Hi, I noticed that you have introduced `ngx_event_udp_accept()`, which can create a separate socket for receiving datagrams from a specific client. I understand that it is necessary for DTLS servers. However, I wonder why it is also called for normal udp servers.

For udp servers listening on a port below 1024, such a call will fail if the worker processes drop their privileges as a non-root user. The following patch solves this problem by retaining CAP_NET_BIND_SERVICE after the worker processes change UID.

Cheers,

Miao Wang
[Attachment: 0001-Retain-CAP_NET_BIND_SERVICE-capability-for-udp-privi.patch (binary data)]
> On 2018-02-21, at 22:30, Wang Shanker <shankerwangm...@gmail.com> wrote:
>
> Hi, of course. I'm implementing RFC8094, which is for transmitting DNS
> queries through DTLS. Nginx is used for offloading DTLS encryption and
> the software behind nginx is bind9.
>
> Cheers,
>
> Miao Wang
>
>> On 2018-02-21, at 22:12, Vladimir Homutov <v...@nginx.com> wrote:
>>
>> On Wed, Feb 21, 2018 at 08:47:37AM -0500, shankerwangmiao wrote:
>>>
>>> I have tested this patch in my environment. Before the patch is applied,
>>> `tcp_nodelay off` needs to be placed in every `server` clause with DTLS
>>> enabled to work around the problem.
>>>
>>
>> Hello,
>> can you please elaborate about your environment? Do you proxy the DTLS
>> stream directly to the backend, or do you perform DTLS offload?
>> What protocol are you using, and which server/client software
>> before/behind nginx?
>>
>> I'm attaching a refreshed patch against nginx-1.13.9 for those who are
>> interested in testing.
>> <nginx-1.13.9-dtls-experimental.diff>
>> _______________________________________________
>> nginx mailing list
>> nginx@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
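The mechanism the thread is discussing, as an added example that is neither nginx code nor the attached patch: a Linux worker that switches from root to an unprivileged UID but keeps CAP_NET_BIND_SERVICE, so that a per-client UDP socket created after the privilege drop can still bind() to a port below 1024. It uses the raw capget/capset syscalls (the same prctl/capset sequence nginx itself uses to retain CAP_NET_RAW for transparent proxying), so libcap is not needed. The UID/GID 65534, the port 1023 and the function names are assumptions made for the demonstration.

```c
/*
 * Added example, not nginx code and not the posted patch: drop from root to
 * an unprivileged uid/gid while retaining exactly one capability, then bind a
 * UDP socket to a privileged port as the unprivileged user.
 * Linux only (capget/capset, prctl). uid/gid 65534 and port 1023 are assumed.
 */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <errno.h>
#include <linux/capability.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Returns 1 if cap is in this process's effective set, 0 if not, -1 on error. */
int effective_has_cap(int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &hdr, data) == -1)
        return -1;
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) ? 1 : 0;
}

/*
 * Switch to uid/gid and keep only `cap`. Order matters:
 *  - PR_SET_KEEPCAPS must be set *before* setuid(): without it the kernel
 *    clears the permitted set on the 0 -> non-0 uid transition;
 *  - capset() must run *after* setuid(): the uid change always clears the
 *    effective set, so the capability has to be re-raised from permitted.
 * Returns 0 on success, -1 with errno set otherwise.
 */
int drop_privs_keep_cap(uid_t uid, gid_t gid, int cap)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) == -1)
        return -1;
    /* A real server also resets supplementary groups (initgroups/setgroups). */
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;

    /* Shrink permitted to the one capability and raise it into effective.
     * inheritable stays 0, so nothing is handed to execve()'d children. */
    memset(data, 0, sizeof(data));
    data[CAP_TO_INDEX(cap)].permitted = CAP_TO_MASK(cap);
    data[CAP_TO_INDEX(cap)].effective = CAP_TO_MASK(cap);
    if (syscall(SYS_capset, &hdr, data) == -1)
        return -1;

    /* KEEPCAPS has done its job; clear it so a later uid change drops everything. */
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}

/* Bind a UDP socket to ip:port; returns the fd, or -1 with errno set. */
int bind_udp(const char *ip, int port)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_DGRAM, 0);

    if (fd == -1)
        return -1;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons((uint16_t) port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1
        || bind(fd, (struct sockaddr *) &sa, sizeof(sa)) == -1) {
        int saved = errno;
        close(fd);
        errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    const uid_t uid = 65534;   /* assumed: nobody on most distributions */
    const gid_t gid = 65534;
    const int port = 1023;     /* assumed: a free privileged port */
    int fd;

    if (geteuid() != 0) {
        fprintf(stderr, "run as root to demonstrate the capability retention\n");
        return 1;
    }
    if (drop_privs_keep_cap(uid, gid, CAP_NET_BIND_SERVICE) == -1) {
        perror("drop_privs_keep_cap");
        return 1;
    }
    printf("uid=%d CAP_NET_BIND_SERVICE=%d CAP_SETUID=%d\n", (int) geteuid(),
           effective_has_cap(CAP_NET_BIND_SERVICE), effective_has_cap(CAP_SETUID));

    fd = bind_udp("127.0.0.1", port);
    if (fd == -1) {
        perror("bind");
        return 1;
    }
    printf("bound udp/%d as uid %d\n", port, (int) geteuid());
    close(fd);
    return 0;
}
```

Two things to check in practice: `grep ^Cap /proc/<worker pid>/status` (decode with `capsh --decode=<hex>`) should show CAP_NET_BIND_SERVICE in CapPrm and CapEff and nothing else, and CapInh should be zero. The trade-off is that a compromised worker can now bind any port below 1024, not just the one in the configuration, which is why such retention is worth gating on the server actually needing it.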