Yann Ylavic [Tue, 21 Dec 2021 18:42:30 +0000 (18:42 +0000)]
mod_proxy: Bump max worker name to 384 chars.
The worker name is a fully qualified URI while the hostname's limit is 256
already, so potentially more than 256 are needed to store the name. Let's
use 384.
Stefan Eissing [Wed, 15 Dec 2021 16:39:38 +0000 (16:39 +0000)]
*) test: added first mod_proxy tests in test/modules/proxy that
check some variations on forward, reverse and mixed vhosts
and also using a unix: domain socket backend.
Joe Orton [Wed, 15 Dec 2021 11:37:53 +0000 (11:37 +0000)]
Add Travis job against OpenSSL 3 with -Werror but with deprecation
warnings disabled.
Be careful to remove the previous OpenSSL install prefix if rebuilding.
Yann Ylavic [Wed, 15 Dec 2021 11:35:36 +0000 (11:35 +0000)]
mod_proxy: follow up to r1895921: Don't prevent forwarding URIs w/ no hostname.
r1895921 changed proxy_detect() to disable forward proxying for URIs with no
hostname which is wrong, there might exist a third-party proxy module handling
the "urn:" scheme for instance (thanks Roy for the catch!).
For this to work, we also need to leave the forward proxied URI alone in
ap_proxy_pre_request() with no UDS special case or alike, a proxy module can
then catch (or not) the original URI as expected.
Yann Ylavic [Mon, 13 Dec 2021 18:55:18 +0000 (18:55 +0000)]
http: Enforce that fully qualified uri-paths not to be forward-proxied
have an http(s) scheme, and that the ones to be forward proxied have a
hostname, per HTTP specifications.
The early checks avoid failing the request later on and thus save cycles
for those invalid cases.
Joe Orton [Fri, 10 Dec 2021 14:50:19 +0000 (14:50 +0000)]
* modules/ssl/ssl_engine_io.c (bio_filter_in_ctrl): Remove debugging
assert for unexpected control commands, matching bio_filter_out_ctrl
which also ignores such invocations. Fixes core dumps in debug
builds with OpenSSL 3.0.0 which triggers this via the
BIO_get_ktls_recv() call on the SSL bio, aka
BIO_ctrl(b, BIO_CTRL_GET_KTLS_RECV, ...);
Stefan Eissing [Thu, 9 Dec 2021 14:15:19 +0000 (14:15 +0000)]
* When reaching server limits, such as MaxRequestsPerChild, the HTTP/2 connection
sent a GOAWAY frame much too early on new connections, leading to invalid
protocol state and a client failing the request. See PR65731 at
<https://bz.apache.org/bugzilla/show_bug.cgi?id=65731>.
The module now initializes the HTTP/2 protocol correctly and allows the
client to submit one request before the shutdown via a GOAWAY frame
is being announced.
No changes-entries, since this fix is proposed for backport on the 1.15.x
module codebase in 2.4.x in a separate PR.
Ruediger Pluem [Thu, 9 Dec 2021 08:38:30 +0000 (08:38 +0000)]
* Correctly send a 100 Continue status code when sending an interim
response as result of an Expect: 100-Continue in the request and not the
current status code of the request.
Ruediger Pluem [Thu, 9 Dec 2021 07:40:25 +0000 (07:40 +0000)]
* Do not change the status code after we already sent it to the client.
Changing the status code after we sent it to the client causes a status
code being logged that is different from the one sent to the client which
can be confusing.
Joe Orton [Tue, 7 Dec 2021 16:02:21 +0000 (16:02 +0000)]
As in r1877467 for mod_ssl, for OpenSSL 1.1.1+ require that OpenSSL is
configured with a suitable entropy source and don't try to seed it
from getpid etc.
* support/ab.c (main): Check RAND_status().
(ssl_rand_seed, ssl_rand_choosenum): Drop for OpenSSL 1.1.1+.
Yann Ylavic [Mon, 6 Dec 2021 17:12:28 +0000 (17:12 +0000)]
mpm_event: Follow up to r1895553.
