I cannot reproduce the error with curl, I can't see it in the logs(segfaults before the log) and there are like 4k rps on a single server, so debug logs are not really an option :( In the core I see the orignal request url with gdb. But thats about it. If I call the url directly there is no error.

Today I tested with and without ja3 patch. Same build process (official openresty builder). With ja3, there is a segfault in every 10 minutes, without it no segfault at all.

The core contains sensitive information so I cannot share it publicly,

built with OpenSSL 1.1.1w 11 Sep 2023
TLS SNI support enabled
configure arguments: --prefix=/usr/local/openresty/nginx --with-cc-opt='-O2 -DNGX_LUA_ABORT_AT_PANIC -I/usr/local/openresty/zlib/include -I/usr/local/openresty/pcre/include -I/usr/local/openresty/openssl111/include' --add-module=../ngx_devel_kit-0.3.3 --add-module=../echo-nginx-module-0.63 --add-module=../xss-nginx-module-0.06 --add-module=../ngx_coolkit-0.2 --add-module=../set-misc-nginx-module-0.33 --add-module=../form-input-nginx-module-0.12 --add-module=../encrypted-session-nginx-module-0.09 --add-module=../srcache-nginx-module-0.33 --add-module=../ngx_lua-0.10.26 --add-module=../ngx_lua_upstream-0.07 --add-module=../headers-more-nginx-module-0.37 --add-module=../array-var-nginx-module-0.06 --add-module=../memc-nginx-module-0.20 --add-module=../redis2-nginx-module-0.15 --add-module=../redis-nginx-module-0.3.9 --add-module=../ngx_stream_lua-0.0.14 --with-ld-opt='-Wl,-rpath,/usr/local/openresty/luajit/lib -L/usr/local/openresty/zlib/lib -L/usr/local/openresty/pcre/lib -L/usr/local/openresty/openssl111/lib -Wl,-rpath,/usr/local/openresty/zlib/lib:/usr/local/openresty/pcre/lib:/usr/local/openresty/openssl111/lib -Wl,-rpath,' --with-pcre-jit --with-stream --with-stream_ssl_module --with-stream_ssl_preread_module
--with-http_v2_module --without-mail_pop3_module --without-mail_imap_module --without-mail_smtp_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_auth_request_module --with-http_secure_link_module --with-http_random_index_module --with-http_gzip_static_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-threads --add-dynamic-module=/tmp/modules/brotli --add-dynamic-module=/tmp/modules/geoip2 --add-module=/tmp/modules/nginx-ssl-fingerprint --with-stream --without-pcre2 --with-http_ssl_module

I know this is not much:

(gdb) info shared
From                To                  Syms Read   Shared Object Library
0x00007eff33311220  0x00007eff33312179  Yes         /lib/x86_64-linux-gnu/libdl.so.2
0x00007eff332f3ae0  0x00007eff33303535  Yes         /lib/x86_64-linux-gnu/libpthread.so.0
0x00007eff332b4040  0x00007eff332c8c80  Yes (*)     /lib/x86_64-linux-gnu/libcrypt.so.1
0x00007eff3322e670  0x00007eff3329423d  Yes         /usr/local/openresty/luajit/lib/libluajit-5.1.so.2
0x00007eff331b62c0  0x00007eff33205e5d  Yes (*)     /usr/local/openresty/pcre/lib/libpcre.so.1
0x00007eff3313d750  0x00007eff3318974a  Yes (*)     /usr/local/openresty/openssl111/lib/libssl.so.1.1
0x00007eff32eca000  0x00007eff3305b260  Yes (*)     /usr/local/openresty/openssl111/lib/libcrypto.so.1.1
0x00007eff32e36280  0x00007eff32e4765b  Yes (*)     /usr/local/openresty/zlib/lib/libz.so.1
0x00007eff32c63630  0x00007eff32dd84bd  Yes         /lib/x86_64-linux-gnu/libc.so.6
0x00007eff3331f100  0x00007eff33341684  Yes         /lib64/ld-linux-x86-64.so.2
0x00007eff32aff3c0  0x00007eff32ba5fa8  Yes         /lib/x86_64-linux-gnu/libm.so.6
0x00007eff32ada5e0  0x00007eff32aeb055  Yes (*)     /lib/x86_64-linux-gnu/libgcc_s.so.1
0x00007eff32ac15c0  0x00007eff32ac7a1c  Yes         /lib/x86_64-linux-gnu/libnss_files.so.2
0x00007eff333173e0  0x00007eff3331864c  Yes         /usr/local/openresty/nginx/modules/ngx_http_geoip2_module.so
0x00007eff32ab2300  0x00007eff32ab4e5c  Yes (*)     /lib/x86_64-linux-gnu/libmaxminddb.so.0
0x00007eff271766e0  0x00007eff2717a0c1  Yes         /usr/local/openresty/lualib/cjson.so
0x00007eff270fefa0  0x00007eff27123300  Yes (*)     /lib/x86_64-linux-gnu/libnss_systemd.so.2
(*): Shared library is missing debugging information.

