* modules/proxy/mod_proxy.h,modules/proxy/proxy_util.c:
Add ap_proxy_fill_error_brigade() to factorize proxy error handling
on the client connection side.
* modules/proxy/mod_proxy_{http,ajp,uwsgi}.c:
Use ap_proxy_fill_error_brigade() where needed, including when an
empty brigade is returned on the backend side or when calling
ap_proxy_buckets_lifetime_transform fails.
* modules/proxy/mod_proxy.h:
Restore the interface of ap_proxy_transfer_between_connections() back to
before MMN 20210506.0.
Add ap_proxy_tunnel_conn_bytes_in() and ap_proxy_tunnel_conn_bytes_out().
New proxy_tunnel_conn_t typedef'ed from opaque struct proxy_tunnel_conn.
* modules/proxy/mod_proxy.h(ap_proxy_tunnel_conn_get_read,
ap_proxy_tunnel_conn_get_transferred):
Axed/replaced by ap_proxy_tunnel_conn_bytes_in() and
ap_proxy_tunnel_conn_bytes_out().
* modules/proxy/proxy_util.c(struct proxy_tunnel_conn):
Replace "exchanged" by "bytes_in" and "bytes_out".
* modules/proxy/proxy_util.c(proxy_transfer):
New helper implementing ap_proxy_transfer_between_connections() and
returning both &bytes_in and &bytes_out.
* modules/proxy/proxy_util.c(ap_proxy_transfer_between_connections):
Now calls proxy_transfer().
* modules/proxy/proxy_util.c(ap_proxy_tunnel_conn_bytes_in,
ap_proxy_tunnel_conn_bytes_out):
Return tc->bytes_in and tc->bytes_out respectively.
* modules/proxy/proxy_util.c(proxy_tunnel_forward):
Use proxy_transfer() which updates in->bytes_in, &out->bytes_out.
tunnel->replied will be updated in proxy_tunnel_run().
* modules/proxy/proxy_util.c(proxy_tunnel_forward):
Fall through the "done" label in any case to set tunnel->replied based
on tunnel->client->bytes_out > 0.
* modules/proxy/mod_proxy_http.c(ap_proxy_http_process_response):
Use ap_proxy_tunnel_conn_bytes_{in,out}() for worker->s->{read,transferred}
accounting.
* modules/proxy/mod_proxy_http.c(proxy_http_async_finish):
Update worker->s->{read,transferred} when async too.
Stefan Eissing [Thu, 23 Sep 2021 13:44:58 +0000 (13:44 +0000)]
* mod_http2: fix version suffix after sync with github
Make shutdown worker wait loop robust against timed wait
interruptions and report the correct seconds waited.
* t/modules/http2.t is gone since 1893547. So do not use it any longer in
HTTP/2 tests and remove the dependency on Protocol::HTTP2::Client.
Update test/travis_run_linux.sh to handle NO_TEST_FRAMEWORK.
mod_proxy: Handle UDS URIs with empty hostname as if they had no hostname.
It was reported to me (privately) that r1893101 broke existing settings like:
SetHandler "proxy:unix:///path/to/uds.sock|fcgi://localhost/"
RFC 3986 (section 3.2.2) says that:
If the URI scheme defines a default for host, then that default
applies when the host subcomponent is undefined or when the
registered name is empty (zero length). For example, the "file" URI
scheme is defined so that no authority, an empty host, and
"localhost" all mean the end-user's machine, whereas the "http"
scheme considers a missing authority or empty host invalid.
Let's consider that the "unix" scheme is closer to the "file" scheme than
the "http" one, and accept "unix:///path/to/uds.sock" as a valid URI.
Handle the unix: scheme as an obsolute URI or a rule like:
RewriteRule ^/(.*) unix:/path/to/uds.sock|fcgi://localhost/$1 [P]
sets r->filename for /index.html as:
proxy:http://www.example.com/unix:/path/to/uds.sock|http://localhost/index.html
instead of the expected:
proxy:unix:/path/to/uds.sock|http://localhost/index.html
Submitted by: Janne Peltonen <janne.peltonen sange.fi>
Reviewed by: ylavic
In case one of the pre_connection hooks causes the hook run to stop by an error
the pre_connection hook of the core module maybe did not run
(it is APR_HOOK_REALLY_LAST) and hence we missed to
- Put the socket in c->conn_config
- Setup core output and input filters
- Set socket options and timeouts
For calls of ap_run_pre_connection where this matters create a wrapper named
ap_pre_connection that ensures that this happens.
* include/ap_mmn.h: Bump minor version as we added new ap_pre_connection
function.
idle_spawn_rate *= 2 can go above MAX_SPAWN_RATE at some point, and it's not
enough for MAX_SPAWN_RATE to be a power of two for MPMs event and worker since
idle_spawn_rate is per bucket (num_buckets is not necessarily a power of two).
Let's cap on the other MPMs too should MAX_SPAWN_RATE change in the future.
