Stefan Eissing [Fri, 17 Sep 2021 12:41:45 +0000 (12:41 +0000)]
Merge of /httpd/httpd/trunk:r1893399
*) mod_md: when MDMessageCmd for a 'challenge-setup:<type>:<dnsname>'
fails (!= 0 exit), the renewal process is aborted and an error is
reported for the MDomain. This provides scripts that distribute
information in a cluster to abort early with bothering an ACME
server to validate a dns name that will not work. The common
retry logic will make another attempt in the future, as with
other failures.
Fixed a bug when adding private key specs to an already working
MDomain, see <https://github.com/icing/mod_md/issues/260>.
Stefan Eissing [Wed, 15 Sep 2021 13:41:35 +0000 (13:41 +0000)]
Merge of /httpd/httpd/trunk:r1893359
*) mod_md: fixed a bug in handling multiple parallel OCSP requests. These could
run into an assertion which terminated (and restarted) the child process where
the task was running. Eventually, all OCSP responses were collected, but not
in the way that things are supposed to work.
See also <https://bz.apache.org/bugzilla/show_bug.cgi?id=65567>.
The bug was possibly triggered when more than one OCSP status needed updating
at the same time. For example for several renewed certificates after a server
reload.
Stefan Eissing [Thu, 9 Sep 2021 15:22:23 +0000 (15:22 +0000)]
Merge r1890605, r1893164, r1893179 from trunk:
*) core/mod_proxy/mod_ssl:
Adding `outgoing` flag to conn_rec, indicating a connection is
initiated by the server to somewhere, in contrast to incoming
connections from clients.
Adding 'ap_ssl_bind_outgoing()` function that marks a connection
as outgoing and is used by mod_proxy instead of the previous
optional function `ssl_engine_set`. This enables other SSL
module to secure proxy connections.
The optional functions `ssl_engine_set`, `ssl_engine_disable` and
`ssl_proxy_enable` are now provided by the core to have backward
compatibility with non-httpd modules that might use them. mod_ssl
itself no longer registers these functions, but keeps them in its
header for backward compatibility.
The core provided optional function wrap any registered function
like it was done for `ssl_is_ssl`.
*core: clarify comments and use hook API better to check for presence of callbacks.
core: Set r->request_time before any logging, mod_unique_id needs it.
* server/protocol.c(read_request_line):
Move r->request_time initialization before first APLOG_TRACE5,
ap_log_rerror() may run the generate_log_id hooks and call mod_unique_id
with no timestamp initialized (zero).
mod_unique_id: Follow up to r1892915: Shorter counter race condition yet.
* modules/metadata/mod_unique_id.c(gen_unique_id):
Set the counter in network byte order for uuencoding only, allowing for
simple cur_unique_id.counter++
mod_unique_id: Follow up to r1892915 and r1893002: Atomic counter.
* modules/metadata/mod_unique_id.c(gen_unique_id):
Use an atomic 32bit counter to close the race condition with threaded MPMs,
using the lower 16 bits for uuencoding still.
mod_proxy: Don't canonicalize with both nocanon and ProxyPassInterpolateEnv On.
If nocanon is set, we should match the unparsed_uri against the interpolated
alias (not the ProxyPass'ed one) when verifying the resulting length. Otherwise
we falsely restore the canonicalized URL in case of mismatch. PR 65549.
mpm_event: Fix children processes possibly not stopped on graceful restart.
The number of children spawned can go above active_daemons_limit due to
exponential idle_spawn_rate growth (x 2), enforce the upper limit in
perform_idle_server_maintenance(). PR 63169.
Submitted by: Joel Self <joelself gmail.com>
mpm_event: Follow up to r1893014: log when children are not spawned.
Log at trace1 level when active_daemons >= active_daemons_limit and we won't
spawn children. Reset free_length to avoid negative value in this case too.
* modules/proxy/proxy_util.c(fix_uds_filename):
Sanity checks on the configured UDS path, fail with 500 if invalid since
continuing through proxy processing wouldn't work as expected.
mod_ssl: Log private key material to file set by $SSLKEYLOGFILE in the
environment, using the standard format which can be parsed by (e.g.)
wireshark for decoding SSL/TLS traffic; supported from OpenSSL 1.1.1.
* modules/ssl/ssl_private.h: Add keylog_file to SSLModConfigRec.
* modules/ssl/ssl_engine_init.c (ssl_init_Module): Open log file if
SSLKEYLOGFILE is set in the environment.
(ssl_init_ctx_protocol): Register the keylog callback with OpenSSL.
* modules/ssl/ssl_engine_kernel.c (modssl_callback_keylog):
New function.
