Graham Leggett [Sun, 19 Nov 2023 10:45:05 +0000 (10:45 +0000)]
Apply earlier fix to the ldapsearch case:
Arrange for backend LDAP connections to be returned
to the pool by a fixup hook rather than staying locked
until the end of (a potentially slow) request.
Yann Ylavic [Sat, 18 Nov 2023 13:49:04 +0000 (13:49 +0000)]
mod_proxy: Follow up to r1912245: ap_proxy_ prefix for extern functions.
Even if they are not part of the API (not in mod_proxy.h) and hence require no
MMN bump, {get,set,increment_,decrement_}busy_count() being AP_PROXY_DECLARE()d
could name-collide with a third-party module's functions.
Rename them using the ap_proxy_ prefix, with an underscore after the verb
for all of them too (for consistency), that is:
ap_proxy_{get,set,increment,decrement}_busy_count()
Yann Ylavic [Thu, 16 Nov 2023 14:58:52 +0000 (14:58 +0000)]
Follow up to r1874101: Axe useless LIBRESSL_VERSION_NUMBER check.
Since the fix to MODSSL_USE_OPENSSL_PRE_1_1_API in r1908537, we are sure that
!defined(LIBRESSL_VERSION_NUMBER) || LIBRESSL_VERSION_NUMBER < 0x2070000fL
in this block.
Yann Ylavic [Thu, 16 Nov 2023 10:27:30 +0000 (10:27 +0000)]
ci: Disable ASan's LeakSanitizer.
The tool sometimes/somehow crashes in CI, though I can't reproduce locally.
Possibly an issue with the gcc toolchain used there; disable for now as it
makes the tests fail.
Yann Ylavic [Wed, 15 Nov 2023 22:09:05 +0000 (22:09 +0000)]
mod_ssl: Disable the OpenSSL ENGINE API when OPENSSL_NO_ENGINE is set. PR 68080
Also, always allow for "SSLCryptoDevice builtin" even if the ENGINE API is not
available, OPENSSL_NO_ENGINE or more generally with the new API (providers)
available since OpenSSL >= 3.
* ssl_private.h: Set MODSSL_HAVE_ENGINE_API to 0 if OPENSSL_NO_ENGINE.
* mod_ssl.c, ssl_engine_config.c: Don't depend on HAVE_OPENSSL_ENGINE_H and
HAVE_ENGINE_INIT to provide [ssl_cmd_]SSLCryptoDevice.
Stefan Eissing [Tue, 31 Oct 2023 10:24:11 +0000 (10:24 +0000)]
* mod_md: Fix the reported "until" validity of a certificate in the status
handler. [Rainer Jung]
Fix possible NULL deref when logging the error that an authentication
resource could not be retrieved from the ACME server. [Stefan Eissing]
Joe Orton [Mon, 16 Oct 2023 13:10:16 +0000 (13:10 +0000)]
Fix h2 build broken in r1913019:
* modules/http2: Make WebSockets support conditional also
on APR 1.7.x since apr_encode.h is required. Restore
#include "apr_encode.h" removed in previous commit.
Joe Orton [Tue, 3 Oct 2023 12:58:16 +0000 (12:58 +0000)]
mod_dav_fs: add DAVLockDBType directive.
* modules/dav/fs/dbm.c (dav_dbm_open_direct): Take a dbmtype argument
and use it to select the apr_dbm driver type.
(dav_dbm_open): Continue to use the "default" propdb type to open
the property databases.
* modules/dav/fs/lock.c: Store and pass the lockdb_type through.
* modules/dav/fs/mod_dav_fs.c (dav_get_lockdb_path): Return the dbm
type via an output argument.
(dav_fs_cmd_davlockdbtype): New config directive.
(dav_fs_merge_server_config): Merge the dbm type.
(dav_fs_post_config): Set the default lockdb type.
* modules/dav/fs/repos.h: Update prototypes as above; internal API
only so no compat concerns.
Joe Orton [Thu, 28 Sep 2023 08:11:30 +0000 (08:11 +0000)]
* modules/dav/fs/dbm.c (dav_dbm_open_direct): Test against
APR_MAJOR_VERSION; APU_MAJOR_VERSION is not defined for APR trunk
since the #include <apu_version.h> is conditional on APR < 2.
Joe Orton [Fri, 22 Sep 2023 09:31:22 +0000 (09:31 +0000)]
* modules/dav/fs/dbm.c (dav_fs_dbm_error, dav_dbm_open_direct): Remove
error message references to "property" databases since these
functions are used for both propdbs and the lock database.
mod_proxy: Allocate and initialize the workers and balancers on pconf.
On ungraceful restart, pchild might be destroyed without waiting for the MPM
threads, just before exit()ing but still there is a window where threads may
be using its data still.
Avoid possible exit path crashes by basing the workers/balancers on pconf,
which is not destroyed in children processes.
While at it, avoid the duplication of the generic "forward" worker for each
server(_rec), there can be a single instance like the generic "reverse"
worker.
mod_proxy: Add ap_proxy_worker_get_name() and deprecate ap_proxy_worker_name().
The latter requires a pool and returns a non-constant string although it may
return worker shared data.
By computing the worker "UDS" name at init time we can return a constant name
in any case with no need for a pool, that's the new ap_proxy_worker_get_name().
mod_proxy: Handle backend address renewal with address_ttl= parameter.
Define a new proxy_address struct holding the current/latest sockaddr in use
by each proxy worker and conn. Since backend addresses can be updated when
their TTL expires and while connections are being processed, each address is
refcounted and freed only when the last worker (or conn) using it grabs the
new one.
The lifetime of the addresses is handled at a single place by the new
ap_proxy_determine_address() function. It guarantees to bind the current/latest
backend address to the passed in conn (or do nothing if it's up to date already).
The function is called indirectly by ap_proxy_determine_connection() for the
proxy modules that use it, or directly by mod_proxy_ftp and mod_proxy_hcheck.
It also is called eventually by ap_proxy_connect_backend() when connect()ing all
the current addresses fails, to check (PROXY_DETERMINE_ADDRESS_CHECK) if some
new addrs are available.
This commit is also a rework of the lifetime of conn->addr, conn->hostname
and conn->forward, using the conn->uds_pool and conn->fwd_pool for the cases
where the backend is connected through a UDS socket and a remote CONNECT proxy
respectively.
* include/ap_mmn.h:
Minor bump for new function/fields.
* modules/proxy/mod_proxy.h (struct proxy_address,
ap_proxy_determine_address()):
Declare ap_proxy_determine_address() and opaque struct proxy_address,
new fields to structs proxy_conn_rec/proxy_worker_shared/proxy_worker.
* modules/proxy/mod_proxy.c (set_worker_param):
Parse/set the new worker->address_ttl parameter.
* modules/proxy/proxy_util.c (proxy_util_register_hooks(),
ap_proxy_initialize_worker(),
ap_proxy_connection_reusable(),
ap_proxyerror(), proxyerror_core(),
init_conn_pool(), make_conn_subpool(),
connection_make(), connection_cleanup(),
connection_constructor()):
Initialize *proxy_start_time in proxy_util_register_hooks() as the epoch
from which expiration times are relative (i.e. seconds stored in an uint32_t
for atomic changes).
Make sure worker->s->is_address_reusable and worker->s->disablereuse are
consistent in ap_proxy_initialize_worker(), thus no need to check for both
in ap_proxy_connection_reusable().
New proxyerror_core() helper taking an apr_status_t to log, wrap in
ap_proxyerror().
New make_conn_subpool() to create worker->cp->{pool,dns} with their own
allocator.
New connection_make() helper to factorize code in connection_cleanup() and
connection_constructor().
* modules/proxy/proxy_util.c (proxy_address_inc(), proxy_address_dec(),
proxy_address_cleanup(), proxy_address_set_expired(),
worker_address_get(), worker_address_set(),
worker_address_resolve(), proxy_addrs_equal(),
ap_proxy_determine_address(),
ap_proxy_determine_connection(),
ap_proxy_connect_backend()):
Implement ap_proxy_determine_address() using the above helpers for atomic changes,
and call it from ap_proxy_determine_connection() and ap_proxy_connect_backend().
* modules/proxy/mod_proxy_ftp.c (proxy_ftp_handler):
Use ap_proxy_determine_address() and use the returned backend->addr.
* modules/proxy/mod_proxy_hcheck.c (hc_determine_connection, hc_get_backend,
hc_init_worker, hc_watchdog_callback):
Use ap_proxy_determine_address() in hc_determine_connection() and call the
latter from hc_get_backend(), replace hc_init_worker() by hc_init_baton()
which now calls hc_get_hcworker() and hc_get_backend() to resolve the first
address at init time.
* modules/proxy/mod_proxy_http.c (proxy_http_handler):
Use backend->addr and ->hostname instead of worker->cp->addr and
worker->s->hostname_ex respectively.
* modules/proxy/mod_proxy_ajp.c (ap_proxy_ajp_request):
Use backend->addr and ->hostname instead of worker->cp->addr and
worker->s->hostname_ex respectively.
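The address lifetime scheme the commit message above describes (each address refcounted, renewed once its TTL expires, freed only when the last worker or conn holding it has grabbed the new one), as an added illustration in plain C that is not httpd's code: proxy_addr, worker_t, conn_t, resolve() and determine_address() are simplified stand-ins for the commit's proxy_address, proxy_worker, proxy_conn_rec and ap_proxy_determine_address(), and the resolver hands out constructed fake addresses.

```c
#include <stdio.h>
#include <stdlib.h>
/* Stand-in for the commit's proxy_address: one resolved backend address,
 * refcounted so a conn still using it outlives the worker's renewal.
 * Plain counters here; the real code does these updates atomically. */
typedef struct {
    char host[32];
    int refcount;          /* the worker plus every conn bound to it */
    unsigned int expires;  /* seconds relative to an epoch, 0 = never */
} proxy_addr;
typedef struct { proxy_addr *addr; unsigned int ttl; int resolves; } worker_t;
typedef struct { proxy_addr *addr; } conn_t;
static int freed_count;  /* how many addresses were freed (checked by the test) */
static void addr_dec(proxy_addr *a)
{
    if (a && --a->refcount == 0) { free(a); freed_count++; }
}
static proxy_addr *addr_inc(proxy_addr *a) { a->refcount++; return a; }
/* Constructed resolver stand-in: hands out a fresh fake address each call. */
static proxy_addr *resolve(worker_t *w, unsigned int now)
{
    proxy_addr *a = calloc(1, sizeof *a); if (!a) abort();
    snprintf(a->host, sizeof a->host, "10.0.0.%d", ++w->resolves);
    a->expires = w->ttl ? now + w->ttl : 0;
    a->refcount = 1;  /* the worker's own reference */
    return a;
}
/* Bind the worker's current address to conn, renewing it first if the TTL
 * expired. Returns 1 if conn's address changed, 0 if it was up to date. */
int determine_address(worker_t *w, conn_t *c, unsigned int now)
{
    if (!w->addr || (w->addr->expires && now >= w->addr->expires)) {
        proxy_addr *fresh = resolve(w, now);
        addr_dec(w->addr);  /* old one lives on while some conn holds it */
        w->addr = fresh;
    }
    if (c->addr == w->addr) return 0;
    addr_dec(c->addr);
    c->addr = addr_inc(w->addr);
    return 1;
}
/* Scenario: two conns share an address, it expires at t=160, each migrates;
 * returns the new address's refcount, or a negative code on a lifetime bug. */
int ttl_scenario(void)
{
    worker_t w = { NULL, 60, 0 }; conn_t c1 = { NULL }, c2 = { NULL };
    determine_address(&w, &c1, 100); determine_address(&w, &c2, 110);
    determine_address(&w, &c1, 161);  /* expired: worker and c1 move on */
    if (c2.addr == c1.addr || c2.addr->refcount != 1 || freed_count) return -1;
    determine_address(&w, &c2, 162);  /* last holder leaves: old address freed */
    return freed_count == 1 ? w.addr->refcount : -2;
}
```

The returned refcount of 3 (worker, c1, c2) and the single free show the old address surviving exactly as long as a conn still refers to it.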
Rainer Jung [Wed, 30 Aug 2023 12:56:11 +0000 (12:56 +0000)]
mod_ssl: Silence info log message "SSL Library Error: error:0A000126:
SSL routines::unexpected eof while reading" when using
OpenSSL 3 by setting SSL_OP_IGNORE_UNEXPECTED_EOF if
available. [Rainer Jung]
Stefan Eissing [Wed, 16 Aug 2023 11:40:21 +0000 (11:40 +0000)]
* mod_md: fixed passing of the server environment variables to programs
started via MDMessageCmd and MDChallengeDns01 on *nix systems.
See <https://github.com/icing/mod_md/issues/319>.
Joe Orton [Mon, 14 Aug 2023 14:40:00 +0000 (14:40 +0000)]
Add DAVBasePath directive to allow users to configure the real repos
root path, useful where the DAV repos is configured with a regex match.
* modules/dav/main/mod_dav.c
(dav_get_resource): If available, pass the configured base path
as the repos root to repos provider.
On the error path for fetching a resource, detect and warn
specifically when the location is configured via a regex.
(dav_cmd_davbasepath): New function.
Stefan Eissing [Mon, 14 Aug 2023 14:39:00 +0000 (14:39 +0000)]
HTTP/2, websockets
- provide "Connection" header in internal Upgrade request
- set input notification if input is already available when
stream processing is started
- add optional function in mod_http2.h to use instead of
ap_get_pollfd_from_conn() in older servers with a new
mod_http2
Stefan Eissing [Fri, 14 Jul 2023 12:26:50 +0000 (12:26 +0000)]
* mod_md:
- New directive `MDMatchNames all|servernames` to allow more control over how
MDomains are matched to VirtualHosts.
- New directive `MDChallengeDns01Version`. Setting this to `2` will provide
the command also with the challenge value on `teardown` invocation. In version
1, the default, only the `setup` invocation gets this parameter.
Refs #312. Thanks to @domrim for the idea.
- For a Managed Domain in "manual" mode, the check whether all used ServerName and
ServerAlias are part of the MDomain now reports a warning instead of an error
(AH10040) when not all names are present.
- MDChallengeDns01 can now be configured for individual domains.
Using the PR from Jérôme Billiras (@bilhackmac), adding a test case and fixing proper working.
- Fixed a bug found by Jérôme Billiras (@bilhackmac) that caused the challenge
teardown not to be invoked as it should.