Stefan Eissing [Fri, 17 Sep 2021 12:18:41 +0000 (12:18 +0000)]
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This provides scripts that distribute
information in a cluster to abort early with bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
Stefan Eissing [Wed, 15 Sep 2021 13:22:27 +0000 (13:22 +0000)]
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
core: Add ap_create_connection() to create a server or client/proxy connection.
c->outgoing shouldn't be set by mod_ssl, ap_create_connection() allows that
and this commit also replaces all the calls to ap_run_create_connection() in
mod_proxy modules (not in the MPMs which create incoming connections only).
* include/http_connection.h, server/connection.c:
Declare and implement ap_create_connection().
* modules/proxy/proxy_util.c, modules/proxy/mod_proxy_connect.c,
modules/proxy/mod_proxy_ftp.c:
Use ap_create_connection() instead of ap_run_create_connection(), and don't
provide a connection_id a scoreboard handle for outgoing connection.
* server/log.c(do_errorlog_default):
Use c->outgoing instead of c->sbh to determine if it's a "client" or "remote"
connection.
mpm_event: Follow up to r1893014: log when children are not spawned.
Log at trace5 level when active_daemons >= active_daemons_limit and we won't
spawn children. Reset free_length to avoid negative value in this case too.
core: Initialize the request fields on read failure to avoid NULLs.
* server/protocol.c(read_request_line):
Set r->method_number to M_INVALID and r->{method,uri,unparsed_uri} to "-"
when read fails, ap_parse_request_line() will never be called.
core: Initialize the request fields on read failure to avoid NULLs.
* server/protocol.c(read_request_line):
Set r->method_number to M_INVALID and r->{method,uri,unparsed_uri} to "-"
when read fails, ap_parse_request_line() will never be called.
mod_proxy: Don't canonicalize with both nocanon and ProxyPassInterpolateEnv On.
If nocanon is set, we should match the unparsed_uri against the interpolated
alias (not the ProxyPass'ed one) when verifying the resulting length. Otherwise
we falsely restore the canonicalized URL in case of mismatch. PR 65549.
mpm_event: Fix children processes possibly not stopped on graceful restart.
The number of children spawned can go above active_daemons_limit due to
exponential idle_spawn_rate growth (x 2), enforce the upper limit in
perform_idle_server_maintenance(). PR 63169.
mod_unique_id: Follow up to r1892915 and r1893002: Atomic counter.
* modules/metadata/mod_unique_id.c(gen_unique_id):
Use an atomic 32bit counter to close the race condition, using the lower
16 bits for uuencoding still.
mod_unique_id: Follow up to r1892915: Shorter counter race condition yet.
* modules/metadata/mod_unique_id.c(gen_unique_id):
Set the counter in network byte order for uuencoding only, allowing for
simple cur_unique_id.counter++
core: Set r->request_time before any logging, mod_unique_id needs it.
* server/protocol.c(read_request_line):
Move r->request_time initialization before first APLOG_TRACE5,
ap_log_rerror() may run the generate_log_id hooks and call mod_unique_id
with no timestamp initialized (zero).
* modules/proxy/proxy_util.c(fix_uds_filename):
Sanity checks on the configured UDS path, fail with 500 if invalid since
continuing through proxy processing wouldn't work as expected.
mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
directly from the given URL.
Stefan Eissing [Wed, 1 Sep 2021 13:16:03 +0000 (13:16 +0000)]
mod_md:
* Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoid potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
Yann Ylavic [Mon, 30 Aug 2021 18:04:20 +0000 (18:04 +0000)]
mod_proxy: Fix potential tunneling infinite loop and spurious timeout.
PRs 65521 and 65519.
* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
Avoid an infinite loop by shutting down the connection for write when poll()
returns POLLHUP and read is already down. PR 65521.
* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
When write completion is finished don't check for ap_filter_input_pending()
before proxy_tunnel_forward() to flush input data, this is a nonblocking read
already which will do the same thing implicitely. ap_filter_input_pending()
is broken in 2.4.x without the whole pending data mechanism (not backported
yet), so let's align here. PR 65519.
Stefan Eissing [Mon, 30 Aug 2021 10:05:06 +0000 (10:05 +0000)]
* mod_deflate: refrain from reading buckets of known length, just
to get their length. This may transform buckets unwanted (e.g. file
to mmap) and prevent optimization down the filter chain.
Stefan Eissing [Thu, 26 Aug 2021 11:10:06 +0000 (11:10 +0000)]
test/modules/http2:
* removing unneeded python imports for smaller footprint
* fixing bug in waiting for stopped server to no longer
accept new connections.
Stefan Eissing [Wed, 25 Aug 2021 14:59:03 +0000 (14:59 +0000)]
mod_http2: fixes a use-after-read of an integer value when
passing a stream identifier for further IO checking. A
non-issue since an int value matching no active stream
will lead to no action.
Stefan Eissing [Wed, 25 Aug 2021 14:31:12 +0000 (14:31 +0000)]
* test/modules/http2: using stop/start instead of reload when changing apache configs
to give reliable results. The new reload behaviour keeps old children around until
very late and may answer on old configurations.
