From: Stefan Eissing
Date: Fri, 5 Jan 2018 15:16:13 +0000 (+0000)
Subject: On the trunk:
X-Git-Tag: 2.5.0-alpha2-ci-test-only~2998
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2cdb63739baac977720d65fec9c1c7b1d29af86;p=thirdparty%2Fapache%2Fhttpd.git

On the trunk: mod_md v1.1.8: new configuration directive "MDBaseServer on|off" to allow/inhibit management of the base server domains outside VirtualHosts. By default, this is "off", e.g. mod_md will not manage certificates or perform https: redirections on the base server.

git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@1820310 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/CHANGES b/CHANGES
index 5e90aefc4f9..5a5b05c7097 100644
--- a/CHANGES
+++ b/CHANGES
@@ -2,6 +2,11 @@
 Changes with Apache 2.5.1
+  *) mod_md v1.1.8: new configuration directive "MDBaseServer on|off" to allow/inhibit
+     management of the base server domains outside VirtualHosts. By default, this is "off",
+     e.g. mod_md will not manage certificates or perform https: redirections on the
+     base server. [Stefan Eissing]
+
   *) core: Add "AcceptErrorsNonFatal" to allow ECONNREFUSED, ECONNABORTED, and ECONNRESET during the client accept() to not trigger graceful shutdown of the child process. [Eric Covener]
diff --git a/modules/md/md_version.h b/modules/md/md_version.h
index c6d7e59ad52..d76a15b6fe2 100644
--- a/modules/md/md_version.h
+++ b/modules/md/md_version.h
@@ -26,7 +26,7 @@
  * @macro
  * Version number of the md module as c string
  */
-#define MOD_MD_VERSION "1.1.7"
+#define MOD_MD_VERSION "1.1.8"
 
 /**
  * @macro
@@ -34,7 +34,7 @@
  * release. This is a 24 bit number with 8 bits for major number, 8 bits
  * for minor and 8 bits for patch. Version 1.2.3 becomes 0x010203.
  */
-#define MOD_MD_VERSION_NUM 0x010107
+#define MOD_MD_VERSION_NUM 0x010108
 
 #define MD_ACME_DEF_URL "https://acme-v01.api.letsencrypt.org/directory"
diff --git a/modules/md/mod_md.c b/modules/md/mod_md.c
index be9fde5d6b3..038f1d28244 100644
--- a/modules/md/mod_md.c
+++ b/modules/md/mod_md.c
@@ -218,8 +218,12 @@ static apr_status_t assign_to_servers(md_t *md, server_rec *base_server,
     servers = apr_array_make(ptemp, 5, sizeof(server_rec*));
     for (s = base_server; s; s = s->next) {
-        r.server = s;
+        if (!mc->manage_base_server && s == base_server) {
+            /* we shall not assign ourselves to the base server */
+            continue;
+        }
+        r.server = s;
         for (i = 0; i < md->domains->nelts; ++i) {
             domain = APR_ARRAY_IDX(md->domains, i, const char*);
diff --git a/modules/md/mod_md_config.c b/modules/md/mod_md_config.c
index 761338c3429..8cf95dda235 100644
--- a/modules/md/mod_md_config.c
+++ b/modules/md/mod_md_config.c
@@ -50,6 +50,7 @@
 #define MD_CMD_OLD_MD "ManagedDomain"
 #define MD_CMD_MD_SECTION "server);
+    const char *err = ap_check_cmd_context(cmd, GLOBAL_ONLY);
+
+    (void)dc;
+    if (!err) {
+        if (!apr_strnatcasecmp("off", value)) {
+            config->mc->manage_base_server = 0;
+        }
+        else if (!apr_strnatcasecmp("on", value)) {
+            config->mc->manage_base_server = 1;
+        }
+        else {
+            err = apr_pstrcat(cmd->pool, "unknown '", value,
+                              "', supported parameter values are 'on' and 'off'", NULL);
+        }
+    }
+    return err;
+}
+
 static const char *md_config_set_require_https(cmd_parms *cmd, void *dc, const char *value)
 {
     md_srv_conf_t *config = md_config_get(cmd->server);
@@ -831,6 +854,8 @@ const command_rec md_cmds[] = {
                   "Redirect non-secure requests to the https: equivalent."),
     AP_INIT_TAKE1( MD_CMD_NOTIFYCMD, md_config_set_notify_cmd, NULL, RSRC_CONF,
                   "set the command to run when signup/renew of domain is complete."),
+    AP_INIT_TAKE1( MD_CMD_BASE_SERVER, md_config_set_base_server, NULL, RSRC_CONF,
+                  "allow managing of base server outside virtual hosts."),
     /* This will disappear soon */
     AP_INIT_TAKE_ARGV( MD_CMD_OLD_MD, md_config_set_names_old, NULL, RSRC_CONF,
diff --git a/modules/md/mod_md_config.h b/modules/md/mod_md_config.h
index 10edbab0966..87caf2774ab 100644
--- a/modules/md/mod_md_config.h
+++ b/modules/md/mod_md_config.h
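Review bot: The `continue` that skips the base server is silent, so an MD whose domains match nothing but the base server ends up unassigned with no hint that `MDBaseServer off` (the default) is the reason; a debug-level `ap_log_error(APLOG_MARK, APLOG_DEBUG, 0, base_server, ...)` at that point, naming the MD and the directive, would make such a misconfiguration diagnosable from the error log. The comment could also say why rather than what: `/* MDBaseServer off: the base server outside any <VirtualHost> is never managed */`. The enclosing function assign_to_servers starts and ends outside the hunk, and `mc` is presumably a local obtained earlier in it, which is not visible here.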
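Review bot: The help string for the new directive, `"allow managing of base server outside virtual hosts."`, does not tell an operator that it takes `on|off` or that the default is off, which the commit message states; suggest `"Allow managing of the base server outside virtual hosts, 'on' or 'off' (default: off)."`. The `MD_CMD_BASE_SERVER` macro and the setter it binds to belong to the preceding hunk of this file, whose rendering is garbled on this page, so their text cannot be checked here.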
@@ -47,6 +47,7 @@ typedef struct {
     int local_443; /* On which port https:443 arrives */
     int can_http; /* Does someone listen to the local port 80 equivalent? */
     int can_https; /* Does someone listen to the local port 443 equivalent? */
+    int manage_base_server; /* If base server outside vhost may be managed */
     int hsts_max_age; /* max-age of HSTS (rfc6797) header */
     const char *hsts_header; /* computed HTST header to use or NULL */
     apr_array_header_t *unused_names; /* post config, names of all MDs not assigned to a vhost */
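Review bot: No hunk in this commit initialises `manage_base_server` in the config constructor, so the documented default of off relies on the containing struct being zero-filled when it is allocated; that is fine if it is built with apr_pcalloc, but the field comment should state the default so the assumption is visible to whoever adds the next field: `int manage_base_server; /* MDBaseServer: manage the base server outside any vhost; 0 = off (default) */`. The struct's typedef name lies outside the hunk, so where it is allocated cannot be confirmed from this page.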