *ssl_conn, CBB *out,
    const uint8_t *in, size_t in_len)
 {
    int                rc;
    X509              *cert;
    u_char            *p;
    z_stream           zstream;
    ngx_str_t         *comp, tmp;
    ngx_pool_t        *pool;
    ngx_connection_t  *c;
 #ifdef OPENSSL_IS_BORINGSSL
    {
    SSL_CTX    *ssl_ctx;
    ngx_ssl_t  *ssl;
    /* BoringSSL doesn't have certificate slots, we take the last set */
    ssl_ctx = SSL_get_SSL_CTX(ssl_conn);
    ssl = SSL_CTX_get_ex_data(ssl_ctx, ngx_ssl_index);
    cert = ((X509 **) ssl->certs.elts)[ssl->certs.nelts - 1];
    }
 #else
    /*
     * AWS-LC saves leaf certificate in SSL to associate with SSL_CTX,
     * see https://github.com/aws/aws-lc/commit/e1ba2b3e5
     */
    cert = SSL_get_certificate(ssl_conn);
 #endif
    comp = X509_get_ex_data(cert, ngx_ssl_certificate_comp_index);
    if (comp != NULL) {
        return CBB_add_bytes(out, comp->data, comp->len);
    }
    c = ngx_ssl_get_connection(ssl_conn);
    pool = ngx_create_pool(256, c->log);
    if (pool == NULL) {
        return 0;
    }
    pool->log = c->log;
    ngx_memzero(&zstream, sizeof(z_stream));
    zstream.zalloc = ngx_ssl_cert_compression_alloc;
    zstream.zfree = ngx_ssl_cert_compression_free;
    zstream.opaque = pool;
    rc = deflateInit(&zstream, Z_DEFAULT_COMPRESSION);
    if (rc != Z_OK) {
        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "deflateInit() failed: %d", rc);
        goto error;
    }
    tmp.len = deflateBound(&zstream, in_len);
    tmp.data = ngx_palloc(pool, tmp.len);
    if (tmp.data == NULL) {
        goto error;
    }
    zstream.next_in = (u_char *) in;
    zstream.avail_in = in_len;
    zstream.next_out = tmp.data;
    zstream.avail_out = tmp.len;
    rc = deflate(&zstream, Z_FINISH);
    if (rc != Z_STREAM_END) {
        ngx_log_error(NGX_LOG_ALERT, c->log, 0,
                      "deflate(Z_FINISH) failed: %d", rc);
        goto error;
    }
    tmp.len -= zstream.avail_out;
    rc = deflateEnd(&zstream);
    if (rc != Z_OK) {
        ngx_log_error(NGX_LOG_ALERT, c->log, 0, "deflateEnd() failed: %d", rc);
        goto error;
    }
    p = ngx_alloc(sizeof(ngx_str_t) + tmp.len, c->log);
    if (p == NULL) {
        goto error;
    }
    comp = (ngx_str_t *) p;
    comp->len = tmp.len;
    comp->data = p + sizeof(ngx_str_t);
    ngx_memcpy(comp->data, tmp.data, tmp.len);
    if (X509_set_ex_data(cert, ngx_ssl_certificate_comp_index, p) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "X509_set_ex_data() failed");
        ngx_free(p);
    }
    rc = CBB_add_bytes(out, tmp.data, tmp.len);
    ngx_destroy_pool(pool);
    return rc;
 error:
    ngx_destroy_pool(pool);
    return 0;
 }
 static void *
 ngx_ssl_cert_compression_alloc(void *opaque, u_int items, u_int size)
 {
    ngx_pool_t *pool = opaque;
    ngx_log_debug2(NGX_LOG_DEBUG_EVENT, pool->log, 0,
                   "cert compression alloc: n:%ud s:%ud", items, size);
    return ngx_palloc(pool, items * size);
 }
 static void
 ngx_ssl_cert_compression_free(void *opaque, void *address)
 {
 #if 0
    ngx_pool_t *pool = opaque;
    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, pool->log, 0,
                   "cert compression free: %p", address);
 #endif
 }
 #endif
 ngx_int_t
 ngx_ssl_ciphers(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *ciphers,
    ngx_uint_t prefer_server_ciphers)
@ -1426,6 +1653,105 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 }
 ngx_int_t
 ngx_ssl_ech_files(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *filenames)
 {
 #ifdef SSL_OP_ECH_GREASE
    int             numkeys;
    BIO            *in;
    ngx_int_t       rc;
    ngx_str_t      *filename;
    ngx_uint_t      i;
    OSSL_ECHSTORE  *es;
    if (filenames == NULL) {
        return NGX_OK;
    }
    es = OSSL_ECHSTORE_new(NULL, NULL);
    if (es == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "OSSL_ECHSTORE_new() failed");
        return NGX_ERROR;
    }
    rc = NGX_ERROR;
    filename = filenames->elts;
    for (i = 0; i < filenames->nelts; i++) {
        if (ngx_conf_full_name(cf->cycle, &filename[i], 1) != NGX_OK) {
            goto cleanup;
        }
        in = BIO_new_file((char *) filename[i].data, "r");
        if (in == NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "BIO_new_file(\"%s\") failed", filename[i].data);
            goto cleanup;
        }
        /*
         * We only set the ECHConfigList from the first file read to use
         * in ECH retry-configs.
         *
         * That allows many sensible key rotation schemes so that the
         * values sent in ECH retry-configs are smaller and current.
         * For example, if the first file name has the current ECH
         * private key, and a second one has the previously used key
         * that some clients may still use due to DNS caching.
         */
         if (OSSL_ECHSTORE_read_pem(es, in, i ? OSSL_ECH_NO_RETRY
                                              : OSSL_ECH_FOR_RETRY)
             != 1)
         {
             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                           "OSSL_ECHSTORE_read_pem(%s) failed",
                           filename[i].data);
             BIO_free(in);
             goto cleanup;
         }
         BIO_free(in);
    }
    /*
     * load the ECH store after checking there's at least one ECH
     * private key in there (the PEM file spec allows zero or one
     * private key per file)
     */
    if (OSSL_ECHSTORE_num_keys(es, &numkeys) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "OSSL_ECHSTORE_num_keys(%s) failed");
        goto cleanup;
    }
    if (numkeys > 0 && SSL_CTX_set1_echstore(ssl->ctx, es) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set1_echstore() failed");
        goto cleanup;
    }
    rc = NGX_OK;
 cleanup:
    OSSL_ECHSTORE_free(es);
    return rc;
 #else
    if (filenames != NULL) {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_ech_file\" is not supported on this platform, "
                      "ignored");
    }
    return NGX_OK;
 #endif
 }
 ngx_int_t
 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
 {
@ -1645,6 +1971,131 @@ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
 }
 ngx_int_t
 ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl, ngx_ssl_client_hello_arg *cb)
 {
 #ifdef SSL_CLIENT_HELLO_SUCCESS
    SSL_CTX_set_client_hello_cb(ssl->ctx, ngx_ssl_client_hello_callback, NULL);
    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }
 #elif defined OPENSSL_IS_BORINGSSL
    SSL_CTX_set_select_certificate_cb(ssl->ctx, ngx_ssl_select_certificate);
    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }
 #endif
    return NGX_OK;
 }
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 int
 ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
 {
    u_char                    *p;
    size_t                     len;
    ngx_int_t                  rc;
    ngx_str_t                  host;
    ngx_connection_t          *c;
    ngx_ssl_client_hello_arg  *cb;
    c = ngx_ssl_get_connection(ssl_conn);
    cb = SSL_CTX_get_ex_data(c->ssl->session_ctx,
                             ngx_ssl_client_hello_arg_index);
    if (SSL_client_hello_get0_ext(ssl_conn, TLSEXT_TYPE_server_name,
                                  (const unsigned char **) &p, &len)
        == 0)
    {
        ngx_str_null(&host);
        goto done;
    }
    /*
     * RFC 6066 mandates non-zero HostName length, we follow OpenSSL.
     * No more than one ServerName is expected.
     */
    if (len < 5
        || (size_t) (p[0] << 8) + p[1] + 2 != len
        || p[2] != TLSEXT_NAMETYPE_host_name
        || (size_t) (p[3] << 8) + p[4] + 2 + 3 != len)
    {
        *ad = SSL_AD_DECODE_ERROR;
        return SSL_CLIENT_HELLO_ERROR;
    }
    len -= 5;
    p += 5;
    if (len > TLSEXT_MAXLEN_host_name || ngx_strlchr(p, p + len, '\0')) {
        *ad = SSL_AD_UNRECOGNIZED_NAME;
        return SSL_CLIENT_HELLO_ERROR;
    }
    host.len = len;
    host.data = p;
 done:
    rc = cb->servername(ssl_conn, ad, &host);
    if (rc == SSL_TLSEXT_ERR_ALERT_FATAL) {
        return SSL_CLIENT_HELLO_ERROR;
    }
    return SSL_CLIENT_HELLO_SUCCESS;
 }
 #elif defined OPENSSL_IS_BORINGSSL
 enum ssl_select_cert_result_t ngx_ssl_select_certificate(
    const SSL_CLIENT_HELLO *client_hello)
 {
    int                        ad;
    ngx_int_t                  rc;
    ngx_ssl_conn_t            *ssl_conn;
    ngx_connection_t          *c;
    ngx_ssl_client_hello_arg  *cb;
    ssl_conn = client_hello->ssl;
    c = ngx_ssl_get_connection(ssl_conn);
    cb = SSL_CTX_get_ex_data(c->ssl->session_ctx,
                             ngx_ssl_client_hello_arg_index);
    /*
     * BoringSSL sends a hardcoded "handshake_failure" alert on errors,
     * we use it to map SSL_AD_INTERNAL_ERROR.  To preserve other alert
     * values, error handling is postponed to the servername callback.
