Yann Ylavic [Mon, 13 Dec 2021 18:55:18 +0000 (18:55 +0000)]
http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
The early checks avoid failing the request later on and thus save cycles
for those invalid cases.
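An added example (not httpd's code) of the early request-target check the commit above describes: an absolute-form target that will not be forward-proxied must carry an http or https scheme, and one that will be forward-proxied must carry a hostname. The `proxied` flag and the sample targets are assumptions constructed for illustration; CONNECT's authority-form is out of scope here.

```python
"""Early validation of an HTTP/1.1 request-target (illustrative, not httpd code)."""
from typing import Tuple
from urllib.parse import urlsplit


def validate_request_target(target: str, proxied: bool) -> Tuple[bool, str]:
    """Return (accepted, reason) for a request-target.

    origin-form ("/path") is accepted as-is.
    absolute-form ("scheme://host/path"):
      - when `proxied` is False (served locally), the scheme must be http/https;
      - when `proxied` is True (forward-proxied), a hostname must be present.
    Rejecting early avoids carrying an unusable request through later stages.
    """
    if target.startswith("/"):
        return True, "origin-form"

    parts = urlsplit(target)
    if not parts.scheme:
        return False, "absolute-form without a scheme"

    if proxied:
        # Forward proxy needs a host to connect to.
        if not parts.hostname:
            return False, "forward-proxied request without a hostname"
        return True, "absolute-form with hostname, forward-proxied"

    # Served locally: only http(s) makes sense for an origin server.
    if parts.scheme.lower() not in ("http", "https"):
        return False, "non-http(s) scheme %r on a non-proxied request" % parts.scheme
    return True, "absolute-form with http(s) scheme"


if __name__ == "__main__":
    # Constructed sample targets (hypothetical; not taken from any capture).
    samples = [
        ("/index.html", False),
        ("http://example.test/x", False),
        ("ftp://example.test/x", False),
        ("http://example.test/x", True),
        ("http:///x", True),
        ("mailto:someone", True),
    ]
    for tgt, prox in samples:
        ok, why = validate_request_target(tgt, prox)
        print("%-28s proxied=%-5s -> %s (%s)" % (tgt, prox, "accept" if ok else "reject", why))
```

The check only looks at the request-target, so it runs before any backend connection or content handler is involved, which is exactly the cycle saving the commit message refers to.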
Joe Orton [Fri, 10 Dec 2021 14:50:19 +0000 (14:50 +0000)]
* modules/ssl/ssl_engine_io.c (bio_filter_in_ctrl): Remove debugging
assert for unexpected control commands, matching bio_filter_out_ctrl
which also ignores such invocations. Fixes core dumps in debug
builds with OpenSSL 3.0.0 which triggers this via the
BIO_get_ktls_recv() call on the SSL bio, aka
BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, ...);
Stefan Eissing [Thu, 9 Dec 2021 14:15:19 +0000 (14:15 +0000)]
* When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
sends a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
No changes-entries, since this fix is proposed for backport on the 1.15.x
module codebase in 2.4.x in a separate PR.
Ruediger Pluem [Thu, 9 Dec 2021 08:38:30 +0000 (08:38 +0000)]
* Correctly send a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
current status code of the request.
Ruediger Pluem [Thu, 9 Dec 2021 07:40:25 +0000 (07:40 +0000)]
* Do not change the status code after we already sent it to the client.
Changing the status code after we sent it to the client causes a status
code being logged that is different from the one sent to the client which
can be confusing.
Joe Orton [Tue, 7 Dec 2021 16:02:21 +0000 (16:02 +0000)]
As in r1877467 for mod_ssl, for OpenSSL 1.1.1+ require that OpenSSL is
configured with a suitable entropy source and don't try to seed it
from getpid etc.
* support/ab.c (main): Check RAND_status().
(ssl_rand_seed, ssl_rand_choosenum): Drop for OpenSSL 1.1.1+.
Yann Ylavic [Mon, 6 Dec 2021 17:12:28 +0000 (17:12 +0000)]
mpm_event: Follow up to r1895553.
We can still kill processes above MaxSpareThreads at every maintenance cycle
unless there is not enough headroom in the scoreboard for a graceful restart.
Stefan Eissing [Mon, 6 Dec 2021 10:34:27 +0000 (10:34 +0000)]
*) mod_http2: fixed a bug in v2.0.0 that could lead to an infinite
loop when clients close connections prematurely.
Enhanced the scoreboard status updates on h2 connections for
mod_status. 'server-status' now gives a better idea what the
connection is working on.
Joe Orton [Fri, 3 Dec 2021 16:40:18 +0000 (16:40 +0000)]
* support/ab.c (main): Check apr_getopt() returned APR_EOF, fixing clang
warning:
support/ab.c:2343:13: warning[deadcode.DeadStores]: Although the value stored to 'status' is used in the enclosing expression, the value is never actually read from 'status'
Joe Orton [Fri, 3 Dec 2021 13:07:42 +0000 (13:07 +0000)]
* modules/filters/mod_deflate.c (deflate_in_filter): Handle FLUSH in
the input brigade even if done inflating (ctx->done is true), but
don't try to flush the inflate stream in that case. (Caught by
Coverity)
Yann Ylavic [Fri, 3 Dec 2021 12:59:02 +0000 (12:59 +0000)]
mpm_event: Retain active_daemons instead of resetting it on restart.
Since active_daemons is tracked by perform_idle_server_maintenance() and
decremented when a child gets quiescing or exits, clearing it on restart
is actually an off by -total_daemons (of the old gen) after the first calls
to perform_idle_server_maintenance().
Let perform_idle_server_maintenance() be the only one to update active_daemons
by putting it in the retained struct to keep track across restarts.
Stefan Eissing [Tue, 30 Nov 2021 16:29:20 +0000 (16:29 +0000)]
*) mod_tls: added mod_tls from abetterinternet, donated
by ISRG/Prossimo <https://github.com/abetterinternet/mod_tls>.
- adds front-/backend TLS (v1.2/v1.3) via the Rust rustls crate
and its rustls-ffi C binding <https://github.com/rustls/rustls-ffi>.
- documentation at <https://github.com/abetterinternet/mod_tls>
(adding to Apache's manual TBD)
- build support for Apache httpd configure on *nix platforms,
rustls is linked statically into mod_tls.
Yann Ylavic [Thu, 25 Nov 2021 15:57:21 +0000 (15:57 +0000)]
mod_http2: fix logic for non-proxy Server and Date response headers.
First error was in r1890564 where the test for !PROXYREQ_NONE was replaced by
PROXYREQ_RESPONSE (which is never the case besides the fake proxy origin
request) so a mod_h2 PR tried to fix that but the logic is now incorrect.
Let's finally use the same logic as ap_basic_http_header().
Stefan Eissing [Wed, 24 Nov 2021 10:13:42 +0000 (10:13 +0000)]
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows keeping server configuration permissions
world readable without exposing secrets.
Stefan Eissing [Wed, 10 Nov 2021 15:54:27 +0000 (15:54 +0000)]
* testsuite: possible now to issue client certificates and the chain file for them
* testsuite: handling of cert+key in same file improved
* testsuite: using 'stop' configuration to terminate server in case test cases
leave borked test configs lying around.
Stefan Eissing [Mon, 8 Nov 2021 12:33:46 +0000 (12:33 +0000)]
* test: just general cleanup and separation
- base modules loaded minimized
- h2's htdocs/cgi setup now in test/modules/http2
- less args to constructors, more methods
Stefan Eissing [Thu, 4 Nov 2021 09:42:45 +0000 (09:42 +0000)]
* mod_http2: a regression in v1.15.24 of the modules was fixed that
could lead to httpd child processes not being terminated on a
graceful reload or when reaching MaxConnectionsPerChild.
When unprocessed h2 requests were queued at the time, these could stall.
See <https://github.com/icing/mod_h2/issues/212>.
[@hansborr, @famzah, Stefan Eissing]
Stefan Eissing [Wed, 3 Nov 2021 14:29:14 +0000 (14:29 +0000)]
* mod_md: EC private key generation for openssl 3.0 in separate
way since the previous code does not work with it. Keeping
old code for known interop with other *SSL libs.
Stefan Eissing [Fri, 29 Oct 2021 09:04:38 +0000 (09:04 +0000)]
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While working on some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a second account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is a http/https url or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing orders from other accounts.
- When retrieving certificate chains, try to read the response even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal was configured at the same time.
Yann Ylavic [Fri, 15 Oct 2021 11:09:32 +0000 (11:09 +0000)]
mod_proxy_connect: Honor the smallest of the backend or client timeout.
It seems that mod_proxy_connect has never applied any timeout in its tunneling
loop. Address this by setting a default timeout in ap_proxy_tunnel_create()
since mod_proxy_connect does not overwrite tunnel->timeout (while proxy_http
and proxy_wstunnel do).
This default timeout is set to the smallest of the backend side or the client
side timeout.
Yann Ylavic [Fri, 15 Oct 2021 10:29:00 +0000 (10:29 +0000)]
mpm_event: Restart stopping of idle children after a load peak. PR 65626.
r1770752 added a heuristic to avoid stopping children when the load triggers
MaxSpareThreads but children take some time to shut down until the point where
active_daemons_limit/ServerLimit is reached (scoreboard full) and no child gets
created to handle incoming connections.
However when this happens there is nothing to stop children again when the load
settles down (besides MaxRequestsPerChild, which may be 0) so let's restart to
stop children again if/when idle_thread_count reaches max_workers / 4.
Stefan Eissing [Thu, 14 Oct 2021 10:18:17 +0000 (10:18 +0000)]
*) mod_http2: when pollset signals output, resume a stream's data
in nghttp2 every time without checks that response body bytes
are available. This resolves the situation that a stream may stall
when 2 consecutive H2HEADER buckets are sent (e.g. 103+200).
Stefan Eissing [Thu, 14 Oct 2021 09:58:37 +0000 (09:58 +0000)]
*) mod_http2: H2HEADER buckets have the correct length of zero and no
longer smuggle the contained field lengths in this field. Instead
the bytes reported to mod_logio are counted specifically.
Stefan Eissing [Thu, 14 Oct 2021 08:59:12 +0000 (08:59 +0000)]
*) mod_http2: no longer splitting buckets on adding them to a beam,
accepting the whole bucket since no memory is saved by a split.
Also, allowing meta buckets to be added to a "full" beam.
Re-enabled test cases for travis verification.
Stefan Eissing [Wed, 13 Oct 2021 12:26:21 +0000 (12:26 +0000)]
* mod_http2: resurrecting check for nghttp function
nghttp2_session_callbacks_set_on_invalid_header_callback
adding test for proxy server header behaviour
making test fixture package scoped for better performance
Stefan Eissing [Wed, 13 Oct 2021 11:15:03 +0000 (11:15 +0000)]
* mod_http2: checking for nghttp2 function 'set_no_closed_streams' on configure.
adapting test result expectations for new nghttp2 1.45 change in checking
pseudo header fields for invalid characters.