Graham Leggett [Fri, 21 Sep 2018 13:30:15 +0000 (13:30 +0000)]
MPMs: Initialize all runtime/asynchronous objects on a dedicated pool and
before signals handling to avoid lifetime issues on restart or shutdown.
PR 62658.
trunk patch: http://svn.apache.org/r1835845
http://svn.apache.org/r1835846
http://svn.apache.org/r1837354
http://svn.apache.org/r1837356
http://svn.apache.org/r1839571
http://svn.apache.org/r1839583
2.4.x patch: http://home.apache.org/~ylavic/patches/2.4.x-mpms_async_objects_lifetime.patch
+1: ylavic, jim (but not for 2.4.35), minfrin
Jim Jagielski [Wed, 19 Sep 2018 12:55:26 +0000 (12:55 +0000)]
Merge r1835118 from trunk:
On the trunk:
* silencing gcc uninitialized warning
* refraining from apr_table_addn() use since pool debug assumptions are in conflict
* adding more assertions
* copy-porting changes to base64 encoding code from mod_md
Submitted by: icing
Reviewed by: icing, minfrin, jim
Jim Jagielski [Wed, 19 Sep 2018 12:54:51 +0000 (12:54 +0000)]
Merge r1749402, r1656549, r1840776, r1800126, r1817131, r1834226 from trunk:
Style only
Be more consistent:
- add space between (if|while) and \(
- place of 'break' statement
Fix cut and paste typo in error message + remove empty lines to be consistent
follow-up to r1656549.
Instead of logging a password (which is not a good practice), clarify the associated message
* Silence compiler warning
Be less tolerant when parsing the credential for Basic authorization. Only spaces should be accepted after the authorization scheme. \t are also tolerated.
The current code accepts \v and \f as well.
The same behavior is already used in 'ap_get_basic_auth_pw()' which is mostly the same function as 'get_basic_auth()'.
Function used as 'apr_reslist_destructor' when calling 'apr_reslist_create()' should have the following prototype:
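The whitespace rule in the Basic authorization change above (only SP and HTAB between the scheme and the credentials; \v and \f rejected) can be illustrated with a small stand-alone parser. This is an added example, not httpd's get_basic_auth() or ap_get_basic_auth_pw(): the functions parse_basic_credentials(), b64_decode() and check_basic() and the BASIC_STRICT/BASIC_LENIENT modes are this example's own names, the requirement of at least one separator after the scheme token is this example's choice, and the header values passed in are constructed.

```c
/* Added example (not httpd code): strict vs. lenient parsing of an HTTP
 * "Authorization: Basic <base64>" header value. Strict mode accepts only
 * SP and HTAB after the scheme token; lenient mode also tolerates \v and \f,
 * which is the behaviour the change above removes. */
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

typedef enum { BASIC_STRICT, BASIC_LENIENT } basic_mode_e;

/* Minimal base64 decoder: returns a malloc'd NUL-terminated buffer and its
 * length, or NULL if the input is not well-formed base64. */
static unsigned char *b64_decode(const char *in, size_t *outlen)
{
    static const char tbl[] =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
    size_t len = strlen(in), o = 0;
    if (len == 0 || len % 4 != 0) return NULL;
    unsigned char *out = malloc(len / 4 * 3 + 1);
    if (!out) return NULL;
    for (size_t i = 0; i < len; i += 4) {
        unsigned v = 0;
        int pad = 0;
        for (int k = 0; k < 4; k++) {
            char c = in[i + k];
            if (c == '=') { pad++; v <<= 6; continue; }
            if (pad) { free(out); return NULL; }        /* '=' only at the end */
            const char *p = strchr(tbl, c);
            if (!p) { free(out); return NULL; }         /* not a base64 char */
            v = (v << 6) | (unsigned)(p - tbl);
        }
        if (pad > 2 || (pad && i + 4 != len)) { free(out); return NULL; }
        out[o++] = (v >> 16) & 0xff;
        if (pad < 2) out[o++] = (v >> 8) & 0xff;
        if (pad < 1) out[o++] = v & 0xff;
    }
    out[o] = '\0';
    *outlen = o;
    return out;
}

/* Case-insensitive match of the 5-byte scheme token "Basic" (RFC 7235). */
static int scheme_is_basic(const char *p)
{
    const char *s = "basic";
    for (int i = 0; i < 5; i++)
        if (tolower((unsigned char)p[i]) != s[i]) return 0;
    return 1;
}

static char *dup_range(const char *s, size_t n)
{
    char *r = malloc(n + 1);
    if (r) { memcpy(r, s, n); r[n] = '\0'; }
    return r;
}

/* Returns 1 and fills *user/*pass (malloc'd) on success, 0 on rejection. */
static int parse_basic_credentials(const char *auth, basic_mode_e mode,
                                   char **user, char **pass)
{
    if (!scheme_is_basic(auth)) return 0;
    const char *p = auth + 5, *start = p;
    /* Separator: SP or HTAB always; \v and \f only in lenient mode. */
    while (*p == ' ' || *p == '\t' ||
           (mode == BASIC_LENIENT && (*p == '\v' || *p == '\f')))
        p++;
    if (p == start) return 0;                           /* "Basicxxxx" is not a header */
    size_t n;
    unsigned char *dec = b64_decode(p, &n);
    if (!dec) return 0;
    if (memchr(dec, '\0', n)) { free(dec); return 0; }  /* embedded NUL */
    char *colon = strchr((char *)dec, ':');
    if (!colon) { free(dec); return 0; }                /* credentials are user:pass */
    *user = dup_range((char *)dec, (size_t)(colon - (char *)dec));
    *pass = dup_range(colon + 1, strlen(colon + 1));
    free(dec);
    return (*user && *pass) ? 1 : 0;
}

/* Convenience wrapper: 1 if parsing succeeds and yields the expected pair. */
static int check_basic(const char *auth, basic_mode_e mode,
                       const char *exp_user, const char *exp_pass)
{
    char *u = NULL, *p = NULL;
    int ok = parse_basic_credentials(auth, mode, &u, &p);
    if (ok) ok = strcmp(u, exp_user) == 0 && strcmp(p, exp_pass) == 0;
    free(u);
    free(p);
    return ok;
}
```

The constructed value "dXNlcjpwYXNz" is base64 for "user:pass"; a header with \v or \f before it decodes in lenient mode but is rejected in strict mode, which is the difference the change above introduces.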
Joe Orton [Tue, 18 Sep 2018 11:09:15 +0000 (11:09 +0000)]
Merge r1841218 from trunk:
* modules/ssl/ssl_engine_kernel.c (ssl_check_post_client_verify):
Retrieve and set sslconn->client_cert here for both "modern" and
classic access control.
(ssl_hook_Access_classic, ssl_hook_Access_modern, ssl_hook_Access):
Restore SSLRequire and FakeBasicAuth checks to ssl_hook_Access so tests
are still applied for TLSv1.3.
Jim Jagielski [Wed, 12 Sep 2018 20:38:02 +0000 (20:38 +0000)]
Merge r1840010 from trunk:
On the trunk:
mod_http2: connection IO event handling reworked. Instead of reacting on
incoming bytes, the state machine now acts on incoming frames that are
affecting it. This reduces state transitions.
Submitted by: icing
Reviewed by: icing, ylavic, jim
Joe Orton [Wed, 12 Sep 2018 15:54:59 +0000 (15:54 +0000)]
Merge r1840710 from trunk:
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Disable AUTO_RETRY mode for OpenSSL 1.1.1, which fixes
post-handshake authentication.
(ssl_init_proxy_certs): Fix proxy client cert support with
TLSv1.3, which is now crippled by default.
Joe Orton [Wed, 12 Sep 2018 11:52:21 +0000 (11:52 +0000)]
Merge r1840585 from trunk:
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_modern): Fail with
403 if SSL_verify_client_post_handshake() fails, e.g. when the
TLS/1.3 client didn't send the Post-Handshake Authentication
extension.
Jim Jagielski [Tue, 11 Sep 2018 11:57:19 +0000 (11:57 +0000)]
Merge r1836381, r1836382, r1836383, r1836386, r1836603 from trunk:
* mod_proxy: Remove load order and link dependency between mod_lbmethod_*
modules and mod_proxy by providing mod_proxy's ap_proxy_balancer_get_best_worker
as an optional function.
PR: 62557
* Remove invalid copy and paste comments
* Always retrieve conditional function. static variable might contain garbage if module was reloaded in a static build.
* Add missing log numbers
* ap_proxy_balancer_get_best_worker cannot be exported and used as an optional
function at the same time. So rename ap_proxy_balancer_get_best_worker to
proxy_balancer_get_best_worker and make it static which is then used as an
optional function and recreate ap_proxy_balancer_get_best_worker as an
exported thin wrapper of proxy_balancer_get_best_worker.
Jim Jagielski [Tue, 11 Sep 2018 11:54:34 +0000 (11:54 +0000)]
Merge r1801144, r1801148, r1801456 from trunk:
mpm_winnt: Factor out a helper function to parse the type of an accept
filter and use an appropriate enum for it.
This makes the code in winnt_accept() a bit easier to follow. As a minor
side effect, it also fixes a small bug where the "unrecognized AcceptFilter
'%s'" log entry would always contain "none" instead of the actually
unrecognized kind of the accept filter.
mpm_winnt: Fix typo in the logged message in winnt_get_connection().
mpm_winnt: Following up on r1801144, use the new accept_filter_e enum
values in a couple of missed places in winnt_accept().
Submitted by: kotkov
Reviewed by: jailletc36, jim (via inspection), wrowe
*) mod_ssl: add experimental support for TLSv1.3 (tested with OpenSSL v1.1.1-pre9).
SSL(Proxy)CipherSuite now has an optional first parameter for the protocol the ciphers are for.
Directive "SSLVerifyClient" now triggers certificate retrieval from the client.
Verifying the client fails exactly the same for HTTP/2 connections for all SSL protocols,
as this would need to trigger the master connection thread - which we do not support
right now.
Renegotiation of ciphers is intentionally ignored for TLSv1.3 connections. "SSLCipherSuite"
does not allow specifying TLSv1.3 ciphers in a directory context (because it cannot work) and
TLSv1.2 or lower ciphers are not relevant for 1.3, as cipher suites are completely separate.
Sites which make use of such TLSv1.2 feature need to evaluate carefully if or how they
can match their needs onto the TLSv1.3 protocol.
[Yann Ylavic, Stefan Eissing]
Rainer Jung [Wed, 29 Aug 2018 03:41:51 +0000 (03:41 +0000)]
Add the remaining parts of my proxy-status and
server-status proposals back to the list.
I have only applied the uncontroversial "auto"
mode part of the accepted patches.
The "html" part is now back in STATUS (with
adjusted smaller patches) to give some more
time for feedback whether the HTML output
format is allowed to change during a patch
release.
Rainer Jung [Wed, 29 Aug 2018 02:50:30 +0000 (02:50 +0000)]
mod_proxy: Improve the balancer member data shown
in mod_status when "ProxyStatus" is "On":
add "busy" count to auto mode and show byte counts
in auto mode always in units of kilobytes.
Partial backport of r1837588 from trunk
(only auto mode changes, html parts not yet
backported).
Rainer Jung [Wed, 29 Aug 2018 02:23:36 +0000 (02:23 +0000)]
mod_status: Complete the data shown for async
MPMs in "auto" mode. Added number of processes,
number of stopping processes and number
of busy and idle workers.
This changes only the key/value list of the
server-status "auto" output. The data is already
part of the "html" output.
Yann Ylavic [Tue, 28 Aug 2018 20:07:07 +0000 (20:07 +0000)]
Merge r1837130 from trunk:
mod_ratelimit: Don't interfere with "chunked" encoding.
By the time ap_http_header_filter() sends the header brigade and adds the
"CHUNK" filter, we need to guarantee that the header went through all the
filters' stack, and more specifically above ap_http_chunk_filter() which
assumes that all it receives is content data.
Since rate_limit_filter() may retain the header brigade, make it run after
ap_http_chunk_filter(), just before AP_FTYPE_CONNECTION filters.
Also, ap_http_header_filter() shouldn't eat the EOS for HEAD/no-body responses.
For instance mod_ratelimit depends on it since r1835168, but any next request
filter may as well to flush and/or bail out appropriately.
This fixes the regression introduced in 2.4.34 (r1835168).
PR 62568.
Submitted by: ylavic
Reviewed by: covener, ylavic, jim