Fixed duplicate ids in the bug report template.

Version bump.
nginx-1.29.4-RELEASE
2025-12-16 14:22:33 -07:00 · 2025-12-16 14:22:33 -07:00 · 2025-12-09 22:28:10 +04:00 · 2025-12-09 21:25:10 +04:00 · 2025-12-08 07:49:16 +04:00 · 2025-12-08 07:49:16 +04:00
40 changed files with 5397 additions and 419 deletions
--- a/.github/DISCUSSION_TEMPLATE/general.yml
+++ b/.github/DISCUSSION_TEMPLATE/general.yml
@ -0,0 +1,15 @@
 ---
 body:
  - type: markdown
    attributes:
      value: |
        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
  - type: textarea
    id: general
    attributes:
      label: What would you like to discuss?
      description: Please provide as much context as possible. Remember that only general discussions related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
      value: |
        I would like to discuss...
    validations:
      required: true
--- a/.github/DISCUSSION_TEMPLATE/ideas.yml
+++ b/.github/DISCUSSION_TEMPLATE/ideas.yml
@ -0,0 +1,15 @@
 ---
 body:
  - type: markdown
    attributes:
      value: |
        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
  - type: textarea
    id: ideas
    attributes:
      label: What idea would you like to discuss?
      description: Please provide as much context as possible. Remember that only ideas related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
      value: |
        I have an idea for...
    validations:
      required: true
--- a/.github/DISCUSSION_TEMPLATE/q-a.yml
+++ b/.github/DISCUSSION_TEMPLATE/q-a.yml
@ -0,0 +1,15 @@
 ---
 body:
  - type: markdown
    attributes:
      value: |
        For NGINX troubleshooting/technical help, please visit our community forum instead of asking your questions here. We will politely redirect these types of questions to the forum.
  - type: textarea
    id: q-a
    attributes:
      label: What question do you have?
      description: Please provide as much context as possible. Remember that only questions related to the NGINX codebase will be addressed on GitHub. For anything else, please visit our [community forum](https://community.nginx.org/).
      value: |
        I would like to know...
    validations:
      required: true
--- a/.github/ISSUE_TEMPLATE/bug_report.md
+++ b/.github/ISSUE_TEMPLATE/bug_report.md
@ -1,38 +0,0 @@
 ---
 name: Bug report
 about: Create a report to help us improve
 title: ""
 labels: "bug"
 ---
 ### Environment
 Include the result of the following commands:
  - `nginx -V`
  - `uname -a`
 ### Description
 Describe the bug in full detail including expected and actual behavior.
 Specify conditions that caused it. Provide the relevant part of nginx
 configuration and debug log.
 - [ ] The bug is reproducible with the latest version of nginx
 - [ ] The nginx configuration is minimized to the smallest possible
 to reproduce the issue and doesn't contain third-party modules
 #### nginx configuration
 ```
 # Your nginx configuration here
 ```
 or share the configuration in [gist](https://gist.github.com/).
 #### nginx debug log
 It is advised to enable
 [debug logging](http://nginx.org/en/docs/debugging_log.html).
 ```
 # Your nginx debug log here
 ```
 or share the debug log in [gist](https://gist.github.com/).
--- a/.github/ISSUE_TEMPLATE/bug_report.yml
+++ b/.github/ISSUE_TEMPLATE/bug_report.yml
@ -0,0 +1,106 @@
 ---
 name: 🐛 Bug report
 description: Create a report to help us improve
 labels: bug
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for taking the time to fill out this bug report!
        Before you continue filling out this report, please take a moment to check that your bug has not been [already reported on GitHub][issue search], is reproducible with the latest version of nginx, and does not involve any third-party modules 🙌
        Remember to redact any sensitive information such as authentication credentials and/or license keys!
        **Note:** If you are seeking community support, please start a new topic in the [NGINX Community forum][forum]. If you wish to discuss the codebase, please start a new thread via [GitHub discussions][discussions].
        [issue search]: https://github.com/nginx/nginx/search?q=is%3Aissue&type=issues
        [discussions]: https://github.com/nginx/nginx/discussions
        [forum]: https://community.nginx.org
  - type: textarea
    id: overview
    attributes:
      label: Bug Overview
      description: A clear and concise overview of the bug.
      placeholder: When I do "X", "Y" happens instead of "Z".
    validations:
      required: true
  - type: textarea
    id: behavior
    attributes:
      label: Expected Behavior
      description: A clear and concise description of what you expected to happen.
      placeholder: When I do "X", I expect "Z" to happen.
    validations:
      required: true
  - type: textarea
    id: steps
    attributes:
      label: Steps to Reproduce the Bug
      description: Detail the series of steps required to reproduce the bug.
      placeholder: When I run "X" using [...], "X" fails with "Y" error message. If I check the terminal outputs and/or logs, I see the following info.
    validations:
      required: true
  - type: textarea
    id: configuration
    attributes:
      label: NGINX Configuration
      description: Please provide your NGINX configuration. Minimize it to the smallest possible configuration that reproduces the issue.
      value: |
        ```
        # Your NGINX configuration
        ```
    validations:
      required: true
  - type: textarea
    id: version
    attributes:
      label: NGINX version and build configuration options
      description: Please provide details about your NGINX build.
      value: |
        The output of `nginx -V`: [...]
    validations:
      required: true
  - type: textarea
    id: environment
    attributes:
      label: Environment where NGINX is being built and/or deployed
      description: Please provide details about your environment.
      value: |
        - Target deployment platform: [e.g. AWS/GCP/local cluster/etc...]
        - Target OS: [e.g. RHEL 9/Ubuntu 24.04/etc...]
    validations:
      required: true
  - type: textarea
    id: architecture
    attributes:
      label: Architecture where NGINX is being built and/or deployed
      description: Please provide details about your deployment environment.
      value: |
        The output of `uname -a`: [...]
    validations:
      required: true
  - type: textarea
    id: logs
    attributes:
      label: NGINX Debug Log
      description: Please provide your NGINX debug log. See this [doc](http://nginx.org/en/docs/debugging_log.html) for details on how to enable it.
      value: |
        ```
        # Your NGINX debug log
        ```
  - type: textarea
    id: context
    attributes:
      label: Additional Context
      description: Add any other context about the problem here.
      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this issue in here.
--- a/.github/ISSUE_TEMPLATE/config.yml
+++ b/.github/ISSUE_TEMPLATE/config.yml
@ -0,0 +1,12 @@
 ---
 blank_issues_enabled: false
 contact_links:
  - name: 💬 Talk to the NGINX community!
    url: https://community.nginx.org
    about: A community forum for NGINX users, developers, and contributors
  - name: 📝 Code of Conduct
    url: https://www.contributor-covenant.org/version/2/1/code_of_conduct
    about: NGINX follows the Contributor Covenant Code of Conduct to ensure a safe and inclusive community
  - name: 💼 For commercial & enterprise users
    url: https://www.f5.com/products/nginx
    about: F5 offers a wide range of NGINX products for commercial & enterprise users
--- a/.github/ISSUE_TEMPLATE/feature_request.md
+++ b/.github/ISSUE_TEMPLATE/feature_request.md
@ -1,18 +0,0 @@
 ---
 name: Feature request
 about: Suggest a feature for nginx
 title: ""
 labels: "feature"
 ---
 ### Describe the feature you'd like to add to nginx
 A clear and concise description of the feature.
 ### Describe the problem this feature solves
 A clear and concise description of the problem.
 ### Additional context
 Add any other context about the feature request here.
--- a/.github/ISSUE_TEMPLATE/feature_request.yml
+++ b/.github/ISSUE_TEMPLATE/feature_request.yml
@ -0,0 +1,40 @@
 ---
 name: ✨ Feature request
 description: Suggest an idea for this project
 labels: enhancement
 body:
  - type: markdown
    attributes:
      value: |
        Thanks for taking the time to fill out this feature request!
        Before you continue filling out this request, please take a moment to check that your feature has not been [already requested on GitHub][issue search] 🙌
        **Note:** If you are seeking community support, please start a new topic in the [NGINX Community forum][forum]. If you wish to discuss the codebase, please start a new thread via [GitHub discussions][discussions].
        [issue search]: https://github.com/nginx/nginx/search?q=is%3Aissue&type=issues
        [discussions]: https://github.com/nginx/nginx/discussions
        [forum]: https://community.nginx.org
  - type: textarea
    id: overview
    attributes:
      label: Feature Overview
      description: A clear and concise description of what the feature request is.
      placeholder: I would like this project to be able to do "X".
    validations:
      required: true
  - type: textarea
    id: alternatives
    attributes:
      label: Alternatives Considered
      description: Detail any potential alternative solutions/workarounds you've used or considered.
      placeholder: I have done/might be able to do "X" in this project by doing "Y".
  - type: textarea
    id: context
    attributes:
      label: Additional Context
      description: Add any other context about the problem here.
      placeholder: Feel free to add any other context/information/screenshots/etc... that you think might be relevant to this feature request here.
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@ -1,10 +1,10 @@
 ### Proposed changes
-Describe the use case and detail of the change.
+Describe the use case and detail of the change. If this PR addresses an issue on GitHub, make sure to include a link to that issue using one of the [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue) in this PR's description or commit message.
-If this pull request addresses an issue on GitHub, make sure to reference that
+### Checklist
 issue using one of the
 [supported keywords](https://docs.github.com/en/github/managing-your-work-on-github/linking-a-pull-request-to-an-issue).
-Before creating a pull request, make sure to comply with the
+Before creating a PR, run through this checklist and mark each as complete:
-[Contributing Guidelines](https://github.com/nginx/nginx/blob/master/CONTRIBUTING.md).
+
 - [ ] I have read the [contributing guidelines](/CONTRIBUTING.md).
 - [ ] I have checked that NGINX compiles and runs after adding my changes.
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@ -5,34 +5,34 @@ We really appreciate that you are considering contributing!
 ## Table of Contents
 - [Ask a Question](#ask-a-question)
 - [Report a Bug](#report-a-bug)
 - [Suggest a Feature or Enhancement](#suggest-a-feature-or-enhancement)
 - [Open a Discussion](#open-a-discussion)
 - [Submit a Pull Request](#submit-a-pull-request)
 - [Issue Lifecycle](#issue-lifecycle)
 ## Ask a Question
 To ask a question, open an issue on GitHub with the label `question`.
 ## Report a Bug
 To report a bug, open an issue on GitHub with the label `bug` using the
-available bug report issue template. Before reporting a bug, make sure the
+available [bug report issue form](/.github/ISSUE_TEMPLATE/bug_report.yml).
-issue has not already been reported.
+Please ensure the bug has not already been reported. **If the bug is a
 potential security vulnerability, please report it using our
 [security policy](/SECURITY.md).**
 ## Suggest a Feature or Enhancement
-To suggest a feature or enhancement, open an issue on GitHub with the label
+To suggest a feature or enhancement, please create an issue on GitHub with the
-`feature` or `enhancement` using the available feature request issue template.
+label `enhancement` using the available
 [feature request issue form](/.github/ISSUE_TEMPLATE/feature_request.yml).
