Yann Ylavic [Thu, 25 Nov 2021 15:57:21 +0000 (15:57 +0000)]
mod_http2: fix logic for non-proxy Server and Date response headers.
First error was in r1890564 where the test for !PROXYREQ_NONE was replaced by
PROXYREQ_RESPONSE (which is never the case besides the fake proxy origin
request) so a mod_h2 PR tried to fix that but the logic is now incorrect.
Let's finally use the same logic as ap_basic_http_header().
Stefan Eissing [Wed, 24 Nov 2021 10:13:42 +0000 (10:13 +0000)]
*) mod_md: values for External Account Binding (EAB) can
now also be configured to be read from a separate JSON
file. This allows keeping server configuration permissions
world readable without exposing secrets.
Stefan Eissing [Wed, 10 Nov 2021 15:54:27 +0000 (15:54 +0000)]
* testsuite: possible now to issue client certificates and the chain file for them
* testsuite: handling of cert+key in same file improved
* testsuite: using 'stop' configuration to terminate server in case test cases
leave borked test configs lying around.
Stefan Eissing [Mon, 8 Nov 2021 12:33:46 +0000 (12:33 +0000)]
* test: just general cleanup and separation
- base modules loaded minimized
- h2's htdocs/cgi setup now in test/modules/http2
- less args to constructors, more methods
Stefan Eissing [Thu, 4 Nov 2021 09:42:45 +0000 (09:42 +0000)]
* mod_http2: a regression in v1.15.24 of the modules was fixed that
could lead to httpd child processes not being terminated on a
graceful reload or when reaching MaxConnectionsPerChild.
When unprocessed h2 requests were queued at the time, these could stall.
See <https://github.com/icing/mod_h2/issues/212>.
[@hansborr, @famzah, Stefan Eissing]
Stefan Eissing [Wed, 3 Nov 2021 14:29:14 +0000 (14:29 +0000)]
* mod_md: EC private key generation for openssl 3.0 in a separate
way since the previous code does not work with it. Keeping
old code for known interop with other *SSL libs.
Stefan Eissing [Fri, 29 Oct 2021 09:04:38 +0000 (09:04 +0000)]
*) mod_md: adding v2.4.8 with the following changes
- Added support for ACME External Account Binding (EAB).
Use the new directive `MDExternalAccountBinding` to provide the
server with the value for key identifier and hmac as provided by
your CA.
While it works with some servers, EAB handling is not uniform
across CAs. First tests with a Sectigo Certificate Manager in
demo mode are successful. But ZeroSSL, for example, seems to
regard EAB values as a one-time-use-only thing, which makes them
fail if you create a second account or retry the creation of the
first account with the same EAB.
- The directive 'MDCertificateAuthority' now checks if its parameter
is an http/https URL or one of a set of known names. Those are
'LetsEncrypt', 'LetsEncrypt-Test', 'Buypass' and 'Buypass-Test'
for now and they are not case-sensitive.
The default of LetsEncrypt is unchanged.
- `MDContactEmail` can now be specified inside a `<MDomain dnsname>`
section.
- Treating 401 HTTP status codes for orders like 403, since some ACME
servers seem to prefer that for accessing orders from other accounts.
- When retrieving certificate chains, try to read the response even
if the HTTP Content-Type is unrecognized.
- Fixed a bug that reset the error counter of a certificate renewal
and prevented the increasing delays in further attempts.
- Fixed the renewal process giving up every time on an already existing
order with some invalid domains. Now, if such are seen in a previous
order, a new order is created for a clean start over again.
See <https://github.com/icing/mod_md/issues/268>
- Fixed a mixup in md-status handler when static certificate files
and renewal were configured at the same time.
Yann Ylavic [Fri, 15 Oct 2021 11:09:32 +0000 (11:09 +0000)]
mod_proxy_connect: Honor the smallest of the backend or client timeout.
It seems that mod_proxy_connect has never applied any timeout in its tunneling
loop. Address this by setting a default timeout in ap_proxy_tunnel_create()
since mod_proxy_connect does not overwrite tunnel->timeout (while proxy_http
and proxy_wstunnel do).
This default timeout is set to the smallest of the backend side or the client
side timeout.
Yann Ylavic [Fri, 15 Oct 2021 10:29:00 +0000 (10:29 +0000)]
mpm_event: Restart stopping of idle children after a load peak. PR 65626.
r1770752 added a heuristic to avoid stopping children when the load triggers
MaxSpareThreads but children take some time to shut down until the point where
active_daemons_limit/ServerLimit is reached (scoreboard full) and no child gets
created to handle incoming connections.
However when this happens there is nothing to stop children again when the load
settles down (besides MaxRequestsPerChild, which may be 0) so let's restart to
stop children again if/when idle_thread_count reaches max_workers / 4.
Stefan Eissing [Thu, 14 Oct 2021 10:18:17 +0000 (10:18 +0000)]
*) mod_http2: when pollset signals output, resume a stream's data
in nghttp2 every time without checks that response body bytes
are available. This resolves the situation that a stream may stall
when 2 consecutive H2HEADER buckets are sent (e.g. 103+200).
Stefan Eissing [Thu, 14 Oct 2021 09:58:37 +0000 (09:58 +0000)]
*) mod_http2: H2HEADER buckets have the correct length of zero and no
longer smuggle the contained field lengths in this field. Instead
the bytes reported to mod_logio are counted specifically.
Stefan Eissing [Thu, 14 Oct 2021 08:59:12 +0000 (08:59 +0000)]
*) mod_http2: no longer splitting buckets on adding them to a beam,
accepting the whole bucket since no memory is saved by a split.
Also, allowing meta buckets to be added to a "full" beam.
Re-enabled test cases for travis verification.
Stefan Eissing [Wed, 13 Oct 2021 12:26:21 +0000 (12:26 +0000)]
* mod_http2: resurrecting check for nghttp function
nghttp2_session_callbacks_set_on_invalid_header_callback
adding test for proxy server header behaviour
making test fixture package scoped for better performance
Stefan Eissing [Wed, 13 Oct 2021 11:15:03 +0000 (11:15 +0000)]
* mod_http2: checking for nghttp2 function 'set_no_closed_streams' on configure.
adapting test result expectations for new nghttp2 1.45 change in checking
pseudo header fields for invalid characters.
Yann Ylavic [Tue, 12 Oct 2021 16:48:18 +0000 (16:48 +0000)]
*) core: Be safe with ap_lingering_close() called with a socket NULL-ed.
PR 65627.
mod_itk seems to:
ap_set_core_module_config(c->conn_config, NULL)
before calling ap_lingering_close(), causing a crash after r1891721.
Until we have an API to no-op ap_lingering_close(), let's be safe.
* server/connection.c(ap_start_lingering_close):
The socket should not be NULL here, add an assertion.
* server/connection.c(ap_lingering_close):
Set c->aborted if the socket is NULL, and give up.
Stefan Eissing [Tue, 12 Oct 2021 13:34:01 +0000 (13:34 +0000)]
*) mod_http2:
- Fixed an issue since 1.15.24 that "Server" headers in proxied requests
were overwritten instead of preserved. [PR by @daum3ns]
- Added directive 'H2StreamTimeout' to configure a separate value for HTTP/2
streams, overriding server's 'Timeout' configuration. [rpluem]
- HTTP/2 connections now use pollsets to monitor the status of the
ongoing streams and their main connection when host OS allows this.
- Removed work-arounds for older versions of libnghttp2 and checking
during configure that at least version 1.15.0 is present.
- The HTTP/2 connection state handler, based on an experiment and draft
at the IETF http working group (abandoned for some time), has been removed.
- H2SerializeHeaders no longer has an effect. A warning is logged when it is
set to "on". The switch enabled the internal writing of requests to be parsed
by the internal HTTP/1.1 protocol handler and was introduced to avoid
potential incompatibilities during the introduction of HTTP/2.
- Removed the abort/redo of tasks when mood swings lower the active limit.
Stefan Eissing [Mon, 11 Oct 2021 14:08:57 +0000 (14:08 +0000)]
* test infrastructure:
- moved common pytest code into test/pyhttpd
- does basic setup for a list of host names and some htdocs
- added modules/core and moved encoding tests from http2 there
- all test methods have module name in prefix now, so to test only core, run
> pytest -k test_core
Yann Ylavic [Sat, 9 Oct 2021 15:22:00 +0000 (15:22 +0000)]
mod_proxy_uwsgi: Remove duplicate slashes at the beginning of PATH_INFO.
To accommodate configs like:
ProxyPass /uwsgi-pp uwsgi://localhost:8001/
which before r1892805 did not produce a leading double-slash in PATH_INFO.
Ruediger Pluem [Fri, 8 Oct 2021 10:49:06 +0000 (10:49 +0000)]
* Make aliases more robust against potential traversal attacks, by using
apr_filepath_merge to merge the real path and the remainder of the fake
path like we do in the same situation for resources mapped by
DocumentRoot.
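The merge rule this commit describes, shown as an added Python illustration (not httpd's code, which uses apr_filepath_merge()): the remainder of the fake path is normalised relative to the real directory and the result is rejected if it no longer lies inside that directory. The alias table and function names are constructed for the example.

```python
import posixpath

# Constructed alias table: fake URL prefix -> real filesystem directory.
# Same shape as an "Alias /fake /real" mapping; the entries are made up.
ALIASES = {
    "/icons": "/usr/share/httpd/icons",
    "/docs": "/srv/www/docs",
}


def match_alias(url_path, aliases=ALIASES):
    """Return (real_dir, remainder) for the longest matching alias prefix.

    A prefix only matches on a path-segment boundary, so "/icons2/x" is not
    served from the "/icons" alias. Returns None when nothing matches.
    """
    best = None
    for fake, real in aliases.items():
        if url_path == fake or url_path.startswith(fake + "/"):
            if best is None or len(fake) > len(best[0]):
                best = (fake, real)
    if best is None:
        return None
    fake, real = best
    return real, url_path[len(fake):].lstrip("/")


def merge_alias_path(url_path, aliases=ALIASES):
    """Merge the real directory with the remainder of the fake path.

    The remainder is normalised (".", "..", duplicate slashes collapsed)
    against the real directory, and the result is rejected unless it still
    lies inside that directory. This restates the effect the commit above
    gets from apr_filepath_merge(); it is not httpd's implementation.
    """
    hit = match_alias(url_path, aliases)
    if hit is None:
        return None
    real_dir, remainder = hit
    merged = posixpath.normpath(posixpath.join(real_dir, remainder))
    root = posixpath.normpath(real_dir)
    if merged != root and not merged.startswith(root + "/"):
        return None  # ".." segments escaped the aliased directory
    return merged
```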
Joe Orton [Thu, 7 Oct 2021 10:17:27 +0000 (10:17 +0000)]
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_callbacks,
ssl_init_server_certs): Flip logic for enabling/disabling DH auto
parameter selection for OpenSSL 1.1+ to be simpler and consistent
with auto ECDH curve selection.
Joe Orton [Mon, 4 Oct 2021 10:26:18 +0000 (10:26 +0000)]
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): For OpenSSL
1.1+, disable auto DH parameter selection if parameters have been
manually configured. This fixes a regression in r1890067 after
which manually configured parameters are ignored.
* modules/proxy/mod_proxy.h, modules/proxy/mod_proxy.c:
Declare/implement the hook.
* modules/proxy/proxy_util.c(proxy_transfer):
Run tunnel_forward hooks when called by the tunneling loop.
Simpler input/output brigade cleanup on exit.
* modules/proxy/mod_proxy.h,modules/proxy/proxy_util.c:
Add ap_proxy_fill_error_brigade() to factorize proxy error handling
on the client connection side.
* modules/proxy/mod_proxy_{http,ajp,uwsgi}.c:
Use ap_proxy_fill_error_brigade() where needed, including when an
empty brigade is returned on the backend side or when calling
ap_proxy_buckets_lifetime_transform fails.