Stefan Eissing [Tue, 3 Dec 2024 09:59:46 +0000 (09:59 +0000)]
Merge /httpd/httpd/trunk:r1922279
*) mod_md: update to version 2.4.29
- Fixed HTTP-01 challenges to not carry a final newline, as some ACME
server fail to ignore it. [Michael Kaufmann (@mkauf)]
- Fixed missing label+newline in server-status plain text output when
MDStapling is enabled.
Eric Covener [Sun, 1 Dec 2024 14:17:01 +0000 (14:17 +0000)]
Merge r1922246 from trunk:
Don't use AuthFormLoginRequiredLocation in inline
Intro to inline says:
If a non-authenticated user attempts to access a page protected by
mod_auth_form that isn't configured with a AuthFormLoginRequiredLocation
directive, a HTTP_UNAUTHORIZED status code is returned to the browser
indicating to the user that they are not authorized to view the page.
The entire point seems to be to keep the URL the same by using an internal redirect
via ErrorDocument, and AuthFormLoginRequiredLocation conflicts with it.
Submitted By: Rishikeshan Lavakumar/Sulochana <oss AT @rishikeshan.com>
Before r1918550 (r1918559 in 2.4.60), "SetHandler proxy:..." configurations
did not pass through proxy_fixup() hence the proxy_canon_handler hooks, leaving
fcgi's SCRIPT_FILENAME environment variable (from r->filename) decoded, or more
exactly not re-encoded.
We still want to call ap_proxy_canon_url() for "fcgi:" to handle/strip the UDS
"unix:" case and check that r->filename is valid and contains no controls, but
proxy_fcgi_canon() will not ap_proxy_canonenc_ex() thus re-encode anymore.
Note that this will do the same for "ProxyPass fcgi:...", there is no reason
that using SetHandler or ProxyPass don't result in the same thing. If an opt
in/out makes sense we should probably look at ProxyFCGIBackendType.
Follow up to r1919620: CHANGES entry indent.
Follow up to r1919620: init path after "proxy:" is skipped.
Follow up to r1919620: Restore r->filename re-encoding for ProxyPass URLs.
Joe Orton [Tue, 15 Oct 2024 11:33:02 +0000 (11:33 +0000)]
Merge r1921311 from trunk: [RTC exception for CI]
CI: Use the image version in the cache keys. This is likely a simpler
and more robust fix for the issues with Perl XS builds being cached.
Root cause was likely "ubuntu-latest" changing from 22.04 to 24.04.
Cache keys will now change when that happens again, preventing reuse
of cached builds across OS versions.
Ruediger Pluem [Mon, 14 Oct 2024 06:56:45 +0000 (06:56 +0000)]
Merge r1838684, r1920570, r1920571, r1920572 from trunk:
When a rewrite to proxy is configured in the server config, a check is made to make sure mod_proxy is active. But the same is not done if a rewrite to proxy is configured in an .htaccess file.
Basically this patch is the block of code from hook_uri2file that does the proxy check, copied to hook_fixup.
Patch provided by Michael Streeter [mstreeter1 gmail.com], slightly modified to use a new APLOGNO
PR 56264
mod_rewrite, mod_proxy: mod_proxy to cononicalize rewritten [P] URLs. PR 69235.
When mod_rewrite sets a "proxy:" URL with [P], it should be canonicalized by
mod_proxy still, notably to handle any "unix:" local socket part.
To avoid double encoding in perdir context, a follow up commit should remove the
ap_escape_uri() done in mod_rewrite since it's now on mod_proxy to canonicalize,
per PR 69260.
* Leave the proper escaping of the URL and the adding of r->args to the
proxy module which runs after us after r1920570.
Just take care to add r->args in case the proxy rule has the
[NE] flag set and tell the proxy module to not escape in this case.
Eric Covener [Fri, 27 Sep 2024 13:11:05 +0000 (13:11 +0000)]
*) mod_rewrite: Improve safe question mark detection
Trunk version of patch:
https://svn.apache.org/r1920566
Backport version for 2.4.x of patch:
Trunk version of patch works
svn merge -c 1920566 ^/httpd/httpd/trunk .
+1: rpluem, covener, jorton
Eric Covener [Fri, 27 Sep 2024 13:08:17 +0000 (13:08 +0000)]
*) Windows: Make UNCList EXEC_ON_READ to be early enough for
`Include //computername/include.conf`. PR69313
Trunk version of patch:
https://svn.apache.org/r1920564
Backport version for 2.4.x of patch:
svn merge -c r1920564 ^/httpd/httpd/trunk .
+1 covener, rpluem, steffenal
Eric Covener [Fri, 27 Sep 2024 13:06:46 +0000 (13:06 +0000)]
Merge r1919532, r1919533 from trunk:
*) mod_proxy: Avoid AH01059 parsing error for SetHandler "unix:" URLs
in <Location> (incomplete fix in 2.4.62). PR 69160.