 Please ensure the feature or enhancement has not already been suggested.
 ## Open a Discussion
 If you want to engage in a conversation with the community and maintainers,
 we encourage you to use
-[GitHub Discussions](https://github.com/nginx/nginx/discussions).
+[GitHub Discussions](https://github.com/nginx/nginx/discussions) to discuss
 the NGINX codebase or the [NGINX Community forum](https://community.nginx.org)
 to chat anything else NGINX (including troubleshooting).
 ## Submit a Pull Request
@ -89,7 +89,20 @@ git clone https://github.com/nginx/nginx-tests.git
 ```
 - Submitting a change implies granting project a permission to use it under the
-[BSD-2-Clause license](https://github.com/nginx/nginx/blob/master/LICENSE)
+[BSD-2-Clause license](/LICENSE)
 ### F5 Contributor License Agreement (CLA)
 F5 requires all contributors to agree to the terms of the F5 CLA
 (available [here](https://github.com/f5/f5-cla/blob/main/docs/f5_cla.md))
 before any of their changes can be incorporated into an F5 Open Source
 repository (even contributions to the F5 CLA itself!).
 If you have not yet agreed to the F5 CLA terms and submit a PR to this
 repository, a bot will prompt you to view and agree to the F5 CLA.
 You will have to agree to the F5 CLA terms through a comment in the PR
 before any of your changes can be merged. Your agreement signature
 will be safely stored by F5 and no longer be required in future PRs.
 ## Issue Lifecycle
--- a/README.md
+++ b/README.md
@ -4,6 +4,11 @@
  <img alt="NGINX Banner">
 </picture>
 [![Project Status: Active – The project has reached a stable, usable state and is being actively developed.](https://www.repostatus.org/badges/latest/active.svg)](https://www.repostatus.org/#active)
 [![Community Forum](https://img.shields.io/badge/community-forum-009639?logo=discourse&link=https%3A%2F%2Fcommunity.nginx.org)](https://community.nginx.org)
 [![License](https://img.shields.io/badge/License-BSD%202--Clause-blue.svg)](/LICENSE)
 [![Code of Conduct](https://img.shields.io/badge/Contributor%20Covenant-2.1-4baaaa.svg)](/CODE_OF_CONDUCT.md)
 NGINX (pronounced "engine x" or "en-jin-eks") is the world's most popular Web Server, high performance Load Balancer, Reverse Proxy, API Gateway and Content Cache.
 NGINX is free and open source software, distributed under the terms of a simplified [2-clause BSD-like license](LICENSE).
@ -60,7 +65,6 @@ nginx -V
 ```
 > See [Configuring the build](#configuring-the-build) for information on how to include specific Static modules into your nginx build.
 ## Configurations
 NGINX is highly flexible and configurable. Provisioning the software is achieved via text-based config file(s) accepting parameters called "[Directives](https://nginx.org/en/docs/dirindex.html)". See [Configuration File's Structure](https://nginx.org/en/docs/beginners_guide.html#conf_structure) for a comprehensive description of how NGINX configuration files work.
@ -209,9 +213,7 @@ The output of which should start with:
 ```
 # Asking questions and reporting issues
-We encourage you to engage with us.
+See our [Support](SUPPORT.md) guidelines for information on how discuss the codebase, ask troubleshooting questions, and report issues.
 - [NGINX GitHub Discussions](https://github.com/nginx/nginx/discussions), is the go-to place to start asking questions and sharing your thoughts.
 - Our [GitHub Issues](https://github.com/nginx/nginx/issues) page offers space to submit and discuss specific issues, report bugs, and suggest enhancements.
 # Contributing code
 Please see the [Contributing](CONTRIBUTING.md) guide for information on how to contribute code.
--- a/SUPPORT.md
+++ b/SUPPORT.md
@ -0,0 +1,48 @@
 # Support
 ## Ask a Question
 We use GitHub issues for tracking bugs and feature requests
 related to this project.
 If you don't know how something in the codebase works, are curious if NGINX
 is capable of achieving your desired functionality or want to discuss the
 implementation of an existing or in development feature, please start a
 GitHub discussion!
 ## NGINX Specific Questions and/or Issues
 This project isn't the right place to get support for NGINX and/or NGINX
 troubleshooting questions, but the following resources are available below.
 Thanks for your understanding!
 ### Community Forum
 We have a [community forum](https://community.nginx.org/)!
 If you have any NGINX specific questions and/or issues,
 try checking out the [`NGINX category`](https://community.nginx.org/c/projects/nginx/23).
 For general discussions around anything tangentially NGINX related,
 check out the [`General Discussion category`](https://community.nginx.org/c/general-discussion/34).
 Both fellow community members and NGINXers might be able to help you! :)
 ### Documentation
 For a comprehensive list of all NGINX directives, check out <https://nginx.org>.
 For a comprehensive list of administration and deployment guides for all
 NGINX products, check out <https://docs.nginx.com>.
 ## Contributing
 Please see the [contributing guide](/CONTRIBUTING.md) for guidelines
 on how to best contribute to this project.
 ## Commercial Support
 Commercial support for this project is available.
 Please get in touch with [F5 sales](https://www.f5.com/products/get-f5/)
 or check your contract details for more information!
 ## Community Support
 Community support is offered on a best effort basis through any of our active communities.
--- a/auto/cc/clang
+++ b/auto/cc/clang
@ -5,15 +5,6 @@
 # clang
 NGX_CLANG_VER=`$CC -v 2>&1 | grep 'version' 2>&1 \
                           | sed -n -e 's/^.*clang version \(.*\)/\1/p' \
                                    -e 's/^.*LLVM version \(.*\)/\1/p'`
 echo " + clang version: $NGX_CLANG_VER"
 have=NGX_COMPILER value="\"clang $NGX_CLANG_VER\"" . auto/define
 CC_TEST_FLAGS="-pipe"
--- a/auto/cc/gcc
+++ b/auto/cc/gcc
@ -8,14 +8,6 @@
 #     4.0.0, 4.0.1, 4.1.0
 NGX_GCC_VER=`$CC -v 2>&1 | grep 'gcc version' 2>&1 \
                         | sed -e 's/^.* version \(.*\)/\1/'`
 echo " + gcc version: $NGX_GCC_VER"
 have=NGX_COMPILER value="\"gcc $NGX_GCC_VER\"" . auto/define
 # Solaris 7's /usr/ccs/bin/as does not support "-pipe"
 CC_TEST_FLAGS="-pipe"
@ -112,7 +104,7 @@ esac
 CC_AUX_FLAGS="$CC_AUX_FLAGS $CPU_OPT"
-case "$NGX_GCC_VER" in
+case "$NGX_CC_VER" in
    2.7*)
        # batch build
        CPU_OPT=
@ -145,7 +137,7 @@ CFLAGS="$CFLAGS -Wall -Wpointer-arith"
 #CFLAGS="$CFLAGS -Winline"
 #CFLAGS="$CFLAGS -Wmissing-prototypes"
-case "$NGX_GCC_VER" in
+case "$NGX_CC_VER" in
    2.*)
        # we have a lot of the unused function arguments
        CFLAGS="$CFLAGS -Wno-unused"
--- a/auto/cc/icc
+++ b/auto/cc/icc
@ -5,14 +5,6 @@
 # Intel C++ compiler 7.1, 8.0, 8.1, 9.0, 11.1
 NGX_ICC_VER=`$CC -V 2>&1 | grep 'Version' 2>&1 \
                         | sed -e 's/^.* Version \([^ ]*\) *Build.*$/\1/'`
 echo " + icc version: $NGX_ICC_VER"
 have=NGX_COMPILER value="\"Intel C Compiler $NGX_ICC_VER\"" . auto/define
 # optimizations
 CFLAGS="$CFLAGS -O"
@ -83,7 +75,7 @@ CFLAGS="$CFLAGS -wd1418"
 # external declaration in primary source file
 CFLAGS="$CFLAGS -wd1419"
-case "$NGX_ICC_VER" in
+case "$NGX_CC_VER" in
    9.*)
        # "cc" clobber ignored, warnings for Linux's htonl()/htons()
        CFLAGS="$CFLAGS -wd1469"
--- a/auto/cc/msvc
+++ b/auto/cc/msvc
@ -11,20 +11,12 @@
 # MSVC 2015 (14.0)                        cl 19.00
-NGX_MSVC_VER=`$NGX_WINE $CC 2>&1 | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
+ngx_msvc_ver=`echo $NGX_CC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
                                 | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
 echo " + cl version: $NGX_MSVC_VER"
 have=NGX_COMPILER value="\"cl $NGX_MSVC_VER\"" . auto/define
 ngx_msvc_ver=`echo $NGX_MSVC_VER | sed -e 's/^\([0-9]*\).*/\1/'`
 # detect x64 builds
-case "$NGX_MSVC_VER" in
+case "$NGX_CC_VER" in
    *ARM64)
        NGX_MACHINE=arm64
--- a/auto/cc/name
+++ b/auto/cc/name
@ -28,6 +28,13 @@ if [ "$CC" = cl ]; then
    NGX_CC_NAME=msvc
    echo " + using Microsoft Visual C++ compiler"
    NGX_CC_VER=`$NGX_WINE $CC 2>&1 \
                | grep 'C/C++.* [0-9][0-9]*\.[0-9]' 2>&1 \
                | sed -e 's/^.* \([0-9][0-9]*\.[0-9].*\)/\1/'`
    echo " + cl version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"cl $NGX_CC_VER\"" . auto/define
 elif [ "$CC" = wcl386 ]; then
    NGX_CC_NAME=owc
    echo " + using Open Watcom C compiler"
@ -40,22 +47,48 @@ elif `$CC -V 2>&1 | grep '^Intel(R) C' >/dev/null 2>&1`; then
    NGX_CC_NAME=icc
    echo " + using Intel C++ compiler"
    NGX_CC_VER=`$CC -V 2>&1 \
                | sed -n -e 's/^.* Version \([^ ]*\) *Build.*$/\1/p'`
    echo " + icc version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"Intel C Compiler $NGX_CC_VER\"" . auto/define
 elif `$CC -v 2>&1 | grep 'gcc version' >/dev/null 2>&1`; then
    NGX_CC_NAME=gcc
    echo " + using GNU C compiler"
    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*gcc version \(.*\)/\1/p'`
    echo " + gcc version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"gcc $NGX_CC_VER\"" . auto/define
 elif `$CC -v 2>&1 | grep 'clang version' >/dev/null 2>&1`; then
    NGX_CC_NAME=clang
    echo " + using Clang C compiler"
    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*clang version \(.*\)/\1/p'`
    echo " + clang version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"clang $NGX_CC_VER\"" . auto/define
 elif `$CC -v 2>&1 | grep 'LLVM version' >/dev/null 2>&1`; then
    NGX_CC_NAME=clang
    echo " + using Clang C compiler"
    NGX_CC_VER=`$CC -v 2>&1 | sed -n -e 's/^.*LLVM version \(.*\)/\1/p'`
    echo " + clang version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"clang $NGX_CC_VER\"" . auto/define
 elif `$CC -V 2>&1 | grep 'Sun C' >/dev/null 2>&1`; then
    NGX_CC_NAME=sunc
    echo " + using Sun C compiler"
    NGX_CC_VER=`$CC -V 2>&1 | sed -n -e 's/^.* Sun C \(.*\)/\1/p'`
    echo " + Sun C version: $NGX_CC_VER"
    have=NGX_COMPILER value="\"Sun C $NGX_CC_VER\"" . auto/define
 elif `$CC -V 2>&1 | grep '^Compaq C' >/dev/null 2>&1`; then
    NGX_CC_NAME=ccc
    echo " + using Compaq C compiler"
--- a/auto/cc/sunc
+++ b/auto/cc/sunc
@ -13,13 +13,6 @@
 # Sun C 5.13 SunOS_i386 2014/10/20        Oracle Solaris Studio 12.4
 # Sun C 5.14 SunOS_i386 2016/05/31        Oracle Developer Studio 12.5
 NGX_SUNC_VER=`$CC -V 2>&1 | grep 'Sun C' 2>&1 \
                          | sed -e 's/^.* Sun C \(.*\)/\1/'`
 echo " + Sun C version: $NGX_SUNC_VER"
 have=NGX_COMPILER value="\"Sun C $NGX_SUNC_VER\"" . auto/define
 cat << END > $NGX_AUTOTEST.c
--- a/auto/lib/pcre/make
+++ b/auto/lib/pcre/make
@ -37,6 +37,7 @@ if [ $PCRE_LIBRARY = PCRE2 ]; then
                       pcre2_xclass.c"
        ngx_pcre_test="pcre2_chkdint.c \
                       pcre2_compile_cgroup.c \
                       pcre2_compile_class.c \
                       pcre2_convert.c \
                       pcre2_extuni.c \
--- a/auto/modules
+++ b/auto/modules
@ -729,7 +729,7 @@ if [ $HTTP = YES ]; then
        ngx_module_name=ngx_http_proxy_module
        ngx_module_incs=
-        ngx_module_deps=
+        ngx_module_deps=src/http/modules/ngx_http_proxy_module.h
        ngx_module_srcs=src/http/modules/ngx_http_proxy_module.c
        ngx_module_libs=
        ngx_module_link=$HTTP_PROXY
@ -781,6 +781,17 @@ if [ $HTTP = YES ]; then
        . auto/module
    fi
    if [ $HTTP_PROXY = YES -a $HTTP_V2 = YES ]; then
        ngx_module_name=ngx_http_proxy_v2_module
        ngx_module_incs=
        ngx_module_deps=
        ngx_module_srcs=src/http/modules/ngx_http_proxy_v2_module.c
        ngx_module_libs=
        ngx_module_link=$HTTP_V2
        . auto/module
    fi
    if [ $HTTP_PERL != NO ]; then
        ngx_module_name=ngx_http_perl_module
        ngx_module_incs=src/http/modules/perl
--- a/docs/xml/nginx/changes.xml
+++ b/docs/xml/nginx/changes.xml
@ -5,6 +5,85 @@
 <change_log title="nginx">
 <changes ver="1.29.4" date="2025-12-09">
 <change type="feature">
 <para lang="ru">
 модуль ngx_http_proxy_module поддерживает HTTP/2.
