id summary reporter owner description type status priority milestone component version resolution keywords cc uname nginx_version 618 BoringSSL nginx, worker process XXXXX exited on signal 11 Alex Storn "Randomly crash nginx workers, used BoringSSL last version today. The statement took here https://calomel.org/nginx.html (build Nginx with Google's BoringSSL) '''40k errors''' {{{ [alert] 23307#0: worker process XXXXX exited on signal 11 }}} This patch does not solve the problems workers crash - http://trac.nginx.org/nginx/ticket/235 The crash is caused by SSL_CTX_get_ex_data() returning NULL, which is then dereferenced without a check. Since this check is absent in trunk, I suppose the bug is reproducible there, too. {{{ worker_processes 4; worker_priority 15; pcre_jit on; error_log /var/log/nginx-error.log crit; worker_rlimit_nofile 20000; events { worker_connections 19000; use kqueue; } http { # Timeouts: do not keep connections open longer then necessary to reduce # resource usage and deny Slowloris type attacks. Slow attacks are related to # pausing in between packets. client_body_timeout 2s; # maximum time between packets the client can pause when sending nginx any data client_header_timeout 2s; # maximum time the client has to send the entire header to nginx keepalive_timeout 28s; # timeout which a single keep-alive client connection will stay open send_timeout 10s; # maximum time between packets nginx is allowed to pause when sending the client data spdy_keepalive_timeout 128s; # inactivity timeout after which the SPDY connection is closed spdy_recv_timeout 2s; # timeout if nginx is currently expecting data from the client but nothing arrives # general options for FreeBSD on ZFS aio on; # asynchronous file input/output, fast with ZFS, make sure sendfile=off charset utf-8; # adds the line ""Content-Type"" into response-header, same as ""source_charset"" default_type application/octet-stream; #directio off; # zfs does not support direct i/o because of the ARC and L2ARC disable_symlinks on; # disable symlinks to avoid malicious symlinks out of the document root etag off; # disables ""ETag"" response header so clients use Cache-Control header only gzip off; # disable on the fly gzip compression, only use gzip_static to reduce latency gzip_http_version 1.0; # serve gzipped content to all clients including HTTP/1.0 and greater # gzip_static always; # precompress content (gzip -9) with an external script found on this page below #gzip_vary on; # send response header ""Vary: Accept-Encoding"". SPDY ignores Vary header gzip_proxied any; # allows compressed responses for any request even from proxies ignore_invalid_headers on; include mime.types; keepalive_requests 20; # number of keep alive requests per connection, does not affect SPDY keepalive_disable none; # allow all browsers to use keepalive connections lingering_time 2; # maximum time during which nginx will process additional data from the client lingering_timeout 2; # maximum waiting time for more client data to arrive max_ranges 1; # allow a single range header for resumed downloads and to stop large range header DoS attacks merge_slashes on; # compression of two or more adjacent slashes in a URI into a single slash ""//"" into ""/"" msie_padding off; #open_file_cache max=128 inactive=4h; # cache is not be needed if ZFS ARC size is sufficient #open_file_cache_errors on; # since ARC delivery is faster then the cache lookups #open_file_cache_min_uses 1; #open_file_cache_valid 3h; output_buffers 1 256K; # sendfile=off so set to the total size of all objects on an average page #postpone_output 1460; # before sending data response, collect at least one packet's payload (MSS) of data #read_ahead 0; # no forced read ahead, let ZFS handle I/O calls as zfs is efficient recursive_error_pages on; reset_timedout_connection on; # reset timed out connections freeing ram and resources sendfile off; # off for FreeBSD and ZFS to avoid redundant data caching server_tokens off; # no nginx version number in error pages #server_name_in_redirect off; # if off, nginx will use the requested Host header source_charset utf-8; # same value as ""charset"" spdy_headers_comp 1; # SPDY gzip header compression to at least one(1) (default 0) spdy_max_concurrent_streams 20; #SPDY maximum parallel client requests (default 100) tcp_nodelay on; # disable the Nagle buffering algorithm, used for keepalive only tcp_nopush off; # sendfile=off so tcp_nopush can not be used .. } }}} " defect closed critical nginx-core 1.7.x invalid FreeBSD s16.example.com 10.0-RELEASE-p7 FreeBSD 10.0-RELEASE-p7 #0: Tue Jul 8 06:37:44 UTC 2014 root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC amd64 "nginx version: nginx/1.7.4 TLS SNI support enabled configure arguments: --prefix=/usr/local/etc/nginx --with-cc-opt='-I /tmp/boringssl/.openssl/include' --with-ld-opt='-L /tmp/boringssl/.openssl/lib' --conf-path=/usr/local/etc/nginx/nginx.conf --sbin-path=/usr/local/sbin/nginx --pid-path=/var/run/nginx.pid --error-log-path=/var/log/nginx-error.log --user=www --group=www --with-file-aio --with-ipv6 --http-client-body-temp-path=/var/tmp/nginx/client_body_temp --http-fastcgi-temp-path=/var/tmp/nginx/fastcgi_temp --http-proxy-temp-path=/var/tmp/nginx/proxy_temp --http-scgi-temp-path=/var/tmp/nginx/scgi_temp --http-uwsgi-temp-path=/var/tmp/nginx/uwsgi_temp --http-log-path=/var/log/nginx-access.log --add-module=/usr/ports/www/nginx-devel/work/openresty-headers-more-nginx-module-0c6e05d --with-http_image_filter_module --with-http_stub_status_module --with-pcre --with-http_spdy_module --with-http_ssl_modul"