Core was generated by `nginx: worker process                                                 '.
Program terminated with signal SIGSEGV, Segmentation fault.
#0  ngx_palloc_large (pool=0x55d85c102a00, size=<optimized out>) at src/core/ngx_palloc.c:228
228	src/core/ngx_palloc.c: No such file or directory.
(gdb) bt
#0  ngx_palloc_large (pool=0x55d85c102a00, size=<optimized out>) at src/core/ngx_palloc.c:228
#1  0x000055d85a2614ff in ngx_palloc (pool=<optimized out>, size=<optimized out>) at src/core/ngx_palloc.c:131
#2  0x000055d85a2d8a75 in ngx_http_v2_add_header (h2c=h2c@entry=0x55d85c18a500, header=header@entry=0x55d85c18a5a0) at src/http/v2/ngx_http_v2_table.c:212
#3  0x000055d85a2d6c4b in ngx_http_v2_state_process_header (h2c=0x55d85c18a500, 
    pos=0x55d85bf57d56 "A\217%\225ȕ\350\067r\364\032)5K\220\364\377S\260I|\245\211\323M\037C\256\272\fA\244ǩ\217\063\246\232?ߚh\372\035u\320b\r&=Ly\246\217\276\320\001w\376\276X\371\373", <incomplete sequence \355>, 
    end=0x55d85bf57e70 "\177\222\235)\255\027\030cǏ\v\216\241\321!\252_ϟ?@\212AH\264\245I'Y\006I\177\207%\207B\026A\222_@\212AH\264\245I'Z\223\310_\203!\354G@\212AH\264\245I'ZB\241?\204-5\247\327s\223\235)\255\027\030cǏ\v\216\241\321!\252_ϟ,\177P\222\233٫\372RB\313@\322_\245#\263\351OhL\237Q\234\">\213W\337h") at src/http/v2/ngx_http_v2.c:1778
#4  0x000055d85a2d736f in ngx_http_v2_state_field_huff (h2c=<optimized out>, pos=<optimized out>, end=<optimized out>) at src/http/v2/ngx_http_v2.c:1617
#5  0x000055d85a2d7608 in ngx_http_v2_state_field_len (h2c=h2c@entry=0x55d85c18a500, pos=<optimized out>, 
    end=end@entry=0x55d85bf57e70 "\177\222\235)\255\027\030cǏ\v\216\241\321!\252_ϟ?@\212AH\264\245I'Y\006I\177\207%\207B\026A\222_@\212AH\264\245I'Z\223\310_\203!\354G@\212AH\264\245I'ZB\241?\204-5\247\327s\223\235)\255\027\030cǏ\v\216\241\321!\252_ϟ,\177P\222\233٫\372RB\313@\322_\245#\263\351OhL\237Q\234\">\213W\337h") at src/http/v2/ngx_http_v2.c:1575
#6  0x000055d85a2d7886 in ngx_http_v2_state_header_block (h2c=0x55d85c18a500, pos=<optimized out>, 
    end=0x55d85bf57e70 "\177\222\235)\255\027\030cǏ\v\216\241\321!\252_ϟ?@\212AH\264\245I'Y\006I\177\207%\207B\026A\222_@\212AH\264\245I'Z\223\310_\203!\354G@\212AH\264\245I'ZB\241?\204-5\247\327s\223\235)\255\027\030cǏ\v\216\241\321!\252_ϟ,\177P\222\233٫\372RB\313@\322_\245#\263\351OhL\237Q\234\">\213W\337h") at src/http/v2/ngx_http_v2.c:1491
#7  0x000055d85a2d5145 in ngx_http_v2_read_handler (rev=0x7eff26bb8d70) at src/http/v2/ngx_http_v2.c:432
#8  0x000055d85a28a596 in ngx_epoll_process_events (cycle=<optimized out>, timer=<optimized out>, flags=<optimized out>) at src/event/modules/ngx_epoll_module.c:901
#9  0x000055d85a280978 in ngx_process_events_and_timers (cycle=cycle@entry=0x55d85bd276d0) at src/event/ngx_event.c:258
#10 0x000055d85a288690 in ngx_worker_process_cycle (cycle=cycle@entry=0x55d85bd276d0, data=data@entry=0x5) at src/os/unix/ngx_process_cycle.c:793
#11 0x000055d85a286f8d in ngx_spawn_process (cycle=cycle@entry=0x55d85bd276d0, proc=proc@entry=0x55d85a288610 <ngx_worker_process_cycle>, data=data@entry=0x5, name=name@entry=0x55d85a3a3ceb "worker process", respawn=respawn@entry=-3)
    at src/os/unix/ngx_process.c:199
#12 0x000055d85a288ba4 in ngx_start_worker_processes (cycle=cycle@entry=0x55d85bd276d0, n=8, type=type@entry=-3) at src/os/unix/ngx_process_cycle.c:382
#13 0x000055d85a289442 in ngx_master_process_cycle (cycle=0x55d85bd276d0) at src/os/unix/ngx_process_cycle.c:135
#14 0x000055d85a25ed7a in main (argc=<optimized out>, argv=<optimized out>) at src/core/nginx.c:387

f 0
(gdb) info local
p = 0x55d85bfe8990
n = 2
large = 0x9f5d259b3eb91b2

(gdb) p *pool
$38 = {d = {last = 0x55d85c102bfc "\330U", end = 0x55d85c102c00 "\020\002", next = 0x55d85c002ef0, failed = 1}, max = 432, current = 0x55d85c102a00, chain = 0x0, large = 0x55d85c0030d8, cleanup = 0x55d85c002fa0, log = 0x55d85c102a60}

f 2
#2  0x000055d85a2d8a75 in ngx_http_v2_add_header (h2c=h2c@entry=0x55d85c18a500, header=header@entry=0x55d85c18a5a0) at src/http/v2/ngx_http_v2_table.c:212
$12 = {connection = 0x7eff26d3e180, http_connection = 0x55d85c102ac0, total_bytes = 130, payload_bytes = 0, processing = 1, frames = 0, idle = 3, new_streams = 1, refused_streams = 0, priority_limit = 256, send_window = 65535, 
  recv_window = 2147483647, init_window = 65535, frame_size = 16384, waiting = {prev = 0x55d85c18a570, next = 0x55d85c18a570}, state = {sid = 1, length = 282, padding = 0, flags = 5, incomplete = 0, keep_pool = 1, parse_name = 0, 
    parse_value = 0, index = 1, header = {name = {len = 5, data = 0x55d85a3abcbe ":path"}, value = {len = 165, 
        data = 0x55d85c0ea340 "***SENSITIVE INFO (url)***"}}, header_limit = 32576, 
    field_state = 0 '\000', field_start = 0x55d85c0ea340 "***SENSITIVE INFO (url)***", 
    field_end = 0x55d85c0ea3e5 "", field_rest = 0, pool = 0x55d85c0ea2f0, stream = 0x55d85bfc9ee0, buffer = '\000' <repeats 15 times>, buffer_used = 0, handler = 0x55d85a2d77e0 <ngx_http_v2_state_header_block>}, hpack = {
    entries = 0x55d85c204dc0, added = 0, deleted = 0, reused = 0, allocated = 64, size = 4096, free = 4096, storage = 0x0, pos = 0x0}, pool = 0x55d85c032990, free_frames = 0x0, free_fake_connections = 0x0, 
  streams_index = 0x55d85c002fb8, last_out = 0x0, dependencies = {prev = 0x55d85bfc0398, next = 0x55d85bfc0398}, closed = {prev = 0x55d85c18a698, next = 0x55d85c18a698}, closed_nodes = 0, last_sid = 1, lingering_time = 0, 
  settings_ack = 1, table_update = 1, blocked = 1, goaway = 0, fp_fingerprinted = 0, fp_settings = {len = 35, data = 0x55d85c0030b8 "\001"}, fp_windowupdate = 0, fp_priorities = {len = 4, data = 0x55d85bfc02f0 "\001"}, 
  fp_pseudoheaders = {len = 2, data = 0x55d85bfc0310 "ce\374[\330U"}, fp_str = {len = 0, data = 0x0}}