When SetHandler "unix:..." is used in a <Location "/path"> block, the path
gets appended (including $DOCUMENT_ROOT somehow) to r->filename hence the
current checks in fixup_uds_filename() to add "localhost" when missing don't
work. Fix them.
mod_proxy: Allow for empty UDS URL hostname in ProxyPass workers too.
Using "unix:/udspath|scheme:" or "unix:/udspath|scheme://" for a ProxyPass URL
does not work currently, while it works for SetHandler "proxy:unix:...".
*) mod_md: update to version 2.4.28
- When the server starts, it looks for new, staged certificates to
activate. If the staged set of files in 'md/staging/<domain>' is messed
up, this could prevent further renewals to happen. Now, when the staging
set is present, but could not be activated due to an error, purge the
whole directory. [icing]
- Fix certificate retrieval on ACME renewal to not require a 'Location:'
header returned by the ACME CA. This was the way it was done in ACME
before it became an IETF standard. Let's Encrypt still supports this,
but other CAs do not. [icing]
- Restore compatibility with OpenSSL < 1.1. [ylavic]
Stefan Eissing [Tue, 17 Sep 2024 11:17:23 +0000 (11:17 +0000)]
Merged /httpd/httpd/trunk:r1920744
*) mod_tls: removed the experimental module. It now is availble standalone
from https://github.com/icing/mod_tls. The rustls provided API is not
stable and does not align with the httpd release cycle.
Joe Orton [Tue, 20 Aug 2024 08:33:00 +0000 (08:33 +0000)]
Merge r1866894 from trunk:
* modules/mappers/mod_rewrite.c: Enhance trace-level logging to log
line numbers accurately for C99 compilers, and remove odd/awkward
double-parentheses using the rewritelog() macro. For non-C99
compilers do_rewritelog() will now be defined - but as a noop - if
REWRITELOG_DISABLED is defined at compile time.
No functional change at runtime apart from the line numbers being
fixed.
*) mod_http2: sync with module's github.
- on newer HTTPD versions, return connection monitoring
to the event MPM when block on client updates.
2.4.x versions still treat connections in the event
MPM as KeepAlive and purge them on load in the middle
of response processing.
- spelling fixes
- support for yield calls in c2 "network" filter
mpm_event,core: Handle async POLLIN/POLLOUT in CONN_STATE_PROCESS state.
* include/httpd.h:
Rename CONN_STATE_CHECK_REQUEST_LINE_READABLE to CONN_STATE_KEEPALIVE
and CONN_STATE_READ_REQUEST_LINE to CONN_STATE_PROCESS, keeping the
old enums as aliases. Rework comments about each state.
* server/mpm/event/event.c:
Use the new states names.
Let the process_connection hooks return CONN_STATE_PROCESS for mpm_event
to POLLIN or POLLOUT depending on c->cs->sense being CONN_SENSE_WANT_READ
or CONN_SENSE_WANT_WRITE respectively.
Remove (ab)use of CONN_STATE_WRITE_COMPLETION with CONN_SENSE_WANT_READ to
mean poll() for read (and the need for the obscure c->clogging_input_filters
to make it work as expected). This is what CONN_STATE_PROCESS is for now.
Update the comment about the states that can be returned by process_connection
hooks (and their usage).
Use the same queue (process_q renamed from write_completion_q) for polling
connections in both CONN_STATE_PROCESS and CONN_STATE_WRITE_COMPLETION
states since they both use the same (server_rec's) Timeout. This implies
that both states are accounted as "write-completion" in mod_status for now.
* server/mpm/motorz/motorz.c, server/mpm/simple/simple_io.c, modules/http/http_core.c:
Use the new states names (only).
* include/scoreboard.h:
Change comment about process_score->write_completion to note that the
counter refers to CONN_STATE_PROCESS connections returned to the MPM
too.
* modules/http2/h2_c1.c:
Return the c1 connection with the CONN_STATE_PROCESS state rather than
CONN_STATE_WRITE_COMPLETION when waiting for a window update (i.e. ask
the MPM to poll for read directly). This avoids the transition to
CONN_STATE_KEEPALIVE which could kill the connection under high load.
Github: closes #448
Follow up to r1918022: MMN minor bump and checks for the new conn_state_e aliases' usability.
mpm_event: Don't spam with "Stopping process due to MaxConnectionsPerChild"
When MaxConnectionsPerChild is reached there may be some connections to process
still and the listener should stop writing this at every loop. Logging once
is enough.
mpm_event, mod_status: Separate processing and write completion queues.
