Graham Leggett [Sun, 26 Sep 2021 14:35:55 +0000 (14:35 +0000)]
Backport:
*) mpm event: Correctly count active child processes in parent process if
child process dies due to MaxConnectionsPerChild. PR 65592.
Trunk version of patch:
https://svn.apache.org/r1893520
Backport version for 2.4.x of patch:
Trunk version of patch works
svn merge -c 1893520 ^/httpd/httpd/trunk .
+1: rpluem, ylavic, minfrin
Graham Leggett [Sun, 26 Sep 2021 14:30:51 +0000 (14:30 +0000)]
Backport:
*) mod_http2: when a server is restarted gracefully, any idle h2 worker
threads are shut down immediately.
Also, change OpenSSL API use for deprecations in OpenSSL 3.0.
Adds all other, never proposed code changes to make a clean
sync of http2 sources.
trunk patch: http://svn.apache.org/r1893214
http://svn.apache.org/r1893215
http://svn.apache.org/r1893220
and other never proposed code changes
PR: https://github.com/apache/httpd/pull/270
+1: icing, rpluem, minfrin
Graham Leggett [Sun, 26 Sep 2021 14:18:55 +0000 (14:18 +0000)]
Backport:
*) mod_dav: Correctly handle errors returned by dav providers on REPORT
requests.
Trunk version of patch:
https://svn.apache.org/r1893589
Backport version for 2.4.x of patch:
Trunk version of patch works
svn merge -c 1893589 ^/httpd/httpd/trunk .
+1: rpluem, minfrin, ylavic
Graham Leggett [Sun, 26 Sep 2021 14:14:37 +0000 (14:14 +0000)]
Backport:
*) core: do not install core input/output filters on secondary
connections.
Trunk version of patch:
http://svn.apache.org/viewvc?view=revision&revision=1787606
Backport version for 2.4.x of patch:
svn merge -c 1787606 ^/httpd/httpd/trunk .
+1: icing, rpluem, ylavic
Graham Leggett [Sun, 26 Sep 2021 14:11:22 +0000 (14:11 +0000)]
Backport:
*) core: Add ap_pre_connection() as a wrapper to ap_run_pre_connection()
and use it to prevent failures in running the pre_connection
hook from causing crashes afterwards.
Trunk version of patch:
https://svn.apache.org/r1893497
https://svn.apache.org/r1893507
Backport version for 2.4.x of patch:
https://patch-diff.githubusercontent.com/raw/apache/httpd/pull/269.diff
Can be applied via apply_backport_pr.sh 269.
+1: rpluem, icing, ylavic
Stefan Eissing [Fri, 17 Sep 2021 12:41:45 +0000 (12:41 +0000)]
Merge of /httpd/httpd/trunk:r1893399
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This allows scripts that distribute
information in a cluster to abort early without bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
Stefan Eissing [Wed, 15 Sep 2021 13:41:35 +0000 (13:41 +0000)]
Merge of /httpd/httpd/trunk:r1893359
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
Stefan Eissing [Thu, 9 Sep 2021 15:22:23 +0000 (15:22 +0000)]
Merge r1890605, r1893164, r1893179 from trunk:
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding `ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
modules to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core-provided optional functions wrap any registered function,
as was done for `ssl_is_ssl`.
* core: clarify comments and use hook API better to check for presence of callbacks.
core: Set r->request_time before any logging, mod_unique_id needs it.
* server/protocol.c(read_request_line):
Move r->request_time initialization before first APLOG_TRACE5,
ap_log_rerror() may run the generate_log_id hooks and call mod_unique_id
with no timestamp initialized (zero).
mod_unique_id: Follow up to r1892915: Shorter counter race condition yet.
* modules/metadata/mod_unique_id.c(gen_unique_id):
Set the counter in network byte order for uuencoding only, allowing for
simple cur_unique_id.counter++
mod_unique_id: Follow up to r1892915 and r1893002: Atomic counter.
* modules/metadata/mod_unique_id.c(gen_unique_id):
Use an atomic 32-bit counter to close the race condition with threaded MPMs,
using the lower 16 bits for uuencoding still.
mod_proxy: Don't canonicalize with both nocanon and ProxyPassInterpolateEnv On.
If nocanon is set, we should match the unparsed_uri against the interpolated
alias (not the ProxyPass'ed one) when verifying the resulting length. Otherwise
we falsely restore the canonicalized URL in case of mismatch. PR 65549.
mpm_event: Fix children processes possibly not stopped on graceful restart.
The number of children spawned can go above active_daemons_limit due to
exponential idle_spawn_rate growth (x 2), so enforce the upper limit in
perform_idle_server_maintenance(). PR 63169.
Submitted by: Joel Self <joelself gmail.com>
mpm_event: Follow up to r1893014: log when children are not spawned.
Log at trace1 level when active_daemons >= active_daemons_limit and we won't
spawn children. Reset free_length to avoid negative value in this case too.
* modules/proxy/proxy_util.c(fix_uds_filename):
Sanity checks on the configured UDS path, fail with 500 if invalid since
continuing through proxy processing wouldn't work as expected.
mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.
* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.
* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.
* server/scoreboard.c (ap_increment_counts): In certain cases like certain
invalid requests r->method might be NULL here. r->method_number defaults
to M_GET and hence is M_GET in these cases.
mpm_prefork: mask signals during ap_run_child_init().
This prevents threads potentially created from the child_init hooks (e.g.
mod_watchdog workers) from catching signals needed by the MPM, like here:
https://travis-ci.com/github/apache/httpd/jobs/510821148#L5356.
mod_proxy: Fix potential tunneling infinite loop and spurious timeout.
PRs 65521 and 65519.
* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
Avoid an infinite loop by shutting down the connection for write when poll()
returns POLLHUP and read is already down. PR 65521.
* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
When write completion is finished don't check for ap_filter_input_pending()
before proxy_tunnel_forward() to flush input data, this is a nonblocking read
already which will do the same thing implicitly. ap_filter_input_pending()
is broken in 2.4.x without the whole pending data mechanism (not backported
yet), so let's align here. PR 65519.
mod_proxy: Follow up to r1892740.
Really remove the old ap_filter_input_pending() handling forgotten by r1892740.
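As an added illustration of the mod_unique_id counter change in the merge above (example code, not httpd's own; the global counters, `run_counter` and the worker thread are assumptions), this contrasts a per-process counter bumped with a plain `++` from many MPM threads against an atomic 32-bit fetch-and-add, with the low 16 bits put into network byte order as they would be before uuencoding:

```c
/* Added example, not httpd code: models the race that r1893002 closed in
 * mod_unique_id. All names here are assumptions for illustration. */
#include <stdatomic.h>
#include <stdint.h>
#include <pthread.h>
#include <arpa/inet.h>

static _Atomic uint32_t g_counter = 0;   /* atomic counter: the fix */
static uint32_t g_plain_counter = 0;     /* plain counter: the race */

/* Low 16 bits of the next counter value, in network byte order, as they
 * would be placed into the unique-id record before uuencoding. */
uint16_t next_counter16_atomic(void)
{
    uint32_t v = atomic_fetch_add(&g_counter, 1); /* one indivisible step */
    return htons((uint16_t)(v & 0xFFFFu));
}

uint16_t next_counter16_racy(void)
{
    uint32_t v = g_plain_counter++; /* load, add, store: can lose updates */
    return htons((uint16_t)(v & 0xFFFFu));
}

struct worker_args { int iterations; int use_atomic; };

static void *worker(void *p)
{
    struct worker_args *a = p;
    for (int i = 0; i < a->iterations; i++) {
        if (a->use_atomic) next_counter16_atomic();
        else               next_counter16_racy();
    }
    return NULL;
}

/* Run nthreads (max 64) threads, each taking `iterations` ids, and return
 * how many increments were actually recorded. With the atomic counter this
 * is exactly nthreads * iterations; with the racy one it can be smaller,
 * meaning two requests could have received the same counter value. */
uint32_t run_counter(int nthreads, int iterations, int use_atomic)
{
    pthread_t tids[64];
    struct worker_args a = { iterations, use_atomic };
    if (nthreads > 64) nthreads = 64;
    atomic_store(&g_counter, 0);
    g_plain_counter = 0;
    for (int i = 0; i < nthreads; i++)
        pthread_create(&tids[i], NULL, worker, &a);
    for (int i = 0; i < nthreads; i++)
        pthread_join(tids[i], NULL);
    return use_atomic ? atomic_load(&g_counter) : g_plain_counter;
}
```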