(gdb) p header
$13 = (ngx_http_v2_header_t *) 0x55d85c18a5a0
(gdb) p header->name
$14 = {len = 5, data = 0x55d85a3abcbe ":path"}
(gdb) p header->value
$15 = {len = 165, data = 0x55d85c0ea340 "***SENSITIVE INFO (url)***"}
(gdb) p h2c->hpack
$17 = {entries = 0x55d85c204dc0, added = 0, deleted = 0, reused = 0, allocated = 64, size = 4096, free = 4096, storage = 0x0, pos = 0x0}
(gdb) p **h2c->hpack->entries
$20 = {name = {len = 94387745532352, data = 0x55d85bd08010 "\a"}, value = {len = 0, data = 0x0}}
(gdb) p *h2c->connection
$24 = {data = 0x55d85c18a500, read = 0x7eff26bb8d70, write = 0x7eff26a37d70, fd = 49, recv = 0x55d85a28fc60 <ngx_ssl_recv>, send = 0x55d85a290100 <ngx_ssl_write>, recv_chain = 0x55d85a290040 <ngx_ssl_recv_chain>, 
  send_chain = 0x55d85a290530 <ngx_ssl_send_chain>, listening = 0x55d85bd27f10, sent = 58, log = 0x55d85c102a60, pool = 0x55d85c102a00, type = 1, sockaddr = 0x55d85c102a50, socklen = 16, addr_text = {len = 12, 
    data = 0x55d85c102ab0 "84.*IP****"}, proxy_protocol = 0x0, ssl = 0x55d85c102b18, udp = 0x0, local_sockaddr = 0x55d85bf44430, local_socklen = 16, buffer = 0x0, queue = {prev = 0x7eff26d38748, next = 0x7eff26d38fb8}, 
  number = 737234, start_time = 84136899431, requests = 1, buffered = 0, log_error = 2, timedout = 0, error = 0, destroyed = 0, pipeline = 0, idle = 1, reusable = 0, close = 0, shared = 0, sendfile = 0, sndlowat = 0, tcp_nodelay = 1, 
  tcp_nopush = 0, need_last_buf = 0, need_flush_buf = 0, sendfile_task = 0x0}
(gdb) p *h2c->connection->pool
$25 = {d = {last = 0x55d85c102bfc "\330U", end = 0x55d85c102c00 "\020\002", next = 0x55d85c002ef0, failed = 1}, max = 432, current = 0x55d85c102a00, chain = 0x0, large = 0x55d85c0030d8, cleanup = 0x55d85c002fa0, log = 0x55d85c102a60}
(gdb) 

(gdb) f 3
#3  0x000055d85a2d6c4b in ngx_http_v2_state_process_header (h2c=0x55d85c18a500, 
    pos=0x55d85bf57d56 "A\217%\225ȕ\350\067r\364\032)5K\220\364\377S\260I|\245\211\323M\037C\256\272\fA\244ǩ\217\063\246\232?ߚh\372\035u\320b\r&=Ly\246\217\276\320\001w\376\276X\371\373", <incomplete sequence \355>, 
    end=0x55d85bf57e70 "\177\222\235)\255\027\030cǏ\v\216\241\321!\252_ϟ?@\212AH\264\245I'Y\006I\177\207%\207B\026A\222_@\212AH\264\245I'Z\223\310_\203!\354G@\212AH\264\245I'ZB\241?\204-5\247\327s\223\235)\255\027\030cǏ\v\216\241\321!\252_ϟ,\177P\222\233٫\372RB\313@\322_\245#\263\351OhL\237Q\234\">\213W\337h") at src/http/v2/ngx_http_v2.c:1778
1778	src/http/v2/ngx_http_v2.c: No such file or directory.
(gdb) p pos
$39 = (u_char *) 0x55d85bf57d56 "A\217%\225ȕ\350\067r\364\032)5K\220\364\377S\260I|\245\211\323M\037C\256\272\fA\244ǩ\217\063\246\232?ߚh\372\035u\320b\r&=Ly\246\217\276\320\001w\376\276X\371\373", <incomplete sequence \355>
(gdb) p end
$42 = (u_char *) 0x55d85bf57e70 "\177\222\235)\255\027\030cǏ\v\216\241\321!\252_ϟ?@\212AH\264\245I'Y\006I\177\207%\207B\026A\222_@\212AH\264\245I'Z\223\310_\203!\354G@\212AH\264\245I'ZB\241?\204-5\247\327s\223\235)\255\027\030cǏ\v\216\241\321!\252_ϟ,\177P\222\233٫\372RB\313@\322_\245#\263\351OhL\237Q\234\">\213W\337h"
(gdb) p *h2c->connection->log
$47 = {log_level = 4, file = 0x55d85bd27a70, connection = 737234, disk_full_time = 0, handler = 0x55d85a2a1a30 <ngx_http_log_error>, data = 0x55d85c102b00, writer = 0x0, wdata = 0x0, 
  action = 0x55d85a3aaaec "processing HTTP/2 connection", next = 0x0}
(gdb) p **h2c->streams_index
$51 = {id = 1, index = 0x0, parent = 0xffffffffffffffff, queue = {prev = 0x55d85c18a688, next = 0x55d85c18a688}, children = {prev = 0x55d85bfc03a8, next = 0x55d85bfc03a8}, reuse = {prev = 0x0, next = 0x0}, rank = 1, weight = 16, 
  rel_weight = 0.0625, stream = 0x55d85bfc9ee0}

