Graham Leggett [Fri, 21 Jan 2022 00:09:24 +0000 (00:09 +0000)]
event: Add support for non blocking behaviour in the
CONN_STATE_READ_REQUEST_LINE phase, in addition to the existing
CONN_STATE_WRITE_COMPLETION phase. Update mod_ssl to perform non blocking
TLS handshakes.
Yann Ylavic [Thu, 20 Jan 2022 17:01:40 +0000 (17:01 +0000)]
ap_regex: Follow up to r1897240: runtime fallback to alloc/free.
Even though APR_HAS_THREAD_LOCAL is compiled in, ap_regexec() might still be
called by a non apr_thread_t thread, let's fall back to alloc/free in this
case too.
Stefan Eissing [Thu, 20 Jan 2022 15:36:50 +0000 (15:36 +0000)]
*) test:
- modules/http2: ignore some SSL library error logs when using openssl 3.x
- modules/tls: right now, we seem unable to force curl to use TLSv1.3, adjust
test case expectations accordingly. Use --tls-max to force v1.2 where needed.
Yann Ylavic [Thu, 20 Jan 2022 13:15:36 +0000 (13:15 +0000)]
ap_regex: Follow up to r1897240: Fix issues spotted by Rüdiger (thanks!).
#include "apr_thread_proc.h" is enough/needed by util_pcre.c and main.c.
Fix compilation (vector => ovector) for !HAVE_PCRE2 && APR_HAS_THREAD_LOCAL.
Check pcre2_match_data_create() return value for HAVE_PCRE2 && !APR_HAS_THREAD_LOCAL.
Yann Ylavic [Thu, 20 Jan 2022 12:16:58 +0000 (12:16 +0000)]
ap_regex: PCRE needs buffers sized against the number of captures only.
No more (useless), no less (or PCRE will allocate a new buffer by itself to
satisfy the needs), so we should base our buffer size solely on the number
of captures in the regex (determined at compile time from the pattern).
The nmatch provided by the user is used to fill in pmatch only (up to that),
but "our" buffers are sized exactly as needed to avoid oversized allocations
or PCRE allocating by itself.
Yann Ylavic [Thu, 20 Jan 2022 11:09:34 +0000 (11:09 +0000)]
ap_regex: Use Thread Local Storage (if efficient) to avoid allocations.
PCRE2 wants an opaque context by providing the API to allocate and free it, so
to minimize these calls we maintain one opaque context per thread (in Thread
Local Storage, TLS) grown as needed, and while at it we do the same for PCRE1
ints vectors. Note that this requires a fast TLS mechanism to be worth it,
which is the case of apr_thread_data_get/set() from/to apr_thread_current()
when APR_HAS_THREAD_LOCAL; otherwise we'll do the allocation and freeing for
each ap_regexec().
The small stack vector is used for PCRE1 && !APR_HAS_THREAD_LOCAL only now.
Yann Ylavic [Tue, 18 Jan 2022 20:51:42 +0000 (20:51 +0000)]
mod_dav: Follow up to r1897156: Fix warning.
In file included from mod_dav.c:51:
mod_dav.c: In function ‘uripath_is_canonical’:
mod_dav.c:774:38: error: passing argument 1 of ‘ap_strchr’ discards ‘const’ qualifier from pointer target type [-Werror=discarded-qualifiers]
774 | dot_pos = strchr(dot_pos + 1, '.')) {
| ~~~~~~~~^~~
/home/travis/build/apache/httpd/include/httpd.h:2469:34: note: in definition of macro ‘strchr’
2469 | # define strchr(s, c) ap_strchr(s,c)
| ^
/home/travis/build/apache/httpd/include/httpd.h:2457:36: note: expected ‘char *’ but argument is of type ‘const char *’
2457 | AP_DECLARE(char *) ap_strchr(char *s, int c);
| ~~~~~~^
Ruediger Pluem [Tue, 18 Jan 2022 20:13:29 +0000 (20:13 +0000)]
* Allocate the dav_liveprop_elem structure only once in the lifetime of the
resource->pool and reuse it to avoid unnecessary huge memory allocations
during collection walks.
Graham Leggett [Mon, 17 Jan 2022 16:10:51 +0000 (16:10 +0000)]
core: Allow an optional expression to be specified for an effective
path in the DirectoryMatch and LocationMatch directives. This allows
modules like mod_dav to map URLs to URL spaces or to directories on
the filesystem.
Yann Ylavic [Wed, 29 Dec 2021 13:12:44 +0000 (13:12 +0000)]
mpm_event: Fix a possible listener deadlock. PR 65769.
When the listener starts accepting more connections than the number of workers
already started (due to scheduling), the listening sockets get disabled (per
AH03269) but nothing was re-enabling them before the end of the connections,
despite the creation of more idle/available workers in the meantime.
In the worst case there is no idle worker when the listener accepts the first
connection thus nothing to wake up the listener blocked in poll() with no
socket, hence a deadlock.