     */
    rc = cb->servername(ssl_conn, &ad, NULL);
    if (rc == SSL_TLSEXT_ERR_ALERT_FATAL && ad == SSL_AD_INTERNAL_ERROR) {
        return ssl_select_cert_error;
    }
    return ssl_select_cert_success;
 }
 #endif
 ngx_int_t
 ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c, ngx_uint_t flags)
 {
@ -3561,6 +4012,7 @@ ngx_ssl_connection_error(ngx_connection_t *c, int sslerr, ngx_err_t err,
            || n == SSL_R_TLSV1_ALERT_USER_CANCELLED                 /* 1090 */
            || n == SSL_R_TLSV1_ALERT_NO_RENEGOTIATION               /* 1100 */
 #endif
            || n == 1121 /* SSL_R_TLSV1_ALERT_ECH_REQUIRED */
            )
        {
            switch (c->log_error) {
@ -4792,10 +5244,19 @@ ngx_ssl_cleanup_ctx(void *data)
    ngx_ssl_t  *ssl = data;
    X509        *cert;
    u_char      *p;
    ngx_uint_t   i;
    for (i = 0; i < ssl->certs.nelts; i++) {
        cert = ((X509 **) ssl->certs.elts)[i];
        p = X509_get_ex_data(cert, ngx_ssl_certificate_comp_index);
        if (p) {
            ngx_free(p);
            X509_set_ex_data(cert, ngx_ssl_certificate_comp_index, NULL);
        }
        X509_free(cert);
    }
@ -5192,6 +5653,32 @@ ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }
 ngx_int_t
 ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
 #ifdef SSL_get0_signature_name
    const char  *name;
    if (SSL_get0_signature_name(c->ssl->connection, &name)) {
        s->len = ngx_strlen(name);
        s->data = ngx_pnalloc(pool, s->len);
        if (s->data == NULL) {
            return NGX_ERROR;
        }
        ngx_memcpy(s->data, name, s->len);
        return NGX_OK;
    }
 #endif
    s->len = 0;
    return NGX_OK;
 }
 ngx_int_t
 ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
@ -5321,6 +5808,81 @@ ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }
 ngx_int_t
 ngx_ssl_get_ech_status(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
 #ifdef SSL_OP_ECH_GREASE
    int    echrv;
    char  *inner_sni, *outer_sni;
    inner_sni = NULL;
    outer_sni = NULL;
    echrv = SSL_ech_get1_status(c->ssl->connection, &inner_sni, &outer_sni);
    switch (echrv) {
    case SSL_ECH_STATUS_NOT_TRIED:
        ngx_str_set(s, "NOT_TRIED");
        break;
    case SSL_ECH_STATUS_SUCCESS:
        ngx_str_set(s, "SUCCESS");
        break;
    case SSL_ECH_STATUS_GREASE:
        ngx_str_set(s, "GREASE");
        break;
    case SSL_ECH_STATUS_BACKEND:
        ngx_str_set(s, "BACKEND");
        break;
    default:
        ngx_str_set(s, "FAILED");
        break;
    }
    OPENSSL_free(inner_sni);
    OPENSSL_free(outer_sni);
 #else
    s->len = 0;
 #endif
    return NGX_OK;
 }
 ngx_int_t
 ngx_ssl_get_ech_outer_server_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s)
 {
 #if defined(SSL_OP_ECH_GREASE)
    int    echrv;
    char  *inner_sni, *outer_sni;
    inner_sni = NULL;
    outer_sni = NULL;
    echrv = SSL_ech_get1_status(c->ssl->connection, &inner_sni, &outer_sni);
    if (echrv == SSL_ECH_STATUS_SUCCESS && outer_sni) {
        s->len = ngx_strlen(outer_sni);
        s->data = ngx_pnalloc(pool, s->len);
        if (s->data == NULL) {
            return NGX_ERROR;
        }
        ngx_memcpy(s->data, outer_sni, s->len);
    } else {
        s->len = 0;
    }
    OPENSSL_free(inner_sni);
    OPENSSL_free(outer_sni);
 #else
    s->len = 0;
 #endif
    return NGX_OK;
 }
 ngx_int_t
 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
@ -5937,6 +6499,32 @@ ngx_ssl_parse_time(
 }
 ngx_int_t
 ngx_ssl_get_client_sigalg(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
 #ifdef SSL_get0_peer_signature_name
    const char  *name;
    if (SSL_get0_peer_signature_name(c->ssl->connection, &name)) {
        s->len = ngx_strlen(name);
        s->data = ngx_pnalloc(pool, s->len);
        if (s->data == NULL) {
            return NGX_ERROR;
        }
        ngx_memcpy(s->data, name, s->len);
        return NGX_OK;
    }
 #endif
    s->len = 0;
    return NGX_OK;
 }
 static void *
 ngx_openssl_create_conf(ngx_cycle_t *cycle)
 {
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@ -26,14 +26,6 @@
 #include <openssl/engine.h>
 #endif
 #include <openssl/evp.h>
 #if (NGX_QUIC)
 #ifdef OPENSSL_IS_BORINGSSL
 #include <openssl/hkdf.h>
 #include <openssl/chacha.h>
 #else
 #include <openssl/kdf.h>
 #endif
 #endif
 #include <openssl/hmac.h>
 #ifndef OPENSSL_NO_OCSP
 #include <openssl/ocsp.h>
@ -151,6 +143,7 @@ struct ngx_ssl_connection_s {
    unsigned                    in_ocsp:1;
    unsigned                    early_preread:1;
    unsigned                    write_blocked:1;
    unsigned                    sni_accepted:1;
 };
@ -197,6 +190,13 @@ typedef struct {
 } ngx_ssl_session_cache_t;
 typedef int (*ngx_ssl_servername_pt)(ngx_ssl_conn_t *, int *, void *);
 typedef struct {
    ngx_ssl_servername_pt       servername;
 } ngx_ssl_client_hello_arg;
 #define NGX_SSL_SSLv2    0x0002
 #define NGX_SSL_SSLv3    0x0004
 #define NGX_SSL_TLSv1    0x0008
@ -271,6 +271,8 @@ ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
    ngx_array_t *passwords);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_ech_files(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *filename);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_uint_t enable);
@ -286,6 +288,15 @@ ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *paths);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
 ngx_int_t ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl,
    ngx_ssl_client_hello_arg *cb);
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 int ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
 #elif defined OPENSSL_IS_BORINGSSL
 enum ssl_select_cert_result_t ngx_ssl_select_certificate(
    const SSL_CLIENT_HELLO *client_hello);
 #endif
 ngx_int_t ngx_ssl_create_connection(ngx_ssl_t *ssl, ngx_connection_t *c,
    ngx_uint_t flags);
@ -319,6 +330,8 @@ ngx_int_t ngx_ssl_get_curve(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_curves(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_sigalg(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_id(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_session_reused(ngx_connection_t *c, ngx_pool_t *pool,
@ -327,6 +340,10 @@ ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_ech_status(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_ech_outer_server_name(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);
 ngx_int_t ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
@ -355,6 +372,8 @@ ngx_int_t ngx_ssl_get_client_v_end(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_v_remain(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_client_sigalg(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_handshake(ngx_connection_t *c);
@ -382,6 +401,8 @@ extern int  ngx_ssl_ticket_keys_index;
 extern int  ngx_ssl_ocsp_index;
 extern int  ngx_ssl_index;
 extern int  ngx_ssl_certificate_name_index;
 extern int  ngx_ssl_certificate_comp_index;
 extern int  ngx_ssl_client_hello_arg_index;
 extern u_char  ngx_ssl_session_buffer[NGX_SSL_MAX_SESSION_SIZE];
--- a/src/event/ngx_event_openssl_cache.c
+++ b/src/event/ngx_event_openssl_cache.c
@ -193,6 +193,7 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
    time_t                 mtime;
    uint32_t               hash;
    ngx_int_t              rc;
    ngx_uint_t             invalidate;
    ngx_file_uniq_t        uniq;
    ngx_file_info_t        fi;
    ngx_ssl_cache_t       *cache, *old_cache;
@ -202,10 +203,17 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
    *err = NULL;
    invalidate = index & NGX_SSL_CACHE_INVALIDATE;
    index &= ~NGX_SSL_CACHE_INVALIDATE;
    if (ngx_ssl_cache_init_key(cf->pool, index, path, &id) != NGX_OK) {
        return NULL;
    }
    if (id.type == NGX_SSL_CACHE_DATA) {
        invalidate = 0;
    }
    cache = (ngx_ssl_cache_t *) ngx_get_conf(cf->cycle->conf_ctx,
                                             ngx_openssl_cache_module);
@ -215,9 +223,14 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
    cn = ngx_ssl_cache_lookup(cache, type, &id, hash);
    if (cn != NULL) {
        if (!invalidate) {
            return type->ref(err, cn->value);
        }
        type->free(cn->value);
        ngx_rbtree_delete(&cache->rbtree, &cn->node);
    }
    value = NULL;
    if (id.type == NGX_SSL_CACHE_PATH
@ -236,7 +249,7 @@ ngx_ssl_cache_fetch(ngx_conf_t *cf, ngx_uint_t index, char **err,
    old_cache = ngx_ssl_cache_get_old_conf(cf->cycle);
-    if (old_cache && old_cache->inheritable) {
+    if (old_cache && old_cache->inheritable && !invalidate) {
        cn = ngx_ssl_cache_lookup(old_cache, type, &id, hash);
        if (cn != NULL) {
--- a/src/event/quic/ngx_event_quic.h
+++ b/src/event/quic/ngx_event_quic.h
@ -18,7 +18,8 @@
 #elif (defined SSL_R_MISSING_QUIC_TRANSPORT_PARAMETERS_EXTENSION)
 #define NGX_QUIC_QUICTLS_API                 1
-#elif (defined OPENSSL_IS_BORINGSSL || defined LIBRESSL_VERSION_NUMBER)
+#elif (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC               \
       || defined LIBRESSL_VERSION_NUMBER)
 #define NGX_QUIC_BORINGSSL_API               1
 #else
--- a/src/event/quic/ngx_event_quic_protection.c
+++ b/src/event/quic/ngx_event_quic_protection.c
@ -8,6 +8,12 @@
 #include <ngx_core.h>
 #include <ngx_event.h>
 #include <ngx_event_quic_connection.h>
 #if (NGX_QUIC_BORINGSSL_EVP_API)
 #include <openssl/hkdf.h>
 #include <openssl/chacha.h>
 #else
 #include <openssl/kdf.h>
 #endif
 /* RFC 9001, 5.4.1.  Header Protection Application: 5-byte mask */
@ -33,7 +39,7 @@ static uint64_t ngx_quic_parse_pn(u_char **pos, ngx_int_t len, u_char *mask,
 static ngx_int_t ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out,
    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
-#ifndef OPENSSL_IS_BORINGSSL
+#if !(NGX_QUIC_BORINGSSL_EVP_API)
 static ngx_int_t ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
    const u_char *nonce, ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log);
 #endif
@ -58,7 +64,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
    switch (id) {
    case TLS1_3_CK_AES_128_GCM_SHA256:
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
        ciphers->c = EVP_aead_aes_128_gcm();
 #else
        ciphers->c = EVP_aes_128_gcm();
@ -69,7 +75,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
        break;
    case TLS1_3_CK_AES_256_GCM_SHA384:
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
        ciphers->c = EVP_aead_aes_256_gcm();
 #else
        ciphers->c = EVP_aes_256_gcm();
@ -80,12 +86,12 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
        break;
    case TLS1_3_CK_CHACHA20_POLY1305_SHA256:
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
        ciphers->c = EVP_aead_chacha20_poly1305();
 #else
        ciphers->c = EVP_chacha20_poly1305();
 #endif
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
        ciphers->hp = (const EVP_CIPHER *) EVP_aead_chacha20_poly1305();
 #else
        ciphers->hp = EVP_chacha20();
@ -94,7 +100,7 @@ ngx_quic_ciphers(ngx_uint_t id, ngx_quic_ciphers_t *ciphers)
        len = 32;
        break;
-#ifndef OPENSSL_IS_BORINGSSL
+#if !(NGX_QUIC_BORINGSSL_EVP_API)
    case TLS1_3_CK_AES_128_CCM_SHA256:
        ciphers->c = EVP_aes_128_ccm();
        ciphers->hp = EVP_aes_128_ctr();
@ -263,7 +269,7 @@ static ngx_int_t
 ngx_hkdf_expand(u_char *out_key, size_t out_len, const EVP_MD *digest,
    const uint8_t *prk, size_t prk_len, const u_char *info, size_t info_len)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
    if (HKDF_expand(out_key, out_len, digest, prk, prk_len, info, info_len)
        == 0)
@ -325,7 +331,7 @@ ngx_hkdf_extract(u_char *out_key, size_t *out_len, const EVP_MD *digest,
    const u_char *secret, size_t secret_len, const u_char *salt,
    size_t salt_len)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
    if (HKDF_extract(out_key, out_len, digest, secret, secret_len, salt,
                     salt_len)
@ -388,7 +394,7 @@ ngx_quic_crypto_init(const ngx_quic_cipher_t *cipher, ngx_quic_secret_t *s,
    ngx_quic_md_t *key, ngx_int_t enc, ngx_log_t *log)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
    EVP_AEAD_CTX  *ctx;
    ctx = EVP_AEAD_CTX_new(cipher, key->data, key->len,
@ -448,7 +454,7 @@ static ngx_int_t
 ngx_quic_crypto_open(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
    ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
    if (EVP_AEAD_CTX_open(s->ctx, out->data, &out->len, out->len, nonce,
                          s->iv.len, in->data, in->len, ad->data, ad->len)
        != 1)
@ -468,7 +474,7 @@ ngx_int_t
 ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
    ngx_str_t *in, ngx_str_t *ad, ngx_log_t *log)
 {
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
    if (EVP_AEAD_CTX_seal(s->ctx, out->data, &out->len, out->len, nonce,
                          s->iv.len, in->data, in->len, ad->data, ad->len)
        != 1)
@ -484,7 +490,7 @@ ngx_quic_crypto_seal(ngx_quic_secret_t *s, ngx_str_t *out, const u_char *nonce,
 }
-#ifndef OPENSSL_IS_BORINGSSL
+#if !(NGX_QUIC_BORINGSSL_EVP_API)
 static ngx_int_t
 ngx_quic_crypto_common(ngx_quic_secret_t *s, ngx_str_t *out,
@ -563,7 +569,7 @@ void
 ngx_quic_crypto_cleanup(ngx_quic_secret_t *s)
 {
    if (s->ctx) {
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
        EVP_AEAD_CTX_free(s->ctx);
 #else
        EVP_CIPHER_CTX_free(s->ctx);
@ -579,7 +585,7 @@ ngx_quic_crypto_hp_init(const EVP_CIPHER *cipher, ngx_quic_secret_t *s,
 {
    EVP_CIPHER_CTX  *ctx;
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
    if (cipher == (EVP_CIPHER *) EVP_aead_chacha20_poly1305()) {
        /* no EVP interface */
        s->hp_ctx = NULL;
@ -615,7 +621,7 @@ ngx_quic_crypto_hp(ngx_quic_secret_t *s, u_char *out, u_char *in,
    ctx = s->hp_ctx;
-#ifdef OPENSSL_IS_BORINGSSL
+#if (NGX_QUIC_BORINGSSL_EVP_API)
    uint32_t         cnt;
    if (ctx == NULL) {
--- a/src/event/quic/ngx_event_quic_protection.h
+++ b/src/event/quic/ngx_event_quic_protection.h
@ -22,10 +22,12 @@
 #define NGX_QUIC_MAX_MD_SIZE          48
-#ifdef OPENSSL_IS_BORINGSSL
+#if (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC)
 #define NGX_QUIC_BORINGSSL_EVP_API    1
 #define ngx_quic_cipher_t             EVP_AEAD
 #define ngx_quic_crypto_ctx_t         EVP_AEAD_CTX
 #else
 #define NGX_QUIC_BORINGSSL_EVP_API    0
 #define ngx_quic_cipher_t             EVP_CIPHER
 #define ngx_quic_crypto_ctx_t         EVP_CIPHER_CTX
 #endif
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@ -185,7 +185,13 @@ ngx_quic_cbs_release_rcd(ngx_ssl_conn_t *ssl_conn, size_t bytes_read, void *arg)
    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "quic ngx_quic_cbs_release_rcd len:%uz", bytes_read);
    /* already closed on handshake failure */
    qc = ngx_quic_get_connection(c);
    if (qc == NULL) {
        return 1;
    }
    ctx = ngx_quic_get_send_ctx(qc, qc->read_level);
    cl = ngx_quic_read_buffer(c, &ctx->crypto, bytes_read);
@ -695,30 +701,35 @@ ngx_quic_handshake(ngx_connection_t *c)
    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_do_handshake: %d", n);
    if (qc->error) {
        return NGX_ERROR;
    }
    if (n <= 0) {
        sslerr = SSL_get_error(ssl_conn, n);
        ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_get_error: %d",
                       sslerr);
        if (sslerr != SSL_ERROR_WANT_READ) {
        if (c->ssl->handshake_rejected) {
            ngx_connection_error(c, 0, "handshake rejected");
            ERR_clear_error();