(gdb) p *ngx_cycle
$57 = {conf_ctx = 0x55d85bd28978, pool = 0x55d85bd27680, log = 0x55d85bd276e8, new_log = {log_level = 4, file = 0x55d85bd27a70, connection = 0, disk_full_time = 0, handler = 0x0, data = 0x0, writer = 0x0, wdata = 0x0, action = 0x0, 
    next = 0x0}, log_use_stderr = 0, files = 0x0, free_connections = 0x7eff26d384b0, free_connection_n = 16278, modules = 0x55d85bd290e0, modules_n = 107, modules_used = 1, reusable_connections_queue = {prev = 0x7eff26d39468, 
    next = 0x7eff26d3c528}, reusable_connections_n = 93, connections_reuse_time = 0, listening = {elts = 0x55d85bd27de8, nelts = 7, size = 296, nalloc = 10, pool = 0x55d85bd27680}, paths = {elts = 0x55d85bd27a08, nelts = 6, size = 8, 
    nalloc = 10, pool = 0x55d85bd27680}, config_dump = {elts = 0x55d85bd27a58, nelts = 0, size = 24, nalloc = 1, pool = 0x55d85bd27680}, config_dump_rbtree = {root = 0x55d85bd27820, sentinel = 0x55d85bd27820, 
    insert = 0x55d85a2664c0 <ngx_str_rbtree_insert_value>}, config_dump_sentinel = {key = 0, left = 0x0, right = 0x0, parent = 0x0, color = 0 '\000', data = 0 '\000'}, open_files = {last = 0x55d85bd27850, part = {
      elts = 0x55d85bd27a70, nelts = 1, next = 0x0}, size = 40, nalloc = 20, pool = 0x55d85bd27680}, shared_memory = {last = 0x55d85bd4c108, part = {elts = 0x55d85bd27d90, nelts = 1, next = 0x55d85bd4bfd0}, size = 88, nalloc = 1, 
    pool = 0x55d85bd27680}, connection_n = 16384, files_n = 0, connections = 0x7eff26d37010, read_events = 0x7eff26bb6010, write_events = 0x7eff26a35010, old_cycle = 0x0, conf_file = {len = 42, 
    data = 0x55d85bd279ba "/usr/local/openresty/nginx/conf/nginx.conf"}, conf_param = {len = 29, data = 0x55d85bd279e5 "daemon on; master_process on;\032\063\377~"}, conf_prefix = {len = 32, 
    data = 0x55d85bd27970 "/usr/local/openresty/nginx/conf//usr/local/openresty/nginx/logs/error.log"}, prefix = {len = 27, data = 0x55d85bd27990 "/usr/local/openresty/nginx/logs/error.log"}, error_log = {len = 14, 
    data = 0x55d85bd279ab "logs/error.log"}, lock_file = {len = 43, data = 0x55d85bf446fc "/usr/local/openresty/nginx/logs/nginx.lock.accept"}, hostname = {len = 24, data = 0x55d85bd290c8 "*************\200?Z\330U"}, 
  intercept_error_log_handler = 0x0, intercept_error_log_data = 0x0, entered_logger = 0}

Most fingerprint schemas use the window_size_increment (http2.window_update.window_size_increment) field as second parameter:

[SETTINGS]|WINDOW_UPDATE|PRIORITY|Pseudo-Header-Order|HEADERS_FRAME|WINDOW_UPDATE

But here the second passed parameter is the http2.settings.initial_window_size

What's the reason for this?

Hi
could you confirm if OpenSSL 3.x is supported?

Thanks,
Marcello

is there a way to bypass Google chrome permutations on tls extensions?

salesforce/ja3

Hello, i have read the other issue about the discrepancy between ja3zone and this implementation. Indeed it differs in 2 locations. I am testing with ubuntu20 curl since this ja3 is "known" to many people. I also have my own IDS tool in golang which uses tlsx to calculate ja3 hashes. I have also tested the tested haproxy-ja3 implementation which is compatible with ja3zone.

http-request set-header X-SSL-JA3 %[ssl_fc_protocol_hello_id],%[ssl_fc_cipherlist_bin(1),be2dec(-,2)],%[ssl_fc_extlist_bin(1),be2dec(-,2)],%[ssl_fc_eclist_bin(1),be2dec(-,2)],%[ssl_fc_ecformats_bin,be2dec(-,1)]
http-request set-header X-SSL-JA3-Hash %[req.fhdr(x-ssl-ja3),digest(md5),hex]

Also mentioned in ja3zone author at https://waf.ninja/ja3-on-guard-against-bots/ the nginx implementation differs from all "others". I believe you should seek compatibility.

Stumbled on this while doing testing, was pulling master while testing a nginx 1.21.4 / openssl 1.1.1q deployment and was getting segfaults. Traced this to the 0.4.0 and subsequent patches, reverting to 0.3.0 tag worked fine. Would be nice to understand what version compatibility there is for the releases.

when tls 1.3 is negotiated, the JA3 value is truncated therefore the md5 hash is wrong.

There exist updates in TLS client fingerprinting technology
https://github.com/FoxIO-LLC/ja4/tree/main

Cisco ssl fingerprint is a more complete implementation
https://resources.sei.cmu.edu/asset_files/Presentation/2019_017_001_539902.pdf

Would it be possible to implement this using https://www.openssl.org/docs/manmaster/man3/SSL_CTX_set_client_hello_cb.html from recently released version of OpenSSL instead of patching it?

That should simplify maintenance quite a bit.

about nginx-quic
about quictls-openssl

Could you check if is it possible to add http_ssl_ja3_hash function?

Thanks,
Marcello

nginx -t give lots of memroy leak messages when compiled with your patch (exactly with your guide)
with youor own config :

`root@birds:~/tmp/nginx# ./objs/nginx -t -c ../nginx-ssl-fingerprint/nginx.conf

nginx: [emerg] open() "/usr/local/nginx/../nginx-ssl-fingerprint/nginx.conf" failed (2: No such file or directory)
nginx: configuration file /usr/local/nginx/../nginx-ssl-fingerprint/nginx.conf test failed

=================================================================
==27166==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1024 byte(s) in 1 object(s) allocated from:
#0 0x7f14fddbf55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x555f3db0b97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x555f3da9e50c in ngx_create_pool src/core/ngx_palloc.c:23
#3 0x555f3da9a043 in main src/core/nginx.c:253
#4 0x7f14fda79d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

SUMMARY: AddressSanitizer: 1024 byte(s) leaked in 1 allocation(s).`

with my real usage config:

`root@birds:~# /usr/local/nginx/sbin/nginx -t
nginx: the configuration file /usr/local/nginx/conf/nginx.conf syntax is ok
nginx: configuration file /usr/local/nginx/conf/nginx.conf test is successful