 </para>
 <para lang="en">
 the ngx_http_proxy_module supports HTTP/2.
 </para>
 </change>
 <change type="feature">
 <para lang="ru">
 поддержка расширения TLS Encrypted ClientHello
 при использовании ветки разработки ECH OpenSSL;
 директива ssl_ech_file.<br/>
 Спасибо Stephen Farrell.
 </para>
 <para lang="en">
 Encrypted ClientHello TLS extension support
 when using OpenSSL ECH feature branch;
 the "ssl_ech_file" directive.<br/>
 Thanks to Stephen Farrell.
 </para>
 </change>
 <change type="change">
 <para lang="ru">
 валидация хоста и порта в строке запроса,
 в заголовке "Host" и псевдо-заголовке ":authority"
 изменена на соответствующую RFC 3986.
 </para>
 <para lang="en">
 validation of host and port in the request line,
 "Host" header field, and ":authority" pseudo-header field
 has been changed to follow RFC 3986.
 </para>
 </change>
 <change type="change">
 <para lang="ru">
 теперь одиночный символ LF, используемый для перевода строки
 в chunked-теле запроса или ответа, считается ошибкой.
 </para>
 <para lang="en">
 now a single LF used as a line terminator
 in a chunked request or response body is considered an error.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 при использовании HTTP/3 с OpenSSL 3.5.1 и новее
 в рабочем процессе мог произойти segmentation fault;
 ошибка появилась в 1.29.1.<br/>
 Спасибо Jan Svojanovsky.
 </para>
 <para lang="en">
 when using HTTP/3 with OpenSSL 3.5.1 or newer
 a segmentation fault might occur in a worker process;
 the bug had appeared in 1.29.1.<br/>
 Thanks to Jan Svojanovsky.
 </para>
 </change>
 <change type="bugfix">
 <para lang="ru">
 при совместном использовании директив try_files и proxy_pass с URI
 в рабочем процессе мог произойти segmentation fault.
 </para>
 <para lang="en">
 a segmentation fault might occur in a worker process
 if the "try_files" directive and "proxy_pass" with a URI were used.
 </para>
 </change>
 </changes>
 <changes ver="1.29.3" date="2025-10-28">
 <change type="feature">
--- a/src/core/nginx.h
+++ b/src/core/nginx.h
@ -9,8 +9,8 @@
 #define _NGINX_H_INCLUDED_
-#define nginx_version      1029003
+#define nginx_version      1029005
-#define NGINX_VERSION      "1.29.3"
+#define NGINX_VERSION      "1.29.5"
 #define NGINX_VER          "nginx/" NGINX_VERSION
 #ifdef NGX_BUILD
--- a/src/event/ngx_event_openssl.c
+++ b/src/event/ngx_event_openssl.c
@ -1653,6 +1653,105 @@ ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file)
 }
 ngx_int_t
 ngx_ssl_ech_files(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_array_t *filenames)
 {
 #ifdef SSL_OP_ECH_GREASE
    int             numkeys;
    BIO            *in;
    ngx_int_t       rc;
    ngx_str_t      *filename;
    ngx_uint_t      i;
    OSSL_ECHSTORE  *es;
    if (filenames == NULL) {
        return NGX_OK;
    }
    es = OSSL_ECHSTORE_new(NULL, NULL);
    if (es == NULL) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0, "OSSL_ECHSTORE_new() failed");
        return NGX_ERROR;
    }
    rc = NGX_ERROR;
    filename = filenames->elts;
    for (i = 0; i < filenames->nelts; i++) {
        if (ngx_conf_full_name(cf->cycle, &filename[i], 1) != NGX_OK) {
            goto cleanup;
        }
        in = BIO_new_file((char *) filename[i].data, "r");
        if (in == NULL) {
            ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                          "BIO_new_file(\"%s\") failed", filename[i].data);
            goto cleanup;
        }
        /*
         * We only set the ECHConfigList from the first file read to use
         * in ECH retry-configs.
         *
         * That allows many sensible key rotation schemes so that the
         * values sent in ECH retry-configs are smaller and current.
         * For example, if the first file name has the current ECH
         * private key, and a second one has the previously used key
         * that some clients may still use due to DNS caching.
         */
         if (OSSL_ECHSTORE_read_pem(es, in, i ? OSSL_ECH_NO_RETRY
                                              : OSSL_ECH_FOR_RETRY)
             != 1)
         {
             ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                           "OSSL_ECHSTORE_read_pem(%s) failed",
                           filename[i].data);
             BIO_free(in);
             goto cleanup;
         }
         BIO_free(in);
    }
    /*
     * load the ECH store after checking there's at least one ECH
     * private key in there (the PEM file spec allows zero or one
     * private key per file)
     */
    if (OSSL_ECHSTORE_num_keys(es, &numkeys) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "OSSL_ECHSTORE_num_keys(%s) failed");
        goto cleanup;
    }
    if (numkeys > 0 && SSL_CTX_set1_echstore(ssl->ctx, es) != 1) {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set1_echstore() failed");
        goto cleanup;
    }
    rc = NGX_OK;
 cleanup:
    OSSL_ECHSTORE_free(es);
    return rc;
 #else
    if (filenames != NULL) {
        ngx_log_error(NGX_LOG_WARN, ssl->log, 0,
                      "\"ssl_ech_file\" is not supported on this platform, "
                      "ignored");
    }
    return NGX_OK;
 #endif
 }
 ngx_int_t
 ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name)
 {
@ -1872,21 +1971,34 @@ ngx_ssl_new_client_session(ngx_ssl_conn_t *ssl_conn, ngx_ssl_session_t *sess)
 }
-void
+ngx_int_t
-ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
+ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl, ngx_ssl_client_hello_arg *cb)
    ngx_ssl_client_hello_arg *cb)
 {
 #ifdef SSL_CLIENT_HELLO_SUCCESS
-    SSL_CTX_set_client_hello_cb(ssl_ctx, ngx_ssl_client_hello_callback, NULL);
+    SSL_CTX_set_client_hello_cb(ssl->ctx, ngx_ssl_client_hello_callback, NULL);
-    SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
+
    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }
 #elif defined OPENSSL_IS_BORINGSSL
-    SSL_CTX_set_select_certificate_cb(ssl_ctx, ngx_ssl_select_certificate);
+    SSL_CTX_set_select_certificate_cb(ssl->ctx, ngx_ssl_select_certificate);
-    SSL_CTX_set_ex_data(ssl_ctx, ngx_ssl_client_hello_arg_index, cb);
+
    if (SSL_CTX_set_ex_data(ssl->ctx, ngx_ssl_client_hello_arg_index, cb) == 0)
    {
        ngx_ssl_error(NGX_LOG_EMERG, ssl->log, 0,
                      "SSL_CTX_set_ex_data() failed");
        return NGX_ERROR;
    }
 #endif
    return NGX_OK;
 }
@ -5695,6 +5807,81 @@ ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 }
 ngx_int_t
 ngx_ssl_get_ech_status(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
 #ifdef SSL_OP_ECH_GREASE
    int    echrv;
    char  *inner_sni, *outer_sni;
    inner_sni = NULL;
    outer_sni = NULL;
    echrv = SSL_ech_get1_status(c->ssl->connection, &inner_sni, &outer_sni);
    switch (echrv) {
    case SSL_ECH_STATUS_NOT_TRIED:
        ngx_str_set(s, "NOT_TRIED");
        break;
    case SSL_ECH_STATUS_SUCCESS:
        ngx_str_set(s, "SUCCESS");
        break;
    case SSL_ECH_STATUS_GREASE:
        ngx_str_set(s, "GREASE");
        break;
    case SSL_ECH_STATUS_BACKEND:
        ngx_str_set(s, "BACKEND");
        break;
    default:
        ngx_str_set(s, "FAILED");
        break;
    }
    OPENSSL_free(inner_sni);
    OPENSSL_free(outer_sni);
 #else
    s->len = 0;
 #endif
    return NGX_OK;
 }
 ngx_int_t
 ngx_ssl_get_ech_outer_server_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s)
 {
 #if defined(SSL_OP_ECH_GREASE)
    int    echrv;
    char  *inner_sni, *outer_sni;
    inner_sni = NULL;
    outer_sni = NULL;
    echrv = SSL_ech_get1_status(c->ssl->connection, &inner_sni, &outer_sni);
    if (echrv == SSL_ECH_STATUS_SUCCESS && outer_sni) {
        s->len = ngx_strlen(outer_sni);
        s->data = ngx_pnalloc(pool, s->len);
        if (s->data == NULL) {
            return NGX_ERROR;
        }
        ngx_memcpy(s->data, outer_sni, s->len);
    } else {
        s->len = 0;
    }
    OPENSSL_free(inner_sni);
    OPENSSL_free(outer_sni);
 #else
    s->len = 0;
 #endif
    return NGX_OK;
 }
 ngx_int_t
 ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool, ngx_str_t *s)
 {
--- a/src/event/ngx_event_openssl.h
+++ b/src/event/ngx_event_openssl.h
@ -271,6 +271,8 @@ ngx_array_t *ngx_ssl_read_password_file(ngx_conf_t *cf, ngx_str_t *file);
 ngx_array_t *ngx_ssl_preserve_passwords(ngx_conf_t *cf,
    ngx_array_t *passwords);
 ngx_int_t ngx_ssl_dhparam(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *file);
 ngx_int_t ngx_ssl_ech_files(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *filename);
 ngx_int_t ngx_ssl_ecdh_curve(ngx_conf_t *cf, ngx_ssl_t *ssl, ngx_str_t *name);
 ngx_int_t ngx_ssl_early_data(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_uint_t enable);
@ -286,7 +288,7 @@ ngx_int_t ngx_ssl_session_ticket_keys(ngx_conf_t *cf, ngx_ssl_t *ssl,
    ngx_array_t *paths);
 ngx_int_t ngx_ssl_session_cache_init(ngx_shm_zone_t *shm_zone, void *data);
-void ngx_ssl_set_client_hello_callback(SSL_CTX *ssl_ctx,
+ngx_int_t ngx_ssl_set_client_hello_callback(ngx_ssl_t *ssl,
    ngx_ssl_client_hello_arg *cb);
 #ifdef SSL_CLIENT_HELLO_SUCCESS
 int ngx_ssl_client_hello_callback(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg);
@ -338,6 +340,10 @@ ngx_int_t ngx_ssl_get_early_data(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_server_name(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_ech_status(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_ech_outer_server_name(ngx_connection_t *c,