As a follow up to r1918022 which handled the new CONN_STATE_PROCESS(ing) and
existing CONN_STATE_WRITE_COMPLETION in the same async queue, let's now have
two separates ones which allows more relevant async accounting in mod_status.
Rename CONN_STATE_PROCESS to CONN_STATE_PROCESSING as it's how it will be
called in mod_status.
* include/ap_mmn.h:
MMN minor bump for process_score->processing counter.
* include/httpd.h:
Rename CONN_STATE_PROCESS to CONN_STATE_PROCESSING.
* server/mpm/event/event.c:
Restore write_completion_q to handle connections in CONN_STATE_WRITE_COMPLETION.
Use processing_q (renamed from process_q) solely for CONN_STATE_PROCESSING.
Update process_score->processing according to the length of processing_q.
* modules/generators/mod_status.c:
Show the value of process_score->processing in the stats.
Follow up to r1918098 (and r1918022): Push missing changes.
mpm_event,mod_http2: Keep compatibility with CONN_STATE_PROCESSING + OK
Before r1918022, returning OK with CONN_STATE_PROCESSING to mpm_event was
handled like/by CONN_STATE_LINGER "to not break old or third-party modules
which might return OK w/o touching the state and expect lingering close,
like with worker or prefork MPMs".
So we need a new return code to be allowed to apply the new POLLIN/POLLOUT
behaviour for CONN_STATE_PROCESSING, thus revive AGAIN as introduced by
Graham some times ago for a nonblocking WIP (moved to a branch/PR since then).
MPM event will advertise its ability to handle CONN_STATE_PROCESSING + AGAIN
with AP_MPMQ_CAN_AGAIN, and mod_http2 can use that to know how to return to
the MPM as expected. When !AP_MPMQ_CAN_AGAIN modules/mod_http2 can still use
CONN_STATE_WRITE_COMPLETION + CONN_SENSE_WANT_READ + c->clogging_input_filters
which will work in mpm_even-2.4.x still.
* include/ap_mmn.h:
Bump MMN minor for AP_MPMQ_CAN_AGAIN and AGAIN.
* include/ap_mpm.h:
Define AP_MPMQ_CAN_AGAIN.
* include/httpd.h:
Define AGAIN.
* modules/http2/h2.h:
No need for H2_USE_STATE_PROCESSING anymore with AP_MPMQ_CAN_AGAIN.
* modules/http2/h2_c1.c:
For !keepalive case return to the MPM using CONN_STATE_PROCESSING + AGAIN
or CONN_STATE_WRITE_COMPLETION + c->clogging_input_filters depending on
AP_MPMQ_CAN_AGAIN only.
* modules/http2/h2_session.c:
Can return to the MPM for h2_send_flow_blocked() provided it's async only.
* server/mpm/event/event.c:
Rework process_socket()'s CONN_STATE_PROCESSING to handle AGAIN and preserve
compatibility. Have a lingering_close label to goto there faster when
process_lingering_close() is to be called. Improve relevant comments.
mpm_event,mod_http2,mod_status: Follow up to r1918257: CONN_STATE_ASYNC_WAITIO.
Per discussion on PR #449, have a separate state for returning the connection
to the MPM to wait for an IO (namely CONN_STATE_ASYNC_WAITIO), rather than
(ab)using CONN_STATE_PROCESSING.
This removes the need for AGAIN added in r1918257 (for now), and AP_MPMQ_CAN_AGAIN
is renamed to AP_MPMQ_CAN_WAITIO.
This is also the state that mod_status accounts for, so rename ->processing
to ->wait_io in process_score (shows as "wait-io" in mod_status and mod_lua).
mpm_event: Follow up to r1918482: CONN_STATE_ASYNC_WAITIO > CONN_STATE_LINGER.
mpm_event: Follow up to r1918482: CONN_STATE_LINGER* are not the last anymore.
Since CONN_STATE_ASYNC_WAITIO, we cannot check for < or >= CONN_STATE_LINGER
anymore to determine if in an lingering close state, so let's add a new
CONN_STATE_IS_LINGERING_CLOSE() macro for this and use it in mpm_event.
The test for state == CONN_STATE_LINGER in process_lingering_close() is a
bit weak too in order to call ap_start_lingering_close() the first time only,
so have a conn_state->linger_started flag instead.
mod_status: Follow up to r1918482: Bump colspan for the new wait-io colomn
mod_status: "Threads" span three colomns (busy, graceful, idle), not two.
mod_rewrite: Better question mark tracking to avoid UnsafeAllow3F. PR 69197.
Track in do_expand() whether a '?' in the uri-path comes from a literal in
the substitution string or from an expansion (variable, lookup, ...).
In the former case it's safe to assume that it's the query-string separator
but for the other case it's not (could be a decoded %3f from r->uri).
This allows to avoid [UnsafeAllow3F] for most cases.