=================================================================
==27178==ERROR: LeakSanitizer: detected memory leaks

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#6 0x5599493afd49 in ngx_hash_init src/core/ngx_hash.c:396
#7 0x559949461271 in ngx_http_core_merge_loc_conf src/http/ngx_http_core_module.c:3724
#8 0x559949456e05 in ngx_http_merge_servers src/http/ngx_http.c:597
#9 0x559949456e05 in ngx_http_block src/http/ngx_http.c:270
#10 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#11 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#12 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#13 0x5599493a8789 in main src/core/nginx.c:292
#14 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#6 0x559949469f51 in ngx_http_core_server src/http/ngx_http_core_module.c:2923
#7 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#8 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#9 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#10 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#11 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#12 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#13 0x5599493a8789 in main src/core/nginx.c:292
#14 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493add78 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493add78 in ngx_pnalloc src/core/ngx_palloc.c:140
#5 0x5599493e54d4 in ngx_conf_read_token src/core/ngx_conf_file.c:766
#6 0x5599493e54d4 in ngx_conf_parse src/core/ngx_conf_file.c:243
#7 0x55994946a63a in ngx_http_core_server src/http/ngx_http_core_module.c:2984
#8 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#9 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#10 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#14 0x5599493a8789 in main src/core/nginx.c:292
#15 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#6 0x55994955dd2b in ngx_http_proxy_create_loc_conf src/http/modules/ngx_http_proxy_module.c:3318
#7 0x559949467bb9 in ngx_http_core_location src/http/ngx_http_core_module.c:3077
#8 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#9 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#10 0x55994946a63a in ngx_http_core_server src/http/ngx_http_core_module.c:2984
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#14 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#15 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#16 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#17 0x5599493a8789 in main src/core/nginx.c:292
#18 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae626 in ngx_array_init src/core/ngx_array.h:44
#6 0x5599493ae626 in ngx_array_create src/core/ngx_array.c:22
#7 0x55994948ef66 in ngx_http_log_create_main_conf src/http/modules/ngx_http_log_module.c:1152
#8 0x5599494562e8 in ngx_http_block src/http/ngx_http.c:197
#9 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#10 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#11 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#12 0x5599493a8789 in main src/core/nginx.c:292
#13 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493ad50c in ngx_create_pool src/core/ngx_palloc.c:23
#3 0x5599493dc0c8 in ngx_init_cycle src/core/ngx_cycle.c:69
#4 0x5599493a8789 in main src/core/nginx.c:292
#5 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#6 0x55994945e199 in ngx_http_core_create_loc_conf src/http/ngx_http_core_module.c:3554
#7 0x55994955612d in ngx_http_rewrite_if src/http/modules/ngx_http_rewrite_module.c:569
#8 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#9 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#10 0x55994946a63a in ngx_http_core_server src/http/ngx_http_core_module.c:2984
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#14 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#15 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#16 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#17 0x5599493a8789 in main src/core/nginx.c:292
#18 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae842 in ngx_array_push src/core/ngx_array.c:76
#6 0x5599493e662a in ngx_conf_set_keyval_slot src/core/ngx_conf_file.c:1147
#7 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#8 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#9 0x5599494683a3 in ngx_http_core_location src/http/ngx_http_core_module.c:3227
#10 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#11 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#12 0x55994946a63a in ngx_http_core_server src/http/ngx_http_core_module.c:2984
#13 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#14 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#15 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#16 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#17 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#18 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#19 0x5599493a8789 in main src/core/nginx.c:292
#20 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae842 in ngx_array_push src/core/ngx_array.c:76
#6 0x5599494a2f80 in ngx_http_get_variable_index src/http/ngx_http_variables.c:579
#7 0x5599494901b9 in ngx_http_log_variable_compile src/http/modules/ngx_http_log_module.c:921
#8 0x5599494901b9 in ngx_http_log_compile_format src/http/modules/ngx_http_log_module.c:1691
#9 0x559949490b7b in ngx_http_log_init src/http/modules/ngx_http_log_module.c:1892
#10 0x5599494582e0 in ngx_http_block src/http/ngx_http.c:310
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#14 0x5599493a8789 in main src/core/nginx.c:292
#15 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae9e4 in ngx_array_push_n src/core/ngx_array.c:126
#6 0x55994957ef8a in ngx_http_fastcgi_init_params src/http/modules/ngx_http_fastcgi_module.c:3479
#7 0x559949580b36 in ngx_http_fastcgi_merge_loc_conf src/http/modules/ngx_http_fastcgi_module.c:3276
#8 0x559949453e6c in ngx_http_merge_locations src/http/ngx_http.c:650
#9 0x559949456ed3 in ngx_http_merge_servers src/http/ngx_http.c:607
#10 0x559949456ed3 in ngx_http_block src/http/ngx_http.c:270
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#14 0x5599493a8789 in main src/core/nginx.c:292
#15 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#6 0x5599495137ab in ngx_http_headers_create_conf src/http/modules/ngx_http_headers_filter_module.c:645
#7 0x55994955612d in ngx_http_rewrite_if src/http/modules/ngx_http_rewrite_module.c:569
#8 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#9 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#10 0x5599494683a3 in ngx_http_core_location src/http/ngx_http_core_module.c:3227
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x55994946a63a in ngx_http_core_server src/http/ngx_http_core_module.c:2984
#14 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#15 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#16 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#17 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#18 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#19 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#20 0x5599493a8789 in main src/core/nginx.c:292
#21 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493add78 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493add78 in ngx_pnalloc src/core/ngx_palloc.c:140
#5 0x5599494a2b79 in ngx_http_add_variable src/http/ngx_http_variables.c:458
#6 0x5599494a573a in ngx_http_variables_add_core_vars src/http/ngx_http_variables.c:2676
#7 0x55994946340d in ngx_http_core_preconfiguration src/http/ngx_http_core_module.c:3371
#8 0x5599494567d9 in ngx_http_block src/http/ngx_http.c:229
#9 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#10 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#11 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#12 0x5599493a8789 in main src/core/nginx.c:292
#13 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 16384 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5b55c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
#1 0x55994941a97f in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x5599493acff7 in ngx_palloc_block src/core/ngx_palloc.c:186
#3 0x5599493adca9 in ngx_palloc_small src/core/ngx_palloc.c:173
#4 0x5599493adca9 in ngx_palloc src/core/ngx_palloc.c:127
#5 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#6 0x559949581c90 in ngx_http_uwsgi_create_loc_conf src/http/modules/ngx_http_uwsgi_module.c:1506
#7 0x55994955612d in ngx_http_rewrite_if src/http/modules/ngx_http_rewrite_module.c:569
#8 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#9 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#10 0x55994946a63a in ngx_http_core_server src/http/ngx_http_core_module.c:2984
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#14 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#15 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#16 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#17 0x5599493a8789 in main src/core/nginx.c:292
#18 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 10120 byte(s) in 202 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x5599496b788d in CRYPTO_zalloc (/usr/local/nginx/sbin/nginx+0x42d88d)