We can still kill processes above MaxSpareThreads at every maintenance cycle
unless there is not enough headroom in the scoreboard for a graceful restart.
Stefan Eissing [Mon, 6 Dec 2021 10:34:27 +0000 (10:34 +0000)]
*) mod_http2: fixed a bug in v2.0.0 that could lead to an infinite
loop when clients close connections prematurely.
Enhanced the scoreboard status updates on h2 connections for
mod_status. 'server-status' now gives a better idea what the
connection is working on.
Joe Orton [Fri, 3 Dec 2021 16:40:18 +0000 (16:40 +0000)]
* support/ab.c (main): Check apr_getopt() returned APR_EOF, fixing clang
warning:
support/ab.c:2343:13: warning[deadcode.DeadStores]: Although the value stored to 'status' is used in the enclosing expression, the value is never actually read from 'status'
Joe Orton [Fri, 3 Dec 2021 13:07:42 +0000 (13:07 +0000)]
* modules/filters/mod_deflate.c (deflate_in_filter): Handle FLUSH in
the input brigade even if done inflating (ctx->done is true), but
don't try to flush the inflate stream in that case. (Caught by
Coverity)
Yann Ylavic [Fri, 3 Dec 2021 12:59:02 +0000 (12:59 +0000)]
mpm_event: Retain active_daemons instead of resetting it on restart.
Since active_daemons is tracked by perform_idle_server_maintenance() and
decremented when a child gets quiescing or exits, clearing it on restart
is actually an off by -total_daemons (of the old gen) after the first calls
to perform_idle_server_maintenance().
Let perform_idle_server_maintenance() be the only one to update active_daemons
by putting it in the retained struct to keep track across restarts.
Stefan Eissing [Tue, 30 Nov 2021 16:29:20 +0000 (16:29 +0000)]
*) mod_tls: added mod_tls from abetterinternet, donated
by ISRG/Prossimo <https://github.com/abetterinternet/mod_tls>.
- adds front-/backend TLS (v1.2/v1.3) via the Rust rustls crate
and its rustls-ffi C binding <https://github.com/rustls/rustls-ffi>.
- documentation at <https://github.com/abetterinternet/mod_tls>
(adding to Apache's manual TBD)
- build support for Apache httpd configure on *nix platforms,
rustls is linked statically into mod_tls.
Yann Ylavic [Thu, 25 Nov 2021 15:57:21 +0000 (15:57 +0000)]
mod_http2: fix logic for non-proxy Server and Date response headers.
First error was in r1890564 where the test for !PROXYREQ_NONE was replaced by
PROXYREQ_RESPONSE (which is never the case besides the fake proxy origin
request) so a mod_h2 PR tried to fix that but the logic is now incorrect.
Let's finally use the same logic as ap_basic_http_header().
Stefan Eissing [Wed, 24 Nov 2021 10:13:42 +0000 (10:13 +0000)]
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows keeping server configuration permissions
world readable without exposing secrets.
Stefan Eissing [Wed, 10 Nov 2021 15:54:27 +0000 (15:54 +0000)]
* testsuite: possible now to issue client certificates and the chain file for them
* testsuite: handling of cert+key in same file improved
* testsuite: using 'stop' configuration to terminate server in case test cases
leave borked test configs lying around.
Stefan Eissing [Mon, 8 Nov 2021 12:33:46 +0000 (12:33 +0000)]
* test: just general cleanup and separation
- base modules loaded minimized
- h2's htdocs/cgi setup now in test/modules/http2
- less args to constructors, more methods
Stefan Eissing [Thu, 4 Nov 2021 09:42:45 +0000 (09:42 +0000)]
* mod_http2: a regression in v1.15.24 of the modules was fixed that
could lead to httpd child processes not being terminated on a
graceful reload or when reaching MaxConnectionsPerChild.
When unprocessed h2 requests were queued at the time, these could stall.
See <https://github.com/icing/mod_h2/issues/212>.
[@hansborr, @famzah, Stefan Eissing]