            return NGX_ERROR;
        }
        if (qc->error) {
            ngx_connection_error(c, 0, "SSL_do_handshake() failed");
            ERR_clear_error();
            return NGX_ERROR;
        }
        if (sslerr != SSL_ERROR_WANT_READ) {
            ngx_ssl_connection_error(c, sslerr, 0, "SSL_do_handshake() failed");
            return NGX_ERROR;
        }
    }
    if (qc->error) {
        ngx_connection_error(c, 0, "SSL_do_handshake() failed");
        return NGX_ERROR;
    }
    if (!SSL_is_init_finished(ssl_conn)) {
        if (ngx_quic_keys_available(qc->keys, NGX_QUIC_ENCRYPTION_EARLY_DATA, 0)
            && qc->client_tp_done)
@ -968,7 +979,7 @@ ngx_quic_init_connection(ngx_connection_t *c)
    }
 #endif
-#ifdef OPENSSL_IS_BORINGSSL
+#if (defined OPENSSL_IS_BORINGSSL || defined OPENSSL_IS_AWSLC)
    if (SSL_set_quic_early_data_context(ssl_conn, p, clen) == 0) {
        ngx_ssl_error(NGX_LOG_ALERT, c->log, 0,
                      "quic SSL_set_quic_early_data_context() failed");
--- a/src/http/modules/ngx_http_chunked_filter_module.c
+++ b/src/http/modules/ngx_http_chunked_filter_module.c
@ -66,7 +66,9 @@ ngx_http_chunked_header_filter(ngx_http_request_t *r)
        || r->headers_out.status == NGX_HTTP_NO_CONTENT
        || r->headers_out.status < NGX_HTTP_OK
        || r != r->main
-        || r->method == NGX_HTTP_HEAD)
+        || r->method == NGX_HTTP_HEAD
        || (r->method == NGX_HTTP_CONNECT
            && r->headers_out.status < NGX_HTTP_SPECIAL_RESPONSE))
    {
        return ngx_http_next_header_filter(r);
    }
--- a/src/http/modules/ngx_http_geo_module.c
+++ b/src/http/modules/ngx_http_geo_module.c
@ -63,6 +63,7 @@ typedef struct {
    unsigned                         allow_binary_include:1;
    unsigned                         binary_include:1;
    unsigned                         proxy_recursive:1;
    unsigned                         no_cacheable:1;
 } ngx_http_geo_conf_ctx_t;
@ -463,6 +464,7 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
                  + sizeof(ngx_http_variable_value_t)
                  + 0x10000 * sizeof(ngx_http_geo_range_t *);
    ctx.allow_binary_include = 1;
    ctx.no_cacheable = 0;
    save = *cf;
    cf->pool = pool;
@ -478,6 +480,10 @@ ngx_http_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
        goto failed;
    }
    if (ctx.no_cacheable) {
        var->flags |= NGX_HTTP_VAR_NOCACHEABLE;
    }
    geo->proxies = ctx.proxies;
    geo->proxy_recursive = ctx.proxy_recursive;
@ -623,6 +629,12 @@ ngx_http_geo(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
            rv = NGX_CONF_OK;
            goto done;
        }
        else if (ngx_strcmp(value[0].data, "volatile") == 0) {
            ctx->no_cacheable = 1;
            rv = NGX_CONF_OK;
            goto done;
        }
    }
    if (cf->args->nelts != 2) {
--- a/src/http/modules/ngx_http_headers_filter_module.c
+++ b/src/http/modules/ngx_http_headers_filter_module.c
@ -10,6 +10,11 @@
 #include <ngx_http.h>
 #define NGX_HTTP_HEADERS_INHERIT_OFF    0
 #define NGX_HTTP_HEADERS_INHERIT_ON     1
 #define NGX_HTTP_HEADERS_INHERIT_MERGE  2
 typedef struct ngx_http_header_val_s  ngx_http_header_val_t;
 typedef ngx_int_t (*ngx_http_set_header_pt)(ngx_http_request_t *r,
@ -49,6 +54,8 @@ typedef struct {
    ngx_http_complex_value_t  *expires_value;
    ngx_array_t               *headers;
    ngx_array_t               *trailers;
    ngx_uint_t                 headers_inherit;
    ngx_uint_t                 trailers_inherit;
 } ngx_http_headers_conf_t;
@ -97,6 +104,14 @@ static ngx_http_set_header_t  ngx_http_set_headers[] = {
 };
 static ngx_conf_enum_t  ngx_http_headers_inherit[] = {
    { ngx_string("off"),   NGX_HTTP_HEADERS_INHERIT_OFF },
    { ngx_string("on"),    NGX_HTTP_HEADERS_INHERIT_ON },
    { ngx_string("merge"), NGX_HTTP_HEADERS_INHERIT_MERGE },
    { ngx_null_string, 0 }
 };
 static ngx_command_t  ngx_http_headers_filter_commands[] = {
    { ngx_string("expires"),
@ -123,6 +138,22 @@ static ngx_command_t  ngx_http_headers_filter_commands[] = {
      offsetof(ngx_http_headers_conf_t, trailers),
      NULL },
    { ngx_string("add_header_inherit"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
                        |NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_headers_conf_t, headers_inherit),
      &ngx_http_headers_inherit },
    { ngx_string("add_trailer_inherit"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_HTTP_LOC_CONF|NGX_HTTP_LIF_CONF
                        |NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_HTTP_LOC_CONF_OFFSET,
      offsetof(ngx_http_headers_conf_t, trailers_inherit),
      &ngx_http_headers_inherit },
      ngx_null_command
 };
@ -657,6 +688,8 @@ ngx_http_headers_create_conf(ngx_conf_t *cf)
     */
    conf->expires = NGX_HTTP_EXPIRES_UNSET;
    conf->headers_inherit = NGX_CONF_UNSET_UINT;
    conf->trailers_inherit = NGX_CONF_UNSET_UINT;
    return conf;
 }
@ -668,6 +701,8 @@ ngx_http_headers_merge_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_http_headers_conf_t *prev = parent;
    ngx_http_headers_conf_t *conf = child;
    ngx_http_header_val_t  *hv;
    if (conf->expires == NGX_HTTP_EXPIRES_UNSET) {
        conf->expires = prev->expires;
        conf->expires_time = prev->expires_time;
@ -678,12 +713,43 @@ ngx_http_headers_merge_conf(ngx_conf_t *cf, void *parent, void *child)
        }
    }
    ngx_conf_merge_uint_value(conf->headers_inherit, prev->headers_inherit,
                              NGX_HTTP_HEADERS_INHERIT_ON);
    ngx_conf_merge_uint_value(conf->trailers_inherit, prev->trailers_inherit,
                              NGX_HTTP_HEADERS_INHERIT_ON);
    if (conf->headers_inherit != NGX_HTTP_HEADERS_INHERIT_OFF
        && prev->headers)
    {
        if (conf->headers == NULL) {
            conf->headers = prev->headers;
        } else if (conf->headers_inherit == NGX_HTTP_HEADERS_INHERIT_MERGE) {
            hv = ngx_array_push_n(conf->headers, prev->headers->nelts);
            if (hv == NULL) {
                return NGX_CONF_ERROR;
            }
            ngx_memcpy(hv, prev->headers->elts,
                       sizeof(ngx_http_header_val_t) * prev->headers->nelts);
        }
    }
    if (conf->trailers_inherit != NGX_HTTP_HEADERS_INHERIT_OFF
        && prev->trailers)
    {
        if (conf->trailers == NULL) {
            conf->trailers = prev->trailers;
        } else if (conf->trailers_inherit == NGX_HTTP_HEADERS_INHERIT_MERGE) {
            hv = ngx_array_push_n(conf->trailers, prev->trailers->nelts);
            if (hv == NULL) {
                return NGX_CONF_ERROR;
            }
            ngx_memcpy(hv, prev->trailers->elts,
                       sizeof(ngx_http_header_val_t) * prev->trailers->nelts);
        }
    }
    return NGX_CONF_OK;
--- a/src/http/modules/ngx_http_index_module.c
+++ b/src/http/modules/ngx_http_index_module.c
@ -490,7 +490,7 @@ ngx_http_index_set_index(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
        if (value[i].len == 0) {
            ngx_conf_log_error(NGX_LOG_EMERG, cf, 0,
                               "index \"%V\" in \"index\" directive is invalid",
-                               &value[1]);
+                               &value[i]);
            return NGX_CONF_ERROR;
        }
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@ -8,6 +8,7 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
 #include <ngx_http_proxy_module.h>
 #define  NGX_HTTP_PROXY_COOKIE_SECURE           0x0001
@ -23,11 +24,6 @@
 #define  NGX_HTTP_PROXY_COOKIE_SAMESITE_OFF     0x0400
 typedef struct {
    ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
 } ngx_http_proxy_main_conf_t;
 typedef struct ngx_http_proxy_rewrite_s  ngx_http_proxy_rewrite_t;
 typedef ngx_int_t (*ngx_http_proxy_rewrite_pt)(ngx_http_request_t *r,
@ -61,96 +57,6 @@ typedef struct {
 } ngx_http_proxy_cookie_flags_t;
 typedef struct {
    ngx_str_t                      key_start;
    ngx_str_t                      schema;
    ngx_str_t                      host_header;
    ngx_str_t                      port;
    ngx_str_t                      uri;
 } ngx_http_proxy_vars_t;
 typedef struct {
    ngx_array_t                   *flushes;
    ngx_array_t                   *lengths;
    ngx_array_t                   *values;
    ngx_hash_t                     hash;
 } ngx_http_proxy_headers_t;
 typedef struct {
    ngx_http_upstream_conf_t       upstream;
    ngx_array_t                   *body_flushes;
    ngx_array_t                   *body_lengths;
    ngx_array_t                   *body_values;
    ngx_str_t                      body_source;
    ngx_http_proxy_headers_t       headers;
 #if (NGX_HTTP_CACHE)
    ngx_http_proxy_headers_t       headers_cache;
 #endif
    ngx_array_t                   *headers_source;
    ngx_array_t                   *proxy_lengths;
    ngx_array_t                   *proxy_values;
    ngx_array_t                   *redirects;
    ngx_array_t                   *cookie_domains;
    ngx_array_t                   *cookie_paths;
    ngx_array_t                   *cookie_flags;
    ngx_http_complex_value_t      *method;
    ngx_str_t                      location;
    ngx_str_t                      url;
 #if (NGX_HTTP_CACHE)
    ngx_http_complex_value_t       cache_key;
 #endif
    ngx_http_proxy_vars_t          vars;
    ngx_flag_t                     redirect;
    ngx_uint_t                     http_version;
    ngx_uint_t                     headers_hash_max_size;
    ngx_uint_t                     headers_hash_bucket_size;
 #if (NGX_HTTP_SSL)
    ngx_uint_t                     ssl;
    ngx_uint_t                     ssl_protocols;
    ngx_str_t                      ssl_ciphers;
    ngx_uint_t                     ssl_verify_depth;
    ngx_str_t                      ssl_trusted_certificate;
    ngx_str_t                      ssl_crl;
    ngx_array_t                   *ssl_conf_commands;
 #endif
 } ngx_http_proxy_loc_conf_t;
 typedef struct {
    ngx_http_status_t              status;
    ngx_http_chunked_t             chunked;
    ngx_http_proxy_vars_t          vars;
    off_t                          internal_body_length;
    ngx_chain_t                   *free;
    ngx_chain_t                   *busy;
    ngx_buf_t                     *trailers;
    unsigned                       head:1;
    unsigned                       internal_chunked:1;
    unsigned                       header_sent:1;
 } ngx_http_proxy_ctx_t;
 static ngx_int_t ngx_http_proxy_eval(ngx_http_request_t *r,
    ngx_http_proxy_ctx_t *ctx, ngx_http_proxy_loc_conf_t *plcf);
 #if (NGX_HTTP_CACHE)
 static ngx_int_t ngx_http_proxy_create_key(ngx_http_request_t *r);
 #endif
 static ngx_int_t ngx_http_proxy_create_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_proxy_reinit_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_proxy_body_output_filter(void *data, ngx_chain_t *in);
@ -178,15 +84,14 @@ static ngx_int_t ngx_http_proxy_port_variable(ngx_http_request_t *r,
 static ngx_int_t
    ngx_http_proxy_add_x_forwarded_for_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t
    ngx_http_proxy_internal_connection_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t
    ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_proxy_internal_chunked_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r,
    ngx_table_elt_t *h, size_t prefix);
 static ngx_int_t ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r,
    ngx_table_elt_t *h);
 static ngx_int_t ngx_http_proxy_parse_cookie(ngx_str_t *value,
    ngx_array_t *attrs);
 static ngx_int_t ngx_http_proxy_rewrite_cookie_value(ngx_http_request_t *r,
@ -293,6 +198,9 @@ static ngx_conf_post_t  ngx_http_proxy_ssl_conf_command_post =
 static ngx_conf_enum_t  ngx_http_proxy_http_version[] = {
    { ngx_string("1.0"), NGX_HTTP_VERSION_10 },
    { ngx_string("1.1"), NGX_HTTP_VERSION_11 },
 #if (NGX_HTTP_V2)
    { ngx_string("2"), NGX_HTTP_VERSION_20 },
 #endif
    { ngx_null_string, 0 }
 };
@ -840,8 +748,8 @@ static char  ngx_http_proxy_version_11[] = " HTTP/1.1" CRLF;
 static ngx_keyval_t  ngx_http_proxy_headers[] = {
-    { ngx_string("Host"), ngx_string("$proxy_host") },
+    { ngx_string("Host"), ngx_string("$proxy_internal_host") },
-    { ngx_string("Connection"), ngx_string("close") },
+    { ngx_string("Connection"), ngx_string("$proxy_internal_connection") },
    { ngx_string("Content-Length"), ngx_string("$proxy_internal_body_length") },
    { ngx_string("Transfer-Encoding"), ngx_string("$proxy_internal_chunked") },
    { ngx_string("TE"), ngx_string("") },
@ -868,8 +776,8 @@ static ngx_str_t  ngx_http_proxy_hide_headers[] = {
 #if (NGX_HTTP_CACHE)
 static ngx_keyval_t  ngx_http_proxy_cache_headers[] = {
-    { ngx_string("Host"), ngx_string("$proxy_host") },
+    { ngx_string("Host"), ngx_string("$proxy_internal_host") },
-    { ngx_string("Connection"), ngx_string("close") },
+    { ngx_string("Connection"), ngx_string("$proxy_internal_connection") },
    { ngx_string("Content-Length"), ngx_string("$proxy_internal_body_length") },
    { ngx_string("Transfer-Encoding"), ngx_string("$proxy_internal_chunked") },
    { ngx_string("TE"), ngx_string("") },
@ -904,6 +812,14 @@ static ngx_http_variable_t  ngx_http_proxy_vars[] = {
    { ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 },
 #endif
    { ngx_string("proxy_internal_host"), NULL,
      ngx_http_proxy_host_variable, 1,
      NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
    { ngx_string("proxy_internal_connection"), NULL,
      ngx_http_proxy_internal_connection_variable, 0,
      NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
    { ngx_string("proxy_internal_body_length"), NULL,
      ngx_http_proxy_internal_body_length_variable, 0,
      NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
@ -962,6 +878,14 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
    ngx_http_proxy_main_conf_t  *pmcf;
 #endif
    plcf = ngx_http_get_module_loc_conf(r, ngx_http_proxy_module);
 #if (NGX_HTTP_V2)
    if (plcf->http_version == NGX_HTTP_VERSION_20) {
        return ngx_http_proxy_v2_handler(r);
    }
 #endif
    if (ngx_http_upstream_create(r) != NGX_OK) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }
@ -971,9 +895,9 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }
-    ngx_http_set_ctx(r, ctx, ngx_http_proxy_module);
+    ctx->legacy = 1;
-    plcf = ngx_http_get_module_loc_conf(r, ngx_http_proxy_module);
+    ngx_http_set_ctx(r, ctx, ngx_http_proxy_module);
    u = r->upstream;
@ -1050,7 +974,7 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
 }
-static ngx_int_t
+ngx_int_t
 ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
    ngx_http_proxy_loc_conf_t *plcf)
 {
@ -1154,7 +1078,7 @@ ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
 #if (NGX_HTTP_CACHE)
-static ngx_int_t
+ngx_int_t
 ngx_http_proxy_create_key(ngx_http_request_t *r)
 {
    size_t                      len, loc_len;
@ -1206,7 +1130,8 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
        return NGX_OK;
    }
-    loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;
+    loc_len = (r->valid_location && ctx->vars.uri.len)
              ? ngx_min(plcf->location.len, r->uri.len) : 0;
    if (r->quoted_uri || r->internal) {
        escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@ -1318,8 +1243,8 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
        uri_len = r->unparsed_uri.len;
    } else {
-        loc_len = (r->valid_location && ctx->vars.uri.len) ?