Indirect leak of 6464 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994941a7ec in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x5599493ad325 in ngx_palloc_large src/core/ngx_palloc.c:220
#3 0x5599493adc20 in ngx_palloc src/core/ngx_palloc.c:131
#4 0x5599493afd9d in ngx_hash_init src/core/ngx_hash.c:403
#5 0x5599494a63ca in ngx_http_variables_init_vars src/http/ngx_http_variables.c:2784
#6 0x559949458307 in ngx_http_block src/http/ngx_http.c:316
#7 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#8 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#9 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#10 0x5599493a8789 in main src/core/nginx.c:292
#11 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 5349 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994941a7ec in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x5599493ad325 in ngx_palloc_large src/core/ngx_palloc.c:220
#3 0x5599493adc20 in ngx_palloc src/core/ngx_palloc.c:131
#4 0x5599493b290e in ngx_create_temp_buf src/core/ngx_buf.c:22
#5 0x5599493e39c5 in ngx_conf_add_dump src/core/ngx_conf_file.c:132
#6 0x5599493e39c5 in ngx_conf_parse src/core/ngx_conf_file.c:225
#7 0x5599493e5dd5 in ngx_conf_include src/core/ngx_conf_file.c:841
#8 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#9 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#10 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#14 0x5599493a8789 in main src/core/nginx.c:292
#15 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 4544 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994941a7ec in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x5599493ad325 in ngx_palloc_large src/core/ngx_palloc.c:220
#3 0x5599493adc20 in ngx_palloc src/core/ngx_palloc.c:131
#4 0x5599493afd9d in ngx_hash_init src/core/ngx_hash.c:403
#5 0x559949461271 in ngx_http_core_merge_loc_conf src/http/ngx_http_core_module.c:3724
#6 0x559949456e05 in ngx_http_merge_servers src/http/ngx_http.c:597
#7 0x559949456e05 in ngx_http_block src/http/ngx_http.c:270
#8 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#9 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#10 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#11 0x5599493a8789 in main src/core/nginx.c:292
#12 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 4280 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994941a7ec in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x5599493ad325 in ngx_palloc_large src/core/ngx_palloc.c:220
#3 0x5599493adc20 in ngx_palloc src/core/ngx_palloc.c:131
#4 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#5 0x5599493b1623 in ngx_hash_keys_array_init src/core/ngx_hash.c:727
#6 0x5599494a5610 in ngx_http_variables_add_core_vars src/http/ngx_http_variables.c:2662
#7 0x55994946340d in ngx_http_core_preconfiguration src/http/ngx_http_core_module.c:3371
#8 0x5599494567d9 in ngx_http_block src/http/ngx_http.c:229
#9 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#10 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#11 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#12 0x5599493a8789 in main src/core/nginx.c:292
#13 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 4280 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994941a7ec in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x5599493ad325 in ngx_palloc_large src/core/ngx_palloc.c:220
#3 0x5599493adc20 in ngx_palloc src/core/ngx_palloc.c:131
#4 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#5 0x5599493b15c2 in ngx_hash_keys_array_init src/core/ngx_hash.c:721
#6 0x5599494a5610 in ngx_http_variables_add_core_vars src/http/ngx_http_variables.c:2662
#7 0x55994946340d in ngx_http_core_preconfiguration src/http/ngx_http_core_module.c:3371
#8 0x5599494567d9 in ngx_http_block src/http/ngx_http.c:229
#9 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#10 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#11 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#12 0x5599493a8789 in main src/core/nginx.c:292
#13 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 4280 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994941a7ec in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x5599493ad325 in ngx_palloc_large src/core/ngx_palloc.c:220
#3 0x5599493adc20 in ngx_palloc src/core/ngx_palloc.c:131
#4 0x5599493ae05e in ngx_pcalloc src/core/ngx_palloc.c:302
#5 0x5599493b1561 in ngx_hash_keys_array_init src/core/ngx_hash.c:716
#6 0x5599494a5610 in ngx_http_variables_add_core_vars src/http/ngx_http_variables.c:2662
#7 0x55994946340d in ngx_http_core_preconfiguration src/http/ngx_http_core_module.c:3371
#8 0x5599494567d9 in ngx_http_block src/http/ngx_http.c:229
#9 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#10 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#11 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#12 0x5599493a8789 in main src/core/nginx.c:292
#13 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 4096 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994941a7ec in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x5599493ad325 in ngx_palloc_large src/core/ngx_palloc.c:220
#3 0x5599493adc20 in ngx_palloc src/core/ngx_palloc.c:131
#4 0x5599493ae842 in ngx_array_push src/core/ngx_array.c:76
#5 0x5599493b1e62 in ngx_hash_add_key src/core/ngx_hash.c:844
#6 0x5599494a2ca8 in ngx_http_add_variable src/http/ngx_http_variables.c:471
#7 0x5599494a573a in ngx_http_variables_add_core_vars src/http/ngx_http_variables.c:2676
#8 0x55994946340d in ngx_http_core_preconfiguration src/http/ngx_http_core_module.c:3371
#9 0x5599494567d9 in ngx_http_block src/http/ngx_http.c:229
#10 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#11 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#12 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#13 0x5599493a8789 in main src/core/nginx.c:292
#14 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 4096 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994941a7ec in ngx_alloc src/os/unix/ngx_alloc.c:22
#2 0x5599493ad325 in ngx_palloc_large src/core/ngx_palloc.c:220
#3 0x5599493adc20 in ngx_palloc src/core/ngx_palloc.c:131
#4 0x5599493ae842 in ngx_array_push src/core/ngx_array.c:76
#5 0x559949460434 in ngx_http_core_type src/http/ngx_http_core_module.c:3351
#6 0x5599493e49c4 in ngx_conf_parse src/core/ngx_conf_file.c:304
#7 0x55994945fd78 in ngx_http_core_types src/http/ngx_http_core_module.c:3294
#8 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#9 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#10 0x5599493e5dd5 in ngx_conf_include src/core/ngx_conf_file.c:841
#11 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#12 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#13 0x559949456815 in ngx_http_block src/http/ngx_http.c:239
#14 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#15 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#16 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#17 0x5599493a8789 in main src/core/nginx.c:292
#18 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 2921 byte(s) in 3 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994965eac2 in asn1_enc_save (/usr/local/nginx/sbin/nginx+0x3d4ac2)

