mod_proxy: Don't canonicalize with both nocanon and ProxyPassInterpolateEnv On.
If nocanon is set, we should match the unparsed_uri against the interpolated
alias (not the ProxyPass'ed one) when verifying the resulting length. Otherwise
we falsely restore the canonicalized URL in case of mismatch. PR 65549.
mpm_event: Fix children processes possibly not stopped on graceful restart.
The number of children spawned can go above active_daemons_limit due to
exponential idle_spawn_rate growth (x 2), enforce the upper limit in
perform_idle_server_maintenance(). PR 63169.
Submitted by: Joel Self <joelself gmail.com>
mpm_event: Follow up to r1893014: log when children are not spawned.
Log at trace1 level when active_daemons >= active_daemons_limit and we won't
spawn children. Reset free_length to avoid negative value in this case too.
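A small model of the spawn decision described in the two mpm_event entries above, added here as an illustration (it is not httpd's perform_idle_server_maintenance() code). The names active_daemons, active_daemons_limit, idle_spawn_rate and free_length come from the commit messages; spawn_decision(), simulate() and the 32 cap on the rate are this model's assumptions, and the scoreboard free-slot check and the idle-worker count that the real MPM consults are left out so that the effect of doubling the rate is visible on its own.

```python
# Assumption: simplified model of one bucket's spawn decision in mpm_event,
# written for this page; not httpd's own code.
MAX_SPAWN_RATE = 32   # ceiling on idle_spawn_rate growth (assumed value)


def spawn_decision(active_daemons, active_daemons_limit, idle_spawn_rate,
                   enforce_limit):
    """One maintenance round that found too few idle workers.

    Returns (to_spawn, next_idle_spawn_rate, note). With enforce_limit=False
    the round spawns the whole idle_spawn_rate, which is what let the number
    of children exceed active_daemons_limit; with enforce_limit=True the
    request is clamped to the remaining room and refused at the limit.
    """
    free_length = idle_spawn_rate          # exponential ramp: ask for the full rate
    note = ""
    if enforce_limit:
        if active_daemons >= active_daemons_limit:
            # The fix: spawn nothing (httpd logs this at trace1) and reset
            # free_length so it cannot go negative below.
            free_length = 0
            note = (f"not spawning: active_daemons {active_daemons} >= "
                    f"active_daemons_limit {active_daemons_limit}")
        elif free_length > active_daemons_limit - active_daemons:
            free_length = active_daemons_limit - active_daemons
    next_rate = min(idle_spawn_rate * 2, MAX_SPAWN_RATE)
    return free_length, next_rate, note


def simulate(active_daemons_limit, rounds, enforce_limit):
    """Run maintenance rounds under sustained load: every round is short of
    idle workers, so idle_spawn_rate doubles each time. Returns
    (peak_active_daemons, history) with history = [(spawned, active, note)]."""
    active, rate, peak, history = 0, 1, 0, []
    for _ in range(rounds):
        to_spawn, rate, note = spawn_decision(active, active_daemons_limit,
                                              rate, enforce_limit)
        active += to_spawn
        peak = max(peak, active)
        history.append((to_spawn, active, note))
    return peak, history


if __name__ == "__main__":
    for enforce in (False, True):
        peak, history = simulate(active_daemons_limit=10, rounds=5,
                                 enforce_limit=enforce)
        print(f"enforce_limit={enforce}: peak active_daemons={peak}")
        for spawned, active, note in history:
            print(f"  spawned {spawned:2d} -> active {active:2d} {note}")
```

With a limit of 10 and a rate that doubles from 1, the unclamped rounds spawn 1, 2, 4, 8 and 16 children and reach 31 active daemons; the clamped version spawns 1, 2, 4, 3 and then refuses, stopping exactly at the limit.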
* modules/proxy/proxy_util.c(fix_uds_filename):
Sanity checks on the configured UDS path, fail with 500 if invalid since
continuing through proxy processing wouldn't work as expected.
mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.
* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.
* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.
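The file written when SSLKEYLOGFILE is set uses the NSS key log format that Wireshark reads: one line per secret, "<LABEL> <client_random hex> <secret hex>", with "#" comments. The validator below is an added example (Python written for this page, not mod_ssl's code) that checks a log before it is handed to a decryption tool: label known, fields hex, client_random 32 bytes, secret 48 bytes for CLIENT_RANDOM (TLS up to 1.2) or 32/48 bytes for the TLS 1.3 labels, and reports which sessions carry enough material to decrypt application data. The sample log and the function names are constructed for the example.

```python
import re
from collections import defaultdict

# Secret length in bytes that each NSS key log label must carry.
# CLIENT_RANDOM lines (TLS <= 1.2) carry the 48-byte master secret; the
# TLS 1.3 labels carry a secret the size of the cipher suite's hash
# (32 bytes for SHA-256 suites, 48 bytes for SHA-384 suites).
LABELS = {
    "CLIENT_RANDOM": {48},
    "CLIENT_EARLY_TRAFFIC_SECRET": {32, 48},
    "EARLY_EXPORTER_MASTER_SECRET": {32, 48},
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": {32, 48},
    "CLIENT_TRAFFIC_SECRET_0": {32, 48},
    "SERVER_TRAFFIC_SECRET_0": {32, 48},
    "EXPORTER_SECRET": {32, 48},
}
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")


def parse_line(line, lineno=0):
    """Parse one '<LABEL> <client_random hex> <secret hex>' line.

    Returns (label, client_random, secret) with the values as bytes, or
    raises ValueError saying why a decryption tool could not use the line.
    """
    parts = line.split()
    if len(parts) != 3:
        raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
    label, rand_hex, secret_hex = parts
    if label not in LABELS:
        raise ValueError(f"line {lineno}: unknown label {label!r}")
    for name, value in (("client_random", rand_hex), ("secret", secret_hex)):
        if not HEX_RE.match(value) or len(value) % 2:
            raise ValueError(f"line {lineno}: {name} is not even-length hex")
    client_random = bytes.fromhex(rand_hex)
    secret = bytes.fromhex(secret_hex)
    if len(client_random) != 32:
        raise ValueError(f"line {lineno}: client_random is "
                         f"{len(client_random)} bytes, want 32")
    if len(secret) not in LABELS[label]:
        raise ValueError(f"line {lineno}: {label} secret is {len(secret)} bytes, "
                         f"want one of {sorted(LABELS[label])}")
    return label, client_random, secret


def parse_keylog(text):
    """Parse a whole key log. Returns (sessions, errors): sessions maps
    client_random -> {label: secret}; errors lists the rejected lines.
    Blank lines and '#' comments are skipped, as Wireshark skips them."""
    sessions = defaultdict(dict)
    errors = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            label, client_random, secret = parse_line(line, lineno)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        sessions[client_random][label] = secret
    return dict(sessions), errors


def decryptable_sessions(sessions):
    """Client randoms whose application data can be decrypted: a master
    secret (TLS <= 1.2) or both TLS 1.3 application traffic secrets."""
    usable = []
    for client_random, secrets in sessions.items():
        if "CLIENT_RANDOM" in secrets or (
            "CLIENT_TRAFFIC_SECRET_0" in secrets
            and "SERVER_TRAFFIC_SECRET_0" in secrets
        ):
            usable.append(client_random)
    return usable


# Constructed sample log (not real session material): one TLS 1.2 session,
# one complete TLS 1.3 session, one TLS 1.3 session that only reached the
# handshake secrets, and two malformed lines.
CR1 = "0123456789abcdef" * 4            # 32-byte client random, hex
CR2 = "a1b2c3d4e5f60718" * 4
CR3 = "ffeeddccbbaa9988" * 4
CR4 = "1234567812345678" * 4
MASTER_SECRET = "fedcba9876543210" * 6  # 48 bytes, hex
SECRET_32 = "00112233445566778899aabbccddeeff" * 2
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real session material",
    f"CLIENT_RANDOM {CR1} {MASTER_SECRET}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR2} {SECRET_32}",
    f"SERVER_HANDSHAKE_TRAFFIC_SECRET {CR2} {SECRET_32}",
    f"CLIENT_TRAFFIC_SECRET_0 {CR2} {SECRET_32}",
    f"SERVER_TRAFFIC_SECRET_0 {CR2} {SECRET_32}",
    f"CLIENT_HANDSHAKE_TRAFFIC_SECRET {CR4} {SECRET_32}",
    f"CLIENT_RANDOM {CR3} deadbeef",         # secret far too short
    f"MASTER_SECRET {CR3} {MASTER_SECRET}",  # label no tool understands
])

if __name__ == "__main__":
    found, bad = parse_keylog(SAMPLE_KEYLOG)
    print(f"{len(found)} sessions, {len(decryptable_sessions(found))} decryptable")
    for err in bad:
        print("rejected:", err)
```

The file holds the secrets of every connection the server handled while the variable was set, so treat it like a private key: point SSLKEYLOGFILE at a path only the httpd user can write, and unset it (and remove the file) once the capture is done.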
* server/scoreboard.c (ap_increment_counts): In certain cases like certain
invalid requests r->method might be NULL here. r->method_number defaults
to M_GET and hence is M_GET in these cases.
mpm_prefork: mask signals during ap_run_child_init().
This prevents threads potentially created from the child_init hooks (e.g.
mod_watchdog workers) from catching signals needed by the MPM, like here:
https://travis-ci.com/github/apache/httpd/jobs/510821148#L5356.
mod_proxy: Fix potential tunneling infinite loop and spurious timeout.
PRs 65521 and 65519.
* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
Avoid an infinite loop by shutting down the connection for write when poll()
returns POLLHUP and read is already down. PR 65521.
* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
When write completion is finished don't check for ap_filter_input_pending()
before proxy_tunnel_forward() to flush input data, this is a nonblocking read
already which will do the same thing implicitly. ap_filter_input_pending()
is broken in 2.4.x without the whole pending data mechanism (not backported
yet), so let's align here. PR 65519.
mod_proxy: Follow up to r1892740.
Really remove the old ap_filter_input_pending() handling forgotten by r1892740.
mod_http2: fixes a use-after-read of an integer value when
passing a stream identifier for further IO checking. A
non-issue since an int value matching no active stream
will lead to no action.
mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
directly from the given URL.
* mod_deflate: refrain from reading buckets of known length, just
to get their length. This may transform buckets unwanted (e.g. file
to mmap) and prevent optimization down the filter chain.
Stefan Eissing [Fri, 3 Sep 2021 13:28:01 +0000 (13:28 +0000)]
Merge of r1890693,r1890696 from trunk:
mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accommodates hosts that do
not observe/support ALPN and speak http/1.x by default.
Stefan Eissing [Wed, 1 Sep 2021 13:22:19 +0000 (13:22 +0000)]
Merge r1892782 from trunk:
* mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoids potential mess-ups in the md store file system that would render the active
certificates non-working. [@mkauf]
Yann Ylavic [Tue, 24 Aug 2021 12:44:28 +0000 (12:44 +0000)]
Merge r1891206, r1891216, r1891284 from trunk:
mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match workers. PR 65419.
We can't truncate ProxyMatch's worker name/url to the first '$' substitution
without possibly colliding with other workers. This also makes the matching
done at runtime by ap_proxy_strcmp_ematch() completely pointless.
To fix this and still address r1878467 (i.e. make http://host:port$1 a "valid"
URL), we need to remove '$' substitutions from the :port part of the URL only
since it's allowed anywhere else by apr_uri_parse().
So let's strip them before apr_uri_parse() and prepend them back in the path
before apr_uri_unparse() to restore the original URL. Non-matchable workers are
not concerned so ap_proxy_define_worker() is made a local helper (w/o the ap_
prefix) which takes "matchable" as argument and can then be called by both
ap_proxy_define_[match_]worker() functions.
mod_proxy: Follow up to r1891206: fix UDS scheme.
mod_proxy: Avoid confusion of prefix/regex matching workers at loading. PR 65429.
ap_proxy_get_worker() needs to know whether it should lookup for prefix or
match or both matching workers, depending on the context.
For instance <Proxy[Match]> or ProxyPass[Match] directives need to lookup for
an existing worker with the same type as the directive (*Match or not), because
they will define one with that matching type if none exists.
On the contrary, "ProxySet <url>" at load time or ap_proxy_pre_request() at run
time need to find a worker matching an url whether it's by prefix or by regex.
So this commit adds ap_proxy_get_worker_ex() which takes a bitmask for the
matching type and calls it appropriately where needed.
For consistency, ap_proxy_define_worker_ex() is also added, using the same
bitmask flags, deprecating ap_proxy_define_match_worker().
Graham Leggett [Sun, 22 Aug 2021 09:51:33 +0000 (09:51 +0000)]
Backport:
*) back port the add of balancer_manage in mod_proxy_balancer.
trunk patch: http://svn.apache.org/r1859235
http://svn.apache.org/r1887176
http://svn.apache.org/r1887359
http://svn.apache.org/r1887144
Backport version for 2.4.x of patch:
https://people.apache.org/~jfclere/patches/patch.210810.txt
+1: jfclere, jim, minfrin
Graham Leggett [Sat, 21 Aug 2021 22:55:47 +0000 (22:55 +0000)]
Backport:
*) mod_dav: Add method_precondition hook. WebDAV extensions define
conditions that must exist before a WebDAV method can be executed.
This hook allows a WebDAV extension to verify these preconditions.
trunk patch: http://svn.apache.org/r1879339
http://svn.apache.org/r1879340
2.4.x patch: https://svn.apache.org/repos/asf/httpd/httpd/patches/2.4.x/httpd-2.4-dav-preconditions1.patch
+1: minfrin, jim, ylavic (by inspection)
Graham Leggett [Sat, 21 Aug 2021 21:30:47 +0000 (21:30 +0000)]
Backport:
*) Easy patches: synch 2.4.x and trunk
- mod_auth_basic: Use ap_cstr_casecmp instead of strcasecmp.
- mod_ldap: log and abort locking errors.
- mod_ldap: style fix for r1831165
- mod_ldap: build break fix for r1831165
--> These 3 commits are preparation work for backporting r1856735
- mod_deflate: Avoid hard-coded "%ld" format strings in mod_deflate's logging statements
- mod_deflate: Use apr_uint64_t instead of uint64_t (follow up to r1849590)
- mod_forensic: Follow up to r1856490: missing one mod_log_forensic test_char_table case.
(r1856490 has been backported in r1870261)
- mod_rewrite: Save a few cycles.
- mod_request: Fix a comment (missing '_' in 'keep_body') and some style issues
- core: remove extra whitespace in HTTP_NOT_IMPLEMENTED
trunk patch:
https://svn.apache.org/r1817063
https://svn.apache.org/r1831165
https://svn.apache.org/r1831171
https://svn.apache.org/r1831172
https://svn.apache.org/r1849590
https://svn.apache.org/r1849630
https://svn.apache.org/r1856491
https://svn.apache.org/r1883421
https://svn.apache.org/r1889327
https://svn.apache.org/r1891200
2.4.x patch: svn merge -c 1817063,1831165,1831171,1831172,1849590,1849630,1856491,1883421,1889327,1891200 ^/httpd/httpd/trunk .
+1: jailletc36, covener, jim
icing: I have trouble running the svn merge due to conflicts in CHANGES and
the infamous log tags. Do you have a patch or a PR to use for checking?
covener: on faith