    ngx_pool_t *pool, ngx_str_t *s);
 ngx_int_t ngx_ssl_get_alpn_protocol(ngx_connection_t *c, ngx_pool_t *pool,
    ngx_str_t *s);
 ngx_int_t ngx_ssl_get_raw_certificate(ngx_connection_t *c, ngx_pool_t *pool,
--- a/src/event/quic/ngx_event_quic_ssl.c
+++ b/src/event/quic/ngx_event_quic_ssl.c
@ -185,7 +185,13 @@ ngx_quic_cbs_release_rcd(ngx_ssl_conn_t *ssl_conn, size_t bytes_read, void *arg)
    ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
                   "quic ngx_quic_cbs_release_rcd len:%uz", bytes_read);
    /* already closed on handshake failure */
    qc = ngx_quic_get_connection(c);
    if (qc == NULL) {
        return 1;
    }
    ctx = ngx_quic_get_send_ctx(qc, qc->read_level);
    cl = ngx_quic_read_buffer(c, &ctx->crypto, bytes_read);
--- a/src/http/modules/ngx_http_proxy_module.c
+++ b/src/http/modules/ngx_http_proxy_module.c
@ -8,6 +8,7 @@
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
 #include <ngx_http_proxy_module.h>
 #define  NGX_HTTP_PROXY_COOKIE_SECURE           0x0001
@ -23,11 +24,6 @@
 #define  NGX_HTTP_PROXY_COOKIE_SAMESITE_OFF     0x0400
 typedef struct {
    ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
 } ngx_http_proxy_main_conf_t;
 typedef struct ngx_http_proxy_rewrite_s  ngx_http_proxy_rewrite_t;
 typedef ngx_int_t (*ngx_http_proxy_rewrite_pt)(ngx_http_request_t *r,
@ -61,96 +57,6 @@ typedef struct {
 } ngx_http_proxy_cookie_flags_t;
 typedef struct {
    ngx_str_t                      key_start;
    ngx_str_t                      schema;
    ngx_str_t                      host_header;
    ngx_str_t                      port;
    ngx_str_t                      uri;
 } ngx_http_proxy_vars_t;
 typedef struct {
    ngx_array_t                   *flushes;
    ngx_array_t                   *lengths;
    ngx_array_t                   *values;
    ngx_hash_t                     hash;
 } ngx_http_proxy_headers_t;
 typedef struct {
    ngx_http_upstream_conf_t       upstream;
    ngx_array_t                   *body_flushes;
    ngx_array_t                   *body_lengths;
    ngx_array_t                   *body_values;
    ngx_str_t                      body_source;
    ngx_http_proxy_headers_t       headers;
 #if (NGX_HTTP_CACHE)
    ngx_http_proxy_headers_t       headers_cache;
 #endif
    ngx_array_t                   *headers_source;
    ngx_array_t                   *proxy_lengths;
    ngx_array_t                   *proxy_values;
    ngx_array_t                   *redirects;
    ngx_array_t                   *cookie_domains;
    ngx_array_t                   *cookie_paths;
    ngx_array_t                   *cookie_flags;
    ngx_http_complex_value_t      *method;
    ngx_str_t                      location;
    ngx_str_t                      url;
 #if (NGX_HTTP_CACHE)
    ngx_http_complex_value_t       cache_key;
 #endif
    ngx_http_proxy_vars_t          vars;
    ngx_flag_t                     redirect;
    ngx_uint_t                     http_version;
    ngx_uint_t                     headers_hash_max_size;
    ngx_uint_t                     headers_hash_bucket_size;
 #if (NGX_HTTP_SSL)
    ngx_uint_t                     ssl;
    ngx_uint_t                     ssl_protocols;
    ngx_str_t                      ssl_ciphers;
    ngx_uint_t                     ssl_verify_depth;
    ngx_str_t                      ssl_trusted_certificate;
    ngx_str_t                      ssl_crl;
    ngx_array_t                   *ssl_conf_commands;
 #endif
 } ngx_http_proxy_loc_conf_t;
 typedef struct {
    ngx_http_status_t              status;
    ngx_http_chunked_t             chunked;
    ngx_http_proxy_vars_t          vars;
    off_t                          internal_body_length;
    ngx_chain_t                   *free;
    ngx_chain_t                   *busy;
    ngx_buf_t                     *trailers;
    unsigned                       head:1;
    unsigned                       internal_chunked:1;
    unsigned                       header_sent:1;
 } ngx_http_proxy_ctx_t;
 static ngx_int_t ngx_http_proxy_eval(ngx_http_request_t *r,
    ngx_http_proxy_ctx_t *ctx, ngx_http_proxy_loc_conf_t *plcf);
 #if (NGX_HTTP_CACHE)
 static ngx_int_t ngx_http_proxy_create_key(ngx_http_request_t *r);
 #endif
 static ngx_int_t ngx_http_proxy_create_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_proxy_reinit_request(ngx_http_request_t *r);
 static ngx_int_t ngx_http_proxy_body_output_filter(void *data, ngx_chain_t *in);
@ -178,15 +84,14 @@ static ngx_int_t ngx_http_proxy_port_variable(ngx_http_request_t *r,
 static ngx_int_t
    ngx_http_proxy_add_x_forwarded_for_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t
    ngx_http_proxy_internal_connection_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t
    ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_proxy_internal_chunked_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data);
 static ngx_int_t ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r,
    ngx_table_elt_t *h, size_t prefix);
 static ngx_int_t ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r,
    ngx_table_elt_t *h);
 static ngx_int_t ngx_http_proxy_parse_cookie(ngx_str_t *value,
    ngx_array_t *attrs);
 static ngx_int_t ngx_http_proxy_rewrite_cookie_value(ngx_http_request_t *r,
@ -293,6 +198,9 @@ static ngx_conf_post_t  ngx_http_proxy_ssl_conf_command_post =
 static ngx_conf_enum_t  ngx_http_proxy_http_version[] = {
    { ngx_string("1.0"), NGX_HTTP_VERSION_10 },
    { ngx_string("1.1"), NGX_HTTP_VERSION_11 },
 #if (NGX_HTTP_V2)
    { ngx_string("2"), NGX_HTTP_VERSION_20 },
 #endif
    { ngx_null_string, 0 }
 };
@ -840,8 +748,8 @@ static char  ngx_http_proxy_version_11[] = " HTTP/1.1" CRLF;
 static ngx_keyval_t  ngx_http_proxy_headers[] = {
-    { ngx_string("Host"), ngx_string("$proxy_host") },
+    { ngx_string("Host"), ngx_string("$proxy_internal_host") },
-    { ngx_string("Connection"), ngx_string("close") },
+    { ngx_string("Connection"), ngx_string("$proxy_internal_connection") },
    { ngx_string("Content-Length"), ngx_string("$proxy_internal_body_length") },
    { ngx_string("Transfer-Encoding"), ngx_string("$proxy_internal_chunked") },
    { ngx_string("TE"), ngx_string("") },
@ -868,8 +776,8 @@ static ngx_str_t  ngx_http_proxy_hide_headers[] = {
 #if (NGX_HTTP_CACHE)
 static ngx_keyval_t  ngx_http_proxy_cache_headers[] = {
-    { ngx_string("Host"), ngx_string("$proxy_host") },
+    { ngx_string("Host"), ngx_string("$proxy_internal_host") },
-    { ngx_string("Connection"), ngx_string("close") },
+    { ngx_string("Connection"), ngx_string("$proxy_internal_connection") },
    { ngx_string("Content-Length"), ngx_string("$proxy_internal_body_length") },
    { ngx_string("Transfer-Encoding"), ngx_string("$proxy_internal_chunked") },
    { ngx_string("TE"), ngx_string("") },
@ -904,6 +812,14 @@ static ngx_http_variable_t  ngx_http_proxy_vars[] = {
    { ngx_string("proxy_add_via"), NULL, NULL, 0, NGX_HTTP_VAR_NOHASH, 0 },
 #endif
    { ngx_string("proxy_internal_host"), NULL,
      ngx_http_proxy_host_variable, 1,
      NGX_HTTP_VAR_CHANGEABLE|NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
    { ngx_string("proxy_internal_connection"), NULL,
      ngx_http_proxy_internal_connection_variable, 0,
      NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
    { ngx_string("proxy_internal_body_length"), NULL,
      ngx_http_proxy_internal_body_length_variable, 0,
      NGX_HTTP_VAR_NOCACHEABLE|NGX_HTTP_VAR_NOHASH, 0 },
@ -962,6 +878,14 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
    ngx_http_proxy_main_conf_t  *pmcf;
 #endif
    plcf = ngx_http_get_module_loc_conf(r, ngx_http_proxy_module);
 #if (NGX_HTTP_V2)
    if (plcf->http_version == NGX_HTTP_VERSION_20) {
        return ngx_http_proxy_v2_handler(r);
    }
 #endif
    if (ngx_http_upstream_create(r) != NGX_OK) {
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }
@ -971,9 +895,9 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
        return NGX_HTTP_INTERNAL_SERVER_ERROR;
    }
-    ngx_http_set_ctx(r, ctx, ngx_http_proxy_module);
+    ctx->legacy = 1;
-    plcf = ngx_http_get_module_loc_conf(r, ngx_http_proxy_module);
+    ngx_http_set_ctx(r, ctx, ngx_http_proxy_module);
    u = r->upstream;
@ -1050,7 +974,7 @@ ngx_http_proxy_handler(ngx_http_request_t *r)
 }
-static ngx_int_t
+ngx_int_t
 ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
    ngx_http_proxy_loc_conf_t *plcf)
 {
@ -1154,7 +1078,7 @@ ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
 #if (NGX_HTTP_CACHE)
-static ngx_int_t
+ngx_int_t
 ngx_http_proxy_create_key(ngx_http_request_t *r)
 {
    size_t                      len, loc_len;
@ -1206,7 +1130,8 @@ ngx_http_proxy_create_key(ngx_http_request_t *r)
        return NGX_OK;
    }
-    loc_len = (r->valid_location && ctx->vars.uri.len) ? plcf->location.len : 0;
+    loc_len = (r->valid_location && ctx->vars.uri.len)
              ? ngx_min(plcf->location.len, r->uri.len) : 0;
    if (r->quoted_uri || r->internal) {
        escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@ -1318,8 +1243,8 @@ ngx_http_proxy_create_request(ngx_http_request_t *r)
        uri_len = r->unparsed_uri.len;
    } else {
-        loc_len = (r->valid_location && ctx->vars.uri.len) ?