Indirect leak of 2090 byte(s) in 6 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x559949741def in c2i_ASN1_BIT_STRING (/usr/local/nginx/sbin/nginx+0x4b7def)

Indirect leak of 1494 byte(s) in 60 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x559949657c3a in ASN1_STRING_set (/usr/local/nginx/sbin/nginx+0x3cdc3a)

Indirect leak of 1392 byte(s) in 5 object(s) allocated from:
#0 0x7f1595e5ac18 in __interceptor_realloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:164
#1 0x559949709bfb in OPENSSL_sk_insert (/usr/local/nginx/sbin/nginx+0x47fbfb)

Indirect leak of 1128 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994970a1d4 in OPENSSL_sk_dup (/usr/local/nginx/sbin/nginx+0x4801d4)

Indirect leak of 1024 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x5599496b788d in CRYPTO_zalloc (/usr/local/nginx/sbin/nginx+0x42d88d)
#2 0x55994955a280 in ngx_http_ssl_merge_srv_conf src/http/modules/ngx_http_ssl_module.c:725
#3 0x559949456d0d in ngx_http_merge_servers src/http/ngx_http.c:584
#4 0x559949456d0d in ngx_http_block src/http/ngx_http.c:270
#5 0x5599493e5145 in ngx_conf_handler src/core/ngx_conf_file.c:463
#6 0x5599493e5145 in ngx_conf_parse src/core/ngx_conf_file.c:319
#7 0x5599493dd4bc in ngx_init_cycle src/core/ngx_cycle.c:284
#8 0x5599493a8789 in main src/core/nginx.c:292
#9 0x7f1595b15d8f (/lib/x86_64-linux-gnu/libc.so.6+0x29d8f)

Indirect leak of 504 byte(s) in 6 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994967161a in BUF_MEM_grow (/usr/local/nginx/sbin/nginx+0x3e761a)

Indirect leak of 352 byte(s) in 6 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994971b107 in x509_name_canon.part.0 (/usr/local/nginx/sbin/nginx+0x491107)

Indirect leak of 144 byte(s) in 9 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994965dad0 in asn1_primitive_new (/usr/local/nginx/sbin/nginx+0x3d3ad0)

Indirect leak of 32 byte(s) in 1 object(s) allocated from:
#0 0x7f1595e5a867 in __interceptor_malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:145
#1 0x55994970a183 in OPENSSL_sk_dup (/usr/local/nginx/sbin/nginx+0x480183)

SUMMARY: AddressSanitizer: 271582 byte(s) leaked in 321 allocation(s).`

i did not test if your patch is causing it or the nginx version your patch is made for (in the guide you clone an specific version of openssl and nginx) ,even if it's the latter we should change the nginx version so i though i must report this

my os:

root@birds:~# uname -a Linux birds 5.15.0-58-generic #64-Ubuntu SMP Thu Jan 5 11:43:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux root@birds:~# lsb_release -a No LSB modules are available. Distributor ID: Ubuntu Description: Ubuntu 22.04.1 LTS Release: 22.04 Codename: jammy

my https://ja3.zone/#/check fingerprint :
771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-16-5-34-51-43-13-45-28-41,29-23-24-25-256-257,0

my ja3 fingerprint genratored by nginx compiled using your guide and your test config :
771,4865-4867-4866-49195-49199-52393-52392-49196-49200-49162-49161-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-51-43-13-45-28,29-23-24-25-256-257,0

the diffenece is in extensions field
i thought maybe using real domain an vaild certificate may have effect, tested ,no difference

Hello, is there a compatible version other than nginx 1.23.1?

If the author has the energy, Looking forward to adding http3 support and Brotli compression support to this nginx docker

I can consistently reproduce a worker crash with the latest version of this library, with minor tweaks the build steps in the README (nginx 1.24.0 and not using ASAN).

Here's how I'm building:

# Clone

git clone -b OpenSSL_1_1_1-stable --depth=1 https://github.com/openssl/openssl
git clone -b release-1.24.0 --depth=1 https://github.com/nginx/nginx
git clone https://github.com/phuslu/nginx-ssl-fingerprint

# Patch

patch -p1 -d openssl < nginx-ssl-fingerprint/patches/openssl.1_1_1.patch
patch -p1 -d nginx < nginx-ssl-fingerprint/patches/nginx.patch

# Configure & Build

cd nginx
./auto/configure --with-openssl=$(pwd)/../openssl --add-module=$(pwd)/../nginx-ssl-fingerprint --with-http_ssl_module --with-stream_ssl_module --with-debug --with-stream --with-cc-opt="-O2 -fno-omit-frame-pointer" --with-ld-opt="-L/usr/local/lib -Wl,-E"
make

# Test

objs/nginx -p . -c $(pwd)/../nginx-ssl-fingerprint/nginx.conf

While nginx is running, from another terminal issue the tlsfuzzer test-client-hello-max-size.py against the configured port.

This commandline works for me: PYTHONPATH=. python3 scripts/test-client-hello-max-size.py -p 8444

In the nginx output window, you will notice the following lines:

2023/10/11 11:18:09 [debug] 3755132#0: *2 ngx_ssl_client_hello_ja3_cb: alloc 65544 bytes
2023/10/11 11:18:09 [debug] 3755132#0: *2 malloc: 00005593CAC2E590:65544
2023/10/11 11:18:09 [debug] 3755132#0: *2 ngx_ssl_client_hello_ja3_cb: used 65545 bytes
: worker process: malloc.c:2379: sysmalloc: Assertion `(old_top == initial_top (av) && old_size == 0) || ((unsigned long) (old_size) >= MINSIZE && prev_inuse (old_top) && ((unsigned long) old_end & (pagesize - 1))
 == 0)' failed.
2023/10/11 11:18:09 [notice] 3755131#0: signal 17 (SIGCHLD) received from 3755132
2023/10/11 11:18:09 [alert] 3755131#0: worker process 3755132 exited on signal 6

Please let me know if you need any additional information to reproduce and fix this issue.