+        loc_len = (r->valid_location && ctx->vars.uri.len)
-                      plcf->location.len : 0;
+                  ? ngx_min(plcf->location.len, r->uri.len) : 0;
        if (r->quoted_uri || r->internal) {
            escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@ -2118,7 +2043,7 @@ ngx_http_proxy_input_filter_init(void *data)
        /* chunked */
        u->pipe->input_filter = ngx_http_proxy_chunked_filter;
-        u->pipe->length = 3; /* "0" LF LF */
+        u->pipe->length = 5; /* "0" CRLF CRLF */
        u->input_filter = ngx_http_proxy_non_buffered_chunked_filter;
        u->length = 1;
@ -2767,6 +2692,11 @@ ngx_http_proxy_host_variable(ngx_http_request_t *r,
        return NGX_OK;
    }
    if (data == 1 && !ctx->legacy) {
        v->not_found = 1;
        return NGX_OK;
    }
    v->len = ctx->vars.host_header.len;
    v->valid = 1;
    v->no_cacheable = 0;
@ -2847,6 +2777,29 @@ ngx_http_proxy_add_x_forwarded_for_variable(ngx_http_request_t *r,
 }
 static ngx_int_t
 ngx_http_proxy_internal_connection_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
 {
    ngx_http_proxy_ctx_t  *ctx;
    ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module);
    if (ctx == NULL || !ctx->legacy) {
        v->not_found = 1;
        return NGX_OK;
    }
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;
    ngx_str_set(v, "close");
    return NGX_OK;
 }
 static ngx_int_t
 ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
@ -2900,7 +2853,7 @@ ngx_http_proxy_internal_chunked_variable(ngx_http_request_t *r,
 }
-static ngx_int_t
+ngx_int_t
 ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r, ngx_table_elt_t *h,
    size_t prefix)
 {
@ -2932,7 +2885,7 @@ ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r, ngx_table_elt_t *h,
 }
-static ngx_int_t
+ngx_int_t
 ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r, ngx_table_elt_t *h)
 {
    u_char                     *p;
@ -3577,6 +3530,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
     *     conf->headers.values = NULL;
     *     conf->headers.hash = { NULL, 0 };
     *     conf->headers_cache.lengths = NULL;
     *     conf->host_set = 0;
     *     conf->headers_cache.values = NULL;
     *     conf->headers_cache.hash = { NULL, 0 };
     *     conf->body_lengths = NULL;
@ -4152,6 +4106,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #if (NGX_HTTP_CACHE)
        conf->headers_cache = prev->headers_cache;
 #endif
        conf->host_set = prev->host_set;
    }
    rc = ngx_http_proxy_init_headers(cf, conf, &conf->headers,
@ -4184,6 +4139,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #if (NGX_HTTP_CACHE)
        prev->headers_cache = conf->headers_cache;
 #endif
        prev->host_set = conf->host_set;
    }
    return NGX_CONF_OK;
@ -4236,6 +4192,12 @@ ngx_http_proxy_init_headers(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf,
        src = conf->headers_source->elts;
        for (i = 0; i < conf->headers_source->nelts; i++) {
            if (src[i].key.len == 4
                && ngx_strncasecmp(src[i].key.data, (u_char *) "Host", 4) == 0)
            {
                conf->host_set = 1;
            }
            s = ngx_array_push(&headers_merged);
            if (s == NULL) {
                return NGX_ERROR;
--- a/src/http/modules/ngx_http_proxy_module.h
+++ b/src/http/modules/ngx_http_proxy_module.h
@ -0,0 +1,127 @@
 /*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */
 #ifndef _NGX_HTTP_PROXY_H_INCLUDED_
 #define _NGX_HTTP_PROXY_H_INCLUDED_
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
 typedef struct {
    ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
 } ngx_http_proxy_main_conf_t;
 typedef struct {
    ngx_str_t                      key_start;
    ngx_str_t                      schema;
    ngx_str_t                      host_header;
    ngx_str_t                      port;
    ngx_str_t                      uri;
 } ngx_http_proxy_vars_t;
 typedef struct {
    ngx_array_t                   *flushes;
    ngx_array_t                   *lengths;
    ngx_array_t                   *values;
    ngx_hash_t                     hash;
 } ngx_http_proxy_headers_t;
 typedef struct {
    ngx_http_upstream_conf_t       upstream;
    ngx_array_t                   *body_flushes;
    ngx_array_t                   *body_lengths;
    ngx_array_t                   *body_values;
    ngx_str_t                      body_source;
    ngx_http_proxy_headers_t       headers;
 #if (NGX_HTTP_CACHE)
    ngx_http_proxy_headers_t       headers_cache;
 #endif
    ngx_array_t                   *headers_source;
    ngx_uint_t                     host_set;
    ngx_array_t                   *proxy_lengths;
    ngx_array_t                   *proxy_values;
    ngx_array_t                   *redirects;
    ngx_array_t                   *cookie_domains;
    ngx_array_t                   *cookie_paths;
    ngx_array_t                   *cookie_flags;
    ngx_http_complex_value_t      *method;
    ngx_str_t                      location;
    ngx_str_t                      url;
 #if (NGX_HTTP_CACHE)
    ngx_http_complex_value_t       cache_key;
 #endif
    ngx_http_proxy_vars_t          vars;
    ngx_flag_t                     redirect;
    ngx_uint_t                     http_version;
    ngx_uint_t                     headers_hash_max_size;
    ngx_uint_t                     headers_hash_bucket_size;
 #if (NGX_HTTP_SSL || NGX_COMPAT)
    ngx_uint_t                     ssl;
    ngx_uint_t                     ssl_protocols;
    ngx_str_t                      ssl_ciphers;
    ngx_uint_t                     ssl_verify_depth;
    ngx_str_t                      ssl_trusted_certificate;
    ngx_str_t                      ssl_crl;
    ngx_array_t                   *ssl_conf_commands;
 #endif
 } ngx_http_proxy_loc_conf_t;
 typedef struct {
    ngx_http_status_t              status;
    ngx_http_chunked_t             chunked;
    ngx_http_proxy_vars_t          vars;
    off_t                          internal_body_length;
    ngx_chain_t                   *free;
    ngx_chain_t                   *busy;
    ngx_buf_t                     *trailers;
    unsigned                       head:1;
    unsigned                       internal_chunked:1;
    unsigned                       header_sent:1;
    unsigned                       legacy:1;
 } ngx_http_proxy_ctx_t;
 ngx_int_t ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
    ngx_http_proxy_loc_conf_t *plcf);
 #if (NGX_HTTP_CACHE)
 ngx_int_t ngx_http_proxy_create_key(ngx_http_request_t *r);
 #endif
 ngx_int_t ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r,
    ngx_table_elt_t *h, size_t prefix);
 ngx_int_t ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r,
    ngx_table_elt_t *h);
 #if (NGX_HTTP_V2)
 ngx_int_t ngx_http_proxy_v2_handler(ngx_http_request_t *r);
 #endif
 extern ngx_module_t  ngx_http_proxy_module;
 #endif /* _NGX_HTTP_PROXY_H_INCLUDED_ */
--- a/src/http/modules/ngx_http_proxy_v2_module.c
+++ b/src/http/modules/ngx_http_proxy_v2_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@ -117,6 +117,13 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
      0,
      NULL },
    { ngx_string("ssl_ech_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ech_files),
      NULL },
    { ngx_string("ssl_password_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_http_ssl_password_file,
@ -237,7 +244,7 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
      NULL },
    { ngx_string("ssl_ocsp"),
-      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_FLAG,
+      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ocsp),
@ -358,6 +365,9 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
    { ngx_string("ssl_curves"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_curves, NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_sigalg"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_session_id"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_HTTP_VAR_CHANGEABLE, 0 },
@ -374,6 +384,13 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
    { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_ech_status"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_ech_status, NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_ech_outer_server_name,
      NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
@ -415,6 +432,9 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
    { ngx_string("ssl_client_v_remain"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_remain, NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_client_sigalg"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_sigalg, NGX_HTTP_VAR_CHANGEABLE, 0 },
      ngx_http_null_variable
 };
@ -637,6 +657,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
    sscf->certificates = NGX_CONF_UNSET_PTR;
    sscf->certificate_keys = NGX_CONF_UNSET_PTR;
    sscf->certificate_cache = NGX_CONF_UNSET_PTR;
    sscf->ech_files = NGX_CONF_UNSET_PTR;
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->conf_commands = NGX_CONF_UNSET_PTR;
    sscf->builtin_session_cache = NGX_CONF_UNSET;
@ -688,6 +709,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
                         NULL);
    ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@ -749,6 +772,12 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    cln->data = &conf->ssl;
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
    {
    static ngx_ssl_client_hello_arg cb = { ngx_http_ssl_servername };
    if (ngx_ssl_set_client_hello_callback(&conf->ssl, &cb) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
    if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                               ngx_http_ssl_servername)
@ -759,7 +788,7 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
            "dynamically to an OpenSSL library which has no tlsext support, "
            "therefore SNI is not available");
    }
-
+    }
 #endif
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
@ -868,6 +897,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
        return NGX_CONF_ERROR;
    }
    if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
@ -906,13 +939,19 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    if (conf->stapling) {
        if (conf->certificate_compression) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "\"ssl_stapling\" is incompatible with "
                          "\"ssl_certificate_compression\"");
            return NGX_CONF_ERROR;
        }
        if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
                             &conf->stapling_responder, conf->stapling_verify)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }
    }
    if (ngx_ssl_early_data(cf, &conf->ssl, conf->early_data) != NGX_OK) {
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@ -49,6 +49,7 @@ typedef struct {
    ngx_str_t                       ciphers;
    ngx_array_t                    *ech_files;
    ngx_array_t                    *passwords;
    ngx_array_t                    *conf_commands;
--- a/src/http/ngx_http.h
+++ b/src/http/ngx_http.h
@ -130,8 +130,8 @@ ngx_int_t ngx_http_post_request(ngx_http_request_t *r,
    ngx_http_posted_request_t *pr);
 ngx_int_t ngx_http_set_virtual_server(ngx_http_request_t *r,
    ngx_str_t *host);
-ngx_int_t ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool,
+ngx_int_t ngx_http_validate_host(ngx_str_t *host, in_port_t *port,
-    ngx_uint_t alloc);
+    ngx_pool_t *pool, ngx_uint_t alloc);
 void ngx_http_close_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_finalize_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_free_request(ngx_http_request_t *r, ngx_int_t rc);
--- a/src/http/ngx_http_core_module.h
+++ b/src/http/ngx_http_core_module.h
@ -206,6 +206,7 @@ typedef struct {
 #if (NGX_PCRE)
    unsigned                    captures:1;
 #endif
    unsigned                    allow_connect:1;
    ngx_http_core_loc_conf_t  **named_locations;
 } ngx_http_core_srv_conf_t;
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@ -111,6 +111,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
        sw_schema,
        sw_schema_slash,
        sw_schema_slash_slash,
        sw_spaces_before_host,
        sw_host_start,
        sw_host,
        sw_host_end,
@ -158,6 +159,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
            if (ch == ' ') {
                r->method_end = p - 1;
                m = r->request_start;
                state = sw_spaces_before_uri;
                switch (p - m) {
@ -247,6 +249,7 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                    if (ngx_str7_cmp(m, 'C', 'O', 'N', 'N', 'E', 'C', 'T', ' '))
                    {
                        r->method = NGX_HTTP_CONNECT;
                        state = sw_spaces_before_host;
                    }
                    break;
@ -269,7 +272,6 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                    break;
                }
                state = sw_spaces_before_uri;
                break;
            }
@ -345,6 +347,14 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
            }
            break;
        case sw_spaces_before_host:
            if (ch == ' ') {
                break;
            }
            /* fall through */
        case sw_host_start:
            r->host_start = p;
@ -373,12 +383,18 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
        case sw_host_end:
-            r->host_end = p;
+            if (ch == ':') {
            switch (ch) {
            case ':':
                state = sw_port;
                break;
            }
            r->host_end = p;
            if (r->method == NGX_HTTP_CONNECT) {
                return NGX_HTTP_PARSE_INVALID_REQUEST;
            }
            switch (ch) {
            case '/':
                r->uri_start = p;
                state = sw_after_slash_in_uri;
