Stefan Eissing [Tue, 19 Nov 2019 12:39:32 +0000 (12:39 +0000)]
*) mod_md: v2.2.4 from github. Fixes a compile-time issue with OpenSSL 1.0.2 in
the new OCSP code. Skips port checks for domain server_rec selection when "tls-alpn-01"
is configured explicitly (related to #133). [@mkauf, Stefan Eissing]
Joe Orton [Fri, 15 Nov 2019 09:46:30 +0000 (09:46 +0000)]
mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.
* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.
* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.
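The file written by the commit above uses the NSS key log format (one line per secret: a label, the 32-byte client_random in hex, the secret in hex), which is what Wireshark's TLS dissector reads. As an added example, not part of the httpd change or of Wireshark, the following parser validates such a file and indexes it by client_random, the value Wireshark uses to match a line to a captured handshake. The sample lines are constructed (not real keys), the helper names are my own, and open_keylog() with 0600 permissions is an assumed hardening step: the file holds material equivalent to the session keys, so it should never be enabled on a production server and should be readable only by the process that needs it.

```python
import os
from typing import Dict, List, Tuple

# Labels of the NSS key log format emitted by OpenSSL's keylog callback, mapped
# to the acceptable secret lengths in bytes.  TLS 1.3 secrets are one hash
# output long (32 for SHA-256 suites, 48 for SHA-384 suites).
KEYLOG_LABELS = {
    "CLIENT_RANDOM": {48},                      # TLS <= 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": {32, 48},    # TLS 1.3 from here on
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
    "EARLY_EXPORTER_SECRET": {32, 48},
}

Entry = Tuple[str, bytes, bytes]  # (label, client_random, secret)


def parse_keylog(text: str) -> List[Entry]:
    """Parse SSLKEYLOGFILE contents; any line that is not well formed raises."""
    entries: List[Entry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):     # blank lines and comments are allowed
            continue
        parts = line.split()
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        label, rand_hex, secret_hex = parts
        if label not in KEYLOG_LABELS:
            raise ValueError(f"line {lineno}: unknown label {label!r}")
        client_random = bytes.fromhex(rand_hex)  # raises ValueError on non-hex input
        secret = bytes.fromhex(secret_hex)
        if len(client_random) != 32:
            raise ValueError(f"line {lineno}: client_random must be 32 bytes")
        if len(secret) not in KEYLOG_LABELS[label]:
            raise ValueError(f"line {lineno}: bad secret length {len(secret)} for {label}")
        entries.append((label, client_random, secret))
    return entries


def group_by_connection(entries: List[Entry]) -> Dict[bytes, Dict[str, bytes]]:
    """Index secrets by client_random: one TLS 1.2 connection yields a single
    CLIENT_RANDOM line, one TLS 1.3 connection yields several labels sharing
    the same client_random."""
    conns: Dict[bytes, Dict[str, bytes]] = {}
    for label, client_random, secret in entries:
        conns.setdefault(client_random, {})[label] = secret
    return conns


def open_keylog(path: str) -> int:
    """Assumed hardening (not part of the httpd change): create the log with
    owner-only permissions before anything appends to it.  Returns the fd."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)


# Constructed sample in the format the callback writes; the hex values are
# fillers, not secrets from any real session.
SAMPLE_LOG = "\n".join([
    "# TLS 1.2 session: one master secret per connection",
    "CLIENT_RANDOM " + "ab" * 32 + " " + "cd" * 48,
    "",
    "# TLS 1.3 session: per-direction secrets share one client_random",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "11" * 32 + " " + "22" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "11" * 32 + " " + "33" * 32,
])

if __name__ == "__main__":
    for client_random, secrets in group_by_connection(parse_keylog(SAMPLE_LOG)).items():
        print(client_random.hex()[:16] + "...", sorted(secrets))
```

A TLS 1.3 connection decrypts only if every traffic secret for the direction of interest is present, so a log with a lone SERVER_HANDSHAKE_TRAFFIC_SECRET line will let Wireshark show the encrypted handshake but not the application data.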
Joe Orton [Thu, 14 Nov 2019 08:39:46 +0000 (08:39 +0000)]
Also avoid adding the Set-Cookie header in both r->headers_out and
r->err_headers_out in ap_cookie_remove and ap_cookie_remove2 functions
to avoid duplication in HTTP response. (Follow-up to r1843244)
Joe Orton [Wed, 13 Nov 2019 08:01:13 +0000 (08:01 +0000)]
Non terminals cannot have string aliases (only tokens appear in error
messages). %token is used to define tokens, and %nterm non terminals.
The hidden %type (which was only recently documented) is meant for
both tokens and non terminals. Yet
%type <foo> expr "expression"
is actually more or less equivalent to
%nterm <foo> expr
%token <foo> "expression"
which is clearly not the intention of the author here.
* server/util_expr_parse.y: Remove useless string-literal only tokens.
Prefer %nterm to %type to avoid this error.
Joe Orton [Tue, 12 Nov 2019 12:45:57 +0000 (12:45 +0000)]
Add buildconf option to force (rather than suppress) regeneration of
the ap_expr parser. Add a Travis job which uses this, so a patch
which changes the parser sources is tested appropriately (e.g. PR#72).
* buildconf: Add --with-regen-expr to force ap_expr regeneration.
* .travis.yml, test/travis_run_linux.sh: Pass BUILDCONF to buildconf
and add job which uses the new option.
Luca Toscano [Wed, 6 Nov 2019 10:21:20 +0000 (10:21 +0000)]
Update travis config
* Add 'if TRAVIS_OS_NAME' to before_install/before_script/script to allow multi-os testing.
* Add separation lines in matrix config (better visual impact).
* Add Linux to all the current jobs' names.
* Add tests for Worker mpm.
Joe Orton [Wed, 6 Nov 2019 09:28:54 +0000 (09:28 +0000)]
Pull in more -dev packages to get more modules building (including mod_md).
Test gcc 7 on bionic, xenial is the Travis default anyway.
Only add the toolchain PPA where really needed.
Yann Ylavic [Tue, 5 Nov 2019 16:41:14 +0000 (16:41 +0000)]
mod_proxy: Improve tunneling loop.
Support half closed connections and pending data draining (for protocols like
rsync). PR 61616.
When reading on one side goes faster than writing on the other side, the output
filters chain may start buffering data and finally block, which will break
bidirectional tunneling for some protocols.
To avoid this, proxy_tunnel_run() now stops polling/reading until pending data
are drained, and recovers appropriately.
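The two behaviours the commit describes, pacing reads against the slower side instead of buffering without bound, and forwarding a half-close only after pending data has drained so the other direction keeps flowing, are shown below in a stand-alone relay. This is an added example written for this page, not the httpd proxy_tunnel_run() code; it uses plain sockets and select() rather than httpd's filter chains, and the client/origin traffic in half_close_demo() is constructed with socketpairs to stand in for a real client and backend.

```python
import select
import socket
import threading

BUFSIZE = 4096


def tunnel(a: socket.socket, b: socket.socket) -> None:
    """Relay bytes both ways until both directions have been half-closed.

    One record per direction (src -> dst).  A source is polled for reading
    only while its direction has nothing pending, so a fast reader cannot
    pile up data behind a slow writer.  EOF on a source becomes
    shutdown(SHUT_WR) on its destination once the pending bytes are out;
    the opposite direction is untouched, as rsync-style protocols require.
    """
    dirs = {
        a: {"dst": b, "pending": b"", "eof": False, "shut": False},
        b: {"dst": a, "pending": b"", "eof": False, "shut": False},
    }
    for s in dirs:
        s.setblocking(False)
    while not all(st["shut"] for st in dirs.values()):
        rlist = [s for s, st in dirs.items() if not st["eof"] and not st["pending"]]
        wlist = [st["dst"] for st in dirs.values() if st["pending"]]
        readable, writable, _ = select.select(rlist, wlist, [])
        for s in readable:
            st = dirs[s]
            try:
                data = s.recv(BUFSIZE)
            except OSError:                 # reset by peer: treat as end of stream
                data = b""
            if data:
                st["pending"] = data
            else:
                st["eof"] = True
        for s in writable:
            st = dirs[dirs[s]["dst"]]       # the direction whose destination is s
            try:
                sent = s.send(st["pending"])
            except OSError:                 # destination gone: abort both directions
                for d in dirs.values():
                    d["shut"] = True
                return
            st["pending"] = st["pending"][sent:]
        for st in dirs.values():
            if st["eof"] and not st["pending"] and not st["shut"]:
                try:
                    st["dst"].shutdown(socket.SHUT_WR)   # propagate the half-close
                except OSError:
                    pass
                st["shut"] = True


def _recv_exact(s: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = s.recv(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return buf


def half_close_demo() -> dict:
    """Constructed client/origin exchange through the tunnel; returns what
    each end observed so the behaviour can be checked rather than eyeballed."""
    client, tun_client = socket.socketpair()
    origin, tun_origin = socket.socketpair()
    for s in (client, origin):
        s.settimeout(5)
    worker = threading.Thread(target=tunnel, args=(tun_client, tun_origin))
    worker.start()
    result = {}
    payload = bytes(range(256)) * 1024                        # 256 KiB, outpaces the reader
    sender = threading.Thread(target=client.sendall, args=(payload,))
    sender.start()
    result["origin_got_payload"] = _recv_exact(origin, len(payload)) == payload
    sender.join()
    client.shutdown(socket.SHUT_WR)                           # client is done sending...
    result["origin_saw_eof"] = origin.recv(1) == b""
    reply = b"reply after half-close"
    origin.sendall(reply)                                     # ...but still expects a reply
    result["client_got_reply"] = _recv_exact(client, len(reply)) == reply
    origin.shutdown(socket.SHUT_WR)
    result["client_saw_eof"] = client.recv(1) == b""
    worker.join(5)
    result["tunnel_finished"] = not worker.is_alive()
    for s in (client, origin, tun_client, tun_origin):
        s.close()
    return result


if __name__ == "__main__":
    print(half_close_demo())
```

The key invariant is in the construction of rlist: a source is never read while its own pending buffer is non-empty, which is the stop-polling-until-drained rule the commit adds to proxy_tunnel_run().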
Yann Ylavic [Tue, 5 Nov 2019 12:43:29 +0000 (12:43 +0000)]
mod_proxy: Add proxy check_trans hook.
This allows proxy modules to decline request handling at an early stage.
Then mod_proxy_wstunnel can implement that hook to verify that an Upgrade
is requested, and otherwise hand over to mod_proxy_http.
Stefan Eissing [Tue, 5 Nov 2019 10:06:15 +0000 (10:06 +0000)]
*) mod_md v2.2.3:
- Configuring MDCAChallenges replaces any previous existing challenge configuration. It
had been additive before which was not the intended behaviour. [@mkauf]
- Fixing order of ACME challenges used when nothing else configured. Code now behaves as
documented for `MDCAChallenges`. Fixes #156. Thanks again to @mkauf for finding this.
- Fixing a potential, low memory null pointer dereference [thanks to @uhliarik].
- Fixing an incompatibility with a change in libcurl v7.66.0 that added unwanted
"transfer-encoding" to POST requests. This failed in direct communication with
Let's Encrypt boulder server. Thanks to @mkauf for finding and fixing.
Yann Ylavic [Sun, 3 Nov 2019 15:48:53 +0000 (15:48 +0000)]
mod_proxy: factorize mod_proxy_{connect,wstunnel} tunneling code in proxy_util.
This commit adds struct proxy_tunnel_rec that contains the fields needed for a
poll() loop through the filters chains, plus functions ap_proxy_tunnel_create()
and ap_proxy_tunnel_run() to respectively initialize a tunnel and (re)start it.
Proxy connect and wstunnel modules now make use of this new API to avoid
duplicating logic and code.
Yann Ylavic [Thu, 31 Oct 2019 16:16:05 +0000 (16:16 +0000)]
mod_proxy_http: follow up to r1869216.
Let's call stream_reqbody() for all rb_methods, no RB_SPOOL_CL special case.
This both simplifies code and allows keeping EOS in the input_brigade until
it's sent, and thus detecting whether we already fetched the whole body if/when
proxy_http_handler() re-enters for different balancer members.
Yann Ylavic [Thu, 31 Oct 2019 16:08:33 +0000 (16:08 +0000)]
mod_proxy_http: follow up to r1869216.
Let's call stream_reqbody() for all rb_methods, no RB_SPOOL_CL special case.
This both simplifies code and allows keeping EOS in the input_brigade until
it's sent, and thus detecting whether we already fetched the whole body if/when
proxy_http_handler() re-enters for different balancer members.
Yann Ylavic [Thu, 31 Oct 2019 14:15:07 +0000 (14:15 +0000)]
mod_proxy_http: fix load-balancer fallback for requests with a body.
Since r1656259 (or r1656259 in 2.4.41) and the move of prefetch before connect,
the balancer fallback case where proxy_http_handler() is re-entered with the
next balancer member broke.
We need to save the body (partially) prefetched the first time and reuse it on
successive calls, otherwise we might forward a partial or empty body.
Fix alignment in a <highlight> block.
Add directive name in <default> so that 'quickreference.html' is generated with the corresponding default value.
Avoid some duplicated words (i.e. 'to to').
Fix some incorrect directive names in some descriptions.
Fix the description of 'AuthFormBody' which was a copy&paste of 'AuthFormMethod'.
Remove some useless <var></var> around 'On|Off'.
Yann Ylavic [Tue, 22 Oct 2019 10:14:53 +0000 (10:14 +0000)]
mod_ssl: follow up to r1868645.
Restore ssl_callback_ServerNameIndication() even with OpenSSL 1.1.1+, which
depends on its return value (OK/NOACK), mainly on session resumption, for
SSL_get_servername() to consider or ignore the SNI (returning NULL thus
making SSLStrictSNIVHostCheck fail for possibly legitimate cases).
This means that init_vhost() should accurately return whether the SNI exists
in the configured vhosts, even when it's called multiple times (e.g. first
from ClientHello callback and then from SNI callback), so save that state in
sslconn->vhost_found and reuse it.
Yann Ylavic [Sun, 20 Oct 2019 12:31:45 +0000 (12:31 +0000)]
mod_proxy_http: revert r1868625.
The HTTP_IN filter handles "100 Continue" the first time it's called only,
and in spool_reqbody_cl() we have already tried to prefetch the body, so
it's too late.
Yann Ylavic [Sun, 20 Oct 2019 10:50:33 +0000 (10:50 +0000)]
mod_ssl: negotiate the TLS protocol version per name based vhost configuration.
By using the new ClientHello callback provided by OpenSSL 1.1.1, which runs at
the earliest connection stage, we can switch the SSL_CTX of the SSL connection
early enough for OpenSSL to take into account the protocol configuration of the
vhost.
In other words:
SSL_set_SSL_CTX(c->SSL, s->SSL_CTX)
followed by:
SSL_set_{min,max}_proto_version(SSL_CTX_get_{min,max}_proto_version(s->SSL_CTX))
works as expected at this stage (while the same from the SNI callback is
ignored by/due to OpenSSL's state machine).
Extracting the SNI (to select the relevant vhost) in the ClientHello callback
is not as easy as calling SSL_get_servername() though, we have to work with
the raw TLS extensions helpers provided by OpenSSL. I stole this code from a
test in the OpenSSL source code (i.e. client_hello_select_server_ctx() in
test/handshake_helper.c).
We can then call init_vhost() as with the SNI callback (in use only for OpenSSL
versions earlier than 1.1.1 now), and pass it the extracted SNI.
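The raw-extension walk the commit borrows from OpenSSL's test helper is, in the end, a bounds-checked parse of the ClientHello body down to the server_name extension. The following is an added example of that parse written for this page in Python, not the httpd or OpenSSL code: extract_sni() walks one handshake record and returns the host_name (or None when the client sent no SNI, which is what makes init_vhost() fall back to the default vhost), and build_client_hello() constructs a minimal ClientHello so the parser can be exercised offline. The constants and function names are my own; the record layout follows RFC 5246 and RFC 6066. Every length field is checked before use, because a ClientHello is attacker-controlled input parsed before any authentication has happened.

```python
import os
import struct
from typing import Optional, Tuple

TLS_HANDSHAKE = 0x16
CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000   # RFC 6066 server_name extension
NAME_TYPE_HOST = 0x00      # the only NameType defined: host_name


def _take(buf: bytes, pos: int, n: int) -> Tuple[bytes, int]:
    """Return buf[pos:pos+n] and the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from a ClientHello record, None if no SNI was sent.
    Malformed or truncated input raises ValueError instead of being guessed at."""
    hdr, pos = _take(record, 0, 5)                          # type(1) version(2) length(2)
    if hdr[0] != TLS_HANDSHAKE:
        raise ValueError("not a handshake record")
    body, _ = _take(record, pos, struct.unpack("!H", hdr[3:5])[0])
    hs, pos = _take(body, 0, 4)                             # msg_type(1) length(3)
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    hello, _ = _take(body, pos, int.from_bytes(hs[1:4], "big"))
    _, pos = _take(hello, 0, 34)                            # client_version + random
    sid_len, pos = _take(hello, pos, 1)
    _, pos = _take(hello, pos, sid_len[0])                  # session_id
    cs_len, pos = _take(hello, pos, 2)
    _, pos = _take(hello, pos, struct.unpack("!H", cs_len)[0])   # cipher_suites
    cm_len, pos = _take(hello, pos, 1)
    _, pos = _take(hello, pos, cm_len[0])                   # compression_methods
    if pos == len(hello):
        return None                                         # no extensions block at all
    ext_len, pos = _take(hello, pos, 2)
    exts, _ = _take(hello, pos, struct.unpack("!H", ext_len)[0])
    pos = 0
    while pos < len(exts):
        head, pos = _take(exts, pos, 4)
        ext_type, length = struct.unpack("!HH", head)
        data, pos = _take(exts, pos, length)
        if ext_type != EXT_SERVER_NAME:
            continue
        list_len, p = _take(data, 0, 2)
        names, _ = _take(data, p, struct.unpack("!H", list_len)[0])
        p = 0
        while p < len(names):
            name_type, p = _take(names, p, 1)
            n_len, p = _take(names, p, 2)
            name, p = _take(names, p, struct.unpack("!H", n_len)[0])
            if name_type[0] == NAME_TYPE_HOST:
                try:
                    return name.decode("ascii")             # RFC 6066: host_name is ASCII
                except UnicodeDecodeError:
                    raise ValueError("non-ASCII host_name in SNI")
        return None
    return None


def build_client_hello(sni: Optional[str]) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, null compression,
    only the server_name extension if any) for exercising the parser."""
    exts = b""
    if sni is not None:
        host = sni.encode("ascii")
        entry = bytes([NAME_TYPE_HOST]) + struct.pack("!H", len(host)) + host
        data = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(data)) + data
    hello = (b"\x03\x03" + os.urandom(32)                   # client_version + random
             + b"\x00"                                      # empty session_id
             + struct.pack("!H", 2) + b"\xc0\x2f"           # one cipher suite
             + b"\x01\x00")                                 # null compression
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 0x03, 0x01]) + struct.pack("!H", len(hs)) + hs


if __name__ == "__main__":
    print(extract_sni(build_client_hello("example.com")), extract_sni(build_client_hello(None)))
```

Note that the parser returns on the first host_name entry and ignores the rest of the list: RFC 6066 forbids more than one entry per NameType, and a server that honoured a later duplicate could be steered to a different vhost than the one the first entry names.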
Yann Ylavic [Sat, 19 Oct 2019 13:58:16 +0000 (13:58 +0000)]
mod_proxy_http: follow up to r1868576.
As suggested by Ruediger, let the HTTP_IN filter handle the 100 continue from
spool_reqbody_cl().
Also, according to rfc7231#section-5.1.1, we don't need the interim response
if we "already received some or all of the message body", which is now also
taken into account.
Yann Ylavic [Fri, 18 Oct 2019 07:50:59 +0000 (07:50 +0000)]
mod_proxy_http: Fix 100-continue deadlock for spooled request bodies. PR 63855.
Send "100 Continue", if needed, before fetching/blocking on the request body in
spool_reqbody_cl(), otherwise mod_proxy and the client can wait for each other,
leading to a request timeout (408).
While at it, make so that ap_send_interim_response() uses the default status
line if none is set in r->status_line.
Stefan Eissing [Wed, 16 Oct 2019 12:31:43 +0000 (12:31 +0000)]
*) mod_md: Adding several new features.
The module offers an implementation of OCSP Stapling that can replace fully or
for a limited set of domains the existing one from mod_ssl. OCSP handling
is part of mod_md's monitoring and message notifications. It can be used
for sites that do not have ACME certificates.
The url for a CTLog Monitor can be configured. It is used in the server-status
to link to the external status page of a certificate.
The MDMessageCmd is called with argument "installed" when a new certificate
has been activated on server restart/reload. This allows for processing of
the new certificate, for example for applications that require it in different
locations or formats.
Ruediger Pluem [Fri, 11 Oct 2019 15:11:40 +0000 (15:11 +0000)]
Fix pool concurrency problems
Create a subpool of the connection pool for worker scoped DNS resolutions.
This is needed to avoid race conditions in using the connection pool by multiple
threads during ramp up.
Recheck after obtaining the lock if we still need to do things or if they
were already done by another thread while we were waiting on the lock.
* modules/proxy/proxy_util.c: Create a subpool of the connection pool for worker
scoped DNS resolutions and use it.
* modules/proxy/mod_proxy.h: Define AP_VOLATILIZE_T and add dns_pool to
struct proxy_conn_pool.
* modules/proxy/mod_proxy_ftp.c: Use dns_pool and consider that
worker->cp->addr is volatile in this location of the code.
Joe Orton [Fri, 4 Oct 2019 09:24:07 +0000 (09:24 +0000)]
* modules/generators/cgi_common.h (discard_script_output): Simplify
slightly and ensure constant rather than unlimited memory
consumption when discarding CGI script output (for e.g. a redirect
response).