Ruediger Pluem [Tue, 2 Feb 2021 19:50:14 +0000 (19:50 +0000)]
* We need to check for (!scheme && (u = strchr(url, ':')) && (u - url) > 14)
later as (!scheme || u[0] != '/' || u[1] != '/' || u[2] == '\0') is true
for requests with the CONNECT method which we need to decline. But in many
cases requests with the CONNECT method have (u - url) > 14 as in this
case (u - url) is the length of the FQDN the forward proxy should connect
to.
Joe Orton [Fri, 29 Jan 2021 12:42:56 +0000 (12:42 +0000)]
Update Travis LDAP testing to use a CentOS based container, pulled
from quay.io, to avoid the new Docker hub pull rate-limiting which
is causing intermittent failures.
Ruediger Pluem [Wed, 27 Jan 2021 08:08:56 +0000 (08:08 +0000)]
Before doing any bind check that the provided username is not NULL and that the
password is neither NULL nor empty.
Binds with empty passwords always succeed, but in case the password of the
user was not empty subsequent LDAP operations fail.
This causes authentications that use user supplied credentials
(AuthLDAPInitialBindAsUser set to on) to fail with status code 500 instead of
401 if the user supplied an empty password.
Add some missing hyper links to directives.
Remove some <var> in <syntax> to be more consistant with the rest of the doc.
Remove a duplicated traling ".".
Yann Ylavic [Tue, 19 Jan 2021 14:16:44 +0000 (14:16 +0000)]
mod_proxy_hcheck: don't pile up health checks. PR 63010.
Prevent health checks from running for a worker until the last one is fully
finished, to avoid making things worse (memory growth, #connections, ..).
This is done by zeroing worker->s->updated before scheduling the worker in the
threadpool, and resetting the time when it's finished. The scheduler then does
nothing if worker->s->updated is zero.
Also, to save some apr_time_now() calls when !HC_USE_THREADS, *baton->now is
updated in the callback and reused by the scheduler.
Yann Ylavic [Thu, 7 Jan 2021 13:19:08 +0000 (13:19 +0000)]
mod_proxy_wstunnel: leave Upgrade requests handling to mod_proxy_http.
Let mod_proxy_http's canon and scheme handlers accept "ws[s]:" schemes so that
mod_proxy_wstunnel can decline requests when mod_proxy_http is loaded.
* modules/proxy/{mod_proxy.h,proxy_util.c} (ap_proxy_worker_can_upgrade):
Add a "dflt" argument to ap_proxy_worker_can_upgrade() which, if not NULL,
is matched when no worker upgrade= parameter is configured. This allows to
handle the default "Upgrade: websocket" case for "ws[s]:" schemes.
* modules/proxy/mod_proxy_http.c (proxy_http_canon, proxy_http_handler):
Add and use the new get_url_scheme() helper to parse URL schemes handled by
mod_proxy_http and use it in canon and scheme handlers. This helper now
accepts ws[s] schemes.
* modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_post_config):
New post_config hook to detect whether mod_proxy_http is loaded and set
global fallback_to_mod_proxy_http flag in this case.
* modules/proxy/mod_proxy_wstunnel.c (proxy_wstunnel_check_trans,
proxy_wstunnel_canon,
proxy_wstunnel_handler):
These hooks now early return DECLINED if fallback_to_mod_proxy_http is set.
While at it, removes the "based on the value of" because, it is not really based on the value of the environment variable, but on its existence or not.
Joe Orton [Thu, 17 Dec 2020 12:44:41 +0000 (12:44 +0000)]
Treat non-leaf certificates present in SSLProxyMachineCertificateFile
the same was as non-leaf certs are in SSLCertificateFile - use them to
build the trusted cert chain for the end-entity (client) cert.
* modules/ssl/ssl_engine_init.c (ssl_init_proxy_certs):
For any non-leaf certificate present in the configured, trust as
if used in SSLProxyMachineCertificateChainFile.
Joe Orton [Thu, 17 Dec 2020 09:27:08 +0000 (09:27 +0000)]
Add job using APR thread debugging, switching to the pthreads
error-checking mutex as the default type. This results in
errors rather than undefined behaviour when double-locking
a mutex.
This mimetypes contains 'xml', but is unfortunately not an xml file.
xml2enc processes these files (in particular, when mod_proxy_html is
used), typically resulting in them being corrupted as it seems to
attempt to perform a ISO-8859-1 to UTF-8 conversion on them.
* modules/filters/mod_xml2enc.c (xml2enc_ffunc): Restrict test for XML
types to matching "+xml".
Yann Ylavic [Tue, 8 Dec 2020 14:06:16 +0000 (14:06 +0000)]
Fix misleading crypt vs hash terminology in ht* and dbmmanage tools.
What the htpasswd, htdbm and dbmmanage tools do is hashing passwords, not
encrypting them, so fix the terminology in manpages, docs, --help, comments
and function names.
Yann Ylavic [Sun, 6 Dec 2020 23:13:38 +0000 (23:13 +0000)]
mod_proxy_http2: stop/wait the workers threads before their pool is killed.
There shouldn't be any worker thread active when pchild is destroyed (thus each
thread's pool), so register workers_pool_cleanup as a pre_cleanup of pchild.
This is to avoid races like the below stacktrace, where slot_run() threads
are still running when clean_child_exit() is called.