@ -449,6 +465,17 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
                break;
            }
            r->host_end = p;
            if (r->method == NGX_HTTP_CONNECT) {
                if (ch == ' ') {
                    state = sw_http_09;
                    break;
                }
                return NGX_HTTP_PARSE_INVALID_REQUEST;
            }
            switch (ch) {
            case '/':
                r->uri_start = p;
@ -684,6 +711,16 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
        case sw_http_HTTP:
            switch (ch) {
            case '/':
                /*
                 * use single "/" from request line to preserve pointers,
                 * if request line will be copied to large client buffer
                 */
                if (r->method == NGX_HTTP_CONNECT) {
                    r->uri_start = p;
                    r->uri_end = p + 1;
                }
                state = sw_first_major_digit;
                break;
            default:
@ -2217,12 +2254,6 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                case CR:
                    state = sw_last_chunk_extension_almost_done;
                    break;
                case LF:
                    if (keep_trailers) {
                        goto done;
                    }
                    state = sw_trailer;
                    break;
                case ';':
                case ' ':
                case '\t':
@ -2239,9 +2270,6 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
            case CR:
                state = sw_chunk_extension_almost_done;
                break;
            case LF:
                state = sw_chunk_data;
                break;
            case ';':
            case ' ':
            case '\t':
@ -2259,7 +2287,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_chunk_extension_almost_done;
                break;
            case LF:
-                state = sw_chunk_data;
+                goto invalid;
            }
            break;
@ -2279,9 +2307,6 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
            case CR:
                state = sw_after_data_almost_done;
                break;
            case LF:
                state = sw_chunk_start;
                break;
            default:
                goto invalid;
            }
@ -2300,10 +2325,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_last_chunk_extension_almost_done;
                break;
            case LF:
-                if (keep_trailers) {
+                goto invalid;
                    goto done;
                }
                state = sw_trailer;
            }
            break;
@ -2323,7 +2345,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_trailer_almost_done;
                break;
            case LF:
-                goto done;
+                goto invalid;
            default:
                state = sw_trailer_header;
            }
@ -2341,7 +2363,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_trailer_header_almost_done;
                break;
            case LF:
-                state = sw_trailer;
+                goto invalid;
            }
            break;
@ -2367,35 +2389,45 @@ data:
    switch (state) {
    case sw_chunk_start:
-        ctx->length = 3 /* "0" LF LF */;
+        ctx->length = 5 /* "0" CRLF CRLF */;
        break;
    case sw_chunk_size:
-        ctx->length = 1 /* LF */
+        ctx->length = 2 /* CRLF */
-                      + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */
+                      + (ctx->size ? ctx->size + 7 /* CRLF "0" CRLF CRLF */
-                                   : 1 /* LF */);
+                                   : 2 /* CRLF */);
        break;
    case sw_chunk_extension:
        ctx->length = 2 /* CRLF */ + ctx->size + 7 /* CRLF "0" CRLF CRLF */;
        break;
    case sw_chunk_extension_almost_done:
-        ctx->length = 1 /* LF */ + ctx->size + 4 /* LF "0" LF LF */;
+        ctx->length = 1 /* LF */ + ctx->size + 7 /* CRLF "0" CRLF CRLF */;
        break;
    case sw_chunk_data:
-        ctx->length = ctx->size + 4 /* LF "0" LF LF */;
+        ctx->length = ctx->size + 7 /* CRLF "0" CRLF CRLF */;
        break;
    case sw_after_data:
        ctx->length = 7 /* CRLF "0" CRLF CRLF */;
        break;
    case sw_after_data_almost_done:
-        ctx->length = 4 /* LF "0" LF LF */;
+        ctx->length = 6 /* LF "0" CRLF CRLF */;
        break;
    case sw_last_chunk_extension:
        ctx->length = 4 /* CRLF CRLF */;
        break;
    case sw_last_chunk_extension_almost_done:
-        ctx->length = 2 /* LF LF */;
+        ctx->length = 3 /* LF CRLF */;
        break;
    case sw_trailer:
        ctx->length = 2 /* CRLF */;
        break;
    case sw_trailer_almost_done:
        ctx->length = 1 /* LF */;
        break;
    case sw_trailer_header:
        ctx->length = 4 /* CRLF CRLF */;
        break;
    case sw_trailer_header_almost_done:
-        ctx->length = 2 /* LF LF */;
+        ctx->length = 3 /* LF CRLF */;
        break;
    }
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@ -891,8 +891,27 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    if (c->ssl->sni_accepted) {
        return SSL_TLSEXT_ERR_OK;
    }
    if (c->ssl->handshake_rejected) {
        *ad = SSL_AD_UNRECOGNIZED_NAME;
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    hc = c->data;
    if (arg != NULL) {
        host = *(ngx_str_t *) arg;
        if (host.data == NULL) {
            ngx_log_debug0(NGX_LOG_DEBUG_HTTP, c->log, 0,
                           "SSL server name: null");
            goto done;
        }
    } else {
        servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
        if (servername == NULL) {
@ -901,18 +920,18 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
            goto done;
        }
    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
                   "SSL server name: \"%s\"", servername);
        host.len = ngx_strlen(servername);
        host.data = (u_char *) servername;
    }
    ngx_log_debug1(NGX_LOG_DEBUG_HTTP, c->log, 0,
                   "SSL server name: \"%V\"", &host);
    if (host.len == 0) {
        goto done;
    }
-    host.data = (u_char *) servername;
+    rc = ngx_http_validate_host(&host, NULL, c->pool, 1);
    rc = ngx_http_validate_host(&host, c->pool, 1);
    if (rc == NGX_ERROR) {
        goto error;
@ -933,31 +952,6 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }
    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
 #if (defined TLS1_3_VERSION                                                   \
     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
    /*
     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
     * but servername being negotiated in every TLSv1.3 handshake
     * is only returned in OpenSSL 1.1.1+ as well
     */
    if (sscf->verify) {
        const char  *hostname;
        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
            c->ssl->handshake_rejected = 1;
            *ad = SSL_AD_ACCESS_DENIED;
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        }
    }
 #endif
    hc->ssl_servername = ngx_palloc(c->pool, sizeof(ngx_str_t));
    if (hc->ssl_servername == NULL) {
        goto error;
@ -971,6 +965,8 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
    ngx_set_connection_log(c, clcf->error_log);
    sscf = ngx_http_get_module_srv_conf(cscf->ctx, ngx_http_ssl_module);
    c->ssl->buffer_size = sscf->buffer_size;
    if (sscf->ssl.ctx) {
@ -1019,6 +1015,7 @@ done:
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    c->ssl->sni_accepted = 1;
    return SSL_TLSEXT_ERR_OK;
 error:
@ -1110,6 +1107,7 @@ ngx_http_process_request_line(ngx_event_t *rev)
    ssize_t              n;
    ngx_int_t            rc, rv;
    ngx_str_t            host;
    in_port_t            port;
    ngx_connection_t    *c;
    ngx_http_request_t  *r;
@ -1172,7 +1170,7 @@ ngx_http_process_request_line(ngx_event_t *rev)
                host.len = r->host_end - r->host_start;
                host.data = r->host_start;
-                rc = ngx_http_validate_host(&host, r->pool, 0);
+                rc = ngx_http_validate_host(&host, &port, r->pool, 0);
                if (rc == NGX_DECLINED) {
                    ngx_log_error(NGX_LOG_INFO, c->log, 0,
@ -1191,6 +1189,7 @@ ngx_http_process_request_line(ngx_event_t *rev)
                }
                r->headers_in.server = host;
                r->port = port;
            }
            if (r->http_version < NGX_HTTP_VERSION_10) {
@ -1851,6 +1850,7 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
 {
    ngx_int_t  rc;
    ngx_str_t  host;
    in_port_t  port;
    if (r->headers_in.host) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -1867,7 +1867,7 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
    host = h->value;
-    rc = ngx_http_validate_host(&host, r->pool, 0);
+    rc = ngx_http_validate_host(&host, &port, r->pool, 0);
    if (rc == NGX_DECLINED) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -1890,6 +1890,7 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
    }
    r->headers_in.server = host;
    r->port = port;
    return NGX_OK;
 }
@ -1988,6 +1989,8 @@ ngx_http_process_user_agent(ngx_http_request_t *r, ngx_table_elt_t *h,
 static ngx_int_t
 ngx_http_process_request_header(ngx_http_request_t *r)
 {
    ngx_http_core_srv_conf_t  *cscf;
    if (r->headers_in.server.len == 0
        && ngx_http_set_virtual_server(r, &r->headers_in.server)
           == NGX_ERROR)
@ -2056,7 +2059,11 @@ ngx_http_process_request_header(ngx_http_request_t *r)
        }
    }
-    if (r->method == NGX_HTTP_CONNECT) {
+    cscf = ngx_http_get_module_srv_conf(r, ngx_http_core_module);
    if (r->method == NGX_HTTP_CONNECT
        && (r->http_version != NGX_HTTP_VERSION_11 || !cscf->allow_connect))
    {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
                      "client sent CONNECT method");
        ngx_http_finalize_request(r, NGX_HTTP_NOT_ALLOWED);
@ -2167,72 +2174,174 @@ ngx_http_process_request(ngx_http_request_t *r)
 ngx_int_t
-ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
+ngx_http_validate_host(ngx_str_t *host, in_port_t *portp, ngx_pool_t *pool,
    ngx_uint_t alloc)
 {
    u_char     *h, ch;
    size_t      i, dot_pos, host_len;
    ngx_int_t   port;
    enum {
-        sw_usual = 0,
+        sw_host_start = 0,
-        sw_literal,
+        sw_host,
-        sw_rest
+        sw_host_ip_literal,
        sw_host_end,
        sw_port,
    } state;
    dot_pos = host->len;
    host_len = host->len;
    port = 0;
    h = host->data;
-    state = sw_usual;
+    state = sw_host_start;
    for (i = 0; i < host->len; i++) {
        ch = h[i];
-        switch (ch) {
+        switch (state) {
        case sw_host_start:
            if (ch == '[') {
                state = sw_host_ip_literal;
                break;
            }
            state = sw_host;
            /* fall through */
        case sw_host:
            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
                break;
            }
            if (ch >= 'a' && ch <= 'z') {
                break;
            }
            if (ch >= '0' && ch <= '9') {
                break;
            }
            switch (ch) {
            case ':':
                host_len = i;
                state = sw_port;
                break;
            case '-':
                break;
            case '.':
                if (dot_pos == i - 1) {
                    return NGX_DECLINED;
                }
                dot_pos = i;
                break;
-
+            case '_':
-        case ':':
+            case '~':
-            if (state == sw_usual) {
+                /* unreserved */
                host_len = i;
                state = sw_rest;
            }
                break;
-
+            case '!':
-        case '[':
+            case '$':
-            if (i == 0) {
+            case '&':
-                state = sw_literal;
+            case '\'':
-            }
+            case '(':
            case ')':
            case '*':
            case '+':
            case ',':
            case ';':
            case '=':
                /* sub-delims */
                break;
-
+            case '%':
-        case ']':
+                /* pct-encoded */
            if (state == sw_literal) {
                host_len = i + 1;
                state = sw_rest;
            }
                break;
            default:
            if (ngx_path_separator(ch)) {
                return NGX_DECLINED;
            }
            break;
-            if (ch <= 0x20 || ch == 0x7f) {
+        case sw_host_ip_literal:
                return NGX_DECLINED;
            }
            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
            }
                break;
            }
            if (ch >= 'a' && ch <= 'z') {
                break;
            }
            if (ch >= '0' && ch <= '9') {
                break;
            }
            switch (ch) {
            case ':':
                break;
            case ']':
                host_len = i + 1;
                state = sw_host_end;
                break;
            case '-':
                break;
            case '.':
                if (dot_pos == i - 1) {
                    return NGX_DECLINED;
                }
                dot_pos = i;
                break;
            case '_':
            case '~':
                /* unreserved */
                break;
            case '!':
            case '$':
            case '&':
            case '\'':
            case '(':
            case ')':
            case '*':
            case '+':
            case ',':
            case ';':
            case '=':
                /* sub-delims */
                break;
