Stefan Eissing [Sat, 17 Dec 2022 10:21:56 +0000 (10:21 +0000)]
*) mod_proxy_http2: apply the standard httpd content type handling
to responses from the backend, as other proxy modules do. Fixes PR 66391.
Thanks to Jérôme Billiras for providing the patch.
manu [Fri, 11 Nov 2022 01:46:28 +0000 (01:46 +0000)]
Open the lock database read-only when possible
The goal is to reduce lock contention, since a read access only
requires a shared lock. The improvement should not be significant
since for now we open and close the lock database on each HTTP
request.
manu [Wed, 9 Nov 2022 16:50:06 +0000 (16:50 +0000)]
Initialize allow_lockdiscovery as unset
Removing the initialization means it is set as 0 by apr_pcalloc(), and
0 is DAV_ENABLED_UNSET
That is required to inherit configuration in dav_merge_dir_config()
as pointed out by rpluem@
We only check for allow_lockdiscovery against DAV_ENABLED_OFF, hence
DAV_ENABLED_UNSET is equivalent to DAV_ENABLED_ON, which is required
for backware compatibility sake.
manu [Wed, 9 Nov 2022 01:12:26 +0000 (01:12 +0000)]
Turn DavLockDiscovery into a flag
As requested on dev@httpd.apache.org, turn DavLockDiscovery into a Flag.
Expressions can still be used by enclosing the directive by
<If "expr">...</If>
Stefan Eissing [Sat, 22 Oct 2022 11:41:55 +0000 (11:41 +0000)]
*) mod_http2: field values (headers and trailers) are stripped of
leading/trailing whitespace (space +htab) before being processed
or send in a response. This is compatible behaviour to HTTP/1.1
parsers that strip incoming headers of such characters.
[Stefan Eissing]
Yann Ylavic [Mon, 17 Oct 2022 09:48:11 +0000 (09:48 +0000)]
mod_dav: Allow to disable lock discovery via an DAVLockDiscovery expression.
mod_dav-fs scales badly when a few clients run PROPFIND requests to discover
directory content. Each PROPFIND involves lockdiscovery, which in turn waits
for a locked access to the file containing the lock database. Performances
quickly drop because of lock contention on this file.
Add a DAVLockDiscovery configuration directive that allows lockdiscovery to be
disabled. Its argument is an Apache expression so that flexible configuration
are possible (per-request).
When lock discovery is disabled, an empty lockdiscovery property is returned on
POPRFIND methods, just like if no lock was set on the object. That should cause
no regression, since a client cannot rely on lockdiscovery to decide when a
file should be accessed, the LOCK methood must be used.
If DAVLockDiscovery is not specified, the behavior is unchanged.
Stefan Eissing [Tue, 11 Oct 2022 14:54:08 +0000 (14:54 +0000)]
Sync with v2.0.10 from github:
* Extensive testing in production done by Alessandro Bianchi (@alexskynet)
on the v2.0.x versions for stability. Many thanks!
* refactored stream response handling to reflect the different phases
(response/data/trailers) more clearly and help resolving cpu busy loops.
* Adding more negative tests for handling of errored responses to cover
edge cases.
* mod_http2: fixed handling of response where neiter an EOS nor an ERROR was
received as a cause to reset the stream.
* mod_proxy_http2: generating error buckets for fault response bodies, to
signal failure to fron when response header were already sent.
v2.0.9
--------------------------------------------------------------------------------
* Fixed a bug where errors during reponse body handling did not lead to
a proper RST_STREAM. Instead processing went into an infinite loop.
Extended test cases to catch this condition.
v2.0.8
--------------------------------------------------------------------------------
* Delaying input setup of a stream just before processing starts. This allows
any EOS indicator arriving from the client before that to take effect.
Without knowing that a stream has no input, internal processing has to
simulate chunked encoding. This is not wrong, but somewhat more expensive
and mod_security has been reported to be allergic to seeing 'chunked'
on some requests. See <https://bz.apache.org/bugzilla/show_bug.cgi?id=66282>.
* mod_proxy_http2: fixed #235 by no longer forwarding 'Host:' header when
request ':authority' is known. Improved test case that did not catch that
the previous 'fix' was incorrect.
Yann Ylavic [Tue, 11 Oct 2022 09:53:04 +0000 (09:53 +0000)]
mod_proxy: Ignore (and warn about) enablereuse=on for ProxyPassMatch when
some dollar substitution (backreference) happens in the hostname
or port part of the URL.
Address or connection reuse can't work when the autority part of the URL is
dynamic (single origin server[:port] handled/assumed in the reslist). Detect
such cases and unset worker->s->is_address_reusable to disable reuse regardless
of enablereuse/disablereuse.
* modules/proxy/proxy_util.c(ap_proxy_define_worker_ex):
Lookup for $n substitution in the hostname[:port] when parsing the URL and
if present, set worker->->is_address_reusable=0 / worker->s->disablereuse=1.
* modules/proxy/proxy_util.c(ap_proxy_initialize_worker):
Don't overwrite worker->s->is_address_reusable from enablereuse/disablereuse
parameters, and set both consistently.
* docs/manual/mod/mod_proxy.xml:
Add ProxyPassMatch compatibility note about key=value parameters handled with
$n substitutions since 2.4.47.
Document the specificities of enablereuse/disablereuse w.r.t. $n subsitutions
in the different part of the URL.
Axe the note about unparsable URLs when the $n substitution happens in the
port, this has been addressed in 2.4.47 too (and works now).
Stefan Eissing [Mon, 26 Sep 2022 12:29:47 +0000 (12:29 +0000)]
*) mod_http2: new directive "H2HeaderStrictness" to control the compliance
level of header checks as defined in the HTTP/2 RFCs. Default is 7540.