+        loc_len = (r->valid_location && ctx->vars.uri.len)
-                      plcf->location.len : 0;
+                  ? ngx_min(plcf->location.len, r->uri.len) : 0;
        if (r->quoted_uri || r->internal) {
            escape = 2 * ngx_escape_uri(NULL, r->uri.data + loc_len,
@ -2118,7 +2043,7 @@ ngx_http_proxy_input_filter_init(void *data)
        /* chunked */
        u->pipe->input_filter = ngx_http_proxy_chunked_filter;
-        u->pipe->length = 3; /* "0" LF LF */
+        u->pipe->length = 5; /* "0" CRLF CRLF */
        u->input_filter = ngx_http_proxy_non_buffered_chunked_filter;
        u->length = 1;
@ -2767,6 +2692,11 @@ ngx_http_proxy_host_variable(ngx_http_request_t *r,
        return NGX_OK;
    }
    if (data == 1 && !ctx->legacy) {
        v->not_found = 1;
        return NGX_OK;
    }
    v->len = ctx->vars.host_header.len;
    v->valid = 1;
    v->no_cacheable = 0;
@ -2847,6 +2777,29 @@ ngx_http_proxy_add_x_forwarded_for_variable(ngx_http_request_t *r,
 }
 static ngx_int_t
 ngx_http_proxy_internal_connection_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
 {
    ngx_http_proxy_ctx_t  *ctx;
    ctx = ngx_http_get_module_ctx(r, ngx_http_proxy_module);
    if (ctx == NULL || !ctx->legacy) {
        v->not_found = 1;
        return NGX_OK;
    }
    v->valid = 1;
    v->no_cacheable = 0;
    v->not_found = 0;
    ngx_str_set(v, "close");
    return NGX_OK;
 }
 static ngx_int_t
 ngx_http_proxy_internal_body_length_variable(ngx_http_request_t *r,
    ngx_http_variable_value_t *v, uintptr_t data)
@ -2900,7 +2853,7 @@ ngx_http_proxy_internal_chunked_variable(ngx_http_request_t *r,
 }
-static ngx_int_t
+ngx_int_t
 ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r, ngx_table_elt_t *h,
    size_t prefix)
 {
@ -2932,7 +2885,7 @@ ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r, ngx_table_elt_t *h,
 }
-static ngx_int_t
+ngx_int_t
 ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r, ngx_table_elt_t *h)
 {
    u_char                     *p;
@ -3577,6 +3530,7 @@ ngx_http_proxy_create_loc_conf(ngx_conf_t *cf)
     *     conf->headers.values = NULL;
     *     conf->headers.hash = { NULL, 0 };
     *     conf->headers_cache.lengths = NULL;
     *     conf->host_set = 0;
     *     conf->headers_cache.values = NULL;
     *     conf->headers_cache.hash = { NULL, 0 };
     *     conf->body_lengths = NULL;
@ -4152,6 +4106,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #if (NGX_HTTP_CACHE)
        conf->headers_cache = prev->headers_cache;
 #endif
        conf->host_set = prev->host_set;
    }
    rc = ngx_http_proxy_init_headers(cf, conf, &conf->headers,
@ -4184,6 +4139,7 @@ ngx_http_proxy_merge_loc_conf(ngx_conf_t *cf, void *parent, void *child)
 #if (NGX_HTTP_CACHE)
        prev->headers_cache = conf->headers_cache;
 #endif
        prev->host_set = conf->host_set;
    }
    return NGX_CONF_OK;
@ -4236,6 +4192,12 @@ ngx_http_proxy_init_headers(ngx_conf_t *cf, ngx_http_proxy_loc_conf_t *conf,
        src = conf->headers_source->elts;
        for (i = 0; i < conf->headers_source->nelts; i++) {
            if (src[i].key.len == 4
                && ngx_strncasecmp(src[i].key.data, (u_char *) "Host", 4) == 0)
            {
                conf->host_set = 1;
            }
            s = ngx_array_push(&headers_merged);
            if (s == NULL) {
                return NGX_ERROR;
--- a/src/http/modules/ngx_http_proxy_module.h
+++ b/src/http/modules/ngx_http_proxy_module.h
@ -0,0 +1,127 @@
 /*
 * Copyright (C) Igor Sysoev
 * Copyright (C) Nginx, Inc.
 */
 #ifndef _NGX_HTTP_PROXY_H_INCLUDED_
 #define _NGX_HTTP_PROXY_H_INCLUDED_
 #include <ngx_config.h>
 #include <ngx_core.h>
 #include <ngx_http.h>
 typedef struct {
    ngx_array_t                    caches;  /* ngx_http_file_cache_t * */
 } ngx_http_proxy_main_conf_t;
 typedef struct {
    ngx_str_t                      key_start;
    ngx_str_t                      schema;
    ngx_str_t                      host_header;
    ngx_str_t                      port;
    ngx_str_t                      uri;
 } ngx_http_proxy_vars_t;
 typedef struct {
    ngx_array_t                   *flushes;
    ngx_array_t                   *lengths;
    ngx_array_t                   *values;
    ngx_hash_t                     hash;
 } ngx_http_proxy_headers_t;
 typedef struct {
    ngx_http_upstream_conf_t       upstream;
    ngx_array_t                   *body_flushes;
    ngx_array_t                   *body_lengths;
    ngx_array_t                   *body_values;
    ngx_str_t                      body_source;
    ngx_http_proxy_headers_t       headers;
 #if (NGX_HTTP_CACHE)
    ngx_http_proxy_headers_t       headers_cache;
 #endif
    ngx_array_t                   *headers_source;
    ngx_uint_t                     host_set;
    ngx_array_t                   *proxy_lengths;
    ngx_array_t                   *proxy_values;
    ngx_array_t                   *redirects;
    ngx_array_t                   *cookie_domains;
    ngx_array_t                   *cookie_paths;
    ngx_array_t                   *cookie_flags;
    ngx_http_complex_value_t      *method;
    ngx_str_t                      location;
    ngx_str_t                      url;
 #if (NGX_HTTP_CACHE)
    ngx_http_complex_value_t       cache_key;
 #endif
    ngx_http_proxy_vars_t          vars;
    ngx_flag_t                     redirect;
    ngx_uint_t                     http_version;
    ngx_uint_t                     headers_hash_max_size;
    ngx_uint_t                     headers_hash_bucket_size;
 #if (NGX_HTTP_SSL || NGX_COMPAT)
    ngx_uint_t                     ssl;
    ngx_uint_t                     ssl_protocols;
    ngx_str_t                      ssl_ciphers;
    ngx_uint_t                     ssl_verify_depth;
    ngx_str_t                      ssl_trusted_certificate;
    ngx_str_t                      ssl_crl;
    ngx_array_t                   *ssl_conf_commands;
 #endif
 } ngx_http_proxy_loc_conf_t;
 typedef struct {
    ngx_http_status_t              status;
    ngx_http_chunked_t             chunked;
    ngx_http_proxy_vars_t          vars;
    off_t                          internal_body_length;
    ngx_chain_t                   *free;
    ngx_chain_t                   *busy;
    ngx_buf_t                     *trailers;
    unsigned                       head:1;
    unsigned                       internal_chunked:1;
    unsigned                       header_sent:1;
    unsigned                       legacy:1;
 } ngx_http_proxy_ctx_t;
 ngx_int_t ngx_http_proxy_eval(ngx_http_request_t *r, ngx_http_proxy_ctx_t *ctx,
    ngx_http_proxy_loc_conf_t *plcf);
 #if (NGX_HTTP_CACHE)
 ngx_int_t ngx_http_proxy_create_key(ngx_http_request_t *r);
 #endif
 ngx_int_t ngx_http_proxy_rewrite_redirect(ngx_http_request_t *r,
    ngx_table_elt_t *h, size_t prefix);
 ngx_int_t ngx_http_proxy_rewrite_cookie(ngx_http_request_t *r,
    ngx_table_elt_t *h);
 #if (NGX_HTTP_V2)
 ngx_int_t ngx_http_proxy_v2_handler(ngx_http_request_t *r);
 #endif
 extern ngx_module_t  ngx_http_proxy_module;
 #endif /* _NGX_HTTP_PROXY_H_INCLUDED_ */
--- a/src/http/modules/ngx_http_proxy_v2_module.c
+++ b/src/http/modules/ngx_http_proxy_v2_module.c
--- a/src/http/modules/ngx_http_ssl_module.c
+++ b/src/http/modules/ngx_http_ssl_module.c
@ -117,6 +117,13 @@ static ngx_command_t  ngx_http_ssl_commands[] = {
      0,
      NULL },
    { ngx_string("ssl_ech_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_HTTP_SRV_CONF_OFFSET,
      offsetof(ngx_http_ssl_srv_conf_t, ech_files),
      NULL },
    { ngx_string("ssl_password_file"),
      NGX_HTTP_MAIN_CONF|NGX_HTTP_SRV_CONF|NGX_CONF_TAKE1,
      ngx_http_ssl_password_file,
@ -377,6 +384,13 @@ static ngx_http_variable_t  ngx_http_ssl_vars[] = {
    { ngx_string("ssl_alpn_protocol"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_ech_status"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_ech_status, NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_ech_outer_server_name,
      NGX_HTTP_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_client_cert"), NULL, ngx_http_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_HTTP_VAR_CHANGEABLE, 0 },
@ -643,6 +657,7 @@ ngx_http_ssl_create_srv_conf(ngx_conf_t *cf)
    sscf->certificates = NGX_CONF_UNSET_PTR;
    sscf->certificate_keys = NGX_CONF_UNSET_PTR;
    sscf->certificate_cache = NGX_CONF_UNSET_PTR;
    sscf->ech_files = NGX_CONF_UNSET_PTR;
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->conf_commands = NGX_CONF_UNSET_PTR;
    sscf->builtin_session_cache = NGX_CONF_UNSET;
@ -694,6 +709,8 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
                         NULL);
    ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@ -758,7 +775,9 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    {
    static ngx_ssl_client_hello_arg cb = { ngx_http_ssl_servername };
-    ngx_ssl_set_client_hello_callback(conf->ssl.ctx, &cb);
+    if (ngx_ssl_set_client_hello_callback(&conf->ssl, &cb) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
    if (SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                               ngx_http_ssl_servername)
@ -878,6 +897,10 @@ ngx_http_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
        return NGX_CONF_ERROR;
    }
    if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
--- a/src/http/modules/ngx_http_ssl_module.h
+++ b/src/http/modules/ngx_http_ssl_module.h
@ -49,6 +49,7 @@ typedef struct {
    ngx_str_t                       ciphers;
    ngx_array_t                    *ech_files;
    ngx_array_t                    *passwords;
    ngx_array_t                    *conf_commands;
--- a/src/http/ngx_http.h
+++ b/src/http/ngx_http.h
@ -130,8 +130,8 @@ ngx_int_t ngx_http_post_request(ngx_http_request_t *r,
    ngx_http_posted_request_t *pr);
 ngx_int_t ngx_http_set_virtual_server(ngx_http_request_t *r,
    ngx_str_t *host);
-ngx_int_t ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool,
+ngx_int_t ngx_http_validate_host(ngx_str_t *host, in_port_t *port,
-    ngx_uint_t alloc);
+    ngx_pool_t *pool, ngx_uint_t alloc);
 void ngx_http_close_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_finalize_request(ngx_http_request_t *r, ngx_int_t rc);
 void ngx_http_free_request(ngx_http_request_t *r, ngx_int_t rc);
--- a/src/http/ngx_http_parse.c
+++ b/src/http/ngx_http_parse.c