            default:
                return NGX_DECLINED;
            }
            break;
        case sw_host_end:
            if (ch == ':') {
                state = sw_port;
                break;
            }
            return NGX_DECLINED;
        case sw_port:
            if (ch >= '0' && ch <= '9') {
                if (port >= 6553 && (port > 6553 || (ch - '0') > 5)) {
                    return NGX_DECLINED;
                }
                port = port * 10 + (ch - '0');
                break;
            }
            return NGX_DECLINED;
        }
    }
    if (state == sw_host_ip_literal) {
        return NGX_DECLINED;
    }
    if (dot_pos == host_len - 1) {
@ -2254,6 +2363,10 @@ ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
    host->len = host_len;
    if (portp) {
        *portp = port;
    }
    return NGX_OK;
 }
--- a/src/http/ngx_http_request.h
+++ b/src/http/ngx_http_request.h
@ -461,6 +461,8 @@ struct ngx_http_request_s {
    ngx_http_cleanup_t               *cleanup;
    in_port_t                         port;
    unsigned                          count:16;
    unsigned                          subrequests:8;
    unsigned                          blocked:8;
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@ -116,6 +116,10 @@ static ngx_int_t ngx_http_upstream_process_set_cookie(ngx_http_request_t *r,
 static ngx_int_t
    ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
    ngx_table_elt_t *h, ngx_uint_t offset);
 #if (NGX_HTTP_CACHE)
 static ngx_int_t ngx_http_upstream_process_delta_seconds(u_char *p,
    u_char *last);
 #endif
 static ngx_int_t ngx_http_upstream_ignore_header_line(ngx_http_request_t *r,
    ngx_table_elt_t *h, ngx_uint_t offset);
 static ngx_int_t ngx_http_upstream_process_expires(ngx_http_request_t *r,
@ -1767,6 +1771,23 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
        }
    }
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
    if (u->ssl_alpn_protocol.len) {
        if (SSL_set_alpn_protos(c->ssl->connection, u->ssl_alpn_protocol.data,
                                u->ssl_alpn_protocol.len)
            != 0)
        {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "SSL_set_alpn_protos() failed");
            ngx_http_upstream_finalize_request(r, u,
                                               NGX_HTTP_INTERNAL_SERVER_ERROR);
            return;
        }
    }
 #endif
    if (u->conf->ssl_session_reuse) {
        c->ssl->save_session = ngx_http_upstream_ssl_save_session;
@ -5066,18 +5087,9 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
    }
    if (p) {
-        n = 0;
+        n = ngx_http_upstream_process_delta_seconds(p + offset, last);
        for (p += offset; p < last; p++) {
            if (*p == ',' || *p == ';' || *p == ' ') {
                break;
            }
            if (*p >= '0' && *p <= '9') {
                n = n * 10 + (*p - '0');
                continue;
            }
        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5087,7 +5099,8 @@ ngx_http_upstream_process_cache_control(ngx_http_request_t *r,
            return NGX_OK;
        }
-        r->cache->valid_sec = ngx_time() + n;
+        r->cache->valid_sec = ngx_min((ngx_uint_t) ngx_time() + n,
                                      NGX_MAX_INT_T_VALUE);
        u->headers_in.expired = 0;
    }
@ -5097,18 +5110,9 @@ extensions:
                         23 - 1);
    if (p) {
-        n = 0;
+        n = ngx_http_upstream_process_delta_seconds(p + 23, last);
        for (p += 23; p < last; p++) {
            if (*p == ',' || *p == ';' || *p == ' ') {
                break;
            }
            if (*p >= '0' && *p <= '9') {
                n = n * 10 + (*p - '0');
                continue;
            }
        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5120,18 +5124,9 @@ extensions:
    p = ngx_strlcasestrn(start, last, (u_char *) "stale-if-error=", 15 - 1);
    if (p) {
-        n = 0;
+        n = ngx_http_upstream_process_delta_seconds(p + 15, last);
        for (p += 15; p < last; p++) {
            if (*p == ',' || *p == ';' || *p == ' ') {
                break;
            }
            if (*p >= '0' && *p <= '9') {
                n = n * 10 + (*p - '0');
                continue;
            }
        if (n == NGX_ERROR) {
            u->cacheable = 0;
            return NGX_OK;
        }
@ -5145,6 +5140,41 @@ extensions:
 }
 #if (NGX_HTTP_CACHE)
 static ngx_int_t
 ngx_http_upstream_process_delta_seconds(u_char *p, u_char *last)
 {
    ngx_int_t  n, cutoff, cutlim;
    cutoff = NGX_MAX_INT_T_VALUE / 10;
    cutlim = NGX_MAX_INT_T_VALUE % 10;
    n = 0;
    for ( /* void */ ; p < last; p++) {
        if (*p == ',' || *p == ';' || *p == ' ') {
            break;
        }
        if (*p < '0' || *p > '9') {
            return NGX_ERROR;
        }
        if (n >= cutoff && (n > cutoff || *p - '0' > cutlim)) {
            n = NGX_MAX_INT_T_VALUE;
            break;
        }
        n = n * 10 + (*p - '0');
    }
    return n;
 }
 #endif
 static ngx_int_t
 ngx_http_upstream_process_expires(ngx_http_request_t *r, ngx_table_elt_t *h,
    ngx_uint_t offset)
@ -6885,6 +6915,7 @@ ngx_http_upstream_set_local(ngx_http_request_t *r, ngx_http_upstream_t *u,
    }
    if (val.len == 0) {
        u->peer.local = NULL;
        return NGX_OK;
    }
@ -6901,6 +6932,7 @@ ngx_http_upstream_set_local(ngx_http_request_t *r, ngx_http_upstream_t *u,
    if (rc != NGX_OK) {
        ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                      "invalid local address \"%V\"", &val);
        u->peer.local = NULL;
        return NGX_OK;
    }
--- a/src/http/ngx_http_upstream.h
+++ b/src/http/ngx_http_upstream.h
@ -253,7 +253,7 @@ typedef struct {
    ngx_str_t                        module;
-    NGX_COMPAT_BEGIN(2)
+    NGX_COMPAT_BEGIN(6)
    NGX_COMPAT_END
 } ngx_http_upstream_conf_t;
@ -390,6 +390,7 @@ struct ngx_http_upstream_s {
 #if (NGX_HTTP_SSL || NGX_COMPAT)
    ngx_str_t                        ssl_name;
    ngx_str_t                        ssl_alpn_protocol;
 #endif
    ngx_http_cleanup_pt             *cleanup;
--- a/src/http/ngx_http_variables.c
+++ b/src/http/ngx_http_variables.c
@ -71,6 +71,10 @@ static ngx_int_t ngx_http_variable_scheme(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_variable_https(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_variable_request_port(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_variable_is_request_port(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static void ngx_http_variable_set_args(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_variable_is_args(ngx_http_request_t *r,
@ -231,6 +235,12 @@ static ngx_http_variable_t  ngx_http_core_variables[] = {
    { ngx_string("https"), NULL, ngx_http_variable_https, 0, 0, 0 },
    { ngx_string("request_port"), NULL,
      ngx_http_variable_request_port, 0, 0, 0 },
    { ngx_string("is_request_port"), NULL,
      ngx_http_variable_is_request_port, 0, 0, 0 },
    { ngx_string("request_uri"), NULL, ngx_http_variable_request,
      offsetof(ngx_http_request_t, unparsed_uri), 0, 0 },
@ -1540,6 +1550,51 @@ ngx_http_variable_https(ngx_http_request_t *r,
 }
 static ngx_int_t
 ngx_http_variable_request_port(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
 {
    ngx_uint_t  port;
    v->len = 0;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;
    v->data = ngx_pnalloc(r->pool, sizeof("65535") - 1);
    if (v->data == NULL) {
        return NGX_ERROR;
    }
    port = r->port;
    if (port > 0 && port < 65536) {
        v->len = ngx_sprintf(v->data, "%ui", port) - v->data;
    }
    return NGX_OK;
 }
 static ngx_int_t
 ngx_http_variable_is_request_port(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
 {
    if (r->port == 0) {
        *v = ngx_http_variable_null_value;
        return NGX_OK;
    }
    v->len = 1;
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;
    v->data = (u_char *) ":";
    return NGX_OK;
 }
 static void
 ngx_http_variable_set_args(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@ -3519,6 +3519,7 @@ static ngx_int_t
 ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
 {
    ngx_int_t  rc;
    in_port_t  port;
    if (r->host_start) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -3529,7 +3530,7 @@ ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
    r->host_start = value->data;
    r->host_end = value->data + value->len;
-    rc = ngx_http_validate_host(value, r->pool, 0);
+    rc = ngx_http_validate_host(value, &port, r->pool, 0);
    if (rc == NGX_DECLINED) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -3551,6 +3552,7 @@ ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
    }
    r->headers_in.server = *value;
    r->port = port;
    return NGX_OK;
 }
@ -4102,15 +4104,14 @@ ngx_http_v2_process_request_body(ngx_http_request_t *r, u_char *pos,
                n = size;
            }
            if (n > 0) {
                rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
            }
            ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
                           "http2 request body recv %uz", n);
            if (n > 0) {
                rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
                pos += n;
                size -= n;
            }
            if (size == 0 && last) {
                rb->rest = 0;
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@ -904,6 +904,7 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
    u_char     *p;
    ngx_int_t   rc;
    ngx_str_t   host;
    in_port_t   port;
    if (r->request_line.len) {
        return NGX_OK;
@ -961,7 +962,7 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
        host.len = r->host_end - r->host_start;
        host.data = r->host_start;
-        rc = ngx_http_validate_host(&host, r->pool, 0);
+        rc = ngx_http_validate_host(&host, &port, r->pool, 0);
        if (rc == NGX_DECLINED) {
            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -979,6 +980,7 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
        }
        r->headers_in.server = host;
        r->port = port;
    }
    if (ngx_list_init(&r->headers_in.headers, r->pool, 20,
--- a/src/mail/ngx_mail_proxy_module.c
+++ b/src/mail/ngx_mail_proxy_module.c
@ -531,6 +531,7 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
    ngx_int_t                  rc;
    ngx_str_t                  line, auth, encoded;
    ngx_buf_t                 *b;
    uintptr_t                  n;
    ngx_connection_t          *c;
    ngx_mail_session_t        *s;
    ngx_mail_proxy_conf_t     *pcf;
@ -627,6 +628,10 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
                          CRLF) - 1
                   + s->connection->addr_text.len + s->login.len + s->host.len;
        n = ngx_escape_uri(NULL, s->login.data, s->login.len,
                           NGX_ESCAPE_MAIL_XTEXT);
        line.len += n * 2;
 #if (NGX_HAVE_INET6)
        if (s->connection->sockaddr->sa_family == AF_INET6) {
            line.len += sizeof("IPV6:") - 1;
@ -654,7 +659,14 @@ ngx_mail_proxy_smtp_handler(ngx_event_t *rev)
        if (s->login.len && !pcf->smtp_auth) {
            p = ngx_cpymem(p, " LOGIN=", sizeof(" LOGIN=") - 1);
            if (n == 0) {
                p = ngx_copy(p, s->login.data, s->login.len);
            } else {
                p = (u_char *) ngx_escape_uri(p, s->login.data, s->login.len,
                                              NGX_ESCAPE_MAIL_XTEXT);
            }
        }
        p = ngx_cpymem(p, " NAME=", sizeof(" NAME=") - 1);
--- a/src/stream/ngx_stream_core_module.c
+++ b/src/stream/ngx_stream_core_module.c
@ -476,68 +476,169 @@ ngx_stream_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 {
    u_char     *h, ch;
    size_t      i, dot_pos, host_len;
    ngx_int_t   port;
    enum {
-        sw_usual = 0,
+        sw_host_start = 0,
-        sw_literal,
+        sw_host,
-        sw_rest
+        sw_host_ip_literal,
        sw_host_end,
        sw_port,
    } state;
    dot_pos = host->len;
    host_len = host->len;
    port = 0;
    h = host->data;
-    state = sw_usual;
+    state = sw_host_start;
    for (i = 0; i < host->len; i++) {
        ch = h[i];
-        switch (ch) {
+        switch (state) {
        case sw_host_start:
            if (ch == '[') {
                state = sw_host_ip_literal;
                break;
            }
            state = sw_host;
            /* fall through */
        case sw_host:
            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
                break;
            }
            if (ch >= 'a' && ch <= 'z') {
                break;
            }
            if (ch >= '0' && ch <= '9') {
                break;
            }
            switch (ch) {
            case ':':
                host_len = i;
                state = sw_port;
                break;
            case '-':
                break;
            case '.':
                if (dot_pos == i - 1) {
                    return NGX_DECLINED;
                }
                dot_pos = i;
                break;
-
+            case '_':
-        case ':':
+            case '~':
-            if (state == sw_usual) {
+                /* unreserved */
                host_len = i;
                state = sw_rest;
            }
                break;
-
+            case '!':
-        case '[':
+            case '$':
-            if (i == 0) {
+            case '&':
-                state = sw_literal;
+            case '\'':
-            }
+            case '(':
            case ')':
            case '*':
            case '+':
            case ',':
            case ';':
            case '=':
                /* sub-delims */
                break;
-
+            case '%':
-        case ']':
+                /* pct-encoded */
            if (state == sw_literal) {