9113 activates the checks for forbidden leading/trailing whitespace in
field values (available from nghttp2 v1.50.0 on).
- source sync with github version
- fix for keepalive idle wait in mpm_worker setup
- ensuring EOS when secondary connection has been handled
- fixed race in late input EOS arrival when stream was
already scheduled for execution.
Stefan Eissing [Wed, 21 Sep 2022 11:23:24 +0000 (11:23 +0000)]
*) mod_http2: removing bucket splitting into an extra recv brigade.
buckets are always received as a whole now, even if the total size
exceeds the receivers specified length. This simplifies the internal
handling and, since these buckets already exist, lead to less memory
consumption overall.
Stefan Eissing [Wed, 21 Sep 2022 11:03:44 +0000 (11:03 +0000)]
*) tests: load the top-level mod_aptest in all test suites.
- aptest logs the test name from the header 'AP-Test-Name' with
the request line. LogLevel aptest:info is switched on.
- pytest sets 'AP-Test-Name' for all curl/nghttp invocation
against the server.
Stefan Eissing [Tue, 20 Sep 2022 12:40:58 +0000 (12:40 +0000)]
*) mod_proxy_http2: use only the ':authority' header to forward 'Host'
information to a backend. Deduce ':authority' from what the client
sent when 'ProxyPreserveHost' is on.
Eric Covener [Fri, 2 Sep 2022 23:17:14 +0000 (23:17 +0000)]
emphasize a few things about authz_host
- "domain name" is not a good contrast for hostname unqualified, use "partial" as used earlier in the doc
- mention that DNS resolution [of the require line arguments] is done at runtime not startup. This may be
obvious to developers when you see it uses an ap_expr but the question was specifically asked on IRC.
Stefan Eissing [Thu, 25 Aug 2022 14:00:13 +0000 (14:00 +0000)]
mod_md v2.4.19 from github sync
*) mod_md: a new directive `MDStoreLocks` can be used on cluster
setups with a shared file system for `MDStoreDir` to order
activation of renewed certificates when several cluster nodes are
restarted at the same time. Store locks are not enabled by default.
Restored curl_easy cleanup behaviour from v2.4.14 and refactored
the use of curl_multi for OCSP requests to work with that.
Fixes <https://github.com/icing/mod_md/issues/293>.
Stefan Eissing [Mon, 1 Aug 2022 12:56:11 +0000 (12:56 +0000)]
*) mod_ssl: when a proxy connection had handled a request using SSL, an
error was logged when "SSLProxyEngine" was only configured in the
location/proxy section and not the overall server. The connection
continued to work, the error log was in error. Fixed PR66190.
core: Follow up to r1902728: pools may have no allocator with APR_POOL_DEBUG.
With APR <= 1.7 and APR_POOL_DEBUG, thread's pools don't necessarily have an
allocator, so avoid apr_allocator_max_free_set(NULL) in ap_thread_create() and
ap_thread_main_create().
Also, always create an allocator in ap_thread_current_create().
util_pcre: Restore nmatch < ncaps behaviour with PCRE1 (only).
When the requested nmatch is below the number of captures for the regex (i.e.
nmatch is zero if the user does not care about the captures), with PCRE1 we can
pass a smaller ovector to pcre_exec() (or even NULL) which allows for somes
optimizations (less or even no recursion) internally in pcre.
This might avoid crashes due to stack usage/exhaustion with pathological
patterns (see BZ 66119).
util_pcre: Add a thread local subpool cache for when stack does not suffice.
When AP_HAS_THREAD_LOCAL is available, use a thread-local match_thread_state to
save per-thread data in a subpool of the thread's pool.
If private_malloc() gets out of the stack buffer and the current thread has a
pool (i.e. ap_thread_current() != NULL), it will apr_palloc()ate and return
memory from the subpool.
When the match is complete and the match_data are freed, the thread subpool is
cleared thus giving back the memory to the allocator, which itself will give
back the memory or recycle it depending on its max_free setting.
* util_pcre.c:
Restore POSIX_MALLOC_THRESHOLDsince this is part of the user API.
* util_pcre.c(match_data_pt):
Type not used (explicitely) anymore, axe.
* util_pcre.c(struct match_data_state):
Put the stack buffer there to simplify code (the state is allocated on
stack anyway).
If APREG_USE_THREAD_LOCAL, add the apr_thread_t* and match_thread_state*
fields that track the thread local data for the match.
* util_pcre.c(alloc_match_data, free_match):
Renamed to setup_state() and cleanup_state(), simplified (no stack buffer
parameters anymore).
cleanup_state() now clears the thread local subpool if used during the match.
setup_state() set state->thd to ap_thread_current(), thus NULL if it's not a
suitable thread for using thread local data.
* util_pcre.c(private_malloc):
Fix a possible buf_used overflow (size <= avail < APR_ALIGN_DEFAULT(size)).
Create the thread local subpool (once per thread) and allocate from there
when stack space is missing and state->thd != NULL, otherwise fall back to
malloc() still.
* util_pcre.c(private_free):
Do nothing for thread local subpool memory, will be freed in cleanup_state
eventually.
core: Apply ap_max_mem_free to created threads' pool allocator.
Since APR does not set the threshold above which the allocator of the thread's
starts returning its memory to the system, so set ap_max_mem_free from
ap_thread_create(), ap_thread_main_create() and ap_thread_current_create().
* include/httpd.h:
Provide our own ap_thread_create() in any case (but !APR_HAS_THREADS).
Simplify #ifdef-ery.
* server/util.c(thread_start, ap_thread_main_create, ap_thread_current_create):
Set ap_max_mem_free to the thread's pool allocator.
Simplify #ifdef-ery.
projects / thirdparty / apache / httpd.git / log