@ -383,21 +383,18 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
        case sw_host_end:
            r->host_end = p;
            if (r->method == NGX_HTTP_CONNECT) {
            if (ch == ':') {
                state = sw_port;
                break;
            }
            r->host_end = p;
            if (r->method == NGX_HTTP_CONNECT) {
                return NGX_HTTP_PARSE_INVALID_REQUEST;
            }
            switch (ch) {
            case ':':
                state = sw_port;
                break;
            case '/':
                r->uri_start = p;
                state = sw_after_slash_in_uri;
@ -465,14 +462,11 @@ ngx_http_parse_request_line(ngx_http_request_t *r, ngx_buf_t *b)
        case sw_port:
            if (ch >= '0' && ch <= '9') {
                if (r->port >= 6553 && (r->port > 6553 || (ch - '0') > 5)) {
                    return NGX_HTTP_PARSE_INVALID_REQUEST;
                }
                r->port = r->port * 10 + (ch - '0');
                break;
            }
            r->host_end = p;
            if (r->method == NGX_HTTP_CONNECT) {
                if (ch == ' ') {
                    state = sw_http_09;
@ -2260,12 +2254,6 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                case CR:
                    state = sw_last_chunk_extension_almost_done;
                    break;
                case LF:
                    if (keep_trailers) {
                        goto done;
                    }
                    state = sw_trailer;
                    break;
                case ';':
                case ' ':
                case '\t':
@ -2282,9 +2270,6 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
            case CR:
                state = sw_chunk_extension_almost_done;
                break;
            case LF:
                state = sw_chunk_data;
                break;
            case ';':
            case ' ':
            case '\t':
@ -2302,7 +2287,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_chunk_extension_almost_done;
                break;
            case LF:
-                state = sw_chunk_data;
+                goto invalid;
            }
            break;
@ -2322,9 +2307,6 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
            case CR:
                state = sw_after_data_almost_done;
                break;
            case LF:
                state = sw_chunk_start;
                break;
            default:
                goto invalid;
            }
@ -2343,10 +2325,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_last_chunk_extension_almost_done;
                break;
            case LF:
-                if (keep_trailers) {
+                goto invalid;
                    goto done;
                }
                state = sw_trailer;
            }
            break;
@ -2366,7 +2345,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_trailer_almost_done;
                break;
            case LF:
-                goto done;
+                goto invalid;
            default:
                state = sw_trailer_header;
            }
@ -2384,7 +2363,7 @@ ngx_http_parse_chunked(ngx_http_request_t *r, ngx_buf_t *b,
                state = sw_trailer_header_almost_done;
                break;
            case LF:
-                state = sw_trailer;
+                goto invalid;
            }
            break;
@ -2410,35 +2389,45 @@ data:
    switch (state) {
    case sw_chunk_start:
-        ctx->length = 3 /* "0" LF LF */;
+        ctx->length = 5 /* "0" CRLF CRLF */;
        break;
    case sw_chunk_size:
-        ctx->length = 1 /* LF */
+        ctx->length = 2 /* CRLF */
-                      + (ctx->size ? ctx->size + 4 /* LF "0" LF LF */
+                      + (ctx->size ? ctx->size + 7 /* CRLF "0" CRLF CRLF */
-                                   : 1 /* LF */);
+                                   : 2 /* CRLF */);
        break;
    case sw_chunk_extension:
        ctx->length = 2 /* CRLF */ + ctx->size + 7 /* CRLF "0" CRLF CRLF */;
        break;
    case sw_chunk_extension_almost_done:
-        ctx->length = 1 /* LF */ + ctx->size + 4 /* LF "0" LF LF */;
+        ctx->length = 1 /* LF */ + ctx->size + 7 /* CRLF "0" CRLF CRLF */;
        break;
    case sw_chunk_data:
-        ctx->length = ctx->size + 4 /* LF "0" LF LF */;
+        ctx->length = ctx->size + 7 /* CRLF "0" CRLF CRLF */;
        break;
    case sw_after_data:
        ctx->length = 7 /* CRLF "0" CRLF CRLF */;
        break;
    case sw_after_data_almost_done:
-        ctx->length = 4 /* LF "0" LF LF */;
+        ctx->length = 6 /* LF "0" CRLF CRLF */;
        break;
    case sw_last_chunk_extension:
        ctx->length = 4 /* CRLF CRLF */;
        break;
    case sw_last_chunk_extension_almost_done:
-        ctx->length = 2 /* LF LF */;
+        ctx->length = 3 /* LF CRLF */;
        break;
    case sw_trailer:
        ctx->length = 2 /* CRLF */;
        break;
    case sw_trailer_almost_done:
        ctx->length = 1 /* LF */;
        break;
    case sw_trailer_header:
        ctx->length = 4 /* CRLF CRLF */;
        break;
    case sw_trailer_header_almost_done:
-        ctx->length = 2 /* LF LF */;
+        ctx->length = 3 /* LF CRLF */;
        break;
    }
--- a/src/http/ngx_http_request.c
+++ b/src/http/ngx_http_request.c
@ -931,7 +931,7 @@ ngx_http_ssl_servername(ngx_ssl_conn_t *ssl_conn, int *ad, void *arg)
        goto done;
    }
-    rc = ngx_http_validate_host(&host, c->pool, 1);
+    rc = ngx_http_validate_host(&host, NULL, c->pool, 1);
    if (rc == NGX_ERROR) {
        goto error;
@ -1107,6 +1107,7 @@ ngx_http_process_request_line(ngx_event_t *rev)
    ssize_t              n;
    ngx_int_t            rc, rv;
    ngx_str_t            host;
    in_port_t            port;
    ngx_connection_t    *c;
    ngx_http_request_t  *r;
@ -1169,7 +1170,7 @@ ngx_http_process_request_line(ngx_event_t *rev)
                host.len = r->host_end - r->host_start;
                host.data = r->host_start;
-                rc = ngx_http_validate_host(&host, r->pool, 0);
+                rc = ngx_http_validate_host(&host, &port, r->pool, 0);
                if (rc == NGX_DECLINED) {
                    ngx_log_error(NGX_LOG_INFO, c->log, 0,
@ -1188,6 +1189,7 @@ ngx_http_process_request_line(ngx_event_t *rev)
                }
                r->headers_in.server = host;
                r->port = port;
            }
            if (r->http_version < NGX_HTTP_VERSION_10) {
@ -1846,9 +1848,9 @@ static ngx_int_t
 ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
    ngx_uint_t offset)
 {
    u_char     *p;
    ngx_int_t  rc;
    ngx_str_t  host;
    in_port_t  port;
    if (r->headers_in.host) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -1865,7 +1867,7 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
    host = h->value;
-    rc = ngx_http_validate_host(&host, r->pool, 0);
+    rc = ngx_http_validate_host(&host, &port, r->pool, 0);
    if (rc == NGX_DECLINED) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -1888,17 +1890,7 @@ ngx_http_process_host(ngx_http_request_t *r, ngx_table_elt_t *h,
    }
    r->headers_in.server = host;
-
+    r->port = port;
    p = ngx_strlchr(h->value.data + host.len,
                    h->value.data + h->value.len, ':');
    if (p) {
        rc = ngx_atoi(p + 1, h->value.data + h->value.len - p - 1);
        if (rc > 0 && rc < 65536) {
            r->port = rc;
        }
    }
    return NGX_OK;
 }
@ -2182,72 +2174,174 @@ ngx_http_process_request(ngx_http_request_t *r)
 ngx_int_t
-ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
+ngx_http_validate_host(ngx_str_t *host, in_port_t *portp, ngx_pool_t *pool,
    ngx_uint_t alloc)
 {
    u_char     *h, ch;
    size_t      i, dot_pos, host_len;
    ngx_int_t   port;
    enum {
-        sw_usual = 0,
+        sw_host_start = 0,
-        sw_literal,
+        sw_host,
-        sw_rest
+        sw_host_ip_literal,
        sw_host_end,
        sw_port,
    } state;
    dot_pos = host->len;
    host_len = host->len;
    port = 0;
    h = host->data;
-    state = sw_usual;
+    state = sw_host_start;
    for (i = 0; i < host->len; i++) {
        ch = h[i];
-        switch (ch) {
+        switch (state) {
        case sw_host_start:
            if (ch == '[') {
                state = sw_host_ip_literal;
                break;
            }
            state = sw_host;
            /* fall through */
        case sw_host:
            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
                break;
            }
            if (ch >= 'a' && ch <= 'z') {
                break;
            }
            if (ch >= '0' && ch <= '9') {
                break;
            }
            switch (ch) {
            case ':':
                host_len = i;
                state = sw_port;
                break;
            case '-':
                break;
            case '.':
                if (dot_pos == i - 1) {
                    return NGX_DECLINED;
                }
                dot_pos = i;
                break;
-
+            case '_':
-        case ':':
+            case '~':
-            if (state == sw_usual) {
+                /* unreserved */
                host_len = i;
                state = sw_rest;
            }
                break;
-
+            case '!':
-        case '[':
+            case '$':
-            if (i == 0) {
+            case '&':
-                state = sw_literal;
+            case '\'':
-            }
+            case '(':
            case ')':
            case '*':
            case '+':
            case ',':
            case ';':
            case '=':
                /* sub-delims */
                break;
-
+            case '%':
-        case ']':
+                /* pct-encoded */
            if (state == sw_literal) {
                host_len = i + 1;
                state = sw_rest;
            }
                break;
            default:
            if (ngx_path_separator(ch)) {
                return NGX_DECLINED;
            }
            break;
-            if (ch <= 0x20 || ch == 0x7f) {
+        case sw_host_ip_literal:
                return NGX_DECLINED;
            }
            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
            }
                break;
            }