                host_len = i + 1;
                state = sw_rest;
            }
                break;
            default:
            if (ngx_path_separator(ch)) {
                return NGX_DECLINED;
            }
            break;
-            if (ch <= 0x20 || ch == 0x7f) {
+        case sw_host_ip_literal:
                return NGX_DECLINED;
            }
            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
            }
                break;
            }
            if (ch >= 'a' && ch <= 'z') {
                break;
            }
            if (ch >= '0' && ch <= '9') {
                break;
            }
            switch (ch) {
            case ':':
                break;
            case ']':
                host_len = i + 1;
                state = sw_host_end;
                break;
            case '-':
                break;
            case '.':
                if (dot_pos == i - 1) {
                    return NGX_DECLINED;
                }
                dot_pos = i;
                break;
            case '_':
            case '~':
                /* unreserved */
                break;
            case '!':
            case '$':
            case '&':
            case '\'':
            case '(':
            case ')':
            case '*':
            case '+':
            case ',':
            case ';':
            case '=':
                /* sub-delims */
                break;
            default:
                return NGX_DECLINED;
            }
            break;
        case sw_host_end:
            if (ch == ':') {
                state = sw_port;
                break;
            }
            return NGX_DECLINED;
        case sw_port:
            if (ch >= '0' && ch <= '9') {
                if (port >= 6553 && (port > 6553 || (ch - '0') > 5)) {
                    return NGX_DECLINED;
                }
                port = port * 10 + (ch - '0');
                break;
            }
            return NGX_DECLINED;
        }
    }
    if (state == sw_host_ip_literal) {
        return NGX_DECLINED;
    }
    if (dot_pos == host_len - 1) {
--- a/src/stream/ngx_stream_geo_module.c
+++ b/src/stream/ngx_stream_geo_module.c
@ -61,6 +61,7 @@ typedef struct {
    unsigned                           outside_entries:1;
    unsigned                           allow_binary_include:1;
    unsigned                           binary_include:1;
    unsigned                           no_cacheable:1;
 } ngx_stream_geo_conf_ctx_t;
@ -433,6 +434,7 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
                  + sizeof(ngx_stream_variable_value_t)
                  + 0x10000 * sizeof(ngx_stream_geo_range_t *);
    ctx.allow_binary_include = 1;
    ctx.no_cacheable = 0;
    save = *cf;
    cf->pool = pool;
@ -448,6 +450,10 @@ ngx_stream_geo_block(ngx_conf_t *cf, ngx_command_t *cmd, void *conf)
        goto failed;
    }
    if (ctx.no_cacheable) {
        var->flags |= NGX_STREAM_VAR_NOCACHEABLE;
    }
    if (ctx.ranges) {
        if (ctx.high.low && !ctx.binary_include) {
@ -583,6 +589,12 @@ ngx_stream_geo(ngx_conf_t *cf, ngx_command_t *dummy, void *conf)
            goto done;
        }
        else if (ngx_strcmp(value[0].data, "volatile") == 0) {
            ctx->no_cacheable = 1;
            rv = NGX_CONF_OK;
            goto done;
        }
    }
    if (cf->args->nelts != 2) {
--- a/src/stream/ngx_stream_proxy_module.c
+++ b/src/stream/ngx_stream_proxy_module.c
@ -680,6 +680,7 @@ ngx_stream_proxy_set_local(ngx_stream_session_t *s, ngx_stream_upstream_t *u,
    }
    if (val.len == 0) {
        u->peer.local = NULL;
        return NGX_OK;
    }
@ -696,6 +697,7 @@ ngx_stream_proxy_set_local(ngx_stream_session_t *s, ngx_stream_upstream_t *u,
    if (rc != NGX_OK) {
        ngx_log_error(NGX_LOG_ERR, s->connection->log, 0,
                      "invalid local address \"%V\"", &val);
        u->peer.local = NULL;
        return NGX_OK;
    }
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@ -126,6 +126,13 @@ static ngx_command_t  ngx_stream_ssl_commands[] = {
      0,
      NULL },
    { ngx_string("ssl_ech_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_srv_conf_t, ech_files),
      NULL },
    { ngx_string("ssl_password_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_stream_ssl_password_file,
@ -239,7 +246,7 @@ static ngx_command_t  ngx_stream_ssl_commands[] = {
      NULL },
    { ngx_string("ssl_ocsp"),
-      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_FLAG,
+      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_enum_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_srv_conf_t, ocsp),
@ -357,6 +364,9 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
    { ngx_string("ssl_curves"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_curves, NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_sigalg"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_session_id"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_session_id, NGX_STREAM_VAR_CHANGEABLE, 0 },
@ -369,6 +379,13 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
    { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_ech_status"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_ech_status, NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_ech_outer_server_name,
      NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 },
@ -404,6 +421,9 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
    { ngx_string("ssl_client_v_remain"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_v_remain, NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_client_sigalg"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_client_sigalg, NGX_STREAM_VAR_CHANGEABLE, 0 },
      ngx_stream_null_variable
 };
@ -555,8 +575,27 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    if (c->ssl->sni_accepted) {
        return SSL_TLSEXT_ERR_OK;
    }
    if (c->ssl->handshake_rejected) {
        *ad = SSL_AD_UNRECOGNIZED_NAME;
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    s = c->data;
    if (arg) {
        host = *(ngx_str_t *) arg;
        if (host.data == NULL) {
            ngx_log_debug0(NGX_LOG_DEBUG_STREAM, c->log, 0,
                           "SSL server name: null");
            goto done;
        }
    } else {
        servername = SSL_get_servername(ssl_conn, TLSEXT_NAMETYPE_host_name);
        if (servername == NULL) {
@ -565,17 +604,17 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
            goto done;
        }
    ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
                   "SSL server name: \"%s\"", servername);
        host.len = ngx_strlen(servername);
        host.data = (u_char *) servername;
    }
    ngx_log_debug1(NGX_LOG_DEBUG_STREAM, c->log, 0,
                   "SSL server name: \"%V\"", &host);
    if (host.len == 0) {
        goto done;
    }
    host.data = (u_char *) servername;
    rc = ngx_stream_validate_host(&host, c->pool, 1);
    if (rc == NGX_ERROR) {
@ -596,35 +635,12 @@ ngx_stream_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }
    sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
 #if (defined TLS1_3_VERSION                                                   \
     && !defined LIBRESSL_VERSION_NUMBER && !defined OPENSSL_IS_BORINGSSL)
    /*
     * SSL_SESSION_get0_hostname() is only available in OpenSSL 1.1.1+,
     * but servername being negotiated in every TLSv1.3 handshake
     * is only returned in OpenSSL 1.1.1+ as well
     */
    if (sscf->verify) {
        const char  *hostname;
        hostname = SSL_SESSION_get0_hostname(SSL_get0_session(ssl_conn));
        if (hostname != NULL && ngx_strcmp(hostname, servername) != 0) {
            c->ssl->handshake_rejected = 1;
            *ad = SSL_AD_ACCESS_DENIED;
            return SSL_TLSEXT_ERR_ALERT_FATAL;
        }
    }
 #endif
    s->srv_conf = cscf->ctx->srv_conf;
    ngx_set_connection_log(c, cscf->error_log);
    sscf = ngx_stream_get_module_srv_conf(cscf->ctx, ngx_stream_ssl_module);
    if (sscf->ssl.ctx) {
        if (SSL_set_SSL_CTX(ssl_conn, sscf->ssl.ctx) == NULL) {
            goto error;
@ -663,6 +679,7 @@ done:
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    }
    c->ssl->sni_accepted = 1;
    return SSL_TLSEXT_ERR_OK;
 error:
@ -885,6 +902,7 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_t *cf)
    sscf->certificates = NGX_CONF_UNSET_PTR;
    sscf->certificate_keys = NGX_CONF_UNSET_PTR;
    sscf->certificate_cache = NGX_CONF_UNSET_PTR;
    sscf->ech_files = NGX_CONF_UNSET_PTR;
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->conf_commands = NGX_CONF_UNSET_PTR;
    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
@ -940,6 +958,8 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
                         NULL);
    ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@ -1002,8 +1022,16 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    cln->data = &conf->ssl;
 #ifdef SSL_CTRL_SET_TLSEXT_HOSTNAME
    {
    static ngx_ssl_client_hello_arg cb = { ngx_stream_ssl_servername };
    if (ngx_ssl_set_client_hello_callback(&conf->ssl, &cb) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
    SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                           ngx_stream_ssl_servername);
    }
 #endif
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
@ -1113,6 +1141,10 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
        return NGX_CONF_ERROR;
    }
    if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
@ -1152,13 +1184,19 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    if (conf->stapling) {
        if (conf->certificate_compression) {
            ngx_log_error(NGX_LOG_EMERG, cf->log, 0,
                          "\"ssl_stapling\" is incompatible with "
                          "\"ssl_certificate_compression\"");
            return NGX_CONF_ERROR;
        }
        if (ngx_ssl_stapling(cf, &conf->ssl, &conf->stapling_file,
                             &conf->stapling_responder, conf->stapling_verify)
            != NGX_OK)
        {
            return NGX_CONF_ERROR;
        }
    }
    if (ngx_ssl_conf_commands(cf, &conf->ssl, conf->conf_commands) != NGX_OK) {
--- a/src/stream/ngx_stream_ssl_module.h
+++ b/src/stream/ngx_stream_ssl_module.h
@ -49,6 +49,7 @@ typedef struct {
    ngx_str_t         ciphers;
    ngx_array_t      *ech_files;
    ngx_array_t      *passwords;
    ngx_array_t      *conf_commands;
Author	SHA1	Message	Date
Roman Arutyunyan	0609736a92	SSL: logging level of the "ech_required" TLS alert. The alert is send by a client after its ECH configuration was rejected by a server.	2025-12-17 13:49:06 +04:00
Aleksei Bavshin	7c2524a692	Fixed duplicate ids in the bug report template.	2025-12-16 14:22:33 -07:00
Aleksei Bavshin	5c2947d844	Version bump.	2025-12-16 14:22:33 -07:00
Sergey Kandaurov	c70457482c	nginx-1.29.4-RELEASE	2025-12-09 22:28:10 +04:00
Jan Svojanovsky	66fde99b1d	QUIC: fixed possible segfault on handshake failures. When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be called late, after the QUIC connection was already closed on handshake failure, resulting in a segmentation fault. For instance, it happened if a client Finished message didn't align with a record boundary.	2025-12-09 21:25:10 +04:00
Zhidao HONG	61690b5dc0	Proxy: cache support for HTTP/2.	2025-12-08 07:49:16 +04:00
Zhidao HONG	17fd964f99	Proxy: buffering support for HTTP/2.	2025-12-08 07:49:16 +04:00
Zhidao HONG	fdd8e97558	Proxy: extracted control frame and skip functions for HTTP/2.	2025-12-08 07:49:16 +04:00
Zhidao HONG	2a0342a17d	Proxy: extracted ngx_http_proxy_v2_process_frames() function.	2025-12-08 07:49:16 +04:00
Zhidao HONG	9bf758ea4d	Proxy: added HTTP/2 proxy module. The module allows to use HTTP/2 protocol for proxying. HTTP/2 proxying is enabled by specifying "proxy_http_version 2". Example: server { listen 8000; location / { proxy_http_version 2; proxy_pass https://127.0.0.1:8443; } } server { listen 8443 ssl; http2 on; ssl_certificate certs/example.com.crt; ssl_certificate_key certs/example.com.key; location / { return 200 foo; } }	2025-12-08 07:49:16 +04:00
Roman Arutyunyan	90a4fc7935	Proxy: refactored for HTTP/2 support.	2025-12-08 07:49:16 +04:00
Zhidao HONG	b8492d9c25	Upstream: add support for connection level ALPN protocol negotiation. This commit is prepared for HTTP/2 and HTTP/3 support. The ALPN protocol is now set per-connection in ngx_http_upstream_ssl_init_connection(), allowing proper protocol negotiation for each individual upstream connection regardless of SSL context sharing.	2025-12-08 07:49:16 +04:00
Sergey Kandaurov	f405ef11fd	Disabled bare LF in chunked transfer encoding. Chunked transfer encoding, since originally introduced in HTTP/1.1 in RFC 2068, is specified to use CRLF as the only line terminator. Although tolerant applications may recognize a single LF, formally this covers the start line and fields, and doesn't apply to chunks. Strict chunked parsing is reaffirmed as intentional in RFC errata ID 7633, notably "because it does not have to retain backwards compatibility with 1.0 parsers". A general RFC 2616 recommendation to tolerate deviations whenever interpreted unambiguously doesn't apply here, because chunked body is used to determine HTTP message framing; a relaxed parsing may cause various security problems due to a broken delimitation. For instance, this is possible when receiving chunked body from intermediates that blindly parse chunk-ext or a trailer section until CRLF, and pass it further without re-coding.	2025-12-06 17:41:32 +04:00
QirunGao	0427f5335f	SSL: avoid warning when ECH is not configured and not supported.	2025-12-04 21:09:32 +04:00