Fix this by waking up the listener when a worker becomes idle and this unblocks
connections_above_limit(). This is also worthwhile when all the workers are
started (fully initialized runtime) since the number of idle workers is a
condition for connections_above_limit() anyway so the sooner the listeners are
re-enabled the better (the other condition is the number of connections which
is unblocked appropriately by decrement_connection_count() already).
Also when a child exists with ps->quiescing == 1 and it's caught by
server_main_loop() before perform_idle_server_maintenance(), active_daemons was
not decremented as needed (including across restarts), leading to an invalid
active_daemons accounting.
* server/mpm/event/event.c(should_enable_listensocks):
New helper that returns whether listening sockets can be poll()ed again.
* server/mpm/event/event.c(decrement_connection_count, listener_thread):
Use should_enable_listensocks() where previously open-coded.
* server/mpm/event/event.c(worker_thread):
Wake up the listener when is_idle => 1 and should_enable_listensocks().
Have a single point of exit when workers_may_exit to make sure that the
wake always occurs (even when exiting).
* server/mpm/event/event.c(server_main_loop):
Decrement active_daemons not only when !ps->quiescing but also when
ps->quiescing == 1, i.e. all the cases not handled by
perform_idle_server_maintenance() already.
Yann Ylavic [Tue, 21 Dec 2021 18:42:30 +0000 (18:42 +0000)]
mod_proxy: Bump max worker name to 384 chars.
The worker name is a fully qualified URI while the hostname's limit is 256
already, so potentially more than 256 are needed to store the name. Let's
use 384.
Stefan Eissing [Wed, 15 Dec 2021 16:39:38 +0000 (16:39 +0000)]
*) test: added first mod_proxy tests in test/modules/proxy that
check some variations on forward, reverse and mixed vhosts
and also using a unix: domain socket backend.
Joe Orton [Wed, 15 Dec 2021 11:37:53 +0000 (11:37 +0000)]
Add Travis job against OpenSSL 3 with -Werror but with deprecation
warnings disabled.
Be careful to remove the previous OpenSSL install prefix if rebuilding.
Yann Ylavic [Wed, 15 Dec 2021 11:35:36 +0000 (11:35 +0000)]
mod_proxy: follow up to r1895921: Don't prevent forwarding URIs w/ no hostname.
r1895921 changed proxy_detect() to disable forward proxying for URIs with no
hostname which is wrong, there might exist a third-party proxy module handling
the "urn:" scheme for instance (thanks Roy for the catch!).
For this to work, we also need to leave the forward proxied URI alone in
ap_proxy_pre_request() with no UDS special case or alike, a proxy module can
then catch (or not) the original URI as expected.
Yann Ylavic [Mon, 13 Dec 2021 18:55:18 +0000 (18:55 +0000)]
http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
The early checks avoid failing the request later on and thus save cycles
for those invalid cases.
Joe Orton [Fri, 10 Dec 2021 14:50:19 +0000 (14:50 +0000)]
* modules/ssl/ssl_engine_io.c (bio_filter_in_ctrl): Remove debugging
assert for unexpected control commands, matching bio_filter_out_ctrl
which also ignores such invocations. Fixes core dumps in debug
builds with OpenSSL 3.0.0 which triggers this via the
BIO_get_ktls_recv() call on the SSL bio, aka
BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, ...);
Stefan Eissing [Thu, 9 Dec 2021 14:15:19 +0000 (14:15 +0000)]
* When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
sent a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
No changes-entries, since this fix is proposed for backport on the 1.15.x
module codebase in 2.4.x in a separate PR.
Ruediger Pluem [Thu, 9 Dec 2021 08:38:30 +0000 (08:38 +0000)]
* Correctly send a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
current status code of the request.
Ruediger Pluem [Thu, 9 Dec 2021 07:40:25 +0000 (07:40 +0000)]
* Do not change the status code after we already sent it to the client.
Changing the status code after we sent it to the client causes a status
code being logged that is different from the one sent to the client which
can be confusing.
Joe Orton [Tue, 7 Dec 2021 16:02:21 +0000 (16:02 +0000)]
As in r1877467 for mod_ssl, for OpenSSL 1.1.1+ require that OpenSSL is
configured with a suitable entropy source and don't try to seed it
from getpid etc.
* support/ab.c (main): Check RAND_status().
(ssl_rand_seed, ssl_rand_choosenum): Drop for OpenSSL 1.1.1+.
Yann Ylavic [Mon, 6 Dec 2021 17:12:28 +0000 (17:12 +0000)]
mpm_event: Follow up to r1895553.
We can still kill processes above MaxSpareThreads at every maintenance cycle
unless there is not enough headroom in the scoreboard for a graceful restart.
Stefan Eissing [Mon, 6 Dec 2021 10:34:27 +0000 (10:34 +0000)]
*) mod_http2: fixed a bug in v2.0.0 that could lead to an infinite
loop when clients close connections prematurely.
Enhanced the scoreboard status updates on h2 connections for
mod_status. 'server-status' now gives a better idea what the
connection is working on.