            if (ch >= 'a' && ch <= 'z') {
                break;
            }
            if (ch >= '0' && ch <= '9') {
                break;
            }
            switch (ch) {
            case ':':
                break;
            case ']':
                host_len = i + 1;
                state = sw_host_end;
                break;
            case '-':
                break;
            case '.':
                if (dot_pos == i - 1) {
                    return NGX_DECLINED;
                }
                dot_pos = i;
                break;
            case '_':
            case '~':
                /* unreserved */
                break;
            case '!':
            case '$':
            case '&':
            case '\'':
            case '(':
            case ')':
            case '*':
            case '+':
            case ',':
            case ';':
            case '=':
                /* sub-delims */
                break;
            default:
                return NGX_DECLINED;
            }
            break;
        case sw_host_end:
            if (ch == ':') {
                state = sw_port;
                break;
            }
            return NGX_DECLINED;
        case sw_port:
            if (ch >= '0' && ch <= '9') {
                if (port >= 6553 && (port > 6553 || (ch - '0') > 5)) {
                    return NGX_DECLINED;
                }
                port = port * 10 + (ch - '0');
                break;
            }
            return NGX_DECLINED;
        }
    }
    if (state == sw_host_ip_literal) {
        return NGX_DECLINED;
    }
    if (dot_pos == host_len - 1) {
@ -2269,6 +2363,10 @@ ngx_http_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
    host->len = host_len;
    if (portp) {
        *portp = port;
    }
    return NGX_OK;
 }
--- a/src/http/ngx_http_upstream.c
+++ b/src/http/ngx_http_upstream.c
@ -1771,6 +1771,23 @@ ngx_http_upstream_ssl_init_connection(ngx_http_request_t *r,
        }
    }
 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
    if (u->ssl_alpn_protocol.len) {
        if (SSL_set_alpn_protos(c->ssl->connection, u->ssl_alpn_protocol.data,
                                u->ssl_alpn_protocol.len)
            != 0)
        {
            ngx_ssl_error(NGX_LOG_ERR, c->log, 0,
                          "SSL_set_alpn_protos() failed");
            ngx_http_upstream_finalize_request(r, u,
                                               NGX_HTTP_INTERNAL_SERVER_ERROR);
            return;
        }
    }
 #endif
    if (u->conf->ssl_session_reuse) {
        c->ssl->save_session = ngx_http_upstream_ssl_save_session;
--- a/src/http/ngx_http_upstream.h
+++ b/src/http/ngx_http_upstream.h
@ -390,6 +390,7 @@ struct ngx_http_upstream_s {
 #if (NGX_HTTP_SSL || NGX_COMPAT)
    ngx_str_t                        ssl_name;
    ngx_str_t                        ssl_alpn_protocol;
 #endif
    ngx_http_cleanup_pt             *cleanup;
--- a/src/http/v2/ngx_http_v2.c
+++ b/src/http/v2/ngx_http_v2.c
@ -3518,8 +3518,8 @@ ngx_http_v2_parse_scheme(ngx_http_request_t *r, ngx_str_t *value)
 static ngx_int_t
 ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
 {
    u_char     *p;
    ngx_int_t  rc;
    in_port_t  port;
    if (r->host_start) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -3530,7 +3530,7 @@ ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
    r->host_start = value->data;
    r->host_end = value->data + value->len;
-    rc = ngx_http_validate_host(value, r->pool, 0);
+    rc = ngx_http_validate_host(value, &port, r->pool, 0);
    if (rc == NGX_DECLINED) {
        ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -3552,16 +3552,7 @@ ngx_http_v2_parse_authority(ngx_http_request_t *r, ngx_str_t *value)
    }
    r->headers_in.server = *value;
-
+    r->port = port;
    p = ngx_strlchr(r->host_start + value->len, r->host_end, ':');
    if (p) {
        rc = ngx_atoi(p + 1, r->host_end - p - 1);
        if (rc > 0 && rc < 65536) {
            r->port = rc;
        }
    }
    return NGX_OK;
 }
@ -4113,15 +4104,14 @@ ngx_http_v2_process_request_body(ngx_http_request_t *r, u_char *pos,
                n = size;
            }
            if (n > 0) {
                rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
            }
            ngx_log_debug1(NGX_LOG_DEBUG_HTTP, fc->log, 0,
                           "http2 request body recv %uz", n);
            if (n > 0) {
                rb->buf->last = ngx_cpymem(rb->buf->last, pos, n);
                pos += n;
                size -= n;
            }
            if (size == 0 && last) {
                rb->rest = 0;
--- a/src/http/v3/ngx_http_v3_request.c
+++ b/src/http/v3/ngx_http_v3_request.c
@ -904,6 +904,7 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
    u_char     *p;
    ngx_int_t   rc;
    ngx_str_t   host;
    in_port_t   port;
    if (r->request_line.len) {
        return NGX_OK;
@ -961,7 +962,7 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
        host.len = r->host_end - r->host_start;
        host.data = r->host_start;
-        rc = ngx_http_validate_host(&host, r->pool, 0);
+        rc = ngx_http_validate_host(&host, &port, r->pool, 0);
        if (rc == NGX_DECLINED) {
            ngx_log_error(NGX_LOG_INFO, r->connection->log, 0,
@ -979,16 +980,7 @@ ngx_http_v3_init_pseudo_headers(ngx_http_request_t *r)
        }
        r->headers_in.server = host;
-
+        r->port = port;
        p = ngx_strlchr(r->host_start + host.len, r->host_end, ':');
        if (p) {
            rc = ngx_atoi(p + 1, r->host_end - p - 1);
            if (rc > 0 && rc < 65536) {
                r->port = rc;
            }
        }
    }
    if (ngx_list_init(&r->headers_in.headers, r->pool, 20,
--- a/src/stream/ngx_stream_core_module.c
+++ b/src/stream/ngx_stream_core_module.c
@ -476,68 +476,169 @@ ngx_stream_validate_host(ngx_str_t *host, ngx_pool_t *pool, ngx_uint_t alloc)
 {
    u_char     *h, ch;
    size_t      i, dot_pos, host_len;
    ngx_int_t   port;
    enum {
-        sw_usual = 0,
+        sw_host_start = 0,
-        sw_literal,
+        sw_host,
-        sw_rest
+        sw_host_ip_literal,
        sw_host_end,
        sw_port,
    } state;
    dot_pos = host->len;
    host_len = host->len;
    port = 0;
    h = host->data;
-    state = sw_usual;
+    state = sw_host_start;
    for (i = 0; i < host->len; i++) {
        ch = h[i];
-        switch (ch) {
+        switch (state) {
        case sw_host_start:
            if (ch == '[') {
                state = sw_host_ip_literal;
                break;
            }
            state = sw_host;
            /* fall through */
        case sw_host:
            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
                break;
            }
            if (ch >= 'a' && ch <= 'z') {
                break;
            }
            if (ch >= '0' && ch <= '9') {
                break;
            }
            switch (ch) {
            case ':':
                host_len = i;
                state = sw_port;
                break;
            case '-':
                break;
            case '.':
                if (dot_pos == i - 1) {
                    return NGX_DECLINED;
                }
                dot_pos = i;
                break;
-
+            case '_':
-        case ':':
+            case '~':
-            if (state == sw_usual) {
+                /* unreserved */
                host_len = i;
                state = sw_rest;
            }
                break;
-
+            case '!':
-        case '[':
+            case '$':
-            if (i == 0) {
+            case '&':
-                state = sw_literal;
+            case '\'':
-            }
+            case '(':
            case ')':
            case '*':
            case '+':
            case ',':
            case ';':
            case '=':
                /* sub-delims */
                break;
-
+            case '%':
-        case ']':
+                /* pct-encoded */
            if (state == sw_literal) {
                host_len = i + 1;
                state = sw_rest;
            }
                break;
            default:
            if (ngx_path_separator(ch)) {
                return NGX_DECLINED;
            }
            break;
-            if (ch <= 0x20 || ch == 0x7f) {
+        case sw_host_ip_literal:
                return NGX_DECLINED;
            }
            if (ch >= 'A' && ch <= 'Z') {
                alloc = 1;
            }
                break;
            }
            if (ch >= 'a' && ch <= 'z') {
                break;
            }
            if (ch >= '0' && ch <= '9') {
                break;
            }
            switch (ch) {
            case ':':
                break;
            case ']':
                host_len = i + 1;
                state = sw_host_end;
                break;
            case '-':
                break;
            case '.':
                if (dot_pos == i - 1) {
                    return NGX_DECLINED;
                }
                dot_pos = i;
                break;
            case '_':
            case '~':
                /* unreserved */
                break;
            case '!':
            case '$':
            case '&':
            case '\'':
            case '(':
            case ')':
            case '*':
            case '+':
            case ',':
            case ';':
            case '=':
                /* sub-delims */
                break;
            default:
                return NGX_DECLINED;
            }
            break;
        case sw_host_end:
            if (ch == ':') {
                state = sw_port;
                break;
            }
            return NGX_DECLINED;
        case sw_port:
            if (ch >= '0' && ch <= '9') {
                if (port >= 6553 && (port > 6553 || (ch - '0') > 5)) {
                    return NGX_DECLINED;
                }
                port = port * 10 + (ch - '0');
                break;
            }
            return NGX_DECLINED;
        }
    }
    if (state == sw_host_ip_literal) {
        return NGX_DECLINED;
    }
    if (dot_pos == host_len - 1) {
--- a/src/stream/ngx_stream_ssl_module.c
+++ b/src/stream/ngx_stream_ssl_module.c
@ -126,6 +126,13 @@ static ngx_command_t  ngx_stream_ssl_commands[] = {
      0,
      NULL },