Thread 23 (Thread 0x7f4865b79800 (LWP 3740)):
#0 0x00007f4864dec449 in pthread_cond_destroy@@GLIBC_2.3.2 () from /lib/x86_64-linux-gnu/libpthread.so.0
#1 0x00007f4865020117 in run_cleanups (cref=<optimized out>) at memory/unix/apr_pools.c:2629
#2 pool_clear_debug (pool=pool@entry=0x558a5297e4a0, file_line=0x558a5237456b "event.c:757") at memory/unix/apr_pools.c:1830
#3 0x00007f486501ffee in pool_destroy_debug (pool=0x558a5297e4a0, file_line=<optimized out>) at memory/unix/apr_pools.c:1915
#4 0x00007f48650200f0 in pool_clear_debug (pool=pool@entry=0x558a52a41070, file_line=0x558a5237456b "event.c:757") at memory/unix/apr_pools.c:1827
#5 0x00007f486501ffee in pool_destroy_debug (pool=0x558a52a41070, file_line=<optimized out>) at memory/unix/apr_pools.c:1915
#6 0x00007f486502085c in apr_pool_destroy_debug (pool=<optimized out>, file_line=<optimized out>) at memory/unix/apr_pools.c:1957
#7 0x0000558a52326cfc in clean_child_exit (code=0) at event.c:757
#8 0x0000558a52327969 in child_main (child_num_arg=child_num_arg@entry=1, child_bucket=child_bucket@entry=0) at event.c:2926
#9 0x0000558a52327ce5 in make_child (s=0x558a52c9f840, slot=slot@entry=1, bucket=0) at event.c:2992
#10 0x0000558a52327d4c in startup_children (number_to_start=2, number_to_start@entry=3) at event.c:3015
#11 0x0000558a523289ac in event_run (_pconf=<optimized out>, plog=0x558a5273ce00, s=0x558a52c9f840) at event.c:3374
#12 0x0000558a5233e91e in ap_run_mpm (pconf=0x558a5270cbe0, plog=0x558a5273ce00, s=0x558a52c9f840) at mpm_common.c:100
#13 0x0000558a5231b763 in main (argc=<optimized out>, argv=<optimized out>) at main.c:844
Thread 2 (Thread 0x7f4840b70700 (LWP 3836)):
#0 0x00007f4864dec9f3 in pthread_cond_wait@@GLIBC_2.3.2 () from /lib/x86_64-linux-gnu/libpthread.so.0
#1 0x00007f486501f65d in apr_thread_cond_wait (cond=<optimized out>, mutex=<optimized out>) at locks/unix/thread_cond.c:68
#2 0x00007f484e14ae4a in get_next (slot=0x558a528d5fe0) at h2_workers.c:209
#3 slot_run (thread=0x558a52828b30, wctx=0x558a528d5fe0) at h2_workers.c:228
#4 0x00007f4864de66db in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#5 0x00007f4864b0f88f in clone () from /lib/x86_64-linux-gnu/libc.so.6
Thread 1 (Thread 0x7f4841b72700 (LWP 3834)):
#0 0x00007f4864a2ce97 in raise () from /lib/x86_64-linux-gnu/libc.so.6
#1 0x00007f4864a2e801 in abort () from /lib/x86_64-linux-gnu/libc.so.6
#2 0x00007f4865020865 in apr_pool_destroy_debug (pool=<optimized out>, file_line=<optimized out>) at memory/unix/apr_pools.c:1955
#3 0x00007f486502b536 in apr_thread_exit (thd=thd@entry=0x558a52ba8980, retval=retval@entry=0) at threadproc/unix/thread.c:206
#4 0x00007f484e14aec6 in slot_run (thread=0x558a52ba8980, wctx=0x558a528d6060) at h2_workers.c:248
#5 0x00007f4864de66db in start_thread () from /lib/x86_64-linux-gnu/libpthread.so.0
#6 0x00007f4864b0f88f in clone () from /lib/x86_64-linux-gnu/libc.so.6
Yann Ylavic [Thu, 3 Dec 2020 14:06:17 +0000 (14:06 +0000)]
mod_proxy: provide prefetching and spooling mechanisms to all proxy modules.
Export ap_proxy_prefetch_input(), ap_proxy_spool_input() and
ap_proxy_read_input() from mod_proxy_http to mod_proxy.h/proxy_util.c so
that they are usable by all proxy modules.
mod_proxy_fcgi will use them in a following commit.
Yann Ylavic [Fri, 27 Nov 2020 17:31:09 +0000 (17:31 +0000)]
ap_pbase64decode(): save double NUL byte allocation and assignment.
apr_base64_decode_len() already accounts for the NUL byte, and
apr_base64_decode() already NUL terminates the string, no need
to do it in ap_pbase64decode().
Yann Ylavic [Mon, 23 Nov 2020 11:14:56 +0000 (11:14 +0000)]
mod_auth_digest: fix crash on ONE_PROCESS (debug) mode shutdown.
There need to be separate global variables for rmm and mutex(es) in the parent
and child processes, otherwise in ONE_PROCCESS (were clean_child_exit() and
ap_terminate() execute in the same process) the variables get overwritten in
child_init and freed twice when pchild and then pconf are destroyed.
Yann Ylavic [Mon, 23 Nov 2020 11:03:45 +0000 (11:03 +0000)]
mod_proxy: pconf vs pchild consistency, and correctness in ONE_PROCESS mode.
Consistently use pconf for ap_proxy_define_{worker,balancer}() and pchild for
ap_proxu_initialize_{worker,balancer}() in mod_proxy [child_]init code.
pchild is needed in _initialize() for mutexes/shms' child_init and cleanup,
and to avoid a crash on shutdown (i.e. ap_terminate) in ONE_PROCESS mode,
where worker->cp->pool is destroyed twice, let's register conn_pool_cleanup()
as a pre_cleanup of pchild.
projects / thirdparty / apache / httpd.git / log