The service built using your nginx extension received a last value of 41 for the third extension in most cases, but what I saw on other websites was random every time. I tested it using Windows Chrome 128.

An interesting phenomenon is that sometimes on the first visit, the value obtained is random, but when the webpage is refreshed later, the value returned to 41. I don't know if this phenomenon is caused by my configuration error or some other reason.

Based on your expansion:

https://tls.peet.ws/api/all ：

https://tls.browserleaks.com/json :

使用情况中发现性能有较高的降低，我可以基于什么方案提高性能，或者是否我在某些环节有问题造成的

installed version
openssl-3.2
nginx-1.25.3

Running nginx reports an error

==50858==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 1024 byte(s) in 1 object(s) allocated from:
#0 0x7f836aaa65c0 in posix_memalign (/usr/lib64/libasan.so.4+0xe05c0)
#1 0x4fdd0e in ngx_memalign src/os/unix/ngx_alloc.c:57
#2 0x490397 in ngx_create_pool src/core/ngx_palloc.c:23
#3 0x48ae63 in main src/core/nginx.c:254
#4 0x7f836a73fb26 in __libc_start_main (/usr/lib64/libc.so.6+0x25b26)

{ "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36", "ja3_hash": "40adfd923eb82b89d8836ba37a19bca1", "ja3_text": "771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-11-10-35-22-23-13-43-45-51,29-23-30-25-24,0-1-2", "ja3n_hash": "a4518eeb044cff26ec5f82d0cca28b6d", "ja3n_text": "771,4866-4867-4865-49196-49200-159-52393-52392-52394-49195-49199-158-49188-49192-107-49187-49191-103-49162-49172-57-49161-49171-51-157-156-61-60-53-47-255,0-10-11-13-22-23-35-43-45-51,29-23-30-25-24,0-1-2", "akamai_hash": "", "akamai_text": "" }

I think project need some tests in pipeline for production grade.

For example:

1. some popular ja3 hashes
2. http and https smoke tests
3. invalid ssl handshake
4. something else?

I can write some.

But what language choose? python (with tlsfuzzer library) and go (with ja3transport) is pretty good candidate.

I would rather choose go. What do you think @phuslu @deancn ?

p.s. golang transport cant use "tls heartbeat", but i think it is ok.

It would be great to allow to get raw ja3 fingeprint

ive tried to replace /usr/sbin/nginx with self compiled /home/nginx/objs/nginx in /usr/lib/systemd/system/nginx.service / /etc/systemd/system/nginx.service & got this error:

$:/home/nginx# systemctl daemon-reload
$:/home/nginx# service nginx restart
Job for nginx.service failed because the control process exited with error code.
See "systemctl status nginx.service" and "journalctl -xe" for details.
$:/home/nginx# systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
     Loaded: loaded (/etc/systemd/system/nginx.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Sun 2023-04-16 10:45:05 MSK; 8s ago
       Docs: man:nginx(8)
    Process: 1385450 ExecStartPre=/home/nginx/objs/nginx -t -q -g daemon on; master_process on; (code=exited, status=1/FAILURE)
        CPU: 84ms

Apr 16 10:45:05 incredible-gmod nginx[1385450]: Direct leak of 1024 byte(s) in 1 object(s) allocated from:
Apr 16 10:45:05 incredible-gmod nginx[1385450]:     #0 0x7f7c1eaa4a3c in __interceptor_posix_memalign ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:226
Apr 16 10:45:05 incredible-gmod nginx[1385450]:     #1 0x55c5d1611556 in ngx_memalign src/os/unix/ngx_alloc.c:57
Apr 16 10:45:05 incredible-gmod nginx[1385450]:     #2 0x55c5d15a5138 in ngx_create_pool src/core/ngx_palloc.c:23
Apr 16 10:45:05 incredible-gmod nginx[1385450]:     #3 0x55c5d159feba in main src/core/nginx.c:253
Apr 16 10:45:05 incredible-gmod nginx[1385450]:     #4 0x7f7c1e78dd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09)
Apr 16 10:45:05 incredible-gmod nginx[1385450]: SUMMARY: AddressSanitizer: 1024 byte(s) leaked in 1 allocation(s).
Apr 16 10:45:05 incredible-gmod systemd[1]: nginx.service: Control process exited, code=exited, status=1/FAILURE
Apr 16 10:45:05 incredible-gmod systemd[1]: nginx.service: Failed with result 'exit-code'.
Apr 16 10:45:05 incredible-gmod systemd[1]: Failed to start A high performance web server and a reverse proxy server.

whats iam doing wrong?

Per the original JA3 project README:

"We also needed to introduce some code to account for Google’s GREASE (Generate Random Extensions And Sustain Extensibility) as described here. Google uses this as a mechanism to prevent extensibility failures in the TLS ecosystem. JA3 ignores these values completely to ensure that programs utilizing GREASE can still be identified with a single JA3 hash."

Original implementation:
GREASE_TABLE = {0x0a0a: True, 0x1a1a: True, 0x2a2a: True, 0x3a3a: True,
0x4a4a: True, 0x5a5a: True, 0x6a6a: True, 0x7a7a: True,
0x8a8a: True, 0x9a9a: True, 0xaaaa: True, 0xbaba: True,
0xcaca: True, 0xdada: True, 0xeaea: True, 0xfafa: True}

GREASE_TABLE Ref: https://tools.ietf.org/html/draft-davidben-tls-grease-00

Here are some sample different JA3 for Chrome using the example server in the README:

user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
ja3: 772,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513,29-23-24,0
ja3_hash: 59686f806cae30344b525e99af5b655d
ssl_greased: 1

user_agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.0.0 Safari/537.36
ja3: 772,4865-4866-4867-49195-49199-49196-49200-52393-52392-49171-49172-156-157-47-53,0-23-65281-10-11-35-16-5-13-18-51-45-43-27-17513
ja3_hash: 217b989439002f3b88747b7b038532d9
ssl_greased: 1