* server/scoreboard.c (ap_increment_counts): In certain cases like certain
invalid requests r->method might be NULL here. r->method_number defaults
to M_GET and hence is M_GET in these cases.
mpm_prefork: mask signals during ap_run_child_init().
This prevents threads potentially created from the child_init hooks (e.g.
mod_watchdog workers) to catch signals needed by the MPM, like here:
https://travis-ci.com/github/apache/httpd/jobs/510821148#L5356.
mod_proxy: Fix potential tunneling infinite loop and spurious timeout.
PRs 65521 and 65519.
* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
Avoid an infinite loop by shutting down the connection for write when poll()
returns POLLHUP and read is already down. PR 65521.
* modules/proxy/proxy_util.c(ap_proxy_tunnel_run):
When write completion is finished don't check for ap_filter_input_pending()
before proxy_tunnel_forward() to flush input data, this is a nonblocking read
already which will do the same thing implicitely. ap_filter_input_pending()
is broken in 2.4.x without the whole pending data mechanism (not backported
yet), so let's align here. PR 65519.
mod_proxy: Follow up to r1892740.
Really remove the old ap_filter_input_pending() handling forgotten by r1892740.
mod_http2: fixes a use-after-read of an integer value when
passing a stream identifier for further IO checking. A
non-issue since an int value matching no active stream
will lead to no action.
mod_proxy_uwsgi: Fix PATH_INFO setting for generic worker.
When the generic "proxy:reverse" worker is selected for an uwsgi scheme, the
worker name is irrelevant so uwscgi_handler() should point to the PATH_INFO
directly from the given URL.
* mod_deflate: refrain from reading buckets of known length, just
to get their length. This may transform buckets unwanted (e.g. file
to mmap) and prevent optimization down the filter chain.
Stefan Eissing [Fri, 3 Sep 2021 13:28:01 +0000 (13:28 +0000)]
Merge of r1890693,r1890696 from trunk:
mod_ssl: tighten the handling of ALPN for outgoing (proxy)
connections. If ALPN protocols are provided and sent to the
remote server, the received protocol selected is inspected
and checked for a match. Without match, the peer handshake
fails.
An exception is the proposal of "http/1.1" where it is
accepted if the remote server did not answer ALPN with
a selected protocol. This accomodates for hosts that do
not observe/support ALPN and speak http/1.x be default.
Stefan Eissing [Wed, 1 Sep 2021 13:22:19 +0000 (13:22 +0000)]
Merge r1892782 from trunk:
* mod_md: Certificate/keys pairs are verified as matching before a renewal is accepted
as successful or a staged renewal is replacing the existing certificates.
This avoid potential mess ups in the md store file system to render the active
certificates non-working. [@mkauf]
Yann Ylavic [Tue, 24 Aug 2021 12:44:28 +0000 (12:44 +0000)]
Merge r1891206, r1891216, r1891284 from trunk:
mod_proxy: Fix possible reuse/merging of Proxy(Pass)Match workers. PR 65419.
We can't truncate ProxyMatch's worker name/url to the first '$' substitution
without possibly colliding with other workers. This also makes the matching
done at runtime by ap_proxy_strcmp_ematch() completely pointless.
To fix this and still address r1878467 (i.e. make http://host:port$1 a "valid"
URL), we need to remove '$' substitutions from the :port part of the URL only
since it's allowed anywhere else by apr_uri_parse().
So let's strip them before apr_uri_parse() and prepend them back in the path
before apr_uri_unparse() to restore the original URL. Non-matchable workers are
not concerned so ap_proxy_define_worker() is made a local helper (w/o the ap_
prefix) which takes "matchable" as argument and can then be called by both
ap_proxy_define_[match_]worker() functions.
mod_proxy: Follow up to r1891206: fix UDS scheme.
mod_proxy: Avoid confusion of prefix/regex matching workers at loading. PR 65429.
ap_proxy_get_worker() needs to know whether it should lookup for prefix or
match or both matching workers, depending on the context.
For instance <Proxy[Match]> or ProxyPass[Match] directives need to lookup for
an existing worker with the same type as the directive (*Match or not), because
they will define one with that matching type if none exists.
On the contrary, "ProxySet <url>" at load time or ap_proxy_pre_request() at run
time need to find a worker matching an url whether it's by prefix or by regex.
So this commit adds ap_proxy_get_worker_ex() which takes a bitmask for the
matching type and calls it appropriately where needed.
For consistency, ap_proxy_define_worker_ex() is also added, using the same
bitmask flags, deprecating ap_proxy_define_match_worker().
projects / thirdparty / apache / httpd.git / log
