Yann Ylavic [Sat, 1 Jun 2024 15:08:46 +0000 (15:08 +0000)]
mpm_event, mod_status: Separate processing and write completion queues.
As a follow up to r1918022 which handled the new CONN_STATE_PROCESS(ing) and
existing CONN_STATE_WRITE_COMPLETION in the same async queue, let's now have
two separate ones, which allows more relevant async accounting in mod_status.
Rename CONN_STATE_PROCESS to CONN_STATE_PROCESSING as it's how it will be
called in mod_status.
* include/ap_mmn.h:
MMN minor bump for process_score->processing counter.
* include/httpd.h:
Rename CONN_STATE_PROCESS to CONN_STATE_PROCESSING.
* server/mpm/event/event.c:
Restore write_completion_q to handle connections in CONN_STATE_WRITE_COMPLETION.
Use processing_q (renamed from process_q) solely for CONN_STATE_PROCESSING.
Update process_score->processing according to the length of processing_q.
* modules/generators/mod_status.c:
Show the value of process_score->processing in the stats.
Yann Ylavic [Fri, 31 May 2024 15:18:33 +0000 (15:18 +0000)]
mpm_event: Don't spam with "Stopping process due to MaxConnectionsPerChild"
When MaxConnectionsPerChild is reached there may be some connections to process
still and the listener should stop writing this at every loop. Logging once
is enough.
Yann Ylavic [Tue, 28 May 2024 14:10:43 +0000 (14:10 +0000)]
mpm_event,core: Handle async POLLIN/POLLOUT in CONN_STATE_PROCESS state.
* include/httpd.h:
Rename CONN_STATE_CHECK_REQUEST_LINE_READABLE to CONN_STATE_KEEPALIVE
and CONN_STATE_READ_REQUEST_LINE to CONN_STATE_PROCESS, keeping the
old enums as aliases. Rework comments about each state.
* server/mpm/event/event.c:
Use the new state names.
Let the process_connection hooks return CONN_STATE_PROCESS for mpm_event
to POLLIN or POLLOUT depending on c->cs->sense being CONN_SENSE_WANT_READ
or CONN_SENSE_WANT_WRITE respectively.
Remove (ab)use of CONN_STATE_WRITE_COMPLETION with CONN_SENSE_WANT_READ to
mean poll() for read (and the need for the obscure c->clogging_input_filters
to make it work as expected). This is what CONN_STATE_PROCESS is for now.
Update the comment about the states that can be returned by process_connection
hooks (and their usage).
Use the same queue (process_q renamed from write_completion_q) for polling
connections in both CONN_STATE_PROCESS and CONN_STATE_WRITE_COMPLETION
states since they both use the same (server_rec's) Timeout. This implies
that both states are accounted as "write-completion" in mod_status for now.
* server/mpm/motorz/motorz.c, server/mpm/simple/simple_io.c, modules/http/http_core.c:
Use the new state names (only).
* include/scoreboard.h:
Change comment about process_score->write_completion to note that the
counter refers to CONN_STATE_PROCESS connections returned to the MPM
too.
* modules/http2/h2_c1.c:
Return the c1 connection with the CONN_STATE_PROCESS state rather than
CONN_STATE_WRITE_COMPLETION when waiting for a window update (i.e. ask
the MPM to poll for read directly). This avoids the transition to
CONN_STATE_KEEPALIVE which could kill the connection under high load.
Stefan Eissing [Mon, 27 May 2024 11:04:52 +0000 (11:04 +0000)]
*) mod_http2: sync with module's github.
- on newer HTTPD versions, return connection monitoring
to the event MPM when blocked on client updates.
2.4.x versions still treat connections in the event
MPM as KeepAlive and purge them on load in the middle
of response processing.
- spelling fixes
- support for yield calls in c2 "network" filter
Joe Orton [Mon, 20 May 2024 09:18:10 +0000 (09:18 +0000)]
Explicitly reject CGI output which includes a Transfer-Encoding
header, rather than drop it and send what's likely to be an unexpected
or corrupted response.
* modules/generators/cgi_common.h (cgi_handle_response): Send a 502
error if Transfer-Encoding is present in the response headers.
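The check this commit message describes, as an added example that is not httpd's `cgi_handle_response` and not part of the commit: the hypothetical `check_cgi_headers` scans the header block a CGI script emitted and returns 502 when a Transfer-Encoding field is present. The sample outputs are constructed, and tolerating whitespace before the colon is an assumption of this sketch.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive match of an n-byte field name against want. */
static int name_is(const char *s, size_t n, const char *want)
{
    size_t i;
    if (n != strlen(want))
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)want[i]))
            return 0;
    return 1;
}

/* Hypothetical check: scan CGI output up to the first blank line and
 * return 502 if a Transfer-Encoding field is present, otherwise 0. */
static int check_cgi_headers(const char *out)
{
    const char *line = out;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *colon;
        if (len > 0 && line[len - 1] == '\r')
            len--;                          /* accept CRLF and bare LF */
        if (len == 0)
            break;                          /* blank line ends the headers */
        colon = memchr(line, ':', len);
        if (colon != NULL) {
            size_t nlen = (size_t)(colon - line);
            while (nlen > 0 && (line[nlen - 1] == ' ' || line[nlen - 1] == '\t'))
                nlen--;                     /* tolerate "Name : value" */
            if (name_is(line, nlen, "Transfer-Encoding"))
                return 502;                 /* reject rather than drop it */
        }
        line = eol ? eol + 1 : line + strlen(line);
    }
    return 0;
}

int main(void)
{
    /* Constructed CGI outputs; the second carries the rejected header. */
    printf("%d ", check_cgi_headers("Content-Type: text/html\r\n\r\nhi"));
    printf("%d\n", check_cgi_headers("Status: 200\ntransfer-encoding: chunked\n\n"));
    return 0;
}
```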
Joe Orton [Wed, 8 May 2024 12:46:58 +0000 (12:46 +0000)]
On Linux use the real thread id via gettid() in error logging,
where available, rather than the (meaningless) default
pthread_self()-as-integer interpretation:
* configure.in: Define DEFAULT_LOG_TID on Linux if gettid() is available.
* server/log.c: Define DEFAULT_LOG_TID as NULL by default.
(do_errorlog_default): Use DEFAULT_LOG_TID as the argument to log_tid().
mpm_worker: Fix AH00045 about children processes not terminating timely.
* server/mpm/worker/worker.c(setup_threads_runtime):
Create pollset with APR_POLLSET_WAKEABLE to be able to wake up the listener
when stopping.
* server/mpm/worker/worker.c(wakeup_listener):
Wake up the listener using the wakeup pipe (apr_pollset_wakeup).
* server/mpm/worker/worker.c(join_workers):
Like mpm_event, don't depend on `pthread_kill(listener_thread, 0)` to check
whether the listener has exited (this does not work on some systems), but use
the "dying" global variable instead which is set by the listener just before
exiting.
All pollset "good methods" implement APR_POLLSET_WAKEABLE and wake-ability
is quite important for MPM event's correctness anyway so simplify code around
pollset creation so as not to suggest that APR_POLLSET_NODEFAULT is favored
against APR_POLLSET_WAKEABLE.
While at it account for the wakeup pipe in the pollset_size since not all
pollset methods seem to do it internally in APR.
* Ensure that we set the default DH parameters for the key
Replace else with an if as the if branch no longer ensures that
custom DH parameters have been loaded.
This fixes a regression that causes the default DH parameters for a key
to no longer be set, thus effectively disabling DH ciphers when no explicit
DH parameters are set.
Stefan Eissing [Mon, 8 Apr 2024 11:24:18 +0000 (11:24 +0000)]
mod_md: update to v2.4.26
- Using OCSP stapling information to trigger certificate renewals. Proposed
by @frasertweedale.
- Added directive `MDCheckInterval` to control how often the server checks
for detected revocations. Added proposals for configurations in the
README.md chapter "Revocations".
- OCSP stapling: accept OCSP responses without a `nextUpdate` entry which is
allowed in RFC 6960. Treat those as having an update interval of 12 hours.
Added by @frasertweedale.
- Adapt OpenSSL usage to changes in their API. By Yann Ylavic.
Test Updates
- workarounds for using Pebble v2.5
- disable EAB tests for Pebble since v2.5 no longer
supports HS256 FWT for EAB keys
- some stability improvements in error/warning checks
Fix occasional pytest failures
in modules/http2/test_800_websockets.py
(test_h2_800_03_not_found and
test_h2_800_05_non_ws_delay_resource) due to
additional RST messages.
Maybe we should allow RST after EOF in all websocket tests?
Fix occasional pytest failures
in modules/http2/test_800_websockets.py
(test_h2_800_04_non_ws_resource and
test_h2_800_09b_unsupported) due to
additional RST messages.
Joe Orton [Fri, 15 Mar 2024 15:26:11 +0000 (15:26 +0000)]
mod_systemd: if SELinux is available and enabled, log the SELinux
context at startup, since this may vary when httpd is started via
systemd vs being started directly.
* modules/arch/unix/mod_systemd.c (systemd_post_config):
Do nothing for the pre-config iteration.
Log the SELinux context if available.
Yann Ylavic [Thu, 14 Mar 2024 14:54:59 +0000 (14:54 +0000)]
mod_crypto: Fix warnings about signed bit fields.
The non-zero value for one bit field is -1:
mod_crypto.c|565 col 18| error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
|| ctx->encrypt = 1;
|| ^ ~
mod_crypto.c|746 col 22| error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
|| ctx->clength = 1;
|| ^ ~
mod_crypto.c|903 col 35| error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
|| ctx->seen_eos = 1;
|| ^ ~
mod_crypto.c|960 col 22| error: implicit truncation from 'int' to a one-bit wide bit-field changes value from 1 to -1 [-Werror,-Wsingle-bit-bitfield-constant-conversion]
|| ctx->clength = 1;
|| ^ ~
Use unsigned bit fields for struct crypto_ctx's members seen_eos, encrypt and clength.
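The pitfall behind these warnings, as an added example that is not mod_crypto's code: the two structs are constructed stand-ins that reuse only the member names from the commit message. Converting 1 into a signed one-bit field is implementation-defined in C; the -1 shown is what GCC and Clang produce.

```c
#include <stdio.h>

/* Constructed stand-ins for the flags named in the commit message; this
 * is not mod_crypto's struct crypto_ctx. */
struct flags_signed   { signed int   seen_eos:1, encrypt:1, clength:1; };
struct flags_unsigned { unsigned int seen_eos:1, encrypt:1, clength:1; };

/* Values go through a parameter so the store is not a literal constant. */
static int stored_signed(int v)
{
    struct flags_signed f = {0, 0, 0};
    f.encrypt = v;
    return f.encrypt;       /* 1 does not fit in {-1, 0}: reads back as -1 */
}

static int stored_unsigned(int v)
{
    struct flags_unsigned f = {0, 0, 0};
    f.encrypt = v;
    return f.encrypt;       /* range is {0, 1}: reads back as 1 */
}

/* The hazard: a test written as "== 1" never matches the signed flag,
 * while a plain truth test still does. */
static int signed_equals_one(int v)
{
    struct flags_signed f = {0, 0, 0};
    f.encrypt = v;
    return f.encrypt == 1;
}

static int signed_is_set(int v)
{
    struct flags_signed f = {0, 0, 0};
    f.encrypt = v;
    return f.encrypt ? 1 : 0;
}

int main(void)
{
    printf("signed: %d, unsigned: %d\n", stored_signed(1), stored_unsigned(1));
    printf("signed == 1: %d, signed set: %d\n", signed_equals_one(1), signed_is_set(1));
    return 0;
}
```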
Eric Covener [Mon, 11 Mar 2024 20:35:27 +0000 (20:35 +0000)]
event: avoid possible hang in clean_child_exit
If the pthread_create failure isn't on the first worker thread,
another one is likely to hold the queue mutex already. The cleanup
of pchild will try to cleanup the queue and block on destroying
the condition.
Joe Orton [Thu, 29 Feb 2024 15:28:36 +0000 (15:28 +0000)]
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Update to avoid GCC warning for no-engine builds where the
SSLModConfigRec is not used. Also log an error for the ENOTIMPL
path.
Joe Orton [Thu, 29 Feb 2024 14:00:55 +0000 (14:00 +0000)]
CI tweaks:
- don't install CPAN modules if NO_TEST_FRAMEWORK is set
- remove the workaround for mod_h2 APR build caching which
should no longer be necessary now caching is fixed
- fix capturing specific perl-framework failures with "TEST -v" mode
Joe Orton [Thu, 29 Feb 2024 13:30:50 +0000 (13:30 +0000)]
CI: Re-enable caching for *fixed* versions of apr/apr-util which
should now work correctly (since the version is in the cache key).
For 1.x branches, CLEAR_CACHE must still be used. [skip ci]
Joe Orton [Thu, 29 Feb 2024 12:11:39 +0000 (12:11 +0000)]
CI: Hopefully fix caching and artifact uploads by creating $JOBID
as a unique key for each job in the matrix, using that as the
cache key and in each artefact upload (otherwise multiple failures
uploading "error_log" overwrite each other).
Yann Ylavic [Tue, 20 Feb 2024 10:37:30 +0000 (10:37 +0000)]
mod_ssl: Follow up to r1913815: szCryptoDevice to NULL when !MODSSL_HAVE_ENGINE_API
Latest OpenSSL versions removed the ENGINE API completely, still provide NULL
SSLModConfigRec::szCryptoDevice since it's used outside MODSSL_HAVE_ENGINE_API.
SSLModConfigRec is a private struct, so no MMN change.
* modules/ssl/ssl_private(SSLModConfigRec):
Provide szCryptoDevice (NULL) even if !MODSSL_HAVE_ENGINE_API.