The hostname part of the URL is not mandated for UDS though the canon_handler
hooks will require it, so add "localhost" if it's missing (won't be used anyway
for an AF_UNIX socket).
This can trigger with SetHandler "unix:" URLs which are now also fixed up.
Follow up to r1919015: fix compilation.
mod_proxy: Fix canonicalisation and FCGI env (PATH_INFO, SCRIPT_NAME) for
"balancer:" URLs set via SetHandler, also allowing for "unix:"
sockets with BalancerMember(s). PR 69168.
* modules/proxy/proxy_util.h, modules/proxy/proxy_util.c:
Move proxy_interpolate() from mod_proxy.c to ap_proxy_interpolate(),
exported locally only (non public).
Move proxy_fixup() from mod_proxy.c to ap_proxy_canon_url(), exported
locally only too (non public).
Rollback ap_proxy_fixup_uds_filename() to a local fixup_uds_filename()
usable from proxy_util.c only. The public function will be removed in
a following commit.
* modules/proxy/mod_proxy.h:
Note that ap_proxy_fixup_uds_filename() is deprecated.
* modules/proxy/mod_proxy.c:
Just use ap_proxy_canon_url() from proxy_fixup() and proxy_handler()
for SetHandler URLs.
* modules/proxy/mod_proxy_balancer.c:
Do not canonicalize the path from proxy_balancer_canon() anymore but
rather from balancer_fixup() where the balancer URL is rewritten to
the BalancerMember URL.
mod_proxy: Don't mangle r->filename when ap_proxy_canon_netloc() fails.
ap_proxy_canon_netloc() called from the canon_handler hooks modifies its
given url in place, hence &r->filename[6] passed from ap_proxy_canon_url().
This is not an issue if the canon_handler hook succeeds (or declines) since
r->filename is usually completely rewritten finally, but on failure it gets
truncated.
Avoid this by passing a copy of r->filename from the start, the proxy *url
and r->filename don't need to point to the same data.
* proxy/proxy_util.c(ap_proxy_canon_url):
Pass a copy of r->filename to the canon_handler hooks.
All pollset "good methods" implement APR_POLLSET_WAKEABLE and wake-ability
is quite important for MPM event's correctness anyway so simplify code around
pollset creation so as not to suggest that APR_POLLSET_NODEFAULT is favored
over APR_POLLSET_WAKEABLE.
While at it account for the wakeup pipe in the pollset_size since not all
pollset methods seem to do it internally in APR.
mpm_worker: Fix AH00045 about children processes not terminating timely.
* server/mpm/worker/worker.c(setup_threads_runtime):
Create pollset with APR_POLLSET_WAKEABLE to be able to wake up the listener
when stopping.
* server/mpm/worker/worker.c(wakeup_listener):
Wake up the listener using the wakeup pipe (apr_pollset_wakeup).
* server/mpm/worker/worker.c(join_workers):
Like mpm_event, don't depend on `pthread_kill(listener_thread, 0)` to check
whether the listener has exited (this does not work on some systems), but use
the "dying" global variable instead which is set by the listener just before
exiting.
mpm_event,mpm_worker: Comment about pollset sizing when APR_POLLSET_WAKEABLE.
Joe Orton [Thu, 11 Jul 2024 07:28:53 +0000 (07:28 +0000)]
Merge r1914365, r1914622, r1916057, r1918024 from trunk:
mod_ssl: Add support for loading keys from OpenSSL 3.x providers via
the STORE API. Separates compile-time support for the STORE API
(supported in 3.x) from support for the ENGINE API (deprecated in
3.x).
* modules/ssl/ssl_private.h: Define MODSSL_HAVE_OPENSSL_STORE for
OpenSSL 3.0+.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_store_uri,
modssl_load_keypair_store): New functions.
(modssl_load_keypair_engine): Renamed from modssl_load_keypair_engine.
(modssl_load_engine_keypair): Reimplement to use new STORE-based
functions if SSLCryptoDevice was not configured, or else old
ENGINE implementation.
* modules/ssl/ssl_util.c (modssl_is_engine_id): Match pkcs11: URIs
also for the OpenSSL 3.x STORE API.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs): Tweak log
message on error paths for the provider/STORE case.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair): Fix
build (hopefully) for OpenSSL 3.x with OPENSSL_NO_ENGINE defined.
* modules/ssl/ssl_engine_pphrase.c (modssl_load_engine_keypair):
Update to avoid GCC warning for no-engine builds where the
SSLModConfigRec is not used. Also log an error for the ENOTIMPL
path.
Fix ENGINE use with OpenSSL 3.2, which appears to be broken due to a
refcounting issue in mod_ssl.
* modules/ssl/ssl_engine_pphrase.c (modssl_engine_cleanup):
New function.
(modssl_load_keypair_engine): Take pconf & ptemp arguments, don't
call ENGINE_finish() immediately but register the above cleanup.
(modssl_load_engine_keypair): Pass through pconf & ptemp.
* modules/ssl/ssl_engine_init.c (ssl_init_server_certs):
Pass through pconf and ptemp to modssl_load_engine_keypair.
Since r1908537 BIO_set_callback_ex is used with OpenSSL >= 3.0 instead of
BIO_set_callback to set the BIO callback. The meaning of parameters and
their range of values in the callback function set by BIO_set_callback_ex
has changed compared to the callback function set by BIO_set_callback
although parameters kept their names. Accommodate for this and adjust the
code accordingly.
Furthermore limit the size of dumps to APR_UINT16_MAX bytes. Given the length
of SSL records of 16k this should not have practical implications.
* Changelog for r1918880
mod_ssl: Let modssl_set_io_callbacks() decide which callback is needed.
* modules/ssl/ssl_private.h:
Add conn_rec and server_rec args to modssl_set_io_callbacks().
* modules/ssl/ssl_engine_io.c(modssl_set_io_callbacks):
Don't set modssl_io_cb for log levels below TRACE4.
Yann Ylavic [Wed, 26 Jun 2024 14:51:32 +0000 (14:51 +0000)]
mod_proxy: Fixup UDS filename for mod_proxy called through r->handler.
* modules/proxy/proxy_util.c:
Export ap_proxy_fixup_uds_filename() from fix_uds_filename.
Call it from ap_proxy_pre_request() even for rewritten balancer workers.
Joe Orton [Fri, 21 Jun 2024 14:31:54 +0000 (14:31 +0000)]
Merge r1917578 from trunk:
On Linux use the real thread id via gettid() in error logging,
where available, rather than the (meaningless) default
pthread_self()-as-integer interpretation:
* configure.in: Define DEFAULT_LOG_TID on Linux if gettid() is available.
* server/log.c: Define DEFAULT_LOG_TID as NULL by default.
(do_errorlog_default): Use DEFAULT_LOG_TID as the argument to log_tid().
* modules/ssl/ssl_engine_io.c (bio_filter_out_write,
bio_filter_in_read): #ifdef-out reneg protection if
SSL_OP_NO_RENEGOTATION is defined.
* modules/ssl/ssl_engine_init.c (ssl_init_ctx_protocol):
Enable SSL_OP_NO_RENEGOTATION.
(ssl_init_ctx_callbacks): Only enable the "info" callback if
debug-level logging *or* OpenSSL doesn't support SSL_OP_NO_RENEGOTATION.
* modules/ssl/ssl_engine_kernel.c (ssl_hook_Access_classic): Use
modssl_set_reneg_state to set the reneg protection mode.
(ssl_hook_Access_modern): Drop manipulation of the reneg mode which
does nothing for TLSv1.3 already.
(ssl_callback_Info): Only enable reneg protection if
SSL_OP_NO_RENEGOTATION is *not* defined.
* modules/ssl/ssl_util_ssl.c (modssl_set_reneg_state): New function.
mod_ssl: follow up to r1877397: fix SSL_OP_NO_RENEGOT*I*ATION typo.
Joe Orton [Mon, 17 Jun 2024 14:21:04 +0000 (14:21 +0000)]
Merge r1916863 from trunk:
* Ensure that we set the default DH parameters for the key
Replace else with an if as the if branch no longer ensures that
custom DH parameters have been loaded.
This fixes a regression that causes the default DH parameters for a key
to no longer be set, thus effectively disabling DH ciphers when no explicit
DH parameters are set.
Add experimental support for fd passing in mod_cgid. Attaches CGI
script stderr to the error log specific to the vhost, by passing the
appropriate fd over the AF_UNIX socket from the request handling
thread to the cgid server process.
* modules/generators/mod_cgid.c (sock_readhdr): New function, also
returns auxiliary control data (the stderr fd) if available.
(sock_write): Take optional aux fd argument, send it as control
data. (send_req, get_req): Adjust accordingly to pass/receive the
stderr fd.
(cgid_server): Use passed fd if available, limit the lifetime.
PR: 60692
mod_cgid: Continuation of r1862968, experimental fd passing support.
Split out CGI bucket implementation from mod_cgi and use in both
mod_cgi and mod_cgid, bringing stderr handling in mod_cgid up to par
with mod_cgi. (There is a lot of code which has been copied between
mod_cgi{,d} so there's scope for further reduction of source
duplication between the modules using this header)
* modules/generators/cgi_common.h: Copied from mod_cgi.c, removed
everything but the CGI bucket implementation with only one change:
(struct cgi_bucket_data, cgi_bucket_create, cgi_bucket_read): Take a
timeout on bucket creation, store and use on reads.
* modules/generators/mod_cgi.c [APR_FILES_AS_SOCKETS]: Include
cgi_common.h.
(cgi_handler): Pass configured timeout to CGI bucket.
* modules/generators/mod_cgid.c: Include cgi_common.h.
(log_script_err): Copy from mod_cgi.c.
(log_script): Use log_script_err.
(send_req): Take fd for stderr.
(cgid_child_errfn): Handle fd-passing case by writing error
to stderr for client to pass through ap_log_rerror.
(cgid_handler): Create pipe for stderr, pass write-end to
server via send_req, use read-end to create CGI bucket. Handle
stderr output in failure paths.
PR: 54221
* modules/generators/mod_cgid.c (sock_readhdr): Only set up control
message block when required; add some additional error handling.
* modules/generators/cgi_common.h (cgi_bucket_create):
Disable APR timeout handling here for all callers.
* modules/generators/mod_cgi.c (cgi_handler): ... drop it here.
PR: 63797
Move common (and near-identical) code for CGI response output handling
to cgi_common.h; the diff between the modules for this code was as
follows:
Change from previous: mod_cgi will now explicitly discard output when
returning HTTP_MOVED_TEMPORARILY for relative redirects (should not be
functionally different), TRACE1 logging of ap_pass_brigade failures
for mod_cgid is dropped.
* modules/generators/cgi_common.h (cgi_handle_response): New function,
factored out from mod_cgid.
(discard_script_output): Copied function from mod_cgi/d unchanged.
* modules/generator/mod_cgid.c (cgid_handler),
modules/generator/mod_cgi.c (cgi_handler): Use cgi_handle_response.
Fix build broken w/o --enable-cgid-fdpassing by r1867968:
* modules/generators/cgi_common.h: Only define CGI bucket type
if WANT_CGI_BUCKET is defined.
* modules/generators/mod_cgi.c: Always include cgi_common.h, defining
WANT_CGI_BUCKET iff APR_FILES_AS_SOCKETS is defined
* modules/generators/mod_cgid.c: Always include cgi_common.h, defining
WANT_CGI_BUCKET iff HAVE_CGID_FDPASSING (--enable-cgid-fdpassing).
Add comment, no functional change.
* modules/generators/cgi_common.h (cgi_handle_request): Factor out
near-identical common code from mod_cgid, mod_cgi.
* modules/generators/mod_cgid.c (cgid_handler),
modules/generators/mod_cgi.c (cgi_handler):
Adjust to use cgi_handle_request.
* modules/generators/cgi_common.h (cgi_handle_request): Catch
(unlikely) apr_bucket_read() failure when reading request.
* modules/generators/mod_cgid.c (cgid_handler): Bail immediately with
a 503 response on errors when talking to the daemon. Check the pid
returned is not zero.
* modules/generators/mod_cgid.c (get_req): Add basic sanity
checking for the structure received in the CGI daemon.
* modules/generators/mod_cgid.c (get_cgi_pid): Fix test for pid=0.
(cgid_handler): Remove duplicated test for pid=0 here added in
r1879119.
* modules/generators/cgi_common.h (cgi_handle_response): Avoid trying
to read the output brigade twice in the case of a timeout.
PR: 64709
Further re-unification of code duplicated across mod_cgi/mod_cgid into
cgi_common.h. Functional changes:
- brings the PR 61980 fix to mod_cgid as well, and
- some mod_cgid-specific APLOGNOs are dropped in favour of the
code used in the equivalent error path in mod_cgi
... otherwise no user-visible changes (intended).
* modules/generators/cgi_common.h (log_scripterror, log_script_err): Move
here from mod_cgi.
(cgi_handle_exec): Move here, renamed from mod_cgi's handle_exec.
(cgi_optfns_retrieve): New function, split out from mod_cgi's cgi_post_config.
* modules/generators/cgi_common.h (discard_script_output): Simplify
slightly and ensure constant rather than unlimited memory
consumption when discarding CGI script output (for e.g. a redirect
response).
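
The mod_cgid fd-passing entries above describe sending the stderr fd as control data over the AF_UNIX socket, setting up the control block only when required, and sanity-checking what the daemon receives. The following is an added example of that mechanism using SCM_RIGHTS, not code from httpd; send_with_fd, recv_with_fd, the fdctl type and the 'R' header byte are hypothetical names chosen for illustration.

```c
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

typedef union { struct cmsghdr align; char buf[CMSG_SPACE(sizeof(int))]; } fdctl;

/* Send a 1-byte header; attach fd as SCM_RIGHTS control data only if fd >= 0. */
static int send_with_fd(int sock, int fd) {
    char hdr = 'R';                       /* hypothetical request header */
    struct iovec iov = { &hdr, 1 };
    struct msghdr msg = { 0 };
    fdctl u;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    if (fd >= 0) {                        /* control block only when required */
        memset(&u, 0, sizeof u);
        msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
        struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
        c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
        c->cmsg_len = CMSG_LEN(sizeof(int));
        memcpy(CMSG_DATA(c), &fd, sizeof(int));
    }
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Return the passed fd, -1 if none was attached, -2 if the message is malformed. */
static int recv_with_fd(int sock) {
    char hdr = 0;
    struct iovec iov = { &hdr, 1 };
    struct msghdr msg = { 0 };
    fdctl u;
    int fd;
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = u.buf; msg.msg_controllen = sizeof u.buf;
    /* Reject short reads, unexpected headers and truncated control data. */
    if (recvmsg(sock, &msg, 0) != 1 || hdr != 'R' || (msg.msg_flags & MSG_CTRUNC))
        return -2;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    if (c == NULL) return -1;             /* sender attached no fd */
    if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS
        || c->cmsg_len != CMSG_LEN(sizeof(int))) return -2;
    memcpy(&fd, CMSG_DATA(c), sizeof(int));
    return fd;
}

int main(void) {  /* constructed demo: a pipe write end stands in for the stderr fd */
    int sv[2], p[2], fd; char buf[3];
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) || pipe(p) || send_with_fd(sv[0], p[1])) return 1;
    if ((fd = recv_with_fd(sv[1])) < 0 || write(fd, "err", 3) != 3) return 1;
    close(fd);                            /* limit the lifetime of the passed fd */
    return (read(p[0], buf, 3) == 3 && memcmp(buf, "err", 3) == 0) ? 0 : 1;
}
```

The receiver accepts exactly one descriptor and treats anything else in the control data as an error; a receiver that tolerates extra or truncated control messages can leak descriptors it never closes.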