Yann Ylavic [Tue, 24 Aug 2021 22:22:40 +0000 (22:22 +0000)]
mpm_{event,worker,prefork}: late stop of children processes on restart.
Change how the main process handles restarts, from:
0. <restart signal>
1. stop old generation of children processes (graceful or not)
2. reload new configuration
3. start new generation of children processes
to:
0. <restart signal>
1. reload new configuration
2. stop old generation of children processes (graceful or not)
3. start new generation of children processes
The delay between stop and start is now very short and does not depend on the
reload time (which can be quite long with many vhosts and/or complex setups
with regexps or whatever third party components to compile).
Also, while reloading, the old generation of children processes keeps accepting
and handling incoming connections until the new generation is up to take over.
* os/unix/unixd.c (sig_term, sig_restart):
Set AP_MPMQ_STOPPING only once.
* server/listen.c (ap_duplicate_listeners):
Use ap_log_error() the main server instead of ap_log_perror().
* server/mpm/{event,worker,prefork}/{event,worker,prefork}.c
({event,worker,prefork}_retained_data):
Save the generation pool pointer (gen_pool) and all the buckets here, they
won't be cleared before the reload like pconf so they need a persitent
storage accross restarts (i.e. retained->gen_pool).
* server/mpm/{event,worker,prefork}/{event,worker,prefork}.c
(perform_idle_server_maintenance, child_main, make_child):
Change usage of all_buckets (previously with global/static scope) to the new
retained->buckets array.
Stefan Eissing [Fri, 20 Aug 2021 16:07:44 +0000 (16:07 +0000)]
* test/module/http2: test suite from github mod_h2 repository
slightly adapted to run in a source build. usage:
> make install # to have httpd, apxs etc. in place
> cd test
> pytest
Yann Ylavic [Fri, 20 Aug 2021 09:36:19 +0000 (09:36 +0000)]
core: follow up to r1891148: WC bucket defaulting to FLUSH bucket.
Define WC bucket semantics as:
/**
* @brief Write Completion (WC) bucket
*
* A WC bucket is a FLUSH bucket with special ->data == &ap_bucket_wc_data,
* still both AP_BUCKET_IS_WC() and APR_BUCKET_IS_FLUSH() hold for them so
* they have the same semantics for most filters, namely:
* Everything produced before shall be passed to the next filter, including
* the WC/FLUSH bucket itself.
* The distinction between WC and FLUSH buckets is only for filters that care
* about write completion (calling ap_filter_reinstate_brigade() with non-NULL
* flush_upto), those can setaside WC buckets and the preceding data provided
* they have first determined that the next filter(s) have pending data
* already, usually by calling ap_filter_should_yield(f->next).
*/
The only filters that care about write completion for now are
ap_core_output_filter() and ssl_io_filter_output(), which try to fill
in the pipe as much as possible, using ap_filter_reinstate_brigade(&flush_upto)
to determine whether they should flush (blocking) or setaside their remaining
data.
So ap_filter_reinstate_brigade() is made to not treat WC as FLUSH buckets and
keep the above filters working as before (and correctly w.r.t. above WC bucket
semantics).
* include/ap_mmn.h, include/util_filter.h:
Axe specific ap_bucket_type_wc and define global &ap_bucket_wc_data address to
mark WC buckets checked by AP_BUCKET_IS_WC().
* server/util_filter.c (ap_filter_reinstate_brigade):
Don't treat WC buckets as FLUSH buckets.
Yann Ylavic [Thu, 19 Aug 2021 16:04:45 +0000 (16:04 +0000)]
core: core output filter to cleanup empty/meta buckets following data, ASAP.
* server/core_filters.c (delete_meta_bucket):
Add delete_meta_bucket() helper to set r->flush on EOR.
* server/core_filters.c (send_brigade_nonblocking):
Use delete_meta_bucket() to factorize code.
* server/core_filters.c (writev_nonblocking):
Use delete_meta_bucket() to factorize code.
Cleanup trailing empty/meta buckets immediately after data have been sent to
get more accurate EOR timestamp (otherwise trailing buckets could be deleted
only after the next data or with a final send_brigade_nonblocking() call in
the output filter).
Improve fix to please a fuzzer which reports:
util.c:2713:26: runtime error: signed integer overflow: 9999999999999999 * 1000 cannot be represented in type 'long'
Compute the maximum limit for each case 's', 'h', 'ms' and 'mi' and make sure that the input is below this value.
While at it, move a comment to make things more consistent and use 'apr_time_from_msec() instead of hand writing it.
Stefan Eissing [Sat, 31 Jul 2021 13:36:19 +0000 (13:36 +0000)]
* core/mpm: add hook 'child_stopping` that gets called when the MPM is
stopping a child process. The additional `graceful` parameter allows
registered hooks to free resources early during a graceful shutdown.
projects / thirdparty / apache / httpd.git / log