Alessandro Fael Garcia	367113670e	Update GitHub templates and markdown files. - Issue templates are replaced with forms. Forms allow to explicitly ask for certain info before an issue is opened, they can be programmatically queried via GH actions to get the data in fields. - Added language around GH discussions vs the forum in the issue forms. - Added GH discussions templates. These templates delineate which types of discussions belong on GitHub vs the community forum. - Created SUPPORT.md to delineate which types of topics belong on GitHub vs different support channels (community forum/docs/commercial support). - Updated CONTRIBUTING.md: - Removed text that belongs in SUPPORT.md. - Added F5 CLA clarifying text. - Added badges to README.md. Most of these are there to make information even clearer, moreso for users reading README.md from sources outside GitHub.	2025-12-04 19:08:14 +04:00
sftcd	ab4f5b2d32	Add basic ECH shared-mode via OpenSSL.	2025-12-01 16:33:40 +04:00
Sergey Kandaurov	bcb41c9193	Proxy: fixed segfault in URI change. If request URI was shorter than location prefix, as after replacement with try_files, location length was used to copy the remaining URI part leading to buffer overread. The fix is to replace full request URI in this case. In the following configuration, request "/123" is changed to "/" when sent to backend. location /1234 { try_files /123 =404; proxy_pass http://127.0.0.1:8080/; } Closes #983 on GitHub.	2025-11-26 22:46:22 +04:00
Sergey Kandaurov	6446f99107	Changed interface of ngx_http_validate_host(). This allows to process a port subcomponent and save it in r->port in a unified way, similar to r->headers_in.server. For HTTP/1.x request line in the absolute form, r->host_end now includes a port subcomponent, which is also consistent with HTTP/2 and HTTP/3.	2025-11-26 19:51:40 +04:00
Sergey Kandaurov	511abb19e1	Improved host header validation. Validation is rewritten to follow RFC 3986 host syntax, based on ngx_http_parse_request_line(). The following is now rejected: - the rest of gen-delims "#", "?", "@", "[", "]" - other unwise delims <">, "<", ">", "\", "^", "`', "{", "\|", "}" - IP literals with a trailing dot, missing closing bracket, or pct-encoded - a port subcomponent with invalid values - characters in upper half	2025-11-26 19:51:40 +04:00
Sergey Kandaurov	6ed1188411	HTTP/2: extended guard for NULL buffer and zero length. In addition to moving memcpy() under the length condition in `15bf6d8cc`, which addressed a reported UB due to string function conventions, this is repeated for advancing an input buffer, to make the resulting code more clean and readable. Additionally, although considered harmless for both string functions and additive operators, as previously discussed in GitHub PR 866, this fixes the main source of annoying sanitizer reports in the module. Prodded by UndefinedBehaviorSanitizer (pointer-overflow).	2025-11-19 18:52:54 +04:00
Sergey Kandaurov	9d04b6630a	SSL: fixed build with BoringSSL, broken by `38a701d88`.	2025-11-10 23:27:53 +04:00
Sergey Kandaurov	38a701d88b	SSL: ngx_ssl_set_client_hello_callback() error handling. The function interface is changed to follow a common approach to other functions used to setup SSL_CTX, with an exception of "ngx_conf_t *cf" since it is not bound to nginx configuration. This is required to report and propagate SSL_CTX_set_ex_data() errors, as reminded by Coverity (CID 1668589).	2025-11-10 20:01:28 +04:00
Thierry Bastian	ac99f2808b	Configure: MSVC compatibility with PCRE2 10.47.	2025-11-06 15:34:58 +04:00
Sergey Kandaurov	a386df6b23	Version bump.	2025-11-06 15:34:58 +04:00
Andrew Clayton	99312be10c	Configure: ensure we get the "built by ..." line in nginx -V. For certain compilers we embed the compiler version used to build nginx in the binary, retrievable via 'nginx -V', e.g. $ ./objs/nginx -V ... built by gcc 15.2.1 20250808 (Red Hat 15.2.1-1) (GCC) ... However if the CFLAGS environment variable is set this would be omitted. This is due to the compiler specific auto/cc files not being run when the CFLAGS environment variable is set, this is so entities can set their own compiler flags, and thus the NGX_COMPILER variable isn't set. Nonetheless it is a useful thing to have so re-work the auto scripts to move the version gathering out of the individual auto/cc/$NGX_CC_NAME files and merge them into auto/cc/name. Link: <https://github.com/nginx/nginx/issues/878>	2025-11-04 16:11:53 +00:00
Roman Arutyunyan	fd0848bdd3	nginx-1.29.3-RELEASE	2025-10-28 16:05:10 +04:00
Roman Arutyunyan	65c0b2e770	Modules compatibility: increased compat section size.	2025-10-28 16:00:54 +04:00
Roman Arutyunyan	f04e2b7f6e	Fixed compilation warnings on Windows after `c93a0c48af`.	2025-10-28 12:11:21 +04:00
Roman Semenov	ce30a1cb0d	OCSP: fixed invalid type for the 'ssl_ocsp' directive.	2025-10-27 15:05:36 +04:00
Roman Arutyunyan	c93a0c48af	Headers filter: inheritance control for add_header and add_trailer. The new directives add_header_inherit and add_trailer_inherit allow to alter inheritance rules for the values specified in the add_header and add_trailer directives in a convenient way. The "merge" parameter enables appending the values from the previous level to the current level values. The "off" parameter cancels inheritance of the values from the previous configuration level, similar to add_header "" (`2194e75bb`). The "on" parameter (default) enables the standard inheritance behaviour, which is to inherit values from the previous level only if there are no directives on the current level. The inheritance rules themselves are inherited in a standard way. Thus, for example, "add_header_inherit merge;" specified at the top level will be inherited in all nested levels recursively unless redefined below.	2025-10-25 19:46:20 +04:00
Dmitry Plotnikov	ac72ca60c7	Geo: the "volatile" parameter. Similar to map's volatile parameter, creates a non-cacheable geo variable.	2025-10-24 15:06:54 -07:00
Sergey Kandaurov	71f8eb52b7	SSL: $ssl_sigalg, $ssl_client_sigalg. Variables contain the IANA name of the signature scheme[1] used to sign the TLS handshake. Variables are only meaningful when using OpenSSL 3.5 and above, with older versions they are empty. Moreover, since this data isn't stored in a serialized session, variables are only available for new sessions. [1] https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml Requested by willmafh.	2025-10-24 18:22:32 +04:00
Roman Arutyunyan	364a94ecec	Upstream: reset local address in case of error. After `f10bc5a763` the address was set to NULL only when local address was not specified at all. In case complex value evaluated to an empty or invalid string, local address remained unchanged. Currenrly this is not a problem since the value is only set once. This change is a preparation for being able to change the local address after initial setting.	2025-10-24 17:49:04 +04:00
Roman Arutyunyan	42ca3a4576	CONNECT method support for HTTP/1.1. The change allows modules to use the CONNECT method with HTTP/1.1 requests. To do so, they need to set the "allow_connect" flag in the core server configuration.	2025-10-23 18:40:05 +04:00
Roman Arutyunyan	c8c7beb96f	Added $request_port and $is_request_port variables. The $request_port variable contains the port passed by the client in the request line (for HTTP/1.x) or ":authority" pseudo-header (for HTTP/2 and HTTP/3). If the request line contains no host, or ":authority" is missing, then $request_port is taken from the "Host" header, similar to the $host variable. The $is_request_port variable contains ":" if $request_port is non-empty, and is empty otherwise.	2025-10-23 18:40:05 +04:00
Sergey Kandaurov	78d1ab5a2c	SSL: support for compressed server certificates with BoringSSL. BoringSSL/AWS-LC provide two callbacks for each compression algorithm, which may be used to compress and decompress certificates in runtime. This change implements compression support with zlib, as enabled with the ssl_certificate_compression directive. Compressed certificates are stored in certificate exdata and reused in subsequent connections. Notably, AWS-LC saves an X509 pointer in SSL connection, which allows to use it from SSL_get_certificate() for caching purpose. In contrast, BoringSSL reconstructs X509 on-the-fly, though given that it doesn't support multiple certificates, always replacing previously configured certificates, we use the last configured one from ssl->certs, instead.	2025-10-08 19:56:41 +04:00
Sergey Kandaurov	25b03d6500	SSL: disabled using certificate compression with OCSP stapling. OCSP response in TLSv1.3 is sent in the Certificate message. This is incompatible with pre-compression of the configured certificates.	2025-10-08 19:56:41 +04:00
Sergey Kandaurov	f5a989cda2	Updated OpenSSL and PCRE used for win32 builds.	2025-10-08 19:56:41 +04:00
Sergey Kandaurov	3494f25c3e	Version bump.	2025-10-08 19:56:41 +04:00
Sergey Kandaurov	7f71abdd14	nginx-1.29.2-RELEASE	2025-10-07 21:04:07 +04:00
Sergey Kandaurov	9d5cdc616c	Fixed a typo.	2025-10-07 21:04:07 +04:00
Sergey Kandaurov	a144d828cb	SSL: fixed "key values mismatch" with object cache inheritance. In rare cases, it was possible to get into this error state on reload with improperly updated file timestamps for certificate and key pairs. The fix is to retry on X509_R_KEY_VALUES_MISMATCH, similar to `5d5d9adcc`. Additionally, loading SSL certificate is updated to avoid certificates discarded on retry to appear in ssl->certs and in extra chain.	2025-10-06 12:56:42 +04:00
Maryna-f5	c2a266fa78	Added F5 CLA workflow.	2025-09-30 11:44:52 -07:00
Sergey Kandaurov	6f81314a07	Mail: xtext encoding (RFC 3461) in XCLIENT LOGIN. The XCLIENT command uses xtext encoding for attribute values, as specified in https://www.postfix.org/XCLIENT_README.html. Reported by Igor Morgenstern of Aisle Research.	2025-09-26 17:04:20 +04:00
Sergey Kandaurov	8255bd29ac	Upstream: overflow detection in Cache-Control delta-seconds. Overflowing calculations are now aligned to the greatest positive integer as specified in RFC 9111, Section 1.2.2.	2025-09-26 16:50:13 +04:00
Sergey Kandaurov	93ff1ee12c	SSL: AWS-LC compatibility.	2025-09-25 19:28:36 +04:00
Sergey Kandaurov	af436c58ca	QUIC: a new macro to differentiate BoringSSL specific EVP API.	2025-09-25 19:28:36 +04:00
Sergey Kandaurov	4c9ae11dff	QUIC: localized OpenSSL headers used for QUIC protection.	2025-09-25 19:28:36 +04:00
Sergey Kandaurov	7f9ced0ce0	SNI: support for early ClientHello callback with BoringSSL. This brings feature parity with OpenSSL after the previous change, making it possible to set SSL protocols per virtual server.	2025-09-25 19:25:08 +04:00
Sergey Kandaurov	0373fe5d98	SNI: using the ClientHello callback. The change introduces an SNI based virtual server selection during early ClientHello processing. The callback is available since OpenSSL 1.1.1; for older OpenSSL versions, the previous behaviour is kept. Using the ClientHello callback sets a reasonable processing order for the "server_name" TLS extension. Notably, session resumption decision now happens after applying server configuration chosen by SNI, useful with enabled verification of client certificates, which brings consistency with BoringSSL behaviour. The change supersedes and reverts a fix made in `46b9f5d38` for TLSv1.3 resumed sessions. In addition, since the callback is invoked prior to the protocol version negotiation, this makes it possible to set "ssl_protocols" on a per-virtual server basis. To keep the $ssl_server_name variable working with TLSv1.2 resumed sessions, as previously fixed in `fd97b2a80`, a limited server name callback is preserved in order to acknowledge the extension. Note that to allow third-party modules to properly chain the call to ngx_ssl_client_hello_callback(), the servername callback function is passed through exdata.	2025-09-25 19:25:08 +04:00
willmafh	bc71625dcc	Fixed inaccurate index directive error report.	2025-09-18 18:16:22 +04:00
Sergey Kandaurov	417c87b78d	Updated link to xslscript.	2025-09-15 22:13:27 +04:00
Sergey Kandaurov	eb5ebbbed7	QUIC: fixed ssl_reject_handshake error handling. This was broken in `7468a10b6` (1.29.0), resulting in a missing diagnostics and SSL error queue not cleared for SSL handshakes rejected by SNI, seen as "ignoring stale global SSL error" alerts, for instance, when doing SSL shutdown of a long standing connection after rejecting another one by SNI. The fix is to move the qc->error check after c->ssl->handshake_rejected is handled first, to make the error queue cleared. Although not practicably visible as needed, this is accompanied by clearing the error queue under the qc->error case as well, to be on the safe side. As an implementation note, due to the way of handling invalid transport parameters for OpenSSL 3.5 and above, which leaves a passed pointer not advanced on error, SSL_get_error() may return either SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE depending on a library. To cope with that, both qc->error and c->ssl->handshake_rejected checks were moved out of "sslerr != SSL_ERROR_WANT_READ". Also, this reconstructs a missing "SSL_do_handshake() failed" diagnostics for the qc->error case, replacing using ngx_ssl_connection_error() with ngx_connection_error(). It is made this way to avoid logging at the crit log level because qc->error set is expected to have an empty error queue. Reported and tested by Vladimir Homutov.	2025-09-12 17:57:48 +04:00
Mohamed Karrab	446ce033e5	Removed legacy charset directive from default config example. The example configuration previously specified 'charset koi8-r', which is a legacy Cyrillic encoding. As koi8-r is rarely used today and modern browsers handle UTF-8 by default, specifying the charset explicitly is unnecessary. Removing the directive keeps the example configuration concise and aligned with current best practices.	2025-08-19 15:47:51 +04:00
Sergey Kandaurov	1a82df8cca	Added a previously missed changes entry in 1.29.1 relnotes.	2025-08-13 21:21:40 +04:00
Sergey Kandaurov	36d40e5610	Version bump.	2025-08-13 21:21:40 +04:00