    { ngx_string("ssl_ech_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_conf_set_str_array_slot,
      NGX_STREAM_SRV_CONF_OFFSET,
      offsetof(ngx_stream_ssl_srv_conf_t, ech_files),
      NULL },
    { ngx_string("ssl_password_file"),
      NGX_STREAM_MAIN_CONF|NGX_STREAM_SRV_CONF|NGX_CONF_TAKE1,
      ngx_stream_ssl_password_file,
@ -372,6 +379,13 @@ static ngx_stream_variable_t  ngx_stream_ssl_vars[] = {
    { ngx_string("ssl_alpn_protocol"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_alpn_protocol, NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_ech_status"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_ech_status, NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_ech_outer_server_name"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_ech_outer_server_name,
      NGX_STREAM_VAR_CHANGEABLE, 0 },
    { ngx_string("ssl_client_cert"), NULL, ngx_stream_ssl_variable,
      (uintptr_t) ngx_ssl_get_certificate, NGX_STREAM_VAR_CHANGEABLE, 0 },
@ -888,6 +902,7 @@ ngx_stream_ssl_create_srv_conf(ngx_conf_t *cf)
    sscf->certificates = NGX_CONF_UNSET_PTR;
    sscf->certificate_keys = NGX_CONF_UNSET_PTR;
    sscf->certificate_cache = NGX_CONF_UNSET_PTR;
    sscf->ech_files = NGX_CONF_UNSET_PTR;
    sscf->passwords = NGX_CONF_UNSET_PTR;
    sscf->conf_commands = NGX_CONF_UNSET_PTR;
    sscf->prefer_server_ciphers = NGX_CONF_UNSET;
@ -943,6 +958,8 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    ngx_conf_merge_ptr_value(conf->certificate_cache, prev->certificate_cache,
                         NULL);
    ngx_conf_merge_ptr_value(conf->ech_files, prev->ech_files, NULL);
    ngx_conf_merge_ptr_value(conf->passwords, prev->passwords, NULL);
    ngx_conf_merge_str_value(conf->dhparam, prev->dhparam, "");
@ -1008,7 +1025,9 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
    {
    static ngx_ssl_client_hello_arg cb = { ngx_stream_ssl_servername };
-    ngx_ssl_set_client_hello_callback(conf->ssl.ctx, &cb);
+    if (ngx_ssl_set_client_hello_callback(&conf->ssl, &cb) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
    SSL_CTX_set_tlsext_servername_callback(conf->ssl.ctx,
                                           ngx_stream_ssl_servername);
@ -1122,6 +1141,10 @@ ngx_stream_ssl_merge_srv_conf(ngx_conf_t *cf, void *parent, void *child)
        return NGX_CONF_ERROR;
    }
    if (ngx_ssl_ech_files(cf, &conf->ssl, conf->ech_files) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
    if (ngx_ssl_ecdh_curve(cf, &conf->ssl, &conf->ecdh_curve) != NGX_OK) {
        return NGX_CONF_ERROR;
    }
--- a/src/stream/ngx_stream_ssl_module.h
+++ b/src/stream/ngx_stream_ssl_module.h
@ -49,6 +49,7 @@ typedef struct {
    ngx_str_t         ciphers;
    ngx_array_t      *ech_files;
    ngx_array_t      *passwords;
    ngx_array_t      *conf_commands;
Author	SHA1	Message	Date
Aleksei Bavshin	7c2524a692	Fixed duplicate ids in the bug report template.	2025-12-16 14:22:33 -07:00
Aleksei Bavshin	5c2947d844	Version bump.	2025-12-16 14:22:33 -07:00
Sergey Kandaurov	c70457482c	nginx-1.29.4-RELEASE	2025-12-09 22:28:10 +04:00
Jan Svojanovsky	66fde99b1d	QUIC: fixed possible segfault on handshake failures. When using OpenSSL 3.5, the crypto_release_rcd QUIC callback can be called late, after the QUIC connection was already closed on handshake failure, resulting in a segmentation fault. For instance, it happened if a client Finished message didn't align with a record boundary.	2025-12-09 21:25:10 +04:00
Zhidao HONG	61690b5dc0	Proxy: cache support for HTTP/2.	2025-12-08 07:49:16 +04:00
Zhidao HONG	17fd964f99	Proxy: buffering support for HTTP/2.	2025-12-08 07:49:16 +04:00
Zhidao HONG	fdd8e97558	Proxy: extracted control frame and skip functions for HTTP/2.	2025-12-08 07:49:16 +04:00
Zhidao HONG	2a0342a17d	Proxy: extracted ngx_http_proxy_v2_process_frames() function.	2025-12-08 07:49:16 +04:00
Zhidao HONG	9bf758ea4d	Proxy: added HTTP/2 proxy module. The module allows to use HTTP/2 protocol for proxying. HTTP/2 proxying is enabled by specifying "proxy_http_version 2". Example: server { listen 8000; location / { proxy_http_version 2; proxy_pass https://127.0.0.1:8443; } } server { listen 8443 ssl; http2 on; ssl_certificate certs/example.com.crt; ssl_certificate_key certs/example.com.key; location / { return 200 foo; } }	2025-12-08 07:49:16 +04:00
Roman Arutyunyan	90a4fc7935	Proxy: refactored for HTTP/2 support.	2025-12-08 07:49:16 +04:00
Zhidao HONG	b8492d9c25	Upstream: add support for connection level ALPN protocol negotiation. This commit is prepared for HTTP/2 and HTTP/3 support. The ALPN protocol is now set per-connection in ngx_http_upstream_ssl_init_connection(), allowing proper protocol negotiation for each individual upstream connection regardless of SSL context sharing.	2025-12-08 07:49:16 +04:00
Sergey Kandaurov	f405ef11fd	Disabled bare LF in chunked transfer encoding. Chunked transfer encoding, since originally introduced in HTTP/1.1 in RFC 2068, is specified to use CRLF as the only line terminator. Although tolerant applications may recognize a single LF, formally this covers the start line and fields, and doesn't apply to chunks. Strict chunked parsing is reaffirmed as intentional in RFC errata ID 7633, notably "because it does not have to retain backwards compatibility with 1.0 parsers". A general RFC 2616 recommendation to tolerate deviations whenever interpreted unambiguously doesn't apply here, because chunked body is used to determine HTTP message framing; a relaxed parsing may cause various security problems due to a broken delimitation. For instance, this is possible when receiving chunked body from intermediates that blindly parse chunk-ext or a trailer section until CRLF, and pass it further without re-coding.	2025-12-06 17:41:32 +04:00
QirunGao	0427f5335f	SSL: avoid warning when ECH is not configured and not supported.	2025-12-04 21:09:32 +04:00
Alessandro Fael Garcia	367113670e	Update GitHub templates and markdown files. - Issue templates are replaced with forms. Forms allow to explicitly ask for certain info before an issue is opened, they can be programmatically queried via GH actions to get the data in fields. - Added language around GH discussions vs the forum in the issue forms. - Added GH discussions templates. These templates delineate which types of discussions belong on GitHub vs the community forum. - Created SUPPORT.md to delineate which types of topics belong on GitHub vs different support channels (community forum/docs/commercial support). - Updated CONTRIBUTING.md: - Removed text that belongs in SUPPORT.md. - Added F5 CLA clarifying text. - Added badges to README.md. Most of these are there to make information even clearer, moreso for users reading README.md from sources outside GitHub.	2025-12-04 19:08:14 +04:00
sftcd	ab4f5b2d32	Add basic ECH shared-mode via OpenSSL.	2025-12-01 16:33:40 +04:00
Sergey Kandaurov	bcb41c9193	Proxy: fixed segfault in URI change. If request URI was shorter than location prefix, as after replacement with try_files, location length was used to copy the remaining URI part leading to buffer overread. The fix is to replace full request URI in this case. In the following configuration, request "/123" is changed to "/" when sent to backend. location /1234 { try_files /123 =404; proxy_pass http://127.0.0.1:8080/; } Closes #983 on GitHub.	2025-11-26 22:46:22 +04:00
Sergey Kandaurov	6446f99107	Changed interface of ngx_http_validate_host(). This allows to process a port subcomponent and save it in r->port in a unified way, similar to r->headers_in.server. For HTTP/1.x request line in the absolute form, r->host_end now includes a port subcomponent, which is also consistent with HTTP/2 and HTTP/3.	2025-11-26 19:51:40 +04:00
Sergey Kandaurov	511abb19e1	Improved host header validation. Validation is rewritten to follow RFC 3986 host syntax, based on ngx_http_parse_request_line(). The following is now rejected: - the rest of gen-delims "#", "?", "@", "[", "]" - other unwise delims <">, "<", ">", "\", "^", "`', "{", "\|", "}" - IP literals with a trailing dot, missing closing bracket, or pct-encoded - a port subcomponent with invalid values - characters in upper half	2025-11-26 19:51:40 +04:00
Sergey Kandaurov	6ed1188411	HTTP/2: extended guard for NULL buffer and zero length. In addition to moving memcpy() under the length condition in `15bf6d8cc`, which addressed a reported UB due to string function conventions, this is repeated for advancing an input buffer, to make the resulting code more clean and readable. Additionally, although considered harmless for both string functions and additive operators, as previously discussed in GitHub PR 866, this fixes the main source of annoying sanitizer reports in the module. Prodded by UndefinedBehaviorSanitizer (pointer-overflow).	2025-11-19 18:52:54 +04:00
Sergey Kandaurov	9d04b6630a	SSL: fixed build with BoringSSL, broken by `38a701d88`.	2025-11-10 23:27:53 +04:00
Sergey Kandaurov	38a701d88b	SSL: ngx_ssl_set_client_hello_callback() error handling. The function interface is changed to follow a common approach to other functions used to setup SSL_CTX, with an exception of "ngx_conf_t *cf" since it is not bound to nginx configuration. This is required to report and propagate SSL_CTX_set_ex_data() errors, as reminded by Coverity (CID 1668589).	2025-11-10 20:01:28 +04:00
Thierry Bastian	ac99f2808b	Configure: MSVC compatibility with PCRE2 10.47.	2025-11-06 15:34:58 +04:00
Sergey Kandaurov	a386df6b23	Version bump.	2025-11-06 15:34:58 +04:00
Andrew Clayton	99312be10c	Configure: ensure we get the "built by ..." line in nginx -V. For certain compilers we embed the compiler version used to build nginx in the binary, retrievable via 'nginx -V', e.g. $ ./objs/nginx -V ... built by gcc 15.2.1 20250808 (Red Hat 15.2.1-1) (GCC) ... However if the CFLAGS environment variable is set this would be omitted. This is due to the compiler specific auto/cc files not being run when the CFLAGS environment variable is set, this is so entities can set their own compiler flags, and thus the NGX_COMPILER variable isn't set. Nonetheless it is a useful thing to have so re-work the auto scripts to move the version gathering out of the individual auto/cc/$NGX_CC_NAME files and merge them into auto/cc/name. Link: <https://github.com/nginx/nginx/issues/878>	2025-11-04 16:11:53 +00:00